Re: Redundant Bridging Firewall

2005-01-21 Thread Russell Fulton 
On Fri, 2005-01-21 at 12:48 -0800, Dylan Martin wrote:
> My redundant bridging firewall don't work no more with 3.6!
> 

> As background, the bridge interfaces have 'learn' disabled.  That means,
> they never cache information about which interface a packet came from.
> (The inactive bridge would think all external hosts were attached to 
> the internal interface.) 
> 
> Internal Host A sends a packet for Internal Host B
> Switch receives packet and records which port Host A is connected to.   
> Switch's mac address list doesn't contain Host B's Mac address Switch 
>   floods the packet out all it's interfaces
> Packet arrives at Bridge
> Bridge doesn't know where Host B is, and because 'learn' is disabled, it
>   also doesn't know where Host A is.  It floods the same packet out 
>   all interfaces, including the one the packet came in on.
> Packet arrives at Switch
> Switch thinks Host A has moved to the port the Bridge is attached to 
>   and starts sending all packets intended for Host A to the Bridge
>   instead.  This continues until Host A sends out a packet that 
>   corrects the Switch's idea of where Host A is.
> 

Ahh!! so that's what is going on!  We just moved our (very similar set
up) to 3.6 and had similar problems.  The the chief network guru went on
holiday so we simply disabled one of the firewalls and waited until he
gets back.  We had not got to the stage of tracing individual packets
through the network to figure out what was happening.

> 
> If anyone has any ideas, please let me know.

Me too :)

Russell.

Redundant Bridging Firewall

2005-01-21 Thread Dylan Martin 
My redundant bridging firewall don't work no more with 3.6!

Hi folks, a while back I set up a redundant bridging firewall and I wrote up
a web page describing how it works.  Well, now that I've upgraded to 3.6,
I've discovered it doesn't work any more.  So!  If you were going to follow
the directions in my web page to build a redundant bridging firewall, DON'T!

At least not yet.

My page of LOUSY advice is at
http://www.seattlecentral.edu/~dmartin/docs/bridge.html

If you're interested in what isn't working and how you might be able to help
me figure it out, read on.

It looks like (and I stress 'looks like') the following scenario is giving
the internal switch a headache.

As background, the bridge interfaces have 'learn' disabled.  That means,
they never cache information about which interface a packet came from.
(The inactive bridge would think all external hosts were attached to 
the internal interface.) 

Internal Host A sends a packet for Internal Host B
Switch receives packet and records which port Host A is connected to.   
Switch's mac address list doesn't contain Host B's Mac address Switch 
floods the packet out all it's interfaces
Packet arrives at Bridge
Bridge doesn't know where Host B is, and because 'learn' is disabled, it
also doesn't know where Host A is.  It floods the same packet out 
all interfaces, including the one the packet came in on.
Packet arrives at Switch
Switch thinks Host A has moved to the port the Bridge is attached to 
and starts sending all packets intended for Host A to the Bridge
instead.  This continues until Host A sends out a packet that 
corrects the Switch's idea of where Host A is.

Right now, I'm playing around with static mac address tables in the switch.
If that fixes it, it will support my theory, but it won't really be a
workable solution.  Maybe I could turn off 'learn' on the switch port
attached to the bridge somehow.  Maybe I could write a pf rule of some kind 
that would make the bridge only pass packets out of interfaces they didn't 
arrive on.

If anyone has any ideas, please let me know.

Thanks
-Dylan Martin
 Unix Admin
 Seattle Central Community College

Re: Using DNS names in pf.conf?

2005-01-21 Thread Trevor R.H. Clarke 
Henning Brauer wrote:
* Kevin <[EMAIL PROTECTED]> [2005-01-19 21:41]:
Are there any "gotchas" I should know about when using dns names in
pf.conf, specifically in tables used as destinations for permit rules?

well, if DNS is not available by the time pfctl tries to load your 
pf.conf you're pretty much screwed. and pf is enabled very early at 
boot.

try it out, and most importantly, get clear about the external 
dependencies you introduce and their consequences.

