Re: Tcpdump grepped for the machine: RE: Trouble with route-to:
On Wed, Mar 09, 2005 at 10:19:17PM -0800, Ben wrote: Mar 09 22:10:45.682221 0:9:5b:12:43:xx 0:c:f1:91:70:xx 0800 62: 192.168.1.132.1273 216.51.232.100.80: S 417417262:417417262(0) win 16384 mss 1460,nop,nop,sackOK (DF) $internal_net = 192.168.1.0 nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep state If you really defined internal_net as 192.168.1.0, and not 192.168.1.0/24, neither of those three rule matches the packet, because 192.168.1.132 is not within 192.168.1.0/32. Leaving out the /network part means /32 (for IPv4) in pf. If you misquoted your ruleset, quote precisely. Daniel
Re: Trouble with route-to:
I've been messing around with a similar setup with dsl cable going into one PF firewall. One thing I noticed that might be giving you problems is your nat rules: nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) The way it's written it seems like it would try to nat everything to both connections. I remember reading that the first matching nat rule wins, so you don't need to make it too fancy. Here is how I did my nat: ext_if_cable=le1 ext_if_dsl=hme0 int_if=le0 mynet=192.168.0.0/24 gateway_cable=xx2xx.xxx.x gateway_dsl=xx.xxx.xx.x dslhosts={ 192.168.0.104 } #NAT nat on $ext_if_dsl from $dslhosts to any - ($ext_if_dsl) nat on $ext_if_cable from $mynet to any - ($ext_if_cable) Another thing is you need a rule on the external interface to let let the re-routed packets out. I might be wrong about this but If I remember right once you do the route-to it changes the source address of the packet. So instead of the packet being from 192.168.1.132 it will be from the ip of your externel interface. So it won't work if you try to do something like. pass out on $rl1 from 192.168.1.132 to !$internel_net keep state The way I got around that is to tag the packets as they come in the internel interface. That way I can make sure I don't get the asymetric routing. Here is how I did it(I added the spaces to make it easier to read): snip--- #route tag pass in quick on $int_if route-to ($ext_if_dsl $gateway_dsl) \ from $dslhosts to any tag DSLBOUND keep state pass in on $int_if route-to ($ext_if_cable $gateway_cable) \ all tag CABLEBOUND keep state #Pass out the routed packets on External Interfaces pass out quick on $ext_if_dsl proto tcp from any to any \ tagged DSLBOUND flags S/SA modulate state pass out on $ext_if_cable proto tcp from any to any \ !tagged DSLBOUND flags S/SA modulate state \ pass out quick on $ext_if_dsl proto { udp, icmp } \ from any to any tagged DSLBOUND keep state pass out on $ext_if_cable proto { udp, icmp } from any to any \ !tagged DSLBOUND keep state ---snip--- Hope that helps. -Jay Hey all, having a bit of a problem with routing one specific ip address out a different interface in a 2 external interface setup: Em0=internal interface Rl0=external interface #1 Rl1=external interface #2 Gw1=external gateway #2 $internal_net = 192.168.1.0 snip scrub in on $ext_if all scrub out on $ext_if all scrub in on rl1 all scrub out on rl1 all snip pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep state Once I add the above line to pf.conf and flush the ruleset the computer can no longer access the outside world. So I assume I need some sort of matching rule on rl1, but can't figure out what it is. If I manually change the routing table to pass a specific destination ip address out through gw1 it works without a flaw, however this machine needs to access more then a few subnets through interface #2, so route-to is preffered. Let me know if anyone has any ideas, Ben
Re: PF and LAND attack.
Hi In my opinion there's no reason why to block LANDs attacks with PF. I suppose that you have a windows server with private IP address behind PF and you use some portmapping for services you need accessible from outside. So if you want to make a LAND attack you have to make a packet with equal source and destination address but in this case it's not possible at all because everything goes to PF's IP address. As a matter of fact if your windows server doesn't have a public IP you're safe. S pozdravem / Best Regards Miroslav Kubik IT Specialist http://sweb.cz/kubik_miroslav - Original Message - From: Henrik Bro [EMAIL PROTECTED] To: pf@benzedrine.cx Sent: Wednesday, March 09, 2005 9:00 PM Subject: PF and LAND attack. Is it possible to protect my Windows server from LAND attack with PF? I have tried searching Google and Benzedrine, but have not found any info. /Henrik
Re: PF and LAND attack.
