My

2013-05-07 Thread Sioux C. Queue
What a fine pile of excrement you all are.  Been dealing with UNIX machines for 
over 25 years and never ran into a bunch of assholes like you guys.


Re: Pretty sure I don't understand my own pf.conf

2011-01-06 Thread Daniel Hartmeier
On Wed, Jan 05, 2011 at 08:42:03PM -0800, Bonnie Packet wrote:

> So my question is, again how regular packets from the Net pass out to
> the wireless network over rl0. Is this somehow a function of the NAT
> rules that I don't understand? Or something to do with established TCP
> connections being already green-lit? I would think without an explicit
> rule they'd be blocked (default block at the very end).

Those packets are replies for connections opened from a wireless client
to a server on the external net? Then, yes, those are passed back in
due to the 'keep state' option you use on the rule

> pass in quick on $wls_if inet from 192.168.1.140 to any flags S/SA
> keep state

This allows connections to be opened from 192.168.1.140 to any
host, and covers both packets flowing from 192.168.1.140 to the
server AND packets (that are part of such connections) back from
the server to the client, it's the whole point of the 'keep state'
part.

If you mean other packets, please explain what kind. Since the
wireless net has a non-routable address range, the only way packets
from the external net would end up there is if they were initially
directed to the routable external address, then de-NAT'd, which
is only possible if there's a state entry (based on an outgoing
packet).

Daniel


Re: PF ruleset stymying my PPPoE testing, or am I just confused?

2011-01-04 Thread Claudio Jeker
On Thu, Dec 30, 2010 at 09:48:52PM -0800, Jonathan Rogers wrote:
> Trying to set up a new telco fiber connection on my OpenBSD router/
> firewall (this is an OLD box with OpenBSD 3.8 on it...sorry). I can't
> put the new telco connection live as the default yet, because it will
> affect all users, and I need to do some testing first. But I'm not
> quite sure I (a) understand if I've got PPPoE set up correctly, or (b)
> if I do but my existing pf firewall rules are affecting the test. In
> any case, I can't get it to work.
>

> pppoe0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
> dev: xl2 state: session
> sid: 0xa2e9 PADI retries: 1 PADR retries: 0 time: 00:00:27
> groups: pppoe
> inet 215.34.235.30 --> 0.0.0.1 netmask 0x
>

Your pppoe0 is not functional. It did not correctly negotiate a session
and is not UP. Did you check with ifconfig pppoe0 debug that the IPCP
phase of ppp was successful? Normally 0.0.0.1 should be changed to the real
destination IP when the connection is established; also the interface
should be UP-ed by pppoe(4).
There were quite a few fixes in pppoe(4) and sppp(4) over the last 5
years.

-- 
:wq Claudio
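
The checks Claudio lists above, turned into a small script. This is an added example, not code from the thread or from OpenBSD: it parses ifconfig(8) output for pppoe0 (the flag bit values are the ones from <net/if.h>), decodes the flags word, and reports why the link is not usable. The first sample is the output Jonathan posted, with the angle brackets the archive stripped restored and the truncated netmask value assumed; the second is a constructed sample of a link whose peer address IPCP has filled in (the peer 198.51.100.1 is made up).

```python
import re

# if_flags bits from <net/if.h>; ifconfig prints the word in hex followed by
# the names of the set bits inside <...>, in ascending bit order.
IFF_BITS = {
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
    0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC", 0x800: "SIMPLEX",
    0x8000: "MULTICAST",
}
PLACEHOLDER_PEER = "0.0.0.1"   # dest address hostname.pppoe0 sets until IPCP replaces it


def decode_flags(word):
    """Names of the known bits set in an if_flags word, in ascending bit order."""
    return [name for bit, name in sorted(IFF_BITS.items()) if word & bit]


def pppoe_status(ifconfig_text):
    """Apply the checks from the reply above to 'ifconfig pppoe0' output.

    Returns (flags_word, peer_address, problems). problems is empty only when
    the interface is UP, PPPoE discovery reached the session stage, and IPCP
    has replaced the 0.0.0.1 placeholder with the real peer address.
    """
    m_flags = re.search(r"flags=([0-9a-fA-F]+)<([^>]*)>", ifconfig_text)
    m_state = re.search(r"\bstate:\s*(\S+)", ifconfig_text)
    m_inet = re.search(r"\binet\s+(\S+)\s+-->\s+(\S+)", ifconfig_text)
    if not (m_flags and m_inet):
        return (0, None, ["could not parse ifconfig output"])
    word, peer = int(m_flags.group(1), 16), m_inet.group(2)
    names = decode_flags(word)
    problems = []
    if "UP" not in names:
        problems.append("interface is not UP (flags=0x%x lacks IFF_UP)" % word)
    if not m_state or m_state.group(1) != "session":
        problems.append("PPPoE discovery did not reach the session stage")
    if peer == PLACEHOLDER_PEER:
        problems.append("peer is still %s: IPCP never supplied the real destination" % peer)
    # 'state: session' only means discovery finished; LCP/IPCP run after that,
    # so the UP and peer checks above are the ones that decide usability.
    printed = [n for n in m_flags.group(2).split(",") if n in IFF_BITS.values()]
    if printed != names:                 # the names in <...> must match the hex word
        problems.append("flag names do not match the flags word")
    return (word, peer, problems)


# Sample 1: the output posted in the thread (angle brackets restored; the
# netmask value is assumed, the post shows it truncated).
BROKEN = """pppoe0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: xl2 state: session
        sid: 0xa2e9 PADI retries: 1 PADR retries: 0 time: 00:00:27
        groups: pppoe
        inet 215.34.235.30 --> 0.0.0.1 netmask 0xffffffff
"""
# Sample 2: constructed output of a link that finished LCP/IPCP (peer made up).
WORKING = """pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: xl2 state: session
        sid: 0xa2e9 PADI retries: 1 PADR retries: 0 time: 00:05:12
        groups: pppoe
        inet 215.34.235.30 --> 198.51.100.1 netmask 0xffffffff
"""

if __name__ == "__main__":
    for text in (BROKEN, WORKING):
        word, peer, problems = pppoe_status(text)
        print("flags=0x%x peer=%s" % (word, peer), problems or "usable")
```

On a real box feed it `ifconfig pppoe0` output directly (`pppoe_status(subprocess.check_output(["ifconfig", "pppoe0"], text=True))`); the flags word 0x8850 from the post decodes to exactly the four names ifconfig printed, with IFF_UP (0x1) missing, which is the same diagnosis Claudio gave from reading the line.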


Re: PF messing with my PPPoE test or am I just confused...?

2011-01-04 Thread Henning Brauer
* Jonathan Rogers thatseattle...@gmail.com [2011-01-04 02:30]:
> If I had the option of installing a more recent OS I would have done
> that, and I would not have posted the question. v3.8 help was
> explicitly asked for. A reply of form "well, on a higher version of
> the OS there are other ways to do it" is (a) obvious and (b)
> completely unhelpful in this context.

you are on your own, then. the supported releases right now are 4.7
and 4.8, period.

as if anyone remembers details from a release 5 years ago. and... why
bother. 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: PF messing with my PPPoE test or am I just confused...?

2011-01-02 Thread David Walker
... per your other thread also ...

Sorry to point out the obvious but 3.8?
Can you install 4.8?

# cat hostname.pppoe0
pppoedev vr0
authproto chap
authname 'username'
authkey 'password'
up
inet 0.0.0.0 255.255.255.255
dest 0.0.0.1
!/sbin/route -v add -inet default -ifp pppoe0 0.0.0.1

As far as pf.conf goes again 3.8 is a long time ago.

pass out on pppoe0

... or ...

pass out on pppoe0 from (pppoe0) to any

... etcetera.
That's 4.7 onwards.

Best wishes.


PF ruleset stymying my PPPoE testing, or am I just confused?

2010-12-30 Thread Jonathan Rogers
Trying to set up a new telco fiber connection on my OpenBSD router/
firewall (this is an OLD box with OpenBSD 3.8 on it...sorry). I can't
put the new telco connection live as the default yet, because it will
affect all users, and I need to do some testing first. But I'm not
quite sure I (a) understand if I've got PPPoE set up correctly, or (b)
if I do but my existing pf firewall rules are affecting the test. In
any case, I can't get it to work.

I have a simple, standard PPPoE (pppoe(4), in the kernel) setup using
XL2 as the outbound interface. (The existing outbound interface is
over xl0.)

# more hostname.xl2
up
# more hostname.pppoe0
pppoedev xl2
!/sbin/ifconfig xl2 up
!/usr/sbin/spppcontrol \$if myauthproto=chap myauthname...@me.net myauthkey=xx
!/sbin/ifconfig \$if inet 0.0.0.0  0.0.0.1 netmask 0x
# following is  commented out for now, for this test
#!/sbin/route add default 0.0.0.1
up

# ifconfig (edited)
xl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:xx:04:81:39:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
pppoe0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
dev: xl2 state: session
sid: 0xa2e9 PADI retries: 1 PADR retries: 0 time: 00:00:27
groups: pppoe
inet 215.34.235.30 --> 0.0.0.1 netmask 0x

So far so good...but when I try to add a single route to a single host
to test it, I get...:
# route add 69.17.116.121 pppoe0
route: writing to routing socket: Network is unreachable
add host 69.17.116.121: gateway pppoe0: Network is unreachable

So I though maybe I needed to add some firewall rules, even though
pf.conf currently doesn't mention xl2 and pppoe0. So I added:

# more test.pppoe.conf
pass in quick on xl2 from any to any
pass out quick on xl2 from any to any
pass in quick on pppoe0 from any to any
pass out quick on pppoe0 from any to any
# pfctl -f test.pppoe.conf
#

Still no joy. Am I not understanding something basic here? (Likely.)
Please give me some more diagnostics to try, or point me in the right
direction...?

thankee much
/TSG/


Why is my carp demotion counter 1?

2008-07-31 Thread Karl O. Pinc

Hi,

OpenBSD 4.2 stable patched to Feb 27, 2008

I've two firewalls with carp failover between them.
One is configured with the carp interfaces having an
advskew of 100, so that machine is normally the backup.
Something happened and the backup has become the master,
and the master has a demotion counter of 1 on the
carp group.

I imagine that rebooting would fix things, but what's
going on?

FWIW, this happened around the time of the nightly fs
backup.  Occasionally at this time the backup machine
momentarily becomes the master.  I'm presuming that
this is because the network link is saturated
enough to mess with the carp protocol.

On a related note, the ifstated daemon on the backup
firewall did not pick up on the fact that it became
master.  Appended is the configuration.  Should I
discuss this problem on the openbsd misc list or
is it related to my demotion counter problem?

Thanks for the help.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein

# /etc/ifstated.conf
#
# The whole idea here is that we want 3 things:
#  1) to be emailed when interfaces go up and down
#  2) to record whether we're running as master, and
#  3) we want to ensure that DHCP runs only on the master firewall.
#     (Because there's no way to sync dhcp state between
#      two servers we could get conflicts if both servers ran dhcp.)

# net.inet.carp.preempt must be enabled (set to 1) for this to work
# correctly.


master_up = (carp0.link.up && carp1.link.up && carp2.link.up && carp3.link.up)
master_down = (!carp0.link.up) && (!carp1.link.up) && (!carp2.link.up) && (!carp3.link.up)
master_sync = !((carp0.link.up && carp1.link.up && carp2.link.up && carp3.link.up) || ((!carp0.link.up) && (!carp1.link.up) && (!carp2.link.up) && (!carp3.link.up)))


init-state in_startup

state in_startup {
  # initial startup state
  run "/usr/local/sbin/yellboot"
  run "rm -f /var/mirror_system/bootnote"
  if $master_up
    set-state in_master
  if $master_down
    set-state in_backup
}

state in_sync {
  # state for when we're neither all master or all backup.
  if $master_up {
    run "/usr/local/bin/wail 'sync attained, got master'"
    set-state in_master
  }
  if $master_down {
    run "/usr/local/bin/wail 'sync attained, in backup'"
    set-state in_backup
  }
}

state in_master {
  init {
    # Note that we're now in master state
    run "touch /var/mirror_system/am_master"
    # Tell dhcp it's the master
    run "/usr/sbin/dhcpd sis2"
  }
  if $master_down || $master_sync {
    # Note that we're no longer in master state
    run "rm /var/mirror_system/am_master"
    # Have dhcp stop running
    run "pkill dhcpd"
    # Tell the sysadm our current state.
    if $master_down {
      run "/usr/local/bin/wail 'lost master, in backup'"
      set-state in_backup
    }
    if $master_sync {
      run "/usr/local/bin/wail 'lost master, trying to sync'"
      set-state in_sync
    }
  }
}

state in_backup {
  if $master_up {
    run "/usr/local/bin/wail 'out of backup, got master'"
    set-state in_master
  }
  if $master_sync {
    run "/usr/local/bin/wail 'out of backup, trying to sync'"
    set-state in_sync
  }
}


Re: My PF faults list

2007-09-20 Thread Bob DeBolt
Ilya A. Kovalenko wrote:

> Hmm, maybe, I'm, truly, too stupid to work with PF ...
> I'll re-test it in a clean environment and write to the list.

Hi Ilya

Would you mind posting your entire config file(s) verbatim.

Also post what version, and whether it is current, release, or stable that
you are referring to.

I would be interested in seeing just where the problem lies.

regards

BobD



signature.asc
Description: OpenPGP digital signature


Re[2]: My PF faults list

2007-09-19 Thread Ilya A. Kovalenko
> you must be confused here. dunno. people rarely have problems in that
> area.
Hmm, maybe, I'm, truly, too stupid to work with PF ...
I'll re-test it in a clean environment and write to the list.

> i thought we did that with -vv or so
hmm ... alas, no such warnings with -vv:

evil# pfctl -vv -f /etc/pf.conf | grep notexist
@67 pass in from <notexist:0> to <notexist2:0> no state queue notexist3

evil# uname -a
OpenBSD evil.oganer.net 4.1 EVIL#0 i386

> you are confused. not keeping state is stupid.
Agree ... until states can work ...

> parts of your mail come pretty offensive... maybe i should not have
> bothered at all.
I beg your pardon, these little things annoyed me sometimes.
Thank you for the answer.

> anyway. you know how things work: if you miss sth, you send a diff.
yes, indeed :)




more on my question : DNS answers blocked?

2007-03-06 Thread Jacques Beigbeder
Hello,

Yesterday, my mail wasn't explicit. Sorry.

Architecture:
Internet
PF firewall on FreeBSD 5.5
DNS server (bind 9)
This is now a firewall in production: DNS host has 100 packets per second,
there is a mail server with 700.000 smtp hits per day, 'pfctl -si' shows
between 4000 and 8000 state entries during the day.

Here is a more complete trace, thanks to script(1) and screen(1).

. at 08:40:00, I set up the smallest rule:

# date ; pfctl -f /etc/pf/test.conf
Tue Mar  6 08:40:00 MET 2007
No ALTQ support in kernel
ALTQ related functions disabled

# pfctl -sr
block drop in log all
pass out on em0 all keep state
pass out on em1 all keep state
pass in on em0 all flags S/SA keep state
pass in on em1 all flags S/SA keep state

. at 08:40:10, 2 packets are blocked:

# tcpdump -eni pflog0 host 192.134.0.49
08:40:10.848258 rule 0/0(match): block in on em1: IP 192.134.0.49.53 > 129.199.96.11.55186:  47029 NXDomain*-[|domain]
08:40:10.848266 rule 0/0(match): block in on em1: IP 192.134.0.49 > 129.199.96.11: udp

. but the flow is opened:

# pfctl -ss | grep 192.134.0.49
self udp 192.134.0.49:53 <- 129.199.96.11:55186   MULTIPLE:MULTIPLE
self udp 129.199.96.11:55186 -> 192.134.0.49:53   MULTIPLE:MULTIPLE

. and here is tcpdump before the firewall:

# tcpdump -i em1 host 192.134.0.49
08:39:50.901802 IP 129.199.96.11.55186 > 192.134.0.49.53:  33752 [1au] A? bancoedwards.cl. (44)
08:39:50.903939 IP 192.134.0.49.53 > 129.199.96.11.55186:  33752- 0/2/3 (125)
08:39:52.150305 IP 129.199.96.11.55186 > 192.134.0.49.53:  53112 [1au] PTR? 8.101.224.88.in-addr.arpa. (54)
08:39:52.153941 IP 192.134.0.49.53 > 129.199.96.11.55186:  53112 NXDomain*- 0/6/6 (1472)
08:39:52.153945 IP 192.134.0.49 > 129.199.96.11: udp
08:39:56.164523 IP 129.199.96.11.55186 > 192.134.0.49.53:  43684 [1au] PTR? 176.195.118.88.in-addr.arpa. (56)
08:39:56.178153 IP 192.134.0.49.53 > 129.199.96.11.55186:  43684 NXDomain*- 0/6/6 (1472)
08:39:56.178158 IP 192.134.0.49 > 129.199.96.11: udp
   ---
   so before 08:40:00, there is traffic. See 'pfctl -ss' upper.
   And now the blocked packet:
   ---
   the DNS query (em0 to em1):
08:40:10.844354 IP 129.199.96.11.55186 > 192.134.0.49.53:  47029 [1au] PTR? 187.239.91.81.in-addr.arpa. (55)
   the answer (em1 to em0):
08:40:10.848241 IP 192.134.0.49.53 > 129.199.96.11.55186:  47029 NXDomain*- 0/6/6 (1472)
08:40:10.848246 IP 192.134.0.49 > 129.199.96.11: udp

. here more details on blocked packets (tcpdump -n -v -i em1 host 192.134.0.49):
09:41:06.492426 IP (tos 0x0, ttl  58, id 34397, offset 0, flags [+], length: 1500) 192.134.0.49.53 > 129.199.96.11.57617:  5828 NXDomain*- 0/6/6 (1472)
09:41:06.492551 IP (tos 0x0, ttl  58, id 34397, offset 1480, flags [none], length: 458) 192.134.0.49 > 129.199.96.11: udp

. adding the rule:
pass in quick on em1 inet from any to 129.199.96.11
  solves the problem.

So, where is the problem?
Is there a better fix than my rule?

--
Jacques Beigbeder|  [EMAIL PROTECTED]
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure |
45 rue d'Ulm |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05|Fax : (+33 1)1 44 32 20 75


Re: more on my question : DNS answers blocked?

2007-03-06 Thread Daniel Hartmeier
Looks like the blocked packets were IP fragments. For stateful
filtering, IP fragments must be reassembled, try adding

  scrub in fragment reassemble

at the top of your ruleset.

Daniel
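
Daniel's diagnosis, worked through in code. This is an added example, not code from the thread or from pf: it builds an IPv4/UDP reply of the size seen on em1 above (IP id 34397, which the 1500-byte MTU splits into a 1500-byte first fragment and a 458-byte second one at offset 1480), fragments it the way RFC 791 prescribes, and runs the fragments through a toy state lookup keyed on the UDP four-tuple. Only the first fragment carries the UDP header, so the second one cannot match any port-based state until the fragments are reassembled, which is what `scrub in fragment reassemble` does before the rules see the packet. Addresses and ports are the ones from the tcpdump output; the payload bytes are constructed, and the toy keeps state in a plain set instead of pf's state tree.

```python
import socket
import struct

IP_HDR, UDP_HDR, PROTO_UDP = 20, 8, 17
MF = 0x2000                      # "more fragments" bit in the IPv4 flags/offset word
MTU = 1500


def ip_header(src, dst, ident, flags_off, total_len, proto=PROTO_UDP, ttl=58):
    """Minimal IPv4 header (no options; checksum left zero, not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse(packet):
    """(src, dst, ident, byte offset, more-fragments, proto, payload) of one IPv4 packet."""
    hdr = packet[:IP_HDR]
    ident, flags_off = struct.unpack("!HH", hdr[4:8])
    return (socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), ident,
            (flags_off & 0x1FFF) * 8, bool(flags_off & MF), hdr[9], packet[IP_HDR:])


def udp_datagram(src, sport, dst, dport, payload, ident):
    """Unfragmented IPv4/UDP packet; UDP checksum left zero (allowed for IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    return ip_header(src, dst, ident, 0, IP_HDR + len(udp)) + udp


def fragment(packet, mtu=MTU):
    """Split a packet the way a router does for a smaller MTU (RFC 791)."""
    src, dst, ident, _, _, proto, data = parse(packet)
    step = (mtu - IP_HDR) // 8 * 8       # non-final fragments carry a multiple of 8 bytes
    out = []
    for off in range(0, len(data), step):
        chunk = data[off:off + step]
        more = MF if off + step < len(data) else 0
        out.append(ip_header(src, dst, ident, more | (off // 8),
                             IP_HDR + len(chunk), proto) + chunk)
    return out


def reassemble(fragments):
    """Put the fragments of one datagram back together (same src/dst/id/proto)."""
    frags = sorted(fragments, key=lambda f: parse(f)[3])
    src, dst, ident, _, _, proto, _ = parse(frags[0])
    if parse(frags[-1])[4]:
        raise ValueError("last fragment still has MF set: datagram incomplete")
    data = b"".join(parse(f)[6] for f in frags)
    return ip_header(src, dst, ident, 0, IP_HDR + len(data), proto) + data


def udp_tuple(packet):
    """(src, sport, dst, dport) when the UDP header is in this packet, else None.

    Only the fragment at offset 0 carries the transport header; a later
    fragment has nothing a port-based state lookup can use.
    """
    src, dst, _, offset, _, proto, data = parse(packet)
    if proto != PROTO_UDP or offset != 0 or len(data) < UDP_HDR:
        return None
    sport, dport = struct.unpack("!HH", data[:4])
    return (src, sport, dst, dport)


def verdicts(scrub):
    """Run the oversized reply from the thread through a toy 'keep state' check.

    scrub=False filters the fragments one by one, as pf does without
    'scrub ... fragment reassemble'; scrub=True reassembles them first.
    Returns one True (pass) / False (block) per packet reaching the filter.
    """
    # state left behind by the query 129.199.96.11:55186 -> 192.134.0.49:53,
    # stored in the direction the reply arrives
    states = {("192.134.0.49", 53, "129.199.96.11", 55186)}
    reply = udp_datagram("192.134.0.49", 53, "129.199.96.11", 55186,
                         b"\x00" * 1910, ident=34397)   # constructed 1918-byte UDP reply
    packets = fragment(reply)
    if scrub:
        packets = [reassemble(packets)]
    return [udp_tuple(p) in states for p in packets]


if __name__ == "__main__":
    print("without scrub:", verdicts(False))   # the second fragment is blocked
    print("with scrub:   ", verdicts(True))    # the whole reply passes
```

The first fragment is passed in both runs because its state lookup succeeds; the difference is only the non-first fragment, exactly the packet that showed up on pflog0 as `192.134.0.49 > 129.199.96.11: udp` with no ports. The `pass in quick on em1 inet from any to 129.199.96.11` workaround in the question passes that fragment by skipping the port match altogether, which also lets in any other fragment aimed at the resolver; reassembling first keeps the stateful check intact.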


Re: ftp-proxy, and one nic: oh my...

2006-03-21 Thread Travis H.
> rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

This makes inbound packets destined to port 21 on your box go to the
proxy.  But they'll be blocked because you don't have a pass rule
anywhere to allow them.

> block drop in  log quick on $extif from $privnets to any

This blocks all DHCP traffic, given that your ISP is using RFC 1918
addresses internally (10.x).  Stop trying to drop this traffic, at
least for 10/8.

> pass out quick log on $extif proto udp from ($extif) port 68 to $dhcp port 67 keep state
>
> pass in  quick log on $extif proto udp from ($dhcp)  port 67 to ($extif) port 68 keep state

That's not the best way to deal with DHCP.  Remember when you start
up, you don't have an IP, so your packets will be coming from 0.0.0.0!
And they will be sent to the local-broadcast address 255.255.255.255.
When your ISP's DHCP server responds, that will be the first real
address in the exchange, and that's a 10/8.

All in all, you need to just bite the bullet and put a:
pass out quick on $ext_if all keep state
somewhere in there, it will make life much easier.

The rdr rule won't do what you want.  You're trying to munge the
destination IP on an outbound packet.  rdr munges the destination IP
on inbound packets.  nat munges the source IP on outbound packets. 
Nothing pf can do does what you want.

BTW, quick rules are fine, continue to use them.  Only use non-quicks
if you can't avoid it.

PS:  Your bridging firewall will make remotely administering your
firewall difficult, if not impossible IIUC.  For example, how would
you download a program you need (answer: you can't)?  How would you
update the firewall rules (answer: on the console)?  How would you
remote-log, or keep your clock accurate, or do anything with the box?
How would you read the email that gets sent to root (answer: console
again).  Sounds like a major PITA if you ask me.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
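
A toy model of the three mechanisms the replies above keep coming back to, added here as an illustration and not code from pf or from anyone on the list. It shows Daniel's point earlier in this page (a reply gets back through the translator only because the outgoing packet left a state entry, and that entry is what de-NATs it to the wireless client) and Travis's points above (nat rewrites the source of outbound packets, rdr the destination of inbound ones, and a DHCP offer does not match the state left by a DISCOVER sent from 0.0.0.0). The client 192.168.1.140, the DHCP server 10.118.160.1 and the rdr to 127.0.0.1:8021 come from the threads; the external address 203.0.113.10, the remote host 198.51.100.7 and all port numbers are assumptions, and unlike real pf the toy does not pick a fresh source port when it NATs.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flip(p):
    """The same flow as seen by the reply: source and destination swapped."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class ToyPf:
    """Just enough of pf to show how keep state, nat and rdr fit together.

    Rules modelled, in the pf.conf syntax the threads use:
        nat on $ext_if from $lan_net to any -> ($ext_if)
        rdr on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
        pass out on $ext_if all keep state
        block in all
    Real nat also picks a fresh source port; the toy keeps the client's port.
    """

    def __init__(self, ext_addr, lan_prefix, rdr_port=21, rdr_to=("127.0.0.1", 8021)):
        self.ext_addr, self.lan_prefix = ext_addr, lan_prefix
        self.rdr_port, self.rdr_to = rdr_port, rdr_to
        self.states = {}   # key(packet as it arrives) -> packet as it must be emitted

    def _create(self, arriving, emitted):
        # forward entry, plus the reverse entry that lets the reply back through;
        # the reverse entry is what de-NATs (or un-rdrs) the reply
        self.states[key(arriving)] = emitted
        self.states[key(flip(emitted))] = flip(arriving)

    def filter(self, p, direction):
        """Return ('pass', packet as emitted) or ('block', p)."""
        if key(p) in self.states:            # state match: the rules are not consulted
            return ("pass", self.states[key(p)])
        if direction == "out":               # pass out ... keep state, nat for LAN sources
            wire = replace(p, src=self.ext_addr) if p.src.startswith(self.lan_prefix) else p
            self._create(p, wire)
            return ("pass", wire)
        if p.proto == "tcp" and p.dst == self.ext_addr and p.dport == self.rdr_port:
            inside = replace(p, dst=self.rdr_to[0], dport=self.rdr_to[1])   # rdr: inbound only
            self._create(p, inside)
            return ("pass", inside)
        return ("block", p)                  # unsolicited inbound: default deny


def scenario():
    """Send the packets discussed in the threads through the toy; return the verdicts."""
    ext = "203.0.113.10"                                  # assumed routable external address
    pf = ToyPf(ext_addr=ext, lan_prefix="192.168.1.")
    client, server, dhcp = "192.168.1.140", "198.51.100.7", "10.118.160.1"   # server assumed
    steps = [
        ("out", Packet("tcp", client, 40000, server, 80)),   # wireless client opens a connection
        ("in",  Packet("tcp", server, 80, ext, 40000)),      # the reply, sent to the NATed address
        ("in",  Packet("tcp", server, 80, ext, 40001)),      # unsolicited: no state, no rule
        ("in",  Packet("tcp", server, 5555, ext, 21)),       # new inbound ftp: rdr to the proxy
        ("out", Packet("tcp", client, 40002, server, 21)),   # outbound ftp: rdr does not apply
        ("out", Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)),   # DHCPDISCOVER, no address yet
        ("in",  Packet("udp", dhcp, 67, "255.255.255.255", 68)),        # the offer: different source
    ]
    return [pf.filter(p, d) for d, p in steps]


if __name__ == "__main__":
    for verdict, packet in scenario():
        print(verdict, packet)
```

Step 2 passes only because step 1 created the reverse state entry, and it is emitted with the client's private address restored; step 3, the same server sending to a port nobody opened, falls through to the default block. Step 5 shows why the single-NIC rdr does not do what the poster hoped: an outbound packet never reaches the rdr branch, only the nat one. Step 7 is Travis's DHCP case: the offer comes from the server's own 10/8 address, not from 255.255.255.255, so it matches no state and needs its own pass-in rule (or must not be caught by the privnets block).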


Re: ftp-proxy, and one nic: oh my...

2006-03-16 Thread frederick thomas

thanks for writing back,
  i know that you're busy so...

ifconfig -a
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::250:8dff:fe5a:18a0%vr0 prefixlen 64 scopeid 0x1
inet 69.205.XX.122 netmask 0xf000 broadcast 255.255.255.255
ether 00:50:8d:5a:18:a0
media: Ethernet autoselect (10baseT/UTP)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pfsync0: flags=0 mtu 2020


i can surf and telnet; i took out the quick keyword but i'm still only
logging rule 4. i'm still new at tcp/ip and services so how do i make an
exception to my isp's dhcp server?  you can see from above my
nic's address is not a 10.mumble. i read your paper and the manpage for
ftp-proxy so maybe i should roll
back to a less strict ruleset. btw i really like pf, for a newbie it has
an easy curve for learning. once i get this running i'll install a
second nic and try to do the invisible bridge thing. i want to go into
security so i need to get this right. thanks again.

nikita
-- 
  frederick thomas
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
  love email again


ftp-proxy, and one nic: oh my...

2006-03-15 Thread frederick thomas
i'm running freebsd 5.4 with only one nic (single user until i get a
router) so i don't think i can do nat. i've had no luck in getting the
damn thing to ftp. i added to the /etc/inetd.conf file the line

ftp-proxy  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy

and my /etc/pf.conf so far:

extif = vr0

tcpservices = { 20, 21, 25, 53, 67, 68, 80, 110, 123, 546, 631 }
udpservices = { 20, 21, 25, 53, 67, 68, 80, 110, 123, 546, 631 }
dhcp = 10.118.160.1
icmptypes = echoreq
privnets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

scrub in all

rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all
block drop in  log quick on $extif from $privnets to any
block drop out log quick on $extif from any to $privnets
block drop in  log quick on $extif proto icmp all

pass quick on lo0

pass out quick log on $extif proto udp from ($extif) port 68 to $dhcp port 67 keep state
pass in  quick log on $extif proto udp from ($dhcp)  port 67 to ($extif) port 68 keep state

pass out quick on $extif proto tcp from ($extif) to any port $tcpservices keep state
pass out quick on $extif proto udp from ($extif) to any port $udpservices keep state
pass out inet proto icmp all icmp-type $icmptypes keep state

pass out quick on $extif inet proto udp from any to any port 22:23 keep state
pass in  quick on $extif inet proto udp from any to any port 22:23 keep state
pass out quick on $extif inet proto tcp from any to any port 22:23 keep state

pass in quick on $extif inet proto tcp from any to ($extif) user proxy keep state

i really hate asking for help but i've exhausted every site and faq on
the web and it all points to nat, so do i have to install a dummy card to
get this to work, or can i just adjust the rule set? lastly, as you can
see from my conf, i'm trying to log all rfc 1918 addresses and my isp's
dhcp server inbound, but so far i only get rule four (4) to log the
expansion of the privnets macro. any help would be appreciated greatly.
peace


*is this the door where i came in?
-- 
  frederick thomas
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
  unladen european swallow


Re: ftp-proxy, and one nic: oh my...

2006-03-15 Thread Peter N. M. Hansteen
frederick thomas [EMAIL PROTECTED] writes:

> i've had no luck in getting the damn thing to ftp.

not trying to be rude or anything, are you getting it to do anything at
all?

That is with

> dhcp = 10.118.160.1

does this mean your IP address is in the 10.mumble range too?
if so,

> block drop in  log quick on $extif from $privnets to any
>
> block drop out log quick on $extif from any to $privnets

means you are dropping your own traffic.

also, if you make every rule a quick rule, you are not making debugging
any easier.

you could try my tutorial at http://www.bgnett.no/~peter/pf/ for a
gentle walkthrough.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.


My ungodly PF config - am I sane and brilliant, or just deluded and dangerous?

2005-12-17 Thread J. Buck Caldwell
My company is using FreeBSD for two major applications: our file servers 
(via Samba), which aren't the subject of this message; and the routers 
between branches. Some background follows.


We have essentially two types of branches - Type A, with their own cable
internet connections, and Type B, who have point-to-point T1 connections
to Corporate and use our internet connection for outside communication.
The Type A branches have FreeBSD machines acting as firewall/NAT, and 
also providing gif endpoints for tunnels to our Corporate office, which 
also uses a FreeBSD machine to provide firewall/NAT for the Corporate 
Office and Type B branches.


With me so far?

Here's the fun part. Our traffic has gotten to the point where I've 
decided that some traffic shaping (ALTQ) is necessary. I've been 
experimenting with my home cable internet connection (and gif tunnel to 
work), and I believe I've come up with a workable solution. However, I'd 
like to run it by some experts to see if I'm screwing up (or hitting any 
possible limits) before I try putting it in place live.


Here's the config, with some comments/questions

int_if = bge1   # obviously, the Internal interface of our firewall, connected to the corporate internal network
ext_if = bge0   # again, obviously, the external interface, connected to the DMZ, with a publicly routed IP
gif_if = { gif1 gif3 gif5 gif7 gif10 gif11 gif12 gif13 gif14 gif15 gif19 gif20 gif21 gif25 }  # all of the gif tunnels to the various branches


# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

altq on $ext_if priq bandwidth 4500Kb queue {std_out, ssh_out, mail_out, www_out, notes_out, asna_out, dns_out, gif_out, pri_out}

queue std_out priq(default) qlimit 150
queue mail_out priority 2
queue www_out priority 3
queue notes_out priority 4   # We use Notes primarily, so it gets higher 
priority than normal SMTP/POP3 traffic

queue dns_out priority 6
queue ssh_out priority 7
queue gif_out priority 8   # This gets any traffic encapsulated in a gif 
tunnel or ipsec.

queue pri_out priority 15

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) # it occurs to me, as I post this, that I'll need to change this to account for the Type B branches that are on separate subnets.


# filter rules
block all

pass quick on lo0 all
pass quick on $int_if all

pass in quick on $gif_if all

# Is there any reason to keep state on any of the following in rules?
pass in quick on $ext_if proto ipencap all
pass in quick on $ext_if proto esp all
pass in quick on $ext_if proto tcp all
pass in quick on $ext_if proto udp all
pass in quick on $ext_if proto icmp all

pass out on $gif_if proto udp all keep state queue(std_out, pri_out)
pass out on $gif_if proto icmp all keep state queue(std_out, pri_out)
pass out on $gif_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $gif_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $gif_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $gif_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)

pass out on $ext_if proto { udp, icmp } all keep state queue(std_out, pri_out)
pass out on $ext_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $ext_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $ext_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $ext_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out)  # Again - any point in keeping state for the gif tunnels or ipsec (below) packets?

pass out on $ext_if proto esp all keep state queue(gif_out, pri_out)

Believe it or not, pfctl -nv actually parses all of this out and seems 
to believe it makes sense. The other ends, which usually have only one 
or possibly two endpoints (branch-corporate and sometimes 
branch-sister branch) will be significantly

pf for my little world.

2005-06-23 Thread Bill Swisher

I'm getting closer.

This is what I think I want.  Is there a problem with it?

---
# macros
int_if = rl0
ext_if = ne1

tcp_services = { 22, 113 }
bad_services = { 137, 138, 139, 445 }
icmp_types = echoreq
table <private> const \
  { 127/8, 10/8, 172.16/12, 192.168/16, !192.168.0/24 }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> $ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

# filter rules
block all

pass quick on lo0 all

block drop in quick on $ext_if from <private>
block drop quick on $ext_if port $bad_services

pass in on $ext_if inet proto tcp from any to $ext_if \
   port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from port 20 to $ext_if \
   user proxy flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

--
Don't knock President Fillmore.  He kept us out of Vietnam.


Re: anchors and tables and tags oh my.

2005-05-24 Thread steve h

ok, i've done some more investigating.  i thought some tables were gone,
but they weren't.  in fact, i thought my old anchors were gone, but they
weren't.  i'm used to stale rules, tables, macros, being deleted when i
reload the ruleset.

this is a weird problem now.  there are anchors (visible via 'pfctl -vs
Anchors') that i'd stopped using days ago, and i cannot remove them.
if i pfctl -a oldanchor -F all, it's still there!  (although the stale
tables seem to be gone, so my namespace collision warnings are gone as well)

how can i rid myself of them?  pfctl -d && pfctl -e did not destroy the
old anchors.  they are no longer referenced in my ruleset in any way.
there seems to be no documented way to remove an anchor (anyway,
shouldn't old anchors be toast on reloading the ruleset?  i'm using
load anchor from file to get them in there..)

-steve


> steve h wrote:
>
> > - i create a table <foo> in the main ruleset and stick
> > 10.0.0.0/24 in it.  i pass in from <foo> in an anchored ruleset.
> > the rule does not match.  shouldn't tables in a 'parent' anchor
> > ruleset be global?
>
> Yes. That's likely a bug. Please make a testcase.
>
> >   there are some tables i use everywhere.
> > if i create the table in a bunch of anchor rulesets, it whines
> > about namespace (so i have to rename it each time...?)
>
> It should whine only if the table is both in a parent and child
> ruleset (like /table and /ruleset/table)
> It should not whine if it is in two unrelated subrulesets
> (like /ruleset1/table and /ruleset2/table)
>
> If that's not the behaviour you see, then there is a bug.
>
> Cedric



anchors and tables and tags oh my.

2005-05-23 Thread steve h

i'm trying to convert a lot of my ruleset to anchors with
interface/direction/etc for speed (kind of like you'd do
with iptables and jumping between chains to avoid evaluating
unnecessary rules).  so far it seems to be working well, and
i'm avoiding the evaluation of at least 50 rules on average.

few things i don't understand that are not documented.  it
seems tags are not passed between anchored rulesets, or from
the main ruleset to an anchor.  is this true?  why?  it
makes it a pain in the ass

i'm also trying to understand tables (i get a lot of whining
about namespace conflicts, even though i'm obeying my
assumptions about tables in the main ruleset being 'global'
and tables in the anchored rulesets only applying to the
context of that ruleset)

oh yeah, and the pf faq mentions you can tag on anchor
rules.  'tagged' doesn't seem to work though.  is it my
syntax, or is that not possible yet

practical examples of my problem:

- i tag a nat rule 'foo' in the main ruleset, and i pass tagged
'foo' in an anchored ruleset.  it does not match the rule.
moving the rule back to the main ruleset causes it to match.

- i create a table <foo> in the main ruleset and stick
10.0.0.0/24 in it.  i pass in from <foo> in an anchored ruleset.
the rule does not match.  shouldn't tables in a 'parent' anchor
ruleset be global?  there are some tables i use everywhere.
if i create the table in a bunch of anchor rulesets, it whines
about namespace (so i have to rename it each time...?)

- i do something like 'anchor bar tagged foo' (for example,
to jump to that rule only for packets matching my nat).
it doesn't let me.  is that not implemented yet?

i'd really appreciate any light shed on these issues.  i'd also
appreciate them being documented properly.  tables in the
context of the main ruleset and anchored rulesets is never
mentioned in the pf.conf man page, nor is the limitation of tags
not being passed.

oh yeah, using 3.7-release.

- steve haslin


Re: anchors and tables and tags oh my.

2005-05-23 Thread Cedric Berger

steve h wrote:

> - i create a table <foo> in the main ruleset and stick
> 10.0.0.0/24 in it.  i pass in from <foo> in an anchored ruleset.
> the rule does not match.  shouldn't tables in a 'parent' anchor
> ruleset be global?

Yes. That's likely a bug. Please make a testcase.

>   there are some tables i use everywhere.
> if i create the table in a bunch of anchor rulesets, it whines
> about namespace (so i have to rename it each time...?)

It should whine only if the table is both in a parent and child
ruleset (like /table and /ruleset/table)
It should not whine if it is in two unrelated subrulesets
(like /ruleset1/table and /ruleset2/table)

If that's not the behaviour you see, then there is a bug.

Cedric


Re: Still no answer on my bridge question -- resolved

2005-04-08 Thread Peter N. M. Hansteen
Russell Fulton [EMAIL PROTECTED] writes:

> Yet another illustration of the rule that one should post config files
> when asking questions.

simply exposing your rule set to a fresh set of eyes sometimes has
wonderful problem solving capability. seriously, the real risk of
embarrassment along the lines of "now what on g*d's green earth are you
doing that for?" is a lot less than you think.

Posting your config along with your problem description is always
good.  Obfuscate if you have to.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales


Re: Still no answer on my bridge question

2005-04-07 Thread Sean Kamath

[In a message on Thu, 07 Apr 2005 12:58:22 +1200,
  Russell Fulton wrote:]
> Hi,
>    Earlier I posted a note here asking about the order of processing
> incoming packets on a bridge with pf. I would really like to know if
> there is something wrong with our set up or if this is expected
> behaviour.
>
> I am seeing packets being dropped by pf that should not traverse the
> bridge at all (i.e. packets between hosts that are on the same side of
> the bridge).  After a little thought I came to the conclusion that this
> is quite plausible since the filtering is taking place on the interface
> closest to the affected hosts and the packets are hitting pf before they
> get to the bridging logic.

What do you mean "packets being dropped by pf that should not traverse
the bridge at all"?  Some clarity would help here.

Are you saying:

(host 1, host 2) <-> (int_1 OBSD Box int_2) <-> (other hosts)

And that packets from host 1 to host 2 (and vice versa) are showing as
being dropped on int_2?  If so, outbound?  By a block rule?

Topology and a pf.conf file will get you more help. . .

> I want to know if this conclusion is correct or do I have a problem that
> should be investigated.
>
> BTW I have also spent some time looking for docs that describe exact
> order of processing of packets but could not find anything useful.

Try the list archives.  This came over the list on March 17:

http://mniam.net/pf/pf.png


Sean


Re: Still no answer on my bridge question

2005-04-07 Thread Camiel Dobbelaar


On Thu, 7 Apr 2005, Russell Fulton wrote:
> I am seeing packets being dropped by pf that should not traverse the
> bridge at all (i.e. packets between hosts that are on the same side of
> the bridge).  After a little thought I came to the conclusion that this
> is quite plausible since the filtering is taking place on the interface
> closest to the affected hosts and the packets are hitting pf before they
> get to the bridging logic.

No, bridging comes first.  And yes, the packet _should_ be dropped when 
the destination interface (according to the bridgecache) is the same as 
the source interface of the packet.


RE: Still no answer on my bridge question

2005-04-07 Thread Constant, Benjamin

Hi Russell,

When I was looking for more information regarding pf + altq I also asked for
documents describing packet processing and I got the following links:

http://www.redshift.com/~ray/network/packet.gif
http://mniam.net/pf/pf.png

Hope this helps,

Benjamin Constant
TI Automotive 

> -----Original Message-----
> From: Russell Fulton [mailto:[EMAIL PROTECTED]
> Sent: jeudi 7 avril 2005 2:58
> To: pf@benzedrine.cx
> Subject: Still no answer on my bridge question
>
> Hi,
>   Earlier I posted a note here asking about the order of
> processing incoming packets on a bridge with pf. I would
> really like to know if there is something wrong with our set
> up or if this is expected behaviour.
>
> I am seeing packets being dropped by pf that should not
> traverse the bridge at all (i.e. packets between hosts that
> are on the same side of the bridge).  After a little thought
> I came to the conclusion that this is quite plausible since
> the filtering is taking place on the interface closest to the
> affected hosts and the packets are hitting pf before they get
> to the bridging logic.
>
> I want to know if this conclusion is correct or do I have a
> problem that should be investigated.
>
> BTW I have also spent some time looking for docs that
> describe exact order of processing of packets but could not
> find anything useful.
>
> Russell.
>



Re: Still no answer on my bridge question

2005-04-07 Thread Russell Fulton
Thanks Sean!

On Wed, 2005-04-06 at 19:36 -0700, Sean Kamath wrote:
> [In a message on Thu, 07 Apr 2005 12:58:22 +1200,
>   Russell Fulton wrote:]
>> Hi,
>>  Earlier I posted a note here asking about the order of processing
>> incoming packets on a bridge with pf. I would really like to know if
>> there is something wrong with our set up or if this is expected
>> behaviour.
>>
>> I am seeing packets being dropped by pf that should not traverse the
>> bridge at all (i.e. packets between hosts that are on the same side of
>> the bridge).  After a little thought I came to the conclusion that this
>> is quite plausible since the filtering is taking place on the interface
>> closest to the affected hosts and the packets are hitting pf before they
>> get to the bridging logic.
>
> What do you mean "packets being dropped by pf that should not traverse
> the bridge at all"?  Some clarity would help here.
>

the addresses of the packets being dropped are both on the same side of
the bridge and therefore the packets should not traverse the bridge.



host 1        host 2
  |             |
  |             |
  +------+------+
         |
         |
      bridge
         |
         |
         +
         |
  rest of network


I am seeing packets between host1 and host2 being dropped on the bridge,
filtering is taking place on the interface closest to host1 and host2.

Russell






Re: Still no answer on my bridge question -- resolved

2005-04-07 Thread Russell Fulton
On Thu, 2005-04-07 at 12:58 +1200, Russell Fulton wrote:

> I am seeing packets being dropped by pf that should not traverse the
> bridge at all (i.e. packets between hosts that are on the same side of
> the bridge).  After a little thought I came to the conclusion that this
> is quite plausible since the filtering is taking place on the interface
> closest to the affected hosts and the packets are hitting pf before they
> get to the bridging logic.

Thanks to those who clarified the way bridge and pf interact and to
Camiel Dobbelaar who suggested some useful diagnostics in private email.

I now know what is going on.  A while ago we were having some issues
with our two pf/bridges interacting with our cisco switches, the network
folk got these partly resolved by turning learning off on the bridges,
so now they are simply flooding everything back and forth -- which is
exactly what I had observed.  Sigh...

Thanks again and apologies for bothering the list with something that
should have been sorted out locally.

Yet another illustration of the rule that one should post config files
when asking questions.  If I had done that I would have noticed that
learning had been turned off and solved the problem then and there.

Russell

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand




Still no answer on my bridge question

2005-04-06 Thread Russell Fulton
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know if
there is something wrong with our set up or if this is expected
behaviour.

I am seeing packets being dropped by pf that should not traverse the
bridge at all (i.e. packets between hosts that are on the same side of
the bridge).  After a little thought I came to the conclusion that this
is quite plausible since the filtering is taking place on the interface
closest to the affected hosts and the packets are hitting pf before they
get to the bridging logic.

I want to know if this conclusion is correct or do I have a problem that
should be investigated.

BTW I have also spent some time looking for docs that describe exact
order of processing of packets but could not find anything useful.

Russell.





arp flood on my external fxp0 port

2005-01-31 Thread Renato
Hello everybody,
I've an OpenBSD box running 3.5.
I tried to configure it as a firewall.
Now, I've this problem:
when I connect myself to the firewall via the internal interface through
the ssh proto and I run tcpdump -i fxp0 I get this output:
14:05:57.043799 arp who-has 192.168.205.222 tell 192.168.205.201
14:05:57.334516 arp who-has 192.168.205.81 tell 192.168.205.100
14:05:58.333954 arp who-has 192.168.205.81 tell 192.168.205.100
14:05:58.361522 192.168.205.218.netbios-dgm > 192.168.205.255.netbios-dgm:  udp 201
14:05:58.367491 192.168.205.7.netbios-ns > 192.168.205.255.netbios-ns:  udp 50
14:05:58.751477 802.1d unknown protocol ver(0x2)
14:05:59.134366 802.1d unknown protocol id(0x1)
14:05:59.136030 802.1d unknown protocol id(0x1)
14:05:59.137523 802.1Q vid 2 pri 0 802.1d unknown protocol id(0x1)
14:05:59.333429 arp who-has 192.168.205.81 tell 192.168.205.100
14:05:59.333912 802.1d unknown protocol id(0x1)
14:06:00.754626 802.1d unknown protocol ver(0x2)
14:06:02.751742 802.1d unknown protocol ver(0x2)
14:06:04.752043 802.1d unknown protocol ver(0x2)
14:06:06.728593 arp who-has grfire.grdesign.it tell 192.168.205.246

Why can I see these ARP requests?
192.168.205.0 is my internal network and I don't want someone from the
external network to be able to look at my internal addresses ...

Thanks in advance


Re: arp flood on my external fxp0 port

2005-01-31 Thread Rick Barter
Renato wrote:
> Why can I see these ARP requests?
> 192.168.205.0 is my internal network and I don't want someone from the
> external network to be able to look at my internal addresses ...
Renato,
As far as I know (and from what I've read) this is normal and nothing 
to be alarmed about.  Also, I think if someone compromises your 
firewall and/or LAN and has root access, it won't matter much if they 
can see your network traffic.  You'll have much bigger problems.

Also, I notice that you are using an fxp0 device like I do in my 
firewall.  I had some problems with the firewall locking up because it 
was a 10mbit network.  There was a bug in the code from Intel.  If you 
experience these problems, you'll need to upgrade to 3.6 which will 
fix the problem.  I just wanted you to know.

rvb


Re: My firewall

2005-01-19 Thread J. Rivero
Hi Peter,

I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I Removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you are using.

I hope it is going to be helpful. It can be used to
learn about macros as well.

Some comments:

- Don't use 'pass in all' as a default. You are totally
open
- Check out the declaration of my network's macros.
Compare to yours.
- Opening ssh (port 22) directly on your firewall can
be an invitation for an attacker. Try
to redirect it to another machine other than your
firewall.

For example:
ssh_ad = "192.168.1.22"
rdr on $ext_if proto tcp from any to $ext_ad port ssh -> $ssh_ad port ssh

Best of lucks, J. Rivero

MTE Technology
mtechno.net
J. Rivero 
3629 203rd Street 
Langley, B.C. 
V3A6A6 
Tel. (604)-514-9092 
Cell (778) 839-3395

 --- R T [EMAIL PROTECTED] wrote: 
> Hello folks. Im trying to get my OpenBSD 3.5 machine
> set up as a router. Heres the info so far:
> xl0  network card getting dhcp address from my isp
> ep1  network card hooked to my laptop  192.168.1.1
> netmask 255.255.255.0
>
> The laptop is windows and has 192.168.1.2 as its ip.
> I can ping the laptop, and the laptop can ping the
> OpenBSD box, but so far I cant get the laptop onto
> the internet at all. My pf.conf is quite simple
> compared to some examples I've seen and I'm thinking
> its too simple perhaps...
>
> #   $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
> #  gatewolf rules (experimental)
> #
> ext_if=xl0
> int_if=ep1
> internal_net=10.1.1.1/8
> external_addr=192.168.1.1
>
> # Filtering: the implicit first two rules are
> pass in all
> pass out all
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
> pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> pass  out on $ext_if proto { tcp, udp } all keep state
>
> # pass incoming packets destined to the addresses given in table <foo>.
> pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
>
> # My silly rules
> pass in  on xl0 all
> pass out on xl0 all
> pass in  on ep1  all
> pass out on ep1  all
>
> any ideas as to what I have done wrong folks?
> Thanks...


pf.conf (attached)

#
# macro definitions
#
# ext_if -- external interface, connects the firewall to the
#   outside world
# prv_if -- private interface, connects to the private network
#   segment to the firewall
#
ext_if = rl0
prv_if = rl1

#
# ext_ad -- the IPv4 address of the ext_if external interface
# prv_ad -- the range of IPv4 addresses on the private network
# int_net -- Internal subnets
#
ext_ad = $ext_if/32
prv_ad = 192.168.0.0/24
int_net = { 192.168.0.0/24, 10.0.0.0/24 }
nonroutable = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 204.152.64.0/23, 224.0.0.0/3 }

#
# options: set
#
set limit { frags 1, states 1 }
set loginterface $ext_if
set block-policy return

# table containing all the IP addresses assigned to the firewall
table <firewall> const { self }

scrub in  all fragment reassemble
scrub out all fragment reassemble

#
# NAT rules: rdr, nat, binat
#
nat on $ext_if from $prv_ad to any -> $ext_ad

#
# filtering
#
block all
antispoof quick for $prv_if inet

# filter rules for ext_if
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# filter rules for prv_if
pass in on $prv_if from $prv_ad to any keep state
pass out on $prv_if from any to $prv_ad keep state




Re: my firewall

2005-01-19 Thread Jason Opperisano
On Wed, Jan 19, 2005 at 02:07:10PM -0700, R T wrote:
> Hello folks. Thanks to everyone who responded to my problem. The laptop can
> use the internet now, however it wont resolve host names properly. For
> example, it wouldnt connect to www.google.ca but it would to 64.233.167.104
> Same for IRC, xhat wouldnt connect to eu.undernet.org but it would connect to
> 195.68.221.221   ...weird, huh?

it sounds like you don't have the proper DNS servers set on your client
machine.

> Heres the pf.conf Im using:
> ===
> # Gatewolf pf rules
> #
> ext_if = xl0
> int_if = ep1
>
> nat on $ext_if from 192.168.1.2 to any -> ($ext_if)

any reason you're only NAT-ing for a single IP?

> block in  log all
> block out log all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass in  quick on $int_if from any to any
> pass out quick on $int_if from any to any
>
> pass quick all

you *do* realize that your firewall doesn't actually *firewall*
anything, right?

-j

--
Kids, you tried your best and you failed miserably. The lesson is,
 never try.
--The Simpsons


my firewall OR gee im stupid...

2005-01-19 Thread R T
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
Now to learn about making it an actual firewall  :)   Thanks guys for the help!
R.T.


Re: my firewall

2005-01-19 Thread pf-r
R T wrote:
> Hello folks. Thanks to everyone who responded to my problem. The laptop can use the internet now, however it wont resolve host names properly. For example, it wouldnt connect to www.google.ca but it would to 64.233.167.104
> Same for IRC, xhat wouldnt connect to eu.undernet.org but it would connect to 195.68.221.221   ...weird, huh?
>
> Heres the pf.conf Im using:
> ===
> # Gatewolf pf rules
> #
> ext_if = xl0
> int_if = ep1
> nat on $ext_if from 192.168.1.2 to any -> ($ext_if)
> block in  log all
> block out log all
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass in  quick on $int_if from any to any
> pass out quick on $int_if from any to any
> pass quick all
> ===
Ummm...  You are wide open to the outside world...  Get rid of that last 
line ASAP.

You should probably study some real-world examples to get a feel for how 
your pf.conf should be structured.  Luckily, you can browse to 
https://solarflux.org/pf/ where I've compliled a (now aging) list of 
good examples to learn (and create a solid pf.conf) from.  You can also 
visit #pf on irc.freenode.net and ask questions there; you might not get 
a response right away, since most everyone there lurks (myself 
included), but there are some knowledgeable people hanging around #pf.

Sorry to hijack the thread, but asking basic questions here is generally 
frowned upon.

-S
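
What pf-r's "get rid of that last line" and Jason Opperisano's "doesn't actually firewall anything" come down to, as an added example that is not part of either reply: R T's ruleset with `pass quick all` removed and the block-all default left in charge, opening only what the thread says is needed (a NAT'd laptop behind ep1 reaching the Internet). The 192.168.1.0/24 range is assumed from the laptop address 192.168.1.2 in the thread; the rest is assumption too, not R T's file:

```pf
# Added example (not R T's pf.conf): same interfaces, same intent,
# without the "pass quick all" that matched every packet on every
# interface and made the two block rules irrelevant.
ext_if = "xl0"
int_if = "ep1"
lan    = "192.168.1.0/24"            # assumed: the laptop is 192.168.1.2

# NAT the whole LAN, not one address (Jason's question), and use the
# interface's current address so a DHCP lease change does not break it.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in both directions; "log" so that
#   tcpdump -n -e -ttt -i pflog0
# shows exactly what was refused while you tune the rules below.
block in  log all
block out log all

# Loopback is always fine.
pass quick on lo0 all

# LAN side: let the laptop in, let replies back out to it.
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state

# Internet side: only connections this box (or, after NAT, the laptop)
# opens may leave; the state entry admits the replies, so there is no
# "pass in on $ext_if" at all and nothing is listening to the outside.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check it with pfctl -nf /etc/pf.conf before loading, then pfctl -sr to confirm the `pass quick all` line is really gone; DNS from the laptop goes out as UDP through the last rule, so the name-resolution problem R T hit is a resolver setting on the laptop, not something this file has to open.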



Re: my firewall

2005-01-19 Thread pf-r
OOPS-
pf-r wrote:
> where I've compliled a (now aging) list of 
s/compliled/compiled
BTW, if anyone wants to submit pf.conf examples with accompanying 'pfctl 
-sr' (or alternative) outputs for posting on the pf-r, visit #pf and 
speak up.

-S



Re: my firewall OR gee im stupid...

2005-01-19 Thread Rick Barter
R T wrote:
> Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
> Now to learn about making it an actual firewall  :)   Thanks guys for the help!
> R.T.
No problem, RT.  Good luck.
rvb


Re: Problem with my config?

2004-10-17 Thread i.t Consulting
On Sunday, 17 October 2004 01:49, Joe wrote:
> It's not so much that I'm concerned about the attacks as I am about why
> traffic is getting through that shouldn't be. After I added an IP to my
> block list, some packets still got through (although most do not).

do a test with the following lines within pf.conf:

table <bad_hosts> persist file "/etc/bad_hosts"
(every ip address goes into 1 line )
..
block in log quick on em0 proto tcp from <bad_hosts> to any
(and 2 more lines blocking)

let us know what still comes through (log file excerpt)
regards
i.t
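
The table i.t sketches, filled out as an added example so Joe can compare it with his own file; it is not i.t's or Joe's configuration. em0 and /etc/bad_hosts are the names used in the thread, the second bridge interface em1 is an assumption, and the "2 more lines blocking" are my guess at covering both legs of a transparent bridge:

```pf
# Added example (not from the thread). em0 and /etc/bad_hosts come from
# i.t's mail; em1 as the other bridge member is an assumption.
ext_if = "em0"
int_if = "em1"

# One address or network per line in /etc/bad_hosts. "persist" keeps the
# table in the kernel even while no rule references it, so it can be
# edited with pfctl -t ... -T add/delete without a full reload.
table <bad_hosts> persist file "/etc/bad_hosts"

# These must come BEFORE any pass rule and carry "quick": without quick,
# pf keeps evaluating and a later "pass ... keep state" wins, which is
# one way a listed source still gets through.
block in  log quick on $ext_if from <bad_hosts> to any
block out log quick on $int_if from <bad_hosts> to any   # bridge: inner leg
block in  log quick on $int_if from any to <bad_hosts>   # no replies out

# ... the normal pass rules follow here ...
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state
```

Two things to check when an entry "mostly" works, as Joe describes: pfctl -t bad_hosts -T test 211.46.163.166 reports whether the address actually matches the loaded table (the file is only read when the ruleset is loaded, so an address added to the file later needs pfctl -t bad_hosts -T add, or a reload), and any connection that was already in the state table when the entry was added keeps flowing until it ends or is killed with pfctl -k 211.46.163.166, because state matching happens before the rules are consulted.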


Problem with my config?

2004-10-15 Thread Joe Digilio
Hi all-

I'm a newbie to this list, OpenBSD, pf, and firewalls so go easy on me. :)

I'm sure you've noticed the script-kiddie attacks trying to guess the root
password (among other users). Every so often one of them will tick me off
enough that I block their IP at the firewall. Normally this works just fine,
but in the past couple of days one IP still gets through (211.46.163.166) even
though it's in my bad_hosts table.

Looking through the pf log I see many attempts are indeed blocked by the
firewall. But some must get through because I get a few Failed password for
root from 211.46.163.166 on the hosts they are attacking.

Now I don't know if this is a problem with my rules, pf, OpenBSD, or the
alignment of the planets but there must be a problem somewhere.

If it matters, this is a transparent firewall plus an extra NIC for ssh access.

Anybody have any ideas?
Also if you have any comments about my pf rules, please share (but be gentle).

Thanks!
Joe



Re: How do I change my firewall ports to stealth mode?

2004-10-01 Thread Greg Wooledge
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:
> On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
>> Personally, I prefer not to reveal the usernames behind the client
>> connections I'm making, so I use nullidentd.
> What's better about that than making the flags -Hole on the inetd
> settings for identd?

Well, for one, when I started out on OpenBSD 3.0, there wasn't a -H
flag:
http://www.openbsd.org/cgi-bin/man.cgi?query=identd&apropos=0&sektion=0&manpath=OpenBSD+3.0&arch=i386&format=html

I'm not in the habit of re-checking the man pages for every command
with every new release (nor am I subscribed to the CVS commit list),
so I didn't know this feature had been added.

Meanwhile, nullidentd does precisely what I want it to do, so there's
very little reason for me to switch.  New users who are just starting
out, though, may prefer to use the in-tree identd.

-- 
Greg Wooledge  |   Truth belongs to everybody.
[EMAIL PROTECTED]  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |




Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
Lars Hansson wrote:
> OpenBSD does this by default in inetd.conf.
Correction, it doesn't.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
Greg Wooledge wrote:
> Personally, I prefer not to reveal the usernames behind the client
> connections I'm making, so I use nullidentd.  It's very simplistic; it
> just returns a constant string for all ident requests.  (It doesn't
> appear to be in ports; I simply grabbed the source code from
> packages.debian.org/nullidentd and built it myself.)
Any particular reason you didn't just use the -h/-H and -o options with 
the standard OpenBSD identd?

---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Rod.. Whitworth
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:

> Personally, I prefer not to reveal the usernames behind the client
> connections I'm making, so I use nullidentd.  It's very simplistic; it
> just returns a constant string for all ident requests.  (It doesn't
> appear to be in ports; I simply grabbed the source code from
> packages.debian.org/nullidentd and built it myself.)


What's better about that than making the flags -Hole on the inetd
settings for identd?
I haven't been got at in any way using that.  Any need for another
approach?

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.







Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
[EMAIL PROTECTED] wrote:
> http://www.clock.org/~fair/opinion/identd.html
Thanks for giving a link that nicely illustrates my point about people 
not understanding what ident does:

"The upshot of these assumptions is that when your system contacts the 
identd server of a remote system, you can trust the data returned that 
supposedly identifies a user who is trying to use a network service on 
your server,..."

That's exactly what ident is NOT intended to do, it's intended to help 
the admin of the machine connecting to *YOUR* machine if/when you need 
to coordinate something with him/her.

---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Jason Dixon
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
> I changed the block-policy from return to drop. Now my ports except
> 113 are showing up as stealthed while testing from
> http://www.grc.com/x/ne.dll?rh1dkyd2
> The Port 113 was opened because the PF FAQ asked to open it for SMTP
> Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
> ICMP Echo Requests: the ICMP packet type used by ping(8). 
Now ask yourself-  what's the point of dropping packets (woo, I'm in 
stealth mode, woo...), when a simple 1-1024 portscan will reveal you 
thanks to port 113 accepting connections (or sending resets, not sure 
if your identd is actually running)?  Why wouldn't you rather just deny 
all and avoid behaving like a doof?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Hi Jason!

Thanks for the reply!

But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?

regards

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:

> But if I can get port 113 also in adaptive stealth mode like Zonealarm
> did then it would be better isn't it?

Not really. It can give a false sense of security, because you assume
the 'adaptive' part can't be tricked by the attacker. See

  http://marc.theaimsgroup.com/?t=10490548072

for more details.

In short, pf doesn't have such a feature, and it's unlikely that it will
have. If it's an essential requirement for you, you'll have to look
elsewhere.

Daniel


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Oliver Humpage
on 28/9/04 12:16 pm, Siju George at [EMAIL PROTECTED] wrote:

> Hi Jason!
>
> Thanks for the reply!
>
> But if I can get port 113 also in adaptive stealth mode like Zonealarm
> did then it would be better isn't it?

If you're just trying to hide, then no. Personally I send RSTs on blocked
ports, partly because I think it's more polite, but also because filtered
ports show there's a firewall in the way, whereas RSTs could come from a
firewall or a host.

As someone said, the only advantage to a drop policy is it slows down
portscans, but that's irrelevant if we're talking about just one port.

Although Zonealarm's explanation was a bit hazy, it sounds as if it simply
drops the packet if there's no state associated with the remote server,
which is easy to do with pf (just accept packets with keep state flags
S/SAFR and then block anything else on port 113). If Zonealarm's not using
states, how else can it know if there's an existing relationship with the
remote server...?

Oliver.


-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
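
One way to get what Jason Dixon, Oliver and Volker are arguing for without running identd at all, as an added example that is not from any post in this thread: keep the drop policy Siju switched to, but answer ident probes with a reset, so a remote SMTP or IRC server that tries port 113 gets "connection refused" at once and carries on, instead of waiting for a timeout. This is not ZoneAlarm's adaptive behaviour, which Daniel says pf does not offer; it only removes the single-open-port give-away Jason describes. The interface name is an assumption:

```pf
# Added example (not from the thread). xl0 is an assumed interface name.
ext_if = "xl0"

# Silently discard everything unsolicited that arrives on the outside ...
set block-policy drop
block in log on $ext_if all

# ... except ident/auth (TCP 113), which is refused with a TCP RST.
# "return" on the rule overrides the global drop policy for this rule
# only, and "quick" makes sure no later rule reconsiders the packet.
# Nothing listens on 113, so there is no username to leak.
block return in quick on $ext_if proto tcp from any to ($ext_if) port 113

# Connections this host opens (mail, IRC, whatever) may leave; the state
# entry admits the replies, so no inbound pass rule is needed for them.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
```

After pfctl -f, pfctl -sr shows the rule order; a probe to port 113 now gets an immediate RST while every other port times out. Oliver's preference, a reset on every blocked port, is the same file with `set block-policy return` and the 113 rule dropped.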



Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Volker Kindermann
Hi Siju,


> The Port 113 was opened because the PF FAQ asked to open it for SMTP
>
> Auth/Ident (TCP port 113): used by some services such as SMTP and IRC. 
> ICMP Echo Requests: the ICMP packet type used by ping(8). 

I know that this is in the pf faq but I don't think that you really need it. I don't 
know about IRC but you mentioned only SMTP on your side.

I'm running emailservers for years now and never ran an identd. And my clients don't 
have an identd running either. I don't think that you need this for smtp nowadays.

 -volker


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote:
> I was using Zone Alarm before on a Windows200 Firewall. All its ports
> were shown as Stealthed but still SMTP server access was possible!
> So further digging I got this explanation from the website that
> conducted the test.
> Adaptive Stealthing means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> relationship with the remote machine (such as a pending outgoing
> connection attempt). If so, the remote machine is considered to be
> friendly and its IDENT request packet is allowed to pass through
> ZoneAlarm's firewall. But if the IDENT originating machine is not
> known to ZoneAlarm as a friendly machine, the connection requesting
> packet is dropped and discarded, rendering port 113 stealth to all
> unknown port scanners. It's very slick. 
> Is there any way to do this in OpenBSD?
No, there's no point.
People who say identd is a source of severe information leakage does
not understand what ident does. If you feel paranoid, as I do, you can
always configure it to return random usernames.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Thankyou Oliver for the reply and Explanation! It was very
informative. I'll also try the S/SAFR thing and see how it works!

God bless you

warm regards

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
> I know that this is in the pf faq but I don't think that you really need it. I don't 
> know about IRC but you mentioned only SMTP on your side.
>
> I'm running emailservers for years now and never ran an identd. And my clients don't 
> have an identd running either. I don't think that you need this for smtp nowadays.
>
> -volker
>

I don't think we have IRC. It's almost time to close office. I'll try
your suggestion tomorrow and see if it works! If it works fine
because I'll have to show other guys who do not have all this
technical knowledge that OpenBSD can do what Zone Alarm can do and
much better, at least till they also learn the truth.

Thanks a lot all you precious folks!

Take care

God bless you all

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
> People who say identd is a source of severe information leakage does
> not understand what ident does. If you feel paranoid, as I do, you can
> always configure it to return random usernames.
>
> ---
> Lars Hansson

Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?

Thanks a lot

God bless you.

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Siju George writes:
> Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me
> how to return random usernames? Or could you please give me a link
> where I can learn that?
http://www.clock.org/~fair/opinion/identd.html 


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Kevin writes:
> Many IRC servers will drop sessions if they cannot talk to an ident
> service on the originating end.  If you don't want your users to be on
> IRC;  this could be considered as a benefit of blocking TCP/113 ;)
Doubtful with IRC servers today. Although I'm not privy to the details
of IRC per se, I have set up a number of firewalls in my day and have
perused a lot of sockets code, and frankly, I would be surprised if
anyone on this forum found they needed ident working for anything,
including irc. I seriously doubt this is true any more. 

> While the identd service is not *mandatory* on servers which send
> outbound SMTP email,  many remote SMTP servers will query identd when
> your machine connects as a SMTP client.
Again, not lately. This I do know something about. I know that Sendmail
and Qmail MTAs dropped any notion of needing ident for anything long ago.
Exchange and Imap servers certainly don't rely on it. 

> Bottom line, if your server sends SMTP email to arbitrary remote SMTP
> servers,  it is detrimental to  stealth ident.
Name one mta that needs ident. I'm not saying they don't exist, I'm
just curious. 


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Hennessy
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote:

> You don't
> need it, nothing now depends on it, 

Not quite correct. Certain smtp, ftp and irc servers come to mind. 



-- 
SB: Wait, you mean the costumes themselves give you super powers? 
MM: Of course! Why else would we fly around in coloured undies?


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED] 
wrote:

> Kevin writes:
>> Many IRC servers will drop sessions if they cannot talk to an ident 
>> service on the originating end.  If you don't want your users to be 
>> on IRC;  this could be considered as a benefit of blocking TCP/113 ;)
> Doubtful with IRC servers today. Although I'm not privy to the details 
> of IRC per se, I have set up a number of firewalls in my day and have 
> perused a lot of sockets code, and frankly, I would be surprised if 
> anyone on this forum found they needed ident working for anything, 
> including irc. I seriously doubt this is true any more.
It is.  It's a mitigating mechanism for many types of 
worms/bots/whatever, since they aren't capable of poking holes in their 
computer owner's broadband NAT device.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:

 It is.  It's a mitigating mechanism for many types of 
 worms/bots/whatever, since they aren't capable of poking holes in their 
 computer owner's broadband NAT device.

That's what UPnP is for, isn't it?

SCNR,
Daniel


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread eric-list-pf
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed...

 It is.  It's a mitigating mechanism for many types of 
 worms/bots/whatever, since they aren't capable of poking holes in their 
 computer owner's broadband NAT device.

Yea, sure. I've seen *many* bots with identd running happily joining
command and control IRC servers. Those servers are almost always
rogue servers that don't care if identd is running.

What examples, specifically, are you referring to? I'm actually
curious.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is.  It's a mitigating mechanism for many types of 
worms/bots/whatever, since they aren't capable of poking holes in 
their computer owner's broadband NAT device.
That's what UPnP is for, isn't it?
*grin* luckily they don't seem to have caught up with that...
On Tuesday, Sep 28, 2004, at 16:39 US/Pacific, 
[EMAIL PROTECTED] wrote:

Yea, sure. I've seen *many* bots with identd running happily joining 
command and control IRC servers. Those servers are almost always rogue 
servers that don't care if identd is running.
Sure, there are always machines that aren't filtering identd, and of 
course the control servers won't care.  I said it was a mitigating 
thing, not a prevention thing :)

More of an issue are the things that attempt to spread, as those want 
to be on the big networks where everyone can see them.  The average 
exploited cable/DSL machine also won't have identd enabled.  Put two 
and two together, and it's useful.

Another use is requiring shell providers to properly identify their 
customers for abuse control, lest they lose all connectivity to an IRC 
network.  'Course, that only works if it's a network their customers 
care about, and it's a bit away from the original identd/pf scenario 
under discussion.

Anyway, IRC networks do still find ident useful and even require it at 
times.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote:
Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
man identd, options -h and -H in particular.
OpenBSD does this by default in inetd.conf.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Wooledge
Volker Kindermann ([EMAIL PROTECTED]) wrote:

 I've been running email servers for years now and never ran an identd. And my
 clients don't have an identd running either. I don't think that you need this
 for SMTP nowadays.

It's never been mandatory for SMTP.  Some IRC servers do require it,
though.

Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.  It's very simplistic; it
just returns a constant string for all ident requests.  (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)

-- 
Greg Wooledge  |   Truth belongs to everybody.
[EMAIL PROTECTED]  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
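
A minimal RFC 1413 responder in the spirit of nullidentd, added here as an example and not code from the thread or from nullidentd itself: every query gets the same fixed token (the constructed placeholder `nobody`) or a HIDDEN-USER refusal, so the account behind a connection is never disclosed while port 113 still answers. The listen address, the bounded read and the 1..65535 port check are assumptions of this example.

```python
import re
import socketserver

# Added example, not code from the thread or from nullidentd. A fixed-reply
# RFC 1413 ("ident") responder: the local account behind a connection is
# never looked up, so port 113 can answer without leaking user names.

REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
FIXED_USER = "nobody"  # constructed placeholder, not a real account


def ident_reply(request, user=FIXED_USER, hide=False):
    """Build the reply line for one '<server-port>, <client-port>' query.

    hide=True refuses the lookup with HIDDEN-USER instead of returning a
    constant name; both forms keep the real user name private.
    """
    m = REQUEST_RE.match(request)
    if m is None:
        # Unparseable query: echo zero ports with the RFC 1413 error token.
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return "%d , %d : ERROR : INVALID-PORT" % (sport, cport)
    if hide:
        return "%d , %d : ERROR : HIDDEN-USER" % (sport, cport)
    return "%d , %d : USERID : UNIX : %s" % (sport, cport, user)


class IdentHandler(socketserver.StreamRequestHandler):
    """One query per connection; the read is bounded so a client cannot stall us."""

    timeout = 10  # seconds before an idle client is dropped

    def handle(self):
        line = self.rfile.readline(512).decode("ascii", "replace").rstrip("\r\n")
        self.wfile.write((ident_reply(line) + "\r\n").encode("ascii"))


def serve(host="0.0.0.0", port=113):
    """Listen for ident queries (port 113 needs privileges; use a high port to test)."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((host, port), IdentHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```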




pfsync is killing my two machines

2004-05-18 Thread Wolfgang Pichler
hi all,

I have pfsync running on two Soekris net4801 machines on the sis2
interface over a cross link cable. If both machines are running and have
sis2 and pfsync0 up, then after a while the system load increases
until both machines get a kernel panic (I can stop it by simply
detaching the cross link cable, but I can't work on the console
because both machines become unresponsive).

On sis2 there is nothing else running

Here is my interface config on machine A:
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:92
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.254.254 netmask 0xff00 broadcast 192.168.254.255
pfsync0: flags=0<> mtu 1348
pfsync: syncif: sis2 maxupd: 128

Here for machine B:
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:4a
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.254.253 netmask 0xff00 broadcast 192.168.254.255
pfsync0: flags=0<> mtu 1348
pfsync: syncif: sis2 maxupd: 128

And here is my line in pf.conf for passing the pfsync traffic:
pass quick on { sis2 } proto pfsync

How can I debug this problem? Is it already known? Does a solution
already exist? Do you need more information?

David Krause also pointed out that he is having problems related to
pfsync

best regards
Wolfgang


Re: pfsync is killing my two machines

2004-05-18 Thread Johan Fredin


On Tue, 18 May 2004, Johan Fredin wrote:

 Try 'ifconfig pfsync0 up' on both machines.

I obviously didn't read Wolfgang's post as carefully as I should have. I'm
very sorry for this unnecessary mail, please ignore it.

/Johan


Re: pfsync is killing my two machines

2004-05-18 Thread Johan Fredin

On Tue, 18 May 2004, Wolfgang Pichler wrote:

 pfsync0: flags=0<> mtu 1348
 pfsync: syncif: sis2 maxupd: 128

 pfsync0: flags=0<> mtu 1348
 pfsync: syncif: sis2 maxupd: 128

Try 'ifconfig pfsync0 up' on both machines.

'echo up syncif sis2 > /etc/hostname.pfsync0' to make it happen at a 
reboot.

/Johan


Re: pfsync is killing my two machines

2004-05-18 Thread Wolfgang Pichler
I now have an idea of what could cause this behaviour...

Firewall A has on its internal interface the address 172.16.0.254.
Firewall B has on its internal interface the address 172.16.0.253.
Both firewalls have on the internal carp interface the address
172.16.0.2.
pfsync is syncing the states between both.

What would happen if I directly connect to firewall A on 172.16.0.254?
pfsync will sync the newly created state to firewall B, but firewall B has
no idea what to do with this state, simply because it doesn't have the
172.16.0.254 IP address. The same also happens when I connect directly
to firewall B.

Could it be that this is causing the death of the machines?

best regards
Wolfgang



Review of my pf.conf

2003-10-21 Thread Ryan
Hi, I've created my first pf.conf file and was wondering if it can be
optimized more. This pf.conf was made by looking at other pf.conf
files. I've also been having problems with DHCP leases.

Here is what the internal machine needs:

ftp, ssh, smtp, dns, http, pop3, ntp, https, aim (5190), the ability to
traceroute and ping, but I want to stop people from pinging and
tracerouting me (the firewall).

Here is my pf.conf:
---
#
# Interface:
# sis0 - internal to private network
# fxp0 - external to cable modem
#

# Macros
#
ext_if = fxp0
unfiltered = { lo0, sis0 }
unroutable = { 0.0.0.0/32, 10.0.0.0/8, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
255.255.255.255/32 }
services_tcp = { 21, 22, 25, 53, 80, 110, 123, 443, 1024 }


# Tables
#

# Options
#
set loginterface $ext_if
set limit { frags 500, states 1 }
set optimization aggressive
set block-policy drop
set require-order yes

# Traffic Normalization
#
scrub in on $ext_if all
scrub out on $ext_if all random-id

# Queueing
#

# Translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# nat private network to single routable address
nat on $ext_if inet from 192.168.0.0/16 to any -> $ext_if

# ftp-proxy redirection
rdr on $ext_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# =====================================================
# Packet Filtering Rules (default block/pass)
# =====================================================

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# =====================================================
# external interface (all external IPv4 traffic)
# =====================================================

# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any \
port { 111, 445, 6000 }
block return-icmp in quick on $ext_if proto udp from any to any \
port { 135, 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any

# ICMP
#
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state

# UDP
#
pass out on $ext_if inet proto udp from any to any \
keep state
pass in on $ext_if inet proto udp from any to $ext_if \
port { 53, 68 } keep state

# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10)
---

Let me know how I can improve this, thanks.




Re: Review of my pf.conf

2003-10-21 Thread Curt Micol, PPC
Quickly looking at it, you need to specify in your NAT rule that the external 
interface is dynamically assigned an address.  Although, maybe I am wrong, I am 
assuming from your message that you are on a dynamic IP.  Replace this:

 nat on $ext_if inet from 192.168.0.0/16 to any -> $ext_if

with:

 nat on $ext_if inet from 192.168.0.0/16 to any -> ($ext_if)

I can't find this in the manpage.  It is either there or here, 
http://www.openbsd.org/faq/pf/index.html

-c




Re: Can't seem to get my rules correct...RESOLVED, almost

2003-10-02 Thread Jason Williams
Ok...Narrowing down the problem here.
The problem, obviously, is with my rules.
I can SSH to the box from my intranet only.
My rules are allowing port 25 in, and it seems, nothing else.
The problem is when postfix tries to relay mail to my internal mail server. 
When the rules are up, mail cannot find a route. When the rules are down, 
it works perfectly.
Here is the snip from the maillog:

Oct  1 10:11:26 blowfish postfix/smtp[26912]: connect to 
192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct  1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: 
to=[EMAIL PROTECTED], relay=none, delay=0, status=deferred 
(connect to 192.168.1.165[192.168.1.165]: No route to host)

Here are my rules:

ext_if=fxp0  # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }
#Tables
table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 
192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services 
flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 
22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
And here is a snippet from my pflog:

Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 
10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 
mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0 (DF)

Quick note: 10.0.1.80 is the OpenBSD mail gateway.
192.168.1.165 is the internal mail server.
The log clearly states the problem. Now I'm trying to figure out how to 
tweak my rules.
Is the problem due to my table for NoRouteIPs?

I tried removing 10.0.0.0/8 from the table, but it did not work.
Also, as far as tables are concerned, does it matter which order you place 
the entries in?

Thanks everyone.

Cheers,

Jason
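
To check the suspicion about the table against the pflog line above, here is an added example (Python, not code from the thread) that models a pf table lookup (longest prefix match, where a leading '!' entry only carves out the prefix it names) and parses the logged destination. The table contents are the ones posted above; the sample log line is the one above with the '>' between the two endpoints restored, and the second table variant is an assumption of this example.

```python
import ipaddress
import re

# Added example, not from the thread. pf resolves a table lookup by the
# longest matching prefix; a negated ('!') entry only excludes the addresses
# that prefix covers.

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def table_lookup(entries, ip):
    """True if ip is in the table after longest-prefix matching with '!' honoured."""
    addr = ipaddress.ip_address(ip)
    best_net, best_negated = None, False
    for entry in entries:
        negated = entry.startswith("!")
        # strict=False accepts host bits such as 127.0.0.1/8, as pfctl does.
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_negated = net, negated
    return best_net is not None and not best_negated


def parse_pflog(line):
    """Pull rule number, direction, interface and endpoints out of a pflog line."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def explain_block(line, table):
    """Report whether the logged destination falls inside the given table."""
    rec = parse_pflog(line)
    if rec is None:
        raise ValueError("not a pflog line: %r" % line)
    return {"rule": rec["rule"], "dst": rec["dst"],
            "dst_in_table": table_lookup(table, rec["dst"])}


# Constructed sample: the thread's log line with the stripped '>' restored.
SAMPLE_LOG = ("Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: "
              "10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384")

# Table as posted: the '!' entry excludes 192.168.0.0/24, which does not
# contain the internal mail server 192.168.1.165.
TABLE_AS_POSTED = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
                   "192.168.0.0/16", "!192.168.0.0/24"]
# Assumed variant for comparison: the exclusion covers the mail server's subnet.
TABLE_FIXED = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "!192.168.1.0/24"]

if __name__ == "__main__":
    print(explain_block(SAMPLE_LOG, TABLE_AS_POSTED))  # dst_in_table True
    print(explain_block(SAMPLE_LOG, TABLE_FIXED))      # dst_in_table False
```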



Re: Can't seem to get my rules correct...RESOLVED, almost

2003-10-02 Thread j knight
Jason Williams wrote:

Our company firewall is a Watchguard (but good news is, our branch 
offices are going to be deploying OpenBSD!!)

Ok...since this mail gateway is on the DMZ, I had to setup a rule on our 
Company firewall, to allow traffic from the DMZ to our internal mail 
server.
As it stands right now, the rule allows IP address, 10.0.1.80 to 
192.168.1.165...
See, this is what I meant by sparseness of information. Why didn't you 
mention this earlier? Please everyone, be _detailed_ in your problem 
descriptions.

That has to be it.
So what I should change is the IP to, 10.0.1.100...that would allow 
traffic from that interface to the internal mail server, correct?
I have no idea what .100 is. I'm not even sure what 10.0.1/24 is anymore.

Let me give that a shot and see what happens.

Thanks for turning the light bulb on in my head. :)
Guy, this is not at all what I had in mind with my previous email :-/



.joel



Can't seem to get my rules correct...

2003-09-30 Thread Jason Williams
I keep locking myself out of the box. heheheh

Here is what I have: I have a OpenBSD Mail gateway on my DMZ. I want to 
only allow SMTP connections coming from my firewall, but allow SSH 
connections coming from my intranet.

My subnets:

DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block log all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>
# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services 
flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port 
$tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
I'm reading over the PF FAQ right now, trying to see where I've gone wrong.

I'm wondering if I need to add something like this:

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
Like I said, I want to be able to SSH to the box on the DMZ.

Any recommendations?

Thanks.

jason



Re: Can't seem to get my rules correct...RESOLVED

2003-09-30 Thread Jason Williams
Figured it out! Woot!
Feels good when you put your nose to the grind and hammer it out.
Did some mixing around, but this is the end result:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }
#Tables
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 
192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services 
flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 
22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from <trusted> to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

I can telnet to port 25 on it and it works. Denied on all other ports so far.
I can SSH from my intranet...
I'm happy. :)

Anyone care to make any comments or suggestions?

Thanks.

Jason




Question about PF for my setup

2003-09-09 Thread [EMAIL PROTECTED]
Hello everyone.

I had a question about a setup that I am working on at work and was hoping
to get some feedback here as to whether or not my setup will work.

Here it is:

I have set up a Mail Gateway on our DMZ running OpenBSD 3.3 with Postfix. I
have also set up PF on the mail gateway to add an extra layer of
protection on the mail gateway.

The company firewall is a brand called Watchguard. It is decent and does
the job. 

Here is what I setup:

I setup a rule on our company firewall to pass all incoming SMTP traffic to
the OpenBSD Mail gateway server on our DMZ. I then setup the mail gateway
to relay traffic to our intranet mail server. I also setup a second rule on
the company firewall to only allow traffic from the mail gateway to our
mail server using a smtp-filter rule.

Here are my PF rules on my OpenBSD box:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }

table <NoRouteIPs> { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block log all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

# only allow our machines to connect via ssh
#pass in on $IntIF inet proto tcp from $sshHost to any port = 22 keep state

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port
$tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established
connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Basically, what I want to do is only allow SMTP traffic to the mail gateway
and drop everything else. At the same time, I want to only allow SSH
connections from our intranet.

My questions, in a nutshell:

1.) Does it appear that my rules look sufficient to perform the duties?
Anything look like it could possibly be a problem?

2.) Because the company firewall is 'different' could it pose a problem
when passing traffic from the firewall to the mail gateway? (Like, could
the openbsd box disallow connections, drop connections etc.)

That is about it.

I appreciate everyone's help and input.

Jason







Help please, what is wrong with my pf.conf

2003-06-18 Thread Savage, Elijah
I tried to set up queuing based on the FAQ and website, but I just can't get
it to work. Downloading is great, but as soon as I start to upload my speed
drops way down to about the same speed as the upload. I have played around
with the queue statements and bandwidth settings but no luck. I am on an ADSL
link of 1.5 down/768 up; using different FTP sites to test throughput it
seems I get about 1330 down/605 up.
Maybe I have my rules out of place or something; I am at a loss.

I do appreciate any responses

# macros
int_if = xl0
ext_if = fxp0

tcp_services = { 22, 113 }
icmp_types = { 8, 11 }

priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set block-policy return 
set loginterface $ext_if

# scrub
scrub in all

#Que
altq on $ext_if priq bandwidth 525Kb queue { q_pri, q_def } queue q_pri
priority 7 queue q_def priority 1 priq(default)

# nat/rdr
nat on $ext_if from $int_if:network to any -> $ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 

# filter rules
block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services
flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto { udp, icmp } all keep state

pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state
queue (q_def, q_pri)

pass in  on $ext_if proto tcp from any to $ext_if flags S/SA keep state
queue (q_def, q_pri)



I can't connect my DMZ webserver!

2003-03-30 Thread dreamer
hi! 

Here is my network:
                    rl0
          xl0  +-----------+-- DMZ (webserver, dns, ftp)
router---------|  OBSD3.2  |
               +-----------+-- client
                    rl1
The problem is my webserver (win2000). This webserver has 3 sites.

My pf.conf is as follows.
xl0=128.134.54.151
rl0=192.168.0.1
rl1=10.0.0.1
webserver=192.168.0.2

//
rdr on xl0 proto tcp from any to 128.134.54.151 port 80 -> \
192.168.0.2 port 80

For testing:
If I use a single site on my webserver (Linux), that is OK! I can 
connect to my webserver!

If I telnet to my webserver, I can connect to port 80.
ex) telnet www.xxx.xx.xx 80
GET / HTTP/1.0
=> I get "page not found"!

Anyone help me!

PS) I am not familiar with English. I am sorry (for my expression)!



Re: I can't connect my DMZ webserver!

2003-03-30 Thread Daniel Hartmeier
On Sun, Mar 30, 2003 at 10:15:50PM +0900, dreamer wrote:

 If I telnet to my webserver, I can connect to port 80.
 ex) telnet www.xxx.xx.xx 80
 GET / HTTP/1.0
 => I get "page not found"!

The problem is not with pf or the redirection, but name based virtual
hosting at the web server. If you don't use dedicated IP addresses for
each domain, the web client must provide the domain in the HTTP host
header, otherwise the web server has no way of knowing which of the
several domains the client wants.

Try

  $ telnet www.xxx.xx.xx 80
  GET / HTTP/1.0
  Host: www.domain.tld

and see http://httpd.apache.org/docs/vhosts/name-based.html.

If the HTTP TCP connection is redirected, you get an established
connection, and can talk HTTP to the web server, the problem is beyond
pf.

Daniel



RFC - my firewall ruleset

2003-03-05 Thread Chris Willis
I would like to know what I can do to improve my firewall ruleset.  This exact set 
protects my own internal LAN (8 computers), and includes P2P rules.  I have similar 
rulesets protecting other networks I have worked on, none with more than 300 clients 
though.
 
# pF.conf working for Wall
# Variables & Tables
int_dev=xl0   # Internal network device.
ext_dev=ep0   # External network device.
cwork={ bunch of IPs here }
overpeer={ 64.15.228.160/27 }
max_mss=1432
unrouteable={ 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }
ext_bandwidth=1544Kb
# Options
set optimization conservative
set loginterface $ext_dev
# Normalize (defragment) packets on External Interface
scrub in on $ext_dev all fragment reassemble
scrub out on $ext_dev all max-mss $max_mss fragment reassemble
# NAT Rules
# only internal LAN gets NAT currently
nat on $ext_dev from 192.168.1.0/24 to any -> $ext_dev
# Port Forwarding Rules
rdr on $ext_dev proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_dev proto tcp from any to any port 892 -> 192.168.1.2 port 892
rdr on $ext_dev proto udp from any to any port 4665 -> 192.168.1.2 port 4665
rdr on $ext_dev proto tcp from any to any port 4662 -> 192.168.1.2 port 4662
rdr on $ext_dev proto tcp from any to any port 2000 -> 192.168.1.2 port 2000
rdr on $ext_dev proto tcp from any to any port 222 -> 192.168.1.2 port 222
rdr on $ext_dev proto tcp from any to any port 6774 -> 192.168.1.2 port 6774
rdr on $ext_dev proto tcp from any to any port 3389 -> 192.168.1.2 port 3389
rdr on $ext_dev proto tcp from any to any port 6699 -> 192.168.1.2 port 6699
rdr on $ext_dev proto udp from any to any port 6257 -> 192.168.1.2 port 6257
rdr on $ext_dev proto udp from any to any port 1494 -> 192.168.1.2 port 1494
# Deny all connections - default packet filter rule
block in log on $ext_dev from any to any label block_in_all
# pass all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all
# block out all Microsoft AD & Netbios traffic
# mainly a paranoia rule
block out log quick on $ext_dev inet proto tcp from any to any port 445
block out log quick on $ext_dev inet proto udp from any to any port { 138, 137, 139 }
# Outbound Connection Rules for External Interface
pass out quick on $ext_dev proto tcp all modulate state
pass out quick on $ext_dev proto udp all keep state
pass out quick on $ext_dev proto icmp all keep state
# Block in all invalid combos of TCP flags & Log them
# these rules exist mainly to log these packets so I can curse at the bad people
block in log quick on $ext_dev inet proto tcp  from any  to any flags /UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags F/AF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags P/AP 
block in log quick on $ext_dev inet proto tcp  from any  to any flags U/UA 
block in log quick on $ext_dev inet proto tcp  from any  to any flags RF/RF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags SF/SF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags RS/RS 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UPF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UPSF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UARSF/UAPRSF 
block in log quick on $ext_dev inet proto tcp  from any  to any flags UAPRSF/UAPRSF 
# Rules to allow incoming traffic for internal services & P2P traffic
pass in quick on $ext_dev proto tcp from any to 192.168.1.2 port { 443, 892, 222, 1494, 3389, 2000 } flags S/SA modulate state
pass in quick on $ext_dev proto tcp from any to $ext_dev port = 22 flags S/SA modulate state
pass in log quick on $ext_dev proto tcp from any to $ext_dev port = 25 flags S/SA modulate state
pass in on $ext_dev proto udp from any to 192.168.1.2 port { 4665, 6257 } keep state
pass in on $ext_dev proto tcp from any to 192.168.1.2 port { 4662, 6774, 6699 } modulate state
# block and log incoming packets from reserved address space and invalid addresses
block in log on $ext_dev inet from $unrouteable to any
# properly respond to ident protocol also
block return-rst  in proto tcp from any to any port { 111, 6000, 6667 }   
block return-icmp in proto udp from any to any port { 137 }
# block Overpeer shit
block in on $ext_dev inet from $overpeer to any




Request for comments on my -current firewall ruleset

2003-02-16 Thread Alistair Kerr



Two things: One is a question regarding scrub and 
the other is a request for comments on my pf ruleset (If someone has actually 
started using something like wiki then a pointer in that direction would be nice 
too :)

First my goals and circumstances for my 
ruleset:

I have an OpenBSD-current machine acting as my 
gateway/firewall/NAT box. There are a few Windows (2000) boxes and one 
OpenBSD-current box behind the NAT.
The gateway runs dhcpd on the internal interface, 
and also acts as a caching name server and the internal authoritative name server 
for my local domain. It runs ftp-proxy and tircproxy, and I've added entries to 
/etc/services for the ports that both of these proxies use. I've also added a 
_tirc user which tircproxy runs as. /dev/pf has been made group read/writeable 
and I've added a pf group and chown'd it to root:pf, and added _tirc, proxy and 
_identd to this group. I'm using oidentd instead of identd and it runs as user 
_identd.

From the external interface point of view, I 
run sshd and I have oidentd open to only the list of ips given from a table. I 
currently connect via 28.8kbps modem (hopefully to change soon ;)

From the internal interface point of view, I run 
the above mentioned services and ftpd, although the internal interface 
protection is permissive enough to allow the internal machines to connect to any 
other service listening on the internal interface. The internal interface is a 
100Mbps rl card.

My goals (other than to help prevent being 
hacked of course ;) are to stop spoofed packets (I looked at using antispoof but 
it didn't meet my requirements) from entering or leaving, to implement some sort 
of bandwidth priority, and otherwise to appear not to be running a firewall 
and, if possible, to mask what OS I'm running from fingerprinting. Currently 
I block icmp6.

My question regarding scrub is this: it would seem 
that scrub is stopping FIN, NULL and XMAS scans cold, and not returning anything 
at all. From my quick reading of the relevant RFC, an RST should be returned if 
the port is closed and an ACK should be returned if the port is open (although a 
number of OS's just return RSTs too). Either way, the scrub rule seems to drop 
the packet entirely, not passing it on to the filter rules giving me a chance to 
reply or not reply at my choosing. (I would prefer to reply with RST 
personally). I don't want to remove the scrub statement because then I'd lose 
the other benefits of scrub.

Also I've noticed when doing tcpdump's that when 
packets go through scrub the tcpdump's sometimes tend to mention that the packet 
has a bad IP checksum (well the TCP checksum was reported as ok, so I assume 
they mean the IP checksum). Is this known behaviour?

Anyway, here's my ruleset:

==


# Macros
int_if="rl1"
ext_if="tun0"
max_mss="1432"
min_highport="49152"
ext_bandwidth="28Kb"

# Tables
table <unrouteable> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }
table <noircproxy> persist file "/etc/pf/noircproxy" { }
table <allowedsmb> const { $int_if:network, 255.255.255.255 }
table <int_ok> const { $int_if:network, 255.255.255.255 }
table <bannedips> persist file "/etc/pf/bannedips" { }
table <identservers> persist file "/etc/pf/identservers" { }

# Options
set timeout tcp.closed 1

# Normalisation
scrub out on $ext_if all no-df max-mss $max_mss random-id
scrub out on $int_if inet from ! $int_if max-mss $max_mss
scrub log no-df

# Queues
altq on $ext_if cbq bandwidth $ext_bandwidth queue { std, bulk, medium, fast }
queue std cbq(default)
queue bulk priority 0
queue medium priority 4
queue fast priority 7

# Translation
nat on $ext_if inet from $int_if:network to ! $int_if:network -> $ext_if
rdr on $int_if inet proto tcp from $int_if:network to ! $int_if:network port 21 -> lo0 port ftpproxy
no rdr on $int_if inet proto tcp from $int_if:network to <noircproxy> port 6667
no rdr on $int_if inet proto tcp from $int_if to any port 6667
rdr on $int_if inet proto tcp from $int_if:network to ! $int_if port 6667 -> lo0 port ircproxy

# Filter Rules
# Default action is to block with return and log
block return log
# Don't log inet6
block return inet6
# Allow through unfiltered interfaces
pass quick on { lo0, lo1, enc0 }
# antispoof unfiltered interfaces
block in quick on ! lo0 inet from lo0:network
# Block non routeable packets
block log quick from no-route
block return log quick to no-route
# Block TCP connections with invalid flags
block quick proto tcp flags R/R
block return log quick proto tcp flags /S
block return log quick proto tcp flags A/A

# Internal Interface
# Incoming Internal
# Allow DHCP clients through to our DHCP server
pass in quick on $int_if inet proto udp from port = bootpc to { 255.255.255.255, $int_if } port = bootps keep state
# antispoof in for internal interfaces
block in log quick on ! $int_if inet from $int_if:network
block in quick on $int_if inet

Re: Request for comments on my -current firewall ruleset

2003-02-16 Thread James Nobis
The stopping of fingerprinting is an interesting issue.  Essentially you must
silently drop and not respond to as many things as possible.
Responding w/ RST's would be adverse to this goal.
The only things I allow from the outside are via this rule:
pass in inet proto tcp from any to any port $Services flags S/SAFRPU modulate state

The flags are key to decreasing the chance of fingerprints.  Essentially we only
allow in a syn packet with no other flags and then keep state.

Also, by using scrub, nmap will say you are OpenBSD 3.0 using scrub.

If you wish to cease to appear as OpenBSD you must also do the following:
sysctl -w net.inet.tcp.rfc1323=0

This is in regards to sending TCP timestamps, which is also a good way to be
fingerprinted.  This may have adverse effects on your packet transmission,
especially in a high latency environment, as this disables a sliding window for
packet size.

Essentially if you really wish to block fingerprinting you must respond only to
things that you have to while blocking everything else and silently dropping them.

In many cases the benefits of stopping fingerprinting are far outweighed by
convenience, i.e. do you really want to drop the packets silently or respond w/ RSTs,
and wouldn't it be nice to be pingable.

If you keep your pingable however I would disable icmp timestamps
net.inet.icmp.tstamprepl=0

Hope this was somewhat useful.

-James

 My goals (other than to help prevent being hacked of course ;) are to stop
 spoofed packets (I looked at using antispoof but it didn't meet my
 requirements) from entering or leaving, to implement some sort of bandwidth
 priority and to otherwise to appear to not being running a firewall and to if
 possible mask what OS I'm running from fingerprinting. Currently I block
 icmp6.




Re: Request for comments on my -current firewall ruleset

2003-02-16 Thread James Nobis
One of the key give aways can also be the total packet length:
http://www.incidents.org/papers/OSfingerprinting.php

The first document is a good read if you want to try to mimic another OS.

Active fingerprinting:
http://www.l0t3k.org/security/documents/fingerprinting/
http://www.insecure.org/nmap/nmap-fingerprinting-article.html


 Though you're right regarding what happens when a SYN+FIN for example
 packet comes in...It would currently create state on a later rule as it's
 not blocked with these ones. Of course such a SYN+FIN packet might be
 valid according to the RFC's, which is why I wrote the rules the way I
 did. I also used the flags in the block rules rather than the pass rules
 to save having to add flags to each pass rule later on. Of course, if I
 wanted to expand my flag blocking then I would need to add more block
 rules like my flags A/A rule.

I'm not sure how a SYN+FIN that isn't related to a current state is valid.

If you keep state on all your (valid) connections then it's a matter of the
timeout values.  Sure, you might end up blocking a SYN+FIN that is x seconds
after the state expired; in that case you adjust the timeout values.  For an
inbound connection only the S flag should be set (or perhaps ECN-related flags).
For outbound, if anything more than S is set, chances are someone is up to no
good, i.e. a port scan.  (This assumes you keep state.)

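The difference James and Alistair are discussing, shown as two alternative pf.conf fragments. This is an added example, not either poster's ruleset; the interface name and the service ports are assumptions, and only one of the two variants would be loaded at a time.

```pf
# Added example: how a TCP packet with a bogus flag combination (SYN+FIN,
# NULL, XMAS) arriving on the external interface is treated under two
# rule layouts.  tun0 and the ports are placeholders.
ext_if       = "tun0"
tcp_services = "{ 22, 113 }"

# Variant 1: block the named bad patterns, then pass what is left.
# flags /S matches "SYN clear", A/A matches "ACK set", R/R matches "RST set".
# A SYN+FIN probe has SYN set and ACK and RST clear, so none of the three
# block rules match it; no quick rule fired, evaluation continues, and the
# later pass rule creates state for the probe.
block return log quick proto tcp flags /S
block return log quick proto tcp flags A/A
block quick proto tcp flags R/R
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services keep state

# Variant 2: deny by default and let the pass rule describe exactly what a
# legitimate connection opener looks like.  flags S/SAFRPU examines the six
# flags after the slash and requires that only SYN be set, so SYN+FIN, NULL
# and XMAS probes never match the pass rule and fall to the silent default
# block.  block drop (rather than return) gives the scanner no RST to
# fingerprint; anything that must answer is listed in $tcp_services.
block drop log all
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services \
    flags S/SAFRPU modulate state
```

With variant 2 the separate flag-blocking rules become redundant for inbound connection attempts; keeping a `block ... log` rule for them is still useful if, as Chris does above, you want the probes logged.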



adding a new subnet to my firewall

2003-01-13 Thread Dan Heaver

Hiyas, although not strictly a pf question I hope someone can answer this one for me.

We have just been given a second routable set of IPs for our servers as we hit capacity on our old one.

In order to use these for NAT I obviously need to bind the addresses to our firewall's external interface...

They do however need a different gateway address; where do I specify this? Is it something in my hostname.rl1 file?

Dan

This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:

http://www.star.net.uk




Re: adding a new subnet to my firewall

2003-01-13 Thread Daniel Hartmeier
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote:

 In order to use these for NAT I obviously need to bind the addresses to our
 firewall's external interface...
 They do however need a different gateway address; where do I specify this?
 Is it something in my hostname.rl1 file?

OpenBSD itself does not support multiple default gateways. Incoming
packets on the new link will arrive fine without any routing table
additions, but outgoing packets to external hosts (even replies to
connections arriving through the new uplink) will only go through the
default gateway (through the old uplink).

You can use pf to route through interfaces explicitly:

  a) have nat use both external addresses with round-robin on
 connection level (this requires -current)
  b) make replies of incoming connections on the second interface
 go out through there again
  c) route outgoing connections selectively, based on some criteria
 (source/destination address, protocol, ports)

You can add explicit routing table entries for external hosts without
pf, but you can add only one default gateway. If you want to use the second
uplink only for a limited set of peers, the routing table will work,
otherwise you might want to use pf to spread the outgoing packets
for arbitrary destinations across the two uplinks.

Daniel
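The three approaches Daniel lists, written out as pf.conf rules in the nat-then-filter layout of this era. This is an added example and not Dan's or Daniel's configuration; the interface names, the LAN prefix and the two next-hop addresses are placeholders chosen for illustration.

```pf
# Added example: two uplinks on one OpenBSD pf box.  rl1/xl0, the gateway
# addresses and 192.168.1.0/24 are assumptions; substitute the real values.
int_if  = "rl0"           # internal LAN
ext_if1 = "rl1"           # old uplink, owner of the system default route
ext_if2 = "xl0"           # new uplink, whose next hop the kernel knows nothing about
ext_gw1 = "192.0.2.1"     # next hop reachable via $ext_if1 (placeholder)
ext_gw2 = "198.51.100.1"  # next hop reachable via $ext_if2 (placeholder)
lan_net = "192.168.1.0/24"

# nat is applied on the interface a packet actually leaves through, so each
# uplink needs its own rule translating to that uplink's own address.
nat on $ext_if1 from $lan_net to any -> $ext_if1
nat on $ext_if2 from $lan_net to any -> $ext_if2

block log all
pass quick on lo0 all

# (b) Connections arriving on the new uplink.  reply-to records the next hop
# in the state entry, so the return packets are handed to $ext_gw2 on
# $ext_if2 instead of following the routing table to the old default gateway.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $ext_if2 port 22 flags S/SA keep state

# (a) Per-connection round-robin across both uplinks for outgoing LAN TCP
# traffic.  route-to is evaluated on the inbound rule on the internal
# interface; the state entry remembers which next hop the connection got.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA keep state

# (c) Selective routing.  pf's last matching rule wins, so this more specific
# rule comes after the round-robin one: LAN web traffic always uses the new
# uplink, everything else keeps the behaviour of (a).
pass in on $int_if route-to ($ext_if2 $ext_gw2) proto tcp \
    from $lan_net to any port { 80, 443 } flags S/SA keep state

pass out on $ext_if1 keep state
pass out on $ext_if2 keep state

# A packet carrying one uplink's source address that the kernel hands to the
# other uplink (because only one default route exists) is steered back to
# the interface that owns that address.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

The two trailing `pass out ... route-to` rules are what make the second address usable at all without a second default route: without them the box's own replies and locally originated traffic sourced from $ext_if2 would leave via $ext_if1 and be dropped by the old provider's ingress filtering. Check the result with `pfctl -s state`, which shows the chosen next hop per state entry.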




RE: adding a new subnet to my firewall

2003-01-13 Thread Dan Heaver
Eek, that should keep me busy for a while :-~


Source-routing hanging my OpenBSD box

2002-10-29 Thread Helio Alexandre Lopes Loureiro
Hi Folks,

I introduced a OpenBSD 3.1 (stable) firewall in a network with 4
paths, described below:

                       xl0=192.168.0.254/24
                                |
                           +---------+
gw=2.2.8.1/26  xl3=2.2.8.20/26 |         | xl2=2.1.7.56/26  gw=2.1.7.1/26
-------------------------------|   FW    |-------------------------------
                           |         |
                           +---------+
                                |
                         xl1=2.2.8.65/26

So, I have two paths to the outside world, using 2.1.7.1/26 on xl2
or 2.2.8.1/26 on xl3, where my default route is via the 2.1.7.1/26 gateway.  I
would like to leave 192.168/24 traffic on the xl2 link (working by default)
and 2.2.8.64/26 on xl3.  I tried the following rule in pf:

pass in quick on xl1 route-to xl3:200.211.81.1 from 200.211.81.26/26 to
any keep state

Since my interface xl1 is not working either, as it is redirecting all
traffic to xl2, I tried this:

pass in quick on xl3 route-to xl3:200.211.81.1 from 200.211.81.20/32 to
any keep state

Using only one, or both rules, is just hanging my firewall. 
Does anyone have any idea what is wrong?

-- 

Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration
South America
Tel.: + 55 11 6224-1795 
Public Key ID: FB5972D1@http://search.keyserver.net