A moment of silence for a fallen comrade...

2004-12-09 Thread James Cammarata
I'd just like to have a moment of silence for my company's OpenBSD firewall.
It has served us well for over a year (no intrusions is well, isn't it?), 
but the powers that be are demanding we actually install the Cisco PIX that 
we bought a couple of months ago.  So this weekend we're throwing the 
switch on the super reliable whitebox we've been using to guard our company 
and installing the PIX.  My coworker and myself both use OpenBSD for our 
home networks so not all is lost, hopefully in the future we'll be able to 
swing the pendulum back our way again :)

James Cammarata
[EMAIL PROTECTED]
www.sngx.net
home: 314-966-5976
work: 314-872-2426
cell: 314-409-0583
__
Out the Ethernet, through the router,
down the fiber, off another router,
down the T1, past the fire-wall
..nothing but Net


Re: Internal IP Address Detection Through NAT

2004-12-09 Thread Jason Opperisano
On Wed, 2004-12-08 at 14:34, messmate wrote:
> > This is correct.  Squid by default includes a X-Forwarded-For: header
> > on each HTTP request showing the original requesting IP address.  This
> > can be disabled in squid.conf with forwarded_for off.
>
> Sorry, not correct. I'm behind my squid and forwarded on or off the
> header is there !

the X-Forwarded-For header is present whether you set the
forwarded_for directive to on or off--the difference is that with
it set to off the header reads:

X-Forwarded-For: unknown\r\n

which would rule it out as the source of the IP leak that the OP is
asking about.

you can also control what is shown in the Via header by setting the
visible_hostname directive.  again--ruling out squid as the source of
the leak...

oh--and if the Via: header bugs you:

header_access Via deny all

works without a recompile...  as does:

header_access X-Forwarded-For deny all

-j

--
Oh, so they have internet on computers now!
--The Simpsons
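As an added illustration (not part of the thread, and not Squid's own code), the following Python script shows how a defender could check outbound requests captured at the proxy or at an egress monitor for the three states Jason describes: the default X-Forwarded-For carrying an internal address, `forwarded_for off` yielding the literal value `unknown`, and `header_access ... deny all` removing the header altogether. The sample requests are constructed; the host name gw.lan.example and the address 192.168.1.20 are assumptions made for the example.

```python
import ipaddress
import re

# Headers a forward proxy such as Squid can add to an outbound request; both
# can disclose addresses or host names from behind the NAT.
PROXY_HEADERS = ("x-forwarded-for", "via")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw):
    """Split a raw HTTP request into its request line and a dict of
    lowercase header name -> list of values (a header may repeat)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def leaked_internal_addresses(headers):
    """Return the private or loopback IPv4 addresses found in proxy-added
    headers, sorted, or an empty list if there are none."""
    found = set()
    for name in PROXY_HEADERS:
        for value in headers.get(name, []):
            for candidate in IPV4_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # e.g. 999.1.1.1 matches the regex but is not an address
                if ip.is_private or ip.is_loopback:
                    found.add(str(ip))
    return sorted(found)


def classify(raw):
    """Classify one request as LEAK, MASKED, STRIPPED or CLEAN."""
    _, headers = parse_headers(raw)
    leaks = leaked_internal_addresses(headers)
    if leaks:
        return "LEAK", leaks
    xff = headers.get("x-forwarded-for", [])
    if xff and all(v.lower() == "unknown" for v in xff):
        return "MASKED", []     # forwarded_for off: header present, value "unknown"
    if not any(h in headers for h in PROXY_HEADERS):
        return "STRIPPED", []   # header_access ... deny all removed both headers
    return "CLEAN", []          # headers present but nothing internal in them


# Constructed sample requests as an egress monitor would see them; the host
# name gw.lan.example and the address 192.168.1.20 are made up for this example.
REQ_DEFAULT = (
    "GET / HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Via: 1.0 gw.lan.example:3128 (squid)\r\n"
    "X-Forwarded-For: 192.168.1.20\r\n"
    "\r\n"
)
REQ_FORWARDED_FOR_OFF = (
    "GET / HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Via: 1.0 gw.lan.example:3128 (squid)\r\n"
    "X-Forwarded-For: unknown\r\n"
    "\r\n"
)
REQ_HEADER_ACCESS_DENY = (
    "GET / HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("default", REQ_DEFAULT),
                       ("forwarded_for off", REQ_FORWARDED_FOR_OFF),
                       ("header_access deny", REQ_HEADER_ACCESS_DENY)):
        print(f"{label:20s} -> {classify(req)}")
```

The check flags only RFC 1918 and loopback addresses, so a proxy that sets visible_hostname to a public name and leaves X-Forwarded-For at "unknown" is reported as MASKED rather than as a leak, which matches Jason's point that squid configured that way is not the source of the OP's problem.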


Re: Internal IP Address Detection Through NAT

2004-12-09 Thread messmate
On Wed, 08 Dec 2004 19:22:53 -0500
Jason Opperisano [EMAIL PROTECTED] wrote:

> On Wed, 2004-12-08 at 14:34, messmate wrote:
> > > This is correct.  Squid by default includes a X-Forwarded-For:
> > > header on each HTTP request showing the original requesting IP
> > > address.  This can be disabled in squid.conf with forwarded_for
> > > off.
> > Sorry, not correct. I'm behind my squid and forwarded on or off the
> > header is there !
>
> the X-Forwarded-For header is present whether you set the
> forwarded_for directive to on or off--the difference is that with
> it set to off the header reads:
>
> X-Forwarded-For: unknown\r\n

I agree :)

> which would rule it out as the source of the IP leak that the OP is
> asking about.
>
> you can also control what is shown in the Via header by setting the
> visible_hostname directive.  again--ruling out squid as the source of
> the leak...
>
> oh--and if the Via: header bugs you:
>
> header_access Via deny all

Tested and works on openbsd without a recompile :)

> works without a recompile...  as does:
>
> header_access X-Forwarded-For deny all
>
> -j

Thanks
mess-mate


Re: A moment of silence for a fallen comrade...

2004-12-09 Thread James Cammarata
At 03:15 AM 12/9/2004, David A. Ulevitch wrote:
> It'd probably be smart to just keep the openbsd firewall in place, even
> with a blank ruleset, behind the PIX.
> A PIX can't handle any traffic once it has a serious ruleset.
> -davidu

That is actually our plan down the road.  We're going to have another 
firewall protecting our servers from our user base, and as a second line of 
protection in case of an intrusion.  My boss knows you shouldn't have two 
of the same firewall protecting your network, so we'll definitely be using 
OpenBSD for that.

At 10:54 AM 12/9/2004, you wrote:
> What was their reasoning for switching from OBSD -- Cisco?  They weren't
> spending enough money? ;)
> ~M

Apparently.  We had a consulting company come in that has a lot of sway 
with upper management and their big buzzword was Cisco (we're also forced 
to ditch our 3com switches for Cisco's...).  So our steering committee is 
making us do the transition, even though this consulting company did an 
intrusion test on us and got nowhere ;)

James Cammarata
[EMAIL PROTECTED]
www.sngx.net
home: 314-966-5976
work: 314-872-2426
cell: 314-409-0583
__
Out the Ethernet, through the router,
down the fiber, off another router,
down the T1, past the fire-wall
..nothing but Net


Queue name, no error!

2004-12-09 Thread Manuel Pata
PF doesn't notice if I add a queue to a rule with the wrong name.
http_aut should be http_out, and there's no http_aut queue.
pass out on $ext inet proto { tcp, udp } from any to any port www keep state queue http_aut

And pf goes on... and on... and on... :-)
Anyway, great packet filter and great documentation! Congratulations!
--
Manuel Pata
pata (ate) alface (dote) de
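Added example, not Manuel's code and not part of pf itself: a small Python lint that reads a pf.conf, collects the queue names declared by `queue` lines and by the `altq ... queue { ... }` list, and reports every filter rule whose `queue` keyword references a name that was never declared. Run over a ruleset before loading it, it catches the http_aut/http_out mismatch described above. The pf.conf fragment embedded below is constructed for the example; the interface name fxp0 and the queue layout are assumptions.

```python
import re

# A queue definition: "queue <name> bandwidth ..."
QUEUE_DEF_RE = re.compile(r"^\s*queue\s+([A-Za-z0-9_]+)")
# The child list on an altq line: "altq on $ext cbq ... queue { a, b, c }"
ALTQ_LIST_RE = re.compile(r"^\s*altq\b.*\bqueue\s*\{([^}]*)\}")
# A queue assignment on a rule: "queue name" or "queue (name1, name2)"
QUEUE_REF_RE = re.compile(r"\bqueue\s+(?:\(([^)]*)\)|([A-Za-z0-9_]+))")
RULE_KEYWORDS = ("pass", "block", "match")


def logical_lines(text):
    """Yield (line_number, line) with comments stripped and backslash
    continuations joined; line_number is where the logical line starts."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined
        buf, start = [], None


def defined_queues(text):
    """Set of queue names the ruleset actually declares."""
    names = set()
    for _, line in logical_lines(text):
        m = QUEUE_DEF_RE.match(line)
        if m:
            names.add(m.group(1))
        m = ALTQ_LIST_RE.match(line)
        if m:
            names.update(n.strip() for n in m.group(1).split(",") if n.strip())
    return names


def undefined_queue_refs(text):
    """List of (line_number, queue_name) for rules that assign a queue that
    was never declared."""
    defined = defined_queues(text)
    problems = []
    for n, line in logical_lines(text):
        if line.split()[0] not in RULE_KEYWORDS:
            continue
        for m in QUEUE_REF_RE.finditer(line):
            names = m.group(1).split(",") if m.group(1) is not None else [m.group(2)]
            for name in names:
                name = name.strip()
                if name and name not in defined:
                    problems.append((n, name))
    return problems


# Constructed pf.conf fragment for this example; fxp0 and the queue layout
# are made up, and the http_aut typo on the www rule is deliberate.
SAMPLE_PF_CONF = """\
# constructed pf.conf fragment, not from the original post
ext="fxp0"
altq on $ext cbq bandwidth 2Mb queue { http_out, ssh_out, std }
queue http_out bandwidth 50%
queue ssh_out bandwidth 25% priority 5
queue std bandwidth 25% cbq(default)

pass out on $ext inet proto { tcp, udp } from any to any port www keep state \\
    queue http_aut
pass out on $ext inet proto tcp from any to any port ssh keep state queue (ssh_out, http_out)
"""

if __name__ == "__main__":
    for lineno, name in undefined_queue_refs(SAMPLE_PF_CONF):
        print(f"line {lineno}: rule assigns undefined queue '{name}'")
```

Because the lint only knows the names it saw declared, a rule that assigns an undefined queue is reported with the line the rule starts on, even when the `queue` keyword sits on a continuation line as in the sample.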


Re: Internal IP Address Detection Through NAT

2004-12-09 Thread William Culler
Hello,

  Thanks everyone for your comments.  I should have guessed that it
  would be a Java script or something.  I disabled Java in
  Internet Explorer and the site I was talking about was not able
  to get the internal ip address anymore.  Thanks again.

  

-- 
Best regards,
 William  mailto:[EMAIL PROTECTED]