Re: PF and LDAP

[Фролов Константин]

30.07.09, 13:55, Marcello Cruz marcello.c...@globo.com:

 Dear all,
 Is there a way to use LDAP in a rule to allow or deny based on the user
 instead of the IP Address?
 The idea is to permit the traffic from an inside user to access, for example,
 a VoIP resource on the Internet.

Based on user...
I use for this PPPoE server with list of usernames/passwords/IP addresses.
Users connect with their usernames to PPPoE server, and PF controls traffic 
from 
PPPoE IP addresses.
You can write script to synchronize users in LDAP and /etc/ppp/ppp.secret file.

Example: allow access for user1 to web sites, and for user2 to mail servers
/etc/ppp/ppp.secret
user1 pass1 192.168.100.1
user2 pass2 192.168.100.2
..

/etc/pf.conf:
table squid-pppoe file /etc/pftables/int-web-pppoe
table mail-pppoe file /etc/pftables/int-mail-pppoe
pass in log quick on tun inet proto tcp from mail-pppoe to any port = pop3
pass in log quick on tun inet proto tcp from mail-pppoe to any port = smtp
pass in log quick on $pppoe_if_grp inet proto tcp from web-pppoe to any port 
{ www, https }
..

/etc/pftables/int-web-pppoe
192.168.100.1
..

/etc/pftables/int-mail-pppoe
192.168.100.2
..

Re: ppp connection freezes

[Фролов Константин]

13.07.09, 15:32, P$QPP;PP2 PPP=Q
QP0P=QP8P= f-k...@yandex.ru:

 What it can be - PPP bug ?
  set mtu max 1492
  set mru max 1492

Solved by lowering MTU and MRU to 1452

Re: pflow question/problem

[Фролов Константин]

03.07.09, 14:50, Joerg Goltermann j...@osn.de:

 Index: sbin/pfctl/pfctl_parser.c


After patch:

/etc/pf.conf

set timeout pflowexport 10


# /flow-cat ft* | flow-export -f 2  out.csv

out.csv
---
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags
,src_mask,dst_mask,src_as,dst_as
1246955430,6359600,63745000,192.168.70.254,4,241,63655000,63655000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50659,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,5,288,63655000,63655000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50662,10050,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,4,243,63655000,63655000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50662,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,113,18378,57699000,4272321296,42,42,192.168.100.1,205.188.1.226,0.0.0.0,0,0,1273,5190,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,110,42627,57699000,4272321296,42,42,205.188.1.226,192.168.100.1,0.0.0.0,0,0,5190,1273,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,113,18378,57699000,4272321296,42,42,192.168.1.2,205.188.1.226,0.0.0.0,0,0,61158,5190,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,110,42627,57699000,4272321296,42,42,205.188.1.226,192.168.1.2,0.0.0.0,0,0,5190,61158,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,5,279,63658000,63665000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50677,10050,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,4,234,63658000,63665000,42,42,192.168.70.254,192.168.70.251,0.0.0.0,0,0,10050,50677,6,0,0,0,0,0,0
1246955440,6360600,63755000,192.168.70.254,5,290,6366,63665000,42,42,192.168.70.251,192.168.70.254,0.0.0.0,0,0,50679,10050,6,0,0,0,0,0,0

lines 4-7 - strange big 'last' values, and last  first that is incorrect.

Re: Bug in pppoe ?

[Фролов Константин]

Solved by adding ECHO parameters to ppp.conf:

enable lqr
set lqrperiod 5
+ enable echo
+ set echoperiod 5


from man ppp:
When this option is enabled, ppp will send
 LCP ECHO requests to the peer at the frequency defined by
``echoperiod''.  Note: LQR requests will supersede LCP ECHO re-
quests if enabled and negotiated.

I think that lqr not supersede echo because it not negotiated win XP and Vista
and dead link not eliminated by lqr timeout

Re: Bug in pppoe ?

[Фролов Константин]

03.07.09, 12:11, Gregory Edigarov g...@bestnet.kharkov.ua:

 sysctl net.inet.ip.forwarding ?

net.inet.ip.forwarding=1

Re: Bug in pppoe ?

[Фролов Константин]

03.07.09, 16:00, Denis Doroshenko denis.doroshe...@gmail.com:

how about tcpdumping at time when the link becomes broken and
re-establishment is unsuccessful? tcpdumping on ethernet, on the pppoe
in question...

tcpdump shows nothing after pppoe reconnection.

