possible PF queue speed bug??

2010-10-31 Thread Robert Lewandowski

Hello,


I have been using OpenBSD for a long time now, but recently when I was testing
high speed queues using altq and cbq I saw there is a strange problem.

When queue is set to:
a)  5 mbit, transfer rate between 2 computers is around 5mbit -> OK
b) 90 mbit, transfer rate between 2 computers is around 90mbit -> OK
c) 50 mbit, transfer rate between 2 computers is ONLY around 30mbit ->
WHY ?!?!?!?!???

I have tried changing mbit to kb, using % - no difference.
I have tested it on OpenBSD 4.7 and 4.2.

I was testing this speed using iperf, pktstat, and transferring a file using
scp and wget.

Below is pf.conf:

set skip on lo

altq on xl1 cbq bandwidth 52Mb queue { komp1_out2, komp2_out2, komp3_out2, domyslna_out2 }

queue komp1_out2 bandwidth 500Kb cbq
queue komp2_out2 bandwidth 500Kb cbq
queue komp3_out2 bandwidth 50Mb cbq
queue domyslna_out2 bandwidth 1Mb cbq(default)


altq on xl0 cbq bandwidth 52Mb queue { komp1_in2_wew, komp2_in2_wew, komp3_in2_wew, domyslna_in2_wew }

queue komp1_in2_wew bandwidth 500Kb cbq
queue komp2_in2_wew bandwidth 500Kb cbq
queue komp3_in2_wew bandwidth 50Mb cbq
queue domyslna_in2_wew bandwidth 1Mb cbq(default)



pass  in quick on xl0 from 192.168.111.0/24 to any queue komp3_in2_wew
pass out quick on xl1 from 192.168.111.0/24 to any nat-to 10.0.0.4 queue
komp3_out2


pass in quick  on xl1 proto tcp from any to 10.0.0.4 port {5001} rdr-to
192.168.111.2 queue komp3_out2
pass out quick on xl0 proto tcp from any to 192.168.111.2 queue
komp3_in2_wew



--
best regards,
Robert Lewandowski


Re: "suspends" count on pfctl -vvsq

2010-01-20 Thread Robert
On Wed, 20 Jan 2010 20:52:09 +0700
"Ilya A. Kovalenko"  wrote:

>   Good time of day,
> 
> pfctl -vvsq shows a counter named "suspends"; what specific events
> does it count?
> 
> I just tryin' to understand what it means:
> 
> queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
>   [ pkts: 668486  bytes:  115633409  dropped pkts:  0
> bytes:  0 ] [ qlength:   0/ 50  borrows:  0  suspends:
> 0 ] [ measured:   703.2 packets/s, 1.03Mb/s ]
> queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
>   [ pkts: 668486  bytes:  115633409  dropped pkts:  0
> bytes:  0 ] [ qlength:   0/5000  borrows:  0  suspends:
> 65311 ] [ measured:   703.2 packets/s, 1.03Mb/s ]
> queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
>   [ pkts: 773002  bytes:  654654161  dropped pkts:  0
> bytes:  0 ] [ qlength:   0/ 50  borrows:  0  suspends:
> 0 ] [ measured:   785.9 packets/s, 5.35Mb/s ]
> queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
>   [ pkts: 773002  bytes:  654654161  dropped pkts:  0
> bytes:  0 ] [ qlength:   0/5000  borrows:   2607  suspends:
> 56563 ] [ measured:   785.9 packets/s, 5.35Mb/s ]
> 
> i.e. the speed rates are good, but suspends (dequeuing stalls?) with
> empty queues look strange to me.
> 
>   I can guess a possible _cause_ of such behavior - the host is running on
> virtual hardware under a VMWare Hypervisor - but I can't understand the
> _process_ itself.
> 
> Kind regards,
> 
> Ilya A. Kovalenko


Yes, that counter shows the number of packets for that queue that got
delayed, not dequeued/sent "immediately".

pf.conf(5)
QUEUEING
  The scheduler defines the algorithm used to decide which packets
  get delayed, dropped, or sent out immediately.

The counter is populated within the function rmc_delay_action
in sys/altq/altq_rmclass.c.
It is referred to everywhere as "delayed"; only in the output of pfctl is it
called "suspends", for whatever reason.

- Robert
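To make those counters easier to watch over time, here is an added Python parser (my example, not code from the thread or from OpenBSD) that reads pfctl -vvsq stanzas like the ones quoted above into records and flags queues that dropped packets or delayed ("suspends") a large share of what they carried. The sample text is the thread's own output reflowed to pfctl's layout; the 5% threshold is an arbitrary assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the pfctl -vvsq output quoted in the thread above, with the
# mail's line wrapping undone so each queue is one "queue" line plus three "[ ... ]" lines.
SAMPLE_PFCTL_VVSQ = """\
queue root_pcn1 bandwidth 50Mb priority 0 cbq( wrr root ) {stub}
  [ pkts:     668486  bytes:  115633409  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts:     668486  bytes:  115633409  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/5000  borrows:      0  suspends:  65311 ]
  [ measured:   703.2 packets/s, 1.03Mb/s ]
queue root_pcn0 bandwidth 100Mb priority 0 cbq( wrr root ) {stub}
  [ pkts:     773002  bytes:  654654161  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
queue  stub bandwidth 30Mb qlimit 5000 cbq( borrow default )
  [ pkts:     773002  bytes:  654654161  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/5000  borrows:   2607  suspends:  56563 ]
  [ measured:   785.9 packets/s, 5.35Mb/s ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+(.*?)\s*(?:\{(.*)\})?\s*$")
PKTS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
CBQ_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)")
MEAS_RE = re.compile(r"measured:\s*([\d.]+)\s+packets/s,\s*([\d.]+\w+)/s")


@dataclass
class QueueStats:
    name: str
    parent: Optional[str]      # None for the interface's root queue
    bandwidth: str             # as printed, e.g. "30Mb"
    pkts: int = 0
    nbytes: int = 0
    dropped_pkts: int = 0
    dropped_bytes: int = 0
    qlen: int = 0
    qlimit: int = 0
    borrows: int = 0
    suspends: int = 0          # packets rmc_delay_action() held back (cbq only)
    pps: float = 0.0
    rate: str = ""


def parse_pfctl_queues(text: str) -> List[QueueStats]:
    """Parse `pfctl -vvsq` output into one QueueStats per queue, in display order.
    Children are attributed to the most recent root queue; priq queues simply leave
    the cbq-only counters at 0 because their qlength line has no borrows/suspends."""
    queues: List[QueueStats] = []
    current_root: Optional[str] = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            name, opts = m.group(1), m.group(2)
            is_root = "root" in opts.split()
            if is_root:
                current_root = name
            bw = re.search(r"bandwidth\s+(\S+)", opts)
            queues.append(QueueStats(name=name, parent=None if is_root else current_root,
                                     bandwidth=bw.group(1) if bw else ""))
            continue
        if not queues:
            continue
        q = queues[-1]
        if m := PKTS_RE.search(line):
            q.pkts, q.nbytes, q.dropped_pkts, q.dropped_bytes = map(int, m.groups())
        elif m := CBQ_RE.search(line):
            q.qlen, q.qlimit, q.borrows, q.suspends = map(int, m.groups())
        elif m := MEAS_RE.search(line):
            q.pps, q.rate = float(m.group(1)), m.group(2)
    return queues


def flag_queues(queues: List[QueueStats], delay_ratio: float = 0.05) -> List[str]:
    """Report queues that dropped packets or delayed more than delay_ratio of what they
    carried (the 5% default is an arbitrary assumption; tune it to the link)."""
    findings = []
    for q in queues:
        label = f"{q.parent}/{q.name}" if q.parent else q.name
        if q.dropped_pkts:
            findings.append(f"{label}: {q.dropped_pkts} packets dropped (qlimit {q.qlimit})")
        if q.pkts and q.suspends / q.pkts > delay_ratio:
            findings.append(f"{label}: {100 * q.suspends / q.pkts:.1f}% of packets delayed "
                            f"(suspends={q.suspends}, borrows={q.borrows}, {q.rate}/s)")
    return findings


if __name__ == "__main__":
    for finding in flag_queues(parse_pfctl_queues(SAMPLE_PFCTL_VVSQ)):
        print(finding)
```

On a live box feed it `pfctl -vvsq` output captured at intervals; a steadily growing suspends share on a queue with an empty qlength is the pattern the thread is asking about.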


Re: CBQ download limits failed...

2009-11-11 Thread Robert
On Wed, 11 Nov 2009 17:26:06 +0100
Jordi Espasa Clofent  wrote:

> Hi all,
> 
> I'm trying to implement queue using PF in OpenBSD box. The pf.conf
> looks like:

> # 5. Queueing
> # ISP1 queues, 10MBps
> altq on $ext_if1 priq bandwidth 10Mb queue { my1, centraleta, ssh1,
> nomy1 } queue centraleta priority 7
>   queue my1 priority 6
>   queue ssh1 priority 5
>   queue nomy1 priority 1 priq (default)
> 
> #  ISP2 queues (10Mbps)
> altq on $ext_if2 cbq bandwidth 10Mb queue { nomy2, my2, ssh2 }
>  queue my2 bandwidth 50% priority 7 cbq(default)
>  queue nomy2 bandwidth 5% priority 0 cbq
>  queue ssh2 bandwidth 45% priority 6 cbq(borrow)


Limiting incoming bandwidth on the external interface doesn't work.
You can have some success if you queue traffic to your lan on the
internal interface.

Have a look at the pf faq http://www.openbsd.org/faq/pf/queueing.html ,
especially the examples.

- Robert


Re: syntax error while using scrub with OpenBSD 4.6

2009-10-28 Thread Robert
On Wed, 28 Oct 2009 00:29:58 -0700 (PDT)
Micha Holzmann  wrote:

> Hello all,
> 
> I am fairly new to OpenBSD. I use it for a home router and firewall.
> Following the recommendations, I want to use the scrub keyword.
> 
> But regardless of how I write it into the pf.conf and check it with pfctl
> I get a syntax error message.
> 
> I tried several syntaxes:
> 
> scrub all
> scrub in all
> 
> After using google and other resources for hours I found a changeset
> which describes
> 

The way to use scrub has changed for 4.6.
"scrub" is now an option to a normal rule.

match in all scrub

http://www.openbsd.org/faq/upgrade46.html#newPF

- Robert


Re: syntax error while using scrub with OpenBSD 4.6

2009-10-28 Thread Robert
On Wed, 28 Oct 2009 01:10:08 -0700 (PDT)
Micha Holzmann  wrote:

> Hello all,
> 
> [ the formerly post was not complete because of my web-session was
> crashed ].
> 
> I am fairly new to OpenBSD. I use it for a home router and firewall.
> Following the recommendations, I want to use the scrub keyword.
> 
> But regardless of how I write it into the pf.conf and check it with pfctl
> I get a syntax error message.
> 
> I tried several syntaxes:
> 
> scrub all
> scrub in all
> 
> After using google and other resources for hours I found a changeset
> which describes scrub to use
> 
> match in all scrub (random-id fragment reassemble tcp)
> 
> If I try to activate this, I get a syntax error. What have I done
> wrong?
> 
> Best regards
> 

Remove "fragment" as that's not a supported option in the scrub context.
Have a look at the pf.conf manpage.

- Robert


Re: ALTQ

2009-04-14 Thread Robert
On Tue, 14 Apr 2009 17:37:42 +0200
"Helmut Schneider"  wrote:

> From: "Robert" 
> > On Tue, 14 Apr 2009 15:39:48 +0200
> > "Helmut Schneider"  wrote:
> >
> >> From: "Robert" 
> >>> "Helmut Schneider"  wrote:
> >>>> My proxy has one single GB interface and is connected to the
> >>>> internet using an E3-line (34Mb). I want to shape http traffic to
> >>>> 5Mb/s. How?
> >>>>
> >>>> Something like:
> >>>>
> >>>> altq on $extIF cbq bandwidth 100% queue { default, http_traf }
> >>>> queue default bandwidth 100% cbq(default borrow)
> >>>> queue http_traf bandwidth 5Mb cbq(borrow)
> >>>>
> >>>> What is the correct syntax?
> >>>>
> >>>> Thanks, Helmut
> >>>
> >>> This is explained (with an example you can adapt) in the PF FAQ.
> >>> http://www.openbsd.org/faq/pf/queueing.html
> >>
> >> No, it's not. The FAQ talks about two interfaces, I only have
> >> one single interface. I also did not find an example where the
> >> default queue may use 100% and HTTP may use let's say 5Mb
> >> from that amount.
> >>
> >> If I'm wrong please point me to the specific location.
> >
> > Doesn't this section explain how to do it?
> > http://www.openbsd.org/faq/pf/queueing.html#assign
> 
> Well, if then I do not understand it. The section states:
> 
> altq on fxp0 cbq bandwidth 2Mb queue { std, ftp }
> queue std bandwidth 500Kb cbq(default)
> queue ftp bandwidth 1.5Mb
> 
> What I want to do is to assign the default queue the whole bandwidth
> (100%) and let e.g. http borrow 5Mb. As I do not know the connection
> speed (might be 1GB or 100Mb within the local LAN, but might also be
> 34Mb for the internet) I guess I need to mix absolute values and
> percentages, which I currently fail to implement.
> 
> What I tried:
> 
> altq on $extIF cbq bandwidth 100% queue { default, http_traf }
> queue default bandwidth 100% cbq(default borrow)
> queue [default_]http_traf bandwidth 5Mb cbq(borrow)
> 
> which does not work:
> 
> # pfctl -nf /etc/pf.conf
> pfctl: the sum of the child bandwidth higher than parent "root_bge1"
> # 

100% + 5Mb > 100%
All children have to fit into the parent.
(I think it's a bad idea to mix % and Mb limits in the same tier of
child-queues.)

And "borrow" allows the child-queue to use more bandwidth than was
defined, if it is available. As your interface has more bandwidth than
your 34Mbit to the internet the queue won't have any effect.
If you want 'http_traf' to get 5Mb max, omit the "borrow".

If you only queue traffic to your E3, just set the parent to 34Mb.

- Robert
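The check pfctl is performing here, written out as an added Python example (not pfctl's code and not from the thread): it parses the altq/queue lines, resolves percentages against the parent the way pfctl does, and reports the same "sum of the child bandwidth higher than parent" condition for every tier. The embedded configs are constructed from the threads above; the 1 Gb/s interface speed passed for Helmut's case and the 29Mb/5Mb split in the fixed version are assumptions.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

UNITS = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}   # pf uses decimal prefixes

def parse_bw(spec: str, parent_bps: Optional[float]) -> float:
    """pf.conf bandwidth spec (52Mb, 500Kb, 1.5Mb, 50%) -> bits/s; % resolves against the parent as pfctl does."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(?:([KMG])?b|(%))?", spec)
    if not m:
        raise ValueError(f"unparsable bandwidth {spec!r}")
    value = float(m.group(1))
    if m.group(3):
        if parent_bps is None:
            raise ValueError(f"{spec} is a percentage but the parent bandwidth is unknown")
        return value * parent_bps / 100.0
    return value * UNITS[m.group(2) or ""]

def _logical_lines(config: str) -> Iterator[str]:
    """Drop comments and blank lines; rejoin a child list that is wrapped across lines ({ ... })."""
    buf = ""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.count("{") > buf.count("}"):
            continue
        yield buf
        buf = ""

def load_altq(config: str):
    """Return ([(iface, scheduler, bwspec, children)], {queue name: (bwspec, children)})."""
    roots, queues = [], {}
    for line in _logical_lines(config):
        braces = re.search(r"\{(.*)\}", line)
        kids = [k.strip() for k in braces.group(1).split(",") if k.strip()] if braces else []
        head = line[:braces.start()].strip() if braces else line
        m = re.match(r"altq on (\S+) (\S+) bandwidth (\S+)", head)
        if m:
            if not kids:                              # 'altq ... queue single_queue' form
                s = re.search(r"queue (\S+)$", head)
                kids = [s.group(1)] if s else []
            roots.append((m.group(1), m.group(2), m.group(3), kids))
        elif (m := re.match(r"queue (\S+)(?: .*?bandwidth (\S+))?", head)):
            queues[m.group(1)] = (m.group(2), kids)
    return roots, queues

def _check_children(parent, parent_bps, kids, queues, errors):
    """Recursive tier check: each child resolves against its parent, then the tier's sum must fit."""
    total = 0.0
    for kid in kids:
        spec, grandkids = queues.get(kid, (None, []))
        if spec is None:
            errors.append(f'queue "{kid}" under "{parent}": no bandwidth given, cannot verify')
            continue
        kid_bps = parse_bw(spec, parent_bps)
        total += kid_bps
        if grandkids:
            _check_children(kid, kid_bps, grandkids, queues, errors)
    if total > parent_bps:
        errors.append(f'the sum of the child bandwidth higher than parent "{parent}"')

def check_altq_tree(config: str, ifspeeds: Optional[Dict[str, float]] = None) -> List[str]:
    """pfctl-style error messages, [] when every tier fits. ifspeeds (iface -> bits/s) is
    needed only when the altq line itself is given in %, since then pfctl asks the interface."""
    errors: List[str] = []
    roots, queues = load_altq(config)
    for iface, sched, spec, kids in roots:
        if sched == "priq":                           # priq children carry priorities, not shares
            continue
        root = f"root_{iface}"                        # pfctl's name for the interface root queue
        try:
            parent_bps = parse_bw(spec, (ifspeeds or {}).get(iface))
        except ValueError as exc:
            errors.append(f"{root}: {exc}")
            continue
        _check_children(root, parent_bps, kids, queues, errors)
    return errors

# Constructed configs taken from the threads above.
CFG_LEWANDOWSKI = """
altq on xl1 cbq bandwidth 52Mb queue { komp1_out2, komp2_out2,
    komp3_out2, domyslna_out2 }
queue komp1_out2 bandwidth 500Kb cbq
queue komp2_out2 bandwidth 500Kb cbq
queue komp3_out2 bandwidth 50Mb cbq
queue domyslna_out2 bandwidth 1Mb cbq(default)
"""
CFG_HELMUT = """
altq on bge1 cbq bandwidth 100% queue { default, http_traf }
queue default bandwidth 100% cbq(default borrow)
queue http_traf bandwidth 5Mb cbq(borrow)
"""
# Robert's advice applied; the 29Mb/5Mb split is an assumed example.
CFG_HELMUT_FIXED = """
altq on bge1 cbq bandwidth 34Mb queue { default, http_traf }
queue default bandwidth 29Mb cbq(default)
queue http_traf bandwidth 5Mb cbq
"""
```

Without an entry in ifspeeds a 100% root cannot be compared against a 5Mb child at all, which is the practical reason behind the advice not to mix units in one tier.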


Re: ALTQ

2009-04-14 Thread Robert
On Tue, 14 Apr 2009 15:39:48 +0200
"Helmut Schneider"  wrote:

> From: "Robert" 
> > "Helmut Schneider"  wrote:
> >> My proxy has one single GB interface and is connected to the
> >> internet using an E3-line (34Mb). I want to shape http traffic to
> >> 5Mb/s. How?
> >>
> >> Something like:
> >>
> >> altq on $extIF cbq bandwidth 100% queue { default, http_traf }
> >> queue default bandwidth 100% cbq(default borrow)
> >> queue http_traf bandwidth 5Mb cbq(borrow)
> >>
> >> What is the correct syntax?
> >>
> >> Thanks, Helmut
> >
> > This is explained (with an example you can adapt) in the PF FAQ.
> > http://www.openbsd.org/faq/pf/queueing.html
> 
> No, it's not. The FAQ talks about two interfaces, I only have one
> single interface. I also did not find an example where the default
> queue may use 100% and HTTP may use let's say 5Mb from that
> amount.
> 
> If I'm wrong please point me to the specific location.
> 
> Thanks, Helmut 

Doesn't this section explain how to do it?
http://www.openbsd.org/faq/pf/queueing.html#assign

- Robert


Re: ALTQ

2009-04-14 Thread Robert
On Tue, 14 Apr 2009 14:23:48 +0200
"Helmut Schneider"  wrote:

> Hi,
> 
> My proxy has one single GB interface and is connected to the internet
> using an E3-line (34Mb). I want to shape http traffic to 5Mb/s. How?
> 
> Something like:
> 
> altq on $extIF cbq bandwidth 100% queue { default, http_traf }
> queue default bandwidth 100% cbq(default borrow)
> queue http_traf bandwidth 5Mb cbq(borrow)
> 
> What is the correct syntax?
> 
> Thanks, Helmut
> 

This is explained (with an example you can adapt) in the PF FAQ.
http://www.openbsd.org/faq/pf/queueing.html

- Robert


Re: PF and VoIP

2005-10-29 Thread Robert Atkinson
I'd do a tcpdump and look for any rst or unreachable ports to find if
maybe the port specs are wrong for that provider.



On 10/29/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi all.
>
> First, take a greeting from Venezuela.
>
> I have an ATA VoIP (Analogue Telephone Adaptor) model HandyTone 486. I'll
> try to connect it behind my server on OpenBSD 3.7 running PF and NAT.
> Well, I think that you know what the problem is.
>
> I use SIP, so the ATA behind NAT doesn't work. I've put a few rules that I
> found at one website, the rules are:
>
> ipphone1="192.168.1.36"
> nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port
>
> # pass VoIP traffic
> pass in quick on $ext_if proto {udp,tcp} from any to any port {3478,1}
> keep state
> pass out quick on $ext_if proto {udp,tcp} from any to any port
> {3478,1} keep state
> pass in quick on $ext_if proto udp from any to any port 5060 keep state
> pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768 \
>   keep state
> pass in quick on $ext_if proto udp from any to any port 8000:8012 keep state
> pass out quick on $ext_if proto udp from any to any port 8000:8012 keep state
>
>
> So, with these rules, the ATA receives calls, and I speak and my counterpart
> hears me, but I can't hear him.
>
> Any idea? Can anybody talk on VoIP behind NAT?
>
> Thanks to all.
>
> Regards.
>
> --
> Juan J D'Alessandro M
> Coordinador General
> Grupo BSD Venezuela
> Valencia - Venezuela
>
>


Re: Load Balancing Outgoing, its possible ?

2005-10-26 Thread Robert Atkinson
https://solarflux.org/pf/


Site is slow right now, but look at the manpage for pf.conf

You can do outgoing load balancing, and avoid most user problems from
doing that.


The manuals and solarflux have plenty of examples.

HTH

On 10/25/05, Daniel Dias Gonçalves <[EMAIL PROTECTED]> wrote:
> Complicated? Is it possible?
>
>                    TELECOM
>              LOAD SHARING PER PACKET
>              /                      \
>   CISCO 2600 (6mbps)            HUAWEI (6mbps)
>   LOAD SHARING PER PACKET       LOAD SHARING PER PACKET
>   Ethernet (64.XX.XX.1/30)      Ethernet (65.XX.XX.1/30)
>            |                            |
>   XL0 (64.XX.XX.2/30)           XL1 (65.XX.XX.2/30)
>   ----------------------------------------------------
>                     FREEBSD 5.4 + PF
>   ----------------------------------------------------
>   XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
>                            |
>                         SWITCH
>          /                 |                 \
>   IP: 192.168.0.10/24   IP: 64.XX.XX.6/30   IP: 65.XX.XX.6/30
>   GW: 192.168.0.254     GW: 64.XX.XX.5      GW: 65.XX.XX.5
>   and more clients ...
>
>
> I need load balancing of outgoing traffic from:
> 192.168.0.0/24 (NAT)
> and 64.XX.XX.0/24, 65.XX.XX.0/24
>
> Is it possible to do this balancing with PF? Is there some software
> that does this? Can Zebra help me?
> Does this type of balancing cause problems with the browsing of NAT
> users or users with valid IPs?
> If it is possible, I'd like to see examples with rules.
>
> Thanks,
>
> --
> Daniel Dias Gonçalves
> DGNET Network Solutions
> [EMAIL PROTECTED]
> (37) 99824809
>
>


PF panic on spoofed internal mac

2004-11-08 Thread Robert Atkinson
Hey all, love PF, but this is the first time I've had a dump, panic or any
problems at all really.

I use an internal Squid server, transparent, and it works fine on every
other 5.3-RELEASE machine I've done.

The problem at this one location is that there are two NICs, xl0 and xl1.
The $ext_if (xl1) needs a spoofed MAC address due to old cable
settings; naturally xl0 is the int_if.

I run a pretty default setup, but no scrubbing, or other options that
deal with your first 2-3 sections. I do some standard redirects for
various protocols, and block some other ports.

When I enable transparent proxy, with squid that has been built
properly to support it, the first 2-3 hits on a webpage are fine.

After a few proxy attempts that do work, I get a panic in
pf_socket_lookup, at which point the machine will hard lock.

The solution so far, which removes all of the hard locks and even any
panics, is to remove the spoofed MAC.

This MAC was spoofed using the ifconfig xl0 ether XXX command, before
and after pf modules were loaded, or even enabled.

Any pointers? I am lucky enough to have the cable provider let us keep
the old IP, but with a new MAC. Now that I am not spoofing the MAC, PF
is running fine and smooth without a single error at all.

Now my biggest enemy is trying to cache as much of Windows Update as I can.


Re: ack and priq

2003-11-20 Thread Robert Winder

Thursday, November 20, 2003, 2:11:39 PM, Greg wrote:

> If you are using P2P, I've found that CBQ works better than priq for
> traffic management and ACKPRI. 

Why do people think I got involved in such things? Must be my
childish English ;-) But I do host some legitimate bittorrent files
every now and then.

> Here are some snippets to give you an idea or two. 

Thanks, looking into it. Probably have to do some more reading on the
tagging and labeling stuff you use. But why do you use CBQ on both the
external and internal interface, is that a requirement?

> Another few jars I owe Daniel and Co.

Not yet, walking to the ATM machine now.;-)


Re: ack and priq

2003-11-20 Thread Robert Winder

Well, I already did what you suggested but gave it another pass. To
rule out some leftovers in states or queues I rebooted and did the
suggested test again. And as I stated earlier it looks like everything
seems ok... again.

loginfo http://members.home.nl/r.winder/out

All outgoing tcp is bound to rule 46 with the queue(q_def, q_pri)
definition and again some packets are dropped. The download isn't
brought to a standstill but is seriously reduced. Is this normal
behaviour?

graph http://members.home.nl/r.winder/graphnew.gif

Not a steady http download, but the first part is a file download via
http. The second part is uploading a file via ftp and downloading a file via
http concurrently. And the third part is stopping the ftp upload again.

Did this over and over again and finally disabled queueing and ran the
test again. Interestingly enough it gave me the same results. And
this was with a pfctl -Fa before reloading the rules without queueing,
of course.

This leads me to the following questions:

* Must the connection be saturated at 100% before priq scheduling can
kick in?
* Is option ALTQ base in the kernel enough? (Last time I checked, and that
was nearly a year ago, additional options were needed to enable PRIQ.)
* Is a pass in rule with priq queueing definitions a requirement?
* Could it be that NAT or the option random_id in scrub rules
prevents priq scheduling?

Well as you can see I am getting desperate and shooting in the dark
here.  :-) Ignore the last questions if they are bogus.


 /Robert 

ack and priq

2003-11-20 Thread Robert Winder

Hi,

Yes, ack prioritizing again ;-)

For days now I have been trying to grasp the concept of priq queueing and searched
the net, manpages and archives, and to my understanding I did everything as
described.. but the ultimate goal, to prioritize empty TCP ACKs, doesn't
seem to work for me. I've seen a lot of these questions in the archives
regarding this issue but none of the given solutions seem to work for
me. Oh well, hate to ask but here it goes.

Only the relevant parts here, below are the full logs.

Cable connection 2048/128, so no PPPoE overhead. OpenBSD 3.4.

if_ext = "de0"
if_int = "rl0"    # 192.168.0.1
if_wir = "wi0"    # 10.0.0.1

altq on $if_ext priq bandwidth 128Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $if_ext from $if_int:network to any -> ($if_ext)
nat on $if_ext from $if_wir:network to any -> ($if_ext)

pass out on $if_ext inet proto tcp from ($if_ext) \
  to any flags S/SA keep state queue (q_def, q_pri)
pass out on $if_ext inet proto { udp icmp } from ($if_ext) \
  to any keep state


#pfctl -gsr
@44 pass out on de0 inet proto tcp from (de0) to any flags S/SA keep \
state queue(q_def, q_pri)
  [ Skip steps: i=48 d=48 f=61 sp=end da=50 dp=47 ]
  [ queue: qname=q_def qid=3 pqname=q_pri pqid=2 ]

---
#pfctl -gvsq
queue q_pri priority 7
  [ pkts:  11446  bytes:  618408  dropped pkts:  0 bytes:  0 ]
  [ qlength:   2/ 50 ]
  [ qid=2 ifname=de0 ifbandwidth=128Kb ]
queue q_def priq( default ) 
  [ pkts:  65035  bytes:14471431  dropped pkts: 31 bytes:  34911 ]
  [ qlength:   3/ 50 ]
  [ qid=3 ifname=de0 ifbandwidth=128Kb ]

To my understanding the queueing mechanism seems to work. When
the connection gets saturated packets are dropped when the queue
length of 50 is reached, but it doesn't seem to have any effect on
the ack prioritizing. What's going on here?

To spice it up a *bit* see rrdtool example at
http://members.home.nl/r.winder/graph.gif  and as you can see
incoming data is brought to a standstill when connection gets
saturated.

What I did so far:

*  Toggled bandwidth between 100Kb >< 128Kb
*  Enabled priq queueing on $if_int and $if_ext simultaneously
*  Tried numerous pf.conf samples obtained from the most obscure
   corners on the net where priq was supposed to work... it did not.

All to no avail. Am I expecting too much from this priq scheduling? I
hope it isn't something obvious.

If you haven't fallen asleep by now, below are the links to the logs and
pf.conf file. When more logs are needed just let me know.

http://members.home.nl/r.winder/pf.conf.priq
http://members.home.nl/r.winder/gsr

   /Robert  



Priority queue'ing on cable modem

2003-07-07 Thread Robert Banniza
Can someone tell me if this is correct? I'm on a Comcast cable modem where
the supposed upstream is 256K. Downloads are in the neighborhood of T1
(1.544M). Therefore, would I need to set queueing as so in pf.conf:

# Setup altq
altq on $ext_if priq bandwidth 230Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# For SSH access in
pass in on $ext_if inet proto tcp from $trusted to $workstation port ssh
flags S/SA keep state queue (q_def, q_pri)

# Setup downstream
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)

Any help appreciated...

Robert



Re: PF and a three-legged setup....head is spinning

2003-07-03 Thread Robert Banniza
Since I only have one public IP, can I not use proxy arp to do this? If
so, how would I enable proxy arp provided that my dmz server ip is
192.168.2.10 (MAC: 8:0:20:3a:5c:2b) and my external interface IP is
24.24.24.24 (MAC: 8:0:20:6b:1a:1b)?  Would I do this:

arp -s 192.168.2.10 8:0:20:6b:1a:1b pub

I may be way off base here.

Robert

On Thu, 3 Jul 2003, Morten Norby Larsen wrote:

> At 21:43 03/07/03, Robert Banniza wrote:
> >Thanks A LOT! So are you using NAT'ed networks on both the internal and
> >DMZ? Also, can you tell me exactly how you set up your aliases? I'm
> >assuming this:
> >
> >192.168.2.1 - is your DMZ interface card
> >1.2.3.4 - is your external interface card
> >
> >Did you create an alias on the external interface card with an IP of
> >192.168.2.1? Thanks again.
>
> Say you have a web server in the DMZ with address 192.168.2.52, and you
> want/need it NAT'ed to 1.2.3.5 on the external interface.
>
> You can do that with the following command ( = fxp0 or some such):
>
> ifconfig  inet alias 1.2.3.5 255.255.255.255
>
> You can make this persistent across boots by adding the arguments of the
> line to the file /etc/hostname.. In our thought experiment:
>
> inet alias 1.2.3.5 255.255.255.255
>
>
> Now you can use a redirect in this way:
>
> rdr on fxp0 proto tcp from any to 1.2.3.5/32 port www  -> 192.168.2.52 port
> www
>
> This should work, provided you have not blocked port 80 on fxp0. I have
> this rule to make sure there is a connection:
>
> pass in on fxp0 inet proto tcp from any to 192.168.2.52 port www keep state
>
>
> When you need to add a machine to the DMZ, you just add one new line for
> each step above.
>
> Hope this helps,
>
> Morten
>
>
> >Robert
> >
> >On Thu, 3 Jul 2003, Morten Norby Larsen wrote:
> >
> > > At 21:13 03/07/03, Robert Banniza wrote:
> > > >Any help CERTAINLY appreciated.
> > >
> > > Being a beginner as well, I have found the example pf.conf files on
> > > http://www.0xdeadbeef.info useful.
> > >
> > > Stuff even started working when I defined aliases on the external interface
> > > for the addresses NAT'ed (redirected in our configuration) to the DMZ. This
> > > was our biggest issue, actually.
> > >
> > > Good luck,
> > >
> > > Morten
> > >
> > >
> > > ---
> > > Morten Norby Larsen [EMAIL PROTECTED]
> > > Magister Ludi s.r.l.  Phone: +39 02 26 11 72 80
> > > Via Battaglia 8, I-20127 Milano, ItalyFax:   +39 02 28 46 037
> > > http://www.magisterludi.com
> > >
> > >
>
> ---
> Morten Norby Larsen [EMAIL PROTECTED]
> Magister Ludi s.r.l.  Phone: +39 02 26 11 72 80
> Via Battaglia 8, I-20127 Milano, ItalyFax:   +39 02 28 46 037
> http://www.magisterludi.com
>
>



Re: PF and a three-legged setup....head is spinning

2003-07-03 Thread Robert Banniza
Thanks A LOT! So are you using NAT'ed networks on both the internal and
DMZ? Also, can you tell me exactly how you set up your aliases? I'm
assuming this:

192.168.2.1 - is your DMZ interface card
1.2.3.4 - is your external interface card

Did you create an alias on the external interface card with an IP of
192.168.2.1? Thanks again.

Robert

On Thu, 3 Jul 2003, Morten Norby Larsen wrote:

> At 21:13 03/07/03, Robert Banniza wrote:
> >Any help CERTAINLY appreciated.
>
> Being a beginner as well, I have found the example pf.conf files on
> http://www.0xdeadbeef.info useful.
>
> Stuff even started working when I defined aliases on the external interface
> for the addresses NAT'ed (redirected in our configuration) to the DMZ. This
> was our biggest issue, actually.
>
> Good luck,
>
> Morten
>
>
> ---
> Morten Norby Larsen [EMAIL PROTECTED]
> Magister Ludi s.r.l.  Phone: +39 02 26 11 72 80
> Via Battaglia 8, I-20127 Milano, ItalyFax:   +39 02 28 46 037
> http://www.magisterludi.com
>
>



PF and a three-legged setup....head is spinning

2003-07-03 Thread Robert Banniza
OK guys,
This is my first post so I apologize if I'm in the wrong here. I have been
Googling and reading OpenBSD PF man pages for the past week trying
to understand PF and get the perfect setup. I currently have a dual-homed
setup that works great according to the simple-home setup in the PF Guide.
However, I want to use the third ethernet card in my machine to set up a
DMZ. However, I'm having issues with routing and a multitude of other
oddities. Does someone have a pf.conf for a triple-homed setup where the
internal and DMZ networks are both RFC1918 networks? All I want to allow
in and out of the DMZ are web, dns, pops, imaps, and smtp. If there is a
good 3-legged howto out there, I don't mind reading that. I'm just
confused as to whether I need to use proxy arp, or bridging. Any help
CERTAINLY appreciated.

Robert

P.S. If you would like to see my current pf.conf file, email me directly
and I'll include that.



RE: FTP server behind a NAT'ing OpenBSD firewall (reverse diff troubles)

2002-12-26 Thread Robert Schwartz
Thanks very much Daniel and Dries!  I'm sending my success
report/resolution/lessons learned to the list for archives if someone
else is in my shoes.  The reverse proxy is a great tool for certain
(non-ideal) situations that are bound to come up for random people.  It
would be nice to see this patch committed to -current :) but it's easy
enough to compile myself.

That line in inetd is now allowing incoming ftp connections.  I
don't even need to nat/binat this connection with the reverse proxy.  It
worked once I removed the binat mapping altogether.  

For PF, all you need is to allow connections with S/SA keep state to
port 21 on the ftp server.  Finally, for outgoing ftp I kept the
original line in inetd and the rdr on the $int_if and passive FTP from
windows/UNIX clients inside the firewall is working great too.

> -Original Message-
> From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, December 26, 2002 9:20 AM
> To: Robert Schwartz
> Cc: [EMAIL PROTECTED]
> Subject: Re: FTP server behind a NAT'ing OpenBSD firewall 
> (reverse diff troubles)
> 
> 
> On Thu, Dec 26, 2002 at 09:06:04AM -0800, Robert Schwartz wrote:
> 
> > I don't think I understand this.  What should the line in 
> inetd.conf 
> > read?  There aren't examples in the man page for -R and I've tried 
> > about 30 iterations so far of the syntax for that line and 
> none seem 
> > to work.
> 
> ftp stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy 
> -R 192.168.1.2
> 
> where 192.168.1.2 is the local address of your ftp server.
> 
> Verify that the firewall can itself connect to the ftp server 
> with telnet 192.168.1.2 21. If you don't get an ftp banner, 
> debug this first.
> 
> Then verify inetd is working properly by connecting to the 
> firewall port 21. You should get the same banner as in the 
> previous test. If you don't, the ftp-proxy -R line in 
> inetd.conf is not working.
> 
> If it does work, try some data connections with an ftp 
> client, as with ftp 127.0.0.1 on the firewall. Both active 
> and passive mode data connections should work.
> 
> If that works, repeat with an external ftp client. If that 
> should fail, while the previous test worked, you're blocking 
> either the control connection or the active/passive data 
> connections with filter rules.
> 
> And I suggest you do all of this with a simple pf.conf 
> without any unrelated translation rules (ftp-proxy -R does 
> NOT need an rdr rule). Once it works, extend the ruleset. If 
> ftp breaks in the process, you'll know what change broke it.
> 
> Daniel
> 
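The staged verification Daniel describes, as an added Python example (not Daniel's or OpenBSD's code): it reads the FTP greeting at each hop and stops at the first step that fails, so a broken inetd line shows up as step 2 failing while step 1 passes. The fake ftpd and the unused-port helper are constructed stand-ins so it runs offline; against real hosts pass the server's LAN address and the firewall's own address on port 21.

```python
import socket
import threading
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


def read_banner(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Connect to host:port and return the first line the server volunteers, or None
    if the connection is refused, times out, or nothing arrives (no banner = no ftpd)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return data.decode("ascii", "replace").strip() or None


def is_ftp_greeting(banner: Optional[str]) -> bool:
    """RFC 959 service-ready greeting carries reply code 220."""
    return banner is not None and banner.startswith("220")


def staged_check(server: Addr, firewall: Addr, timeout: float = 5.0) -> List[Tuple[str, bool, Optional[str]]]:
    """Daniel's first two steps in order, stopping at the first failure:
    1. from the firewall, the FTP server's control port must answer with a greeting;
    2. the firewall's own port 21 (inetd running ftp-proxy -R) must answer with the
       same greeting, which shows the proxy forwards the control connection.
    Steps 3 and 4 (data connections, then an external client) need a real FTP client."""
    results: List[Tuple[str, bool, Optional[str]]] = []
    server_banner = read_banner(*server, timeout=timeout)
    ok = is_ftp_greeting(server_banner)
    results.append(("firewall -> ftp server control port", ok, server_banner))
    if not ok:
        return results
    proxy_banner = read_banner(*firewall, timeout=timeout)
    ok = is_ftp_greeting(proxy_banner) and proxy_banner == server_banner
    results.append(("firewall port 21 via inetd ftp-proxy -R", ok, proxy_banner))
    return results


def start_fake_ftpd(greeting: bytes = b"220 fake-ftpd ready\r\n", connections: int = 4) -> Addr:
    """Constructed stand-in for the FTP server: listens on a free loopback port and sends
    one greeting per connection, serving `connections` clients before closing down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        for _ in range(connections):
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def unused_loopback_port() -> Addr:
    """Loopback address with nothing listening, standing in for a firewall whose inetd line is broken."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()


if __name__ == "__main__":
    ftpd = start_fake_ftpd()
    for step, ok, banner in staged_check(ftpd, unused_loopback_port()):
        print("ok  " if ok else "FAIL", step, "->", banner)
```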




RE: FTP server behind a NAT'ing OpenBSD firewall (reverse diff troubles)

2002-12-26 Thread Robert Schwartz
> 
> > # vi /etc/inetd.conf
> > xx.yy.zz.ww:21  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy
> 
> This doesn't look like the syntax described in the patched 
> ftp-proxy(8):
> -R address:[port]
>   Reverse proxy mode for FTP servers running behind a 
> NAT gateway.
>   In this mode, no redirection is needed.  The proxy 
> is run from
>   inetd(8) on the port that external clients connect 
> to (usually
>   21).  Control connections and passive data 
> connections are for-
>   warded to the server.
> So you should add e.g. -R 192.168.0.2.

I don't think I understand this.  What should the line in inetd.conf
read?  There aren't examples in the man page for -R and I've tried about
30 iterations so far of the syntax for that line and none seem to work.


> If you can binat, you don't need to use ftp-proxy reverse 
> mode. Reverse mode is necessary if you only have one external 
> IP address.

I've been trying this with various pass in's pass out's and rdr's.  I
cannot make ftp work.  Does anyone have a few lines from a sample
ruleset to accomplish this?  I've tried many iterations of allows and
blocks and rdrs and binats with no success.  


> 
> Can you show us your pf.conf?
> 

Here is the pf.conf I'm using at the moment for testing to make this
work:

nat on fxp0 from 10.1.1.0/24 to any -> 1.2.3.4
rdr on fxp0 proto tcp from 209.61.182.33 to 1.2.3.5 port 25 -> 10.1.1.10
port 25
binat on fxp0 from 10.1.1.10 to any -> 1.2.3.6
pass in all keep state
pass out all keep state

I've made it as simple as possible and still I cannot get to my ftp
server using the ftp-proxy in reverse mode (although I doubt now that
I'm launching it correctly from inetd) or through an active or passive ftp
client on the internet with the permissive ruleset and the binat'ing.




FTP server behind a NAT'ing OpenBSD firewall (reverse diff troubles)

2002-12-26 Thread Robert Schwartz

The problem:
OpenBSD firewall (3.2 stable up to errata005) basic 2 interface config
(DSL and LAN interfaces).
Windows ftp server inside the firewall (client cannot migrate ftp
services to the firewall or to a new host on the "dmz" since the admin
staff "needs this server like it is").

I have found and read the relevant threads leading me to believe:
1) this is in fact a Bad Idea (tm) 
2) there is a patch for ftp-proxy for reverse proxying at:
http://www.benzedrine.cx/ftp-proxy-reverse.diff

I'm doubting my method of implementing this patch:

# cd /usr/src/

# patch -p0 < ftp-proxy-reverse.diff
(relevant output included)
Patching file libexec/ftp-proxy/ftp-proxy.c using Plan A...
Hunk #1 succeeded at 126.
Hunk #2 succeeded at 137.
Hunk #3 succeeded at 918.
Hunk #4 succeeded at 965.
Hunk #5 succeeded at 999.
Hunk #6 succeeded at 1063.

Patching file libexec/ftp-proxy/util.h using Plan A...
Hunk #1 succeeded at 55.

Patching file libexec/ftp-proxy/util.c using Plan A...
Hunk #1 succeeded at 58.
Hunk #2 succeeded at 76.
Hunk #3 succeeded at 94.
Hunk #4 succeeded at 104.

Patching file libexec/ftp-proxy/ftp-proxy.8 using Plan A...
Hunk #1 succeeded at 125 (offset 6 lines).
Hmm...  Ignoring the trailing garbage.
done

At this point my old ftp-proxy and my new ftp-proxy binaries both have
the same file size (suspicious):
# ls -la /usr/libexec/ftp-proxy

(old)
-r-xr-xr-x  1 root  bin  28672 Dec 13 23:07 /usr/libexec/ftp-proxy
(new)
-r-xr-xr-x  1 root  bin  28672 Dec 25 16:36 /usr/libexec/ftp-proxy

# cd /usr/src/libexec/ftp-proxy/
# make obj
# make depend
# make
# make install

# vi /etc/inetd.conf
xx.yy.zz.ww:21  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy

xx.yy.zz.ww is an address on my external NIC that I'm binat'ing to the
FTP server

The pf.conf is, for testing purposes, just the binat rule and a pass in
all pass out all pair.

I've also tried it by forwarding the connections to an ftp-proxy on
127.0.0.1:8081 as if it were just ftp-proxy in reverse with PF.  

I cannot seem to get incoming ftp connections proxied through the PF at
all.  I can connect and authenticate, but I can't get an ls, download,
upload, etc.  Can anyone direct me to a solution for this little quandary
I have?




RE: Activating temporary rules in static pf.conf

2002-10-14 Thread Robert Schwartz

authpf?




RE: Load balancing/failover

2002-10-03 Thread Robert Schwartz

Great news!  There has been some interesting movement on the VRRP front.
I have it running at home actually and I am more than willing (and
hopefully able) to test any and all VRRP / HA solutions for firewalls
from the public domain.  I got some Dell Celeron 433's from Ye Olde Used
Compooter Shoppe for about 150$ total (with the extra NIC's) and an old
hub to share the DSL modem and a small subnet of live IP's to use on
this hub.

I'm sure you've seen the HUT project for FreeBSD freevrrpd:

http://www.bsdshell.net/hut_fvrrpd.html

and it has been ported to OpenBSD by Blake Matheny

http://www.backwatcher.com/~matheny/
this is hard to get to compile (you need gmake for it and some other
autoconf options)

It was translated to an unofficial OpenBSD port by Chris Kuethe:

http://archives.neohapsis.com/archives/openbsd/2002-07/1032.html

I'm using the source port on one gateway and the "port" on another.  The
"port" installs easily, obviously, but you end up with the same thing.

That being said, there are problems.  The original porter (Blake
Matheny) ported FreeVRRPD to OpenBSD (and his web site is down ATM) at
version .84.  This works great for load balancing and HA for web
servers, etc, but doesn't help if just 1 interface in my 8 legged
firewall fails.  Version .85b from the HUT project added the "killer
app" for firewalls:  Monitored Circuits!  Second, state information is
not maintained when it fails over :(.

So I would think that there's enough out there in the GPL area and
enough work already done so that you wouldn't need to reinvent the
wheel, just take the GPL'ed software already out there and finish the
port / actively work with Sebastien Petit (the developer of FreeVRRPD)
to keep it up to date with OpenBSD.

I see that there are some comments on the patent issue that came in
after this post.  This is very highly misunderstood by either me or
them.  The heart of the matter was re-hashed 1 times with the
OpenSSL thread on misc@.  It's pretty much the same type of license:

"Cisco retains the right to assert patent claims against any party and
any subsidiary of a party that asserts a patent it owns or controls,
either directly or indirectly, against Cisco or any of its subsidiaries
or successors in title, including the right to claim damages for any
prior use or sale of VRRP by such a party."

http://marc.theaimsgroup.com/?l=openbsd-misc&m=100758029726542&w=2

http://marc.theaimsgroup.com/?l=openbsd-misc&m=102884286900348&w=2

http://marc.theaimsgroup.com/?l=openbsd-misc&m=102902419103247&w=2

1) IANAL :) your mileage may vary, objects in the mirror are closer than
they appear.
2) The issue is not that Cisco "owns" vrrp as a concept (they don't
actually, they own various other protocols for HA that the open standard
was based on).  If Cisco "owned" it, how could it be an open protocol
with the IETF and how could Checkpoint use it flagrantly?  Finally, no
one owns "high availability" or "shared IP solutions", since every
vendor (even M$!) has some form of this somewhere in their products.
3) Cisco offered up "their" piece of the "open" protocol for free as
long as you accept their license.  This license was not in the best
interest of the OpenBSD project, but it COULD BE IN THE BEST INTEREST of
one or more OpenBSD users that care more about HA than suing CISCO (see
the last link above).
4) The OpenBSD team even had their own port of VRRPD (see the first link
in the list above), but wouldn't put it in the code base because it adds
some stealth licenses to OpenBSD. (see the first link from the archives
above).
5) There is nothing stopping people with no intention of litigation with
Cisco from making their own VRRP based on the public open standard, as
long as you promise not to sue Cisco.
6) The OpenBSD team could not distribute VRRP without poisoning the
entire license for this one use, but independently making the software
doesn't hurt anyone except people that are using it.  And the "hurt" is
that they lose their ability to sue Cisco.

So as long as it's not in the "core" distro or distributed by the "core"
team, VRRP ports violate no patents and cause no licensing problems for
OpenBSD.

If I'm wrong, please smacketh me with a clue stick.


> -Original Message-
> From: Luca Perugini [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, October 03, 2002 10:49 AM
> To: [EMAIL PROTECTED]
> Subject: R: Load balancing/failover
> 
> 
> Hi,
> I'm working on vrrp implementation on OBSD.
> My starting point was Linux vrrp implementation done by 
> Jerome Etienne and FreeBSD vrrp. I hope in 2 or 3 weeks to 
> have a "running" version of vrrpd for OBSD 3.1
> 
> In the meantime I send a patch around ifconfig and 'if' 
> files to support MAC showing and MAC setting on ethernet card.
> 
> Luk
> 
>  __
> 
>   Ing. Luca Perugini  o mailto: [EMAIL PROTECTED]
>   o
>   Oxys S.r.l. o   Mo

Support for external files in pf.conf?

2002-08-29 Thread Robert Schwartz

Is there currently support for (or plans to include support for)
external files for use in macros or in a rule? 

i.e.
NoRoute = "/etc/badips.txt"
block in log quick on $ext_if $NoRoute to any
or
pass in on $ext_if inet proto tcp from any to any
port="/etc/allowedports" keep state

The idea being that one can maintain a list of bad hosts in a file like
"badips.txt" or a list of allowed/denied ports etc. that can be created
then shared/updated to many computers or programmatically manipulated by
an IDS system or some other reporting system (dshield, black hole lists,
etc).