Re: match queue ignored
Greetings,
I tried setting up the following into pf.conf on both 4.9 and latest
snapshot:
altq on $ext_if priq queue {q1, q2}
queue q1 priority 1 priq(default)
queue q2 priority 2
pass all queue q1
match all queue q2
And I see nothing going into q2.
Is this the expected behavior?
Thanks for your time.
William
After further experimentation, I found out the following:
match queue overrides:
- a previous match queue assignment
- the default queue
but does not override:
- a previous pass queue assignment
- a previous block queue assignment
It seems to me this might not be the expected behavior, so well, I
thought it might be worth reporting...
man 5 pf.conf:
match
The packet is matched. This mechanism is used to provide
fine
grained filtering without altering the block/pass state of a
packet. match rules differ from block and pass rules in
that
parameters are set every time a packet matches the rule, not
only
on the last matching rule. For the following parameters,
this
means that the parameter effectively becomes ``sticky''
until
explicitly overridden: nat-to, binat-to, rdr-to, queue,
rtable, and
scrub.
R/
Rod,
Obviously I have read this part (many times). But I don't think it
implies that pass/block queue assignments cannot be overridden by a
match queue assignment. I would say it almost suggests the opposite
actually.
William
Re: match queue ignored
Greetings,
I tried setting up the following into pf.conf on both 4.9 and latest snapshot:
altq on $ext_if priq queue {q1, q2}
queue q1 priority 1 priq(default)
queue q2 priority 2
pass all queue q1
match all queue q2
And I see nothing going into q2.
Is this the expected behavior?
Thanks for your time.
William
After further experimentation, I found out the following:
match queue overrides:
- a previous match queue assignment
- the default queue
but does not override:
- a previous pass queue assignment
- a previous block queue assignment
It seems to me this might not be the expected behavior, so well, I
thought it might be worth reporting...
Regards,
William
match queue ignored
Greetings,
I tried setting up the following into pf.conf on both 4.9 and latest snapshot:
altq on $ext_if priq queue {q1, q2}
queue q1 priority 1 priq(default)
queue q2 priority 2
pass all queue q1
match all queue q2
And I see nothing going into q2.
Is this the expected behavior?
Thanks for your time.
William
OpenBSD 5.0 (GENERIC) #51: Mon Aug 8 14:51:10 MDT 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 267321344 (254MB)
avail mem = 246370304 (234MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (5 entries)
bios0: vendor innotek GmbH version VirtualBox date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU 5130 @ 2.00GHz, 1976.26 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,MWAIT,SSSE3,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibat0 at acpi0: BAT0 not present
acpiac0 at acpi0: AC unit online
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: VBOX HARDDISK
wd0: 128-sector PIO, LBA, 2048MB, 4194304 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
vga1 at pci0 dev 2 function 0 InnoTek VirtualBox Graphics Adapter rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 Intel PRO/1000MT (82540EM) rev 0x02:
apic 1 int 19, address 08:00:27:e6:6a:e9
InnoTek VirtualBox Guest Service rev 0x00 at pci0 dev 4 function 0
not configured
piixpm0 at pci0 dev 7 function 0 Intel 82371AB Power rev 0x08: SMBus disabled
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
mtrr: CPU supports MTRRs but not enabled
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (599187112325ad92.a) swap on wd0b dump on wd0b
Re: pf rdr-to outgoing to local port issues
pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080 I think rdr-to is meant to be use on inbound rules.
Re: nat static-port option
On Tue, Feb 1, 2011 at 6:43 AM, Josh Smith juice...@gmail.com wrote: misc@, I recently acquired a playstation 3 and have been running into some difficulties playing it online behing my openbsd gateway. After doing some research and testing I have been able to overcome most of these problems by appending the static-port option to my nat rule. I understand the concept that this prevents pf from modifying the source port on the packets as they are natted. But I am curious as to what implications flipping this switch has. At least I'm guessing there must be something since it is not the default behavior. Thanks, -- Josh Smith KD8HRX email/jabber:B juice...@gmail.com phone:B 304.237.9369(c) Naively, I would say you might run into conflict if two different internal hosts on your network try to access the same remote host from an identical source port. It feels like pf would have trouble finding which internal host to send the responses to. On a small network, it seems very unlikely to happen though.
