Re: low priority, pf rule set debugging

2005-12-22 Thread David fire
hi
these days I was doing that, debugging the firewall.
I do this:
I put log in each rule I want to debug
then pfctl -f /etc/pf.conf
then
pfctl -s rules > /home/david/rules.txt

then

tcpdump -n -e -ttt -i pflog0
you can look in the PF PDF for all the filter options

now try each rule and you will see what happened in the tcpdump output

good luck
David
2005/12/22, Peter N. M. Hansteen <[EMAIL PROTECTED]>:
>
> Joachim Schipper <[EMAIL PROTECTED]> writes:
>
> > I like to macro pretty much every variable that is used in more than one
> > place (i.e., hostnames, ports, etc; hostnames are especially likely to
> > be re-re-re-...-used).
>
> That is very good advice. I tend to advocate that myself.
>
> > If you choose good names, it can make stuff easier to understand; and
> > typos tend to be far more disastrous (either giving syntax errors or
> > breaking a large part of the configuration), which is a good thing as
> > you can then fix it immediately.
>
> This also is very true. There is no silver bullet, but keeping your rule
> set readable will help prevent a lot of headaches.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
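The debugging procedure David describes above (log on the rules, reload, dump the rule set, watch pflog0) gets much easier once the rule numbers in the tcpdump output are tied back to the rule text. As an added example that is not part of the original mail, the POSIX sh script below does that correlation on two constructed captures in the format of `tcpdump -n -e -ttt -i pflog0` and `pfctl -vvs rules` (the -vv is what adds the @N numbers that pflog entries refer to).

```shell
#!/bin/sh
# Added example, not from the original post: correlate the rule numbers that
# `tcpdump -n -e -ttt -i pflog0` prints with the numbered rule set from
# `pfctl -vvs rules` (the -vv adds the @N numbers that pflog refers to).
# Both captures below are constructed samples in the OpenBSD output format;
# on a live box replace them with the real command output.

RULES_DUMP='@0 block return log all
@1 pass quick on lo0 all
@2 pass in log on vr0 inet proto tcp from 192.168.100.0/24 to 192.168.15.241 port = 22 keep state
@3 pass out log on vr1 inet proto icmp all keep state'

PFLOG_SAMPLE='000000 rule 0/0(match): block in on vr0: 192.168.100.2.1025 > 192.168.15.241.80: S 1:1(0) win 65535
000321 rule 2/0(match): pass in on vr0: 192.168.100.2.1026 > 192.168.15.241.22: S 2:2(0) win 65535
000012 rule 0/0(match): block in on vr0: 192.168.100.2.1027 > 192.168.15.241.443: S 3:3(0) win 65535
000500 rule 3/0(match): pass out on vr1: 192.168.15.243 > 192.168.15.241: icmp: echo request'

# Print "<hits> <rule#> <action> <dir> <iface>" per logged rule, busiest first.
pflog_hits() {
    printf '%s\n' "$PFLOG_SAMPLE" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "rule") {
                split($(i + 1), r, "/")      # "2/0(match):" -> rule number 2
                key = r[1] " " $(i + 2) " " $(i + 3) " " $(i + 5)
                sub(/:$/, "", key)            # drop the ":" after the interface
                hits[key]++
            }
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Print the text of rule number $1 from the "@N ..." rule dump.
rule_text() {
    printf '%s\n' "$RULES_DUMP" |
        awk -v n="$1" '$1 == ("@" n) { $1 = ""; sub(/^ /, ""); print }'
}

# Join both: which rule (by text, not just number) produced each log entry.
report() {
    pflog_hits | while read -r count num action dir iface; do
        printf '%s hits on rule %s (%s %s on %s): %s\n' \
            "$count" "$num" "$action" "$dir" "$iface" "$(rule_text "$num")"
    done
}

report
```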



how to disable remote root login

2005-12-22 Thread David fire
hi
I was looking at how to disable remote root login but I can't find it.
any tip?

thanks
David



thanks

2005-11-18 Thread David fire
hi
thanks, all of you.
with your help I have finished the router and gateway.
thanks
david



pre defined macro

2005-11-16 Thread David fire
hi
I have almost finished my network; the only thing I need to finish is a way to tell
PF what the default gateway is.
look:
pass in on $int_if route-to \
($ext_if1 "default gateway") from $lan_net to any keep state
how can I tell that to pf?
thanks
David



bridge routing

2005-11-15 Thread David fire
hi
yes, me again

my box isn't routing
I have a bridge vr0 vr1
vr0 ip 192.168.100.1 255.255.255.0
vr1 ip 192.168.15.243 255.255.255.248
the only route rule is
route add 192.168.15.241 -interface 192.168.15.243

when I do a ping from 192.168.100.2 to vr1 I get an
answer, but if I do traceroute 192.168.15.241 (from
192.168.100.2) it only gets an answer from
192.168.100.1 and then no more

what should I do?
thanks
David



routing tables

2005-11-15 Thread David fire
hi
I read the man pages for netstat, route, routed, ifconfig, all of section 6 of
the FAQ, and I can't find where I should put the routing info. now I am doing
route add 198.162.15.0/8  .. route add
10.98.0.0/16   but when I reboot I must put it
again.

where should I put that?
thanks!!!
David



Re: share PPPoE

2005-11-11 Thread David fire
yes, you understand; I will send you your certificate as an Indian English
translator.
so I will use bridge, and I was all day reading the pf user guide.
thanks
David

2005/11/11, Joachim Schipper <[EMAIL PROTECTED]>:
>
> On Fri, Nov 11, 2005 at 09:34:35AM -0300, David fire wrote:
> > hi
> > I want to share the internet connection. I configured the PPPoE but I have a
> > bridge. should I do NAT with the interface which is the pppoe client and the if
> > where I want to share internet, or if I am doing the bridge I don't need
> > nat?
> > thanks!
> > David
>
> I am sorry, please rephrase this in a way I can understand. ;-)
>
> If you intended to ask this: yes, when using an OpenBSD box as a PPPoE
> router, it is possible to do NAT or bridging (probably both, too). I'd go
> with NAT, as this allows you to run multiple hosts and has some security
> benefits. [1]
>
> Someone else will have to comment on doing both.
>
> Joachim
>
> [1] Compared to a bridge, when neither is using pf. If using pf, well,
> it doesn't matter.



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread David fire
hi
you only tag the packets to port 1194 in both cases, and you are allowing only
tagged packets to ports 22, 80, 443

David


2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>
> I try to tag a connection on the wan_if and
> accordingly on the tag I'll restrict the
> access on another interface, like:
>
> an example ...
>
> pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
> pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state
>
> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
>
> ...
>
> but I don't know why. It doesn't work.
> I thought that works.
>
> I ask for advice.
> Thanks
>
> Karl-Heinz



share PPPoE

2005-11-11 Thread David fire
hi
I want to share the internet connection. I configured the PPPoE but I have a
bridge. should I do NAT with the interface which is the pppoe client and the if
where I want to share internet, or if I am doing the bridge I don't need nat?
thanks!
David



OPENBSD will implement TC technology?

2005-11-10 Thread David fire
new anti-privacy hardware developed by, yeah, Microsoft and Intel and others
look at this

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (English)

http://linuca.org/body.phtml?nIdNoticia=207 the same but in all other
languages


PS: Sorry for the OT



how to bridge

2005-11-08 Thread David fire
hi
I need to communicate 3 nets so I will use a bridge, so I am looking for a how-to.
I read the manual page but I am pretty new with OpenBSD so I prefer a how-to to
do this quickly. does anyone have one? or any text which can help me.
Thanks
David



Re: pppoe detail

2005-09-28 Thread David fire
look in www.openbsd.org, in the FAQs there is a very good FAQ on how to implement that,
and in OpenBSD support too
David

2005/9/28, Francisco Valladolid <[EMAIL PROTECTED]>:
> Hi Folks ..
>  I had recently installed an OpenBSD 3.8 -current machine, running the in-kernel
> PPPoE implementation (man 4 pppoe); while it connects fine to the internet
> (via ADSL modem) and does NAT correctly, I can't access the internal web server
> from the internet. It runs DynDNS.
>  The scenario is the following.
>  Internet - ADSL dc0-- OpenBSD 3.8 fxp0 --switch - LAN (192.168.0.0/24)
>  While I don't have a DMZ yet, I hope to have it shortly.
>
> int_if = "fxp0"
> ext_if = "pppoe0"
>
> tcp_services = "{ 22, 113 }"
> www_server = "192.168.1.100"
> webports = "{http, https}"
>
> # port 80 for www service running
> icmp_types = "echoreq"
>
> #priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # scrub for NAT in PPPoE for using max mtu value
> scrub out on pppoe0 max-mss 1440
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
>     port 8021
>
> # allow access to the HTTP server
> rdr on $ext_if proto tcp from any to any port 80 -> $www_server
>
> # redirect port 80 to 3128 to make squid transparent
> #rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     user proxy keep state
>
> # pass everything through squid
>
> # pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> # pass out on $ext_if inet proto tcp from any to any port www keep state
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> #
>
> pass in on $ext_if proto tcp from any to $www_server port 80 \
>     flags S/SA synproxy state
>
> Now, the www server (apache) located at 192.168.1.100
> does not work.
>
>  Any suggestions.
>
>  Regards.
>
> --
> ---
> BSD - Unix simplicity.
> Francisco Valladolid Hdez.
> [EMAIL PROTECTED]



3 networks, OpenBSD as router and file server

2005-09-28 Thread David fire
Hi

I have 2 networks, the developers network and the application network,
and an xDSL connection to the internet

now I have OpenBSD (3.8) as a router with xDSL and developers, but
I need to add the application network, which is another network with
different users and different IPs

Application network -> router <--- Developers network
                         ^
                         | internet (xDSL)

ok, the problem is: the developers network must have internet, the application
network mustn't have internet.
developers must see all the PCs in the application network, but application mustn't
have access to the developers network
and of course all the net must be secure

now you know my problem

where can I find some info or a how-to on doing this?
or if someone can tell me anything, it will be great

Thanks
David
Buenos Aires, Argentina