My IP - 192.168.70.44
My PPPoE IP - 192.168.100.35

tcpdump at the time of reconnection:

# tcpdump -i vr0 host 192.168.70.44 and port ! 22
tcpdump: listening on vr0, link-type EN10MB
16:20:04.708536 oit-04.avangard.local  IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]
16:20:04.730965 oit-04.avangard.local  IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]
16:20:04.764234 arp who-has oit-04.avangard.local tell tserver.avangard.local
16:20:05.671519 oit-04.avangard.local  IGMP.MCAST.NET: igmp-2 [v2] [ttl 1]

# tcpdump -i vr0 host 192.168.100.35
tcpdump: listening on vr0, link-type EN10MB
16:20:04.781524 tserver.avangard.local.ntp  192.168.100.35.ntp: [len=68] v3 
server strat 4 poll 10 prec -6


After reconnection i try to ping hosts, but tcpdump shows nothing. 

Bug in pppoe ?

[Фролов Константин]

I have openbsd-based pppoe server for small lan with 20-30 WinXP and Vista 
clients (based on user-level ppp)
After some time some random clients seems to be dead (XP and Vista)
When i try disconnect/reconnect dead host to pppoe, connection established but 
i cannot ping hosts, link is dead.
When i try to connect with different ppp username from same computer, 
connection establised and all OK.
I see in firewall log pass rule for this connection, but can't see any traffic
Maybe somebody knows where is the problem ?
(same pppoe server config with OpenBSD 4.3 works without problems)

My config:

kernel 4.5 GENERIC + pflow patch from Joerg Goltermann

devices
---
/dev/tun0..tun100 (i make 100 tun devices with MAKEDEV)

/etc/ppp/ppp.secret
---
user1 pass1 192.168.100.1
user2 pass2 192.168.100.2
..
user30 pass30 192.168.100.30

/etc/ppp/ppp.conf
--
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cua01
 set speed 115200
 set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\ AT OK-AT-OK ATE1Q0 OK 
\\dATDT\\T TIMEOUT 40 CONNECT

pppoe:
 set timeout 0
 set device !/usr/sbin/pppoe -i vr0
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 enable chap
 set ifaddr
 set dns 192.168.70.250
 accept dns
 set ifaddr 192.168.100.254 192.168.100.1-192.168.100.253 255.255.255.255
 disable ipv6cp
 enable mssfixup
 enable lqr
 set lqrperiod 5

/etc/rc.local
-
/usr/sbin/pppoe -p pppoe -i vr0 -s

Re: pflow question - incorrect FIRST and LAST values ?

[Фролов Константин]

Hi,

16.06.09, 11:53, Joerg Goltermann go...@openbsd.org:

 pflow(4) is based on pf states, if a pflow tagged state expires, a
 flow is created. If you change the pf expire, you can configure 
 the pflow expiring.
 I attached a new version, which should give more correct values for
 the last-time of a flow.
  - Joerg
 Index: if_pflow.c
 ===
 RCS file: /cvs/src/sys/net/if_pflow.c,v
 retrieving revision 1.10
 diff -u -p -r1.10 if_pflow.c
 --- if_pflow.c27 Feb 2009 11:09:36 -  1.10
 +++ if_pflow.c16 Jun 2009 07:13:32 -
 @@ -356,8 +356,12 @@ copy_flow_data(struct pflow_flow *flow1,
   flow1-flow_octets = htonl(st-bytes[0]);
   flow2-flow_octets = htonl(st-bytes[1]);
  
 - flow1-flow_start = flow2-flow_start = htonl(st-creation * 1000);
 - flow1-flow_finish = flow2-flow_finish = htonl(time_second * 1000);
 + flow1-flow_start = flow2-flow_start =
 + htonl((st-creation - (time_second - time_uptime)) * 1000);
 + flow1-flow_finish = flow2-flow_finish =
 + htonl((time_uptime - (st-rule.ptr-timeout[st-timeout] ?
 + st-rule.ptr-timeout[st-timeout] :
 + pf_default_rule.timeout[st-timeout])) * 1000);
   flow1-tcp_flags = flow2-tcp_flags = 0;
   flow1-protocol = flow2-protocol = sk-proto;
   flow1-tos = flow2-tos = st-rule.ptr-tos;

Tnanks ! I try it today

Re: pflow question - incorrect FIRST and LAST values ?

[Фролов Константин]

Hello.

13.06.09, 12:08, Joerg Goltermann go...@openbsd.org:

 are you sure both versions are captured at the same time?

Yes.

 pflow(4) uses the counters from pf. Can you reproduce the
 difference of 14?


Yes, see attached file - i start softflowd and pflow capture at the same time, 
but
get different results. This capture i make with your new patch.

