RE: VPN over PF..
you definitely want to read the FAQ and at very least ..

isakmpd (8) - ISAKMP/Oakley a.k.a. IKE key management daemon
isakmpd.conf (5) - configuration file for isakmpd
isakmpd.policy (5) - policy configuration file for isakmpd
ipsec (4) - IP Security Protocol
ipsecadm (8) - interface to set up IPsec
vpn (8) - configuring the system for virtual private networks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of IMS
Sent: Tuesday, May 02, 2006 1:03 PM
To: pf@benzedrine.cx
Subject: VPN over PF..

Hi all,

I'm planning to make a VPN tunnel over PF.. But now I have no idea about that thing.. Does anyone have information or an article about that thing?

Thanks so much..
Mark

Site1 -- Firewall1 -- Internet -- Firewall2 -- Site2
(Private IP)           (Tunnel)          (Private IP)
RE: keep state clarification on OpenBSD 3.9 (snapshot) Dual proc PowerEdge 1850 3 NIC
On 04/20/2006 12:57:23 PM, Prabhu Gurumurthy wrote:
> As I understand the working of the rule set that I have written (again, please correct me if I am wrong), the rule matching/allowing the inbound on DMZ should again have an outbound rule allowing it on Internet. Is this correct? Then is this what keep state does? I thought having keep state on a single rule on a specific interface, without any further rules on any other interface than necessary, would do the trick.

just leave out the $if altogether for those rules crossing multiple interfaces. i.e.

pass from $inside_someplace to $outside_someplace proto xyz keep state
RE: ATT CallVantage VoIP and pf?
have you tried looking under SIP?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Er
Sent: Friday, November 25, 2005 9:25 PM
To: pf@benzedrine.cx
Subject: ATT CallVantage VoIP and pf?

I got the VoIP adapter, a D-Link DVG-1120M, for ATT's CallVantage VoIP service and I want to put it behind the firewall (pf on OpenBSD 3.8) and do queueing, etc. I tried last night for a while but couldn't get it to work. I searched the list and found some helpful threads, but I was wondering if there's anything I have to do for this specific VoIP adapter and/or for CallVantage.
Re: rdr pass, max-src-conn
add port xyz to the end of your example

10.10.10.10 port xyz

ed wrote:
> Hello,
>
> I am having troubles with some rdr rules. How should I specify:
>
> rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
>
> with
>
> pass in on $ext_if proto tcp from any to $range port {80,3389} keep state \
>     ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global )
>
> I split the rdr pass into two separate rules,
>
> rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
> pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389}
>
> Yet this does not get tagged for the abuse_src table, and in some cases it will be tagged, but connections remain open and can be established also. (I do have a block quick drop from <abuse_src> rule too.) Can someone suggest how this should be specified so that the pass and rdr work together?
Re: help
sure, use the negation: from ! ip

[EMAIL PROTECTED] wrote:
> Hi to all
>
> I have an important question: is it possible to define a filter that has as srcaddr or dstaddr all IP addresses different from a host or a subnet?
>
> thanks
> Luca
Re: viewing packet data with tcpdump?
craSH wrote:
> tcpdump is pretty much just for inspecting the headers of packets; to capture data and entire sessions, snort would be a good tool to use. It can be run on the command line in a way similar to tcpdump and dump complete data to a pcap file for later inspection with tools such as ethereal. Generally it isn't recommended to use ethereal for sniffing/collecting data due to the possible security risks that may pose.
>
> On 6/7/05, Rick Barter [EMAIL PROTECTED] wrote:
>> I use tcpdump to trouble-shoot my firewall, set up my rules, etc. I found the -x option which dumps the packet in hex. Can I view the packet data with tcpdump or do I need to install Ethereal or something? Any help is appreciated.
>>
>> rvb

You might also check into /usr/ports/net/tcpshow. It gives you the 'snoop' type output.

cheers
Re: ranges within a table ... is it possible ?
alex wilkinson wrote:
> Hi all,
>
> Is it possible to specify a range within a table? e.g.
>
> table <itunes> const { 8000 8999 }
>
> I get a syntax error for the aforementioned table, so can anyone suggest a method for what I'm trying to achieve?
>
> Cheers
>
> - Alex

why not put the table first and the ports in the rules allowing access. why would the table care what ports you are using?
RE: help with a pf rule
you posted this on misc@ already.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jayel Villamin
Sent: December 28, 2004 11:43 AM
To: pf@benzedrine.cx
Subject: help with a pf rule

I have been looking at this tcpdump log for the last hour.

--
03:26:46.533038 192.168.1.2.1115 > 192.168.2.2.5905: S 111902708:111902708(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
--

I have 2 subnets behind my obsd firewall, 192.168.1.0/24 and 192.168.2.0/24. As can be seen in the log, I'm trying to connect (via VNC) from 192.168.1.2 to 192.168.2.2. But every time I try it, PF blocks the connection. I have tried numerous rule combos without much luck. I am not an expert with tcp internals so I would really really appreciate it if you could write the rule for me.

Thanks :)
RE: pf port knocking
change your ssh port to like 30222 or something ..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of A
Sent: December 17, 2004 12:12 AM
To: [EMAIL PROTECTED]
Subject: pf port knocking

Hey all

I am getting tired of seeing the following popping up every day (with various IPs) on my log server.

* ROOT FAILURES
jasper ssh2(pw) @221.143.156.58(3)

* User Failures
admin ssh2(pw) jasper(2)
andrew ssh2(pw) jasper(1)
angel ssh2(pw) jasper(1)
barbara ssh2(pw) jasper(1)
ben ssh2(pw) jasper(1)
betty ssh2(pw) jasper(1)
billy ssh2(pw) jasper(1)
black ssh2(pw) jasper(1)
blue ssh2(pw) jasper(1)
brandon ssh2(pw) jasper(1)
brian ssh2(pw) jasper(1)
buddy ssh2(pw) jasper(1)
carmen ssh2(pw) jasper(1)
charlie ssh2(pw) jasper(1)
daniel ssh2(pw) jasper(1)
david ssh2(pw) jasper(1)
dog ssh2(pw) jasper(1)
emily ssh2(pw) jasper(1)
eric ssh2(pw) jasper(1)
god ssh2(pw) jasper(1)
green ssh2(pw) jasper(1)
guest ssh2(pw) jasper(1)
henry ssh2(pw) jasper(1)
jane ssh2(pw) jasper(1)
jason ssh2(pw) jasper(1)
jeremy ssh2(pw) jasper(1)
joe ssh2(pw) jasper(1)
johnny ssh2(pw) jasper(1)
jordan ssh2(pw) jasper(1)
justin ssh2(pw) jasper(1)
larisa ssh2(pw) jasper(1)
lion ssh2(pw) jasper(1)
lp ssh2(pw) jasper(1)
lucy ssh2(pw) jasper(1)
magic ssh2(pw) jasper(1)
mail ssh2(pw) jasper(1)
maria ssh2(pw) jasper(1)
market ssh2(pw) jasper(1)
matthew ssh2(pw) jasper(1)
max ssh2(pw) jasper(1)
michael ssh2(pw) jasper(1)
nathan ssh2(pw) jasper(1)
nicholas ssh2(pw) jasper(1)
nicole ssh2(pw) jasper(1)
operator ssh2(pw) jasper(1)
pub ssh2(pw) jasper(1)
red ssh2(pw) jasper(1)
robin ssh2(pw) jasper(1)
rose ssh2(pw) jasper(1)
shell ssh2(pw) jasper(1)
stephen ssh2(pw) jasper(1)
steven ssh2(pw) jasper(1)
system ssh2(pw) jasper(1)
test ssh2(pw) jasper(2)
tom ssh2(pw) jasper(1)
user ssh2(pw) jasper(1)
vampire ssh2(pw) jasper(1)
william ssh2(pw) jasper(1)
yellow ssh2(pw) jasper(1)

Just script kiddies most probably.

Plus, we use public/private keys on jasper so it's not like people are going to get in that way. However, having the port wide open does give the possibility that a bug in the SSH daemon (if one pops up) could open the door for a hacker to get in. Further, jasper is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers). I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services on the internal network.

Additionally, we are about to set up a system to run a VPN between our office and some contractors. I would like that box's IP to appear offline/completely closed (until required) as well.

To sum up, apart from web, mail and domain (to specific servers), I would much prefer that every port appear closed. To achieve this, I would like to implement port knocking on the gateway firewall (runs OBSD 3.4 and pf). For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it. Here, you fire connections at a server on designated ports to instruct the firewall to open a port. So, if the firewall detects a connection on ports 14289, 32883, 1234 and 3428 (in that order), port 22 is opened for the relevant IP address.

Has anyone heard of anyone working on a portknocking daemon for OBSD/pf? There are a couple of basic setups over at www.portknocking.org but thought I would check here before attempting a port. If no work has begun, I think I will take the perl prototype script they have at portknocking.org and see what I can do for pf. I would imagine I will have to set up anchors in pf which I haven't done yet but am sure I will get my head around it. Any pointers would be appreciated! :)

I will also need to write a windows util to do the knocking for the contractors - can Perl run on a Windows machine or will I have to dust off my C compiler? :)

Andrew
RE: pf port knocking
not trying to speak for ed, but IMHO... it's dumb because any yahoo with a local account on a machine can create a listening socket on a port >= 1024. Anyone can create a socket above 1024 anyway, regardless .. this has nothing to do with ssh. If you are running a server full of users with shell access, you must have a completely different security model. If this is a gateway then ...

I don't want to beat this to death, so let me say this is my opinion. If you want to knock off most of the port pounding twits, stop allowing ssh from 'any'; filter instead by source. If you can't do that, because you MUST have access from your remote laptop, then maybe try using an ssh rule that says use OS type = my remote OS.

Cheers
Rm
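The following pf.conf fragment is an added example, not from any of the posters, in the pre-OpenBSD 4.7 syntax these threads use. It puts together the split rdr/pass with max-src-conn overload from the "rdr pass, max-src-conn" thread and the "filter ssh by source" advice from the port-knocking reply; the interface name, the allowed-source addresses and the table names are constructed, and the filter rule matches the translated internal address because pf filters after translation.

```pf
# Added example (not from the posters). Pre-4.7 pf.conf syntax as used in
# these threads; interface, allowed sources and table names are constructed.
ext_if   = "fxp0"
web_srv  = "10.10.10.10"        # internal server behind the rdr
ssh_port = "22"

# Sources allowed to reach sshd on the gateway (constructed addresses).
table <ssh_allowed> persist { 192.0.2.10, 198.51.100.0/28 }
# Sources that tripped a connection limit; filled by "overload" below.
table <abuse_src> persist

# Drop listed offenders before anything else; "quick" ends evaluation.
block in quick on $ext_if from <abuse_src>

# Translation and filtering stay separate: the implicit pass rule created
# by "rdr pass" cannot carry max-src-conn options.
rdr on $ext_if proto tcp from any to 1.2.3.4 port { 80, 3389 } -> $web_srv

# Filter rules see the packet after rdr, so match the internal address
# (matching "to 1.2.3.4" here would never fire). flags S/SA makes only the
# initial SYN create state, which is what the connection counters need.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 3389 } \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global)

# sshd on the gateway: default-deny, then allow only the listed sources
# and still rate-limit them into the same overload table.
block in on $ext_if proto tcp to ($ext_if) port $ssh_port
pass in on $ext_if proto tcp from <ssh_allowed> to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <abuse_src> flush global)

# Rm's fallback when the source cannot be pinned down: passive OS
# fingerprinting (see pf.os(5)) as an extra filter instead of "from any".
# pass in on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port $ssh_port \
#     flags S/SA keep state (max-src-conn-rate 3/30, overload <abuse_src> flush global)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and inspect what the overload rule has collected with `pfctl -t abuse_src -T show`.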