Hi, On Thu, Mar 10, 2005 at 03:53:46PM +0100, Miroslav Kubik wrote: In my opinion there's no reason why to block LANDs attacks with PF. Why ? Every good firewall blocks LAND Attacks (and PF is a very godd one). I don't know if PF does it but the test is simple (with hping : 5 minutes to test). Test if src.ip = dst.ip is very, very difficult to implement ;-) Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
RE: Tcpdump grepped for the machine: RE: Trouble with route-to:
Daniel: H, could have sworn pf assumed that .0 meant that all possible .x was valid (in this instance 192.168.1.0/24) but fair enough; the network is defined as 192.168.1.0/24 (sorry, was in a hurry so when I re-wrote the ruleset I used shorthand. My appologies) Ben -Original Message- From: Daniel Hartmeier [mailto:[EMAIL PROTECTED] Sent: Thursday, March 10, 2005 12:20 AM To: Ben Cc: pf@benzedrine.cx Subject: Re: Tcpdump grepped for the machine: RE: Trouble with route-to: On Wed, Mar 09, 2005 at 10:19:17PM -0800, Ben wrote: Mar 09 22:10:45.682221 0:9:5b:12:43:xx 0:c:f1:91:70:xx 0800 62: 192.168.1.132.1273 216.51.232.100.80: S 417417262:417417262(0) win 16384 mss 1460,nop,nop,sackOK (DF) $internal_net = 192.168.1.0 nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) pass in on em0 route-to (rl1 gw1) from 192.168.1.132 to !$internal_net keep state If you really defined internal_net as 192.168.1.0, and not 192.168.1.0/24, neither of those three rule matches the packet, because 192.168.1.132 is not within 192.168.1.0/32. Leaving out the /network part means /32 (for IPv4) in pf. If you misquoted your ruleset, quote precisely. Daniel
ICMP through CARP Failover
I was testing a pair of firewalls yesterday and found that there were no issues with CARP except for ICMP echo requests not failing over when a master fails. Are there any known issues with just using ping(8) to test load balanced firewalls? TCP connections work just fine without problem. Here's my configurations. # /etc/hostname.carp0 inet 10.19.81.200 255.255.255.128 10.19.81.255 vhid 1 pass bar advskew 100 # /etc/hostname.carp1 inet 172.19.81.130 255.255.255.128 172.19.81.255 vhid 2 pass foo # /etc/hostname.fxp0 inet 192.168.255.253 255.255.255.252 192.168.255.255 media 100baseTX mediaopt full-duplex description pfsync crossover # /etc/hostname.fxp1 inet 172.19.81.131 255.255.255.128 172.19.81.255 media 100baseTX mediaopt full-duplex description inside # /etc/hostname.pfsync0 up syncif fxp0 # /etc/hostname.xl0 inet 10.19.81.201 255.255.255.128 10.19.81.255 media 100baseTX mediaopt full-duplex description outside #; /etc/pf.conf #; #; variables ### # interfaces loopbk = lo0 ext_if = xl0 wire_if = fxp1 pfsync_if = fxp0 carp_ext_if = carp0 carp_int_if = carp1 all_if = { $loopbk $wire_if } ipsec_if= enc0 # hosts broadcast = 255.255.255.255 # host group definitions # service definitions tcp_wireif = { ftp, ssh, www, https } # tables table admin persist { 10.19.81.128/25, 10.13.2.0/24 } table bogon persist file /etc/bogon.txt # administrative aliases aspf= antispoof log bi = block in bo = block out bil = block in log biq = block in quick blk = block bol = block out log boq = block out quick bilq= block in log quick bolq= block out log quick pi = pass in po = pass out pil = pass in log piq = pass in quick pol = pass out log poq = pass out quick pqk = pass quick pilq= pass in log quick polq= pass out log quick ks = keep state ms = modulate state ss = synproxy state #; behavior options ### set loginterface $ext_if set timeout { interval 11, frag 27 } set limit { frags 45000, states 35000 } set optimization normal set block-policy return set state-policy if-bound set debug urgent # scrub-a-dub-dub scrub out all no-df random-id max-mss 1440 scrub in all no-df fragment reassemble min-ttl 2 #; network translations and redirection ### # nat specific hard-wired hosts nat on $ext_if from any to any - ($ext_if) # redirect for ftp-proxy rdr on $wire_if proto tcp from any to any port ftp - 127.0.0.1 port 8021 #; misc. authpf anchors ### #binat-anchor authpf/* #anchor authpf/* #; rules ### # default block-all $blk log \ label $if-block-log # pass everything on loopback $pqk on lo0 all \ label $if-pass pass quick on { $pfsync_if }proto pfsync pass on { $ext_if, $wire_if } proto carp $ks # block broadcast noise, but dont log $biq on $ext_if from any to $broadcast \ label $if-broadcast $biq on $ext_if from $broadcast to any \ label $if-broadcast # drop bogon tables from /etc/bogon.txt $bilqon $ext_if from bogon \ to any label $if-bogon $bil on $wire_if from { !