Re: A moment of silence for a fallen comrade...

2004-12-09 Thread James Cammarata
At 03:15 AM 12/9/2004, David A. Ulevitch wrote:
It'd probably be smart to just keep the openbsd firewall in place, even
with a blank ruleset, behind the PIX.
A PIX can't handle any traffic once it has a serious ruleset.
-davidu
That is actually our plan down the road.  We're going to have another 
firewall protecting our servers from our user base, and as a second line of 
protection in case of an intrusion.  My boss knows you shouldn't have two 
of the same firewall protecting your network, so we'll definitely be using 
OpenBSD for that.

At 10:54 AM 12/9/2004, you wrote:
What was their reasoning for switching from OBSD --> Cisco?  They weren't
spending enough money? ;)
~M
Apparently.  We had a consulting company come in that has a lot of sway 
with upper management and their big buzzword was Cisco (we're also forced 
to ditch our 3com switches for Cisco's...).  So our steering committee is 
making us do the transition, even though this consulting company did an 
intrusion test on us and got nowhere ;)

James Cammarata
[EMAIL PROTECTED]
www.sngx.net
home: 314-966-5976
work: 314-872-2426
cell: 314-409-0583
__
Out the Ethernet, through the router,
down the fiber, off another router,
down the T1, past the fire-wall
..nothing but Net


A moment of silence for a fallen comrade...

2004-12-09 Thread James Cammarata
I'd just like to have a moment of silence for my company's OpenBSD firewall.
It has served us well for over a year (no intrusions is "well", isn't it?), 
but the powers that be are demanding we actually install the Cisco PIX that 
we bought a couple of months ago.  So this weekend we're throwing the 
switch on the super reliable whitebox we've been using to guard our company 
and installing the PIX.  My coworker and myself both use OpenBSD for our 
home networks so not all is lost, hopefully in the future we'll be able to 
swing the pendulum back our way again :)

James Cammarata


pfm up to 0.05

2004-08-04 Thread James Cammarata
Two more updates from today, up to version 0.05.
Changes:
* altq / queue rules parsed
* table rules are now parsed
Tomorrow should bring options parsing as well as all anchor rules, and that 
will round out the majority of the parsing section.  By Thursday I plan to 
have OS fingerprinting and a few other options I missed from the filter 
rule parsing added in as well.

As usual, you can get the latest tar at http://24.107.132.68/  I leave the 
old ones up for historical reasons, please just always grab the newest one.

Any questions / comments so far?
James Cammarata


pfm 0.02 available

2004-08-03 Thread James Cammarata
Here is my effort to date.  I'll call mine PFM (pf manage) to differentiate 
it from Johan's work.

New features:
* full recursive descent parser for the rulesets
* NAT/RDR support (working on BINAT)
* supports state, flags, tag, tagged, and queues for filter opts
(labels, user, group and others could be added easily, due to the 
flexibility of the new parser)
* I had macro support working, but since I redid the parser I have yet to 
re-add it.  It is trivial to do however and will be redone soon.
* filter rules support table names
* the parser correctly does route options now, but I haven't added the 
ability to edit them to the interface yet.
* the parser correctly parses out every kind of "block return" option now, 
including the ICMP ones, but again, no way to view this on the edit 
interface yet.

I've made the code available on my website.  Be kind, it's only a 384kbps 
upload speed, even if it is a 27K file :)
http://24.107.132.68/pfm-0.02.tar.gz

If you want to test rules, you can do it with a simple python script like this:
#---
from PFParse import pf_rule, pf_nat, display_obj
display_obj( pf_rule('YOUR FILTER RULE GOES HERE') )
display_obj( pf_nat('YOUR NAT RULE GOES HERE') )
#---
It is not very technical, basically it just dumps the hash object out in an 
alphabetical manner.  You can inspect the lines to see if each element of 
the rule was done correctly.  Good enough for testing though :)

Things that are borked:
* like I said, macro parsing is gone temporarily.  These are so easy to 
parse out though that I didn't even worry about it.
* filterrule.py:
	1) ports are whacked.  The filter object originally contained a string,
	now it's an array.  This messes things up and I haven't fixed them yet.
	2) can't edit some options like the return-icmp commands, some of
	the new filter opts like tag, tagged, etc., and routing options
* binat syntax sucks.  It is so close to NAT and RDR but it just has to be 
different and screw things up doesn't it...
* can someone please explain what the hell "sticky-address" does?  It looks 
like it is something that needs to be parsed out according to the BNF but 
there is no other reference to it.
* the key (string or hex) for the "source-hash" pool type does not get 
parsed out yet.  This will cause the line to parse incorrectly if you have 
this kind of entry.
* there's probably other cases where one thing may not parse correctly, I'm 
just forgetting what.

So please, give it a try.  Throw some rules at it, see if your ruleset will 
export (the filter rules and NAT/RDR stuff anyway).  Let me know if it 
bombs on too much.

Thanks!
James Cammarata
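The recursive-descent approach the pfm posts above describe, as an added Python example that is not pfm's own code: a parser for a small subset of pf filter rules. The grammar is assumed (trimmed from pf.conf(5)) and covers only the rule forms that appear in these posts; it raises ValueError on anything outside that subset.

```python
"""Recursive-descent parser for a small subset of pf(4) filter rules (added
illustration, not pfm's code).  Grammar assumed here, trimmed from pf.conf(5);
braces, macros, tables, route-to and port ranges are not handled:
  rule = ("pass"|"block" [return]) ["in"|"out"] ["log"] ["quick"] ["on" iface]
         ["inet"|"inet6"] ["proto" p] ("all" | [from [port]] [to [port]]) ["flags" set/mask] [("keep"|"modulate") "state"]"""
import re

ACTIONS = {"pass", "block"}
RETURNS = {"drop", "return", "return-rst", "return-icmp"}
DIRECTIONS = {"in", "out"}
FLAG_RE = re.compile(r"^([FSRPAUEW]*)/([FSRPAUEW]*)$")  # e.g. S/SA


class RuleParser:
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        # Consume one token, optionally requiring a specific keyword.
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def accept(self, word):
        # Consume `word` if it is next; report whether it was there.
        found = self.peek() == word
        self.pos += found
        return found

    def rule(self):
        r = {"action": self.take(), "state": None}
        if r["action"] not in ACTIONS:
            raise ValueError(f"unknown action {r['action']!r}")
        if r["action"] == "block" and self.peek() in RETURNS:
            r["return"] = self.take()
        if self.peek() in DIRECTIONS:
            r["direction"] = self.take()
        r["log"] = self.accept("log")
        r["quick"] = self.accept("quick")
        if self.accept("on"):
            r["iface"] = self.take()
        if self.peek() in ("inet", "inet6"):
            r["af"] = self.take()
        if self.accept("proto"):
            r["proto"] = self.take()
        if self.accept("all"):
            r["from"], r["to"] = {"host": "any"}, {"host": "any"}
        else:
            if self.accept("from"):
                r["from"] = self.endpoint()
            if self.accept("to"):
                r["to"] = self.endpoint()
        if self.accept("flags"):
            m = FLAG_RE.match(self.take())
            if not m:
                raise ValueError("flags must look like S/SA")
            r["flags"] = {"set": m.group(1), "mask": m.group(2)}
        if self.peek() in ("keep", "modulate"):
            r["state"] = self.take()
            self.take("state")
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return r

    def endpoint(self):
        ep = {"host": self.take()}
        if self.accept("port"):
            ep["port"] = self.take()
        return ep


def parse_rule(text):
    """Parse one rule (a trailing '# comment' is dropped) into a dict."""
    return RuleParser(text.split("#", 1)[0].split()).rule()
```

Feeding it the filter rules quoted later on this page (for example `block return-rst in log proto tcp from any to any` or `pass out on xl0 proto tcp from any to any flags S/SA modulate state`) shows which fields a ruleset editor has to round-trip; a `rdr`/`nat` line is rejected because translation rules have a different grammar.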


pfm 0.03 available

2004-08-03 Thread James Cammarata
Ok, already got some extras done tonight... so I'm moving it up to 0.03.
New stuff:
* binat is parsed correctly
* macros work again
Here's the page for it:
http://24.107.132.68/
Anyone else find it funny I got all that done before I ever got the last 
email back from the list that I sent?  Is it just me or does it take a 
while for the email list to respond?

If it's not just me, I think we all need to chip in and get Daniel a new 
mail server :)

James Cammarata


Re: Introducing pfw - web frontend for pf

2004-07-27 Thread James Cammarata
This is roughly where I am at too ;)  I'm working on the NAT rule editing now.
At 06:09 PM 7/25/2004, Johan Allard wrote:
I've just made the first public release of pfw - a web frontend for pf - 
available on http://www.allard.nu/pfw. It's still in its early 
development and it is functional enough for you to have a play with right now.

Through the web interface, you can edit filters, macros and address 
translation (for now) and install them, all through the web interface.

Have a look on http://www.allard.nu/pfw, I have put up some screenshots as 
well, and let me know what you think.

Enjoy!
//johan

James Cammarata


PFmanage version -10

2004-07-11 Thread James Cammarata
Yes, version -10... it's that bare so far.  But I thought I'd get some 
early input on the interface and what not so you guys can play with it all 
you want. I'll try working on this more than one day a week, whether work 
permits it or not ;)

I did go with suggestions to ditch Zope.  Everything is done in pure Python 
now.

http://24.107.132.68/cgi-bin/view_filter_rules.py
ToDo (for now):
1) Implement route-to in the rule parsing (notice these don't parse 
correctly if you edit them).
2) Finish off the queue parsing (these don't work yet either for editing)
3) Saving/Inserting new rules
4) Implementing definitions for interfaces.

The last one is puzzling me.  I'm thinking of limiting definitions to only 
be allowed for interfaces, or if you want a def to appear on the interface 
list it has to start with $IF_.  Any other suggestions?

The samples on there are from my firewall, so don't hack me pls 
;)  Remember, I'm no expert on pf syntax, so feel free to correct me if 
I've made some incorrect reads on the BNF.

Finally, here is the working idea:
Main Screen
|--- Checkout ruleset
	|--- Rules are parsed into individual files for individual editing and syntax checking
	|--- In the future, you'd be allowed to check out rulesets on different systems
|--- Save currently checked-out ruleset.
	|--- this will remerge the files into the single pf.conf
|--- Edit Filter rules (what I have mostly currently done)
	|--- Edit Rules
	|--- Delete Rules
	|--- Insert a new rule
|--- Edit Queue rules
	|--- same options
|--- Edit NAT rules
	|--- same options

Enjoy...
James Cammarata


Re: how can cheap routers do it?

2004-07-11 Thread James Cammarata
At 01:25 PM 7/11/2004, you wrote:
On Wed, Jul 07, 2004 at 08:42:58AM +0200, the unit calling itself 
Jean-Francois Dive wrote:

> > How about the ability to handle IPSec passthrough???
> >
> > I think both IPSec/PPTP passthrough abilities would be a big + for PF
> > for people that are looking for this feature but stuck using a Linksys
> > router to do it...  I don't want to put any maps.. i just want it to
> > work.
> it's the nature of the protocol. Use nat-t and you should not have any
> problem...
>
I've looked through the pf user's guide, and can't find anything on
"nat-t"... How is nat-t accomplished in OBSD's pf?
It isn't yet, they are working on it last I heard.  At the start of June it 
was supposed to be done in 3 weeks.

James Cammarata


Re: carp + pfsync + sqlnet (Oracle)

2004-06-21 Thread James Cammarata
At 06:00 AM 6/16/2004, [EMAIL PROTECTED] wrote:
Does anybody protect any oracle rdbms (sqlnet protocol) using
obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
I assume you want to do a redundant DB correct?  Databases are not suited 
to this kind of failover, due to the lack of consistency between the files 
on different disks.  Your best bet is to use Oracle's built in redundancy 
(as expensive as that may be).  Creating a stand-by server is not cheap, 
but that is the kind of redundancy you want.

James Cammarata


Re: web interface?

2004-06-14 Thread James Cammarata
Thanks all for the insightful comments.  You've given me some extra things 
to look out for and some ideas for how to proceed in the near future.  I do 
believe there is a need for this, so I will keep working on it in my spare 
time, hopefully no one trumps me on this one due to me being overworked ;)

Currently I'm very early in the development of this, I basically coded for 
one night before I made my post to the list, and I was busy till now to 
reply.  The only thing I have done is a rule generation page, which gives 
most of the options I think people would like: the only thing really 
lacking is the route-to option.  Currently the program grabs the list of 
interfaces from ifconfig for the rule generation, and it parses out all the 
queues available from the conf and lets you add them to the rule.

Next up is parsing out rules and feeding them to this page so you can 
modify existing rules, and also the queue generation/parsing.  I'll be 
working on that this week.

Cheers,
James Cammarata


web interface?

2004-06-11 Thread James Cammarata
Is there any interest in this?  I am currently writing one in Python/Zope 
to manage the PF rules.  It's in the very early stages of planning so there 
isn't much to it yet, so I thought I'd ask people what they thought of the 
idea / Zope.  I personally love Zope for web development (use it for our 
Intranet at my company), so that's why I'm using it.  I could break out of 
it without too much pain now, and just have to rewrite the low-level CGI 
stuff myself.

Also, in the future I would like to write a daemon that allowed a single 
web interface to manage multiple firewalls.  This of course has many 
inherent risks so it's definitely just a thought right now, but Cisco does 
it and I'll be damned if they do something we can't do ;)

Anyway, any thoughts are appreciated.
James Cammarata


Filter on packet content

2004-01-28 Thread James Cammarata
Hi all.  My company recently underwent the first stages of a security 
review by a third-party.  In this first stage they gathered information 
about our network via publicly accessible records and such, and did some 
port scans and some other light probing to see what they could detect on 
our network.

The one thing that stuck out to me was this (from their report): "remote 
host does not discard TCP SYN packets that also have the FIN flag 
set."  This note appeared for every visible server they probed.  Now, I 
thought (based on the PF FAQ) that doing a scrub on incoming packets would 
stop this from happening.   The first line (well, 2nd really) of my pf.conf 
is "scrub in all".

Is something odd going on here?  All of our servers they probed are behind 
the firewall, so the scrub rule is in effect for all of them.  Is scrub 
just cleaning the packets instead of dropping them outright?

PS.  the actual first line of my pf.conf is:
# It puts the lotion on the packets... ;)


pfstat possible bug

2004-01-11 Thread James Cammarata
Hi all, don't know if this is the place to post this, but I found a
possible bug with pfstat.  I'm running a pretty simple conf, I just want
a graph for the last hour, last day, last week, and last month.

Here's the conf:
###
image "/var/www/htdocs/images/pfstat_hour.jpg" {
from 1 hours to now
width 960 height 300
...
}
 
image "/var/www/htdocs/images/pfstat_day.jpg" {
from 1 days to now
width 960 height 300
...
}
 
image "/var/www/htdocs/images/pfstat_week.jpg" {
from 1 weeks to now
width 960 height 300
...
}
 
image "/var/www/htdocs/images/pfstat_month.jpg" {
from 1 months to now
width 960 height 300
...
}
###

Everything is great, except the last graph.  It prints out 30 weeks
along the bottom instead of 30 days.  The x-axis is like this:
...-5 -4 -3 -2 -1 weeks

Is this a glitch/bug? Or something I've done wrong?





Re: dynamically updating anchors via pfctl

2004-01-04 Thread James Cammarata

is it correct that you have to reload the ruleset after adding a rule to 
an anchor like this?

echo "nat on ed0 inet from 172.16.55.2  to any -> ed0" | pfctl -a allownat:friso -f -

pfctl -F all ; pfctl -f /etc/pf.conf

it's the only way that it seems to work, just adding the rule without 
reloading /flushing does nothing...

running freebsd and pf
First off, I would recommend doing a "pfctl -Fn -f /etc/pf.conf" rather than 
what you have.  This will only wipe out your NAT rules without destroying 
your states and then reload them from the conf.

Secondly, can you add the -Fn rule to your echo statement above to flush 
the NAT rules there?  So it would be:

echo "nat on ed0 inet from 172.16.55.2  to any -> ed0" | pfctl -Fn -a allownat:friso -f -

Never tried it but it may work.  If not the first suggestion should make 
things a little smoother.  That's the way I reload the ruleset, so that I 
don't disrupt any connections that are currently in progress.

James Cammarata


Re: newbie help

2004-01-03 Thread James Cammarata

>Thanks for the helpful reply.
>
>If you know it so well, I guess you just aren't smart enough to figure out
>why I'm getting ftp errors in my messages file, cause if you were, I'm certain
>you would have to show off just how smart you are.
you really are a silly c*nt.
Ok, this is getting silly.

Stan, people here are mostly right.  There are dozens of variables in your 
problem and no one person here can be expected to figure out every little 
particular problem you have.  We do not have access to your computer and 
thus cannot diagnose your problem by looking at your conf and a couple of 
lines out of a log.

Your best bet is to familiarize yourself the best you can with how PF works 
and try to debug your problem as best possible.  It is obviously not a PF 
bug, it is a configuration problem.  So figure it out.

For the trolls, don't bombard the list with your ignorant profanity, you 
simply make yourself wrong in the argument and do not add anything useful 
whatsoever.  This guy may be a pain in the a$$, but that does not make 
him an open target for attacks, and you could be turning him off getting 
help for his problems in the future.  Do we want another clueless person 
out there in charge of securing computers? I think not.
James Cammarata


Re: transquid

2004-01-01 Thread James Cammarata
At 05:24 PM 1/1/2004 -0800, Bryan Irvine wrote:
I'm trying to follow the howto located at
http://www.benzedrine.cx/transquid.html
And I'm having problems.

Ideas? suggestions? cluestick?

--Bryan
Seeing your configs for Squid and PF would help, as well as any tcpdump's 
you might have.
James Cammarata


Re: HTTP/FTP Proxy not working

2004-01-01 Thread James Cammarata
Ok, figured out the problem.

I finally noticed that packets with destination 127.0.0.1 were being routed 
out my main external interface.  Why? Don't ask me. So I added this rule:

pass in quick on xl2 route-to lo0 from any to 127.0.0.1 keep state

Maybe this has something to do with the fact that I've got two external 
interfaces (xl0 goes to our old frac. T1, xl1 goes to our new full T1).  We 
use xl0 to service our WAN, with all the large traffic from our main 
support center going out xl1.  Anyone have some forensic analysis as to why 
I had to add this rule?

James Cammarata


Re: HTTP/FTP Proxy not working

2003-12-31 Thread James Cammarata

On Wed, 31 Dec 2003, James Cammarata wrote:
> # the local interface is wide open
> pass in  quick on lo0 all
> pass out quick on lo0 all
You really want the lo0 rules before any block rules, just to be sure.
Right, normally I'd agree but I doubt it makes a difference here.  I've got 
the global blocks first, followed by very specific blocking on the two 
external interfaces (which should not affect a 127.0.0.1 address at all) 
and then the pass quick for the loopback.  It wouldn't hurt to move the 
loopback stuff up first of course, but I'm sure that's not the problem.

> >What does 'tcpdump -i pflog0 -env' say when you start an FTP session?
>
> # tcpdump -env -i lo0
> tcpdump: listening on lo0
pflog0, not lo0.
I'm an idiot :|
I did answer this in the first email though, pflog0 was not showing any 
activity while the ftp program was trying to connect.  The command "ftp 
ftp.openbsd.org" on my test server caused this on xl2:

192.168.10.11.52157 > 129.128.5.191.21: tcp 0 (DF)

(192.168.10.11 being the internal computer I ran that command on).  Nothing 
appeared on lo0, pflog0, xl1, or xl0 after this packet came into xl2.
James Cammarata


Re: HTTP/FTP Proxy not working

2003-12-31 Thread James Cammarata
At 11:33 AM 12/31/2003 +0100, you wrote:

Do you have 'pass on lo0 keep state' ?  Forwarding enabled?
yep forwarding enabled, these are the first rules I have following my 
NAT/RDR rules:

# block everything by default
block return-rst in log proto tcp from any to any
block in log from any to any
# block in spoofs
# log these in case we want to analyze an attack
block in log quick on {xl0,xl1} from $spoof_ips to any
block in log quick on xl0   from any to $frsmurf_ips
block in log quick on xl1   from any to $t1smurf_ips
# the local interface is wide open
pass in  quick on lo0 all
pass out quick on lo0 all
# no ip6 pls...
block in  quick inet6 all
block out quick inet6 all
#

I did comment out the spoof blocking lines above (one of the spoof IP's in 
the list is 127.0.0.0/8), and it did not make a difference.

What does 'tcpdump -i pflog0 -env' say when you start an FTP session?
# tcpdump -env -i lo0
tcpdump: listening on lo0
# ifconfig lo0
lo0: flags=8149 mtu 33224
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
James Cammarata


HTTP/FTP Proxy not working

2003-12-31 Thread James Cammarata
Hi all, I'm having some problems with proxying on my OpenBSD 3.4 box.

I have squid installed, as well as enabling ftp-proxy exactly as the FAQ 
describes.

Here's what happens:
1) FTP program starts up
2) FTP packet hits xl2 (my internal interface)
3) Nothing else happens
The packet is not hitting xl0 or xl1 (my external interfaces) nor is it 
hitting lo0.  The same thing happens for Squid, as it is also listening on 
127.0.0.1.

Sample TCP dump:
tcpdump: listening on xl2
192.168.10.11.52157 > 129.128.5.191.21: tcp 0 (DF)
192.168.10.11.52157 > 129.128.5.191.21: tcp 0 (DF)
192.168.10.11.52157 > 129.128.5.191.21: tcp 0 (DF)
192.168.10.11.52157 > 129.128.5.191.21: tcp 0 (DF)
PF rules (right out of the FAQ):
# FTP Proxy
rdr on xl2 inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# SQUID
rdr on xl2 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
HTTP and FTP work fine if i comment out the above lines (FTP in passive 
mode only).

Here's the routing table regarding 127.0 IP's:

# route -n show | grep 127.0
127.0.0.0          127.0.0.1          UG
127.0.0.1          127.0.0.1          UH
::127.0.0.0        ::1                UG
I'm sure this is probably something stupid, but I'm new to this so I'd 
appreciate any help available.

James Cammarata


Strange Setup problems

2003-12-21 Thread James Cammarata
Ok, I've read the examples of load balancing outgoing connections, but this 
is not exactly what my company is trying to do.

1) We have a frame relay line that connects our WAN to our central office.
2) All internal IP address on this WAN (192.168.x.x) do not pass through 
the firewall.  They are split off by a router before they hit our firewall.
3) We have a new full T1 line that we want to service our central office, 
since it has much higher bandwidth requirements than all our branch offices.
4) We want all new outgoing traffic from our central office to go over the 
T1 line, and everything else will stay on the frame relay.

So this is basically a very screwed up kind of load balancing.

My problem is, when I turn on our firewall rules, I can see out just 
fine.  However, incoming packets are getting trapped somewhere.  After 
using tcpdump to watch the interfaces, this is what i see happening.

Packet comes in on xl0 (external interface 1)
Packet gets NAT'd and forwarded to xl2 (internal interface)
The internal server responds to the packet (ping for instance) and sends 
the reply
Packet goes out xl2
Packet never makes it to xl0 or xl1 (the other ext.if)

Admittedly, I'm a complete n00b when it comes to OpenBSD and PF.  Is there 
a setting i'm missing somewhere, is there a route i need to add? I'm 
completely in the dark as to what is happening and how the packets are 
being bounced from interface to interface.  It seems like xl2 is not 
forwarding to xl0, and I have no idea how to make it do that.

Here's a sample of a pf.conf I made for testing, it is a wide open setup as 
I was just trying to make the internal servers visible to the outside world


xl0 from any to X.X.X.X/32 -> 192.168.10.17/32
block in  log from any to any
block out log from any to any
pass in quick on xl0 all
pass in quick on xl1 all
pass out on xl2 from any to any keep state

pass in quick on xl2 from 192.168.0.0/16 to xl2

pass in on xl2 route-to (xl0 Y.Y.Y.Y) from 192.168.0.0/16 to any modulate state

pass out on xl0 proto tcp from any to any flags S/SA modulate state
pass out on xl0 proto {udp,icmp} from any to any keep state
pass out on xl1 proto tcp from any to any flags S/SA modulate state
pass out on xl1 proto {udp,icmp} from any to any keep state
pass out on xl0 route-to (xl1 Z.Z.Z.Z) from xl1 to any
pass out on xl1 route-to (xl0 Y.Y.Y.Y) from xl0 to any

As you can see, it is essentially based on the PF FAQ's load balancing example.

Any tips for a complete n00b?