Re: dup-to work around
On Dec 6, 2006, at 4:45 PM, Camiel Dobbelaar wrote:

> On Wed, 6 Dec 2006, Bob DeBolt wrote:
>
>> I need to get all traffic dup-to'd over to a graphing box using only the firewall. Now, dup-to works fine for the traffic that passes through the firewall, but the blocked traffic doesn't get dup-to'd. Any suggestions to get blocked traffic dup-to'd / copied to the graph box? Have I overlooked something that may make this possible?
>
> Use a span port on the bridge? See brconfig(8).

Why not remove all your block rules and instead use route-to? So you block by routing the packet to the third interface. . .

Sean
Re: PF inadequacy: queue download
[In a message on 01 May 2006 01:51:35 PDT, [EMAIL PROTECTED] wrote:]

> This works adequately (How could it be better? Sounds like zealot speak to me.) if the box's only function is NAT, but if it also runs external services, queueing inbound traffic on the internal interface doesn't work, because external services get priority.

Is it a firewall or a dessert topping? Firewalls should firewall, not serve services. If you can't afford one box to firewall and another to provide services, well, you're in a fix. I got a Sun IPX I'll give you if you pay shipping (anything to end this topic) -- hardly sucks any juice, too.

I'm sure I'm part of a large majority of list members who would be thrilled to see this topic end. While there's no harm in asking for a feature expansion, and a discussion about the technical feasibility of it, when it devolves into accusations of zealot speak, it's time to move on.

Sean

PS You're all buying your CDs, right? Once I'm employed again, I will be.
Active FTP problem
Hi. I feel like this is a newbie question, but I just can't see it.

I'm setting up a PF F/W, and it only allows SSH in. That works. Passive FTP works outgoing, but not active. I have almost *EXACTLY* the same setup on another machine (or three, actually), and they all work. . .

When I initiate an active FTP 'ls' from a linux box behind this firewall (note it fails for active ftp from the firewall itself), here's what I get on the interface on the active return-path:

16:13:52.999528 the.ftp.server.ftp-data > the.ftp.client.51505: S 234239363:234239363(0) win 49640 <mss 1460,nop,nop,sackOK> (DF)
16:13:53.000131 the.ftp.client.51505 > the.ftp.server.ftp-data: S 1181053425:1181053425(0) ack 234239364 win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:13:53.039997 the.ftp.server.ftp-data > the.ftp.client.51505: . ack 1 win 49640 (DF)
16:13:53.118417 the.ftp.server.ftp-data > the.ftp.client.51505: P 1:1019(1018) ack 1 win 49640 (DF)
16:13:53.120570 the.ftp.server.ftp-data > the.ftp.client.51505: FP 1019:1529(510) ack 1 win 49640 (DF)
16:13:53.120895 the.ftp.client.51505 > the.ftp.server.ftp-data: . ack 1530 win 15992 (DF)

Everything looks like it SHOULD look (the data is in the packets), but nada. Any help? Am I missing something stupid? Should I be rdr'ing packets going out to the proxy (to catch the firewall's ftp?).

I have the following line in inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 49152 -M 51937

Here's my pf.conf file:

int_if=le0
ext_if=le1
table <NoRoute> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
int_net=192.168.22.0/24

scrub in all

rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if inet from $int_net to any -> ($ext_if:0)

block in quick on $ext_if from <NoRoute> to any
block out quick on $ext_if from any to <NoRoute>
block in on $ext_if all
block out on $ext_if all

pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
pass out quick on $ext_if inet proto gre to any keep state

my_svcs="{ ssh }"
my_block_return="{ ident }"
block return quick log on $ext_if inet proto tcp from any to ($ext_if) port $my_block_return label ident
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port $my_svcs flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 3 code 4 keep state
pass in quick on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
Re: ranges within a table ... is it possible ?
[In a message on Wed, 20 Apr 2005 17:12:52 +0200, Daniel Hartmeier wrote:]

> On Wed, Apr 20, 2005 at 09:56:48PM +0930, alex wilkinson wrote:
>
>> Is it possible to specify a range within a table? e.g.
>>
>> table <itunes> const { 8000 8999 }
>>
>> I get a syntax error for the aforementioned table, so can anyone suggest a method for what I'm trying to achieve?
>
> No. Tables contain only addresses (and netblocks of addresses), but not ports. You can use a macro like
>
> itunes="8000 >< 8999"
> pass inet proto tcp from any port { $itunes, 80 }

Just a comment that that should probably be 8000:8999. I got bit by this before as the >< is not inclusive of the boundary ports. . . ;-)

Sean
Re: Still no answer on my bridge question
[In a message on Thu, 07 Apr 2005 12:58:22 +1200, Russell Fulton wrote:]

> Hi, Earlier I posted a note here asking about the order of processing incoming packets on a bridge with pf. I would really like to know if there is something wrong with our set up or if this is expected behaviour.
>
> I am seeing packets being dropped by pf that should not traverse the bridge at all (i.e. packets between hosts that are on the same side of the bridge). After a little thought I came to the conclusion that this is quite plausible since the filtering is taking place on the interface closest to the affected hosts and the packets are hitting pf before they get to the bridging logic.

What do you mean, packets being dropped by pf that should not traverse the bridge at all? Some clarity would help here. Are you saying:

(host 1, host 2) (int_1 OBSD Box int_2) - (other hosts)

And that packets from host 1 to host 2 (and vice versa) are showing as being dropped on int_2? If so, outbound? By a block rule? Topology and a pf.conf file will get you more help. . .

> I want to know if this conclusion is correct or do I have a problem that should be investigated. BTW I have also spent some time looking for docs that describe the exact order of processing of packets but could not find anything useful.

Try the list archives. This came over the list on March 17:

http://mniam.net/pf/pf.png

Sean
Re: can you help me measuring traffic using OpenBSD's pf?
[In a message on Tue, 22 Mar 2005 22:52:58 +0100, Steven Schubiger wrote:]

> On 22 Mar, Eugene M. Minkovskii wrote:
>
>> I want to measure incoming traffic and outgoing traffic separately, regardless of which side initiated the traffic.
>
> # Excerpt from pf.conf, Options
>
> set loginterface
>   Enable collection of packet and byte count statistics for the given interface. These statistics can be viewed using
>
> # pfctl -s info

Huh. Didn't know about that. Any idea about the amount of overhead it would incur? Currently, I'm using a simple perl script that uses netstat -b output on the outward side interface. . .

Sean
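Added example, not from the thread: a POSIX sh snippet that pulls the per-interface byte counters maintained by "set loginterface" out of the text that "pfctl -s info" prints, so the in/out totals Eugene asked for can be sampled without a per-interface netstat script. The interface name, counter values and the helper names are constructed for this example; on a live box the sample string would be replaced by the real pfctl output.

```shell
#!/bin/sh
# SAMPLE_INFO is constructed text in the layout of "pfctl -s info" when
# "set loginterface" is active; the numbers are made up for the example.
# A real run would use:  pfctl -s info | pf_iface_bytes In
SAMPLE_INFO='Status: Enabled for 3 days 02:11:09              Debug: Urgent

Interface Stats for le1
  Bytes In                        1234567890
  Bytes Out                        987654321
  Packets In
    Passed                           1500000
    Blocked                            32000
  Packets Out
    Passed                           1400000
    Blocked                               12

State Table                          Total             Rate
  current entries                      512
  searches                         3000000          11.5/s'

# pf_iface_bytes DIRECTION   (DIRECTION is "In" or "Out")
# Reads pfctl -s info text on stdin and prints the byte counter for that
# direction; prints nothing when no loginterface is set (no Interface Stats
# block).  On releases that print IPv4 and IPv6 columns, $3 is the IPv4 one.
pf_iface_bytes() {
    awk -v dir="$1" '
        $1 == "Bytes" && $2 == dir { print $3; exit }
    '
}

# pf_iface_rate BYTES_BEFORE BYTES_AFTER INTERVAL_SECONDS
# Turns two samples of a counter into an average bytes/s figure.  A counter
# that went backwards (pfctl -F info, reboot) or a bad interval yields 0
# instead of a bogus negative rate.
pf_iface_rate() {
    before=$1; after=$2; secs=$3
    if [ "$after" -lt "$before" ] || [ "$secs" -le 0 ]; then
        echo 0
        return
    fi
    echo $(( (after - before) / secs ))
}

in_bytes=$(printf '%s\n' "$SAMPLE_INFO" | pf_iface_bytes In)
out_bytes=$(printf '%s\n' "$SAMPLE_INFO" | pf_iface_bytes Out)
printf 'in=%s out=%s\n' "$in_bytes" "$out_bytes"
```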
Re: PF, Bridge, and IP on bridged interface [more]
[In a message on Wed, 02 Mar 2005 05:34:20 GMT, [EMAIL PROTECTED] wrote:]

> In my case, I'm running a SS20 with le* interfaces, which means that all interfaces use the same ethernet address.

I'm curious, doesn't setting local-mac-address? to true work with LE's? Only HME's and newer? Actually, I guess only quad HME's and newer, according to:

http://www.barbary.com/cookbooks/macaddress.html

So, I guess that leaves the question, can one change the ethernet address of a NIC with ifconfig on OpenBSD? My 3.5 box doesn't seem to allow it. . .

Sean