RE: PF related crash? (fwd)

[Wouter Clarie]

-- Forwarded message --
Date: Sat, 22 Feb 2003 16:29:06 -0500
From: Glen MacAfee [EMAIL PROTECTED]
To: 'Wouter Clarie' [EMAIL PROTECTED]
Subject: RE: PF related crash?

Here are the results of dmesg and the ruleset; being a newbie, though, I'm
not sure exactly what you mean by crash trace and ps.  What specifically
should I do?

BTW, I have tried this with the scrub and states/fragments uncommented but
to no avail.

Thanks,

Glen


OpenBSD 3.2 (GENERIC) #25: Thu Oct  3 19:51:53 MDT 2002
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: F00F bug workaround installed
cpu0: Intel Pentium (P54C) (GenuineIntel 586-class) 166 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8
real mem  = 49917952 (48748K)
avail mem = 40730624 (39776K)
using 634 buffers containing 2596864 bytes (2536K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(9b) BIOS, date 12/12/96, BIOS32 rev. 0  0xf7722
apm0 at bios0: Power Management spec V1.1
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1  0xf76e0/0x910
pcibios0: PCI BIOS has 4 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:01:0 (SIS 85C503 ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xca000/0x1800
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 SIS 5511 rev 0x00
pcib0 at pci0 dev 1 function 0 SIS 85C503 ISA rev 0x01
pciide0 at pci0 dev 1 function 1 SIS 5513 EIDE rev 0x08: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST31720A
wd0: 16-sector PIO, LBA, 1626MB, 3305 cyl, 16 head, 63 sec, 3331852 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
vga1 at pci0 dev 11 function 0 SIS 86C205 rev 0x44: aperture at
0xfdc0, size 0x40
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 17 function 0 Intel 82557 rev 0x08: irq 11, address
00:d0:b7:27:db:69
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
fxp1 at pci0 dev 19 function 0 Intel 82557 rev 0x0c: irq 10, address
00:02:b3:32:1b:11
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4040 netmask 4c40 ttymask 5cc2
pctr: 586-class performance counters and user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
fd0: timeout (st0 0 cyl 0)
fd0c: soft error reading fsbn 0


#   $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
# See pf.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal
network
# and 192.168.1.1 with external address
# Part 1 -- Macros and definitions
IfExt = fxp0
IfInt = fxp1
IPsExt = 64.36.88.0/24

# Part 2 -- Options
#set limit { states 2000, frags 2000 }
#set loginterface $IfExt
# Will changing the line below from aggressive to normal help?
set optimization aggressive
#set timeout { tcp.opening 6, tcp.closing 6 }
#set timeout tcp.closing 300, other.first 100

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
# Problems with scrub causing kernel panic?  Let's try turning it off...
#scrub in all

# Part 3 -- NAT
# Since this is a bridging FW, there will be no nat or rdr rules

# Part 4 -- Packet Filter Rules
#External bridge interface rules -- allow all in, filter on internal
# In bridge mode, we only filter on one interface.
pass in quick on $IfExt all
pass out quick on $IfExt all

# Internal bridge interface rules (main ruleset)
# Rule order does not matter.
# Most likely all of the packets we want dropped will use a rule of the
form:
# block out log quick on $IfInt ...
pass in quick on $IfInt inet proto { tcp, udp } from 64.36.88.146 to $IPsExt
port  1024
block out log quick on $IfInt inet proto { tcp, udp } from any to $IPsExt
port  1024
# This next rule blocks out attempts to connect to the MS UnPnP port; thanx
to grc
block out log quick on $IfInt inet proto tcp from any to $IPsExt port = 5000
# In rules
pass in quick on $IfInt proto { tcp, udp } from any to any keep state
# pass out/in certain ICMP queries and keep state (ping)
pass in quick on $IfInt inet proto icmp all icmp-type 8 code 0 keep state
# Allow certain UDP services in (DNS, 

RE: PF related crash? (fwd)

[Jason Dixon]

On Fri, 21 Feb 2003, Glen MacAfee wrote:

 IPsExt = xx.xx.xx.0/24

First, please always filter out real address information on public
lists.  While we're all here to help, that doesn't stop folks who have
bad motives from getting this off the archives.
 
