Re: viewing packet data with tcpdump?
eric wrote: On Tue, 2005-06-07 at 22:05:33 -0700, craSH proclaimed... tcpdump is pretty much just for inspecting the headers of packets, to capture data and entire sessions, snort would be a good tool to use. Wow, quit spreading bad information. tcpdump(8) is to capture packets, in full or part. Those captures can then be dissected with tools. The original poster may want to look at tcpshow or ngrep. Wow. Thanks. tcpshow is exactly what I was looking for. I just compiled it and used it to read one of the emails I just sent. I feel so naked and vulnerable now! Holy crap! I need to install PHP ...RFN!!! rvb
viewing packet data with tcpdump?
I use tcpdump to trouble-shoot my firewall, set up my rules, etc. I found the -x option which dumps the packet in hex. Can I view the packet data with tcpdump or do I need to install Ethereal or something? Any help is appreciated. rvb
Re: PF Question: auth (port 113) one to many rdr (moved from newbies list)
Kevin wrote: On Sun, 30 Jan 2005 15:41:41 -0600, Rick Barter [EMAIL PROTECTED] wrote: Kevin wrote: I do not think this is technically possible without extensive effort, nor desirable. The 'ident' (auth, tap, TCP/113) protocol is no longer very useful for the original purpose, but it is still required by IRC servers. Many systems and firewalls, including OpenBSD (via the '-H' flag), offer an identd work-alike which will provide a reasonable answer to any and all ident queries. Why not just go into /etc/inetd.conf and change the arguments on identd from '-el' to '-elH'. This will cause identd to always return an answer for *any* ident query, valid or invalid. Okay. I've enabled this (-elH) and restarted inetd on my firewall and have changed the rule to: pass in log on fxp0 proto tcp from any to any port = auth Off the cuff, I'd suggest this: pass in on $ext_if proto tcp from any to ($ext_if) port = auth keep state flags S/SA However, I still wish I knew how to see the request from the IRC server and the response from identd. Is there a way? Using the '-l' flag in /etc/inetd.conf, identd logs to syslog. You can watch the actual conversation with the remote IRC server via: tcpdump -i fxp0 -p -n -s 1500 -X port auth There is no need for synproxy or modulate on inbound traffic that terminates on the firewall itself, and with keep state you can lock down the pass out $log_flg on $ext_if proto tcp all modulate state line. Furthermore, how vulnerable does it make me by not forcing the SYN flag to be set? If your policy includes 'keep state' on the incoming request, state table entries are created for incoming sessions permitted by the policy, which avoids extra pass out ... entries, and takes care of the SYN flag question as well. Kevin Kadow Thanks so much for all your help, Kevin.
Re: arp flood on my external fxp0 port
Renato wrote: why I can see these arp request? 192.168.205.0 is my internal network and I don't want that from external network sameone could loock at my internal address ... Renato, As far as I know (and from what I've read) this is normal and nothing to be alarmed about. Also, I think if someone compromises your firewall and/or LAN and has root access. It won't matter much if they can see your network traffic. You'll have much bigger problems. Also, I notice that you are using an fxp0 device like I do in my firewall. I had some problems with the firewall locking up because it was a 10mbit network. There was a bug in the code from Intel. If you experience these problems, you'll need to upgrade to 3.6 which will fix the problem. I just wanted you to know. rvb
Re: PF Question: auth (port 113) one to many rdr (moved from newbies list)
