Re: pf question - antispoof and loopback

2022-12-24 Thread J Doe



On 2022-12-24 02:32, Philipp Buehler wrote:


On 22.12.2022 21:37, J Doe wrote:

    set skip on lo0
. . .
    antispoof quick for $ext_if


This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).

ciao


Hi Philipp,

Thank you for your reply.  Ok, I've gone with:


set skip on lo0
antispoof quick for $ext_if

... as you have recommended.  I was thinking this was correct, but I 
figured a message to misc@ was worth it to double-check and learn 
something new!


- J



Re: pf question - antispoof and loopback

2022-12-23 Thread Philipp Buehler

On 22.12.2022 21:37, J Doe wrote:

set skip on lo0
. . .
antispoof quick for $ext_if


This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).

ciao
--
pb



pf question - antispoof and loopback

2022-12-22 Thread J Doe

Hi,

I have a question regarding pf.

In man pf.conf[1], the following note is made in the section on: antispoof

"Caveat: Rules created by the antispoof directive interfere with
 packets sent over loopback interfaces to local addresses. One
 should pass these explicitly."

When man says that the traffic for the loopback address(es) should be 
"...pass[ed] explicitly", does that mean I would need something like the 
following in pf.conf:


pass quick on lo0
antispoof quick for $ext_if

... or is specifying an option that filtering on the loopback address 
should not take place sufficient:


set skip on lo0
. . .
antispoof quick for $ext_if

Thanks,

- J


Ref
===

[1] https://man.openbsd.org/pf.conf#TRAFFIC_NORMALISATION



Re: pf question - set skip on wildcards ?

2022-12-13 Thread Philipp Buehler

On 13.12.2022 22:11, J Doe wrote:

set skip on !$ext_if

... with the idea that this skips all interfaces (virtual or
otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to
perform filtering on ?


Yes, but likely to need a space between ! and $.

ciao
--
pb



Re: pf question - set skip on wildcards ?

2022-12-13 Thread J Doe



On 2022-12-13 01:23, Philipp Buehler wrote:

On 13.12.2022 06:02, J Doe wrote:

    set skip on { lo0, vif* }


in pf.conf(5) the GRAMMAR shows:
  ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
   "{" interface-list "}"

So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use interface-group, alas "set skip on vif". If that "one" interface
is e.g. vif7 within vif(4) this MIGHT go: "set skip on { vif !vif7 }".


Hi Philipp,

Ok, so the "!" is a NOT operation ?

If that is the case, could I use:

ext_if = "em0"

set skip on !$ext_if

... with the idea that this skips all interfaces (virtual or otherwise) 
_EXCEPT_ em0, which is the real Ethernet NIC that I want to perform 
filtering on ?


Thanks,

- J



Re: pf question - set skip on wildcards ?

2022-12-12 Thread Philipp Buehler

On 13.12.2022 06:02, J Doe wrote:

set skip on { lo0, vif* }


in pf.conf(5) the GRAMMAR shows:
 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
  "{" interface-list "}"

So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use interface-group, alas "set skip on vif". If that "one" interface
is e.g. vif7 within vif(4) this MIGHT go: "set skip on { vif !vif7 }".

HTH,
--
pb



pf question - set skip on wildcards ?

2022-12-12 Thread J Doe

Hello,

I have a question regarding: set skip on in pf.conf(5).

I have a host that has a number of dynamic virtual interfaces.  I don't 
want my ruleset to apply to those interfaces; however, as they are 
created and removed dynamically, I don't know what numbers will be 
assigned to those interfaces.


I'd like to use: set skip on, but I am uncertain as to whether I can use 
shell globbing to list the interfaces I want to omit.


For example, for a virtual interface: vifn where n can be 0, 1, etc., 
I'd like to use:


set skip on { lo0, vif* }

...however, that is not mentioned in man pf.conf.

If this is not possible, is there a way I can invert this and specify 
that the ruleset applies to _one_ interface ?


Thanks,

- J



Re: pf question: IPv6 prefix changed, how to tell pf?

2021-07-23 Thread David Dahlberg
On Fri, 2021-07-23 at 08:21 +0200, Harald Dunkel wrote:

> Deutsche Telekom gives me a new /56 prefix for my internal net and
> a new /64 prefix for the external connection on every reboot of my
> modem. The old internal prefix is not routed anymore. Question is,
> how can I tell pf to use the new prefix? 
> 
> There are a few constants in my pf.conf file, e.g.
> 
> myhost = "{ 2001:db8:1f21:1c03:123:4567:89ab:cdef ... }"
> 
> Currently they have to be edited on every prefix change.

I'd suggest writing them into a table, which is runtime modifiable.



pf question: IPv6 prefix changed, how to tell pf?

2021-07-23 Thread Harald Dunkel
Hi folks,

Deutsche Telekom gives me a new /56 prefix for my internal net and
a new /64 prefix for the external connection on every reboot of my
modem. The old internal prefix is not routed anymore. Question is,
how can I tell pf to use the new prefix? 

There are a few constants in my pf.conf file, e.g.

myhost = "{ 2001:db8:1f21:1c03:123:4567:89ab:cdef ... }"

Currently they have to be edited on every prefix change. Workaround
is to regenerate pf.conf from a template or to use pfctl to modify
some tables on the fly, but actually I would like to write something
like
p1 = (re1:prefix)
myhost = "{ $p1::123:4567:89ab:cdef ... }"

in my pf.conf.

The man page mentions "prefix" only for address family translation
(please excuse if I am too blind to see), so I wonder what is best
practice here?


Regards
Harri
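
One way to do what David suggests and Harri lists as a workaround, as an added example that is not part of the thread: keep the hosts in a pf table and refresh it from the current prefix with pfctl. It assumes the prefix is handed over as a string in the form ifconfig(8) prints it, that the subnet id is the low byte of the fourth hextet of the /56, and a hypothetical table name myhost; how the new prefix is obtained (a DHCPv6 client hook, a cron job) is left to the caller.

```sh
#!/bin/sh
# Added example, not from the thread: keep the IPv6 hosts in a pf table and
# rebuild it from the currently delegated /56 with pfctl(8), instead of
# editing macros in pf.conf on every prefix change. pf.conf then carries
#   table <myhost> persist
# and references <myhost> where the old $myhost macro was used.
# Assumptions (mine): the prefix is passed in the form ifconfig(8) prints,
# e.g. "2001:db8:1f21:1c00::/56"; the subnet id is the low byte of the fourth
# hextet of that /56; each host keeps a fixed 64-bit interface id. Obtaining
# the new prefix (a DHCPv6 client hook, a cron job) is left to the caller.

# Left-pad a hextet to four hex digits ("db8" -> "0db8").
pad_hextet() {
    h=$1
    while [ ${#h} -lt 4 ]; do h="0$h"; done
    printf '%s' "$h"
}

# compose_addr PREFIX/56 SUBNET_ID IFACE_ID
#   PREFIX/56 : delegated prefix, e.g. 2001:db8:1f21:1c00::/56
#   SUBNET_ID : two hex digits choosing one /64 inside the /56, e.g. 03
#   IFACE_ID  : the host's fixed interface id, e.g. 123:4567:89ab:cdef
# Prints 2001:db8:1f21:1c03:123:4567:89ab:cdef for the values above.
compose_addr() {
    case $2 in
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) printf 'compose_addr: bad subnet id "%s"\n' "$2" >&2; return 1 ;;
    esac
    subnet=$2
    iface=$3
    prefix=${1%/*}          # drop "/56"
    prefix=${prefix%%::*}   # drop "::" and anything after it
    oldifs=$IFS; IFS=:
    set -- $prefix          # leading hextets become $1..$4 ($4 may be empty)
    IFS=$oldifs
    h4=$(pad_hextet "${4:-0}")
    # The provider fixes the high byte of hextet 4; the low byte is ours.
    printf '%s:%s:%s:%s%s:%s\n' "$1" "$2" "$3" "${h4%??}" "$subnet" "$iface"
}

# build_addrs PREFIX/56 SUBNET:IFACE_ID...
# Prints the space-separated address list for all hosts, or fails if any
# spec is malformed, so a bad entry never empties the table.
build_addrs() {
    pfx=$1; shift
    out=""
    for spec in "$@"; do
        a=$(compose_addr "$pfx" "${spec%%:*}" "${spec#*:}") || return 1
        out="$out${out:+ }$a"
    done
    printf '%s\n' "$out"
}

# update_table TABLE PREFIX/56 SUBNET:IFACE_ID...
# Replaces the table contents in one pfctl call, so the addresses under the
# old prefix disappear in the same step the new ones appear.
update_table() {
    tbl=$1; pfx=$2; shift 2
    list=$(build_addrs "$pfx" "$@") || return 1
    # shellcheck disable=SC2086
    pfctl -t "$tbl" -T replace $list
}

# Demo: the addresses the table would receive for the poster's host.
build_addrs 2001:db8:1f21:1c00::/56 03:123:4567:89ab:cdef
# From the prefix-change hook (hypothetical) run instead:
#   update_table myhost "$NEW_PREFIX" 03:123:4567:89ab:cdef
```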



Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
 I found out the problem is in the unbound.conf file.  Now my Xperia can use 
the internet.  Thank you for your help.
Clarence



===original 
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1

    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign 
    forward-addr: 94.75.228.29    # chaos Computer Club
    forward-first: yes        #try direct if forwarder fails

==  changed unbound.conf===

server:
    interface: 192.168.1.1
    interface: 127.0.0.1
  
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
  
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign 
    forward-addr: 94.75.228.29    # chaos Computer Club
    forward-first: yes        #try direct if forwarder fails

==




On Monday, 11 May 2020 at 15:21:17 [GMT+8], man Chan () wrote:



Here are all the config files of my openbsd-router.  traceroute yahoo.com.hk on 
my xperia (android) stops at the IP of my openbsd-router.  Nothing is displayed 
on the openbsd-router running tcpdump -eni pflog0.

dhclient.conf
append domain-name-servers 127.0.0.1;
==

dhcpd.conf-
#    $OpenBSD: dhcpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:        192.168.1.0/255.255.255.0
# Domain name:        my.domain
# Name servers:        192.168.1.3 and 192.168.1.5
# Default router:    192.168.1.1
# Addresses:        192.168.1.32 - 192.168.1.127
#
option  domain-name "my.domain";
#option  domain-name-servers 192.168.1.3, 192.168.1.5;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;

    range 192.168.1.32 192.168.1.127;
}

 ==
pf.conf --
# The wired and wireless interface of the LAN
wired="re0"
#wifi=""

# This is a table of non-routable addresses that will be used later
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3    \
           192.168.0.0/16 192.18.0.0/15 198.51.100.0/24        \
           203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo

# Normalize the traffic
match in all scrub (no-df random-id max-mss 1440)

# Perform NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block in quick on egress from  to any

block return out quick on egress from any to 

block all

pass out quick inet keep state

pass in on { $wired } inet

# Forward incoming connections ( on TCP port 80 and 443 ) to web server
#pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2



resolv.conf--
# Generated by alc0 dhclient
nameserver 192.168.8.1
nameserver 127.0.0.1
lookup file bind


sysctl.conf-
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

=
unbound.conf  
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1

    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign 
    forward-addr: 94.75.228.29    # chaos Computer Club
    forward-first: yes        #try direct if forwarder fails


===
dmesg
OpenBSD 6.6-stable (GENERIC.MP) #1: Thu May  7 17:40:45 HKT 2020

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
 


Here are all the config files of my openbsd-router.  traceroute yahoo.com.hk on 
my xperia (android) stops at the IP of my openbsd-router.  Nothing is displayed 
on the openbsd-router running tcpdump -eni pflog0.

dhclient.conf
append domain-name-servers 127.0.0.1;
==

dhcpd.conf-
#    $OpenBSD: dhcpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:        192.168.1.0/255.255.255.0
# Domain name:        my.domain
# Name servers:        192.168.1.3 and 192.168.1.5
# Default router:    192.168.1.1
# Addresses:        192.168.1.32 - 192.168.1.127
#
option  domain-name "my.domain";
#option  domain-name-servers 192.168.1.3, 192.168.1.5;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;

    range 192.168.1.32 192.168.1.127;
}

 ==
pf.conf --
# The wired and wireless interface of the LAN
wired="re0"
#wifi=""

# This is a table of non-routable addresses that will be used later
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3    \
           192.168.0.0/16 192.18.0.0/15 198.51.100.0/24        \
           203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo

# Normalize the traffic
match in all scrub (no-df random-id max-mss 1440)

# Perform NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block in quick on egress from  to any

block return out quick on egress from any to 

block all

pass out quick inet keep state

pass in on { $wired } inet

# Forward incoming connections ( on TCP port 80 and 443 ) to web server
#pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2



resolv.conf--
# Generated by alc0 dhclient
nameserver 192.168.8.1
nameserver 127.0.0.1
lookup file bind


sysctl.conf-
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

=
unbound.conf  
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    interface: ::1

    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 64.6.64.6        # Verisign 
    forward-addr: 94.75.228.29    # chaos Computer Club
    forward-first: yes        #try direct if forwarder fails


===
dmesg
OpenBSD 6.6-stable (GENERIC.MP) #1: Thu May  7 17:40:45 HKT 2020

Networking/pf question, I am not sure ?

2020-05-10 Thread man Chan
Hello,
I recently set up a home network as follows (just for fun):
ISP  <> openbsd router (version 6.6 Stable) <--->  gigabit switch 
(TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)

everything works except that I can't use my sony xperia tablet to access 
the internet using the wireless function provided by the linksys-ea8300.
When I replace the openbsd-router and switch with another wireless router, I 
can use my sony xperia to access the internet.  Has anyone tried this before ? 
If yes, please let me know how you do it.  Thanks.
Clarence


Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman

On 5/10/20 2:12 PM, Kaya Saman wrote:

On 5/10/20 2:04 PM, Tom Smyth wrote:

Hello Clarence,

you would need to provide some more information about your setup,

ip addresses on interfaces, what is your pf.conf etc...

On your Xperia (I believe they are Android) you can download the
Hurricane Electric network tools (HE network tools), a free app to run
rudimentary network diagnostic commands such as ping, traceroute and DNS
lookup tests, to identify the problem associated with your connection
when using OpenBSD. That would help you diagnose the source of the
connectivity problems you are having...
Hope this helps

Tom Smyth


On Sun, 10 May 2020 at 13:09, man Chan  wrote:

Hello,
I recently set up a home network as follows (just for fun):
ISP  <> openbsd router (version 6.6 Stable) <--->  gigabit 
switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)


everything works except that I can't use my sony xperia tablet to 
access the internet using the wireless function provided by the 
linksys-ea8300.
When I replace the openbsd-router and switch with another wireless 
router, I can use my sony xperia to access the internet.  Has anyone 
tried this before ?

If yes, please let me know how you do it.  Thanks.
Clarence




I totally agree with the suggestion by @Tom above!


Another good tool for Android is 'fing', it will give you access to 
Traceroute and Ping functions on your Xperia.



The first thing to try would be to see if the Xperia can communicate 
with the gateway (OpenBSD router) then if that is successful public IP 
addresses. If something strange is going on you can further run 
Traceroute to narrow down where the issue is occurring.



On the OpenBSD side, it could be a number of things like PF rules, 
routing, NAT but without further information it is basically a guess 
as to what it could be.


Just to elaborate here a little; you can run the 'tcpdump' program on 
OpenBSD to give you more information.



To get started: man tcpdump


If you want to see where the packets from the Xperia are traveling then 
something like:



tcpdump -eni (inside_interface) host (ip_of_Xperia)


For debugging PF rules a good start is to use: tcpdump -eni pflog0 <- 
you can further narrow things down by using the 'action' option eg. 
'block' / 'allow'



Hope this helps a little more :-)




Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman

On 5/10/20 2:04 PM, Tom Smyth wrote:

Hello Clarence,

you would need to provide some more information about your setup,

ip addresses on interfaces, what is your pf.conf etc...

On your Xperia (I believe they are Android) you can download the
Hurricane Electric network tools (HE network tools), a free app to run
rudimentary network diagnostic commands such as ping, traceroute and DNS
lookup tests, to identify the problem associated with your connection
when using OpenBSD. That would help you diagnose the source of the
connectivity problems you are having...
Hope this helps

Tom Smyth


On Sun, 10 May 2020 at 13:09, man Chan  wrote:

Hello,
I recently set up a home network as follows (just for fun):
ISP  <> openbsd router (version 6.6 Stable) <--->  gigabit switch (TP-Link 
TL-SG1008D) <-> linksys ea8300 (with wireless)

everything works except that I can't use my sony xperia tablet to access 
the internet using the wireless function provided by the linksys-ea8300.
When I replace the openbsd-router and switch with another wireless router, I 
can use my sony xperia to access the internet.  Has anyone tried this before ?
If yes, please let me know how you do it.  Thanks.
Clarence




I totally agree with the suggestion by @Tom above!


Another good tool for Android is 'fing', it will give you access to 
Traceroute and Ping functions on your Xperia.



The first thing to try would be to see if the Xperia can communicate 
with the gateway (OpenBSD router) then if that is successful public IP 
addresses. If something strange is going on you can further run 
Traceroute to narrow down where the issue is occurring.



On the OpenBSD side, it could be a number of things like PF rules, 
routing, NAT but without further information it is basically a guess as 
to what it could be.



Regards,


Kaya



Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Tom Smyth
Hello Clarence,

you would need to provide some more information about your setup,

ip addresses on interfaces, what is your pf.conf etc...

On your Xperia (I believe they are Android) you can download the
Hurricane Electric network tools (HE network tools), a free app to run
rudimentary network diagnostic commands such as ping, traceroute and DNS
lookup tests, to identify the problem associated with your connection
when using OpenBSD. That would help you diagnose the source of the
connectivity problems you are having...
Hope this helps

Tom Smyth


On Sun, 10 May 2020 at 13:09, man Chan  wrote:
>
> Hello,
> I recently set up a home network as follows (just for fun):
> ISP  <> openbsd router (version 6.6 Stable) <--->  gigabit switch 
> (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)
>
> everything works except that I can't use my sony xperia tablet to access 
> the internet using the wireless function provided by the linksys-ea8300.
> When I replace the openbsd-router and switch with another wireless router, I 
> can use my sony xperia to access the internet.  Has anyone tried this before ?
> If yes, please let me know how you do it.  Thanks.
> Clarence



-- 
Kindest regards,
Tom Smyth.



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread michael
Shame on me ;-)
Now I saw:
"if neither are specified, the rule will match packets in both directions."

  Original message  
From: Markus Rosjat
Sent: Friday, 20 October 2017 15:32
To: misc@openbsd.org
Subject: Re: a pf question maybe asked a 1000 times

Hi,

as far as I understood the whole thing

On 20.10.2017 at 15:09, Michael Hekeler wrote:

>> pass on hvn0 inet proto icmp all icmp-type echoreq
> 
> just to be curious: what is the effect of "on" in your rules "pass on ..."
> As to pf.conf(5) there are only "in" or "out"

this should allow traffic in and out on a given nic but I might be 
wrong here. This is basically a training exercise for me so I don't do too 
much harm if some rules don't work right away as expected.

and this rule is valid even if it's not working as expected but after 
I activated it I could ping from the host and to the host. Without the 
rule I couldn't. On a host with just one nic it might be redundant but 
if you have more than one nic this might be a valid choice.

regards

-- 
Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi,

as far as I understood the whole thing

On 20.10.2017 at 15:09, Michael Hekeler wrote:


pass on hvn0 inet proto icmp all icmp-type echoreq


just to be curious: what is the effect of "on" in your rules "pass on ..."
As to pf.conf(5) there are only "in" or "out"


this should allow traffic in and out on a given nic but I might be 
wrong here. This is basically a training exercise for me so I don't do too 
much harm if some rules don't work right away as expected.


and this rule is valid even if it's not working as expected but after 
I activated it I could ping from the host and to the host. Without the 
rule I couldn't. On a host with just one nic it might be redundant but 
if you have more than one nic this might be a valid choice.


regards





Re: a pf question maybe asked a 1000 times

2017-10-20 Thread sven falempin
On Fri, Oct 20, 2017 at 9:09 AM, Michael Hekeler wrote:

>
> Glad to hear that you have solved the problem
>
>
> > as you may notice I added the ping and the dns to the ruleset since
> > this was blocked in the original set of rules.
>
> You can allow outgoing dns with one single rule:
>
>   pass out on $ext_if inet proto { tcp, udp } from $ext_if \
> to any port domain keep state
>
>
> > ...
> > pass on hvn0 inet proto icmp all icmp-type echoreq
>
> just to be curious: what is the effect of "on" in your rules "pass on ..."
> As to pf.conf(5) there are only "in" or "out"
>
>
>
>
> https://man.openbsd.org/pflog

Observe what you are doing: block log []

tcpdump [-n] -i pflog0

-- 
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do
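
Both Kaya's tcpdump -eni pflog0 tip (in the Networking/pf thread above) and sven's "block log" note depend on rules that carry the log keyword; pflog0 shows nothing otherwise. As an added example, not from either post, here is a small summariser that groups pflog lines by action, direction, interface, rule number and destination, run over constructed sample lines in the shape that tcpdump -eni pflog0 prints on OpenBSD (addresses and rule numbers are made up).

```sh
#!/bin/sh
# Added example (not from the thread): summarise what pf logged on pflog0.
# pflog0 only carries packets matched by rules that carry the "log" keyword
# (sven's "block log"), so a ruleset without "log" shows nothing there.
# The sample lines below are constructed in the shape that
# "tcpdump -eni pflog0" prints on OpenBSD; addresses are made up.

# Write the constructed sample to a temp file and print its path.
write_sample_pflog() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
11:03:14.420123 rule 2/(match) block in on re0: 192.168.1.50.54321 > 203.0.113.9.443: S 1:1(0) win 65535
11:03:15.001200 rule 2/(match) block in on re0: 192.168.1.50.54322 > 203.0.113.9.443: S 1:1(0) win 65535
11:03:15.330001 rule 2/(match) block in on re0: 192.168.1.50.41000 > 192.168.1.1.53: [udp sum ok] 1+ A? yahoo.com.hk. (30)
11:03:16.002500 rule 5/(match) pass out on alc0: 192.168.8.10.54322 > 203.0.113.9.443: S 1:1(0) win 65535
11:03:17.100000 rule 2/(match) block in on re0: 192.168.1.50 > 203.0.113.9: icmp: echo request
EOF
    printf '%s\n' "$f"
}

# summarize_pflog FILE [ACTION]
# Groups logged packets by action, direction, interface, rule number and
# destination, most frequent first. ACTION ("block" or "pass") narrows the
# output the way "tcpdump -eni pflog0 action block" would.
summarize_pflog() {
    awk -v want="${2:-}" '
        $2 == "rule" && (want == "" || $4 == want) {
            split($3, r, "/")               # "2/(match)" -> 2
            iface = $7; sub(/:$/, "", iface)
            dst = $10;  sub(/:$/, "", dst)
            key = $4 " " $5 " " iface " rule " r[1] " -> " dst
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Demo when run directly: the view pairs each blocked flow with the rule
# number that dropped it, e.g. the DNS query to the router on port 53.
sample=$(write_sample_pflog)
summarize_pflog "$sample"
echo "--- blocked only ---"
summarize_pflog "$sample" block
rm -f "$sample"
```

The rule number in each line is the position shown by pfctl -sr, so the summary maps straight back to the ruleset.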


Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler

Glad to hear that you have solved the problem


> as you may notice I added the ping and the dns to the ruleset since
> this was blocked in the original set of rules.

You can allow outgoing dns with one single rule:

  pass out on $ext_if inet proto { tcp, udp } from $ext_if \
to any port domain keep state


> ...
> pass on hvn0 inet proto icmp all icmp-type echoreq

just to be curious: what is the effect of "on" in your rules "pass on ..."
As to pf.conf(5) there are only "in" or "out"

 
  



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi Michael,

as far as pfctl -sr goes a block return expands to block return all

but since I got it working now here is the ruleset that does what it 
is supposed to do :)


ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass on $ext_if inet proto {tcp udp} to port domain

pass on $ext_if inet proto icmp icmp-type echoreq

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

$ doas pfctl -sr
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq

as you may notice I added the ping and the dns to the ruleset since this 
was blocked in the original set of rules.


regards

On 20.10.2017 at 14:27, Michael Hekeler wrote:

On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:

...
block return    # block stateless traffic



Hi Markus, here's another hint:

no matter if you want to drop silently or send a return for the dropped
packet, you have to tell **on which packet the block action should react**

   block drop all
   -or-
   block return all
   -or-
   block all
   


If you have this in your pf.conf and load this ruleset then 'pfctl -sr'
will give you a line like:

   block drop all
   (or whatever you have in pf.conf)








Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> block return    # block stateless traffic


Hi Markus, here's another hint:

no matter if you want to drop silently or send a return for the dropped 
packet, you have to tell **on which packet the block action should react**

  block drop all
  -or-
  block return all
  -or-
  block all
  

If you have this in your pf.conf and load this ruleset then 'pfctl -sr' 
will give you a line like:

  block drop all
  (or whatever you have in pf.conf)




Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi again,

okay big time PEBKAC  ... if you do the -d you should at some point 
do the -e ... haha


anyway always fun to brainstorm with you guys this list rocks !!!

On 20.10.2017 at 14:11, Markus Rosjat wrote:

Hi,

yeah well the rules are loaded, I could flush before doing pfctl -f to make 
it all clean.


  I tried ssh m...@domain.tld from the machine with the ruleset. this works
  with the given rules but it shouldn't in my opinion.

and yes there is no dns traffic allowed in the rules. Maybe it's really 
the flush that makes it all work. I will try that :)


regards







Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi,

yeah well the rules are loaded, I could flush before doing pfctl -f to make 
it all clean.


 I tried ssh m...@domain.tld from the machine with the ruleset. this works
 with the given rules but it shouldn't in my opinion.

and yes there is no dns traffic allowed in the rules. Maybe it's really 
the flush that makes it all work. I will try that :)


regards





Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> what I notice is I can initiate a ssh connection from this machine.

Just a question:
how do you initiate the ssh connection?
  
  ssh host.example.com

Then you realise that there is also dns out (53/tcp,udp)



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Niels Kobschaetzki

On 17/10/20 12:59, Markus Rosjat wrote:

Hi there,

I was wondering, after reading Mr Hansteen's excellent book about pf and 
the man pages, if I got it all wrong :)


so here is my example pf.conf

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

and what I expect is the following:

- traffic ipv4 and ipv6 gets blocked -> general deny
- I let enter ssh traffic
- I let enter https traffic
- I let out traffic on the https and submission ports
- I should not be able to establish a ssh connection from this host to
  another machine but it should be possible to connect to this
  machine

what I notice is I can initiate a ssh connection from this machine. So 
there are three possible answers to this:


- 1st with allowing ssh traffic in the first place ssh port will be
  considered passable from both sides of the nic. Which would somehow
  make no sense to me at all because it's an explicit in rule
- 2nd the ssh connection initiated is somehow considered coming from lo
  and for that not passed to the following rules
- 3rd my rules are just wrong :)

So for all the more skilled human beings out there can you help me with it?


Can you do an ssh to all hosts, or did you try to ssh to the host from which
you ssh in?
H1 is yours, H2 is the server with the rules above, H3 some other
machine:

1) H1 --ssh--> H2
  and then you did H2 --ssh--> H1

Or 2) H2 --ssh--> H3?

In case 1 I would expect that it works because the state should allow
that. Only when the connection is terminated, it shouldn't be possible
anymore to ssh from H2 to H1.

Niels



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> what I notice is I can initiate a ssh connection from this machine.
> So there are three possible answers to this:
>  - 1st with allowing ssh traffic in the first place ssh port will be
>    considered passable from both sides of the nic. Which would somehow
>    make no sense to me at all because it's an explicit in rule
>  - 2nd the ssh connection initiated is somehow considered coming from lo
>    and for that not passed to the following rules
>  - 3rd my rules are just wrong :)

Another 4:
You forgot to load your ruleset:  pfctl -f pf.conf 



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi,

On 20.10.2017 at 13:11, Bryan Harris wrote:

I don't know the answer but I'm curious.  What does "pfctl -sr" command
show?  Can you do dns lookups?

PS - my rules have the "pass out all" rule at the bottom.

V/r,
Bryan



sure I can give the output:

$ doas pfctl -sr
doas (m...@my.own) password:
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA

I don't have a pass out all rule; this would match all outgoing traffic.

but maybe match is the key here :)

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227





Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Solène Rapenne

On 2017-10-20 12:59, Markus Rosjat wrote:

Hi there,

I was wondering, after reading Mr Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)

so here is my example pf.conf

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, 
submission }


and what I expect is the following:

 - traffic ipv4 and ipv6 gets blocked -> general deny
 - I let enter ssh traffic
 - I let enter https traffic
 - I let out traffic on https and submission port
 - I should not be able to establish a ssh connection from this host to
   another machine but should connect to be able to connect to this
   machine

what I notice is I can initiate a ssh connection from this machine. So
there are three possible answers to this:

 - 1st with allowing ssh traffic in the first place ssh port will be
   considered passable from both sides of the nic. Which would somehow
   make no sense to me at all because it's an explicit in rule
 - 2nd the ssh connection initiated is somehow considered coming from lo
   and for that not passed to the following rules
 - 3rd my rules are just wrong :)

So for all the more skilled human beings out there can you help me with 
it?


regards


Hello,

I'm not a pf expert but you did not block traffic at all.
You may want to use "block all" instead of block return

Have a look at the different examples: https://www.openbsd.org/faq/pf/



Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Bryan Harris
I don't know the answer but I'm curious.  What does "pfctl -sr" command
show?  Can you do dns lookups?

PS - my rules have the "pass out all" rule at the bottom.

V/r,
Bryan

On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat  wrote:

> Hi there,
>
> I was wondering, after reading Mr Hansteen's excellent book about pf and the
> man pages, if I got it all wrong :)
>
> so here is my example pf.conf
>
> ext_if="hvn0"
>
> set skip on lo
>
> block return    # block stateless traffic
> block inet6
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
>
> pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission
> }
>
> and what I expect is the following:
>
>  - traffic ipv4 and ipv6 gets blocked -> general deny
>  - I let enter ssh traffic
>  - I let enter https traffic
>  - I let out traffic on https and submission port
>  - I should not be able to establish a ssh connection from this host to
>another machine but should connect to be able to connect to this
>machine
>
> what I notice is I can initiate a ssh connection from this machine. So
> there are three possible answers to this:
>
>  - 1st with allowing ssh traffic in the first place ssh port will be
>    considered passable from both sides of the nic. Which would somehow
>    make no sense to me at all because it's an explicit in rule
>  - 2nd the ssh connection initiated is somehow considered coming from lo
>and for that not passed to the following rules
>  - 3rd my rules are just wrong :)
>
> So for all the more skilled human beings out there can you help me with it?
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
> 
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
>
>


a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat

Hi there,

I was wondering, after reading Mr Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)


so here is my example pf.conf

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

and what I expect is the following:

 - traffic ipv4 and ipv6 gets blocked -> general deny
 - I let enter ssh traffic
 - I let enter https traffic
 - I let out traffic on https and submission port
 - I should not be able to establish a ssh connection from this host to
   another machine but should connect to be able to connect to this
   machine

what I notice is I can initiate a ssh connection from this machine. So 
there are three possible answers to this:


 - 1st with allowing ssh traffic in the first place ssh port will be
   considered passable from both sides of the nic. Which would somehow
   make no sense to me at all because it's an explicit in rule
 - 2nd the ssh connection initiated is somehow considered coming from lo
   and for that not passed to the following rules
 - 3rd my rules are just wrong :)

So for all the more skilled human beings out there can you help me with it?

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

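The H1/H2/H3 reasoning in this thread can be checked against a small model of how pf evaluates a ruleset: rules are read top to bottom and the last matching rule wins, a 'quick' rule ends evaluation at once, and a pass rule creates a state that covers both directions of that one connection and nothing else. This is an added illustration, not code from the thread or from pf; H1, H2 and H3 are stand-in addresses, only the IPv4 TCP rules of Markus's pf.conf are modelled, and state creation on the initial SYN (the 'flags S/SA' default) is assumed rather than modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" as seen on the filtering interface
    ifname: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    ifname: Optional[str] = None      # None matches any interface
    proto: Optional[str] = None
    src: Optional[str] = None         # None means "any"
    sport: Optional[FrozenSet[int]] = None
    dst: Optional[str] = None
    dport: Optional[FrozenSet[int]] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        exact = ((self.direction, p.direction), (self.ifname, p.ifname),
                 (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst))
        if any(want is not None and want != got for want, got in exact):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        return self.dport is None or p.dport in self.dport

class PfModel:
    """Last matching rule wins, 'quick' ends evaluation, pass rules create state."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _state_key(p: Packet):
        # One state covers both directions of a connection: order the endpoints canonically.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return min(fwd, rev)

    def filter(self, p: Packet) -> str:
        key = self._state_key(p)
        if key in self.states:
            return "pass (state)"     # the state table is consulted before the ruleset
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass (no rule matched)"   # pf's implicit default is pass
        if winner.action == "pass":
            self.states.add(key)
        return winner.action

EXT_IF = "hvn0"
H2 = "H2"                     # the filtering host itself, i.e. ($ext_if)
SSH, HTTPS, SUBMISSION = 22, 443, 587

# Markus's ruleset with macros expanded; 'block inet6' is omitted because only
# IPv4 TCP is modelled. In the last rule the port list follows 'from', so it
# constrains the SOURCE port, which is what 'pfctl -sr' in the thread prints
# ('from (hvn0) port = 443 to any').
MARKUS_RULES = [
    Rule("block"),  # 'block return': blocks (answering TCP with a RST) whatever no later rule passes
    Rule("pass", "in", EXT_IF, "tcp", dst=H2, dport=frozenset({SSH})),
    Rule("pass", "in", EXT_IF, "tcp", dst=H2, dport=frozenset({HTTPS})),
    Rule("pass", "out", EXT_IF, "tcp", src=H2, sport=frozenset({HTTPS, SUBMISSION})),
]

def run_scenarios():
    """Walk the H1/H2/H3 packets discussed in the thread through the model."""
    pf = PfModel(MARKUS_RULES)
    r = {}
    # H1 opens ssh to H2: 'pass in ... port ssh' is the last match and creates a state.
    r["H1->H2 ssh SYN (in)"] = pf.filter(Packet("in", EXT_IF, "tcp", "H1", 50000, H2, SSH))
    # H2's packets back to H1 on that connection are passed by the state, not by a rule.
    r["H2->H1 ssh reply (out)"] = pf.filter(Packet("out", EXT_IF, "tcp", H2, SSH, "H1", 50000))
    # A new ssh connection from H2 is a different 4-tuple: no state exists, and
    # the only matching rule is the initial 'block'.
    r["H2->H1 new ssh SYN (out)"] = pf.filter(Packet("out", EXT_IF, "tcp", H2, 50001, "H1", SSH))
    r["H2->H3 new ssh SYN (out)"] = pf.filter(Packet("out", EXT_IF, "tcp", H2, 50002, "H3", SSH))
    # Outbound https from H2 uses a random source port, so the 'pass out' rule
    # (source port 443/587) does not match it either.
    r["H2->H3 https SYN (out)"] = pf.filter(Packet("out", EXT_IF, "tcp", H2, 50003, "H3", HTTPS))
    return r

if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:28s} -> {verdict}")
```

If the host can still open ssh connections under this ruleset, the model says the loaded ruleset is not the one shown, which is exactly what 'pfctl -sr' is for.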




Re: pf: question about tables derived from interface group

2014-12-29 Thread Harald Dunkel
On 12/28/14 15:35, Harald Dunkel wrote:
 
 That's cool. Where did you find this? Searching on openbsd.org
 for _pf revealed only 
 http://www.openbsd.org/papers/ven05-henning/mgp00011.txt .
 This is surely something that should go to the man page or to
 the FAQs for pf.
 

PS: Another important piece of information not given in pf.conf(5) is that
(groupname:network) excludes fe80::/10, even though (groupname)
includes the link-local address.


Regards
Harri



pf: question about tables derived from interface group

2014-12-28 Thread Harald Dunkel
Hi folks,

pfctl can give me an extended list of tables showing interface
group names, self, etc. Sample:

# pfctl -g -sT
egress
egress:0
extern
extern:network
intern:network
nospamd
self
spamd-white
unroutable

How can I query the value of the special tables?

# pfctl -g -t extern -T show
pfctl: Table does not exist.

???

pfctl -gsr shows me some highly interesting tables in some rules,
e.g.

pass in log quick on extern proto tcp from (extern:network:1) to (extern:1) port = 22 flags S/SA keep state (if-bound)
pass out log quick on extern proto tcp from (self:9) to any port = 80 flags S/SA keep state (if-bound)
pass in log quick on extern inet proto tcp from <spamd-white:80> to (egress:0:1) port = 25 flags S/SA keep state (if-bound)

I would like to know what (self:9) and (extern:network:1) and the
others mean, and which value they currently have.


Every helpful comment is highly appreciated.

Best seasons greetings
Harri



Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 6:38 AM, Harald Dunkel ha...@afaics.de wrote:
 Hi folks,

 pfctl can give me an extended list of tables showing interface
 group names, self, etc. Sample:

 # pfctl -g -sT
 egress
 egress:0
 extern
 extern:network
 intern:network
 nospamd
 self
 spamd-white
 unroutable

 How can I query the value of the special tables?

These tables are under the hidden _pf anchor:

pfctl -a _pf -t extern -T show



Re: pf: question about tables derived from interface group

2014-12-28 Thread Harald Dunkel
On 12/28/14 13:51, Maxim Khitrov wrote:
 
 These tables are under the hidden _pf anchor:
 
 pfctl -a _pf -t extern -T show
 

That's cool. Where did you find this? Searching on openbsd.org
for _pf revealed only 
http://www.openbsd.org/papers/ven05-henning/mgp00011.txt .
This is surely something that should go to the man page or to
the FAQs for pf.


Many thanx
Harri



Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 9:35 AM, Harald Dunkel ha...@afaics.de wrote:
 On 12/28/14 13:51, Maxim Khitrov wrote:

 These tables are under the hidden _pf anchor:

 pfctl -a _pf -t extern -T show


 That's cool. Where did you find this? Searching on openbsd.org
 for _pf revealed only 
 http://www.openbsd.org/papers/ven05-henning/mgp00011.txt .
 This is surely something that should go to the man page or to
 the FAQs for pf.

I read the source code when I wanted to know how (if) was
implemented and whether there is any performance penalty associated
with this construct.



another carp bgp and pf question

2013-11-17 Thread Marko Cupać
I have two routers in active/passive carp mode that share three pairs
of carp interfaces:
bge1 - DMZ
em0 - ISP1
em1 - ISP2

They are also syncing pf states over syncdev bge0.

Both routers are in BGP sessions with two upstream providers (via /29
networks), and I am achieving graceful failover by means of bgpd.conf:
...
network MY.NET.WO.RK/24 set nexthop carp ip to isp1
network MY.NET.WO.RK/24 set nexthop carp ip to isp2
...

I noticed ssh login attempts to one of my DMZ servers even though this
server is not in table of hosts for which ssh login is permitted:
pass in on $if_isp1 inet proto tcp from any to <ssh> port ssh \
  modulate state \
  (max-src-conn-rate 5/60, overload <badsshlogins> flush global) \
  set queue (isp1-run, isp1-ack)

Question #1:
How can I troubleshoot this? Is it possible that some ancient state is
keeping ssh to that host possible (e.g. if I enabled it in the past, and
later reloaded pf.conf but without flushing states)?

I have a source-track rule which should drop all traffic with any host
that fails to log in 5 times over a 60-second period by dynamically
updating <badsshlogins>, as I have:
block log quick from <badsshlogins>
block log quick to <badsshlogins>

...early in the ruleset.

Question #2: how come that, even though table <badsshlogins> is
filling up over time, I see some host violating this in the security logs
of my DMZ servers but not being put in the <badsshlogins> table?

Question #3: <badsshlogins> on the 2nd firewall is empty. Can they be
synced like states, or do violators need to violate the rule on the 2nd
firewall in order to have all the traffic with them blocked?

Question #4: Is there a better way of connecting to 2 upstream
providers with graceful failover ability?

Thank you in advance,
-- 
Marko Cupać



Re: another carp bgp and pf question

2013-11-17 Thread andy
On Sun, 17 Nov 2013 15:32:01 +0100, Marko Cupać marko.cu...@mimar.rs
wrote:
 I have two routers in active/passive carp mode that share three pairs
 of carp interfaces:
 bge1 - DMZ
 em0 - ISP1
 em1 - ISP2
 
 They are also syncing pf states over syncdev bge0.
 
 Both routers are in BGP sessions with two upstream providers (via /29
 networks), and I am achieving graceful failover by means of bgpd.conf:
 ...
 network MY.NET.WO.RK/24 set nexthop carp ip to isp1
 network MY.NET.WO.RK/24 set nexthop carp ip to isp2
 ...
 
 I noticed ssh login attempts to one of my DMZ servers even though this
 server is not in table of hosts for which ssh login is permitted:
 pass in on $if_isp1 inet proto tcp from any to <ssh> port ssh \
   modulate state \
   (max-src-conn-rate 5/60, overload <badsshlogins> flush global) \
   set queue (isp1-run, isp1-ack)
 
 Question #1:
 How can I troubleshoot this? Is it possible that some ancient state is
 keeping ssh to that host possible (e.g. if I enabled it in the past, and
 later reloaded pf.conf but without flushing states)?
 
If you have large rulesets you may have overlapping rules.
Try connecting from a test machine on the outside to the public ip mapped
to the internal server (but which isn't in the 'ssh' table).
Once you have tried to connect, if you are successful but shouldn't have
been, run 'pfctl -ss -vv' grepping for the IP of your outside host. Look for
the pf rule number on the active pf state.

If the rule number is a '*' I think this means the original pf rule which
created the state no longer exists in pf rule memory. Sure that's the case
with 'systat 8' anyway.

Finally run 'pfctl -sr -vv' and find the matching pf rule number..


 I have a source-track rule which should drop all traffic with any host
 that fails to log in 5 times over a 60-second period by dynamically
 updating <badsshlogins>, as I have:
 block log quick from <badsshlogins>
 block log quick to <badsshlogins>
 
 ...early in the ruleset.
 
 Question #2: how come that, even though table <badsshlogins> is
 filling up over time, I see some host violating this in the security logs
 of my DMZ servers but not being put in the <badsshlogins> table?
 
Probably another old rule without any stateful source tracking applied
matching the connection.
The above steps would also show you if this was the case.


 Question #3: <badsshlogins> on the 2nd firewall is empty. Can they be
 synced like states, or do violators need to violate the rule on the 2nd
 firewall in order to have all the traffic with them blocked?
No I don't think tables are sync'ed yet. Hopefully one day

 
 Question #4: Is there a better way of connecting to 2 upstream
 providers with graceful failover ability?

You could try tuning your BGP attributes with your transit providers to
improve BGP responsiveness maybe.

BFD (Bidirectional Forward Detection) is probably the best way to handle
BGP timeliness.
The benefit of BFD is that the moment your link goes down, within less
than a second /both/ sides have gracefully torn down their eBGP neighbour
relationships and pulled the routes. This means your public
announce on that side should also go down quickly reducing the chance of
inbound connections heading towards you via the down ISP, because they are
still announcing you.. Of course you always suffer any BGP dampening
systems networks might have.

BFD is supported on various commercial routers including Cisco and Juniper
etc, but not yet by OpenBSD.

Rivo Nurges kindly said he would try to find some time to look at
implementing this for OpenBSD, so if we're lucky we might have something
soon to really improve BGP responsiveness when using OpenBSD.
Andy.

 
 Thank you in advance,



altq / pf question

2011-10-06 Thread David Higgs
I enabled altq briefly on my OpenBSD router to throttle upstream
traffic due to a buggy cable modem.  It worked great, but I've since
replaced the modem and removed the bandwidth constraints.

Since I'm nowhere near saturating the link and haven't dropped any
packets since then, is there any remaining benefit to keeping the
queueing config?  There's no 'maximum queue depth' output from pfctl
-sq to help me answer this question myself.  Is everything just FIFO
at this point or is there still some reordering that may occur, though
probably only in rare circumstances for my setup?

Thanks.

--david



Re: Newbie Network/PF Question

2011-01-07 Thread Mike.
On 1/6/2011 at 10:40 AM Mike. wrote:

|On 1/5/2011 at 2:56 PM Axton wrote:
|
||On Wed, Jan 5, 2011 at 10:14 AM, Mike. the.li...@mgm51.com wrote:
||
|| On 1/4/2011 at 10:57 PM Josh Smith wrote:
||
|| |
|| |pass in on $int_if0 # pass all incomming traffic on our internal
|| interface
|| |pass in on $int_if1 # pass all incomming traffic on our internal
|| interface from the test network
||  =
||
||
||
||
|| I have two internal subnetworks, one for standard frames and one
for
|| jumbo frames.
||
|| Instead of the two rules you cite, I use the following:
||
||
||
||
|| # macros
|| std_if = em1
|| jum_if = em0
|| loc_if = lo0
||
||
|| # let internal traffic flow unimpeded
|| pass  quick on $loc_if
|| pass  quick on $std_if
|| pass  quick on $jum_if
||
||
||set skip is probably more efficient.
| =
|
|
|It's a very light-duty firewall, but I'll read up on your suggestion
|anyway.
|
|Thanks.
 =


I read through the documentation, and it looks like I cannot use 'set
skip' on my firewall.   Set skip bypasses all pf processing for the
interface noted, and I need pf to perform the ftp proxy processing
on those two interfaces.

So I'll keep the pass quick rules.


Thanks again for your comment, though.  I learned something as I
researched it.



Re: pf question: multiple multihomed machines

2011-01-06 Thread lilit-aibolit
 gwes wrote:

  What is the recommended pf.conf to get symmetrical routing
  for incoming and outgoing connections using a dual-homed
  gateway and internal hosts with static IPs on both WANs?
  
  I'm assuming route-to and reply-to are the correct
  tools to use.
  
  I've looked at the FAQ, googled for dual & multihomed machines,
  and haven't found a clear answer yet.
  
  I know there's a multihome section in the FAQ, but
  it only handles pools of nat-ed machines, and the last couple
  of lines are not obvious.

Hi, I use policy-based routing with PF. I have one local_if and three
external_if; two of them have their own gateway, and one doesn't.
Here is my pf.conf. It has no comments, but if you read it carefully it
is all there.
Have a nice day with PF =)

#	$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if_a = xl0
ext_gw_a = 195.26.xxx.xxx

ext_if_b = fxp1
ext_gw_b = 188.230.xxx.xxx

ext_if_c = fxp2
ext_gw_c = 172.20.252.33

int_if   = fxp0

table <firewall>  const { self }
table <khaer>     { 192.168.16.0/24 }
table <admin>     { 192.168.16.1, 192.168.16.4, 192.168.16.6, 192.168.16.100 }
table <www>       { 192.168.16.2 }
table <1c>        { 192.168.16.3 }
table <zvit>      { 192.168.16.4 }
table <mail>      { 192.168.16.5 }
table <ad>        { 192.168.16.7 }
table <fourblock> { 192.168.16.188 }
table <milestone> { 192.168.16.200 }
#table <officeserv> { }
table <dns>       { 194.44.xxx.xxx, 217.12.xxx.xxx }
table <kl-bank>   { 192.168.16.184, 192.168.16.185, 192.168.16.201, \
                    192.168.16.207, 192.168.16.210, 192.168.16.218, \
                    192.168.16.221, 192.168.16.241 }
table <ipsec>     { 192.168.15.0/24 }
table <private>   { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
                    127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
                    172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
                    192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table <bruteforce> persist
table <advertisement> file "/etc/advertisement"

set skip on { lo0, enc0 }
set loginterface $ext_if_b
set timeout { frag 20, tcp.established 3600 }
set block-policy drop

antispoof quick for { fxp1, fxp2, xl0 }

match in all scrub (no-df)

#anchor "ftp-proxy/*"

#queueing
#altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a }
#queue q_std_a   bandwidth 10% priority 1 cbq(default)
#queue q_mail_a  bandwidth 70% priority 5 cbq(borrow)
#queue q_www_a   bandwidth 20% priority 3 cbq(borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank, q_www_b }
#queue q_std_b   bandwidth 5%  priority 1 cbq(default)
#queue q_admin   bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b   bandwidth 40% priority 2 cbq(borrow)

#nat
match out on $ext_if_a inet proto tcp from <khaer> to !<khaer> nat-to $ext_if_a
match out on $ext_if_b inet from <khaer> to !<khaer> nat-to $ext_if_b
match out on $ext_if_b inet from <ipsec> to !<ipsec> nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from <admin> to any nat-to $ext_if_c
#rdr
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp, smtps, 444, 5 } tag MAIL_A rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag EXT_B rdr-to <mail>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag EXT_B rdr-to <zvit> port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag EXT_B rdr-to <milestone>
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 1 tag EXT_B rdr-to <milestone> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to 127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001, 6002 } tag EXT_B rdr-to 192.168.16.100
#block
block in quick on $ext_if_a from <bruteforce>
block in quick on $int_if from any to <advertisement>
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on { $ext_if_a, $ext_if_b } from <private> to any
block out quick on { $ext_if_a, $ext_if_b } from any to <private>
block log all
#in
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522 reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain reply-to ($ext_if_b 

Re: Newbie Network/PF Question

2011-01-06 Thread David Walker
While we're piling on ...

I have three interfaces, vr0 is my internet (pppoe), vr1 and vr2 are
my internal networks.
This gives me a good mental picture ...

# packet filtering

block all

# pppoe0:network

pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)

# vr1:network

pass in on vr1 inet from vr1:network to any
pass out on vr1 inet from vr1 to vr1:network
pass out on vr1 inet from vr2:network to vr1:network

# vr2:network

pass in on vr2 inet from vr2:network to any
pass out on vr2 inet from vr2 to vr2:network
pass out on vr2 inet from vr1:network to vr2:network

... add echo, port rules, etcetera as necessary.
I think that does pretty much what you want - my setup is ziggactly the same.

Best wishes.



Re: Newbie Network/PF Question

2011-01-06 Thread Mike.
On 1/5/2011 at 2:56 PM Axton wrote:

|On Wed, Jan 5, 2011 at 10:14 AM, Mike. the.li...@mgm51.com wrote:
|
| On 1/4/2011 at 10:57 PM Josh Smith wrote:
|
| |
| |pass in on $int_if0 # pass all incomming traffic on our internal
| interface
| |pass in on $int_if1 # pass all incomming traffic on our internal
| interface from the test network
|  =
|
|
|
|
| I have two internal subnetworks, one for standard frames and one for
| jumbo frames.
|
| Instead of the two rules you cite, I use the following:
|
|
|
|
| # macros
| std_if = em1
| jum_if = em0
| loc_if = lo0
|
|
| # let internal traffic flow unimpeded
| pass  quick on $loc_if
| pass  quick on $std_if
| pass  quick on $jum_if
|
|
|set skip is probably more efficient.
 =


It's a very light-duty firewall, but I'll read up on your suggestion
anyway.

Thanks.



Re: Newbie Network/PF Question

2011-01-05 Thread Remco
Josh Smith wrote:

 I have been running OpenBSD as my home router for a couple of years
 now and everything has worked well thus far.  However this evening I
 added a second network interface to my router because I would like to
 add some hosts for testing on a separate network segment and am
 running into some difficulties.
 
 My network is configured as follows:
 gem0 - DHCP address and link to internet
 rl0 - 10.66.66.1/24 - original home network segment
 rl1 - 10.66.67.1/24 - new test network segment
 
 from a host on the 10.66.66.1/24 network I am able to connect to
 10.66.67.1 but no other host on that network segment.  However I am
 able to connect to any host on this segment from my openbsd router.
 

The one thing I tend to overlook is enabling IP forwarding:
$ sysctl |grep forward
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

Otherwise your best friends are probably ping and tcpdump ... -i pflog0 to
see if PF is blocking anything.



Re: Newbie Network/PF Question

2011-01-05 Thread Mike.
On 1/4/2011 at 10:57 PM Josh Smith wrote:

|
|pass in on $int_if0 # pass all incomming traffic on our internal
interface
|pass in on $int_if1 # pass all incomming traffic on our internal
interface from the test network
 =




I have two internal subnetworks, one for standard frames and one for
jumbo frames.

Instead of the two rules you cite, I use the following:




# macros
std_if = em1
jum_if = em0
loc_if = lo0


# let internal traffic flow unimpeded
pass  quick on $loc_if
pass  quick on $std_if
pass  quick on $jum_if



pf question: multiple multihomed machines

2011-01-05 Thread gwes
What is the recommended pf.conf to get symmetrical routing
for incoming and outgoing connections using a dual-homed
gateway and internal hosts with static IPs on both WANs?

I'm assuming route-to and reply-to are the correct
tools to use.

I've looked at the FAQ, googled for dual & multihomed machines,
and haven't found a clear answer yet.

I know there's a multihome section in the FAQ, but
it only handles pools of nat-ed machines, and the last couple
of lines are not obvious.

I've got 2 WAN connections going to a gateway machine
with 3 physical interfaces and one virtual interface:

  vether0
 |
wan1 --- bridge0 --- wan2
 |
lan--|
 |nat-host-1
multihomed-host-1|
 |nat-host-2
multihomed-host-2|
 |nat-host-3
multihomed-host-3|
 |nat-host-4

For one wan, the PF can be reasonably simple, with most
of the rules on the WAN interfaces. Even now, it's quite long:

block in on $wan all
block in quick on $wans from <evil-hosts> to any
block out on wan proto udp from any to any port $bad_port_list
block out on wan proto tcp from any to <internals>
block out on wan proto udp from any to <internals>
etc

pass in on wan proto tcp from any to <www-hosts> port www
pass in on wan proto tcp from <ssh-hosts> \
to <ssh-servers> port ssh
pass in on wan proto tcp from <mail-clients> \
to <mail-server> port $mail-ports
pass in on wan proto tcp from any to <mail-servers> port smtp
 many pass in 
pass in on wan proto icmp $icmp_types to <ping_hosts>

pass out on wan from static_ip_range to ! static_ip_range

...and more things to handle nat-host-x on vether0
. voip port range rules are lengthy

I could generate 2 copies of the ruleset matching
each IP range and route-to/reply-to everywhere, but
that is lengthy, error prone, and otherwise painful.

Given the current pf.conf, presumably a

pass out on $wan2 from wan2_ip_range to \
 !any_internal_ip route-to ($wan2 $wan2_gateway)

and no state on any outgoing rules would work for
outbound traffic.

What about inbound traffic?
  no state on all incoming rules, and a

pass in on $wan2 from any to wan2_ip_range reply-to \
 ($wan2 $wan2_gateway)
rule could work.

Is this the best solution, given pf internals?

geoff steckel



Re: Newbie Network/PF Question

2011-01-05 Thread Axton
On Wed, Jan 5, 2011 at 10:14 AM, Mike. the.li...@mgm51.com wrote:

 On 1/4/2011 at 10:57 PM Josh Smith wrote:

 |
 |pass in on $int_if0 # pass all incomming traffic on our internal
 interface
 |pass in on $int_if1 # pass all incomming traffic on our internal
 interface from the test network
  =




 I have two internal subnetworks, one for standard frames and one for
 jumbo frames.

 Instead of the two rules you cite, I use the following:




 # macros
 std_if = em1
 jum_if = em0
 loc_if = lo0


 # let internal traffic flow unimpeded
 pass  quick on $loc_if
 pass  quick on $std_if
 pass  quick on $jum_if


set skip is probably more efficient.



Newbie Network/PF Question

2011-01-04 Thread Josh Smith
I have been running OpenBSD as my home router for a couple of years
now and everything has worked well thus far.  However this evening I
added a second network interface to my router because I would like to
add some hosts for testing on a separate network segment and am
running into some difficulties.

My network is configured as follows:
gem0 - DHCP address and link to internet
rl0 - 10.66.66.1/24 - original home network segment
rl1 - 10.66.67.1/24 - new test network segment

from a host on the 10.66.66.1/24 network I am able to connect to
10.66.67.1 but no other host on that network segment.  However I am
able to connect to any host on this segment from my openbsd router.

Here is my pf.conf:
#pf.conf jcsmith 2011-12-04

#macros
int_if0=rl0 #internal network interface for home network 10.66.66.0/24
int_if1=rl1 #internal network interface for test network 10.66.67.0/24
ext_if=gem0 #external (internet) network interface

allowed_services = { ssh }
allowed_icmp = { echoreq, unreach }

#options
set block-policy return
set loginterface $ext_if
set skip on lo

#match rules for nat
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)


#filter rules
block in log #block all incoming traffic

antispoof quick for { $int_if0 $ext_if $int_if1 } label AntiSpoofFailed

pass in on $int_if0 # pass all incoming traffic on our internal interface
pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network

pass in log on $ext_if inet proto tcp from any to ($ext_if) port $allowed_services # allow selected services in from the net

pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp #allow some icmp traffic in from the net

pass out quick # allow outgoing traffic


I'm sure I'm just missing a quick setting in my pf configuration or
somewhere else on the box.

Any help is greatly appreciated.


Thanks,
--
Josh Smith
KD8HRX
email/jabber: juice...@gmail.com
phone: 304.237.9369 (c)



Re: Newbie Network/PF Question

2011-01-04 Thread Josh Smith
Joshua,
I would like the two networks to be able to talk directly to each
other using plain old routing, however I would like to be able to
filter this traffic using PF in the future if I choose to, but the
only traffic that should be natted is from either of these networks
out to the internet.

Thanks,
--
Josh Smith
KD8HRX
email/jabber: juice...@gmail.com
phone: 304.237.9369(c)





On Tue, Jan 4, 2011 at 11:16 PM, joshua stein j...@openbsd.org wrote:
 My network is configured as follows:
 gem0 - DHCP address and link to internet
 rl0 - 10.66.66.1/24 - original home network segment
 rl1 - 10.66.67.1/24 - new test network segment

 from a host on the 10.66.66.1/24 network I am able to connect to
 10.66.67.1 but no other host on that network segment.  However I am
 able to connect to any host on this segment from my openbsd router.

 do you want the traffic from 10.66.66.1/24 to 10.66.67.1/24 to be natted
 through 10.66.67.1 (using pf) or do you want the two networks to be able to
 talk directly to each other (using plain old routing)?



Re: Newbie Network/PF Question

2011-01-04 Thread Teemu Rinta-aho
Hi Josh,

I guess the problem is that everything matches your NAT rules.

Try adding something like this before the match rules for nat:

pass in  quick on $int_if0 from 10.66.66.0/24 to 10.66.67.0/24
pass out quick on $int_if0 from 10.66.67.0/24 to 10.66.66.0/24
pass in  quick on $int_if1 from 10.66.67.0/24 to 10.66.66.0/24
pass out quick on $int_if1 from 10.66.66.0/24 to 10.66.67.0/24

Those rules should make pf almost ignore traffic between your
two home networks. I don't know if it works but give it a try.

BR,
Teemu

 #match rules for nat
 match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)
 match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)
 
 
 #filter rules
 block in log #block all incoming traffic
 
 antispoof quick for { $int_if0 $ext_if $int_if1 } label AntiSpoofFailed
 
 pass in on $int_if0 # pass all incoming traffic on our internal interface
 pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network
 
 pass in log on $ext_if inet proto tcp from any to ($ext_if) port
 $allowed_services # allow selected services in from the net
 
 pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp #allow
 some icmp traffic in from the net
 
 pass out quick # allow outgoing traffic
 
 
 I'm sure I'm just missing a quick setting in my pf configuration or
 somewhere else on the box.
 
 Any help is greatly appreciated.
 
 
 Thanks,
 --
 Josh Smith
 KD8HRX
 email/jabber: juice...@gmail.com
 phone: 304.237.9369(c)
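The structure Teemu is pointing at, written out as an added example ruleset. This is not Josh's or Teemu's configuration: interface names and the two prefixes are taken from Josh's post, the `<lan>` table and the rest are my additions. The point it shows is that a `match out on egress ... nat-to` rule only touches packets that actually leave on egress, so traffic routed between rl0 and rl1 is never translated and can be passed (or later filtered) with its own explicit rules.

```pf
# Added example: two internal segments routed to each other, NAT only
# for traffic that leaves on the external interface.
# Interface names and prefixes follow the thread; the rest is illustrative.
ext_if  = "gem0"
int_if0 = "rl0"     # 10.66.66.0/24, home segment
int_if1 = "rl1"     # 10.66.67.0/24, test segment

# Both internal prefixes in one table so the inter-segment rules stay short.
table <lan> const { 10.66.66.0/24, 10.66.67.0/24 }

set block-policy return
set loginterface $ext_if
set skip on lo

# Translation is scoped to egress. Packets routed rl0 -> rl1 are sent out
# on rl1, never on egress, so this rule does not apply to them and they
# keep their original 10.66.x.y source address.
match out on egress inet from <lan> to any nat-to (egress:0)
match in all scrub (no-df max-mss 1440)

block in log
antispoof quick for { $int_if0 $int_if1 $ext_if } label AntiSpoofFailed

# Inter-segment traffic, passed explicitly and early. Keeping these as
# their own rules (instead of a blanket "pass in on $int_if0") is what
# lets you tighten them later without touching the internet-bound rules.
pass in  quick on { $int_if0 $int_if1 } inet from <lan> to <lan>
pass out quick on { $int_if0 $int_if1 } inet from <lan> to <lan>

# Internet-bound traffic from either segment.
pass in  on { $int_if0 $int_if1 } inet from <lan> to !<lan>
pass out on $ext_if inet

# Services offered on the external interface.
pass in log on $ext_if inet proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach }
```

Check it with `pfctl -nf /etc/pf.conf` before loading. To tell whether pf is involved in a failure like the one in this thread, run `tcpdump -nettti pflog0` on the router while a host on rl0 tries to reach a host on rl1: the default `block in log` records every drop, so if nothing shows up there while the connection still fails, pf is not what is stopping it and the next thing to check is the test hosts' own routing (default gateway and netmask).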



Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Ryan McBride
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
 May I ask whether or not per user ownership (or permission to update) a
 table is/will be possible?
 
 I am pondering the best mechanism for a  non-root process to add/remove
 addresses to a table.

You can look at sysutils/tabled in ports, which provides this
functionality (permissions would be controlled by the filesystem
permissions on the fifo)

I don't think we'll be making /dev/pf accessible by non-root processes
any time soon.



Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Tor Houghton
On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote:
 On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
  May I ask whether or not per user ownership (or permission to update) a
  table is/will be possible?
  
  I am pondering the best mechanism for a  non-root process to add/remove
  addresses to a table.
 
 You can look at sysutils/tabled in ports, which provides this
 functionality (permissions would be controlled by the filesystem
 permissions on the fifo)
 
 I don't think we'll be making /dev/pf accessible by non-root processes
 any time soon.

This looks exactly like what I need.

Thank you!

Kind regards,

Tor



Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Dennis Davis
On Thu, 11 Nov 2010, Tor Houghton wrote:

 From: Tor Houghton t...@bogus.net
 To: Ryan McBride mcbr...@openbsd.org
 Cc: misc@openbsd.org
 Date: Thu, 11 Nov 2010 11:06:25
 Subject: Re: (Perhaps?) dumb pf question relating to tables
 X-Spam-Score: 0.0 (/)
 
 On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote:
  On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
   May I ask whether or not per user ownership (or permission to update) a
   table is/will be possible?
   
   I am pondering the best mechanism for a  non-root process to add/remove
   addresses to a table.
  
  You can look at sysutils/tabled in ports, which provides this
  functionality (permissions would be controlled by the filesystem
  permissions on the fifo)
  
  I don't think we'll be making /dev/pf accessible by non-root processes
  any time soon.
 
 This looks exactly like what I need.

You could also used pftabled from:

http://www.wolfermann.org/pftabled.html

although it's mainly intended for keeping table(s) in step across
co-operating hosts.  Access is controlled by knowing a HMAC-SHA1
keyed hash.

Make this small change to get it to build on OpenBSD4.8:

--- Makefile.in.origWed Feb  4 11:09:33 2009
+++ Makefile.in Thu Nov 11 11:28:31 2010
@@ -27,7 +27,7 @@
${CC} ${LDFLAGS} -o $@ ${SERVEROBJS} ${LIBS}
 
 pftabled.cat1: pftabled.1
-   nroff -Tascii -man pftabled.1  pftabled.cat1
+   mandoc -Tascii -mandoc pftabled.1  pftabled.cat1
 
 pftabled-client: ${CLIENTOBJS}
${CC} ${LDFLAGS} -o $@ ${CLIENTOBJS} ${LIBS}
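Review bot: in the pftabled.cat1 rule, both the removed nroff line and the added mandoc line appear without an output redirection to pftabled.cat1 (`mandoc -Tascii -mandoc pftabled.1  pftabled.cat1`), so as shown the formatted page would go to stdout and the target would never be written; if the `>` was lost in transit, restore `> pftabled.cat1` on the new line. Hardcoding mandoc also breaks the build on platforms that ship only nroff/groff, so rather than swapping one tool name for the other, make the formatter a Makefile.in variable (for example `MANFMT = mandoc -Tascii -mandoc`, with a configure check or `?=` default) so the OpenBSD fix does not regress the other systems pftabled is meant for.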
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



(Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Tor Houghton
Hello,

May I ask whether or not per user ownership (or permission to update) a
table is/will be possible?

I am pondering the best mechanism for a  non-root process to add/remove
addresses to a table.

Kind regards,

Tor



Re: (Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Bret S. Lambert
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
 Hello,
 
 May I ask whether or not per user ownership (or permission to update) a
 table is/will be possible?
 
 I am pondering the best mechanism for a  non-root process to add/remove
 addresses to a table.

Privilege separation.

 
 Kind regards,
 
 Tor



Re: (Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Thomas Jeunet
On Wed, Nov 10, 2010 at 13:45, Tor Houghton t...@bogus.net wrote:
 Hello,

 May I ask whether or not per user ownership (or permission to update) a
 table is/will be possible?

 I am pondering the best mechanism for a  non-root process to add/remove
 addresses to a table.

 Kind regards,

 Tor


You might be interested in having a look at authpf(8) eventually?



pf question: no rdr problem, upgraded 4.2-4.7

2010-07-15 Thread David Hardy
I'm upgrading a obsd firewall/router to 4.7 from 4.2 and am having to make
all kinds of changes, but one I can't figure out is why it's choking on:

no rdr on $cus inet proto tcp from noproxy to any port www

we use a web cache, but want to exempt some clients from being transparently
proxied to it.

what happened to no rdr?



-David

 ps: tried to get on the pf mailing list, but can't.



Re: pf question: no rdr problem, upgraded 4.2-4.7

2010-07-15 Thread John Cosimano
--- David Hardy [Thu, Jul 15, 2010 at 12:09:07PM -0600]: --- 
 I'm upgrading a obsd firewall/router to 4.7 from 4.2 and am having to make
 all kinds of changes, but one I can't figure out is why it's choking on:
 
 no rdr on $cus inet proto tcp from noproxy to any port www
 
 we use a web cache, but want to exempt some clients from being transparently
 proxied to it.
 
 what happened to no rdr?

have you checked out this: http://www.openbsd.org/faq/upgrade47.html and
this: http://marc.info/?l=openbsd-misc&m=125181847818600&w=2



Re: pf question: no rdr problem, upgraded 4.2-4.7

2010-07-15 Thread Peter N. M. Hansteen
David Hardy planetm...@gmail.com writes:

 no rdr on $cus inet proto tcp from noproxy to any port www

 we use a web cache, but want to exempt some clients from being transparently
 proxied to it.

the quick escape is likely just that - an appropriately placed pass
quick or match quick with the appropriate rdr-to, depending on just
how you handled the conversion of the general case.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
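What Peter's "appropriately placed pass quick" looks like in the post-4.7 grammar, as an added example. This is not David's or Peter's ruleset: the interface macro is David's, the `<noproxy>` table contents and the cache address 127.0.0.1:3128 are placeholders.

```pf
# Added example: transparently proxy web traffic except for a few clients,
# in the rdr-to syntax that replaced "rdr" and "no rdr" in OpenBSD 4.7.
cus = "rl0"
table <noproxy> persist { 10.0.0.5, 10.0.0.6 }   # placeholder: clients to exempt

set skip on lo      # the redirected connections terminate on 127.0.0.1

# Exemption first. "quick" means a matching packet stops here and never
# reaches the rdr-to rule below, which is exactly what "no rdr" used to do.
pass in quick on $cus inet proto tcp from <noproxy> to any port www

# Everyone else on $cus goes through the cache. Redirection is now an
# option on the pass rule itself, so there is no separate translation
# ruleset in which a "no rdr" exception could live.
pass in on $cus inet proto tcp to any port www rdr-to 127.0.0.1 port 3128
```

The exempted clients still need whatever outbound and NAT rules the rest of the ruleset gives everyone; the quick pass only keeps them out of the redirect. `pfctl -nf` will tell you about any remaining pre-4.7 syntax before you load it.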



Re: [pf question] Positive condition for adding in the table?

2009-09-17 Thread Ivan Radovanovic

Iñigo Ortiz de Urbina wrote:

You could also take a look at the match, tag and tagged keywords in pf.conf.

Additionally, you may require parsing your custom logs (pflogN interfaces or
binary logs in /var/log/) in order to populate your tables for use in the
main ruleset or anchors.

Have a nice day,

Iñigo



I finished simple program that parses pflogN interface and executes 
actions embedded in labels in pf rules. However I don't have OpenBSD 
installed so I can't test if it works/compiles on OpenBSD (it works fine 
on FreeBSD), so it would be nice if someone is interested to try it on 
OpenBSD before I put it for everyone to download :-)


Best regards,
Ivan



Re: [pf question] Positive condition for adding in the table?

2009-09-17 Thread Gregory Edigarov
On Thu, 17 Sep 2009 10:20:37 +0200
Ivan Radovanovic riv...@gmail.com wrote:

 Iñigo Ortiz de Urbina wrote:
  You could also take a look at the match, tag and tagged keywords in
  pf.conf.
  
  Additionally, you may require parsing your custom logs (pflogN
  interfaces or binary logs in /var/log/) in order to populate your
  tables for use in the main ruleset or anchors.
  
  Have a nice day,
  
  Iñigo
  
 
 I finished simple program that parses pflogN interface and executes 
 actions embedded in labels in pf rules. However I don't have OpenBSD 
 installed so I can't test if it works/compiles on OpenBSD (it works
 fine on FreeBSD), so it would be nice if someone is interested to try
 it on OpenBSD before I put it for everyone to download :-)

Perhaps it would be interesting, and I could try it, but could you give
an example use case?

-- 
With best regards,
Gregory Edigarov



[pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

I am new into pf configuration and I am curious if it is possible to add
some host into table in firewall rules if some conditions are met (not
if they are broken). I was thinking about some way to prevent port
scanning of machine and what came to me as obvious way to do it is this
(in some pseudocode)

block all communication with bad_guys
allow all communication with good_guys

allow any communication with my open port and put ip in good_guys table
block sending any rst packet from me and put ip in bad_guys table /*
somebody tried to connect to non-open port */


/* more criteria to remove someone from good_guys and put in bad_guys,
according to connection rate, etc */

Anyway when I tried to code this into pf rules I discovered that I can't
put host into table according to positive condition. Is there some
workaround for this, or maybe some better/smarter way to achieve the 
same thing I want to achieve?


Regards,
Ivan

P.S.
I am using pf on FreeBSD 7.2
I don't know how to check for pf's version - tag in source file is
/* add: $OpenBSD: pf.c,v 1.559 2007/09/18 18:45:59 markus Exp $ */



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovicriv...@gmail.com wrote:
 I am new into pf configuration and I am curious if it is possible to add
 some host into table in firewall rules if some conditions are met (not
 if they are broken). I was thinking about some way to prevent port
 scanning of machine and what came to me as obvious way to do it is this
 (in some pseudocode)

 block all communication with bad_guys
 allow all communication with good_guys

 allow any communication with my open port and put ip in good_guys table
 block sending any rst packet from me and put ip in bad_guys table /*
 somebody tried to connect to non-open port */


 /* more criteria to remove someone from good_guys and put in bad_guys,
 according to connection rate, etc */

 Anyway when I tried to code this into pf rules I discovered that I can't
 put host into table according to positive condition. Is there some
 workaround for this, or maybe some better/smarter way to achieve the same
 thing I want to achieve?

Please read up on pf(4) anchors.

And also on connection overloads in pf.conf(5).
Stuff like max-conn-rate and so on.

You already said you know about pf(4) tables. You need to populate the tables
based on  different criteria. I know that connection overload is one.

You should be able to define other conditions to populate the tables.

And you can use anchors along with tables, define conditions and get
what you want.

I hope I have not left out anything important.

Best of luck.

-Girish
-- 
Gayatri Hitech
web: http://gayatri-hitech.com

SpamCheetah Spam filter:
http://spam-cheetah.com



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Girish Venkatachalam wrote:

Please read up on pf(4) anchors.

And also on connection overloads in pf.conf(5).
Stuff like max-conn-rate and so on.

You already said you know about pf(4) tables. You need to populate the tables
based on  different criteria. I know that connection overload is one.

You should be able to define other conditions to populate the tables.

And you can use anchors along with tables, define conditions and get
what you want.

I hope I have not left out anything important.
  
Thanks for your response. If I understand you correctly pf kernel module 
actually supports operating with tables based on positive conditions (ie 
not only when rule is broken, but also when rule is true), and the way 
to define rules of that kind is using directly some of IOCTLs documented 
in pf(4)? Please confirm if that is true, since I couldn't find that kind 
of functionality with pfctl(8) (I tried making conditions with 
max-src-conn-rate set to 0 with idea that making one connection will 
break this rule so I could add ip in table that way, but pfctl(8) is too 
smart to accept rules with max-src-conn-rate set to 0)


Regards,
Ivan



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovicriv...@gmail.com wrote:
 Thanks for your response. If I understand you correctly pf kernel module
 actually supports operating with tables based on positive conditions (ie not
 only when rule is broken, but also when rule is true), and the way to define
 rules of that kind is using directly some of IOCTLs documented in pf(4)?
 Please confirm if that is true, since I couldn't find that kind of
 functionality with pfctl(8) (I tried making conditions with
 max-src-conn-rate set to 0 with idea that making one connection will break
 this rule so I could add ip in table that way, but pfctl(8) is too smart to
 accept rules with max-src-conn-rate set to 0)

There is no need to write any C code with pf(4) ioctls.

A simple pf.conf should get you what you want. What do you mean by
max-src-conn-rate set to zero?

I think you are needlessly complicating things. If your goal is to
send reset, then
you can always do them with pf in a much more straight forward manner.

set block-policy return bad-guys

Try to keep things simple.

-Girish
-- 
Gayatri Hitech
web: http://gayatri-hitech.com

SpamCheetah Spam filter:
http://spam-cheetah.com



Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Girish Venkatachalam wrote:

On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovicriv...@gmail.com wrote:
  

Thanks for your response. If I understand you correctly pf kernel module
actually supports operating with tables based on positive conditions (ie not
only when rule is broken, but also when rule is true), and the way to define
rules of that kind is using directly some of IOCTLs documented in pf(4)?
Please confirm if that is true, since I couldn't find that kind of
functionality with pfctl(8) (I tried making conditions with
max-src-conn-rate set to 0 with idea that making one connection will break
this rule so I could add ip in table that way, but pfctl(8) is too smart to
accept rules with max-src-conn-rate set to 0)



There is no need to write any C code with pf(4) ioctls.

A simple pf.conf should get you what you want. What do you mean by
max-src-conn-rate set to zero?

I think you are needlessly complicating things. If your goal is to
send reset, then
you can always do them with pf in a much more straight forward manner.

set block-policy return bad-guys

Try to keep things simple.
  


I think you misunderstood me - what I want is to add host to bad_guys if 
it tries to connect to some closed port on my machine - in that case I 
would like to intercept RST and put host in bad_guys table - that is why 
I wrote


block sending any rst packet from me and put ip in bad_guys table 
/* somebody tried to connect to non-open port */


maybe equivalent problem to this would be - how to add host to bad_guys 
table if it tries to connect to port 0? (That is probably one line in 
pf.conf if pfctl supports adding to table on positive conditions - I am 
currently failing to find the way to achieve this)




Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic

Iñigo Ortiz de Urbina wrote:
You could also take a look at the match, tag and tagged keywords in 
pf.conf.


Additionally, you may require parsing your custom logs (pflogN 
interfaces or binary logs in /var/log/) in order to populate your 
tables for use in the main ruleset or anchors.


Have a nice day,

Iñigo
Thank you so much for pointing me in the right direction - I wasn't 
aware of /dev/pflog interface, I just wrote simple program to sniff 
packets going through it and to add host to appropriate table if I don't 
like the activity I see there


Thanks again,
Ivan
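A ruleset that feeds a pflog sniffer like the one Ivan describes, and that also covers the part pf can do on its own (rate-based overload into a table). This is an added example, not Ivan's configuration: `em0`, the port list and the limits are placeholders. It assumes a pf that supports cloned pflog interfaces (`log (to pflogN)`, OpenBSD 4.2 and later); the FreeBSD 7.2 pf Ivan is on may not have that option, in which case the second rule logs to pflog0 like everything else.

```pf
# Added example: probes to closed ports get an RST and are logged to a
# dedicated pflog interface for an external sniffer; brute force against
# open ports is handled by pf itself with an overload table.
ext_if   = "em0"               # placeholder
open_tcp = "{ ssh, http }"     # placeholder

# Runtime-managed table. A sniffer reading pflog1 would do, for a probe
# from 192.0.2.13 (constructed address):
#   pfctl -t bad_guys -T add 192.0.2.13
# and something like "pfctl -t bad_guys -T expire 3600" from cron to age
# entries out again.
table <bad_guys> persist

set skip on lo

block in log
block in quick from <bad_guys>

# Open ports first, with quick. The state options implement the one
# "positive" condition pf offers natively: a source that opens more than
# 10 concurrent connections or more than 15 new ones in 5 seconds is put
# in <bad_guys> and all of its states are killed.
pass in quick on $ext_if inet proto tcp to ($ext_if) port $open_tcp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/5, overload <bad_guys> flush global)

# Everything else aimed at this host's TCP ports is a closed-port probe:
# answer with RST ("return") and log it to pflog1 only, so the sniffer
# sees probes and not the general noise recorded on pflog0.
# If pfctl does not create the interface for you: ifconfig pflog1 create
block return in log (to pflog1) on $ext_if inet proto tcp to ($ext_if)
```

Two things to watch. Do not try to write the probe rule as `port != { ssh, http }`: pf expands a list into one rule per element, so that becomes "port != ssh" followed by "port != http", and a probe to port 80 matches the first of them. Ordering with `quick` on the pass rule, as above, avoids the problem. And `pfctl -t bad_guys -T show` is the quickest way to confirm that either the sniffer or the overload is actually populating the table.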



Re: simple PF question

2008-06-22 Thread Lars Noodén
Peter N. M. Hansteen wrote:
 ... Hm. Might actually be a good idea to expose
 learners to tcpdump a tad earlier.

I used PF on OpenBSD for a small polytechnic course with the help of
Peter's book.  For most it was a first introduction to any of these
tools or supporting tools or hands-on computing.  As much as possible, I
encouraged people to get comfortable looking for man pages, howtos, web
forums and mailing list archives.

Below is the base checklist for laboratory exercises from the 7-week
course.  It's so short because, among other things, there was no access
to the laboratory outside of class hours.  :(

I placed tcpdump near the end, because familiarity with PF needs to be
established first.  But not at the very end, in order to still have
time for repetition.  Nearly everyone got that far, a few got to the
queues and one got to the round-robin.

There were supplemental exercises to keep those with experience learning
while others were working on the main exercises.

Regards,
-Lars

[note, 1b/s is not possible, turns out that 6kb/s is the slowest]

Install OpenBSD 4.2.  Install pftop and nmap.
Use of editor, pfctl and working from copy of /etc/pf.conf (not
/etc/pf.conf itself)

Create a host-based packet filter. Allow incoming SSH, HTTP and
HTTPS and some ICMP (0,3,4,8,11,30).  See pp 7 - 16, and p 29

Allow incoming SSH, HTTP and HTTPS and some ICMP (0,3,4,8,11,30). Use a
table and state-tracking options to limit or block hosts that try to
connect too frequently or too many times concurrently to SSH. See pp 67 -
71 (excluding 'expiretable')

Use pftop to track connections to your machine. Currently you have
HTTP and SSH available. Show me one SSH connection and one HTTP or
HTTPS connection. See pp 115 - 116 and the manpage printed last week.

Use pflog and tcpdump to track some connections to your machine.
Show me one SSH connection and one HTTP or HTTPS connection.  See pp
107 - 115

Use the overload tables from the second host-based exercise, and
class-based queuing (cbq).
Rather than blocking overloads, send them to a 1 b/s queue.  See pp
87 - 97

Arrange that one interface on a multi-homed machine connects to the
Internet and distributes incoming connections to a 'pool' of web
services, using rdr. Choose either 'round-robin' or 'random' assignment.
  See pp 50 - 52


===
supplemental activities

If and only if you have already finished your first packet filter, then
try turning on HTTPS.  You will need to create a self-signed (aka root)
certificate for the web server as well as create one virtual host.

If and only if you have already finished HTTPS, then you may try
installing and using Xfce.

Install pfstat and create a graph based on traffic to or from your
machine.  (pp 115-118)

Show that you have lab notes.



Re: simple PF question

2008-06-21 Thread Peter N. M. Hansteen
Robert Gilaard [EMAIL PROTECTED] writes:

 All the time I had the following entries in my pf.conf for my
 Desktop system.  However, as I've bought this pf book that was
 lately released, I begin to suspect that these rules are way too
 liberal.

 If I only want to be able to browse the web and maybe use
 ssh-client, how should I rewrite the rules so that only those ports
 are open (80,443 and 22)?

The main message in the parts of the book you're referring to is that
allowing only the traffic you know there's a good reason to allow
leads to a cleaner network and fewer surprises.  In fact it can be
quite instructive (and fun!) to play around with tcpdump to watch what
happens on the interfaces you're interested in.  You will see, of
course, a lot of relatively uninteresting stuff that only says the
traffic you thought would pass indeed does, but every now and then you
will likely see something that has you grepping /etc/services and
browsing man pages.  Hm. Might actually be a good idea to expose
learners to tcpdump a tad earlier.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



simple PF question

2008-06-20 Thread Robert Gilaard
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system.
However, as I've bought this pf book that was lately released, I begin to 
suspect that these rules are way too liberal.

If I only want to be able to browse the web and maybe use ssh-client, how 
should I rewrite the rules so that only those ports are open (80,443 and 22)?

I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew 
how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert



Re: simple PF question

2008-06-20 Thread Calomel
Robert,

Your rule looks ok. You may want to add a variable for the port number
so you can add or delete them as needed. Something like... 

### Ports
AllowOUT={22, 80, 443}

### Pass out interface
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate 
state flags S/SA


Hope this helps,

 OpenBSD Pf Firewall how to ( pf.conf )
 https://calomel.org/pf_config.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system.
However, as I've bought this pf book that was lately released, I begin to 
suspect that these rules are way too liberal.

If I only want to be able to browse the web and maybe use ssh-client, how 
should I rewrite the rules so that only those ports are open (80,443 and 22)?

I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I 
knew how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert



Re: simple PF question

2008-06-20 Thread Martin Toft
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
 Hi folks,
 
 All the time I had the following entries in my pf.conf for my Desktop
 system.
 However, as I've bought this pf book that was lately released, I begin
 to suspect that these rules are way too liberal.
 
 If I only want to be able to browse the web and maybe use ssh-client,
 how should I rewrite the rules so that only those ports are open
 (80,443 and 22)?
 
 I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask
 if I knew how to write them.
 
 The best I could guess is:
 
 pass out on $int_if proto tcp from any to any port 80 modulate state
 flags S/SA
 
 But I don't know if this is correct.
 
 Brgds
 Robert

If it's just a simple workstation with a single user, I see no reason
for restricting outgoing traffic. If you really want this, remember to
also allow DNS queries (port 53, tcp+udp).

Let me point you to some of Peter Hansteen's goodies:

  http://home.nuug.no/~peter/pf/en/minimal-ruleset.html

(you should also click Next when you get to the bottom of that page)

The full table of contents:

  http://home.nuug.no/~peter/pf/en/

Martin
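Martin's reminder that an outbound-only policy still has to let DNS through is the part people most often forget, so here is the complete ruleset for Robert's case as an added example. It is not from the thread or from Peter's tutorial: `sis0` and the resolver addresses are placeholders, and the DHCP rule only applies if the interface is configured that way.

```pf
# Added example: single-interface desktop, default deny in both directions,
# only the listed outbound services plus the DNS and ICMP they depend on.
int_if      = "sis0"                             # placeholder
dns_servers = "{ 192.0.2.53, 198.51.100.53 }"    # placeholder: your /etc/resolv.conf entries
out_tcp     = "{ ssh, http, https }"             # 22, 80, 443

set skip on lo
set block-policy return   # RST / ICMP unreachable, so anything you forgot fails fast

# Log the default block. While testing, "tcpdump -nettti pflog0" shows
# exactly which connection an application needed and did not get.
block log all

# Name resolution: UDP for ordinary queries, TCP for large answers.
pass out on $int_if inet proto { tcp, udp } from ($int_if) to $dns_servers port domain

# Web browsing and the ssh client, with ISN modulation as in Robert's rule.
# Replies come back through the state entry; no "pass in" is needed.
pass out on $int_if inet proto tcp from ($int_if) to any port $out_tcp \
    modulate state flags S/SA

# Outbound ping; echo replies and unreachables for our own traffic are
# matched to state, so nothing inbound has to be opened for them.
pass out on $int_if inet proto icmp from ($int_if) icmp-type echoreq

# Only if the address comes from DHCP: the client sends from 0.0.0.0:68,
# so "from ($int_if)" would not match it.
pass out on $int_if inet proto udp from port bootpc to port bootps
```

Load it with `pfctl -nf` first to catch syntax errors, then watch pflog0 for a few minutes of normal use; whatever shows up there is the list of things this policy broke, which is the point of a restrictive ruleset on a workstation.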



multiple routing tables pf question

2007-06-15 Thread ben

I have two ISPs on two nics on my router/firewall and I use some
route-to rules to make traffic nat out on a specific interface and
gateway. Similar to the set-up described here:
http://www.openbsd.org/faq/pf/pools.html#outgoing

Instead of using route-to, can I set up a second route (eg: route -T1
..) then use pf to choose a routing table and interface?

Since the rtable flag in pf only works when filtering inbound I'm
guessing the rule will have to happen on the internal interface.



Re: multiple routing tables pf question

2007-06-15 Thread ben

Also, I forgot that NAT happens before filtering. That makes what I'm
trying to do here more complicated if not impossible.

Maybe I should just use route-to :-)



Re: basic pf question without NAT or rdr

2007-06-01 Thread Boudewijn Ector
Boudewijn Ector schreef:
 Hi there,


 I've been using openBSD for some months now, for example on my office
 router which uses NAT (based on a tweaked example config from the FAQ).
 This works really great!

 But now I'm designing a firewall which is not used for any routing, and
 will be ran on a machine having just one NIC. So it has to be a
 'personal firewall'. After having done the basic stuff, I'll add authpf
 (which runs by the way great on my router, really cool!).

 I've got the config:

 -bash-3.2# grep -v ^$ pf.conf
 # macros
 iface=sis0
 tcp_services={ 22 }
 icmp_types=echoreq
 # options
 set block-policy return
 #set loginterface $ext_if
 set skip on lo
 nat-anchor authpf/*
 rdr-anchor authpf/*
 binat-anchor authpf/*
 anchor authpf/*
 # filter rules
 block in
 #antispoof quick for { lo $int_if }
 block in quick on $iface proto tcp from any \
 port 1022
 pass out keep state
 pass in on $iface inet proto tcp from any \
port $tcp_services flags S/SA keep state
 pass in inet proto icmp all icmp-type $icmp_types keep state


 I'd like to close port 1022 for ALL traffic (and will allow it soon
 after authpf works).
 Can someone please point out what's wrong?

   
Just fixed it.
Note to /me; don't forget pfctl -e.



basic pf question without NAT or rdr

2007-05-31 Thread Boudewijn Ector
Hi there,


I've been using openBSD for some months now, for example on my office
router which uses NAT (based on a tweaked example config from the FAQ).
This works really great!

But now I'm designing a firewall which is not used for any routing, and
will be ran on a machine having just one NIC. So it has to be a
'personal firewall'. After having done the basic stuff, I'll add authpf
(which runs by the way great on my router, really cool!).

I've got the config:

-bash-3.2# grep -v ^$ pf.conf
# macros
iface=sis0
tcp_services={ 22 }
icmp_types=echoreq
# options
set block-policy return
#set loginterface $ext_if
set skip on lo
nat-anchor authpf/*
rdr-anchor authpf/*
binat-anchor authpf/*
anchor authpf/*
# filter rules
block in
#antispoof quick for { lo $int_if }
block in quick on $iface proto tcp from any \
port 1022
pass out keep state
pass in on $iface inet proto tcp from any \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state


I'd like to close port 1022 for ALL traffic (and will allow it soon
after authpf works).
Can someone please point out what's wrong?



layer 2 pf question

2007-04-17 Thread poncenby
Dear list,

What do openbsd users do when they need to filter/redirect traffic based on
layer 2 addresses?
I'm using 4.0 generic on a 386.

Many thanks

poncenby



PF question.

2006-12-28 Thread Der Engel

Hi,

I have the below rule set in my firewall, both internal networks can
access the Internet and both internal networks can see each other, how
can i prevent each internal network from seeing each other? I have
tried various rule sets with no luck, any advice is appreciated.

Thanks,

Der

# macros
ext_if=fxp0
int_if=xl0
int_if2=bge0

tcp_services={ 22, 113 }
icmp_types=echoreq


# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor ftp-proxy/*
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
  port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

pass quick on $int_if2
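The change Der Engel's ruleset needs comes down to rule ordering, so here is the relevant part as an added example. It is not his configuration: the interface macros are his, the two prefixes are placeholders he would replace with the real ones.

```pf
# Added example: both LANs keep their internet access through NAT, but
# can no longer reach each other.
int_if   = "xl0"
int_if2  = "bge0"
int_net  = "192.168.1.0/24"   # placeholder for the xl0 segment
int_net2 = "192.168.2.0/24"   # placeholder for the bge0 segment

# pf is last-match-wins, except that a rule with "quick" ends evaluation
# on the spot. The original ruleset ends with
#   pass quick on $int_if
#   pass quick on $int_if2
# so an inter-LAN packet is passed the moment those are reached, and a
# block placed after them can never win. The blocks must come first and
# be quick themselves. Filtering inbound on the receiving interface also
# drops the packet before it is routed.
block in quick log on $int_if  inet from $int_net  to $int_net2
block in quick log on $int_if2 inet from $int_net2 to $int_net

pass quick on $int_if
pass quick on $int_if2
```

Two notes. As written this also stops xl0 hosts from talking to the router's own bge0 address (it is inside `$int_net2`); if that is wanted, add `pass in quick on $int_if inet from $int_net to ($int_if2)` ahead of the blocks. And after loading, `pfctl -sr` shows the final ordering, while `tcpdump -nettti pflog0` from a host on one LAN pinging the other confirms that the `log` on the block rules is what is answering.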



PF question

2006-11-26 Thread Sylwester S. Biernacki
Hello all,

   I was looking for a ipfw looking-like statement in PF:
   ipfw add 10 fwd ip_proxy,proxy_port from 192.168.1.0/24 to any 25 via fxp0

   Is it possible to forward packet to some destination in the same
   subnet without changing SRC/DST_ADDRESS ?

   I RTFMed but haven't found anything...
   
-- 
regards,
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/



Configuring remote access and a pf question

2006-09-01 Thread mop
Hi

I have a home network set up with an OpenBSD gateway which is bridged to an
ADSL router, two Windows XP machines and assortment of old boxes I play
around with, and a few IP's available to me. What I want is remote access
back to my windows boxes probably using VNC, and to be able to ssh to my
gateway and into my network. At least one of the sites I wish to connect
from uses a web proxy and I would have to tunnel through it. 

What software/techniques can people suggest, and how much of a risk am I
exposing myself to by doing this? I have survived this far without it, but
it would be nice to have. Can I do it without it showing up in a port scan?

Now to the pf question. My policy for everything blocked from entering the
network is that it is dropped with no reply. I have several ports forwarded
to my Windows box, mainly for file sharing over IRC so they are only open
when I wish to do a DCC send. I would like to drop error messages coming
from my windows box when those ports are closed so no one got curious as to
why those ports replied and nothing else did.

As I allow everything exiting the network to keep state, how would I block
these packets? I know it probably doesn't get me much in the way of
security, but it is an interesting problem. Any suggestions?

Any suggestions would be greatly appreciated. Regards,

Kim



Re: Configuring remote access and a pf question

2006-09-01 Thread viq

On 9/1/06, mop [EMAIL PROTECTED] wrote:

Hi

I have a home network set up with an OpenBSD gateway which is bridged to an
ADSL router, two Windows XP machines and assortment of old boxes I play
around with, and a few IP's available to me. What I want is remote access
back to my windows boxes probably using VNC, and to be able to ssh to my
gateway and into my network. At least one of the sites I wish to connect
from uses a web proxy and I would have to tunnel through it.

What software/techniques can people suggest, and how much of a risk am I
exposing myself to by doing this? I have survived this far without it, but
it would be nice to have. Can I do it without it showing up in a port scan?

Now to the pf question. My policy for everything blocked from entering the
network is that it is dropped with no reply. I have several ports forwarded
to my Windows box, mainly for file sharing over IRC so they are only open
when I wish to do a DCC send. I would like to drop error messages coming
from my windows box when those ports are closed so no one got curious as to
why those ports replied and nothing else did.

As I allow everything exiting the network to keep state, how would I block
these packets? I know it probably doesn't get me much in the way of
security, but it is an interesting problem. Any suggestions?

Any suggestions would be greatly appreciated. Regards,


How about using authpf for the port forwarding? You want the ports
forwarded, you ssh to the box, and they are open. You're finished, you
finish ssh session, they are closed.
Also, for VNC, you want to use that over an encrypted channel, either
ssh tunnel, or otherwise (OpenVPN or IPSec comes to mind).

As for ssh not showing on a port scan... Not likely that a full port
scan is not going to pick it up, though you could play with passive OS
detection, and block nmap, that could provide a bit more of
obscurity...

As for going through a proxy, it depends how it is set up. ssh does
have an option to use proxy, but that depends on the proxy
configuration obviously... And you may have some success moving port
the port ssh listens on to 80 or 443 (I personally prefer the latter, as it's
rather less likely for anyone to look closer at the traffic passing
there). But that again depends on the proxy in question.


Kim





--
viq



Re: Configuring remote access and a pf question

2006-09-01 Thread Joachim Schipper
On Fri, Sep 01, 2006 at 09:41:18PM +0800, mop wrote:
 Hi
 
 I have a home network set up with an OpenBSD gateway which is bridged to an
 ADSL router, two Windows XP machines and assortment of old boxes I play
 around with, and a few IP's available to me. What I want is remote access
 back to my windows boxes probably using VNC, and to be able to ssh to my
 gateway and into my network. At least one of the sites I wish to connect
 from uses a web proxy and I would have to tunnel through it. 
 
 What software/techniques can people suggest, and how much of a risk am I
 exposing myself to by doing this? I have survived this far without it, but
 it would be nice to have. Can I do it without it showing up in a port scan?

I'd personally go with VNC-over-SSH; sure, it might not be as efficient
as IPsec (or even OpenVPN), but it's pretty effective and SSH is a truly
nice piece of software - to the extent that I just tried to offset this
by a point on which OpenSSH sucks, and didn't hit upon one while typing
this sentence.

Note that most everything can be tunneled over HTTP, and that there
exist implementations of IP-over-DNS. Not that VNC would be a pleasant
experience over such a link...

 Now to the pf question. My policy for everything blocked from entering the
 network is that it is dropped with no reply. I have several ports forwarded
 to my Windows box, mainly for file sharing over IRC so they are only open
 when I wish to do a DCC send. I would like to drop error messages coming
 from my windows box when those ports are closed so no one got curious as to
 why those ports replied and nothing else did.

That is best configured on the Windows box itself; it's not impossible
to do it on OpenBSD (authpf comes to mind, indeed), but there's no
reason to make things more complicated than necessary.

Joachim



Re: Configuring remote access and a pf question

2006-09-01 Thread Bill
On Fri, 1 Sep 2006 21:41:18 +0800
mop [EMAIL PROTECTED] spake:
 Hi
 
 I have a home network set up with an OpenBSD gateway which is bridged to an
 ADSL router, two Windows XP machines and assortment of old boxes I play
 around with, and a few IP's available to me. What I want is remote access
 back to my windows boxes probably using VNC, and to be able to ssh to my
 gateway and into my network. At least one of the sites I wish to connect
 from uses a web proxy and I would have to tunnel through it. 
 
 What software/techniques can people suggest, and how much of a risk am I
 exposing myself to by doing this? I have survived this far without it, but
 it would be nice to have. Can I do it without it showing up in a port scan?

Personally, I use OpenVPN to remote back to my home network from work.
I also run it on a non-standard higher port so it won't be found during
a cursory scan of the firewall.  Of course if someone really wants to
scan your whole range they will find it.  But I am more worried about
someone with a vulnerability-in-hand and no particular target in mind.
If you don't want anyone to find it, you could try something like
port-knocking, which is a neat concept, but maybe just too much work
for too little.  If you really want something like that, I would say
authpf would be a great solution.

I have also ridden https out before for OpenVPN when I could not find a
good port open on the firewall.



Re: Configuring remote access and a pf question

2006-09-01 Thread Stuart Henderson
 I have a home network set up with an OpenBSD gateway which is bridged to an
 ADSL router, two Windows XP machines and assortment of old boxes I play
 around with, and a few IP's available to me. What I want is remote access
 back to my windows boxes probably using VNC, and to be able to ssh to my
 gateway and into my network.

SSH and port-forwarding is probably simplest, and works well.

 At least one of the sites I wish to connect
 from uses a web proxy and I would have to tunnel through it. 

See ssh_config(5): ProxyCommand. If you must connect from Windows
too, PuTTY has a similar option.

 What software/techniques can people suggest, and how much of a risk am I
 exposing myself to by doing this? I have survived this far without it, but
 it would be nice to have. Can I do it without it showing up in a port scan?

If you know the IP addresses you'll connect from, that's basic PF
of course. If not, well, is there too much harm from an up-to-date
OpenSSH showing up? You can always turn off PasswordAuthentication
to help security.



Re: PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-10 Thread Steve Welham
 # tcpdump -n -i sis2 'icmp'
 19:21:05.848459 wan_if.ip > external.host: icmp: echo request
 19:21:05.868202 external.host > wan_if.ip: icmp: echo reply
 19:21:05.868499 wan_if.ip > external.host: icmp: host wan_if.ip unreachable
 
 I was obviously expecting the first two lines but I assumed that PF
 would just drop the echo reply and not issue an ICMP host unreachable.

The block policy only applies to the block rule. In this case the icmp
unreachable is matching state since it is corresponding icmp traffic as
noted in the PF FAQ http://www.openbsd.org/faq/pf/filter.html#state



Re: PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-10 Thread Joris Van Herzele

Steve Welham wrote:


The block policy only applies to the block rule. In this case the icmp
unreachable is matching state since it is corresponding icmp traffic as
noted in the PF FAQ http://www.openbsd.org/faq/pf/filter.html#state




That indeed makes a lot of sense :)
Thank you both for your time !



--
Joris Van Herzele

Brad Pitt + Albert Einstein = Dick Cheney - The Simpsons EABF09



PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-09 Thread Joris Van Herzele

Hi everyone,


I was playing a bit with OpenBSD's PF and noticed something I did not 
expect. I assume I am missing something quite obvious.




The basic /etc/pf.conf I created for home use is included at the end of 
the mail.




From a client on $lan_if:network I spoofed a non existing host on 
$lan_if:network and sent an ICMP echo request to an external host :


# hping -1 -a spoofed.host external.host



This resulted in :

# tcpdump -n -i sis2 'icmp'
19:21:05.848459 wan_if.ip > external.host: icmp: echo request
19:21:05.868202 external.host > wan_if.ip: icmp: echo reply
19:21:05.868499 wan_if.ip > external.host: icmp: host wan_if.ip unreachable


I was obviously expecting the first two lines but I assumed that PF 
would just drop the echo reply and not issue an ICMP host unreachable.





The basic /etc/pf.conf I created for home use :

# Macros
wan_if=sis0
dmz_if=sis1
lan_if=sis2
frigg=10.0.12.7
crappy_isp_ssh_port=2

# Options
set block-policy drop
set loginterface $wan_if
set skip on lo0

# Scrub
scrub in all

# Translation
nat on $wan_if inet from $dmz_if:network to any -> ($wan_if)
nat on $wan_if inet from $lan_if:network to any -> ($wan_if)
rdr on $wan_if proto tcp from any to ($wan_if) port $crappy_isp_ssh_port \
  -> $frigg port ssh


# Filter Rules
block all
antispoof quick for $wan_if inet
antispoof quick for $dmz_if inet
antispoof quick for $lan_if inet
pass in log on $wan_if inet proto tcp from any to $frigg port ssh flags 
S/SA synproxy state

pass out on $wan_if inet proto { tcp, udp, icmp } modulate state
pass in on $lan_if inet from $lan_if:network to any keep state
pass in on $dmz_if inet from $dmz_if:network to any keep state
pass out on $dmz_if inet proto tcp from any to $frigg port ssh flags 
S/SA keep state





Can someone be so kind to help me in the right direction ?




--
Joris Van Herzele

Brad Pitt + Albert Einstein = Dick Cheney - The Simpsons EABF09



Re: pf question - solved

2006-02-03 Thread Ray Lai
On Thu, Feb 02, 2006 at 05:59:54PM -0500, Dave Feustel wrote:
 I found the solution in the pf faq:  skip lo0.
 This rule is not mentioned in Artymiak's book
 which I had been reading. I will now read the
 complete pf faq to see what I have not been
 aware of.

You can also do ``set skip on lo'' to skip all loopback interfaces
(not that most people have more than one).

-Ray-



pf question

2006-02-02 Thread Dave Feustel
After getting pf working with a block in all rule,
I am now trying to add a rule to allow local and internet access to my 
webserver.


I have been able to access the web server from a computer on a subnet,
I copied a rule from the OpenBSD pf faq which would seem to accomplish this, 
(see ruleset below) but nothing comes back even to my browser running on the 
same computer.

What pf rule(s) do I have to change/add to permit my browser and others on the
internet to access the web server?

Thanks,
Dave Feustel
===current pf ruleset
ext_if = xl0
#ext_ad = 71.97.201.76
ext_ad = (xl0)
web_server = (xl0)
pr1 = 192.168.1.1/24
pr2 = 192.168.2.1/24
pr3 = 192.168.3.1/24
pr4 = 192.168.4.1/24
nat_proto = {tcp, udp, icmp}

# options

set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# scrubbing

scrub in all
scrub out all

# nat rules

nat on $ext_if inet proto $nat_proto \
from {$pr1, $pr2, $pr3, $pr4} to any -> $ext_ad

# filtering

pass in quick on sis1

block in log all 

pass in on $ext_if proto tcp to $web_server \
port www flags S/SA keep state \
(max 200, source-track rule, max-src-nodes 100, max-src-states 3)

pass out log quick on $ext_if inet \
from ($ext_if) to any flags S/SA keep state

antispoof for $ext_if
===



pf question - solved

2006-02-02 Thread Dave Feustel
I found the solution in the pf faq:  skip lo0.
This rule is not mentioned in Artymiak's book
which I had been reading. I will now read the
complete pf faq to see what I have not been
aware of.

Dave Feustel



Re: pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-15 Thread NetNeanderthal
On 1/14/06, Daniel Ouellet [EMAIL PROTECTED] wrote:
 I didn't spend too much time on this one, but I think the above should
 give you an idea as to how to go about it. Might work just as is if you
 add the ports you want to protect inside your LAN, or may need some
 minor changes, but it is sure very close to what you might need I think.

(Sorry, Daniel, my first reply didn't hit the list.)

I don't disagree with the approach, though I am not certain it will
solve the NMAP issue unless NMAP completes the 3-way handshake.

Default nmap behaviour (as observed executed with root privileges)
will send a syn packet, which is returned by OpenBSD with an ack..
then either nmap or the host O/S on the far side returns a RST packet.
 No handshake, no connection.

I ran nmap several times against four open ports (nc -k -l 25 (et al)
listening) with this rule, here's what my state table shows:

nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )

I'm not sure that will ever trigger an overload to a table.

Documentation can be found at
http://www.openbsd.org/faq/pf/filter.html#stateopts.  I'm interested
in hearing solutions from others as well.



pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-14 Thread Sebastian Rother
Hello everybody,

PF offers a great OS-Detection which enable me to block all Packets from
NMAP (OS: NMAP).

But I thought about another problem.
How can I drop the IP of an nmap-scanning computer into a table?

Such an overload-option (like for max-src-conn) would be very neat
because a host which tried to scan could try e.g. a brute-force either
(or simply use other tools not detectable by ospf).

So does somebody know how to handle such situations?

Kind regards,
Sebastian



Re: pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-14 Thread Daniel Ouellet

Sebastian Rother wrote:

Hello everybody,

PF offers a great OS-Detection which enable me to block all Packets from
NMAP (OS: NMAP).

But I thought about another problem.
How can I drop the IP of an nmap-scanning computer into a table?

Such an overload-option (like for max-src-conn) would be very neat
because a host which tried to scan could try e.g. a brute-force either
(or simply use other tools not detectable by ospf).

So does somebody know how to handle such situations?

Kind regards,
Sebastian


I am not sure if this would work, but quickly, I don't see why not. Use 
the same way should have the results intended. However if you already 
block all the NMAP, why do you want to limit them then? I may not have 
understood that part too well obviously.


But here is some food for thought.

# define macros for each network interface
ext_if=fxp0
nmap_services = { xx, yy }

...

# Define some variable for clarity
NMAP_LIMIT="(max-src-conn-rate 5/30, overload <bad_nmap> flush global)"

...

# Table directive
table <bad_nmap> persist file "/var/log/bad_nmap"

...

pass in on $ext_if inet proto tcp from !<bad_nmap> \
   to $ext_if port $nmap_services flags S/SA keep state \
   $NMAP_LIMIT label nmap

Then setup your nmap ports in the $nmap_services above and you should be 
fine. Also run a cronjob like this:


/sbin/pfctl -T show -t bad_nmap > /var/log/bad_nmap

or similar to update your table when ever you see fit.

I didn't spend too much time on this one, but I think the above should 
give you an idea as to how to go about it. Might work just as is if you 
add the ports you want to protect inside your LAN, or may need some 
minor changes, but it is sure very close to what you might need I think.


Daniel



pf question

2005-12-29 Thread Dave Feustel
Has anyone on the list experience with using pf to
block ip addresses in the iana reserved ip address ranges list?

Thanks,
Dave Feustel
-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: pf question

2005-12-29 Thread eric
On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...

 Has anyone on the list experience with using pf to
 block ip addresses in the iana reserved ip address ranges list?

I don't think any of us have ever thought of that.

Oh wait..I may have... run this out of cron weekly

#!/bin/sh
#; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
#; a small tool to grab bogon list from team cymru
#;

PATH=/usr/bin:/bin:/usr/sbin:/sbin
BOGONFILE=/etc/bogon.txt
BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"

checkfile () {
 if [ ! -f $BOGONFILE ]; then
  echo "! $BOGONFILE must exist, exiting."
  exit 2
 fi
}

getnewfile () {
lynx -dump "$BOGONURL" > "$BOGONFILE"
}

fixperm () {
chmod 644 $BOGONFILE
}

logmsg () {
logger -p kern.notice "rewrote $BOGONFILE"
}

checkfile
getnewfile
fixperm
logmsg

exit 0


Then...

table <bogon> persist file "/etc/bogon.txt"

Somewhere in your pf.conf.
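eric's script writes whatever lynx returns straight into the file that `table <bogon> persist file` loads, so a failed fetch (an HTML error page, an empty body, a half-downloaded list) becomes the table's contents at the next reload. The following POSIX sh script is an added example, not eric's script and not anything posted in the thread: it validates every line as an IPv4 prefix, refuses an empty result, and only then swaps the file in and reloads the table. The names BOGONURL, BOGONFILE and the table name bogon are taken from eric's post; using ftp(1) as the fetcher and `pfctl -t bogon -T replace` for the reload are my assumptions about the local setup.

```shell
#!/bin/sh
# Added example, not eric's script: fetch the Team Cymru bogon list,
# validate it, and only then hand it to pf.  BOGONURL, BOGONFILE and the
# table <bogon> follow eric's post; ftp(1) as fetcher and the
# "pfctl -T replace" reload are assumptions about the local setup.

PATH=/usr/bin:/bin:/usr/sbin:/sbin
BOGONFILE=${BOGONFILE:-/etc/bogon.txt}
BOGONURL=${BOGONURL:-http://www.cymru.com/Documents/bogon-bn-nonagg.txt}

# Return 0 if $1 is a dotted-quad IPv4 prefix with a /0../32 mask.
is_ipv4_prefix() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%%/*}
    mask=${1#*/}
    case "$mask" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -f                  # no pathname expansion while splitting
    set -- $addr            # split the address into its octets
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a raw list on stdin and write only well-formed prefixes to stdout.
# Comments and blank lines are dropped; anything else (an HTML error page,
# a truncated line) is rejected.  Fails if nothing valid survives, so a bad
# download never produces an empty table.
clean_bogon_list() {
    count=0
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_ipv4_prefix "$line"; then
            printf '%s\n' "$line"
            count=$((count + 1))
        fi
    done
    [ "$count" -gt 0 ]
}

# Fetch, validate, swap the file in atomically, then reload the table.
# On any failure the previous file and table contents are left untouched.
update_bogon_table() {
    tmp=$(mktemp "$BOGONFILE.XXXXXX") || return 1
    if ftp -o - "$BOGONURL" | clean_bogon_list > "$tmp"; then
        chmod 644 "$tmp"
        mv "$tmp" "$BOGONFILE"
        pfctl -t bogon -T replace -f "$BOGONFILE"
        logger -p kern.notice "rewrote $BOGONFILE"
    else
        rm -f "$tmp"
        logger -p kern.err "bogon fetch failed, keeping old $BOGONFILE"
        return 1
    fi
}

# Run the update only when asked, so the file can also be sourced for its
# functions (e.g. to validate a list by hand: clean_bogon_list < list.txt).
if [ "${BOGON_UPDATE:-no}" = yes ]; then
    update_bogon_table
fi
```

From cron, run it as `BOGON_UPDATE=yes /etc/bogon-update.sh` (the path is an assumption). Keeping `persist` on the table line still matters: it makes the table survive even if the file is momentarily empty or unreadable at ruleset load time, and `-T replace` swaps the contents in one operation rather than flushing and re-adding.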



Re: pf question

2005-12-29 Thread Dave Feustel
from http://www.liquifried.com/docs/security/reservednets.html

For security purposes, reserved addresses should be prevented from both
entering and leaving a network (i.e. ingress and egress filtering). Ideally,
this filtering will be multi-layer in nature; at a minimum, this sort of
filtering should be done at the border of a network.

This morning I found an established tcp connection between 
[EMAIL PROTECTED]:43060 and  [EMAIL PROTECTED]:2005
(ip address [EMAIL PROTECTED]:2005 (an IANA reserved address))
Whois does not return any info on the ip name. The connection 
seems to be incoming only (15718 packets at last check). I put 
a block all from 5.0.0.0/24 in pf.conf. Additionally, as of this morning, 
the # on the keyboard  displayed as a British Pound sign in console 
mode until I logged off and logged back in.



On Thursday 29 December 2005 12:32, eric wrote:
 On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...
 
  Has anyone on the list experience with using pf to
  block ip addresses in the iana reserved ip address ranges list?
 
 I don't think any of us have ever thought of that.
 
 Oh wait..I may have... run this out of cron weekly
 
 #!/bin/sh
 #; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
 #; a small tool to grab bogon list from team cymru
 #;
 
 PATH=/usr/bin:/bin:/usr/sbin:/sbin
 BOGONFILE=/etc/bogon.txt
 BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"
 
 checkfile () {
  if [ ! -f $BOGONFILE ]; then
   echo "! $BOGONFILE must exist, exiting."
   exit 2
  fi
 }
 
 getnewfile () {
 lynx -dump "$BOGONURL" > "$BOGONFILE"
 }
 
 fixperm () {
 chmod 644 $BOGONFILE
 }
 
 logmsg () {
 logger -p kern.notice "rewrote $BOGONFILE"
 }
 
 checkfile
 getnewfile
 fixperm
 logmsg
 
 exit 0
 
 
 Then...
 
 table <bogon> persist file "/etc/bogon.txt"
 
 Somewhere in your pf.conf.
 

-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: pf question

2005-12-29 Thread Dave Feustel
On Thursday 29 December 2005 12:32, eric wrote:
 Re: pf question
I just noticed that it's 5.0.0.0/8, not 5.0.0.0/24.
-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: pf question

2005-12-29 Thread Pete Vickers
Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then  
tag them for pf, see example here:


http://www.cymru.com/BGP/bogon-rs.html

/Pete


On 29. des. 2005, at 18.32, eric wrote:


On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...


Has anyone on the list experience with using pf to
block ip addresses in the iana reserved ip address ranges list?


I don't think any of us have ever thought of that.

Oh wait..I may have... run this out of cron weekly

#!/bin/sh
#; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
#; a small tool to grab bogon list from team cymru
#;

PATH=/usr/bin:/bin:/usr/sbin:/sbin
BOGONFILE=/etc/bogon.txt
BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"

checkfile () {
 if [ ! -f $BOGONFILE ]; then
  echo "! $BOGONFILE must exist, exiting."
  exit 2
 fi
}

getnewfile () {
lynx -dump "$BOGONURL" > "$BOGONFILE"
}

fixperm () {
chmod 644 $BOGONFILE
}

logmsg () {
logger -p kern.notice "rewrote $BOGONFILE"
}

checkfile
getnewfile
fixperm
logmsg

exit 0


Then...

table <bogon> persist file "/etc/bogon.txt"

Somewhere in your pf.conf.




Re: pf question

2005-12-29 Thread David Higgs
You're either the victim of a truncated display or lacking in
fundamental DNS knowledge.

[EMAIL PROTECTED] host 5.191.160.66
Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] host dedicated5.thehideout.net
Host dedicated5.thehideout.net not found: 3(NXDOMAIN)
[EMAIL PROTECTED] host 66.160.191.5
5.191.160.66.in-addr.arpa domain name pointer dedicated5.thehideout.net.

--david


On 12/29/05, Dave Feustel [EMAIL PROTECTED] wrote:
 from http://www.liquifried.com/docs/security/reservednets.html

 For security purposes, reserved addresses should be prevented from both 
 entering and leaving a network
 (i.e. ingress and egress filtering). Ideally, this filtering will be 
 multi-layer in nature; at a minimum, this sort
 of filtering should be done at the border of a network.

 This morning I found an established tcp connection between
 [EMAIL PROTECTED]:43060 and  [EMAIL PROTECTED]:2005
 (ip address [EMAIL PROTECTED]:2005 (an IANA reserved address))
 Whois does not return any info on the ip name. The connection
 seems to be incoming only (15718 packets at last check). I put
 a block all from 5.0.0.0/24 in pf.conf. Additionally, as of this morning,
 the # on the keyboard  displayed as a British Pound sign in console
 mode until I logged off and logged back in.



 On Thursday 29 December 2005 12:32, eric wrote:
  On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...
 
   Has anyone on the list experience with using pf to
   block ip addresses in the iana reserved ip address ranges list?
 
  I don't think any of us have ever thought of that.
 
  Oh wait..I may have... run this out of cron weekly
 
  #!/bin/sh
  #; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
  #; a small tool to grab bogon list from team cymru
  #;
 
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  BOGONFILE=/etc/bogon.txt
  BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"
 
  checkfile () {
   if [ ! -f $BOGONFILE ]; then
echo "! $BOGONFILE must exist, exiting."
exit 2
   fi
  }
 
  getnewfile () {
  lynx -dump "$BOGONURL" > "$BOGONFILE"
  }
 
  fixperm () {
  chmod 644 $BOGONFILE
  }
 
  logmsg () {
  logger -p kern.notice "rewrote $BOGONFILE"
  }
 
  checkfile
  getnewfile
  fixperm
  logmsg
 
  exit 0
 
 
  Then...
 
  table <bogon> persist file "/etc/bogon.txt"
 
  Somewhere in your pf.conf.
 

 --
 Lose, v., experience a loss, get rid of, lose the weight
 Loose, adj., not tight, let go, free, loose clothing



Re: pf question

2005-12-29 Thread Dave Feustel
On Thursday 29 December 2005 20:27, David Higgs wrote:
 You're either the victim of a truncated display or lacking in
 fundamental DNS knowledge.

I definitely lack knowledge of DNS right now. 
 
 [EMAIL PROTECTED] host 5.191.160.66
 Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN)
 [EMAIL PROTECTED] host dedicated5.thehideout.net
 Host dedicated5.thehideout.net not found: 3(NXDOMAIN)
 [EMAIL PROTECTED] host 66.160.191.5
 5.191.160.66.in-addr.arpa domain name pointer dedicated5.thehideout.net.

What is the import of the last line above?

Thanks.
-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: pf question

2005-12-29 Thread Greg Thomas
On 12/29/05, Dave Feustel [EMAIL PROTECTED] wrote:
 On Thursday 29 December 2005 20:27, David Higgs wrote:
  You're either the victim of a truncated display or lacking in
  fundamental DNS knowledge.

 I definitely lack knowledge of DNS right now.

  [EMAIL PROTECTED] host 5.191.160.66
  Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN)
  [EMAIL PROTECTED] host dedicated5.thehideout.net
  Host dedicated5.thehideout.net not found: 3(NXDOMAIN)
  [EMAIL PROTECTED] host 66.160.191.5
  5.191.160.66.in-addr.arpa domain name pointer dedicated5.thehideout.net.

 What is the import of the last line above?


Probably that you had the IP address backwards.  It's 66.160.191.5
that you should be worried about, not the other way around.  Your 2nd
message in this thread appears to have necessary info removed.

Greg


