[pfSense Support] Ability to summarize # of states/IP
It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DoS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:

Proto  Source      SRC Ports  DST Ports
TCP    10.0.x.x    40,000     1
TCP    74.1.x.x    16         1
TCP    63.5.x.x    10         1
TCP    152.4.x.x   4          1

Best Regards,
Nathan Eisenberg

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Ability to summarize # of states/IP
Hello Nathan,

On Wed, Feb 3, 2010 at 20:35, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DoS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:
>
> Proto  Source      SRC Ports  DST Ports
> TCP    10.0.x.x    40,000     1
> TCP    74.1.x.x    16         1
> TCP    63.5.x.x    10         1
> TCP    152.4.x.x   4          1

Patches to pftop are very welcome, I suppose.

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
RE: [pfSense Support] Ability to summarize # of states/IP
And, if I was capable of offering patches, I surely would! :-)

Best Regards,
Nathan Eisenberg
Re: [pfSense Support] Ability to summarize # of states/IP
On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DoS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:
>
> Proto  Source      SRC Ports  DST Ports
> TCP    10.0.x.x    40,000     1
> TCP    74.1.x.x    16         1
> TCP    63.5.x.x    10         1
> TCP    152.4.x.x   4          1

That may not be too difficult to pull off, just some basic regex work and knowledge of the output of pfctl -ss. Though the format of such a report would end up being a bit more complicated than the output you show. There are incoming connections, outgoing connections, outgoing NAT connections, incoming NAT connections (port forwards), etc, etc. And it looks like some detail is only listed in pfctl -ss while a state is active.

The output you are talking about would only be a subset of the whole -- namely, outgoing NAT connections.

I might see if I can make something useful out of it. It may not take long, but that depends on available time.

Jim
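A small script for the summary Jim sketches above, added here as an example (it is not Jim's package or any pfSense code): it parses pfctl -ss lines with a regex and groups states by the initiating IP, so a flood like Nathan's 40,000 sessions shows up as one row with many source ports and a single destination port. The assumed line layout, the IPv4-only restriction and the sample lines are this example's own.

```python
import re
import sys
from collections import defaultdict

# Assumed shape of one "pfctl -ss" line (IPv4 only; IPv6 lines use addr[port] and are skipped):
#   <if> <proto> <addr>:<port> [(<nat>:<port>)] -> or <- <addr>:<port> [(<nat>:<port>)] <state>
# "->": the left endpoint opened the state; "<-": the right endpoint did (inbound/port forward).
ENDPOINT = r"(\S+?):(\d+)(?:\s+\(\S+?:\d+\))?"
STATE_RE = re.compile(rf"^\S+\s+(\w+)\s+{ENDPOINT}\s+(<-|->)\s+{ENDPOINT}\s+\S+")

def parse_state(line):
    """Return (proto, initiator_ip, initiator_port, responder_ip, responder_port) or None."""
    m = STATE_RE.match(line)
    if not m:
        return None
    proto, a_ip, a_port, direction, b_ip, b_port = m.groups()
    if direction == "->":
        return proto, a_ip, int(a_port), b_ip, int(b_port)
    return proto, b_ip, int(b_port), a_ip, int(a_port)

def summarize(lines, min_states=1):
    """Rows of (proto, initiator_ip, states, distinct_src_ports, distinct_dst_ports), busiest first.
    One initiator with many states, many source ports and one destination port is the flood pattern."""
    buckets = defaultdict(lambda: {"states": 0, "sports": set(), "dports": set()})
    for line in lines:
        parsed = parse_state(line)
        if parsed is None:          # header, IPv6 or malformed line
            continue
        proto, src, sport, _dst, dport = parsed
        b = buckets[(proto, src)]
        b["states"] += 1
        b["sports"].add(sport)
        b["dports"].add(dport)
    rows = [(proto, src, b["states"], len(b["sports"]), len(b["dports"]))
            for (proto, src), b in buckets.items() if b["states"] >= min_states]
    return sorted(rows, key=lambda r: -r[2])  # stable sort: ties keep first-seen order

# Constructed sample (RFC 5737 documentation addresses), not captured from a real firewall.
SAMPLE = """\
all tcp 203.0.113.10:80 <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:80 <- 198.51.100.7:40002       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:80 <- 198.51.100.7:40003       SYN_SENT:CLOSED
all tcp 10.0.0.5:51000 (203.0.113.2:61000) -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53011 -> 192.0.2.53:53       MULTIPLE:SINGLE
"""
if __name__ == "__main__":
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for row in summarize(lines):
        print("{:<5} {:<16} states={:<6} src_ports={:<5} dst_ports={}".format(*row))
```

Run it as `pfctl -ss | python3 state_summary.py` on the firewall; with no piped input it prints the summary of the constructed sample.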
Re: [pfSense Support] Public IP's behind Public IP's
Remko Lodder wrote:
> On Wed, February 3, 2010 1:45 am, Chris Flugstad wrote:
>> So I am configuring a pfsense router with public IP's on the lan. Some of those public ips are also routers (some pfsense, some not) and have blocks of ip's of their own on the LAN. What do I need to do on the main (1st) router to make sure the blocks on the next routers are routed correctly? I started to make a flow chart and was even confused about that ;) If you understand what I am asking, then great. Much help would be appreciated.
>>
>> -chris
>
> Well, if you have a cloud (the internet) incoming on the PFsense box it works something like this:
>
> [internet] -- [pfsense box external range] -- [internal public ip range]
>                                             \--- [internal public ip range]
>
> Etc.
>
> To get that working properly, you will need to add your communication network on the external network, and set up a connectivity lan on your internal network. If you have 254 machines in that, you could take a /24, and they could be private IP's for what that's worth (depending on the needs).
>
> Next: you need to set up routes to the internal gateways for the appropriate networks. Imagine your internal connectivity lan is 10.0.1.0/24, your external PFsense box is .1, router_2 is .2, router_3 is .3, yadayada. Router_2 contains the external network 192.168.1.0/24 and router_3 contains the external network 192.168.2.0/24. On the external PFsense box you need to add two gateways, with the IP addresses 10.0.1.2 and 10.0.1.3. Next you need to add the routes:
>
> 192.168.1.0/24 points to router_2 (10.0.1.2)
> 192.168.2.0/24 points to router_3 (10.0.1.3)
>
> Add more networks as you prefer, and create more gateways where needed.
>
> Does this help to get it going?
> Cheers,
> remko

Remko, let me draw out what I am trying to do:

                     | router with public ip (207.246.152.1) - public ip's on the lan 216.127.61.1/29
provider 1 -\        |
             pfsense |--- router with public ip (207.246.154.2) - public ip's on the lan 216.127.61.63/29
provider 2 -/        |
                     | router with public ip (207.246.154.3) - public ip's on the lan 216.127.61.129/29

So how does the pfsense router at the beginning know that the LAST ip block (ex. 216.127.61.1/29) is behind 207.246.152.1? I'll be trying to use BGP to use both providers with the same ip's. I do have an AS # and supposedly both providers have done what they needed. Currently provider 1 is our provider and all the IP's belong to them. They supply all the routing for us, until tomorrow ;) when I will try to route with pfsense.

I hope this helps
-chris
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On Tue, Feb 2, 2010 at 2:54 PM, J.D. Bronson jd_bron...@sbcglobal.net wrote:
> I use pfSense and have it running well. I just obtained a static block of IPs from my ISP but they are handed out via DHCP to the ISP equipment. Once I have a DHCP IP, then I can go into the ISP hardware and change it to a public IP. Ok. Well, with that in mind, I have 1 WAN NIC in the pfSense box. Is there any way to fake out my ISP equipment by sending different fake MACs to it to obtain multiple static IPs for the pfSense box? I am trying to just have pfSense do all my routing and networking. Otherwise, I need to essentially plug each server into the back of the ISP equipment directly and would prefer NOT to do that.

Hi JD,

I'm not sure if this will accomplish your goal, but here's a thought. All this can be done from the Interfaces-WAN menu.

1) Set the interface to DHCP, obtain an IP and then tell your ISP's equipment that it's static (or reserved, or whatever they're doing).
2) Change the IP of your WAN interface. Move it up by 10 or something. As long as you've only got a few interfaces in your router, you're unlikely to overlap anything doing it that way.
3) Disable then enable the WAN interface so that it requests a new DHCP lease.
4) Since you have a new MAC address, they'll give you a new IP address, at which point you can go into their equipment and flag it as static.
5) Rinse and repeat: you can repeat this process several times until you have leased and then reserved the IPs that you need.
6) Set up all your new IPs as Virtual IPs under Firewall - Virtual IPs.

If I've understood your description of the setup and the ISP, there's a good chance this will work. The uncertainty in my mind is whether the ISP will really reserve that IP or whether there will be some lease expiration.

Good Luck,
Dave
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On 2/3/10 7:11 PM, Dave Donovan wrote:
> 1) Set the interface to DHCP, obtain an IP and then tell your ISP's equipment that it's static (or reserved, or whatever they're doing).
> 2) Change the IP of your WAN interface. Move it up by 10 or something. As long as you've only got a few interfaces in your router, you're unlikely to overlap anything doing it that way.
> 3) Disable then enable the WAN interface so that it requests a new DHCP lease.
> 4) Since you have a new MAC address, they'll give you a new IP address, at which point you can go into their equipment and flag it as static.
> 5) Rinse and repeat: you can repeat this process several times until you have leased and then reserved the IPs that you need.
> 6) Set up all your new IPs as Virtual IPs under Firewall - Virtual IPs.

How does a 'new' MAC come into play here though? Where does the new MAC come from?

thanks...

--
J.D. Bronson
Information Technology
Aurora Health Care - Milwaukee WI
Office: 414.978.8282 // Fax: 414.978.3988
RE: [pfSense Support] Public IP's behind Public IP's
Chris,

Your diagram came through a bit mangled, at least for me. Time to bust out MSPAINT.
Re: [pfSense Support] Ability to summarize # of states/IP
On 2/3/2010 7:57 PM, Jim Pingle wrote:
> On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
>> It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DoS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:
>>
>> Proto  Source      SRC Ports  DST Ports
>> TCP    10.0.x.x    40,000     1
>> TCP    74.1.x.x    16         1
>> TCP    63.5.x.x    10         1
>> TCP    152.4.x.x   4          1
>
> That may not be too difficult to pull off, just some basic regex work and knowledge of the output of pfctl -ss. Though the format of such a report would end up being a bit more complicated than the output you show. There are incoming connections, outgoing connections, outgoing NAT connections, incoming NAT connections (port forwards), etc, etc. And it looks like some detail is only listed in pfctl -ss while a state is active.
>
> The output you are talking about would only be a subset of the whole -- namely, outgoing NAT connections.
>
> I might see if I can make something useful out of it. It may not take long, but that depends on available time.

I just committed a basic package that adds Diagnostics > State Summary, which has somewhat of a similar form to what you're after. It probably needs some more refinement, but the info is there.
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On Wed, Feb 3, 2010 at 8:50 PM, J.D. Bronson jd_bron...@sbcglobal.net wrote:
> On 2/3/10 7:11 PM, Dave Donovan wrote:
>> 1) Set the interface to DHCP, obtain an IP and then tell your ISP's equipment that it's static (or reserved, or whatever they're doing).
>> 2) Change the IP of your WAN interface. Move it up by 10 or something. As long as you've only got a few interfaces in your router, you're unlikely to overlap anything doing it that way.
>> 3) Disable then enable the WAN interface so that it requests a new DHCP lease.
>> 4) Since you have a new MAC address, they'll give you a new IP address, at which point you can go into their equipment and flag it as static.
>> 5) Rinse and repeat: you can repeat this process several times until you have leased and then reserved the IPs that you need.
>> 6) Set up all your new IPs as Virtual IPs under Firewall - Virtual IPs.
>
> How does a 'new' MAC come into play here though? Where does the new MAC come from?
>
> thanks...

Short answers: New MAC means new IP. And, you just make it up.

Long answer: The DHCP server uses MAC addresses to keep track of which clients have received IPs. If you use your regular MAC address and receive an IP, then to get another IP, you may need to use a different IP. MAC addresses are supposed to be assigned to each NIC by the manufacturer to make them globally unique and prevent two NICs from having duplicate addresses. In your case, you're only going to use a fictitious one for a few minutes so there's no harm in it.

As for getting the new MAC, you can pretty much make it up. You can look at your existing MAC under Status - Interfaces. Look at your WAN interface and you'll see a string that looks like:

00:08:5b:b2:7e:e2

If your WAN interface is set to DHCP, you'll also see the IP that was assigned to you by your ISP. Chances are, you'll see the same address every time you reboot the system. That's because your ISP remembers your MAC and tries to assign the same number to you.

If you want another address, you need to use another MAC. Make a change to the MAC, for instance, change the b2 to b3. Put the made-up 'new' MAC in the appropriate field in Interfaces-WAN, and pick up at step 3 in my previous instructions.

I should say that this is an unconventional approach. From your initial email, I assumed that your ISP supported reserving IPs through some configuration portal once you had obtained them by DHCP. If you're not comfortable with the details of how DHCP works, I'd hate to see you mess up your environment.

I hope this helps,
Dave
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On 2/3/10 7:38 PM, Dave Donovan wrote:
> As for getting the new MAC, you can pretty much make it up.

Pretty much is the operative term here. Some MAC address space is reserved for multicast (always beginning with 01:00:5E) and locally administered addresses (where the second bit of the first byte is set). But as long as high-order bits 0 and 1 of the MAC address' first byte are 0, and the addresses you choose aren't already in use on the same network, you should be fine.

> I should say that this is an unconventional approach.

Yes.

dn
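A check for the address bits David describes, added here as an example (not code from the thread or from pfSense): it classifies a MAC string by the I/G and U/L bits of the first octet, flags the 01:00:5E IPv4 multicast prefix and the broadcast address, and reports whether an address is usable as a unique station address at all. The sample addresses are constructed; the first is the one Dave quotes.

```python
import re

# Assumed input: a 48-bit MAC written as six hex octets separated by ":" or "-".
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.IGNORECASE)

def classify_mac(mac):
    """Classify a MAC by the two low-order bits of its first octet:
    bit 0 is I/G (1 = group/multicast address), bit 1 is U/L (1 = locally
    administered, i.e. not assigned from a vendor OUI). Returns None if malformed."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    octets = [int(o, 16) for o in m.groups()]
    first = octets[0]
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        "ipv4_multicast_prefix": octets[:3] == [0x01, 0x00, 0x5E],  # 01:00:5E:xx:xx:xx
        "broadcast": all(o == 0xFF for o in octets),
    }

def usable_as_station_address(mac):
    """True only for a well-formed individual (unicast), non-broadcast address."""
    c = classify_mac(mac)
    return c is not None and not c["multicast"] and not c["broadcast"]

# Constructed samples: the MAC Dave quotes, its "b2 -> b3" variant, an IPv4 multicast
# address, the broadcast address, and a locally administered variant of the first one.
SAMPLES = ["00:08:5b:b2:7e:e2", "00:08:5b:b2:7e:e3", "01:00:5e:00:00:fb",
           "ff:ff:ff:ff:ff:ff", "02:08:5b:b2:7e:e2", "00:08:5b"]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = "usable" if usable_as_station_address(s) else "NOT usable"
        print(f"{s:<18} {verdict:<11} {classify_mac(s)}")
```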
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On Wed, Feb 3, 2010 at 10:46 PM, David Newman dnew...@networktest.com wrote:
> On 2/3/10 7:38 PM, Dave Donovan wrote:
>> As for getting the new MAC, you can pretty much make it up.
>
> Pretty much is the operative term here. Some MAC address space is reserved for multicast (always beginning with 01:00:5E) and locally administered addresses (where the second bit of the first byte is set). But as long as high-order bits 0 and 1 of the MAC address' first byte are 0, and the addresses you choose aren't already in use on the same network, you should be fine.

Thanks for that. My instinct was to stay away from the first half of the address and change the latter bits, but I wasn't aware of those particulars. I thought the first part indicated only the manufacturer.

Dave