urpf-failed vs. multiple routing tables?
Hi,

wouldn't it make sense to add an rtableid to urpf-failed? It seems decreasingly useful without such an option - or am I missing something?

-- 
/\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                         | ICQ #67774661
 X   http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign             | Against HTML Mail and News
Re: Making 'loops' in pf.conf
On Wed, 10.01.2007, 14:18, Johan Segernäs wrote:
> I have several networks in different IP nets and different incoming interfaces. I would like to make this a loop or something instead of, as it is now, different blocks.
>
> Today it looks like (very stripped down)
>
> pass in on $FOO_NET inet from $FOO_IPS to any keep state
> pass in on $BAR_NET inet from $BAR_IPS to any keep state
>
> Instead I would like to do it like
>
> for i in FOO BAR; do
>     pass in on ${i}_NET inet from ${i}_IPS to any keep state
> done
>
> Or something. Is this possible within pf.conf or would I have to make a shell loop creating this little extra pf config file and include it in pf.conf?

pfctl -f- is your friend. There are a million tools out there that are simply made to do stuff like this, just feed the output to pfctl.

Also take a look at: http://blog.xbsd.org/2006/11/04/freebsdpf-include-command-hack/

-- 
Max Laier
Re: stateful matching vs. local inet6
On Friday 04 August 2006 13:13, Fabian Keil wrote:
> Max Laier [EMAIL PROTECTED] wrote:
>> On a box running sshd (or something listening on an inet6 tcp port) load the following ruleset:
>>
>> pass quick on lo0 all
>> pass quick on bge0 inet all
>> block drop log all
>> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
>>     flags S/SA keep state
>>
>> where bge0 is a real interface and 3000::1 is configured on that interface. Then try telnet 3000::1 22 and see if it works and provide me with a tcpdump from pflog0 during the connection attempt - whether it works or not.
>
> On OpenBSD 3.9 with GENERIC kernel and the following ruleset:
>
> pass log quick on lo0 all
> pass quick on ne3 inet all
> block drop log all
> pass in log (all) on ne3 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state
>
> [added log in the first line and changed log-all to log (all) in the last one]
>
> telnet works and the log shows:
>
> Aug 04 13:07:08.201358 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.201772 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.204606 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.205024 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.205758 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.205867 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:08.954137 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:08.954581 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:09.150295 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:09.150509 rule 0/(match) pass in on lo0: [|ip6]
> Aug 04 13:07:37.841839 rule 0/(match) pass out on lo0: [|ip6]
> Aug 04 13:07:37.842188 rule 0/(match) pass in on lo0: [|ip6]
> [...]
>
> Is that enough information, or do you need the actual binary file?

No, that's fine. Thanks a lot.

-- 
Max Laier
stateful matching vs. local inet6
Hi,

can somebody try the following on a recent OpenBSD box? I'm in the middle of reshuffling my hardware (for a couple of months now *sigh*) and don't have a test setup handy. Thanks.

On a box running sshd (or something listening on an inet6 tcp port) load the following ruleset:

pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
    flags S/SA keep state

where bge0 is a real interface and 3000::1 is configured on that interface. Then try telnet 3000::1 22 and see if it works and provide me with a tcpdump from pflog0 during the connection attempt - whether it works or not.

Thanks - much appreciated.

-- 
Max Laier
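The two messages above ask for a pflog0 capture to see which rule handled the test connection. The following is an added example, not part of the list posts: a small sh/awk summariser for pflog lines in the format quoted in the thread, grouping entries by rule number, action, direction and interface. The log lines in SAMPLE_PFLOG are constructed for the example (rule numbers 2 and 3 and the bge0 entries are invented to show a mixed result).

```shell
#!/bin/sh
# Added example, not from the list posts: summarise pflog output of the kind
# quoted in this thread ("tcpdump -n -e -ttt -i pflog0" style lines) so you
# can see, per rule, action, direction and interface, what pf did with a
# test connection.  The log lines below are constructed for the example;
# they mirror the format shown in the thread.

SAMPLE_PFLOG='Aug 04 13:07:08.201358 rule 0/(match) pass out on lo0: [|ip6]
Aug 04 13:07:08.201772 rule 0/(match) pass in on lo0: [|ip6]
Aug 04 13:07:09.150295 rule 3/(match) pass in on bge0: [|ip6]
Aug 04 13:07:09.150509 rule 2/(match) block in on bge0: [|ip6]
Aug 04 13:07:37.841839 rule 0/(match) pass out on lo0: [|ip6]'

# Read pflog lines on stdin and print one line per distinct
# "rule action direction interface" combination, followed by its count.
# Fields: $4 = "rule", $5 = "N/(match)", $6 = action, $7 = in|out, $9 = "iface:".
pflog_summary() {
    awk '
        $4 == "rule" {
            split($5, r, "/")            # "0/(match)" -> r[1] = "0"
            iface = $9
            sub(/:$/, "", iface)         # strip the trailing colon
            key = r[1] " " $6 " " $7 " " iface
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# How many entries in the sample log were produced by rule number $1 with
# action $2, e.g. "pflog_count 0 pass"?
pflog_count() {
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary |
        awk -v r="$1" -v a="$2" '$1 == r && $2 == a { n += $NF } END { print n + 0 }'
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

On a pf box, source the file and pipe real output through it: `tcpdump -n -e -ttt -i pflog0 | pflog_summary`. In the thread's case every entry came from rule 0 on lo0, which is what told the reader the inet6 rule on the real interface never saw the connection.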
Re: macros and anchors
On Saturday 29 January 2005 12:52, Peter Huncar wrote:
> Hi
>
> Is there any way to manage macros across rulesets? Because if you use the same macros in the main ruleset and in some rulesets which will be loaded into anchor points, you have to change multiple files. And if you want to change any macro used, you have to change it in every ruleset where the macro is used.

$ cat /etc/pf.macros rules.conf | pfctl -f-

Also pfctl(8)'s -D switch is helpful in some cases. :)

> I spent an hour searching why my rule isn't working :) .
> Thank you a lot. Great job you're doing.
>
> Hunci

-- 
Max Laier
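Both the "loops in pf.conf" thread and the macro thread above come down to the same trick: build the ruleset text outside pf and feed it to `pfctl -f -` on stdin. The following is an added example, not code from the list or from pf itself: a POSIX sh script that concatenates a shared macro set with rules generated in a loop. Interface names, network macros and addresses are constructed; `pf_load` only calls pfctl when it is present and uses `-n` (parse only) so nothing is loaded by accident.

```shell
#!/bin/sh
# Added example, not from the list posts: assemble one pf ruleset from a
# shared macro set plus rules generated in a loop, and feed the result to pf
# on stdin ("pfctl -f -") as suggested in the threads above.  Macro names,
# interface names and addresses are constructed for the example.

# Shared macros, kept in one place so the main ruleset and every anchor
# ruleset see identical definitions.  Network macros are double-quoted so
# they can be nested inside another macro (see "nets" below).
pf_macros() {
    cat <<'EOF'
ext_if  = "em0"
foo_net = "10.1.0.0/24"
bar_net = "10.2.0.0/24"
nets    = "{ $foo_net $bar_net }"
EOF
}

# Emit one "pass in" rule per NAME:IFACE:SOURCE triple, replacing the
# hand-copied per-network blocks from the original question.
pf_network_rules() {
    for spec in "$@"; do
        name=${spec%%:*}
        rest=${spec#*:}
        iface=${rest%%:*}
        src=${rest#*:}
        printf 'pass in on %s inet from %s to any keep state   # %s\n' "$iface" "$src" "$name"
    done
}

# The complete generated ruleset: macros first, then the loop output,
# then one rule that uses the nested "nets" macro.
pf_ruleset() {
    pf_macros
    pf_network_rules 'FOO:em1:$foo_net' 'BAR:em2:$bar_net'
    printf 'pass out on $ext_if inet from $nets to any keep state\n'
}

# Number of filter rules in the generated ruleset.
pf_rule_count() {
    pf_ruleset | grep -c '^pass '
}

# Parse-check (-n) the generated ruleset when pfctl is available; drop -n to
# actually load it.  Without pfctl (e.g. on a non-BSD box) just print it.
pf_load() {
    if command -v pfctl >/dev/null 2>&1; then
        pf_ruleset | pfctl -n -f -
    else
        pf_ruleset
    fi
}
```

Keeping the macro file separate means an anchor ruleset can be checked the same way (`cat macros anchor.conf | pfctl -n -a someanchor -f -`); the `-D` switch mentioned above is the alternative when only one or two macros differ between invocations.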
Re: Strange behaviour with PF on FreeBSD 5.3-STABLE
On Friday 26 November 2004 14:58, Jonathan Weiss wrote:
> Hi folks,
>
> Since yesterday my PF firewall acts strange. I have not touched the ruleset and tried a new one only with pass-rules, but the problem is still there. I cannot go through the tunnel interface tun0 of ppp (I use DSL here in Germany). Even a pass on tun0 will not change anything.
>
> # pfctl -s rules
> block return log-all all
> pass on tun0 all
> pass on ed0 all
> pass on vr0 all
>
> vr0 is the internal interface and ed0 the external. I am connected through ppp with my ISP. Within the internal network over vr0 (192.168.0.0/24) I can connect to a ssh-server on 192.168.0.196 for example, but ssh (or telnet or whatever) will not work to an external ip. If I drop the block rule and reload the ruleset, it works! I can connect to an external ssh-server.
>
> Does anybody have an idea?

You are supposed to have a NAT rule somewhere. Please let us know the complete ruleset (including translation rules) and include match counters so that people can figure out if a certain rule is matched at all (pfctl -vv -sn -sr). Make sure that the NAT rule has dynamic address tracking (as I think you get a dynamic IP from your ISP). The rule should look something like:

nat on tun0 from $internalnet to any -> (tun0)

Also note that we have a pf related mailinglist on FreeBSD, called [EMAIL PROTECTED]. You might want to subscribe and take the discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf

-- 
Max Laier
Re: Strange behaviour with PF on FreeBSD 5.3-STABLE
On Friday 26 November 2004 19:05, Jonathan Weiss wrote:
> Hi Max,
>
>> You are supposed to have a NAT rule somewhere. Please let us know the complete ruleset (including translation rules) and include match counters so that people can figure out if a certain rule is matched at all (pfctl -vv -sn -sr).
>
> This was my complete ruleset, as I switched from my default ruleset in order to debug the problem.
>
> ext_if=ed0
> int_if=vr0
> tun_if=tun0
> internal_net=192.168.0.0/24
>
> set loginterface $tun_if
>
> #nat on $tun_if from $internal_net to any -> ($tun_if)
>
> #default block
> block return log-all
>
> pass on $tun_if
> pass on $ext_if
> pass on $int_if
>
> --
>
> pfctl -vv -sn -sr
> @0 block return log-all all
>   [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0 ]
> @1 pass on tun0 all
>   [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0 ]

Hmmm ... tun0 is never matched against. Can I have a look at "$ ifconfig" and "$ pfctl -vvsI"? Also try to watch pflog ("$ ifconfig pflog0 up && tcpdump -vvvnei pflog0"). What does it say?

> @2 pass on ed0 all
>   [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0 ]
> @3 pass on vr0 all
>   [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0 ]
>
>> Make sure that the NAT rule has dynamic address tracking (as I think you get a dynamic IP from your ISP). The rule should look something like:
>>
>> nat on tun0 from $internalnet to any -> (tun0)
>
> I use the NAT from ppp, but I think that this is not related, as the problem occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE of yesterday). The firewall itself (and everything behind it) cannot connect over ppp to external servers when the default block rule is activated.

Hmmm - strange. Might be related to the pf_if.c changes. What version are you running? RELENG_5? RELENG_5_3? HEAD? Did you (src-)update your kernel before the symptoms occurred? pf_if.c: 1.5.2.2 (RELENG_5) or 1.7 (HEAD)?

> When I deactivate the rule, everything runs smoothly.
>
>> Also note that we have a pf related mailinglist on FreeBSD, called [EMAIL PROTECTED]. You might want to subscribe and take the discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>
> Thanks, I will subscribe. Should we move this discussion to the freebsd-centric mailinglist?

I just did.

-- 
Max Laier
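The diagnosis in this exchange comes straight from the `pfctl -vv -sr` counters: a rule with `Packets: 0` after thousands of evaluations was never matched. The following is an added example, not from the list posts: an sh/awk filter that reads that output and prints exactly those rules. The SAMPLE_PFCTL text is constructed for the example from the format quoted above; the bracketed counter lines follow pfctl's layout.

```shell
#!/bin/sh
# Added example, not from the list posts: read "pfctl -vv -sr" output of the
# kind quoted above and list the rules whose Packets counter is still zero,
# i.e. rules that were evaluated but never matched a packet (this is how the
# "tun0 is never matched against" observation falls out of the counters).
# The sample below is constructed for the example.

SAMPLE_PFCTL='@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0     ]'

# Read pfctl -vv -sr output on stdin; print every rule line ("@N ...") whose
# following counter line shows "Packets: 0".
unmatched_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }           # remember the rule text
        /Evaluations:/ && rule != "" {
            pkts = -1                             # -1: counter not found
            for (i = 1; i < NF; i++)
                if ($i == "Packets:") pkts = $(i + 1) + 0
            if (pkts == 0) print rule
            rule = ""
        }
    '
}

# Same check on the constructed sample; prints the number of unmatched rules.
unmatched_rule_count() {
    printf '%s\n' "$SAMPLE_PFCTL" | unmatched_rules | wc -l | tr -d ' '
}

# Stand-alone run: list the never-matched rules in the sample.
printf '%s\n' "$SAMPLE_PFCTL" | unmatched_rules
```

On the firewall itself, after sourcing the file, `pfctl -vv -sr | unmatched_rules` gives the list directly; for the ruleset in the thread it would print the tun0 and ed0 rules, which is the hint that packets never reached pf on those interfaces.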
Re: new ftp proxy: pftpx
On Wednesday 24 November 2004 21:32, Camiel Dobbelaar wrote:
> On Thu, 25 Nov 2004, Marcos Biscaysaqu - ThePacific.net wrote:
>> Do you know if it works on freebsd?
>
> Not sure. The two most important parts are:
>
> - recursive anchors (appeared in OpenBSD 3.6). Maybe Max knows when those went into FreeBSD?

They will not come to the 5-STABLE branch, as we don't do user visible changes in the STABLE branch. So it will not be until 6-STABLE before we have recursive anchors in a FreeBSD Release. Do you really *need* recursive anchors? I'd guess one could work around this requirement.

> - libevent 0.8 (from ports/devel/libevent)
>
> Anything else that crops up should be easily fixable.

-- 
Max Laier
Re: ftp throu transparent filtering bridge
On Tuesday 23 November 2004 12:50, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
>> On Tue, 23 Nov 2004, Roman Marcinek wrote:
>>> Are there any smarter solutions I haven't found yet? I know that linux's iptables make use of a special connection tracking module for ftp to handle that problem but ... is there anything like this for OpenBSD?
>>
>> Ok, let me plug my own program again: http://www.sentia.org/ftpsesame
>
> Duh, at least get the link right: http://www.sentia.org/projects/ftpsesame

Heh, happens to the best. Any chance to see this as a FreeBSD port? Sounds interesting.

-- 
Max Laier
Re: pfctl and macro expansion
On Friday 08 October 2004 15:43, Ben wrote:
> On Fri, Oct 08, 2004 at 08:53:11AM -0400, Jason Opperisano wrote:
>>> It'd be really useful if I could expand macros with subnets in, save duplicating IP blocks all over the ruleset. Is this a bug with me or pfctl?
>>
>> this has been covered in the archives several times. you need extra quotes, as in:
>
> Ah, fantastic, thanks. I had a look around tut website and manpages, perhaps adding this to the FAQ or manpage would stop people like me in future.

How about this diff?

-- 
Max Laier

Index: pf.conf.5 === RCS file: /usr/store/mlaier/ocvs/src/share/man/man5/pf.conf.5,v retrieving revision 1.301 diff -u -r1.301 pf.conf.5 --- pf.conf.5 21 Sep 2004 16:59:11 - 1.301 +++ pf.conf.5 8 Oct 2004 16:19:04 - @@ -100,6 +100,18 @@ pass out on $ext_if from any to any keep state pass in on $ext_if proto tcp from any to any port 25 keep state .Ed +.Pp +Note that there is a parser problem with recursive macros and netmask +specifications. +In order to use network specifying macros recursively you must double quote +them. +.Pp +For example, +.Bd -literal -offset indent +net1 = \\'10/8\'\ +net2 = \\'192.168.0/24\'\ +nets = \{\ $net1 $net2 \}\ +.Ed .Sh TABLES Tables are named structures which can hold a collection of addresses and networks.
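Review bot: the prose added to pf.conf.5 says network macros "must double quote" their value, but the literal example in the same hunk (`net1 = \\'10/8\'\`, `net2 = \\'192.168.0/24\'\`, `nets = \{\ $net1 $net2 \}\`) shows single quotes wrapped in backslash escapes, so the example does not demonstrate what the sentence prescribes and a reader copying it will get the escapes verbatim. Suggest writing the example with plain double quotes, e.g. `net1 = "10/8"`, `net2 = "192.168.0/24"`, `nets = "{ $net1 $net2 }"`, using the same quote handling the other `.Bd -literal` blocks in this file already use, and hyphenating "network-specifying macros" in the sentence above it.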
Re: CIDR notation - block spam 220.87.30.0/24
On Wednesday 06 October 2004 18:39, i.t Consulting wrote:
> hallo,
>
> maybe I've a misunderstanding of the notation 220.87.30.0/24 for pf.conf
>
> Being not a fan of spamd I'll try to save bandwidth blocking spam - access to port 25 - with pf and read a table with some blocks, e.g.
>
> # out of koreanet
> 220.87.30.0/24
> # India's Premier Broadband and IPTV services
> 203.115.64.0/24
>
> or asiapac1 210.0.0.0/8
>
> the postfix mailserver tells me today:
>
> Oct 6 18:06:16 yak postfix/smtpd[27628]: NOQUEUE: reject: RCPT from unknown[220.87.30.15]: 450 Client host rejected: cannot find your hostname, [220.87.30.15]; from= to=[EMAIL PROTECTED] proto=SMTP helo=HGK
>
> do I have to go back to the cidr-basics ?

Going back to valuable problem-report basics might be a good idea ...

-- 
Max Laier
Should dynamic addresses include non-routeables?
Hi,

http://www.freebsd.org/cgi/query-pr.cgi?pr=misc/69954 made me aware of a problem in the handling of dynamic addresses: Right now it uses all addresses (or the first for :0) in the interface address list. As the PR shows this is not always appropriate. In this special case ppp does not remove the address used during IPCP negotiation from the list, but only removes the routing for it. A simple check for IFA_ROUTE (== RTF_UP) presence does fix it. I am unsure, however, if this breaks any other case, but here's the diff (for OpenBSD HEAD). Comments?

-- 
Max Laier

Index: pf_if.c === RCS file: /usr/store/mlaier/ocvs/src/sys/net/pf_if.c,v retrieving revision 1.17 diff -u -r1.17 pf_if.c --- pf_if.c 11 Jul 2004 15:22:22 - 1.17 +++ pf_if.c 7 Aug 2004 09:06:32 - @@ -42,6 +42,7 @@ #include net/if.h #include net/if_types.h +#include net/route.h #include netinet/in.h #include netinet/in_var.h @@ -407,6 +408,8 @@ af = ia-ifa_addr-sa_family; if (af != AF_INET af != AF_INET6) continue; + if (!(ia-ifa_flags IFA_ROUTE)) + continue; if ((flags PFI_AFLAG_BROADCAST) af == AF_INET6) continue; if ((flags PFI_AFLAG_BROADCAST)
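Review bot: the added `IFA_ROUTE` test in the second hunk silently drops every interface address that has no kernel-installed route, and the cover note itself says it is unsure whether that breaks other cases; the new `continue` deserves a one-line comment stating the intent (skip addresses whose route ppp has already torn down) so the next reader does not take it for a generic sanity check. Because the test sits right after the `af != AF_INET && af != AF_INET6` filter and before the `PFI_AFLAG_BROADCAST` branches, it applies to AF_INET6 addresses as well, so confirm that IFA_ROUTE is set for inet6 addresses the same way as for inet ones, and check an alias whose route was added by hand rather than by the kernel; if either case lacks the flag, those addresses vanish from the dynamic address list without any diagnostic.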
Re: pppoe and altq
On Thursday 22 July 2004 11:36, Carl Smith wrote:
> Is the following patch still usable for OpenBSD 3.5 or is it already integrated?

The latter. Committed by Henning in rev. 1.48 Thu Jun 12 10:49:17 2003.

-- 
Max Laier
Re: pf logo?
On Thursday 08 July 2004 21:33, Bryan Irvine wrote:
> Does pf have a logo? I was just thinking it would be nice to have a "protected by" image.

There is: http://www.benzedrine.cx/pf.png which is used on http://undeadly.org/ as well. Would make sense to go from there? Maybe just an image of puffy as pf is pronounced "puff" after all (well, if you stretch a bit). ;-)

... though I agree that Puffy is a hero and should not be forgotten about ;)

-- 
Best regards,                      | [EMAIL PROTECTED]
Max Laier                          | ICQ #67774661
http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
Re: Example pf configs?
On Tuesday 30 December 2003 14:44, Oskar Eyb wrote:
> Can anyone point me to some good examples?

Try the nice PF user guide: http://openbsd.org/faq/pf/index.html

https://solarflux.org/pf/ - has a big (but undocumented) real-life example section.

-- 
Max Laier
#DragonFlyBSD
Re: Redirect problems with eMule ;)
On Friday 19 December 2003 11:58, Laurent Cheylus wrote:
> Hi,
>
> extract from my pf.conf to allow redirection and incoming connections from Emule clients to an internal LAN computer (192.169.0.100) :
>
> $EXT is my external interface (connected to my ISP) :
>
> # Redirect TCP/4662 and UDP/4672 for Emule on 192.168.0.100
> rdr on $EXT proto tcp from any to any port 4662 -> 192.168.0.100 port 4662
> rdr on $EXT proto udp from any to any port 4672 -> 192.168.0.100 port 4672
>
> # Allow ports UDP/4672, TCP/4662 for EDonkey
> pass in on $EXT inet proto tcp from any to 192.168.0.100 port = 4662 keep state
> pass in on $EXT inet proto udp from any to 192.168.0.100 port = 4672 keep state
>
> With this conf, I have Emule high ID on every server :-)
>
> A++ Foxy

As long as you don't have/want to block specific IPs from redirection you might just want to add "pass" to the rdr rules, like so:

rdr pass on $EXT proto tcp from any to any port 4662 -> $emule_ip port 4662
rdr pass on $EXT proto udp from any to any port 4672 -> $emule_ip port 4672

-- 
Max Laier
#DragonFlyBSD
Re: pfcap filtering based on pf-tagged?
Kifah Abbad writes:
> Hi all,
>
> is it possible to set a pcap_setfilter based on packets tagged by pf, or brconfig? (bridge).

I am afraid that this is not possible and not likely to become possible as the tags are stored in a very kernel-centric way (via mbuf tags) and thus can't easily cross the kernel-/userland wall. As tags are not part of the packet as such, but more like a (in-kernel) label, they won't make it to bpf, I think.

Best regards,
Max                            mailto:[EMAIL PROTECTED]
Re: feature in the parser?
Saturday, November 15, 2003, 2:33:51 PM, you wrote:

AES> # cat ./test
AES> pass proto tcp from any to any port 111           # correct
AES> pass proto tcp from any to any port = 111         # correct
AES> pass proto tcp from any to any port {111,222}     # correct
AES> pass proto tcp from any to any port = {111,222}   # incorrect
AES> # pfctl -nf ./test
AES> ./test:4: syntax error
AES> #
AES> is it normal (3.4-stable from 20031113)?

Quite clear from the BNF:

port = "port" ( unary-op | binary-op | "{" op-list "}" )

What would you - for example - expect port {111, 222} to do? If there is a symbol that can be put between "port" and "{" it's element-of/not-element-of, but that's not something you'd like to type, would you?

Best regards,
Max
Re: FAQ ? PF bandwidth shaping in community wireless
Monday, November 10, 2003, 3:54:11 PM, you wrote:

PG> To fund some of this, we need to combine home workers (pay more, use
PG> daytime) with domestic users (variable b/w, lower service price).

PG> I looked at google, and apart from the usual "you can do this" statements, I
PG> found little in the way of exposition and real commentary. Nothing appears
PG> impossible with current tools, but if anyone has shoulders I can stand on,
PG> it would be appreciated.

I am sure that you can find admins and technicians in your area who can help you with this - fair payment provided! From me another "you can do this" - for free.

Best regards,
Max
Re: just another confused poor soul (yet)
Sunday, November 9, 2003, 3:59:35 PM, you wrote:

fh> i am trying to configure a LAN for web surfing only thru squid.
fh> the LAN is a school, i don't want kids going to phony pages.
fh> right now i have some regexp files for squid to filter urls.
fh> this is not a transparent proxy, just a plain squid proxy.
fh> i was thinking that i simply block everything except 3128
fh> and ssh. is this reasonable?

As long as you don't need DNS resolves for your ssh, that's fine.

fh>         +-------+     +------+     +------+
fh> LAN--ne1|openbsd|rl0---|linux1|---|linux2|---internet
fh>         +-------+     +------+     +------+

fh> here is a ruleset i came up with after reading pf.conf and a
fh> couple of hours of trial and error. it seems to work fine, except that
fh> i can't ssh now outside. i read my mail on linux2 and have a couple of
fh> shell accounts elsewhere... linux1 is doing nat, so it is enough for me
fh> to get to linux1.

As rl0 is 192.168.0.3, I assume that linux1 knows only how to route to 192.168.0.0/24 but not to 192.168.3.0/24 (which is required to route the packets back to your LAN). Add rl0 as next-hop from linux1 and you should be fine (if you don't need DNS for your ssh). If you want to ssh to the internet, you'll need some more work on the linux box (or let openbsd do the NAT already).

Best regards,
Max
Re[2]: just another confused poor soul (yet)
Sunday, November 9, 2003, 5:46:14 PM, Fred Edwards wrote:

FE> I wondered about routing also, but since he said that web worked but ssh didn't, I wrote that
FE> off. Did I miss something?

Yes, the web request comes from the squid on the OpenBSD box, thus originating from an IP linux1 has a backroute to.

Sunday, November 9, 2003, 5:39:02 PM, Fred Edwards wrote:

FE> What happens if you write your ssh line as:
FE> pass in quick on $int_if proto tcp from $int_net to any port ssh keep state

He can ssh to the OpenBSD box (period), which isn't exactly what he asked for.

FE> Why not do a transparent proxy on ports 80, 443, 3128 by
FE> doing a redirect to the squid proxy?
FE> That would mean a misconfigured box would still get out on port 80 and not generate a
FE> trouble call.

That's an option.

Sunday, November 9, 2003, 5:42:57 PM, Franciszek Holop wrote:

FH> on the lan, i always use my notebook which has a fixed ip,
FH> i figured i could add this line before the rules,
FH>
FH> nat on $ext_if from $my_ip to any -> ($ext_if)
FH>
FH> and ssh just works fine...
FH> i just didn't want the other machines to nat outside.
FH>
FH> how could i harden this rule? i mean because i am not
FH> always here, (it is very improbable, but) if somebody figured
FH> out my ip, and set one of the lab machines to it, they could
FH> circumvent the firewall. i am the only one who uses openbsd,
FH> is it possible to apply the `os' keyword to nat lines?
FH> practically the firewall saying: if you are an openbsd machine
FH> i will nat you. or even better, if you are going outside just
FH> for ssh, i will nat you

Well, that's the other alternative to adding a route on linux1. For the other thing note that even natted packets are still evaluated by your filter rules, where you can decide what kind of (natted) traffic you want to allow out. If you are very worried about it take a look at authpf.

Best regards,
Max
Re[2]: source routing
HB> It is not clear what you really want to accomplish, but I think you want rdr and not route-to.

True, as ipfw's fwd does more than route-to. Quoting ipfw(8):

    If ipaddr is a local address, then matching packets will be forwarded to port (or the port number in the packet if one is not specified in the rule) on the local machine.

To do this with pf, you must use rdr.

HB> aside from that I don't know the status of route-to and friends in the freebsd port, but Max surely does ;-)

Quite well and working (at least in my tests). Might suffer _a bit_ in performance, due to needed locking, compared to OpenBSD.

HB> On Wed, Oct 22, 2003 at 07:56:14PM +0200, Mark Bojara wrote:
HB>> Hello All,
HB>>
HB>> I bet this subject has come up a couple of times. But searching through the previous threads i could not find a working solution for me. I recently compiled pf/altq in FreeBSD 5.1 to see how it runs. I am trying to set up so that all traffic coming from 192.168.0.2 is routed to 192.168.0.1. My default route points to tun0 and 192.168.0.0/30 sits on tun1.
HB>>
HB>> in FreeBSD's ipfw i do:
HB>> ipfw add fwd 192.168.0.1 ip from 192.168.0.0/30 to any via tun0 (this works fine)
HB>>
HB>> in PF i do:
HB>> pass out quick on tun0 route-to (tun1 192.168.0.1) from 192.168.0.0/30 to any
HB>>
HB>> This does not work.. I really dislike ipfw and would like to get the whole system working on PF.
HB>>
HB>> Thanks a lot
HB>> Mark Bojara

Best regards,
Max
Re[2]: RFC#12 - PF version
Monday, October 20, 2003, 7:44:52 PM, Henning Brauer wrote:

HB>> Request to introduce a public revision number to PF and pfctl.

HB> no.

HB> I had code doing this, and even pfctl erroring out with a nice message
HB> if kernel and userland are out of sync, but theo refused it.

That's strange. Why? I mean: That is vital information about the own system. That would save a lot of time for threads like "*whine* syntax error *whine*" when the problem is a version mismatch. Additionally it's a security improvement when I can step up to an old box, check the versions and update _if_ required! Can you please tell me: What is the point in _not_ providing such information?!

Best regards,
Max
Re[2]: PF and Snort Working together
edo> (...) it seems if I create a rule to let a specific packet through
edo> the firewall then snort sees it. If I block it, then it never gets
edo> logged by snort. So I am totally confused and pulling out my hair.
edo> I have posted my snort configs to the snort list and no one sees
edo> anything wrong with it.

Are you sure that you snort on the right (=correct) side of your firewall? i.e. does the traffic you block arrive at the interface you are snorting on? On a plain two legged router you can snort on if0 all traffic that comes from the network connected to if0, and on if1 you can snort all traffic that comes from the network that is connected to if1! If you have your LAN on if0 and the internet on if1 you can see all traffic originating *from* the internet on if1 (regardless of your pf rules) and all traffic *from* the LAN on if0. Obviously a packet from your LAN blocked by pf won't show up on if1!!! (and the other way round)

Best regards,
Max
Re[2]: deep packet inspection
>> What are possible ways of implementing payload inspection in kernel? ...
>
> And what's the point of writing that e-mail if you don't describe your atypical way?

What's the point in writing follow-ups to this really OT thread at all?

And my piece for the atypical way: Take a look at Net-/FreeBSD's PFIL_HOOKS, that's a _generic_ way to implement in-kernel mbuf inspection of any kind. No need of any other hacks!

Best regards,
Max
Re: expanding anchor rules
I like the idea (as I suggested that before: http://marc.theaimsgroup.com/?l=openbsd-pf&m=105215655418099&w=2)

Somehow Henning didn't like the idea back then, and as I got my rules working w/o it I did not implement it. Vincent's patch might need some minor improvements and changes, but the idea is right IMO. We should keep in mind that firewall admins are not always programmers and will appreciate such helpers. Unless you tell me an *easy* way to get a *full* dump of all rules in place at any given time, that is *readable*, I'd like to have something like Vincent's patch in pfctl.

Remember the pain when all of a sudden all webserver traffic is blocked and you find that it was some rule inside of an authpf anchor that caused the headache ... sure I hear you screaming that that's a beginner's fault, but everybody starts as a beginner and we should help them to get on the train and not tell them to bugger off and learn to write C before *using* a firewall, IMO.

Max

> Hi all,
>
> I started to use OpenBSD and PF a few weeks ago, and I must say I'm really satisfied with this. The anchor system is definitely a nice feature!
>
> However, in the beginning, I've had some hard time debugging my fw rules, when anchors were involved. So I've tried to add an anchor expansion option to pfctl, to help in such situations. As I've seen some people had talked about such an expansion in a previous thread, I've decided to share my few code lines with the list...
>
> To face the "pfctl output should be a valid pfctl input" issue, I've added a "#" at the beginning of every expanded line (ie for every rule related to an anchor). However, I still wonder if it is a good idea to use a printf for it, or if these rules should be shown using fprintf on stderr... Any idea about this ?
>
> Here is a (dumb) sample of a modified pfctl output :
>
> 1) without expansion
>
> # pfctl -sr
> block drop in all
> block drop out all
> anchor test all
> pass in on rl0 all
>
> # pfctl -sn
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
>
> 2) with expansion
>
> # pfctl -sr -E
> block drop in all
> block drop out all
> anchor test all
> # pass in on rl1 inet proto tcp from any to any port = ssh
> pass in on rl0 all
>
> # pfctl -sn -E
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
> # nat on rl0 inet proto tcp from 172.16.1.2 to any port = www -> 192.168.1.1
> # rdr on rl1 inet proto tcp from any to 192.168.1.1 port = www -> 172.16.1.1 port 8080
>
> The patch was done using pfctl code from OpenBSD 3.3. Every comment or suggestion about it is welcome !
>
> --
> Vincent - [EMAIL PROTECTED]
Re: Speed issues with bridge firewall
On Monday 01 September 2003 19:20, Mathew Binkley wrote:
> So our bridging firewall achieves ~84% of full line speed. However, during testing the firewall had a load level of 4.3. There doesn't appear to be any packet loss, but I'm not sure if it is affecting latency or not. Does anyone know a good way of testing that? The firewall console is completely frozen when it's under that stress.

...too many interrupts...

> Does OpenBSD 3.3 not support zero-copy? Or is there something trivial I'm missing here? I wouldn't have expected bridging to put that kind of load on the CPU.

Device Polling is the answer... tedu@ said he was working on it. I hope someone will find time to port FreeBSD code. Here you can find an explanation with code.

Maybe you give pf on FreeBSD a try: http://pf4freebsd.love2party.net/ this will give you said device polling and allows you to use the second processor. Once the netlocking is done, you will maybe even see a further speedup. On the other hand, bridging on FreeBSD with pf filtering is not working properly without a patch. We hope that 5.2R will have solutions for that.

Max
Happy Birthday
From: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 19:48:58 2001 UTC (23 months, 4 weeks ago) by kjell

2 years! All the best for the future!
Re: pfioc_table.pfrio_esize?
New since pfvar.h 1.140:

    Update the pfioc_table IOCTL structure. Prepare for anchors, improve robustness. WARNING: need to sync kernel/userland. ok dhartmei@

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h.diff?r1=1.140&r2=1.141&f=h

Max
Re: portable pf
From: Paul B. Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 9:05 PM
Subject: portable pf

> Is there any widespread interest in developing a portable version of pf, similar to portable ssh? I know some efforts have been made to port it to other BSD variants, but I would be very interested in a Solaris port. I've used ipf under Solaris for a long time, however pf has long since overtaken it in feature set and reliability. I have ongoing issues with system crashes under Solaris when a lot of state is maintained.

While working on Pyun's FreeBSD-port I did think about such a project as well and (memory allocation provided [pool(9)/zone(9) or alike]) it should not be too hard to get it working on other platforms (with ipf/pfil_hooks). I started to clean up our FreeBSD port in order to make it easier to keep up with the development in OpenBSD-Current and will keep an eye on the possibility to include other porting efforts as well. If you are working on something, please contact me. I didn't find time to look at the NetBSD port yet, but I will try to.

Max
Re: binding to if or IP ?
From: Uwe Dippel [EMAIL PROTECTED]
Sent: Wednesday, May 07, 2003 3:44 PM

> Maybe this has been discussed earlier .. ? Very new to pf I have that feeling that all those rulesets with bindings to the interface to me seem less optimal than binding to an IP-address. Before I start writing my own stuff to parse the IP to pf instead of the interface: What is the opinion of the people on this list?

pf filters on the IP layer, hence there is no binding to if. What you seem to confuse is (updated) expanding of interface to its bound ip/ip6 addresses. It makes little difference if you have a static IP bound to your interface as pfctl will replace the ifname with the bound ip-address(es) when loading the ruleset. However, if you write your static IP to your pf.conf you'll have to update one more file when changing your IP on one interface (so it's not a good idea IMO). If you have an interface with a dynamic ip (say ppp-dul) you'll want to use the (ifname) feature (hook_establish()) which updates your ruleset whenever a new ip is assigned to the interface. Note that you'll have to specify the af in that case (to enable pf to choose the right address).

I think it's better to use the interface name (with proper af spec) in your ruleset. I can't think of a case where I'd use the ip of a local interface. If you are uncertain what pfctl will make of your ruleset use "pfctl -nvf yourrules.conf" which will display the fully expanded ruleset with all ifname-conversions.

Max
Re: grouped tcp flags
> If you don't want port XYZ being reached. Block it. Completely. No matter what fuxxored flag ever is set. Period.
>
> //pb

Agreed, but a quick block on some of the common nmap flags on the very top of your ruleset can save you some time (right?) Esp. when somebody went mad, has a big pipe and found out about insane-nmap timing.

max
Re: grouped tcp flags
>> Agreed, but a quick block on some of the common nmap flags on the very top of your ruleset can save you some time (right?) Esp. when somebody went mad, has a big pipe and found out about insane-nmap timing.
>
> *sigh* And all other tcp packets (which are most likely to happen more often) evaluate through all that shit every time? Great gain after all, eh?

I didn't test/benchmark/analyse it ... did you? It's just a bitmask after all.

max