pf rules order

2007-01-10 Thread raff
Hello misc.

I want to block traffic from 192.168.9.8 to 192.168.1.0/24,
excluding 192.168.1.6.
Is there any difference between:

block in all
pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state

and

block in all
pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state

Thanks in advance,

-- 
raff



Re: pf rules order

2007-01-10 Thread raff
Thanks for all replies.

-- 
raff



002_xorg.patch compile error i386

2006-05-08 Thread raff
: codec id 0x41445360 (Analog Devices AD1885)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

Does anyone know what the problem is?

Thanks in advance.

--
raff



Re: ipsec.conf, win xp

2006-01-13 Thread raff
Chris Cappuccio wrote:
 has anyone used ipsecctl with a win xp client yet?
 
 if so, can you share what options worked on the openbsd and win xp side?
 

Yes, I'm using it with a Win XP Home client and shared passwords with no
problems, as described in http://openbsd.cz/~pruzicka/vpn.html

--
raff



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread raff
[EMAIL PROTECTED] wrote:
 heya,
 
 i've been grinding away to get a VPN setup where i can have win xp clients
 connect to my openbsd firewall and access the network behind it. i have tried
 a number of things, none of which have yet worked for all my users. i am very
 much interested in hearing from other admins who have currently working
 solutions along these lines. i have setup isakmpd between my home and my
 business location, so i know i am not a complete idiot when it comes to this
 stuff ;).
 

As for me, the howto described in http://openbsd.cz/~pruzicka/vpn.html works
with no problems.
Here are my config files:

##isakmpd.conf##

[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On=  ext_if_ip

[Phase 1]
peer1_ext_ip=   peer1

[Phase 2]
Passive-Connections=peer2

[peer1]
Phase=  1
Transport=  udp
Configuration=  Default-main-mode
Authentication= somepass

[peer2]
Phase=  2
ISAKMP-peer=peer1
Configuration=  Default-quick-mode
Local-ID=   local-net
Remote-ID=  peer-net

[peer-net]
ID-type=IPV4_ADDR
Address=peer_ext_ip

[local-net]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.1.0
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

##isakmpd.policy##

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
   esp_present == "yes" &&
   esp_enc_alg != "null" -> "true";

##xp settings##

ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2

If you want to preserve the ipseccmd settings (e.g. across a reboot), you can
add '-w reg -p somename' to your command line to store them in the Windows
registry; they will then also be visible via the MMC IPsec console.

On the OpenBSD firewall you have to pass traffic on enc0 and, on ext_ip, incoming
UDP on port 500 (and 4500 if your XP clients are behind a NAT which
changes source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

Hope it helps you.
Sorry for my English ;)

--
raff



pf rule

2005-12-13 Thread raff
Hello.

I have one rule in my pf.conf with which I want to allow locally generated
traffic ONLY to 10.0.0.1 on port 22:

block out on $int_if proto {tcp,udp} from $int_ip to ! 10.0.0.1 \
port != 22

This rule allows connecting only to 10.0.0.1, BUT on any port instead of
only 22.
Am I doing something wrong?

--
raff
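The two pf threads above ("pf rules order" and "pf rule") both come down to how pf evaluates a ruleset: the last matching rule decides (no 'quick' used), a packet matched by no rule passes, and a rule with several criteria matches only when all of them hold, so "to ! 10.0.0.1 port != 22" is an AND of two negations. The model below is an added example written for this page, not code from the threads or from pf itself; it ignores protocols, state tracking and 'quick' (an assumption), and uses a constructed 192.168.1.10 as the stand-in for $int_ip.

```python
"""Added example: a small model of pf rule evaluation (assumption: no 'quick',
no protocol or state matching; only direction, interface, addresses, port).
pf evaluates top to bottom and the LAST matching rule decides; a packet that
no rule matches passes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "block" or "pass"
    direction: str                  # "in" or "out"
    iface: Optional[str] = None     # None: any interface, as in "block in all"
    src: Optional[str] = None       # host or CIDR
    dst: Optional[str] = None       # host or CIDR
    dst_negate: bool = False        # pf "to ! x"
    dport: Optional[int] = None
    dport_negate: bool = False      # pf "port != n"

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None:
            if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
                return False
        if self.dst is not None:
            in_net = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
            if in_net == self.dst_negate:   # "to ! x" matches exactly when "to x" would not
                return False
        if self.dport is not None:
            if (p.dport == self.dport) == self.dport_negate:
                return False
        return True                         # every criterion held (they are ANDed)


def evaluate(rules: List[Rule], packet: Packet, default: str = "pass") -> str:
    """Last matching rule wins; pf passes a packet that no rule matches."""
    decision = default
    for rule in rules:
        if rule.matches(packet):
            decision = rule.action
    return decision


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p) for p in packets]


# --- "pf rules order": the same two pass rules in either order ---------------
BLOCK_ALL_IN = Rule("block", "in")
PASS_NOT_LAN = Rule("pass", "in", iface="xl1", src="192.168.9.8",
                    dst="192.168.1.0/24", dst_negate=True)
PASS_HOST_6 = Rule("pass", "in", iface="xl1", src="192.168.9.8", dst="192.168.1.6")
ORDER_A = [BLOCK_ALL_IN, PASS_NOT_LAN, PASS_HOST_6]
ORDER_B = [BLOCK_ALL_IN, PASS_HOST_6, PASS_NOT_LAN]

INBOUND = [                                                  # constructed packets
    Packet("in", "xl1", "192.168.9.8", "192.168.1.6", 22),   # the excluded host
    Packet("in", "xl1", "192.168.9.8", "192.168.1.7", 22),   # rest of the LAN
    Packet("in", "xl1", "192.168.9.8", "192.168.2.1", 22),   # outside the LAN
    Packet("in", "xl1", "192.168.9.9", "192.168.2.1", 22),   # a different source
]


def order_matters() -> bool:
    """True if any packet is decided differently by ORDER_A and ORDER_B.
    The two pass rules match disjoint destinations, so they never both
    match one packet and their relative order cannot change the outcome."""
    return decisions(ORDER_A, INBOUND) != decisions(ORDER_B, INBOUND)


# --- "pf rule": "to ! 10.0.0.1 port != 22" blocks only when BOTH hold --------
INT_IP = "192.168.1.10"                     # constructed stand-in for $int_ip
POSTED = [Rule("block", "out", iface="int_if", src=INT_IP,
               dst="10.0.0.1", dst_negate=True, dport=22, dport_negate=True)]
# Default-deny form: block everything outbound, then pass only the intended flow.
EXPLICIT = [Rule("block", "out", iface="int_if", src=INT_IP),
            Rule("pass", "out", iface="int_if", src=INT_IP, dst="10.0.0.1", dport=22)]

OUTBOUND = [                                                 # constructed packets
    Packet("out", "int_if", INT_IP, "10.0.0.1", 22),         # the intended flow
    Packet("out", "int_if", INT_IP, "10.0.0.1", 80),         # same host, other port
    Packet("out", "int_if", INT_IP, "10.0.0.2", 22),         # other host, port 22
    Packet("out", "int_if", INT_IP, "10.0.0.2", 80),         # neither host nor port
]

if __name__ == "__main__":
    print("order matters:", order_matters())
    print("posted rule  :", decisions(POSTED, OUTBOUND))
    print("explicit deny:", decisions(EXPLICIT, OUTBOUND))
```

Run as a script it reports that the two orderings never disagree, that the posted single rule passes the second and third outbound packets (any port on 10.0.0.1, and port 22 on any host, since only one of the two negated criteria fails), and that the block-then-pass form admits only 10.0.0.1 port 22.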



ipsec question

2005-11-30 Thread raff
Hi,
I have a wireless connection between my machine and the router/gateway.
I can set up an IPsec connection between them if I'm connecting directly to
the gw machine, but is it possible to encrypt traffic between them when I'm
connecting to the internet via the gw?

host--gw--internet
|   |
'---|---'
  ipsec

thanks in advance.



ipsec.conf / What am I dooing wrong?

2005-11-24 Thread raff
Following ipsec.conf(5) I was trying to set up a connection between two
hosts, 192.168.1.115 and 192.168.1.125.
I can set it up using ipsecadm, and everything works fine, but using
ipsecctl I'm getting some errors like below:


# ipsecctl -vvf ipsec.conf
@0 flow esp out from 192.168.1.115 to 192.168.1.125 peer 192.168.1.125
type require
@1 flow esp in from 192.168.1.125 to 192.168.1.115 peer 192.168.1.125
type use
@2 esp from 192.168.1.115 to 192.168.1.125 spi 0x0115 auth sha1 enc
3des-cbc
authkey 0x507a89ddbbca07ea595b338f78c9cf44162ef92e
enckey 0x9f2d7686ee16363909e94c8334cc8492b53cb8d7d0734e29
@3 esp from 192.168.1.125 to 192.168.1.115 spi 0x0125 auth sha1 enc
3des-cbc
authkey 0x513dc7a1b41d9a5ad9fca0eedc78180be2a82ba5
enckey 0x44c4006f164234375e892d64e8fbc42c6093064fb1aa3bb9
ipsecctl: writev failed: Invalid argument
ipsecctl: failed to add rule 2
ipsecctl: writev failed: Invalid argument
ipsecctl: failed to add rule 3

thanks in advance



ipsecadm tunnel

2005-10-30 Thread raff
Hello.
I want to set up a tunnel between two networks,
192.168.40.0/28 and 192.168.1.0/24, like below:

(a.a.a.a)pubIP--(NAT)gw1--172.16.0.0/12--(NAT)gw2--192.168.40.0/28
   |
  WAN
   |
(b.b.b.b)pubIP--(NAT)gw3--192.168.1.0/24

I don't have access to the 172.16.0.0/12 network or to gw1.

I was trying to set it up like this:


--gw2--
ipsecadm new esp -enc 3des -forcetunnel -src a.a.a.a -dst b.b.b.b \
-spi 1234 -key somekey
ipsecadm new esp -enc 3des -forcetunnel -src b.b.b.b -dst a.a.a.a \
-spi 4321 -key somekey
ipsecadm flow -src a.a.a.a -dst b.b.b.b \
-addr 192.168.40.0/28 192.168.1.0/24 -out -require
ipsecadm flow -src a.a.a.a -dst b.b.b.b \
-addr 192.168.1.0/24 192.168.40.0/28 -in -require


--gw3--
ipsecadm new esp -enc 3des -forcetunnel -src a.a.a.a -dst b.b.b.b \
-spi 1234 -key somekey
ipsecadm new esp -enc 3des -forcetunnel -src b.b.b.b -dst a.a.a.a \
-spi 4321 -key somekey
ipsecadm flow -src b.b.b.b -dst a.a.a.a \
-addr 192.168.1.0/24 192.168.40.0/28 -out -require
ipsecadm flow -src b.b.b.b -dst a.a.a.a \
-addr 192.168.40.0/28 192.168.1.0/24 -in -require

If, for example, I ping 192.168.1.6 from the 192.168.40.2 machine, on gw3
'netstat -sn' shows me 1 packet out and 1 in for ESP, but nothing comes
back to me (192.168.40.2)...

pf isn't blocking any traffic.

Is it possible to build a tunnel in that kind of network environment?

Sorry for my English ;)

--
raff