ftp through transparent filtering bridge
Hi Guys, an excuse for my question: I am relatively new to OpenBSD (and PF), though not so to other firewall/filtering/NATing :)

Now, a few days ago I set up a transparent bridge on a freshly installed OpenBSD 3.6 (my experience with OpenBSD started with 3.5 used as a desktop, just to learn the system; then I had just read about PF, not actually used it). And I did my homework and read some info from OpenBSD and around. Setting it up was therefore very easy; now it's time for problems.

At first I did it almost completely open from within and almost completely blocking from without. And it worked like a charm. Now I'd like to get it more blocking also from within, just in case some of my users (I am at one of the departments at the university) gets too smart and would like to start bothering others. One of the valid things (with other ones no problems whatsoever :) for me is trying to get something from without via ftp, but there is some problem and therefore the question. And I didn't find my answer in other docs :(

As the bridge is completely transparent and without ANY IP number on any of the two cards, I cannot solve my ftp problem via the local ftp-proxy solution described in the documentation. Also setting simple rules like:

    pass in quick on $ext_if proto tcp from { $local } to any port = \
        ftp-data flags S/SA keep state
    pass in quick on $ext_if proto tcp from { $local } to any port = \
        ftp flags S/SA keep state

gets me from a client behind the bridge to the server outside (I even get banners/readmes), but any dir/ls gets back to me.

Are there any smarter solutions I haven't found yet? I know that linux's iptables make use of a special connection tracking module for ftp to handle that problem but ... is there anything like this for OpenBSD? If things like this are solvable, shouldn't the solutions find their way to the bridging part of the FAQ? I'd suggest so very strongly :)

Best regards
Romek
Re: ftp through transparent filtering bridge
Hi,

On Tue, Nov 23, 2004 at 11:24:18AM +0100, Roman Marcinek wrote:
> As the bridge is completely transparent and without ANY IP number on any of
> the two cards, I cannot solve my ftp problem via the local ftp-proxy solution
> described in the documentation. Also setting simple rules like:
>
>     pass in quick on $ext_if proto tcp from { $local } to any port = \
>         ftp-data flags S/SA keep state
>     pass in quick on $ext_if proto tcp from { $local } to any port = \
>         ftp flags S/SA keep state
>
> gets me from a client behind the bridge to the server outside (I even get
> banners/readmes), but any dir/ls gets back to me.

Your solution is good with a transparent bridge PF installation. But be careful, it works only with FTP in passive mode (connection from client to server for ftp_data).

> Are there any smarter solutions I haven't found yet? I know that linux's
> iptables make use of a special connection tracking module for ftp to handle
> that problem but ... is there anything like this for OpenBSD? If things like
> this are solvable, shouldn't the solutions find their way to the bridging
> part of the FAQ? I'd suggest so very strongly :)

No, PF has no application connection tracking (like iptables' ftp_conntrack). That's why there is a userland ftp-proxy in OpenBSD. PF devs don't like application (OSI layer 7) connection tracking: for needs like that, a userland proxy is the solution (according to their opinion).

A++ Foxy

-- 
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
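Why the passive-mode caveat holds: which side opens the ftp-data connection decides whether a "from $local ... keep state" rule on the bridge ever sees it. The Python below is an added example, not code from this thread or from ftpsesame/ftp-proxy; the addresses and control-channel lines are constructed, and it decodes PORT and the 227 reply the way such a helper must before it can open state for the data connection.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed: the network the bridge's 'from $local' rule covers, and both ends
# of the control channel in the sample session below.
LOCAL_NET = ip_network("192.168.0.0/24")
CLIENT_IP = ip_address("192.168.0.36")
SERVER_IP = ip_address("198.51.100.7")
# h1,h2,h3,h4,p1,p2 as carried by the PORT command and by the 227 reply to PASV.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the comma-separated host/port form; the port is p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return ip_address(f"{h1}.{h2}.{h3}.{h4}"), int(p1) * 256 + int(p2)

def data_connection(line, client_ip, server_ip):
    """(mode, initiator, (target_ip, port)) for the data connection a control line sets up, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):   # active: the server connects out to the client
        ep = parse_hostport(line)
        return ("active", server_ip, ep) if ep else None
    if line.startswith("227 "):            # passive: the client connects out to the server
        ep = parse_hostport(line)
        return ("passive", client_ip, ep) if ep else None
    return None

def admitted_by_bridge_rule(conn):
    """Model of 'pass in ... from $local to any ... keep state': state is only created for a data connection opened from inside."""
    return conn[1] in LOCAL_NET

def analyse(session, client_ip, server_ip):
    """Walk a control-channel transcript and report every data connection it implies."""
    report = []
    for line in session:
        conn = data_connection(line, client_ip, server_ip)
        if conn:
            mode, _initiator, (ip, port) = conn
            report.append((mode, f"{ip}:{port}", admitted_by_bridge_rule(conn)))
    return report

# Constructed control-channel excerpt: one active (PORT) and one passive (PASV) listing.
SESSION = [
    "PORT 192,168,0,36,4,1",                           # client offers 192.168.0.36:1025
    "LIST",
    "PASV",
    "227 Entering Passive Mode (198,51,100,7,39,16)",  # server offers 198.51.100.7:10000
]
```

Calling analyse(SESSION, CLIENT_IP, SERVER_IP) reports the active listing's data connection (opened by the server towards 192.168.0.36:1025) as not matching the rule and the passive one (opened by the client towards 198.51.100.7:10000) as matching it.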
Re: ftp through transparent filtering bridge
On Tue, 23 Nov 2004, Roman Marcinek wrote:
> Are there any smarter solutions I haven't found yet? I know that linux's
> iptables make use of a special connection tracking module for ftp to handle
> that problem but ... is there anything like this for OpenBSD?

Ok, let me plug my own program again: http://www.sentia.org/ftpsesame
Re: ftp through transparent filtering bridge
On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Roman Marcinek wrote:
> > Are there any smarter solutions I haven't found yet? I know that linux's
> > iptables make use of a special connection tracking module for ftp to handle
> > that problem but ... is there anything like this for OpenBSD?
>
> Ok, let me plug my own program again: http://www.sentia.org/ftpsesame

Duh, at least get the link right: http://www.sentia.org/projects/ftpsesame

Sorry about that.
Re: ftp through transparent filtering bridge
Roman Marcinek wrote:
> Are there any smarter solutions I haven't found yet? I know that linux's
> iptables make use of a special connection tracking module for ftp to handle
> that problem but ... is there anything like this for OpenBSD? If things like
> this are solvable, shouldn't the solutions find their way to the bridging
> part of the FAQ? I'd suggest so very strongly :)

http://www.sentia.org/projects/ftpsesame/ is very interesting on bridges.

Moritz
Re: ftp through transparent filtering bridge
On Tuesday 23 November 2004 12:50, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
> > On Tue, 23 Nov 2004, Roman Marcinek wrote:
> > > Are there any smarter solutions I haven't found yet? I know that linux's
> > > iptables make use of a special connection tracking module for ftp to
> > > handle that problem but ... is there anything like this for OpenBSD?
> >
> > Ok, let me plug my own program again: http://www.sentia.org/ftpsesame
>
> Duh, at least get the link right: http://www.sentia.org/projects/ftpsesame

Heh, happens to the best. Any chance to see this as a FreeBSD port? Sounds interesting.

-- 
Best regards, Max Laier | [EMAIL PROTECTED] | ICQ #67774661
http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
ASCII Ribbon Campaign | Against HTML Mail and News
Re: ftp through transparent filtering bridge
Well, it certainly does the job! :)

To Roman's initial question though, monitoring ftp connections is really an application layer problem/responsibility. pf is lower level and would need to implement (pretty much) a full protocol layer to monitor ftp.

Anyway, there you have it.. check out ftpsesame :)

A

--- Camiel Dobbelaar [EMAIL PROTECTED] wrote:
> On Tue, 23 Nov 2004, Roman Marcinek wrote:
> > Are there any smarter solutions I haven't found yet? I know that linux's
> > iptables make use of a special connection tracking module for ftp to handle
> > that problem but ... is there anything like this for OpenBSD?
>
> Ok, let me plug my own program again: http://www.sentia.org/ftpsesame
Re: ftp through transparent filtering bridge
Yes, that's true :) ftpsesame really works as said so ... thanks to all :) Romek
Re: connection that changes queue after a while
> altq on $ext_if cbq bandwidth 220Kb queue { q_def, q_vpn, q_ssh, q_pri }
> queue q_def bandwidth 200Kb priority 4 cbq(default)
> queue q_vpn bandwidth 180Kb priority 2
> queue q_pri bandwidth 200Kb priority 6 cbq(borrow)
> queue q_ssh bandwidth 200Kb priority 7 cbq(borrow)

The sum of the child bandwidth is higher than the parent queue (200+180+200+200 > 220). Your ruleset should give an error on OBSD 3.6, so you probably have 3.5 or an older version.
route-to tables
Hi there,

In the Tables section of the PF guide, it is said that:

    tables can be used in the following ways:
    ..
    * destination address in route-to, reply-to and dup-to filter rule options.

The man page for pf.conf says:

    The route-to option routes the packet to the specified interface with an
    optional address for the next hop.

I am trying to set up a very simple fault-tolerance strategy with PF for a firewall with multiple external connections. I have noticed that, at least in my setup, route-to will only work as expected if the address of the next hop is also provided together with the interface. If only the interface is provided, PF will only route to the default route interface.

I have also noticed that if I define a table with only the addresses of the next-hops and use it as an option for route-to, such as:

    table <routeto> { ipaddress1, ipaddress2 }
    ..
    pass in $int_if route-to <routeto> round-robin from any to any keep state

I get a syntax error.

My questions are:

1. Is the next-hop really optional?
2. How to create a table for route-to?

Thanks again,
ebl
Re: route-to tables
On Tue, Nov 23, 2004 at 04:05:01PM -0300, Emilio Lucena wrote:
> 1. Is the next-hop really optional?

The next-hop is required when the destination IP address of the packet being route-to'd is not on the local network segment connected to the interface you specify.

For instance, if you have an interface xl0 with address 10.1.1.1 and netmask 255.255.0.0, and the packet being route-to'd has destination address 10.1.2.2, that destination address is within xl0's network and therefore directly reachable. You shouldn't specify a next-hop address, so the pf box will do an arp lookup for the local destination 10.1.2.2 and send the packet to the resulting MAC address. If you would specify a next-hop address, pf would send the packet to that address' MAC, and the packet would first go to the next-hop, and then get forwarded again. If you can reach the destination directly, you probably want to send it directly, not via another local hop.

On the other hand, if the destination IP address is not local, you need to tell pf what gateway you want to send the packets to. Same example as before, but the destination is 62.65.145.30. This is not within xl0's network, so the pf box can't do an arp lookup for 62.65.145.30. Instead, it must send the packet to a local box that acts as gateway. The next-hop address in the route-to rule is the IP address of that gateway. For instance, route-to (xl0 10.1.3.3) would make the pf box do an arp lookup for 10.1.3.3, and send the packet (with destination 62.65.145.30) to the resulting MAC address.

> 2. How to create a table for route-to?

The table in route-to can only hold next-hop addresses, like

    pass in route-to (xl0 <nexthops>)

or even

    pass in route-to { (xl0 <nexthops_xl0>), (xl1 <nexthops_xl1>) }

It can't hold a list of interfaces; for instance

    pass in route-to { xl0, xl1, xl2 }
    pass in route-to { (xl0 10.1.3.3), (xl1 10.2.3.3) }

can't be converted into tables.
Tables can only hold numerical IP addresses (and netmasks); they can't hold interface names or pairs of interface name and address. If you need either of the last two forms and want to use tables for the purpose of removing/adding interfaces to the round-robin pool from the command line, the following trick should work:

Use a rule specifying all possible interfaces, with one table of next-hop addresses for each one, like

    pass in route-to { (xl0 <nexthops_xl0>), (xl1 <nexthops_xl1>), ... }

and put only a single next-hop address into each table (the IP address of the gateway for the network on that interface). When an uplink dies, remove the address from the interface's next-hop table, so the table becomes empty. pf will then skip the interface when selecting from the pool. When the uplink comes back, re-add the address to the corresponding pool.

I haven't actually tried it, but I think that's how it's supposed to work, YMMV ;)

Daniel
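The two answers above as an added Python model (not pf's code and not from the thread): arp_target() applies the next-hop rule from the first answer, and RoundRobinPool applies the one-table-per-interface trick from the second; the interface names, addresses and table names are constructed for the example.

```python
from ipaddress import ip_address, ip_interface

# Constructed: two uplink interfaces (address/netmask) and one next-hop table
# per interface, each holding only the gateway reachable through that interface.
IFACES = {"xl0": ip_interface("10.1.1.1/16"), "xl1": ip_interface("10.2.1.1/16")}
TABLES = {"nexthops_xl0": {ip_address("10.1.3.3")},
          "nexthops_xl1": {ip_address("10.2.3.3")}}

def arp_target(dst, iface, nexthop=None):
    """Address the pf box ARPs for under 'route-to (iface [nexthop])': a destination
    inside the interface's own network is looked up directly (give no next-hop);
    anything else must go to the gateway, so the next-hop is mandatory."""
    dst = ip_address(dst)
    if dst in IFACES[iface].network:
        return dst
    if nexthop is None:
        raise ValueError(f"{dst} is not on {iface}: route-to needs a next-hop address")
    return ip_address(nexthop)

class RoundRobinPool:
    """Model of route-to { (xl0 <nexthops_xl0>), (xl1 <nexthops_xl1>) } round-robin:
    an interface whose next-hop table is empty is skipped while walking the pool."""
    def __init__(self, pool, tables):
        self.pool = list(pool)        # [(iface, table_name), ...] in rule order
        self.tables = tables
        self.pos = 0

    def pick(self):
        """(iface, next-hop) for the next new connection, skipping empty tables."""
        for _ in range(len(self.pool)):
            iface, name = self.pool[self.pos]
            self.pos = (self.pos + 1) % len(self.pool)
            if self.tables[name]:
                return iface, min(self.tables[name])
        raise LookupError("every next-hop table is empty: no usable uplink")

def failover_demo():
    """Interfaces chosen before, during and after xl0's uplink is down. Emptying and
    refilling the table stands in for 'pfctl -t nexthops_xl0 -T delete/add 10.1.3.3'."""
    pool = RoundRobinPool([("xl0", "nexthops_xl0"), ("xl1", "nexthops_xl1")], TABLES)
    before = [pool.pick()[0] for _ in range(4)]
    TABLES["nexthops_xl0"].discard(ip_address("10.1.3.3"))  # uplink on xl0 died
    during = [pool.pick()[0] for _ in range(3)]
    TABLES["nexthops_xl0"].add(ip_address("10.1.3.3"))      # uplink on xl0 is back
    after = [pool.pick()[0] for _ in range(2)]
    return before, during, after
```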
Question about pfsync.
Greetings,

I was wondering if anyone noticed that any interface on OpenBSD with PF is sending pfsync traffic? For example, fxp0 and fxp1 are set up as a bridge and fxp2 is the pfsync interface. And you have a pf rule something like

    block in log fxp1

You will see in pflog0 (tcpdump -ni pflog0) that fxp1 is sending out

    16:54:17.020170 192.168.0.36: UPD ST COMP: (DF) [tos 0x10]

    tcpdump -n -e -ttt -r /var/log/pflog
    Nov 24 16:54:34.020175 rule 3/0(match): block in on fxp1: 192.168.0.36: PFSYNCv2 count 1: UPD ST COMP: (DF) [tos 0x10]

So I guess my question is, how do I stop fxp0 and fxp1 from participating in (sending) pfsync traffic?

Thanks!

Best Regards,
Edy
Re: citrix through the firewall...
On Mon, 22 Nov 2004 17:17:18 +1300, you wrote:
> Hi Folks, has anyone written a helper application like ftpsesame that will
> allow citrix metaframe to work through a pf firewall?

Citrix did... ;-) It is called Citrix Secure Gateway (CSG) or their new name of Citrix Secure Access Manager (CSAM). Basically the server sits in the DMZ and only communicates on 443 with SSL for external users, and it communicates from the CSG back to the Citrix servers a number of ways including SSL.
http://www.citrix.com/site/PS/products/product.asp?familyID=%2019productID=184

> Citrix first talks on port 1494 and negotiates a high numbered port which the
> client then connects back to.

You are correct, it depends on how you are set up and what servers need to communicate with external resources. If you require the use of an alternate address configuration you could end up having an inane range of ports which must be opened. What versions of Citrix are you using? Is this strictly for external users to access the internal applications?

> I am going to be encouraging users to move to RDP but I need a short term
> solution.

There are a number of options depending on what the requirements are.

Links:
_HUGE_ resource on Citrix with links, white papers, etc
Original web page http://www.dabcc.com/ThinSol/
New web page (click on Citrix Systems on the left) http://www.dabcc.com/DABCC/
CSG document http://support.citrix.com/servlet/KbServlet/download/134-102-7736/Windows_Secure_Gateway_Guide.pdf

Mike
Note: states with asymmetric routing
Greetings,

Just a note. Stateful inspection on a gateway can hamper tcp connections when inbound or outbound packets go another route (i.e. when one of the directions does not go through the gateway). The connection works fine at a low rate, but fast transfers stop on each 64K (because suddenly PF stops passing packets). I guess it is not a bug, just some feature (like some tcp-window-related state protection). So think whether there are reasons to correct this PF behavior.

Thank you
Ilya A. Kovalenko
Re: Question about pfsync.
After some thinking I believe the problem is that we have ip forwarding enabled, thus when the pfsync interface sends the traffic, it gets forwarded to fxp1. In order to avoid the annoying log message ... a workaround is to allow pfsync traffic on fxp1.

Cheers,
Edy

On Wed, 2004-11-24 at 09:06, Edy Lie wrote:
> Greetings,
>
> I was wondering if anyone noticed that any interface on OpenBSD with PF is
> sending pfsync traffic? For example, fxp0 and fxp1 are set up as a bridge
> and fxp2 is the pfsync interface. And you have a pf rule something like
>
>     block in log fxp1
>
> You will see in pflog0 (tcpdump -ni pflog0) that fxp1 is sending out
>
>     16:54:17.020170 192.168.0.36: UPD ST COMP: (DF) [tos 0x10]
>
>     tcpdump -n -e -ttt -r /var/log/pflog
>     Nov 24 16:54:34.020175 rule 3/0(match): block in on fxp1: 192.168.0.36: PFSYNCv2 count 1: UPD ST COMP: (DF) [tos 0x10]
>
> So I guess my question is, how do I stop fxp0 and fxp1 from participating
> in (sending) pfsync traffic?
>
> Thanks!
>
> Best Regards,
> Edy