pf.conf question

2010-07-22 Thread Frank Bax

My OpenBSD system has several network cards.
- pppoe0 - is connected to DSL line
- fxp0 - is connected to switch for local network
- ral0 - is wireless

I am able to access internet from computers on LAN.
From outside my home; I am able to use port 2000 to access a Win2K system.

When I try to access the same Win2K system on port 11005, I get connection refused.



$ sudo cat pf.conf
set skip on lo
pass
block in on ! lo0 proto tcp to port 6000:6010
ext_if = pppoe0
int_if = fxp0
air_if = ral0
match out on $ext_if nat-to ($ext_if)
win2k = 192.168.0.3
match in on $ext_if inet proto tcp from any to ($ext_if) port 2000 rdr-to $win2k
match in on $ext_if inet proto tcp from any to ($ext_if) port 11005 rdr-to $win2k

$ sudo pfctl -f /etc/pf.conf



From external system:

$ telnet .dyndns.org 2000
Trying 64.231.xx.xxx...
Connected to .dyndns.org.
Escape character is '^]'.
Terminated

$ telnet .dyndns.org 11005
Trying 64.231.xxx.xxx...
telnet: connect to address 64.231.xxx.xxx: Connection refused


I don't see any difference in setup between port 2000 and 11005; are
there any suggestions out there?




Re: pf.conf question answer

2010-07-22 Thread Frank Bax

Frank Bax wrote:
When I try to access the same Win2K system on port 11005, I get connection refused.


match in on $ext_if inet proto tcp from any to ($ext_if) port 2000 rdr-to $win2k
match in on $ext_if inet proto tcp from any to ($ext_if) port 11005 rdr-to $win2k




Sorry for the noise.  The service on port 11005 is udp, so the connection
was being refused by the win2k system, not OpenBSD.




pf.conf question?

2006-09-19 Thread Jay Jesus Amorin
hi,

good day, how do I do alternate sets of route-to rules for the internal
interface loaded in an anchor?

btw I'm doing a failover between two firewalls,

|----------|   |----------|
| internet |   | internet |
|----------|   |----------|
      |              |
      |              |
|------------|   |------------|
| firewall 1 |   | firewall 2 |
|------------|   |------------|
      |                |
      |                |
|----------------------------|
| manage switch (des-3326sr) |
|----------------------------|

I've used ifstated to detect (thanks a lot to those who helped).

any suggestions? help?

thanks, more power to OpenBSD


--jay--



Re: pf.conf question?

2006-09-19 Thread Joachim Schipper
On Tue, Sep 19, 2006 at 06:49:05PM +0800, Jay Jesus Amorin wrote:
 hi,
 
 good day, how do I do alternate sets of route-to rules for the internal
 interface loaded in an anchor?
 
 btw I'm doing a failover between two firewalls,
 
 |----------|   |----------|
 | internet |   | internet |
 |----------|   |----------|
       |              |
       |              |
 |------------|   |------------|
 | firewall 1 |   | firewall 2 |
 |------------|   |------------|
       |                |
       |                |
 |----------------------------|
 | manage switch (des-3326sr) |
 |----------------------------|
 
 I've used ifstated to detect (thanks a lot to those who helped).
 
 any suggestions? help?

The canonical setup would go with carp(4), which would solve most
routing problems.

Exactly what is the problem, though?

Joachim
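A minimal carp(4) plus pfsync(4) setup of the kind Joachim refers to, as an added example that is not part of the original thread. Interface names, addresses, the vhid and the passphrase are placeholders; the two firewalls are assumed to share a dedicated link for pfsync.

```conf
# /etc/hostname.carp0 on firewall 1 (intended master). Firewall 2 gets the
# same line with a higher advskew (e.g. 100), so it only takes over the
# shared address when firewall 1 stops advertising.
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 carpdev fxp0 pass EXAMPLE_PASSPHRASE advskew 0

# /etc/hostname.pfsync0 on both firewalls: replicate the state table over a
# dedicated back-to-back link (fxp2 here). pfsync carries no authentication,
# so it must never run over the switch the clients share.
up syncdev fxp2

# pf.conf fragments, identical on both firewalls (macros are placeholders)
ext_if  = "fxp1"
int_if  = "fxp0"
sync_if = "fxp2"

# pfsync only on the private sync link; carp advertisements on every
# interface that carries a vhid. Neither state is synced back (no-sync).
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# The same ruleset, route-to rules included, is loaded on both boxes:
# only the current carp master receives traffic sent to 192.168.1.1.
```

Check the roles with `ifconfig carp0` (MASTER or BACKUP) and run `pfctl -ss` on the backup, which should list the states the master created.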



pf.conf - question about queuing

2006-02-07 Thread yo2lux
I write this mail because I want to ask a few questions about pf and
queuing.
Sorry, my English grammar is bad. English is a foreign language for me;
I usually speak Romanian and Hungarian.


I have a small computer network at home. This network has a gateway
(OpenBSD 3.8).


The scenario:

1) My gateway has two network cards (rl0 and fxp0).
   rl0 - connected to Internet (82.79.81.6)
   fxp0 - connected to Ethernet switch (192.168.10.1)
2) This gateway shares the Internet with all computers in the local network
(192.168.10.0/24).
3) The maximum Internet speed is 24kb/sec. Maximum Internet speed means:
the download speed in Firefox is 24kb/sec when I get a file from the Internet.
I think it is not a very fast connection, but my ISP doesn't give more speed
now :(


4) I have 5 users in the network. I need to apply queue rules for 3 users
(bob, mike, peter).


  - I want to reserve 8Kb/sec download bandwidth for bob and mike. I
want to allow bob and mike to use more than 8Kb/sec when it's available.
  - I want to reserve 4Kb/sec download bandwidth for peter. I want to
allow peter to use more than 4Kb/sec when it's available.


  - SSH and instant message traffic need to have a higher priority than
regular traffic.

  - DNS queries and replies need to have the second highest priority.
  - Outgoing TCP ACK packets need to have a higher priority than all
other outgoing traffic.


This is my /etc/pf.conf now :

# macros
ext_if = rl0
int_if = fxp0
int_net = 192.168.10.0/24
irc_ports = { 6667, 6668, 6669, 7000 }
irc_allow = { 192.168.10.2, 192.168.10.3 }
ssh_ports = { 22 2022 }
im_ports = { 1863 5190 5222 }

bob = 192.168.10.4
mike = 192.168.10.5
peter = 192.168.10.6

# tables
table <deny> persist file "/etc/pf.deny"

# scrub
scrub in all no-df
scrub out all no-df

# queuing on external interface
altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# queuing on internal interface
altq on $int_if cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

queue std_in bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in bandwidth 120Kb priority 5
queue bob_in bandwidth 80Kb cbq(borrow)

# nat
nat on $ext_if from $int_net to any -> $ext_if

# filter rules for external interface inbound
block in on $ext_if all

# filter rules for external interface outbound
block out on $ext_if all

pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
   keep state queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
   keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
   flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
   flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for internal interface inbound
block in on $int_if all
pass in on $int_if from $int_net

# filter rules for internal interface outbound
block out on $int_if all

pass out on $int_if from any to $int_net
pass out on $int_if proto { tcp udp } from any port domain to $int_net \
   queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $int_net \
   queue(std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to $int_net \
   queue ssh_im_in
pass out on $int_if from any to $bob queue bob_in

# block irc
block in on $int_if proto tcp from $int_net to any port $irc_ports
pass in on $int_if proto tcp from $irc_allow to any port $irc_ports

# block icmp
block in on $ext_if inet proto icmp all icmp-type echoreq

My problems are:

- I don't know if the queue value on the external interface (610Kb) is good
for my internet connection (my 24kb/sec internet connection).


altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }

- I don't know what lines I need to add to define the following rules:

- Reserve 8Kb/sec download bandwidth for bob and mike.  Allow bob and
mike to use more than 8Kb/sec when it's available.
- Reserve 4Kb/sec download bandwidth for peter. Allow peter to use more
than 4Kb/sec when it's available.


If anyone wants to help me a bit, please write a reply.
Until March I don't have time to read much documentation; I have a lot
of exams at university.


Thank you very much for any help!
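One way to write the per-user reservations asked for in item 4, as an added example rather than rules from the original message. It reuses the $int_if, $int_net, $bob, $mike and $peter macros from the posted pf.conf; the users_in, mike_in and peter_in queues and the 180Kb parent figure are assumptions derived from the stated 24kb/sec downlink.

```conf
# queuing on internal interface: this queue carries the users' downloads
# (traffic the gateway sends toward the LAN). ALTQ shapes outbound only, so
# the queue has to be the bottleneck: its bandwidth is set just under the
# real downlink (24kb/sec is about 192Kb), not the 2Mb of the LAN card,
# otherwise the reservations below never take effect.
altq on $int_if cbq bandwidth 180Kb queue { std_in, ssh_im_in, dns_in, users_in }

queue std_in    bandwidth 8Kb cbq(default borrow)
queue ssh_im_in bandwidth 8Kb priority 4 cbq(borrow)
queue dns_in    bandwidth 4Kb priority 5 cbq(borrow)

# 8Kb/sec = 64Kb for bob and mike, 4Kb/sec = 32Kb for peter. Child
# bandwidths must not exceed the parent's; borrow lets a user go above the
# reservation whenever the parent has spare bandwidth.
queue users_in  bandwidth 160Kb cbq(borrow) { bob_in, mike_in, peter_in }
  queue bob_in   bandwidth 64Kb cbq(borrow)
  queue mike_in  bandwidth 64Kb cbq(borrow)
  queue peter_in bandwidth 32Kb cbq(borrow)

# last matching rule wins, so these go after the generic
# "pass out on $int_if from any to $int_net" rule.
pass out on $int_if from any to $bob   queue bob_in
pass out on $int_if from any to $mike  queue mike_in
pass out on $int_if from any to $peter queue peter_in
```

The 610Kb on the $ext_if priq should likewise sit just under the real upload rate, which the message does not state; `pfctl -vsq` shows per-queue counters, so you can confirm the user queues actually receive traffic.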



3.8 pf.conf question

2005-12-04 Thread Rodney Hopkins
I was looking at the pf.conf included with 3.8, and with the 
addition of the following line:

set skip on { lo }

doesn't the lo part of the following line become redundant:

antispoof quick for { lo $int_if }

assuming both lines are uncommented?

Thanks.

Rodney Hopkins



Re: 3.8 pf.conf question

2005-12-04 Thread eric
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...

 I was looking at the pf.conf included with 3.8, and with the 
 addition of the following line:
 
 set skip on { lo }
 
 doesn't the lo part of the following line become redundant:
 
 antispoof quick for { lo $int_if }

It becomes irrelevant; after set skip, nothing else will be evaluated for
that interface.



Re: 3.8 pf.conf question

2005-12-04 Thread Moritz Grimm

eric wrote:

On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...

I was looking at the pf.conf included with 3.8, and with the 
addition of the following line:


set skip on { lo }

doesn't the lo part of the following line become redundant:

antispoof quick for { lo $int_if }


It becomes irrelevant; after set skip, nothing else will be evaluated for
that interface.


No, look at what antispoof expands to:

block drop in on ! lo inet from 127.0.0.1/8 to any
block drop in on ! lo inet6 from ::1 to any

That means antispoof for lo filters on all but the lo interface group. 
The skipping on lo takes care of the Caveat: outlined in the man page, 
though... it replaces the previously recommended pass quick on lo rule.



Moritz



Re: 3.8 pf.conf question

2005-12-04 Thread Stuart Henderson

--On 04 December 2005 14:27 -0600, eric wrote:


On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...


I was looking at the pf.conf included with 3.8, and with the
addition of the following line:

set skip on { lo }

doesn't the lo part of the following line become redundant:

antispoof quick for { lo $int_if }


It becomes irrelevant; after set skip, nothing else will be
evaluated for that interface.


'antispoof for lo0' affects every interface other than lo0. From 
pf.conf(5):


For example, the line

  antispoof for lo0

expands to

  block drop in on ! lo0 inet from 127.0.0.1/8 to any
  block drop in on ! lo0 inet6 from ::1 to any