Re: Hi. Off topic slightly, and needing help. Cisco PIX to PF vpn
fixup ipsec should do, assuming your vpn is set up properly. Really this is a PIX question. Have a look at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:IPSecs=Implementation_and_Configuration which holds quite some good tips on cisco-related vpn configs. The pix config guide is not too bad either.

On Wed, Nov 03, 2004 at 08:57:06AM -0800, Derrick wrote:
> I've got an OpenBSD 3.5 firewall, VPN'd (I believe successfully) to a PIX. It would SEEM that traffic is not making its way back from the PIX; off the PIX I see:
>
> Nov 3 08:51:30 active_pix_firewall Nov 03 2004 09:56:20: %PIX-4-400014: IDS:2004 ICMP echo request from 10.10.0.101 to 172.16.139.102 on interface outside
> Nov 3 08:51:30 active_pix_firewall Nov 03 2004 09:56:20: %PIX-3-106010: Deny inbound icmp src outside:10.10.0.101 dst inside:Mandarin (type 8, code 0)
>
> I'm wondering if there's someone who has decent PIX knowledge, as I do not, and can help me work through this problem.
>
> Derrick MacPherson
> [EMAIL PROTECTED]

--
-- - Jean-Francois Dive
-- [EMAIL PROTECTED]

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde
RE: Should I use CBQ or Priority Queueing ?
Hi Nicholas

> I wonder what's the best traffic shaping method available? Is it Class Based Queuing or Priority Queuing? My goal is to allow browsing the internet from local computers, while my DMZ-ed servers consume a lot of my upload bandwidth. Right now, without traffic shaping, it's almost impossible to browse the internet while my servers receive a lot of queries (mail, www, ftp...).

The scenario you have before you is quite complex even if you have done this type of setup before, especially with so many interfaces. The policy to follow to get started is the KISS formula:

    Keep It Simple Stupid

It has helped me conquer a lot of very complex tasks. You may find that priority queuing is quite adequate for the type of traffic you are using. This will allow you to learn about and get a better feel for traffic shaping before you move on to something more complex like cbq or hfsc.

Bob D
PF and two interfaces
Hello everybody...

Okay, I've been trying to route a certain type of traffic over one interface and send all other traffic onto another interface. I hope what I have posted below will at least illustrate what I'm trying to achieve, but I have had no success so far.

-matt

INFO
---

network: (re0) --+
                 + OpenBSD 3.6-snap +--(bge0)-(network)
         (fxp0)-++

= pf.conf =

    ## OpenBSD 3.6 PF.CONF
    ## file: pf.conf.lbref
    #
    int_if     = bge0
    ext_if_sbc = fxp0
    ext_if_rcn = re0
    lan_net    = 10.0.0.0/24
    ext_gw_rcn = 24.148.37.1
    ext_gw_sbc = 67.36.180.95

    # web traffic from the LAN is translated to the SBC address, everything else to the RCN address
    nat pass on $ext_if_sbc from $lan_net to any port 80 -> ($ext_if_sbc)
    # $ was missing on the interface in parentheses: without it pf looks for a real interface named "ext_if_rcn"
    nat on $ext_if_rcn from $lan_net to any port != http -> ($ext_if_rcn)

    # pass all outgoing packets on internal interface
    pass out on $int_if from any to $lan_net

    # pass in quick any packets destined for the gateway itself
    pass in quick on $int_if from $lan_net to $int_if

    # web traffic from the LAN is forced out through the SBC link
    pass in quick on $int_if route-to ($ext_if_sbc $ext_gw_sbc) \
        proto tcp from any to any port = 80 flags S/SA keep state
    # all other tcp is forced out through the RCN link ($ was missing here as well);
    # quick is needed: pf applies the LAST matching rule, so without it the
    # catch-all "pass in on $int_if" rule at the end wins and the route-to is lost
    pass in quick on $int_if route-to ($ext_if_rcn $ext_gw_rcn) \
        proto tcp from any to any port != http flags S/SA keep state

    pass out on $ext_if_rcn proto { tcp, udp } all keep state
    pass out on $ext_if_sbc proto { tcp, udp } all keep state
    pass in on $int_if proto { tcp, udp } all keep state
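The ordering trap in Matt's ruleset, as an added illustration that is not part of the thread: pf walks the filter rules top to bottom and applies the last one that matches, unless a matching rule is marked quick. The model below reduces the "pass in on $int_if" rules to protocol, destination port, quick and route-to, and shows that the RCN route-to rule only takes effect once it carries quick (interface names and ports are the ones from the posted pf.conf; the Python rule model itself is an assumption of this example, not pf's own code).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One simplified 'pass in on $int_if' rule from the ruleset above."""
    proto: Optional[str] = None      # None matches any protocol ("all")
    dport: Optional[int] = None      # None matches any destination port
    negate_port: bool = False        # True models "port != dport"
    quick: bool = False              # "quick": stop evaluating on match
    route_to: Optional[str] = None   # egress interface forced by route-to

def matches(rule: Rule, proto: str, dport: int) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    # fail when the port test comes out the wrong way round for this rule
    if rule.dport is not None and (dport == rule.dport) == rule.negate_port:
        return False
    return True

def evaluate(rules, proto: str, dport: int) -> Optional[Rule]:
    """pf semantics: top to bottom, last match wins, unless a matching rule is quick."""
    winner = None
    for rule in rules:
        if matches(rule, proto, dport):
            winner = rule
            if rule.quick:
                break
    return winner

def lan_ruleset(rcn_rule_quick: bool):
    """The posted 'pass in on $int_if' rules; pfctl expands { tcp, udp } into two rules."""
    return [
        Rule("tcp", 80, quick=True, route_to="fxp0"),      # route-to ($ext_if_sbc ...) port = 80
        Rule("tcp", 80, negate_port=True, quick=rcn_rule_quick,
             route_to="re0"),                              # route-to ($ext_if_rcn ...) port != http
        Rule("tcp"),                                       # pass in on $int_if proto { tcp, udp } all
        Rule("udp"),
    ]

def egress_for(rules, dport: int, proto: str = "tcp") -> Optional[str]:
    """Interface pf forces the packet out of, or None for the normal routing table."""
    rule = evaluate(rules, proto, dport)
    return rule.route_to if rule else None

if __name__ == "__main__":
    for quick in (False, True):
        rules = lan_ruleset(quick)
        print(f"rcn rule quick={quick}: port 80 -> {egress_for(rules, 80)}, "
              f"port 25 -> {egress_for(rules, 25)}")
```

With the second route-to rule not quick, port 25 traffic is passed by the final catch-all rule and follows the kernel's default route instead of being sent to the RCN gateway.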