Re: PF issue

2008-07-21 Thread Parvinder Bhasin
Thank you guys for your quick responses :)  This mailing list (group) is awesome.


So last night, I changed my 4.3 openbsd gateway to a 4.2 one, slapped on the same pf rules BUT with userland pppoe and PRESTO, it works like a charm.

I could access my webserver in the lab totally fine.
I think it could be something to do with MTU size. I will still continue my search and post it to the list once I find something.


Again, really appreciate everyone's help on this.

Thx a bunch!

On Jul 20, 2008, at 10:01 PM, Srikant Tangirala wrote:


Have you tried doing a tcpdump on fxp0
and pflog0 while trying to access the
web server on home firewall? Might give
you clues.

Srikant.




Re: PF issue

2008-07-20 Thread Rafael C. de Almeida
Parvinder Bhasin wrote:
 My home network.  Firewall is openbsd (4.3).  DSL setup with PPPOE (in kernel):
 
 cat /etc/hostname.pppoe0
 
 inet 0.0.0.0 255.255.255.255 NONE \
  pppoedev dc0 authproto pap \
  authname '[EMAIL PROTECTED]' authkey 'password' up
 !/sbin/route add default
 
 Here is my /etc/pf.conf for this network (HOME).  Very simple: blocking everything and allowing everything to go out from my internal network.
 
 #   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
 
 ext_if=dc0
 int_if=fxp0
 loopback=lo0
 pppoe_if=pppoe0
 
 #table <spamd-white> persist
 
 set skip on lo
 set loginterface $ext_if
 set loginterface $int_if
 set loginterface $pppoe_if
 set loginterface $loopback
 scrub in all max-mss 1440
 
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 
 # nat on $pppoe_if from 172.16.200.0/24 -> $pppoe_if
 nat on $pppoe_if from !($pppoe_if) to any -> ($pppoe_if)
 block in log on $pppoe_if
 
 pass out keep state

If you're able to connect to other stuff other than your webserver, then
this is probably not it. But I'd expect a rule like:
pass in on $int_if
Have you tried no filtering at all to see if it works that way? What
about accessing your webserver directly from the firewall box?

 Here is my Lab network:  setup on a static DSL connection with 5 static IPs:
 I am using one for webserving:  75.44.224.2.
 
 my /etc/hostname.sk0 looks like:
 
 inet 75.44.229.1 255.255.255.248 NONE
 alias 75.44.229.2 255.255.255.248
 
 I also have a laptop behind this firewall on the internal network.  Used for browsing etc.
 
 
 # MACROS #
 ext_if=sk0
 int_if=gem0
 
 external_ip=75.44.229.1
 external_net={75.44.229.17 75.44.229.18 75.44.229.19 75.44.229.20}
 
 internal_ip=172.16.10.10
 
 
 webserver_ip=75.44.224.2
 webserver_int=172.16.10.11
 
 
 # OPTIONS #
 set loginterface $ext_if
 set loginterface $int_if
 scrub in
 
 # NAT/REDIRECTS #
 
 nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
 
 rdr pass on $ext_if proto tcp from any to $webserver_ext port 80 -> $webserver_int port 80
 
 
 # FILTERS #
 
 block in log on $ext_if
 
 pass in on $ext_if proto tcp from any to $webserver_ext port 80 keep state
 pass out keep state
 #
 
 
 MY PROBLEM:  Whenever I am on my home network and I try to reach the webserver on my lab network, I don't get anything.  Whenever I try to hit the webserver from my work network or several other networks, I can access the webserver fine.  It's only from my home network that I cannot access the site on my webserver.  Any other sites from the home network work totally fine.
 
 Can you see what's wrong with my configs?
 
 For troubleshooting this issue, I captured traffic on my webserver and saw that requests from my home network DO ARRIVE at the webserver and the webserver duly sends that data back BUT that data never arrives on the home network.
 
 If I try to hit any website from my webserver, I can reach it fine.
 
 This is really weird, I would really appreciate any help.  I have tried almost everything to get this going.
 
 Thanks
 /Parvinder Bhasin



Re: PF issue

2008-07-20 Thread Jason Dixon
On Sun, Jul 20, 2008 at 07:06:39PM -0700, Parvinder Bhasin wrote:
 
 my /etc/hostname.sk0 looks like:
 
 inet 75.44.229.1 255.255.255.248 NONE
 alias 75.44.229.2 255.255.255.248

Unrelated, but use 255.255.255.255 for your alias netmask.
 
 MY PROBLEM:  Whenever I am on my home network and I try to reach the webserver on my lab network, I don't get anything.  Whenever I try to hit the webserver from my work network or several other networks, I can access the webserver fine.  It's only from my home network that I cannot access the site on my webserver.  Any other sites from the home network work totally fine.

http://www.openbsd.org/faq/pf/rdr.html#reflect


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: PF issue

2008-07-20 Thread Srikant Tangirala
Have you tried doing a tcpdump on fxp0
and pflog0 while trying to access the
web server on home firewall? Might give
you clues.

Srikant.



Re: Pf Issue with a large number of Packet

2007-06-07 Thread Léo Goehrs
I think I have another piece of information. As the ping is very small, I
think there are too many packets going on at the same time. Therefore, the
system that checks the states might not receive the packets in the right order
and therefore decide that certain packets arrived too early.

I hope it helps

Regards

Leo
Alionis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lio
Goehrs
Sent: Thursday, 7 June 2007 09:35
To: misc@openbsd.org
Subject: Pf Issue with a large number of Packet

Hi All,

I am sorry to bother the list but I think I may have encountered a bug and I
would like to share it with you guys. I have been using OpenBSD to build
firewalls for a long time, in a solution with VLAN + CARP. When computers in the
protected network download a file over HTTP, everything works for the first
15 MB, then it stops.

When I tcpdump on the external address, I get the following:

08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)

On the internal interfaces, I see nothing related to the host unreachable,
just a Reset after a while from the server.

- If I pfctl -d, everything works
- If I remove all the block statements in the pf.conf, it does not work
- If I rate limit the download to 50 KB/s, then I still get unreachables but
it is able to recover; above that and up to 100 MB, it would fail and the
transfer stall.
- If I create an empty rules file, then it works

Here are the two rules:
# Production firewall to the second firewall
service_granted={domain, ntp, smtp, snmp, http}
block out log on $if_interco all label "Protection vers le Back"
pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"

Please advise

Regards

Lio
Alionis



Re: Pf Issue with a large number of Packet

2007-06-07 Thread Léo Goehrs
Hi All,

Well, I confirm that there is a problem: when the packets arrive too fast
(about 25,000 pkts/s), it is likely that the packets do not arrive in the
right order, and then the system checking the validity of the packet sequence
numbers breaks and blocks legitimate traffic.

Regards

Lio Goehrs




Re: Pf Issue with a large number of Packet

2007-06-07 Thread Stuart Henderson
On 2007/06/07 11:57, Lio Goehrs wrote:
 
 - If I pfctl -d, everything works
 - If I remove all the blocks statement in the pf.conf, it do not work

if you can post dmesg and some relevant 'pass' rules, that might help.



Re: Pf Issue with a large number of Packet

2007-06-07 Thread Léo Goehrs
 if you can post dmesg and some relevant 'pass' rules, that might help.

Sure. So far, I have started my tests and I have far fewer problems now, but I
don't think this solution is a good one. As of version 4.1, the rule "keep state
flags S/SA" is the default.
All my problems went away when I used the following rules:

pass out on $if_prod proto tcp from any to so_prod_ad port {http, https} no state flags any label "Internet vers la prod AD"
pass in  on $if_prod proto tcp from so_prod_ad port {http, https} to any no state flags any label "Reply From AD to the Internet"

If I go with keep state, then when I launch a download at 25 MB/s, it
downloads about 35 MB, then stops, and my log gets full of:

Jun  7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51872 193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840 modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun  7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1   | 5
Jun  7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51876 193.189.125.227:51876 77.72.91.10:80 [lo=941137405 high=941143197 win=5840 modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] 4:2 SA seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun  7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1   | 5
Jun  7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51880 193.189.125.227:51880 77.72.91.10:80 [lo=941037484 high=941043276 win=5840 modulator=0] [lo=2663170100 high=2663175940 win=5792 modulator=0] 4:2 SA seq=2666170841 (2666170841) ack=941037484 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun  7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1   | 5

From my understanding, "State failure on: 1" means the sequence number was too
far ahead, based on the RFC. But today, with adaptive TCP windows, we can
have so many packets going through at the same time.

Leo
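An added example, not from the thread: a small Python parser for the "BAD state" records above that measures how far each SYN-ACK's end sequence lies past the window pf was tracking. Which bracket is the reply side, and the meaning of failure codes 1 and 5 (end beyond seqhi, and beyond seqhi plus a 65535-byte MAXACKWINDOW), are my reading of pf's state check and are assumptions here, not taken from the thread.

```python
import re

MAXACKWINDOW = 65535   # pf's extra tolerance; assumed to match the kernel constant
MOD32 = 1 << 32

# Constructed from the three "BAD state" records posted in the thread, with the
# mail/syslog line wrapping undone so each record is a single string.
SAMPLE_LOG = [
    "pf: BAD state: TCP 193.189.125.227:51872 193.189.125.227:51872 77.72.91.10:80 "
    "[lo=936647122 high=936652914 win=5840 modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] "
    "4:2 SA seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev",
    "pf: BAD state: TCP 193.189.125.227:51876 193.189.125.227:51876 77.72.91.10:80 "
    "[lo=941137405 high=941143197 win=5840 modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] "
    "4:2 SA seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev",
    "pf: BAD state: TCP 193.189.125.227:51880 193.189.125.227:51880 77.72.91.10:80 "
    "[lo=941037484 high=941043276 win=5840 modulator=0] [lo=2663170100 high=2663175940 win=5792 modulator=0] "
    "4:2 SA seq=2666170841 (2666170841) ack=941037484 len=0 ackskew=0 pkts=3:1 dir=in,rev",
]

RECORD_RE = re.compile(
    r"pf: BAD state: TCP .+? "
    r"\[lo=(?P<a_lo>\d+) high=(?P<a_hi>\d+) win=\d+ modulator=\d+\] "
    r"\[lo=(?P<b_lo>\d+) high=(?P<b_hi>\d+) win=\d+ modulator=\d+\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) \(\d+\) ack=\d+ "
    r"len=(?P<length>\d+) ackskew=-?\d+ pkts=\S+ dir=(?P<direction>\S+)"
)

def seq_diff(a, b):
    # Signed 32-bit distance a - b, so sequence numbers near wrap still compare.
    d = (a - b) % MOD32
    return d - MOD32 if d >= MOD32 // 2 else d

def analyse(record):
    # Return how far the packet's end sequence lies past the window pf tracked.
    m = RECORD_RE.search(record)
    if m is None:
        raise ValueError("not a pf BAD state record")
    # Assumption: brackets are the state's source then destination window, and
    # ',rev' marks a reply packet, which is checked against the second bracket.
    reverse = m["direction"].endswith(",rev")
    hi = int(m["b_hi"] if reverse else m["a_hi"])
    end = (int(m["seq"]) + int(m["length"])) % MOD32
    overshoot = seq_diff(end, hi)
    return {
        "flags": m["flags"], "seqhi": hi, "overshoot": overshoot,
        "check1_fail": overshoot > 0,             # end past seqhi ("1")
        "check5_fail": overshoot > MAXACKWINDOW,  # past seqhi + MAXACKWINDOW ("5")
    }
```

Running analyse() over SAMPLE_LOG shows each SYN-ACK ending roughly 3 MB past the tracked seqhi, far beyond the 64 KB tolerance, which is why both checks 1 and 5 fire.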



Re: pf issue with Soekris net4801

2006-07-30 Thread Jason Dixon

On Jul 30, 2006, at 2:59 PM, drkfiber wrote:

I have just used the flashdist script to install OpenBSD 3.9 to a Soekris net4801. Everything works great on it aside from pf. Whenever I try to load a ruleset it errors out with "pfctl: DIOCCLRIFFLAG: Operation not supported by device". I have tried this with my standard ruleset and a simplified "pass in all, pass out all" ruleset. Both of the network interfaces that I have configured function properly and I can ping both the LAN and WAN. If I try to do anything with pf it generates the error listed above, i.e. pfctl -ef /etc/pf.conf, or pfctl -sn. If I run pfctl without any arguments it displays the help for pfctl, so it seems the binary loads O.K. Any ideas?


We can't help until you provide the necessary information (pf.conf and dmesg).


Thanks,


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: pf issue with Soekris net4801

2006-07-30 Thread drkfiber
Thanks. I found the issue. I neglected to copy over the new source for 3.9,
so the kernel I was compiling was actually 3.7.
So userland was 3.9 but the kernel was 3.7.




Re: pf issue - not blocking

2005-09-05 Thread Siju George
On 9/5/05, Dulmandakh Sukhbaatar [EMAIL PROTECTED] wrote:
 I have this rule:
 
 block in log quick on $lan from { 192.168.1.88, 192.168.1.95, 192.168.1.99 } to any label "USER_RULE: blabla"
 pass in quick on $lan from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
 
 192.168.1.95 is being blocked, but the others can use the internet. To me this
 rule looks correct. Any suggestions?
 

are there other *quick* rules that match 192.168.1.88 and 192.168.1.99
before the

block in log quick on $lan from { 192.168.1.88, 192.168.1.95, 192.168.1.99 } to any label "USER_RULE: blabla"

rule???

It is a bit difficult to help without those details.
Please post your

/etc/pf.conf

and

output of

ifconfig -a

etc.

--Siju