urpf-failed vs. multiple routing tables?

2008-05-01 Thread Max Laier
Hi,

wouldn't it make sense to add a rtableid to urpf-failed?  It seems 
decreasingly useful without such an option - or am I missing something?

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: Making 'loops' in pf.conf

2007-01-10 Thread Max Laier

Am Mi, 10.01.2007, 14:18, schrieb Johan Segernäs:
> I have several networks in different IP nets and different incoming
> interfaces. I would like to make this a loop or something instead of, as
> it is now, different blocks.
>
> Today it looks like (very stripped down)
> pass in on $FOO_NET inet from $FOO_IPS to any keep state
> pass in on $BAR_NET inet from $BAR_IPS to any keep state
>
> Instead I would like to do it like
> for i in FOO BAR; do
>   pass in on ${i}_NET inet from ${i}_IPS to any keep state
> done
>
> Or something. Is this possible within pf.conf or would I have to make a
> shell loop creating this little extra pf config file and include in
> pf.conf?

pfctl -f- is your friend.  There are a million tools out there that are
simply made to do stuff like this, just feed the output to pfctl.  Also
take a look at:
http://blog.xbsd.org/2006/11/04/freebsdpf-include-command-hack/

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: stateful matching vs. local inet6

2006-08-04 Thread Max Laier
On Friday 04 August 2006 13:13, Fabian Keil wrote:
> Max Laier [EMAIL PROTECTED] wrote:
> > On a box running sshd (or something listening on an inet6 tcp port)
> > load the following ruleset:
> >
> > pass quick on lo0 all
> > pass quick on bge0 inet all
> > block drop log all
> > pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
> >   flags S/SA keep state
> >
> > where bge0 is a real interface and 3000::1 is configured on that
> > interface. Then try telnet 3000::1 22 and see if it works and
> > provide me with a tcpdump from pflog0 during the connection
> > attempt - whether it works or not.
>
> On OpenBSD 3.9 with GENERIC kernel and the following ruleset:
>
> pass log quick on lo0 all
> pass quick on ne3 inet all
> block drop log all
> pass in log (all) on ne3 inet6 proto tcp from any to 3000::1 port = ssh
> flags S/SA keep state
>
> [added log in the first line and changed log-all to log (all) in the
> last one]
>
> telnet works and the log shows:
> Aug 04 13:07:08.201358 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.201772 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.204606 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.205024 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.205758 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.205867 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.954137 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.954581 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:09.150295 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:09.150509 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:37.841839 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:37.842188 rule 0/(match) pass in on lo0: [|ip6]
> [...]
>
> Is that enough information, or do you need the actual binary
> file?

No, that's fine.  Thanks a lot.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


stateful matching vs. local inet6

2006-08-03 Thread Max Laier
Hi,

can somebody try the following on a recent OpenBSD box?  I'm in the middle of 
reshuffling my hardware (for a couple of months now *sigh*) and don't have a 
test setup handy.  Thanks.

On a box running sshd (or something listening on an inet6 tcp port) load the 
following ruleset:

pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
  flags S/SA keep state

where bge0 is a real interface and 3000::1 is configured on that interface.  
Then try telnet 3000::1 22 and see if it works and provide me with a 
tcpdump from pflog0 during the connection attempt - whether it works or not.

Thanks - much appreciated.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: macros and anchors

2005-01-30 Thread Max Laier
On Saturday 29 January 2005 12:52, Peter Huncar wrote:
> Hi
>
> Is there any way to manage macros across rulesets?
> Because if you use the same macros in the main ruleset and in some rulesets
> which will be loaded into anchor points, you have to change multiple files
> And if you want to change any macro used, you have to change it in every
> ruleset where the macro is used.

$cat /etc/pf.macros rules.conf | pfctl -f-

Also pfctl(8)'s -D switch is helpful in some cases.

> :) I spent an hour searching why my rule isn't working :) .
>
> Thank you a lot. Great job you're doing.
>
> Hunci

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News
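The two answers above (the 2007 "loops in pf.conf" reply and the macros reply just above) come down to the same pattern: generate the repetitive part of the ruleset with an ordinary tool, put the shared macro file in front of it, and pipe the whole thing into pfctl reading from standard input. The following POSIX sh script is an added example of that pattern, not code from the list posts or from the pf project; the macro naming convention (NAME_NET for the interface, NAME_IPS for the address block), the em0/em1 interfaces and the address blocks in the sample macro file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list posts): build repetitive pf rules from a
# list of network names and hand the result to pfctl on standard input, the
# "cat macros rules | pfctl -f -" pattern recommended in the threads above.
# Assumed convention: each network NAME has macros NAME_NET (the interface)
# and NAME_IPS (its address block) defined in a shared macro file.

# Emit one "pass in ... keep state" rule per network name given as argument.
gen_rules() {
    for i in "$@"; do
        printf 'pass in on $%s_NET inet from $%s_IPS to any keep state\n' "$i" "$i"
    done
}

# Produce the complete ruleset: the shared macro file first, so every macro
# is defined before a generated rule references it, then the generated rules.
load_rules() {
    macros=$1
    shift
    cat "$macros"
    gen_rules "$@"
}

# Feed the generated ruleset to pfctl without writing a temporary file.
# PFCTL can be overridden, e.g. PFCTL="pfctl -n" to parse without loading.
apply_rules() {
    macros=$1
    shift
    load_rules "$macros" "$@" | ${PFCTL:-pfctl} -f -
}

# Constructed sample macro file (interfaces and address blocks are made up
# for this example); written to the path given as the first argument.
write_sample_macros() {
    cat > "$1" <<'EOF'
FOO_NET = "em0"
FOO_IPS = "{ 10.0.1.0/24 }"
BAR_NET = "em1"
BAR_IPS = "{ 10.0.2.0/24 }"
EOF
}
```

Run `PFCTL="pfctl -n" apply_rules /etc/pf.macros FOO BAR` first to have pfctl parse the generated ruleset without loading it, then drop the override to load it for real. `load_rules` on its own prints exactly what pfctl will read, which is the quickest way to see why a macro did not expand the way you expected.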


Re: Strange behaviour with PF on FreeBSD 5.3-STABLE

2004-11-26 Thread Max Laier
On Friday 26 November 2004 14:58, Jonathan Weiss wrote:
> Hi folks,
>
>
> Since yesterday my PF firewall acts strange. I have not touched the ruleset
> and tried a new one only with pass-rules, but the problem is still there.
>
> I cannot go through the tunnel interface tun0 of ppp (I use DSL here in
> Germany). Even a pass on tun0 will not change anything.
>
> #pfctl -s rules
> block return log-all all
> pass on tun0 all
> pass on ed0 all
> pass on vr0 all
>
>
> vr0 is the internal interface and ed0 the external. I am connected through
> ppp with my ISP. Within the internal network over vr0 (192.168.0.0/24) I
> can connect to a ssh-server on 192.168.0.196 for example, but ssh (or
> telnet or whatever) will not work to an external ip.
>
> If I drop the block rule and reload the ruleset, it works! I can connect to
> an external ssh-server.
>
> Does anybody have an idea?

You are supposed to have a NAT rule somewhere. Please let us know the complete 
ruleset (including translation rules) and include match counters so that 
people can figure out if a certain rule is matched at all (pfctl -vv -sn -sr).

Make sure that the NAT rule has dynamic address tracking (as I think you get a 
dynamic IP from your ISP). The rule should look something like:
 nat on tun0 from $internalnet to any -> (tun0)

Also note that we have a pf-related mailing list on FreeBSD, called 
[EMAIL PROTECTED] You might want to subscribe and take the discussion 
there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: Strange behaviour with PF on FreeBSD 5.3-STABLE

2004-11-26 Thread Max Laier
On Friday 26 November 2004 19:05, Jonathan Weiss wrote:
> Hi Max,
>
> > You are supposed to have a NAT rule somewhere. Please let us know the
> > complete ruleset (including translation rules) and include match counters
> > so that people can figure if a certain rule is matched at all (pfctl -vv
> > -sn -sr).
>
> This was my complete ruleset, as I switched from my default ruleset in
> order to debug the problem.
>
> ext_if=ed0
> int_if=vr0
> tun_if=tun0
> internal_net=192.168.0.0/24
>
> set loginterface $tun_if
>
> #nat on $tun_if from $internal_net to any -> ($tun_if)
>
> #default block
> block return log-all
>
> pass on $tun_if
> pass on $ext_if
> pass on $int_if
>
> --
> pfctl -vv -sn -sr
> @0 block return log-all all
>   [ Evaluations: 2171  Packets: 1130  Bytes: 69021   States: 0
> @1 pass on tun0 all
>   [ Evaluations: 2171  Packets: 0 Bytes: 0   States: 0

Hmmm ... tun0 is never matched against. Can I have a look at $ifconfig and 
$pfctl -vvsI ? Also try to watch pflog ($ifconfig pflog0 up && tcpdump 
-vvvnei pflog0). What does it say?

> @2 pass on ed0 all
>   [ Evaluations: 2171  Packets: 0 Bytes: 0   States: 0
> @3 pass on vr0 all
>   [ Evaluations: 2171  Packets: 1041  Bytes: 65738   States: 0
>
> > Make sure that the NAT rule has dynamic address tracking (as I think you
> > get a dynamic IP from your ISP). The rule should look something like:
> >  nat on tun0 from $internalnet to any -> (tun0)
>
> I use the NAT from ppp, but I think that this is not related, as the
> problem occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE
> of yesterday). The firewall itself (and everything behind it) cannot
> connect over ppp to external servers when the default block rule is
> activated.

Hmmm - strange. Might be related to the pf_if.c changes. What version are you 
running? RELENG_5? RELENG_5_3? HEAD? Did you (src-)update your kernel before 
the symptoms occurred?

pf_if.c:  1.5.2.2 (RELENG_5) or 1.7 (HEAD)?

> When I deactivate the rule, everything runs smoothly.
>
> > Also note, that we have a pf related mailinglist on FreeBSD, called
> > [EMAIL PROTECTED] You might want to subscribe and take the
> > discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>
> Thanks, I will subscribe. Should we move this discussion to the
> freebsd-centric mailing list?

I just did.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: new ftp proxy: pftpx

2004-11-24 Thread Max Laier
On Wednesday 24 November 2004 21:32, Camiel Dobbelaar wrote:
> On Thu, 25 Nov 2004, Marcos Biscaysaqu - ThePacific.net wrote:
> > Do you know if it works on freebsd?
>
> Not sure.
>
> The two most important parts are:
> - recursive anchors (appeared in OpenBSD 3.6).  Maybe Max knows when those
> went into FreeBSD?

They will not come to the 5-STABLE branch, as we don't do user visible changes 
in the STABLE branch. So it will not be until 6-STABLE before we have 
recursive anchors in a FreeBSD Release. Do you really *need* recursive 
anchors? I'd guess one could work around this requirement.

> - libevent  0.8 (from ports/devel/libevent)
>
> Anything else that crops up should be easily fixable.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: ftp throu transparent filtering bridge

2004-11-23 Thread Max Laier
On Tuesday 23 November 2004 12:50, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
> > On Tue, 23 Nov 2004, Roman Marcinek wrote:
> > > Are there any smarter solutions I haven't found yet? I know that
> > > linux's iptables make use of special connection tracking module for ftp
> > > to handle that problem but ... is there anything like this for OpenBSD?
> >
> > Ok, let me plug my own program again:
> >
> > http://www.sentia.org/ftpsesame
>
> Duh, at least get the link right:
>
> http://www.sentia.org/projects/ftpsesame

Heh, happens to the best. Any chance to see this as a FreeBSD port? Sounds 
interesting.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: pfctl and macro expansion

2004-10-08 Thread Max Laier
On Friday 08 October 2004 15:43, Ben wrote:
> On Fri, Oct 08, 2004 at 08:53:11AM -0400, Jason Opperisano wrote:
> > > It'd be really useful if I could expand macros with subnets in, save
> > > duplicating IP blocks all over the ruleset. Is this a bug with me or
> > > pfctl?
> >
> > this has been covered in the archives several times.  you need extra
> > quotes, as in:
>
> Ah, fantastic, thanks. I had a look around the website and manpages,
> perhaps adding this to the FAQ or manpage would stop people like me in
> future.

How about this diff?

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News
Index: pf.conf.5
===
RCS file: /usr/store/mlaier/ocvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.301
diff -u -r1.301 pf.conf.5
--- pf.conf.5	21 Sep 2004 16:59:11 -	1.301
+++ pf.conf.5	8 Oct 2004 16:19:04 -
@@ -100,6 +100,18 @@
 pass out on $ext_if from any to any keep state
 pass in  on $ext_if proto tcp from any to any port 25 keep state
 .Ed
+.Pp
+Note that there is a parser problem with recursive macros and netmask
+specifications.
+In order to use network specifying macros recursively you must double quote
+them.
+.Pp
+For example,
+.Bd -literal -offset indent
+net1 = \\'10/8\'\
+net2 = \\'192.168.0/24\'\
+nets = \{\ $net1 $net2 \}\
+.Ed
 .Sh TABLES
 Tables are named structures which can hold a collection of addresses and
 networks.
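Review bot: the example in the new .Bd -literal block does not match the sentence above it. The prose says network macros must be double quoted, yet the three example lines (`net1 = \\'10/8\'\`, `net2 = \\'192.168.0/24\'\`, `nets = \{\ $net1 $net2 \}\`) show single quotes wrapped in backslash escapes, which reads like an escaping slip in the mdoc source rather than something a user could paste into pf.conf. Suggest writing the three lines exactly as they would appear in pf.conf, and, since the paragraph documents a parser limitation, saying which level needs the quotes (the inner network macros, the outer list macro, or both) so the reader knows where to put them.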


Re: CIDR notation - block spam 220.87.30.0/24

2004-10-06 Thread Max Laier
On Wednesday 06 October 2004 18:39, i.t Consulting wrote:
> hallo,
>
> maybe I've a misunderstanding of the notation
> 220.87.30.0/24
> for pf.conf
>
> Being not a fan of spamd I'll try to save bandwidth blocking spam - access
> to port 25 - with pf and read a table with some blocks, e.g.
> # out of koreanet 220.87.30.0/24
> # India's Premier Broadband and IPTV services 203.115.64.0/24
> or asiapac1
> 210.0.0.0/8
>
> the postfix mailserver tells me today:
> Oct  6 18:06:16 yak postfix/smtpd[27628]: NOQUEUE: reject: RCPT from
> unknown[220.87.30.15]: 450 Client host rejected: cannot find your hostname,
> [220.87.30.15]; from= to=[EMAIL PROTECTED] proto=SMTP helo=HGK
>
> do I have to go back to the cidr-basics ?

Going back to "valuable problem reports"-basics might be a good idea ...

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Should dynamic addresses include non-routables?

2004-08-07 Thread Max Laier
Hi,

http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/69954 made me aware of a 
problem in the handling of dynamic addresses:
Right now it uses all addresses (or the first for :0) in the interface 
address list. As the PR shows this is not always appropriate. In this special 
case ppp does not remove the address used during IPCP negotiation from the 
list, but only removes the routing for it. A simple check for IFA_ROUTE (== 
RTF_UP) presence does fix it.
I am unsure, however, if this breaks any other case, but here's the diff (for 
OpenBSD HEAD).

Comments?

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News
Index: pf_if.c
===
RCS file: /usr/store/mlaier/ocvs/src/sys/net/pf_if.c,v
retrieving revision 1.17
diff -u -r1.17 pf_if.c
--- pf_if.c	11 Jul 2004 15:22:22 -	1.17
+++ pf_if.c	7 Aug 2004 09:06:32 -
@@ -42,6 +42,7 @@
 
 #include net/if.h
 #include net/if_types.h
+#include net/route.h
 
 #include netinet/in.h
 #include netinet/in_var.h
@@ -407,6 +408,8 @@
 		af = ia-ifa_addr-sa_family;
 		if (af != AF_INET  af != AF_INET6)
 			continue;
+		if (!(ia-ifa_flags  IFA_ROUTE))
+			continue;
 		if ((flags  PFI_AFLAG_BROADCAST)  af == AF_INET6)
 			continue;
 		if ((flags  PFI_AFLAG_BROADCAST) 
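Review bot: the new `if (!(ia->ifa_flags & IFA_ROUTE)) continue;` skips every address that has no kernel-installed route, not only the stale ppp address the cover mail describes, and the mail itself says this is untested against other cases. Before this goes in, two cases are worth checking: secondary (alias) addresses that fall inside a prefix the kernel already routes, and AF_INET6 addresses, whose prefix routes are installed separately from the address; if either leaves IFA_ROUTE clear, those addresses silently drop out of the dynamic address list. A one-line comment above the check saying why unrouted addresses are excluded would also help the next reader, since the placement between the address-family test and the broadcast handling gives no hint.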


Re: pppoe and altq

2004-07-22 Thread Max Laier
On Thursday 22 July 2004 11:36, Carl Smith wrote:
> Is the following patch still useable for OpenBSD 3.5 or is it already
> integrated?

The latter. Committed by Henning in rev. 1.48 Thu Jun 12 10:49:17 2003.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News


Re: pf logo?

2004-07-08 Thread Max Laier
On Thursday 08 July 2004 21:33, Bryan Irvine wrote:
> Does pf have a logo?  I was just thinking it would be nice to have a
> "protected by" image.

There is:
http://www.benzedrine.cx/pf.png which is used on http://undeadly.org/ as well. 
Would make sense to go from there?

> Maybe just an image of puffy as pf is pronounced "puff" after
> all (well, if you stretch a bit). ;-)

... though I agree that Puffy is a hero and should not be forgotten about ;)

-- 
Best regards,   | [EMAIL PROTECTED]
Max Laier   | ICQ #67774661
http://pf4freebsd.love2party.net/   | [EMAIL PROTECTED]


Re: Example pf configs?

2003-12-30 Thread Max Laier
On Tuesday 30 December 2003 14:44, Oskar Eyb wrote:
> > Can anyone point me to some good examples?
>
> Try the nice PF user guide: http://openbsd.org/faq/pf/index.html

https://solarflux.org/pf/ - has a big (but undocumented) real-life example 
section.

-- 
Best regards,   | [EMAIL PROTECTED]
Max Laier   | ICQ #67774661
http://pf4freebsd.love2party.net/   | [EMAIL PROTECTED] #DragonFlyBSD



Re: Redirect problems with eMule ;)

2003-12-19 Thread Max Laier
On Friday 19 December 2003 11:58, Laurent Cheylus wrote:
> Hi,
>
> extract from my pf.conf to allow redirection and incoming connections from
> Emule clients to an internal LAN computer (192.169.0.100) :
>
> $EXT is my external interface (connected to my ISP) :
>
> # Redirect TCP/4662 and UDP/4672 for Emule on 192.168.0.100
> rdr on $EXT proto tcp from any to any port 4662 -> 192.168.0.100 port 4662
> rdr on $EXT proto udp from any to any port 4672 -> 192.168.0.100 port 4672
>
> # Allow ports UDP/4672, TCP/4662 for EDonkey
> pass in on $EXT inet proto tcp from any to 192.168.0.100 port = 4662 keep
> state
> pass in on $EXT inet proto udp from any to 192.168.0.100 port = 4672 keep
> state
>
> With this conf, I have Emule high ID on every server :-)
>
> A++ Foxy

As long as you don't have/want to block specific IPs from redirection you 
might just want to add pass to the rdr rules, like so:

rdr pass on $EXT proto tcp from any to any port 4662 -> $emule_ip port 4662
rdr pass on $EXT proto udp from any to any port 4672 -> $emule_ip port 4672

-- 
Best regards,   | [EMAIL PROTECTED]
Max Laier   | ICQ #67774661
http://pf4freebsd.love2party.net/   | [EMAIL PROTECTED] #DragonFlyBSD



Re: pfcap filtering based on pf-tagged?

2003-12-01 Thread Max Laier
Kifah Abbad writes:

> Hi all,
>
> is it possible to set a pcap_setfilter based on packets tagged by pf,
> or brconfig? (bridge).
I am afraid that this is not possible and not likely to become possible as 
the tags are stored in a very kernel-centric way (via mbuf tags) and thus 
can't easily cross the kernel-/userland wall. As tags are not part of the 
packet as such, but more like an (in-kernel) label, they won't make it to 
bpf, I think.


Best regards,
Max mailto:[EMAIL PROTECTED]


Re: feature in the parser?

2003-11-15 Thread Max Laier
Saturday, November 15, 2003, 2:33:51 PM, you wrote:

AES> # cat ./test
AES> pass proto tcp from any to any port 111 # correct
AES> pass proto tcp from any to any port = 111   # correct
AES> pass proto tcp from any to any port {111,222}   # correct
AES> pass proto tcp from any to any port = {111,222} # incorrect
AES> # pfctl -nf ./test
AES> ./test:4: syntax error
AES> #

AES> is it normal (3.4-stable from 20031113)?

Quite clear from the BNF:
port   = "port" ( unary-op | binary-op | "{" op-list "}" )

What would you - for example - expect port  {111, 222} to do?
If there is a symbol that can be put between port and { it's
element-of/not-element-of, but that's not something you'd like to
type, would you?

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re: FAQ ? PF bandwidth shaping in community wireless

2003-11-10 Thread Max Laier
Monday, November 10, 2003, 3:54:11 PM, you wrote:
PG> To fund some of this, we need to combine home workers (pay more, use
PG> daytime) with domestic users (variable b/w, lower service price).

PG> I looked at google, and apart from the usual "you can do this" statements, I
PG> found little in the way of exposition and real commentary. Nothing appears
PG> impossible with current tools, but if anyone has shoulders I can stand on,
PG> it would be appreciated.

I am sure that you can find admins and technicians in your area, who
can help you with this - fair payment provided! From me another "you
can do this" - for free.

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re: just another confused poor soul (yet)

2003-11-09 Thread Max Laier
Sunday, November 9, 2003, 3:59:35 PM, you wrote:
fh> i am trying configure a LAN for web surfing only thru squid.
fh> the LAN is a school, i dont want kids going to phony pages.
fh> right now i have some regexp files for squid to filter urls.
fh> this is not a transparent proxy, just a plain squid proxy.
fh> i was thinking that i simply block everything except 3128
fh> and ssh.  is this reasonable?

As long as you don't need DNS resolves for your ssh, that's fine.

fh> +---+  +--+   +--+
fh> LAN--ne1|openbsd|rl0---|linux1|---|linux2|---internet
fh> +---+  +--+   +--+

fh> here is a ruleset i came up with after reading pf.conf and a
fh> couple of hours of trial and error.  it seems to work fine, except that
fh> i cant ssh now outside.  i read my mail on linux2 and have a couple of
fh> shell accounts elsewhere...  linux1 is doing nat, so it is enough for me
fh> to get to linux1.

As rl0 is 192.168.0.3, I assume that linux1 knows only how to route to
192.168.0.0/24 but not to 192.168.3.0/24 (which is required to route
the packets back to your LAN). Add rl0 as next-hop from linux1 and you
should be fine (if you don't need DNS for your ssh). If you want to
ssh to the internet, you'll need some more work on the linux box (or
let openbsd do the NAT already).

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re[2]: just another confused poor soul (yet)

2003-11-09 Thread Max Laier
Sunday, November 9, 2003, 5:46:14 PM, Fred Edwards wrote:
FE> I wondered about routing also, but since he said that web worked but ssh didn't, I wrote that
FE> off.  Did I miss something?

Yes, the web request comes from the squid on the OpenBSD box thus
originating from an IP linux1 has a backroute to.

Sunday, November 9, 2003, 5:39:02 PM, Fred Edwards wrote:
FE> What happens if you write your ssh line as:

FE> pass in quick on $int_if proto tcp from $int_net to any port ssh keep state

He can ssh to the OpenBSD box (period), which isn't exactly what he
asked for.

FE> Why not do a transparent proxy on ports 80, 443, 3128 by
FE> doing a redirect to the squid proxy?
FE> That would mean a misconfigured box would still get out on port 80 and not generate a
FE> trouble call.

That's an option.

Sunday, November 9, 2003, 5:42:57 PM, Franciszek Holop wrote:
FH> on the lan, i always use my notebook which has a fixed ip,
FH> i figured i could add this line before the rules,
FH>
FH> nat on $ext_if from $my_ip to any -> ($ext_if)
FH>
FH> and ssh just works fine...
FH> i just didnt want the other machines to nat outside.
FH>
FH> how could i harden this rule?  i mean because i am not
FH> always here, (it is very improbable, but) if somebody figured
FH> out my ip, and set one of the lab machines to it, they could
FH> circumvent the firewall.  i am the only one who uses openbsd,
FH> is it possible to apply the `os' keyword to nat lines?
FH> practically the firewall saying: if you are an openbsd machine
FH> i will nat you.  or even better, if you are going outside just
FH> for ssh, i will nat you

Well, that's the other alternative to adding a route on linux1. For
the other thing, note that even natted packets are still evaluated
by your filter rules, where you can decide what kind of (natted)
traffic you want to allow out. If you are very worried about it take a
look at authpf.

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re[2]: source routing

2003-10-23 Thread Max Laier
> It is not clear what you really want to accomplish, but I think you
> want rdr and not route-to.

True as ipfw's fwd does more than route-to. Quoting ipfw(8):
If ipaddr is a local address, then matching packets will be for-
warded to port (or the port number in the packet if one is not
specified in the rule) on the local machine.

To do this with pf, you must use rdr.

> aside from that I don't know the status of route-to and friends in the
> freebsd port, but Max surely does ;-)

Quite well and working (at least in my tests). Might suffer _a bit_ in
performance, due to needed locking, compared to OpenBSD.

HB> On Wed, Oct 22, 2003 at 07:56:14PM +0200, Mark Bojara wrote:
> Hello All,
>
> I bet this subject has come up a couple of times. But searching through
> the previous threads i could not find a working solution for me.
>
> I recently compiled pf/altq in FreeBSD 5.1 to see how it runs. I am trying
> to set up so that all traffic coming from 192.168.0.2 is routed to
> 192.168.0.1.
>
> My default route points to tun0 and 192.168.0.0/30 sits on tun1.
>
> in FreeBSD's ipfw i do:
> ipfw add fwd 192.168.0.1 ip from 192.168.0.0/30 to any via tun0 (this works fine)
>
> in PF i do:
> pass out quick on tun0 route-to (tun1 192.168.0.1) from 192.168.0.0/30 to any
>
> This does not work.. I really dislike ipfw and would like to get the whole
> system working on PF.
>
> Thanks a lot
> Mark Bojara
>

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re[2]: RFC#12 - PF version

2003-10-20 Thread Max Laier
Monday, October 20, 2003, 7:44:52 PM, Henning Brauer wrote:
> Request to introduce a public revision number to PF and pfctl.
HB> no.

HB> I had code doing this, and even pfctl erroring out with a nice message
HB> if kernel and userland are out of sync, but theo refused it.

That's strange. Why? I mean: that is vital information about one's own
system. It would save a lot of time for threads like "*whine* syntax
error *whine*" when the problem is a version mismatch. Additionally
it's a security improvement when I can step up to an old box, check the
versions and update _if_ required! Can you please tell me: what is the
point in _not_ providing such information?!

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re[2]: PF and Snort Working together

2003-10-13 Thread Max Laier

edo> (...) it seems if I create a rule to let a specific packet through
edo> the firewall then snort sees it; if I block it, then it never gets
edo> logged by snort. So I am totally confused and pulling out my hair.
edo> I have posted my snort configs to the snort list and no one sees
edo> anything wrong with it.

Are you sure that you snort on the right (=correct) side of your
firewall, i.e. does the traffic you block arrive at the interface you
are snorting on? On a plain two-legged router you can snort on if0 all
traffic that comes from the network connected to if0, and on if1 you can
snort all traffic that comes from the network that is connected to if1!

If you have your LAN on if0 and the internet on if1 you can see all
traffic originating *from* the internet on if1 (regardless of your pf
rules) and all traffic *from* the LAN on if0. Obviously a packet from
your LAN blocked by pf won't show up on if1!!! (and the other way round)

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re[2]: deep packet inspection

2003-10-02 Thread Max Laier
> > What are possible ways of implementing payload inspection in
> > kernel? ...

> And what's the point of writing that e-mail if you don't
> describe your atypical way?

What's the point in writing follow-ups to this really OT thread at all?
And my piece for the atypical way: take a look at Net-/FreeBSD's
PFIL_HOOKS; that's a _generic_ way to implement in-kernel mbuf inspection
of any kind. No need for any other hacks!

-- 
Best regards,
 Maxmailto:[EMAIL PROTECTED]



Re: expanding anchor rules

2003-09-01 Thread Max Laier
I like the idea (as I suggested that before:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=105215655418099&w=2). Somehow
Henning didn't like the idea back then, and as I got my rules working w/o I
did not implement it.
Vincent's patch might need some minor improvements and changes, but the idea
is right IMO. We should keep in mind that firewall admins are not always
programmers and will appreciate such helpers. Unless you tell me an *easy*
way to get a *full* dump of all rules in place at any given time, that is
*readable*, I'd like to have something like Vincent's patch in pfctl.

Remember the pain when all of a sudden all webserver traffic is blocked and
you find that it was some rule inside of an authpf anchor that caused the
headache ... sure I hear you screaming that that's a beginner's fault, but
everybody starts as a beginner and we should help them to get on the train
and not tell them to bugger off and learn to write C before *using* a
firewall, IMO.

Max

> Hi all,
>
> I started to use OpenBSD and PF a few weeks ago, and I must say I'm
> really satisfied with this. The anchor system is definitely a nice
> feature!
> However, in the beginning, I've had some hard time debugging my fw
> rules, when anchors were involved. So I've tried to add an anchor
> expansion option to pfctl, to help in such situations.
> As I've seen some people had talked about such an expansion in a
> previous thread, I've decided to share my few code lines with the
> list...
> To face the "pfctl output should be a valid pfctl input" issue, I've
> added a # at the beginning of every expanded line (i.e. for every rule
> related to an anchor). However, I still wonder if it is a good idea to use
> a printf for it, or if these rules should be shown using fprintf on
> stderr... Any idea about this ?
>
> Here is a (dumb) sample of a modified pfctl output :
> 1) without expansion
> # pfctl -sr
> block drop in all
> block drop out all
> anchor test all
> pass in on rl0 all
>
> # pfctl -sn
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
>
> 2) with expansion
> # pfctl -sr -E
> block drop in all
> block drop out all
> anchor test all
> # pass in on rl1 inet proto tcp from any to any port = ssh
> pass in on rl0 all
>
> # pfctl -sn -E
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
> # nat on rl0 inet proto tcp from 172.16.1.2 to any port = www -> 192.168.1.1
> # rdr on rl1 inet proto tcp from any to 192.168.1.1 port = www -> 172.16.1.1 port 8080
>
> The patch was done using pfctl code from OpenBSD 3.3.
> Every comment or suggestion about it is welcome !
>
> -- 
> Vincent - [EMAIL PROTECTED]




Re: Speed issues with bridge firewall

2003-09-01 Thread Max Laier
> On Monday 01 September 2003 19:20, Mathew Binkley wrote:
> > So our bridging firewall achieves ~84% of full line speed.  However,
> > during testing the firewall had a load level of 4.3.  There doesn't
> > appear to be any packet loss, but I'm not sure if it is affecting
> > latency or not.  Does anyone know a good way of testing that?  The
> > firewall console is completely frozen when it's under that stress.
>
> ...too many interrupts...
>
>
> > Does OpenBSD 3.3 not support zero-copy?  Or is there something trivial
> > I'm missing here?  I wouldn't have expected bridging to put that kind
> > of load on the CPU.
>
> Device Polling is the answer...
>
> tedu@ said he was working on it.
>
> I hope someone will find time to port FreeBSD code.
> Here you can find an explanation with code.


Maybe you give pf on FreeBSD a try: http://pf4freebsd.love2party.net/ - this
will give you said device polling and allows you to use the second
processor. Once the netlocking is done, you will maybe even see a further
speedup. On the other hand, bridging on FreeBSD with pf filtering is not
working properly without a patch. We hope that 5.2R will have solutions for
that.

Max




Happy Birthday

2003-06-24 Thread Max Laier
From:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c
Revision 1.1 / (download) - annotate - [select for diffs] , Sun Jun 24
19:48:58 2001 UTC (23 months, 4 weeks ago) by kjell

2 years! All the best for the future!



Re: pfioc_table.pfrio_esize?

2003-05-31 Thread Max Laier
New since pfvar.h 1.140:
 Update the pfioc_table IOCTL structure.
 Prepare for anchors, improve robustness.
 WARNING: need to sync kernel/userland.
 ok dhartmei@
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h.diff?r1=1.140&r2=1.141&f=h

Max



Re: portable pf

2003-05-27 Thread Max Laier

From: Paul B. Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 9:05 PM
Subject: portable pf

 Is there any widespread interest in developing a portable version of pf,
 similar to portable ssh? I know some efforts have been made to port it to
 other BSD variants, but I would be very interested in a Solaris port. I've
 used ipf under Solaris for a long time, however pf has long since overtaken
 it in feature set and reliability. I have ongoing issues with system
 crashes under Solaris when a lot of state is maintained.

While working on Pyun's FreeBSD-port I did think about such a project as
well and (memory allocation provided [pool(9)/zone(9) or alike]) it should
not be too hard to get it working on other platforms (with ipf/pfil_hooks).
I started to clean up our FreeBSD port in order to make it easier to keep
up with the development in OpenBSD-Current and will keep an eye on the
possibility to include other porting efforts as well. If you are working on
something, please contact me.

I didn't find time to look at the NetBSD port yet, but I will try to.

Max



Re: binding to if or IP ?

2003-05-07 Thread Max Laier

From: Uwe Dippel [EMAIL PROTECTED]
Sent: Wednesday, May 07, 2003 3:44 PM
 Maybe this has been discussed earlier .. ?
 Very new to pf I have that feeling that all those rulesets with
 bindings to the interface to me seem less optimal than binding to an
 IP-address.
 Before I start writing my own stuff to parse the IP to pf instead of
 the interface: What is the opinion of the people on this list?

pf filters on the IP layer, hence there is no binding to if. What you seem
to confuse is (updated) expanding of interface to its bound ip/ip6
addresses. It makes little difference if you have a static IP bound to your
interface as pfctl will replace the ifname with the bound ip-address(es) when
loading the ruleset. However, if you write your static IP to your pf.conf
you'll have to update one more file when changing your IP on one interface
(so it's not a good idea IMO).
If you have an interface with a dynamic ip (say ppp-dul) you'll want to use
the (ifname) feature (hook_establish()) which updates your ruleset
whenever a new ip is assigned to the interface. Note that you'll have to
specify the af in that case (to enable pf to choose the right address).

I think it's better to use the interface name (with proper af spec) in your
ruleset. I can't think of a case where I'd use the ip of a local interface.
If you are uncertain what pfctl will make of your ruleset use pfctl -nvf
yourrules.conf which will display the fully expanded ruleset with all
ifname-conversions.

Max



Re: grouped tcp flags

2003-04-01 Thread Max Laier

 If you don't want port XYZ being reached. Block it. Completely. No
 matter what fuxxored flag ever is set. Period.

 //pb


Agreed, but a quick block on some of the common nmap flags on the very top
of your ruleset can save you some time (right?) Esp. when somebody went mad,
has a big pipe and found out about insane-nmap timing.

max



Re: grouped tcp flags

2003-04-01 Thread Max Laier
  Agreed, but a quick block on some of the common nmap flags on the very top
  of your ruleset can save you some time (right?) Esp. when somebody went mad,
  has a big pipe and found out about insane-nmap timing.

 *sigh*

 And all other tcp packets (which are most likely to happen more often)
 evaluate through all that shit every time? Great gain after all, eh?


I didn't test/benchmark/analyse it ... did you? It's just a bitmask
after all.

max
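An added example for both "grouped tcp flags" posts above, written here and not code from this thread or from pf itself: the mask-and-compare that a pf `flags a/b` check boils down to, plus a small parser for the spec string so sample flag combinations can be tried against a rule. The `flagspec` struct and the helper names are my own; the `a/b` semantics ("of the flags in b, exactly those in a must be set") follow pf.conf(5).

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* TCP flag bits, same values as in <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

/* A "flags a/b" spec (my own struct): of the bits in flagset (b), exactly those in flags (a) must be set. */
struct flagspec { uint8_t flags; uint8_t flagset; };

static int flag_bit(char c)
{
    switch (c) {
    case 'F': return TH_FIN;  case 'S': return TH_SYN;  case 'R': return TH_RST;
    case 'P': return TH_PUSH; case 'A': return TH_ACK;  case 'U': return TH_URG;
    default:  return -1;
    }
}

/* Parse "a/b" into a flagspec; rejects unknown letters and an "a" that is not a subset of "b". */
static bool parse_flagspec(const char *spec, struct flagspec *out)
{
    const char *slash = strchr(spec, '/');
    uint8_t a = 0, b = 0;
    if (slash == NULL) return false;
    for (const char *p = spec; p < slash; p++) { int bit = flag_bit(*p); if (bit < 0) return false; a |= bit; }
    for (const char *p = slash + 1; *p != '\0'; p++) { int bit = flag_bit(*p); if (bit < 0) return false; b |= bit; }
    if (a & ~b) return false;
    out->flags = a; out->flagset = b;
    return true;
}

/* The whole per-packet flag check is one mask-and-compare, which is the "just a bitmask" point above. */
static bool flags_match(uint8_t th_flags, struct flagspec s)
{
    return (th_flags & s.flagset) == s.flags;
}

/* Convenience wrapper: does a header carrying th_flags match the textual spec? */
static bool match_spec(uint8_t th_flags, const char *spec)
{
    struct flagspec s;
    return parse_flagspec(spec, &s) && flags_match(th_flags, s);
}
```

With this, `S/SA` accepts a bare SYN (extra PUSH/URG bits are outside the mask and ignored) but rejects SYN+ACK, while a spec such as `SF/SF` singles out the SYN+FIN combination that a normal handshake never produces.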