Re: pf.conf: match seems to clean up previous log statements.
When you use 'match' to set options (e.g. nat-to) it does that for for *subsequent* rules, it doesn't retrospectively loop back and change addresses on a rule which has *already* been processed. Yes I know that much. And as my pass rules care about the not-yet translated source addresses, they have to be before the match...nat-to rule. I am not sure I am getting your point, but anyway the original question has been dealt with so I am fine. Thanks again. William
pf.conf: match seems to clean up previous log statements.
Dear list, I just noticed something strange with pf (4.7) and I wondered if someone could help me to understand it. Let's consider the following simple rule-set: pf.conf set skip on lo0 pass all block out log on bge0 inet proto tcp from any to x.x.x.x port 80 match out on bge0 inet proto tcp from any to x.x.x.x port 80 \pf.conf Then if I just try a simple hping on x.x.x.x on port 80, I expect to see the packet blocked, and logged on pflog0, but I don't see it. If I just add a log to the match rule, then my hping packet will be logged twice on pflog0 (for the block and the match). I observe analog behavior if I replace the block rule by a similar pass rule. So it seems impossible to log specific traffic if this traffic is matched somewhere by a simple match rule, one would need to add the log directive to the latter, which might of course not be desirable. Is this the expected behavior, or is there something I am overlooking? Any help would be greatly appreciated. Regards, William
Re: pf.conf: match seems to clean up previous log statements.
Hi Stuart,
Thanks for your answer.
Well this rule-set's purpose is just to illustrate the problem.
In my actual rule-set, I use several match statements to set default
queuing policy for block of rules, and of course for nating outgoing
traffic.
I noticed ny the way that if the block (or pass) log rule is located
after the match rule, then it is properly logged (which seems in line
with the man page). Unfortunately, I don't think I can change the
order of the rules in my particular case.
Here is a condensed version of my rule-set:
pf.conf
ext_if = bge0
int_if = em0
cross_if = bge1
non_routable = {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4}
...
bunch of aliases
...
set skip on {lo, $cross_if, em1}
set block-policy return
set optimization normal
altq on $ext_if priq bandwidth 46Mb queue {q_max, q_hig, q_def, q_low}
queue q_max priority 15
queue q_hig priority 10
queue q_def priority 5 priq(default)
queue q_low priority 0
antispoof for {$ext_if, $int_if}
block in quick on $ext_if from $non_routable to any
block out quick on $ext_if from any to $non_routable
block quick inet6
block all
pass quick on {$ext_if, $int_if} proto carp keep state (no-sync) queue q_hig
match on $ext_if all scrub (reassemble tcp random-id)
### Ext inbound ###
match in on $ext_if proto {tcp, udp} from any to $ext_if:network queue
(q_def, q_hig)
pass in on $ext_if proto icmp from any to $ext_if:network queue q_low
pass in on $ext_if proto tcp from $somewhere to self port 22 keep
state (no-sync) queue (q_low, q_max)
pass in on $ext_if proto tcp from $somewhere to self port 80 keep
state (no-sync) queue (q_low, q_max)
... bunch of pass in on $ext_if from something to something rdr-to something ...
### Ext outbound ###
match out on $ext_if from any to any queue (q_low, q_max)
... bunch of pass out on $ext_if from something to something ...
pass out on $ext_if proto tcp from {A, B} to any port 25
match out on $ext_if from $somewhere to any nat-to $something
### Int inbound ###
pass in on $int_if
### Int outbound ###
pass out on $int_if
/pf.conf
So what I would like to do is simply to log blocked outgoing smtp
traffic (not coming from A or B), but I can't find a clean way (it is
in prod so I don't want to turn it upside down) to do it as long as my
nat-to rule has to be at the end of the ext outbound section, and my
block rules have to stay on top of everything.
Regards,
William
On Mon, Jun 14, 2010 at 8:35 PM, Stuart Henderson s...@spacehopper.org wrote:
While this is wierd behaviour, I don't see what purpose this
match rule can serve, so it's not entirely surprising this hasn't
been noticed before... What are you trying to do with this?
