Re: Firewall setup
May I suggest relaying these more basic questions to the @rookies mail-list? I think it would be great if we could have this channel reactivated, dedicated to helping folks like Karel learn how to navigate more basic stuff, and keep misc@ for intermediate / advanced users' inquiries.

On Wed, 17 Apr 2024 at 1:30 AM Daniel Ouellet wrote:
>
> On 4/16/24 10:27 AM, Karel Lucas wrote:
> > First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.
>
> Hi Karel,
>
> I think you may be missing the point that everyone tried to explain to you. OpenBSD is a mailing list that has very thick skin compared to any others. You need to be very rude to offend people here, unless you are one that feels you have rights to other people's free time.
>
> You got some VERY knowledgeable people answering you. If I were you I would feel lucky for their time, believe me. I have been on this list from OpenBSD 2.7. A few decades ago...
>
> Now you say you don't have the network know-how to do this; sure, everyone starts somewhere. You say you don't need this either in your daily job and keep asking others to point you at the page in the PF book, etc.
>
> Remember they are NOT the ones who need to know, you are, so make the effort please. Many will hold your hand gladly IF you show willingness to do your share.
Re: Firewall setup
On 4/16/24 10:27 AM, Karel Lucas wrote:
> First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.

Hi Karel,

I think you may be missing the point that everyone tried to explain to you. OpenBSD is a mailing list that has very thick skin compared to any others. You need to be very rude to offend people here, unless you are one that feels you have rights to other people's free time.

You got some VERY knowledgeable people answering you. If I were you I would feel lucky for their time, believe me. I have been on this list from OpenBSD 2.7. A few decades ago...

Now you say you don't have the network know-how to do this; sure, everyone starts somewhere. You say you don't need this either in your daily job and keep asking others to point you at the page in the PF book, etc.

Remember they are NOT the ones who need to know, you are, so make the effort please. Many will hold your hand gladly IF you show willingness to do your share.

Even the site has a basic start example here:

https://www.openbsd.org/faq/pf/index.html

And even some of them could be simple too, but they are provided as examples to show what's possible. Up to the reader to start there and go where they want to...

Now to the point: you were told to start simple and explain what you want to do.

Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

KISS principle applies!

And you were asked as well to explain your setup. NOT what you think it should be or how it is connected, what interface does what, etc.

What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular clients, so no email, web or name servers", so no need for bridge, or DMZ, etc.

Also looks like you use private IPs, so yes, NAT is needed obviously.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible; sure it can. I can have multiple VLANs and domain routing, configure a specific IPMI DMZ for my servers' configuration, add ssh keys for wireless access with time-based access and limits, and kids restrictions, etc. But I wouldn't do that until I get my basic system going and know why.

Maybe I don't have kids, so why do that part of the setup, but maybe I have wireless and friends coming over and they obviously all/maybe want fast internet access on my wireless, but I don't want them to have access to ANY of my devices from their phones that might compromise my network, so I would have a guest wireless access to the outside world ONLY. But if I have no friends, then why would I want that? Etc...

Sure, maybe you have wireless that you want to isolate from other hard-wired computers, etc. You have a NAS, maybe you want to isolate it from wireless, or some specific computers, kids access restricted maybe, etc.

But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want in it, etc.

Same thing here.

Start small and then go from there.

Why? Doing incremental setup helps understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, when your pf configuration is clean, you will know where to add it and what it does.

Looks to me that if your setup has NO special needs, no hosting services that need to be reached from the Internet, then the only thing you need is a VERY simple NAT setup, on two interfaces, and that's it.

It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1, and then 2 for admin, and 3 for NAS, etc.

What is it that you want to do, and go from there.

Define your needs and then address them ONE by ONE.

Fix one, test, and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!

You have absolutely NO need for this with what you say so far in any of your communications.

Example of thinking. I see you try to use MANY macros; do you really need that? It's supposed to make things simpler to understand and cleaner to read, not more complex.

The key of a decent firewall is first to know what it is that you want to do, and looks to me you still do not know that yet.

I would even say, and have said for many decades, a good firewall NOT only stops incoming traffic, but also
Re: Firewall setup
This is my dmesg, if anyone is interested:
Re: Firewall setup
First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.

Second, the firewall. This is set up as a bridge with the following hardware: https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 ... igc3. Connection igc0 is the input that goes to the ISDN modem, and igc1 and igc2 are the two outputs that go to the internal network. These two connections are more flexible for the underlying network. This makes it possible to connect two different networks, if desired, albeit with one and the same IP range (192.168.2.0/24), or two different networks, if so configured. So two possibilities (which is best?). So there is no need to use two connections at the same time, although this should be possible. Finally, connection igc3. This is given the IP address 192.168.2.252, because it is intended for remote administration, including upgrades. This connection will therefore not be part of the firewall bridge, and will therefore not appear in pf.conf.

The internal network consists mainly of regular clients, so no email, web or name servers. These clients will work with Linux, Mac OS X, or OpenBSD, but not Windows, but there will be a small file server or NAS. This file server or NAS is only intended for the clients in the network and has no connection to the internet.

For now it is important to get ping and traceroute working properly, after which work on normal internet traffic can be started. What I'm wondering is whether I need NAT for my firewall configuration. This is my plan for my firewall. It seems to me that there are much more difficult configurations than this one. I hope there are still people who are willing to help me.

On 16-04-2024 at 07:24, Peter N. M. Hansteen wrote:
> I give up.
>
> The obviously incomplete, hand edited ifconfig output shows three interfaces that are (or appear to be, judging from the excerpts that we are given) not configured with IP addresses, two of which have a link, while the last does not. For reasons unknown these three are joined in a three-way bridge.
>
> From the tiny crumbs of information you have deigned to reveal to us, it is not at all clear what it is you are trying to achieve. That this configuration does not do anything useful is however no surprise at all.
>
> Once you can describe what it is your Rube Goldberg contraption is supposed to do, competent people here might offer some advice on how to make things work properly.
>
> Until that happens, I for one will simply ignore anything from that source.
Re: Firewall setup
On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
>
> On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> >
> > Are those interfaces configured, as in do they have IP addresses?
> >
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
>
> Output from ifconfig igc0:
> igc0: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
>
> Output from ifconfig igc1:
> igc1: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
>
> Output from ifconfig igc2:
> igc2: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
>
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
>
> /etc/hostname.igc0:
> up
>
> /etc/hostname.igc1:
> up
>
> /etc/hostname.igc2:
> up
>

Either Stuart is right, and you are trying to put up some weird firewall, or Diana is right, and you are way out of your depth and need to learn some of the basics of IPv4 networking. Or they are both right. Either way, Peter is also right: you have been giving us information piecemeal, and not only does this not help you solve your problems, it can be frustrating for the rest of us, because you've (involuntarily) been wasting our time chasing the wrong problem. Your issues seem to be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into your machine is often a bad idea. You need to understand what you are putting in there, bit by bit. Otherwise either it will fail immediately (as in your case) or it will fail later on the first time you try to tweak it. And with a firewall being key in network security, you'll really want to get it right.

There is no harm in not knowing things, no one is born knowing what a routing table is, we've all had to start somewhere (I hope you don't find this patronizing, that's really not the point). And, as you've just seen, despite this mailing list having a reputation of being unfriendly, you've got plenty of people willing to help. There are just a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1]. For the networking bits you can also take a look at the respective chapters of Michael W. Lucas' "Absolute OpenBSD" [2]. Palmer and Nazario's "Secure Architectures with OpenBSD" also helped me a lot with system administration in general, back in the day. Others might have other suggestions, I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e

--
Re: Firewall setup
I give up.

The obviously incomplete, hand edited ifconfig output shows three interfaces that are (or appear to be, judging from the excerpts that we are given) not configured with IP addresses, two of which have a link, while the last does not. For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us, it is not at all clear what it is you are trying to achieve. That this configuration does not do anything useful is however no surprise at all.

Once you can describe what it is your Rube Goldberg contraption is supposed to do, competent people here might offer some advice on how to make things work properly.

Until that happens, I for one will simply ignore anything from that source.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall setup
On 2024-04-15, Karel Lucas wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip
> igc2 up

bridging with PF is an advanced topic, please get familiar with PF on a standard routed firewall first

--
Please keep replies on the mailing list.
Re: Firewall setup
On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > This gives the following error messages when booting:
> > no IP address found for igc1:network
> > /etc/pf.conf:41: could not parse host specification
> > no IP address found for igc2:network
> > /etc/pf.conf:42: could not parse host specification
> This sounds to me like those interfaces either do not exist or have not been correctly configured.
>
> Are those interfaces configured, as in do they have IP addresses?
>
> the output of ifconfig igc1 and ifconfig igc2 will show you.

Output from ifconfig igc0:
igc0: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc1:
igc1: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc2:
igc2: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
up

/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up
Re: Firewall setup
That's a possibility I hadn't thought of yet. But how do I do that, and on which page can I find that in your book?

On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:
> The other option - if your network layout is such that it makes sense to treat them to the same rule criteria - would be to make an interface group with both interfaces as members, then use the interface group name in your rules.
Re: Firewall setup
On 14-04-2024 at 21:57, Jens Kaiser wrote:
> Hello Karel,
>
> if you want to start simply, then I would recommend to remove all macros from your pf.conf which are not referenced. You can add them later if needed.
>
> As already stated by others, there is a syntax error in macro martians. If there are syntax errors in pf.conf, the rules are not loaded at all.

These have now been resolved, see below.

> Also correct the syntax errors in the rules "Letting ping through". The key word "on" without interface name, -group or keyword any looks incorrect. Give it a parameter or remove it.

As far as I can see there are no errors in the ping rules. The key words "on", "group" or "any" do not appear there. Moreover, I have copied these rules, except the key words "log", exactly from Peter Hansteen's book (The Book of PF), just like the rules of the martians.

> Please check your current running configuration with
>
> > pfctl -sr
>
> It prints out all currently active rules. If something behaves too weird, it can help to prove that the ruleset in /etc/pf.conf is the same as we assume to be active in the kernel. Because of the syntax errors I would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA

/etc/pf.conf:

ext_if = igc0                    # The interface to the outside world
int_if = "{ igc1, igc2 }"        # The interfaces to the private hosts
# localnet = "192.168.2.0/24"    # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all    # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all
Re: Firewall setup
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall setup
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
>
> Op 14-04-2024 om 17:45 schreef Zé Loff:
> > pass in on $int_if proto udp to port 53
> > pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of two interfaces, that may well be your problem (or one of them). The rule syntax is not really intended to deal with a list of interfaces following 'on'.

It is likely more useful to treat the two interfaces separately.

The other option - if your network layout is such that it makes sense to treat them to the same rule criteria - would be to make an interface group with both interfaces as members, then use the interface group name in your rules.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
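As an added example, not a configuration posted by anyone in this thread, here is the direction Daniel's "VERY simple NAT setup, on two interfaces" and Peter's interface-group suggestion point in, written as a routed (not bridged) ruleset for Karel's igc0/igc1/igc2: the two LAN interfaces get addresses and a shared group instead of being listed after "on", the martians macro has the "169.254, 0.0/16" entry corrected, and the ping rule loses the stray "on". The LAN addresses, the group name "lan", and the set of passed services are assumptions.

```pf
# /etc/pf.conf -- added example, not Karel's, Daniel's or Peter's config.
#
# Assumptions (none of these values come from the thread):
#   /etc/hostname.igc0:  inet autoconf           (address from the modem)
#   /etc/hostname.igc1:  inet 192.168.2.1 255.255.255.0
#                        group lan
#   /etc/hostname.igc2:  inet 192.168.3.1 255.255.255.0
#                        group lan
#   No /etc/hostname.bridge0 at all: the box routes, it does not bridge.
#
# Because igc1 and igc2 now carry addresses, "lan:network" expands to both
# LAN prefixes. The "no IP address found for igc1:network" error in the
# thread came from bridge members that had only "up" and so no network
# to derive.

ext_if = "igc0"

# Only the request type is passed in; echo replies and unreachables that
# belong to a tracked flow are matched by state.
icmp_types = "{ echoreq }"

# Every entry is one complete prefix. The original macro contained
# "169.254, 0.0/16", which splits one prefix into two malformed entries.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
              169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo

match in all scrub (no-df max-mss 1440)

# Rewrite LAN sources to the current address of igc0 on the way out.
match out on $ext_if inet from lan:network to any nat-to ($ext_if)

# Default deny, then discard martians at the edge before anything else.
block log all
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# "on lan" matches either group member. A list such as "on { igc1, igc2 }"
# is what Peter suspects produced the syntax error.
pass in on lan inet proto { tcp, udp } from lan:network to any \
    port { domain, ntp, http, https, ssh }

# Ping from the LAN. Note there is no bare "on" in front of "inet".
pass in on lan inet proto icmp from lan:network icmp-type $icmp_types

# Forwarded flows are evaluated again when they leave igc0, and the
# firewall's own outbound traffic needs this rule as well.
pass out on $ext_if
```

Check it with "pfctl -nf /etc/pf.conf" before loading, as Jens recommends, then compare "pfctl -sr" with the file afterwards.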
Re: Firewall setup
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:
> On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> > Hi all,
> >
> > Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.
>
> I'd put this somewhere after your block rules:
>
> pass inet proto { tcp, udp } from igc1:network to port $client_out
> pass inet proto { tcp, udp } from igc2:network to port $client_out
>
> - that way you will actually use the macro. But the macro still references the invalid service nportntp (you probably want ntp instead), and I would think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely to be useful unless you *know* you need to pass traffic for those.
Re: Firewall setup
They both give a syntax error when booting.

On 14-04-2024 at 17:45, Zé Loff wrote:
> pass in on $int_if proto udp to port 53
> pass in on $int_if proto udp to $nameservers port 53
Re: Firewall setup
I'm a long time network engineer/firewall admin/make things work on our network when it is broken. First, ICMP Echo Request ( "ping" ) works, you proved that when you sent an Echo Request to a host using it's IP address. The fact that DNS host resolution fails has nothing to do with ICMP Echo Request. You WILL want to get DNS name resolution working in order to use hostnames, unless you want to keep everything in a static host file. In order to create a functioning firewall you need a good understanding of ip tcp/ip ports and protocols. To see what I'm talking about do an Internet search for 5 tuple firewall. You will need this knowledge for any system using statefull firewall, not just PF. Others are trying to help you write a functioning PF conf, however I think you need to learn how to fish before embarking on a deep sea fishing excursion. 73 diana On April 14, 2024 9:09:01 AM MDT, Karel Lucas wrote: >Hi all, > >Everything about PF is all very confusing to me at the moment, so any help is >appreciated. So let's start simple and then proceed step by step. I want to >continue with ping so that I can test the connection to the internet. This >works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 >www.apple.com. As others have stated, I have a problem with using DNS servers >on the internet. The PF ruleset needs to be adjusted for this, but it is still >not clear to me how to do that. What else do I need to get ping to work >correctly? To get started simply, I created a new pf.conf file, see below. 
>
>
>/etc/pf.conf:
>
>ext_if = igc0 # The interface to the outside world
>int_if = "{ igc1, igc2 }" # The interfaces to the private hosts
>localnet = "192.168.2.0/24" # Hosts on the screened LAN
>
>tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>udp_services = "{ domain, ntp }"
>email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>icmp_types = "{ echoreq, unreach }"
>icmp6_types = "{ echoreq, unreach }"
>nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> 446, cvspserver, 2628, 5999, 8000, 8080 }"
>martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
>
># Options:
>set block-policy return
>
>set skip on lo
>
>block log all # block stateless traffic
>
># Normalize packets:
>match in all scrub ( no-df max-mss 1440 )
>
>block in quick on $ext_if from $martians to any
>block out quick on $ext_if from any to $martians
>
># Letting ping through:
>pass log on inet proto icmp icmp-type $icmp_types
>pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
>pass out all
Re: Firewall setup
> On Apr 14, 2024, at 08:09, Karel Lucas wrote: > > Hi all, Hi. > So let's start simple and then proceed step by step. I want to continue with > ping so that I can test the connection to the internet. This works: ping -c > 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others > have stated, I have a problem with using DNS servers on the internet. Does DNS resolution work without PF being enabled? If you want to “start simple”, don’t enable PF (or disable it, or use the default ruleset that OpenBSD ships with) and make sure everything works. Sean
Re: Firewall setup
Hello Karel,

if you want to start simply, then I would recommend removing all macros from your pf.conf which are not referenced. You can add them later if needed.

As already stated by others, there is a syntax error in macro martians. If there are syntax errors in pf.conf, the rules are not loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The keyword "on" without an interface name, group or the keyword any looks incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with

> pfctl -nf /etc/pf.conf

before loading it. If no errors occur, simply update the ruleset in the kernel with

> pfctl -f /etc/pf.conf

and test your changes. Keep in mind that reloading the ruleset does not affect the states of already established connections.

Please check your current running configuration with

> pfctl -sr

It prints out all currently active rules. If something behaves too weird, it can help to prove that the ruleset in /etc/pf.conf is the same as we assume to be active in the kernel. Because of the syntax errors I would guess that this is not true in your case.

Try to get IPv4 running first. If that goal is reached you have more experience and can go further adding IPv6, which is different in the case of ICMP. If you don't have a static IPv6 address configuration, then the rules in your pf.conf are far too restrictive to get an autoconfigured IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

On 14.04.2024 at 17:09, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.
>
> /etc/pf.conf:
>
> ext_if = igc0 # The interface to the outside world
> int_if = "{ igc1, igc2 }" # The interfaces to the private hosts
> localnet = "192.168.2.0/24" # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>  446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>  0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
Re: Firewall setup
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly? To get started simply, I created a new pf.conf file, see
> below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references the invalid service nportntp (you probably want ntp instead), and I would think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely to be useful unless you *know* you need to pass traffic for those.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall setup
There is a typo on the second line of the martians definition (spurious comma and space). Michael > On Apr 14, 2024, at 11:09, Karel Lucas wrote: > > Hi all, > > Everything about PF is all very confusing to me at the moment, so any help is > appreciated. So let's start simple and then proceed step by step. I want to > continue with ping so that I can test the connection to the internet. This > works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 > www.apple.com. As others have stated, I have a problem with using DNS servers > on the internet. The PF ruleset needs to be adjusted for this, but it is > still not clear to me how to do that. What else do I need to get ping to work > correctly? To get started simply, I created a new pf.conf file, see below. > > > /etc/pf.conf: > > ext_if = igc0 # The interface to the outside > world > int_if = "{ igc1, igc2 }"# The interfaces to the private hosts > localnet = "192.168.2.0/24" # Hosts on the screened LAN > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }" > udp_services = "{ domain, ntp }" > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }" > icmp_types = "{ echoreq, unreach }" > icmp6_types = "{ echoreq, unreach }" > nameservers = "{ 195.121.1.34, 195.121.1.66 }" > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \ > 446, cvspserver, 2628, 5999, 8000, 8080 }" > martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ > 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \ > 0.0.0.0/8, 240.0.0.0/4 }" > > # Options: > set block-policy return > > set skip on lo > > block log all# block stateless traffic > > # Normalize packets: > match in all scrub ( no-df max-mss 1440 ) > > block in quick on $ext_if from $martians to any > block out quick on $ext_if from any to $martians > > # Letting ping through: > pass log on inet proto icmp icmp-type $icmp_types > pass log on inet6 proto icmp6 icmp6-type $icmp6_types > > pass out all > >
Re: Firewall setup
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top of your ruleset. This means that _everything_ needs to be explicitly allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e. traffic _to_ UDP port 53) to enter and leave the firewall. So if a machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic to only those two, so you could rewrite the above rule as

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said on a reply to your other thread, you will probably need to use NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then to the specifics, so I would move "pass out all" next to "block log all", but it's a matter of taste.

> To get started simply, I created a new pf.conf file, see
> below.
Re: Firewall Problems
Hi, Please keep this on the list. On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote: > Hi thank you, I will try to change my rules accordingly. Also some questions: > 1. I saw you talked about the block all rule. Does this cover traffic between > vlans/networks as I’m trying to isolate vlans/networks 6,10,20,30 as well as > my admin network which is em2 interface in this case. Unless you have explicitly excluded interfaces from filtering (set skip on $interface) "block drop log all" will drop packets that do not match any pass rules following. > 2. You also pointed out that ICMPv4 wasn’t getting through. In my case ICMPv6 > won’t get out either from my internal networks. Literally nothing from > internal networks gets out except icmpv4 to gateway, icmp from internal lan > to internal lan, icmp from internal lan to firewall itself. Other than that > there’s no DNS, HTTP, etc getting out. Would I need additional rules for > those explicitly or would I just need a pass out all rule that done a certain > way could work?(I have also tried this and it still doesn’t work)? Please take a look at the resources I pointed to. The tutorial slides will clear up most of if not all of those questions. And please keep any followups on the list. All the best, Peter PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/ -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall Problems
Hi John,

I have enabled forwarding in my sysctl.conf.

Thank you,
Lewis ingraham

> On Nov 17, 2023, at 8:52 AM, Lewis Ingraham wrote:
>
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet with
> devices behind the firewall. I tried changing my pf.conf to match the FAQ (as
> best as i could) and still cant get it to work. I am currently trying to get
> both IPV4 and IPV6 addresses to my devices. Can anyone tell me what I am
> doing wrong?
>
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach internet(use things like
> pkg_add , etc).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices on the lan only get IPV4 addresses and not
> IPV6 in addition.
Re: Firewall Problems
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as i could) and still cant get it to work. I am currently
> trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell
> me what I am doing wrong?

You have a number of "block quick" that seem to be already covered by the seeming default

block drop log all # block stateless traffic

but the only mention of ICMP (which is what ping uses) in your pf.conf is

pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol neighbradv }

so IPv4 icmp will not be let through at all.

This is covered somewhat extensively in that book I wrote (https://nostarch.com/pf3) and you should be able to find the relevant examples in the oft-repeated tutorial at https://home.nuug.no/~peter/pftutorial/

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall Problems
On 11/17/2023 9:52 AM, Lewis Ingraham wrote:
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to ping outside the firewall and subsequently unable to reach the internet with devices behind the firewall. I tried changing my pf.conf to match the FAQ (as best as i could) and still cant get it to work. I am currently trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell me what I am doing wrong?
>
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach internet(use things like pkg_add , etc).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices on the lan only get IPV4 addresses and not IPV6 in addition.

did you enable forwarding?

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
Re: Firewall won't forward IPv6 traffic
Is PF blocking anything?

tcpdump -neipflog0 -vv

Are comcast one of those ISPs that only route your prefix if you've requested it via DHCPv6-PD?
Re: Firewall won't forward IPv6 traffic
Hi,

Have you tested your configuration without any firewall?

--
alarig
Re: Firewall rules and features
On 2015-11-10, sven falempin wrote:
> Ok , I agree, and thank you for the accurate answer.
>
> OTOH the server was rejecting all the other request, (i do not think it
> was badly configured)
> and it ended up rejecting the good one also (after a long time of use)
> I first look in nsd manpages to see if i could figure why and found nothing
> ( a log like i reject packet because ...)
> I tried verbosity: 2, ratelimit: 1024 ( but nsd wasnt up to date - NSD
> version 3.2.5 )
> I wanted to have a workaround, of course there is another authoritative to
> answer,
> therefore i ended up filtering content.

Sounds like you should first update, then if the problem persists work on tracking down the problem you see with NSD. Or outsource it (maybe run your server as a "hidden master" and use a DNS provider that will secondary from you, http://efball.com/dns/ lists free-of-charge ones).

> If i run authoritative server can i filter to answer to only certain IP
> addresses ?
> Like a list of public/root DNS ?

You are missing some knowledge of how DNS works. The root servers don't send queries, they answer them. There is no such list of addresses (and it wouldn't help anyway - lots of queries from different places for various "random".whatever.com will still give you problems.

> My next step was to look at dnssec, which would be nice to have anyway.

That is not going to make this any better.

> On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland wrote:
>
>> > with iptables i was able to add
>> > <-m string --hex-string whatever|03|com>
>> > in the rules.
>> >
>> > So i only accept DNS request that matters to me.

L7 filtering to remove DNS attack traffic can be useful, but mostly where it's done it is to carefully remove specific packets (e.g. if you have a bunch of spoofed queries trying to use you as a bouncer/amplifier and you can identify them from certain bits in the query)

>> > Is there a way ? (something simpler than diverting to a
>> > sort of grep -v ).
>> >> I'd call that a wrong way to do it, definitely. >> >> If your name server is configured properly, it should be ignoring domain >> requests it isn't authoritative for. Not a problem. It should be returning REFUSED rather than just ignoring so it is still sending out packets (possibly to an unwitting victim). It can be a problem on the dns server or firewall too, e.g. if it fills PF state table.
Re: Firewall rules and features
Thank you Pedro for http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/dnsfilter-0.4p0.tgz

I am not sure this is as good as it could be, according to the mail there is room for improvement. Worth a test, and it's better to improve than to add up yet another small program, i wonder how good is the libdns compared to other.

Best regards,

On Mon, Nov 9, 2015 at 6:38 PM, Pedro Caetano wrote:
> Hi,
>
> I guess one could use pf's divert-to and dnsfilter.
>
> http://marc.info/?l=openbsd-misc=134187877220567=2
>
> Regards,
> Pedro Caetano
>
> On Mon, Nov 9, 2015 at 9:45 PM, sven falempin wrote:
>
>> For the first time ever i did something with iptable
>> that i dont know how to do (simply) with
>> pf.
>> Something i think it is usefull.
>>
>> I have a domain server, nsd, it serves whatever.com,
>> the server is like flooded with request for no reason,
>>
>> with iptables i was able to add
>> <-m string --hex-string whatever|03|com>
>> in the rules.
>>
>> So i only accept DNS request that matters to me.
>>
>> Is there a way ? (something simpler than diverting to a
>> sort of grep -v ).
>>
>> Would it be a cool feature ? or because it s a protocol shall
>> it be done inside relayd ?
>>
>> Best regards.
>>
>> --
>>
>> -
>> () ascii ribbon campaign - against html e-mail
>> /\

--
-
() ascii ribbon campaign - against html e-mail
/\
Re: Firewall rules and features
On 11/09/15 16:45, sven falempin wrote: > For the first time ever i did something with iptable > that i dont know how to do (simply) with > pf. > Something i think it is usefull. > > I have a domain server, nsd, it serves whatever.com, Authoritative server, then. > the server is like flooded with request for no reason, Welcome to the Internet. It happens. > with iptables i was able to add > <-m string --hex-string whatever|03|com> > in the rules. > > So i only accept DNS request that matters to me. > > Is there a way ? (something simpler than diverting to a > sort of grep -v ). I'd call that a wrong way to do it, definitely. If your name server is configured properly, it should be ignoring domain requests it isn't authoritative for. Not a problem. If you are running a resolver, it should be resolving only for the IP addresses you manage (here PF can help you, but the resolver can deal with that, too). > Would it be a cool feature ? or because it s a protocol shall > it be done inside relayd ? No. String and pattern matching in the kernel is not a really good plan. And if you are doing it in an application outside of the kernel, why not just do it in NSD and be done with it? Nor is this solving a problem. Let NSD do its job correctly, and it will just ignore those queries. DNS queries are really small, and authoritative servers put very little load on the processor. The query is going to get received, looked at, and either responded to or dropped...adding extra layers here to change who receives and processes the query isn't helping anything. In fact -- assuming NSD is fairly efficient (I think it is), what I propose is this: Packet comes in (kernel) Packet is compared against domains served (NSD) Response or drop (NSD) What you propose is this: Packet comes in (kernel) packet is compared against domains served (filter) drop ... OR -> packet is compared against domains served (AGAIN!) (NSD) response (NSD) I don't think you win anything here by duplicating a step. 
OR if you want to be nasty, set up a full resolver that returns the IP of some really nasty, rude or inappropriate site for ALL queries except the ones that should be answering for. (actually, I don't recommend doing this, but it made me grin to think about it. "Why do I keep ending up on the My Little Pony website??"). Again, just because you CAN do something doesn't make it a good idea. Nick.
Re: Firewall rules and features
Ok , I agree, and thank you for the accurate answer.

OTOH the server was rejecting all the other request, (i do not think it was badly configured) and it ended up rejecting the good one also (after a long time of use). I first look in nsd manpages to see if i could figure why and found nothing ( a log like i reject packet because ...). I tried verbosity: 2, ratelimit: 1024 ( but nsd wasnt up to date - NSD version 3.2.5 ). I wanted to have a workaround, of course there is another authoritative to answer, therefore i ended up filtering content.

If i run authoritative server can i filter to answer to only certain IP addresses ? Like a list of public/root DNS ?

My next step was to look at dnssec, which would be nice to have anyway.

On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland wrote:
> On 11/09/15 16:45, sven falempin wrote:
> > For the first time ever i did something with iptable
> > that i dont know how to do (simply) with
> > pf.
> > Something i think it is usefull.
> >
> > I have a domain server, nsd, it serves whatever.com,
>
> Authoritative server, then.
>
> > the server is like flooded with request for no reason,
>
> Welcome to the Internet. It happens.
>
> > with iptables i was able to add
> > <-m string --hex-string whatever|03|com>
> > in the rules.
> >
> > So i only accept DNS request that matters to me.
> >
> > Is there a way ? (something simpler than diverting to a
> > sort of grep -v ).
>
> I'd call that a wrong way to do it, definitely.
>
> If your name server is configured properly, it should be ignoring domain
> requests it isn't authoritative for. Not a problem. If you are running
> a resolver, it should be resolving only for the IP addresses you manage
> (here PF can help you, but the resolver can deal with that, too).
>
> > Would it be a cool feature ? or because it s a protocol shall
> > it be done inside relayd ?
>
> No. String and pattern matching in the kernel is not a really good
> plan.
And if you are doing it in an application outside of the kernel, > why not just do it in NSD and be done with it? > > Nor is this solving a problem. Let NSD do its job correctly, and it > will just ignore those queries. DNS queries are really small, and > authoritative servers put very little load on the processor. The query > is going to get received, looked at, and either responded to or > dropped...adding extra layers here to change who receives and processes > the query isn't helping anything. In fact -- assuming NSD is fairly > efficient (I think it is), what I propose is this: > Packet comes in (kernel) > Packet is compared against domains served (NSD) > Response or drop (NSD) > > What you propose is this: > Packet comes in (kernel) > packet is compared against domains served (filter) > drop ... OR -> > packet is compared against domains served (AGAIN!) (NSD) > response (NSD) > > I don't think you win anything here by duplicating a step. > > OR if you want to be nasty, set up a full resolver that returns the IP > of some really nasty, rude or inappropriate site for ALL queries except > the ones that should be answering for. (actually, I don't recommend > doing this, but it made me grin to think about it. "Why do I keep > ending up on the My Little Pony website??"). Again, just because you > CAN do something doesn't make it a good idea. > > Nick. > > -- - () ascii ribbon campaign - against html e-mail /\
Re: Firewall rules and features
Hi,

I guess one could use pf's divert-to and dnsfilter.

http://marc.info/?l=openbsd-misc=134187877220567=2

Regards,
Pedro Caetano

On Mon, Nov 9, 2015 at 9:45 PM, sven falempin wrote:
> For the first time ever i did something with iptable
> that i dont know how to do (simply) with
> pf.
> Something i think it is usefull.
>
> I have a domain server, nsd, it serves whatever.com,
> the server is like flooded with request for no reason,
>
> with iptables i was able to add
> <-m string --hex-string whatever|03|com>
> in the rules.
>
> So i only accept DNS request that matters to me.
>
> Is there a way ? (something simpler than diverting to a
> sort of grep -v ).
>
> Would it be a cool feature ? or because it s a protocol shall
> it be done inside relayd ?
>
> Best regards.
>
> --
>
> -
> () ascii ribbon campaign - against html e-mail
> /\
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote: Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit. Those are not realistic concerns. -- Christian naddy Weisgerber na...@mips.inka.de
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure A Lanner FW7525 or even an Alix APU don't seem to be much larger... They're not, but they also lack a bunch of features we need. This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis a vis hardware. Pre-fab appliance type devices always seem to fail at least one of these requirements. They also don't address the separate NICs issue, so if it turns out that that's not a problem anyway, a mini-itx board would be a much better choice for our situation.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote:

Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit. I swear I read this somewhere on the website, but I can't seem to find it now and I'm wondering if the concept is even still valid.

The impetus here is that I'm building a router+firewall for a cramped location and it's turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure if that's a good idea, security wise. Any thoughts?

It is certainly possible theoretically but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC, CARP and other similar technologies get in the way if used), the attacker would first have to acquire this information through other means.

-Kimmo
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com: turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure A Lanner FW7525 or even an Alix APU don't seem to be much larger... Best Martin
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Though, of course, if you have been actively developing your system, or if you have already been subject to other root attempts, a root attempt runs a significant risk of crashing it. (And if you have been developing a lot, there's a decent chance you'll have already crashed it so many times that you will not be able to distinguish the root attempt from your own work. Or, maybe you will - it depends on the nature of the update.) -- Raul On Mon, Jul 27, 2015 at 9:52 AM, Joseph Crivello josephcrive...@gmail.com wrote: If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber na...@mips.inka.de wrote: On 2015-07-27, Quartz qua...@sneakertech.com wrote: Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit. Those are not realistic concerns. Intel 82574L packet of death comes to mind as one example of a bug in the EEPROM that allowed an attacker to bring down an interface: http://blog.krisk.org/2013/02/packets-of-death.html These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Who knows what other bugs in such functionality will be discovered in the future? Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface. If this is a real concern for you, I think multiple firewalls, one behind the other (and using different chipsets, if you really want to), is a better way to go.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> It is certainly possible theoretically but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC; CARP and other similar technologies get in the way if used), the attacker would first have to acquire this information through other means.

Well, I'm not convinced that needing to identify the card first is really a requirement. I feel it's more likely an attacker using these techniques would just blast out a bunch of probes and figure it out based on what bounces back, similar concept to port knocking.

I wish I could find/remember where on openbsd.org this was mentioned and use the wayback machine or something, because it seemed like whoever wrote about it knew what they were talking about.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.

Can you elaborate on this? Also, that brings up another point wrt motherboards with multiple jacks; are bios attacks something to worry about?

> Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface.

That's always a possibility yes.

> If this is a real concern for you,

The thing is I don't really know if this should be a realistic concern, that's why I'm asking. A motherboard with multiple ports would certainly be more convenient, but it's not worth it if it would compromise security.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote:
> This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis a vis hardware.

Depends what they are, but those other services are far more likely to be a problem than a multiport NIC.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 27-07-2015 09:13, Kimmo Paasiala wrote:
> It's next to impossible to identify the make and model of the NIC that holds an IP address

With IPv6 and poor configuration, a remote attacker already has that information. MAC addresses reveal a lot of information about a NIC.

Cheers,
Giancarlo Razzolini
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 11:10 AM, Quartz qua...@sneakertech.com wrote:
>> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.
>
> Can you elaborate on this?

Search for intel nic bypass mode and you'll find lots of details. It's an increasingly common feature in server network adapters. If the host OS is down, the NIC continues forwarding packets between two ports without any processing. Some older implementations used a physical jumper to enable or disable this feature. Now it's all done in software and can even be configured remotely. For example: http://www.lannerinc.com/applications/product-features/lan-bypass
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Joseph Crivello [josephcrive...@gmail.com] wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

If you are running OpenBSD or Bitrig and you have VT-d enabled, someone is working on bringing iommu functionality to both OSes right now. This can prevent runaway DMA. Kinda cool, ya know!
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello josephcrive...@gmail.com wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

(Somewhat of a rhetorical question, but ...)

How hard would it be to design and assemble one's own NIC, and use said design to construct one's own switch?

(I daydream too much. Right now I'm daydreaming of a switch-on-a-card. It's been a while since I've seen such things advertised, but maybe I'm not looking in the right places nowadays.)

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
Re: Firewall: Where is the bottleneck?
Hi Hrvoje,

netstat -i shows nothing special.

Name   Mtu   Network      Address            Ipkts         Ierrs  Opkts         Oerrs  Colls
lo0    33152 <Link>                          91235         0      91235         0      0
lo0    33152 localhost/1  localhost          91235         0      91235         0      0
lo0    33152 fe80::%lo0/  fe80::1%lo0        91235         0      91235         0      0
lo0    33152 localhost    localhost          91235         0      91235         0      0
em0    1500  <Link>       00:25:90:a6:08:52  163717573347  72     297519394073  0      0
em0    1500  megagw06a.o  megagw06a.ohb-sys  163717573347  72     297519394073  0      0
em0    1500  fe80::%em0/  fe80::225:90ff:fe  163717573347  72     297519394073  0      0
em1    1500  <Link>       00:25:90:a6:08:53  297512809627  489    163342615216  0      0
em1    1500  10.242.13/2  10.242.13.1        297512809627  489    163342615216  0      0
em1    1500  fe80::%em1/  fe80::225:90ff:fe  297512809627  489    163342615216  0      0
em2*   1500  <Link>       00:25:90:a6:08:54  0             0      0             0      0
em3*   1500  <Link>       00:25:90:a6:08:55  0             0      0             0      0
enc0*  0     <Link>                          0             0      0             0      0
pflog0 33152 <Link>                          0             0      146527095     0      0

I will try to have a maintenance window for the upgrade.

Thanks for the help,
Patrick

On 04.11.2014 at 23:22, Hrvoje Popovski hrv...@srce.hr wrote:
> out of curiosity, could you post netstat -i
> if you can, why don't you upgrade bios and install openbsd 5.6
Re: Firewall: Where is the bottleneck?
Hi Remi,

Thanks for your answer. netstat -m is ok, see:

203 mbufs in use:
        193 mbufs allocated to data
        2 mbufs allocated to packet headers
        8 mbufs allocated to socket names and addresses
190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
1680 Kbytes allocated to network (25% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

sysctl net.inet.ip.ifq.drops has been at 104 for two days.

This drives me crazy. I have also made a packet dump with tcpdump to see any problems there. But nothing, no retransmissions or bad packets, only a lot of tcp packets from VNC connections.

Best Regards,
Patrick

On Wed, 29 Oct 2014, Remi Locherer wrote:
> On Tue, Oct 28, 2014 at 10:13:54PM +0100, jum...@yahoo.de wrote:
>> Hi Andy,
>>
>> sorry for the delay, but a lot of more important work was between your mail and this answer ;).
>>
>>> You can set a simple prio on a rule like;
>>> pass proto tcp from $left to $right set prio (1,4)
>>
>> With PRIQ I mean the scheduler priq instead of cbq. Relevant lines of my current pf.conf rule set:
>>
>> pf.conf
>> ...
>> altq on em0 priq bandwidth 1000Mb queue { std_em0, tcp_ack_em0 }
>> queue std_em0 priq(default)
>> queue tcp_ack_em0 priority 6
>> altq on em1 priq bandwidth 1000Mb queue { std_em1, tcp_ack_em1 }
>> queue std_em1 priq(default)
>> queue tcp_ack_em1 priority 6
>> match em0 on em0 inet proto tcp from any to any queue(std_em0, tcp_ack_em0)
>> match em0 on em1 inet proto tcp from any to any queue(std_em1, tcp_ack_em1)
>> ...
>> /pf.conf
>>
>> I have read The Book of PF 2nd, but there is nothing about troubleshooting. What should I do to find the problem?
>>
>> I have made some notes for troubleshooting purposes:
>>
>> top - Interrupts - High CPU or network interfaces = Hardware limit
>> systat - Interrupts on CPU and network cards = Hardware limit
>> bwm-ng - Bandwidth near the theoretical limit = Hardware limit
>> pfctl -si - Look for current states, default limit to 1. The memory counter shows failed allocation of memory for states. If this number is high and increases further = Set limit for states (pfctl -sm shows States Limit)
>> sysctl kern.netlivelocks - High number means something like two processes block each other = Hardware limit
>>
>> No problem can be found with above steps:
>
> Two more things you can check:
>
> # netstat -m
> If peak is close to or equal to max raise kern.maxclusters with sysctl.
>
> # sysctl net.inet.ip.ifq.drops
> If this counter goes up try to increase net.inet.ip.ifq.maxlen with sysctl. It defines how many packets can be queued in the ip input queue before further packets are dropped.
>
> Remi
>
>> - prioritize TCP-ACK for tcp traffic
>>
>> Best Regards,
>> Patrick
>>
>> On Thu, 9 Oct 2014, Andy wrote:
>>> Hi,
>>>
>>> Just so I understand what you have done, PRIQ is not the same as queuing.
>>>
>>> You can set a simple prio on a rule like;
>>> pass proto tcp from $left to $right set prio (1,4)
>>>
>>> But this doesn't manage the situations where you have lots of different types/profiles of traffic on your network. For example you might have some big file transfers going on which can be delayed and can have a high latency but high throughput, alongside your control/real-time protocols which need low latency etc. Generally in this situation just using prio won't always be enough and your file transfers will still swamp your interactive SSH or VNC connections etc..
>>>
>>> So we do something like this;
>>>
>>> altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
>>> oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
>>> oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
>>> oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
>>> oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
>>> oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
>>> oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
>>> oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
>>> oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)
>>>
>>> altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
>>> oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt,
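Patrick's troubleshooting notes and Remi's two extra checks above are a manual procedure. The script below is an added example, not from the thread, that turns three of those checks (mbuf cluster peak against max from netstat -m, the ifq.drops counter between two readings, and state-table fill from pfctl -si together with pfctl -s memory) into shell functions that read saved command output, so they can be tried offline; the sample lines at the bottom are constructed, modelled on Patrick's numbers, and the 10000 state limit in them is a constructed value.

```shell
#!/bin/sh
# Added example, not from the thread: script versions of the checks discussed
# above. Each function reads saved command output so it can be tried offline;
# on a live OpenBSD box feed it `netstat -m`, `sysctl net.inet.ip.ifq.drops`
# and `pfctl -si` / `pfctl -s memory` instead.

# check_clusters PCT   (netstat -m output on stdin)
# Flags every mbuf cluster pool whose peak reached PCT percent of its max,
# the point at which kern.maxclusters should be raised. Exit 0 = all pools fine.
check_clusters() {
    awk -v pct="$1" '
        /mbuf [0-9]+ byte clusters in use/ {
            split($1, c, "/")                       # current/peak/max
            if (c[3] > 0 && c[2] * 100 >= c[3] * pct) {
                printf "WARN: %s-byte clusters peaked at %s of %s, raise kern.maxclusters\n",
                       $3, c[2], c[3]
                hit = 1
            }
        }
        END { if (hit) exit 1; exit 0 }'
}

# check_ifq_drops BEFORE AFTER
# Takes two readings of net.inet.ip.ifq.drops, either "name=value" as sysctl
# prints it or the bare number. Exit 1 if the counter moved: packets are being
# dropped at the IP input queue and net.inet.ip.ifq.maxlen is too small.
check_ifq_drops() {
    before=${1#*=}
    after=${2#*=}
    if [ "$after" -gt "$before" ]; then
        echo "WARN: ifq.drops went from $before to $after, consider raising net.inet.ip.ifq.maxlen"
        return 1
    fi
    return 0
}

# check_states PCT   (pfctl -si output followed by pfctl -s memory on stdin)
# Compares "current entries" from the state table with the "states hard limit"
# and warns when the table is more than PCT percent full. Exit 0 = fine.
check_states() {
    awk -v pct="$1" '
        /current entries/        { cur = $3 }
        /^ *states +hard limit/  { lim = $4 }
        END {
            if (lim == "" || cur == "") { print "ERR: state counters not found"; exit 2 }
            if (cur * 100 >= lim * pct) {
                printf "WARN: %d of %d states in use, raise the states limit (set limit states)\n", cur, lim
                exit 1
            }
            exit 0
        }'
}

# Constructed sample output, modelled on the values in the thread, with the
# 4096-byte pool deliberately pushed near its max so that check fires.
NETSTAT_M='203 mbufs in use:
190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
6000/6100/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)'
# Constructed pfctl output; 8764 is the counter Patrick posted, 10000 is a
# constructed limit.
PF_STATS='State Table                          Total             Rate
  current entries                        8764
states        hard limit    10000'

printf '%s\n' "$NETSTAT_M" | check_clusters 90 || true
check_ifq_drops 'net.inet.ip.ifq.drops=104' 'net.inet.ip.ifq.drops=104' || true
printf '%s\n' "$PF_STATS" | check_states 90 || true
```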
Re: Firewall: Where is the bottleneck?
On 2014-10-09, Andy a...@brandwatch.com wrote:
> NB; This is the old syntax for queues and I strongly recommend reading the 3rd edition of The book of PF (A must read for *anyone* new or old to OpenBSD and PF) :) and using the new syntax

N.B. the oldqueue syntax goes away in 5.6, if you are writing a new config you definitely should use the new stuff..
Re: Firewall: Where is the bottleneck?
Hi,

Just so I understand what you have done, PRIQ is not the same as queuing.

You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)

But this doesn't manage the situations where you have lots of different types/profiles of traffic on your network. For example you might have some big file transfers going on which can be delayed and can have a high latency but high throughput, alongside your control/real-time protocols which need low latency etc. Generally in this situation just using prio won't always be enough and your file transfers will still swamp your interactive SSH or VNC connections etc..

So we do something like this;

altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)

altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare 4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn, _wan_web, _wan_dflt, _wan_bulk }
oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50 hfsc(realtime(20%, 5000, 10%), linkshare 20%)
oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100 hfsc(realtime 5%, linkshare 10%)
oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100 hfsc(realtime(15%, 2000, 5%), linkshare 10%)
oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300 hfsc(realtime(15%, 2000, 5%), linkshare 30%)
oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300 hfsc(realtime(10%, 3000, 5%), linkshare 10%)
oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit 100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlimit 100 hfsc(linkshare 5%, upperlimit 30%, ecn, red)

pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 4569, 5060, 1:2 } queue _wan_rt set prio 7
pass quick proto { tcp, udp } from { (vlan1:network) } to { (vlan234:network) } port { 53, 123, 5900 } queue _wan_pri set prio 4
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { 80, 443 } queue (_wan_web,_wan_pri) set prio (2,4)
pass quick proto { tcp } from { (vlan1:network) } to { (vlan234:network) } port { ssh } queue (_wan_bulk,_wan_int) set prio (0,5)
.
. All the other rules needing higher priority than the rest
.
pass quick proto { tcp, udp, icmp } from { (vlan1:network) } to { (vlan234:network) } queue (_wan_bulk,_wan_pri) set prio (0,4)

NB; This is the old syntax for queues and I strongly recommend reading the 3rd edition of The book of PF (A must read for *anyone* new or old to OpenBSD and PF) :) and using the new syntax

The rule I use is that whenever one queue starts to get used too much and there is more than one type of traffic in a queue (here in this example I have DNS, NTP and VNC in the same queue) and if they start to affect each other, it's time to split the traffic out into further separate queues. So here you would split VNC into its own queue to stop VNC swamping the DNS queries :)

The priority in these queues is not the same as PRIO. These priority values don't have much impact *apparently* compared to the queues themselves (I just understand these to be CPU or bucket scheduling or something), but I've never understood how true that is, so I just set them to be the same number as the desired relative PRIO as that seems sensible.

Last but NOT least; the PRIO value gets copied into the VLAN's CoS header! :) So if you use VLANs like we do here on our trunks, the different packets will end up as frames with the prio copied in meaning your switches can then also maintain the layer 3 QoS in the layer 2 CoS... Amazing stuff :)

Good luck
Andrew Lemin

*** looking forward to 64bit queues! :) ***

On 08/10/14 20:49, jum...@yahoo.de wrote:
> Hi Andy,
>
> This morning I have added
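Andy's queue tree above is written in the altq/oldqueue syntax, which the follow-up in this thread notes was removed in OpenBSD 5.6. The fragment below is an added translation of that tree into the pf.conf(5) queue syntax of 5.5 and later; it is not part of the thread. The percentages are converted to absolute rates against the 4290Mb root, each hfsc realtime curve becomes a min with a burst, the ecn/red flags are dropped because the new queueing has no equivalent, and the interface name behind $if_trunk1 is an assumption; the truncated "1:2" port range in Andy's first rule is left out rather than guessed.

```pf
# Added example, not from the thread: Andy's oldqueue tree rewritten in the
# queue syntax of OpenBSD 5.5 and later.  Percentages are converted against
# the 4290Mb root (5% = 214M, 10% = 429M, 15% = 643M, 20% = 858M, 30% = 1287M);
# an old hfsc realtime(m1, d, m2) curve becomes "min m2 burst m1 for d ms";
# ecn/red have no counterpart in the new queueing and are dropped; the old
# per-queue "priority" is gone, prio is set on the rules only.

if_trunk1 = "trunk1"          # interface name is an assumption, as is the macro

queue wan      on $if_trunk1 bandwidth 4290M max 4290M
queue wan_rt   parent wan bandwidth  858M min 429M burst 858M for 5000ms qlimit 50
queue wan_int  parent wan bandwidth  429M min 214M                       qlimit 100
queue wan_pri  parent wan bandwidth  429M min 214M burst 643M for 2000ms qlimit 100
queue wan_vpn  parent wan bandwidth 1287M min 214M burst 643M for 2000ms qlimit 300
queue wan_web  parent wan bandwidth  429M min 214M burst 429M for 3000ms qlimit 300
queue wan_dflt parent wan bandwidth  643M min 214M burst 429M for 5000ms qlimit 100 default
queue wan_bulk parent wan bandwidth  214M max 1287M                      qlimit 100

# A second tree for $if_trunk2 needs its own root queue and uniquely named
# children; it is the same list with the names and the interface changed.

# Queue assignment is now "set queue"; "set prio" is unchanged and is what
# ends up in the VLAN CoS field, as Andy describes.
pass quick proto { tcp, udp } from (vlan1:network) to (vlan234:network) port { 4569, 5060 } set queue wan_rt set prio 7
pass quick proto { tcp, udp } from (vlan1:network) to (vlan234:network) port { 53, 123, 5900 } set queue wan_pri set prio 4
pass quick proto tcp from (vlan1:network) to (vlan234:network) port { 80, 443 } set queue (wan_web, wan_pri) set prio (2, 4)
pass quick proto tcp from (vlan1:network) to (vlan234:network) port ssh set queue (wan_bulk, wan_int) set prio (0, 5)
pass quick proto { tcp, udp, icmp } from (vlan1:network) to (vlan234:network) set queue (wan_bulk, wan_pri) set prio (0, 4)
```

Load it with pfctl -nf first: the parser rejects a child whose min exceeds what the parent can guarantee, which is the easiest way to catch a bad percentage conversion.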
Re: Firewall: Where is the bottleneck?
Hi Andy,

This morning I have added Priority Queueing (PRIQ) to the ruleset and prefer TCP ACK packets over everything else. I can see the queues with systat queue but the change has no effect on the user experience nor the throughput.

I have read something about adjusting TCP send and receive window size settings, but OpenBSD does this automatically since 2010 [1]. What else can I set?

Best Regards,
Patrick

[1] http://marc.info/?l=openbsd-misc&m=128905075911814

On Thu, 2 Oct 2014, jum...@yahoo.de wrote:
> Hi Andy,
>
>> Setup some queues and prioritise your ACK's ;)
>
> Good idea, I will try to implement Priority Queueing with the old altq.
>
> Best Regards,
> Patrick
>
> On Thu, 2 Oct 2014, Andy wrote:
>> Setup some queues and prioritise your ACK's ;)
>>
>> The box is fine under the load I'm sure, but you'll still need to prioritise those TCP acknowledgments to make things snappy when lots of traffic is going on..
>>
>> On 02/10/14 17:13, Ville Valkonen wrote:
>>> Hello Patrick,
>>>
>>> On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:
>>>> Hi,
>>>>
>>>> I use an OpenBSD based firewall (version 5.2, I know I should upgrade but ...) between an 8 host cluster of Linux servers and 300 clients which access this cluster via VNC. Each server is connected with one gigabit port to a dedicated switch and the firewall has on each side one gigabit (dedicated switch and campus network).
>>>>
>>>> The users complain about slow VNC response times (if I connect a client system to the dedicated switch, the access is faster, even during peak hours), and the admins of the cluster blame my firewall :(.
>>>>
>>>> I use MRTG for traffic monitoring (data retrieved from OpenBSD in one minute intervals) and can see average traffic of 160 Mbit/s during office hours and peaks at 280 Mbit/s. With bwm-ng and a five second interval I can see peaks at 580 Mbit/s. The peak packets per second is around 8 packets (also measured with bwm-ng). The interrupt of CPU0 is in peak 25%. So with this data I don't think the firewall is at the limit, am I right?
>>>>
>>>> The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz) with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics (driver em).
>>>>
>>>> Where is the problem? Can't the nics handle more packets/second? How can I check for this? If I connect a client system directly to the dedicated system, the response times are better.
>>>>
>>>> Thanks for your help,
>>>> Patrick
>>>
>>> In addition to dmesg, could you please provide the following information:
>>> $ pfctl -si
>>> $ sysctl kern.netlivelocks
>>> and interrupt statistics (by systat for example) would be helpful.
>>>
>>> Thanks!
>>>
>>> --
>>> Regards,
>>> Ville
Re: Firewall: Where is the bottleneck?
Hi Ville,

What I read on the Internet so far about states [1]: The memory counter shows how often pf tried to insert a state but failed. The reason could be a hard limit of state entries. I watched the memory counter this afternoon and it didn't increase, still at 8764.

pfctl -s memory
states        hard limit  1
src-nodes     hard limit  1
frags         hard limit  5000
tables        hard limit  1000
table-entries hard limit  20

systat
Sorry for the pastebin link [2], but the formatting is broken inside a mail.

Best Regards,
Patrick

[1] http://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit/
[2] http://pastebin.com/CnfEZDE9

On Fri, 3 Oct 2014, Ville Valkonen wrote:
> On 3 October 2014 11:11, Ville Valkonen weezeld...@gmail.com wrote:
>> On 2 October 2014 23:36, jum...@yahoo.de wrote:
>>>> $ sysctl kern.netlivelocks
>>> kern.netlivelocks=2
>>> What does this mean? I found something like a deadlock, when two processes block each other, am I right?
>>
>> This is useful information specially under the load. I don't have the source code available at the moment but as far as I know/remember it tells how much interrupts network devices create (this is likely wrong, don't take it as a fact. And please, someone correct me).
>>
>>>> and interrupt statistics (by systat for example) would be helpful.
>>> You mean during peak load. I will send it on Monday.
>>
>> Yes, that's correct. Sorry for not mentioning this in the first mail.
>>
>> btw. if you could yet provide this information it would be great:
>> $ sudo pfctl -sa |grep -A 5 LIMITS
>
> Correction: rather use pfctl -s memory
Re: Firewall: Where is the bottleneck?
On 2 October 2014 23:36, jum...@yahoo.de wrote: $ sysctl kern.netlivelocks kern.netlivelocks=2 What does this means? I found something like a deadlock, when two processes block each other, I'm right? This is useful information specially under the load. I don't have the source code available at the moment but as far as I know/remember it tells how much interrupts network devices create (this is likely wrong, don't take it as a fact. And please, someone correct me). and interrupt statistics (by systat for example) would be helpful. You mean during peak load. I will send it on Monday. Yes, that's correct. Sorry for not mention this in the first mail. btw. if you could yet provide this information it would be great: $ sudo pfctl -sa |grep -A 5 LIMITS -- Regards, Ville
Re: Firewall: Where is the bottleneck?
On 3 October 2014 11:11, Ville Valkonen <weezeld...@gmail.com> wrote:
> On 2 October 2014 23:36, <jum...@yahoo.de> wrote:
> > > $ sysctl kern.netlivelocks
> > kern.netlivelocks=2
> >
> > What does this mean? I found something like a deadlock, when two
> > processes block each other, am I right?
>
> This is useful information, especially under load. I don't have the
> source code available at the moment but as far as I know/remember it
> tells how many interrupts network devices create (this is likely
> wrong, don't take it as a fact. And please, someone correct me).
>
> > > and interrupt statistics (by systat for example) would be helpful.
> >
> > You mean during peak load. I will send it on Monday.
>
> Yes, that's correct. Sorry for not mentioning this in the first mail.
>
> btw. if you could yet provide this information it would be great:
>
> $ sudo pfctl -sa |grep -A 5 LIMITS

Correction: rather use pfctl -s memory
Re: Firewall: Where is the bottleneck?
jum...@yahoo.de (Patrick), 2014.10.02 (Thu) 16:32 (CEST):
> Hi,
>
> I use an OpenBSD based firewall (version 5.2, I know I should upgrade
> but ...) between an 8 host cluster of Linux servers and 300 clients
> which will access this cluster via VNC. Each server is connected with
> one gigabit port to a dedicated switch and the firewall has on each
> side one gigabit (dedicated switch and campus network).
>
> The users complain about slow VNC response times (if I connect a
> client system to the dedicated switch, the access is faster, even
> during peak hours), and the admins of the cluster blame my firewall :(.
>
> I use MRTG for traffic monitoring (data retrieved from OpenBSD in one
> minute intervals) and can see average traffic of 160 Mbit/s during
> office hours and peaks at 280 Mbit/s. With bwm-ng and a five second
> interval I can see peaks at 580 Mbit/s. The peak packets per second
> is around 8 packets (also measured with bwm-ng). The interrupt of
> CPU0 is in peak 25%. So with this data I don't think the firewall is
> at the limit, am I right?
>
> The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
> with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
> (driver em).
>
> Where is the problem? Can't the nics handle more packets/second? How
> can I check for this? If I connect a client system directly to the
> dedicated system, the response times are better.
>
> Thanks for your help,
> Patrick

I cannot help you on the topic but on improving your response rate:
provide a dmesg. At least. The precogs are on vacation ;-)

Bye,
Marcus
Re: Firewall: Where is the bottleneck?
Hello Patrick,

On 2 October 2014 17:32, Patrick <jum...@yahoo.de> wrote:
> Hi,
>
> I use an OpenBSD based firewall (version 5.2, I know I should upgrade
> but ...) between an 8 host cluster of Linux servers and 300 clients
> which will access this cluster via VNC. Each server is connected with
> one gigabit port to a dedicated switch and the firewall has on each
> side one gigabit (dedicated switch and campus network).
>
> The users complain about slow VNC response times (if I connect a
> client system to the dedicated switch, the access is faster, even
> during peak hours), and the admins of the cluster blame my firewall :(.
>
> I use MRTG for traffic monitoring (data retrieved from OpenBSD in one
> minute intervals) and can see average traffic of 160 Mbit/s during
> office hours and peaks at 280 Mbit/s. With bwm-ng and a five second
> interval I can see peaks at 580 Mbit/s. The peak packets per second
> is around 8 packets (also measured with bwm-ng). The interrupt of
> CPU0 is in peak 25%. So with this data I don't think the firewall is
> at the limit, am I right?
>
> The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
> with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
> (driver em).
>
> Where is the problem? Can't the nics handle more packets/second? How
> can I check for this? If I connect a client system directly to the
> dedicated system, the response times are better.
>
> Thanks for your help,
> Patrick

In addition to dmesg, could you please provide the following
information:

$ pfctl -si
$ sysctl kern.netlivelocks

and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville
Re: Firewall: Where is the bottleneck?
Setup some queues and prioritise your ACK's ;)

The box is fine under the load I'm sure, but you'll still need to
prioritise those TCP acknowledgments to make things snappy when lots of
traffic is going on..

On 02/10/14 17:13, Ville Valkonen wrote:
> Hello Patrick,
>
> On 2 October 2014 17:32, Patrick <jum...@yahoo.de> wrote:
> > Hi,
> >
> > I use an OpenBSD based firewall (version 5.2, I know I should
> > upgrade but ...) between an 8 host cluster of Linux servers and 300
> > clients which will access this cluster via VNC. Each server is
> > connected with one gigabit port to a dedicated switch and the
> > firewall has on each side one gigabit (dedicated switch and campus
> > network).
> >
> > The users complain about slow VNC response times (if I connect a
> > client system to the dedicated switch, the access is faster, even
> > during peak hours), and the admins of the cluster blame my
> > firewall :(.
> >
> > I use MRTG for traffic monitoring (data retrieved from OpenBSD in
> > one minute intervals) and can see average traffic of 160 Mbit/s
> > during office hours and peaks at 280 Mbit/s. With bwm-ng and a five
> > second interval I can see peaks at 580 Mbit/s. The peak packets per
> > second is around 8 packets (also measured with bwm-ng). The
> > interrupt of CPU0 is in peak 25%. So with this data I don't think
> > the firewall is at the limit, am I right?
> >
> > The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
> > with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
> > (driver em).
> >
> > Where is the problem? Can't the nics handle more packets/second?
> > How can I check for this? If I connect a client system directly to
> > the dedicated system, the response times are better.
> >
> > Thanks for your help,
> > Patrick
>
> In addition to dmesg, could you please provide the following
> information:
>
> $ pfctl -si
> $ sysctl kern.netlivelocks
>
> and interrupt statistics (by systat for example) would be helpful.
>
> Thanks!
> --
> Regards,
> Ville
Re: Firewall: Where is the bottleneck?
On 2 Oct 2014 at 18:15, Andy wrote:
> Setup some queues and prioritise your ACK's ;)
>
> The box is fine under the load I'm sure, but you'll still need to
> prioritise those TCP acknowledgments to make things snappy when lots
> of traffic is going on..

All these (otherwise valid) suggestions are useless until we know more
about the specific firewall in question -- information best delivered
in the form of dmesg, 'pfctl -si' output and other statistics as
indicated in Ville's response below.

I recently struggled with a very similar problem until I noticed that
the total number of states reported in pftop was stuck at 10,000 ...
guess what? that is a default limit and (also by default) stateless
traffic is *dropped*! Raising that particular limit _magically_ tripled
the throughput.

-Jacob.

> On 02/10/14 17:13, Ville Valkonen wrote:
> > Hello Patrick,
> >
> > On 2 October 2014 17:32, Patrick <jum...@yahoo.de> wrote:
> > > Hi,
> > >
> > > I use an OpenBSD based firewall (version 5.2, I know I should
> > > upgrade but ...) between an 8 host cluster of Linux servers and
> > > 300 clients which will access this cluster via VNC. Each server is
> > > connected with one gigabit port to a dedicated switch and the
> > > firewall has on each side one gigabit (dedicated switch and campus
> > > network).
> > >
> > > The users complain about slow VNC response times (if I connect a
> > > client system to the dedicated switch, the access is faster, even
> > > during peak hours), and the admins of the cluster blame my
> > > firewall :(.
> > >
> > > I use MRTG for traffic monitoring (data retrieved from OpenBSD in
> > > one minute intervals) and can see average traffic of 160 Mbit/s
> > > during office hours and peaks at 280 Mbit/s. With bwm-ng and a
> > > five second interval I can see peaks at 580 Mbit/s. The peak
> > > packets per second is around 8 packets (also measured with
> > > bwm-ng). The interrupt of CPU0 is in peak 25%. So with this data I
> > > don't think the firewall is at the limit, am I right?
> > >
> > > The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
> > > with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
> > > (driver em).
> > >
> > > Where is the problem? Can't the nics handle more packets/second?
> > > How can I check for this? If I connect a client system directly to
> > > the dedicated system, the response times are better.
> > >
> > > Thanks for your help,
> > > Patrick
> >
> > In addition to dmesg, could you please provide the following
> > information:
> >
> > $ pfctl -si
> > $ sysctl kern.netlivelocks
> >
> > and interrupt statistics (by systat for example) would be helpful.
> >
> > Thanks!
> > --
> > Regards,
> > Ville
Re: Firewall: Where is the bottleneck?
On 02-10-2014 17:30, System Administrator wrote:
> All these (otherwise valid) suggestions are useless until we know more
> about the specific firewall in question -- information best delivered
> in the form of dmesg, 'pfctl -si' output and other statistics as
> indicated in Ville's response below.
>
> I recently struggled with a very similar problem until I noticed that
> the total number of states reported in pftop was stuck at 10,000 ...
> guess what? that is a default limit and (also by default) stateless
> traffic is *dropped*! Raising that particular limit _magically_
> tripled the throughput.

It is on the top of the /etc/pf.conf installation file. They put it
there just because people would come to misc complaining, only to then
discover the state limit. Also, there is no magic here. 10k is a valid
default limit that won't consume too much memory and is ok for most
uses. In more than 10 years using pf I only had to tweak it once.

As for the OP, more information really is needed. But with the traffic
he mentioned, there are a lot of points where the bottleneck could be.
Perhaps even more than one combined.

Cheers,
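The two replies above point at the same check: is pf actually refusing to create states, or is the table merely near its limit? The following is an added example for this thread, not a script anyone posted. It parses two snapshots of `pfctl -si` and one of `pfctl -s memory` and reports whether the `memory` and `state-limit` counters moved between the snapshots. Both are lifetime totals, so a single reading (the 8764 posted later in the thread) proves nothing; the delta over a busy minute does. The sample text is constructed from the numbers posted in the thread, and the 10000 states hard limit is pf's default, assumed here rather than taken from the poster's box.

```sh
#!/bin/sh
# pf_state_headroom.sh -- added example, not code from the thread.
# Reads two `pfctl -si` snapshots plus `pfctl -s memory` and decides
# whether pf is failing to insert states or only approaching the limit.

# Constructed sample, numbers from the thread; trimmed to the lines parsed.
SNAP_T0='Status: Enabled for 597 days 07:40:45           Debug: err

State Table                          Total             Rate
  current entries                      133
  inserts                        716973517           13.9/s
  removals                       716973384           13.9/s
Counters
  match                          853853991           16.5/s
  memory                              8764            0.0/s
  congestion                             1            0.0/s
  state-limit                            0            0.0/s'

# A minute later: only inserts/removals moved, which is the healthy case.
SNAP_T1=$(printf '%s\n' "$SNAP_T0" | sed -e 's/716973517/716974351/' -e 's/716973384/716974218/')
# Hypothetical: table almost full, no failures yet.
SNAP_NEAR=$(printf '%s\n' "$SNAP_T0" | sed -e 's/ 133$/9950/')
# Hypothetical: the memory counter climbing, i.e. state creation failing.
SNAP_FAIL=$(printf '%s\n' "$SNAP_T0" | sed -e 's/ 8764 / 8901 /')

# `pfctl -s memory` with pf's default limits (assumption for the example).
MEM_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_counter NAME SNAPSHOT -> lifetime total of counter NAME
pf_counter() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# pf_limit NAME MEMORY -> hard limit for NAME from `pfctl -s memory`
pf_limit() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 == "hard" { print $4; exit }'
}

# state_usage_pct SNAPSHOT MEMORY -> integer percent of the states limit in use
state_usage_pct() {
    cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }')
    lim=$(pf_limit states "$2")
    echo $(( cur * 100 / lim ))
}

# pf_delta NAME BEFORE AFTER -> growth of counter NAME between two snapshots
pf_delta() {
    echo $(( $(pf_counter "$1" "$3") - $(pf_counter "$1" "$2") ))
}

# state_verdict BEFORE AFTER MEMORY -> dropping | near-limit | ok
#   dropping:   memory or state-limit grew during the interval, so pf could
#               not insert states; raise `set limit states` (or find what is
#               burning states) before tuning anything else
#   near-limit: no failures yet, but 80% or more of the hard limit in use
state_verdict() {
    failed=$(( $(pf_delta memory "$1" "$2") + $(pf_delta state-limit "$1" "$2") ))
    pct=$(state_usage_pct "$2" "$3")
    if [ "$failed" -gt 0 ]; then echo dropping
    elif [ "$pct" -ge 80 ]; then echo near-limit
    else echo ok
    fi
}

# Live use on the firewall, as root: sample, wait through a busy minute, sample again.
#   t0=$(pfctl -si); sleep 60; t1=$(pfctl -si)
#   state_verdict "$t0" "$t1" "$(pfctl -s memory)"
state_verdict "$SNAP_T0" "$SNAP_T1" "$MEM_LIMITS"
```

`state-mismatch` (197237 on the posted box) and `congestion` are worth watching the same way; the former grows when packets arrive for a state whose sequence window they no longer fit, the latter when the network stack signals it could not keep up. `kern.netlivelocks`, asked about later in the thread, is a kernel counter of detected network livelocks (input arriving faster than the stack could drain it), not a deadlock between two processes.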
Re: Firewall: Where is the bottleneck?
Hi Andy,

> Setup some queues and prioritise your ACK's ;)

Good idea, I will try to implement a Priority Queueing with the old
altq.

Best Regards,
Patrick

On Thu, 2 Oct 2014, Andy wrote:
> Setup some queues and prioritise your ACK's ;)
>
> The box is fine under the load I'm sure, but you'll still need to
> prioritise those TCP acknowledgments to make things snappy when lots
> of traffic is going on..
>
> On 02/10/14 17:13, Ville Valkonen wrote:
> > Hello Patrick,
> >
> > On 2 October 2014 17:32, Patrick <jum...@yahoo.de> wrote:
> > > Hi,
> > >
> > > I use an OpenBSD based firewall (version 5.2, I know I should
> > > upgrade but ...) between an 8 host cluster of Linux servers and
> > > 300 clients which will access this cluster via VNC. Each server is
> > > connected with one gigabit port to a dedicated switch and the
> > > firewall has on each side one gigabit (dedicated switch and campus
> > > network).
> > >
> > > The users complain about slow VNC response times (if I connect a
> > > client system to the dedicated switch, the access is faster, even
> > > during peak hours), and the admins of the cluster blame my
> > > firewall :(.
> > >
> > > I use MRTG for traffic monitoring (data retrieved from OpenBSD in
> > > one minute intervals) and can see average traffic of 160 Mbit/s
> > > during office hours and peaks at 280 Mbit/s. With bwm-ng and a
> > > five second interval I can see peaks at 580 Mbit/s. The peak
> > > packets per second is around 8 packets (also measured with
> > > bwm-ng). The interrupt of CPU0 is in peak 25%. So with this data I
> > > don't think the firewall is at the limit, am I right?
> > >
> > > The server is a standard Intel Xeon (E3-1220V2, 4 Cores, 3.10 GHz)
> > > with 4 GByte of memory and 4 1 Gbit/s ethernet copper Intel nics
> > > (driver em).
> > >
> > > Where is the problem? Can't the nics handle more packets/second?
> > > How can I check for this? If I connect a client system directly to
> > > the dedicated system, the response times are better.
> > >
> > > Thanks for your help,
> > > Patrick
> >
> > In addition to dmesg, could you please provide the following
> > information:
> >
> > $ pfctl -si
> > $ sysctl kern.netlivelocks
> >
> > and interrupt statistics (by systat for example) would be helpful.
> >
> > Thanks!
> > --
> > Regards,
> > Ville
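The two concrete changes proposed in this thread, a larger state limit and priq queues that let empty ACKs overtake bulk data, fit in a short pf.conf fragment. What follows is an added example, not a configuration anyone in the thread posted: a script that writes the fragment in OpenBSD 5.2 altq syntax and runs `pfctl -nf` on it before anything is loaded. The interface roles (em0 campus side, em1 cluster side), the 100000 limit, the 1000Mb figure and the 5900:5999 VNC port range are assumptions. Two caveats a practitioner would want: queueing only changes anything on a link that actually saturates, and whether the campus port fills up in sub-second bursts is something the 5-second bwm-ng figures cannot show; and this is the pre-5.5 altq language, so it does not load on current releases.

```sh
#!/bin/sh
# stage_pf_tuning.sh -- added example, not a config from the thread.
# Emits a pf.conf fragment (OpenBSD 5.2 altq syntax, assumed interface
# roles) and syntax-checks it with pfctl before it goes near pf.conf.

pf_fragment() {
    cat <<'EOF'
ext_if = "em0"    # campus network, 300 VNC clients (assumed)
int_if = "em1"    # dedicated switch, 8 Linux servers (assumed)

# Default is 10000. Size to real concurrent sessions plus headroom; each
# state costs kernel memory, so "as large as possible" is not free.
set limit { states 100000, src-nodes 100000 }

# Strict priority queueing on the campus side only: framebuffer bulk from
# the cluster and the servers' ACKs for client input both leave here.
altq on $ext_if priq bandwidth 1000Mb queue { q_dflt, q_ack }
queue q_dflt priority 1 priq(default)
queue q_ack  priority 7

# The rule that creates the state picks the queue, and the queue applies
# to matching packets leaving $ext_if. With two queues named, pf sends TCP
# ACKs carrying no payload (and lowdelay-TOS packets) to the second one.
pass in on $ext_if inet proto tcp to $int_if:network port 5900:5999 \
    queue (q_dflt, q_ack)
pass out on $int_if inet proto tcp to $int_if:network port 5900:5999
EOF
}

# stage_fragment [FILE] -> writes the fragment to FILE (default under /tmp),
# runs pfctl's parse-only check when pfctl is present, prints the file name.
# Loading it for real is a separate, deliberate step: pfctl -f FILE.
stage_fragment() {
    f=${1:-/tmp/pf.tuning.conf}
    pf_fragment > "$f"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$f" || { echo "syntax error in $f" >&2; return 1; }
    fi
    printf '%s\n' "$f"
}

# fragment_state_limit -> the states hard limit the fragment would set,
# read back from the text so a typo in the number is caught before loading
fragment_state_limit() {
    pf_fragment | awk '$1 == "set" && $2 == "limit" {
        for (i = 1; i <= NF; i++)
            if ($i == "states") { sub(",", "", $(i+1)); print $(i+1); exit } }'
}

stage_fragment
```

After loading, `pfctl -s queue -v` shows per-queue packet counts; if q_ack stays at zero while users still complain, the ACKs are not what is waiting, and the bottleneck is elsewhere.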
Re: Firewall: Where is the bottleneck?
Hi Ville,

> $ pfctl -si

Status: Enabled for 597 days 07:40:45           Debug: err

Interface Stats for em0              IPv4             IPv6
  Bytes In                 30397895135138       4212405499
  Bytes Out               358299989496464               64
  Packets In
    Passed                  1542753124920
    Blocked                      92254910         29098377
  Packets Out
    Passed                  2808765165391
    Blocked                         32530

State Table                          Total             Rate
  current entries                      133
  searches                    870381294462        16865.1/s
  inserts                        716973517           13.9/s
  removals                       716973384           13.9/s
Counters
  match                          853853991           16.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              3            0.0/s
  memory                              8764            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             1            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                    197237            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

> $ sysctl kern.netlivelocks

kern.netlivelocks=2

What does this mean? I found something like a deadlock, when two
processes block each other, am I right?

> and interrupt statistics (by systat for example) would be helpful.

You mean during peak load. I will send it on Monday.

Best Regards,
Patrick

OpenBSD 5.2 (GENERIC.MP) #368: Wed Aug 1 10:04:49 MDT 2012
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4265099264 (4067MB)
avail mem = 4129193984 (3937MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb4c0 (55 entries)
bios0: vendor American Megatrends Inc. version 2.0b date 09/17/2012
bios0: Supermicro X9SCI/X9SCA
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT PRAD SPMI SSDT SSDT EINJ ERST HEST BERT
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) UAR2(S4) P0P1(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) USB6(S4) USB7(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) PXSX(S4) RP08(S4) PEGP(S4) PEG0(S4) PEG1(S4) PEG2(S4) PEG3(S4) GLAN(S4) EHC1(S4) EHC2(S4) HDEF(S4) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.50 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz, 3100.02 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 6 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus 2 (RP05)
acpiprt7 at acpi0: bus 3 (RP06)
Re: Firewall cluster.
On Wed, 09 Jul 2014 20:33:47 +0200, Mxher <o...@mxher.fr> wrote:
> Hello,
>
> I'm doing a few more tests and now I'm wondering if this is possible
> to disallow CARP to have some resources on serverA and others on
> serverB?

You can use ifstated to implement your own logic.

I have a pair of firewalls, the first is the normal master, the second
is the backup. If a problem occurs on the first, carp allows the second
to become master. But then, ifstated running on the first fw disallows
carp to prevent it from becoming master again (even if a problem occurs
on the second). To make the first master again, someone must, by hand,
check the situation and enable carp on it. This is because the failover
depends on some BGP sessions here.

Regards,
Re: Firewall cluster.
First, thanks for trying to help!

On 09/07/2014 07:08, Remi Locherer wrote:
> On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
> > Hello again,
> >
> > I'm doing a few more tests and now I'm wondering if this is possible
> > to disallow CARP to have some resources on serverA and others on
> > serverB?
>
> Have you set the sysctl net.inet.carp.preempt=1?

Yes it is.

> > Here are my tests (advbase=1 and advskew=0 for every interface on
> > both servers):
>
> advskew should be different on master from backup. Try advskew=200 on
> obsd2.
>
> Please read man carp. The first example is exactly what you need.

It's not; I will describe my tests more precisely (sorry for the long
post again):

1) Initial state

root@obsd1:~# sysctl -a|grep net.inet.carp.preempt
net.inet.carp.preempt=1
root@obsd2:~# sysctl -a|grep net.inet.carp.preempt
net.inet.carp.preempt=1

root@obsd1:~# ifconfig HA|grep carp:
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
        carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
        carp: BACKUP carpdev em3 vhid 4 advbase 1 advskew 200

2) Unplug of em3 on obsd1: the failover is done as expected

root@obsd1:~# ifconfig HA|grep carp:
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 0
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0
        carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 0
        carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 200
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 200
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 200
        carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200

3) (re)Plug of em3 on obsd1: resources get back on obsd1 because of the
advskew greater on obsd2 (this is the exact purpose of advskew, and I
want to avoid it, but I did it to show you).

root@obsd1:~# ifconfig HA|grep carp:
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
        carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
        carp: BACKUP carpdev em3 vhid 4 advbase 1 advskew 200

4) Unplug of em2 on obsd2 AND unplug of em3 on obsd1: resources get
mixed between the two nodes. I don't think this is a bug, it seems to
be designed to act like this and I can understand why. But, in my case,
I must avoid that.

root@obsd1:~# ifconfig HA|grep carp:
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0
root@obsd2:~# ifconfig HA|grep carp:
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
        carp: INIT carpdev em2 vhid 3 advbase 1 advskew 200
        carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200
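The mixed state in test 4 is detectable from exactly the `carp:` lines shown, and a detector is the piece an ifstated rule (as in the reply above) would act on. What follows is an added example for this thread, not code anyone posted. It classifies the cluster as consistent (every vhid mastered by one node), split (masters on both nodes) or outage (a vhid with no master on either side), and lists the local carpdevs whose carp interface sits in INIT. The samples are the listings from tests 2 and 4 above plus one constructed double-fault; node names obsd1/obsd2 follow the thread. One caveat the classification makes visible: in test 4 neither node can serve all four vhids, so any rule that forces everything onto one node trades the split for an outage on the network behind that node's dead link, which is why the reply above leaves re-enabling carp to a human.

```sh
#!/bin/sh
# carp_split_check.sh -- added example, not code from the thread.
# Classifies a two-node CARP cluster from the "carp:" lines of ifconfig.

# `ifconfig HA | grep carp:` on both nodes during test 2 (from the thread)
OBSD1_T2='carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 0
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 0
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0'
OBSD2_T2='carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 200
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 200
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 200
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200'
# same during test 4 (em3 down on obsd1, em2 down on obsd2)
OBSD1_T4='carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 0'
OBSD2_T4='carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: INIT carpdev em2 vhid 3 advbase 1 advskew 200
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 200'
# constructed: em3 down on both nodes, so nobody can serve vhid 4
OBSD2_DBL='carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 200
carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 200
carp: INIT carpdev em3 vhid 4 advbase 1 advskew 200'

# carp_vhids NODE TEXT -> "vhid state node" per carp interface; full
# ifconfig output works too, only the "carp:" lines are looked at
carp_vhids() {
    printf '%s\n' "$2" | awk -v node="$1" '$1 == "carp:" {
        for (i = 1; i <= NF; i++) if ($i == "vhid") print $(i+1), $2, node }'
}

# carp_dead TEXT -> carpdevs whose carp interface is in INIT (link down)
carp_dead() {
    printf '%s\n' "$1" | awk '$1 == "carp:" && $2 == "INIT" {
        for (i = 1; i <= NF; i++) if ($i == "carpdev") print $(i+1) }'
}

# cluster_verdict NODE1 TEXT1 NODE2 TEXT2 -> outage | split | consistent
cluster_verdict() {
    { carp_vhids "$1" "$2"; carp_vhids "$3" "$4"; } | awk '
        { seen[$1] = 1; if ($2 == "MASTER") { owner[$1] = $3; nodes[$3] = 1 } }
        END {
            for (v in seen) if (!(v in owner)) { print "outage"; exit }
            n = 0; for (k in nodes) n++
            if (n > 1) print "split"; else print "consistent"
        }'
}

# local_verdict TEXT -> what one node can tell by itself: all | none | some
# ("some" is the condition an ifstated rule on that node would react to)
local_verdict() {
    carp_vhids self "$1" | awk '
        { total++; if ($2 == "MASTER") m++ }
        END { if (m == total) print "all"; else if (m == 0) print "none"; else print "some" }'
}

# Live use, on one node:   local_verdict "$(ifconfig HA)"
# Across both nodes:       cluster_verdict obsd1 "$(ifconfig HA)" obsd2 "$(ssh obsd2 ifconfig HA)"
cluster_verdict obsd1 "$OBSD1_T4" obsd2 "$OBSD2_T4"
```

The knob an ifstated action would turn on the "some" node is the group demotion counter (`ifconfig -g carp carpdemote N`); the counter is added to the advskew the node advertises, so N has to outweigh the peer's advskew (200 here) for the peer to win every vhid, and `-carpdemote N` is the manual step that lets the node compete again.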
Re: Firewall cluster.
On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
> Hello again,
>
> I'm doing a few more tests and now I'm wondering if this is possible
> to disallow CARP to have some resources on serverA and others on
> serverB?

Have you set the sysctl net.inet.carp.preempt=1?

> Here are my tests (advbase=1 and advskew=0 for every interface on
> both servers):

advskew should be different on master from backup. Try advskew=200 on
obsd2.

Please read man carp. The first example is exactly what you need.

> * Initial state
>
> root@obsd1:~# ifconfig HA |grep status
>         status: master
>         status: master
>         status: master
>         status: master
> root@obsd2:~# ifconfig HA |grep status
>         status: backup
>         status: backup
>         status: backup
>         status: backup
>
> * I unplugged em2 and em3 on obsd2 and em1 on obsd1:
>
> root@obsd1:~# ifconfig HA |grep status
>         status: master
>         status: invalid
>         status: master
>         status: master
> root@obsd2:~# ifconfig HA |grep status
>         status: backup
>         status: master
>         status: invalid
>         status: invalid
>
> obsd2 became master for em1 while obsd1 is master for everything
> else. Is there any (proper and automatic) way to avoid that ? I know
> that kind of situation will not happen often but...
>
> Thanks again!
>
> On 06/07/2014 13:13, Mxher wrote:
> > On 06/07/2014 12:05, Otto Moerbeek wrote:
> > > On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
> > > > The sysctl for carp.preempt controls if they should all fail at
> > > > the same time.
> > >
> > > read carp(4). It contains answers to some questions asked.
> > >
> > > 	-Otto
> > >
> > > > On 6 Jul 2014 10:12, Adam Thompson <athom...@athompso.net> wrote:
> > > > > I recall someone pointing out that interface groups of carp
> > > > > interfaces will all transition simultaneously. I find
> > > > > ifconfig(8) inconclusive; run your own tests and if that
> > > > > works, you have a built-in solution for keeping all the carp
> > > > > interfaces in sync. Then, use ifstated to manage the pppoe
> > > > > interfaces depending on ifstate of the relevant wan interface?
> > > > > You could set up a carp interface with no IP address bound,
> > > > > set it into the common if group and it would go up/down with
> > > > > the other carp ifs. Maybe. I haven't tried anything like that
> > > > > myself.
> > > > > -Adam
> >
> > I ran some tests and this is working as expected! The only thing I
> > see is that there will be no group failback if it is a virtual carp
> > interface which goes down. To be clear, if the parent interface of
> > carp2 goes down the whole group will switch, but not if carp2 goes
> > down by itself (by an admin mistake for example):
> >
> > * initial states
> >
> > root@obsd1: ~# sysctl -a|grep preem
> > net.inet.carp.preempt=1
> > root@obsd1:~# ifconfig HA |grep status
> >         status: master
> >         status: master
> >         status: master
> >         status: master
> > root@obsd2:~# sysctl -a|grep preem
> > net.inet.carp.preempt=1
> > root@obsd2:~# ifconfig HA |grep status
> >         status: backup
> >         status: backup
> >         status: backup
> >         status: backup
> >
> > * states with carp2 down on obsd1
> >
> > root@obsd1:~# ifconfig carp2 down
> > root@obsd1:~# ifconfig HA |grep status
> >         status: master
> >         status: master
> >         status: invalid
> >         status: master
> > root@obsd2:~# ifconfig HA |grep status
> >         status: backup
> >         status: backup
> >         status: master
> >         status: backup
> >
> > * also unfortunately when carp2 goes UP again on obsd1 it still
> >   remains on obsd2:
> >
> > root@obsd1:~# ifconfig carp2 up
> > root@obsd1:~# ifconfig HA |grep status
> >         status: master
> >         status: master
> >         status: backup
> >         status: master
> > root@obsd2:~# ifconfig HA |grep status
> >         status: backup
> >         status: backup
> >         status: master
> >         status: backup
> >
> > Anyway I think this is an acceptable risk.
> >
> > @Adam: I will now try to use ifstated to manage pppoe interfaces
> > like you suggest.
> >
> > Thanks to every one of you.
Re: Firewall cluster.
Hello again,

I'm doing a few more tests and now I'm wondering if this is possible to
disallow CARP to have some resources on serverA and others on serverB?

Here are my tests (advbase=1 and advskew=0 for every interface on both
servers):

* Initial state

root@obsd1:~# ifconfig HA |grep status
        status: master
        status: master
        status: master
        status: master
root@obsd2:~# ifconfig HA |grep status
        status: backup
        status: backup
        status: backup
        status: backup

* I unplugged em2 and em3 on obsd2 and em1 on obsd1:

root@obsd1:~# ifconfig HA |grep status
        status: master
        status: invalid
        status: master
        status: master
root@obsd2:~# ifconfig HA |grep status
        status: backup
        status: master
        status: invalid
        status: invalid

obsd2 became master for em1 while obsd1 is master for everything else.
Is there any (proper and automatic) way to avoid that ? I know that
kind of situation will not happen often but...

Thanks again!

On 06/07/2014 13:13, Mxher wrote:
> On 06/07/2014 12:05, Otto Moerbeek wrote:
> > On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
> > > The sysctl for carp.preempt controls if they should all fail at
> > > the same time.
> >
> > read carp(4). It contains answers to some questions asked.
> >
> > 	-Otto
> >
> > > On 6 Jul 2014 10:12, Adam Thompson <athom...@athompso.net> wrote:
> > > > I recall someone pointing out that interface groups of carp
> > > > interfaces will all transition simultaneously. I find
> > > > ifconfig(8) inconclusive; run your own tests and if that works,
> > > > you have a built-in solution for keeping all the carp
> > > > interfaces in sync. Then, use ifstated to manage the pppoe
> > > > interfaces depending on ifstate of the relevant wan interface?
> > > > You could set up a carp interface with no IP address bound, set
> > > > it into the common if group and it would go up/down with the
> > > > other carp ifs. Maybe. I haven't tried anything like that
> > > > myself.
> > > > -Adam
>
> I ran some tests and this is working as expected! The only thing I
> see is that there will be no group failback if it is a virtual carp
> interface which goes down. To be clear, if the parent interface of
> carp2 goes down the whole group will switch, but not if carp2 goes
> down by itself (by an admin mistake for example):
>
> * initial states
>
> root@obsd1:~# sysctl -a|grep preem
> net.inet.carp.preempt=1
> root@obsd1:~# ifconfig HA |grep status
>         status: master
>         status: master
>         status: master
>         status: master
> root@obsd2:~# sysctl -a|grep preem
> net.inet.carp.preempt=1
> root@obsd2:~# ifconfig HA |grep status
>         status: backup
>         status: backup
>         status: backup
>         status: backup
>
> * states with carp2 down on obsd1
>
> root@obsd1:~# ifconfig carp2 down
> root@obsd1:~# ifconfig HA |grep status
>         status: master
>         status: master
>         status: invalid
>         status: master
> root@obsd2:~# ifconfig HA |grep status
>         status: backup
>         status: backup
>         status: master
>         status: backup
>
> * also unfortunately when carp2 goes UP again on obsd1 it still
>   remains on obsd2:
>
> root@obsd1:~# ifconfig carp2 up
> root@obsd1:~# ifconfig HA |grep status
>         status: master
>         status: master
>         status: backup
>         status: master
> root@obsd2:~# ifconfig HA |grep status
>         status: backup
>         status: backup
>         status: master
>         status: backup
>
> Anyway I think this is an acceptable risk.
>
> @Adam: I will now try to use ifstated to manage pppoe interfaces like
> you suggest.
>
> Thanks to every one of you.
Re: Firewall cluster.
On 05/07/2014 22:37, sven falempin wrote:
> read the FAQ, don't forget to sync the states and use ifstated to
> change the modem state when switching master fw.

Actually I read it but I didn't notice ifstated; after a quick look it
seems quite interesting. Thank you.
Re: Firewall cluster.
On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> On 05-07-2014 16:20, Mxher wrote:
> > 1) Can I group multiple virtual ips to make them switch all at the
> > same time using CARP ?
>
> AFAIK, no. But you can use ifstated.

I have to admit that I didn't know about ifstated; I will test it.

> > 2) About modem interfaces, I can't have them UP on both firewalls at
> > the same time. How would you manage that?
>
> You're dialing to your modems using pppoe? If so, then no, you
> probably can't have both of them up, even with carp. If you could
> change your configuration for routing instead, you could use carp on
> your external interface to talk with your modems.

Yes, unfortunately I have to use pppoe on two (of the five) modems.

> Cheers,

Thanks for your answer!
Re: Firewall cluster.
On July 6, 2014 2:51:03 AM CDT, Mxher <o...@mxher.fr> wrote:
> On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> > On 05-07-2014 16:20, Mxher wrote:
> > > 1) Can I group multiple virtual ips to make them switch all at the
> > > same time using CARP ?
> >
> > AFAIK, no. But you can use ifstated.
>
> I have to admit that I didn't know about ifstated; I will test it.
>
> > > 2) About modem interfaces, I can't have them UP on both firewalls
> > > at the same time. How would you manage that?
> >
> > You're dialing to your modems using pppoe? If so, then no, you
> > probably can't have both of them up, even with carp. If you could
> > change your configuration for routing instead, you could use carp on
> > your external interface to talk with your modems.
>
> Yes, unfortunately I have to use pppoe on two (of the five) modems.
>
> > Cheers,
>
> Thanks for your answer!

I recall someone pointing out that interface groups of carp interfaces
will all transition simultaneously. I find ifconfig(8) inconclusive; run
your own tests and if that works, you have a built-in solution for
keeping all the carp interfaces in sync.

Then, use ifstated to manage the pppoe interfaces depending on ifstate
of the relevant wan interface?

You could set up a carp interface with no IP address bound, set it into
the common if group and it would go up/down with the other carp ifs.
Maybe. I haven't tried anything like that myself.

-Adam
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Firewall cluster.
The sysctl for carp.preempt controls if they should all fail at the
same time.

On 6 Jul 2014 10:12, Adam Thompson <athom...@athompso.net> wrote:
> On July 6, 2014 2:51:03 AM CDT, Mxher <o...@mxher.fr> wrote:
> > On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> > > On 05-07-2014 16:20, Mxher wrote:
> > > > 1) Can I group multiple virtual ips to make them switch all at
> > > > the same time using CARP ?
> > >
> > > AFAIK, no. But you can use ifstated.
> >
> > I have to admit that I didn't know about ifstated; I will test it.
> >
> > > > 2) About modem interfaces, I can't have them UP on both
> > > > firewalls at the same time. How would you manage that?
> > >
> > > You're dialing to your modems using pppoe? If so, then no, you
> > > probably can't have both of them up, even with carp. If you could
> > > change your configuration for routing instead, you could use carp
> > > on your external interface to talk with your modems.
> >
> > Yes, unfortunately I have to use pppoe on two (of the five) modems.
> >
> > > Cheers,
> >
> > Thanks for your answer!
>
> I recall someone pointing out that interface groups of carp interfaces
> will all transition simultaneously. I find ifconfig(8) inconclusive;
> run your own tests and if that works, you have a built-in solution for
> keeping all the carp interfaces in sync.
>
> Then, use ifstated to manage the pppoe interfaces depending on ifstate
> of the relevant wan interface?
>
> You could set up a carp interface with no IP address bound, set it
> into the common if group and it would go up/down with the other carp
> ifs. Maybe. I haven't tried anything like that myself.
>
> -Adam
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Firewall cluster.
On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
> The sysctl for carp.preempt controls if they should all fail at the
> same time.

read carp(4). It contains answers to some questions asked.

	-Otto

> On 6 Jul 2014 10:12, Adam Thompson <athom...@athompso.net> wrote:
> > On July 6, 2014 2:51:03 AM CDT, Mxher <o...@mxher.fr> wrote:
> > > On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> > > > On 05-07-2014 16:20, Mxher wrote:
> > > > > 1) Can I group multiple virtual ips to make them switch all at
> > > > > the same time using CARP ?
> > > >
> > > > AFAIK, no. But you can use ifstated.
> > >
> > > I have to admit that I didn't know about ifstated; I will test it.
> > >
> > > > > 2) About modem interfaces, I can't have them UP on both
> > > > > firewalls at the same time. How would you manage that?
> > > >
> > > > You're dialing to your modems using pppoe? If so, then no, you
> > > > probably can't have both of them up, even with carp. If you
> > > > could change your configuration for routing instead, you could
> > > > use carp on your external interface to talk with your modems.
> > >
> > > Yes, unfortunately I have to use pppoe on two (of the five)
> > > modems.
> > >
> > > > Cheers,
> > >
> > > Thanks for your answer!
> >
> > I recall someone pointing out that interface groups of carp
> > interfaces will all transition simultaneously. I find ifconfig(8)
> > inconclusive; run your own tests and if that works, you have a
> > built-in solution for keeping all the carp interfaces in sync.
> >
> > Then, use ifstated to manage the pppoe interfaces depending on
> > ifstate of the relevant wan interface?
> >
> > You could set up a carp interface with no IP address bound, set it
> > into the common if group and it would go up/down with the other carp
> > ifs. Maybe. I haven't tried anything like that myself.
> >
> > -Adam
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Firewall cluster.
On 06/07/2014 12:05, Otto Moerbeek wrote:
> On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
> > The sysctl for carp.preempt controls if they should all fail at the
> > same time.
>
> read carp(4). It contains answers to some questions asked.
>
> 	-Otto
>
> > On 6 Jul 2014 10:12, Adam Thompson athom...@athompso.net wrote:
> > > I recall someone pointing out that interface groups of carp
> > > interfaces will all transition simultaneously. I find ifconfig(8)
> > > inconclusive; run your own tests and if that works, you have a
> > > built-in solution for keeping all the carp interfaces in sync.
> > >
> > > Then, use ifstated to manage the pppoe interfaces depending on
> > > ifstate of the relevant wan interface?
> > >
> > > You could set up a carp interface with no IP address bound, set it
> > > into the common if group and it would go up/down with the other
> > > carp ifs. Maybe. I haven't tried anything like that myself.
> > >
> > > -Adam

I ran some tests and this is working as expected! The only thing I see
is that there will be no group failback if it is a virtual carp
interface which goes down.

To be clear: if the parent interface of carp2 goes down, the whole group
will switch, but not if carp2 goes down by itself (by an admin mistake,
for example):

* initial states

root@obsd1:~# sysctl -a|grep preem
net.inet.carp.preempt=1
root@obsd1:~# ifconfig HA |grep status
        status: master
        status: master
        status: master
        status: master

root@obsd2:~# sysctl -a|grep preem
net.inet.carp.preempt=1
root@obsd2:~# ifconfig HA |grep status
        status: backup
        status: backup
        status: backup
        status: backup

* states with carp2 down on obsd1

root@obsd1:~# ifconfig carp2 down
root@obsd1:~# ifconfig HA |grep status
        status: master
        status: master
        status: invalid
        status: master

root@obsd2:~# ifconfig HA |grep status
        status: backup
        status: backup
        status: master
        status: backup

* also, unfortunately, when carp2 goes UP again on obsd1 it still
  remains on obsd2:

root@obsd1:~# ifconfig carp2 up
root@obsd1:~# ifconfig HA |grep status
        status: master
        status: master
        status: backup
        status: master

root@obsd2:~# ifconfig HA |grep status
        status: backup
        status: backup
        status: master
        status: backup

Anyway I think this is an acceptable risk.

@Adam: I will now try to use ifstated to manage pppoe interfaces like
you suggest.

Thanks to every one of you.
Re: Firewall cluster.
On Sat, Jul 5, 2014 at 3:20 PM, Mxher o...@mxher.fr wrote:
> Hello everyone,
>
> At work we are using a firewall cluster of two Linux servers but I'm
> trying to change this; especially to replace iptables/netfilter by pf
> (mostly for performance and 'easy to maintain' reasons).
>
> Here is the thing: right now if the active node is seen dead, all
> resources will switch to the other node (via pacemaker/heartbeat); here
> are the resources managed:
> - virtual IPs,
> - firewall's configuration,
> - routes,
> - ADSL modems (in bridge mode) interfaces.
>
> So here are my issues:
> 1) Can I group multiple virtual IPs to make them switch all at the same
> time using CARP ?
> 2) About modem interfaces, I can't have them UP on both firewalls at
> the same time. How would you manage that?
>
> Currently, I'm thinking about making CARP listen on a dedicated
> interface (directly connected between the two servers) and managing
> everything by the up/down scripts. But with that kind of solution there
> will be no failover if another interface goes down on the active node.
>
> Maybe I'm missing something obvious here, in that case please don't hit
> me too hard ;)
>
> Thanks!

read the FAQ, don't forget to sync the states and use ifstated to change
the modem state when switching master fw.

--
- () ascii ribbon campaign - against html e-mail
/\
Re: Firewall cluster.
On 05-07-2014 16:20, Mxher wrote:
> 1) Can I group multiple virtual IPs to make them switch all at the same
> time using CARP ?

AFAIK, no. But you can use ifstated.

> 2) About modem interfaces, I can't have them UP on both firewalls at
> the same time. How would you manage that?

You're dialing to your modems using pppoe? If so, then no, you probably
can't have both of them up, even with carp. If you could change your
configuration for routing instead, you could use carp on your external
interface to talk with your modems.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: firewall not catching?
You need to provide more information about your situation to be able to
help you. dmesg, pf ruleset, network config., etc.

-luis

On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu wrote:
> Hi,
>
> Were there any bugfixes between 5.0 and 5.1 that would allow certain
> packets through the pf filter? I have a case where I cannot block a
> certain IP on a 5.0 box. I tested that same IP on a 5.1 box with a
> spoofer and I found my same rules to catch, so it's not my logic I
> don't think.
>
> I tested with tcpdump, netcat, and custom software.
>
> Any hint would be nice,
>
> -peter
Re: firewall not catching?
On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
> You need to provide more information about your situation to be able
> to help you. dmesg, pf ruleset, network config., etc.
>
> -luis

Due to the sensitivity of the host I cannot do that. But I'll tell you
what I will do. Upgrade. Perhaps by next week even. I'll let you know if
the problem persists then, and perhaps I'll even get an OK to share the
hardware data by then.

I understand you can't help me much more, thanks anyways...

Regards,

-peter

> On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu wrote:
> > [...]
Re: firewall not catching?
I would take steps to see if another rule is being matched when you see
the flaw?

Brian

On Jul 9, 2012 12:28 PM, Peter J. Philipp p...@centroid.eu wrote:
> On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
> > [...]
>
> Due to the sensitivity of the host I cannot do that. But I'll tell you
> what I will do. Upgrade. Perhaps by next week even. I'll let you know
> if the problem persists then, and perhaps I'll even get an OK to share
> the hardware data by then.
>
> [...]
Re: firewall not catching?
Use 'pfctl -vvss' to see which rule it is matching on. I bet you have a
rule that matches that traffic.

On 2012 Jul 09 (Mon) at 20:34:55 +0200 (+0200), Peter J. Philipp wrote:
:Hi,
:
:Were there any bugfixes between 5.0 and 5.1 that would allow certain
:packets through the pf filter? I have a case where I cannot block a
:certain IP on a 5.0 box. I tested that same IP on a 5.1 box with a
:spoofer and I found my same rules to catch, so it's not my logic I
:don't think.
:
:I tested with tcpdump, netcat, and custom software.
:
:Any hint would be nice,
:
:-peter
:

--
43rd Law of Computing:
	Anything that can go wr
fortune: Segmentation violation -- Core dumped
Re: firewall not catching?
On Mon, Jul 09, 2012 at 10:21:47PM +0200, Peter Hessler wrote:
> Use 'pfctl -vvss' to see which rule it is matching on. I bet you have a
> rule that matches that traffic.

That was the hint I needed. Thanks! It did cross my mind and I did dump
the states before, but I must have missed that IP in there.

-peter
Re: Firewall problem
- Original Message -
| Hi All,
|
| I've been battling this issue for a couple of days now and I'm hoping
| someone might have a possible fix for it. Any help is greatly
| appreciated.
|
| I have a workstation which is on a network routed through a VPN client
| device.
| The clients are on VLAN 304 with an address range of 192.168.18.0 -
| 192.168.18.128 (192.168.18.0/25).
| This VPN client device is connected to a VPN concentrator.
| The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
| The upper 128 IP addresses are also in VLAN 304 but have a
| default route of 192.168.18.254.
| I have an OpenBSD bridge / firewall with several VLANs on it. It
| bridges VLANs provided by Network Services, who have recently taken
| over our routing, and our VLANs.
| The bridge VLANs in question are as follows:
|
| Network Services    Our VLAN
| 310                 300        = bridge300
| 314                 304        = bridge304
|
|
| The problem is that traffic from a host on the 192.168.18.0/25
| (192.168.18.90) seems to be getting blocked by my rules. For example,
| if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| (192.168.18.90) the packet is dropped as it is found to match my
| default block rule for traffic passing to the public side of the
| bridge.
|
| If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| to 192.168.1.254 traffic passes. It also passes if I remove the
| default block rule.
| It also looks like every packet is passing through the firewall twice,
| in and out, but the second packet is the one being blocked.
|
| Block logs: Attempt to connect to a web server
| ---
| Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos
| 0x10]
|
|
| Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| ---
| Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
|
|
| PF Rules
| =
| NS_LAN1=vlan310
| NS_LAN2=vlan314
| LAN1=vlan300
| LAN2=vlan304
|
| <snip>
| # don't do any filtering on these devices
| # only public side is filtered since you only
| # need to filter on one side of the bridge
| set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
|
| # scrub incoming packets
| match in all scrub (no-df)
|
| # block any host deemed for whatever reason to be bad
| # be meaner and just drop them which will use resources
| # of the attacker slightly longer
| block drop from <bad_hosts>
| block drop from <blacklist_hosts>
|
| # By default, do not permit remote connections to X11
| # all X11 traffic should be tunnelled through SSH
| block in quick on ! lo0 proto tcp to port 6000:6010
|
| # Allow ping and traceroute through
| pass quick log (to pflog1) inet proto icmp from any to any icmp-type
| echoreq keep state
|
| # traffic from these hosts should never be blocked
| pass quick from <whitelist_hosts>
| pass to <whitelist_hosts>
|
| ### LAN1 RULES ###
| ###
| # Block access to FASNET
| block in log on $NS_LAN1 all
|
| # use modulate state to generate stronger ISNs on outgoing packets
| # for OSs that don't already generate them
| pass out quick log (to pflog1) on $NS_LAN1

I should also mention that I tried adding a pass quick on $NS_LAN1 from
192.168.18.0/25 rule and this did not solve the problem either.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier
Re: Firewall problem
- Original Message -
| - Original Message -
| | Hi All,
| |
| | I've been battling this issue for a couple of days now and I'm
| | hoping someone might have a possible fix for it. Any help is greatly
| | appreciated.
| |
| | [...]
|
| I should also mention that I tried adding a pass quick on $NS_LAN1
| from 192.168.18.0/25 rule and this did not solve the problem either.

Problem solved. No worries.
Move along, nothing to see here.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier
Re: Firewall PF with network alias
Sorry, but PF does not run well on openbsd? Then I do not understand why
I have to go alone to the freebsd lists. Do you understand when someone
needs help with a problem and needs some idea for a solution? I am sorry
to have bothered anyone, but my only intention was to ask for help,
because I thought that was what the list had been created for.

IDEXBSD.

--- On Wed, 25/5/11, Alexander Hall ha...@openbsd.org wrote:

From: Alexander Hall ha...@openbsd.org
Subject: Re: Firewall PF with network alias
To: MArtin Grados Marquina themartin...@yahoo.es
CC: openbsd-mex...@googlegroups.com, openbsd-newb...@sfobug.org,
misc@openbsd.org, usuar...@listas.bsd.cl, bsd-v...@bsd.org.ve,
bsd-p...@listas.bsd-peru.org, openbsd-colom...@googlegroups.com
Date: Wednesday, 25 May 2011, 16:28

On 05/25/11 05:12, MArtin Grados Marquina wrote:
> In the past, I configured a virtual machine with firewall PF in
> FreeBSD 8.1 with three network interfaces (in pf.conf)

1. As sthen@ pointed out, try a FreeBSD list for questions regarding
FreeBSD's PF.

2. You posted my private reply to a mailing list. I do not care much for
this particular mail, but just don't do that.

> --- On Mon, 23/5/11, Alexander Hall ha...@openbsd.org wrote:

3. Also (please read this again as THIS ANNOYS ME THE MOST):

> > 2. Don't cross-post.

Cheers,
Alexander
Re: Firewall PF with network alias
MArtin Grados Marquina themartin...@yahoo.es writes:
> Sorry, but PF does not run well on openbsd? Then I do not understand
> why I have to go alone to the freebsd lists.

There are significant differences between the PF in FreeBSD (equivalent
to OpenBSD 4.1, roughly) and recent OpenBSD versions, meaning that the
correct answer for OpenBSD may not be the correct one for FreeBSD in
quite a few cases I can think of.

In this specific case, at first blush I think your problem is that
you're mixing rc.conf shellscript-isms into your pf.conf, which is not a
shell script. Your rc.conf environment variables are not directly
accessible to the pf.conf parser.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall PF with network alias
On 2011-05-25, MArtin Grados Marquina themartin...@yahoo.es wrote:
> In the past, I configured a virtual machine with firewall PF in
> FreeBSD 8.1

Wrong mailing list. This list is for OpenBSD.
Re: Firewall PF with network alias
On 05/25/11 05:12, MArtin Grados Marquina wrote:
> In the past, I configured a virtual machine with firewall PF in
> FreeBSD 8.1 with three network interfaces (in pf.conf)

1. As sthen@ pointed out, try a FreeBSD list for questions regarding
FreeBSD's PF.

2. You posted my private reply to a mailing list. I do not care much for
this particular mail, but just don't do that.

> --- On Mon, 23/5/11, Alexander Hall ha...@openbsd.org wrote:

3. Also (please read this again as THIS ANNOYS ME THE MOST):

> > 2. Don't cross-post.

Cheers,
Alexander
Re: firewall virtualization using tagging?
On 2011-05-23, Oeschger Patrick patrick.oesch...@bluewin.ch wrote:
> the first experiments were using routing domain coupled with different
> vlans but vlans are limited to 4k+

no, you can stack them. svlan(4) does QinQ with the 802.1AD standard
ethertype (0x88a8).
Re: firewall virtualization using tagging?
stacking (802.11ah/QinQ) is ok for most situations, however it would be
nice to have a SAP style construct (service access port), which
essentially is a logical customer interface - most switch/router vendors
have such a thing.

On 24 May 2011 11:56, Stuart Henderson s...@spacehopper.org wrote:
> On 2011-05-23, Oeschger Patrick patrick.oesch...@bluewin.ch wrote:
> > the first experiments were using routing domain coupled with
> > different vlans but vlans are limited to 4k+
>
> no, you can stack them. svlan(4) does QinQ with the 802.1AD standard
> ethertype (0x88a8).
Re: firewall virtualization using tagging?
On Tue, 24 May 2011 12:33:55 +1200
Joel Wiramu Pauling j...@aenertia.net wrote:
> stacking (802.11ah/QinQ) is ok for most situations, however it would
> be nice to have a SAP style construct (service access port), which
> essentially is a logical customer interface - most switch/router
> vendors have such a thing.

Tags are local to the physical port. So I guess they work like that.

ifconfig vlan1 vlan 234 vlandev em2
ifconfig vlan24123 vlan 234 vlandev em3
Re: Firewall sends wrong MAC address per ARP?
On Tue, 22 Mar 2011 13:01:48 +0100, Marcus Mülbüsch
muelbue...@as-infodienste.de wrote:
> hello,
>
> carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:21
>         priority: 0
>         carp: carpdev bge0 advbase 1 balancing arp carppeer 192.168.3.3
>                 state MASTER vhid 33 advskew 0
>                 state MASTER vhid 133 advskew 100

Why do you have two vhids and with different advskew values?
Re: Firewall sends wrong MAC address per ARP?
On Tue, Mar 22, 2011 at 01:27:39PM +0100, Patrick Lamaiziere wrote:
> On Tue, 22 Mar 2011 13:01:48 +0100, Marcus Mülbüsch
> muelbue...@as-infodienste.de wrote:
> > hello,
> >
> > carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:21
> >         priority: 0
> >         carp: carpdev bge0 advbase 1 balancing arp carppeer 192.168.3.3
> >                 state MASTER vhid 33 advskew 0
> >                 state MASTER vhid 133 advskew 100
>
> Why do you have two vhids and with different advskew values?

carp load balancing, see carp(4), which could explain what is going on
here.

	-Otto
Re: Firewall sends wrong MAC address per ARP?
On 22.03.2011 13:27, Patrick Lamaiziere wrote:
> On Tue, 22 Mar 2011 13:01:48 +0100, Marcus Mülbüsch
> muelbue...@as-infodienste.de wrote:
> > hello,
> >
> > carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:21
> >         priority: 0
> >         carp: carpdev bge0 advbase 1 balancing arp carppeer 192.168.3.3
> >                 state MASTER vhid 33 advskew 0
> >                 state MASTER vhid 133 advskew 100
>
> Why do you have two vhids and with different advskew values?

To set up a second FW with active/active configuration as shown here:

http://www.kernel-panic.it/openbsd/carp/carp4.html#carp-4.2.2

That does work when the second FW is up; however, for testing purposes
this machine is now down.

Marcus
Re: Firewall sends wrong MAC address per ARP?
More Info:

- Neither rebooting the FW nor the linux machine did change anything
- changing the load balancing from arp balancing to ip balancing did not
  change anything.
- At first I thought it might be a problem of the switch and it has an
  old virtual IP address cached. However, the log on the FW does show
  that the machine itself replies to the arp-request, does it not?
- it happened suddenly. I did change a pf-rule and restarted pf; however
  I did not restart networking (AFAIK)
- unfortunately I cannot determine whether the wrong lladdress was used
  as virtual address before. I did not note it down before this
  happened.

Marcus
Re: Firewall sends wrong MAC address per ARP?
On Tue, Mar 22, 2011 at 01:57:36PM +0100, Marcus Mülbüsch wrote:
> More Info:
>
> - Neither rebooting the FW nor the linux machine did change anything
> - changing the load balancing from arp balancing to ip balancing did
>   not change anything.
> - At first I thought it might be a problem of the switch and it has an
>   old virtual IP address cached. However, the log on the FW does show
>   that the machine itself replies to the arp-request, does it not?
> - it happened suddenly. I did change a pf-rule and restarted pf;
>   however I did not restart networking (AFAIK)
> - unfortunately I cannot determine whether the wrong lladdress was
>   used as virtual address before. I did not note it down before this
>   happened.

The lladdr is not wrong. It just happens to be the one for the second
vhid. Since you do arp balancing, the two lladdrs are split among the
various hosts on the lan. Your carp setup runs with two MACs:
00:00:5e:00:01:21 for vhid 33 and 00:00:5e:00:01:85 for vhid 133. So
the MAC addr your linux box got is not wrong.

Does the traffic from the linux box end up on the FW or is the traffic
lost somewhere in between?

--
:wq Claudio
Re: Firewall sends wrong MAC address per ARP?
On 22.03.2011 14:42, Claudio Jeker wrote:
> The lladdr is not wrong. It just happens to be the one for the second
> vhid. Since you do arp balancing, the two lladdrs are split among the
> various hosts on the lan. Your carp setup runs with two MACs:
> 00:00:5e:00:01:21 for vhid 33 and 00:00:5e:00:01:85 for vhid 133. So
> the MAC addr your linux box got is not wrong.
>
> Does the traffic from the linux box end up on the FW or is the traffic
> lost somewhere in between?

Thanks, that helped a lot. I didn't realize that arp balancing with two
vhids necessarily creates two MACs.

Switching between ARP and IP balancing and back again, I'm now back at
ARP balancing. The fw now advertises at 00:00:5e:00:01:85 and reacts to
pings at 192.168.3.1.

Changing the arp table on the linux host to 00:00:5e:00:01:21 with

arp -s 192.168.3.1 00:00:5e:00:01:21

results in the fw reacting to the pings correctly, too.

I should have watched the traffic with tcpdump -e before; however, I
forgot about the usefulness of that switch when watching physical
interfaces. Dumb, but these things happen. Now I see that pings arrive
at the fw and are replied to correctly. All other traffic through the fw
is also routed correctly.

Why it did not work before I cannot say. Something changed, and probably
it was me who did it, but I cannot say what, how and when. diffing the
pf.conf files before and afterwards showed nothing.

Thanks to all,

Marcus
Re: Firewall rules to block unwanted protocols on given ports
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> i only want to allow these connections [on the output chain]:
> on port 53      output only allow udp - dns
> on port 80      output only allow tcp - http
> on port 443     output only allow tcp - https
> on port 993     output only allow tcp - imaps
> on port 465     output only allow tcp - smtps
> on port 22      output only allow tcp - ssh
> on port 20-21   output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194    output only allow udp - OpenVPN
>
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS
> is allowed on port 443 outbound.
>
> Any ideas? :\

Yes. Read pf.conf(4):

	pf(4) has the ability to block, pass, and match packets based on
	attributes of their layer 3 and layer 4 headers.

That sentence contains the answer.

	-Otto
Re: Firewall rules to block unwanted protocols on given ports
On 19 March 2011 10:22, Christiano F. Haesbaert haesba...@haesbaert.org wrote:
> On 19 March 2011 10:05, johhny_at_poland77 johhny_at_polan...@zoho.com wrote:
> > Does somebody have an idea what kind of iptables/pf rule I must use
> > to achieve this?:
>
> iptables is a linux thingy, so it is out of the equation.
>
> > i only want to allow these connections [on the output chain]:
> > on port 53      output only allow udp - dns
> > on port 80      output only allow tcp - http
> > on port 443     output only allow tcp - https
> > on port 993     output only allow tcp - imaps
> > on port 465     output only allow tcp - smtps
> > on port 22      output only allow tcp - ssh
> > on port 20-21   output only allow tcp - ftp
> > on port 989-990 output only allow tcp - ftps
> > on port 1194    output only allow udp - OpenVPN
> >
> > So that e.g.: OpenVPN on port 443 would be blocked, because only
> > HTTPS is allowed on port 443 outbound.
> >
> > Any ideas? :\

To my knowledge pf doesn't do layer 7 filtering, and from what I've
heard that is not a wanted feature, but pf hackers might know it better.
Re: Firewall rules to block unwanted protocols on given ports
On Sat, Mar 19, 2011 at 2:05 PM, johhny_at_poland77 johhny_at_polan...@zoho.com wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> i only want to allow these connections [on the output chain]:
> on port 53      output only allow udp - dns
> on port 80      output only allow tcp - http
> on port 443     output only allow tcp - https
> on port 993     output only allow tcp - imaps
> on port 465     output only allow tcp - smtps
> on port 22      output only allow tcp - ssh
> on port 20-21   output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194    output only allow udp - OpenVPN
>
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS
> is allowed on port 443 outbound.
>
> Any ideas? :\

Yes, write some sort of traffic-classification daemon that uses divert
sockets to pass/deny traffic based on what that traffic is. I will
personally check it in to the ports system once you are done and it has
undergone a complete audit.
Re: Firewall rules to block unwanted protocols on given ports
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> i only want to allow these connections [on the output chain]:
> on port 53      output only allow udp - dns
> on port 80      output only allow tcp - http
> on port 443     output only allow tcp - https
> on port 993     output only allow tcp - imaps
> on port 465     output only allow tcp - smtps
> on port 22      output only allow tcp - ssh
> on port 20-21   output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194    output only allow udp - OpenVPN
>
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS
> is allowed on port 443 outbound.

You can't do that with pf, since it doesn't look at the content of
packets.

For some of these protocols, you can easily send traffic to a proxy on
the firewall machine; this can, for instance, be used to make sure that
everything going over port 80 is HTTP. See ftp-proxy(8). I know of no
such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install
something like net/snort or net/bro and send angry mail to everyone who
shows up in the logs.

On the other hand, if you believe that restricting traffic to specific
protocols makes it impossible to get arbitrary data out of your network,
look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim

--
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/
Re: Firewall rules to block unwanted protocols on given ports
On 19 Mar 2011, at 09:05, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> i only want to allow these connections [on the output chain]:
> on port 53 output only allow udp - dns

TCP also needs to be allowed for DNS (to allow for large DNSSEC packets).

Michael
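The outbound policy asked for in this thread, written as a pf.conf fragment. This is an added example, not from any poster, and it assumes the egress interface is em0; it shows what pf can express (one transport protocol per destination port, which does drop OpenVPN on udp/443), adds the TCP/53 allowance Michael mentions, and notes in the comments what pf cannot see at layer 3/4.

```pf
# Added example (not from the thread): one transport protocol per
# destination port for outbound traffic. Assumes em0 is the egress
# interface; the port list is the one from the original question.
ext_if = "em0"

# Services that may only use TCP: ftp, ssh, http, https, smtps, ftps, imaps.
tcp_ports = "{ 20:21, 22, 80, 443, 465, 989:990, 993 }"
# Services that may only use UDP: dns, OpenVPN.
udp_ports = "{ 53, 1194 }"

set skip on lo

# Default deny in both directions; log drops so any other port/protocol
# combination shows up on pflog0.
block log all

# Permit only the listed port/protocol pairs. State is created for each
# connection, so replies come back in without extra pass-in rules.
pass out on $ext_if proto tcp to any port $tcp_ports modulate state
pass out on $ext_if proto udp to any port $udp_ports keep state

# DNS over TCP is needed as well (truncated answers, large DNSSEC records).
pass out on $ext_if proto tcp to any port 53

# What this does and does not achieve:
#  - OpenVPN configured for udp/443 is dropped: 443 is only open for TCP.
#  - OpenVPN configured for tcp/443 passes: pf matches on layer 3/4
#    headers only, so it looks exactly like HTTPS. Telling them apart
#    needs a proxy or classifier in front of the port (ftp-proxy(8) for
#    FTP, net/snort or net/bro for detection), as Joachim says.
#  - Passive FTP data connections use ephemeral ports and will not match
#    20:21; use ftp-proxy(8) rather than widening this list.
#
# Check syntax with "pfctl -nf /etc/pf.conf", load with "pfctl -f";
# "pfctl -vvss" shows the states and which rule created each one.
```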