Re: Hardware recommendation for firewalls (more than 4 NICs)
I just spent some time on this and got a working image for the Watchguard Firebox X 500-2500 platforms. For more info about it, I'm keeping track of everything in a forum here: http://www.thewaffle.org/Forum/viewforum.php?f=6st=0sk=tsd=dstart=0 While I was at it, I pulled out an old Watchguard Firebox III and attempted to get the image working on it as well, to my surprise I was successful at this as well, tracking this platforms progress here: http://www.thewaffle.org/Forum/viewforum.php?f=25 These are great platforms for this application, onboard crypto accelerators and the 3port FBIII has a pci slot for expansion so you could get another 4 ports off it as well. They can be had for a reasonable price on eBay at most times. Let me know if anyon has any questions about this. Thanks, Jim On Wed, Aug 13, 2008 at 8:26 AM, James Records [EMAIL PROTECTED]wrote: I just got some screenshots of the project up, if you care to take a look: http://www.thewaffle.org/screenshots.html There is also a working copy of the VMware image of the project availible for download, see the following for brief instructions on how to setup the image: http://www.thewaffle.org/Forum/viewtopic.php?f=11t=11p=16#p16 pardon the site design, not my forte, hopefully getting someone else to build me something better soon. Over the next couple days I'll get an image made for the WG firebox X series, I have one laying around that I can work on, hopefully by this weekend. J On Fri, Aug 8, 2008 at 3:08 PM, James Records [EMAIL PROTECTED]wrote: Grab a Watchguard Firebox X off of ebay, they have 6 interfaces, and you can get them pretty cheap, some of the bigger ones have more, onboard crypto, perfect for building openbsd firewalls... you can run off a CF... I'm putting together a project that uses openbsd on these boxes. If you have any questions about running openbsd on them let me know: www.thewaffle.org Thanks, Jim On Fri, Aug 8, 2008 at 2:59 PM, phoenixcomm [EMAIL PROTECTED]wrote: MartC-n Coco wrote: Hi misc, I'm currently looking for hardware alternatives for firewalls that should have more than four NICs. Currently we are buying R200s from Dell, but we have the 4 NIC limitation. We could tell Dell to install a quad port NIC (in addition to the two-port onboard card), but I haven't read good things about the way they work. I've also looked into soekris, but they don't seem to have enough CPU for what we want (this is pure speculation) as we also have intense IPSec traffic on some of these firewalls (I've seen that some of them could have encryption boards added to increase performance, but I don't know if it works for any kind of protocol, or at what rate). In any case, what I would like to have is firewalls with multiple NICs (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at ~50Mbps (internal backbone firewalls). The multiple NICs are to use trunk, pfsync, real network interfaces, etc. Thanks, Martmn. Hi Gang, well heres my 3 cents, first why use a stupid PC (any os) for routing.. REALY BAD jue,jue brake down and buy a old Cisco 7200, 7500, 3600 they are all very good routers, I used a 7500 for a while and now use a 3640 i use pf as a transparent bridge behind my router.. and protects my servers I have 3 nics, (world, dmz, ssh) you could put up a firewall before your router and put everything out one vlan to the router. and I have a cisco 2900-xl-en switch with 3 vlans on it... and no bleeding.. enjoy Crazy Cris :working: -- View this message in context: http://www.nabble.com/Hardware-recommendation-for-firewalls-%28more-than-4-NI Cs%29-tp18413703p18899631.htmlhttp://www.nabble.com/Hardware-recommendation-for-firewalls-%28more-than-4-NICs%29-tp18413703p18899631.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: How to copy an entire directory to my home directory
* Pedro Martelletto wrote: On Thu, Aug 14, 2008 at 12:40:38PM -0700, Johan Beisser wrote: man cp(1) You're all apparently missing out on a great tool called GHome Mover (http://www.brookepeig.com/ghomemover/). I know the guy said he is logging in from remote, but it is definitely worth the effort having X installed on your server and tunneled through SSH just to use this absolutely revolutionary tool! There is also a console version, so X is not strictly needed. -p. -m.
Re: Using PF to NAT internal addresses over an IPSec link
On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote: Hi, I tried to reproduce what you want in my testing environment and managed to make it work. What you have to do is : - In your ipsec.conf, add an rule from your local network to the distant 172.25.0.1 (this rule is needed in order to route the traffic to enc0) Did you need to configure this on both ends? If I add a flow routing my network to the remote IP the packets never seem to get to enc0; it looks like isakmpd is stuck trying to negotiate something with the remove end. From what I can tell I need an SA for packets to get routed over enc0. In ipsec.conf I have: ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \ main auth hmac-md5 enc 3des \ quick auth hmac-md5 enc 3des group none \ psk yarg which lets me ping 172.25.0.1 from A.B.C.D. To route packets to 172.25.0.1 I am using flow from any to 172.25.0.1 peer W.X.Y.Z This does create appropriate encap entries in the routing tables, but I never see anything hit enc0.