I've set my home router up like this and at least on older versions of 
obsd (I'm currently 2 versions behind) the initial pfctl load comes 
before named starts so if you run a local name server it will hang. The 
fix for my system was to reorder startup slightly although this would 
not work universally.

I'd suggest:
a) keeping names out of pf.conf
or
b) large blocks of names (for blacklisting/whitelisting) should go into 
tables as you explained. for cases where tables are overkill, add those 
host names to /etc/hosts and refresh it from dns when you reboot. if the 
names go stale between reboots you'll need to manually (or though cron) 
refresh but if you used dns directly you'd still have to refresh your pf 
rules when the addr translations go stale so this should not be too much 
of a problem.

Re: pf: messages /bsd: pf_map_addr: selected

2005-01-21 Thread marc gmx 
I do the same test on a FreeBSD 4.8-p17, IP Filter: v3.4.31.
There is no lost of packets.

I change my perl script to send more slowly the snmp packets.
With 100 000 packets in 31 seconds, 82599 are received.
With 100 000 packets in 89 seconds, 5 are received !!!

Some help ?

Here my perl script:
# script de generation de trafic
# auteur: Marc GAUTHIER
#
# pseudo package, juste pour faciliter le debug
package _Net::RawIP;
use strict;
sub new {
my($class, $name) = @_;
my $self = { 
  ip => {
saddr => '',
daddr => '',
  },
  udp => {
dest => '',
source => ''
  } 
};
bless($self, $class);
return $self;
}
sub set {
  my $self = shift;
  my $data = shift;
  while( my ($k,$v ) = each(%$data) ) {
$self->{$k} = $v;
  }
}
sub send {
  my $self = shift;
  printf("%-20s:%5s 
=>%-20s:%5s\n",$self->{ip}->{saddr},$self->{udp}->{source},$self->{ip}->{daddr},$self->{udp}->{dest});
}
package main;
use strict;
use Getopt::Long;
  my ( $sint,$dint,$dest,$source );
  my $saddr   = '192.168.3.1';
  my $sport   = '1024';
  my $daddr   = '192.168.13.5';
  my $dport   = '161';
  my $sa_iter = '0';
  my $sp_iter = '0';
  my $da_iter = '0';
  my $dp_iter = '0';
  my $count   = 0;
  my $max = 20;
  my $sleep   = 0;
  my $boucle  = 5000;
  my $debug   = 0;
  my $hostname = (gethostbyname ("localhost"))[0];
  my @ifconfig = `/sbin/ifconfig -a`;
  my $interface = '';
  my $ip = '';
  foreach my $line (@ifconfig) {
#print "line:$line";
$interface = $1 if ( $line =~/(^\w+(?:\d)?(?:\:\d)?)/ );
if ( ($ip) = ($line =~/inet (?:addr\:)?(\d+\.\d+\.\d+\.\d+)/)) { 
  last;
}
  }
  print "interface:$interface ip:$ip\n";
  $saddr = $ip;
  GetOptions(
"saddr=s"=> \$saddr,
"sport=s"=> \$sport,
"daddr=s"=> \$daddr,
"dport=s"=> \$dport,
"da_iter=s"  => \$da_iter,
"dp_iter=s"  => \$dp_iter,
"sa_iter=s"  => \$sa_iter,
"sp_iter=s"  => \$sp_iter,
"sleep=s"=> \$sleep,
"boucle=s"   => \$boucle,
"max=s"  => \$max,
"debug=s"=> \$debug,
  );