On 2010-06-14, william dunand william.dun...@gmail.com wrote:
Dear list,
I just noticed something strange with pf (4.7) and I wondered if
someone could help me to understand it.
Let's consider the following simple rule-set:
pf.conf
set skip on lo0
pass all
block out log on bge0 inet proto tcp from any to x.x.x.x port 80
match out on bge0 inet proto tcp from any to x.x.x.x port 80
\pf.conf
Then if I just try a simple hping on x.x.x.x on port 80, I expect to
see the packet blocked, and logged on pflog0, but I don't see it.
If I just add a log to the match rule, then my hping packet will
be logged twice on pflog0 (for the block and the match).
I observe analog behavior if I replace the block rule by a similar pass rule.
So it seems impossible to log specific traffic if this traffic is
matched somewhere by a simple match rule, one would need to add the
log directive to the latter, which might of course not be desirable.
Is this the expected behavior, or is there something I am overlooking?
Any help would be greatly appreciated.
Regards,
William
Re: pf.conf: match seems to clean up previous log statements.
Stuart,
Thanks for your answer, and for sending the PR.
Ah, for that we can go simpler:
pass log
match
Indeed, sorry for the noise.
move this nat-to rule above the pass rule/s that it needs to apply
to.
Well, I'll have to test tomorrow, but according to pf.conf man page,
in the Translation section:
Subsequent rules will see packets as they look after any addresses and
ports have been translated. These rules will therefore have to filter
based on the translated address and port number.
So unless I am reading it wrong, I think one would expect the match
... nat-to rules to have to be after the related pass rules.
Thanks again for your help.
William
On Tue, Jun 15, 2010 at 12:28 AM, Stuart Henderson s...@spacehopper.org wrote:
On 2010-06-14, william dunand william.dun...@gmail.com wrote:
Well this rule-set's purpose is just to illustrate the problem.
Now you would expect any outgoing traffic to be logged. It isn't.
I've sent a PR for this so it's not lost - it will probably be
kernel/6401.
You don't need it for your requirements though:
### Ext outbound ###
match out on $ext_if from any to any queue (q_low, q_max)
... bunch of pass out on $ext_if from something to something ...
add block out log on $ext_if proto tcp to port 25 here
pass out on $ext_if proto tcp from {A, B} to any port 25
match out on $ext_if from $somewhere to any nat-to $something
in general (excepting the bug demonstrated above), match rules
don't affect preceding rules.
Re: pf.conf: match seems to clean up previous log statements.
ah, yes, I see what you mean, but this depends on the values chosen for
A, B, somewhere, something.
Yeah sorry for the vagueness :)
Anyway I tested it just in case and as expected it didn't work.
it might be simpler to combine the rules e.g.
pass out on $ext_if proto tcp from {A, B} to port 25 nat-to $something
Indeed, I guess having the nat-to on the pass rule is the only way
(until the PR get solved ;)
I just wanted to avoid having more than one nat rule, and block rules
not gathered altogether at the top.
Thanks again for your help.
