Re: Tcpdump grepped for the machine: RE: Trouble with route-to:

2005-03-10 Thread Daniel Hartmeier 
On Wed, Mar 09, 2005 at 10:19:17PM -0800, Ben wrote:

 Mar 09 22:10:45.682221 0:9:5b:12:43:xx 0:c:f1:91:70:xx 0800 62:
 192.168.1.132.1273  216.51.232.100.80: S 417417262:417417262(0) win 16384
 mss 1460,nop,nop,sackOK (DF)

 $internal_net = 192.168.1.0

 nat on rl0 from $internal_net to !$internal_net - (rl0)
 nat on rl1 from $internal_net to !$internal_net - (rl1)
 pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep 
 state

If you really defined internal_net as 192.168.1.0, and not
192.168.1.0/24, neither of those three rule matches the packet, because
192.168.1.132 is not within 192.168.1.0/32. Leaving out the /network
part means /32 (for IPv4) in pf.

If you misquoted your ruleset, quote precisely.

Daniel

Re: Trouble with route-to:

2005-03-10 Thread J Tingle 
 I've been messing around with a similar setup with dsl  cable
going into one PF firewall.  One thing I noticed that might be giving
you problems is your nat rules: 


nat on rl0 from $internal_net to !$internal_net - (rl0)
nat on rl1 from $internal_net to !$internal_net - (rl1)

 The way it's written it seems like it would try to nat everything to
both connections.  I remember reading that the first matching nat rule
wins, so you don't need to make it too fancy.  Here is how I did my
nat:

ext_if_cable=le1
ext_if_dsl=hme0
int_if=le0
mynet=192.168.0.0/24
gateway_cable=xx2xx.xxx.x
gateway_dsl=xx.xxx.xx.x
dslhosts={ 192.168.0.104  }

#NAT
nat on $ext_if_dsl from $dslhosts to any - ($ext_if_dsl)
nat on $ext_if_cable from $mynet to any - ($ext_if_cable)

Another thing is you need a rule on the external interface to let let
the re-routed packets out.  I might be wrong about this but If I
remember right once you do the route-to it changes the source
address of the packet.  So instead of the packet being from
192.168.1.132 it will be from the ip of your externel interface.  So
it won't work if you try to do something like.

pass out on $rl1 from 192.168.1.132 to !$internel_net keep state 

The way I got around that is to tag the packets as they come in the
internel interface.  That way I can make sure I don't get the
asymetric routing.  Here is how I did it(I added the spaces to make it
easier to read):
snip---
#route  tag
pass in quick on $int_if route-to ($ext_if_dsl $gateway_dsl) \
from  $dslhosts to any tag DSLBOUND keep state 

pass in  on $int_if route-to ($ext_if_cable $gateway_cable) \
all tag CABLEBOUND keep state 

#Pass out the routed packets on External Interfaces
pass out quick on $ext_if_dsl proto tcp from any to any \
tagged DSLBOUND flags S/SA modulate state 

pass out on $ext_if_cable proto tcp from any to any \
!tagged DSLBOUND flags S/SA modulate state \

pass out quick on $ext_if_dsl proto { udp, icmp } \
from any to any tagged DSLBOUND keep state 

pass out on $ext_if_cable proto { udp, icmp } from any to any \
!tagged DSLBOUND keep state 

---snip---

Hope that helps.

-Jay


Hey all,  having a bit of a problem with routing one specific ip address out
a different interface in a 2 external interface setup:
Em0=internal interface
Rl0=external interface #1
Rl1=external interface #2
Gw1=external gateway #2
$internal_net = 192.168.1.0

snip
scrub in on $ext_if all
scrub out on $ext_if all
scrub in on rl1 all
scrub out on rl1 all

snip
pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep
state

Once I add the above line to pf.conf and flush the ruleset the computer can
no longer access the outside world.  So I assume I need some sort of
matching rule on rl1,  but can't figure out what it is.  

If I manually change the routing table to pass a specific destination ip
address out through gw1 it works without a flaw, however this machine needs
to access more then a few subnets through interface #2, so route-to is
preffered.


