Re: Problem with pf rules.

2010-01-14 Thread Karl-Heinz Wild
Did you set net.inet.ip.forwarding=1 in sysctl?

regards
karl-heinz

On 14.01.2010, at 16:10, PsYkHe wrote:

> I'm in trouble putting a router/firewall OpenBSD 4.6 on VMware and Slackware 13 so they can talk through host-only. But the main problem now is that the OpenBSD makes a rdr to the Slackware webserver. Well, I'll try to describe the situation:
>
> The OpenBSD 4.6 has two interfaces:
>
> One bridge
> One host-only with ip 192.168.38.130
>
> At Slackware 13 there is one interface:
> host-only with ip 192.168.38.128
>
> These are my pf rules:
>
> if_net=vic0
> if_ws=vic1
> ip_ws=192.168.138.128
>
> #block log all
> pass log all
>
> rdr pass log on $if_net proto tcp to port 6060 -> $ip_ws port 80
>
> rdr pass log on $if_net proto tcp to port  -> 127.0.0.1 port 22
>
> nat log on $if_net from !($if_net) -> ($if_net:0)
>
> PS: if_net is the interface of the bridge and if_ws is the host-only.
>
> The OpenBSD can ping the internal host-only ip of Slackware, 192.168.138.128, and also when I send a telnet to it on port 80 it answers perfectly.
>
> Therefore when it comes from outside, from the internet, a telnet to OpenBSD on port  comes in to the ssh of OpenBSD but it can't log on. For port 6060 the log didn't show up and it can't do a rdr, or it didn't work. I thought the Slackware listen port 80, which was tcp6, maybe would be ipv6 only, but I did insert tcp for ipv4 and the rdr also didn't work.
>
> I'm using the command: tcpdump -n -e -ttt -i pflog0
> to verify these logs on interface pflog0.
>
> I need a light, a suggestion or something like that. Can you tell me something, guys?
>
> Any information or anything else you can ask me for, I'll send.
>
> Thanks a lot.
>
> See ya.



Typo in ftp-proxy

2009-09-07 Thread Karl-Heinz Wild
CONFIGURATION

  To make use of the proxy, needs the following rules.  Adjust
  the rules as needed.

anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr to 127.0.0.1 port 8021

# NEW?
#   pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021


regards
Karl-Heinz




Re: pf bug

2009-05-08 Thread Karl-Heinz Wild
This does not seem valid to me.

You can check with

l = {1.1.1.1,1.1.1.2}
block from $l

with pfctl -n -v -f file

it produces

l = {1.1.1.1,1.1.1.2}
block drop inet from 1.1.1.1 to any
block drop inet from 1.1.1.2 to any

Next, try your example.

Karl-Heinz

On 08.05.2009, at 12:37, Cristiano Deana wrote:

> Hi,
>
> I think this is a pf bug.
>
> Short description:
>
> Internal interface with two different IPs in two different LANs:
> 192.168.20.254/24
> 192.168.21.254/24
> They're used as gateway for the two LANs.
>
> NAT rules: every 10 IPs use a different public IP.
> Everything works fine for the first LAN; with the second one pf doesn't match the right rule (1) but the similar rule for the other LAN (2). This is only true for NAT RULES; if I use a similar rule for filtering (3, 4) they perfectly match the right one.
>
> (1)
> nat on $ext_if from $lan_pri_01 -> $ip_pub_01
> (2)
> nat on $ext_if from $lan_pri_26 -> $ip_pub_26
> (3)
> pass in log quick on {192.168.20.254} from 192.168.20.0/24 to any flags S/SA keep state
> (4)
> pass in log quick on {192.168.21.254} from 192.168.21.0/24 to any flags S/SA keep state
>
> lan_pri_01={ 192.168.20.01 - 192.168.20.10 }
> lan_pri_26={ 192.168.21.01 - 192.168.21.10 }
>
> It seems the nat rule uses only the last octet to match it.
>
> Thanks in advance




chsh patch ...

2009-03-04 Thread Karl-Heinz Wild
Hi

I got sick when adding an expire date for a user account with chsh.
The line with the format shows [month day year] but
the parameter you have to insert is the month name as local name
or an abbreviation.

My patch adds the possibility to enter the old format and
the numerical format as well.

Maybe you'll find that ok, or better, helpful.

--- usr.bin/chpass/util.c.orig  Tue Dec 16 06:25:55 2008
+++ usr.bin/chpass/util.c   Fri Feb 27 21:36:03 2009
@@ -75,11 +75,16 @@
 return (0);
 }
 (void) memset(tm, 0, sizeof(tm));
-   for (t = p; (t = strchr(t, ',')) != NULL; t++)
-   *t = ' ';
+   for (t = p; *t != NULL; t++ )
+   if( *t == ',' || *t == '/' || *t == '.' )
+   *t = ' ';
 t = strptime(p, %B %d %Y, tm);
-   if (t == NULL || (*t != '\0'  *t != '\n'))
-   return 1;
+   if (t == NULL || (*t != '\0'  *t != '\n')) {
+   t = strptime( p, %m %d %Y, tm );
+   if (t == NULL || (*t != '\0'  *t != '\n')) {
+   return 1;
+   }
+   }
 tm.tm_isdst = -1;
 *store = mktime(tm);
 if (*store == (time_t) -1)
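Review bot: in the new loop header `for (t = p; *t != NULL; t++ )` the char `*t` is compared against the pointer constant NULL; use `*t != '\0'` so the terminator test is done on the right type (the replaced strchr() loop never needed this). Separately, the strptime(3) format strings on the `t = strptime(p, %B %d %Y, tm);` and `t = strptime( p, %m %d %Y, tm );` lines appear without their double quotes, and the `&&` between `*t != '\0'` and `*t != '\n'` is missing in both the old and the new lines, which looks like the list archive stripping characters rather than the submitted patch; please verify against the original file before applying. The numeric `%m` fallback is only reached when the month-name parse fails or leaves trailing input, so the existing `%B` form keeps working.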


Regards
Karl-Heinz




Re: load-balancing with carpnodes

2009-02-27 Thread Karl-Heinz Wild
On 18.02.2009, at 19:07, Jason Dixon wrote:

> Is anyone using the carpnodes load-balancing feature for carp(4)?  I
> can't seem to get it to balance any traffic across the two nodes.  I'm
> testing a simple dual-homed CARP/pfsync pair.  Creating the interfaces
> is simple enough and they seem to behave ok.  I have to use ip-stealth
> for the switch to work properly.
>
> host-a # ifconfig carp0 10.20.0.1 netmask 255.255.255.0 \
>   carpnodes 1:0,2:100 balancing ip-stealth
> host-a # ifconfig carp1 10.30.0.1 netmask 255.255.255.0 \
>   carpnodes 1:0,2:100 balancing ip-stealth
>
> host-b # ifconfig carp0 10.20.0.1 netmask 255.255.255.0 \
>   carpnodes 1:100,2:0 balancing ip-stealth
> host-b # ifconfig carp1 10.30.0.1 netmask 255.255.255.0 \
>   carpnodes 1:100,2:0 balancing ip-stealth
>
> After a short delay I can ping 10.20.0.1 from another host.  Everything
> looks normal except there is a lack of routes on host-b pointing to the
> carp interfaces (output abbreviated for clarity).
>
> host-a # netstat -rn -finet | grep carp
> 10.20.0.1   10.20.0.1   UH   0   0   -   4   carp0
> 10.30.0.1   10.30.0.1   UH   0   0   -   4   carp1
>
> host-b # netstat -rn -finet | grep carp
>
> I will then issue a network test from a client (10.20.0.4) to a server
> (10.30.0.4).  While monitoring netstat -i, I can see all of the traffic
> entering and leaving both interfaces on host-a, but only entering interfaces
> on host-b (no forwarding).  Forwarding is correctly enabled on both
> hosts and they're running the same ruleset.  Same results with pf
> disabled.
>
> I haven't found many examples of carpnodes in production on the lists.
> Can someone please verify this is truly feature complete and that I'm
> just doing something stupid (highly possible)?


I'm testing a similar environment with -Current and the new PFSYNC V5 on
both firewalls. The box behind starts a connection and fails after seconds.

The routing entries seem similar to Jason's: box-A has a route with
carp as device and box-B doesn't.

I've tried nat with and without source-hash. carp seems to work correctly
and pfsync runs on its own interface without filtering.

nat on if_wan from 10.10.10.10/16 to ! 10.10.10.10/16 -> x.x.x.x

pass quick on { if_sync } proto pfsync keep state (no-sync)
pass quick on { carp } proto carp keep state (no-sync)

Is someone running a load-balanced firewall solution and knows what to do
to solve the problem?


Thanks for every hint or info

Kind regards
Karl-Heinz




Problem with vhid in load-balancing carp in -current 4.4

2009-01-26 Thread Karl-Heinz Wild
Hi all

I try to configure a failover and load-balanced firewall
with carps.

I use for hostname.carp0 on the first and the second, with small
modifications:

inet 10.0.0.1 255.255.255.0 NONE balancing ip carpnodes 1:0,2:100 carpdev xl0 carppeer 172.16.0.1

This results in

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:12:5e:00:01:12
 priority: 0
 carp: carpdev xl0 advbase 1 balancing ip carppeer 172.16.0.1
 state MASTER vhid 1 advskew 100
 state MASTER vhid 2 advskew 0
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255

But where can I set the vhid? When I do so the vhid will not be shown.
And when I set the vhid explicitly to 1 the result is

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:12:5e:00:01:12
 priority: 0
 carp: BACKUP carpdev xl0 vhid 1 advbase 1 advskew 100 carppeer 172.16.0.1
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255

and now it seems that load-balancing doesn't work anymore.

Where can I set the vhid, or where is the vhid shown, or is it
unnecessary?

Thanks for your help.

Kind regards

Karl-Heinz




pf grouped per interface with anchors and brace ...

2008-07-15 Thread Karl-Heinz Wild
It might be not that useful, but looks nice :)
Loaded without errors. It should work :)



# Experimental filter
# to show the possibility of using anchors for grouping
# interfaces in readable sections

table <admin> { 1.1.1.1 } persist

set skip on { lo }
scrub in on wan_if

nat on wan_if from (lan_if) to !(lan_if) -> (wan_if:0)

antispoof for { wan_if, lan_if }

anchor external on wan_if {
block   # default rule
pass out proto { tcp, udp } to port > 1025  # restricted and maybe not useful
pass in from <admin>   # all for the admin
}

anchor internal on lan_if {
block out   # default block into the lan
pass  in# but all allowed from lan
}

---

Regards Karl-Heinz




pf label and viewing with tcpdump?

2008-03-18 Thread Karl-Heinz Wild

Hi.

After viewing the man pages and searching the internet
I couldn't find how to display pf tags/labels in tcpdump.

The other thing is how to display a tag in the states with
pfctl -ss?

Is it not implemented or did I miss the right information?

I hope that my questions aren't rubbish :)

Thanks for answering.

Regards
Karl-Heinz



Info gpio Support on alix - pcengines ...

2007-12-04 Thread Karl-Heinz Wild

Hi.

Marc Balmer gave me info about adding gpio support
for the new alix boards produced by pcengines.

I hope someone is interested in ... I'll sum it up ...

1. add to GENERIC config


gpio* at gscpcib?
glxpcib* at pci? # AMD CS5536 PCI-ISA bridge
gpio* at glxpcib?



2. booting the new kernel dmesg shows then


gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility


3. after making the device with MAKEDEV gpio0
4. initializing the gpio for

led 1 = 6; led 2 = 25 and led 3 = 27

with gpioctl -c [led] out iout

5. then - to set or reset the leds use

gpioctl [led] 1 || 0 || 2

for the rest rtfm - gpioctl.

This configuration works for me. Please correct me if something
is wrong or could be done better.

-
Karl-Heinz



pf tagging and matching over more than one interface ...

2005-11-11 Thread Karl-Heinz Wild

I try to tag a connection on the wan_if and,
according to the tag, restrict the
access on another interface, like:

an example ...

pass in quick on wan_if proto tcp from nuser to port 1194 tag NORM keep state
pass in quick on wan_if proto tcp from puser to port 1194 tag POWER keep state


pass in quick on tun_if to port { 80, 443 } tagged NORM  keep state
pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state

...

But I don't know why it doesn't work.
I thought that would work.

I ask for advice.
Thanks

Karl-Heinz



Re: pf altq blocking ssh

2005-10-10 Thread Karl-Heinz Wild

On 10.10.2005, at 16:35, John Kintaro Tate wrote:

> altq on $if cbq bandwidth 100Mb queue { all, local, http, ssh, rsets }

Try other names. One of them seems to be a keyword?!
{ xall, xlocal, xhttp, xssh, xrsets }

Karl-Heinz



pf and altq group interface ...

2005-10-10 Thread Karl-Heinz Wild

Maybe I've missed something.

ifconfig rl0 group wan_if

pf.conf:

- altq on wan_if cbq bandwidth 100Mb queue { http ssh }

produces an error when loading the ruleset,
but every other rule like

- pass in on wan_if proto tcp to port ssh keep state queue ssh

will be accepted.

Isn't that a bit confusing?

Karl-Heinz



ipsec, ipsecctl configuration

2005-09-16 Thread Karl-Heinz Wild

Hi.

I'm trying to use ipsecctl to manage my ipsec connection.
Is there a more detailed description/howto or some more
infos available?

Would be great.

Regards
Thanks.

Karl-Heinz



certpatch in 3.8 ...

2005-08-23 Thread Karl-Heinz Wild

I've installed a new server with 3.8 current.
I can't find certpatch anymore?

I installed a snapshot.
3.8 GENERIC#106 i386

Is the use of the program obsolete?

thanks.
regards.
Karl-Heinz



if group names with various networktools ...

2005-08-11 Thread Karl-Heinz Wild

Are there ideas to change tcpdump or other
networking tools so that they can be started with the
new group names instead of the ifnames?

tcpdump -evtni lan_if

instead of

tcpdump -evtni sis0

thanks
regards
Karl-Heinz



inetd and netstat with parameters

2005-06-24 Thread Karl-Heinz Wild

I try the following

/etc/services

netstat  /tcp

/etc/inetd

netstat stream  tcp nowait  root/usr/bin/netstat netstat - 
natafinet


$ nc localhost 

but I can't get any result.

Then I tried starting inetd -d to get some info on
where the problem could be, but no result.

My question is how to get this to work or how to
debug.

thanks
regards
Karl-Heinz



Re: djbdns DNS server? Status, Pros and Cons?

2005-05-25 Thread Karl-Heinz Wild

On 25.05.2005, at 07:20, Theo de Raadt wrote:

>> Is it not just a license problem that keeps djbdns out of the BSD's ?
>
>    just
>
> That word really does not belong there.  That's a phrase used in english
> often used to express how small a problem is.
>
> It is not a small problem.  It is fatal.

Maybe a stupid question, but is an OpenDNS out there?
I laughed as I thought about it, as I read the explanation
of the word just.

Kind regards
Karl-Heinz