Re: reading pf log files on non Open BSD systems
Thanks Ryan!

On 19/11/2008, at 7:00 PM, Ryan McBride wrote:

> On Wed, Nov 19, 2008 at 01:13:32AM +, Stuart Henderson wrote:
>> On 2008/11/19 13:48, Russell Fulton wrote:
>>> Does anyone have any suggestions as to how we can get data in pf log files into pcap files that can be read (and filtered) on other systems.
>>
>> the packets have a struct pfloghdr header as described in pflog(4); this could be chopped off. I'm not aware of existing software that does this, but it would be simple to code.
>
> net/tcpreplay includes a utility called 'tcprewrite' that removes this information (or rewrites it with whatever you want).

Ah! I do know about tcpreplay and friends but never thought of using it for this.

>> other systems may actually understand the pfloghdr data and know how to present it. If they don't, ask for it. The information in there can be very useful.

Good point. MacOS will read and display the information but the filtering is broken. The folk at Team Cymru have the same issue (I don't know what OS they are using). It would appear that there is a bug in this version of tcpdump. I wish I had time to pursue fixing it and reporting bugs to Apple is a pain :(

Thanks again!
Russell
reading pf log files on non Open BSD systems
Hi

I run a dark net and feed data to one of the well known security organisations. I get the dark net data from the drop logs on our firewall by running tcpdump with appropriate filters. Up until now I have piped the data from tcpdump through a perl script to produce a standardised ascii version that is then shipped off for aggregation and analysis.

Now we would like to export a pcap file and things get a little strange. Some systems (MacOSX and whatever the folk doing the analysis use) recognise the link type and will read the file OK, *but* as soon as you apply a filter you don't get any output. Linux systems refuse to read the files at all giving an unknown link type error.

Does anyone have any suggestions as to how we can get data in pf log files into pcap files that can be read (and filtered) on other systems. Worst comes to the worst I'll get tcpdump to record the traffic from the incoming interface rather than extracting it from the pf logs.

Russell Fulton
Information Security Officer, The University of Auckland
New Zealand
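The approach Stuart suggests in the reply (chop the struct pfloghdr off each logged packet and write the result with a link type every libpcap consumer understands) as a small Python script. This is an added example for this thread; it is not Russell's perl script and not tcpreplay's tcprewrite. It assumes the 64-byte pfloghdr layout of OpenBSD's if_pflog.h of that era (length, af, action, reason, ifname, ruleset, rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad) and the pcap savefile link-type numbers 117 (LINKTYPE_PFLOG) and 101 (LINKTYPE_RAW). The sample capture it builds is constructed, not a real pflog file. Two details a practitioner will want: the kernel writes length=61 for a header that is padded to 64 bytes, so the header length is rounded up to a 4-byte boundary the way tcpdump's print-pflog.c does; and the af field is checked before the payload is treated as IP, because a DLT_RAW file may contain nothing else.

```python
"""Strip the pfloghdr from a DLT_PFLOG pcap and write it out as DLT_RAW."""
import struct

LINKTYPE_PFLOG = 117         # savefile link type of a pflog(4) capture
LINKTYPE_RAW = 101           # raw IP (no link-layer header), portable
AF_INET, AF_INET6 = 2, 24    # OpenBSD address-family values in pfloghdr.af
PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub"}   # pfloghdr.action
PF_DIRS = {0: "inout", 1: "in", 2: "out"}          # pfloghdr.dir

# struct pfloghdr (assumed 64-byte layout): length, af, action, reason,
# ifname[16], ruleset[16], rulenr, subrulenr (both htonl), uid, pid,
# rule_uid, rule_pid (16 bytes, kept opaque here), dir, pad[3].
_PFLOGHDR = struct.Struct("!BBBB16s16sII16sB3x")
PFLOG_HDRLEN = _PFLOGHDR.size   # 64


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pfloghdr(payload):
    """Decode the pfloghdr in front of a logged packet; return (fields, hdrlen).
    The kernel stores the unpadded size (61) in 'length'; round it up to a
    4-byte boundary (BPF_WORDALIGN) exactly as tcpdump does."""
    if len(payload) < PFLOG_HDRLEN:
        raise ValueError("truncated pfloghdr")
    (length, af, action, reason, ifname, ruleset,
     rulenr, subrulenr, _ids, direction) = _PFLOGHDR.unpack_from(payload)
    hdrlen = (length + 3) & ~3
    fields = {"af": af, "action": PF_ACTIONS.get(action, str(action)),
              "reason": reason, "ifname": _cstr(ifname),
              "ruleset": _cstr(ruleset), "rulenr": rulenr,
              "subrulenr": subrulenr, "dir": PF_DIRS.get(direction, str(direction))}
    return fields, hdrlen


def _endian(pcap):
    """'<' or '>' from the savefile magic, which is written in host order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        return "<"
    if pcap[:4] == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap savefile")


def pcap_linktype(pcap):
    return struct.unpack_from(_endian(pcap) + "I", pcap, 20)[0]


def strip_pflog(pcap):
    """Rewrite a DLT_PFLOG pcap as DLT_RAW by removing each record's pfloghdr.
    Non-IP records are dropped (DLT_RAW promises an IP packet).
    Returns (new_pcap_bytes, list_of_decoded_headers)."""
    end = _endian(pcap)
    ghdr, rhdr = struct.Struct(end + "IHHiIII"), struct.Struct(end + "IIII")
    magic, vmaj, vmin, tz, sig, snaplen, linktype = ghdr.unpack_from(pcap)
    if linktype != LINKTYPE_PFLOG:
        raise ValueError("expected link type %d, got %d" % (LINKTYPE_PFLOG, linktype))
    out = [ghdr.pack(magic, vmaj, vmin, tz, sig, snaplen, LINKTYPE_RAW)]
    headers, pos = [], ghdr.size
    while pos + rhdr.size <= len(pcap):
        ts_sec, ts_usec, incl, orig = rhdr.unpack_from(pcap, pos)
        pos += rhdr.size
        payload = pcap[pos:pos + incl]
        pos += incl
        fields, hdrlen = parse_pfloghdr(payload)
        headers.append(fields)
        if fields["af"] not in (AF_INET, AF_INET6):
            continue
        pkt = payload[hdrlen:]
        out.append(rhdr.pack(ts_sec, ts_usec, len(pkt), orig - hdrlen) + pkt)
    return b"".join(out), headers


# --- constructed sample input (not a real capture) -------------------------
def _pfloghdr(af, action, direction, ifname, rulenr):
    return _PFLOGHDR.pack(61, af, action, 0, ifname.encode(), b"", rulenr,
                          0xffffffff, b"\xff" * 16, direction)


def _ipv4_udp(src, dst, sport, dport, data):
    # IP and UDP checksums are left zero: the stripper never inspects them.
    total = 20 + 8 + len(data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_sample_pflog_pcap():
    """Little-endian DLT_PFLOG pcap with one blocked inbound and one passed
    outbound UDP datagram (RFC 5737 addresses, hypothetical em0/em1)."""
    ghdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_PFLOG)
    recs = [_pfloghdr(AF_INET, 1, 1, "em0", 42) +
            _ipv4_udp("203.0.113.7", "192.0.2.10", 32987, 1026, b"darknet probe"),
            _pfloghdr(AF_INET, 0, 2, "em1", 7) +
            _ipv4_udp("192.0.2.10", "198.51.100.53", 40000, 53, b"\x12\x34" + b"\0" * 10)]
    body = b"".join(struct.pack("<IIII", 1227000000 + i, 0, len(r), len(r)) + r
                    for i, r in enumerate(recs))
    return ghdr + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            raw, hdrs = strip_pflog(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(raw)
    else:
        raw, hdrs = strip_pflog(build_sample_pflog_pcap())
    for h in hdrs:
        print("%(ifname)s rule %(rulenr)d %(action)s %(dir)s af=%(af)d" % h)
```

Run it as `python3 pflogstrip.py pflog.pcap raw.pcap`; the decoded fields it prints (interface, rule number, action, direction) are exactly the information the reply says other systems may be able to present, so keep the original file alongside the stripped one if the recipient can read DLT_PFLOG.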
bridge with management interface
Hi Folks

We have a pf bridge which manages traffic into and out of our residence network. The external interface of this box is on our DMZ which is separated from our main network by another pf bridge. Default route from the resnet firewall is out to the DMZ. This box also has a management interface which is connected to the internal network. If you ssh to the management interface then the box sends the syn+ack out the default route to the DMZ where it is blocked by the perimeter router.

Is there any way with a bridge set up that I can tag the incoming ssh traffic so pf will direct the returning traffic to the correct interface.

Russell
Re: warning: namespace collisions with 170 global tables.
A short update on this one. We have two identical boxes running pf in bridge mode. The boxes are in parallel and we use the cisco switch/routers to handle the failover. Both the boxes receive the rulesets but only the 'active' one generates the error.

I guess when all else fails we will try rebooting the box but I'd rather not:

$ uptime
 4:51PM  up 215 days,  4:27, 1 user, load averages: 0.10, 0.08, 0.08

R

On 30/01/2008, at 5:28 PM, Russell Fulton wrote:

> This afternoon pfctl started spitting out this message every time we reload the rule set. So far as I can tell nothing substantial changed at this point. Perhaps a new table was created or an IP added to an existing table. (the ruleset is built from a database and there have been quite a few changes this afternoon and by the time I noticed the error all the old versions had been overwritten -- I keep 20 old versions :( )
>
> The rule set loads OK and appears to work fine. From some limited googling it appears that the issue is related to anchors but I can't figure out how. Our rule set has this structure:
>
>   lots of table defs
>   anchor *ftpsesame
>   some hand crafted rules
>   anchor table_rules
>   all the rules that use the tables
>   anchor other_rules
>   other rules that don't involve tables
>
> The last two anchors are completely redundant and I could remove them. I did a grep on the rule set and came up with 156 tables (not 170). Can someone shed some light on what is going on?
>
> Russell.
warning: namespace collisions with 170 global tables.
This afternoon pfctl started spitting out this message every time we reload the rule set. So far as I can tell nothing substantial changed at this point. Perhaps a new table was created or an IP added to an existing table. (the ruleset is built from a database and there have been quite a few changes this afternoon and by the time I noticed the error all the old versions had been overwritten -- I keep 20 old versions :( )

The rule set loads OK and appears to work fine. From some limited googling it appears that the issue is related to anchors but I can't figure out how. Our rule set has this structure:

  lots of table defs
  anchor *ftpsesame
  some hand crafted rules
  anchor table_rules
  all the rules that use the tables
  anchor other_rules
  other rules that don't involve tables

The last two anchors are completely redundant and I could remove them. I did a grep on the rule set and came up with 156 tables (not 170). Can someone shed some light on what is going on?

Russell.
Re: Queues and state
Thanks Stuart! I thought there would be a straight forward way of doing it. With this set up I'm guessing that I can leave state policy as floating?

Russell

On 29/01/2008, at 9:45 PM, Stuart Henderson wrote:

> On 2008/01/29 15:54, Russell Fulton wrote:
>> I know that one can only queue on the outbound interface. We want to queue traffic in both directions so we have to have two queues one on the external interface to queue outbound traffic and one on the internal interface to queue the incoming traffic. So far so good. What has me a little confused is how best to handle sessions with state. we have a rule:
>>
>> pass out quick on $ext_if from unlimited to any keep state queue unlimited_out
>>
>> where unlimited_out is defined as applying to $ext_if. We have defined a queue unlimited_in on $int_if but what is the best way to assign the traffic to it?
>
> use the *same* queue name on ext_if and int_if, and specify the interface name when you define it, e.g.
>
> queue unlimited on $ext_if
> queue unlimited on $int_if
>
> then you can assign traffic to both queues in a single filter rule.
>
> AIUI if-bound is most useful on enc0 (in conjunction with ipsec) and with some special setups using route-to, usually you don't want it.
Queues and state
Hi Folks

We have been using pf on our campus firewall for many years now and are now looking at adding some queueing. I know that one can only queue on the outbound interface. We want to queue traffic in both directions so we have to have two queues one on the external interface to queue outbound traffic and one on the internal interface to queue the incoming traffic. So far so good.

What has me a little confused is how best to handle sessions with state. we have a rule:

pass out quick on $ext_if from unlimited to any keep state queue unlimited_out

where unlimited_out is defined as applying to $ext_if. We have defined a queue unlimited_in on $int_if but what is the best way to assign the traffic to it? After reading the docs I conclude that I should change the state policy to if_bound and add

pass out quick on $int_if from unlimited to any modulate state queue unlimited_out

Is this the best way to do it?

Thanks, Russell
Re: protocol in rules
First, thanks to Stuart and Tihomir

On 15/01/2008, at 5:23 AM, Stuart Henderson wrote:

> On 2008/01/14 07:49, Tihomir koychev wrote:
>>> one other question: Will pfctl expand port != {53, ...} ?
>>
>> Yes it will http://www.openbsd.org/faq/pf/macros.html
>
> not for port number. (and see the warning on that page for lists of addresses :-)

nor does proto ! {list} as I have found out (i'm not surprised given the way pf works).

>> - Original Message
>> From: Russell Fulton [EMAIL PROTECTED]
>> To: pf@benzedrine.cx
>> Sent: Monday, January 14, 2008 5:24:59 AM
>> Subject: protocol in rules
>>
>>> pass out quick on $ext_if proto {udp,tcp} from any to any port != 53 keep state
>>>
>>> But now how do I allow all the other protocols ? I can enumerate the common ones but this is untidy and error prone.
>>
>> Slightly ugly, but how about this?
>>
>> pass out quick on $ext_if proto {udp,tcp} from <external> to port 53
>> block out quick on $ext_if proto {udp,tcp} to port 53
>> pass out quick on $ext_if

the problem is that there are subsequent rules that allow DNS traffic for various name servers. I can change the rule set to put these rules above the external rule and then simply block 53. Looking at it now I think this is by far the cleanest way of dealing with the problem, I do something similar with our mailservers.

> I think I would be looking at converting the ruleset to use tags though. It is a major change but I find it much easier to work with. http://www.openbsd.org/faq/pf/tagging.html

Policy filtering is very good for some applications -- in our case we have entries for about 700 systems and that is not counting the 7000 systems in the external table.

Russell
protocol in rules
Hi Folks

I am making what I thought would be a straight forward change to a rule set but one that turns out to be non trivial after all.

existing rules:

block out on $ext_if any
(there are a few block quicks etc here)
pass out quick on $ext_if from <external> to any keep state

Which allows outbound access to addresses in the table external. Now I want to block outbound access to port 53 (udp tcp) *by default*. I.e. if there are subsequent pass rules for port 53 then they should apply. The problem is that as soon as I specify a port I then have to specify a protocol (either tcp or udp) so I can modify the above rule

pass out quick on $ext_if proto {udp,tcp} from any to any port != 53 keep state

But now how do I allow all the other protocols ? I can enumerate the common ones but this is untidy and error prone. I really want quick on this rule since it is the most used rule in a large (several hundred rules) ruleset.

Any suggestions?

one other question: Will pfctl expand port != {53, ...} ?

Russell
Re: Making progress on pf tuning
Henning, as always, thanks very much for your responses -- invariably to the point and informative. Thanks also to the others who have responded.

I feel a little guilty dumping all this stuff to the list -- I have done some research on my own but not as much as I should have but circumstances forced my hand. On Monday we are getting some consultants in who have experience with BSD systems (although how much I'm not sure) and to get value out of them I wanted to make sure that *I* understood the issues so I could direct their efforts. This isn't actually my job -- I set up these systems years ago and handed the day to day maintenance to someone else. He had been researching these issues for some time but recently left leaving me the only person with knowledge and expertise to pursue the matter.

Our plan of action is to first install 4.2 and see how that goes, then we intend to try NetBSD (or possibly Dragonfly) with the latest version of pf that they support to see what benefit multiple CPUs can give. When we are done I'll post a summary of our findings to the list.

And again, thanks everyone.

Russell
Re: linux/iptables/proxy arp to pf/redundant firewall
Henning Brauer wrote:
> so get a little transfer net and make your upstream adjust his routes
> otherwise you need a bridge indeed, but you really want to avoid that if you have a chance to go for regular routed with carp etc.

we also run redundant bridges -- we have two physical paths to our ISP only one of which is ever in use. We have bridges on both these links and use pfsync to share state. The network uses STP to fail the traffic between the links. Works well for us.
Adding counters to symon reports
Hi Folks

I would really like to monitor the pf congestion counter using symon. I've had a look at the code and it looks fairly straightforward to add but I am currently stuck on trying to figure out where the packet buffer is actually defined so I can check to make sure I don't overflow it. I can find the declaration in main but I have spent about an hour trying to find the actual structure definition -- I must be blind.

I have dropped Willem some email but have not heard back from him and I would really like to get this done so we can see what difference 4.2 makes. So I'm asking if anyone here has hacked with the symon code and would be willing to help me out.

Cheers, Russell
Adding counters to symon reports --- RECALL :)
Dear Moderator, I've spent some more time on this and found the stuff I was after in the lib dir. So if you get to this message before the original please drop the original in the bit bucket.

Thanks, Russell

> Hi Folks
>
> I would really like to monitor the pf congestion counter using symon. I've had a look at the code and it looks fairly straightforward to add but I am currently stuck on trying to figure out where the packet buffer is actually defined so I can check to make sure I don't overflow it. I can find the declaration in main but I have spent about an hour trying to find the actual structure definition -- I must be blind.
>
> I have dropped Willem some email but have not heard back from him and I would really like to get this done so we can see what difference 4.2 makes. So I'm asking if anyone here has hacked with the symon code and would be willing to help me out.
>
> Cheers, Russell
Still dealing with pf performance issues
Hi Folks

First off I *am* planning to install 4.2 on this box as soon as we can -- The CDs are in the mail somewhere between North America and NZ ;)

Over the last few days I have been closely monitoring the vital signs via pfctl -si, here is a typical view:

State Table                  Total             Rate
  current entries            49289
  searches                   11989371271822046.2/s
  inserts                    1978241687        363.8/s
  removals                   1978192398        363.8/s
Counters
  match                      6819832152012540.4/s
  bad-offset                 0                 0.0/s
  fragment                   235460.0/s
  short                      74760.0/s
  normalize                  501710.0/s
  memory                     360196            0.1/s
  bad-timestamp              0                 0.0/s
  congestion                 3163777           0.6/s
  ip-option                  109500.0/s
  proto-cksum                459168638.4/s
  state-mismatch             266701104.9/s
  state-insert               0                 0.0/s
  state-limit                0                 0.0/s
  src-limit                  0                 0.0/s
  synproxy                   0                 0.0/s

I note that memory counter is going up at a rate of 0.1/s. My understanding is that this counter is stepped when pf fails to get memory for a state entry but we are nowhere near the state limit:

$ sudo head /etc/pf.conf
set limit states 15
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 9, adaptive.end 25}

So clearly there is something I don't understand.

Even more of a worry is the congestion counter is at 0.6/s and worse it has stayed at this level even though I have made considerable optimisations to the rule set. The bulk of the rules are generated by a script from a database. When I initially did this performance was not an issue so I did not worry about ordering. (I don't think the pfctl -o switch was around then). I removed a lot of (hundreds) of small tables (with less than 4 addresses in them) and replaced them with multiple rules and added -oo to the load. To my surprise this appears to have had almost no effect on the cpu usage (which sits at around 50% interrupts and nothing anywhere else) or the pfctl -si output.

Is there something else I might be missing?

BTW according to the pf stats from symon we are seeing about 10K packets/sec in and out of the firewall (this matches the state searches above). I'm not sure what time these are averaged over so peaks could be well in excess of this.

Russell
Re: monitoring performance indicators on pf
Thanks Henning and everyone else who responded (privately or to the list).

Henning Brauer wrote:
> * Russell Fulton [EMAIL PROTECTED] [2007-10-16 10:03]:
>> * Is there any tuning that we can do to improve performance of pf
>
> yes. install 4.2. seriously, it more than doubles pf performance.

This appears to be a no brainer :) I've just (pre) ordered the CDs... The timing is perfect :)

>> I have heard reports that pf actually performs better on FreeBSD because some of the NIC drivers are better -- any truth in that?
>
> certainly not

I had my doubts ;) but the people who were looking after these particular firewalls were using this as an excuse for performance problems which may not even be related to the firewall.

On the monitoring front I have rediscovered symon which I installed when we first moved to pf years ago but which did not survive an OS upgrade some time in the past.

One more question: I take it that unintentionally 'dropped packets' will show up in the interface stats rather than in any pf counters (which is where I was looking for them)? So symon will show these.

Russell
Re: traffic shaping using pf
I take it from the silence that the answer is that pf lacks this functionality at the moment. Bother :)

What would the overhead be of setting up a queue for every source address (1024 of them) ? Will this impact performance?

R

Russell Fulton wrote:
> Thanks for your response Paul (and Andrew). I had read this doc and if this is straight forward then I am clearly missing something (it would not be the first time ;). I can't see how to get individual child queues, each of 128Kbps for each active IP address on the inside without defining them all in the pf.conf (in this case 1024 child queues). All the examples show static assignment of address blocks or ports to predefined queues.
>
> what we want to do is to allow throttled access to the Internet from our wireless network while allowing full speed access to the campus network. And we want the throttling to be on a per user basis not on an aggregate basis. ipfw does this by having a (src|dst)mask parameter which essentially creates a new queue for each unique value of the address mask.
Re: traffic shaping using pf
Thanks for your response Paul (and Andrew). I had read this doc and if this is straight forward then I am clearly missing something (it would not be the first time ;). I can't see how to get individual child queues, each of 128Kbps for each active IP address on the inside without defining them all in the pf.conf (in this case 1024 child queues). All the examples show static assignment of address blocks or ports to predefined queues.

what we want to do is to allow throttled access to the Internet from our wireless network while allowing full speed access to the campus network. And we want the throttling to be on a per user basis not on an aggregate basis. ipfw does this by having a (src|dst)mask parameter which essentially creates a new queue for each unique value of the address mask.

Cheers, Russell

Paul Matlock wrote:
> On Fri, 2007-31-08 at 13:17 +1200, Russell Fulton wrote:
>> Hi Folks
>>
>> We have a requirement where we want to limit each IP address to a set bandwidth. To be explicit we have a wireless network which is connected to our main network and the Internet through a firewall. We have things set up so that each user on the wireless network can send no more than 128Kb to the Internet while having unthrottled access to the campus network. Currently we are doing this with ipfw under freebsd and I would like to move this over to pf but I can't see any way of setting up dynamic queues.
>
> This should be rather trivial to do, check out the pf doc http://www.openbsd.org/faq/pf/queueing.html
>
> -Paul
traffic shaping using pf
Hi Folks We have a requirement where we want to limit each IP address to a set bandwidth. To be explicit we have a wireless network which is connected to our main network and the Internet through a firewall. We have things set up so that each user on the wireless network can send no more than 128Kb to the Internet while having unthrottled access to the campus network. Currently we are doing this with ipfw under freebsd and I would like to move this over to pf but I can't see any way of setting up dynamic queues. Am I missing something? Russell.
Bug in pf FAQ?
quoting http://www.openbsd.org/faq/pf/filter.html

> IP Options
>
> By default, PF blocks packets with IP options set. This can make the job more difficult for OS fingerprinting utilities like nmap. If you have an application that requires the passing of these packets, such as multicast or IGMP, you can use the allow-opts directive:
>
> pass in quick on fxp0 all allow-opts

Am I correct in thinking that this line effectively passes *all* traffic in on fxp0 with no more checking because of the 'quick' option?

One of our network folk was trying to get multicast working and found mention of 'allow-opts' as being necessary. Found this in the FAQ and naively cut and pasted it into our production rule set. A couple of hours later we found that we had half a dozen unpatched SQL servers on campus :(

Surely in the context of the FAQ this rule should not have quick so that subsequent block rules will take effect.

Please note I'm not blaming the FAQ for what happened to us. I'm perfectly clear that it is *our* responsibility to make sure we understand the consequences of the changes we make to our rule sets and that anyone who cuts and pastes stuff without being quite sure that they understand what they are doing deserves what they get :)

Sigh
Russell
Re: authpf with time limited access?
Vas Péter wrote:
> Hello, everyone!
>
> I have a question about authpf. At my workplace we want to provide a time limited WiFi-access to our customers for money. Authpf might be a good solution, but I didn't find any information in authpf man page, pf.conf and google, how to set up a time limited access with authpf. Is it possible to set up natively with some option, or hasn't authpf supported this function yet?

what exactly do you mean by time limited access? Limited by time of day, limit the length of sessions, or what?

If it is a time of day problem then you can use .nologin as Paul points out or fiddle authpf.allow and have the cron job kill any copies of authpf at the end of the time window. Whether or not the latter will work I don't know, it will depend on how authpf handles signals. Given that most OBSD programs go out of their way to handle signals in a sane manner the chances are that sending a HUP or an INT to pfauthd will cause it to shutdown cleanly removing the rules from the anchor as it does so. Suck and see.

If you want to limit the time of individual sessions you can use a similar approach of having a cron job that checks each session and kills any that are over their time.

Russell
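The second approach in the reply above (a cron job that checks each session and kills any that are over their time) as an added Python example; it is not code from the thread. It assumes ps(1) accepts the `etime` keyword (it does on FreeBSD; check that your OpenBSD ps(1) has it), that each session shows up as a process named `authpf`, and a two-hour limit. It sends SIGTERM; whether authpf then removes its rules from the anchor is exactly the signal-handling question the reply leaves open, so test that on your release before relying on it. The ps output in the test is constructed.

```python
"""Kill authpf sessions that have run longer than a limit (cron job)."""
import os
import signal
import subprocess

LIMIT = 2 * 3600                                   # assumed policy: 2 hours
PS_CMD = ["ps", "-axo", "pid,user,etime,comm"]     # assumes ps(1) has 'etime'
SESSION_COMM = "authpf"                            # process name of a session


def parse_etime(s):
    """ps etime is [[dd-]hh:]mm:ss; return seconds."""
    days = 0
    if "-" in s:
        d, s = s.split("-", 1)
        days = int(d)
    parts = [int(p) for p in s.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)           # pad missing hours (and days) with 0
    h, m, sec = parts
    return days * 86400 + h * 3600 + m * 60 + sec


def overdue_sessions(ps_output, limit=LIMIT, comm=SESSION_COMM):
    """Return [(pid, user, age_seconds)] for session processes older than limit."""
    found = []
    for line in ps_output.splitlines()[1:]:        # first line is the header
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        # a login shell is listed as '-authpf'; strip the marker before comparing
        if fields[3].strip().lstrip("-") != comm:
            continue
        pid, user, age = int(fields[0]), fields[1], parse_etime(fields[2])
        if age > limit:
            found.append((pid, user, age))
    return found


def main():
    out = subprocess.run(PS_CMD, check=True, capture_output=True, text=True).stdout
    for pid, user, age in overdue_sessions(out):
        print("terminating authpf session %d of %s after %ds" % (pid, user, age))
        os.kill(pid, signal.SIGTERM)


if __name__ == "__main__":
    main()
```

Run it from root's crontab every minute or so; the granularity of the limit is the cron interval. Because it keys on the process, a user who reconnects gets a fresh allowance, so a per-customer budget (rather than a per-session one) needs accounting outside this script.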
Re: odd things in pf drop logs...
Daniel Hartmeier wrote:
> I'm not sure. It looks like the only part of tcpdump that can potentially print the at-# part is print-atalk.c, pretty-printing AppleTalk packets.

Ah! it is possible that there are apple-talk packets out on the DMZ -- there should not be but I've just spoken to the Network folk and they admitted that it is possible...

> Can you make sure you get untruncated packets and print them with
>
> tcpdump -nvvvX -s 1600 -i pflog0 ...
>
> so we get a little more verbose output? Maybe try 'src net 130.216.0.0/16', in case this is an issue here.

H... what ever is kip?

14:57:35.469584 kip 73.61.65.185 > 100.20.84.69: at-#105 2 (ttl 126, id 22132, len 46)
14:57:35.469695 kip 157.83.218.108 > 103.144.153.93: at-#159 2 (ttl 126, id 22133, len 46)
14:57:35.469946 kip 85.201.20.82 > 73.101.163.27: at-#116 2 (ttl 126, id 22134, len 46)
14:57:39.524638 kip 129.167.100.163 > 74.225.191: at-#208 2 (ttl 126, id 22598, len 46)
14:58:52.925617 kip 253.21.66.19 > 78.108.120.140: at-#100 2 (ttl 126, id 25035, len 46)
14:58:53.927337 kip 41.123.131.187 > 77.232.89.31: at-#72 2 (ttl 126, id 25038, len 46)
14:58:53.927376 kip 4.113.163.218 > 71.118.37.164: at-#87 2 (ttl 126, id 25039, len 46)
14:58:53.927442 kip 208.31.23.9 > 68.242.77.169: at-#186 2 (ttl 126, id 25040, len 46)
14:58:53.927472 kip 172.173.155.213 > 64.127.248.149: at-#111 2 (ttl 126, id 25041, len 46)
14:58:58.032723 kip 120.195.219.92 > 67.251.196.97: at-#72 2 (ttl 126, id 25096, len 46)
14:58:59.034934 kip 246.185.50.183 > 85.67.177.5: at-#210 2 (ttl 126, id 25099, len 46)
14:58:59.035129 kip 34.215.165.215 > 86.199.142.235: at-#84 2 (ttl 126, id 25100, len 46)
14:58:59.035254 kip 94.101.246.155 > 82.74.194.192: at-#141 2 (ttl 126, id 25101, len 46)
14:58:59.035653 kip 138.11.174.232 > 81.206.14.187: at-#83 2 (ttl 126, id 25102, len 46)
14:59:03.086446 kip 167.1.223.59 > 91.80.250.54: at-#13 2 (ttl 126, id 25159, len 46)
odd things in pf drop logs...
Hi

I am writing a program to analyze the drop logs from our pf firewall. I read the logs from pflog0 with tcpdump. Currently I am only interested in outbound packets that are being dropped so I filter on src net local network. But I get a steady trickle of packets that are not from our network and which I can not identify after reading the tcpdump man page.

sudo tcpdump -ttn -i pflog0 src net 130.216 | grep -v '130.216'
1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
1132197414.953249 118.221.55.38 > 202.250.187.185: at-#8 2
1132197414.953356 10.111.197.35 > 206.119.250.10: at-#63 2
1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
1132197420.020168 243.11.220.239 > 199.109.236.92: at-#246 2
1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
1132197420.020466 91.215.220.115 > 192.100.78.192: at-#135 2
1132197420.020716 143.185.248.140 > 195.224.249.254: at-#150 2
1132197425.029290 202.227.188.37 > 157.143.187.152: at-#231 2
1132197426.033726 30.141.191.130 > 158.11.15.71: at-#202 2

There are two questions here: 1/ what are these 'packets' and 2/ why are they getting selected when the filter says src net 130.216?

Cheers and thanks, Russell
lots of state searches with little traffic ????
Hi Folks,

We have recently installed syweb to monitor our firewalls (we have two bridges in parallel between two core switches and an external switch). At the moment one is unplugged from its internal switch but is still connected to the second and both are running pfsync. Both machines are running 3.6.

core switch1 -- fw 1 -+ | | | | | external switch --- border router- | | | | core switch2 --/ -- fw 1 -+

So only FW1 is seeing any traffic. The graphs for the last 24H show a large spike in cpu usage for *both* machines from 3am to 6am. This corresponds with a large spike (to 60K/sec) in state searches on *both* machines. But there is no increase in the number of states being held and no obvious increase in dropped packets? Nor do the interface stats show any increase in packet/sec or bytes/sec.

So my question is: What event causes a state search without registering on the dropped packet count or the interface stats?

I have attached a graph from syweb for the last week which shows two incidents of this type.

Cheers and thanks, Russell
lots of state searches with little traffic ????
Hi Folks,

We have recently installed syweb to monitor our firewalls (we have two bridges in parallel between two core switches and an external switch). At the moment one is unplugged from its internal switch but is still connected to the second and both are running pfsync. Both machines are running 3.6.

core switch1 -- fw 1 -+ | | | | | external switch --- border router- | | | | core switch2 --/ -- fw 1 -+

So only FW1 is seeing any traffic. The graphs for the last 24H show a large spike in cpu usage for *both* machines from 3am to 6am. This corresponds with a large spike (to 60K/sec) in state searches on *both* machines. But there is no increase in the number of states being held and no obvious increase in dropped packets? Nor do the interface stats show any increase in packet/sec or bytes/sec.

So my question is: What event causes a state search without registering on the dropped packet count or the interface stats?

I have attached a graph from syweb for the last week which shows two incidents of this type. (hmmm... well I would if the mailing list would allow me ;) I'm resending sans attachment.

Cheers and thanks, Russell
pf firewall freezes (kernel panic)
Hi Folks,

We have been running these particular pf firewalls since Xmas 2004 without problem except for the last month. During the last month we have been experiencing repeated failures where the running firewall would freeze with a kernel panic and need to be rebooted. I am now using symon to monitor the machines and this shows no sudden increase in the state table or anything else untoward. This probably means that what ever happened happened so fast that it was all over before the reporting interval :(

The machine is currently on 3.6 with all patches applied. We will move on to 3.7 asap.

What I have just established is that the latest failure coincided with the start of an inbound scan (sample argus logs)

28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.39.121.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.58.204.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.39.122.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.58.204.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.58.205.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.58.114.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.58.114.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.66.65.1026   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.80.1026   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.125.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.126.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.66.65.1027   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.126.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.127.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.81.1027   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.67.4.1027    1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.67.20.1026   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.96.1026   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.67.20.1027   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.142.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.142.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.143.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.97.1026   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.156.1026  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.143.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.156.1027  1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.66.96.1027   1  0  522  0  TIM
28 Jul 05 17:05:07  udp  218.92.13.149.32987  ->  130.216.46.157.1026  1  0  522  0  TIM

Most of these packets should have been dropped by the firewall and should not have created state. I am about to examine the argus logs from around the time of the previous failures to see if this is just coincidence or not.

Any thought on what else we might do other than upgrade the OS (which we are doing)?

Russell
Re: Auto expiering tables
On Fri, 2005-06-10 at 08:44 +0200, Manon Goo wrote:
> Hello,
>
> I am redirecting all kinds of unwanted traffic to localhost:7 and loading the offending hosts into a table.
>
> pass in log quick inet proto tcp from ! <protected_nets> to 127.0.0.1 port = echo flags S/SA keep state (no-sync, source-track rule, max-src-conn 1, overload <bad_hosts> flush global)
>
> is there any way to expire hosts from <bad_hosts> after some time (3 hours) ?

you need to do it yourself. short script run from cron and a flat file with the addresses and the time they were added is all that's needed.

Russell
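The cron-plus-flat-file approach the reply recommends, as an added Python example (not code from the list). It assumes the table is called bad_hosts, as in the rule quoted above, a state file at /var/db/bad_hosts.ages (an assumed path), and that `pfctl -t <table> -T show` lists one address per line. Current pfctl(8) also has `-T expire <seconds>`, which deletes entries older than that outright; where your pfctl has it, a one-line cron entry replaces this script. The pfctl calls go through a small wrapper so the logic can be exercised without pf; the table contents in the test are constructed.

```python
"""Expire pf table entries after MAX_AGE using a flat file of (addr, added) pairs."""
import subprocess
import time

TABLE = "bad_hosts"                        # table named in the overload rule
STATE_FILE = "/var/db/bad_hosts.ages"      # assumed path; pick your own
MAX_AGE = 3 * 3600                         # three hours, as asked


def run_pfctl(args):
    """Run pfctl with the given arguments and return its stdout."""
    proc = subprocess.run(["pfctl"] + args, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def list_table(table, run=run_pfctl):
    """Addresses currently in the table ('pfctl -t T -T show', one per line)."""
    out = run(["-t", table, "-T", "show"])
    return {line.strip() for line in out.splitlines() if line.strip()}


def load_ages(text):
    """Parse the flat file: '<address> <epoch seconds>' per line."""
    ages = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            ages[parts[0]] = int(parts[1])
    return ages


def dump_ages(ages):
    return "".join("%s %d\n" % (addr, t) for addr, t in sorted(ages.items()))


def expire(table, ages, now, max_age=MAX_AGE, run=run_pfctl):
    """One cron pass. Returns (updated_ages, expired_addresses).
    - addresses in the table but not yet in the file are recorded as added now
    - addresses older than max_age are deleted from the table and the file
    - addresses no longer in the table (e.g. after a manual flush) are forgotten"""
    current = list_table(table, run)
    ages = {addr: t for addr, t in ages.items() if addr in current}
    for addr in current:
        ages.setdefault(addr, now)
    expired = sorted(addr for addr, t in ages.items() if now - t >= max_age)
    if expired:
        run(["-t", table, "-T", "delete"] + expired)
        for addr in expired:
            del ages[addr]
    return ages, expired


def main():
    try:
        with open(STATE_FILE) as f:
            ages = load_ages(f.read())
    except FileNotFoundError:
        ages = {}
    ages, expired = expire(TABLE, ages, int(time.time()))
    with open(STATE_FILE, "w") as f:
        f.write(dump_ages(ages))
    for addr in expired:
        print("expired", addr)


if __name__ == "__main__":
    main()
```

The recorded time is that of the first cron pass that saw the address, not of the overload event itself, so the effective lifetime is up to one cron interval longer than MAX_AGE; run it every few minutes. Note also that `flush global` in the rule kills the offender's states but leaves the table entry in place, which is exactly what this script removes later.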
sample NAT logs and analysis tools (OBSD- fp)
Hi Folks,

I am shortly going to have to set up NAT on our residences firewall and one of the things I am going to deal with is storage of NAT logs so we can trace nefarious traffic after the fact. I am still in the planning phase and I would be grateful if someone could forward me some sample NAT logs from pf so I can see what I am dealing with.

On a more general note, how do people deal with the problem of tracing traffic through NATted gateways? Are there any tools available?

One of the things that I am considering is to not bother with the NAT logs at all but instead run Argus (www.qosient.com) on the inside interface of the firewall.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: [unisog] sample NAT logs and analysis tools (OBSD- fp)
Thanks to all who responded. I had already figured out that the pf NAT logs were included in the general pflogs -- I should have made that clear, but thanks to those who pointed it out anyway!

On Thu, 2005-04-28 at 09:10 -0500, Chris Green wrote:
> > One of the things that I am considering is to not bother with the NAT logs at all but instead run Argus www.qosient.com on the inside interface of the firewall.
>
> That would be good enough for most cases. You might also have luck with pfflowd logging to a netflow collector. Please post what your eventual solution will be :)

I'll almost certainly go with Argus -- the alternatives are just too complicated, with the exception of pfflowd, which is an acceptable alternative. I have just ordered a new box with a big disk to handle the logs. I am also considering writing a cgi script that will provide a simple query interface (for those who live in fear of command lines :) to access the argus logs.

Cheers, Russell.
Re: questions about daniel hartmeier's pf.conf example ...
> Something that I notice is that daniel allows all outgoing TCP and UDP traffic regardless of where it is going.
>
> Question: Isn't this a bad thing? I would have thought it is best practice to only allow incoming and outgoing connections _explicitly_. With the reason being some OS upload information to base camp (redmond) for statistical analysis.

It's the old case of horses for courses. In this case it depends on which risks you are trying to mitigate and the cost of the various countermeasures that are available. If your primary concern is to protect a network from external attack and your users are likely to be using a wide variety of protocols outbound then Daniel's approach is eminently sensible. If you are protecting a bunch of servers on a DMZ which have very specific outbound requirements then your approach is the correct one.

In our case, where we have a network of 10,000 machines behind a pf firewall, we use both approaches. Some machines are blocked entirely from the Internet, a large group has inbound access blocked and free outbound access (except for a bunch of 'banned' ports, including 135-139 ;) and then there is a much smaller number of machines that have detailed rulesets that closely control what comes in and out from the address.

I note that Alex did not use the term best practice and this rant is not directed at him, although there is a hint of this sort of thinking in his question.

<rant>
Is anyone else as fed up with the term best practice as I am? It seems to me that the term is a consultant's shorthand for "I can't be bothered doing the analysis but this is what everyone else is doing so it must be OK". I keep getting asked if what we are doing is best practice and I have to keep responding "best practice for who?".
</rant>

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: performance: single ip in table Vs single ip
On Fri, 2005-04-22 at 10:21 -0400, Mike Frantzen wrote:
> > Simple question: which rule is evaluated faster?
> >
> >   table <ip0-2> const {192.168.0.2}
> >   pass in quick on $int_if from <ip0-2> to any
> >
> >   pass in quick on $int_if from 192.168.0.2 to any
>
> Daniel did some tests several years ago and the break even point was about six IPs in a table versus six individual rules. So your table rule will be 6x as slow.
>
> Unless you're running 10yr old hardware, your firewall is probably so overpowered that it doesn't matter.

That's the conclusion I have come to. I have entries for around 7500 IPs on our firewall and have tables for each proto/port pair. Data is stored in a database and the pf conf generated by a perl script. Even though it would be easy (half an hour's work including testing) to modify the script to emit individual rules for pairs with a low number of addresses, I have decided to keep it simple and have everything in tables. Since the firewall box idles at about 2% cpu the extra overhead is not an issue.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: Still no answer on my bridge question
Thanks Sean!

On Wed, 2005-04-06 at 19:36 -0700, Sean Kamath wrote:
> [In a message on Thu, 07 Apr 2005 12:58:22 +1200, Russell Fulton wrote:]
> > Hi, Earlier I posted a note here asking about the order of processing incoming packets on a bridge with pf. I would really like to know if there is something wrong with our set up or if this is expected behaviour.
> >
> > I am seeing packets being dropped by pf that should not traverse the bridge at all (i.e. packets between hosts that are on the same side of the bridge). After a little thought I came to the conclusion that this is quite plausible since the filtering is taking place on the interface closest to the affected hosts and the packets are hitting pf before they get to the bridging logic.
>
> What do you mean "packets being dropped by pf that should not traverse the bridge at all"? Some clarity would help here.

The addresses of the packets being dropped are both on the same side of the bridge and therefore the packets should not traverse the bridge.

  [ASCII diagram, flattened in the archive: host1 and host2 hang off the same side of the bridge; the rest of the network is on the other side]

I am seeing packets between host1 and host2 being dropped on the bridge; filtering is taking place on the interface closest to host1 and host2.

Russell
Re: Still no answer on my bridge question -- resolved
On Thu, 2005-04-07 at 12:58 +1200, Russell Fulton wrote:
> I am seeing packets being dropped by pf that should not traverse the bridge at all (i.e. packets between hosts that are on the same side of the bridge). After a little thought I came to the conclusion that this is quite plausible since the filtering is taking place on the interface closest to the affected hosts and the packets are hitting pf before they get to the bridging logic.

Thanks to those who clarified the way bridge and pf interact and to Camiel Dobbelaar who suggested some useful diagnostics in private email. I now know what is going on.

A while ago we were having some issues with our two pf/bridges interacting with our cisco switches; the network folk got these partly resolved by turning learning off on the bridges, so now they are simply flooding everything back and forth -- which is exactly what I had observed. Sigh...

Thanks again and apologies for bothering the list with something that should have been sorted out locally. Yet another illustration of the rule that one should post config files when asking questions. If I had done that I would have noticed that learning had been turned off and solved the problem then and there.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Still no answer on my bridge question
Hi,

Earlier I posted a note here asking about the order of processing incoming packets on a bridge with pf. I would really like to know if there is something wrong with our set up or if this is expected behaviour.

I am seeing packets being dropped by pf that should not traverse the bridge at all (i.e. packets between hosts that are on the same side of the bridge). After a little thought I came to the conclusion that this is quite plausible since the filtering is taking place on the interface closest to the affected hosts and the packets are hitting pf before they get to the bridging logic. I want to know if this conclusion is correct or whether I have a problem that should be investigated.

BTW I have also spent some time looking for docs that describe the exact order of processing of packets but could not find anything useful.

Russell.
pf and bridging
Hi,

We have pf running on a bridge. I am seeing packets being dropped by pf between two machines that are on the same side of the bridge. Am I correct in assuming that this is expected and that what is happening is that the packets hit pf before they get to the bridge, where they would be discarded anyway? I.e. the filtering takes place at the interface.

If I don't want to see this stuff in the log then I guess I should put another rule before my generic 'block log' to 'block quick' (with no log) for the addresses concerned.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
watching pflog
Hi,

I want to monitor the output from pflog in more or less real time. It isn't clear to me what is the best (read simplest ;) way to do this. What I really want is a version of tcpdump that will effectively do a tail -f on /var/log/pf. Ideally it would cope with logfile rollovers too.

Cheers, Russell
[Fwd: [unisog] High speed firewalls - Connections per second not bits per second]
Hmmm... what is the 'pf' response to this problem? I seem to remember that 3.6 has per IP limits that can be set that perhaps could mitigate this sort of problem. Keep the pf specific stuff on this list; I'll forward a summary to unisog.

Russell.

Forwarded Message
From: Mayne, Jim [EMAIL PROTECTED]
Reply-To: UNIversity Security Operations Group [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [unisog] High speed firewalls - Connections per second not bits per second
Date: Mon, 21 Feb 2005 10:40:28 -0600

Currently TCU is using a Checkpoint FW1 NG AI firewall running on a Nokia platform in front of our RESNET network. We have begun to see more and more problems with the firewall dropping packets when we get a rash of infected machines. Nokia is now telling us that without their IP2250 (Very expensive!) box they cannot handle over 1k connections per second when running FW1 (even with SecureXL and every other optimization they can think of). 1k cps is not much when you have even a few infected machines.

So my question is, do you all know of firewalls, stateful inspection and not just ACLs on routers, that can really handle large numbers of connections per second? I see a lot about bps but not too much about cps.

Thanks,
Jim

Jim Mayne
Network Security Engineer
Texas Christian University
[EMAIL PROTECTED]
(817) 257-6843

___
unisog mailing list
[EMAIL PROTECTED]
http://www.dshield.org/mailman/listinfo/unisog
Re: PF suddenly stops allowing certain connections through
On Fri, 2005-01-28 at 12:15 -0600, Lyle Worthington wrote:
> Where xx.xx.xx.xx/24 is our class C at our office. Now the problem we see is that all of a sudden ssh is no longer allowed through. There are no entries in the log about connections actually being blocked, but nothing gets through. From multiple IPs on our C block we can hit SMTP and HTTP, just not SSH. Does anyone have any ideas? Anywhere I can look? Need any more information?

Are you quite sure that it is a firewall problem? In my experience (and I have seen a few things like this) it is often something else that is failing and everyone automatically points to the firewall. I have seen exactly this problem and it turned out that the admin on the box had put up a cron job that changed the host.allow file so access was blocked over the weekend.

I would suggest that you sniff (tcpdump) the traffic on the inbound and outbound interfaces (or networks if you have monitoring points around the firewall) to establish if the traffic ever reaches the firewall and if it leaves it. This will tell you if the problem really is in the firewall.

Also I would upgrade to 3.6 stable; there have been a lot of bug fixes.

Russell
Re: Redundant Bridging Firewall
On Fri, 2005-01-21 at 12:48 -0800, Dylan Martin wrote:
> My redundant bridging firewall don't work no more with 3.6!
>
> As background, the bridge interfaces have 'learn' disabled. That means, they never cache information about which interface a packet came from. (The inactive bridge would think all external hosts were attached to the internal interface.)
>
> Internal Host A sends a packet for Internal Host B
> Switch receives packet and records which port Host A is connected to.
> Switch's mac address list doesn't contain Host B's Mac address
> Switch floods the packet out all its interfaces
> Packet arrives at Bridge
> Bridge doesn't know where Host B is, and because 'learn' is disabled, it also doesn't know where Host A is. It floods the same packet out all interfaces, including the one the packet came in on.
> Packet arrives at Switch
> Switch thinks Host A has moved to the port the Bridge is attached to and starts sending all packets intended for Host A to the Bridge instead.
>
> This continues until Host A sends out a packet that corrects the Switch's idea of where Host A is.

Ahh!! so that's what is going on! We just moved our (very similar set up) to 3.6 and had similar problems. Then the chief network guru went on holiday so we simply disabled one of the firewalls and waited until he gets back. We had not got to the stage of tracing individual packets through the network to figure out what was happening.

> If anyone has any ideas, please let me know.

Me too :)

Russell.
RE: OFF Topic Might not belong on the list PF and VPN to Cisco
On Thu, 2004-12-30 at 11:44 -0500, Elijah Savage wrote:
> Jason,
> Thank you for the reply but I do not think you understand the question. It is not OpenBSD vs Cisco as your reply states. I am looking for get started info on making Cisco talk to OpenBSD via IPSEC vpn tunnels. My OpenBSD firewall has been up and running sometime. I have the absolute OpenBSD book and it does not address IPSEC between OpenBSD and Cisco.

I think what Jason meant was that you need to post more details about exactly what you are wanting to do. E.g. "I have a cisco model xxx and I want to establish an IPSEC tunnel to my firewall running OBSD 3.6".

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
citrix though the firewall...
Hi Folks,

Has anyone written a helper application like ftpsesame that will allow citrix metaframe to work through a pf firewall? Citrix first talks on port 1494 and negotiates a high numbered port which the client then connects back to.

I am going to be encouraging users to move to RDP but I need a short term solution.

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: citrix though the firewall...
On Tue, 2004-11-23 at 02:31, Per-Olov Sjholm wrote:
> On Monday 22 November 2004 05.17, you wrote:
> > Hi Folks, has anyone written a helper application like ftpsesame that will allow citrix metaframe to work through a pf firewall? Citrix first talks on port 1494 and negotiates a high numbered port which the client then connects back to.
> >
> > I am going to be encouraging users to move to RDP but I need a short term solution.
>
> ??? Citrix does not work like active or passive ftp. It just talks from client to server on port 1494. Just accept port 1494 and use keep state... I use citrix myself. RDP works perfectly as well.

Hi Per-Olov,

I'm delighted to hear this. I found two different web articles that said that it used 1494 to negotiate a high numbered port for further communication (maybe these refer to older versions??). This is one circumstance where I am very happy to be proved wrong!

Cheers, Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: question on pf filtering
On Tue, 2004-11-02 at 13:37, Srikanth Sagiraju wrote:
> Hello guys,
> I am a newbie to packet filter (pf), so please forgive me if this is a stupid question or if I am asking this at the wrong place.
>
> I was looking at some of the sample pf rules given at: http://www.openbsd.org/faq/pf/queueing.html . On the same page in the second example (Ex2: Company network) there is a rule that accepts DNS (port 53) requests from 'wwwserv' to any on 'fxp1 inbound' as below:
>
>   # filter rules for fxp1 inbound
>   pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
>        keep state
>
> But 'fxp0' does NOT allow any new 'outbound' connections except from the 'int_net'. Would that mean that DNS packets are not allowed outside the firewall and the above rule was written in vain?? I am missing something here..

What you are missing is the keep state on the rule, which tells the firewall to remember when sessions are established and allow packets associated with those sessions to pass out.

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: Is having a GUI on an OpenBSD firewall a serious mistake?
On Sat, 2004-10-09 at 19:24, Siju George wrote:
> I've read some articles on hardening OpenBSD and also received suggestions. They tell me it is not a good Idea to install a GUI or compiler on an OpenBSD machine that acts as a firewall.

GUI applications (particularly web based ones, which are the easiest to write) tend to be complex and insecure; this is a good reason to keep them off the firewall itself. We have a home grown web based network management system which includes the ability to do most of the configuration necessary for pf in our environment. This app runs on another system and we use ssh to download pf.conf to the firewalls. This is a reasonable compromise.

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: ftp-proxy on a bridging firewall
On Tue, 2004-08-24 at 04:55, Paul Hodges wrote:
> My configuration is that I have a (four-legged) bridge, and the EXT interface was assigned an IP address which I can access from anywhere for managing the firewall. I am trying to set up the ftp-proxy.

My understanding is that you can not run ftp-proxy on a bridge; you must have IP addresses on all interfaces. The proxy breaks the bridge's transparency.

I am using ftpsesame on my bridge and it works just fine. I don't have the url to hand but there are references to it in the archive.

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
Re: question on fragment handling
On Sat, 2004-08-21 at 01:38, Mike Frantzen wrote:
> > * we are not using scrub rules.
> >
> > Does anyone have any ideas as to why these fragments are not being covered by the state mechanisms?
>
> because keep state doesn't track fragments. scrub does.

Yes, using scrub fixed the problem. Thanks!

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
question on fragment handling
Greetings All,

We are currently having problems with a vpn application. The app initially negotiates a successful handshake on udp port 500 and then switches to udp port 1 which presumably is the tunnel. The machine initiating the sessions is 130.216.97.234 which is located on our network and has outbound access on both udp 500 and 10; return traffic should be handled by the keep state option on the rule and in fact we do see bidirectional traffic on both ports (as observed by an independent application). However the incoming traffic is being fragmented and some of these fragments are being dropped:

  11:12:01.669842 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 56706:[EMAIL PROTECTED])
  11:12:01.669859 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56706:[EMAIL PROTECTED])
  11:12:01.824700 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 56892:[EMAIL PROTECTED])
  11:12:01.824717 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56892:[EMAIL PROTECTED])
  11:12:01.979229 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 57074:[EMAIL PROTECTED])
  11:12:01.979246 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 57074:[EMAIL PROTECTED])
  11:12:04.552666 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 59870:[EMAIL PROTECTED])
  11:12:04.552682 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 59870:[EMAIL PROTECTED])
  11:12:04.991560 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 60341:[EMAIL PROTECTED])
  11:12:04.991577 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 60341:[EMAIL PROTECTED])
  11:12:05.145053 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 60511:[EMAIL PROTECTED])
  11:12:05.145071 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 60511:[EMAIL PROTECTED])
  11:12:05.297440 rule 4/0(match): block in on bge1: 128.125.253.225.1 > 130.216.97.234.1: udp 1532 (frag 60663:[EMAIL PROTECTED])

Notes:
* rule 4 is the generic drop-everything-coming-in rule at the start of the rule set.
* we are not using scrub rules.

Does anyone have any ideas as to why these fragments are not being covered by the state mechanisms?

Rules:
  4) block in log on $ext_if all
     pass out quick on $ext_if from <external> to any keep state

30.216.97.234 is a member of table <external>

-- 
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
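A check for this situation, as an added example (not code from the post): run over tcpdump output from pflog in the format shown above, it tallies how many of the blocked entries are IP fragments per source/destination pair. Fragments after the first carry no port numbers, so no state entry can match them; a high fragment count under a "block in ... all" rule is the sign that reassembly (a scrub rule) is what is missing. The sample lines are constructed and use RFC 5737 addresses; the "(frag id:size@offset+)" form is the standard tcpdump fragment notation.

```shell
#!/bin/sh
# Added example, not from the list post: a check to run over pflog output
# (e.g. tcpdump -n -e -ttt -r /var/log/pflog, format as in the lines above)
# that tallies blocked IP fragments per source/destination pair. Blocked
# entries that are fragments are the ones "keep state" cannot match, which
# is what scrub reassembly addresses. Output per pair:
#   <src> <dst> <fragments> <datagrams>

blocked_fragments() {
    awk '
        /block in/ && match($0, /\(frag [0-9]+:/) {
            id = substr($0, RSTART + 6, RLENGTH - 7)       # the IP id
            for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            sub(/:$/, "", dst)
            # the first fragment shows host.port, later ones only host
            if (split(src, p, ".") == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            if (split(dst, p, ".") == 5) dst = p[1] "." p[2] "." p[3] "." p[4]
            pair = src " " dst
            frags[pair]++
            if (!((pair, id) in seen)) { seen[pair, id] = 1; dgrams[pair]++ }
        }
        END { for (k in frags) print k, frags[k], dgrams[k] }
    ' | sort
}

# Constructed sample: three fragmented UDP datagrams blocked for one pair,
# plus one unrelated non-fragment block line that must be ignored.
SAMPLE='11:12:01.669842 rule 4/0(match): block in on bge1: 192.0.2.5.500 > 198.51.100.7.500: udp 1532 (frag 56706:1480@0+)
11:12:01.669859 rule 4/0(match): block in on bge1: 192.0.2.5 > 198.51.100.7: (frag 56706:60@1480)
11:12:01.824700 rule 4/0(match): block in on bge1: 192.0.2.5.500 > 198.51.100.7.500: udp 1532 (frag 56892:1480@0+)
11:12:01.824717 rule 4/0(match): block in on bge1: 192.0.2.5 > 198.51.100.7: (frag 56892:60@1480)
11:12:01.979229 rule 4/0(match): block in on bge1: 192.0.2.5.500 > 198.51.100.7.500: udp 1532 (frag 57074:1480@0+)
11:12:01.979246 rule 4/0(match): block in on bge1: 192.0.2.5 > 198.51.100.7: (frag 57074:60@1480)
11:12:02.100000 rule 4/0(match): block in on bge1: 203.0.113.9.4444 > 198.51.100.7.22: S 1:1(0) win 65535'

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | blocked_fragments
fi
```

Datagrams are counted by IP id per pair, so the output distinguishes "a few large packets" from "many small ones"; either way, a pair that only ever appears as fragments in the block log is the case the thread's answer (scrub) resolves.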
Re: web interface?
On Tue, 2004-06-15 at 01:25, Petr Ruzicka wrote:
> No, you would be surprised.

no I wouldn't ;)

> I have spoken to a lot of IT managers, CSO etc. and they would choose former. No matter what I say, no matter what I do and use, lots of them will choose gui/html over ssh/vi... Some people just do like nice and colorful GUIs and prefer them to clean, simple and secure.

I think this is a case of horses for courses. A good firewall with a possibly less secure web based management platform is definitely better than no firewall at all and is arguably better than one with the simple interface if it means that it gets updated appropriately in a timely manner. There are many folk out there who have never worked at a command line at all (yet still call themselves IT professionals) -- come to think of it most of the people in our IT organisation have never used anything but a gui.

I think that the OBSD folk have it right: they concentrate on building the base system and on getting it Right. Others can then add bits on to better fit various niches in the 'market'.

I have modified our homegrown network management system (apache/perl/mysql) to manage our pf firewall. The system generates the pf.conf file which is then copied (via scp) to the firewall and the pfctl command done via ssh. The next step is to just do the table updates rather than load the whole ruleset every time. Someone has written a daemon to manage the rule changes on the firewall; we may well use that. And yes, that will introduce more possible weaknesses into the systems, but these risks are justifiable in our environment; in others they may well not be. Remember that security is not a one size fits all job.

We have entries for about 8,000 machines on our fw (thanks for the tables folks!!) and these are updated by about 100 IT staff scattered over campus and there is no way we could do this with just ssh and vi!

It might interest folk to know that out of those 8000 systems only about 300 have any form of inbound access configured and the bulk of those are http, and this is the local SA's choice, not mine. There are several thousand other systems that have no access at all through the firewall.

Cheers, Russell
-- 
Russell Fulton, Computer and Network Security Officer. The University of Auckland, New Zealand.
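The push side of the "generate elsewhere, copy with scp, apply with pfctl over ssh" workflow described here and in the earlier post about tables per proto/port pair, as an added example (not the author's management system nor any pf project code): generated table files are validated before they leave the management host, tables are replaced in one step instead of reloading the ruleset, and a new pf.conf is parsed with pfctl -nf on the firewall before it is loaded. The remote paths and file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post or the author's management system:
# the push side of "generate pf.conf and tables elsewhere, copy with scp,
# apply with pfctl over ssh". Generated files are checked before anything
# reaches the firewall, and the ruleset is syntax-checked on the firewall
# with "pfctl -nf" before being loaded. Remote paths are assumed.

REMOTE_TABLE_DIR="${REMOTE_TABLE_DIR:-/etc/pf.tables}"   # assumed path
REMOTE_CONF="${REMOTE_CONF:-/etc/pf.conf}"

# valid_entry ENTRY: true if ENTRY is a dotted-quad IPv4 address or an
# IPv4 CIDR prefix, the only things the generated table files should contain.
valid_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# validate_table_file FILE: every non-blank, non-comment line must pass
# valid_entry; offenders are reported on stderr and the function fails.
validate_table_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! valid_entry "$line"; then
            printf 'invalid table entry: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# push_table TABLE FILE HOST: replace the table contents in one step rather
# than reloading the whole ruleset.
push_table() {
    validate_table_file "$2" || return 1
    scp -q "$2" "$3:$REMOTE_TABLE_DIR/$1" &&
    ssh "$3" "pfctl -t '$1' -T replace -f '$REMOTE_TABLE_DIR/$1'"
}

# push_ruleset FILE HOST: copy to a staging name, dry-run parse it, and only
# then move it into place and load it.
push_ruleset() {
    scp -q "$1" "$2:$REMOTE_CONF.new" &&
    ssh "$2" "pfctl -nf '$REMOTE_CONF.new' && mv '$REMOTE_CONF.new' '$REMOTE_CONF' && pfctl -f '$REMOTE_CONF'"
}
```

The entry check is deliberately strict (plain IPv4 and CIDR only): anything a web form lets 100 staff type into the database should fail here, on the management host, rather than be rejected by pfctl halfway through a table replace on the firewall.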
Re: Max table size and Composite Blocking List - 3.4 stable
On Sat, 2004-05-01 at 07:24, Greg McConkey wrote:
> compiled just fine. And works too. Tested on a PII 400MHz with 384mb of ram. It stops passing traffic for about a minute (64 seconds or so) when loading the table,

H... have you tried loading the table in smaller chunks over a period of, say, 5 minutes? That might allow the machine to cope gracefully with generating the table.

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
(ASCII Ribbon Campaign against HTML email)
pfstat queries
Hi,

Are there any docs that describe which numbers are which in the output from pfstat -q? I observe that most are zero and when I try and plot the byte counts etc. they come out as zeros. What do I have to do to get these stats?

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
synflood defenses
Hi All,

We have recently had a few outbound synfloods (from machines infected by one of the numerous 'bots'). An unfortunate side effect of this is that the state tables in pf eventually fill up and no legit new connections are accepted.

I currently have set optimization conservative and I am guessing that this is not helping. I have also looked at the synproxy state setting, but as I understand it this protects end hosts from synfloods and will have no effect on the state table usage.

I have lots of memory on the firewalls and one thing that has occurred to me is that I could set the state table size much higher and have a monitor that pages someone when it goes above some reasonable limit.

Another possibility is to tweak set timeout tcp.opening; what would be a reasonable value? -- the default seems to be 15 minutes. H... would be nice to have this setting depend on the number of current states -- i.e. we time out non established sessions more aggressively when the state table is nearly full. There does not seem to be any way of modifying the timeouts on the fly, i.e. with pfctl, so I can't do this from a script.

Any other suggestions? (Please tell me I've missed the obvious again ;) I really need that book! (yes it is on order and amazon say they have shipped it).

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
more questions on timeouts
quoting pf.conf(5):

  tcp.first    The state after the first packet.
  tcp.opening  The state before the destination host ever sends a packet.

I must be thick because I don't get the distinction between these two states. Does it work this way?

  src sends SYN       => tcp.first
  dst sends SYN+ACK   => tcp.opening
  src sends ACK+data  => tcp.established

which seems logical to me. If so then it is not clear from the manpage. I.e. which timeout should I tweak to protect against synfloods? An hour seems way too long to keep state for a SYN.

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
Re: Can't get bridges to failover
On Mon, 2004-03-29 at 07:59, Dan wrote:
> Normal STP should converge within 50 seconds.
> 2*forward time + max_age time = 15*2 + 20 = 50

Well it was, in fact, all working fine. I just thought I had problems. The ping stream from a machine that was attached to the same hub as the bridges stopped as soon as I dropped the active bridge and did not restart (I still don't know why) and I had not appreciated how long pfctl -si took before it reflected changes in the flow rates. When I first tried this yesterday after about three minutes with things apparently 'not working' I got cold feet and backed out.

Dan suggested that I watch the state transitions on the secondary bridge with brconfig and this morning it performed exactly as expected so we are now happily running on the backup.

Thanks very much to Dan!

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
Can't get bridges to failover
Hi

I have a couple of boxes running 3.4 acting as bridges in parallel. Now that I have the spanning tree stuff set up they coexist happily; however when I unplug the active bridge the load does not appear to fail over to the other one. Unfortunately I don't have a test setup so I am working on the live system with several 1000 users behind it and I am limited to one small test early in the morning each day. Sigh...

I have one question: how long should the bridges take to fail over, given that there are only two bridges in the network?

I have appended the output from brconfig bridge0 for both machines. Any indications of what is wrong? Should I set the priorities differently so we have a primary and a secondary?

on the active machine:

  bridge0: flags=3041<UP,RUNNING,LINK0,LINK1>
          Configuration:
                  priority 32768 hellotime 2 fwddelay 15 maxage 20
          Interfaces:
                  bge1 flags=f<LEARNING,DISCOVER,BLOCKNONIP,STP>
                          port 4 ifpriority 128 ifcost 55 forwarding
                  bge0 flags=f<LEARNING,DISCOVER,BLOCKNONIP,STP>
                          port 3 ifpriority 128 ifcost 55 forwarding
          Addresses (max cache: 200, timeout: 240):
                  08:00:20:bf:cc:30 bge0 0 flags=0
                  00:c0:f0:96:3c:16 bge1 1 flags=0
                  00:0e:38:d2:ca:c0 bge1 1 flags=0
                  00:09:6b:f1:e0:d6 bge0 1 flags=0
                  00:03:ba:23:dd:a1 bge0 1 flags=0
                  00:00:0c:46:5c:d1 bge1 1 flags=0
                  00:09:6b:f1:e7:a2 bge0 1 flags=0
                  00:d0:b7:1e:c1:59 bge0 0 flags=0
                  00:c0:4f:7a:94:2a bge1 0 flags=0
                  00:09:11:fb:13:00 bge0 0 flags=0
                  00:07:e9:1f:db:04 bge0 0 flags=0
                  00:09:6b:f1:e7:6c bge0 1 flags=0
                  00:02:b3:32:72:72 bge0 1 flags=0
                  08:00:20:c7:e3:b7 bge0 0 flags=0
                  00:60:2f:a4:11:98 bge1 1 flags=0
                  00:0e:38:d2:ca:ef bge1 1 flags=0
                  00:80:5f:b6:61:70 bge0 0 flags=0
                  00:02:55:45:ad:ab bge0 0 flags=0
                  00:02:55:b7:e4:ff bge0 1 flags=0
                  00:e0:1e:8e:31:71 bge0 1 flags=0
                  00:01:e7:79:56:40 bge1 1 flags=0
                  00:0d:ed:b8:e1:6f bge0 1 flags=0
                  00:c0:f0:96:3c:24 bge1 1 flags=0
                  00:c0:f0:96:51:b6 bge1 1 flags=0

on the inactive machine:

  bridge0: flags=3041<UP,RUNNING,LINK0,LINK1>
          Configuration:
                  priority 32768 hellotime 2 fwddelay 15 maxage 20
          Interfaces:
                  bge1 flags=f<LEARNING,DISCOVER,BLOCKNONIP,STP>
                          port 4 ifpriority 128 ifcost 55 disabled
                  bge0 flags=f<LEARNING,DISCOVER,BLOCKNONIP,STP>
                          port 3 ifpriority 128 ifcost 55 forwarding
          Addresses (max cache: 200, timeout: 240):
                  00:02:55:45:ad:ab bge0 1 flags=0
                  00:09:6b:f1:e7:32 bge0 0 flags=0
                  00:00:e8:3b:7e:ed bge0 1 flags=0
                  00:e0:1e:8e:31:71 bge0 1 flags=0
                  00:09:6b:f1:e7:a2 bge0 1 flags=0
                  00:02:55:b7:10:c1 bge0 0 flags=0
                  00:03:ba:23:dd:a1 bge0 1 flags=0
                  00:c0:f0:96:3c:16 bge0 0 flags=0
                  08:00:20:c7:e3:b7 bge0 1 flags=0
                  00:07:e9:1f:db:04 bge0 1 flags=0
                  00:02:55:b7:4c:15 bge0 0 flags=0
                  00:02:b3:32:72:72 bge0 0 flags=0
                  00:0d:ed:b8:e1:6d bge0 1 flags=0
                  00:09:11:fb:13:00 bge0 1 flags=0
                  00:80:5f:b6:61:70 bge0 1 flags=0
                  00:02:55:b7:4a:03 bge0 0 flags=0
                  08:00:20:bf:cc:30 bge0 0 flags=0
                  00:10:c6:07:03:78 bge0 0 flags=0
                  00:00:0c:46:5c:d1 bge0 1 flags=0
                  00:d0:b7:1e:c1:59 bge0 0 flags=0
                  00:09:6b:f1:e0:d6 bge0 0 flags=0

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
Re: Building Firewalls... spring update
On Sat, 2004-03-27 at 23:05, Daniel Hartmeier wrote:
> Here's a picture for the collection from me (the boxes below the book are Soekris running 3.5 ;)

OK, I'll bite ;) what are Soekris? Small dedicated firewalls by any chance? The boxes don't look big enough to get a modern CPU plus heat sink in! I guess you must be using low power cpus designed for laptops.

And yes, I have a copy of Jacek's book on order. :)

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand
pf bridges in parallel
Hi All,

We have now been running with our pf perimeter firewall for 3 months. It is set up as a bridge. We have installed a second (more or less identical) system in parallel, but when we plug it in neither bridge passes traffic. I have been unable to find anything in the logs that indicates what is wrong.

On reading the brconfig man pages (again) I see the stp option and this is probably the cause of our 'problem'. What isn't clear to me is which interface I should specify in the stp option on each bridge?

              bge0          bge1
           +----+   FW 1   +----+
           |                    |
     ----+ hub                hub +----
           |                    |
           +----+   FW 2   +----+
              bge0          bge1
ftpsesame and pf.conf
Hi All,

I'm about to try out ftpsesame on our firewall. The system is set up as a bridge and I only filter on $ext_if. I intend running ftpsesame as

    ftpsesame -i $ext_if

excerpts from pf.conf:

    pass in quick on $int_if
    pass out quick on $int_if
    block in log on $ext_if all
    block return out log on $ext_if all

    # ftp rules
    anchor ftpsesame out on $ext_if
    pass in quick on $ext_if proto tcp from any to <ftpc_in> port=21 flags S/SA modulate state
    anchor ftpsesame in on $ext_if proto tcp from any to <ftpc_in>

I want ftpsesame to handle all outbound and inbound ftp traffic. Outbound we have other rules which control whether particular addresses have internet access or not; inbound we have a table ftpc_in which lists all addresses on campus that have inbound access on port 21.

Will this do what I want?
pfauth like system for modifying pf tables
Hi All,

In mid January I asked if anyone had written a daemon to allow one to modify pf tables from another system (eg an authentication system where people are logging in). Someone replied off list and now that I really need the information I can't find it. I've spent most of this afternoon searching my email archive, my browser bookmarks, googling and anything else I can think of. I have just admitted defeat and with humble apologies resend this request to the list.

One thing I did notice in this exercise is that the list archives on benzedrine.cx do not have static filenames, so google references to them often point to the wrong archive file -- very confusing until you realise what is happening. As far as I can see the current archive is mail1, the previous is mail2, etc., so all the file names change whenever a new file is created.
problem with ftp proxy rule
Hi All,

I am getting errors from a rule I copied from the ftp-proxy manpage to handle data connections:

    pass in quick on $ext_if inet proto tcp from any to $ext_if user proxy \
        keep state

the error I get is: rule expands to no valid combination.

I am unsure what this actually means. $ext_if is defined and used in many other rules. User proxy is defined. I am a little puzzled as to exactly how this rule works, particularly since $ext_if occurs on both sides of the rule. The box is currently configured as a bridge and I suspect that this may be the problem -- I'm aware that proxies break the bridge model.

Cheers and thanks, Russell.
set limit src-nodes
Hi All,

I am trying to diagnose a problem that *may* be related to our pf based firewall. About the time we implemented our new firewall people started to report problems with our CISCO based VPN where connections are dropped more or less randomly (often after more than an hour's connection). I have reviewed all the settings of the firewall that I believe to be relevant and checked the pf.log file to make certain that packets to/from the vpn concentrator are not being dropped.

While looking for possible things to tweak that might affect connections I found the 'set limit src-nodes' in the pf.conf man pages. Am I right in assuming that since I don't use any tag rules I can safely ignore this option?

The fw host machine is very lightly loaded (cpu in the order of 1%) and there is plenty of room in the state table (set at 50,000 -- I have never seen it over 35,000).

Any other suggestions of things that I could/should check?

Thanks, Russell.
What is the smallest sensible size for a table? and pfauth like system
Hi All,

I have just moved our Campus firewall over to PF (from TAMU's drawbridge if anyone is interested) and it is working just fine. I have been off this list for several months, but I have briefly checked the archives and could not find anything really relevant, so I am posting here.

First some background: We have around 10,000 machines on campus, most with static IP addresses. We have a database in which we store various network and host based information, including firewalling requirements for individual systems. About 7000 of these are allowed out to the Net. The vast bulk of these have standard access which allows full outbound access and no inbound. Around 300 systems offer various services to the net and require inbound entries.

I build the pf.conf file directly from the database and at the moment I put all 'standard' machines in a single table which is used by a single rule. Works brilliantly :)

To get the rest of the system going quickly I simply built up a table (using perl hashes) for each protocol/port/in|out combination and automatically generated the appropriate rules for them. This also works fine at the moment. There are some very small tables, in one case one with a single entry. Since the conf file is generated by a program it is trivial to change it so that for tables with fewer than n entries I simply generate multiple rules. One observation (confirmed by pftop) is that most of the small tables only handle small numbers of packets. This might not always be the case (eg if someone installs a video server running on some strange port and starts streaming udp packets...)

My question for the list is what is a sensible value for n?

At the moment I am regenerating the whole pf.conf file whenever there are changes in the database; I then use ssh to copy the file to the firewall and use pfctl -f to load it. As soon as I have some time I plan to just load the deltas using pfctl (or a custom C program using the ioctls) to update just the tables and rules that have changed. This would be easier, although probably not by much, if everything was table based.

We are also looking at moving many of our 'standard' machines to a dynamic table whereby they will have to log in to a 'service' which will open up their access through the firewall and inform our traffic meter which user is on the particular IP; this will pave the way for allowing increased usage of dynamic IP addresses. Rather like pfauth, but we will write a custom daemon to run on the firewall. Has anyone else done anything like this?

Cheers and thanks, Russell.
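As an added example (not the poster's Perl generator), this Python sketches the two mechanisms the post describes: grouping hosts per protocol/port/direction with a threshold n below which individual rules replace a table, and pushing only the membership delta of a loaded table with pfctl -t/-T instead of reloading the whole file. The host records, table names, $ext_if macro and rule shape are constructed assumptions.

```python
"""Generate pf.conf fragments from host records and compute table deltas.
Added example, not the original poster's Perl generator; host records, table
names, the $ext_if macro and rule shape are constructed assumptions."""
from collections import defaultdict

# Constructed sample of database records: (address, direction, proto, port).
HOSTS = [
    ("10.1.1.10", "in", "tcp", 80), ("10.1.1.11", "in", "tcp", 80),
    ("10.1.1.12", "in", "tcp", 80), ("10.1.1.13", "in", "tcp", 80),
    ("10.1.3.9", "in", "tcp", 25), ("10.1.4.1", "out", "tcp", 443),
    ("10.1.4.2", "out", "tcp", 443), ("10.1.4.3", "out", "tcp", 443),
]

def group_hosts(records):
    """Bucket addresses by (direction, proto, port), as the poster's hashes do."""
    groups = defaultdict(set)
    for addr, direction, proto, port in records:
        groups[(direction, proto, port)].add(addr)
    return groups

def rule(direction, proto, port, target, ext_if):
    """One rule on the bridge's external interface: inbound rules match the
    campus host as destination, outbound rules match it as source."""
    ends = f"from any to {target}" if direction == "in" else f"from {target} to any"
    return f"pass {direction} quick on {ext_if} proto {proto} {ends} port {port} keep state"

def generate_rules(records, ext_if="$ext_if", min_table=3):
    """Groups of at least min_table hosts get a table plus one rule; smaller
    groups get one rule per host and no table (the poster's threshold n)."""
    lines = []
    for (direction, proto, port), addrs in sorted(group_hosts(records).items()):
        if len(addrs) >= min_table:
            name = f"{proto}_{port}_{direction}"
            lines.append(f"table <{name}> {{ {', '.join(sorted(addrs))} }}")
            lines.append(rule(direction, proto, port, f"<{name}>", ext_if))
        else:
            for addr in sorted(addrs):
                lines.append(rule(direction, proto, port, addr, ext_if))
    return lines

def table_delta(name, old, new):
    """pfctl commands that move a loaded table from old to new membership
    without reloading the whole ruleset."""
    added, removed = sorted(set(new) - set(old)), sorted(set(old) - set(new))
    cmds = []
    if added:
        cmds.append(f"pfctl -t {name} -T add {' '.join(added)}")
    if removed:
        cmds.append(f"pfctl -t {name} -T delete {' '.join(removed)}")
    return cmds
```

Raising min_table turns every table into per-host rules, which is a quick way to measure the rule-count cost of a given n before settling on it.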