Re: My firewall

2005-01-19 Thread J. Rivero
Hi Peter,

I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you are using.

I hope it is going to be helpful. It can be used to
learn about macros as well.

Some comments:

- Don't use 'pass in all' as a default. You are totally
open.
- Check out the declaration of my network's macros.
Compare to yours.
- Opening ssh (port 22) directly on your firewall can
be an invitation for an attacker. Try
to redirect it to another machine other than to your
firewall.

For example:
ssh_ad = 192.168.1.22
rdr on $ext_if proto tcp from any to $ext_ad port ssh -> $ssh_ad port ssh

Best of luck, J. Rivero

MTE Technology
mtechno.net
J. Rivero 
3629 203rd Street 
Langley, B.C. 
V3A6A6 
Tel. (604)-514-9092 
Cell (778) 839-3395

 --- R T [EMAIL PROTECTED] wrote: 
 Hello folks. I'm trying to get my OpenBSD 3.5 machine
 set up as a router. Here's the info so far:
 xl0  network card getting dhcp address from my isp
 ep1  network card hooked to my laptop  192.168.1.1
 netmask 255.255.255.0
 
 The laptop is windows and has 192.168.1.2 as its ip.
 I can ping the laptop, and the laptop can ping the
 OpenBSD box, but so far I can't get the laptop onto
 the internet at all. My pf.conf is quite simple
 compared to some examples I've seen and I'm thinking
 it's too simple perhaps...
 
 #   $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
 #  gatewolf rules (experimental)
 #
 ext_if=xl0
 int_if=ep1
 internal_net=10.1.1.1/8
 external_addr=192.168.1.1
 
 # Filtering: the implicit first two rules are
 pass in all
 pass out all
 
 # block all incoming packets but allow ssh, pass all outgoing tcp and udp
 # connections and keep state, logging blocked packets.
 block in log all
 pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
 pass  out on $ext_if proto { tcp, udp } all keep state
 
 # pass incoming packets destined to the addresses given in table <foo>.
 pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
 
 # My silly rules
 pass in  on xl0 all
 pass out on xl0 all
 pass in  on ep1  all
 pass out on ep1  all
 
 any ideas as to what I have done wrong folks?
 Thanks...
 
 
pf.conf:

#
# macro definitions
#
# ext_if -- external interface, connects the firewall to the
#           outside world
# prv_if -- private interface, connects the private network
#           segment to the firewall
#
ext_if = rl0
prv_if = rl1

#
# ext_ad  -- the IPv4 address of the ext_if external interface
# prv_ad  -- the range of IPv4 addresses on the private network
# int_net -- internal subnets
#
ext_ad = $ext_if/32
prv_ad = 192.168.0.0/24
int_net = { 192.168.0.0/24, 10.0.0.0/24 }
nonroutable = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, \
                10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, \
                204.152.64.0/23, 224.0.0.0/3 }

#
# options: set
#
set limit { frags 1, states 1 }
set loginterface $ext_if
set block-policy return

# table containing all the IP addresses assigned to the firewall
table <firewall> const { self }

scrub in  all fragment reassemble
scrub out all fragment reassemble

#
# NAT rules: rdr, nat, binat
#
nat on $ext_if from $prv_ad to any -> $ext_ad

#
# filtering
#
block all
antispoof quick for $prv_if inet

# filter rules for ext_if
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# filter rules for prv_if
pass in  on $prv_if from $prv_ad to any keep state
pass out on $prv_if from any to $prv_ad keep state



Re: my firewall

2005-01-19 Thread Jason Opperisano
On Wed, Jan 19, 2005 at 02:07:10PM -0700, R T wrote:
 Hello folks. Thanks to everyone who responded to my problem. The laptop can 
 use the internet now, however it won't resolve host names properly. For 
 example, it wouldn't connect to www.google.ca but it would to 64.233.167.104 
 Same for IRC, XChat wouldn't connect to eu.undernet.org but it would connect to 
 195.68.221.221   ...weird, huh?

it sounds like you don't have the proper DNS servers set on your client
machine.

 Here's the pf.conf I'm using:
 ===
 # Gatewolf pf rules
 #
 ext_if = xl0
 int_if = ep1
 
 nat on $ext_if from 192.168.1.2 to any -> ($ext_if)

any reason you're only NAT-ing for a single IP?

 block in  log all
 block out log all
 
 pass in quick on lo0 all
 pass out quick on lo0 all
 
 pass in  quick on $int_if from any to any
 pass out quick on $int_if from any to any
 
 pass quick all

you *do* realize that your firewall doesn't actually *firewall*
anything, right?

-j

--
Kids, you tried your best and you failed miserably. The lesson is,
 never try.
--The Simpsons


my firewall OR gee im stupid...

2005-01-19 Thread R T
Yeah, dns wasn't set on the laptop, not too bright today. It's working fine now. 
Now to learn about making it an actual firewall  :)   Thanks guys for the help!
R.T.


Re: my firewall

2005-01-19 Thread pf-r
R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can use the internet now, however it won't resolve host names properly. For example, it wouldn't connect to www.google.ca but it would to 64.233.167.104 
Same for IRC, XChat wouldn't connect to eu.undernet.org but it would connect to 195.68.221.221   ...weird, huh?

Here's the pf.conf I'm using:
===
# Gatewolf pf rules
#
ext_if = xl0
int_if = ep1
nat on $ext_if from 192.168.1.2 to any -> ($ext_if)
block in  log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in  quick on $int_if from any to any
pass out quick on $int_if from any to any
pass quick all
===
Ummm...  You are wide open to the outside world...  Get rid of that last 
line ASAP.

You should probably study some real-world examples to get a feel for how 
your pf.conf should be structured.  Luckily, you can browse to 
https://solarflux.org/pf/ where I've compliled a (now aging) list of 
good examples to learn (and create a solid pf.conf) from.  You can also 
visit #pf on irc.freenode.net and ask questions there; you might not get 
a response right away, since most everyone there lurks (myself 
included), but there are some knowledgeable people hanging around #pf.

Sorry to hijack the thread, but asking basic questions here is generally 
frowned upon.

-S
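The point Jason and -S are both making (that a final `pass quick all` leaves nothing filtered) follows from how pf walks a ruleset: the last matching rule wins, unless a matching rule carries `quick`, in which case evaluation stops at that rule. The Python below is an added example that models exactly that walk; it is not code from the thread or from pf itself. It understands only a small subset of pf.conf syntax, ignores addresses, state, NAT and scrub, and the three probe packets and the "tightened" ruleset are constructed for the illustration.

```python
"""Toy model of pf rule evaluation: the last matching rule wins unless a
matching rule says 'quick', which ends evaluation there.  Added example for
this thread, not pf code; it parses a small pf.conf subset and ignores
addresses, state, NAT and scrub."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out" relative to the firewall
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str]    # None in any of these fields means "any"
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    text: str                   # rule after macro expansion, for reporting

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# Subset: action [dir] [log] [quick] [on IF] [proto P] [all | from A to B]
# [port N] [keep|modulate state].  Addresses are parsed but not matched on.
RULE_RE = re.compile(r"""
    ^(?P<action>pass|block)
    (?:\s+(?P<dir>in|out))?
    (?:\s+log)?
    (?:\s+(?P<quick>quick))?
    (?:\s+on\s+(?P<iface>\S+))?
    (?:\s+proto\s+(?P<proto>\S+))?
    (?:\s+(?:all|from\s+\S+\s+to\s+\S+))?
    (?:\s+port\s+(?P<port>\d+))?
    (?:\s+(?:keep|modulate)\s+state)?
    \s*$""", re.X)

def parse_ruleset(text: str, macros: Dict[str, str]) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        for name, value in macros.items():        # $ext_if -> xl0, ...
            line = line.replace("$" + name, value)
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("rule outside this model's subset: " + raw)
        rules.append(Rule(m["action"], m["dir"], m["quick"] is not None,
                          m["iface"], m["proto"],
                          int(m["port"]) if m["port"] else None, line))
    return rules

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the ruleset as pf does; with no match at all pf passes."""
    verdict, winner = "pass", "<no rule matched: implicit pass>"
    for r in rules:
        if r.matches(p):
            verdict, winner = r.action, r.text
            if r.quick:                           # stop: later rules never run
                break
    return verdict, winner

MACROS = {"ext_if": "xl0", "int_if": "ep1"}

# R T's filter rules as posted (nat and lo0 rules omitted; they do not
# affect the packets below).
POSTED = """
block in  log all
block out log all
pass in  quick on $int_if from any to any
pass out quick on $int_if from any to any
pass quick all
"""

# Constructed alternative: last line replaced by stateful outbound-only
# rules on the external interface.
TIGHTENED = """
block in  log all
block out log all
pass in  quick on $int_if from any to any
pass out quick on $int_if from any to any
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state
"""

def verdicts() -> Dict[str, Dict[str, str]]:
    """Constructed probes: an unsolicited SYN to ssh from the Internet, the
    laptop's web request leaving on xl0, and that request entering on ep1."""
    probes = {"inbound_ssh": Packet("in", "xl0", "tcp", 22),
              "outbound_web": Packet("out", "xl0", "tcp", 80),
              "lan_in": Packet("in", "ep1", "tcp", 80)}
    result = {}
    for name, text in (("posted", POSTED), ("tightened", TIGHTENED)):
        rules = parse_ruleset(text, MACROS)
        result[name] = {k: evaluate(rules, p)[0] for k, p in probes.items()}
    return result
```

Running `verdicts()` shows the posted ruleset passing the unsolicited SYN to port 22 (the winning rule is `pass quick all`), while the tightened ruleset blocks it and still lets the laptop's request out on xl0; the replies to that request would come back in through the state entry, which this model does not track.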



Re: my firewall

2005-01-19 Thread pf-r
OOPS-
pf-r wrote:
where I've compliled a (now aging) list of 
s/compliled/compiled
BTW, if anyone wants to submit pf.conf examples with accompanying 'pfctl 
-sr' (or alternative) outputs for posting on the pf-r, visit #pf and 
speak up.

-S



Re: my firewall OR gee im stupid...

2005-01-19 Thread Rick Barter
R T wrote:
Yeah, dns wasnt set on the laptop, not too bright today. Its working fine now. 
Now to learn about making it an actual firewall  :)   Thanks guys for the help!
R.T.
No problem, RT.  Good luck.
rvb


Re: How do I change my firewall ports to stealth mode?

2004-10-01 Thread Greg Wooledge
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:
 On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
 Personally, I prefer not to reveal the usernames behind the client
 connections I'm making, so I use nullidentd.
 What's better about that than making the flags -Hole on the inetd
 settings for identd?

Well, for one, when I started out on OpenBSD 3.0, there wasn't a -H
flag
http://www.openbsd.org/cgi-bin/man.cgi?query=identd&apropos=0&sektion=0&manpath=OpenBSD+3.0&arch=i386&format=html

I'm not in the habit of re-checking the man pages for every command
with every new release (nor am I subscribed to the CVS commit list),
so I didn't know this feature had been added.

Meanwhile, nullidentd does precisely what I want it to do, so there's
very little reason for me to switch.  New users who are just starting
out, though, may prefer to use the in-tree identd.

-- 
Greg Wooledge  |   Truth belongs to everybody.
[EMAIL PROTECTED]  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |




Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
Lars Hansson wrote:
OpenBSD does this by default in inetd.conf.
Correction, it doesn't.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.  It's very simplistic; it
just returns a constant string for all ident requests.  (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)
Any particular reason you didn't just use the -h/-H and -o options with 
the standard OpenBSD identd?

---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Rod.. Whitworth
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:

Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.  It's very simplistic; it
just returns a constant string for all ident requests.  (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)


What's better about that than making the flags -Hole on the inetd
settings for identd?
I haven't been got at in any way using that.  Any need for another
approach?

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.







Re: How do I change my firewall ports to stealth mode?

2004-09-29 Thread Lars Hansson
[EMAIL PROTECTED] wrote:
http://www.clock.org/~fair/opinion/identd.html
Thanks for giving a link that nicely illustrates my point about people 
not understanding what ident does:

The upshot of these assumptions is that when your system contacts the 
identd server of a remote system, you can trust the data returned that 
supposedly identifies a user who is trying to use a network service on 
your server,...

That's exactly what ident is NOT intended to do, it's intended to help 
the admin of the machine connecting to *YOUR* machine if/when you need 
to coordinate something with him/her.

---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Jason Dixon
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
I changed the block-policy from return to drop. Now my ports except
113 are showing up as stealthed while testing from
http://www.grc.com/x/ne.dll?rh1dkyd2
The Port 113 was opened because the PF FAQ asked to open it for SMTP
Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
ICMP Echo Requests: the ICMP packet type used by ping(8). 
Now ask yourself-  what's the point of dropping packets (woo, I'm in 
stealth mode, woo...), when a simple 1-1024 portscan will reveal you 
thanks to port 113 accepting connections (or sending resets, not sure 
if your identd is actually running)?  Why wouldn't you rather just deny 
all and avoid behaving like a doof?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Hi Jason!

Thanks for the reply!

But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?

regards

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:

 But if I can get port 113 also in adaptive stealth mode like Zonealarm
 did then it would be better isn't it?

Not really. It can give a false sense of security, because you assume
the 'adaptive' part can't be tricked by the attacker. See

  http://marc.theaimsgroup.com/?t=10490548072

for more details.

In short, pf doesn't have such a feature, and it's unlikely that it will
have. If it's an essential requirement for you, you'll have to look
elsewhere.

Daniel


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Oliver Humpage
on 28/9/04 12:16 pm, Siju George at [EMAIL PROTECTED] wrote:

 Hi Jason!
 
 Thanks for the reply!
 
 But if I can get port 113 also in adaptive stealth mode like Zonealarm
 did then it would be better isn't it?

If you're just trying to hide, then no. Personally I send RSTs on blocked
ports, partly because I think it's more polite, but also because filtered
ports show there's a firewall in the way, whereas RSTs could come from a
firewall or a host.

As someone said, the only advantage to a drop policy is it slows down
portscans, but that's irrelevant if we're talking about just one port.

Although Zonealarm's explanation was a bit hazy, it sounds as if it simply
drops the packet if there's no state associated with the remote server,
which is easy to do with pf (just accept packets with keep state flags
S/SAFR and then block anything else on port 113). If Zonealarm's not using
states, how else can it know if there's an existing relationship with the
remote server...?

Oliver.


-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.



Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Volker Kindermann
Hi Siju,


 The Port 113 was opened because the PF FAQ asked to open it for SMTP
 
 Auth/Ident (TCP port 113): used by some services such as SMTP and IRC. 
 ICMP Echo Requests: the ICMP packet type used by ping(8). 

I know that this is in the pf faq but I don't think that you really need it. I don't 
know about IRC but you mentioned only SMTP on your side.

I have been running email servers for years now and have never run an identd. And my clients don't 
have an identd running either. I don't think that you need this for SMTP nowadays.

 -volker


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote:
I was using Zone Alarm before on a Windows 2000 Firewall. All its ports
were shown as Stealthed but still SMTP server access was possible!
So further digging I got this explanation from the website that
conducted the test.
Adaptive Stealthing means that when a TCP SYN packet arrives to
request a connection to your machine's port 113, ZoneAlarm checks, on
the fly, to see whether your machine currently has any sort of
relationship with the remote machine (such as a pending outgoing
connection attempt). If so, the remote machine is considered to be
friendly and its IDENT request packet is allowed to pass through
ZoneAlarm's firewall. But if the IDENT originating machine is not
known to ZoneAlarm as a friendly machine, the connection requesting
packet is dropped and discarded, rendering port 113 stealth to all
unknown port scanners. It's very slick. 
Is there any way to do this in OpenBSD?
No, there's no point.
People who say identd is a source of severe information leakage does
not understand what ident does. If you feel paranoid, as I do, you can
always configure it to return random usernames.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
Thankyou Oliver for the reply and Explanation! It was very
informative. I'll also try the S/SAFR thing and see how it works!

God bless you

warm regards

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
 I know that this is in the pf faq but I don't think that you really need it. I don't 
 know about IRC but you mentioned only SMTP on your side.
 
 I have been running email servers for years now and have never run an identd. And my clients don't 
 have an identd running either. I don't think that you need this for SMTP nowadays.
 
 -volker
 

I don't think we have IRC. It's almost time to close office. I'll try
your suggestion tomorrow and see if it works! If it works, fine,
because I'll have to show other guys who do not have all this
technical knowledge that OpenBSD can do what Zone Alarm can do and
much better, at least till they also learn the truth.

Thanks a lot all you precious folks!

Take care

God bless you all

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Siju George
 People who say identd is a source of severe information leakage does
 not understand what ident does. If you feel paranoid, as I do, you can
 always configure it to return random usernames.
 
 ---
 Lars Hansson

Hi Lars! Thanks a lot for the reply! Will the manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?

Thanks a lot

God bless you.

Siju


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Siju George writes:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
http://www.clock.org/~fair/opinion/identd.html 


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread interval
Kevin writes:
Many IRC servers will drop sessions if they cannot talk to an ident
service on the originating end.  If you don't want your users to be on
IRC;  this could be considered as a benefit of blocking TCP/113 ;)
Doubtful with IRC servers today. Although I'm not privy to the details
of IRC per se, I have set up a number of firewalls in my day and have
perused a lot of sockets code, and frankly, I would be surprised if
anyone on this forum found they needed ident working for anything,
including irc. I seriously doubt this is true any more. 

While the identd service is not *mandatory* on servers which send
outbound SMTP email,  many remote SMTP servers will query identd when
your machine connects as a SMTP client.
Again, not lately. This I do know something about. I know that Sendmail
and Qmail MTAs dropped any notion of needing ident for anything long ago.
Exchange and Imap servers certainly don't rely on it. 

Bottom line, if your server sends SMTP email to arbitrary remote SMTP
servers, it is detrimental to stealth ident.
Name one mta that needs ident. I'm not saying they don't exist, I'm
just curious. 


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Hennessy
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote:

 You don't
need it, nothing now depends on it, 

Not quite correct. Certain smtp, ftp and irc servers come to mind. 



-- 
SB: Wait, you mean the costumes themselves give you super powers? 
MM: Of course! Why else would we fly around in coloured undies?


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED] 
wrote:

Kevin writes:
Many IRC servers will drop sessions if they cannot talk to an ident 
service on the originating end.  If you don't want your users to be 
on IRC;  this could be considered as a benefit of blocking TCP/113 ;)
Doubtful with IRC servers today. Although I'm not privy to the details 
of IRC per se, I have set up a number of firewalls in my day and have 
perused a lot of sockets code, and frankly, I would be surprised if 
anyone one this forum found they needed ident working for anything, 
including irc. I seriously doubt this is true any more.
It is.  It's a mitigating mechanism for many types of 
worms/bots/whatever, since they aren't capable of poking holes in their 
computer owner's broadband NAT device.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Daniel Hartmeier
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:

 It is.  It's a mitigating mechanism for many types of 
 worms/bots/whatever, since they aren't capable of poking holes in their 
 computer owner's broadband NAT device.

That's what UPnP is for, isn't it?

SCNR,
Daniel


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread eric-list-pf
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed...

 It is.  It's a mitigating mechanism for many types of 
 worms/bots/whatever, since they aren't capable of poking holes in their 
 computer owner's broadband NAT device.

Yea, sure. I've seen *many* bots with identd running happily joining
command and control IRC servers. Those servers are almost always
rogue servers that don't care if identd is running.

What examples, specifically, are you referring to? I'm actually
curious.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Trevor Talbot
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is.  It's a mitigating mechanism for many types of 
worms/bots/whatever, since they aren't capable of poking holes in 
their computer owner's broadband NAT device.
That's what UPnP is for, isn't it?
*grin* luckily they don't seem to have caught up with that...
On Tuesday, Sep 28, 2004, at 16:39 US/Pacific, 
[EMAIL PROTECTED] wrote:

Yea, sure. I've seen *many* bots with identd running happily joining 
command and control IRC servers. Those servers are almost always rogue 
servers that don't care if identd is running.
Sure, there are always machines that aren't filtering identd, and of 
course the control servers won't care.  I said it was a mitigating 
thing, not a prevention thing :)

More of an issue are the things that attempt to spread, as those want 
to be on the big networks where everyone can see them.  The average 
exploited cable/DSL machine also won't have identd enabled.  Put two 
and two together, and it's useful.

Another use is requiring shell providers to properly identify their 
customers for abuse control, lest they lose all connectivity to an IRC 
network.  'Course, that only works if it's a network their customers 
care about, and it's a bit away from the original identd/pf scenario 
under discussion.

Anyway, IRC networks do still find ident useful and even require it at 
times.


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Lars Hansson
Siju George wrote:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
man identd, options -h and -H in particular.
OpenBSD does this by default in inetd.conf.
---
Lars Hansson


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Wooledge
Volker Kindermann ([EMAIL PROTECTED]) wrote:

 I have been running email servers for years now and have never run an identd. And my
 clients don't have an identd running either. I don't think that you need this
 for smtp nowadays.

It's never been mandatory for SMTP.  Some IRC servers do require it,
though.

Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.  It's very simplistic; it
just returns a constant string for all ident requests.  (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)

-- 
Greg Wooledge  |   Truth belongs to everybody.
[EMAIL PROTECTED]  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
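To make the options Greg and Lars describe concrete: an ident responder does not have to hand out the account name. It can answer every query with one fixed string (what Greg describes nullidentd doing), with an opaque but stable per-user handle (in the spirit of the hashed names Lars points to in identd's -h/-H options), or refuse with `ERROR : HIDDEN-USER`. The Python responder below is an added example, not nullidentd's or OpenBSD identd's code: the connection table, the secret, the `nobody` string and the HMAC token scheme are all constructed assumptions, and the token scheme is ours rather than the algorithm behind identd's flags.

```python
"""Minimal RFC 1413 (ident) responder that answers without disclosing the
local account name.  Added example for this thread, not nullidentd and not
OpenBSD's identd; the connection table, the secret and the reply strings are
constructed here.  A request line is 'port-on-this-host , port-on-querier';
the reply echoes both ports followed by USERID or ERROR."""
import hashlib
import hmac
import re
import socket
from typing import Callable, Optional

REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed stand-in for the kernel's connection table:
# (local port, remote port) -> local user owning that socket.
CONNECTIONS = {(54321, 6667): "alice", (40001, 25): "bob"}

# Constructed per-host secret; a real deployment reads it from a file.
SECRET = b"replace-me-with-a-random-secret"

def lookup_owner(local_port: int, remote_port: int) -> Optional[str]:
    return CONNECTIONS.get((local_port, remote_port))

def opaque_token(user: str) -> str:
    """Stable, non-reversible handle: same user -> same token, so a remote
    admin can still correlate abuse reports with you, but no name leaks.
    HMAC-SHA256 is this example's choice, not identd's -H algorithm."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()[:16]

def ident_reply(request: str,
                lookup: Callable[[int, int], Optional[str]] = lookup_owner,
                mode: str = "token") -> str:
    """mode: 'token' (opaque per-user handle), 'constant' (one fixed string
    for everyone, nullidentd-style) or 'hidden' (ERROR : HIDDEN-USER)."""
    m = REQUEST_RE.match(request.rstrip("\r\n"))
    if m is None:
        return "0, 0 : ERROR : INVALID-PORT"        # unparseable request
    local_port, remote_port = int(m[1]), int(m[2])
    prefix = f"{local_port}, {remote_port} : "
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return prefix + "ERROR : INVALID-PORT"
    user = lookup(local_port, remote_port)
    if user is None:
        return prefix + "ERROR : NO-USER"           # no such connection here
    if mode == "hidden":
        return prefix + "ERROR : HIDDEN-USER"
    if mode == "constant":
        return prefix + "USERID : OTHER : nobody"   # 'nobody' is our choice
    return prefix + "USERID : OTHER : " + opaque_token(user)

def serve_one(conn: socket.socket, mode: str = "token") -> str:
    """Handle one ident query on an accepted socket: read a single line
    (RFC 1413 caps requests at 1000 octets), answer, close."""
    data = b""
    while b"\n" not in data and len(data) < 1000:
        chunk = conn.recv(256)
        if not chunk:
            break
        data += chunk
    reply = ident_reply(data.decode("ascii", "replace"), mode=mode)
    conn.sendall(reply.encode("ascii") + b"\r\n")
    conn.close()
    return reply

def demo_exchange(mode: str = "token") -> str:
    """Both sides of one exchange over a socketpair, no network needed: the
    IRC server asks who owns our port 54321 that is talking to its 6667."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(b"54321, 6667\r\n")
    serve_one(server_side, mode)
    answer = client_side.recv(1024).decode("ascii").rstrip("\r\n")
    client_side.close()
    return answer
```

The token mode keeps the one property ident is actually for (Lars's point: letting the remote admin coordinate with you about a specific connection) because you can map the token back to the user from your own logs, while a scanner learns nothing about local account names; the hidden mode still tells the peer that ident is answering, which is what IRC servers that insist on it care about.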




RFC - my firewall ruleset

2003-03-05 Thread Chris Willis
I would like to know what I can do to improve my firewall ruleset.  This exact set 
protects my own internal LAN (8 computers), and includes P2P rules.  I have similar 
rulesets protecting other networks I have worked on, none with more than 300 clients 
though.
 
# pf.conf working for Wall
# Variables & Tables
int_dev=xl0   # Internal network device.
ext_dev=ep0   # External network device.
cwork={ bunch of IPs here }
overpeer={ 64.15.228.160/27 }
max_mss=1432
unrouteable={ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
ext_bandwidth=1544Kb
# Options
set optimization conservative
set loginterface $ext_dev
# Normalize (defragment) packets on External Interface
scrub in on $ext_dev all fragment reassemble
scrub out on $ext_dev all max-mss $max_mss fragment reassemble
# NAT Rules
# only internal LAN gets NAT currently
nat on $ext_dev from 192.168.1.0/24 to any -> $ext_dev
# Port Forwarding Rules
rdr on $ext_dev proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_dev proto tcp from any to any port 892 -> 192.168.1.2 port 892
rdr on $ext_dev proto udp from any to any port 4665 -> 192.168.1.2 port 4665
rdr on $ext_dev proto tcp from any to any port 4662 -> 192.168.1.2 port 4662
rdr on $ext_dev proto tcp from any to any port 2000 -> 192.168.1.2 port 2000
rdr on $ext_dev proto tcp from any to any port 222 -> 192.168.1.2 port 222
rdr on $ext_dev proto tcp from any to any port 6774 -> 192.168.1.2 port 6774
rdr on $ext_dev proto tcp from any to any port 3389 -> 192.168.1.2 port 3389
rdr on $ext_dev proto tcp from any to any port 6699 -> 192.168.1.2 port 6699
rdr on $ext_dev proto udp from any to any port 6257 -> 192.168.1.2 port 6257
rdr on $ext_dev proto udp from any to any port 1494 -> 192.168.1.2 port 1494
# Deny all connections - default packet filter rule
block in log on $ext_dev from any to any label block_in_all
# pass all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all
# block out all Microsoft AD & NetBIOS traffic
# mainly a paranoia rule
block out log quick on $ext_dev inet proto tcp from any to any port 445
block out log quick on $ext_dev inet proto udp from any to any port { 137, 138, 139 }
# Outbound Connection Rules for External Interface
pass out quick on $ext_dev proto tcp all modulate state
pass out quick on $ext_dev proto udp all keep state
pass out quick on $ext_dev proto icmp all keep state
# Block in all invalid combos of TCP flags & log them
# these rules exist mainly to log these packets so I can curse at the bad people
block in log quick on $ext_dev inet proto tcp from any to any flags /UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags F/AF
block in log quick on $ext_dev inet proto tcp from any to any flags P/AP
block in log quick on $ext_dev inet proto tcp from any to any flags U/UA
block in log quick on $ext_dev inet proto tcp from any to any flags RF/RF
block in log quick on $ext_dev inet proto tcp from any to any flags SF/SF
block in log quick on $ext_dev inet proto tcp from any to any flags RS/RS
block in log quick on $ext_dev inet proto tcp from any to any flags UPF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UPSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UARSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UAPRSF/UAPRSF
# Rules to allow incoming traffic for internal services & P2P traffic
pass in quick on $ext_dev proto tcp from any to 192.168.1.2 port { 443, 892, 222, 1494, 3389, 2000 } flags S/SA modulate state
pass in quick on $ext_dev proto tcp from any to $ext_dev port 22 flags S/SA modulate state
pass in log quick on $ext_dev proto tcp from any to $ext_dev port 25 flags S/SA modulate state
pass in on $ext_dev proto udp from any to 192.168.1.2 port { 4665, 6257 } keep state
pass in on $ext_dev proto tcp from any to 192.168.1.2 port { 4662, 6774, 6699 } modulate state
# block and log incoming packets from reserved address space and invalid addresses
block in log on $ext_dev inet from $unrouteable to any
# properly respond to ident protocol also
block return-rst  in proto tcp from any to any port { 111, 6000, 6667 }
block return-icmp in proto udp from any to any port { 137 }
# block Overpeer shit
block in on $ext_dev inet from $overpeer to any
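Several rules on this page hinge on pf's `flags a/b` syntax: the block list of invalid TCP flag combinations in Chris's ruleset just above, and the `keep state flags S/SAFR` Oliver suggested earlier for port 113. The check pf performs is simple: mask the packet's flag byte with b, and the result must equal a; flags not named in b are ignored. The Python below is an added example that implements that check and runs the combinations from the ruleset above against a few packets; it is not pf's code, and the 20-byte TCP header and the spec list are constructed for the illustration (the list copies Chris's combinations).

```python
"""pf 'flags a/b' semantics: of the flags listed in b (the mask), exactly
those listed in a must be set; flags outside b are don't-cares.  Added
example, not pf code; the TCP header bytes and the spec list are constructed."""
from typing import Dict, List, Tuple

# TCP flag letters as pf.conf spells them (E and W are the ECN bits).
TCP_FLAG_BITS: Dict[str, int] = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}

def tcp_flags(letters: str) -> int:
    """Build a flag byte from pf-style letters, e.g. 'SA' -> 0x12."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAG_BITS[ch]           # KeyError on an unknown letter
    return bits

def flags_from_tcp_header(header: bytes) -> int:
    """Flag byte of a TCP header (octet 13, ECN bits included)."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13]

def parse_flag_spec(spec: str) -> Tuple[int, int]:
    """'S/SA' -> (want, mask).  An empty left side ('/UAPRSF') means none of
    the masked flags may be set, which is what catches a null scan."""
    want, sep, mask = spec.partition("/")
    if not sep:
        raise ValueError("flag spec must contain '/'")
    return tcp_flags(want), tcp_flags(mask)

def flags_match(spec: str, pkt_flags: int) -> bool:
    want, mask = parse_flag_spec(spec)
    return (pkt_flags & mask) == want

# The combinations blocked with 'quick' in the ruleset above.
INVALID_COMBOS: List[str] = [
    "/UAPRSF", "F/AF", "P/AP", "U/UA", "RF/RF", "SF/SF", "RS/RS",
    "UPF/UAPRSF", "UPSF/UAPRSF", "UARSF/UAPRSF", "UAPRSF/UAPRSF",
]

def matching_specs(pkt_flags: int, specs: List[str] = INVALID_COMBOS) -> List[str]:
    """Which of the specs a packet with these flags would trip."""
    return [s for s in specs if flags_match(s, pkt_flags)]

def is_new_connection(pkt_flags: int) -> bool:
    """The strict form from Oliver's post: a SYN with ACK, FIN and RST all
    clear, the only segment that should be allowed to create state."""
    return flags_match("S/SAFR", pkt_flags)

# Constructed 20-byte TCP SYN header: sport 54321, dport 22, seq 1, ack 0,
# data offset 5 (0x50), flags 0x02 (SYN), window 65535, checksum 0, urg 0.
SYN_HEADER = bytes.fromhex("d431 0016 00000001 00000000 50 02 ffff 0000 0000")
```

Two things the evaluation makes visible: `S/SA` still accepts a SYN that also carries FIN or RST (only S and A are inspected), which is why the stricter `S/SAFR` exists; and a packet can trip several of Chris's block rules at once (SYN+FIN matches both `F/AF` and `SF/SF`), which is harmless because each rule is `quick`.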




adding a new subnet to my firewall

2003-01-13 Thread Dan Heaver

Hiyas, although not strictly a pf question I
hope someone can answer this one for me

We have just been given a second routable
set of IPs for our servers as we hit capacity on our old one

In order to use these for NAT I obviously
need to bind the addresses to our firewall's external interface...

They do however need a different gateway
address, where do I specify this? Is it something in my hostname.rl1 file?
Dan
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:

http://www.star.net.uk

Re: adding a new subnet to my firewall

2003-01-13 Thread Daniel Hartmeier
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote:

 In order to use theese for NAT I obviously need to bind the addresses to our
 firewall's external interface...
 They do however need a different gateway address, where do I speciy this ?
 is is something in my hostname.rl1 file ?

OpenBSD itself does not support multiple default gateways. Incoming
packets on the new link will arrive fine without any routing table
additions, but outgoing packets to external hosts (even replies to
connections arriving through the new uplink) will only go through the
default gateway (through the old uplink).

You can use pf to route through interfaces explicitly:

  a) have nat use both external addresses with round-robin on
 connection level (this requires -current)
  b) make replies of incoming connections on the second interface
 go out through there again
  c) route outgoing connections selectively, based on some criteria
 (source/destination address, protocol, ports)

You can add explicit routing table entries for external hosts without
pf, but you add only one default gateway. If you want to use the second
uplink only for a limited set of peers, the routing table will work,
otherwise you might want to use pf to spread the outgoing packets
for arbitrary destinations across the two uplinks.

Daniel




RE: adding a new subnet to my firewall

2003-01-13 Thread Dan Heaver
Eek, that should keep me busy for a while :-~
