Problem logging in.
Hello,

A week ago my OpenBSD firewall started to show a very strange behaviour. I have the ssh daemon running and usually log in remotely to be able to administer the pf.conf file. But now I can't log in. OK, maybe I've just forgotten my password. I booted in single user mode and changed it, then booted normally but couldn't log in anyway. I booted in single user mode again, changed it to another password, changed to another user (using su) and then changed user to root again (again using su). I was prompted for the password, entered it, and login was again rejected. When I tried to change the password it complained that something was wrong with a file called /etc/master.passwd. When looking at the file it contained parts of my pf.conf file.

Have I been hacked or is it just a major error done from my side? I understand that the information probably isn't enough, but if someone could guide me further I would be very happy.

regards
Jonas Lindskog
Routing problem?
Hello,

We are running OpenBSD 3.8 as a firewall/router. The router has two internal networks to handle: a DMZ with "real" IP addresses and a NAT network to which our workstations are connected. The problem I have is that it's not possible to connect to the server on the DMZ (IP 38.87.5.122, netmask 255.255.255.252) from the outside (but it is from the inside). I guess that I somehow have to make the external interface listen to the same address as the server (they are on the same net), but if I add an alias to the external interface it (of course) doesn't route packets to the DMZ. How do I make OpenBSD route packets to the server (and the DMZ subnet)?

Our ISP has given us a net that has the following data:

Net segment: 38.87.5.112 /28
net address: 38.87.5.112
gw address: 38.87.5.113
firewall: 38.87.5.114
free ip: 38.87.5.115-126
broadcast address: 38.87.5.127
netmask: 255.255.255.240

The server has the following interfaces configured:

### interfaces
#external interface
inet 38.87.5.114 255.255.255.240 NONE
#internal interface
inet 192.168.97.254 255.255.255.0 NONE
# dmz
inet 38.87.5.121 255.255.255.252 NONE

Thanks in advance
Jonas
[no subject]
Abraham Al-Saleh wrote:
>On 1/10/06, Jonas Lindskog <[EMAIL PROTECTED]> wrote:
>
>>Hello,
>>
>>We are using OpenBSD 3.8 as a firewall/router. We have two internal
>>nets; one with workstations (NAT) and one DMZ with a single server.
>>And thus we have three network interfaces installed in the router: one
>>for the NAT, one for the DMZ and one for the external net.
>>
>>Our ISP has given us a range of IP addresses (the ones below are
>>obfuscated ;)), which we can't change:
>>
>>Segment: 38.87.5.112 /28
>>net address: 38.87.5.112
>>gateway address: 38.87.5.113
>>firewall: 38.87.5.114
>>free static ip: 38.87.5.115-126
>>broadcast address: 38.87.5.127
>>netmask: 255.255.255.240
>>
>>I have set up the DMZ with
>>net address 38.87.5.120
>>Gateway: 38.87.5.121
>>Server: 38.87.5.122
>>
>>netmask: 255.255.255.252
>>
>>To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.
>>
>>I have no trouble connecting to the server at 38.87.5.122 from the
>>internal net where NAT addresses are used, but for some reason
>>I can't connect to the server from the outside. I thought it was a
>>routing problem, but when I entered a port redirect from the gateway
>>(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server. I haven't got a
>>clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port
>>redirect)? Thanks in advance.
>>
>>/Jonas
>>
>
>It would help if you attached your pf.conf, and relevant configuration
>files (hostname.if, for example)
>

OK, finally :) This is how my pf.conf and interfaces look:

# 1. macros
if_ext="fxp0"
if_int="bce0"
if_dmz="re0"
if_lo="lo0"
icmp_types = "echoreq"
dmz_servers = "{38.87.5.122}"
services = "{22, 8080, 8081}"
internal_services ="{2401}"
# (comma after 20.0.0.0/24 was missing in the posted list)
reserved= "{ 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
        169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
        224.0.0.0/3, 255.255.255.255}"

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)
# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
# Block everything
block all
# allow loopback (macro reference needs the leading $; the posted line had "on if_lo")
pass quick on $if_lo all
# Antispoof (note: $if_dmz is not listed here)
antispoof for { $if_lo, $if_ext, $if_int }
# Allow traffic in on our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state
# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state
# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any
# allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state
# Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
        user proxy flags S/SA keep state
# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
# (the posted rules had "port internal_services" without the $, which pfctl
# would treat as an unknown service name rather than the macro)
pass out on $if_dmz proto tcp from any to any port $internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port $internal_services keep state
#pf.conf ends here

### interfaces
hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE
# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE
# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE
Unable to reach server in dmz. Whats wrong?
Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal nets; one with workstations (NAT) and one DMZ with a single server. And thus we have three network interfaces installed in the router: one for the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are obfuscated ;)):

Segment: 38.87.5.112 /28
net address: 38.87.5.112
gateway address: 38.87.5.113
firewall: 38.87.5.114
free static ip: 38.87.5.115-126
broadcast address: 38.87.5.127
netmask: 255.255.255.240

I have set up the DMZ with

net address: 38.87.5.120
Gateway: 38.87.5.121
Server: 38.87.5.122
netmask: 255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the internal net where NAT addresses are used, but for some reason I can't connect to the server from the outside. I thought it was a routing problem, but when I entered a port redirect from the gateway (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the server. I haven't got a clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port redirect)? Thanks in advance.

/Jonas
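The addressing plan in this post (and in the pf.conf message above) can be checked mechanically. The script below is an added example, not part of the thread and not OpenBSD code: it takes the poster's (obfuscated) addresses and reports whether the DMZ /30 is a sub-range of the provider /28 that the upstream gateway treats as directly connected. When it is, the gateway resolves the DMZ server's address by ARP on the outside segment instead of forwarding to the firewall, which is the condition the script flags; it also checks that every address is a usable host of its prefix. It assumes Python 3.7 or later for ipaddress.subnet_of; the input values are the ones given on the page, and the function names are my own.

```python
"""Added example (not from the thread or OpenBSD): check whether a DMZ
prefix carved out of a provider-assigned block is reachable from the
upstream gateway without extra help.

Rule applied (plain IP routing): the upstream gateway treats its
connected prefix as on-link, so for any address inside it the gateway
sends an ARP request on that segment instead of forwarding to the
firewall. A host hidden behind the firewall on another interface is
then unreachable unless the firewall answers ARP for it or the
provider carries a route for the smaller prefix.
"""
import ipaddress

# Values as given on the page (the poster says they are obfuscated).
ISP_BLOCK = "38.87.5.112/28"
ISP_GATEWAY = "38.87.5.113"
FW_EXTERNAL = "38.87.5.114"      # firewall's fxp0 address
DMZ_NET = "38.87.5.120/30"
DMZ_GATEWAY = "38.87.5.121"      # firewall's re0 address
DMZ_HOSTS = ["38.87.5.122"]      # the DMZ server


def usable_hosts(prefix):
    """Host addresses of a prefix as strings, excluding network and broadcast."""
    return {str(h) for h in ipaddress.ip_network(prefix).hosts()}


def check_dmz_plan(isp_block, isp_gateway, fw_external, dmz_net, dmz_gateway, dmz_hosts):
    """Return a list of findings about the addressing plan (empty = no issue found)."""
    findings = []
    isp_net = ipaddress.ip_network(isp_block)
    dmz = ipaddress.ip_network(dmz_net)

    # Outside addresses must be usable hosts of the provider block.
    for name, addr in (("ISP gateway", isp_gateway), ("firewall external", fw_external)):
        if addr not in usable_hosts(isp_block):
            findings.append(f"{name} {addr} is not a usable host in {isp_block}")

    # DMZ gateway and servers must be usable hosts of the DMZ prefix
    # (a /30 leaves exactly two: here .121 and .122).
    for name, addr in [("DMZ gateway", dmz_gateway)] + [("DMZ host", h) for h in dmz_hosts]:
        if addr not in usable_hosts(dmz_net):
            findings.append(f"{name} {addr} is not a usable host in {dmz_net}")

    # The firewall's outside address must not sit inside the DMZ prefix,
    # or the same subnet would be configured on two interfaces.
    if ipaddress.ip_address(fw_external) in dmz:
        findings.append(f"firewall external {fw_external} lies inside DMZ prefix {dmz_net}")

    # The decisive check: if the DMZ prefix is a sub-range of the provider
    # block, the upstream gateway believes every DMZ address is on its own
    # segment and will ARP for it there instead of routing via the firewall.
    if dmz.subnet_of(isp_net):
        for h in dmz_hosts:
            findings.append(
                f"{h} lies inside {isp_block}, which gateway {isp_gateway} treats as "
                f"directly connected; it will ARP for {h} on the outside segment, so "
                f"{fw_external} must answer for it (proxy ARP) or the provider must "
                f"route {dmz_net} to {fw_external}"
            )
    return findings


if __name__ == "__main__":
    for line in check_dmz_plan(ISP_BLOCK, ISP_GATEWAY, FW_EXTERNAL,
                               DMZ_NET, DMZ_GATEWAY, DMZ_HOSTS) or ["no issues found"]:
        print(line)
```

With the page's values the script reports exactly one finding: 38.87.5.122 lies inside 38.87.5.112/28, so the upstream gateway will look for it on the outside segment. That is also consistent with the poster's observation that a port redirect to 38.87.5.114 works, since .114 is the one address on that segment the firewall does answer for. The two general remedies for the finding are to have the firewall publish ARP entries for the DMZ addresses on its external interface (OpenBSD's arp(8) does this with `arp -s address ether-address pub`) or to have the provider route 38.87.5.120/30 to 38.87.5.114; which of the two fits this installation is not settled in the thread.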