Re: Using PF to NAT internal addresses over an IPSec link
Of course, as it is a testing environment it is a lot easier to make it work for me... On the remote side, a configured something like this (I suppose they have something of this kind on the other side) : ike passive esp from 172.25.0.1 to A.B.C.D And on the local server side, all I have is : ike esp from any to 172.25.0.1 peer W.X.Y.Z Never tried to use the flow directives as you did. I suppose that if as you said you have correct encap routes, packets headed to 172.25.0.1 should definitely go through enc0, then if you set nat on enc0, it should work as it does for me. Could you paste and show us the output of netstat -rnf encap and also if possible your pf.conf ? Regards, William 2008/8/15 Toby Burress [EMAIL PROTECTED]: On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote: Hi, I tried to reproduce what you want in my testing environment and managed to make it work. What you have to do is : - In your ipsec.conf, add an rule from your local network to the distant 172.25.0.1 (this rule is needed in order to route the traffic to enc0) Did you need to configure this on both ends? If I add a flow routing my network to the remote IP the packets never seem to get to enc0; it looks like isakmpd is stuck trying to negotiate something with the remove end. From what I can tell I need an SA for packets to get routed over enc0. In ipsec.conf I have: ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \ main auth hmac-md5 enc 3des \ quick auth hmac-md5 enc 3des group none \ psk yarg which lets me ping 172.25.0.1 from A.B.C.D. To route packets to 172.25.0.1 I am using flow from any to 172.25.0.1 peer W.X.Y.Z This does create appropriate encap entries in the routing tables, but I never see anything hit enc0.
Re: PPPoE - Connection reset by peer
Warning: disable lcp: Invalid command Warning: disable lcp: Failed 1 Brainfart, sorry. I confused it with disable lqr which had fixed a different problem for me. No idea for your problem. Sorry for posting noise.
Re: Using PF to NAT internal addresses over an IPSec link
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, a configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D
And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z
Ah, okay. It doesn't look like I have the luxury of simply saying
'from any to IP', since the remote end refuses to set up the SAs
in that case. I will try to get the other end to allow something
like that, since it seems like a MUCH better solution than the rube
goldberg stuff I'm playing with now, but half the reason I'm stuck
is the other guy doesn't return emails...
Never tried to use the flow directives as you did. I suppose that if
as you said you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0, then if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also
if possible your pf.conf ?
Encap:
Source Port DestinationPort Proto
SA(Address/Proto/Type/Direction)
172.25.0.1/32 0 A.B.C.D/32 0 0 W.X.Y.Z/esp/use/in
A.B.C.D/32 0 172.25.0.1/32 0 0 W.X.Y.Z/esp/require/out
172.25.0.1/32 0 default0 0 W.X.Y.Z/esp/use/in
default0 172.25.0.1/32 0 0 W.X.Y.Z/esp/use/out
The pf.conf is pretty complicated, but the relevant rules that get hit are:
ext_if=bge1
int_if=bge0
vpn_if=enc0
set ruleset-optimization none
set state-policy if-bound
set skip on { lo }
scrub all fragment reassemble reassemble tcp
nat on $vpn_if from 192.168.0.0/16 to any - A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any - E.F.G.H
block drop
pass quick on $vpn_if
pass quick on $int_if
And then there are others that eventually let us out of $ext_if as well.
Re: Using PF to NAT internal addresses over an IPSec link
Toby,
Actually, I was initially using my local subnet address rather than
any, but I realized that if did so, this address could be seen on
the remote vpn server by looking at the flows table.
After setting the from any rule, I realized that, yes it was more or
less working as expected, but it was screwing the internal carp
configuration on the remote side when you use the remote local subnet
as a target rather than 172.25.0.1. So I think it's not a good idea
anyway.
So I decided to try to set it up your way, with a manual flow directive.
I could make it work using something like :
ike esp from A.B.C.D to 172.25.0.1. peer W.X.Y.Z
flow from my.local.subnet to 172.25.0.1 peer W.X.Y.Z type require
(note that I had to set require to make it work)
But again the local subnet appears if you look at the flows on the
remote servers, so that's not what you want.
If I use any in place of my local subnet address, it doesn't work
for some reason I don't understand yet, I am just losing track of my
packets...
So I guess that as you said, you should try to get more informations
about the remote side configuration.
I would still be interested in knowing the clean and mighty way to
hide your local subnet topography.
Maybe using an intermediate local interface may help, as it was
suggested by Marc-Andre.
