pf rules order
Hello misc.

I want to block traffic from 192.168.9.8 to 192.168.1.0/24, excluding 192.168.1.6. Is there any difference between:

    block in all
    pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
    pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state

and

    block in all
    pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
    pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state

Thanks in advance,
-- raff
Re: pf rules order
Thanks for all the replies.
-- raff
002_xorg.patch compile error i386
: codec id 0x41445360 (Analog Devices AD1885)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

Does anyone know what the problem is? Thanks in advance.
-- raff
Re: ipsec.conf, win xp
Chris Cappuccio wrote:
> has anyone used ipsecctl with a win xp client yet? if so, can you share
> what options worked on the openbsd and win xp side?

yes, i'm using it with a win xp home client and shared passwords with no
problems, as described in http://openbsd.cz/~pruzicka/vpn.html

-- raff
Re: VPN: solutions that interoperate with win xp
[EMAIL PROTECTED] wrote:
> heya,
> i've been grinding away to get a VPN setup where i can have win xp
> clients connect to my openbsd firewall and access the network behind
> it. i have tried a number of things, none of which have yet worked for
> all my users. i am very much interested in hearing from other admins
> who have currently working solutions along these lines. i have setup
> isakmpd between my home and my business location, so i know i am not a
> complete idiot when it comes to this stuff ;).

as for me, the howto described in http://openbsd.cz/~pruzicka/vpn.html
works with no problems. here are my config files:

##isakmpd.conf##
[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On= ext_if_ip

[Phase 1]
peer1_ext_ip= peer1

[Phase 2]
Passive-Connections=peer2

[peer1]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somepass

[peer2]
Phase= 2
ISAKMP-peer=peer1
Configuration= Default-quick-mode
Local-ID= local-net
Remote-ID= peer-net

[peer-net]
ID-type=IPV4_ADDR
Address=peer_ext_ip

[local-net]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.1.0
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

##isakmpd.policy##
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

##xp settings##
ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2

if you want to preserve the ipseccmd settings (after a reboot, for eg.) you can add '-w reg -p somename' to your cmd line to store them in the windows registry, so they'll also be visible via the mmc/ipsec console.

on the obsd firewall you have to pass traffic on enc0, and on ext_ip incoming udp on port 500 (and 4500 if your xp clients are behind NAT, which changes source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

hope it will help you. sorry for my english ;)

-- raff
pf rule
Hello.

i have 1 rule in my pf.conf, with which i want to allow locally generated traffic ONLY to 10.0.0.1 and port 22:

    block out on $int_if proto {tcp,udp} from $int_ip to ! 10.0.0.1 \
        port != 22

this rule allows connecting only to 10.0.0.1, BUT to any port instead of only 22. Am i doing something wrong?

-- raff
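The two pf threads above ("pf rules order" and this "pf rule" post) both turn on the same point: pf evaluates the whole ruleset and the last matching rule wins (unless a match carries `quick`), and a rule matches only when all of its criteria hold. The following is an added example, not code from either post, that models just the keywords those rules use and runs both posters' rulesets against constructed sample traffic. It shows why swapping the two `pass` rules in the first thread changes nothing (the `!192.168.1.0/24` and `192.168.1.6` criteria can never match the same packet), and why the single `block out ... to ! 10.0.0.1 port != 22` rule lets everything to 10.0.0.1 through on any port, and also lets port 22 through to any host: the block fires only when both negations are true. The `$int_if`/`$int_ip` values, the interface name `fxp0`, and all sample packets are assumptions; `modulate state` is not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Packet:
    direction: str            # "in" or "out"
    ifname: str
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches either direction
    ifname: Optional[str] = None        # None matches any interface
    protos: Optional[Set[str]] = None   # None matches any protocol
    src: Optional[str] = None           # "a.b.c.d/n", or "!a.b.c.d/n" for negation
    dst: Optional[str] = None
    dport: Optional[str] = None         # "22" or "!=22"
    quick: bool = False


def _net_match(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!").strip(), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def _port_match(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:                    # rule names a port, packet has none
        return False
    if spec.startswith("!="):
        return port != int(spec[2:])
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    """All criteria are ANDed: the rule matches only if every one of them does."""
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.ifname is None or rule.ifname == pkt.ifname)
            and (rule.protos is None or pkt.proto in rule.protos)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """pf semantics: walk the whole ruleset, the LAST matching rule decides,
    unless a matching rule carries 'quick', which decides at once.
    A packet matched by no rule passes (pf's implicit default)."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# --- thread 1: the two orderings from the "pf rules order" post -------------
RULESET_A = [
    Rule("block", "in"),                                                 # block in all
    Rule("pass", "in", "xl1", src="192.168.9.8", dst="!192.168.1.0/24"),
    Rule("pass", "in", "xl1", src="192.168.9.8", dst="192.168.1.6"),
]
RULESET_B = [RULESET_A[0], RULESET_A[2], RULESET_A[1]]   # the two pass rules swapped

# Constructed sample traffic, all arriving on xl1.
SAMPLE_IN = [
    Packet("in", "xl1", "tcp", "192.168.9.8", "192.168.1.6", 22),   # the exception host
    Packet("in", "xl1", "tcp", "192.168.9.8", "192.168.1.7", 22),   # rest of the /24
    Packet("in", "xl1", "tcp", "192.168.9.8", "10.1.1.1", 80),      # outside the /24
    Packet("in", "xl1", "tcp", "192.168.9.9", "192.168.1.6", 22),   # some other source
]


def order_matters(pkts) -> bool:
    """True if swapping the two pass rules changes any verdict. Here it never
    does: '!192.168.1.0/24' and '192.168.1.6' cannot both match one packet,
    so whichever pass rule comes last has no rival to override."""
    return any(evaluate(RULESET_A, p) != evaluate(RULESET_B, p) for p in pkts)


# --- thread 2: the single 'block out ... to ! 10.0.0.1 port != 22' rule -----
INT_IF, INT_IP = "fxp0", "192.168.1.10"     # assumed values for $int_if / $int_ip
POSTED = [Rule("block", "out", INT_IF, {"tcp", "udp"}, src=INT_IP,
               dst="!10.0.0.1", dport="!=22")]
# Default-deny plus one explicit exception is the form that expresses the intent.
FIXED = [Rule("block", "out", INT_IF, {"tcp", "udp"}, src=INT_IP),
         Rule("pass", "out", INT_IF, {"tcp"}, src=INT_IP, dst="10.0.0.1", dport="22")]


def verdict_out(rules, dst: str, dport: int) -> str:
    """Verdict for a locally generated TCP packet from $int_ip out of $int_if."""
    return evaluate(rules, Packet("out", INT_IF, "tcp", INT_IP, dst, dport))
```

`verdict_out(POSTED, "10.0.0.1", 80)` and `verdict_out(POSTED, "10.0.0.2", 22)` both come back `"pass"`, because in each case one of the two negated criteria is false and so the block rule does not match at all. With `FIXED`, only `verdict_out(FIXED, "10.0.0.1", 22)` passes; the blanket block matches everything and the single pass rule, being last, overrides it for exactly the intended flow.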
ipsec question
Hi,

I have a wireless connection between my machine and a router/gateway. I can set up an ipsec connection between them if i'm connecting directly to the gw machine, but is it possible to encrypt traffic between them when i'm connecting to the internet via the gw?

    host--gw--internet
     |    |
     '----'
      ipsec

thanks in advance.
ipsec.conf / What am I doing wrong?
following ipsec.conf(5) i was trying to set up a connection between two hosts, 192.168.1.115 and 192.168.1.125. I can set it up using ipsecadm, and everything works fine, but using ipsecctl i'm getting errors like below:

    # ipsecctl -vvf ipsec.conf
    @0 flow esp out from 192.168.1.115 to 192.168.1.125 peer 192.168.1.125 type require
    @1 flow esp in from 192.168.1.125 to 192.168.1.115 peer 192.168.1.125 type use
    @2 esp from 192.168.1.115 to 192.168.1.125 spi 0x0115 auth sha1 enc 3des-cbc authkey 0x507a89ddbbca07ea595b338f78c9cf44162ef92e enckey 0x9f2d7686ee16363909e94c8334cc8492b53cb8d7d0734e29
    @3 esp from 192.168.1.125 to 192.168.1.115 spi 0x0125 auth sha1 enc 3des-cbc authkey 0x513dc7a1b41d9a5ad9fca0eedc78180be2a82ba5 enckey 0x44c4006f164234375e892d64e8fbc42c6093064fb1aa3bb9
    ipsecctl: writev failed: Invalid argument
    ipsecctl: failed to add rule 2
    ipsecctl: writev failed: Invalid argument
    ipsecctl: failed to add rule 3

thanks in advance
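When the kernel rejects a manually keyed SA, the first things to rule out are the parts of the line the kernel checks strictly: the SPI range and the key lengths against the chosen algorithms. The following is an added example, not code from the post or from ipsecctl, that parses `esp ... spi ... auth ... enc ... authkey ... enckey ...` lines in the shape shown in the output above and reports those problems. It does not diagnose the `Invalid argument` in this post (the two posted SAs pass every check here: 24-byte 3des-cbc keys, 20-byte SHA1 keys, SPIs above the reserved range, and the output does not say which field the kernel objected to); it is the pre-flight check one would run before looking elsewhere. The key-size table is mine and accepts both the `sha1` spelling printed above and the `hmac-sha1` spelling of ipsec.conf(5); the `BAD_SA` line is constructed to show what a finding looks like.

```python
import re
from typing import Dict, List

# Key sizes (bytes) the algorithms themselves require: 3des-cbc takes a 192-bit
# key, HMAC-MD5/SHA1 take 128/160-bit keys. AES entries are included so the
# check covers the common manual-keying choices, not only the posted 3des/sha1.
ENC_KEY_LEN = {"3des-cbc": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
AUTH_KEY_LEN = {"sha1": 20, "hmac-sha1": 20, "md5": 16, "hmac-md5": 16,
                "hmac-sha2-256": 32}


def parse_sa(line: str) -> Dict[str, str]:
    """Turn 'esp from A to B spi X auth Y enc Z authkey K1 enckey K2' into a dict.
    After the protocol word the line is keyword/value pairs, so a plain walk suffices."""
    toks = line.split()
    if not toks or toks[0] not in ("esp", "ah"):
        raise ValueError("not an SA line: " + line)
    sa = {"proto": toks[0]}
    it = iter(toks[1:])
    for key in it:
        sa[key] = next(it, "")
    return sa


def _hex_bytes(h: str) -> bytes:
    """Decode a 0x-prefixed hex key, rejecting the typo cases that make it unusable."""
    if not h.startswith("0x") or not re.fullmatch(r"[0-9a-fA-F]+", h[2:]):
        raise ValueError("not 0x-prefixed hex: " + h)
    if len(h[2:]) % 2:
        raise ValueError("odd number of hex digits: " + h)
    return bytes.fromhex(h[2:])


def check_sa(line: str) -> List[str]:
    """Return findings for one SA line; an empty list means nothing wrong was found."""
    sa = parse_sa(line)
    findings: List[str] = []
    # SPI is a 32-bit value; 0..255 are reserved (RFC 4303, section 2.1).
    try:
        spi = int(sa.get("spi", ""), 0)
        if not 0x100 <= spi <= 0xFFFFFFFF:
            findings.append(f"spi {sa['spi']} outside usable range 0x100..0xffffffff")
    except ValueError:
        findings.append(f"spi {sa.get('spi')!r} is not a number")
    for alg_key, key_key, table in (("enc", "enckey", ENC_KEY_LEN),
                                   ("auth", "authkey", AUTH_KEY_LEN)):
        alg = sa.get(alg_key)
        if alg is None:
            continue
        want = table.get(alg)
        if want is None:
            findings.append(f"{alg_key} {alg}: algorithm not in this table")
            continue
        try:
            got = len(_hex_bytes(sa.get(key_key, "")))
        except ValueError as e:
            findings.append(f"{key_key}: {e}")
            continue
        if got != want:
            findings.append(f"{key_key} for {alg} is {got} bytes, needs {want}")
    return findings


def check_all(lines: List[str]) -> Dict[str, List[str]]:
    """Findings per SA, keyed by SPI as written on the line."""
    return {parse_sa(l)["spi"]: check_sa(l) for l in lines}


# The two SAs exactly as they appear in the ipsecctl -vv output in the post.
POSTED_SAS = [
    "esp from 192.168.1.115 to 192.168.1.125 spi 0x0115 auth sha1 enc 3des-cbc "
    "authkey 0x507a89ddbbca07ea595b338f78c9cf44162ef92e "
    "enckey 0x9f2d7686ee16363909e94c8334cc8492b53cb8d7d0734e29",
    "esp from 192.168.1.125 to 192.168.1.115 spi 0x0125 auth sha1 enc 3des-cbc "
    "authkey 0x513dc7a1b41d9a5ad9fca0eedc78180be2a82ba5 "
    "enckey 0x44c4006f164234375e892d64e8fbc42c6093064fb1aa3bb9",
]
# Constructed bad SA: a reserved SPI and a 3des key one byte short.
BAD_SA = ("esp from 10.0.0.1 to 10.0.0.2 spi 0x10 auth hmac-sha1 enc 3des-cbc "
          "authkey 0x" + "11" * 20 + " enckey 0x" + "22" * 23)
```

`check_all(POSTED_SAS)` returns an empty list for both `0x0115` and `0x0125`, which is what tells you to look beyond the key material; `check_sa(BAD_SA)` returns two findings, one for the SPI and one for the 23-byte 3des key.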
ipsecadm tunnel
Hello.

I want to set up a tunnel between 2 networks, 192.168.40.0/28 and 192.168.1.0/24, like below:

    (a.a.a.a)pubIP--(NAT)gw1--172.16.0.0/12--(NAT)gw2--192.168.40.0/28
        |
       WAN
        |
    (b.b.b.b)pubIP--(NAT)gw3--192.168.1.0/24

i don't have access to the 172.16.0.0/12 network or gw1. I was trying to set it up like this:

--gw2--
    ipsecadm new esp -enc 3des -forcetunnel -src a.a.a.a -dst b.b.b.b \
        -spi 1234 -key somekey
    ipsecadm new esp -enc 3des -forcetunnel -src b.b.b.b -dst a.a.a.a \
        -spi 4321 -key somekey
    ipsecadm flow -src a.a.a.a -dst b.b.b.b -addr 192.168.40.0/28 192.168.1.0/24 -out -require
    ipsecadm flow -src a.a.a.a -dst b.b.b.b -addr 192.168.1.0/24 192.168.40.0/28 -in -require

--gw3--
    ipsecadm new esp -enc 3des -forcetunnel -src a.a.a.a -dst b.b.b.b \
        -spi 1234 -key somekey
    ipsecadm new esp -enc 3des -forcetunnel -src b.b.b.b -dst a.a.a.a \
        -spi 4321 -key somekey
    ipsecadm flow -src b.b.b.b -dst a.a.a.a -addr 192.168.1.0/24 192.168.40.0/28 -out -require
    ipsecadm flow -src b.b.b.b -dst a.a.a.a -addr 192.168.40.0/28 192.168.1.0/24 -in -require

If, for eg., i ping 192.168.1.6 from the 192.168.40.2 machine, on gw3 'netstat -sn' shows me 1 packet out and 1 in for ESP, but nothing comes back to me (192.168.40.2)... pf isn't blocking any traffic.

Is it possible to build a tunnel in that kind of network environment?

Sorry for my english ;)

-- raff