$wire_if:network, bogon } \ to any label $if-bogon # prevent spoofing from this host $bolqon $ext_if from !$ext_if \ to any label $if-block-out # prevent spoofing of all interfaces $aspf for $loopbk label $if-antispoof $aspf for $ext_if label $if-antispoof $aspf for $wire_if label $if-antispoof # pass out packets on any interface $poq inet proto tcp all flags S/SA label $if-pass-synack-out $ms $poq inet proto udp alllabel $if-pass-udp-out$ks $poq inet proto icmp alllabel $if-pass-icmp-out $ks $poq alllabel $if-pass-ip-out # allow bootp, dns lookups and ntp access (including # sntp) to $wire_if $pi on $wire_if inet proto udp from any \ to any port bootps label $if-bootps-in $ks $pi on $wire_if inet proto udp from $wire_if:network \ to $wire_if port domain label $if-domain-udp-in $ks $pi on $wire_if inet proto udp from $wire_if:network \ to $wire_if port ntplabel $if-ntp-in$ks # allow users to ssh into this host for future authpf $pilq on $wire_if inet proto tcp from any \ to any port ssh label $if-ssh-authpf-in $ks # icmp controls; log anything to our interfaces; pass everything else $pil on $wire_if inet proto icmp
RE: Trouble with route-to:
Jay (and all) I replaced my two separate nat lines with one testing line (using another machine since that user (wife) would kill me if I kept having her test things): nat on rl1 from 192.168.1.142 to !$internal_net - (rl1) #and then re-enabled the route-to pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to !$internal_net keep state #and added a pass out line pass out on rl1 from 192.168.1.142 to !$internal_net keep state My simple understanding of the nat function in pf is that it will only nat packets that are already heading out on the interface specified, but I could be wrong. Either way, with no other nat line was left active in PF and with the two above pass lines activated I can browse to any ipaddress that is routed out through rl1 via the route add commands, but if I try to go to something not included in the route add commands (like say, browsing to www.slickdeals.net) it just waits for a response from www.slickdeals.net forever. So, I tried sniffing the rl1 interface grepping for slickdeals' ip address, and found something really odd. With the above nat's there's no traffic to slickdeals on rl1, if I sniff rl0 (default route) I find the traffic to slickdeals: Mar 10 10:04:17.407558 0:10:b5:f:db:xx 0:50:57:0:92:20 0800 62: 192.168.1.142.3787 67.15.144.66.80: S 693520951:693520951(0) win 65535 mss1460,nop,nop,sackOK (DF) So, it would seem that pf is ignoring the route-to command. If I re-enable the two separate nat lines, and keep the route-to command (and the pass out on rl1 line intact I get the following: Nothing on rl0, but on rl1 things get really interesting: tcpdump: listening on rl1 Mar 10 10:10:52.585188 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60: 68.4.66.x.61861 67.15.144.66.80: . ack 3117311098 win 65535 (DF) Mar 10 10:10:52.585679 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF) Mar 10 10:10:55.664414 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF) Mar 10 10:10:55.925367 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 60: 68.4.66.x.61861 67.15.144.66.80: . ack 1 win 65535 (DF) Mar 10 10:11:01.789024 0:10:b5:f:dc:xx 0:7:b3:a5:bc:xx 0800 454: 68.4.66.x.61861 67.15.144.66.80: P 0:400(400) ack 1 win 65535 (DF) dc:xx is rl1, which is good, but 68.4.66.x is the ip address for rl0 (my cable modem), which is a very bad thing (tm). Once again I get the above when the following lines are active: snip nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) snip pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to !$internal_net keep state pass out on rl1 from 192.168.1.142 to !$internal_net keep state snip If you're so inclined, my entire pf.conf file is available at: http://members.cox.net/holysin/pf.conf Not terribly sanitized, so there is a LOT of rules there... I don't think any of the rules matter outside what's been mentioned above, and yesterday, but just in case, it's available. Also, a little something about my connection: rl0 is connected to the cable modem, rl1 is connected to the campus network (which is NOISY!), if I have to I can just have the wife plug her computer into the campus network directly, but it would be infinitely more prefered to be able to route all traffic from a spicific IP address through the campus network while still keeping a firewall between the machine and campus. (Also, I'd prefer not to have to add route to commands for each subnet she will connect to. Thanks for the help. