Re: viewing packet data with tcpdump?

2005-06-08 Thread Rick Barter

eric wrote:

On Tue, 2005-06-07 at 22:05:33 -0700, craSH proclaimed...



tcpdump is pretty much just for inspecting the headers of packets, to
capture data and entire sessions, snort would be a good tool to use.



Wow, quit spreading bad information.

tcpdump(8) is to capture packets, in full or part. Those captures can then
be dissected with tools. The original poster may want to look at tcpshow or
ngrep.



Wow.  Thanks.  tcpshow is exactly what I was looking for.

I just compiled it and used it to read one of the emails I just sent.
 I feel so naked and vulnerable now!  Holy crap!  I need to install
PHP ...RFN!!!

rvb


viewing packet data with tcpdump?

2005-06-07 Thread Rick Barter
I use tcpdump to trouble-shoot my firewall, set up my rules, etc.  I 
found the -x option which dumps the packet in hex.  Can I view the 
packet data with tcpdump or do I need to install Ethereal or something?


Any help is appreciated.

rvb
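The payload asked about here is already in the `-x` output; `tcpdump -X` (capital X) prints it with an ASCII column alongside, and tcpshow decodes further. As an added example, not code from the thread, the Python below does that decoding by hand: it parses `-x` lines back into bytes, reads the IPv4 header length and the TCP data offset to find where the payload starts, and renders it hex-plus-ASCII the way `-X` does. The packet is constructed for the example (an ident query between the two addresses that appear later in this archive); its checksum fields are zero and are not verified.

```python
"""Decode tcpdump -x hex output down to the TCP payload.

Added example for this thread (not the poster's code).  The hex dump below
is constructed: an IPv4/TCP packet from 66.198.160.2:1928 to
24.174.112.98:113 carrying the ident query "1034, 6667".  Checksums are
zero and are not checked."""
import re
import struct

SAMPLE_HEX = """\
0x0000:  4500 0034 1234 4000 4006 0000 42c6 a002
0x0010:  18ae 7062 0788 0071 0000 0001 0000 0001
0x0020:  5018 4000 0000 0000 3130 3334 2c20 3636
0x0030:  3637 0d0a
"""

def parse_hexdump(text):
    """Turn "0x0010:  18ae 7062 ..." lines back into the raw bytes."""
    raw = bytearray()
    for line in text.splitlines():
        body = re.sub(r"^\s*0x[0-9a-fA-F]+:\s*", "", line)
        raw += bytes.fromhex(body.replace(" ", ""))
    return bytes(raw)

def tcp_payload(pkt):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP packet.

    Both header lengths are taken from the packet (IHL, data offset), so
    IP or TCP options do not shift where the payload starts."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]

def render_x(data, width=16):
    """Hex on the left, printable ASCII on the right, as tcpdump -X does."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hexpart:<{width * 2 + width // 2 - 1}}  {text}")
    return "\n".join(lines)

def decode(text):
    """Full pipeline: -x text in, (endpoints, payload, -X style view) out."""
    src, sport, dst, dport, payload = tcp_payload(parse_hexdump(text))
    return f"{src}:{sport} -> {dst}:{dport}", payload, render_x(payload)

if __name__ == "__main__":
    endpoints, payload, view = decode(SAMPLE_HEX)
    print(endpoints)
    print(view)
```

One practical caveat: the hex dump only contains what tcpdump captured, and older tcpdump versions default to a snaplen of 68 bytes, which covers the headers and almost nothing else. Pass `-s 1500` (or `-s 0`) as Kevin does in his command later in this archive, or the payload will be cut off before the decoder reaches it.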


Re: PF Question: auth (port 113) one to many rdr (moved from newbies list)

2005-01-31 Thread Rick Barter
Kevin wrote:
On Sun, 30 Jan 2005 15:41:41 -0600, Rick Barter [EMAIL PROTECTED] wrote:
Kevin wrote:

I do not think this is technically possible without extensive effort,
nor desirable.  The 'ident' (auth, tap, TCP/113) protocol is no longer
very useful for the original purpose, but it is still required by IRC servers.
Many systems and firewalls, including OpenBSD (via the '-H' flag),
offer an identd work-alike which will provide a reasonable answer
to any and all ident queries.

Why not just go into /etc/inetd.conf and change the arguments on
identd from '-el' to '-elH'.  This will cause identd to always return an
answer for *any* ident query, valid or invalid.
Okay.  I've enabled this (-elH) and restarted inetd on my firewall and
have changed the rule to:
  pass in log on fxp0 proto tcp from any to any port = auth

Off the cuff, I'd suggest this:
 pass in on $ext_if proto tcp from any to ($ext_if) port = auth keep state flags S/SA

However, I still wish I knew how to see the request from the IRC
server and the response from identd.  Is there a way? 

Using the '-l' flag in /etc/inetd.conf, identd logs to syslog. 
You can watch the actual conversation with the remote IRC server via:
tcpdump -i fxp0 -p -n -s 1500 -X port auth

There is no need for synproxy or modulate on inbound traffic that
terminates on the firewall itself, and with keep state you can lock down
the pass out $log_flg on $ext_if proto tcp all modulate state line.

Furthermore, how vulnerable does it make me by not forcing 
the SYN flag to be set?

If your policy includes 'keep state' on the incoming request, state table
entries are created for incoming sessions permitted by the policy,
which avoids extra pass out ... entries, and takes care of the SYN flag
question as well.
Kevin Kadow
Thanks so much for all your help, Kevin.
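What the IRC server sends to port 113 and what identd answers, as an added example that is not part of the thread and is not OpenBSD's identd: a minimal RFC 1413 responder with a normal lookup mode (USERID for a known connection, ERROR NO-USER otherwise) and a hide mode that answers every query with an opaque token. The hide mode is my approximation of the "always return an answer" behaviour the thread attributes to `-H`, not its actual implementation. The connection table, the secret and the port numbers are made up, and the exchange runs over a loopback socket on an ephemeral port rather than 113.

```python
"""Ident (RFC 1413, TCP/113) query and reply, both sides.

Added example for this thread; not OpenBSD's identd.  CONNECTIONS and
HIDE_SECRET are constructed for the demo.  hide=True approximates the
"answer every query" behaviour the thread describes for identd -H."""
import hashlib
import socket
import threading

# Constructed: connections the ident host knows about, keyed by
# (port on this host, port on the querying host).
CONNECTIONS = {(1034, 6667): "rvb"}
HIDE_SECRET = b"example-secret"   # assumed; any per-host secret would do

def ident_request(port_on_server, port_on_client):
    """The line the IRC server sends: <port on ident host>, <port on querier>."""
    return f"{port_on_server}, {port_on_client}\r\n".encode()

def parse_request(line):
    """Parse b"1034, 6667\\r\\n" into (1034, 6667); ValueError otherwise."""
    a, b = line.decode("ascii", "strict").strip().split(",")
    a, b = int(a), int(b)
    if not (0 < a < 65536 and 0 < b < 65536):
        raise ValueError("port out of range")
    return a, b

def ident_reply(line, hide=False):
    """Build the reply for one query line.

    hide=False: look the connection up; ERROR : NO-USER if unknown.
    hide=True:  always answer, with an opaque token instead of a name, so
                the IRC server is satisfied and no user name leaks."""
    try:
        sp, cp = parse_request(line)
    except ValueError:
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    if hide:
        token = hashlib.sha256(HIDE_SECRET + line.strip()).hexdigest()[:16]
        return f"{sp}, {cp} : USERID : OTHER : {token}\r\n".encode()
    user = CONNECTIONS.get((sp, cp))
    if user is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n".encode()
    return f"{sp}, {cp} : USERID : UNIX : {user}\r\n".encode()

def exchange(request, hide=False):
    """One query/reply over loopback; returns (request, reply) as sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # ephemeral port stands in for 113
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(ident_reply(conn.recv(512), hide=hide))

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(srv.getsockname(), timeout=5) as cli:
        cli.sendall(request)
        reply = cli.recv(512)
    t.join()
    srv.close()
    return request, reply

if __name__ == "__main__":
    for hide in (False, True):
        req, rep = exchange(ident_request(1034, 6667), hide=hide)
        print("IRC server ->", req)
        print("identd      <-", rep)
```

With `tcpdump -i fxp0 -n -s 1500 -X port auth` running while the IRC server connects, the two lines printed here are what shows up in the ASCII column of the capture; with `-l` in inetd.conf, identd also logs the query to syslog.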


Re: arp flood on my external fxp0 port

2005-01-31 Thread Rick Barter
Renato wrote:
why I can see these arp request?
192.168.205.0 is my internal network and I don't want that from
external network sameone could loock at my internal address ...
Renato,
As far as I know (and from what I've read) this is normal and nothing 
to be alarmed about.  Also, I think if someone compromises your 
firewall and/or LAN and has root access, it won't matter much if they 
can see your network traffic.  You'll have much bigger problems.

Also, I notice that you are using an fxp0 device like I do in my 
firewall.  I had some problems with the firewall locking up because it 
was a 10mbit network.  There was a bug in the code from Intel.  If you 
experience these problems, you'll need to upgrade to 3.6 which will 
fix the problem.  I just wanted you to know.

rvb


Re: PF Question: auth (port 113) one to many rdr (moved from newbies list)

2005-01-30 Thread Rick Barter
Kevin wrote:
I do not think this is technically possible without extensive effort,
nor desirable.  The 'ident' (auth, tap, TCP/113) protocol is no longer
very useful for the original purpose, but it is still required by IRC servers.
Many systems and firewalls, including OpenBSD (via the '-H' flag),
offer an identd work-alike which will provide a reasonable answer
to any and all ident queries.

Why not just go into /etc/inetd.conf and change the arguments on
identd from '-el' to '-elH'.  This will cause identd to always return an
answer for *any* ident query, valid or invalid.
Okay.  I've enabled this (-elH) and restarted inetd on my firewall and 
have changed the rule to:
   pass in log on fxp0 proto tcp from any to any port = auth

Now, is there a way I can test it myself to see what's being returned? 
The IRC server to which I'm trying to connect still says no 
response.  I checked my firewall log and see that it's getting 
blocked on the way out:
Jan 30 15:21:16.438720 rule 0/0(match): block out on fxp0: 
24.174.112.98.113 > 66.198.160.2.1928: S 3654633913:3654633913(0) ack 
830143768 win 16384 <mss 1460,nop,wscale 0,[|tcp]> (DF)

===
Ah, while composing this email I figured it out.  My rule was:
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
So, it was being blocked on the way out.  I changed it to:
pass out $log_flg on $ext_if proto tcp all modulate state
And now it works.  Thanks for helping me realize what was going on. 
However, I still wish I knew how to see the request from the IRC 
server and the response from identd.  Is there a way?  Furthermore, 
how vulnerable does it make me by not forcing the SYN flag to be set?

rvb
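Why `flags S/SA` on the `pass out` rule blocked identd's reply, and why Kevin's suggestion of `keep state` on the inbound rule (in his reply above) is the better fix than dropping `flags S/SA` from the out rule: an added example, a toy model and not pf code, that parses the log line from this post, applies pf's `flags a/b` semantics, and runs the inbound SYN and the outbound SYN/ACK through the rulesets. Rules are reduced to direction, destination port, flags and `keep state`; the state table keys on the 4-tuple only, and `modulate state` is treated the same as `keep state`.

```python
"""Toy model of the pf behaviour behind the blocked SYN/ACK in the log above.

Added example for this thread, not pf code.  The log line is copied from
the post; rules and state are simplified to what the discussion needs."""
import re

LOG_LINE = ("rule 0/0(match): block out on fxp0: 24.174.112.98.113 > "
            "66.198.160.2.1928: S 3654633913:3654633913(0) ack 830143768 "
            "win 16384 <mss 1460,nop,wscale 0,[|tcp]> (DF)")

PKT_RE = re.compile(
    r"(?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)")

def parse_log(line):
    """Endpoints and TCP flags from a tcpdump/pflog line.

    tcpdump prints S/F/R/P as letters ("." when none is set); an ACK is
    the word "ack" further along the line, so it is added separately."""
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("unrecognised tcpdump line")
    flags = set(m["flags"].replace(".", ""))
    if " ack " in m["rest"]:
        flags.add("A")
    return {"dir": m["dir"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": flags}

def flags_match(flags, spec):
    """pf `flags a/b`: of the flags listed in b, exactly those in a are set."""
    want, mask = spec.split("/")
    return {f for f in flags if f in mask} == set(want)

class StateTable:
    """Just enough of pf's state table: a 4-tuple, matched in either direction."""
    def __init__(self):
        self.entries = set()

    def create(self, p):
        self.entries.add((p["src"], p["sport"], p["dst"], p["dport"]))

    def matches(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        return fwd in self.entries or rev in self.entries

def decide(pkt, rules, state):
    """State match short-circuits the ruleset; otherwise last matching rule wins."""
    if state.matches(pkt):
        return "pass (state)"
    winner = None
    for r in rules:
        if r["dir"] != pkt["dir"]:
            continue
        if r.get("dport") is not None and r["dport"] != pkt["dport"]:
            continue
        if r.get("flags") and not flags_match(pkt["flags"], r["flags"]):
            continue
        winner = r
    if winner is None:
        return "block (default)"
    if winner["action"] == "pass" and winner.get("keep_state"):
        state.create(pkt)
    return winner["action"]

def scenario(inbound_keep_state, out_flags="S/SA"):
    """Inbound ident SYN, then identd's SYN/ACK.  Returns both verdicts."""
    state = StateTable()
    rules = [
        {"dir": "in", "dport": 113, "action": "pass",
         "keep_state": inbound_keep_state},
        {"dir": "out", "action": "pass", "flags": out_flags,
         "keep_state": True},
    ]
    syn = {"dir": "in", "src": "66.198.160.2", "sport": 1928,
           "dst": "24.174.112.98", "dport": 113, "flags": {"S"}}
    first = decide(syn, rules, state)
    reply = decide(parse_log(LOG_LINE), rules, state)
    return first, reply

if __name__ == "__main__":
    print("pass in ... port 113 (no state), pass out flags S/SA:", scenario(False))
    print("same, flags S/SA removed from pass out:        ", scenario(False, None))
    print("pass in ... port 113 keep state, pass out S/SA: ", scenario(True))
```

The SYN/ACK has both S and A set, so it cannot satisfy `S/SA` (only S set out of S and A) and falls through to the default block; removing the flags restriction lets every outbound TCP packet match the out rule, whereas `keep state` on the inbound rule lets the reply through on the state entry without loosening the out rule at all.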


PF Question: auth (port 113) one to many rdr (moved from newbies list)

2005-01-29 Thread Rick Barter
I have been racking my brain and reading, but can't figure out how to 
set up pf to pass or rdr ident requests to the proper client 
(behind the firewall) that is trying to connect to an irc server.  I 
want to rdr the auth (port 113) request coming into my firewall to 
whichever machine is trying to connect to an irc server.  How can I do 
this?

Currently I have a rdr rule that handles the ident requests by passing
them to my windows machine running mIRC.  mIRC has built-in ident
emulator and works fine.  I've tried to setup an ident server on my
firewall that will handle all ident requests.  I enabled identd in
/etc/rc.conf and disabled the one running from /etc/inetd, but with no
joy.
What am I missing here?  Does anyone have such a setup working?
rvb
=
/etc/pf.conf
=
#=
# Macros
#=
log_flg = ""  # "log" for on and "" for off
ext_if  = fxp0
dmz_if  = xl0
int_if  = xl1
dmz_ip  = 192.168.2.199
win_ip  = 192.168.3.100
#=
# Port Nbr Mapping
#=
ssh = 22
ident   = 113
irc_dcc = 1024:1066
web_svr = 80
tomcat  = 8080
tcp_services = { $ssh }
icmp_types = echoreq
priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
#=
# Options
#=
set block-policy drop
set loginterface $ext_if
#=
# Scrub Rules
#=
scrub in all
#=
# NAT and Forwarding Rules
#=
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
prefix_ext = "rdr on" $ext_if "proto tcp from any to" $ext_if "port"
$prefix_ext $web_svr -> $dmz_ip
$prefix_ext $tomcat -> $dmz_ip
$prefix_ext $ident -> $win_ip
$prefix_ext $irc_dcc -> $win_ip
# lan traffic to web server
rdr on $int_if proto tcp from any to $ext_if port $web_svr -> $dmz_ip
# lan traffic to servlet engine
rdr on $int_if proto tcp from any to $ext_if port $tomcat -> $dmz_ip
#=
# Filter Rules
#=
block $log_flg all
pass $log_flg quick on lo0 all
antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if
block drop in $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets
# tcp_services
pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
# web server
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \
   flags S/SA synproxy state
# servlet/jsp engine
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \
   flags S/SA synproxy state
# ident requests
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident
# dcc send
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc
# ping requests
pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state
# pass out all tcp, udp, and icmp packets
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
pass out $log_flg on $ext_if proto { udp, icmp } all keep state
pass out $log_flg on $ext_if proto esp all keep state
# pass all traffic to the dmz
pass in $log_flg on $dmz_if from $dmz_if:network to any keep state
pass out $log_flg on $dmz_if from any to $dmz_if:network keep state
# pass all traffic to and from the local network
pass in $log_flg on $int_if from $int_if:network to any keep state
pass out $log_flg on $int_if from any to $int_if:network keep state


Re: my firewall OR gee im stupid...

2005-01-19 Thread Rick Barter
R T wrote:
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now. 
Now to learn about making it an actual firewall  :)   Thanks guys for the help!
R.T.
No problem, RT.  Good luck.
rvb


Re: VPN client cannot connect through OpenBSD router/firewall

2005-01-18 Thread Rick Barter
jared r r spiegel wrote:
  yup.  by seeing what was dropped.
  i _always always always_ keep block return log all as the first real
  rule in my pf.conf.  whether or not you want to return or drop is of
  course a matter of taste ( i do drop some things later in a more 
  specific rule ), and whether or not you want to block all ifaces or
  not is a matter of taste too... 
Okay.  So I have the following (not the whole pf.conf file):
#=
# Macros
#=
log_flg = "log"
#=
# Options
#=
set block-policy drop
set loginterface $ext_if
#=
# Filter Rules
#=
block $log_flg all
pass $log_flg quick on lo0 all
antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if
block drop in $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets
Why would I not see the dropped packets in my log file (pflog0)? 
Should I be setting pflog0 as my loginterface instead of fxp0?

rvb


VPN client cannot connect through OpenBSD router/firewall

2005-01-17 Thread Rick Barter
Okay.  I have a problem that I can't get my brain around and I need 
some help.  My wife needs to connect to her VPN at work.  I've 
captured packets for her connection and see that it's connecting to 
her work server on ports 53 (dns) and 500 (isakmp).

I have been doing a lot of reading (Artymiak, OpenBSD PF Manual) and 
searching (Google and Archives), but I'm still not understanding 
something I guess.

I thought that since she was initiating the connections to port 53 and 
500 that the keep state entries on the outbound tcp and udp traffic 
would be enough to ensure she could connect and wouldn't require me to 
set up NAT for these connections.  Am I wrong?  What am I missing here?

Thank you for any help.  My pf.conf is below.
rvb
#=
# Macros
#=
log_flg = ""  # "log" for on and "" for off
ext_if  = fxp0
dmz_if  = xl0
int_if  = xl1
dmz_ip  = 192.168.2.199
win_ip  = 192.168.3.100
#=
# Port Nbr Mapping
#=
ssh = 22
ident   = 113
irc_dcc = 1024:1066
web_svr = 80
tomcat  = 8080
tcp_services = { $ssh }
icmp_types = echoreq
priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
#=
# Options
#=
set block-policy drop
set loginterface $ext_if
#=
# Scrub Rules
#=
scrub in all
#=
# NAT and Forwarding Rules
#=
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
prefix_ext = "rdr on" $ext_if "proto tcp from any to" $ext_if "port"
$prefix_ext $web_svr -> $dmz_ip
$prefix_ext $tomcat -> $dmz_ip
$prefix_ext $ident -> $win_ip
$prefix_ext $irc_dcc -> $win_ip
# lan traffic to web server
rdr on $int_if proto tcp from any to $ext_if port $web_svr -> $dmz_ip
# lan traffic to servlet engine
rdr on $int_if proto tcp from any to $ext_if port $tomcat -> $dmz_ip
#=
# Filter Rules
#=
block all
pass $log_flg quick on lo0 all
antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if
block drop in $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets
# tcp_services
pass in $log_flg on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
# web server
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $web_svr \
   flags S/SA synproxy state
# servlet/jsp engine
pass in $log_flg on $ext_if proto tcp from any to $dmz_ip port $tomcat \
   flags S/SA synproxy state
# ident requests
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $ident
# dcc send
pass in $log_flg on $ext_if proto tcp from any to $win_ip port $irc_dcc
# ping requests
pass in $log_flg inet proto icmp all icmp-type $icmp_types keep state
# pass out all tcp, udp, and icmp packets
pass out $log_flg on $ext_if proto tcp all modulate state flags S/SA
pass out $log_flg on $ext_if proto { udp, icmp } all keep state
# pass all traffic to the dmz
pass in $log_flg on $dmz_if from $dmz_if:network to any keep state
pass out $log_flg on $dmz_if from any to $dmz_if:network keep state
# pass all traffic to and from the local network
pass in $log_flg on $int_if from $int_if:network to any keep state
pass out $log_flg on $int_if from any to $int_if:network keep state