embedded device

2007-09-18 Thread Alberich de megres
Hi,

Can anyone point me to an embedded device like Soekris? But I want one that
performs fine using pf. Better if it has gigabit NICs, but if not there's
no problem.

thanks!



Re: PF overload table

2007-06-19 Thread Alberich de megres
Thanks, that helps me.

Which is better (less CPU overwhelm)? pfctl -x misc or loud?

Taking a look at pflog, I see something like: match rule 6 block in em0
How can I see which rule is rule 6?

Thanks!


On 6/18/07, Brian A. Seklecki [EMAIL PROTECTED] wrote:

 see the -x argument to pfctl(8); try turning up the debugging level to
 various settings and watch syslog ~BAS

 On Mon, 2007-06-18 at 13:46 +0200, Alberich de megres wrote:
   I'm wondering if there is some way to log when an IP is inserted in a
   table?
 --
 Brian A. Seklecki [EMAIL PROTECTED]
 Collaborative Fusion, Inc.




 IMPORTANT: This message contains confidential information and is intended
 only for the individual named. If the reader of this message is not an
 intended recipient (or the individual responsible for the delivery of this
 message to an intended recipient), please be advised that any re-use,
 dissemination, distribution or copying of this message is
 prohibited.  Please notify the sender immediately by e-mail if you have
 received this e-mail by mistake and delete this e-mail from your system.
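Two practical follow-ups to the questions in this message, as an added example that is not from the thread. The rule number pflog reports is the position of the rule in the loaded filter ruleset: `pfctl -vvsr` prints every rule prefixed with that number (`@6 ...`), and `tcpdump -n -e -ttt -i pflog0` shows it as `rule 6/(match)`; rules inside an anchor are numbered within that anchor (`pfctl -a 'ftp-proxy/*' -vvsr`). For table insertions, the `pfctl -x misc` suggestion above should make the kernel print a `pf_src_connlimit: blocking address ...` line each time an overload rule adds a source (check dmesg and /var/log/messages); the script below takes the other route and diffs `pfctl -t <table> -T show` snapshots from cron, which works at the default debug level. The pfctl output and table snapshots are constructed samples; the table name `bruteforce` and the snapshot paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves a pflog rule number to the
# rule text using "pfctl -vvsr" output, and reports addresses newly inserted
# into a pf table by diffing two "pfctl -t <table> -T show" snapshots.
# All input below is constructed; on a firewall it comes from pfctl(8).

# rule_by_number NUM: read "pfctl -vvsr" output on stdin, print rule @NUM
# without the "@NUM " prefix. pflog's "rule 6" is this @6 (rules inside an
# anchor are numbered per anchor: pfctl -a 'ftp-proxy/*' -vvsr).
rule_by_number() {
    awk -v want="@$1" '$1 == want { sub(/^@[0-9]+ /, ""); print; exit }'
}

# table_new_entries OLD NEW: addresses present in snapshot NEW but not in OLD.
# "pfctl -T show" indents each address, so strip leading blanks first.
table_new_entries() {
    _old=$(mktemp) || return 1
    _new=$(mktemp) || { rm -f "$_old"; return 1; }
    sed 's/^[[:space:]]*//' "$1" | sort > "$_old"
    sed 's/^[[:space:]]*//' "$2" | sort > "$_new"
    comm -13 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Constructed sample of "pfctl -vvsr" output (statistics lines abbreviated).
SAMPLE_RULES='@0 pass quick on lo0 all
  [ Evaluations: 120 Packets: 40 Bytes: 3200 States: 2 ]
@1 block drop all
  [ Evaluations: 118 Packets: 9 Bytes: 540 States: 0 ]
@6 block drop in quick on em0 from <blocked_ips> to any
  [ Evaluations: 80 Packets: 3 Bytes: 180 States: 0 ]'

# Constructed table snapshots, as "pfctl -t bruteforce -T show" prints them.
SAMPLE_OLD='   192.0.2.10
   198.51.100.7'
SAMPLE_NEW='   192.0.2.10
   198.51.100.7
   203.0.113.99'

demo() {
    printf '%s\n' "$SAMPLE_RULES" | rule_by_number 6
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$SAMPLE_OLD" > "$old"
    printf '%s\n' "$SAMPLE_NEW" > "$new"
    table_new_entries "$old" "$new"
    rm -f "$old" "$new"
}
demo

# On the firewall (paths and table name assumed), from cron every minute:
#   pfctl -t bruteforce -T show > /var/db/bruteforce.new
#   table_new_entries /var/db/bruteforce.old /var/db/bruteforce.new |
#       while read -r ip; do logger -t pf-table "bruteforce += $ip"; done
#   mv /var/db/bruteforce.new /var/db/bruteforce.old
```

The snapshot approach misses an address that is inserted and expires again between two runs, so keep the interval shorter than the table's `-T expire` value; the kernel message at debug level misc has no such gap but is noisier.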



PF overload table

2007-06-18 Thread Alberich de megres
Hi,

I'm wondering if there is some way to log when an IP is inserted in a table?


thanks.



Re: PFSYNC

2007-05-30 Thread Alberich de megres
I know it, but I don't know how to make it work to sync tabled with another
machine.

from: http://www.openbsd.org/4.1_packages/m68k/tabled-1.0.4p0.tgz-long.html

daemon to modify pf tables from an unprivileged process in userland,
useful e.g. when you want to add hostnames to a pf table from a chrooted
process, e.g. from a webserver.


It doesn't say anything about the network, and the man page only talks about using a FIFO.

Thanks




On 5/27/07, Mathieu Sauve-Frankel [EMAIL PROTECTED] wrote:

 On Sat, May 26, 2007 at 07:55:26AM +, Ryan McBride wrote:
  On Sat, May 26, 2007 at 09:36:48AM +0200, Alberich de megres wrote:
   I know I repeat myself, but that's important for me: my pf isn't syncing
   tables I create. Can I solve this?
 
  Write a tool that synchronises your tables.

 You don't need to write this tool. It already exists in the ports tree.
 sysutils/tabled. Thank mbalmer@ for that.

 --
 Mathieu Sauve-Frankel



Re: PFSYNC

2007-05-30 Thread Alberich de megres
Ok,
I was using the ports tabled version 1.04, which doesn't have tablec, and its
tabled.conf man page doesn't say anything about the listen command.

I downloaded 1.05 and all ok.

Thanks.


On 5/30/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Tue, May 29, 2007 at 10:02:08PM +0200, Alberich de megres wrote:
   Maybe it's a silly question, but I don't know where to start with tabled :S
  
   I only got it installed. Please, any help?


 With the caveat that I've never actually used it...

 It appears tabled.conf(5) documents an option to allow tabled to listen
 on a TCP port; tablec(8) documents an option to send commands to that
 socket. So if you can script tablec to fire at the right moment, this
 should work. If you are, for instance, parsing SSH requests out of log
 files, that need not be too difficult...

Joachim

 --
 TFMotD: mount_ados (8) - mount an AmigaDOS file system



Re: PFSYNC

2007-05-29 Thread Alberich de megres
Which tool is it? tabled?
How can I make it sync tables through Ethernet? I only see socket files in
the man page :S

On 5/26/07, Jason Dixon [EMAIL PROTECTED] wrote:

 On Sat, May 26, 2007 at 09:36:48AM +0200, Alberich de megres wrote:
  Hi,
 
   I know I repeat myself, but that's important for me: my pf isn't syncing
   tables I create. Can I solve this?

 sysutils/tabled in ports.  I was just reminded of this by todd and
 mbalmer.

 -J.



Re: PFSYNC

2007-05-29 Thread Alberich de megres
Maybe it's a silly question, but I don't know where to start with tabled :S

I only got it installed. Please, any help?


On 5/29/07, Alberich de megres [EMAIL PROTECTED] wrote:

  Which tool is it? tabled?
  How can I make it sync tables through Ethernet? I only see socket files in
  the man page :S

 On 5/26/07, Jason Dixon  [EMAIL PROTECTED] wrote:
 
  On Sat, May 26, 2007 at 09:36:48AM +0200, Alberich de megres wrote:
   Hi,
  
    I know I repeat myself, but that's important for me: my pf isn't syncing
    tables I create. Can I solve this?
 
  sysutils/tabled in ports.  I was just reminded of this by todd and
  mbalmer.
 
  -J.



Re: Newbie Question

2007-05-28 Thread Alberich de megres
Ok.

PF is working fine (I think, xD).
So better to use pf+sec and forget Snort. So now it's time to find a good SEC
manual and start playing with it.

Thanks.
Tang Tse


On 5/28/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 28, 2007 at 10:35:41AM +0200, Tang Tse wrote:
  2007/5/8, Alberich de megres [EMAIL PROTECTED]:
   On 5/8/07, Joachim Schipper [EMAIL PROTECTED] wrote:
On Tue, May 08, 2007 at 10:45:36AM +0200, Alberich de megres wrote:
  I'm new to the OpenBSD world... I came from the Linux world :P And I
  got a question about logs

  In Linux I used logwatch; I know that I can use it on OpenBSD.
  But is there some other option in the OpenBSD world? What about
  snort?  What way do you use to analyze logs in router firewalls or
  workstations?
   
For log analysis, which is different from analyzing bandwidth and
such, there are plenty of systems. I'd urge you to look at
something that reports anything unknown, though, at least if
you're using a log analyzer to point you at things that need
fixing (as opposed to creating statistics, auto-blacklisting in
response to SSH bruteforce attempts, and so on and so forth).
   
Personally, I use SEC (sysutils/sec) for general log handling.
It's pretty powerful, not too hard to use, and can be made to work
in blacklist mode (search the web). I add pflogsumm
(mail/pflogsumm) to handle all Postfix logs, mostly because SEC
isn't that good at statistics (though you can get it to execute
external programs...)
  
    Can Pfstat make per source IP (for the local LAN, for example)
    statistics?
   
    I heard nice things about SEC; I will take a look at both.
 
  Retaking this mail thread,
 
  One question about: which you think is best? snort+sec? or pf+sec?

 Snort and pf are network security technologies; the first is an
 intrusion detection system and the latter is a packet filter. SEC can be
 used as a log watcher.

 Those are different technologies; I think you might be a bit confused.
 Snort+SEC is most likely not the best choice (look at anything from BASE
 to Prelude for analysing and/or monitoring Snort logs), and I don't know
 what output of pf you want to feed to SEC.

 I'd recommend setting up pf first, log watching second, and ignoring
 Snort altogether. This is OpenBSD; vulnerabilities are rare, and if they
 appear, upgrading the vulnerable system is less work than upgrading the
 IDS. And the first actually makes you more secure.

 Joachim

 --
 TFMotD: gem (4) - GEM 10/100/Gigabit Ethernet device



PFSYNC

2007-05-26 Thread Alberich de megres
Hi,

I know I repeat myself, but that's important for me: my pf isn't syncing
tables I create. Can I solve this?

Thanks



FTP proxy

2007-05-25 Thread Alberich de megres
Hi again,

I have a problem with FTP clients behind the pf firewall. I can connect to the server
but can't list directory contents. That's the chat:

230 User test logged in.
   FEAT
211-Features:
MDTM
REST STREAM
SIZE
211 End
   PWD
257 / is current directory.
   TYPE A
200 Type set to A
   PASV
227 Entering Passive Mode (86,109,162,174,133,169).
   LIST

And it stays here until it times out...

ftp-proxy is on, and I'm using OpenBSD 4.0 on this machine again.

Here is my pf.conf:

##

# NICs
ext_if="rl1"
ext_carp_if="carp1"
int_if="rl2"
int_carp_if="carp0"
carp_if="{ rl1, rl2 }"
sync_if="rl0"

table <blocked_ips> persist file "/pf/conf/blocked_ips"
table <lan_hosts> persist file "/pf/conf/lan_hosts"

set block-policy drop

scrub in all
scrub out on $ext_if all random-id


nat on $ext_if proto $Nat_proto from <lan_hosts> to any -> ($ext_carp_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to $int_carp_if port 21 -> \
    127.0.0.1 port 8021


pass quick on lo0 all
pass quick on $carp_if proto carp keep state
pass quick on $sync_if proto pfsync

block all

block in quick on $ext_if from { 127.0.0.1/8, 192.168.0.0/16 } to any
block out quick on $ext_if from any to { 127.0.0.1/8, 192.168.0.0/16 }
block in quick on $ext_if from <blocked_ips> to any

## internal DNS working...
pass in on $int_if inet proto { tcp, udp } from <lan_hosts> to any port domain \
    keep state
pass out on $ext_if inet proto { tcp, udp } from any to any port domain \
    keep state


#FTP
anchor "ftp-proxy/*"


pass in on $int_if inet proto tcp from any to any port { ftp, ftp-data } \
    keep state
pass out on $ext_if inet proto tcp from any to any port { ftp, ftp-data } \
    keep state

#anchor "ftp-proxy/*"

#pass in proto tcp from { <lan_hosts>, 127.0.0.1 } to any port { ftp, ftp-data } \
#    keep state
#pass out proto tcp from ($ext_carp_if) to any port { ftp, ftp-data } \
#    keep state

#anchor "ftp-proxy/*"
#pass out proto tcp from any to port 21 keep state user proxy

##

Any help?



Re: FTP proxy

2007-05-25 Thread Alberich de megres
Hi,

Thanks for the answer. But I already have this in my rc.local.conf... Are the
pass in and out rules for the ftp and ftp-data ports right? I added them at my own
risk... nothing on the OpenBSD ftp and pf issues page, and Google tells nothing about
this.

Any help?

Thanks

On 5/25/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

 Alberich de megres [EMAIL PROTECTED] writes:

   I have a problem with FTP clients behind the pf firewall. I can connect to
   the server but can't list directory contents. That's the chat:

 Don't take this as gospel, but I vaguely remember having a similar
 problem, which apparently went away after I changed the ftpproxy
 startup options (/etc/rc.conf.local) to

  ftpproxy_flags="-r"

 Again, YMMW, beware of nuts etc

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
 http://www.nuug.no/
 First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: FTP proxy

2007-05-25 Thread Alberich de megres
Hi again,

I didn't want to say that there is no info, I was only making reference to
my ignorance: I don't know if these pass rules were set correctly or not.

I got basically the same, all pasted from the ftp-proxy man page or the OpenBSD
issues with pf and ftp page. Could it maybe be the block all rules? I don't
know what's happening.

Thanks for all



On 5/25/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

 Alberich de megres [EMAIL PROTECTED] writes:

  But i got this on my rc.local.conf yet.. Are the pass in and out
  rules for ftp and ftp-data ports right?

 your nat rule looks a bit strange, I have

  nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

 The ftp related rules I have are essentially pasted from the ftp-proxy
 man page, yours differ somewhat.

 I have

 # [...]
 nat-anchor ftp-proxy/*
 rdr-anchor ftp-proxy/*

 # [...]

  rdr pass on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port
  8021

 # [...]
 anchor ftp-proxy/*

 pass out proto tcp from $proxy to any port ftp

  I add them at my own risk.. none in openbsd ftp and pf issues page
  and google tell nothing about this.  Any help?  Thanks

  I don't want to appear rude, but there are the ftp-proxy man pages,
  the PF faq and a certain tutorial out there at least.  A bit odd if
  you couldn't find any info.

 Hope this helps,
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
 http://www.nuug.no/
 First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: FTP proxy

2007-05-25 Thread Alberich de megres
Sorry for the reply to myself...
But yes... it was the block rules:
block in quick on $ext_if from { 127.0.0.1/8, 192.168.0.0/16 } to any
block out quick on $ext_if from any to { 127.0.0.1/8, 192.168.0.0/16 }

I commented these out and all works...

Thanks Peter for everything, you made me re-read all my pf.conf



On 5/25/07, Alberich de megres [EMAIL PROTECTED] wrote:

 Hi again,

  I didn't want to say that there is no info, I was only making reference
  to my ignorance: I don't know if these pass rules were set correctly or
  not.

  I got basically the same, all pasted from the ftp-proxy man page or the
  OpenBSD issues with pf and ftp page. Could it maybe be the block all rules?
  I don't know what's happening.

 Thanks for all



 On 5/25/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
 
  Alberich de megres [EMAIL PROTECTED] writes:
 
   But i got this on my rc.local.conf yet.. Are the pass in and out
   rules for ftp and ftp-data ports right?
 
  your nat rule looks a bit strange, I have
 
   nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
 
  The ftp related rules I have are essentially pasted from the ftp-proxy
  man page, yours differ somewhat.
 
  I have
 
  # [...]
  nat-anchor ftp-proxy/*
  rdr-anchor ftp-proxy/*
 
  # [...]
 
   rdr pass on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port
   8021
 
  # [...]
  anchor ftp-proxy/*
 
  pass out proto tcp from $proxy to any port ftp
 
   I add them at my own risk.. none in openbsd ftp and pf issues page
   and google tell nothing about this.  Any help?  Thanks
 
   I don't want to appear rude, but there are the ftp-proxy man pages,
   the PF faq and a certain tutorial out there at least.  A bit odd if
   you couldn't find any info.
 
  Hope this helps,
  --
  Peter N. M. Hansteen, member of the first RFC 1149 implementation team
  http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
  http://www.nuug.no/
  First, we kill all the spammers The Usenet Bard, Twice-forwarded
  tales
  delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



PFsync and tables

2007-05-23 Thread Alberich de megres
Hi again,

Following on with my pf playground, I realised that pfsync doesn't send
table updates. I use a table to avoid SSH brute force; on the CARP master fw the
table gets updated when I get an SSH attack, but this table isn't updated on the
CARP backup fw.

Thanks
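pfsync(4) replicates the state table, not ruleset objects; a table is part of the ruleset, so the addresses an overload rule inserts on the master never reach the backup, which is what this message reports and why the replies in the PFSYNC thread point at sysutils/tabled. As an added example that is not from the thread and does not use tabled, the script below does the job with pfctl alone: it compares the master's table with the peer's and emits the `pfctl -T add`/`-T delete` commands that bring the peer in line, to be piped over ssh. The two snapshots are constructed; the peer name `fw2`, the table name `bruteforce` and the overload rule shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keep a pf table on the CARP backup equal
# to the master's using only pfctl(8). pfsync carries states, not tables, so
# addresses that an overload rule inserts on the master stay there unless
# something copies them. The snapshots below are constructed.
#
# The kind of rule that fills the table on the master (PF FAQ idiom, assumed):
#   pass in on $ext_if proto tcp to ($ext_carp_if) port ssh flags S/SA keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# table_sync_cmds TABLE LOCAL PEER
#   LOCAL and PEER are files holding "pfctl -t TABLE -T show" output (one
#   indented address per line). Prints the pfctl commands that, run on the
#   peer, make its table identical to the local one.
table_sync_cmds() {
    table=$1
    _l=$(mktemp) || return 1
    _p=$(mktemp) || { rm -f "$_l"; return 1; }
    sed 's/^[[:space:]]*//; /^$/d' "$2" | sort > "$_l"
    sed 's/^[[:space:]]*//; /^$/d' "$3" | sort > "$_p"
    # only the master has it: add it on the peer
    comm -23 "$_l" "$_p" | while read -r addr; do
        printf 'pfctl -t %s -T add %s\n' "$table" "$addr"
    done
    # only the peer has it (expired or removed on the master): delete it
    comm -13 "$_l" "$_p" | while read -r addr; do
        printf 'pfctl -t %s -T delete %s\n' "$table" "$addr"
    done
    rm -f "$_l" "$_p"
}

# Constructed snapshots: the master has two entries the peer lacks, and the
# peer still holds one that the master already expired.
SAMPLE_LOCAL='   192.0.2.10
   198.51.100.7
   203.0.113.99'
SAMPLE_PEER='   192.0.2.10
   192.0.2.250'

demo() {
    l=$(mktemp); p=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCAL" > "$l"
    printf '%s\n' "$SAMPLE_PEER" > "$p"
    table_sync_cmds bruteforce "$l" "$p"
    rm -f "$l" "$p"
}
demo

# On the master (peer name and table assumed), e.g. every minute from cron:
#   pfctl -t bruteforce -T show > /tmp/local.$$
#   ssh fw2 pfctl -t bruteforce -T show > /tmp/peer.$$
#   table_sync_cmds bruteforce /tmp/local.$$ /tmp/peer.$$ | ssh fw2 sh
#   rm -f /tmp/local.$$ /tmp/peer.$$
```

Run it from the master only, since that is the side whose table is authoritative, and apply the same `pfctl -t bruteforce -T expire` on both boxes so entries age out consistently. The generated commands contain nothing but addresses printed by pfctl, so piping them into `sh` on the peer carries no attacker-controlled text; if you prefer to avoid the remote shell altogether, `pfctl -t bruteforce -T replace -f file` on the peer swaps in a whole snapshot atomically, at the cost of shipping the full table each run.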



CARP question

2007-05-21 Thread Alberich de megres
Hi Again!

I got my firewall running, after some headaches...

But I have a question: carp0, for example, uses em0 to listen on my shared IP,
and sends advskew on this NIC (em0). The same thing with the internal LAN CARP
device. But I don't want the CARP advskew to travel on the whole net. I have a
third NIC used by pfsync (rl0); is there some way to send the CARP advskew
through rl0?

Thanks once again,
Alberich



Re: PF

2007-05-15 Thread Alberich de megres
Hi,

Yeah man, that worked.

Thanks for everything and your patience...

Thanks again.


On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 07:25:34PM +0200, Alberich de megres wrote:
  On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
  
   On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres
 wrote:
  Hi again,
 
   And sorry to insist on this, I'm really lost.
  
   I read in most web docs that with an rdr rule traffic gets redirected to
   internal servers, and with this and a pass rule it is enough. But I
   find myself in a different scenario: with an rdr rule and a pass rule
   packets get redirected to the internal server with the same external
   IP.
  
   With a tcpdump on the internal server, packets arrive at the internal
   server but this one doesn't answer back.
  
   If I add a nat rule from any to the internal server, the server logs
   show me access only from the firewall IP address (logically). Is
   there some way to redirect external traffic to the internal server
   and have the internal server see the external address (for log control,
   and access without a firewall rule... only on the server machine), and
   all work fine?

 I don't really see what you mean: is there a server with public
   address
 1.2.3.4 behind a firewall with public address 1.2.3.1, and rules
 like

  rdr pass on $ext_if to $server $port1 -> $port2
  pass on $ext_if to $server port $port3

 In that case, that should just work.
  
No,
   
There's a firewall with public address, and a server with internal
   address.
   
firewall: 1.2.3.4
server: 192.168.1.1
  
   In that case,
  
   server = 192.168.1.1
  
   rdr pass on $ext_if to $ext_if $port1 -> $server
   rdr pass on $ext_if to $ext_if $port2 -> $server $port3
  
   should work just fine. What is your /etc/pf.conf? And what doesn't
 work?
  
   (The underlying idea is that 'rdr pass' is very useful for simple
 cases,
   and one should be careful with NAT.)
 
   I tried what you told me, and that doesn't work, I get a syntax error
  
   my pf.conf:
  
   #suppose 10.0.0.254 is the external address..
   ext_if="sis0"
   ext_carp_if="carp1"
   int_if="rl0"
   int_carp_if="carp0"
  
   nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254
   rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> \
       192.168.1.69 port 80
  
   pass all

 Why are you messing with CARP before the whole thing works at all? CARP
 is wonderful and not that difficult to set up, but there are a couple of
 gotchas in combining CARP and pf that are best dealt with once you know
 pf.conf works. At least the first time.

 Also, actually using the $ext_if macro might be more useful than just
 defining it; there is no magic there, it's just a common macro to
 define. 'pass all' is the default; no need to define it. Your handling
 of IPv6 makes little sense (why allow IPv4 to $server port 80, but
 handle IPv6 on the firewall? Either 'block drop inet6' or do without
 'inet'). Finally, symbolic names are more readable: use 'http' instead
 of '80'.

 That said,

 ext_if=sis0
 int_if=rl0
 server=192.168.1.69

  nat on $ext_if from $int_if:network -> $ext_if
  rdr on $ext_if inet proto tcp to $ext_if port http -> $server

 should work for the no-CARP scenario. With CARP, that should become
 something like the below (not tested):

 ext_if_base=sis0
 ext_if_carp=carp1
 int_if_base=rl0
 int_if_carp=carp0
 server=192.168.1.69

  nat on $ext_if_base from $int_if_carp:network -> ($ext_if_carp)
  rdr on $ext_if_base proto tcp to $ext_if_carp port http -> $server

Joachim

 --
 TFMotD: trek (6) - trekkie game



PF

2007-05-14 Thread Alberich de megres
Hi again,

And sorry to insist on this, I'm really lost.

I read in most web docs that with an rdr rule traffic gets redirected to internal
servers, and with this and a pass rule it is enough. But I find myself in a
different scenario: with an rdr rule and a pass rule packets get redirected to
the internal server with the same external IP.

With a tcpdump on the internal server, packets arrive at the internal server but
this one doesn't answer back.

If I add a nat rule from any to the internal server, the server logs show me
access only from the firewall IP address (logically). Is there some way to
redirect external traffic to the internal server and have the internal server
see the external address (for log control, and access without a firewall
rule... only on the server machine), and all work fine?

Thanks, and sorry for the insistence...
Alberich.



Re: PF

2007-05-14 Thread Alberich de megres
No,

There's a firewall with public address, and a server with internal address.

firewall: 1.2.3.4
server: 192.168.1.1




On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
  Hi again,
 
   And sorry to insist on this, I'm really lost.
  
   I read in most web docs that with an rdr rule traffic gets redirected to
   internal servers, and with this and a pass rule it is enough. But I find
   myself in a different scenario: with an rdr rule and a pass rule packets
   get redirected to the internal server with the same external IP.
  
   With a tcpdump on the internal server, packets arrive at the internal
   server but this one doesn't answer back.
  
   If I add a nat rule from any to the internal server, the server logs show
   me access only from the firewall IP address (logically). Is there some way
   to redirect external traffic to the internal server and have the internal
   server see the external address (for log control, and access without a
   firewall rule... only on the server machine), and all work fine?
  
   Thanks, and sorry for the insistence...
   Alberich.

 I don't really see what you mean: is there a server with public address
 1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like

  rdr pass on $ext_if to $server $port1 -> $port2
  pass on $ext_if to $server port $port3

 In that case, that should just work.

Joachim

 --
 TFMotD: atq (1) - display the at(1) job queue



Re: PF

2007-05-14 Thread Alberich de megres
I tried what you told me, and that doesn't work, I get a syntax error

my pf.conf:

#suppose 10.0.0.254 is the external address..
ext_if="sis0"
ext_carp_if="carp1"
int_if="rl0"
int_carp_if="carp0"

nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254

rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69 port 80

pass all



On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
  On 5/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:
  
   On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
Hi again,
   
 And sorry to insist on this, I'm really lost.
    
 I read in most web docs that with an rdr rule traffic gets redirected to
 internal servers, and with this and a pass rule it is enough. But I
 find myself in a different scenario: with an rdr rule and a pass rule
 packets get redirected to the internal server with the same external
 IP.
    
 With a tcpdump on the internal server, packets arrive at the internal
 server but this one doesn't answer back.
    
 If I add a nat rule from any to the internal server, the server logs
 show me access only from the firewall IP address (logically). Is
 there some way to redirect external traffic to the internal server and
 have the internal server see the external address (for log control,
 and access without a firewall rule... only on the server machine), and
 all work fine?
  
   I don't really see what you mean: is there a server with public
 address
   1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like
  
   rdr pass on $ext_if to $server $port1 - $port2
   pass on $ext_if to $server port $port3
  
   In that case, that should just work.

  No,
 
  There's a firewall with public address, and a server with internal
 address.
 
  firewall: 1.2.3.4
  server: 192.168.1.1

 In that case,

 server = 192.168.1.1

  rdr pass on $ext_if to $ext_if $port1 -> $server
  rdr pass on $ext_if to $ext_if $port2 -> $server $port3

 should work just fine. What is your /etc/pf.conf? And what doesn't work?

 (The underlying idea is that 'rdr pass' is very useful for simple cases,
 and one should be careful with NAT.)

Joachim

 --
 TFMotD: vclean (9) - disassociate the underlying file system from a
 vnode



Re: RDR rule on PF

2007-05-13 Thread Alberich de megres
I checked tcpdump on the internal interface, and it's not working. I enabled IP
forwarding in sysctl.conf, yes.

It's so weird. I'm sure it's a very stupid mistake but I can't find it...


On 5/13/07, Johan Linner [EMAIL PROTECTED] wrote:

 Is IP forwarding enabled?

 # sysctl net.inet.ip.forwarding=1

 /Johan



RDR rule on PF

2007-05-12 Thread Alberich de megres
Hi,

I sent a previous mail about this already, but I really can't fix the problem. I
read a book recommended on the OpenBSD site, Building Firewall with PF and
OpenBSD, and as far as I can understand rdr rules are very simple.

That's what i do on pf.conf:

pf.conf:

ext_if="rl1"
ext_carp_if="carp1"
int_if="rl2"
int_carp_if="carp0"
pf_if="rl0"

nat on $ext_if from <lan_hosts> to any -> ($ext_carp_if)

rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 22 -> \
    192.168.0.200 port 22
rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 80 -> \
    192.168.0.200 port 80

pass out all
pass in all

but HTTP connections and SSH won't be redirected. If I set up httpd on the
firewall then I can see the firewall Apache daemon, but not Apache on
192.168.0.200

Can anyone help me please?

Thanks.



Re: RDR rule on PF

2007-05-12 Thread Alberich de megres
What do you mean?

On 5/12/07, Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2007/05/12 11:11, Alberich de megres wrote:
   rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 22 -> \
       192.168.0.200 port 22
   rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 80 -> \
       192.168.0.200 port 80
  
   pass out all
   pass in all
  
   but HTTP connections and SSH won't be redirected. If I set up httpd on the
   firewall then I can see the firewall Apache daemon, but not Apache on
   192.168.0.200

 you _are_ testing from $ext_if, aren't you..?



Re: RDR rule on PF

2007-05-12 Thread Alberich de megres
I'm trying via passing through $ext_if. My $ext_if (rl0) has no IP
address; it shares one with a CARP device.




On 5/12/07, Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2007/05/12 12:15, Alberich de megres wrote:
   What do you mean?

 Where are you trying to connect from when you test this?

 The connection needs to pass through $ext_if in order to be
 matched by the redirect rules you are using.

 You may need to read
 http://www.openbsd.org/faq/pf/rdr.html#reflect


  On 5/12/07, Stuart Henderson [EMAIL PROTECTED] wrote:
  
   On 2007/05/12 11:11, Alberich de megres wrote:
 rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 22 -> \
     192.168.0.200 port 22
 rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 80 -> \
     192.168.0.200 port 80
    
 pass out all
 pass in all
    
 but HTTP connections and SSH won't be redirected. If I set up httpd on the
 firewall then I can see the firewall Apache daemon, but not Apache on
 192.168.0.200
  
   you _are_ testing from $ext_if, aren't you..?



Re: RDR rule on PF

2007-05-12 Thread Alberich de megres
I have an external machine, and I try my setup from this external machine,
which enters directly through $ext_if, so the direction is IN.

And I already checked the link you pointed me to.

Thanks for all

Any help?


On 5/12/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Sat, May 12, 2007 at 12:15:24PM +0200, Alberich de megres wrote:
  On 5/12/07, Stuart Henderson [EMAIL PROTECTED] wrote:
   On 2007/05/12 11:11, Alberich de megres wrote:
 rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 22 -> \
     192.168.0.200 port 22
 rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 80 -> \
     192.168.0.200 port 80
    
 pass out all
 pass in all
    
 but HTTP connections and SSH won't be redirected. If I set up httpd on the
 firewall then I can see the firewall Apache daemon, but not Apache on
 192.168.0.200
  
   you _are_ testing from $ext_if, aren't you..?
 
   What do you mean?

  You only redirect traffic when it comes in on $ext_if; so, if you try to
  test your setup from any other interface, notably $int_if, you will
  indeed see the Apache process on the firewall and not the host behind
  it.

Joachim

 --
 TFMotD: ypset (8) - tell ypbind(8) which YP server process to use



PF and rdr rules

2007-05-11 Thread Alberich de megres
I got my pf set up.

All works fine, except rdr rules. Simply: pf won't redirect anything to
internal servers.

I changed /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.ip.multipath=1

My scenario is:

fw1 - rl0 - carp / pfsync devs
  - rl1 - No IP addr, and bound to carp1 (with the external IP)
  - rl2 - Internal LAN IP, bound to carp0 (with the LAN gateway IP)
and FW2 set up the same way.

NAT works fine, but rdr doesn't.

pf.conf:

ext_if="rl1"
ext_carp_if="carp1"
int_if="rl2"
int_carp_if="carp0"
pf_if="rl0"

nat on $ext_if from <lan_hosts> to any -> ($ext_carp_if)

rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 22 -> \
    192.168.0.200 port 22
rdr on $ext_if inet proto tcp from any to ($ext_carp_if) port 80 -> \
    192.168.0.200 port 80

pass out all
pass in all

What am I doing so wrong?

Thanks!



Newbie Question

2007-05-08 Thread Alberich de megres
Hello,

I'm new to the OpenBSD world... I came from the Linux world :P And I got a
question about logs

In Linux I used logwatch; I know that I can use it on OpenBSD. But is there
some other option in the OpenBSD world? What about snort? What way do you use to
analyze logs in router firewalls or workstations?

Thanks!!



Re: Newbie Question

2007-05-08 Thread Alberich de megres
Hi,

Yes, I have explored the ports tree. But maybe I asked the wrong way; what I want
to know is what system you use to analyze logs (pf, sshd) and if you use
something to control/monitor bandwidth statistics (NetFlow).

Thanks.



On 5/8/07, Edd Barrett [EMAIL PROTECTED] wrote:

 Hi,

 On 5/8/07, Alberich de megres [EMAIL PROTECTED] wrote:
   In Linux I used logwatch; I know that I can use it on OpenBSD. But is there
   some other option in the OpenBSD world? What about snort? What way do you use
   to analyze logs in router firewalls or workstations?

 Do you have the ports tree installed? If you do try:

 cd /usr/ports
 make search key=log | more
 make search key=analyzer | more

  Try different case as well.

 --
 Best Regards

 Edd

 ---
 http://students.dec.bournemouth.ac.uk/ebarrett/



Re: Newbie Question

2007-05-08 Thread Alberich de megres
Can Pfstat make per source IP (for the local LAN, for example) statistics?

I heard nice things about SEC; I will take a look at both.


On 5/8/07, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Tue, May 08, 2007 at 10:45:36AM +0200, Alberich de megres wrote:
  Hello,
 
   I'm new to the OpenBSD world... I came from the Linux world :P And I got a
   question about logs
  
   In Linux I used logwatch; I know that I can use it on OpenBSD. But is
   there some other option in the OpenBSD world? What about snort? What way
   do you use to analyze logs in router firewalls or workstations?

 For log analysis, which is different from analyzing bandwidth and
 such, there are plenty of systems. I'd urge you to look at something
 that reports anything unknown, though, at least if you're using a log
 analyzer to point you at things that need fixing (as opposed to creating
 statistics, auto-blacklisting in response to SSH bruteforce attempts,
 and so on and so forth).

 Personally, I use SEC (sysutils/sec) for general log handling. It's
 pretty powerful, not too hard to use, and can be made to work in
 blacklist mode (search the web). I add pflogsumm (mail/pflogsumm) to
 handle all Postfix logs, mostly because SEC isn't that good at
 statistics (though you can get it to execute external programs...)

Joachim

 --
 TFMotD: ldd (1) - list dynamic object dependencies
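Joachim's reply mentions auto-blacklisting in response to SSH brute-force attempts as one job for a log watcher. As an added example that is not from the thread, written in awk rather than SEC so it runs anywhere, here is the core of such a blacklister: it counts sshd `Failed password` lines per source address in /var/log/authlog and prints the sources at or above a threshold, which a cron job can feed to `pfctl -t bruteforce -T add`. The log lines are constructed; the threshold, the whitelist pattern and the table name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a log-driven SSH blacklist feeder.
# Counts sshd "Failed password" lines per source address and prints the
# sources at or above a threshold, ready for "pfctl -t <table> -T add".
# The log lines below are constructed; in production read /var/log/authlog.

# ssh_bruteforcers THRESHOLD [WHITELIST_REGEX]
#   stdin:  syslog lines
#   stdout: "COUNT ADDRESS" per offending source, busiest first
# Sources matching WHITELIST_REGEX (your own LAN, a bastion host) are skipped
# so a fat-fingered password from inside cannot lock you out of the firewall.
ssh_bruteforcers() {
    awk -v min="$1" -v skip="${2:-^\$}" '
        # OpenSSH: "... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2"
        / sshd\[[0-9]+\]: Failed password for / {
            addr = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { addr = $(i + 1); break }
            if (addr != "" && addr !~ skip)
                fails[addr]++
        }
        END {
            for (a in fails)
                if (fails[a] >= min)
                    print fails[a], a
        }' | sort -rn
}

# Constructed authlog excerpt: one outside host hammering (3 failures), one
# inside user mistyping twice before succeeding, one single outside failure.
SAMPLE_LOG='May  8 10:45:36 fw1 sshd[9121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  8 10:45:38 fw1 sshd[9121]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May  8 10:45:40 fw1 sshd[9123]: Failed password for root from 203.0.113.5 port 51236 ssh2
May  8 10:46:02 fw1 sshd[9130]: Failed password for alberich from 192.168.0.20 port 40001 ssh2
May  8 10:46:05 fw1 sshd[9130]: Failed password for alberich from 192.168.0.20 port 40001 ssh2
May  8 10:46:09 fw1 sshd[9130]: Accepted password for alberich from 192.168.0.20 port 40001 ssh2
May  8 10:47:11 fw1 sshd[9140]: Failed password for invalid user test from 198.51.100.9 port 22022 ssh2'

demo() {
    # threshold 2, LAN whitelisted: only 203.0.113.5 is reported
    printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforcers 2 '^192[.]168[.]'
}
demo

# On the firewall (table name assumed), e.g. hourly from cron:
#   ssh_bruteforcers 5 '^192[.]168[.]' < /var/log/authlog |
#       while read -r n ip; do pfctl -t bruteforce -T add "$ip"; done
```

Re-adding an address that is already in the table is harmless (pfctl reports 0 added), so rerunning over the same log is safe; pair the table with `-T expire` so entries age out. Note what this catches that pf's own `max-src-conn-rate`/`overload` idiom does not: a slow, patient guesser that never trips a connection-rate limit still shows up as failed passwords in authlog.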