Re: Pf with multi gateways

2013-02-13 Thread Jorge Enrique Valbuena Vargas
Hi,

take a look at:

http://openbsd.org/faq/faq6.html#Multipath

On Wed, Feb 13, 2013 at 10:15 AM, What you get is Not what you see <
wygin...@gmail.com> wrote:

> Hi
> I have a pf box with 4 links (a multihomed box ) and some services like
> dns,dhcp on it.
> I have set /etc/mygate to one of the gateways.
> Sometimes the line drops and when it drops, obviously some services like
> dns stop.
> But the other lines are up then.
> What is the proper way of handling mygate?
> Do you suggest mpath?
>
>


-- 
Cordialmente,

00110111  00111011



OpenBSD 5.0 Dual ISP , Load balance and Incoming Connections

2012-06-14 Thread Jorge Enrique Valbuena Vargas
Hello List!

I just want to share my experience with OpenBSD configuring two ISPs, load
balancing and incoming connections; maybe it can help.


Problem:

1. Two (2) ISP connections for internet access from my LAN to the Internet
2. Remote access to a server in my DMZ from the Internet

Solution to Problem 1:

http://www.openbsd.org/faq/faq6.html#Multipath


Install OpenBSD 5.0 and configure the network cards.

Modify /etc/sysctl.conf; here I will show you only the basic things, not all
the lines ... maybe you would get bored!


net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.multipath=1    # 1=Enable IP multipath routing

PF
http://www.openbsd.org/faq/pf/pools.html#outgoing


Adjust /etc/pf.conf

# Macros

#ISP A
ext_if="vr0"

#ISP B
ext_if2="vr1"

#LAN
int_if="vr2"

#DMZ
int_if2="vr3"

#ISP A IP
ext_ip="10.10.10.1"

#ISP B IP
ext_ip2="11.11.11.1"

#Gateways
Ext_gw1="10.10.10.2"
Ext_gw2="11.11.11.2"

#DMZ server reached over SSH (see Problem 2)
Unxs="12.12.12.1"


#TABLES

#Authorized incoming IPs (table name <noc> reconstructed from the file name;
#the angle brackets are missing in the archived post)
table <noc> file "/home/pf/Noc"

set skip on { lo0 }

#FTP Proxy Rules
anchor "ftp-proxy/*"

pass in quick on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021

#NAT
match out on $ext_if2 inet from any to any nat-to $ext_ip2
match out on $ext_if inet from any to any nat-to $ext_ip

block in all
block out all

# Port redirection to DMZ; here as an example I will use SSH
match in on $ext_if proto tcp from <noc> to $ext_ip port 22 rdr-to $Unxs port 22
match in on $ext_if2 proto tcp from <noc> to $ext_ip2 port 22 rdr-to $Unxs port 22

#Outgoing traffic with load balance
pass in on $int_if from any route-to { ($ext_if $Ext_gw1), ($ext_if2 $Ext_gw2) } round-robin

# HTTPS packets
pass in on $int_if proto tcp from any to port https route-to ($ext_if $Ext_gw1) keep state

pass out on $ext_if from $ext_if2 route-to ($ext_if2 $Ext_gw2) keep state
pass out on $ext_if2 from $ext_if route-to ($ext_if $Ext_gw1) keep state


With these simple steps everything works perfectly!


Taken from the FAQ:

"It's worth noting that if an interface used by a multipath route goes down
(i.e., loses carrier), the kernel will still try to forward packets using
the route that points to that interface. This traffic will of course be
blackholed and end up going nowhere. It's highly recommended to use
ifstated(8) to check for unavailable interfaces and adjust the routing table
accordingly."


Problem 2

I need to give access to an internal server from the Internet using the SSH
protocol.

Ok, here is the thing: if a connection is coming from the Internet to my ISP
A IP, PF redirects the packet to the server in my DMZ:

match in on $ext_if proto tcp from <noc> to $ext_ip port 22 rdr-to $Unxs port 22

or, if a connection is coming from the Internet to my ISP B IP, PF redirects
the packet to the server in my DMZ:

match in on $ext_if2 proto tcp from <noc> to $ext_ip2 port 22 rdr-to $Unxs port 22

Now I need the pass in and pass out rules for these connections; my
first mistake was simply to make them like:

pass in on $ext_if proto tcp from <noc> to $Unxs port 22 keep state
pass in on $ext_if2 proto tcp from <noc> to $Unxs port 22 keep state
pass out on $int_if2 proto tcp from <noc> to $Unxs port 22 keep state

And as you may think, my incoming connection did not work ...

The final solution was just to change the filter rules to:

pass in on $ext_if proto tcp from <noc> to $Unxs port 22 reply-to ($ext_if $Ext_gw1) keep state
pass in on $ext_if2 proto tcp from <noc> to $Unxs port 22 reply-to ($ext_if2 $Ext_gw2) keep state
pass out on $int_if2 proto tcp from <noc> to $Unxs port 22 keep state

I hope this can help!

Thanks!




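The first message on this page asks what to do about /etc/mygate when one of several links drops, and the FAQ passage quoted in the post above gives the answer in one sentence: a multipath default route keeps blackholing traffic after its interface loses carrier, so something has to watch the links and fix the routing table. /etc/mygate is only read by netstart at boot; keeping the routes correct afterwards is the job of ifstated(8). The configuration below is an added example, not part of either post. It uses the addresses from the pf.conf above (ISP A on vr0 via 10.10.10.2, ISP B on vr1 via 11.11.11.2) and tests each gateway with a ping rather than trusting carrier alone, since a modem can have link while the ISP behind it is dead. The per-state pf.conf file names are an assumption; they exist because the route-to rules in the post never consult the routing table, so a dead gateway has to be removed from the pf ruleset as well.

```conf
# /etc/ifstated.conf  (added example; start with: ifstated -f /etc/ifstated.conf)
# ISP A: vr0, gateway 10.10.10.2   ISP B: vr1, gateway 11.11.11.2
init-state both_up

# A link is usable only when it has carrier AND its gateway answers one ping
# within a second; the external test is re-run every 10 seconds.
isp_a_ok = '( vr0.link.up && ( "ping -q -c 1 -w 1 10.10.10.2 > /dev/null" every 10 ) )'
isp_b_ok = '( vr1.link.up && ( "ping -q -c 1 -w 1 11.11.11.2 > /dev/null" every 10 ) )'

state both_up {
	init {
		run "route -qn add -mpath default 10.10.10.2"
		run "route -qn add -mpath default 11.11.11.2"
		# full ruleset: round-robin route-to over both links
		run "pfctl -q -f /etc/pf.conf"
	}
	if ! $isp_a_ok
		set-state only_b
	if ! $isp_b_ok
		set-state only_a
}

state only_a {
	init {
		run "route -qn delete -mpath default 11.11.11.2"
		# assumed variant of pf.conf whose route-to targets are ISP A only
		run "pfctl -q -f /etc/pf.conf.only_a"
		run "logger -t ifstated ISP B down, routing via ISP A only"
	}
	if $isp_b_ok
		set-state both_up
	if ! $isp_a_ok
		set-state none_up
}

state only_b {
	init {
		run "route -qn delete -mpath default 10.10.10.2"
		# assumed variant of pf.conf whose route-to targets are ISP B only
		run "pfctl -q -f /etc/pf.conf.only_b"
		run "logger -t ifstated ISP A down, routing via ISP B only"
	}
	if $isp_a_ok
		set-state both_up
	if ! $isp_b_ok
		set-state none_up
}

state none_up {
	init {
		run "route -qn delete -mpath default 10.10.10.2"
		run "route -qn delete -mpath default 11.11.11.2"
		run "logger -t ifstated both ISP gateways unreachable"
	}
	if $isp_a_ok
		set-state only_a
	if $isp_b_ok
		set-state only_b
}
```

Two things to keep in mind when adapting this: states that pf already created with a route-to pointing at the dead gateway keep that target until they expire, so existing connections over the failed link are lost either way; and the local services the first message worries about (DNS, DHCP on the box itself) are routed by the kernel table, not by route-to, so removing the -mpath route is what actually restores them.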



Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-10 Thread Jorge Enrique Valbuena Vargas
Hello!

I read your mail again and now I'm lost!

You wrote:

"How can I force my Extl. FW to reply on exactly the same interface it
> > had been requested on?  For example I am running OpenVPN(1194/UDP)
> > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I
> > would appreciate SSH-portforwarding from Internet to the Intl. FW. "


SSH port forwarding from the Internet to an internal server is something like:

ext_if="vr0"
ext_ip="1.2.3.4"
Spvt="4.5.6.7"
# $int_if is the internal interface macro, defined elsewhere in pf.conf

match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt

pass in on $ext_if proto tcp from any to $Spvt port 22
pass out on $int_if proto tcp from any to $Spvt port 22


The match line redirects all traffic coming from anywhere on the Internet to
my external IP (1.2.3.4) to the server 4.5.6.7, which is located in my
internal LAN; in other words the packet comes in on the external interface
and goes out on the internal interface.

This works on OpenBSD 4.8 or newer!

Is this what you need?



On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke <
torsten.fi...@igh-essen.com> wrote:

> Hello Jorge,
>
> > If i understood you well, the answer to your question is here !
> >
> >
> > http://www.openbsd.org/faq/pf/pools.html
> >
> > Under the section Load Balancing outgoing traffic, or take a look at:
> >
> > http://www.openbsd.org/faq/faq6.html#Multipath
> >
> >
> > There are good examples there !
> >
> > I hope this can help !
>
> thank you for this. The FAQ on pools has nice examples but none of them
> really
> faces my problem. It discusses load balancing of incoming traffic to
> several
> servers as well as load balancing of outgoing traffic. I cannot figure out
> how
> to dispatch replies to incoming requests over different connections.
>
> The FAQ on multipath has helped me very well to set up multiple default
> routes
> - this works very well.
>
> Best regards
>
> Torsten
>
>
> > > Dear List,
> > >
> > > Here I show my network topology. Maybe it seems quite typical. My
> > > internal network is located behind an Intl/Extl Firewall which is
> > > connected to the Internet(IN) via pppoe/ppp(8). On the other side I run
> > > different systems, for instance a home office network, a mobile laptop,
> > > and several customers.
> > >
> > >
> > >+---+ +---+
> > >| A | | B | (PC)
> > >+-+-+ +-+-+
> > >  | |   +-+
> > >--+-+---| Intl FW |---(DMZ)---+
> > >(LAN/int)   +-+   |
> > >  |
> > >  +---+
> > >  |  +---+
> > >  |      | Z | (PC)
> > >  |  ()  +---+
> > >  |  +-+ pppoe/ppp(8) +---+  ()  ++|
> > >  |  | |--| DSL-Modem |--()--| GW |+-
> > >  |  | | rl0/tun0 +---+  ()  ++
>  (HomeOffice)
> > >  +--| Extl FW | ( IN )  +--+
> > > | | pppoe/ppp(8) +---+  ()--| Customer |
> > > | |--| DSL-Modem |--()  +--+
> > > +-+ rl1/tun1 +---+  ()  ++
> > > OpenBSD 4.8 ()--| Mobile |
> > > ++
> > >
> > > My question is about the setup of routing and packet filtering on the
> > > External Firewall:
> > >
> > > How can I force my Extl. FW to reply on exactly the same interface it
> > > had been requested on?  For example I am running OpenVPN(1194/UDP)
> > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I
> > > would appreciate SSH-portforwarding from Internet to the Intl. FW.
> > >
> > > I tried using "route-to" and "reply-to", but that did not work -
> > > PF.CONF(5) says this should do, but I could not figure out, how. I did
> > > not understand how "route-to" and "reply-to" actually work (could
> > > not find any explanation, though I have tried hard to search for).
> > >
> > > Everything else (NAT, outbound load balancing, filtering) works just
> > > fine.
> > >
> > > My routing is:
> > >
> > > default   XXX.X.XX.XXX   UGSP   2   101853   -   8   tun0
> > > default   XXX.X.XX.XXX   UGSP   0      988   -   8   tun1
> > >
> > > I manage my multipath routes (net.inet.ip.multipath=1) via
> > > - ppp.linkup:
> > > MYADDR:
> > >  shell route add -mpath default HISADDR
> > >
> > > - ppp.linkdown
> > > MYADDR:
> > >  shell route delete -mpath default HISADDR
> > >
> > > What I tried in pf.conf is:
> > >
> > >   pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> > >   pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
> > >
> > > Asking PF statistics (pfctl -v -s rules) shows that no packet has been
> > > operated by those "reply-to" rules.
> > >
> > > Since I consider PF a brilliant concept I 

Re: Multiple ISP-connections/Routing/Packet filtering

2012-01-10 Thread Jorge Enrique Valbuena Vargas
Hello Torsten!

If I understood you well, the answer to your question is here:


http://www.openbsd.org/faq/pf/pools.html

under the section "Load Balancing outgoing traffic", or take a look at:

http://www.openbsd.org/faq/faq6.html#Multipath


There are good examples there!

I hope this can help!

Jorge V

On Tue, Jan 10, 2012 at 8:38 AM, Dr.-Ing. Torsten Finke <
torsten.fi...@igh-essen.com> wrote:

> Dear List,
>
> Here I show my network topology. Maybe it seems quite typical. My
> internal network is located behind an Intl/Extl Firewall which is
> connected to the Internet(IN) via pppoe/ppp(8). On the other side I run
> different systems, for instance a home office network, a mobile laptop,
> and several customers.
>
>
>+---+ +---+
>| A | | B | (PC)
>+-+-+ +-+-+
>  | |   +-+
>--+-+---| Intl FW |---(DMZ)---+
>(LAN/int)   +-+   |
>  |
>  +---+
>  |  +---+
>  |      | Z | (PC)
>  |  ()  +---+
>  |  +-+ pppoe/ppp(8) +---+  ()  ++|
>  |  | |--| DSL-Modem |--()--| GW |+-
>  |  | | rl0/tun0 +---+  ()  ++  (HomeOffice)
>  +--| Extl FW | ( IN )  +--+
> | | pppoe/ppp(8) +---+  ()--| Customer |
> | |--| DSL-Modem |--()  +--+
> +-+ rl1/tun1 +---+  ()  ++
> OpenBSD 4.8 ()--| Mobile |
> ++
>
> My question is about the setup of routing and packet filtering on the
> External Firewall:
>
> How can I force my Extl. FW to reply on exactly the same interface it
> had been requested on?  For example I am running OpenVPN(1194/UDP)
> between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I
> would appreciate SSH-portforwarding from Internet to the Intl. FW.
>
> I tried using "route-to" and "reply-to", but that did not work -
> PF.CONF(5) says this should do, but I could not figure out, how. I did
> not understand how "route-to" and "reply-to" actually work (could
> not find any explanation, though I have tried hard to search for).
>
> Everything else (NAT, outbound load balancing, filtering) works just
> fine.
>
> My routing is:
>
> default   XXX.X.XX.XXX   UGSP   2   101853   -   8   tun0
> default   XXX.X.XX.XXX   UGSP   0      988   -   8   tun1
>
> I manage my multipath routes (net.inet.ip.multipath=1) via
> - ppp.linkup:
> MYADDR:
>  shell route add -mpath default HISADDR
>
> - ppp.linkdown
> MYADDR:
>  shell route delete -mpath default HISADDR
>
> What I tried in pf.conf is:
>
>   pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
>   pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
>
> Asking PF statistics (pfctl -v -s rules) shows that no packet has been
> operated by those "reply-to" rules.
>
> Since I consider PF a brilliant concept I would really appreciate any
> hint that would help. Thanks to all OpenBSD developers for their great
> work and thanks for any advice.
>
>
> Best regards
>
> Torsten
>
>
> --
> 
> Torsten Finke
> f...@igh-essen.com
> 
>
>


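Torsten's actual question, how to make the external firewall answer on the same ppp link a request came in on (OpenVPN on 1194/udp and an SSH port forward, both ending at the internal firewall), is what reply-to does, and the later post on this page shows the same fix for a dual-ISP SSH forward. One thing worth knowing when a reply-to rule shows zero counters in `pfctl -v -s rules`: PF applies the last matching rule unless an earlier one carries `quick`, so any later `pass in` rule that also matches the packet takes the state instead, and the reply-to on the earlier rule is never used. The fragment below is an added example for his topology, not configuration from either poster. Assumed names: tun0 and tun1 are the two ppp(8) links, rl2 is the LAN side towards the internal firewall, and 192.0.2.10 is the internal firewall's address.

```conf
# /etc/pf.conf fragment for the external firewall (added example; names and
# the internal firewall address are assumptions, see above)
ext1="tun0"
ext2="tun1"
int_if="rl2"
intfw="192.0.2.10"

set skip on lo0

# Outbound NAT on whichever link the packet leaves. The parentheses make pf
# re-read the interface address, which changes on every ppp reconnect.
match out on $ext1 inet from !($ext1) nat-to ($ext1)
match out on $ext2 inet from !($ext2) nat-to ($ext2)

# Forward OpenVPN and SSH arriving on either link to the internal firewall.
match in on $ext1 inet proto udp to ($ext1) port 1194 rdr-to $intfw
match in on $ext2 inet proto udp to ($ext2) port 1194 rdr-to $intfw
match in on $ext1 inet proto tcp to ($ext1) port 22   rdr-to $intfw
match in on $ext2 inet proto tcp to ($ext2) port 22   rdr-to $intfw

block all

# LAN-originated traffic: spread over both links. The two pass out rules
# catch a packet the routing table put on the wrong link and push it out
# the link that owns its source address (same pattern as the FAQ).
pass in on $int_if inet from $int_if:network \
    route-to { ($ext1 $ext1:peer), ($ext2 $ext2:peer) } round-robin
pass out on $ext1 inet from ($ext2) route-to ($ext2 $ext2:peer)
pass out on $ext2 inet from ($ext1) route-to ($ext1 $ext1:peer)
pass out on { $ext1 $ext2 } inet

# Inbound to the forwarded services. After rdr-to the filter sees $intfw as
# the destination. reply-to pins the replies of each state to the link the
# request arrived on; quick stops any later pass rule from overriding this.
pass in quick on $ext1 inet proto tcp to $intfw port 22 \
    reply-to ($ext1 $ext1:peer)
pass in quick on $ext1 inet proto udp to $intfw port 1194 \
    reply-to ($ext1 $ext1:peer)
pass in quick on $ext2 inet proto tcp to $intfw port 22 \
    reply-to ($ext2 $ext2:peer)
pass in quick on $ext2 inet proto udp to $intfw port 1194 \
    reply-to ($ext2 $ext2:peer)
pass out on $int_if inet proto tcp to $intfw port 22
pass out on $int_if inet proto udp to $intfw port 1194
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Because the peer address of a ppp link can change when it reconnects, it is safest to reload the ruleset from the same ppp.linkup hook that already adds the -mpath route, so that the `:peer` targets in the route-to and reply-to options are resolved against the current link.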



Re: Soekris lan1641 and Jetway J7F4K-1G5D

2011-09-07 Thread Jorge Enrique Valbuena Vargas
Ok, let me understand.

You have four ports on your Soekris lan1641, and each port has an IP address in
the 172.16.218.0/24 LAN? Is that right? For example:

sis0 172.16.218.100
sis1 172.16.218.101
sis2 172.16.218.102 and so on for sis3

Is that right?

Each port with a patch cord?

In my experience I never put all the ports or interfaces on the same network
segment ... that always gives problems ... if you need all the ports on the
same LAN, use trunk(8).

That is what I can understand ...



On Tue, Sep 6, 2011 at 9:27 AM, James Abercromby wrote:

> Has anyone else used this board with this mobo and experienced the same
> issues as described below?
>
> http://www.itxdepot.com/xcart/product.php?productid=1910&cat=44019&page=1
> http://soekris.com/products/lan1641.html
>
>
> I have tried both 4.9 and recent 5.0 snapshots but nothing earlier yet.
>
> OpenBSD sees the card and it's interfaces correctly as sis0-3,
> they can successfully pull a dhcp lease or assign a static address.
>
> dhcp installs the correct default route or you can assign manually.
>
> When you go to ping.
>
> you get.
>
> send to: ping: Host is down
>
> I have made sure that pf is disabled and ip forwarding is turned off to see
> if these were causing any issues but it has no issues with it.
>
> Tried this card with the same motherboard using Mint Linux and it was fine.
>
> Any help/insight would be appreciated.
>
>





Re: Soekris lan1641 and Jetway J7F4K-1G5D

2011-09-07 Thread Jorge Enrique Valbuena Vargas
Do you have all the network interfaces of the Soekris in the same network?

Are you trying to ping the default gateway from the Soekris, or from another PC
using the Soekris as a gateway?



On Tue, Sep 6, 2011 at 10:33 AM, James Abercromby wrote:

> The ip of the default gateway itself.
>
> in this case for example.
>
> All of my boxen on the internal network are
> 172.16.218.0/24
>
> default gateway is 172.16.218.1/24
>
>
>
>
> On Tue, Sep 6, 2011 at 11:31 AM, Jorge Enrique Valbuena Vargas <
> jvalbue...@gmail.com> wrote:
>
> >> Which IP are you pinging? Can you be more specific?
>>
>>
>>
>> On Tue, Sep 6, 2011 at 9:27 AM, James Abercromby wrote:
>>
>>> Has anyone else used this board with this mobo and experienced the same
>>> issues as described below?
>>>
>>> http://www.itxdepot.com/xcart/product.php?productid=1910&cat=44019&page=1
>>> http://soekris.com/products/lan1641.html
>>>
>>>
>>> I have tried both 4.9 and recent 5.0 snapshots but nothing earlier yet.
>>>
>>> OpenBSD sees the card and it's interfaces correctly as sis0-3,
>>> they can successfully pull a dhcp lease or assign a static address.
>>>
>>> dhcp installs the correct default route or you can assign manually.
>>>
>>> When you go to ping.
>>>
>>> you get.
>>>
>>> send to: ping: Host is down
>>>
>>> I have made sure that pf is disabled and ip forwarding is turned off to
>>> see
>>> if these were causing any issues but it has no issues with it.
>>>
>>> Tried this card with the same motherboard using Mint Linux and it was
>>> fine.
>>>
>>> Any help/insight would be appreciated.
>>>
>>>
>>
>>
>> --
>> Cordialmente,
>>
>> 00110111  00111011
>>
>>
>>
>





Re: 4.6 Packages

2010-05-19 Thread Jorge Enrique Valbuena Vargas
Hola List!

The ftp server is ok; what I meant is that if you go to
http://www.openbsd.org/faq/faq15.html you cannot see the 4.6 link to
packages.

Sorry for the lack of information regarding this issue in my first email.

Jorge V



On Wed, May 19, 2010 at 7:03 PM, Neal Hogan  wrote:

> On Wed, May 19, 2010 at 6:39 PM, Jorge Enrique Valbuena Vargas
>  wrote:
> > Hola List !
> >
> > I just tried to download some packages for OpenBSD 4.6, but they are not
> > available.
> >
> > Right now only 4.7, 4.5 and 4.4 are available.
> >
> > Is there something wrong with the server?
> >
>
> What server? The main ftp site has them (from what I can tell). Have
> you tried another mirror?
>
> > Ok, just to let you know.
> >
> > Kind Regards,
> >
> > Jorge V
> > j...@sting:~$ date
> > Wed May 19 18:38:44 COT 2010
> >
> > [demime 1.01d removed an attachment of type image/png which had a name of
> openbsdpackages.png]



4.6 Packages

2010-05-19 Thread Jorge Enrique Valbuena Vargas
Hola List!

I just tried to download some packages for OpenBSD 4.6, but they are not
available.

Right now only 4.7, 4.5 and 4.4 are available.

Is there something wrong with the server?

Ok, just to let you know.

Kind Regards,

Jorge V
j...@sting:~$ date
Wed May 19 18:38:44 COT 2010

[demime 1.01d removed an attachment of type image/png which had a name of 
openbsdpackages.png]



Re: OpenBSD 4.7 pictures

2010-05-15 Thread Jorge Enrique Valbuena Vargas
Gracias !


On Thu, May 13, 2010 at 5:07 AM, Wolf Stettler wrote:

> http://pubwww.hsz-t.ch/~wstettle/
>
>
> Martin Toft wrote:
>
>> http://pics.martintoft.dk/Events/OpenBSD%204.7%2020100508/dscn2548.jpg
>>
>> :-D



Re: VPN Clients Behind OpenBSD 4.6 PF NAT

2010-05-12 Thread Jorge Enrique Valbuena Vargas
Hi,

What about pass in and pass out rules with proto esp or ah?






On Mon, May 10, 2010 at 6:23 PM, dontek  wrote:

> The only change to sysctl.conf from default install is uncommenting:
>
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1
>
> I am running a slightly pruned version of the FAQ "Example: Firewall for
> Home or Small Office" pf.conf.
> -
> ext_if="fxp0"
> int_if="xl0"
>
> tcp_services="{ 22 }"
> icmp_types="echoreq"
>
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo
>
> match in all scrub (no-df)
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> block in
>
> pass out keep state
>
> anchor "ftp-proxy/*"
>
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in quick on $int_if
> -
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Jorge Enrique Valbuena Vargas
> Sent: Monday, May 10, 2010 5:47 PM
> To: Don Reis
> Cc: misc@openbsd.org
> Subject: Re: VPN Clients Behind OpenBSD 4.6 PF NAT
>
> Hi,
>
> can you send the pf.conf and sysctl.conf files ?
>
>
>
> On Mon, May 10, 2010 at 2:56 PM, Don Reis  wrote:
>
> > Hey guys, I got a little problem:
> >
> >
> >
> > First let me say I am running a fresh install of OpenBSD 4.6 and besides
> > turning on IP forwarding in sysctl and installing the pf.conf example
> from
> > the FAQ (modified of course to fit my NIC's), I have changed nothing in
> the
> > default install.
> >
> >
> >
> > The scenario is I am attempting to connect to various external VPN's from
> > inside my NAT network.  I have tried both the Cisco and Shrew Soft VPN
> > Clients with various Cisco and Netgear VPN concentrators and appliances,
> > all
> > with the exact same results.
> >
> >
> >
> > I initiate the connection, Phase 1 completes, Phase 2 completes, the
> tunnel
> > comes up.  I'm connected now right, except, packets only flow one
> direction
> > over the tunnel,  my outbound traffic gets through the tunnel to the
> remote
> > network, but nothing ever comes back.
> >
> >
> >
> > If I jack my computer directly into my internet connection, everything is
> > peachy on all clients and all endpoints.
> >
> >
> >
> > I've searched quite a bit and almost all of what I find is people
> > complaining they can't get a connection over NAT and other people
> > recommending various port redirects to a single machine running the VPN
> > client to make things work.
> >
> >
> >
> > This is of course not like my situation.  All VPN negotiations work just
> > fine, I just never receive anything over the tunnel once it's up.
> >
> >
> >
> > Give me a clue.  I assume this should just work behind PF NAT, since both
> > clients are negotiating and using NAT-T.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > don..



Re: VPN Clients Behind OpenBSD 4.6 PF NAT

2010-05-10 Thread Jorge Enrique Valbuena Vargas
Hi,

Can you send the pf.conf and sysctl.conf files?



On Mon, May 10, 2010 at 2:56 PM, Don Reis  wrote:

> Hey guys, I got a little problem:
>
>
>
> First let me say I am running a fresh install of OpenBSD 4.6 and besides
> turning on IP forwarding in sysctl and installing the pf.conf example from
> the FAQ (modified of course to fit my NIC's), I have changed nothing in the
> default install.
>
>
>
> The scenario is I am attempting to connect to various external VPN's from
> inside my NAT network.  I have tried both the Cisco and Shrew Soft VPN
> Clients with various Cisco and Netgear VPN concentrators and appliances,
> all
> with the exact same results.
>
>
>
> I initiate the connection, Phase 1 completes, Phase 2 completes, the tunnel
> comes up.  I'm connected now right, except, packets only flow one direction
> over the tunnel,  my outbound traffic gets through the tunnel to the remote
> network, but nothing ever comes back.
>
>
>
> If I jack my computer directly into my internet connection, everything is
> peachy on all clients and all endpoints.
>
>
>
> I've searched quite a bit and almost all of what I find is people
> complaining they can't get a connection over NAT and other people
> recommending various port redirects to a single machine running the VPN
> client to make things work.
>
>
>
> This is of course not like my situation.  All VPN negotiations work just
> fine, I just never receive anything over the tunnel once it's up.
>
>
>
> Give me a clue.  I assume this should just work behind PF NAT, since both
> clients are negotiating and using NAT-T.
>
>
>
> Thanks,
>
>
>
> don..



Re: reconfigure squid on packages

2010-03-26 Thread Jorge Enrique Valbuena Vargas
Hi,

If you read the configure file in the squid source code, you can learn how to
do that.

Other source of info:

http://wiki.squid-cache.org/SquidFaq/SquidAcl




On Thu, Mar 25, 2010 at 7:54 PM, sonjaya  wrote:

> hi ...
>
> i using squid in my openbsd box , i need reconfigure squid to support
> useragent acl ( team viewer problem ) .
> i'm installed from port.
> how to do that to make squid working with acl useragent ?
> can do that without  recomplie from source
> --
> sonjaya
> http://www.sharenupload.com
> http://www.airportindonesia.info



Re: Spanish language resources for OpenBSD

2009-11-19 Thread Jorge Enrique Valbuena Vargas
This web site is in Spanish and has good info!

http://www.openbsdcolombia.org/



On Thu, Nov 19, 2009 at 6:31 PM, Marco Peereboom  wrote:

> On Mon, Nov 16, 2009 at 07:17:18PM -0600, Chris Bennett wrote:
> > I am now going to be setting up occasionally but regularly OpenBSD
> > machines for people who only speak Spanish.
> >
> > I have already found the language packs for kde, openoffice, firefox and
> > thunderbird.
> >
> > I just accidentally figured out that that www.openbsd.org has a couple a
> > pages in Spanish, but no links to them from site that I could find.
> >
> > Is there anyone actively maintaining Spanish translations? Most of what
> > I found was several releases old or even older.
> >
> > Is there a particular site that has "got it all?"
> >
> >
> > I also saw a while back on ports that scrotwm was adding man pages in
> > some additional languages, but I don't see any signs of that. Was that
> > just for non-OpenBSD versions?
>
> Pages should be installed with the latest pkg.  Let me know if that is
> not the case.
>
> >
> > Thanks,
> > Chris Bennett
> >
> > --
> > A human being should be able to change a diaper, plan an invasion,
> > butcher a hog, conn a ship, design a building, write a sonnet, balance
> > accounts, build a wall, set a bone, comfort the dying, take orders,
> > give orders, cooperate, act alone, solve equations, analyze a new
> > problem, pitch manure, program a computer, cook a tasty meal, fight
> > efficiently, die gallantly. Specialization is for insects.
> >   -- Robert Heinlein



Re: How to Install OpenBSD 4.6 with Ubuntu 9.10 and Windows 7 (Openbsd 4.6 with GRUB2)

2009-11-15 Thread Jorge Enrique Valbuena Vargas
Thank You !

On Sat, Nov 14, 2009 at 11:49 PM, Andres Genovez wrote:

> Hi friends I want to share this information, if anyone is migrating from
> Linux(Ubuntu) to OpenBSD.
> Hope will be helpful.
>
> http://www.crice.org/?q=node/364
>
> Andres
>
> www.crice.org



Re: IP Aliasing with DHCP

2009-11-11 Thread Jorge Enrique Valbuena Vargas
Hugo,

Not sure about a real answer to your question, but what I would try is:

Set two of the dynamic addresses manually on my interface. Another idea would
be to use two network interfaces, use trunk (man trunk) and again set the two
IP addresses manually ...

I hope this can help!


On Wed, Nov 11, 2009 at 9:19 PM, Hugo Osvaldo Barrera <
h...@osvaldobarrera.com.ar> wrote:

> I want to set up an HTTPS server which serves two domains. I know this
> is pretty much impossible with one IP, due to how SSL works.
>
> However, my ISP throws me an Ethernet cable, and I can use as many IPs
> as I want. - If I connect a switch to that cable, and 5 PCs, they each
> get 5 REAL internet IPs.
>
> I'v already seen the "alias" option for ifconfig, however, it always
> refers to static IPs, and I've found no reference to this being
> possible with dynamic IPs.
> Is this possible? A single interface, with TWO dynamic IPs?



Re: Anyway to force IP to be assigned only if MAC matches?

2009-10-28 Thread Jorge Enrique Valbuena Vargas
You can do that using the arp(8) command:

 # arp -s 10.0.0.2 00:90:27:bb:cc:dd permanent

Take a look at the man page of the command.

I hope this can help!

On Wed, Oct 28, 2009 at 5:29 PM, Andres Salazar wrote:

> Hello,
>
> I Have dhcp enabled on my LAN which assigns an IP according to the
> clients MAC address, however if a user wanted to be malicious he can
> statically assign any IP to his NIC.
>
> Isnt there anyway I can force my ARP tables to only allow IPs to be
> assigned if the MAC address matches?
>
>
> Thanks
> Andres



Re: Network problems with OpenBSD 4.6 on a IBM xSeries 335

2009-10-22 Thread Jorge Enrique Valbuena Vargas
What happens if you change the bge1 interface to another network, for example
10.4.1.2? For me, two interfaces on the same network sometimes produce
strange behavior.
I hope this can help!



On Thu, Oct 22, 2009 at 3:18 PM, Mauro Rezzonico  wrote:

> I get myself an IBM xSeries 335 model 8676 on eBay a couple of weeks ago,
> installed OpenBSD 4.5 updated to 4.5-stable and did not notice any
> problems...
>
> Today I did a Fresh install of OpenBSD 4.6 and the network does not work!
>
> Unfortunately I am not able to understand what's the matter, meaning that
> the output of ifconfig & netstat look right to me, if I ping the first
> configured NIC (bge0), output is like I'm pinging lo0, any other IP (away,
> same segment, same machine) alway return 'Host is down'.
>
> Additionally, the machine is now unable to reboot itself: it shows the
> kernel message "Syncing disks" and then hangs (with OpenBSD 4.5 it did
> properly reboot itself as long as powerdown itself).
>
> As I said the machine is second hand from eBay, so there may be hardware
> issues I am unaware of, but everything 'just worked fine' with OpenBSD (I
> was able to checkout the 4.5-stable branch e recompile everything).
>
> There is a fxp0 NIC installed in a PCI-X slot.
>
> Moreover my network should not be the issue, as I have a HP Proliant DL145
> G2 on the same segment and on the same switch, that was running OpenBSD 4.5
> (following 4.5-stable), and received a fresh install of OpenBSD 4.6 this
> morning (followed by a checkout of 4.6-stable and a rebuild of everything)
> that is working perfectly fine...
>
> Transcript follows (with dmesg, ifconfig, netstat etc)
>
> **This is the dmesg with OpenBSD 4.5 GENERIC.MP**
>
> OpenBSD 4.5 (GENERIC.MP) #108: Sat Feb 28 14:58:58 MST 2009
>dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) XEON(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
> cpu0: CPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
>  PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
> real mem  = 3220766720 (3071MB)
> avail mem = 3120787456 (2976MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 09/11/02, BIOS32 rev. 0 @ 0xfd7e1,
> SMBIOS rev. 2.3 @ 0xf7141 (43 entries)
> bios0: vendor IBM version "-[T2E110AUS-1.01]-" date 09/11/2002
> bios0: IBM eserver xSeries 335 -[867665X]-
> acpi0 at bios0: rev 0
> acpi0: tables DSDT FACP APIC ASF!
> acpi0: wakeup devices PCI0(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 99MHz
> cpu1 at mainbus0: apid 6 (application processor)
> cpu1: Intel(R) XEON(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
>  PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) XEON(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
> cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
>  PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
> cpu3 at mainbus0: apid 7 (application processor)
> cpu3: Intel(R) XEON(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
> cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
>  PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
> ioapic0 at mainbus0: apid 14 pa 0xfec0, version 11, 16 pins
> ioapic1 at mainbus0: apid 13 pa 0xfec01000, version 11, 16 pins
> ioapic2 at mainbus0: apid 12 pa 0xfec02000, version 11, 16 pins
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (PCI1)
> acpiprt2 at acpi0: bus 2 (PCI2)
> acpicpu0 at acpi0
> acpicpu1 at acpi0
> acpicpu2 at acpi0
> acpicpu3 at acpi0
> bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xcc000/0x1800
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "ServerWorks CMIC-WS Host (GC-LE)" rev 0x13
> pchb1 at pci0 dev 0 function 1 "ServerWorks CMIC-WS Host (GC-LE)" rev 0x00
> pchb2 at pci0 dev 0 function 2 "ServerWorks CMIC-LE" rev 0x00
> pci1 at pchb2 bus 1
> mpi0 at pci1 dev 1 function 0 "Symbios Logic 53c1030" rev 0x07: apic 13 int
> 6 (irq 9)
> scsibus0 at mpi0: 16 targets, initiator 7
> sd0 at scsibus0 targ 0 lun 0:  SCSI3
> 0/direct fixed
> sd0: 70006MB, 512 bytes/sec, 143374000 sec total
> safte0 at scsibus0 targ 8 lun 0:  SCSI2
> 3/processor fixed
> mpi0: target 0 Sync at 80MHz width 16bit offset 63 QAS 0 DT 1 IU 0
> vga1 at pci0 dev 1 function 0 "ATI Rage XL" rev 0x27
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> fxp0 at pci0 dev 2 function 0 "Intel 8255x" rev 0x0d, i82550: apic 13 int 0
> (irq 10), address 00:02:b3:da:76:86
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> piixpm0 at pci0 dev 15 function 0 "ServerWorks CSB5" rev 0x93: polling
> iic0 at piixpm0
> spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM registered ECC PC2100CL2.5
> spdm

Re: PF simple rdr help?

2009-10-08 Thread Jorge Enrique Valbuena Vargas
On Thu, Oct 8, 2009 at 7:03 AM, Jorge Enrique Valbuena Vargas <
jvalbue...@gmail.com> wrote:

> Hi Andres,
>
>
> take a look at the examples at:
>
> http://www.openbsd.org/faq/pf/rdr.html
>
> Remember to use the pass in and pass out rules.
>
> I use the rdr feature when I have a webserver on my DMZ, on port 8081 or
> whatever port you want.
>
> # Public IP = 1.2.3.4
> ext_if="rl0"
> dmz_if="rl1"
> webserver="5.6.7.8"
>
>
> rdr on $ext_if proto tcp from any to any port 80 -> $webserver port 8081
>
> pass in on $ext_if inet proto tcp from any to $webserver port 8081
> pass out on $dmz_if inet proto tcp from any to $webserver port 8081
>
>
> Here all traffic comes from the Internet and goes to your private webserver.
>
> I hope this can help !
>
>
>
> On Wed, Oct 7, 2009 at 10:55 PM, Andres Salazar wrote:
>
>> Dorian,
>>
> >> Thank you. I take it for granted that "match" is for 4.6 . That's fine.
>>
>> What is the difference passing it onto netcat, then doing it directly?
>>
>> Aside from this I also need to redirect a range of ports (1500-2000)..
>> and I think the issue would get more difficult if i do it with this
>> method..
>>
>> --Andres
>>
> >> On Wed, Oct 7, 2009 at 6:38 PM, Dorian Büttner
>> wrote:
>> > Probably what you want might be something like this in pf.conf
>> > match in on $int_if proto tcp from any to ($ext_if) port www rdr-to
>> 127.0.0.1
>> > port 5000
>> > and in inetd.conf:
>> > 127.0.0.1:5000  stream  tcp nowait  nobody  /usr/bin/nc nc -w
>> 20
>> > my.internal.gateway.ip.here 80
>> >
>> > I believe this was somewhere in the pf faq, not exactly sure, you should
>> start
>> > inetd of course.
>> >
>> > If I'm right you wanna see what's your home hosted httpd doing on the
>> outside
>> > interface using your dyndns fqdn from internal network or similar.
>> Actually
>> > there's changes in pf so you might want to specify your version.
>> >
>> > Regards,
>> > Dorian



Re: PF simple rdr help?

2009-10-08 Thread Jorge Enrique Valbuena Vargas
Hi Andres,


take a look at the examples at:

http://www.openbsd.org/faq/pf/rdr.html

Remember to use the pass in and pass out rules

I use the rdr feature when I have a webserver on my DMZ, on port 8081 or
whatever port you want.

Public IP = 1.2.3.4
ext_if=rl0
dmz_if=rl1
webserver= 5.6.7.8


rdr on $ext_if  proto tcp from any to any port 80 -> $webserver port 8081

pass in  on  $ext_if inet proto tcp from any to $webserver port 8081
pass out on  $dmz_if inet proto tcp from any to $webserver port 8081


Here all traffic comes from the Internet and goes to your private webserver.

I hope this can help !



On Wed, Oct 7, 2009 at 10:55 PM, Andres Salazar wrote:

> Dorian,
>
> Thank you. I take it for granted that "match" is for 4.6 . That's fine.
>
> What is the difference passing it onto netcat, then doing it directly?
>
> Aside from this I also need to redirect a range of ports (1500-2000)..
> and I think the issue would get more difficult if i do it with this
> method..
>
> --Andres
>
> On Wed, Oct 7, 2009 at 6:38 PM, Dorian Büttner
> wrote:
> > Probably what you want might be something like this in pf.conf
> > match in on $int_if proto tcp from any to ($ext_if) port www rdr-to
> 127.0.0.1
> > port 5000
> > and in inetd.conf:
> > 127.0.0.1:5000  stream  tcp nowait  nobody  /usr/bin/nc nc -w 20
> > my.internal.gateway.ip.here 80
> >
> > I believe this was somewhere in the pf faq, not exactly sure, you should
> start
> > inetd of course.
> >
> > If I'm right you wanna see what's your home hosted httpd doing on the
> outside
> > interface using your dyndns fqdn from internal network or similar.
> Actually
> > there's changes in pf so you might want to specify your version.
> >
> > Regards,
> > Dorian
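As an added example, not the rules from the post, the redirect above written out in full in the pre-4.7 pf syntax the thread uses: the rdr is limited to the public address, the pass rules name the translated destination, and the DMZ host is kept from opening connections into the LAN. The macros are the post's except int_if (rl2), which is an assumed LAN interface.

```pf
# Added example, not from the thread: a complete rdr set for a DMZ web
# server in the pre-4.7 pf syntax used above. Interface names and the
# addresses are the post's macros; int_if (rl2) is an assumed LAN interface.
ext_if="rl0"
dmz_if="rl1"
int_if="rl2"
ext_ip="1.2.3.4"
webserver="5.6.7.8"

set skip on lo0
scrub in all

# Redirect only connections to our public address, not every port-80
# packet that happens to enter on $ext_if ("to any" would also redirect
# transit traffic the box routes for other networks).
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $webserver port 8081

block log all

# Translation happens before filtering, so the filter sees the packet
# with the translated destination: pass $webserver:8081, not $ext_ip:80.
pass in  on $ext_if inet proto tcp from any to $webserver port 8081 \
    flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $webserver port 8081 keep state

# The DMZ host must not be able to open connections into the LAN; "quick"
# makes this block final before any later pass rule is considered.
block in log quick on $dmz_if from $dmz_if:network to $int_if:network
pass in on $dmz_if inet proto { tcp, udp } from $webserver to any keep state
pass out on $ext_if inet keep state
```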



Re: How do I change PF rules to enable ftp downloads?

2009-10-01 Thread Jorge Enrique Valbuena Vargas
Hello,

Take a look at :

http://www.openbsd.org/faq/pf/ftp.html

Maybe it can help !


On Thu, Oct 1, 2009 at 3:52 PM, AG  wrote:

> Hello
>
> I want to download via ftp, but am unable to do so.  I believe that it
> would have something to do with my pf.conf file in my firewall, so have
> listed that below.
>
> ### simple pf.conf ##
> # allow all outgoing TCP, UDP
> # allow outgoing ICMP ping
> # specifically block 11 common inet services
> # Modified for nntp and bittorrent
> #
>
>
> # MACRO
> ext_if = "rl0"
> int_if = "vr0"
> PING = "echoreq"
> allow_tcp = "{ 119 }"  #Port needed for nntp server
>
> #IntNet = "192.168.1.0/24"  #Sub-net range
> #InBitTCP = "{ 6969, 6881:6889 }"   #Ports needed for BitTorrent
> #BitIP = "192.168.1.40" #BitTorrent client
>
> tcp_services = "{ smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh,
> telnet, rsync }"
> udp_services = "{ domain }"
>
>
> # OPTIONS:
> set block-policy drop
> set optimization normal
> set loginterface $ext_if
>
> # SCRUB:
> scrub in on $ext_if all
>
> # NAT/RDR
> nat on $ext_if from $int_if:network to any -> $ext_if
>
> #nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if \
> static-port #nat on $ext_if proto udp from $IntNet port $InBitTCP to any ->
> $ext_if \
> static-port
> #rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port
> 6969
> #rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \
> port 6881:6889
>
> # filter:
>
> block log on $ext_if all
>
> #pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP \
> flags S/SA synproxy state
> #pass in quick on $ext_if inet proto udp from any to any port $InBitTCP
>
> #pass out on $int_if inet proto tcp from any to $IntNet port
> $port_bittorrent \
> flags S/SA synproxy state
> #pass out on $int_if inet proto udp from any to $IntNet port
> $port_bittorrent
>
> pass quick on lo0 all
>
> pass out on $ext_if proto tcp from any to any port $allow_tcp keep state
>
> pass out quick on $ext_if inet proto tcp from \
>  { $ext_if:network, $int_if:network } to any port $tcp_services keep state
>
> pass out quick on $ext_if inet proto udp from \
>  { $ext_if:network, $int_if:network } to any port $udp_services keep state
>
> pass out quick on $ext_if inet proto icmp from \
>  { $ext_if:network, $int_if:network } to any icmp-type $PING keep state
>
> antispoof for $ext_if
> antispoof for $int_if
>
>  /etc/pf.conf ends ##
>
> It has been a number of years since I set this up, and note that I have ftp
> listed as a protocol to not allow.  How can I change this without
> compromising security please?
>
> Many TIA.
>
> AG



Re: NAT, Firewall & pf

2009-02-25 Thread Jorge Enrique Valbuena Vargas
Hi, these simple rules work for me!
Remember how good the learning process is!

I hope this can help!

ext_if="vr0"
dmz_if="sis1"
int_if="sis0"
ext_ip="123.45.67.89"

#Don't Filter on the loopback interface
set block-policy drop
set skip on lo

#PACKET NORMALIZATION

scrub in all
scrub out on $ext_if all random-id

nat on $ext_if from !($ext_if) -> $ext_ip


block in on { sis0 , vr0 } all
block out on { sis0 , vr0 } all
pass out keep state

antispoof quick for { lo $int_if }

pass in on $int_if inet proto tcp all flags S/SA keep state
pass in on $int_if inet proto udp all keep state
pass in on $int_if inet proto icmp all keep state
pass in on $int_if inet proto esp all keep state

pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
pass out on $ext_if inet proto esp all keep state


On Wed, Feb 25, 2009 at 8:39 PM, patrick keshishian wrote:

> On Wed, Feb 25, 2009 at 5:15 PM, Jason Dixon  wrote:
> > On Wed, Feb 25, 2009 at 04:39:08PM -0800, patrick keshishian wrote:
> >> On Wed, Feb 25, 2009 at 4:07 PM, ropers  wrote:
> >> > 2009/2/25 patrick keshishian :
> >> >> On Tue, Feb 24, 2009 at 9:48 PM, Hilco Wijbenga
> >> >>  wrote:
> >> >>> 2009/2/23 Jason Dixon :
> >>  ##
> >>  00 ext_if = "sk0"
> >>  01 int_if = "sk1"
> >>  02
> >>  03 set skip on lo
> >>  04
> >>  05 scrub in
> >>  06
> >>  07 nat on $ext_if from $int_if:network to any -> ($ext_if:0)
> >>  08
> >>  09 block in log all
> >>  10 pass in on $int_if inet keep state
> >> >>
> >> >> # I think you are missing a pass out on $ext_if rule
> >> >> 11 pass out on $ext_if
> >> >>
> >> >> w/o 11 all inbound packets are blocked by 09.
> >> >
> >> > Please correct me it I'm wrong, but my understanding is that Jason's
> >> > line 09 is only blocking packets that traverse interfaces in the
> >> > *inward* direction (i.e. from the attached networks (WAN and LAN)
> >> > *in*to the OpenBSD box). And I think that's why a "pass out" rule
> >> > would be unnecessary, as the default is to pass packets. Again, take
> >> > this with truckloads of salt; I could be wrong, but I trust Jason.
> >>
> >> You need states created for traffic passing through the pf firewall,
> >> specifically through the $ext_if to allow packets flowing back in,
> >> otherwise line 09 blocks those packets. I don't see where states would
> >> get created for outbound traffic with Jason's rule-set.
> >
> > Using floating states (the default), line 10 should suffice. But I
> > forgot to account for outbound DNS requests from the firewall itself.
> > Here is the same ruleset with the one extra rule. It shouldn't be
> > necessary for outbound traffic originating from $int_if:network, but it
> > won't hurt either.
>
> The floating states based on line 10 would be for pre-NAT sources on
> $int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
> misunderstanding how NAT works with pf, there are no pass out rules
> that would create states for these packets:
>
> from pf.conf(5):
>
> Since translation occurs before filtering the filter engine will see
> packets as they look after any addresses and ports have been
> translated.
> Filter rules will therefore have to filter based on the translated ad-
> dress and port number.  Packets that match a translation rule are only
> automatically passed if the pass modifier is given, otherwise they are
> still subject to block and pass rules.
> ...
> Translation rules apply only to packets that pass through the specified
> interface, and if no interface is specified, translation is applied to
> packets on all interfaces.
>
> --patrick
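As an added example, not the poster's ruleset, the same three interfaces with the default deny applied to all of them, including the dmz_if that the macros above define but the block rules never name. The macros are the post's; the LAN and DMZ policy below is an assumption.

```pf
# Added example, not the rules from the post above: the same three-interface
# layout, with the default deny applied to every interface. Macros are the
# post's; the policy below (what LAN and DMZ may reach) is assumed.
ext_if="vr0"
dmz_if="sis1"
int_if="sis0"
ext_ip="123.45.67.89"

set block-policy drop
set skip on lo

# Packet normalization
scrub in all
scrub out on $ext_if all random-id

# Translate only the two internal networks, instead of "from !($ext_if)".
nat on $ext_if inet from { $int_if:network, $dmz_if:network } to any -> $ext_ip

# Default deny on all interfaces. "block in on { sis0, vr0 }" never names
# sis1, which leaves the DMZ interface passing everything by default.
block in log all
block out log all

antispoof quick for { lo $int_if $dmz_if }

# LAN: DNS and SSH to the firewall itself; anything else is forwarded.
pass in quick on $int_if inet proto { tcp, udp } from $int_if:network \
    to ($int_if) port { 22, 53 } keep state
block in log quick on $int_if from $int_if:network to ($int_if)
pass in on $int_if inet proto { tcp, udp, icmp } from $int_if:network to any keep state

# DMZ: may reach the Internet, may not open connections to the LAN or
# to the firewall's own addresses.
block in log quick on $dmz_if from $dmz_if:network to { $int_if:network, ($dmz_if) }
pass in on $dmz_if inet proto { tcp, udp, icmp } from $dmz_if:network to any keep state

# Explicit pass out rules on every interface keep the ruleset readable and
# cover traffic the firewall itself originates (its own DNS lookups, etc.).
pass out on $ext_if inet keep state
pass out on $dmz_if inet keep state
pass out on $int_if inet keep state
```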



Re: NAT, Firewall & pf

2009-02-24 Thread Jorge Enrique Valbuena Vargas
1. You need to enable routing on your BSD box:
edit /etc/sysctl.conf and change the 0 (zero) to 1


net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

In order to enable routing without restarting the BSD box, type:

sysctl -w net.inet.ip.forwarding=1




On Mon, Feb 23, 2009 at 8:58 PM, Hilco Wijbenga wrote:

> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in
> OpenBSD. I have "The Book of PF" and "Secure Architectures
> with OpenBSD" so I thought it would be very simple. Well, we're two
> weeks later now and still no firewall. :-) The pf rules I found in
> those books don't seem to work as I expected them to work.
>
> Before I list my current pf.conf, let me give a few more details. My
> firewall will be running a few services for my network (DHCP, NTP, and
> DNS). I need to use NAT to get my own network Internet access. DHCP
> works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
> ICMP working.
>
> /etc/pf.conf
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port
> $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port
> $udp_services
> 14 pass quick inet proto { tcp, udp } from $lo0:network to any port
> $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state
>
> a. Why do I need 12? I had expected 13 (which I don't seem to need).
> Wouldn't 12 be for incoming requests from the Internet?
> b. Given that ping works from my network (so that presumably routing
> is okay), why doesn't anything else work? HTTP seems blocked by the
> firewall.
> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.
> d. Any other pointers?
>
> Cheers,
> Hilco