Let me know if anyone has any ideas,


Ben

Re: PF and LAND attack.

2005-03-10 Thread Miroslav Kubik 
Hi

In my opinion there's no reason why to block LANDs attacks with PF. I 
suppose that you have a windows server with private IP address behind PF and 
you use some portmapping for services you need accessible from outside. So 
if you want to make a LAND attack you have to make a packet with equal 
source and destination address but in this case it's not possible at all 
because everything goes to PF's IP address. As a matter of fact if your 
windows server doesn't have a public IP you're safe.

S pozdravem / Best Regards
Miroslav Kubik
IT Specialist
http://sweb.cz/kubik_miroslav



- Original Message - 
From: Henrik Bro [EMAIL PROTECTED]
To: pf@benzedrine.cx
Sent: Wednesday, March 09, 2005 9:00 PM
Subject: PF and LAND attack.


Is it possible to protect my Windows server from LAND attack with PF?

I have tried searching Google and Benzedrine, but have not found any info.

/Henrik

Re: PF and LAND attack.

2005-03-10 Thread Laurent Cheylus 
Hi,

On Thu, Mar 10, 2005 at 03:53:46PM +0100, Miroslav Kubik wrote:

 In my opinion there's no reason why to block LANDs attacks with PF.

Why ? 

Every good firewall blocks LAND Attacks (and PF is a very godd one).

I don't know if PF does it but the test is simple (with hping : 5
minutes to test).

Test if src.ip = dst.ip is very, very difficult to implement ;-)

Foxy

-- 
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

RE: Tcpdump grepped for the machine: RE: Trouble with route-to:

2005-03-10 Thread Ben 
Daniel:
H,  could have sworn pf assumed that .0 meant that all possible .x was
valid (in this instance 192.168.1.0/24) but fair enough; the network is
defined as 192.168.1.0/24   (sorry, was in a hurry so when I re-wrote the
ruleset I used shorthand.  My appologies)

Ben




 -Original Message-
 From: Daniel Hartmeier [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 10, 2005 12:20 AM
 To: Ben
 Cc: pf@benzedrine.cx
 Subject: Re: Tcpdump grepped for the machine: RE: Trouble 
 with route-to:
 
 On Wed, Mar 09, 2005 at 10:19:17PM -0800, Ben wrote:
 
  Mar 09 22:10:45.682221 0:9:5b:12:43:xx 0:c:f1:91:70:xx 0800 62:
  192.168.1.132.1273  216.51.232.100.80: S 
 417417262:417417262(0) win 
  16384 mss 1460,nop,nop,sackOK (DF)
 
  $internal_net = 192.168.1.0
 
  nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 
  from $internal_net to !$internal_net - (rl1) pass in on 
 em0 route-to 
  (rl1 gw1) from 192.168.1.132 to !$internal_net keep state
 
 If you really defined internal_net as 192.168.1.0, and not 
 192.168.1.0/24, neither of those three rule matches the 
 packet, because
 192.168.1.132 is not within 192.168.1.0/32. Leaving out the 
 /network part means /32 (for IPv4) in pf.
 
 If you misquoted your ruleset, quote precisely.
 
 Daniel

ICMP through CARP Failover

2005-03-10 Thread eric 
I was testing a pair of firewalls yesterday and found that there were no
issues with CARP except for ICMP echo requests not failing over when a
master fails. Are there any known issues with just using ping(8) to test
load balanced firewalls?  TCP connections work just fine without problem.

Here's my configurations.