Kevin wrote: I do not think this is technically possible without extensive effort, nor desirable. The 'ident' (auth, tap, TCP/113) protocol is no longer very useful for the original purpose, but it is still required by IRC servers. Many systems and firewalls, including OpenBSD (via the '-H' flag), offer an identd work-alike which will provide a reasonable answer to any and all ident queries. Why not just go into /etc/inetd.conf and change the arguments on identd from '-el' to '-elH'. This will cause identd to always return an answer for *any* ident query, valid or invalid. Okay. I've enabled this (-elH) and restarted inetd on my firewall and have changed the rule to: pass in log on fxp0 proto tcp from any to any port = auth Now, is there a way I can test it myself to see what's being returned? The IRC server to which I'm trying to connect still says no response.I checked my firewall log and see that it's getting blocked on the way out: Jan 30 15:21:16.438720 rule 0/0(match): block out on fxp0: 24.174.112.98.113 66.198.160.2.1928: S 3654633913:3654633913(0) ack 830143768 win 16384 mss 1460,nop,wscale 0,[|tcp] (DF) === A, while composing this email I figured it out. My rule was: pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA So, it was being blocked on the way out. I changed it to: pass out $log_flg on $ext_if proto tcp all modulate state And now it works. Thanks for helping me realize what was going on. However, I still wish I knew how to see the request from the IRC server and the response from identd. Is there a way? Furthermore, how vulnerable does it make me by not forcing the SYN flag to be set? rvb
PF Question: auth (port 113) one to many rdr (moved from newbies list)
I have been racking my brain and reading, but can't figure out how to setup pf to pass or rdr ident requests to the the proper client (behind the firewall) that is trying to connect to an irc server. I want to rdr the auth (port 113) request coming into my firewall to whichever machine is trying to connect to an irc server. How can I do this? Currently I have a rdr rule that handles the ident requests by passing them to my windows machine running mIRC. mIRC has built-in ident emulator and works fine. I've tried to setup an ident server on my firewall that will handle all ident requests. I enabled identd in /etc/rc.conf and disabled the one running from /etc/inetd, but with no joy. What am I missing here? Does anyone have such a setup working? rvb = /etc/pf.conf = #= # Macros #= log_flg = # log for on and for off ext_if = fxp0 dmz_if = xl0 int_if = xl1 dmz_ip = 192.168.2.199 win_ip = 192.168.3.100 #= # Port Nbr Mapping #= ssh = 22 ident = 113 irc_dcc = 1024:1066 web_svr = 80 tomcat = 8080 tcp_services = { $ssh } icmp_types = echoreq priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } #= # Options #= set block-policy drop set loginterface $ext_if #= # Scrub Rules #= scrub in all #= # NAT and Forwarding Rules #= nat on $ext_if from $int_if:network to any - ($ext_if) nat on $ext_if from $dmz_if:network to any - ($ext_if) prefix_ext = rdr on $ext_if proto tcp from any to $ext_if port $prefix_ext $web_svr - $dmz_ip $prefix_ext $tomcat - $dmz_ip $prefix_ext $ident - $win_ip $prefix_ext $irc_dcc - $win_ip # lan traffic to web server rdr on $int_if proto tcp from any to $ext_if port $web_svr - $dmz_ip # lan traffic to servlet engine rdr on $int_if proto tcp from any to $ext_if port $tomcat - $dmz_ip #= # Filter Rules #= block $log_flg all pass $log_flg quick on lo0 all antispoof $log_flg quick for $ext_if antispoof $log_flg quick for $dmz_if antispoof $log_flg quick for $int_if block drop in $log_flg quick on $ext_if from $priv_nets to any block drop out $log_flg quick on $ext_if from any to $priv_nets # tcp_services pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # web server pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \ flags S/SA synproxy state # servlet/jsp engine pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \ flags S/SA synproxy state # ident requests pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident # dcc send pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc # ping requests pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state # pass out all tcp, udp, and icmp packets pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA pass out $log_flg on $ext_if proto { udp, icmp } all keep state pass out $log_flg on $ext_if proto esp all keep state # pass all traffic to the dmz pass in $log_flg on $dmz_if from $dmz_if:network to any keep state pass out $log_flg on $dmz_if from any to $dmz_if:network keep state # pass all traffic to and from the local network pass in $log_flg on $int_if from $int_if:network to any keep state pass out $log_flg on $int_if from any to $int_if:network keep state
Re: my firewall OR gee im stupid...
