OpenBSD PF firewall and Cisco VPN client

2006-10-06 Thread Phusion
I am new to setting up VPNs. Is the following possible using OpenBSD pf for firewalling? The internal network is made up of Windows servers and workstations, and the external laptop/workstation is running Windows as well as having Cisco VPN client software. Would this external machine running Windows and the Cisco client be able to connect into the network remotely over the VPN through an OpenBSD based firewall? If this is possible I would appreciate if someone could point me in the right direction of where to read the appropriate documentation or guides. Thanks.

Phusion

Home Network Setup

2006-04-17 Thread Phusion
I have a cable connection at home and was wondering if the following
would work. If I put a Cisco 851 series router in front of a pair of
Soekris firewalls running OpenBSD using CARP and pfsync. So the Cisco
router would get a dynamic WAN IP and have a static LAN IP. The two
Soekris firewalls would sit behind it. Behind the redundant firewalls
would be the network. How could I get the computers behind the
firewall Internet access? Also would port forwarding work? The thing
is that I don't have a static IP address. Let me know.

Phusion


Cable modem and pfsync

2006-02-19 Thread Phusion
I was wondering if the following is possible. I get a dynamic IP
address through my cable modem. Can I set up firewall failover using
pfsync on OpenBSD with both OpenBSD firewalls having external
interfaces set to DHCP? If so, how can I go about doing this?

Phusion


CARP Failover

2005-03-03 Thread Phusion
Hi, I was wondering about CARP failover. For an example, say we have
two OpenBSD pf firewalls. When the main firewall fails for some
reason, how long of a delay is there before the backup firewall takes
over as the main firewall? Also, if I had a TCP connection running
(like connection to an FTP site) and the main firewall went down,
would I lose my connection? Keep in mind the network I have in mind is
a small corporate network (40-50 users). Let me know. Thanks.


Throughput on Soekris Net4801

2005-01-24 Thread Phusion
Hi, I've been wondering what the throughput on a single Soekris
Net4801 without VPN is. I would like to know for a 4801 running
OpenBSD that acts as a dedicated firewall with no services but SSH. I'm
interested in hearing what people have found. Please let me know.


Logging Question

2004-11-12 Thread Phusion
I have a question about logging certain packets. On my internal
network I allow the following traffic outbound: tcp
21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
can log all the blocked outbound traffic like to tcp and udp port
1214, 4662, and the rest. I'm having a problem because when I tried
AOL Instant Messenger, it should have been blocked, logged and not
been able to connect because it makes an outbound connection to tcp
port 5190 which isn't allowed, but it still works. This is what I have
right now in my config files.

/etc/inetd.conf
127.0.0.1:8021  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180

/etc/pf.conf
tcp_ports   = { 21, 22, 25, 53, 80, 110, 443, 5999 }

block in all
block out log all

# for FTP
pass in on $ext_if inet proto tcp from any to $ext_if \
port 55000 >< 57000 user proxy $tcpsrv_options $proto_options

# for FTP
pass out on $ext_if inet proto tcp from $ext_if to any \
port > 1023 $tcpsrv_options $proto_options

pass out on $ext_if inet proto tcp from $ext_if to any \
port $tcp_ports $tcpsrv_options $proto_options

Let me know how I can log the outbound traffic that is blocked. Thanks.
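Whatever the "block out log all" rule catches is written to pflog0 and read back with tcpdump, so the blocked outbound ports only become visible by going through that log. The script below is an added example, not part of the thread: it counts blocked outbound packets per destination port from tcpdump's pflog summary lines; the line layout is approximated from memory, the sample lines are constructed, fxp0 is the ext_if from the posted config, and 192.0.2.10 is an assumed external address.

```python
import re
from collections import Counter

# One summary line per logged packet, as printed by "tcpdump -n -e -ttt -r /var/log/pflog".
# Field layout approximated from memory; SAMPLE below is constructed for this
# example, not captured from the firewall in the thread.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)

# The outbound allow lists from the posted tcp_ports / udp_ports macros.
ALLOWED = {
    "tcp": {21, 22, 25, 53, 80, 110, 443, 5999},
    "udp": {53, 67, 123},
}

def parse_pflog_line(line):
    """Split one pflog summary line into fields; None if it isn't one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"], rec["dport"] = int(rec["rule"]), int(rec["dport"])
    # tcpdump prints TCP flags ("S", ".", "P") after the colon, "udp <len>" for UDP
    rec["proto"] = "udp" if rec["rest"].startswith("udp") else "tcp"
    return rec

def blocked_outbound(lines, ext_if="fxp0"):
    """Count packets blocked on the way out of ext_if per (proto, dst port)."""
    counts = Counter()
    for rec in map(parse_pflog_line, lines):
        if rec and (rec["action"], rec["dir"], rec["ifname"]) == ("block", "out", ext_if):
            counts[(rec["proto"], rec["dport"])] += 1
    return counts

def unlisted(counts, allowed=ALLOWED):
    """Blocked (proto, port) pairs that are not in the allow lists, busiest first."""
    return [k for k, _ in counts.most_common() if k[1] not in allowed[k[0]]]

SAMPLE = """\
Nov 12 10:31:13.501234 rule 6/(match) block out on fxp0: 192.0.2.10.3321 > 203.0.113.7.4662: S 1:1(0) win 65535
Nov 12 10:31:14.001234 rule 6/(match) block out on fxp0: 192.0.2.10.3322 > 203.0.113.7.4662: S 2:2(0) win 65535
Nov 12 10:31:15.101234 rule 6/(match) block out on fxp0: 192.0.2.10.2048 > 198.51.100.9.1214: udp 40
Nov 12 10:31:16.201234 rule 6/(match) block out on fxp0: 192.0.2.10.3323 > 198.51.100.9.1214: S 3:3(0) win 65535
Nov 12 10:31:17.301234 rule 13/(match) pass in on fxp0: 198.51.100.200.40123 > 192.0.2.10.22: S 4:4(0) win 5840
""".splitlines()
```

Because nat on $ext_if is applied before the filter rules, the source address in these lines is the translated one; to see which internal host originated a blocked connection, the logging rule has to sit on the internal interface instead.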


Re: AIM and packet filters (was Re: Logging Question)

2004-11-12 Thread Phusion
Actually, I was just using AOL Instant Messenger as an example.
Another example is that I might want to block and log cvsup (tcp 5999)
traffic from going outbound. If I don't have it in my allowed
tcp_ports it should be blocked and not allowed out. I tried to cvsup
out and it works (allowed out) and is not logged. Why is this? I would
like to know how to block and log outbound traffic to the ports that
are not specified in tcp_ports or udp_ports. Let me know how I can do
this. Thanks.


On Fri, 12 Nov 2004 11:41:10 -0600, Kevin [EMAIL PROTECTED] wrote:
 On Fri, 12 Nov 2004 10:31:13 -0600, Phusion [EMAIL PROTECTED] wrote:
   I'm having a problem because when I tried
  AOL Instant Messenger, it should have been blocked, logged and not
  been able to connect because it makes an outbound connection to tcp
  port 5190 which isn't allowed, but it still works.
 
 AOL Instant Messenger (AIM) is one of the most effective 'firewall
 evasive applications I have seen in my career.  The software can make
 it out through just about any packet filter and even most application
 proxy firewalls.   It is very difficult to block successfully.
 
 AIM will try to tunnel out via just about any TCP port you might have
 open for default route to the Internet, including FTP and SNTP.  AIM
 can also work via a HTTP proxy, though this may require manual
 configuration in the AIM client setup screen.
 
 While a strong deep-protocol-inspection product like the IntruShield
 *might* detect the protocol anomaly, the only effective way for a
 stateful packet inspection device to block AIM is to refuse ALL
 traffic towards the IP addresses which host the login.oscar.aol.com
 service (there are approximately fifty such servers under aol.com and
 icq.com).
 
 
 Kevin Kadow



Re: Logging Question

2004-11-12 Thread Phusion
Here is a copy of my current pf.conf ruleset. I would like to log two
different things. I would like to log external connections to tcp port
22 (SSH), and I would like to log the tcp/udp packets that are blocked
coming from the internal network going outbound (the connections going
outbound that aren't specified in tcp_ports or udp_ports, things on
unusual ports like if there is a virus or something trying to go
outbound).

-

##
# Macros
##
ext_if  = fxp0
int_if  = sis0
unfiltered  = { lo0, sis0 }
network = 10.10.0.0/16
nat_protocols   = { icmp, tcp, udp }
proto_options   = modulate state
tcpsrv_options  = flags S/SA
icmp_types  = { 8, 10, 13, 15, 17 }
tcp_services= { 22 }
tcp_ports   = { 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }
udp_ports   = { 53, 67, 123 }

##
# Tables
##
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
 255.255.255.255 }

##
# Options
##
set loginterface $ext_if
set limit { frags 500, states 1 }
set optimization aggressive
set block-policy drop

##
# Packet Normalization
##
scrub in  on $ext_if all
scrub out on $ext_if all random-id

##
# Packet Queueing
##

##
# Packet Redirection
##

# Rules for internal interfaces
##
no nat on $unfiltered inet proto $nat_protocols from any to any
no rdr on $unfiltered inet proto $nat_protocols from any to any

# Rules for external interface
# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from $network to any port 21 -> 127.0.0.1 port 8021

##
# Packet Filtering
##

# Rules for internal interfaces
##
# pass on unfiltered interfaces
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A

# block everything by default
block in all
block out log all

# Rules for external interface
##
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any

# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any

# ICMP
# internal hosts can send icmp queries and accept echo replies to
# external hosts 
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type $icmp_types $proto_options

# UDP
pass out on $ext_if inet proto udp from $ext_if to any \
port $udp_ports $proto_options

# TCP
# log external connections to ssh 
pass in log on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services $tcpsrv_options $proto_options

# external FTP servers (on port 20) to respond to the proxy's
# active ftp requests
pass in on $ext_if inet proto tcp from any to $ext_if \
port 55000 >< 57000 user proxy $tcpsrv_options $proto_options

# allow firewall to contact ftp server on behalf of passive ftp
# clients on standard unprivileged port ( > 1024 )
pass out on $ext_if inet proto tcp from $ext_if to any \
port > 1023 $tcpsrv_options $proto_options

# allow these services outbound
pass out on $ext_if inet proto tcp from $ext_if to any \
port $tcp_ports $tcpsrv_options $proto_options 

-

Let me know how I can do what I want. Thanks for any help.

Phusion

On Fri, 12 Nov 2004 14:31:36 -0600, Kevin [EMAIL PROTECTED] wrote:
 On Fri, 12 Nov 2004 10:31:13 -0600, Phusion [EMAIL PROTECTED] wrote:
 
 
  I have a question about logging certain packets. On my internal
  network I allow the following traffic outbound: tcp
  21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
  can log all the blocked outbound traffic like to tcp and udp port
  1214, 4662, and the rest. I'm having a problem because when I tried
  AOL Instant Messenger, it should have been blocked, logged and not
  been able to connect because it makes an outbound

PF Ruleset Problem for Active/Passive FTP

2004-11-10 Thread Phusion
Hi, I've read http://www.openbsd.org/faq/pf/ftp.html about what to do
to allow ftp through the pf firewall, and have tried that but I still
am having problems. I would like to be able to have rules that support
both active and passive ftp. On my internal network there are
different operating systems with different ftp clients. By the way I'm
using OpenBSD 3.6 and my firewall provides NAT to the internal
network.

Here's what I have in my inetd.conf:

127.0.0.1:8021  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy -n

Here's some of what I have in my pf.conf:

ext_if  = fxp0
int_if  = sis0
network = 10.10.0.0/16
nat_protocols   = { icmp, tcp, udp }
proto_options   = modulate state
tcpsrv_options  = flags S/SA
tcp_ports   = { 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }

# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

pass in on $ext_if inet proto tcp from port 20 to $ext_if \
user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from $ext_if to any \
port $tcp_ports $tcpsrv_options $proto_options

How can I write rules that will support both active and passive ftp
that will allow my internal machines to connect to external ftp sites.
Let me know what is wrong with what I have. Thanks.

Phusion


IPv6 Rules

2004-09-14 Thread phusion
My OpenBSD kernel has only IPv4 in it. I was wondering, do I need to
have IPv6 rules since the kernel doesn't support it or can I keep it
as is with IPv4 rules? Also does this apply for ICMPv6? Let me know.
Thanks.


Problem logging packets to port 22

2004-07-19 Thread phusion
Hi, I've been having a problem logging port 22
traffic. Here is some of my pf.conf file. Let me know
what you think. Thanks.

##
# Packet Filtering
##

# Rules for internal interfaces
##
# pass on unfiltered interfaces
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A

# block everything by default
block
block return-rst  inet proto tcp
block return-icmp inet proto udp

# Rules for external interface
##
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any

# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any

# ICMP
# internal hosts can send icmp queries and accept echo replies to
# external hosts
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type $icmp_types $icmp_options

# UDP
pass out on $ext_if inet proto udp from any to any \
$udp_options
pass in  on $ext_if inet proto udp from any to $ext_if \
port $udp_services $udp_options

# TCP
pass in log on $ext_if inet proto tcp from any to $ext_if \
port 22 $tcp_options
pass out on $ext_if inet proto tcp from $ext_if to any \
$tcp_options
pass in  on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services $tcp_options






Re: Problem logging packets to port 22

2004-07-19 Thread phusion
I found out that the problem was that since I included
port 22 (in $tcp_services) in the last line of pf.conf
file, it took precedence over my previous port 22
rule, so it wouldn't log it. Thanks for the help
anyway.

--- Wouter Coene [EMAIL PROTECTED] wrote:
 phusion wrote:
  Hi, I've been having a problem logging port 22
  traffic. Here is some of my pf.conf file. Let me
 know
  what you think. Thanks.
 
 So what's the problem exactly? Or do you expect us
 to somehow 
 magically guess your problems?
 
  pass in log on $ext_if inet proto tcp from any to
 $ext_if \
  port 22 $tcp_options
  pass out on $ext_if inet proto tcp from $ext_if to
 any \
  $tcp_options
  pass in  on $ext_if inet proto tcp from any to
 $ext_if \
  port $tcp_services $tcp_options
 
 My guess is you forgot a quick keyword.
 
 Wouter
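Both this thread and the "Logging Question" thread above come down to pf's evaluation order: the last matching rule decides a packet unless a matching rule carries quick, which ends evaluation there. The model below is an added example, not part of either thread; the Rule and evaluate names are mine, and the port sets are the tcp_ports and tcp_services macros from the posted pf.conf, where tcp_ports already lists 5190 and 5999.

```python
# Toy model of how pf picks the rule that decides a packet: rules are tried
# top to bottom, the LAST matching rule wins, and a matching "quick" rule
# stops evaluation.  Only direction, proto, dst port and log are modelled.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    direction: str                           # "in" or "out"
    proto: Optional[str] = None              # None matches any protocol
    ports: Optional[FrozenSet[int]] = None   # destination ports, None = any
    log: bool = False
    quick: bool = False

    def matches(self, direction: str, proto: str, dport: int) -> bool:
        return (self.direction == direction
                and self.proto in (None, proto)
                and (self.ports is None or dport in self.ports))

def evaluate(rules, direction, proto, dport) -> Tuple[str, bool, int]:
    """Return (action, logged, rule index) of the rule that decides the packet."""
    decision = ("pass", False, -1)           # pf passes when no rule matches
    for i, r in enumerate(rules):
        if r.matches(direction, proto, dport):
            decision = (r.action, r.log, i)
            if r.quick:
                break
    return decision

# Macros copied from the posted pf.conf: tcp_ports already contains 5190
# (AIM) and 5999 (cvsup), tcp_services contains 22.
TCP_PORTS = frozenset({21, 22, 25, 53, 80, 110, 443, 5190, 5999})
TCP_SERVICES = frozenset({22})

# "Logging Question": "block out log all" followed by "pass out ... port $tcp_ports"
OUTBOUND = [
    Rule("block", "out", log=True),
    Rule("pass", "out", "tcp", TCP_PORTS),
]

# "Problem logging packets to port 22": the unlogged $tcp_services rule comes
# last, so it decides SSH unless the logging rule is made quick.
def ssh_rules(quick_log_rule: bool):
    return [
        Rule("block", "in"),
        Rule("pass", "in", "tcp", frozenset({22}), log=True, quick=quick_log_rule),
        Rule("pass", "in", "tcp", TCP_SERVICES),
    ]
```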
 



