RE: Open BSD 3.9 unable to send email with attachment thru pf firewall.

2006-06-27 Thread Ajith Kumar



Hi

Ajith Kumar wrote:
 Hi
 I got your email address from Open BSD mailing lists. I hope you can help
 me.

Some more information would be helpful:
your OpenBSD setup, PF configuration, e-mail client / server, internet
connection.

Hi

It is a simple connection.
The client is contacting the sendmail server. The gateway machine is the
OpenBSD firewall.
If I disable pf I am able to send mails with attachments. It looks like a
problem with the firewall itself.


SASKEN RATED Among THE Top 3 BEST COMPANIES TO WORK FOR IN INDIA - SURVEY 2005 
conducted by the BUSINESS TODAY - Mercer - TNS India

   SASKEN BUSINESS DISCLAIMER
This message may contain confidential, proprietary or legally Privileged 
information. In case you are not the original intended Recipient of the 
message, you must not, directly or indirectly, use, Disclose, distribute, 
print, or copy any part of this message and you are requested to delete it and 
inform the sender. Any views expressed in this message are those of the 
individual sender unless otherwise stated. Nothing contained in this message 
shall be construed as an offer or acceptance of any offer by Sasken 
Communication Technologies Limited (Sasken) unless sent with that express 
intent and with due authority of Sasken. Sasken has taken enough precautions to 
prevent the spread of viruses. However the company accepts no liability for any 
damage caused by any virus transmitted by this email


RE: Open BSD 3.9 unable to send email with attachment thru pf firewall.

2006-06-27 Thread Ajith Kumar




On Mon, 26 Jun 2006 19:14:54 +0530
Ajith Kumar [EMAIL PROTECTED] wrote:


Ajith, what exactly seems to be the problem?  PF does not do any
application layer filtering.  If you are having trouble sending an
email, you should verify with the recipient that the email server at
the remote end is not filtering email attachments.

There is no problem with the mail server. If I disable pf by pfctl -d,
I am able to send mails with attachments.





blocking on scan attempts

2006-06-27 Thread nobiscuit
Hello,

I have a simple firewall set up with OpenBSD 3.9 and have been playing
around with logging ssh login attempts to my DMZ server and banishing
IPs using max-src-conn-rate ...

block quick from <banish>
pass in log quick on $ext_if proto tcp from any to $dmz_ip port = ssh \
    flags S/SA synproxy state (max-src-conn 10, max-src-conn-rate 3/10, \
    overload <banish> flush global)

Great fun.

My DMZ server IP is part of a very small cidr block (xxx.xxx.xxx.64 -
xxx.xxx.xxx.67) with .65 being the gateway address and .66 being the
externally visible address.  What is interesting about this is that I
can see automated login attempts coming. The four addresses in my cidr
block will get scanned on port 22 or port 25 fairly regularly.  Shortly
after the initial scan there will be ssh login or smtp relay attempts
on my external address.  I also get keyword spam attempts (e.g.
[EMAIL PROTECTED], [EMAIL PROTECTED], etc.)

I'd like to be able to automatically load any IP address that scans
any of these 3 non-active addresses on port 22 or port 25 into a table
to be blocked.

I tried setting it up like this:

table <cidr> const { xxx.xxx.xxx.64, xxx.xxx.xxx.65, xxx.xxx.xxx.67 }

block quick from <scanner>
pass in log quick on $ext_if proto tcp from any to <cidr> port = ssh \
    flags S/SA synproxy state (max-src-conn 1, max-src-conn-rate 1/1, \
    overload <scanner> flush global)

This doesn't work because the connections have to exceed the number
limits and pfctl won't let me set the limits to 0.  Each address
usually gets scanned only once from a particular IP.

I gather it is possible to add IP addresses to a table using pfctl run
with a cron job based on what has been logged from pf. However, this
cron job would have to be run frequently to be any more effective than
the banish rule listed above.

I've been through the documentation and this mailing list.  Is there
another way to add IP addresses to a table directly using a rule in
pf.conf?  I can see the little bastards coming and I'd like to cut them
off as quickly as possible.

Thanks!


RE: Open BSD 3.9 Pf issue with email with attachments.

2006-06-27 Thread Ajith Kumar



On 06/26/2006 09:17:33 AM, Ajith Kumar wrote:
 Ajith Kumar [EMAIL PROTECTED] writes:

  I am able to send and receive mails. But if there is any attachment
  which is bigger than 64 KB, I am not able to send.

 Peter N. M. Hansteen writes:

 My first impulse is to look at what happens elsewhere, in no
 particular order, any content filtering or for that matter hard
 message size limits, network congestion on the way there causing
 timeouts etc.

 Ajith Kumar [EMAIL PROTECTED] writes:

 There is no problem in n/w congestion. If I disable pf by pfctl -d
 I am able to send mails with attachments. There is no problem in
 mail server also.

This has a feel to it of what happens when you have a pf.conf
file that keeps state but does not use flags S/SA, so
(if I understand correctly) the state tracking mechanism
gets out of whack because it starts tracking in the middle
of a flow.
There was something about this on the pf list
in the last couple of months.

I had modified the entry like this

pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA  #1
pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA  #2

pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA  #3
pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA  #4

( fxp0 is internal interface card. fxp1 is external interface card)

where x.x.x.x is the ip address of the mail server. Still I am not able to
send mail with big attachments.
I am able to send and receive other mails.

I subscribed to the mail list yesterday only :(

Regards,
Ajith






Re: Open BSD 3.9 unable to send email with attachment thru pf firewall.

2006-06-27 Thread Lars Hansson
On Tuesday 27 June 2006 11:34, Ajith Kumar wrote:
 There is no problem with the mail server. If I disable pf by pfctl -d,
 I am able to send mails with attachments.

There's no problem with pf either since it does not do any application layer 
filtering. Perhaps you're doing something stupid like blanket ICMP blocking 
that screws up MTU discovery.
Also, you haven't given nearly enough information for anyone to even make a 
reasonable guess on what the problem could be. Posting your pf ruleset would 
be a start.

---
Lars Hansson


Re: Open BSD 3.9 Pf issue with email with attachments.

2006-06-27 Thread Daniel Hartmeier
On Tue, Jun 27, 2006 at 09:17:18AM +0530, Ajith Kumar wrote:

 I had modified the entry like this
 
 pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA  #1
 pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA  #2
 
 pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA  #3
 pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA  #4
 
 ( fxp0 is internal interface card. fxp1 is external interface card)
 
 where x.x.x.x is ip address of mail server.Still I am not able to send mail
 with big attachments.
 I am able to send and receive other mails.

The test with disabling pf was a good one.

Next, enable pf but load an empty ruleset (pfctl -Fa, pfctl -e) and
retry. Still working?

If so, load only the four rules you pasted above, retry. Still working?

If so, take a good look at your other rules. The difference between your
real ruleset and the four rules quoted above must explain the breakage.
Post the real ruleset if you can't spot it. If any other rule matches
and creates state (for those TCP connections), make sure all states are
created on the initial SYN only.

If connections break with an empty ruleset or just the four rules above,
enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for entries from pf. Post them.

Run pfctl -si before and after reproducing the problem, what counters
are increasing? Post both outputs.

Daniel
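As an added illustration of the last step in Daniel's procedure (this is not code from the thread): a small sh/awk function that takes the "before" and "after" captures of pfctl -si and prints only the counters that moved, so a rising state-mismatch or short counter stands out at once. The two captures embedded below are constructed in the layout pfctl -si prints; the numbers are invented for the demonstration.

```shell
#!/bin/sh
# Added example: diff two "pfctl -si" captures and list the counters that
# increased. Usage on the gateway:
#   pfctl -si > /tmp/pf.before
#   ...reproduce the failing transfer...
#   pfctl -si > /tmp/pf.after
#   pf_counter_diff /tmp/pf.before /tmp/pf.after

# pf_counter_diff BEFORE AFTER
# Counter lines in pfctl -si output are indented and look like
# "  name    total    rate/s". The name may contain a blank ("current
# entries"), so fields are split on runs of two or more spaces.
pf_counter_diff() {
    awk '
        /^  / {
            split($0, f, /  +/)        # f[1] empty, f[2] name, f[3] total
            name = f[2]; total = f[3]
            if (total !~ /^[0-9]+$/) next
            if (NR == FNR) {           # still reading the "before" file
                before[name] = total
            } else if ((name in before) && total + 0 > before[name] + 0) {
                printf "%-18s %8d -> %8d  (+%d)\n", name, before[name], total, total - before[name]
            }
        }' "$1" "$2"
}

# write_sample_captures DIR: constructed captures (abridged pfctl -si layout,
# invented numbers). The "after" capture shows a burst of state-mismatch
# drops, the symptom of state being picked up mid-flow that the thread
# discusses.
write_sample_captures() {
    cat > "$1/before" <<'EOF'
Status: Enabled for 0 days 01:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                            9212            2.1/s
  inserts                              310            0.1/s
  removals                             306            0.1/s
Counters
  match                                318            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                         3            0.0/s
  state-limit                            0            0.0/s
  synproxy                               0            0.0/s
EOF
    cat > "$1/after" <<'EOF'
Status: Enabled for 0 days 01:14:41           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                            9650            2.1/s
  inserts                              319            0.1/s
  removals                             312            0.1/s
Counters
  match                                327            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                        41            0.2/s
  state-limit                            0            0.0/s
  synproxy                               0            0.0/s
EOF
}

# Stand-alone demonstration on the constructed captures.
demo_dir=$(mktemp -d)
write_sample_captures "$demo_dir"
pf_counter_diff "$demo_dir/before" "$demo_dir/after"
rm -rf "$demo_dir"
```

On the sample data the only drop counter that moves is state-mismatch (3 to 41), which is what you would expect to see if a rule without flags S/SA picked up the transfer in mid-stream; searches, inserts, removals and match grow with ordinary traffic and can be ignored.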


Re: Open BSD 3.9 unable to send email with attachment thru pf

2006-06-27 Thread Peter N. M. Hansteen
Ajith Kumar [EMAIL PROTECTED] writes:

 If I disable pf I am able to send mails with attachments.It looks like
 problem with firewall itself.

The problem here is that you keep repeating a very vague description
of symptoms without giving us any information which could point us in
the right direction.

Basically, to PF, the difference between a text only mail message and
one with an attachment lies only in the amount of data which is
transferred, if that.

I reiterate that the more likely culprit is some sort of content
filtering you are either not aware of or not telling us about.  In
some truly resource starved configurations, such as a system extremely
low on memory, loading PF could be what makes the system start
swapping, if the connection between your gateway and the mail server
is already rather saturated a largish mail message would have trouble
making it without timing out, and so on.

There are several more ways to misconfigure a machine so it will
produce the rather bizarre symptoms you are describing, but from the
information you are volunteering it's pretty much impossible to tell
what is causing the situation.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds


queueing: give some BW to each addr (in a table)?

2006-06-27 Thread McLone

Hello.

I work for a small ISP, and we want to make
a customer plan look like this:

client A has N kbits/s during the business day;
 he has N*2 kbits/s at night and on weekends;
 and we guarantee him a minimum speed of N/2.

(we are also buying our main uplink BW according to this formula)

We have many clients here, so I wanted to do it
on my freebsd6 router, with a simple cron job switching
tables in PF, but pf doesn't support a thing like
"give EACH ip in that table N kbits/s".

So I thought I would be able to do it using anchors for
pass rules AND for queues (many subqueues,
every client has one). But, unfortunately, PF in
freebsd6.1 and in openbsd3.9 does not support
anchors in queue declarations (I looked at the man page).

So I have one option now - write some pf.conf
preprocessor, with some frontend to edit it.

Also I have two feature suggestions (I'd be happy
to see just one of them implemented):

a) make pf+altq able to do things like
=== 8< ===
table <cli512> persist {
 ip-one; ip-two;
...
queue int_cli512 bandwidth 8192Kb priority 2 \
 cbq(ecn rio each=512Kb)
...
pass out quick on $int_if to <cli512> keep state \
   queue int_cli512
=== 8< ===

b) make anchors work also for queues, not only
  for rdr, nat and filtering rules

p.s. I used cbq in the example, but I need hfsc here, so
if someone has good documentation on hfsc,
please let me know where I can find it.
(I grok some hfsc only with this list archive's help)

Also, I may be on a totally wrong path, and the things I need
can be done in some other way I missed?...
--
wbr,|\  _,,,---,,_   dog bless ya!
`   Zzz /,`.-'`'-.  ;-;;,_
McLone at GMail dot com|,4-  ) )-,_. ,\ (  `'-'
, net- and *BSD admin '---''(_/--'  `-'\_)   ...translit rawx
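An added example of the "pf.conf preprocessor" route (this is not McLone's code, nor anything pf ships): a sh/awk generator that emits one hfsc queue per client from a plain client list, plus the pass rules that steer each client's traffic into its queue. The mapping of the plan onto hfsc service curves is my reading of it, not something pf.conf(5) prescribes: realtime N/2 is the guaranteed floor, the queue's bandwidth (linkshare) N is the normal share, and upperlimit is N by day and 2N at night. The interface name, link speed, client names and addresses below are constructed; the emitted syntax follows pf.conf(5) of the OpenBSD 3.9 / FreeBSD 6.1 era and should be checked with pfctl -nf before loading.

```shell
#!/bin/sh
# Added example: generate per-client hfsc queues for pf.conf.
# Client list format, one client per line:  name  address  plan_kbit
# Lines starting with '#' and blank lines are ignored.

# gen_client_queues IFACE LINK_KBIT MODE < clients    (MODE is day or night)
gen_client_queues() {
    awk -v iface="$1" -v link="$2" -v mode="$3" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        {
            n++; name[n] = $1; ip[n] = $2; plan[n] = $3
            sum += $3; list = list ", " $1
        }
        END {
            if (n == 0) { print "no clients given" > "/dev/stderr"; exit 1 }
            # hfsc child queues may not add up to more than the parent, so an
            # oversold link is rejected here rather than by pfctl at 3 a.m.
            if (sum >= link) {
                printf "clients need %dKb but link is only %dKb\n", sum, link > "/dev/stderr"
                exit 1
            }
            printf "altq on %s hfsc bandwidth %dKb queue { std%s }\n", iface, link, list
            # whatever is not sold to a client is the default queue
            printf "queue std bandwidth %dKb hfsc(default)\n", link - sum
            for (i = 1; i <= n; i++) {
                floor = int(plan[i] / 2)                       # guaranteed N/2
                cap = (mode == "night") ? plan[i] * 2 : plan[i] # N by day, 2N at night
                if (cap > link) cap = link
                printf "queue %s bandwidth %dKb hfsc(realtime %dKb upperlimit %dKb)\n", name[i], plan[i], floor, cap
            }
            for (i = 1; i <= n; i++)
                printf "pass out quick on %s to %s keep state queue %s\n", iface, ip[i], name[i]
        }'
}

# write_sample_clients FILE: a constructed client list for the demonstration.
write_sample_clients() {
    cat > "$1" <<'EOF'
# name      address      plan (kbit/s)
alice       10.0.0.11    512
bob         10.0.0.12    1024
EOF
}

# Stand-alone demonstration: day and night rulesets for an 8 Mbit link on em1.
demo_dir=$(mktemp -d)
write_sample_clients "$demo_dir/clients"
echo "# daytime"
gen_client_queues em1 8192 day < "$demo_dir/clients"
echo "# night"
gen_client_queues em1 8192 night < "$demo_dir/clients"
rm -rf "$demo_dir"
```

A cron job that runs the generator with day in the morning and night in the evening, splices the output into pf.conf and reloads with pfctl -f gives the time-of-day switch without any queue anchors. The upperlimit values may add up to more than the link (they are caps, not reservations); only the sum of the per-client bandwidth has to fit under the parent, which the generator enforces.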


Re: Open BSD 3.9 Pf issue with email with attachments.

2006-06-27 Thread Tim Donahue
On Tue, 27 Jun 2006 09:56:46 +0200
Daniel Hartmeier [EMAIL PROTECTED] wrote:

 On Tue, Jun 27, 2006 at 09:17:18AM +0530, Ajith Kumar wrote:
 
  I had modified the entry like this
  
  pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA  #1
  pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA  #2
  
  pass in quick log on fxp1 from x.x.x.x to any keep state flags S/SA  #3
  pass out quick log on fxp0 from x.x.x.x to any keep state flags S/SA  #4
  
  ( fxp0 is internal interface card. fxp1 is external interface card)
  
  where x.x.x.x is ip address of mail server. Still I am not able to
  send mail with big attachments.
  I am able to send and receive other mails.
 
 The test with disabling pf was a good one.
 
 Next, enable pf but load an empty ruleset (pfctl -Fa, pfctl -e) and
 retry. Still working?
 
 If so, load only the four rules you pasted above, retry. Still
 working?
 
 If so, take a good look at your other rules. The difference between
 your real ruleset and the four rules quoted above must explain the
 breakage. Post the real ruleset if you can't spot it. If any other
 rule matches and creates state (for those TCP connections), make sure
 all states are created on the initial SYN only.
 
 If connections break with an empty ruleset or just the four rules
 above, enable debug logging (pfctl -xm), reproduce the problem, then
 check /var/log/messages for entries from pf. Post them.
 
 Run pfctl -si before and after reproducing the problem, what counters
 are increasing? Post both outputs.
 
 Daniel

I just wanted to throw this into the debugging mix as well: anywhere you
have a block statement add 'log' to the statement.  Then you can run
`tcpdump -n -e -vv -i pflog0` and it will list the rule number that
the packet matched in the ruleset.

Tim Donahue


Re: blocking on scan attempts

2006-06-27 Thread Darrin Chandler
On Mon, Jun 26, 2006 at 07:45:07PM -0700, nobiscuit wrote:
 I gather it is possible to add IP addresses to a table using pfctl run
 with a cron job based on what has been logged from pf. However, this
 cron job would have to be run frequently to be any more effective than
 the banish rule listed above.
 
 I've been through the documentation and this mailing list.  Is there
 another way to add IP addresses to a table directly using a rule in
 pf.conf?  I can see the little bastards coming and I'd like to cut them
 off as quickly as possible.

I'm not sure about the archives here, but this comes up every few months
on [EMAIL PROTECTED]

One way is to use a log tail program, which would use pfctl to add the
address to the table.

Another way would be to rdr in pf.conf to a simple daemon which would
add the address. You'd have to do this yourself, and you'd want to be
careful!

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
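An added example of the "log tail program" Darrin describes, fed by the pflog stream that Tim's tcpdump command earlier in this digest produces (it is not code from the thread or from any pf tool). It reads tcpdump's pflog output, keeps only plain client SYNs aimed at the unused addresses on ports 22 and 25, skips anything from the gateway's own addresses, and prints the pfctl commands that would put each source into the <scanner> table. It assumes pf.conf declares "table <scanner> persist" and has "block quick from <scanner>"; the decoy addresses, the gateway address and the log lines below are constructed (RFC 5737 documentation ranges) in the layout OpenBSD's tcpdump prints for pflog.

```shell
#!/bin/sh
# Added example: turn pflog output into pfctl table additions (dry run).
# Live use on the gateway would be roughly:
#   tcpdump -n -e -l -i pflog0 | pflog_scanners "$DECOYS" "$OWN" \
#       | pfctl_add_commands scanner | sh
# Print first and read the result before adding the final "| sh".

# pflog_scanners DECOYS NEVER < tcpdump-output
#   DECOYS: space-separated addresses nobody has a reason to connect to
#   NEVER : space-separated addresses that must never be added (your own)
# Prints each offending source address once, in order of first appearance.
pflog_scanners() {
    awk -v decoys="$1" -v never="$2" '
        BEGIN {
            n = split(decoys, d, " "); for (i = 1; i <= n; i++) decoy[d[i]] = 1
            n = split(never,  v, " "); for (i = 1; i <= n; i++) skip[v[i]] = 1
        }
        {
            # tcpdump prints "... SRC.PORT > DST.PORT: FLAGS ..."; find ">"
            for (i = 2; i < NF - 1; i++) if ($i == ">") break
            if ($i != ">") next
            src = $(i - 1); dst = $(i + 1); flags = $(i + 2)
            sub(/:$/, "", dst)
            if (flags != "S") next                  # plain SYN only, not "S."
            if (!match(dst, /\.[0-9]+$/)) next      # split DST into ip, port
            dport = substr(dst, RSTART + 1); dip = substr(dst, 1, RSTART - 1)
            if (!(dip in decoy)) next
            if (dport + 0 != 22 && dport + 0 != 25) next
            if (!match(src, /\.[0-9]+$/)) next
            sip = substr(src, 1, RSTART - 1)
            if (sip in skip) next                   # never block ourselves
            if (!seen[sip]++) print sip
        }'
}

# pfctl_add_commands TABLE < addresses: one "pfctl -t TABLE -T add" per line.
pfctl_add_commands() {
    while read -r ip; do
        if [ -n "$ip" ]; then echo "pfctl -t $1 -T add $ip"; fi
    done
}

# write_sample_pflog FILE: constructed tcpdump pflog lines. Decoys are
# 192.0.2.64, .65 and .67; the real host is 192.0.2.66.
write_sample_pflog() {
    cat > "$1" <<'EOF'
Jun 27 02:11:03.118245 rule 4/(match) pass in on fxp1: 198.51.100.23.51202 > 192.0.2.64.22: S 2846123:2846123(0) win 5840 <mss 1460> (DF)
Jun 27 02:11:03.120011 rule 4/(match) pass in on fxp1: 198.51.100.23.51203 > 192.0.2.65.22: S 2846301:2846301(0) win 5840 <mss 1460> (DF)
Jun 27 02:11:07.551902 rule 4/(match) pass in on fxp1: 203.0.113.9.4411 > 192.0.2.67.25: S 99120:99120(0) win 16384 <mss 1460> (DF)
Jun 27 02:11:09.004310 rule 2/(match) pass in on fxp1: 203.0.113.77.3320 > 192.0.2.66.22: S 77112:77112(0) win 65535 <mss 1460> (DF)
Jun 27 02:11:15.733001 rule 4/(match) pass in on fxp1: 203.0.113.9.4412 > 192.0.2.67.80: S 99377:99377(0) win 16384 <mss 1460> (DF)
Jun 27 02:11:20.001200 rule 4/(match) pass in on fxp1: 192.0.2.66.40001 > 192.0.2.64.25: S 10:10(0) win 16384 <mss 1460> (DF)
EOF
}

# Stand-alone demonstration: the real host (.66) on port 22, the port-80
# probe and the gateway's own packet are all left alone.
demo_dir=$(mktemp -d)
write_sample_pflog "$demo_dir/pflog.txt"
pflog_scanners "192.0.2.64 192.0.2.65 192.0.2.67" "192.0.2.66" < "$demo_dir/pflog.txt" \
    | pfctl_add_commands scanner
rm -rf "$demo_dir"
```

The NEVER list is the one safeguard the script insists on: a SYN carries whatever source address the sender chose, so anything that reacts to SYNs alone can be steered into blocking an address you care about. Keeping your own hosts and your upstream's addresses out of the table, and reviewing the printed commands before piping them to sh, limits the damage; synproxy state with overload, as in the original rule, only fires on completed handshakes and does not have this weakness.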


Re: blocking on scan attempts

2006-06-27 Thread Travis H.

On 6/27/06, Darrin Chandler [EMAIL PROTECTED] wrote:

 I've been through the documentation and this mailing list.  Is there
 another way to add IP addresses to a table directly using a rule in
 pf.conf?  I can see the little bastards coming and I'd like to cut them
 off as quickly as possible.

I'm not sure about the archives here, but this comes up every few months
on [EMAIL PROTECTED]


See my article on open-source active response:
http://www.lightconsulting.com/~travis/active_response.pdf
There's some discussion there as to the wisdom of this, since scans
are trivially spoofed, it could lead to a DoS.

I have been beset with system administration issues, but I intend to
finish up my sniffer that will detect stuff like this and trigger DFD
rule changes.  However, scan detection is going to be one of the last
features I'll encode.

BTW: I'll be making OpenBSD ports to make dfd_keeper easier to install.
--
I sometimes have delusions of adequacy -- Woody Allen
Security guru for rent or hire - http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: blocking on scan attempts

2006-06-27 Thread Darrin Chandler
On Tue, Jun 27, 2006 at 02:38:06PM -0500, Travis H. wrote:
 There's some discussion there as to the wisdom of this, since scans
 are trivially spoofed, it could lead to a DoS.

I'm usually on the side against blocking. My reasons, more or less in
order:

* It wastes time and resources
* Possible DoS situations
* It's ineffective (see below)

Anyone really serious about getting into your site probably will be
scanning with a botnet. You can block 30 machines, but they still find
out what they wanted to know and use yet other machines to mount their
attacks.

I have not been attacked, but I've seen the onslaught of botnet scans
(scans of a certain type occurring within a short time from diverse
places).

My conclusion is that your time is best spent securing the network and
individual boxes, and less time blocking drive by shooters (who won't be
back anyway). YMMV.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |