Re: Still no answer on my bridge question -- resolved

2005-04-08 Thread Peter N. M. Hansteen
Russell Fulton [EMAIL PROTECTED] writes:

> Yet another illustration of the rule that one should post config files
> when asking questions.

Simply exposing your rule set to a fresh set of eyes sometimes has
wonderful problem solving capability. Seriously, the real risk of
embarrassment along the lines of "now what on g*d's green earth are you
doing that for?" is a lot less than you think.

Posting your config along with your problem description is always
good.  Obfuscate if you have to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"


Re: filtering + NAT (Newbie)

2005-04-08 Thread Siju George
On Apr 6, 2005 10:22 PM, Kimi Ostro [EMAIL PROTECTED] wrote:
> Hello !
>
> I am trying to understand how NAT affects packet filtering and am not
> sure if I am on the right track. My understanding is this;
>
> ext_if = "tun0"
> int_if = "fxp1"
>
> nat on $ext_if from $int_if:network port > 1023 to any -> ($ext_if)
>
> block all
>
> pass quick on lo0
>
> pass in quick on $int_if
>
> # allow my caching/forwarding dns out
> pass out on $ext_if inet proto tcp from $ext_if to any port 53 keep state flags S/SA
>
> # allow http (port 80) out from internal network
> pass out on $ext_if from $int_if:network to any port 80 keep state flags S/SA
>
> # eof
>
> My understanding is that DNS packets coming from my firewall will pass
> out, creating a connection, then create a state in pf's state table,
> probably not evaluating the rule again unless the packet's destination
> has changed?
>
> As for the second pass rule, I kinda expect it to pass any packets
> destined to port 80 (http in this case) on any host in the outside
> world, translating the packets with a source IP of my internal network
> to that of my external interface's IP.

Your NAT rule

nat on $ext_if from $int_if:network port > 1023 to any -> ($ext_if)

only translates packets whose port is greater than 1023, hence 80 is
not included.

Why don't you add keep state to your rule

pass in quick on $int_if

also if you have not read

http://www.openbsd.org/faq/pf/example1.html

http://www.openbsd.org/faq/pf/

please go through it thoroughly :))

kind regards

Siju


Insufficient benzed.... err caffiene

2005-04-08 Thread Rod.. Whitworth
I have been awake since 0323 and it is now 1950 but I want to get this
thing to shut up before I die/sleep:

I have done quite a few authpf things and they always work. I have a
labrat on my workbench and logging in from another box using an authpf
account gets the usual "Hello fred you are authenticated from
123.45.67.89" sort of message.

The box I am trying to fix has:

/etc/authpf/authpf.conf touch-ed (0 length)

pf.conf with:
anchor /authpf/*
placed just after a block rule that will be overthrown by :
/etc/authpf/authpf.rules
that says:
pass in on wi0 from $user_ip to any keep state
and the test user has:
/usr/sbin/authpf
as its shell.

When I log in from a remote station there is no error message. The
session looks just as though it was a login with an immediate logout.
The last line before the prompt returns is:
Connection to 123.45.67.89 closed.

On the target /var/log/messages says:
Apr 8 19:46:20  puffy -authpf: cannot open packet filter device (Permission denied)

I've never seen that before and Mrs Google didn't really help with only
4 hits that didn't make sense.

I've fried my brain and it is not seeing where I screwed up but I
cannot figure where permissions came into it.

So all you who wake when we sleep can show how fresh you are this
morning and how dumb it is to press on too long in the hope of
finishing my tax paperwork on a Saturday

Thanks,
Rod/

usable email for off-list replies is ash1 at witworx dot com but we'd
rather have the answer archived for someone else to find. Pointing out
my boo-boo in public is not too worrying if another can learn from it.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.


load-balancing + TCP proxy = TCP Multiplex?

2005-04-08 Thread Siddhartha Jain
Hi,

Can I do load-balancing + TCP proxying to do something like TCP
multiplexing (a la NetScaler)?

Or, is there some other tool/plugin that I can use with pf to achieve
the same results?

- Siddhartha


Re: load-balancing + TCP proxy = TCP Multiplex?

2005-04-08 Thread Jason Dixon
On Apr 8, 2005, at 8:28 AM, Siddhartha Jain wrote:
> Hi,
> Can I do load-balancing + TCP proxying to do something like TCP
> multiplexing (a la NetScaler)?
> Or, is there some other tool/plugin that I can use with pf to achieve
> the same results?
I have no idea what NetScaler does, but I suspect you can do whatever 
it is you're trying to do using PF and some other userland applications 
(Squid, PythonDirector, etc).  Perhaps we could better answer your 
question if you could describe what it is you're actually trying to do, 
not the products you're comparing against.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Headache with dual WAN and source route verification

2005-04-08 Thread gpontis
I am running pf in an environment with two WAN connections, and pf is configured
to load-balance outgoing traffic. This worked nicely for quite a while, then one
ISP turned on source route verification on their DSL circuits. This causes any
packets coming into their equipment to get dropped if the source address is not
within the block that they have assigned. When state is established by an
incoming connection, none of my rules to redirect WAN traffic are effective and
some connections cannot be established.

What are my options to ensure that _only_ traffic with a source address
belonging to ext_if2 goes out ext_if2 ?


Sanitized pf.conf follows if of interest:

#
# Macros and Tables (grouped here for convenience)
#
int_if = em0
ext_if1 = fxp0
ext_if2 = fxp1
lan_net = 192.168.1.0/24
ext_gw1 = a.a.a.193
ext_gw2 = b.b.b.1

# IP Addresses of sites allowed to access World Client email
table <mail_clients> const {\
c.c.c.c,\
d.d.d.d \
}

# IP Addresses of computers allowed to make outgoing SMTP connections
mail_servers = { 192.168.1.1, 192.168.1.2 }


# Secondary DNS servers that will pull from our primary. Must also be listed
# in bind config files
isp1_dns = { a.a.a.5, a.a.a.10 }

# TCP mail services open to incoming connections.
# Note that redirection is required to enable an incoming service to cross
# the NAT boundary.
mail_services = { https, smtp }

# UDP Services
# Note that some services like DNS responses are already allowed by keeping
# state on outgoing UDP requests.
udp_services = { ntp, syslog, tftp, bootps }


# ICMP Packets allowed to reach the firewall machine
icmp_types = { echoreq, unreach }

# Blocked ports applied to outbound traffic
blocked_outbound_tcp_ports = { \
bootpc, bootps, epmap, microsoft-ds,\
netbios-dgm, netbios-ns, netbios-ssn,   \
smtp, ssdp  \
}

blocked_outbound_udp_ports  = {\
bootpc, bootps, epmap, microsoft-ds,\
netbios-dgm, netbios-ns, netbios-ssn,   \
ssdp\
}

#
# Options Section
# Note that only one interface can be monitored for statistics at a time
# Force state matching on an interface by interface basis
#
set loginterface $ext_if1
set block-policy drop


#
# Normalization Section
#
scrub in all


#
# Queueing Section
# Use a simple priority queue on upstream DSL to prioritize empty (no payload)
# TCP ACKs.
#
altq on $ext_if1 priq bandwidth 520Kb queue { q_pri1, q_def1 }
queue q_pri1 priority 7
queue q_def1 priority 1 priq(default)

altq on $ext_if2 priq bandwidth 438Kb queue { q_pri2, q_def2 }
queue q_pri2 priority 7
queue q_def2 priority 1 priq(default)


#
# Translation Section
# Specify how addresses are to be mapped or redirected.
#

# nat: packets going out through $ext_if1 with source address $internal_net will
# get translated as coming from the address of $ext_if1, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# can't use $ext_if1 as a target since it will expand to all five addresses and try
# to do outbound load balancing. A special rule is made to ensure that outgoing mail
# appears to be from the mail address, .195
#
# NAT needs to be applied to each outgoing interface

nat on $ext_if1 from $lan_net to any port smtp -> a.a.a.195
nat on $ext_if1 from $lan_net to any port != smtp -> a.a.a.199
nat on $ext_if2 from $lan_net to any port != smtp -> b.b.b.246

#
# .195 - MAIL
# Direct unwanted visitors to spamd
# spamd-setup puts addresses to be redirected into table spamd.
#
table <spamd> persist
rdr on $ext_if1 proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# SMTP: packets coming in on $ext_if1 with destination a.a.a.195:25 will
# be redirected to the mail server, port 25. A state is created for such packets,
# and outgoing packets will be translated as coming from the external address.
rdr on $ext_if1 proto tcp from any to a.a.a.195 port smtp -> 192.168.1.1 port smtp

# World Client: packets coming in on $ext_if1 for mail:443 are SSL
# encrypted packets for World Client access. Only allow ones that come 

Re: Insufficient benzed.... err caffiene

2005-04-08 Thread Rod.. Whitworth
On Fri, 08 Apr 2005 14:13:04 +0200, Peter N. M. Hansteen wrote:

> Rod.. Whitworth [EMAIL PROTECTED] writes:
>
> > On the target /var/log/messages says:
> > Apr 8 19:46:20  puffy -authpf: cannot open packet filter device (Permission denied)
>
> Strange. Could it be your kernel and userland are out of sync?

No. I should have said that both environments are 3.6 from the CD
(i386)

Thanks for trying.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.


Re: Insufficient benzed.... err caffiene

2005-04-08 Thread Rod.. Whitworth
On Fri, 08 Apr 2005 07:01:56 -0600, j knight wrote:

> Rod.. Whitworth wrote:
>
> > pf.conf with:
> > anchor /authpf/*
>
> With a leading slash? I'm not sure if this would cause you problems or
> not...

That's a long day typo. I had it correctly done in the file.


> > placed just after a block rule that will be overthrown by :
> > /etc/authpf/authpf.rules
> > that says:
> > pass in on wi0 from $user_ip to any keep state
> > and the test user has:
> > /usr/sbin/authpf
> > as its shell.
>
> PLEEASE don't paraphrase your pf.conf/authpf.rules. This is really
> getting annoying. People asking for help, even complaining when they
> don't get it, but they're unwilling to paste complete, unedited config
> files, commands being run, log messages, etc.


I know that is usually the case but like all rules there are
exceptions. In this case I should have stressed that the rules were
identical on the working and non working machines. Putting a (very)
long file full of complex nat rdr rules ahead of yards of filter rules
would have added noise to the important bit which was the log entry.
But don't blow a fuse - read on:

> > On the target /var/log/messages says:
> > Apr 8 19:46:20  puffy -authpf: cannot open packet filter device (Permission denied)
>
> Wow. A log message! :P
>
> Probably want to quickly verify the permissions on these files:
>
> jknight:~% ls -l /dev/pf /usr/sbin/authpf
> crw-------  1 root  wheel    73,   0 Dec 22 20:08 /dev/pf
> -r-sr-sr-x  1 root  authpf  18068 Dec  9 18:01 /usr/sbin/authpf
>
> .joel


And THAT did it. I had checked the perms on /dev/pf because it was
obviously what couldn't be opened but, dozy me, did NOT check that
authpf had suid/sgid on and for some bizarre reason it did not. Also it
was owned by root:wheel.

I don't know how but that box had all of /usr/bin and /usr/sbin files
owned by root/wheel and all suid/sgid perms were missing.

I pkg_added rsync which was on the LabRat and rsynced both of those
dirs and I'll carefully check the rest later.

Thanks for spotting the thing I missed and might not have thought of
for quite a while anyway - I don't mess around with permissions on
system supplied commands unless told to by [EMAIL PROTECTED]

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
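A small audit script for the failure mode resolved in this thread, added here and not part of any post: it compares the live mode string and owner:group of /usr/sbin/authpf and /dev/pf with the values shown in the ls output above, since a missing set-uid/set-gid bit is exactly what makes authpf log "cannot open packet filter device (Permission denied)". The helper names are mine; the expected values come from the thread.

```shell
#!/bin/sh
# Audit the permissions authpf depends on (added example, not from the thread).
# authpf is the user's login shell and needs set-uid root / set-gid authpf to open
# /dev/pf; without the bits the session closes with "Permission denied" in the log.

# First ten characters of ls -ld output: the symbolic mode string.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Owner and group as "user:group" (ls -ld columns 3 and 4).
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# Succeed only when both the set-uid (4th char) and set-gid (7th char) bits are set.
has_suid_sgid() {
    case "$(mode_of "$1")" in
        ???[sS]??[sS]???) return 0 ;;
        *)                return 1 ;;
    esac
}

# check_path PATH MODE USER GROUP: compare the live values with the expected ones.
check_path() {
    if [ ! -e "$1" ]; then
        echo "FAIL $1 does not exist"
        return 1
    fi
    m=$(mode_of "$1"); o=$(owner_of "$1")
    if [ "$m" = "$2" ] && [ "$o" = "$3:$4" ]; then
        echo "ok   $1 $m $o"
        return 0
    fi
    echo "FAIL $1 is $m $o, expected $2 $3:$4"
    return 1
}

# Expected values are the ones posted in the thread for OpenBSD 3.6.
audit_authpf() {
    rc=0
    check_path /usr/sbin/authpf -r-sr-sr-x root authpf || rc=1
    check_path /dev/pf          crw------- root wheel  || rc=1
    return $rc
}

# Run the audit only when asked ("sh audit_authpf.sh run") so the file can also be sourced.
if [ "${1:-}" = "run" ]; then audit_authpf; fi
```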