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Tingle Sent: Thursday, March 10, 2005 12:12 AM To: pf@benzedrine.cx Subject: Re: Trouble with route-to: I've been messing around with a similar setup with dsl cable going into one PF firewall. One thing I noticed that might be giving you problems is your nat rules: nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) The way it's written it seems like it would try to nat everything to both connections. I remember reading that the first matching nat rule wins, so you don't need to make it too fancy. Here is how I did my nat: ext_if_cable=le1 ext_if_dsl=hme0 int_if=le0 mynet=192.168.0.0/24 gateway_cable=xx2xx.xxx.x gateway_dsl=xx.xxx.xx.x dslhosts={ 192.168.0.104 } #NAT nat on $ext_if_dsl from $dslhosts to any - ($ext_if_dsl) nat on $ext_if_cable from $mynet to any - ($ext_if_cable) Another thing is you need a rule on the external interface to let let the re-routed packets out. I might be wrong about this but If I remember right once you do the route-to it changes the source address of the packet. So instead of the packet being from 192.168.1.132 it will be from the ip of your externel interface. So it won't work if
Re: Trouble with route-to:
On Thu, 10 Mar 2005 10:58:35 -0800, Ben [EMAIL PROTECTED] wrote: nat on rl0 from $internal_net to !$internal_net - (rl0) nat on rl1 from $internal_net to !$internal_net - (rl1) snip pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to !$internal_net keep state pass out on rl1 from 192.168.1.142 to !$internal_net keep state Make sure you've changed your $internal_net to be 192.168.1.0/24 instead of 192.168.1.0 or use em0:network. rl0 is connected to the cable modem, rl1 is connected to the campus network (which is NOISY!), if I have to I can just have the wife plug her computer into the campus network directly, but it would be infinitely more prefered to be able to route all traffic from a spicific IP address through the campus network while still keeping a firewall between the machine and campus. (Also, I'd prefer not to have to add route to commands for each subnet she will connect to. What I have in a similar situation (serving residents): em0 - public internet (y.y.y.y/29) vlan700 connects to a private network that connects to university network (x.x.0.0/16) vlan101 through 109 are 10.1.1.0/24 through 10.1.9.0/24 for students We needed to make sure student traffic to the university went out directly on vlan700, but everything else went out the public internet side. The university network is a publically routable /16, but the residence and university use different ISPs so the traffic took a 4000 mile trip and made things far slower than would be liked. Summarized rules: nat on em0 from vlan101:network to !10.0.0.0/8 - y.y.y.y/31 source-hash nat on vlan700 from 10.0.0.0/8 to x.x.0.0/16 - (vlan700) pass in on vlan101 from vlan101:network to any keep state pass in on vlan101 route-to (vlan700 172.16.0.129) from vlan101:network to x.x.0.0/16 keep state pass out on vlan101 from any to vlan101:network pass out on vlan700 proto tcp all modulate state flags S/SA pass out on vlan700 proto { udp, icmp } all keep state So what you're probably looking for (very abbreviated ruleset) is: nat on rl0 from !$wife to !em0:network - (rl0) nat on rl1 from $wife to !em0:network - (rl1) #drop junk on em0 to make the !$wife nat safer antispoof quick for em0 pass in on em0 route-to (rl1 gw1) from $wife to any keep state Or, try a binat rule on the rl1 interface for your wife's computer. Spare IP might help, but you shouldn't have any problems. binat on rl1 from $wife to any - (rl1) pass in on em0 route-to (rl1 gw1) from $wife to any keep state Hopefully that helps or gives you an idea. -- Jon Simola Systems Administrator ABC Communications
Re: Good HFSC explanation
Thanks for the answer. Can you shed any light on my other question, namely (quoting myself): So with fully-specified service curves, does HFSC as implemented here in fact superimpose CBQ-style hierarchical priorities ontop, or do the service curve specifications somehow mean that also giving priority doesn't makes sense? --- Henning Brauer [EMAIL PROTECTED] wrote: * John Ricardo [EMAIL PROTECTED] [2005-03-05 11:22]: If you have specified the 3 service curves, the bandwidth keyword is redundant and/or unnecessary? true. __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/