Re: Mult-vlan bridge without nat
> /etc/bridgename.bridge0
> add fxp0
> add fxp1
> add vlan0
> add vlan1
> add vlan1
> add vlan 3
> up

What about "add vlan2"? I see only 0, 1, 1, 3.. is that right?

-- Oskar
Mult-vlan bridge without nat
I have a question dealing with vlans and bridges on an OpenBSD-stable box. First, what I am trying to do is below in ascii art, as much as I hate ascii art.

        --------------
        | Cisco 6509 |
        --------------
              |  fa3/0 dot1q trunk to OBSD bridge fxp0
              |
        ---------------
        | OBSD Bridge |
        ---------------
              |  fa0/1 dot1q trunk back to OBSD bridge fxp1
              |
        ----------------
        | Cisco 2900XL |
        ----------------
          |       |       |        |
      vlan 145  vlan 20  vlan 21  vlan 202

Configuration for the bridge itself is (I have rebuilt my kernel with the option to add more vlans):

/etc/mygate   -> empty
/etc/hosts    -> only the loopback, no hostname
/etc/sysctl   -> forwarding set to one
/etc/rc.conf  -> pf set to yes

/etc/hostname.fxp0
    up
/etc/hostname.fxp1
    up
/etc/hostname.vlan0
    inet 128.252.20.0 255.255.255.0 NONE vlan 20 vlandev fxp1
/etc/hostname.vlan1
    inet 128.252.21.0 255.255.255.0 NONE vlan 21 vlandev fxp1
/etc/hostname.vlan2
    inet 128.252.145.0 255.255.255.0 NONE vlan 145 vlandev fxp1
/etc/hostname.vlan3
    inet 128.252.202.0 255.255.255.0 NONE vlan 202 vlandev fxp1
/etc/bridgename.bridge0
    add fxp0
    add fxp1
    add vlan0
    add vlan1
    add vlan1
    add vlan 3
    up

As of right now, I am unable to get this bridge to pass any traffic whatsoever. The pf.conf simply allows all out and all in until I can get the testbed to work.

What I do know is that the machines hanging off the 2900xl can talk to the 6509 without the firewall in place. Which means that I know the trunking is set up correctly on the 2900xl and the 6509. The machines all have IP addresses in the correct vlan, the vlans are set on the 2900xl, and the gateways on the machines are set to the 6509.

Things I have tried:

It seems to me that the vlans act as their own interfaces even though they are tied to fxp0 or fxp1. Since it doesn't really make sense to put an interface on a bridge, I tried to bring them up as "vlan 20 vlandev fxp1"; this brought up the vlans but still did not pass any traffic.

I have also tried bringing them up with a real IP instead of the full /24 class C notation, i.e. 128.252.21.230 255.255.255.0, which works if you have a routing OBSD machine.

I have also tried only adding the vlans into the bridgename.bridge0 without success.

I have been working on different variations of this for a week and haven't gotten OBSD to work as a transparent bridge. I did however get it to work as a router. However, it seems as though people here would rather have it set up as a bridge.

I have seen a lot of things on deja that say rtfm, i.e. brconfig, vlan(4) etc., and although I have rtfm'ed everything I can get my hands on I still have not come up with a solution. Maybe I have missed something quick and easy, maybe not. If I need to go rtfm some more, let me know where to go to get information on this particular setup without NAT'ting.

Any help on this will save a lot of me banging my head into the wall.

Much appreciated,

Andrew Eaton
Network Engineer
Washington University
St. Louis MO
Maby im in the wrong place..but here it goes
Hello,

Does anyone have a howto on this:

OpenBSD with 3 NICs + SNORT with mysql + Apache with ACID

2 NICs are used for the bridge pf firewall. OpenBSD is also with SNORT and mysql.
1 NIC is used for hookup with my laptop. The laptop is with apache and ACID.

If U have one that U would like to share..would make me very happy!! 8)
If not...sorry for wasting UR time. 8)

P
RE: Why isn't this port blocked?
This was the problem:

>> Just replace <> with ><.

tcp 3.3.0.10:12002 <- 2.2.20.0:2913       ESTABLISHED:ESTABLISHED
   [498402552 + 63219] [922621281 + 63919]
   age 00:03:52, expires in 23:59:56, 207 pkts, 42135 bytes, rule 43

@43 pass in inet proto tcp from any to any port 5799 <> 5811 keep state

Should have been these:

@32 pass in on fxp1 inet proto tcp from 3.3.0.0/16 to 2.2.0.0/16 port = nameserver keep state
@33 pass in on fxp0 inet proto tcp from 2.2.0.0/16 to 3.3.0.0/16 port = nameserver keep state

Thanks men, learned a lot again.

Pete
Re: pf rule sintax (newbie)
> > that doesn't work either, dude.
> expands to
> pass in on rl0 from any to !1.2.3.4/32
> pass in on rl0 from any to !2.1.0.0/24
> one will always match.

I've understood, I have to switch the rule from a pass to a block rule so my goal is reached. So the only way to accomplish that is with the next version of PF within OpenBSD 3.3, using tables as Cedric pointed out!?

Regards,
Thelmo
RE: wireless interface sharing same subnet as wired
ok easy answer - get a fourth NIC, put it on the 192.168.1.50 net and use it to NAT out to the internet. When you bridge interfaces they are consumed and not available for anything other than the bridge.

2 NICs bridge 192.168.1.50 and 192.168.1.60 (if you're doing a bridge, they will look like one subnet)
2 NICs for NAT from 192.168.1.60 to the Internet - firewall has an IP address on the Internet.

there may be less simple ways to do this - tunnels and stuff, but with cards at $15 - go with cheap and easy!

-Original Message-
From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 10:11 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: wireless interface sharing same subnet as wired

Ok, let me start over. What I want to be able to do is share a single IP subnet between two private network interfaces.

Client 1: ethernet cable. 192.168.1.50 / mask 255.255.255.0
Client 2: wireless 192.168.1.60 / mask 255.255.255.0

With a 3-interface OpenBSD firewall in between the two. The firewall would bridge the ethernet and wireless so that both clients could connect directly to each other (ping or otherwise). And both clients would NAT out the same common public interface.

The wireless network would use enhanced WEP + mac filtering for security. Not perfect, but suitable for the intended application.

Stephen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 11:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: wireless interface sharing same subnet as wired

I think you will need to run DHCP for your wireless (or some other 'infrastructure' daemons) on your PRIVnet, filter these ports from the PUBnet - but then just treat the wi0 as part of your internal network for NAT - when you say bridge you don't mean 'transparent bridge' right? I don't think that works with NAT.

um no.

-Original Message-
From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 8:45 AM
To: [EMAIL PROTECTED]
Subject: wireless interface sharing same subnet as wired

Hi,

Is there a way with OpenBSD 3.2 to "bridge" the wireless and wired interface? I have a 3-leg firewall:

wi0  - private wireless
fxp0 - public interface
fxp1 - private interface

I have seen Linux and WinXP firewalls that allow you to bridge the private and wireless interface to allow a single IP subnet. Also need to NAT on the public interface for both private interfaces.

Any suggestions on how to configure this with OpenBSD 3.2?

Thank you.
Re: Daniel Hartmeier Show
On Mon, Mar 10, 2003 at 11:34:34AM +0100, Jedi/Sector One wrote:
> What software do you use to read .smil files?

you need realplayer for those webcasts.

- jolan
Re: Daniel Hartmeier Show
On Mon, Mar 10, 2003 at 11:08:32AM +0100, Ed White wrote:
> Design and Performance of the OpenBSD Stateful Packet Filter (pf)
> by Daniel Hartmeier
> [ http://linuxforum.mmmanager.net/1045982346433661373/view ]

What software do you use to read .smil files?

--
Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>
http://www.PureFTPd.Org/ - Secure FTP Server
http://www.Jedi.Claranet.Fr/ - Misc. free software
Rule checker
Hi all,

does a tool exist that would check whether a given packet would pass the firewall or not, and which rule would apply? I'm looking for something like

$ checkpacket --in-interface dc0 --source 10.20.30.40:1234 \
    --destination 1.2.3.4:5678 --proto tcp --flags SYN,URG,DF --tos 0x10 ...

...and see which rules passed and what the final decision is. It would also be great to see into which queue it would belong. Is there something like this?

Michal Ludvig
Re: pfctl: DIOCADDALTQ: Device busy
On Mon, Mar 10, 2003 at 10:06:55PM +1100, Damien Miller wrote:
> Henning Brauer wrote:
> > On Mon, Mar 10, 2003 at 09:43:16PM +1100, Damien Miller wrote:
> > > Henning Brauer wrote:
> > > > either you have more queuedefs you are hiding from us
> > yes, you have.
> > look, the error is obvious.
> Ah, ok. Has the checking been tightened? This worked for ages...

yes, it has been tightened. we guarantee now that same named queues even on different interfaces have the same queue ID. as you were adding two same named queues even on the same interface, they were getting different queue IDs before, which is very confusing and leads to it not working like you expect. now they get the same queue ID, but the kernel notices the queue ID is already taken for the second one and throws an error.

perhaps we should add the same check in userland to give a better error message.
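As an added example of the kind of userland check Henning mentions (constructed for this thread, not pfctl's own code and not a full pf.conf parser): it reads the "altq on ..." and "queue ... { ... }" lines of a ruleset, records the parent each child queue is attached to, and reports any queue attached to more than one parent, counting the implicit per-interface root as a parent. Run over Damien's definitions it flags std, dns, http, mail and ssh; over Henning's corrected version it finds nothing.

```python
"""Constructed check for queues attached to more than one ALTQ parent."""
import re

# 'altq on IFACE ... queue { a, b }' or 'altq on IFACE ... queue name'
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+).*?\bqueue\s+(\{[^}]*\}|\S+)")
# 'queue NAME ... { children }' (children optional for a leaf queue)
QUEUE_RE = re.compile(r"^queue\s+(\S+)(?:.*?\{([^}]*)\})?")

def _names(body):
    """Split '{ a, b c }' into names; pf accepts commas or whitespace."""
    return [n for n in re.split(r"[\s,]+", body.strip("{} \t")) if n]

def find_duplicate_queues(conf):
    """Return {queue: [parents]} for every queue attached to two or more parents."""
    parents = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = ALTQ_RE.match(line)
        if m:
            parent, children = f"implicit root on {m.group(1)}", _names(m.group(2))
        else:
            m = QUEUE_RE.match(line)
            if not m or not m.group(2):          # leaf queue or unrelated line
                continue
            parent, children = m.group(1), _names(m.group(2))
        for child in children:
            parents.setdefault(child, []).append(parent)
    return {q: p for q, p in parents.items() if len(p) > 1}

# Damien's original definitions (the ones that fail with DIOCADDALTQ).
BROKEN = """\
altq on tun0 cbq bandwidth 50Kb queue { root, std, dns, http, mail, ssh }
queue root bandwidth 100% cbq(default ecn) { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
queue dns bandwidth 30% priority 7 cbq(borrow ecn)
queue mail bandwidth 50% priority 0 cbq(borrow ecn)
queue http bandwidth 40% priority 5 cbq(borrow ecn)
queue ssh bandwidth 40% priority 6 cbq(borrow ecn)
"""
# Henning's corrected version: no explicit "root" queue.
FIXED = """\
altq on tun0 cbq bandwidth 50Kb queue { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
queue dns bandwidth 30% priority 7 cbq(borrow ecn)
queue mail bandwidth 50% priority 0 cbq(borrow ecn)
queue http bandwidth 40% priority 5 cbq(borrow ecn)
queue ssh bandwidth 40% priority 6 cbq(borrow ecn)
"""

if __name__ == "__main__":
    for name, where in find_duplicate_queues(BROKEN).items():
        print(f"queue {name} is attached to more than one parent: {where}")
    print("duplicates in fixed config:", find_duplicate_queues(FIXED))  # {}
```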
Re: pfctl: DIOCADDALTQ: Device busy
Henning Brauer wrote:
> On Mon, Mar 10, 2003 at 09:43:16PM +1100, Damien Miller wrote:
> > Henning Brauer wrote:
> > > either you have more queuedefs you are hiding from us
> yes, you have.
> look, the error is obvious.

Ah, ok. Has the checking been tightened? This worked for ages...

> the really right thing is this:
>
> altq on tun0 cbq bandwidth 50Kb queue { std, dns, http, mail, ssh }
> queue std bandwidth 40% cbq(borrow ecn)
> queue dns bandwidth 30% priority 7 cbq(borrow ecn)
> queue mail bandwidth 50% priority 0 cbq(borrow ecn)
> queue http bandwidth 40% priority 5 cbq(borrow ecn)
> queue ssh bandwidth 40% priority 6 cbq(borrow ecn)
>
> aka leave out the queue "root".

Many thanks.

-d
Re: pfctl: DIOCADDALTQ: Device busy
On Mon, Mar 10, 2003 at 09:43:16PM +1100, Damien Miller wrote:
> Henning Brauer wrote:
> > either you have more queuedefs you are hiding from us
> No.

yes, you have.
look, the error is obvious.

> altq on tun0 cbq bandwidth 50Kb queue { root, std, dns, http, mail, ssh }
> queue root bandwidth 100% cbq(default ecn) { std, dns, http, mail, ssh }

you defined the queues std, dns, http, mail and ssh all TWICE. you are telling altq that these queues are BOTH children of the implicit root queue AND children of the queue "root".

correct is this:

altq on tun0 cbq bandwidth 50Kb queue root
queue root bandwidth 100% cbq(default ecn) { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
...

but then this is nonsense. the really right thing is this:

altq on tun0 cbq bandwidth 50Kb queue { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
queue dns bandwidth 30% priority 7 cbq(borrow ecn)
queue mail bandwidth 50% priority 0 cbq(borrow ecn)
queue http bandwidth 40% priority 5 cbq(borrow ecn)
queue ssh bandwidth 40% priority 6 cbq(borrow ecn)

aka leave out the queue "root".
Re: pfctl: DIOCADDALTQ: Device busy
Henning Brauer wrote:
> On Mon, Mar 10, 2003 at 08:24:33PM +1100, Damien Miller wrote:
> > Philipp Buehler - sysfive.com GmbH wrote:
> > > On 10/03/2003, Damien Miller <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > > > After updating -current about a week ago I started getting the following
> > > > error upon trying to load my ruleset:
> > > >
> > > > # pfctl -vf /etc/pf.conf
> > > > [...]
> > > > altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http mail ssh}
> > > > queue root cbq( red ecn default ) { std dns http mail ssh }
> > > > pfctl: DIOCADDALTQ: Device busy
> > > works here.. out of sync somewhere?
> > No, I am definitely in sync and have just re-verified the problem using
> > a GENERIC kernel.
> works fine here too. either you have more queuedefs you are hiding from us

No.

# grep queue /etc/pf.conf.altq
altq on tun0 cbq bandwidth 50Kb queue { root, std, dns, http, mail, ssh }
queue root bandwidth 100% cbq(default ecn) { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
queue dns bandwidth 30% priority 7 cbq(borrow ecn)
queue mail bandwidth 50% priority 0 cbq(borrow ecn)
queue http bandwidth 40% priority 5 cbq(borrow ecn)
queue ssh bandwidth 40% priority 6 cbq(borrow ecn)
pass out on tun0 all queue std
pass out on tun0 proto tcp from any port ssh to any queue ssh
pass out on tun0 proto tcp from any port http to any queue http
pass out on tun0 proto tcp from any port smtp to any queue smtp

> or you are really outta sync somewhere.

No.

# ident /usr/src/sbin/pfctl/parse.y /usr/src/sys/net/pf.c
/usr/src/sbin/pfctl/parse.y:
     $OpenBSD: parse.y,v 1.340 2003/03/09 19:07:21 henning Exp $
/usr/src/sys/net/pf.c:
     $OpenBSD: pf.c,v 1.327 2003/03/09 20:26:12 frantzen Exp $

Maybe src/sbin/pfctl/* should use RCSID() macros like src/usr.bin/ssh does so this can be more directly verified.

-d
Re: pfctl: DIOCADDALTQ: Device busy
On Mon, Mar 10, 2003 at 08:24:33PM +1100, Damien Miller wrote:
> Philipp Buehler - sysfive.com GmbH wrote:
> > On 10/03/2003, Damien Miller <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > > After updating -current about a week ago I started getting the following
> > > error upon trying to load my ruleset:
> > >
> > > # pfctl -vf /etc/pf.conf
> > > [...]
> > > altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http
> > > mail ssh}
> > > queue root cbq( red ecn default ) { std dns http mail ssh }
> > > pfctl: DIOCADDALTQ: Device busy
> > works here.. out of sync somewhere?
> No, I am definitely in sync and have just re-verified the problem using
> a GENERIC kernel.

works fine here too. either you have more queuedefs you are hiding from us, or you are really outta sync somewhere.

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: pf rule sintax (newbie)
On Mon, Mar 10, 2003 at 09:50:19AM +0100, Philipp Buehler - sysfive.com GmbH wrote:
> > pass in on $Ext_If from any to !$MyVar
> Use { !1.2.3.4/32, !2.1.0.0/24}

that doesn't work either, dude.
expands to
pass in on rl0 from any to !1.2.3.4/32
pass in on rl0 from any to !2.1.0.0/24
one will always match.

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Daniel Hartmeier Show
w00t!

Design and Performance of the OpenBSD Stateful Packet Filter (pf)
by Daniel Hartmeier
[ http://linuxforum.mmmanager.net/1045982346433661373/view ]

Showtime: http://linuxforum.mmmanager.net/1045982346433661373/SMIL.smil

Ed
Re: pfctl: DIOCADDALTQ: Device busy
Philipp Buehler - sysfive.com GmbH wrote:
> On 10/03/2003, Damien Miller <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > After updating -current about a week ago I started getting the following
> > error upon trying to load my ruleset:
> >
> > # pfctl -vf /etc/pf.conf
> > [...]
> > altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http mail ssh}
> > queue root cbq( red ecn default ) { std dns http mail ssh }
> > pfctl: DIOCADDALTQ: Device busy
> works here.. out of sync somewhere?

No, I am definitely in sync and have just re-verified the problem using a GENERIC kernel.

-d
Re: pf rule sintax (newbie)
[EMAIL PROTECTED] wrote:
> I'm almost totally new to pf. I've noticed that this syntax is not accepted:
>
> Ext_If = rl0
> MyVar = { 1.2.3.4/32, 2.1.0.0/24 }
>
> pass in on $Ext_If from any to !$MyVar

beware of rule expansion. PF would expand that to:

pass in on $Ext_If from any to !1.2.3.4/32
pass in on $Ext_If from any to !2.1.0.0/24

which is probably not what you want.

with 3.3, you can use a table to do that:

table const { 1.2.3.4/32, 2.1.0.0/24 }
pass in on $Ext_If from any to !

Cedric
Re: pf rule sintax (newbie)
On 10/03/2003, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote To Philipp Buehler - sysfive.com GmbH:
> > Use { !1.2.3.4/32, !2.1.0.0/24}
>
> Sure, I've already done that, thanks.
>
> Anyway I think that syntax interpreted as you've done could be an
> improvement in easing the ruleset of pf.conf file.

Well, it doesn't work out logically. { N, .. , M } expands to NxM rules; if you negate it, this will always be true in one way or the other. pfctl doesn't start to think for you. :)

this has been discussed to death already, check the archives, please. !{..} will never be supported.

ciao
--
Philipp Buehler - <[EMAIL PROTECTED]> - http://sysfive.com/
sysfive.com GmbH - UNIX. Networking. Security. Applications.
Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646
Re: pfctl: DIOCADDALTQ: Device busy
On 10/03/2003, Damien Miller <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> After updating -current about a week ago I started getting the following
> error upon trying to load my ruleset:
>
> # pfctl -vf /etc/pf.conf
> [...]
> altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http
> mail ssh}
> queue root cbq( red ecn default ) { std dns http mail ssh }
> pfctl: DIOCADDALTQ: Device busy

works here.. out of sync somewhere?

ciao
--
Philipp Buehler - <[EMAIL PROTECTED]> - http://sysfive.com/
sysfive.com GmbH - UNIX. Networking. Security. Applications.
Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646
Re: pf rule sintax (newbie)
On 10/03/2003, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> I'm almost totally new to pf.
> I've noticed that this syntax is not accepted:
>
> Ext_If = rl0
> MyVar = { 1.2.3.4/32, 2.1.0.0/24 }
>
> pass in on $Ext_If from any to !$MyVar
>
>
> I think this should be an honest rule, am I wrong somewhere!?

No, you cannot use negated lists. They would always match in one or the other way. In short, it wouldn't do what you want to achieve there.

Use { !1.2.3.4/32, !2.1.0.0/24}

ciao
--
Philipp Buehler - <[EMAIL PROTECTED]> - http://sysfive.com/
sysfive.com GmbH - UNIX. Networking. Security. Applications.
Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646
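The expansion that Philipp, Henning and Cedric describe in this thread, as an added model that is not pf's code and not from any of the posters: pf turns a list into one rule per element, so a negated list becomes several individually negated rules and a destination outside at least one element always matches one of them; a table (OpenBSD 3.3, written `table <name>` and referenced as `!<name>`, the name in Cedric's post having been lost in the archive) is one object, so `!<name>` matches only destinations in none of its entries. The per-element "pass" semantics below assume a single rule with no other rules in play.

```python
"""Constructed model of pf list expansion: negated list vs. negated table."""
from ipaddress import ip_address, ip_network

# The networks behind $MyVar in the thread.
MYVAR = [ip_network("1.2.3.4/32"), ip_network("2.1.0.0/24")]

def expand_negated_list(iface, nets):
    """The rules pf generates for 'pass in on IFACE from any to !{ nets }'
    (the same rules as Philipp's '{ !a, !b }' spelling)."""
    return [f"pass in on {iface} from any to !{net}" for net in nets]

def negated_list_passes(dst, nets):
    """True if any expanded per-element rule matches dst, i.e. if dst
    lies outside at least one element. With disjoint elements, every
    address does, so the list never blocks anything."""
    dst = ip_address(dst)
    return any(dst not in net for net in nets)

def negated_table_passes(dst, nets):
    """'pass in ... to !<table>': the table is one object, so the rule
    matches only if dst is in none of its entries."""
    dst = ip_address(dst)
    return not any(dst in net for net in nets)

def compare(dst, nets=MYVAR):
    """Both behaviours side by side for one destination address."""
    return {"negated_list": negated_list_passes(dst, nets),
            "negated_table": negated_table_passes(dst, nets)}

if __name__ == "__main__":
    print("\n".join(expand_negated_list("rl0", MYVAR)))
    for dst in ("1.2.3.4", "2.1.0.7", "9.9.9.9"):
        print(dst, compare(dst))
```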
Re: pf rule sintax (newbie)
> No, you cannot use negated lists. They would always match in one or
> the other way. In short, it wouldn't do what you want to achieve there.
>
> Use { !1.2.3.4/32, !2.1.0.0/24}

Sure, I've already done that, thanks.

Anyway I think that syntax interpreted as you've done could be an improvement in easing the ruleset of pf.conf file.

Thanks for the fast reply.

Best Regards,
Thelmo

__
Tiscali ADSL, up to 9 MONTHS FREE with the Tiscali ADSL Light Mega offer! Tiscali ADSL fears no comparison! Subscribe now. http://point.tiscali.it/adsl/index.shtml
pfctl: DIOCADDALTQ: Device busy
After updating -current about a week ago I started getting the following error upon trying to load my ruleset:

# pfctl -vf /etc/pf.conf
[...]
altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http mail ssh}
queue root cbq( red ecn default ) { std dns http mail ssh }
pfctl: DIOCADDALTQ: Device busy

It disappears if I comment out the altq-related portion of my ruleset (which follows). What am I doing wrong? It seemed to work until a week or so ago.

-d

# Queuing
altq on tun0 cbq bandwidth 50Kb queue { root, std, dns, http, mail, ssh }
queue root bandwidth 100% cbq(default ecn) { std, dns, http, mail, ssh }
queue std bandwidth 40% cbq(borrow ecn)
queue dns bandwidth 30% priority 7 cbq(borrow ecn)
queue mail bandwidth 50% priority 0 cbq(borrow ecn)
queue http bandwidth 40% priority 5 cbq(borrow ecn)
queue ssh bandwidth 40% priority 6 cbq(borrow ecn)

# Set up cbq
pass out on tun0 all queue std
pass out on tun0 proto tcp from any port ssh to any queue ssh
pass out on tun0 proto tcp from any port http to any queue http
pass out on tun0 proto tcp from any port smtp to any queue smtp
pf rule sintax (newbie)
I'm almost totally new to pf. I've noticed that this syntax is not accepted:

Ext_If = rl0
MyVar = { 1.2.3.4/32, 2.1.0.0/24 }

pass in on $Ext_If from any to !$MyVar

I think this should be an honest rule, am I wrong somewhere!?

Best Regards,
Thelmo