arding.
I've also tried disabling learning on the internal interfaces and adding
static entries for 10.20.0.3, but this has no effect on the recovery
time.
Any suggestions on getting a rapid failover working?
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
throw together an OpenBSD port this weekend. In the meantime,
feel free to checkout a copy and try it out. I welcome user feedback
and bug reports.
http://www.netflowdashboard.com/
http://trac.netflowdashboard.com/netflowdashboard/wiki/InstallNotes
Thanks,
--
Jason Dixon
D
On Wed, Nov 26, 2008 at 04:16:30PM -0600, Patric wrote:
> On Wed, 2008-11-26 at 14:37 -0500, Jason Dixon wrote:
> > On Wed, Nov 26, 2008 at 12:52:47PM -0600, Patric wrote:
> > > My current pf.conf
> > >
> > > __
> > > ext_i
> appreciated.
Did you enable net.inet.ip.forwarding? Is pf actually enabled? You're
not giving us much detail as far as your troubleshooting.
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
There will be a PF BoF session at this year's NYCBSDCon. The BoF will
take place during the lunch break, in the main presentation room of the
Davis auditorium.
http://www.nycbsdcon.org/2008/schedule.html
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
being used.
This exists no matter what you do. Routing through an additional
firewall/proxy, assuming both websites are live, does nothing to help.
-J.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jason Dixon
Sent: 10 September 2008 13
then you're guaranteed all requests are hitting the new
server.
Watching logs (as another reply suggested) doesn't work because you
never know when that last request will hit (unless you're managing your
TTL).
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
could go out on the external interfaces ?
> I was reading that pf compares the IP of the interface and the ones in the packet
>
> this migration from iptables to pf on such a large farm of servers might be
> finishing like in hell ;)
You're overthinking this too much. If
're missing the no-nat rule. This shouldn't break the "reflection"
traffic but might cause adverse effects for other connections originating
from your firewall.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
for your help
The "reflection" method is indeed what you want. You're only binat'g
if the traffic makes it outbound. The idea with reflection is to
intercept the packets destined for the "external hostname" and redirect
them on the internal interface to the intended s
ernal lan to internal lan, we get
> asymmetrical routing where contacts to the DMZ come in over T1-1 but go back
> out over T1-2. I've tested it and it works, but it seems sloppy to me. Just
> wondering if there's a better way.
Not sure if it's "better", but you could nat the VPN traffic to your
DMZ.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
to work, but can be fairly unstable, with two (of six) of the VPN
> connections coming up and going down unpredictably. This may have nothing to
> do with the pf ruleset, but I would still ask: is there a better way to do
> this?
Add a static route for $remote_gw_addr through the appropriate gateway?
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
but never gets to the final "." after the message
> content.
>
> If I disable pf, it works! All the other needed NAT, filtering,
> etc., obviously doesn't, though. I thought these rules would
> cover it, but somehow they don't:
We need to see your enti
ciated.
It sounds like you don't have net.inet.carp.preempt enabled. We need more
information (read: configs) to help you.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
ds
> quickly after the long delay.
Alas, I'm too tired to review your ruleset, but I don't think it matters
anyways. Delays of the variety you've described scream "DNS". Check
your resolvers and your authoritative nameservers to make sure
everything operates as expected.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
ne absolute I can answer for you is to bypass 4.1 and use -current.
There were numerous PF performance advances made at c2k7.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
he
firewalls are running on commodity PC hardware (IronSystems A210 servers,
IIRC). The important thing is to get quality network interfaces. These days,
I'm not sure what is officially recommended, but I've always been happy with
Intel (em).
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
t porting CARP to OS X. I've
seen nothing in the Leopard preview pages to suggest it's on the
horizon.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Aug 27, 2006, at 10:04 AM, Federico Giannici wrote:
Jason Dixon wrote:
On Aug 27, 2006, at 7:55 AM, Federico Giannici wrote:
I'm setting up a firewall with queues and I'd like to know how
much traffic of a given "class" was ACTUALLY sent out of an
interface (i.e. no
ssigned to the queue.
Any passed packets (or dropped packets) that are assigned to a queue
count towards the "passed pkts/bytes" and "dropped pkts/bytes"
statistics shown by "pfctl -vsq".
Perhaps I don't understand your question. The answer seems simple
enough.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
ish I was savvy enough in C to write that myself.
Or you could just look in the source like I suggested...
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
pfctl -sm
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
etc...
Thanks a lot ;)
No problem.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
s are going to be counted towards
the default queue, skewing my totals. Has anyone come up with an
effective QoS design for dealing with proxies handling multiple
networks?
(Note: I would post the ruleset, but it's over 600 lines long.)
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
inet 10.0.0.8 255.255.252.0
up
I'm curious as to what difference it makes.
None, from my experience. Sounds like misinformation to me.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.4 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
, I'm going to avoid posting the pf.conf. I know
this is a faux pas, but I'm terribly embarrassed to let anyone see it
at this point. Once I've re-introduced the anchors, perhaps. :)
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
ent. The client, not
recognizing any connections from "internal server", discards the packet.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
umbed it down as much as possible to what you see below.
I believe you are referring to "Reflection".
http://www.openbsd.org/faq/pf/rdr.html#reflect
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
lieves to be a CARP packet, but really isn't. The CARP packet format is
described in src/sys/netinet/ip_carp.h. The VRRP packet format is in the
RFC (http://www.faqs.org/rfcs/rfc2338.html).
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Oct 11, 2005, at 3:38 AM, Travis H. wrote:
FYI, this archive:
http://www.benzedrine.cx/pf/
has not been archiving since 12 Apr 2005.
Don't need it.
http://marc.theaimsgroup.com/?l=openbsd-pf&r=1&w=2
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Sep 26, 2005, at 11:07 AM, Chad M Stewart wrote:
On Sep 25, 2005, at 9:39 PM, Jason Dixon wrote:
On Sep 25, 2005, at 8:30 AM, Neil wrote:
Yep, the same behavior when the master dies. The solution that
the person in #pf told me is use routing but I don't know how to
implement. He
om other users or developers that
have tried the grouping feature in this sort of scenario.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
this in very detail.
Please stop top-posting.
Always start at the man pages; there is an example given (man 4
carp). There is a similar configuration in my NYC BSD Con slides
(http://www.dixongroup.net/NYCBSDCON/); see the "Advanced Example".
--
Jason Dixon
DixonGroup
en??
LOL, that's a good one. Linus, quit playing around.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
you think about it?
Or maybe run CARP on WEB#1 and WEB#2 too?
Yes.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
sking is, can pf be used w/o a network to
harden my desktop?
PF doesn't "point to a nic". It filters network interfaces, such as
ppp0. ;-)
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
n ep0 inet from ! 192.168.2.0/24 to any
where the second rule will drop traffic from 192.168.2.0/24, and the
fifth rule will effectively drop all other traffic.
Duh, thanks for catching that. I shot from the hip while running out
the door for a meeting. :-P
--
Jason Dixon
DixonGroup
near as I can figure.
I like that router! It does the PPPoE for me, along with minimal
blocking. I don't want to toss it.
Anyone have a way around this?
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
!192.168.2.0/24 }"
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Jun 6, 2005, at 3:00 PM, Kelley Reynolds wrote:
On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote:
Sorry, missed your comment before about only having that one rule.
Well, I'm sure that the rule you've posted will cause you headaches
since it's filtering on all interfaces. Tr
On Jun 6, 2005, at 8:18 AM, Kelley Reynolds wrote:
On Jun 6, 2005, at 6:21 AM, Jason Dixon wrote:
On Jun 3, 2005, at 6:19 PM, Kelley Reynolds wrote:
Having an odd problem... a bridge configured such that one of the
interfaces has an IP works fantastically, until pf is enabled with
the
ig -A" and your /etc/pf.conf.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
know how to block these programs.
Can anybody help me?
http://www.squid-cache.org
Use a proxy to "normalize" the traffic. IIRC, Skype requires UDP
packets for the voice packets. Simply block udp/80 and allow tcp/80
and tcp/443 through the proxy.
HTH.
--
Jason Dixon
DixonGroup Consu
st
though, given a long enough curve, won't it all theoretically balance
out?
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On May 17, 2005, at 9:20 AM, Manon Goo wrote:
--On 17 May 2005 06:37:02 -0400 Jason Dixon <[EMAIL PROTECTED]>
wrote:
CARP + arpbalance does per-packet load balancing at L2.
This will not help me because my problem is with
outbound traffic.
So setup CARP + arpbalance on your internal inte
does per-packet load balancing at L2.
man 4 carp
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Apr 11, 2005, at 5:05 AM, Lars Hansson wrote:
On Mon, 11 Apr 2005 00:11:40 -0400
Jason Dixon <[EMAIL PROTECTED]> wrote:
Is the ability to run pfctl (via sudo) as a non-root user still
broken?
Huh? I have NEVER had any problems running pfctl via sudo. Ever.
Shit. I was stupid eno
et/
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
synproxy
state.
Packet tagging can be done during nat, rdr, or binat rules in addition
to filter rules. Tags take the same macros as labels (see above).
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
les).
It doesn't. PF uses a method called "skip steps" to only compare
against rules that are relevant. Quit trying to over-engineer, PF is
plenty fast enough. When you need to filter 10Gbps, come back to me
and we'll hash it out.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
alance and
provide failover.
HTH.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
s systems.
P.S. Your paranoia isn't wrong, it just doesn't apply to all
circumstances. Many people filter outbound (including yours truly),
but others do not.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
any
corrections or suggestions on future revisions (I'll post it on my own
site in 3 months), please let me know off-list.
http://www.samag.com/documents/s=9658/sam0505e/
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Apr 11, 2005, at 5:13 AM, Peter N. M. Hansteen wrote:
Jason Dixon <[EMAIL PROTECTED]> writes:
Is the ability to run pfctl (via sudo) as a non-root user still
broken? I've tested this on a 3.6 -release system, and /dev/pf is
still unavailable for non-root users.
[EMAIL PROTECTED]:~$
Is the ability to run pfctl (via sudo) as a non-root user still broken?
I've tested this on a 3.6 -release system, and /dev/pf is still
unavailable for non-root users. I searched the archives and found
mention of this about a year ago, but nothing else since.
Thanks,
--
Jason
whatever
it is you're trying to do using PF and some other userland applications
(Squid, PythonDirector, etc). Perhaps we could better answer your
question if you could describe what it is you're actually trying to do,
not the products you're comparing against.
--
Jason D
's known bad traffic. If it's known bad traffic, then why are
you asking if they should be blocked in the first place?
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
/man5/pf.conf.5Sun Mar 27 08:16:01 2005
@@ -2213,7 +2213,7 @@
attachment points.
An
.Ar anchor
-is a container that can hold rules, address tables, and other anchors.
+is a container that can hold rules and other anchors.
.Pp
An
.Ar anchor
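Review bot: the `-is a container that can hold rules, address tables, and other anchors.` / `+is a container that can hold rules and other anchors.` change documents what pfctl currently accepts rather than a confirmed design decision; the discussion around this patch is still asking whether tables inside anchors worked on 3.5 and whether this is a new pfctl bug. Confirm with the pf developers that tables are intentionally unsupported inside anchors before changing pf.conf.5; if pfctl is what is wrong, the fix belongs in pfctl and the man page should stay as it is.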
--
Jason Dixon
DixonGroup Consulting
http
On Mar 27, 2005, at 1:05 PM, Cedric Berger wrote:
Jason Dixon wrote:
Looking at pf.conf (5), it claims that anchors can "hold rules,
address tables, and other anchors".
Do you have the possibility to check if that was working on 3.5?
I wouldn't be surprised if there was new bugs
be in order: options, normalization,
queueing, translation, filtering
It appears that pfctl assumes that anchors only contain filter rules.
Have I stumbled over a bug in either pf.conf (5) or pfctl, or am I
doing/assuming something wrong?
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
wer.
You didn't capitalize the T in "Ot", so it looked like a typo of "Ok".
:)
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
CARP firewalls. If you want ifstated,
it's a very simple cvs checkout, make && make install.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
off bpf and loads
a quick pass rule into a pf anchor. No userland stuff is touched.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
there
in the article to show you how.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
nt to the packet being analyzed. I can't seem to find any
reference to it in the man pages or PF FAQ, but I found a good
explanation from the following document. I believe the information
regarding skip steps is still accurate, but I'll have to defer to the
developers:
http://www.inebr
state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services_out keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
Hope this helps.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
donated to PF and the
OpenBSD project is worth thousands of dollars. Would you like to pay
by check now, or should they bill your credit card?
P.S. Shut up and code.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
to
respond to your query with exact specifics. Rather, it is YOU who
needs to expound on what you're looking for.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
your problem (or concern) accurately. What have you
tried? What is not working for you? What errors have you experienced?
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
y it. The man pages are sufficient for the
firewalling concepts. If you need more information on setting up the
VPN, you might want to refer to one of the OpenBSD books
(http://www.openbsd.org/books.html), as faq13.html was tossed in the
CVS attic some time ago.
--
Jason Dixon
DixonGroup Consu
just like you might
with one box connected to dual gateways, since that's exactly what
you're emulating.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
legal values are 1-255. Keep the value below 240 unless you really know
what you're doing.
I overextended myself with that piece of logic. I remember it being
capped at 255, but inappropriately associated it with the mask. Sorry
for any confusion caused, I fucking hate it when people
sed on my own experience, so YMMV.
2) Why does it seem that when the master returns from me issuing a
reboot does the connection for the client appear to get shaky again?
No clue, you're not providing anything but anecdotal evidence.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
imsgroup.com/?l=openbsd-tech&m=110229937028512&w=2
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
and what isn't? What is the output of "ifconfig -a" on
each box?
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
ithout providing your configuration (hostname.*, pf.conf), it's
impossible to help you. It would also help to know what
troubleshooting you've already tried and what errors/failures you've
encountered.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
're here to help, but you need to
try and help yourself too. :)
HTH.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
ecial attention to the section "Filtering on a bridge".
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Gah, this is the 2nd time in a week I've cc'd the wrong list. Sorry.
-J.
On Nov 25, 2004, at 10:01 PM, Jason Dixon wrote:
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet -> FW -> Lo
ddress. It only listens to incoming packets.
man pf.conf, search for "dup-to".
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Sorry, redirected to pf@ by accident.
-J.
On Nov 19, 2004, at 6:51 AM, Jason Dixon wrote:
On Nov 19, 2004, at 6:32 AM, Sergi Toledo wrote:
Hi
I've been looking for the maximum number of states that pf is able to
handle, but I can't find the correct .c or .h file. Which one is it?
I sup
d limit in the source. They are limited only by your
available memory, but can be capped using "set limit states" in
pf.conf. The general rule is 1k states per 1MB of memory.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
On Oct 21, 2004, at 4:28 AM, Lars Hansson wrote:
Jason Dixon wrote:
Maybe it's just me, but why would you need to have machines outside
your firewall, yet still need to run iptables on them?
They could be routers.
I was looking for real answers, not possibilities. Ed has already
stated
security by running firewalls on the linux
hosts, but it would be in your best interests to take advantage of PF
wherever possible (IMHO).
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Did you run the command I told you about, and monitor
any output? Was anything revealed?
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
terminal and watch as you attempt your ftp
sessions. This assumes that you're logging and pflog0 is up. Basic
troubleshooting skills like this are necessary for becoming part of the
OpenBSD community.
tcpdump -nettti pflog0
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
113 accepting connections (or sending resets, not sure
if your identd is actually running)? Why wouldn't you rather just deny
all and avoid behaving like a doof?
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
On Sep 15, 2004, at 12:23 PM, Brent Bolin wrote:
[EMAIL PROTECTED] (Jason Dixon) wrote in message
news:I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
Don't try to block it. It's a port hopper. Instead make it painful
for the u
connection on 6346 though, ideas?
I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
balancer
(python director springs to mind) and let it handle the application
issues? Let _it_ deal with whether a server is alive or not; PF is a
_packet_filter_, not an application proxy/LB device.
Well, not in the truest sense, anyways. :)
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
s this has been requested
numerous times. Daniels sums up the developers' point-of-view on this
quite nicely here:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=108846519101164&w=2
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
e pfl2sysl script. I've found that by killing cron and restarting it
manually (it's usually started in rc), that this seems to fix it. I've
compared the permissions of /var/cron/* before and after, and don't see
any differences.
Any ideas what I'm missing here?
Thanks
On May 20, 2004, at 6:19 AM, Greg Hennessy wrote:
On 19 May 2004 14:04:37 -0700, [EMAIL PROTECTED] (Jason Dixon)
wrote:
On May 19, 2004, at 4:09 PM, Dave Anderson wrote:
pf is complicated enough that it definitely takes a while to wrap one's
mind around the whole thing.
Actually, it'
erstand
why it might be a lot to take in.
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
"translate before filtering" thing, applying logic where none applied.
;-)
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
On Mar 18, 2004, at 9:56 AM, Peter Hessler wrote:
On Thu, 18 Mar 2004 06:27:39 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:
:Thanks, that works. Looking at pf.conf (5), it appears that "rdr pass"
:is just a feature to bypass the normal filtering rule. I don't see why
:my
my mine would've failed. I'm running 3.4 -stable. Any ideas?
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
udp_in keep state
# allow certain tcp connections
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in flags S/SA synproxy state
# END of pf.rules
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
by pfstat. However it looks like
pfstat does not have an option for specific interfaces.
Actually, it does. The "set loginterface" option in pf.conf determines
which interface to collect packet/byte counts for. The statistics are
sent to pf (4), which is read by either pfctl or pfstat.
"Microsoft vpn information" doesn't tell us a lot. I
suggest you search the archives for L2TP or PPTP, depending on your
needs. There's plenty of information there. I personally have PPTP
GRE tunnels running through my firewall as we speak.
--
Jason Dixon, RHCE
DixonG
es of IPv6 traffic (besides icmp6
and DNS).
Sorry for posting this to pf@, but I'm looking for as many PF/IPv6 users
as possible.
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net