Re: Topics for revised PF and networking tutorial

2017-04-11 Thread lists
Tue, 11 Apr 2017 15:31:57 -0500 "Adam Thompson" 
> > > Plus, this year it appears that Peter is co-delivering the seminar
> > > with Massimiliano Stucchi from RIPE, so it will presumably cover
> > > a lot of IPv6 topics as well, which are poorly represented in
> > > existing materials and yet increasingly relevant.
> > >
> > Tue, 11 Apr 2017 10:30:35 +1000 
> > And for those of us who cannot attend, hopefully it will be on
> > video.
> 
> I can't say with 100% certainty, but it's unlikely.  The tutorials
> are not typically recorded.

Hi Adam, bytevolcano, misc@,

This is very sad to hear, everyone loves these sessions and always asks.

If you cannot attend, if you're poor (or from an underdeveloped region),
if you're an enthusiast without company / employment sponsorship, or any
other sort of financial coverage for the expenses, you're left out in the cold.

As an example of what to expect you can see some old tutorial recordings
from the 2014 EuroBSDcon held in Sofia, Bulgaria.  These are invaluable:

https://va.ludost.net/files/eurobsdcon/2014/Pirin/01.Thursday/
https://va.ludost.net/files/eurobsdcon/2014/Pirin/02.Friday/

And if the video recordings of BSDCan are not available, or cannot include
the tutorial sessions, we hope the new https://2017.eurobsdcon.org/ will.

It is the live meetings that make the conferences magical for attendees,
then video recordings are precious for the wider community, and history.

It is most certain the presenters would love to see the sessions online.
When there is a will, there is a way: all other reasons are meaningless.

Congratulations on the OpenBSD 6.1 release, just in time for April 12th,
[https://en.wikipedia.org/wiki/International_Day_of_Human_Space_Flight].

Kind regards,
Anton Lazarov

> (Among other things, AFAIK the people who do the recording are only
> present for the conference itself.)  There's also the matter of the
> tutorials not necessarily being covered by the same broadcast
> license (hmm, I wonder if Henning will consent this year?).  I don't
> have anything to do with any of those parts of the conference, so I
> can't speak to the details.
> 
> The slides and material are sometimes - not always - made available
> afterward, and that depends on the individual presenters.  Max is
> working for RIPE - which makes large amounts of their material
> available for free - and Peter historically makes his material
> available online for free, so I therefore have at least moderate
> hopes that they'll be able to find a way to sort out the copyright
> issues and get the slides put up somewhere.
> 
> -Adam



Re: Topics for revised PF and networking tutorial

2017-04-11 Thread Adam Thompson
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
> Behalf Of bytevolc...@safe-mail.net
> Sent: April 10, 2017 19:31
>
> > Plus, this year it appears that Peter is co-delivering the seminar
> > with Massimiliano Stucchi from RIPE, so it will presumably cover a lot
> > of IPv6 topics as well, which are poorly represented in existing
> > materials and yet increasingly relevant.
>
> And for those of us who cannot attend, hopefully it will be on video.

I can't say with 100% certainty, but it's unlikely.  The tutorials are not
typically recorded.  (Among other things, AFAIK the people who do the
recording are only present for the conference itself.)  There's also the
matter of the tutorials not necessarily being covered by the same broadcast
license (hmm, I wonder if Henning will consent this year?).  I don't have
anything to do with any of those parts of the conference, so I can't speak to
the details.

The slides and material are sometimes - not always - made available afterward,
and that depends on the individual presenters.  Max is working for RIPE -
which makes large amounts of their material available for free - and Peter
historically makes his material available online for free, so I therefore have
at least moderate hopes that they'll be able to find a way to sort out the
copyright issues and get the slides put up somewhere.

-Adam



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Alexander Hall
On April 11, 2017 5:54:31 AM GMT+02:00, Ingo Schwarze wrote:
>bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM
>+1000:
>
>> Another issue with the man pages is that there is extremely limited
>> indexing.
>
>That isn't true on OpenBSD.  It still is true on most Linux
>distributions, and even on FreeBSD by default, but at least FreeBSD
>has an option to enable OpenBSD-quality indexing.  It also isn't
>true on NetBSD, though there, it works in a completely different
>way than here (no semantic indexing, but flat full-text search).
>
>> $ apropos -i EXDEV
>> apropos: nothing appropriate
>
>  schwarze@isnote $ apropos Er=EXDEV
>  intro, errno(2) - introduction to system calls and error numbers
>  link, linkat(2) - make hard link to a file
>  rename, renameat(2) - change the name of a file

I was convinced Ingo would set things straight here. :-)

Since I suck at markup, I think it's worth mentioning using "any=EXDEV" for
the search expression, which works out fine for this case. For details, please
consult the fine manual. It's totally worth it.

/Alexander

>
>> Either I am doing something wrong here, or the indexing is junk.
>
>The former.  You failed to read manual pages.
>The apropos utility does not have a -i option,
>but it does support searching for error numbers,
>as documented in apropos(1).
>
>The indexing is NOT junk.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Ingo Schwarze
bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM +1000:

> Another issue with the man pages is that there is extremely limited
> indexing.

That isn't true on OpenBSD.  It still is true on most Linux
distributions, and even on FreeBSD by default, but at least FreeBSD
has an option to enable OpenBSD-quality indexing.  It also isn't
true on NetBSD, though there, it works in a completely different
way than here (no semantic indexing, but flat full-text search).

> $ apropos -i EXDEV
> apropos: nothing appropriate

  schwarze@isnote $ apropos Er=EXDEV
  intro, errno(2) - introduction to system calls and error numbers
  link, linkat(2) - make hard link to a file
  rename, renameat(2) - change the name of a file

> Either I am doing something wrong here, or the indexing is junk.

The former.  You failed to read manual pages.
The apropos utility does not have a -i option,
but it does support searching for error numbers,
as documented in apropos(1).

The indexing is NOT junk.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Theo de Raadt
> Another issue with the man pages is that there is extremely limited
> indexing.

They are manual pages, not manual books.

You are welcome to spend your time building an entire new subsystem
and proving the value of your work.  Go knock yourself out.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread bytevolcano
On Mon, 10 Apr 2017 17:10:55 -0500
Adam Thompson  wrote:

> You've asked almost the same question as "why does anyone need 
> tutorials? just read the man pages!" just at the next level up.  The 
> answer is because the man pages aren't adequate to cover every
> scenario, and not everyone can read man pages effectively.  People
> have different learning styles, if nothing else.  I learn best by
> seeing examples and asking questions.  (In fact, the lack of good
> examples is a pet peeve of mine with the OpenBSD man pages, but
> that's another story.)

Another issue with the man pages is that there is extremely limited
indexing. I have often had to google or find tutorials, only to find
there's this "new" device or program I never heard of.

$ apropos -i EXDEV
apropos: nothing appropriate
$ man errno | grep -i EXDEV
 18 EXDEV Cross-device link. A hard link to a file on another file system
$

Either I am doing something wrong here, or the indexing is junk.

> 
> I've attended Peter's seminar two?, maybe three? times now, and got 
> something new out of it each time - some nuance that wasn't obvious
> just from reading pf.conf(5).  Sometimes it was something Peter said, 
> sometimes it was something another attendee said.  That's the value
> of attending any training class or seminar, not just this one for PF.
> 
> The tutorial is aimed not at people who would go and produce another 
> tutorial, but at ordinary system administrators who don't have time
> to pore over the entire manpage, who want the most relevant
> information to them distilled and delivered efficiently.
> 
> Plus, this year it appears that Peter is co-delivering the seminar
> with Massimiliano Stucchi from RIPE, so it will presumably cover a
> lot of IPv6 topics as well, which are poorly represented in existing
> materials and yet increasingly relevant.

And for those of us who cannot attend, hopefully it will be on video.

> 
> Disclaimer: I now help organize (one small) part of BSDCan & PgCon,
> so I'm not *entirely* unbiased, but this is pretty much what I would
> have said the first two years I attended, anyway.
> 
> -Adam



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Jason Tubnor
On 8 April 2017 at 07:41, Mihai Popescu  wrote:

> I don't want to offend you folks, but I'm curious and I will ask: is
> this BSDCon so useful? Does it pay the efforts?
>
> If someone has time and knowledge to do a PF tutorial he/she can do it
> and post. Do you need the Con?
>
>
I'm traveling 17000km+ to go to the conference.  This is my second time.
Like other return attendees, tutors and presenters, I get a lot out of
these conferences and the networking (excuse the pun) that comes out of it.

I've been to other conferences like Cisco Live etc.; they charge way, way,
way more for the average punter and I don't get anywhere near as much out
of those flashy conferences as I get from BSDCan.  There is nothing quite
like quizzing the minds of advanced users and the developers of the tools
that we so often use in person.  Those conversations are invaluable and
something you just can't get via a mailing list.



Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Adam Thompson

On 2017-04-07 16:41, Mihai Popescu wrote:

I don't want to offend you folks, but I'm curious and I will ask: is
this BSDCon so useful? Does it pay the efforts?

If someone has time and knowledge to do a PF tutorial he/she can do it
and post. Do you need the Con?

I'm asking this having in mind the Google Summer of (no)Code thread from
misc@.

Again, I'm asking; I've never been to a Con to sense the feeling.

Thanks.


I'll take a stab at this...

* BSDCan (not Con) is cheap.  Stupidly cheap, in fact: $195/person if 
you're paying your own way.
* The PF tutorial is not free - there is an additional cost ($75) to 
attend the tutorial.
* Peter clearly has the time and knowledge to do it, he has huge amounts 
of raw material on his website, including what amounts to last year's 
tutorial slides, for free - but also chooses to deliver this tutorial.  
Based on the fee, the number of attendees, and the number of presenters, 
no-one's getting rich off this.
* The tutorial is a focused, half-day session where you get to interact 
with the top PF trainer in the world, and ask the questions specific to 
your network.
* Peter keeps his tutorial up to date, unlike most if not all of the 
resources you'll find online, some of which predate the change in syntax 
from several years ago.


You've asked almost the same question as "why does anyone need 
tutorials? just read the man pages!" just at the next level up.  The 
answer is because the man pages aren't adequate to cover every scenario, 
and not everyone can read man pages effectively.  People have different 
learning styles, if nothing else.  I learn best by seeing examples and 
asking questions.  (In fact, the lack of good examples is a pet peeve of 
mine with the OpenBSD man pages, but that's another story.)


I've attended Peter's seminar two?, maybe three? times now, and got 
something new out of it each time - some nuance that wasn't obvious just 
from reading pf.conf(5).  Sometimes it was something Peter said, 
sometimes it was something another attendee said.  That's the value of 
attending any training class or seminar, not just this one for PF.


The tutorial is aimed not at people who would go and produce another 
tutorial, but at ordinary system administrators who don't have time to 
pore over the entire manpage, who want the most relevant information to 
them distilled and delivered efficiently.


Plus, this year it appears that Peter is co-delivering the seminar with 
Massimiliano Stucchi from RIPE, so it will presumably cover a lot of 
IPv6 topics as well, which are poorly represented in existing materials 
and yet increasingly relevant.


Disclaimer: I now help organize (one small) part of BSDCan & PgCon, so 
I'm not *entirely* unbiased, but this is pretty much what I would have 
said the first two years I attended, anyway.


-Adam



Re: Topics for revised PF and networking tutorial

2017-04-09 Thread Glenn Faustino
Hi All,

Here's my config I'm using on my apu2 on my home network:

[apu2@apu2.domain.local:~]$ doas cat /etc/pf.conf
doas (apu2@apu2.domain.local) password:
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# Macros
ext_if = "em0"
wifi_if0 = "athn0"
wifinet0 = "$wifi_if0:network"
tcp_out = "{www,https}"
icmp_types = "echoreq"

# Tables
# (the table names between angle brackets did not survive the mail archive)
table  {8.8.8.8,8.8.4.4}
table  {216.239.35.12}

# Options
set skip on lo
set loginterface $ext_if
set limit states 10

# ftp proxy rules
anchor "ftp-proxy/*"
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port ftp divert-to 127.0.0.1 port 8021

# traffic normalization
match in all scrub (no-df random-id max-mss 1440)

# queueing
queue rootq_ext on $ext_if bandwidth 9M max 9M
queue sshq on $ext_if parent rootq_ext bandwidth 1M
queue  ssh_prioq on $ext_if parent sshq bandwidth 200K min 200K
queue  ssh_bulkq on $ext_if parent sshq bandwidth 800K min 800K
queue ackq on $ext_if parent rootq_ext bandwidth 2M min 500K
queue dnsq on $ext_if parent rootq_ext bandwidth 1M min 500K
queue webq on $ext_if parent rootq_ext bandwidth 4M min 4M max 8M burst 7M for 300ms
queue defq on $ext_if parent rootq_ext bandwidth 1M min 500K default

queue rootq_wifi0 on $wifi_if0 bandwidth 100M max 100M
queue sshq on $wifi_if0 parent rootq_wifi0 bandwidth 10M
queue  ssh_prioq on $wifi_if0 parent sshq bandwidth 2M min 1M
queue  ssh_bulkq on $wifi_if0 parent sshq bandwidth 8M min 5M
queue ackq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M
queue dnsq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M
queue webq on $wifi_if0 parent rootq_wifi0 bandwidth 60M min 60M max 90M burst 90M for 300ms
queue defq on $wifi_if0 parent rootq_wifi0 bandwidth 10M min 5M default

# translation/NAT
match out on $ext_if inet from !$ext_if to any nat-to ($ext_if)

# packet filtering rules
block log all
pass out quick
antispoof quick for {lo $wifi_if0 $ext_if}
match inet proto tcp from any to any port ssh set queue (ssh_bulkq, ssh_prioq)
match inet proto {tcp,udp} from any to any port {domain,ntp} set queue (dnsq, ackq)
match inet proto tcp from any to any port $tcp_out set queue (webq, ackq)
match inet proto tcp from any to any port ftp set queue (webq, ackq)
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port ssh
pass in quick on !$ext_if inet proto {tcp,udp} from !$ext_if to any port domain rdr-to  port domain
pass in quick on !$ext_if inet proto {tcp,udp} from !$ext_if to any port ntp rdr-to  port ntp
# uncomment when using relayd transparent proxy; remove 'www' from tcp_out macro...
#pass in quick on !$ext_if inet proto tcp from !$ext_if to any port www divert-to 127.0.0.1 port 8080
pass in quick on !$ext_if inet proto tcp from !$ext_if to any port $tcp_out
pass in quick on !$ext_if inet proto icmp from !$ext_if to any icmp-type $icmp_types


Regards,
Glenn




On Sat, Apr 8, 2017 at 4:10 PM, Stuart Henderson wrote:

> On 2017-04-05, Marko Cupać  wrote:
> > I still haven't found a way to throttle down queues to desired values
> > without using fixed min and max values.
>
> I haven't done very well with this either. I've had better luck with
> kernels built with higher HZ but haven't been really happy with it (and
> what I really want is to be able to limit bandwidth per-ip - with a
> limited amount of v4 space you can just about manage this with a lot of
> queue and assignment rules, but that's impossible for ipv6, and even
> with ipv4 makes it hard to use a decent amount of address space to
> mitigate against DHCP exhaustion attacks e.g. on public wifi).
>
> > Adding NAT to the mix
> > complicates things further. What about queueing of traffic inside GRE
> > tunnels in transport mode protected with IPSEC? Where to read about it?
>
> The queue is assigned to the PF state, based on the queue name.
> You can either do this in a "pass" rule or a "match" rule. NAT is easy
> to cope with using "match" when you take the following into account:
>
> : Translation
> :   Translation options modify either the source or destination address and
> :   port of the packets associated with a stateful connection.  pf(4)
> :   modifies the specified address and/or port in the packet and recalculates
> :   IP, TCP, and UDP checksums as necessary.
> :
> :   Subsequent rules will see packets as they look after any addresses and
> :   ports have been translated.  These rules will therefore have to filter
> :   based on the translated address and port number.
>
> So you can simply do your queue assignment with a "match..queue" rule
> before the nat-to rule,

Re: Topics for revised PF and networking tutorial

2017-04-08 Thread Stuart Henderson
On 2017-04-05, Marko Cupać  wrote:
> I still haven't found a way to throttle down queues to desired values
> without using fixed min and max values.

I haven't done very well with this either. I've had better luck with
kernels built with higher HZ but haven't been really happy with it (and
what I really want is to be able to limit bandwidth per-ip - with a
limited amount of v4 space you can just about manage this with a lot of
queue and assignment rules, but that's impossible for ipv6, and even
with ipv4 makes it hard to use a decent amount of address space to
mitigate against DHCP exhaustion attacks e.g. on public wifi).

> Adding NAT to the mix
> complicates things further. What about queueing of traffic inside GRE
> tunnels in transport mode protected with IPSEC? Where to read about it?

The queue is assigned to the PF state, based on the queue name.
You can either do this in a "pass" rule or a "match" rule. NAT is easy
to cope with using "match" when you take the following into account:

: Translation
:   Translation options modify either the source or destination address and
:   port of the packets associated with a stateful connection.  pf(4)
:   modifies the specified address and/or port in the packet and recalculates
:   IP, TCP, and UDP checksums as necessary.
:
:   Subsequent rules will see packets as they look after any addresses and
:   ports have been translated.  These rules will therefore have to filter
:   based on the translated address and port number.

So you can simply do your queue assignment with a "match..queue" rule
before the nat-to rule, then the queue rule will be evaluated while the
packet still has the pre-NAT address.

Also, if you're queueing in both directions (internet->local as well as
local->internet) make sure the queues on the different interfaces have
the same name, so you can just assign to e.g. "fast". I've often seen
examples where people try to use two different names depending on the
direction (e.g. "fast_in" and "fast_out") and run into problems when
they try to assign to queues.

> Optimistic me believes that devs are too busy making stuff work and
> have no time to explain it to us poor admins (by means of manpages,
> faqs or howtos). But how can I know how to use it if I can't read about
> it anywhere?

Queues never had the best documentation, I've tried improving it before
but didn't manage to write anything that really helped. I think the most
useful that I saw was in Jacek Artymiak's "building firewalls" book -
but that was for altq and not relevant to newer PF/queues.

If someone reading has a queue config that they're happy with, it would
be nice to see pf.conf snippets!

> Pessimistic me starts to notice that less and less free knowledge can be
> found around the 'net.

That's exactly the opposite of what OpenBSD is trying to do.

>If I want answers to my questions, is the
> best way to start saving money for paying OpenBSD consultants hourly
> rates for tuition?

Where the documentation leaves you with questions, I think the best
way is to look at the code, mailing list posts and commit logs and try
things out. If you can make any specific suggestions to improve docs,
that would be really helpful.
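An added pf.conf fragment illustrating the two queueing points made above (my example, not code from Stuart's message or from any OpenBSD example file): the leaf queues on both interfaces share the names "fast" and "bulk", so a single set queue assignment serves a state whichever interface its packets leave on, and the queue assignment sits in a match rule ahead of the nat-to rule, so it still matches on the untranslated LAN address. The interface names, the LAN prefix and all bandwidth figures are placeholders.

```pf
# Added example; em0/em1, 192.0.2.0/24 and the bandwidths are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"

# Same leaf names on both interfaces: "fast" and "bulk" exist on $ext_if
# and on $int_if, so one "set queue" assignment covers both directions.
queue root_ext on $ext_if bandwidth 20M max 20M
queue  fast on $ext_if parent root_ext bandwidth 5M min 2M
queue  bulk on $ext_if parent root_ext bandwidth 15M default

queue root_int on $int_if bandwidth 100M max 100M
queue  fast on $int_if parent root_int bandwidth 25M min 10M
queue  bulk on $int_if parent root_int bandwidth 75M default

# Pitfall from the text above: direction-specific names cannot be assigned
# with one "set queue", because the state carries a single queue assignment
# (primary plus priority queue) whose name is looked up on whichever
# interface the packet leaves. Do not lay queues out like this:
#   queue fast_out on $ext_if parent root_ext bandwidth 5M
#   queue fast_in  on $int_if parent root_int bandwidth 25M

# Queue assignment first: these match rules run before nat-to, so $lan_net
# here is still the untranslated (pre-NAT) source address.
match out on $ext_if inet proto tcp from $lan_net to any port { ssh, domain } set queue (bulk, fast)
match out on $ext_if inet proto udp from $lan_net to any port domain set queue fast

# Translation after the queue has been chosen for the state.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Rules from here on see the translated (post-NAT) source address,
# which is why the queue rules could not be placed after nat-to.
block in log
pass out quick
pass in on $int_if inet from $lan_net
```

Load it with pfctl -nf to syntax-check first, then pfctl -f; pfctl -s queue afterwards shows both sets of queues with their counters, which is the quickest way to confirm that return traffic on $int_if is really landing in "fast" and "bulk" rather than in the default queue.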



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Philipp Buehler

Am 07.04.2017 18:38 schrieb Peter N. M. Hansteen:

On 04/07/17 18:00, I love OpenBSD wrote:

I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me 
put a CIDR into the named table based on offending IPv6 address and 
64-bit mask? I mean something similar to 'overload ' option.


Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:


Also tables can be manipulated with bgpd, so keen to see phessler's new 
talk on that in Ottawa.


ciao
--
pb



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread bytevolcano
On Fri, 7 Apr 2017 17:39:16 + (UTC)
Stuart Henderson  wrote:

> On 2017-04-06, 
>  wrote:
> > On Wed, 5 Apr 2017 22:44:54 + (UTC)
> > Stuart Henderson  wrote:
> >  
> >> On 2017-04-05, 
> >>  wrote:  
> >> > I've been using a trick to emulate scheduled rules using IP
> >> > tables.
> >> 
> >> Nice trick. Anchors are also good for this.
> >> 
> >> But don't forget that active connections won't be dropped unless
> >> you also flush the relevant states.
> >>   
> >
> > Anchors do not work with securelevel=2. This trick works in
> > securelevel=2.  
> 
> Oh, people actually use that? :)

Oh I reckon someone out there runs tetris(6) on their firewall.
I use it when I am confident the ruleset is stable. Of course, I have
to restart the gateway every time I change the rules.

> 
> > As for active connections, the goal here is to prevent new
> > connections being made after closing time. I don't want my
> > connection to close just because it is a few seconds after closing
> > time, especially when I already got in before the ports were
> > closed. It may be worth closing long-standing connections
> > eventually though.
> >
> > Maybe something like this:
> >
> > 0 18 * * * *root/sbin/pfctl -F states
> >
> >  
> 
> If it's given as an example for something, it's definitely important
> to point out about active connections. -F states will kill the
> "wanted" states too, I use pfctl -k to knock out just the relevant
> hosts.
> 

I was wondering about that. I missed -k while scrolling through the man
page. Labeling the rules may also be helpful:


# Schedule table (the table name between angle brackets did not survive the mail archive)
table  persist

# Scheduled access to HTTP
pass in on egress proto tcp from  to any port http rdr-to $web_server keep state label sched_ip

# Scheduled access to SSH
pass in on egress proto tcp from  to any port ssh keep state label sched_ip


System crontab:

0 18 * * *  root  /sbin/pfctl -k label -k sched_ip



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Mihai Popescu
I don't want to offend you folks, but I'm curious and I will ask: is
this BSDCon so useful? Does it pay the efforts?

If someone has time and knowledge to do a PF tutorial he/she can do it
and post. Do you need the Con?

I'm asking this having in mind the Google Summer of (no)Code thread from misc@.
Again, I'm asking; I've never been to a Con to sense the feeling.

Thanks.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread mabi
Dear Peter,

May I suggest the following topic of interest:

PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course.

Regards,
M.

 Original Message 
Subject: Topics for revised PF and networking tutorial
Local Time: April 1, 2017 10:52 AM
UTC Time: April 1, 2017 8:52 AM
From: pe...@bsdly.net
To: misc@openbsd.org

Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and were looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-06,   wrote:
> On Wed, 5 Apr 2017 22:44:54 + (UTC)
> Stuart Henderson  wrote:
>
>> On 2017-04-05, 
>>  wrote:
>> > I've been using a trick to emulate scheduled rules using IP
>> > tables.  
>> 
>> Nice trick. Anchors are also good for this.
>> 
>> But don't forget that active connections won't be dropped unless you
>> also flush the relevant states.
>> 
>
> Anchors do not work with securelevel=2. This trick works in
> securelevel=2.

Oh, people actually use that? :)

> As for active connections, the goal here is to prevent new connections
> being made after closing time. I don't want my connection to close just
> because it is a few seconds after closing time, especially when I
> already got in before the ports were closed. It may be worth closing
> long-standing connections eventually though.
>
> Maybe something like this:
>
>   0 18 * * * *root/sbin/pfctl -F states
>
>

If it's given as an example for something, it's definitely important to
point out about active connections. -F states will kill the "wanted" states
too, I use pfctl -k to knock out just the relevant hosts.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-07, I love OpenBSD  wrote:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
> mean something similar to 'overload ' option.

"overload" only adds the actual address, it doesn't have a way to mask on /64.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 18:00, I love OpenBSD wrote:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
> mean something similar to 'overload ' option.

Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:

[Fri Apr 07 18:31:40] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:31:59] peter@skapet:~$ doas pfctl -t myself -T add 2001:470:df85:dead:beef::1/64
1/1 addresses added.
[Fri Apr 07 18:32:08] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead::/64
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:32:13] peter@skapet:~$

overload rules would work similarly.

If you need to differentiate between address families, you use inet and
inet6 respectively in the criteria.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
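As an added example (mine, not from Peter's or Stuart's messages and not one of OpenBSD's example files), the following pf.conf fragment puts the points from this sub-thread together: one table holding both inet and inet6 entries, some of them as prefixes, a block rule fed from it, an overload rule that adds single offending addresses to the same table, and inet/inet6 qualifiers where the two families need different handling. The table name, prefixes and rate limits are placeholders.

```pf
# Added example; <scanners>, the prefixes and the limits are placeholders.
# One table serves both address families; entries can be hosts or prefixes,
# exactly as in the pfctl -T add / -T show session above.
table <scanners> persist { 203.0.113.0/24, 2001:db8:bad::/64 }

# Sources already in the table are dropped before any pass rule is reached.
block in quick log from <scanners>

# Sources opening more than 15 new TCP connections in 5 seconds are added to
# the table and their existing states flushed. As noted above, overload adds
# only the single offending address (for IPv6 a /128, not its /64); a whole
# prefix still has to be added by hand, e.g.
#   pfctl -t scanners -T add 2001:db8:bad::/64
pass in on egress proto tcp to any port { ssh, www, https } \
    keep state (max-src-conn-rate 15/5, overload <scanners> flush global)

# Where the families differ, qualify the rule with inet or inet6 instead of
# keeping separate tables. Neighbour discovery has to stay open for IPv6.
pass in on egress inet proto icmp icmp-type echoreq
pass in on egress inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv }
```

Because the table is persist, it survives a ruleset reload, and pfctl -t scanners -T show lists the hand-added prefixes next to the single addresses overload has inserted, so the effect of each mechanism stays visible.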



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread R0me0 ***
+1 Queue Prioritization and ToS ( set prio / set tos combinations ) by
examples would be great

2017-04-07 13:00 GMT-03:00 I love OpenBSD :

> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put
> a CIDR into the named table based on offending IPv6 address and 64-bit
> mask? I mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread I love OpenBSD
I second to more IPv6 related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 13:36, Markus Rosjat wrote:
> Since not everyone can attend to this Conference will there be a
> recording of this session? 

At previous BSDCans, talks have generally been recorded but not
tutorials. So probably not. Slides likely will be available after the
session has concluded.

On the other hand there is a chance we will be able to offer a similar
session at EuroBSDCon too, but no decisions have been made yet.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Markus Rosjat
Since not everyone can attend this conference, will there be a 
recording of this session? I use pf not so much on a daily basis but I 
would like to get more insight too ;)


And I admit I'm more the visual guy

regards

Markus

Am 07.04.2017 um 06:25 schrieb li...@wrant.com:

Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać 

On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:


Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and were looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.


Queueing. Prioritization. Throttling.


Hi Peter, misc@,

I would second the coherent practical examples in: queues, priorities,
bandwidth caps, normalisation & reordering to have quality of service.

And all required steps to achieve an advanced fully functional feature
full typical home, office, lab, ISP, enterprise, etc setups iterative,
each time incrementally enhancing the previous set of tricks and skill
one game at a time, much more a practical hands on approach to the PF.

Including performing common tasks of monitoring, maintenance, upgrade,
conflict resolve, capturing, post processing, sanitation, enhancement.
My personal interests have always been practical application examples,
especially these extending the previous ones in a connected structure.

From the default rule set after installation, through getting Internet
working, and then fixing most common pitfalls of poor packet scheduler
practices (or lack of) in (dumb) broadband equipment.. through solving
all aspects to realisation of complete deployments, as YOU learned it.

The PF features got implemented over time, to solve real actual needs.
The typical new user begins with small common tasks up to their needs.
The full example shows a complete configuration addressing most needs.
The best tutorials give a practical approach to fulfil the real needs.

I dream of a revised PF and networking tutorial from sketch to artist.
Thank you ALL for the hard work over the years to complement OpenBSD..

Kind regards,
Anton Lazarov


I have hard time configuring these since years now. The fact (or is
it rumour?) that prio works only when physical interface bandwidth is
saturated couldn't be read in manpages, pf faq, or other 'official'
docs, I heard about it by chance:
[https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]

I still haven't found a way to throttle down queues to desired values
without using fixed min and max values. Adding NAT to the mix
complicates things further. What about queueing of traffic inside GRE
tunnels in transport mode protected with IPSEC? Where to read about it?

Optimistic me believes that devs are too busy making stuff work and
have no time to explain it to us poor admins (by means of manpages,
faqs or howtos). But how can I know how to use it if I can't read about
it anywhere?

Pessimistic me starts to notice that less and less free knowledge can be
found around the 'net. If I want answers to my questions, is the
best way to start saving money for paying OpenBSD consultants hourly
rates for tuition?

If there's any way I could help, don't hesitate to contact me.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/




--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Craig Skinner
On Fri, 7 Apr 2017 07:25:58 +0300 li...@wrant.com wrote:
> Thank you ALL for the hard work over the years to complement OpenBSD.

Yes.



Re: Topics for revised PF and networking tutorial

2017-04-06 Thread lists
Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać 
> On Sat, 1 Apr 2017 10:52:20 +0200
> "Peter N. M. Hansteen"  wrote:
>
> > Hi,
> >
> > I thought I'd like to give you a heads up that there will be a "PF and
> > networking" tutorial at BSDCan 2017 in Ottawa this June.
> >
> > The session will however not be the Nth rerun of the old one, we're
> > starting from scratch this time, and we're looking for input on what to
> > include.
> >
> > Do you have questions on PF and related matters, or are there specific
> > topics you would like to see covered?
> >
> > We want to hear from you, either contact us directly at the reply-to
> > address or use the list.
>
> Queueing. Prioritization. Throttling.

Hi Peter, misc@,

I would second the coherent practical examples in: queues, priorities,
bandwidth caps, normalisation & reordering to have quality of service.

And all required steps to achieve an advanced fully functional feature
full typical home, office, lab, ISP, enterprise, etc setups iterative,
each time incrementally enhancing the previous set of tricks and skill
one game at a time, much more a practical hands on approach to the PF.

Including performing common tasks of monitoring, maintenance, upgrade,
conflict resolve, capturing, post processing, sanitation, enhancement.
My personal interests have always been practical application examples,
especially these extending the previous ones in a connected structure.

From the default rule set after installation, through getting Internet
working, and then fixing most common pitfalls of poor packet scheduler
practices (or lack of) in (dumb) broadband equipment.. through solving
all aspects to realisation of complete deployments, as YOU learned it.

The PF features got implemented over time, to solve real actual needs.
The typical new user begins with small common tasks up to their needs.
The full example shows a complete configuration addressing most needs.
The best tutorials give a practical approach to fulfil the real needs.

I dream of a revised PF and networking tutorial from sketch to artist.
Thank you ALL for the hard work over the years to complement OpenBSD..

Kind regards,
Anton Lazarov

> I have had a hard time configuring these for years now. The fact (or is
> it rumour?) that prio works only when physical interface bandwidth is
> saturated couldn't be read in manpages, pf faq, or other 'official'
> docs, I heard about it by chance:
> [https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]
>
> I still haven't found a way to throttle down queues to desired values
> without using fixed min and max values. Adding NAT to the mix
> complicates things further. What about queueing of traffic inside GRE
> tunnels in transport mode protected with IPSEC? Where to read about it?
>
> Optimistic me believes that devs are too busy making stuff work and
> have no time to explain it to us poor admins (by means of manpages,
> faqs or howtos). But how can I know how to use it if I can't read about
> it anywhere?
>
> Pessimistic me starts to notice that less and less free knowledge can be
> found around the 'net. If I want answers to my questions, is the
> best way to start saving money for paying OpenBSD consultants hourly
> rates for tuition?
>
> If there's any way I could help, don't hesitate to contact me.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Jason Tubnor
Without hijacking this thread completely, but touching on some of the
elements discussed above (and I think these are great inclusions for the
tutorial).

We have implemented a variety of queues to manage our internet links and
ikev2 VPN tunnels to remote offices.  We have also done something similar
for our public wireless like the schedule example above.

I'll be giving an overview of this and other cool stuff provided by OpenBSD
that we use during my BSDCan 2017 talk titled BSD in 60 Days.  Hope to see
you there!



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
On Wed, 5 Apr 2017 22:44:54 + (UTC)
Stuart Henderson  wrote:

> On 2017-04-05, 
>  wrote:
> > I've been using a trick to emulate scheduled rules using IP
> > tables.  
> 
> Nice trick. Anchors are also good for this.
> 
> But don't forget that active connections won't be dropped unless you
> also flush the relevant states.
> 

Anchors do not work with securelevel=2. This trick works in
securelevel=2.

As for active connections, the goal here is to prevent new connections
being made after closing time. I don't want my connection to close just
because it is a few seconds after closing time, especially when I
already got in before the ports were closed. It may be worth closing
long-standing connections eventually though.

Maybe something like this:

0 18 * * *   root   /sbin/pfctl -F states



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Stuart Henderson
On 2017-04-05,   wrote:
> I've been using a trick to emulate scheduled rules using IP tables.

Nice trick. Anchors are also good for this.

But don't forget that active connections won't be dropped unless you
also flush the relevant states.



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
I've been using a trick to emulate scheduled rules using IP tables.
It would be nice to have something like this covered.
I have even seen it in the silliest of home router firewalls.


First, create a rule with a table like so:

# Schedule Table
table <schedule_ip> persist

# Scheduled access to HTTP
pass in on egress proto tcp from <schedule_ip> to any port http rdr-to $web_server keep state


Then add to crontab jobs like this:

# Top secret business server opens from 9AM-4PM during weekdays, and 2PM-4PM weekends.
0 9  * * 1-5   root   /sbin/pfctl -T add -t schedule_ip 0.0.0.0/0 # open (Mon - Fri)
0 14 * * 6-7   root   /sbin/pfctl -T add -t schedule_ip 0.0.0.0/0 # open (Sat + Sun)
0 16 * * *     root   /sbin/pfctl -T del -t schedule_ip 0.0.0.0/0 # close (everyday)

Very useful technique, and I also think this works under securelevel=2 (correct 
me if I am wrong, I haven't tried myself).
The 0.0.0.0/0 range is a very useful tool in many cases. 


On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:

> Hi,
> 
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
> 
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
> 
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
> 
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.
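An added example, written for this thread rather than taken from bytevolcano's post or from OpenBSD: the cron lines above only fire at the scheduled minutes, so a reboot (the persist table comes up empty) or a missed run leaves the table in the wrong state until the next edge. The script below computes the desired state from the clock and converges the table to it, and when the window closes it kills only the states of a labelled rule instead of flushing them all; the table name is the post's, while the label "scheduled_http" and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Converges the <schedule_ip>
# table to the state the schedule says it should have right now, so it is
# safe to run every few minutes from cron and once from rc.local.
#
# Assumed: the pass rule carries a label so only its states are killed, e.g.
#   pass in on egress proto tcp from <schedule_ip> to any port http \
#       rdr-to $web_server label "scheduled_http"
# Set PFCTL=echo for a dry run that prints the pfctl commands instead.

TABLE="schedule_ip"
LABEL="scheduled_http"          # assumed rule label, see above
PFCTL="${PFCTL:-/sbin/pfctl}"

# should_be_open HOUR DOW: exit 0 when the window is open at that time.
# HOUR is 0-23 (date +%H), DOW is 0-6 with 0 = Sunday (date +%w).
# Same schedule as the cron lines: Mon-Fri 09:00-16:00, Sat/Sun 14:00-16:00.
should_be_open() {
    hour=$1
    dow=$2
    case $dow in
        1|2|3|4|5) [ "$hour" -ge 9 ] && [ "$hour" -lt 16 ] ;;
        0|6)       [ "$hour" -ge 14 ] && [ "$hour" -lt 16 ] ;;
        *)         return 1 ;;
    esac
}

# table_is_open: exit 0 when 0.0.0.0/0 is currently in the table.
# pfctl -T show prints one indented address per line.
table_is_open() {
    "$PFCTL" -T show -t "$TABLE" 2>/dev/null | grep -q '^ *0\.0\.0\.0/0$'
}

# converge HOUR DOW: touch the table only when it differs from the desired
# state; on the open-to-closed transition also kill the labelled states so
# sessions that began before closing time do not outlive it indefinitely.
converge() {
    if should_be_open "$1" "$2"; then
        table_is_open || "$PFCTL" -T add -t "$TABLE" 0.0.0.0/0
    elif table_is_open; then
        "$PFCTL" -T del -t "$TABLE" 0.0.0.0/0
        "$PFCTL" -k label -k "$LABEL"
    fi
}

# Run from cron as (assumed path): */5 * * * * root /etc/schedule_sync.sh apply
if [ "${1:-}" = "apply" ]; then
    converge "$(date +%H)" "$(date +%w)"
fi
```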



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Sterling Archer
On Sat, Apr 1, 2017 at 10:52 AM, Peter N. M. Hansteen 
wrote:

> Hi,
>
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
>
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
>
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
>
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
Seconding (thirding?) ipv6. Relayd would be nice too, maybe in the section
about pf anchors.



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Marko Cupać
On Sat, 1 Apr 2017 10:52:20 +0200
"Peter N. M. Hansteen"  wrote:

> Hi,
>
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
>
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
>
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?
>
> We want to hear from you, either contact us directly at the reply-to
> address or use the list.

Queueing. Prioritization. Throttling.

I have had a hard time configuring these for years now. The fact (or is
it rumour?) that prio works only when physical interface bandwidth is
saturated couldn't be read in manpages, pf faq, or other 'official'
docs, I heard about it by chance:
[https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]

I still haven't found a way to throttle down queues to desired values
without using fixed min and max values. Adding NAT to the mix
complicates things further. What about queueing of traffic inside GRE
tunnels in transport mode protected with IPSEC? Where to read about it?

Optimistic me believes that devs are too busy making stuff work and
have no time to explain it to us poor admins (by means of manpages,
faqs or howtos). But how can I know how to use it if I can't read about
it anywhere?

Pessimistic me starts to notice that less and less free knowledge can be
found around the 'net. If I want answers to my questions, is the
best way to start saving money for paying OpenBSD consultants hourly
rates for tuition?

If there's any way I could help, don't hesitate to contact me.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Mike Coddington
On Sat, Apr 01, 2017 at 10:52:20AM +0200, Peter N. M. Hansteen wrote:
> Hi,
> 
> I thought I'd like to give you a heads up that there will be a "PF and
> networking" tutorial at BSDCan 2017 in Ottawa this June.
> 
> The session will however not be the Nth rerun of the old one, we're
> starting from scratch this time, and we're looking for input on what to
> include.
> 
> Do you have questions on PF and related matters, or are there specific
> topics you would like to see covered?

I've been setting up a home firewall using pf and I'd love to see some
more information on IPv6. Most of my problems have been due to me not
knowing all that much about IPv6, rather than pf problems, but I'm sure
there are a good number of people in the same predicament I'm in.

-- 
To find a friend one must close one eye; to keep him -- two.
-- Norman Douglas



Re: Topics for revised PF and networking tutorial

2017-04-03 Thread Simen Stavdal
Anycast with ospf and ipv6 could be a fun tutorial...

/S

On 2 Apr 2017 22:27, "Luke Small"  wrote:

> It might be a fun idea to share what a really locked down desktop system
> pf.conf would look like if you are running a chain of DNS services (or
> something that would be good to tightly control) like local ntpd, unbound,
> and dnscrypt_proxy where you have local traffic locked down as well so that
> an aberrant process or even root cannot connect to the local ports and
> services, e.g.:
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}
>
> block out log quick on lo0 proto {tcp, udp} from self to any port 53
>
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 53 user
> _unbound
>
> block in log quick on lo0 proto {tcp, udp} from any to self port 53
>
>
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound
>
> block out log quick on lo0 proto {tcp, udp} from self to any port 40
>
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy
>
> block in log quick on lo0 proto {tcp, udp} from any to self port 40
>
>
> pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy
>
> block out log quick on egress proto {tcp, udp} from self to any port 53
>
> Maybe there is a similar case that can be made, possibly with a reverse
> http proxy setup that would make more sense for security in the case that a
> vulnerability is discovered.



Re: Topics for revised PF and networking tutorial

2017-04-02 Thread Luke Small
It might be a fun idea to share what a really locked down desktop system
pf.conf would look like if you are running a chain of DNS services (or
something that would be good to tightly control) like local ntpd, unbound,
and dnscrypt_proxy where you have local traffic locked down as well so that
an aberrant process or even root cannot connect to the local ports and
services, e.g.:

pass out quick on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}

block out log quick on lo0 proto {tcp, udp} from self to any port 53


pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound

block in log quick on lo0 proto {tcp, udp} from any to self port 53



pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound

block out log quick on lo0 proto {tcp, udp} from self to any port 40


pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy

block in log quick on lo0 proto {tcp, udp} from any to self port 40


pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy

block out log quick on egress proto {tcp, udp} from self to any port 53

Maybe there is a similar case that can be made, possibly with a reverse
http proxy setup that would make more sense for security in the case that a
vulnerability is discovered.



Topics for revised PF and networking tutorial

2017-04-01 Thread Peter N. M. Hansteen
Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.