sysctl - message queues

2009-04-06 Thread Mariusz Makowski
Is there any chance to change these settings:

option MSGMNB
option MSGMNI
option MSGSEG
option MSGSSZ
option MSGTQL

not by editing kernel sources, but by sysctl?

I only found that I can change:

kern.shminfo.shmmax
kern.shminfo.shmmin
kern.shminfo.shmmni
kern.shminfo.shmseg
kern.shminfo.shmall
kern.seminfo.semmni
kern.seminfo.semmns
kern.seminfo.semmnu
kern.seminfo.semmsl
kern.seminfo.semopm
kern.seminfo.semume
kern.seminfo.semusz
kern.seminfo.semvmx
kern.seminfo.semaem


Regards,
 Mariusz



Mail-ClamAV

2008-12-01 Thread Mariusz Makowski
Hello,

I am trying to compile the perl module Mail-ClamAV-0.22
(http://search.cpan.org/~sabeck/Mail-ClamAV-0.22/ClamAV.pm) for the
MailScanner clamavmodule, for virus checking.


At the beginning I had a problem with:


-- shell --
seth:~/Mail-ClamAV-0.22 # perl Makefile.PL
Checking if your kit is complete...
Looks good
Note (probably harmless): No library found for -lclamav
Writing Makefile for Mail::ClamAV
-- shell --


And I solved the problem by editing two files:


/usr/libdata/perl5/i386-openbsd/5.8.8/Config.pm
/usr/libdata/perl5/i386-openbsd/5.8.8/Config_heavy.pl


Replacing the line in
Config.pm
From: libpth => '/usr/lib',
To: libpth => '/usr/lib /usr/local/lib',

And
Config_heavy.pl
From: libpth='/usr/lib'
To: libpth='/usr/lib /usr/local/lib'


And now there are no errors about the missing library:


-- shell --
seth:~/Mail-ClamAV-0.22 # perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for Mail::ClamAV
-- shell --


And also make completed successfully.
Now I have another problem with make test and pthreads:


-- shell --
seth:~/Mail-ClamAV-0.22 # make test
PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/Mail-ClamAV....
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_create'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_getspecific'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_key_delete'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_once'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_key_create'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_mutex_unlock'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_mutex_lock'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_join'
/usr/bin/perl:/usr/local/lib/libclamav.so.8.0: undefined symbol 'pthread_setspecific'
t/Mail-ClamAV....ok 1/10
LibClamAV Warning: ***
LibClamAV Warning: ***  This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***
t/Mail-ClamAV....dubious
	Test returned status 0 (wstat 139, 0x8b)
DIED. FAILED tests 3-10
	Failed 8/10 tests, 20.00% okay
Failed Test      Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------
t/Mail-ClamAV.t     0   139    10   16 160.00%  3-10
Failed 1/1 test scripts, 0.00% okay. 8/10 subtests failed, 20.00% okay.
*** Error code 255

Stop in /home/cnav/Mail-ClamAV-0.22 (line 761 of Makefile).
-- shell --


--  line 761 of Makefile --
Line 761:
test_dynamic :: pure_all
	PERL_DL_NONLAZY=1 $(FULLPERLRUN) "-MExtUtils::Command::MM" "-e" "test_harness($(TEST_VERBOSE), '$(INST_LIB)', '$(INST_ARCHLIB)')" $(TEST_FILES)
--  line 761 of Makefile --


And now I am not quite sure how to solve this problem.
Here is some additional output from my system:



-- shell --
seth:~/Mail-ClamAV-0.22 # clamav-config --libs
-L/usr/local/lib -lz -L/usr/local/lib -lbz2 -R/usr/local/lib
-L/usr/local/lib -lgmp -R/usr/local/lib -liconv

seth:~/Mail-ClamAV-0.22 # pkg_info | grep clamav
clamav-0.93.3   virus scanner
-- shell --


As far as I checked, in ports clamav is built with pthread support.


-- random cut clamav Makefile from ports --
WANTLIB=		c milter pthread wrap z
CONFIGURE_ENV+=		LDFLAGS="-lpthread -L/usr/lib -L../libclamav/.libs -L${LOCALBASE}/lib" \
			CPPFLAGS="-I/usr/include -I${LOCALBASE}/include"
-- random cut clamav Makefile from ports --


If any of you has any idea how to solve this problem, please help.


Regards,
 Mariusz Makowski
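The "undefined symbol" lines in the make test output above are printed by the dynamic loader, not by perl: PERL_DL_NONLAZY=1 makes every symbol of the module's shared objects resolve at load time instead of on first use, and the wstat 139 (0x8b) reported for the test script is a process killed by signal 11, SIGSEGV. The check below is an added example and not code from the original post or from the Mail::ClamAV project. It reads `nm -D` and `objdump -p` (or `readelf -d`) output for a shared library and says whether the library references pthread_* symbols without declaring libpthread as a NEEDED dependency, which is the situation that produces exactly this kind of error when the library is loaded into a program that was not itself linked with -lpthread. The function names are mine, and the sample outputs embedded in the block are constructed, not captured from libclamav.

```shell
#!/bin/sh
# Added example (not from the original post): classify a shared library by
# whether it references pthread_* symbols and whether it declares libpthread
# as a dependency. The `nm -D` and `objdump -p` / `readelf -d` layouts
# assumed are the GNU/ELF ones; on OpenBSD `nm -D` and `ldd` give the same
# information.

# Read `nm -D` output on stdin; print undefined (U) pthread_* symbols, one per line.
undefined_pthread_syms() {
    awk '$1 == "U" && $2 ~ /^pthread_/ { print $2 }' | sort -u
}

# Read `objdump -p` or `readelf -d` output on stdin; print "yes" when a
# NEEDED entry for libpthread is present, "no" otherwise.
needs_libpthread() {
    if grep -E 'NEEDED.*libpthread' >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Verdict from the two answers above:
#   ok           no pthread use, or pthread use with libpthread declared
#   missing-dep  pthread symbols used but libpthread not declared; a program
#                that is not linked with -lpthread (the perl binary in the
#                post) then fails to load the library with "undefined symbol"
pthread_verdict() {
    syms=$1
    needed=$2
    if [ -z "$syms" ] || [ "$needed" = yes ]; then
        echo ok
    else
        echo missing-dep
    fi
}

# Run the check against a real file, e.g.:
#   check_lib /usr/local/lib/libclamav.so.8.0
check_lib() {
    lib=$1
    syms=$(nm -D "$lib" 2>/dev/null | undefined_pthread_syms)
    needed=$(objdump -p "$lib" 2>/dev/null | needs_libpthread)
    pthread_verdict "$syms" "$needed"
}

# Constructed sample output (not captured from a real libclamav), so the
# functions can be exercised without the library at hand.
SAMPLE_NM='0000000000003f10 T cl_scanfile
                 U pthread_create
                 U pthread_mutex_lock
                 U pthread_mutex_unlock
                 U malloc'
SAMPLE_DYN='Dynamic Section:
  NEEDED               libz.so.1
  NEEDED               libbz2.so.1
  NEEDED               libc.so.6'

demo() {
    syms=$(printf '%s\n' "$SAMPLE_NM" | undefined_pthread_syms)
    needed=$(printf '%s\n' "$SAMPLE_DYN" | needs_libpthread)
    printf 'undefined pthread symbols:\n%s\nlibpthread declared: %s\nverdict: %s\n' \
        "$syms" "$needed" "$(pthread_verdict "$syms" "$needed")"
}

demo
```

Running `check_lib` on the installed library is the quick way to tell whether the problem sits in how libclamav was linked (verdict missing-dep) or in how perl was built (verdict ok, yet the load still fails); in the second case `ldd /usr/bin/perl` shows whether the interpreter itself pulls in libpthread.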



Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread Mariusz Makowski

Frans Haarman wrote:

2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this:

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+------------------------+
|  217.109.108.240/28    |
+------------------------+
     |             |
     |             |
+--------+------+--------+
|   FW   |      |   FW   |   OpenBSD 4.3
| MASTER |pfsync|  SLAVE |
+--------+------+--------+
     |             |
     |             |
+------------------------+
|   PRIVATE NETWORKS     |
+------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure OpenBGPD to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with Cisco, but I have never found an OpenBGPD solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FWs with 'set nexthop self' on the BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please?
Is setting up iBGP sessions between the FWs and the BGP routers a good idea?
Should I rather use OSPF for this?
And in that case, how do I configure it to load balance/failover?

Many thanks

PS: load balancing incoming connections too would be very nice, but I
understood it was much more difficult.

--
Cordialement,
Pierre BARDOU




Just wondering...

What happens when you load balance your
traffic on your firewalls? So you divide
the traffic over both BGP routers:

http://www.openbsd.org/faq/pf/pools.html

Maybe you could even do the route-to
on the BGP routers?

Something like:

pass in route-to { ($ext_if $ext_ISP1), ($local_if $BGP2) } round-robin \
    from $lan_net to any keep state
# and on the other bgp router
pass in route-to { ($ext_if $ext_ISP2), ($local_if $BGP1) } round-robin \
    from $lan_net to any keep state

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH




You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a BGP solution.
I think with the default configuration you should have multipath capability. Check
that no localpref is chosen, and check your ISPs' prepend length.

Regards,
Mariusz Makowski
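The two things the reply says to check, localpref and prepend length, are the first two attributes bgpd compares when it picks a best path (highest localpref wins, then the shortest AS path), so a difference in either is enough for one upstream to win every time and the other to sit idle. As an added example, not part of the original thread and not OpenBGPD's own tooling, the shell/awk below reads `bgpctl show rib` output and prints, for a given prefix, each path's next hop, localpref and AS-path length, then says whether the paths are comparable at all. The column layout assumed (flags, destination, gateway, lpref, med, aspath, origin) is the one OpenBGPD printed at the time; newer releases add columns such as ovs, so adjust the field numbers for them. The sample output is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the paths bgpd holds
# for one prefix on the two attributes that decide before anything else,
# localpref and AS-path length. Assumes `bgpctl show rib` lines laid out as
#   flags destination gateway lpref med aspath... origin
# Function names are my own.

# Print "gateway lpref aspath-length" for every path to PREFIX (stdin = rib).
rib_paths() {
    awk -v prefix="$1" '$2 == prefix { print $3, $4, NF - 6 }'
}

# "yes" when all paths to PREFIX share one localpref and one AS-path length,
# "no" otherwise (also when no path to PREFIX is present at all).
equal_cost() {
    rib_paths "$1" | awk '
        NR == 1 { lpref = $2; aslen = $3; next }
        $2 != lpref || $3 != aslen { differ = 1 }
        END { v = (NR == 0 || differ) ? "no" : "yes"; print v }'
}

# Constructed sample approximating two default routes learnt from two
# upstreams; the second upstream has prepended its AS number once.
SAMPLE_RIB='flags destination          gateway          lpref   med aspath origin
*>    0.0.0.0/0            10.0.0.1           100     0 3215 i
*     0.0.0.0/0            10.0.1.1           100     0 12670 12670 i'

demo() {
    printf '%s\n' "$SAMPLE_RIB" | rib_paths 0.0.0.0/0
    printf 'equal cost: %s\n' "$(printf '%s\n' "$SAMPLE_RIB" | equal_cost 0.0.0.0/0)"
}

demo
```

On a live router, `bgpctl show rib | equal_cost 0.0.0.0/0` answers the question for the default route; when it says "no", `rib_paths` shows which attribute differs, and the fix belongs in bgpd.conf (a `set localpref` that should not be there, or a prepend on one upstream) rather than in pf. Only once both paths are equal does the multipath sysctl from the FAQ section linked above come into play.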



Re: OpenBSD + isakmpd + VPN concentrator 3060

2008-09-26 Thread Mariusz Makowski

I finally was able to set up the VPN connection.
The other side was configured in a wrong way, and the sum of all my ipsec.conf looks
like this:

-- ipsec.conf --
other_peer = c.c.c.c_public_ip


ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group modp1024 \
	psk somekey
-- ipsec.conf --

But I have another problem: a.a.a.a_net is not configured on my network
interface, it's just a net that NAT has to be done on.
I was reading a bit about doing NAT on OpenBSD with IPsec.
I've tried to do this:

-- conf --
ifconfig lo1 inet a.a.a.a_net
route add -net d.d.d.d_net a.a.a.a_host
and pf.conf:
nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
-- conf --


But it doesn't seem to work. Packets are showing up on lo1, but they are not going
through the flow/enc0 interface.

-- tcpdump lo1 --
09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
-- tcpdump lo1 --

flows:
flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type require

image :):
e.e.e.e_net (em0) | a.a.a.a_net (lo1) obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net

Regards,
Mariusz Makowski


OpenBSD + isakmpd + VPN concentrator 3060

2008-09-21 Thread Mariusz Makowski
, expiration in 60s
164003.841595 Timr 10 timer_add_event: event exchange_free_aux(0x85b87500) added last, expiration in 120s
164003.841694 Exch 10 exchange_establish_p1: 0x85b87500 HP Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 0
164003.841759 Exch 10 exchange_establish_p1: icookie 89c5123a508af611 rcookie
164003.841824 Exch 10 exchange_establish_p1: msgid
164003.842106 Timr 10 timer_add_event: event message_send_expire(0x82fcc380) added before connection_checker(0x8848bdf0), expiration in 7s
164003.915645 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc380)
164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
164003.915881 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
164003.927145 Timr 10 timer_add_event: event message_send_expire(0x82fcc380) added before connection_checker(0x8848bdf0), expiration in 7s
164004.016036 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc380)
164004.028960 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
164004.029187 Timr 10 timer_add_event: event message_send_expire(0x82fcc500) added before connection_checker(0x8848bdf0), expiration in 7s
164004.201816 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc500)
164004.201919 Default ipsec_validate_id_information: dubious ID information accepted
164004.201986 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
164004.202091 Exch 10 exchange_finalize: 0x85b87500 HP Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 5
164004.202156 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.202212 Exch 10 exchange_finalize: msgid
164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
164004.202380 Timr 10 timer_add_event: event sa_soft_expire(0x85b87900) added last, expiration in 3124s
164004.202443 Timr 10 timer_add_event: event sa_hard_expire(0x85b87900) added last, expiration in 3600s
164004.202536 Timr 10 timer_add_event: event exchange_free_aux(0x85b87c00) added before sa_soft_expire(0x85b87900), expiration in 120s
164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
164004.202670 Exch 10 exchange_establish_p2: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.202736 Exch 10 exchange_establish_p2: msgid 92fba8ce sa_list
164004.203164 Timr 10 timer_remove_event: removing event exchange_free_aux(0x85b87500)
164004.203278 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 7s
164004.288093 Timr 10 timer_add_event: event exchange_free_aux(0x85b87500) added before sa_soft_expire(0x85b87900), expiration in 120s
164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164004.288222 Exch 10 exchange_setup_p2: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.288278 Exch 10 exchange_setup_p2: msgid f4674a28 sa_list
164004.288347 Timr 10 timer_remove_event: removing event sa_hard_expire(0x85b87900)
164004.288406 Timr 10 timer_remove_event: removing event sa_soft_expire(0x85b87900)
164004.288475 Exch 10 exchange_finalize: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164004.288535 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.288596 Exch 10 exchange_finalize: msgid f4674a28 sa_list
164004.288654 Timr 10 timer_remove_event: removing event exchange_free_aux(0x85b87500)
164011.216819 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164011.217085 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 9s
164020.226826 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164020.227092 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 11s
164031.236823 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.237085 Default transport_send_messages: giving up on exchange LINK, no response from peer c.c.c.c_public_ip:500
-- isakmpd -d -DA=10 --

I am really bad at understanding these logs.

What we can see is this:
exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
But still nothing about the second phase.

Thanks for any help.
Mariusz Makowski
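The log above does record the second phase, just not in the words one might look for: the exchange_establish_p2 line with "exchange 32" is the quick-mode exchange for LINK being started (32 is the IPsec DOI exchange type for Quick Mode, 2 is main mode, 5 is Informational), the message_send_expire events at 7s, 9s and 11s are its retransmissions, and the final transport_send_messages line is isakmpd abandoning it because the peer never answered. The exchange_finalize line that mentions "phase 2 ... exchange 5" is an Informational exchange received from the peer, not a completed tunnel. As an added example, not part of the original post and not isakmpd's own tooling, the shell/awk below condenses an `isakmpd -d -DA=10` log into those facts. The sample lines are the ones from the debug output above, rejoined onto single lines; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise isakmpd debug output.
# Function names are my own. Exchange type numbers follow ISAKMP / IPsec DOI:
# 2 = identity protection (main mode), 5 = informational, 32 = quick mode.

# Read `isakmpd -d -DA=10` output on stdin and print one line per fact:
#   phase1=done|not-done
#   nat-t=yes|no
#   phase2 NAME=established|abandoned-no-reply|pending   (one per connection)
isakmpd_summary() {
    awk '
        /exchange_finalize: phase 1 done/            { p1 = "done" }
        /nat_t_check_vendor_payload: NAT-T capable/  { natt = "yes" }
        # quick-mode exchange started: field 6 is the connection name
        /exchange_establish_p2:/ && / phase 2 / && / exchange 32 / {
            if (!($6 in started)) order[++n] = $6
            started[$6] = 1
        }
        # quick-mode exchange finished; exchange 5 (informational) is ignored
        /exchange_finalize:/ && / phase 2 / && / exchange 32 / { done[$6] = 1 }
        /giving up on exchange/ {
            name = $0
            sub(/.*giving up on exchange /, "", name)
            sub(/,.*/, "", name)
            gaveup[name] = 1
        }
        END {
            s = (p1 != "") ? p1 : "not-done"
            print "phase1=" s
            s = (natt != "") ? natt : "no"
            print "nat-t=" s
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (c in done)        state = "established"
                else if (c in gaveup) state = "abandoned-no-reply"
                else                  state = "pending"
                print "phase2 " c "=" state
            }
        }'
}

# Lines from the debug output in the post, rejoined onto single lines.
SAMPLE_LOG='164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164004.288475 Exch 10 exchange_finalize: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164031.237085 Default transport_send_messages: giving up on exchange LINK, no response from peer c.c.c.c_public_ip:500'

demo() {
    printf '%s\n' "$SAMPLE_LOG" | isakmpd_summary
}

demo
```

On the log in the post this prints phase1=done, nat-t=yes and "phase2 LINK=abandoned-no-reply": phase 1 succeeded, the quick-mode proposal went out and was never answered. That pattern points at a phase 2 mismatch on the far end (proposal, identities or PFS), which is consistent with the follow-up in this thread where the other side turned out to be misconfigured. A peer that rejects the proposal usually also sends a notification, which would appear as an Informational exchange (type 5) right after the quick-mode attempt, as it does here.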



Re: OpenBSD + isakmpd + VPN concentrator 3060

2008-09-21 Thread Mariusz Makowski

Mariusz Makowski wrote:

Hello,

Firstly I want to mention that this is my beginning with ipsec/isakmpd
tunneling.


My problem is about making a connection from OpenBSD 4.3 to a Cisco VPN
concentrator 3060.
The Cisco concentrator is out of my reach, so I can't check the logs there, and I
can only hope that the configuration there is done well.


Here is my example:

a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net


What I want to achieve is: communication from a.a.a.a_net to d.d.d.d_net

What I know about the Cisco configuration:
- VPN concentrator 3060
- c.c.c.c_public_ip
- d.d.d.d_net
- VPN Method: IPSec
- Encryption: 3DES
- Key exchange: IKE
- Pre-Shared Key: somekey
- Perfect Forward Secrecy: Yes - Group 2 (1024 bits)
- Hashing: SHA-1
- Diffie-Hellman: Yes - Group 2
- Time Lifetime: 28800 seconds
- Encapsulation Mode: Tunnel
- Negotiation Mode: Main

OpenBSD:
- clean installation of 4.3
- no pf yet
- em0: a.a.a.a_net
- em1: b.b.b.b_public_ip

After a couple of hours of reading stuff on the internet and reading some
configuration files I achieved this configuration:


-- isakmpd.conf --
[General]
Listen-on= b.b.b.b_public_ip

[Phase 1]
c.c.c.c_public_ip= CONN

[Phase 2]
Connections  = LINK

[CONN]
Phase= 1
Transport= udp
Address  = c.c.c.c_public_ip
Configuration= Default-Main-Mode
Authentication   = somekey

[LINK]
Phase= 2
ISAKMP-Peer  = HP
Configuration= Default-Quick-Mode
Local-ID = LAN-1
Remote-ID= LAN-2

[LAN-1]
ID-Type  = IPV4_ADDR_SUBNET
Network  = a.a.a.a_net
Netmask  = a.a.a.a_netmask

[LAN-2]
ID-Type  = IPV4_ADDR_SUBNET
Network  = d.d.d.d_net
Netmask  = d.d.d.d_netmask

[Default-Main-Mode]
DOI  = IPSEC
Exchange_Type= ID_PROT
Transforms   = 3DES-SHA

[Default-Quick-Mode]
DOI  = IPSEC
Exchange_Type= QUICK_MODE
Suites   = QM-ESP-3DES-SHA-SUITE

[3DES-SHA]
ENCRYPTION_ALGORITHM = 3DES_CBC
HASH_ALGORITHM   = SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life = LIFE_3600_SECS

[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID  = IPSEC_ESP
Transforms   = QM-ESP-3DES-SHA-TRP-XF

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life = LIFE_28800_SECS

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life = LIFE_28800_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE   = TRANSPORT
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life = LIFE_28800_SECS

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200

[LIFE_28800_SECS]
LIFE_TYPE   = SECONDS
LIFE_DURATION = 28800
-- isakmpd.conf --

After this I am able to get through the first phase.
But I am unable to get the second.

Here is my debug:

-- isakmpd -d -DA=10 --
164003.690124 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
164003.690315 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
164003.690379 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
164003.690437 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
164003.690493 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
164003.690554 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
164003.690610 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
164003.690670 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
164003.690726 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
164003.690787 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
164003.690844 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]

164003.691747 Misc 10 monitor_init: privileges dropped for child process
164003.839514 Timr 10 timer_add_event: event connection_checker(0x8848bdf0) added last, expiration in 0s
164003.841346 Timr 10 timer_handle_expirations: event connection_checker(0x8848bdf0)
164003.841426 Timr 10 timer_add_event: event connection_checker

Re: OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Mariusz Makowski

check pfctl -sr -vv
use log and pflog
check pflog via tcpdump and you will find the answer
On 2007-05-21, at 20:36, Marcos Laufer wrote:


Hello,

I am testing pf on OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing
thru, just as if there was no 'block all'. What worries me most is that
anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets="{ 10.10.10.0/24 }"

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers="{ 10.10.10.4 }"
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends="{ 10.10.10.0/24 }"
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state

# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

##
# incoming

# private
friends="{ 10.10.10.0/24 }"
friends_srvs="{ ftp, ftp-data, ssh }"
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL and PgSQL
sql_www_apps_srv="{ 10.10.10.0/24 }"
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state
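The three-line reply at the top of this post is the right order of checks, and the first one is the decisive one: `pfctl -sr -vv` prints, under every loaded rule, how often it was evaluated and how many packets it matched. If `block all` and the pass rules show non-zero packet counts, pf is running and the question becomes which rule let the traffic through; if every counter stays at zero while traffic visibly flows, pf is not seeing the packets at all (not enabled, or the ruleset never loaded), and `pfctl -si` says which. The shell/awk below is an added example, not part of the original thread and not a pf tool; it reads the output of those two commands and reduces it to "is pf enabled" and "which rules have matched packets". The counter layout it assumes is the bracketed Evaluations/Packets/Bytes/States line pfctl prints with -vv; the sample ruleset output is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread: turn `pfctl -si` and
# `pfctl -sr -vv` output into a quick answer to "is pf doing anything?".
# Function names are my own; the layout assumed for -vv is the line
#   [ Evaluations: N  Packets: N  Bytes: N  States: N ]
# printed under each "@N rule" line.

# stdin: `pfctl -si`. Prints yes or no depending on the Status line.
pf_enabled() {
    if grep -q '^Status: Enabled'; then echo yes; else echo no; fi
}

# stdin: `pfctl -sr -vv`. Prints one tab-separated line per rule:
#   rule-number <TAB> evaluations <TAB> packets <TAB> rule text
pf_rule_counters() {
    awk '
        /^@[0-9]+ / {
            no = substr($1, 2)
            text = $0
            sub(/^@[0-9]+ /, "", text)
            have = 1
            next
        }
        have && /Evaluations:/ {
            for (i = 1; i < NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            print no "\t" ev "\t" pk "\t" text
            have = 0
        }'
}

# Only the rules that have matched packets. Combined with `log` on the
# block rules and `tcpdump -n -e -ttt -i pflog0`, this shows exactly which
# rule each unwanted packet hit.
pf_matched_rules() {
    pf_rule_counters | awk -F '\t' '$3 > 0'
}

# Constructed sample of `pfctl -sr -vv` output for a small ruleset; a live
# ruleset also prints an "[ Inserted: ... ]" line per rule, which is ignored.
SAMPLE_RULES='@0 block drop all
  [ Evaluations: 48        Packets: 3         Bytes: 180         States: 0     ]
@1 pass in quick on egress inet from <goodhosts> to any flags S/SA keep state
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
@2 block drop in quick log on egress inet from <badhosts> to any
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
@3 pass in quick inet proto tcp from 10.10.10.0/24 to 192.0.2.10 port = ssh flags S/SA keep state
  [ Evaluations: 37        Packets: 12        Bytes: 960         States: 1     ]'

demo() {
    printf 'rules with matched packets:\n'
    printf '%s\n' "$SAMPLE_RULES" | pf_matched_rules
}

demo
```

On the box in question: `pfctl -si | pf_enabled` first, then `pfctl -sr -vv | pf_matched_rules`. A ruleset that is loaded but shows a pass rule with a rising packet count for the ssh connections is a rule-order problem; a ruleset whose counters never move is pf not being enabled, which no amount of rule editing will fix.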