  my $scenario = shift if ( @ARGV );
  if ( $scenario =~ /intra/i ) {
$sa_iter = '19';
$saddr = '10.0.0.1';
  }
  if ( $scenario =~ /extra/i ) {
$da_iter = '19';
$daddr = '10.128.0.1';
  }
  if ( $scenario =~ /big/i ) {
if ( $da_iter > 0 ) { $da_iter = 20 };
if ( $sa_iter > 0 ) { $sa_iter = 20 };
  }
  print "max:$max boucle:$boucle\n";
  my $data = 
'302902010004067075626c6963a01c0204094b6a71020100020100300e300c06082b060102010101000500';
  my $pdata= pack('H*',$data);
use Net::RawIP qw();
  my $a = new Net::RawIP ({udp =>{}});
  $dint = ip2int($daddr);
  $sint = ip2int($saddr);
  my $start = time;
  for ( my $daddr_offset = 0; $daddr_offset <= $da_iter; $daddr_offset++ ) {
  for ( my $saddr_offset = 0; $saddr_offset <= $sa_iter; $saddr_offset++ ) {
$dest= int2ip($dint+$daddr_offset);
$source = int2ip($sint+$saddr_offset);
$a->set({ip => {saddr => $source, daddr => $dest} });
  for ( my $sport_offset = 0; $sport_offset <= $sp_iter; $sport_offset++ ) {
  for ( my $dport_offset = 0; $dport_offset <= $dp_iter; $dport_offset++ ) {
$a->set({ udp => {
  dest => $dport,
  source => $sport_offset+$sport,
  data => $pdata,
}} );

$a->send($sleep);
# pour ralentir
for(1..$boucle) { };
$count++;
last if ( $count >= $max );
  }
  last if ( $count >= $max );
  }
  last if ( $count >= $max );
  }
  last if ( $count >= $max );
  }
  my $stop = time;
  print "count:$count duree:".($stop-$start)."\n";

sub usage {
  warn "$0: @_\n" if @_;
  die < 0 ) && ( $int < 4294967295 ) ) {
my $w=($int/16777216)%256;
my $x=($int/65536)%256;
my $y=($int/256)%256;
my $z=$int%256;
my $ip = $w . "." . $x . "." . $y . "." . $z;
return $ip;
  } else {
return 0;
  }
}

Re: First time user comments

2005-01-21 Thread Jason Opperisano 
On Thu, 2005-01-20 at 17:05, Peter Fraser wrote:
> The very broad: I don't understand why there is separate configuration
> files for bridges and routing and packet filtering.

routing and bridging are two separate things.

> Now for the picky ones.
> 
> Could the "syntax error" message, give the position in the line that the
> error occurred, or at least the token that caused it. When you are a
> first time user you syntax errors are not obvious.
> 
> I could find no where in the documentation that says what happens when
> you omit the "on " clause. The documentation implies that it
> must always be given, and grammar in "man pf.conf" shows it as being
> required, but several examples don't supply one. 

the GRAMMAR section in pf.conf show this:


 pf-rule= action [ ( "in" | "out" ) ]
  [ "log" | "log-all" ] [ "quick" ]
  [ "on" ifspec ] [ route ] [ af ] [ protospec ]
  hosts [ filteropt-list ]

where "on ifspec" is in [] denoting that it's optional.  in the intro
paragraph of the PARAMETERS section it also states "Most parameters are
optional."  from the above--the only required parameters are "action"
and "hosts" making the simplest rule possibilities:

  block all
  pass all

> I believe that not
> supplying a "on " means the statement applies to all
> interfaces.

correct.  just like not specifying in|out means the packet can match in
either direction.

> What needs to be quoted in a macro is not documented. One of my first
> mistakes was to write
>   Internal_net = 192.168.200/24
> I could not find any documentation that said it had to be written as
>   Internal_net = "192.168.200/24"
> with quotes. I also tried 
>   DebugLog = log
> and got a similar error.

i have never seen an example where the value of a macro was not quoted. 
the exception to this is macros inside of macros, which is pointed out
in the MACROS section of the man page:

  Macros are not expanded inside quotes.
 For example,
   ext_if = "kue0"
   all_ifs = "{" $ext_if lo0 "}"