William
ifstated behavior
Hi misc, I was playing around with ifstated, trying to understand exactly how it behaves, and came up with a few assumptions for which I could not find any contradiction or confirmation in the docs. So I'd appreciate if someone familiar with ifstated internals could shed some light. --- 1. If for some reason several set-state directives of a given state's body are processed, the last one applies. It is especially relevant when you have event A and event B set to true, and rules like: if A B set-state X if A set-state Y if B set-state Z Some people would probably expect ifstated to enter state X, but it that case it would go to Z. I actually found one example of this problem in mailing list archives (2009 Nov 03), and the poster was apparently instructed to avoid in his tests but I don't think that was a correct answer. --- 2. There is no rules of precedence between and ||, operation are processed from left to right, and not according to the usual order (http://en.wikipedia.org/wiki/Logical_connective#Order_of_precedence) So when you write : A || B C You should expect : ( A || B ) C Instead of the usually expected : A || ( B C ) --- 3. This point is actually properly documented in ifstated.conf man page, but apparently ignored in the sample ifstated.conf file. Man page states that Macros can be defined that will later be expanded in context. But if you look at /usr/src/etc/ifstated.conf, you can see at the bottom the macro $carp_sync being negated without use of parentheses, which is per my understanding equivalent to negate only the first test of the macro (which gives funky results). If my assumptions are correct, I think it would be nice to have 1 and 2 quickly mentioned in ifstated.conf's man page, and /usr/src/etc/ifstated.conf corrected. --- etc/ifstated.conf.orig Thu Apr 15 13:47:45 2010 +++ etc/ifstated.conf Thu Apr 15 13:50:53 2010 @@ -12,8 +12,8 @@ carp_up = carp0.link.up carp1.link.up carp_down = !carp0.link.up !carp1.link.up -carp_sync = carp0.link.up carp1.link.up || \ -!carp0.link.up !carp1.link.up +carp_sync = (carp0.link.up carp1.link.up || \ +!carp0.link.up !carp1.link.up) # The net addresses are other addresses which can be used to determine # whether we have connectivity. Make sure the hosts are always up, or Please let me know if you think any of the above is wrong. Regards, William
Preempt: apparently no effect on advskew
Dear list, I am currently setting up two 4.6 boxed to act as carp'ed firewalls. - On the active node: % cat /etc/hostname.bge1 inet 10.100.0.1 255.255.255.0 NONE -inet6 % cat hostname.pfsync0 up syncdev bge1 % cat /etc/hostname.bge0 inet xxx.xxx.xxx.48 255.255.255.224 NONE -inet6 % cat /etc/hostname.carp0 inet xxx.xxx.xxx.50 255.255.255.224 NONE -inet6 carpdev bge0 advskew 50 carppeer xxx.xxx.xxx.51 pass xxx vhid 1 % cat /etc/hostname.em0 up % cat /etc/hostname.vlan2 inet 172.16.0.101 255.255.255.0 NONE -inet6 vlan 2 vlandev em0 % cat /etc/hostname.carp1 inet 172.16.0.10 255.255.255.0 NONE -inet6 carpdev vlan2 advskew 50 carppeer 172.16.0.102 pass xxx vhid 2 % sysctl net.inet.carp.preempt net.inet.carp.preempt=1 % sysctl net.inet.carp.log net.inet.carp.log=6 - On the passive node: % cat /etc/hostname.bge1 inet 10.100.0.2 255.255.255.0 NONE -inet6 % cat /etc/hostname.pfsync0 up syncdev bge1 % cat /etc/hostname.bge0 inet xxx.xxx.xxx.51 255.255.255.224 NONE -inet6 % cat /etc/hostname.carp0 inet xxx.xxx.xxx.50 255.255.255.224 NONE -inet6 carpdev bge0 advskew 100 carppeer xxx.xxx.xxx.48 pass xxx vhid 1 % cat /etc/hostname.em0 up % cat /etc/hostname.vlan2 inet 172.16.0.102 255.255.255.0 NONE -inet6 vlan 2 vlandev em0 % cat /etc/hostname.carp1 inet 172.16.0.10 255.255.255.0 NONE -inet6 carpdev vlan2 advskew 100 carppeer 172.16.0.101 pass xxx vhid 2 % sysctl net.inet.carp.preempt net.inet.carp.preempt=1 % sysctl net.inet.carp.log net.inet.carp.log=6 Even though I got to quite satisfying results, I am confused about the net.inet.carp.preempt definition given in the carp(4) man page: a) Allow virtual hosts to preempt each other. b) It is also used to failover carp interfaces as a group. When the option is enabled and one