Re: OpenBSD 4.1 - NAT + ttl=0 trouble -solved!

2007-12-23 Thread gentoo1
gentoo1 wrote:
> 
> Hello :)
> 
> I use OpenBSD 4.1 as a gateway for my laptop. I set this in my pf.conf file:
>  nat on fxp0 from rl0:network to any -> fxp0 ..and other rules. OK, and 
> I have Internet on my laptop. It worked fine! But yesterday my ISP set ttl
> to 0 ---> ttl=0... and now I try to change this value, but unsuccessfully...
> 
> I put this in my pf.conf, but ttl is still zero:
> 
> scrub out on $ext_if min-ttl 10
> 
> scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
> I use both options: in and out - unsuccessfully...
> 
> pfctl -sr shows:
> 
> scrub in all fragment reassemble
> scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub in on fxp0 all no-df fragment reassemble
> scrub on fxp0 all reassemble tcp fragment reassemble
> 
> And ping from openbsd to nabble.com is with ttl=0:
> ping nabble.com
> PING nabble.com (216.139.236.162): 56 data bytes
> 64 bytes from 216.139.236.162: icmp_seq=0 ttl=0 time=165.931 ms
> 64 bytes from 216.139.236.162: icmp_seq=1 ttl=0 time=164.822 ms
> --- nabble.com ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 164.822/165.376/165.931/0.687 ms
> ==> And on my laptop I don't see anything behind the openbsd gw.
> 
> In the Linux case --> I just add this rule in iptables and I change ttl
> successfully:
> iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 2.
> 
> But please let me know how I can change ttl in OpenBSD.
> 
> Kind Regards
> 

Issue solved!

right:
# scrub
scrub in on  $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble

scrub in

scrub in all fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if all reassemble tcp fragment reassemble

Thanks to Nick Gustas!
-- 
View this message in context: 
http://www.nabble.com/OpenBSD-4.1NAT-%2B-ttl%3D0-trouble-tp14463336p14477341.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
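To make the first-match point from this thread concrete, here is an added example (not code from the thread, nor from OpenBSD) that models how a 4.1-era pf picks one scrub rule per packet and applies only that rule's min-ttl. It is loaded with the two orderings posted above: the failing `pfctl -sr` output and the ruleset from the solved message with $ext_if expanded to fxp0 (the poster's external interface; rl0 is the internal one). The parser is deliberately minimal and is an assumption of the example: it recognises only the direction, `on <iface>`, `all` and `min-ttl N`, which is enough to show the ordering effect, and it ignores every other scrub option.

```python
"""Toy model of OpenBSD 4.1-era pf scrub-rule evaluation: the first scrub
rule whose direction and interface match a packet is the one applied, and
later rules are never consulted.  Added example for this thread, not code
from the thread or from OpenBSD; it only understands the keywords that
appear in the posted `pfctl -sr` output (direction, `on <iface>`, `all`,
`min-ttl N`) and ignores the other scrub options.
"""
import re

# Rule order from the poster's failing ruleset (`pfctl -sr`, ISP sends ttl=0).
BROKEN = """
scrub in all fragment reassemble
scrub in all fragment reassemble
scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub in on fxp0 all no-df fragment reassemble
scrub on fxp0 all reassemble tcp fragment reassemble
"""

# Rule order from the "solved" message, with $ext_if expanded to fxp0.
FIXED = """
scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub in
scrub in all fragment reassemble
scrub in on fxp0 all no-df fragment reassemble
scrub on fxp0 all reassemble tcp fragment reassemble
"""

SCRUB_RE = re.compile(
    r"^scrub"
    r"(?:\s+(?P<dir>in|out))?"      # absent direction matches both ways
    r"(?:\s+on\s+(?P<iface>\S+))?"  # absent interface matches any
    r"(?:\s+all)?"
    r"(?P<opts>.*)$"
)


def parse_scrub(line):
    """Reduce one scrub line to the fields that decide matching and TTL."""
    m = SCRUB_RE.match(line.strip())
    if m is None:
        raise ValueError("not a scrub rule: %r" % line)
    ttl = re.search(r"\bmin-ttl\s+(\d+)", m.group("opts"))
    return {
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "min_ttl": int(ttl.group(1)) if ttl else None,
        "text": line.strip(),
    }


def first_match(rules, direction, iface):
    """First-match semantics: return the first rule that applies, or None."""
    for r in rules:
        if r["dir"] not in (None, direction):
            continue
        if r["iface"] not in (None, iface):
            continue
        return r
    return None


def scrub_ttl(ruleset, direction, iface, ttl):
    """Return (ttl after scrub, text of the rule that was applied).

    Mirrors the min-ttl action: the TTL is raised to min-ttl only when the
    *selected* rule carries a min-ttl option; a matching rule without one
    leaves the TTL untouched even if a later rule would have raised it.
    """
    rules = [parse_scrub(l) for l in ruleset.splitlines() if l.strip()]
    r = first_match(rules, direction, iface)
    if r is None:
        return ttl, None
    if r["min_ttl"] is not None and ttl < r["min_ttl"]:
        return r["min_ttl"], r["text"]
    return ttl, r["text"]


if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("fixed", FIXED)):
        new_ttl, rule = scrub_ttl(rs, "in", "fxp0", 0)
        print("%-6s in on fxp0 ttl 0 -> ttl %2d  (matched: %s)"
              % (name, new_ttl, rule))
```

Run it and the broken order reports ttl 0 with `scrub in all fragment reassemble` as the matched rule: the interface-less `scrub in` rule sits first and swallows every inbound packet, so the `min-ttl 15` rule two lines below it never runs, while outbound traffic was already getting its TTL raised because the first `out` rule happened to be the one carrying min-ttl. Two caveats for anyone reusing the fix: min-ttl rewrites the TTL of every matching packet, so besides working around an ISP it also defeats the insertion trick where packets are crafted with a TTL that expires between a monitoring point and the end host (the normalization purpose it was designed for); and on OpenBSD 4.6 and later scrub is an option on `match`/`pass` rules rather than a standalone rule, so the ordering interaction shown here belongs to the 4.1-era syntax used in this thread.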



Re: OpenBSD 4.1 - NAT + ttl=0 trouble

2007-12-22 Thread gentoo1
Stuart Henderson wrote:
> 
> I didn't give you rules to try, I was pointing out that you had
> a problem because you had conflicting scrub rules.
> 
> Since you didn't include pf.conf I can't make any suggestions about
> exactly what is conflicting, but if you look through it you'll find
> some other scrub rules which you need to remove or re-order.
> 
> 
> 
> 

Aha... probably I have conflicting rules. See my pf.conf below.
fxp0 has 192.168.1.1/24
and rl0 10.10.10.1/24
My laptop receives an IP via dhcp from the OpenBSD server. I don't use a switch to
connect my laptop via 192.168.1.0/24...
So I need to work via the 10.10.10.0/24 network. Everything worked fine until my
ISP set ttl to 0.
OK, here is my pf.conf

#macros
ext_if="fxp0"
int_if="rl0"

tcp_services="{ 13, 21, 22, 37, 53, 80, 113, 139, 443, 445, 3:30005 }"
#tcp_services="{ 13, 21, 22, 37, 80, 113, 139, 443, 445 }"
icmp_types="echoreq"


# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

scrub in all fragment reassemble
scrub in on  $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if all reassemble tcp fragment reassemble

# nat/rdr
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on fxp0 from rl0:network to any -> fxp0
#nat-anchor "ftp-proxy/*"
#
#rdr-anchor "ftp-proxy/*"

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in

pass out keep state

#block drop  in on $ext_if proto tcp from 192.168.1.100  \
#   to $ext_if port 21

block in log quick on $ext_if proto tcp from 192.168.1.254 to any port { 113, 139, 445 }
pass in on $ext_if proto tcp from 192.168.1.254 to any port { 21, 3:30005 }

#pass in on $ext_if proto {tcp, udp} from 192.168.1.100 to any port { 111, 2049 }
pass in on $ext_if proto { tcp, udp } from 192.168.1.0/24 to any port { 137, 138, 139, 445 }
pass in on $ext_if proto { tcp, udp } from any to any port { 53 }
block in log quick on $ext_if proto tcp from 77.232.66.61 to any port { 21, 3:30005 }
#block in log quick on $ext_if proto {tcp, udp} from 192.168.1.100 to any port ftp
#block out on $ext_if proto tcp from 192.168.1.100 \ to $ext_if port 80
#block in quick on fxp0 proto tcp from any to 192.168.1.100 port ftp
#anchor "ftp-proxy/*"
#set block-policy  return

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
#
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state


pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

Thank you


-- 
View this message in context: 
http://www.nabble.com/OpenBSD-4.1NAT-%2B-ttl%3D0-trouble-tp14463336p14468697.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: OpenBSD 4.1 - NAT + ttl=0 trouble

2007-12-22 Thread Stuart Henderson
I didn't give you rules to try, I was pointing out that you had
a problem because you had conflicting scrub rules.

Since you didn't include pf.conf I can't make any suggestions about
exactly what is conflicting, but if you look through it you'll find
some other scrub rules which you need to remove or re-order.


On 2007/12/22 00:49, gentoo1 wrote:
> Stuart Henderson wrote:
> > 
> > On 2007/12/21 14:13, gentoo1 wrote:
> >> I put this in my pf.conf but ttl is still zero.:
> >> 
> >> scrub out on $ext_if min-ttl 10
> >> 
> >> scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
> > 
> > You've got some other scrub rules:
> > 
> >> scrub in all fragment reassemble
> >> scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> >> scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> >> scrub in on fxp0 all no-df fragment reassemble
> >> scrub on fxp0 all reassemble tcp fragment reassemble
> > 
> > It looks like the first matching scrub rule wins, so you need to
> > remove/re-order some of the others.
> > 
> > 
> > 
> 
> Thank you Stuart for your kind reply!
> OK. I try your rules, but ttl is still zero. First I set these rules in my
> pf.conf, then I flush all tables and start pf again. 
> 
> mars:~# pfctl -sr
> scrub in all fragment reassemble
> scrub in all fragment reassemble
> scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub in on fxp0 all no-df fragment reassemble
> scrub on fxp0 all reassemble tcp fragment reassemble
> ..
> 
> mars:~#   ping openbsd.org
> PING openbsd.org (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=0 time=207.995 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=0 time=208.266 ms
> 
> :(
> 
> So any other ideas?
> Thanks



Re: OpenBSD 4.1 - NAT + ttl=0 trouble

2007-12-22 Thread gentoo1
Stuart Henderson wrote:
> 
> On 2007/12/21 14:13, gentoo1 wrote:
>> I put this in my pf.conf but ttl is still zero.:
>> 
>> scrub out on $ext_if min-ttl 10
>> 
>> scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
> 
> You've got some other scrub rules:
> 
>> scrub in all fragment reassemble
>> scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
>> scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
>> scrub in on fxp0 all no-df fragment reassemble
>> scrub on fxp0 all reassemble tcp fragment reassemble
> 
> It looks like the first matching scrub rule wins, so you need to
> remove/re-order some of the others.
> 
> 
> 

Thank you Stuart for your kind reply!
OK. I try your rules, but ttl is still zero. First I set these rules in my
pf.conf, then I flush all tables and start pf again. 

mars:~# pfctl -sr
scrub in all fragment reassemble
scrub in all fragment reassemble
scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
scrub in on fxp0 all no-df fragment reassemble
scrub on fxp0 all reassemble tcp fragment reassemble
..

mars:~#   ping openbsd.org
PING openbsd.org (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=0 time=207.995 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=0 time=208.266 ms

:(

So any other ideas?
Thanks


-- 
View this message in context: 
http://www.nabble.com/OpenBSD-4.1NAT-%2B-ttl%3D0-trouble-tp14463336p14467410.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: OpenBSD 4.1 - NAT + ttl=0 trouble

2007-12-21 Thread Stuart Henderson
On 2007/12/21 14:13, gentoo1 wrote:
> I put this in my pf.conf but ttl is still zero.:
> 
> scrub out on $ext_if min-ttl 10
> 
> scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400

You've got some other scrub rules:

> scrub in all fragment reassemble
> scrub in on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub out on fxp0 all min-ttl 15 max-mss 1400 fragment reassemble
> scrub in on fxp0 all no-df fragment reassemble
> scrub on fxp0 all reassemble tcp fragment reassemble

It looks like the first matching scrub rule wins, so you need to
remove/re-order some of the others.