nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

hi,

please, may somebody help with the subj? is it possible at all on
FreeBSD with pf?

I need to binat some of my LAN (network A) ip addresses to some secure
communication addresses (network B) in order to access network C, which
is behind IPSec

target <-> world <--> em0 - freebsd - vlanA <--> LAN
^^   net A
||
+- netC -.-.-.-.- IPSec -.-.-.-.- net B -+

when I put some B network address on the freebsd box, then everything from
that address works, but when I try to bi/nat some network A address to some
network B address, it does not

in pf.conf I try this:

binat on vlanA from A1 to C3 -> B2

where:
A1 is some address from net A
B2 is some address from net B
C3 is some address from net C

I can see incoming packets from A1 to C3 on interface vlanA, but after
that the packets "disappear": I can not find them on any other interface and
there are no return packets

as far as I know I need "nat before vpn" ... but I was not able to find
how to do that ... can I do that with pf on freebsd?

I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf

please, help me understand what am I missing ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

wishmaster  wrote:

> If I understand you correctly, you want binat inside IPSec and

I'm not sure ... what I want is to nat packets from net A before they
enter IPSec, as if they originate not on the freebsd host

so, they enter IPSec already as net B packets ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: nat before ipsec ...

2013-12-26 Thread Zeus Panchenko

> target <-> world <--> em0 - freebsd - vlanA <--> LAN
> ^^   net A
> ||
> +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that, packets "disappears", I can not find them any other interface and
> no return packets

finally I was able to get the packets redirected (actually after pf restart,
not just reload) and now I have A1 packet going to C3 on vlanA

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further I can see them on the interface, IPSec configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the URL below the answer?

http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106


-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


nat lan to tun (nat before vpn)

2014-07-21 Thread Zeus Panchenko

hi,

I just stumbled on the subject ... please, may somebody advise what I am
missing?

I have:

FreeBSD 10.0-STABLE #0 r261303

BoxA:
 LAN: 192.168.0.1/24
 TUN (OpenVPN): 172.16.10.1 

 with route to 172.16/12 set via tun

BoxB:
 LAN: 192.168.0.2/24

 with route to 172.16/12 set via boxA lan

I need:
to give access to 172.16/12 for boxB via nat on boxA

in boxA pf.conf:

nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
pass in log on tun1
pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2

when I spawn traffic to 172.16/12 from boxB I can see the packets on boxA's
lan, but nothing on boxA's tun ...

so, can I do it this way, or do I need something else? is this the
nat-before-vpn case which is not implemented in FreeBSD pf yet (at least it
was so)?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


pfctl ... driver does not support altq

2014-11-03 Thread Zeus Panchenko

greetings,

I see the issue appears on the list from time to time, but I was not able to
find the solution for my case; please help me to get altq working on my
igb(4) if it is possible at all

I tried both the original OS igb(4) driver and the one from Intel, but the
result is the same

below are my details:


> uname -a
FreeBSD 10.0-RELEASE-p11 #2 r273597 and64


> dmesg
---[ quotation start ]---

igb3:  port 0xa000-0xa01f 
mem 0xf710-0xf717,0xf718-0xf7183fff irq 19 at device 0.0 on pci7
igb3: Using MSIX interrupts with 5 vectors
igb3: Ethernet address: 00:25:90:d1:dc:6b
igb3: Bound queue 0 to cpu 0
igb3: Bound queue 1 to cpu 1
igb3: Bound queue 2 to cpu 2
igb3: Bound queue 3 to cpu 3

---[ quotation end   ]---


> pciconf -l
igb3@pci0:7:0:0:class=0x02 card=0x153315d9 chip=0x15338086 rev=0x03 
hdr=0x00
vendor = 'Intel Corporation'
device = 'I210 Gigabit Network Connection'
class  = network
subclass   = ethernet


> /boot/loader.conf
---[ quotation start ]---

hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.rx_process_limit="-1"
hw.igb.num_queues=0
hw.igb.max_interrupt_rate=32000

net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=4
net.isr.maxqlimit=32768

---[ quotation end   ]---


> /usr/src/sys/amd64/conf/MY_KERNEL
---[ quotation start ]---

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG

---[ quotation end   ]---


> /etc/pf.conf
---[ quotation start ]---

altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber }
 queue wan_viber bandwidth 5Mb priority 0
 queue wan_rest bandwidth 995Mb cbq(default)

---[ quotation end   ]---


> service pf check && service pf reload
Checking pf rules.
Reloading pf rules.
pfctl: igb3: driver does not support altq

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


default to wan1, definite subnet replies to wan2

2016-08-04 Thread Zeus Panchenko
greetings,

I have two wan interfaces, wan1 and wan2

wan1 is for default

I have subnet in my LAN all replies from which I need to direct through
wan2

I hoped to do that with this pf configuration:

if_service = "vlan1234" # service network
table  const { 10.0.0.0/24 }
# requests for the service 
rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 
port 5678
nat log on $if_wan2 from  to any -> ($if_wan2)
...
pass in log on $if_video route-to ($if_wan3 $gw_wan3) from  to ! 
 keep state

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


wan1 as default, wan2 dedicated to a service

2016-08-04 Thread Zeus Panchenko
hi,
I need a trivial thing but am wondering where I am wrong ... :(
help please

I have two WAN interfaces: wan1 and wan2
wan1 is default route interface, wan2 is dedicated for DVR (video)

I'm trying to direct all output from the DVR to wan2 (here I do not care
where a request to the DVR came from, I want all replies to go out through wan2)

so, I hoped to do that with this pf.conf

---[ start ]
if_wan1 = "em0"
if_wan2 = "igb0" # ip address A.B.C.D
gw_wan2 = "E.F.G.H"
if_dvr="vlan123"
table  const { 10.0.0.0/24 }
# redirect all requests on wan2 to DVR host1
rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 
port 5678
nat log on $if_wan2 from  to any -> ($if_wan2)
...
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from  to any keep state
---[ stop  ]

as a result,
I see requests from world on $if_wan2
I see redirects of the requests, out packets on $if_dvr
I see replies to the requests, in packets on $if_dvr
but I see ($if_wan2) sourced replies, and I see them on *$if_wan1*

so, as I understand ... route-to works, otherwise the replies wouldn't be
sourced from ($if_wan2)

but the nated replies appear on $if_wan1, which is the default route ... so
... how can I have the replies go out through $if_wan2? is it a question of
a second routing table?

please, advise
-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: default to wan1, definite subnet replies to wan2

2016-08-04 Thread Zeus Panchenko
sorry for noise, please ignore this incomplete message

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: wan1 as default, wan2 dedicated to a service

2016-08-10 Thread Zeus Panchenko
Max  wrote:

> Probably you should use
> pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to 

thank you, Max, this helped

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
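The canonical pf way to get the result Max's rule achieved, as an added example that is not the thread's own pf.conf: attach reply-to to the filter rule that creates the state for requests arriving on wan2, so return packets follow the state instead of the routing table, and drop the `pass` modifier from the rdr so that filter rule is actually evaluated. Interface names, the wan2 gateway and the table name are assumed placeholders; the ports 1234 and 5678 are the ones from the thread.

```pf
# Added example, not the list poster's configuration. Interface, gateway and
# table names are assumed; 203.0.113.1 is a documentation-range placeholder.
if_wan1 = "em0"                 # default route goes out here
if_wan2 = "igb0"                # WAN dedicated to the DVR service
gw_wan2 = "203.0.113.1"         # next hop on wan2 (placeholder)
if_dvr  = "vlan123"
table <dvr> const { 10.0.0.0/24 }

# Translation rules are evaluated before the filter rules in this pf syntax.
# No "pass" modifier here: "rdr pass" accepts the packet and creates the state
# without consulting the filter rules, so a reply-to rule is never reached and
# the replies fall back to the routing table, i.e. they leave via wan1.
rdr on $if_wan2 inet proto { tcp, udp } to ($if_wan2) port 1234 \
    -> 10.0.0.1 port 5678
nat log on $if_wan2 from <dvr> to any -> ($if_wan2)

# Requests arriving on wan2; the destination is already rewritten by the rdr.
# reply-to stores the wan2 gateway in the state, so every return packet of the
# connection is handed to gw_wan2 on igb0 regardless of the default route.
pass in log on $if_wan2 reply-to ($if_wan2 $gw_wan2) inet proto { tcp, udp } \
    to 10.0.0.1 port 5678 keep state

# Connections the DVR opens itself (time sync, uploads) are forced out wan2
# with route-to; the nat rule above rewrites their source to wan2's address.
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from <dvr> to any keep state
```

Verify with `tcpdump -ni igb0` that both the redirected replies and DVR-originated traffic now leave on wan2, and with `pfctl -ss` that the states for port 5678 carry the reply-to gateway.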


pfsync for sshguard table sync on several hosts

2016-10-11 Thread Zeus Panchenko

hi,

please advise

I think of pfsync-ing the sshguard table content among several hosts to get
one big table on each host, since I want an IP blocked on one host to be
blocked on all the others automatically (all hosts are terminated in one
VPN) ...

am I correct to consider pfsync the right way to get that?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: pfsync for sshguard table sync on several hosts

2016-10-12 Thread Zeus Panchenko
mxb  wrote:

> Use BGP to distribute list of IP addresses.
> Like it is done at http://bgp-spamd.net/

what about pfsync indeed? I need a black list of addresses I can
control on my own, and installing BGP infrastructure for local needs
looks excessive

isn't pfsync aimed at tasks like this one?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)




[Q] what is the correct way to filter by remote pf?

2017-06-27 Thread Zeus Panchenko

greetings

please, advise

WHAT I HAVE:

routerB <-> netX/16
   ^
   |
   V
clients <-> routerA <-> netX/24


WHAT I NEED:
to provide `clients <-> netX/24' traffic on the basis of routerB's pf rules
so, the very decision to pass or to block has to be made on routerB



HOW I THINK TO DO THAT:

=====
VARIANT I
-----

---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from  to  tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end   ]---

---[ routerB pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_routerB-to-routerA from  to  tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block  to 
...
---[ routerB pf.conf quotation end   ]---


RESULTS: I see the packets redirected to routerB, but there the packets loop
 until the time to live is exceeded



=====
VARIANT II
-----

---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from  to  tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end   ]---


---[ routerB configuration quotation start ]---

rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"


pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from  to  tag AUTHED
block  to 

---[ routerB configuration quotation end   ]---


RESULTS: are same as for VARIANT I



=====
VARIANT III
-----

something else ...
may it relate to pfsync somehow?


-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


[Q] is there a way to use bgp-spamd.net?

2019-01-13 Thread Zeus Panchenko

hi,

is there a way to use BGP to block traffic, like it is described on
https://www.bgp-spamd.net/index.html

or even BGP feeds from spamhaus
https://www.spamhaus.org/news/article/683/spamhaus-releases-bgp-feed-bgpf-and-botnet-cc-list-bgpcc

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)