Re: need help with pf configuration

2011-10-10 Thread Victor Sudakov
Matthew Seaman wrote:
  
 I need no details, just a general hint on how to set up such security
 levels, preferably independent of the actual IP addresses behind the
 interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead of :network.
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface
other than that which holds the route back to the packet's source
address.
   
   Excuse me, I do not see how this is relevant to my question (allowing
   traffic to be initiated from a more secure interface to a less secure
   interface and not vice versa).
  Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
  FreeBSD). There is no concept of security level at all, you must specify
  on each interface the traffic allowed (in input and output).
  
  My reply was about the use of the interface:network addresses.
 
 pf has the concept of packet tagging.  So you can write a small rule to
 tag traffic crossing eg. your set of internal interfaces and then write
 one ruleset to filter all that traffic identified by tag.
 
 Quoting pf.conf(5): "This can be used, for example, to provide trust
 between interfaces and to determine if packets have been processed by
 translation rules."

I guess the tagging feature can be useful. Thank you for the hint. If
I come up with a working ruleset, I'll post it here.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
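Added example, not a ruleset from anyone in the thread: one way to combine the two hints given above, Patrick's urpf-failed source check and Matthew's packet tags, into a pf.conf that reproduces the PIX security-level policy from the original question (inside1 and inside2 at 100, dmz at 50, outside at 0) without listing a single inside network. The interface names, the tag names and the choice of em3 as the outside interface are assumptions; the thread never names the outside interface.

```pf
# Interface names are assumptions; the thread never names the outside
# interface, so it is taken to be em3 here.
ext_if  = "em3"     # PIX "outside", security 0
inside1 = "em1"     # PIX "inside1", security 100
inside2 = "em2"     # PIX "inside2", security 100
dmz     = "em0"     # PIX "dmz",     security 50

set skip on lo0

# Default deny. pf takes the last matching rule, so the pass rules below
# override this for exactly the traffic they describe.
block log all

# Source check that needs no knowledge of the routed inside networks: a
# packet whose source address is not routed back via the interface it
# arrived on is dropped before anything is tagged.
block in log quick from urpf-failed to any

# Ingress: accept and mark every packet with the level of the interface it
# came in on. There is no "pass in" for $ext_if, so nothing can be
# initiated from the level-0 side.
pass in on { $inside1, $inside2 } tag SEC100 keep state
pass in on $dmz tag SEC50 keep state

# Egress: the tag set on ingress is still attached when the same packet is
# evaluated on its way out, so each egress interface only states which
# levels may reach it. Replies match the states and need no rules.
pass out on $ext_if tagged SEC100 keep state
pass out on $ext_if tagged SEC50  keep state
pass out on $dmz    tagged SEC100 keep state
pass out on { $inside1, $inside2 } tagged SEC100 keep state

# Traffic the firewall itself originates is not covered above and needs
# its own pass out rules.
```

Load it with pfctl -nvf to parse and print the expanded rules without activating them. Adding an interface at another level means one pass-in rule that tags it and one pass-out line on each lower-level interface it is allowed to reach, which is the scaling the original question asked for.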


Re: need help with pf configuration

2011-10-10 Thread Victor Sudakov
Nikos Vassiliadis wrote:
 
 I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
 interface. The traffic should be able to flow
 
 1) from inside1 to any (and back)
 2) from inside2 to any (and back)
 3) from dmz to outside only (and back).
 
 I need no details, just a general hint on how to set up such security
 levels, preferably independent of the actual IP addresses behind the
 interfaces (a :network macro is not always sufficient).
 
 You may use urpf-failed instead of :network.
 urpf-failed: Any source address that fails a unicast reverse path
 forwarding (URPF) check, i.e. packets coming in on an interface other
 than that which holds the route back to the packet's source address.
 
 Excuse me, I do not see how this is relevant to my question (allowing
 traffic to be initiated from a more secure interface to a less secure
 interface and not vice versa).
 
 
 What if you combine macros and lists?
 The ruleset below seems scalable to any number of interfaces.
 
 inside1 = em1
 inside2 = em2
 dmz = em0
 insides = { $inside1:network $inside2:network }

The problem is, there could be several routed networks behind the
inside interfaces. Not all inside networks are directly connected, and
the :network macro works only for directly connected interfaces,
right?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: need help with pf configuration

2011-10-10 Thread Patrick Lamaiziere
On Mon, 10 Oct 2011 14:10:53 +0700,
Victor Sudakov suda...@sibptus.tomsk.ru wrote:

 The problem is, there could be several routed networks behind the
 inside interfaces. Not all inside networks are directly connected, and
 the :network macro works only for directly connected interfaces,
 right?

Right, this is why I suggest urpf-failed instead.

Regards.


Re: need help with pf configuration

2011-10-09 Thread Patrick Lamaiziere
On Sun, 9 Oct 2011 12:15:54 +0700,
Victor Sudakov v...@mpeks.tomsk.su wrote:

 I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
 interface. The traffic should be able to flow
 
 1) from inside1 to any (and back)
 2) from inside2 to any (and back)
 3) from dmz to outside only (and back).
 
 I need no details, just a general hint on how to set up such security
 levels, preferably independent of the actual IP addresses behind the
 interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead of :network.
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.

Something like:
block in quick on $inside1 from urpf-failed to any
pass in quick on $inside1

I've not tested this.

Regards


Re: need help with pf configuration

2011-10-09 Thread Victor Sudakov
Patrick Lamaiziere wrote:
 
  I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
  interface. The traffic should be able to flow
  
  1) from inside1 to any (and back)
  2) from inside2 to any (and back)
  3) from dmz to outside only (and back).
  
  I need no details, just a general hint on how to set up such security
  levels, preferably independent of the actual IP addresses behind the
  interfaces (a :network macro is not always sufficient).
 
 You may use urpf-failed instead of :network.
 urpf-failed: Any source address that fails a unicast reverse path
 forwarding (URPF) check, i.e. packets coming in on an interface other
 than that which holds the route back to the packet's source address.

Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: need help with pf configuration

2011-10-09 Thread Patrick Lamaiziere
On Sun, 9 Oct 2011 14:39:10 +0700,
Victor Sudakov v...@mpeks.tomsk.su wrote:

   I need no details, just a general hint on how to set up such security
   levels, preferably independent of the actual IP addresses behind the
   interfaces (a :network macro is not always sufficient).
  
  You may use urpf-failed instead of :network.
  urpf-failed: Any source address that fails a unicast reverse path
  forwarding (URPF) check, i.e. packets coming in on an interface
  other than that which holds the route back to the packet's source
  address.
 
 Excuse me, I do not see how this is relevant to my question (allowing
 traffic to be initiated from a more secure interface to a less secure
 interface and not vice versa).

Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
FreeBSD). There is no concept of security level at all, you must specify
on each interface the traffic allowed (in input and output).

My reply was about the use of the interface:network addresses.

Regards.


Re: need help with pf configuration

2011-10-09 Thread Matthew Seaman
On 09/10/2011 10:31, Patrick Lamaiziere wrote:
 On Sun, 9 Oct 2011 14:39:10 +0700,
 Victor Sudakov v...@mpeks.tomsk.su wrote:
 
I need no details, just a general hint on how to set up such security
levels, preferably independent of the actual IP addresses behind the
interfaces (a :network macro is not always sufficient).
   
   You may use urpf-failed instead of :network.
   urpf-failed: Any source address that fails a unicast reverse path
   forwarding (URPF) check, i.e. packets coming in on an interface
   other than that which holds the route back to the packet's source
   address.
  
  Excuse me, I do not see how this is relevant to my question (allowing
  traffic to be initiated from a more secure interface to a less secure
  interface and not vice versa).
 Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
 FreeBSD). There is no concept of security level at all, you must specify
 on each interface the traffic allowed (in input and output).
 
 My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging.  So you can write a small rule to
tag traffic crossing eg. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5): "This can be used, for example, to provide trust
between interfaces and to determine if packets have been processed by
translation rules."

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: need help with pf configuration

2011-10-09 Thread Nikos Vassiliadis

On 10/9/2011 10:39 AM, Victor Sudakov wrote:

Patrick Lamaiziere wrote:



I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint on how to set up such security
levels, preferably independent of the actual IP addresses behind the
interfaces (a :network macro is not always sufficient).


You may use urpf-failed instead of :network.
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.


Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).



What if you combine macros and lists?
The ruleset below seems scalable to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = { $inside1:network $inside2:network }

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:
lab# pfctl -vf te
inside1 = em1
inside2 = em2
dmz = em0
insides = { em1:network em2:network }
pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
block drop in on em0 inet from any to 10.0.0.0/29
block drop in on em0 inet from any to 192.168.56.0/24

HTH, Nikos


Re: need help with pf configuration

2011-10-09 Thread Victor Sudakov
Patrick Lamaiziere wrote:
 
I need no details, just a general hint on how to set up such security
levels, preferably independent of the actual IP addresses behind the
interfaces (a :network macro is not always sufficient).
   
   You may use urpf-failed instead of :network.
   urpf-failed: Any source address that fails a unicast reverse path
   forwarding (URPF) check, i.e. packets coming in on an interface
   other than that which holds the route back to the packet's source
   address.
  
  Excuse me, I do not see how this is relevant to my question (allowing
  traffic to be initiated from a more secure interface to a less secure
  interface and not vice versa).
 
 Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
 FreeBSD). There is no concept of security level at all, you must specify
 on each interface the traffic allowed (in input and output).

Actually you can with ipfw. The following concise ruleset should do it:

check-state
permit ip from any to any recv INSIDE xmit DMZ keep-state
permit ip from any to any recv INSIDE xmit OUTSIDE keep-state
permit ip from any to any recv DMZ xmit OUTSIDE keep-state

 

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


need help with pf configuration

2011-10-08 Thread Victor Sudakov
Colleagues,

I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint on how to set up such security
levels, preferably independent of the actual IP addresses behind the
interfaces (a :network macro is not always sufficient). It would be
nice to find a configuration that would scale to any number of
interfaces with different security levels.

On a Cisco PIX I would configure

outside security0
inside1 security100
inside2 security100
dmz security50

and that's it, the PIX logic would do the rest.

Thank you very much in advance for any input.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Help with pf ruleset

2008-03-09 Thread erik Wilson
I'm pulling my hair out here. I've been working on this for days without
any success.

I've whittled the ruleset down to the barest possible rules and even that
doesn't work. I'm at my wits end. I would really appreciate it if someone
could show me where i'm being a complete and total moron.

Here's the situation. I have a somewhat unique environment. It consists of
2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which need
to be accessible from the internet, but not to each other). This runs in a
VMWare esx server, but that's not really important.

FreeBSD 7.0-RELEASE

em0 = lan (10.0.0.x)
em2 = WAN1 (y.y.y.y) (dhcp)
em3 = WAN2 (x.x.x.x) (static /28 subnet)

the default gateway is on nic2. nic3 will need to forward ip:port's to
various vlans. nic2 is used for all outbound lan traffic (internet). nic2
will need to failover to nic3 eventually, and nic3 will have to failover to
nic2 (for outbound, obviously no choice for inbound).

So here's the problem. I can't even get nic2 or nic3 to respond to a ping
request from outside my network when pf is enabled. I know the interfaces
are set up correct, as I can ping the default gateways of both interfaces.

Also, outbound NAT works perfectly on wan1.

Here's my ruleset.

lan_if=em0
wan1_if=em2
wan2_if=em3
set block-policy return
set skip on lo0
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
block in log
pass out log keep state
pass in log inet proto icmp all icmp-type echoreq keep state
pass in log quick on $lan_if

Looks simple enough, right? Why won't it work? All i want is to get a ping
from both of the firewalls WAN's from outside the network.

Any ideas?

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            y.y.y.129          UGS         0     4433    em2
10.0.0.0/24        link#1             UC          0        0    em0
10.0.0.1           00:0c:29:a9:e5:75  UHLW        1      338    em0   1177
10.0.0.2           00:0c:29:c0:74:57  UHLW        1     3291    em0   1041
10.0.0.10          00:19:db:b1:07:78  UHLW        1     4827    em0   1185
10.0.1.0/24        link#7             UC          0        0  vlan0
10.0.2.0/24        link#8             UC          0        0  vlan1
10.0.2.2           00:0c:29:e9:8c:d2  UHLW        1      251  vlan1   1190
10.0.3.0/24        link#9             UC          0        0  vlan2
10.0.3.2           00:50:56:9c:53:89  UHLW        1      420  vlan2   1152
10.0.4.0/24        link#10            UC          0        0  vlan3
10.0.5.0/24        link#11            UC          0        0  vlan4
127.0.0.1          127.0.0.1          UH          0        0    lo0
y.y.y.128/25       link#3             UC          0        0    em2
x.x.x.144/28       link#4             UC          0        0    em3
x.x.x.146          00:0c:29:b5:0e:bb  UHLW        1        6    lo0


Re: Help with pf ruleset

2008-03-09 Thread Josh Paetzel
On Sunday 09 March 2008 08:22:07 am erik Wilson wrote:
 I'm pulling my hair out here. I've been working on this for days without
 any success.

 I've whittled the ruleset down to the barest possible rules and even that
 doesn't work. I'm at my wits end. I would really appreciate it if someone
 could show me where i'm being a complete and total moron.

 Here's the situation. I have a somewhat unique environment. It consists of
 2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which need
 to be accessible from the internet, but not to each other). This runs in a
 VMWare esx server, but that's not really important.

 FreeBSD 7.0-RELEASE

 em0 = lan (10.0.0.x)
 em2 = WAN1 (y.y.y.y) (dhcp)
 em3 = WAN2 (x.x.x.x) (static /28 subnet)

 the default gateway is on nic2. nic3 will need to forward ip:port's to
 various vlans. nic2 is used for all outbound lan traffic (internet). nic2
 will need to failover to nic3 eventually, and nic3 will have to failover to
 nic2 (for outbound, obviously no choice for inbound).

 So here's the problem. I can't even get nic2 or nic3 to respond to a ping
 request from outside my network when pf is enabled. I know the interfaces
 are set up correct, as I can ping the default gateways of both interfaces.

 Also, outbound NAT works perfectly on wan1.

 Here's my ruleset.

 lan_if=em0
 wan1_if=em2
 wan2_if=em3
 set block-policy return
 set skip on lo0
 nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
 block in log
 pass out log keep state
 pass in log inet proto icmp all icmp-type echoreq keep state
 pass in log quick on $lan_if

 Looks simple enough, right? Why won't it work? All i want is to get a ping
 from both of the firewalls WAN's from outside the network.

 Any ideas?

 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            y.y.y.129          UGS         0     4433    em2
 10.0.0.0/24        link#1             UC          0        0    em0
 10.0.0.1           00:0c:29:a9:e5:75  UHLW        1      338    em0   1177
 10.0.0.2           00:0c:29:c0:74:57  UHLW        1     3291    em0   1041
 10.0.0.10          00:19:db:b1:07:78  UHLW        1     4827    em0   1185
 10.0.1.0/24        link#7             UC          0        0  vlan0
 10.0.2.0/24        link#8             UC          0        0  vlan1
 10.0.2.2           00:0c:29:e9:8c:d2  UHLW        1      251  vlan1   1190
 10.0.3.0/24        link#9             UC          0        0  vlan2
 10.0.3.2           00:50:56:9c:53:89  UHLW        1      420  vlan2   1152
 10.0.4.0/24        link#10            UC          0        0  vlan3
 10.0.5.0/24        link#11            UC          0        0  vlan4
 127.0.0.1          127.0.0.1          UH          0        0    lo0
 y.y.y.128/25       link#3             UC          0        0    em2
 x.x.x.144/28       link#4             UC          0        0    em3
 x.x.x.146          00:0c:29:b5:0e:bb  UHLW        1        6    lo0

The obfuscation is making it harder for my brain to deal with than it should 
be.  At any rate, em3 isn't going to work properly without a route-to rule to 
get it to answer back to pings out the proper gateway.  I'm not entirely sure 
why you can't ping the IP on em2, could you provide the output of tcpdump -i 
em2 while you ping it?

Also, what did you do with em1? :)

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB




Re: Help with pf ruleset

2008-03-09 Thread Erik Norgaard

erik Wilson wrote:

I'm pulling my hair out here. I've been working on this for days without
any success.

I've whittled the ruleset down to the barest possible rules and even that
doesn't work. I'm at my wits end. I would really appreciate it if someone
could show me where i'm being a complete and total moron.

Here's the situation. I have a somewhat unique environment. It consists of
2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which need
to be accessible from the internet, but not to each other). This runs in a
VMWare esx server, but that's not really important.

FreeBSD 7.0-RELEASE

em0 = lan (10.0.0.x)
em2 = WAN1 (y.y.y.y) (dhcp)
em3 = WAN2 (x.x.x.x) (static /28 subnet)

the default gateway is on nic2. nic3 will need to forward ip:port's to
various vlans. nic2 is used for all outbound lan traffic (internet). nic2
will need to failover to nic3 eventually, and nic3 will have to failover to
nic2 (for outbound, obviously no choice for inbound).

So here's the problem. I can't even get nic2 or nic3 to respond to a ping
request from outside my network when pf is enabled. I know the interfaces
are set up correct, as I can ping the default gateways of both interfaces.

Also, outbound NAT works perfectly on wan1.

Here's my ruleset.

lan_if=em0
wan1_if=em2
wan2_if=em3
set block-policy return
set skip on lo0
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
block in log
pass out log keep state
pass in log inet proto icmp all icmp-type echoreq keep state
pass in log quick on $lan_if

Looks simple enough, right? Why won't it work? All i want is to get a ping
from both of the firewalls WAN's from outside the network.

Any ideas?


How about the log?

I know you have cut away a lot of rules, but maybe that just makes 
things more confusing. Try to nest your rules in the following order:


direction -> interface -> protocol -> src net -> dst net -> port/type

You should need no out rules if you have in rules with keep state. 
At each branch level make a catchup rule at the end with default action 
and quick key word to make sure packets don't spill over and get 
matched by other rules.


Hopefully this will help you pin down where things go wrong.

Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818   http://www.locolomo.org


Re: Help with pf ruleset

2008-03-09 Thread Erik Wilson
On Sun, Mar 9, 2008 at 3:20 PM, Erik Norgaard [EMAIL PROTECTED] wrote:

  erik Wilson wrote:
  I'm pulling my hair out here. I've been working on this for days without
  any success.
 
  I've whittled the ruleset down to the barest possible rules and even
 that
  doesn't work. I'm at my wits end. I would really appreciate it if
 someone
  could show me where i'm being a complete and total moron.
 
  Here's the situation. I have a somewhat unique environment. It consists
 of
  2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which
 need
  to be accessible from the internet, but not to each other). This runs in
 a
  VMWare esx server, but that's not really important.
 
  FreeBSD 7.0-RELEASE
 
  em0 = lan (10.0.0.x)
  em2 = WAN1 (y.y.y.y) (dhcp)
  em3 = WAN2 (x.x.x.x) (static /28 subnet)
 
  the default gateway is on nic2. nic3 will need to forward ip:port's to
  various vlans. nic2 is used for all outbound lan traffic (internet).
 nic2
  will need to failover to nic3 eventually, and nic3 will have to failover
 to
  nic2 (for outbound, obviously no choice for inbound).
 
  So here's the problem. I can't even get nic2 or nic3 to respond to a
 ping
  request from outside my network when pf is enabled. I know the
 interfaces
  are set up correct, as I can ping the default gateways of both
 interfaces.
 
  Also, outbound NAT works perfectly on wan1.
 
  Here's my ruleset.
 
  lan_if=em0
  wan1_if=em2
  wan2_if=em3
  set block-policy return
  set skip on lo0
  nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
  block in log
  pass out log keep state
  pass in log inet proto icmp all icmp-type echoreq keep state
  pass in log quick on $lan_if
 
  Looks simple enough, right? Why won't it work? All i want is to get a
 ping
  from both of the firewalls WAN's from outside the network.
 
  Any ideas?

 How about the log?


I'll post some log info as soon as I can bring down the network again to do
some testing.


 I know you have cut away a lot of rules, but maybe that just makes
 things more confusing. Try to nest your rules in the following order:

 direction -> interface -> protocol -> src net -> dst net -> port/type

 You should need no out rules if you have in rules with keep state.
 At each branch level make a catchup rule at the end with default action
 and quick key word to make sure packets don't spill over and get
 matched by other rules.


Good advice, thanks.  I'm afraid I've tried so many different options and
variations to get this to work that it's not as pretty as it should be.  I
got some of these rules from various examples posted on the web, and tweaked
them into unrecognizability ;)  Do you think that Josh is right about
needing a route-to rule for the second WAN interface?

Since you're handing out best practices ;)  Is it better to use a nat pass
or rdr pass rule than separate nat/rdr and pass statements?  Why?

I think my biggest frustration is not finding a single place that is
detailed enough about things.  I've read The Book of PF, the man pages, the
handbooks, etc.. they all give pieces of the puzzle.  Maybe once I master
this I'll work on a pf bible ;)


 Hopefully this will help you pin down where things go wrong.

 Cheers, Erik


Cheers yourself Erik ;)


Re: Help with pf ruleset

2008-03-09 Thread Erik Norgaard

Erik Wilson wrote:

I know you have cut away a lot of rules, but maybe that just makes
things more confusing. Try to nest your rules in the following order:

direction -> interface -> protocol -> src net -> dst net -> port/type

You should need no out rules if you have in rules with keep state.
At each branch level make a catchup rule at the end with default action
and quick key word to make sure packets don't spill over and get
matched by other rules.

 
Good advice, thanks.  I'm afraid I've tried so many different options 
and variations to get this to work that it's not as pretty as it should 
be.  I got some of these rules from various examples posted on the web, 
and tweaked them into unrecognizability ;)  Do you think that Josh is 
right about needing a route-to rule for the second WAN interface?


It is absolutely possible that the problem is that the ping or response 
get sent the wrong way. Use snort to see what goes on. I did not analyze 
your setup to the point that I can tell you that.


Since you're handing out best practices ;)  Is it better to use a nat 
pass or rdr pass rule than separate nat/rdr and pass statements?  Why?


I prefer to separate things. I know the less lines you have, the less 
lines can contain an error. But on the other hand, the less lines you 
have the more obscure and difficult to debug they become.


It is very common that people believe they have errors in their filter 
rules when in fact it's nat rules that are wrong.


When you have both rdr, nat and binat be careful to understand which 
order they take effect. They are first match. But since rdr is done on 
the way IN while nat is done on the way OUT, an rdr rule can take effect 
before the intended nat rule despite it being after the nat rule.


So, to avoid such confusion, write first your rdr, then nat.

Also, use the log statement in your nat rules while debugging.

Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818   http://www.locolomo.org
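Added example, not erik's ruleset or anyone else's from the thread: a dual-WAN version of the posted configuration that applies the points raised in the replies, a reply-to rule so that traffic entering on the second WAN is answered through that WAN's own gateway rather than the default route on em2, rdr written before nat, and a quick catch-all at the end of each interface branch. The interface names follow the post; the gateway 203.0.113.145 and the use of 10.0.2.2 as the forwarded VLAN host are constructed values.

```pf
lan_if   = "em0"
wan1_if  = "em2"             # default route lives here (DHCP)
wan2_if  = "em3"             # static /28 with its own gateway
wan2_gw  = "203.0.113.145"   # constructed: the ISP gateway on the /28
vlan_web = "10.0.2.2"        # constructed choice of VLAN host to expose

set block-policy return
set skip on lo0

# Translation rules are evaluated before filter rules, first match wins.
# rdr acts on packets coming in, nat on packets going out; writing rdr
# first keeps the order on the page equal to the order of evaluation.
rdr on $wan2_if inet proto tcp from any to ($wan2_if) port 80 -> $vlan_web
nat on $wan1_if inet from $lan_if:network to any -> ($wan1_if)

# Logged default deny: tcpdump -n -e -ttt -i pflog0 then names the rule
# that dropped a packet.
block in log all

# Second WAN: replies to anything that entered here must leave through this
# WAN's gateway instead of the default route on $wan1_if. reply-to records
# that per state, which is the route-to rule Josh refers to. The pings are
# answered by the firewall itself, the web traffic goes to the rdr target.
pass in log quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto icmp from any to ($wan2_if) icmp-type echoreq keep state
pass in log quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp from any to $vlan_web port 80 flags S/SA keep state
# Branch catch-all: nothing else arriving on $wan2_if falls through to
# rules written for other interfaces.
block in log quick on $wan2_if

# First WAN holds the default route, so a plain stateful rule is enough.
pass in log quick on $wan1_if inet proto icmp from any to ($wan1_if) icmp-type echoreq keep state
block in log quick on $wan1_if

# The VLAN clients are reached only through rdr rules; with no "pass in"
# on the vlan interfaces, whatever they initiate towards each other or the
# LAN is dropped by the default rule, while replies match existing state.
pass in quick on $lan_if keep state
pass out keep state
```

Test the second WAN first with a ping from outside while tcpdump watches em3 and pflog0: the echo request should appear on em3 and, with the reply-to state in place, the reply should leave on em3 rather than em2. If the reply still goes out em2, the state was created by a rule without reply-to.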


Re: Need some help with PF rule letting two machines access each other

2006-06-09 Thread Erik Norgaard

Pat Maddox wrote:

12.34.56.78 runs a server on port 1234
87.65.43.21 should connect to this

Both of them have PF rulesets that block off most traffic, keeping
open the publically available ports I need open.  In this case though,
any traffic over this port should only be between these two machines.
I've tried to set this up, but I keep getting "operation not permitted",
"connection refused", and "connection reset by peer" errors.  Thanks for
any info.


It's quite difficult to tell which rule catches your packets without the 
ruleset. Try this:


1) Add log to all block rules
2) Check you have keep state in pass rules
3) Check you have quick in your pass rules

If you have a default block policy, then you should generally have quick 
in pass rules or you might have packets marked for passing being caught 
later by a block rule.


I generally prefer having the default policy at top without quick, and 
then set quick on rules taking an explicit action.


Cheers, Erik



Re: Need some help with PF rule letting two machines access each other

2006-06-09 Thread Pat Maddox

On 6/9/06, Erik Norgaard [EMAIL PROTECTED] wrote:

Pat Maddox wrote:
 12.34.56.78 runs a server on port 1234
 87.65.43.21 should connect to this

 Both of them have PF rulesets that block off most traffic, keeping
 open the publically available ports I need open.  In this case though,
 any traffic over this port should only be between these two machines.
 I've tried to set this up, but I keep getting "operation not permitted",
 "connection refused", and "connection reset by peer" errors.  Thanks for
 any info.

It's quite difficult to tell which rule catches your packets without the
ruleset. Try this:

1) Add log to all block rules
2) Check you have keep state in pass rules
3) Check you have quick in your pass rules

If you have a default block policy, then you should generally have quick
in pass rules or you might have packets marked for passing being caught
later by a block rule.

I generally prefer having the default policy at top without quick, and
then set quick on rules taking an explicit action.

Cheers, Erik




Okay, I got it working.  On the client, the rule is
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $SERVER port
7721 keep state

and on the server, it's just the opposite
pass in quick on $EXT_IF inet proto tcp from $CLIENT to $EXT_IF port
7721 keep state

The only difference between that rule and the one I had earlier
includes a flags S/SA directive on each.  Of course now I just tried
adding the flags and it works...I'm guessing because the state was
already made.

If I add flags S/SA is there any reason that'd cause problems.  It
seems to work fine right now, but didn't earlier - though perhaps I
had a typo or something.

Pat


Need some help with PF rule letting two machines access each other

2006-06-08 Thread Pat Maddox

12.34.56.78 runs a server on port 1234
87.65.43.21 should connect to this

Both of them have PF rulesets that block off most traffic, keeping
open the publically available ports I need open.  In this case though,
any traffic over this port should only be between these two machines.
I've tried to set this up, but I keep getting "operation not permitted",
"connection refused", and "connection reset by peer" errors.  Thanks for
any info.

Pat


Re: Need some help with PF rule letting two machines access each other

2006-06-08 Thread Mikhail Goriachev
Pat Maddox wrote:
 12.34.56.78 runs a server on port 1234
 87.65.43.21 should connect to this
 
 Both of them have PF rulesets that block off most traffic, keeping
 open the publically available ports I need open.  In this case though,
 any traffic over this port should only be between these two machines.
 I've tried to set this up, but I keep getting "operation not permitted",
 "connection refused", and "connection reset by peer" errors.  Thanks for
 any info.


Hi,

This'll do:

EIF=eif # external interface
HOSTA=12.34.56.78   # host A
HOSTB=87.65.43.21   # host B

# These lines go on host A
pass in  quick on $EIF from $HOSTB to $EIF port 1234
pass out quick on $EIF from $EIF to $HOSTB port 1234

# These lines go on host B
pass in  quick on $EIF from $HOSTA to $EIF port 1234
pass out quick on $EIF from $EIF to $HOSTA port 1234


Put those lines somewhere at the beginning of your pf.conf files. Also,
if I may add, this is very basic and you should consult/read/learn PF's
guide.


Cheers,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: http://www.webanoide.org

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B
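Added example, not Mikhail's or Pat's rules: the same two-host policy written with proto tcp, a SYN-only stateful rule and a logged default, so that each side needs exactly one rule for the service and the reverse direction is carried by state instead of a second rule. The addresses and the port are the ones from the question; the interface name fxp0 is an assumption.

```pf
ext_if = "fxp0"         # assumption: the public interface on both hosts
server = "12.34.56.78"
client = "87.65.43.21"
svc    = "1234"

set block-policy return
set skip on lo0

# Logged default deny. tcpdump -n -e -ttt -i pflog0 then shows which rule
# took a packet, which is the first thing to look at when the application
# only reports "operation not permitted" or "connection refused".
block log all

# --- on the server, 12.34.56.78: who may open the service ---
# flags S/SA creates state from the initial SYN only; every later segment
# of the session must match that state, and the replies going back out
# need no rule of their own.
pass in  quick on $ext_if inet proto tcp from $client to ($ext_if) port $svc flags S/SA keep state

# --- on the client, 87.65.43.21: where this host may open it ---
pass out quick on $ext_if inet proto tcp from ($ext_if) to $server port $svc flags S/SA keep state

# Whatever else each host needs (DNS, updates) gets its own pass rules;
# without them the default deny is what produces "operation not permitted"
# on outgoing connections and, with block-policy return, "connection
# refused" on the far side.
```

On flags S/SA: a state is created only by the initial SYN, so a connection that is already open when the rules are reloaded keeps matching its existing state, but a new one must start with a SYN; a rule without the flags would also create state from a mid-stream segment. Newer pf versions (OpenBSD 4.1 and the FreeBSD releases that imported it) apply flags S/SA and keep state to TCP pass rules by default, so writing them out changes nothing there and documents the intent.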


Re: help with pf

2005-04-04 Thread LukeD
On Sun, 3 Apr 2005, Brian John wrote:
altq on $ext_if priq
queue mail priority 13
queue ssh priority 12
queue web priority 14
I see one syntactical thing you missed.
You have to define your child queues in your altq declaration.  Something 
like:
altq on $ext_if priq queue {mail, ssh, web}

Also, after you get the syntax right, unless the maximum bandwidth of your 
outside line is the same as the maximum bandwidth of your network card 
(does this ever happen?) you're going to want to use the bandwidth 
keyword in that declaration also, and pick a proper value for it. Picking 
the right bandwidth value seems to be an art form that requires a lot of 
trial and error and liberal use of pfctl -vvs queue

If traffic shaping isn't working and your queues are always empty, then 
the number is too high.  If the queues are filling up and dropping too 
many packets, then either the number is too low or you're just generating 
more traffic than you can handle well.

Luke Dean


help with pf

2005-04-03 Thread Brian John
Hello,
I read the manpage on pf and constructed a basic set of rules and 
macros.  However, when I start pf it gives me errors about the syntax of 
my file.  Basically all I want to accomplish is I don't want my p2p 
programs to be able to hog the traffic away from me if I'm trying to 
surf.  When I'm not surfing I want them to be able to download as fast 
as possible.

Here is what I have added to pf.conf:
ext_if=vr0
further down
altq on $ext_if priq
queue mail priority 13
queue ssh priority 12
queue web priority 14
further down
pass in proto tcp from any to port http keep state queue web
pass in proto tcp from any to port ssh keep state queue ssh
pass in proto tcp from any to port {smtp imap} queue mail
Does anyone know what I might have done wrong?  I thought that I had it 
correct based on the manpage.  I'm sure it's something really stupid 
that I missed.

Thanks in advance for the help
/Brian


RE: help with pf

2005-04-03 Thread Björn König

Brian John wrote:

   However, when I start pf it gives me errors 
 about the syntax of my file.

Read http://www.openbsd.org/faq/pf/queueing.html. There are
good examples.

Regards Björn

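Added example, not Brian's configuration: the queueing fragment with the corrections Luke describes, child queues declared on the altq line and a bandwidth value, plus a default queue, which pf also requires. The 800Kb bandwidth and the p2p port range are constructed values; vr0 is Brian's interface.

```pf
ext_if = "vr0"

# Root queue. bandwidth must be the real upstream capacity of the line,
# not the speed of the NIC; 800Kb is a constructed value. Child queues must
# be listed here before rules may reference them, and exactly one child
# needs the default flag, otherwise pfctl rejects the file.
altq on $ext_if priq bandwidth 800Kb queue { web, mail, ssh, std, p2p }
queue web  priority 14
queue mail priority 13
queue ssh  priority 12
queue std  priority 7 priq(default)
queue p2p  priority 1

# Queues shape packets leaving $ext_if. For a pass-in rule with keep state
# the queue assignment is stored in the state, so the replies that go back
# out are what gets prioritised; inbound bytes are already on the wire by
# the time pf sees them.
pass in on $ext_if inet proto tcp from any to ($ext_if) port http flags S/SA keep state queue web
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh  flags S/SA keep state queue ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port { smtp, imap } flags S/SA keep state queue mail

# Peer connections to the p2p client (port range is an assumption) get the
# lowest priority so their uploads yield to everything above. Traffic that
# no rule assigns ends up in the default queue, std.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 6881:6889 flags S/SA keep state queue p2p
```

pfctl -vvs queue, as Luke says, shows per-queue packet and drop counters and is the way to tune the bandwidth value. Only packets leaving vr0 are queued; downloads cannot be shaped on this interface except indirectly, through the ACKs that go back out, which is why a busy p2p download still competes with browsing on the inbound side.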