Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-11 Thread Stuart Henderson
On 2024-09-11, WATANABE Takeo  wrote:
> on Tue, 10 Sep 2024 20:22:40 +0200
> Mike Fischer  wrote: 
>
>> The easiest way to test whether pf(4) is interfering with your YubiKey is to 
>> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem 
>> persists then pf(4) is not the cause.
>> Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).
>
> When pf was disabled, the problem no longer occurred.
>
> I also discovered, through trial and error, that
> if I change the SSH port back to the default 22, the problem no longer
> occurs, even with pf enabled.

It doesn't make sense that either changing the port or disabling/enabling
PF would make any difference as to whether SSH accepts Fido2 authentication.

Perhaps something else is happening and it's a coincidence that it happens
at the same time as you adjust configuration? Is there anything relevant
in /var/log/authlog?

-- 
Please keep replies on the mailing list.
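Added example, not code from the thread: a small walker for the ruleset WATANABE posted (the `pfctl -sr` output further down), to make Stuart's point concrete. pf decides on interface, protocol, addresses, ports and TCP flags; nothing in a packet tells it whether the client's key is ed25519 or ed25519-sk, so the same rule passes both. It also shows that, with the rules as posted, a connection to port 22 is blocked outright, which is why the port-22 observation is puzzling. The walker handles only the syntax in that ruleset and evaluates a packet that has no existing state, as the SYN of a fresh SSH connection does.

```python
"""Walk a pf ruleset (pfctl -sr output) for one packet.

Added example, not code from the thread. Models only the syntax in the
ruleset posted to the list. Real pf consults the state table before the
ruleset; this evaluates a packet that has no state yet.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The ruleset as posted (pfctl -sr), embedded so the example runs offline.
POSTED_RULESET = """\
block drop log all
pass quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass quick on vio0 proto udp from any to any port = 53
pass quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
pass quick on vio0 proto ipv6-icmp all
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+drop)?(?:\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+\S+\s+to\s+\S+(?:\s+port\s+=\s+(?P<dport>\d+))?|\s+all)?"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)


@dataclass
class Rule:
    action: str           # "pass" or "block"
    quick: bool           # stop evaluating once this rule matches
    iface: Optional[str]  # None: any interface
    proto: Optional[str]  # None: any protocol
    dport: Optional[int]  # None: any destination port
    flags: Optional[str]  # "S/SA" style check/mask; None: not checked
    text: str


@dataclass
class Packet:
    iface: str
    proto: str
    dport: Optional[int] = None
    flags: str = ""       # TCP flag letters that are set, e.g. "S" or "SA"
    # Note what is *not* here: pf never sees the SSH key type.


def parse_ruleset(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(action=m["action"], quick=m["quick"] is not None,
                          iface=m["iface"], proto=m["proto"],
                          dport=int(m["dport"]) if m["dport"] else None,
                          flags=m["flags"], text=line))
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None:
        # "S/SA": of the flags in the mask (S, A) exactly S must be set,
        # so only an initial SYN matches; a bare ACK with no state does not.
        check, mask = rule.flags.split("/")
        if {f for f in pkt.flags if f in mask} != set(check):
            return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (verdict, rule text). The last matching rule wins unless a
    matching rule is marked quick, which ends evaluation immediately.
    pf's default when no rule matches is to pass."""
    verdict = ("pass", "<no rule matched: pf default is pass>")
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = (rule.action, rule.text)
            if rule.quick:
                break
    return verdict


if __name__ == "__main__":
    rules = parse_ruleset(POSTED_RULESET)
    for pkt in (Packet("vio0", "tcp", 1522, "S"),   # ssh on the posted port
                Packet("vio0", "tcp", 22, "S"),     # ssh on the default port
                Packet("vio0", "tcp", 1522, "A")):  # mid-stream packet, no state
        verdict, why = evaluate(rules, pkt)
        print(f"{pkt.proto}/{pkt.dport} flags={pkt.flags or '-'}: {verdict}  ({why})")
```

The third packet in the demo is the one to keep in mind when reading pflog output: once pf has been disabled and re-enabled, an SSH session that was in progress has no state any more, so its non-SYN packets hit `block drop log all` even though port 1522 is "open".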



Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-11 Thread WATANABE Takeo
on Tue, 10 Sep 2024 20:22:40 +0200
Mike Fischer  wrote: 

> The easiest way to test whether pf(4) is interfering with your YubiKey is to 
> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem 
> persists then pf(4) is not the cause.
> Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).

When pf was disabled, the problem no longer occurred.

I also discovered, through trial and error, that
if I change the SSH port back to the default 22, the problem no longer
occurs, even with pf enabled.

That is how this problem could be solved.

Peter-san and Mike-san, thank you very much for all your advice and input.

Sincerely yours,

---
WATANABE, Takeo
t...@kasaneiro.jp



Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-10 Thread Mike Fischer
The easiest way to test whether pf(4) is interfering with your YubiKey is to 
temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem persists 
then pf(4) is not the cause.
Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).

Note: Turning off pf(4) should cause no issues in your case as your rules are 
very simple and contain no NAT, forwarding or redirection. You just lose a bit 
of protection which will not matter as long as you don’t have services running 
that would otherwise be blocked by your rules.

FWIW: I don’t use YubiKey but I think it is highly unlikely that pf(4) rules 
would interfere with its function. If I understand the YubiKey functionality 
correctly it will work with ssh(1) on the client to "provide" the private 
key and ssh(1) will communicate with the server as it would normally.


HTH
Mike

> On 10.09.2024 at 18:09, WATANABE Takeo wrote:
> 
> on Tue, 10 Sep 2024 16:08:07 +0200
> "Peter N. M. Hansteen"  wrote: 
> 
>> On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
>>> I found out that I can log in with normal public key
>>> cryptography authentication (ed25519) in the same pf.conf environment,
>>> and that I can log in with ed25519-sk key authentication if I stop pf.
>>> 
>>> It occurred to me again that the pf.conf I had written might be the problem.
>> 
>> It should not matter whether PF is enabled or not, as long as the loaded 
>> rules
>> allow your SSH traffic to pass. I would suspect the cause lies elsewhere.
>> Just to make sure: Is that at the end of your message the complete ruleset,
>> loaded in the normal way (and no scriptery that set network-relevant options
>> you are not showing here)? 
> 
> I have read my past emails that I have posted and I regret that
> I did not provide enough information on many things and that
> I did not answer the questions that I received.
> 
> Therefore, I have written everything I know in this email.
> 
> 1. Filtering rules for PF (Result of pfctl -sr)
> 
> moegi# pfctl -sr
> block drop log all
> pass quick on vio0 proto tcp from any to any port = 80 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 443 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 53 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 25 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 465 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 587 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 993 flags S/SA
> pass quick on vio0 proto tcp from any to any port = 1522 flags S/SA
> pass quick on vio0 proto udp from any to any port = 53
> pass quick on vio0 proto udp from any to any port = 123
> pass quick on vio0 proto icmp all
> pass quick on vio0 proto ipv6-icmp all
> 
> * Port 1522 is the listening port for sshd.
> No scripts are used.
> 
> 2. hostname.vio0
> 
> moegi# more hostname.vio0
> inet 160.16.212.251 0xfe00
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias 2001:e42:102:1808:160:16:212:251 64
> up
> !route -nq add -inet6 default fe80::1%vio0
> 
> The server uses the service of a Japanese server provider called Sakura VPS,
> which lends one IPv4 address and 64 IPv6 addresses.
> 
> 3. The ifconfig results are sent as an attachment.
> 
> 4. I am sorry to have written this far,
>   but I also set the following sentence in sshd_config.
> 
>   PubkeyAuthOptions verify-required
> 
> 
>>> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
>> 
>> Are we safe to assume that your sshd listens on port 1522?
> 
> Yes, Yes.
> 
>> Once again, it is impossible to offer really useful input unless we have
>> the entire configuration, at least the complete pf.conf along with any
>> hostname.vio0 or at least the ifconfig output for the interface.
> 
> I think I have informed you of the points raised in these pages,
> but is there anything that I am missing or that I should look into further?
> I am not familiar with tcpdump, so I would be grateful
> if you could give me some pointers on topics that would help me to use it.
> 
> Sincerely yours,
> 
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
> 

Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-10 Thread WATANABE Takeo
on Tue, 10 Sep 2024 16:08:07 +0200
"Peter N. M. Hansteen"  wrote: 

> On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
>> I found out that I can log in with normal public key
>> cryptography authentication (ed25519) in the same pf.conf environment,
>> and that I can log in with ed25519-sk key authentication if I stop pf.
>> 
>> It occurred to me again that the pf.conf I had written might be the problem.
> 
> It should not matter whether PF is enabled or not, as long as the loaded rules
> allow your SSH traffic to pass. I would suspect the cause lies elsewhere.
> Just to make sure: Is that at the end of your message the complete ruleset,
> loaded in the normal way (and no scriptery that set network-relevant options
> you are not showing here)? 

I have read my past emails that I have posted and I regret that
I did not provide enough information on many things and that
I did not answer the questions that I received.

Therefore, I have written everything I know in this email.

1. Filtering rules for PF (Result of pfctl -sr)

moegi# pfctl -sr
block drop log all
pass quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass quick on vio0 proto udp from any to any port = 53
pass quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
pass quick on vio0 proto ipv6-icmp all

* Port 1522 is the listening port for sshd.
No scripts are used.

2. hostname.vio0

moegi# more hostname.vio0
inet 160.16.212.251 0xfe00
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:e42:102:1808:160:16:212:251 64
up
!route -nq add -inet6 default fe80::1%vio0

The server uses the service of a Japanese server provider called Sakura VPS,
which lends one IPv4 address and 64 IPv6 addresses.

3. The ifconfig results are sent as an attachment.

4. I am sorry to have written this far,
   but I also set the following sentence in sshd_config.

   PubkeyAuthOptions verify-required

 
>> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> 
> Are we safe to assume that your sshd listens on port 1522?

Yes, Yes.

> Once again, it is impossible to offer really useful input unless we have
> the entire configuration, at least the complete pf.conf along with any
> hostname.vio0 or at least the ifconfig output for the interface.

I think I have informed you of the points raised in these pages,
but is there anything that I am missing or that I should look into further?
I am not familiar with tcpdump, so I would be grateful
if you could give me some pointers on topics that would help me to use it.

Sincerely yours,

---
WATANABE, Takeo
t...@kasaneiro.jp

moegi#  ifconfig
lo0: flags=2008049 mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
vio0: 
flags=248843 
mtu 1500
lladdr 9c:a3:ba:02:0a:73
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 160.16.212.251 netmask 0xfe00 broadcast 160.16.213.255
inet6 fe80::9ea3:baff:fe02:a73%vio0 prefixlen 64 scopeid 0x1
inet6 2001:e42:102:1808:160:16:212:251 prefixlen 64
vio1: flags=8802 mtu 1500
lladdr 9c:a3:ba:03:91:13
index 2 priority 0 llprio 3
media: Ethernet autoselect
status: no carrier
vio2: flags=8802 mtu 1500
lladdr 9c:a3:ba:05:17:b3
index 3 priority 0 llprio 3
media: Ethernet autoselect
status: no carrier
enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141 mtu 33136
index 6 priority 0 llprio 3
groups: pflog
moegi#

Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-10 Thread Peter N. M. Hansteen
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
> 
> It occurred to me again that the pf.conf I had written might be the problem.

It should not matter whether PF is enabled or not, as long as the loaded rules
allow your SSH traffic to pass. I would suspect the cause lies elsewhere.
Just to make sure: Is that at the end of your message the complete ruleset,
loaded in the normal way (and no scriptery that set network-relevant options
you are not showing here)? 

As Ze Loff said, tcpdump with appropriate options at both ends while trying
to authenticate will show the real story.

> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"

Are we safe to assume that your sshd listens on port 1522?

Once again, it is impossible to offer really useful input unless we have
the entire configuration, at least the complete pf.conf along with any
hostname.vio0 or at least the ifconfig output for the interface.

All the best,
Peter 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-10 Thread Zé Loff
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> Hi. misc@ users.
> 
> I have previously consulted on the description of pf.conf.
> I have reflected on the advice I received
> at that time and can now use it normally, thank you very much.
> 
> However, we have noticed that one problem has arisen.
> I used to use ‘Yubikey(FIDO2)’ to log in via SSH,
> but now I can't log in.
> 
> Starting with OpenSSH 8.2,
> hardware authentication using U2F/FIDO2 devices is supported.
> We have been using one of these devices, the ‘Yubikey’,
> for key authentication using ed25519-sk.
> 
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
> 
> It occurred to me again that the pf.conf I had written might be the problem.
> 
> Could you please advise and discuss my pf.conf once more so that
> it is more appropriate and I can log in with ed25519-sk key authentication?
> The current pf.conf is attached.
> 
> # As there was no official OpenSSH user mailing list,
> # I posted this to misc@ If anyone knows of a suitable posting address,
> # please let us know.
> 
> Sincerely yours,
> 
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
> 

> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
> 
> set block-policy drop
> set loginterface vio0
> 
> # don't filter on loopback interface
> set skip on lo0
> 
> # set up a default deny policy
> block log all
> 
> # Allow packets
> pass quick on vio0 proto tcp to any port $tcp_services keep state
> pass quick on vio0 proto udp to any port $udp_services keep state
> 
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> pass quick on vio0 proto icmp6 to any keep state

Does the pf log ("tcpdump -eti vio0" while attempting to login) and ssh
-v (at least on the client, ideally on the server side too) give any
clues?

-- 
 



The relationship between pf and yubkey(FIDO2) (About OpenSSH)

2024-09-10 Thread WATANABE Takeo
Hi. misc@ users.

I have previously consulted on the description of pf.conf.
I have reflected on the advice I received
at that time and can now use it normally, thank you very much.

However, we have noticed that one problem has arisen.
I used to use ‘Yubikey(FIDO2)’ to log in via SSH,
but now I can't log in.

Starting with OpenSSH 8.2,
hardware authentication using U2F/FIDO2 devices is supported.
We have been using one of these devices, the ‘Yubikey’,
for key authentication using ed25519-sk.

I found out that I can log in with normal public key
cryptography authentication (ed25519) in the same pf.conf environment,
and that I can log in with ed25519-sk key authentication if I stop pf.

It occurred to me again that the pf.conf I had written might be the problem.

Could you please advise and discuss my pf.conf once more so that
it is more appropriate and I can log in with ed25519-sk key authentication?
The current pf.conf is attached.

# As there was no official OpenSSH user mailing list,
# I posted this to misc@ If anyone knows of a suitable posting address,
# please let us know.

Sincerely yours,

---
WATANABE, Takeo
t...@kasaneiro.jp

tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block log all

# Allow packets
pass quick on vio0 proto tcp to any port $tcp_services keep state
pass quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state
pass quick on vio0 proto icmp6 to any keep state


Re: pf and tap interfaces

2021-10-31 Thread tech-lists

On Sun, Oct 31, 2021 at 10:13:06AM -0600, Theo de Raadt wrote:
> you are asking a freebsd question on an openbsd mailing list.
>
> come on

You may have missed my response to Sebastian:

On Sun, Oct 31, 2021 at 03:59:40PM +, tech-lists wrote:
> [...]
>
> All I'm really asking at this stage is "is this possible". I'm asking
> that because I've looked in the pf section of the manual and have not
> found an example (yet) close enough to my enquiry.
>
> I think here it'd be better to ask firstly in an entirely OpenBSD 7.0
> context. Like, OpenBSD has vmm now, its equivalent to bhyve. If you
> wanted to allow port 22 to the host *only* but allow all traffic to the
> guest, on another IP, can it be done in OpenBSD 7.0 pf on the host?


--
J.




Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists  wrote:

> On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote:
> >tech-lists  wrote:
> >
> >> I'm asking this here because I'm trying to do this with FreeBSD but
> >> their pf has diverged a lot from OpenBSD's
> >
> >that is incorrect history.
> >
> >It is hard to see how 'absolutely minimal maintenance' can result in
> >divergence.
> 
> yep. I should have said 'OpenBSD's pf has significantly evolved since ...'
> 
> >At some point, pf's state table data structures were rewritten completely.
> >
> >You are better off adjusting your expectations.  You can be foiled by
> >differences at any point.
> 
> Yes. At this stage it's more of an "is it even possible y/n"

you are asking a freebsd question on an openbsd mailing list.

come on



Re: pf and tap interfaces

2021-10-31 Thread tech-lists

On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote:
> tech-lists  wrote:
>
>> I'm asking this here because I'm trying to do this with FreeBSD but
>> their pf has diverged a lot from OpenBSD's
>
> that is incorrect history.
>
> It is hard to see how 'absolutely minimal maintenance' can result in
> divergence.

yep. I should have said 'OpenBSD's pf has significantly evolved since ...'

> At some point, pf's state table data structures were rewritten completely.
>
> You are better off adjusting your expectations.  You can be foiled by
> differences at any point.

Yes. At this stage it's more of an "is it even possible y/n"
--
J.




Re: pf and tap interfaces

2021-10-31 Thread tech-lists

Hi,

On Sun, Oct 31, 2021 at 04:23:58PM +0100, Sebastian Benoit wrote:
> Maybe you could describe a bit more what you are trying to do.

I'm trying to protect, with pf, a freebsd host running bhyve guests. The
guests use tap interfaces. They are in the same network as the host (but
with different IPs) and the IPs are routable.
They're all web servers, accessible from the internet.

So for example I'd like to block all on the host and just allow port 22.
I don't want pf to process the tap interfaces at all, as all of the
guests run their own firewalls.

So far on freebsd with their pf, I've been unable to do this.
I was wondering if the pf on openbsd can, as it has evolved
significantly from when it was incorporated into FreeBSD.

A way around my problem may be to have openbsd as a guest in a
bhyve instance, as pci passthru is now available in that circumstance.

But first I need to find whether it is possible to allow traffic on say
tap0 but block all traffic apart from ssh on igb0 (for example).

I understand that bridge and tap are "special" interfaces, in that they
are not simply clones. And yet they are like clones, in that rules
affecting the hardware interface also seem to affect the tap interface,
from what I've so far seen.

All I'm really asking at this stage is "is this possible". I'm asking
that because I've looked in the pf section of the manual and have not
found an example (yet) close enough to my enquiry.

I think here it'd be better to ask firstly in an entirely OpenBSD 7.0
context. Like, OpenBSD has vmm now, its equivalent to bhyve. If you
wanted to allow port 22 to the host *only* but allow all traffic to the
guest, on another IP, can it be done in OpenBSD 7.0 pf on the host?

--
J.




Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists  wrote:

> I'm asking this here because I'm trying to do this with FreeBSD but
> their pf has diverged a lot from OpenBSD's

that is incorrect history.

It is hard to see how 'absolutely minimal maintenance' can result in
divergence.

At some point, pf's state table data structures were rewritten completely.

You are better off adjusting your expectations.  You can be foiled by
differences at any point.




Re: pf and tap interfaces

2021-10-31 Thread Sebastian Benoit
tech-lists(tech-li...@zyxst.net) on 2021.10.31 15:10:57 +:
> Hello misc@
> 
> Generically, can OpenBSD [7.0] apply rules to *just* the ethernet
> interface, ignoring the bridge and tap interfaces? Can it do this
> natively or is a VLAN required as well? Or something else?
> 
> I'm asking this here because I'm trying to do this with FreeBSD 
> but their pf has diverged a lot from OpenBSD's, and what I thought 
> would work does not. skip on $tap_ifs has unexpected results in that
> traffic still gets blocked on the guest.
> 
> If OpenBSD's pf does work for my use case, then a way to solving my
> issue may be to have an OpenBSD guest in the FreeBSD host managing the
> pf for the host as bhyve has pci passthru. The other way would be to put
> a firewall box in front of the freebsd host.

Maybe you could describe a bit more what you are trying to do.



pf and tap interfaces

2021-10-31 Thread tech-lists

Hello misc@

Generically, can OpenBSD [7.0] apply rules to *just* the ethernet
interface, ignoring the bridge and tap interfaces? Can it do this
natively or is a VLAN required as well? Or something else?

I'm asking this here because I'm trying to do this with FreeBSD
but their pf has diverged a lot from OpenBSD's, and what I thought
would work does not. skip on $tap_ifs has unexpected results in that
traffic still gets blocked on the guest.

If OpenBSD's pf does work for my use case, then a way to solving my
issue may be to have an OpenBSD guest in the FreeBSD host managing the
pf for the host as bhyve has pci passthru. The other way would be to put
a firewall box in front of the freebsd host.

thanks,
--
J.




Re: pf and Wireguard

2020-09-27 Thread Stuart Henderson
On 2020-09-26, Jan Betlach  wrote:
>
> Hi,
>
> I’ve setup Wireguard on my home router running -current.
> The tunnel works, I have access to my LAN resources ONLY in case pf is 
> disabled. When I enable pf, Wireguard connects, does handshakes, however 
> I cannot even ping the router nor access anything in the network.
>
> So that it seems my rules in pf are the reason. I admit I am a novice in 
> respect with pf. Therefore I’d like to ask you to help or direct me to 
> a solution.
>
> My pf rules are pretty easy, basically taken from FAQ - building a 
> router. Here they are:
>
> wan="em0"
> lan="em1"
> localnet=$lan:network
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>  172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>  192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>  203.0.113.0/24 }
> set skip on lo0
> set block-policy drop
> set loginterface egress
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for { egress $lan }
> block in quick on egress from  to any
> block return out quick on egress from any to 
> block all
> pass out quick inet keep state
> pass in on { $lan } inet keep state
> pass in proto udp from any to any port XXX keep state
> match out on egress from (wg0:network) to any nat-to (egress:0)

One thing I've noticed, you "pass out quick" so outbound traffic
"short circuits" the rest of the ruleset, then later have a second
match...nat-to which is unreached by outbound traffic. Though that
should be a noop anyway because you have the earlier "match out on
egress inet from !(egress:network)" which I think already will have
natted the relevant traffic.

Another, the only *inbound* traffic you allow is on $lan or udp to
some port; there's no rule to pass inbound (encapsulated) traffic
from the wireguard interface, only the wireguard tunnel itself.
So you probably want "pass in on wg0" or something.
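Added example, not from the thread: the two rules Stuart points at, shown as posted and as corrected, in pf.conf syntax. Everything else in Jan's ruleset stays as it is. XXX is the WireGuard listen-port placeholder from the original post, and restricting the tunnel rule to `on egress` with `to (egress)` is my tightening, not something the thread asked for.

```pf
# As posted: "pass out quick" ends evaluation for every outbound packet,
# so the trailing "match ... nat-to" is never reached, and no rule passes
# the decapsulated traffic that arrives *inside* the tunnel on wg0.
#
#   pass out quick inet keep state
#   pass in on { $lan } inet keep state
#   pass in proto udp from any to any port XXX keep state
#   match out on egress from (wg0:network) to any nat-to (egress:0)

# Corrected. NAT for wg0:network is already done by the existing line
#   match out on egress inet from !(egress:network) to any nat-to (egress:0)
# near the top of the ruleset (a wg0 address is not in egress:network),
# so the second nat-to line is dropped rather than moved.
pass out quick inet keep state
pass in on { $lan } inet keep state

# The tunnel itself: WireGuard's UDP listener on the outside interface.
pass in on egress inet proto udp to (egress) port XXX keep state

# What the peers send once the tunnel is up: this is the rule that was
# missing, and without it the router cannot even be pinged over the VPN.
pass in on wg0 inet keep state
```

After loading it, `pfctl -sr` should show the `pass in on wg0` rule, and a ping from a WireGuard peer should create a state on wg0 that `pfctl -ss` lists.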




pf and Wireguard

2020-09-26 Thread Luke Small
...

Change:

match out on egress from (wg0:network) to any nat-to (egress:0)

To:
match on egress from (wg0:network) to any nat-to (egress:0) tag "wireguard"

pass tagged "wireguard" keep state

-- 
-Luke


pf and Wireguard

2020-09-26 Thread Jan Betlach
Hi,

I’ve setup Wireguard on my home router running -current.
The tunnel works, I have access to my LAN resources ONLY in case pf is 
disabled. When I enable pf, Wireguard connects, does handshakes, however 
I cannot even ping the router nor access anything in the network.


So that it seems my rules in pf are the reason. I admit I am a novice in 
respect with pf. Therefore I’d like to ask you to help or direct me to 
a solution.


My pf rules are pretty easy, basically taken from FAQ - building a 
router. Here they are:


wan="em0"
lan="em1"
localnet=$lan:network
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }
set skip on lo0
set block-policy drop
set loginterface egress
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan }
block in quick on egress from  to any
block return out quick on egress from any to 
block all
pass out quick inet keep state
pass in on { $lan } inet keep state
pass in proto udp from any to any port XXX keep state
match out on egress from (wg0:network) to any nat-to (egress:0)

Last two lines are Wireguard related. Being a noob, I suspect the last 
NAT line may be the problem,


Thank you in advance for any comments.

Regards

Jan



Re: SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-11 Thread Patrick


> On 07.02.2019, at 14:21, Stuart Henderson  wrote:
> 
> On 2019-02-06, Patrick  wrote:
>> My nat rule use the parenthesis and all other devices behind the
>> firewall work fine. I think it’s more a specific issue with the SPA112.
>> I have also set the ruleset optimization to conservative but in this
>> case the generated state has just a longer time to live. This isn’t the
>> problem because the SPA112 sends regular keep alive packets which reset
>> the counter for the state.
> 
> Setting to 'conservative' (i.e. hanging on to states for longer) can't
> help with this.
> 
> Using parentheses won't help either, that means "do a lookup at state
> creation time", but you aren't getting a new state created because the 
> old one hasn't expired.
> 
>> 
>> Here the related rules:
>> pass out quick on egress inet from (vether0:network) nat-to (egress) 
>> modulate state
>> pass in on egress inet proto udp from  to (egress) port 5060
>> 
>> As I’m just reading again my rules. Is the modulate state the problem?
>> Or will pf use keep state for UDP packets as the default?
> 
> PF uses "keep state" by default, and "keep state" is required for NAT.
> 
> I think your main options are:
> 
> - use a *shorter* timeout for this rule (this can be set per-rule
> and overrides the default from "set optimization") and have a port
> forward rule so that incoming packets still work even when the
> state has timed out
> 
> - arrange a way to flush these states when the IP changes
> 
> The first of these is probably easiest if you can do it ..
> 
> 

Thanks for the suggestions. I tried to change the timeouts, but every time the state 
gets deleted the SIP server refuses the new connection, I think because of the 
change of source port. Maybe it would work with the static-port option. I chose 
option two and have created a cron job to reconnect my VDSL connection and 
flush the state table at 2am in the night. This moved the forced termination 
after 24 hours to the night. I remember that the old firewall had a similar 
option and probably also deleted the state table at the same time. I didn’t 
notice the disconnection of my SPA112 in the middle of the night. To recover 
quicker from a termination during the day I have set the re-register timeout to 30 
minutes and also run a script every five minutes on the firewall to check the 
current public IPv4 address against the one in the state table for the SPA112 and, 
if they do not match, delete the state.

Best Regards,
Patrick
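Added example, not code from the thread: a script in the spirit of Patrick's five-minute check, which compares the public address recorded in the state table with the current egress address and reports the NAT states that still carry the old one (Stuart's second option, "arrange a way to flush these states when the IP changes"). It parses `pfctl -ss` output. The line shape assumed here, `IF PROTO TRANSLATED_SRC:PORT (ORIG_SRC:PORT) -> DST:PORT STATE` for IPv4 nat-to states, and the sample lines are constructed, and which side of a NAT state `pfctl -k` compares against is an assumption to verify against pfctl(8) before automating the kill.

```python
"""List NAT states that still carry a stale public address.

Added example, not code from the thread. After the VDSL reconnect the
egress address changes, but an existing nat-to state keeps the old
translated source address and is refreshed by the phone's keepalives,
so it never expires and is never rebuilt. This parses `pfctl -ss` output
and picks out states whose translated source is not the current egress
address. Assumed (IPv4 only) line shape:
  IF PROTO TRANSLATED_SRC:PORT (ORIG_SRC:PORT) -> DST:PORT   STATE
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `pfctl -ss` output: two states NATed to an old
# public address, one to the current one, and one non-NAT LAN state.
SAMPLE_PFCTL_SS = """\
all udp 203.0.113.10:61234 (192.168.1.50:5060) -> 198.51.100.5:5060       MULTIPLE:MULTIPLE
all udp 203.0.113.10:40123 (192.168.1.20:51820) -> 198.51.100.9:123       MULTIPLE:SINGLE
all tcp 203.0.113.44:55210 (192.168.1.30:55210) -> 198.51.100.80:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:22 <- 192.168.1.30:50100       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<xsrc>[^\s:]+):(?P<xport>\d+)\s+"
    r"\((?P<osrc>[^\s:]+):(?P<oport>\d+)\)\s+->\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)


@dataclass(frozen=True)
class NatState:
    iface: str
    proto: str
    public_ip: str     # translated source: what the SIP server sees
    public_port: int
    inside_ip: str     # original source behind the NAT (the SPA112)
    inside_port: int
    dst_ip: str
    dst_port: int
    state: str


def parse_nat_states(text: str) -> list[NatState]:
    """Keep only lines with an (orig) translation, i.e. nat-to states."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue
        states.append(NatState(m["iface"], m["proto"],
                               m["xsrc"], int(m["xport"]),
                               m["osrc"], int(m["oport"]),
                               m["dst"], int(m["dport"]),
                               m["state"]))
    return states


def stale_states(states, current_egress_ip, inside_ip=None):
    """States whose translated source is not the current egress address,
    optionally restricted to one inside host such as the SPA112."""
    return [s for s in states
            if s.public_ip != current_egress_ip
            and (inside_ip is None or s.inside_ip == inside_ip)]


def kill_commands(states):
    """pfctl(8) invocations for the stale states. `-k A -k B` kills states
    from A to B; whether pfctl matches the inside or the translated address
    of a NAT state is an assumption here: check with `pfctl -ss` afterwards."""
    return sorted({f"pfctl -k {s.inside_ip} -k {s.dst_ip}" for s in states})


if __name__ == "__main__":
    # usage: pfctl -ss | python3 stale_nat.py <current egress ip> [inside ip]
    egress = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.44"
    inside = sys.argv[2] if len(sys.argv) > 2 else None
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_SS
    for cmd in kill_commands(stale_states(parse_nat_states(text), egress, inside)):
        print(cmd)
```

The current egress address can be taken from `ifconfig egress` (or the pppoe interface) in the cron job that wraps this; restricting the check to the phone's inside address keeps it from touching unrelated long-lived states.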




Re: SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-07 Thread Stuart Henderson
On 2019-02-06, Patrick  wrote:
> My nat rule use the parenthesis and all other devices behind the
> firewall work fine. I think it’s more a specific issue with the SPA112.
> I have also set the ruleset optimization to conservative but in this
> case the generated state has just a longer time to live. This isn’t the
> problem because the SPA112 sends regular keep alive packets which reset
> the counter for the state.

Setting to 'conservative' (i.e. hanging on to states for longer) can't
help with this.

Using parentheses won't help either, that means "do a lookup at state
creation time", but you aren't getting a new state created because the 
old one hasn't expired.

>
> Here the related rules:
> pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
> pass in on egress inet proto udp from  to (egress) port 5060
>
> As I’m just reading again my rules. Is the modulate state the problem?
> Or will pf use keep state for UDP packets as the default?

PF uses "keep state" by default, and "keep state" is required for NAT.

I think your main options are:

- use a *shorter* timeout for this rule (this can be set per-rule
and overrides the default from "set optimization") and have a port
forward rule so that incoming packets still work even when the
state has timed out

- arrange a way to flush these states when the IP changes

The first of these is probably easiest if you can do it ..




Re: SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-06 Thread Patrick
 
> On 06.02.2019, at 11:15, Sebastian Reitenbach  
> wrote:
> 
> Am Mittwoch, Februar 06, 2019 10:57 CET, jum...@yahoo.de schrieb:
> 
>> Hello,
>> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP 
>> system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4 
>> firewall. The firewall is connected to a vDSL modem and performs NAT for 
>> outgoing IPv4 connections. The connection to the SIP server from the SPA112 
>> is IPv4 with NAT via UDP port 5060. The connection works and I can see the 
>> NAT in the state table. I have configured NAT-Keepalive on the SPA112 to 
>> keep the state open. After 24 hours my provider terminates my connection and 
>> after establishing a new connection the firewall has a new public IPv4 
>> address. 
>> After this change the SPA112 can no longer communicate with the SIP server 
>> because it's still using the old state with the old public IPv4 address. If 
>> I delete the state manually on the firewall to force the SPA112 to 
>> register again, it works. The SPA112 also has an automatism to re-register 
>> after 60 minutes. But without deleting the state the SPA112 will again use 
>> the old state/connection.
>> From my point of view the SPA112 should use a new connection for the 
>> re-register or at least a new connection if it detects the loss of the 
>> previous registration. But this problem didn't exist with the old Linux 
>> based firewall. I can also see a lot of other NAT entries in the state table 
>> with the old public IPv4 address. Is there a feature of pf to delete all NAT 
>> entries with the no longer existing public IPv4 on an address change? 
>> Best Regards,
>> Patrick
> 
> some lines of pf.conf would be helpful. Do you have parentheses around your 
> interface name in the nat-to rule, like nat-to ($ext_if)?
> That should update the rules when addresses change, but I don't think that 
> will touch active states.
> However, SIP and UDP might be problematic, since states are consulted first, 
> before the rules are traversed. Since UDP is stateless, PF only sees 
> sending/receiving IP and port, but with SIP the sending port might always be 
> 5060 as well, so it may match the existing state, even if the external IP 
> changed.
> 
> Sebastian
> 

Hi Sebastian,

Thanks for your quick reply.

My nat rule uses the parentheses and all other devices behind the firewall work 
fine. I think it's more a specific issue with the SPA112. I have also set the 
ruleset optimization to conservative, but in this case the generated state 
just has a longer time to live. This isn't the problem because the SPA112 sends 
regular keep alive packets which reset the counter for the state.

Here are the related rules:
pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
pass in on egress inet proto udp from  to (egress) port 5060

As I'm just reading my rules again: is the modulate state the problem? Or will 
pf use keep state for UDP packets as the default?

Best Regards,
Patrick



Re: SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-06 Thread Mihai Popescu
I think you need to show your pf rules.
Did you make your firewall aware that your ISP is changing address?



Re: SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-06 Thread Sebastian Reitenbach
Am Mittwoch, Februar 06, 2019 10:57 CET, jum...@yahoo.de schrieb:

> Hello,
> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP 
> system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4 
> firewall. The firewall is connected to a vDSL modem and performs NAT for 
> outgoing IPv4 connections. The connection to the SIP server from the SPA112 is 
> IPv4 with NAT via UDP port 5060. The connection works and I can see the NAT 
> in the state table. I have configured NAT-Keepalive on the SPA112 to keep the 
> state open. After 24 hours my provider terminates my connection, and after 
> establishing a new connection the firewall has a new public IPv4 address. 
> After this change the SPA112 can no longer communicate with the SIP server 
> because it's still using the old state with the old public IPv4 address. If I 
> delete the state manually on the firewall to force the SPA112 to register 
> again, it works. The SPA112 also has a mechanism to re-register after 60 
> minutes. But without deleting the state the SPA112 will again use the old 
> state/connection.
> From my point of view the SPA112 should use a new connection for the 
> re-register, or at least a new connection if it detects the loss of the 
> previous registration. But this problem didn't exist with the old Linux 
> based firewall. I can also see a lot of other NAT entries in the state table 
> with the old public IPv4 address. Is there a feature of pf to delete all NAT 
> entries with the no longer existing public IPv4 on an address change? 
> Best Regards, Patrick

some lines of pf.conf would be helpful. Do you have parentheses around your 
interface name in the nat-to rule, like nat-to ($ext_if)?
That should update the rules when addresses change, but I don't think that will 
touch active states.
However, SIP and UDP might be problematic, since states are consulted first, 
before the rules are traversed. Since UDP is stateless, PF only sees 
sending/receiving IP and port, but with SIP the sending port might always be 
5060 as well, so it may match the existing state, even if the external IP 
changed.

Sebastian



SPA112 VoIP with pf and NAT - States keeps open on address change

2019-02-06 Thread jummo4
Hello,
I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP 
system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4 
firewall. The firewall is connected to a vDSL modem and performs NAT for 
outgoing IPv4 connections. The connection to the SIP server from the SPA112 is 
IPv4 with NAT via UDP port 5060. The connection works and I can see the NAT in 
the state table. I have configured NAT-Keepalive on the SPA112 to keep the 
state open. After 24 hours my provider terminates my connection, and after 
establishing a new connection the firewall has a new public IPv4 address. 
After this change the SPA112 can no longer communicate with the SIP server because 
it's still using the old state with the old public IPv4 address. If I delete 
the state manually on the firewall to force the SPA112 to register again, it 
works. The SPA112 also has a mechanism to re-register after 60 minutes. But 
without deleting the state the SPA112 will again use the old state/connection.
From my point of view the SPA112 should use a new connection for the 
re-register, or at least a new connection if it detects the loss of the 
previous registration. But this problem didn't exist with the old Linux based 
firewall. I can also see a lot of other NAT entries in the state table with 
the old public IPv4 address. Is there a feature of pf to delete all NAT 
entries with the no longer existing public IPv4 on an address change? 
Best Regards, Patrick


Re: pf and max bandwidth in nested queues (bug?)

2017-11-06 Thread Marko Cupać
I've just given a spin to 6.2. And queueing in PF actually does all I
want it to do - giving child queues max bandwidth of parent queue when
parent queue is unsaturated, and throttling them down to set bandwidth
when parent queue is saturated.

Now those few years of pf queueing problems look so far away, almost
like they never happened :) Thanks to people who made it possible.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf and max bandwidth in nested queues (bug?)

2017-11-02 Thread Marko Cupać
On Wed, 1 Nov 2017 13:22:03 +
Oliver Humpage  wrote:

> Hello,
>
> I have an OpenBSD 6.2 router, set up in a test rig so there's no
> traffic apart from my tests. It has vmx interfaces. $int_if is a vlan
> on one of them.
> 
> I have an issue where if a child queue has a different “max” from a
> parent queue, the bandwidth is throttled down to much less than
> either.

Hi fellow adventurer in PF queuing :)

I'd like authoritative, correct, field-tested answers to a number of
questions related to PF queuing, but at the moment it appears there
aren't any. pf.conf(5) doesn't say much, and the PF FAQ's chapter on queuing
has been in the attic for quite some time now:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/faq/pf/Attic/queueing.html

So I guess it's you and me and maybe someone else on this list who will
have to test and get those answers from those tests.

I haven't yet gotten to do any tests on 6.2, but from my experience, the
only way for queuing to work as expected is to set all three -
declared, min and max bandwidth - on the parent and all the child queues to
the same value, where the sum of the child queues has to be less than or equal
to the parent queue. Pay attention to the fact that only new states go to
appropriate queues, so (from my experience) every ruleset change needs
flushing of states (pfctl -F states). If you have NAT in the mix it
complicates things further, and I think tagging packets inbound on
internal interface, and queueing them on external interface by tags is
the way to go.

You will get different answers from different people regarding inbound
(interface-wise) queuing - most people say it has no effect, but some
people say it puts return traffic into appropriate queues, so it
apparently does have effect. Go figure, and let me know if you do :)

If you search misc@ list for my posts, you will find quite a number of
rants regarding PF queuing. Not much useful info tho.

Now, what I'd really like to know is, if I have let's say 4Mbit uplink,
and 4x1Mbit declared queues (without min and max values), what is the
logic of borrowing bandwidth from non-saturated queues? Because I can't
for the life of me make any sense of it.

That being said, all the alternatives to OpenBSD are worse. I guess we
need to keep trying :)

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf and max bandwidth in nested queues (bug?)

2017-11-01 Thread Erik van Westen
Op 1-11-2017 om 14:22 schreef Oliver Humpage:
> Hello,
>
> I have an OpenBSD 6.2 router, set up in a test rig so there's no traffic 
> apart from my tests. It has vmx interfaces. $int_if is a vlan on one of them.
>
> I have an issue where if a child queue has a different “max” from a parent 
> queue, the bandwidth is throttled down to much less than either.
>
> I have the following simple queue tree (eventually it will be bigger, this is 
> just for testing):
>
> queue inbound on $int_if bandwidth 100M
>   queue inbound_all parent inbound bandwidth 30M max 30M
> queue inbound_std parent inbound_all bandwidth 20M max 30M default
> pass on $int_if
>
> This works, and an iperf test shunting data through the router from ext->int 
> gets around 30Mb as expected.
>
> If I change the inbound_all queue's max to a slightly higher number, this 
> shouldn’t have any effect at all - after all, the inbound_std queue is still 
> "bandwidth 20M max 30M", and neither of these numbers exceed the parent:
>
> queue inbound on $int_if bandwidth 100M
>   queue inbound_all parent inbound bandwidth 30M max 40M
>  ^^^
> queue inbound_std parent inbound_all bandwidth 20M max 30M default
> pass on $int_if
>
> However, when I do this, suddenly connections assigned to inbound_std only 
> get around 2.3Mb. 
>
> "systat q" shows all packets are going into the correct queue.
>
> As an experiment, I put a “min” level on inbound_std:
>
> queue inbound_std parent inbound_all bandwidth 20M min 10M max 30M default
>
> Then connections get that minimum bandwidth (here, iperf reported around 
> 10Mb), so it shows the queue *can* use more than 2.3Mb, but it still sticks 
> to the min rather than using all available bandwidth.
>
> This seems like a bug to me, although I’m hesitant to suggest it since I have 
> a lot of respect for the OpenBSD team. Does anyone have a suggestion as to 
> what’s happening?
>
> Thanks,
>
> Oliver.
>

I might be mistaken, but doesn't queueing only work on OUTgoing traffic
since one cannot control the rate at which traffic is delivered to you,
but one can control the rate of traffic going out of an interface?

Erik



pf and max bandwidth in nested queues (bug?)

2017-11-01 Thread Oliver Humpage
Hello,

I have an OpenBSD 6.2 router, set up in a test rig so there's no traffic apart 
from my tests. It has vmx interfaces. $int_if is a vlan on one of them.

I have an issue where if a child queue has a different “max” from a parent 
queue, the bandwidth is throttled down to much less than either.

I have the following simple queue tree (eventually it will be bigger, this is 
just for testing):

queue inbound on $int_if bandwidth 100M
  queue inbound_all parent inbound bandwidth 30M max 30M
queue inbound_std parent inbound_all bandwidth 20M max 30M default
pass on $int_if

This works, and an iperf test shunting data through the router from ext->int 
gets around 30Mb as expected.

If I change the inbound_all queue's max to a slightly higher number, this 
shouldn’t have any effect at all - after all, the inbound_std queue is still 
"bandwidth 20M max 30M", and neither of these numbers exceed the parent:

queue inbound on $int_if bandwidth 100M
  queue inbound_all parent inbound bandwidth 30M max 40M
 ^^^
queue inbound_std parent inbound_all bandwidth 20M max 30M default
pass on $int_if

However, when I do this, suddenly connections assigned to inbound_std only get 
around 2.3Mb. 

"systat q" shows all packets are going into the correct queue.

As an experiment, I put a “min” level on inbound_std:

queue inbound_std parent inbound_all bandwidth 20M min 10M max 30M default

Then connections get that minimum bandwidth (here, iperf reported around 10Mb), 
so it shows the queue *can* use more than 2.3Mb, but it still sticks to the min 
rather than using all available bandwidth.

This seems like a bug to me, although I’m hesitant to suggest it since I have a 
lot of respect for the OpenBSD team. Does anyone have a suggestion as to what’s 
happening?

Thanks,

Oliver.



Re: Topics for revised PF and networking tutorial

2017-04-11 Thread lists
Tue, 11 Apr 2017 15:31:57 -0500 "Adam Thompson" 
> > > Plus, this year it appears that Peter is co-delivering the seminar
> > > with Massimiliano Stucchi from RIPE, so it will presumably cover
> > > a lot of IPv6 topics as well, which are poorly represented in
> > > existing materials and yet increasingly relevant.
> > >
> > Tue, 11 Apr 2017 10:30:35 +1000 
> > And for those of us who cannot attend, hopefully it will be on
> > video.
> 
> I can't say with 100% certainty, but it's unlikely.  The tutorials
> are not typically recorded.

Hi Adam, bytevolcano, misc@,

This is very sad to hear, everyone loves these sessions and always asks.

If you cannot attend, if you're poor (or from an underdeveloped region),
if you're an enthusiast without company / employment sponsorship, or any
other sort of financial coverage for the expenses, you're left out in the cold.

As an example of what to expect you can see some old tutorial recordings
from the 2014 EuroBSDcon held in Sofia, Bulgaria.  These are invaluable:

https://va.ludost.net/files/eurobsdcon/2014/Pirin/01.Thursday/
https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/

And if the video recordings of BSDCan are not available, or can not have
the tutorial sessions we hope the new https://2017.eurobsdcon.org/ will.

It is the live meetings that make the conferences magical for attendees,
then video recordings are precious for the wider community, and history.

It is most certain the presenters would love to see the sessions online.
When there is a will, there is a way: all other reasons are meaningless.

Congratulations on the OpenBSD 6.1 release, just in time for April 12th,
[https://en.wikipedia.org/wiki/International_Day_of_Human_Space_Flight].

Kind regards,
Anton Lazarov

> (Among other things, AFAIK the people who do the recording are only
> present for the conference itself.)  There's also the matter of the
> tutorials not necessarily being covered by the same broadcast
> license (hmm, I wonder if Henning will consent this year?).  I don't
> have anything to do with any of those parts of the conference, so I
> can't speak to the details.
> 
> The slides and material are sometimes - not always - made available
> afterward, and that depends on the individual presenters.  Max is
> working for RIPE - which makes large amounts of their material
> available for free - and Peter historically makes his material
> available online for free, so I therefore have at least moderate
> hopes that they'll be able to find a way to sort out the copyright
> issues and get the slides put up somewhere.
> 
> -Adam



Re: Topics for revised PF and networking tutorial

2017-04-11 Thread Adam Thompson
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
> Behalf Of bytevolc...@safe-mail.net
> Sent: April 10, 2017 19:31
>
> > Plus, this year it appears that Peter is co-delivering the seminar
> > with Massimiliano Stucchi from RIPE, so it will presumably cover a lot
> > of IPv6 topics as well, which are poorly represented in existing
> > materials and yet increasingly relevant.
>
> And for those of us who cannot attend, hopefully it will be on video.

I can't say with 100% certainty, but it's unlikely.  The tutorials are not
typically recorded.  (Among other things, AFAIK the people who do the
recording are only present for the conference itself.)  There's also the
matter of the tutorials not necessarily being covered by the same broadcast
license (hmm, I wonder if Henning will consent this year?).  I don't have
anything to do with any of those parts of the conference, so I can't speak to
the details.

The slides and material are sometimes - not always - made available afterward,
and that depends on the individual presenters.  Max is working for RIPE -
which makes large amounts of their material available for free - and Peter
historically makes his material available online for free, so I therefore have
at least moderate hopes that they'll be able to find a way to sort out the
copyright issues and get the slides put up somewhere.

-Adam



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Alexander Hall
On April 11, 2017 5:54:31 AM GMT+02:00, Ingo Schwarze 
wrote:
>bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM
>+1000:
>
>> Another issue with the man pages is that there is extremely limited
>> indexing.
>
>That isn't true on OpenBSD.  It still is true on most Linux
>distributions, and even on FreeBSD by default, but at least FreeBSD
>has an option to enable OpenBSD-quality indexing.  It also isn't
>true on NetBSD, though there, it works in a completely different
>way than here (no semantic indexing, but flat full-text search).
>
>> $ apropos -i EXDEV
>> apropos: nothing appropriate
>
>  schwarze@isnote $ apropos Er=EXDEV
>  intro, errno(2) - introduction to system calls and error numbers
>  link, linkat(2) - make hard link to a file
>  rename, renameat(2) - change the name of a file

I was convinced Ingo would set things straight here. :-)

Since I suck at markup, I think it's worth mentioning using "any=EXDEV" for
the search expression, which works out fine for this case. For details, please
consult the fine manual. It's totally worth it.

/Alexander

>
>> Either I am doing something wrong here, or the indexing is junk.
>
>The former.  You failed to read manual pages.
>The apropos utility does not have a -i option,
>but it does support searching for error numbers,
>as documented in apropos(1).
>
>The indexing is NOT junk.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Ingo Schwarze
bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM +1000:

> Another issue with the man pages is that there is extremely limited
> indexing.

That isn't true on OpenBSD.  It still is true on most Linux
distributions, and even on FreeBSD by default, but at least FreeBSD
has an option to enable OpenBSD-quality indexing.  It also isn't
true on NetBSD, though there, it works in a completely different
way than here (no semantic indexing, but flat full-text search).

> $ apropos -i EXDEV
> apropos: nothing appropriate

  schwarze@isnote $ apropos Er=EXDEV
  intro, errno(2) - introduction to system calls and error numbers
  link, linkat(2) - make hard link to a file
  rename, renameat(2) - change the name of a file

> Either I am doing something wrong here, or the indexing is junk.

The former.  You failed to read manual pages.
The apropos utility does not have a -i option,
but it does support searching for error numbers,
as documented in apropos(1).

The indexing is NOT junk.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Theo de Raadt
> Another issue with the man pages is that there is extremely limited
> indexing.

They are manual pages, not manual books.

You are welcome to spend your time building an entire new subsystem
and proving the value of your work.  Go knock yourself out.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread bytevolcano
On Mon, 10 Apr 2017 17:10:55 -0500
Adam Thompson  wrote:

> You've asked almost the same question as "why does anyone need 
> tutorials? just read the man pages!" just at the next level up.  The 
> answer is because the man pages aren't adequate to cover every
> scenario, and not everyone can read man pages effectively.  People
> have different learning styles, if nothing else.  I learn best by
> seeing examples and asking questions.  (In fact, the lack of good
> examples is a pet peeve of mine with the OpenBSD man pages, but
> that's another story.)

Another issue with the man pages is that there is extremely limited
indexing. I have often had to google or find tutorials, only to find
there's this "new" device or program I never heard of.

$ apropos -i EXDEV
apropos: nothing appropriate
$ man errno | grep -i EXDEV
 18 EXDEV Cross-device link. A hard link to a file on another file system
$

Either I am doing something wrong here, or the indexing is junk.

> 
> I've attended Peter's seminar two?, maybe three? times now, and got 
> something new out of it each time - some nuance that wasn't obvious
> just from reading pf.conf(5).  Sometimes it was something Peter said, 
> sometimes it was something another attendee said.  That's the value
> of attending any training class or seminar, not just this one for PF.
> 
> The tutorial is aimed not at people who would go and produce another 
> tutorial, but at ordinary system administrators who don't have time
> to pore over the entire manpage, who want the most relevant
> information to them distilled and delivered efficiently.
> 
> Plus, this year it appears that Peter is co-delivering the seminar
> with Massimiliano Stucchi from RIPE, so it will presumably cover a
> lot of IPv6 topics as well, which are poorly represented in existing
> materials and yet increasingly relevant.

And for those of us who cannot attend, hopefully it will be on video.

> 
> Disclaimer: I now help organize (one small) part of BSDCan & PgCon,
> so I'm not *entirely* unbiased, but this is pretty much what I would
> have said the first two years I attended, anyway.
> 
> -Adam



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Jason Tubnor
On 8 April 2017 at 07:41, Mihai Popescu  wrote:

> I don't want to offend you folks, but I'm curious and I will ask: is
> this BSDCon so useful? Does it pay the efforts?
>
> If someone has time and knowledge to do a PF tutorial he/she can do it
> and post. Do you need the Con?
>
>
I'm traveling 17000km+ to go to the conference.  This is my second time.
Like other return attendees, tutors and presenters, I get a lot out of
these conferences and the networking (excuse the pun) that comes out of it.

I've been to other conferences like Cisco Live etc.; they charge way, way,
way more for the average punter and I don't get anywhere near as much out
of those flashy conferences as I get from BSDCan.  There is nothing quite
like quizzing the minds of advanced users and the developers of the tools
that we so often use in person.  Those conversations are invaluable and
something you just can't get via a mailing list.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Adam Thompson

On 2017-04-07 16:41, Mihai Popescu wrote:

I don't want to offend you folks, but I'm curious and I will ask: is
this BSDCon so useful? Does it pay the efforts?

If someone has time and knowledge to do a PF tutorial he/she can do it
and post. Do you need the Con?

I'm asking this having in my mind Google Summer of (no)Code thread from 
misc@.

Again, i'm asking, i've never been to a Con to sense the feeling.

Thanks.


I'll take a stab at this...

* BSDCan (not Con) is cheap.  Stupidly cheap, in fact: $195/person if 
you're paying your own way.
* The PF tutorial is not free - there is an additional cost ($75) to 
attend the tutorial.
* Peter clearly has the time and knowledge to do it, he has huge amounts 
of raw material on his website, including what amounts to last year's 
tutorial slides, for free - but also chooses to deliver this tutorial.  
Based on the fee, the number of attendees, and the number of presenters, 
no-one's getting rich off this.
* The tutorial is a focused, half-day session where you get to interact 
with the top PF trainer in the world, and ask the questions specific to 
your network.
* Peter keeps his tutorial up to date, unlike most if not all of the 
resources you'll find online, some of which predate the change in syntax 
from several years ago.


You've asked almost the same question as "why does anyone need 
tutorials? just read the man pages!" just at the next level up.  The 
answer is because the man pages aren't adequate to cover every scenario, 
and not everyone can read man pages effectively.  People have different 
learning styles, if nothing else.  I learn best by seeing examples and 
asking questions.  (In fact, the lack of good examples is a pet peeve of 
mine with the OpenBSD man pages, but that's another story.)


I've attended Peter's seminar two?, maybe three? times now, and got 
something new out of it each time - some nuance that wasn't obvious just 
from reading pf.conf(5).  Sometimes it was something Peter said, 
sometimes it was something another attendee said.  That's the value of 
attending any training class or seminar, not just this one for PF.


The tutorial is aimed not at people who would go and produce another 
tutorial, but at ordinary system administrators who don't have time to 
pore over the entire manpage, who want the most relevant information to 
them distilled and delivered efficiently.


Plus, this year it appears that Peter is co-delivering the seminar with 
Massimiliano Stucchi from RIPE, so it will presumably cover a lot of 
IPv6 topics as well, which are poorly represented in existing materials 
and yet increasingly relevant.


Disclaimer: I now help organize (one small) part of BSDCan & PgCon, so 
I'm not *entirely* unbiased, but this is pretty much what I would have 
said the first two years I attended, anyway.


-Adam



Re: Topics for revised PF and networking tutorial

2017-04-09 Thread Glenn Faustino
Hi All,

Here's my config I'm using on my apu2 on my home network:

[apu2@apu2.domain.local:~]$ doas cat /etc/pf.conf


doas (apu2@apu2.domain.local) password:
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# Macros
ext_if = "em0"
wifi_if0 = "athn0"
wifinet0 = "$wifi_if0:network"
tcp_out = "{www,https}"
icmp_types = "echoreq"

# Tables
table  {8.8.8.8,8.8.4.4}
table  {216.239.35.12}

# Options
set skip on lo
set loginterface $ext_if
set limit states 10

# ftp proxy rules
anchor "ftp-proxy/*"
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port ftp divert-to 127.0.0.1 port 8021

# traffic normalization
match in all scrub (no-df random-id max-mss 1440)

# queueing
queue rootq_ext on $ext_if bandwidth 9M max 9M
queue sshq on $ext_if parent rootq_ext bandwidth 1M
queue  ssh_prioq on $ext_if parent sshq bandwidth 200K min 200K
queue  ssh_bulkq on $ext_if parent sshq bandwidth 800K min 800K
queue ackq on $ext_if parent rootq_ext bandwidth 2M min 500K
queue dnsq on $ext_if parent rootq_ext bandwidth 1M min 500K
queue webq on $ext_if parent rootq_ext bandwidth 4M min 4M max 8M burst 7M for 300ms
queue defq on $ext_if parent rootq_ext bandwidth 1M min 500K default

queue rootq_wifi0 on $wifi_if0 bandwidth 100M max 100M
queue sshq on $wifi_if0 parent rootq_wifi0 bandwidth 10M
queue  ssh_prioq on $wifi_if0 parent sshq bandwidth 2M min 1M
queue  ssh_bulkq on $wifi_if0 parent sshq bandwidth 8M min 5M
queue ackq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M
queue dnsq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M
queue webq on $wifi_if0 parent rootq_wifi0 bandwidth 60M min 60M max 90M burst 90M for 300ms
queue defq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M default
# translation/NAT
match out on $ext_if inet from !$ext_if to any nat-to ($ext_if)

# packet filtering rules
block log all
pass out quick
antispoof quick for {lo $wifi_if0 $ext_if}
match inet proto tcp from any to any port ssh set queue (ssh_bulkq, ssh_prioq)
match inet proto {tcp,udp} from any to any port {domain,ntp} set queue (dnsq, ackq)
match inet proto tcp from any to any port $tcp_out set queue (webq, ackq)
match inet proto tcp from any to any port ftp set queue (webq, ackq)
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port ssh
pass in quick on !$ext_if inet proto {tcp,udp} from !$ext_if to any port domain rdr-to  port domain
pass in quick on !$ext_if inet proto {tcp,udp} from !$ext_if to any port ntp rdr-to  port ntp
#pass in quick on !$ext_if inet proto tcp from !$ext_if to any port www divert-to 127.0.0.1 port 8080 # uncomment when using relayd transparent proxy; remove 'www' from tcp_out macro...
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port $tcp_out
pass in quick on !$ext_if inet proto icmp from !$ext_if to any icmp-type $icmp_types


Regards,
Glenn




On Sat, Apr 8, 2017 at 4:10 PM, Stuart Henderson 
wrote:

> On 2017-04-05, Marko Cupać  wrote:
> > I still haven't found a way to throttle down queues to desired values
> > without using fixed min and max values.
>
> I haven't done very well with this either. I've had better luck with
> kernels built with higher HZ but haven't been really happy with it (and
> what I really want is to be able to limit bandwidth per-ip - with a
> limited amount of v4 space you can just about manage this with a lot of
> queue and assignment rules, but that's impossible for ipv6, and even
> with ipv4 makes it hard to use a decent amount of address space to
> mitigate against DHCP exhaustion attacks e.g. on public wifi).
>
> > Adding NAT to the mix
> > complicates things further. What about queueing of traffic inside GRE
> > tunnels in transport mode protected with IPSEC? Where to read about it?
>
> The queue is assigned to the PF state, based on the queue name.
> You can either do this in a "pass" rule or a "match" rule. NAT is easy
> to cope with using "match" when you take the following into account:
>
> : Translation
> :   Translation options modify either the source or destination address and
> :   port of the packets associated with a stateful connection.  pf(4)
> :   modifies the specified address and/or port in the packet and recalculates
> :   IP, TCP, and UDP checksums as necessary.
> :
> :   Subsequent rules will see packets as they look after any addresses and
> :   ports have been translated.  These rules will therefore have to filter
> :   based on the translated address and port number.
>
> So you can simply do your queue assignment with a "match..queue" rule
> before the nat-to rule,
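Stuart's two points from the quoted reply (queue assignment by a match rule placed before the nat-to rule, and identically named queues on both interfaces) as an added example ruleset; it is not from the thread, and the interface names, link speeds and LAN address are assumptions:

```pf
# Added example, not from the thread. Assumptions: em0 is the external
# interface on a 10M uplink, em1 the LAN on 100M, and the LAN is
# 192.0.2.0/24 (constructed, documentation range).
ext_if = "em0"
int_if = "em1"
lan = "192.0.2.0/24"

# "set queue" resolves the queue by name on whichever interface the packet
# leaves, so the same names exist on both interfaces and a single
# assignment covers both directions of a state. Separate "fast_in" /
# "fast_out" names are the usual source of assignment problems.
queue root_ext on $ext_if bandwidth 10M max 10M
  queue fast parent root_ext bandwidth 4M min 2M
  queue bulk parent root_ext bandwidth 6M default
queue root_int on $int_if bandwidth 100M max 100M
  queue fast parent root_int bandwidth 40M min 20M
  queue bulk parent root_int bandwidth 60M default

# Queue assignment first: rules evaluated before the nat-to rule still see
# the pre-NAT LAN source address, so matching on $lan works here.
match proto tcp from $lan to any port { 22, 5060 } set queue fast
match proto udp from $lan to any port 5060 set queue fast

# Translation after the assignment; rules below this point see the
# translated source address, as the pf.conf(5) excerpt above describes.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

block log all
pass out quick
pass in on $int_if inet from $lan to any
```

`systat queues` on the router shows whether the SSH and SIP states land in "fast" on both interfaces while bulk traffic stays in "bulk".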

Re: Topics for revised PF and networking tutorial

2017-04-08 Thread Stuart Henderson
On 2017-04-05, Marko Cupać  wrote:
> I still haven't found a way to throttle down queues to desired values
> without using fixed min and max values.

I haven't done very well with this either. I've had better luck with
kernels built with higher HZ but haven't been really happy with it (and
what I really want is to be able to limit bandwidth per-ip - with a
limited amount of v4 space you can just about manage this with a lot of
queue and assignment rules, but that's impossible for ipv6, and even
with ipv4 makes it hard to use a decent amount of address space to
mitigate against DHCP exhaustion attacks e.g. on public wifi).

> Adding NAT to the mix
> complicates things further. What about queueing of traffic inside GRE
> tunnels in transport mode protected with IPSEC? Where to read about it?

The queue is assigned to the PF state, based on the queue name.
You can either do this in a "pass" rule or a "match" rule. NAT is easy
to cope with using "match" when you take the following into account:

: Translation
:   Translation options modify either the source or destination address and
:   port of the packets associated with a stateful connection.  pf(4)
:   modifies the specified address and/or port in the packet and recalculates
:   IP, TCP, and UDP checksums as necessary.
:
:   Subsequent rules will see packets as they look after any addresses and
:   ports have been translated.  These rules will therefore have to filter
:   based on the translated address and port number.

So you can simply do your queue assignment with a "match..queue" rule
before the nat-to rule, then the queue rule will be evaluated while the
packet still has the pre-NAT address.

Also, if you're queueing in both directions (internet->local as well as
local->internet) make sure the queues on the different interfaces have
the same name, so you can just assign to e.g. "fast". I've often seen
examples where people try to use two different names depending on the
direction (e.g. "fast_in" and "fast_out") and run into problems when
they try to assign to queues.

> Optimistic me believes that devs are too busy making stuff work and
> have no time to explain it to us poor admins (by means of manpages,
> faqs or howtos). But how can I know how to use it if I can't read about
> it anywhere?

Queues never had the best documentation, I've tried improving it before
but didn't manage to write anything that really helped. I think the most
useful that I saw was in Jacek Artymiak's "building firewalls" book -
but that was for altq and not relevant to newer PF/queues.

If someone reading has a queue config that they're happy with, it would
be nice to see pf.conf snippets!

> Pessimistic me starts to notice that less and less free knowledge can be
> found around the 'net.

That's exactly the opposite of what OpenBSD is trying to do.

>If I want answers to my questions, is the
> best way to start saving money for paying OpenBSD consultants hourly
> rates for tuition?

Where the documentation leaves you with questions, I think the best
way is to look at the code, mailing list posts and commit logs and try
things out. If you can make any specific suggestions to improve docs,
that would be really helpful.
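A ruleset that follows the two points made above (queue assignment in a "match" rule placed before the nat-to rule, and identically named queues on both interfaces), as an added example that is not part of Stuart's post or of any tutorial material; the interface names, the LAN prefix and the bandwidth figures are assumptions:

```pf
# Added example, not from the thread. em0/em1, the LAN prefix and the
# bandwidth figures are assumed for illustration.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Upload direction: queues on the external interface.
queue out_root on $ext_if bandwidth 20M max 20M
queue  fast parent out_root bandwidth 5M min 2M max 20M
queue  bulk parent out_root bandwidth 15M max 20M default

# Download direction: the queues on the internal interface carry the SAME
# leaf names, so a single "queue fast" assignment is valid whichever
# interface a state's packets leave on.
queue in_root on $int_if bandwidth 100M max 100M
queue  fast parent in_root bandwidth 20M min 5M max 100M
queue  bulk parent in_root bandwidth 80M max 100M default

# 1. Classify first. Rules are evaluated in order, and this one comes
#    before nat-to, so it still matches on the untranslated 192.168.1.x
#    source. The queue name is stored in the state; reply packets are
#    queued by that name on whichever interface they leave.
match proto { tcp udp } from $lan to any port { ssh domain } queue fast

# 2. Translate. Any rule placed after this one sees the post-NAT source
#    address and could no longer match on $lan.
match out on $ext_if from $lan to any nat-to ($ext_if)

# 3. Filter. States created here inherit the queue chosen in step 1;
#    anything not classified falls into the "default" leaf.
block
pass in  on $int_if from $lan to any
pass out on $ext_if
```

"pfctl -nf /etc/pf.conf" checks the syntax, and "pfctl -s queue -v" afterwards shows per-interface queue counters, which is the quickest way to confirm that the same connection is landing in "fast" on both em0 and em1 rather than in the default leaf on one of them.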



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Philipp Buehler

Am 07.04.2017 18:38 schrieb Peter N. M. Hansteen:

On 04/07/17 18:00, I love OpenBSD wrote:

I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me 
put a CIDR into the named table based on offending IPv6 address and 
64-bit mask? I mean something similar to 'overload ' option.


Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:


Also tables can be manipulated with bgpd, so keen to see phessler's new 
talk on that in Ottawa.


ciao
--
pb



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread bytevolcano
On Fri, 7 Apr 2017 17:39:16 + (UTC)
Stuart Henderson  wrote:

> On 2017-04-06, 
>  wrote:
> > On Wed, 5 Apr 2017 22:44:54 + (UTC)
> > Stuart Henderson  wrote:
> >  
> >> On 2017-04-05, 
> >>  wrote:  
> >> > I've been using a trick to emulate scheduled rules using IP
> >> > tables.
> >> 
> >> Nice trick. Anchors are also good for this.
> >> 
> >> But don't forget that active connections won't be dropped unless
> >> you also flush the relevant states.
> >>   
> >
> > Anchors do not work with securelevel=2. This trick works in
> > securelevel=2.  
> 
> Oh, people actually use that? :)

Oh I reckon someone out there runs tetris(6) on their firewall.
I use it when I am confident the ruleset is stable. Of course, I have
to restart the gateway every time I change the rules.

> 
> > As for active connections, the goal here is to prevent new
> > connections being made after closing time. I don't want my
> > connection to close just because it is a few seconds after closing
> > time, especially when I already got in before the ports were
> > closed. It may be worth closing long-standing connections
> > eventually though.
> >
> > Maybe something like this:
> >
> > 0 18 * * *  root  /sbin/pfctl -F states
> >
> >  
> 
> If it's given as an example for something, it's definitely important
> to point out about active connections. -F states will kill the
> "wanted" states too, I use pfctl -k to knock out just the relevant
> hosts.
> 

I was wondering about that. I missed -k while scrolling through the man
page. Labeling the rules may also be helpful:


# Schedule Table
table <schedule_ip> persist

# Scheduled access to HTTP
pass in on egress proto tcp from <schedule_ip> to any port http \
    rdr-to $web_server keep state label sched_ip

# Scheduled access to SSH
pass in on egress proto tcp from <schedule_ip> to any port ssh \
    keep state label sched_ip


System crontab:

0 18 * * *  root  /sbin/pfctl -k label -k sched_ip



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Mihai Popescu
I don't want to offend you folks, but I'm curious and I will ask: is
this BSDCon so useful? Does it pay the efforts?

If someone has time and knowledge to do a PF tutorial he/she can do it
and post. Do you need the Con?

I'm asking this having in my mind Google Summer of (no)Code thread from misc@.
Again, I'm asking, I've never been to a Con to sense the feeling.

Thanks.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread mabi
Dear Peter,

May I suggest the following topic of interest:

PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course.

Regards,
M.

 Original Message 
Subject: Topics for revised PF and networking tutorial
Local Time: April 1, 2017 10:52 AM
UTC Time: April 1, 2017 8:52 AM
From: pe...@bsdly.net
To: misc@openbsd.org

Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-06,   wrote:
> On Wed, 5 Apr 2017 22:44:54 + (UTC)
> Stuart Henderson  wrote:
>
>> On 2017-04-05, 
>>  wrote:
>> > I've been using a trick to emulate scheduled rules using IP
>> > tables.  
>> 
>> Nice trick. Anchors are also good for this.
>> 
>> But don't forget that active connections won't be dropped unless you
>> also flush the relevant states.
>> 
>
> Anchors do not work with securelevel=2. This trick works in
> securelevel=2.

Oh, people actually use that? :)

> As for active connections, the goal here is to prevent new connections
> being made after closing time. I don't want my connection to close just
> because it is a few seconds after closing time, especially when I
> already got in before the ports were closed. It may be worth closing
> long-standing connections eventually though.
>
> Maybe something like this:
>
>   0 18 * * *  root  /sbin/pfctl -F states
>
>

If it's given as an example for something, it's definitely important to
point out about active connections. -F states will kill the "wanted" states
too, I use pfctl -k to knock out just the relevant hosts.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-07, I love OpenBSD  wrote:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
> mean something similar to 'overload ' option.

"overload" only adds the actual address, it doesn't have a way to mask on /64.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 18:00, I love OpenBSD wrote:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
> mean something similar to 'overload ' option.

Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:

[Fri Apr 07 18:31:40] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:31:59] peter@skapet:~$ doas pfctl -t myself -T add 2001:470:df85:dead:beef::1/64
1/1 addresses added.
[Fri Apr 07 18:32:08] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead::/64
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:32:13] peter@skapet:~$

overload rules would work similarly.

If you need to differentiate between address families, you use inet and
inet6 respectively in the criteria.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
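An overload rule of the kind mentioned above, with the table holding entries of both address families and a block rule that reads it, as an added example that is not from Peter's post; the table names, the trusted prefixes (documentation ranges) and the rate limits are assumptions:

```pf
# Added example, not from the thread. Table names, the trusted prefixes
# (documentation ranges) and the limits are assumptions.
table <trusted>    persist { 192.0.2.0/24, 2001:db8:1::/48 }
table <bruteforce> persist

# One block rule covers both families, because the table mixes them.
block in quick on egress from <bruteforce>

# New ssh connections per source are limited; a source that exceeds the
# rate is inserted into <bruteforce> and its existing states are flushed.
# overload inserts the single offending address (a v4 /32 or v6 /128),
# not a covering /64.
pass in on egress proto tcp from ! <trusted> to any port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 15/30, \
                overload <bruteforce> flush global)

# Where the two families need different limits, split the rule with the
# inet/inet6 keywords rather than keeping separate tables:
#   pass in on egress inet  proto tcp to any port ssh keep state (...)
#   pass in on egress inet6 proto tcp to any port ssh keep state (...)
#
# To widen an IPv6 entry to its /64 after the fact, re-add it with the
# prefix length; pfctl stores the masked network, as the session above
# shows (2001:470:df85:dead:beef::1/64 was stored as
# 2001:470:df85:dead::/64):
#   pfctl -t bruteforce -T add 2001:db8:2:3::9/64
# Overload entries never age out by themselves; remove old ones from
# cron, e.g. those whose counters were last cleared over a day ago:
#   pfctl -t bruteforce -T expire 86400
```

"pfctl -t bruteforce -T show" lists what the rule has collected so far, and "pfctl -t bruteforce -T delete <addr>" releases a single entry; neither needs a ruleset reload.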



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread R0me0 ***
+1 Queue Prioritization and ToS ( set prio / set tos combinations ) by
examples will be great

2017-04-07 13:00 GMT-03:00 I love OpenBSD :

> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put
> a CIDR into the named table based on offending IPv6 address and 64-bit
> mask? I mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread I love OpenBSD
I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 13:36, Markus Rosjat wrote:
> Since not everyone can attend this Conference will there be a
> recording of this session? 

At previous BSDCans, talks have generally been recorded but not
tutorials. So probably not. Slides likely will be available after the
session has concluded.

On the other hand there is a chance we will be able to offer a similar
session at EuroBSDCon too, but no decisions have been made yet.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Markus Rosjat
Since not everyone can attend this Conference will there be a 
recording of this session? I use pf not so much on a daily basis but I 
would like to get more insight too ;)


And I admit I'm more the visual guy

regards

Markus

Am 07.04.2017 um 06:25 schrieb li...@wrant.com:

Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać 

On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:


Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.


Queueing. Prioritization. Throttling.


Hi Peter, misc@,

I would second the coherent practical examples in: queues, priorities,
bandwidth caps, normalisation & reordering to have quality of service.

And all required steps to achieve an advanced fully functional feature
full typical home, office, lab, ISP, enterprise, etc setups iterative,
each time incrementally enhancing the previous set of tricks and skill
one game at a time, much more a practical hands on approach to the PF.

Including performing common tasks of monitoring, maintenance, upgrade,
conflict resolve, capturing, post processing, sanitation, enhancement.
My personal interests have always been practical application examples,
especially these extending the previous ones in a connected structure.

From the default rule set after installation, through getting Internet
working, and then fixing most common pitfalls of poor packet scheduler
practices (or lack of) in (dumb) broadband equipment.. through solving
all aspects to realisation of complete deployments, as YOU learned it.

The PF features got implemented over time, to solve real actual needs.
The typical new user begins with small common tasks up to their needs.
The full example shows a complete configuration addressing most needs.
The best tutorials give a practical approach to fulfil the real needs.

I dream of a revised PF and networking tutorial from sketch to artist.
Thank you ALL for the hard work over the years to complement OpenBSD..

Kind regards,
Anton Lazarov


I have hard time configuring these since years now. The fact (or is
it rumour?) that prio works only when physical interface bandwidth is
saturated couldn't be read in manpages, pf faq, or other 'official'
docs, I heard about it by chance:
[https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]

I still haven't found a way to throttle down queues to desired values
without using fixed min and max values. Adding NAT to the mix
complicates things further. What about queueing of traffic inside GRE
tunnels in transport mode protected with IPSEC? Where to read about it?

Optimistic me believes that devs are too busy making stuff work and
have no time to explain it to us poor admins (by means of manpages,
faqs or howtos). But how can I know how to use it if I can't read about
it anywhere?

Pessimistic me starts to notice that less and less free knowledge can be
found around the 'net. If I want answers to my questions, is the
best way to start saving money for paying OpenBSD consultants hourly
rates for tuition?

If there's any way I could help, don't hesitate to contact me.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/




--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this e-mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Craig Skinner
On Fri, 7 Apr 2017 07:25:58 +0300 li...@wrant.com wrote:
> Thank you ALL for the hard work over the years to complement OpenBSD.

Yes.



Re: Topics for revised PF and networking tutorial

2017-04-06 Thread lists
Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać 
> On Sat, 1 Apr 2017 10:52:20 +0200
> "Peter N. M. Hansteen"  wrote:
>
> > Hi,
> >
> > I thought I'd like to give you a heads up that there will be a "PF and
> > networking" tutorial at BSDCan 2017 in Ottawa this June.
> >
> > The session will however not be the Nth rerun of the old one, we're
> > starting from scratch this time, and we're looking for input on what to
> > include.
> >
> > Do you have questions on PF and related matters, or are there specific
> > topics you would like to see covered?
> >
> > We want to hear from you, either contact us directly at the reply-to
> > address or use the list.
>
> Queueing. Prioritization. Throttling.

Hi Peter, misc@,

I would second the coherent practical examples in: queues, priorities,
bandwidth caps, normalisation & reordering to have quality of service.

And all required steps to achieve an advanced fully functional feature
full typical home, office, lab, ISP, enterprise, etc setups iterative,
each time incrementally enhancing the previous set of tricks and skill
one game at a time, much more a practical hands on approach to the PF.

Including performing common tasks of monitoring, maintenance, upgrade,
conflict resolve, capturing, post processing, sanitation, enhancement.
My personal interests have always been practical application examples,
especially these extending the previous ones in a connected structure.

From the default rule set after installation, through getting Internet
working, and then fixing most common pitfalls of poor packet scheduler
practices (or lack of) in (dumb) broadband equipment.. through solving
all aspects to realisation of complete deployments, as YOU learned it.

The PF features got implemented over time, to solve real actual needs.
The typical new user begins with small common tasks up to their needs.
The full example shows a complete configuration addressing most needs.
The best tutorials give a practical approach to fulfil the real needs.

I dream of a revised PF and networking tutorial from sketch to artist.
Thank you ALL for the hard work over the years to complement OpenBSD..

Kind regards,
Anton Lazarov

> I have hard time configuring these since years now. The fact (or is
> it rumour?) that prio works only when physical interface bandwidth is
> saturated couldn't be read in manpages, pf faq, or other 'official'
> docs, I heard about it by chance:
> [https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]
>
> I still haven't found a way to throttle down queues to desired values
> without using fixed min and max values. Adding NAT to the mix
> complicates things further. What about queueing of traffic inside GRE
> tunnels in transport mode protected with IPSEC? Where to read about it?
>
> Optimistic me believes that devs are too busy making stuff work and
> have no time to explain it to us poor admins (by means of manpages,
> faqs or howtos). But how can I know how to use it if I can't read about
> it anywhere?
>
> Pessimistic me starts to notice that less and less free knowledge can be
> found around the 'net. If I want answers to my questions, is the
> best way to start saving money for paying OpenBSD consultants hourly
> rates for tuition?
>
> If there's any way I could help, don't hesitate to contact me.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Jason Tubnor
Without hijacking this thread completely, but touching on some of the
elements discussed above (and I think these are great inclusions for the
tutorial).

We have implemented a variety of queues to manage our internet links and
ikev2 VPN tunnels to remote offices.  We have also done something similar
for our public wireless like the schedule example above.

I'll be giving an overview of this and other cool stuff provided by OpenBSD
that we use during my BSDCan 2017 talk titled BSD in 60 Days.  Hope to see
you there!



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
On Wed, 5 Apr 2017 22:44:54 + (UTC)
Stuart Henderson  wrote:

> On 2017-04-05, 
>  wrote:
> > I've been using a trick to emulate scheduled rules using IP
> > tables.  
> 
> Nice trick. Anchors are also good for this.
> 
> But don't forget that active connections won't be dropped unless you
> also flush the relevant states.
> 

Anchors do not work with securelevel=2. This trick works in
securelevel=2.

As for active connections, the goal here is to prevent new connections
being made after closing time. I don't want my connection to close just
because it is a few seconds after closing time, especially when I
already got in before the ports were closed. It may be worth closing
long-standing connections eventually though.

Maybe something like this:

0 18 * * *  root  /sbin/pfctl -F states



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Stuart Henderson
On 2017-04-05,   wrote:
> I've been using a trick to emulate scheduled rules using IP tables.

Nice trick. Anchors are also good for this.

But don't forget that active connections won't be dropped unless you
also flush the relevant states.



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
I've been using a trick to emulate scheduled rules using IP tables.
It would be nice to have something like this covered.
I have even seen it in the silliest of home router firewalls.


First, create a rule with a table like so:

# Schedule Table
table <schedule_ip> persist

# Scheduled access to HTTP
pass in on egress proto tcp from <schedule_ip> to any port http \
    rdr-to $web_server keep state


Then add to crontab jobs like this:

# Top secret business server opens from 9AM-4PM during weekdays, and 2PM-4PM weekends.
0 9  * * 1-5  root  /sbin/pfctl -T add -t schedule_ip 0.0.0.0/0  # open (Mon - Fri)
0 14 * * 6-7  root  /sbin/pfctl -T add -t schedule_ip 0.0.0.0/0  # open (Sat + Sun)
0 16 * * *    root  /sbin/pfctl -T del -t schedule_ip 0.0.0.0/0  # close (everyday)

Very useful technique, and I also think this works under securelevel=2 (correct 
me if I am wrong, I haven't tried myself).
The 0.0.0.0/0 range is a very useful tool in many cases. 


On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:

> Hi,
> 
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
> 
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
> 
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
> 
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.
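The scheduled-table trick above, combined with the two refinements that came up in the replies earlier on this page (labelling the rules so that "pfctl -k label" can end only their states at closing time, and covering IPv6 as well as IPv4), as an added example that is not bytevolcano's configuration; the server address (a TEST-NET-1 address) and the opening hours are assumptions:

```pf
# Added example; not the configuration posted in the thread. The server
# address and the opening hours are assumptions.
web_server = "192.0.2.10"

# Empty at load time ("persist" keeps the table in the kernel even when no
# rule refers to it), so access stays closed until cron opens it.
table <schedule_ip> persist

# Both rules carry one label, so the states they create can be killed as
# a group without touching any other state on the firewall.
pass in on egress inet proto tcp from <schedule_ip> to any port http \
    rdr-to $web_server label "sched_ip"
pass in on egress proto tcp from <schedule_ip> to any port ssh \
    label "sched_ip"

# /etc/crontab entries (system crontab, hence the user column):
#
#   0 9  * * 1-5  root  /sbin/pfctl -q -t schedule_ip -T add 0.0.0.0/0 ::/0
#   0 14 * * 6-7  root  /sbin/pfctl -q -t schedule_ip -T add 0.0.0.0/0 ::/0
#   0 16 * * *    root  /sbin/pfctl -q -t schedule_ip -T flush
#   0 16 * * *    root  /sbin/pfctl -q -k label -k sched_ip
#
# 0.0.0.0/0 matches IPv4 only, so ::/0 is added next to it for the ssh
# rule (the http rule is limited to inet because rdr-to points at an IPv4
# address). Flushing the table closes the gate for NEW connections only;
# the "-k label" line ends the connections already established under
# these two rules and leaves every other state alone. Drop that line if,
# as in the thread, sessions that got in before closing time may stay.
```

After the 16:00 jobs, "pfctl -t schedule_ip -T show" should print nothing and "pfctl -ss | grep -c sched_ip" should be 0; "pfctl -sr -v" shows the per-label counters, which is a cheap way to verify that the rules were actually hit during opening hours.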



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Sterling Archer
On Sat, Apr 1, 2017 at 10:52 AM, Peter N. M. Hansteen 
wrote:

> Hi,
>
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
>
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
>
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
>
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
Seconding (thirding?) ipv6. Relayd would be nice too, maybe in the section
about pf anchors.



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Marko Cupać
On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:

> Hi,
>
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
>
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
>
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
>
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.

Queueing. Prioritization. Throttling.

I have hard time configuring these since years now. The fact (or is
it rumour?) that prio works only when physical interface bandwidth is
saturated couldn't be read in manpages, pf faq, or other 'official'
docs, I heard about it by chance:
[https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]

I still haven't found a way to throttle down queues to desired values
without using fixed min and max values. Adding NAT to the mix
complicates things further. What about queueing of traffic inside GRE
tunnels in transport mode protected with IPSEC? Where to read about it?

Optimistic me believes that devs are too busy making stuff work and
have no time to explain it to us poor admins (by means of manpages,
faqs or howtos). But how can I know how to use it if I can't read about
it anywhere?

Pessimistic me starts to notice that less and less free knowledge can be
found around the 'net. If I want answers to my questions, is the
best way to start saving money for paying OpenBSD consultants hourly
rates for tuition?

If there's any way I could help, don't hesitate to contact me.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Mike Coddington
On Sat, Apr 01, 2017 at 10:52:20AM +0200, Peter N. M. Hansteen wrote:
> Hi,
> 
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
> 
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
> 
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?

I've been setting up a home firewall using pf and I'd love to see some
more information on IPv6. Most of my problems have been due to me not
knowing all that much about IPv6, rather than pf problems, but I'm sure
there are a good number of people in the same predicament I'm in.

-- 
To find a friend one must close one eye; to keep him -- two.
-- Norman Douglas



Re: Topics for revised PF and networking tutorial

2017-04-03 Thread Simen Stavdal
Anycast with ospf and ipv6 could be a fun tutorial...

/S

On 2 Apr 2017 22:27, "Luke Small"  wrote:

> It might be a fun idea to share what a really locked down desktop system
> pf.conf would look like if you are running a chain of DNS services (or
> something that would be good to tightly control) like local ntpd, unbound,
> and dnscrypt_proxy where you have local traffic locked down as well so that
> an aberrant process or even root cannot connect to the local ports and
> services eg.
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 53 user
> {peter, _ntpd}
>
> block out log quick on lo0 proto {tcp, udp} from self to any port 53
>
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 53 user
> _unbound
>
> block in log quick on lo0 proto {tcp, udp} from any to self port 53
>
>
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 40 user
> _unbound
>
> block out log quick on lo0 proto {tcp, udp} from self to any port 40
>
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 40 user
> _dnscrypt_proxy
>
> block in log quick on lo0 proto {tcp, udp} from any to self port 40
>
>
> pass out quick on egress proto {tcp, udp} from self to any port 53  user
> _dnscrypt_proxy
>
> block out log quick on egress proto {tcp, udp} from self to any port 53
>
> Maybe there is a similar case that can be made, possibly with a reverse
> http proxy setup that would make more sense for security in the case that a
> vulnerability is discovered.



Re: Topics for revised PF and networking tutorial

2017-04-02 Thread Luke Small
It might be a fun idea to share what a really locked down desktop system
pf.conf would look like if you are running a chain of DNS services (or
something that would be good to tightly control) like local ntpd, unbound,
and dnscrypt_proxy where you have local traffic locked down as well so that
an aberrant process or even root cannot connect to the local ports and
services eg.

pass out quick on lo0 proto {tcp, udp} from self to any port 53 user
{peter, _ntpd}

block out log quick on lo0 proto {tcp, udp} from self to any port 53


pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound

block in log quick on lo0 proto {tcp, udp} from any to self port 53



pass out quick on lo0 proto {tcp, udp} from self to any port 40 user
_unbound

block out log quick on lo0 proto {tcp, udp} from self to any port 40


pass in quick on lo0 proto {tcp, udp} from any to self port 40 user
_dnscrypt_proxy

block in log quick on lo0 proto {tcp, udp} from any to self port 40


pass out quick on egress proto {tcp, udp} from self to any port 53  user
_dnscrypt_proxy

block out log quick on egress proto {tcp, udp} from self to any port 53

Maybe there is a similar case that can be made, possibly with a reverse
http proxy setup that would make more sense for security in the case that a
vulnerability is discovered.



Topics for revised PF and networking tutorial

2017-04-01 Thread Peter N. M. Hansteen
Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: howto use route-to with pf and carp

2016-08-14 Thread Philipp Buehler

Am 14.08.2016 07:06 schrieb niya levi:
if yes can someone show me an example of how the route-to rule would be 
written,


if no what would be the best way to go about this.


Easier is to put an ip-address on the parent (carpdev) that can be 
reached from the ntp, mailserver, ..preferable w/o routing via the carp master.

HTH,
--
pb



howto use route-to with pf and carp

2016-08-13 Thread niya levi

hi

i have two firewalls running pf and carp,

i have apcupsd and ntp running on the firewalls,

both connect to apcupsd and ntp servers on my lan ,

the firewalls also send mail to my internal mail server at regular 
intervals,


the firewall when in slave mode loses all connectivity through the carp 
interface,


should i use a route-to rule to send it via the lan interface ?

if yes can someone show me an example of how the route-to rule would be 
written,


if no what would be the best way to go about this.

thanks

shadrock



Re: PF and interface changing IP

2016-05-12 Thread Philipp Buehler

Am 12.05.2016 11:52 schrieb Gabriele Tozzi:

I did not know about the "new" parentheses feature.


It was brand-new with the 3.2 release :-)

--
pb



Re: PF and interface changing IP

2016-05-12 Thread Gabriele Tozzi

Thank you for all your answers.

I did not know about the "new" parentheses feature.
Solved :)

Gabriele Tozzi

--
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF



Re: PF and interface changing IP

2016-05-12 Thread Mark Carroll
On 12 May 2016, Gabriele Tozzi wrote:
(snip)
> Then I have setup PF to allow incoming ssh traffic. Here is my rule:
>
> pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state
>
>
> The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
> /etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
> it is not working as expected: it looks like the interface can change
> its IP without being restarted, so PF never gets reloaded and keeps
> using the old IP.
(snip)

Does it start to work okay if you put the pppoe0 in parentheses?
http://www.openbsd.org/faq/pf/filter.html has,

] The name of a network interface or group in parentheses ( ). This
] tells PF to update the rule if the IP address(es) on the named
] interface change. 

-- Mark



Re: PF and interface changing IP

2016-05-12 Thread Uwe Werler
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state

Sent from my Samsung device.

-------- Original message --------
From: Gabriele Tozzi
Date: 12.05.2016 09:45 (GMT+01:00)
To: misc@openbsd.org
Subject: PF and interface changing IP



Re: PF and interface changing IP

2016-05-12 Thread Mihai Popescu
From the pf.conf man page:

"Surrounding the interface name (and optional modifiers) in
parentheses changes this behaviour. When the interface name is
surrounded by parentheses, the rule is automatically updated whenever
the interface changes its address. The ruleset does not need to be
reloaded. This is especially useful with NAT."

Read it all, a few times and whenever necessary.



Re: PF and interface changing IP

2016-05-12 Thread Jiri B
On Thu, May 12, 2016 at 09:36:35AM +0200, Gabriele Tozzi wrote:
> Hi there,
> 
> I have a pppoe0 interface setup like this (hostname.pppoe0):
> 
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev re0 \
> authproto pap \
> authname 'myuser' \
> authkey 'mypass' up
> dest 0.0.0.1
> !/sbin/route add default 0.0.0.1
> !/sbin/pfctl -f /etc/pf.conf
> !/etc/rc.d/isc_named restart
> !/etc/rc.d/aiccu restart
> 
> 
> Then I have set up PF to allow incoming ssh traffic. Here is my rule:
> 
> pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state
> 
> 
> The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
> /etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
> it is not working as expected: it looks like the interface can change
> its IP without being restarted, so PF never gets reloaded and keeps
> using the old IP.
> 
> I am now thinking of placing a cron job that just reloads PF once in a
> while. Is there a cleaner way to reload PF when the IP changes? Or maybe
> even a better way to write the rule so that it auto-updates without the
> need to reload PF at all?

You can use interface groups, 'egress' or 'ppp'? You can also hack
your setup to label a router and use 'route '.

j.



PF and interface changing IP

2016-05-12 Thread Gabriele Tozzi
Hi there,

I have a pppoe0 interface setup like this (hostname.pppoe0):

inet 0.0.0.0 255.255.255.255 NONE \
pppoedev re0 \
authproto pap \
authname 'myuser' \
authkey 'mypass' up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1
!/sbin/pfctl -f /etc/pf.conf
!/etc/rc.d/isc_named restart
!/etc/rc.d/aiccu restart


Then I have set up PF to allow incoming ssh traffic. Here is my rule:

pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state


The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
/etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
it is not working as expected: it looks like the interface can change
its IP without being restarted, so PF never gets reloaded and keeps
using the old IP.

I am now thinking of placing a cron job that just reloads PF once in a
while. Is there a cleaner way to reload PF when the IP changes? Or maybe
even a better way to write the rule so that it auto-updates without the
need to reload PF at all?

Thank you

Gabriele Tozzi

-- 
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF



Re: pf and filter for stp

2016-04-27 Thread Stuart Henderson
On 2016-04-26, steve kolars  wrote:
> I have been working on getting rid of stp on my network (not really
> interested in a diatribe on the pros and cons of stp). I have searched for
> information on doing this in pf. So far my searches have come up dry.
> Wondering if anyone on the list can assist.

PF filters IP packets, STP is sent as ethernet BPDUs, not a layer that
PF can do much with. Normally this is something you would need to filter
on switches (e.g. procurve's bpdu-filter). If you're bridging on OpenBSD
then maybe blocknonip will help but that doesn't really seem to fit
with "getting rid of..on my network".



pf and filter for stp

2016-04-26 Thread steve kolars
I have been working on getting rid of stp on my network (not really
interested in a diatribe on the pros and cons of stp). I have searched for
information on doing this in pf. So far my searches have come up dry.
Wondering if anyone on the list can assist.

Thanks in advance.



BGP, PF and CARP together

2014-12-15 Thread Adam Thompson
I'm trying to do something somewhat similar to what Loïc Blot was attempting,
as described in
http://openbsd.7691.n7.nabble.com/PF-sync-doesn-t-not-work-very-well-tc230786.html#none
but have the additional complication that I *do* need to do NAT for one
subnet on the BGP routers, and I am using a mix of both CARP and
dual-sessions depending on the BGP peer.


I'm pushing up to ~1gbps through this pair of routers; each is more than
capable of that much traffic on its own (in fact, they are right now).

So far, I'm not doing NAT on these routers, and my pf rulesets on both
consist of "pass".  I am not using pfsync, as there's no point (no
rules).  Current topology is shown at
http://r1.customhosting.ca/BGP-plus-NAT.png.

I now need to do NAT for one subnet and set up some actual pf rules.

Should I configure pfsync?  Should I just use sloppy state?

(Admittedly, I know very little about running pf in this situation.
Cluebats welcome.)


--
-Adam Thompson
 athom...@athompso.net



Need help debugging PF and issues with window scaling (I think)

2014-08-17 Thread viq
Network layout: (ISP)->[cable modem]->[OpenBSD]->(rest of my network)
Recently ISP changed cable modem, and since then I noticed strange
issues. Simplest repeatable test: rsync -avP
rsync://ftp2.eu.openbsd.org/OpenBSD/snapshots/i386 /tmp/
Now here comes the strange part: on the OpenBSD box acting as my
router this stalls after a while. Same on a FreeBSD box behind it. But
it works without any issue on a linux box behind the same OpenBSD
machine.

With pfctl -x info I see the following when rsync from the FreeBSD box stalls:
Aug 17 15:01:43 keibi /bsd: pf: BAD state: TCP out wire: (0) 137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 modulator=0 wscale=6] [lo=2515060045 high=2515125709 win=980 modulator=0 wscale=5] 4:4 @8 A seq=2515168085 (2515168085) ack=3971834393 len=1460 ackskew=0 pkts=21851:43626 dir=in,rev
Aug 17 15:01:43 keibi /bsd: pf: State failure on: 1   |
Aug 17 15:01:44 keibi /bsd: pf: BAD state: TCP out wire: (0) 137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 modulator=0 wscale=6] [lo=2515061505 high=2515127169 win=980 modulator=0 wscale=5] 4:4 @8 A seq=2515169545 (2515169545) ack=3971834393 len=1460 ackskew=0 pkts=21852:43627 dir=in,rev
Aug 17 15:01:44 keibi /bsd: pf: State failure on: 1   |

When the OpenBSD box stalls I get:
Aug 17 15:09:52 keibi /bsd: pf: BAD state: TCP out wire: (0) 77.238.36.56:873 172.30.205.2:65533 stack: (0) 77.238.36.56:873 172.30.205.2:39510 [lo=2445871828 high=2445903316 win=2048 modulator=0 wscale=3] [lo=2724110043 high=2724126427 win=123 modulator=0 wscale=8] 4:4 @8 A seq=2724130483 (2724130483) ack=2445871828 len=1460 ackskew=0 pkts=1381:2048 dir=in,rev
Aug 17 15:09:52 keibi /bsd: pf: State failure on: 1   |
Aug 17 15:09:52 keibi /bsd: pf: BAD state: TCP out wire: (0) 77.238.36.56:873 172.30.205.2:65533 stack: (0) 77.238.36.56:873 172.30.205.2:39510 [lo=2445871828 high=2445903316 win=2048 modulator=0 wscale=3] [lo=2724110043 high=2724126427 win=123 modulator=0 wscale=8] 4:4 @8 A seq=2724131943 (2724131943) ack=2445871828 len=1460 ackskew=0 pkts=1381:2048 dir=in,rev
Aug 17 15:09:52 keibi /bsd: pf: State failure on: 1   |

More info on configuration:
$ grep -v ^# /etc/sysctl.conf
net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of IPv4 packets
machdep.apmhalt=1           # 1=powerdown hack, try if halt -p doesn't work
machdep.kbdreset=1          # permit console CTRL-ALT-DEL to do a nice halt

kern.version=OpenBSD 5.6 (GENERIC.MP) #278: Wed Jul 30 11:51:47 MDT 2014
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

pf.conf:
ext_if="xl0"
int_if="rl0"
tamotsu="192.168.13.13"
phone="192.168.13.xx"
table  persist
table  persist
set skip on lo
block drop in quick from 
block drop in quick from 
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
match out log on $ext_if from !$phone nat-to ($ext_if)
match out log on $ext_if inet proto { tcp, udp} from $phone to any \
nat-to ($ext_if) static-port
block return    # block stateless traffic
pass out log
pass in log on $int_if
table  persist
table  persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp \
rdr-to 127.0.0.1 port spamd
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp
pass in log on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
(max-src-conn-rate 4/30, overload  flush global)
pass in log on $ext_if proto tcp from any to ($ext_if) port { 5222,
5223, 5269 } keep state
pass in log on $ext_if proto { tcp, udp } from any to ($ext_if) port 5000:5100 \
rdr-to $phone port 5000:*
pass in log on $ext_if proto tcp from any to ($ext_if) port imaps keep state
pass in log on $ext_if proto tcp from any to ($ext_if) port 53589
block return in on ! lo0 proto tcp to port 6000:6010

Any ideas what's going on here, and what to do about it?
-- 
viq
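The "BAD state" records above can be re-checked by hand. The following Python is an added example (not from the thread) that parses the two quoted kernel messages and recomputes the first of pf's TCP sequence checks, the one flagged by "State failure on: 1". It assumes, from my reading of OpenBSD's pf(4) source rather than anything stated in the mail, that the first [...] bracket is the side that created the state and the second the other side, that `lo` is the highest sequence pf saw that side send and `high` the bound derived from the other side's advertised window, and that a packet travelling against the state's direction was sent by the second side.

```python
"""Re-check pf(4) "BAD state" log records from the rsync stall above.

Added example, not from the thread.  Parses the quoted kernel messages and
recomputes pf's check 1: does the segment end (seq + len) still lie at or
below the sender's tracked upper bound ('high')?  Bracket order and the
meaning of lo/high are assumptions taken from reading pf.c, not from the mail.
"""
import re

# The two records quoted in the mail, re-joined onto single lines
# (mail wrapping removed); values are exactly the ones from the thread.
LOG_LINES = [
    "Aug 17 15:01:43 keibi /bsd: pf: BAD state: TCP out wire: (0) "
    "137.208.8.135:873 172.30.205.2:63278 stack: (0) 137.208.8.135:873 "
    "192.168.13.13:46460 [lo=3971834393 high=3971865753 win=1026 "
    "modulator=0 wscale=6] [lo=2515060045 high=2515125709 win=980 "
    "modulator=0 wscale=5] 4:4 @8 A seq=2515168085 (2515168085) "
    "ack=3971834393 len=1460 ackskew=0 pkts=21851:43626 dir=in,rev",
    "Aug 17 15:09:52 keibi /bsd: pf: BAD state: TCP out wire: (0) "
    "77.238.36.56:873 172.30.205.2:65533 stack: (0) 77.238.36.56:873 "
    "172.30.205.2:39510 [lo=2445871828 high=2445903316 win=2048 modulator=0 "
    "wscale=3] [lo=2724110043 high=2724126427 win=123 modulator=0 wscale=8] "
    "4:4 @8 A seq=2724130483 (2724130483) ack=2445871828 len=1460 "
    "ackskew=0 pkts=1381:2048 dir=in,rev",
]

STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<sdir>in|out) wire: \(\d+\) (?P<w0>\S+) (?P<w1>\S+) "
    r"stack: \(\d+\) (?P<s0>\S+) (?P<s1>\S+)")
PEER_RE = re.compile(
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]")
PKT_RE = re.compile(
    r"seq=(?P<seq>\d+) \((?P<orig>\d+)\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<skew>-?\d+) pkts=\d+:\d+ dir=(?P<pdir>in|out),")

MOD32 = 1 << 32


def seq_diff(a, b):
    """Signed difference a - b in 32-bit sequence space (pf's SEQ_* view)."""
    d = (a - b) % MOD32
    return d - MOD32 if d >= MOD32 // 2 else d


def parse_bad_state(line):
    """Split one 'pf: BAD state: TCP ...' record into its fields."""
    m, peers, p = STATE_RE.search(line), PEER_RE.findall(line), PKT_RE.search(line)
    if not (m and len(peers) == 2 and p):
        raise ValueError("not a complete pf BAD state record")
    keys = ("lo", "high", "win", "modulator", "wscale")
    src, dst = (dict(zip(keys, map(int, t))) for t in peers)
    return {
        "state_dir": m["sdir"], "wire": (m["w0"], m["w1"]), "stack": (m["s0"], m["s1"]),
        "src": src, "dst": dst,      # assumed: state creator first, then the other side
        "seq": int(p["seq"]), "ack": int(p["ack"]), "len": int(p["len"]),
        "ackskew": int(p["skew"]), "pkt_dir": p["pdir"],
    }


def check_window(rec):
    """Recompute pf's check 1 ('State failure on: 1'): end <= sender.high?"""
    # Assumed: a packet going the same way as the state came from the creator
    # (src); one going the other way came from the other side (dst).
    same_way = rec["pkt_dir"] == rec["state_dir"]
    sender = rec["src"] if same_way else rec["dst"]
    receiver = rec["dst"] if same_way else rec["src"]
    end = (rec["seq"] + rec["len"]) % MOD32
    overshoot = seq_diff(end, sender["high"])   # > 0 means check 1 fails
    gap_past_lo = seq_diff(end, sender["lo"])   # bytes past pf's tracked max-sent
    # Assumed: 'high' is derived from the receiver's advertised window scaled
    # by the receiver's own window-scale option.
    tracked_window = receiver["win"] << receiver["wscale"]
    fits_at = receiver["wscale"]
    while (receiver["win"] << fits_at) < gap_past_lo and fits_at < 14:
        fits_at += 1
    return {
        "end": end, "overshoot": overshoot, "failed": overshoot > 0,
        "gap_past_lo": gap_past_lo, "tracked_window": tracked_window,
        "receiver_wscale": receiver["wscale"],
        # Smallest window scale under which the receiver's logged window would
        # have covered this segment (a hint to investigate, not a diagnosis).
        "min_wscale_to_fit": fits_at,
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_bad_state(line)
        r = check_window(rec)
        print(f"{rec['stack'][0]} -> {rec['stack'][1]}: end={r['end']} "
              f"overshoot={r['overshoot']} (check 1 {'FAILS' if r['failed'] else 'ok'}) "
              f"window={r['tracked_window']} gap_past_lo={r['gap_past_lo']} "
              f"wscale logged={r['receiver_wscale']} fits at>={r['min_wscale_to_fit']}")
```

For both records the segment ends past `high`, and the receiver's logged window would only have covered it at one window-scale step higher, which is the kind of number to check against the window-scaling hypothesis in the subject line.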



Re: pf and nat

2014-04-17 Thread Giancarlo Razzolini
On 17-04-2014 15:08, Henning Brauer wrote:
> * Giancarlo Razzolini  [2014-03-24 15:46]:
>> First of all, I hardly see why you want or need to use if-bound, since
>> it most likely hurts pf performance.
> it doesn't.
>
> however, if-bound is stupid except very few cases, i. e. on encX.
>
>> Secondly, the proper way of doing nat, is using match rules, not pass. 
> sez who?
> nat-to on pass rules is perfectly fine.
> using a match rule is just more practical in most scenarios.
>
Yes Henning, you're right. I replied this in another mail; I believe you
didn't get it. I prefer match because of the flexibility you get. Also,
I do work on firewalls with 2, 3 and sometimes 4 different internet
connections that dynamically switch between them upon availability.
Using match is much easier in these cases, because you can have one
anchor and just change the pass ... route-to rules.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: pf and nat

2014-04-17 Thread Henning Brauer
* Giancarlo Razzolini  [2014-03-24 15:46]:
> First of all, I hardly see why you want or need to use if-bound, since
> it most likely hurts pf performance.

it doesn't.

however, if-bound is stupid except very few cases, i. e. on encX.

> Secondly, the proper way of doing nat, is using match rules, not pass. 

sez who?
nat-to on pass rules is perfectly fine.
using a match rule is just more practical in most scenarios.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: pf and nat

2014-03-25 Thread Giancarlo Razzolini
On 24-03-2014 19:28, Alexander Hall wrote:
> On 03/24/14 15:44, Giancarlo Razzolini wrote:
>
>> Secondly, the proper way of doing  nat, is using match rules, not pass.
>
> Why would you say that? 'pass ... nat-to ...' makes perfect sense to
> me. Using "match" was an easy transition from the old nat rules, but
> being "*the* proper way", no way.
>
> /Alexander
Yes, you are right. You can condense everything in one rule. But I
prefer using match, because I can decouple the nat part from the filter
part. I can have a broader match rule that allows nat for the entire
network and all the protocols and ports, and I can filter individual
things with pass rules. One of the things that I love the most about
unix is that there are many ways to do things, and you can do things the
way you like better. Sorry if I was too strong in my opinion.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: pf and nat

2014-03-24 Thread Theo de Raadt
> > Secondly, the proper way of doing  nat, is using match rules, not pass.
> 
> Why would you say that? 'pass ... nat-to ...' makes perfect sense to me. 
> Using "match" was an easy transition from the old nat rules, but being 
> "*the* proper way", no way.

I also believe that one-way-ism is a disease.  I don't need to prove
the concept.  Things change.  One-way-ists often succumb.



Re: pf and nat

2014-03-24 Thread Alexander Hall

On 03/24/14 15:44, Giancarlo Razzolini wrote:

> Secondly, the proper way of doing  nat, is using match rules, not pass.


Why would you say that? 'pass ... nat-to ...' makes perfect sense to me. 
Using "match" was an easy transition from the old nat rules, but being 
"*the* proper way", no way.


/Alexander



Re: pf and nat

2014-03-24 Thread Giancarlo Razzolini
Em 18-03-2014 15:19, Friedrich Locke escreveu:
> Hi folks,
>
> I am studying pf and a doubt arose!
>
> Since my state policy is if-bound (set state-policy if-bound) I need two
> rules for each traffic I want to pass. Is that understanding right?
>
> For instance, for nat I could:
>
> pass out on tl0 from dc0:network to any nat-to tl0
>
> pass in on dc0 from dc0:network to any
>
> Is this understanding correct? Or is only the first rule ok?
>
> Thanks.
>
First of all, I hardly see why you want or need to use if-bound, since
it most likely hurts pf performance. Secondly, the proper way of doing
nat is using match rules, not pass. And even with match rules, you
need 2 rules anyway:

match out on tl0 from dc0:network to any nat-to (tl0), tl0, gw ip, whatever

pass in on dc0 from dc0:network to any

If you want better control of what passes in which interfaces, I believe
you are better served using tags than using if-bound and always
duplicating yourself. You're less error prone.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: pf and nat

2014-03-21 Thread Loïc BLOT
Hello,
you are right, you need both rules.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Tuesday 18 March 2014 at 15:19 -0300, Friedrich Locke wrote:
> Hi folks,
>
> I am studying pf and a doubt arose!
>
> Since my state policy is if-bound (set state-policy if-bound) I need two
> rules for each traffic I want to pass. Is that understanding right?
>
> For instance, for nat I could:
>
> pass out on tl0 from dc0:network to any nat-to tl0
>
> pass in on dc0 from dc0:network to any
>
> Is this understanding correct? Or is only the first rule ok?
>
> Thanks.




pf and nat

2014-03-18 Thread Friedrich Locke
Hi folks,

I am studying pf and a doubt arose!

Since my state policy is if-bound (set state-policy if-bound) I need two
rules for each traffic I want to pass. Is that understanding right?

For instance, for nat I could:

pass out on tl0 from dc0:network to any nat-to tl0

pass in on dc0 from dc0:network to any

Is this understanding correct? Or is only the first rule ok?

Thanks.



Re: Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-28 Thread Stuart Henderson
[ http://www.mouedine.net/relayd/ ]

> On 2013-11-27 13:21, Tristan Le Guern wrote:
>> Are you aware that DNS uses TCP connections when replies are too large
>> for UDP? It is a bad practice to block this.

When replies are too large, or in some cases when the servers are
under attack (the RRL SLIP mechanism).  

Other notes on this method:

- magnet: links don't use http

- forcing all https sites through this type of proxy will break sites
using certificate pinning, e.g. google sites if accessed via chrome



Re: Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-27 Thread Wesley MOUEDINE ASSABY

Thanks, I will correct that.

On 2013-11-27 13:21, Tristan Le Guern wrote:

> On 11/25/13 15:38, Wesley MOUEDINE ASSABY wrote:
>
>> Hi,
>>
>> A new how to about PF and relayd :
>> http://www.mouedine.net/relayd
>>
>> Cheers,
>>
>> Wesley MOUEDINE ASSABY
>
> Are you aware that DNS uses TCP connections when replies are too large
> for UDP? It is a bad practice to block this.




Re: Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-25 Thread Wesley MOUEDINE ASSABY

Hi,

Tested with facebook.com/
It works. In this case, PF doesn't block any IP; relayd takes all the work,
it is a transparent proxy with https/http inspection.

I also tested this:
Downloading a .torrent file is not allowed.
From a usb key, I tried to open a .torrent with the utorrent client
(windows); it doesn't download any files. I don't want to make any risky
assumptions ;-)


Cheers,

==wma

On 2013-11-26 4:14, Paolo Aglialoro wrote:

> Hi,
> really nice tutorial :)
>
> What about blocking some sites like dropbox, gdrive, etc. which are the
> main channels through which files are nowadays leaking out of companies?
>
> For instance, in the case of dropbox a single url would not be enough, just
> look here:
>
> https://ipdb.at/org/Dropbox
>
> Same to block fbook or similar socials.
>
> You could integrate your schema with the use of tables but the real
> breakthrough would be catching these applications at protocol level when
> they try to login remotely. Managing tables of forbidden ip addresses is a
> job in itself.
> On 25/Nov/2013 15:38 "Wesley MOUEDINE ASSABY" wrote:
>
>> Hi,
>>
>> A new how to about PF and relayd :
>> http://www.mouedine.net/relayd
>>
>> Cheers,
>>
>> Wesley MOUEDINE ASSABY




Re: Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-25 Thread Paolo Aglialoro
Hi,
really nice tutorial :)

What about blocking some sites like dropbox, gdrive, etc. which are the
main channels through which files are nowadays leaking out of companies?

For instance, in the case of dropbox a single url would not be enough, just
look here:

https://ipdb.at/org/Dropbox

Same to block fbook or similar socials.

You could integrate your schema with the use of tables but the real
breakthrough would be catching these applications at protocol level when
they try to login remotely. Managing tables of forbidden ip addresses is a
job in itself.
On 25/Nov/2013 15:38 "Wesley MOUEDINE ASSABY" wrote:

> Hi,
>
> A new how to about PF and relayd :
> http://www.mouedine.net/relayd
>
> Cheers,
>
> Wesley MOUEDINE ASSABY



Re: Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-25 Thread Vijay Sankar

Quoting Wesley MOUEDINE ASSABY :

> Hi,
>
> A new how to about PF and relayd :
> http://www.mouedine.net/relayd
>
> Cheers,
>
> Wesley MOUEDINE ASSABY




Nice! Thanks very much,

Vijay

Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca

-
This message was sent using ForeTell-POST 4.9



Layer 7 filtering example using pf and relayd : block torrent use and some urls

2013-11-25 Thread Wesley MOUEDINE ASSABY

Hi,

A new how to about PF and relayd :
http://www.mouedine.net/relayd

Cheers,

Wesley MOUEDINE ASSABY



Re: Internet access on openvpn with PF and NAT

2013-06-29 Thread Loïc BLOT
Hello mike

You are blocking traffic after matching the nat rule.
Because you don't use the quick keyword, your PF matches the first rule, then
the second, then the third, and does what the third says.

In your firewall configuration you block nothing and you nat nothing.

Better way is to write this:

set skip on lo
block in log
pass out
pass in quick on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x

This allows outgoing traffic and incoming traffic from tun0 (+nat).
Because PF is stateful, you don't have to allow return traffic from tun0
NATed clients.
If you want to allow some more incoming traffic, add new rules after the
previous rules.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Friday 28 June 2013 at 23:50 -0500, Mike Parker wrote:
> pf.conf
> set skip on lo
> pass in on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x
> block log
> pass
> block in on ! lo0 proto tcp to port 6000:6010




Internet access on openvpn with PF and NAT

2013-06-28 Thread Mike Parker
I am having trouble trying to route tun0 to em0 via nat.  Maybe I've
misread the nat section / examples in the pf.conf man page.
The iptables way to do this was:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT
--to-source 37.x.x.x

I can access and ping both sides while connected to openvpn.  But when I
try outside the network I get:
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

tcpdump -eni pflog0
rule 1/(match) block in on tun0: 10.8.0.6 > 8.8.8.8: icmp: echo request
(DF)

pf.conf
set skip on lo
pass in on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x
block log
pass
block in on ! lo0 proto tcp to port 6000:6010

openvpn server.conf
proto udp
port 80
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh2048.pem
comp-lzo
persist-key
persist-tun
keepalive 10 120
server 10.8.0.0 255.255.255.0
user _openvpn
group _openvpn
daemon
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
verb 3
status /etc/openvpn/status.log
log /etc/openvpn/openvpn.log



Re: pf and apache

2013-03-01 Thread Matt Morrow
Thanks everyone. Seems to be working from outside, so for now I'll just go
with the direct ip of the server when I need to access it internally.

On Fri, Mar 1, 2013 at 11:22 AM, Pawel Jurusz wrote:

> Hello,
>
> If you are using only redirections, the source host will receive a SYN-ACK
> from 192.168.1.70, but there was no previous SYN to this address, so the
> source host will send a TCP Reset. Solution may be:
>
> pass in on $int_if proto tcp from $int_if:network to any port 80 rdr-to
> 192.168.1.70
> pass out on $int_if proto tcp from $int_if:network to any port 80
> received-on $int_if nat-to $int_if
>
>
> On 01.03.2013 06:07, Matt Morrow wrote:
> > I have pf running on an openbsd box handling port forwarding. All ports
> > seem to forward ok except for port 80.
> >
> > Apache is running on a slackware box. I can access apache just fine
> > internally by using the ip address of that server (192.168.1.70), but if
> I
> > access the ip of the openbsd box (192.168.1.60) I just get an error that
> > the server is not available. It should be forwarding port 80 to the
> > slackware box.
> >
> > Here is my pf.conf
> > -
> > ext_if = "rl0"
> > int_if = "em0"
> >
> > icmp_types="echoreq"
> > set block-policy return
> > set loginterface egress
> >
> > set skip on lo
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > block in log
> > pass out log quick
> > antispoof quick for { lo $int_if }
> >
> > #
> > #   port forwarding
> > #
> > pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70
> > port 80
> > pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70
> > port 80
> > pass in on $ext_if proto tcp from any to any port 6699 rdr-to
> 192.168.1.60
> > port 22
> > pass in on $ext_if proto tcp from any to any port 51413 rdr-to
> > 192.168.1.105 port 51413
> > pass in on $ext_if proto udp from any to any port 51413 rdr-to
> > 192.168.1.105 port 51413
> > pass in on $int_if proto udp from any to any port 58846 rdr-to
> > 192.168.1.101 port 6881
> > pass in on $ext_if proto tcp from any to any port 9000 rdr-to
> 192.168.1.105
> > port 81
> >
> > 
> > #pass in log (all) inet proto icmp all icmp-type $icmp_types
> > pass in log (all) on $int_if



Re: pf and apache

2013-03-01 Thread Pawel Jurusz
Hello,

If you are using only redirections, the source host will receive a SYN-ACK
from 192.168.1.70, but there was no previous SYN to this address, so the
source host will send a TCP Reset. Solution may be:

pass in on $int_if proto tcp from $int_if:network to any port 80 rdr-to
192.168.1.70
pass out on $int_if proto tcp from $int_if:network to any port 80
received-on $int_if nat-to $int_if


On 01.03.2013 06:07, Matt Morrow wrote:
> I have pf running on an openbsd box handling port forwarding. All ports
> seem to forward ok except for port 80.
> 
> Apache is running on a slackware box. I can access apache just fine
> internally by using the ip address of that server (192.168.1.70), but if I
> access the ip of the openbsd box (192.168.1.60) I just get an error that
> the server is not available. It should be forwarding port 80 to the
> slackware box.
> 
> Here is my pf.conf
> -
> ext_if = "rl0"
> int_if = "em0"
> 
> icmp_types="echoreq"
> set block-policy return
> set loginterface egress
> 
> set skip on lo
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> block in log
> pass out log quick
> antispoof quick for { lo $int_if }
> 
> #
> #   port forwarding
> #
> pass in on $ext_if proto tcp from any to any port 80 rdr-to 192.168.1.70
> port 80
> pass in on $int_if proto tcp from any to any port 80 rdr-to 192.168.1.70
> port 80
> pass in on $ext_if proto tcp from any to any port 6699 rdr-to 192.168.1.60
> port 22
> pass in on $ext_if proto tcp from any to any port 51413 rdr-to
> 192.168.1.105 port 51413
> pass in on $ext_if proto udp from any to any port 51413 rdr-to
> 192.168.1.105 port 51413
> pass in on $int_if proto udp from any to any port 58846 rdr-to
> 192.168.1.101 port 6881
> pass in on $ext_if proto tcp from any to any port 9000 rdr-to 192.168.1.105
> port 81
> 
> 
> #pass in log (all) inet proto icmp all icmp-type $icmp_types
> pass in log (all) on $int_if



Re: pf and apache

2013-03-01 Thread Beto
Andy, can we see the result of running:

tcpdump -n -e -ttt -i pflog0 host 192.168.1.70

Thanks


2013/3/1 Matt Morrow 

> I'm doing the rdr-to on both interfaces. But, I have other ports that rdr
> just fine internally, so that's why I think something else is going on. For
> example, I have ssh on 6699 and I can access that both internally and
> externally.
>
> On Thu, Feb 28, 2013 at 11:46 PM, Andy Bradford
> wrote:
>
> > Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:
> >
> > > Apache is  running on a slackware  box. I can access  apache just fine
> > > internally by using the ip  address of that server (192.168.1.70), but
> > > if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> > > error that the  server is not available. It should  be forwarding port
> > > 80 to the slackware box.
> >
> > I'm going to  guess from your description that you  are trying to rdr-to
> > on the same interface. The documentation says:
> >
> >  Redirections cannot reflect packets  back through the interface
> >  they arrive on, they can  only be redirected to hosts connected
> >  to different interfaces or to the firewall itself.
> >
> > The next section discusses using NAT... might be what you're after.
> >
> > Andy
> > --
> > TAI64 timestamp: 4000513040c3



Re: pf and apache

2013-03-01 Thread Matt Morrow
I'm doing the rdr-to on both interfaces. But, I have other ports that rdr
just fine internally, so that's why I think something else is going on. For
example, I have ssh on 6699 and I can access that both internally and
externally.

On Thu, Feb 28, 2013 at 11:46 PM, Andy Bradford
wrote:

> Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:
>
> > Apache is  running on a slackware  box. I can access  apache just fine
> > internally by using the ip  address of that server (192.168.1.70), but
> > if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> > error that the  server is not available. It should  be forwarding port
> > 80 to the slackware box.
>
> I'm going to  guess from your description that you  are trying to rdr-to
> on the same interface. The documentation says:
>
>  Redirections cannot reflect packets  back through the interface
>  they arrive on, they can  only be redirected to hosts connected
>  to different interfaces or to the firewall itself.
>
> The next section discusses using NAT... might be what you're after.
>
> Andy
> --
> TAI64 timestamp: 4000513040c3



Re: pf and apache

2013-02-28 Thread Andy Bradford
Thus said Matt Morrow on Thu, 28 Feb 2013 23:07:30 -0600:

> Apache is  running on a slackware  box. I can access  apache just fine
> internally by using the ip  address of that server (192.168.1.70), but
> if I  access the ip  of the openbsd box  (192.168.1.60) I just  get an
> error that the  server is not available. It should  be forwarding port
> 80 to the slackware box.

I'm going to  guess from your description that you  are trying to rdr-to
on the same interface. The documentation says:

 Redirections cannot reflect packets  back through the interface
 they arrive on, they can  only be redirected to hosts connected
 to different interfaces or to the firewall itself.

The next section discusses using NAT... might be what you're after.

Andy
-- 
TAI64 timestamp: 4000513040c3



Re: pf and torrenting

2012-11-01 Thread Matt Morrow
I am trying to get torrenting to work but I can't seem to get any packets
to go through. Tcpdump shows attempted activity and nothing blocked, but the
torrent client itself doesn't seem to be receiving anything from any
torrent I have tried.
The torrent client is using port 58846

From the pf.conf:
---

ext_if="rl0"




pass in on $ext_if proto tcp from any to any port 58846 rdr-to
192.168.1.101 port 58846
---

Thanks everyone who responded. I got it working by switching to
transmission.



Re: pf and torrenting

2012-10-31 Thread Tomas Bodzar
On Wed, Oct 31, 2012 at 11:08 PM, Matt M.  wrote:
> I am trying to get torrenting to work but I can't seem to get any packets to
> go through. Tcpdump shows attempted activity and nothing blocked, but the
> torrent client itself doesn't seem to be receiving anything from any torrent
> I have tried.
> The torrent client is using port 58846

Which torrent client, what command line options were used, what was in
tcpdump, what version of OpenBSD?

>
> From the pf.conf:
> ---
>
> ext_if="rl0"
>
> 
> 
>
> pass in on $ext_if proto tcp from any to any port 58846 rdr-to 192.168.1.101
> port 58846
>

Useless without the complete pf.conf. You can trim out IPs for "safety".



pf and torrenting

2012-10-31 Thread Matt M.
I am trying to get torrenting to work but I can't seem to get any
packets to go through. Tcpdump shows attempted activity and nothing
blocked, but the torrent client itself doesn't seem to be receiving
anything from any torrent I have tried.

The torrent client is using port 58846

From the pf.conf:
---

ext_if="rl0"




pass in on $ext_if proto tcp from any to any port 58846 rdr-to 
192.168.1.101 port 58846




PF and altq issues...need advice please.

2012-07-05 Thread Ton Muller
I started experimenting with altq, and managed to make a nice test config.
My box has 3 LAN interfaces, but I am playing atm only with one network.

I managed to get the traffic that comes from the internet to each machine
nicely as I want it.

The global out speed to the internet is set to 256Kbs,
while each machine is set with 1Mbit out,
but the outspeed stays at the 256kbs, and not the values I want. So my
question: what is wrong with my config?

below my current pf.conf


## START CONFIG ##
#
ext_if  = "fxp0"
int0_if = "re0"
int2_if = "rl0"
int3_if = "rl1"
#
localnet0 ="192.168.0.0/24"
localnet2 ="192.168.2.0/24"
localnet3 ="192.168.3.0/24"
#
blockedport ="{21,25,53,80,110,119, 2128}"
openport="{ 21,25,110,8002,45631 }"
#
# the table name was stripped by the list archive (it looks like an HTML tag);
# <firewall> is assumed here from the file name
table <firewall> persist file "/etc/table/firewall.table"
#
# extern -> intern IF-0
altq on $int0_if cbq bandwidth 1000Mb queue \
{ std0_in, core_in, soep_in, global0_in, server2_in }
queue std0_in    bandwidth 15Mb priority 1 cbq(default)
queue global0_in bandwidth 192Kb cbq
queue core_in    bandwidth 2024Kb cbq
queue soep_in    bandwidth 1024Kb cbq
queue server2_in bandwidth 512Kb cbq
#
#
# intern -> extern
altq on $ext_if cbq bandwidth 10Mb queue \
{ std_ext , lan_ext ,core_ext, soep_ext, server2_ext }
queue std_ext     bandwidth 6Mb cbq(default)
queue lan_ext     bandwidth 256Kb cbq
queue core_ext    bandwidth 1024Kb cbq
queue soep_ext    bandwidth 1024Kb cbq
queue server2_ext bandwidth 512Kb cbq
#
match out on egress inet from !(egress) to any nat-to (egress:0)
#
block in on $ext_if all
block quick on $ext_if proto {tcp,udp} from <firewall> to any port \
$blockedport
antispoof for $ext_if inet
#
# Local servers (mail / ftp / other)
pass in quick on $ext_if proto { tcp,udp } from any to $ext_if port \
$openport rdr-to 192.168.0.254

# traffic from localnet0 to internet
pass out on $ext_if keep state queue lan_ext
pass out on $ext_if from 192.168.0.238 keep state queue core_ext
pass out on $ext_if from 192.168.0.227 keep state queue soep_ext
pass out on $ext_if from 192.168.0.254 keep state queue server2_ext

# Traffic from internet to localnet0 (this block works correctly)
pass in on $int0_if from $localnet0 keep state queue global0_in
pass in on $int0_if from 192.168.0.238 keep state queue core_in
pass in on $int0_if from 192.168.0.227 keep state queue soep_in
pass in on $int0_if from 192.168.0.254 keep state queue server2_in

## END CONFIG ##

Simply said:
I don't want a global cap on outgoing traffic.
Each machine should have its own cap on outgoing traffic.

Any advice?
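
The thread has no reply, so here is the answer I would have sent, as an added example rather than part of the thread. The per-host "pass out" rules never get a chance: the match rule with nat-to rewrites the source address the moment it matches, and every rule on $ext_if evaluated after it sees the egress address rather than 192.168.0.x, so "pass out on $ext_if from 192.168.0.238" cannot match and all LAN traffic falls through to the catch-all lan_ext rule, which is the 256Kbs observed. A tag set on the way in on $int0_if survives the translation, so the classification moves there. Interface names, addresses and queues are the ones from the posted config, with the rules that are not about queueing left out; the altq syntax is the one the post uses (later OpenBSD releases replaced altq with the new queue syntax).

```pf
# Added example, not a reply from the thread. Names, addresses and queues are
# the posted ones; blocking, antispoof and the rdr for local servers are left
# out, they are unaffected by this change.
ext_if    = "fxp0"
int0_if   = "re0"
localnet0 = "192.168.0.0/24"

# extern -> intern IF-0 (unchanged)
altq on $int0_if cbq bandwidth 1000Mb queue \
    { std0_in, core_in, soep_in, global0_in, server2_in }
queue std0_in    bandwidth 15Mb priority 1 cbq(default)
queue global0_in bandwidth 192Kb cbq
queue core_in    bandwidth 2024Kb cbq
queue soep_in    bandwidth 1024Kb cbq
queue server2_in bandwidth 512Kb cbq

# intern -> extern (unchanged)
altq on $ext_if cbq bandwidth 10Mb queue \
    { std_ext, lan_ext, core_ext, soep_ext, server2_ext }
queue std_ext     bandwidth 6Mb cbq(default)
queue lan_ext     bandwidth 256Kb cbq
queue core_ext    bandwidth 1024Kb cbq
queue soep_ext    bandwidth 1024Kb cbq
queue server2_ext bandwidth 512Kb cbq

# Source NAT. From here on, rules on $ext_if see the egress address, so a
# "pass out on $ext_if from 192.168.0.238" placed after this line can never
# match. Classify where the original address is still visible instead.
match out on egress inet from !(egress) to any nat-to (egress:0)

# Tag on the inbound interface. The tag is stored in the state, so every
# packet of the connection carries it. Last matching rule wins, so the
# per-host rules follow the network-wide one. The *_in queues still shape
# the replies leaving $int0_if, as before.
pass in on $int0_if from $localnet0    tag LAN     queue global0_in
pass in on $int0_if from 192.168.0.238 tag CORE    queue core_in
pass in on $int0_if from 192.168.0.227 tag SOEP    queue soep_in
pass in on $int0_if from 192.168.0.254 tag SERVER2 queue server2_in

# Queue on the outbound interface by tag. Again last match wins, so the
# 256Kb catch-all comes first and the per-host rules override it.
pass out on $ext_if tagged LAN     queue lan_ext
pass out on $ext_if tagged CORE    queue core_ext
pass out on $ext_if tagged SOEP    queue soep_ext
pass out on $ext_if tagged SERVER2 queue server2_ext
```

To see which queue an upload actually lands in, watch the per-queue packet and byte counters with `pfctl -vvsq` or `systat queues` while 192.168.0.238 sends; core_ext should move and lan_ext should not.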



Re: PF and ftp: to use or not to use ftp-proxy ?

2012-06-27 Thread Stuart Henderson
On 2012-06-26, Илья Шипицин  wrote:
> match in inet proto tcp from any port = ftp-data to $external port
> 1024:65535 rdr-to $internal port 1024:65535

You know people can choose their own source port number?
It's just as safe to do "from any to $external port 1024:65535"...



Re: PF and ftp: to use or not to use ftp-proxy ?

2012-06-26 Thread Christopher Zimmermann
On Tue, 26 Jun 2012 14:51:35 +0600
Илья Шипицин  wrote:

> Hello!
>
> I managed to get ftp through PF working either without ftp-proxy ...
>
> match in inet proto tcp from any to $external port = ftp rdr-to
> $internal port 21
> match in inet proto tcp from any port = ftp-data to $external port
> 1024:65535 rdr-to $internal port 1024:65535
> match in inet proto tcp from any to $external port = ftp-data rdr-to
> $internal port 20
>
>
> or with ftp-proxy...
>
> pass in quick on vlan5 inet proto tcp from any to $external port ftp
> divert-to 127.0.0.1 port 8021
>
>
> /etc/rc.local:
>
> /usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v
>
>
> I asked whether it is possible to use multiple instances of ftp-proxy,
> and it turned out that several people are running reverse ftp-proxy in
> production.
> So... can anybody help me choose between the two options above? With
> ftp-proxy or without ftp-proxy?

Your solution without ftp-proxy won't work when other services expect
incoming tcp connections in the high ports range. ftp-proxy will only
open and forward ports that have been negotiated in the ftp control
connection. This is safer and will not interfere with other services.
Use ftp-proxy.

Christopher
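
Stuart's and Christopher's answers make one point between them: the hand-written rdr-to for the data channel has to keep the whole 1024:65535 range on $external pointed at the server, and the source-port qualifier does not narrow that, because the client picks its own source port. The fragment below is an added example, not the original poster's ruleset, putting that rule next to the ftp-proxy setup from the post. vlan5, $external, $internal and the proxy port 8021 follow the post; the addresses and the inside interface vlan10 are made up for the example.

```pf
# Added example; not the original poster's ruleset. vlan5, $external,
# $internal and port 8021 follow the post; the addresses and vlan10 are
# assumptions.
ext_if   = "vlan5"
int_if   = "vlan10"
external = "203.0.113.10"
internal = "10.0.0.21"

### Variant A: data channel forwarded by hand (kept commented out)
# The control-channel rule is fine. The data-channel rule keeps all of
# 1024:65535 on $external pointed at the server permanently, and
# "from any port = ftp-data" does not narrow it: a client binds whatever
# source port it likes, 20 included. Any other service that should receive
# connections on a high port of $external is quietly forwarded to the FTP
# server as well.
#match in inet proto tcp from any to $external port ftp \
#    rdr-to $internal port 21
#match in inet proto tcp from any port = ftp-data to $external \
#    port 1024:65535 rdr-to $internal port 1024:65535
#pass in on $ext_if inet proto tcp from any to $internal

### Variant B: ftp-proxy in reverse mode
# ftp-proxy puts a rule into this anchor for each data connection, limited
# to the client and the one port negotiated on the control channel, and
# removes it again when that connection ends. No data port on $external is
# reachable before the server has announced it.
anchor "ftp-proxy/*"

# Control channel to the proxy, which listens on 127.0.0.1:8021 and is
# started from rc.local as in the post: ftp-proxy -p 8021 -R $internal -P 21
pass in quick on $ext_if inet proto tcp from any to $external port ftp \
    divert-to 127.0.0.1 port 8021

# The proxy opens the real control connection to the server itself.
pass out on $int_if inet proto tcp to $internal port ftp
```

You can watch the anchor fill and empty while a client transfers: `pfctl -a 'ftp-proxy/*' -sr` lists the rules the proxy has loaded at that moment, and the `-D7 -v` from the post makes the proxy log each of them as it adds and removes them.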


