RE: Speed issues with bridge firewall

2003-09-02 Thread Amir Seyavash Mesry
Henning/Daniel, are there any plans to implement polling in 3.4? Or is there a
patch for it?

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 

NOTICE: This communication may contain privileged or other confidential
information. If you are not the intended recipient, or believe that you have
received this communication in error, please do not print, copy, retransmit,
disseminate, or otherwise use the information. Also, please indicate to the
sender that you have received this communication in error, and delete the
copy you received. Thank you.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Henning Brauer
Sent: Monday, September 01, 2003 3:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Speed issues with bridge firewall


On Mon, Sep 01, 2003 at 12:20:04PM -0500, Mathew Binkley wrote:
> The firewall box is a SuperMicro 1U box with ServerWorks GC-LE chipset,
> dual 1.8 GHz Xeons, 1 GB RAM, 40 gig hard drive, and two gigabit NIC's
> (one Intel, the other NatSemi 83820).  OpenBSD doesn't support SMP, so
> only one of the processors is being used.

dmesg would help.
my bet is on the nge(4), tho. at GigE - esp. when you run jumbo frame 
- it is not very efficient. I'd be interested in figures with a second 
em(4).

> Results:
>
> No firewall: 939 Mbits/sec throughput
> Firewall:    785 Mbits/sec throughput

that's already pretty impressive...

check systat vmstat while doing the tests. I bet the interrupt #s kill 
you. check especially which device causes how many.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)




RE: pf and bridge question

2003-08-14 Thread Amir Seyavash Mesry
As long as you separate the rulesets for the bridged config and the
management NIC, I don't see how it could happen unless the pf code is not
meant to handle this. I am running roughly the same config and it works damn
good, in fact too good when I first configured it. Also I would like to point
out that you stated he had trouble (OpenBSD 3.2 with ipf) with IPF. IPF and
PF are 2 totally different animals. IPF may have a bug, but unless Daniel or
Henning or, eh, I forget, know of a bug using this configuration, then it
should work as I have seen it.

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Marc Beyer
Sent: Wednesday, August 13, 2003 3:18 PM
To: [EMAIL PROTECTED]
Subject: pf and bridge question


Hi,

I have an OpenBSD 3.3 firewall which acts as a transparent bridge 
between our network (not NATted) and a router giving access to the rest 
of the world. The bridging interfaces are configured without IP address 
and a third (management) NIC is configured with an IP address inside our 
network's address space. A colleague of mine claims that this can lead 
to confusion in the routing/bridging code of the firewall and possible 
corruption of the arp table. He says that the management interface 
should never be in the same logical or physical network as one of the 
two sides of the bridge, i.e. it should have an address in rfc1918 space 
and be physically connected to different networking hardware.

I have difficulty in understanding how this could be true and he cannot 
give me an explanation other than that he has had trouble with this in 
the past (running older versions of OpenBSD 3.2 with ipf). Can someone 
here enlighten me as to whether this is really a possible problem and if 
so how exactly some sort of corruption/glitch could happen?

Thanks a lot,

Marc

P.S. Naturally I am aware of the fact that having the management 
interface on a separate NATted network with its own protection is a 
good thing security-wise, so that's not really my question.




RE: pflogr

2003-07-18 Thread Amir Seyavash Mesry
Any way you can have it access MySQL as well?

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
derek potts
Sent: Friday, July 18, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: pflogr


i would like to announce something i've been working on called pflogr.
pflogr is a remote logging system for pf.

features:
- packets are stored using postgresql
- ensures every packet makes it to the database
- packets are decoded at the db server, not the firewall

i've included a very basic php page for accessing the database. my goal is
to have a nice web interface to watch logs from multiple firewalls.

sourceforge page:
http://pflogr.sf.net/

give it a whirl, send me comments.

thanks
:derek




RE: altq vs pppoe

2003-06-07 Thread Amir Seyavash Mesry
So, let me ask, is the if_tun.c file supplied compat with 3.3 and does it
require the kernel sources only, or the whole source tree?

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Tobias Wigand
Sent: Saturday, June 07, 2003 9:22 AM
To: 'Trevor Talbot'; [EMAIL PROTECTED]
Subject: AW: altq vs pppoe


hi,

> I attached a copy of the entire if_tun.c you can drop in instead,
> though.

it compiles now.
and as far as i can see (with some quick testing here, at my parents over
the weekend :), queueing on tun0 works at least better than it ever did
before. it may need some fine tuning regarding the uplink speed. i'll be
able to test that more extensively on monday and let you know.

many thanks!
tobias






RE: altq vs pppoe

2003-06-07 Thread Amir Seyavash Mesry
Well if it was an accident at least I know, lol. I will try it also, as I
want to see if it works with mine, I am using pppoe as well. I won't blame
you if things go haywire, lol.

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Trevor Talbot
Sent: Saturday, June 07, 2003 8:29 PM
To: [EMAIL PROTECTED]
Subject: Re: altq vs pppoe


On Saturday, Jun 7, 2003, at 14:52 US/Pacific, Amir Seyavash Mesry 
wrote:

> So, let me ask, is the if_tun.c file supplied compat with 3.3 and
> does it require the kernel sources only, or the whole source tree?

I think sending the attachment to the list was an accident.  I sent it to
Tobias when he had trouble with the patch at the end of my last email.

Both are for 3.3-stable, kernel sources only.





Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
I am having an odd problem and I am hoping someone on the list can point out
my error.
Here is my pf.conf; the keep state on the icmp doesn't seem to be working, it
won't pass the packets out. I.e.
I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for
this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will
allow the packet and let it return. I think it is something really simple
that I am overlooking but I can't figure it out. Any help is appreciated.

#OpenBSD 3.3

#macros

#interfaces
eth0=fxp0
eth1=fxp1
eth2=fxp2

#lan segment ips
lan1=10.0.0.0/24
lan2=10.0.1.0/24
loc=127.0.0.1/8

#ip's to block (quoted so the comma list expands inside the { } below)
badip="0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 172.31.0.0/16, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32"
lanip=10.0.0.0/8

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all
scrub out all

# nat rules for both lan segments
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0

# rdr port mapping rules if needed
# rdr on eth0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

# filter rules

#block all in-out
block in log all
block out log all
#port 136 >< 140 matches ports 137 through 139 (range operator restored)
block in on $eth0 inet proto {tcp, udp} from any to any port 136 >< 140

#allow for dhcp
pass in on $eth0 inet proto {tcp, udp} from any to $eth0 port 67

#allow outgoing traffic from Internet nic to internet if initiated from Internet Nic.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any modulate state
pass out on $eth0 inet proto udp from $lan1 to any keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass out on $eth0 inet proto tcp from $lan2 to any modulate state
pass out on $eth0 inet proto udp from $lan2 to any keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

#allow requests from segment 1 to segment 2 or internet only if segment 1 requests it.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#allow requests from segment 2 to segment 1 or internet only if segment 2 requests it.
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#deny requests out to internet for bad ip's
block out on $eth0 inet from any to { $badip, $lanip, $loc }
block out on $eth1 inet from any to { $badip }
block out on $eth2 inet from any to { $badip }


Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 





RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Sorry, I thought I gave enough info: they come in on eth1 and leave on eth1.
I.e. the machine that the pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24


If I am reading this right, translation takes precedence over filtering,
which means if I have the following after translation, then the packets will
still pass, or do they get blocked after translation on the outbound if?

block in log all
block out log all

As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 & eth2 checking state on each interface. Maybe one or 2
revised rules would be

pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state

Do I need a corresponding one backtracking such as?

pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state


Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j knight
Sent: Monday, June 02, 2003 2:42 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> I am having a odd problem and I am hoping someone one the list can 
> point out my error, Here is my pf.conf, the keepstate on the icmp 
> doesn't seem to be working, it won't pass the packets out. Ie
> I am on host 10.0.0.51, I ping 10.0.4.1(routing table entry is present for
> this net) and it won't ping it, but if I ping 10.0.0.1(fxp1) then it will
> allow the packet and let it return. I think it is something really simple
> that I am overlooking but I can't figure it out. Any help is appreciated.

Which interface do packets have to exit to reach 10.0.4.1?

> #allow outgoing traffic from Internet nic to internet if initiated 
> from Internet Nic.
> pass out on $eth0 inet proto tcp from $eth0 to any modulate state
> pass out on $eth0 inet proto udp from $eth0 to any keep state
> pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

Translation happens before filtering so you will find that these rules 
are passing packets from $lan1, $lan2 as well.

> #allow nat for both lan segments only if lan segments initiate request.
> pass out on $eth0 inet proto tcp from $lan1 to any modulate state
> pass out on $eth0 inet proto udp from $lan1 to any keep state
> pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
> pass out on $eth0 inet proto tcp from $lan2 to any modulate state
> pass out on $eth0 inet proto udp from $lan2 to any keep state
> pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

These rules will have no effect because of what I mentioned above.

> #allow requests from segment 1 to segment 2 or internet only if 
> segment 1 requests it.
> pass in on $eth1 inet proto tcp from $lan1 to any modulate state
> pass in on $eth1 inet proto udp from $lan1 to any keep state
> pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state
>
> #allow requests from segment 2 to segment 1 or internet only if 
> segment 2 requests it.
> pass in on $eth2 inet proto tcp from $lan2 to any modulate state
> pass in on $eth2 inet proto udp from $lan2 to any keep state
> pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

Where are your pass out on { $eth1, $eth2 } rules? Keep state only 
tracks state on one interface; you still have to pass the traffic 
through any other interface the packets will pass through.


.joel





RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1.
Maybe this clarifies it now, lol.

Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=11.11.11.11
Eth1=10.0.0.2 network 10.0.0.0/24
Eth2=10.0.4.1 network 10.0.4.0/24

(routing table)
Destination     Gateway
10.0.0.0        Eth1
10.0.0.2        Eth1
10.0.1.0        Eth2
10.0.4.0        10.0.0.2

BTW, Thanks for working with me on this, and helping me figure where I am
going wrong!

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j knight
Sent: Monday, June 02, 2003 4:50 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> Sorry, I thought I gave enough info, they come in on eth1 and leave on 
> eth1. IE machine that pf.conf was given for is doing nat and some 
> small routing. Machine1(pf.conf given for this one) Eth0=internetip
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth1=10.0.0.2 network 10.0.0.0/24
>
> Machine2
> Eth0=internetip
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth1=10.0.4.1 network 10.0.4.0/24

Now I'm really confused :(. Perhaps you could draw a simple diagram?

 
> If I am reading this right translation takes precendence over 
> filtering, which means If I have the following after translation, then 
> the packets will still pass, or do they get blocked after translation 
> on the outbound if.x

Translated packets still pass through the filter engine and are subject 
to your filter rules

> block in log all
> block out log all

... so this will block translated packets. You'll need to pass out on 
$ext ... later on.

> As for the keep state rules, what I was trying to accomplish is 
> passing packets between eth1 & eth2 checking state on each interface. 
> Maybe one 2 revised rules would be
>
> pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
> pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state

Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on 
$eth1 so looking for packets from $lan1 on $eth2 isn't necessary.

> Do I need a corresponding one backtracking such as?
>
> pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
> pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state

Same situation here with $lan2.

What you need is a set of rules to pass traffic OUT on $eth1, $eth2. 
Like I said, keep state only tracks state on one interface, not all of 
them.

pass in  on $eth1 from $lan1 to $lan2 keep state
pass out on $eth2 from $lan1 to $lan2 keep state



.joel





RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Re-attaching pf2.conf, I forgot to add the ip changes.

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Yea, I added some and now it works, this got it all working now. Attaching 2
pf.conf's and the diagram is below, lemme know if I still got something
amiss, I think I got it all.

Internet---Eth0
           |
           Machine1---Eth1(10.0.0.1, 10.0.0.0/24)---+
           |                                        |
           Eth2(10.0.1.1, 10.0.1.0/24)              |
                                                    |
Internet---Eth0                                     |
           |                                        |
           Machine2---Eth1(10.0.0.2, 10.0.0.0/24)---+
           |
           Eth2(10.0.4.1, 10.0.4.0/24)

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j knight
Sent: Monday, June 02, 2003 5:50 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 
> 10.0.4.1 Maybe this clarifys it now, lol.

I'm sorry, it really doesn't.

> Machine1
> Eth0=77.77.77.77
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth2=10.0.0.2 network 10.0.0.0/24
>
> Machine2
> Eth0=11.11.11.11
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth2=10.0.4.1 network 10.0.4.0/24

I don't understand how these machines are connected or which machine is 
loaded with the pf.conf you gave. You say above the packets are going 
from 10.0.0.2 to 10.0.4.1 but I don't see how that's possible with a /24 
netmask without some intermediate hop.

Did you test it with the pass out rules?


.joel



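The two points joel makes in this thread, translation being evaluated before filtering and keep state being tied to the one interface the packet was seen on, applied to a complete Machine1 ruleset. This is an added example, not the pf1.conf the poster attached; it assumes the layout from the diagram (fxp0 to the Internet, fxp1 on 10.0.0.0/24 shared with Machine2 at 10.0.0.2, fxp2 on 10.0.1.0/24, 10.0.4.0/24 reached through Machine2) and OpenBSD 3.3 pf.conf syntax.

```conf
# Added example (not the poster's attached pf1.conf): Machine1 ruleset for
# OpenBSD 3.3 built around joel's two points. Assumed layout, taken from the
# diagram in the thread: fxp0 faces the Internet, fxp1 is on 10.0.0.0/24
# together with Machine2 (10.0.0.2), fxp2 is on 10.0.1.0/24, and 10.0.4.0/24
# is reached through Machine2.
eth0 = "fxp0"
eth1 = "fxp1"
eth2 = "fxp2"
lan1 = "10.0.0.0/24"
lan2 = "10.0.1.0/24"
remote = "10.0.4.0/24"
badip = "{ 0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32 }"

scrub in all

# Translation is evaluated before filtering. When the filter rules run, a
# packet from 10.0.0.51 leaving on $eth0 already carries $eth0's address, so
# a "pass out on $eth0 from $eth0" rule also passes every NATed LAN packet,
# while a "pass out on $eth0 from $lan1" rule never matches anything.
nat on $eth0 from { $lan1, $lan2 } to any -> $eth0

block in log all
block out log all

# Nothing addressed to private or bogon space leaves on the Internet side.
block out quick on $eth0 inet from any to $badip
block out quick on $eth0 inet from any to 10.0.0.0/8

# Inbound from the LAN segments. The state created here belongs to the
# interface the packet arrived on ($eth1 or $eth2) and is consulted only there.
pass in on $eth1 inet proto tcp  from $lan1 to any flags S/SA keep state
pass in on $eth1 inet proto udp  from $lan1 to any keep state
pass in on $eth1 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass in on $eth2 inet proto tcp  from $lan2 to any flags S/SA keep state
pass in on $eth2 inet proto udp  from $lan2 to any keep state
pass in on $eth2 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# The same packet is filtered again when it leaves, on whichever interface
# the routing table selects, and the inbound state does not cover that
# interface. Towards the Internet the source is already translated, so the
# rule has to match $eth0's address rather than $lan1 or $lan2.
pass out on $eth0 inet proto tcp  from $eth0 to any flags S/SA modulate state
pass out on $eth0 inet proto udp  from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

# Between the segments and towards Machine2. The ping from the thread
# (10.0.0.51 -> 10.0.4.1) enters on $eth1 and is routed straight back out
# $eth1 to 10.0.0.2, which is why it also needed a pass out rule on $eth1.
# Replies are matched by the state entries these rules create.
pass out on $eth1 inet from $lan1 to $remote keep state
pass out on $eth1 inet from $lan2 to { $lan1, $remote } keep state
pass out on $eth2 inet from $lan1 to $lan2 keep state
```

Check the syntax with pfctl -nf before loading it with pfctl -f; pfctl -s state then shows which interface each state entry was created on.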

Will this work with PF?

2003-02-07 Thread Amir Seyavash Mesry
http://www.research.att.com/~smb/papers/fnat.pdf

Can they do this with pf?

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 






RE: Nat Problem or misconfiguration

2003-02-03 Thread Amir Seyavash Mesry
Bump!

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 



Nat Problem or misconfiguration

2003-01-24 Thread Amir Seyavash Mesry
Ok, I need some help.
Here is my pf.conf, stripped down so the nat works, and ifconfig output
also. Can anyone figure out why it won't do nat on rl1, but will do it on
rl0?
Pf.conf:
nat on rl0 inet from 192.168.0.7/32 to any -> rl0
nat on rl1 inet from 192.168.0.15/32 to any -> rl1
nat on rl1 inet from 192.168.0.4/32 to any -> rl1
nat on rl1 inet from 192.168.0.16/28 to any -> rl1

pass in all
pass out all

Ifconfig:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:2a:17:5f
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::250:fcff:fe2a:175f%rl0 prefixlen 64 scopeid 0x1
inet 24.98.84.83 netmask 0xfe00 broadcast 255.255.255.255

(RL1 is listed with media options 10BaseT and autoselect)
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet 10baseT
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfe00 broadcast 255.255.255.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet autoselect (none)
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfe00 broadcast 255.255.255.255

rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:3a:32:6d
media: Ethernet 100baseTX full-duplex
status: active
inet 192.168.0.1 netmask 0xffe0 broadcast 192.168.0.0
inet6 fe80::250:fcff:fe3a:326d%rl2 prefixlen 64 scopeid 0x3


rl0 & rl1 get dhcp assigned ips, which are shown, but rl1 won't nat. Anyone
got any ideas as to why the nat on rl0 works and not on rl1?


Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 






Pass In for out Syntax

2002-08-09 Thread Amir Seyavash Mesry

Ok I got another Q.
I know Cisco has this for its routers; what I want to know is how I would
implement it on OpenBSD.
Here is what the rule does.
A packet goes out on if0 on port 22, which causes port 22 to open for
incoming traffic on if0 to the same ip it is now outgoing from.
Or
A packet goes out on if1 on port 22, which causes port 22 to open for
incoming traffic on if0 to the same ip it is now outgoing from.

Basically if you open port 22 for outgoing then it auto opens for
incoming.

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation



Proper Syntax for Limiting Ports per user group.

2002-08-09 Thread Amir Seyavash Mesry
Can someone tell me what the proper syntax is for using the user & group
parameters in OpenBSD 3.1 & PF.
Here is an example rule.

pass out proto tcp from fxp0 port 3  5 to any port 3  5 modulate state
pass out proto udp from fxp0 port 3  5 to any port 3  5

The user id is 1001 and the group id is 1007; how do I limit those two rules
to be used by those 2 id's?

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