of the carp enabled physical interfaces goes down, advskew is changed to 240 on all carp interfaces. See also the first example. Disabled by default. I have no problem to observe [a], but I really can't manage to make [b] happens. So when one of my interfaces goes down, all carp interfaces are failing over to the other node but it seems to be thanks to the demotion of carp group. A you can see below, advskew on the other hand does not change at all: - On the active node % ifconfig carp carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:01 priority: 0 carp: MASTER carpdev bge0 vhid 1 advbase 1 advskew 50 carppeer xxx.xxx.xxx.51 groups: carp inet xxx.xxx.xxx.50 netmask 0xffe0 broadcast xxx.xxx.xxx.63 carp1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:02 priority: 0 carp: MASTER carpdev vlan2 vhid 2 advbase 1 advskew 50 carppeer 172.16.0.102 groups: carp inet 172.16.0.10 netmask 0xff00 broadcast 172.16.0.255 pfsync0: flags=41UP,RUNNING mtu 1500 priority: 0 pfsync: syncdev: bge1 maxupd: 128 defer: off groups: carp pfsync % sudo ifconfig vlan2 down % ifconfig carp carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:01 priority: 0 carp: BACKUP carpdev bge0 vhid 1 advbase 1 advskew 50 carppeer xxx.xxx.xxx.51 groups: carp inet xxx.xxx.xxx.50 netmask 0xffe0 broadcast xxx.xxx.xxx.63 carp1: flags=8803UP,BROADCAST,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5e:00:01:02 priority: 0 carp: INIT carpdev vlan2 vhid 2 advbase 1 advskew 50 carppeer 172.16.0.102 groups: carp inet 172.16.0.10 netmask 0xff00 broadcast 172.16.0.255 pfsync0: flags=41UP,RUNNING mtu 1500 priority: 0 pfsync: syncdev: bge1 maxupd: 128 defer: off groups: carp pfsync % tail -n 3 /var/log/messages Apr 13 16:15:13 bsdfw1 /bsd: carp1: state transition: MASTER - INIT Apr 13 16:15:13 bsdfw1 /bsd: carp: carp1 demoted group carp to 1 Apr 13 16:15:13 bsdfw1 /bsd: carp0: state transition: MASTER - BACKUP The failover happens and it comes back almost instantly if I up vlan2 back, and I would be quite happy with that if there wasn't this statement in the manpage about advskew being supposed to change. I tried different things to see it happen (disabling interface at the switch level, using the raw interface instead of vlan) but to no avail. Would anyone be so kind as to explain me what I am misunderstanding here ? Thanks, and regards, William dmesg of active node: OpenBSD 4.6 (GENERIC.MP) #1: Thu Dec 24 19:28:16 JST 2009 r...@bsdfw1.bsdfw1.ariake.sbidc.gaba.co.jp:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR real mem = 1073258496
Re: Preempt: apparently no effect on advskew
Marco, Thank you very much for you quick answer. I indeed had the feeling it was not really useful anymore (as the group demotion system is taking care of it) and probably deprecated. I guess I should have checked the latest man page :) Regards, William 2010/4/13 Marco Pfatschbacher m...@mailq.de: On Tue, Apr 13, 2010 at 04:32:12PM +0900, william dunand wrote: Dear list, I am currently setting up two 4.6 boxed to act as carp'ed firewalls. [...] Even though I got to quite satisfying results, I am confused about the net.inet.carp.preempt definition given in the carp(4) man page: a) Allow virtual hosts to preempt each other. b) It is also used to failover carp interfaces as a group. When the option is enabled and one of the carp enabled physical interfaces goes down, advskew is changed to 240 on all carp interfaces. See also the first example. Disabled by default. I have no problem to observe [a], but I really can't manage to make [b] happens. So when one of my interfaces goes down, all carp interfaces are failing over to the other node but it seems to be thanks to the demotion of carp group. A you can see below, advskew on the other hand does not change at all: [...] Would anyone be so kind as to explain me what I am misunderstanding here ? Hi, the advskew bump to 240 is done internally and not visible with ifconfig. Run tcpdump(8) and you'll see it on the wire. However, the 240 bump has been deprecated with 4.7 and the current manpage doesn't mention it either :) Marco
Re: Wondering about openbsd way to update for patches.
