Re: My PF faults list

2007-09-20 Thread Bob DeBolt
Ilya A. Kovalenko wrote:

> Hmm, maybe I'm truly too stupid to work with PF ...
> I'll re-test it on a clean environment and write to the list.

Hi Ilya

Would you mind posting your entire config file(s) verbatim.

Also post what version you are referring to, and whether it is current,
release or stable.

I would be interested in seeing just where the problem lies.

regards

BobD





Re: NAT-T support of PF

2007-04-23 Thread Bob DeBolt
John Mok wrote:

> I hope someone to tell me if NAT-T support
> is available in PF, 

Yes it is, since 3.7 or 3.8 methinks.

Bob






Re: Fair distribution of borrowed bandwidth with a lot of users

2007-04-17 Thread Bob DeBolt
Hi Federico Giannici

Posting your pf.conf will be of considerable benefit
when attempting to seek help for something that has the complexity you
are currently dealing with.

Additionally, post the type of connection you have, i.e. DSL, cable etc., as
the variations each of these has throughout the day will skew the
appearance of your results.

Supplying your complete pf.conf correctly commented with what you are
wanting each rule and queue to accomplish is a good place to start.

You will consistently find that without adequate information it will be
difficult for people to help you.

Bob







dup-to work around

2006-12-06 Thread Bob DeBolt
Greets

OpenBSD 4.0

I am working on an issue regarding dup-to. It works fine.

When using an invisible bridge I dup-to all traffic ( in, out ) over to a 
computer that creates really nice graphs, using a third interface on the 
bridge. All is well.

Issue:

I need to get all traffic dup-to'd over to a graphing box using only the 
firewall, now dup-to works fine for the traffic that passes through the 
firewall but the blocked traffic doesn't get dup-to'd. 

I have tried every conceivable combination that I can think of, that the FAQ 
reveals or hints at and on and on. 

Any suggestions to get blocked traffic dup-to'd / copied to the graph box? 
Have I overlooked something that may make this possible? 

Ideas?

Bob D


Re: graphing pf stats

2006-01-02 Thread Bob DeBolt
On Sunday 01 January 2006 18:52, you wrote:

pfstat works well, it may be a nice starting point for you or it may do 
everything you want.

Bob


Re: I have $300

2005-11-30 Thread Bob Ababurko


I totally appreciate everybody's comments and I have in fact decided to
pass over the embedded solution.  We just picked up a Sun Netra T105
(440MHz, 512MB) on eBay.  It was about $135 shipped and has two onboard
NICs.  I have always liked Sun hardware and it works well with OpenBSD;
it is some of the best in quality.  It fits in one rack unit and will be
cheap to grab another to do a failover when the time comes.  I can even
dd the drive to make a disk for the new unit when I implement it.

I understand that running two cheap ones is better than running one
solid state machine.  Plus the horsepower leaves little to work with in
some of these tiny contraptions(soekris comes to mind).  Not to say that
they do not have their place, but I feel that this is the best answer.

-Bob


Re: I have $300

2005-11-28 Thread Bob Ababurko

Graham Toal wrote:


Depends if you're saying "embedded" because you need the form factor,
or just to keep the price low.  If the latter, you can get some
good deals on desktops if you look around.

I bought a nice Dell server for about $240 last year, leaving change
for a couple of extra ether cards.  1Gb cards are dirt cheap nowadays;
I got both of mine for about $30 at one of those weekend sales
from CompUSA and Office Max (very surprised about the latter).  Both
were on one-per-customer mailin rebates...

So I got an OpenBSD firewall/spamfilter *and* a server I could use
for backing up my PC out of the deal...  (Disk drive was 250Gb SATA
which was effectively free because I'd had one die on me earlier in
the year which I'd already replaced, then for this server I sent
the dead one back to Maxtor who replaced it for free with a new one)

The server was on the Dell "small business" program.  Quite often near
the end of a quarter they'll dump stuff at or below cost just to bump
up their numbers for their quarterly report.  Obviously you need
patience to wait for one of these - they don't happen every day :-)

(Slightly related; I picked up a 200Gb Maxtor IDE drive in the
Black Friday sales for $30.  It'll sit waiting for the next
project.  Finally in rebellion for thirty years of paying through 
the nose for bleeding-edge early adopter prices, I've decided that
from now on I'll only buy loss-leader sale items as much as
I possibly can :-)  )


Graham


 

The biggest reason I was choosing to go embedded is that I wanted a 
system that did not have moving parts.  This was to hopefully extend the 
life of the machine and increase uptime by eliminating the hard drives 
and power supplies with moving parts.  I am not paying for power so I 
can say that I am not concerned about consumption at this point.  This 
is only due to the fact that $ is finite at the present time and cannot 
weigh heavily on the list of importance.


The alternative is to use a dual P3 that we have, but I am still 
interested in optimum availability.  Do I implement RAID 1 with two 
drives?  Or does this create more problems than it is worth by 
introducing more parts to fail (two drives)?  Do I implement a flash card 
reader and install OpenBSD/pf on a compact flash drive?  I am not sure 
where I should be drawing the line... I mean, do I pay attention to drive 
redundancy or power redundancy, or even actual firewall redundancy?
What is the most bang for the buck in terms of availability short of a 
hot standby firewall configuration?



-Bob


I have $300

2005-11-28 Thread Bob Ababurko
I have $300 to spend, what hardware should I look at to make an embedded 
OpenBSD/pf firewall?  I am looking for 3 NICs so I can implement a DMZ. 
I am looking for an alternative to the Soekris 4801.  Since I do not 
know much about these systems, I am not sure if I should look no further 
than that board.  It just seems a bit low on horsepower, such that I 
would not be able to do much beyond a packet filter, but on the same 
token, a $300 embedded system may not yield much beyond that anyway.


I am hoping to find out what other people are using.

TIA,
Bob





Re: pf rules question

2005-08-15 Thread Bob DeBolt
One method I use successfully is to insert a quick in a rule, as that will then 
finish with the ruleset and send the packet on its way, letting you see if 
there is something in the ruleset that is causing the blocked packet.

Bob


Re: Dup-to (Solved)

2005-08-14 Thread Bob DeBolt
On Saturday 13 August 2005 02:06, you wrote:


But first a funny (???) story.

I had my 7 year old daughter volunteer to help me on Friday with my work, on 
my primary workstation, my notebook. I didn't even have to ask her nor did I 
have to ask her to push the enter key, she read the screen and interpreted it 
as " Press the return key to boot the computer", and of course she did.

I had burned a CD the night before and quite out of character, hadn't taken it 
out of the drive. I followed my usual process of many days, turning on the 
notebook and going to grab a java while it starts up. I ended up coming back 
to my office after about 6 or 7 minutes only to see one long red line going 
across the screen and another red line flashing across the screen just above 
the first. 

The CD was the latest honeynet "roo" and when you press enter it repartitions 
the drive and installs itself. I suppose there is a lesson in there for me.

Now the dup-to resolution.

What happened was I had listed the dup-to interface and destination address 
macros inside parentheses separated by a comma and of course received a syntax 
error. Naturally being as gifted as I obviously am ( see story above ) I 
substituted a pair of curly braces leaving the comma in but did not receive an 
error so I had assumed that the syntax was correct. After taking a break and 
rebuilding my notebook, I started thinking about the dup-to and remembered 
that I didn't see a comma nor curly braces in the man page or FAQ etc. I guess 
I am very used to separating values with that little comma.

Parentheses and no comma, all is well.

Anyway Thanks for your responses, hope you got a bit of a chuckle out of the 
notebook story.

Bob
 


Dup-to

2005-08-12 Thread Bob DeBolt
I just realized I sent this email to the [EMAIL PROTECTED] list by mistake 
this morning, forgive the crosspost please

This is a copy of that mail.

Greets

Dell 866MHz 256MB RAM

OpenBSD 3.8 beta snapshot, or 3.7 GENERIC or 3.5 GENERIC
All three have shown me the same problem.

Three interfaces rl0, rl1 are the internal and external bridge 
interfaces, the bridge works just fine on all three OS versions.

FXP0 is the logging interface to a log box.

I have read what there is regarding dup-to and know it is straight 
forward, obviously I'm missing something. I also learned that log-all 
is now log (all). Not yet in the FAQ.

After not being able to dup-to on the snapshot I thought maybe there 
is an issue with it so the other two releases were tried with the 
same result.

As stated the IPless bridge works fine ( otherwise you wouldn't be 
reading this email).

Here is the simplest form of what I now have.

int_if = "rl1"
ext_if = "rl0"
log_if = "fxp0"

pass in  on $ext_if dup-to $log_if all
pass out on $ext_if dup-to $log_if all

I have tried pass quick on each interface and on and on and on.
rdr works great; it seems I have missed something in dup-to.

tcpdump shows that nothing is hitting the log interface. Connectivity 
to the log box and back is fine, so it would seem that it must be in 
regard to something I am missing (other than sleep, I must say). 

Each setting produces the same result on any release.

Is this not a simple operation regarding rules?

I have a lot of firewalls running all over the countryside so I have 
done numerous detailed setups but have never setup a logging system 
like this that I can remember.

Suggestions?

Thanks 

Bob
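As an added example (not from either of Bob's dup-to posts, and not the configuration he ran), here is the bridge setup written with the syntax his "Solved" follow-up arrived at: the dup-to target is an interface and address pair in parentheses, no comma. The interface names are the ones from the post; the capture host address is constructed.

```pf
# Added example: an IP-less bridge that copies everything it forwards to a
# capture host hanging off a third interface.  rl0/rl1/fxp0 are from the
# post; $log_box is a constructed address on the fxp0 segment.
int_if  = "rl1"
ext_if  = "rl0"
log_if  = "fxp0"
log_box = "10.10.10.2"

# The routing target is written (interface address): parentheses, a space,
# no comma.  Only packets accepted by these pass rules are duplicated; a
# block rule carries no dup-to, so dropped traffic never reaches the box.
pass in  on $ext_if dup-to ($log_if $log_box) all
pass out on $ext_if dup-to ($log_if $log_box) all

# Copies re-enter pf on their way out of $log_if (routed packets are
# filtered again on the new interface), so let them through explicitly.
pass out quick on $log_if all
```

The last point is also the limit the 2006 "dup-to work around" post runs into: dup-to is an option of a pass rule, so packets a block rule drops are never copied, whatever else the ruleset says.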


Re: ALTQ and VoIP

2005-07-03 Thread Bob DeBolt
Greets

I have learned some very valuable and time saving procedures to assist in the 
deployment of VOIP when using altq over the course of the last year that can 
possibly help you.

The greatest lesson to date is that you need to work with your ISP and have 
them give you readings for your line condition, twice a week for a month. 
Call other ISP sales departments as a prospective client and ask them to 
measure your line, you will likely discover some interesting things about why 
you are or are not getting the bandwidth you expect and why there are 
"seeming" inconsistencies in your altq. Often altq is not the problem.

What all this means is you probably aren't getting the bandwidth you are 
paying for.

Remember you are dealing with commodity Internet and as such all of its 
inherent problems.

Bob


Re: ALTQ on PF for gaming

2005-06-28 Thread Bob
[EMAIL PROTECTED] wrote:
> Bob, I have a question about your post. I am already queueing the
> outgoing packets via:
> pass out on $ext_if inet proto { udp tcp } from ($ext_if) to any port
> {27000:27020 } keep state queue(cs_out)
> and it works fine. I am then able to throttle the regular outgoing
> bandwidth way back and still allow some for counterstrike through the
> separate queue. Could you please explain a little on how your solution
> improves on this? I already have a queue for the outgoing cs traffic
> and the way you split it confuses me a little.

I thought the problem was that you needed to limit incoming traffic as 
well as outgoing traffic.

You need to have rules for the internal interface too, if you want to 
limit the rate at which local machines download incoming packets.

The outgoing (external interface) rule will be very similar to yours, 
yes. But you also need the incoming (internal interface) rule to limit 
incoming traffic speeds.
-- 
Bob


Re: ALTQ on PF for gaming

2005-06-28 Thread Bob
[EMAIL PROTECTED] wrote:
> Hey, I have been looking around everywhere about how to prioritize my
> bandwidth for gaming purposes. So far, I have the outgoing bandwidth
> working fine, but I cannot throttle the incoming bandwidth to optimize
> it for gaming. Whenever I add a rule such as:
> pass in on $ext_if from any to $int_if:network port (gaming ports)
> it seems to not catch any traffic.


You cannot limit download rates over the external interface. You can't 
tell your ISP to limit download speed per packet-type, and once it 
reaches the router, it's reached the router. Your router can only limit 
the rate of packets that *leave* it.

What you have to do is limit the rate at which you feed your local 
network, using a rule like this:

pass in on $int_if from $games_machine port >1024 to any port
 { gaming ports/ranges } tag $game_traffic keep state queue(game_in, 
ack_in)

This rule will allow games packets in from the local network, tag them 
with the $game_traffic tag, keep state so that replies are allowed, and 
then add replies to the game_in queue (or ack_in for urgent packet types).

For the external interface, a matching rule should go something like:

pass out on $ext_if proto { udp, tcp } from any to any tagged
 $game_traffic modulate state queue(game_out, ack_out)

You might want to split the internal-interface rule so that it allows 
different ports for udp and tcp, but it depends on the game.
-- 
Bob


Re: ALTQ question

2005-06-03 Thread Bob
Russell Sutherland wrote:

> 3. All src IPs in the queue share
>    the bandwidth equally. That is each machine gets
>    a maximum allocation of N/n Mbps. E.g. If there are 10 src IP
>    addresses sending traffic each one gets a maximum
>    bandwidth of: N/10 Mbps
> 
> Can this be done using ALTQ? I believe it's possible using dummynet.

It is possible in dummynet using masking.

But, as far as I know, ALTQ does not yet offer a way of saying "equal 
share to each host in this range".

You can do it manually, by adding queuing rules for each IP, but even 
with only three IPs I find that pretty ugly.
-- 
Bob


Re: ftp-proxy(8) issues ...

2005-05-25 Thread Bob
alex wilkinson wrote:

> # ftp hostname.some.domain
> Connected to hostname.some.domain
> 421 Service not available, remote server has closed connection.
> ftp>

Do you get the same message from all FTP servers?

"Service not available" might mean there's trouble with that specific 
server.

Other than that, I can't immediately see anything wrong with your setup.

(It has been a while since I set up ftp-proxy and PF. But at least you 
can take consolation in knowing it's possible. I'm failing to set up 
p3scan with PF, and I've no idea if anyone has ever succeeded.)

My setup does seem slightly different to yours, however. Such as, in my 
external interface rules, I have this:

 # Allow ftp-proxy to contact FTP servers
 pass out on $ext_intfc proto tcp from any port 49152:65535 to any \
     port { 20, 21, 49152:65535 } user ftp-proxy modulate state \
     queue(default_out, ack_out)


For my redirect rule, I have the very similar:

 # Redirect FTP traffic from local network to ftp-proxy
 # (Note: ftp-proxy needs to use the INTERNAL interface address so
 # that the local network is permitted to talk to it - the local
 # network cannot talk to the external interface address.
 # Make sure this is specified as an argument to ftp-proxy in
 # inetd.conf)
 #
 rdr on $int_intfc proto tcp from $int_intfc:network to any port 21 \
     tag $ftp_traffic -> $int_intfc port 8021


If you're using NAT, you also need to use the -n switch in your 
inetd.conf line for ftp-proxy.
-- 
Bob


Anyone get p3scan to work with PF?

2005-05-23 Thread Bob
I've got p3scan running, but I can't seem to work out what I need to do 
to get it to work with PF.

I get output like this:

P3Scan p3scan[4028]: P3Scan Version 1.0
p3scan[4028]: Selected scannertype: basic (Basic file invocation scanner)
p3scan[4028]: Listen now on 192.168.1.100:8110
p3scan[4028]: Changing uid (we are root)
p3scan[4028]: Changed UID.GID to 1008.1008
p3scan[4028]: RX compiled succesfully
p3scan[4028]: Waiting for connections.
p3scan[4028]: Forked, pid=4029, numprocs=1
p3scan[4029]: setting the virusdir to /var/spool/p3scan/children/4029/
p3scan[4029]: Initialize Context
p3scan[4029]: starting proxy
p3scan[4029]: Connection from 192.168.1.102:
p3scan[4029]: Real-server adress is 192.168.1.100:8110
p3scan[4029]: starting mainloop
p3scan[4028]: Forked, pid=4030, numprocs=2
p3scan[4030]: setting the virusdir to /var/spool/p3scan/children/4030/
p3scan[4030]: Initialize Context
p3scan[4030]: starting proxy
p3scan[4030]: Connection from 192.168.1.100:55153
p3scan[4030]: Real-server adress is 192.168.1.100:8110
p3scan[4030]: Oops, that would loop!
p3scan[4030]: Session done (Critial abort). Mails: 0 Bytes: 0


I think the problem is that p3scan is receiving POP3 traffic directed to 
the local address, so it assumes that the ultimate destination is 
itself. Hence the "oops, that would loop" error.

I'm using these rules in pf.conf

 # Redirect POP3 traffic from local network to p3scan (a POP3 proxy
 # which passes mail through spam checker)
 rdr on $int_intfc proto tcp from $win_machine to any port 110 -> \
     $int_intfc port 8110
 nat on $int_intfc proto tcp from $win_machine to $int_intfc port \
     110 -> $int_intfc

(I've tried with and without the nat line - which I only added because 
all the working examples using IPTABLES seem to use a nat line first.)

I'm out of ideas. I can't work out how I can get p3scan to receive the 
POP3 traffic, and still know where the traffic was originally destined for.

Anyone had any luck with this already?
-- 
Bob


Re: explanation of blocked packets

2005-03-31 Thread Bob
[EMAIL PROTECTED] wrote:
> Why are the following packets being blocked?  I know that I have flags
> S/SA modulate state, and that F or FP do not match S/SA, but does that
> matter since its in state?

If I remember correctly, S/SA means "only accept flags where out of S 
and A, only S is set". I.e. that pattern is only checking the S and A 
flags, and couldn't care less about F or P.

However, in the packets that seem blocked, the S flag is not set, so 
those packets will not pass the rule you have to allow stuff out of 
$ext_if, and the last rule to match will be rule 0/0, which you have set 
to "block log-all all".

You should find out what is creating the packets you see, and determine 
why they are not setting the S flag.

Once a session has begun, the return packet, and all further reply 
packets for that session, should be automatically allowed in/out because 
you have turned on stateful inspection for outgoing packets. So the 
packets you see blocked are likely the first packets with the 
destination and source address that you see in the log. Why they don't 
have the S flag set, I'm not sure.
-- 
Bob


Re: AIM connection issues

2005-03-26 Thread Bob
florian mosleh wrote:

> Essentially, the problem I'm having is that a client that connects to the
> internet through the new firewall (pf on openbsd 3.6) has problems 
> establishing
> a connection to AIM (login.oscar.aol.com). I have performed several ethereal
> packet sniffing sessions and can confirm that there is a successful connection
> established between the server and the client and then it just drops. Usually
> after about an hour or two of stubborn retrying and waiting it eventually
> works.

The first thing I'd do is check that the firewall was allowing packets 
to the correct destination ports. One site tells me that iChat and AIM 
use the same ports for transactions, so this page might be interesting:

http://docs.info.apple.com/article.html?artnum=93208

If you've allowed most of the ports needed, but not all, then the 
connection will go nicely until the client suddenly uses a service that 
requires a forbidden port, and then it all goes bad. (I've had a similar 
problem in the past getting Steam and Counter-Strike:Source to work over 
firewalls.)

However, I've no idea why, if that is the problem, the connection would 
suddenly take and hold after an hour of trying. And I'm afraid I know 
nothing about the effect bonded T1 lines would have on a firewall setup.

By the way, iChat (and seemingly AIM) seem to need a large number of 
ports open to work. I wouldn't be keen on that. Make sure that you don't 
allow incoming packets that don't match stateful inspection, unless you 
absolutely have to. (If an application requires me to leave ports open 
from the outside, I ban that application on my network.)
-- 
Bob


Re: Good HFSC explanation

2005-02-16 Thread Bob
jared r r spiegel wrote:

>   i myself am still learning about HFSC, and experimenting, however
>   if you search pf list archives for 'jared hfsc', you can see a lot
>   of posts by me or in re: to me about HFSC.
> 
>   of note:
> 
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=105691519510241&w=2
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=107936788832658&w=2
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=110488079304643&w=2

You know, I actually did find all that stuff since posting the original 
question. (And the stuff you link to in the second thread above.)

Thanks for the help.
-- 
Bob


When does a table outperform a list?

2005-02-16 Thread Bob
In my ruleset, I've only defined a table for a huge list of IP addresses 
belonging to adservers. I've no doubt that a table will perform better 
than a list in this case.

But when does a table begin to outperform a list? I imagine a list is 
quicker when the list contains two or three items, but at what point 
would it be more efficient to put the items into a table?

Anyone know?
-- 
Bob


Re: Borrow not working

2005-02-15 Thread Bob
Alexandre Ilha wrote:
> Hello, everybody.
> 
> We've been trying to get "borrow" to work for us, but despite our 
> reading every reasonable piece of documentation, messages in this list 
> and several web pages - trying to find a solution, it's still not 
> working. We also tried to use the same PF configuration on BSD 3.3 and 
> 3.6,  with no success.

I couldn't get the CBQ scheduler (I'm in FreeBSD 5.3 which I believe 
uses the same underlying code as OpenBSD - ALTQ) to share out bandwidth 
reliably.

It wouldn't use all the bandwidth available, even if there was only one 
queue in use.

I switched to the HFSC scheduler, and I'm very happy with it. I haven't 
been able to find any decent documentation for it with specific regard 
to PF, but I read enough theoretical overview documents to have a bit of 
a clue. Seems a shame not to have a good document for PF and HFSC, though.
-- 
Bob


Re: using altq for rate limiting on certain ports across multiple

2005-02-15 Thread Bob
darren david wrote:

> My /guess/ is that i need 2 queues - one on $EXT_IF inbound and one on 
> $PRIV_IF outbound. Or perhaps i simply need to be tagging packets? 
> $PRIV_NET is NATed, as one might expect.

You seem to be confused, as I was, about the possibilities of the queue 
mechanism.

You cannot queue packets coming into your firewall / shaper. Once they 
have arrived, it is too late to ask them not to arrive. No doubt your 
ISP is using queuing of some sort, but you have no influence over that.

So, first of all, you need to realise that you can only queue stuff 
*leaving the firewall*.

Secondly, now you know this, you need to realise that you needn't 
consider queues that affect both interfaces. It's not possible to have a 
queue that affects an internal and external interface (because you 
cannot queue packets entering the firewall), so you don't need to worry 
about trying to accomplish this.

If what you are hoping to do is limit the download bandwidth of a 
machine on $PRIV_NET, for instance $dev_box, you just limit the rate 
that $dev_box can draw packets out of the firewall. Which requires only 
a queue that affects $PRIV_IF, because (sing along now) you cannot 
affect the rate at which packets are received from your ISP.

If you want to limit the upload rate of $dev_box, then you want a queue 
that acts on $EXT_IF. Because NAT is working on $EXT_IF, you will not be 
able to check the local address of packets on $EXT_IF, so if you need to 
limit the upload rate of a specific private address, tag those packets 
using a rule that acts on the internal interface. Tags in PF remain the 
whole time the packet is in the firewall, and are not transmitted 
outside of the firewall.

Because of what is described above, it is probably not possible to 
precisely limit the download rate of the firewall machine (when 
downloading CVSup data, for instance). It might be possible to reduce 
the downstream bandwidth the firewall uses by limiting its upstream 
bandwidth (which is tricky because a packet can only be tagged once), 
but unless your firewall is likely to be downloading a lot, it's 
probably unnecessary to do so.

Hopefully I haven't confused you worse than before. I've just finished 
(well, tinkering continues) configuring my PF firewall, so for the 
moment I'm full of wisdom that will quickly fall out of my spongy brain.
-- 
Bob
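The point made in this reply and in the "Re: ALTQ on PF for gaming" reply above is the same one: a queue only shapes packets leaving the interface it is attached to, so download limiting lives on the internal interface, upload limiting on the external one, and a tag set on the internal interface identifies a private host whose address NAT has already rewritten by the time the packet reaches $ext_if. The following is an added example that is not from either thread: interface names, the 2Mb/512Kb line and the address of the limited box are assumptions.

```pf
# Added example, not from the list threads.  Interface names, line rates
# and $dev_box are assumptions.
ext_if     = "rl0"
int_if     = "rl1"
dev_box    = "192.168.1.20"
game_ports = "27000:27020"

# Upload direction: packets leaving the firewall towards the ISP.
altq on $ext_if cbq bandwidth 512Kb queue { ack_out, game_out, std_out }
queue ack_out  bandwidth 20% priority 7 cbq(borrow)
queue game_out bandwidth 30% priority 6 cbq(borrow)
queue std_out  bandwidth 50% priority 1 cbq(default borrow)

# Download direction: packets leaving the firewall towards the LAN.  This is
# the only lever over what the LAN receives; the ISP side cannot be touched.
# Everything the firewall sends into the LAN shares this root, so set it a
# little below the real download rate to keep the bottleneck here.
altq on $int_if cbq bandwidth 2Mb queue { ack_in, game_in, std_in }
queue ack_in  bandwidth 20% priority 7 cbq(borrow)
queue game_in bandwidth 30% priority 6 cbq(borrow)
queue std_in  bandwidth 50% priority 1 cbq(default borrow)

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Classify on $int_if, where the private source address is still visible.
# keep state puts the replies that later leave $int_if into game_in
# (ack_in for bare ACKs).
pass in on $int_if proto { tcp, udp } from $dev_box to any port $game_ports \
    tag GAME keep state queue(game_in, ack_in)
pass in on $int_if from $int_if:network to any keep state queue(std_in, ack_in)

# On $ext_if the source is already the firewall's own address; the tag,
# which lives only inside the firewall, identifies the flow instead.
pass out on $ext_if proto { tcp, udp } from any to any tagged GAME \
    keep state queue(game_out, ack_out)
pass out on $ext_if from any to any keep state queue(std_out, ack_out)
```

Both rules need their own state: the state created on $int_if is keyed on that interface's direction, so the same packet is matched by the $ext_if rule again on its way out, which is what makes NAT and the second queue assignment happen.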


Re: altq fishiness

2005-02-15 Thread Bob
Jason Murray wrote:

> As I understand it the two child ssh queues should just use up all the 
> bandwidth from the parent.

I couldn't get CBQ to use up all of the bandwidth. Even when only one 
queue had any traffic, the bandwidth was never getting saturated.

Possibly (probably) it was something I was doing wrong. But I've changed 
to HFSC now, and my broadband line is saturated with traffic. So I'm happy.

I have to admit, though, that I couldn't find any simple explanation of 
HFSC with regard to PF, so I had to guess my way through setting it up.
-- 
Bob


Good HFSC explanation

2005-02-15 Thread Bob
Is there a clear HFSC explanation somewhere, with real simple examples? 
Preferably that apply directly to PF which uses three SC types, not two.

I've found plenty of documents, but they're all high-level overview 
slideshows that are a bit hard to fathom.
-- 
Bob
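What this question asks for, a small HFSC ruleset that exercises all three service curves pf exposes (realtime, linkshare, upperlimit), as an added example that is not from the thread and not Bob's own configuration. The interface and the 512Kb uplink are assumptions; the ports are ordinary ssh and web ports.

```pf
# Added example, not from the list: one HFSC tree on the uplink using the
# three service curves.  Interface and the 512Kb uplink are assumptions.
ext_if = "rl0"

altq on $ext_if hfsc bandwidth 512Kb queue { ack, ssh, web, bulk }

# realtime: a hard guarantee served before any linkshare allocation.
# Empty ACKs keep downloads moving even while the uplink is full.
queue ack  bandwidth 20% hfsc(realtime 20%)

# realtime as a curve (m1 d m2): up to 96Kb for the first 500 ms of a
# burst, then a 48Kb floor; linkshare lets it grow into idle capacity.
queue ssh  bandwidth 15% hfsc(realtime(96Kb 500 48Kb) linkshare 15%)

# linkshare only: no guarantee, but 25% of whatever is left is its share.
queue web  bandwidth 25% hfsc(linkshare 25%)

# upperlimit: never more than half the link, even when nothing else sends.
queue bulk bandwidth 40% hfsc(default upperlimit 50%)

# Realtime guarantees must never add up to more than the link (here 20%
# plus under 19%); linkshare ratios only matter while queues compete.
pass out on $ext_if proto tcp from any to any port 22 \
    keep state queue(ssh, ack)
pass out on $ext_if proto tcp from any to any port { 80, 443 } \
    keep state queue(web, ack)
pass out on $ext_if all keep state queue(bulk, ack)
```

Unlike the CBQ borrow behaviour Bob could not get to saturate the line in the "Borrow not working" and "altq fishiness" replies, linkshare here hands any idle capacity to whichever queues have traffic, and only upperlimit caps a queue below that.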


log to mysql

2005-01-13 Thread Bob DeBolt
Greets

Does anyone have or know of a script of some sort like perl, bash ...?
to log to mysql. I had a man working on one and he went and
moved to Taiwan to teach English. Importing existing logs
would be fine as well.

Bob


RE: Traffic Monitoring, IP

2004-12-23 Thread Bob DeBolt
http://www.ntop.org might be what you're looking for

Bob


RE: Should I use CBQ or Priority Queueing ?

2004-11-04 Thread Bob DeBolt

Hi Nicholas

> I wonder what's the best traffic shaping method available? Is it Class
> Based Queuing or Priority Queuing.

> My goal is to allow browsing the internet from local computers, while
> my DMZ-ed servers consume a lot of my upload bandwidth. Right now,
> without traffic shaping, it's almost impossible to browse the internet
> while my servers receive a lot of queries (mail, www, ftp...).

The scenario you have before you is quite complex even if you 
have done this type of setup before, especially with so many interfaces. 
The policy to follow to get started is the KISS formula.

K eep
I t
S imple
S tupid

It has helped me conquer a lot of very complex tasks. You may 
find that priority queuing is quite adequate for the type of 
traffic you are using. This will allow you to learn about and 
get a better feel for traffic shaping before you move on to 
something more complex like cbq or hfsc.


Bob D
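The priority queueing starting point this reply recommends, written out for the scenario in the question (LAN browsing competing with DMZ servers for the uplink). This is an added example, not from the post; the interface, line rate and networks are assumptions.

```pf
# Added example, not from the post.  Interface, line rate and networks are
# assumptions; the DMZ is given a constructed public block.
ext_if  = "fxp0"
dmz_net = "203.0.113.0/28"
lan_net = "192.168.1.0/24"

# priq: strict priority, no bandwidth split to get wrong.  Whatever waits in
# the highest non-empty queue is sent first; lower queues wait.
altq on $ext_if priq bandwidth 512Kb queue { q_ack, q_web, q_dmz, q_std }
queue q_ack priority 7              # bare TCP ACKs: keep downloads flowing
queue q_web priority 5              # LAN users' browsing
queue q_dmz priority 3              # replies from the DMZ servers
queue q_std priority 1 priq(default)

nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound connections to the DMZ create state here; the replies that leave
# $ext_if inherit the queue from this rule.
pass in on $ext_if proto tcp from any to $dmz_net port { 21, 25, 80 } \
    flags S/SA keep state queue(q_dmz, q_ack)

# Browsing from the LAN: after NAT the source is the firewall's own
# address, so match on the destination service instead.
pass out on $ext_if proto tcp from any to any port { 80, 443 } \
    flags S/SA keep state queue(q_web, q_ack)
pass out on $ext_if all keep state queue(q_std, q_ack)
```

Strict priority means heavy browsing can starve q_dmz entirely; if the servers need a guaranteed share rather than just a lower rank, that is the point at which to move on to cbq or hfsc, as the reply suggests.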


Re: 3.2 pf problems

2002-11-25 Thread bob bob
heh, thanks for the tip

--- Philipp Buehler <[EMAIL PROTECTED]> wrote:
> On 25/11/2002, bob bob <[EMAIL PROTECTED]> wrote
> To Daniel Hartmeier:
> > That's the problem, both computers can't contact each
> > other in any way. Also, neither light on either of my
> > ethernet cards turns on when I connect the cable.
> 
> you have a cross cable between the computers?
> if not, get one.
> 






Re: 3.2 pf problems

2002-11-25 Thread bob bob
That's the problem, both computers can't contact each
other in any way. Also, neither light on either of my
ethernet cards turns on when I connect the cable.

--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 25, 2002 at 01:18:27PM -0800, bob bob
> wrote:
> 
> >  but for some reason im not getting a connection
> from
> >  the computer behind this one. This is a layout of
> my
> >  network:
> >  
> >  router->hub->openbsd box->second computer
> >  any suggestions?
> 
> Verify that both the gateway and the second computer
> have IP addresses
> inside 192.168.0.0/24 assigned, and that they can
> ping each other.
> 
> Set the default gateway on the second computer to
> the 192.168.x.x
> address of the gateway. Ping an external host from
> the second computer.
> 
> Run tcpdump -nvvvpi  and then -nvvvpi
>  on the gateway
> and tell us what you see.
> 
> If the packets from the second computer don't arrive
> at the internal
> interface of the gateway, you have a local network
> problem, and
> debugging pf is futile. If packets arrive there, but
> don't get forwarded
> (and translated) correctly, the problem lies with
> the gateway/pf.
> 
> Daniel
> 






3.2 pf problems

2002-11-25 Thread bob bob

Hello, I've installed the openbsd 3.2 GENERIC kernel,
enabled pf in rc.conf, enabled ip forwarding in
sysctl.conf, and this is what my pf.conf looks like:
 
 nat on rl0 from 192.168.0.0/24 to any -> rl0
 
 pass in all 
 pass out all
 


but for some reason I'm not getting a connection from
the computer behind this one. This is a layout of my
network:

router->hub->openbsd box->second computer
Any suggestions?


