Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-15 Thread James Records
I just spent some time on this and got a working image for the Watchguard
Firebox X 500-2500 platforms.

For more info about it, I'm keeping track of everything in a forum here:

http://www.thewaffle.org/Forum/viewforum.php?f=6&st=0&sk=t&sd=d&start=0

While I was at it, I pulled out an old Watchguard Firebox III and attempted
to get the image working on it as well, to my surprise I was successful at
this as well, tracking this platforms progress here:

http://www.thewaffle.org/Forum/viewforum.php?f=25

These are great platforms for this application, onboard crypto accelerators
and the 3-port FBIII has a PCI slot for expansion so you could get another 4
ports off it as well.   They can be had for a reasonable price on eBay at
most times.

Let me know if anyone has any questions about this.

Thanks,
Jim

On Wed, Aug 13, 2008 at 8:26 AM, James Records [EMAIL PROTECTED] wrote:

 I just got some screenshots of the project up, if you care to take a look:

 http://www.thewaffle.org/screenshots.html

 There is also a working copy of the VMware image of the project available
 for download, see the following for brief instructions on how to setup the
 image:

 http://www.thewaffle.org/Forum/viewtopic.php?f=11&t=11&p=16#p16

 pardon the site design, not my forte, hopefully getting someone else to
 build me something better soon.

 Over the next couple days I'll get an image made for the WG firebox X
 series, I have one laying around that I can work on, hopefully by this
 weekend.

 J

 On Fri, Aug 8, 2008 at 3:08 PM, James Records [EMAIL PROTECTED] wrote:

 Grab a Watchguard Firebox X off of ebay, they have 6 interfaces, and you
 can get them pretty cheap, some of the bigger ones have more, onboard
 crypto, perfect for building openbsd firewalls... you can run off a CF...

 I'm putting together a project that uses openbsd on these boxes.  If you
 have any questions about running openbsd on them let me know:

 www.thewaffle.org


 Thanks,
 Jim




 On Fri, Aug 8, 2008 at 2:59 PM, phoenixcomm [EMAIL PROTECTED] wrote:

 Martín Coco wrote:
 
  Hi misc,
 
  I'm currently looking for hardware alternatives for firewalls that
  should have more than four NICs.
 
  Currently we are buying R200s from Dell, but we have the 4 NIC
  limitation. We could tell Dell to install a quad port NIC (in addition
  to the two-port onboard card), but I haven't read good things about the
  way they work.
 
  I've also looked into soekris, but they don't seem to have enough CPU
  for what we want (this is pure speculation) as we also have intense
  IPSec traffic on some of these firewalls (I've seen that some of them
  could have encryption boards added to increase performance, but I don't
  know if it works for any kind of protocol, or at what rate).
 
  In any case, what I would like to have is firewalls with multiple NICs
  (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at
  least at ~50Mbps (internal backbone firewalls). The multiple NICs are
  to use trunk, pfsync, real network interfaces, etc.
 
  Thanks,
  Martín.
 
 
 
 Hi Gang,
 well here's my 3 cents,
 first why use a stupid PC (any os) for routing.. REALLY BAD jue,jue
 break down and buy a old Cisco 7200, 7500, 3600 they are all very good
 routers, I used a 7500 for a while and now use a 3640
 i use pf as a transparent bridge behind my router.. and protects my
 servers
 I have 3 nics, (world, dmz, ssh)

 you could put up a firewall before your router and put everything out one
 vlan to the router.
 and I have a cisco 2900-xl-en switch with 3 vlans on it... and no
 bleeding..
 enjoy
 Crazy Cris
 :working:
 --
 View this message in context:
 http://www.nabble.com/Hardware-recommendation-for-firewalls-%28more-than-4-NICs%29-tp18413703p18899631.html
 Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: How to copy an entire directory to my home directory

2008-08-15 Thread Marc Balmer
* Pedro Martelletto wrote:
 On Thu, Aug 14, 2008 at 12:40:38PM -0700, Johan Beisser wrote:
  man cp(1)
 
 You're all apparently missing out on a great tool called GHome Mover
 (http://www.brookepeig.com/ghomemover/). I know the guy said he is
 logging in from remote, but it is definitely worth the effort having X
 installed on your server and tunneled through SSH just to use this
 absolutely revolutionary tool!

There is also a console version, so X is not strictly needed.

 
 -p.
 
-m.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread Toby Burress
On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
 Hi,
 
 I tried to reproduce what you want in my testing environment and
 managed to make it work.
 
 What you have to do is :
  - In your ipsec.conf, add an rule from your local network to the
 distant 172.25.0.1 (this rule is needed in order to route the traffic
 to enc0)

Did you need to configure this on both ends?  If I add a flow routing
my network to the remote IP the packets never seem to get to enc0;
it looks like isakmpd is stuck trying to negotiate something with
the remote end.  From what I can tell I need an SA for packets to
get routed over enc0.

In ipsec.conf I have:

ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des group none \
psk yarg

which lets me ping 172.25.0.1 from A.B.C.D.  To route packets to
172.25.0.1 I am using

flow from any to 172.25.0.1 peer W.X.Y.Z

This does create appropriate encap entries in the routing tables,
but I never see anything hit enc0.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread william dunand
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, I configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D

And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z

Never tried to use the flow directives as you did. I suppose that if
as you said you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0, then if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also
if possible your pf.conf ?

Regards,
William

2008/8/15 Toby Burress [EMAIL PROTECTED]:
 On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
 Hi,

 I tried to reproduce what you want in my testing environment and
 managed to make it work.

 What you have to do is :
  - In your ipsec.conf, add an rule from your local network to the
 distant 172.25.0.1 (this rule is needed in order to route the traffic
 to enc0)

 Did you need to configure this on both ends?  If I add a flow routing
 my network to the remote IP the packets never seem to get to enc0;
 it looks like isakmpd is stuck trying to negotiate something with
 the remote end.  From what I can tell I need an SA for packets to
 get routed over enc0.

 In ipsec.conf I have:

 ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des group none \
psk yarg

 which lets me ping 172.25.0.1 from A.B.C.D.  To route packets to
 172.25.0.1 I am using

 flow from any to 172.25.0.1 peer W.X.Y.Z

 This does create appropriate encap entries in the routing tables,
 but I never see anything hit enc0.



Re: PPPoE - Connection reset by peer

2008-08-15 Thread Olaf Schreck
 Warning: disable lcp: Invalid command
 Warning: disable lcp: Failed 1

Brainfart, sorry.  I confused it with disable lqr which had fixed a 
different problem for me.  No idea for your problem.

Sorry for posting noise.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread Toby Burress
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
 Of course, as it is a testing environment it is a lot easier to make
 it work for me...
 On the remote side, a configured something like this (I suppose they
 have something of this kind on the other side) :
 ike passive esp from 172.25.0.1 to A.B.C.D
 
 And on the local server side, all I have is :
 ike esp from any to 172.25.0.1 peer W.X.Y.Z

Ah, okay.  It doesn't look like I have the luxury of simply saying
'from any to IP', since the remote end refuses to set up the SAs
in that case.  I will try to get the other end to allow something
like that, since it seems like a MUCH better solution than the rube
goldberg stuff I'm playing with now, but half the reason I'm stuck
is the other guy doesn't return emails...

 
 Never tried to use the flow directives as you did. I suppose that if
 as you said you have correct encap routes, packets headed to
 172.25.0.1 should definitely go through enc0, then if you set nat on
 enc0, it should work as it does for me.
 Could you paste and show us the output of netstat -rnf encap and also
 if possible your pf.conf ?

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
172.25.0.1/32      0     A.B.C.D/32         0     0     W.X.Y.Z/esp/use/in
A.B.C.D/32         0     172.25.0.1/32      0     0     W.X.Y.Z/esp/require/out
172.25.0.1/32      0     default            0     0     W.X.Y.Z/esp/use/in
default            0     172.25.0.1/32      0     0     W.X.Y.Z/esp/use/out


The pf.conf is pretty complicated, but the relevant rules that get hit are:

ext_if=bge1
int_if=bge0
vpn_if=enc0
set ruleset-optimization none
set state-policy if-bound
set skip on { lo }
scrub all fragment reassemble reassemble tcp
nat on $vpn_if from 192.168.0.0/16 to any -> A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any -> E.F.G.H
block drop
pass quick on $vpn_if
pass quick on $int_if

And then there are others that eventually let us out of $ext_if as well.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread william dunand
Toby,

Actually, I was initially using my local subnet address rather than
any, but I realized that if I did so, this address could be seen on
the remote vpn server by looking at the flows table.
After setting the from any rule, I realized that, yes it was more or
less working as expected, but it was screwing the internal carp
configuration on the remote side when you use the remote local subnet
as a target rather than 172.25.0.1. So I think it's not a good idea
anyway.

So I decided to try to set it up your way, with a manual flow directive.
I could make it work using something like :
ike esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z
flow from my.local.subnet to 172.25.0.1 peer W.X.Y.Z type require

(note that I had to set require to make it work)

But again the local subnet appears if you look at the flows on the
remote servers, so that's not what you want.
If I use any in place of my local subnet address, it doesn't work
for some reason I don't understand yet, I am just losing track of my
packets...

So I guess that as you said, you should try to get more information
about the remote side configuration.
I would still be interested in knowing the clean and mighty way to
hide your local subnet topography.
Maybe using an intermediate local interface may help, as it was
suggested by Marc-Andre.

Regards,
William



2008/8/15 Toby Burress [EMAIL PROTECTED]:
 On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
 Of course, as it is a testing environment it is a lot easier to make
 it work for me...
 On the remote side, a configured something like this (I suppose they
 have something of this kind on the other side) :
 ike passive esp from 172.25.0.1 to A.B.C.D

 And on the local server side, all I have is :
 ike esp from any to 172.25.0.1 peer W.X.Y.Z

 Ah, okay.  It doesn't look like I have the luxury of simply saying
 'from any to IP', since the remote end refuses to set up the SAs
 in that case.  I will try to get the other end to allow something
 like that, since it seems like a MUCH better solution than the rube
 goldberg stuff I'm playing with now, but half the reason I'm stuck
 is the other guy doesn't return emails...


 Never tried to use the flow directives as you did. I suppose that if
 as you said you have correct encap routes, packets headed to
 172.25.0.1 should definitely go through enc0, then if you set nat on
 enc0, it should work as it does for me.
 Could you paste and show us the output of netstat -rnf encap and also
 if possible your pf.conf ?

 Encap:
 Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 172.25.0.1/32      0     A.B.C.D/32         0     0     W.X.Y.Z/esp/use/in
 A.B.C.D/32         0     172.25.0.1/32      0     0     W.X.Y.Z/esp/require/out
 172.25.0.1/32      0     default            0     0     W.X.Y.Z/esp/use/in
 default            0     172.25.0.1/32      0     0     W.X.Y.Z/esp/use/out


 The pf.conf is pretty complicated, but the relevant rules that get hit are:

 ext_if=bge1
 int_if=bge0
 vpn_if=enc0
 set ruleset-optimization none
 set state-policy if-bound
 set skip on { lo }
 scrub all fragment reassemble reassemble tcp
 nat on $vpn_if from 192.168.0.0/16 to any -> A.B.C.D
 nat on $ext_if from 192.168.0.0/16 to any -> E.F.G.H
 block drop
 pass quick on $vpn_if
 pass quick on $int_if

 And then there are others that eventually let us out of $ext_if as well.
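An added example, not code from the thread: a small Python audit of the `netstat -rnf encap` table Toby posted. It flags outbound flows of type `use`, which let packets leave in the clear when no SA is present, whereas `require` drops them (the reason William had to set `type require`), checks that every outbound flow has a mirror inbound flow, and confirms that the address pf rewrites internal sources to on enc0 is covered by a `require` flow. A.B.C.D, W.X.Y.Z and 172.25.0.1 are the thread's placeholders; the sample table is constructed from the posted output.

```python
"""Audit OpenBSD IPsec flow (encap) table entries for plaintext fallback.

Added example, not code from the thread. Flow types follow ipsec.conf(5):
`use` sends in the clear if no SA exists, `require` drops instead.
"""
from dataclasses import dataclass

# Constructed sample: the encap table as posted in the thread, re-aligned.
SAMPLE_ENCAP = """\
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
172.25.0.1/32      0     A.B.C.D/32         0     0     W.X.Y.Z/esp/use/in
A.B.C.D/32         0     172.25.0.1/32      0     0     W.X.Y.Z/esp/require/out
172.25.0.1/32      0     default            0     0     W.X.Y.Z/esp/use/in
default            0     172.25.0.1/32      0     0     W.X.Y.Z/esp/use/out
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # IP protocol number as printed, "0" = any
    peer: str        # SA address (the IKE peer, W.X.Y.Z in the thread)
    sa_proto: str    # esp or ah
    kind: str        # use / require / acquire / ...
    direction: str   # in / out


def parse_encap(text):
    """Parse netstat -rnf encap output into Flow records, skipping the header."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "Source":
            continue
        src, _sport, dst, _dport, proto, sa = cols
        peer, sa_proto, kind, direction = sa.split("/")
        flows.append(Flow(src, dst, proto, peer, sa_proto, kind, direction))
    return flows


def audit_flows(flows, nat_addr, remote):
    """Return a list of findings; an empty list means nothing to report.

    nat_addr: address pf rewrites internal sources to on enc0 (A.B.C.D).
    remote:   protected destination reached over the tunnel (172.25.0.1).
    """
    findings = []
    outbound = [f for f in flows if f.direction == "out"]
    for f in outbound:
        if f.kind == "use":
            findings.append(f"plaintext fallback: {f.src} -> {f.dst} is type use, not require")
        # the return path needs a mirror inbound flow, or replies are not matched
        if not any(g.direction == "in" and g.src == f.dst and g.dst == f.src for g in flows):
            findings.append(f"no inbound flow mirrors {f.src} -> {f.dst}")
    covered = any(f.src == f"{nat_addr}/32" and f.dst == f"{remote}/32" and f.kind == "require"
                  for f in outbound)
    if not covered:
        findings.append(f"NAT address {nat_addr} has no require flow to {remote}")
    return findings


if __name__ == "__main__":
    for finding in audit_flows(parse_encap(SAMPLE_ENCAP), "A.B.C.D", "172.25.0.1"):
        print(finding)
```

Run against Toby's table it reports only the `default -> 172.25.0.1/32` flow, which is the one his `flow from any ...` line created without `type require`.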



Re: [OOT]a way to gather AS numbers ?

2008-08-15 Thread Matt Rowley
 I was wondering if there is a way to collect all of the european AS numbers ?
 I took a look at the RIPE website, and I found nothing close to what I
 want to do.
 whois(1) was not of much help either.

http://iana.org/assignments/as-numbers/

Grep for RIPE.

 The ultimate goal is to have a list of all the AS running free
 software for their routers, as I'll soon be on the look for a job
 (well, it's a heuristic like another one !)

The IANA list will tell you which ranges were assigned to which RIR; you'll
have to query the RIR via WHOIS to determine registrant.

 I'm not really familiar with the mechanisms that make the internet
 tick, so if I missed a clue, or am just being awfully rude, feel free
 to lart me.

The IANA allocates number resources to the Regional Internet Registries, who
in turn allocate to registrants in their region.

See http://www.iana.org and http://www.nro.net for more information.

cheers,
Matt



Re: [OOT]a way to gather AS numbers ?

2008-08-15 Thread ropers
2008/8/14 dermiste [EMAIL PROTECTED]:
 I was wondering if there is a way to collect all of the european AS numbers ?

Relevancy link (for the archives):
http://en.wikipedia.org/wiki/Autonomous_system_(Internet)



You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf ?

2008-08-15 Thread macintoshzoom

how?

jdk-1.7.0.00b24p2: complete
--- jdk-1.7.0.00b24p2 ---
You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf



load balancing traffic destined for the webserver with router and openbsd

2008-08-15 Thread Imre Oolberg

Hallo!

I use ip-based load balancing with carp on two-sided firewall, no nat, 
just routing and it works like this


  internet --- router --  172.16.5.118:firewall:192.168.222.189 --- web server


I tried this setup with two and more firewalls, where 5.118 is ip 
address assigned to outer carp0 interface and router uses it for routing 
subnet 192.168.222/24 behind the firewall. Web server uses .222.189 as 
their default gateway and it is inner carp1 interface's address.


carp interfaces are configured like this in different firewalls (for 
example this is for one side, two-firewall setup)


inet 172.16.5.118 255.255.255.0 195.222.5.0 carpnodes 1:100,2:0 balancing ip-stealth pass xxx carpdev em0
inet 172.16.5.118 255.255.255.0 195.222.5.0 carpnodes 1:0,2:100 balancing ip-stealth pass xxx carpdev em0


To my mind everything works like a charm, i see packets on every 
interface and only one of them processes them. They get out at the other 
side and 'magically' routing is symmetrical, i.e. each firewall accepts 
from webserver answers for the packets it sent out. PF is enabled.


And here follows the problem part.

With this described setup i have one doubt which seems to be remedied 
easy in my case since i can ask person responsible for the router to do 
load balancing on incoming traffic. Namely, i guess in case traffic 
flood comes in, every firewall gets incoming packets, although every 
firewall but one ignores each of them. Still i suspect that under heavy 
network load it leaves its mark on firewalls' performance.


In the router it is possible to set up so to say src and dst address 
based hashed load-balancing (it is Juniper device) saying like this 
(5.116, 5.117 being firewalls' real outer ip addresses)


route 192.168.222.0/24 next-hop [ 172.16.5.116 172.16.5.117 ]

Now outer side of the firewalls doesn't have carp device configured any 
more and each physical firewall gets only its share of incoming packets, 
just as router decides to send them.


And inner side of the firewall still has carp1 device configured as 
webserver's default gateway.


The problem is that with this setup arises asymmetrical routing which i 
followed with tcpdump. If firewalls work with pf disabled (essentially 
as routers), traffic gets thru; but with pf enabled it doesn't (in 
fact some wget's get answered but that's obviously not enough). I 
believe it is possible to set up such a kind of pf.conf that works with 
asymmetrical traffic but the whole setup is then less balanced.


I am sorry for the long description but i wanted to be clear of what i 
succeeded to configure and where i stumbled onto the obstacle.  Is there 
a way to say to kernel that it does some kind of so to say stickiness to 
returning packets in a way packets get back to the very firewall they 
left? I.e. the whole picture would be similar to the working case 
described in the beginning except Juniper does the load balancing and 
OpenBSD working with one carp interface on the inner side offering 
webserver a default gateway.



Best regards,

Imre

PS As a somehow usable workaround would be not to use carp devices at 
all and to have packets going to webserver nat'ed, but it has a 
drawback that webserver doesn't see any more their 'real' src addresses.


PPS OpenBSD is needed between router and webserver to filter and analyze 
traffic.




Not updating .libs1-gettext-0.16.1, remember to clean it

2008-08-15 Thread macintoshzoom

how?



Re: You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf ?

2008-08-15 Thread Paul de Weerd
On Fri, Aug 15, 2008 at 02:40:07PM -0600, macintoshzoom wrote:
 how?

 jdk-1.7.0.00b24p2: complete
 --- jdk-1.7.0.00b24p2 ---
 You may wish to add /usr/local/jdk-1.7.0/man to /etc/man.conf

You're asking a question about manpages and it doesn't come to mind to
actually try using them ? If you're not going to use them, why are you
asking this question ?

Try reading the manpage, man.conf(5)

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: Not updating .libs1-gettext-0.16.1, remember to clean it

2008-08-15 Thread Paul de Weerd
On Fri, Aug 15, 2008 at 02:44:36PM -0600, macintoshzoom wrote:
 how?

Please, try doing a bit of homework before posting one-word questions.
This is OpenBSD, we have manpages. Read them, you'll find them quite
informative (and less belligerent).

Try pkg_add(1) and pkg_delete(1) on for size.

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: Not updating .libs1-gettext-0.16.1, remember to clean it

2008-08-15 Thread Frank Bax

macintoshzoom wrote:

 how?

http://marc.info/?l=openbsd-misc&m=120345554523124&w=2



Re: Not updating .libs1-gettext-0.16.1, remember to clean it

2008-08-15 Thread Marc Espie
You know, if you go on like that, you're going to end up in my killfile,
and a lot of other people as well.



[landisk] problem installing Aug 8th, snapshot

2008-08-15 Thread Diana Eichert

I haven't worked on any of my Plextors in awhile so I decided to
install the Aug 11, 2008 snapshot.  I kept having issues after
dd'ng the miniroot, the boot loader would load then No OS Found.
I kept thinking it was related to how I had the hard drive
connected to boot strap system.  So I kept at it for awhile,
trying to modify drive settings via fdisk and disklabel.

I finally dd'd a 4.3 release miniroot on to the drive and it
boot okay.  So I mount the 4.3 miniroot file system, copied the
Aug 11 snapshot bsd and bsd.rd to the file system, dd'd it to
the hard drive and voila it booted.

Has anyone else tried to install a recent landisk snapshot?

diana



OpenBSD at Defcon 16

2008-08-15 Thread World of Open Source
OpenBSD is trusted to handle and defend the Defcon network!! Nice!!

DefCon 16: Hackers and a Gag Order in Sin City
Posted by Scott_Ruecker on Aug 15, 2008 11:11 PM UTC
LXer Linux News; By Derek Knowlton
http://lxer.com/module/newswire/view/107146/

Quote:

DefCon produces the most hostile network environment in the world every
year. The DefCon network has evolved with the event. What started out as a
casually constructed resource to provide access to the Internet and a venue
for pranksters to attack has grown into a hardened network. A quad-core Xeon
supports the network with openBSD as the firewall protecting a backbone link
to (an estimated) 150 vlans, propagated to the public with 35 Aruba AP-70
wireless access points and 30 ethernet connections to support the
administration of the event. The AP-70s are maintained by a management
switch. The AP-70s allow and monitor traffic and can triangulate the
position of signals received. Since they are all propagating a signal from
the management switch, traffic can be analyzed and recorded for the
competitions.

-woss-



Re: OpenBSD at Defcon 16

2008-08-15 Thread Steve B
This was posted up on Wired.com a few days ago. Both posts are interesting,
but it might have been far more interesting to show something of the network
diagram along with the pf.conf file. What could we learn from it?

On Fri, Aug 15, 2008 at 9:58 PM, World of Open Source 
[EMAIL PROTECTED] wrote:

 OpenBSD is trusted to handle and defend the Defcon network!! Nice!!

 DefCon 16: Hackers and a Gag Order in Sin City
 Posted by Scott_Ruecker on Aug 15, 2008 11:11 PM UTC
 LXer Linux News; By Derek Knowlton
 http://lxer.com/module/newswire/view/107146/

 Quote:

 DefCon produces the most hostile network environment in the world every
 year. The DefCon network has evolved with the event. What started out as a
 casually constructed resource to provide access to the Internet and a venue
 for pranksters to attack has grown into a hardened network. A quad-core Xeon
 supports the network with openBSD as the firewall protecting a backbone link
 to (an estimated) 150 vlans, propagated to the public with 35 Aruba AP-70
 wireless access points and 30 ethernet connections to support the
 administration of the event. The AP-70s are maintained by a management
 switch. The AP-70s allow and monitor traffic and can triangulate the
 position of signals received. Since they are all propagating a signal from
 the management switch, traffic can be analyzed and recorded for the
 competitions.

 -woss-