Re: PF issue
Thank you guys for your quick responses :) This mailing list (group) is awesome. So last night, I changed my 4.3 OpenBSD gateway to a 4.2 one, slapped on the same pf rules BUT with userland pppoe, and PRESTO, it works like a charm. I could access my webserver in the lab totally fine. I think it could be something to do with MTU size; I will still continue my search and post it to the list once I find something. Again, really appreciate everyone's help on this. Thx a bunch!

On Jul 20, 2008, at 10:01 PM, Srikant Tangirala wrote:
> Have you tried doing a tcpdump on fxp0 and pflog0 while trying to access the web server on home firewall? Might give you clues.
> Srikant.
Re: PF issue
Parvinder Bhasin wrote:
> My home network. Firewall is OpenBSD (4.3). DSL setup with PPPoE (in kernel):
>
> cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
>         pppoedev dc0 authproto pap \
>         authname '[EMAIL PROTECTED]' authkey 'password' up
> !/sbin/route add default
>
> # Here is my /etc/pf.conf for this network (HOME). Very simple: blocking everything and allowing everything to go out from my internal network.
>
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if=dc0
> int_if=fxp0
> loopback=lo0
> pppoe_if=pppoe0
>
> #table <spamd-white> persist
>
> set skip on lo
> set loginterface $ext_if
> set loginterface $int_if
> set loginterface $pppoe_if
> set loginterface $loopback
>
> scrub in all max-mss 1440
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> # nat on $pppoe_if from 172.16.200.0/24 -> $pppoe_if
> nat on $pppoe_if from !($pppoe_if) to any -> ($pppoe_if)
>
> block in log on $pppoe_if
> pass out keep state

If you're able to connect to other stuff other than your webserver, then this is probably not it. But I'd expect a rule like:

pass in on $int_if

Have you tried no filtering at all to see if it works that way? What about accessing your webserver directly from the firewall box?

> Here is my Lab network: setup on a static DSL connection with 5 static IPs. I am using one for webserving: 75.44.224.2.
>
> my /etc/hostname.sk0 looks like:
> inet 75.44.229.1 255.255.255.248 NONE
> alias 75.44.229.2 255.255.255.248
>
> I also have a laptop behind this firewall on the internal network. Used for browsing etc.
>
> # MACROS
> ext_if=sk0
> int_if=gem0
> external_ip=75.44.229.1
> external_net={75.44.229.17 75.44.229.18 75.44.229.19 75.44.229.20}
> internal_ip=172.16.10.10
> webserver_ext=75.44.224.2
> webserver_int=172.16.10.11
>
> # OPTIONS
> set loginterface $ext_if
> set loginterface $int_if
> scrub in
>
> # NAT/REDIRECTS
> nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
> rdr pass on $ext_if proto tcp from any to $webserver_ext port 80 -> $webserver_int port 80
>
> ## FILTERS
> block in log on $ext_if
> pass in on $ext_if proto tcp from any to $webserver_ext port 80 keep state
> pass out keep state
>
> # MY PROBLEM:
> Whenever I am on my home network and I try to reach the webserver on my lab network, I don't get anything. Whenever I try to hit the webserver from my work network or several other networks, I can access the webserver fine. It's only from my home network that I cannot access the site on my webserver. Any other sites from the home network work totally fine. Can you see what's wrong with my configs?
>
> For troubleshooting this issue, I captured traffic on my webserver and saw that requests from my home network DO ARRIVE at the webserver and the webserver duly sends the data back, BUT that data never arrives on the home network. If I try to hit any website from my webserver, I can reach it fine. This is really weird; I would really appreciate any help. I have tried almost everything to get this going.
>
> Thanks
> /Parvinder Bhasin
Re: PF issue
On Sun, Jul 20, 2008 at 07:06:39PM -0700, Parvinder Bhasin wrote:
> my /etc/hostname.sk0 looks like:
> inet 75.44.229.1 255.255.255.248 NONE
> alias 75.44.229.2 255.255.255.248

Unrelated, but use 255.255.255.255 for your alias netmask.

> MY PROBLEM: Whenever I am on my home network and I try to reach webserver on my lab network, I don't get anything. Whenever I try to hit the webserver from my work network or several other networks, I can access the webserver fine. Its only from my home network, I cannot access the site on my webserver. Any other sites from the home network work totally fine.

http://www.openbsd.org/faq/pf/rdr.html#reflect

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: PF issue
Have you tried doing a tcpdump on fxp0 and pflog0 while trying to access the web server on home firewall? Might give you clues. Srikant.
Re: Pf Issue with a large number of Packet
I think I have another piece of information. As the ping is very small, I think there are too many packets going on at the same time. Therefore, the system that checks the states might not receive the packets in the right order and therefore decide that certain packets arrived too early.

I hope it helps.

Regards
Leo Alionis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lio Goehrs
Sent: Thursday 7 June 2007 09:35
To: misc@openbsd.org
Subject: Pf Issue with a large number of Packet

> Hi All,
>
> I am sorry to bother the list, but I think I may have encountered a bug and I would like to share it with you guys.
>
> I have been using OpenBSD to build firewalls for a long time, in a solution with VLAN + CARP. When computers in the protected network download a file over HTTP, everything works for the first 15 MB, then it stops. When I tcpdump on the external address, I get the following:
>
> 08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
> 08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
> 08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
> 08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
> 08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
> 08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
> 08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
> 08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
> 08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
> 08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
> 08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
> 08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)
>
> On the internal interfaces, I see nothing related to the host unreachable, just a Reset after a while from the server.
>
> - If I pfctl -d, everything works
> - If I remove all the block statements in the pf.conf, it does not work
> - If I rate limit the download to 50 kB/s, then I still get unreachables but it is able to recover; above that, and up to 100 MB, it would fail and the transfer stalls.
> - If I create an empty rules file, then it works
>
> Here are the two rules:
>
> # Production firewall to the second firewall
> service_granted={domain, ntp, smtp, snmp, http}
> block out log on $if_interco all label "Protection vers le Back"
> pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"
>
> Please advise
>
> Regards
> Lio Alionis
Re: Pf Issue with a large number of Packet
Hi All,

Well, I confirm that there is a problem: when the packets arrive too fast (about 25 000 pkts/s), it is likely that the packets do not arrive in the right order, and then the system checking the validity of the packet number breaks and blocks legitimate traffic.

Regards
Lio Goehrs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lio Goehrs
Sent: Thursday 7 June 2007 09:35
To: misc@openbsd.org
Subject: Pf Issue with a large number of Packet

[...]
Re: Pf Issue with a large number of Packet
On 2007/06/07 11:57, Lio Goehrs wrote:
> - If I pfctl -d, everything works
> - If I remove all the blocks statement in the pf.conf, it do not work

if you can post dmesg and some relevant 'pass' rules, that might help.
Re: Pf Issue with a large number of Packet
> if you can post dmesg and some relevant 'pass' rules, that might help.

Sure. So far, I have started my tests and I have far fewer problems now, but I don't think the solution is fine. As of version 4.1, the rule option "keep state flags S/SA" is the default. All my problems went away when I used the following rules:

pass out on $if_prod proto tcp from any to <so_prod_ad> port {http, https} no state flags any label "Internet vers la prod AD"
pass in on $if_prod proto tcp from <so_prod_ad> port {http, https} to any no state flags any label "Reply From AD to the Internet"

If I go on with keep state, then, when I launch a download at 25 MB/s, it downloads about 35 MB then stops, and my log gets full of:

Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51872 193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840 modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51876 193.189.125.227:51876 77.72.91.10:80 [lo=941137405 high=941143197 win=5840 modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] 4:2 SA seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51880 193.189.125.227:51880 77.72.91.10:80 [lo=941037484 high=941043276 win=5840 modulator=0] [lo=2663170100 high=2663175940 win=5792 modulator=0] 4:2 SA seq=2666170841 (2666170841) ack=941037484 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5

From my understanding, "State failure on: 1" means the sequence number was too far ahead, based on the RFC. But today, with adaptive TCP windows, we can have so many packets going through at the same time.

Leo
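As an added example (not from this thread), a small Python parser for the "pf: BAD state" lines above: it picks the sender's window out of the state, works out how far past "high" the packet's sequence number is, and maps that to the check numbers pf prints on its "State failure on:" line. The check numbering and the 64 KiB MAXACKWINDOW slack follow pf.c as I recall them and are assumptions, as is treating the window-scale shift (not printed in the log) as zero.

```python
import re

MAXACKWINDOW = 65535  # slack pf.c allows in the loose checks after the '|' (assumed value)

# "pf: BAD state:" as pf prints it with debug=misc: hosts lan gwy ext, then the
# state's two windows [src side] [dst side], then the offending packet's seq/ack/len.
LINE_RE = re.compile(
    r"pf: BAD state: TCP (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<lo0>\d+) high=(?P<hi0>\d+) win=(?P<win0>\d+) modulator=\d+\] "
    r"\[lo=(?P<lo1>\d+) high=(?P<hi1>\d+) win=(?P<win1>\d+) modulator=\d+\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) \(\d+\) ack=(?P<ack>\d+) "
    r"len=(?P<len>\d+) ackskew=(?P<skew>-?\d+) pkts=\d+:\d+ dir=(?:in|out),(?P<rel>fwd|rev)")

# The first BAD state line quoted in the post above, syslog prefix included.
SAMPLE = ("Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51872 "
          "193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840 "
          "modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA "
          "seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev")

def seq_diff(a, b):
    """a - b as a signed 32-bit value, which is what TCP's SEQ_GT/SEQ_GEQ compare."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d & 0x80000000 else d

def analyse(line):
    """Say which of the state's windows a BAD state packet violated, and by how much."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = {k: int(v) if re.fullmatch(r"-?\d+", v) else v for k, v in m.groupdict().items()}
    # A 'rev' packet runs against the direction the state was created in, so its
    # sender is the second bracket and the peer whose lo it should ack is the first.
    s, p = ("1", "0") if g["rel"] == "rev" else ("0", "1")
    end = (g["seq"] + g["len"]) & 0xFFFFFFFF
    ahead = seq_diff(end, g["hi" + s])                                      # data past window
    behind = seq_diff(g["seq"], (g["lo" + s] - g["win" + p]) & 0xFFFFFFFF)  # older than allowed
    # Numbering as in pf's "State failure on:" line (assumed); window scaling
    # is taken as 0 because the shift count is not printed in the log.
    checks = [(1, ahead > 0), (2, behind < 0), (3, g["skew"] < -MAXACKWINDOW),
              (4, g["skew"] > MAXACKWINDOW), (5, ahead > MAXACKWINDOW)]
    return {"flow": f"{g['lan']} -> {g['ext']}", "rel": g["rel"], "flags": g["flags"],
            "bytes_ahead": ahead, "ack_is_peer_lo": g["ack"] == g["lo" + p],
            "reasons": [n for n, hit in checks if hit]}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

For the quoted line this reports the server's SYN/ACK sitting about 2.9 MB beyond the window pf expected, far more than the 64 KiB slack, which is why both check 1 and check 5 fire.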
Re: pf issue with Soekris net4801
On Jul 30, 2006, at 2:59 PM, drkfiber wrote:
> I have just used the flashdist script to install OpenBSD 3.9 to a Soekris net4801. Everything works great on it aside from pf. Whenever I try to load a ruleset it errors out with:
>
> pfctl: DIOCCLRIFFLAG: Operation not supported by device
>
> I have tried this with my standard ruleset and a simplified "pass in all, pass out all" ruleset. Both of the network interfaces that I have configured function properly and I can ping both the LAN and WAN. If I try to do anything with pf it generates the error listed above, i.e. pfctl -ef /etc/pf.conf, or pfctl -sn. If I run pfctl without any arguments it displays the help for pfctl, so it seems the binary loads O.K.
>
> Any Ideas?

We can't help until you provide the necessary information (pf.conf and dmesg).

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: pf issue with Soekris net4801
Thanks. I found the issue. I neglected to copy over the new source for 3.9. So the kernel I was compiling was actually 3.7. So userland was 3.9 but the kernel 3.7.

On 7/30/06, Jason Dixon [EMAIL PROTECTED] wrote:
> On Jul 30, 2006, at 2:59 PM, drkfiber wrote:
> [...]
>
> We can't help until you provide the necessary information (pf.conf and dmesg).
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
Re: pf issue - not blocking
On 9/5/05, Dulmandakh Sukhbaatar [EMAIL PROTECTED] wrote:
> I have this rule:
>
> block in log quick on $lan from { 192.168.1.88, 192.168.1.95, 192.168.1.99 } to any label "USER_RULE: blabla"
> pass in quick on $lan from 192.168.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
>
> 192.168.1.95 is being blocked, but others can use internet. This rule looks correct. Any suggestions?

Are there other *quick* rules that match 192.168.1.88 and 192.168.1.99 before the

block in log quick on $lan from { 192.168.1.88, 192.168.1.95, 192.168.1.99 } to any label "USER_RULE: blabla"

rule??? It is a bit difficult to help without those details. Please post your /etc/pf.conf and the output of ifconfig -a etc.

--Siju