Re: pf/altq on a fast link

2003-06-01 Thread siivv
Go here:
http://www.benzedrine.cx/ackpri.html
Daniel wrote a great article about just how to do this.
Can't help with real world examples, but that should point you in the
right direction.

Note, you will need OpenBSD 3.3 to accomplish this


scott

On Sat, 31 May 2003, Tony Faoro wrote:


 Good day,

 I operate a web-hosting/colocation/game server hosting company with a
 generous amount of available bandwidth. I have an OpenBSD bridge firewalling
 my network but after reading about the 'Prioritizing empty TCP ACKs with
 pf and ALTQ' I began to realize that there may be more I can do to speed
 things up on my link.

 If anyone out there would be so kind as to share a pf.conf they are using
 in a similar circumstance that would be great. I'm somewhat new to the
 packet prioritizing world and would love some real world examples you all
 have had success with.

 Thanks for your time,

 -t

 +--- --  -  - -
 | Anthony M. Faoro II
 : CIO, Adtaq Internet
 . tmf at adtaq dot com
   425.444.8787 VOICE
 . 800.861.1834 FAX




Re: smtp pop3 portforwarding

2003-05-07 Thread siivv
look below

On Wed, 7 May 2003, Jeffrey S. Payao wrote:

 hi folks! I'm having a problem regarding my small network, regarding my
 internal pop3/smtp server. It's running cool if I'm connecting internally,
 but if I'm connecting remotely I got a connection timeout. I'm running
 OpenBSD 3.2 PF/NAT as my firewall. Here's my pf.conf. Hope you can point
 out my fault thx!!!


 # Variables
 #
 # PF supports variables expansion, modelled after
 # that of the shell. We define some variables that
 # we'll use later in the ruleset:
 #
 # Available Interfaces
 EXT_IF= fxp2
 INT_IF= fxp0
 # Configured Networks
 EXT=203.177.19.0/24
 INT=192.168.9.0/24
 # Firewall IP Address
 FW= 203.177.19.202
 # Special Networks/Hosts
 RESERVED=   { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
 TRUSTED={ 192.168.9.0/24 }


 #
 # Packets normalization
 #
 # Since some IP stacks don't correctly implement IP
 # packets defragmentation, OpenBSD PF provides the scrub
 # directive. For packets matching the rule, the PF
 # normalization component makes sure they are defragmented
 # and completely stripped of all abnormalities before they
 # are sent along to their final destination.
 #
 # NOTE: using the scrub directive uses quite an amount
 # of server resources, so its use should be limited to
 # protecting only the weak TCP/IP stack implementations
 # (or to prevent NIDS evasion through IP fragmentation).
 #
 scrub in all
 #scrub out all


 #
 # NAT: IP Masquerading (many-to-one mapping)
 #
 # Masquerade the hosts in the Internal network, dynamically
 # changing packets as they traverse the external interface.
 # This allows a single IP address on the translating host
 # to support network traffic for a larger range of machines
 # on an inside network.
 #
 nat on $EXT_IF inet from $INT to any -> $FW


 #
 # NAT: Bi-directional NAT (one-to-one mapping)
 #
 # Uncomment the following rule to publish an internal
 # IP address (192.168.0.33) to the external network
 # (in this case we use the public IP address x.x.x.33).
 # Remember that to be genuinely useful, binat should
 # be used in conjunction with either proxy arp, or
 # ifconfig(8) aliases. See the pf.conf(5) man page
 # for details.
 #
 #binat on $EXT_IF inet from 192.168.0.33 to any -> x.x.x.33


 #
 # NAT: Port redirect
 # Uncomment the following rule to redirect all traffic
 # from the specified external port to an internal
 # host (192.168.0.33). In this example we did SMTP
 # protocol.
 #
 rdr on $EXT_IF inet proto tcp from any to any port 25 -> 192.168.9.222 port 25
 rdr on $EXT_IF inet proto tcp from any to any port 110 -> 192.168.9.222 port 110

 #
 # NAT: FTP Application Proxy
 #
 # The following rule activates the FTP proxy for the
 # masqueraded hosts. With PF comes ftp-proxy(8), to
 # run it with this configuration we need to put the
 # following line (uncommented) in /etc/inetd.conf:
 #
 # 127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
 #
 rdr on $INT_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8081


 #
 # PF: Default policy (very restrictive)
 #
 # Set the default policy for INBOUND and OUTBOUND traffic
 # on every interface. Basically, block everything, logging
 # incoming blocked packets. For TCP and UDP protocols,
 # return the replies specified by the RFCs.
 #
 block in log all
 block return-rst in log inet proto tcp all
 block return-icmp in log inet proto udp all
 block out all
 block return-rst out inet proto tcp all
 block return-icmp out inet proto udp all


 #
 # PF: Trusted interfaces
 #
 # Take care of the trusted interfaces, allowing all
 # traffic to/from the specified networks:
 #
 # lo0 is the loopback interface;

 # INT_IF is the internal interface.
 #
 pass in quick on lo0 all
 pass out quick on lo0 all
 pass in quick on $INT_IF all
 pass out quick on $INT_IF all


 pass in quick on $EXT_IF all
 pass out quick on $EXT_IF all

don't be so quick to use the quick keyword.  since this rule passes
everything in, you never address the rules below... make sure you read the
manual to understand the quick keyword, which allows the iteration over
rules to be stopped when it matches something marked as quick

now why this isn't still allowing the traffic to get passed in is well
beyond any logic I can offer (as noted in the below tcpdump)

and you probably don't want this rule at all, because it allows for
everything to come in and that wouldn't be much of a firewall.
outbound probably shouldn't be much of a problem, but you definitely don't
want the inbound pass rule for all
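As an added illustration of the reply's point about quick (this is not code from the thread), the model below applies pf's evaluation order to a simplified copy of the posted inbound rules: the last matching rule wins unless a matching rule carries quick, which ends evaluation immediately. Interface names and ports come from the posted pf.conf; the trailing telnet block rule is a hypothetical "rule below" that the quick pass on $EXT_IF shadows, and the packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None: any interface
    proto: Optional[str] = None  # None: any protocol
    dport: Optional[int] = None  # None: any destination port
    quick: bool = False

    def matches(self, pkt):
        return (self.direction == pkt["dir"]
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (action, index of deciding rule): last match wins, 'quick' stops at once."""
    decision = ("pass", None)    # pf's implicit default when no rule matches
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:
                break            # later rules are never consulted
    return decision

def verdict(rules, iface, proto, dport):
    pkt = {"dir": "in", "iface": iface, "proto": proto, "dport": dport}
    return evaluate(rules, pkt)[0]

# Inbound rules as posted (fxp0 = $INT_IF, fxp2 = $EXT_IF), followed by one
# hypothetical rule of the kind the reply says is "below" and never reached.
POSTED = [
    Rule("block", "in"),
    Rule("pass", "in", iface="fxp0", quick=True),
    Rule("pass", "in", iface="fxp2", quick=True),                # passes everything
    Rule("block", "in", iface="fxp2", proto="tcp", dport=23),    # unreachable
]

# Narrower alternative: on $EXT_IF only the redirected mail ports (25, 110) pass.
HARDENED = [
    Rule("block", "in"),
    Rule("pass", "in", iface="fxp0", quick=True),
    Rule("pass", "in", iface="fxp2", proto="tcp", dport=25, quick=True),
    Rule("pass", "in", iface="fxp2", proto="tcp", dport=110, quick=True),
]
```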




 

Re: pppoe tun0 addr

2003-03-29 Thread siivv
why not just start pf after the connection comes online once in the
ppp.linkup?
that'll solve the redundant call problem

and I think tun0 is always what obsd uses to reference a pppoe connection



scott


On Sat, 29 Mar 2003, Kent R. Spillner wrote:

 I use pppoe to connect to my DSL service provider.  I call ppp from
 rc.local so my 'net connection is established after pf has been started.

 The problem is that I use (tun0) in my pf.conf as my external address,
 but when pf loads pf.conf it spews some errors about tun0 not having any
 address associated with it.  Therefore, I have to reload my ruleset in
 /etc/ppp/ppp.linkup.

 That's not a problem; I'm just wondering if there is a better way to
 give tun0 a dummy address initially to appease pf and so that I don't
 have to reload my ruleset immediately (using (tun0) will automagically
 update my external addr, right?).

 Is a really stupid question?

 -Kent
 --
 Kent R. Spillner
 They that can give up essential liberty to obtain a little
   temporary safety deserve neither liberty nor safety.
 - Benjamin Franklin





Re: Port = domain

2003-03-26 Thread siivv
I'm gonna beat it to death...
iana.org has most, but not all

most up-to-date resource, imo
www.portsdb.org

and it has a good searchable iface



scott


On Wed, 26 Mar 2003, Richard Maclannan wrote:

 Can anyone tell me which ports are covered by port = domain? To stop me
 from asking any more obvious questions, is there a list of name aliases for
 certain ports?

 Thanks,

 Richard Maclannan
 Facilities Technical Support
 Data Connection Ltd.
 [EMAIL PROTECTED]





Re: dump pflog to a database

2003-03-19 Thread siivv
I am working on an app for this right now (with a web-based monitoring
tool), though it should be a short while until I get it done, due to other constraints

there is a conversion tool that takes pf logs and formats them to
xml output, if that is of any use to you (http://monkey.org/~jose) - as referenced in
a recent post to this list



scott

On Tue, 18 Mar 2003, Sid Keller wrote:

 Is there an easy way to get pflog information into a database?  I don't
 need for pf to log directly to a database, I would just like to be able
 to take data from the pflog file and load it into a database,
 specifically a postgresql database.  Any ideas or thoughts on how to do
 this?

 --
 Sid





Re: problem with port 443 traffic

2003-03-19 Thread siivv
port 443 (ms sql server traffic) is being blocked because you don't have a
rule to pass it in

your ruleset allows only smtp, ssh, and https to come in, everything else
is being blocked

is that the only problem you are having? or is the email not functioning
properly either?



scott


On Tue, 18 Mar 2003, Sid Keller wrote:

 I'm having some problems with my rulesets for an email server.  The server
 is not behind a firewall but I have pf enabled on the server.  Here is
 my ruleset.

 ###
 #--
 # Variable Section
 #--
 int_if=fxp0
 nonroute={ 192.168.1.0/24, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8 }
 approved_mgmt_net={ x.x.x.x }
 server_ip={ x.x.x.x }
 #
 #
 #Firewall Rulebase Begin
 #
 #
 #
 #--
 #Packet Normalization (deny fragmented packets)
 #--
 scrub in all
 #--
 #Default Deny
 #--
 block in log all
 #--
 #Allow Loopback Packets
 pass in  quick on lo0 all
 pass out quick on lo0 all
 #--
 #Drop Spoofed Packets
 #--
 block in  log quick on $int_if from $nonroute to any
 block out log quick on $int_if from any to $nonroute
 #--
 #Drop wrong TCP Flags
 #--
 block in quick on $int_if inet proto tcp from any to any flags FUP/FUP
 #--
 #--
 #Firewall RULES
 #--
 pass in quick on $int_if inet proto tcp from $approved_mgmt_net to $server_ip port ssh
 pass in quick on $int_if inet proto tcp from any to $server_ip port https flags S/SA modulate state
 pass in quick on $int_if inet proto tcp from any to $server_ip port { smtp } flags S/SA modulate state
 #--
 #Allow Return Traffic and Connection From Firewall
 #--
 pass out on $int_if inet proto { tcp, udp, icmp } all keep state

 Here is a snippet from my pflog file using tcpdump -n -e -ttt.

 Mar 07 10:58:10.177507 rule 1/0(match): block in on fxp0:
 user.ip.address.1501 > my.ip.address.443: F 71818460:71818460(0) ack
 3194040235 win 5549 (DF)
 Mar 07 10:58:10.183314 rule 1/0(match): block in on fxp0:
 user.ip.address.1502 > my.ip.address.443: F 71819657:71819657(0) ack
 963312026 win 5549 (DF)
 Mar 07 11:52:59.986506 rule 1/0(match): block in on fxp0:
 user.ip.address.1586 > my.ip.address.443: R 75169994:75169994(0) win 0 (DF)
 Mar 07 11:52:59.990614 rule 1/0(match): block in on fxp0:
 user.ip.address.1585 > my.ip.address.443: R 75170656:75170656(0) win 0 (DF)

 I'm curious as to why the above traffic is being blocked on port 443.

 Thanks for your help.  Any other suggestions concerning my ruleset would
 be greatly appreciated.


 --
 Sid Keller





RE: CheckPoint SecureRemote Client through pf

2003-03-06 Thread siivv
problem resolved, thank you everyone for your help..
especially jolan for his openbsd vpn how-to
http://www.cryptonomicon.org/notes/vpn_nat.html

oddly enough, my first problem was on the vpn server, whoever set up my
account was a poor typist and screwed something up... stupid simple mistakes that I
cannot control... (a waste of 3 days of my time for a stupid mistake on
their part, shoulda hit up the firewall team at the get-go)

also, I found that I had to open up port 2746 - checkpoint udp encap port
to allow connections (in addition to the rules found in jolan's how-to)


thanks again to all

piez,
scott


On Tue, 4 Mar 2003, siivv wrote:


 I am trying to work with a few others to figure out the solution to this
 problem, though their time is hard to come by...
 since I do not have access to the vpn firewall, I cannot check its logs,
 and can only deal with what is on my end

 I thank you all for your time and help, hopefully this is something simple
 that I am forgetting to configure, but we shall see...



 scott





RE: CheckPoint SecureRemote Client through pf

2003-03-03 Thread siivv

What kind of setup am I looking for?

I am using the VPN-1 SecureClient 4.1 SP5 build 4200

The initial connection and proper update of the client with the VPN
server works just fine.
Then, it states that it is performing the key exchange when trying to
connect to a computer on the vpn, but always seems to fail

tcpdump shows only the first packet going out, but then it would
seem nothing is being returned

it's strange to me, I do not know what type(s) of packets compose vpn
traffic, so I am unsure of what to look for when sniffing

any help is appreciated

thanks,

scott

On Sat, 1 Mar 2003, Terry Baranski wrote:

 Works fine here as well.  There are issues when the NAT'd network behind
 the user's firewall overlaps with the destination encryption domain, but
 that's about it AFAIK.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of Camiel Dobbelaar
 Sent: Saturday, March 01, 2003 4:13 AM
 To: siivv
 Cc: [EMAIL PROTECTED]
 Subject: Re: CheckPoint SecureRemote Client through pf



 I have secureclient working fine here through a pf firewall, with NAT.

 No special tricks really...  if I tcpdump I first see isakmp traffic
 (500/udp), then encapsulated traffic using 2746/udp.

 Let me know if you need more info.

 --
 Cam

 On Fri, 28 Feb 2003, siivv wrote:

 
  Is a connection with the checkpoint secureremote client possible
  through an obsd 3.2 nat'd pf firewall?  I am referring to an outbound
  connection from my home network, through the pf fwall, and to the
  checkpoint fwall
 
  I have read that it is not possible with NAT, but figured I would run
  it by those who may have used it.
 
  Also, if this is possible, can someone point me in the direction of
  documentation or explain how exactly it can be done





Re: Priorizing empty ACKs

2003-02-27 Thread siivv
If this works I will be terribly happy, until now I thought there was no
way around it.  THANK YOU

I will try implementing it tonight!



scott