Re: Problem with my config?

2004-10-16 Thread Peter Matulis
> I'm sure you've noticed the script-kiddie attacks trying to guess the root
> password (among other users).

No, actually I haven't.  And you shouldn't either if your config file is set up correctly.

> Now I don't know if this is a problem with my rules

Yes.

> ATTACHMENT part 2 application/octet-stream name=pf.conf.20041015

I took a look and I can say that you should redesign the whole thing.  The common and effective strategy is to take a block (in ext_if) by default stance.  Then, still common, because it makes things simple, you allow all traffic out and keep state on it.

This rule is allowing your box to be attacked:

pass in log on $ext_if proto tcp from any to  port $tcp_in keep state

Where port 22 is included in $tcp_in.  Why are you allowing hosts to connect to your box from the internet?  Do *you* need to do this?  Very bad idea.  If you must then at least make it so sshd will not allow root to connect directly (see /etc/ssh/sshd_config and look at the PermitRootLogin parameter).  You may also want to be less open by not using the "any" keyword.

I have a couple of tutorials on pf if you're interested.  Email me privately.

~~ pm

__ 
Post your free ad now! http://personals.yahoo.ca
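A ruleset in the shape Peter describes above (block in on the external interface by default, pass everything out with state, and expose sshd only to known hosts instead of "any") is shown below as an added illustration; it is not the attached pf.conf and not Peter's own tutorial. The interface name, the admin addresses and the table name are assumptions.

```pf
# Added example, not the poster's pf.conf.  Interface name, addresses
# and the <admins> table are assumptions for illustration.
ext_if = "tun0"
table <admins> { 192.0.2.10, 198.51.100.0/28 }   # assumed management hosts

# Default stance: nothing comes in on the external interface unless a
# later rule passes it.  "log" makes the drops visible on pflog0.
block in log on $ext_if all

# Anything this box (or the LAN behind it) starts is allowed out, and the
# state entry lets the replies back in without any "pass in" rule.
pass out on $ext_if all keep state

# sshd is reachable only from the admin table, never from "any", and only
# for a fresh SYN so state is created by the connection initiator.
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `pfctl -sr` that the only `pass in` rule on the external interface is the one sourced from the table. The pf rule limits who can reach sshd; `PermitRootLogin no` in /etc/ssh/sshd_config limits what an attacker who does reach it can guess at, and the two belong together.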


block-policy default?

2004-09-28 Thread Peter Matulis
I have not set my block policy (via set options) but when I do

$ sudo pfctl -sr | grep block

all the results begin with

block drop

with the exception where I overrode it with block
return for two rules.

Yet the man page does not speak of a default block-policy.

~~ Peter



Re: block-policy default?

2004-09-28 Thread Peter Matulis
 --- Daniel Hartmeier <[EMAIL PROTECTED]> wrote: 
> On Tue, Sep 28, 2004 at 03:09:42PM -0400, Peter Matulis wrote:
> 
> > Yet the man page does not speak of a default block-policy.
> 
> It mentions that drop is default for block:
> 
>   block
>     The packet is blocked.  There are a number of ways in which a block
>     rule can behave when blocking a packet.  The default behaviour is
>                                                ^^^
>     to drop packets silently, however this can be overridden or made
>     explicit either globally, by setting the block-policy option, or on
>     a per-rule basis with one of the following options:
> 
> If you'd like to have this mentioned in the section about set
> block-policy (which isn't an unreasonable request, I agree), how about
> sending in a small diff? :)

Ah! Yes, I went directly to the options section.  It would be nice to have it there.  Honestly I wouldn't know how to go about sending a diff in.

~~ Peter



Re: FTP clients behind PF can connect to ftp serves but cannot list files why?

2004-10-03 Thread Peter Matulis
> ftp-proxy wasn't able to handle two way active and passive connections in my setup but ftpsesame

What is "two way active and passive connections"?

> Is this working the same way proxy does? Redirecting ftp connection to localhost where ftp-proxy is running?

You do not need the sesame crap he mentions.

> > > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
> >  
> > > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
> >  
> > > pass in on $ext_if inet proto tcp from any to $ext_if \
> > >   user proxy keep state 
> 
> I noticed that with the above rules internal clients can do passive ftp fine, but active ftp won't work, pf drops the packets from the remote host from port 20 to a high port here.
> I don't know quickly how to remedy this, any hints?

Get into logging and then provide us with some facts.

~~ Peter



Re: FTP clients behind PF can connect to ftp serves but cannot list files why?

2004-10-03 Thread Peter Matulis
> Output from pflog0:
> 
> 4. 422299 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, flags [DF], length: 44, bad cksum d0ab (->2145)!) 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum ok] 693991520:693991520(0) win 8760 
> 
> Any hints?

Maybe supply your pf.conf



Re: FTP active mode desn't work properly with nat on PF

2004-10-26 Thread Peter Matulis
> when I am running an ftp connection in active mode, it is coming back with the IP number of my bsd box, some windows clients don't care about it, but Mac OS users or NcFTP drop the connections when this is happening.

Let's see your rules.



Re: FTP active mode desn't work properly with nat on PF

2004-10-27 Thread Peter Matulis
> this is my inetd.conf
> ftp-proxy stream tcp nowait root /usr/local/libexec/ftp-proxy ftp-proxy -a 1.2.3.4 -m 55000 -M 57000 -u nobody
> 
> and pf.conf

> # Interfaces #
> int_if = "fxp0"
> ext_if = "ath0"
> 
> # Networks and IPs #
> int_ip = 192.168.0.254
> int_net = "192.168.0.0/24"

>  Options 
> set block-policy return
> set limit { states 2048, frags 2048 }
> set loginterface $ext_if

> ### Translation and Redirection ###
> # NAT #
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> 
> # FTP Passive Mode #
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> # Redirection #
> rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 3389 -> 192.168.0.1 port 3389
> # PPTP Redirection
> 
> 
> ### PACKET FILTERING 
> block in on $ext_if all
> block in quick on $ext_if inet from $priv_nets to any
> 
> block in quick on $ext_if inet from $ext_if to any
> block out quick on $ext_if inet from ! $ext_if to any
> block out quick on $ext_if inet from any to $priv_nets
> block in quick on $ext_if proto udp from any to any port { 137, 139, 445 }
> 
> # ICMP
> pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
> 
> # UDP
> pass in on $ext_if proto udp from any port 53 to any
> pass out on $ext_if proto udp from any to any port 53
> 
> #A FTP
> pass in on $ext_if proto tcp from any to any port { ftp, ftp-data }
> pass in on $int_if proto tcp from any to any port { ftp, ftp-data }
> pass in on $ext_if proto tcp from any port 20 to any

A few points:

1. You do not need any "pass out on $ext_if" rules since you are not blocking outgoing traffic by default.

2. The last section (A FTP) you can simplify those three lines to:

pass in on $ext_if inet proto tcp from any port 20 to $ext_if

This is to allow the FTP server to respond to ftp-proxy's active FTP requests.

Peter

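The inetd-driven ftp-proxy arrangement that both FTP threads above turn on (the one with the port-20 drops in the pflog output, and the one with the inetd.conf and pf.conf posted here) is shown below as an added, complete fragment. It is not the poster's configuration and not Peter's reply; the interface names, the 55000-57000 data range (taken from the poster's -m/-M flags) and the proxy user are assumptions. The point it adds is that the inbound rule for active-mode data connections can be narrowed to the proxy's own port range and socket owner instead of "from any port 20 to any".

```pf
# Added example of an inetd-driven ftp-proxy setup; not the poster's
# files.  Interface names, the data-port range and the proxy user are
# assumptions.
#
# /etc/inetd.conf (one line): listen on loopback only.  Without -u the
# old ftp-proxy drops privileges to the user "proxy", which is what the
# "user proxy" match below relies on; with "-u nobody" the rule would
# have to say "user nobody" instead.  -m/-M bound the ports it listens
# on for active-mode data connections.
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 55000 -M 57000
#
# /etc/pf.conf
ext_if = "ath0"
int_if = "fxp0"

nat on $ext_if from $int_if:network to any -> ($ext_if)

# LAN clients' control connections (port 21) are handed to the proxy,
# which rewrites PORT/PASV on their behalf.
rdr on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

block in log on $ext_if all
pass out on $ext_if all keep state

# Active mode: the remote server connects back from port 20 to a port the
# proxy is listening on.  Only that range, only to sockets owned by the
# proxy user, only for a fresh SYN.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    port 55000:57000 user proxy flags S/SA keep state
```

With this in place, a server's data connection that is still being blocked shows up on pflog0 exactly like the line quoted earlier (source port 20, block in on the external interface), which makes `tcpdump -n -e -ttt -i pflog0` the first thing to look at rather than the ruleset.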


traffic leaking out on PPP connection

2004-11-13 Thread Peter Matulis
My firewall is pretty tight.  I block all incoming by default and let out only certain destination ports.  I'm currently filtering on the external interface only.

Now I decided to do a check on all outgoing traffic (filtering out of course the allowed ports) and I made an interesting discovery.

I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I am sending out regular replies to port 135.  I figured this is due to PPP tunneling.  In 15 minutes I was replying to about a dozen different IP addresses but they all resolve back to my ISP's servers (or clients?):

# host 209.226.190.100
100.190.226.209.in-addr.arpa domain name pointer SSMarie-ppp128981.sympatico.ca.
# host 209.226.119.1
1.119.226.209.in-addr.arpa domain name pointer Ottawa-ppp-198986.sympatico.ca.
# host 209.226.132.21
21.132.226.209.in-addr.arpa domain name pointer Lindsay-ppp-147952.sympatico.ca.
# host 209.226.247.21
21.247.226.209.in-addr.arpa domain name pointer London-ppp51940.sympatico.ca.
# host 209.226.124.1
1.124.226.209.in-addr.arpa domain name pointer HSE-Ottawa-ppp-33124.sympatico.ca.

Any comments?

Peter



Re: traffic leaking out on PPP connection

2004-11-25 Thread Peter Matulis
 --- "Ilya A. Kovalenko" <[EMAIL PROTECTED]> wrote: 
> PM> My firewall is pretty tight.  I block all incoming by default and let out only certain
> PM> destination ports.  I'm currently filtering on external interface only.
> 
> PM> Now I decided to do a check on all outgoing traffic
> PM> (filtering out of course the allowed ports)
> PM> and I made an interesting discovery.
> 
> PM> I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I
> PM> am sending out regular replies to
> PM> port 135.  I figured this is due to PPP tunneling.  In 15
> PM> minutes I was replying to about a
> PM> dozen different IP addresses but they all resolve back to my ISPs servers (or clients?):
> 
> These hosts are probably infected with the "Lovesan" (aka "MS-blast") virus.  It
> scans networks for vulnerable Windows boxes to infect.
> 
> But you should see it as incoming requests, then your host replies.

I do get, like everyone else, incoming requests due to the reason you give but this is the only port my firewall is responding to and I have no idea why except the hypothesis that it is due to some PPP tunneling being done by my ISP.

Furthermore, I went to the Shields Up! site at https://grc.com/x/ne.dll?bh0bkyd2 and it scanned my IP and did not report *any* ports open.  This is what I should expect.

Peter



[SOLVED] traffic leaking out on PPP connection

2004-11-30 Thread Peter Matulis
Ok, got it.  Prior to submitting my ruleset in my last post I removed one key line that I did not think could have any influence:

block return in log on $EXT proto { udp, tcp } all

Yesss doggy... this creates a very misleading result when viewing traffic with tcpdump.

For those who may get tripped up by this, I *am* responding but the response consists of sending a RST flag to close the TCP connection immediately instead of allowing it to time out.

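The two points from the "block-policy default?" exchange and from the [SOLVED] post above (rules that say only "block" inherit the global policy, which is drop unless set otherwise; and a "block return" rule generates RST and ICMP unreachable packets that look like outbound traffic in tcpdump) are put side by side in this added fragment. It is not Peter's ruleset; the interface names are assumptions.

```pf
# Added example; interface names are assumptions.
ext_if = "tun0"
int_if = "fxp0"

# Make the default explicit.  Rules that just say "block" inherit this,
# which is why "pfctl -sr" prints them as "block drop ..." even when no
# block-policy was ever set.
set block-policy drop

# External side: drop silently.  A dropped SYN gets no reply at all, so a
# scanner (or a worm probing port 135) sees nothing and the box looks
# closed to an outside scan.
block in log on $ext_if all

# Internal side: answer with RST (tcp) or ICMP unreachable (udp) so LAN
# clients fail fast instead of hanging until a timeout.  Every one of
# those answers is a packet leaving the interface; had this rule been on
# $ext_if, "tcpdump -n -i tun0" would show the same "replies" that were
# mistaken for a leak in the thread above.
block return in log on $int_if proto { tcp, udp } all

pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if all keep state
```

`pfctl -sr` lists the first rule as `block drop in log on tun0 all` and the second as `block return in log on fxp0 ...`, so the effective policy of every block rule is visible there even when pf.conf leaves it implicit.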


Re: Traffic Monitoring, IP

2004-12-31 Thread Peter Matulis
> > you can improve PFSTAT without any money :))
> 
> You should know that the work Daniel has already donated to PF and the 
> OpenBSD project is worth thousands of dollars.

Tens of thousands I would say.



LAN requests to internal web server (beware: involves mod_rewrite)

2005-08-17 Thread Peter Matulis
Hi gang.

I have a 3.7 box redirecting internet HTTP requests to my dynamically assigned address to an internal web server with the following PF line:

rdr on tun0 inet proto tcp from any to $EXT port 80 -> 192.168.2.214

All is well.

When I needed to provide access to lan clients I added this line:

rdr on $INT inet proto tcp from $LAN_clients to $EXT port 80 -> 192.168.2.214

All is well.

I recently needed to redirect requests to http://example.com/ to http://example.com/dir/ and I accomplished this using mod_rewrite:

RewriteRule ^/$ /dir/ [R,L]

Internet requests are redirected.  All is well.

Incidentally, when I point lynx directly to example.com/dir/ it works but when I do the same with Firefox it doesn't.

The main problem is when an internal client (using either browser) attempts to reach the server.  Somehow the rewrite is breaking things.  I have sniffed the traffic on the web server (leo) and I see the client (sonata) keeps resetting the connection:

sonata.50203 > leo.www: S 3873582015:3873582015(0) win 65535  (DF)
leo.www > sonata.50203: S 1850416475:1850416475(0) ack 3873582016 win 16384  (DF)
sonata.50203 > leo.www: R 3873582016:3873582016(0) win 0 (DF)
sonata.59370 > leo.www: S 1346830390:1346830390(0) win 65535  (DF)
leo.www > sonata.59370: S 100367935:100367935(0) ack 1346830391 win 16384  (DF)
sonata.59370 > leo.www: . ack 1 win 33304  (DF)
sonata.59370 > leo.www: P 1:446(445) ack 1 win 33304 (DF)
leo.www > sonata.59370: P 1:524(523) ack 446 win 17376 (DF)
sonata.51209 > leo.www: S 172896183:172896183(0) win 65535  (DF)
leo.www > sonata.51209: S 226194437:226194437(0) ack 172896184 win 16384  (DF)
sonata.51209 > leo.www: R 172896184:172896184(0) win 0 (DF)
sonata.59370 > leo.www: . ack 524 win 33304  (DF)
sonata.51209 > leo.www: S 172896183:172896183(0) win 65535  (DF)
leo.www > sonata.51209: S 1749620331:1749620331(0) ack 172896184 win 16384  (DF)
sonata.51209 > leo.www: R 172896184:172896184(0) win 0 (DF)
sonata.51209 > leo.www: S 172896183:172896183(0) win 65535  (DF)
leo.www > sonata.51209: S 1451968876:1451968876(0) ack 172896184 win 16384  (DF)
sonata.51209 > leo.www: R 172896184:172896184(0) win 0 (DF)
sonata.51209 > leo.www: S 172896183:172896183(0) win 65535  (DF)
leo.www > sonata.51209: S 1937590863:1937590863(0) ack 172896184 win 16384  (DF)
sonata.51209 > leo.www: R 172896184:172896184(0) win 0 (DF)

Here is what I get from lynx:

Looking up example.com
Making HTTP connection to example.com
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 302 Found
Data transfer complete
HTTP/1.1 302 Found
Using http://www.example.com/dir/
Looking up www.example.com
Making HTTP connection to www.example.com
Alert!: Unable to connect to remote host.
< long pause >
lynx: Can't access startfile http://example.com/

Is this a PF issue?  I'm not sure.

Thanks for any input,

Peter

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Re: LAN requests to internal web server (beware: involves mod_rewrite)

2005-08-17 Thread Peter Matulis

--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> Make sure you understand
> 
>   http://www.openbsd.org/faq/pf/rdr.html#reflect
> 
> Unless 192.168.2.214 is on a subnet separate from sonata (and replies
> from 192.168.2.214 to sonata pass back through the pf box), the resets
> are a normal (though possibly surprising) reaction, explained by the
> document above.

Thank you.  All is well (really).

Peter Matulis

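The "reflection" arrangement Daniel points to in the pf FAQ, as an added fragment rather than Peter's ruleset or the FAQ's text: the LAN rdr alone only rewrites the destination, so the web server answers the client directly across the shared subnet, the client gets a SYN/ACK from 192.168.2.214 instead of from the address it connected to, and resets it (the trace in the earlier post). Adding a nat rule on the internal interface forces the reply back through the firewall. Interface names and the LAN network are assumptions; the server address is the one from the thread.

```pf
# Added example of rdr "reflection" for a LAN client reaching a server
# on its own subnet through the firewall's public address.  Interface
# names and the LAN network are assumptions.
ext_if  = "tun0"
int_if  = "fxp0"
int_net = "192.168.2.0/24"
web_srv = "192.168.2.214"

# Internet -> internal web server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv

# LAN client -> public address.  Destination is rewritten here, but on its
# own this leaves the server replying to the client directly, bypassing
# pf, and the client sends RST.
rdr on $int_if inet proto tcp from $int_net to ($ext_if) port 80 -> $web_srv

# Fix: also rewrite the source to the firewall's internal address, so the
# server's replies must come back through pf, which undoes both
# translations before the client sees them.
nat on $int_if inet proto tcp from $int_net to $web_srv port 80 -> $int_if

# rdr runs before filtering, so the pass rules see the translated address.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $int_if inet proto tcp from $int_net to $web_srv port 80 keep state
```

The cost of the nat rule is that the web server's logs show every LAN client as the firewall's internal address. If that matters, the usual alternative is to have internal DNS resolve the name to 192.168.2.214 directly so LAN traffic never touches the public address at all.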


question re pfstat and recent isp downage

2005-09-03 Thread Peter Matulis
I am monitoring my connection with pfstat on OBSD 3.7 .

Now...

Recently my internet connection went down for 2 hours.  When it came back
I noticed pfstat reporting a massive increase in "block in" speeds
(packets/s).  I am wondering why this is happening.  It also skews my
previous stats. :(

I am filtering on my external interface only.

You can view this phenomenon here:

http://papamike.ca/misc/pass_block_12.png



IP accounting

2005-09-03 Thread Peter Matulis
As a recent post of mine shows, I am in the process of setting up various types of IP accounting for my humble ADSL network.  I have pfstat that provides an overview of what is happening on the PF side.  Now I am looking for some hard numbers in this order of priority:

1. number of MB that has exited/entered my firewall's external interface during the month
2. graph this type of data on a daily basis
3. know which internal hosts accounted for that bandwidth

I looked at ipfm.  It is very small and appears to do what I want but I cannot get it to listen on my external interface (fxp0/tun0) for some reason.  There are a few perl/shell scripts I found that output the data in some nicer format but these things seem very brittle.  ipfm does not seem to be maintained anymore (since 2002).

My next stop is symon.

Does anyone have any suggestions or comments on my meagre demands?

Peter



Re: IP accounting

2005-09-04 Thread Peter Matulis

--- jared r r spiegel <[EMAIL PROTECTED]> wrote:

>   i think the closest granularity you'll be able to get with symon is 
>   that it can monitor individual altq queues now (symon v2.71).

Symon is looking good.  I have a basic installation now but I am getting odd results:

# getsymonitem.pl 127.0.0.1 2100 127.0.0.1 "mem" "real_total" 
44761088
# getsymonitem.pl 127.0.0.1 2100 127.0.0.1 "mem" "free"   
152129536

How can free ram be greater than total ram?

--
Peter

__ 
Find your next car at http://autos.yahoo.ca