mailing list archive broken

2005-10-11 Thread Travis H.
FYI, this archive:

http://www.benzedrine.cx/pf/

Has not been archiving since 12 Apr 2005.

--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


dfd_keeper propaganda

2005-10-11 Thread Travis H.
Just letting everyone know about my cool tool for pf called dfd_keeper:

http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

The "DFD" stands for Dynamic Firewall Daemon.  It manages your firewall rules.

Basically dfd_keeper is a command shell for the firewall.  You write a
python script which calls my API and sets up your firewall rules.  It
takes care of things like getting the ordering right automagically. 
Then, your script defines allowable transformations to the firewall
rules.  For example, it can create a block rule that blocks some IP
but expires in an hour.  Finally, it binds to a socket and invokes an
event loop.  Then users may connect to it using netcat or telnet and
invoke the aforementioned transformations.  Integration with automated
systems such as snort is designed to be trivial.

It does not have any crypto or access control, so you are enjoined to
create pf rules that only permit access to the DFD port from trusted
machines.  I make mine accessible only from localhost, and leave an
ssh connection to my firewall with netcat running.  Even though I'm on
the firewall, invoking DFD commands is simpler and less error-prone
than interactively editing /etc/pf.conf and reloading rules by hand.

I am currently in the process of reviewing APIs for a pcap-based
sniffer which will listen on your WAN interface, and:

1) Detect portscans, even if your pf rules block them.
2) Perform single-packet authentication (SPA), which is an improvement
over port knocking.
3) Detect use of protocols which require listening sockets, such as
bittorrent, SIP, edonkey, gnutella, active-mode FTP, IRC DCC
operations, etc., and invoke DFD commands to set up rdr rules to point
to the client that needs them, despite being behind NAT.

Comments welcome.  The code is browsable online, and very short (1k lines).
--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Fwd: why is pass/block necessary to tag or queue?

2005-10-11 Thread Travis H.
I just found out about this list, and realized this email was more
appropriate to send here.

In a prior email, I pointed out another case of asymmetry; namely,
that rdr works on the dst IP of inbound packets, and nat works on the
src of outbound packets, but there doesn't appear to be a way to
change the src of inbound packets or the dst of outbound packets (save
for those made in the return direction of a state entry made by one of
the above transformations).


-- Forwarded message --
From: Travis H. <[EMAIL PROTECTED]>
Date: Oct 8, 2005 2:58 AM
Subject: why is pass/block necessary to tag or queue?
To: [EMAIL PROTECTED]


It'd be nice if you didn't have to alter a packet's pass/block status
when tagging for policy-based filtering or queuing.  Although it
doesn't make much sense to do anything to a packet that you're
planning on blocking, decoupling these activities makes a certain
degree of sense.

For example, you may have a "default block" rule up top, then you
assign to queues, then you do some explicit allows.  However, you
can't (to my knowledge) assign to a queue without altering the default
block rule you had up top.  You *can* solve this by re-ordering, and
putting your queueing before the default block, but then it's not
nearly as clear what your default behavior is.

Here's a contrived example using an "enqueue" rule I made up for
reasons that shall become clear.  Note that enqueue implies an outward
directionality, as you can't queue inbound packets.

# define the queues
altq blah blah..
queue high_priority blah blah...

# Default deny - comes first so everyone knows we mean business.
block all

# Assign to queues (without doing filtering)
# All UDP port 53 (rule A) and TCP port 53, 80, 119 (rule B) traffic
# is high priority
enqueue high_priority on $wan_if proto udp from any to any port 53
enqueue high_priority on $wan_if proto tcp from any to any port { 53, 80, 119 }
# All traffic from specialclient is high priority (rule C)
enqueue high_priority on $wan_if from specialclient to any

# Allow only certain traffic out
# rule X - I only let the average host do UDP to port 53 and 111 (DNS and RPC)
pass out quick on $wan_if proto udp from any to any port { 53, 111 } keep state
# rule Y - I only let the average host do TCP to port 53 and port 80
# (DNS and HTTP)
pass out quick on $wan_if proto tcp from any to any port { 53, 80 } keep state
# rule Z - I let anyone speak anything to myserver
pass out quick on $wan_if from any to myserver keep state

Put another way, sequential rules can be thought of as disjunctive normal form:

classify high priority if (A or B or C)
pass if (X or Y or Z)

Unfortunately the two are coupled, so that I must write a
pass+classify rule that operates on the conjunction (intersection):

pass and classify high priority if ((A or B or C) and (X or Y or Z))
pass and don't classify if (X or Y or Z)

Technically the last rule could also be written thusly:
pass and don't classify if ((X or Y or Z) and NOT (A or B or C))

However, that's unnecessary, since a priority assignment in the first
group of pass rules "sticks", even though the second group of pass
rules matches.

If we wished all non-high-priority traffic to be assigned to another
(non-default) queue, we'd need to do something along those lines, and
apply DeMorgan's law.

But since a series of pass rules is a disjunction, and a single rule
is essentially a conjunction of conditions, we must convert the
intersection to disjunctive normal form using the boolean distributive
law:

pass and classify high priority if ((A and X) or (A and Y) or (A and
Z) or (B and X) or (B and Y) or (B and Z) or (C and X) or (C and Y) or
(C and Z))
pass and don't classify if (X or Y or Z)

This shows us that six rules can convert to as many as twelve rules,
assuming that A, B and C are conditions on different fields in the
packet, and X, Y and Z are on different fields of the packet.  If X
and Y were both conditions on the source IP, for example, we could
represent (X or Y) as one condition in a single rule and simplify to:

pass and classify high priority if ((A and (X or Y) or (A and Z) or (B
and (X or Y)) or (B and Z) or (C and (X or Y)) or (C and Z))
pass and don't classify if (X or Y or Z)

This still leaves us with 9 rules.

You don't have to decide on a pass/block  when you decide to NAT on an
interface, or when you decide to RDR an incoming packet.  By symmetry
why should you have to decide on pass/block when tagging or queuing?

My modest proposal is the addition of two new rules, "enqueue" and
"tag".  I could easily add these to pfctl's parser (I am so glad it
uses yacc and not a hand-written recursive descent parser), but I am
not sure if changes would be required to the engine in the kernel.
Also, if there are any problems with this proposal I'd like to find
out before I've done a lot of patching. ;-)
--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
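As an added illustration of the expansion described in this post (not code from the post or from pf), the following Python script takes the post's own classification conditions A, B, C and pass conditions X, Y, Z, distributes (A or B or C) and (X or Y or Z) into a list of conjunctions as the post does by hand, and renders each surviving conjunction as a pf pass rule carrying the queue. It goes one step further than the post's abstract count: with the concrete rules, two of the nine conjunctions (A with Y, B with X) demand two different protocols at once and so can never match, and the script drops them, leaving 7 pass+queue rules plus the 3 plain pass rules. The condition representation (a dict of field to accepted values) and the macro names are assumptions for the example.

```python
# Added example: expanding coupled pass+classify rules into disjunctive
# normal form. A condition maps a packet field to the set of values it
# accepts; a field that is absent matches anything.

# Classification conditions from the post (rules A, B, C).
CLASSIFY = {
    "A": {"proto": {"udp"}, "dport": {53}},
    "B": {"proto": {"tcp"}, "dport": {53, 80, 119}},
    "C": {"src": {"specialclient"}},
}
# Pass conditions from the post (rules X, Y, Z).
PASS = {
    "X": {"proto": {"udp"}, "dport": {53, 111}},
    "Y": {"proto": {"tcp"}, "dport": {53, 80}},
    "Z": {"dst": {"myserver"}},
}


def conjoin(a, b):
    """Condition matching packets that satisfy both a and b, or None when
    no packet can (for example proto udp AND proto tcp)."""
    out = {}
    for field in set(a) | set(b):
        if field in a and field in b:
            common = a[field] & b[field]
            if not common:
                return None          # contradictory constraint: drop it
            out[field] = common
        else:
            out[field] = a.get(field, b.get(field))
    return out


def expand(classify, passes):
    """Distribute (A or B or C) and (X or Y or Z) into a list of
    (name, condition) pairs, one per satisfiable conjunction."""
    rules = []
    for cname, c in classify.items():
        for pname, p in passes.items():
            both = conjoin(c, p)
            if both is not None:
                rules.append((cname + "&" + pname, both))
    return rules


def _fmt(values):
    vals = [str(v) for v in sorted(values)]
    return vals[0] if len(vals) == 1 else "{ %s }" % ", ".join(vals)


def render(cond, queue=None):
    """Render a condition as a pf pass rule; 'queue' attaches the rule to
    an altq queue the way pf requires (no separate enqueue keyword)."""
    parts = ["pass out quick on $wan_if"]
    if "proto" in cond:
        parts.append("proto " + _fmt(cond["proto"]))
    src = _fmt(cond["src"]) if "src" in cond else "any"
    dst = _fmt(cond["dst"]) if "dst" in cond else "any"
    parts.append("from %s to %s" % (src, dst))
    if "dport" in cond:
        parts.append("port " + _fmt(cond["dport"]))
    if queue:
        parts.append("queue " + queue)
    parts.append("keep state")
    return " ".join(parts)


def coupled_ruleset():
    """The ruleset pf forces on you: one pass+queue rule per satisfiable
    conjunction, followed by the plain pass rules for everything else."""
    lines = [render(c, "high_priority") for _, c in expand(CLASSIFY, PASS)]
    lines += [render(p) for p in PASS.values()]
    return lines


if __name__ == "__main__":
    for line in coupled_ruleset():
        print(line)
```

Running it prints ten rules; the first is the A-and-X rule (`pass out quick on $wan_if proto udp from any to any port 53 queue high_priority keep state`). Because pass rules are evaluated in order, the queue assigned by an earlier matching pass rule sticks even though a later plain pass rule also matches, which is why the plain rules need no negated classification conditions.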


Re: rdr not redirecting when target is localhost

2005-10-11 Thread Travis H.
> The rewritten packet still went out on $int_if even though it was
> destined for 127.0.0.1 and routing was turned on.  However because the
> bridge interfaces had IPs, I tried a variation where instead of
> redirecting to a spamd process on 127.0.0.1, I redirected it to the
> IP of the $int_if, thinking that as the packet went out on the
> interface it would be recognised on that interface.

I was under the impression that packets destined for assigned IPs get
short-circuited by the routing subsystem and are delivered on the
loopback devices.

You had a host route for 127.0.0.1, and it ignored it?  Odd.

> This is a ridiculous hack which is completely unsatisfactory.
> I would very much appreciate if anyone who understands pf and
> knows what the heck is going on here could explain it to me.

The networking stack code is fairly readable, last time I checked.

I understand pf but not bridging and carp, so cannot help much.
--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Problem with altq cbq queuing.. please assist?

2005-10-20 Thread Travis H.
The docs say that you can't queue on an inbound packet.
Queuing doesn't make sense inbound anyway;
once you've received the packet, it has already consumed your
bandwidth, and thus queuing won't change anything.

--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf to spoof source address - is it even possible?

2005-10-20 Thread Travis H.
I'm working on a sniffer that will look for certain kinds of traffic
and invoke changes to the firewall in reaction to them.

You might wish to check out dfd_keeper for a framework for making
changes to pf rules, and I'm working on a python-based sniffer that
listens to an interface and invokes DFD commands in reaction.

It would not be as fast as making the changes in C, so may not be for
performance-demanding environments, but it is very flexible and some
of it is already written.

OpenBSD's pcap format is pretty cool, it saves all kinds of useful
information like what rule number the packet matched, what interface
it was on, etc.

Right now I've reviewed all of the pcap implementations, and I could
have a rudimentary sniffer running and invoking DFD commands by the
end of the weekend.

GOALS:
python-based sniffer that runs on OpenBSD
should be able to sniff pflog device or any other interface
should detect port knocking a la fwknop
should detect port scanning a la psad
should detect use of protocols that require port forwarding
all can be done by monitoring the WAN interface alone
should interface to dfd_keeper to trigger rule changes
ideally any module we use should exploit full features of libpcap
ideally any module we use should be OO
ideally any module we use should be written at as high a level as possible

The code is on my homepage, listed in the .sig --- look for "Dynamic
Firewall Daemon"... about 1000 lines of python.  It's really more of
an API and system than a fixed set of rules.  Also, there's an example
script in the distribution suitable for a basic NATting firewall.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Loading Files...

2005-10-20 Thread Travis H.
> >   Does packet filter allow you to load external files?  More
> > specifically, could one place macro definitions in a separate file, but
> > hook them up to pf.conf so as you reload the pf.conf file you get your
> > macros?  Thank you!

Quoting http://www.openbsd.org/faq/pf/anchors.html:

The load rule causes pfctl to populate the specified anchor by reading
rules from a text file. The load rule must be placed after the anchor
rule. Example:

anchor goodguys
load anchor goodguys from "/etc/anchor-goodguys-ssh"

To add rules to an anchor using pfctl, the following type of command
can be used:

# echo "pass in proto tcp from 192.0.2.3 to any port 22" \
   | pfctl -a goodguys -f -

> Another way is to use m4, make, or even a shell/perl script:
> #!/bin/sh
> TMP=`mktemp`
>
> for file in macros norm queue nat rules; do
>    cat /etc/pf/$file >> $TMP
> done
>
> pfctl -nf $TMP && mv $TMP /etc/pf.conf

Or you can pipe it directly, without creating a /tmp race:

cat /etc/pf/* | pfctl -nf -

I highly encourage you to script it... much more flexible.
You can create rules programmatically.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
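An added example (not from this thread) of the scripted approach: it reads the per-section fragment files named in the quoted script, concatenates them in the section order pf enforces (macros, tables, options, normalization, queueing, translation, filtering; a shell glob would give alphabetical order instead), and pipes the result straight into `pfctl -nf -` so no temporary file is involved. The directory `/etc/pf` and the fragment names come from the thread; the `tables` and `options` fragments are additions for completeness.

```python
# Added example: assemble pf.conf from fragments in pf's section order and
# feed it to pfctl on stdin (syntax check by default, load on request).
import os
import shutil
import subprocess

# Order pf expects the sections in; macros and tables are definitions and
# may come first. A glob (cat /etc/pf/*) would yield alphabetical order.
SECTION_ORDER = ("macros", "tables", "options", "norm", "queue", "nat", "rules")


def assemble_fragments(fragments):
    """fragments: dict of section name -> text. Returns the concatenated
    configuration in SECTION_ORDER. Unknown names raise; missing sections
    are simply skipped."""
    unknown = set(fragments) - set(SECTION_ORDER)
    if unknown:
        raise ValueError("unknown pf.conf section(s): %s" % ", ".join(sorted(unknown)))
    parts = []
    for name in SECTION_ORDER:
        if name in fragments:
            text = fragments[name]
            if not text.endswith("\n"):
                text += "\n"
            parts.append("# --- %s ---\n%s" % (name, text))
    return "".join(parts)


def assemble_dir(directory="/etc/pf"):
    """Read every file in `directory` whose name is a known section."""
    fragments = {}
    for name in SECTION_ORDER:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path) as fh:
                fragments[name] = fh.read()
    return assemble_fragments(fragments)


def check_with_pfctl(config_text, load=False):
    """Pipe the text to 'pfctl -nf -' (parse only) or 'pfctl -f -' (load).
    Returns pfctl's exit status, or None when pfctl is not installed."""
    if shutil.which("pfctl") is None:
        return None
    args = ["pfctl", "-f", "-"] if load else ["pfctl", "-nf", "-"]
    proc = subprocess.run(args, input=config_text, text=True, capture_output=True)
    if proc.returncode != 0:
        print(proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    import sys
    cfg = assemble_dir(sys.argv[1] if len(sys.argv) > 1 else "/etc/pf")
    sys.stdout.write(cfg)
    rc = check_with_pfctl(cfg)
    print("pfctl check:", "not installed" if rc is None else "exit status %d" % rc)
```

Only load (`load=True`) after the parse-only run succeeds; since the text never touches the filesystem, there is nothing to race on and nothing half-written for the next boot to pick up.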


Re: prioritizing acks for a windows pc

2005-10-21 Thread Travis H.
Quoting:

http://www.openbsd.org/faq/pf/queueing.html

"Note that queueing is only useful for packets in the outbound
direction. Once a packet arrives on an interface in the inbound
direction it's already too late to queue it -- it's already consumed
network bandwidth to get to the interface that just received it. The
only solution is to enable queueing on the adjacent router or, if the
host that received the packet is acting as a router, to enable
queueing on the internal interface where packets exit the router."
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: how to control outbound / upload BW in a NAT situation

2005-10-24 Thread Travis H.
> > so all of the clients
> > are basically matching to the external public IP... so
> > basically I can't individually control the upload
> > bandwidth.
>
>  for this, i use tags.  tags aren't bound to an iface, so if you


This should be in the FAQ.  I had not thought of this problem,
but it seems like it could happen enough to be in the pf doc,
perhaps under the tagging heading.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


packet filtering as a virtual machine

2005-10-24 Thread Travis H.
Has anyone thought of modeling packet filtering/translation/queueing
as a virtual machine?  I have been thinking about how to generalize
some of the current operations, and it seems to me that a virtual
machine with operations tuned for common packet judo would be a handy
unifying architecture.  I'm imagining something like the state machine
in a bpf, with the ability to match as well as alter a packet, and
modify its metadata (tag, queue, etc.)

The current operations could be easily generalized; for example,
remapping a src IP via nat becomes a "IP remap" operation, which can
work on both src or dst, both in and out, etc.  Additionally, you
could have string or regex match operations*, equal-length replacement
operations, maybe even unmatched-length replacement opcodes. 
Assigning to a queue or assigning a tag could be conditional based on
prior opcodes, separating the semantics of matching and assignment.

[*] Let's not get into a flame war over packet-by-packet string match.
 I'm well aware it won't do to TCP segments what some people want, but
we can't be worse off by having more powers, however imperfect they
may be.

Of course, tapping this power would be a challenge; the
generalizations that it suggests will tax simple config file
languages; to that end, different filter languages could spring up,
with traditional pf.conf being one of them retained for backwards
compatibility reasons and also because it's pretty good already.

We already have an example of how to code such a virtual machine in
the bpf code.  If we really want to get fancy, we can examine the
structure of more complex virtual machines such as the JVM or mono. 
There is undoubtedly a fair amount of work in this area which could be
brought to bear.

There might be some performance penalty of course, and perhaps
selection between the monolithic packet filter and a virtual machine
could be a compile-time kernel option.  However, I think the
flexibility this would allow would outstrip performance concerns; see
the quote in my signature for how I feel about performance.  In the
end, simple virtual machine programs may be able to out-perform
data-driven monolithic configs by not going through as many failed
conditionals, but that is strictly conjecture and the devil is in the
details.

One exciting advantage of adopting a virtual machine model is that we
could even implement JIT compilation for packet filter rules! 
Additionally, performing optimizing transformations on virtual machine
instructions would probably be more straightforward than on
data-driven execution of C code since the execution path is explicitly
encoded within them.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
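To make the proposal concrete, here is an added toy of the kind of machine the post has in mind (illustrative code, not from the post, bpf, or pf). Like bpf it is a straight-line program with forward-only conditional skips, so it always terminates; unlike bpf its side effects set the packet's metadata (queue, tag) separately from its verdict (pass/block). The program encodes the classification rules A, B, C and pass rules X, Y, Z from the earlier "why is pass/block necessary" post as two independent sections. Opcode names, packet field names and queue names are assumptions for the example.

```python
# Added example: a minimal packet-judgment virtual machine whose
# classification (queue/tag) and verdict (pass/block) are decoupled.

def run(program, pkt):
    """Execute `program` over `pkt` (a dict of header fields).
    Returns (verdict, metadata)."""
    meta = {"queue": None, "tag": None}
    pc = 0
    while pc < len(program):
        ins = program[pc]
        op = ins[0]
        if op == "jne":
            # ("jne", field, values, off): fall through when pkt[field] is one
            # of `values`, otherwise skip the next `off` instructions.
            # Forward jumps only, as in bpf, so the program cannot loop.
            _, field, values, off = ins
            pc += 1 if pkt.get(field) in values else 1 + off
        elif op == "queue":             # set the altq queue; no verdict yet
            meta["queue"] = ins[1]
            pc += 1
        elif op == "tag":               # set a tag; no verdict yet
            meta["tag"] = ins[1]
            pc += 1
        elif op in ("pass", "block"):   # terminal verdict, like pf's "quick"
            return op, meta
        else:
            raise ValueError("unknown opcode %r" % (op,))
    return "block", meta                # fell off the end: default deny


# Classification section (rules A, B, C): assigns the queue and falls
# through without deciding pass/block.
CLASSIFY = [
    ("jne", "proto", {"udp"}, 2),
    ("jne", "dport", {53}, 1),
    ("queue", "high_priority"),           # rule A
    ("jne", "proto", {"tcp"}, 2),
    ("jne", "dport", {53, 80, 119}, 1),
    ("queue", "high_priority"),           # rule B
    ("jne", "src", {"specialclient"}, 1),
    ("queue", "high_priority"),           # rule C
]

# Filtering section (rules X, Y, Z): verdicts only, default block at the end.
FILTER = [
    ("jne", "proto", {"udp"}, 2),
    ("jne", "dport", {53, 111}, 1),
    ("pass",),                            # rule X
    ("jne", "proto", {"tcp"}, 2),
    ("jne", "dport", {53, 80}, 1),
    ("pass",),                            # rule Y
    ("jne", "dst", {"myserver"}, 1),
    ("pass",),                            # rule Z
    ("block",),
]

PROGRAM = CLASSIFY + FILTER


def judge(pkt):
    """Convenience wrapper: run the combined program over one packet."""
    return run(PROGRAM, pkt)


if __name__ == "__main__":
    samples = [
        {"proto": "udp", "dport": 53, "src": "h1", "dst": "ns"},
        {"proto": "tcp", "dport": 119, "src": "h1", "dst": "news"},
        {"proto": "tcp", "dport": 25, "src": "h1", "dst": "myserver"},
        {"proto": "tcp", "dport": 25, "src": "specialclient", "dst": "myserver"},
    ]
    for pkt in samples:
        print(pkt, "->", judge(pkt))
```

The second sample shows the decoupling: NNTP from an ordinary host is classified high priority by rule B and then blocked by the filter section, with neither section having to know about the other. The same program could be emitted from the DNF-expanded ruleset, but here the six original rules map to six instruction groups with no cross-product.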


Re: packet filtering as a virtual machine

2005-10-25 Thread Travis H.
> They would have to have been
> really serious about protecting their patent to threaten Sun; remember
> that almost all FW1 installations (Checkpoint's cash cow) were dependent
> on solaris boxes.

Perhaps.  OTOH, if you don't protect IP, you lose it.  That is why so
many warnings about infringement get sent.  You have to, or the
evidence that you've stopped protecting it can be used against you in
a future infringement suit.

It looks like Checkpoint's patent is number 5,606,668.

http://tinyurl.com/dzhf2

Unfortunately I can't view the images from this workstation, so it's a
bit hard to follow the text.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Adding support for FTP

2005-10-25 Thread Travis H.
> http://www.enyo.de/fw/security/java-firewall/

Towards the end... RFC 3514... check the date on that RFC.
HHOS at its best.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Adding support for FTP

2005-10-25 Thread Travis H.
I am attempting to do something along these lines using a python+pcap
sniffer to watch for certain traffic, and use DFD (specifically
dfd_keeper) to make the changes to the firewall.  It will also be able
to tear down the connection when it sees it close (or after a timeout
- rules can be made with specified lifetimes):

http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

Check it out; I'd like to get some people using it and helping me make
it better.

Once I finish the sniffer, it'll be able to do SPA (single packet
authentication), blocking of malicious hosts, FTP, peer-to-peer stuff,
streaming multimedia protocols, port scan detection, etc.*  Much of
the framework is there, it just needs a sniffer program to exploit it.

There might be some delay or packet loss, but I suspect these problems
will be manageable on modern machines.

[*] There will also be a cutting-edge DoS/DDoS mitigation technique, if
everything works the way I think it will.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: packet filtering as a virtual machine

2005-10-26 Thread Travis H.
On 10/25/05, Markus Friedl <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 24, 2005 at 02:38:43AM -0500, Travis H. wrote:
> > Has anyone thought of modeling packet filtering/translation/queueing
> > as a virtual machine?
>
> BSD/OS ipfw (http://www.pix.net/software/ipfw/)

That site has some good code and links to conference papers by the way.

Looking at the filter injection points into the stacks, it looks a lot
like Linux's netfilter.  One potentially powerful change would be to
have the flow of packets through the stacks controlled by a
configurable ruleset, instead of inserting filter code at
semi-arbitrary points in the flow.  I'm not exactly sure how this
would be useful, but it strikes me as the kind of thing that could be
used in a great many ways I can't foresee.  For example, transparent
proxying would be much easier.  Perhaps you could make delivery to
sockets part of the ruleset, and give the user the ability to deliver
a packet to a socket that isn't necessarily bound to that destination
IP, with the original headers available via some socket-level
interface.  This would be similar to, but different than, creating an
"any destination" socket that is mentioned in the BSD/OS paper.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf security - is pf failsafe if config file invalid?

2005-11-14 Thread Travis H.
Lots of things in the startup scripts will fail to work or hang
indefinitely if you block outbound stuff.  I find it necessary to
allow at least outbound DNS in order for the machine to boot in
reasonable time.  Fortunately pf is pretty good about allowing
outbound but not allowing inbound connections, even for UDP.

I'm a bit unclear on how pf deals with state though.

1) On UDP keep state rules, do they allow replies from other IPs?  The
DNS spec says that servers can respond from a different IP than the
one they received the query on.

2) For UDP and TCP, does it allow ICMP replies that reference this
connection in the payload?  I seem to recall reading something that
indicated so, but exactly how does it decide?
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: "would-be-nice-to-have" feature of the parser in pfctl

2005-11-16 Thread Travis H.
I have something similar in the way dfd_keeper expands variables.

Basically it will expand a python variable to a macro if it contains
one value (that is, if the python variable is a string or singleton
list/tuple), and a list if it contains more than one (that is, if it
is a list/tuple of length two or greater).

If you reference a variable that doesn't have a value, it throws an
exception which inhibits feeding that rule to pfctl, so rules that
refer to empty values don't get rendered.

If you wish to take advantage of this, you can model your script after
static_example.py --- it is not necessary to use the whole twisted
run-time event loop if you just want a static config file.

For the code, see the URL in my sig and look for "Dynamic Firewall Daemon".
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pps or other unknown upper bound?

2005-11-22 Thread Travis H.
On 11/17/05, Kevin <[EMAIL PROTECTED]> wrote:
> On 11/17/05, Jon Hart <[EMAIL PROTECTED]> wrote:
> > The funny thing is, in my tests, despite having ~31000 source ports to
> > choose from, the client is unlucky enough most of the time and very
> > quickly manages to reuse a port.  It depends on what else the client is
> > doing, but I saw a case earlier today that after about 300 connections,
> > the source port was reused.
>
> Does Debian have random source ports?
>
> My thought is that the classic approach of using ephemeral ports
> sequentially is acting as a poor man's "least recently used" algorithm
> in choosing the source port for each new session.
>
> Depending on the implementation, source port randomization could cause
> a source port to be reused much sooner than with the "classic"
> approach.

Classic birthday attack.  If the source ports are chosen randomly, and
there are 31000 ports to choose from, one would expect to see re-use
after approximately sqrt(n), or 176 tries.

Shouldn't the client still check to see if the socket is involved in a
2MSL WAIT state, and pick another source port if it is?  Or better yet
- choose randomly from sockets not involved in WAIT states, if there
are any.  That is trickier, but not impossible.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
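An added example (not from the thread) that puts numbers on the reply: it computes the rough sqrt(n) estimate quoted above, checks it by simulation (drawing uniformly from n ports and counting draws until the first repeat), and implements the allocator the reply proposes, which picks uniformly at random only among ports that are not parked in a 2MSL wait. The 31000-port range comes from the thread; the 60-second TIME_WAIT window and the 1024 starting port are illustrative constants.

```python
# Added example: birthday-bound port reuse under random allocation, and an
# allocator that excludes ports still in TIME_WAIT.
import math
import random

EPHEMERAL = range(1024, 1024 + 31000)   # ~31000 source ports, as in the thread
MSL2 = 60.0                             # seconds a closed port sits in TIME_WAIT (illustrative)


def birthday_estimate(n):
    """sqrt(n), the rough figure in the reply: 176 for n = 31000."""
    return int(math.sqrt(n))


def draws_until_reuse(n, rng):
    """Pick ports uniformly at random; return the number of picks needed
    before one repeats."""
    seen = set()
    while True:
        port = rng.randrange(n)
        if port in seen:
            return len(seen) + 1
        seen.add(port)


def mean_draws_until_reuse(n, trials=200, seed=1):
    """Monte Carlo mean of draws_until_reuse over `trials` runs."""
    rng = random.Random(seed)
    return sum(draws_until_reuse(n, rng) for _ in range(trials)) / trials


class PortChooser:
    """Random source-port allocation that never hands out a port that is
    in use or still within its 2MSL wait."""

    def __init__(self, ports=EPHEMERAL, wait=MSL2, rng=None):
        self.free = set(ports)
        self.waiting = {}            # port -> time it leaves TIME_WAIT
        self.wait = wait
        self.rng = rng or random.Random()

    def _expire(self, now):
        for port, until in list(self.waiting.items()):
            if until <= now:
                del self.waiting[port]
                self.free.add(port)

    def choose(self, now):
        """Return a random free port, or raise if every port is busy/waiting."""
        self._expire(now)
        if not self.free:
            raise RuntimeError("no source port outside TIME_WAIT available")
        port = self.rng.choice(tuple(self.free))
        self.free.remove(port)
        return port

    def close(self, port, now):
        """Connection on `port` closed: park it for 2MSL before reuse."""
        self.waiting[port] = now + self.wait


def simulate(n_picks=300, seed=7):
    """Open n_picks connections one second apart, close each at the time it
    was opened, then draw 50 more ports at time n_picks. Returns (distinct
    ports handed out, whether any new draw reused a port still in wait)."""
    chooser = PortChooser(rng=random.Random(seed))
    ports = [chooser.choose(now=t) for t in range(n_picks)]
    for t, port in enumerate(ports):
        chooser.close(port, now=t)
    now = n_picks
    still_waiting = {ports[t] for t in range(n_picks) if t + MSL2 > now}
    draws = [chooser.choose(now=now) for _ in range(50)]
    return len(set(ports)), any(p in still_waiting for p in draws)


if __name__ == "__main__":
    print("sqrt(31000) =", birthday_estimate(31000))
    print("simulated mean draws until reuse:", mean_draws_until_reuse(31000))
    print("distinct ports, reused a waiting port:", simulate())
```

The simulated mean lands above the sqrt(n) figure, as the birthday bound is a lower-order estimate of the expectation, but the point of the reply stands: reuse comes after a couple of hundred connections, not tens of thousands. The chooser keeps the randomness while making reuse inside 2MSL impossible by construction.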


Re: spamd vs the sober worm

2005-11-30 Thread Travis H.
It looks like you forgot to sort before you uniq.

Most uniq programs I've worked with require the data to be sorted
first; they just store the last line in memory for comparisons.  Since
you've got to run sort anyway, you can use the -u flag.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Looking for program to visualize pf.conf...

2005-12-08 Thread Travis H.
It's an interesting question, but I don't fully understand what you want.

pf.conf does not define a network, it defines a ruleset.

I wanted at one point in time to make a venn diagram which showed what
packets were blocked and what packets passed, but stateful filtering
has made this difficult.  My goal was not to make it "more readable"
(I find pf.conf fairly readable) but rather to show what you were
doing in a new way so that errors would be more likely to be caught.

Part of the problem is the high dimensionality of the data; you've got
at least 5 dimensions (src port, src ip, dst port, dst ip,
protocol)... and potentially many more.

If you really want to draw network diagrams, a perl script that
outputs stuff in dot format would be pretty easy to do, but may
require tweaking for different conf files to make sure that the output
fits on one page or screen, whatever your output format is.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Lots of traffic on internal interface

2005-12-08 Thread Travis H.
No, this is completely normal; traffic to local addresses (obtained by
DNS lookup of hostname) gets routed to the loopback interface as an
optimization.  Anything which tries to connect to your hostname
instead of "localhost" will do this.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf security - is pf failsafe if config file invalid?

2005-12-08 Thread Travis H.
Catching up on very old email.

On 11/15/05, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > And if, for any reason whatsoever, pfctl fails to run? The system
> > remains wide open.
>
> Because that happens a lot
> Oh come on now, this is a fringe case if there ever was one.
> What if your default block kernel has a bug that causes it to pass all
> under some obscure circumstance?

Oh, you think *that* is a fringe case?

I once had OpenBSD come up with the LAN and WAN NICs (both same brand)
swapped, apparently because one of them received an interrupt at an
inopportune moment.  And then the name of my internal syslog server
was unfortunately also a valid domain name on the real internet, and
their syslog server was wide open, so my system started logging all
its dropped packets to their syslog server.  Also, all my network
daemons were exposed to the Internet.

I left them an apology with the logger command line tool, but I doubt
if they ever noticed.

Summary: Expect the unexpected.  I was logged in and running tcpdump
at the time, so I caught it right away.  This could be you:   :-(
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: problems with binat ruleset

2005-12-11 Thread Travis H.
I'm not sure why it's having a problem with the tables, but the
antispoof rules are actually filtering rules so you have to put them
later in the file.

They're really only syntactic sugar for filtering rules:

http://www.openbsd.org/faq/pf/filter.html#antispoof
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: excluding a port from a range

2005-12-11 Thread Travis H.
If the label keyword is something like the tag keyword, then the last
one sticks.

However, you cannot (to my knowledge) exclude a port from a range. 
You could, however, have two rules with the disjoint ranges, or
subtract the statistics of the narrow rule (matching that one port)
from the more broad rule.  Or, you could make the narrow rule come
first and use "quick" to prevent it from matching the broad rule which
follows.

It is unfortunate that such transformations will affect your rule
processing, but the two are intertwined at the moment.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: Syntax errors in pf.conf

2005-12-11 Thread Travis H.
On 12/9/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> First, does there exist a tidy-like syntax checker for the pf.conf
> file.  That would be handy.

pfctl -n

> What I'm trying to do is:
>
> rdr on $ext_if proto tcp from !, !, ! any \
> port { $tcp_services } tag INET_DMZ -> $server

I have doubts about negating tables.  This syntax is totally wrong;
you cannot specify multiple criteria by separating them with commas
(to my knowledge).  The overall form is disjunctive (OR), you are
trying to make a conjunction (AND).

Perhaps you might make use of negation inside a table, as at the end
of this page:
http://www.openbsd.org/faq/pf/tables.html

Or, you could make packets which match the first criteria have a
temporary label, and have the second rule check for that label and if
they match the second criteria they get a different temporary label,
and so on, so that you use the internal label names to chain the rules
together.

Earlier I discussed making a virtual machine to match packets so that
these conflicts of form can be resolved.  Basically the current
firewall model assumes that the rules are of a certain form, and it is
up to you to force them into that form.  A virtual machine could take
arbitrary behavior.  I know it's possible, since BSDi did it and BPF
is almost enough.  It'd also be possible to optimize the rules in
userland, before they are loaded into the kernel --- doing
optimizations in kernelspace seems dangerous to me.  In fact, I saw
just recently some work where people were uploading hand-tuned
assembly (with proofs of correctness) for matching packets in
kernelspace.

pf is not the first place where access control rules are forced into
one form or another.  In apache, there is an "order" directive that
tells us whether deny or allow rules are processed first.  This is
clearly less flexible than a virtual machine and coming up with one
for access control that can be embedded in other applications is among
my list of things to do (if keynote is insufficient, I have to look at
that in depth first).

It would be simple enough to specify arbitrary packet-classification
rules in LISP-like notation (or XML if you find LISP syntax too
simple, too terse, insufficiently arbitrary, or insufficiently
trendy).

One thing I have noted is that the pf syntax tries (and succeeds) in
disguising some of the stages of packet flow through the kernel.  That
is, some things which seem simple enough when looking at pf.conf are
difficult or impossible due to the way it's implemented in the kernel.
 This difference is especially apparent in the interaction of NAT and
filtering, and in comparison with Linux's netfilter (a/k/a iptables)
and the kernel source.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: why is pf not logging?

2005-12-11 Thread Travis H.
Also try increasing the snaplen (-s) since it looks like some of your
packets are truncated.

For example, -s 2000 should catch full packets if the underlying media
is ethernet.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


dfd_keeper now has persistence

2005-12-12 Thread Travis H.
Hey all,

It took me longer than expected but I have finished adding persistence
to dfd_keeper.  This means that firewall rules which can be turned on
or off now maintain their state across reboots.  Similarly, other
commands which maintain state will do so across reboots without any
additional work.

If anyone is interested in playing with DFD, now is a good chance to
get in early.  One exciting opportunity that hasn't been exploited yet
is to use a logwatching program to invoke DFD commands to block IPs
trying to brute-force SSH passwords or block IPs trying to exploit web
vulnerabilities (by parsing the web server error log).

Expect a release of the code to my homepage within a few days.

Scripts which use dfd_keeper will need to add one line and make slight
changes to take full advantage of the persistence features.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: stucked connection (missing rst??)

2005-12-13 Thread Travis H.
On 12/13/05, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> Insertion and
> removal of state entries is costly, if you set pf up to insert a state
> for every single SYN and remove one for every single RST, you're exposing
> yourself to a DoS attack where an attacker floods you with SYNs and
> RSTs like that.

This reminds me, one company I worked for got SYN flooded, and thus
started dropping SYNs.  So they enabled Linux SYN cookies, which
involve an MD5 computation for each SYN it receives, and that
succeeded in making the machines completely unresponsive, even to
traffic on other ports like TCP/22.  Apparently it's a bad idea to
compute MD5 in kernel space on old Linux kernels (non-preemptible) for
every SYN you receive.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


dfd_keeper now has persistence

2005-12-14 Thread Travis H.
Hiya,

DFD is the moniker I made up to describe a program that manages your
firewall rules, allowing changes to be made in them with more ease and
less chance of error than editing a text file.

dfd_keeper is the python/pf implementation that provides a
command-line style interface to your firewall rules accessible via
netcat or telnet.

I've added persistence to dfd_keeper.  This means that changes to your
firewall rules persist across reboots.  The keeper_example.py script
shows how to use the persistence and should be your guide to using
dfd_keeper.  It implements a common firewall setup -- NAT, blocking
inbound connections, etc.
Persistence was a bit trickier than I expected since I did not
consider the effects of immutability on persistence.

The supported commands include a command to block a foreign host from
communicating with your LAN, a toggle for all WAN connectivity, and
the standard helper commands; online help, showing the current
ruleset, manually syncing the ruleset with the firewall, and manually
flushing a state table entry corresponding to an IP (or IP pair, or
all entries).

Homepage:
http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

As usual, I look forward to any comments or suggestions.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-20 Thread Travis H.
Yup.  TCP is only when resolving multiple requests (e.g. when running
netstat -a).
--
http://www.lightconsulting.com/~travis/  -><- You are free... to do as
we tell you!
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-20 Thread Travis H.
On 19 Dec 2005 21:41:02 -0800, Jonathan Rogers <[EMAIL PROTECTED]> wrote:
> In any case, refer back to the original posting - the blocked packet
> from the tcpdump shown is clearly of a TCP packet (it would say "UDP"
> at the end otherwise).

It doesn't say S(YN), and I don't know what label does.

You haven't provided enough information.  Include pfctl -s all,
ifconfig -a, netstat -nr, capture with a long enough snaplen, decoded
with -v -v, and then maybe I can help.

I also assume dmz_if=xl2, but you haven't shown that here either.

This is like trying to identify a forest with one look through a
microscope.  What you show looks okay, but context matters.  Trying to
guess what might have gone wrong elsewhere is a game I don't have
patience to play.
--
http://www.lightconsulting.com/~travis/
"You are free... to do as we tell you!" -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-21 Thread Travis H.
While this tangent is interesting, if you read the OP carefully, he's
permitting his DMZ to pass DNS traffic into the firewall.

It's not clear that he's allowing it to pass into his LAN, although
that might not be so crazy (DMZ->LAN, to allow it to resolve internal
hostnames perhaps).
--
http://www.lightconsulting.com/~travis/
"You are free... to do as we tell you!" -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: analysing packets in user space process

2006-01-17 Thread Travis H.
You get a packet into pf by sending the packet.

There is no easy way to "resume processing".  Once it has been sent to
userland, processing is over.  There's nothing to resume.

If you're asking about this, you're probably out of your depth.

You might wish to look at the ftp proxy to see how that works.
--
"If I could remember the names of these particles, I would have been a botanist"
  -- Enrico Fermi -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: analysing packets in user space process

2006-01-18 Thread Travis H.
On 1/18/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> Or because IPFW on FreeBSD has divert() and IP Tables in Linux has
> netlink.  It's a logical question to ask - although a few minutes in
> the man page and a few hours groking the PF source would have been
> enough.

I don't say this to be arrogant.  pf is really good at hiding the
details of the packet path through the kernel, among other things, in
the config file.  But if you know the stack, then it becomes clear why
you can do some things (re-write dest IP on inbound packets) but not
their logical inverse (re-write dest IP on outbound packets, or
perhaps re-write source IP on inbound packets).  netfilter doesn't
have this layer of abstraction, so users have to deal with FORWARD
chains and PREROUTING and such.

Knowing what solution he wants will require knowing some of these
details, of the capabilities at each layer.

Yes, you can drop all packets and use bpf to capture them in userland,
and filter/mangle and reinject but copying a lot of data across
the userland/kernel barrier is not terribly efficient, as you've got
the crossing of protection domains, bitblits, and then you've got
latency issues since the userland process has scheduling overhead ---
we receive a packet at interrupt level, queue it for "top half"
kernel, copy it to userland, wait for userland sniffer to be
scheduled, it runs, re-injects packet at which point process reverses.
It also involves socket coding and manipulating second-class data
objects (in C anyway).  If you go this route, and it is the easiest
solution beyond ftp-proxy, I suggest writing the prototype in a HLL
with a libpcap binding.  If you know python, Impacket is the best I've
seen.  If performance isn't enough (that is, if you are dropping
unacceptable numbers of packets during load), you may have to resort
to C/C++.  C in particular has lots of ways to screw this up, and
remember that you are handling data created by remote, possibly
hostile parties.  So one input validation screwup, one buffer
overflow, and you're harming your overall security, not helping it. 
If the drop rate is still too high, pcap/bpf won't work for you.

The next solution would be changing how the kernel works.  Lots of
learning involved, lots of tedious work, lots of testing, lots of
kernel panics, probably a lot of changes to please the kernel
developers.  Many places to go wrong on this path.  Will require
extensive reading and understanding of kernel source.  Fortunately the
pf code, at least in openbsd, is remarkably clean.  You'll still need
to learn how and where the kernel does 'tings.  You might want to buy
(or borrow) the 4.4 BSD book and read the network stack stuff just to
get a big picture on where things were aeons ago, relatively speaking.
Then you'll have to read kernel code to come up to speed.

Of course the best solution, and probably the most efficient, would be
to find some underpaid kernel coder (preferably network stack stuff)
and bribe them with beer and pizza.  Or you could post a bounty on one
of the freelancecoder sites (be careful how you word it, specify how
you want it to work and that it must meet openbsd standards, and must
not be written in visual basic, php, or .NET).
--
"If I could remember the names of these particles, I would have been a botanist"
  -- Enrico Fermi -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


recommend good multiport enet card

2006-01-27 Thread Travis H.
Hey does anyone know of a good (well supported) PCI ethernet card, at
least 100Mbps, that has multiple ports (preferably four)?  I'd like to
free a few PCI slots and want something that works efficiently.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: [OT] pf and vpn

2006-01-27 Thread Travis H.
On 1/17/06, Peter <[EMAIL PROTECTED]> wrote:
> 2. What is the use of forcing IP-in-IP (-forcetunnel) when setting up an
> SA?  The vpn manpage example does this without explanation.

So that it won't use transport mode, which may be the default?

If you're setting up a vpn, you have more than one computer "visible"
at one end (or both).  You need to encapsulate the whole packet if you
are to get it to the right machine, because with transport mode it
gets delivered to the machine which decrypts/authenticates it.  So
VPNs always use tunnel mode.

I believe Schneier & co. showed that tunnel mode was sufficient, and
that it'd be simpler to just have that.  I remember reading somewhere
else that someone showed transport mode was sufficient, too.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: [OT] pf and vpn

2006-02-06 Thread Travis H.
> I've always used IPSEC in Transport mode, combined with a GIF tunnel for
> encapsulating the packets. Much easier to set up than tunnel-mode IPSEC.

I just finished setting up an IPsec tunnel, and it took me 7 hours.

Of course, this was my first time with IPsec, but still... it was very
very picky.

A hint to anyone considering it: look for a suitable example, do a
substitution on the example isakmpd.* files, and don't try to write it
yourself.  Tinker with it once you have it working, one variable at a
time.  And know routing and pf ;-)
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: ACK priority and TCP flags

2006-02-10 Thread Travis H.
On 2/7/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> > Also, what happens when a packet matches several queue assignments and
> > I'm not using the QUICK modifier in the rule?  Is it last match wins?
> > I'm migrating from ipfw which is based on first match wins.
>
> No, only the last-matching rule's queue option matters. If any other
> rules matched earlier, those rules' queue options don't matter at all.

If there is no queue option on the last match, does the previous
match's queue option still apply?  That is, is it sticky?

It would be nice if it was, so we could assign queues independently of
pass/block.

This should be in the FAQ.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


OT: VPN + default route - how?

2006-02-12 Thread Travis H.
Hey,

Sorry for the OT post, but I couldn't find a more appropriate mailing list.

I got a VPN set up but I'm wondering how to make all traffic go over
the VPN to the remote end, which is a gateway to the internet.

If I mess with my default route, my traffic stops flowing at all.

Related to this, what is the normal way of setting up static routes?

Also, is there a system for swapping out interface values, like for a
laptop that will go from a home WLAN to a wifi hotspot (which won't
use WEP keys, etc.)?
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: OT: VPN + default route - how?

2006-02-13 Thread Travis H.
On 2/12/06, jared r r spiegel <[EMAIL PROTECTED]> wrote:
>   anyway, since it's all guesses as to what your setup is, i'll
>   guess that your (usual) default gateway is on the same subnet
>   as your external iface, and that your VPN peer is not on the
>   same subnet.  in that case i would set the destination for my
>   default route to be the tunnel (assuming you're using tunnel)
>   IP of the remote host, and then a regular host route with a destination
>   of that VPN peer's regular IP and a gateway of what your default
>   gateway originally was.

Basically I've got a remote node that is directly attached to an
untrusted LAN (think metropolitan) and the firewall/gateway to the
internet/VPN peer are the same machine, also directly attached to the
LAN.

I tried setting up a network route to 0.0.0.0 mask 0.0.0.0 in
isakmpd.conf but it didn't seem to do what I wanted to.

> sudo route add

Ugh, netstart should read a file in /etc/ for them or something.

Am I the only one who fiddles with /etc/netstart?  It'd be nice if it
sourced netstart.local or something, so I didn't have to hack distro
files.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


dfd_keeper v3.1 released

2006-02-22 Thread Travis H.
So I think a number of people were confused about what DFD actually *did*.

I think this is best explained by an example.

Here is a sample transcript, bash$ is the Unix command line and
dfd_keeper> is the dfd command line.  Basically I connect up, show the
rules in the example script, block the IP address 1.2.3.4, show what
it did, then exit.

bash$ nc localhost 8007
Your wish is my command.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# Block hosts we have specified in both directions.
block in log quick on xl2 from [] to any
block out log quick on xl2 from any to []

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>help
drop_state:
Drop a particular state table entry.  Takes src and optional dst.
flush:
Flush the state table.  This is done automatically.
sync:
Synchronize the rules with pf.  This is done automatically.
show:
This command shows the active rules to the client.
help:
Show help to the user.  A command may be provided as an argument.
wan:
Switches on/off connectivity with the Internet.
For emergencies only!
block:
block [add|del] host
Block an IP from sending in data via WAN interface either direction.
XXX: Assumes it is on the remote side of that interface.
It is done.
dfd_keeper>block add 1.2.3.4
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# XXX This is what appeared by magic
# Block hosts we have specified in both directions.
block in log quick on xl2 from 1.2.3.4 to any
block out log quick on xl2 from any to 1.2.3.4

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>block add 2.3.4.5
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# Block hosts we have specified in both directions.
block in log quick on xl2 from { 1.2.3.4 2.3.4.5 } to any
block out log quick on xl2 from any to { 1.2.3.4 2.3.4.5 }

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>exit
bash$

So... this is gearing up for prime time.  I'm planning on writing a
sniffer very soon that will do stuff like properly support bittorrent
behind NAT (assuming only one client at a time) and other fun stuff
like portknocking (a/k/a single packet authentication).  Since OpenBSD
shows logged packets as appearing on a pflog interface, this is easy
to do with a libpcap-based sniffer.  Of course it is trivial to set up
snort to shun attackers (using the above block command already there
in the example script)  and logwatchers to shun people attempting to
brute-force SSH passwords.

I also have a volunteer taking over the netfilter implementation,
which makes me very happy.  Perhaps this can be rolled up into a Live!
distro for firewalls or something.

If you have any other uses for changing firewall rules dynamically,
then I'd love to hear them!  dfd_keeper can already peacefully coexist
with anchors and tables.
--
Security Guru for Hire http://ww

Re: dfd_keeper v3.1 released

2006-02-23 Thread Travis H.
Didn't notice this was to the list too.

As I said to the OP, I use asynchronous I/O; there is one
in-user-memory image of what the rules should look like, and multiple
clients are all simultaneously handled by one thread.  Commands to the
daemon are atomic, and commits to pfctl will commit the entire,
consistent, in-user-memory image.

This is all very much easier thanks to python's "twisted" library
(asynch I/O core).
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
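The `block add` transformation shown in the transcript above (no hosts, one host inline, two hosts in a `{ }` list) together with the single consistent in-memory image that this follow-up describes being committed whole, as an added Python example. This is not dfd_keeper's own code: the `RuleImage` class, the `%BLOCKED%` placeholder, the template and the use of `pfctl -f -` are assumptions made for the example; the interface name `xl2` and the addresses are taken from the transcript. Two details differ from the transcript on purpose: an empty host set renders no rule at all, and every host is validated as a public IP address before it can reach the ruleset, since a value handed to the daemon by snort or a log watcher is not trustworthy text.

```python
import ipaddress
import subprocess
from typing import List, Optional, Set

# Interface name taken from the transcript; an assumption for this example.
WAN_IF = "xl2"

# Constructed template loosely mirroring the example script's ruleset; the
# placeholder line is replaced by the generated block rules.
EXAMPLE_TEMPLATE = [
    f"nat on {WAN_IF} from xl1:network to any -> ({WAN_IF})",
    "pass quick on lo0",
    "block all",
    "# Block hosts we have specified in both directions.",
    "%BLOCKED%",
    f"pass out quick on {WAN_IF} all modulate state allow-opts",
]


def _sort_key(host: str):
    addr = ipaddress.ip_address(host)
    return (addr.version, int(addr))


def render_block_rules(hosts: Set[str], wan_if: str = WAN_IF) -> List[str]:
    """Render the pair of 'block in/out on the WAN interface' rules.

    pf list syntax is '{ a b }'; a single host needs no braces; an empty set
    yields no rule at all, since an empty list is not valid pf syntax.
    """
    if not hosts:
        return []
    ordered = sorted(hosts, key=_sort_key)
    target = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return [
        f"block in log quick on {wan_if} from {target} to any",
        f"block out log quick on {wan_if} from any to {target}",
    ]


class RuleImage:
    """One in-memory picture of the ruleset.  Each command mutates it as a
    unit, and commit() loads the whole image so pf never sees a half-applied
    change."""

    def __init__(self, template: List[str]):
        self.template = template
        self.blocked: Set[str] = set()

    def block(self, action: str, host: str) -> None:
        # Validate before the string can reach pf.conf: a value handed over by
        # snort or a log watcher must parse as an address, not arbitrary text.
        addr = ipaddress.ip_address(host.strip())  # ValueError on anything else
        if addr.is_loopback or addr.is_private:
            raise ValueError(f"refusing to block non-public address {addr}")
        if action == "add":
            self.blocked.add(str(addr))
        elif action == "del":
            self.blocked.discard(str(addr))
        else:
            raise ValueError(f"unknown block action {action!r}")

    def render(self) -> str:
        lines: List[str] = []
        for line in self.template:
            if line.strip() == "%BLOCKED%":
                lines.extend(render_block_rules(self.blocked))
            else:
                lines.append(line)
        return "\n".join(lines) + "\n"

    def commit(self, dry_run: bool = True) -> Optional[int]:
        """Load the complete image with 'pfctl -f -' (ruleset read from stdin).
        dry_run=True skips the call so the example runs on any machine."""
        if dry_run:
            return None
        proc = subprocess.run(["pfctl", "-f", "-"], input=self.render(), text=True)
        return proc.returncode


def try_block(image: RuleImage, action: str, host: str) -> bool:
    """Apply a block command, reporting False instead of raising on bad input."""
    try:
        image.block(action, host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    image = RuleImage(EXAMPLE_TEMPLATE)
    image.block("add", "1.2.3.4")
    image.block("add", "2.3.4.5")
    print(image.render())
```

Because `render()` is derived from the whole `blocked` set on every call, a command that fails validation leaves the image untouched, and the single-threaded event loop described above means no second client can observe a partially updated set between a command and its commit.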


help: network dies after some period

2006-02-24 Thread Travis H.
Hi,

When I put in some rdr rules for p2p stuff, it works for a couple of
hours, then the node becomes unresponsive.   The node has 48MB of RAM.
The following settings are in place:

set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

All other settings are default.  I had "pfctl -s state | wc -l"
running, and just before it became unresponsive, there were 2400 lines
or so, and had been decreasing from a high of 3200 or so.  At the time
it becomes unresponsive, extant ssh connections time out, new ssh
connections are rejected (perhaps by the smart switch).  I believe I
saw arps for its address going unanswered.  On the console, everything
looks fine (top shows not all memory being used, I can tcpdump, the
interfaces are up, there is nothing in dmesg or /var/log/messages
indicating a problem).  The ruleset looks fine.  I did a "pfctl -F
state" and reloaded the ruleset, and it started working again.

Anyone got any ideas what is going on, or what I can do to troubleshoot it more?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Debugging/troubleshooting rule sets.

2006-02-27 Thread Travis H.
I had a tool for ipfilter that would simulate packets hitting it, and
then make sure the reaction was the same as the last edit and the
whole thing was driven by make.

You're basically asking a similar question to "does this program do
what I want?" which is unsolvable.  Asking "does this program ever
stop?" is even unsolvable in the general case.  Basically the best
you can do is code up test cases around likely problem spots, and make
sure each of those does what you want.  But IIUC you can't even test
pf rules without real packets, the way you could with ipfilter.

I wanted something that would look at all the rules and automatically
create packets for both sides of an inequality (or all three, if it
were an equality or range) and show a venn diagram with the results,
but this became trickier to visualize with stateful matching and only
two dimensions for output.

For the most basic test, run nmap from an untrusted host.  Or visit
any of the sites that will scan your IP for you (e.g. "Shields Up!" at
grc.com).  Beyond that, there's a trillion packet creation tools (I
like scapy) but I'm afraid it's not a simple answer to implement.

Amusing firewall anecdote:
Once long ago, I had an OpenBSD firewall, and two SMC ISA ethernet
cards.  I am not sure how, perhaps a packet arrived at an inopportune
moment, but the cards autoprobed in the opposite order of normal.  I
was using a bogus internal domain name, and syslogging the blocked
packets to something like loghost.bogus.com, except that someone
registered that bogus domain name in the meantime, and their syslog
server was named loghost and so all my syslog information got sent to
them.  Also the firewall was essentially unprotected.  I was lucky to
have been on the console running tcpdump at the time, and saw syslog
stuff flowing out to the Internet, so I caught it quickly.  A reboot
fixed it and it never happened again.  I now use a bogus TLD
internally.  The end.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
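The "code up test cases around likely problem spots" approach, as an added Python example that is not the ipfilter tool mentioned above and not anything from pf itself: a small model of pf's evaluation order (every rule is consulted and the last match wins, except that a matching `quick` rule ends evaluation, and no match at all means pass) run over constructed packets with their expected decisions. The rules, interface names and addresses are made up for the example, loosely modelled on the dfd_keeper transcript earlier on the page; state tracking, NAT and the real pf grammar are deliberately out of scope. The same model illustrates the ordering question raised in the earlier post comparing pf with Apache's `order` directive.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A pf-like rule; a None field means 'any'. src/dst are CIDR strings."""
    action: str             # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """pf evaluation order: the last matching rule decides, except that a
    matching 'quick' rule stops evaluation there.  No match means pass."""
    decision = "pass"
    for rule in rules:
        if rule.matches(p):
            decision = rule.action
            if rule.quick:
                break
    return decision


def without_quick(rules: List[Rule]) -> List[Rule]:
    """The same rules with every 'quick' removed, to show what ordering alone gives."""
    return [replace(r, quick=False) for r in rules]


# Constructed ruleset: xl1 is the LAN (192.168.1.0/24, firewall at .1), xl2 the WAN.
RULESET = [
    Rule("block"),                                                                 # default deny
    Rule("block", "in", "xl2", src="1.2.3.4/32", quick=True),                      # shunned host
    Rule("pass", "in", "xl1", "tcp", dst="192.168.1.1/32", dport=22, quick=True),  # LAN ssh to firewall
    Rule("pass", "out", "xl2", quick=True),                                        # anything out the WAN
    Rule("pass", "in", "xl2", "tcp", dport=80),                                    # public web server, not quick
    Rule("block", "in", "xl2", "tcp", src="203.0.113.0/24", dport=80),             # ...except from one network
]

# Constructed test cases around the likely problem spots: (name, packet, expected).
CASES: List[Tuple[str, Packet, str]] = [
    ("lan ssh to firewall", Packet("in", "xl1", "tcp", "192.168.1.50", "192.168.1.1", 22), "pass"),
    ("lan telnet to firewall", Packet("in", "xl1", "tcp", "192.168.1.50", "192.168.1.1", 23), "block"),
    ("web from the internet", Packet("in", "xl2", "tcp", "198.51.100.7", "192.0.2.10", 80), "pass"),
    ("web from blocked net", Packet("in", "xl2", "tcp", "203.0.113.9", "192.0.2.10", 80), "block"),
    ("web from shunned host", Packet("in", "xl2", "tcp", "1.2.3.4", "192.0.2.10", 80), "block"),
    ("outbound via wan", Packet("out", "xl2", "udp", "192.0.2.10", "198.51.100.53", 53), "pass"),
    ("icmp from the internet", Packet("in", "xl2", "icmp", "198.51.100.7", "192.0.2.10"), "block"),
]


def run_cases(rules: List[Rule] = RULESET, cases=CASES) -> List[Tuple[str, str, str]]:
    """Return (name, expected, got) for every case whose decision differs from
    the expectation; an empty list means the ruleset passed its tests."""
    failures = []
    for name, packet, expected in cases:
        got = evaluate(rules, packet)
        if got != expected:
            failures.append((name, expected, got))
    return failures


if __name__ == "__main__":
    for failure in run_cases():
        print("FAIL %s: expected %s, got %s" % failure)
    print("done")
```

Running the cases against `without_quick(RULESET)` is the instructive part: the shunned host's web request is then passed, because the later non-quick web rule overrides the earlier block, which is exactly the kind of ordering surprise that makes a test harness worth having.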


Re: PF Feature request: graceful handling of non-lookupable hosts.

2006-02-27 Thread Travis H.
Peter writes:
> Putting host names in your PF config files is a practice that comes with
> warnings in large, friendly, red and flashing letters attached.

Ditto.  DNS is weak, much weaker than your firewall rules (generally).
DNSSEC helps with some of the problems, but not all, and comes with a
performance penalty (besides, hardly anyone uses it).  Strict
conformance with the RFCs weakens you significantly.  The following
article is about the resolver in XP but many of the same concerns
apply:

http://www.phrack.org/show.php?p=62&a=3

Did you know?  According to the RFCs, the DNS reply need not come from
the same IP you sent it to (think multihomed hosts, wildcarded sockets
*:53, and recv(2) not telling you what IP received the message).  Of
course this breaks pf's stateful filtering; such a response would not
match the outbound state.  This is a good illustration that there are
tradeoffs between security and availability on occasion.

> The workaround
> involves setting up a local name resolution with a cache that's
> persistent enough to survive reboots

The TTL is controlled by the authoritative name server, though.  And
what about dynamic DNS?

>  In simple configs, that would possibly mean putting the ones you need in 
> /etc/hosts,

And possibly setting "lookup file bind" in /etc/resolv.conf.

On 2/27/06, Damien Miller <[EMAIL PROTECTED]> wrote:
> On Mon, 26 Feb 2006, [EMAIL PROTECTED] wrote:
>
> > PF squawks if a hostname in any of its files is not currently
> > findable.  Is there a reasonable way to have it gracefully skip missing
> > hosts and carry on?
>
> So you firewall rules can be silently skipped during times of DNS outage
> or DoS? That doesn't sound like a very good idea.

Well, if it skipped only individual rules containing that hostname,
and you have a "default deny" firewall policy (i.e. "block all" at top
and only pass rules thereafter) then it's not such a bad idea.

> A better idea is creating your rules with tables in place of DNS names, and
> regularly updating the tables with the DNS names (e.g. out of cron).

That is a good idea.  I also have been thinking of equipping
dfd_keeper with a periodic refreshing of rules (which would force
periodic lookups to catch changes in dynamic DNS hosts).  Perhaps I
could add a feature for updating a host's IP via some command,
avoiding the use of tables.

It's unfortunate it's not as simple as looking up the IP of an
interface the way (ifname) does.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
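The cron-driven table refresh Damien suggests, as an added Python example that is not part of pf, dfd_keeper or anything posted in the thread. It resolves each name, keeps only values that parse as addresses, and builds the `pfctl -t <table> -T replace` invocation that swaps the table contents in one step; the failure mode the thread is about is handled by carrying forward the previous addresses of any name that does not resolve, so an outage or a DoS against DNS never silently shrinks the table. The resolver is injectable so the example runs offline against constructed answers; the table name `dns_hosts`, the host names and the state file path are assumptions.

```python
import ipaddress
import json
import os
import socket
import subprocess
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Assumed table name, hosts and state file for the example.
TABLE = "dns_hosts"
NAMES = ["mirror.example.net", "backup.example.net"]
STATE_FILE = "/var/db/dns_hosts.json"


def system_resolver(name: str) -> List[str]:
    """All A/AAAA answers for a name via the system resolver; [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def dict_resolver(answers: Dict[str, List[str]]) -> Resolver:
    """A resolver backed by a fixed dict, for offline use."""
    return lambda name: answers.get(name, [])


def is_address(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def refresh(names: List[str], previous: Dict[str, List[str]],
            resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """New name -> addresses map.  A name that fails to resolve keeps the
    addresses it had last run; a name that never resolved contributes none."""
    current: Dict[str, List[str]] = {}
    for name in names:
        addrs = sorted(a for a in resolve(name) if is_address(a))
        if addrs:
            current[name] = addrs
        elif name in previous:
            current[name] = previous[name]
    return current


def table_addresses(mapping: Dict[str, List[str]]) -> List[str]:
    return sorted({a for addrs in mapping.values() for a in addrs})


def pfctl_replace_command(table: str, mapping: Dict[str, List[str]]) -> List[str]:
    """argv for 'pfctl -t <table> -T replace <addr>...'."""
    return ["pfctl", "-t", table, "-T", "replace"] + table_addresses(mapping)


def load_state(path: str) -> Dict[str, List[str]]:
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_state(path: str, mapping: Dict[str, List[str]]) -> None:
    with open(path, "w") as fh:
        json.dump(mapping, fh)


def run(names: List[str] = NAMES, table: str = TABLE, state_file: str = STATE_FILE,
        resolve: Resolver = system_resolver, dry_run: bool = True) -> Tuple[Dict[str, List[str]], List[str]]:
    """One cron iteration: refresh, replace the table, remember the result."""
    mapping = refresh(names, load_state(state_file), resolve)
    cmd = pfctl_replace_command(table, mapping)
    if not dry_run and table_addresses(mapping):
        subprocess.run(cmd, check=True)   # only replace with a non-empty list
        save_state(state_file, mapping)
    return mapping, cmd


if __name__ == "__main__":
    print(" ".join(run()[1]))
```

Dynamic DNS hosts get picked up simply by running this more often than their TTL; the table replace is cheap, and the rules referencing `<dns_hosts>` never need reloading.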


Re: auto-adding bad hosts to a table

2006-03-04 Thread Travis H.
On 2/27/06, Morten Larsen <[EMAIL PROTECTED]> wrote:
> rdr pass on $ext_if proto tcp from any to ($ext_if) port {135:139, 445}
> -> 127.0.0.1 $tarpit_port
>
> pass in on lo0 proto tcp from any to 127.0.0.1 \
> port {135:139, 445} flags S/SA synproxy state \
> (max-src-conn 0, max-src-conn-rate 0/1, \
> overload  flush)

I think you overlooked the fact that the dst port is remapped to
$tarpit_port, so this wouldn't work exactly as you wrote.  In any
case, you're right, and maybe I can write a couple of scripts or
trivial little C programs for doing this kind of stuff.  I'm seeing
more and more requests for things best done in the style of the
ftp-proxy and perhaps a web page with a couple of little pf-helper
tools is in order.

So far, I can remember:
1) re-writing layer 7 content
2) blocking src IPs by adding to a table

Any others come to mind?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


example sniffers for DFD now available

2006-03-06 Thread Travis H.
Hi, the latest release of dfd_keeper, version 3.3, has a sample script
which now implements a new command, bittorrent.  This allows a client
behind NAT to receive connections from other bittorrent clients. 
Right now it simply gives this privilege for the last client to ask
for it, and assumes they are operating on ports 6881-6890.

Due to line-wrapping issues I have attached the sample sniffer, dfd_sniff.py.
It is only 89 lines long.

If you would like to discuss DFD or receive more frequent updates (I
intend to decrease the number sent here), email me and I'll put you on
a list.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


dfd_sniff script

2006-03-06 Thread Travis H.
Sorry, hit send by reflex.  Script attached.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484




Re: ping: wrote x.x.x.x 64 chars, ret=-1

2006-03-11 Thread Travis H.
Convert all your block rules to use "log", sniff on pflog0, with -e and -s 2048

That should tell you what rule is blocking the first few.

My hunch is that some kind of state is getting set up by the ICMP echo
replies, and thus future requests are being passed.

In any case, the "no route to host" suggests that it is pf that is blocking it.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


pf -> no memory buffers

2006-03-20 Thread Travis H.
Hiya,

I have a fairly complex firewall setup, and whenever I try to enable
p2p networking, it works for about a day, then the firewall goes
netdead.  Upon logging into the console, I find that everything looks
okay -- except network connections.  If I try to ping a local IP, it
says something like "no memory buffers available".  But top shows that
virtually no memory is being used (at least the conventional kind of
virtual memory).

Does anyone have an idea what is going on?  Is it a memory leak?  When
it says memory buffers, does it mean mbufs?  How do I make more, or
how do I free used ones?

Why does this only happen when doing p2p networking?  If that isn't
enabled (i.e. no rdr ports) then it will run fine for weeks.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: ftp-proxy, and one nic: oh my...

2006-03-21 Thread Travis H.
> rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

This makes inbound packets destined to port 21 on your box go to the
proxy.  But they'll be blocked because you don't have a pass rule
anywhere to allow them.

> block drop in  log quick on $extif from $privnets to any

This blocks all DHCP traffic, given that your ISP is using RFC 1918
addresses internally (10.x).  Stop trying to drop this traffic, at
least for 10/8.

> pass out quick log on $extif proto udp from ($extif) port 68 to $dhcp
> port 67 keep state
>
> pass in  quick log on $extif proto udp from ($dhcp)  port 67 to ($extif)
> port 68 keep state

That's not the best way to deal with DHCP.  Remember when you start
up, you don't have an IP, so your packets will be coming from 0.0.0.0!
And they will be sent to the local-broadcast address 255.255.255.255.
When your ISP's DHCP server responds, that will be the first "real"
address in the exchange, and that's a 10/8.

All in all, you need to just bite the bullet and put a:
pass out quick on $ext_if all keep state
somewhere in there, it will make life much easier.

The rdr rule won't do what you want.  You're trying to munge the
destination IP on an outbound packet.  rdr munges the destination IP
on inbound packets.  nat munges the source IP on outbound packets. 
Nothing pf can do does what you want.

BTW, quick rules are fine, continue to use them.  Only use non-quicks
if you can't avoid it.

PS:  Your bridging firewall will make remotely administering your
firewall difficult, if not impossible IIUC.  For example, how would
you download a program you need (answer: you can't)?  How would you
update the firewall rules (answer: on the console)?  How would you
remote-log, or keep your clock accurate, or do anything with the box? 
How would you read the email that gets sent to root (answer: console
again).  Sounds like a major PITA if you ask me.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: pf -> no memory buffers

2006-03-25 Thread Travis H.
On 3/20/06, luke <[EMAIL PROTECTED]> wrote:
> what does netstat -m say?
>

312 mbufs in use:
307 mbufs allocated to data
1 mbuf allocated to packet headers
4 mbufs allocated to socket names and addresses
307/322/6144 mbuf clusters in use (current/peak/max)
740 Kbytes allocated to network (93% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

I have a further data point; this started happening when I switched to
policy-based filtering (i.e. using tags extensively).  I also have a
few rules which only retag traffic (i.e. LAN_TO_WAN gets retagged as
PASS), which may be unusual enough to explain how other people are not
having this problem.  I'm going to experiment further.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: pf -> no memory buffers

2006-04-01 Thread Travis H.
On 3/25/06, Travis H. <[EMAIL PROTECTED]> wrote:
> I have a further data point; this started happening when I switched to
> policy-based filtering (i.e. using tags extensively).  I also have a
> few rules which only retag traffic (i.e. LAN_TO_WAN gets retagged as
> PASS), which may be unusual enough to explain how other people are not
> having this problem.  I'm going to experiment further.

On further experimentation, I am convinced there is a memory leak when
using tagging.  I would experience net death after 1-3 days of
activity.  Nothing I could do would free up any space, except for
rebooting.

When I removed the tagging and converted back from policy-based
routing, I no longer have a problem with buffer space.

Someone on the FreeBSD pf list is having the same problems.

Is anyone else using tagging extensively and _not_ having problems
with running out of kernel buffer space?  Do you do any retagging?  Do
you tag on one interface and use the tag on another?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


pf help available

2006-04-01 Thread Travis H.
Hi,

If anyone has questions about pf, or wants firewall rulesets written,
I know that not all questions get answered here, and I am short on
cash at the moment, so I am available for consulting at reasonable
rates (e.g. ~$100 for me to write you a ruleset, perhaps $25-50/hr
to grovel through the pf source or debug a malfunctioning
configuration).

I have been active in computer security for over 17 years, send me an
email if you wish to know more about my qualifications or to retain my
services.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Vonage or AT&T call Advantage behind OpenBSD firewall

2006-04-01 Thread Travis H.
On 3/16/06, info.Vision <[EMAIL PROTECTED]> wrote:
> Hello All, Anybody have Vonage or Att CallVantage working behind
> a PF openBSD NAT on a DSL or Cablemodel connection.

I've had reports of people using SIP (Vonage) with success.

You might want to set these for VoIP work:
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

> It would be nice to know. I have some cool stuff I would like to
> share with you all if anybody can / or has this situation working

Do tell.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


RST packets not being natted or unmapped through rdr

2006-04-01 Thread Travis H.
Hi,

I was examining my WAN connection the other day, and I found something strange.

I have rdr and nat rules in place for this connection; some ports are
forwarded to an internal host; and nat occurs for everything going
out.

However, I noticed that RST packets coming from the internal host were
NOT being mapped, so it was sending them from an RFC 1918 address I
use for internal hosts, and thus the RST packets were cheerfully
ignored by the other end.

Does anyone know what is going on here, and how I can elicit the
proper behavior?

Aside: What combinations of TCP flags does "scrub" filter out?

Aside: What kinds of packets are considered associated with an active
connection?  Will an ICMP unreachable pass be passed in response to a
keep state rule?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


dropped packets when queueing

2006-04-01 Thread Travis H.
Hey,

I'm having issues with queueing.  When I enable cbq, it seems like it
slows at lot of stuff down.  This would make sense if I was severely
throttling stuff, but I hardly ever reach full capacity, and each
class has "borrow".  Nevertheless, I'm seeing lots of dropped packets.


Here's a typical pfctl -s queue -v -v output:

queue root_sis0 bandwidth 500Kb priority 0 cbq( wrr root ) {streaming,
interact, std, bulk}
  [ pkts:   71842027  bytes: 9289172718  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   251.1 packets/s, 401.41Kb/s ]
queue  streaming bandwidth 10Kb priority 7 cbq( borrow )
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue  interact bandwidth 75Kb priority 6 cbq( borrow )
  [ pkts:   53910441  bytes: 3158462651  dropped pkts: 378513 bytes: 22878585 ]
  [ qlength:   4/ 50  borrows: 36857361  suspends:738 ]
  [ measured:   180.5 packets/s, 86.99Kb/s ]
queue  std bandwidth 175Kb cbq( borrow default )
  [ pkts:2951692  bytes:  391820142  dropped pkts:   2896 bytes: 379305 ]
  [ qlength:   0/ 50  borrows:  22649  suspends: 11 ]
  [ measured: 8.0 packets/s, 10.14Kb/s ]
queue  bulk bandwidth 225Kb priority 0 cbq( borrow )
  [ pkts:   14979894  bytes: 5738889925  dropped pkts: 402347 bytes: 84102069 ]
  [ qlength:   8/ 50  borrows: 6690009  suspends:244 ]
  [ measured:62.6 packets/s, 304.28Kb/s ]

Note that only low-latency ToS, and dataless acks go into interact.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
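A quick way to read output like the above, as an added example that is not from the original post or from pf itself: the script parses `pfctl -s queue -v -v`, computes each queue's drop ratio (dropped / (sent + dropped)) and borrow ratio (packets sent on bandwidth borrowed from the parent / packets sent), and flags queues whose measured rate exceeds their assigned bandwidth. The embedded sample is the output quoted in the post with the wrapped root line rejoined; the 1% drop threshold is an arbitrary assumption.

```python
import re
from dataclasses import dataclass

# pfctl prints bandwidth and rates in bits with an optional K/M/G prefix
UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+(\S+)")
PKTS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)")
MEAS_RE = re.compile(r"measured:\s*([\d.]+)\s*packets/s,\s*([\d.]+)\s*([KMG]?)b/s")

# The output quoted in the post above (root line rejoined after mail wrapping).
SAMPLE = """\
queue root_sis0 bandwidth 500Kb priority 0 cbq( wrr root ) {streaming, interact, std, bulk}
  [ pkts:   71842027  bytes: 9289172718  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured:   251.1 packets/s, 401.41Kb/s ]
queue  streaming bandwidth 10Kb priority 7 cbq( borrow )
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue  interact bandwidth 75Kb priority 6 cbq( borrow )
  [ pkts:   53910441  bytes: 3158462651  dropped pkts: 378513 bytes: 22878585 ]
  [ qlength:   4/ 50  borrows: 36857361  suspends:738 ]
  [ measured:   180.5 packets/s, 86.99Kb/s ]
queue  std bandwidth 175Kb cbq( borrow default )
  [ pkts:2951692  bytes:  391820142  dropped pkts:   2896 bytes: 379305 ]
  [ qlength:   0/ 50  borrows:  22649  suspends: 11 ]
  [ measured: 8.0 packets/s, 10.14Kb/s ]
queue  bulk bandwidth 225Kb priority 0 cbq( borrow )
  [ pkts:   14979894  bytes: 5738889925  dropped pkts: 402347 bytes: 84102069 ]
  [ qlength:   8/ 50  borrows: 6690009  suspends:244 ]
  [ measured:62.6 packets/s, 304.28Kb/s ]
"""


def to_bps(text):
    """'75Kb' -> 75000."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)b", text)
    if not m:
        raise ValueError(f"unrecognised bandwidth: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


@dataclass
class QueueStats:
    name: str
    bandwidth_bps: int
    pkts: int = 0            # packets transmitted from this queue
    dropped: int = 0         # packets this queue threw away
    qlength: int = 0         # packets queued right now
    qlimit: int = 0          # queue depth limit
    borrows: int = 0         # packets sent on bandwidth borrowed from the parent
    measured_bps: float = 0.0

    @property
    def drop_ratio(self):
        total = self.pkts + self.dropped
        return self.dropped / total if total else 0.0

    @property
    def borrow_ratio(self):
        return self.borrows / self.pkts if self.pkts else 0.0

    @property
    def over_allocation(self):
        return self.measured_bps > self.bandwidth_bps


def parse_queue_stats(text):
    """One QueueStats per 'queue ...' header; the bracketed lines fill it in."""
    queues = []
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            queues.append(QueueStats(m.group(1), to_bps(m.group(2))))
            continue
        if not queues:
            continue
        q = queues[-1]
        if m := PKTS_RE.search(line):
            q.pkts, q.dropped = int(m.group(1)), int(m.group(3))
        elif m := QLEN_RE.search(line):
            q.qlength, q.qlimit, q.borrows = int(m.group(1)), int(m.group(2)), int(m.group(3))
        elif m := MEAS_RE.search(line):
            q.measured_bps = float(m.group(2)) * UNITS[m.group(3)]
    return queues


def find_problem_queues(queues, max_drop_ratio=0.01):
    """(name, [reasons]) for queues dropping too much or running above their allocation."""
    problems = []
    for q in queues:
        reasons = []
        if q.drop_ratio > max_drop_ratio:
            reasons.append(f"drops {q.drop_ratio:.2%} of its packets")
        if q.over_allocation:
            reasons.append(f"measured {q.measured_bps / 1000:.0f}Kb/s against an assigned "
                           f"{q.bandwidth_bps / 1000:.0f}Kb ({q.borrow_ratio:.0%} of packets borrowed)")
        if reasons:
            problems.append((q.name, reasons))
    return problems


if __name__ == "__main__":
    for name, reasons in find_problem_queues(parse_queue_stats(SAMPLE)):
        print(f"{name}: " + "; ".join(reasons))
```

Run against the posted numbers it flags interact (87Kb/s measured against 75Kb assigned, 68% of its packets sent on borrowed bandwidth) and bulk (2.6% drops, 304Kb/s against 225Kb). Whatever the cause of the slowdown, a queue that lives on borrowed bandwidth and still drops is undersized relative to the traffic being classified into it, which is the first thing to check before suspecting the scheduler.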


Re: pf -> no memory buffers

2006-04-01 Thread Travis H.
On 4/1/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> If this is on OpenBSD, packet tags (see mbuf_tags(9)) are allocated with
> malloc(M_PACKET_TAGS) in m_tag_get() and show up in vmstat -m as
> 'packet tags'.
>
> A leak would show as steadily increasing 'InUse' and 'HighUse' there.

I've attached my vmstat -m output from when I was having the problems.

If anyone could tell me what is going on, I'd appreciate it.

It looks to my untrained eye that there's a lot of devbuf stuff.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
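Daniel's criterion above (a leak shows as steadily increasing use) can be checked mechanically instead of by eye. The following is an added example, not code from the thread: it parses the `netstat -m` output posted on 2006-03-25, computes mbuf-cluster utilisation against the limit, and flags a series of snapshots (oldest first) whose cluster count only ever grows or whose latest sample reports denied requests. The later snapshots used in the test are constructed to show what a leak would look like; the 80% utilisation and three-sample thresholds are assumptions.

```python
import re

# Lines of interest in "netstat -m" output, as they appear in the post; other lines are ignored.
MBUFS_RE = re.compile(r"(\d+)\s+mbufs? in use")
CLUSTERS_RE = re.compile(r"(\d+)/(\d+)/(\d+)\s+mbuf clusters in use")
KBYTES_RE = re.compile(r"(\d+)\s+Kbytes allocated to network\s+\((\d+)% in use\)")
DENIED_RE = re.compile(r"(\d+)\s+requests for memory denied")
DELAYED_RE = re.compile(r"(\d+)\s+requests for memory delayed")
DRAIN_RE = re.compile(r"(\d+)\s+calls to protocol drain routines")

# The snapshot posted on 2006-03-25.
POST_SAMPLE = """\
312 mbufs in use:
307 mbufs allocated to data
1 mbuf allocated to packet headers
4 mbufs allocated to socket names and addresses
307/322/6144 mbuf clusters in use (current/peak/max)
740 Kbytes allocated to network (93% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""


def _count(rx, text, group=1):
    m = rx.search(text)
    return int(m.group(group)) if m else 0


def parse_netstat_m(text):
    """Reduce one snapshot to the counters that matter for an exhaustion diagnosis."""
    m = CLUSTERS_RE.search(text)
    if not m:
        raise ValueError("no 'mbuf clusters in use' line found")
    cur, peak, limit = (int(x) for x in m.groups())
    return {
        "mbufs": _count(MBUFS_RE, text),
        "clusters": cur, "clusters_peak": peak, "clusters_max": limit,
        "kbytes": _count(KBYTES_RE, text), "pct_in_use": _count(KBYTES_RE, text, 2),
        "denied": _count(DENIED_RE, text), "delayed": _count(DELAYED_RE, text),
        "drain_calls": _count(DRAIN_RE, text),
    }


def cluster_utilisation(snap):
    return snap["clusters"] / snap["clusters_max"]


def assess(snapshots, util_warn=0.8, growth_min=3):
    """Reasons (possibly none) why a series of snapshots, oldest first, points at
    mbuf exhaustion or a leak."""
    reasons = []
    last = snapshots[-1]
    util = cluster_utilisation(last)
    if util >= util_warn:
        reasons.append(f"mbuf clusters at {util:.0%} of the {last['clusters_max']} limit")
    if last["denied"]:
        reasons.append(f"{last['denied']} allocation requests denied")
    counts = [s["clusters"] for s in snapshots]
    if len(counts) >= growth_min and all(a < b for a, b in zip(counts, counts[1:])):
        reasons.append(f"cluster usage only ever grew: {counts[0]} -> {counts[-1]}")
    return reasons


def constructed_snapshot(clusters, denied):
    """Constructed sample in the same layout (not real output from the poster's box),
    used to show what a leaking series looks like."""
    return (f"{clusters + 5} mbufs in use:\n"
            f"{clusters}/{max(clusters, 322)}/6144 mbuf clusters in use (current/peak/max)\n"
            f"{denied} requests for memory denied\n")


if __name__ == "__main__":
    series = [parse_netstat_m(POST_SAMPLE),
              parse_netstat_m(constructed_snapshot(1800, 0)),
              parse_netstat_m(constructed_snapshot(5900, 42))]
    print("posted snapshot:", assess(series[:1]) or "nothing suspicious")
    print("constructed leak:", assess(series))
```

The posted snapshot comes back clean (307 of 6144 clusters, nothing denied), which is consistent with Daniel pointing at malloc'd packet tags in `vmstat -m` rather than at the mbuf pool. Sampling this from cron every few minutes and keeping the last N results is enough to tell a slow leak from a burst.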




borrow on all queues

2006-04-08 Thread Travis H.
Does putting borrow on all child queues make any sense?

The way I read it, it does, so like a child queue that isn't using its
bandwidth, can be borrowed by a sibling queue, is that correct?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


contributions to pf FAQ/manpage whatever

2006-04-08 Thread Travis H.
What would be the appropriate way to submit additions to the PF FAQ
and/or pf.conf manpage?  Specifically, what is the source format,
where can I get the source (for the FAQ, I know where to get the
unformatted manpage), and to whom exactly should I send the diffs?

TIA
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: PF and label expansion limitations

2006-04-08 Thread Travis H.
I don't see why you couldn't just feed your ruleset through a
preprocessor like m4 before passing it to pfctl.  It's just text. 
Make up your own syntactic sugar.

Back in the days before pf, I used to do shell expansions along the lines of

myhost="$(hostname)"
ipf ... -f /dev/stdin <-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484




Re: pf -> no memory buffers

2006-04-08 Thread Travis H.
I removed all tagging and queueing and still had the problem.

Attached is the output of "vmstat -m" shortly before the system was rebooted.

If anyone has any troubleshooting ideas, I'm all ears.

The only other thing that has changed lately is that I'm now using one
of the Soekris 4-port PCI NICs.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484




pf wish list

2006-04-13 Thread Travis H.
Just some suggestions.

1) Lists be allowed to contain only one value, or none.  Requiring
braces when > 1 value and requiring no braces when <2 values are
present is a pain for automated rule generation and should be very
easy to implement.

2) Sticky queue assignments.  Using tags for many purposes gets klunky.

3) A neutral rule, which doesn't affect pass/block status, but allows
one to assign a queue or assign a tag or what-have-you, orthogonal to
pass/block filtering decisions.  Can be done by placing previous to
your "default deny" and other filtering rules, but makes the "default
deny" rules and such less obvious.

4) A way to specify a network(s) directly attached to an interface,
minus the IP address of the interface itself.  I may want people to be
able to talk to something on my DMZ, but I don't want them to talk to
the IP of my firewall on that DMZ network!  Can be done with tables,
but is probably simple/frequent enough that a new :suffix could be
added for it.

5) Rules symmetric to nat and rdr.  I.E., change dst IP on outbound
packets, change src IP on inbound packets.

6) A way to simulate packets hitting the filter, so that I may create
a regression-test suite for my firewall rules.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: pf -> no memory buffers

2006-04-13 Thread Travis H.
Here's a summary of my problem:

When I use p2p applications, the system runs out of buffer space. 
Network operations do not work; attempting to ping an internal host
says "no memory buffers available".  It is not clear how to free any
more space; one time I killed off everything and got the system to
work for a short period, while less drastic measures typically have no
results at all.

I have attached the "vmstat -m" output when the machine was broken...
this time with a .txt extension to make it easy to browse.  To
summarize, only devbufs seem to be allocated in any great number,
totalling 1445K.

State table entries are not great in number and dwindle after
networking becomes impossible.

Note that this machine only has approximately 100MB of RAM.  It has
but one NIC, a soekris 4-port card.  This problem persists independent
of tagging and queueing, contrary to my original statements.

What are the chances the soekris card has a memory leak, which
permanently ties up devbufs?  Is that even what uses devbufs?

Any help would be greatly appreciated, having one's firewall suddenly
go netdead and require a physical reboot from the console is quite the
annoyance.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
Memory Totals:  In Use    Free    Requests
 2114K 51K 3299971
Memory resource pool statistics
Name        Size  Requests  Fail  Releases  Pgreq  Pgrel  Npage  Hiwat  Minpg  Maxpg  Idle
extentpl  20  2220  197 1 0 1 1 0 80
phpool40  6960   12 7 0 7 7 0 80
pmappl76 31430 3112 1 0 1 1 0 80
vmsppl   220 31430 3112 3 0 3 3 0 81
vmmpepl   88   3100440   30722572 27070 0 87
vmmpekpl  88 70750 7048 1 0 1 1 0 80
aobjpl52100 1 0 1 1 0 80
amappl40   1773630   17501026 02626 0 82
bufpl116202 1 0 1 1 0 81
mbpl 256  61709730  617029055114444 1 81
mclpl   2048  18019720  1801493   254 0   254   254 4  3072   14
sockpl   204  2780  239 3 0 3 3 0 80
procpl   328 31520 3112 4 0 4 4 0 80
zombiepl  72 31120 3112 1 0 1 1 0 81
ucredpl   80 25240 2508 1 0 1 1 0 80
pgrppl24   630   41 1 0 1 1 0 80
sessionpl 48   290   10 1 0 1 1 0 80
pcredpl   24 31520 3112 1 0 1 1 0 80
lockfpl   52604 1 0 1 1 0 80
filepl481790101 2 0 2 2 0 80
fdescpl  292 31530 3112 4 0 4 4 0 81
pipepl72  8440  824 1 0 1 1 0 80
sigapl   316 31430 3112 4 0 4 4 0 81
wdcspl96 59780 5978 1 0 1 1 0 81
scxspl   128   190   19 1 0 1 1 0 81
pfiaddrpl100   9104 3 0 3 3 0 80
namei   102436742036742 1 0 1 1 0 81
vnodes   160 13100053 05353 0 80
nchpl 72 13100024 02424 0 80
ffsino   284 19320  62694 09494 0 80
dirhash 1024   750   1615 01515 0 80
pfrulepl 628  2490   7040 13940 0 88
pfstatepl268   1100530   107594   219 0   219   219 0  2000   32
pfaltqpl 128   1206 1 0 1 1 0 80
pfpooladdrpl  68   3104 1 0 1 1 0 80
pfrktable   1240704 2 0 2 2 0   3340
pfrkentry156   640   31 3 0 3 3 0  38471
pfosfpen 108 10350  69014 41010 0 80
pfosfp28  5640  376 2 0 2 2 0 80
pffrent   16101 1 0 1 1 0201
pffrag48101 1 0 1 1 0121
rtentpl  108   680   20 2 0 2 2 0 80

Re: pf wish list

2006-04-16 Thread Travis H.
On 4/13/06, Eric Pancer <[EMAIL PROTECTED]> wrote:
> On Thu, 2006-04-13 at 01:26:06 -0500, Travis H. proclaimed...
> > Just some suggestions.
>
> Sounds like you should get coding then.

I'm developing my own projects, such as DFD, which uses pf.
I can only split my time so many ways.
Maybe when time permits, I'll submit some diffs.
I'll probably start by clarifying some things in the documentation, first.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Home Network Setup

2006-04-18 Thread Travis H.
I recommend that you use the RFC1918 class B block. 172.16-32.x.x

I've seen networks that use 10/8 or 192.168/16 internally, and if you
have something like a laptop that needs to travel between your network
and others, things can get hairy when IP addresses conflict.

I've had to renumber my entire network on at least one occasion due to
conflicts with my ISP, and it's a pain.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


is there a way to say "from or to" some host?

2006-04-19 Thread Travis H.
Just curious.   tcpdump has the handy "host blah" syntax, where it
implies src or dst.

Some of my rules could be simplified with a "from or to" sort of syntax.

If it doesn't exist, I'll put it on my "to code some day" list.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


can pfctl show numeric ports instead of symbolic?

2006-04-19 Thread Travis H.
Just wondering if there's some hidden switch for dumping the rules
with numeric ports.

I personally use the nmap-services file, since it has a lot more ports
documented, but the mapping from numbers to names is N to 1: lots of
ports are named the same thing, and pfctl prints symbolic names... and
then cannot use them if I feed the data back to it, since names ->
numbers is 1 to N.

The -n flag seems ideal for this, since it is used by netstat and
other programs, and it doesn't make much sense when combined with -s
(doesn't do anything).
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


wanted: pf tool ideas

2006-04-23 Thread Travis H.
Does anyone have any ideas about tools that are desired for working with pf?
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


pf_dns_lookup: DDNS -> tables

2006-04-23 Thread Travis H.
I wrote a tool that looks up IP addresses via DNS and updates table contents.
This is a way of getting pf to coexist with dynamic DNS.

http://www.lightconsulting.com/~travis/pf_dns_lookup/pf_dns_lookup.tar.gz

Browse the script here:
http://www.lightconsulting.com/~travis/pf_dns_lookup/pf_dns_lookup/pf_dns_lookup.py
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
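A sketch of what a DDNS-to-table updater has to get right, added here as an example and not pf_dns_lookup's own code: resolve each name, diff the answers against the addresses loaded on the previous run, and emit `pfctl -t TABLE -T add` / `-T delete` for the difference only, so unchanged entries keep their statistics. The resolver is injectable so the logic can be exercised offline; the names, addresses and table name in the test are constructed. Two things a practitioner wants covered: a name that fails to resolve keeps its old addresses (a DNS outage should not empty a table that a pass rule depends on), and anything the resolver returns that is not an IP literal is dropped before it gets near pfctl's argv.

```python
import ipaddress
import socket
import subprocess


def resolve_all(name):
    """Default resolver: every address getaddrinfo returns for name (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def plan_update(names, previous, resolver=resolve_all):
    """Resolve `names` and diff against `previous`, the {name: set(addresses)}
    mapping saved from the last run.  Returns (current, adds, deletes, failed).

    A name that fails to resolve keeps its previous addresses, so a DNS outage
    leaves the table as it was instead of emptying it."""
    current, failed = {}, []
    for name in names:
        try:
            answers = resolver(name)
        except OSError:                      # socket.gaierror is an OSError
            current[name] = set(previous.get(name, set()))
            failed.append(name)
            continue
        addrs = set()
        for a in answers:
            try:
                # normalise, and drop a link-local scope id such as fe80::1%sis0
                addrs.add(str(ipaddress.ip_address(a.split("%")[0])))
            except ValueError:
                continue                     # never hand a non-address string to pfctl
        current[name] = addrs
    before = set().union(*previous.values()) if previous else set()
    after = set().union(*current.values()) if current else set()
    return current, sorted(after - before), sorted(before - after), failed


def pfctl_commands(table, adds, deletes):
    """argv lists (no shell involved) that bring the pf table in line with the diff."""
    cmds = []
    if adds:
        cmds.append(["pfctl", "-t", table, "-T", "add", *adds])
    if deletes:
        cmds.append(["pfctl", "-t", table, "-T", "delete", *deletes])
    return cmds


def sync_table(table, names, previous, resolver=resolve_all, run=subprocess.run):
    """One update cycle; returns the mapping to persist for the next run and the
    names that did not resolve this time."""
    current, adds, deletes, failed = plan_update(names, previous, resolver)
    for cmd in pfctl_commands(table, adds, deletes):
        run(cmd, check=True)
    return current, failed


if __name__ == "__main__":
    # Constructed example run: prints the commands instead of executing them.
    names = ["home.example.net", "office.example.net"]
    state, failed = sync_table("ddns_hosts", names, {}, run=lambda cmd, check: print(" ".join(cmd)))
    print("unresolved:", failed)
```

The persisted mapping should be written to disk between runs (a JSON file is enough), since the diff is only meaningful against what was actually loaded. One caveat worth stating plainly: a table fed from DNS is exactly as trustworthy as the DNS answers. If the table drives a pass rule, whoever can spoof those answers, or log into the DDNS account, can put their own address in it, so keep such tables scoped to the few ports the remote hosts actually need.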


Re: PF inadequacy: queue download

2006-05-01 Thread Travis H.

On 5/1/06, Can Erkin Acar <[EMAIL PROTECTED]> wrote:

> On Sun, Apr 30, 2006 at 08:22:51AM -0700, [EMAIL PROTECTED] wrote:
> > I don't think time spent developing PF or ALTQ could be better spent
> > developing something other than download queueing. Everyone here seems
> > to agree it's PF's worst deficiency.

I don't know about "worst deficiency", but it sounds like it could be useful.

> This might surprise you but OpenBSD does not run on requests, or polls
> or democracy. If a developer feels that such a feature is interesting/important
> and has resources to spare, then the feature will be implemented.


Well that's a way of looking at it.  Alternately, some coders may wake
up one day and wonder what they should code.  Maybe all their itches
are being scratched, but they still want to code something.  Maybe
they don't know which direction will be of the most benefit to the
community at large.  I know I personally have gotten (and implemented)
ideas from others.

For example, just today I pushed out a new distribution of
pf_dns_lookup.  This program will resolve a set of IPs or hosts, and
either print them out (to be redirected to a file) or stuff them into
a table.  This is to follow the IPs of DDNS clients.  I got the idea
from a discussion about how to handle dynamic DNS on this very list.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: authpf with time limited access?

2006-05-16 Thread Travis H.

On 5/10/06, Vas Péter <[EMAIL PROTECTED]> wrote:

> Ooops. Well, it was quick and dirty. You'd have to figure out a way to kill
> logged in users too.


This seems simple.

pfctl -k a.b.c.d

Also, I have a tool that lets you create firewall rules which "time
out" at a particular time.
It's called dfd_keeper, and available on my website (see my .sig).
Unfortunately I have not fully exploited all of pf's features such as
anchors, tables, overload, and authpf.  You can still use these things
with dfd_keeper, but it could probably make better use of them.

Using dfd_keeper, you don't really need to use authpf though.  You can
create a rule which allows access for a person, and creates it with a
certain timeout, and you execute that command from a central
accounting system.  You may have to kill the state via another
command, at least unless I implement something clever.  But you can
script all of this, and use "at" to schedule the state flush.  If
you're interested, I can put you on a very low traffic mailing list
about it.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: home network

2006-05-16 Thread Travis H.

On 5/16/06, Terry <[EMAIL PROTECTED]> wrote:

> Page 2 gives the policies/functionality I would like to have. I want
> the system to be secure but I would also like to be able to admin the
> system from the outside.


You want your cake AND you want to eat it?  Ambitious!

Mostly, there is the threat of SSH brute forcers, which is annoying
but trivial to defend against (don't let people pick dumb passwords on
any exposed box).  Occasionally, there is the chance of an SSH
pre-auth remote root vuln, but I sort of doubt it, I hear OpenSSH's
privsep is hard to beat.


> http://tyson.homeunix.org/net.pdf


Nice diagram.  It appears you like OpenBSD. :-)

I assume you are using all OpenBSD because you want a really secure
network.  Let me ask you to rethink it.  My $.02 is that a homogeneous
network will be very secure, unless the one platform you use has a
fatal flaw.  It also won't be as functional, since you can only run
software ported to that OS.  You should read the "monoculture" paper,
although some people found the metaphor and analogy misleading, I
found it to be somewhat common sense.

If I were you, I'd at least consider having one internal system that
can run Xen and/or VMWare (I honestly don't know if OpenBSD can) and
then you can at least boot other OSes to play with them.  There's a
lot of good ideas and neat things out there, and OpenBSD is not the
supreme font of them all.  Or do OpenBSD until you master it, or reach
diminishing returns, or get bored, then consider reinstalling one of
them with something else.


> I can't decide if it would be best for the firewall to be transparent
> or not.


If you're talking about bridging, then that's in direct conflict with
your desire to admin it from the outside.  The only way to admin a
bridging firewall is on the keyboard and monitor directly attached to
it.  It is also impossible to download any packages/ports, or do just
about anything other than filter/pass packets.  I find it somewhat
irritating, like cutting off my hands so that someone else can't use
them to stab me in the eye.

If you're talking about transparent proxying, be sure that your proxy
supports all the kinds of transactions.  For example, squid supports
all the HTTP transaction types that I know of, but some
message-oriented HTTP proxies (privoxy) don't support CONNECT, so some
things like streaming media won't work, and it's really irritating to
have to console into the firewall and disable that stuff, re-enable it
when you're done, etc.


> Also, the admin computer listed isn't absolutely necessary but
> I thought it might be a good way to help me admin the system from the
> outside.


In what way?  If you're outside, you're not on the admin box.
Chaining to the admin box and back to the firewall box... it's not
clear what problem that solves that connecting directly to the
firewall doesn't.


> Also, I'm still looking into learning how to use the Linksys WRT54G in
> "bridge mode." As I understand it, I will need to do this.


I don't see why.  It can operate as a router just fine.  However, the
stock firmware really isn't designed to do what you're trying to do.
Consider installing OpenWRT or dd-WRT:

http://openwrt.org/
http://www.dd-wrt.com/dd-wrtv2/index.php

Note that by default in the stock firmware, the LAN ports are bridged
together already.  I am not sure if the WAN port is bridged or not.  I
wanted my LAN to be able to connect to the administrative web
interface, and to be the network uplink, but had trouble doing both.
I ended up putting in routes for 1/1 and 128/1 to get all the traffic
routed where I wanted, but a simpler solution is to turn the web
interface on for the WAN port.  If you ever need to reset the WRT to
factory defaults you'll need to be on the LAN port again, because the
WAN port doesn't have the web interface enabled by default.

And oh yeah, don't use 192.168.0/24 for your internal network.  Pick
something rare, like one of the RFC 1918 "class B" blocks, because the
WRT uses 192.168.0/24 and some cable ISPs use 10/8 internally.  Save
yourself a lot of trouble and pick something relatively unique.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: home network

2006-05-19 Thread Travis H.

> > Just plug one of the LAN ports into your existing network and leave
> > the WAN unused.  Turn off the DHCP server and give the linksys device
> > a proper IP on your network.  The stock firmware supports this.  This
> > is how I am bridging the wireless linksys network to my wired lan.
>
> It works. ;) Thanks for the tip. Now, when I get my wireless nic
> tomorrow, I'll see how the wireless part works.



Really?  I found that my traffic to the internet wasn't getting routed
when I did this.

Hmm.  I'll have to try again.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: home network

2006-05-19 Thread Travis H.

On 5/19/06, Travis H. <[EMAIL PROTECTED]> wrote:

> > Just plug one of the LAN ports into your existing network and leave
> > the WAN unused.
> Really?  I found that my traffic to the internet wasn't getting routed
> when I did this.


Oh... yeah, it has to have an IP on my LAN... which is not 192.168.1/24.

So now I have to do NAT on that interface to talk to the web console,
or set pf up as a bridge on that interface.  Hrml.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Logging (lack of), driving me nuts

2006-05-19 Thread Travis H.

On 5/18/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> > set skip on lo0
> > set skip on $pfsync_if    # might not want this
>
> These two lines don't add up, the second one replaces the first,
> so lo0 is not really skipped. Use a single set skip line, listing
> all interfaces to be skipped at once.


Ah, that should be in the PF docs.
I was doing the same thing with lo0 and enc0.


> antispoof after a default block is superfluous. It expands to non-quick
> block rules. Any packet that could possibly match them has already
> matched your default block rule above.
>
> The expanded rules also don't have the 'log' option. Try and remove the
> antispoof line and reproduce.


I noticed that one can do "log antispoof on ..."

Perhaps a quick option is also merited?

I'm adding this to my wish list, maybe one day I'll get around to
creating a diff against the PF FAQ and/or code.  In the mean time, if
anyone comes across stuff that they feel should really go in the FAQ,
you can send me a quick note and I'll put it in with my set of
changes.

NOTE: I'm not the FAQ maintainer, just a pf enthusiast, short on time
but willing to do the work when time permits.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Logging (lack of), driving me nuts

2006-05-19 Thread Travis H.

On 5/19/06, Travis H. <[EMAIL PROTECTED]> wrote:

> On 5/18/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> > > set skip on lo0
> > > set skip on $pfsync_if    # might not want this
> >
> > These two lines don't add up, the second one replaces the first,
> > so lo0 is not really skipped. Use a single set skip line, listing
> > all interfaces to be skipped at once.
>
> Ah, that should be in the PF docs.
> I was doing the same thing with lo0 and enc0.


No, OP was right after all.


set skip on interface
   Skip all PF processing on interface. This can be useful on loopback
   interfaces where filtering, normalization, queueing, etc, are not
   required. This option can be used multiple times. By default this option
   is not set.

I tried various ways of specifying two interfaces on that line... it
doesn't work.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Logging (lack of), driving me nuts

2006-05-26 Thread Travis H.

On 5/21/06, Magne J. Andreassen <[EMAIL PROTECTED]> wrote:

> set skip on { lo sis0 }


Well I'll be... somehow I didn't try that.
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: Borrow isn't borrowing much

2006-05-29 Thread Travis H.

On 5/28/06, Karl O. Pinc <[EMAIL PROTECTED]> wrote:

> Is this the right place to ask this question?


Yes.


> Is this the way it's supposed to work or am I missing something here?
> (I'd be happy to supply pf.conf but AFAIK the queue layout is all
> that's relevant.  Some of my rules are just "pass on $if" rather
> than "pass in on $if", could that possibly make the outbound
> traffic affect the bandwidth computations borrow uses??)


This is a misunderstanding based on the #1 FAQ.

Queues are _only_ on outbound traffic.

Queuing on inbound makes little sense, as the packets have already
crossed the wire, so there's not much impact on the bottleneck (the
wire) by dropping or reordering them once you've received them.
Processing the packet is fast by comparison.
--
Scientia Est Potentia
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: blocking on scan attempts

2006-06-27 Thread Travis H.

On 6/27/06, Darrin Chandler <[EMAIL PROTECTED]> wrote:

> > I've been through the documentation and this mailing list.  Is there
> > another way to add IP addresses to a table directly using a rule in
> > pf.conf?  I can see the little bastards coming and I'd like to cut them
> > off as quickly as possible.
>
> I'm not sure about the archives here, but this comes up every few months
> on [EMAIL PROTECTED]


See my article on open-source active response:
http://www.lightconsulting.com/~travis/active_response.pdf
There's some discussion there as to the wisdom of this, since scans
are trivially spoofed, it could lead to a DoS.

I have been beset with system administration issues, but I intend to
finish up my sniffer that will detect stuff like this and trigger DFD
rule changes.  However, scan detection is going to be one of the last
features I'll encode.

BTW: I'll be making OpenBSD ports to make dfd_keeper easier to
install.
--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
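Both the time-limited access question (2006-05-16, where `pfctl -k` is suggested for lapsed logins) and the scan-blocking question above come down to the same mechanism: put an address in a table for a limited time, take it out again when the time is up, and kill its states so the change actually bites. The class below is an added example of that mechanism, not dfd_keeper's code and not from the thread. It records a deadline per address, emits `pfctl -t TABLE -T add` / `-T delete` and `pfctl -k ADDR` through an injectable runner (so the test runs offline), and refuses to add addresses inside a protected set, which is the guard the spoofed-scan concern calls for: a forged SYN from your own gateway's address must not be able to land the gateway in a block table. Table and address values in the test are constructed.

```python
import ipaddress
import subprocess
import time


class TimedTable:
    """Addresses added to a pf table for a limited time.

    add() puts an address in the table with a deadline; expire() removes the
    overdue ones and kills their states, so neither a lapsed access grant nor
    an old block lives on through connections that are already established.
    Addresses inside `protected` networks are refused outright."""

    def __init__(self, table, protected=(), run=subprocess.run, now=time.time):
        self.table = table
        self.protected = [ipaddress.ip_network(p, strict=False) for p in protected]
        self.deadlines = {}          # address -> unix time at which it expires
        self._run, self._now = run, now

    def is_protected(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.protected)

    def add(self, addr, ttl):
        """Add addr for ttl seconds.  Re-adding extends the deadline, never shortens it.
        Returns False when the address is protected and nothing was done."""
        ip = str(ipaddress.ip_address(addr))          # ValueError on anything that is not an address
        if self.is_protected(ip):
            return False
        self.deadlines[ip] = max(self._now() + ttl, self.deadlines.get(ip, 0))
        self._run(["pfctl", "-t", self.table, "-T", "add", ip], check=True)
        return True

    def expire(self):
        """Remove every overdue address and kill the states it originated; returns them."""
        now = self._now()
        overdue = sorted(a for a, t in self.deadlines.items() if t <= now)
        if overdue:
            self._run(["pfctl", "-t", self.table, "-T", "delete", *overdue], check=True)
            for ip in overdue:
                self._run(["pfctl", "-k", ip], check=True)   # states from ip, as in the post above
                del self.deadlines[ip]
        return overdue

    def remaining(self, addr):
        """Seconds left for addr, or None if it is not in the table."""
        t = self.deadlines.get(str(ipaddress.ip_address(addr)))
        return None if t is None else max(0.0, t - self._now())


if __name__ == "__main__":
    # Constructed dry run: print the pfctl commands instead of executing them.
    table = TimedTable("scanners", protected=["192.0.2.0/24"],
                       run=lambda cmd, check: print(" ".join(cmd)))
    table.add("203.0.113.9", ttl=3600)
    print("refused:", not table.add("192.0.2.1", ttl=3600))
```

The pass-table variant needs the same expire() call; only the pf rule that consumes the table differs (`pass in ... from <authorized>` versus `block in quick from <scanners>`). Run expire() from cron or from the `at` job the post mentions; keep the deadlines in a file if the process is not long-lived, since a table entry with no recorded deadline is one that never expires.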


Re: queueing: give some BW to each addr (in a table)?

2006-06-28 Thread Travis H.

On 6/27/06, McLone <[EMAIL PROTECTED]> wrote:

> We have many clients here, so i wanted to do it
> on my freebsd6 router, with simple cron job switching
> tables in PF, but pf doesn't support a thing like
> "give EACH ip in that table N kbits/s".


Yes, what you want is a list.


> So i have one option now - write some pf.conf
> preprocessor, with some frontend to edit it.


If you know python, check out dfd_keeper.

There is an OpenBSD port here:
http://www.lightconsulting.com/~travis/OpenBSD/

Basically you can, from a script that uses nc/netcat, add or delete
from a list relatively trivially.  It then renders the ruleset and
loads it into pf.  It looks intimidating at first but isn't really.
You have my permission to use it in your commercial environment.  Once
installed, you need to write a short python script; there is an
example in the dist (but it doesn't get installed by the port yet,
sorry).

If you have any further questions, or if you want [paid] help
implementing it, email me.
--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: RFC1323 Window Scaling Issues

2006-07-01 Thread Travis H.

Yeah, great explanation.

I'm adding this to my "list of things that should be in the docs"
list, hopefully I'll get a chance to submit some patches some day.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


pfstat network client

2006-07-11 Thread Travis H.

So...

If pfstatd makes statistics available to network clients like pfstat,
how does one tell pfstat to use the network?  I see no options for
such, and putting the hostname on the command line just generates an
error.

TY
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


pf "default deny" compile-time option?

2006-07-15 Thread Travis H.

Hey,

On the FreeBSD pf list someone mentioned that they wanted the ability
to have a "default deny" policy with pf, like the old ipf kernel
option.  That reminded me that I thought the same thing when I started
with pf.  I know, I know, it's not a terribly useful setup until the
pass rules get loaded, but by enforcing "default deny" in both pf and
in the rules, you're less likely to forget it in one place or the
other.  And yes, I'm aware that it is enabled in /etc/rc before
/etc/netstart is even called.

Also, it's right in line with OpenBSD's "default secure" ideology.

BTW, the ruleset loaded in /etc/rc could use "set skip" on lo0, and
quick rules, and make some allowance for DHCP.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: pf "default deny" compile-time option?

2006-07-16 Thread Travis H.

On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:

> Root can do stupid things which compromise security. Obfuscation or
> needless complexity in an attempt to protect yourself from the root
> account will only make your system less secure.


If every ruleset needs to put a rule in to default to blocking
packets, then that's needless complexity to me.


> Because the /etc/rc ruleset is only temporary, and quite small, I don't
> see the point in making performance-related changes to it (particularly
> performance-related changes that one would have a hard time measuring
> the effects of)


I doubt it could hurt.


> > and make some allowance for DHCP.
> DHCP uses bpf(4), and is unaffected by pf rulesets.


Ah, learn something new every day.

I suppose the outbound packets are passed by the ruleset, so it makes
no difference that they have a SRC IP of 0.0.0.0...
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: controlling ext. inbound traffic on int. interface - few doubts/thoughts

2006-07-16 Thread Travis H.

On 7/14/06, Michal Soltys <[EMAIL PROTECTED]> wrote:

> Recently I've been writing rules for small router (2 internal interfaces, 1
> external, few services running).  I've just set 1 queue for the whole
> inbound (1 mbit) on internal interface, so it won't get stalled by other
> traffic from int. net to the server itself. Essentially:
>
> altq on $if_100 cbq bandwidth 100Mb queue { if100_extbulk, \
> if100_misc, if100_ack, ... other queues }


I can't parse this.  If the traffic is to the server, it will be inbound.
Queuing works on outbound traffic.  They are distinct, and don't
interact in full-duplex mode.

Or are you talking about doing this on your external interface?


> But then I recalled the 2nd example from PF faq, that actually used
> subqueues to shape traffic of inbound traffic. But ... they all had 'borrow'
> option - does it even have a chance to work as intended this way ?


What do you mean?

If the max bandwidth isn't being used, then any one subqueue can
borrow from the others, until they need it.


> Am I thinking right ?


Can't tell; your post is lacking a lot of detail.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: controlling ext. inbound traffic on int. interface - few doubts/thoughts

2006-07-17 Thread Travis H.

On 7/17/06, Michal Soltys <[EMAIL PROTECTED]> wrote:

> Back to my point: with limited inbound traffic (by isp) to 1mbit, the
> incoming traffic is just some traffic. If whatever comes in, assigned
> to ext_bulk1 saturates a bit ext_bulk2 - total traffic will be still
> 1mbit, and there won't be any hmmm, strain to suddenly limit ext_bulk1
> in favor of ext_bulk2 - as far as I understand, borrow options on both
> subqueues will just make PF adapt to current shape of whatever in that
> 1 mbit comes back through fxp0 and fxp1 to internal hosts.


Correct.


> If borrows
> were not there, then it could work, assuming participating host(s)
> would behave and slow down.


Indirectly, through TCP window shrinkage.  It's not a very elegant
method, since the packets have already crossed your WAN link and
consumed its bandwidth.  It won't have any effect on new TCP
connections.


> Normally I'd just set one ifext_bulk queue, to make sure that traffic
> coming from outside back to internal hosts, has always reserved 1mbit
> outgoing queue on internal interface, and for example - other internal
> hosts won't saturate the link by abusing some services sitting on routing
> machine.


Use tagging on ext_if, and assign queues based on tags in the int_if.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: pf "default deny" compile-time option?

2006-07-18 Thread Travis H.

On 7/18/06, Can Erkin Acar <[EMAIL PROTECTED]> wrote:

> No, needless complexity is a compile time option that makes it
> impossible to know whether a given installation needs the block rule or not.


Good point.


> packets are sent using bpf(4) so ruleset does not really matter.


Every day a school day!
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: shell script troubles using expr ("non-numeric argument")

2006-07-28 Thread Travis H.

On 7/27/06, Karl O. Pinc <[EMAIL PROTECTED]> wrote:

> I've not tried to scroodle what you're trying to do,
> but expr is integer-only.  That's your problem.


And it's not really relevant to pf.


> When faced with problems that look like this I usually
> use awk with a awk script on the command line
> mixed in with the regular shell scripting.
> Mostly because it's not perl so there's
> an upper limit to how crazy the script can get.


Is that really an advantage? :-)  Perl can do everything awk can do,
and then some.  There's even an automatic awk-to-perl translator.

Anyhow, you might find "dc" easier to use from the command line than bc.

Merely replace the expr command with:
echo $PORT_IN_SUM $PORT_IN + p | dc

It takes RPN, so the + is at the end, and the p means print the value
on the stack.
--
"if you're not part of the solution, you're part of the precipitate"
Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


deadman's pf rule editor - never lock yourself out again

2006-12-11 Thread Travis H.
I locked myself out a couple of days ago by removing "set skip" and
not adding rules to allow any traffic on lo0.

I got sick of this and finally wrote this shell script to prevent it.

http://www.subspacefield.org/~travis/deadman/

Note that you shouldn't kill state, because then you won't be able
to hit return and the script will probably exit due to a HUP.  I'll
think about how to fix that for the next rev.
-- 
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<http://www.subspacefield.org/~travis/> -><-


Re: deadman's pf rule editor - never lock yourself out again

2006-12-12 Thread Travis H.
On Tue, Dec 12, 2006 at 09:29:34PM +0100, Stanislaw Halik wrote:
> You don't need to think much.
> 
>  trap [action signal ...]
> Cause the shell to parse and execute action when any of the
> specified signals are received.

That has been suggested a couple of times but it doesn't work.

Yes, it will keep the script from exiting.  However, the script's
parent shell exits, so it gets inherited by init.  Also, the script
will not have a controlling tty.  When you log in again, you don't
have a way to re-attach to it, or to adopt it.

I will probably do something involving "screen", or separate the
two halves of the procedure.
-- 
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<http://www.subspacefield.org/~travis/> -><-
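The "separate the two halves" idea above, worked out as an added Python example (this is not the deadman script linked in the post): arm() loads the candidate ruleset and starts a watchdog in its own session that reloads the known-good file after a timeout, and confirm() cancels it from a fresh login. The pidfile path, the arm/confirm names and the 60-second default are assumptions; `pfctl -f` is pf's real rule loader.

```python
"""Two-phase ("arm", then "confirm") pf rule loader.

A trap in a single script cannot survive the SIGHUP that follows a lost ssh
session, and a script orphaned to init has no tty to confirm from.  So the
watchdog is a separate process in its own session: it reverts the rules after
`timeout` seconds unless confirm() kills it first.
"""
import os
import signal
import subprocess
import sys

PIDFILE = "/var/run/pf-deadman.pid"   # assumed location, not from the post


def arm(load_cmd, restore_cmd, timeout, pidfile=PIDFILE):
    """Run load_cmd, then schedule restore_cmd `timeout` seconds later.
    Returns the watchdog's pid."""
    subprocess.run(load_cmd, check=True)
    # sh sleeps, then exec's the restore command.  start_new_session=True
    # (setsid) detaches it from the login session, so a terminal hangup never
    # reaches it; SIGTERM during the sleep cancels the restore.
    watchdog = subprocess.Popen(
        ["sh", "-c", 'sleep "$1"; shift; exec "$@"', "watchdog",
         str(timeout), *restore_cmd],
        start_new_session=True,
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL)
    with open(pidfile, "w") as fh:
        fh.write(str(watchdog.pid))
    return watchdog.pid


def confirm(pidfile=PIDFILE):
    """Cancel the pending restore.  Returns False if there is nothing to
    cancel or the watchdog already fired (the old rules are back)."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except FileNotFoundError:
        return False
    os.unlink(pidfile)
    try:
        # Same process that armed it: reap a finished watchdog so that a
        # zombie is not mistaken for a live one.
        if os.waitpid(pid, os.WNOHANG)[0] == pid:
            return False
    except ChildProcessError:
        pass                      # armed from another login; not our child
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return False
    return True


def arm_pf(candidate, known_good="/etc/pf.conf", timeout=60):
    """Load `candidate`; unless confirmed in time, reload `known_good`.
    Never flush states here (pfctl -F states): that drops the ssh session
    you would confirm from."""
    return arm(["pfctl", "-f", candidate], ["pfctl", "-f", known_good],
               timeout)


if __name__ == "__main__":
    # usage: pf-deadman.py arm new.conf [seconds]   |   pf-deadman.py confirm
    if sys.argv[1:2] == ["arm"]:
        secs = int(sys.argv[3]) if len(sys.argv) > 3 else 60
        print("watchdog pid", arm_pf(sys.argv[2], timeout=secs))
    elif sys.argv[1:2] == ["confirm"]:
        print("confirmed" if confirm() else "too late: old rules restored")
```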




Re: pf on FreeBSD

2006-12-19 Thread Travis H.
On Wed, Dec 13, 2006 at 06:31:10PM +0100, Daniel Hartmeier wrote:
> > pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
>
> The point of this is that you can control _which_ interface(s) a
> connection must flow through, instead of granting a permission to pass
> any and all interfaces.

Or, you can specify no interfaces, which is okay to do _if_:

1) Both interfaces have only directly attached networks (that are static)
2) antispoof is on for both interfaces

Some guy's guide out there for pf fails to take this into account.
If there's a static "default" route on an interface, you really can't
omit that interface from any rules, because both conditions are false.
-- 
A: No.
Q: Should I include quotations after my reply?
<http://www.subspacefield.org/~travis/> -><-




Re: Kernel panic on dup-to, to localhost

2006-12-20 Thread Travis H.
On Wed, Dec 20, 2006 at 01:35:37PM +1100, Johan Allard wrote:
> echo "pass in on ne3 dup-to (lo1 1.1.12.1) inet all keep state" > /etc/pf.conf
> pfctl -e
> pfctl -f /etc/pf.conf
> and the first packet coming in on ne3 will cause a kernel dump, see
> attached screenshot.


I didn't view the screenshot (were you running it as a virtual
machine or something?), but I'll make some wild guesses...

It could be that the kernel doesn't like packets not addressed
to it arriving on loopback interfaces.  Or it could be some kind
of infinite loop like the old "land" attack (srcip=dstip=us).
Is forwarding enabled on this kernel?

-- 
A: No.
Q: Should I include quotations after my reply?
<http://www.subspacefield.org/~travis/> -><-




Re: New Feature(s) Ideas

2006-12-24 Thread Travis H.
On Wed, Dec 20, 2006 at 10:24:16AM -0800, Rob wrote:
> I'd like to get some feedback on the feasibility of some new features for pf
> and the feasibility of them being implemented by the current pf hackers.
> 
> For large table support, what do people think of the idea of "read only" 
> external tables. For instance, using CDB

Interesting... I can't think of an example where I'd want a large high-speed
table that rarely changes, but I'm sure they exist.

> The second more outlandish feature I call "The Decider" which would be 
> similar to read only tables but would communicate with an external program
> which could use more complex criteria to decide if that packet was part of
> the dynamic table or not.
> Basically, a process driven dynamic table lookup:
> 
> decider  127.0.0.1:2727 400ms:no
> 
> block drop quick log on $ext_if from {}
> 
> pf would pass the packet details and the parameter after the decider_name:
> and would get a yes/no response, maybe an optional timeout is included in 
> the decider
> declaration and if it is exceeded it defaults to whatever is specified.
> Of course, this would be painfully slow and when misused would cause people
> to bitch about pf being slow.

I have no idea if pf can hang onto a packet, especially incoming, long enough
for a call to userland, but I think anything we can do to make pf more
flexible (or to reduce the need to be skilled in kernelspace coding) would
be beneficial.

Another alternative is to upload the code into kernelspace into a sandbox.
If people are interested in this, it can be done with x86 code by re-writing
and incurs something like a < 20% penalty.  The paper describing this won
a best paper award at Usenix recently.
-- 
A: No.
Q: Should I include quotations after my reply?
<http://www.subspacefield.org/~travis/> -><-




RFC on DoS mitigation

2006-12-31 Thread Travis H.
This RFC discusses DoS mitigation at the design and implementation
levels.  Most of its advice and observations pertain to routers,
but a surprising amount are also relevant to pf.  I suspect that
the authors of pf have already considered most of these scenarios,
but there may be ones they haven't considered.

http://www.isi.edu/in-notes/rfc4732.txt
-- 
A: No.
Q: Should I include quotations after my reply?
<http://www.subspacefield.org/~travis/> -><-




Re: Featuritis: overload on transferred volumes, auto-expiring tables?

2007-01-10 Thread Travis H.
On Mon, Jan 08, 2007 at 12:03:30AM +0100, Peter N. M. Hansteen wrote:
> The OTHER feature I thought of, since we're dealing with tables, is to
> have a way to declare tables with expire time for its entries.  We
> have expiretable for that, but I for one would find it convenient to
> be able to declare a table such as
> 
>  table  persist expire 24h
>
> meaning that table entries are removed when they have not been
> referenced during the last 24 hours.


I feel like I'm always repeating myself (or advertising) when I bring
this up, but this can more or less be done with pf and my tool,
dfd_keeper.

Since before macros existed (meaning, I think, ipfilter), I've been
generating my firewall with a simple shell script.

Basically you do something like:

pfctl -f /dev/stdin <<- http://www.subspacefield.org/~travis/>
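A small keeper in the spirit of the two posts above (the request for tables whose entries expire, and the earlier question about cutting off scanning hosts via a table), added here as an example; it is not dfd_keeper's code and uses none of its API. It tracks a deadline per entry, drives pf with the real `pfctl -t <table> -T add/delete` commands, and caps the table size so a flood of spoofed scan sources cannot grow it without bound; the table name, TTLs and addresses below are constructed, and the clock and pfctl runner are injectable so the logic runs without pf.

```python
"""Auto-expiring pf table entries with a bounded table size."""
import ipaddress
import subprocess
import time


def pfctl(args):
    """Run pfctl with the given argument list (needs root on a real box)."""
    subprocess.run(["pfctl", *args], check=True)


class ExpiringTable:
    def __init__(self, name, default_ttl, max_entries=10000,
                 runner=pfctl, clock=time.monotonic):
        self.name = name
        self.default_ttl = default_ttl     # seconds
        self.max_entries = max_entries
        self._run = runner                 # callable taking pfctl's args
        self._clock = clock                # injectable for testing
        self._expiry = {}                  # normalised address -> deadline

    @staticmethod
    def _normalise(addr):
        """Validate the input (so a string like '1.2.3.4 -T flush' can never
        reach pfctl) and return it the way pfctl prints it."""
        net = ipaddress.ip_network(addr, strict=False)   # raises ValueError
        if net.prefixlen == net.max_prefixlen:
            return str(net.network_address)
        return str(net)

    def add(self, addr, ttl=None):
        """Add addr, or refresh its deadline.  Returns True if it was new."""
        key = self._normalise(addr)
        is_new = key not in self._expiry
        self._expiry[key] = self._clock() + (
            self.default_ttl if ttl is None else ttl)
        if is_new:
            if len(self._expiry) > self.max_entries:
                # Full: evict the entry that would expire soonest rather than
                # letting an attacker grow the table indefinitely.
                victim = min((k for k in self._expiry if k != key),
                             key=self._expiry.__getitem__)
                self._delete([victim])
            self._run(["-t", self.name, "-T", "add", key])
        return is_new

    def expire(self):
        """Remove every entry whose deadline has passed; returns them sorted.
        Call this periodically (e.g. from an event loop or cron)."""
        now = self._clock()
        dead = sorted(k for k, deadline in self._expiry.items()
                      if deadline <= now)
        self._delete(dead)
        return dead

    def _delete(self, keys):
        if keys:
            self._run(["-t", self.name, "-T", "delete", *keys])
            for k in keys:
                del self._expiry[k]

    def active(self):
        """Entries currently in the table, sorted."""
        return sorted(self._expiry)
```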




TCP timestamp clock behavior

2007-01-11 Thread Travis H.
So, surprisingly, many OSes don't synchronize their TCP timestamp
clock to their system clock, so effectively they leak the skew of
that clock, even if they are synching their system clock via NTP.

I am wondering what the current behavior is for OpenBSD, and if
scrubbing or any other pf function (e.g. synproxy) does anything
about it.

My thoughts are that scrubbing should replace any end-system timestamps
in the outbound packets with OpenBSD's timestamps.  This would have the
benefit of making all boxes behind NAT have the same clock skew, a minor
win.

The best solution would be to drive the TCP clock off the system clock,
so that if you synch with NTP, you don't have to worry about timestamps.

A lesser win would be giving scrub the ability to remove them from
packets on the way out.  This would make them look like MS Windoze,
which doesn't enable timestamps by default.  This only need be done on
the SYN if the remote end follows RFCs, but a malicious remote system
could put them on ACK packets and the end system typically starts
using them too (at least, that's true with Windoze).

Also, does OpenBSD suffer from etherleak the way other BSDs do, or
has that been fixed long ago?

Any other mechanisms that might identify/fingerprint a host that
aren't automatically fixed by scrubbing with the right options,
or that may not be obvious from the scrub documentation?

I know that you want to use min-ttl in order to hide the number
of hops in your internal network before it hits the firewall, and
random-id is fairly obvious; is there anything else?

Would people like a manual or FAQ section on exactly what scrubbing
does?  I think it could use one.  For example, does it block /S,
F/SFRA, U/SFRAU, FUP/FUP?  Nothing in the FAQ or manual (last I
checked) dealt with this at all.  Opinions?  Questions?
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <http://www.subspacefield.org/~travis/>




Re: Making 'loops' in pf.conf

2007-01-11 Thread Travis H.
On Wed, Jan 10, 2007 at 02:18:57PM +0100, Johan Segern?s wrote:
> Today it looks like (very stripped down)
> pass in on $FOO_NET inet from $FOO_IPS to any keep state
> pass in on $BAR_NET inet from $BAR_IPS to any keep state
> 
> Instead I would like to do it like
> for i in FOO BAR; do
>   pass in on ${i}_NET inet from ${i}_IPS to any keep state
> done

> Or something. Is this possible within pf.conf or would I have to make a
> shell loop creating this little extra pf config file and include in
> pf.conf?

You could also do it with dfd_keeper, available off my web site.
It's a framework for writing pf rules using python.  There used
to be a static version, but I think it didn't present enough
utility to continue to maintain static-only as a separate library.

You could do it as a shell script, or any kind of preprocessor.
I don't really like the way m4 syntax looks, or how it re-reads
expanded macros as input again.  The cpp would be fine if it wasn't
specific to C, so I wrote a little script that mimics cpp (but offers
much more flexibility) and I've attached it for your convenience.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <http://www.subspacefield.org/~travis/>
#! /usr/local/bin/perl -w

# $Id: preprocess 11947 2007-01-12 04:01:15Z user $

$main::command = "#";      # command indicator (override with --command=';')
$main::ignore_header = 1;  # ignore interpreter line and leading #commands
$main::quiet = 0;          # give error messages for invalid commands
$main::leading_spaces = 1; # allow white space before the command indicator
$main::fi_match = 0;       # require "fi EXPR" to name the matching "if EXPR"
$main::empty_fi = 1;       # Empty commands are fi commands by default.

use Getopt::Long;

GetOptions("command=s",       \$main::command,
           "define=s%",       \%main::preprocess,
           "quiet!",          \$main::quiet,
           "ignore!",         \$main::ignore_header,
           "leading-spaces!", \$main::leading_spaces,
           "fi-match!",       \$main::fi_match,
           "empty!",          \$main::empty_fi);

# Stack of [truth, expression] pairs, one per open region.
@main::regions = ( [ 1, "" ] ); # The root-level region is a printing region.

# Force user-defined variables (--define key=value) into preprocess namespace.
while (($key, $val) = each (%main::preprocess)) {
    eval "\$preprocess::$key = $val";
}

$main::skip_spaces = ($main::leading_spaces ? '\s*' : '');

# We found a command line, so do something.
sub process_command {
    my ($command) = @_;

    $_ = $command;

    # Get rid of leading/trailing white space.
    s/^\s*//;
    s/\s*$//;

    # Do we want to allow trailing comments?  Other comments?

    # Empty commands are fi commands by default.
    $_ = "fi" if ($main::empty_fi and $_ eq "");

    # Process any end-of-region markers.
    if (/^(endif|fi)(\s+(.*))?$/) {
        my $label = $3;
        die "Unexpected end of region at line $.\n" unless $#main::regions;
        my ($truth, $expr) = @{pop @main::regions};
        if (defined($label) and $main::fi_match and $expr ne $label) {
            die "Unmatched fi at line $. (\"$expr\" ne \"$label\")\n";
        }
        return;
    }

    # NB: We do not ignore if commands inside conditional regions that are
    # false because we allow nested if statements.  We need to see the
    # if statement so we can skip the next end-of-region marker.
    if (/^(unless|if)\s+(.*)$/) {
        # Save the captures first: a regex inside $expr would clobber $1/$2
        # when eval'd below.
        my ($keyword, $expr) = ($1, $2);
        package preprocess;
        my $condition = eval $expr;
        # Undefined expressions are false.
        $condition = 0 unless defined($condition);
        package main;
        my $cond_truth = ($keyword eq "if") ? $condition : !$condition;

        # NB: If we are in a false region, all nested regions are false.
        push(@main::regions, [ $cond_truth && $main::current_truth, $expr ]);

        return;
    }

    # Ignore anything else if we are in a conditional region that is false.
    return unless $main::current_truth;

    # Assignment, e.g. "$foo = 1", evaluated in the preprocess namespace.
    if (/([^=]+)\s*=\s*([^=]+)/) {
        my $assignment = "$1=$2";
        package preprocess;
        eval $assignment;
        return;
    }

    die "Invalid command $_ at line $.\n" unless $main::quiet;
}

# Main loop: read the named files (or stdin) line by line.
while (<>) {
    chomp;

    # NB: Easier to short-circuit the header if we are ignoring it.
    if (/^#/ and $main::ignore_header) { print "$_\n"; next; }
    $main::ignore_header = 0;

    # Is the current region true?
    $main::current_truth = $main::regions[-1]->[0];

    if ($_ =~ /^$main::skip_spaces$main::command(.*)$/) {
        process_command($1);
        next;
    }
    print "$_\n" if $main::current_truth;
}

if ($#main::regions) { die "Not enough fi statements.\n"; }

exit 0;

__END__

=head1 NAME

preprocess - Preprocess arbitrary files.

=head1 SYNOPSIS

preprocess --command=';' --quiet  whatever

=head1 DESCRIPTION

This program is used for conditionally printing various regions of a file.
It is much like the C preprocessor, except that it is meant for any text
file, not just C code.  Its command language is a restricted subset of Perl.

=item --command delimiter

Specify that you may introduce commands to preprocess by beginning the line
with the specified delimiter.

=item

Re: TCP timestamp clock behavior

2007-01-12 Thread Travis H.
On Fri, Jan 12, 2007 at 09:27:58AM +0100, Daniel Hartmeier wrote:
> > I am wondering what the current behavior is for OpenBSD, and if
> > scrubbing or any other pf function (e.g. synproxy) does anything
> > about it.
> 
> The first match searching for 'timestamp' in pf.conf(5) is in

Hmm, forgot about TFM, thanks :-)

> which sounds like it might be vaguely relevant, have you tried that? ;)

Once again pf has anticipated what I wanted before I even knew what
it was and that I wanted it ;-)
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <http://www.subspacefield.org/~travis/>




antispoof and default routes

2007-01-21 Thread Travis H.
Someone's guide to pf made the intelligent observation that if
you use antispoof, you can often avoid specifying an interface
in the filter rules that also refer to IPs (or ranges), because
you already know what interface those are coming from.

However, I wanted to point out that you can't really use antispoof
on an interface with a default route to/from it, since any IP
(other than those on other interfaces) can come from there.

So basically you still need to specify the WAN interface in rules
which deal with it.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <http://www.subspacefield.org/~travis/>




Re: Strange disconnection problem - 2nd take

2007-01-24 Thread Travis H.
On Tue, Jan 23, 2007 at 03:23:36PM +, Stuart Henderson wrote:
> > I don't use flags anywhere in my keep state rules... Are you saying that I 
> > should use those flags everywhere
> 
> Yes, use them everywhere.

Yep.  It turns out that if you don't, your firewall may pick up
a TCP connection in the middle, and create a state for it, but
certain things about it (I believe the window size) can only be
properly interpreted if the firewall saw the SYN (I believe the
wscale option), so you will get weird behavior if you don't
specify flags S/SA for every keep state on a TCP rule (I believe
now you can specify it on other rules, pf is smart enough to
ignore them for UDP et al.)
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <http://www.subspacefield.org/~travis/>