R T wrote: Yeah, dns wasnt set on the laptop, not too bright today. Its working fine now. Now to learn about making it an actual firewall :) Thanks guys for the help! R.T. No problem, RT. Good luck. rvb
Re: VPN client cannot connect through OpenBSD router/firewall
jared r r spiegel wrote: yup. by seeing what was dropped. i _always always always_ keep block return log all as the first real rule in my pf.conf. whether or not you want to return or drop is of course a matter of taste ( i do drop some things later in a more specific rule ), and whether or not you want to block all ifaces or not is a matter of taste too... Okay. So I have the following (not the whole pf.conf file): #= # Macros #= log_flg = log #= # Options #= set block-policy drop set loginterface $ext_if #= # Filter Rules #= block $log_flg all pass $log_flg quick on lo0 all antispoof $log_flg quick for $ext_if antispoof $log_flg quick for $dmz_if antispoof $log_flg quick for $int_if block drop in $log_flg quick on $ext_if from $priv_nets to any block drop out $log_flg quick on $ext_if from any to $priv_nets Why would I not see the dropped packets in my log file (pflog0). Should I be setting pflog0 as my loginterface instead of fxp0? rvb
VPN client cannot connect through OpenBSD router/firewall
Okay. I have a problem that I can't get my brain around and I need some help. My wife needs to connect to her VPN at work. I've captured packets for her connection and see that it's connecting to her work server on ports 53 (dns) and 500 (isakmp). I have been doing a lot of reading (Artymiak, OpenBSD PF Manual) and searching (Google and Archives), but I'm still not understanding something I guess. I thought that since she was initiating the connections to port 53 and 500 that the keep state entries on the outbound tcp and udp traffic would be enough to ensure she could connect and wouldn't require me to set up NAT for these connections. Am I wrong? What am I missing here? Thank you for any help. My pf.conf is below. rvb #= # Macros #= log_flg = # log for on and for off ext_if = fxp0 dmz_if = xl0 int_if = xl1 dmz_ip = 192.168.2.199 win_ip = 192.168.3.100 #= # Port Nbr Mapping #= ssh = 22 ident = 113 irc_dcc = 1024:1066 web_svr = 80 tomcat = 8080 tcp_services = { $ssh } icmp_types = echoreq priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } #= # Options #= set block-policy drop set loginterface $ext_if #= # Scrub Rules #= scrub in all #= # NAT and Forwarding Rules #= nat on $ext_if from $int_if:network to any - ($ext_if) nat on $ext_if from $dmz_if:network to any - ($ext_if) prefix_ext = rdr on $ext_if proto tcp from any to $ext_if port $prefix_ext $web_svr - $dmz_ip $prefix_ext $tomcat - $dmz_ip $prefix_ext $ident - $win_ip $prefix_ext $irc_dcc - $win_ip # lan traffic to web server rdr on $int_if proto tcp from any to $ext_if port $web_svr - $dmz_ip # lan traffic to servlet engine rdr on $int_if proto tcp from any to $ext_if port $tomcat - $dmz_ip #= # Filter Rules #= block all pass $log_flg quick on lo0 all antispoof $log_flg quick for $ext_if antispoof $log_flg quick for $dmz_if antispoof $log_flg quick for $int_if block drop in $log_flg quick on $ext_if from $priv_nets to any block drop out $log_flg quick on $ext_if from any to $priv_nets # tcp_services pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # web server pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \ flags S/SA synproxy state # servlet/jsp engine pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \ flags S/SA synproxy state # ident requests pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident # dcc send pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc # ping requests pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state # pass out all tcp, udp, and icmp packets pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA pass out $log_flg on $ext_if proto { udp, icmp } all keep state # pass all traffic to the dmz pass in $log_flg on $dmz_if from $dmz_if:network to any keep state pass out $log_flg on $dmz_if from any to $dmz_if:network keep state # pass all traffic to and from the local network pass in $log_flg on $int_if from $int_if:network to any keep state pass out $log_flg on $int_if from any to $int_if:network keep state