Re: OpenBGP

2011-02-28 Thread dug
Hi,

 R1 - R2 - R3 - R4

 I've only seen networks announced to the nearest router that it is connected
 to.

For example: R1 sees R2, but R1 cannot see R3, etc.



Do you mean R2 is a neighbor of R1 but not R3, or do you mean R3 doesn't distribute
to R1?



Re: [PF] Strange Blocks

2009-05-04 Thread dug

On 4 May 09 at 14:59, ropers wrote:



Hang on, you're not running OpenBSD 4.5. What version are you running,
and have you considered upgrading to the latest and greatest?

regards,
--ropers


I'm running OpenBSD 4.4.
If I can't solve this issue, I will upgrade to 4.5.
But I don't think it's an issue of the OpenBSD 4.4 version...
Anyway, I had never read this information.



Re: [PF] Strange Blocks

2009-05-03 Thread dug

Thanks for your reply.

On 2 May 09 at 10:59, ropers wrote:


2009/5/1 dug d...@xgs-france.com:
0
1 #Allow SMTP, HTTPS
2 pass quick proto tcp from any to {public-ip mail-server} port 25
3 pass quick proto tcp from any to {public-ip mail-server} port 443
4 pass quick proto tcp from {public-ip mail-server} port 25 to any
5 pass quick proto tcp from {public-ip mail-server} port 25 to any
6 pass quick proto tcp from any port 25 to {public-ip mail-server}
7 pass quick proto tcp from {public-ip mail-server}  to any port 25

Line 4 and 5 are identical. Presumably you wanted to write port 443
in line 5?


Ok. It's just a mistake rewriting the rule in the mail.
In my pf.conf, it's set to port 443, not port 25.



block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)

block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)



Not sure what's going on here; line 7 should match these.


That's my problem and what I don't understand.
In a perfect world, my rule would match these packets, but
currently it doesn't.



block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)



Not sure what's going on there; line 4 (and, currently, 5) should
match these.


Setting the rule pass quick from any to any at the beginning of my
pf.conf file doesn't solve the problem.
I always have blocks on these packets.

Logs of the pftop tool:

pfTop: Up Rule 1-55/71, View: rules, Cache: 1

RULE  ACTION   DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
   0  Pass     Any     Q     K  56069035 96   all  flags S/SA
   1  Block    Any Log          44 1772  0   drop all


These are the options in the pf.conf file:

set block-policy drop
set skip on {gif0}
set loginterface $ext_if
set limit { states 10, frags 5 }
set optimization normal
set state-policy if-bound

scrub all no-df random-id fragment reassemble

Regards.



Re: [PF] Strange Blocks

2009-05-03 Thread dug

On 3 May 09 at 18:04, (private) HKS wrote:




Setting the rule pass quick from any to any at the beginning of my
pf.conf file doesn't solve the problem.
I always have blocks on these packets.

Logs of the pftop tool:

pfTop: Up Rule 1-55/71, View: rules, Cache: 1

RULE  ACTION   DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
   0  Pass     Any     Q     K  56069035 96   all  flags S/SA
   1  Block    Any Log          44 1772  0   drop all


These are the options in the pf.conf file:

set block-policy drop
set skip on {gif0}
set loginterface $ext_if
set limit { states 10, frags 5 }
set optimization normal
set state-policy if-bound


Remove that last line and it should work.

If not, send the output of pfctl -s rules.

-HKS


I removed the state-policy but it doesn't work.

This is the result of pfctl -s rules :

# pfctl -s rules
scrub all no-df random-id fragment reassemble
pass quick on enc0 all flags S/SA keep state
block drop log all
pass quick inet proto tcp from public-ip port = smtp to any flags S/SA keep state
pass quick inet proto tcp from mail-server port = smtp to any flags S/SA keep state
pass quick inet proto tcp from any port = smtp to public-ip flags S/SA keep state
pass quick inet proto tcp from any port = smtp to mail-server flags S/SA keep state
pass quick inet proto tcp from any to public-ip port = smtp flags S/SA keep state
pass quick inet proto tcp from any to mail-server port = smtp flags S/SA keep state
pass quick inet proto tcp from public-ip to any port = smtp flags S/SA keep state
pass quick inet proto tcp from mail-server to any port = smtp flags S/SA keep state
pass quick inet proto tcp from public-ip port = https to any flags S/SA keep state
pass quick inet proto tcp from mail-server port = https to any flags S/SA keep state
pass quick inet proto tcp from any to public-ip port = https flags S/SA keep state
pass quick inet proto tcp from any to mail-server port = https flags S/SA keep state
pass quick inet proto icmp all icmp-type echoreq keep state
pass quick inet proto icmp all icmp-type echorep keep state
pass quick proto ospf all keep state
pass quick proto pfsync all keep state
pass quick proto carp all keep state
pass in quick on em3 proto esp from vpn_noipencap to ip_public keep state
pass in quick on em3 proto udp from vpn_noipencap to ip_public keep state
pass in quick on em3 from vpn_ipencap to ip_public flags S/SA keep state
pass out quick on em3 from ip_public to any flags S/SA keep state

Thanks.



[PF] Strange Blocks

2009-05-01 Thread dug

Hello,

I have some filter problems with a newly installed firewall running OpenBSD
4.4 with PF.


This firewall is connected to the Internet and to a private network.
On this private network there is another FreeBSD router, which is
connected to a second private network. On it, there is a mail server.

To summarize :

| Internet |  -  | (em3) OpenBsd FW (em0) |  ---  | Freebsd Router |
                                                          |
                                                          |
                                                          |
                                                   | Mail Server |


On the OpenBSD FW, I set these rules:

rdr on em3 inet proto tcp from any to public-ip port https -> mail-server port https
rdr on em3 inet proto tcp from any to public-ip port smtp -> mail-server port smtp


block log all

#Allow SMTP, HTTPS
pass quick proto tcp from any to {public-ip mail-server} port 25
pass quick proto tcp from any to {public-ip mail-server} port 443
pass quick proto tcp from {public-ip mail-server} port 25 to any
pass quick proto tcp from {public-ip mail-server} port 25 to any
pass quick proto tcp from any port 25 to {public-ip mail-server}
pass quick proto tcp from {public-ip mail-server}  to any port 25

On the pflog0 interface, I have these logs:

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG
block in on em0: mail-server.443 > 149.6.161.125.58350: [|tcp] (ttl 63, id 49121, len 40)

block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)

block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)

block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)


I have only one block rule (as you can guess, when I delete this rule,
everything works fine).

I don't understand why these packets don't match my pass rules.

Has somebody already seen this, or does anyone have an idea how to solve it?

Thanks.



Re: pf dynamic firewall for web portal ?

2009-03-23 Thread dug

Hello,

You can create a table in your conf file and give access to this table.
Then you will be able to modify this table without changing your text
file or reloading it.
You can do this using the pfctl options (specifically the -T option).




On 23 March 09 at 12:02, RJ45 wrote:


Hello,
I implemented an OpenBSD solution for a Soekris appliance.
My problem is that I have a web portal there and I need
a new pass rule for each client IP authenticating.
Actually this was easy to do with Linux iptables,
but how to do it with PF? Actually all the PF rules are
in a file, and can be read from the file. This is far
from being a dynamic system. Rules must first be deleted from the file
and then reloaded with pfctl.
My problem is, how can I remove a single PF rule without
modifying a text file and reloading all the rules?


thanks

Rick

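One way to do what dug describes, as an added example that is not the poster's or the project's own code: the ruleset is loaded once with a `table <portal_auth> persist` and a pass rule referencing it, and the portal only adds or removes client addresses with pfctl -T. The table name, the `$int_if` interface and the pf.conf lines in the docstring are assumptions; the address check and the state kill on logout are the two points a portal implementer usually misses.

```python
"""Per-client access via a PF table, changed at run time with pfctl -T.

Added example, not the poster's code. Assumed pf.conf (table and interface
names are made up):

    table <portal_auth> persist
    block in on $int_if
    pass in quick on $int_if from <portal_auth> to any keep state
"""
import ipaddress
import subprocess

TABLE = "portal_auth"  # assumed table name, must match pf.conf


def validate_client(ip):
    """Canonical IPv4 string or ValueError: the address comes from the
    portal's request path, so check it before it reaches a command line."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"unsupported client address: {ip}")
    return str(addr)


def table_command(action, ip, table=TABLE):
    """argv for one table change; action is 'add' or 'delete'."""
    if action not in ("add", "delete"):
        raise ValueError(f"unexpected table action: {action}")
    return ["pfctl", "-t", table, "-T", action, validate_client(ip)]


def run_pfctl(argv, run=subprocess.run):
    """Execute one pfctl command (argv list, no shell, so no quoting issues).
    `run` is injectable so the logic can be exercised on a box without PF."""
    return run(argv, capture_output=True, text=True).returncode == 0


def grant(ip, run=subprocess.run):
    """Authenticated client: add it to the table; the pass rule applies at once."""
    return run_pfctl(table_command("add", ip), run)


def revoke(ip, run=subprocess.run):
    """Logout: remove the entry, then kill its existing states; otherwise
    connections opened while it was authenticated keep passing."""
    ok = run_pfctl(table_command("delete", ip), run)
    return run_pfctl(["pfctl", "-k", validate_client(ip)], run) and ok


def expire_idle(seconds, table=TABLE, run=subprocess.run):
    """Drop entries added more than `seconds` ago (pfctl -T expire), e.g.
    from cron, so a client that just walks away eventually loses access."""
    return run_pfctl(["pfctl", "-t", table, "-T", "expire", str(int(seconds))], run)
```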



Re: Cisco IPSec Security Association Idle Timers and isakmpd

2009-01-19 Thread dug

On 19 Jan. 09 at 17:37, Hans-Joerg Hoexer wrote:


Hi,

On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:


I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.


Which SAs get deleted? isakmp, ipsec or both?

HJ.





When you execute netstat -rn, do you still see the SA on your
OpenBSD after the DELETE message has been sent?



Pf Blocks

2009-01-06 Thread dug

Hello,

I have some troubles with PF blocks.

I have two networks connected with a VPN between an
Openbsd 4.4 and a Freebsd 6.4 firewall.
So, I can connect to a remote host, from my computer behind the
OpenBSD firewall, through the VPN with SSH.
But a few seconds after, the following block appears in my pf log
on the OpenBSD firewall:

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG

03:35:48.937334 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32188, len 100)

03:35:49.108254 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 58480, len 100)

03:35:49.178617 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32629, len 148)

03:35:49.267735 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 16761, len 100)

Yet, in my PF configuration, I set a rule which allows this traffic:
pass log quick on nfe0 from 10.11.0.0/16 to any flags S/SA keep state (if-bound)

These are the options of my pf.conf file:
scrub in all no-df random-id fragment reassemble
scrub on nfe0 all reassemble tcp fragment reassemble

I have another similar problem.
I'm trying to connect to a web server behind the Openbsd Firewall from a
computer behind the Freebsd Firewall.
I have this block in my PF log :

# tcpdump -vvveni pflog0
tcpdump: listening on pflog0, link-type PFLOG

03:36:03.309939 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 35287, len 48)

03:36:06.002860 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 50439, len 48)


This is a rule set in my pf.conf file :

pass log quick on nfe0 inet from 10.10.1.39 to 192.168.1.0/24 flags S/SA keep state (if-bound)



Does somebody have an idea to help me?

Thank you.

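A small parser for the pflog lines shown in this message and in the [PF] Strange Blocks thread, as an added example that is not part of the original post. The rule number in each line is the index printed by pfctl -vvs rules, so grouping blocked packets by rule and flow is the first step in tracing a drop back to the rule that caused it; the sample lines are constructed after the ones above.

```python
"""Parse and aggregate pflog lines as printed by `tcpdump -vvveni pflog0`.
Added example; SAMPLE_LOG is constructed after the lines in the message."""
import re
from collections import defaultdict

PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"\[uid \d+, pid \d+\] (?P<action>\w+) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): .*\blen (?P<length>\d+)\)$"
)

# Constructed sample: an SSH flow and an HTTP flow both hitting rule 1 (block).
SAMPLE_LOG = """\
03:35:48.937334 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32188, len 100)
03:35:49.108254 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 58480, len 100)
03:35:49.178617 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.11.1.100.65024 > 192.168.1.150.22: [|tcp] [tos 0x10] (ttl 63, id 32629, len 148)
03:36:03.309939 rule 1/(match) [uid 0, pid 14289] block in on nfe0: 10.10.1.39.80 > 192.168.1.150.56417: [|tcp] (ttl 127, id 35287, len 48)
"""


def split_endpoint(ep):
    """'10.11.1.100.65024' -> ('10.11.1.100', 65024); tcpdump joins host and port with '.'."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """One pflog line -> dict of fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    rec["rule"], rec["length"] = int(rec["rule"]), int(rec["length"])
    return rec


def summarize(text):
    """Group blocked packets per (rule, dir, iface, src, dst, dport): count and bytes.
    The rule number is the one to look up with `pfctl -vvs rules`."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        key = (rec["rule"], rec["dir"], rec["ifn"], rec["src"], rec["dst"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["length"]
    return dict(flows)
```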


[PF] IPSEC and PF/RDR rule

2009-01-02 Thread dug

Hello,

I wish you a happy new year.

I have some trouble with my new OpenBSD router.
I installed the latest version, 4.4. I compiled the kernel with the
RAIDframe options.

This router is running services for :
- OSPF
- PF
- CARP
- IPSEC/ISAKMPD/SASYNCD

I have trouble with the IPSEC and PF services (rdr rules particularly).

I have a VPN between two peers: A.B.C.D and E.F.G.H
The peer A.B.C.D is running OpenBSD 4.4 and E.F.G.H is running
FreeBSD 6.3.
Behind these two peers, I have many networks. So, I use the IPENCAP protocol
to connect them.

From the host x.x.x.x behind E.F.G.H, I would like to connect to the
host y.y.y.y behind A.B.C.D. This works fine.
But when I try to redirect the traffic from x.x.x.x to y.y.y.y toward
z.z.z.z with a PF/rdr rule, this doesn't work.

Following is the pf rule used on the peer A.B.C.D:
rdr from any to y.y.y.y -> z.z.z.z

I also tried these rules:
rdr on enc0 from any to y.y.y.y -> z.z.z.z
rdr on nfe0 from any to y.y.y.y -> z.z.z.z (where nfe0 is a private
interface used to route the traffic).

With the same result.

The traffic is not redirected. I can see on nfe0 the traffic from
x.x.x.x to y.y.y.y instead of traffic from x.x.x.x to z.z.z.z.

With pfctl -s state, I can see a state like this:
nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262   0:0


Before using this configuration on OpenBSD 4.4, I used it on FreeBSD
6.3.

Everything was OK there.

I'm searching for any documentation on the WEB, without success for the
moment.

Maybe someone can help me here.

Thank you.