Re: a trick
On Tue, 9 Mar 2004, Claudio Jeker wrote:

> The best solution is to have a full view (with no default route) via bgp and use no-route. So you get an auto-update bogon filter. It is more accurate than those lists because it is live and knows about the not announced but IANA allocated blocks.

How does that help? Abusers use BGP to advertise reachability to those blocks in the first place, so they are in the routing table. And, BGP doesn't include WHOIS information to determine a given block's allocation status.

-d
Re: a trick
On Wed, Mar 10, 2004 at 06:43:33PM +1100, Damien Miller wrote:

> On Tue, 9 Mar 2004, Claudio Jeker wrote:
>
>> The best solution is to have a full view (with no default route) via bgp and use no-route. So you get an auto-update bogon filter. It is more accurate than those lists because it is live and knows about the not announced but IANA allocated blocks.
>
> How does that help? Abusers use BGP to advertise reachability to those blocks in the first place, so they are in the routing table. And, BGP doesn't include WHOIS information to determine a given block's allocation status.

If abusers use BGP to advertise reachability you're in big trouble because then your list won't help you either. If you can advertise a non-allocated block you can also advertise an allocated but not announced block. There are many companies that own public IP blocks but don't announce them.

--
:wq Claudio
Re: a trick
* Damien Miller [EMAIL PROTECTED] [2004-03-10 09:37]:

> Abusers use BGP to advertise reachability to those blocks in the first place

Well, it's mostly a myth that you can simply advertise something in bgp. There's basically no such thing as unfiltered bgp left. If such bogons are advertised somewhere the right fix is to get the ISP who accepts that advertisement to implement proper filters.

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: pfctl: Cannot allocate memory
Greg Wooledge wrote:

> Cedric Berger ([EMAIL PROTECTED]) wrote:
>
>> Here is the problem I think: 40MB of kernel memory for routing table entries... It might be PF table stuff..., not sure yet. Do you reload your ban table very often?
>
> Whenever I notice a new IP address that needs my attention. Unfortunately this can often be several times in an evening.
>
> Ok, I'm 99% convinced this has nothing to do with PF. At the time I sent my last e-mail, the box had been up approximately two weeks, so I figured I'd upgrade CVS before rebooting it. I did that, and now my 3.5-beta -current box has been up 22 hours. netstat -rn | wc shows 79 lines. Here's the top section (before the IPv6 stuff, which I don't use, as far as I know).
>
> ===
> Internet:
> Destination        Gateway            Flags   Refs     Use   Mtu    Interface
> default            209.142.155.254    UGS      470  4603644  1492   tun0
> 12.169.2.37        209.142.155.254    UGHD       0  4600038  1492 L tun0
> 24.57.88.139       209.142.155.254    UGHD       1  4603283  1492 L tun0
> 24.204.73.174      209.142.155.254    UGHD       0  4602201  1492 L tun0
> 62.34.2.173        209.142.155.254    UGHD       1  4575857  1492 L tun0
> 62.49.7.13         209.142.155.254    UGHD       1  4586241  1492 L tun0
> 62.174.241.107     209.142.155.254    UGHD       1  4595161  1492 L tun0
> 62.234.101.184     209.142.155.254    UGHD       1  4594391  1492 L tun0
> [...]
>
> If the routing table really does grow every time some spammer or P2P user connects to me from the Internet, and never gets pruned, then this resembles a denial of service attack. :-/ But I have a hard time believing I'd be the only person seeing such a problem.

We're looking at the problem, but there is very likely a bug related to PMTU here. You can probably work around the problem by turning PMTU off with sysctl:

vm34c# grep mtu sysctl.conf
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery

I don't know if that is possible for you, though.

Cedric
Re: example pf.conf
You can also try: https://www.solarflux.org/pf

// Asenchi

On Tue, 9 Mar 2004 13:06:23 -0800 Gary [EMAIL PROTECTED] wrote:

> I've been searching for some examples of pf.conf but all I can find are examples for a gateway/firewall with emphasis towards NAT. I need to set up packet filter on a stand-alone (single NIC) OpenBSD 3.4 box which will run ssh, httpd, dns, smtp, pop3. Please can anyone point me towards such examples or perhaps post their pf.conf for me to try.
>
> At the moment I'm just trying to get dns working. I tried the following but it seems not to work. ssh is working fine. I think dns needs to use other ports as well.
>
> # cat /etc/pf.conf
> #$OpenBSD: pf.conf,v 1.21 2003/09/02
> block in log all
> # pass ssh
> pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on $ext_if proto { tcp, udp } all keep state
> # pass dns
> pass in on $ext_if proto { tcp, udp } from any to any port 53
> pass out on $ext_if proto { tcp, udp } from any to any port 53
>
> Many thanks in advance
> Gary
Re: pfauth like system for modifying pf tables
* Russell Fulton [EMAIL PROTECTED] [10.03.2004 05:10]:

> In mid January I asked if anyone had written a daemon to allow one to modify pf tables from another system (eg an authentication system where people are logging in). Someone replied off list and now that I really need the information I can't find it. I've spent most of this afternoon searching my email archive, my browser bookmarks, googling and anything else I can think of.

It's in the archives: http://www.benzedrine.cx/pf/msg04036.html
RE : ftp on dmz
Hi,

I've just finished setting up a glftpd behind my magic OpenBSD box. Like you I had problems with the ftp-data ports (cannot list but connected to the ftp). All I've done was correct according to this: http://www.openbsdjournal.org/howto/pfftp.html

I suggest you two things:

1/ test ftp-data flow: I used nc (netcat) to test the tcp ports (eg: on the ftp server nc -l yourtestport, on the client nc ipftpserver yourtestport). If you can establish a connection with nc on the ftp-data ports on your ftp server from a client, the problem is the configuration of your ftp server.

2/ ftp configuration: be sure that the ip bound for the ftp-data is your public ip for the external and local ip for the lan. That point was my problem with my glftpd passive configuration. I resolved the problem with this addition in glftpd.conf:

ifip 192.168.*.*
pasv_addr localip
elseip
pasv_addr publicip 1
endifip
pasv_ports 56101-56399

Now it's working great with TLS too :)

Hope this will help you

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Darek Eliasz
Sent: Monday, 8 March 2004 18:33
To: Maxime Labelle
Cc: [EMAIL PROTECTED]
Subject: Re: ftp on dmz

> From the PF user guide (http://www.openbsd.org/faq/pf/index.html) under Issues with FTP here is an example subset of rules which would accomplish this:

But where in these rules is ftp-proxy? I tried it before but without any result. Did you try this solution?
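The passive-mode setup described above (glftpd on a DMZ host, replying with the public address and a fixed pasv_ports range) only works if the firewall redirects both the control port and that whole range to the DMZ host. The following pf.conf is an added example in OpenBSD 3.4 syntax; it is not from the poster, the linked howto or the PF user guide. The interface names, the DMZ address and the 192.168.1.0/24 network are assumptions; the port range 56101-56399 is the one quoted from glftpd.conf above and must stay identical in both files.

```pf
# Added example: pf.conf for a passive-mode FTP server on a DMZ behind NAT.
ext_if="fxp0"                  # assumed: interface facing the Internet
dmz_if="fxp1"                  # assumed: interface facing the DMZ
ftp_srv="192.168.1.10"         # assumed: DMZ address of the glftpd host
pasv_ports="56101:56399"       # must match pasv_ports in glftpd.conf

scrub in all

# Translation happens before filtering, so the filter rules below see the
# DMZ address as destination (inbound) and the external address as source
# (outbound), not the addresses on the wire.
nat on $ext_if from $ftp_srv to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_srv port 21
rdr on $ext_if proto tcp from any to ($ext_if) port $pasv_ports -> $ftp_srv

block log all
pass quick on lo0 all keep state
antispoof for $dmz_if inet

# Only the control port and the passive range reach the DMZ host; the
# initial SYN is matched and state carries the rest of each connection.
pass in on $ext_if inet proto tcp from any to $ftp_srv port { 21, $pasv_ports } flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $ftp_srv port { 21, $pasv_ports } flags S/SA keep state

# Connections the DMZ host opens itself (active-mode data, updates). On the
# external side the source is already the translated address.
pass in on $dmz_if inet proto tcp from $ftp_srv to any flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. The nc test from the post above is the right verification: a connection from an outside client to the public address on a port inside the passive range must end up at the DMZ host, and one to a port outside the range must be blocked and logged.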
Re: example pf.conf
Gary said:

> I've been searching for some examples of pf.conf but all I can find are examples for a gateway/firewall with emphasis towards NAT. I need to set up packet filter on a stand-alone (single NIC) OpenBSD 3.4 box which will run ssh, httpd, dns, smtp, pop3. Please can anyone point me towards such examples or perhaps post their pf.conf for me to try.
>
> At the moment I'm just trying to get dns working. I tried the following but it seems not to work. ssh is working fine. I think dns needs to use other ports as well.
>
> # cat /etc/pf.conf
> #$OpenBSD: pf.conf,v 1.21 2003/09/02
> block in log all
> # pass ssh
> pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass out on $ext_if proto { tcp, udp } all keep state
> # pass dns
> pass in on $ext_if proto { tcp, udp } from any to any port 53
> pass out on $ext_if proto { tcp, udp } from any to any port 53
>
> Many thanks in advance
> Gary

Start by reading the FAQ and all man pages. It is good to know what you are doing... But here is a complete filter as a start. I have not tried it, but it should be ok.

--
INTERNET_INT=fxp1

scrub in on $INTERNET_INT all fragment reassemble

block log all
pass quick on lo0 all keep state
antispoof for $INTERNET_INT inet
pass out on $INTERNET_INT inet proto {tcp udp icmp} all keep state

# The rules go here
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT port { 22 25 80 110 443 } flags S/SA keep state
pass in log quick on $INTERNET_INT inet proto udp from any to $INTERNET_INT port { 53 } keep state
---

/Peo
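Two details worth noting in the rulesets above: Gary's pf.conf uses $ext_if without ever defining the macro, which pfctl rejects at load time, and Peo's ruleset passes DNS on UDP only, while a name server also needs TCP 53 for responses too large for a single datagram and for zone transfers. The following is an added example, not Gary's or Peo's configuration: a complete pf.conf for a single-NIC server in the same 3.4 syntax. The interface name and the table name "banned" are assumptions; the persist table is the kind of hand-maintained ban list discussed in the pfctl thread above, kept across rule reloads and edited from the shell with pfctl -t banned -T add or -T delete.

```pf
# Added example: pf.conf for a stand-alone server (ssh, smtp, http, pop3,
# https, dns) with a single interface.
ext_if="fxp0"                                  # assumed interface name
tcp_services="{ 22, 25, 80, 110, 443 }"

# Addresses banned by hand with pfctl -t banned -T add; "persist" keeps
# the table (and its contents) when pf.conf is reloaded.
table <banned> persist

scrub in on $ext_if all fragment reassemble

# Default deny in both directions, then open what is needed.
block log all
pass quick on lo0 all keep state
antispoof log for $ext_if inet

# Banned hosts are dropped before any pass rule can match ("quick").
block in log quick on $ext_if from <banned> to any

# Connections this host opens itself (resolver queries, mail delivery,
# ICMP); state lets the replies back in.
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state

# Inbound TCP services: match the initial SYN only, state does the rest.
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state

# DNS: UDP for ordinary queries, TCP for large responses and zone transfers.
pass in on $ext_if inet proto udp from any to $ext_if port 53 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port 53 flags S/SA keep state
```

Load it with pfctl -nf /etc/pf.conf first (parse only), then pfctl -f /etc/pf.conf. Because "block log all" also blocks outbound traffic, every service the host itself talks to has to be covered by the pass out rule; pfctl -ss shows the states that rule creates, and tcpdump on pflog0 shows what the block rules logged.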
pf plans, please am I on track?
Hi this is David, please know I posted this today on OpenBSD.org misc list - I hope this is not considered 'cross-posting' if I tell you that first, so as to warn you so you don't bother with answering me on both lists.

***

I really need help, pf gurus!

I'm ok with setting up hosts on an existing network, as I'm familiar with the basics of DNS, DHCP, etc. But now I am trying to solve a problem on a friend's network and it looks to me like pf would be a wonderful solution, and I want to know if you think this would work, and also I have questions about setting up the interfaces on the OpenBSD/pf box.

Here is the setup:
- 3 Computers on Ethernet LAN to Netgear RP614v2, Cable/DSL Gateway/Router/Switch (Firmware v. 5.13) and this attached to DSL modem.
- Cisco ATA186 (Analog Telephone Adaptor) used with a service that connects telephones into ethernet (VOIP). This device attached to phone and ethernet to the Netgear router.

Here is the problem:
When using the phone or fax over the Cisco ATA186 it works fine UNTIL there is any other traffic from the computers. Not sure if problem with traffic on LAN, but definitely when there is simultaneous traffic to or from Internet to any of the computers, the voice in the phone to the Cisco ATA186 gets choppy and a fax can even get dropped.

Proposed solution - will this work?
Seems that using an OpenBSD box with 2 NICs, I could configure pf as NAT router/firewall, and also give priority to the VOIP traffic (the Cisco box is using DHCP server in the Netgear router but I can change it to fixed IP address to aid filtering by pf). This way, I would be replacing the Netgear router, and fixing the problem with the choppy voice or dropped faxes. I may need a switch going from the pf box to the computers, to handle the multiple ports. Does this sound feasible?

SPECIFIC QUESTIONS (assuming the above is feasible)...

One of the interfaces on pf box would be configured for using DHCP, and be connected to the DSL router. This would be like the present connection between Netgear router and DSL modem.

The other interface is where I am having a bit of difficulty in understanding. I am so used to working with hosts set up as DHCP clients, that I'm having a hard time seeing what to do with configuring the settings for the LAN side of the pf box. Specifically, since the LAN is a workgroup and not a domain, and I want to make the pf box be the DHCP server on the LAN side, what should I answer to these parameters:
- DNS domain name? (just put a space or nothing?)
- DNS name server? (DNS addresses used on the ISP side?)
- Use the nameserver now?
- Default route? (I'm wanting this interface's IP address to be the default route, I believe)

The examples given in the pf manual on openbsd site really got me thinking and it seems that pf is really powerful. Thanks to all who worked on the docs and the software. I'm really looking forward to experimenting!

THANK YOU!
David
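The plan described above (a two-NIC OpenBSD box doing NAT and giving the ATA's traffic priority over the computers' traffic) maps onto pf's ALTQ priority queueing. The following pf.conf is an added example, not part of David's post or of any reply, and assumes a pf with ALTQ priq support and the tag/tagged rule options. The interface names, the LAN network, the ATA's fixed address and the 240Kb figure are assumptions; the bandwidth value has to be set a little below the DSL line's real upload rate so that packets queue in pf, where priorities apply, rather than in the modem. Because NAT rewrites the source address before the outbound rules on the external interface are evaluated, the ATA's packets cannot be recognised there by address; they are tagged on the way in and matched with "tagged" on the way out.

```pf
# Added example: NAT router with ALTQ priq giving VoIP traffic priority
# over everything else leaving the DSL link.
ext_if="dc0"               # assumed: NIC to the DSL modem, address via DHCP
int_if="dc1"               # assumed: NIC to the LAN switch
lan_net="192.168.2.0/24"   # assumed LAN network
ata="192.168.2.20"         # assumed fixed address of the Cisco ATA186

# Priority queues on the upstream side. Set bandwidth slightly under the
# real upload rate; priq always sends q_voip before q_std when both have
# packets waiting.
altq on $ext_if priq bandwidth 240Kb queue { q_voip, q_std }
queue q_voip priority 7
queue q_std  priority 1 priq(default)

scrub in all

# Hide the LAN behind the dynamic external address.
nat on $ext_if from $lan_net to any -> ($ext_if)

block log all
pass quick on lo0 all keep state
antispoof for $int_if inet

# LAN hosts out to the Internet. The later, more specific rule wins for
# the ATA and marks its packets with a tag that survives translation.
pass in on $int_if from $lan_net to any keep state
pass in on $int_if from $ata to any keep state tag VOIP

# On the external interface the source is already the translated address,
# so classification uses the tag rather than the LAN address.
pass out on $ext_if all keep state queue q_std
pass out on $ext_if all tagged VOIP keep state queue q_voip
```

pfctl -vsq shows the per-queue packet counters, which is the quick way to confirm that calls actually land in q_voip while a download is running. This only shapes what the box sends; incoming traffic on the DSL link arrives at the ISP's pace, so heavy downloads can still degrade a call.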