What about the following process : - Install release - Download the release's src.tar.gz and sys.tar.gz from one of the official FTP - Extract those in /usr/src - wget all the patches listed on http://openbsd.org/errata44.html - Read http://openbsd.org/faq/faq10.html#Patches - Read instructions at the head(1) of the patches. - Apply them all to you src tree - Rebuild and install stuff according to instructions given in the patches - Reboot It's very straight forward and easy and I never felt the need for binary upgrade. Unless some big piece of code is concerned, compilation goes really quick, and if you start from a clean src tree downloaded from the FTP, there is no reason for it to fail. Anyway, the FAQ does not recommend it so... William 2008/11/28 Maurice Janssen [EMAIL PROTECTED]: On Thursday, November 27, 2008 at 23:56:31 -0600, Javier Vasquez wrote: I'm sorry about my ignorance, but I was reading the section 5.4 about releases, and couldn't find out how to upgrade a system from a release, :(. Maybe such upgrade is more like http://www.openbsd.org/faq/upgrade44.html;? But the release tree needs to be downloaded, or maybe synchronized instead, maybe using rsync? Just thinking out loud how to do upgrades to this binary repo once the installation is OK I usually do it like this: - download bsd.rd and copy it to / - reboot and type 'boot bsd.rd' at the boot prompt - select upgrade - select ftp as location for the file sets - select the file sets you need - reboot Because you go from 4.4-release to 4.4-stable, there's no need to fiddle with etc44.tgz. After the last reboot, it just works. Maurice
Re: Using PF to NAT internal addresses over an IPSec link
Of course, as it is a testing environment it is a lot easier to make it work for me... On the remote side, a configured something like this (I suppose they have something of this kind on the other side) : ike passive esp from 172.25.0.1 to A.B.C.D And on the local server side, all I have is : ike esp from any to 172.25.0.1 peer W.X.Y.Z Never tried to use the flow directives as you did. I suppose that if as you said you have correct encap routes, packets headed to 172.25.0.1 should definitely go through enc0, then if you set nat on enc0, it should work as it does for me. Could you paste and show us the output of netstat -rnf encap and also if possible your pf.conf ? Regards, William 2008/8/15 Toby Burress [EMAIL PROTECTED]: On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote: Hi, I tried to reproduce what you want in my testing environment and managed to make it work. What you have to do is : - In your ipsec.conf, add an rule from your local network to the distant 172.25.0.1 (this rule is needed in order to route the traffic to enc0) Did you need to configure this on both ends? If I add a flow routing my network to the remote IP the packets never seem to get to enc0; it looks like isakmpd is stuck trying to negotiate something with the remove end. From what I can tell I need an SA for packets to get routed over enc0. In ipsec.conf I have: ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \ main auth hmac-md5 enc 3des \ quick auth hmac-md5 enc 3des group none \ psk yarg which lets me ping 172.25.0.1 from A.B.C.D. To route packets to 172.25.0.1 I am using flow from any to 172.25.0.1 peer W.X.Y.Z This does create appropriate encap entries in the routing tables, but I never see anything hit enc0.
Re: Using PF to NAT internal addresses over an IPSec link
Toby,
Actually, I was initially using my local subnet address rather than
any, but I realized that if did so, this address could be seen on
the remote vpn server by looking at the flows table.
After setting the from any rule, I realized that, yes it was more or
less working as expected, but it was screwing the internal carp
configuration on the remote side when you use the remote local subnet
as a target rather than 172.25.0.1. So I think it's not a good idea
anyway.
So I decided to try to set it up your way, with a manual flow directive.
I could make it work using something like :
ike esp from A.B.C.D to 172.25.0.1. peer W.X.Y.Z
flow from my.local.subnet to 172.25.0.1 peer W.X.Y.Z type require
(note that I had to set require to make it work)
But again the local subnet appears if you look at the flows on the
remote servers, so that's not what you want.
If I use any in place of my local subnet address, it doesn't work
for some reason I don't understand yet, I am just losing track of my
packets...
So I guess that as you said, you should try to get more informations
about the remote side configuration.
I would still be interested in knowing the clean and mighty way to
hide your local subnet topography.
Maybe using an intermediate local interface may help, as it was
suggested by Marc-Andre.
Regards,
William
2008/8/15 Toby Burress [EMAIL PROTECTED]:
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, a configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D
And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z
Ah, okay. It doesn't look like I have the luxury of simply saying
'from any to IP', since the remote end refuses to set up the SAs
in that case. I will try to get the other end to allow something
like that, since it seems like a MUCH better solution than the rube
goldberg stuff I'm playing with now, but half the reason I'm stuck
is the other guy doesn't return emails...