# /etc/hostname.carp0
inet 10.19.81.200 255.255.255.128 10.19.81.255 vhid 1 pass bar advskew 100 

# /etc/hostname.carp1
inet 172.19.81.130 255.255.255.128 172.19.81.255 vhid 2 pass foo

# /etc/hostname.fxp0
inet 192.168.255.253 255.255.255.252 192.168.255.255 media 100baseTX mediaopt 
full-duplex description pfsync crossover

# /etc/hostname.fxp1
inet 172.19.81.131 255.255.255.128 172.19.81.255 media 100baseTX mediaopt 
full-duplex description inside

# /etc/hostname.pfsync0
up syncif fxp0

# /etc/hostname.xl0
inet 10.19.81.201 255.255.255.128 10.19.81.255 media 100baseTX mediaopt 
full-duplex description outside


#; /etc/pf.conf
#;
#; variables
###
# interfaces
loopbk  = lo0
ext_if  = xl0
wire_if = fxp1
pfsync_if   = fxp0
carp_ext_if = carp0
carp_int_if = carp1
all_if  = { $loopbk $wire_if }
ipsec_if= enc0

# hosts
broadcast   = 255.255.255.255

# host group definitions

# service definitions
tcp_wireif  = { ftp, ssh, www, https }

# tables
table admin   persist { 10.19.81.128/25, 10.13.2.0/24 }
table bogon   persist file /etc/bogon.txt

# administrative aliases
aspf= antispoof log
bi  = block in
bo  = block out
bil = block in log
biq = block in quick
blk = block
bol = block out log
boq = block out quick
bilq= block in log quick
bolq= block out log quick
pi  = pass in
po  = pass out
pil = pass in log
piq = pass in quick
pol = pass out log
poq = pass out quick
pqk = pass quick
pilq= pass in log quick
polq= pass out log quick
ks  = keep state
ms  = modulate state
ss  = synproxy state

#; behavior options
###
set loginterface  $ext_if
set timeout   { interval 11, frag 27 }
set limit { frags 45000, states 35000 }
set optimization  normal
set block-policy  return
set state-policy  if-bound
set debug urgent
# scrub-a-dub-dub
scrub out all no-df random-id max-mss 1440
scrub in  all no-df fragment reassemble min-ttl 2

#; network translations and redirection
###
# nat specific hard-wired hosts
nat   on $ext_if from any to any - ($ext_if)
# redirect for ftp-proxy
rdr   on $wire_if proto tcp from any to any port ftp - 127.0.0.1 port 8021

#; misc. authpf anchors
###
#binat-anchor   authpf/*
#anchor authpf/*

#; rules
###
# default block-all
$blk log \
label $if-block-log

# pass everything on loopback
$pqk on lo0   all \
label $if-pass

pass quick on { $pfsync_if }proto pfsync
pass   on { $ext_if, $wire_if } proto carp   $ks

# block broadcast noise, but dont log
$biq on $ext_if   from any to $broadcast \
label $if-broadcast
$biq on $ext_if   from $broadcast to any \
label $if-broadcast

# drop bogon tables from /etc/bogon.txt 
$bilqon $ext_if   from bogon \
 to any label $if-bogon
$bil on $wire_if  from { !$wire_if:network, bogon } \
 to any label $if-bogon

# prevent spoofing from this host
$bolqon $ext_if   from !$ext_if \
 to any label $if-block-out

# prevent spoofing of all interfaces
$aspf   for $loopbk  label $if-antispoof
$aspf   for $ext_if  label $if-antispoof
$aspf   for $wire_if label $if-antispoof

# pass out packets on any interface
$poq  inet proto tcp  all flags S/SA label $if-pass-synack-out $ms
$poq  inet proto udp  alllabel $if-pass-udp-out$ks
$poq  inet proto icmp alllabel $if-pass-icmp-out   $ks
$poq  alllabel $if-pass-ip-out

# allow bootp, dns lookups and ntp access (including 
# sntp) to $wire_if
$pi   on $wire_if inet proto udp from any \
 to any  port bootps label $if-bootps-in $ks
$pi   on $wire_if inet proto udp from $wire_if:network \
 to $wire_if port domain label $if-domain-udp-in $ks
$pi   on $wire_if inet proto udp from $wire_if:network \
 to $wire_if port ntplabel $if-ntp-in$ks

# allow users to ssh into this host for future authpf
$pilq on $wire_if inet proto tcp from any \
 to any port ssh label $if-ssh-authpf-in $ks

