Re: PF and LDAP
30.07.09, 13:55, Marcello Cruz marcello.c...@globo.com:
> Dear all,
> Is there a way to use LDAP in a rule to allow or deny based on the user instead of the IP address? The idea is to permit the traffic from an inside user to access, for example, a VoIP resource on the Internet.

Based on user... I use for this a PPPoE server with a list of usernames/passwords/IP addresses. Users connect with their usernames to the PPPoE server, and PF controls traffic from the PPPoE IP addresses. You can write a script to synchronize users in LDAP with the /etc/ppp/ppp.secret file.

Example: allow access for user1 to web sites, and for user2 to mail servers.

/etc/ppp/ppp.secret:

    user1 pass1 192.168.100.1
    user2 pass2 192.168.100.2
    ..

/etc/pf.conf:

    # one table of PPPoE client addresses per access class, loaded from a file
    table <web-pppoe> file "/etc/pftables/int-web-pppoe"
    table <mail-pppoe> file "/etc/pftables/int-mail-pppoe"
    pass in log quick on tun inet proto tcp from <mail-pppoe> to any port = pop3
    pass in log quick on tun inet proto tcp from <mail-pppoe> to any port = smtp
    pass in log quick on $pppoe_if_grp inet proto tcp from <web-pppoe> to any port { www, https }
    ..

/etc/pftables/int-web-pppoe:

    192.168.100.1
    ..

/etc/pftables/int-mail-pppoe:

    192.168.100.2
    ..
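The synchronization script the reply suggests, as an added example that is not part of the original post. It does not talk to LDAP itself: the user records are a constructed stand-in for what a directory query would return, and the group-to-table mapping, the pool bounds (taken from the "set ifaddr" pool in the ppp.conf quoted later in this digest) and the output paths are assumptions. The point it adds is the validation a generator like this needs, because a duplicate or out-of-pool address silently maps one user's traffic onto another user's pf rules.

```python
"""Generate /etc/ppp/ppp.secret and per-class pf table files from directory records.

Added example, not code from the mailing-list post. The records in SAMPLE_USERS
stand in for an LDAP query result; a real deployment would fill them from
ldapsearch or an LDAP client library (assumption, not shown here).
"""
import ipaddress
import os
import tempfile

# Assumed PPPoE client pool (matches "set ifaddr 192.168.100.254 192.168.100.1-192.168.100.253").
POOL_FIRST = ipaddress.ip_address("192.168.100.1")
POOL_LAST = ipaddress.ip_address("192.168.100.253")

# Assumed mapping from directory group to pf table name; the table names are the post's.
GROUP_TABLES = {"web": "web-pppoe", "mail": "mail-pppoe"}

# Constructed sample records; "user1"/"user2" mirror the post, "user3" is in both classes.
SAMPLE_USERS = [
    {"uid": "user1", "userPassword": "pass1", "ip": "192.168.100.1", "groups": ["web"]},
    {"uid": "user2", "userPassword": "pass2", "ip": "192.168.100.2", "groups": ["mail"]},
    {"uid": "user3", "userPassword": "pass3", "ip": "192.168.100.3", "groups": ["web", "mail"]},
]


def validate(users):
    """Reject records that would break the user -> IP -> pf rule mapping."""
    seen = {}
    for u in users:
        name = u["uid"]
        if not name.isalnum():  # ppp.secret is whitespace separated; keep names simple
            raise ValueError(f"bad username {name!r}")
        if any(ch.isspace() for ch in u["userPassword"]):
            raise ValueError(f"password for {name} contains whitespace")
        ip = ipaddress.ip_address(u["ip"])
        if not (POOL_FIRST <= ip <= POOL_LAST):
            raise ValueError(f"{name}: {ip} is outside the PPPoE pool")
        if ip in seen:  # two users on one address would share each other's rules
            raise ValueError(f"{name}: {ip} already assigned to {seen[ip]}")
        seen[ip] = name
        for g in u["groups"]:
            if g not in GROUP_TABLES:
                raise ValueError(f"{name}: unknown group {g!r}")
    return True


def render_ppp_secret(users):
    """ppp.secret lines: 'user password ip', one per user."""
    validate(users)
    return "".join(f"{u['uid']} {u['userPassword']} {u['ip']}\n" for u in users)


def render_tables(users):
    """Map pf table name -> file body (one address per line)."""
    validate(users)
    tables = {t: [] for t in GROUP_TABLES.values()}
    for u in users:
        for g in u["groups"]:
            tables[GROUP_TABLES[g]].append(u["ip"])
    return {t: "".join(ip + "\n" for ip in ips) for t, ips in tables.items()}


def write_private(path, body, mode):
    """Write atomically with a fixed mode so a half-written file is never read."""
    d = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=d)
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w") as f:
            f.write(body)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def sync(users, secret_path="/etc/ppp/ppp.secret", table_dir="/etc/pftables"):
    """Write ppp.secret (root-only, it holds plaintext passwords) and the table files."""
    write_private(secret_path, render_ppp_secret(users), 0o600)
    for table, body in render_tables(users).items():
        write_private(os.path.join(table_dir, f"int-{table.replace('-pppoe', '')}-pppoe"), body, 0o644)


if __name__ == "__main__":
    print(render_ppp_secret(SAMPLE_USERS))
    for t, body in render_tables(SAMPLE_USERS).items():
        print(t + ":\n" + body)
```

After the files are rewritten the tables can be reloaded without touching the rest of the ruleset with `pfctl -t web-pppoe -T replace -f /etc/pftables/int-web-pppoe` (and likewise for mail-pppoe); ppp(8) rereads ppp.secret on each new connection, so existing sessions keep the address they were given until they reconnect.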
Re: ppp connection freezes
13.07.09, 15:32, Фролов Константин f-k...@yandex.ru:
> What can it be - a PPP bug?
>
>     set mtu max 1492
>     set mru max 1492

Solved by lowering MTU and MRU to 1452.
Re: pflow question/problem
03.07.09, 14:50, Joerg Goltermann j...@osn.de:
> Index: sbin/pfctl/pfctl_parser.c

After patch:

/etc/pf.conf:

    set timeout pflowexport 10

    # /flow-cat ft* | flow-export -f 2 > out.csv

out.csv:

    #:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
    1246955430,6359600,63745000,192.168.70.254,4,241,63655000,63655000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50659,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,5,288,63655000,63655000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50662,10050,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,4,243,63655000,63655000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50662,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,113,18378,57699000,4272321296,42,42,192.168.100.1,205.188.1.226,0.0.0.0,0,0,1273,5190,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,110,42627,57699000,4272321296,42,42,205.188.1.226,192.168.100.1,0.0.0.0,0,0,5190,1273,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,113,18378,57699000,4272321296,42,42,192.168.1.2,205.188.1.226,0.0.0.0,0,0,61158,5190,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,110,42627,57699000,4272321296,42,42,205.188.1.226,192.168.1.2,0.0.0.0,0,0,5190,61158,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,5,279,63658000,63665000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50677,10050,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,4,234,63658000,63665000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50677,6,0,0,0,0,0,0
    1246955440,6360600,63755000,192.168.70.254,5,290,6366,63665000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50679,10050,6,0,0,0,0,0,0

Lines 4-7: strange big 'last' values, and last first that is incorrect.
Re: Bug in pppoe ?
Solved by adding ECHO parameters to ppp.conf:

    enable lqr
    set lqrperiod 5
  + enable echo
  + set echoperiod 5

From man ppp:
> When this option is enabled, ppp will send LCP ECHO requests to the peer at the frequency defined by ``echoperiod''. Note: LQR requests will supersede LCP ECHO requests if enabled and negotiated.

I think that lqr does not supersede echo because it is not negotiated by Win XP and Vista, and the dead link is not eliminated by the lqr timeout.
Re: Bug in pppoe ?
03.07.09, 12:11, Gregory Edigarov g...@bestnet.kharkov.ua:
> sysctl net.inet.ip.forwarding ?

    net.inet.ip.forwarding=1
Re: Bug in pppoe ?
03.07.09, 16:00, Denis Doroshenko denis.doroshe...@gmail.com:
> how about tcpdumping at the time when the link becomes broken and re-establishment is unsuccessful? tcpdumping on ethernet, on the pppoe in question...

tcpdump shows nothing after the pppoe reconnection.

My IP - 192.168.70.44
My PPPoE IP - 192.168.100.35

tcpdump at the time of reconnection:

    # tcpdump -i vr0 host 192.168.70.44 and port ! 22
    tcpdump: listening on vr0, link-type EN10MB
    16:20:04.708536 oit-04.avangard.local > IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]
    16:20:04.730965 oit-04.avangard.local > IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]
    16:20:04.764234 arp who-has oit-04.avangard.local tell tserver.avangard.local
    16:20:05.671519 oit-04.avangard.local > IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]

    # tcpdump -i vr0 host 192.168.100.35
    tcpdump: listening on vr0, link-type EN10MB
    16:20:04.781524 tserver.avangard.local.ntp > 192.168.100.35.ntp: [len=68] v3 server strat 4 poll 10 prec -6

After reconnection I try to ping hosts, but tcpdump shows nothing.
Bug in pppoe ?
I have an OpenBSD-based pppoe server for a small LAN with 20-30 WinXP and Vista clients (based on user-level ppp).

After some time some random clients seem to be dead (XP and Vista). When I try to disconnect/reconnect a dead host to pppoe, the connection is established but I cannot ping hosts, the link is dead. When I try to connect with a different ppp username from the same computer, the connection is established and all is OK. I see in the firewall log the pass rule for this connection, but can't see any traffic.

Maybe somebody knows where the problem is? (The same pppoe server config with OpenBSD 4.3 works without problems.)

My config:

kernel 4.5 GENERIC + pflow patch from Joerg Goltermann

devices:

    /dev/tun0..tun100 (I make 100 tun devices with MAKEDEV)

/etc/ppp/ppp.secret:

    user1 pass1 192.168.100.1
    user2 pass2 192.168.100.2
    ..
    user30 pass30 192.168.100.30

/etc/ppp/ppp.conf:

    default:
     set log Phase Chat LCP IPCP CCP tun command
     set device /dev/cua01
     set speed 115200
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

    pppoe:
     set timeout 0
     set device "!/usr/sbin/pppoe -i vr0"
     set mtu max 1492
     set mru max 1492
     set speed sync
     disable acfcomp protocomp
     deny acfcomp
     enable chap
     set ifaddr
     set dns 192.168.70.250
     accept dns
     set ifaddr 192.168.100.254 192.168.100.1-192.168.100.253 255.255.255.255
     disable ipv6cp
     enable mssfixup
     enable lqr
     set lqrperiod 5

/etc/rc.local:

    /usr/sbin/pppoe -p pppoe -i vr0 -s
Re: pflow question - incorrect FIRST and LAST values ?
Hi,

16.06.09, 11:53, Joerg Goltermann go...@openbsd.org:
> pflow(4) is based on pf states, if a pflow tagged state expires, a flow is created. If you change the pf expire, you can configure the pflow expiring.
> I attached a new version, which should give more correct values for the last-time of a flow.
>
> - Joerg

Index: if_pflow.c === RCS file: /cvs/src/sys/net/if_pflow.c,v retrieving revision 1.10 diff -u -p -r1.10 if_pflow.c --- if_pflow.c27 Feb 2009 11:09:36 - 1.10 +++ if_pflow.c16 Jun 2009 07:13:32 - @@ -356,8 +356,12 @@ copy_flow_data(struct pflow_flow *flow1, flow1-flow_octets = htonl(st-bytes[0]); flow2-flow_octets = htonl(st-bytes[1]); - flow1-flow_start = flow2-flow_start = htonl(st-creation * 1000); - flow1-flow_finish = flow2-flow_finish = htonl(time_second * 1000); + flow1-flow_start = flow2-flow_start = + htonl((st-creation - (time_second - time_uptime)) * 1000); + flow1-flow_finish = flow2-flow_finish = + htonl((time_uptime - (st-rule.ptr-timeout[st-timeout] ? + st-rule.ptr-timeout[st-timeout] : + pf_default_rule.timeout[st-timeout])) * 1000); flow1-tcp_flags = flow2-tcp_flags = 0; flow1-protocol = flow2-protocol = sk-proto; flow1-tos = flow2-tos = st-rule.ptr-tos;

Thanks! I'll try it today.
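Review bot: the new flow_finish expression in the hunk, `htonl((time_uptime - (... timeout[st-timeout] ...)) * 1000)`, goes negative whenever the timeout for the state's current timeout class is longer than the host has been up, and htonl() of that negative int becomes a value just under 2^32; the CSV quoted later in this digest shows exactly that (last = 4272321296, i.e. -22646000 ms, with sysuptime 63755000 ms, so 63755 + 22646 = 86401 s, one second over the 24 h tcp.established default). Clamp the difference at zero before the multiply, or better, compute the finish from the state's own expiry time minus its timeout rather than from time_uptime at export, so the value does not depend on when the pflow packet happens to be built. A one-line comment that flow_start/flow_finish are now milliseconds of uptime (NetFlow v5 semantics) rather than the wall-clock seconds * 1000 the removed lines exported would also help the next reader.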
Re: pflow question - incorrect FIRST and LAST values ?
Hello.

13.06.09, 12:08, Joerg Goltermann go...@openbsd.org:
> are you sure both versions are captured at the same time?

Yes.

> pflow(4) uses the counters from pf. Can you reproduce the difference of 14?

Yes, see the attached files - I start softflowd and pflow capture at the same time, but get different results. This capture I made with your new patch.

    # date
    Mon Jun 15 11:02:40 MSD 2009
    # /usr/local/sbin/softflowd -n 127.0.0.1:1234 -i vic0
    # ifconfig pflow0 flowsrc 192.168.227.131 flowdst 127.0.0.1:4321
    # flow-capture -w /var/spool/netflow/softflowd -N 0 0/0/1234
    # flow-capture -w /var/spool/netflow/pflow -N 0 0/0/4321
    # lynx www.openbsd.org
    .. (wait for log rotation by flow-capture, 15 mins)
    # date
    Mon Jun 15 11:15:53 MSD 2009
    # flow-cat /var/spool/netflow/softflowd/ft* | flow-export -f 2 > softflowd.csv
    # flow-cat /var/spool/netflow/pflow/ft* | flow-export -f 2 > pflow.csv

Just one question: softflowd will expire flows after user-configurable periods. Can I configure the expire period for pflow?

[demime 1.01d removed an attachment of type application/octet-stream which had a name of pflow.csv]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of softflowd.csv]
Re: pflow question - incorrect FIRST and LAST values ?
09.06.09, 18:07, Stuart Henderson s...@spacehopper.org:
> The fix might be as simple as this, but it's totally untested, not even compiled.
>
> Index: if_pflow.c === RCS file: /cvs/src/sys/net/if_pflow.c,v retrieving revision 1.10 diff -u -p -r1.10 if_pflow.c --- if_pflow.c27 Feb 2009 11:09:36 - 1.10

No, your patch is not a solution. Look:

    TIME INTERVAL          FLOW EXPORT TIME
    |-----------|          |
    F           L          SU,US,UNS

    F-FIRST, L-LAST: SysUptime at start of the flow and at the time the last packet of the flow was received
    SU-SYSUPTIME from header: time in milliseconds since this device was first booted.
    US-Unix seconds from header: seconds since Coordinated Universal Time (UTC) 1970.

Time calculation formula (without nanoseconds):

    Date/time at start of the flow = US - (SU-F)/1000
    Date/time at end of the flow   = US - (SU-L)/1000

Example: flow collection begins with softflowd

    UNIX_SECS=1244458921   # 2009-06-08 15:02:01+04
    SYSUPTIME=363460
    FIRST=60073
    LAST=60090

    Date/time of first packet = US - (SU-F)/1000 = 1244458618 = 2009-06-08 14:56:58+04

All correct.

Example: flow collection with pflow before patch

    UNIX_SECS=1244351870   # 2009-06-07 09:17:50 +04
    SYSUPTIME=1119000      #
    FIRST=3106274456       # Why so huge ?
    LAST=3106291456        # ??

    Date/time of first packet = US - (SU-F)/1000 = 1244351870 - (-3105155) = 1247457025 = 2009-07-13 07:50:25+04

Incorrect. F and L time values must be less than UNIX_SECS.

Example: flow collection with pflow after patch

    UNIX_SECS=1213083472   # 2008-06-10 11:37:52+04
    SYSUPTIME=525000
    FIRST=1902158528       # Also huge.
    LAST=1902169528        # ??

    Date/time of first packet = US - (SU-F)/1000 = 1213083472 - (-1901633) = 2008-07-02 11:51:45+04

Incorrect. F and L time values must be less than UNIX_SECS.
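The formula above, applied to the flow-export CSV format quoted earlier in this digest, as an added example that is not code from the thread. It converts FIRST/LAST (router uptime in milliseconds when the flow was seen) into wall-clock time using SYSUPTIME/UNIX_SECS from the export header, and it also does the check the thread is circling around: a FIRST or LAST later than SYSUPTIME cannot be a real uptime, and reading the huge value as a signed 32-bit number recovers the negative result the exporter computed. The two CSV rows are constructed from the rows quoted earlier; the column names are flow-export's own.

```python
"""Decode NetFlow v5 FIRST/LAST into wall-clock time and sanity-check the records.

Added example, not code from the thread. start = US - (SU - F)/1000 and
end = US - (SU - L)/1000 are the formulas from the message above, computed in
integer milliseconds. Sample rows are constructed from the CSV quoted in the
"pflow question/problem" message (flow-export -f 2 column layout).
"""
import csv
import io

HEADER = ("unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,"
          "engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,"
          "dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as")

SAMPLE_CSV = HEADER + "\n" + "\n".join([
    # a plausible record: first == last == 90 s before export
    "1246955430,6359600,63745000,192.168.70.254,4,241,63655000,63655000,42,42,"
    "192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50659,6,0,0,0,0,0,0",
    # the broken record: 'last' is a negative value wrapped into 32 bits
    "1246955440,6360600,63755000,192.168.70.254,113,18378,57699000,4272321296,42,42,"
    "192.168.100.1,205.188.1.226,0.0.0.0,0,0,1273,5190,6,0,0,0,0,0,0",
])


def to_signed32(v):
    """Reinterpret an unsigned 32-bit field as the signed int the exporter computed."""
    return v - (1 << 32) if v >= (1 << 31) else v


def uptime_ms_to_epoch_ms(unix_secs, sysuptime_ms, uptime_ms):
    """Wall-clock time (ms since the epoch) of an event at router uptime uptime_ms.

    Same as US - (SU - F)/1000 from the message, kept in milliseconds.
    """
    return unix_secs * 1000 - (sysuptime_ms - uptime_ms)


def check_record(rec):
    """Return decoded times plus a list of consistency problems for one CSV row."""
    us, su = int(rec["unix_secs"]), int(rec["sysuptime"])
    first, last = int(rec["first"]), int(rec["last"])
    problems = []
    # FIRST/LAST are uptimes of packets already seen, so they cannot exceed uptime at export.
    if first > su:
        problems.append("first after export time")
    if last > su:
        problems.append("last after export time")
    sfirst, slast = to_signed32(first), to_signed32(last)
    if sfirst < 0 or slast < 0:
        problems.append("negative uptime (32-bit wrap)")
    start = uptime_ms_to_epoch_ms(us, su, sfirst)
    end = uptime_ms_to_epoch_ms(us, su, slast)
    if end < start:
        problems.append("end before start")
    return {
        "src": rec["srcaddr"],
        "dst": rec["dstaddr"],
        "start_ms": start,
        "end_ms": end,
        # how far before export the exporter claims the flow ended, in seconds
        "export_minus_last_s": (su - slast) // 1000,
        "problems": problems,
    }


def analyse(csv_text):
    """Run check_record over every row of a flow-export -f 2 CSV."""
    return [check_record(r) for r in csv.DictReader(io.StringIO(csv_text))]


if __name__ == "__main__":
    for r in analyse(SAMPLE_CSV):
        print(r)
```

The export_minus_last_s field is the useful diagnostic: for the sane row it is 90 s and for the wrapped row it is 86401 s, which line up with pf's default tcp.closed (90 s) and tcp.established (24 h) timeouts, consistent with an exporter that sets LAST to "uptime at export minus the state's timeout" and wraps when that goes negative on a host up for less than a day. Feeding the softflowd example from the message gives start = 1244458617613 ms, the 2009-06-08 14:56:58+04 value quoted above (rounded to seconds).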
Re: pflow question - incorrect FIRST and LAST values ?
The patch works, but I note some differences in the same traffic (see the attached files in my previous message):

1. softflowd captured 7 records, pflow at the same time captured 8
2. different quantity of octets in the reply from the openbsd.org webserver:
   pflow.csv, line #6: 7107 octets
   softflowd.csv, line #5: 7121 octets

I don't know what to use for traffic accounting - which values are right :))
pflow question - incorrect FIRST and LAST values ?
Hi all.

The FIRST and LAST fields of a flow should be the system uptime at reception of the first packet and at reception of the last. When I use the 'softflowd' software sensor all is OK (see below), but when I use the pflow interface I see huge values in the FIRST and LAST fields. Maybe somebody knows what these values mean?

2:56 PM, up 3 mins - flow collection begins with softflowd:

    UNIX_SECS=1244458921   # 2009-06-08 15:02:01 +04
    SYSUPTIME=363460       # 363460/1000/60 = 6 mins
    FIRST=60073            #
    LAST=60090             #

9:17 AM, up 18 mins - flow collection begins with pflow:

    UNIX_SECS=1244351870   # 2009-06-07 09:17:50 +04
    SYSUPTIME=1119000      # 1119000/60/1000 = 18.6 min
    FIRST=3106274456       #
    LAST=3106291456        #