Setting up bwi0 as an access point

2009-05-16 Thread Parvinder Bhasin
Hi,

I recently bought the Linksys wpc54g PCI card to set up my system as a
wireless access point.  I am having issues setting it up in host-ap
mode.  Is this even supported?

thx. 



Re: Setting up bwi0 as an access point

2009-05-16 Thread Parvinder Bhasin
Correction: the Linksys card is WMP54GSV11, which was recommended for
this purpose.

thx.



 Hi,

 I recently bought the Linksys wpc54g PCI card to set up my system as
 a wireless access point.  I am having issues setting it up in host-ap
 mode.  Is this even supported?

 thx.



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-02 Thread Parvinder Bhasin
Another way would be through creating/editing /etc/boot.conf and  
having an entry for the mp kernel

ex:  boot wd0a:/bsd.mp

where wd0a is your root partition.

-Parvinder Bhasin

On May 2, 2009, at 5:03 PM, Anon Y. Mous wrote:


I am running OBSD 4.4/i386 on a Dell Inspiron 6400 (E1505) w/ 2GB RAM
and a 2.0 GHz Intel Core 2 Duo CPU (Merom).

I am running the GENERIC OBSD 4.4/i386 'bsd' kernel and would like
to set up the bsd.mp kernel instead.

How do I go about this?

Attached is my dmesg as a text file.

-minsai

Perl and MCPAN on OBSD4.4

2009-04-29 Thread Parvinder Bhasin
Wondering if it's only me, but installing any module from MCPAN is
erroring out with CHECKSUM MISMATCH for ANY module.
Does anyone know why this might be happening?  I have tried it on my 3
OBSD systems.  On the 3rd one I actually did a FRESH install of the OS
4.4.  Still the same issue.  I even tried installing the MD5 module
first, but still issues.  On the other hand, configured with the same
mirrors on my Mac, installation is totally fine.


Appreciate any help.

Thanks
Parvinder Bhasin



Re: Perl and MCPAN on OBSD4.4

2009-04-29 Thread Parvinder Bhasin
Got it working... What do you know, just by setting the env variable
FTP_PASSIVE=1 everything is working like a charm.


-Parvinder Bhasin
On Apr 28, 2009, at 11:57 PM, Parvinder Bhasin wrote:

Wondering if it's only me, but installing any module from MCPAN is
erroring out with CHECKSUM MISMATCH for ANY module.
Does anyone know why this might be happening?  I have tried it on my
3 OBSD systems.  On the 3rd one I actually did a FRESH install of
the OS 4.4.  Still the same issue.  I even tried installing the
MD5 module first, but still issues.  On the other hand, configured with the same
mirrors on my Mac, installation is totally fine.


Appreciate any help.

Thanks
Parvinder Bhasin




Re: OpenBSD as Wireless access point

2009-04-23 Thread Parvinder Bhasin

Thanks All for the replies.  Really appreciate it.

On Apr 23, 2009, at 4:22 AM, Sergey Khentov wrote:


D-Link DWA-520 (it is Atheros-based wireless) works more or less OK.
One issue - WPA2 is not working yet :(

--  
BR,

Sergey Khentov

2009/4/23 Parvinder Bhasin parvinder.bha...@gmail.com:

All,

Can someone suggest a good WORKING wireless PCI or USB card (PCI
preferred) that I could use for setting up a machine as a wireless
access point?
I have tried 3-4 cards already and learnt that they were not
supported for the AP mode.

Thanks




OpenBSD as Wireless access point

2009-04-22 Thread Parvinder Bhasin

All,

Can someone suggest a good WORKING wireless PCI or USB card (PCI
preferred) that I could use for setting up a machine as a wireless access
point?
I have tried 3-4 cards already and learnt that they were not supported
for the AP mode.


Thanks



snort 2.8 on OpenBSD 4.4 and Segmentation fault

2009-02-21 Thread Parvinder Bhasin

Hi,

Anyone else getting a SEGMENTATION FAULT error while running snort 2.8
on OpenBSD 4.4?

I updated my ports to the latest and still getting segmentation fault.

Here is the tailed output of running snort...

Initializing Network Interface rl0
Decoding Ethernet on interface rl0
database: compiled support for ( mysql )
database: configured to use mysql
database:  user = snort
database: password is set
database: database name = snort
database:  host = localhost
database:   sensor name = 75.44.229.20
database: sensor id = 1
database: schema version = 107
database: using the log facility
database: compiled support for ( mysql )
database: configured to use mysql
database:  user = snort
database: password is set
database: database name = snort
database:   sensor name = 75.44.229.20
database: sensor id = 1
Segmentation fault

Any help highly appreciated.

Thx.



Nepenthes on OBSD

2009-01-25 Thread Parvinder Bhasin

Hi,

I installed Nepenthes from ports on OBSD and when I run it, I get
this message saying:


[ crit mgr ] Compiled without support for capabilities, no way to run
capabilities


Even though I see it working (sort of), I don't think it's working
as expected.  It has been running for a couple of days and hasn't caught
anything.  I have Nepenthes on an Ubuntu machine; it doesn't give me
this message and has caught many binaries in the wild.


Can anyone point out why I am getting this message, or the fix?  I
tried compiling it from scratch with --enable-capabilities but still I
get the same message.

I would appreciate any help.

Thanks
Parvinder Bhasin



Cannot FTP to ftp.openbsd.org

2009-01-23 Thread Parvinder Bhasin
Cannot ftp to ftp.openbsd.org from my openbsd machine.  This is not in
front of a firewall; this machine is actually connected to the internet
directly.


Here is where it stops:

ftp> open ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.


If I try to ftp to some other ftp site, they all work fine.

I have disabled pf on this for testing with same result.

Any suggestions?

Thanks



Re: Cannot FTP to ftp.openbsd.org

2009-01-23 Thread Parvinder Bhasin
Never mind this email... it turns out the server was REALLY slow in
responding and I was impatient (I guess).


Thx.
On Jan 23, 2009, at 3:58 PM, Parvinder Bhasin wrote:

Cannot ftp to ftp.openbsd.org from my openbsd machine.  This is not
in front of a firewall; this machine is actually connected to the
internet directly.


Here is where it stops:

ftp> open ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.


If I try to ftp to some other ftp site, they all work fine.

I have disabled pf on this for testing with same result.

Any suggestions?

Thanks




Re: Cannot FTP to ftp.openbsd.org

2009-01-23 Thread Parvinder Bhasin
Thanks for the response Stuart.  You may be right there, as I set up
another box (different network, same OS (obsd)) but saw slowness only
on one and not the other.  Also, the weird thing was that the slowness was
only in getting back the user prompt.  After that, login and file
transfers were all fast.


Thanks for looking into this.
-Parvinder Bhasin

On Jan 23, 2009, at 5:35 PM, Stuart Henderson wrote:


On 2009-01-23, Parvinder Bhasin parvinder.bha...@gmail.com wrote:

Never mind this email... it turns out the server was REALLY slow in
responding and I was impatient (I guess).


not sure about this particular occasion, but delays at that point are
often caused by broken reverse dns for the client's IP address.




Re: 10G NIC - Netxen

2009-01-19 Thread Parvinder Bhasin

Thanks Tico!!

I was wondering about the fiber version and not the copper.

-Parvinder Bhasin

On Jan 13, 2009, at 9:29 PM, tico wrote:


Parvinder Bhasin wrote:

Hi,

Anyone have any experience with 10G NICs from Netxen (fiber) and
OBSD 4.x?

I don't see it under the supported NICs list.

Thanks


Parvinder,

By searching in the usual places I found the following:

I went to the misc@ archives and searched netxen and got the  
following result:

http://marc.info/?l=openbsd-misc&m=117685930328686&w=2

The want page lists 10Gig ethernet as an area of development  
currently:

http://www.openbsd.org/want.html

And the man pages for -current list the 'nx' driver, but not 4.4:
http://www.openbsd.org/cgi-bin/man.cgi?query=nx&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

And CVS shows that nx is no longer in the tree:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/Attic/if_nx.c

As for the hardware itself, I have no experience with it.

-Tico




10G NIC - Netxen

2009-01-13 Thread Parvinder Bhasin

Hi,

Anyone have any experience with 10G NICs from Netxen (fiber) and OBSD
4.x?

I don't see it under the supported NICs list.

Thanks



Pflow and ifconfig

2008-12-28 Thread Parvinder Bhasin

Hi,

I installed 4.4 from the CD and was wondering how I can get the latest
pflow pseudo device created using ifconfig.  I know 4.4 doesn't YET
have support for the new pseudo device, but I believe it's available in
the latest -current version of OpenBSD.  My question is how do I bring
my installation up to the newest stable release?


Thanks



Setting up OpenBSD as a PPPoE router

2008-11-08 Thread Parvinder Bhasin

Hi,

I have STATIC DSL with 5 static IPs.  I don't use the Netopia router
that came with it; instead I used OpenBSD as the router/firewall.  So
for this I set up OpenBSD on a box with pppoe and pf.  The setup works
totally fine.  People can reach my webservers fine, which are BEHIND my
OpenBSD firewall.  I have set up one-to-one NAT translation (binat) for
this.


Here comes the dilemma:
For setting up a high-interaction honeynet, I would like to set up a
box with one of the 5 IPs given to me on that DSL connection and
have that box sit OUTSIDE of the OpenBSD firewall.  Is there a way to
do this?  Any help is highly appreciated.


Basically what I am saying here is I take another box (honeypot
server), give a public IP to that box and point its gateway to the
OPENBSD box.  How can I do this?  This is sort of making this honeypot
server sit right NEXT to the OpenBSD firewall, using OpenBSD as just a
ROUTER for the honeypot server.


Thanks in advance.  Any help is highly appreciated.

-Parvinder Bhasin



Setting up OpenBSD as a PPPoE router

2008-11-08 Thread Parvinder Bhasin
Just to put everything in visual perspective:

Hi,

I have STATIC DSL with 5 static IPs.  I don't use the Netopia router
that came with it; instead I used OpenBSD as the router/firewall.  So
for this I set up OpenBSD on a box with pppoe and pf.  The setup works
totally fine.  People can reach my webservers fine, which are BEHIND my
OpenBSD firewall.  I have set up one-to-one NAT translation (binat) for
this.

Here comes the dilemma:
For setting up a high-interaction honeynet, I would like to set up a
box with one of the 5 IPs given to me on that DSL connection and
have that box sit OUTSIDE of the OpenBSD firewall.  Is there a way to
do this?  Any help is highly appreciated.

Basically what I am saying here is I take another box (honeypot
server), give a public IP to that box and point its gateway to the
OPENBSD box.  How can I do this?  This is sort of making this honeypot
server sit right NEXT to the OpenBSD firewall, using OpenBSD as just a
ROUTER for the honeypot server.

Thanks in advance.  Any help is highly appreciated.

-Parvinder Bhasin

[demime 1.01d removed an attachment of type image/tiff which had a name of 
pastedGraphic.tiff]



Re: Need Help badly - PF related

2008-09-23 Thread Parvinder Bhasin
I have done this already for the sake of troubleshooting.  I have
tried removing BLOCKs, I have tried removing antispoof,
I have tried re-writing the redirector by putting pass, but for some
reason PF doesn't seem to like packets coming from some DSL links.  I
have also tried various scrubbing rules.  But no luck there either.
To add to this confusion, when I spin off a PIX firewall, everything
(all the connections) can connect to the web servers.


I don't know about this, but do I file a bug report???  I know I will
probably get flamed, but I have tried everything here, though I still
haven't given up on this.  I would appreciate it if someone who has
worked on PF's code could help with this.  I know they may not have
time... but I would appreciate some feedback.  I can provide all the
troubleshooting steps and in fact give access to systems (remote) if
needed, with all the wonderful sniffing tools etc.


-Parvinder Bhasin

On Sep 23, 2008, at 12:06 AM, John Jackson wrote:


Comments are inline.

On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:

I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.  I don't know what gives.  I
have asked on the list for help but still haven't resolved this.  I
would really appreciate any help.  Why is the user in the below pflog
getting blocked, whereas most of the users can access the website
just fine?  I have spent countless hours on this.  I really don't want
a PIX firewall.  When I switch to the PIX the access seems fine.


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)



Here is my pf.conf file:

# MACROS 
ext_if=fxp1
int_if=fxp0
pf_log=pflog0

icmp_types=echoreq

# OPTIONS #
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in



What are you trying to accomplish with the following?  I assume
NAT'ing outbound traffic from internal networks?  If so try creating a
macro for your internal networks and explicitly NAT that.


nat on $ext_if from !($ext_if) -> ($ext_if:0)


Try this (put the table statement in the appropriate place with your
internal networks):
 table <internal_nets> persist { 10.0.0.0/24, 172.16.0.0/24 }
 nat on $ext_if from <internal_nets> to any -> ($ext_if:0)


nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"



You may gain some clarity by placing a 'pass' in your rdr instead of
a separate pass rule down lower:
 rdr pass on $ext_if inet proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state


For the sake of troubleshooting try removing the $int_if in the
antispoof statement:


antispoof quick for { lo $int_if }




pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80
flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22
flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if



I'd try simplifying as much as possible while troubleshooting, like
commenting out the default 'block' rule and see if the 'antispoof' is
tripping you up and vice versa.




Re: Need Help badly - PF related

2008-09-23 Thread Parvinder Bhasin
Thanks a lot guys, I seem to have resolved the problem.  So in short,
it seems like the Netopia 30xx series router was doing some funky
thing with packets which PF was rightfully rejecting (as they were not
normalized).  This is just my theory.  Once I converted my OpenBSD box
to the router and the Netopia box to a dumb bridge, it all worked
like a charm.


Appreciate the group's help on this.

I would like to personally thank you guys for taking the time to
troubleshoot this with me.


Thanks:  John Jackson, Stuart Henderson, Bryan, Mark and above all
Jason Dixon.


-Parvinder Bhasin

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.


  Why is the user in the below pflog
getting blocked.  Where as most of the user can access the website
just fine.


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)


Here is my pf.conf file:

# MACROS 
ext_if=fxp1
int_if=fxp0
pf_log=pflog0

icmp_types=echoreq

# OPTIONS #
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80
flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22
flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if


If this is a newer OS version, flags S/SA and keep state are  
redundant.
If it's an old one, your pass in quick on $int_if should also use  
them.




Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.

Stuart/Jason:

The OS version is 4.3.
I did pfctl -x misc and I don't see any messages appearing related
to the bad connection from that IP.  I logged on remotely on one of
the systems and tried accessing the site, but nothing showed up in
/var/log/messages.  Here is the output:


# pfctl -x misc
debug level set to 'misc'
# tail -f /var/log/messages
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org  
(209.132.176.4)
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org  
(208.53.158.34)

Sep 20 02:00:01 firetalk syslogd: restart
Sep 20 04:00:02 firetalk syslogd: restart
Sep 20 14:00:02 firetalk syslogd: restart
Sep 21 02:00:01 firetalk syslogd: restart
Sep 21 20:43:56 firetalk ntpd[18456]: 3 out of 5 peers valid
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org  
(209.132.176.4)
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org  
(208.53.158.34)

Sep 22 02:00:01 firetalk syslogd: restart


Here is the output from pfctl -vss - with the host (75.18.177.36)
trying to access the website:


# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654074524 + 524232] wscale 0  [3656802774 + 16952] wscale 3
   age 00:07:21, expires in 24:00:00, 490:427 pkts, 35301:77260 bytes, rule 11
all tcp 216.39.62.89:25 <- 172.16.10.12:29315       CLOSED:SYN_SENT
   [0 + 16384]  [4185608820 + 1]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 14
all tcp 172.16.10.12:29315 -> 75.44.229.17:61775 -> 216.39.62.89:25       SYN_SENT:CLOSED
   [4185608820 + 1]  [0 + 16384]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 1
all udp 75.44.229.17:21902 -> 66.250.45.2:123       MULTIPLE:SINGLE
   age 00:00:22, expires in 00:00:09, 1:1 pkts, 76:76 bytes, rule 1
# pfctl -vss | grep 75.18.177.36
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654079468 + 524232] wscale 0  [3656804886 + 16952] wscale 3
   age 00:09:38, expires in 24:00:00, 603:497 pkts, 43349:85892 bytes, rule 11
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
   [2398465402 + 65535]  [930424393 + 5840]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   [930424393 + 5840]  [2398465402 + 65535]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 1
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:31, expires in 00:00:40

Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:
I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the host (75.18.177.36) trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not going to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your  
rdr's.

I think the inbound traffic is having the src_addr translated to your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
#


-Parvinder Bhasin





--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED] wrote:

I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the host (75.18.177.36) trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not going to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your
rdr's.
I think the inbound traffic is having the src_addr translated to your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state

pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128



# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT








--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
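Jason's request to line the `pfctl -ss` states up against the packets logged on pflog0 can be scripted. The Python below is an added example, not code from this thread or from OpenBSD: it parses the two output formats quoted above (tcpdump pflog records and `pfctl -ss` state lines), with sample input constructed inline from the thread's own lines plus one invented pflog line, and reports which blocked packets have no state covering them.

```python
"""Correlate pflog block records with pf state entries.

Parses tcpdump-on-pflog0 lines and `pfctl -ss` state lines into the
addresses and ports they carry, then reports, for each blocked packet,
which states (if any) already cover that connection.  A blocked packet
with no covering state is a mid-stream packet pf never saw a SYN for.
"""
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, Optional[int]]

# Constructed sample input.  The first two pflog lines and the :1125 states
# are the ones quoted in the thread; the third pflog line is invented so
# that one blocked packet does correlate with a state.
PFLOG_SAMPLE = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
Sep 21 21:54:02.118822 rule 0/(match) block in on fxp1: 75.18.177.36.1125 > 172.16.10.11.80: [|tcp] (DF)
"""
STATE_SAMPLE = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 10
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# "<iface> <proto> <endpoint chain>   <src_state>:<dst_state>"
STATE_RE = re.compile(r"^(?P<iface>\S+) (?P<proto>\w+) (?P<chain>.+?)\s+(?P<states>\S+:\S+)$")


def split_host_port(text: str, sep: str) -> Endpoint:
    """'172.16.10.11.80' (tcpdump) or '172.16.10.11:80' (pfctl) -> (host, port)."""
    host, _, port = text.rpartition(sep)
    return host, int(port)


def parse_pflog_line(line: str) -> Optional[Dict]:
    """Parse one tcpdump pflog record; returns None for lines that are not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    proto_m = re.search(r"\b(tcp|udp|icmp)\b", m["rest"])
    proto = proto_m.group(1) if proto_m else None
    if proto in ("tcp", "udp"):  # only these carry a trailing .port
        src, dst = split_host_port(m["src"], "."), split_host_port(m["dst"], ".")
    else:
        src, dst = (m["src"], None), (m["dst"], None)
    return {"ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "dir": m["dir"], "iface": m["iface"], "proto": proto,
            "src": src, "dst": dst}


def parse_state_line(line: str) -> Optional[Dict]:
    """Parse one `pfctl -ss` entry.  Continuation lines from -vss (age,
    window sizes) do not match the pattern and yield None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    parts = re.split(r"\s+(<-|->)\s+", m["chain"])  # endpoint, arrow, endpoint, ...
    endpoints = [split_host_port(p, ":") for p in parts[0::2]]
    arrows = parts[1::2]
    return {"iface": m["iface"], "proto": m["proto"], "endpoints": endpoints,
            # pf prints inbound states as "lan <- gw <- ext", outbound ones with "->"
            "direction": "in" if arrows and arrows[0] == "<-" else "out",
            "states": m["states"]}


def states_for_packet(packet: Dict, states: List[Dict]) -> List[Dict]:
    """States whose endpoint chain contains both ends of the blocked packet.
    The chain may also hold the pre-NAT address, so membership is checked
    rather than strict positional equality."""
    wanted = {packet["src"], packet["dst"]}
    return [s for s in states
            if s["proto"] == packet["proto"] and wanted <= set(s["endpoints"])]


def correlate(pflog_text: str, state_text: str) -> List[Dict]:
    """For every blocked packet, attach the list of states that cover it."""
    states = [s for s in map(parse_state_line, state_text.splitlines()) if s]
    out = []
    for p in filter(None, map(parse_pflog_line, pflog_text.splitlines())):
        if p["action"] == "block":
            out.append({"packet": p, "matches": states_for_packet(p, states)})
    return out


def fmt_endpoint(ep: Endpoint) -> str:
    return ep[0] if ep[1] is None else f"{ep[0]}:{ep[1]}"


if __name__ == "__main__":
    for item in correlate(PFLOG_SAMPLE, STATE_SAMPLE):
        p = item["packet"]
        flow = f"{fmt_endpoint(p['src'])} > {fmt_endpoint(p['dst'])} on {p['iface']}"
        if item["matches"]:
            print(f"{flow}: blocked despite {len(item['matches'])} matching state(s)")
        else:
            print(f"{flow}: blocked, no state covers it (mid-stream packet?)")
```

On the thread's own two pflog lines the script reports no covering state, which is the situation Jason was asking Parvinder to confirm by hand.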




Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED]
wrote:
I have users that can access the website fine (75.44.229.18)  
and

some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any  
output
from around the time of a failed connection. Include the  
relevant

state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the host(75.18.177.36)
trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not
going
to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your
rdr's.
I think the inbound traffic is having the src_addr translated to
your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


And the blocked packets?



How should I capture them?  Did you mean via pflog?

Thanks
Parvinder bhasin

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin

On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin  
wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED]
wrote:

I have users that can access the website fine
(75.44.229.18) and
some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're  
running.

Set pfctl -x misc and watch /var/log/messages, include any
output
from around the time of a failed connection. Include the
relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the  
host(75.18.177.36)

trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not
going
to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your
rdr's.
I think the inbound traffic is having the src_addr translated to
your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


And the blocked packets?



How should I capture them?  Did you mean via pflog?


Yes, just like you did before.  I'd like to see where they're being
passed (pfctl -ss) *and* blocked (pflog) at the same time.


Jason,

Here are the blocked packets and the pfctl -ss, pfctl -sn, pfctl -sr dump.


# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:57:38.496743 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)



# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128

# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags

Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin
Any word Jason/Stuart?  I am stuck at this.  I have had sniffers all
over the place to see what was wrong that PF was NOT liking this
connection, but nothing turned up.


-Parvinder Bhasin

On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin  
wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED]
wrote:

I have users that can access the website fine
(75.44.229.18) and
some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're  
running.

Set pfctl -x misc and watch /var/log/messages, include any
output
from around the time of a failed connection. Include the
relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the  
host(75.18.177.36)

trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not
going
to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your
rdr's.
I think the inbound traffic is having the src_addr translated to
your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128


# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


And the blocked packets?



How should I capture them?  Did you mean via pflog?


Yes, just like you did before.  I'd like to see where they're being
passed (pfctl -ss) *and* blocked (pflog) at the same time.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Need Help badly - PF related

2008-09-22 Thread Parvinder Bhasin
Here is some more info:  The request gets to the web server but when  
webserver is responding back to the client's request, PF BLOCKS the  
request:


Here is tcpdump view from webserver:

20:44:47.539217 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:51.738331 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:44:57.737882 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:09.935925 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:45:33.932113 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.124476 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 172.16.10.11.80 > 75.18.177.36.1120: S [tcp sum ok] 802414809:802414809(0) ack 740304551 win 5840 <mss 1460,nop,nop,sackOK>
20:46:22.125818 IP (tos 0x10, ttl  64, id 35465, offset 0, flags [DF], proto 6, length: 40) 75.18.177.36.1120 > 172.16.10.11.80: R [tcp sum ok] 1:1(0) ack 1 win 0



Here is PF blocking the same:

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Sep 22 22:16:18.905238 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)
Sep 22 22:17:07.101648 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)



Why is PF blocking???

HELP!!!



On Sep 22, 2008, at 11:40 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:

On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:


On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:


On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:

On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin  
wrote:

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:


On 2008-09-22, Parvinder Bhasin [EMAIL PROTECTED]
wrote:

I have users that can access the website fine
(75.44.229.18) and
some
user that complain they can't access it.


Include the dmesg so we can see what OS version you're  
running.

Set pfctl -x misc and watch /var/log/messages, include any
output
from around the time of a failed connection. Include the
relevant
state table entries from pfctl -vss.


Here is the output from pfctl -vss - with the  
host(75.18.177.36)

trying
to access the website:


Please do that again, but grep only the relevant bits.  I'm not
going
to
sift through all the noise.

$ sudo pfctl -ss | grep 75.18.177.36

I'm pretty sure your outbound nat needs to be moved *after* your
rdr's.
I think the inbound traffic is having the src_addr translated to
your
firewall's ($ext_if)


Jason,

Here it is without the noise.

# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
let's correlate your states to the logged blocks.  In separate
terminals, do the `pfctl -ss | grep foo` and then find the
corresponding traffic in pflog0 that's being blocked.  Let's see them
both.



# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0

Need Help badly - PF related

2008-09-21 Thread Parvinder Bhasin
I have users that can access the website fine (75.44.229.18) and some
users who complain they can't access it.  I don't know what gives.  I
have asked on the list for help but still haven't resolved this.  I
would really appreciate any help.  Why is the user in the below pflog
getting blocked, whereas most of the users can access the website
just fine?  I have spent countless hours on this.  I really don't want
a PIX firewall.  When I switch to the pix the access seems fine.


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)



Here is my pf.conf file:

# MACROS 
ext_if=fxp1
int_if=fxp0
pf_log=pflog0

icmp_types=echoreq

 OPTIONS #
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
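The state-versus-pflog correlation that Jason asks for in this thread, written out as an added example (it is not code from the original posts or from OpenBSD): it parses `pfctl -ss` lines in the pre-4.4 arrow format the thread shows, and `tcpdump -n -e -ttt -i pflog0` records, and for each logged block reports whether pf already held a state for that 4-tuple. The sample text embedded below is constructed from addresses that appear in the thread, not a real capture.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

Endpoint = tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class State:
    iface: str                   # "all" = floating state, otherwise the bound interface
    origin: Endpoint             # the host that created the state
    peers: tuple[Endpoint, ...]  # far end, before and after any nat/rdr translation
    tcp_states: str              # e.g. "ESTABLISHED:SYN_SENT"


@dataclass(frozen=True)
class Block:
    iface: str
    direction: str               # "in" or "out"
    reason: str                  # pflog reason code, e.g. "match" (= decided by the ruleset)
    src: Endpoint
    dst: Endpoint


def _endpoint(text: str, sep: str) -> Endpoint:
    """'172.16.10.11:80' (pfctl, sep=':') or '172.16.10.11.80' (tcpdump, sep='.')."""
    host, port = text.rsplit(sep, 1)
    return host, int(port)


# Pre-4.4 pfctl -ss format assumed: "all tcp A <- B <- C   X:Y" for inbound states
# (the rightmost host created the state) and "all tcp A -> B   X:Y" for outbound ones.
STATE_RE = re.compile(r"^(?P<iface>\S+)\s+tcp\s+(?P<chain>.+?)\s+(?P<ts>[A-Z_0-9]+:[A-Z_0-9]+)$")
# One record of "tcpdump -n -e -ttt -i pflog0" in the form shown in the thread.
BLOCK_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>\w+) (?P<dir>in|out) on "
    r"(?P<iface>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)


def parse_states(text: str) -> list[State]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        if " -> " in m.group("chain"):
            hops = [_endpoint(h, ":") for h in m.group("chain").split(" -> ")]
            origin, peers = hops[0], tuple(hops[1:])
        else:
            hops = [_endpoint(h, ":") for h in m.group("chain").split(" <- ")]
            origin, peers = hops[-1], tuple(hops[:-1])
        states.append(State(m.group("iface"), origin, peers, m.group("ts")))
    return states


def parse_blocks(text: str) -> list[Block]:
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m and m.group("action") == "block":
            blocks.append(Block(m.group("iface"), m.group("dir"), m.group("reason"),
                                _endpoint(m.group("src"), "."), _endpoint(m.group("dst"), ".")))
    return blocks


def matching_state(blk: Block, states: list[State]) -> Optional[State]:
    """Return a state covering this packet's 4-tuple in either direction, or None."""
    for st in states:
        if st.iface != "all" and st.iface != blk.iface:
            continue  # an interface-bound state on another interface cannot match
        forward = blk.src == st.origin and blk.dst in st.peers
        reply = blk.dst == st.origin and blk.src in st.peers
        if forward or reply:
            return st
    return None


def correlate(states_text: str, pflog_text: str) -> list[tuple[Block, Optional[State]]]:
    states = parse_states(states_text)
    return [(blk, matching_state(blk, states)) for blk in parse_blocks(pflog_text)]


def report(states_text: str, pflog_text: str) -> list[str]:
    """One verdict per block: NO STATE (the ruleset decided) or HAS STATE (state lookup missed)."""
    out = []
    for blk, st in correlate(states_text, pflog_text):
        flow = f"{blk.direction} on {blk.iface} {blk.src[0]}:{blk.src[1]} > {blk.dst[0]}:{blk.dst[1]} ({blk.reason})"
        verdict = ("NO STATE: the ruleset decided this, review rule order" if st is None else
                   f"HAS STATE {st.tcp_states} on {st.iface}: lookup missed, check its interface binding")
        out.append(f"{flow} -> {verdict}")
    return out


# Constructed sample input using the addresses from the thread (not a real capture).
SAMPLE_STATES = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1120       SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1120 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
"""
SAMPLE_PFLOG = """\
Sep 22 11:57:34.445702 rule 0/(match) block in on fxp1: 222.134.38.214.80 > 75.44.229.17.64783: [|tcp]
Sep 22 11:58:59.557561 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1058: [|tcp] (DF)
Sep 22 22:16:18.905238 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1120: [|tcp] (DF)
"""
```

Feed it the real `pfctl -ss | grep <client>` and pflog output captured at the same moment (`report(states, pflog)`); a block whose flow already has a state is a different problem from one the ruleset never passed.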



scrubbing problem(s) with pf

2008-09-09 Thread Parvinder Bhasin
I am having a hard time with an issue: some of the DSL (ATT) users are having
issues connecting to a website behind my openbsd firewall.  Now if I
switch it back to cisco asa, access works flawlessly.


Everyone including those on DSL(ATT) is able to access the website
(with cisco) but as soon as I put my Openbsd firewall in, website access
for SOME DSL (ATT) users stops working.


I troubleshot the problem to be related to scrubbing
(normalization of packets).
So I tried a couple of options in the scrubbing rules and got a couple of
people experiencing the problem working, but there are a few still
complaining that they can't access the site.  I have tried this from
multiple different connections.  Even with Verizon EVDO internet
access, people can't access the site.  It's really weird and I have
been pulling my hair out on this.  I don't really want to put another
firewall in.


I would like to know what other people who are running openbsd as  
firewall are using for scrubbing.


Here is what I used first time:

scrub in all

and then changed to

scrub in all no-df
scrub out all no-df

and got a few of the DSL users to see the site but then others still can't.
Verizon users can't either.


Any thoughts/help highly appreciated.  I don't want to go BALD :)

Thanks



Re: scrubbing problem(s) with pf

2008-09-09 Thread Parvinder Bhasin

Todd,

Yes I have.  The problem is we cannot change anything on the client  
end we can only fix it on our end.  We have tried with cisco fw and  
the access works with those same people having issues but as soon as  
we put openbsd pf people begin to complain.  These are just few users  
that we are testing there may be other users who cannot reach the site  
either (which we don't know about).


-Parvinder Bhasin

On Sep 9, 2008, at 10:08 AM, Todd T. Fries wrote:

Did you read the pf suggestions via pppoe(4) ?  ATT tends to use  
pppoe(4)..

--
Todd Fries .. [EMAIL PROTECTED]

_
| \  1.636.410.0632  
(voice)
| Free Daemon Consulting, LLC \  1.405.227.9094  
(voice)

| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| ..in support of free software solutions.  \  250797 (FWD)
| \
\\

 37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
   http://todd.fries.net/pgp.txt

Penned by Parvinder Bhasin on 20080909  9:59.02, we have:
I am having a hard time with an issue: some of the DSL (ATT) users are
having issues connecting to a website behind my openbsd firewall.  Now if I
switch it back to cisco asa, access works flawlessly.

Everyone including those on DSL(ATT) is able to access the website
(with cisco) but as soon as I put my Openbsd firewall in, website
access for SOME DSL (ATT) users stops working.

I troubleshot the problem to be related to scrubbing (normalization
of packets).
So I tried a couple of options in the scrubbing rules and got a couple of
people experiencing the problem working, but there are a few still
complaining that they can't access the site.  I have tried this from
multiple different connections.  Even with Verizon EVDO internet access,
people can't access the site.  It's really weird and I have been pulling
my hair out on this.  I don't really want to put another firewall in.

I would like to know what other people who are running openbsd as
firewall are using for scrubbing.

Here is what I used first time:

scrub in all

and then changed to

scrub in all no-df
scrub out all no-df

and got a few of the DSL users to see the site but then others still can't.
Verizon users can't either.

Any thoughts/help highly appreciated.  I don't want to go BALD :)

Thanks




Re: pf visualization

2008-08-28 Thread Parvinder Bhasin
Perhaps pfsysinfo and pfstat.  For some of the stuff you'll have to make
your own graphs.


-Parvinder Bhasin

On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:


I am curious what tools people here use to visualize pf-generated logs
and/or live traffic. What i'm basically looking for is a tool, that
provides various stats about a pf firewall usage in a graphical way,
but not only 'bytes in/bytes out' (i have that using snmp/cacti) but
more detailed stuff like protocol and port distribution, IP based  
stats

and whatnot.

Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
ntop ;)

Stephan




Re: PF redirection and pflogging

2008-08-22 Thread Parvinder Bhasin

Thanks Imre!!! That seems to have done the trick for both issues.

Cheers!
-Parvinder Bhasin

On Aug 21, 2008, at 2:28 PM, Imre Oolberg wrote:


Hallo!

My guess is you don't get anything logged since you pass with rdr
rules. Maybe it is cleaner to keep translation and filtering
separate, e.g. have translation rules like this


rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80


And then you need to pass not to the external interface's ip address
but to where your so to say real server is, e.g. rule


pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state

should rather read

pass in on $ext_if proto tcp from any to $webby_server port 80 keep state


And also note that a rule like this works when there aren't other rules
that match the packet. Maybe it is more straight-forward at least
for debugging to add to it the 'quick' keyword which makes the rule
match no matter what follows, like this


pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state



Imre


Parvinder Bhasin wrote:

List,

I am having some issues while redirecting traffic to port 80 on the  
$squid_server.


I have this server serving two purposes:  apache web server and
squid server. I can definitely get to the PROXY services fine but
cannot get to the WWW (port 80) on the same server.


Another issue is that when I try to actively look at the pflog by  
running tcpdump -n -e -ttt -i pflog0   , I don't get anything  
even when the traffic is passing and/or getting blocked.


Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if=sk0
int_if=gem0
pf_log=pflog0
webby
set skip on enc0
set skip on gre0

external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}


internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}

webby_ip=70.40.22.18
webby_server=172.16.10.11

squid_ip=70.40.22.19
squid_server=172.16.10.12

# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

 OPTIONS #
set loginterface $ext_if
set loginterface $int_if
scrub in

 NAT/REDIRECTS 

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80


## FILTERS #
block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep  
state

pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep  
state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to  
$squid_ip port 3128 keep state

pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep  
state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep  
state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# block in quick on $ext_if




PF redirection and pflogging

2008-08-21 Thread Parvinder Bhasin

List,

I am having some issues while redirecting traffic to port 80 on the  
$squid_server.


I have this server serving two purposes:  apache web server and squid
server. I can definitely get to the PROXY services fine but cannot get
to the WWW (port 80) on the same server.


Another issue is that when I try to actively look at the pflog by  
running tcpdump -n -e -ttt -i pflog0   , I don't get anything even  
when the traffic is passing and/or getting blocked.


Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if=sk0
int_if=gem0
pf_log=pflog0
webby
set skip on enc0
set skip on gre0

external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}


internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}

webby_ip=70.40.22.18
webby_server=172.16.10.11

squid_ip=70.40.22.19
squid_server=172.16.10.12

# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

 OPTIONS #
set loginterface $ext_if
set loginterface $int_if
scrub in

 NAT/REDIRECTS 

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80


## FILTERS #
block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep  
state

pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to  
$squid_ip port 3128 keep state

pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep  
state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# block in quick on $ext_if



Re: BIND and CNAME-ing

2008-07-28 Thread Parvinder Bhasin

Thanks Paul!!!
Wow!!! is the only thing that comes to my mind.  Didn't even know that  
DNAME existed.

I will definitely read up on it.

Thanks a bunch!
-Parvinder Bhasin

On Jul 25, 2008, at 12:14 AM, Paul de Weerd wrote:


On Thu, Jul 24, 2008 at 04:49:55PM -0700, Parvinder Bhasin wrote:
Thanks guys for clearing this up.  So in short you cannot CNAME an  
entire

domain (domain.com   IN CNAME google.com  can't do ).


You should google for DNAME some time. Then form your own opinion on
the topic matter ;)

Cheers,

Paul 'WEiRD' de Weerd

--

http://www.weirdnet.nl/




Re: BIND and CNAME-ing

2008-07-24 Thread Parvinder Bhasin
Thanks guys for clearing this up.  So in short you cannot CNAME an  
entire domain (domain.com   IN CNAME google.com  can't do ).


Thanks for the input.  Really appreciate it.

Cheers!
-Parvinder Bhasin

On Jul 24, 2008, at 6:10 AM, Giancarlo Razzolini wrote:


Almir Karic escreveu:

On Wed, Jul 23, 2008 at 01:17:04PM -0700, Parvinder Bhasin wrote:


Hi,

I am stuck at this situation:

Where I have a domain:  abc.com :

I would like to have user who type  http://abc.com (without the www)
redirected to a a different site for example :  www.xyz.com
Redirection for www.abc.com to www.xyz.com works fine.

I have tried CNAME-ing abc.com to www.xyz.com but that wouldn't  
work (I

can see it why).
Is there a way to do this in BIND zone configuration?



with this in my zone i get to google.com when i try to access
test.mydomain.org:

testIN  CNAME   google.com.




This works, yes. But you can't have a CNAME that has the same name as
the zone. It would conflict with the SOA and with the NS entries.
Parvinder will have to use his scripts to make this work, as he can't
use http redirect.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




BIND and CNAME-ing

2008-07-23 Thread Parvinder Bhasin

Hi,

I am stuck at this situation:

Where I have a domain:  abc.com :

I would like to have users who type http://abc.com (without the www) redirected to a different site, for example: www.xyz.com

Redirection for www.abc.com to www.xyz.com works fine.

I have tried CNAME-ing abc.com to www.xyz.com but that wouldn't work (I can see why).

Is there a way to do this in BIND zone configuration?

Thanks



Re: BIND and CNAME-ing

2008-07-23 Thread Parvinder Bhasin

HTTP redirects don't apply to our setup.

From the info that I gather, I really can't do CNAME so I will just write a small script to accommodate changing of IPs.


-Parvinder Bhasin

On Jul 23, 2008, at 1:33 PM, Jussi Peltola wrote:


Short answer: use HTTP redirects.
Long answer: provide more information, and read about the HTTP Host:
header and think how it applies to your setup.




Re: PF issue

2008-07-21 Thread Parvinder Bhasin
Thank you guys for your quick responses :)  This mailing list(group)  
is awesome.


So last night, I changed my 4.3 openbsd gateway to 4.2 one, slapped on  
the same pf rules BUT with user land pppoe and PRESTO it works like a  
charm.

I could access my webserver in the lab totally fine.
I think it could be something to do with MTU size, I will still  
continue my search and post it to the list once I find something.


Again, really appreciate everyone's help on this.

Thx a bunch!

On Jul 20, 2008, at 10:01 PM, Srikant Tangirala wrote:


Have you tried doing a tcpdump on fxp0 and pflog0 while trying to access the web server on home firewall? Might give you clues.

Srikant.




PF issue

2008-07-20 Thread Parvinder Bhasin
My home network.  Firewall is openbsd (4.3).  DSL setup with PPPOE (in  
kernel):

cat /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE \
 pppoedev dc0 authproto pap \
 authname '[EMAIL PROTECTED]' authkey 'password' up
!/sbin/route add default

#


Here is my /etc/pf.conf for this network (HOME).  Very simple: blocking everything in and allowing everything to go out from my internal network.


#   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or  
net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=dc0
int_if=fxp0
loopback=lo0
pppoe_if=pppoe0

#table spamd-white persist

set skip on lo
set loginterface $ext_if
set loginterface $int_if
set loginterface $pppoe_if
set loginterface $loopback
scrub in all max-mss 1440

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

# nat on $pppoe_if from 172.16.200.0/24 -> $pppoe_if
nat on $pppoe_if from !($pppoe_if) to any -> ($pppoe_if)
block in log on $pppoe_if

pass out keep state


Here is my Lab network:  setup on static DSL connection with 5 static  
IPs:
I am using one for webserving:  75.44.224.2.

my /etc/hostname.sk0 looks like:

inet 75.44.229.1 255.255.255.248 NONE
alias 75.44.229.2 255.255.255.248

I also have a laptop behind this firewall on internal network.  Used  
for browsing etc.


# MACROS
ext_if=sk0
int_if=gem0

external_ip=75.44.229.1
external_net="{ 75.44.229.17 75.44.229.18 75.44.229.19 75.44.229.20 }"

internal_ip=172.16.10.10

# the rdr/pass rules below refer to this as $webserver_ext
webserver_ext=75.44.224.2
webserver_int=172.16.10.11

# OPTIONS
set loginterface $ext_if
set loginterface $int_if
scrub in

# NAT/REDIRECTS
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

rdr pass on $ext_if proto tcp from any to $webserver_ext port 80 -> $webserver_int port 80

# FILTERS
block in log on $ext_if

pass in on $ext_if proto tcp from any to $webserver_ext port 80 keep state
pass out keep state
#


MY PROBLEM:  Whenever I am on my home network and I try to reach the webserver on my lab network, I don't get anything.  Whenever I try to hit the webserver from my work network or several other networks, I can access the webserver fine.  It's only from my home network that I cannot access the site on my webserver.  Any other sites from the home network work totally fine.

Can anyone see what's wrong with my configs?

For troubleshooting this issue, I captured traffic on my webserver and saw that requests from my home network DO ARRIVE at the webserver and the webserver duly sends that data back BUT that data never arrives on the home network.

If I try to hit any website from my webserver, I can reach it fine.

This is really weird, I would really appreciate any help.  I have tried almost everything to get this going.

Thanks
/Parvinder Bhasin



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 1:26 AM, ropers wrote:


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

This maybe dumb but won't hurt to throw this out there, maybe this has to be built with a combination of tools, technologies etc but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there, in that case I would like to know what :), I know of many 100K devices that will do this.

Is there a way that I can setup a machine (another openbsd machine) in front of an OpenBSD firewall to help against DDoS attacks?
If so what would be the proper approach in doing so (if someone has already approached this subject).

Machine would have 2 or 3 nics (3rd nic for management maybe?).
You take the internet drop on the first port, say for example: fxp0 (external_if).  Maybe implement SYNCOOKIE (technology).  The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back.  Would SYNPROXY do this too??
This machine could also be doing some form of RATE LIMITING?? maybe??

Anyone ?? Any takers??

/Parvinder Bhasin


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.



Perhaps I didn't make it clear..maybe but yeah..I totally know that
there are PAY solutions, like I mentioned that I know of many devices
that can achieve this.  I have done research on these devices and was
thinking maybe something (open source - OpenBSD-based device?? maybe)
can be made to prevent this attack upstream.

So I have experienced (my network) an attack that choked our GigE link to
where the DDoS attack was consuming almost 500mbps (50% of total
bandwidth) available.  We still had 500mbps more that we would've
liked to have used for our business purposes but the problem with
these attacks is that they are NOT just meant to choke the BANDWIDTH,
they are actually meant to choke the CPU and other resources on your
firewalls or any devices you have in front.

It's just that if some device was there upstream to take 50% or more
load from the firewalls (cpu resources etc) in these attacks, maybe
the firewalls won't be that busy as to stop responding to legitimate
requests.  Of course BANDWIDTH consumption becomes a problem where if
you have a smaller pipe then basically you are screwed.  I know that the
ISPs can provide protection and some of them have already started
doing so but at a HUGE COST per month and frankly they have their
reasons for not protecting against such attacks, as why would ISPs do
the filtering for free when they are making money because of the
attack, that is, charging the customer for bandwidth usage.  Let's get
realistic, they would never do that unless it becomes so much of a
problem that all their customers start seeing the ill effects of that
attack.

The bandwidth issue can be sort of tackled separately, whereas you are
finding command and control servers and eliminating them that way, but
that's another topic.  Also when the device is sending ACKs back, you
are sort of also in another way or form ATTACKING BACK, but that's just
a zombie system out there where the person is just wondering why he
cannot even google, knowing nothing about his bandwidth being choked because
of the attack.

I just thought to throw this out to the group and see if  there was a
person/group of people who have implemented such a solution using
combination of technologies (both open source and/or monetary).  I
already see OpenBSD/PF a very good combination in defending companies
from such attacks.

Any comments are welcome :)

/Parvinder Bhasin



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 2:31 PM, ropers wrote:


On Jul 19, 2008, at 1:26 AM, ropers wrote:


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:


Perhaps I didn't make it clear..maybe but yeah..I totally know that there
are PAY solutions, like I mentioned that I know of many devices that can
achieve this.  I have done research on these devices and was thinking maybe
something (open source - OpenBSD-based device?? maybe) can be made to
prevent this attack upstream.


I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers


 LoL:) didn't get a word out of it but yeah I think you took my
suggestion of all comments are welcome to the next level

Cheers!



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

btw:  Ropers Thanks for the link.

On Jul 19, 2008, at 2:31 PM, ropers wrote:


On Jul 19, 2008, at 1:26 AM, ropers wrote:


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:


Perhaps I didn't make it clear..maybe but yeah..I totally know that there
are PAY solutions, like I mentioned that I know of many devices that can
achieve this.  I have done research on these devices and was thinking maybe
something (open source - OpenBSD-based device?? maybe) can be made to
prevent this attack upstream.


I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers




OpenBSD and SYNFlood / DDoS protection

2008-07-18 Thread Parvinder Bhasin
This maybe dumb but won't hurt to throw this out there, maybe this has to be built with a combination of tools, technologies etc but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there, in that case I would like to know what :), I know of many 100K devices that will do this.


Is there a way that I can setup a machine (another openbsd machine) in  
front of an OpenBSD firewall to help against DDoS attacks?
If so what would be proper approach in doing so (if someone has  
already approached this subject).


Machine would have 2 or 3 nics (3rd nic for management maybe?).
You take the internet drop on the first port, say for example: fxp0 (external_if).  Maybe implement SYNCOOKIE (technology).  The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back.  Would SYNPROXY do this too??

This machine could also be doing some form of RATE LIMITING?? maybe??

Anyone ?? Any takers??

/Parvinder Bhasin



PF and Binat

2008-07-14 Thread Parvinder Bhasin

Hi,

I am having some issues with PF and Binat.

Here is my scenario:

I have 5 static ips assigned to me.  I have fronted my network (external) with an OpenBSD machine running pf.



I would like 2 of these IPs to have ONE to ONE translation.  I have 2  
very different servers serving different purpose.

75.36.44.22 for web serving and 75.36.44.23 for mail

For example:

75.36.44.22 -> 172.16.10.22
75.36.44.23 -> 172.16.10.23

I do this with the following binat statements:


## i have nat for anything that is not my servers

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

### here are my servers

binat on $ext_if from 172.16.10.22 to any -> 75.36.44.22
binat on $ext_if from 172.16.10.23 to any -> 75.36.44.23


pass in on $ext_if proto tcp from any to 75.36.44.22 port 80
pass in on $ext_if proto tcp from any to 75.36.44.23 port 25



Problem is when I try to access my servers from outside (different  
external network), I cannot reach them at all.

Why can't I do this?

When I try to add the external ips as aliases on my external  
interface, it works fine.


Isn't the BINAT statement sufficient??? do i have to use aliases???

I spun up a sniffer on the OpenBSD gateway to see if it was even getting the request and of course I don't even see the request come through, as I am assuming my Netopia router doesn't know where the external IPs are for that server (arp).


When I go the aliases way, everything works fine.

Can someone shed some light on this?

Thanks



Re: PF and Binat

2008-07-14 Thread Parvinder Bhasin
Actually Ryan, when I do the aliases way, do I still need the binat statements?  Because when I use aliases and binat statements together, it doesn't work.
Without the binat statements and with aliases everything works fine??  What gives?


On Jul 14, 2008, at 9:31 PM, Ryan McBride wrote:


On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
When I try to add the external ips as aliases on my external interface, it works fine.

Isn't the BINAT statement sufficient??? do i have to use aliases???


Unless the addresses are being routed to the firewall in question, yes, you have to use aliases. Otherwise your system will not reply to ARP requests for the addresses, and the upstream router will not know where to send the traffic.




Re: PF and Binat

2008-07-14 Thread Parvinder Bhasin

Thanks Ryan!!

That was my hunch too, but wanted to be sure.  Another question that  
arises from this is whenever I reboot the box or do sh /etc/netstart,  
the ip address that is bound to the external interface (with aliases)  
would sort of round robin between the different aliases.  Is this  
normal behaviour?


On Jul 14, 2008, at 9:31 PM, Ryan McBride wrote:


On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
When I try to add the external ips as aliases on my external interface, it works fine.

Isn't the BINAT statement sufficient??? do i have to use aliases???


Unless the addresses are being routed to the firewall in question, yes, you have to use aliases. Otherwise your system will not reply to ARP requests for the addresses, and the upstream router will not know where to send the traffic.




Re: PF and Binat

2008-07-14 Thread Parvinder Bhasin

On Jul 14, 2008, at 10:00 PM, Ryan McBride wrote:


On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote:

Actually Ryan, when I do the aliases way, do I still need the binat statements?  Because when I use aliases and binat statements together, it doesn't work.
Without the binat statements and with aliases everything works fine??


If you do aliases without the binat, you're not connecting to your
natted hosts, you're connecting to your firewall.


I understand that part fine, I use RDR when not using binat.  It works  
fine.
I would really like to make it work through binat than the RDR.  So  
what do you think the config should look like?






what gives?


Oh, I missed this before:


pass in on $ext_if proto tcp from any to 75.36.44.22 port 80
pass in on $ext_if proto tcp from any to 75.36.44.23 port 25


Filtering happens AFTER translation, so you need to filter on the real
addresses of the hosts, not the alias addresses.


Hmm, by real IP do you mean the internal IPs of the servers??



Re: squidguard

2008-07-08 Thread Parvinder Bhasin

I don't quite understand your question.

Are you looking to know how to get SquidGuard going?  If so just add the following to your squid.conf file:


redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf


Hope this helps!!

Cheers!
-Parvinder Bhasin

On Jul 7, 2008, at 2:12 PM, LinuxUser wrote:


Sorry, I lacked information about pf.

in /etc/pf.conf
rdr on $int_if inet proto { tcp, udp } from any to any port www -> 127.0.0.1 port 3128
-
takesima




Re: Named and reverse zones help

2008-06-29 Thread Parvinder Bhasin
Thanks Rod!!  and Phillip!! for your help.  I had done what you had  
mentioned in your replies.  I was double checking with experts to make  
sure it was right.  And it seems like I got it right.


Oh yeah, the TTL is set very LOW for just in case there was a goof up  
on my side :) .  I will be changing them soon.


Once again, Thanks a bunch for your help guys!!.  I really appreciate  
it.


Cheers!
-Parvinder Bhasin

On Jun 28, 2008, at 10:14 PM, Rod Dorman wrote:


On Saturday, June 28, 2008, 16:32:18, Parvinder Bhasin wrote:

 ...
How should I write out the config in named.conf to reflect the reverse zone?
Lets say my network is 192.168.1.0/25.
 ...
2.1/25.1.168.192.in-addr.arpa.  300  IN  PTR  foobar.mydns.com.


It's simpler if you establish an origin
$ORIGIN 1.168.192.in-addr.arpa.

then you just have to use the identifying octet
2   300   IN   PTR   foobar.mydns.com.

From the way you worded "Lets say my network is" I'm guessing that your 192.168.1.0/25 is just an obfuscation of an allocated public range. If so, whoever is authoritative for 168.192.in-addr.arpa. has to delegate 0.1.168.192.in-addr.arpa. thru 127.1.168.192.in-addr.arpa. to you in order for the outside world to see your PTR records.

BTW, why only a 5 minute TTL?

--
[EMAIL PROTECTED]   The avalanche has already started, it is too
Rod Dorman          late for the pebbles to vote. - Ambassador Kosh
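
The classless delegation Rod describes, worked through as an added example (not code from the thread): it generates the CNAMEs the owner of the /24 reverse zone has to publish for 192.168.1.0/25 and shows why `dig -x 192.168.1.2` against a server that only hosts the child zone returns nothing. The child zone name `1/25.1.168.192.in-addr.arpa.` and `foobar.mydns.com.` come from the original post; the 300 second TTL on the generated records and the toy resolver are assumptions.

```python
"""RFC 2317 classless in-addr.arpa delegation for a block smaller than /24.
Added example, not from the thread.  The block (192.168.1.0/25), the child
zone name and foobar.mydns.com. are from the original post; the rest is
constructed for illustration."""
import ipaddress

NETWORK = ipaddress.ip_network("192.168.1.0/25")
CHILD_ZONE = "1/25.1.168.192.in-addr.arpa."   # name chosen in the original post


def reverse_name(addr):
    """Absolute in-addr.arpa name that `dig -x addr` actually asks for."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def parent_zone(network):
    """The /24 reverse zone whose owner must delegate to us."""
    o = str(network.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def parent_cnames(network, child_zone):
    """Records the /24 owner publishes: one CNAME per address in the block,
    pointing at the matching owner name inside the child zone.
    Returns (owner, target) pairs with absolute names, in address order."""
    parent = parent_zone(network)
    return [(f"{str(a).split('.')[3]}.{parent}",
             f"{str(a).split('.')[3]}.{child_zone}") for a in network]


def child_ptr_owner(addr, child_zone):
    """Owner name of the PTR inside the child zone, e.g. 2.1/25.1.168.192..."""
    return f"{str(ipaddress.ip_address(addr)).split('.')[3]}.{child_zone}"


def zone_file_lines(network, child_zone, ttl=300):
    """Parent-side CNAME records in zone-file form (assumed TTL 300)."""
    return [f"{owner} {ttl} IN CNAME {target}"
            for owner, target in parent_cnames(network, child_zone)]


def resolve_ptr(query, cnames, ptrs):
    """Toy resolver: follow at most one CNAME, then look up the PTR.
    cnames and ptrs map absolute owner names to targets.  Returns None when
    the name has no PTR and no alias into the child zone, which is what the
    original post saw from `dig -x ... @localhost`."""
    return ptrs.get(cnames.get(query, query))


if __name__ == "__main__":
    ptrs = {child_ptr_owner("192.168.1.2", CHILD_ZONE): "foobar.mydns.com."}
    q = reverse_name("192.168.1.2")
    print("child zone only   :", resolve_ptr(q, {}, ptrs))
    print("with parent CNAMEs:",
          resolve_ptr(q, dict(parent_cnames(NETWORK, CHILD_ZONE)), ptrs))
    print(*zone_file_lines(NETWORK, CHILD_ZONE)[:3], sep="\n")
```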




Re: Named and reverse zones help

2008-06-29 Thread Parvinder Bhasin

Totally agree!!  :)

On Jun 29, 2008, at 3:03 AM, Stuart Henderson wrote:


On 2008-06-29, Parvinder Bhasin [EMAIL PROTECTED] wrote:

Thanks Rod!!  and Phillip!! for your help.  I had done what you had mentioned in your replies.  I was double checking with experts to make sure it was right.


If you want to double-check with experts, give them unobfuscated
data so they can actually check.

If you're publishing something in DNS, it's obviously not private data...




Named and reverse zones help

2008-06-28 Thread Parvinder Bhasin

Hi all,

I am having issues setting up reverse zone for my domain.
We own only HALF or PART of the network instead of whole class C.

How should I write out the config in named.conf to reflect the reverse  
zone?


Lets say my network is 192.168.1.0/25.

This is how I wrote my named.conf

zone "1/25.1.168.192.in-addr.arpa" {
	type master;
	file "reverse/1_25.1.168.192.in-addr.arpa";
	zone-statistics yes;
};


And my zone file:  1_25.1.168.192.in-addr.arpa

$TTL 2d
@ IN SOA ns1. admin. (
	2008021602 ; serial
	3600       ; refresh
	3600       ; retry
	2592000    ; expire
	86400      ; minimum
)
; trailing dots keep these names absolute instead of relative to the zone
1/25.1.168.192.in-addr.arpa.    300  IN  NS   ns1.mydns.com.

2.1/25.1.168.192.in-addr.arpa.  300  IN  PTR  foobar.mydns.com.


The problem is when I do : (for testing)

dig +short -x 192.168.1.2 @localhost

I don't get anything back.  I simply get the next line (prompt).  I  
should get foobar.mydns.com


Can anyone see what I am doing wrong?

Any help is highly appreciated.

Thanks



Re: net-snmp and openbsd

2008-05-08 Thread Parvinder Bhasin
I got it going..finally just removed the package and installed it from ports and it worked like a charm.

Still having issues with graphing it using cacti.
Any know-how would be great to know.

Thx.

On May 7, 2008, at 4:15 PM, Aaron Glenn wrote:


On Tue, May 6, 2008 at 10:03 PM, Parvinder Bhasin
[EMAIL PROTECTED] wrote:


Appreciate any help.

Thanks :)


Does netstat show it listening on the correct IP? any reason to run
net-snmp? I'd use the base snmpd unless you have a very specific
reason to run net-snmp.

aaron.glenn




Re: Use of 'Puffy' Logo *and* weatherproof stickers?

2008-05-06 Thread Parvinder Bhasin
This is not an advert for the company I work for but I can help out in  
creation of shop etc...
I work for cafepress :) I can talk to our marketing department and  
arrange something.


Let me know how I can help.  pbhasin at cafepress dot com :)

-Parvinder Bhasin

On May 6, 2008, at 4:36 PM, James Crutchfield wrote:


On 4/9/08, Theo de Raadt [EMAIL PROTECTED] wrote:



Sale of the items on that page do not fund the project.  Sale of those items does not even cover the cost that Austin and I paid our artist to draw the pictures for those items.

Just keep that in mind please.

From time to time I have toyed with the idea of producing OpenBSD-related swag, and either donating it to the project outright or selling it myself with donation = revenue - cost.  I'd have to use some outside vendor and face the same production costs that Theo and the project do (CafePress, anyone?).  Is this something that can be handled in a decentralized manner, or do you prefer that everything be kept under the same roof as the CD/Poster/etc. sales?  What would give the OpenBSD project the most benefit while populating our lives with more Puffy-branded merchandise?

JC Crutchfield




net-snmp and openbsd

2008-05-06 Thread Parvinder Bhasin
I am having some issues getting snmpd going on one of my boxes ,  
wondering if some snmp guru can help me here.


Here is my /usr/local/share/snmp/snmpd.conf:

###
#
# snmpd.conf
#
#   - created by the snmpconf configuration program
#
###
# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rocommunity  public


++

When I try to do the snmpwalk...I get a timeout error.

snmpwalk -v 1 -c public 172.16.200.1 syscontact
Timeout: No Response from 172.16.200.1

I know snmpd is running:

# ps -aux | grep snmp
root 26868  0.0  3.5  2372  4548 ??  S   9:45PM   0:00.39 snmpd


Appreciate any help.

Thanks :)



Re: net-snmp and openbsd

2008-05-06 Thread Parvinder Bhasin

Reyk,

I just ran it for troubleshooting purposes..any points?

thx.

On May 6, 2008, at 10:13 PM, Reyk Floeter wrote:


On Tue, May 06, 2008 at 10:03:39PM -0700, Parvinder Bhasin wrote:

# ps -aux | grep snmp
root 26868  0.0  3.5  2372  4548 ??  S   9:45PM   0:00.39 snmpd




yuck, it is running as root...



Appreciate any help.

Thanks :)




colors in regular openbsd terminal

2008-05-05 Thread Parvinder Bhasin

Hi,

I was wondering if there was a way to get some colors inside the regular terminal (not Xterm or Xorg).
I know if I alias colorls it sort of works for just listing directories and files but I would like to customize the look of the entire terminal, for example:


lets say I type in ifconfig  , I would like to change the colors on  
the ip addresses and the interface names.

Any pointers would come in handy.  Thanks in advance.

thx.



Re: colors in regular openbsd terminal

2008-05-05 Thread Parvinder Bhasin

Thanks!! Will give it a shot.

-Parvinder Bhasin

On May 5, 2008, at 6:56 AM, Edd Barrett wrote:


On Mon, May 5, 2008 at 7:25 AM, Parvinder Bhasin
[EMAIL PROTECTED] wrote:

Hi,

I was wondering if there was a way to get some colors inside the regular terminal (not Xterm or Xorg).


export TERM=wsvt25

--

Best Regards

Edd

http://students.dec.bournemouth.ac.uk/ebarrett




symon and pf states

2008-04-29 Thread Parvinder Bhasin

Hi,

I am completely stumped on this, how can I graph pf states etc with symon and symux? I do see my regular pf graph but how do I create graphs for pf states etc?


Thanks



Re: symon/symux and syweb PF reporting

2008-04-28 Thread Parvinder Bhasin

Thanks Stuart,  I will give it a shot.

On Apr 28, 2008, at 3:38 AM, Stuart Henderson wrote:


On 2008-04-28, Parvinder Bhasin [EMAIL PROTECTED] wrote:

Hi,

I have symon, symux working and reporting on 2 of the systems.
How do I get more graphs for PF ?  Currently I only see bytes in/out
for PF graph?


Create a new syweb layout based on the sample pf.layout.




symon/symux and syweb PF reporting

2008-04-27 Thread Parvinder Bhasin

Hi,

I have symon, symux working and reporting on 2 of the systems.
How do I get more graphs for PF ?  Currently I only see bytes in/out  
for PF graph?


Thanks



PF , redirection and NAT-ing question?

2008-04-26 Thread Parvinder Bhasin

Hi,


I have 2 webservers on my internal lan.  Both have associated EXTERNAL  
IPs.  I setup an OpenBSD box with PF to do firewalling and  
redirection.  Do I also have to put the 2 external IPs on the external  
interface of my PF box as aliases?


If I do put in the aliases and I am also doing NAT-ing on the internal  
lan , would PF  do some kind of round-robin using different  EXTERNAL  
IPs to go out to the net?  I don't want that behaviour.  How can I  
make PF go out on only one pre-determined external IP and not the  
aliases that I am using for the webservers?


Thanks
Parvinder Bhasin



symon and syweb

2008-04-25 Thread Parvinder Bhasin
Hi,

I am having trouble getting symon, symux and syweb to give me nice  
graphs.
I have configured my /etc/symon.conf file as:

#
# $Id: symon.conf,v 1.12 2004/02/26 22:48:08 dijkstra Exp $
#
# Demo configuration for symon. See symon(8) for BNF.

monitor { if(rl0), if(fxp1), if(fxp0), if(sk0),
   io(wd0),
   cpu(0), mem } stream to 127.0.0.1 2100


my /etc/symux.conf file looks like:

# $Id: symux.conf,v 1.22 2004/02/26 22:48:08 dijkstra Exp $
#
# Demo symux configuration. See symux(8) for BNF.

mux 127.0.0.1 2100

source 127.0.0.1 {
 accept { cpu(0),  mem,
  if(lo0),
  pf,
  mbuf,
  sensor(0),
  proc(httpd),
  if(xl0), if(de0), if(wi0),
  io(wd1), io(wd2), io(wd3), io(cd0)
  io(wd0)
 }

 datadir /var/www/symon/rrds/localhost
}

Whenever I try to run symux , I get this:

# /usr/local/libexec/symux
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_cd0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd3.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd2.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd1.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_wi0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_de0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_xl0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/proc_httpd.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/sensor0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/mbuf.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/pf.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_lo0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/mem.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/cpu0.rrd', guessed by datadir,  cannot be opened
warning: /etc/symux.conf: no filename specified for stream 'io(wd0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'io(cd0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'io(wd3)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'io(wd2)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'io(wd1)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'if(wi0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'if(de0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'if(xl0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'proc(httpd)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'sensor(0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'mbuf()' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'pf()' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'if(lo0)' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'mem()' in source '127.0.0.1'
warning: /etc/symux.conf: no filename specified for stream 'cpu(0)' in source '127.0.0.1'

Can anyone shed some light on this?

I have checked the permission on the /var/www/symon directory and they  
all appear fine (?)

drwxr-xr-x  3 www   daemon   512 Apr 24 20:55 symon


Thanks



Re: symon and syweb

2008-04-25 Thread Parvinder Bhasin
Sorry for the trouble..I just got it working by running the following:

# sh /usr/local/share/symon/c_smrrds.sh all

I see then this script starts to create the rrds.

Thx.

On Apr 25, 2008, at 4:12 AM, Parvinder Bhasin wrote:

 Hi,

 I am having trouble getting symon, symux and syweb to give me nice  
 graphs.
 I have configured my /etc/symon.conf file as:

 #
 # $Id: symon.conf,v 1.12 2004/02/26 22:48:08 dijkstra Exp $
 #
 # Demo configuration for symon. See symon(8) for BNF.

 monitor { if(rl0), if(fxp1), if(fxp0), if(sk0),
   io(wd0),
   cpu(0), mem } stream to 127.0.0.1 2100


 my /etc/symux.conf file looks like:

 # $Id: symux.conf,v 1.22 2004/02/26 22:48:08 dijkstra Exp $
 #
 # Demo symux configuration. See symux(8) for BNF.

 mux 127.0.0.1 2100

 source 127.0.0.1 {
 accept { cpu(0),  mem,
  if(lo0),
  pf,
  mbuf,
  sensor(0),
  proc(httpd),
  if(xl0), if(de0), if(wi0),
  io(wd1), io(wd2), io(wd3), io(cd0)
  io(wd0)
 }

 datadir /var/www/symon/rrds/localhost
 }

 Whenever I try to run symux , I get this:

 # /usr/local/libexec/symux
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_cd0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd3.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd2.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/io_wd1.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_wi0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_de0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_xl0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/proc_httpd.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/sensor0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/mbuf.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/pf.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/if_lo0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/mem.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf:21: file '/var/www/symon/rrds/localhost/cpu0.rrd', guessed by datadir,  cannot be opened
 warning: /etc/symux.conf: no filename specified for stream 'io(wd0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'io(cd0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'io(wd3)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'io(wd2)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'io(wd1)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'if(wi0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'if(de0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'if(xl0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'proc(httpd)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'sensor(0)' in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'mbuf()'  
 in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'pf()' in  
 source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'if(lo0)'  
 in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'mem()'  
 in source '127.0.0.1'
 warning: /etc/symux.conf: no filename specified for stream 'cpu(0)'  
 in source '127.0.0.1'

 Can anyone shed some light on this?

 I have checked the permissions on the /var/www/symon directory and  
 they all appear fine (?)

 drwxr-xr-x  3 www   daemon   512 Apr 24 20:55 symon


 Thanks



Disabling IPv6 ?

2008-04-24 Thread Parvinder Bhasin
How can I disable IPv6 in openbsd 4.x (3 - in my case) without  
recompiling the kernel?
I have a strange issue where when I try to install the symon utility using  
ports, it fails with this message:


 Fetch ftp://ftp.freebsd.org/pub/FreeBSD/distfiles//jpegsrc.v6b.tar.gz 
.

Trying 2001:4f8:0:2::e...
ftp: connect to address 2001:4f8:0:2::e: No route to host
Trying 2001:6c8:6:4::7...

I don't know why I am seeing an Ipv6 address there.  Maybe the DNS server  
is returning this IPv6 address, but my os or app (ports in this case)  
has to be querying for an IPv6 AAAA record?? Don't know.


Any help is highly appreciated.

Thanks!



Re: Disabling IPv6 ?

2008-04-24 Thread Parvinder Bhasin
Thanks everyone for the help!! From what I gather it is not easy to  
disable ipv6, but then why disable it anyway.
I think what's happening is that the fetch (or ftp) is just trying the  
ipv6 address first and not the ipv4.
From one of the replies I got from Jona (see below), this should do  
the trick.

Thanks

In gmane.os.openbsd.misc, you wrote:
 How can I disable IPv6 in openbsd 4.x (3 - in my case) without
 recompiling kernel?
 I have a strange issue where when I try to install symon utility using
 ports, it fails with message:

 Fetch ftp://ftp.freebsd.org/pub/FreeBSD/distfiles// 
 jpegsrc.v6b.tar.gz
 .
 Trying 2001:4f8:0:2::e...
 ftp: connect to address 2001:4f8:0:2::e: No route to host
 Trying 2001:6c8:6:4::7...

 I don't know why I am seeing an Ipv6 address there.  Maybe the DNS server
 is returning this IPv6 address, but my os or app (ports in this case)
 has to be querying for an IPv6 AAAA record?? Don't know.

It should fall back to the v4 address if the connection to the v6  
address fails.

If you want to get rid of the message you can set:

FETCH_CMD = /usr/bin/ftp -V -m -4 -k ${FTP_KEEPALIVE}

in /etc/mk.conf. That's the default setting plus -4, which makes it  
stick to IPv4 addresses.

See:
bsd.port.mk(5)
ftp(1)



On Apr 24, 2008, at 4:21 PM, Matthew Dempsky wrote:

 On Thu, Apr 24, 2008 at 3:16 PM, Parvinder Bhasin [EMAIL PROTECTED] wrote:
 How can I disable IPv6 in openbsd 4.x (3 - in my case) without  
 recompiling the kernel?

 Unless your network is misconfigured, in your use case there's no
 problem.  Your machine will detect it has no routes for IPv6 unicast
 addresses, and will skip those and attempt IPv4 automatically.

 Is that not what you're seeing?

 I don't know why I am seeing an Ipv6 address there.

 Because ftp.freebsd.org has AAAA records, and ftp(1) supports IPv6.



Re: Logging failed SSH users and the passwords they typed

2008-04-23 Thread Parvinder Bhasin
Thanks Guys!!  Like what Claer said, this was just for the purpose of  
honeypot research.  I don't care about user passwords in real world :)


Thanks for the patch.

-Parvinder Bhasin

On Apr 23, 2008, at 9:06 AM, HDC wrote:


I have 3 sshd daemons on my border firewall, 2 on uncommon ports for
my use, and 1 on the default port (without real access) for prevention
statistics.
Depending on the prevention statistics I design the security policy for
SSH and passwords.

It's nice to see the statistics of illegal access on the default port of
your sshd :)

Greetings,
Hernan
OpenBSDeros.org

On Wed, Apr 23, 2008 at 11:12 AM, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

Ed Ahlsen-Girard [EMAIL PROTECTED] writes:

When I was getting brute forced that way I just turned off remote
password login and use keypairs exclusively.

Which won't work for everybody, I guess.

plus, of course, the fact that overload + flush global is fun to watch

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
# /dev/hdc
- OpenBSDeros.org
hdc [at] openbsderos [dot] org




Logging failed SSH users and the passwords they typed

2008-04-22 Thread Parvinder Bhasin

Hi,

Is there a way to log the passwords that were used in the bruteforce
attack?


thx.



Installing X11R6 after the OpenBSD install

2008-04-22 Thread Parvinder Bhasin

Hi,

Is there a way to run the installation script that is provided on the  
installation cd again after you have already completed the install?
I would like to install the BARE minimum of the XWindows system on the  
machine.


Any help is highly appreciated.

Thanks!



Re: Installing X11R6 after the OpenBSD install

2008-04-22 Thread Parvinder Bhasin

Thanks a bunch!!

On Apr 22, 2008, at 3:26 PM, Paul de Weerd wrote:


On Tue, Apr 22, 2008 at 03:20:19PM -0700, Parvinder Bhasin wrote:

Hi,

Is there a way to run the installation script that is provided on the
installation cd again after you have already completed the install?
I would like to install the BARE minimum of the XWindows system on the  
machine.


Check the FAQ :

http://www.openbsd.org/faq/faq4.html#AddFileSet

Cheers,

Paul 'WEiRD' de Weerd

--

[++-]+++.+++[---].+++[+

+++-].++[-]+.--.[-]
http://www.weirdnet.nl/




Re: configure squid on openBSD

2008-04-18 Thread Parvinder Bhasin

Anil Saini wrote:

How can I change the default squid configuration options of squid while
installing it from BSD ports?

I make changes in the Makefile... does that do the trick?

Also, how do we do the same thing when we install it through the pkg_add command?


-
Anil Saini
M.E. - Software Systems
B.E. - Electronics and Communication

Project Assistant
CISCO LAB
Information Processing Center Unit
BITS-PILANI
  

In the squid ports directory, /usr/ports/www/squid (I think), do:

make show=FLAVORS

This will give you the different config options, like building it for a
transparent proxy or with snmp support.  Choose what you want and then do:

env FLAVOR="transparent snmp" make install

That should do the trick.



Re: Squid proxy server authentication

2008-04-17 Thread Parvinder Bhasin

Parvinder Bhasin wrote:

Hi,

How do I setup squid proxy server for authentication using NSCA?  I 
used the ports to install squid.

I can't find the NSCA auth module to allow me to do that.
Any help is highly appreciated.

Thanks


I figured it out.  Just did a search for auth_ncsa and found the program.  
Thx. :)




Squid proxy server authentication

2008-04-16 Thread Parvinder Bhasin

Hi,

How do I setup squid proxy server for authentication using NSCA?  I used 
the ports to install squid.

I can't find the NSCA auth module to allow me to do that.
Any help is highly appreciated.

Thanks



Sed or perl substitutions - in place

2008-04-04 Thread Parvinder Bhasin
I am writing up a script to automatically increment the serial number of a 
bind dns zone file, but I am running across issues doing in-place 
substitution with either sed or even perl for that matter.  I can do 
this easily in Linux but am having a hard time doing so in openbsd.  I 
would like to search for the serial number, increment it by one and then 
save the file.


Any help...highly appreciated.

Thx.

Here is my code snippet:

#!/bin/sh

for file in /var/named/master/*.file
do
 if [ -f "$file" ]
 then
   OLD=`grep serial "$file" | awk '{print $1}'`
   echo "$OLD"
   NEW=$(($OLD + 1))
   echo "$NEW"
   # tried using perl but the file didn't change with the incremented serial
   # number: with single quotes the shell never expands $OLD and $NEW, so
   # perl sees its own (empty) variables; double quotes fix that
   perl -p -i -e "s/$OLD/$NEW/" "$file"
   # sed "s/$OLD/$NEW/" "$file"  -- I know this will only search and replace,
   # but how do I do it in-place so that the file itself is modified?
 fi
done
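What the post is after, as an added example that is not the poster's script nor any reply's code: a POSIX sh routine that increments the serial on a zone file's "; serial" line and rewrites the file through a temp file and mv(1), so it needs neither sed -i nor perl -i. The function names, the sample zone and the .file suffix are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: bump a BIND zone's SOA serial in
# place without sed -i. Only the "; serial" line is touched, and the file is
# replaced atomically through a temp file in the same directory.

# serial_of FILE: print the first all-digit field of the "; serial" line.
serial_of() {
    awk '/;[[:space:]]*[Ss]erial/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; exit }
         }' "$1"
}

# bump_serial FILE: add one to that serial and rewrite FILE; prints the new
# value, returns 1 and changes nothing if FILE is missing or has no serial.
bump_serial() {
    file=$1
    [ -f "$file" ] || { echo "bump_serial: $file: no such file" >&2; return 1; }
    old=$(serial_of "$file")
    [ -n "$old" ] || { echo "bump_serial: $file: no serial line" >&2; return 1; }
    new=$((old + 1))
    # cp -p gives the temp file the zone's mode, so named can still read it
    tmp=$(mktemp "$file.XXXXXX") && cp -p "$file" "$tmp" || return 1
    # old/new reach awk via -v (single-quoting them was the bug in the post);
    # the token is swapped in by position so the line's indentation survives.
    awk -v old="$old" -v new="$new" '
        !done && /;[[:space:]]*[Ss]erial/ {
            rest = $0; out = ""
            while (!done && match(rest, /[^[:space:]]+/)) {
                tok = substr(rest, RSTART, RLENGTH)
                if (tok == old) { tok = new; done = 1 }
                out = out substr(rest, 1, RSTART - 1) tok
                rest = substr(rest, RSTART + RLENGTH)
            }
            $0 = out rest
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    echo "$new"
}

# Demo on a constructed zone file in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.com.file" <<'EOF'
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2008040401 ; serial
            3600       ; refresh
            86400 )    ; minimum
EOF
bump_serial "$demo_dir/example.com.file"   # → 2008040402
rm -rf "$demo_dir"
```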



Re: Pfstat - issue

2008-04-03 Thread Parvinder Bhasin

Calomel wrote:

You also need to tell pfstat what action you want to do. You can query to
collect the pf interface statistics, generate new graphs or clean up the
database.

See if our page can help you out.

  Pfstat how to ( pfstat.conf )
  http://calomel.org/pfstat.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Wed, Apr 02, 2008 at 08:13:35PM -0700, Parvinder Bhasin wrote:
  

I cannot get pfstat to run with -c or -d option whenever I run:

pfstat -c /etc/pfstat.conf

I get:
usage: pfstat [-v] [-c config] [-d data] [-r host[:port]] [-p] [-q] [-t days[:days]]


Same thing even when I run it against the provided example pfstat.conf file.

Any ideas, anyone?

Any help highly appreciated :)

thx.



  

Thanks Calomel, this is excellent info.

Thanks again!
-Parvinder Bhasin



Pfstat - issue

2008-04-02 Thread Parvinder Bhasin

I cannot get pfstat to run with -c or -d option whenever I run:

pfstat -c /etc/pfstat.conf

I get:
usage: pfstat [-v] [-c config] [-d data] [-r host[:port]] [-p] [-q] [-t days[:days]]


Same thing even when I run it against the provided example pfstat.conf file.

Any ideas, anyone?

Any help highly appreciated :)

thx.