Re: a trick

2004-03-10 Thread Damien Miller
On Tue, 9 Mar 2004, Claudio Jeker wrote:

 The best solution is to have a full view (with no default route) via bgp
 and use no-route. So you get an auto-update bogon filter. It is more
 accurate than those lists because it is live and knows about the not
 announced but IANA allocated blocks.

How does that help? Abusers use BGP to advertise reachability to those 
blocks in the first place, so they are in the routing table. And, BGP 
doesn't include WHOIS information to determine a given block's allocation 
status.

-d


Re: a trick

2004-03-10 Thread Claudio Jeker
On Wed, Mar 10, 2004 at 06:43:33PM +1100, Damien Miller wrote:
 On Tue, 9 Mar 2004, Claudio Jeker wrote:
 
  The best solution is to have a full view (with no default route) via bgp
  and use no-route. So you get an auto-update bogon filter. It is more
  accurate than those lists because it is live and knows about the not
  announced but IANA allocated blocks.
 
 How does that help? Abusers use BGP to advertise reachability to those 
 blocks in the first place, so they are in the routing table. And, BGP 
 doesn't include WHOIS information to determine a given block's allocation 
 status.
 

If abusers use BGP to advertise reachability you're in big trouble because
then your list won't help you either. If you can advertise a non-allocated
block you can also advertise an allocated but not announced block. There
are many companies that own public IP blocks but don't announce them.

-- 
:wq Claudio


Re: a trick

2004-03-10 Thread Henning Brauer
* Damien Miller [EMAIL PROTECTED] [2004-03-10 09:37]:
 Abusers use BGP to advertise reachability to those 
 blocks in the first place

well, it's mostly a myth that you can simply advertise something in
bgp. There's basically no such thing as unfiltered bgp left. if such
bogons are advertised somewhere the right fix is to get the ISP who
accepts that advertisement to implement proper filters.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: pfctl: Cannot allocate memory

2004-03-10 Thread Cedric Berger
Greg Wooledge wrote:

Cedric Berger ([EMAIL PROTECTED]) wrote:
 

Here is the problem I think: 40MB of kernel memory for routing table 
entries...
It might be PF table stuff..., not sure yet.

Do you reload your ban table very often?
   

Whenever I notice a new IP address that needs my attention.  Unfortunately
this can often be several times in an evening.
 

Ok, I'm 99% convinced this has nothing to do with PF.

At the time I sent my last e-mail, the box had been up approximately
two weeks, so I figured I'd upgrade CVS before rebooting it.  I did
that, and now my 3.5-beta -current box has been up 22 hours.
netstat -rn | wc shows 79 lines.  Here's the top section (before the
IPv6 stuff, which I don't use, as far as I know).
===
Internet:
Destination        Gateway            Flags     Refs      Use    Mtu  Interface
default            209.142.155.254    UGS        470  4603644   1492   tun0
12.169.2.37        209.142.155.254    UGHD         0  4600038   1492 L tun0
24.57.88.139       209.142.155.254    UGHD         1  4603283   1492 L tun0
24.204.73.174      209.142.155.254    UGHD         0  4602201   1492 L tun0
62.34.2.173        209.142.155.254    UGHD         1  4575857   1492 L tun0
62.49.7.13         209.142.155.254    UGHD         1  4586241   1492 L tun0
62.174.241.107     209.142.155.254    UGHD         1  4595161   1492 L tun0
62.234.101.184     209.142.155.254    UGHD         1  4594391   1492 L tun0
 

[...]

If the routing table really does grow every time some spammer or P2P
user connects to me from the Internet, and never gets pruned, then
this resembles a denial of service attack. :-/  But I have a hard time
believing I'd be the only person seeing such a problem.
 

We're looking at the problem, but there is very likely a bug related to 
PMTU here.
You can probably work around the problem by turning PMTU off with sysctl:

  vm34c# grep mtu sysctl.conf
   #net.inet.ip.mtudisc=0  # 0=disable tcp mtu discovery
I don't know if that is possible for you, though.
Cedric
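
A detection check added here, not code from Cedric or Greg: the symptom above shows up in netstat -rn as cloned IPv4 host routes (flags H and D, with the locked 1492 MTU) that keep accumulating on tun0. This shell function counts such routes per interface; the netstat output inside it is a constructed sample modelled on the lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: count the cloned IPv4 host routes
# (flags H = host route, D = dynamically created) per interface in
# netstat -rn output. PMTU discovery creates one per remote peer; a count
# that only ever grows is the symptom described above. Reads netstat -rn
# output on stdin and prints "<count> <interface>", highest count first.
cloned_host_routes() {
    awk '
        /^Internet:/  { in_inet = 1; next }      # IPv4 section starts here
        /^Internet6:/ { in_inet = 0 }            # IPv6 section: stop counting
        in_inet && $3 ~ /H/ && $3 ~ /D/ { n[$NF]++ }
        END { for (i in n) print n[i], i }
    ' | sort -rn
}

# Constructed sample modelled on the output quoted above: two cloned host
# routes on tun0, plus loopback and LAN routes that must not be counted.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Refs      Use    Mtu  Interface
default            209.142.155.254    UGS        470  4603644   1492   tun0
12.169.2.37        209.142.155.254    UGHD         0  4600038   1492 L tun0
24.57.88.139       209.142.155.254    UGHD         1  4603283   1492 L tun0
127/8              127.0.0.1          UGRS         0        0  33224   lo0
127.0.0.1          127.0.0.1          UH           1       12  33224   lo0
192.168.1/24       link#1             UC           1        0   1500   fxp0

Internet6:
::1                ::1                UH          14        0  33224   lo0'

# Runs the check on the sample; on a live box: netstat -rn | cloned_host_routes
sample_cloned_host_routes() {
    printf '%s\n' "$SAMPLE_NETSTAT" | cloned_host_routes
}

sample_cloned_host_routes   # prints: 2 tun0
```

Running it from cron and comparing counts over time shows whether the table is ever pruned; disabling net.inet.ip.mtudisc, as Cedric suggests, is the workaround the thread gives.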



Re: example pf.conf

2004-03-10 Thread Curt Micol, PPC
You can also try: https://www.solarflux.org/pf

// Asenchi

On Tue, 9 Mar 2004 13:06:23 -0800
Gary [EMAIL PROTECTED] wrote:

I've been searching for some examples of pf.conf but all I can find are
examples for a gateway/firewall with emphasis towards NAT.

I need to set up packet filter on a stand alone (single NIC) OpenBSD
3.4 box which will run ssh, httpd, dns, smtp, pop3.

Please can anyone point me towards such examples or perhaps post their
pf.conf for me to try. 

At the moment I'm just trying to get dns working, I tried the following
but it seems not to work. ssh is working fine. I think dns needs to use
other ports as well.


# cat /etc/pf.conf 

#$OpenBSD: pf.conf,v 1.21 2003/09/02
block in log all
# pass ssh
pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on $ext_if proto { tcp, udp } all keep state
# pass dns
pass in on $ext_if proto { tcp, udp } from any to any port 53 
pass out on $ext_if proto { tcp, udp } from any to any port 53


Many thanks in advance
Gary


Re: pfauth like system for modifying pf tables

2004-03-10 Thread Armin Wolfermann
* Russell Fulton [EMAIL PROTECTED] [10.03.2004 05:10]:
   In mid January I asked if anyone had written a daemon to allow one to
 modify pf tables from another system (eg an authentication system where
 people are logging in).  Someone replied off list and now that I
 really need the information I can't find it. I've spent most of this
 afternoon searching my email archive, my browser bookmarks, googling and
 anything else I can think of.

It's in the archives: http://www.benzedrine.cx/pf/msg04036.html



RE : ftp on dmz

2004-03-10 Thread borrut
Hi,
I've just finished setting up a glftpd behind my magic OpenBSD box.
Like you I had problems with the ftp-data ports (cannot list but
connected to the ftp). All I've done was correct according to this:
http://www.openbsdjournal.org/howto/pfftp.html
 I suggest you two things:
1/ test ftp-data flow:
 - I used nc (netcat) to test the tcp ports (eg: on the ftp server nc -l
yourtestport, on the client nc ipftpserver yourtestport)
 if you can establish a connection with nc on the ftp-data ports on your
ftp server from a client the problem is the configuration of your ftp
server.
2/ ftp configuration: be sure that the IP bound for the ftp-data is
your public IP for the external and local IP for the LAN

 That point was my problem with my glftpd passive configuration.
I resolved the problem with this addition in glftpd.conf:
ifip 192.168.*.*
pasv_addr localip
elseip
pasv_addr publicip 1
endifip
pasv_ports 56101-56399

 Now it's working great with TLS too :)

 Hope this will help you

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Darek Eliasz
 Sent: Monday, 8 March 2004 18:33
 To: Maxime Labelle
 Cc: [EMAIL PROTECTED]
 Subject: Re: ftp on dmz
 
   From the PF user guide (http://www.openbsd.org/faq/pf/index.html)
  under Issues with FTP here is an example subset of rules which would
  accomplish this:
 
 But where in these rules is ftp-proxy? I tried it before but without any
 result. Did you try this solution?



Re: example pf.conf

2004-03-10 Thread Per-Olov Sjöholm
Gary said:
 I've been searching for some examples of pf.conf but all I can find are
 examples for a gateway/firewall with emphasis towards NAT.

 I need to set up packet filter on a stand alone (single NIC) OpenBSD 3.4
 box which will run ssh, httpd, dns, smtp, pop3.

 Please can anyone point me towards such examples or perhaps post their
 pf.conf for me to try.

 At the moment I'm just trying to get dns working, I tried the following
 but it seems not to work. ssh is working fine. I think dns needs to use
 other ports as well.


 # cat /etc/pf.conf
 #$OpenBSD: pf.conf,v 1.21 2003/09/02
 block in log all
 # pass ssh
 pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
 pass  out on $ext_if proto { tcp, udp } all keep state
 # pass dns
 pass in on $ext_if proto { tcp, udp } from any to any port 53
 pass out on $ext_if proto { tcp, udp } from any to any port 53


 Many thanks in advance
 Gary




Start by reading the FAQ and all man pages. It is good to know what you
are doing...

But here is a complete filter as a start. I have not tried it, but it
should be ok.

--
INTERNET_INT=fxp1
scrub in on $INTERNET_INT all fragment reassemble
block log all
pass quick on lo0 all keep state
antispoof for $INTERNET_INT inet
pass out on $INTERNET_INT inet proto {tcp udp icmp} all keep state
# The rules goes here
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT port { 22 25 80 110 443 } flags S/SA keep state
pass in log quick on $INTERNET_INT inet proto udp from any to $INTERNET_INT port { 53 } keep state
---



/Peo
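
A check added here, not code from Gary or Per-Olov: the ruleset Gary quotes references $ext_if without any line defining it (perhaps dropped when pasting), and pfctl rejects a ruleset with an undefined macro outright, so whatever was loaded before stays in force. This POSIX shell function lists macros that are used but never defined; the sample inside it is Gary's ruleset, and the fixed copy prepends an assumed ext_if="fxp0" line.

```shell
#!/bin/sh
# Added example, not code from the thread: list pf.conf macros that are
# referenced as $name but never defined as name=value. pfctl refuses the
# whole ruleset in that case ("macro 'ext_if' not defined"), so nothing
# new gets loaded. Reads a ruleset on stdin, prints one name per line.
pf_undefined_macros() {
    awk '
        { sub(/#.*/, "") }                       # drop comments first
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { # definition: name=value
            d = $0; sub(/^[ \t]*/, "", d); sub(/[ \t]*=.*/, "", d); def[d] = 1
        }
        {                                        # every $name reference
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                r = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(r in seen)) { seen[r] = 1; order[++k] = r }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (i = 1; i <= k; i++) if (!(order[i] in def)) print order[i] }
    '
}

# Constructed sample: the ruleset quoted above, which uses $ext_if but has
# no line defining it.
GARY_PF_CONF='block in log all
# pass ssh
pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on $ext_if proto { tcp, udp } all keep state
# pass dns
pass in on $ext_if proto { tcp, udp } from any to any port 53
pass out on $ext_if proto { tcp, udp } from any to any port 53'

# Same ruleset with an assumed macro definition prepended (the interface
# name is a placeholder; use the real external interface).
FIXED_PF_CONF="ext_if=\"fxp0\"
$GARY_PF_CONF"

# Helpers so each case can be checked by name.
check_gary()  { printf '%s\n' "$GARY_PF_CONF"  | pf_undefined_macros; }
check_fixed() { printf '%s\n' "$FIXED_PF_CONF" | pf_undefined_macros; }

check_gary    # prints: ext_if
check_fixed   # prints nothing
```

On a live box, pf_undefined_macros < /etc/pf.conf before pfctl -nf /etc/pf.conf gives the missing-macro answer without parsing the rest of the file.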


pf plans, please am I on track?

2004-03-10 Thread Dr. David Johnson
Hi this is David, please know I posted this today on
OpenBSD.org misc list - I hope this is not considered
'cross-posting' if I tell you that first, so as to warn you
so you don't bother with answering me on both lists.
***

I really need help, pf gurus!

I'm ok with setting up hosts on an existing network,
as I'm familiar with the basics of DNS, DHCP, etc.
But now I am trying to solve a problem on a friend's
network and it looks to me like pf would be a
wonderful solution, and I want to know if you think
this would work, and also I have questions about
setting up the interfaces on the OpenBSD/pf box.
Here is the setup:

3 Computers on Ethernet LAN to Netgear RP614v2,
Cable/DSL Gateway/Router/Switch (Firmware v. 5.13)
and this attached to DSL modem.
Cisco ATA186 (Analog Telephone Adaptor) used with a
service that connects telephones into ethernet (VOIP).
This device attached to phone and ethernet to the
Netgear router.
Here is the problem:

When using the phone or fax over the Cisco ATA186
it works fine UNTIL there is any other traffic from
the computers. Not sure if problem with traffic on
LAN, but definitely when there is simultaneous
traffic to or from Internet to any of the computers,
the voice in the phone to the Cisco ATA186 gets
choppy and a fax can even get dropped.
Proposed solution - will this work?

Seems that using an OpenBSD box with 2 NICs, I could
configure pf as NAT router/firewall, and also give
priority to the VOIP traffic (the Cisco box is using
DHCP server in the Netgear router but I can change it
to fixed IP address to aid filtering by pf). This way,
I would be replacing the Netgear router, and fixing
the problem with the choppy voice or dropped faxes.
I may need a switch going from the pf box to the computers,
to handle the multiple ports. Does this sound feasible?
SPECIFIC QUESTIONS (assuming the above is feasible)...

One of the interfaces on pf box would be configured
for using DHCP, and be connected to the DSL router.
This would be like the present connection between
Netgear router and DSL modem.
The other interface is where I am having a bit of
difficulty in understanding. I am so used to working
with hosts set up as DHCP clients, that I'm having
hard time seeing what to do with configuring the
settings for the LAN side of the pf box. Specifically,
since the LAN is a workgroup and not a domain, and
I want to make the pf box be the DHCP server on the
LAN side, what should I answer to these parameters:
DNS domain name?  (just put a space or nothing?)
DNS name server?  (DNS addresses used on the ISP side?)
Use the nameserver now?
Default route?    (I'm wanting this interface's IP address
 to be the default route, I believe)
The examples given in the pf manual on openbsd site really
got me thinking and it seems that pf is really powerful.
Thanks to all who worked on the docs and the software.
I'm really looking forward to experimenting!
THANK YOU!

David