pf.conf question
My OpenBSD system has several network cards:

  - pppoe0 - is connected to the DSL line
  - fxp0 - is connected to the switch for the local network
  - ral0 - is wireless

I am able to access the internet from computers on the LAN. From outside my home, I am able to use port 2000 to access a Win2K system. When I try to access the same Win2K system on port 11005, I get connection refused.

  $ sudo cat pf.conf
  set skip on lo

  pass
  block in on ! lo0 proto tcp to port 6000:6010

  ext_if = pppoe0
  int_if = fxp0
  air_if = ral0

  match out on $ext_if nat-to ($ext_if)

  win2k = 192.168.0.3
  match in on $ext_if inet proto tcp from any to ($ext_if) port 2000 rdr-to $win2k
  match in on $ext_if inet proto tcp from any to ($ext_if) port 11005 rdr-to $win2k

  $ sudo pfctl -f /etc/pf.conf

From external system:

  $ telnet .dyndns.org 2000
  Trying 64.231.xx.xxx...
  Connected to .dyndns.org.
  Escape character is '^]'.
  Terminated
  $ telnet .dyndns.org 11005
  Trying 64.231.xxx.xxx...
  telnet: connect to address 64.231.xxx.xxx: Connection refused

I don't see any difference in setup between port 2000 and 11005; are there any suggestions out there?
Re: pf.conf question answer
Frank Bax wrote:

> When I try to access the same Win2K system on port 11005; I get connection refused.
>
>   match in on $ext_if inet proto tcp from any to ($ext_if) port 2000 rdr-to $win2k
>   match in on $ext_if inet proto tcp from any to ($ext_if) port 11005 rdr-to $win2k

Sorry for the noise. The service on port 11005 is UDP, so the connection was being refused by the Win2K system, not OpenBSD.
pf.conf question?
Hi, good day,

How do I do alternate sets of route-to rules for the internal interface loaded in an anchor? BTW, I'm doing a failover between two firewalls:

  +----------+      +----------+
  | internet |      | internet |
  +----------+      +----------+
       |                 |
  +------------+   +------------+
  | firewall 1 |   | firewall 2 |
  +------------+   +------------+
       |                 |
  +-----------------------------+
  | manage switch (des-3326sr)  |
  +-----------------------------+

I've used ifstated to detect (thanks a lot to those who helped). Any suggestions? Help?

Thanks, more power to OpenBSD

--jay--
Re: pf.conf question?
On Tue, Sep 19, 2006 at 06:49:05PM +0800, Jay Jesus Amorin wrote:

> Hi, good day,
>
> How do I do alternate sets of route-to rules for the internal interface loaded in an anchor? BTW, I'm doing a failover between two firewalls:
>
>   +----------+      +----------+
>   | internet |      | internet |
>   +----------+      +----------+
>        |                 |
>   +------------+   +------------+
>   | firewall 1 |   | firewall 2 |
>   +------------+   +------------+
>        |                 |
>   +-----------------------------+
>   | manage switch (des-3326sr)  |
>   +-----------------------------+
>
> I've used ifstated to detect (thanks a lot to those who helped). Any suggestions? Help?

The canonical setup would go with carp(4), which would solve most routing problems. Exactly what is the problem, though?

Joachim
pf.conf - question about queuing
I write this mail because I want to ask a few questions about pf and queuing. Sorry, my English grammar is bad. English is a foreign language for me; I usually speak Romanian and Hungarian.

I have a small computer network at home. This network has a gateway (OpenBSD 3.8). The scenario:

1) My gateway has two network cards (rl0 and fxp0).
   rl0 - connected to the Internet (82.79.81.6)
   fxp0 - connected to an Ethernet switch (192.168.10.1)

2) This gateway shares the Internet for all computers in the local network (192.168.10.0/24).

3) The maximum Internet speed is 24kb/sec. Maximum Internet speed means: the download speed in Firefox is 24kb/sec when I get a file from the Internet. I think it is not a very fast connection, but my ISP doesn't give more speed now :(

4) I have 5 users in the network. I need to apply queue rules for 3 users (bob, mike, peter):
   - I want to reserve 8Kb/sec download bandwidth for bob and mike. I want to allow bob and mike to use more than 8Kb/sec when it's available.
   - I want to reserve 4Kb/sec download bandwidth for peter. I want to allow peter to use more than 4Kb/sec when it's available.
   - SSH and instant message traffic need to have a higher priority than regular traffic.
   - DNS queries and replies need to have the second highest priority.
   - Outgoing TCP ACK packets need to have a higher priority than all other outgoing traffic.
This is my /etc/pf.conf now:

  # macros
  ext_if = rl0
  int_if = fxp0
  int_net = 192.168.10.0/24
  irc_ports = { 6667, 6668, 6669, 7000 }
  irc_allow = { 192.168.10.2, 192.168.10.3 }
  ssh_ports = { 22 2022 }
  im_ports = { 1863 5190 5222 }
  bob = 192.168.10.4
  mike = 192.168.10.5
  peter = 192.168.10.6

  # tables
  table <deny> persist file "/etc/pf.deny"

  # scrub
  scrub in all no-df
  scrub out all no-df

  # queuing on external interface
  altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
      tcp_ack_out }
  queue std_out priq(default)
  queue ssh_im_out priority 4 priq(red)
  queue dns_out priority 5
  queue tcp_ack_out priority 6

  # queuing on internal interface
  altq on $int_if cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
  queue std_in bandwidth 1.6Mb cbq(default)
  queue ssh_im_in bandwidth 200Kb priority 4
  queue dns_in bandwidth 120Kb priority 5
  queue bob_in bandwidth 80Kb cbq(borrow)

  # nat
  nat on $ext_if from $int_net to any -> $ext_if

  # filter rules for external interface inbound
  block in on $ext_if all

  # filter rules for external interface outbound
  block out on $ext_if all
  pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
      keep state queue(std_out, tcp_ack_out)
  pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
  pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
      keep state queue dns_out
  pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
      flags S/SA keep state queue(std_out, ssh_im_out)
  pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
      flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

  # filter rules for internal interface inbound
  block in on $int_if all
  pass in on $int_if from $int_net

  # filter rules for internal interface outbound
  block out on $int_if all
  pass out on $int_if from any to $int_net
  pass out on $int_if proto { tcp udp } from any port domain to $int_net \
      queue dns_in
  pass out on $int_if proto tcp from any port $ssh_ports to $int_net \
      queue(std_in, ssh_im_in)
  pass out on $int_if proto tcp from any port $im_ports to $int_net \
      queue ssh_im_in
  pass out on $int_if from any to $bob queue bob_in

  # block irc
  block in on $int_if proto tcp from $int_net to any port $irc_ports
  pass in on $int_if proto tcp from $irc_allow to any port $irc_ports

  # block icmp
  block in on $ext_if inet proto icmp all icmp-type echoreq

My problems are:

- I don't know if the queue value on the external interface (610Kb) is good for my internet connection (my 24kb/sec internet connection).

    altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

- I don't know what lines I need to add to define the following rules:
  - Reserve 8Kb/sec download bandwidth for bob and mike. Allow bob and mike to use more than 8Kb/sec when it's available.
  - Reserve 4Kb/sec download bandwidth for peter. Allow peter to use more than 4Kb/sec when it's available.

If anyone wants to help me a bit, please write a reply. Until March I don't have time to read much documentation; I have a lot of exams at university.

Thank you very much for any help!
3.8 pf.conf question
I was looking at the pf.conf included with 3.8, and with the addition of the following line:

  set skip on { lo }

doesn't the lo part of the following line become redundant:

  antispoof quick for { lo $int_if }

assuming both lines are uncommented?

Thanks.

Rodney Hopkins
[EMAIL PROTECTED]
Re: 3.8 pf.conf question
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...

> I was looking at the pf.conf included with 3.8, and with the addition of the following line:
>
>   set skip on { lo }
>
> doesn't the lo part of the following line become redundant:
>
>   antispoof quick for { lo $int_if }

It becomes irrelevant; after set skip, nothing else will be evaluated for that interface.
Re: 3.8 pf.conf question
eric wrote:

> On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
>
>> I was looking at the pf.conf included with 3.8, and with the addition of the following line:
>>
>>   set skip on { lo }
>>
>> doesn't the lo part of the following line become redundant:
>>
>>   antispoof quick for { lo $int_if }
>
> It becomes irrelevant; after set skip, nothing else will be evaluated for that interface.

No, look at what antispoof expands to:

  block drop in on ! lo inet from 127.0.0.1/8 to any
  block drop in on ! lo inet6 from ::1 to any

That means antispoof for lo filters on all but the lo interface group. The skipping on lo takes care of the "Caveat:" outlined in the man page, though... it replaces the previously recommended "pass quick on lo" rule.

Moritz
Re: 3.8 pf.conf question
--On 04 December 2005 14:27 -0600, eric wrote:

> On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
>
>> I was looking at the pf.conf included with 3.8, and with the addition of the following line:
>>
>>   set skip on { lo }
>>
>> doesn't the lo part of the following line become redundant:
>>
>>   antispoof quick for { lo $int_if }
>
> It becomes irrelevant; after set skip, nothing else will be evaluated for that interface.

'antispoof for lo0' affects every interface other than lo0. From pf.conf(5):

  For example, the line

    antispoof for lo0

  expands to

    block drop in on ! lo0 inet from 127.0.0.1/8 to any
    block drop in on ! lo0 inet6 from ::1 to any
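To make the point of the two replies above concrete, here is a small Python model of the pf.conf(5) expansion quoted in this thread together with `set skip`; it is an added illustration written for this page, not code from the thread or from pf. The model is deliberately narrow: only the two expanded antispoof rules, no state, last matching rule wins, and interface group "lo" is assumed to contain lo0.

```python
import ipaddress

# The two rules pf.conf(5) says "antispoof for lo0" expands to; 127.0.0.1/8
# is written as its network 127.0.0.0/8 so the ipaddress module accepts it.
def expand_antispoof_lo(iface="lo0"):
    return [
        {"action": "block", "not_on": iface, "af": "inet",
         "src": ipaddress.ip_network("127.0.0.0/8")},
        {"action": "block", "not_on": iface, "af": "inet6",
         "src": ipaddress.ip_network("::1/128")},
    ]

def skipped(iface, skip_groups):
    # "set skip on lo" names an interface group; lo0 belongs to group "lo"
    # (assumed here; the model strips the unit number to find the group).
    return iface in skip_groups or iface.rstrip("0123456789") in skip_groups

def evaluate(skip_groups, rules, iface, src):
    """Verdict for an inbound packet: 'skip', 'block' or 'pass'.

    Simplified pf model: a skipped interface is not filtered at all; on any
    other interface the last matching rule wins and the default is pass.
    """
    if skipped(iface, skip_groups):
        return "skip"
    addr = ipaddress.ip_address(src)
    verdict = "pass"
    for r in rules:
        if iface == r["not_on"]:   # "on ! lo0" matches every interface but lo0
            continue
        if (r["af"] == "inet") != (addr.version == 4):
            continue
        if addr in r["src"]:
            verdict = r["action"]
    return verdict

def demo():
    """Rodney's combination: set skip on { lo } plus antispoof for lo0."""
    skip, rules = {"lo"}, expand_antispoof_lo("lo0")
    return {
        # spoofed loopback source arriving on the LAN card: still blocked
        ("fxp0", "127.0.0.1"): evaluate(skip, rules, "fxp0", "127.0.0.1"),
        ("fxp0", "::1"): evaluate(skip, rules, "fxp0", "::1"),
        # ordinary LAN source (constructed sample): antispoof does not touch it
        ("fxp0", "192.168.10.4"): evaluate(skip, rules, "fxp0", "192.168.10.4"),
        # loopback itself: skipped before any rule is looked at
        ("lo0", "127.0.0.1"): evaluate(skip, rules, "lo0", "127.0.0.1"),
    }

if __name__ == "__main__":
    for packet, verdict in demo().items():
        print(packet, "->", verdict)
```

The skipped interface and the interfaces the antispoof rules protect are disjoint, which is why `set skip on lo` leaves `antispoof for lo0` fully in force.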