Never tried to use the flow directives as you did. I suppose that if
as you said you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0, then if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also
if possible your pf.conf ?
Encap:
Source Port DestinationPort Proto
SA(Address/Proto/Type/Direction)
172.25.0.1/32 0 A.B.C.D/32 0 0 W.X.Y.Z/esp/use/in
A.B.C.D/32 0 172.25.0.1/32 0 0
W.X.Y.Z/esp/require/out
172.25.0.1/32 0 default0 0 W.X.Y.Z/esp/use/in
default0 172.25.0.1/32 0 0 W.X.Y.Z/esp/use/out
The pf.conf is pretty complicated, but the relevant rules that get hit are:
ext_if=bge1
int_if=bge0
vpn_if=enc0
set ruleset-optimization none
set state-policy if-bound
set skip on { lo }
scrub all fragment reassemble reassemble tcp
nat on $vpn_if from 192.168.0.0/16 to any - A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any - E.F.G.H
block drop
pass quick on $vpn_if
pass quick on $int_if
And then there are others that eventually let us out of $ext_if as well.
Re: Using PF to NAT internal addresses over an IPSec link
Hi, I tried to reproduce what you want in my testing environment and managed to make it work. What you have to do is : - In your ipsec.conf, add an rule from your local network to the distant 172.25.0.1 (this rule is needed in order to route the traffic to enc0) - Add a nat rule on enc0 in your pf.conf. Something like : nat on enc0 from !($ext_if) - ($ext_if:0) - Note that if you had set a skip on enc0, you should remove it and use something like pass quick on enc0 for the nat to be applied. It works for me, local addresses are nated inside the tunnel and cannot be seen by the remote servers. Feel free to ask if you need more details. Cheers, William 2008/8/15 Marc-Andre Jutras [EMAIL PROTECTED]: Hey List ! ... Interesting... I was about to send an e-mail on the list regarding this same question : aka: Best practice on NAT over IPsec... or how to do it correctly ?!?!?!? May I can suggest you to try something... : ( that what I will try anyway somewhere next week or so... ) Create a Loopback interface on one of your BSD and try to NAT on this 'lo' interface ... from that nat, adjust your pf to block all from lan A to lab B except from NAT ...and well, I think it should work ! any other suggestion to try or any ''already working here' ' notes that someone can post ? Regards, M-A Jorge Valbuena wrote: I have the following configuration: LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A http://bsdsupport.org/ , setting up Ipsec over GRE on OpenBSD I can ping a host from LAN_A to a host on LAN_B I hope this can Help ! Original-Nachricht Datum: Wed, 13 Aug 2008 16:41:20 -0400 Von: Toby Burress [EMAIL PROTECTED] An: misc@openbsd.org Betreff: Using PF to NAT internal addresses over an IPSec link I have an IPSec connection set up to an external site, over which I have no control and whose topololgy I know nothign about (i.e. I don't know what subnets they use, etc.) Using ipsecctl, I have one flow set up, from my external IP A.B.C.D to an internal IP on their side, 172.25.0.1. I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine. What I want to do is allow any machine from my internal networks to reach 172.25.0.1. What I would like to do is set up NAT, so that packets headed to the OpenBSD box from anywhere on my network get translated to A.B.C.D, which is then sent over the VPN connection. Unfortunately it looks like PF only applies NAT transforms when packets leave interfaces, not when they enter them, so packets come into the OpenBSD box with their private IPs, get routed out the interface associated with the default route, and only then get rewritten. Is there a better way to do this? I would like to be able to change which hosts on my side can go over the IPSec connection without having to coordinate with the other company, and without having to expose internal IP information. If you reply to the list please cc me as I am not subscribed.
Re: OpenBSD 4.3 running in VirtualBox? Anyone have it working properly?
