"suspends" count on pfctl -vvsq
Good time of day,

pfctl -vvsq shows a counter named "suspends"; what specific events does it count? I'm just tryin' to understand what it means:

queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 668486 bytes: 115633409 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 703.2 packets/s, 1.03Mb/s ]
queue stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 668486 bytes: 115633409 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/5000 borrows: 0 suspends: 65311 ]
  [ measured: 703.2 packets/s, 1.03Mb/s ]
queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
  [ pkts: 773002 bytes: 654654161 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 785.9 packets/s, 5.35Mb/s ]
queue stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts: 773002 bytes: 654654161 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/5000 borrows: 2607 suspends: 56563 ]
  [ measured: 785.9 packets/s, 5.35Mb/s ]

i.e. the speed rates are good, but suspends (dequeuing stalls?) with empty queues look strange to me. I can guess a possible _cause_ of such behavior - the host is running on virtual hardware under the VMware hypervisor - but I can't understand the _process_ itself.

Kind regards,
Ilya A. Kovalenko
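As an added example (not from the original post and not part of pfctl), the following Python snippet parses the `pfctl -vvsq` layout quoted above into per-queue counters, flags queues whose `suspends` counter is nonzero while the queue is empty and nothing was dropped (the pattern the poster describes), and compares two snapshots so a still-growing counter can be told from one that stopped moving long ago. The sample text is constructed from the figures in the post, laid out the way pfctl prints them: one `queue` line followed by three bracketed counter lines.

```python
import re

# Constructed sample, laid out the way pfctl -vvsq prints it; the figures
# are the ones quoted in the post above.
SAMPLE = """\
queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
  [ pkts:     668486  bytes:  115633409  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts:     668486  bytes:  115633409  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/5000  borrows:      0  suspends:  65311 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
  [ pkts:     773002  bytes:  654654161  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts:     773002  bytes:  654654161  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/5000  borrows:   2607  suspends:  56563 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+) .*?\(\s*([^)]*?)\s*\)")
PKTS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)")


def parse_queues(text):
    """Return one dict per queue, in listing order. Child queues are tagged
    with the root (per-interface) queue they were printed under, because the
    same child name ("stub" above) can appear on several interfaces."""
    queues, root, cur = [], None, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            name, opts = m.group(1), m.group(2).split()
            if "root" in opts:
                root = name
            cur = {"name": name, "root": root, "opts": opts}
            queues.append(cur)
            continue
        if cur is None:
            continue
        m = PKTS_RE.search(line)
        if m:
            cur.update(pkts=int(m.group(1)), bytes=int(m.group(2)),
                       dropped_pkts=int(m.group(3)), dropped_bytes=int(m.group(4)))
            continue
        m = QLEN_RE.search(line)
        if m:
            cur.update(qlength=int(m.group(1)), qlimit=int(m.group(2)),
                       borrows=int(m.group(3)), suspends=int(m.group(4)))
    return queues


def suspended_but_empty(queues):
    """root/child names of queues that recorded suspends although the queue
    is currently empty and dropped nothing: the pattern asked about above."""
    return [f"{q['root']}/{q['name']}" for q in queues
            if q.get("suspends", 0) > 0
            and q.get("dropped_pkts", 0) == 0
            and q.get("qlength", 0) == 0]


def growing(before, after, key="suspends"):
    """Per-queue increase of a counter between two snapshots; only queues
    whose counter went up are reported."""
    prev = {(q["root"], q["name"]): q.get(key, 0) for q in before}
    return {(q["root"], q["name"]): q.get(key, 0) - prev.get((q["root"], q["name"]), 0)
            for q in after
            if q.get(key, 0) > prev.get((q["root"], q["name"]), 0)}


if __name__ == "__main__":
    qs = parse_queues(SAMPLE)
    for q in qs:
        print(f"{q['root']}/{q['name']}: suspends={q.get('suspends')} "
              f"borrows={q.get('borrows')} qlength={q.get('qlength')}/{q.get('qlimit')}")
    print("suspended while empty:", suspended_but_empty(qs))
```

In use, feed `parse_queues` the text of two `pfctl -vvsq` runs a few seconds apart and look at `growing`: a queue that is in `suspended_but_empty` and still increasing is worth correlating with the hypervisor's scheduling, whereas a static count is history.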
diff: m_pkthdr.pf.hdr for default queue
Good time of day, Following diff removes testing queue id against zero, because of which default queue packets (seems to) passed to ALTQ w/o header hint (m_pkthdr.pf.hdr), so their headers can't be inspected or altered by ALTQ (with RED/ECN, for example). Diff against -current. Tested on 4.5 Index: pf.c === RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.680 diff -u -r1.680 pf.c --- pf.c24 Dec 2009 04:24:19 - 1.680 +++ pf.c11 Jan 2010 05:57:38 - @@ -1971,7 +1971,7 @@ m->m_pkthdr.rdomain = rdom; #ifdef ALTQ - if (r != NULL && r->qid) { + if (r != NULL) { m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ m->m_pkthdr.pf.hdr = mtod(m, struct ip *); @@ -2094,11 +2094,9 @@ m0->m_pkthdr.rdomain = rdomain; #ifdef ALTQ - if (r->qid) { - m0->m_pkthdr.pf.qid = r->qid; - /* add hints for ecn */ - m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); - } + m0->m_pkthdr.pf.qid = r->qid; + /* add hints for ecn */ + m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); #endif /* ALTQ */ switch (af) { @@ -5712,7 +5710,7 @@ m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; #ifdef ALTQ - if (action == PF_PASS && qid) { + if (action == PF_PASS) { m->m_pkthdr.pf.qid = qid; m->m_pkthdr.pf.hdr = h; /* hints for ecn */ } @@ -6156,7 +6154,7 @@ m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; #ifdef ALTQ - if (action == PF_PASS && s && s->qid) { + if (action == PF_PASS && s) { if (pd.tos & IPTOS_LOWDELAY) m->m_pkthdr.pf.qid = s->pqid; else Kind regards, Ilya A. Kovalenko SA, SpecialEQ SW sections JSC "Oganer-Service"
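Review bot: in the first hunk (pf.c around line 1971), widening `if (r != NULL && r->qid)` to `if (r != NULL)` also makes `m->m_pkthdr.pf.hdr = mtod(m, struct ip *)` run for every passed rule, not only queued ones; the hint is cast to `struct ip *` whatever the address family, so the commit message should say why the ECN code that consumes `pf.hdr` is safe for non-IPv4 packets, or the assignment should stay inside an AF_INET branch. The now-unconditional `m->m_pkthdr.pf.qid = r->qid` writes 0 for rules without a queue, which is fine only if 0 is how ALTQ selects the default queue; that is the behaviour the description relies on, so state it explicitly.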
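Review bot: the second hunk (around line 2094) assigns `m0->m_pkthdr.pf.qid = r->qid` without the `r != NULL` guard the first hunk keeps; the removed `if (r->qid)` already dereferenced `r`, so this is not a new risk, but with the two sites now differing in shape either add the guard here too or note that `r` cannot be NULL on this path. The hint is set immediately before `switch (af) {`, so the same address-family question as for the first hunk applies here.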
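Review bot: the last hunk (around line 6156) is quoted only up to the `else` of the `IPTOS_LOWDELAY` branch, so the reviewer cannot see whether `m->m_pkthdr.pf.hdr` is set on this path as it is in the third hunk; please include the trailing context lines. With `s->qid` no longer checked, states created by rules without a queue now copy `s->qid`/`s->pqid` of 0 into the mbuf, which is the intended default-queue case only if those fields are zero-initialised at state creation.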
typo on altq.h ?
(sorry for winmua-broken diff) Index: altq.h === RCS file: /cvs/src/sys/altq/altq.h,v retrieving revision 1.6 diff -r1.6 altq.h 48c48 < /* simple token backet meter profile */ --- > /* simple token bucket meter profile */
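Review bot: the hunk is plain `diff` output without context (`48c48`), so it applies only while the comment is still on line 48; regenerating it with `cvs diff -u` gives reviewers the surrounding lines and lets the change apply with a small offset. The fix itself (`backet` to `bucket`) touches a comment only.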
Re: syntax error while using scrub with OpenBSD 4.6
On Wed, 2009-10-28 at 01:10 -0700, Micha Holzmann wrote:
> I am fairly new to OpenBSD. I use it for a home router and firewall.
> Following the recommendations, I want to use the scrub keyword.
>
> But regardless how I write it into the pf.conf and check it with pfctl
> I get a syntax error message.
>
> I tried several syntaxes:
>
> scrub all
> scrub in all
>
> After using google and other resources for hours I found a changeset
> which describes scrub to use
>
> match in all scrub (random-id fragment reassemble tcp)
>
> If I try to activate this, I get a syntax error. What have I done wrong?

http://www.openbsd.org/faq/upgrade46.html#newPF
Re: synproxy issue
On Fri, 2008-12-05 at 06:01 -0700, Darrin Chandler wrote:
> Stephan,
>
> On Fri, Dec 05, 2008 at 09:14:10AM +0100, Stephan A. Rickauer wrote:
> >
> > $ lynx -dump -head http://cds.sun.com
> >
> > The matching pf rule is:
> > pass in log quick inet proto tcp to port http synproxy state
> > (with default pass out policy)
> >
> > However, the http connection stalls. Changing the above rule to:
> > pass in log quick inet proto tcp to port http modulate state
> >
> > "fixes" the stall and the header is transmitted by the webserver just
> > fine.
>
> Does this happen with hosts other than cds.sun.com?

I have witnessed it myself with a different site that I completed a checkout with. I can't reproduce it again without ordering more stuff ;)

Even if it is likely a 'sun' problem I thought I'd better report it here, since it might be a possible border case that could trigger a wrong synproxy behaviour.

Were the tcpdumps helpful at all?

--
Stephan A. Rickauer
---
Institute of Neuroinformatics     Tel +41 44 635 30 50
University / ETH Zurich           Sec +41 44 635 30 52
Winterthurerstrasse 190           Fax +41 44 635 30 53
CH-8057 Zurich                    Web www.ini.uzh.ch
synproxy issue
I seem to either not understand or be having the following synproxy issue:

A client (172.16.2.60) behind a firewall (nat, 4.4) does a http connect to cds.sun.com (72.5.239.134), requesting the header only:

$ lynx -dump -head http://cds.sun.com

The matching pf rule is:

pass in log quick inet proto tcp to port http synproxy state

(with default pass out policy)

However, the http connection stalls. Changing the above rule to:

pass in log quick inet proto tcp to port http modulate state

"fixes" the stall and the header is transmitted by the webserver just fine.

I have captured both sessions into two individual tcpdump files that might be investigated further, if that's helpful:

https://www.ini.uzh.ch/~stephan/out.synproxy
https://www.ini.uzh.ch/~stephan/out.modulate

Of course I tried to search the archives but I could only find old or irrelevant posts. Switching synproxy off in this case isn't a problem, but I'd like to understand why synproxy wouldn't work in this scenario or what triggers it to fail.

Thanks,
--
Stephan A. Rickauer
---
Institute of Neuroinformatics     Tel +41 44 635 30 50
University / ETH Zurich           Sec +41 44 635 30 52
Winterthurerstrasse 190           Fax +41 44 635 30 53
CH-8057 Zurich                    Web www.ini.uzh.ch
Re[2]: states handling
>> So, single state entry affects traffic on single interface only ?
> It is little a bit different than that.
> A state also has a 'direction' associated with it.
> So, a state matches either incoming or outgoing traffic.
> As long as the direction matches, the interface does not
> really matter.
> Sometimes, rarely, you have to enforce the interface
> (usually only useful for IPSec (enc0) traffic) this is
> what the ifbound states (check pf.conf man page) are for.

Thank you very much for the comprehensive explanation. I totally missed that a state entry uses the gateway-related direction to match packets. *reading manuals one more time*

> Keep in mind that address translation is done before
> matching rules. NAT changes the source and always done at the
> outgoing interface. RDR changes destination, at the incoming interface.

Yes, I learnt it after the 3.1 migration :)

> Actually, once you are comfortable with states, queueing is
> very flexible and powerful.

Looks like it's time to learn PF usage again ...
Re[2]: states handling
>> block in inet from 192.168.0.1 to 192.168.114.31
>> pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
>> (does not work - neither pings nor TCP)
> Here, you only pass the *inbound* packets; you also must
> pass the outbound packets on the opposite interface.

So, a single state entry affects traffic on a single interface only ?

>> Preferred version, because it does not affect queueing
> I think you'll find the complication comes from queueing.

hell, yes ... states vs queueing ... but it's another story
states handling
(Detailed description of problem, broached on "faults list" topic)

Two hosts, on opposite sides of a gateway:

  _______          _________________          _______
 |       |        |                 |        |       |
 | 114.31| <-->  |114.219    0.254| <-->  |0.1    |
 |  priv |        |      step       |        |  pub  |
 |_______|        |_________________|        |_______|

where,
PRIV (192.168.114.31) is the private network host
PUB  (192.168.0.1) is the public host
STEP (192.168.114.219/192.168.0.254) is the firewall gateway

Target: deny any access from PUB to PRIV, but allow PRIV to access PUB's resources (at least, pings and TCP)

OS version:
step# uname -a
OpenBSD step.oganer.net 4.2 GENERIC#0 i386

Ruleset variants and PF's behavior (trying to ping PUB and connect to its webserver):

block in inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work - neither pings nor TCP)
Preferred version, because it does not affect queueing
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3538 CLOSED:SYN_SENT

block in inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3547 -> 192.168.0.1:80 ESTABLISHED:ESTABLISHED

In addition:

block out inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3565 ESTABLISHED:ESTABLISHED

block out inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3542 -> 192.168.0.1:80 ESTABLISHED:SYN_SENT

block inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3566 CLOSED:SYN_SENT

block inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3572 -> 192.168.0.1:80 ESTABLISHED:SYN_SENT

And one more:

block inet from 192.168.0.1 to 192.168.114.31
pass inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3574 ESTABLISHED:ESTABLISHED
all tcp 192.168.114.31:3574 -> 192.168.0.1:80 ESTABLISHED:ESTABLISHED

Supposition: In all non-working cases, the answer packets for some reason do not match the created state (by iface and/or direction ?), and are blocked by the block rule. In the last case, each communication stream creates 2 states. Setting the "state-policy" option to "floating" or "if-bound" does not change the situation.

Questions: Is this some kind of feature ? Is there any solution to make PF behave another way (for example, to work w/ the first ruleset variant) ?

Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
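The results tabulated in this thread can be reproduced with a small model of floating-state matching. This is an added illustration, not pf's own code: it assumes (a simplification that agrees with every case above) that a state remembers the direction of the packet that created it, that a forward packet matches only in that direction and a reply only in the opposite direction, that interfaces are ignored, and that the ruleset's implicit default is pass with last-match-wins. The `Rule`, `State` and `Gateway` names are the model's own, and the seven rulesets are the poster's, in the order posted.

```python
"""Toy model of how a floating pf state is matched, consistent with the
observations in this thread (simplified; not pf's implementation)."""
from dataclasses import dataclass

PRIV = "192.168.114.31"   # private host, from the thread
PUB = "192.168.0.1"       # public host, from the thread


@dataclass
class Rule:
    action: str        # "block" or "pass"
    direction: str     # "in", "out" or "any" (no direction keyword)
    src: str
    dst: str
    keep_state: bool = False


@dataclass(frozen=True)
class State:
    direction: str     # direction of the packet that created the state
    src: str
    dst: str


class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.states = []

    def _state_for(self, direction, src, dst):
        for s in self.states:
            if s.direction == direction and (s.src, s.dst) == (src, dst):
                return s          # forward flow, same direction as creator
            if s.direction != direction and (s.src, s.dst) == (dst, src):
                return s          # reply flow, opposite direction
        return None

    def filter(self, direction, src, dst):
        """True if the packet passes. A matching state wins outright;
        otherwise the last matching rule decides, default pass."""
        if self._state_for(direction, src, dst) is not None:
            return True
        winner = None
        for r in self.rules:
            if r.direction in (direction, "any") and (r.src, r.dst) == (src, dst):
                winner = r
        if winner is None:
            return True
        if winner.action == "pass" and winner.keep_state:
            self.states.append(State(direction, src, dst))
        return winner.action == "pass"


def priv_to_pub_works(rules):
    """Push one PRIV->PUB exchange through the gateway: the request is seen
    'in' on the private side and 'out' on the public side, the reply 'in'
    on the public side and 'out' on the private side. Returns
    (all four packets passed, number of states created)."""
    gw = Gateway(rules)
    path = [("in", PRIV, PUB), ("out", PRIV, PUB),
            ("in", PUB, PRIV), ("out", PUB, PRIV)]
    results = [gw.filter(*pkt) for pkt in path]   # no short-circuit: count states
    return all(results), len(gw.states)


RULESETS = {
    "block in  + pass in  keep state": [Rule("block", "in", PUB, PRIV), Rule("pass", "in", PRIV, PUB, True)],
    "block in  + pass out keep state": [Rule("block", "in", PUB, PRIV), Rule("pass", "out", PRIV, PUB, True)],
    "block out + pass in  keep state": [Rule("block", "out", PUB, PRIV), Rule("pass", "in", PRIV, PUB, True)],
    "block out + pass out keep state": [Rule("block", "out", PUB, PRIV), Rule("pass", "out", PRIV, PUB, True)],
    "block     + pass in  keep state": [Rule("block", "any", PUB, PRIV), Rule("pass", "in", PRIV, PUB, True)],
    "block     + pass out keep state": [Rule("block", "any", PUB, PRIV), Rule("pass", "out", PRIV, PUB, True)],
    "block     + pass     keep state": [Rule("block", "any", PUB, PRIV), Rule("pass", "any", PRIV, PUB, True)],
}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        ok, n = priv_to_pub_works(rules)
        print(f"{name}: {'works' if ok else 'does not work'} ({n} state(s))")
```

The model explains the pattern: a state created by `pass in` on the private side can only match the reply as an `out` packet, so the reply arriving `in` on the public side falls through to the rules and hits `block in`; `pass out keep state` on the public side creates the state in the direction the reply actually reverses, and a direction-less `pass` creates one state per direction, which is the two-state listing in the last case.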
Re[2]: My PF faults list
> you must be confused here. dunno. people rarely have problems in that
> area.

Hmm, maybe I'm truly too stupid to work with PF ... I'll re-test it in a clean environment and write to the list.

> i thought we did that with -vv or so

hmm ... alas, no such warnings with -vv:

evil# pfctl -vv -f /etc/pf.conf | grep notexist
@67 pass in from to no state queue notexist3
evil# uname -a
OpenBSD evil.oganer.net 4.1 EVIL#0 i386

> you are confused. not keeping state is stupid.

Agree ... until states can work ...

> parts of your mail come pretty offensive... maybe i should not have
> bothered at all.

I beg your pardon, these little things annoyed me sometimes. Thank you for the answer.

> anyway. you know how things work: if you miss sth, you send a diff.

yes, indeed :)
Re: dhcp forwarding
* on [06-08-31 09:11] Mipam wrote:
> Is it possible to forward these dhcp discover and requests through pf to the dhcp server in 10.4.5.0/24?

dhcrelay(8) works fine for this. I don't think it can be done by pf directly.

--
David de Gruyl <[EMAIL PROTECTED]>
New Brunswick, NJ
Re: pf.conf defaults for options
Thanks for the answers...

Correct me if I'm wrong, but I guess "pfctl -st" and "pfctl -sm" don't actually show the out-of-box defaults, right? They show the current values...

True that I could find out the defaults by loading pf with an empty ruleset (or flushing the rules maybe?) and executing those commands, but this is a production FW that I have not built myself, and I cannot just flush the rules for no reason.

So, maybe a feature request would be an option in pfctl to show all the defaults. I wish I was savvy enough in C to write that myself.

Thanks a lot and have a great weekend!

Jason Dixon wrote:
> On May 5, 2006, at 2:35 PM, Gustavo A. Baratto wrote:
>
>> Hi all...
>>
>> Is there any easy way to find out what the defaults are for the options?
>> Things like timeout, limit, debug, etc have no default values
>> made explicit in the man page for pf.conf (openbsd 3.9)
>>
>> Any pointers?
>
> man 8 pfctl
> pfctl -st
> pfctl -sm
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
> etc...
>
>> Thanks a lot ;)
>
> No problem.
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
pf.conf defaults for options
Hi all...

Is there any easy way to find out what the defaults are for the options? Things like timeout, limit, debug, etc have no default values made explicit in the man page for pf.conf (openbsd 3.9)

Any pointers?

Thanks a lot ;)
Re: redirecting to different networks
Well... this actually works:

rdr on $ext_if proto {udp tcp} from any to DNS2_IP port 53 -> DNS1_IP
nat on $ext_if proto {tcp,udp} from any to DNS1_IP port 53 -> $ext_if

But the man pf.conf says:
--
Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.
--

The rdr rule above seems to be reflecting packets on $ext_if, since DNS1_IP is an address on the internet... What am I missing here?

Cheers

Karl O. Pinc wrote:
>
>> Gustavo A. Baratto wrote:
>> ..
>> > FW2 is ready, and the IP for DNS2 is already assigned... So, while
>> > DNS2 server is not ready, is it possible to setup FW2, so DNS
>> queries
>> > from the external world can be redirected to DNS1?
>
> How about a really simple bind config that uses FORWARD to
> send all queries to dns1?
>
> Karl <[EMAIL PROTECTED]>
> Free Software: "You don't pay back, you pay forward."
> -- Robert A. Heinlein
redirecting to different networks
We have two firewalls (FW1 and FW2) in different locations, just connected to each other through the internet... We are running a DNS server (DNS1) inside just FW1. And later on a DNS2 will be inside FW2.

FW2 is ready, and the IP for DNS2 is already assigned... So, while the DNS2 server is not ready, is it possible to setup FW2, so DNS queries from the external world can be redirected to DNS1?

It would be basically an rdr reflection on the external interface, but the manual is clear this can't be accomplished... Is there any other way though?

Thanks for any input.

Cheers
Re: macro doesnt expand CIDR
yeah... unfortunately none of these work

I guess this is really a bug :(

Thanks for your effort :)

- Original Message -
From: "Bryan Irvine" <[EMAIL PROTECTED]>
To: "Gustavo A. Baratto" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, August 29, 2005 12:42 PM
Subject: Re: macro doesnt expand CIDR

On 8/22/05, Gustavo A. Baratto <[EMAIL PROTECTED]> wrote:
> couldn't find any restriction about the content of a macro, so this doesn't work:
>
> int_net="192.168.0.1/24"
> john="192.168.1.3"
> all="{" $int_net $john "}"
> pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

Try it this way

int_net="'192.168.0.1/24'"
john="192.168.1.3"
all="{" $int_net $john"}"
pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

--Bryan
Re: macro doesnt expand CIDR
didn't work for me either :(

%more test.pf1
int_net="'192.168.0.1/24'"
john="192.168.1.3"
all="{" $int_net $john"}"
pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80
-
%pfctl -nvv -f test.pf1
Loaded 293 passive OS fingerprints
int_net = "'192.168.0.1/24'"
john = "192.168.1.3"
test.pf1:4: syntax error

thanks

- Original Message -
From: "Bryan Irvine" <[EMAIL PROTECTED]>
To: "Gustavo A. Baratto" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, August 29, 2005 12:42 PM
Subject: Re: macro doesnt expand CIDR

On 8/22/05, Gustavo A. Baratto <[EMAIL PROTECTED]> wrote:
> couldn't find any restriction about the content of a macro, so this doesn't work:
>
> int_net="192.168.0.1/24"
> john="192.168.1.3"
> all="{" $int_net $john "}"
> pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

Try it this way

int_net="'192.168.0.1/24'"
john="192.168.1.3"
all="{" $int_net $john"}"
pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

--Bryan
Re: macro doesnt expand CIDR
Thanks for the response.

I understand that I could write the rule with the ips hardcoded in it, but I assume this doesn't change the fact that macros are not expanding CIDR addresses, and this may be a bug. I was trying more to warn about this rather strange behaviour than to find an alternative solution.

Thanks a bunch ;)

- Original Message -
From: "ed" <[EMAIL PROTECTED]>
To: "Gustavo A. Baratto" <[EMAIL PROTECTED]>
Sent: Friday, August 26, 2005 7:08 PM
Subject: Re: macro doesnt expand CIDR

On Mon, 22 Aug 2005 17:34:06 -0700
"Gustavo A. Baratto" <[EMAIL PROTECTED]> wrote:

> int_net="192.168.0.1/24"
> john="192.168.1.3"
> all="{" $int_net $john "}"
> pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

pass in quick on bge0 proto tcp from "{" "192.168.0.1/24" \
    "192.168.1.3" "}" 68.149.93.11 port 80

Why not just write

pass in quick on bge0 proto tcp from {192.168.0.1/24,192.168.1.3} to \
    68.149.93.11 port 80

also note there is a , in the second version. I believe the "" marks are just to keep text together, not to separate it.

> This works:
> all="{192.168.0.1/24" $john "}"

I think this could be through confusing the parser, and might even be considered buggy as you don't close the brace off.

--
http://edd.link9.net - http://irc.is-cool.net
macro doesnt expand CIDR
couldn't find any restriction about the content of a macro, so this doesn't work:

int_net="192.168.0.1/24"
john="192.168.1.3"
all="{" $int_net $john "}"
pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

This works:
---
int_net="192.168.0.1/24"
john="192.168.1.3"
all="{192.168.0.1/24" $john "}"
pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80

Why's that?

thanks :)
Re[2]: 400Mbps PF based firewall, which hardware?
SG> Since your network is only 100Mbps my recommendation is a dlink ethernet card.
SG> Now I may not be fully correct but from my experience it performs well :-)

AFAIK D-Link NICs are the worst choice. Two reasons:

1. D-Link NICs were always a cheap low-end solution.
2. A couple of months ago D-Link switched its NICs from the RTL8139 (pretty stable) to the VIA Rhino III chip (which has problems under OpenBSD) without any change in model number.

VIA chips have permanent problems w/ OpenBSD - it hangs and stops responding to the network connected to it (tcpdump(8) or a reboot can reset the NIC until the next fault). Maybe due to driver imperfection.

So I recommend you avoid VIA NICs.

Ilya A. Kovalenko S.A.
Re: 400Mbps PF based firewall, which hardware?
> What is "Very Fast" memory? ;)

for example, between DDR533 and DDR800 RAM modules, get a DDR800 (or faster, if they are out there)

> Would not one 66MHz/64-bit bus which is not used by anything in system, but ethernet cards be sufficient? In theory 66MHz/64-bit PCI bus should be well enough even for wirespeed GigE

it really depends on the amount of rules and amount of packets per second, but having one dedicated PCI controller per NIC is gonna be better than sharing one controller between 2 NICs.

> What about Intel Pro/100 S Server Dual Port 64bit/66Mhz adapters (fxp)?

Like Henning said earlier in this thread: "there is really no reason to buy 100MBit/s cards at all any more". Go for gigabit. Definitely.
Re: 400Mbps PF based firewall, which hardware?
cool... great to know that. We blindly got a batch of sks here without knowing their quality... just the price was good.

What makes it far better than the well established intel?

- Original Message -
From: "Henning Brauer" <[EMAIL PROTECTED]>
To:
Sent: Friday, July 08, 2005 11:32 AM
Subject: Re: 400Mbps PF based firewall, which hardware?

* Gustavo A. Baratto <[EMAIL PROTECTED]> [2005-07-08 17:34]:
> Apparently gigabit intel NICs are the best out there, but this is just what I've heard.

sk is far better.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: 400Mbps PF based firewall, which hardware?
You gonna need a server with a very fast bus, and very fast memory. Some motherboards have dedicated PCI controllers for each slot, so each NIC has its own dedicated controller, decreasing the interrupts for each one.

Apparently gigabit intel NICs are the best out there, but this is just what I've heard.

Don't know the details of your application, but you may think about using CARP or even a lame DNS round-robin to load-balance two or more FWs, instead of getting very expensive hardware for just one.

Cheers

- Original Message -
From: "Kirill Ponazdyr" <"ng1@"@codeangels.com>
To:
Sent: Friday, July 08, 2005 1:55 AM
Subject: 400Mbps PF based firewall, which hardware?

Hello,

We are in need of a "core" firewall for our new datacenter. This firewall will not be directly connected to the internet but rather serve as a separator for security zones within the "application" part of our network; classical fileserver traffic will not go thru this firewall.

Network is full duplex 100Mbps Ethernet, there will be 25 machines split into 6 zones, we estimate that our rules will be around 200 lines per zone. No Synproxy, no NAT, no QOS, "just" a stateful packet filter.

The largest traffic types would be: http/s, postgres, imap and a daily backup which runs over the network. TCP connection wise we expect to see no more than 30k concurrent connections, so taking 60k as a goal would fit very well.

We would like this firewall to be able to fill 2 of its 100mbs ports with duplex traffic (400Mbps) at any given moment without significant latency due to the firewall itself.

Which hardware would you advise for such an environment? Any gotchas / hints to watch out for?

Kind Regards

Kirill

-
When replying via E-Mail, please remove duplicate "@" from the address.
-
Re[2]: handling nonexisting table/queue names
>> pfctl(8) silently ignores nonexisting table and queue names.
>> I suppose, it is some kind of feature (like dynamic creation,
>> or so),
CB> Yes, that's a feature: the table can be created later by some daemon
CB> like spamd.
..
CB> ... so you can easily spot empty table: pfctl -vvsr | grep ':0>'

hmm, looks like, pfctl -vvsr | grep ':\*>'

> crater[3.7]# pfctl -vvsr | grep ':\*>'
> @0 pass in from to any

..

What about ALTQ queue names (mistyped on filter rules) ? for example:

> crater[3.7]# pfctl -sq
> queue root_rl0 bandwidth 100Mb priority 0 cbq( wrr root ) {def, sandbox}
> queue def bandwidth 70Mb cbq( borrow default )
> queue sandbox bandwidth 2Mb cbq( red )
> crater[3.7]# pfctl -vvsr
> @0 pass in from to any
>   [ Evaluations: 189 Packets: 0 Bytes: 0 States: 0 ]
> @1 pass in from (rl0:2) to any queue sendbox
>                                       ^^^ mistyped name
>   [ Evaluations: 121 Packets: 0 Bytes: 0 States: 0 ]
handling nonexisting table/queue names
Greetings,

pfctl(8) silently ignores nonexisting table and queue names. I suppose it is some kind of feature (like dynamic creation, or so), but such silent handling complicates debugging typos in a ruleset.

Can pfctl(8), at least, display warnings ?

Thank you,
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
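One way to get the warning the poster asks for from user space, added here as an example and not part of pfctl: cross-check the queue names referenced in `pfctl -vvsr` output against the queues `pfctl -sq` lists, and flag table references printed as `<name:*>`, which is the grep trick given in the reply. The sample listings are constructed after the outputs quoted in this thread; rule `@2` and the table name `spammers` are made up for the example, since the archive lost the real table names.

```python
import re

# Constructed sample listings in the shape of `pfctl -sq` and `pfctl -vvsr`
# output from this thread; rule @2 and the table "spammers" are invented.
PFCTL_SQ = """\
queue root_rl0 bandwidth 100Mb priority 0 cbq( wrr root ) {def, sandbox}
queue  def bandwidth 70Mb cbq( borrow default )
queue  sandbox bandwidth 2Mb cbq( red )
"""

PFCTL_VVSR = """\
@0 pass in from <spammers:*> to any
  [ Evaluations: 189       Packets: 0         Bytes: 0           States: 0     ]
@1 pass in from (rl0:2) to any queue sendbox
  [ Evaluations: 121       Packets: 0         Bytes: 0           States: 0     ]
@2 pass out on rl0 from any to any queue(def, sandbox)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

QUEUE_DEF_RE = re.compile(r"^queue\s+(\S+)")
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
QUEUE_REF_RE = re.compile(r"\bqueue\s*(?:\(([^)]*)\)|(\S+))")
MISSING_TABLE_RE = re.compile(r"<([^:<>]+):\*>")


def defined_queues(sq_output):
    """Queue names declared in `pfctl -sq` output (root and child queues)."""
    names = set()
    for line in sq_output.splitlines():
        m = QUEUE_DEF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def rules(vvsr_output):
    """(number, text) pairs for the @N lines of `pfctl -vvsr` output,
    skipping the bracketed statistics lines."""
    out = []
    for line in vvsr_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def queue_refs(rule_text):
    """Queue names a rule assigns: `queue name` or `queue(name, pqname)`."""
    m = QUEUE_REF_RE.search(rule_text)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [n for n in re.split(r"[,\s]+", raw.strip()) if n]


def undefined_queue_refs(sq_output, vvsr_output):
    """(rule number, queue name) for every queue a rule names that
    `pfctl -sq` does not list: the typos pfctl loads without complaint."""
    known = defined_queues(sq_output)
    return [(no, name) for no, text in rules(vvsr_output)
            for name in queue_refs(text) if name not in known]


def unloaded_tables(vvsr_output):
    """(rule number, table name) for tables pfctl prints as <name:*>,
    i.e. referenced by a rule but not present: the grep in the reply."""
    return [(no, name) for no, text in rules(vvsr_output)
            for name in MISSING_TABLE_RE.findall(text)]


if __name__ == "__main__":
    for no, name in undefined_queue_refs(PFCTL_SQ, PFCTL_VVSR):
        print(f"rule @{no}: queue '{name}' is not defined")
    for no, name in unloaded_tables(PFCTL_VVSR):
        print(f"rule @{no}: table <{name}> is not loaded")
```

On a live box the two constants would be replaced by the captured output of `pfctl -sq` and `pfctl -vvsr`; a queue reported as undefined means the rule's traffic silently lands in the default queue, and a `<name:*>` table means the rule matches nothing until something loads that table.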
blocked connections from int_net -> fw -> int_net
Hello all... can anyone help me with this puzzle?

I have a rdr load-balancer to 2 internal servers. It works fine when I connect from the external world to the webservers (1.2.3.4 -> 66.36.236.81 -> {192.168.0.13, 192.168.0.14})

But if I try to connect from the internal net back to the webservers I get a blocked connection (192.168.0.13 -> 66.36.236.81 -> {192.168.0.13, 192.168.0.14})

--
ext_if="fxp0"
int_if="fxp1"
int_net = "192.168.0.1/24"
gateway = "192.168.0.1"
table const {66.36.236.81}
table persist {192.168.0.13 192.168.0.14}

# translation
rdr on $ext_if proto tcp from any to port {80 443} -> sticky-address
nat on $ext_if from $int_net -> ($ext_if:0)

# filter
pass in quick log on $ext_if proto tcp from any to port {80 443} flags S/SA keep state (max 2000)
pass out quick keep state
block in log quick on $ext_if
new feature
hello all,

Is it (or will it be) possible to set different state timeouts for different rules? For example, if I'm using http, and I need to keep the state for 10 minutes because of an e-commerce session, and I don't want to keep the state for smtp for more than 30 seconds. Something like:
-
set timeout 60 #default timeout

# http rule
pass out on fxp0 proto tcp from any to any port www keep state timeout 600

# smtp rule
pass out on fxp0 proto tcp from any to any port smtp keep state timeout 30

Cheers ;)
Re: Question about tables
yes... you have to notify pf:

pfctl -t spam -T add xxx.xxx.xxx.xxx

- Original Message -
From: "Jonathan Weiss" <[EMAIL PROTECTED]>
To: "OpenBSD-PF"
Sent: Wednesday, January 19, 2005 1:56 PM
Subject: Question about tables

Hi folks,

I have a question regarding tables that are defined in a text file, eg:

table persist file "/etc/spammers"

When is the lookup done? Every time the rule is evaluated or every time the content of the file is changing?

If I add an entry to this table like this:

echo "xxx.xxx.xxx.xxx" >> /etc/spammers

Will the new IP be included or do I have to "notify" PF that I changed something? I guess the other option is that PF is reading this file every time the rule is evaluated and this does not seem like a good idea if you think about performance.

Greets,
Jonathan

P.S: I want to build a WLAN-AC that is configured by a web interface. I want to include the IP of an authenticated user into a table and only IPs from the table are allowed to make connections to the internet.
Re: load balance (rdr) with tables
Hi Daniel,

Based on your rule, it works fine if I do this:

rdr pass on $ext_if proto tcp from any to $ext_if port {25 80 110 143 443} -> sticky-address

But if I do as specified in the pf FAQ, it doesn't:

rdr pass on $ext_if proto tcp from any to any port {25 80 110 143 443} -> sticky-address

Is this the correct behaviour? tested on openbsd 3.6 as well with the same results.

thanks

- Original Message -
From: "Daniel Hartmeier" <[EMAIL PROTECTED]>
To: "Gustavo A. Baratto" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, January 17, 2005 4:05 PM
Subject: Re: load balance (rdr) with tables

On Mon, Jan 17, 2005 at 01:21:02PM -0800, Gustavo A. Baratto wrote:

> So, it just looks like pf cannot match the rdr rule when a table is used.
> Again, I'm using the version of PF that comes with freebsd 5.3.

It works for me on both OpenBSD 3.6-current and FreeBSD 5.3-stable. Here's the ruleset I tried:

table persist { 127.0.0.1, 127.0.0.2 }
rdr on em0 inet proto tcp from any to em0 port ssh \
    ->
pass all

(where 127.0.0.2 is an alias on lo0, ifconfig lo0 inet alias 127.0.0.2)

Then I establish (and close) several ssh connections through em0, and see

# pfctl -ss
self tcp 127.0.0.1:22 <- 10.1.1.111:22 <- 10.1.1.1:10090 FIN_WAIT_2:FIN_WAIT_2
self tcp 127.0.0.2:22 <- 10.1.1.111:22 <- 10.1.1.1:29848 FIN_WAIT_2:FIN_WAIT_2
self tcp 127.0.0.1:22 <- 10.1.1.111:22 <- 10.1.1.1:6638 FIN_WAIT_2:FIN_WAIT_2

(10.1.1.111 is em0's address, 10.1.1.1 the ssh client)

So the rdr rule is applying and replacing the destination address. It's cycling through both addresses in the table (round-robin is default, even if not specified, here). When I add 'sticky-address', I get the expected stickiness based on source address.

There have been several bugfixes related to the code parts that select a replacement address for translations. They have been merged back into OpenBSD 3.6-stable and FreeBSD 5.3-stable. If you're not running a recent 5.3-stable, please update (-rRELENG_5_3) and try again.

If you can't reproduce the problem with a simple test ruleset like mine above, but can with your real ruleset, that would mean we should take a closer look at the verbatim ruleset.

Daniel
Re: load balance (rdr) with tables
Hi Daniel, thanks a bunch for all your work with pf.

'Does not work' means that the packets are not matching the rdr rule when a table is used:

# pfctl -vvsn
@0 rdr on xl0 proto tcp from any to any port = smtp -> round-robin sticky-address
  [ Evaluations: 14 Packets: 0 Bytes: 0 States: ]
@1 rdr on xl0 proto tcp from any to any port = http -> round-robin sticky-address
  [ Evaluations: 12 Packets: 0 Bytes: 0 States: ]
@2 rdr on xl0 proto tcp from any to any port = pop3 -> round-robin sticky-address
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
@3 rdr on xl0 proto tcp from any to any port = imap -> round-robin sticky-address
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
@4 rdr on xl0 proto tcp from any to any port = https -> round-robin sticky-address
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
----

But if instead of a table I use a macro with the same addresses, the same rdr rule redirects the packets to the pool just fine (check the ruleset below). I tested from many source addresses, and the problem doesn't seem to be the stickiness of the sessions. Pf maintains the session just fine, and stickiness works if I use a macro though.

I changed my fw rules to something very simple for testing purposes (the commented out rdr rule with the macro works fine, when enabled):
--
ext_if = "xl0"
int_if = "fxp0"
int_net = "10.10.10.0/24"
fw_yvr = "209.82.78.2"
dev_server = "209.61.244.4"
mail_pool = "{10.10.10.10/32, 10.10.10.11/32}"
table persist {10.10.10.10/32, 10.10.10.11/32}

rdr pass on $ext_if proto tcp from any to any port {25 80 110 143 443} -> sticky-address
#rdr pass on $ext_if proto tcp from any to any port {25 80 110 143 443} -> $mail_pool round-robin sticky-address

# packet filtering rules
pass quick on lo0 all
pass in log quick on $ext_if from $fw_yvr to any keep state
pass in quick on $ext_if from $dev_server to any keep state
pass out quick on $ext_if proto {tcp,udp,icmp} all keep state
block in log quick on $ext_if

This is pfctl -vvss when I use the table (the port 22 rule is not a part of the rdr, though):
--
self tcp 207.228.225.135:22 <- 209.82.78.2:56824 ESTABLISHED:ESTABLISHED
  [1530102845 + 33256] [1671572552 + 33304]
  age 00:00:34, expires in 24:00:00, 25:16 pkts, 1972:2064 bytes, rule 1
---

This is pfctl -vvss when I use a macro instead:
---
self tcp 10.10.10.10:443 <- 207.228.225.135:443 <- 209.82.78.2:53175 ESTABLISHED:ESTABLISHED
  [4203246125 + 16886] [3366592452 + 65535]
  age 00:00:04, expires in 23:59:57, 8:7 pkts, 1456:2775 bytes, sticky-address
  id: 41d39105d5b2 creatorid: 6c2dd1bf
self tcp 207.228.225.135:22 -> 209.82.78.2:56824 ESTABLISHED:ESTABLISHED
  [1530285165 + 33256] [1671636312 + 33304]
  age 00:03:53, expires in 24:00:00, 49:69 pkts, 9380:5220 bytes, rule 9
  id: 41d39105d5ac creatorid: 6c2dd1bf
self tcp 10.10.10.10:80 <- 207.228.225.135:80 <- 207.228.226.6:54833 FIN_WAIT_2:FIN_WAIT_2
  [2844882315 + 49332] [692242652 + 65534]
  age 00:00:23, expires in 00:01:07, 6:4 pkts, 469:476 bytes, sticky-address
  id: 41d39105d5b1 creatorid: 6c2dd1bf
self tcp 10.10.10.11:80 <- 207.228.225.135:80 <- 66.36.226.248:4627 CLOSED:SYN_SENT
  [0 + 57344] [3720571632 + 1]
  age 00:00:29, expires in 00:00:23, 7:1 pkts, 356:56 bytes, sticky-address
  id: 41d39105d5b0 creatorid: 6c2dd1bf

/var/log/messages doesn't return anything when I'm using a table. But when I'm using the macro, this is what I get:

Jan 17 20:18:56 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.11
Jan 17 20:19:08 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.11
Jan 17 20:19:15 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.10

This is the result of pfctl -vvsT and pfctl -t smtp -vvTs. The results never change after the connection attempts.

# pfctl -vvsT
No ALTQ support in kernel
ALTQ related functions disabled
-pa-r- smtp
  Addresses: 2
  Cleared: Mon Jan 17 20:06:58 2005
  References: [ Anchors: 0 Rules: ]
  Evaluations: [ NoMatch: 0 Match: ]
  In/Block: [ Packets: 0 Bytes: ]
  In/Pass: [ Packets: 0 Bytes: ]
  In/XPass: [ Packets: 0 Bytes: ]
  Out/Block: [ Packets: 0 Bytes: ]
  Out/Pass: [ Packets: 0 Bytes: ]
  Out/XPass: [ Packets: 0 Bytes: ]
# pfctl -t smtp -vvsT
No ALTQ support in kernel
ALTQ related functions disabled
-pa-r- smtp
  Addresses: 2
  Cleared: Mon Jan 17 20:06:58 2005
  References: [ Anchors: 0 Rules: ]
Re: load balance (rdr) with tables
I posted the wrong rule in my last message: the rdr rule that DOES NOT work is this:

---
table persist {10.10.10.10, 10.10.10.11}
rdr pass on $ext_if proto tcp from any to any port {25 110 143} -> round-robin sticky-address
---

This works fine:

---
$mail_pool = {10.10.10.10, 10.10.10.11}
rdr pass on $ext_if proto tcp from any to any port {25 110 143} -> $mail_pool round-robin sticky-address

- Original Message -
From: "Gustavo A. Baratto" <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 13, 2005 3:13 PM
Subject: load balance (rdr) with tables

Greetings all,

I'm quite new in pf, and I'm having some problem with a load balance rule to a pool defined in a table. This is roughly what I have:

--
table persist {10.10.10.10, 10.10.10.11}
rdr pass on $ext_if proto tcp from any to any port {25 110 143} -> $mail_pool round-robin sticky-address
--

# pfctl -s nat
rdr pass on xl0 proto tcp from any to any port = smtp -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = http -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = pop3 -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = imap -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = https -> round-robin sticky-address

The strange thing is that exactly the same rdr rule works fine when I use a macro instead of a table, even though the pf FAQ says:

---
round-robin - loops through the address pool in sequence. This is the default method and also the only method allowed when the address pool is specified using a table.
---

Using the FreeBSD port of pf, which is equivalent to the version in OpenBSD 3.5.

Thanks for any suggestion ;)
load balance (rdr) with tables
Greetings all,

I'm quite new in pf, and I'm having some problem with a load balance rule to a pool defined in a table. This is roughly what I have:

--
table persist {10.10.10.10, 10.10.10.11}
rdr pass on $ext_if proto tcp from any to any port {25 110 143} -> $mail_pool round-robin sticky-address
--

# pfctl -s nat
rdr pass on xl0 proto tcp from any to any port = smtp -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = http -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = pop3 -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = imap -> round-robin sticky-address
rdr pass on xl0 proto tcp from any to any port = https -> round-robin sticky-address

The strange thing is that exactly the same rdr rule works fine when I use a macro instead of a table, even though the pf FAQ says:

---
round-robin - loops through the address pool in sequence. This is the default method and also the only method allowed when the address pool is specified using a table.
---

Using the FreeBSD port of pf, which is equivalent to the version in OpenBSD 3.5.

Thanks for any suggestion ;)
Re[2]: feature suggest: ability to load/add _inverted_ table file
GH> Is there some unknown reason why he cannot use
GH> ~~ # grep \!\< /etc/pf.conf | head -3
GH> nat on $Ext from $LAN to ! -> $Ext:0
GH> pass out quick on $Ext $TCP to ! user squid $KSF queue (q_def,\
GH> q_pri)
GH> pass out log quick on $Ext $TCP from $Ext:0 to ! port nntp\
GH> user news $KSF
GH> for the same effect ?

No, it is not the same. I suggested a "list exclude" feature in addition to the existing "list include" feature on the table RULE. As a result, the administrator would be able to assemble ONE table instead of two or three, and would be able to reduce the number of rules, without external list preprocessing or dynamic table loading.

IMHO, my suggestion was pretty simple, and at the same time very efficient for PF's core flexibility. The developers don't think so. Sad.

Ilya A. Kovalenko

"Better" is the worst enemy of "Good"
Re: feature suggest: ability to load/add _inverted_ table file
Here is diff (against 3.6-stable), that implements loading list to table in inverted form, by rule like this: table file priv_nets.tab file-inv pub_hosts.tab Unfortunately, it demands more changes, than I expected :(, so I don't think that it has a chance to be accepted. --- diff 2 orig/pfctl_parser.h ../pfctl/pfctl_parser.h --- orig/pfctl_parser.h Tue Dec 21 21:58:31 2004 +++ ../pfctl/pfctl_parser.h Tue Dec 21 22:06:39 2004 @@ -149,4 +149,5 @@ struct node_host*host; char*file; + int flags; }; @@ -257,5 +258,5 @@ struct node_host *host(const char *); -int append_addr(struct pfr_buffer *, char *, int); +int append_addr(struct pfr_buffer *, char *, int, int); int append_addr_host(struct pfr_buffer *, struct node_host *, int, int); diff 2 orig/pfctl.h ../pfctl/pfctl.h --- orig/pfctl.hTue Dec 21 21:58:31 2004 +++ ../pfctl/pfctl.hTue Dec 21 22:03:54 2004 @@ -34,4 +34,7 @@ #define _PFCTL_H_ +/* invert table file */ +#define FL_INVERTED (1) + enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS, PFRB_IFACES, PFRB_TRANS, PFRB_MAX }; @@ -72,5 +75,5 @@ int pfr_buf_grow(struct pfr_buffer *, int); int pfr_buf_load(struct pfr_buffer *, char *, int, - int (*)(struct pfr_buffer *, char *, int)); + int (*)(struct pfr_buffer *, char *, int, int), int); char *pfr_strerror(int); int pfi_get_ifaces(const char *, struct pfi_if *, int *, int); diff 2 orig/parse.y ../pfctl/parse.y --- orig/parse.yTue Dec 21 21:58:31 2004 +++ ../pfctl/parse.yTue Dec 21 21:58:46 2004 @@ -383,5 +383,5 @@ %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF -%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL +%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME FILENAMEINV ROUTETO DUPTO REPLYTO NO LABEL %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR 
@@ -1082,4 +1082,15 @@ table_opts.init_addr = 1; } + | FILENAMEINV STRING{ + struct node_tinit *ti; + + if (!(ti = calloc(1, sizeof(*ti + err(1, "table_opt: calloc"); + ti->file = $2; + ti->flags |= FL_INVERTED; + SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti, + entries); + table_opts.init_addr = 1; + } ; @@ -3617,5 +3628,5 @@ SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) { if (ti->file) - if (pfr_buf_load(&ab, ti->file, 0, append_addr)) { + if (pfr_buf_load(&ab, ti->file, 0, append_addr, ti->flags)) { if (errno) yyerror("cannot load \"%s\": %s", @@ -4327,4 +4338,5 @@ { "fastroute", FASTROUTE}, { "file", FILENAME}, + { "file-inv", FILENAMEINV}, { "fingerprints", FINGERPRINTS}, { "flags", FLAGS}, diff 2 orig/pfctl_radix.c ../pfctl/pfctl_radix.c --- orig/pfctl_radix.c Tue Dec 21 21:58:31 2004 +++ ../pfctl/pfctl_radix.c Tue Dec 21 22:08:01 2004 @@ -557,5 +557,5 @@ int pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork, -int (*append_addr)(struct pfr_buffer *, char *, int)) +int (*append_addr)(struct pfr_buffer *, char *, int, int), int flags) { FILE*fp; @@ -573,5 +573,5 @@ } while ((rv = pfr_next_token(buf, fp)) == 1) - if (append_addr(b, buf, nonetwork)) { + if (append_addr(b, buf, nonetwork, flags)) { rv = -1; break; diff 2 orig/pfctl_parser.c ../pfctl/pfctl_parser.c --- orig/pfctl_parser.c Tue Dec 21 21:58:31 2004 +++ ../pfctl/pfctl_parser.c Tue Dec 21 21:58:46 2004 @@ -1455,9 +1455,9 @@ */ int -append_addr(struct pfr_buffer *b, char *s, int test) +append_addr(struct pfr_buffer *b, char *s, int test, int flags) { char *r; struct node_host*h, *n; - int rv, not = 0; + int rv, not = (flags & FL_INVERTED) ? 1:0; for (r = s; *r == '!'; r++) diff 2 orig/pfctl_table.c ../pfctl/pfctl_table.c --- orig/pfctl
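Review bot: the new `FILENAMEINV STRING` alternative in the parse.y hunk adds a `file-inv` keyword to the grammar and to the keyword table, but nothing in this diff documents it in pf.conf(5); the branch is also a copy of the existing `file` branch with only `ti->flags |= FL_INVERTED;` added, so one action taking the flag as a parameter would avoid carrying two copies of the calloc/insert sequence.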
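Review bot: pfr_buf_load() in the pfctl_radix.c hunk gains a trailing `int flags` argument and append_addr() in the pfctl_parser.h hunk gains a fourth `int`, so every caller of either has to change; the parse.y call site is updated, but the pfctl_table.c part of the diff is cut off right after its header, so whether the table-loading calls there (and any other user of pfr_buf_load() or append_addr()) pass the new argument cannot be confirmed from what is shown.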
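Review bot: in the append_addr() hunk, `int rv, not = (flags & FL_INVERTED) ? 1:0;` gives the intended result only if the `for (r = s; *r == '!'; r++)` loop that follows toggles `not` rather than assigning 1 to it, since an inverted file must turn a `!A.B.C.D` entry back into a plain one; please confirm the loop body. A smaller point: `FL_INVERTED` in pfctl.h is a very generic name for a flag stored in `node_tinit.flags`, so a pfctl-specific prefix would be safer.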
Re[3]: feature suggest: ability to load/add _inverted_ table file
More correct & shorter diff, against -current (21.12) - diff 2 orig/pfctl_parser.h ../pfctl-current/pfctl_parser.h --- orig/pfctl_parser.h Thu Nov 18 21:57:45 2004 +++ ../pfctl-current/pfctl_parser.h Thu Nov 18 21:09:24 2004 @@ -149,4 +149,5 @@ struct node_host*host; char*file; + int flags; }; diff 2 orig/pfctl.h ../pfctl-current/pfctl.h --- orig/pfctl.hThu Nov 18 21:57:42 2004 +++ ../pfctl-current/pfctl.hThu Nov 18 21:26:34 2004 @@ -34,4 +34,8 @@ #define _PFCTL_H_ +/* append_addr() flags */ +#define PFAAF_NONETWORK(1) +#define PFAAF_INVERT (2) + enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS, PFRB_IFACES, PFRB_TRANS, PFRB_MAX }; diff 2 orig/parse.y ../pfctl-current/parse.y --- orig/parse.yThu Nov 18 21:57:39 2004 +++ ../pfctl-current/parse.yThu Nov 18 21:41:30 2004 @@ -396,4 +396,5 @@ %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL +%token FILENAMEINV %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR @@ -1105,4 +1106,15 @@ table_opts.init_addr = 1; } + | FILENAMEINV STRING{ + struct node_tinit *ti; + + if (!(ti = calloc(1, sizeof(*ti + err(1, "table_opt: calloc"); + ti->file = $2; + ti->flags |= PFAAF_INVERT; + SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti, + entries); + table_opts.init_addr = 1; + } ; @@ -3789,5 +3801,5 @@ SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) { if (ti->file) - if (pfr_buf_load(&ab, ti->file, 0, append_addr)) { + if (pfr_buf_load(&ab, ti->file, ti->flags & PFAAF_INVERT, append_addr)) { if (errno) yyerror("cannot load \"%s\": %s", 
@@ -4499,4 +4511,5 @@ { "fastroute", FASTROUTE}, { "file", FILENAME}, + { "file-inv", FILENAMEINV}, { "fingerprints", FINGERPRINTS}, { "flags", FLAGS}, diff 2 orig/pfctl_radix.c ../pfctl-current/pfctl_radix.c --- orig/pfctl_radix.c Thu Nov 18 21:57:46 2004 +++ ../pfctl-current/pfctl_radix.c Thu Nov 18 21:25:18 2004 @@ -556,5 +556,5 @@ int -pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork, +pfr_buf_load(struct pfr_buffer *b, char *file, int flags, int (*append_addr)(struct pfr_buffer *, char *, int)) { @@ -573,5 +573,5 @@ } while ((rv = pfr_next_token(buf, fp)) == 1) - if (append_addr(b, buf, nonetwork)) { + if (append_addr(b, buf, flags)) { rv = -1; break; diff 2 orig/pfctl_parser.c ../pfctl-current/pfctl_parser.c --- orig/pfctl_parser.c Thu Nov 18 21:57:45 2004 +++ ../pfctl-current/pfctl_parser.c Thu Nov 18 22:06:08 2004 @@ -1494,4 +1494,5 @@ * test: * if set to 1, only simple addresses are accepted (no netblock, no "!"). + * bit 1 (PFAAF_INVERT flag) - add given address exclusion */ int @@ -1500,5 +1501,7 @@ char *r; struct node_host*h, *n; - int rv, not = 0; + int rv, not = (test & PFAAF_INVERT) ? 1:0; + + test &= PFAAF_NONETWORK; for (r = s; *r == '!'; r++) -
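Review bot: as rendered here, `#define PFAAF_NONETWORK(1)` in the pfctl.h hunk has no space between the macro name and `(1)`; if that is not whitespace lost in the mail, it declares a function-like macro with an invalid parameter list and will not preprocess, so confirm the committed line reads like the `#define PFAAF_INVERT (2)` under it.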
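Review bot: reusing append_addr()'s `test` argument as a flags word in the pfctl_parser.c hunk stays compatible with existing callers only because PFAAF_NONETWORK is 1 and those callers pass 0 or 1; the added comment says "bit 1 (PFAAF_INVERT flag)" while the define is (2), so either say "bit value 2" or just name the macro, and note that `test &= PFAAF_NONETWORK;` silently discards any other bit a future caller sets instead of rejecting it.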
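Review bot: the parse.y hunk's `pfr_buf_load(&ab, ti->file, ti->flags & PFAAF_INVERT, append_addr)` passes a flags word where the old call passed the literal `0` for nonetwork, which works because pfr_buf_load() in the pfctl_radix.c hunk only forwards the value; still missing, as in the earlier version, is a pf.conf(5) entry for the `file-inv` table option and a check that a file containing both `a` and `!b` loads as `!a` and `b`.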
Re[2]: feature suggest: ability to load/add _inverted_ table file
>> Feature to load/add address list from file onto table in INVERTED
>> form (i.e. replacing "A.B.C.D" -> "! A.B.C.D" & vice versa) from
>> table rule (sth. like "file-inverted ") and command line
>> (sth. like -T add-inverted/load-inverted).

DH> You could use sed(1) to do that, like
DH> # sed -e 's/^/!/' -e 's/^!!//' file | pfctl -t foo -Ta -f -

Yes, you're right. There is no reason for an extra command line interface. But I can't do the same thing in /etc/pf.conf, because a table rule can only summarize list files. Of course, I can always generate inverted files or even fully compiled list files with some external utilities, and load the rules after generation, but non-standard solutions cause specific problems.
feature suggest: ability to load/add _inverted_ table file
Greetings,

I suggest adding a pfctl(8) feature: the ability to load/add an address list from a file onto a table in INVERTED form (i.e. replacing "A.B.C.D" -> "! A.B.C.D" & vice versa) from a table rule (sth. like "file-inverted ") and from the command line (sth. like -T add-inverted/load-inverted).

It is quite simple to implement (I think/believe), but makes tables much more flexible. Later, I can post the related code diff.

Ilya A. Kovalenko
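An added example (not OpenBSD code) of the inversion described in this message and in the sed(1) reply above: it rewrites a table file so that every entry flips between `addr` and `!addr`, handling `#` comments, blank lines and a `!` separated from its address by a space, and includes the reply's per-line sed transformation to show where the two differ. The file contents are constructed.

```python
"""Write a pf table file in inverted form: each plain address becomes an
exclusion ("!addr") and each exclusion becomes a plain address.

Added example for this thread, not OpenBSD code.  It does what the
reply's sed pipeline does (prefix "!", then collapse "!!") but per token,
so comments, blank lines and a "!" separated from its address by a space
are handled the way pfctl's token loader would see them.
"""


def split_negation(token):
    """Return (negated, address).  Repeated '!' toggle, as pfctl's
    append_addr() does, so '!!a' means the same as 'a'."""
    n = 0
    while n < len(token) and token[n] == "!":
        n += 1
    return (n % 2 == 1, token[n:])


def tokens_of(body):
    """Split a line into entries, re-attaching a bare '!' to the next token."""
    out, pending = [], ""
    for tok in body.split():
        if set(tok) == {"!"}:          # "!" or "!!" on its own applies to the next address
            pending += tok
            continue
        out.append(pending + tok)
        pending = ""
    if pending:
        out.append(pending)            # trailing bare "!" with no address; dropped below
    return out


def invert_line(raw):
    body, sep, comment = raw.partition("#")
    entries = []
    for tok in tokens_of(body):
        negated, addr = split_negation(tok)
        if not addr:
            continue                   # nothing to negate
        entries.append(addr if negated else "!" + addr)
    line = " ".join(entries)
    if sep:
        line = (line + " " if line else "") + "#" + comment
    return line


def invert_table(text):
    """Invert a whole table file; a trailing newline is preserved."""
    lines = [invert_line(l) for l in text.splitlines()]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def sed_style(line):
    """The reply's sed pipeline on one line: s/^/!/ then s/^!!//."""
    line = "!" + line
    return line[2:] if line.startswith("!!") else line


# Constructed sample table file.
SAMPLE = "10.0.0.0/8\n!10.1.2.3   # keep this host reachable\n\n! 192.168.0.0/16\n"

if __name__ == "__main__":
    print(invert_table(SAMPLE), end="")
```

Inverting twice returns the original entries, and the sed form shows its one weak spot: a blank or comment line gets a `!` prefixed to it, which the token-based version avoids.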
Re: pf port knocking
My heartfelt thanks for all the assistance there. ffs, you speak like some sort of lord who cannot be bothered assisting the peasants. I get an inkling you eminate for from such lofty heights. Now, I admit I am not on the main bsd list (even if I was, I don't have time to even skim the headers from all the postings it gets) but I have been on the pf list for about 6 months and thought this was a relevant topic for discussion. Now, I don't think port knocking the latest fad (how it would add to liability is beyond me). Rather, I think it a relevant security implementation for my situation. From the sounds, we will be getting a large number of external contractors, many of whom will be travelling, so this seemed a good fit. Surely you would agree that if a service appears closed, that provides increased security. Additionally, it seems pretty straight forward to implement (even to me who hasn't programmed in about 2 years); so a time vs reward analysis stacks up. I don't see the problem; a simple addition to give additional security. Simply changing the ssh port isn't good enough. Source IP filtering won't cut the mustard as I don't know which IPs people will get when they are using global roaming dial-up services. So, where does that leave me? Either just leave it as is, add a VPN (that I would still like to appear closed) or implement some system to hide the port. Now, leaving it as is will probably be absolutely fine provided the service is kept up to date. Installing a VPN is planned. Adding this extra layer of port security seems prudent and cost effective. So, yeah, whatever, it seems I will go it alone. Cheers Andrew --- jared r r spiegel <[EMAIL PROTECTED]> wrote: > On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote: > > > If you want to knock off most of the port pounding twits, stop > allowing > > ssh from 'any', filter instead by source. 
If you can't do that, > because you > > MUST have access from your remote laptop, then maybe try using a > ssh > > rule that says use OS type =my remote OS. > > that would probably work for most intents and purposes, but i > know the pf.conf(5) specifically cautions against using OS > fingerprints > for security enforcement. it suggests they're for policy > implementation at best. > > rather than allowing for your laptop like that, i'd probably > go the route of starting a second sshd listening on whatever > port ( where reserved is likely better than not ) for the > purposes of authpf(8) to allow a hole into tcp:22. > > jared > > -- > > [ openbsd 3.6 GENERIC ( nov 4 ) // i386 ] > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
pf port knocking
Hey all I am getting tired of seeing the following popping up every day (with various IPs) on my log server. * ROOT FAILURES jasper ssh2(pw) @221.143.156.58(3) * User Failures admin ssh2(pw) jasper(2) andrew ssh2(pw) jasper(1) angel ssh2(pw) jasper(1) barbara ssh2(pw) jasper(1) ben ssh2(pw) jasper(1) betty ssh2(pw) jasper(1) billy ssh2(pw) jasper(1) black ssh2(pw) jasper(1) blue ssh2(pw) jasper(1) brandon ssh2(pw) jasper(1) brian ssh2(pw) jasper(1) buddy ssh2(pw) jasper(1) carmen ssh2(pw) jasper(1) charlie ssh2(pw) jasper(1) daniel ssh2(pw) jasper(1) david ssh2(pw) jasper(1) dog ssh2(pw) jasper(1) emily ssh2(pw) jasper(1) eric ssh2(pw) jasper(1) god ssh2(pw) jasper(1) green ssh2(pw) jasper(1) guest ssh2(pw) jasper(1) henry ssh2(pw) jasper(1) jane ssh2(pw) jasper(1) jason ssh2(pw) jasper(1) jeremy ssh2(pw) jasper(1) joe ssh2(pw) jasper(1) johnny ssh2(pw) jasper(1) jordan ssh2(pw) jasper(1) justin ssh2(pw) jasper(1) larisa ssh2(pw) jasper(1) lion ssh2(pw) jasper(1) lp ssh2(pw) jasper(1) lucy ssh2(pw) jasper(1) magic ssh2(pw) jasper(1) mail ssh2(pw) jasper(1) maria ssh2(pw) jasper(1) market ssh2(pw) jasper(1) matthew ssh2(pw) jasper(1) max ssh2(pw) jasper(1) michael ssh2(pw) jasper(1) nathan ssh2(pw) jasper(1) nicholas ssh2(pw) jasper(1) nicole ssh2(pw) jasper(1) operator ssh2(pw) jasper(1) pub ssh2(pw) jasper(1) red ssh2(pw) jasper(1) robin ssh2(pw) jasper(1) rose ssh2(pw) jasper(1) shell ssh2(pw) jasper(1) stephen ssh2(pw) jasper(1) steven ssh2(pw) jasper(1) system ssh2(pw) jasper(1) test ssh2(pw) jasper(2) tom ssh2(pw) jasper(1) user ssh2(pw) jasper(1) vampire ssh2(pw) jasper(1) william ssh2(pw) jasper(1) yellow ssh2(pw) jasper(1) Just script kiddies most probably. Plus, we use public/private keys on "jasper" so it's not like people are going to get in that way. However, having the port wide open does give the possibility that a bug in the SSH daemon (if one pops up) could open the door for a hacker to get in. 
Further, "jasper" is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers). I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services on the internal network. Additionally, we are about to setup a system to run a VPN between our office and some contractors. I would like that box's IP to appear offline/completely closed (until required) as well. To sum up, apart from web, mail and domain (to specific servers), I would much prefer that every port appear closed. To achieve this, I would like to implement port knocking on the gateway firewall (runs OBSD 3.4 and pf). For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it. Here, you fire connections at a server on designated ports to instruct the firewall to open a port. So, if the firewall detects a connection on ports 14289, 32883, 1234 and 3428 (in that order), port 22 is opened for the relevant IP address. Has anyone heard of anyone working on a portknocking daemon for OBSD/pf? There are a couple of basic setups over at www.portknocking.org but thought I would check here before attempting a port. If no work has begun, I think I will take the perl prototype script they have at portknocking.org and see what I can do for pf. I would imagine I will have to setup anchors in pf which I haven't done yet but am sure I will get my head around it. Any pointers would be appreciated! :) I will also need to write a windows util to do the knocking for the contractors - can Perl run on a Windows machine or will I have to dust off my C compiler? :) Andrew Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
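An added example, neither a port of the portknocking.org prototype nor pf code, of the gateway-side logic this post describes: it scans pflog-style lines for the ordered knock sequence 14289, 32883, 1234, 3428 per source address, with a per-source timeout and a reset on a wrong port, and returns the table additions (`pfctl -t knocked -T add addr`) that a pass rule for port 22 from that table could then rely on. The log line format, the addresses and the timing window are constructed assumptions.

```python
"""Detect a completed port-knock sequence in pflog lines and produce the
table update the gateway would apply.

Added example for this thread, not code from portknocking.org or pf.
The log format, addresses and timing window are constructed: the lines
mimic tcpdump on pflog0, timestamp first and "src.port > dst.port" as
tcpdump prints them.  Ports 14289, 32883, 1234 and 3428 are the
sequence the post uses.
"""
import re

KNOCK_SEQUENCE = [14289, 32883, 1234, 3428]
KNOCK_WINDOW = 10.0        # seconds allowed between consecutive knocks (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s.*?:\s"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s>\s"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample: one host knocks correctly, a stranger hits one knock
# port in the middle, and a third host sends the right ports in the wrong order.
SAMPLE_LOG = """\
18:05:39.101 rule 0/0(match): block in on xl0: 203.0.113.5.40001 > 198.51.100.1.14289: S
18:05:39.480 rule 0/0(match): block in on xl0: 203.0.113.5.40002 > 198.51.100.1.32883: S
18:05:39.902 rule 0/0(match): block in on xl0: 198.51.100.77.5555 > 198.51.100.1.1234: S
18:05:40.220 rule 0/0(match): block in on xl0: 203.0.113.5.40003 > 198.51.100.1.1234: S
18:05:40.611 rule 0/0(match): block in on xl0: 203.0.113.5.40004 > 198.51.100.1.3428: S
18:06:02.000 rule 0/0(match): block in on xl0: 192.0.2.9.1111 > 198.51.100.1.14289: S
18:06:02.300 rule 0/0(match): block in on xl0: 192.0.2.9.1112 > 198.51.100.1.1234: S
18:06:02.600 rule 0/0(match): block in on xl0: 192.0.2.9.1113 > 198.51.100.1.32883: S
18:06:02.900 rule 0/0(match): block in on xl0: 192.0.2.9.1114 > 198.51.100.1.3428: S
"""


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def knock_sources(log_text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return [(source, timestamp)] for every source that sent the whole
    sequence in order with at most `window` seconds between knocks.
    A wrong port, or a late knock, resets that source to the start."""
    progress = {}            # source -> (index of next expected port, time of last knock)
    opened = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, port, ts = m.group("src"), int(m.group("dport")), m.group("ts")
        now = _seconds(ts)
        idx, last = progress.get(src, (0, None))
        if last is not None and now - last > window:
            idx = 0                                  # too slow: start over
        if port == sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == sequence[0] else 0    # wrong port: restart, maybe on this knock
        if idx == len(sequence):
            opened.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, now)
    return opened


def pfctl_commands(sources, table="knocked"):
    """The pfctl(8) table additions that let a pass rule using <knocked>
    admit the source; returned as strings, not executed."""
    return [f"pfctl -t {table} -T add {src}" for src in sources]


if __name__ == "__main__":
    done = knock_sources(SAMPLE_LOG)
    print(done)
    for cmd in pfctl_commands(src for src, _ in done):
        print(cmd)
```

Tracking is per source, so the stranger's single hit on 1234 does not advance anyone else's sequence, and the out-of-order host never completes; a real daemon would also expire entries from the table again after some time.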
Re[2]: Note: states with asymmetric routing
JO> i will assume that you do not have delusions that this should work with
JO> NAT-ed connections, because it most certainly will not.

Of course it will not, because pf must alter both directions.
Re: traffic leaking out on PPP connection
PM> My firewall is pretty tight. I block all incoming by default and let out only certain
PM> destination ports. I'm currently filtering on external interface only.
PM> Now I decided to do a check on all outgoing traffic
PM> (filtering out of course the allowed ports)
PM> and I made an interesting discovery.
PM> I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I
PM> am sending out regular replies to
PM> port 135. I figured this is due to PPP tunneling. In 15
PM> minutes I was replying to about a
PM> dozen different IP addresses but they all resolve back to my ISPs servers (or clients?):

These hosts are probably infected with the "Lovesan" (aka "MS-blast") virus. It scans networks for vulnerable Windows boxes to infect. But you should see it as incoming requests, then your host replies.

Ilya A. Kovalenko mailto:[EMAIL PROTECTED]
Re[2]: Note: states with asymmetric routing
>> Stateful inspection on gateway can hamper tcp-connections, when
>> inbound or outbound packets goes another route (i.e. when one of
>> directions not goes thru gateway).

kpo> well, yeah. How is a firewall supposed to deduce state if it doesn't
kpo> see any replies? psychic deduction?

You totally miss my point. I am not asking why PF behaves this way. I am a programmer, and I guess I can understand it well enough. The only thing I want to do is to notify PF developers and users that stateful inspection seems not to be applicable to cases with asymmetric routing.

>> Connection works fine on low rate, but fast transfers stops on
>> each 64K (because suddenly PF stops passing packets).
>>
>> I guess, it is not bug, just some feature (like some
>> tcp-window-related state protection). So think, is there reasons to
>> correct this PF behavior.

Found something in the man page:

--8<--- man pf.conf ---8<-
This has several advantages. Comparing a packet to a state involves checking its sequence numbers. If the sequence numbers are outside the narrow windows of expected values, the packet is dropped. This prevents spoofing attacks, such as when an attacker sends packets with a fake source address/port but does not know the connection's sequence numbers.
------8<--- man pf.conf ---8<-

kpo> Correct? If you can design a prescient packet filter, then more
kpo> power to you.

In general, prescience is a hardware problem :) Seriously, there are a couple of things that can be done to solve such a case, w/o prescience. Of course, ONLY if the developers think it's important enough. For example, it is possible to make PF smart enough to detect asymmetric routing and turn off the checks that cannot be performed on such states. Or to add the ability to select a "lighter" inspection mode for such cases (w/ a postfix like "keep light-state" :). Anyway, I can't and do not try to decide anything for the developers.

Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. SpecialEQ SW section
JSC Oganer-Service
Note: states with asymmetric routing
Greetings,

Just a note. Stateful inspection on a gateway can hamper tcp-connections when inbound or outbound packets go another route (i.e. when one of the directions does not go thru the gateway).

The connection works fine at a low rate, but fast transfers stop at each 64K (because suddenly PF stops passing packets).

I guess it is not a bug, just some feature (like some tcp-window-related state protection). So, think whether there are reasons to correct this PF behavior.

Thank you

Ilya A. Kovalenko
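An added, simplified model (not pf code) of why the transfer in this note stalls after roughly 64K rather than immediately: pf only slides the bound on what one end may send when it sees the other end's acknowledgements, and for a peer it has never seen it falls back to a loose check that tolerates one MAXACKWINDOW beyond that fixed bound. The MAXACKWINDOW value (0xffff plus a 1500-byte fudge factor) is my reading of pf.c and should be treated as an assumption; window scaling and the ack-skew checks are left out.

```python
"""Model of why a TCP transfer through a pf gateway stalls after roughly
64K when only one direction of the connection crosses the gateway.

Added example, not pf code: a simplified rendering of the sequence-window
tracking in pf.c as I read it.  Assumptions: the MAXACKWINDOW value
(0xffff plus a 1500-byte fudge factor), window scaling ignored, the
"ackskew" checks omitted, and a SYN counted as one byte of sequence space.
"""

MAXACKWINDOW = 0xffff + 1500     # pf.c's "one window" slack for loose matches (assumed)


class Side:
    """Per-direction tracking: what this end has sent and may still send."""
    def __init__(self):
        self.seqlo = 0       # highest sequence number seen from this end
        self.seqhi = 0       # highest sequence number this end may send;
                             # only the peer's acks slide it forward
        self.max_win = 1


def create_state(syn_seq, syn_win):
    """State created from the client's SYN; the server is not yet seen."""
    client, server = Side(), Side()
    client.seqlo = syn_seq
    client.seqhi = syn_seq + 1            # the SYN itself
    client.max_win = max(syn_win, 1)
    return client, server


def track(src, dst, seq, length, ack, win):
    """Return True if the gateway passes a packet from src to dst, updating
    the state the way pf does on acceptance."""
    end = seq + length
    if src.seqlo == 0:                    # first packet from this end
        src.seqlo = seq
        src.seqhi = end + max(1, dst.max_win)
        src.max_win = max(src.max_win, win)
    if dst.seqlo != 0:
        # Both ends seen: strict check against the window the peer advertised.
        ok = src.seqhi >= end and seq >= src.seqlo - dst.max_win
    else:
        # Peer never seen: the loose match tolerates one MAXACKWINDOW beyond
        # seqhi, but nothing ever slides seqhi, so this becomes a hard cap.
        ok = src.seqhi + MAXACKWINDOW >= end and seq >= src.seqlo - MAXACKWINDOW
    if ok:
        src.max_win = max(src.max_win, win)
        src.seqlo = max(src.seqlo, end)
        if ack + win >= dst.seqhi:        # slide what the other side may send
            dst.seqhi = ack + max(win, 1)
    return ok


def simulate(total_bytes, mss=1460, win=65535, asymmetric=False):
    """Client sends total_bytes to the server; with asymmetric routing the
    server's SYN-ACK and acks never cross the gateway."""
    client, server = create_state(syn_seq=1000, syn_win=win)
    cseq, sseq = 1001, 5001
    if not asymmetric:
        track(server, client, sseq, 1, cseq, win)   # SYN-ACK
        sseq += 1
    passed = dropped = sent = 0
    while sent < total_bytes:
        seg = min(mss, total_bytes - sent)
        if track(client, server, cseq, seg, sseq, win):
            passed += seg
            if not asymmetric:
                track(server, client, sseq, 0, cseq + seg, win)   # pure ack
        else:
            dropped += 1
        cseq += seg
        sent += seg
    return {"passed_bytes": passed, "dropped_segments": dropped}


if __name__ == "__main__":
    print("symmetric: ", simulate(200_000))
    print("asymmetric:", simulate(200_000, asymmetric=True))
```

With both directions visible every segment passes; with the server's acks routed around the gateway, the client gets about MAXACKWINDOW bytes through and everything after that is dropped, while a transfer smaller than that never notices, which matches the "fine at low rate, stalls on bulk transfers" symptom.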
Re: ftp throu transparent filtering bridge
Well, it certainly does the job! :) To Roman's initial question though, monitoring ftp connections is really an application layer problem/responsibility. pf is lower level and would need to implement (pretty much) a full protocol layer to monitor ftp. Anyway, there you have it.. check out ftpsesame :) A --- Camiel Dobbelaar <[EMAIL PROTECTED]> wrote: > > > > On Tue, 23 Nov 2004, Roman Marcinek wrote: > >Are there any smarted solutions I haven't found yet? I know that > > > linux's iptables make use of special connection tracking module for > ftp > > to handle that problem but ... is there anything like this for > OpenBSD? > > Ok, let me plug my own program again: > > http://www.sentia.org/ftpsesame > > > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
Re: question on pf filtering --> UDP keeping state
Just further to what Dave is saying, where can I read more about how the UDP 'keep state' actually works (short of sifting through the source code)? I am interested as I will be setting up a firewall next year sometime to handle 100,000's of simultaneous UDP connections so it is rather important that I understand the way this works. Thanks Andrew --- Dave Anderson <[EMAIL PROTECTED]> wrote: > ** Reply to message from Srikanth Sagiraju > <[EMAIL PROTECTED]> on Mon, 1 Nov 2004 19:37:30 -0500 > (EST) > > >I was looking at some of the sample pf rules given at: > >http://www.openbsd.org/faq/pf/queueing.html . > > > >On the same page in the second example (Ex2: Company network) there > is > >a rule that accepts DNS(port 53) requests from 'wwwserv' to any on > 'fxp1 > >inbound' as below: > ># filter rules for fxp1 inbound > >pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \ > > keep state > > > >But 'fxp0' does NOT allow any new 'outbound' connections except from > the > >'int_net'. Would that mean that DNS packets are not allowed outside > the > >firewall and the above rule was written in vein?? I am missing > >something here.. > > Note the 'keep state' at the end of that rule. This tells pf > (roughly > speaking) to allow further communication in both directions until the > tcp connection is terminated. (For udp, it allows 'related' > datagrams > in both directions -- I'm not sure exactly what the definition of > 'related' is, but it allows udp-based protocols to work.) > > Dave > > -- > Dave Anderson > <[EMAIL PROTECTED]> > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
Re: using the ! ("not") modifier
If you don't want any PCs on the LAN to access your server but for udp 53 (will mean you can't even SSH into the box) why don't you add something like: pass in quick on $int_if proto udp from $int_if:network to $int_if \ port $int_udp keep state block in quick on $int_if from any to $firewall_internal_ip Surely that is a better solution? Andrew --- Björn Ketelaars <[EMAIL PROTECTED]> wrote: > Hello, > > Im trying to setup a natting firewall in which the internal network > (int_if:network) *only* has access to the internet and udp-port 53 > (domain) on the firewall. When Im using pf.conf given beneath it is > possible to access all servers on the firewall... > > If I track a package (say tcp port 22 to $int_if) on the inbound > network > I will get the following: > > 1.) block log all > > default block policy > > 2.) pass in on $int_if proto udp from $int_if:network to $int_if port > > $int_udp keep state > > package is not accepted on $int_if because of tcp-port 22 > > 3.) pass in on $int_if from $int_if:network to !$int_if:network keep > state > > package is still not accepted because of !$int_if:network (=any > except > the internal network). > > Unfortunately, in the real world this does not work and the package > reaches its destination. Any suggestion? 
> > Kind regards, > > Björn > > > > > # macros > ext_if = "fxp0" > int_if = "de0" > > ext_tcp = "{ ftp, ssh, smtp, https, imaps }" > ext_icmp = "echoreq" > int_udp = "{ domain }" > > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 > }" > > # options > set block-policy return > set loginterface $ext_if > > # scrub incoming packets > scrub in all > > # nat/rdr > nat on $ext_if from $int_if:network to any -> ($ext_if) > > # setup a default block policy > block log all > > # loopback interface (lo0) > pass quick on lo0 all > > # external interface ($ext_if) > pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp > > flags S/SA keep state > pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type > $ext_icmp keep state > pass out on $ext_if proto tcp all modulate state flags S/SA > pass out on $ext_if proto { udp, icmp } all keep state > > # internal interface ($int_if) > pass in on $int_if proto udp from $int_if:network to $int_if port > $int_udp keep state > pass in on $int_if from $int_if:network to !$int_if:network keep > state > pass out on $int_if from any to $int_if:network keep state > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
Re:
Well, in such a small ruleset it won't really make bugger all of a difference. However, I assume this is an example of a principle you are using in a much larger set. With that in mind, I would opt to use the quick keyword. Everywhere I have read suggests using "quick" especially in large rulesets. Using quick as soon as you have matched a packet you want to let through or kick allows pf to move onto the next packet straight away. The additional benefit is that it is clearer to see what is happening. That is, without "quick" used, you trace a packet through and have to remember each rule it matches and overwrite the actions with actions from rules that match later on down the track. Anyway, there you go. andrew --- Björn Ketelaars <[EMAIL PROTECTED]> wrote: > Hello, > > Im trying to grasp the following two blocks of rules. If I > understand > correctly the main difference is that the first block of rules > dismisses > priv_nets by means of a drop, which means that the package is not > checked > by the following rules and in the second set of rules priv_net is > checked > until the end (and blocked). > > But which set is more efficient? 
> > # external interface ($ext_if) > block all > block drop in log quick on $ext_if from $priv_nets to any > block drop out log quick on $ext_if from any to $priv_nets > pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp > flags S/SA keep state > pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type > $ext_icmp keep state > pass out on $ext_if proto tcp all modulate state flags S/SA > pass out on $ext_if proto { udp, icmp } all keep state > > # external interface ($ext_if) > block all > pass in on $ext_if inet proto tcp from !$priv_nets to ($ext_if) port > $ext_tcp flags S/SA keep state > pass in on $ext_if inet proto icmp from !$priv_nets to ($ext_if) > icmp-type > $ext_icmp keep state > pass out on $ext_if from any to !$priv_nets keep state > > Kind regards, > > Björn > > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
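An added model (not pf code) of the two points raised in this thread and the one above it, last-match-wins and `quick`: a packet from a private source and one from a public source are run through both rulesets from the question, with the macros expanded and `($ext_if)` given a constructed address, and the evaluator reports which rule decided and how many rules were examined. `from !$priv_nets` is modelled as "not inside any listed network", the reading the question takes; pf's own treatment of a negated list, state, and the second pass on the other interface are not modelled.

```python
"""Model of how pf picks the rule that decides a packet: rules are tried
in order and the last match wins, unless a matching rule is `quick`.

Added example, not pf code.  The two rulesets are the ones from the
question above with the macros expanded: $ext_if=fxp0, $priv_nets as
listed, $ext_tcp = ftp ssh smtp https imaps; ($ext_if) is given the
constructed address 198.51.100.1.  Only the inbound filter pass on one
interface is modelled (no state, no NAT), and "from !$priv_nets" is
taken to mean "not inside any listed network".
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRIV_NETS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
EXT_TCP = [21, 22, 25, 443, 993]
EXT_IF_ADDR = "198.51.100.1"


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str = "any"            # "in", "out" or "any"
    iface: str = "any"
    proto: str = "any"
    src: list = field(default_factory=list)   # networks; empty means "from any"
    src_neg: bool = False             # "from !..."
    dst: list = field(default_factory=list)
    dst_neg: bool = False
    ports: list = field(default_factory=list) # destination ports; empty means any
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int = 0


def _addr_match(addr, nets, negated):
    if not nets:
        return True
    inside = any(ip_address(addr) in ip_network(n) for n in nets)
    return inside != negated


def rule_matches(r, p):
    return (r.direction in ("any", p.direction)
            and r.iface in ("any", p.iface)
            and r.proto in ("any", p.proto)
            and _addr_match(p.src, r.src, r.src_neg)
            and _addr_match(p.dst, r.dst, r.dst_neg)
            and (not r.ports or p.dport in r.ports))


def evaluate(rules, p):
    """Return (action, index of the deciding rule, rules examined).  With no
    match at all pf passes the packet, so the default is "pass"."""
    decision, winner = "pass", None
    for i, r in enumerate(rules):
        if rule_matches(r, p):
            decision, winner = r.action, i
            if r.quick:
                return decision, winner, i + 1
    return decision, winner, len(rules)


def block(**kw):
    return Rule("block", **kw)


def pass_(**kw):
    return Rule("pass", **kw)


# First ruleset from the question: early quick drops for private sources.
RULESET_A = [
    block(),
    block(direction="in", iface="fxp0", src=PRIV_NETS, quick=True),
    block(direction="out", iface="fxp0", dst=PRIV_NETS, quick=True),
    pass_(direction="in", iface="fxp0", proto="tcp", dst=[EXT_IF_ADDR], ports=EXT_TCP),
    pass_(direction="in", iface="fxp0", proto="icmp", dst=[EXT_IF_ADDR]),
    pass_(direction="out", iface="fxp0", proto="tcp"),
    pass_(direction="out", iface="fxp0", proto="udp"),
    pass_(direction="out", iface="fxp0", proto="icmp"),
]

# Second ruleset: the private sources are excluded inside each pass rule.
RULESET_B = [
    block(),
    pass_(direction="in", iface="fxp0", proto="tcp", src=PRIV_NETS, src_neg=True,
          dst=[EXT_IF_ADDR], ports=EXT_TCP),
    pass_(direction="in", iface="fxp0", proto="icmp", src=PRIV_NETS, src_neg=True,
          dst=[EXT_IF_ADDR]),
    pass_(direction="out", iface="fxp0", dst=PRIV_NETS, dst_neg=True),
]

if __name__ == "__main__":
    spoofed = Packet("in", "fxp0", "tcp", "10.5.5.5", EXT_IF_ADDR, 22)
    public = Packet("in", "fxp0", "tcp", "203.0.113.9", EXT_IF_ADDR, 22)
    for name, rules in (("A", RULESET_A), ("B", RULESET_B)):
        for p in (spoofed, public):
            print(name, p.src, evaluate(rules, p))
```

Both rulesets block the spoofed packet and pass the public one; the difference is in where evaluation stops: the `quick` drop in the first set decides after two rules, while the second set walks every rule and lets the last match stand.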
Re: Prohibiting outbound traffic
Hey there You have just forgotten that each packet goes through the rules set twice, once for the interface it comes in on and one for the interface it goes out on. So, you rdr rule is translating your outbound connections on that range of ports, then your anti-spoof check is blocking the packet. Let me explain by tracing an outbound (from your 10.0.0.101 workstation) packet through the rules set: 1. Ok, so your bitTorrent client on 10.0.0.101 sends out a packet ala: 10.0.0.101.6887 > \ c210-49-38-219.rochd2.qld.optusnet.com.au.59853 2. Hits the firewall and the first rule it matches is: pass in on $int_if from $int_if:network to any keep state 3. Then the packet (still with 10.0. address) routes over to the ext_if 4. Then it is NAT'd so the source address of 10.0.0.101 gets changed to "hydronium.demon.nl" 5. Then it hits the rdr rule of: > rdr on $ext_if proto tcp from any to any port 6881:6999 -> \ 10.0.0.101 port 6881:6999 and it matches as you have used "any" for the "from" qualifier (might want to try "! $int_if:network"). So the packet is rdr'd back to 10.0.0.101 but is still on the external interface card. 6. So, now the packet that is outbound on the external card but has had its destination address changed to 10.0.0.101 so it will be blocked and dropped by: > block drop out log quick on $ext_if from any to $priv_nets And that, as they say in the classics, is all folks. You might want to think about redoing your ruleset as it is a bit messy. Have a look at the pf guide. It has a good ruleset to start with. Available at: http://www.openbsd.org/faq/pf/index.html Hope that helps Andrew --- Björn Ketelaars <[EMAIL PROTECTED]> wrote: > Hello, > > In an effort to redirect some ports (6881:6999) to one of my > computers > (10.0.0.101) Im using pf.conf given beneath. Everything inbound > works > fine. 
There is just one strange thing when Im monitoring pflog0, > Im > receiving messages which indicate that outbound traffic originating > from > port 6887 (and others in the 6881:6999 range) is prohibited. Example > (hydronium.demon.nl is the firewall): > > 13:32:00.716083 hydronium.demon.nl.6887 > > c210-49-38-219.rochd2.qld.optusnet.com.au.59853: . ack 4223293259 win > > 65535 (DF) [tos 0x10] > > I do not fully understand why this happens, my config should pass all > > outbound traffic, but why not from this range? > > > # macros > ext_if = "fxp0" > int_if = "fxp1" > > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 > }" > > # options > set block-policy return > set loginterface $ext_if > > # scrub > scrub in all > > # nat/rdr > nat on $ext_if from $int_if:network to any -> ($ext_if) > nat on $ext_if from $wir_if:network to any -> ($ext_if) > > rdr on $ext_if proto tcp from any to any port 6881:6999 -> 10.0.0.101 > > port 6881:6999 > > # filter rules > block log all > > pass in on $ext_if inet proto tcp from any to 10.0.0.101 port > 6881:6999 > flags S/SA synproxy state > > pass quick on lo0 all > > block drop in log quick on $ext_if from $priv_nets to any > block drop out log quick on $ext_if from any to $priv_nets > > pass in on $int_if from $int_if:network to any keep state > pass out on $int_if from any to $int_if:network keep state > > pass out on $ext_if proto tcp all modulate state flags S/SA > pass out on $ext_if proto { udp, icmp } all keep state > > > Regards, > > Björn > Find local movie times and trailers on Yahoo! Movies. http://au.movies.yahoo.com
Re: Just how fast is pf?
Bonus! Well, that is good news and brings a smile to my face. As I have said before on this list, I just love working with pf!

Thanks for the links, I am going to look into that on Monday at work.

Mind me asking what type of machine you are running?

Andrew

--- Sean <[EMAIL PROTECTED]> wrote:
> A wrote:
> > Now, I know this question gets asked a lot by newbs but I have a
> > commercial reason for asking. Just how many connections can a high spec
> > PC with OBSD and pf handle from a filtering perspective?
> >
> > The company I work for is currently working on an online game that will
> > potentially have +100,000 concurrent users. We are looking at different
> > firewalls to help on the security side of things. A rather complex
> > cluster of different machines will manage these connections but, I am
> > wondering if OBSD would be able to sit in front of this cluster and act
> > as a border firewall. The ruleset itself would be very simple
> > (basically it would block everything except for a small number of known
> > UDP ports then "keep state").
> >
> > Would a single machine be able to handle that type of load? What sort
> > of CPU+RAM+NIC would be required? Alternatively, if a single machine
> > wouldn't cut the mustard, could an array of firewalls be set up?
>
> pf is plenty fast. we use a single pf firewall to filter 650+
> hits/second or about 30 MB/s of sustained traffic. The pf box doesn't
> even break the slightest sweat. Others here run intense setups without
> problem, too.
>
> What's most important is good NIC cards (buffering and interrupt
> generation for example) and RAM to hold states. Check out the pf FAQ:
>
> http://openbsd.org/faq/pf/perf.html
>
> Mike Frantzen posted a way to calculate the maximum number of states you
> have memory for (at least with 3.5, not sure if this is still true):
>
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=108576335204963&w=2
>
> cheers,
> Sean
Just how fast is pf?
Now, I know this question gets asked a lot by newbs but I have a commercial reason for asking. Just how many connections can a high spec PC with OBSD and pf handle from a filtering perspective?

The company I work for is currently working on an online game that will potentially have +100,000 concurrent users. We are looking at different firewalls to help on the security side of things. A rather complex cluster of different machines will manage these connections but, I am wondering if OBSD would be able to sit in front of this cluster and act as a border firewall. The ruleset itself would be very simple (basically it would block everything except for a small number of known UDP ports then "keep state").

Would a single machine be able to handle that type of load? What sort of CPU+RAM+NIC would be required? Alternatively, if a single machine wouldn't cut the mustard, could an array of firewalls be set up?

Thanks!

Andrew
Re: Top 10 reasons IPTABLES is better than PF
Gold Jerry.. GOLD!

Andrew

"Why do they call it ovaltine.. the cup is round, the tin is round... they should call it round-tine."

--- Jeff Simmons <[EMAIL PROTECTED]> wrote:
> 10. Parsing IPTABLES config files is excellent preparation for subsequent
> learning of Asian pictograph-based languages.
>
> 9. Standard logging via syslogd helps eliminate clutter in /var/log.
>
> 8. GPL prevents Steve Jobs from stealing your code.
>
> 7. Simplistic man pages encourage development of social skills via mailing
> lists.
>
> 6. Multiple distributions, versions, kernels, modules, plugins, etc. keep
> hackers confused as to exactly what they're attacking.
>
> 5. "Mangle" just sounds so much more 133+ than "Scrub".
>
> 4. Complexity of structure leads to more opportunities for obfuscation and
> subsequent job security.
>
> 3. New and experimental kernel modules make life exciting again.
>
> 2. GUI and Web based utilities mean that anyone can set one up without knowing
> what they're doing.
>
> And the number one reason IPTABLES is better than PF:
>
> 1. No distracting arguments about whether to port it to OpenBSD.
>
> --
> Jeff Simmons
> [EMAIL PROTECTED]
> Simmons Consulting - Network Engineering, Administration, Security
> "You guys, I don't hear any noise. Are you sure you're doing it right?"
> - My Life With The Thrill Kill Kult
Re: Linux port of pf
Hey there

I would certainly love to see pf ported. We run a number of linux servers and I like to have them run their own firewalls as a final line of defence. Unfortunately that means running iptables and, to be honest, I just can't stand that firewall. Simply having the firewall rules in one file (ala pf.conf) rather than executing commands to add rules to an in-memory list/table is just so much nicer. I am sure we have all had our "firewall.sh" file with one "/sbin/iptables BLAH" with a syntax error that then screws up the whole ruleset. Most annoying.

Add to that the wonderful pf syntax, the wicked speed (especially when keeping state), the shaping and, yeah, well, I see pf as just so much nicer. I am sure there are those that would disagree but I have just loved pf ever since I started using it.

So, yes, if anyone hears of anything of pf being ported to linux, do post to the list!

Andrew

--- Sean <[EMAIL PROTECTED]> wrote:
> Douglas Santos wrote:
> > On Tue, Oct 19, 2004 at 09:08:50PM +0100, Ed wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hello Guys,
> >>
> >> Has anyone ported pf for use on linux kernels? I like the firewall so
> >> much I want to use it on the debian systems.
> >
> > Why not use it on OpenBSD?
>
> That's a very helpful comment, Douglas.
>
> Anyway, to address the original poster's question, the only systems I've
> seen pf ported to are FreeBSD and NetBSD. There was some talk about
> porting pf to linux 2.6 on a security list early this year, but I
> haven't seen anything since.
>
> Sean
Re: blocking DHCP requests
Ahh, I see what you guys are talking about now. I should really read the whole thread before replying. Very interesting stuff.

A

--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 04, 2004 at 06:09:56PM +0200, Ed White wrote:
>
> > Who's right ?
>
> There's no contradiction that I can see, just imprecision :)
>
> You have to distinguish bpf listeners and raw socket readers vs. raw
> socket writers on input vs. output paths.
>
> On the input path you have
>
>   wire --> nic --> bpf / raw sock reader --> pf --> stack
>
> so bpf listeners and raw sock readers get packets before they are
> filtered by pf. If you run a vulnerable bpf listener on the firewall,
> pf doesn't protect it. Move it to a separate host behind the firewall.
>
> On the output path you have
>
>   stack --> raw sock writer --> pf --> bpf --> nic --> wire
>
> So a raw socket writer can't bypass pf. That's why you get nice errors
> when you try to run nmap with creative options on the firewall through
> pf's scrub. If anything, you could argue that this is asymmetric ;)
>
> On both paths, bpf is outermost, near the nic. That's crucial if you use
> bpf for debugging, like with tcpdump. Ideally, you'd want tcpdump to
> show what's on the wire (just look at how much confusion is caused by
> the small violation of that principle by hardware checksumming).
>
> You're arguing that we should punish those people that want to use
> tcpdump for debugging firewalls to make life more convenient for people
> who carelessly run services on firewalls that they really should move to
> separate boxes? I think I'm with those people that rather want to run
> tcpdump on the firewall itself (instead of inserting a sniffer on the
> wire each time they want to debug) than those that want to run bpf
> daemons on the firewall itself.
>
> Daniel
Re: blocking DHCP requests
Ahh.. how would _any_ software that uses IP (TCP or UDP) be able to "bypass" pf? Doesn't pf operate at layer 2 and 3? AFAIK, DHCP still ends up heading out of the client or server over the network as UDP packets on ports 67 & 68. eg: http://www.dhcp-handbook.com/dhcp_faq.html#wppdd

Andrew

--- Björn Ketelaars <[EMAIL PROTECTED]> wrote:
> > Does your dhcpd server listen on wi0 ?
> >
> > /Sigfred
> >
> > On Saturday 02 October 2004 18.28, you wrote:
> >> I'm trying to block wireless clients in using my DHCP-server. The
> >> problem is that these clients are still able to retrieve IP-information
> >> from the DHCP-server. If I understand the hereby included pf.conf,
> >> everything (except UDP domain and TCP ssh) is blocked from entering
> >> $wir_if (which comes from $wir_if:network). Doesn't this also mean that
> >> a DHCP-request is blocked? Any suggestions in what I'm missing?
>
> Hello,
>
> Indeed the DHCP-server does listen on wi0... If I understand correctly now,
> the DHCP daemon is written to use pcap instead of network sockets. This
> means that the offers sent out by the daemon can not be filtered(?).
>
> Quote from another user...
>
> "I know that the dhcp* subsystem was fundamentally written using pcap,
> so that it did not use normal network sockets to request and accept
> answers, at least I know that the dhcpclient worked this way for sure.
> I'm not sure that the dhcpd daemon worked this way, so this is
> something that deserves some follow-up... The dhcpclient in OpenBSD
> changed this in 3.5, I know because I had to put pf rules in place for
> the client to work on my DSL public interface. The dhcpd server may
> well use proper sockets at this time..."
>
> A simple solution to this problem would be to remove wi0 from
> dhcpd.interfaces, but I wonder; is it 'wise' to give daemons the option to
> 'bypass' pf?
Re: FTP clients behind PF can connect to ftp serves but cannot list files why?
If you have a little bit more complex setup, I found that FTP Sesame (google ftpsesame) worked a charm. ftp-proxy wasn't able to handle two way active and passive connections in my setup but ftpsesame has been going great guns. Handles several hundred inbound and several thousand outbound ftp connections a day.

Andrew

--- Mipam <[EMAIL PROTECTED]> wrote:
> On Wed, 29 Sep 2004, Siju George wrote:
>
> > hi all,
> >
> > I configured OpenBSD 3.5 PF as said in the FAQ.
> >
> > For the clients behind my PF firewall to access ftp servers I put this
> > line in the pf.conf file
> >
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
> >
> > I also have the following line uncommented from /etc/inetd.conf
> >
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
> >
> > Now the FTP clients behind the PF firewall can connect to the ftp
> > servers on the internet, the username is authenticated successfully, but
> > listing of files is not possible.
> >
> > It is not a problem with user permission because if I FTP from the
> > OpenBSD firewall itself as the same user to the same FTP server I am
> > able to list the files.
> >
> > I'll paste the output of ftp commands issued from both OpenBSD and a
> > client behind OpenBSD below. Domain names and user names are replaced
> > with "a " for the sake of security.
> >
> > Could someone please point out the trouble?
>
> Are you doing nat as well?
> You could try:
>
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
>
> And do you have a rule like:
>
> pass in on $ext_if inet proto tcp from any to $ext_if \
>     user proxy keep state
>
> It worked for me.
> Bye,
>
> Mipam.
Re: pf stuffing sendmail?
Hi

Yeah, have been studying the pflogs without any luck. No blocks registered from localhost.. indeed none on port 25 (except for packets with destination IPs inside the firewall). I would post the pf.conf but it is rather long.

Andrew

--- Sean <[EMAIL PROTECTED]> wrote:
> A wrote:
> > Hey all
> >
> > I don't know if this is a pf question but I think pf might be causing
> > it so here comes the question.
> >
> > I have recently started to notice a stack of the following popping up
> > on the logging server from the border firewall. It runs OBSD 3.5 with a
> > pf ruleset.
> >
> > The log messages (usually several hundred a day) are (2 examples)
> >
> > Sep 28 06:01:17 draco sm-msp-queue[28462]: i8OJU1Xl011892: to=root,
> > delay=3+00:30:01, xdelay=00:00:00, mailer=relay, pri=13083226,
> > relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection timed out with
> > [127.0.0.1]
> >
> > Sep 28 06:01:17 draco sm-msp-queue[28462]: i8OJU1Xm011892:
> > to=postmaster, delay=3+00:29:59, xdelay=00:00:00, mailer=relay,
> > pri=13084892, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection
> > timed out with [127.0.0.1]
> >
> > Now, I originally thought that sendmail had stopped accepting
> > connections but no, it is still doing that. I can "telnet localhost 25"
> > and it happily answers back:
> >
> > border# telnet localhost 25
> > Trying ::1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 border.x.com ESMTP Sendmail 8.12.11/8.12.11; Wed, 29 Sep 2004
> > 09:27:45 +1000 (EST)
>
> What does a tcpdump of pflog tell you?
>
> http://openbsd.org/faq/pf/logging.html
pf stuffing sendmail?
Hey all

I don't know if this is a pf question but I think pf might be causing it so here comes the question.

I have recently started to notice a stack of the following popping up on the logging server from the border firewall. It runs OBSD 3.5 with a pf ruleset.

The log messages (usually several hundred a day) are (2 examples):

Sep 28 06:01:17 draco sm-msp-queue[28462]: i8OJU1Xl011892: to=root, delay=3+00:30:01, xdelay=00:00:00, mailer=relay, pri=13083226, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection timed out with [127.0.0.1]

Sep 28 06:01:17 draco sm-msp-queue[28462]: i8OJU1Xm011892: to=postmaster, delay=3+00:29:59, xdelay=00:00:00, mailer=relay, pri=13084892, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection timed out with [127.0.0.1]

Now, I originally thought that sendmail had stopped accepting connections but no, it is still doing that. I can "telnet localhost 25" and it happily answers back:

border# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 border.x.com ESMTP Sendmail 8.12.11/8.12.11; Wed, 29 Sep 2004 09:27:45 +1000 (EST)

I am actually not sure what is even trying to send email as the only things running on the box are pf and some IP accounting stuff. I guess it is the OBSD standard security/cron scripts.

The pf.conf is deny by default but I have a line:

pass quick on lo0 all

..so connections from the box to itself should be fine.

So, yeah, any ideas?

thanks!

A

PS. I have googled around and can't seem to find much. eg tried all the things in these:

http://www.monkey.org/openbsd/archive/misc/0405/msg01275.html
http://www.mailarchive.ca/lists/comp.mail.sendmail/2003-08/0826.html
http://monkey.org/openbsd/archive/misc/0308/msg00314.html

And in /etc/hosts I have a line:

127.0.0.1 localhost.localdomain localhost
Re: preventing state runaway
JW> Summer is over. School is back in session. The 4,500 students behind my
JW> OpenBSD 3.5 pf firewall are mostly settled into their dorm rooms. My
JW> nightmare begins. A single Blaster infection can spray out thousands of
JW> connections in seconds. One sad day, I had to reboot my firewall three or
JW> four times before we could identify and disconnect the offending
JW> student(s).

hmm ... what about just

block in quick proto tcp from any to any port {135, 137, 445}

works fine for me

Ilya A. Kovalenko
SOLVED: TODO: pass unidir. TCP connections
Hurray! Solved by the following change:

- pass in proto tcp from  to  keep state
+ pass out proto tcp from  to  keep state

I think the community NEEDS documentation about PF's stateful inspection, its internal organization, possibilities and limitations. Documentation, not a mailing list archive (I guess nobody needs the difference explained).

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service

For archives:

IAK> I'm trying to pass any outgoing TCP connections from my
IAK> office () onto campus network () sites,
IAK> but block any incoming connections from campus to office.
IAK> Can I use for it a PF ruleset like this (on a 2-interfaced GW
IAK> between office & campus):
IAK>
>> block in all
>> block return-rst in proto tcp all
>>
>> pass in on lo0 all
>>
>> pass in from  to
>> pass in from  to
>> pass in from  to
>>
>> pass in proto tcp from  to  keep state
IAK>
IAK> I suppose that the last rule would create state for the
IAK> outgoing connection and pass all campus packets for it.
IAK> But it seems it does not work ... or I missed some other
IAK> factors.
IAK>
IAK> tcpdump(8) shows this interchange:
IAK>
IAK>   OFFICE        __________        CAMPUS
IAK>                |          |
IAK>   SYN ->       |    GW    |       -> SYN
IAK>                |          |       <- SYN ACK
IAK>                |          |       -> RST
IAK>   and          |          |
IAK>     again      |          |
IAK>                |          |
IAK>   SYN ->       |          |       -> SYN
IAK>                |          |       <- SYN ACK
IAK>                |__________|       -> RST
IAK>
IAK> Should such a ruleset work?
IAK>
IAK> Previously, I've used a construction like this
>> pass in proto tcp from  to
>> block in proto tcp from  to  flags S/SA
IAK> but it has a security issue - a public host could send a spoofed
IAK> TCP packet, to which the internal host responds with RST.
IAK> So the public host could perform a ping-scan (by nmap, for example)
IAK> of the internal network.
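An added ruleset example, not from the thread, that writes out the change above as a complete two-interface gateway configuration. The post leaves the interface names and the office and campus prefixes blank, so the names and addresses here are assumptions.

```pf
# Added example, not part of the original post.
# Assumed: office_if/campus_if are the gateway's two interfaces and
# office_net/campus_net are the two prefixes the post leaves blank.
office_if  = "fxp0"
campus_if  = "fxp1"
office_net = "10.10.0.0/24"
campus_net = "10.20.0.0/16"

# Default deny in both directions. TCP that is not allowed gets a RST
# back instead of silently timing out.
block in all
block out all
block return-rst in proto tcp all

pass in  on lo0 all
pass out on lo0 all

# Office -> campus TCP. The SYN is passed in statelessly on the office
# side and the state is created on the way OUT of the campus interface.
# The SYN-ACK arriving on campus_if is matched against the state table
# before any rule is evaluated, so it never reaches "block return-rst in",
# which is what produced the RST in the tcpdump above.
pass in  on $office_if proto tcp from $office_net to $campus_net
pass out on $campus_if proto tcp from $office_net to $campus_net \
    flags S/SA keep state

# Nothing passes campus -> office statelessly, so a spoofed packet from
# the campus side cannot reach an office host and elicit a RST from it.
# Non-TCP traffic is intentionally left blocked in this example.
```

The state is floating by default, so it is matched on both interfaces; "pfctl -ss" after the first connection shows a single ESTABLISHED:ESTABLISHED entry for it rather than a half-open one. If "set state-policy if-bound" is in use, the reply on campus_if would not match a state created on office_if, and a pass out on the campus interface, as above, is the form that works.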
Re: Holes or left overs?
Hey guys

Yeah, I will be hunting down the file sharers. I know that we sometimes put updates to our products on P2P networks but the most probable use is illegitimate.

Leaving that issue to one side for a moment, the hits from external hosts with source port of 80, are they just from left over web traffic? Or are there some cunning scanners that are tailing in on a "keep state"? I am thinking not as I have looked at how the state table is checked and it would be hard to trick it.

Thoughts?

A

--- Greg Hennessy <[EMAIL PROTECTED]> wrote:
> On 19 Aug 2004 12:02:20 -0700, [EMAIL PROTECTED] (Shawn K.
> Quinn) wrote:
>
> > Second, there are legitimate non-copyright-infringing uses for both
> > Gnutella and BitTorrent (I use the latter for legitimate purposes on a
> > semi-regular basis).
>
> Exceedingly rare in a commercial environment.
>
> > I really think we could do without the implication
> > that everyone who uses these services is doing so to infringe
> > copyright.
>
> One can pretty much guarantee with almost 100% certainty that such traffic
> is *not* being used for legitimate purposes in a commercial setting.
>
> greg
> --
> It is my part - no
> My part - no
> Because that is my part - no
> My part - no
TODO: pass unidir. TCP connections
Good day,

I'm trying to pass any outgoing TCP connections from my office () onto campus network () sites, but block any incoming connections from campus to office.

Can I use for it a PF ruleset like this (on a 2-interfaced GW between office & campus):

> block in all
> block return-rst in proto tcp all
>
> pass in on lo0 all
>
> pass in from  to
> pass in from  to
> pass in from  to
>
> pass in proto tcp from  to  keep state

I suppose that the last rule would create state for the outgoing connection and pass all campus packets for it. But it seems it does not work ... or I missed some other factors.

Should it work?

Previously, I've used a construction like this

> pass in proto tcp from  to
> block in proto tcp from  to  flags S/SA

but it has a security issue - a public host could send a spoofed TCP packet, to which the internal host responds with RST. So the public host could perform a ping-scan (by nmap, for example) of the internal network.

(feel free for any RTFM links)

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service
TODO: pass unidir. TCP connections
Addition (GW behavior description):

[ ... skipped ... ]

  outgoing connection and pass all campus packets for it.
  But it seems it does not work ... or I missed some other factors.
+
+ tcpdump(8) shows this interchange:
+
+   OFFICE        __________        CAMPUS
+                |          |
+   SYN ->       |    GW    |       -> SYN
+                |          |       <- SYN ACK
+                |          |       -> RST
+   and          |          |
+     again      |          |
+                |          |
+   SYN ->       |          |       -> SYN
+                |          |       <- SYN ACK
+                |__________|       -> RST
+
- Should it work?
+ Should such a ruleset work?

  Previously, I've used a construction like this

[ ... skipped ... ]

-----
Ilya A. Kovalenko
Holes or left overs?
Hey all

I recently implemented an OBSD 3.5 border firewall at work. It all went well apart from a 3 minute cold sweat where packets weren't routing.. because I had a typo when throwing the router's IP into /etc/mygate! ;)

Anyway, the wall is up and blocking away but I am still seeing quite a lot of logged hits on the secondary firewall that sits between the internal corporate LAN and the OBSD firewall (and subsequently router and internet). The LAN is a private class C subnet running through a secured linux box with NAT and firewall/logging.

The main source ports of the hits are 80 (web), 6346 (Gnutella) and 6889 (bit torrent) but there are other random ports as well.

The only reference to the NAT box in pf.conf is:

pass in quick on $int_if proto {tcp udp} from $box port >= 1024 to \
    any keep state
pass out quick on $ext_if proto {tcp udp} from $box port >= 1024 to \
    any keep state

NB: There are plenty of other rules for all the other servers but $box is only referred to in these two lines.

So, what are these hits? Are they just the outside server sending a left-over packet after the client has actually closed the connection or does it sound like a hole?

Any help would be great!

Thanks!

Andrew
ftp-proxy on a non NAT'ing firewall - can it work?
Hey there all

Well, after a little hiccup with a RAID failing (gotta love hardware), I have had a few minutes to revisit my ftp/ftp-proxy problem. Unfortunately, the time away has not provided adequate clarity and I am posting to the list for some help on that front! ;)

SETUP

OpenBSD 3.5 firewall setup for a border firewall NOT doing any NAT (just routing packets from one NIC to the next) with a PC on each side of it. ie:

Test PC/ftp client              OBSD BOX                          Test FTP Server
192.168.1.2  <->  192.168.1.1 (int)   192.168.2.1 (ext)  <->  192.168.2.2

CURRENT STATE OF PLAY

With the test ruleset at the end of this email, I get the following:

- Internal client using an ACTIVE FTP connection. Connection and control channel work fine. Data connection is there but is _way_ slow when uploading a file to the external test server. Only getting a transfer of 103KB/s when uploading whereas I am getting 9,000KB/s when downloading the same file.

- Internal client using a PASV FTP connection - Connects and control connection established fine. No data connection made.

TCPDUMPS

* Active FTP connection from 192.168.1.2 to 192.168.2.2

If I do a tcpdump I can see the FTP proxy doing its job. Packets are heading for port 21 on the external server, the redirection kicks in and the ftp-proxy then connects to the external server. The server then responds, the ftp-proxy gets the response and forwards it to the internal client (with IP address of 192.168.2.2 still intact - according to a tcpdump on the internal machine). When a download or upload occurs however the IP is changed to the OBSD internal address. Is that supposed to happen? That is, a dump on the internal machine shows:

Control connection:
192.168.1.2.51446 > 192.168.2.2.21
192.168.2.2.21 > 192.168.1.2.51446

Data connection:
192.168.1.1.51126 > 192.168.1.2.3293
192.168.1.2.3293 > 192.168.1.1.51126

* Passive FTP connection from 192.168.1.2 to 192.168.2.2

I think the ftp-proxy is missing the data connection all together; I have tried with the -n option in inetd.conf as well. Does ftp-proxy assume masquerading will take care of it? The control connection works fine. The redirection occurs, ftp-proxy grabs the control connection then connects to the external server. When it comes time for the data connection to start, the internal machine sends its packets to the external machine BUT ftp-proxy does nothing. As such, the ftp server on the other side gets a connection from an incorrect IP and, quite correctly, sends a RESET back and the ftp client reports "Connection Refused".

TCPDump from the internal client machine:

Control connection (no problems, ftp-proxy is changing the addresses on each side and all is well):
192.168.1.2.3332 > 192.168.2.2.21: S
192.168.2.2.21 > 192.168.1.2.3332: S
192.168.1.2.3332 > 192.168.2.2.21: . ack
192.168.2.2.21 > 192.168.1.2.3332: P

Data connection attempt (external ftp server is receiving packets from 192.168.1.2 instead of 192.168.2.2 where the connection was originally made):
192.168.1.2. > 192.168.2.2.61689: S ...
192.168.2.2.61689 > 192.168.1.2.: R ...

QUESTIONS

1. Am I just beating my head against a wall here? Is getting active and passive from internal FTP clients even possible when pf is used in a border firewall type situation with no NAT going on? Is ftp-proxy the correct option?

2. If ftp-proxy is the correct option, pointers please. And why is the upload in active ftp going so slowly?

3. Failing the use of ftp-proxy, is the best course of action to just allow traffic in for >=1024 ports to clients using active ftp? (I don't really want to do this and it would be a last resort)

Any help would be greatly appreciated please guys!

Thanks,

Andrew

TEST RULESET (using two private addresses for now)

ext_if = "xl0"
ext_ip = "192.168.2.1"
ext_net = "192.168.2.1/24"
int_if = "xl1"
int_ip = "192.168.1.1"
int_net = "192.168.1.1/24"

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021

block in log all
block out log all

# FTP-PROXY rules (for internal ftp clients connecting to external FTP servers)
# Allow redirections to the proxy server on this machine
pass in quick log on $int_if proto tcp from $int_net \
    to 127.0.0.1 port 8021 keep state

# Outbound connections owned by ftp-proxy (user proxy) are ok on int card (to
# clients) and ext card (to ext servers)
pass out quick log on $ext_if proto tcp from any to any \
    user proxy keep state
pass out quick log on $int_if proto tcp from any to any \
    user proxy keep state

# FTP connections coming back to ftp-proxy (user proxy) owned processes are ok
pass in quick log on $ext_if proto tcp from any to any \
    user proxy keep state
pass in quick log on $int_if proto tcp from any to any \
    user proxy keep state

# LOOPBACK - Pass traffic on the loopback interface in either d
ruleset tracing
Greetings,

Reckon this a mad idea, but is there any possibility/idea for PF-ruleset "tracing" - automatically finding out the last matching rule for specific packet(s), on the active (kernel) ruleset or on a ruleset loaded into some kind of "filter emulation"?

Best regards,
Ilya A. Kovalenko
Re: NAT question
Hey there

You would clone the ethernet card on the OpenBSD firewall to have the extra addresses and then redirect based on the IP and the port number. Have a look at http://openbsd.org/faq/pf/index.html and specifically http://openbsd.org/faq/pf/nat.html . I believe something like this will work:

nat pass on interface [external_if] from any to \
    83.146.42.163 port 25 -> 192.168.0.20

Andrew

--- Ed <[EMAIL PROTECTED]> wrote:
> I have been given this as a spec for the network layout:
>
>                     | 217.205.140.x/32
>         +-----------+-----------+
>         |  netgear adsl router  |
>         +-----------+-----------+
>                     | 83.146.42.160/28
>                     |
>                     | 83.146.42.161
>         +-----------+-----------+
>         | openbsd firewall box  |
>         +-----------+-----------+
>                     | 192.168.0.0/24
>                     |
>    +--------+-------+---------+--------+
>    |        |                 |        |
>    |  +------------------+ +------------------+  |
>    |  | 192.168.0.21/24  | | 192.168.0.22/24  |  |
>    |  | 83.146.42.163:80 | | 83.146.42.163:21 |  |
>    |  +------------------+ +------------------+  |
>    |                                             |
> +------------------+                 +-------------------+
> | 192.168.0.20/24  |                 | 192.168.0.0/24    |
> | 83.146.42.163:25 |                 | nat 83.146.42.162 |
> +------------------+                 +-------------------+
>
> The leaf nodes on 192.168.0.0/24 which have the address 83.146.42.163:x
> are specific port numbers which should go to the LAN IP. Part of the
> reason for this is to make better use of the /28 IP space.
>
> However, I have no idea how to implement this in pf, can someone help me
> please?
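An added configuration example, not from the thread and not Andrew's rule, for the layout in Ed's diagram: one rdr per public port on 83.146.42.163, and a nat rule that puts the rest of the LAN behind 83.146.42.162. The addresses are the ones in the diagram; the interface names and the choice of fxp cards are assumptions. Both extra public addresses must be configured as aliases on the external interface so the firewall answers ARP for them on the router's /28.

```pf
# Added example, not part of the original thread.
# Interface names are assumed; addresses come from Ed's diagram.
ext_if   = "fxp0"            # 83.146.42.161 plus aliases .162 and .163
int_if   = "fxp1"            # firewall side of 192.168.0.0/24
lan      = "192.168.0.0/24"
nat_ip   = "83.146.42.162"
svc_ip   = "83.146.42.163"
web_srv  = "192.168.0.21"
ftp_srv  = "192.168.0.22"
mail_srv = "192.168.0.20"

# Before loading this, give the external interface the two extra
# addresses, e.g.
#   ifconfig fxp0 inet alias 83.146.42.162 netmask 255.255.255.255
#   ifconfig fxp0 inet alias 83.146.42.163 netmask 255.255.255.255
# and make them persistent in /etc/hostname.fxp0.

# Outbound LAN traffic leaves as 83.146.42.162.
nat on $ext_if from $lan to any -> $nat_ip

# Inbound connections to 83.146.42.163 are split by destination port.
rdr on $ext_if proto tcp from any to $svc_ip port 80 -> $web_srv  port 80
rdr on $ext_if proto tcp from any to $svc_ip port 21 -> $ftp_srv  port 21
rdr on $ext_if proto tcp from any to $svc_ip port 25 -> $mail_srv port 25

block in  log all
block out log all
pass quick on lo0 all

# Filter rules see the packet after translation, so they match the
# private destination, not 83.146.42.163.
pass in on $ext_if proto tcp from any to $web_srv  port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_srv  port 21 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state

# LAN out to anywhere; the nat rule above rewrites the source address.
pass in on $int_if from $lan to any keep state

# Packets leaving either interface that belong to a state created by one
# of the "pass in ... keep state" rules above, and the firewall's own
# outbound traffic.
pass out keep state
```

The port-21 rdr carries only the FTP control connection; active-mode data connections opened back towards the client still need the ftp-proxy arrangement discussed in the other FTP threads on this page. Check the result with "pfctl -sn" (translation rules) and "pfctl -sr" (filter rules) after loading.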
Re[2]: Inet on table
CB> But the real question I have is why do you need that.
CB> You can just do the opposite table:
CB> table { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}
CB> And then use the table in negative rules, like:
CB> pass in from !

hmm, yes, it's a better idea.
Inet on table
Good time of day,

I want to define a table that includes all Internet IP addresses (i.e. all except fake ones). An excludes-only table does not work.

table {!192.168.0.0/16 !172.16.0.0/12 !10.0.0.0/8}

How can I add all IP addresses onto the table?
"any" causes an error
"0/0" does not work (as said in the FAQ)
the construction "0/1 128/1" seems to work

How should I do it?

Thank you.

Ilya A. Kovalenko
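An added example, not from the thread, of the two ways to express "every Internet address" that the question and its reply discuss: a table of the private prefixes that is negated in the rule, and the 0/1 plus 128/1 workaround with "!" entries. The interface name and the table names are assumptions.

```pf
# Added example, not part of the original post. ext_if is assumed.
ext_if = "fxp0"

# A table made only of "!" entries matches nothing (as the question
# found): negated entries only carve holes out of positive entries in
# the same table. Put the private prefixes in the table and negate the
# table in the rule instead.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Any source that is NOT private is treated as Internet.
pass in on $ext_if proto tcp from ! <private> to any port 25 \
    flags S/SA keep state

# The same private space should never arrive on the outside interface
# as a source address.
block in log quick on $ext_if from <private> to any

# The workaround from the question, written out: 0/1 and 128/1 together
# cover all of IPv4, and the "!" entries then subtract the private space.
table <internet> const { 0.0.0.0/1, 128.0.0.0/1, \
    !10.0.0.0/8, !172.16.0.0/12, !192.168.0.0/16 }
pass in on $ext_if proto tcp from <internet> to any port 80 \
    flags S/SA keep state
```

"pfctl -t private -T test 10.1.2.3" and "pfctl -t internet -T test 10.1.2.3" show whether a given address matches each table, which is the quickest way to confirm the two forms agree before relying on either in a pass rule.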
Yet another FTP and ftp-proxy question
Hi

Firstly, I would like to say hi. I work at a computer software company in Australia.

Now, I have read the manual (repeatedly) and I have also searched the mailing list archives and lots on google. While I can find plenty about FTP and NAT, I can't find what to do when you are not using NAT and have FTP servers and clients behind the firewall.

With that out of the way, I was hoping to get some help with a new firewall and some FTP woes. The firewall is a border firewall as follows:

Internet
   |
Router
   |
Firewall (this is the box in question. Running OpenBSD 3.5)
   |
External servers (all have valid external IP addresses)

NB: There is also a NAT box in the "external server" pool that is the gateway between our internal network (about 100 workstations) and the net.

I have written a deny based ruleset for the firewall. All parts (mail, web, DNS, nmap scan blocking, etc) are all good and working well.. except for the ever problematic FTP. I have tried a number of different combinations and all seem to have one problem or another. I need to:

- allow active FTP connections from the net to the FTP servers;
- allow passive FTP connections from the net to the FTP servers;
- allow active FTP connections from internal clients to FTP servers on the internet; and
- allow passive FTP connections from internal clients to FTP servers on the internet.

In addition to trying heaps of combinations and reading the tcpdump of the pf logs, I have also looked at tcpdumps on the internal machine, the firewall and the external machine to try and understand where the FTP connections are going and therefore which rules are required. I am now rather confused. :(

I have also noticed that some combinations work for some connection types but not all, or seem to work for a connection type but slow the transfer rate down to around 40kB/s from 5,000kB/s (over 100Mbps ethernet in the test lab at the moment).

If someone could suggest some appropriate rules and, if you have time, I would love to be pointed to a website or otherwise read about how ftp-proxy actually works. It _seems_ from the tcpdumps that in certain cases it passes the ftp data connections straight through although that might just be some misconfigured rules.

Anyway, thanks in advance and sorry if that was too long but I wanted to be thorough.

Andrew

--

The best rule combination I have tried is below. FTP servers are configured to limit high ports to 49152 -> 65534 and ftp-proxy is configured in inetd.conf (I tried it with and without the -n property even though I am not masquerading):

ftpbox = 192.168.1.112
ftp2box = 192.168.1.111
ftphighports = "49152:65534"
ftpservers = "{" $ftpbox $ftp2box "}"
ftpports = "{ 20 21 }"

TAKE ONE - FOR FTP SERVERS

## This (understandably) only works for active ftp connections
## to the ftp servers
pass quick proto tcp from any to $ftpservers port $ftpports \
    keep state

TAKE TWO - FOR FTP SERVERS

pass in log quick on $ext_if proto tcp from any to $ftpservers \
    port $ftpports keep state
pass out log quick on $int_if proto tcp from any to $ftpservers \
    port $ftpports keep state
pass in log quick on $ext_if proto tcp from any to $ftpservers \
    port $ftphighports keep state
pass out log quick on $int_if proto tcp from any to $ftpservers \
    port $ftphighports keep state

TAKE THREE - FOR FTP CLIENTS

rdr on $int_if proto tcp from $int_net to any \
    port 21 -> 127.0.0.1 port 8021
#(ftp-proxy is configured in inetd.conf)
pass in quick log on $int_if proto tcp from $int_net to \
    127.0.0.1 port 8021 keep state
pass out quick log on $ext_if proto tcp from any to any \
    user proxy keep state
pass out quick log on $int_if proto tcp from any to any \
    user proxy keep state

END
RE: pf macro syntax problems
I think you're missing a comma in between $host1 and $host2. It should be:

all_hosts = "{ $host1, $host2 }"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Russell Sutherland
Sent: Wednesday, June 30, 2004 2:00 AM
To: [EMAIL PROTECTED]
Subject: pf macro syntax problems

According to the pf FAQ:

Macros can be defined recursively. Since macros are not expanded within quotes the following syntax must be used:

host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

However, when one tries to use this syntax to create a list of networks, a syntax error occurs when checking the rule set using pfctl:

# cat nets.conf
netA = "18.100.0.0/16"
netB = "12.150.0.0/16"
netC = "12.151.0.0/16"
nets = "{" $netA $netB $netC "}"
# pfctl -nvf ./nets.conf
netA = "18.100.0.0/16"
netB = "12.150.0.0/16"
netC = "12.151.0.0/16"
./nets.conf:5: syntax error

How does one create a macro to expand to a list of networks?

--
Russell P. Sutherland          Email: russ @ madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102       Voice: +1.416.978.0470
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1            WWW: http://madhaus.cns.utoronto.ca/~russ
CANADA
HFSC on PF FAQ
Greetings,

Shall we ever see the HFSC scheduler in the PF FAQ Queueing section?

Thank you.

Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. JSC Oganer-Service
Re: Per direction rule counters in PF
MOB> Does anyone know how to account per-direction traffic with PF?
MOB> Imagine I have a rule:
MOB> pass in on $int_if from $some_machine to any keep state label some-machine
MOB> When I invoke /sbin/pfctl -sl I get something like:
MOB> some-machine 5904 2510 130379
MOB> where 130371 (the last number) is the TOTAL traffic that was generated by
MOB> the named rule.
MOB> I wish I could know the amount of incoming traffic for that machine
MOB> separately from the outgoing.

AFAIK - write two rules (one for each direction) and don't use "keep state".
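One way to put the reply's suggestion to work, as an added example that is not from the original thread: two labelled rules without keep state, plus a small awk reader for the four-column "pfctl -sl" output shown in the question (label names and the sample counters are constructed).

```shell
#!/bin/sh
# Added example, not part of the original thread: the "one rule per
# direction, no keep state" approach from the reply, with a small awk
# reader that turns "pfctl -sl" output into in/out byte counts per host.
# Assumes the four-column "label evals pkts bytes" format shown in the
# question; label names and the sample counters below are constructed.

# Ruleset fragment: each direction gets its own label, and neither rule
# keeps state, so every packet is evaluated and counted by the rule for
# its own direction instead of by a state created by the other one.
# ($int_if and $some_machine are the macros from the question.)
RULES='pass in  on $int_if from $some_machine to any label "some-machine-in"
pass out on $int_if from any to $some_machine label "some-machine-out"'

# Read "pfctl -sl" lines on stdin and print "<host> in=<bytes> out=<bytes>",
# one line per host, sorted. Only labels ending in -in or -out count.
per_direction() {
    awk '
        NF >= 4 && $1 ~ /-(in|out)$/ {
            host = $1
            if (sub(/-out$/, "", host)) dir = "out"
            else { sub(/-in$/, "", host); dir = "in" }
            bytes[host, dir] += $4
            seen[host] = 1
        }
        END {
            for (h in seen)
                printf "%s in=%d out=%d\n", h, bytes[h, "in"] + 0, bytes[h, "out"] + 0
        }' | sort
}

# Constructed sample of "pfctl -sl" output (label, evals, packets, bytes).
SAMPLE='some-machine-in 5904 2510 130379
some-machine-out 5904 2300 98765
other-box-in 12 4 240
other-box-out 12 6 1100'

printf '%s\n\n' "$RULES"
printf '%s\n' "$SAMPLE" | per_direction
```

Later pf releases print per-direction packet and byte columns in "pfctl -sl" themselves; the reader above only needs the fourth column, so it ignores any extra ones.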
Re: Identical MAC addresses, 2 different systems
> I don't think there are "private" MAC addresses as there are for private IPs. But you can certainly try filling the first three pairs "ff:ff:ff:". I don't think that represents a vendor or not, but it gives your MAC addresses some consistency.
>
> Diego

You can assign a new MAC address, with the following precaution: bit 46 must be 1 (this means: locally administered). Burned-in addresses come with bit 46 set to 0. (Bit 46 is the second bit of the OUI section.)

I don't know if your system supports any way to modify MAC addresses, but this subject has been discussed previously on this list, so a Google search should give some positive results (there is a C program floating around that is reported to work on many cards).

Regards,
Rodrigo A. Guzmán
Salta - Argentina
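An added example, not from the original thread, for checking and setting the flag the reply describes: the locally administered (U/L) bit, which is the second bit of the first octet in wire order, 0x02 in the usual hex notation. The addresses used are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread: check and set the
# "locally administered" flag on a MAC address. That flag is the second
# bit of the first octet in wire order, 0x02 in the usual hex notation;
# the first bit, 0x01, is the individual/group (multicast) flag and must
# be 0 for a unicast address. Sample addresses below are constructed.

# Validate "xx:xx:xx:xx:xx:xx"; return 2 and complain on anything else.
check_mac() {
    if printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
        return 0
    fi
    echo "malformed MAC address: $1" >&2
    return 2
}

# Print 1 if the locally administered flag is set, 0 if not.
is_locally_administered() {
    check_mac "$1" || return 2
    first=$(( 0x${1%%:*} ))
    echo $(( (first & 2) != 0 ))
}

# Print a locally administered unicast variant of the address: set the
# U/L flag (0x02), clear the I/G flag (0x01), keep the other five octets.
# A first octet of ff (as in the "ff:ff:ff:" suggestion quoted above)
# has the I/G flag set, which is why it is cleared here.
locally_administered_mac() {
    check_mac "$1" || return 2
    first=$(( 0x${1%%:*} ))
    rest=$(printf '%s' "${1#*:}" | tr 'A-F' 'a-f')
    printf '%02x:%s\n' $(( (first | 2) & ~1 )) "$rest"
}

for mac in 00:11:22:33:44:55 ff:ff:ff:33:44:55; do
    new=$(locally_administered_mac "$mac")
    printf '%s -> %s (locally administered: %s)\n' \
        "$mac" "$new" "$(is_locally_administered "$new")"
done
```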
Re: Remotely Counting Machines Behind Nat
I don't think 'modulate state' foils OS fingerprinting. If you look at p0f (http://lcamtuf.coredump.cx/p0f.shtml), you'll see that it uses things like window size, TTL, SYN packet size, and some OS-specific quirks to identify OSes by their TCP SYN packet. (I think this is reliable, as OpenBSD uses the same OS fingerprint file as p0f, I believe.) Since 'modulate state' doesn't touch any of these, as far as I know, it doesn't help prevent OS detection. It does greatly increase security, but doesn't aid in preventing passive OS fingerprinting.

----- Original Message -----
From: "Todd Stratton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, February 20, 2004 5:31 PM
Subject: Re: Remotely Counting Machines Behind Nat

> Shouldn't the "modulate state" option foil fingerprinting via ISNs since
> it creates random ones? I don't think there is an acceptable way to
> normalize the TCP window size... Then you'd be messing with buffer
> management at the endpoints. You'd have to proxy for that.
>
> from man 8 pf.conf:
> Much of the security derived from TCP is attributable to how well the
> initial sequence numbers (ISNs) are chosen. Some popular stack
> implementations choose very poor ISNs and thus are normally susceptible
> to ISN prediction exploits. By applying a modulate state rule to a TCP
> connection, pf(4) will create a high quality random sequence number for
> each connection endpoint.
>
> The modulate state directive implicitly keeps state on the rule and is
> only applicable to TCP connections.
>
> TRS
Re: Remotely Counting Machines Behind Nat
Yes, I've tried this, but have run into some troubles. My ruleset is below, and here's the setup.

Box A is Windows XP behind the NAT with IP of 192.168.0.5, plugged into Hub A.
Box B is the FreeBSD pf/NAT box; int_if is 192.168.0.1 plugged into Hub A, ext_if is 10.12.4.61 plugged into Hub B.
Box C is a FreeBSD box running p0f and netcat with IP of 10.12.4.66, plugged into Hub B.

So my test is to run netcat on Box C (nc -l -p 23), and try to telnet from Box A to Box C. The synproxy rule below is the only one I've gotten to work to do this. (I commented the NAT rule out to be sure it didn't interfere with what I was trying to do.) Box A (Windows) seems to open a telnet session, but nothing I type goes through to Box C, and vice versa. (Everything I type does get through if I set up Box B as regular NAT, though.) Interesting to note, p0f on Box C shows that IP address 192.168.0.5 is connecting to it, *not* 10.12.4.61.

I'm sure it's something I've done wrong. Can anyone explain?

Thanks!

Aaron

# Variables
ext_if="xl0"
int_if="fxp0"
internal_net="192.168.0.0/16"

#Options
set block-policy return

#Scrub rules
scrub all random-id reassemble tcp

#NAT or rdr rules
#nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering
block log all

#Allow permitted icmp
pass in log inet proto icmp all icmp-type echoreq keep state label "$nr"

#Allow inbound on int_if for NAT
#pass in log on $int_if from $int_if:network to any keep state label "$nr"

#Allow all outbound
pass out log on $ext_if proto tcp from any to any modulate state flags S/SA label "$nr"
pass out log on $ext_if proto { udp, icmp } from any to any keep state label "$nr"

#Synproxy test
pass in log on $int_if proto tcp from any to any port 23 synproxy state flags S/SA label "synproxy"

> > Is there a way with pf to "wash" these ambiguities (window size, syn packet
> > size, etc) away so that all outgoing TCP packets look the same? Maybe even
> > set them to user-defined variables, as we already can with 'max-mss' and
> > 'min-ttl'?
>
> Use the syn-proxy. It crafts all of the SYN's by hand. It is still
> possible to fingerprint based on things like the retransmission timers
> but that is much harder and they'd be better off looking at HTTP
> User-Agent discrepancies.
>
> .mike
Remotely Counting Machines Behind Nat
Hello All,

It says in the FAQ that using the 'reassemble tcp' scrub option keeps an observer from guessing how many hosts are behind a NAT gateway. The main thing I plan to use this for is to prevent my ISP from finding out I have more than 1 computer connected, and then starting to ask me to pay more money for extra IP addresses.

Problem is that TCP SYN packets that go through my NAT/pf box still have OS ambiguities. So my ISP can see that Windows, BSD, and Linux TCP SYN packets are coming from my cable modem, therefore proving that I have more than 1 machine, and that I need to be charged accordingly.

Is there a way with pf to "wash" these ambiguities (window size, SYN packet size, etc.) away so that all outgoing TCP packets look the same? Maybe even set them to user-defined variables, as we already can with 'max-mss' and 'min-ttl'?

Thanks for your time.

Aaron
Re: Prevent passive fingerprinting
> > is there any option for pf to prevent passive os fingerprinting for the
> > clients behind an obsd nat-box?
>
> Use the 'modulate state' option on your 'pass out' rule to randomize TCP ISN
> generation and the options 'reassemble tcp timeout modulation', 'random-id'
> in your 'scrub' rule.

I've found that this does very little in the way of preventing OS fingerprinting. It does stop outsiders from guessing your uptime, but that's about it. From what I can tell, most OS fingerprinting is based on the window size, TTL, SYN packet size, etc. p0f is very educational if you want to learn about it, especially the p0f.fp file (http://lcamtuf.coredump.cx/p0f.shtml). Setting min-ttl or max-mss can help, but p0f usually can still guess correctly using fuzzy matching.

I've found it much more effective to change some kernel variables. Below are some I've found useful on my FreeBSD systems:

net.inet.ip.ttl
net.inet.tcp.rfc1323

One of these makes more of a difference than the other, can't remember which:

net.inet.tcp.recvspace
net.inet.tcp.sendspace

Here is a patch I've found to give you some control over TOS:
http://lists.freebsd.org/pipermail/freebsd-hackers/2003-May/001078.html

Just remember that if you're going to all this trouble to disguise your OS, don't leave your OpenSSH banner on, like I did! :-)

Aaron
Re: pf and smtp
> Why do you feel that way? Are you aware that the spam problem has forced
> many to block _all_ mail coming from dynamic IP addresses - regardless of

Trying to avoid the pitched ideological battle and get back to a technical discussion.

I think I understand dynamic vs. static IP addresses, and I understand why some people feel compelled to filter on them, and why others consider that an ill-conceived idea. But how is the filtering actually performed? Is this simply recognizing the well-known non-routable IP addresses (10..., 192.168.., etc.) in the source address of an incoming connection to port 25? I don't see how that could ever happen. Is it scanning email headers for those addresses? I don't see that this would filter much of anything.

One of the "ideological battle" messages blamed some part of this on NAT; I don't see where NAT has anything to do with this, as NAT is not the only source of dynamic addresses.

I'm sending this email via a dial-up PPP connection. My ISP has assigned me IP address 209.248.81.177, derived from where I landed in the modem pool. If I disconnect and dial in again I will likely get a different IP address. 209.248.81.177 is what I think is meant by "dynamic address" in this discussion.

When I send email, it goes from my PC to a server at my ISP. The mail server has the static IP address 209.248.82.245. It is registered under the DNS name mail.ophidian.com.

The above two IP addresses appear as the first "Received:" headers in email that I send. From just the IP addresses themselves, I don't see any way to distinguish the one address as dynamic and the other as static. One could perform a reverse DNS lookup, which should succeed on the static address and fail on the dynamic. Is this what it means to "block mail from dynamic addresses"? To block incoming connections to port 25 unless a reverse DNS lookup succeeds? Is any other checking done with the results of the lookup?

I don't really understand so-called dynamic DNS, other than what seems self-evident from the name. But wouldn't that provide a way to get around such blocking and send mail from dynamic addresses?

A more succinct way of asking the above might be to ask how one would write a pf filter (or an email filter) to recognize and block email from dynamic addresses.

Edward A. Gardner            eag at ophidian dot com
Ophidian Designs             719 593-8866 voice
1262 Hofstead Terrace        719 210-7200 cell
Colorado Springs, CO 80907
Re: ALTQ & filter rules
Good time of day,

AES> 3.4's (and above) "tagging" is your friend :)
AES> if you need skeleton ruleset, this one...
[skipped]

hmm ... thanks for the method (shaping on lo0, tagging), I'll see how it works.

But the question was: why can't queueing filters & packet filters be configured separately? Shaping & filtering, theoretically, can have completely different policies. I.e. not "pass-n-shape" as in your ruleset, but "pass" & "shape" in different rules/rulesets.

It is a development question. Before 3.3 the ALTQ ruleset was completely separate, but inflexible. On 3.3+ ALTQ was merged into PF and pf.conf, and it became much more flexible (BIG thanks to developers), but queue filters became hard-linked to the packet filter ruleset. I think there are reasons to let queueing filters be independent from packet filter rules, if needed. Maybe it means hard work for developers, maybe it is impossible at all ('cause, for example, hard deep low-level dependencies), I don't really know. It's just an opinion and a feeling that separate options must be configurable separately.

Regards,
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. JSC Oganer-Service Special Equipment Software section
ALTQ & filter rules
Good time of day,

When ALTQ was merged with PF, it became much more flexible. But now, packets can be assigned to a specific queue only in a filter rule. It's good when filter and queue layout are the same. But if they aren't, we have issues:

>> superfluous filter rules (added for queuing only)
>> necessity of a queue modifier in _each_ rule that controls non-default queue packets

I suggest creating a new type of rule - Queuing filters. Same as (packet) filter rules, except one thing - no "pass" or "block" action. Let them define the default queue assignment, applied to (packet) filter rules w/o a "queue" modifier and to implicit rules.

Example pf.conf (for illustration only)

# Queueing: rule-based bandwidth control.
altq on if0 bandwidth 2Mb cbq queue { dflt, developers, marketing }
queue dflt bandwidth 5% cbq(default)
queue developers bandwidth 80%
queue marketing bandwidth 15%

# Queueing filters: defines default queue assignment
# developers subnet
assign out on if0 from 10.0.1.0/24 to any queue developers
# un-assign person from developers (re-assign to default)
assign out on if0 from 10.0.1.125 to any
# marketing subnet
assign out on if0 from 10.0.2.0/24 to any queue marketing
# developer on marketing subnet
assign out on if0 from 10.0.2.35 to any queue developers
# ssh traffic
assign in on if0 proto tcp from any to any port 22 keep state queue developers

# Filtering:
# Repository access
block in on if0 from any to $hRepository
# pass developers (assigned to developers queue)
pass in on if0 from 10.0.1.0/24 to $hRepository
block in on if0 from 10.0.1.125 to $hRepository
pass in on if0 from 10.0.2.35 to $hRepository
# exclusion: pass _marketing_ person to repository with
# developers bandwidth
# (re-assigning Repository traffic to developers queue)
pass in on if0 from 10.0.2.34 to $hRepository queue developers

Something like that ...

This leaves PF more flexible & powerful.

Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. JSC Oganer-Service Special Equipment Software Section
binat & filtering
Hi there,

I'm having a little bit of difficulty with a binat rule that I need. Here's the situation: I have a machine (10.20.0.100) in the internal LAN (10.20.0.0/24, note the /24 because of my organization's routing policies and network topology) that I'd like to binat onto a routable IP address. The network this machine is on (10.20.0.0/24) is also under plain-old nat. So, part of my pf.conf setup is this (w.x.y.z is the routable IP address that I'd like to use, aliased to the external interface, which uses w.x.y.[z - 1]):

binat on $ext_if from 10.20.0.100 to any -> w.x.y.z
nat on $ext_if from 10.20.0.0/24 to any -> w.x.y.[z - 1]

(of course, w.x.y.z and w.x.y.[z - 1] are writing aids; I use either proper IP addresses or macros.)

My questions:

1) If I have the machine on binat, should I exclude it from the NAT rules? (using nat syntax)

2) I have a default deny filtering policy. But, to take into account the binat address, do I have to filter on the external interface, the internal or both? In addition, should I use 10.20.0.100 (the internal IP) or w.x.y.z?

My filter rules are these:

block in all
block out all

# both $ext_udp and $ext_tcp are lists of ports that I
# allow incoming connections from the Internet (DNS, NTP,
# WWW, SMTP, the usual suspects.)
#
pass in on $ext_if proto udp from any to any \
    port $ext_udp keep state
pass in on $ext_if proto tcp from any to any \
    port $ext_tcp keep state
pass out on $ext_if from $ext_if to any keep state
pass in on $int_if from 10.20.0.0/24 to any keep state

All the other computers access the Internet pretty well, but I'm missing the rules for binat to work. I've tried several combinations, read the manpages, browsed the archives. Nothing. What's going on?

Oh, happy holidays and a big thanks to OpenBSD and pf hackers!

Best regards,
Carlos.
Re: About using reassemble tcp/modulate state
I have a question about the statement below. Does the use of 'modulate state' really disguise the OS of computers behind your OpenBSD NAT/pf firewall box? I have not found this to be the case, but I don't know if this is because I'm using the FreeBSD port or not. Can someone clarify?

Thanks for your time.

Aaron

> The sequence number generation on many OSes is poor, allowing for
> easier attacks, and often OS guessing. With keep state PF keeps
> track of the 'stage' of connection setup/teardown and also
> the CORRECT sequence numbers midway through a connection, blocking
> inappropriate packets. With modulate state PF translates the
> sequence numbers for ones that are more random, making insertion and
> OS guessing more difficult (in fact the OS will look like the best
> one out there - OpenBSD :-) )
Re: patch to support labels in scrub rules ( 3.4 current ).
On Thu, Oct 09, 2003 at 01:13:05AM +0200, Henning Brauer wrote: Sorry, this is the correct one. Best Regards. Hector. > On Wed, Oct 08, 2003 at 02:52:57PM -0300, Hector A. Paterno wrote: > > + | label { > > + if (filter_opts.label) { > > + yyerror("label cannot be redefined"); > > + YYERROR; > > + } > > + scrub_opts.label = $1; > > eh, no ;-) > > also, diff -u is preferred ;-) > > -- > Henning Brauer, BS Web Services, http://bsws.de > [EMAIL PROTECTED] - [EMAIL PROTECTED] > Unix is very simple, but it takes a genius to understand the simplicity. > (Dennis Ritchie) > -- --- parse.y.origFri Sep 26 18:06:31 2003 +++ parse.y Thu Oct 9 00:06:43 2003 @@ -189,6 +189,7 @@ int fragcache; int randomid; int reassemble_tcp; + char*label; } scrub_opts; struct queue_opts { @@ -688,6 +689,11 @@ } r.rule_flag |= PFRULE_REASSEMBLE_TCP; } + + if (rule_label(&r, $8.label)) + YYERROR; + free($8.label); + if ($8.minttl) r.min_ttl = $8.minttl; if ($8.maxmss) @@ -764,6 +770,13 @@ } scrub_opts.reassemble_tcp = 1; } + | label { + if (scrub_opts.label) { + yyerror("label cannot be redefined"); + YYERROR; + } + scrub_opts.label = $1; + } | RANDOMID { if (scrub_opts.randomid) { yyerror("random-id cannot be respecified");
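Review bot: the new `char *label` member added to `struct scrub_opts` in the first hunk (parse.y line 189) is not reset anywhere in this diff; unless the per-rule reset that clears the other `scrub_opts` members (`fragcache`, `randomid`, `reassemble_tcp`) also covers `label`, the `label cannot be redefined` check in the third hunk would fire on the next scrub rule that carries a label, and a stale pointer would be handed to `rule_label()`. Please confirm that the initialisation covers the new member, or add `scrub_opts.label = NULL;` beside it.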
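Review bot: in the hunk at parse.y line 688, `free($8.label)` is only reached when `rule_label()` succeeds; on the `YYERROR` path (label too long) the string allocated for the label leaks. Freeing before bailing out keeps both paths clean, e.g.
  if (rule_label(&r, $8.label)) { free($8.label); YYERROR; }
  free($8.label);
The third hunk (line 764) now correctly tests `scrub_opts.label` rather than `filter_opts.label`, which fixes the problem in the earlier version of this patch.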
patch to support labels in scrub rules ( 3.4 current ).
patch attached. Best Regards. -- Hector A. Paterno*** sbin/pfctl/parse.y Fri Sep 26 18:06:31 2003 --- sbin/pfctl/parse.y Thu Oct 9 15:11:32 2003 *** *** 189,194 --- 189,195 int fragcache; int randomid; int reassemble_tcp; + char*label; } scrub_opts; struct queue_opts { *** *** 688,693 --- 689,699 } r.rule_flag |= PFRULE_REASSEMBLE_TCP; } + + if (rule_label(&r, $8.label)) + YYERROR; + free($8.label); + if ($8.minttl) r.min_ttl = $8.minttl; if ($8.maxmss) *** *** 764,769 --- 770,782 } scrub_opts.reassemble_tcp = 1; } + | label { + if (filter_opts.label) { + yyerror("label cannot be redefined"); + YYERROR; + } + scrub_opts.label = $1; + } | RANDOMID { if (scrub_opts.randomid) { yyerror("random-id cannot be respecified");
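Review bot: the `| label` alternative added at parse.y line 764 tests `filter_opts.label` but stores into `scrub_opts.label`, so a second `label` on one scrub rule is never rejected, and a label left over in `filter_opts` from a preceding filter rule could wrongly reject a valid scrub rule; the check should read `if (scrub_opts.label)`. The patch is also in context-diff format, while the tree's convention is unified (`diff -u`), as the reply above notes.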
Dynamic domain and table
I had an idea to update a table for a VPN using something to the effect of:

pfctl -t table -T replace `host -l domain.name | grep -v "^_" | grep "has address" | \
    awk '{print $4}' | sort | uniq | tr '\n' ' '`

for dynamic updates from a Windows DNS server. So I start with 10.0.0.0/8 and I narrow it down to less than 50 IP addresses. (Don't comment on the range, I inherited it.)

I am actually wondering whether this is at all a good idea, and what a reasonable frequency would be (it takes practically no time to run).

My thoughts are that:
a. Anyone on the network should be in the database, and
b. If they are not registered then they should probably not be allowed unfettered access to the other side of the link.

Any thoughts?

David
--
David de Gruyl <[EMAIL PROTECTED]>
Re: dynamically changing pf rules
On Tue, Nov 19, 2002 at 12:03:45PM -, Dan Heaver wrote:
> Hi, I'm currently pondering a solution for one of our clients using openbsd
> / pf as the building blocks that hold the solution together and would value
> people's opinion on the idea.
>
> Basically this is the set up I want to implement
>
> I want to have an openbsd box in front of two Solaris boxes (these boxes are
> already in place and serving a live website) that NATs a public ip address
> to one of the boxes. I then want to write a daemon that monitors services on
> the Solaris and dynamically changes the nat to point to the second box should
> it deem that one of the services has failed.
>
> Does this sound feasible ?
> Where would I have to look to dynamically change nat rules in pf ?

Yes, you could do it by writing a custom program (daemon) that:
1) Monitors services.
2) Changes the NAT rules via /dev/pf ioctls (man pf).

Sounds pretty easy if you have knowledge of the C language.

I've been working with pf ioctls for a while on a project currently owned by the company I work for, so I can't open the sources, but if you have problems with it make contact with me at [EMAIL PROTECTED]

Regards.

> Regards
> Dan

--
Hector A. Paterno