Re: Firewall setup

2024-04-16 Thread Michel von Behr
May I suggest relaying these more basic questions to the @rookies mailing list? I
think it would be great if we could have this channel reactivated,
dedicated to helping folks like Karel learn how to navigate more basic stuff,
and keep misc@ for intermediate / advanced user inquiries.

On Wed, 17 Apr 2024 at 1:30 AM Daniel Ouellet  wrote:


Re: Firewall setup

2024-04-16 Thread Daniel Ouellet



On 4/16/24 10:27 AM, Karel Lucas wrote:
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Hi Karel,

I think you may be missing the point that everyone has tried to explain to 
you. OpenBSD is a mailing list that has very thick skin compared to any 
other. You need to be very rude to offend people here, unless you are 
one who feels you have a right to other people's free time.


You have some VERY knowledgeable people answering you. If I were you I 
would feel lucky for their time, believe me. I have been on this list 
since OpenBSD 2.7. A few decades ago...


Now you say you don't have the network know-how to do this; sure, 
everyone starts somewhere. You say you don't need this in your 
daily job either, and keep asking others to point you at the page in the PF 
book, etc.


Remember they are NOT the ones who need to know, you are, so please make the 
effort. Many will gladly hold your hand IF you show willingness 
to do your share.


Even the site has basic starting examples here:

https://www.openbsd.org/faq/pf/index.html

And some of them may be simple, but they are provided as 
examples to show what's possible. It's up to the reader to start there and go 
where they want to...


Now to the point: you were told to start simple and explain what 
you want to do.


Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

The KISS principle applies!

And you were also asked to explain your setup. NOT what you think it 
should be, or how it is connected, what interface does what, etc.


What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular 
clients, so no email, web or name servers", so no need for a bridge, or 
DMZ, etc.


Also it looks like you use private IPs, so yes, NAT is obviously needed.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible; sure it can. I can have multiple VLANs and 
domain routing, configure a specific IPMI DMZ for my servers' 
configuration, add ssh keys for wireless access with time-based access 
and limits, and kids' restrictions, etc. But I wouldn't do that until I 
get my basic system going and know why.


Maybe I don't have kids, so why do that part of the setup? But maybe I 
have wireless and friends coming over, and they obviously all (maybe) want 
fast internet access on my wireless, but I don't want them to have 
access to ANY of my devices from their phones that might compromise my 
network, so I would have a guest wireless access to the outside world 
ONLY. But if I have no friends, then why would I want that? Etc...


Sure, maybe you have wireless that you want to isolate from other hard-
wired computers, etc. You have a NAS; maybe you want to isolate it from 
wireless, or from some specific computers, kids' access restricted maybe, etc.


But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want 
in it, etc.


Same thing here.

Start small and then go from there.

Why? Doing an incremental setup helps you understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, 
when your pf configuration is clean, you will know where to add it and 
what it does.


It looks to me that if your setup has NO special needs, no hosting services 
that need to be reached from the Internet, then the only thing you need is a 
VERY simple NAT setup on two interfaces, and that's it.


It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1, 
and then 2 for admin, and 3 for NAS, etc.


What is it that you want to do? Go from there.

Define your needs and then address them ONE by ONE.

Fix one, test and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!

You have absolutely NO need for this with what you say so far in any of 
your communications.


Example of thinking.

I see you try to use MANY macros; do you really need that? They are supposed 
to make things simpler to understand and cleaner to read, not more 
complex.


The key to a decent firewall is first to know what it is that you want 
to do, and it looks to me like you still do not know that yet.


I would even say, and have said for many decades, a good firewall NOT only 
stops incoming traffic, but also 

Re: Firewall setup

2024-04-16 Thread Karel Lucas



This is my dmesg, if anyone is interested:


OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "JK4LV105" 
date 08/31/2022

bios0: Default string Default string
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x50013
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT 
SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) 
RP05(S4) PXSX(S4) RP06(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 
2424
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 
2424
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 
2424
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 
2424
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PC00)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 2 (RP05)
acpiprt6 at acpi0: bus 3 (RP06)
acpiprt7 at acpi0: bus 4 (RP07)
acpiprt8 at acpi0: bus 5 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at 

Re: Firewall setup

2024-04-16 Thread Karel Lucas
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Second, the firewall. This is set up as a bridge with the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 
... igc3. Connection igc0 is the input that goes to the ISDN modem, and 
igc1 and igc2 are the two outputs that go to the internal network. These 
two connections are more flexible for the underlying network. This makes 
it possible to connect two different networks, if desired, albeit with 
one and the same IP range (192.168.2.0/24), or two different networks, 
if so configured. So two possibilities (which is best?). So there is no 
need to use two connections at the same time, although this should be 
possible. Finally, connection igc3. This is given the IP address 
192.168.2.252, because it is intended for remote administration, 
including upgrades. This connection will therefore not be part of the 
firewall bridge, and will therefore not appear in pf.conf. The internal 
network consists mainly of regular clients, so no email, web or name 
servers. These clients will work with Linux, macOS, or OpenBSD, but 
not Windows, but there will be a small file server or NAS. This file 
server or NAS is only intended for the clients in the network and has no 
connection to the internet. For now it is important to get ping and 
traceroute working properly, after which work on normal internet traffic 
can be started. What I'm wondering is whether I need NAT for my firewall 
configuration. This is my plan for my firewall. It seems to me that 
there are much more difficult configurations than this one. I hope there 
are still people who are willing to help me.




On 16-04-2024 at 07:24, Peter N. M. Hansteen wrote:

I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.





Re: Firewall setup

2024-04-16 Thread Zé Loff


On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
> 
> On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> > 
> > Are those interfaces configured, as in do they have IP addresses?
> > 
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
> > 
> Output from ifconfig igc0:
> igc0: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc1:
> igc1: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc2:
> igc2: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> 
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
> 
> /etc/hostname.igc0:
> up
> 
> /etc/hostname.igc1:
> up
> 
> /etc/hostname.igc2:
> up
> 

Either Stuart is right, and you are trying to put up some weird
firewall, or Diana is right, and you are way out of your depth and need
to learn some of the basics of IPv4 networking.  Or they are both right.
Either way, Peter is also right: you have been giving us information
piecemeal, and not only does this not help you to solve your problems, it
can be frustrating for the rest of us, because you've (involuntarily)
been wasting our time, chasing the wrong problem.  Your issues seem to
be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into
your machine is often a bad idea.  You need to understand what you are
putting in there, bit by bit.  Otherwise either it will fail immediately
(as in your case) or it will fail later on the first time you try to
tweak it.  And with a firewall being key in network security, you'll
really want to get it right.

There is no harm in not knowing things, no one is born knowing what a
routing table is, we've all had to start somewhere (I hope you don't
find this patronizing, that's really not the point).  And, as you've
just seen, despite this mailing list having a reputation of being
unfriendly, you've got plenty of people willing to help.  There are just
a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1].  For the
networking bits you can also take a look at the respective chapters on
Michael W. Lucas' "Absolute OpenBSD" [2].  Palmer and Nazario's "Secure
architectures with OpenBSD" also helped me a lot with system
administration in general, back in the day.  Others might have other
suggestions, I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e


-- 
 



Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-15 Thread Stuart Henderson
On 2024-04-15, Karel Lucas  wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2 up

bridging with PF is an advanced topic, please get familiar with PF on a standard
routed firewall first



-- 
Please keep replies on the mailing list.



Re: Firewall setup

2024-04-15 Thread Karel Lucas



On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:

On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.


Output from ifconfig igc0:
igc0: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc1:
igc1: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc2:
igc2: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2 up


/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up



Re: Firewall setup

2024-04-15 Thread Karel Lucas
That's a possibility I hadn't thought of yet. But how do I do that, and 
on which page can I find that in your book?


On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:

The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to make an
interface group with both interfaces as members, then use the
interface group name in your rules.




Re: Firewall setup

2024-04-15 Thread Karel Lucas



On 14-04-2024 at 21:57, Jens Kaiser wrote:

Hello Karel,

if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

These have now been resolved, see below.


Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without interfacename, -group or keyword any looks
incorrect. Give it a parameter or remove it.
As far as I can see there are no errors in the ping rules. the key words 
"on", "group" or "any" do not appear there. Moreover, I have copied 
these rules, except the key words "log", exactly from Peter Hansteen's 
book (The book of PF), just like the rules of the martians.


Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. 
Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA


/etc/pf.conf:

ext_if = igc0                   # The interface to the outside world
int_if = "{ igc1, igc2 }"       # The interfaces to the private hosts
# localnet = "192.168.2.0/24"   # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                 0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
> 
> On 14-04-2024 at 17:45, Zé Loff wrote:
> >  pass in on $int_if proto udp to port 53
> >  pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of 
two interfaces, that may well be your problem (or one of them).

The rule syntax is not really intended to deal with a list of interfaces
following 'on'. 

It is likely more useful to treat the two interfaces separately. 

The other option - if your network layout is such that it makes 
sense to treat them to the same rule criteria - would be to make an 
interface group with both interfaces as members, then use the 
interface group name in your rules.


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
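Here is what Peter's interface-group option looks like in practice on OpenBSD 7.x. This is an added example, not code from this thread or from The Book of PF. It assumes igc1 and igc2 are the two inside interfaces and that each carries its own subnet (192.168.2.0/24 and 192.168.3.0/24 are placeholders); the group name "lan" and the service lists are arbitrary choices:

```pf
# /etc/hostname.igc1  (addresses are assumed; pick your own)
inet 192.168.2.1 255.255.255.0
group lan

# /etc/hostname.igc2  (second inside segment, its own subnet)
inet 192.168.3.1 255.255.255.0
group lan

# /etc/pf.conf excerpt
# The rules name the group "lan" once instead of putting a list of
# interfaces after "on". "lan:network" expands, at ruleset load time,
# to the directly attached network of every current member interface.
ext_if = "igc0"
udp_services = "{ domain, ntp }"
tcp_services = "{ domain, ssh, http, https }"

block in on lan
pass in on lan inet proto udp  from lan:network to any port $udp_services
pass in on lan inet proto tcp  from lan:network to any port $tcp_services
pass in on lan inet proto icmp from lan:network icmp-type echoreq
```

`ifconfig lan` lists the current members, `pfctl -nf /etc/pf.conf` parses the file without loading it, and after loading, `pfctl -sr` still shows the rules as `on lan`: membership is checked by the kernel per packet, so an inside interface added to the group later is covered without editing the rules, whereas `lan:network` is only re-expanded when the ruleset is reloaded. OpenBSD also keeps the built-in group `egress` for whichever interface holds the default route, so `ext_if = "egress"` is an option when the outside interface is assigned by DHCP.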



Re: Firewall setup

2024-04-15 Thread Karel Lucas

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification


On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:

On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:

Hi all,

Everything about PF is all very confusing to me at the moment, so any help
is appreciated. So let's start simple and then proceed step by step. I want
to continue with ping so that I can test the connection to the internet.
This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
www.apple.com. As others have stated, I have a problem with using DNS
servers on the internet. The PF ruleset needs to be adjusted for this, but
it is still not clear to me how to do that. What else do I need to get ping
to work correctly? To get started simply, I created a new pf.conf file, see
below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.
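As an added example (not code from this thread or from The Book of PF), here is the plain two-interface routed NAT setup Daniel describes above, which is also the shape in which Peter's `igc1:network` rule loads: `:network` is expanded when the ruleset is parsed, so the interface must already carry an address at that point, which none of the bridge members did. Assumptions: igc0 faces the modem and takes its address by DHCP, igc1 is the only inside interface and holds 192.168.2.1/24, and the client_out service list is illustrative:

```pf
# /etc/hostname.igc0  -- outside; address comes from the modem by DHCP
inet autoconf

# /etc/hostname.igc1  -- inside; the LAN uses 192.168.2.0/24
inet 192.168.2.1 255.255.255.0

# /etc/sysctl.conf  -- a router has to forward between its interfaces
net.inet.ip.forwarding=1

# /etc/pf.conf  -- complete minimal ruleset
ext_if = "igc0"
int_if = "igc1"
client_out = "{ ssh, domain, ntp, http, https }"   # what LAN clients may reach

set skip on lo
match in all scrub (no-df max-mss 1440)

# Rewrite LAN sources to the outside address. The parentheses make pf
# follow the DHCP-assigned address when it changes.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

block in all                 # default deny inbound on every interface

# LAN clients out; the states created here let the replies back in
pass in on $int_if inet proto { tcp, udp } from $int_if:network to any port $client_out
pass in on $int_if inet proto icmp from $int_if:network icmp-type echoreq
pass out all                 # the firewall's own traffic and the forwarded LAN traffic
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the states LAN clients create. Run `sysctl net.inet.ip.forwarding=1` once so forwarding is on before the next reboot reads sysctl.conf. Nothing reaches the LAN from outside unless a matching state exists; a `pass in on $ext_if` rule is only needed once there is a service to expose.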





Re: Firewall setup

2024-04-15 Thread Karel Lucas

They both give a syntax error by booting.

On 14-04-2024 at 17:45, Zé Loff wrote:

 pass in on $int_if proto udp to port 53



 pass in on $int_if proto udp to $nameservers port 53




Re: Firewall setup

2024-04-14 Thread deich...@placebonol.com
I'm a long-time network engineer/firewall admin/make-things-work-on-our-network-
when-it-is-broken person.

First, ICMP Echo Request ( "ping" ) works; you proved that when you sent an 
Echo Request to a host using its IP address.  The fact that DNS host 
resolution fails has nothing to do with ICMP Echo Request.  You WILL want to 
get DNS name resolution working in order to use hostnames, unless you want to 
keep everything in a static hosts file.

In order to create a functioning firewall you need a good understanding of IP, 
TCP/IP ports and protocols.  To see what I'm talking about do an Internet 
search for 5 tuple firewall.

You will need this knowledge for any system using a stateful firewall, not just 
PF.

Others are trying to help you write a functioning PF conf, however I think you 
need to learn how to fish before embarking on a deep sea fishing excursion.

73
diana 



On April 14, 2024 9:09:01 AM MDT, Karel Lucas  wrote:
>Hi all,
>
>Everything about PF is all very confusing to me at the moment, so any help is 
>appreciated. So let's start simple and then proceed step by step. I want to 
>continue with ping so that I can test the connection to the internet. This 
>works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
>www.apple.com. As others have stated, I have a problem with using DNS servers 
>on the internet. The PF ruleset needs to be adjusted for this, but it is still 
>not clear to me how to do that. What else do I need to get ping to work 
>correctly? To get started simply, I created a new pf.conf file, see below.
>
>
>/etc/pf.conf:
>
>ext_if = igc0                              # The interface to the outside world
>int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
>localnet = "192.168.2.0/24"      # Hosts on the screened LAN
>
>tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>udp_services = "{ domain, ntp }"
>email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>icmp_types = "{ echoreq, unreach }"
>icmp6_types = "{ echoreq, unreach }"
>nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                      446, cvspserver, 2628, 5999, 8000, 8080 }"
>martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                    0.0.0.0/8, 240.0.0.0/4 }"
>
># Options:
>set block-policy return
>
>set skip on lo
>
>block log all                # block stateless traffic
>
># Normalize packets:
>match in all scrub ( no-df max-mss 1440 )
>
>block in quick on $ext_if from $martians to any
>block out quick on $ext_if from any to $martians
>
># Letting ping through:
>pass log on inet proto icmp icmp-type $icmp_types
>pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
>pass out all
>
>


Re: Firewall setup

2024-04-14 Thread Sean Kamath



> On Apr 14, 2024, at 08:09, Karel Lucas  wrote:
> 
> Hi all,

Hi.

> So let's start simple and then proceed step by step. I want to continue with 
> ping so that I can test the connection to the internet. This works: ping -c 
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others 
> have stated, I have a problem with using DNS servers on the internet.

Does DNS resolution work without PF being enabled?

If you want to “start simple”, don’t enable PF (or disable it, or use the 
default ruleset that OpenBSD ships with) and make sure everything works.

Sean




Re: Firewall setup

2024-04-14 Thread Jens Kaiser

Hello Karel,

if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without an interface name, group or the keyword any looks
incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with
> pfctl -nf /etc/pf.conf
before loading it. If no errors occur, simply update the ruleset in the
kernel with
> pfctl -f /etc/pf.conf
and test your changes. Keep in mind that reloading the ruleset does not
affect the states of already established connections.

Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

Try to get IPv4 running first. If that goal is reached you have more
experience and can go further adding IPv6, which is different in case of
ICMP. If you don't have a static IPv6 address configuration, then the
rules in your pf.conf are far too restrictive to get an autoconfigured
IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

Am 14.04.2024 um 17:09 schrieb Karel Lucas:

Hi all,

Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: ping -c 10 www.apple.com. As others have stated, I have a problem
with using DNS servers on the internet. The PF ruleset needs to be
adjusted for this, but it is still not clear to me how to do that. What
else do I need to get ping to work correctly? To get started simply, I
created a new pf.conf file, see below.


/etc/pf.conf:

ext_if = igc0                              # The interface to the
outside world
int_if = "{ igc1, igc2 }"                # The interfaces to the private
hosts
localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all






Re: Firewall setup

2024-04-14 Thread Peter N. M. Hansteen
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly? To get started simply, I created a new pf.conf file, see
> below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out 
pass inet proto { tcp, udp } from igc2:network to port $client_out 

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-14 Thread Michael Lambert
There is a typo on the second line of the martians definition (spurious comma 
and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas  wrote:
> 
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help is 
> appreciated. So let's start simple and then proceed step by step. I want to 
> continue with ping so that I can test the connection to the internet. This 
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
> www.apple.com. As others have stated, I have a problem with using DNS servers 
> on the internet. The PF ruleset needs to be adjusted for this, but it is 
> still not clear to me how to do that. What else do I need to get ping to work 
> correctly? To get started simply, I created a new pf.conf file, see below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0  # The interface to the outside 
> world
> int_if = "{ igc1, igc2 }"# The interfaces to the private hosts
> localnet = "192.168.2.0/24"  # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>   446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all# block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 



Re: Firewall setup

2024-04-14 Thread Zé Loff
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top
of your ruleset.  This means that _everything_ needs to be explicitly
allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e.
traffic _to_ UDP port 53) to enter and leave the firewall.  So if a
machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic
to only those two, so you could rewrite the above rule as 

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs
as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said in a reply to your other thread, you will probably need to use
NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then
to the specifics, so I would move "pass out all" next to "block log
all", but it's a matter of taste. 

> To get started simply, I created a new pf.conf file, see
> below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0                              # The interface to the outside
> world
> int_if = "{ igc1, igc2 }"                # The interfaces to the private
> hosts
> localnet = "192.168.2.0/24"      # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all                # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 

-- 
 

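Putting together the points raised in this thread (Michael's stray comma in the martians macro, Jens's note that "on" needs an interface, Peter's point that nportntp is not a service name, and Zé's DNS and NAT rules), here is a corrected version of the posted ruleset. This is an added example, not a configuration anyone on the list posted: the interface names, the two resolver addresses and the ICMP types come from the original post; the trimmed client_out list, the NAT rule and the rule order are assumptions to adapt to your own setup. IPv6 is left out on purpose, as Jens suggested.

```pf
# /etc/pf.conf -- corrected version of the ruleset posted in this thread.
# Added example; only igc0/igc1/igc2, the two resolver addresses and the
# ICMP types come from the original post, the rest is assumed.

ext_if = igc0                                  # interface to the outside world
int_if = "{ igc1, igc2 }"                      # interfaces to the private hosts
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
icmp_types = "{ echoreq, unreach }"

# 'nportntp' is not in /etc/services; ntp is.  'domain' is deliberately
# NOT in this list: the last matching rule wins, so a broad DNS pass here
# would make the $nameservers-only rule further down meaningless.
client_out = "{ ssh, ntp, http, https }"

# The original had "169.254, 0.0/16": the stray comma and space split the
# prefix in two and made pfctl reject the whole file.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo

match in all scrub (no-df max-mss 1440)

# LAN hosts have private addresses; rewrite them to the outside address
# on the way out (same pattern as the OpenBSD PF FAQ router example).
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# Bogon filtering on the outside interface only.
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Default deny, with the general "outbound is fine" rule right next to it.
block log all
pass out all

# What the LAN may initiate.  "in on $int_if" is where LAN traffic enters
# PF; the original "pass log on inet ..." had no interface after "on".
pass in on $int_if inet proto icmp icmp-type $icmp_types
pass in on $int_if inet proto udp to $nameservers port domain
pass in on $int_if inet proto { tcp, udp } to port $client_out
```

Check it with pfctl -nf /etc/pf.conf before loading, then pfctl -f /etc/pf.conf and pfctl -sr to confirm the kernel has what you think it has. Two caveats: the "no IP address found for igc1:network" error Karel reports elsewhere in this thread means igc1 had no address when the ruleset was loaded, since interface:network is expanded at load time (the rules above sidestep it by matching on the interface rather than its network); and because every LAN host is now limited to the two resolvers, each host's resolver configuration has to point at exactly those addresses, as Zé noted.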


Re: Firewall Problems

2023-11-18 Thread Peter N. M. Hansteen
Hi,

Please keep this on the list.

On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between 
> vlans/networks as I’m trying to isolate vlans/networks 6,10,20,30 as well as 
> my admin network which is em2 interface in this case.

Unless you have explicitly excluded interfaces from filtering (set skip on
$interface), "block drop log all" will drop packets that do not match any
pass rules following.

> 2. You also pointed out that ICMPv4 wasn’t getting through. In my case ICMPv6 
> won’t get out either from my internal networks. Literally nothing from 
> internal networks gets out except icmpv4 to gateway, icmp from internal lan 
> to internal lan, icmp from internal lan to firewall itself. Other than that 
> there’s no DNS, HTTP, etc getting out. Would I need additional rules for 
> those explicitly or would I just need a pass out all rule that done a certain 
> way could work?(I have also tried this and it still doesn’t work)?

Please take a look at the resources I pointed to. The tutorial slides will
clear up most of if not all of those questions.

And please keep any followups on the list.

All the best,
Peter

PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/ 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall Problems

2023-11-18 Thread louise9841
Hi John, I have enabled forwarding in my sysctl.conf.

Thank you,
Lewis ingraham 

> On Nov 17, 2023, at 8:52 AM, Lewis Ingraham  wrote:
> 
> 
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to 
> ping outside the firewall and subsequently unable to reach the internet with 
> devices behind the firewall. I tried changing my pf.conf to match the FAQ (as 
> best as i could) and still cant get it to work. I am currently trying to get 
> both IPV4 and IPV6 addresses to my devices. Can anyone tell me what I am 
> doing wrong?
> 
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach internet(use things like 
> pkg_add , etc).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices  on the lan only get IPV4 addresses and not 
> IPV6 in addition.
> 



Re: Firewall Problems

2023-11-17 Thread Peter N. M. Hansteen
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as i could) and still cant get it to work. I am currently
> trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell
> me what I am doing wrong?

You have a number of "block quick" that seem to be already covered by the
seeming default

block drop log all  # block stateless traffic

but the only mention of ICMP (which is what ping uses) in your pf.conf is

pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol neighbradv }

so IPv4 icmp will not be let through at all.

This is covered somewhat extensively in that book I wrote
(https://nostarch.com/pf3) and you should be able to find the relevant
examples in the oft-repeated tutorial at https://home.nuug.no/~peter/pftutorial/

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall Problems

2023-11-17 Thread John Brooks

On 11/17/2023 9:52 AM, Lewis Ingraham wrote:

Hello i am trying to configure OpenBSD as a firewall but I can't get it to
ping outside the firewall and subsequently unable to reach the internet
with devices behind the firewall. I tried changing my pf.conf to match the
FAQ (as best as i could) and still cant get it to work. I am currently
trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell
me what I am doing wrong?

For reference I can do the following:
1. Ping the firewall and connected devices from the inside LAN networks.
2. Use the firewall itself to ping outside and reach internet(use things
like pkg_add , etc).
3. Use devices in my LAN networks to successfully ping the gateway.
4. For some reason my devices  on the lan only get IPV4 addresses and not
IPV6 in addition.


did you enable forwarding?

 # sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0



Re: Firewall won't forward IPv6 traffic

2017-06-30 Thread Stuart Henderson
Is PF blocking anything?

tcpdump -neipflog0 -vv

Are comcast one of those ISPs that only route your prefix if you've
requested it via DHCPv6-PD?



Re: Firewall won't forward IPv6 traffic

2017-06-30 Thread Alarig Le Lay
Hi,

Have you tested your configuration without any firewall?

-- 
alarig


signature.asc
Description: PGP signature


Re: Firewall rules and features

2015-11-10 Thread Stuart Henderson
On 2015-11-10, sven falempin  wrote:
> Ok , I agree, and thank you for the accurate answer.
>
>
> OTOH the server was rejecting all the other requests, (I do not think it
> was badly configured)
> and it ended up rejecting the good ones also (after a long time of use)
> I first looked in the nsd manpages to see if I could figure out why and found nothing
> ( a log like "I reject packet because ..." )
> I tried verbosity: 2, ratelimit: 1024 ( but nsd wasn't up to date - NSD
> version 3.2.5 )
> I wanted to have a workaround, of course there is another authoritative to
> answer,
> therefore I ended up filtering content.
>

Sounds like you should first update, then if the problem persists work on
tracking down the problem you see with NSD. Or outsource it (maybe run your
server as a "hidden master" and use a DNS provider that will secondary from
you, http://efball.com/dns/ lists free-of-charge ones).

> If i run authoritative server can i filter to answer to only certain IP
> addresses ?
> Like a list of public/root DNS ?

You are missing some knowledge of how DNS works. The root servers don't
send queries, they answer them. There is no such list of addresses (and it
wouldn't help anyway - lots of queries from different places for various
"random".whatever.com will still give you problems).

> My next step was to look at dnssec, which would be nice to have anyway.

That is not going to make this any better.

> On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland 
> wrote:
>
>> > with iptables i was able to add
>> > <-m string --hex-string whatever|03|com>
>> > in the  rules.
>> >
>> > So i only accept DNS request that matters to me.

L7 filtering to remove DNS attack traffic can be useful, but mostly
where it's done it is to carefully remove specific packets (e.g. if you
have a bunch of spoofed queries trying to use you as a bouncer/amplifier
and you can identify them from certain bits in the query)

>> > Is there a way ? (something simpler than diverting to a
>> > sort of grep -v ).
>>
>> I'd call that a wrong way to do it, definitely.
>>
>> If your name server is configured properly, it should be ignoring domain
>> requests it isn't authoritative for.  Not a problem.

It should be returning REFUSED rather than just ignoring so it is still
sending out packets (possibly to an unwitting victim). It can be a problem
on the dns server or firewall too, e.g. if it fills PF state table.

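As an added example, not something anyone posted in this thread, of what PF can and cannot do for the NSD case: it cannot tell a legitimate query from a spoofed one (that is NSD's job, as Nick says), but it can keep a query flood from filling the firewall's state table, which is the failure Stuart mentions, and it can cap what a single source may hold open over TCP. The $ns address, the <abusers> table name and the limits are assumptions; egress is OpenBSD's interface group for the default-route interface.

```pf
# pf.conf fragment for a host running an authoritative name server.
# Added example; 203.0.113.53 and the limits are assumed values.

ns = "203.0.113.53"

# Sources that tripped the TCP limits below are dropped on their next
# packet.  This rule comes first because the UDP rules below are "quick".
table <abusers> persist
block in quick on egress from <abusers>

# Every UDP query would otherwise create a state entry, so a spoofed
# flood fills the state table.  Authoritative UDP answers are single
# datagrams: pass both directions statelessly and create no state at all.
# With "no state" the reply direction must be passed explicitly.
pass in  quick on egress inet proto udp from any to $ns port domain no state
pass out quick on egress inet proto udp from $ns port domain to any no state

# TCP (zone transfers, truncated answers) keeps state, but one source may
# hold at most 10 connections and open at most 30 in 10 seconds.  Beyond
# that it is added to <abusers> and all of its existing states are killed.
pass in on egress inet proto tcp from any to $ns port domain \
    keep state (max-src-conn 10, max-src-conn-rate 30/10, \
                overload <abusers> flush global)
```

Note that none of this filters on query content: NSD still sees every packet and answers REFUSED for zones it does not serve, which is the behaviour Stuart describes. For a recursive resolver the "from any" in the UDP rule would be replaced by the prefixes you manage, which is the case where Nick says PF can help. Inspect the table with pfctl -t abusers -T show and clear it with pfctl -t abusers -T flush.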


Re: Firewall rules and features

2015-11-09 Thread sven falempin
Thank you Pedro for

http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/dnsfilter-0.4p0.tgz

I am not sure this is as good as it could be, according to the mail there
is room for improvement.

Worth a test, and it's better to improve than to add up yet another small
program;
I wonder how good libdns is compared to others.

Best regards,

On Mon, Nov 9, 2015 at 6:38 PM, Pedro Caetano 
wrote:

> Hi,
>
> I guess one could use pf's divert-to and dnsfilter.
>
> http://marc.info/?l=openbsd-misc=134187877220567=2
>
> Regards,
> Pedro Caetano
>
> On Mon, Nov 9, 2015 at 9:45 PM, sven falempin 
> wrote:
>
>> For the first time ever I did something with iptables
>> that I don't know how to do (simply) with
>> pf.
>> Something I think is useful.
>>
>> I have a domain server, nsd, it serves whatever.com,
>> the server is like flooded with requests for no reason,
>>
>> with iptables I was able to add
>> <-m string --hex-string whatever|03|com>
>> in the  rules.
>>
>> So I only accept DNS requests that matter to me.
>>
>> Is there a way ? (something simpler than diverting to a
>> sort of grep -v ).
>>
>> Would it be a cool feature ? or because it's a protocol shall
>> it be done inside relayd ?
>>
>> Best regards.
>>
>> --
>>
>> -
>> () ascii ribbon campaign - against html e-mail
>> /\
>>
>>
>


-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Firewall rules and features

2015-11-09 Thread Nick Holland
On 11/09/15 16:45, sven falempin wrote:
> For the first time ever I did something with iptables
> that I don't know how to do (simply) with
> pf.
> Something I think is useful.
> 
> I have a domain server, nsd, it serves whatever.com,

Authoritative server, then.

> the server is like flooded with requests for no reason,

Welcome to the Internet.  It happens.

> with iptables i was able to add
> <-m string --hex-string whatever|03|com>
> in the  rules.
> 
> So I only accept DNS requests that matter to me.
> 
> Is there a way ? (something simpler than diverting to a
> sort of grep -v ).

I'd call that a wrong way to do it, definitely.

If your name server is configured properly, it should be ignoring domain
requests it isn't authoritative for.  Not a problem.  If you are running
a resolver, it should be resolving only for the IP addresses you manage
(here PF can help you, but the resolver can deal with that, too).

> Would it be a cool feature ? or because it's a protocol shall
> it be done inside relayd ?

No.  String and pattern matching in the kernel is not a really good
plan.  And if you are doing it in an application outside of the kernel,
why not just do it in NSD and be done with it?

Nor is this solving a problem.  Let NSD do its job correctly, and it
will just ignore those queries.  DNS queries are really small, and
authoritative servers put very little load on the processor.  The query
is going to get received, looked at, and either responded to or
dropped...adding extra layers here to change who receives and processes
the query isn't helping anything.  In fact -- assuming NSD is fairly
efficient (I think it is), what I propose is this:
Packet comes in (kernel)
Packet is compared against domains served (NSD)
Response or drop  (NSD)

What you propose is this:
Packet comes in (kernel)
packet is compared against domains served (filter)
drop ... OR ->
packet is compared against domains served (AGAIN!) (NSD)
response (NSD)

I don't think you win anything here by duplicating a step.

OR if you want to be nasty, set up a full resolver that returns the IP
of some really nasty, rude or inappropriate site for ALL queries except
the ones it should be answering for.  (actually, I don't recommend
doing this, but it made me grin to think about it.  "Why do I keep
ending up on the My Little Pony website??").  Again, just because you
CAN do something doesn't make it a good idea.

Nick.



Re: Firewall rules and features

2015-11-09 Thread sven falempin
Ok , I agree, and thank you for the accurate answer.


OTOH the server was rejecting all the other requests, (I do not think it
was badly configured)
and it ended up rejecting the good ones also (after a long time of use)
I first looked in the nsd manpages to see if I could figure out why and found nothing
( a log like "I reject packet because ..." )
I tried verbosity: 2, ratelimit: 1024 ( but nsd wasn't up to date - NSD
version 3.2.5 )
I wanted to have a workaround, of course there is another authoritative to
answer,
therefore I ended up filtering content.


If I run an authoritative server can I filter to answer only certain IP
addresses ?
Like a list of public/root DNS ?

My next step was to look at dnssec, which would be nice to have anyway.


On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland 
wrote:

> On 11/09/15 16:45, sven falempin wrote:
> > For the first time ever I did something with iptables
> > that I don't know how to do (simply) with
> > pf.
> > Something I think is useful.
> >
> > I have a domain server, nsd, it serves whatever.com,
>
> Authoritative server, then.
>
> > the server is like flooded with requests for no reason,
>
> Welcome to the Internet.  It happens.
>
> > with iptables i was able to add
> > <-m string --hex-string whatever|03|com>
> > in the  rules.
> >
> > So I only accept DNS requests that matter to me.
> >
> > Is there a way ? (something simpler than diverting to a
> > sort of grep -v ).
>
> I'd call that a wrong way to do it, definitely.
>
> If your name server is configured properly, it should be ignoring domain
> requests it isn't authoritative for.  Not a problem.  If you are running
> a resolver, it should be resolving only for the IP addresses you manage
> (here PF can help you, but the resolver can deal with that, too).
>
> > Would it be a cool feature ? or because it's a protocol shall
> > it be done inside relayd ?
>
> No.  String and pattern matching in the kernel is not a really good
> plan.  And if you are doing it in an application outside of the kernel,
> why not just do it in NSD and be done with it?
>
> Nor is this solving a problem.  Let NSD do its job correctly, and it
> will just ignore those queries.  DNS queries are really small, and
> authoritative servers put very little load on the processor.  The query
> is going to get received, looked at, and either responded to or
> dropped...adding extra layers here to change who receives and processes
> the query isn't helping anything.  In fact -- assuming NSD is fairly
> efficient (I think it is), what I propose is this:
> Packet comes in (kernel)
> Packet is compared against domains served (NSD)
> Response or drop  (NSD)
>
> What you propose is this:
> Packet comes in (kernel)
> packet is compared against domains served (filter)
> drop ... OR ->
> packet is compared against domains served (AGAIN!) (NSD)
> response (NSD)
>
> I don't think you win anything here by duplicating a step.
>
> OR if you want to be nasty, set up a full resolver that returns the IP
> of some really nasty, rude or inappropriate site for ALL queries except
> the ones it should be answering for.  (actually, I don't recommend
> doing this, but it made me grin to think about it.  "Why do I keep
> ending up on the My Little Pony website??").  Again, just because you
> CAN do something doesn't make it a good idea.
>
> Nick.
>
>


-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Firewall rules and features

2015-11-09 Thread Pedro Caetano
Hi,

I guess one could use pf's divert-to and dnsfilter.

http://marc.info/?l=openbsd-misc=134187877220567=2

Regards,
Pedro Caetano

On Mon, Nov 9, 2015 at 9:45 PM, sven falempin 
wrote:

> For the first time ever I did something with iptables
> that I don't know how to do (simply) with
> pf.
> Something I think is useful.
>
> I have a domain server, nsd, it serves whatever.com,
> the server is like flooded with requests for no reason,
>
> with iptables I was able to add
> <-m string --hex-string whatever|03|com>
> in the  rules.
>
> So I only accept DNS requests that matter to me.
>
> Is there a way ? (something simpler than diverting to a
> sort of grep -v ).
>
> Would it be a cool feature ? or because it's a protocol shall
> it be done inside relayd ?
>
> Best regards.
>
> --
>
> -
> () ascii ribbon campaign - against html e-mail
> /\



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Christian Weisgerber
On 2015-07-27, Quartz qua...@sneakertech.com wrote:

 Some years ago I remember reading that when using OpenBSD (or any OS, 
 really) as a router+firewall it was considered inadvisable from a 
 security standpoint to have the different networks all attached to a 
 single network card with multiple ethernet ports. The thinking being 
 that it was theoretically possible for an attacker to exploit bugs in 
 the card's chip to short circuit the path and route packets directly 
 across the card in a way pf can't control. It was also suggested that in 
 addition to using different physical cards, the cards should really use 
 different chipsets too, in case an unknown driver bug allows a short 
 circuit.

Those are not realistic concerns.

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

>> turning out rather difficult to find a case that's small enough to fit. I'd
>> really like to use an itx system with multiple onboard ethernet jacks and
>> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure


> A Lanner FW7525 or even an Alix APU don't seem to be much larger...


They're not, but they also lack a bunch of features we need.

This is a little off-topic, but I should clarify that although this 
device's primary purpose is a firewall+router, it also has to provide a 
handful of other network related services that set a few requirements 
vis a vis hardware. Pre-fab appliance type devices always seem to fail 
at least one of these requirements. They also don't address the separate 
NICs issue, so if it turns out that that's not a problem anyway, a 
mini-itx board would be a much better choice for our situation.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote:
 Some years ago I remember reading that when using OpenBSD (or any OS,
 really) as a router+firewall it was considered inadvisable from a security
 standpoint to have the different networks all attached to a single network
 card with multiple ethernet ports. The thinking being that it was
 theoretically possible for an attacker to exploit bugs in the card's chip to
 short circuit the path and route packets directly across the card in a way
 pf can't control. It was also suggested that in addition to using different
 physical cards, the cards should really use different chipsets too, in case
 an unknown driver bug allows a short circuit.

 I swear I read this somewhere on the website, but I can't seem to find it
 now and I'm wondering if the concept is even still valid. The impetus here
 is that I'm building a router+firewall for a cramped location and it's
 turning out rather difficult to find a case that's small enough to fit. I'd
 really like to use an itx system with multiple onboard ethernet jacks and
 cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
 if that's a good idea, security wise. Any thoughts?



It is certainly possible theoretically but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC; CARP and other similar technologies get in the way if
used); the attacker would first have to acquire this information through
other means.

-Kimmo



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Martin Schröder
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com:
 turning out rather difficult to find a case that's small enough to fit. I'd
 really like to use an itx system with multiple onboard ethernet jacks and
 cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure

A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Best
   Martin



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Raul Miller
Though, of course, if you have been actively developing your system,
or if you have already been subject to other root attempts, a root
attempt runs a significant risk of crashing it.

(And if you have been developing a lot, there's a decent chance you'll
have already crashed it so many times that you will not be able to
distinguish the root attempt from your own work. Or, maybe you will -
it depends on the nature of the update.)

-- 
Raul



On Mon, Jul 27, 2015 at 9:52 AM, Joseph Crivello
josephcrive...@gmail.com wrote:
 If someone successfully attacks the firmware on any of your network cards, 
 you are screwed no matter what. Any modern network card is going to have the 
 ability to issue DMAs and can easily root your entire system.



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber
na...@mips.inka.de wrote:
 On 2015-07-27, Quartz qua...@sneakertech.com wrote:

 Some years ago I remember reading that when using OpenBSD (or any OS,
 really) as a router+firewall it was considered inadvisable from a
 security standpoint to have the different networks all attached to a
 single network card with multiple ethernet ports. The thinking being
 that it was theoretically possible for an attacker to exploit bugs in
 the card's chip to short circuit the path and route packets directly
 across the card in a way pf can't control. It was also suggested that in
 addition to using different physical cards, the cards should really use
 different chipsets too, in case an unknown driver bug allows a short
 circuit.

 Those are not realistic concerns.

Intel 82574L packet of death comes to mind as one example of a bug in
the EEPROM that allowed an attacker to bring down an interface:

http://blog.krisk.org/2013/02/packets-of-death.html

These days you have bypass features in hardware that allow packets
to flow from one interface to another even if the firewall is turned
off. Who knows what other bugs in such functionality will be
discovered in the future?

Having said that, just throwing random chipsets into the mix is
probably not the right solution. You may actually be increasing your
attack surface. If this is a real concern for you, I think multiple
firewalls, one behind the other (and using different chipsets, if you
really want to), is a better way to go.



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

It is certainly possible theoretically but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC; CARP and other similar technologies get in the way if
used); the attacker would first have to acquire this information through
other means.


Well, I'm not convinced that needing to identify the card first is 
really a requirement; I feel it's more likely an attacker using these 
techniques would just blast out a bunch of probes and figure it out 
based on what bounces back, a similar concept to port knocking.


I wish I could find/remember where on openbsd.org this was mentioned and 
use the wayback machine or something, because it seemed like whoever 
wrote about it knew what they were talking about.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Joseph Crivello
If someone successfully attacks the firmware on any of your network cards, you 
are screwed no matter what. Any modern network card is going to have the 
ability to issue DMAs and can easily root your entire system.



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

These days you have bypass features in hardware that allow packets
to flow from one interface to another even if the firewall is turned
off.


Can you elaborate on this?

Also, that brings up another point wrt motherboards with multiple jacks; 
are BIOS attacks something to worry about?




Having said that, just throwing random chipsets into the mix is
probably not the right solution. You may actually be increasing your
attack surface.


That's always a possibility yes.



If this is a real concern for you,


The thing is I don't really know if this should be a realistic concern, 
that's why I'm asking. A motherboard with multiple ports would certainly 
be more convenient, but it's not worth it if it would compromise security.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Stuart Henderson
On 2015-07-27, Quartz qua...@sneakertech.com wrote:
 This is a little off-topic, but I should clarify that although this 
 device's primary purpose is a firewall+router, it also has to provide a 
 handful of other network related services that set a few requirements 
 vis a vis hardware.

Depends what they are, but those other services are far more likely to
be a problem than a multiport NIC.



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Giancarlo Razzolini
Em 27-07-2015 09:13, Kimmo Paasiala escreveu:
 It's next to impossible to identify the make and
 model of the NIC that holds an IP address
With IPv6 and poor configuration, a remote attacker already has that
information. MAC addresses reveal a lot of information about a NIC.

Cheers,
Giancarlo Razzolini
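
Giancarlo's point can be checked on your own hosts rather than argued about. The script below is an added example for this archive, not code from the thread or from OpenBSD: it decodes the modified EUI-64 interface identifier defined in RFC 4291 Appendix A and reports which of a host's IPv6 addresses embed the NIC's MAC (and therefore its OUI, i.e. the vendor). The address list is constructed for the example; the first two entries embed the em0 MAC that appears in the netstat output further down this page, the other two are made up.

```python
import ipaddress

# Constructed sample: addresses as one might read them off `ifconfig` on
# a host behind the firewall.  The first two embed the em0 MAC quoted
# elsewhere on this page (00:25:90:a6:08:52); the other two are made up.
SAMPLE_ADDRESSES = [
    "fe80::225:90ff:fea6:852",            # SLAAC link-local, MAC-derived
    "2001:db8:1::225:90ff:fea6:852",      # same interface id on a global prefix
    "2001:db8:1::7a3c:2f1e:9b80:44d1",    # RFC 4941 temporary address (random iid)
    "2001:db8:1::1",                      # manually assigned
]


def eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface identifier
    (RFC 4291 Appendix A), or None if the identifier is not built that way."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface id
    if iid[3:5] != b"\xff\xfe":        # the 0xFFFE filler inserted mid-MAC
        return None
    first = iid[0] ^ 0x02              # modified EUI-64 inverts the U/L bit
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def mac_leaking_addresses(addrs):
    """{address: embedded MAC} for every address whose interface id is a MAC."""
    leaks = {}
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            leaks[a] = mac
    return leaks


if __name__ == "__main__":
    for addr, mac in mac_leaking_addresses(SAMPLE_ADDRESSES).items():
        print(f"{addr} embeds MAC {mac}")
```

A random interface identifier can contain 0xFFFE at that position by chance (one in 65536), so treat a hit as "looks MAC-derived" and confirm against the interface's real address. The fix for a host that shows up here is to use temporary addresses (RFC 4941) or stable but opaque identifiers (RFC 7217) instead of MAC-derived SLAAC addresses; a MAC-derived identifier also lets the same host be recognised across different prefixes.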



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 11:10 AM, Quartz qua...@sneakertech.com wrote:
 These days you have bypass features in hardware that allow packets
 to flow from one interface to another even if the firewall is turned
 off.

 Can you elaborate on this?

Search for "intel nic bypass mode" and you'll find lots of details.
It's an increasingly common feature in server network adapters. If the
host OS is down, the NIC continues forwarding packets between two
ports without any processing. Some older implementations used a
physical jumper to enable or disable this feature. Now it's all done
in software and can even be configured remotely. For example:

http://www.lannerinc.com/applications/product-features/lan-bypass



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Chris Cappuccio
Joseph Crivello [josephcrive...@gmail.com] wrote:
 If someone successfully attacks the firmware on any of your network cards, 
 you are screwed no matter what. Any modern network card is going to have the 
 ability to issue DMAs and can easily root your entire system.

If you are running OpenBSD or Bitrig and you have VT-d enabled, someone is 
working on bringing iommu functionality to both OSes right now. This can 
prevent runaway DMA. Kinda cool, ya know!



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Joel Rees
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello
josephcrive...@gmail.com wrote:
 If someone successfully attacks the firmware on any of your network cards, 
 you are screwed no matter what. Any modern network card is going to have the 
 ability to issue DMAs and can easily root your entire system.


(Somewhat of a rhetorical question, but ...) How hard would it be to
design and assemble one's own NIC, and use said design to construct
one's own switch?

(I daydream too much. Right now I'm daydreaming of a switch-on-a-card.
It's been a while since I've seen such things advertised, but maybe
I'm not looking in the right places nowadays.)

-- 
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html



Re: Firewall: Where is the bottleneck?

2014-11-10 Thread Patrick
Hi Hrvoje,

netstat -i shows nothing special.

Name    Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs Colls
lo0     33152 Link                           91235     0    91235     0     0
lo0     33152 localhost/1 localhost          91235     0    91235     0     0
lo0     33152 fe80::%lo0/ fe80::1%lo0        91235     0    91235     0     0
lo0     33152 localhost   localhost          91235     0    91235     0     0
em0     1500  Link        00:25:90:a6:08:52 16371757334772 297519394073 0 0
em0     1500  megagw06a.o megagw06a.ohb-sys 16371757334772 297519394073 0 0
em0     1500  fe80::%em0/ fe80::225:90ff:fe 16371757334772 297519394073 0 0
em1     1500  Link        00:25:90:a6:08:53 297512809627   489 163342615216 0 0
em1     1500  10.242.13/2 10.242.13.1       297512809627   489 163342615216 0 0
em1     1500  fe80::%em1/ fe80::225:90ff:fe 297512809627   489 163342615216 0 0
em2*    1500  Link        00:25:90:a6:08:54      0     0        0     0     0
em3*    1500  Link        00:25:90:a6:08:55      0     0        0     0     0
enc0*   0     Link                               0     0        0     0     0
pflog0  33152 Link                               0     0 146527095     0     0

I will try to have a maintenance window for the upgrade.

Thanks for the help,
Patrick

Am 04.11.2014 um 23:22 schrieb Hrvoje Popovski hrv...@srce.hr:

 out of curiosity, could you post netstat -i
 
 if you can, why don't you upgrade bios and install openbsd 5.6



Re: Firewall: Where is the bottleneck?

2014-11-04 Thread jummo4

Hi Remi,

Thanks for your answer.

netstat -m is OK, see:

203 mbufs in use:
193 mbufs allocated to data
2 mbufs allocated to packet headers
8 mbufs allocated to socket names and addresses
190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
1680 Kbytes allocated to network (25% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

sysctl net.inet.ip.ifq.drops has been at 104 for two days.

This drives me crazy. I have also made a packet dump with tcpdump to look for 
any problems there. But nothing: no retransmissions or bad packets, only a 
lot of TCP packets from VNC connections.


Best Regards,
Patrick

On Wed, 29 Oct 2014, Remi Locherer wrote:


On Tue, Oct 28, 2014 at 10:13:54PM +0100, jum...@yahoo.de wrote:

Hi Andy,

sorry for the delay, but a lot of more important work was between your mail
and this answer ;).


You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)


With PRIQ I mean the scheduler priq instead of cbq.

Relevant lines of my current pf.conf rule set.

pf.conf
...
altq on em0 priq bandwidth 1000Mb queue { std_em0, tcp_ack_em0 }
queue std_em0 priq(default)
queue tcp_ack_em0 priority 6

altq on em1 priq bandwidth 1000Mb queue { std_em1, tcp_ack_em1 }
queue std_em1 priq(default)
queue tcp_ack_em1 priority 6

match em0 on em0 inet proto tcp from any to any queue(std_em0, tcp_ack_em0)
match em0 on em1 inet proto tcp from any to any queue(std_em1, tcp_ack_em1)
...
/pf.conf

I have read The Book of PF 2nd, but there is nothing about troubleshooting.
What should I do to find the problem?

I have made some notes for troubleshooting purpose:

top - Interrupts - High CPU or network interfaces = Hardware limit
systat - Interrupts on CPU and network cards = Hardware limit
bwm-ng - Bandwidth near the theoretical limit = Hardware limit
pfctl -si - Look for current states, default limit to 1. The memory
counter shows failed allocation of memory for states. If this number is high
and increases further = Set limit for states (pfctl -sm - shows States
Limit)
sysctl kern.netlivelocks - High number means something like two processes
block each other = Hardware limit

No problem can be found with the above steps:


Two more things you can check:

# netstat -m
If peak is close to or equal to max raise kern.maxclusters with sysctl.

# sysctl net.inet.ip.ifq.drops
If this counter goes up try to increase net.inet.ip.ifq.maxlen with
sysctl. It defines how many packets can be queued in the ip input queue
before further packets are dropped.

Remi


- prioritize TCP-ACK for tcp traffic

Best Regards,
Patrick


On Thu, 9 Oct 2014, Andy wrote:


Hi,

Just so I understand what you have done, PRIQ is not the same as queuing.

You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different
types/profiles of traffic on your network.
For example you might have some big file transfers going on which can be
delayed and can have a high latency but high throughput, alongside your
control/real-time protocols which need low latency etc.
Generally in this situation just using prio won't always be enough and
your file transfers will still swamp your interactive SSH or VNC
connections etc.

So we do something like this;

altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
  oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare
4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
_wan_web, _wan_dflt, _wan_bulk }
  oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50
hfsc(realtime(20%, 5000, 10%), linkshare 20%)
  oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100
hfsc(realtime 5%, linkshare 10%)
  oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100
hfsc(realtime(15%, 2000, 5%), linkshare 10%)
  oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300
hfsc(realtime(15%, 2000, 5%), linkshare 30%)
  oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300
hfsc(realtime(10%, 3000, 5%), linkshare 10%)
  oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit
100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
  oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100
hfsc(linkshare 5%, upperlimit 30%, ecn, red)

altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
  oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare
4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
_wan_web, _wan_dflt, 

Re: Firewall: Where is the bottleneck?

2014-11-04 Thread Hrvoje Popovski
On 4.11.2014. 21:48, jum...@yahoo.de wrote:
 Hi Remi,
 
 Thanks for your answer.
 
 netstat -m is OK, see:
 
 203 mbufs in use:
 193 mbufs allocated to data
 2 mbufs allocated to packet headers
 8 mbufs allocated to socket names and addresses
 190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
 1680 Kbytes allocated to network (25% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines
 
 sysctl net.inet.ip.ifq.drops has been at 104 for two days.
 
 This drives me crazy. I have also made a packet dump with tcpdump to look for
 any problems there. But nothing: no retransmissions or bad packets, only a
 lot of TCP packets from VNC connections.
 
 Best Regards,
 Patrick
 

out of curiosity, could you post netstat -i

if you can, why don't you upgrade bios and install openbsd 5.6



Re: Firewall: Where is the bottleneck?

2014-10-29 Thread Remi Locherer
On Tue, Oct 28, 2014 at 10:13:54PM +0100, jum...@yahoo.de wrote:
 Hi Andy,
 
 sorry for the delay, but a lot of more important work was between your mail
 and this answer ;).
 
 You can set a simple prio on a rule like;
 pass proto tcp from $left to $right set prio (1,4)
 
 With PRIQ I mean the scheduler priq instead of cbq.
 
 Relevant lines of my current pf.conf rule set.
 
 pf.conf
 ...
 altq on em0 priq bandwidth 1000Mb queue { std_em0, tcp_ack_em0 }
 queue std_em0 priq(default)
 queue tcp_ack_em0 priority 6
 
 altq on em1 priq bandwidth 1000Mb queue { std_em1, tcp_ack_em1 }
 queue std_em1 priq(default)
 queue tcp_ack_em1 priority 6
 
 match em0 on em0 inet proto tcp from any to any queue(std_em0, tcp_ack_em0)
 match em0 on em1 inet proto tcp from any to any queue(std_em1, tcp_ack_em1)
 ...
 /pf.conf
 
 I have read The Book of PF 2nd, but there is nothing about troubleshooting.
 What should I do to find the problem?
 
 I have made some notes for troubleshooting purpose:
 
 top - Interrupts - High CPU or network interfaces = Hardware limit
 systat - Interrupts on CPU and network cards = Hardware limit
 bwm-ng - Bandwidth near the theoretical limit = Hardware limit
 pfctl -si - Look for current states, default limit to 1. The memory
 counter shows failed allocation of memory for states. If this number is high
 and increases further = Set limit for states (pfctl -sm - shows States
 Limit)
 sysctl kern.netlivelocks - High number means something like two processes
 block each other = Hardware limit
 
 No problem can be found with the above steps:

Two more things you can check:

# netstat -m
If peak is close to or equal to max raise kern.maxclusters with sysctl.

# sysctl net.inet.ip.ifq.drops
If this counter goes up try to increase net.inet.ip.ifq.maxlen with
sysctl. It defines how many packets can be queued in the ip input queue
before further packets are dropped.

Remi

 - prioritize TCP-ACK for tcp traffic
 
 Best Regards,
 Patrick
 
 
 On Thu, 9 Oct 2014, Andy wrote:
 
 Hi,
 
 Just so I understand what you have done, PRIQ is not the same as queuing.
 
 You can set a simple prio on a rule like;
 pass proto tcp from $left to $right set prio (1,4)
 
 But this doesn't manage the situations where you have lots of different
 types/profiles of traffic on your network.
 For example you might have some big file transfers going on which can be
 delayed and can have a high latency but high throughput, alongside your
 control/real-time protocols which need low latency etc.
 Generally in this situation just using prio won't always be enough and
 your file transfers will still swamp your interactive SSH or VNC
 connections etc.
 
 So we do something like this;
 
 altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare
 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
 _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50
 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100
 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100
 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300
 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300
 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit
 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100
 hfsc(linkshare 5%, upperlimit 30%, ecn, red)
 
 altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare
 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
 _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50
 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100
 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100
 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300
 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300
 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit
 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 100
 hfsc(linkshare 5%, upperlimit 30%, ecn, red)
 
 pass quick proto { tcp, udp } from { (vlan1:network) } to {
 (vlan234:network) } port { 4569, 5060, 
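
Remi's two checks can be scripted so they are evaluated the same way every time. The following is an added example, not code from Remi, Patrick or OpenBSD: it parses the cluster lines of `netstat -m` for any pool whose peak has approached its max (the signal to raise kern.maxclusters), picks up the "requests for memory denied" line, and treats net.inet.ip.ifq.drops as what it is, a counter since boot, so that only a rising series of readings counts (the signal to raise net.inet.ip.ifq.maxlen). Both sample outputs are constructed: the first reuses the figures Patrick posted, the second is invented to show what an exhausted pool looks like.

```python
import re
import sys

# Constructed samples.  NETSTAT_M_OK mirrors the figures posted in the thread
# (peak 658 of 6144 clusters, nothing denied); NETSTAT_M_BAD is invented to
# show a 2048-byte pool that has hit its ceiling and failed allocations.
NETSTAT_M_OK = """\
203 mbufs in use:
        193 mbufs allocated to data
        2 mbufs allocated to packet headers
        8 mbufs allocated to socket names and addresses
190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
1680 Kbytes allocated to network (25% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

NETSTAT_M_BAD = """\
6203 mbufs in use:
6100/6144/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
12300 Kbytes allocated to network (99% in use)
17 requests for memory denied
0 requests for memory delayed
3 calls to protocol drain routines
"""

CLUSTER_RE = re.compile(r"^\s*(\d+)/(\d+)/(\d+) mbuf (\d+) byte clusters in use", re.M)
DENIED_RE = re.compile(r"^\s*(\d+) requests for memory denied", re.M)


def parse_clusters(text):
    """{cluster size in bytes: (current, peak, max)} from `netstat -m` output."""
    return {int(m.group(4)): (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            for m in CLUSTER_RE.finditer(text)}


def mbuf_findings(text, threshold=0.9):
    """Findings that map onto Remi's advice: a cluster pool whose peak reached
    `threshold` of its max (raise kern.maxclusters), and any denied requests."""
    findings = []
    for size, (_cur, peak, mx) in sorted(parse_clusters(text).items()):
        if mx and peak / mx >= threshold:
            findings.append(("clusters_near_max", size, peak, mx))
    m = DENIED_RE.search(text)
    if m and int(m.group(1)) > 0:
        findings.append(("memory_denied", int(m.group(1))))
    return findings


def ifq_drops_rising(samples):
    """net.inet.ip.ifq.drops counts since boot, so a value that stays fixed
    (104 for two days in the thread) is history, not a current problem.
    Give it readings taken at intervals; True if any later reading is higher."""
    return any(later > earlier for earlier, later in zip(samples, samples[1:]))


if __name__ == "__main__":
    # Pipe real output in (`netstat -m | python3 this.py`) or run on the samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else NETSTAT_M_BAD
    for finding in mbuf_findings(text):
        print(finding)
```

The cluster check is conservative on purpose: a peak of 658 out of 6144, as in Patrick's output, is nowhere near the threshold, which matches his "netstat -m is OK". For the drop counter, collect `sysctl -n net.inet.ip.ifq.drops` every few seconds during the slow period and pass the list to ifq_drops_rising; a counter that only grew days ago says nothing about today's bottleneck.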

Re: Firewall: Where is the bottleneck?

2014-10-28 Thread jummo4

Hi Andy,

sorry for the delay, but a lot of more important work was between your 
mail and this answer ;).



You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)


With PRIQ I mean the scheduler priq instead of cbq.

Relevant lines of my current pf.conf rule set.

pf.conf
...
altq on em0 priq bandwidth 1000Mb queue { std_em0, tcp_ack_em0 }
queue std_em0 priq(default)
queue tcp_ack_em0 priority 6

altq on em1 priq bandwidth 1000Mb queue { std_em1, tcp_ack_em1 }
queue std_em1 priq(default)
queue tcp_ack_em1 priority 6

match em0 on em0 inet proto tcp from any to any queue(std_em0, tcp_ack_em0)
match em0 on em1 inet proto tcp from any to any queue(std_em1, tcp_ack_em1)
...
/pf.conf

I have read The Book of PF 2nd, but there is nothing about 
troubleshooting. What should I do to find the problem?


I have made some notes for troubleshooting purpose:

top - Interrupts - High CPU or network interfaces = Hardware limit
systat - Interrupts on CPU and network cards = Hardware limit

bwm-ng - Bandwidth near the theoretical limit = Hardware limit
pfctl -si - Look for current states, default limit to 1. The memory
counter shows failed allocation of memory for states. If this number is 
high and increases further = Set limit for states (pfctl -sm - shows States Limit)
sysctl kern.netlivelocks - High number means something like two processes block 
each other = Hardware limit


No problem can be found with the above steps:
- prioritize TCP-ACK for tcp traffic

Best Regards,
Patrick


On Thu, 9 Oct 2014, Andy wrote:


Hi,

Just so I understand what you have done, PRIQ is not the same as queuing.

You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different 
types/profiles of traffic on your network.
For example you might have some big file transfers going on which can be 
delayed and can have a high latency but high throughput, alongside your 
control/real-time protocols which need low latency etc.
Generally in this situation just using prio won't always be enough and your 
file transfers will still swamp your interactive SSH or VNC connections etc.


So we do something like this;

altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
   oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare 
4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, 
_wan_dflt, _wan_bulk }
   oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50 
hfsc(realtime(20%, 5000, 10%), linkshare 20%)
   oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100 
hfsc(realtime 5%, linkshare 10%)
   oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100 
hfsc(realtime(15%, 2000, 5%), linkshare 10%)
   oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300 
hfsc(realtime(15%, 2000, 5%), linkshare 30%)
   oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300 
hfsc(realtime(10%, 3000, 5%), linkshare 10%)
   oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit 100 
hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
   oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100 
hfsc(linkshare 5%, upperlimit 30%, ecn, red)


altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
   oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare 
4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, 
_wan_dflt, _wan_bulk }
   oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50 
hfsc(realtime(20%, 5000, 10%), linkshare 20%)
   oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100 
hfsc(realtime 5%, linkshare 10%)
   oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100 
hfsc(realtime(15%, 2000, 5%), linkshare 10%)
   oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300 
hfsc(realtime(15%, 2000, 5%), linkshare 30%)
   oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300 
hfsc(realtime(10%, 3000, 5%), linkshare 10%)
   oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit 100 
hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
   oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 100 
hfsc(linkshare 5%, upperlimit 30%, ecn, red)


pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) 
} port { 4569, 5060, 1:2 } queue _wan_rt set prio 7
pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) 
} port { 53, 123, 5900 } queue _wan_pri set prio 4
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } 
port { 80, 443 } queue (_wan_web,_wan_pri) set prio (2,4)
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } 
port { ssh } queue (_wan_bulk,_wan_int) set prio (0,5)

.
. All the other rules needing 

Re: Firewall: Where is the bottleneck?

2014-10-10 Thread Stuart Henderson
On 2014-10-09, Andy a...@brandwatch.com wrote:
 NB; This is the old syntax for queues and I strongly recommend reading 
 the 3rd edition of The book of PF (A must read for *anyone* new or old 
 to OpenBSD and PF) :) and using the new syntax

N.B. the oldqueue syntax goes away in 5.6, if you are writing a new
config you definitely should use the new stuff..



Re: Firewall: Where is the bottleneck?

2014-10-09 Thread Andy

Hi,

Just so I understand what you have done, PRIQ is not the same as queuing.

You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different 
types/profiles of traffic on your network.
For example you might have some big file transfers going on which can be 
delayed and can have a high latency but high throughput, alongside your 
control/real-time protocols which need low latency etc.
Generally in this situation just using prio won't always be enough and 
your file transfers will still swamp your interactive SSH or VNC 
connections etc.


So we do something like this;

altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 
hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, 
_wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 
50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 
100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 
100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 
300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 
300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 
qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 
100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)


altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 
hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, 
_wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 
50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 
100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 
100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 
300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 
300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 
qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 
100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)


pass quick proto { tcp, udp } from { (vlan1:network) } to { 
(vlan234:network) } port { 4569, 5060, 1:2 } queue _wan_rt set 
prio 7
pass quick proto { tcp, udp } from { (vlan1:network) } to { 
(vlan234:network) } port { 53, 123, 5900 } queue _wan_pri set prio 4
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) 
} port { 80, 443 } queue (_wan_web,_wan_pri) set prio (2,4)
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) 
} port { ssh } queue (_wan_bulk,_wan_int) set prio (0,5)

.
. All the other rules needing higher priority than the rest
.
pass quick proto { tcp, udp, icmp } from { (vlan1:network) } to { 
(vlan234:network) } queue (_wan_bulk,_wan_pri) set prio (0,4)



NB; This is the old syntax for queues and I strongly recommend reading 
the 3rd edition of The book of PF (A must read for *anyone* new or old 
to OpenBSD and PF) :) and using the new syntax


The rule I use is that whenever one queue starts to get used too much 
and there is more than one type of traffic in a queue (here in this 
example I have DNS, NTP and VNC in the same queue) and if they start to 
affect each other, it's time to split the traffic out into further 
separate queues. So here you would split VNC into its own queue to stop 
VNC swamping the DNS queries :)


The priority in these queues is not the same as PRIO. These priority 
values don't have much impact *apparently* compared to the queues 
themselves (I just understand these to be CPU or bucket scheduling or 
something), but I've never understood how true that is, so I just set 
them to be the same number as the desired relative PRIO as that seems 
sensible.



Last but NOT least; the PRIO value gets copied into the VLAN's CoS 
header! :) So if you use VLANs like we do here on our trunks, the 
different packets will end up as frames with the prio copied in, meaning 
your switches can then also maintain the layer 3 QoS in the layer 2 
CoS... Amazing stuff :)



Good luck

Andrew Lemin

*** looking forward to 64bit queues! :) ***



On 08/10/14 20:49, jum...@yahoo.de wrote:

Re: Firewall: Where is the bottleneck?

2014-10-08 Thread jummo4

Hi Andy,

This morning I have added Priority Queueing (PRIQ) to the ruleset and 
prefer TCP ACK packets over everything else. I can see the queues with 
systat queue but the change has no effect on either the user experience or 
the throughput.


I have read something about adjusting TCP send and receive window size 
settings, but OpenBSD has done this automatically since 2010 [1]. What else 
can I set?


Best Regards,
Patrick

[1] http://marc.info/?l=openbsd-misc&m=128905075911814

On Thu, 2 Oct 2014, jum...@yahoo.de wrote:


Hi Andy,


Setup some queues and prioritise your ACK's ;)

Good idea, I will try to implement a Priority Queueing with the old altq.

Best Regards,
Patrick

On Thu, 2 Oct 2014, Andy wrote:


Setup some queues and prioritise your ACK's ;)

The box is fine under the load I'm sure, but you'll still need to 
prioritise those TCP acknowledgments to make things snappy when lots of 
traffic is going on..



On 02/10/14 17:13, Ville Valkonen wrote:

Hello Patrick,

On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:

Hi,

I use an OpenBSD based firewall (version 5.2, I know I should upgrade but 
...) between an 8 host cluster of Linux servers and 300 clients which will 
access this cluster via VNC. Each server is connected with one gigabit 
port to a dedicated switch and the firewall has on each side one gigabit 
(dedicated switch and campus network).


The users complain about slow VNC response times (if I connect a client 
system to the dedicated switch, the access is faster, even during peak 
hours), and the admins of the cluster blame my firewall :(.


I use MRTG for traffic monitoring (data retrieved from OpenBSD at one 
minute intervals) and can see average traffic of 160 Mbit/s during office 
hours and peaks at 280 Mbit/s. With bwm-ng and a five second interval I 
can see peaks at 580 Mbit/s. The peak packets per second is around 
8 packets (also measured with bwm-ng). The interrupt of CPU0 is at 
peak 25%. So with this data I don't think the firewall is at the limit, 
am I right?


The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz) with 4 
GByte of memory and four 1 Gbit/s Ethernet copper Intel NICs (driver em).


Where is the problem? Can't the NICs handle more packets/second? How can 
I check for this?


If I connect a client system directly to the dedicated system, the 
response times are better.


Thanks for your help,
Patrick

In addition to dmesg, could you please provide the following information:
$ pfctl -si
$ sysctl kern.netlivelocks
and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville




Re: Firewall: Where is the bottleneck?

2014-10-06 Thread jummo4

Hi Ville,

What I read on the Internet so far about states [1]: The memory counter 
shows how often pf tries to insert a state but failed. The reason could be 
a hard limit of state entries.


I watched the memory counter this afternoon and it hasn't increased, 
still at 8764.



pfctl -s memory

stateshard limit1
src-nodes hard limit1
frags hard limit 5000
tableshard limit 1000
table-entries hard limit   20


systat

Sorry for pastebin link [2], but the formatting is broken inside a mail

Best Regards,
Patrick

[1] http://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit/
[2] http://pastebin.com/CnfEZDE9


On Fri, 3 Oct 2014, Ville Valkonen wrote:


On 3 October 2014 11:11, Ville Valkonen weezeld...@gmail.com wrote:

On 2 October 2014 23:36,  jum...@yahoo.de wrote:

$ sysctl kern.netlivelocks

kern.netlivelocks=2

What does this mean? I found something like a deadlock, when two processes
block each other, am I right?


This is useful information, especially under load. I don't have the
source code available at the moment but as far as I know/remember it
tells how many interrupts network devices create (this is likely
wrong, don't take it as a fact. And please, someone correct me).


and interrupt statistics (by systat for example) would be helpful.


You mean during peak load. I will send it on Monday.


Yes, that's correct. Sorry for not mentioning this in the first mail.

btw. if you could yet provide this information it would be great:
$ sudo pfctl -sa |grep -A 5 LIMITS


Correction: rather use pfctl -s memory




Re: Firewall: Where is the bottleneck?

2014-10-03 Thread Ville Valkonen
On 2 October 2014 23:36,  jum...@yahoo.de wrote:
 $ sysctl kern.netlivelocks
 kern.netlivelocks=2

 What does this mean? I found something like a deadlock, when two processes
 block each other, am I right?

This is useful information, especially under load. I don't have the
source code available at the moment but as far as I know/remember it
tells how many interrupts network devices create (this is likely
wrong, don't take it as a fact. And please, someone correct me).

 and interrupt statistics (by systat for example) would be helpful.

 You mean during peak load. I will send it on Monday.

Yes, that's correct. Sorry for not mentioning this in the first mail.

btw. if you could yet provide this information it would be great:
$ sudo pfctl -sa |grep -A 5 LIMITS

--
Regards,
Ville



Re: Firewall: Where is the bottleneck?

2014-10-03 Thread Ville Valkonen
On 3 October 2014 11:11, Ville Valkonen weezeld...@gmail.com wrote:
 On 2 October 2014 23:36,  jum...@yahoo.de wrote:
 $ sysctl kern.netlivelocks
 kern.netlivelocks=2

 What does this mean? I found something like a deadlock, when two processes
 block each other, am I right?

 This is useful information, especially under load. I don't have the
 source code available at the moment but as far as I know/remember it
 tells how many interrupts network devices create (this is likely
 wrong, don't take it as a fact. And please, someone correct me).

 and interrupt statistics (by systat for example) would be helpful.

 You mean during peak load. I will send it on Monday.

 Yes, that's correct. Sorry for not mentioning this in the first mail.

 btw. if you could yet provide this information it would be great:
 $ sudo pfctl -sa |grep -A 5 LIMITS

Correction: rather use pfctl -s memory



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread Marcus MERIGHI
jum...@yahoo.de (Patrick), 2014.10.02 (Thu) 16:32 (CEST):
 Hi,
 
 I use an OpenBSD based firewall (version 5.2, I know I should upgrade
 but ...) between an 8 host cluster of Linux servers and 300 clients
 which will access this cluster via VNC. Each server is connected with
 one gigabit port to a dedicated switch and the firewall has on each
 side one gigabit (dedicated switch and campus network).
 
 The users complain about slow VNC response times (if I connect a
 client system to the dedicated switch, the access is faster, even
 during peak hours), and the admins of the cluster blame my firewall
 :(.
 
 I use MRTG for traffic monitoring (data retrieved from OpenBSD at one
 minute intervals) and can see average traffic of 160 Mbit/s during
 office hours and peaks at 280 Mbit/s. With bwm-ng and a five second
 interval I can see peaks at 580 Mbit/s. The peak packets per second
 is around 8 packets (also measured with bwm-ng). The interrupt of
 CPU0 is at peak 25%. So with this data I don't think the firewall is
 at the limit, am I right?
 
 The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
 with 4 GByte of memory and four 1 Gbit/s Ethernet copper Intel NICs
 (driver em).
 
 Where is the problem? Can't the NICs handle more packets/second? How
 can I check for this?
 
 If I connect a client system directly to the dedicated system, the
 response times are better.
 
 Thanks for your help, Patrick

I cannot help you on the topic but on improving your response rate:
provide a dmesg. At least. The precogs are on vacation ;-)

Bye, Marcus



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread Ville Valkonen
Hello Patrick,

On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:
 Hi,

 I use an OpenBSD based firewall (version 5.2, I know I should upgrade but ...) 
 between an 8 host cluster of Linux servers and 300 clients which will access 
 this cluster via VNC. Each server is connected with one gigabit port to a 
 dedicated switch and the firewall has on each side one gigabit (dedicated 
 switch and campus network).

 The users complain about slow VNC response times (if I connect a client 
 system to the dedicated switch, the access is faster, even during peak 
 hours), and the admins of the cluster blame my firewall :(.

 I use MRTG for traffic monitoring (data retrieved from OpenBSD at one minute 
 intervals) and can see average traffic of 160 Mbit/s during office hours and 
 peaks at 280 Mbit/s. With bwm-ng and a five second interval I can see peaks 
 at 580 Mbit/s. The peak packets per second is around 8 packets (also 
 measured with bwm-ng). The interrupt of CPU0 is at peak 25%. So with this 
 data I don't think the firewall is at the limit, am I right?

 The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz) with 4 
 GByte of memory and four 1 Gbit/s Ethernet copper Intel NICs (driver em).

 Where is the problem? Can't the NICs handle more packets/second? How can I 
 check for this?

 If I connect a client system directly to the dedicated system, the response 
 times are better.

 Thanks for your help,
 Patrick

In addition to dmesg, could you please provide the following information:
$ pfctl -si
$ sysctl kern.netlivelocks
and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread Andy

Setup some queues and prioritise your ACK's ;)

The box is fine under the load I'm sure, but you'll still need to 
prioritise those TCP acknowledgments to make things snappy when lots of 
traffic is going on..



On 02/10/14 17:13, Ville Valkonen wrote:

Hello Patrick,

On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:

Hi,

I use an OpenBSD based firewall (version 5.2, I know I should upgrade but ...) 
between an 8 host cluster of Linux servers and 300 clients which will access this 
cluster via VNC. Each server is connected with one gigabit port to a dedicated 
switch and the firewall has on each side one gigabit (dedicated switch and 
campus network).

The users complain about slow VNC response times (if I connect a client system 
to the dedicated switch, the access is faster, even during peak hours), and the 
admins of the cluster blame my firewall :(.

I use MRTG for traffic monitoring (data retrieved from OpenBSD at one minute 
intervals) and can see average traffic of 160 Mbit/s during office hours and 
peaks at 280 Mbit/s. With bwm-ng and a five second interval I can see peaks 
at 580 Mbit/s. The peak packets per second is around 8 packets (also 
measured with bwm-ng). The interrupt of CPU0 is at peak 25%. So with this data 
I don't think the firewall is at the limit, am I right?

The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz) with 4 GByte 
of memory and four 1 Gbit/s Ethernet copper Intel NICs (driver em).

Where is the problem? Can't the NICs handle more packets/second? How can I 
check for this?

If I connect a client system directly to the dedicated system, the response 
times are better.

Thanks for your help,
Patrick

In addition to dmesg, could you please provide the following information:
$ pfctl -si
$ sysctl kern.netlivelocks
and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville




Re: Firewall: Where is the bottleneck?

2014-10-02 Thread System Administrator
On 2 Oct 2014 at 18:15, Andy wrote:

 Setup some queues and prioritise your ACK's ;)
 
 The box is fine under the load I'm sure, but you'll still need to 
 prioritise those TCP acknowledgments to make things snappy when lots of
 traffic is going on..

All these (otherwise valid) suggestions are useless until we know more 
about the specific firewall in question -- information best delivered 
in the form of dmesg, 'pfctl -si' output and other statistics as 
indicated in Ville's response below. I recently struggled with a very 
similar problem until I noticed that the total number of states 
reported in pftop was stuck at 10,000 ... guess what? that is a 
default limit and (also by default) stateless traffic is *dropped*! 
Raising that particular limit _magically_ tripled the throughput.

-Jacob.

 
 On 02/10/14 17:13, Ville Valkonen wrote:
  Hello Patrick,
 
  On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:
  Hi,
 
  I use an OpenBSD based firewall (version 5.2, I know I should upgrade
  but ...) between an 8 host cluster of Linux servers and 300 clients
  which will access this cluster via VNC. Each server is connected with
  one gigabit port to a dedicated switch and the firewall has on each
  side one gigabit (dedicated switch and campus network).
 
  The users complain about slow VNC response times (if I connect a
  client system to the dedicated switch, the access is faster, even
  during peak hours), and the admins of the cluster blame my firewall
  :(.
 
  I use MRTG for traffic monitoring (data retrieved from OpenBSD at one
  minute intervals) and can see average traffic of 160 Mbit/s during
  office hours and peaks at 280 Mbit/s. With bwm-ng and a five second
  interval I can see peaks at 580 Mbit/s. The peak packets per second
  is around 8 packets (also measured with bwm-ng). The interrupt
  of CPU0 is at peak 25%. So with this data I don't think the firewall
  is at the limit, am I right?
 
  The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
  with 4 GByte of memory and four 1 Gbit/s Ethernet copper Intel NICs
  (driver em).
 
  Where is the problem? Can't the NICs handle more packets/second? How
  can I check for this?
 
  If I connect a client system directly to the dedicated system, the
  response times are better.
 
  Thanks for your help,
  Patrick
  In addition to dmesg, could you please provide the following
  information: $ pfctl -si $ sysctl kern.netlivelocks and interrupt
  statistics (by systat for example) would be helpful.
 
  Thanks!
 
  --
  Regards,
  Ville



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread Giancarlo Razzolini
On 02-10-2014 17:30, System Administrator wrote:
 All these (otherwise valid) suggestions are useless until we know more
 about the specific firewall in question -- information best delivered
 in the form of dmesg, 'pfctl -si' output and other statistics as
 indicated in Ville's response below. I recently struggled with a very
 similar problem until I noticed that the total number of states
 reported in pftop was stuck at 10,000 ... guess what? that is a
 default limit and (also by default) stateless traffic is*dropped*!
 Raising that particular limit_magically_  tripled the throughput.
It is on the top of the /etc/pf.conf installation file. They put it
there just because people would come to misc complaining, only to then
discover the state limit. Also, there is no magic here. 10k is a
valid default limit that won't consume too much memory and is ok for most
uses. In more than 10 years using pf I only had to tweak it once. As for
the OP, more information really is needed. But with the traffic he
mentioned, there are a lot of points where the bottleneck could be.
Perhaps even more than one combined.

Cheers,

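The failure mode Jacob and Giancarlo describe above (a full state table silently dropping new connections, visible as a climbing "memory" counter in pfctl -si) can be turned into a routine check. This is an added example, not code from the thread: a POSIX sh script that parses the `pfctl -si` and `pfctl -s memory` output formats quoted earlier in the thread; the sample outputs and the function names are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): flag a PF state table that is
# running into its hard limit. Real input would be `pfctl -si` and
# `pfctl -s memory`; the samples below are constructed so this runs
# offline. Field positions follow the output quoted in the thread.

# Constructed sample of `pfctl -si` (only the parsed lines matter).
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9870
  searches                       870381294           16865.1/s
  inserts                        716973517              13.9/s
Counters
  match                          853853991              16.5/s
  memory                              8764              12.3/s
  state-limit                            0               0.0/s'

# Constructed sample of `pfctl -s memory` (default 10000 state limit).
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Print column COL of the first line whose first word is KEY.
pf_field() {  # usage: pf_field "text" KEY COL
    printf '%s\n' "$1" | awk -v key="$2" -v col="$3" '
        $1 == key { print $col; exit }'
}

# Integer percentage of the state table in use (current / hard limit).
pf_state_pct() {  # usage: pf_state_pct CURRENT LIMIT
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Report state table pressure. Returns 1 when the table is at least
# WARN_PCT full or the "memory" counter (failed state inserts) is
# still rising; each failed insert is a dropped connection attempt.
WARN_PCT=${WARN_PCT:-90}
check_pf_states() {  # usage: check_pf_states "si_text" "mem_text"
    cur=$(pf_field "$1" current 3)
    lim=$(pf_field "$2" states 4)
    fail=$(pf_field "$1" memory 2)
    rate=$(pf_field "$1" memory 3)
    pct=$(pf_state_pct "$cur" "$lim")
    status=0
    echo "states: $cur/$lim ($pct%)"
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARN: state table near hard limit; new states will fail"
        status=1
    fi
    case "$rate" in
        0.0/s) ;;
        *) echo "WARN: $fail failed state inserts (memory), rate $rate"
           status=1 ;;
    esac
    return $status
}

# Run against the constructed samples when executed directly.
if check_pf_states "$SAMPLE_SI" "$SAMPLE_MEM"; then
    echo "state table OK"
else
    echo "raise 'set limit states' in pf.conf or find the state source"
fi
```

On a live box replace the samples with `$(pfctl -si)` and `$(pfctl -s memory)` and run it from cron during peak hours, which is when Patrick's table would fill.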



Re: Firewall: Where is the bottleneck?

2014-10-02 Thread jummo4

Hi Andy,


Setup some queues and prioritise your ACK's ;)

Good idea, I will try to implement a Priority Queueing with the old altq.

Best Regards,
Patrick

On Thu, 2 Oct 2014, Andy wrote:


Setup some queues and prioritise your ACK's ;)

The box is fine under the load I'm sure, but you'll still need to prioritise 
those TCP acknowledgments to make things snappy when lots of traffic is going 
on..



On 02/10/14 17:13, Ville Valkonen wrote:

Hello Patrick,

On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:

Hi,

I use an OpenBSD based firewall (version 5.2, I know I should upgrade but 
...) between an 8 host cluster of Linux servers and 300 clients which will 
access this cluster via VNC. Each server is connected with one gigabit 
port to a dedicated switch and the firewall has on each side one gigabit 
(dedicated switch and campus network).


The users complain about slow VNC response times (if I connect a client 
system to the dedicated switch, the access is faster, even during peak 
hours), and the admins of the cluster blame my firewall :(.


I use MRTG for traffic monitoring (data retrieved from OpenBSD at one 
minute intervals) and can see average traffic of 160 Mbit/s during office 
hours and peaks at 280 Mbit/s. With bwm-ng and a five second interval I 
can see peaks at 580 Mbit/s. The peak packets per second is around 8 
packets (also measured with bwm-ng). The interrupt of CPU0 is at peak 25%. 
So with this data I don't think the firewall is at the limit, am I right?


The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz) with 4 
GByte of memory and four 1 Gbit/s Ethernet copper Intel NICs (driver em).


Where is the problem? Can't the NICs handle more packets/second? How can I 
check for this?


If I connect a client system directly to the dedicated system, the 
response times are better.


Thanks for your help,
Patrick

In addition to dmesg, could you please provide the following information:
$ pfctl -si
$ sysctl kern.netlivelocks
and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville




Re: Firewall: Where is the bottleneck?

2014-10-02 Thread jummo4

Hi Ville,


$ pfctl -si

Status: Enabled for 597 days 07:40:45Debug: err

Interface Stats for em0   IPv4 IPv6
  Bytes In  30397895135138   4212405499
  Bytes Out 358299989496464   64
  Packets In
Passed1542753124920
Blocked   92254910 29098377
  Packets Out
Passed2808765165391
Blocked   32530

State Table  Total Rate
  current entries  133
  searches87038129446216865.1/s
  inserts716973517   13.9/s
  removals   716973384   13.9/s
Counters
  match  853853991   16.5/s
  bad-offset 00.0/s
  fragment   00.0/s
  short  00.0/s
  normalize  30.0/s
  memory  87640.0/s
  bad-timestamp  00.0/s
  congestion 10.0/s
  ip-option  00.0/s
  proto-cksum00.0/s
  state-mismatch1972370.0/s
  state-insert   00.0/s
  state-limit00.0/s
  src-limit  00.0/s
  synproxy   00.0/s


$ sysctl kern.netlivelocks

kern.netlivelocks=2

What does this mean? I found something like a deadlock, when two 
processes block each other, am I right?



and interrupt statistics (by systat for example) would be helpful.

You mean during peak load. I will send it on Monday.

Best Regards,
Patrick

OpenBSD 5.2 (GENERIC.MP) #368: Wed Aug  1 10:04:49 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4265099264 (4067MB)
avail mem = 4129193984 (3937MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb4c0 (55 entries)
bios0: vendor American Megatrends Inc. version 2.0b date 09/17/2012
bios0: Supermicro X9SCI/X9SCA
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT PRAD SPMI SSDT SSDT EINJ 
ERST HEST BERT
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) UAR2(S4) P0P1(S4) 
USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) USB6(S4) USB7(S4) PXSX(S4) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) 
RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) PXSX(S4) RP08(S4) PEGP(S4) 
PEG0(S4) PEG1(S4) PEG2(S4) PEG3(S4) GLAN(S4) EHC1(S4) EHC2(S4) HDEF(S4) 
PWRB(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.50 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF

cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF

cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF

cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 6 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus 2 (RP05)
acpiprt7 at acpi0: bus 3 (RP06)

Re: Firewall cluster.

2014-07-14 Thread Patrick Lamaiziere
Le Wed, 09 Jul 2014 20:33:47 +0200,
Mxher o...@mxher.fr a écrit :

Hello,

  I'm doing a few more tests and now I'm wondering if it is possible
  to disallow CARP from having some resources on serverA and others on
  serverB?

You can use ifstated to implement your own logic.

I have a pair of firewalls, the first is the normal master, the second is
the backup. If a problem occurs on the first, carp allows the second to
become master. But then, ifstated running on the first fw disables carp
to prevent it from becoming master again (even if a problem occurs on the
second). To make the first master again, someone must, by hand,
check the situation and enable carp on it. This is because the failover
depends on some BGP sessions here.

Regards,



Re: Firewall cluster.

2014-07-09 Thread Mxher
First, thanks for trying to help!

Le 09/07/2014 07:08, Remi Locherer a écrit :
 On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
 Hello again,

 I'm doing a few more tests and now I'm wondering if it is possible to
 disallow CARP from having some resources on serverA and others on serverB?
 
 Have you set the sysctl net.inet.carp.preempt=1?
 
Yes it is.


 Here are my tests (advbase=1 and advskew=0 for every interface on both
 servers):
 
 advskew should be different on master from backup. Try advskew=200 on
 obsd2.
 
 Please read man carp. The first example is exactly what you need.
 

It's not; I will describe my tests more precisely (sorry for the long
post again):

1) Initial state
root@obsd1:~# sysctl -a|grep net.inet.carp.preempt
net.inet.carp.preempt=1
root@obsd2:~# sysctl -a|grep net.inet.carp.preempt
net.inet.carp.preempt=1

root@obsd1:~# ifconfig HA|grep carp:
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
carp: BACKUP carpdev em3 vhid 4 advbase 1 advskew 200


2) Unplug of em3 on obsd1: the failover is done as expected
root@obsd1:~# ifconfig HA|grep carp:
carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 0
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 0
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 200
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 200
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 200
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200


3) (re)Plug of em3 on obsd1: resources get back on obsd1 because of the
advskew being greater on obsd2 (this is the exact purpose of advskew, and I
want to avoid it, but I did it to show you).
root@obsd1:~# ifconfig HA|grep carp:
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
carp: BACKUP carpdev em3 vhid 4 advbase 1 advskew 200


4) Unplug of em2 on obsd2 AND unplug of em3 on obsd1: resources get
mixed between the two nodes.
I don't think this is a bug, it seems to be designed to act like this and
I can understand why. But, in my case, I must avoid that.
root@obsd1:~# ifconfig HA|grep carp:
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: INIT carpdev em2 vhid 3 advbase 1 advskew 200
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200

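The "mixed" condition in step 4 above is easy to miss by eye across two hosts. As an added example (not code from the thread), this POSIX sh script parses the `ifconfig HA | grep carp:` lines quoted in the post and reports whether one node owns every vhid or mastership is split; the samples are copied from steps 1 and 4, and the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the thread): detect split CARP mastership
# between two nodes from their `ifconfig HA | grep carp:` output.
# The samples below are the step 1 and step 4 outputs quoted in the post.

# Step 1 (healthy): obsd1 is MASTER for every vhid.
OBSD1_STEP1='carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0'
OBSD2_STEP1='carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
carp: BACKUP carpdev em3 vhid 4 advbase 1 advskew 200'

# Step 4 (mixed): obsd1 lost em3 and obsd2 lost em2.
OBSD1_STEP4='carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0'
OBSD2_STEP4='carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: INIT carpdev em2 vhid 3 advbase 1 advskew 200
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200'

# Space-separated vhids for which this node is MASTER (empty if none).
carp_master_vhids() {  # usage: carp_master_vhids "carp lines"
    printf '%s\n' "$1" | awk '$1 == "carp:" && $2 == "MASTER" {
        for (i = 1; i <= NF; i++) if ($i == "vhid") printf "%s ", $(i + 1)
    }' | sed 's/ $//'
}

# Number of carp vhids present in the node's output.
carp_vhid_count() {  # usage: carp_vhid_count "carp lines"
    printf '%s\n' "$1" | awk '$1 == "carp:" { n++ } END { print n + 0 }'
}

# Number of words in a string (0 for the empty string).
word_count() { printf '%s\n' "$1" | awk '{ print NF }'; }

# Classify a node pair. Returns 0 when exactly one node is MASTER for
# every vhid, 1 when mastership is split or some vhid has no master.
carp_pair_state() {  # usage: carp_pair_state "node1 lines" "node2 lines"
    m1=$(carp_master_vhids "$1"); m2=$(carp_master_vhids "$2")
    n1=$(carp_vhid_count "$1");   n2=$(carp_vhid_count "$2")
    c1=$(word_count "$m1");       c2=$(word_count "$m2")
    if [ -n "$m1" ] && [ -n "$m2" ]; then
        echo "split: node1 masters vhid(s) $m1; node2 masters vhid(s) $m2"
        return 1
    elif [ "$n1" -gt 0 ] && [ "$c1" -eq "$n1" ] && [ -z "$m2" ]; then
        echo "consistent: node1 masters all $n1 vhids"
    elif [ "$n2" -gt 0 ] && [ "$c2" -eq "$n2" ] && [ -z "$m1" ]; then
        echo "consistent: node2 masters all $n2 vhids"
    else
        echo "degraded: some vhid has no master on either node"
        return 1
    fi
}

# Walk the two documented states when executed directly.
carp_pair_state "$OBSD1_STEP1" "$OBSD2_STEP1" || true
carp_pair_state "$OBSD1_STEP4" "$OBSD2_STEP4" || true
```

Fed with live output from both nodes (for example over ssh from a monitoring host), a non-zero exit is the signal to intervene by hand, which is the manual step the thread ends up recommending anyway.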


Re: Firewall cluster.

2014-07-08 Thread Remi Locherer
On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
 Hello again,
 
 I'm doing a few more tests and now I'm wondering if it is possible to
 disallow CARP from having some resources on serverA and others on serverB?

Have you set the sysctl net.inet.carp.preempt=1?

 
 Here are my tests (advbase=1 and advskew=0 for every interface on both
 servers):

advskew should be different on master from backup. Try advskew=200 on
obsd2.

Please read man carp. The first example is exactly what you need.

 * Initial state
 root@obsd1:~# ifconfig HA |grep status
 status: master
 status: master
 status: master
 status: master
 root@obsd2:~# ifconfig HA |grep status
 status: backup
 status: backup
 status: backup
 status: backup
 
 * I unplugged em2 and em3 on obsd2 and em1 on obsd1:
 root@obsd1:~# ifconfig HA |grep status
 status: master
 status: invalid
 status: master
 status: master
 root@obsd2:~# ifconfig HA |grep status
 status: backup
 status: master
 status: invalid
 status: invalid
 
 
 obsd2 became master for em1 while obsd1 is master for everything else.
 Is there any (proper and automatic) way to avoid that?
 
 I know that kind of situation will not happen often but...
 
 
 Thanks again!
 
 
 Le 06/07/2014 13:13, Mxher a écrit :
  Le 06/07/2014 12:05, Otto Moerbeek a écrit :
  On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
 
  The sysctl for carp.preempt controls if they should all fail at the same
  time.
 
  read carp(4). It contains answers to some questions asked.
 
 -Otto
 
  
  Den 6 jul 2014 10:12 skrev Adam Thompson athom...@athompso.net:
  I recall someone pointing out that interface groups of carp interfaces
  will all transition simultaneously.  I find ifconfig(8) inconclusive; run
  your own tests and if that works, you have a built-in solution for 
  keeping
  all the carp interfaces in sync.
  Then, use ifstated to manage the pppoe interfaces depending on ifstate of
  the relevant wan interface?  You could set up a carp interface with no IP
  address bound, set it into the common if group and it would go up/down 
  with
  the other carp ifs.
  Maybe.  I haven't tried anything like that myself.
  -Adam
  
  I ran some tests and this is working as expected!
  
  Only thing I see is that there will be no group failback if this is a
  virtual carp interface which goes down.
  
  To be clear if the parent interface of carp2 goes down the whole group
  will switch but not if carp2 goes down by itself (by an admin mistake
  for example):
  * initial states
  root@obsd1:~# sysctl -a|grep preem
  net.inet.carp.preempt=1
  root@obsd1:~# ifconfig HA |grep status
  status: master
  status: master
  status: master
  status: master
  
  root@obsd2:~# sysctl -a|grep preem
  net.inet.carp.preempt=1
  root@obsd2:~# ifconfig HA |grep status
  status: backup
  status: backup
  status: backup
  status: backup
  
  
  * states with carp2 down on obsd1
  root@obsd1:~# ifconfig carp2 down
  root@obsd1:~# ifconfig HA |grep status
  status: master
  status: master
  status: invalid
  status: master
  
  root@obsd2:~# ifconfig HA |grep status
  status: backup
  status: backup
  status: master
  status: backup
  
  
  * also unfortunately when carp2 goes UP again on obsd1 it still remains
  on obsd2:
  root@obsd1:~# ifconfig carp2 up
  root@obsd1:~# ifconfig HA |grep status
  status: master
  status: master
  status: backup
  status: master
  
  root@obsd2:~# ifconfig HA |grep status
  status: backup
  status: backup
  status: master
  status: backup
  
  
  Anyway I think this is an acceptable risk.
  
  
  @Adam: I will now try to use ifstated to manage pppoe interfaces like
  you suggest.
  
  
  Thanks to everyone of you.



Re: Firewall cluster.

2014-07-07 Thread Mxher
Hello again,

I'm doing a few more tests and now I'm wondering if it is possible to
disallow CARP from having some resources on serverA and others on serverB?

Here are my tests (advbase=1 and advskew=0 for every interface on both
servers):
* Initial state
root@obsd1:~# ifconfig HA |grep status
status: master
status: master
status: master
status: master
root@obsd2:~# ifconfig HA |grep status
status: backup
status: backup
status: backup
status: backup

* I unplugged em2 and em3 on obsd2 and em1 on obsd1:
root@obsd1:~# ifconfig HA |grep status
status: master
status: invalid
status: master
status: master
root@obsd2:~# ifconfig HA |grep status
status: backup
status: master
status: invalid
status: invalid


obsd2 became master for em1 while obsd1 is master for everything else.
Is there any (proper and automatic) way to avoid that?

I know that kind of situation will not happen often but...


Thanks again!


Le 06/07/2014 13:13, Mxher a écrit :
 Le 06/07/2014 12:05, Otto Moerbeek a écrit :
 On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:

 The sysctl for carp.preempt controls if they should all fail at the same
 time.

 read carp(4). It contains answers to some questions asked.

  -Otto

 
 Den 6 jul 2014 10:12 skrev Adam Thompson athom...@athompso.net:
 I recall someone pointing out that interface groups of carp interfaces
 will all transition simultaneously.  I find ifconfig(8) inconclusive; run
 your own tests and if that works, you have a built-in solution for keeping
 all the carp interfaces in sync.
 Then, use ifstated to manage the pppoe interfaces depending on ifstate of
 the relevant wan interface?  You could set up a carp interface with no IP
 address bound, set it into the common if group and it would go up/down with
 the other carp ifs.
 Maybe.  I haven't tried anything like that myself.
 -Adam
 
 I ran some tests and this is working as expected!
 
 The only thing I see is that there will be no group failback if it is a
 virtual carp interface which goes down.
 
 To be clear, if the parent interface of carp2 goes down, the whole group
 will switch, but not if carp2 goes down by itself (by an admin mistake,
 for example):
 * initial states
 root@obsd1:~# sysctl -a|grep preem
 net.inet.carp.preempt=1
 root@obsd1:~# ifconfig HA |grep status
 status: master
 status: master
 status: master
 status: master
 
 root@obsd2:~# sysctl -a|grep preem
 net.inet.carp.preempt=1
 root@obsd2:~# ifconfig HA |grep status
 status: backup
 status: backup
 status: backup
 status: backup
 
 
 * states with carp2 down on obsd1
 root@obsd1:~# ifconfig carp2 down
 root@obsd1:~# ifconfig HA |grep status
 status: master
 status: master
 status: invalid
 status: master
 
 root@obsd2:~# ifconfig HA |grep status
 status: backup
 status: backup
 status: master
 status: backup
 
 
 * also, unfortunately, when carp2 goes UP again on obsd1 it still remains
 on obsd2:
 root@obsd1:~# ifconfig carp2 up
 root@obsd1:~# ifconfig HA |grep status
 status: master
 status: master
 status: backup
 status: master
 
 root@obsd2:~# ifconfig HA |grep status
 status: backup
 status: backup
 status: master
 status: backup
 
 
 Anyway I think this is an acceptable risk.
 
 
 @Adam: I will now try to use ifstated to manage pppoe interfaces like
 you suggest.
 
 
 Thanks to every one of you.
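The partial failover Mxher describes above (obsd2 master for em1 while obsd1 is master for everything else) is easy to miss when reading four `status:` lines per node by eye. The script below is an added example, not code from this thread or from OpenBSD: it compares the `ifconfig HA | grep status` output of both nodes member by member and names the condition. It assumes the group's members are listed in the same order on both nodes, and the sample states are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: detect the partial failover
# described above (one node master for some CARP members, the other node
# master for the rest) from the output of `ifconfig HA | grep status` taken
# on each node. The sample inputs below are constructed from the states
# quoted in the thread; "HA" is the interface group name used there.

# carp_cluster_check NODE_A_STATUS NODE_B_STATUS
# Each argument is the text of `ifconfig <group> | grep status` from one node,
# listing the group's members in the same order on both nodes. Prints one of:
#   dual-master       the same member is master on both nodes (split brain)
#   partial-failover  both nodes are master for some member (the case above)
#   no-master         no node is master for anything
#   healthy           exactly one node holds every master
carp_cluster_check() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { node = 1 }
        /^---$/ { node = 2; next }
        /status:/ {
            i = ++n[node]
            st[node, i] = $2
            cnt[node, $2]++
        }
        END {
            members = (n[1] > n[2]) ? n[1] : n[2]
            for (i = 1; i <= members; i++)
                if (st[1, i] == "master" && st[2, i] == "master") {
                    print "dual-master"; exit
                }
            am = cnt[1, "master"] + 0
            bm = cnt[2, "master"] + 0
            if (am > 0 && bm > 0) { print "partial-failover"; exit }
            if (am == 0 && bm == 0) { print "no-master"; exit }
            print "healthy"
        }'
}

# Constructed sample: the initial state and the unplugged-cable state
# from the thread (em2/em3 unplugged on obsd2, em1 on obsd1).
OBSD1_INITIAL='status: master
status: master
status: master
status: master'
OBSD2_INITIAL='status: backup
status: backup
status: backup
status: backup'
OBSD1_UNPLUGGED='status: master
status: invalid
status: master
status: master'
OBSD2_UNPLUGGED='status: backup
status: master
status: invalid
status: invalid'

echo "initial:   $(carp_cluster_check "$OBSD1_INITIAL" "$OBSD2_INITIAL")"     # healthy
echo "unplugged: $(carp_cluster_check "$OBSD1_UNPLUGGED" "$OBSD2_UNPLUGGED")" # partial-failover
```

Run it from cron or a monitoring check with the two nodes' output fetched over ssh; anything other than `healthy` is the state that the thread shows CARP will not repair by itself.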



Re: Firewall cluster.

2014-07-06 Thread Mxher
On 05/07/2014 22:37, sven falempin wrote:
 
 Read the FAQ, don't forget to sync the states, and use ifstated to change the
 modem state when switching master fw.
 
 

Actually I read it but I didn't notice ifstated; after a quick look it
seems quite interesting.

Thank you.



Re: Firewall cluster.

2014-07-06 Thread Mxher
On 06/07/2014 04:34, Giancarlo Razzolini wrote:
 On 05-07-2014 16:20, Mxher wrote:
 1) Can I group multiple virtual IPs to make them all switch at the same
 time using CARP?
 AFAIK, no. But you can use ifstated.
I have to admit that I didn't know about ifstated; I will test it.

 2) About modem interfaces, I can't have them UP on both firewalls at
 the same time.
 How would you manage that?
 Are you dialing to your modems using pppoe? If so, then no, you probably
 can't have both of them up, even with carp. If you could change your
 configuration to routing instead, you could use carp on your external
 interface to talk to your modems.
Yes, unfortunately I have to use pppoe on two (of the five) modems.

 
 Cheers,
 

Thanks for your answer!



Re: Firewall cluster.

2014-07-06 Thread Adam Thompson
On July 6, 2014 2:51:03 AM CDT, Mxher o...@mxher.fr wrote:
On 06/07/2014 04:34, Giancarlo Razzolini wrote:
 On 05-07-2014 16:20, Mxher wrote:
 1) Can I group multiple virtual IPs to make them all switch at the same
 time using CARP?
 AFAIK, no. But you can use ifstated.
I have to admit that I didn't know about ifstated; I will test it.

 2) About modem interfaces, I can't have them UP on both firewalls at
 the same time.
 How would you manage that?
 Are you dialing to your modems using pppoe? If so, then no, you probably
 can't have both of them up, even with carp. If you could change your
 configuration to routing instead, you could use carp on your external
 interface to talk to your modems.
Yes, unfortunately I have to use pppoe on two (of the five) modems.

 
 Cheers,
 

Thanks for your answer!

I recall someone pointing out that interface groups of carp interfaces will all 
transition simultaneously.  I find ifconfig(8) inconclusive; run your own tests 
and if that works, you have a built-in solution for keeping all the carp 
interfaces in sync.
Then, use ifstated to manage the pppoe interfaces depending on ifstate of the 
relevant wan interface?  You could set up a carp interface with no IP address 
bound, set it into the common if group and it would go up/down with the other 
carp ifs.
Maybe.  I haven't tried anything like that myself.
-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Firewall cluster.

2014-07-06 Thread Janne Johansson
The sysctl for carp.preempt controls if they should all fail at the same
time.
On 6 Jul 2014 10:12, Adam Thompson athom...@athompso.net wrote:

 On July 6, 2014 2:51:03 AM CDT, Mxher o...@mxher.fr wrote:
 On 06/07/2014 04:34, Giancarlo Razzolini wrote:
  On 05-07-2014 16:20, Mxher wrote:
  1) Can I group multiple virtual IPs to make them all switch at the same
  time using CARP?
  AFAIK, no. But you can use ifstated.
 I have to admit that I didn't know about ifstated; I will test it.
 
  2) About modem interfaces, I can't have them UP on both firewalls at
  the same time.
  How would you manage that?
  Are you dialing to your modems using pppoe? If so, then no, you probably
  can't have both of them up, even with carp. If you could change your
  configuration to routing instead, you could use carp on your external
  interface to talk to your modems.
 Yes, unfortunately I have to use pppoe on two (of the five) modems.
 
 
  Cheers,
 
 
 Thanks for your answer!

 I recall someone pointing out that interface groups of carp interfaces
 will all transition simultaneously.  I find ifconfig(8) inconclusive; run
 your own tests and if that works, you have a built-in solution for keeping
 all the carp interfaces in sync.
 Then, use ifstated to manage the pppoe interfaces depending on ifstate of
 the relevant wan interface?  You could set up a carp interface with no IP
 address bound, set it into the common if group and it would go up/down with
 the other carp ifs.
 Maybe.  I haven't tried anything like that myself.
 -Adam
 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Firewall cluster.

2014-07-06 Thread Otto Moerbeek
On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:

 The sysctl for carp.preempt controls if they should all fail at the same
 time.

read carp(4). It contains answers to some questions asked.

-Otto

 On 6 Jul 2014 10:12, Adam Thompson athom...@athompso.net wrote:
 
  On July 6, 2014 2:51:03 AM CDT, Mxher o...@mxher.fr wrote:
  On 06/07/2014 04:34, Giancarlo Razzolini wrote:
   On 05-07-2014 16:20, Mxher wrote:
   1) Can I group multiple virtual IPs to make them all switch at the same
   time using CARP?
   AFAIK, no. But you can use ifstated.
  I have to admit that I didn't know about ifstated; I will test it.
  
   2) About modem interfaces, I can't have them UP on both firewalls at
   the same time.
   How would you manage that?
   Are you dialing to your modems using pppoe? If so, then no, you probably
   can't have both of them up, even with carp. If you could change your
   configuration to routing instead, you could use carp on your external
   interface to talk to your modems.
  Yes, unfortunately I have to use pppoe on two (of the five) modems.
  
  
   Cheers,
  
  
  Thanks for your answer!
 
  I recall someone pointing out that interface groups of carp interfaces
  will all transition simultaneously.  I find ifconfig(8) inconclusive; run
  your own tests and if that works, you have a built-in solution for keeping
  all the carp interfaces in sync.
  Then, use ifstated to manage the pppoe interfaces depending on ifstate of
  the relevant wan interface?  You could set up a carp interface with no IP
  address bound, set it into the common if group and it would go up/down with
  the other carp ifs.
  Maybe.  I haven't tried anything like that myself.
  -Adam
  --
  Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Firewall cluster.

2014-07-06 Thread Mxher
On 06/07/2014 12:05, Otto Moerbeek wrote:
 On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
 
 The sysctl for carp.preempt controls if they should all fail at the same
 time.
 
 read carp(4). It contains answers to some questions asked.
 
   -Otto
 

 On 6 Jul 2014 10:12, Adam Thompson athom...@athompso.net wrote:
 I recall someone pointing out that interface groups of carp interfaces
 will all transition simultaneously.  I find ifconfig(8) inconclusive; run
 your own tests and if that works, you have a built-in solution for keeping
 all the carp interfaces in sync.
 Then, use ifstated to manage the pppoe interfaces depending on ifstate of
 the relevant wan interface?  You could set up a carp interface with no IP
 address bound, set it into the common if group and it would go up/down with
 the other carp ifs.
 Maybe.  I haven't tried anything like that myself.
 -Adam

I ran some tests and this is working as expected!

The only thing I see is that there will be no group failback if it is a
virtual carp interface which goes down.

To be clear, if the parent interface of carp2 goes down, the whole group
will switch, but not if carp2 goes down by itself (by an admin mistake,
for example):
* initial states
root@obsd1:~# sysctl -a|grep preem
net.inet.carp.preempt=1
root@obsd1:~# ifconfig HA |grep status
status: master
status: master
status: master
status: master

root@obsd2:~# sysctl -a|grep preem
net.inet.carp.preempt=1
root@obsd2:~# ifconfig HA |grep status
status: backup
status: backup
status: backup
status: backup


* states with carp2 down on obsd1
root@obsd1:~# ifconfig carp2 down
root@obsd1:~# ifconfig HA |grep status
status: master
status: master
status: invalid
status: master

root@obsd2:~# ifconfig HA |grep status
status: backup
status: backup
status: master
status: backup


* also, unfortunately, when carp2 goes UP again on obsd1 it still remains
on obsd2:
root@obsd1:~# ifconfig carp2 up
root@obsd1:~# ifconfig HA |grep status
status: master
status: master
status: backup
status: master

root@obsd2:~# ifconfig HA |grep status
status: backup
status: backup
status: master
status: backup


Anyway I think this is an acceptable risk.


@Adam: I will now try to use ifstated to manage pppoe interfaces like
you suggest.


Thanks to every one of you.



Re: Firewall cluster.

2014-07-05 Thread sven falempin
On Sat, Jul 5, 2014 at 3:20 PM, Mxher o...@mxher.fr wrote:

 Hello everyone,

 At work we are using a firewall cluster of two Linux servers but I'm
 trying to change this, especially to replace iptables/netfilter with pf
 (mostly for performance and 'easy to maintain' reasons).

 Here is the thing: right now if the active node is seen dead, all
 resources will switch to the other node (via pacemaker/heartbeat); here
 are the resources managed:
 - virtual IPs,
 - firewall configuration,
 - routes,
 - ADSL modem (in bridge mode) interfaces.

 So here are my issues:
 1) Can I group multiple virtual IPs to make them all switch at the same
 time using CARP?

 2) About modem interfaces, I can't have them UP on both firewalls at
 the same time.
 How would you manage that?


 Currently, I'm thinking about making CARP listen on a dedicated
 interface (directly connected between the two servers) and managing
 everything with the up/down scripts.
 But with that kind of solution there will be no failover if another
 interface goes down on the active node.


 Maybe I'm missing something obvious here, in that case please don't hit
 me too hard ;)


 Thanks!




Read the FAQ, don't forget to sync the states, and use ifstated to change the
modem state when switching master fw.




-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Firewall cluster.

2014-07-05 Thread Giancarlo Razzolini
On 05-07-2014 16:20, Mxher wrote:
 1) Can I group multiple virtual IPs to make them all switch at the same
 time using CARP?
AFAIK, no. But you can use ifstated.
 2) About modem interfaces, I can't have them UP on both firewalls at
 the same time.
 How would you manage that?
Are you dialing to your modems using pppoe? If so, then no, you probably
can't have both of them up, even with carp. If you could change your
configuration to routing instead, you could use carp on your external
interface to talk to your modems.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: firewall not catching?

2012-07-09 Thread Luis Coronado
You need to provide more information about your situation so that we can
help you: dmesg, pf ruleset, network config, etc.

-luis


On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu wrote:

 Hi,

 Were there any bugfixes between 5.0 and 5.1 that would allow certain packets
 through the pf filter?  I have a case where I cannot block a certain IP on
 a 5.0 box.  I tested that same IP on a 5.1 box with a spoofer and I found
 my same rules to catch, so I don't think it's my logic.

 I tested with tcpdump, netcat, and custom software.

 Any hint would be nice,

 -peter



Re: firewall not catching?

2012-07-09 Thread Peter J. Philipp
On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
 You need to provide more information about your situation so that we can
 help you: dmesg, pf ruleset, network config, etc.
 
 -luis

Due to the sensitivity of the host I cannot do that.  But I'll tell you what
I will do.  Upgrade.  Perhaps by next week even.  I'll let you know if the
problem persists then, and perhaps I'll even get an OK to share the hardware
data by then.

I understand you can't help me much more, thanks anyway...

Regards,

-peter


 On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu wrote:
 
  Hi,
 
  Were there any bugfixes between 5.0 and 5.1 that would allow certain packets
  through the pf filter?  I have a case where I cannot block a certain IP on
  a 5.0 box.  I tested that same IP on a 5.1 box with a spoofer and I found
  my same rules to catch, so I don't think it's my logic.
 
  I tested with tcpdump, netcat, and custom software.
 
  Any hint would be nice,
 
  -peter



Re: firewall not catching?

2012-07-09 Thread Brian W.
I would take steps to see if another rule is being matched when you see the
flaw?

Brian

On Jul 9, 2012 12:28 PM, Peter J. Philipp p...@centroid.eu wrote:

 On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
  You need to provide more information about your situation so that we can
  help you: dmesg, pf ruleset, network config, etc.
 
  -luis

 Due to the sensitivity of the host I cannot do that.  But I'll tell you
 what I will do.  Upgrade.  Perhaps by next week even.  I'll let you know
 if the problem persists then, and perhaps I'll even get an OK to share
 the hardware data by then.

 I understand you can't help me much more, thanks anyway...

 Regards,

 -peter


  On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu
wrote:
 
   Hi,
  
   Were there any bugfixes between 5.0 and 5.1 that would allow certain
   packets through the pf filter?  I have a case where I cannot block a
   certain IP on a 5.0 box.  I tested that same IP on a 5.1 box with a
   spoofer and I found my same rules to catch, so I don't think it's my
   logic.
  
   I tested with tcpdump, netcat, and custom software.
  
   Any hint would be nice,
  
   -peter



Re: firewall not catching?

2012-07-09 Thread Peter Hessler
Use 'pfctl -vvss' to see which rule it is matching on.  I bet you have a
rule that matches that traffic.


On 2012 Jul 09 (Mon) at 20:34:55 +0200 (+0200), Peter J. Philipp wrote:
:Hi,
:
:Were there any bugfixes between 5.0 and 5.1 that would allow certain packets
:through the pf filter?  I have a case where I cannot block a certain IP on
:a 5.0 box.  I tested that same IP on a 5.1 box with a spoofer and I found
:my same rules to catch, so I don't think it's my logic.
:
:I tested with tcpdump, netcat, and custom software.
:
:Any hint would be nice,
:
:-peter
:

-- 
43rd Law of Computing:
Anything that can go wr
fortune: Segmentation violation -- Core dumped



Re: firewall not catching?

2012-07-09 Thread Peter J. Philipp
On Mon, Jul 09, 2012 at 10:21:47PM +0200, Peter Hessler wrote:
 Use 'pfctl -vvss' to see which rule it is matching on.  I bet you have a
 rule that matches that traffic.

That was the hint I needed.  Thanks!  It did cross my mind and I did dump
the states before but I must have missed that IP in there.  

-peter



Re: Firewall problem

2011-07-08 Thread James A. Peltier
- Original Message -
| Hi All,
| 
| I've been battling this issue for a couple of days now and I'm hoping
| someone might have a possible fix for it. Any help is greatly
| appreciated.
| 
| I have a workstation which is on a network routed through a VPN client
| device.
| The clients are on VLAN 304 with an address range of 192.168.18.0 -
| 192.168.18.128 (192.168.18.0/25).
| This VPN client device is connected to a VPN concentrator.
| The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
| The upper 128 IP addresses are also in VLAN 304 but have a
| default route of 192.168.18.254.
| I have an OpenBSD bridge / firewall with several VLANs on it. It
| bridges VLANs provided by Network Services, who have recently taken
| over our routing, and our VLANs.
| The bridge VLANs in question are as follows:
| 
| Network Services   Our VLAN
| 310                300        = bridge300
| 314                304        = bridge304
| 
| 
| The problem is that traffic from a host on the 192.168.18.0/25
| (192.168.18.90) seems to be getting blocked by my rules. For example,
| if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| (192.168.18.90) the packet is dropped as it is found to match my
| default block rule for traffic passing to the public side of the
| bridge.
| 
| If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| to 192.168.1.254, traffic passes. It also passes if I remove the
| default block rule.
| It also looks like every packet is passing through the firewall twice,
| in and out, but the second packet is the one being blocked.
| 
| Block logs: Attempt connect to a web server
| ---
| Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos
| 0x10]
| 
| 
| Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| ---
| Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| 
| 
| PF Rules
| =
| NS_LAN1=vlan310
| NS_LAN2=vlan314
| LAN1=vlan300
| LAN2=vlan304
| 
| snip
| # don't do any filtering on these devices
| # only public side is filtered since you only
| # need to filter on one side of the bridge
| set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
| 
| # scrub incoming packets
| match in all scrub (no-df)
| 
| # block any host deemed for whatever reason to be bad
| # be meaner and just drop them which will use resources
| # of the attacker slightly longer
| block drop from bad_hosts
| block drop from blacklist_hosts
| 
| # By default, do not permit remote connections to X11
| # all X11 traffic should be tunnelled through SSH
| block in quick on ! lo0 proto tcp to port 6000:6010
| 
| # Allow ping and traceroute through
| pass quick log (to pflog1) inet proto icmp from any to any icmp-type
| echoreq keep state
| 
| # traffic from these hosts should never be blocked
| pass quick from whitelist_hosts
| pass to whitelist_hosts
| 
| ### LAN1 RULES ###
| ###
| # Block access to FASNET
| block in log on $NS_LAN1 all
| 
| # use modulate state to generate stronger ISNs on outgoing packets
| # for OSs that don't already generate them
| pass out quick log (to pflog1) on $NS_LAN1

I should also mention that I tried adding a pass quick on $NS_LAN1 from 
192.168.18.0/25 rule and this did not solve the problem either.


-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
  http://blogs.sfu.ca/people/jpeltier
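The block and pass lines James quotes show the two things worth checking on a filtering bridge: which rule number matched, and whether the same packet is logged twice on one member interface (once in, once out). The snippet below is an added example, not part of this thread or of OpenBSD: it parses lines in the `tcpdump -n -e -ttt -r /var/log/pflog` format shown above and tallies them by action, direction, interface, rule and flow, so the offending rule and any doubled flow stand out. The sample log lines are constructed to match the format of the lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise pflog lines (as printed
# by `tcpdump -n -e -ttt -r /var/log/pflog`, the format of the lines quoted
# above) so that the rule, direction and interface that drop a flow stand
# out, and so that a flow logged twice on one bridge member (once "in", once
# "out") is visible. The log lines below are constructed sample input.

# pflog_summary: reads pflog text on stdin, prints one line per distinct
#   <action> <dir> <iface> rule <n> <src> -> <dst>
# prefixed by how often it was seen, most frequent first.
pflog_summary() {
    awk '
        match($0, /rule [0-9]+\/\(match\) (block|pass) (in|out) on [^:]+:/) {
            hdr = substr($0, RSTART, RLENGTH)
            split(hdr, f, " ")
            # f[2] is "10/(match)", f[3] block|pass, f[4] in|out, f[6] "vlan310:"
            rule = f[2]; sub(/\/.*/, "", rule)
            iface = f[6]; sub(/:$/, "", iface)
            # what follows the header is "src > dst: ..."
            rest = substr($0, RSTART + RLENGTH + 1)
            split(rest, g, " ")
            src = g[1]; dst = g[3]; sub(/:$/, "", dst)
            key = f[3] " " f[4] " " iface " rule " rule " " src " -> " dst
            count[key]++
        }
        END { for (k in count) print count[k] " " k }' | sort -rn
}

# pflog_blocked: only the blocked flows from pflog_summary, for quick triage.
pflog_blocked() {
    pflog_summary | grep '^[0-9][0-9]* block '
}

# Constructed sample: two copies of the RST that the thread shows rule 10
# blocking, plus the same ICMP echo request logged out and then in on the
# same bridge member (the "every packet passes twice" effect).
SAMPLE_PFLOG='Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Jul 07 19:51:56.102311 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)'

printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

On a live box feed it with `tcpdump -n -e -ttt -r /var/log/pflog | pflog_blocked`; the rule number in each line is the one to look up with `pfctl -vsr`, and a flow that appears under both `in` and `out` on the same interface is the bridge double pass James describes.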



Re: Firewall problem

2011-07-08 Thread James A. Peltier
- Original Message -
| - Original Message -
| | Hi All,
| |
| | I've been battling this issue for a couple of days now and I'm
| | hoping
| | someone might have a possible fix for it. Any help is greatly
| | appreciated.
| |
| | I have a workstation which is on a network routed through a VPN client
| | device.
| | The clients are on VLAN 304 with an address range of 192.168.18.0 -
| | 192.168.18.128 (192.168.18.0/25).
| | This VPN client device is connected to a VPN concentrator.
| | The VPN concentrator is on VLAN 300 with the IP address
| | 192.168.1.141.
| | The upper 128 IP addresses are also in VLAN 304 but have a
| | default route of 192.168.18.254.
| | I have an OpenBSD bridge / firewall with several VLANs on it. It
| | bridges VLANs provided by Network Services, who have recently taken
| | over our routing, and our VLANs.
| | The bridge VLANs in question are as follows:
| |
| | Network Services   Our VLAN
| | 310                300        = bridge300
| | 314                304        = bridge304
| |
| |
| | The problem is that traffic from a host on the 192.168.18.0/25
| | (192.168.18.90) seems to be getting blocked by my rules. For example,
| | if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| | (192.168.18.90) the packet is dropped as it is found to match my
| | default block rule for traffic passing to the public side of the
| | bridge.
| |
| | If I add a default route on the 192.168.1.59 host for
| | 192.168.18.0/25 to 192.168.1.254, traffic passes. It also passes if
| | I remove the default block rule.
| | It also looks like every packet is passing through the firewall
| | twice, in and out, but the second packet is the one being blocked.
| |
| | Block logs: Attempt connect to a web server
| | ---
| | Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| | 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF)
| | [tos 0x10]
| |
| |
| | Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| | ---
| | Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| | Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| |
| |
| | PF Rules
| | =
| | NS_LAN1=vlan310
| | NS_LAN2=vlan314
| | LAN1=vlan300
| | LAN2=vlan304
| |
| | snip
| | # don't do any filtering on these devices
| | # only public side is filtered since you only
| | # need to filter on one side of the bridge
| | set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
| |
| | # scrub incoming packets
| | match in all scrub (no-df)
| |
| | # block any host deemed for whatever reason to be bad
| | # be meaner and just drop them which will use resources
| | # of the attacker slightly longer
| | block drop from bad_hosts
| | block drop from blacklist_hosts
| |
| | # By default, do not permit remote connections to X11
| | # all X11 traffic should be tunnelled through SSH
| | block in quick on ! lo0 proto tcp to port 6000:6010
| |
| | # Allow ping and traceroute through
| | pass quick log (to pflog1) inet proto icmp from any to any icmp-type
| | echoreq keep state
| |
| | # traffic from these hosts should never be blocked
| | pass quick from whitelist_hosts
| | pass to whitelist_hosts
| |
| | ### LAN1 RULES ###
| | ###
| | # Block access to FASNET
| | block in log on $NS_LAN1 all
| |
| | # use modulate state to generate stronger ISNs on outgoing packets
| | # for OSs that don't already generate them
| | pass out quick log (to pflog1) on $NS_LAN1
| 
| I should also mention that I tried adding a pass quick on $NS_LAN1
| from 192.168.18.0/25 rule and this did not solve the problem either.

Problem solved.  No worries.  Move along, nothing to see here.

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
  http://blogs.sfu.ca/people/jpeltier



Re: Firewall PF with network alias

2011-05-27 Thread MArtin Grados Marquina
Re: Firewall PF WITH NETWORK ALIAS
Sorry, but doesn't PF run well on OpenBSD? Then I do not understand why I have
to go alone to the FreeBSD lists.

Do you understand when someone needs help with a problem and needs some idea
for a solution?

I am sorry to have bothered anyone, but my only intention was to ask for help
because I thought that was what the list had been created for.

IDEXBSD.

--- On Wed, 25/5/11, Alexander Hall ha...@openbsd.org wrote:

From: Alexander Hall ha...@openbsd.org
Subject: Re: Firewall PF with network alias
To: MArtin Grados Marquina themartin...@yahoo.es
CC: openbsd-mex...@googlegroups.com, openbsd-newb...@sfobug.org,
misc@openbsd.org, usuar...@listas.bsd.cl, bsd-v...@bsd.org.ve,
bsd-p...@listas.bsd-peru.org, openbsd-colom...@googlegroups.com
Date: Wednesday, 25 May 2011 16:28

On 05/25/11 05:12, MArtin Grados Marquina wrote:
 In the past, I configured a virtual machine with the PF firewall on FreeBSD 8.1
 with three network interfaces (in pf.conf)

1. As sthen@ pointed out, try a FreeBSD list for questions regarding
FreeBSD's PF.

2. You posted my private reply to a mailing list. I do not care much for
this particular mail, but just don't do that.

 --- On Mon, 23/5/11, Alexander Hall ha...@openbsd.org wrote:

3. Also (please read this again as THIS ANNOYS ME THE MOST):

 2. Don't cross-post.

Cheers,
Alexander



Re: Firewall PF with network alias

2011-05-27 Thread Peter N. M. Hansteen
MArtin Grados Marquina themartin...@yahoo.es writes:

 Sorry, but PF does not run well on openbsd? then do not understand why I have
 to go alone to the freebsd lists.

There are significant differences between the PF in FreeBSD (equivalent
to OpenBSD 4.1, roughly) and recent OpenBSD versions, meaning that the
correct answer for OpenBSD may not be the correct one for FreeBSD in
quite a few cases I can think of.

In this specific case, at first blush I think your problem is that
you're mixing rc.conf shellscript-isms into your pf.conf, which is not a
shell script.  Your rc.conf environment variables are not directly
accessible to the pf.conf parser.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall PF with network alias

2011-05-25 Thread Stuart Henderson
On 2011-05-25, MArtin Grados Marquina themartin...@yahoo.es wrote:
 In the past, I configured a virtual machine with the PF firewall on FreeBSD 8.1

Wrong mailing list.
This list is for OpenBSD.



Re: Firewall PF with network alias

2011-05-25 Thread Alexander Hall
On 05/25/11 05:12, MArtin Grados Marquina wrote:
 In the past, I configured a virtual machine with the PF firewall on FreeBSD 8.1
 with three network interfaces (in pf.conf)

1. As sthen@ pointed out, try a FreeBSD list for questions regarding
FreeBSD's PF.

2. You posted my private reply to a mailing list. I do not care much for
this particular mail, but just don't do that.

 --- On Mon, 23/5/11, Alexander Hall ha...@openbsd.org wrote:

3. Also (please read this again as THIS ANNOYS ME THE MOST):

 2. Don't cross-post.

Cheers,
Alexander



Re: firewall virtualization using tagging?

2011-05-23 Thread Stuart Henderson
On 2011-05-23, Oeschger Patrick patrick.oesch...@bluewin.ch wrote:
 the first experiments were using routing domains coupled with different vlans,
 but vlans are limited to 4k+

no, you can stack them. svlan(4) does QinQ with the 802.1AD standard
ethertype (0x88a8).



Re: firewall virtualization using tagging?

2011-05-23 Thread Joel Wiramu Pauling
stacking (802.11ah/QinQ) is ok for most situations, however it would be nice
to have a SAP style construct (service access port), which essentially is a
logical customer interface - most switch/router vendors have such a thing.


On 24 May 2011 11:56, Stuart Henderson s...@spacehopper.org wrote:

 On 2011-05-23, Oeschger Patrick patrick.oesch...@bluewin.ch wrote:
  the first experiments were using routing domains coupled with different
  vlans, but vlans are limited to 4k+

 no, you can stack them. svlan(4) does QinQ with the 802.1AD standard
 ethertype (0x88a8).



Re: firewall virtualization using tagging?

2011-05-23 Thread Martin Hein
On Tue, 24 May 2011 12:33:55 +1200
Joel Wiramu Pauling j...@aenertia.net wrote:
 stacking (802.11ah/QinQ) is ok for most situations, however it would
 be nice to have a SAP style construct (service access port), which
 essentially is a logical customer interface - most switch/router
 vendors have such a thing.

Tags are local to the physical port. So I guess they work like that.

ifconfig vlan1 vlan 234 vlandev em2
ifconfig vlan24123 vlan 234 vlandev em3



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Patrick Lamaiziere
On Tue, 22 Mar 2011 13:01:48 +0100,
Marcus Mülbüsch muelbue...@as-infodienste.de wrote:

hello,

  carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:21
  priority: 0
  carp: carpdev bge0 advbase 1 balancing arp carppeer
  192.168.3.3 state MASTER vhid 33 advskew 0
  state MASTER vhid 133 advskew 100

Why do you have two vhids with different advskew values?



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Otto Moerbeek
On Tue, Mar 22, 2011 at 01:27:39PM +0100, Patrick Lamaiziere wrote:

 On Tue, 22 Mar 2011 13:01:48 +0100,
 Marcus Mülbüsch muelbue...@as-infodienste.de wrote:
 
 hello,
 
   carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5e:00:01:21
   priority: 0
   carp: carpdev bge0 advbase 1 balancing arp carppeer
   192.168.3.3 state MASTER vhid 33 advskew 0
   state MASTER vhid 133 advskew 100
 
 Why do you have two vhids with different advskew values?

carp load balancing, see carp(4), which could explain what is going on
here. 

-Otto



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Marcus Mülbüsch

On 22.03.2011 13:27, Patrick Lamaiziere wrote:

On Tue, 22 Mar 2011 13:01:48 +0100,
Marcus Mülbüsch muelbue...@as-infodienste.de wrote:

hello,


carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:00:5e:00:01:21
 priority: 0
 carp: carpdev bge0 advbase 1 balancing arp carppeer
192.168.3.3 state MASTER vhid 33 advskew 0
 state MASTER vhid 133 advskew 100


Why do you have two vhids with different advskew values?



To set up a second FW with active/active configuration as shown here:

http://www.kernel-panic.it/openbsd/carp/carp4.html#carp-4.2.2

That does work when the second FW is up; however for testing purposes 
this machine is now down.


Marcus



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Marcus Mülbüsch

More Info:

- Neither rebooting the FW nor the Linux machine changed anything

- changing the load balancing from arp balancing to ip balancing did
not change anything.


- At first I thought it might be a problem of the switch and it has an
old virtual IP address cached. However, the log on the FW does show
that the machine itself replies to the arp-request, does it not?


- it happened suddenly. I did change a pf-rule and restarted pf;
however I did not restart networking (AFAIK)


- unfortunately I cannot determine whether the wrong lladdr was
used as virtual address before. I did not note it down before this
happened.


Marcus



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Claudio Jeker
On Tue, Mar 22, 2011 at 01:57:36PM +0100, Marcus Mülbüsch wrote:
 More Info:
 
 - Neither rebooting the FW nor the Linux machine changed anything
 
 - changing the load balancing from arp balancing to ip balancing
 did not change anything.
 
 - At first I thought it might be a problem of the switch and it has
 an old virtual IP address cached. However, the log on the FW does
 show that the machine itself replies to the arp-request, does it
 not?
 
 - it happened suddenly. I did change a pf-rule and restarted pf;
 however I did not restart networking (AFAIK)
 
 - unfortunately I cannot determine whether the wrong lladdr was
 used as virtual address before. I did not note it down before this
 happened.
 

The lladdr is not wrong. It just happens to be the one for the second
vhid. Since you do arp balancing the two lladdrs are split among the
various hosts on the lan. Your carp setup runs with two MACs
00:00:5e:00:01:21 for vid 33 and 00:00:5e:00:01:85 for vid 133.
So the MAC addr your linux box got is not wrong. Does the traffic from
the linux box end up on the FW or is the traffic lost somewhere in
between?

-- 
:wq Claudio



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Marcus Mülbüsch

On 22.03.2011 14:42, Claudio Jeker wrote:


The lladdr is not wrong. It just happens to be the one for the second
vhid. Since you do arp balancing the two lladdrs are split among the
various hosts on the lan. Your carp setup runs with two MACs
00:00:5e:00:01:21 for vid 33 and 00:00:5e:00:01:85 for vid 133.
So the MAC addr your linux box got is not wrong. Does the traffic from
the linux box end up on the FW or is the traffic lost somewhere in
between?


Thanks, that helped a lot. I didn't realize that arp balancing with two 
vhids necessarily creates two MACs.


Switching between ARP and IP balancing and back again, I'm now back at 
ARP balancing. The fw now advertises 00:00:5e:00:01:85 and reacts to 
pings at 192.168.3.1.


Changing the arp table on the linux host to 00:00:5e:00:01:21 with arp 
-s 192.168.3.1 00:00:5e:00:01:21 results in the fw reacting to the 
pings correctly, too.


I should have watched the traffic with tcpdump -e before, however I 
forgot about the usefulness of that switch when watching physical 
interfaces. Dumb, but these things happen. Now I see that pings arrive 
at the fw and are replied to correctly.


All other traffic through the fw is also routed correctly.

Why it did not work before I cannot say. Something changed, and probably 
it was me who did it, but I cannot say what, how or when. Diffing the 
pf.conf files before and afterwards showed nothing.


Thanks to all,

Marcus
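As an added example (not code from the thread), the check that Claudio's explanation implies: a CARP virtual MAC is 00:00:5e:00:01 followed by the vhid in hex, so ARP replies for the VIP captured with tcpdump -e can be audited against the configured vhids, and a reply from any other MAC is what actually deserves attention. The sample capture lines are constructed and the tcpdump -e line layout is assumed.

```python
import re

VRRP_MAC_PREFIX = "00:00:5e:00:01"  # IEEE VRRP/CARP virtual MAC prefix

def carp_mac(vhid: int) -> str:
    """Virtual MAC a CARP interface uses for a vhid (last octet = vhid in hex)."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return f"{VRRP_MAC_PREFIX}:{vhid:02x}"

# Matches the ARP reply text of a tcpdump line: "arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(r"arp reply (\S+) is-at ([0-9a-fA-F:]{17})")

def audit_arp_replies(lines, vip, vhids):
    """For every ARP reply claiming vip, report which configured vhid the
    MAC belongs to, or flag it when it is not a configured CARP virtual MAC."""
    expected = {carp_mac(v): v for v in vhids}
    verdicts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m or m.group(1) != vip:
            continue                      # ARP requests and other hosts' replies
        mac = m.group(2).lower()
        if mac in expected:
            verdicts.append((mac, f"ok: vhid {expected[mac]}"))
        else:
            verdicts.append((mac, "UNEXPECTED: not a configured CARP vhid"))
    return verdicts

# Constructed sample in the assumed tcpdump -e layout
# (timestamp, src MAC, dst MAC, ethertype, length, then the ARP text).
SAMPLE = """\
14:42:01.100001 00:00:5e:00:01:85 00:1b:21:aa:bb:cc 0806 60: arp reply 192.168.3.1 is-at 00:00:5e:00:01:85
14:42:01.100002 00:00:5e:00:01:21 00:1b:21:dd:ee:ff 0806 60: arp reply 192.168.3.1 is-at 00:00:5e:00:01:21
14:42:01.100003 00:1b:21:aa:bb:cc ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.3.1 tell 192.168.3.10
14:42:01.100004 00:0c:29:12:34:56 00:1b:21:aa:bb:cc 0806 60: arp reply 192.168.3.1 is-at 00:0c:29:12:34:56
""".splitlines()

if __name__ == "__main__":
    # The thread's setup: vhid 33 -> ...:21 and vhid 133 -> ...:85, both for 192.168.3.1
    for mac, verdict in audit_arp_replies(SAMPLE, "192.168.3.1", [33, 133]):
        print(mac, verdict)
```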



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Otto Moerbeek
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:

 Does somebody have an idea what kind of iptables/pf rule I must use to 
 achieve this?:
 
 I only want to allow these connections [on the output chain]:
 
 on port 53 output only allow udp - dns
 on port 80 output only allow tcp - http
 on port 443 output only allow tcp - https
 on port 993 output only allow tcp - imaps
 on port 465 output only allow tcp - smtps
 on port 22 output only allow tcp - ssh
 on port 20-21 output only allow tcp - ftp
 on port 989-990 output only allow tcp - ftps
 on port 1194 output only allow udp - OpenVPN
 
 So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
 allowed on port 443 outbound.
 
 Any ideas? :\

Yes. Read pf.conf(4):

pf(4) has the ability to block, pass, and match packets based on
attributes of their layer 3 and layer 4 headers.

That sentence contains the answer.

-Otto



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Christiano F. Haesbaert
On 19 March 2011 10:22, Christiano F. Haesbaert haesba...@haesbaert.org wrote:
 On 19 March 2011 10:05, johhny_at_poland77 johhny_at_polan...@zoho.com 
 wrote:
 Does somebody have an idea what kind of iptables/pf rule I must use to 
 achieve this?:


iptables is a linux thingy, so it is out of the equation.

 I only want to allow these connections [on the output chain]:

 on port 53 output only allow udp - dns
 on port 80 output only allow tcp - http
 on port 443 output only allow tcp - https
 on port 993 output only allow tcp - imaps
 on port 465 output only allow tcp - smtps
 on port 22 output only allow tcp - ssh
 on port 20-21 output only allow tcp - ftp
 on port 989-990 output only allow tcp - ftps
 on port 1194 output only allow udp - OpenVPN

 So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
 allowed on port 443 outbound.

 Any ideas? :\


To my knowledge pf doesn't do layer 7 filtering, and from what I've
heard that is not a wanted feature, but pf hackers might know it
better.



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Bret Lambert
On Sat, Mar 19, 2011 at 2:05 PM, johhny_at_poland77
johhny_at_polan...@zoho.com wrote:
 Does somebody have an idea what kind of iptables/pf rule I must use to 
 achieve this?:

 I only want to allow these connections [on the output chain]:

 on port 53 output only allow udp - dns
 on port 80 output only allow tcp - http
 on port 443 output only allow tcp - https
 on port 993 output only allow tcp - imaps
 on port 465 output only allow tcp - smtps
 on port 22 output only allow tcp - ssh
 on port 20-21 output only allow tcp - ftp
 on port 989-990 output only allow tcp - ftps
 on port 1194 output only allow udp - OpenVPN

 So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
 allowed on port 443 outbound.

 Any ideas? :\



Yes, write some sort of traffic-classification daemon that uses divert
sockets to pass/deny traffic based on what that traffic is. I will
personally check it in to the ports system once you are done and it
has undergone a complete audit.



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Joachim Schipper
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
 Does somebody have an idea what kind of iptables/pf rule I must use to 
 achieve this?:
 
 I only want to allow these connections [on the output chain]:
 
 on port 53 output only allow udp - dns
 on port 80 output only allow tcp - http
 on port 443 output only allow tcp - https
 on port 993 output only allow tcp - imaps
 on port 465 output only allow tcp - smtps
 on port 22 output only allow tcp - ssh
 on port 20-21 output only allow tcp - ftp
 on port 989-990 output only allow tcp - ftps
 on port 1194 output only allow udp - OpenVPN
 
 So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
 allowed on port 443 outbound.

You can't do that with pf, since it doesn't look at the content of
packets. For some of these protocols, you can easily send traffic to a
proxy on the firewall machine; this can, for instance, be used to make
sure that everything going over port 80 is HTTP. See ftp-proxy(8). I
know of no such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install
something like net/snort or net/bro and send angry mail to everyone who
shows up in the logs.

On the other hand, if you believe that restricting traffic to specific
protocols makes it impossible to get arbitrary data out of your network,
look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim

-- 
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Michael H Lambert
On 19 Mar 2011, at 09:05, johhny_at_poland77 wrote:

 Does somebody have an idea what kind of iptables/pf rule I must use to
achieve this?:

 I only want to allow these connections [on the output chain]:

 on port 53 output only allow udp - dns

TCP also needs to be allowed for DNS (to allow for large DNSSEC packets).

Michael
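An added example, not from the thread, of how far pf gets with the list in the question: this pf.conf fragment admits only the requested port/protocol pairs on the outside interface, with TCP 53 added as Michael points out. It matches layer 3/4 headers only, so the OpenVPN-on-443 case the question wants blocked still passes, which is the limit Joachim and Christiano describe; the interface name em0 is an assumption.

```pf
# Added example (not the thread's configuration); em0 is an assumed interface name.
ext_if = "em0"

# The requested outbound services, as TCP and UDP destination ports.
tcp_out = "{ 22, 20:21, 80, 443, 465, 989:990, 993 }"
udp_out = "{ 53, 1194 }"

set skip on lo0

# Default deny for everything leaving the outside interface, logged for review.
block out log on $ext_if all

# Port/protocol allow list. pf looks at the layer 3/4 headers only: an OpenVPN
# client pointed at tcp/443 matches the 443 entry exactly as a browser does.
pass out on $ext_if proto tcp to port $tcp_out
pass out on $ext_if proto udp to port $udp_out

# DNS also needs TCP (large DNSSEC answers, zone transfers).
pass out on $ext_if proto tcp to port 53

# Active-mode FTP data connections do not match the rules above; the thread's
# answer for that is ftp-proxy(8), which is not configured here.
```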


