What's up with my pf.conf?
Hi. I just upgraded from 3.7 to 4.0 (complete wipe and reinstall) and my previously working pf.conf now doesn't work correctly. Machines inside the private network can no longer connect to any IP outside of my network.

# $Id: pf.conf 201 2007-02-13 20:03:11Z mc $

# network interface cards
dmz_nic=fxp2
priv_nic=fxp1
wan_nic=fxp0

# ip addresses for this machine and the wan router
my_dmz_ip=192.168.3.1
my_priv_ip=192.168.2.1
my_wan_ip=192.168.1.2
dtek_ip=192.168.1.1

# DNS server
dns_cache=192.168.3.10

# clock server
ntp_server=192.168.3.20

silc_server=192.168.3.33
irc_server=192.168.3.32
http_server=192.168.3.31
www_server=192.168.3.30

# private terminals
priv_terminal1=192.168.2.15
priv_terminal2=192.168.2.5

# ip ranges of both networks
priv_ips=192.168.2.0/24
dmz_ips=192.168.3.0/24

# freebsd.org hole for portaudit
freebsd_org = 216.136.204.117

# blacklist
table <blacklist> persist file "/etc/pf.blacklist"

#--
# global rules

# normalise incoming traffic
scrub in all fragment reassemble

#--
# NAT
nat on $wan_nic from $priv_nic:network to any -> ($wan_nic)
nat on $wan_nic from $dmz_nic:network to any -> ($wan_nic)

# server services redirects
rdr on $wan_nic proto tcp \
	from any to any port 80 -> $http_server port 80
rdr on $wan_nic proto tcp \
	from any to any port 2200 -> $http_server port 22
rdr on $wan_nic proto tcp \
	from any to any port 6667 -> $irc_server port 6667
rdr on $wan_nic proto tcp \
	from any to any port 6669 -> $irc_server port 6669
rdr on $wan_nic proto tcp \
	from any to any port 706 -> $silc_server port 10706

#--
# blacklist
block log quick from <blacklist> to any
block log quick from any to <blacklist>

# clear localhost traffic
pass out quick on lo0 all
pass in quick on lo0 all

#--
# wan subnet
# the wan subnet is a tiny subnet containing only this nic and the
# router (dtek) that gives access to the WAN. Legal packets include:
#
# - udp log packets from the wan router (dtek_ip)
# - packets from the WAN, destined for the DMZ (destined for NAT)
# - responses to requests for the admin web interface, destined for
#   the private network
#
# allow outgoing from $my_wan_ip because all outgoing connections
# have this source address after being rewritten by NAT
block in log on $wan_nic all
block out log on $wan_nic all

# allow web server, ssh, irc, silc in post-NAT
pass in log quick on $wan_nic proto tcp \
	from any to $http_server port 80 modulate state
pass in log quick on $wan_nic proto tcp \
	from any to $http_server port 2200 modulate state
pass in log quick on $wan_nic proto tcp \
	from any to $irc_server port 6667 modulate state
pass in log quick on $wan_nic proto tcp \
	from any to $irc_server port 6669 modulate state
pass in log quick on $wan_nic proto tcp \
	from any to $silc_server port 10706 modulate state

# allow outgoing
pass out on $wan_nic inet proto tcp \
	from $my_wan_ip to any flags S/SA modulate state
pass out on $wan_nic inet proto udp \
	from $my_wan_ip to any modulate state

#--
# private network

# prevent spoofing
block in log quick on $priv_nic from ! $priv_ips to any
block out log quick on $priv_nic from any to ! $priv_ips

# block everything by default
block in log on $priv_nic all
block out log on $priv_nic all

# allow the private administrative terminal to connect to the SSH port
pass in log quick on $priv_nic proto tcp \
	from $priv_terminal1 to $my_priv_ip port 22 modulate state

# allow connections from admin terminal to dtek
pass in log quick on $priv_nic proto tcp \
	from $priv_terminal1 to $dtek_ip port 8080 modulate state

# same as above, different terminal
pass in log quick on $priv_nic proto tcp \
	from $priv_terminal2 to $my_priv_ip port 22 modulate state
pass in log quick on $priv_nic proto tcp \
	from $priv_terminal2 to $dtek_ip port 8080 modulate state

# block anybody else that tries it
block in log quick on $priv_nic \
	from any to $dtek_ip
block in log quick on $priv_nic \
	from any to $my_priv_ip

# allow private lan to connect out
pass in log on $priv_nic proto tcp \
	from $priv_ips to any flags S/SA modulate state
pass in log on $priv_nic proto udp \
	from $priv_ips to any modulate state

#--
# dmz
block in log quick on $dmz_nic from ! $dmz_ips to any
block out log quick on $dmz_nic from any to ! $dmz_ips
block in log on $dmz_nic all
block out log on $dmz_nic all

# this is the opposite of how it sounds.
# pass in on $dmz_nic means any packets coming into the firewall from
# the DMZ
# pass out means any packets going into the DMZ from the firewall

# allow DNS requests out
pass in log quick on $dmz_nic proto udp \
	from $dns_cache
Re: What's up with my pf.conf?
On 13/02/07, Bryan Irvine [EMAIL PROTECTED] wrote:
> On 2/13/07, mal content [EMAIL PROTECTED] wrote:
>> Hi. I just upgraded from 3.7 to 4.0 (complete wipe and reinstall) and my previously working pf.conf now doesn't work correctly. Machines inside the private network can no longer connect to any IP outside of my network.
>
> can you connect to any ip that is located on a different interface of the firewall? ie can 192.168.3.10 ping 192.168.2.15?
>
> check the output of 'sysctl net.inet.ip.forwarding'

Hi. Yes, I see 'pass in on fxp1' and 'pass out on fxp2'. net.inet.ipforwarding is enabled.

MC
Re: What's up with my pf.conf?
I have simplified the config file down to:

# $Id: pf.conf 202 2007-02-13 23:44:37Z mc $

nic_dmz = fxp2
nic_pri = fxp1
nic_wan = fxp0

# ip addresses for this machine and the wan router
ip_dmz = 192.168.3.1
ip_pri = 192.168.2.1
ip_wan = 192.168.1.2
ip_dtek = 192.168.1.1

# network
net_pri = 192.168.2.0/24
net_dmz = 192.168.3.0/24

# privileged terminals
ip_priv_term1 = 192.168.2.5

# blacklist
table <blacklist> persist file "/etc/pf.blacklist"

#--
# global normalize rules
scrub in all fragment reassemble

#--
# NAT
nat on $nic_wan from $nic_pri:network to any -> ($nic_wan)
nat on $nic_wan from $nic_dmz:network to any -> ($nic_wan)

#--
# global filter rules
block log all
block log quick from <blacklist> to any
block log quick from any to <blacklist>
pass quick on lo0 all

#--
# WAN subnet
# allow outgoing
pass out on $nic_wan proto tcp \
	from $ip_wan to any flags S/SA modulate state
pass out on $nic_wan proto udp \
	from $ip_wan to any modulate state

#--
# private subnet
block in log quick on $nic_pri from ! $net_pri to any
block out log quick on $nic_pri from any to ! $net_pri
# allow the private administrative terminal to connect to the SSH port
pass in log quick on $nic_pri proto tcp \
	from $ip_priv_term1 to $ip_pri port 22 modulate state
# allow connections from admin terminal to dtek
pass in log quick on $nic_pri proto tcp \
	from $ip_priv_term1 to $ip_dtek port 8080 modulate state
# allow private lan to connect out
pass in log on $nic_pri proto tcp \
	from $net_pri to any flags S/SA modulate state
pass in log on $nic_pri proto udp \
	from $net_pri to any modulate state

#--
# dmz
block in log quick on $nic_dmz from ! $net_dmz to any
block out log quick on $nic_dmz from any to ! $net_dmz
# allow into the DMZ
pass out log on $nic_dmz proto tcp \
	from any to $net_dmz flags S/SA modulate state
pass out log on $nic_dmz proto udp \
	from any to $net_dmz modulate state

...but it still just isn't working. I'm scratching my head over this one.
This is the exact same system I've been using for a good year and a half. Have there been any changes to pf that I've missed (in terms of interface - obviously there have been new features and fixes etc.)? MC
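As an added check that is not part of the thread: a small Python model of pf's evaluation order (the last matching rule wins, unless a matching rule is marked quick), run over the filter rules of the simplified pf.conf above with its macros expanded, to confirm that the ruleset as written does let the private LAN connect out. The external address 203.0.113.10 is a constructed placeholder; state tracking, the NAT rewrite itself, the blacklist table and the port-specific admin-terminal rules are not modelled.

```python
import ipaddress
from collections import namedtuple
# Rule fields mirror the parts of a pf filter rule this model understands;
# src/dst are a CIDR, a host, "!<CIDR>" (pf's "! $net") or "any".
Rule = namedtuple("Rule", "action direction iface proto src dst quick", defaults=[False])
Packet = namedtuple("Packet", "direction iface proto src dst")

def in_net(addr, net):
    """Address match with pf-style negation."""
    if net == "any":
        return True
    if net.startswith("!"):
        return not in_net(addr, net[1:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction) and rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule is quick."""
    verdict = "pass"                     # pf passes when no rule matches at all
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

NET_PRI, NET_DMZ, IP_WAN = "192.168.2.0/24", "192.168.3.0/24", "192.168.1.2"
# Filter rules of the simplified pf.conf, macros expanded.  State options, the
# blacklist table and the two port-specific admin-terminal rules are omitted.
RULES = [
    Rule("block", "any", "any", "any", "any", "any"),                     # block log all
    Rule("pass", "any", "lo0", "any", "any", "any", quick=True),
    Rule("pass", "out", "fxp0", "tcp", IP_WAN, "any"),                     # post-NAT egress
    Rule("pass", "out", "fxp0", "udp", IP_WAN, "any"),
    Rule("block", "in", "fxp1", "any", "!" + NET_PRI, "any", quick=True),  # anti-spoofing
    Rule("block", "out", "fxp1", "any", "any", "!" + NET_PRI, quick=True),
    Rule("pass", "in", "fxp1", "tcp", NET_PRI, "any"),                     # LAN may connect out
    Rule("pass", "in", "fxp1", "udp", NET_PRI, "any"),
    Rule("block", "in", "fxp2", "any", "!" + NET_DMZ, "any", quick=True),
    Rule("block", "out", "fxp2", "any", "any", "!" + NET_DMZ, quick=True),
    Rule("pass", "out", "fxp2", "tcp", "any", NET_DMZ),
    Rule("pass", "out", "fxp2", "udp", "any", NET_DMZ),
]

def check_ruleset(external="203.0.113.10"):
    """Verdicts along the path of a LAN-to-Internet TCP SYN (constructed addresses)."""
    return {
        "lan_in_fxp1": evaluate(RULES, Packet("in", "fxp1", "tcp", "192.168.2.5", external)),
        "nat_out_fxp0": evaluate(RULES, Packet("out", "fxp0", "tcp", IP_WAN, external)),
        "unsolicited_in_fxp0": evaluate(RULES, Packet("in", "fxp0", "tcp", external, IP_WAN)),
        "spoofed_in_fxp1": evaluate(RULES, Packet("in", "fxp1", "tcp", "10.0.0.1", external)),
    }

if __name__ == "__main__":
    print(check_ruleset())   # both LAN hops pass; the spoofed and unsolicited packets block
```

Both hops of the outbound connection come out as pass, which is consistent with the later finding in the thread that the ruleset itself was not the problem.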
Re: What's up with my pf.conf?
To clarify: I can connect from any 192.168.2.* IP to a temporary machine in the 192.168.1.* network (the empty network between the hardware router and the openbsd box), so packets appear to be forwarded correctly. If I try to connect to an external IP, however, the packets don't seem to go anywhere. I have, on a few occasions, seen responses from openbsd.org to packets sent earlier which are then blocked by pf (correctly, as they are no longer associated with any connection). I have connected a machine to the 192.168.1.* network to sniff packets with wireshark and see absolutely nothing go through when a machine at 192.168.2.5 attempts to 'nc' to openbsd.org:80. Watching pf logs with tcpdump shows that pf certainly believes it has forwarded packets to the external IP address. ... In the old days, we'd have opened the switch with bolt cutters and set fire to the building on the way out. MC
Re: What's up with my pf.conf?
On 14/02/07, Ste Jones [EMAIL PROTECTED] wrote:
> what does `route show` say and is the default gateway correct?
>
> Cheers
> Ste

Destination        Gateway            Flags   Refs     Use    Mtu  Interface
default            192.168.1.1        UGS        0     194      -  fxp0
127/8              127.0.0.1          UGRS       0       0  33224  lo0
127.0.0.1          127.0.0.1          UH         3     389  33224  lo0
192.168.1/24       link#1             UC         3       0      -  fxp0
192.168.1.1        00:50:7f:21:67:94  UHLc       1      37      -  fxp0
192.168.1.4        00:11:25:46:4b:11  UHLc       0       1      -  fxp0
192.168.2/24       link#2             UC         1       0      -  fxp1
192.168.2.5        00:d0:b7:3f:44:85  UHLc       2   23543      -  fxp1
192.168.3/24       link#3             UC         2       0      -  fxp2

The default gateway appears to be correct, 192.168.1.1, the IP address of the hardware router.

MC
Re: What's up with my pf.conf?
Well. Amazing, and sickening as it is, rebooting the machine appears to have cleared up the problem. Any more of this and I'd have broken out in hives or chewed through a mains cable. Thanks for your time, everybody who replied on and off list. MC
Re: blobs are bad
On 18/10/06, Nico Meijer [EMAIL PROTECTED] wrote:
> Yes, there's a lot of New Age bullshit floating around. It's your choice to look beyond that and see the practical implications of it.

They do tend to get everywhere, don't they...

MC
Recommendation for T41 Wireless
Hello. I was recently given an IBM T41 laptop. I've had little experience of laptop hardware, and no experience of wireless. The laptop itself didn't come with any wireless hardware (which, I gather, is a good thing as it would have been closed intel stuff). I would like to get some sort of wireless card for it. What would the users of this list recommend? It'll run OpenBSD 4.0, of course. thanks, MC
Re: Recommendation for T41 Wireless
On 15/10/06, Jonathan Gray [EMAIL PROTECTED] wrote:
> On Sun, Oct 15, 2006 at 07:57:56AM +0100, mal content wrote:
>> Hello. I was recently given an IBM T41 laptop. I've had little experience of laptop hardware, and no experience of wireless. The laptop itself didn't come with any wireless hardware (which, I gather, is a good thing as it would have been closed intel stuff). I would like to get some sort of wireless card for it. What would the users of this list recommend? It'll run OpenBSD 4.0, of course.
>>
>> thanks,
>> MC
>
> Get a Ralink based card, they work great. You'll have to run tpwireless from ports before you put it in to get around the stupid IBM whitelist though.

Hi.

http://catalog.belkin.com/IWCatProductPage.process?Product_Id=136500

This uses the Ralink chipset, doesn't it? I just want to be sure before I place an order.

thanks,
MC
Re: Recommendation for T41 Wireless
On 15/10/06, Jonathan Gray [EMAIL PROTECTED] wrote:
> Well some companies like Belkin make it hard to tell as they change things. If you don't mind opening up your thinkpad you should be able to place an internal Mini PCI card. These have the advantage of having the main chip clearly visible so you can tell what you're getting. People like wim sell them clearly marked as Ralink cards. If you want an external CardBus card look at the device list in the ral man page ral(4).
>
> Jonathan

Ok, thank you!

MC
Re: ksh vs bash
On 27/08/06, Default User [EMAIL PROTECTED] wrote:
> why does OpenBSD have ksh as the default shell, rather than bash?
> ...
> No flames, please. Just honest thoughtful discussion.

That's probably not a question that's going to result in honest, thoughtful discussion.

MC
Re: Do mp3 concatenation programs exist?
http://archives.neohapsis.com/archives/openbsd/cvs/2006-07/0032.html
Re: Filesystem using tags, not folders?
On 09/06/06, Kyrre Nygard [EMAIL PROTECTED] wrote:
> Hello!
>
> Just a wild thought here ... After noticing how much simpler it is using tags, for instance with my bookmarks at http://del.icio.us -- compared to hours of frustration trying find the right combination of folders and sub folders in my Firefox' bookmarks.html, I was wondering if the same approach could be used to arrange the UNIX filesystem hierarchy, from the root and up.
>
> This is just a radical thought, not yet an idea even -- but if somebody would be willing to think with me -- maybe we could make a big change.

Can you elaborate? I don't really understand.

MC
Re: Filesystem using tags, not folders?
On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:
> http://del.icio.us/help/tags

Seems to me that this would just be a simple manager interface built over the existing filesystem. No need to change the filesystem, just maintain a database of pointers to files using tags as search keys.

MC
Re: Filesystem using tags, not folders?
On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:
> mal content wrote on Sun, Jun 11, 2006 at 07:55:30PM +0100:
>> On 11/06/06, Ingo Schwarze [EMAIL PROTECTED] wrote:
>>> http://del.icio.us/help/tags
>>
>> Seems to me that this would just be a simple manager interface built over the existing filesystem. No need to change the filesystem, just maintain a database of pointers to files using tags as search keys.
>
> About any bloody app out there in userland relies on open(2), rename(2), unlink(2) and friends. Thus, either tamper with syscall stubs in libc - see /usr/src/lib/libc/sys/Makefile.inc for details - or rewrite userland or be content with a locate(1) quality database. Not exactly what i might call just and simple.
>
> Regarding myself, _I_ do not feel fit to build a new world right now. At the very least, i think i ought to spend some more time understanding the one that we already have, first.

I wasn't talking about replacing or modifying any system calls at all. I am also perfectly content with the current UNIX filesystem. What I was saying is that this seems to be a job for a high level userland application that maintains a database - not a kernel filesystem.

MC
Re: Does Lenovo suck ?
> Lenovo

In other news Lenovo pretend that they never used the words "We will not have models available for Linux, and we do not have custom order, either":

http://news.com.com/Lenovo+denies+ditching+Linux/2100-1003_3-6080115.html
[ot] Security question from 2004 MCS 494
Hello. djb published the exam paper from the 2004 UNIX security hole course:

http://cr.yp.to/2004-494/1209.pdf

I've been going through it, for something to do, and am stuck on question 7:

---
Problem 7. The system administrator, after learning that the /home disk is full, finds and removes a 40-gigabyte file:

% find /home -ls | sort -n +6 | tail -1 | awk '{print $11}'
/home/joe/just-testing/rc
% ls -l /home/joe/just-testing/rc
-rw-r--r--  1 joe  joe  41162685334 Dec  9 10:00 /home/joe/just-testing/rc
% rm /home/joe/just-testing/rc
% ls -l /home/joe/just-testing/rc
ls: /home/joe/just-testing/rc: No such file or directory
%

The system administrator later discovers, to his surprise, that the important 16000-byte system file /etc/rc has disappeared. What exactly did joe do?
---

Anybody got any ideas? The rest of the questions seem quite easy but this one has me scratching my head.

MC
Connecting to Sun Ultra 5 over serial line
Hello. I'm trying to connect to a Sun Ultra 5 from my OpenBSD laptop (a thinkpad) but I'm currently stuck. I have next to no experience with serial communications, so I'm groping around in the dark currently. I have a serial cable with a null modem adapter connected to the DB9 serial port on my laptop and the DB25 A serial port on the Sun. I'm using minicom, at 9600 baud and using the /dev/tty00 device. When I switch on the Sun, I'm told that I should get some console output and then the usual ok prompt. I actually get a lot of control characters and binary gibberish. Where exactly do I start with troubleshooting? The cable doesn't seem to be at fault, so I'm assuming that the problem is software related. cheers, MC
Re: Connecting to Sun Ultra 5 over serial line
On 5/19/06, Jasper Lievisse Adriaanse [EMAIL PROTECTED] wrote:
> Instead of using minicom, can you try:
>
> # cu -l /dev/cua00
>
> This works fine (here) from and to a Blade 100/SS4/SGI 02.

Hello. The output from that command was colourful to say the least and in fact caused xterm to glitch (the prompt was replaced with strange control characters in that strange manner that sometimes happens when you accidentally cat a binary file).

No luck so far...

MC
Re: Connecting to Sun Ultra 5 over serial line
On 5/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hello. I'm trying to connect to a Sun Ultra 5 from my OpenBSD laptop (a thinkpad) but I'm currently stuck. I have next to no experience with serial communications, so I'm groping around in the dark currently.
>>
>> I have a serial cable with a null modem adapter connected to the DB9 serial port on my laptop and the DB25 A serial port on the Sun. I'm using minicom, at 9600 baud and using the /dev/tty00 device. When I switch on the Sun, I'm told that I should get some console output and then the usual ok prompt. I actually get a lot of control characters and binary gibberish.
>>
>> Where exactly do I start with troubleshooting? The cable doesn't seem to be at fault, so I'm assuming that the problem is software related.
>>
>> cheers,
>> MC
>
> Hi,
>
> make sure your keyboard is not connected to the Sun, otherwise it will not switch the console to the serial IF. Also make sure your connection settings are 9600-8N1. You might also find more help at http://www.obsolyte.com/sunFAQ/serial/.

Hello. Yes, I have this guide onscreen now. My keyboard is already unplugged, and I seem to be using the correct settings.

MC
Re: Connecting to Sun Ultra 5 over serial line
On 5/20/06, Chad M Stewart [EMAIL PROTECTED] wrote:
> Being a U5, its used, which means someone could have changed the baud rate of the serial port. :) I've got two U10s, a SS20, and 220R in my basement^H^H data center. ;-)
>
> If you can use a keyboard monitor to get to the ok prompt, then you can check the speed of the serial port. I can't remember the command right now, but a search on the web should point in the right direction.
>
> I don't recall if the U5s are like the U10s in this respect, if so, then don't break the serial connection once the machine is booted. Otherwise it'll do the equivalent of stop-a. My main mail server was up over 500 days when I had to move things around. I accidently pulled the serial cable, damn it. :)

Ah, well, there's the problem you see. I'm actually trying to get a serial login as the last lot apparently set the console to some ridiculous resolution that no monitor here can handle. It's looking pretty unlikely that I'm even going to get that though, this one might have to go for scrap. :(

MC
Re: Connecting to Sun Ultra 5 over serial line
On 5/20/06, Sevan / Venture37 [EMAIL PROTECTED] wrote:
> mal content wrote:
>> Ah, well, there's the problem you see. I'm actually trying to get a serial login as the last lot apparently set the console to some ridiculous resolution that no monitor here can handle. It's looking pretty unlikely that I'm even going to get that though, this one might have to go for scrap. :(
>>
>> MC
>
> Power up the system whilst holding STOP N that will force the OBP to reset to default settings all should be well again.

Hah, well that pretty much settles it - this is a faulty machine. I tried STOP-N on boot, no video and now the machine refuses to acknowledge that the keyboard exists too.

Thanks to all who replied.

MC
Re: Connecting to Sun Ultra 5 over serial line
On 5/20/06, Sevan / Venture37 [EMAIL PROTECTED] wrote:
> Try holding STOP F powering up the system, this forces output via serial port A
>
> STOP-D forces a diagnostic power on. The NVRAM Parameter diag-switch? is set to true. Not supported by USB Keyboards.
> STOP-F forces input and output to ttya. Input from the Keyboard is disabled except for L1-A. Not supported by USB Keyboards.
> STOP-N forces a set-defaults of the NVRAM. Not supported by USB Keyboards.

Hi. I tried all of the above, but the machine stubbornly refuses to do anything useful. Shame, really.

cheers,
MC