Re: Firewall setup

2024-04-16 Thread Michel von Behr
e defining what it is that you want and FORGET ABOUT interface 1,
> and then 2 for admin, and 3 for NAS, etc.
>
> What is it that you want to do and go from there.
>
> Define your needs and then address them ONE by ONE.
>
> Fix one, test and then go to the next one.
>
> And FORGET ABOUT BRIDGE SETUP PLEASE!!!
>
> You have absolutely NO need for this with what you say so far in any of
> your communications.
>
> Example of thinking.
>
> I see you try to use MANY macros, do you really need that? They are supposed
> to make things simpler to understand and cleaner to read, not more
> complex.
>
> The key to a decent firewall is first to know what it is that you want
> to do, and it looks to me like you still do not know that yet.
>
> I would even say, and have said for many decades, that a good firewall NOT only
> stops incoming traffic, but also stops outgoing traffic. This means: KNOW your
> traffic and let out what you want to go out!
>
> Define your needs first then address them one by one.
>
> So if I continue with my example, I see you did this:
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>
> I would ask again WHY?
>
> If you DO NOT host any services, then you don't need to define any...
>
> Again, it is NOT because you can do something that you should do it.
>
> And IF you would have some, why define them in two places?
>
> Properly defined needs will avoid basic mistakes like this that sooner or
> later WILL bite you in the butt!
>
> And even here, IF I go deeper: if it is only for you, why have both the
> secure one and the insecure one, and even why both POP3 and IMAP? Don't you know
> the configuration of your mail client?
>
> If that was ONLY for you, do you actually set up your mail clients to use
> all of them?
>
> Here I would argue no.
>
> I would very strongly suggest you FIRST start by thinking about what you want to do,
> define your needs, argue them and why you want them. Are they needed?
> Justify them.
>
> After they are defined and you understand why, then and ONLY then would
> you start doing your config for it.
>
> AND you should do one at a time, test, make sure it works the way you
> want it to, then do the next one.
>
> If you have no service you are hosting, then you should simply do a NAT
> setup and that's it as you would have no other needs.
>
> Knowing what you want and why is the key to understanding your setup and
> knowing why you did what you did, and trust me, you will know how to
> maintain it too because you will know what you did and why you did it!
>
> Looks to me like you haven't done the basics yet. Meaning define what you want
> and justify why...
>
> And you sure are trying to do a setup that is way too complicated for your needs,
> and doing that, especially if you go the bridge way, you will think you are
> protected and you will have a Swiss cheese setup big time.
>
> There is nothing worse than a false sense of security.
>
> Now as you can see I didn't suggest ANY configuration, as I see no needs
> in your setup, yet. You haven't given any reason for any specific
> configuration needs.
>
> And last, a VERY important point: if you ask for help, then PROVIDE YOUR
> FULL configuration, NOT what you might think is relevant, as you said you
> don't have the knowledge for it, so don't assume what you send is useful.
>
> If you want people to help you, start by helping them help you and
> give them ALL the information!
>
> Hope this provides you some help from the start, and yes I mean from the
> start.
>
> Define what you want to do and FORGET any configuration until you can
> explain what you want very clearly and simply.
>
> You might be surprised how simple it can be...
>
> Could be as simple as:
>
> match out on egress inet from !(egress:network) to any nat-to egress:0
>
> Here I am not saying to do this. I only typed this as an example to show
> how simple it can possibly be for a NAT setup with no special needs.
>
> Daniel
>
>
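To make Daniel's point concrete, here is what a complete ruleset for the case he describes (clients only, nothing hosted, two interfaces) can look like. This is an added example written for this page, not Daniel's configuration or anything posted in the thread. It reuses Karel's interface names (igc0 to the modem, igc1 to the LAN) and his 192.168.2.0/24 range; the firewall taking 192.168.2.1 and getting its outside address by DHCP are assumptions.

```conf
# /etc/pf.conf -- minimal two-interface routed NAT firewall (added example)
#
# Assumed interface files (hostname.if(5)):
#   /etc/hostname.igc0:   inet autoconf
#   /etc/hostname.igc1:   inet 192.168.2.1 255.255.255.0
# and forwarding enabled:
#   echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

ext_if = "igc0"     # towards the modem; address assigned by DHCP (assumed)
int_if = "igc1"     # the LAN; this box is 192.168.2.1/24 (assumed)

# Addresses that must never appear as source or destination on the
# outside link (same list Karel used, as a table instead of a macro).
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, \
                         192.168.0.0/16, 240.0.0.0/4 }

set skip on lo
set block-policy drop

match in all scrub (no-df random-id max-mss 1440)

# Default deny in both directions; everything that passes is listed below.
block log all

# Nothing spoofed or unroutable across the outside link, and nothing
# claiming a LAN or loopback source address from anywhere but that interface.
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
antispoof quick for { lo $int_if }

# NAT: rewrite the source of LAN traffic leaving on $ext_if to whatever
# address $ext_if currently has; the parentheses follow DHCP changes.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# LAN hosts may open connections anywhere (the Internet and this box).
# State lets replies, and ICMP errors for those connections, come back,
# so ping and traceroute from the LAN need no further rules.
pass in on $int_if inet from $int_if:network to any

# The firewall itself may talk out on both sides (DHCP, DNS, syspatch).
pass out on $ext_if inet
pass out on $int_if inet

# Nothing is passed in on $ext_if: there are no hosted services.
# IPv6 is blocked by the default deny; add inet6 rules only once you use it.
```

Check it with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, and compare `pfctl -sr` with what you wrote. The ruleset intentionally contains no service macros: following Daniel's argument, a rule exists only where there is a stated need for it, and the `block log all` line means anything not listed is dropped and logged to `pflog0`, which is how you find out what you forgot.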


Re: Firewall setup

2024-04-16 Thread Daniel Ouellet



On 4/16/24 10:27 AM, Karel Lucas wrote:
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Hi Karel,

I think you may be missing the point that everyone tried to explain to 
you. The OpenBSD mailing list has very thick skin compared to any 
others. You need to be very rude to offend people here, unless you are 
one who feels you have a right to other people's free time.


You got some VERY knowledgeable people answering you. If I were you I 
would feel lucky for their time, believe me. I have been on this list 
since OpenBSD 2.7. A few decades ago...


Now you say you don't have the network know-how to do this; sure, 
everyone starts somewhere. You say you don't need this in your 
daily job either, and keep asking others to point you at the page in the PF 
book, etc.


Remember, they are NOT the ones who need to know, you are, so make the 
effort please. Many will gladly hold your hand IF you show willingness 
to do your share.


Even the site has basic starting examples here:

https://www.openbsd.org/faq/pf/index.html

And even some of them could be simpler, but they are provided as 
examples to show what's possible. It's up to the reader to start there and go 
where they want to...


Now to the point: you were told to start simple and explain what 
you want to do.


Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

The KISS principle applies!

And you were asked as well to explain your setup. NOT what you think it 
should be or how it is connected, what interface does what, etc.


What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular 
clients, so no email, web or name servers", so no need for a bridge, or 
DMZ, etc.


Also it looks like you use private IPs, so yes, NAT is needed obviously.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible, sure it can, I can have multiple VLANs and 
domain routing, configure a specific IPMI DMZ for my servers' 
configuration, add ssh keys for wireless access with time-based access 
and limits, and kids' restrictions, etc. But I wouldn't do that until I 
get my basic system going and know why.


Maybe I don't have kids, so why do that part of the setup? But maybe I 
have wireless and friends coming over, and they obviously all (or maybe) want 
fast internet access on my wireless, but I don't want them to have 
access to ANY of my devices from their phones that might compromise my 
network, so I would have a guest wireless with access to the outside world 
ONLY. But if I have no friends, then why would I want that? Etc...


Sure, maybe you have wireless that you want to isolate from other hard-wired 
computers, etc. You have a NAS, maybe you want to isolate it from 
wireless, or from some specific computers, kids' access restricted maybe, etc.


But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want 
in it, etc.


Same thing here.

Start small and then go from there.

Why? Doing an incremental setup helps you understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, 
when your pf configuration is clean, you will know where to add it and 
what it does.


It looks to me that if your setup has NO special needs, no hosting services 
that need to be reached from the Internet, then the only thing you need is a 
VERY simple NAT setup on two interfaces, and that's it.


It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1, 
and then 2 for admin, and 3 for NAS, etc.


What is it that you want to do and go from there.

Define your needs and then address them ONE by ONE.

Fix one, test and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!

You have absolutely NO need for this with what you say so far in any of 
your communications.


Example of thinking.

I see you try to use MANY macros, do you really need that? They are supposed 
to make things simpler to understand and cleaner to read, not more 
complex.


The key to a decent firewall is first to know what it is that you want 
to do, and it looks to me like you still do not know that yet.


I would even say, and have said for many decades, that a good firewall NOT only 
stops incoming traffic

Re: Firewall setup

2024-04-16 Thread Karel Lucas



This is my dmesg, if anyone is interested:


OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "JK4LV105" date 08/31/2022
bios0: Default string Default string
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x50013
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 2424
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 2424
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PC00)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 2 (RP05)
acpiprt6 at acpi0: bus 3 (RP06)
acpiprt7 at acpi0: bus 4 (RP07)
acpiprt8 at acpi0: bus 5 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at 

Re: Firewall setup

2024-04-16 Thread Karel Lucas
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Second, the firewall. This is set up as a bridge with the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 
... igc3. Connection igc0 is the input that goes to the ISDN modem, and 
igc1 and igc2 are the two outputs that go to the internal network. These 
two connections are more flexible for the underlying network. This makes 
it possible to connect two different networks, if desired, albeit with 
one and the same IP range (192.168.2.0/24), or two different networks, 
if so configured. So two possibilities (which is best?). So there is no 
need to use two connections at the same time, although this should be 
possible. Finally, connection igc3. This is given the IP address 
192.168.2.252, because it is intended for remote administration, 
including upgrades. This connection will therefore not be part of the 
firewall bridge, and will therefore not appear in pf.conf. The internal 
network consists mainly of regular clients, so no email, web or name 
servers. These clients will work with Linux, mac OSX, or OpenBSD, but 
not Windows, but there will be a small file server or NAS. This file 
server or NAS is only intended for the clients in the network and has no 
connection to the internet. For now it is important to get ping and 
traceroute working properly, after which work on normal internet traffic 
can be started. What I'm wondering is whether I need NAT for my firewall 
configuration. This is my plan for my firewall. It seems to me that 
there are much more difficult configurations than this one. I hope there 
are still people who are willing to help me.




Op 16-04-2024 om 07:24 schreef Peter N. M. Hansteen:

I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.





Re: Firewall setup

2024-04-16 Thread Zé Loff


On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
> 
> Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> > 
> > Are those interfaces configured, as in do they have IP addresses?
> > 
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
> > 
> Output from ifconfig igc0:
> igc0: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc1:
> igc1: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc2:
> igc2: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> 
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
> 
> /etc/hostname.igc0:
> up
> 
> /etc/hostname.igc1:
> up
> 
> /etc/hostname.igc2:
> up
> 

Either Stuart is right, and you are trying to put up some weird
firewall, or Diana is right, and you are way out of your depth and need
to learn some of the basics of IPv4 networking.  Or they are both right.
Either way, Peter is also right: you have been giving us information
piecemeal, and not only does this not help you to solve your problems, it
can be frustrating for the rest of us, because you've (involuntarily)
been wasting our time, chasing the wrong problem.  Your issues seem to
be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into
your machine is often a bad idea.  You need to understand what you are
putting in there, bit by bit.  Otherwise either it will fail immediately
(as in your case) or it will fail later on the first time you try to
tweak it.  And with a firewall being key in network security, you'll
really want to get it right.

There is no harm in not knowing things, no one is born knowing what a
routing table is, we've all had to start somewhere (I hope you don't
find this patronizing, that's really not the point).  And, as you've
just seen, despite this mailing list having a reputation of being
unfriendly, you've got plenty of people willing to help.  There are just
a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1].  For the
networking bits you can also take a look at the respective chapters on
Michael W. Lucas' "Absolute OpenBSD" [2].  Palmer and Nazario's "Secure
architectures with OpenBSD" also helped me a lot with system
administration in general, back in the day.  Others might have other
suggestions, I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e





Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-15 Thread Stuart Henderson
On 2024-04-15, Karel Lucas  wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up

bridging with PF is an advanced topic, please get familiar with PF on a standard
routed firewall first



-- 
Please keep replies on the mailing list.



Re: Firewall setup

2024-04-15 Thread Karel Lucas



Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:

On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.


Output from ifconfig igc0:
igc0: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc1:
igc1: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc2:
igc2: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
up


/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up



Re: Firewall setup

2024-04-15 Thread Karel Lucas
That's a possibility I hadn't thought of yet. But how do I do that, and 
on which page can I find that in your book?


Op 15-04-2024 om 22:17 schreef Peter N. M. Hansteen:

The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to make an
interface group with both interfaces as members, then use the
interface group name in your rules.




Re: Firewall setup

2024-04-15 Thread Karel Lucas



Op 14-04-2024 om 21:57 schreef Jens Kaiser:

Hello Karel,

if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

These have now been resolved, see below.


Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without interfacename, -group or keyword any looks
incorrect. Give it a parameter or remove it.
As far as I can see there are no errors in the ping rules. The key words 
"on", "group" or "any" do not appear there. Moreover, I have copied 
these rules, except for the key word "log", exactly from Peter Hansteen's 
book (The Book of PF), just like the rules for the martians.


Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weirdly, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. 
Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA


/etc/pf.conf:

ext_if = igc0                            # The interface to the outside world

int_if = "{ igc1, igc2 }"             # The interfaces to the private hosts
# localnet = "192.168.2.0/24"    # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                 0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
> 
> Op 14-04-2024 om 17:45 schreef Zé Loff:
> >  pass in on $int_if proto udp to port 53
> >  pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of 
two interfaces, that may well be your problem (or one of them).

The rule syntax is not really intended to deal with a list of interfaces
following 'on'. 

It is likely more useful to treat the two interfaces separately. 

The other option - if your network layout is such that it makes 
sense to treat them to the same rule criteria - would be to make an 
interface group with both interfaces as members, then use the 
interface group name in your rules.


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
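Peter's interface-group option, spelled out. This is an added example for this page, not Peter's or Karel's configuration: it puts igc1 and igc2 into a group named `lan` (name chosen here) and writes the DNS rule from Zé's earlier reply once, against the group. The 192.168.2.1 and 192.168.3.1 addresses are assumptions; the nameserver addresses are the ones from Karel's own macro. Note that two routed interfaces each need their own subnet: both cannot carry 192.168.2.0/24 without a bridge, which is exactly the setup the thread is steering away from.

```conf
# /etc/hostname.igc1  -- LAN segment A (addresses assumed)
inet 192.168.2.1 255.255.255.0
group lan

# /etc/hostname.igc2  -- LAN segment B, a different subnet (assumed)
inet 192.168.3.1 255.255.255.0
group lan

# /etc/pf.conf fragment -- 'lan' is an interface group, so 'on lan' and
# 'lan:network' expand to both member interfaces and both attached subnets.
# (egress is itself a built-in group, which is why egress:network works.)
nameservers = "{ 195.121.1.34, 195.121.1.66 }"

pass in on lan inet proto { tcp, udp } from lan:network \
        to $nameservers port domain
pass in on lan inet proto icmp from lan:network icmp-type echoreq
```

After `sh /etc/netstart igc1 igc2`, `ifconfig lan` lists the members of the group, and `pfctl -nf /etc/pf.conf` followed by `pfctl -sr` shows how pf expanded the group rules. The group rule only works once both interfaces actually have addresses; with none configured, `lan:network` fails in the same way the `igc1:network` and `igc2:network` errors quoted above did.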



Re: Firewall setup

2024-04-15 Thread Karel Lucas

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification


Op 14-04-2024 om 19:59 schreef Peter N. M. Hansteen:

On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:

Hi all,

Everything about PF is all very confusing to me at the moment, so any help
is appreciated. So let's start simple and then proceed step by step. I want
to continue with ping so that I can test the connection to the internet.
This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
www.apple.com. As others have stated, I have a problem with using DNS
servers on the internet. The PF ruleset needs to be adjusted for this, but
it is still not clear to me how to do that. What else do I need to get ping
to work correctly? To get started simply, I created a new pf.conf file, see
below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.





Re: Firewall setup

2024-04-15 Thread Karel Lucas

They both give a syntax error by booting.

Op 14-04-2024 om 17:45 schreef Zé Loff:

 pass in on $int_if proto udp to port 53



 pass in on $int_if proto udp to $nameservers port 53




Re: Firewall setup

2024-04-14 Thread deich...@placebonol.com
I'm a long time network engineer/firewall admin/make things work on our network 
when it is broken.

First, ICMP Echo Request ( "ping" ) works, you proved that when you sent an 
Echo Request to a host using its IP address.  The fact that DNS host 
resolution fails has nothing to do with ICMP Echo Request.  You WILL want to 
get DNS name resolution working in order to use hostnames, unless you want to 
keep everything in a static hosts file.

In order to create a functioning firewall you need a good understanding of IP 
and TCP/IP ports and protocols.  To see what I'm talking about do an Internet 
search for 5-tuple firewall.

You will need this knowledge for any system using a stateful firewall, not just 
PF.

Others are trying to help you write a functioning PF conf, however I think you 
need to learn how to fish before embarking on a deep sea fishing excursion.

73
diana 



On April 14, 2024 9:09:01 AM MDT, Karel Lucas  wrote:
>Hi all,
>
>Everything about PF is all very confusing to me at the moment, so any help is 
>appreciated. So let's start simple and then proceed step by step. I want to 
>continue with ping so that I can test the connection to the internet. This 
>works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
>www.apple.com. As others have stated, I have a problem with using DNS servers 
>on the internet. The PF ruleset needs to be adjusted for this, but it is still 
>not clear to me how to do that. What else do I need to get ping to work 
>correctly? To get started simply, I created a new pf.conf file, see below.
>
>
>/etc/pf.conf:
>
>ext_if = igc0                              # The interface to the outside world
>int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
>localnet = "192.168.2.0/24"      # Hosts on the screened LAN
>
>tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>udp_services = "{ domain, ntp }"
>email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>icmp_types = "{ echoreq, unreach }"
>icmp6_types = "{ echoreq, unreach }"
>nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                      446, cvspserver, 2628, 5999, 8000, 8080 }"
>martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                    0.0.0.0/8, 240.0.0.0/4 }"
>
># Options:
>set block-policy return
>
>set skip on lo
>
>block log all                # block stateless traffic
>
># Normalize packets:
>match in all scrub ( no-df max-mss 1440 )
>
>block in quick on $ext_if from $martians to any
>block out quick on $ext_if from any to $martians
>
># Letting ping through:
>pass log on inet proto icmp icmp-type $icmp_types
>pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
>pass out all
>
>


Re: Firewall setup

2024-04-14 Thread Sean Kamath



> On Apr 14, 2024, at 08:09, Karel Lucas  wrote:
> 
> Hi all,

Hi.

> So let's start simple and then proceed step by step. I want to continue with 
> ping so that I can test the connection to the internet. This works: ping -c 
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others 
> have stated, I have a problem with using DNS servers on the internet.

Does DNS resolution work without PF being enabled?

If you want to “start simple”, don’t enable PF (or disable it, or use the 
default ruleset that OpenBSD ships with) and make sure everything works.

Sean




Re: Firewall setup

2024-04-14 Thread Jens Kaiser

Hello Karel,

if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without an interface name, interface group or keyword any looks
incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with
> pfctl -nf /etc/pf.conf
before loading it. If no errors occur, simply update the ruleset in the
kernel with
> pfctl -f /etc/pf.conf
and test your changes. Keep in mind that reloading the ruleset does not
affect the states of already established connections.

Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

Try to get IPv4 running first. If that goal is reached you have more
experience and can go further adding IPv6, which is different in case of
ICMP. If you don't have a static IPv6 address configuration, then the
rules in your pf.conf are far too restrictive to get an autoconfigured
IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

On 14.04.2024 at 17:09, Karel Lucas wrote:

Hi all,

Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: ping -c 10 www.apple.com. As others have stated, I have a problem
with using DNS servers on the internet. The PF ruleset needs to be
adjusted for this, but it is still not clear to me how to do that. What
else do I need to get ping to work correctly? To get started simply, I
created a new pf.conf file, see below.


/etc/pf.conf:

ext_if = igc0                              # The interface to the outside world
int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all






Re: Firewall setup

2024-04-14 Thread Peter N. M. Hansteen
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly? To get started simply, I created a new pf.conf file, see
> below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out 
pass inet proto { tcp, udp } from igc2:network to port $client_out 

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-14 Thread Michael Lambert
There is a typo on the second line of the martians definition (spurious comma 
and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas  wrote:
> 
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help is 
> appreciated. So let's start simple and then proceed step by step. I want to 
> continue with ping so that I can test the connection to the internet. This 
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
> www.apple.com. As others have stated, I have a problem with using DNS servers 
> on the internet. The PF ruleset needs to be adjusted for this, but it is 
> still not clear to me how to do that. What else do I need to get ping to work 
> correctly? To get started simply, I created a new pf.conf file, see below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0  # The interface to the outside world
> int_if = "{ igc1, igc2 }"# The interfaces to the private hosts
> localnet = "192.168.2.0/24"  # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>   446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all# block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 



Re: Firewall setup

2024-04-14 Thread Zé Loff
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top
of your ruleset.  This means that _everything_ needs to be explicitly
allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e.
traffic _to_ UDP port 53) to enter and leave the firewall.  So if a
machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic
to only those two, so you could rewrite the above rule as 

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs
as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said in a reply to your other thread, you will probably need to use
NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then
to the specifics, so I would move "pass out all" next to "block log
all", but it's a matter of taste. 

> To get started simply, I created a new pf.conf file, see
> below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0                              # The interface to the outside world
> int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
> localnet = "192.168.2.0/24"      # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all                # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 




Re: No internet connection (firewall block)

2024-04-14 Thread Zé Loff


On Sun, Apr 14, 2024 at 04:33:58PM +0200, Karel Lucas wrote:
> Output from "tcpdump -neti pflog0":
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> ...
> rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: echo
> request
> ...
> 
> output from "pfctl -sr -R 4":
> pass log inet proto icmp all icmp-type echoreq

CAVEAT: I assume that 17.253.53.207 is NOT the address of igc0, and that
you are trying to ping a host on the internet.  If this is not true
(i.e. if you are pinging the internet-facing IP of your firewall), some
of what I write below won't apply.


So you sent an ICMP ping (an 'Echo request', or echoreq, for short) to
17.253.53.207, which was allowed to enter via igc1.  It matched rule 4
which allows ICMP echoreqs on any interface (regardless of source or
destination).

Now there are three questions:
1.  Did the firewall forward the echoreq to 17.253.53.207, via igc0?
2.  Did 17.253.53.207 send an "echo reply" (or "echorep") in response to
your request?
3.  Did the firewall let that reply enter igc0, and did it forward it
to 192.168.2.252, via igc1?

You don't show any logs for it, but I think we can stop at question 1,
and the answer to that is: no.  You are not NATing your outgoing traffic
for the internet.  Without NAT, the packet that leaves via igc0 will
have 192.168.2.252 as its source address (you should see something like
"pass out on igc0: 192.168.2.252 > 17.253.53.207 ..." on tcpdump).
Even if it's not filtered along the way, the host at 17.252.53.207 will
want to send the "echo reply" to 192.168.2.252.  But since this is an
address reserved for private use, it won't be routed across the
internet and back to your network (of which only the IPv4 address on
igc0 will be 'visible').

So, in short, you need to add a "nat-to rule".  You can find examples of
this on the pf.conf man page.  But I would advise you to pick up Peter
Hansteen's The Book of pf and give it a good read (at least the first
few chapters).


Now note that even with NATting, you still might not get a reply, since
the remote host might choose to ignore it (question 2, above) and,
crucially, even if it does, you don't have "echorep" in your $icmp_types
macro.  Which means you allow for ICMP echo requests, but not for the
echo replies to them (question 3, above).


To better debug this, you might want to add two more tcpdumps, to see
what goes out and comes in at each interface:  

tcpdump -nti igc0 icmp
tcpdump -nti igc1 icmp

It then becomes easier to see where along the way the traffic is being
dropped.

> 
> On 12-04-2024 at 19:46, Zé Loff wrote:
> > On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > Traceroute still won't work. I'm playing around with the rules and 
> > > wondering
> > > what's right and what's wrong with the traceroute rules. Can anyone give 
> > > me
> > > some starting points here?
> > > 
> > > 
> > > /etc/pf.conf:
> > > 
> > > ext_if = igc0 # Extern interface
> > > int_if = "{ igc1, igc2 }" # Intern interfaces
> > > localnet = "192.168.2.0/24"
> > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> > > udp_services = "{ domain, ntp }"
> > > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> > > icmp_types = "{ echoreq, unreach }"
> > > icmp6_types = "{ echoreq, unreach }"
> > > nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> > > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> > >                        446, cvspserver, 2628, 5999, 8000, 8080 }"
> > > Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >                      10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> > >                      0.0.0.0/8, 240.0.0.0/4 }"
> > > 
> > > set skip on lo
> > > # By default, do not permit remote connections to X11
> > > block return in on ! lo0 proto tcp to port 6000:6010
> > > 
> > > block log all                # block stateless traffic
> > > 
> > > block in quick on $ext_if from $martians to any
> > > block out quick on $ext_if from any to $martians
> > > 
> > > # Letting ping through:
> > > pass log on inet proto icmp icmp-type $icmp_types
> > > pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> > > 
> > > # Allow out the default range for traceroute(*):
> > > # "base+nhops*nqueries-1&qu

Firewall setup

2024-04-14 Thread Karel Lucas

Hi all,

Everything about PF is all very confusing to me at the moment, so any 
help is appreciated. So let's start simple and then proceed step by 
step. I want to continue with ping so that I can test the connection to 
the internet. This works: ping -c 10 195.121.1.34. But this doesn't 
work: ping -c 10 www.apple.com. As others have stated, I have a problem 
with using DNS servers on the internet. The PF ruleset needs to be 
adjusted for this, but it is still not clear to me how to do that. What 
else do I need to get ping to work correctly? To get started simply, I 
created a new pf.conf file, see below.



/etc/pf.conf:

ext_if = igc0                              # The interface to the outside world
int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts

localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all




Re: No internet connection (firewall block)

2024-04-14 Thread Karel Lucas

Output from "tcpdump -neti pflog0":
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
...
rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: 
echo request

...

output from "pfctl -sr -R 4":
pass log inet proto icmp all icmp-type echoreq


On 12-04-2024 at 19:46, Zé Loff wrote:

On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:

Hi all,

Traceroute still won't work. I'm playing around with the rules and wondering
what's right and what's wrong with the traceroute rules. Can anyone give me
some starting points here?


/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6


Your final four rules (for traceroute) only apply to the $ext_if, so I
am assuming you are trying to traceroute _from_ the firewall itself to
some machine on the internet.  If you want to start traceroute from
your local network, and to a machine on the internet, you'll need to
add $int_if to those rules (and perhaps NAT, but let's not get ahead of
ourselves).

Again, assuming you are trying to traceroute from the firewall to the
internet, I would use tcpdump to check if that traffic is being blocked,
and, if so, which rule is blocking it:

 tcpdump -neti pflog0

(-n and -t are optional, but help to keep things simpler in this case)

Then on another terminal try to traceroute an easily identifiable IP,
such as 1.1.1.1, and see what comes up on the tcpdump.  It'll be
something like "rule 2/(match) block ..." or "rule 2/(match) pass ...",
and if you don't want to count the rules by hand, you can use pfctl to
tell you which:

 pfctl -sr -R 

where  is the rule number.

Then, assuming it is being blocked, it's time to figure out why the
"pass" rules aren't being matched.






Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

This makes no difference.

On 13-04-2024 at 22:06, Peter J. Philipp wrote:

On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:

What should I add then, considering my PF ruleset? To be honest, all of this
is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules but it's only a macro/alias and not active

Also if I remember it right (without looking) traceroute defaults to UDP mode
by default, with ports (32768 + 666) + (every "*" in every hop counting as 1)
so depending on how many hops outbound you want to traceroute you'll have to
open those udp ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember, from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0 it will not get forwarded and will reply an ICMP
time exceeded message aka timex reply.

Please familiarize yourself with tcpdump and for learning purposes wireshark
and really analyze the packet headers with RFC's 791, 792, 8200 found at
https://rfc-editor.org.

Best of Luck!
-pjp


On 13-04-2024 at 02:39, Alexis wrote:

Karel Lucas  writes:


Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
suspect this has to do with DNS servers, but I don't know where to
start troubleshooting.

Indeed, you appear to have no rules allowing outgoing requests to DNS
servers for name resolution.


Alexis.





Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

What should I add to get it working?

On 13-04-2024 at 02:39, Alexis wrote:


Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





Re: Ping blocked by firewall

2024-04-13 Thread Peter J. Philipp
On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
> What should I add then, considering my PF ruleset? To be honest, all of this
> is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules but it's only a macro/alias and not active

Also if I remember it right (without looking) traceroute defaults to UDP mode
by default, with ports (32768 + 666) + (every "*" in every hop counting as 1)
so depending on how many hops outbound you want to traceroute you'll have to
open those udp ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember, from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0 it will not get forwarded and will reply an ICMP
time exceeded message aka timex reply.

Please familiarize yourself with tcpdump and for learning purposes wireshark
and really analyze the packet headers with RFC's 791, 792, 8200 found at
https://rfc-editor.org.

Best of Luck!
-pjp

> On 13-04-2024 at 02:39, Alexis wrote:
> > 
> > Karel Lucas  writes:
> > 
> > > Ping only works partially. For example, this works: ping -c 10
> > > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
> > > suspect this has to do with DNS servers, but I don't know where to
> > > start troubleshooting.
> > 
> > Indeed, you appear to have no rules allowing outgoing requests to DNS
> > servers for name resolution.
> > 
> > 
> > Alexis.
> > 
> 

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de



Re: Ping blocked by firewall

2024-04-13 Thread Karel Lucas
What should I add then, considering my PF ruleset? To be honest, all of 
this is very unclear to me at the moment, so any help is appreciated.



On 13-04-2024 at 02:39, Alexis wrote:


Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





Re: Ping blocked by firewall

2024-04-13 Thread Peter N. M. Hansteen
On Sat, Apr 13, 2024 at 06:18:46AM +0200, Janne Johansson wrote:
> On Fri 12 Apr 2024 at 19:41, Karel Lucas wrote:
> >
> > Hi all,
> >
> > Ping only works partially. For example, this works: ping -c 10
> > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> > this has to do with DNS servers, but I don't know where to start
> > troubleshooting. Can someone help me?
> 
> If the below pf.conf is your total firewall config, then you are only
> letting icmp through, and not DNS queries.
> Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?

As Janne hints at here, your pass criteria are too narrow to be practical for
the needs you appear to have.

Not an uncommon problem while learning to write rulesets. And of course I
have written about that too -

https://home.nuug.no/~peter/pf/en/basicgw.html#GWPITFALLS

(That is in the piece that evolved into The Book of PF, and likely
something similar appears somewhere in the book too)


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: No internet connection (firewall block)

2024-04-13 Thread Stuart Henderson
On 2024-04-13, Janne Johansson  wrote:
> On Fri 12 Apr 2024 at 20:22, Karel Lucas wrote:
>> Traceroute still won't work.
>>  Can
>> anyone give me some starting points here?
>
> Put "log" on all your block/pass rules, read the logs (man pflog for
> help) and see which rule the traceroute packets hit.
> Adapt and extend your pf.conf accordingly to allow the traffic you
> want to let through.

"match log(matches)", perhaps with an ip/proto/port restriction if the
other traffic is too noisy, is good for diagnosing firewall rules -
for each packet creating a new firewall state, it shows any matching
rules for that packet in order of evaluation, with the last one
printed showing the overall decision to block/pass.



-- 
Please keep replies on the mailing list.
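Zé Loff's explanation above ("block log all" means everything needs an explicit pass, the echo request leaves igc0 with a private source unless a nat-to rule rewrites it, and where "pass out all" sits is a matter of taste) and the "match log(matches)" trace Stuart describes, as a toy Python model added here and not code from any poster. It models filter rules only, not state tables or NAT translation; the rules and packets are constructed from Karel's ruleset (IPv4 part, martians typo corrected).

```python
"""Toy model of pf rule evaluation: rules are tested top to bottom, the
LAST matching rule decides, 'quick' ends evaluation at once, and the
ordered list of matches is what "match log(matches)" writes to pflog.
Added example; state tracking and NAT translation are not modelled."""
import ipaddress


def rule(text, action, quick=False, direction=None, iface=None, proto=None,
         src=None, dport=None, icmp_type=None):
    """One simplified pf rule. None means 'any'; src is a list of CIDRs."""
    return {"text": text, "action": action, "quick": quick,
            "direction": direction, "iface": iface, "proto": proto,
            "dport": dport, "icmp_type": icmp_type,
            "src": [ipaddress.ip_network(n) for n in (src or [])]}


def matches(r, pkt):
    for key in ("direction", "iface", "proto"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    if r["dport"] is not None and pkt.get("dport") not in r["dport"]:
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") not in r["icmp_type"]:
        return False
    if r["src"]:
        addr = ipaddress.ip_address(pkt["src"])
        if not any(addr in net for net in r["src"]):
            return False
    return True


def evaluate(rules, pkt):
    """Return (decision, trace); trace mimics pflog's 'rule N/(match) ...'."""
    decision, trace = "pass", []   # pf passes when no rule matches at all
    for i, r in enumerate(rules):
        if matches(r, pkt):
            trace.append(f"rule {i}/(match) {r['text']}")
            decision = r["action"]
            if r["quick"]:
                break
    return decision, trace


def needs_nat(pkt, ext_if="igc0"):
    """Outbound on the external interface with an RFC 1918 source: the reply
    can never find its way back without a nat-to rule (question 1 above)."""
    return (pkt["direction"] == "out" and pkt["iface"] == ext_if
            and ipaddress.ip_address(pkt["src"]).is_private)


# Karel's ruleset, IPv4 part only, with the martians typo corrected.
MARTIANS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
            "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"]
KAREL_RULES = [
    rule("block log all", "block"),
    rule("block in quick on igc0 from $martians to any", "block", quick=True,
         direction="in", iface="igc0", src=MARTIANS),
    rule("pass log inet proto icmp icmp-type $icmp_types", "pass",
         proto="icmp", icmp_type={"echoreq", "unreach"}),
    rule("pass out all", "pass", direction="out"),
]
# Same rules with "pass out all" moved up next to "block log all".
REORDERED = [KAREL_RULES[0], KAREL_RULES[3], KAREL_RULES[1], KAREL_RULES[2]]
# Zé Loff's suggested DNS rule appended to the original ruleset.
WITH_DNS = KAREL_RULES + [
    rule("pass in on igc1 proto udp to port 53", "pass",
         direction="in", iface="igc1", proto="udp", dport={53}),
]

# Constructed packets: LAN host 192.168.2.252 behind igc1, internet on igc0.
PACKETS = {
    "dns_query_in": {"direction": "in", "iface": "igc1", "proto": "udp",
                     "src": "192.168.2.252", "dport": 53},
    "ping_in": {"direction": "in", "iface": "igc1", "proto": "icmp",
                "src": "192.168.2.252", "icmp_type": "echoreq"},
    "ping_out": {"direction": "out", "iface": "igc0", "proto": "icmp",
                 "src": "192.168.2.252", "icmp_type": "echoreq"},
    "spoofed_in": {"direction": "in", "iface": "igc0", "proto": "icmp",
                   "src": "10.1.2.3", "icmp_type": "echoreq"},
}


def decisions(rules):
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        decision, trace = evaluate(KAREL_RULES, pkt)
        print(f"{name}: {decision}" + ("  (needs nat-to)" if needs_nat(pkt) else ""))
        for line in trace:
            print("   ", line)
```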



Re: No internet connection (firewall block)

2024-04-12 Thread Janne Johansson
On Fri 12 Apr 2024 at 20:22, Karel Lucas wrote:
> Traceroute still won't work.
>  Can
> anyone give me some starting points here?

Put "log" on all your block/pass rules, read the logs (man pflog for
help) and see which rule the traceroute packets hit.
Adapt and extend your pf.conf accordingly to allow the traffic you
want to let through.

-- 
May the most significant bit of your life be positive.



Re: Ping blocked by firewall

2024-04-12 Thread Janne Johansson
On Fri 12 Apr 2024 at 19:41, Karel Lucas wrote:
>
> Hi all,
>
> Ping only works partially. For example, this works: ping -c 10
> 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> this has to do with DNS servers, but I don't know where to start
> troubleshooting. Can someone help me?

If the below pf.conf is your total firewall config, then you are only
letting icmp through, and not DNS queries.
Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?


> /etc/pf.conf:
>
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>  446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>  0.0.0.0/8, 240.0.0.0/4 }"
>
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block log all# block stateless traffic
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types



-- 
May the most significant bit of your life be positive.



Re: Ping blocked by firewall

2024-04-12 Thread Alexis



Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where 
to start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to 
DNS servers for name resolution.



Alexis.



Re: No internet connection (firewall block)

2024-04-12 Thread George



On 2024-04-12 13:04, Karel Lucas wrote:

Hi all,

Traceroute still won't work. I'm playing around with the rules and 
wondering what's right and what's wrong with the traceroute rules. Can 
anyone give me some starting points here?



Start with: tcpdump -nettti pflog0. Adjust to suit your needs etc..





/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6





Re: No internet connection (firewall block)

2024-04-12 Thread Zé Loff
On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Traceroute still won't work. I'm playing around with the rules and wondering
> what's right and what's wrong with the traceroute rules. Can anyone give me
> some starting points here?
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> block log all                # block stateless traffic
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
> pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
> pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
> pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6
> 

Your final four rules (for traceroute) only apply to the $ext_if, so I
am assuming you are trying to traceroute _from_ the firewall itself to
some machine on the internet.  If you want to start traceroute from
your local network, and to a machine on the internet, you'll need to
add $int_if to those rules (and perhaps NAT, but let's not get ahead of
ourselves).

Again, assuming you are trying to traceroute from the firewall to the
internet, I would use tcpdump to check if that traffic is being blocked,
and, if so, which rule is blocking it:

tcpdump -neti pflog0

(-n and -t are optional, but help to keep things simpler in this case)

Then on another terminal try to traceroute an easily identifiable IP,
such as 1.1.1.1, and see what comes up on the tcpdump.  It'll be
something like "rule 2/(match) block ..." or "rule 2/(match) pass ...",
and if you don't want to count the rules by hand, you can use pfctl to
tell you which:

pfctl -sr -R <number>

where <number> is the rule number.

Then, assuming it is being blocked, it's time to figure out why the
"pass" rules aren't being matched.



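As an added example (not code from any post in this thread), the script below takes the tcpdump -neti pflog0 line format described in the reply above, summarises which rule numbers matched and in which direction, and prints the pfctl -sr -R lookups to run next; the pflog lines it reads are constructed, and the rule numbers in them are illustrative rather than taken from the quoted ruleset.

```shell
#!/bin/sh
# Added example, not from any post in this thread. It assumes the pflog line
# format printed by "tcpdump -neti pflog0" on OpenBSD, as shown in the reply
# above: "rule N/(match) <action> <dir> on <iface>: <src> > <dst>: ...".
# Rule numbers can then be looked up with "pfctl -sr -R N".

# Constructed sample of pflog output captured while running "traceroute 1.1.1.1"
# on the firewall. Addresses are documentation/test ranges; the rule numbers are
# illustrative and are not taken from the ruleset quoted in the thread.
SAMPLE_PFLOG='rule 2/(match) block out on igc0: 203.0.113.5.41122 > 1.1.1.1.33434: udp 12
rule 2/(match) block out on igc0: 203.0.113.5.41123 > 1.1.1.1.33435: udp 12
rule 5/(match) pass out on igc0: 203.0.113.5 > 1.1.1.1: icmp: echo request
rule 2/(match) block out on igc0: 203.0.113.5.41124 > 1.1.1.1.33436: udp 12'

# pflog_summary: read pflog lines on stdin and print one line per
# (rule number, action, direction, interface) with a hit count, busiest first.
# Output format: "<hits> <rule> <action> <dir> <iface>"
pflog_summary() {
    awk '
        # $1="rule" $2="2/(match)" $3=action $4=direction $5="on" $6="igc0:"
        $1 == "rule" {
            split($2, r, "/")              # "2/(match)" -> r[1] = "2"
            iface = $6
            sub(/:$/, "", iface)           # strip the trailing colon
            key = r[1] " " $3 " " $4 " " iface
            hits[key]++
        }
        END {
            for (k in hits) print hits[k], k
        }
    ' | sort -rn
}

# blocking_rules: the distinct rule numbers that blocked something.
blocking_rules() {
    pflog_summary | awk '$3 == "block" { print $2 }' | sort -un
}

# pfctl_lookup_commands: print (do not run) the pfctl command that shows the
# text of each blocking rule, so the admin can see why the pass rules lost.
pfctl_lookup_commands() {
    blocking_rules | while read -r n; do
        printf 'pfctl -sr -R %s\n' "$n"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pfctl_lookup_commands
```

On a real firewall, replace the constructed sample with `tcpdump -neti pflog0 | pflog_summary` after a few traceroute probes have gone out.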


No internet connection (firewall block)

2024-04-12 Thread Karel Lucas

Hi all,

Traceroute still won't work. I'm playing around with the rules and 
wondering what's right and what's wrong with the traceroute rules. Can 
anyone give me some starting points here?



/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6



Ping blocked by firewall

2024-04-12 Thread Karel Lucas

Hi all,

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect 
this has to do with DNS servers, but I don't know where to start 
troubleshooting. Can someone help me?


/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types






Re: No internet connection (firewall block)

2024-04-11 Thread Zé Loff


On Thu, Apr 11, 2024 at 07:45:18PM +0200, Karel Lucas wrote:
> The typos have been fixed, and PF's ruleset will be put under a magnifying
> glass.

This is a bit of a personal preference, but (assuming you trust any
traffic generated on the firewall itself), I find it helpful to 
start the ruleset with a simple:

block log in
pass out

and then filter what comes _in_ (either via $ext_if or
$int_ifs), by adding "pass in ... on ... " rules.

> On 11-04-2024 at 10:34 Zé Loff wrote:
> > On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > With the new firewall I am setting up I cannot connect to the internet.
> > > That starts with traceroute, so let's start there. Ping works fine.
> > > Below I have listed my pf.conf file.
> > > 
> > > 
> > > 
> > > /etc/pf.conf:
> > > 
> > > ext_if = igc0 # Extern interface
> > > int_if = "{ igc1, igc2 }" # Intern interfaces
> > > localnet = "192.168.2.0/24"
> > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> > > udp_services = "{ domain, ntp }"
> > > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> > > icmp_types = "{ echoreq, unreach }"
> > > icmp6_types = "{ echoreq, unreach }"
> > > nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> > > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> > >                        446, cvspserver, 2628, 5999, 8000, 8080 }"
> > > Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >                      10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> > >                      0.0.0.0/8, 240.0.0.0/4 }"
> > > 
> > > set skip on lo
> > > # By default, do not permit remote connections to X11
> > > block return in on ! lo0 proto tcp to port 6000:6010
> > > 
> > > block log all                # block stateless traffic
> > > 
> > > block in quick on $ext_if from $martians to any
> > > block out quick on $ext_if from any to $martians
> > > 
> > > # Letting ping through:
> > > pass log on inet proto icmp icmp-type $icmp_types
> > > pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> > > 
> > > # Allow out the default range for traceroute(*):
> > > # "base+nhops*nqueries-1" (3434+64*3-1)
> > > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> > > 
> > > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> > >          to port $udp_services
> > > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > > pass log out proto tcp to port $tcp_services   # establish keep-stat
> > > pass log log proto udp to port $udp_services   # Establish keep-state
> > If I read this correctly, you are not allowing any "in" traffic, except
> > for the two "Letting ping through lines", which are just for ICMP, and
> > on the first two rules on the last part ("...$icmp_types"  and
> > "...$client_out").  I am assuming "log log" on the last rule is a typo,
> > and it is actually "log out".
> 




Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas

PF's ruleset will be put under a magnifying glass.

On 11-04-2024 at 11:09 Peter N. M. Hansteen wrote:

On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:

pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
         to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through lines", which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types"  and
"...$client_out").  I am assuming "log log" on the last rule is a typo,
and it is actually "log out".

Those are as far as I can tell correct observations. There appears to be
no rule allowing traffic other than the selected icmp types to pass from
anywhere but the local host.






Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas
The typos have been fixed, and PF's ruleset will be put under a 
magnifying glass.


On 11-04-2024 at 10:34 Zé Loff wrote:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

Hi all,

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.



/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
         to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through lines", which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types"  and
"...$client_out").  I am assuming "log log" on the last rule is a typo,
and it is actually "log out".




Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas
I do get the following error message: sysctl: toplevel name net/inet6 in 
net/inet6.ip6.forwarding is invalid


On 11-04-2024 at 09:49 Peter N. M. Hansteen wrote:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will
actually load -- you will get a "macro 'martians' not defined" and "unknown
port nportntp" and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.






Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas

Output of 'sysctl net.inet | grep forward':
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0

This may sound strange, but I don't get an error message when booting. I 
did have that problem because the word 'log' appeared in some lines, but 
that has already been resolved. I'm going to apply a "step by step" 
approach to the rules in pf.conf.


On 11-04-2024 at 09:49 Peter N. M. Hansteen wrote:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will
actually load -- you will get a "macro 'martians' not defined" and "unknown
port nportntp" and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.






Re: No internet connection (firewall block)

2024-04-11 Thread Peter N. M. Hansteen
On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
> > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> > 
> > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> >         to port $udp_services
> > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > pass log out proto tcp to port $tcp_services   # establish keep-stat
> > pass log log proto udp to port $udp_services   # Establish keep-state
>
> If I read this correctly, you are not allowing any "in" traffic, except
> for the two "Letting ping through lines", which are just for ICMP, and
> on the first two rules on the last part ("...$icmp_types"  and
> "...$client_out").  I am assuming "log log" on the last rule is a typo,
> and it is actually "log out".
 
Those are as far as I can tell correct observations. There appears to be
no rule allowing traffic other than the selected icmp types to pass from
anywhere but the local host.


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: No internet connection (firewall block)

2024-04-11 Thread Zé Loff
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> Hi all,
> 
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.
> 
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> block log all                # block stateless traffic
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> 
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>         to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> pass log out proto tcp to port $tcp_services   # establish keep-stat
> pass log log proto udp to port $udp_services   # Establish keep-state
   
If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through lines", which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types"  and
"...$client_out").  I am assuming "log log" on the last rule is a typo,
and it is actually "log out".



Re: No internet connection (firewall block)

2024-04-11 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> 
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will
actually load -- you will get a "macro 'martians' not defined" and "unknown
port nportntp" and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.





No internet connection (firewall block)

2024-04-10 Thread Karel Lucas

Hi all,

With the new firewall I am setting up I cannot connect to the internet. 
That starts with traceroute, so let's start there. Ping works fine. 
Below I have listed my pf.conf file.




/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state



Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 11:01:18PM +0200, Peter N. M. Hansteen wrote:
> Another gentle introduction can be found in the latest PF tutorial,
> the slides for the AsiaBSDCon 2024 version can be found as
> https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
> references to various useful resources.

and I should add that the labs referenced there are almost certainly
not available at the moment. They tend to be turned on specifically
for the sessions and are generally only left running for a few days.

- P




Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 04:41:58PM -0400, Steve Litt wrote:
> I found out where to buy your book, and will buy it once I have the
> "for dummies" level of knowledge. In the meantime, what other PF
> references do you recommend? I know just enough PF to be dangerous, but
> want to make my own BSD/PF firewall/router.

The Book of PF was meant to be accessible to people with only basic
networking knowledge, but anyway -

I'd start with the official PF user guide at 
https://www.openbsd.org/faq/pf/index.html
and look up the relevant man pages.

Another gentle introduction can be found in the latest PF tutorial,
the slides for the AsiaBSDCon 2024 version can be found as
https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
references to various useful resources.

And of course, this mailing list tends to be receptive to reasonably
formulated questions.

All the best,
Peter





Re: Ping blocked by firewall

2024-04-09 Thread list
Still don't know what's happening because we don't know what those line errors
mean.

When you changed the macros to tables, did you also update the rules to
match?

On April 9, 2024 9:32:06 AM UTC, Karel Lucas wrote:
>I moved the lines with the martians between the 'block log all' line and the 
>ping lines. Furthermore, I changed the macro 'martians' to a table: table
><martians> persist file "etc/martians".
>
>Messages during booting:
>/etc/pf.conf:29: syntax error
>/etc/pf.conf:29: macro 'martians' not defined
>/etc/pf.conf:30: macro 'martians' not defined
>/etc/pf.conf:38: syntax error
>/etc/pf.conf:39: syntax error
>/etc/pf.conf:46: syntax error
>
>On 09-04-2024 at 11:13 Otto Moerbeek wrote:
>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>> 
>>> I defined the table as stated in your book (3rd edition, page 42). However,
>>> that gives an error message. In the lines with that table: macro 'martians'
>>> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
>>> 46, causing the pf lines not to be loaded.
>> How about showing what you did, showing the actual error messages so
>> people here can actually help you? Just saying "it does not work" does
>> not get you anywhere.
>> 
>>  -Otto
>>> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>> Hi all,
>>>>> 
>>>>> For the first time I tested my new firewall with ping, and it is blocked. I
>>>>> don't know what the reason is, you can find the information below. I have a
>>>>> network with only regular clients, so no servers. I'm still using OpenBSD
>>>>> V7.4, and will upgrade once the firewall is up and running so I can test the
>>>>> upgrade process.
>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>> 
>>>> Still low on caffeine I spot two likely factors - your $localnet range overlaps
>>>> with one of the ranges in $martians (which I anyway would recommend converting
>>>> into a table), and your block referencing $martians comes after the pass rules
>>>> that would have let icmp through. With no previous matching quick, last match
>>>> applies.
>>>> 
>>>> - Peter
>>>> 
>


Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The errors were caused by the word 'log' in lines where it apparently 
did not belong. Those errors have now been resolved. In Peter Hansteen's 
book, the rules are clearly stated on page 91, and there is no 'match' 
in them.


On 09-04-2024 at 17:12 l...@trungnguyen.me wrote:
Still don't know what's happening because we don't know what those line
errors mean.


When you changed the macros to tables, did you also update the rules
to match?



On April 9, 2024 9:32:06 AM UTC, Karel Lucas wrote:

> I moved the lines with the martians between the 'block log all'
> line and the ping lines. Furthermore, I changed the macro
> 'martians' to a table: table <martians> persist file
> "etc/martians".
>
> Messages during booting:
> /etc/pf.conf:29: syntax error
> /etc/pf.conf:29: macro 'martians' not defined
> /etc/pf.conf:30: macro 'martians' not defined
> /etc/pf.conf:38: syntax error
> /etc/pf.conf:39: syntax error
> /etc/pf.conf:46: syntax error
>
> On 09-04-2024 at 11:13 Otto Moerbeek wrote:
>
>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>>
>>> I defined the table as stated in your book (3rd edition,
>>> page 42). However, that gives an error message. In the
>>> lines with that table: macro 'martians' not defined.
>>> Moreover, I now also have a Syntax error in lines 38, 39
>>> and 46, causing the pf lines not to be loaded.
>>
>> How about showing what you did, showing the actual error
>> messages so people here can actually help you? Just saying "it
>> does not work" does not get you anywhere.
>>
>> -Otto
>>
>>> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
>>>
>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> For the first time I tested my new firewall with ping, and it is
>>>>> blocked. I don't know what the reason is, you can find the
>>>>> information below. I have a network with only regular clients, so
>>>>> no servers. I'm still using OpenBSD V7.4, and will upgrade once the
>>>>> firewall is up and running so I can test the upgrade process.
>>>>
>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>>
>>>> Still low on caffeine I spot two likely factors - your $localnet
>>>> range overlaps with one of the ranges in $martians (which I anyway
>>>> would recommend converting into a table), and your block referencing
>>>> $martians comes after the pass rules that would have let icmp
>>>> through. With no previous matching quick, last match applies.
>>>>
>>>> - Peter



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas

In /etc/pf.conf:
table <martians> persist file "/etc/martians"

In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4

On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The example I'm referring to is how to define a table (page 42), and I 
applied that to the martians example (page 91).


On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Jacqueline Jolicoeur
On Apr 09 08:39, Karel Lucas wrote:
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

I upgraded from OpenBSD 7.4 to OpenBSD 7.5 with zero issues using this
example https://www.openbsd.org/faq/pf/example1.html

Have you considered using that as a baseline?



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables. 

Please actually read the advice offered by contributors to this thread.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I can assure you that I did not use capital letters in the macro names, 
and used the '<' and '>'.


On 09-04-2024 at 11:58 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
   10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
   0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   10.0.0.0/8, 
169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 }"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I managed to get ping through. The error was the "log" words in the 
lines. But this is just the beginning. Now I have another problem with 
traceroute, as well as with all the normal internet traffic that has to 
go through it. In the traceroute rules I replaced "$ext_if" with 
"egress", but that makes very little difference. Creating a table for 
the martians doesn't work either. I have restored the old situation, so 
that it does not cause an error message.




Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 
}"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I moved the lines with the martians between the 'block log all' line and 
the ping lines. Furthermore, I changed the macro 'martians' to a table: 
table <martians> persist file "etc/martians".


Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:


I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter





Re: Ping blocked by firewall

2024-04-09 Thread Otto Moerbeek
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto
> 
> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
> > On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > For the first time I tested my new firewall with ping, and it is blocked. 
> > > I
> > > don't know what the reason is, you can find the information below. I have 
> > > a
> > > network with only regular clients, so no servers. I'm still using OpenBSD
> > > V7.4, and will upgrade once the firewall is up and running so I can test 
> > > the
> > > upgrade process.
> > Upgrading to 7.5 will not affect this particular problem I think.
> > 
> > Still low on caffeine I spot two likely factors - your $localnet range 
> > overlaps
> > with one of the ranges in $martians (which I anyway would recommend 
> > converting
> > into a table), and your block referencing $martians comes after the pass 
> > rules
> > that would have let icmp through. With no previous matching quick, last 
> > match
> > applies.
> > 
> > - Peter
> > 
> 



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I defined the table as stated in your book (3rd edition, page 42). 
However, that gives an error message. In the lines with that table: 
macro 'martians' not defined. Moreover, I now also have a Syntax error 
in lines 38, 39 and 46, causing the pf lines not to be loaded.


On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter





Re: Ping blocked by firewall

2024-04-09 Thread Peter J. Philipp
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.
> 
> /etc/pf.conf:
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                 446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>             10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>             0.0.0.0/8, 240.0.0.0/4 }"
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> block log all                # block stateless traffic
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
> pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>         to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> block log in quick on $ext_if from $martians to any
> block log out quick on $ext_if from any to $martians
> pass log out proto tcp to port $tcp_services # establish keep-stat
> pass log log proto udp to port $udp_services # Establish keep-state
> 
> /var/log/pflog:
> tcpdump: WARNING: snaplen raised from 116 to 160
> Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]
> apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]

Hi Karel,

Hope you're well!  Here is what you should add to your IPv6 icmp_types:

pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbradv

This allows the NDP protocol to converse (it's similar to the IPv4 ARP).

I didn't see you had the problem with only IPv6, but the way I tested it, the
IPv4 worked fine.  It was IPv6 that had the missing neighbour solicitation
and advertising.

Best Regards,
-pjp

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps 
with one of the ranges in $martians (which I anyway would recommend converting 
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies. 

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
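
To make Peter's two points concrete (a later quick block overrides an earlier non-quick pass rule, and a $localnet that sits inside a $martians entry gets caught by that block), here is an added toy model of PF rule evaluation. It is example code written for this page, not from the thread or from OpenBSD's pf(4); it assumes an external interface named ext_if and a gateway at 192.168.2.1, and it ignores states, ports and address families.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    quick: bool = False                       # stop evaluating on match
    direction: Optional[str] = None           # "in", "out" or None (both)
    iface: Optional[str] = None               # None matches any interface
    proto: Optional[str] = None               # None matches any protocol
    src: Optional[List[IPv4Network]] = None   # None means "any"
    dst: Optional[List[IPv4Network]] = None   # None means "any"


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: IPv4Address
    dst: IPv4Address


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule specifies must agree with the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and not any(pkt.src in n for n in rule.src):
        return False
    if rule.dst is not None and not any(pkt.dst in n for n in rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """PF semantics in miniature: walk the ruleset top to bottom and remember
    the last matching rule, but stop at the first matching rule marked quick.
    With no match at all PF's implicit default is pass."""
    verdict, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, winner = rule.action, i
            if rule.quick:
                break
    return verdict, winner


# Martian list from the thread; the 169.254 entry is written out correctly here.
MARTIANS = [ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4")]
LOCALNET = ip_network("192.168.2.0/24")     # $localnet from the posted pf.conf


def overlapping_martians(localnet: IPv4Network,
                         martians: List[IPv4Network]) -> List[str]:
    """Martian entries that also cover hosts on the local network."""
    return [str(n) for n in martians if n.overlaps(localnet)]


def ruleset(martians: List[IPv4Network]) -> List[Rule]:
    """Reduced model of the posted ordering: block all, then the icmp pass
    rule, then the quick martian blocks on the external interface."""
    return [
        Rule("block"),                                          # block log all
        Rule("pass", proto="icmp"),                             # ping rule
        Rule("block", quick=True, direction="in", iface="ext_if", src=martians),
        Rule("block", quick=True, direction="out", iface="ext_if", dst=martians),
    ]


# Constructed packets: echo requests from a LAN host, one to a gateway assumed
# at 192.168.2.1 and one to a public host (documentation address as stand-in).
PING_TO_GATEWAY = Packet("out", "ext_if", "icmp",
                         ip_address("192.168.2.10"), ip_address("192.168.2.1"))
PING_TO_INTERNET = Packet("out", "ext_if", "icmp",
                          ip_address("192.168.2.10"), ip_address("198.51.100.7"))


if __name__ == "__main__":
    print("martian entries overlapping $localnet:",
          overlapping_martians(LOCALNET, MARTIANS))
    rules = ruleset(MARTIANS)
    # The later quick block wins over the earlier (non-quick) icmp pass rule.
    print("ping to gateway, as posted:", evaluate(rules, PING_TO_GATEWAY))
    print("ping to Internet, as posted:", evaluate(rules, PING_TO_INTERNET))
    # Simplest fix: keep $localnet out of the martian list ...
    trimmed = [n for n in MARTIANS if not n.overlaps(LOCALNET)]
    print("ping to gateway, overlap removed:",
          evaluate(ruleset(trimmed), PING_TO_GATEWAY))
    # ... or let a quick pass for the LAN's icmp match before the martian block.
    rules.insert(2, Rule("pass", quick=True, proto="icmp", src=[LOCALNET]))
    print("ping to gateway, pass quick first:", evaluate(rules, PING_TO_GATEWAY))
```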



Ping blocked by firewall

2024-04-09 Thread Karel Lucas

Hi all,

For the first time I tested my new firewall with ping, and it is 
blocked. I don't know what the reason is, you can find the information 
below. I have a network with only regular clients, so no servers. I'm 
still using OpenBSD V7.4, and will upgrade once the firewall is up and 
running so I can test the upgrade process.


/etc/pf.conf:
ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"
set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
block log all                # block stateless traffic
# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types
# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

/var/log/pflog:
tcpdump: WARNING: snaplen raised from 116 to 160
Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]
apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]




Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Markus Wernig

On 4/3/24 18:19, Karel Lucas wrote:

I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.

I'm not entirely sure about how bridging works on OpenBSD and PF, but 
the answer, from a network point of view, would be "Don't make ETH4 part 
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to 
ETH4, allowing only for the update traffic to/from $self".

(I hope I'm not missing something basic here)



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Nick Holland

On 4/3/24 12:19, Karel Lucas wrote:

Hi all,

I am creating a bridging firewall with OpenBSD and the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1.
OpenBSD is already installed. I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.



There are lots of options, but I'm not seeing the point of the bridging
firewall here.  Sounds like you are making things complicated and I'm
suspicious you won't be getting much benefit from it.  I think you would
do much better with NAT.

But...pretending for the moment this is the right solution for you, if
you are already planning on physically moving to the box to do upgrades,
just download the installXX.img file on another machine, drop it on a
thumb drive, walk over to your bridge and reboot from the thumb drive
and upgrade, don't bother fiddling with cables.

I'm also pretty sure you can put an internal IP on one of the ports
other than the bridge, and copy the files and install from there.  That
would have the benefit of remote administration, too.

Nick.



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Zé Loff
On Wed, Apr 03, 2024 at 06:19:29PM +0200, Karel Lucas wrote:
> Hi all,
> 
> I am creating a bridging firewall with OpenBSD and the following hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my ADSL
> modem, ETH2 and ETH3 for the output to my network. Furthermore, I would like
> to use ETH4 for the update/upgrade of the firewall. Remove the connection
> from ETH1, plug it into ETH4, and update/upgrade. Then the connection
> returns to ETH1. ETH4 therefore receives an IP address and ETH1,ETH2 and
> ETH3 not. But now the problem: as long as the network connection of the ADSL
> modem is in ETH4, my network, including the firewall, is no longer secured,
> and attackers can take advantage. I therefore wonder whether it is possible
> to let the data flow via ETH1 and ETH4 first pass through PF before an
> update/upgrade is done via ETH4. This means that the bridging firewall will
> have two entrances, one without and one with an IP address. I would like to
> know if that is possible, or if there is another option.
> 

I'd just run sysupgrade -n, unplug ETH1, reboot into the installer and
upgrade, reboot, and finally plug ETH1 back in.




Bridging firewall with online update/upgrade

2024-04-03 Thread Karel Lucas

Hi all,

I am creating a bridging firewall with OpenBSD and the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
OpenBSD is already installed. I want to use ETH1 for the input from my 
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I 
would like to use ETH4 for the update/upgrade of the firewall. Remove 
the connection from ETH1, plug it into ETH4, and update/upgrade. Then 
the connection returns to ETH1. ETH4 therefore receives an IP address 
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network 
connection of the ADSL modem is in ETH4, my network, including the 
firewall, is no longer secured, and attackers can take advantage. I 
therefore wonder whether it is possible to let the data flow via ETH1 
and ETH4 first pass through PF before an update/upgrade is done via 
ETH4. This means that the bridging firewall will have two entrances, one 
without and one with an IP address. I would like to know if that is 
possible, or if there is another option.




Re: 10gbps pf nat firewall ix to mcx

2024-02-12 Thread Chris Cappuccio
j...@openbsd.org [j...@openbsd.org] wrote:
> On Sun, Feb 11, 2024 at 10:42:32AM -0800, Chris Cappuccio wrote:
> > huh, after I migrated nat fw from 82599 (ix) with LRO on (default) to 
> > a CX4121A (mcx) flashed to latest nvidia firmware and now I'm getting
> > 900mbps on single tcp throughput
> 
> > (endpoints still using lro on em and ix)
> em(4) does not support the LRO feature, just TSO with mglocker's diff.
> 
> > and very consistently getting close to the full 1gbps
> > throughput on single tcp connections now instead of slower and slightly
> > varying results. guess I should go back and test ix with LRO off on
> > the pf box.
> 
> Sorry, I don't get your problem.  You changed your firewall NICs from
> ix(4) to mcx(4) and the throughput got slower?  Or, is the speed varying
> between 0.9 gbps and 1.0 gbps?

got faster, notably faster and more consistent TCP performance as tested with 
an ix sender, through mcx firewall, to a 1Gbps em endpoint, 1500 byte normal 
mtu, all default settings across the board

I would have to test more to understand what was going on, but this took me by 
surprise

chris



Re: 10gbps pf nat firewall ix to mcx

2024-02-12 Thread jan
On Sun, Feb 11, 2024 at 10:42:32AM -0800, Chris Cappuccio wrote:
> huh, after I migrated nat fw from 82599 (ix) with LRO on (default) to 
> a CX4121A (mcx) flashed to latest nvidia firmware and now I'm getting
> 900mbps on single tcp throughput

> (endpoints still using lro on em and ix)
em(4) does not support the LRO feature, just TSO with mglocker's diff.

> and very consistently getting close to the full 1gbps
> throughput on single tcp connections now instead of slower and slightly
> varying results. guess I should go back and test ix with LRO off on
> the pf box.

Sorry, I don't get your problem.  You changed your firewall NICs from
ix(4) to mcx(4) and the throughput got slower?  Or, is the speed varying
between 0.9 gbps and 1.0 gbps?



10gbps pf nat firewall ix to mcx

2024-02-11 Thread Chris Cappuccio
huh, after I migrated nat fw from 82599 (ix) with LRO on (default) to 
a CX4121A (mcx) flashed to latest nvidia firmware and now I'm getting
900mbps on single tcp throughput (endpoints still using lro on
em and ix) and very consistently getting close to the full 1gbps
throughput on single tcp connections now instead of slower and slightly
varying results. guess I should go back and test ix with LRO off on
the pf box.



Re: Bridging firewall and ntpd

2023-12-20 Thread readme
On Wed, Dec 20, 2023 at 12:23:31AM +0100, Karel Lucas wrote:
>Dear Mr. Henderson,
>
>From your answer I understand that to use the ntp daemon the interfaces still
>need an IP address. Unfortunately, a GPS unit is not available or desirable,
>so it seems to me that I will have to do it without a calibrated time, if
>there is no other option.

Having an out-of-band management interface is a pretty standard architecture
concept these days. Add a third NIC and control access by local pf policies,
multi-factor authentication, etc.



Re: Bridging firewall and ntpd

2023-12-20 Thread Janne Johansson
On Tue 19 Dec 2023 at 23:57 Karel Lucas wrote:

>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
> connections do not have an IP address?
>

I did some of that in the early 2000s, and it wasn't as good an idea as I
had imagined it to be.
We put an extra eth interface on the box, and had that one on the inside
network range, so it could log and be administered via it, then had some
rules that allowed certain outside ips to traverse the bridging fw to the
inside, and then reach the inside of the fw.

But all in all, that was just a workaround for a bad network setup where we
got a /24 from our ISP, but not a transport network for our outside of the
fw. I would not do it like that again, I noticed how nice it actually is to
be able to use layer-3 tools like ping and traceroute and so on, even if it
felt secretive and hip to have an "invisible" fw. I think most people that
have tried L2 firewalling end up moving away from it if they can, just
because of the poor visibility you get when you run firewalls on top of
bridges.

-- 
May the most significant bit of your life be positive.


Re: Bridging firewall and ntpd

2023-12-19 Thread Karel Lucas

Dear Mr. Henderson,

From your answer I understand that to use the ntp daemon the interfaces 
still need an IP address. Unfortunately, a GPS unit is not available or 
desirable, so it seems to me that I will have to do it without a 
calibrated time, if there is no other option.



On 20-12-2023 at 00:04 Stuart Henderson wrote:

On 2023-12-19, Karel Lucas wrote:

Hi all,

I am creating a bridging firewall, and am wondering if it is possible to
use the ntp daemon to ensure that all log files are timed correctly. Is
there a way to achieve that despite the fact that the network
connections do not have an IP address?

Yes, e.g. with a gps unit and nmea(4)

If you want to fetch time over the network, however, the machine will
need to have network access.






Re: Bridging firewall and ntpd

2023-12-19 Thread Stuart Henderson
On 2023-12-19, Karel Lucas wrote:
>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to 
> use the ntp daemon to ensure that all log files are timed correctly. Is 
> there a way to achieve that despite the fact that the network 
> connections do not have an IP address?

Yes, e.g. with a gps unit and nmea(4)

If you want to fetch time over the network, however, the machine will
need to have network access.


-- 
Please keep replies on the mailing list.



Bridging firewall and ntpd

2023-12-19 Thread Karel Lucas



Hi all,

I am creating a bridging firewall, and am wondering if it is possible to 
use the ntp daemon to ensure that all log files are timed correctly. Is 
there a way to achieve that despite the fact that the network 
connections do not have an IP address?




firewall hardware

2023-12-13 Thread Alexei Malinin
Hello!

Please advise me hardware for an OpenBSD firewall:
- 8 gigabit ethernet interfaces,
- >= 4 Gbps throughput.


Thanks,
Alexei



Re: Firewall Problems

2023-11-18 Thread Peter N. M. Hansteen
Hi,

Please keep this on the list.

On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between 
> vlans/networks as I’m trying to isolate vlans/networks 6,10,20,30 as well as 
> my admin network which is em2 interface in this case.

Unless you have explicitly excluded interfaces from filtering (set skip on
$interface), "block drop log all" will drop packets that do not match any
pass rules following.

> 2. You also pointed out that ICMPv4 wasn’t getting through. In my case ICMPv6 
> won’t get out either from my internal networks. Literally nothing from 
> internal networks gets out except icmpv4 to gateway, icmp from internal lan 
> to internal lan, icmp from internal lan to firewall itself. Other than that 
> there’s no DNS, HTTP, etc getting out. Would I need additional rules for 
> those explicitly or would I just need a pass out all rule that done a certain 
> way could work? (I have also tried this and it still doesn’t work)

Please take a look at the resources I pointed to. The tutorial slides will
clear up most of if not all of those questions.

And please keep any followups on the list.

All the best,
Peter

PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/ 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall Problems

2023-11-18 Thread louise9841
Hi John, I have enabled forwarding in my sysctl.conf.

Thank you,
Lewis ingraham 

> On Nov 17, 2023, at 8:52 AM, Lewis Ingraham wrote:
> 
> 
> Hello, I am trying to configure OpenBSD as a firewall but I can't get it to 
> ping outside the firewall and subsequently unable to reach the internet with 
> devices behind the firewall. I tried changing my pf.conf to match the FAQ (as 
> best as I could) and still can't get it to work. I am currently trying to get 
> both IPV4 and IPV6 addresses to my devices. Can anyone tell me what I am 
> doing wrong?
> 
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach internet (use things like 
> pkg_add, etc).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices  on the lan only get IPV4 addresses and not 
> IPV6 in addition.
> 



Re: Firewall Problems

2023-11-17 Thread Peter N. M. Hansteen
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as I could) and still can't get it to work. I am currently
> trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell
> me what I am doing wrong?

You have a number of "block quick" that seem to be already covered by the
seeming default

block drop log all  # block stateless traffic

but the only mention of ICMP (which is what ping uses) in your pf.conf is

pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol neighbradv }

so IPv4 icmp will not be let through at all.

This is covered somewhat extensively in that book I wrote
(https://nostarch.com/pf3) and you should be able to find the relevant
examples in the oft-repeated tutorial at https://home.nuug.no/~peter/pftutorial/

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall Problems

2023-11-17 Thread John Brooks

On 11/17/2023 9:52 AM, Lewis Ingraham wrote:

Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
ping outside the firewall and subsequently am unable to reach the internet
with devices behind the firewall. I tried changing my pf.conf to match the
FAQ (as best as I could) and still can't get it to work. I am currently
trying to get both IPv4 and IPv6 addresses to my devices. Can anyone tell
me what I am doing wrong?

For reference I can do the following:
1. Ping the firewall and connected devices from the inside LAN networks.
2. Use the firewall itself to ping outside and reach the internet (use things
like pkg_add, etc.).
3. Use devices in my LAN networks to successfully ping the gateway.
4. For some reason my devices on the LAN only get IPv4 addresses and not
IPv6 in addition.


did you enable forwarding?

 # sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
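Putting Peter's and John's two pointers together: the script below is an added pre-flight check (my code, not from this thread or the OpenBSD FAQ) that scans a pf.conf and a sysctl.conf for exactly the two gaps discussed, a ruleset with no pass rule covering ICMP echo for one of the address families, and a forwarding sysctl left off. The original poster's files were attachments and are not on the page, so the two configurations it checks are constructed, and the interface names em0 (WAN) and vlan10 (LAN) are assumptions. It is a heuristic line scan, not a pf parser; `pfctl -nf /etc/pf.conf` stays the authoritative syntax check.

```sh
#!/bin/sh
# Added example, not code from this thread: a pre-flight lint for the two
# faults pointed out above, run on the gateway against the files it will
# load (/etc/pf.conf and /etc/sysctl.conf). Heuristic line scan only;
# "pfctl -nf /etc/pf.conf" remains the real syntax check.

# Does some "pass" rule in ruleset $1 let ICMP echo through for address
# family $2 (inet or inet6)? A pass rule with no "proto" clause passes
# every protocol; a rule with an icmp-type/icmp6-type list must name
# echoreq. Lines are read as written, macros are not expanded.
icmp_echo_passed() {
    awk -v want="$2" '
        /^[ \t]*pass([ \t]|$)/ {
            af = "any"
            if ($0 ~ /[ \t]inet6([ \t]|$)/) af = "inet6"
            else if ($0 ~ /[ \t]inet([ \t]|$)/) af = "inet"
            if ($0 !~ /proto/) { if (af == "any" || af == want) found = 1; next }
            if ($0 ~ /proto[ \t]+icmp6([ \t]|$)/) af = "inet6"
            else if ($0 ~ /proto[ \t]+icmp([ \t]|$)/) af = "inet"
            else next
            if (af != want) next
            if ($0 !~ /icmp6?-type/ || $0 ~ /echoreq/) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Is forwarding for family $2 switched on in the sysctl.conf given as $1?
# IPv4 and IPv6 are separate knobs (net.inet.ip.forwarding and
# net.inet6.ip6.forwarding); setting only the first leaves the box
# forwarding IPv4 but not IPv6.
forwarding_enabled() {
    case $2 in
        inet)  _key='net\.inet\.ip\.forwarding' ;;
        inet6) _key='net\.inet6\.ip6\.forwarding' ;;
        *)     return 2 ;;
    esac
    grep -Eq "^[[:space:]]*${_key}=1[[:space:]]*(#.*)?$" "$1"
}

# Both checks for both families; one line per check, return value is the
# number of problems found (0 = clean).
preflight() {
    _pf=$1 _sc=$2 _bad=0
    for _af in inet inet6; do
        if icmp_echo_passed "$_pf" "$_af"; then
            echo "ok    $_af: a pass rule covers ICMP echo"
        else
            echo "FAIL  $_af: no pass rule lets ICMP echo through, ping is blocked"
            _bad=$((_bad + 1))
        fi
        if forwarding_enabled "$_sc" "$_af"; then
            echo "ok    $_af: forwarding enabled"
        else
            echo "FAIL  $_af: forwarding not enabled"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Constructed samples, not the poster's attachments. BROKEN_* has the
# shape Peter describes: default block, ICMP mentioned only for IPv6
# neighbour discovery, only the IPv4 forwarding knob set. FIXED_* is a
# minimal gateway passing echo for both families (em0/vlan10 assumed).
BROKEN_PF=$(mktemp) BROKEN_SC=$(mktemp) FIXED_PF=$(mktemp) FIXED_SC=$(mktemp)
trap 'rm -f "$BROKEN_PF" "$BROKEN_SC" "$FIXED_PF" "$FIXED_SC"' EXIT
cat > "$BROKEN_PF" <<'EOF'
block drop log all  # block stateless traffic
pass in on vlan10 inet proto { tcp udp }
pass out on egress inet proto { tcp udp } from (vlan10:network) nat-to (em0)
pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol neighbradv }
EOF
printf 'net.inet.ip.forwarding=1\n' > "$BROKEN_SC"
cat > "$FIXED_PF" <<'EOF'
ext_if = "em0"
int_if = "vlan10"
set skip on lo
match out on egress inet from ($int_if:network) nat-to (egress)
block return log
pass out on egress
pass in on $int_if proto { tcp udp }
pass in on $int_if inet proto icmp icmp-type echoreq
pass in on $int_if inet6 proto icmp6 icmp6-type echoreq
block in on egress
pass in on egress inet proto icmp icmp-type echoreq
pass in on egress inet6 proto icmp6 icmp6-type { routeradv neighbrsol neighbradv echoreq }
EOF
printf 'net.inet.ip.forwarding=1\nnet.inet6.ip6.forwarding=1\n' > "$FIXED_SC"

echo "== as posted (constructed) =="
preflight "$BROKEN_PF" "$BROKEN_SC" || echo "-> $? problem(s)"
echo "== fixed =="
preflight "$FIXED_PF" "$FIXED_SC" && echo "-> clean"
```

On the real box, call `preflight /etc/pf.conf /etc/sysctl.conf` and fix every FAIL line before `pfctl -f`; note that a sysctl.conf entry only takes effect at boot, so `sysctl net.inet6.ip6.forwarding=1` is still needed for the running kernel.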



Firewall Problems

2023-11-17 Thread Lewis Ingraham
Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
ping outside the firewall and subsequently am unable to reach the internet
with devices behind the firewall. I tried changing my pf.conf to match the
FAQ (as best as I could) and still can't get it to work. I am currently
trying to get both IPv4 and IPv6 addresses to my devices. Can anyone tell
me what I am doing wrong?

For reference I can do the following:
1. Ping the firewall and connected devices from the inside LAN networks.
2. Use the firewall itself to ping outside and reach the internet (use things
like pkg_add, etc.).
3. Use devices in my LAN networks to successfully ping the gateway.
4. For some reason my devices on the LAN only get IPv4 addresses and not
IPv6 in addition.


[Attachments (binary data, not reproduced): sysctl.conf, dhcpcd.conf, pf.conf,
hostname.vlan10, rad.conf, hostname.vlan20, hostname.vlan4, hostname.vlan30,
hostname.vlan6, hostname.em0, hostname.em2, dhcpd.conf, hostname.em1]


Re: Which hardware for a firewall?

2023-06-20 Thread Stuart Henderson
On 2023-06-20, Nick Holland  wrote:
> On 6/20/23 13:13, Karel Lucas wrote:
>> 
>> Hi all,
>> 
>> I'm going to create a firewall with openBSD, and would like to use the
>> ARM64 or ARMv7 distribution for that. Unfortunately I don't know what
>> hardware I can get for this, and that's the reason for this mail. Can
>> someone point me to a suitable platform for this? If this email does not
>> belong on this mailing list, I offer my apology. This is my first post
>> on this mailing list, and ask for understanding. Sincerely, Karel.

R5S is probably most likely to fit the bill.

armv7 is probably too slow to be of all that much interest.

Be aware that OpenBSD is a bit less polished on arm platforms.
Most are at least a bit more awkward than most amd64.

> Fortunately, since there's only one speed connection, a set number of
> devices doing a fixed number of things in each location, we will have no
> problem advising you on the best choice for your application...
>
> oh, wait... :)
>
> Well, here's the HW compatibility for those platforms:
> https://www.openbsd.org/arm64.html
> https://www.openbsd.org/armv7.html

There's only partial detail of what works on the various boards, and
some need fiddling with boot loaders/device trees.




Re: Which hardware for a firewall?

2023-06-20 Thread Nick Holland

On 6/20/23 13:13, Karel Lucas wrote:


Hi all,

I'm going to create a firewall with openBSD, and would like to use the
ARM64 or ARMv7 distribution for that. Unfortunately I don't know what
hardware I can get for this, and that's the reason for this mail. Can
someone point me to a suitable platform for this? If this email does not
belong on this mailing list, I offer my apology. This is my first post
on this mailing list, and ask for understanding. Sincerely, Karel.



Fortunately, since there's only one speed connection, a set number of
devices doing a fixed number of things in each location, we will have no
problem advising you on the best choice for your application...

oh, wait... :)

Well, here's the HW compatibility for those platforms:
https://www.openbsd.org/arm64.html
https://www.openbsd.org/armv7.html

You will have to decide what fits your needs.

Honestly, though, I'd suggest just recycling an old PC and a surplus
network card (or multi-port card, depending on how people toss stuff
out around you).  If you want "the best choice", this is probably it.

Nick.



Which hardware for a firewall?

2023-06-20 Thread Karel Lucas



Hi all,

I'm going to create a firewall with openBSD, and would like to use the 
ARM64 or ARMv7 distribution for that. Unfortunately I don't know what 
hardware I can get for this, and that's the reason for this mail. Can 
someone point me to a suitable platform for this? If this email does not 
belong on this mailing list, I offer my apology. This is my first post 
on this mailing list, and ask for understanding. Sincerely, Karel.




Re: openbsd firewall configuration for extreme hostile environment

2023-05-07 Thread jonathon575
Thank you very much, Nick. I truly appreciate your advice.

Jonathon.


Sent with Proton Mail secure email.

--- Original Message ---
On Tuesday, May 2nd, 2023 at 2:01 AM, Nick Holland 
 wrote:


> On 4/26/23 08:46, jonathon575 wrote:
> 
> > Greetings,
> > 
> > I have OpenBSD configured strictly as a dedicated firewall. Only BSD,
> > BSD.rd, BSD.mp, and Base are installed (supposedly, this is the
> > minimum installation). Block all, and only a few selected outgoing
> > IP addresses are allowed (strictly VPN IP addresses).
> 
> 
> which basically means, you blew a huge hole in the firewall.
> VPNs don't ADD security, they let infested computers you can't properly
> maintain enter your network from all over the world. They take a
> horrible idea (let people into your network) and make it less bad.
> But there's a gap between "less bad" and "good". No firewall can
> fix this.
> 
> > I maintained rc.conf at its default configuration, including disabled
> > ntpd, smtpd, sndiod, sshd, then deleted the sshd binary file and related
> > library directory, as well as the portmap file. However, the
> > penetration is still happening. IPS is not helping. DHCP is enabled
> > and configured for LAN.
> 
> 
> So...totally non-default config.
> you can't track activity by accurate time stamps (no NTP), you can't
> remotely manage the machine, and you have a management nightmare on
> your hands.
> 
> > I do have a few clarifications, and kindly need your expertise:
> > 
> > 1) Regarding the log files, how do I sappnd the .history file? I could
> > not locate it. Kindly advise.
> 
> 
> just..don't.
> When you start worrying about stuff like that, you are no longer
> preventing attack, you are just measuring it.
> 
> > 2) I read the publications of Mr. Michael Lucas; he did state that he
> > had intruders in his OpenBSD systems a few times, and the way to stop
> > and frustrate the bugger was to make every file immutable, but he
> > did not specify how to do that without breaking the system.
> 
> 
> "I want to shoot myself in the foot, but I want to be ok"
> No, what you are proposing is a very good definition of "breaking
> the system".
> 
> and again... It is far better to keep people out of your system
> through proper maintenance than try to slow 'em down once they
> are in it. Now, if you have a horrible web application, ok, sure,
> you might want to go all defense-in-depth here, because, well your
> application sucks and we know you aren't going to fix that, and some
> C-level said, "This is the answer, make it work". But a firewall
> should be a pretty robust thing and a bad target anyway.
> If I want into your network, I'm not going to waste time on your
> firewall, I'll work over the things you expose through the
> firewall. That's where the data is anyway...
> 
> > I had the directories /bin, /sbin, /usr/bin, /usr/sbin, /etc schg
> > immutable (chflags -R schg); however, when applying it to other
> > directories, including the lib-related directories such as /usr/lib,
> > /lib, etc., I get the error message "relink reorder failed..." when
> > restarting the system.
> 
> 
> yep. You shot yourself in the foot, and it hurts. You haven't even
> started to experience the pain of bleeding out, either. That comes
> when you try to upgrade this frankensystem.
> 
> > How to make every file/directory, the file-system, schg immutable
> > without breaking the system?
> 
> 
> you don't.
> 
> > 3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP
> > connections.
> > 
> > The above outgoing IP addresses are strictly related to VPN TCP IP
> > addresses, so I hope the mentioned CVE is rectified in OpenBSD;
> > however, I am not sure what new vulnerabilities are present with the
> > existing, latest OpenBSD and VPN protocols that would have similar
> > effects.
> 
> 
> Well, your comments on that CVE are about as clear as the CVE itself
> is. Looks like it boils down to "if someone can get into your systems
> enough to see packets, they can guess where they are going."
> How did you decide THIS was your big concern?
> 
> > I included the below lines in the pf.conf to try to mitigate this
> > vulnerability:
> > 
> > set reassemble yes
> > match in all scrub (no-df random-id reassemble tcp max-mss 1440)
> > 
> > However, it was still not sufficient to prevent the penetration.
> 
> 
> that wasn't how your systems were penetrated. Almost certain of that.
> 
> > I did not come across any literature on h

Re: openbsd firewall configuration for extreme hostile environment

2023-05-02 Thread Stuart Henderson
On 2023-04-26, jonathon575  wrote:
> The services in the file rc.conf are kept in their default state, which is
> mostly disabled. The binary files sshd, portmap, ntpd are deleted from the
> /bin directory. Other binary files telnet, ssh, scp, sftp are removed to
> prevent any file transfer from the firewall to the LAN network.

That is pointless, if an attacker is on the system they can use shell
built-ins to write new binaries to disk. Better keep the tools which you
need to maintain and administer the system.

You talk about IDS/IPS a few times. Software doing that is often pretty damn
scary and often runs with high privileges. I would be way more concerned
about running that than say sshd.


-- 
Please keep replies on the mailing list.
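Stuart's point about shell built-ins, as an added illustration (my code, not from this thread): with nothing but `printf` and a redirection, a shell can recreate any byte sequence on disk, so deleting scp, sftp or ftp from a firewall slows down only the administrator. The sample bytes are a constructed ELF header prefix chosen because it contains NUL bytes; `od` and `wc` appear only in the read-back that verifies the round trip.

```sh
#!/bin/sh
# Added example, not code from this thread. write_hex_bytes needs only the
# printf builtin (sh, ksh, bash) plus a redirection; no copy, transfer or
# editor binary is involved, which is why removing those binaries does
# not take file-writing away from anyone who already has a shell.

# Write the bytes given as a hex string in $1 (e.g. "7f454c46") to the
# file $2, one printf octal escape per byte. Rejects odd-length or
# non-hex input instead of looping forever on it.
write_hex_bytes() {
    _hex=$1 _out=$2
    case $_hex in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#_hex} % 2 )) -eq 0 ] || return 1
    : > "$_out"
    while [ -n "$_hex" ]; do
        _rest=${_hex#??}            # everything after the first two digits
        _byte=${_hex%"$_rest"}      # ... so this is exactly those two
        _hex=$_rest
        # %03o turns the byte value into a three-digit octal escape, which
        # the outer printf emits as one raw byte (NUL included)
        printf "\\$(printf '%03o' "0x$_byte")" >> "$_out"
    done
}

# Read a file back as a hex string, used here only to check the result.
hex_of_file() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Constructed sample: the first nine bytes of an ELF header, including
# two NUL bytes, the case most likely to trip up text-oriented tools.
SAMPLE_HEX='7f454c460201010000'

OUT=$(mktemp)
trap 'rm -f "$OUT"' EXIT
write_hex_bytes "$SAMPLE_HEX" "$OUT"
echo "wrote $(wc -c < "$OUT" | tr -d ' ') bytes; read back: $(hex_of_file "$OUT")"
```

The same loop works for a file of any size, which is the whole point: an attacker with a shell brings the payload in as text and reconstitutes it locally, so the controls that matter are the ones that keep the shell out of reach (patching, exposed services, credentials), not the inventory of binaries left in /usr/bin.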



Re: openbsd firewall configuration for extreme hostile environment

2023-05-02 Thread Stuart Henderson
On 2023-04-26, jonathon575  wrote:
>>> #What firewall was compromised - your OpenBSD based firewall? ... hope you 
>>> did a fresh
>>> install from scratch on this device...
>>>
>>> Yes, it was OpenBSD based firewall 7.1. Fresh install from scratch didn't 
>>> help as the attack appeared again.

In what form did the compromise take?

How did you identify that the firewall was compromised?


-- 
Please keep replies on the mailing list.



Re: openbsd firewall configuration for extreme hostile environment

2023-05-01 Thread Nick Holland

On 4/26/23 08:46, jonathon575 wrote:

Greetings,

I have OpenBSD configured strictly as a dedicated firewall. Only BSD,
BSD.rd, BSD.mp, and Base are installed (supposedly, this is the
minimum installation). Block all, and only a few selected outgoing
IP addresses are allowed (strictly VPN IP addresses).


which basically means, you blew a huge hole in the firewall.
VPNs don't ADD security, they let infested computers you can't properly
maintain enter your network from all over the world.  They take a
horrible idea (let people into your network) and make it less bad.
But there's a gap between "less bad" and "good". No firewall can
fix this.
 

I maintained rc.conf at its default configuration, including disabled
ntpd, smtpd, sndiod, sshd, then deleted the sshd binary file and related
library directory, as well as the portmap file. However, the
penetration is still happening. IPS is not helping. DHCP is enabled
and configured for LAN.


So...totally non-default config.
you can't track activity by accurate time stamps (no NTP), you can't
remotely manage the machine, and you have a management nightmare on
your hands.


I do have a few clarifications, and kindly need your expertise:

1) Regarding the log files, how do I sappnd the .history file? I could
not locate it. Kindly advise.


just..don't.
When you start worrying about stuff like that, you are no longer
preventing attack, you are just measuring it.


2) I read the publications of Mr. Michael Lucas; he did state that he
had intruders in his OpenBSD systems a few times, and the way to stop
and frustrate the bugger was to make every file immutable, but he
did not specify how to do that without breaking the system.


"I want to shoot myself in the foot, but I want to be ok"
No, what you are proposing is a very good definition of "breaking
the system".

and again...  It is far better to keep people out of your system
through proper maintenance than try to slow 'em down once they
are in it.  Now, if you have a horrible web application, ok, sure,
you might want to go all defense-in-depth here, because, well your
application sucks and we know you aren't going to fix that, and some
C-level said, "This is the answer, make it work".  But a firewall
should be a pretty robust thing and a bad target anyway.
If I want into your network, I'm not going to waste time on your
firewall, I'll work over the things you expose *through* the
firewall.  That's where the data is anyway...


I had the directories /bin, /sbin, /usr/bin, /usr/sbin, /etc schg immutable
(chflags -R schg); however, when applying it to other directories,
including the lib-related directories such as /usr/lib, /lib, etc., I
get the error message "relink reorder failed..." when restarting the
system.


yep.  You shot yourself in the foot, and it hurts.  You haven't even
started to experience the pain of bleeding out, either.  That comes
when you try to upgrade this frankensystem.


How to make every file/directory, the file-system, schg immutable
without breaking the system?


you don't.
 

3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP
connections.

The above outgoing IP addresses are strictly related to VPN TCP IP
addresses, so I hope the mentioned CVE is rectified in OpenBSD;
however, I am not sure what new vulnerabilities are present with the
existing, latest OpenBSD and VPN protocols that would have similar
effects.


Well, your comments on that CVE are about as clear as the CVE itself
is.  Looks like it boils down to "if someone can get into your systems
enough to see packets, they can guess where they are going."
How did you decide THIS was your big concern?


I included the below lines in the pf.conf to try to mitigate this
vulnerability:

set reassemble yes
match in all scrub (no-df random-id reassemble tcp max-mss 1440)

However, it was still not sufficient to prevent the penetration.


that wasn't how your systems were penetrated.  Almost certain of that.


I did not come across any literature on how to mitigate the mentioned
CVE in OpenBSD.


that's a big hint.


4) Perl: How to remove Perl and other scripting languages from the
base installation without affecting other utilities that use it? I
do not have comp.tgz installed, but if Perl is present, Perl can do
anything that most compiled languages allow and can often do it
quicker.


:eyeroll:
This idea is stupid.  Just plain stupid.
(Granted, it is a common stupid idea.  But there's a lot of stupid
in the world)

Do you discard all the tools in your house because a thief might
use them to disassemble stuff inside your house?  Discard the soap
because they might want to wash their hands?  Turn off the water
in case they get thirsty?  Turn off the heat and AC so they won't be
comfortable?  That's what this line of logic boils down to. Any
self-respecting burglar will bring their own tools, meanwhile stuff
will be falling apart all around you ove

Re: openbsd firewall configuration for extreme hostile environment

2023-04-26 Thread jonathon575
Greetings,

I have OpenBSD configured strictly as a dedicated firewall. Only BSD, BSD.rd,
BSD.mp, and Base are installed (supposedly, this is the minimum installation).
Block all, and only a few selected outgoing IP addresses are allowed (strictly
VPN IP addresses).

I maintained rc.conf at its default configuration, including disabled ntpd,
smtpd, sndiod, sshd, then deleted the sshd binary file and related library
directory, as well as the portmap file. However, the penetration is
still happening. IPS is not helping. DHCP is enabled and configured for LAN.

I do have a few clarifications, and kindly need your expertise:

1) Regarding the log files, how do I sappnd the .history file? I could not
locate it. Kindly advise.

2) I read the publications of Mr. Michael Lucas; he did state that he had
intruders in his OpenBSD systems a few times, and the way to stop and frustrate
the bugger was to make every file immutable, but he did not specify how to do
that without breaking the system. I had the directories /bin, /sbin, /usr/bin,
/usr/sbin, /etc schg immutable (chflags -R schg); however, when applying it
to other directories, including the lib-related directories such as /usr/lib,
/lib, etc., I get the error message "relink reorder failed..." when restarting
the system.

How to make every file/directory, the file system, schg immutable without
breaking the system?

3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

The above outgoing IP addresses are strictly related to VPN TCP IP addresses,
so I hope the mentioned CVE is rectified in OpenBSD; however, I am not sure
what new vulnerabilities are present with the existing, latest OpenBSD and VPN
protocols that would have similar effects.

I included the below lines in the pf.conf to try to mitigate this vulnerability:

set reassemble yes
match in all scrub (no-df random-id reassemble tcp max-mss 1440)

However, it was still not sufficient to prevent the penetration.

I did not come across any literature on how to mitigate the mentioned CVE in
OpenBSD.

4) Perl: How to remove Perl and other scripting languages from the base
installation without affecting other utilities that use it? I do not have
comp.tgz installed, but if Perl is present, Perl can do anything that most
compiled languages allow and can often do it quicker.

5) Disabled services.

The services in the file rc.conf are kept in their default state, which is mostly
disabled. The binary files sshd, portmap, ntpd are deleted from the /bin
directory. Other binary files telnet, ssh, scp, sftp are removed to prevent any
file transfer from the firewall to the LAN network.

Strictly for a firewall, what additional services/binary files should be
disabled/removed to prevent firewall penetration, and/or prevent any rootkit or
malware from getting executed and/or accessing the LAN network? Managing the
firewall is only through direct terminal access.

I am trying to make the OpenBSD firewall bulletproof as much as possible,
sealing all possible gaps; otherwise, IDS/IPS is useless.

Appreciate your kind support.

Many thanks.

--- Original Message ---
On Wednesday, April 26th, 2023 at 12:37 PM, jonathon575 
 wrote:

> Greetings,
>
> I have OpenBSD configured strictly as a dedicated firewall. Only BSD, BSD.rd,
> BSD.mp, and Base are installed (supposedly, this is the minimum
> installation). Block all, and only a few selected outgoing IP addresses are
> allowed (strictly VPN IP addresses).
>
> I maintained rc.conf at its default configuration, including disabled ntpd,
> smtpd, sndiod, sshd, then deleted the sshd binary file and related library
> directory, as well as the portmap file. However, the penetration is
> still happening. IPS is not helping. DHCP is enabled and configured for LAN.
>
> I do have a few clarifications, and kindly need your expertise:
>
> 1) Regarding the log files, how do I sappnd the .history file? I could not
> locate it. Kindly advise.
>
> 2) I read the publications of Mr. Michael Lucas; he did state that he had
> intruders in his OpenBSD systems a few times, and the way to stop and frustrate
> the bugger was to make every file immutable, but he did not specify how to
> do that without breaking the system. I had the directories /bin, /sbin,
> /usr/bin, /usr/sbin, /etc schg immutable (chflags -R schg); however, when
> applying it to other directories, including the lib-related directories such
> as /usr/lib, /lib, etc., I get the error message "relink reorder failed..."
> when restarting the system.
>
> How to make every file/directory, the file system, schg immutable without
> breaking the system?
>
> 3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
>
> The above outgoing IP addresses are strictly related to VPN TCP IP addresses,
> so I hope the mentioned CVE is

Re: openbsd firewall configuration for extreme hostile environment

2023-04-26 Thread jonathon575
Greetings,

I have OpenBSD configured strictly as a dedicated firewall. Only BSD, BSD.rd,
BSD.mp, and Base are installed (supposedly, this is the minimum installation).
Block all, and only a few selected outgoing IP addresses are allowed (strictly
VPN IP addresses).

I maintained rc.conf at its default configuration, including disabled ntpd,
smtpd, sndiod, sshd, then deleted the sshd binary file and related library
directory, as well as the portmap file. However, the penetration is
still happening. IPS is not helping. DHCP is enabled and configured for LAN.

I do have a few clarifications, and kindly need your expertise:

1) Regarding the log files, how do I sappnd the .history file? I could not
locate it. Kindly advise.

2) I read the publications of Mr. Michael Lucas; he did state that he had
intruders in his OpenBSD systems a few times, and the way to stop and frustrate
the bugger was to make every file immutable, but he did not specify how to do
that without breaking the system. I had the directories /bin, /sbin, /usr/bin,
/usr/sbin, /etc schg immutable (chflags -R schg); however, when applying it
to other directories, including the lib-related directories such as /usr/lib,
/lib, etc., I get the error message "relink reorder failed..." when restarting
the system.

How to make every file/directory, the file system, schg immutable without
breaking the system?

3) [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

The above outgoing IP addresses are strictly related to VPN TCP IP addresses,
so I hope the mentioned CVE is rectified in OpenBSD; however, I am not sure
what new vulnerabilities are present with the existing, latest OpenBSD and VPN
protocols that would have similar effects.

I included the below lines in the pf.conf to try to mitigate this vulnerability:

set reassemble yes
match in all scrub (no-df random-id reassemble tcp max-mss 1440)

However, it was still not sufficient to prevent the penetration.

I did not come across any literature on how to mitigate the mentioned CVE in
OpenBSD.

4) Perl: How to remove Perl and other scripting languages from the base
installation without affecting other utilities that use it? I do not have
comp.tgz installed, but if Perl is present, Perl can do anything that most
compiled languages allow and can often do it quicker.

5) Disabled services.

The services in the file rc.conf are kept in their default state, which is mostly
disabled. The binary files sshd, portmap, ntpd are deleted from the /bin
directory. Other binary files telnet, ssh, scp, sftp are removed to prevent any
file transfer from the firewall to the LAN network.

Strictly for a firewall, what additional services/binary files should be
disabled/removed to prevent firewall penetration, and/or prevent any rootkit or
malware from getting executed and/or accessing the LAN network? Managing the
firewall is only through direct terminal access.

I am trying to make the OpenBSD firewall bulletproof as much as possible,
sealing all possible gaps; otherwise, IDS/IPS is useless.

Appreciate your kind support.

Many thanks.

--- Original Message ---
On Thursday, September 8th, 2022 at 9:49 AM, jonathon575 
 wrote:

> from a quick glance the firewall seems ok. However, if the clients in
> your network route all their traffic through VPN OpenBSD on the local
> firewall cannot help. And on those VPN_IPs, what are the firewall rules?
>
> Hint: if the VPN_IPs are compromised traffic can be probably forwarded
> to your hosts in the network which then might be the same as having
> those client computers directly connected to the internet, without any
> firewall. Also, restrict outgoing traffic on the VPN_IPs - it's quite
> simple for a malware to e.g. make a reverse tunnel (like with ssh).
>
> Be sure to have your linux desktop devices updated. What firewall was
> compromised - your OpenBSD based firewall? ... hope you did a fresh
> install from scratch on this device...
>
> =
>
> Thank you very much for your feedback. Highly appreciated.
>
> Yes, you are correct. The spyware did generate a reverse tunnel, and we were 
> able to isolate and identify the traffic and the ip addresses that the 
> spyware was connecting to.
>
> ==
>
> #"However, if the clients in your network route all their traffic through VPN 
> OpenBSD on the local firewall cannot help."#
>
> With the constant attacks we are getting, we had to route all traffic
> through the VPN.

Re: Simple PF Router/Firewall/NAT requirements: was Performance optimizing OpenBSD 7.2

2023-02-15 Thread patric conant
no

On Wed, Feb 15, 2023 at 10:21 PM Steve Litt 
wrote:

> Claudio Jeker said on Wed, 15 Feb 2023 14:14:11 +0100
>
>
> >I think the state-mismatch is a result of hitting the state limit and
> >not the other way around.  At over 90'000 states the default timeouts
> >are reduced by more than 50% and so states are removed too soon
> >resulting in a state-mismatch.
> >
> >So first bump the limit up and then look at the counters again.
>
> Within the next three months I'll be building a hardware (not VM)
> OpenBSD machine with pf filtering to Route, firewall and NAT between my
> house's IPV4 192.168.0.0/24 network and the Internet. My Internet is
> about 26Mbit down and 3.5Mbit up. Do you think I'll need to worry about
> state limits, states or state-mismatches?
>
> Thanks,
>
> SteveT
>
> Steve Litt
> Autumn 2022 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/bookstore/thrive.htm
>
>

-- 
Patric Conant
Mirage Computing Lead Consultant
@MirageComputing <https://twitter.com/MirageComputing> on twitter
https://m.facebook.com/MirageComputing/
316 409 2424


Simple PF Router/Firewall/NAT requirements: was Performance optimizing OpenBSD 7.2

2023-02-15 Thread Steve Litt
Claudio Jeker said on Wed, 15 Feb 2023 14:14:11 +0100


>I think the state-mismatch is a result of hitting the state limit and
>not the other way around.  At over 90'000 states the default timeouts
>are reduced by more than 50% and so states are removed too soon
>resulting in a state-mismatch.
>
>So first bump the limit up and then look at the counters again.

Within the next three months I'll be building a hardware (not VM)
OpenBSD machine with pf filtering to Route, firewall and NAT between my
house's IPV4 192.168.0.0/24 network and the Internet. My Internet is
about 26Mbit down and 3.5Mbit up. Do you think I'll need to worry about
state limits, states or state-mismatches?

Thanks,

SteveT

Steve Litt 
Autumn 2022 featured book: Thriving in Tough Times
http://www.troubleshooters.com/bookstore/thrive.htm



firewall woes: ipv6 dhcpcd rad pppoe

2022-12-26 Thread Shadrock Uhuru

hi everyone
these are my router configs
at bootup I get a timeout on dhcpcd,
some of my global IPv6 addresses are missing,
and I have an MTU warning at boot in one or two of the interface files

could someone have a quick look over the configs and see what's wrong please?
also, should I add the pppoe0 interface to rad.conf?
shadrock

cat /etc/hostname.bge0
inet 88.97.5.79 255.255.255.255 NONE  mtu 1508 
inet6 autoconf

up

ifconfig bge0 
bge0: flags=248843 mtu 1500

lladdr 00:18:8b:6a:ab:48
index 1 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::218:8bff:fe6a:ab48%bge0 prefixlen 64 scopeid 0x1
inet 88.97.5.79 netmask 0x

cat /etc/hostname.pppoe0 
!/bin/sleep 10

inet 0.0.0.0 255.255.255.255 NONE mtu 1500 \
pppoedev bge0 authproto chap \
authname 'myuser' authkey 'mypass' 
dest 0.0.0.1

inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
# !/sbin/route add inet6 default -ifp pppoe0 fe80::%pppoe0

ifconfig pppoe0
pppoe0: flags=8851 mtu 1492
index 6 priority 0 llprio 3
dev: bge0 state: session
sid: 0x1e PADI retries: 48 PADR retries: 0 time: 03:16:43
	sppp: phase network authproto chap 
	dns: 212.23.3.100 212.23.6.100

groups: pppoe egress
status: active
inet6 fe80::200:0:0:1%pppoe0 -->  prefixlen 64 scopeid 0x6
inet 88.97.5.79 --> 51.148.72.22 netmask 0x
inet6 2a02:8011:d000:57d:930c:8392:d5e2:6c10 -->  prefixlen 64 autoconf 
pltime 172749 vltime 259149

cat /etc/dhcpcd.conf
# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
#hostname

ipv6only
noipv6rs

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# vendorclassid is set to blank to avoid sending the default of
# dhcpcd-<version>:<os>:<machine>:<platform>
vendorclassid

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Request a hostname from the network
option host_name

# Most distributions have NTP support.
#option ntp_servers

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

script ""

allowinterfaces pppoe0 em0 em1
interface pppoe0
ipv6rs
ia_na 1
ia_pd 2 em0/1 em1/2



cat /etc/rad.conf
interface em0
interface em1

cat /etc/hostname.em0
inet 10.2.1.1 0xff00
inet6 autoconf

ifconfig em0 
em0: flags=248843 mtu 1500

lladdr 00:11:0a:5f:6d:40
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::211:aff:fe5f:6d40%em0 prefixlen 64 scopeid 0x2
inet 10.2.1.1 netmask 0xff00 broadcast 10.2.1.255



Re: Is pf still the recommended firewall/NAT software for OpenBSD?

2022-12-01 Thread Maurice McCarthy
Yes

On Fri, 2 Dec 2022, 01:14 Steve Litt,  wrote:

> Is pf still the recommended firewall/NAT software for OpenBSD?
>
> Thanks,
>
> SteveT
>
> Steve Litt
> Autumn 2022 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/bookstore/thrive.htm
>
>


Re: SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-18 Thread Jonathan Thornburg
In message <https://marc.info/?l=openbsd-misc=166062861021368=1>
I described how I'm using an OpenBSD firewall (pf) to protect a VOIP
phone system.  A small correction:

I wrote:
> The firewall
> also runs unbound to provide caching DNS service to the VOIP box and the
> local computers, and to do secure DNS-over-TCP to an upstream DNSSEC
> provider.  (That way I don't need to trust the ISP box's DNS service.)

Oops, /dev/brain parity error there -- that should have been "DNS-over-TLS".
Sorry for any confusion,

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Why would we install sewers in London?  Everyone keeps getting cholera
again and again so there's obviously no reason to install sewers.  We
just need to get used to this as the new normal."
 -- 2022-07-25 tweet by "Neoliberal John Snow"



SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-15 Thread Jonathan Thornburg
In message <https://marc.info/?l=openbsd-misc=162550822403762=1>
(date 2021-07-05) I wrote:
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks?  If so, how did you do it?  More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?

There were various helpful replies in that thread, but I wasn't able
to complete my firewall upgrade at that time.  I've recently returned
to this project, and after a bit of fiddling around I'm pleased to report
a successful outcome.  For the benefit of anyone else trying to protect
a similar VOIP system, here's a summary of what I've done.

My network topology is this:

                     +-------------------+
      (internet) --- | ISP-provided ADSL |
                     | modem/router      |
                     +-------------------+
                              |
                              |
                     +----------+    +-----------+
                     | OpenBSD  |----| Ooma Telo |.... analog
                     | firewall |    | VOIP box  |     telephones
                     +----------+    +-----------+
                       |      |
      +--------+       |      |
      | Wifi   |-------+      +-- wired client
      | access |                 (or network switch for
      | point  |                  multiple wired clients)
      +--------+

One of my overall goals in trying to design this system is to not trust
either the ISP-provided ADSL modem/router (the "ISP box") or the Ooma Telo
VOIP box any more than necessary -- they're both probably running out-of-date
embedded Linux systems, and could well be hacked at some point.  Notably,
I'd rather not trust the ISP box's DNS service, and I'd like to prevent
either the ISP box or the VOIP box from being able to probe or attack
my other local computers.

Therefore, the OpenBSD firewall (a PC Engines apu4d4) has separate physical
network interfaces to talk to the ISP box, the VOIP box, a wifi access point
(for other local computers that want internet access) and a wired client
(another local computer or computers that want internet access).

The firewall gets a dynamic address on its "outside" interface via DHCP
from the ISP box.  The firewall assigns distinct /26 subnets of the
192.168.*.* address space to clients connecting via its three internal
interfaces ("wired", "wifi", and "voip").  The firewall runs dhcpd to
assign dynamic IP addresses within those subnets, and to advertise itself
as a DNS server to all the local clients and the VOIP box.  The firewall
also runs unbound to provide caching DNS service to the VOIP box and the
local computers, and to do secure DNS-over-TCP to an upstream DNSSEC
provider.  (That way I don't need to trust the ISP box's DNS service.)

The Ooma VOIP documentation says it uses the following ports:
  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP 80, 110, 443
  outgoing UDP 67, 123, 3480
  incoming UDP 1 to 3
but doesn't have much to say about NAT-vs-dynamically-chosen-ports issues.
I was pleasantly surprised to find that it works fine through the firewall's
NAT.

I give the relevant parts of the firewall's /etc/pf.conf below.  This
doesn't give perfect protection (e.g., the ISP box could still insert
nastygram packets into non-encrypted connections), but it does offer fairly
good protection, hopefully enough to protect me from typical "mass attacks".

Unless the ISP box meddles in the traffic quite heavily, the OpenBSD
firewall's NAT and "modulate state" should ensure that all traffic to/from
the outside world has high-entropy initial TCP sequence numbers and ports
(for improved resistance to TCP-sequence-guessing attacks).


--- begin firewall /etc/pf.conf ---
# uncomment one of the following two lines
# to configure logging for the main wired/wifi subnets
MAYBE_LOG_MAIN  = ""        # uncomment for no logging
#MAYBE_LOG_MAIN = "log"     # uncomment for logging

# uncomment one of the following two lines
# to configure logging for the voip subnet
MAYBE_LOG_VOIP  = ""        # uncomment for no logging
#MAYBE_LOG_VOIP = "log"     # uncomment for logging

# uncomment one of the following two lines
# to configure logging for the default block rule
MAYBE_LOG_BLOCK  = ""       # uncomment for no logging
#MAYBE_LOG_BLOCK = "log"    # uncomment for logging



if_outside  = "em0"
if_wired= "em1"
if_wifi = "em2"
if_voip = "em3"
if_internal = "{" $if_wired $if_wifi $if_voip "}"
if_all  = "{" $if_outside $if_wired $if_wifi $if_voip "}"

# last byte of ip address:
#   /25 /26 /27 /28 /29 /30 /31 /32
#   128
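
The design above (three internal /26 subnets, an untrusted VOIP box that may only reach its documented ports, NAT plus "modulate state" on the outside interface) can be checked before it is typed into pf.conf. The following is an added example, not code from the post or from OpenBSD; the 192.168.100.0/24 parent block and the em1/em2/em3 interface roles are assumptions made for it. It verifies that the chosen subnets are disjoint and inside the parent block, computes the "last byte" stride per prefix length that the truncated comment above was tabulating, and renders least-privilege pf rules for the VOIP interface from the Ooma port list quoted in the post.

```python
# Added example (not from the post or any OpenBSD/pf source): lay out the three
# internal /26 subnets the post describes, verify they are disjoint and inside
# the parent block, and render least-privilege pf rules for the VOIP interface
# from the egress ports the post quotes. The 192.168.100.0/24 parent block and
# the em1/em2/em3 interface names are assumptions made for this example.
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Constructed layout: one /24 carved into three /26s, one per internal interface.
PARENT: IPv4Net = ipaddress.ip_network("192.168.100.0/24")
SUBNETS: Dict[str, IPv4Net] = {
    "em1": ipaddress.ip_network("192.168.100.0/26"),    # wired clients
    "em2": ipaddress.ip_network("192.168.100.64/26"),   # wifi access point
    "em3": ipaddress.ip_network("192.168.100.128/26"),  # VOIP box
}

# Outgoing ports the post lists from the Ooma documentation. The incoming UDP
# range is omitted because the archived text does not preserve its bounds.
VOIP_EGRESS: Dict[str, List[int]] = {
    "udp": [53, 67, 123, 1194, 1294, 3480],
    "tcp": [53, 80, 110, 443, 1194, 1294],
}


def last_byte_stride(prefix: int) -> int:
    """Addresses per block for a /prefix inside a /24 (what the post's
    'last byte of ip address' comment tabulates): /25 -> 128, /26 -> 64, ..."""
    if not 24 <= prefix <= 32:
        raise ValueError("prefix must be between /24 and /32")
    return 2 ** (32 - prefix)


def check_subnets(subnets: Dict[str, IPv4Net], parent: IPv4Net) -> List[str]:
    """Return human-readable problems: a subnet outside the parent block, or
    two interfaces whose subnets overlap. An empty list means the layout is sound."""
    problems: List[str] = []
    items = list(subnets.items())
    for ifname, net in items:
        if not net.subnet_of(parent):
            problems.append(f"{ifname}: {net} is not inside {parent}")
    for i, (a_if, a_net) in enumerate(items):
        for b_if, b_net in items[i + 1:]:
            if a_net.overlaps(b_net):
                problems.append(f"{a_if} {a_net} overlaps {b_if} {b_net}")
    return problems


def voip_rules(ifname: str, net: IPv4Net, egress: Dict[str, List[int]],
               outside: str = "em0") -> List[str]:
    """pf.conf lines confining an untrusted VOIP box: default block on its
    interface, DNS/DHCP only to the firewall itself, the documented egress ports
    only to non-local destinations, and NAT with modulate state on the way out."""
    rules = [f"block in log on {ifname} all"]
    # The firewall itself runs dhcpd and unbound: allow DNS to its own address
    # on this interface (':0' excludes aliases) and DHCP, which is broadcast.
    rules.append(f"pass in on {ifname} inet proto {{ tcp udp }} from {net} "
                 f"to {ifname}:0 port 53")
    rules.append(f"pass in on {ifname} inet proto udp from any to any port 67")
    for proto, ports in egress.items():
        plist = " ".join(str(p) for p in sorted(set(ports)))
        # '!PARENT' keeps the box from reaching the wired/wifi subnets.
        rules.append(f"pass in on {ifname} inet proto {proto} from {net} "
                     f"to !{PARENT} port {{ {plist} }}")
    rules.append(f"pass out on {outside} inet from {net} nat-to ({outside}) modulate state")
    return rules


if __name__ == "__main__":
    for problem in check_subnets(SUBNETS, PARENT):
        print("PROBLEM:", problem)
    print("\n".join(voip_rules("em3", SUBNETS["em3"], VOIP_EGRESS)))
```

Because pf evaluates last-matching rule, the leading `block in log` on the VOIP interface is what the box falls through to for anything not in the Ooma list; the `!PARENT` destination is what stops a compromised box from probing the wired and wifi /26s, which is the post's stated goal.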

Re: Desktops and laptops status of firewall and FDE

2022-03-25 Thread Stuart Henderson
On 2022-03-25, Mikolaj Kucharski  wrote:
> On Thu, Mar 24, 2022 at 09:56:24AM +, Mikolaj Kucharski wrote:
>> Hi,
>> 
>> Do you guys have an approach, or software, to periodically monitor the status of
>> endpoint machines, laptops, desktops where the requirement is to have
>> full disk encryption and firewall enabled, and appropriately configured?
>> 
>> Machines would be OpenBSD and Linux. I guess MacOS too, but that is less
>> relevant I think.
>> 
>
> I think I have a more specific question. How would you codify the answer that
> a directory, for example "/", is on a softraid crypto device?

bioctl $(df -h / | awk '/^\/dev/ { print substr($1, 6, length($1)-6) }')
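
The one-liner above maps the mount point to a disk name (the awk strips "/dev/" and the partition letter from "/dev/sd2a") and hands it to bioctl(8), which prints the softraid discipline. For a fleet check you want the same logic as code that can be tested off-box. The following is an added example, not from the thread or from OpenBSD; the df and bioctl outputs in it are constructed samples in OpenBSD's format, and `live_fde_status` is the only part that needs a real host.

```python
# Added example (not from the thread): the bioctl/df one-liner above, turned
# into a checker that runs against captured command output and can therefore
# be unit-tested off-box. The df and bioctl outputs below are constructed
# samples in the OpenBSD format, not output from a real host.
import subprocess
from typing import Dict, Optional

# Constructed: df -h / on a laptop whose root lives on softraid volume sd2.
SAMPLE_DF = """\
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd2a      1.0G   98.0M   880M    10%    /
"""

# Constructed: bioctl sd2 for a CRYPTO volume backed by chunk sd1a.
SAMPLE_BIOCTL_CRYPTO = """\
Volume      Status               Size Device
softraid0 0 Online        500107862016 sd2     CRYPTO
              0 Online        500107862016 0:0.0   noencl <sd1a>
"""

# Constructed: a softraid volume with the same name, but a plain mirror.
SAMPLE_BIOCTL_RAID1 = """\
Volume      Status               Size Device
softraid0 0 Online        500107862016 sd2     RAID1
              0 Online        500107862016 0:0.0   noencl <sd0a>
              1 Online        500107862016 0:1.0   noencl <sd1a>
"""


def disk_of_mountpoint(df_output: str, mountpoint: str) -> Optional[str]:
    """Map a mount point to its disk name the way the awk in the one-liner does:
    '/dev/sd2a' -> 'sd2' (strip '/dev/' and the trailing partition letter)."""
    for line in df_output.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == mountpoint and fields[0].startswith("/dev/"):
            return fields[0][len("/dev/"):-1]
    return None


def is_softraid_crypto(bioctl_output: str, disk: str) -> bool:
    """True only if bioctl lists `disk` as a softraid volume whose discipline
    is CRYPTO. Chunk lines (no 'softraid' prefix) and other disciplines fail."""
    for line in bioctl_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("softraid") and fields[4] == disk:
            return fields[5] == "CRYPTO"
    return False


def fde_status(mountpoint: str, df_output: str, bioctl_output: str) -> Dict[str, object]:
    """Combine both parsers into one compliance record for a mount point."""
    disk = disk_of_mountpoint(df_output, mountpoint)
    encrypted = disk is not None and is_softraid_crypto(bioctl_output, disk)
    return {"mountpoint": mountpoint, "disk": disk, "encrypted": encrypted}


def live_fde_status(mountpoint: str = "/") -> Dict[str, object]:
    """On an OpenBSD host: run df(1) and bioctl(8) and evaluate the real output.
    bioctl exits non-zero for a disk that is not a softraid volume; its empty
    output is then reported as not encrypted."""
    df_out = subprocess.run(["df", "-h", mountpoint], capture_output=True,
                            text=True, check=True).stdout
    disk = disk_of_mountpoint(df_out, mountpoint)
    bio_out = ""
    if disk is not None:
        bio_out = subprocess.run(["bioctl", disk], capture_output=True, text=True).stdout
    return fde_status(mountpoint, df_out, bio_out)


if __name__ == "__main__":
    print(fde_status("/", SAMPLE_DF, SAMPLE_BIOCTL_CRYPTO))
```

Checking the discipline column rather than merely "bioctl succeeded" matters: a RAID1 mirror is also a softraid volume and would otherwise pass as encrypted.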




Re: Desktops and laptops status of firewall and FDE

2022-03-25 Thread Mikolaj Kucharski
On Thu, Mar 24, 2022 at 09:56:24AM +, Mikolaj Kucharski wrote:
> Hi,
> 
> Do you guys have an approach, or software, to periodically monitor the status of
> endpoint machines, laptops, desktops where the requirement is to have
> full disk encryption and firewall enabled, and appropriately configured?
> 
> Machines would be OpenBSD and Linux. I guess MacOS too, but that is less
> relevant I think.
> 

I think I have a more specific question. How would you codify the answer that
a directory, for example "/", is on a softraid crypto device?

-- 
Regards,
 Mikolaj



Desktops and laptops status of firewall and FDE

2022-03-24 Thread Mikolaj Kucharski
Hi,

Do you guys have an approach, or software, to periodically monitor the status of
endpoint machines, laptops, desktops where the requirement is to have
full disk encryption and firewall enabled, and appropriately configured?

Machines would be OpenBSD and Linux. I guess MacOS too, but that is less
relevant I think.

-- 
Regards,
 Mikolaj



Re: PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor

Dear @misc

We found the error!
This is not a PF problem.

I found this:
http://undeadly.org/cgi?action=article=20090127205841

If I modify the ipsec config from:
ike active esp from 172.20.123.0/24 to 172.20.122.0/24 \

to:
ike active esp from 172.20.123.0/24 (192.168.123.0/24) to 172.20.122.0/24 \

the PF rules work correctly.


--
Regards
Gábor Szél

email:gabor.s...@wantax.hu

On 2022. 03. 05. 23:08, Szél Gábor wrote:

Dear @misc

We have a stupid problem.
On a complex firewall (currently 1200 rows of PF rules), one PASS rule is not
working.

I do not know why.

There are many VLANs, WAN, LAN interfaces, many ipsec VPNs, CARP 
(master-backup), pfsync, etc ...


PF main rules:
# set
# ---
set block-policy drop
set loginterface $ext_wan1_if
set skip on { lo $pfsync_if }
set reassemble no
set timeout { tcp.established 600, tcp.closing 60 }
set optimization aggressive
set ruleset-optimization none
set limit { states 10, src-nodes 10, tables 10, table-entries 10 }


# scrub
# -----
match on $ext_wan1_if all scrub ( no-df max-mss 1440 random-id )

# antispoof
# ---------
antispoof quick for { $ext_wan1_if } inet

# anchors
# -------
anchor "ftp-proxy/*"

# Block(s)
# --------
block quick proto udp to port { 1985 8116 }   # neighbours HSRP & ...
block quick log on $ext_wan1_if from {   } label IPBlackList

block log inet6 all
block log all

So all interface traffic is basically forbidden (blocked).
Each kind of traffic is allowed separately.

We have one ipsec VPN where there is NAT on both sides (both
sides have 192.168.x.x subnets, so there is a subnet collision).

We want to solve a simple thing:

  * the packet comes in on the VPN tunnel to a "virtual" IP address,
    172.20.123.54 (bound to an oBSD vlan interface)
  * from this address PF redirects the packet to the destination server,
    192.168.123.54
  * the destination server makes the return packet and sends it back
  * the response packet comes in on the oBSD VLAN interface (vlan141)
  * PF NATs this packet to 172.20.123.54
  * the NATed packet returns to the source address in the VPN


rules:
    match in log on enc0 proto tcp from 172.20.122.0/24 to 172.20.123.54 port 5240 rdr-to 192.168.123.54 port 5240
    pass in log on enc0 proto tcp from 172.20.122.0/24 to 192.168.123.54

    pass out log on vlan141 from 172.20.122.0/24 to 192.168.123.54

    match in log on vlan141 from 192.168.123.54 to 172.20.122.0/24 nat-to 172.20.123.54

    pass in log on vlan141 from 172.20.123.54 to 172.20.122.0/24
    pass in log on vlan141 from 192.168.123.54 to 172.20.122.0/24   # (not needed, but ... :)


return packet tcpdump:

nat-to, okay:
Mar 05 23:01:09.418806 rule 410/(match) [uid 0, pid 32543] match in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


and PF blocks this packet:
Mar 05 23:01:09.418820 rule 9/(match) [uid 0, pid 32543] block in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


If I modify the pass rule to a match rule:
   match in log on vlan141 from 172.20.123.54

I see the match works, but the pass rule does not!

I've tried a lot of things already: without match rules, without NAT
(okay, no route, but ...), it is always blocked.


Why can't I override the block rule?
Everywhere else it goes through ...



--
Regards
Gábor Szél

email:gabor.s...@wantax.hu



PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor

Dear @misc

We have a stupid problem.
On a complex firewall (currently 1200 rows of PF rules), one PASS rule is not
working.

I do not know why.

There are many VLANs, WAN, LAN interfaces, many ipsec VPNs, CARP 
(master-backup), pfsync, etc ...


PF main rules:
# set
# ---
set block-policy drop
set loginterface $ext_wan1_if
set skip on { lo $pfsync_if }
set reassemble no
set timeout { tcp.established 600, tcp.closing 60 }
set optimization aggressive
set ruleset-optimization none
set limit { states 10, src-nodes 10, tables 10, table-entries 10 }


# scrub
# -----
match on $ext_wan1_if all scrub ( no-df max-mss 1440 random-id )

# antispoof
# ---------
antispoof quick for { $ext_wan1_if } inet

# anchors
# -------
anchor "ftp-proxy/*"

# Block(s)
# --------
block quick proto udp to port { 1985 8116 }   # neighbours HSRP & ...
block quick log on $ext_wan1_if from {   } label IPBlackList

block log inet6 all
block log all

So all interface traffic is basically forbidden (blocked).
Each kind of traffic is allowed separately.

We have one ipsec VPN where there is NAT on both sides (both sides
have 192.168.x.x subnets, so there is a subnet collision).

We want to solve a simple thing:

 * the packet comes in on the VPN tunnel to a "virtual" IP address,
   172.20.123.54 (bound to an oBSD vlan interface)
 * from this address PF redirects the packet to the destination server,
   192.168.123.54
 * the destination server makes the return packet and sends it back
 * the response packet comes in on the oBSD VLAN interface (vlan141)
 * PF NATs this packet to 172.20.123.54
 * the NATed packet returns to the source address in the VPN


rules:
    match in log on enc0 proto tcp from 172.20.122.0/24 to 172.20.123.54 port 5240 rdr-to 192.168.123.54 port 5240
    pass in log on enc0 proto tcp from 172.20.122.0/24 to 192.168.123.54
    pass out log on vlan141 from 172.20.122.0/24 to 192.168.123.54


    match in log on vlan141 from 192.168.123.54 to 172.20.122.0/24 nat-to 172.20.123.54

    pass in log on vlan141 from 172.20.123.54 to 172.20.122.0/24
    pass in log on vlan141 from 192.168.123.54 to 172.20.122.0/24   # (not needed, but ... :)


return packet tcpdump:

nat-to, okay:
Mar 05 23:01:09.418806 rule 410/(match) [uid 0, pid 32543] match in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


and PF blocks this packet:
Mar 05 23:01:09.418820 rule 9/(match) [uid 0, pid 32543] block in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


If I modify the pass rule to a match rule:
   match in log on vlan141 from 172.20.123.54

I see the match works, but the pass rule does not!

I've tried a lot of things already: without match rules, without NAT
(okay, no route, but ...), it is always blocked.


Why can't I override the block rule?
Everywhere else it goes through ...



--
Regards
Gábor Szél

email:gabor.s...@wantax.hu
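
The two tcpdump lines in the post are the evidence that settled the question: the same SYN appears first under rule 410 with the "[orig src ..., dst ...]" annotation pf adds when a match rule translated it, and microseconds later under rule 9, the catch-all block. Spotting that pairing by eye in a 1200-rule firewall's pflog is slow, so here is an added example (not from the thread or from OpenBSD) that parses tcpdump's pflog text and reports flows that were translated by one rule and then dropped by another. The log lines in it are constructed after the two in the post, trimmed to the fields the parser uses, plus one unrelated passing flow.

```python
# Added example (not from the thread): parse the text tcpdump prints for logged
# pf rules, including the "[orig src ..., dst ...]" annotation pf adds when a
# match rule translated the packet, and flag flows that were translated by one
# rule and then dropped by another. SAMPLE_LOG is constructed after the two
# lines in the post (trimmed), plus an unrelated flow that passes.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) \[uid \d+, pid \d+\] "
    r"(?P<action>match|pass|block) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?:\[orig src (?P<osrc>[\d.]+):(?P<osport>\d+), dst (?P<odst>[\d.]+):(?P<odport>\d+)\] )?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample modeled on the post: rule 410 applies nat-to, rule 9 (the
# catch-all block) drops the translated SYN; a third, unrelated flow passes.
SAMPLE_LOG = """\
Mar 05 23:01:09.418806 rule 410/(match) [uid 0, pid 32543] match in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S 966412712:966412712(0) ack 437277320 win 65160 (DF)
Mar 05 23:01:09.418820 rule 9/(match) [uid 0, pid 32543] block in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S 966412712:966412712(0) ack 437277320 win 65160 (DF)
Mar 05 23:01:10.001000 rule 57/(match) [uid 0, pid 32543] pass in on vlan141: 192.168.123.20.44100 > 172.20.122.10.22: S 1:1(0) win 65535
"""

# (ifname, direction, src, sport, dst, dport) as seen by the filter rules
Flow = Tuple[str, str, str, int, str, int]


def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one tcpdump-on-pflog line, or None when the
    line is not in the expected shape (non-TCP/UDP traffic, wrapped lines)."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec: Dict[str, object] = {
        "ts": d["ts"], "rule": int(d["rule"]), "reason": d["reason"],
        "action": d["action"], "direction": d["direction"], "ifname": d["ifname"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "translated": d["osrc"] is not None,   # pf printed pre-NAT addresses
    }
    if rec["translated"]:
        rec["orig_src"], rec["orig_sport"] = d["osrc"], int(d["osport"])
        rec["orig_dst"], rec["orig_dport"] = d["odst"], int(d["odport"])
    return rec


def flow_key(rec: Dict[str, object]) -> Flow:
    """Group log entries by the translated 5-tuple plus interface and direction."""
    return (str(rec["ifname"]), str(rec["direction"]), str(rec["src"]),
            int(rec["sport"]), str(rec["dst"]), int(rec["dport"]))  # type: ignore[call-overload]


def translated_then_blocked(log_text: str) -> List[Tuple[int, int, Flow]]:
    """Pair each 'match' entry that carried a translation with a 'block' entry
    for the same translated flow. Returns (match_rule, block_rule, flow) triples;
    an empty list means no translated packet was dropped afterwards."""
    by_flow: Dict[Flow, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None:
            by_flow[flow_key(rec)].append(rec)
    findings: List[Tuple[int, int, Flow]] = []
    for flow, recs in by_flow.items():
        matches = [r for r in recs if r["action"] == "match" and r["translated"]]
        blocks = [r for r in recs if r["action"] == "block"]
        for m in matches:
            for b in blocks:
                findings.append((int(m["rule"]), int(b["rule"]), flow))  # type: ignore[call-overload]
    return findings


if __name__ == "__main__":
    for match_rule, block_rule, flow in translated_then_blocked(SAMPLE_LOG):
        print(f"rule {match_rule} translated, rule {block_rule} blocked: {flow}")
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (or a saved `/var/log/pflog` read with `-r`) and a finding names both rule numbers, which `pfctl -vvsr` then maps back to the rules in the file; a block by the final catch-all rule, as here, says the translated packet matched no pass rule at all.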