Regards,
William
2008/8/15 Toby Burress [EMAIL PROTECTED]:
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, a configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D
And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z
Ah, okay. It doesn't look like I have the luxury of simply saying
'from any to IP', since the remote end refuses to set up the SAs
in that case. I will try to get the other end to allow something
like that, since it seems like a MUCH better solution than the rube
goldberg stuff I'm playing with now, but half the reason I'm stuck
is the other guy doesn't return emails...
Never tried to use the flow directives as you did. I suppose that if
as you said you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0, then if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also
if possible your pf.conf ?
Encap:
Source Port DestinationPort Proto
SA(Address/Proto/Type/Direction)
172.25.0.1/32 0 A.B.C.D/32 0 0 W.X.Y.Z/esp/use/in
A.B.C.D/32 0 172.25.0.1/32 0 0
W.X.Y.Z/esp/require/out
172.25.0.1/32 0 default0 0 W.X.Y.Z/esp/use/in
default0 172.25.0.1/32 0 0 W.X.Y.Z/esp/use/out
The pf.conf is pretty complicated, but the relevant rules that get hit are:
ext_if=bge1
int_if=bge0
vpn_if=enc0
set ruleset-optimization none
set state-policy if-bound
set skip on { lo }
scrub all fragment reassemble reassemble tcp
nat on $vpn_if from 192.168.0.0/16 to any - A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any - E.F.G.H
block drop
pass quick on $vpn_if
pass quick on $int_if
And then there are others that eventually let us out of $ext_if as well.
Re: [OOT]a way to gather AS numbers ?
I was wondering if there is a way to collect all of the european AS numbers ? I took a look at the RIPE website, and I found nothing close to what I want to do. whois(1) was not of much help either. http://iana.org/assignments/as-numbers/ Grep for RIPE. The ultimate goal is to have a list of all the AS running free software for their routers, as I'll soon be on the look for a job (well, it's a heuristic like another one !) The IANA list will tell you which ranges were assigned to which RIR; you'll have to query the RIR via WHOIS to determine registrant. I'm not really familiar with the mechanisms that make the internet tick, so if I missed a clue, or am just being awfully rude, feel free to lart me. The IANA allocates number resources to the Regional Internet Registries, who in turn allocate to registrants in their region. See http://www.iana.org and http://www.nro.net for more information. cheers, Matt
Re: [OOT]a way to gather AS numbers ?
2008/8/14 dermiste [EMAIL PROTECTED]: I was wondering if there is a way to collect all of the european AS numbers ? Relevancy link (for the archives): http://en.wikipedia.org/wiki/Autonomous_system_(Internet)
You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf ?
how? jdk-1.7.0.00b24p2: complete --- jdk-1.7.0.00b24p2 --- You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf
load balancing traffic destined for the webserver with router and openbsd
Hallo! I use ip-based load balancing with carp on two-sided firewall, no nat, just routing and it works like this internet --- router -- 172.16.5.118:firewall:192.168.222.189 --- web server I tried this setup with two and more firewalls, where 5.118 is ip address assigned to outer carp0 interface and router uses it for routing subnet 192.168.222/24 behind the firewall. Web server uses .222.189 as their default gateway and it is inner carp1 interface's address. carp interfaces are configured like this in different firewalls (for example this is for one side, two-firewall setup) inet 172.16.5.118 255.255.255.0 195.222.5.0 carpnodes 1:100,2:0 balancing ip-stealth pass xxx carpdev em0 inet 172.16.5.118 255.255.255.0 195.222.5.0 carpnodes 1:0,2:100 balancing ip-stealth pass xxx carpdev em0 To my mind everything works like a charm, i see packages on every interface and only one of them processes them. They get out at the other side and 'magically' routing is symmetrical, i.e. each firewall accepts from webserver answers for the packets it sent out. PF is enabled. And here follows the problem part. With this described setup i have one doubt which seems to be remedied easy in my case since i can ask person responsible for the router to do load balancing on incoming traffic. Namely, i guess in case traffic flood comes in, every firewall gets incoming packets, although every firewall but one ignores each of them. Still i suspect that under heavy network load it leaves its mark on firewalls' performance. In the router it is possible to set up so to say src and dst address based hashed load-balancing (it is Juniper device) saying like this (5.116, 5.117 being firewalls' real outer ip addresses) route 192.168.222.0/24 next-hop [ 172.16.5.116 172.16.5.117 ] Now outer side of the firewalls doesnt have carp device configured any more and each physical firewall gets only its share of incoming packets, just as router decides to send them. And inner side of the firewall still has carp1 device configured as webserver's default gateway. The problem is that with this setup arises asymmetrical routing which i followed with tcpdump. If firewalls work with pf disabled (essentially as routers), traffic gets thru; but with it pf enabled it doesnt (in fact some wget's get answered but thats not obviously not enough). I believe it is possible to set up such a kind of pf.conf that works with asymmetrical traffic but the whole setup is then less balanced. I am sorry for the long description but i wanted to be clear of what i succeeded to configure and where i sumbled onto the obsticle. Is there a way to say to kernel that it does some kind of so to say stickyness to returning packets in a way packets get back to the very firewall they left? I.e. the the whole picture would be similar to the working case described in the beginning except Juniper does the load balancing and OpenBSD working with one carp interface on the inner side offering webserver a default gateway. Best regards, Imre PS As a somehow useable workaround would be not to use carp devices at all and to have packetes going to webserver nat'ed, but it has a drawback that webserver doesnt see any more their 'real' src addresses. PPS OpenBSD is needed between router and webserver to filter and analyze traffic.
