Re: pf examples needed

2007-01-16 Thread Todd Boyer
On Tuesday, January 16, 2007, Charles Farinella wrote: 

 I have an OpenBSD 3.9 machine with a public IP providing NAT 
 and firewalling for our internal network.  It has 3 interfaces:
 
 dc0: public ip from internet X.X.X.25
 dc1: 192.168.100.x to internal network.  This works well.
 dc2: 192.168.200.x -- to Windows server.
 
 I need to allow public access to the Windows server connected 
 to dc2 (one port only).  Currently I have a private network 
 address assigned to dc2 and a public one (X.X.X.26) assigned 
 to the machine connected to it.

Your network will be difficult at best to manage in your current
configuration; it can be done, but not without some serious wasted
effort in my opinion. I'm still trying to figure out how you're going to
route a known public IP address (x.x.x.26) over an interface
(192.168.200.x) assigned with a private network address. Are you
planning on adding manual route statements on the x.x.x.26 web server to
the 192.168.200.x 'net? What would be your default gateway on the
x.x.x.26 server? I can only imagine the route, nat, rdr, and other pf
statements you'd need to accomplish this.

Switch this logic: assign the public IP address x.x.x.26 to dc2 and the
private address 192.168.200.x to the Windows server. Physically connect
dc2 to your WAN, make sure you add appropriate "block in log" rules in
pf.conf. Add your rdr and pass in statements and you're done.

PF is great, OpenBSD is a powerful OS, however, physical, data, and
network-layer stuff is necessary too. Good Luck


---
Todd M. Boyer, CISSP
AutumnTECH, LLC
http://www.AutumnTECH.com

---
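A pf.conf sketch of the "block in log, rdr, pass in" layout Todd describes, added here as an example and not taken from the thread. It keeps the poster's interface names and X.X.X.25/26 notation and assumes dc2 holds 192.168.200.1 as the Windows host's gateway, that the Windows host is 192.168.200.10, that X.X.X.26 is aliased on the firewall's public side, and that the single published port (which the thread never names) is filled in where the placeholder sits.

```pf
# Added example for the topology in the thread (OpenBSD 3.9 era syntax:
# nat/rdr are separate rules). Not the poster's or Todd's configuration.
ext_if   = "dc0"               # public side, X.X.X.25 (as in the post)
int_if   = "dc1"               # 192.168.100.0/24 internal network
win_if   = "dc2"               # 192.168.200.0/24 segment to the Windows server
win_pub  = "X.X.X.26"          # public address for the Windows host (alias on dc0, assumed)
win_srv  = "192.168.200.10"    # assumed private address of the Windows server
win_port = "PLACEHOLDER_PORT"  # replace with the one port the thread does not name

set skip on lo0

# Outbound NAT for both private segments behind the firewall
nat on $ext_if from { $int_if:network, $win_if:network } to any -> ($ext_if)

# Redirect only the one published port on X.X.X.26 to the private Windows host
rdr on $ext_if proto tcp from any to $win_pub port $win_port -> $win_srv

# Default deny, logged, so "tcpdump -i pflog0" shows exactly what was dropped
block log all

# Let the firewall itself and the private segments reach out, stateful
pass out quick on $ext_if keep state
pass in quick on $int_if from $int_if:network to any keep state
pass in quick on $win_if from $win_if:network to any keep state

# rdr has already rewritten the destination, so the pass rule matches the
# private address, not X.X.X.26; synproxy completes the handshake for the host
pass in on $ext_if proto tcp from any to $win_srv port $win_port flags S/SA synproxy state
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it, and watch pflog0 for the redirected port while testing from outside.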



Problem using Nslookup through VPN link

2006-02-18 Thread Todd Boyer
I have two 3.8 (GENERIC) IPSec VPN gateways using ISAKMP transforms for
negotiation. No complicated PF rules, everything is wide open between
networks. I can access and negotiate every protocol except when I call
an nslookup request from one side to a W2K3 server on the other. I
receive timeouts and server not available. A quick telnet (ip) 53
returns a response.  I can ping, tracert/traceroute, and map drives
between networks. Tcpdump shows outbound domain requests from one side,
tcpdump on the destination shows no domain requests coming in. No
restrictions or ACL security implemented in AD that would prevent a
lookup for a local zone.  Finally, I have additional Ipsec peers in the
same 3.8 (GENERIC) VPN gateway that have Sonicwall peers. From these
links, I can run nslookups between the networks without issue. Very
strange, any ideas? Thanks -T



Re: routing question

2005-09-06 Thread Todd Boyer
On Tuesday, September 06, John Brooks wrote: 

 
 (209.145.160.141)
 OBSD #1 -
  \
  Switch  DSL Modem  ISP(209.145.160.1)
  /
 OBSD #2 -
 (207.246.198.220)
 
 I was expecting that 207.246.198.217 would have been set up 
 as the gateway on the ISP's end, leaving me with 5 useable addresses. 
 

In this case, you need to create (not your ISP) a default gateway for
your new 207.246.198.216/29 network on your border router, so alias
207.246.198.217 on OBSD #1. This will leave you hosts 218-222 to use any
way you see fit.

---
Todd M. Boyer, CISSP 
President   AutumnTECH, LLC 
[EMAIL PROTECTED]   http://www.AutumnTECH.com

AutumnTECH Manufactures Entire Network Protection Appliances 
that Identify Spam and Sanitize Dangerous E-mail Content  
---



Re: routing question - why one way?

2005-09-01 Thread Todd Boyer
On Thursday, September 01, 2005, Bill wrote:

 Right now I have the router installed with two active interfaces...
 
 Segment A (192.168.0.4) interface on the router Segment B 
 (10.3.0.1) interface on the router
 
 Now I have a machine on each segment also:
 
 192.168.0.2 (Segment A)
 10.3.50.1 (Segment B)
 
 Segment B has the default gateway set to 192.168.0.2
 (192.168.0.2 then passes out to the internet )

This doesn't make sense, Segment B's default gateway is 10.3.0.1

 From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic).  I
 can ping any of the other interface cards on the router (there are a
 few) including the 192.168.0.4 interface on the router.  But 
 I cannot ping the 192.168.0.2 machine.
 
 * WAIT * I know what you are going to say... but I DO have 
 the ip forwarding set
 

No, I believe ip forwarding is enabled. A diagram of your network is as
follows (I believe):

0/0 route to Internet gateway 
  | 
(Segment A)(Segment B)
192.168.0.2  192.168.0.4 - 10.3.0.1  10.3.50.1

Segment A gets 192.168.0.4 as their default gateway, Segment B gets
10.3.0.1 as their default gateway

 Now, if I go to the 192.168.0.2 machine, I added a route so 
 it knows where the 10.3.0.0 network is, and I can ping the 
 10.3.50.1 machine no problem.  

Not necessary (of course) if Segment A's default gateway is 192.168.0.4
and Segment B is set to 10.3.0.1

 So if the pings can get from 192.168.0.2 to 10.3.50.1, the 
 ping responses from 10.3.50.1 should be able to be returned from the
 192.168.0.2 box back no problem.

Let the router do its job here.

 
 I am not sure where the pings are being lost... 

Probably lost in a 0/0 route, check your gateways.  YOU'RE SURE there
aren't any other players here in this simple network, correct?
For example, is pf, iptables, or another firewall enabled on any of
the machines involved? ICMP could be getting lost in an ACL.




Re: web server pf problem

2005-08-30 Thread Todd Boyer
On Tuesday, August 30, 2005, [EMAIL PROTECTED] wrote:  

 So my problem is that I can't access any of my web servers via internet
 but it works locally

Locate these pf.conf rules:

 block all

 pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA synproxy state
 pass in on $ext_if proto tcp from any to $web1_srv port 81 flags S/SA synproxy state

Change to:

block log all

pass in on $ext_if proto tcp from any to { $ext_if $web_srv } port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to { $ext_if $web1_srv } port 80 flags S/SA synproxy state

Use tcpdump -i pflog0 -qntte for additional troubleshooting.

This should do it. -T




Re: Stupid Carp question

2005-08-04 Thread Todd Boyer
On Thursday, August 04, 2005 Monah Baki wrote:

 However when I physically remove the ethernet cable from sis0 
 on the master, the internal machine cannot access the net anymore.
 Do I need to copy the pf.conf from the master to the secondary 
 unit, have them both identical

Sorry about my previous non-complete response... it's still early. Anyway,
wondering if you need to wait for the arp cache to clear on the internal
machine... try clearing it yourself and making another 'net attempt.

-Todd



Re: Stupid Carp question

2005-08-04 Thread Todd Boyer
On Thursday, August 04, 2005 Monah Baki wrote: 

 However when I physically remove the ethernet cable from sis0 
 on the master, the internal machine cannot access the net anymore.
 Do I need to copy the pf.conf from the master to the secondary 
 unit, have them both identical

arp cache on the