Re: Very Annoying problem... blocks everything...
On Tue, Dec 17, 2002 at 01:33:18AM -0600, Shawn Mitchell wrote:
> 07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 > 205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 07:23:29.042444 rule 6/0(match): block in on dc1: 65.172.62.145.1145 > 64.12.161.153.5190: S 36704427:36704427(0) win 8192 <mss 536,nop,nop,sackOK> (DF)

i have no idea what you're trying to accomplish. can you please post:

1) a map of your network topology
2) the purpose of each subnet
3) an updated ruleset
4) the overall goals you're trying to accomplish

again, i am going cross-eyed reading your posts and trying to guess all of this information.

- jolan
It works! (was: Very Annoying problem... blocks everything...)
Yeah... it was getting ugly. I was trying to keep a nice format to it; as I found out very quickly, it helps to have a good format. When you're dealing with having to control packets going in and out, the two lines are the same except for the in and out statement. Well, if the two lines are the same length, you're ok. If not, then you probably got a typo!

But anyway, I took out all of the quick statements. Made it look a LOT nicer, and improved the comments. I took out some of the double rules that I have... cleaned up where some of the rules were... took out some I no longer needed because of the changes. But... I finally got it working! I'm still having to tweak it here and there... But it's a great learning process...

I can honestly say that OBSD's pf is a LOT better than iptables in Linux. The logging function to log into its own pseudo interface is GREAT. It's a lot easier with pf to build some cool stuff. I did at one point tighten stuff down too much, so I had to open it up a little here and there. But like I said, it's a learning process.

Now for another question... How do I control the bandwidth via OpenBSD to any given IP address? Also, is there any way to log some stuff to syslog with prefixes? That is one thing I like about Linux... just the prefix option...

btw... thx for the help everyone!

-----Original Message-----
From: Luiz Gustavo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Very Annoying problem... blocks everything...

On Mon, Dec 16, 2002 at 04:20:01PM -0600, [EMAIL PROTECTED] wrote:
> http://www.iodamedia.net/pf.conf
> Go grab it.. and tell me what I'm doing wrong!

Sorry dude, but your conf looks butt ugly... :/ Like C code, good style helps a lot.

-- 
gustavo
DCCC F540 C429 5636 EECF 5816 28E6 792E D820 15DE
Very Annoying problem... blocks everything...
Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it. Here's my setup:

AMD 2300 w/ 512mb DDR ram
512mb flash drive
5 10/100 network cards

I have 4 networks right now, one of them is the internet. So let's call them Inet, A, B, and C. Network C is the network with all mail/web/dns/etc servers on it. A and B are networks; I could really care less what traffic goes to them, and from them, going to/from the internet and each other. I want networks A and B to be able to only access the mail servers on ports 25/110/80/443, dns servers on port 53, webservers on ports 80/443, and a couple of other servers via ftp.

Should be very simple. I set up some rules to allow all traffic from Inet going to A and B. I then allowed all traffic from A and B going to Inet to pass through. I then set up some holes on C, to allow those ports to those servers that I want open. I also allowed network C to access http/https/ftp/dns/mail outside of its network. I have a catch-all at the bottom of my script, to just block everything that doesn't fit into anything else.

I enable it... what happens... I lose connectivity to all the networks. Nothing can see anything outside of their network. Do a ping from the firewall, and you get:

ping: sendto: No route to host
ping: wrote 192.168.3.250 64 chars, ret=-1

Anyone have any ideas?
Re: Very Annoying problem... blocks everything...
Shawn,

Multi-interface packet filtering can be tricky. Could you post your rules? Without that, all we can probably say is that you have a misconfiguration somewhere.

IIRC, creating stateful inspection on one interface does not allow the packets to go through other interfaces. This is my first guess as to your problem.

==ml

On Mon, Dec 16, 2002 at 03:03:53PM -0600, [EMAIL PROTECTED] wrote:
> Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it. Here's my setup:
> [...]
> I enable it... what happens... I lose connectivity to all the networks. Nothing can see anything outside of their network. Do a ping from the firewall, and you get:
>
> ping: sendto: No route to host
> ping: wrote 192.168.3.250 64 chars, ret=-1
>
> Anyone have any ideas?

-- 
Michael Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.AbsoluteBSD.com/
RE: Very Annoying problem... blocks everything...
Only on the dc0 interface. The 192.168.3.0/24 block is on the dc1 interface. The dc0 interface goes to the internet... I don't want/need to send anything from 192.168/16 to the internet since they're 1918 addys...

-Shawn

> > Do you have all routing set up correctly? Is the network that 192.168.3.250 is on in the same subnet as one of the firewall interfaces? Or is it a separate network? You'd need to add a route for it if it's separate. I had something funky happen with my routes at one point and had to re-add.
> >
> > Good luck
> >
> > > I enable it... what happens... I lose connectivity to all the networks. Nothing can see anything outside of their network. Do a ping from the firewall, and you get:
> > >
> > > ping: sendto: No route to host
> > > ping: wrote 192.168.3.250 64 chars, ret=-1
> > >
> > > Anyone have any ideas?
>
> > block in log quick on dc0 inet from { 172.16.0.0/12 , 192.168.0.0/16
>
> Is 192.168.3.250 included in this rule?
Re: Very Annoying problem... blocks everything...
[EMAIL PROTECTED] wrote:
> http://www.iodamedia.net/pf.conf
> Go grab it.. and tell me what I'm doing wrong!
> -Shawn

Your ruleset is quite large to debug just by looking at it. But one error quickly sprang to my eyes: you're blocking the loopback interface, which is certainly a bad idea.

Clemens
RE: Very Annoying problem... blocks everything...
On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
> Doesn't matter what IP address on any interface you ping. All comes back with the same thing. I turned on logging to see what wasn't making it and such. I'm seeing DNS requests getting blocked... Routing is not an issue. The packets (ICMP, et al) are getting blocked. I do a pfctl -f /etc/pf.conf -e and I can't ping anything... I do a pfctl -d to turn it off... and everything goes back to working just fine.

Sure sounds to me like you're blocking traffic to/from your gateway. I assume you've studied your logs? All of your block rules appear to be logging, so I'm not sure why we haven't seen any mention of what might be (or might not be) appearing in your log. Run

    tcpdump -nettti pflog0

as you run your ping tests. That will tell you which rule is causing your headache. Then run

    pfctl -s rules | grep rule #

to find out which one it is.

Honestly, your ruleset is giving *me* headaches just looking at it. Your background with Linux (that's not a rip; hell, I'm an RHCE) certainly shows. Try to avoid the default behavior towards quick unless you're really sure that's what you want. You don't need to worry about performance... skip steps really avoid the extra processing overhead.

-J.
RE: Very Annoying problem... blocks everything...
On the tcpdump -nettti pflog0 command, should everything match the last two rules, which are:

pass in log quick inet from any to any
pass out log quick inet from any to any

They were block, but I changed them to pass so I could better see what's going on with live traffic...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Dixon
Sent: Monday, December 16, 2002 8:42 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...

On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
> Doesn't matter what IP address on any interface you ping. All comes back with the same thing.
> [...]

Sure sounds to me like you're blocking traffic to/from your gateway. I assume you've studied your logs? All of your block rules appear to be logging, so I'm not sure why we haven't seen any mention of what might be (or might not be) appearing in your log. Run tcpdump -nettti pflog0 as you run your ping tests. That will tell you which rule is causing your headache. Then run pfctl -s rules | grep rule # to find out which one it is.
[...]
-J.
RE: Very Annoying problem... blocks everything...
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> On the tcpdump -nettti pflog0 command, should everything match the last two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any

No. You have a gazillion other quick rules in front of these. The first one that matches is going to force the action. That's why quick should be used very conservatively. Otherwise, last match wins.

> They were block, but I changed them to pass so I could better see what's going on with live traffic...

Don't start changing your rules without monitoring your traffic. What kind of logged traffic are you seeing? We can't help you if you don't work with us.

-J.
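Jason's point (quick ends evaluation on the spot, otherwise the last matching rule wins) is the one thing people coming from a first-match firewall get backwards, and it explains why a trailing "pass ... any to any" never sees the packets an earlier quick block matched. The Python below is an added example, not code from this thread or from pf: a toy evaluator that applies those two precedence rules to constructed rulesets. It parses only a small pf.conf subset (one address per side, an optional destination port, no lists in braces), and the rulesets, interface names and addresses in it are made up for illustration, not Shawn's actual pf.conf. It also goes one step beyond the thread's exact rules to show the mirror-image mistake: a catch-all block at the bottom without quick overrides every pass rule above it.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).
pf walks the whole ruleset and the LAST matching rule decides, unless a
matching rule carries `quick`, which ends evaluation immediately."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # interface the packet is seen on, e.g. "dc0"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None     # None matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False


def parse_rule(line: str) -> Rule:
    """Parse a small pf.conf subset: one address per side, one destination port."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "quick":
            rule.quick = True
            i += 1
        elif tok in ("log", "inet", "all"):   # no effect on matching in this model
            i += 1
        elif tok in ("on", "proto"):
            setattr(rule, "iface" if tok == "on" else "proto", toks[i + 1])
            i += 2
        elif tok in ("from", "to"):
            setattr(rule, "src" if tok == "from" else "dst", toks[i + 1])
            i += 2
            if tok == "to" and i < len(toks) and toks[i] == "port":
                rule.dport = int(toks[i + 1])
                i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); index None means nothing
    matched, in which case pf's implicit default is pass."""
    winner = None
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            winner = idx
            if rule.quick:          # quick: stop here, this rule decides
                break
    return ("pass", None) if winner is None else (rules[winner].action, winner)


# Constructed rulesets in the spirit of the thread, not Shawn's actual pf.conf.
# A: iptables habit -- pass rules on top, catch-all block at the bottom, no quick.
#    Under last-match-wins the bottom block overrides every pass above it.
RULESET_A = [parse_rule(r) for r in (
    "pass in on dc1 proto tcp from 192.168.3.0/24 to any port 25",
    "block in log all",
    "block out log all")]
# B: the pf idiom -- default block first, specific pass rules later so they win.
RULESET_B = [parse_rule(r) for r in (
    "block in log all",
    "block out log all",
    "pass in on dc1 proto tcp from 192.168.3.0/24 to any port 25")]
# C: a quick block up front; the trailing "pass ... any to any" never sees
#    the packets the block matched (Jason's point).
RULESET_C = [parse_rule(r) for r in (
    "block in log quick on dc0 inet from 192.168.0.0/16 to any",
    "pass in log quick inet from any to any")]

SMTP_FROM_LAN = Packet("in", "dc1", "tcp", "192.168.3.250", "198.51.100.10", 25)
RFC1918_ON_DC0 = Packet("in", "dc0", "tcp", "192.168.3.250", "203.0.113.5", 80)
PUBLIC_ON_DC0 = Packet("in", "dc0", "tcp", "203.0.113.9", "203.0.113.5", 80)

if __name__ == "__main__":
    for name, rules, pkt in (("A", RULESET_A, SMTP_FROM_LAN), ("B", RULESET_B, SMTP_FROM_LAN),
                             ("C", RULESET_C, RFC1918_ON_DC0), ("C", RULESET_C, PUBLIC_ON_DC0)):
        print(f"ruleset {name}: {pkt.src} -> {pkt.dst}:{pkt.dport} => {evaluate(rules, pkt)}")
```

Ruleset A blocks the SMTP packet even though a pass rule matched it first, ruleset B passes it with the same rules in the opposite order, and in ruleset C the RFC 1918 source is decided by rule 0 before the final pass rule is ever consulted. Running tcpdump on pflog0, as Jason suggests, shows exactly these rule numbers for each logged packet.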
RE: Very Annoying problem... blocks everything...
208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979525 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979532 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979612 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979618 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979698 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979704 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979785 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979791 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979872 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979879 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979959 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
22:08:16.979965 68.40.56.75.4934 > 208.23.207.24.445: S 974117744:974117744(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
===

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Dixon
Sent: Monday, December 16, 2002 9:52 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...

On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> On the tcpdump -nettti pflog0 command, should everything match the last two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any

No. You have a gazillion other quick rules in front of these. The first one that matches is going to force the action. That's why quick should be used very conservatively. Otherwise, last match wins.

> They were block, but I changed them to pass so I could better see what's going on with live traffic...

Don't start changing your rules without monitoring your traffic. What kind of logged traffic are you seeing? We can't help you if you don't work with us.

-J.
RE: Very Annoying problem... blocks everything...
Ok... I said screw it and completely re-did the config. I've got most of it working, but I'm still showing just a few weird things that are getting blocked now... 6 is my block in, 7 is my block out. All of the other DNS is working just fine... I just see port 53 in here a couple of times...

07:23:24.345466 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.31.108.206.3379: udp 12
07:23:24.502276 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.168.173.82.2805: udp 12
07:23:24.783620 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:25.354632 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.25.23.239.1873: udp 12
07:23:25.404610 rule 7/0(match): block out on dc0: 213.67.113.237.3342 > 65.172.61.201.6346: S 3848218851:3848218851(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:23:25.413441 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 134.129.63.205.2672: udp 12
07:23:26.105551 rule 6/0(match): block in on dc1: 65.172.62.58.3777 > 62.195.38.112.2064: S 2594810045:2594810045(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
07:23:26.282313 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:26.365464 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.27.244.188.1261: udp 12
07:23:26.522323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.166.158.173.2239: udp 12
07:23:27.374891 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.30.166.133.2571: udp 12
07:23:27.482349 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.31.25.21.2886: udp 12
07:23:27.553453 rule 6/0(match): block in on dc1: 65.172.62.134.1709 > 172.145.107.136.3014: P 451548289:451548691(402) ack 14364311 win 9112 (DF)
07:23:28.374805 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.35.72.29.1519: udp 12
07:23:28.513473 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.171.14.29.1795: udp 12
07:23:28.602579 rule 6/0(match): block in on dc1: 65.172.62.134.1706 > 207.69.113.152.3607: P 450659155:450659527(372) ack 852793283 win 9112 (DF)
07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 > 205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:23:29.042444 rule 6/0(match): block in on dc1: 65.172.62.145.1145 > 64.12.161.153.5190: S 36704427:36704427(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
07:23:29.365514 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.35.65.139.2063: udp 12
07:23:29.453323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 216.98.72.126.1826: udp 12
==

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Dixon
Sent: Monday, December 16, 2002 9:52 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...

On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> On the tcpdump -nettti pflog0 command, should everything match the last two rules, which are:
> [...]

No. You have a gazillion other quick rules in front of these. The first one that matches is going to force the action. That's why quick should be used very conservatively. Otherwise, last match wins.
[...]
-J.
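Reading a pflog dump like the one above by eye is what had jolan going cross-eyed. The following Python is an added example, not code from the thread, from pf or from tcpdump: it parses lines in the format Shawn posted (tcpdump -e on the pflog interface, as produced by the tcpdump -nettti pflog0 command Jason suggested) and groups the drops by rule number, interface and destination port, so the rule to look up with pfctl is obvious at a glance. The sample input is a constructed subset of the lines from Shawn's post plus one junk line, included to show that input that is not pflog output is skipped rather than misparsed; the regular expression is an assumption tied to that exact line format.

```python
"""Summarise pflog output captured with `tcpdump -nettti pflog0` (added example).
Groups blocked packets by rule number, interface and destination port so the
offending rule can be looked up with pfctl instead of read out of raw lines."""
import re
from collections import Counter

# One pflog line as shown in the thread: timestamp, "rule N/M(reason):", action,
# direction, interface, "src > dst:" and whatever tcpdump decoded from the payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$"
)


def split_addr(addr: str):
    """tcpdump -n prints host.port: '65.172.62.58.3973' -> ('65.172.62.58', 3973)."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def parse_pflog_line(line: str):
    """Return a dict for one pflog line, or None when the line is not pflog output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_addr(m["src"])
    dst, dport = split_addr(m["dst"])
    payload = m["payload"]
    if payload.startswith("udp"):
        proto = "udp"
    elif dport == 53 and "?" in payload:
        proto = "dns"   # tcpdump decodes port-53 queries as "<id>+ <type>? <name>."
    else:
        proto = "tcp"   # TCP lines start with flags (S, P, .) and seq/ack numbers
    return {
        "ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
        "dir": m["dir"], "iface": m["iface"], "src": src, "sport": sport,
        "dst": dst, "dport": dport, "proto": proto, "payload": payload,
    }


def summarize(lines):
    """Count drops per (rule, direction, interface) and per (proto, dport)."""
    records = [r for r in map(parse_pflog_line, lines) if r is not None]
    return {
        "parsed": len(records),
        "by_rule": Counter((r["rule"], r["dir"], r["iface"]) for r in records),
        "by_dport": Counter((r["proto"], r["dport"]) for r in records),
        # names of the dropped DNS lookups, i.e. the port 53 hits Shawn noticed
        "dns_names": sorted({r["payload"].split()[2] for r in records if r["proto"] == "dns"}),
    }


# Constructed sample: a subset of the lines from the post above plus one junk line.
SAMPLE_PFLOG = """\
07:23:24.345466 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.31.108.206.3379: udp 12
07:23:24.783620 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:25.404610 rule 7/0(match): block out on dc0: 213.67.113.237.3342 > 65.172.61.201.6346: S 3848218851:3848218851(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:23:26.105551 rule 6/0(match): block in on dc1: 65.172.62.58.3777 > 62.195.38.112.2064: S 2594810045:2594810045(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
07:23:26.282313 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:27.553453 rule 6/0(match): block in on dc1: 65.172.62.134.1709 > 172.145.107.136.3014: P 451548289:451548691(402) ack 14364311 win 9112 (DF)
07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 > 205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
this line is not pflog output and is skipped
""".splitlines()


if __name__ == "__main__":
    report = summarize(SAMPLE_PFLOG)
    print(f"parsed {report['parsed']} pflog lines")
    for (rule, direction, iface), n in report["by_rule"].most_common():
        print(f"  rule {rule:>3} {direction:<3} on {iface}: {n} packets")
    for (proto, dport), n in report["by_dport"].most_common():
        print(f"  {proto}/{dport}: {n}")
    print("  dropped DNS lookups:", ", ".join(report["dns_names"]))
```

On the sample, every inbound drop is rule 6 on dc1 and the two port 53 entries are the same lookup from 65.172.62.152 to 198.77.116.8 that Shawn asked about, so the next step is to put rule 6 next to the pass rules that were meant to cover that traffic and see which one lost under last-match-wins. Feeding the script live output (`tcpdump -nettti pflog0 | python3 thisfile.py` with `sys.stdin` in place of the sample) turns the same summary into a running tally.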
Re: Very Annoying problem... blocks everything...
Do you have all routing set up correctly? Is the network that 192.168.3.250 is on in the same subnet as one of the firewall interfaces? Or is it a separate network? You'd need to add a route for it if it's separate. I had something funky happen with my routes at one point and had to re-add.

Good luck

> I enable it... what happens... I lose connectivity to all the networks. Nothing can see anything outside of their network. Do a ping from the firewall, and you get:
>
> ping: sendto: No route to host
> ping: wrote 192.168.3.250 64 chars, ret=-1
>
> Anyone have any ideas?