Not updating .libs1-gettext-0.16.1, remember to clean it
how?
Re: You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf ?
On Fri, Aug 15, 2008 at 02:40:07PM -0600, macintoshzoom wrote: how? jdk-1.7.0.00b24p2: complete --- jdk-1.7.0.00b24p2 --- You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf You're asking a question about manpages and it doesn't come to mind to actually try using them ? If you're not going to use them, why are you asking this question ? Try reading the manpage, man.conf(5) Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Not updating .libs1-gettext-0.16.1, remember to clean it
On Fri, Aug 15, 2008 at 02:44:36PM -0600, macintoshzoom wrote: how? Please, try doing a bit of homework before posting one-word questions. This is OpenBSD, we have manpages. Read them, you'll find them quite informative (and less belligerent). Try pkg_add(1) and pkg_delete(1) on for size. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Not updating .libs1-gettext-0.16.1, remember to clean it
macintoshzoom wrote: how? http://marc.info/?l=openbsd-miscm=120345554523124w=2
Re: Not updating .libs1-gettext-0.16.1, remember to clean it
You know, if you go on like that, you're going to end up in my killfile, and a lot of other people as well.
[landisk] problem installing Aug 8th, snapshot
I haven't worked on any of my Plextors in awhile so I decided to install the Aug 11, 2008 snapshot. I kept having issues after dd'ng the miniroot, the boot loader would load then No OS Found. I kept thinking it was related to how I had the hard drive connected to boot strap system. So I kept at it for awhile, trying to modify drive settings via fdisk and disklabel. I finally dd'd a 4.3 release miniroot on to the drive and it boot okay. So I mount the 4.3 miniroot file system, copied the Aug 11 snapshot bsd and bsd.rd to the file system, dd'd it to the hard drive and voila it booted. Has anyone else tried to install a recent landisk snapshot? diana
OpenBSD at Defcon 16
OpenBSD is trusted to handle and defense Defcon network!! Nice!! DefCon 16: Hackers and a Gag Order in Sin City Posted by Scott_Ruecker on Aug 15, 2008 11:11 PM UTC LXer Linux News; By Derek Knowlton http://lxer.com/module/newswire/view/107146/ Quote: DefCon produces the most hostile network environment in the world every year. The DefCon network has evolved with the event. What started out as a casually constructed resource to provide access to the Internet and a venue for pranksters to attack has grown into a hardened network. A quad-core Xeon supports the network with openBSD as the firewall protecting a backbone link to (an estimated) 150 vlans, propagated to the public with 35 Aruba AP-70 wireless access points and 30 ethernet connections to support the administration of the event. The AP-70s are maintained by a management switch. The AP-70s allow and monitor traffic and can triangulate the position of signals received. Since they are all propagating a signal from the management switch, traffic can be analyzed and recorded for the competitions. -woss-
Re: OpenBSD at Defcon 16
This was posted up on Wired.com a few days ago. Both posts are interesting, but it might have been far more interesting to show something of the network diagram along with the pf.conf file. What could we learn from it? On Fri, Aug 15, 2008 at 9:58 PM, World of Open Source [EMAIL PROTECTED] wrote: OpenBSD is trusted to handle and defense Defcon network!! Nice!! DefCon 16: Hackers and a Gag Order in Sin City Posted by Scott_Ruecker on Aug 15, 2008 11:11 PM UTC LXer Linux News; By Derek Knowlton http://lxer.com/module/newswire/view/107146/ Quote: DefCon produces the most hostile network environment in the world every year. The DefCon network has evolved with the event. What started out as a casually constructed resource to provide access to the Internet and a venue for pranksters to attack has grown into a hardened network. A quad-core Xeon supports the network with openBSD as the firewall protecting a backbone link to (an estimated) 150 vlans, propagated to the public with 35 Aruba AP-70 wireless access points and 30 ethernet connections to support the administration of the event. The AP-70s are maintained by a management switch. The AP-70s allow and monitor traffic and can triangulate the position of signals received. Since they are all propagating a signal from the management switch, traffic can be analyzed and recorded for the competitions. -woss-
