Re: Still no answer on my bridge question -- resolved
Russell Fulton [EMAIL PROTECTED] writes:
> Yet another illustration of the rule that one should post config files when asking questions.

Simply exposing your rule set to a fresh set of eyes sometimes has wonderful problem-solving capability. Seriously, the real risk of embarrassment along the lines of "now what on g*d's green earth are you doing that for?" is a lot less than you think. Posting your config along with your problem description is always good. Obfuscate if you have to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: filtering + NAT (Newbie)
On Apr 6, 2005 10:22 PM, Kimi Ostro [EMAIL PROTECTED] wrote:
> Hello!
>
> I am trying to understand how NAT affects packet filtering and am not sure if I am on the right track. My understanding is this:
>
> ext_if = "tun0"
> int_if = "fxp1"
>
> nat on $ext_if from $int_if:network port > 1023 to any -> ($ext_if)
>
> block all
> pass quick on lo0
> pass in quick on $int_if
>
> # allow my caching/forwarding dns out
> pass out on $ext_if inet proto tcp from $ext_if to any port 53 keep state flags S/SA
>
> # allow http (port 80) out from internal network
> pass out on $ext_if inet proto tcp from $int_if:network to any port 80 keep state flags S/SA
> # eof
>
> From my understanding, DNS packets coming from my firewall will pass out, creating a connection, then create a state in pf's state table - probably not evaluating the rule again, unless the packet's destination has changed?
>
> As for the second pass rule, I kinda expect it to pass any packets destined to port 80 (http in this case) on any host in the outside world, translating the packets with a source IP of my internal network to that of my external interface's IP.

Your NAT rule

    nat on $ext_if from $int_if:network port > 1023 to any -> ($ext_if)

only translates packets whose port is greater than 1023. Hence 80 is not included.

Why don't you add keep state to your rule

    pass in quick on $int_if

Also, if you have not read http://www.openbsd.org/faq/pf/example1.html and http://www.openbsd.org/faq/pf/, please go through them thoroughly :))

kind regards
Siju
Insufficient benzed.... err caffeine
I have been awake since 0323 and it is now 1950, but I want to get this thing to shut up before I die/sleep:

I have done quite a few authpf things and they always work. I have a labrat on my workbench, and logging in from another box using an authpf account gets the usual "Hello fred, you are authenticated from 123.45.67.89" sort of message.

The box I am trying to fix has:

/etc/authpf/authpf.conf touch-ed (0 length)

pf.conf with:

    anchor /authpf/*

placed just after a block rule that will be overthrown by:

/etc/authpf/authpf.rules that says:

    pass in on wi0 from $user_ip to any keep state

and the test user has /usr/sbin/authpf as its shell.

When I log in from a remote station there is no error message. The session looks just as though it was a login with an immediate logout. The last line before the prompt returns is:

    Connection to 123.45.67.89 closed.

On the target /var/log/messages says:

    Apr 8 19:46:20 puffy -authpf: cannot open packet filter device (Permission denied)

I've never seen that before, and Mrs Google didn't really help, with only 4 hits that didn't make sense. I've fried my brain and it is not seeing where I screwed up, but I cannot figure where permissions came into it.

So all you who wake when we sleep can show how fresh you are this morning, and how dumb it is to press on too long in the hope of finishing my tax paperwork on a Saturday.

Thanks, Rod/

Usable email for off-list replies is ash1 at witworx dot com, but we'd rather have the answer archived for someone else to find. Pointing out my boo-boo in public is not too worrying if another can learn from it.

From the land down under: Australia. Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
load-balancing + TCP proxy = TCP Multiplex?
Hi,

Can I do load-balancing + TCP proxying to do something like TCP multiplexing (a la NetScaler)? Or is there some other tool/plugin that I can use with pf to achieve the same results?

- Siddhartha
Re: load-balancing + TCP proxy = TCP Multiplex?
On Apr 8, 2005, at 8:28 AM, Siddhartha Jain wrote:
> Hi,
>
> Can I do load-balancing + TCP proxying to do something like TCP multiplexing (a la NetScaler)? Or is there some other tool/plugin that I can use with pf to achieve the same results?

I have no idea what NetScaler does, but I suspect you can do whatever it is you're trying to do using PF and some other userland applications (Squid, PythonDirector, etc). Perhaps we could better answer your question if you could describe what it is you're actually trying to do, not the products you're comparing against.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Headache with dual WAN and source route verification
I am running pf in an environment with two WAN connections, and pf is configured to load-balance outgoing traffic. This worked nicely for quite a while, then one ISP turned on source route verification on their DSL circuits. This causes any packets coming into their equipment to get dropped if the source address is not within the block that they have assigned. When state is established by an incoming connection, none of my rules to redirect WAN traffic are effective and some connections cannot be established.

What are my options to ensure that _only_ traffic with a source address belonging to ext_if2 goes out ext_if2?

Sanitized pf.conf follows if of interest:

#
# Macros and Tables (grouped here for convenience)
#
int_if = "em0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
lan_net = "192.168.1.0/24"
ext_gw1 = "a.a.a.193"
ext_gw2 = "b.b.b.1"

# IP Addresses of sites allowed to access World Client email
table <mail_clients> const { \
    c.c.c.c, \
    d.d.d.d \
}

# IP Addresses of computers allowed to make outgoing SMTP connections
mail_servers = "{ 192.168.1.1, 192.168.1.2 }"

# Secondary DNS servers that will pull from our primary. Must also be listed
# in bind config files
isp1_dns = "{ a.a.a.5, a.a.a.10 }"

# TCP mail services open to incoming connections.
# Note that redirection is required to enable an incoming service to cross
# the NAT boundary.
mail_services = "{ https, smtp }"

# UDP Services
# Note that some services like DNS responses are already allowed by keeping
# state on outgoing UDP requests.
udp_services = "{ ntp, syslog, tftp, bootps }"

# ICMP Packets allowed to reach the firewall machine
icmp_types = "{ echoreq, unreach }"

# Blocked ports applied to outbound traffic
blocked_outbound_tcp_ports = "{ \
    bootpc, bootps, epmap, microsoft-ds, \
    netbios-dgm, netbios-ns, netbios-ssn, \
    smtp, ssdp \
}"
blocked_outbound_udp_ports = "{ \
    bootpc, bootps, epmap, microsoft-ds, \
    netbios-dgm, netbios-ns, netbios-ssn, \
    ssdp \
}"

#
# Options Section
# Note that only one interface can be monitored for statistics at a time
# Force state matching on an interface by interface basis
#
set loginterface $ext_if1
set block-policy drop

#
# Normalization Section
#
scrub in all

#
# Queueing Section
# Use a simple priority queue on upstream DSL to prioritize empty (no payload)
# TCP ACKs.
#
altq on $ext_if1 priq bandwidth 520Kb queue { q_pri1, q_def1 }
queue q_pri1 priority 7
queue q_def1 priority 1 priq(default)

altq on $ext_if2 priq bandwidth 438Kb queue { q_pri2, q_def2 }
queue q_pri2 priority 7
queue q_def2 priority 1 priq(default)

#
# Translation Section
# Specify how addresses are to be mapped or redirected.
#
# nat: packets going out through $ext_if1 with source address $internal_net will
# get translated as coming from the address of $ext_if1, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# Can't use $ext_if1 as a target since it will expand to all five addresses and try
# to do outbound load balancing. A special rule is made to ensure that outgoing mail
# appears to be from the mail address, .195
#
# NAT needs to be applied to each outgoing interface
nat on $ext_if1 from $lan_net to any port smtp -> a.a.a.195
nat on $ext_if1 from $lan_net to any port != smtp -> a.a.a.199
nat on $ext_if2 from $lan_net to any port != smtp -> b.b.b.246

#
# .195 - MAIL
# Direct unwanted visitors to spamd
# spamd-setup puts addresses to be redirected into table <spamd>.
#
table <spamd> persist
rdr on $ext_if1 proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# SMTP: packets coming in on $ext_if1 with destination a.a.a.195:25 will
# be redirected to the mail server, port 25. A state is created for such packets,
# and outgoing packets will be translated as coming from the external address.
rdr on $ext_if1 proto tcp from any to a.a.a.195 port smtp -> 192.168.1.1 port smtp

# World Client: packets coming in on $ext_if1 for mail:443 are SSL
# encrypted packets for World Client access. Only allow ones that come
Re: Insufficient benzed.... err caffeine
On Fri, 08 Apr 2005 14:13:04 +0200, Peter N. M. Hansteen wrote:
> Rod.. Whitworth [EMAIL PROTECTED] writes:
>> On the target /var/log/messages says:
>>
>>     Apr 8 19:46:20 puffy -authpf: cannot open packet filter device (Permission denied)
>
> Strange. Could it be your kernel and userland are out of sync?

No. I should have said that both environments are 3.6 from the CD (i386).

Thanks for trying.

From the land down under: Australia. Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Insufficient benzed.... err caffeine
On Fri, 08 Apr 2005 07:01:56 -0600, j knight wrote:
> Rod.. Whitworth wrote:
>> pf.conf with:
>>
>>     anchor /authpf/*
>
> With a leading slash? I'm not sure if this would cause you problems or not...

That's a long-day typo. I had it correctly done in the file.

>> placed just after a block rule that will be overthrown by:
>>
>> /etc/authpf/authpf.rules that says:
>>
>>     pass in on wi0 from $user_ip to any keep state
>>
>> and the test user has /usr/sbin/authpf as its shell.
>
> PLEEASE don't paraphrase your pf.conf/authpf.rules. This is really getting annoying. People asking for help, even complaining when they don't get it, but they're unwilling to paste complete, unedited config files, commands being run, log messages, etc.

I know that is usually the case, but like all rules there are exceptions. In this case I should have stressed that the rules were identical on the working and non-working machines. Putting a (very) long file full of complex nat/rdr rules ahead of yards of filter rules would have added noise to the important bit, which was the log entry. But don't blow a fuse - read on:

>> On the target /var/log/messages says:
>>
>>     Apr 8 19:46:20 puffy -authpf: cannot open packet filter device (Permission denied)
>
> Wow. A log message! :P
>
> Probably want to quickly verify the permissions on these files:
>
>     jknight:~% ls -l /dev/pf /usr/sbin/authpf
>     crw-------  1 root  wheel    73,   0 Dec 22 20:08 /dev/pf
>     -r-sr-sr-x  1 root  authpf  18068 Dec  9 18:01 /usr/sbin/authpf
>
> .joel

And THAT did it. I had checked the perms on /dev/pf because it was obviously what couldn't be opened but, dozy me, did NOT check that authpf had suid/sgid on, and for some bizarre reason it did not. Also it was owned by root:wheel. I don't know how, but that box had all of /usr/bin and /usr/sbin files owned by root/wheel and all suid/sgid perms were missing. I pkg_added rsync, which was on the LabRat, and rsynced both of those dirs, and I'll carefully check the rest later.

Thanks for spotting the thing I missed and might not have thought of for quite a while anyway - I don't mess around with permissions on system supplied commands unless told to by [EMAIL PROTECTED]

From the land down under: Australia. Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
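The root cause Rod found above, authpf stripped of its set-user-ID and set-group-ID bits, is worth checking for mechanically rather than by eyeballing an ls -l listing. The script below is an added example and is not from the thread or from the authpf sources; it reads the mode string the way one reads Joel's listing (the 4th and 7th characters are the owner and group execute slots, which show `s` when the bit is set), and the expected owner root and group authpf for /usr/sbin/authpf are taken from that listing. It uses only ls -l and POSIX sh, so it runs on the 3.6 systems in the thread as well as on current hosts.

```sh
#!/bin/sh
# Added example, not part of the list thread. Verifies that a binary such as
# /usr/sbin/authpf still carries setuid and setgid, which authpf needs to open
# /dev/pf on behalf of an unprivileged login.

# has_suid_sgid MODE
#   MODE is the 10-character permission field from `ls -l`, e.g. "-r-sr-sr-x".
#   Returns 0 when both the setuid (char 4) and setgid (char 7) bits are set,
#   1 otherwise. 'S' (bit set without execute) is accepted as well.
has_suid_sgid() {
    mode="$1"
    owner_x=$(printf '%s' "$mode" | cut -c4)   # owner execute slot
    group_x=$(printf '%s' "$mode" | cut -c7)   # group execute slot
    case "$owner_x" in s|S) ;; *) return 1 ;; esac
    case "$group_x" in s|S) ;; *) return 1 ;; esac
    return 0
}

# check_authpf_binary [PATH]
#   Reports whether PATH (default /usr/sbin/authpf) has the mode and ownership
#   shown in the thread: setuid+setgid, owner root, group authpf.
#   Returns 0 if all three hold, 1 if any check fails, 2 if PATH does not exist.
check_authpf_binary() {
    path="${1:-/usr/sbin/authpf}"
    if [ ! -e "$path" ]; then
        echo "$path: not present on this host"
        return 2
    fi
    # Split the ls -l line into words: mode, link count, owner, group, ...
    set -- $(ls -l "$path")
    mode="$1"; owner="$3"; group="$4"
    status=0
    if ! has_suid_sgid "$mode"; then
        echo "$path: setuid/setgid missing (mode $mode)"; status=1
    fi
    if [ "$owner" != root ]; then
        echo "$path: owner is $owner, expected root"; status=1
    fi
    if [ "$group" != authpf ]; then
        echo "$path: group is $group, expected authpf"; status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$path: ok ($mode $owner:$group)"
    fi
    return "$status"
}

# Usage: sh check_authpf.sh [/path/to/authpf]
if [ $# -gt 0 ]; then
    check_authpf_binary "$1"
fi
```

A non-zero exit from check_authpf_binary is the symptom Rod hit; `cannot open packet filter device (Permission denied)` in /var/log/messages is the same fact seen from the login side. The same two checks generalise to any setuid helper in /usr/bin and /usr/sbin, which is where Rod found the damage spread.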