Re: ipf rules not working; is binat the solution?
Ouch, let's try that again with the line wrap set to a more reasonable value. Sorry!

Here is my pf.conf file. Some things are working -- like access to the internet from within the network. Other things, like external access to the web sites, and incoming email, are not working. Outgoing email and pings are working. I'm thinking the problems are most likely in the NAT section, labeled as problematic below.

# note: real external IP address has been replaced with 999.999.999
# real internal IP addresses have not been changed.

eif="dc0"                       # external interface, routes 999.999.999.226-230
iif="dc1"                       # internal interface, 192.168.0.230
external_net="999.999.999.224"  # external network (/29)
internal_net="192.168.0.224"    # internal network (/29)
eipc="999.999.999.226"          # foo.com (not its real name) web site, external address
eipa="999.999.999.227"          # bar.com (not its real name) web site, external address
eipf="999.999.999.229"          # firewall, external address
iipc="192.168.0.226"            # foo.com web site, internal address
iipa="192.168.0.227"            # bar.com web site, internal address
iipf="192.168.0.229"            # firewall, internal address
fssaks="flags S/SA keep state"
unrouteable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
               192.168.0.0/16, 255.255.255.255/32 }"

# normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub out all
scrub in all

# THIS SECTION IS TOTALLY BROKEN -- CLUES WELCOME!
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1

# make ftp clients work ??? very iffy.
nat on $eif from $internal_net/29 to any -> $eipf port ftp

# make everything else work
# what is this? is 226/29 right, or should it be 224/29? or would 0/24 work?
nat on $eif from $internal_net/29 to any -> $eipf

# this gives "expands to multiple ips of same family" error
#binat on $eif from $iipc to $eipc -> $eif
#binat on $eif from $iipa to $eipa -> $eif

# the author likes this
#binat on $eif from $iipc to any -> $eipc
#binat on $eif from $iipa to any -> $eipa

# the man page likes this
#binat on $eif from $iipa to any -> ($iif)

# END OF BROKEN SECTION -- I HOPE!
#
# foo.com web, mail, ssh
rdr on $iif proto tcp from any to $eipc/32 port 80 -> $iipc port 8080
rdr on $iif proto tcp from any to $eipc/32 port 25 -> $iipc port 25
rdr on $iif proto tcp from any to $eipc/32 port 22 -> $iipc port 22

# bar.com web, mail, ssh
rdr on $iif proto tcp from any to $eipa/32 port 80 -> $iipa port 8090
rdr on $iif proto tcp from any to $eipa/32 port 25 -> $iipa port 25
rdr on $iif proto tcp from any to $eipa/32 port 22 -> $iipa port 22

# filter rules
antispoof for lo0
antispoof for dc0 inet
antispoof for dc1 inet

block out log all
block in log all
block return-rst in log inet proto tcp all
block return-rst out log inet proto tcp all
block return-icmp in log inet proto udp all
block return-icmp out log inet proto udp all

# block packets from or to unrouteable addresses
block in log quick on $eif from $unrouteable to any
block out log quick on $eif from any to $unrouteable

# by default, block all incoming packets, except those explicitly
# allowed by further rules.
block in log on $eif all

# for www connections from the outside
pass in log quick on $eif proto tcp from any to $iipc port 8080 $fssaks
pass in log quick on $eif proto tcp from any to $iipa port 8090 $fssaks

# for mail connections from the outside
pass in quick on $eif inet proto tcp from any to $eipc port 25 $fssaks
pass in quick on $eif inet proto tcp from any to $eipa port 25 $fssaks

# for ident connections from the outside
pass in quick on $eif proto tcp from any to $eipc port 113 $fssaks
pass in quick on $eif proto tcp from any to $eipa port 113 $fssaks

# ident on firewall
pass in quick on $eif proto tcp from any to $eipf port 113 $fssaks

# pass ssh, plus locally originating outgoing traffic
pass in on $eif inet proto tcp from any to $eif port 22 $fssaks

# deal with outgoing traffic
block out on $eif all
pass in quick on { lo0, $iif } all
pass out quick on { lo0, $iif } all
pass out on $eif inet proto tcp all $fssaks
pass out on $eif inet proto { udp, icmp } all keep state

# block attempts to 1) access our network; 2) broadcast; 3) fingerprint
block in log quick on $eif from any to { 999.999.999.0/32, $external_net/32 }
block in log quick on $eif from any to { 999.999.999.231/32, 999.999.999.255/32 }
block in log quick on $eif inet proto tcp all flags FUP/FUP

__
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com
Re: ipf rules not working; is binat the solution?
Here is my pf.conf file. Some things are working -- like access to the internet from within the network. Other things, like external access to the web sites, and incoming email, are not working. Outgoing email and pings are working. I'm thinking the problems are most likely in the NAT section, labeled as problematic below.

# note: real external IP address has been replaced with 999.999.999
# real internal IP addresses have not been changed.

eif="dc0"                       # external interface, routes 999.999.999.226-230
iif="dc1"                       # internal interface, 192.168.0.230
external_net="999.999.999.224"  # external network (/29)
internal_net="192.168.0.224"    # internal network (/29)
eipc="999.999.999.226"          # foo.com (not its real name) web site, external address
eipa="999.999.999.227"          # bar.com (not its real name) web site, external address
eipf="999.999.999.229"          # firewall, external address
iipc="192.168.0.226"            # foo.com web site, internal address
iipa="192.168.0.227"            # bar.com web site, internal address
iipf="192.168.0.229"            # firewall, internal address
fssaks="flags S/SA keep state"
unrouteable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
               192.168.0.0/16, 255.255.255.255/32 }"

# normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub out all
scrub in all

# THIS SECTION IS TOTALLY BROKEN -- CLUES WELCOME!
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1

# make ftp clients work ??? very iffy.
nat on $eif from $internal_net/29 to any -> $eipf port ftp

# make everything else work
# what is this? is 226/29 right, or should it be 224/29? or would 0/24 work?
nat on $eif from $internal_net/29 to any -> $eipf

# this gives "expands to multiple ips of same family" error
#binat on $eif from $iipc to $eipc -> $eif
#binat on $eif from $iipa to $eipa -> $eif

# the author likes this
#binat on $eif from $iipc to any -> $eipc
#binat on $eif from $iipa to any -> $eipa

# the man page likes this
#binat on $eif from $iipa to any -> ($iif)

# temporarily disable portmapping
#nat on $eif from $external_net/29 to any -> $eipf/32

# END OF BROKEN SECTION -- I HOPE!
#
# foo.com web, mail, ssh
rdr on $iif proto tcp from any to $eipc/32 port 80 -> $iipc port 8080
rdr on $iif proto tcp from any to $eipc/32 port 25 -> $iipc port 25
rdr on $iif proto tcp from any to $eipc/32 port 22 -> $iipc port 22

# bar.com web, mail, ssh
rdr on $iif proto tcp from any to $eipa/32 port 80 -> $iipa port 8090
rdr on $iif proto tcp from any to $eipa/32 port 25 -> $iipa port 25
rdr on $iif proto tcp from any to $eipa/32 port 22 -> $iipa port 22

# filter rules
antispoof for lo0
antispoof for dc0 inet
antispoof for dc1 inet

block out log all
block in log all
block return-rst in log inet proto tcp all
block return-rst out log inet proto tcp all
block return-icmp in log inet proto udp all
block return-icmp out log inet proto udp all

# block packets from or to unrouteable addresses
block in log quick on $eif from $unrouteable to any
block out log quick on $eif from any to $unrouteable

# by default, block all incoming packets, except those explicitly
# allowed by further rules.
block in log on $eif all

# for www connections from the outside
pass in log quick on $eif proto tcp from any to $iipc port 8080 $fssaks
pass in log quick on $eif proto tcp from any to $iipa port 8090 $fssaks

# for mail connections from the outside
pass in quick on $eif inet proto tcp from any to $eipc port 25 $fssaks
pass in quick on $eif inet proto tcp from any to $eipa port 25 $fssaks

# for ident connections from the outside
pass in quick on $eif proto tcp from any to $eipc port 113 $fssaks
pass in quick on $eif proto tcp from any to $eipa port 113 $fssaks

# ident on firewall
pass in quick on $eif proto tcp from any to $eipf port 113 $fssaks

# pass ssh, plus locally originating outgoing traffic
pass in on $eif inet proto tcp from any to $eif port 22 $fssaks

# deal with outgoing traffic
block out on $eif all
pass in quick on { lo0, $iif } all
pass out quick on { lo0, $iif } all
pass out on $eif inet proto tcp all $fssaks
pass out on $eif inet proto { udp, icmp } all keep state

# block attempts to 1) access our network; 2) broadcast; 3) fingerprint
block in log quick on $eif from any to { 999.999.999.0/32, $external_net/32 }
block in log quick on $eif from any to { 999.999.999.231/32, 999.999.999.255/32 }
block in log quick on $eif inet proto tcp all flags FUP/FUP
ipf rules not working; is binat the solution?
Can anybody point me to a sample pf.conf file that would cover the following scenario? My old rules from ipfilter and ipnat don't seem to be working.

I have an OpenBSD box as a firewall/router between the outside and a single PC on the inside hosting two web sites on different addresses and ports. The way it was working with ipf (and the way I would like it to continue working, so I don't have to change my httpd.conf file -- not wanting to break more than one thing at a time) is that incoming requests to foo.com:80 were redirected to 192.168.0.1:8080 and those to bar.com:80 were redirected to 192.168.0.2:8090. This has worked fine for me with ipf. And all outgoing connections from inside were given the same IP address, that of the external interface on the gateway.

Is what I describe an application of binat? I'm confused about what binat is for but am wondering if binat is what I need since the old ipf rules aren't working.

The documentation online is frustrating -- a lot of it has been written before the integration of pf.conf and nat.conf, apparently; there is exactly one example of binat in the pf.conf man page, and it is a pretty unenlightening example; also, NAT is covered after filtering in the man page, when in fact one needs to understand and configure NAT in pf.conf *before* the filtering configuration, if both are used; the HOWTO doesn't mention binat, and says this is how to load the rule set:

pfctl -R /etc/pf.conf

What that line does is load the filtering rules, and ignore the NAT rules -- but the HOWTO doesn't say that. Then again, I am confused, so maybe I'm also wrong -- any corrections would be appreciated!

Sorry about the rant. I understand things are evolving and the documents need time to catch up, so my whining about the documents is not just meant as a complaint, but more to say yes, I have tried to read the fine manual. Hopefully the manuals will be even more fine soon.

So in the meantime is there anyone running a similar setup who would be willing to share the NAT part of your rule set? I've scoured the PF part of my rules pretty well and they seem OK. Am happy to post them if that would help...
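The ruleset below is an added example written for this page; it is not from any message in the thread. It shows the nat + rdr arrangement the question describes. binat is not the tool for it: binat maps one internal address to one external address in both directions without touching ports, while this setup has to turn port 80 into 8080 and 8090, which only rdr can do. The macro names and the 999.999.999.x placeholder addresses are taken from the pf.conf posted in the follow-ups earlier on this page; the example assumes the web server listens on the internal addresses in that file (192.168.0.226 and .227) rather than the .1/.2 addresses in the question, and that dc0 carries several public addresses, as that file says.

```pf
# Added example (editor's, not from the thread): pf.conf for one firewall
# in front of two web hosts on separate public addresses, OpenBSD 3.2 era.
eif="dc0"                       # external interface, carries 999.999.999.226-230
iif="dc1"                       # internal interface
internal_net="192.168.0.224/29"
eipc="999.999.999.226"          # foo.com, external
eipa="999.999.999.227"          # bar.com, external
eipf="999.999.999.229"          # firewall, external
iipc="192.168.0.226"            # foo.com, internal (assumed from the posted file)
iipa="192.168.0.227"            # bar.com, internal (assumed from the posted file)

scrub in all

# Translation rules come before filter rules: pf translates first, filters second.

# Outbound: everything inside leaves with the firewall's own public address.
# dc0 has several addresses, so name one explicitly; "-> $eif" or "-> ($eif)"
# expands to all of them and pf rejects the rule.
nat on $eif from $internal_net to any -> $eipf

# Inbound: rdr matches on the interface the packet ARRIVES on, i.e. dc0.
# A rdr on dc1 never sees a packet from the internet and never fires.
rdr on $eif proto tcp from any to $eipc port 80 -> $iipc port 8080
rdr on $eif proto tcp from any to $eipc port 25 -> $iipc port 25
rdr on $eif proto tcp from any to $eipa port 80 -> $iipa port 8090
rdr on $eif proto tcp from any to $eipa port 25 -> $iipa port 25

# Filter rules see the packet AFTER translation, so the pass rules on $eif
# name the internal address and the redirected port, never $eipc/$eipa.
block in log on $eif all
block out log on $eif all

pass in on $eif inet proto tcp from any to $iipc port 8080 flags S/SA keep state
pass in on $eif inet proto tcp from any to $iipa port 8090 flags S/SA keep state
pass in on $eif inet proto tcp from any to $iipc port 25   flags S/SA keep state
pass in on $eif inet proto tcp from any to $iipa port 25   flags S/SA keep state

# LAN-originated traffic: nat rewrites it on the way out, the state created
# here lets the replies back in.
pass out on $eif inet proto tcp all flags S/SA keep state
pass out on $eif inet proto { udp, icmp } all keep state

# Inside and loopback are trusted in this example.
pass in  quick on { lo0, $iif } all
pass out quick on { lo0, $iif } all

# If a host needs no port change at all, one binat line replaces both its nat
# and its rdr entries (1:1, both directions, ports untouched):
#   binat on $eif from $iipc to any -> $eipc
```

Check the file with pfctl -nf /etc/pf.conf and load it with pfctl -f /etc/pf.conf; -R loads only the filter section and -N only the translation section, which is the behaviour the question describes for the HOWTO's command. Two details in the posted file are worth comparing against this example: its rdr rules are attached to $iif, although the packets to be redirected enter on $eif, and its port 25 pass rules name $eipc and $eipa, although by the time the filter runs the packet is addressed to $iipc or $iipa.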
RE: Lost DNS after upgrade to 3.2 -- FIXED
Okay, I figured it out. This time around, I did dhcp configuration, then went back and manually configured networking. /etc/mygate didn't exist with my gateway, so my gateway wasn't reachable, hence neither was DNS or any outside locations.

Thanks for listening -- I hope this enables someone else to avoid this simple error.

***
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: Adam Getchell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Lost DNS after upgrade to 3.2

Hi all,

I upgraded my NAT firewall from OpenBSD 3.1 to OpenBSD 3.2. Everything seems to work except DNS! (I've made macro substitutions for real addresses)

The clients are set up to get the NAT firewall as the gateway. Pinging our local DNS server returns:

Reply from $NAT_public_ip: Destination host unreachable

gateway# cat hostname.fxp0
inet $NAT_public_ip 0xff00 NONE
inet alias $bdc_public_ip 0xff00 NONE
inet alias $hapkido_public_ip 0xff00 NONE

gateway# cat hostname.fxp1
inet $NAT_private_ip 0xff00 NONE

gateway# pfctl -ss
tcp $hapkido_private_ip:1990 -> $hapkido_public_ip:1990 -> server1:1059 ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:2020 -> $hapkido_public_ip:2020 -> server2:22 ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:1995 -> $hapkido_public_ip:1995 -> server3:139 ESTABLISHED:ESTABLISHED

I set no filter rules, just defined nat and two binats (with aliases on the external addresses for replies) for fixed addresses.

/etc/pf.conf
ext_if = "fxp0"
int_if = "fxp1"
(other macros)

nat on $ext_if from $private_ip_range to any -> $NAT_public_ip
binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
binat on $ext_if from $hapkido_private_ip to any -> $hapkido_public_ip

# filter rules
# the implicit first two rules are
# pass in all
# pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state
# log blocked packets
# block in log all
# pass in on ext0 proto tcp from any to ext0 port 22 keep state
# pass out on ext0 proto { tcp, udp } all keep state

It's mostly working, so it's something subtle ...

***
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
Lost DNS after upgrade to 3.2
Hi all,

I upgraded my NAT firewall from OpenBSD 3.1 to OpenBSD 3.2. Everything seems to work except DNS! (I've made macro substitutions for real addresses)

The clients are set up to get the NAT firewall as the gateway. Pinging our local DNS server returns:

Reply from $NAT_public_ip: Destination host unreachable

gateway# cat hostname.fxp0
inet $NAT_public_ip 0xff00 NONE
inet alias $bdc_public_ip 0xff00 NONE
inet alias $hapkido_public_ip 0xff00 NONE

gateway# cat hostname.fxp1
inet $NAT_private_ip 0xff00 NONE

gateway# pfctl -ss
tcp $hapkido_private_ip:1990 -> $hapkido_public_ip:1990 -> server1:1059 ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:2020 -> $hapkido_public_ip:2020 -> server2:22 ESTABLISHED:ESTABLISHED
tcp $hapkido_private_ip:1995 -> $hapkido_public_ip:1995 -> server3:139 ESTABLISHED:ESTABLISHED

I set no filter rules, just defined nat and two binats (with aliases on the external addresses for replies) for fixed addresses.

/etc/pf.conf
ext_if = "fxp0"
int_if = "fxp1"
(other macros)

nat on $ext_if from $private_ip_range to any -> $NAT_public_ip
binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
binat on $ext_if from $hapkido_private_ip to any -> $hapkido_public_ip

# filter rules
# the implicit first two rules are
# pass in all
# pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state
# log blocked packets
# block in log all
# pass in on ext0 proto tcp from any to ext0 port 22 keep state
# pass out on ext0 proto { tcp, udp } all keep state

It's mostly working, so it's something subtle ...

***
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
Re: altq, pf and ipsec?
On Wed, Nov 20, 2002 at 12:59:23PM +1300, Nicholas Lee wrote:
> On Wed, Nov 20, 2002 at 12:38:46AM +0100, Philipp Buehler wrote:
> > well, your ipsec is going to an IP, queue on this:
> > pass out on $ext_phy_if inet proto 50 from $yours $others queue ipsec
>
> That queues the traffic, what about the traffic carried within the tunnel?

Right. For instance if I'm doing voice & data over the same ipsec tunnel, I want to be able to give priority to the voice.

(FWIW, the Lucent AccessPoint's CBQ implementation allows you to set up a queue on its equivalent of enc0)

-Ryan
Re: altq, pf and ipsec?
On 20/11/2002, Nicholas Lee <[EMAIL PROTECTED]> wrote To Philipp Buehler:
> Ah, so traffic goes like physical if -> out bound enc if -> ipsec tunnel
> -> inbound enc if -> phys if.

no. boot brain.

> So we can 'altq' traffic bound for the ipsec tunnel by filtering on dstn
> ip and physical if that traffic has to leave on?
>
> > well, your ipsec is going to an IP, queue on this:
> > pass out on $ext_phy_if inet proto 50 from $yours $others queue ipsec
>
> That queues the traffic, what about the traffic carried within the tunnel?

well *heck*, YOU KNOW YOUR DESTINATIONS. write rules for it.

pass in on $int from $Lan to $otherlan port $fuckit queue $bleargh

and just tune your queue parameters to match your requirements and the maximum of external uplink.

no, you cannot "peek" into ipsec packets on the outside, this would reverse about anything ever introduced by ipsec. get it.

so just say "ok, 2Mb for ipsec on $ext is maximum, any subqueues go to $int" .. period.
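The configuration below is an added example written for this page, not part of any message in the thread, that puts the two answers above into one ruleset: the ESP stream as a whole is queued on the external interface, and the traffic that comes out of the tunnel is prioritised on the internal interface, where pf sees it as plain IP again. Whether a queue assigned to a cleartext packet on the internal interface survives ESP encapsulation on its way out is exactly what the thread leaves open, so the example does not depend on it; it only classifies packets on the physical interface they actually leave on. The queue syntax follows the cbq example posted in the "altq and pf" thread further down this page (the form current at the time). The interface names, networks, the peer address 203.0.113.5, the 2Mb uplink figure and the SIP port are assumptions for illustration.

```pf
# Added example (editor's, not from the thread): altq for an IPsec tunnel,
# using the cbq syntax shown in the "altq and pf" thread on this page.
ext_if="dc0"
int_if="dc1"
lan="192.168.10.0/24"           # our side of the tunnel (assumed)
otherlan="192.168.20.0/24"      # remote side of the tunnel (assumed)
peer="203.0.113.5"              # remote IPsec gateway (assumed)
voice_ports="5060"              # SIP signalling; add the RTP range in use (assumed)

# Outbound side: the whole tunnel leaves $ext_if as one ESP flow to $peer.
# Nothing inside it can be told apart here, and that is the point of ESP,
# so the only decision possible is how much of the uplink ESP may take and
# with what priority relative to everything else.
altq on $ext_if scheduler cbq bandwidth 2Mb queue { deflt, ipsec }
queue deflt bandwidth 30% priority 0 cbq(default)
queue ipsec bandwidth 70% priority 3

pass out on $ext_if inet proto esp from any to $peer keep state queue ipsec

# Inbound side: after decryption the packets are ordinary IP and leave on
# $int_if, so this is where voice can be put ahead of bulk data. A rule on
# $int_if matches them by the inner addresses and ports.
altq on $int_if scheduler cbq bandwidth 10Mb queue { lan_deflt, voice, tunnel_data }
queue lan_deflt   bandwidth 60% priority 0 cbq(default)
queue voice       bandwidth 10% priority 7 cbq(borrow)
queue tunnel_data bandwidth 30% priority 2

pass out on $int_if inet proto udp from $otherlan to $lan port $voice_ports keep state queue voice
pass out on $int_if inet from $otherlan to $lan keep state queue tunnel_data
```

The asymmetry is deliberate: on $ext_if the ESP packets are opaque, so the rule keys on the protocol and the peer; on $int_if the decrypted packets are transparent, so the rules key on the inner flows. If the remote side runs the mirror image of this, each gateway prioritises the direction it can see.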
Re: altq, pf and ipsec?
On Wed, Nov 20, 2002 at 12:38:46AM +0100, Philipp Buehler wrote:
> On 20/11/2002, Nicholas Lee <[EMAIL PROTECTED]> wrote To Philipp Buehler:
> > > you know your destinations.. no need for "special support"
> >
> > True enough. However last time I actually tried to attach an altq queue
> > to enc0 it didn't work. tbrconfig applied but the interface stopped working.
>
> physical if's

Ah, so traffic goes like physical if -> out bound enc if -> ipsec tunnel -> inbound enc if -> phys if.

So we can 'altq' traffic bound for the ipsec tunnel by filtering on dstn ip and physical if that traffic has to leave on?

> well, your ipsec is going to an IP, queue on this:
> pass out on $ext_phy_if inet proto 50 from $yours $others queue ipsec

That queues the traffic, what about the traffic carried within the tunnel?

Nicholas
Re: altq, pf and ipsec?
On 20/11/2002, Nicholas Lee <[EMAIL PROTECTED]> wrote To Philipp Buehler:
> > you know your destinations.. no need for "special support"
>
> True enough. However last time I actually tried to attach an altq queue
> to enc0 it didn't work. tbrconfig applied but the interface stopped working.

physical if's

> Things are changing rapidly and I might have missed something in the
> documentation showing how to do it correctly.

well, your ipsec is going to an IP, queue on this:

pass out on $ext_phy_if inet proto 50 from $yours $others queue ipsec
Re: altq, pf and ipsec?
On Tue, Nov 19, 2002 at 11:27:46PM +0100, Philipp Buehler wrote:
> you know your destinations.. no need for "special support"

True enough. However last time I actually tried to attach an altq queue to enc0 it didn't work. tbrconfig applied but the interface stopped working.

Things are changing rapidly and I might have missed something in the documentation showing how to do it correctly.

Nicholas
Re: altq, pf and ipsec?
On 19/11/2002, Nicholas Lee <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> Is there going to be a mechanism to use altq/pf to manage bandwidth
> flows for ipsec data? Before encryption on the enc0 similar to packet
> filtering seems like the best method.

you know your destinations.. no need for "special support"
altq, pf and ipsec?
Is there going to be a mechanism to use altq/pf to manage bandwidth flows for ipsec data? Before encryption on the enc0, similar to packet filtering, seems like the best method.

Nicholas
Re: dynamically changing pf rules
On Tue, Nov 19, 2002 at 12:03:45PM +, Dan Heaver wrote:
> Where would I have to look to dynamically change nat rules in pf ?

I also have patches to pfctl to allow you to change rules, which I hope to review and submit in a week or two. Email me off-list if you want my current work, which I have for OpenBSD 3.1, and 3.2-current as of a few days ago.

- deej

--
Daniel (DJ) Gregor
OSU Network Security Group
http://www.net.ohio-state.edu/security/
Re: Scrub and fragments
On Tue, 19 Nov 2002 12:38:15 +0100, Daniel Hartmeier wrote:
> On Tue, Nov 19, 2002 at 12:27:41PM +0100, [EMAIL PROTECTED] wrote:
>
> > come on, spend a second on it. fragmented packets with the don't fragment
> > bit set are invalid. that's so obvious.
>
> Well, there's the case where fragments can be fragmented further, the
> RFCs support that. The question is whether anyone would sanely set the
> DF bit on a fragment to prevent _further_ fragmentation.

Well, they can, but then they'd be stupid:

    An internet datagram can be marked "don't fragment." Any internet
    datagram so marked is not to be internet fragmented under any
    circumstances. (RFC 791)

A fragment is fragmented; ergo, it cannot be marked don't fragment.

One could argue that the "be liberal in what you accept and conservative in what you send" rule implies that you should accept fragments with DF set, but the potential for a host system to misinterpret such datagrams makes me unwilling to agree.

--
Kyle R. Hofmann <[EMAIL PROTECTED]>
Re: dynamically changing pf rules
On Tue, Nov 19, 2002 at 12:03:45PM -, Dan Heaver wrote:
> Hi, I'm currently pondering a solution for one of our clients using openbsd
> / pf as the building blocks that hold the solution together and would value
> people's opinion on the idea.
>
> Basically this is the set up I want to implement
>
> I want to have an openbsd box in front of two Solaris boxes (these boxes are
> already in place and serving a live website) that nat's a public ip address
> to one of the boxes, I then want to write a daemon that monitors services on
> the Solaris and dynamically changes the nat to point to the second box should
> it deem that one of the services has failed.
>
> Does this sound feasible ?
> Where would I have to look to dynamically change nat rules in pf ?

Yes, you could do it writing a custom program (daemon) that:

1) Monitors services.
2) Changes the NAT rules via /dev/pf ioctl's ( man pf ).

Sounds pretty easy if you have knowledge of the C language.

I've been working with pf ioctl's for a while on a project currently owned by the company I work for, so I can't open the sources, but if you have problems with it make contact with me at [EMAIL PROTECTED]

Regards.

> Regards
> Dan
>
> This e-mail has been scanned for all viruses by Star Internet. The
> service is powered by MessageLabs. For more information on a proactive
> anti-virus service working around the clock, around the globe, visit:
> http://www.star.net.uk

--
Hector A. Paterno
Re: altq and pf
On 19/11/2002, Jason Dixon <[EMAIL PROTECTED]> wrote To Philipp Buehler:
> There's also some good stuff here:
> http://www.muine.org/~hoang/openpf.html#qos

no, the syntax is subliminally different
Re: altq and pf
There's also some good stuff here:

http://www.muine.org/~hoang/openpf.html#qos

-J.

On Tue, 2002-11-19 at 08:37, Philipp Buehler wrote:
> On 19/11/2002, Stefan Sonnenberg-Carstens <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > Can some of you hackers show us some examples of the syntax style ?
>
> look into latest pf.conf.5 on CVS, just committed the BNF
> more 'talk' in cvs soon
>
> example:
> ext_if = "lo0"
>
> altq on $ext_if scheduler cbq bandwidth 10Mb queue { deflt, http, ssh, mail }
> queue deflt bandwidth 10% priority 0 cbq(default ecn)
> queue http bandwidth 50% priority 5 cbq(red, ecn) \
>       queue { http_vhosts, http_cust1 }
> queue http_vhosts bandwidth 40%
> queue http_cust1 bandwidth 1Mb
> queue mail bandwidth 10% priority 1
> queue ssh bandwidth 100Kb priority 7 cbq(borrow)
>
> pass in on $ext_if inet proto tcp from any to $web port 80 keep state queue http
> pass in on $ext_if inet proto tcp from any to $webvhost port 80 keep state queue http_vhosts
> pass in on $ext_if inet proto tcp from any to $webcust port 80 keep state queue http_cust1
> pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
> pass in on $ext_if inet proto tcp from any to any port 25 keep state queue mail
Re: altq and pf
On Tue, Nov 19, 2002 at 02:27:14PM +0100, Stefan Sonnenberg-Carstens wrote:
> Can some of you hackers show us some examples of the syntax style ?

I'll add an example to the tree soonish.

and trim your .sig please ;-)
Re: altq and pf
On 19/11/2002, Stefan Sonnenberg-Carstens <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> Can some of you hackers show us some examples of the syntax style ?

look into latest pf.conf.5 on CVS, just committed the BNF
more 'talk' in cvs soon

example:

ext_if = "lo0"

altq on $ext_if scheduler cbq bandwidth 10Mb queue { deflt, http, ssh, mail }
queue deflt bandwidth 10% priority 0 cbq(default ecn)
queue http bandwidth 50% priority 5 cbq(red, ecn) \
      queue { http_vhosts, http_cust1 }
queue http_vhosts bandwidth 40%
queue http_cust1 bandwidth 1Mb
queue mail bandwidth 10% priority 1
queue ssh bandwidth 100Kb priority 7 cbq(borrow)

pass in on $ext_if inet proto tcp from any to $web port 80 keep state queue http
pass in on $ext_if inet proto tcp from any to $webvhost port 80 keep state queue http_vhosts
pass in on $ext_if inet proto tcp from any to $webcust port 80 keep state queue http_cust1
pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
pass in on $ext_if inet proto tcp from any to any port 25 keep state queue mail
altq and pf
Can some of you hackers show us some examples of the syntax style ?

Stefan Sonnenberg-Carstens
RHCE & System/Network Administrator
CoolSpot AG
Am Albertussee 1
D-40549 Düsseldorf
Tel +211 50 66 1-0
Fax +211 50 66 1-11
http://www.coolspot.de
-
Management board: Roland Bongartz
Supervisory board: Dr. jur. Marco Picozzi (chairman), Prof. Dr.-Ing. Karl Friedrich Triebold, Heiko Hubertz
District Court Düsseldorf HRB 37696
dynamically changing pf rules
Hi, I'm currently pondering a solution for one of our clients using openbsd / pf as the building blocks that hold the solution together and would value people's opinion on the idea.

Basically this is the set up I want to implement:

I want to have an openbsd box in front of two Solaris boxes (these boxes are already in place and serving a live website) that nat's a public ip address to one of the boxes. I then want to write a daemon that monitors services on the Solaris and dynamically changes the nat to point to the second box should it deem that one of the services has failed.

Does this sound feasible ?
Where would I have to look to dynamically change nat rules in pf ?

Regards
Dan
Re: Scrub and fragments
--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 19, 2002 at 12:27:41PM +0100, [EMAIL PROTECTED] wrote:
>
> > nonetheless you can just "scrub in all no-df".
>
> That won't work for him, as the check in question happens before no-df
> is applied.
>
> Daniel

I take it that no-df works for 3.2, is that correct? I tried it on 3.1: the syntax is accepted but it doesn't seem to change anything.

Regards,
Dan
Re: Scrub and fragments
Thank you very much.

Dan.

--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 19, 2002 at 02:16:50AM -0800, Dan Moinescu wrote:
>
> > I don't think of it as giving in to one point of view or another. All I
> > really care about is for the box to work, regardless of whether the other
> > machines in the network are Linux, Windows or anything else for that
> > matter. So, could you please do me a favor and tell me what file that DF
> > check is performed in? That would save me from going through the kernel
> > sources to find it.
>
> /usr/src/sys/net/pf_norm.c > > --- pf_norm.c.origTue Nov 19 12:26:29 2002 > +++ pf_norm.c Tue Nov 19 12:26:52 2002 > @@ -835,12 +835,6 @@ > if (!fragoff && !mff) > goto no_fragment; > > - /* This can not happen */ > - if (h->ip_off & IP_DF) { > - DPFPRINTF(("IP_DF\n")); > - goto bad; > - } > - > ip_len = h->ip_len - hlen; > ip_off = h->ip_off << 3; > > Daniel
Re: Scrub and fragments
On Tue, Nov 19, 2002 at 12:27:41PM +0100, [EMAIL PROTECTED] wrote:
> come on, spend a second on it. fragmented packets with the don't fragment
> bit set are invalid. that's so obvious.

Well, there's the case where fragments can be fragmented further, the RFCs support that. The question is whether anyone would sanely set the DF bit on a fragment to prevent _further_ fragmentation.

You have to consider fragmentation of fragments in context of PMTU and then compare all of this to Linux NFS setting DF on all (unfragmented) packets, and the reasons they do that (which is not fragmentation of fragments at all).

> nonetheless you can just "scrub in all no-df".

That won't work for him, as the check in question happens before no-df is applied.

Daniel
Re: Scrub and fragments
On Tue, Nov 19, 2002 at 02:16:50AM -0800, Dan Moinescu wrote:
> I don't think of it as giving in to one point of view
> or another. All I really care about is for the box to
> work, regardless of whether the other machines in the
> network are Linux, Windows or anything else for that
> matter. So, could you please do me a favor and tell me
> what file that DF check is performed in?

the right place to fix is the linux kernel.

come on, spend a second on it. fragmented packets with the don't fragment bit set are invalid. that's so obvious.

nonetheless you can just "scrub in all no-df".
Re: Scrub and fragments
On Tue, Nov 19, 2002 at 02:16:50AM -0800, Dan Moinescu wrote: > I don't think of it as giving in to one point of view > or another. All I really care about is for the box to > work, regardless of whether the other machines in the > network are Linux, Windows or anything else for that > matter. So, could you please do me a favor and tell me > what file that DF check is performed in? That would > save me from going through the kernel sources to find > it. /usr/src/sys/net/pf_norm.c --- pf_norm.c.orig Tue Nov 19 12:26:29 2002 +++ pf_norm.c Tue Nov 19 12:26:52 2002 @@ -835,12 +835,6 @@ if (!fragoff && !mff) goto no_fragment; - /* This can not happen */ - if (h->ip_off & IP_DF) { - DPFPRINTF(("IP_DF\n")); - goto bad; - } - ip_len = h->ip_len - hlen; ip_off = h->ip_off << 3; Daniel
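Review bot: deleting the `if (h->ip_off & IP_DF)` block outright changes pf's default for every ruleset, when the poster only needed an opt-in; since, as Daniel says in the same thread, this check runs before the scrub rule's no-df option is applied, the narrower change in this hunk is to keep the test and skip it only when the matching scrub rule has no-df set, or to clear DF under no-df before execution reaches this point. Removing the block also removes the only `DPFPRINTF(("IP_DF\n"))` trace, so a DF-marked fragment that is now reassembled leaves nothing in the debug output; if the rejection goes, the print is worth keeping. The `/* This can not happen */` comment should go with the check either way, since the thread shows that it does happen (Linux NFS sets DF).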
Re: Scrub and fragments
> The bottom line, so far, is that they think using DF is a good idea,
> whereas we think it's not.
>
> You can remove the DF check, if you want to give in to Linux' point of
> view regarding this matter, but we won't change pf's default behavior
> based on the discussions so far.
>
> Daniel

I don't think of it as giving in to one point of view or another. All I really care about is for the box to work, regardless of whether the other machines in the network are Linux, Windows or anything else for that matter. So, could you please do me a favor and tell me what file that DF check is performed in? That would save me from going through the kernel sources to find it.

Thanks,
Dan.