Re: pfsync nic problem.

2010-12-24 Thread Alessandro Baggi

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:

   

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.


   

I still need your pf.conf.

   

ext=egress
int=rl0
dmz=rl1
hostweb=172.16.2.3
carpl=10.1.1.5
carpw=192.168.1.84
carpd=172.16.2.4
pfsyncpeer=10.1.1.5
pfsyncdev=rl0

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Bloccaggio delle blacklist http - https - sshd
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# REGOLE ANTISPOOFING

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DOES NOT EXIST

Thanks in advance



Re: pfsync nic problem [SOLVED]

2010-12-24 Thread Alessandro Baggi

On 12/24/2010 10:25 AM, Alessandro Baggi wrote:

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:


Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



I still need your pf.conf.


ext=egress
int=rl0
dmz=rl1
hostweb=172.16.2.3
carpl=10.1.1.5
carpw=192.168.1.84
carpd=172.16.2.4
pfsyncpeer=10.1.1.5
pfsyncdev=rl0

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Bloccaggio delle blacklist http - https - sshd
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# REGOLE ANTISPOOFING

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DOES NOT EXIST

Thanks in advance


Hi list. I've tried another NIC, the same model as xl0, and the problem was
the same. The only thing left to look at was the pf ruleset. All the CARP
rules were wrong. Then I tried with xl0 - rl2 and everything works fine.


I've changed the rules:

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


to:

pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)

Best regards and thanks for the time.
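The rule change in the message above is the whole fix, and the reason it works is worth spelling out, because the original rules fail for a reason that is easy to reproduce in any CARP setup. What follows is an added example, not code from the original post or from the OpenBSD FAQ. It reuses the macro names and addresses posted in the thread; the address 10.1.1.3 for the physical rl0 of firewall 2 and the contents of /etc/hostname.pfsync0 are assumptions, since neither appears in the thread. It shows the posted CARP and pfsync rules next to a corrected form and states what each one actually matches.

```pf
# Added example, not from the original post. Macros are taken from the posted
# pf.conf; fw2_sync is an assumed address for the physical rl0 of firewall 2.
ext       = egress
int       = rl0
dmz       = rl1
pfsyncdev = rl0
fw2_sync  = 10.1.1.3

# /etc/hostname.pfsync0 on firewall 1 (assumed): "up syncdev rl0 syncpeer 10.1.1.3"
# With syncpeer set, state updates are unicast to that address; without it
# they are multicast to 224.0.0.240 (IP protocol 240).

# --- original CARP rule (one of three), as posted ---
# CARP advertisements are IP protocol 112 sent, by default, to the multicast
# group 224.0.0.18, never to the interface's own address. "to $int:0" expands
# to rl0's address, so the rule never matches and the advertisement falls
# through to "block in log all": each box stops hearing the other.
#   pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)

# --- corrected CARP rules ---
# Match on the protocol and the multicast destination on every interface that
# carries a carp device. (no-sync) keeps these purely local states out of the
# pfsync stream; outbound is covered explicitly so the rules do not depend on
# a later "pass out all".
pass in  quick on { $int, $ext, $dmz } proto carp to 224.0.0.18 keep state (no-sync)
pass out quick on { $int, $ext, $dmz } proto carp to 224.0.0.18 keep state (no-sync)

# --- pfsync ---
# The posted rule "from $pfsyncpeer to $int:0" matches unicast updates only,
# and only if $pfsyncpeer is the peer's own rl0 address: pfsync packets are
# sourced from the sync interface's address, not from a CARP address. Accept
# updates from the peer to either destination, and only on the sync interface.
pass in  quick on $pfsyncdev proto pfsync from $fw2_sync to { $int:0, 224.0.0.240 } keep state (no-sync)
pass out quick on $pfsyncdev proto pfsync keep state (no-sync)
```

Two checks are worth running after a change like this: `tcpdump -ni rl0 proto 112` on the backup should show advertisements arriving from the master roughly once a second, and `pfctl -ss | wc -l` on both boxes should converge to about the same number. One caveat the thread does not mention: pfsync has no authentication, so any host that can reach the sync interface can inject or delete firewall states. Running it over the LAN interface, as pfsyncdev=rl0 does here, exposes that to every LAN host; pfsync(4) recommends a dedicated link such as a crossover cable between the two firewalls.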



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/19/2010 07:49 PM, Johan Beisser wrote:

On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list. I have a little question about pfsync. Suppose we have two
firewalls, each with 3 NICs, one for the LAN, one for the WAN and one for
the DMZ, in a scenario like this:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

When pfsync sends the state updates to the backup firewall, does pfsync
update the state table with the interface names of the first firewall? (In
my scenario, synchronization won't work for re0 and xl0, right?
 

I don't see why not. Adjust your pf rules to use the groups field for
the interface if you're worried.

   
Hi list, I've tried to use the groups field for pfsync. In my pf rules I
changed the WAN interface from ext=xl0 to ext=egress; then when I simulate
a fault on firewall 1, firewall 2 becomes master, but all connections die.
In the state table of firewall 2 there are synchronized states for xl0,
but the WAN interface is rl2. It's normal that all connections die, as
there are no valid states for rl2. So at this point the problem persists.
Is there something I've missed with the ifconfig groups field? Is this a
misconfiguration on my part, or is the groups field not a valid fix for
this problem?


thanks in advance.



Re: pfsync nic problem.

2010-12-23 Thread Johan Beisser
On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi
alessandro.ba...@gmail.com wrote:

 Hi list, I've tried to use the groups field for pfsync. In my pf rules I
 changed the WAN interface from ext=xl0 to ext=egress; then when I simulate
 a fault on firewall 1, firewall 2 becomes master, but all connections die.
 In the state table of firewall 2 there are synchronized states for xl0,
 but the WAN interface is rl2. It's normal that all connections die, as
 there are no valid states for rl2. So at this point the problem persists.
 Is there something I've missed with the ifconfig groups field? Is this a
 misconfiguration on my part, or is the groups field not a valid fix for
 this problem?

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/22/2010 01:18 AM, Stuart Henderson wrote:

On 2010-12-19, Alessandro Baggialessandro.ba...@gmail.com  wrote:
   

Hi list. I have a little question about pfsync. Suppose we have two
firewalls, each with 3 NICs, one for the LAN, one for the WAN and one for
the DMZ, in a scenario like this:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

When pfsync sends the state updates to the backup firewall, does pfsync
update the state table with the interface names of the first firewall?
(In my scenario, synchronization won't work for re0 and xl0, right?
Then must the firewall 2 box have NIC names equal to the NIC names of the
first firewall, or can they be different? If this is the issue, and in
that scenario, is there a method to make a valid update for re0 and xl0?

thanks in advance.


 

states don't normally depend on the interface (and if you *do* make
them dependent on that with if-bound states, I'm not sure if pfsync
handles that...)

are you having problems or is this theoretical? if you're having
problems then send a dmesg and full details. if it's theoretical,
why don't you just try it for yourself? this stuff is easy to
check and first-hand experience beats a post from some random
dude on a mailing list.


   

This problem is not theoretical.



Re: pfsync nic problem.

2010-12-23 Thread Fred Crowson
On 23 December 2010 18:24, Alessandro Baggi alessandro.ba...@gmail.com wrote:

 This problem is not theoretical.

but the dmesg, pf.conf and ifconfig output is.

:~)



Re: pfsync nic problem.

2010-12-23 Thread Alessandro Baggi

On 12/23/2010 06:43 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list, I've tried to use the groups field for pfsync. In my pf rules I
changed the WAN interface from ext=xl0 to ext=egress; then when I simulate
a fault on firewall 1, firewall 2 becomes master, but all connections die.
In the state table of firewall 2 there are synchronized states for xl0,
but the WAN interface is rl2. It's normal that all connections die, as
there are no valid states for rl2. So at this point the problem persists.
Is there something I've missed with the ifconfig groups field? Is this a
misconfiguration on my part, or is the groups field not a valid fix for
this problem?
 

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.

   

dmesg of Firewall 1


dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 448 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE
real mem  = 335114240 (319MB)
avail mem = 319672320 (304MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/10/99, BIOS32 rev. 0 @ 0xec700, SMBIOS rev. 2.1 @ 0xf20ba (46 entries)
bios0: vendor Compaq version 686T2 date 02/10/99
bios0: Compaq Deskpro EP/SB Series
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7360/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (Intel 82371AB PIIX4 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xe/0x8000!
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0x4400, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
Matrox MGA G200 AGP rev 0x03 at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 13 function 0 Matrox MGA G200 PCI rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 3Com 3c905B 100Base-TX rev 0x30: irq 11, address 00:10:5a:2e:0f:9e
exphy0 at xl0 phy 24: 3Com internal media interface
rl0 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: irq 11, address 00:1d:0f:c4:0c:1d
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 16 function 0 Realtek 8139 rev 0x10: irq 11, address 00:1d:0f:c4:17:cb
rlphy1 at rl1 phy 0: RTL internal PHY
piixpcib0 at pci0 dev 20 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 20 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080L0
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8164B, 0L06 ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 20 function 2 Intel 82371AB USB rev 0x01: irq 11
piixpm0 at pci0 dev 20 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC66CL2
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask 
mtrr: Pentium Pro MTRR support
uhidev0 at uhub0 port 2 configuration 1 interface 0 CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator rev 2.00/1.64 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1 CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator rev 2.00/1.64 addr 2
uhidev1: iclass 3/1, 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons, Z dir
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=5, output=0, feature=0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
syncing disks... done
rebooting...
OpenBSD 

Re: pfsync nic problem.

2010-12-21 Thread Stuart Henderson
On 2010-12-19, Alessandro Baggi alessandro.ba...@gmail.com wrote:
 Hi list. I have a little question about pfsync. Suppose we have two
 firewalls, each with 3 NICs, one for the LAN, one for the WAN and one for
 the DMZ, in a scenario like this:

 firewall 1        firewall 2

 WAN: re0          WAN: xl0
 LAN: rl0          LAN: rl0
 DMZ: rl1          DMZ: rl1

 When pfsync sends the state updates to the backup firewall, does pfsync
 update the state table with the interface names of the first firewall?
 (In my scenario, synchronization won't work for re0 and xl0, right?
 Then must the firewall 2 box have NIC names equal to the NIC names of the
 first firewall, or can they be different? If this is the issue, and in
 that scenario, is there a method to make a valid update for re0 and xl0?

 thanks in advance.



states don't normally depend on the interface (and if you *do* make
them dependent on that with if-bound states, I'm not sure if pfsync
handles that...)

are you having problems or is this theoretical? if you're having
problems then send a dmesg and full details. if it's theoretical,
why don't you just try it for yourself? this stuff is easy to
check and first-hand experience beats a post from some random
dude on a mailing list.
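The two points made in this exchange, that states normally carry no interface binding and that rules can name interface groups instead of NICs, together answer the original question: one pf.conf can be installed unchanged on both firewalls even though the WAN driver differs. The example below is added here and is not code from the thread or from OpenBSD itself. It uses the real interface names from the thread (xl0 as the WAN on firewall 1, rl2 on firewall 2, rl0 and rl1 on both); the physical addresses, the custom group names "wan", "lan" and "dmz", and putting the group keyword in /etc/hostname.if are assumptions.

```pf
# Added example, not from the thread. This file is the same on both firewalls;
# no physical interface name appears in it.
#
# Group membership is per host and lives in /etc/hostname.if (addresses assumed):
#   firewall 1, /etc/hostname.xl0:  inet 192.168.1.82 255.255.255.0 NONE group wan
#   firewall 2, /etc/hostname.rl2:  inet 192.168.1.83 255.255.255.0 NONE group wan
#   both hosts, /etc/hostname.rl0:  inet 10.1.1.x     255.255.255.0 NONE group lan
#   both hosts, /etc/hostname.rl1:  inet 172.16.2.x   255.255.255.0 NONE group dmz
# which is what "ifconfig xl0 group wan" does at run time. The built-in
# "egress" group marks whichever interface holds the default route, so
# wan = "egress" would also work; an explicit group does not move if the
# default route is changed. "ifconfig wan" lists the members on each host.
wan  = "wan"
lan  = "lan"
dmz  = "dmz"
sync = "lan"          # assumption: pfsync shares the LAN link (a dedicated link is better)

# Floating is the default state policy and the one failover relies on: a
# state created on xl0 of firewall 1 and copied over pfsync is not tied to
# an interface, so it matches the same flow on rl2 once firewall 2 is master.
# "set state-policy if-bound" would bind each state to the interface it was
# created on, and a state bound to xl0 can never match on a host whose WAN
# is rl2. Check with "pfctl -ss": a floating state is printed with the
# interface "all"; a physical name there means the state is interface-bound.
set state-policy floating
set skip on lo0

# NAT to the shared CARP address, not to ($wan:0): a flow translated to the
# physical address of firewall 1 would not survive a master change.
match out on $wan inet from { $lan:network, $dmz:network } to any nat-to (carp0:0)

block in log all
pass out all

# CARP advertisements go to 224.0.0.18; pfsync updates stay on the sync link.
pass quick on { $wan, $lan, $dmz } proto carp to 224.0.0.18 keep state (no-sync)
pass quick on $sync proto pfsync keep state (no-sync)

pass in on $lan from $lan:network to any
```

Load it with `pfctl -nf /etc/pf.conf` on each host first: pfctl accepts a group name even when no interface is currently in the group, so a typo in hostname.if shows up as "ifconfig wan" printing nothing rather than as a ruleset error.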



Re: pfsync nic problem.

2010-12-20 Thread Alessandro Baggi

On 12/19/2010 07:49 PM, Johan Beisser wrote:

On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:
   

Hi list. I have a little question about pfsync. Suppose we have two
firewalls, each with 3 NICs, one for the LAN, one for the WAN and one for
the DMZ, in a scenario like this:

firewall 1        firewall 2

WAN: re0          WAN: xl0
LAN: rl0          LAN: rl0
DMZ: rl1          DMZ: rl1

When pfsync sends the state updates to the backup firewall, does pfsync
update the state table with the interface names of the first firewall? (In
my scenario, synchronization won't work for re0 and xl0, right?
 

I don't see why not. Adjust your pf rules to use the groups field for
the interface if you're worried.

   

OK, I will try. Thanks for the reply.