2008/8/7 Jordi Beltran Creix [EMAIL PROTECTED]: I tried to run a recent i386 4.4 beta on a KVM/QEMU virtual machine under Ubuntu and there are some problems with the emulated network. The driver constantly reports timeouts. re0: watchdog timeout As a side effect the connection is very slow. I assume that doesn't happen on the actual hardware that QEMU is supposed to emulate, but other OSes don't have the same problem. I had this problem too. qemu allows you to work around it easily just by changing the model of the emulated network card. ne2k_pci is working just fine. Cheers, William
Firmware loading delay for malo on Zaurus
Hi, I recently purchased a marvell based CF wifi card for my zaurus, which is running 4.4-beta snapshot (2008-07-03). After installing the package malo-firmware-1.4.tgz I was encountering the following messages when plugging the card : malo0: main FW not loaded! So I took a quick look at the driver code (/usr/src/sys/dev/pcmcia/if_malo.c) and saw that the error was due to some kind of timeout in querying the card about the proper loading of the firmware. The zarus being quite slow, I thought my slight but only chance was to try to give it more time before raising the error and so I applied the following change : 613c613 delay(1000); --- delay(1); Quite the small change actually, just drastically raised the delay inside the loop. I recompiled my kernel with that and now it just works! I have been using it for 2 days now and it looks ok. Please find hereafter the resulting dmesg with the card plugged Cheers, William OpenBSD 4.4-beta (GENERIC) #0: Thu Jul 24 15:13:23 JST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/zaurus/compile/GENERIC real mem = 67108864 (64MB) avail mem = 56627200 (54MB) mainbus0 at root cpu0 at mainbus0: PXA27x step C-5 (XScale core) cpu0: DC enabled IC enabled WB enabled LABT branch prediction enabled cpu0: 32KB(32b/l,32way) I-cache, 32KB(32b/l,32way) wr-back-lock D-cache pxaip0 at mainbus0: CPU clock = 416.003 MHz pxaintc0 at pxaip0 addr 0x40d0: Interrupt Controller pxagpio0 at pxaip0 addr 0x40e0: GPIO Controller pxadmac0 at pxaip0 addr 0x4000 intr 25: DMA Controller pxaost0 at pxaip0 addr 0x40a0 com0 at pxaip0 addr 0x4010 intr 22: pxa2x0, 32 byte fifo com1 at pxaip0 addr 0x4020 intr 21: pxa2x0, 32 byte fifo com2 at pxaip0 addr 0x4070 intr 20: pxa2x0, 32 byte fifo (SIR) pxaudc0 at pxaip0: USB Device Controller usbf0 at pxaudc0: USB revision 1.1 cdcef0 at usbf0: usbf_open_pipe failed ohci0 at pxaip0, version 1.0 usb0 at ohci0: USB revision 1.0 uhub0 at usb0 PXA27x OHCI root hub rev 1.00/1.00 addr 1 lcd0 at pxaip0 wsdisplay0 at lcd0 mux 1: console (std, vt100 emulation) wsdisplay0: screen 1 added (std, vt100 emulation) zkbd0 at pxaip0 wskbd0 at zkbd0: console keyboard, using wsdisplay0 scoop0 at pxaip0: PCMCIA/GPIO controller scoop1 at pxaip0: PCMCIA/GPIO controller pxapcic0 at pxaip0: 2 slots pcmcia0 at pxapcic0 pcmcia1 at pxapcic0 pxammc0 at pxaip0: MMC/SD/SDIO controller sdmmc0 at pxammc0 zssp0 at pxaip0 apm0 at pxaip0 zts0 at pxaip0 wsmouse0 at zts0 mux 0 zaudio0 at pxaip0: I2C, I2S, WM8750 Audio audio0 at zaudio0 zrc0 at pxaip0: CE-RH2 remote control wskbd1 at zrc0 mux 1 wskbd1: connecting to wsdisplay0 flash0 at pxaip0: Samsung K9F1G08U0A 128Mx8 3.3V wdc0 at pcmcia0 function 0 HITACHI, microdrive port 0x0/16: irq 138 wd0 at wdc0 channel 0 drive 0: HMS360606D5CF00 wd0: 32-sector PIO, LBA, 5859MB, 12000556 sectors wd0(wdc0:0:0): using BIOS timings malo0 at pcmcia1 function 0 IODATA , WNG54CF , ID: 04 port 0x0/128, irq 1 37 softraid0 at root boot device: wd0 root on wd0a swap on wd0b dump on wd0b malo0: address 00:a0:b0:85:ad:43
