Re: Layer2 Filtering

2004-10-21 Thread Chris Reining
Eric,
man brconfig(8). You can tag packets based on hardware address and refer
to them using the tagged directive in pf, or simply use rules directly with
brconfig.

--
Chris Reining, GCFW, GCIA
[EMAIL PROTECTED]
http://packetfu.org

On Wed, Oct 20, 2004 at 05:59:51PM -0500, eric wrote:
 What's the method by which you folks filter layer 2 traffic? Some of
 my methods don't scale well (static arp entries, etc) and I was
 curious to know if there was work being conducted in this area
 for pf, or any other BSD licensed goodies.
 
 Thanks.
 
 - Eric
 


Re: Layer2 Filtering

2004-10-21 Thread Jason Opperisano
On Wed, 2004-10-20 at 18:59, eric wrote:
 What's the method by which you folks filter layer 2 traffic? Some of
 my methods don't scale well (static arp entries, etc) and I was
 curious to know if there was work being conducted in this area
 for pf, or any other BSD licensed goodies.

man 8 brconfig

check out the examples on creating rules.  especially nifty is the
ability to tag packets at the bridge level and utilize those tags in
your PF rules.

dunno if this qualifies as scalable though...  maybe the rulefile
ability adds scalability.

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Drinking coffee for instant relaxation? That's like drinking alcohol for
instant motor skills. -- Marc Price
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~


Altq priority question...

2004-10-21 Thread Yuri
Heya
I'm just starting to implement the queuing on my 768u/d dsl line
Upload queueing works perfectly, but the download one is weird...
One queue (nntp_in) that has the lowest priority borrows from higher 
priority queues (std_in), so web download speeds are about 10kB/sec, 
while nntp goes at 50-60kB

Here's my Internal queue definition:
altq on $int_if cbq bandwidth 750Kb queue { std_in, ssh_in, dns_in, nntp_in }
queue std_in  priority 2 cbq(default)
queue ssh_in  priority 4
queue dns_in  priority 5
queue nntp_in bandwidth 200Kb priority 0 cbq(borrow red)

And assignment:
block out on $int_if all
pass  out on $int_if from any to $internal_net queue std_in
pass  out on $int_if proto { tcp udp } from any port domain to $internal_net queue dns_in
pass  out on $int_if proto tcp from any port ssh to $internal_net queue (std_in, ssh_in)
pass  out on $int_if proto tcp from any port nntp to $internal_net queue nntp_in

Am I missing something? :) Thanks in advance for your reply :)
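An added example, not part of Yuri's post, showing the queue tree as posted beside one in which every child queue carries its own bandwidth figure. Under cbq a child's bandwidth figure is the share the scheduler guarantees it, and a sibling marked borrow may take whatever the others leave idle; a child with no figure of its own has nothing guaranteed to fall back on once the borrower is busy, whatever its priority. The shares in the corrected tree are assumptions, to be adjusted to the real traffic mix; they add up to exactly the parent's 750Kb.

```pf
# As posted: only nntp_in has a bandwidth figure, so only nntp_in has a
# guaranteed share. The other three queues have nothing the scheduler can
# hold back from a borrowing sibling, whatever their priority.
#   queue std_in  priority 2 cbq(default)
#   queue ssh_in  priority 4
#   queue dns_in  priority 5
#   queue nntp_in bandwidth 200Kb priority 0 cbq(borrow red)

# Corrected: each child gets an explicit share (figures assumed), the shares
# sum to the parent's 750Kb, and nntp_in can still borrow whatever the other
# queues are not using at the moment.
altq on $int_if cbq bandwidth 750Kb queue { std_in, ssh_in, dns_in, nntp_in }
queue std_in  bandwidth 450Kb priority 2 cbq(default borrow)
queue ssh_in  bandwidth  64Kb priority 4 cbq(borrow)
queue dns_in  bandwidth  36Kb priority 5 cbq(borrow)
queue nntp_in bandwidth 200Kb priority 0 cbq(borrow red)
```

The assignment rules from the post can stay as they are. Note that queueing download traffic on the inside interface can only delay packets that have already crossed the DSL link, so it works by making the remote TCP senders back off; keeping the parent at 750Kb, a little under the 768Kb line rate, is what keeps this box rather than the ISP's equipment as the bottleneck.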


Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread Jeff Simmons
10. Parsing IPTABLES config files excellent preparation for subsequent 
learning of Asian pictograph-based languages.

9. Standard logging via syslogd helps eliminate clutter in /var/log.

8. GPL prevents Steve Jobs from stealing your code.

7. Simplistic man pages encourage development of social skills via mailing 
lists.

6. Multiple distributions, versions, kernels, modules, plugins, etc. keep 
hackers confused as to exactly what they're attacking.

5. Mangle just sounds so much more 133+ than Scrub.

4. Complexity of structure leads to more opportunities for obfuscation and 
subsequent job security.

3. New and experimental kernel modules make life exciting again.

2. GUI and Web based utilities mean that anyone can set one up without knowing 
what they're doing.

And the number one reason IPTABLES is better than PF:

1. No distracting arguments about whether to port it to OpenBSD.

-- 
Jeff Simmons   [EMAIL PROTECTED]
 Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise.  Are you sure you're doing it right?
- My Life With The Thrill Kill Kult


pf / pf.conf problem

2004-10-21 Thread Justin Krejci
This is a weird problem that took me a while to track down. First off I
have 3 openbsd servers, 1 linux machine, and a couple of windows
workstations on my network. My firewall running NAT is openbsd 3.5. It is
doing NAT for the linux and windows computers. The other two openbsd
servers are outside of the firewall each running pf. Now all of a sudden
(it seemed this way) I could not maintain a session from a host behind the
firewall to either of the two openbsd servers (all internet traffic was
fine). What would happen if I tried to access my webserver (one of the two
openbsd servers) is the page would start to load and only show about 1/3 of
the page, then freeze. My other server (mail server) would not allow me to
download my email via pop/imap but looking at tcpdump I was able to fully
log into the server. I could ssh to the server and hit enter a few times
but as soon as I did anything like ps axu it would freeze half way into
the output.

Since I had not changed any of my pf.conf files in several months (server
uptimes all were around 40-50 days) and I saw no signs of hacking (log
files, mtree, etc) I was stumped. I tried moving my linux machine outside
the firewall and I had the same problem accessing the servers. I tried
rebooting all of my servers and even my switch with no change. Then I
started looking at my pf.conf rules and removing several at a time and
figured out that there was one rule that was causing the whole problem.

Here is the ruleset from one of my servers; the first pass in rule is the
problem. As soon as I remove keep state there are no problems with anything,
and when I add keep state back in, the problems return.

What does this mean? what can I do? I mean, I guess I don't NEED keep
state, but I would like to use it if possible. The hardware is adequate:
350 MHz AMD and P2 450, 128 MB RAM and 128 MB RAM for my web and mail servers
respectively.


ExtIf="dc0"
Public="{ 80, 21, 22 }"
scrub in all

pass in log quick on $ExtIf inet proto tcp from any to any port $Public \
    keep state

#pass in log quick on $ExtIf inet proto tcp from any to any port $Public

block in log all label "block in all"

pass out log quick on $ExtIf inet proto tcp  all modulate state
pass out log quick on $ExtIf inet proto udp  all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
pass in  log quick on $ExtIf inet proto icmp all keep state

--
Public key http://www.krytosvirus.com/public.asc


pf, load-balancing attempt blocks incoming mail

2004-10-21 Thread George Pontis

Hello,

Having some trouble here with mail when I try to implement outbound
load-balancing. I am following the example for outbound load balancing in
the pf User's Guide, but I have changed it to be specific to SMTP, to ensure
that all mail is sent and received from the same IP which is advertised by
DNS. I'll implement a more redundant solution after getting this working.

The problem is that the system can send mail, but cannot receive it. The
mail server sees incoming messages but cannot send a response because its
response is blocked at the private interface! It reports an error writing to
the socket because the connection was reset by the other side. However, the
mail server is capable of initiating an outgoing connection to send mail.

Any helpful explanation for the source of the problem or a way to debug it
would be much appreciated.


George


---
pfctl -g -s all ...   
---

LABEL COUNTERS:
Blocked in on int_if 364 26 1158
Blocked out on int_if 341 0 0

---
Relevant rules from pf.conf
---

nat on $ext_if1 from 192.168.1.0/24 to any port smtp -> a.b.c.195
nat on $ext_if1 from 192.168.1.0/24 to any port != smtp -> a.b.c.199

rdr on $ext_if1 proto tcp from any to a.b.c.195 port smtp -> 192.168.1.1 port smtp

# default: block all
block in log on $int_if from any to any label "Blocked in on int_if"
block out log on $int_if from any to any label "Blocked out on int_if"
block in on { $ext_if1, $ext_if2 }
block out on { $ext_if1, $ext_if2 }

pass in quick on $int_if route-to \
($ext_if1 $ext_gw1) \
proto tcp from any to any port = smtp flags S/SA keep state
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from any to any flags S/SA keep state
pass out on $int_if from any to $lan_net


pass out on $ext_if1 proto tcp all flags S/SA keep state queue (q_def1, q_pri1)
pass out on $ext_if2 proto tcp all flags S/SA keep state queue (q_def2, q_pri2)




Re: Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread eric
On Wed, 2004-10-20 at 20:33:57 -0700, Jeff Simmons proclaimed...

 9. Standard logging via syslogd helps eliminate clutter in /var/log.

Right. 

 8. GPL prevents Steve Jobs from stealing your code.

What's wrong with making the computer industry better? Have you
contributed to this project? Probably not. So what does it matter to
you? Hopefully Microsoft would use pf one day; it means the industry
gets BETTER and doesn't sit in some state of them vs. us.

 7. Simplistic man pages encourage development of social skills via
 mailing lists.

Wow, can I quote you on this? This is the most idiotic thing I've
read in quite some time.

You'd rather have an undocumented system than one with
documentation. What do you do when the Internet isn't working?

 5. Mangle just sounds so much more 133+ than Scrub.
 
 4. Complexity of structure leads to more opportunities for obfuscation and 
 subsequent job security.
 
 1. No distracting arguments about whether to port it to OpenBSD.

Ya got me. And here I thought you were serious. Surely there isn't
anyone as idiotic as you've fooled me into thinking!

Thanks for the laugh.

- Eric


Re: pf / pf.conf problem

2004-10-21 Thread Daniel Hartmeier
On Thu, Oct 21, 2004 at 12:56:44AM -0500, Justin Krejci wrote:

 Here is from one of my servers, the first pass in rule is the problem, as
 soon as I removed keep state there are no problems with anything and when
 I add keep state back in, the problems return.

Your current ruleset is pretty odd, I can't explain why it works at all
(or even better than with 'keep state'). For an incoming connection,
the TCP SYN would pass without creating state, and the outgoing SYN+ACK
reply would create state, including sequence number modulation. I think
that should be breaking the handshake.

a) change your default block rule to

 block log on $ExtIf all label "block all"

   so outgoing packets are blocked by default and virtual interfaces
   like loopback are not affected.

b) add 'flags S/SA' to all 'pass tcp' rules

c) re-add 'keep state' to all 'pass' rules

d) make sure all states are flushed (pfctl -Fs)

e) reproduce the problem

Possibly, connections will be refused now, and pflog shows entries. Also
enable pfctl -xm and check /var/log/messages.

If this shows no effect (i.e. connections can still be established but
stall), try to capture one such connection with tcpdump -nvvvSpi dc0
from TCP handshake to the point of stall.

Daniel
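Daniel's steps (a) to (c) applied to the ruleset Justin posted, as an added example rather than anything either of them wrote: the macros and the scrub line are Justin's, the rule text and the label are mine. The point of (b) and (c) together is that a state can then only ever be created by a packet carrying SYN alone, so the SYN+ACK of an incoming connection can never be the packet that instantiates a state, which is the situation Daniel describes as breaking the handshake.

```pf
# Justin's macros and scrub line; values quoted so the macro containing
# braces and spaces parses.
ExtIf  = "dc0"
Public = "{ 80, 21, 22 }"
scrub in all

# (a) one default block, on the external interface only and in both
#     directions. Loopback and other virtual interfaces are no longer
#     affected. The label is quoted because it contains spaces.
block log on $ExtIf all label "block all"

# (b) + (c) every TCP pass rule carries flags S/SA and keeps state. Only an
#     initial SYN matches, so a SYN+ACK arriving with no state behind it is
#     dropped and logged by the rule above instead of creating a state.
pass in  log quick on $ExtIf inet proto tcp from any to any port $Public \
    flags S/SA keep state
pass out log quick on $ExtIf inet proto tcp  all flags S/SA modulate state

# UDP and ICMP as posted, stateful in both directions where Justin had them.
pass out log quick on $ExtIf inet proto udp  all keep state
pass out log quick on $ExtIf inet proto icmp all keep state
pass in  log quick on $ExtIf inet proto icmp all keep state
```

Load it with pfctl -f /etc/pf.conf, flush the old states with pfctl -F state (Daniel's pfctl -Fs is the same command), and reproduce. If connections are now refused, pflog will show which rule dropped what; if they still stall, restrict Daniel's tcpdump line to the client's address and the service port so the handshake and the stall end up in one short capture.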


Re: Layer2 Filtering

2004-10-21 Thread Mike Belopuhov
 What's the method by which you folks filter layer 2 traffic? Some of
 my methods don't scale well (static arp entries, etc) and I was
 curious to know if there was work being conducted in this area
 for pf, or any other BSD licensed goodies.


Pf is a layer 3 and 4 packet filter. It doesn't know anything
about underlying layers. (And that is actually great!)

You should look at brconfig(8) for layer 2 filtering on a bridge.
One can tag a traffic flow using brconfig(8), and then apply
some pf rules using the ``tagged'' keyword.

 Thanks.

 - Eric


--
 Mike Belopuhov
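Putting the three replies in this thread together (Chris's and Mike's point that the bridge tags frames and pf matches the tag with the tagged keyword, Jason's point that the rulefile is where this scales), here is an added worked configuration. It is not any of the posters' own, and the interface names, hardware addresses, file paths, network and tag name are all assumed. The bridge holds the layer 2 policy: it drops frames entering on the untrusted member from any hardware address not in the list and tags the frames it does pass. pf never has to know a MAC address; its layer 3/4 rules key on the tag, and a new host is admitted by appending one line to the rulefile and reloading it rather than by editing pf.conf or maintaining static ARP entries.

```pf
# /etc/bridgename.bridge0 (assumed path): brought up by netstart at boot,
# one brconfig(8) argument group per line. fxp0 is the untrusted member,
# fxp1 the trusted one (both assumed).
add fxp0
add fxp1
rulefile /etc/bridge.rules
up

# /etc/bridge.rules (assumed path): one layer 2 rule per line, in the syntax
# of "brconfig bridge0 rule ..." without the leading "rule" word. Rules are
# tried in order and the first match wins. A frame entering on fxp0 from a
# listed hardware address is passed and tagged "known"; any other frame
# entering on fxp0, ARP included, is dropped at the bridge and pf never
# sees it. Admitting a new host means appending one line here.
pass in on fxp0 src 00:11:22:33:44:55 tag known
pass in on fxp0 src 00:11:22:33:44:66 tag known
block in on fxp0

# /etc/pf.conf: the layer 3/4 policy is keyed on the tag, not on addresses,
# so a host cannot get past it merely by choosing a convenient IP address.
lan_if  = "fxp0"
lan_net = "192.0.2.0/24"

block log all

# Only frames the bridge tagged may open connections from the LAN side.
# States are floating, so the same state also passes the outbound leg of
# the connection on fxp1 and the replies that come back in through it.
pass in quick on $lan_if inet from $lan_net tagged known keep state
```

After editing the rulefile, brconfig bridge0 flushrule fxp0 drops the old set and brconfig bridge0 rulefile /etc/bridge.rules loads the new one. Two caveats a reader should keep in mind: because pf works at layers 3 and 4 (Mike's point), ARP and any other non-IP frame is only ever judged by the bridge rules, which is why the block at the bridge is doing the real work; and a bridge rule matches the source address the frame claims, so a host that spoofs a listed hardware address is passed and tagged like the real one. Tagging authenticates nothing beyond that claim.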


Re: Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread Jeff Simmons
On Thursday 21 October 2004 01:23, eric wrote:

  8. GPL prevents Steve Jobs from stealing your code.

 What's wrong with making the computer industry better? Have you
 contributed to this project? Probably not. So what does it matter to
 you? Hopefully Microsoft would use pf one day; it means the industry
 gets BETTER and doesn't sit in some state of them vs. us.

Full disclosure: I just bought my mom an iMac. ;-)

 Ya got me. And here I thought you were serious. Surely there isn't
 anyone as idiotic as you've fooled me into thinking!

Well, someone DID mention porting PF to Linux. (Just for grins, take a look at 
the Linux QOS/traffic shaping subsystem, and then imagine getting PF to 
interface with THAT.)

-- 
Jeff Simmons   [EMAIL PROTECTED]
 Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise.  Are you sure you're doing it right?
- My Life With The Thrill Kill Kult