> I have several (actually three) segments, each of which have their own
> set of IP address. I wanted each segment to be only allowed to send in
> from IP addresses belonging to the segment, (and for good message stop
> the
> firewall from putting out packets onto a segment that they did not
> belong on). I expected an option on the antispoof directive to implement
> this effect, but it was not there so I wrote:
>   InternalInterfaces = "{" ste1 ste2 ste3 "}"
>   block in  quick on $InternalInterfaces from !$id:network
>   block out quick on $InternalInterfaces to   !$id:network  
> and was surprised to get "macro id is not defined". I believe the $id is
> only defined in certain contexts. Now I can get the same effect by
> writing the six statements which is what I did, but I was surprised.

um--that's what "antispoof" is for--source address verification inbound
on a given interface.  as for your good measure(?) of blocking packets
outbound from the firewall...that's what the routing table is for...IMHO
i don't see the "good" in that measure(?).

as for pf not magically knowing what $id is supposed to mean; i'm not
sure why you think it would--also not sure why you'd be surprised that
it would tell you that the macro isn't defined, as you clearly didn't
define it.  the macro $magic_miss_cleo_psychic_logic isn't defined
either--so it doesn't surprise me when my rules fail to load when i
reference it.  computers do what you tell them to do--they're funny that
way.

<--snip dns resolving in rules comments-->

> It would be nice if there was a predefined macro for the unrouteable
> address.

all IP address are routeable, as IP is a routed protocol; unlike say,
NetBEUI for example...  i could be so bold as to assume you mean the RFC
1918 address spaces reserved for private networks, but i would just be
assuming.  maybe you mean the RFC 3330 special-use addresses, sans the
cable modem 24/8 network.  maybe you mean all the network blocks listed
on http://www.iana.org/assignments/ipv4-address-space as
Reserved|Private Use|Returned.  ah--but this list is a moving target
that can be modified at any time--last update was 02Aug2004, fyi...  the
pf developers; much like the parsing engine, are not
mind-readers--firewalling is a personal thing:  say what you mean and
mean what you say.  how hard is it to define what *you* actually mean by
"unrouteable" in a template file that you create your firewall configs
from?

> It would be nice if there is only one interface type on the computer to
> define a macro automatically for them, I suggest $id0 $id1 etc. That way
> pf config files could be more portable, particularly in the case of a
> server machine that only has one interface.

not 100% sure what you mean here, but if you mean being able to refer to
hme0, hme1, hme2, hme3, and hme4 simply as hme--then it's already there.

> I could not find a documentat

Re: Using DNS names in pf.conf?

2005-01-21 Thread Siju George 
On Thu, 20 Jan 2005 14:33:00 +0100, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Kevin <[EMAIL PROTECTED]> [2005-01-19 21:41]:
> > Are there any "gotchas" I should know about when using dns names in
> > pf.conf, specifically in tables used as destinations for permit rules?
> 
> well, if DNS is not available by the time pfctl tries to load your
> pf.conf you're pretty much screwed. and pf is enabled very early at
> boot.
> 

may be this is the reason my "SQUID" fails during startup!! 
I get a few error message that squid exits due to repeated freequent
failures and after the login prompt appears I get this messages once
more but by that time SQUID is up and running.
A person not used to this might think that SQUID failed to startup
looking at the conslole.
:)))

Thankyou henning for the reply

Kind Regards

Siju

Re: First time user comments

2005-01-21 Thread Henning Brauer 
* Peter Fraser <[EMAIL PROTECTED]> [2005-01-21 00:54]:
> Could the "syntax error" message, give the position in the line that the
> error occurred, or at least the token that caused it.

no - that is not how parsers work. syntax error actually says it didn't 
match any production from the grammar. if we don't know what production 
it should have matches, how should we tell which part didn't?

that is just not how parsers work, sorry.

> I believe that not
> supplying a "on " means the statement applies to all
> interfaces.

yes.

> It would be nice if there is only one interface type on the computer to
> define a macro automatically for them, I suggest $id0 $id1 etc. That way
> pf config files could be more portable, particularly in the case of a
> server machine that only has one interface.

that will be solved by interface groups.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)