# icmp controls; log anything to our interfaces; pass everything else
$pil  on $wire_if inet proto icmp

RE: Trouble with route-to:

2005-03-10 Thread Ben 
Jay (and all)


I replaced my two separate nat lines with one testing line (using another
machine since that user (wife) would kill me if I kept having her test
things):

nat on rl1 from 192.168.1.142 to !$internal_net - (rl1) 

#and then re-enabled the route-to

pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
!$internal_net keep state

#and added a pass out line
pass out on rl1 from 192.168.1.142 to !$internal_net keep state


My simple understanding of the nat function in pf is that it will only nat
packets that are already heading out on the interface specified, but I could
be wrong.  Either way, with no other nat line was left active in PF and with
the two above pass lines activated I can browse to any ipaddress that is
routed out through rl1 via the route add commands,  but if I try to go to
something not included in the route add commands (like say, browsing to
www.slickdeals.net) it just waits for a response from www.slickdeals.net
forever.  So, I tried sniffing the rl1 interface grepping for slickdeals' ip
address, and found something really odd.


With the above nat's there's no traffic to slickdeals on rl1,   if I sniff
rl0 (default route) I find the traffic to slickdeals:

Mar 10 10:04:17.407558 0:10:b5:f:db:xx 0:50:57:0:92:20 0800 62:
192.168.1.142.3787  67.15.144.66.80: S 693520951:693520951(0) win 65535
mss1460,nop,nop,sackOK (DF)

So, it would seem that pf is ignoring the route-to command.   

If I re-enable the two separate nat lines, and keep the route-to command
(and the pass out on rl1 line intact I get the following:

Nothing on rl0,   but on rl1 things get really interesting:

tcpdump: listening on rl1
Mar 10 10:10:52.585188 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60:
68.4.66.x.61861  67.15.144.66.80: . ack 3117311098 win 65535 (DF)
Mar 10 10:10:52.585679 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861  67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.664414 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861  67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)
Mar 10 10:10:55.925367 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60:
68.4.66.x.61861  67.15.144.66.80: . ack 1 win 65535 (DF)
Mar 10 10:11:01.789024 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454:
68.4.66.x.61861  67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF)

dc:xx is rl1,  which is good, but 68.4.66.x is the ip address for rl0 (my
cable modem), which is a very bad thing (tm).

Once again I get the above when the following lines are active:
snip
nat on rl0 from $internal_net to !$internal_net - (rl0)
nat on rl1 from $internal_net to !$internal_net - (rl1)
snip
pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
!$internal_net keep state
pass out on rl1 from 192.168.1.142 to !$internal_net keep state
snip


If you're so inclined, my entire pf.conf file is available at:

http://members.cox.net/holysin/pf.conf

Not terribly sanitized, so there is a LOT of rules there...  I don't think
any of the rules matter outside what's been mentioned above, and yesterday,
but just in case, it's available.



Also, a little something about my connection:

rl0 is connected to the cable modem,   rl1 is connected to the campus
network (which is NOISY!),  if I have to I can just have the wife plug her
computer into the campus network directly,  but it would be infinitely more
prefered to be able to route all traffic from a spicific IP address through
the campus network while still keeping a firewall between the machine and
campus.  (Also, I'd prefer not to have to add route to commands for each
subnet she will connect to.

Thanks for the help.




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of J Tingle
 Sent: Thursday, March 10, 2005 12:12 AM
 To: pf@benzedrine.cx
 Subject: Re: Trouble with route-to:
 
  I've been messing around with a similar setup with dsl  
 cable going into one PF firewall.  One thing I noticed that 
 might be giving you problems is your nat rules: 
 
 
 nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 
 from $internal_net to !$internal_net - (rl1)
 
  The way it's written it seems like it would try to nat 
 everything to both connections.  I remember reading that the 
 first matching nat rule wins, so you don't need to make it 
 too fancy.  Here is how I did my
 nat:
 
 ext_if_cable=le1
 ext_if_dsl=hme0
 int_if=le0
 mynet=192.168.0.0/24
 gateway_cable=xx2xx.xxx.x
 gateway_dsl=xx.xxx.xx.x
 dslhosts={ 192.168.0.104  }
 
