Re: Internal Webserver Routing

2006-06-19 Thread Darrin Chandler
On Mon, Jun 19, 2006 at 12:44:54PM -0400, Brandon Mercer wrote:
> Ok, I have quite possibly the most trivial question ever.  Didn't see 
> mention of it in the archives, but I know it's been done in fact, 
> I've done it before, but I'm having FITS making it work now.  I've got 
> my PF firewall with $external and $internal.  Behind that there is a 
> webserver with an address on the same network as $internal.  I redirect 
> traffic through the firewall to that webserver.  Now I just need to 
> create some rule to redirect web traffic from $internal stations that 
> try and hit the $external IP address to go to the internal web address 
> as well.  It's SO easy... but I'm stuck.  Thanks for all your help.  Not 
> really comfortable pasting my ruleset on here... but I can if needed. 
> Brandon

There's a nice bit about this in the FAQ. Look for "reflection" if I
recall correctly...

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
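For the "reflection" the reply points at, here is an added pf.conf example (written for this page, not taken from the thread or from the FAQ) using the pre-4.7 nat/rdr syntax that the posts use. The interface names and addresses are assumptions.

```pf
# Added example: redirection plus reflection for a web server on the
# internal network. Interface names and addresses are assumed.
ext_if = "fxp0"
int_if = "dc0"
web_server = "192.168.1.20"

# Outside clients: redirect port 80 on the external address to the server.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web_server

# Inside clients that connect to the external address: redirect them too.
# On its own this rule is not enough: the server and the client share a
# subnet, so the server would answer the client directly, the client would
# see a reply from an address it never talked to, and the connection hangs.
rdr on $int_if proto tcp from $int_if:network to $ext_if port 80 -> $web_server

# Keep the firewall's own traffic to the LAN out of the translation below.
no nat on $int_if proto tcp from $int_if to $int_if:network

# Rewrite the inside client's source to the firewall's internal address,
# so the server replies to the firewall and pf undoes both translations.
nat on $int_if proto tcp from $int_if:network to $web_server port 80 -> $int_if

# Filter rules see the translated (post-rdr) destination.
pass in on $ext_if proto tcp from any to $web_server port 80 keep state
pass in on $int_if proto tcp from $int_if:network to $web_server port 80 keep state
```

Load it with pfctl -nf /etc/pf.conf first to catch syntax errors, then pfctl -f. The price of reflection is that the web server's logs show every internal client as the firewall's internal address; if the log data matters, split DNS (an internal zone that resolves the name to 192.168.1.20) avoids the translation altogether.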


Re: blocking on scan attempts

2006-06-27 Thread Darrin Chandler
On Mon, Jun 26, 2006 at 07:45:07PM -0700, nobiscuit wrote:
> I gather it is possible to add IP addresses to a table using pfctl run
> with a cron job based on what has been logged from pf. However, this
> cron job would have to be run frequently to be any more effective than
> the  rule listed above.
> 
> I've been through the documentation and this mailing list.  Is there
> another way to add IP addresses to a table directly using a rule in
> pf.conf?  I can see the little bastards coming and I'd like to cut them
> off as quickly as possible.

I'm not sure about the archives here, but this comes up every few months
on [EMAIL PROTECTED]

One way is to use a log tail program, which would use pfctl to add the
address to the table.

Another way would be to rdr in pf.conf to a simple daemon which would
add the address. You'd have to do this yourself, and you'd want to be
careful!

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


Re: blocking on scan attempts

2006-06-27 Thread Darrin Chandler
On Tue, Jun 27, 2006 at 02:38:06PM -0500, Travis H. wrote:
> There's some discussion there as to the wisdom of this; since scans
> are trivially spoofed, it could lead to a DoS.

I'm usually on the side against blocking. My reasons, more or less in
order:

* It wastes time and resources
* Possible DoS situations
* It's ineffective (see below)

Anyone really serious about getting into your site probably will be
scanning with a botnet. You can block 30 machines, but they still find
out what they wanted to know and use yet other machines to mount their
attacks.

I have not been attacked, but I've seen the onslaught of botnet scans
(scans of a certain type occurring within a short time from diverse
places).

My conclusion is that your time is best spent securing the network and
individual boxes, and less time blocking drive-by shooters (who won't be
back anyway). YMMV.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
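An added pf.conf example for the two replies above (it is not from either post): the table that a log-tailing script would fill with "pfctl -t scanners -T add <addr>", the rules that consume it, and, as the direct in-pf.conf alternative the original question asked about, pf's own overload option, which adds the offending source to the table without any external program. The DoS caveat from the second reply is handled by a trusted table that is checked before the overload rule. Interface name, addresses and thresholds are assumptions.

```pf
# Added example: a scanner table and the rules around it. Assumed values.
ext_if = "fxp0"

# Addresses that must never be blocked, whatever the log says: a scan with
# a spoofed source could otherwise lock out your own networks.
table <trusted> persist { 192.168.1.0/24, 203.0.113.10 }

# Filled either by an external log tailer (pfctl -t scanners -T add <addr>)
# or by the overload option below.
table <scanners> persist

# Trusted hosts are passed with "quick", so they never reach the overload
# rule and can never be added to <scanners> by it.
pass in quick on $ext_if proto tcp from <trusted> to port ssh keep state

# Everything listed in the table is dropped before any further evaluation.
block in quick on $ext_if from <scanners>

# In-pf.conf alternative to a log tailer: a source that opens more than
# 10 new SSH connections within 30 seconds is added to <scanners>, and
# "flush global" removes every state that source already holds.
pass in on $ext_if proto tcp to port ssh keep state \
    (max-src-conn-rate 10/30, overload <scanners> flush global)

# Entries should not live forever; from cron, drop ones older than a day:
#   pfctl -t scanners -T expire 86400
```

Whichever way the table is filled, the same two checks apply: exempt your own address space before anything can add to the table, and expire entries, since a spoofed or long-gone source costs you nothing but a stale entry costs you a blocked legitimate host.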


Re: rdr over ip alias

2006-07-25 Thread Darrin Chandler
On Tue, Jul 25, 2006 at 04:52:49PM -0400, mnothic wrote:
> yeah, but it doesn't work for me on OpenBSD 3.9 with 2 NICs, wan and lan
> 
> I have NAT on the primary IP and "rdr ... to $alias_whit_second_public_ip
> port 80 -> $prv_machine"
> but the traffic doesn't work, and without the alias the same rule works.
> 
> works:
> rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> $web_server port 80
> 
> doesn't work:
> rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server port 80

Remember that unlike filtering rules, nat/rdr use the first match
instead of the last. Does something above your "$alias port 80 ->" rule
also match? Perhaps something with ($ext_if)?

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
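The first-match behaviour described in the reply, as an added pf.conf example (not from the thread) in pre-4.7 syntax. Interface, alias and server addresses are assumptions.

```pf
# Added example of an rdr rule shadowed by an earlier one. Assumed values.
ext_if = "fxp0"
alias = "203.0.113.20"        # second public IP, an alias on $ext_if
web_server = "192.168.1.20"
web_server2 = "192.168.1.21"

# Broken ordering. An interface name used as an address, with or without
# the parentheses, expands to every address configured on that interface,
# the alias included. So the first rule already matches connections to
# $alias port 80, and since nat/rdr stop at the first match, the second
# rule is never reached: both sites end up on $web_server.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server
rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server2

# Fixed: put the more specific alias rule first, and use the ":0"
# modifier so the general rule covers the primary address only.
rdr pass on $ext_if proto tcp from any to $alias port 80 -> $web_server2
rdr pass on $ext_if proto tcp from any to $ext_if:0 port 80 -> $web_server
```

To see which rule actually wins, pfctl -s nat lists the loaded nat/rdr rules in evaluation order with macros and interface names already expanded, and pfctl -vs nat adds per-rule evaluation and packet counters, so a rule whose counters never move is the one being shadowed.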


Again... transparent bridge + spamd

2007-01-15 Thread Darrin Chandler
I've got something of a crisis helping an admin with a huge spam
problem. So I'm trying to put together a transparent bridge with spamd
in front of a mail server.

I've been reading archive posts here, on misc@openbsd.org and anywhere
else I can find, but I'm not getting anywhere.

Seems that no matter what I do, traffic goes over the bridge and will
not rdr to 127.0.0.1. I tried doing the route-to, etc.

Does anyone have this working, and willing to share the secret? Or I
will gladly post my configs if someone will help!

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


Re: Again... transparent bridge + spamd

2007-01-15 Thread Darrin Chandler
Okay, never mind!

After MORE looking I finally found the article on undeadly with simplest
complete configs and it works like a charm. Phew!

Thanks for your patience.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


Re: Again... transparent bridge + spamd

2007-01-15 Thread Darrin Chandler
On Mon, Jan 15, 2007 at 02:53:03PM -0600, Neil Brockman wrote:
> You don't mention if the mail server is an OpenBSD machine.  Is it?  If 
> so, then you don't really have to place spamd  on the bridge.  spamd 
> places a minimal load on its host.

Alas, it's a Linux box and it's outdated. It's not normally within my
purview. It's for a sister company (ISP) and the current admin was
hitting a wall trying to fight spam. Now, the company mail server that I
maintain is obsd w/ spamd, and it runs fine...

> If you are not running an OpenBSD mail server, you can redirect through 
> an OpenBSD box so that the OpenBSD box acts as a firewall of sorts for 
> the mail server.  Since bridges don't have IP addresses of their own you 
> won't have much luck using spamd on a bridge.  This is because the 
> bridge itself does not accept connections.

I did get the setup working on a bridge with an IP address on the
external interface, per the undeadly article. Slick as can be, since I
can leave the existing mail server in place with all its intricate
config stuff. It's working great, and the stress on the mail server is
way down. Pure goodness.

The article I mention is at
http://undeadly.org/cgi?action=article&sid=20061108134508

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |


Re: Slow SSH connection

2008-02-24 Thread Darrin Chandler
On Sun, Feb 24, 2008 at 05:27:42PM +0100, Jordi Espasa Clofent wrote:
> A few points:
>
> * With pf disabled you get the ssh Password prompt in (approx) 3 seconds.
> * With pf enabled you'll get the ssh Password prompt in (approx) 15 seconds.

Ok.

> * The use of ssh verbose flags (-vvv) is the same with or without pf.

Can you tell with -vvv where the delay is happening? Without pf it's 3
secs so everything should be zing, zing, zing. With pf the delays should
be easy to spot with -vvv.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation


Re: A PF Certification - what do you think?

2008-07-10 Thread Darrin Chandler
Peter,

On Thu, Jul 10, 2008 at 12:10:50PM +0200, Peter N. M. Hansteen wrote:
> Would creating a PF certification be worth putting some effort into?
> 
> The reason I'm asking is that the good people over at The BSD
> Certification Group (http://www.BSDCertification.org/) are pondering
> that very question, and they contacted me about it.  My response was
> essentially "yes, it would be useful to have a certification, mainly
> because it would make PF (and by extension, OpenBSD and the other
> BSDs) more visible at the suits level, making a useful certification
> would be a lot of work, though".
> 
> A lot of work, and making it into a useful certification depends
> critically on Subject Matter Experts (aka SMEs, or please look in the
> mirror) and the quality of the work they do when specifying the task
> requirements that go into the certification specification.

I came in (part way through the process) as an SME for the BSD
certification, and I must say the group tried very hard to make the test
meaningful and did a great job. Passing the test is not something
trivial, and would show well grounded BSD knowledge. So I believe the
test itself is worthwhile.

The other part, the MAJOR part, is to get employers to buy into it as
meaningful. I don't know how well that part is going. Hopefully it's
going well among the companies who are looking for BSD expertise.

> So, my fellow PF SMEs, would you like to be involved in this, and
> contribute to creating a PF certification.  I would like to have your
> input, including but not limited to 'would it be more useful with a
> multi-level certification', and of course any input on what the task
> and skills spec should contain.

Due to other recent commitments I can't participate as I did for the BSD
cert. I do think that a multi-level or "areas of competency" test would
be a nice approach.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation


Re: spamd & greylisting and gmail

2008-11-25 Thread Darrin Chandler
Gmail provides SPF which describes valid outgoing IP addresses.

You can use 'dig' or 'host' commands to fetch SPF records like so:

$ host -ttxt gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"

$ host -ttxt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19
ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
ip4:207.126.144.0/20 ?all"

It shouldn't be too much trouble to script the lookups for you. In fact,
I have a half-baked python script that you can use as a starting point:

http://phxbsd.com/OpenBSD/mystuff/spf_whitelist.py

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
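An added pf.conf example (not from the post, and not the linked script) showing what to do with the SPF networks once they have been looked up: put them in a table and exempt that table from the spamd redirection. The networks are the ones in the host output above as of the post's date; they change, so the list has to be regenerated and reloaded. The interface name is an assumption, and the pre-4.7 "no rdr" syntax is used.

```pf
# Added example: let mail from Gmail's published SPF networks bypass spamd.
# Interface name assumed; networks copied from the host -ttxt output above.
ext_if = "fxp0"

table <spamd-white> persist
table <gmail> persist { 216.239.32.0/19, 64.233.160.0/19, 66.249.80.0/20, \
                        72.14.192.0/18, 209.85.128.0/17, 66.102.0.0/20, \
                        74.125.0.0/16, 64.18.0.0/20, 207.126.144.0/20 }

# nat/rdr use the first match, so the exemptions must precede the catch-all.
no rdr on $ext_if proto tcp from <gmail> to any port smtp
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr pass on $ext_if inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Exempted senders are not redirected, so they still need a pass to the MTA.
pass in on $ext_if proto tcp from any to $ext_if port smtp keep state
```

When the lookup script produces a fresh list, write the networks one per line to a file and swap the table contents without a ruleset reload: pfctl -t gmail -T replace -f /etc/mail/gmail-nets (path assumed). Note that SPF describes where Gmail sends from, not who sends; anything leaving those networks skips greylisting, so the table is a whitelist of infrastructure, not of senders.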




Re: synproxy issue

2008-12-05 Thread Darrin Chandler
Stephan,

On Fri, Dec 05, 2008 at 09:14:10AM +0100, Stephan A. Rickauer wrote:
> 
> $ lynx -dump -head http://cds.sun.com
> 
> The matching pf rule is:
>  pass in log quick inet proto tcp to port http synproxy state
> (with default pass out policy)
> 
> However, the http connection stalls. Changing the above rule to:
>  pass in log quick inet proto tcp to port http modulate state
> 
> "fixes" the stall and the header is transmitted by the webserver just
> fine.

Does this happen with hosts other than cds.sun.com?

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation

