Re: queuing question
On 4/13/05, Peter Huncar [EMAIL PROTECTED] wrote:

> Hi
>
> Only two simple questions (I hope). I'm trying to shape traffic between
> several subnets (some in the form of VLANs and some have their own
> physical interface). Is something like this possible?

Anything is possible..

> Just an example
>
>   Subnet 1 -- fxp0 - OpenBSD - fxp1 --- Subnet 2
>
>   altq on $fxp0 bandwidth 100% cbq queue { fxp0_high, fxp0_def }
>   altq on $fxp1 bandwidth 100% cbq queue { fxp1_high, fxp1_def }
>
>   queue fxp0_high bandwidth 30% priority 7 cbq(red)
>   queue fxp0_def  bandwidth 70% priority 6 cbq(red, default)
>   queue fxp1_high bandwidth 30% priority 7 cbq(red)
>   queue fxp1_def  bandwidth 70% priority 6 cbq(red, default)

Having the priorities so close will most likely outweigh the benefit here.

>   pass in on { lo0 fxp0 fxp1 }
>
>   pass out on fxp0 inet proto { tcp udp } all flags S/SA keep state
>   pass out on fxp0 inet proto { tcp udp } from any to any port $highports \
>       flags S/SA keep state queue fxp1_high
>
>   pass out on fxp1 inet proto { tcp udp } all flags S/SA keep state
>   pass out on fxp1 inet proto { tcp udp } from any to any port $highports \
>       flags S/SA keep state queue fxp0_high
>
> So I create a state that will pass packets belonging to this connection
> through both interfaces, on one interface and they will be assigned to
> the queue on the other interface without creating any explicit pass rule
> for this interface to assign the packet to the correct queue (because I
> don't know then which service it was). Am I right?

Well, you are on the right path, although this would not work, as you're
crossing your queue definitions: all the traffic going out of fxp0 would go
to your default queue fxp0_def, except anything matching the pass from
$highports would end up on the fxp1_high queue.
The following ruleset would work as you intend:

  altq on $fxp0 bandwidth 100% cbq queue { fxp0_high, fxp0_def }
  queue fxp0_high bandwidth 30% priority 7 cbq(red)
  queue fxp0_def  bandwidth 70% priority 2 cbq(red, default)

  altq on $fxp1 bandwidth 100% cbq queue { fxp1_high, fxp1_def }
  queue fxp1_high bandwidth 30% priority 7 cbq(red)
  queue fxp1_def  bandwidth 70% priority 2 cbq(red, default)

  pass quick on lo0
  pass in on { fxp0 fxp1 }

  pass out on fxp0 inet proto { tcp udp } \
      all \
      flags S/SA keep state
  pass out on fxp0 inet proto { tcp udp } \
      from any to any port $highports \
      flags S/SA keep state \
      queue fxp0_high

  pass out on fxp1 inet proto { tcp udp } \
      all \
      flags S/SA keep state
  # a rule on fxp1 is assigned to a queue defined under the altq on fxp1
  pass out on fxp1 inet proto { tcp udp } \
      from any to any port $highports \
      flags S/SA keep state \
      queue fxp1_high

Kimi
--
spamassassinexception
Re: queuing question
Peter Huncar wrote:

> So I create a state that will pass packets belonging to this connection
> through both interfaces, on one interface and they will be assigned to
> the queue on the other interface without creating any explicit pass rule
> for this interface to assign the packet to the correct queue (because I
> don't know then which service it was). Am I right?

http://www.openbsd.org/faq/pf/queueing.html#assign
Re: dup-to problem with specific packets
On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:

> On 4/11/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > I'm trying to duplicate packets matching one particular rule.
> >
> > Background: I have softflowd running on OpenBSD 3.5 i386. This is
> > exporting flows to a logging host. Works beautifully. The old logging
> > host is being replaced. I would like to run the two logging hosts in
> > parallel temporarily, until I'm sure all the bugs are out of the new
> > one. While I could fire up a second instance of softflowd, it seems
> > like this would be a good application of dup-to. I don't want to
> > duplicate the entire mass of traffic going through this box, just the
> > netflow packets.
> >
> >   pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
>
> Should probably read:
>
>   pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)

Thanks, but that doesn't do it either. :-(

Any other suggestions? The rule parses perfectly if I put a # sign right
before the dup-to, so I know the rest of it is correct.

I'm sending this duplicate out via the same interface as the original
packet, could that be the problem? The samples tend to show people dumping
traffic over a different NIC, but that won't work in this case. Since
netflow transmission is stateless I wasn't expecting any sort of trouble,
but I freely admit that lots of people here know more than I do. :-)

==ml
--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
Re: pflog and traffic via gif_if
On 4/14/05, Kimi Ostro [EMAIL PROTECTED] wrote:
On 4/13/05, stephen [EMAIL PROTECTED] wrote:
On 4/13/05, Kimi Ostro [EMAIL PROTECTED] wrote:
On 4/13/05, stephen [EMAIL PROTECTED] wrote:

how does your routing table look? netstat -r -n

how about:

  sysctl -a net.inet.ip.forwarding

and:

  sysctl -a net.inet.etherip.allow

net.inet.etherip.allow should be set to 1, if you are using a gif(4)
device, read the man page.

The moment I flush my ruleset or pass in/out all traffic, it works 100%,
so it's not a routing issue, something to do with the pf ruleset. Let me
know, cause I can post it if required.

Funny thing is, once you've figured it out, you'll probably kick yourself..

at the moment, it's just infuriating.

tell me about it =] most of the time when I've been staring at something
for so long and I walk in to work the next day it seems as plain as..
forgotten the rest of the expression, but an obvious mistake I've
overlooked.

Why do people do this? I am just curious...

cause in the shell I've got it sort of tabulated so it's easy to read..
dunno why but that's just how I like it =] (one rule all in one line at a
time)

you could add a \ at the end of a rule that is too long for continuation
on to the next line, example:

  pass out on $ext_if inet proto udp \
      from ($ext_if:0) to any port { domain ntp } \
      keep state \
      label "$nr: Out from $srcaddr to $dstaddr:$dstport" \
      queue ( q_def q_pri )

If you place a # just in front of the pass, it comments the whole block!

Yup, saw an example ruleset like that yesterday actually, could rewrite
ruleset to look like this in the future =]

it's a bunch of private IP network addresses as specified by most example
rulesets (and others I've seen posted here) (I forget which RFC, perhaps
1918? (wild guess))

RFC1918 seems like the one, although to be honest, I tend not to bother,
when a simple

  block drop all on $ext_if

and

  antispoof on $ext_if
  antispoof on $int_if

work.

but doesn't antispoof take the network address of your $int_if and block
it on the $ext_if whereas blocking $priv_nets blocks spoofed attempts from
any of those ip ranges? unlikely it'll be attempted (spoofing a $priv_net
ip on my $ext_if) but can't have that attitude, would rather block it
anyway =]

are you running a DNS server? you only need UDP if no

I'm not no, but for some reason it didn't want to work with just udp.. I
do intend to start running a dns caching daemon soon though

Only takes a few seconds *witty remark*

sure np, I can't connect remotely as you can see by ruleset :P but I'll be
sure to post it first thing in the morning when I get to the office. There
have been a few minor changes, as I was attempting to get ftp-proxy going
this afternoon and making changes to the conf as I read more
documentation.

Stephen

Oh, I did notice you didn't give us a uname -a? as pf runs on other BSDs
besides OpenBSD, surprisingly how different each are too.

really? I was under the impression it was sort of 'imported' into FreeBSD
from OpenBSD, so the two would be pretty much identical

ftp-proxy, spent the whole week re-writing my ruleset, tightening up the
rules and broke ftp (sort of) oh well.

mine's still pretty broke =] having to resort to PASV and a few users with
ftp shortcuts on their desktops can't access the box as windows doesn't
seem to kick back to PASV, just fails when it can't get a PORT connection.

here ya go, uname -a pf.conf =]

  FreeBSD bollox.soh.local 5.3-STABLE FreeBSD 5.3-STABLE #2: Mon Mar 7 18:09:46 SAST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BOLLOX i386

pf.conf

  # macros
  int_if = rl0
  ext_if = tun0
  gif_if = gif3
  icmp_types = echoreq
  dns = { 196.25.1.1 }
  mail1 = { dbn.stormnet.co.za }
  mail2 = { smtp.saix.net }
  p2p_ports = { 6346 }
  p2p_clients = { 10.0.88.5, 10.0.88.11, 10.0.88.12, 10.0.88.23 }
  studio = { 10.0.88.5, 10.0.88.11, 10.0.88.12 }
  sh = 10.0.88.23/24
  priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
  soh = { 10.0.88.1, 10.0.88.2, 10.0.88.3, 10.0.88.4, 10.0.88.5, \
          10.0.88.6, 10.0.88.7, 10.0.88.8, 10.0.88.9, 10.0.88.10, \
          10.0.88.11, 10.0.88.12, 10.0.88.13, 10.0.88.14, 10.0.88.15, \
          10.0.88.16, 10.0.88.17, 10.0.88.18, 10.0.88.19, 10.0.88.20, \
          10.0.88.21, 10.0.88.22, 10.0.88.23, 10.0.88.24, 10.0.88.25, \
          10.0.88.26, 10.0.88.27, 10.0.88.28, 10.0.88.29, 10.0.88.30 }
  local_net = { 10.0.88.0/24 }
  vpn_conf = { 196.25.191.237 }

  # behavior options
  set optimization aggressive
  set block-policy return
  set loginterface $ext_if
  set fingerprints /etc/pf.os

  # scrub
  scrub in all

  # nat/rdr
  nat on $ext_if from $int_if:network to any -> ($ext_if)
  rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
  rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

  # anti
Mail list archive
Where and how can I download OpenBSD's maillist archives? -- Arseny Nasokin (aka Tarc)
Firewalling with PF manuscript updated, BSD-licensed
I have put an updated version of the Firewalling with PF manuscript up at
http://www.bgnett.no/~peter/pf/ with links to the various versions (btw
the old links will still work). This is roughly what I'll be presenting
in Oslo tonight.

Highlights:

* Various minor corrections including typos
* Added network hygiene section - scrub, block-policy, antispoof
* Added NetBSD info
* Doc available as single html file
* License is now BSD

It's still a work in progress which I will keep maintaining and possibly
expand as time goes by. Thanks are due to everyone who sent me comments
and suggestions, and to the excellent PF developers, OpenBSD and
elsewhere.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: dup-to problem with specific packets
On Sun, Apr 10, 2005 at 11:18:58PM -0400, Michael W. Lucas wrote:

> Hi,
>
> I'm trying to duplicate packets matching one particular rule.
>
> Background: I have softflowd running on OpenBSD 3.5 i386. This is
> exporting flows to a logging host. Works beautifully. The old logging
> host is being replaced. I would like to run the two logging hosts in
> parallel temporarily, until I'm sure all the bugs are out of the new
> one. While I could fire up a second instance of softflowd, it seems like
> this would be a good application of dup-to. I don't want to duplicate
> the entire mass of traffic going through this box, just the netflow
> packets.
>
>   pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
>
> (port number changed to protect the guilty, of course)
>
> pfctl -nf gives me a syntax error on line 80, but won't be specific on
> what the problem is.
>
> Any suggestions? Or am I just outright misunderstanding dup-to?

dup-to goes in the same spot as route-to and reply-to, so:

  pass out on $int_if dup-to ($int_if a.b.c.252) inet proto udp \
      from any to a.b.c.251 port = 8641

appears to be the correct syntax here (3.6 GENERIC#0 sparc64)

-j
--
Contestant: I'll take "the dying boy" to block.
Tom Bergeron: Ok, Jeremy... is there anything lower than absolute zero?
Jeremy: Uhh, yeah... my white cell count.
--Family Guy
Re: dup-to problem with specific packets
On 4/14/05, Michael W. Lucas [EMAIL PROTECTED] wrote:

> On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:
>
> > On 4/11/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
> >
> > > Hi,
> > >
> > > I'm trying to duplicate packets matching one particular rule.
> > >
> > > Background: I have softflowd running on OpenBSD 3.5 i386. This is
> > > exporting flows to a logging host. Works beautifully. The old
> > > logging host is being replaced. I would like to run the two logging
> > > hosts in parallel temporarily, until I'm sure all the bugs are out
> > > of the new one. While I could fire up a second instance of
> > > softflowd, it seems like this would be a good application of
> > > dup-to. I don't want to duplicate the entire mass of traffic going
> > > through this box, just the netflow packets.
> > >
> > >   pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
> >
> > Should probably read:
> >
> >   pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)
>
> Thanks, but that doesn't do it either. :-(
>
> Any other suggestions? The rule parses perfectly if I put a # sign right
> before the dup-to, so I know the rest of it is correct.
>
> I'm sending this duplicate out via the same interface as the original
> packet, could that be the problem? The samples tend to show people
> dumping traffic over a different NIC, but that won't work in this case.
> Since netflow transmission is stateless I wasn't expecting any sort of
> trouble, but I freely admit that lots of people here know more than I
> do. :-)
>
> ==ml
> --
> Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
> http://www.BlackHelicopters.org/~mwlucas/
> Latest book: Cisco Routers for the Desperate
> http://www.CiscoRoutersForTheDesperate.com

After doing a little more reading, the syntax is wrong on our parts, try:

  pass out on $int_if dup-to ($int_if a.b.c.252) proto udp from any to a.b.c.251 port 8641

Kimi
--
spamassassinexception
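The queuing thread and the dup-to thread on this page come down to the same kind of slip: a filter rule that refers to something in a place pfctl does not accept. The script below is an added example for both threads, not code from the list or from the PF project. It lints a pf.conf of the OpenBSD 3.x era for two things: a filter rule whose `queue NAME` (or `queue (A, B)`) names a queue that is not defined under the altq on the rule's own interface (the crossed queue definitions Kimi pointed out), and a dup-to / route-to / reply-to placed after the address family, proto or addresses instead of directly after the interface (the syntax error Michael hit). Assumptions: macros defined in the file are expanded; an undefined macro such as $fxp0 is taken to be the literal interface name, which is how the posted rulesets use it; the two rulesets embedded in the script are constructed for the demo; and the dup-to placement check reflects the grammar of that era, in which the route option sits between the interface and the address family.

```python
"""Lint a 3.x-era pf.conf for the two mistakes made in these threads:
  1. a filter rule's `queue NAME` or `queue (A, B)` names a queue that is not
     defined under the altq on the rule's own interface (crossed queues);
  2. dup-to / route-to / reply-to written after the address family, proto or
     addresses instead of directly after the interface (the syntax error).
Added example, not code from the list or from PF. Assumptions: macros defined
in the file are expanded, an undefined macro such as $fxp0 is taken as the
literal interface name, and both rulesets below are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check name, message)

# Constructed: the corrected queue ruleset plus a correctly placed dup-to.
GOOD_RULES = """
int_if = "fxp1"
altq on $fxp0 bandwidth 100% cbq queue { fxp0_high, fxp0_def }
queue fxp0_high bandwidth 30% priority 7 cbq(red)
queue fxp0_def  bandwidth 70% priority 2 cbq(red, default)
altq on $fxp1 bandwidth 100% cbq queue { fxp1_high, fxp1_def }
queue fxp1_high bandwidth 30% priority 7 cbq(red)
queue fxp1_def  bandwidth 70% priority 2 cbq(red, default)
pass quick on lo0
pass in on { fxp0 fxp1 }
pass out on fxp0 inet proto { tcp udp } from any to any port $highports \\
    flags S/SA keep state queue fxp0_high
pass out on fxp1 inet proto { tcp udp } from any to any port $highports \\
    flags S/SA keep state queue fxp1_high
pass out on $int_if dup-to ($int_if a.b.c.252) inet proto udp \\
    from any to a.b.c.251 port 8641
"""

# Constructed: an fxp0 queue assigned on fxp1, and dup-to at the end of a rule.
BAD_RULES = """
pass out on fxp1 inet proto { tcp udp } from any to any port $highports \\
    flags S/SA keep state queue fxp0_high
pass out on $int_if proto udp from any to a.b.c.251 port 8641 \\
    dup-to ($int_if a.b.c.252)
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*?)"?\s*$')
ALTQ_RE = re.compile(r'^altq\s+on\s+(\S+)\b.*?\bqueue\s*\{([^}]*)\}')
QUEUE_DEF_RE = re.compile(r'^queue\s+(\w+)(?:\s+on\s+(\S+))?(?:.*?\{([^}]*)\})?')
ON_RE = re.compile(r'\bon\s+(?:\{([^}]*)\}|(\S+))')
QUEUE_ASSIGN_RE = re.compile(r'\bqueue\s*(?:\(([^)]*)\)|(\w+))')
ROUTE_RE = re.compile(r'\b(dup-to|route-to|reply-to)\b')
# Tokens that begin the address-family / proto / address part of a rule.
BODY_RE = re.compile(r'\b(?:inet6?|proto|from|all)\b|(?<!-)\bto\b')


def join_continuations(conf: str) -> List[str]:
    """Join backslash-continued lines; drop comments and blank lines."""
    out: List[str] = []
    buf = ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def split_list(text: str) -> List[str]:
    return [t for t in re.split(r"[,\s]+", text.strip()) if t]


def expand_macros(line: str, macros: Dict[str, str]) -> str:
    # Assumption: a macro the file never defines stands for itself ($fxp0 -> fxp0).
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(1)), line)


def lint(conf: str) -> List[Finding]:
    macros: Dict[str, str] = {}
    queue_owner: Dict[str, str] = {}  # queue name -> interface it is defined on
    findings: List[Finding] = []
    for line in join_continuations(conf):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = expand_macros(line, macros)
        m = ALTQ_RE.match(line)
        if m:  # altq on IF ... queue { a, b }: the root queues belong to IF
            for name in split_list(m.group(2)):
                queue_owner[name] = m.group(1)
            continue
        m = QUEUE_DEF_RE.match(line)
        if m:  # queue NAME [on IF] ... [{ children }]: children inherit IF
            name, on_if, children = m.groups()
            iface = on_if or queue_owner.get(name, "?")
            queue_owner.setdefault(name, iface)
            for child in split_list(children or ""):
                queue_owner[child] = iface
            continue
        on = ON_RE.search(line) if line.startswith(("pass", "block")) else None
        if not on:
            continue
        ifaces = split_list(on.group(1)) if on.group(1) else [on.group(2).lstrip("!")]
        q = QUEUE_ASSIGN_RE.search(line)
        if q:
            queues = split_list(q.group(1)) if q.group(1) else [q.group(2)]
            for iface in ifaces:
                for name in queues:
                    owner = queue_owner.get(name)
                    if owner != iface:
                        findings.append(("queue", f"{name} on {iface} is defined on "
                                                  f"{owner or 'no interface'}: {line}"))
        r = ROUTE_RE.search(line)
        body = BODY_RE.search(line, on.end()) if r else None
        if r and body and body.start() < r.start():
            findings.append(("route", f"{r.group(1)} must follow the interface, "
                                      f"before '{body.group(0)}': {line}"))
    return findings


if __name__ == "__main__":
    for check, msg in lint(GOOD_RULES + BAD_RULES):
        print(f"[{check}] {msg}")
```

Run it and the two constructed mistakes are reported, one per check, while the corrected ruleset passes clean. It is a lint, not a parser: it does not verify bandwidth sums, flags or the rest of the grammar, so `pfctl -nf` remains the real check. Later pf releases moved the route option into the free-order filter options, so the placement check is specific to the 3.x series these threads are about.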