 #NAT
 nat on $ext_if_dsl from $dslhosts to any - ($ext_if_dsl) nat 
 on $ext_if_cable from $mynet to any - ($ext_if_cable)
 
 Another thing is you need a rule on the external interface to 
 let let the re-routed packets out.  I might be wrong about 
 this but If I remember right once you do the route-to it 
 changes the source address of the packet.  So instead of the 
 packet being from
 192.168.1.132 it will be from the ip of your externel 
 interface.  So it won't work if

Re: Trouble with route-to:

2005-03-10 Thread Jon Simola 
On Thu, 10 Mar 2005 10:58:35 -0800, Ben [EMAIL PROTECTED] wrote:

 nat on rl0 from $internal_net to !$internal_net - (rl0)
 nat on rl1 from $internal_net to !$internal_net - (rl1)
 snip
 pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
 !$internal_net keep state
 pass out on rl1 from 192.168.1.142 to !$internal_net keep state

Make sure you've changed your $internal_net to be 192.168.1.0/24
instead of 192.168.1.0 or use em0:network.

 rl0 is connected to the cable modem,   rl1 is connected to the campus
 network (which is NOISY!),  if I have to I can just have the wife plug her
 computer into the campus network directly,  but it would be infinitely more
 prefered to be able to route all traffic from a spicific IP address through
 the campus network while still keeping a firewall between the machine and
 campus.  (Also, I'd prefer not to have to add route to commands for each
 subnet she will connect to.

What I have in a similar situation (serving residents):
em0 - public internet (y.y.y.y/29)
vlan700 connects to a private network that connects to university
network (x.x.0.0/16)
vlan101 through 109 are 10.1.1.0/24 through 10.1.9.0/24 for students

We needed to make sure student traffic to the university went out
directly on vlan700, but everything else went out the public internet
side. The university network is a publically routable /16, but the
residence and university use different ISPs so the traffic took a 4000
mile trip and made things far slower than would be liked.

Summarized rules:
nat on em0 from vlan101:network to !10.0.0.0/8 - y.y.y.y/31 source-hash
nat on vlan700 from 10.0.0.0/8 to x.x.0.0/16 - (vlan700)
pass in  on vlan101 from vlan101:network to any keep state
pass in  on vlan101 route-to (vlan700 172.16.0.129) from
vlan101:network to x.x.0.0/16 keep state
pass out on vlan101 from any to vlan101:network
pass out on vlan700 proto tcp all modulate state flags S/SA
pass out on vlan700 proto { udp, icmp } all keep state


So what you're probably looking for (very abbreviated ruleset) is:
nat on rl0 from !$wife to !em0:network - (rl0)
nat on rl1 from $wife to !em0:network - (rl1)
#drop junk on em0 to make the !$wife nat safer
antispoof quick for em0
pass in on em0 route-to (rl1 gw1) from $wife to any keep state

Or, try a binat rule on the rl1 interface for your wife's computer.
Spare IP might help, but you shouldn't have any problems.
binat on rl1 from $wife to any - (rl1)
pass in on em0 route-to (rl1 gw1) from $wife to any keep state

Hopefully that helps or gives you an idea.

-- 
Jon Simola
Systems Administrator
ABC Communications

Re: Good HFSC explanation

2005-03-10 Thread John Ricardo 
Thanks for the answer.

Can you shed any light on my other question, namely (quoting myself):

So with fully-specified service curves, does HFSC as implemented here
in fact superimpose CBQ-style hierarchical priorities ontop, or do the
service curve specifications somehow mean that also giving priority
doesn't makes sense?


--- Henning Brauer [EMAIL PROTECTED] wrote:
 * John Ricardo [EMAIL PROTECTED] [2005-03-05 11:22]:
  If you have specified the 3 service curves, the bandwidth keyword
 is
  redundant and/or unnecessary?
 
 true.




__ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/