RE: OpenBSD3.3 PF dhcp dhcrelay vlans

2003-09-05 Thread Amir Seyavash Mesry
Thank you Henning, that's what I was looking for from my original post. :D
That also explains to me why, when I set it to 64 instead of 32, it didn't
boot, lol. I never could figure that one out until now. Also, is
NMBCLUSTERS in megabytes, kilobytes, bytes, or some other measurement?

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 

NOTICE: This communication may contain privileged or other confidential
information. If you are not the intended recipient, or believe that you have
received this communication in error, please do not print, copy, retransmit,
disseminate, or otherwise use the information. Also, please indicate to the
sender that you have received this communication in error, and delete the
copy you received. Thank you.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Henning Brauer
Sent: Friday, September 05, 2003 11:10 AM
To: [EMAIL PROTECTED]
Subject: Re: OpenBSD3.3 PF dhcp dhcrelay vlans


while pointing out that this can be changed via ukc is helpful, 32786 
is just insanity.
sorry, it doesn't work like that.
do some math.
see how much kernel memory you waste.
use your tools and see what you really need.
hint: it's most likely 2048 or 4096 max.

we've had posts to our mailing lists where ppl complained that their 
kernels don't boot. not really a surprise when they allocate several 
gigabytes to a single memory map, because, well, bigger is better, 
right.

On Fri, Sep 05, 2003 at 10:43:24AM -0400, Amir Seyavash Mesry wrote:
> Whoa, wait a minute. I wasn't attempting to insult anyone; why did you 
> reply like that? I was just offering a solution I thought may help, 
> and I posted it to this list so if I was wrong someone could say so, 
> but I wasn't trying to say I am the authority on it or anything; 
> otherwise I would not have put in "I believe". I mean, gimme a break, 
> dude, I didn't think anyone would be offended by my post; otherwise I 
> wouldn't have posted it.
> 
> Amir Seyavash Mesry
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Henning Brauer
> Sent: Thursday, September 04, 2003 7:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: OpenBSD3.3 PF dhcp dhcrelay vlans
> 
> 
> thanks for proving that you don't understand what you are doing. "my 
> dick is bigger than yours" doesn't work when modifying memory 
> allocation affecting shitz in kernel land.
> 
> On Thu, Sep 04, 2003 at 12:24:03PM -0400, Amir Seyavash Mesry wrote:
> > I believe that can be done with the UKC on a live system as well, or
> > with the Kernel Conf file. I recompile mine to 32768 normally
> > 
> > Amir Seyavash Mesry
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Kohrman
> > Sent: Thursday, September 04, 2003 11:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: OpenBSD3.3 PF dhcp dhcrelay vlans
> > 
> > 
> > Some lessons learned for those out there who are running PF in some
> > high traffic implementations.
> > 
> > dhcrelay
> > The dhcrelay that ships with OpenBSD 3.3 seems to be broken.  I
> > installed the one that is part of the ISC port, and it work
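Amir asks what unit NMBCLUSTERS is in, and Henning's answer is to do the math and measure real usage. The following Python is an added example, not code from this thread or from OpenBSD: NMBCLUSTERS is a count of mbuf clusters of MCLBYTES (2048 bytes on OpenBSD) each, so the script converts the values mentioned in the thread into the kernel memory they reserve, reads the peak cluster count out of `netstat -m` output (the current/peak/max line shape is assumed here, and the sample output is constructed), and applies a sizing heuristic that is this example's own, not OpenBSD guidance: the next power of two above twice the observed peak, never below the 2048 default.

```python
import math
import re
from typing import Dict, Iterable, Optional

# MCLBYTES is the size of one mbuf cluster: 2048 bytes on OpenBSD
# (sys/param.h defines MCLSHIFT as 11). NMBCLUSTERS is a *count* of such
# clusters, not a size in bytes, kilobytes or megabytes.
MCLBYTES = 2048


def nmbclusters_bytes(nmbclusters: int, mclbytes: int = MCLBYTES) -> int:
    """Kernel virtual memory the mbuf cluster map reserves for this setting."""
    return nmbclusters * mclbytes


def nmbclusters_mib(nmbclusters: int) -> float:
    return nmbclusters_bytes(nmbclusters) / (1024 * 1024)


def cost_table(values: Iterable[int]) -> Dict[int, float]:
    """Map each candidate NMBCLUSTERS value to the MiB it reserves."""
    return {v: nmbclusters_mib(v) for v in values}


# Assumed line shape for the cluster counter in `netstat -m` output
# ("current/peak/max"); the exact wording is an assumption of this example.
CLUSTER_RE = re.compile(r"(\d+)/(\d+)/(\d+) mbuf (?:\d+ byte )?clusters in use")


def peak_clusters(netstat_m_output: str) -> Optional[int]:
    """Peak number of clusters in use, or None if the line is absent."""
    m = CLUSTER_RE.search(netstat_m_output)
    return int(m.group(2)) if m else None


def suggest_nmbclusters(peak: int, headroom: float = 2.0, floor: int = 2048) -> int:
    """Sizing heuristic of this example (not OpenBSD's guidance): the next
    power of two at or above peak*headroom, never below the default floor."""
    target = max(floor, math.ceil(peak * headroom))
    return 1 << (target - 1).bit_length()


# Constructed sample, not captured from any machine in the thread.
SAMPLE_NETSTAT_M = """\
312 mbufs in use:
        280 mbufs allocated to data
        32 mbufs allocated to packet headers
147/1530/2048 mbuf 2048 byte clusters in use (current/peak/max)
"""

if __name__ == "__main__":
    # Values that came up in the thread: the default, Henning's "4096 max",
    # Shawn's 16384 and Amir's 32768.
    for n, mib in cost_table([2048, 4096, 16384, 32768]).items():
        print(f"NMBCLUSTERS={n:6d} reserves {mib:6.1f} MiB of kernel memory")
    peak = peak_clusters(SAMPLE_NETSTAT_M)
    if peak is not None:
        print(f"observed peak {peak} clusters -> suggested NMBCLUSTERS "
              f"{suggest_nmbclusters(peak)}")
```

Run it as-is to see the cost table; to size a real box, feed the actual `netstat -m` output captured at peak load to `peak_clusters()` instead of the constructed sample.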

RE: OpenBSD3.3 PF dhcp dhcrelay vlans

2003-09-05 Thread Amir Seyavash Mesry
Whoa, wait a minute. I wasn't attempting to insult anyone; why did you reply
like that? I was just offering a solution I thought may help, and I posted
it to this list so if I was wrong someone could say so, but I wasn't trying
to say I am the authority on it or anything; otherwise I would not have put
in "I believe". I mean, gimme a break, dude, I didn't think anyone would be
offended by my post; otherwise I wouldn't have posted it.

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Henning Brauer
Sent: Thursday, September 04, 2003 7:12 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenBSD3.3 PF dhcp dhcrelay vlans


thanks for proving that you don't understand what you are doing. "my dick is
bigger than yours" doesn't work when modifying memory 
allocation affecting shitz in kernel land.

On Thu, Sep 04, 2003 at 12:24:03PM -0400, Amir Seyavash Mesry wrote:
> I believe that can be done with the UKC on a live system as well, or 
> with the Kernel Conf file. I recompile mine to 32768 normally
> 
> Amir Seyavash Mesry
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Kohrman
> Sent: Thursday, September 04, 2003 11:12 AM
> To: [EMAIL PROTECTED]
> Subject: OpenBSD3.3 PF dhcp dhcrelay vlans
> 
> 
> Some lessons learned for those out there who are running PF in some 
> high traffic implementations.
> 
> dhcrelay
> The dhcrelay that ships with OpenBSD 3.3 seems to be broken.  I 
> installed the one that is part of the ISC port, and it worked fine.
> 
> vlans
> My PF box is set up with about 2500 machines behind it.  I use 10 vlans 
> with a Cisco Catalyst switch.  I found it necessary to increase 
> NMBCLUSTERS in param.h from 2048 to 16384 to adequately handle the 
> load.
> 
> 
> Shawn Kohrman
> Network/Security Administrator
> Azusa Pacific University
> 901 E. Alosta Ave.
> Azusa, CA  91702
> http://www.apu.edu/
>  
> 
> 
> 

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)




RE: OpenBSD3.3 PF dhcp dhcrelay vlans

2003-09-04 Thread Amir Seyavash Mesry
I believe that can be done with the UKC on a live system as well, or with
the Kernel Conf file.
I recompile mine to 32768 normally.

Amir Seyavash Mesry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Shawn Kohrman
Sent: Thursday, September 04, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: OpenBSD3.3 PF dhcp dhcrelay vlans


Some lessons learned for those out there who are running PF in some high
traffic implementations.

dhcrelay
The dhcrelay that ships with OpenBSD 3.3 seems to be broken.  I installed
the one that is part of the ISC port, and it worked fine.

vlans
My PF box is set up with about 2500 machines behind it.  I use 10 vlans with
a Cisco Catalyst switch.  I found it necessary to increase NMBCLUSTERS in
param.h from 2048 to 16384 to adequately handle the load.


Shawn Kohrman
Network/Security Administrator
Azusa Pacific University
901 E. Alosta Ave.
Azusa, CA  91702
http://www.apu.edu/
 




RE: Speed issues with bridge firewall

2003-09-02 Thread Amir Seyavash Mesry
Henning/Daniel, are there any plans to implement polling in 3.4? Or have a
patch for it?

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Henning Brauer
Sent: Monday, September 01, 2003 3:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Speed issues with bridge firewall


On Mon, Sep 01, 2003 at 12:20:04PM -0500, Mathew Binkley wrote:
> The firewall box is a SuperMicro 1U box with ServerWorks GC-LE chipset,
> dual 1.8 GHz Xeons, 1 GB RAM, 40 gig hard drive, and two gigabit NICs 
> (one Intel, the other NatSemi 83820).  OpenBSD doesn't support SMP, so 
> only one of the processors is being used.

dmesg would help.
my bet is on the nge(4), tho. at GigE - esp. when you run jumbo frame 
- it is not very efficient. I'd be interested in figures with a second 
em(4).

> Results:
> 
> No firewall:  939 Mbits/sec throughput
> Firewall:     785 Mbits/sec throughput

that's already pretty impressive...

check systat vmstat while doing the tests. I bet the interrupt #s kill 
you. check especially which device causes how many.





RE: Redirection (Unreal Tournament)

2003-08-20 Thread Amir Seyavash Mesry
ut2003 = "{,7778,7787,7788,28900,28902,80}"

rdr on $ext_if proto tcp from any to $ext_if port $ut2003 -> $justin_machine

Port 80 if you want the webserver accessible

ut = "{,7778,7779,7780,7781,80}"

rdr on $ext_if proto tcp from any to $ext_if port $ut -> $justin_machine

Port 80 if you want the webserver accessible

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Justin Houchin
Sent: Tuesday, August 19, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: Redirection (Unreal Tournament)


Hi Everyone,
Here is my setup:
 - OpenBSD 3.3 machine acting as a router with NAT.
 - Windows XP machine with IP 192.168.21.2
I want the windows XP machine to serve as a Unreal Tournament server. It
says that Unreal uses port ,7778,7787,7788 UDP traffic only.

I have added the following rules to allow only this traffic to the windows
machine:


# Interface aliases should be created for ease of administration.
  ext_if = "fxp0"                 # Untrusted (from cable modem) side
  int_if = "fxp1"                 # Trusted (to hub/switch) side
  justin_net = "192.168.21.0/24"  # Justin's home network

# Port Definitions
  icmp_types = "{ 8, 11 }"
  smtp_rdr = "9925"
  unreal = "{,7778,7787,7788}"

# Access IP Addresses
  dunbarton = "66.0.45.96/29"     # Dunbarton
  charter_dhcp = "10.109.0.1"     # Charter DHCP server
  ncar = "192.43.244.18"          # National Center for Atmospheric Research
  justin_machine = "192.168.21.2" # Justin's Machine

# Private addresses (Used to prevent links from the router)
  priv_nets = "{ 127.0.0.0/8, 192.168.21.0/24, 172.16.0.0/12, 10.0.0.0/8 }"

# Default options
  #set block-policy return
  #set loginterface $ext_if

# Scrubbing parameters
  scrub in all

# Nat parameters
  nat on $ext_if from $justin_net to any -> ($ext_if)

# Redirect SMTP connections from port 9925 to port 25 (Charter blocks port 25)
  rdr on $ext_if inet proto tcp from any to ($ext_if) port $smtp_rdr -> ($ext_if) port smtp

# Redirect Unreal Tournament connections to Justin's Machine
  rdr on $ext_if proto udp from any to any port $unreal -> $justin_machine

# Start the filter rules
  block in log on $ext_if all

# Allow traffic to be passed on the loopback interface
  pass in quick on lo0 all

# Prevent the router from leaking private IP addresses
  block in quick on $ext_if from $priv_nets to any
  block out quick on $ext_if from any to $priv_nets

# Allow incoming unreal tournament connections
  pass in quick on $ext_if proto udp from any to $justin_machine port $unreal keep state


I don't believe the traffic is getting to my Unreal Server. Do my 
rules look correct?

Thanks,
Justin




RE: pf and bridge question

2003-08-14 Thread Amir Seyavash Mesry
As long as you separate the rulesets for the bridged config and the
management NIC, I don't see how it could happen unless the pf code is not
meant to handle this. I am running the same config roughly and it works damn
good, in fact too good when I first configured it. Also I would like to point
out that you stated he had trouble (OpenBSD 3.2 with ipf) with IPF. IPF and
PF are 2 totally different animals. IPF may have a bug, but unless Daniel or
Henning or, eh, I forget, know of a bug using this configuration, then it
should work as I have seen it.

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Marc Beyer
Sent: Wednesday, August 13, 2003 3:18 PM
To: [EMAIL PROTECTED]
Subject: pf and bridge question


Hi,

I have an OpenBSD 3.3 firewall which acts as a transparent bridge 
between our network (not NATted) and a router giving access to the rest 
of the world. The bridging interfaces are configured without IP address 
and a third (management) NIC is configured with an IP address inside our 
network's address space. A colleague of mine claims that this can lead 
to confusion in the routing/bridging code of the firewall and possible 
corruption of the arp table. He says that the management interface 
should never be in the same logical or physical network as one of the 
two sides of the bridge, i.e. it should have an address in rfc1918 space 
and be physically connected to different networking hardware.

I have difficulty in understanding how this could be true and he cannot 
give me an explanation other than that he has had trouble with this in 
the past (running older versions of OpenBSD 3.2 with ipf). Can someone 
here enlighten me as to whether this is really a possible problem and if 
so how exactly some sort of corruption/glitch could happen?

Thanks a lot,

Marc

P.S. Naturally I am aware of the fact that having the management 
interface on a separate NATted network with its own protection is a 
good thing security-wise, so that's not really my question.




RE: pflogr

2003-07-18 Thread Amir Seyavash Mesry
Any way you can have it access MySQL as well?

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
derek potts
Sent: Friday, July 18, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: pflogr


i would like to announce something i've been working on called pflogr.
pflogr is a remote logging system for pf.

features:
- packets are stored using postgresql
- ensures every packet makes it to the database
- packets are decoded at the db server, not the firewall

i've included a very basic php page for accessing the database. my goal is
to have a nice web interface to watch logs from multiple firewalls.

sourceforge page:
http://pflogr.sf.net/

give it a whirl, send me comments.

thanks
:derek




RE: Stupid Question

2003-07-14 Thread Amir Seyavash Mesry
The next best thing to PF in Windows is VisNetic Firewall 1.x or 2.0. It's
made by the same person that made ConSeal for Signal 9. It does Stateful
Packet Inspection, supports multiple interfaces and changes the ISN as well,
like pf. The 2.0 version I haven't checked out yet, but I am sure it has
improved on the features it had. You do have to pay for it, but for a
windows server, if you must have one, then this is one component you
definitely need. Don't get me wrong, I love PF, but there is no PF for
windows so I had to find the next best thing.

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Aaron Suen
Sent: Thursday, July 10, 2003 9:38 PM
To: [EMAIL PROTECTED]
Subject: Stupid Question


OK, so this is (may be, probably is) a stupid question.  But I'm gonna ask
it anyway, so if you think it's stupid, go ahead and at least get a good
laugh out of it.

Does anybody foresee a port, of some sorts, of pf for Windows?

Yeah, it sounds a little wild, but I could really use something like this.
I have a bunch of Windows clients on my home LAN, and you can never really
trust the LAN (even though it's firewalled) since these are Windows (a.k.a.
virus-laden) machines.  So I want to install software firewalls on every
machine to provide secondary protection against threats on the LAN.

The big problem is that there are no good free firewalls for Windows. Of
course, everybody will recommend the same things, such as ZoneAlarm, and
similar types of programs, but all I need is something that can do fragment
reassembly, stateful inspection, and block certain ports (135, 137-139, 445,
1025-1027, 5000) while leaving everything else open by default.  Every free
firewall I've seen is missing something.  ZoneAlarm is too aggressive,
blocks everything by default and asks the user questions all the time (I
want to set it up and forget it).  Rule-based firewalls like the ones based
on Tiny's codebase all seem to lack some reassembly and stateful inspection
capabilities; they're basically just SYN filters.

So, how does one get the power of pf onto a Windows system?  Well, the way
other firewall products seem to work is that they insert a bit of code
between the network driver and the TCP/IP stack, then redirect packets and
fragments through the filter engine.  So, if somebody were to get his hands
on a packet interception thingy like that, we could make a pf-based firewall
to protect Windows machines without having to have a *BSD machine for every
Windows client.

Sound crazy enough?

Actually, it would be pretty nice to have a userland application that does
what the pf engine does.  One could use it, for instance, to filter traffic
that goes through other userland applications (such as ppp using tun*).

I'd like to know how feasible this Windows port idea would be.






FW: OpenBSD Bridge setup with OSPF routed networks behind it - W0ES-

2003-06-09 Thread Amir Seyavash Mesry

Forwarding to PF list as well.
--- Begin Message ---

I disabled pf and then re-enabled it and now my config works fine - after
I ping the Bridge External Address from a host behind the /28.

I did notice this in the dmesg probably 50 times on the OpenBSD Bridge.

arplookup: unable to enter address for XXX.XXX.56.211
arpresolve: can't allocate llinfo

## This was a result of my reply-to config though.

Everything will work great till a timeout expires.  It seems I need to
ping XXX.XXX.43.114 before I can get it to be able to ssh.  Any ideas why
arp is giving me a hard time, or is this more a proxy-arp needed scenario?
hum - I think I may have just answered my own question.

beast.some.net:/home/coldiso% route get XXX.XXX.56.211
   route to: XXX.XXX.56.211
destination: XXX.XXX.56.211
    gateway: xxx.xxx.43.116
  interface: fxp0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount       mtu    expire
        0         0         0         0         0         0         0         0

Is there a way for me to encourage traffic to the /28 to always use fxp1?
I realize this is a bridge but it is not learning the MAC because it is
separated by the 2514 router which would stop broadcasts of layer2.

Interesting, if I disable pf I don't have to ping the host first before I
can ssh to it.  Now I am really confused.

my pf.conf is available at http://www.comnetohio.com/~jasonh/

Thanks for any suggestions.

Jason

On Mon, 9 Jun 2003, Amir Seyavash Mesry wrote:

> I take it this is not a transparent Bridge, as well, I think it would help
> if you posted your pf.conf.
> 
> Amir Seyavash Mesry 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jason Houx
> Sent: Monday, June 09, 2003 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: OpenBSD Bridge setup with OSPF routed networks behind it - W0ES -
> 
> 
>        {2600}
>          |
>   fxp0 { OpenBSD } fxp1 ---+--- /29
>        { Bridge  }         |
>                            |
>   eth0 { Cisco 2514 } eth1 +
>                            |
>                            |  /28
>                   More OpenBSD Units
> 
> 
> I am having a problem that I have been unable to fix.  The scenario above is
> what my lab looks like.  Essentially my workstation lives off the /29 behind
> the fxp1 interface.  The OpenBSD Bridge is a 3.3 Generic with pf/altq
> protecting everything behind it.  I can ssh to the OpenBSD bridge from my
> workstation because my IP address is on the same /29 as the External Int of
> the Bridge on fxp0, but none of my machines behind the Cisco 2514 on the
> eth1 network /28 can talk directly to the Bridge but can bridge out/in just
> fine.  Mind you traffic from the /29 can talk to the bridge just fine.  Just
> to clarify, anything that comes in from the Internet and lands on fxp0 can
> talk to the Bridge as well.
> 
> I see this in my tcpdumps
> 
> ## XXX.XXX.56.211 = machine on /28 subnet
> ## xxx.xxx.43.114 = fxp0 IP on Bridge on /29
> 
> Jun 09 11:09:48.142206 rule 20/0(match): pass in on fxp0: XXX.XXX.56.211.32214 > xxx.xxx.43.114.22: S
> Jun 09 11:09:48.146181 rule 6/0(match): block in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32214: S
> 
> supporting icmp redirect dumps show this
> Jun 09 11:19:55.824378 : ROU.TER.IP.113 > xxx.xxx.43.114: icmp: redirect XXX.XXX.56.211 to net xxx.xxx.43.116
> 
> 
> This looks to me like an icmp redirect problem because I am seeing the
> External IP of my bridge send the packet right back at the interface with
> destination of the correct machine on the /29.
> 
> I at first thought it was a problem with icmp route-redirects on the Bridge
> not being allowed to pass in to tell the Bridge external IP to redirect the
> traffic back o
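Jason's tcpdump excerpt shows the bridge's own reply SYN arriving back inbound on fxp0 and being blocked, which is exactly the kind of event a log consumer should surface on its own rather than leaving to a manual read. The following Python is an added example, not code from the thread or from OpenBSD: it parses pflog lines in the shape tcpdump prints them above (timestamp, rule number, action, direction, interface, endpoints; the bare ICMP redirect line has no rule prefix and is skipped) and flags inbound packets whose source address is one of the firewall's own, which is either spoofing or, as here, a redirected copy of the host's own traffic. The sample addresses are constructed from documentation ranges, standing in for the masked ones in the post, with 203.0.113.114 playing the bridge's fxp0 address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Shape of a pflog line as tcpdump prints it (as quoted in the thread):
#   <ts> rule N/M(reason): <action> <dir> on <iface>: <src> > <dst>: <rest>
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[a-z]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    rest: str


def split_host_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """tcpdump writes TCP/UDP endpoints as a.b.c.d.port; ICMP ones carry no port."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """One line -> entry, or None for lines without the rule prefix."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    src_ip, src_port = split_host_port(m["src"])
    dst_ip, dst_port = split_host_port(m["dst"])
    return PflogEntry(m["ts"], int(m["rule"]), m["action"], m["dir"], m["iface"],
                      src_ip, src_port, dst_ip, dst_port, m["rest"])


def parse_pflog(text: str) -> List[PflogEntry]:
    entries = []
    for line in text.splitlines():
        entry = parse_pflog_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def inbound_from_local(entries: List[PflogEntry], local_addrs: Set[str]) -> List[PflogEntry]:
    """Inbound packets whose source is one of this host's own addresses.
    Legitimate traffic never arrives that way: it is either a spoofed source
    or, as in the thread, the host's own reply bounced back by a redirect."""
    return [e for e in entries if e.direction == "in" and e.src_ip in local_addrs]


# Constructed sample log (documentation address ranges stand in for the
# masked addresses in the post); 203.0.113.114 is the bridge's fxp0 address.
SAMPLE_LOG = """\
Jun 09 11:09:48.142206 rule 20/0(match): pass in on fxp0: 198.51.100.211.32214 > 203.0.113.114.22: S
Jun 09 11:09:48.146181 rule 6/0(match): block in on fxp0: 203.0.113.114.22 > 198.51.100.211.32214: S
Jun 09 11:10:02.001234 rule 20/0(match): pass in on fxp0: 198.51.100.212.40001 > 203.0.113.114.22: S
Jun 09 11:19:55.824378 : 203.0.113.113 > 203.0.113.114: icmp: redirect 198.51.100.211 to net 203.0.113.116
"""

if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_LOG)
    for e in inbound_from_local(entries, {"203.0.113.114"}):
        print(f"{e.ts} rule {e.rule}: {e.action} {e.direction} on {e.iface} "
              f"carries our own address {e.src_ip} as source (-> {e.dst_ip}:{e.dst_port})")
```

On a real box the input would be `tcpdump -n -e -ttt -r /var/log/pflog` output (or a live read of the pflog interface), and `local_addrs` the set of addresses configured on the firewall; the check stays the same.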

RE: altq vs pppoe

2003-06-07 Thread Amir Seyavash Mesry
Well if it was an accident at least I know, lol. I will try it also, as I
want to see if it works with mine, I am using pppoe as well. I won't blame
you if things go haywire, lol.

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Trevor Talbot
Sent: Saturday, June 07, 2003 8:29 PM
To: [EMAIL PROTECTED]
Subject: Re: altq vs pppoe


On Saturday, Jun 7, 2003, at 14:52 US/Pacific, Amir Seyavash Mesry 
wrote:

> So, let me ask, is the "if_tun.c" file supplied compat with 3.3 and
> does it require the kernel sources only, or the whole source tree?

I think sending the attachment to the list was an accident.  I sent it to
Tobias when he had trouble with the patch at the end of my last email.

Both are for 3.3-stable, kernel sources only.





RE: altq vs pppoe

2003-06-07 Thread Amir Seyavash Mesry
So, let me ask, is the "if_tun.c" file supplied compat with 3.3 and does it
require the kernel sources only, or the whole source tree?

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Tobias Wigand
Sent: Saturday, June 07, 2003 9:22 AM
To: 'Trevor Talbot'; [EMAIL PROTECTED]
Subject: AW: altq vs pppoe


hi,

> I attached a copy of the entire if_tun.c you can drop in instead,
> though.

it compiles now.
and as far as i can see (with some quick testing here, at my parents' over
the weekend :), queueing on tun0 works at least better than it ever did
before. it may need some fine tuning regarding the uplink speed. i'll be
able to test that more extensively on monday and let you know.

many thanks!
tobias






RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Yea, I added some and now it works; this got it all working now. Attaching 2
pf.conf's, and the diagram is below. Lemme know if I still got something
amiss; I think I got it all.

            Eth0 (--- Internet)
              |
Machine1 --- Eth1 (10.0.0.1, 10.0.0.0/24) ---+
              |                              |
            Eth2 (10.0.1.1, 10.0.1.0/24)     |
                                             |
            Eth0 (--- Internet)              |
              |                              |
Machine2 --- Eth1 (10.0.0.2, 10.0.0.0/24) ---+
              |
            Eth2 (10.0.4.1, 10.0.4.0/24)

Amir Seyavash Mesry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j knight
Sent: Monday, June 02, 2003 5:50 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 
> 10.0.4.1. Maybe this clarifies it now, lol.

I'm sorry, it really doesn't.

> Machine1
> Eth0=77.77.77.77
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth2=10.0.0.2 network 10.0.0.0/24
> 
> Machine2
> Eth0=11.11.11.11
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth2=10.0.4.1 network 10.0.4.0/24

I don't understand how these machines are connected or which machine is 
loaded with the pf.conf you gave. You say above the packets are going 
from 10.0.0.2 to 10.0.4.1 but I don't see how that's possible with a /24 
netmask without some intermediate hop.

Did you test it with the "pass out" rules?


.joel




RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Re-attaching pf2.conf, I forgot to add the ip changes.

Amir Seyavash Mesry 

-Original Message-
From: Amir Seyavash Mesry [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 6:50 PM
To: 'pf'
Subject: RE: Ruleset Problem


Yea I added some now it works, this got it all working now, attaching 2
pf.conf's and the diagram is below, lemme know If I still got something
amiss, I think I got it all.

Machine1
  Eth0 (---Internet)
  Eth1 (10.0.0.1, 10.0.0.0/24) ------+
  Eth2 (10.0.1.1, 10.0.1.0/24)       |
                                     | (shared 10.0.0.0/24 segment)
Machine2                             |
  Eth0 (---Internet)                 |
  Eth1 (10.0.0.2, 10.0.0.0/24) ------+
  Eth2 (10.0.4.1, 10.0.4.0/24)



pf2.conf
Description: Binary data


RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1
Maybe this clarifies it now, lol.

Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=11.11.11.11
Eth1=10.0.0.2 network 10.0.0.0/24
Eth2=10.0.4.1 network 10.0.4.0/24

(routing table)
Destination   Gateway
10.0.0.0      Eth1
10.0.0.2      Eth1
10.0.1.0      Eth2
10.0.4.0      10.0.0.2

BTW, Thanks for working with me on this, and helping me figure where I am
going wrong!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j
knight
Sent: Monday, June 02, 2003 4:50 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> Sorry, I thought I gave enough info, they come in on eth1 and leave on 
> eth1, i.e. the machine that pf.conf was given for is doing nat and some 
> small routing. Machine1(pf.conf given for this one) Eth0=internetip
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth1=10.0.0.2 network 10.0.0.0/24
> 
> Machine2
> Eth0=internetip
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth1=10.0.4.1 network 10.0.4.0/24

Now I'm really confused :(. Perhaps you could draw a simple diagram?

> 
> If I am reading this right translation takes precedence over 
> filtering, which means If I have the following after translation, then 
> the packets will still pass, or do they get blocked after translation 
> on the outbound if.x

Translated packets still pass through the filter engine and are subject 
to your filter rules

> block in log all
> block out log all

... so this will block translated packets. You'll need to "pass out on 
$ext ..." later on.

> As for the keep state rules, what I was trying to accomplish is 
> passing packets between eth1 & eth2 checking state on each interface. 
> Maybe one 2 revised rules would be
> 
> pass in on $eth1 inet proto udp from $lan1 to $lan2   keep state
> pass in on $eth2 inet proto udp from $lan1 to $lan2   keep state

Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on 
$eth1 so looking for packets from $lan1 on $eth2 isn't necessary.

> Do I need a corresponding one backtracking such as?
> 
> pass in on $eth2 inet proto udp from $lan2 to $lan1   keep state
> pass in on $eth1 inet proto udp from $lan2 to $lan1   keep state

Same situation here with $lan2.

What you need is a set of rules to pass traffic OUT on $eth1, $eth2. 
Like I said, "keep state" only tracks state on one interface, not all of 
them.

pass in  on $eth1 from $lan1 to $lan2 keep state
pass out on $eth2 from $lan1 to $lan2 keep state



.joel





RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1,
i.e. the machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24


If I am reading this right translation takes precedence over filtering,
which means If I have the following after translation, then the packets will
still pass, or do they get blocked after translation on the outbound if.x

block in log all
block out log all

As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 & eth2 checking state on each interface. Maybe one 2
revised rules would be

pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state

Do I need a corresponding one backtracking such as?

pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j
knight
Sent: Monday, June 02, 2003 2:42 PM
To: pf
Subject: Re: Ruleset Problem


Amir Seyavash Mesry wrote:
> I am having an odd problem and I am hoping someone on the list can 
> point out my error, Here is my pf.conf, the keepstate on the icmp 
> doesn't seem to be working, it won't pass the packets out. I.e.
> I am on host 10.0.0.51, I ping 10.0.4.1(routing table entry is present for
> this net) and it won't ping it, but if I ping 10.0.0.1(fxp1) then it will
> allow the packet and let it return. I think it is something really simple
> that I am overlooking but I can't figure it out. Any help is appreciated.

Which interface do packets have to exit to reach 10.0.4.1?

> #allow outgoing traffic from Internet nic to internet if initiated 
> from Internet Nic.
> pass out on $eth0 inet proto tcp from $eth0 to any modulate state
> pass out on $eth0 inet proto udp from $eth0 to any keep state
> pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

Translation happens before filtering so you will find that these rules 
are passing packets from $lan1, $lan2 as well.

> #allow nat for both lan segments only if lan segments initiate request.
> pass out on $eth0 inet proto tcp from $lan1 to any modulate state
> pass out on $eth0 inet proto udp from $lan1 to any keep state
> pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
> pass out on $eth0 inet proto tcp from $lan2 to any modulate state
> pass out on $eth0 inet proto udp from $lan2 to any keep state
> pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

These rules will have no affect because of what I mentioned above.

> #allow requests from segment 1 to segment 2 or internet only if 
> segment 1 requests it.
> pass in on $eth1 inet proto tcp from $lan1 to any modulate state
> pass in on $eth1 inet proto udp from $lan1 to any keep state
> pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state
> 
> #allow requests from segment 2 to segment 1 or internet only if 
> segment 2 requests it.
> pass in on $eth2 inet proto tcp from $lan2 to any modulate state
> pass in on $eth2 inet proto udp from $lan2 to any keep state
> pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

Where are your "pass out on { $eth1, $eth2 }" rules? "Keep state" only 
tracks state on one interface; you still have to pass the traffic 
through any other interface the packets will pass through.


.joel





Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
I am having an odd problem and I am hoping someone on the list can point out
my error.
Here is my pf.conf, the keepstate on the icmp doesn't seem to be working, it
won't pass the packets out. I.e.
I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for
this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will
allow the packet and let it return. I think it is something really simple
that I am overlooking but I can't figure it out. Any help is appreciated.

#OpenBSD 3.3

#macros

#interfaces
eth0="fxp0"
eth1="fxp1"
eth2="fxp2"

#lan segment ips
lan1="10.0.0.0/24"
lan2="10.0.1.0/24"
loc="127.0.0.1/8"

#ip's to block
badip="0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 172.31.0.0/16, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32"
lanip="10.0.0.0/8"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all
scrub out all

# nat rules for both lan segments
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0

# rdr port mapping rules if needed
# rdr on $eth0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

# filter rules

#block all in-out
block in log all
block out log all
block in on $eth0 inet proto {tcp, udp} from any to any port 136 >< 140

#allow for dhcp
pass in on $eth0 inet proto {tcp, udp} from any to $eth0 port 67

#allow outgoing traffic from Internet nic to internet if initiated from Internet Nic.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any modulate state
pass out on $eth0 inet proto udp from $lan1 to any keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass out on $eth0 inet proto tcp from $lan2 to any modulate state
pass out on $eth0 inet proto udp from $lan2 to any keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

#allow requests from segment 1 to segment 2 or internet only if segment 1 requests it.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#allow requests from segment 2 to segment 1 or internet only if segment 2 requests it.
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#deny requests out to internet for bad ip's
block out on $eth0 inet from any to { $badip, $lanip, $loc }
block out on $eth1 inet from any to { $badip }
block out on $eth2 inet from any to { $badip }






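The ruleset from the post above, reworked as an added example (it is not the original poster's file and not taken from any reply) to apply the two points j knight makes earlier on this page: translation happens before filtering, so "pass out" rules on the Internet interface see the already translated source address, and a state on this release is bound to the interface it was created on, so forwarded traffic also needs a "pass out" rule on the interface it leaves by. It assumes the addressing in the diagram, including that 10.0.4.0/24 sits behind Machine2 (10.0.0.2) on fxp1; the macro names are my own.

```pf
# Added example, not the original poster's pf.conf: the same two-LAN NAT
# router in OpenBSD 3.3 syntax, with the outbound rules j knight asked for.
# Assumed from the diagram: fxp0 = Internet, fxp1 = 10.0.0.1/24,
# fxp2 = 10.0.1.1/24, and 10.0.4.0/24 reached via 10.0.0.2 on fxp1.

ext_if="fxp0"
lan1_if="fxp1"
lan2_if="fxp2"
lan1="10.0.0.0/24"
lan2="10.0.1.0/24"
lan4="10.0.4.0/24"
internal="10.0.0.0/24, 10.0.1.0/24, 10.0.4.0/24"
badip="0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32"

scrub in all

# Translation happens before filtering: after this rule an outbound packet on
# fxp0 carries fxp0's address as its source, and that is what the filter sees.
nat on $ext_if from { $internal } to any -> $ext_if

# Default deny in both directions on every interface.
block in log all
block out log all

# Bogon and private destinations never leave towards the Internet; NetBIOS
# noise from the Internet is dropped without a log entry.
block out log quick on $ext_if inet from any to { $badip, $internal, 127.0.0.0/8 }
block in quick on $ext_if inet proto { tcp, udp } from any to any port 136 >< 140

# Internet side. Because of the NAT rule above, these rules also cover every
# LAN connection leaving via fxp0; a separate "pass out ... from $lan1" rule
# on fxp0 would never match, because the source has already been rewritten.
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state
pass out on $ext_if inet proto udp from $ext_if to any keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 code 0 keep state

# LAN side, entry: hosts on each segment may open connections anywhere.
pass in on $lan1_if inet proto tcp from $lan1 to any flags S/SA modulate state
pass in on $lan1_if inet proto udp from $lan1 to any keep state
pass in on $lan1_if inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass in on $lan2_if inet proto tcp from $lan2 to any flags S/SA modulate state
pass in on $lan2_if inet proto udp from $lan2 to any keep state
pass in on $lan2_if inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# LAN side, exit: the state created on entry belongs to that interface, so a
# packet forwarded to another LAN interface meets "block out log all" there
# unless a rule on the exit interface creates its own state. These were the
# missing rules. The ping from 10.0.0.51 to 10.0.4.1 enters on fxp1 and, by
# the 10.0.4.0/24 route through 10.0.0.2, leaves on fxp1 again.
pass out on $lan1_if inet proto tcp from { $internal } to { $lan1, $lan4 } flags S/SA modulate state
pass out on $lan1_if inet proto { udp, icmp } from { $internal } to { $lan1, $lan4 } keep state
pass out on $lan2_if inet proto tcp from { $internal } to $lan2 flags S/SA modulate state
pass out on $lan2_if inet proto { udp, icmp } from { $internal } to $lan2 keep state
```

Check it with pfctl -nf /etc/pf.conf before loading; after pfctl -f, pfctl -s state shows the entries (on this release a forwarded connection gets one per interface it crosses) and pfctl -vs rules shows per-rule match counters, which together with tcpdump -n -e -ttt -i pflog0 is the quickest way to see which block rule is eating a packet. Later pf releases default to floating states, where the state created on entry already matches the packet on exit; the extra pass out rules stay harmless there.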

RE: pf/altq on a fast link

2003-06-03 Thread Amir Seyavash Mesry
They would be much simpler if you supported OpenBSD PF, sadly you do not,
making it difficult for people to trust what you're offering since you're basing
your support on capital flow and not security.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Dennis
Sent: Sunday, June 01, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: Re: pf/altq on a fast link


[EMAIL PROTECTED] (Henning Brauer) wrote in message
news:<[EMAIL PROTECTED]>...
> On Sun, Jun 01, 2003 at 06:20:23AM -0700, Dennis wrote:
> > If you get serious about bandwidth management, take a look at 
> > something a bit more advanced at a very affordable price. Our 
> > software
> 
> blah blah blah. what a bullshit. take your commercial advertising crap
> elsewhere.

Sorry. I hate to see people struggle to do simple things. Do you still use a
hand mower to cut your grass too? Wash your clothes in a stream behind the
house? :-)

DB





Will this work with PF?

2003-02-07 Thread Amir Seyavash Mesry
http://www.research.att.com/~smb/papers/fnat.pdf

Can they do this with pf?







RE: Nat Problem or misconfiguraton

2003-02-03 Thread Amir Seyavash Mesry
Bump!









Nat Problem or misconfiguraton

2003-01-24 Thread Amir Seyavash Mesry
Ok, I need some help.
Here is my pf conf, stripped down so the nat works, and ifconfig output
also, can anyone figure out why it won't do nat on rl1, but will do it on
rl0
Pf.conf:
nat on rl0 inet from 192.168.0.7/32 to any -> rl0
nat on rl1 inet from 192.168.0.15/32 to any -> rl1
nat on rl1 inet from 192.168.0.4/32 to any -> rl1
nat on rl1 inet from 192.168.0.16/28 to any -> rl1

pass in all
pass out all

Ifconfig:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:2a:17:5f
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::250:fcff:fe2a:175f%rl0 prefixlen 64 scopeid 0x1
inet 24.98.84.83 netmask 0xfe00 broadcast 255.255.255.255

(RL1 is listed with media options 10BaseT and autoselect)
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet 10baseT
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfe00 broadcast 255.255.255.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet autoselect (none)
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfe00 broadcast 255.255.255.255

rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:3a:32:6d
media: Ethernet 100baseTX full-duplex
status: active
inet 192.168.0.1 netmask 0xffe0 broadcast 192.168.0.0
inet6 fe80::250:fcff:fe3a:326d%rl2 prefixlen 64 scopeid 0x3


rl0 & rl1 get dhcp assigned ips, which are shown, but rl1 won't nat. Anyone
got any ideas as to why the nat on rl0 works and not on rl1?








RE: Keepstate ?

2002-08-30 Thread Amir Seyavash Mesry

That was exactly the answer I was looking for.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Philipp Buehler
Sent: Friday, August 30, 2002 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Keepstate ?


On 30/08/2002, Daniel Hartmeier <[EMAIL PROTECTED]> wrote To
[EMAIL PROTECTED]:
> I'm not familiar with Cisco rule sets, so please explain what the 
> latter rule does, exactly.

cisco's 'established' lets anything 'in' where it thinks (!) that it
belongs to answering packets. such as fin/rst/syn-ack/ack packets. More
or less, anything except a pure 'syn'.

so consider this 'established' a subset of 'keep state' where the latter
provides way more filtering security.





RE: Keepstate ?

2002-08-30 Thread Amir Seyavash Mesry

Anyone???






Keepstate ?

2002-08-29 Thread Amir Seyavash Mesry

Ok so a keep state statement such as
"Pass out all keep state"
would be the same as
"Permit any, any established"
on a cisco router?






RE: Pass In for out Syntax

2002-08-11 Thread Amir Seyavash Mesry

I am not quite understanding what you are asking. But I will try to
explain what I am wanting to do.
My machine sends data on port 25 out, there is a rule for it to let the
data out. But there is no corresponding rule to let the data in on port
25 to that ip. What I am trying to do is get pf to open up the
corresponding incoming port when the outgoing port has been opened.
In other words one rule that encompasses all ports so that when the data
is sent out on port 25 the pf opens that port for outgoing and then
opens it for incoming as well.

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Chris
Sent: Friday, August 09, 2002 8:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Pass In for out Syntax


Keep State does this for individual connections ... opening for 
everybody while you are connected to anyone has what advantage if you 
aren't wanting to open for everybody wanting your service regardless 
whether you're connected to anyone at the moment?

IE, why not do a keep-state rule on outgoing packets, or allow 
connections in on a port, rather than allow all in but only while you 
are connecting out?



On Friday, August 9, 2002, at 02:15  PM, Amir Seyavash Mesry wrote:

>
> Basically if you open port 22 for outgoing then it auto opens for 
> incoming.





RE: Pass In for out Syntax

2002-08-09 Thread Amir Seyavash Mesry

Kinda close unless I am reading the pf.conf man page wrong, where I have
been reading it again and again.
It keeps state for that data stream, be it out going or incoming.
What I am asking is how to do this.
Keep state for outgoing on port X and open incoming for port X & keep
state for it.
And do the same for any other port that is opened for outgoing, open the
same port for incoming.

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Philipp Buehler
Sent: Friday, August 09, 2002 3:28 PM
To: [EMAIL PROTECTED]
Subject: Re: Pass In for out Syntax


On 09/08/2002, Amir Seyavash Mesry <[EMAIL PROTECTED]> wrote To
[EMAIL PROTECTED]:
> Ok I got another Q.
> I know Cisco has this for its routers, what I want to know is how 
> would I implement it on openbsd. Here is what the rule does.
> A packet goes out on if0 on port 22, which causes port 22 to open for
> incoming traffic on if0 to the same ip it is now outgoing.
> Or
> A packet goes out on if1 on port 22, which causes port 22 to open for
> incoming traffic to the same ip it is now outgoing on if0.
> 
> Basically if you open port 22 for outgoing then it auto opens for 
> incoming.

If I dont get that completly wrong, you want to read about 'STATEFUL
INSPECTION' in pf.conf(5)





Pass In for out Syntax

2002-08-09 Thread Amir Seyavash Mesry

Ok I got another Q.
I know Cisco has this for its routers, what I want to know is how would
I implement it on openbsd.
Here is what the rule does.
A packet goes out on if0 on port 22, which causes port 22 to open for
incoming traffic on if0 to the same ip it is now outgoing.
Or
A packet goes out on if1 on port 22, which causes port 22 to open for
incoming traffic to the same ip it is now outgoing on if0.

Basically if you open port 22 for outgoing then it auto opens for
incoming.

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211
 





RE: Proper Syntax for Limiting Ports per user group.

2002-08-09 Thread Amir Seyavash Mesry

LOL, ok I will wait. Btw, if I move to current, that is not the same as a
snapshot, is it? And if I move to current can I upgrade to 3.2 when it
comes out?
I know it's OT, but I was curious.

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211
 
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Hartmeier
Sent: Friday, August 09, 2002 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Proper Syntax for Limiting Ports per user group.


On Fri, Aug 09, 2002 at 01:10:13PM -0400, Amir Seyavash Mesry wrote:

> Is there anyway to compile the current pf into a 3.1 release?

There are many dependencies you'd have to backport as well, which
themselves have dependencies, etc.

Unless you want to spend an afternoon cursing, I recommend either going
all the way to -current or waiting for 3.2-release.

Daniel





RE: Proper Syntax for Limiting Ports per user group.

2002-08-09 Thread Amir Seyavash Mesry

Is there any way to compile the current pf into a 3.1 release?

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211
 
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Hartmeier
Sent: Friday, August 09, 2002 1:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Proper Syntax for Limiting Ports per user group.


On Fri, Aug 09, 2002 at 12:09:07PM -0400, Amir Seyavash Mesry wrote:

> Can some one tell me what the proper syntax is for using the user & 
> group parameters in OpenBSD 3.1 & PF.

This feature was added after the 3.1 release, so you'll need -current to
use it.

> pass out proto tcp from fxp0 port 3 >< 5 to any port 3 >< 
> 5 modulate state

pass out on fxp0 proto tcp \
from any port 3 >< 5 to any port 3 >< 5 \
user 1001 group 1007 modulate state

Daniel


BEGIN:VCARD
VERSION:2.1
N:Mesry;Amir;Seyavash
FN:Amir Seyavash Mesry
ORG:LSI Logic Inc.;Raid
TITLE:Raid Support Test Technician
TEL;WORK;VOICE:(678) 728-1211
ADR;WORK:;;6145-D Northbelt Parkway;Norcross;GA;30071;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:6145-D Northbelt Parkway=0D=0ANorcross, GA 30071=0D=0AUnited States of Ameri=
ca
ADR;POSTAL:;;6145-D Northbelt Parkway;Norcross;GA;30071;United States of America
LABEL;POSTAL;ENCODING=QUOTED-PRINTABLE:6145-D Northbelt Parkway=0D=0ANorcross, GA 30071=0D=0AUnited States of Ameri=
ca
EMAIL;PREF;INTERNET:[EMAIL PROTECTED]
REV:20020510T175919Z
END:VCARD
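Daniel's rule expanded into a small self-contained pf.conf, as an added example that is not from the thread. The uid 1001, the gid 1007 and the interface fxp0 come from the posts; the macro names and the actual port numbers are assumed, because the archive only shows the range as "3 >< 5". The check a practitioner should make before relying on this: user and group match the owner of the socket on the pf host itself (the process that opened the outbound connection, or the one listening on the destination port for inbound), so these rules constrain local processes. Traffic merely forwarded through the host has no local socket, and pf reports its user and group as "unknown", which these rules will not match.

```pf
# Added example (not from the thread): restricting outbound rules to the
# owner of the local socket with "user" and "group". These keywords are
# not in the 3.1 release; they need -current of August 2002 or 3.2.
ext_if   = "fxp0"      # interface name from the thread
app_user = "1001"      # uid from the thread; pf compares the effective uid
app_grp  = "1007"      # gid from the thread; pf compares the effective gid
lo_port  = "30000"     # assumed: the archive shows the range only as "3 >< 5"
hi_port  = "50000"     # assumed

# Default-deny outbound and log what is refused, so a process running as
# the wrong uid shows up in pflog rather than silently failing.
block out log on $ext_if all

# Both "user" and "group" must match, i.e. the socket must be owned by
# uid 1001 AND gid 1007. "flags S/SA" lets only the initial SYN create
# state; "modulate state" keeps state and rewrites TCP initial sequence
# numbers on the way out.
pass out on $ext_if proto tcp \
    from any port $lo_port >< $hi_port to any port $lo_port >< $hi_port \
    user $app_user group $app_grp flags S/SA modulate state

# UDP has no sequence numbers, so plain "keep state" is used here.
pass out on $ext_if proto udp \
    from any port $lo_port >< $hi_port to any port $lo_port >< $hi_port \
    user $app_user group $app_grp keep state
```

Because both rules keep state, the replies to these connections are admitted by the state table; no "pass in" rule for the port range is needed, and the inbound side stays closed to anything that did not originate from one of those two sockets' owners.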



Proper Syntax for Limiting Ports per user group.

2002-08-09 Thread Amir Seyavash Mesry

Can someone tell me what the proper syntax is for using the user & group
parameters in OpenBSD 3.1 & PF.
Here is an example rule.

pass out proto tcp from fxp0 port 3 >< 5 to any port 3 >< 5 modulate state
pass out proto udp from fxp0 port 3 >< 5 to any port 3 >< 5

The user id is 1001, group id is 1007, how do I limit those two rules to be
used by those 2 id's?

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211
 
 
 