 # Part 2 -- Options
 #set limit { states 2000, frags 2000 }
 #set loginterface $IfExt
 # Will changing the line below from aggressive to normal help?
 set optimization aggressive
 #set timeout { tcp.opening 6, tcp.closing 6 }
 #set timeout tcp.closing 300, other.first 100

Ok, you've set aggressive timeouts with the aggressive option, but you
aren't limiting your states or frags.  Knowing you're only running 48MB
of RAM, it's not unreasonable to assume you're running out of memory. 
You need to determine how much free RAM you have (excluding PF states),
then limit states based on that amount.  The calculation is roughly 1k
states == 1MB RAM.

 # Part 4 -- Packet Filter Rules
 #External bridge interface rules -- allow all in, filter on internal
 # In bridge mode, we only filter on one interface.
 pass in quick on $IfExt all
 pass out quick on $IfExt all

Ok, you need to study the PF documentation (FAQ, manpages, howto, etc). 
PF is a last rule matches firewall.  HOWEVER, you've already put in
the quick option on your first 2 rules... pass in and pass out. 
You're letting EVERYTHING through your firewall.  You're effectively
running nothing but a bridge... all the rules that follow are ignored by
the match engine, thanks to those 2 quick rules.

 block in log on $IfInt all

And this is the last rule in your set.  Provided you had NO quick
options in all the preceding rules, you would have just blocked
EVERYTHING inbound from your internal network.  But even that's
irrelevant at this point... you're only supposed to filter in ONE
direction on a bridge.  *sigh*

Try the following ruleset.  Note that the $IPsExt needs to be defined,
and you'll probably want to redefine $fw_services (stuff allowed into
your firewall/bridge host), $udp_allowed (udp traffic allowed into your
internal hosts), and $tcp_allowed (tcp traffic allowed into your
internal hosts).  ALSO NOTE that $udp_allowed and $tcp_allowed are only
defined to allow incoming traffic initiated from the outside... stuff
you are running internal servers for, IOW.  You do NOT need to allow
UDP/DNS traffic explicitly just for your internal hosts' resolution...
that is allowed and tracked by the outgoing UDP state rule.

The modulate state option in the TCP section is only necessary if you
need to protect hosts with weak TCP implementations.  If you're running
primarily Linux 2.4 and OpenBSD hosts, you only need to keep state. 
Otherwise, and particularly if you're running Windows hosts, go ahead
and use modulate state.

Please take some time to study this ruleset and learn what and why it
does what it does.  Reference the manpages to clarify what an option
means.  And for the LOVE OF GOD, please unplug this box from the
internet ASAP until you get the ruleset fixed... you're running a
wide-open bridge.  :)

-J.

# Macros
IfExt=fxp0
# Change the following network address to suit your needs
IPsExt=xxx.xxx.xxx.0/24
# Define the following sample services
fw_services={ ssh }
udp_allowed={ }
tcp_allowed={ http, smtp, https, ssh }
# Stuff that shouldn't cross our network
bad_blocks={ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23,
224.0.0.0/3 }

# Options
set limit { states 16000, frags 8000 }
set loginterface $IfExt
set optimization aggressive

# Packet Normalization
scrub in all

# Default block
block out log on $IfExt all
block in log on $IfExt all
block return-rst out log on $IfExt proto tcp all
block return-rst in log on $IfExt proto tcp all
block return-icmp out log on $IfExt proto udp all
block return-icmp in log on $IfExt proto udp all

# Block unwanted
block in quick on $IfExt from 255.255.255.255/32 to any
block in quick on $IfExt from any to 255.255.255.255/32
block in quick on $IfExt from $bad_blocks to any
block in quick on $IfExt from any to $bad_blocks

# Allow certain icmp connections
pass out on $IfExt inet proto icmp all keep state
pass in on $IfExt inet proto icmp all icmp-type 8 code 0 keep state

# Allow certain udp connections
pass out on $IfExt proto udp all keep state
pass in on $IfExt proto udp from any to any port $udp_allowed keep state

# Allow certain tcp connections
pass out on $IfExt proto tcp all modulate state
pass in on $IfExt inet proto tcp from any to ($IfExt) port $fw_services
flags S/SA keep state
pass in on $IfExt proto tcp from any to any port $tcp_allowed flags S/SA
modulate state


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Wouter Clarie
 Sent: Saturday, February 22, 2003 04:21
 To: [EMAIL PROTECTED]
 Subject: Re: PF related crash?
 
