Re: OpenBGP
Hi,

> R1 - R2 - R3 - R4
>
> I've only seen networks announced to the nearest router that it is connected to. For example: R1 sees R2 but R1 cannot see R3, etc.

Do you mean R2 is a neighbor of R1 but not R3, or do you mean R3 doesn't distribute to R1?
Re: [PF] Strange Blocks
On 4 May 09 at 14:59, ropers wrote:

> Hang on, you're not running OpenBSD 4.5. What version are you running, and have you considered upgrading to the latest and greatest?
>
> regards,
> --ropers

I'm running OpenBSD 4.4. If I can't solve this issue, I will upgrade to 4.5. But I don't think it's an issue of the OpenBSD 4.4 version... Anyway, I had never read this information.
Re: [PF] Strange Blocks
Thanks for your reply.

On 2 May 09 at 10:59, ropers wrote:

> 2009/5/1 dug d...@xgs-france.com:
>> 0
>> 1 #Allow SMTP, HTTPS
>> 2 pass quick proto tcp from any to {public-ip mail-server} port 25
>> 3 pass quick proto tcp from any to {public-ip mail-server} port 443
>> 4 pass quick proto tcp from {public-ip mail-server} port 25 to any
>> 5 pass quick proto tcp from {public-ip mail-server} port 25 to any
>> 6 pass quick proto tcp from any port 25 to {public-ip mail-server}
>> 7 pass quick proto tcp from {public-ip mail-server} to any port 25
>
> Lines 4 and 5 are identical. Presumably you wanted to write port 443 in line 5?

Ok. It's just a mistake rewriting the rule in the mail. In my pf.conf, it's set to port 443, not port 25.

>> block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)
>> block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)
>
> Not sure what's going on here; line 7 should match these.

That's my problem and what I don't understand. In a perfect world, my rule should match these packets, but currently it does not.

>> block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)
>
> Not sure what's going on there; line 4 (and, currently, 5) should match these.

Setting the rule "pass quick from any to any" at the beginning of my pf.conf file doesn't solve the problem. I always have blocks on these packets.

Logs of the pftop tool:

pfTop: Up Rule 1-55/71, View: rules, Cache: 1
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass Any Q K 56069035 96 all flags S/SA
1 Block Any Log 44 1772 0 drop all

These are the options in the pf.conf file:

set block-policy drop
set skip on {gif0}
set loginterface $ext_if
set limit { states 10, frags 5 }
set optimization normal
set state-policy if-bound
scrub all no-df random-id fragment reassemble

Regards.
Re: [PF] Strange Blocks
On 3 May 09 at 18:04, (private) HKS wrote:

>> Setting the rule "pass quick from any to any" at the beginning of my pf.conf file doesn't solve the problem. I always have blocks on these packets.
>>
>> Logs of the pftop tool:
>>
>> pfTop: Up Rule 1-55/71, View: rules, Cache: 1
>> RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
>> 0 Pass Any Q K 56069035 96 all flags S/SA
>> 1 Block Any Log 44 1772 0 drop all
>>
>> These are the options in the pf.conf file:
>>
>> set block-policy drop
>> set skip on {gif0}
>> set loginterface $ext_if
>> set limit { states 10, frags 5 }
>> set optimization normal
>> set state-policy if-bound
>
> Remove that last line and it should work. If not, send the output of pfctl -s rules.
>
> -HKS

I removed the state-policy but it doesn't work. This is the result of pfctl -s rules:

# pfctl -s rules
scrub all no-df random-id fragment reassemble
pass quick on enc0 all flags S/SA keep state
block drop log all
pass quick inet proto tcp from public-ip port = smtp to any flags S/SA keep state
pass quick inet proto tcp from mail-server port = smtp to any flags S/SA keep state
pass quick inet proto tcp from any port = smtp to public-ip flags S/SA keep state
pass quick inet proto tcp from any port = smtp to mail-server flags S/SA keep state
pass quick inet proto tcp from any to public-ip port = smtp flags S/SA keep state
pass quick inet proto tcp from any to mail-server port = smtp flags S/SA keep state
pass quick inet proto tcp from public-ip to any port = smtp flags S/SA keep state
pass quick inet proto tcp from mail-server to any port = smtp flags S/SA keep state
pass quick inet proto tcp from public-ip port = https to any flags S/SA keep state
pass quick inet proto tcp from mail-server port = https to any flags S/SA keep state
pass quick inet proto tcp from any to public-ip port = https flags S/SA keep state
pass quick inet proto tcp from any to mail-server port = https flags S/SA keep state
pass quick inet proto icmp all icmp-type echoreq keep state
pass quick inet proto icmp all icmp-type echorep keep state
pass quick proto ospf all keep state
pass quick proto pfsync all keep state
pass quick proto carp all keep state
pass in quick on em3 proto esp from vpn_noipencap to ip_public keep state
pass in quick on em3 proto udp from vpn_noipencap to ip_public keep state
pass in quick on em3 from vpn_ipencap to ip_public flags S/SA keep state
pass out quick on em3 from ip_public to any flags S/SA keep state

Thanks.
[PF] Strange Blocks
Hello,

I have some filter problems with a newly installed firewall running OpenBSD 4.4 with PF. This firewall is connected to the Internet and to a private network. On this private network there is another FreeBSD router, which is connected to a second private network. On it, there is a mail server. To summarize:

  | Internet | --- | (em3) OpenBSD FW (em0) | --- | FreeBSD Router |
                                                           |
                                                    | Mail Server |

On the OpenBSD FW, I set these rules:

rdr on em3 inet proto tcp from any to public-ip port https -> mail-server port https
rdr on em3 inet proto tcp from any to public-ip port smtp -> mail-server port smtp

block log all

#Allow SMTP, HTTPS
pass quick proto tcp from any to {public-ip mail-server} port 25
pass quick proto tcp from any to {public-ip mail-server} port 443
pass quick proto tcp from {public-ip mail-server} port 25 to any
pass quick proto tcp from {public-ip mail-server} port 25 to any
pass quick proto tcp from any port 25 to {public-ip mail-server}
pass quick proto tcp from {public-ip mail-server} to any port 25

On the pflog0 interface, I have these logs:

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG
block in on em0: mail-server.443 > 149.6.161.125.58350: [|tcp] (ttl 63, id 49121, len 40)
block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)
block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)
block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)

I have only one block rule (as you can guess, when I delete this rule, everything works). I don't understand why these packets don't match my pass rules. Has somebody already seen this, or does anyone have an idea how to solve it?

Thanks.
Re: pf dynamic firewall for web portal ?
Hello,

You can create a table in your conf file and give access to this table. Then you will be able to modify this table without changing your text file or reloading it. You can do this using pfctl (specifically the -T option).

On 23 March 09 at 12:02, RJ45 wrote:

> Hello,
>
> I implemented an OpenBSD solution for a Soekris appliance. My problem is that I have a web portal there and I need a new pass rule for each client IP authenticating. Actually this was easy to do with Linux iptables, but how to do it with PF? Actually all the PF rules are in a file, and can be read from the file. This is far from being a dynamic system. Rules must first be deleted from the file and then reloaded with pfctl. My problem is, how can I remove a single PF rule without modifying a text file and reloading all the rules?
>
> thanks
> Rick
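The table approach suggested in the reply above, worked through as an added example (this is not code from the thread or from OpenBSD; the table name portal_auth, the interface variable $int_if, the $portal_ip macro and the PFCTL/TABLE variables are assumptions). The ruleset references the table by name, so adding or deleting a client address with pfctl -T takes effect immediately without editing pf.conf or running pfctl -f again; the script also kills the client's states on revocation so an existing session does not outlive the logout, and validates the address before it ever reaches pfctl.

```shell
#!/bin/sh
# Added example (not from the thread): keep web-portal clients in a pf table
# so the ruleset never has to be edited or reloaded per login/logout.
# Assumed names: table <portal_auth>, $int_if, $portal_ip, PFCTL, TABLE.
#
# pf.conf fragment this script expects to be loaded once with 'pfctl -f':
#
#   int_if    = "vr1"
#   portal_ip = "10.0.0.1"
#   table <portal_auth> persist         # persist: table stays defined even when empty
#   block in log on $int_if
#   pass in quick on $int_if proto tcp from any to $portal_ip port { 80 443 } keep state
#   pass in quick on $int_if from <portal_auth> to any keep state
#
# Unauthenticated clients can only reach the portal; every change made below
# with 'pfctl -t <table> -T ...' is seen by the pass rule at once.

PFCTL="${PFCTL:-pfctl}"          # set PFCTL=echo to dry-run without root or pf
TABLE="${TABLE:-portal_auth}"

# Accept only a dotted-quad IPv4 address with each octet in 0-255. The portal
# hands client addresses to this script, so nothing else may reach pfctl.
valid_ip4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

portal_allow() {   # after a successful portal login: client may pass
  valid_ip4 "$1" || { echo "portal_allow: bad address '$1'" >&2; return 2; }
  $PFCTL -t "$TABLE" -T add "$1"
}

portal_revoke() {  # on logout: drop the entry, then cut the client's live states
  valid_ip4 "$1" || { echo "portal_revoke: bad address '$1'" >&2; return 2; }
  $PFCTL -t "$TABLE" -T delete "$1" && $PFCTL -k "$1"
}

portal_list() {    # who is currently allowed through
  $PFCTL -t "$TABLE" -T show
}

portal_expire() {  # remove entries added (or counter-cleared) more than N seconds ago
  $PFCTL -t "$TABLE" -T expire "${1:-3600}"
}

case "${1:-}" in
  allow)  portal_allow "$2" ;;
  revoke) portal_revoke "$2" ;;
  list)   portal_list ;;
  expire) portal_expire "$2" ;;
  "")     ;;   # run or sourced without arguments: only define the functions
  *)      echo "usage: $0 allow <ip> | revoke <ip> | list | expire [seconds]" >&2; exit 64 ;;
esac
```

Usage: `sh portal_table.sh allow 10.11.1.100` after a login, `sh portal_table.sh revoke 10.11.1.100` on logout, and `sh portal_table.sh expire 3600` from cron to age out clients that never logged out. Keeping the table `persist` matters: without it pf drops a table that is referenced by no rule and has become empty, and the next `-T add` would fail.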
Re: Cisco IPSec Security Association Idle Timers and isakmpd
On 19 Jan. 09 at 17:37, Hans-Joerg Hoexer wrote:

> Hi,
>
> On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
>> I noticed that the Cisco end of a VPN I configured on my OpenBSD sends a DELETE message after a certain amount of idle time.
>
> Which SAs get deleted? isakmp, ipsec or both?
>
> HJ.

When you execute netstat -rn, do you always see the SA on your OpenBSD after the DELETE message has been sent?
Pf Blocks
Hello,

I have some trouble with PF blocks. I have two networks connected with a VPN between an OpenBSD 4.4 and a FreeBSD 6.4 firewall. So, I can connect to a remote host, from my computer behind the OpenBSD firewall, through the VPN with SSH. But a few seconds later, the following blocks appear in my pf log on the OpenBSD firewall:

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG
03:35:48.937334 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32188, len 100)
03:35:49.108254 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 58480, len 100)
03:35:49.178617 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32629, len 148)
03:35:49.267735 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 16761, len 100)

Yet, in my PF configuration, I set a rule which allows this traffic:

pass log quick on nfe0 from 10.11.0.0/16 to any flags S/SA keep state (if-bound)

These are the options of my pf.conf file:

scrub in all no-df random-id fragment reassemble
scrub on nfe0 all reassemble tcp fragment reassemble

I have another similar problem. I'm trying to connect to a web server behind the OpenBSD firewall from a computer behind the FreeBSD firewall. I have this block in my PF log:

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG
03:36:03.309939 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 35287, len 48)
03:36:06.002860 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 50439, len 48)

This is a rule set in my pf.conf file:

pass log quick on nfe0 inet from 10.10.1.39 to 192.168.1.0/24 flags S/SA keep state (if-bound)

Does somebody have an idea to help me?

Thank you.
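Both this post and the "[PF] Strange Blocks" thread above paste raw pflog0 output and ask which pass rule should have matched. The added example below (not code from either thread; the function names pflog_summary and sample_log are assumptions, and the sample lines are copied from the posts purely as illustrative input) condenses such output into one line per flow with a hit count, interface, direction and matching rule number, which is the first thing to look at on a busy log. Two checks a practitioner would want while reading these logs: the `[|tcp]` marker means tcpdump's snapshot length cut the packet before the TCP header (pflog prepends its own header), so the flags that decide whether a packet may create state are not visible, and a larger `-s` is needed to see them; and the pf.conf in the Strange Blocks thread sets `set limit { states 10, ... }`, far below pf's default of 10000, which is worth raising because a stateful pass rule cannot admit a packet once the state table is full.

```shell
#!/bin/sh
# Added example, not code from any post in these threads. Summarises the
# 'block ...' verdict lines that tcpdump prints for pflog0 (OpenBSD 4.x
# format as pasted above) into "<hits> <action> <dir> <iface> <src> > <dst> rule=<n>".
# Assumed names: pflog_summary, sample_log (sample lines are constructed input).

pflog_summary() {
  # stdin: raw tcpdump pflog lines; stdout: one line per flow, most hits first
  awk '
  {
    rule = "-"; act = ""; dir = ""; ifc = ""; src = ""; dst = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "rule") { rule = $(i + 1); sub(/\/.*/, "", rule) }   # "1/(match)" -> "1"
      if ($i == "block" || $i == "pass") {
        act = $i; dir = $(i + 1); ifc = $(i + 3); sub(/:$/, "", ifc)   # "em0:" -> "em0"
      }
      if ($i == ">" && act != "") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst); break }
    }
    if (act == "" || src == "") next          # header or other non-verdict line
    # tcpdump writes host.port; the port is everything after the last dot
    n = split(src, a, "."); sp = a[n]; sh = substr(src, 1, length(src) - length(sp) - 1)
    n = split(dst, b, "."); dp = b[n]; dh = substr(dst, 1, length(dst) - length(dp) - 1)
    hits[act " " dir " " ifc " " sh ":" sp " > " dh ":" dp " rule=" rule]++
  }
  END { for (k in hits) print hits[k], k }
  ' | sort -k1,1nr -k2
}

sample_log() {
  # Constructed sample: verdict lines quoted in the two posts above
  cat <<'EOF'
tcpdump: listening on pflog0, link-type PFLOG
block in on em0: mail-server.443 > 149.6.161.125.58350: [|tcp] (ttl 63, id 49121, len 40)
block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)
block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)
block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)
03:35:48.937334 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32188, len 100)
03:35:49.108254 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 58480, len 100)
03:36:03.309939 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 35287, len 48)
EOF
}

case "${1:-}" in
  "")  sample_log | pflog_summary ;;   # no argument: summarise the built-in sample
  -)   pflog_summary ;;                # '-': read tcpdump output from stdin
  *)   pflog_summary < "$1" ;;         # a saved 'tcpdump -n -e -i pflog0' text file
esac
```

Usage: `sh pflog_summary.sh` prints the summary of the built-in sample; `tcpdump -n -e -r /var/log/pflog | sh pflog_summary.sh -` runs it over the pflogd capture file. The rule number in the last column is the index printed by `pfctl -vvs rules`, so a flow that reports `rule=1` against the ruleset in the Strange Blocks thread landed on `block drop log all`, i.e. no pass rule matched it at all.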
[PF] IPSEC and PF/RDR rule
Hello,

I wish you a happy new year.

I have some trouble with my new OpenBSD router. I installed the latest version, 4.4. I compiled the kernel with the RAIDframe options. This router is running services for:

- OSPF
- PF
- CARP
- IPSEC/ISAKMPD/SASYNCD

I have trouble with the IPSEC and PF services (rdr rules particularly). I have a VPN between two peers: A.B.C.D and E.F.G.H. The peer A.B.C.D is running OpenBSD 4.4 and E.F.G.H is running FreeBSD 6.3. Behind these two peers, I have many networks. So, I use the IPENCAP protocol to connect them. From the host x.x.x.x behind E.F.G.H, I would like to connect to the host y.y.y.y behind A.B.C.D. This works well. But when I try to redirect traffic from x.x.x.x to y.y.y.y toward z.z.z.z with a PF rdr rule, this doesn't work. Following is the pf rule used on the peer A.B.C.D:

rdr from any to y.y.y.y -> z.z.z.z

I also tried these rules:

rdr enc0 from any to y.y.y.y -> z.z.z.z
rdr nfe0 from any to y.y.y.y -> z.z.z.z

(where nfe0 is a private interface used to route the traffic), with the same result. The traffic is not redirected. I can see on nfe0 the traffic from x.x.x.x to y.y.y.y instead of traffic from x.x.x.x to z.z.z.z. With pfctl -s state, I can see a state like this:

nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262 0:0

Before using this configuration on OpenBSD 4.4, I used it on FreeBSD 6.3. Everything was OK. I'm searching for any documentation on the web, without success for the moment. Maybe someone can help me here.

Thank you.