# date
Mon Jun 15 11:02:40 MSD 2009

# /usr/local/sbin/softflowd -n 127.0.0.1:1234 -i vic0
# ifconfig pflow0 flowsrc 192.168.227.131 flowdst 127.0.0.1:4321
# flow-capture -w /var/spool/netflow/softflowd -N 0 0/0/1234
# flow-capture -w /var/spool/netflow/pflow -N 0 0/0/4321

# lynx www.openbsd.org

.. (wait for log rotation by flow-capture, 15 mins)

# date
Mon Jun 15 11:15:53 MSD 2009

# flow-cat /var/spool/netflow/softflowd/ft* | flow-export -f 2  softflowd.csv
# flow-cat /var/spool/netflow/pflow/ft* | flow-export -f 2  pflow.csv


Just one question
softflowd will expire flows after user-configurable periods.
Can i configure expire period for pflow ? 

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of pflow.csv]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of softflowd.csv]

Re: pflow question - incorrect FIRST and LAST values ?

[Фролов Константин]

09.06.09, 18:07, Stuart Henderson s...@spacehopper.org:

 The fix might be as simple as this, but it's totally untested, not
 even compiled.
 Index: if_pflow.c
 ===
 RCS file: /cvs/src/sys/net/if_pflow.c,v
 retrieving revision 1.10
 diff -u -p -r1.10 if_pflow.c
 --- if_pflow.c27 Feb 2009 11:09:36 -  1.10


No, your patch is not a solution.
Look:

  FLOWEXPORT
  TIMETIME
INTERVAL  |
 ||   |
 ||   |
 FL   SU,US,UNS

F-FIRST,L-LAST SysUptime at start of the flow and at the time the last packet 
of the flow was received
SU-SYSUPTIME from header, time in milliseconds since this device was first 
booted.
US-Unix seconds from header, Seconds since  Coordinated Universal Time 
(UTC) 1970.

Time calculation formula (without nanoseconds):
---
Date/time at start of the flow = US - (SU-F)/1000
Date/time at end of the flow = US - (SU-L)/1000


example: flow collection begin with softflowd
-
UNIX_SECS=1244458921 # 2009-06-08 15:02:01+04
SYSUPTIME=363460
FIRST=60073
LAST=60090
-
Date/time of first packet = US - (SU-F)/1000 = 1244458618 = 2009-06-08 
14:56:58+04
All correct.


example: flow collection with pflow before patch
-
UNIX_SECS=1244351870 # 2009-06-07 09:17:50 +04
SYSUPTIME=1119000 #
FIRST=3106274456 # Why so huge ?
LAST=3106291456 #  ??
-
Date/time of first packet = US - (SU-F)/1000 = 1244351870 - (-3105155) = 
1247457025 = 2009-07-13 07:50:25+04
Incorrect.
F and L time values must be lesser than UNIX_SECS


example: flow collection with pflow after patch

UNIX_SECS=1213083472 # 2008-06-10 11:37:52+04
SYSUPTIME=525000
FIRST=1902158528 # Also Huge. 
LAST=1902169528 # ??
-
Date/time of first packet = US - (SU-F)/1000 = 1213083472 - (-1901633) = 
2008-07-02 11:51:45+04
Incorrect.
F and L time values must be lesser than UNIX_SECS

Re: pflow question - incorrect FIRST and LAST values ?

[Фролов Константин]

patch works, but i note some differences in same traffic
(see attached files in my previous message)

1. softflowd captured 7 records, pflowd at the same time captured 8
2. different quantity of octets in reply from openbsd.org webserver:
pflow.csv, line #6: 7107 octets
softflowd.csv, line #5: 7121 octet

i don't know what to use for traffic accounting - where is right values :))

pflow question - incorrect FIRST and LAST values ?

[Фролов Константин]

Hi all.

In fields FIRST and LAST in a stream should be system uptime during reception 
of the first package
and during reception of the last

When i use 'softflowd' software sensor - all OK (see below), but when i use 
pflow interface 
then in fields FIRST and LAST i see huge values.
Maybe somebody knows, what mean these values ?


2:56 PM, up 3 mins - flow collection begin with softflowd
-
UNIX_SECS=1244458921 # 2009-06-08 15:02:01 +04
SYSUPTIME=363460 # 363460/1000/60 = 6 mins
FIRST=60073   # 
LAST=60090# 
-

9:17 AM, up 18 mins - flow collection begin with pflow
-
UNIX_SECS=1244351870 # 2009-06-07 09:17:50 +04
SYSUPTIME=1119000# 1119000/60/1000=18.6 MIN
FIRST=3106274456 # 
LAST=3106291456  # 
-