What's up with my pf.conf?

2007-02-13 Thread mal content

Hi.

I just upgraded from 3.7 to 4.0 (complete wipe and reinstall) and
my previously working pf.conf now doesn't work correctly. Machines
inside the private network can no longer connect to any IP outside
of my network.

# $Id: pf.conf 201 2007-02-13 20:03:11Z mc $

# network interface cards
dmz_nic=fxp2
priv_nic=fxp1
wan_nic=fxp0

# ip addresses for this machine and the wan router
my_dmz_ip=192.168.3.1
my_priv_ip=192.168.2.1
my_wan_ip=192.168.1.2
dtek_ip=192.168.1.1

# DNS server
dns_cache=192.168.3.10

# clock server
ntp_server=192.168.3.20

silc_server=192.168.3.33
irc_server=192.168.3.32
http_server=192.168.3.31
www_server=192.168.3.30

# private terminals
priv_terminal1=192.168.2.15
priv_terminal2=192.168.2.5

# ip ranges of both networks
priv_ips=192.168.2.0/24
dmz_ips=192.168.3.0/24

# freebsd.org hole for portaudit
freebsd_org = 216.136.204.117

# blacklist
table <blacklist> persist file "/etc/pf.blacklist"

#--
# global rules

# normalise incoming traffic
scrub in all fragment reassemble

#--
# NAT

nat on $wan_nic from $priv_nic:network to any -> ($wan_nic)
nat on $wan_nic from $dmz_nic:network to any -> ($wan_nic)

# server services redirects
rdr on $wan_nic proto tcp \
 from any to any port 80 -> $http_server port 80
rdr on $wan_nic proto tcp \
 from any to any port 2200 -> $http_server port 22
rdr on $wan_nic proto tcp \
 from any to any port 6667 -> $irc_server port 6667
rdr on $wan_nic proto tcp \
 from any to any port 6669 -> $irc_server port 6669
rdr on $wan_nic proto tcp \
 from any to any port 706 -> $silc_server port 10706

#--

# blacklist
block log quick from <blacklist> to any
block log quick from any to <blacklist>

# clear localhost traffic
pass out quick on lo0 all
pass in quick on lo0 all

#--
# wan subnet
# the wan subnet is a tiny subnet containing only this nic and the
# router (dtek) that gives access to the WAN. Legal packets include:
#
# - udp log packets from the wan router (dtek_ip)
# - packets from the WAN, destined for the DMZ (destined for NAT)
# - responses to requests for the admin web interface, destined for
#   the private network
#
# allow outgoing from $my_wan_ip because all outgoing connections
# have this source address after being rewritten by NAT

block in log on $wan_nic all
block out log on $wan_nic all

# allow web server, ssh, irc, silc in post-NAT
pass in log quick on $wan_nic proto tcp \
 from any to $http_server port 80 modulate state
pass in log quick on $wan_nic proto tcp \
 from any to $http_server port 2200 modulate state
pass in log quick on $wan_nic proto tcp \
 from any to $irc_server port 6667 modulate state
pass in log quick on $wan_nic proto tcp \
 from any to $irc_server port 6669 modulate state
pass in log quick on $wan_nic proto tcp \
 from any to $silc_server port 10706 modulate state

# allow outgoing
pass out on $wan_nic inet proto tcp \
 from $my_wan_ip to any flags S/SA modulate state
pass out on $wan_nic inet proto udp \
 from $my_wan_ip to any modulate state

#--
# private network

# prevent spoofing
block in log quick on $priv_nic from ! $priv_ips to any
block out log quick on $priv_nic from any to ! $priv_ips

# block everything by default
block in log on $priv_nic all
block out log on $priv_nic all

# allow the private administrative terminal to connect to the SSH port
pass in log quick on $priv_nic proto tcp \
 from $priv_terminal1 to $my_priv_ip port 22 modulate state
# allow connections from admin terminal to dtek
pass in log quick on $priv_nic proto tcp \
 from $priv_terminal1 to $dtek_ip port 8080 modulate state

# same as above, different terminal
pass in log quick on $priv_nic proto tcp \
 from $priv_terminal2 to $my_priv_ip port 22 modulate state
pass in log quick on $priv_nic proto tcp \
 from $priv_terminal2 to $dtek_ip port 8080 modulate state

# block anybody else that tries it
block in log quick on $priv_nic \
 from any to $dtek_ip
block in log quick on $priv_nic \
 from any to $my_priv_ip

# allow private lan to connect out
pass in log on $priv_nic proto tcp \
 from $priv_ips to any flags S/SA modulate state
pass in log on $priv_nic proto udp \
 from $priv_ips to any modulate state

#--
# dmz

block in log quick on $dmz_nic from ! $dmz_ips to any
block out log quick on $dmz_nic from any to ! $dmz_ips

block in log on $dmz_nic all
block out log on $dmz_nic all

# this is the opposite of how it sounds.
# pass in on $dmz_nic means any packets coming into the firewall from
# the DMZ
# pass out means any packets going into the DMZ from the firewall

# allow DNS requests out
pass in log quick on $dmz_nic proto udp \
 from $dns_cache 

Re: What's up with my pf.conf?

2007-02-13 Thread mal content

On 13/02/07, Bryan Irvine [EMAIL PROTECTED] wrote:

On 2/13/07, mal content [EMAIL PROTECTED] wrote:
 Hi.

 I just upgraded from 3.7 to 4.0 (complete wipe and reinstall) and
 my previously working pf.conf now doesn't work correctly. Machines
 inside the private network can no longer connect to any IP outside
 of my network.

can you connect to any ip that is located on a different interface of
the firewall?

ie can 192.168.3.10 ping 192.168.2.15?

check the output of 'sysctl net.inet.ip.forwarding'


Hi.

Yes, I see 'pass in on fxp1' and 'pass out on fxp2'.

net.inet.ip.forwarding is enabled.

MC



Re: What's up with my pf.conf?

2007-02-13 Thread mal content

I have simplified the config file down to:

# $Id: pf.conf 202 2007-02-13 23:44:37Z mc $

nic_dmz = fxp2
nic_pri = fxp1
nic_wan = fxp0

# ip addresses for this machine and the wan router
ip_dmz = 192.168.3.1
ip_pri = 192.168.2.1
ip_wan = 192.168.1.2
ip_dtek = 192.168.1.1

# network
net_pri = 192.168.2.0/24
net_dmz = 192.168.3.0/24

# privileged terminals
ip_priv_term1= 192.168.2.5

# blacklist
table <blacklist> persist file "/etc/pf.blacklist"

#--
# global normalize rules

scrub in all fragment reassemble

#--
# NAT

nat on $nic_wan from $nic_pri:network to any -> ($nic_wan)
nat on $nic_wan from $nic_dmz:network to any -> ($nic_wan)

#--
# global filter rules

block log all

block log quick from <blacklist> to any
block log quick from any to <blacklist>

pass quick on lo0 all

#--
# WAN subnet

# allow outgoing
pass out on $nic_wan proto tcp \
 from $ip_wan to any flags S/SA modulate state
pass out on $nic_wan proto udp \
 from $ip_wan to any modulate state

#--
# private subnet

block in log quick on $nic_pri from ! $net_pri to any
block out log quick on $nic_pri from any to ! $net_pri

# allow the private administrative terminal to connect to the SSH port
pass in log quick on $nic_pri proto tcp \
 from $ip_priv_term1 to $ip_pri port 22 modulate state
# allow connections from admin terminal to dtek
pass in log quick on $nic_pri proto tcp \
 from $ip_priv_term1 to $ip_dtek port 8080 modulate state

# allow private lan to connect out
pass in log on $nic_pri proto tcp \
 from $net_pri to any flags S/SA modulate state
pass in log on $nic_pri proto udp \
 from $net_pri to any modulate state

#--
# dmz

block in log quick on $nic_dmz from ! $net_dmz to any
block out log quick on $nic_dmz from any to ! $net_dmz

# allow into the DMZ
pass out log on $nic_dmz proto tcp \
 from any to $net_dmz flags S/SA modulate state
pass out log on $nic_dmz proto udp \
 from any to $net_dmz modulate state

...but it still just isn't working. I'm scratching my head over this
one.

This is the exact same system I've been using for a good
year and a half. Have there been any changes to pf that I've
missed (in terms of interface - obviously there have been new
features and fixes etc.)?

MC



Re: What's up with my pf.conf?

2007-02-13 Thread mal content

To clarify:

I can connect from any 192.168.2.* IP to a temporary machine
in the 192.168.1.* network (the empty network between the hardware
router and the openbsd box), so packets appear to be forwarded
correctly. If I try to connect to an external IP, however, the packets
don't seem to go anywhere. I have, on a few occasions, seen responses
from openbsd.org to packets sent earlier which are then blocked by
pf (correctly, as they are no longer associated with any connection).

I have connected a machine to the 192.168.1.* network to sniff
packets with wireshark and see absolutely nothing go through when
a machine at 192.168.2.5 attempts to 'nc' to openbsd.org:80. Watching
pf logs with tcpdump shows that pf certainly believes it has forwarded
packets to the external IP address.

...

In the old days, we'd have opened the switch with bolt cutters and
set fire to the building on the way out.

MC



Re: What's up with my pf.conf?

2007-02-13 Thread mal content

On 14/02/07, Ste Jones [EMAIL PROTECTED] wrote:


what does `route show` say and is the default gateway correct?

Cheers
Ste



Destination        Gateway            Flags  Refs    Use    Mtu  Interface
default            192.168.1.1        UGS       0    194      -  fxp0
127/8              127.0.0.1          UGRS      0      0  33224  lo0
127.0.0.1          127.0.0.1          UH        3    389  33224  lo0
192.168.1/24       link#1             UC        3      0      -  fxp0
192.168.1.1        00:50:7f:21:67:94  UHLc      1     37      -  fxp0
192.168.1.4        00:11:25:46:4b:11  UHLc      0      1      -  fxp0
192.168.2/24       link#2             UC        1      0      -  fxp1
192.168.2.5        00:d0:b7:3f:44:85  UHLc      2  23543      -  fxp1
192.168.3/24       link#3             UC        2      0      -  fxp2

The default gateway appears to be correct, 192.168.1.1, the IP address
of the hardware router.

MC
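The checks the replies asked for (IP forwarding, the default gateway, and whether that gateway actually resolved on the WAN interface), as an added shell example that is not part of the thread. It assumes OpenBSD's `sysctl net.inet.ip.forwarding` and `route -n show -inet` output formats; the expected gateway and interface are passed as arguments, and the sample routing table is constructed from the listing posted above.

```shell
#!/bin/sh
# Added example, not from the thread: the checks the replies asked for on an
# OpenBSD router, written as functions over captured text so they can be run
# against a saved `route -n show -inet` listing as well as the live system.

# Constructed sample in the layout the thread posted (OpenBSD 4.0 route show).
SAMPLE_ROUTES='Destination        Gateway            Flags  Refs    Use    Mtu  Interface
default            192.168.1.1        UGS       0    194      -  fxp0
127.0.0.1          127.0.0.1          UH        3    389  33224  lo0
192.168.1/24       link#1             UC        3      0      -  fxp0
192.168.1.1        00:50:7f:21:67:94  UHLc      1     37      -  fxp0
192.168.2/24       link#2             UC        1      0      -  fxp1'

# Gateway of the default route, empty if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Interface the default route leaves through, empty if there is none.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $NF; exit }'
}

# True when the gateway has a link-layer (L flag) host entry on the given
# interface, i.e. the router answered ARP on that segment.
gateway_resolved() {
    printf '%s\n' "$1" | awk -v gw="$2" -v ifc="$3" \
        '$1 == gw && $3 ~ /L/ && $NF == ifc { found = 1 } END { exit !found }'
}

# Report whether the default route matches the expected router and interface.
# Prints one line and returns 0 on success, 1 on any mismatch.
check_default_route() {
    routes=$1 want_gw=$2 want_if=$3
    gw=$(default_gateway "$routes")
    ifc=$(default_iface "$routes")
    if [ -z "$gw" ]; then
        echo "no default route"; return 1
    elif [ "$gw" != "$want_gw" ]; then
        echo "default gateway is $gw, expected $want_gw"; return 1
    elif [ "$ifc" != "$want_if" ]; then
        echo "default route leaves via $ifc, expected $want_if"; return 1
    fi
    echo "default route ok: $gw via $ifc"
}

# True when `sysctl net.inet.ip.forwarding` output says forwarding is on.
forwarding_enabled() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# Run the three checks against the live system (OpenBSD command names).
run_live_checks() {
    forwarding_enabled "$(sysctl net.inet.ip.forwarding 2>/dev/null)" ||
        echo "ip forwarding is off: set net.inet.ip.forwarding=1"
    routes=$(route -n show -inet 2>/dev/null)
    check_default_route "$routes" "$1" "$2"
    gateway_resolved "$routes" "$1" "$2" ||
        echo "no link-layer entry for $1 on $2: the router never answered ARP?"
}

# Usage: sh check-router.sh <expected-gateway> <wan-interface>
if [ $# -eq 2 ]; then
    run_live_checks "$1" "$2"
fi
```

A missing link-layer entry for the gateway is the case to look at first when, as in the thread, pf logs show packets passed but nothing appears on the WAN wire.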



Re: What's up with my pf.conf?

2007-02-13 Thread mal content

Well.

Amazing, and sickening as it is, rebooting the machine appears
to have cleared up the problem.

Any more of this and I'd have broken out in hives or chewed
through a mains cable.

Thanks for your time, everybody who replied on and off list.

MC



Re: blobs are bad

2006-10-18 Thread mal content

On 18/10/06, Nico Meijer [EMAIL PROTECTED] wrote:


Yes, there's a lot of New Age bullshit floating around. It's your choice
to look beyond that and see the practical implications of it.



They do tend to get everywhere, don't they...

MC



Recommendation for T41 Wireless

2006-10-15 Thread mal content

Hello.

I was recently given an IBM T41 laptop. I've had little experience
of laptop hardware, and no experience of wireless. The laptop itself
didn't come with any wireless hardware (which, I gather, is a good thing
as it would have been closed intel stuff).

I would like to get some sort of wireless card for it. What would the users
of this list recommend? It'll run OpenBSD 4.0, of course.

thanks,
MC



Re: Recommendation for T41 Wireless

2006-10-15 Thread mal content

On 15/10/06, Jonathan Gray [EMAIL PROTECTED] wrote:

On Sun, Oct 15, 2006 at 07:57:56AM +0100, mal content wrote:
 Hello.

 I was recently given an IBM T41 laptop. I've had little experience
 of laptop hardware, and no experience of wireless. The laptop itself
 didn't come with any wireless hardware (which, I gather, is a good thing
 as it would have been closed intel stuff).

 I would like to get some sort of wireless card for it. What would the users
 of this list recommend? It'll run OpenBSD 4.0, of course.

 thanks,
 MC

Get a Ralink based card, they work great.
You'll have to run tpwireless from ports before you put it in
to get around the stupid IBM whitelist though.



Hi.

http://catalog.belkin.com/IWCatProductPage.process?Product_Id=136500

This uses the Ralink chipset doesn't it? I just want to be sure before I
place an order.

thanks,
MC



Re: Recommendation for T41 Wireless

2006-10-15 Thread mal content

On 15/10/06, Jonathan Gray [EMAIL PROTECTED] wrote:


Well some companies like Belkin make it hard to tell as they change things.
If you don't mind opening up your thinkpad you should be able to place
an internal Mini PCI card.  These have the advantage of having the main
chip clearly visible so you can tell what you're getting.  People like
wim sell them clearly marked as Ralink cards.

If you want an external CardBus card look at the device list in the
ral man page ral(4).

Jonathan



Ok, thank you!

MC



Re: ksh vs bash

2006-08-26 Thread mal content

On 27/08/06, Default User [EMAIL PROTECTED] wrote:

why does OpenBSD have ksh as the default shell, rather than bash?

...

No flames, please. Just honest thoughtful discussion.



That's probably not a question that's going to result in honest,
thoughtful discussion.

MC



Re: Do mp3 concatenation programs exist?

2006-07-16 Thread mal content

http://archives.neohapsis.com/archives/openbsd/cvs/2006-07/0032.html



Re: Filesystem using tags, not folders?

2006-06-11 Thread mal content

On 09/06/06, Kyrre Nygard [EMAIL PROTECTED] wrote:

Hello!

Just a wild thought here ...

After noticing how much simpler it is using tags, for instance
with my bookmarks at http://del.icio.us -- compared to hours of
frustration trying find the right combination of folders and
sub folders in my Firefox' bookmarks.html, I was wondering
if the same approach could be used to arrange the UNIX filesystem
hierarchy, from the root and up. This is just a radical thought,
not yet an idea even -- but if somebody would be willing to think
with me -- maybe we could make a big change.



Can you elaborate? I don't really understand.

MC



Re: Filesystem using tags, not folders?

2006-06-11 Thread mal content

On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:


http://del.icio.us/help/tags



Seems to me that this would just be a simple manager interface
built over the existing filesystem. No need to change the filesystem,
just maintain a database of pointers to files using tags as search
keys.

MC



Re: Filesystem using tags, not folders?

2006-06-11 Thread mal content

On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:

mal content wrote on Sun, Jun 11, 2006 at 07:55:30PM +0100:
 On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:

 http://del.icio.us/help/tags

 Seems to me that this would just be a simple manager interface
 built over the existing filesystem. No need to change the filesystem,
 just maintain a database of pointers to files using tags as search
 keys.

About any bloody app out there in userland relies on open(2), rename(2),
unlink(2) and friends.  Thus, either tamper with syscall stubs in libc
 - see /usr/src/lib/libc/sys/Makefile.inc for details - or rewrite
userland or be content with a locate(1) quality database.  Not
exactly what i might call just and simple.

Regarding myself, _I_ do not feel fit to build a new world right
now.  At the very least, i think i ought to spend some more time
understanding the one that we already have, first.


I wasn't talking about replacing or modifying any system calls
at all. I am also perfectly content with the current UNIX filesystem.

What I was saying is that this seems to be a job for a high level
userland application that maintains a database - not a kernel
filesystem.

MC



Re: Does Lenovo suck ?

2006-06-05 Thread mal content

Lenovo


In other news Lenovo pretend that they never used the words "We will
not have models available for Linux, and we do not have custom order,
either":

http://news.com.com/Lenovo+denies+ditching+Linux/2100-1003_3-6080115.html



[ot] Security question from 2004 MCS 494

2006-06-03 Thread mal content

Hello.

djb published the exam paper from the 2004 UNIX security hole course:

http://cr.yp.to/2004-494/1209.pdf

I've been going through it, for something to do, and am stuck on
question 7:

---
Problem 7.

The system administrator, after learning that the /home disk is full, finds and
removes a 40-gigabyte file:

% find /home -ls | sort -n +6 | tail -1 | awk '{print $11}'
/home/joe/just-testing/rc
% ls -l /home/joe/just-testing/rc
-rw-r--r-- 1 joe joe 41162685334 Dec 9 10:00 /home/joe/just-testing/rc
% rm /home/joe/just-testing/rc
% ls -l /home/joe/just-testing/rc
ls: /home/joe/just-testing/rc: No such file or directory
%

The system administrator later discovers, to his surprise, that the important
16000-byte system file /etc/rc has disappeared. What exactly did joe do?
---

Anybody got any ideas? The rest of the questions seem quite easy but
this one has me scratching my head.

MC



Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

Hello.

I'm trying to connect to a Sun Ultra 5 from my OpenBSD
laptop (a thinkpad) but I'm currently stuck. I have next to
no experience with serial communications, so I'm groping
around in the dark currently.

I have a serial cable with a null modem adapter connected
to the DB9 serial port on my laptop and the DB25 A serial
port on the Sun.

I'm using minicom, at 9600 baud and using the /dev/tty00
device.

When I switch on the Sun, I'm told that I should get some
console output and then the usual ok prompt. I actually
get a lot of control characters and binary gibberish.

Where exactly do I start with troubleshooting? The cable
doesn't seem to be at fault, so I'm assuming that the
problem is software related.

cheers,
MC



Re: Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

On 5/19/06, Jasper Lievisse Adriaanse [EMAIL PROTECTED] wrote:

Instead of using minicom, can you try:

# cu -l /dev/cua00

This works fine (here) from and to a Blade 100/SS4/SGI 02.


Hello.

The output from that command was colourful to say the least
and in fact caused xterm to glitch (the prompt was replaced
with strange control characters in that strange manner that
sometimes happens when you accidentally cat a binary
file).

No luck so far...
MC



Re: Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

On 5/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



 Hello.

 I'm trying to connect to a Sun Ultra 5 from my OpenBSD
 laptop (a thinkpad) but I'm currently stuck. I have next to
 no experience with serial communications, so I'm groping
 around in the dark currently.

 I have a serial cable with a null modem adapter connected
 to the DB9 serial port on my laptop and the DB25 A serial
 port on the Sun.

 I'm using minicom, at 9600 baud and using the /dev/tty00
 device.

 When I switch on the Sun, I'm told that I should get some
 console output and then the usual ok prompt. I actually
 get a lot of control characters and binary gibberish.

 Where exactly do I start with troubleshooting? The cable
 doesn't seem to be at fault, so I'm assuming that the
 problem is software related.

 cheers,
 MC

Hi,
make sure your keyboard is not connected to the Sun, otherwise it will not 
switch the console to the serial IF. Also make sure your connection settings 
are 9600-8N1.  You might also find more help at 
http://www.obsolyte.com/sunFAQ/serial/.


Hello.

Yes, I have this guide onscreen now. My keyboard is already unplugged,
and I seem to be using the correct settings.

MC



Re: Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

On 5/20/06, Chad M Stewart [EMAIL PROTECTED] wrote:


Being a U5, its used, which means someone could have changed the baud
rate of the serial port.  :)  I've got two U10s, a SS20, and 220R in
my basement^H^H data center.  ;-)

If you can use a keyboard & monitor to get to the ok prompt, then you
can check the speed of the serial port.  I can't remember the command
right now, but a search on the web should point in the right
direction.  I don't recall if the U5s are like the U10s in this
respect, if so, then don't break the serial connection once the
machine is booted.  Otherwise it'll do the equivalent of stop-a.  My
main mail server was up over 500 days when I had to move things
around.  I accidently pulled the serial cable, damn it.  :)


Ah, well, there's the problem you see. I'm actually trying to get
a serial login as the last lot apparently set the console to some
ridiculous resolution that no monitor here can handle.

It's looking pretty unlikely that I'm even going to get that though,
this one might have to go for scrap. :(

MC



Re: Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

On 5/20/06, Sevan / Venture37 [EMAIL PROTECTED] wrote:

mal content wrote:
 Ah, well, there's the problem you see. I'm actually trying to get
 a serial login as the last lot apparently set the console to some
 ridiculous resolution that no monitor here can handle.

 It's looking pretty unlikely that I'm even going to get that though,
 this one might have to go for scrap. :(

 MC

Power up the system whilst holding STOP & N
that will force the OBP to reset to default settings & all should be
well again.



Hah, well that pretty much settles it - this is a faulty machine.

I tried STOP-N on boot, no video and now the machine refuses
to acknowledge that the keyboard exists too.

Thanks to all who replied.
MC



Re: Connecting to Sun Ultra 5 over serial line

2006-05-19 Thread mal content

On 5/20/06, Sevan / Venture37 [EMAIL PROTECTED] wrote:


Try holding STOP & F & powering up the system, this forces output via
serial port A

STOP-D forces a diagnostic power on. The NVRAM Parameter
diag-switch? is set to true.
Not supported by USB Keyboards.

STOP-F forces input and output to ttya. Input from the Keyboard is
disabled except for L1-A.
Not supported by USB Keyboards.

STOP-N forces a set-defaults of the NVRAM.
Not supported by USB Keyboards.


Hi. I tried all of the above, but the machine stubbornly refuses to
do anything useful.

Shame, really.
cheers,
MC