Re: pf.conf: identifying a specific user from dhcpd-table
On 2018-10-10, Stefan Wollny wrote:
> I could assign a static address to this laptop and use this address
> setting up a specific rule for this one port. But this is not the way
> I'd prefer to go.

Note that, doing it this way, if the server's dynamic address changes, client connections will need to time out before they can reconnect and get redirected to the server's new address.

Would DHCP with fixed-address not work here?
Re: pf.conf: identifying a specific user from dhcpd-table
On Oct 10, 2018 10:23 AM, Paul de Weerd wrote:
>
> On Wed, Oct 10, 2018 at 10:17:21AM -0500, Edgar Pettijohn wrote:
> | When looking for pf info I generally just Google Peter Hansteen.
>
> So is Peter misnamed, should he be called Peter Fansteen, or is pf(4)
> misnamed, should it be ph(4)?
>

We should let him choose, but Peter fansteen has a nice ring to it.

Edgar

> *confused*
>
> Paul 'WEiRD' de Weerd
>
> SCNR
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
Re: pf.conf: identifying a specific user from dhcpd-table
On Wed, Oct 10, 2018 at 10:17:21AM -0500, Edgar Pettijohn wrote:
| When looking for pf info I generally just Google Peter Hansteen.

So is Peter misnamed, should he be called Peter Fansteen, or is pf(4) misnamed, should it be ph(4)?

*confused*

Paul 'WEiRD' de Weerd

SCNR

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: pf.conf: identifying a specific user from dhcpd-table
Edgar,

Sounds like you need to build an adaptive firewall. I would suggest starting with The Book of PF by Peter Hansteen. An excellent resource. That might be a good starting point for you as well. It has a good portion of the information on adaptive firewalls.

P.S. Thank you, Peter, for such a great book.

-bogdan

> On Oct 10, 2018, at 8:17 AM, Edgar Pettijohn wrote:
>
>
> On Oct 10, 2018 7:58 AM, "Peter N. M. Hansteen" wrote:
>>
>> On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
>>>
>>> I'd like to set up PF to forward this port (25565) without a pre-defined
>>> IP as macro as the dhcpd.conf has a line defining tables for abandoned
>>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>>> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
>>> examples.
>>>
>>> Do I have to tell PF about these tables in pf.conf? Or don't I need
>>> these tables at all?
>>
>> You do need to include the tables in your pf.conf. I'm a bit surprised
>> the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up in
>> your search.
>>
>> - P
>>
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>
> When looking for pf info I generally just Google Peter Hansteen.
>
> Edgar
>
Re: pf.conf: identifying a specific user from dhcpd-table
On Oct 10, 2018 7:58 AM, "Peter N. M. Hansteen" wrote:
>
> On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
> >
> > I'd like to set up PF to forward this port (25565) without a pre-defined
> > IP as macro as the dhcpd.conf has a line defining tables for abandoned
> > ("-A"), changed ("-C") and present leases ("-L"). According to man
> > dhcpd(8) those tables may be used with PF. But how??? I couldn't find
> > examples.
> >
> > Do I have to tell PF about these tables in pf.conf? Or don't I need
> > these tables at all?
>
> You do need to include the tables in your pf.conf. I'm a bit surprised
> the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up in
> your search.
>
> - P
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

When looking for pf info I generally just Google Peter Hansteen.

Edgar
Re: pf.conf: identifying a specific user from dhcpd-table
On 10.10.18 at 14:58, Peter N. M. Hansteen wrote:
> On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
>>
>> I'd like to set up PF to forward this port (25565) without a pre-defined
>> IP as macro as the dhcpd.conf has a line defining tables for abandoned
>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
>> examples.
>>
>> Do I have to tell PF about these tables in pf.conf? Or don't I need
>> these tables at all?
>
> You do need to include the tables in your pf.conf. I'm a bit surprised
> the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up in
> your search.
>
> - P
>

YES - this is exactly what I've been looking for! (I use Google via 'startpage.com' - maybe this makes a difference???)

Thank you very much, Peter.

BTW: Am I this blind that I overlooked this in your book??? I had it with me on the train yesterday but I didn't see this solution. Will take a 20th look tonight.

'Thank you' again for so much help here on the list, but as well for the fine book!

Best,
STEFAN
Re: pf.conf: identifying a specific user from dhcpd-table
On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
>
> I'd like to set up PF to forward this port (25565) without a pre-defined
> IP as macro as the dhcpd.conf has a line defining tables for abandoned
> ("-A"), changed ("-C") and present leases ("-L"). According to man
> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
> examples.
>
> Do I have to tell PF about these tables in pf.conf? Or don't I need
> these tables at all?

You do need to include the tables in your pf.conf. I'm a bit surprised the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up in your search.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
pf.conf: identifying a specific user from dhcpd-table
Hi there!

I've googled quite a while and read the FAQ and many man-pages - but I didn't find an example for my pf.conf (or simply overlooked it...):

The system is amd64-current. The client is a Win7 laptop serving as Minecraft server, thus port 25565 needs to be forwarded but the IP may change. I have set up OpenBSD as firewall-router serving additionally as dhcpd-server plus running a transparent squid. IP-forwarding is set in /etc/sysctl.

Basically everything is running fine, my users surf the net and send/receive mail. Just that the other kids cannot reach my son's Minecraft-server on the inside from the outside.

I could assign a static address to this laptop and use this address setting up a specific rule for this one port. But this is not the way I'd prefer to go.

I'd like to set up PF to forward this port (25565) without a pre-defined IP as macro as the dhcpd.conf has a line defining tables for abandoned ("-A"), changed ("-C") and present leases ("-L"). According to man dhcpd(8) those tables may be used with PF. But how??? I couldn't find examples.

Do I have to tell PF about these tables in pf.conf? Or don't I need these tables at all?

What would the syntax actually be for the dhcpd-client (e.g. 'enderman'), something like the following tries?

pass on $ext_if from $int_if:peer to any binat-to $ext_if port 25565

This is not specific to client 'enderman'... another try:

pass out on $ext_if inet from $int_if to any \
    nat-to enderman:peer static-port
pass in on $ext_if inet from any to $int_if rdr-to enderman:peer

This rule is not specific to port 25565, though.

Please help - I am pretty confused...

TIA.

Best,
STEFAN
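The lookup Stefan is after, as an added example that is not part of the thread: a sh script that reads dhcpd.leases(5), picks the newest non-abandoned lease for one client-hostname, and replaces the contents of a pf table with that single address via pfctl(8). It assumes a table named <minecraft> declared persist in pf.conf and referenced by the port 25565 rdr-to rule, and the client-hostname 'enderman'; the leases content below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find one DHCP client's current lease in
# dhcpd.leases(5) by client-hostname and load it into a pf table.
# Table name "minecraft" and host "enderman" are assumed names.

# Constructed sample dhcpd.leases(5) content. "enderman" first got .50 and
# later renewed at .73; dhcpd appends records, so the last one wins.
SAMPLE_LEASES='lease 192.168.1.50 {
	ends 3 2018/10/10 12:10:00;
	hardware ethernet 00:11:22:33:44:55;
	client-hostname "enderman";
}
lease 192.168.1.60 {
	ends 3 2018/10/10 12:11:00;
	hardware ethernet 00:11:22:33:44:66;
	client-hostname "creeper";
}
lease 192.168.1.73 {
	ends 3 2018/10/10 12:15:00;
	hardware ethernet 00:11:22:33:44:55;
	client-hostname "enderman";
}'

# lease_ip_for_host HOST < leases-file
# Prints the address of the newest non-abandoned lease whose client-hostname
# equals HOST; exits 1 when there is none, so nothing gets redirected blindly.
lease_ip_for_host() {
	awk -v h="$1" '
		$1 == "lease"           { ip = $2 }
		$1 == "abandoned;"      { ip = "" }
		$1 == "client-hostname" {
			gsub(/["; ]/, "", $2)
			if ($2 == h && ip != "") last = ip
		}
		END { if (last == "") exit 1; print last }'
}

# sync_table TABLE HOST < leases-file
# Replaces TABLE with HOST's current address via pfctl -T replace; with
# DRY_RUN=1 it only prints the command it would run.
sync_table() {
	ip=$(lease_ip_for_host "$2") || { echo "no lease for $2" >&2; return 1; }
	if [ "${DRY_RUN:-0}" = 1 ]; then
		echo "pfctl -t $1 -T replace $ip"
	else
		pfctl -t "$1" -T replace "$ip"
	fi
}
```

On the router this would be run as `sync_table minecraft enderman < /var/db/dhcpd.leases` whenever the lease may have changed, e.g. from cron; as the first reply in the thread notes, existing client connections still have to time out after the address moves.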