 
 
 On Fri, 21 Feb 2003, Glen MacAfee wrote:
 
  I'm getting crashes whenever I put a heavy load on the fw/bridge that I
 have
  

Re: PF related crash? (fwd)

[Henning Brauer]

On Sun, Feb 23, 2003 at 10:20:05AM -0500, Jason Dixon wrote:
 On Fri, 21 Feb 2003, Glen MacAfee wrote: 
  IPsExt = xx.xx.xx.0/24
 First, please always filter out real address information on public
 lists.

this is the worst advice I've seen in the last few hours.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: PF related crash? (fwd)

[Sancho2k.net Lists]

Jason Dixon wrote:
On Sun, 2003-02-23 at 11:14, Henning Brauer wrote:

On Sun, Feb 23, 2003 at 10:20:05AM -0500, Jason Dixon wrote:

On Fri, 21 Feb 2003, Glen MacAfee wrote: 

IPsExt = xx.xx.xx.0/24
First, please always filter out real address information on public
lists.
this is the worst advice I've seen in the last few hours.


At the risk of publicly embarrassing myself, WHY?  Why in the hell would
you want people knowing your IP information... particularly on such a
poorly configured (effectively NO) firewall?
Henning, I really respect you, so I'm really confused as to your terse
and enigmatic response.
What Henning is probably getting at is the sheer effectiveness of 
obfuscating information on a support list. Chances are you could 
determine IP information anyways, if from nothing else than looking at 
the header for the IP of the sending mail relay. Obfuscating data makes 
it difficult to see into the problem. Giving the pertinent information 
saves the list members from having to send more mail asking for details. 
If you are in the habit of obfuscating data on other lists (see also 
security through obscurity), you're going to waste a lot of peoples' 
time. Reasons to do so are in such cases where (as in a firewall issue) 
you are asking ppl to critique your config or tell you why something 
doesn't work. If we can see the real address info, and understand the 
subnet design and what interface is on what network and what the rules 
apply to, its much easier.

I understand your point about the misconfigured firewall and not wanting 
ppl to know how to reach you, but the majority of the time, do everyone 
a favor and give the unfettered, full, needed info in your help request.

My $0.02.

DS

Re: PF related crash? (fwd)

[Jason Dixon]

On Sun, 2003-02-23 at 16:41, Sancho2k.net Lists wrote:

 What Henning is probably getting at is the sheer effectiveness of 
 obfuscating information on a support list. Chances are you could 
 determine IP information anyways, if from nothing else than looking at 
 the header for the IP of the sending mail relay. Obfuscating data makes 
 it difficult to see into the problem. Giving the pertinent information 

DS, please understand that what I'm about to say is in no way directed
to you... you're simply the messenger/interpreter.

But GODDAMMIT, I'm tired of people suggesting that nothing get
obfuscated because hackers could get it anyways.  It's ridiculous to
suggest that because a very small minority set of bad people might be
able to dig up the relevant information (in this case, a netblock of
incredibly vulnerable hosts), that it's a bad idea to hide it in a
posted firewall ruleset to a public mailing list from the other hordes
of minimally qualified script kiddies.  Gimme a fucking break.

We're talking about the external netblock, people.  Not the internal
routing table, not a handful of relevant macros, not a trace.  Just a
NETWORK ADDRESS.  How could obfuscating this possibly rate as the worst
advice of the day on anyone's radar?

Please keep in mind that I am a critic of security through obscurity
as well.  But, as my momma used to say, pick your battles wisely.

-J.

