Re: Layer2 Filtering
Eric, man brconfig(8). You can tag packets based on hardware address and refer to them using the "tagged" directive in pf, or simply use rules directly with brconfig.

-- 
Chris Reining, GCFW, GCIA
[EMAIL PROTECTED]
http://packetfu.org

On Wed, Oct 20, 2004 at 05:59:51PM -0500, eric wrote:
> What's the method by which you folks filter layer 2 traffic? Some of my
> methods don't scale well (static arp entries, etc) and was curious to know
> if there was work being conducted in this area for pf, or any other BSD
> licensed goodies.
>
> Thanks.
>
> - Eric
Re: Layer2 Filtering
On Wed, 2004-10-20 at 18:59, eric wrote:
> What's the method by which you folks filter layer 2 traffic? Some of my
> methods don't scale well (static arp entries, etc) and was curious to know
> if there was work being conducted in this area for pf, or any other BSD
> licensed goodies.

man 8 brconfig

Check out the examples on creating rules. Especially nifty is the ability to tag packets at the bridge level and utilize those tags in your PF rules. Dunno if this qualifies as scalable though... maybe the rulefile ability adds scalability.

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Drinking coffee for instant relaxation? That's like drinking alcohol for
instant motor skills. -- Marc Price
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Altq priority question...
Heya,

I'm just starting to implement the queuing on my 768u/d DSL line. Upload queueing works perfectly, but the download one is weird... One queue (nntp_in) that has the lowest priority borrows from higher priority queues (std_in), so web download speeds are about 10kB/sec, while nntp goes at 50-60kB.

Here's my internal queue definition:

    altq on $int_if cbq bandwidth 750Kb queue { std_in, ssh_in, dns_in, nntp_in }
    queue std_in priority 2 cbq(default)
    queue ssh_in priority 4
    queue dns_in priority 5
    queue nntp_in bandwidth 200Kb priority 0 cbq(borrow red)

And assignment:

    block out on $int_if all
    pass out on $int_if from any to $internal_net queue std_in
    pass out on $int_if proto { tcp udp } from any port domain to $internal_net queue dns_in
    pass out on $int_if proto tcp from any port ssh to $internal_net queue (std_in, ssh_in)
    pass out on $int_if proto tcp from any port nntp to $internal_net queue nntp_in

Am I missing something? :)

Thanks in advance for your reply :)
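For comparison with the queue tree in the message above, here is an added example (not the poster's configuration) of the same four-queue cbq hierarchy with every child given an explicit bandwidth share that adds up to the parent's 750Kb. With explicit shares, "borrow" can only hand a queue capacity that a sibling is not currently using, so a low-priority queue cannot take more than its share while a higher-priority sibling is busy. The interface name and LAN range are assumptions.

```pf
# Added example: explicit cbq link-sharing on the internal interface.
# Interface name and LAN range below are constructed, not from the thread.
int_if       = "fxp1"
internal_net = "192.168.0.0/24"

# Parent: the inbound DSL rate, shaped as it leaves toward the LAN.
altq on $int_if cbq bandwidth 750Kb queue { std_in, ssh_in, dns_in, nntp_in }

# Shares sum to 750Kb. Priority decides who is served first when several
# queues are backlogged; "borrow" lets a queue use idle sibling capacity.
queue std_in  bandwidth 400Kb priority 2 cbq(default borrow)
queue ssh_in  bandwidth 100Kb priority 4 cbq(borrow)
queue dns_in  bandwidth  50Kb priority 5
queue nntp_in bandwidth 200Kb priority 0 cbq(borrow red)   # capped unless others idle

block out on $int_if all
pass out on $int_if from any to $internal_net queue std_in
pass out on $int_if proto { tcp, udp } from any port domain to $internal_net queue dns_in
# second queue of the pair takes low-delay packets (ACKs, TOS lowdelay)
pass out on $int_if proto tcp from any port ssh  to $internal_net queue (std_in, ssh_in)
pass out on $int_if proto tcp from any port nntp to $internal_net queue nntp_in
```

Load it with pfctl -f and watch the per-queue counters with pfctl -vs queue while the downloads run; the nntp_in counters should plateau near its share as soon as std_in has traffic. One caveat that no queue tree can remove: shaping on $int_if only orders packets the firewall has already received, so the DSL downlink itself was consumed before cbq saw the packet; the tree still works in practice because throttling the forwarding rate slows the TCP senders on the other end.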
Top 10 reasons IPTABLES is better than PF
10. Parsing IPTABLES config files is excellent preparation for subsequent learning of Asian pictograph-based languages.

9. Standard logging via syslogd helps eliminate clutter in /var/log.

8. GPL prevents Steve Jobs from stealing your code.

7. Simplistic man pages encourage development of social skills via mailing lists.

6. Multiple distributions, versions, kernels, modules, plugins, etc. keep hackers confused as to exactly what they're attacking.

5. Mangle just sounds so much more 133+ than Scrub.

4. Complexity of structure leads to more opportunities for obfuscation and subsequent job security.

3. New and experimental kernel modules make life exciting again.

2. GUI and Web based utilities mean that anyone can set one up without knowing what they're doing.

And the number one reason IPTABLES is better than PF:

1. No distracting arguments about whether to port it to OpenBSD.

-- 
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise. Are you sure you're doing it right?
- My Life With The Thrill Kill Kult
pf / pf.conf problem
This is a weird problem that took me a while to track down.

First off, I have 3 OpenBSD servers, 1 Linux machine, and a couple of Windows workstations on my network. My firewall running NAT is OpenBSD 3.5. It is doing NAT for the Linux and Windows computers. The other two OpenBSD servers are outside of the firewall, each running pf.

Now all of a sudden (it seemed this way) I could not maintain a session from a host behind the firewall to either of the two OpenBSD servers (all internet traffic was fine). What would happen if I tried to access my webserver (one of the two OpenBSD servers) is the page would start to load and only show about 1/3 of the page, then freeze. My other server (mail server) would not allow me to download my email via pop/imap, but looking at tcpdump I was able to fully log into the server. I could ssh to the server and hit enter a few times, but as soon as I did anything like ps axu it would freeze half way into the output.

Since I had not changed any of my pf.conf files in several months (server uptimes all were around 40-50 days) and I saw no signs of hacking (log files, mtree, etc) I was stumped. I tried moving my Linux machine outside the firewall and I had the same problem accessing the servers. I tried rebooting all of my servers and even my switch with no change. Then I started looking at my pf.conf rules and removing several at a time and figured out that there was one rule that was causing the whole problem.

Here is from one of my servers; the first pass in rule is the problem. As soon as I removed keep state there are no problems with anything, and when I add keep state back in, the problems return. What does this mean? What can I do? I mean, I guess I don't NEED keep state, but I would like to use it if possible. The hardware is adequate: 350MHz AMD and P2 450, 128MB RAM and 128MB RAM for my web and mail servers respectively.

    ExtIf=dc0
    Public={ 80, 21, 22 }

    scrub in all

    pass in log quick on $ExtIf inet proto tcp from any to any port $Public \
        keep state
    #pass in log quick on $ExtIf inet proto tcp from any to any port $Public
    block in log all label "block in all"
    pass out log quick on $ExtIf inet proto tcp all modulate state
    pass out log quick on $ExtIf inet proto udp all keep state
    pass out log quick on $ExtIf inet proto icmp all keep state
    pass in log quick on $ExtIf inet proto icmp all keep state

-- 
Public key http://www.krytosvirus.com/public.asc
pf, load-balancing attempt blocks incoming mail
Hello,

Having some trouble here with mail when I try to implement outbound load-balancing. I am following the example for outbound load balancing in the pf User's Guide. But I have changed it to be special for SMTP, to ensure that all mail is sent and received from the same IP which is advertised by DNS. I'll implement a more redundant solution after getting this working.

The problem is that the system can send mail, but cannot receive it. The mail server sees incoming messages but cannot send a response because its response is blocked at the private interface! It reports an error writing to the socket because the connection was reset by the other side. However, the mail server is capable of initiating an outgoing connection to send mail.

Any helpful explanation for the source of the problem or a way to debug it would be much appreciated.

George

--- pfctl -g -s all ... ---

    LABEL COUNTERS:
    Blocked in on int_if    364   26   1158
    Blocked out on int_if   341    0      0

--- Relevant rules from pf.conf ---

    nat on $ext_if1 from 192.168.1.0/24 to any port smtp -> a.b.c.195
    nat on $ext_if1 from 192.168.1.0/24 to any port != smtp -> a.b.c.199
    rdr on $ext_if1 proto tcp from any to a.b.c.195 port smtp -> 192.168.1.1 port smtp

    # default: block all
    block in log on $int_if from any to any label "Blocked in on int_if"
    block out log on $int_if from any to any label "Blocked out on int_if"
    block in on { $ext_if1, $ext_if2 }
    block out on { $ext_if1, $ext_if2 }

    pass in quick on $int_if route-to \
        ($ext_if1 $ext_gw1) \
        proto tcp from any to any port = smtp flags S/SA keep state
    pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from any to any flags S/SA keep state

    pass out on $int_if from any to $lan_net
    pass out on $ext_if1 proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
    pass out on $ext_if2 proto tcp all flags S/SA keep state queue (q_def2, q_pri2)
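As an added example (not George's ruleset, and not from the pf User's Guide), here is the shape an inbound-SMTP path through a redirect plus outbound route-to load balancing usually takes. Two things are worth checking against any ruleset of this kind: an rdr only rewrites the destination, so a pass rule on the external interface still has to admit the redirected SYN and create the state that the server's replies will later match on the private interface; and the route-to rules are restricted to SYNs that come from the LAN and leave the LAN, so reply packets of an inbound connection never reach them. All interface names, gateways and addresses below are constructed.

```pf
# Added example: constructed macros, not the original poster's values.
ext_if1    = "fxp0"
ext_if2    = "fxp1"
int_if     = "fxp2"
ext_gw1    = "203.0.113.1"
ext_gw2    = "198.51.100.1"
lan_net    = "192.168.1.0/24"
mail_srv   = "192.168.1.1"
mx_addr    = "203.0.113.195"     # the address published in DNS for the MX
other_addr = "203.0.113.199"

# Outbound: mail always leaves from the MX address, everything else from the other one.
nat on $ext_if1 from $lan_net to any port smtp   -> $mx_addr
nat on $ext_if1 from $lan_net to any port != smtp -> $other_addr
# Inbound: redirect mail for the MX address to the internal server.
rdr on $ext_if1 proto tcp from any to $mx_addr port smtp -> $mail_srv port smtp

block in  log all label "default block in"
block out log all label "default block out"

# The rdr alone admits nothing. This rule lets the redirected SYN in (filter
# rules see the translated address) and creates state. pf states float across
# interfaces by default, so the same state carries the server's replies in on
# $int_if and back out on $ext_if1 without touching the route-to rules.
pass in on $ext_if1 proto tcp from any to $mail_srv port smtp \
        flags S/SA keep state

# LAN-originated connections leaving the LAN: SMTP pinned to link 1, the rest
# round-robin. "from $lan_net to ! $lan_net" plus "flags S/SA" means only a
# fresh SYN from an internal host is ever rerouted; replies and LAN-to-LAN
# traffic fall through to the plain pass rules.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
        proto tcp from $lan_net to ! $lan_net port smtp flags S/SA keep state
pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $lan_net to ! $lan_net flags S/SA keep state

pass out on $int_if  from any to $lan_net keep state
pass out on $ext_if1 proto tcp all flags S/SA keep state
pass out on $ext_if2 proto tcp all flags S/SA keep state
```

To debug a ruleset like this, the label counters in the question are the right instrument: after pfctl -F states, open one inbound SMTP connection and re-read pfctl -s labels. If the "default block in" counter on the private interface climbs while pfctl -s state shows no entry for the client's connection, nothing created state on the external side; if a state exists but the reply is still blocked, the reply packet reached a route-to rule rather than the state, which the from/to restriction above is meant to rule out.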
Re: Top 10 reasons IPTABLES is better than PF
On Wed, 2004-10-20 at 20:33:57 -0700, Jeff Simmons proclaimed...

> 9. Standard logging via syslogd helps eliminate clutter in /var/log.

Right.

> 8. GPL prevents Steve Jobs from stealing your code.

What's wrong with making the computer industry better? Have you contributed to this project? Probably not. So what does it matter to you? Hopefully Microsoft would use pf one day; it means the industry gets BETTER and doesn't sit in some state of them vs. us.

> 7. Simplistic man pages encourage development of social skills via mailing lists.

Wow, can I quote you on this? This is the most idiotic thing I've read in quite some time. You'd rather have an undocumented system than one with documentation. What do you do when the Internet isn't working?

> 5. Mangle just sounds so much more 133+ than Scrub.
> 4. Complexity of structure leads to more opportunities for obfuscation and subsequent job security.
> 1. No distracting arguments about whether to port it to OpenBSD.

Ya got me. And here I thought you were serious. Surely there isn't anyone as idiotic as you've fooled me into thinking! Thanks for the laugh.

- Eric
Re: pf / pf.conf problem
On Thu, Oct 21, 2004 at 12:56:44AM -0500, Justin Krejci wrote:
> Here is from one of my servers, the first pass in rule is the problem, as soon
> as I removed keep state there are no problems with anything and when I add
> keep state back in, the problems return.

Your current ruleset is pretty odd, I can't explain why it works at all (or even better than with 'keep state'). For an incoming connection, the TCP SYN would pass without creating state, and the outgoing SYN+ACK reply would create state, including sequence number modulation. I think that should be breaking the handshake.

a) change your default block rule to

       block log on $ExtIf all label "block all"

   so outgoing packets are blocked by default and virtual interfaces like loopback are not affected.
b) add 'flags S/SA' to all 'pass tcp' rules
c) re-add 'keep state' to all 'pass' rules
d) make sure all states are flushed (pfctl -Fs)
e) reproduce the problem

Possibly, connections will be refused now, and pflog shows entries. Also enable pfctl -xm and check /var/log/messages.

If this shows no effect (i.e. connections can still be established but stall), try to capture one such connection with

    tcpdump -nvvvSpi dc0

from TCP handshake to the point of stall.

Daniel
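Putting steps a) to c) of the reply above together, here is an added example (not Justin's file and not something Daniel posted) of the questioner's ruleset restructured that way. The interface name and public ports are the ones from the question; everything else is the reply's advice applied line by line.

```pf
# Added example: the ruleset from the question, restructured per the reply.
ExtIf  = "dc0"
Public = "{ 80, 21, 22 }"

scrub in all

# a) default deny in both directions, but only on the external interface,
#    so loopback and other virtual interfaces are left alone
block log on $ExtIf all label "block all"

# b) + c) every TCP pass rule takes "flags S/SA" and keeps state: only the
#    initial SYN can match the rule, and the rest of the connection (including
#    the SYN+ACK going out) is then carried by that state rather than by an
#    unrelated outbound rule with its own sequence-number modulation.
pass in  log quick on $ExtIf inet proto tcp  from any to any port $Public \
        flags S/SA keep state
pass in  log quick on $ExtIf inet proto icmp all keep state

pass out log quick on $ExtIf inet proto tcp  all flags S/SA modulate state
pass out log quick on $ExtIf inet proto udp  all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading (the multi-word label needs its quotes), load it with pfctl -f, then do step d) with pfctl -Fs so no state created under the old rules survives, and step e) while watching tcpdump -n -e -ttt -i pflog0: because every rule logs, any packet that is now refused shows up there together with the rule number that dropped it.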
Re: Layer2 Filtering
> What's the method by which you folks filter layer 2 traffic? Some of my
> methods don't scale well (static arp entries, etc) and was curious to know
> if there was work being conducted in this area for pf, or any other BSD
> licensed goodies.

Pf is a layer 3 and 4 packet filter. It doesn't know anything about underlying layers. (And that is actually great!) You should look at brconfig(8) for layer 2 filtering on bridge. One can tag traffic flow using brconfig(8), and then apply some pf rules using the ``tagged'' keyword.

> Thanks.
>
> - Eric

-- 
Mike Belopuhov
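The brconfig(8) tagging approach that all three replies in this thread point to, as an added example that none of the posters wrote. The bridge rules attach a tag to frames according to their source hardware address; pf then makes the layer 3/4 decision with the ``tagged'' keyword. The bridge name, member interfaces, MAC address and server network are all constructed.

```pf
# --- Layer 2: bridge rules, entered with brconfig(8) ---
# Constructed setup: bridge0 joins fxp0 (where the workstations sit) and
# fxp1 (the server segment). The MAC address is made up. brconfig checks
# rules in order and stops at the first match, so the catch-all goes last.
#
#   brconfig bridge0 rule pass in on fxp0 src 00:de:ad:be:ef:01 tag ADMIN
#   brconfig bridge0 rule pass in on fxp0 tag GUEST
#
# Frames from the one known MAC carry ADMIN, every other frame entering on
# fxp0 carries GUEST. Nothing is blocked at layer 2; pf decides below.

# --- /etc/pf.conf: act on the tag the bridge attached ---
bridge_if = "fxp0"              # assumed: member interface pf filters on
srv_net   = "192.0.2.0/24"      # constructed server segment

block in log on $bridge_if all

# ADMIN-tagged frames (the known MAC) may open ssh to the servers.
pass in on $bridge_if inet proto tcp from any to $srv_net port 22 \
        flags S/SA keep state tagged ADMIN

# Everything else on that segment is GUEST: web only.
pass in on $bridge_if inet proto tcp from any to $srv_net port { 80, 443 } \
        flags S/SA keep state tagged GUEST
```

brconfig's rulefile directive loads the same rules from a file, one per line, which is what makes the approach maintainable for more than a handful of addresses; brconfig(8) gives the exact file format. Treat a MAC-based tag as a policy handle rather than as authentication: a hardware address is not a secret, so the GUEST rules should already be the ones you would be comfortable applying to an unknown machine, and anything sensitive behind the ADMIN tag deserves a second factor (ssh keys, a VPN) on top.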
Re: Top 10 reasons IPTABLES is better than PF
On Thursday 21 October 2004 01:23, eric wrote:
>> 8. GPL prevents Steve Jobs from stealing your code.
>
> What's wrong with making the computer industry better? Have you contributed
> to this project? Probably not. So what does it matter to you? Hopefully
> Microsoft would use pf one day; it means the industry gets BETTER and
> doesn't sit in some state of them vs. us.

Full disclosure: I just bought my mom an iMac. ;-)

> Ya got me. And here I thought you were serious. Surely there isn't anyone as
> idiotic as you've fooled me into thinking!

Well, someone DID mention porting PF to Linux. (Just for grins, take a look at the Linux QOS/traffic shaping subsystem, and then imagine getting PF to interface with THAT.)

-- 
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise. Are you sure you're doing it right?
- My Life With The Thrill Kill Kult