Re: PF related crash? (fwd)

[Henning Brauer]

pfft.
nothing is scret on an IP address.
if you have problems making your IP public... stop sending mails, stop
surfing, stop doing dns.

this is ridiculous.

keeping your IP secret buys you NOTHING.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: PF related crash? (fwd)

[Sam Smith]

On Sun, 23 Feb 2003, Jason Dixon wrote:
 Just a NETWORK ADDRESS. How could obfuscating this
 possibly rate as the worst advice of the day on
 anyone's radar?

There's been no useful advice today on misc@, so your
words get the honour?





Sam

-- 
  A few .Xr's short of a man page.

Re: PF related crash? (fwd)

[Jason Dixon]

On Sun, 2003-02-23 at 17:06, Henning Brauer wrote:
 pfft.
 nothing is scret on an IP address.
 if you have problems making your IP public... stop sending mails, stop
 surfing, stop doing dns.

 this is ridiculous.
 
 keeping your IP secret buys you NOTHING.

Gosh, you're so right.  It's impossible someone might submit their real
ruleset from a hotmail/yahoo/myrealbox email account.  What was I ever
thinking.  Let's make it a requisite that all folks with broken rulesets
post their firewall's external IP information to the list.  /sarcasm

Henning, it's unfortunate that you probably think I'm on the other side
of the fence.  That's not at all the case... you're just being
unreasonable.  So be it, we'll agree to disagree.

-J.

Re: PF related crash? (fwd)

[kjell]

 Gosh, you're so right.  It's impossible someone might submit their real
 ruleset from a hotmail/yahoo/myrealbox email account.  What was I ever
 thinking.  Let's make it a requisite that all folks with broken rulesets
 post their firewall's external IP information to the list.  /sarcasm

There is nothing more frustrating than trying to help someone with a
problem, and then realizing you spent your time debugging a 
typo made when obfuscating IP addresses.

Also, when these addresses are obfuscated, often they are NOT done
in a consistent manner. This makes the config files
impossible to read.

it is ALWAYS easiest to track down a problem from the actual
ruleset used. Unless you have a good reason to change something,
DON'T.

-kj

Re: PF related crash? (fwd)

[Jason Dixon]

On Sun, 2003-02-23 at 19:49, [EMAIL PROTECTED] wrote:
 There is nothing more frustrating than trying to help someone with a
 problem, and then realizing you spent your time debugging a 
 typo made when obfuscating IP addresses.
 
 Also, when these addresses are obfuscated, often they are NOT done
 in a consistent manner. This makes the config files
 impossible to read.
 
 it is ALWAYS easiest to track down a problem from the actual
 ruleset used. Unless you have a good reason to change something,
 DON'T.

I'm still aghast that you neglect to recognize this fellow's instance as
a situation that falls into this scenario.  Did you even bother to
review his ruleset?  He was allowing EVERYTHING... with quick, without
state.  What, for gosh sake, WOULD you consider an ok situation to
obfuscate his external address?  Not to mention it was only submitted in
ONE place... a macro!

Are you suggesting that, more often than not, folks post their ruleset
with macros so obfuscated as to render them illegible?  Or perhaps
you're simply fabricating an impractical happenstance to validate your
zealotry?

14.230.99.0   #imaginary
xx.xx.xx.0#obfuscated

Was that really so confusing?

-J.

Re: PF related crash? (fwd)

[kjell]

  There is nothing more frustrating than trying to help someone with a
  problem, and then realizing you spent your time debugging a 
  typo made when obfuscating IP addresses.

 Are you suggesting that, more often than not, folks post their ruleset
 with macros so obfuscated as to render them illegible?  Or perhaps
 you're simply fabricating an impractical happenstance to validate your
 zealotry?

right. I made up that impractical happenstance. I frequently
make up hypothetical situations and act like they really happened,
because I want people to think I'm important.

no, Jason. I'm saying when people mangle their rulefiles before
posting them, THEY OFTEN MANGLE THEIR RULEFILES. This is why I don't
bother reading obviously mangled rulefiles any more.

out

-kj