Re: rdr state problem

2006-01-07 Thread Mike
ght, and I hope it didn't sound like I was complaining about pf! It is by far my favorite firewall to work on. Cheers to you and all of the developers! Thanks again, Mike

Re: No route to host

2007-09-19 Thread mike
> pass out on $int_if inet proto tcp from $wlan to $webservers \ > port www flags S/SA synproxy state > > pass out on $int_if inet proto tcp from $wlan to $webservers \ > port https flags S/SA keep state > > pass out on $int_if inet proto tcp from $wlan to $mailserver

script to help manage dynamic pf tables

2014-04-24 Thread Mike.
For a few of the servers I admin, I found the need for the ability to add IP addresses to a pf table temporarily (for a few days, a couple weeks, etc). I grew tired of manually editing the files, so I wrote a script to help me. The script maintains a list of IP addresses for a pf table, along wi

re: script to help manage dynamic pf tables

2014-04-29 Thread Mike.
ansition. Full version: http://archive.mgm51.com/sources/pft.html Patch: http://archive.mgm51.com/sources/files/pft.sh_1-2_to_1-9.patch *** On 4/24/2014 at 2:40 PM Mike. wrote: From: Mike. To: pf@benzedrine.cx Date: Thu, 24 Apr 2014 14:40:56 -0400 Subject: script to hel

pf, raw sockets and packet drops...

2002-07-29 Thread mike schiffman
Forgive me if this is already known, but apparently pf drops certain outgoing IP packets built using the raw socket interface. I've traced it to ip_output.c where two pf_test() calls are made -- I'm not sure which one results in the drop, but both of them return EHOSTUNREACH (No route to host).

Re: pf, raw sockets and packet drops...

2002-07-29 Thread mike schiffman
Ah, this must be the case. Thanks. On Mon, Jul 29, 2002 at 08:45:13AM +0200, Daniel Hartmeier wrote: > On Sun, Jul 28, 2002 at 10:49:44PM -0700, mike schiffman wrote: > > > pass out proto tcp from any to any flags S/SA keep state > > Try > > pass out fr

Re: RFC: dynamic rules

2002-10-14 Thread Mike Frantzen
insert rules (or can be designed to remove that requirement) > However there are isolated cases where it would be useful see > the recent post by Matthew Sweet for instance. That is why I could not > easily come up with a real world example. It is a cool concept, I'll give you that. But I still don't see the problem you're trying to solve. .mike

Re: Optimizations for udp/icmp

2002-11-18 Thread Mike Frantzen
ld probably hack up a little PCAP utility to profile your UDP traffic and let it calculate a distribution of timeouts. But I have very little free hacking time and I'm not sure there is enough demand. .mike

Re: Scrub causing kernel panics

2002-11-20 Thread Mike Frantzen
but it'll save me some time if no one beats me to debugging it. A register dump may help too but it's probably a NULL dereference. .mike

Re: some problems with pf losing state information in

2002-12-09 Thread Mike Frantzen
es. The default PF state code tries to account for some of those but I have seen the ACK|FIN arrive many minutes after the state was deleted. You could add a rule to drop those in the proverbial bit bucket: block in quick on $ext_if all flags AF/AF .mike

Re: PF NAT and Oracle/Linux mystery

2003-01-17 Thread Mike Frantzen
ured to > use any TCP options that might affect window sizes (th_win). In the tcpdump output, look for "wscale " on the first packet. Our state code doesn't handle window scaling which I can see Oracle enabling. 'echo 0 > /proc/sys/net/ipv4/tcp_window_scaling' on the l

Re: PF NAT and Oracle/Linux mystery

2003-01-18 Thread Mike Frantzen
> >We could add a "strip-wscale" option to scrub. It doesn't solve > >the state pickup issue, but could prevent clients communicating > >through the firewall from negotiating this option. > Does the Linux NAT code already do this? Linux's stock state code doesn't track sequence numbers. .mike

Re: Are more than one log interfaces possible pflog0, pflog1...

2003-01-21 Thread Mike Frantzen
iple times on the same pflog0 and use bpf filters to split them up pflogd0 -f /var/log/pf.blocked action block pflogd0 -f /var/log/pf.passed action pass pflogd0 -f /var/log/pf.rule.15 rulenum 15 pflogd0 -f /var/log/pf.fxp0 on fxp0 etc. .mike

pf+bridge+transparent proxy to local squid process

2003-01-23 Thread Mike LaPane
redirects to another host (while bridging), just wasn't sure if this scenario worked or not. Cheers, -Mike

Re: pf+bridge+transparent proxy to local squid process

2003-01-24 Thread Mike LaPane
ve that process local on the bridge (obviously removes some of the stealth), but that's the justification, just wanted to see if it was feasible. I will put another test system together and try it. Thanks again for all the help Cheers, -Mike - Original Message - From: "Daniel Har

3.2 pf+bridge+rdr problem

2003-02-04 Thread Mike McClure
2.250.22: S 639356933:639356933(0) win 16384 (DF) 23:29:51.105285 192.168.2.10.2013 > 192.168.2.250.22: S 639356933:639356933(0) win 16384 (DF) Any help would be greatly appreciated. -- Mike McClure, CCIE # 5125, CISSP # 30232 PNE Services, Inc. - http://www.pneservices.com

Re: 3.2 pf+bridge+rdr problem

2003-02-05 Thread Mike McClure
e, Feb 04, 2003 at 11:35:29PM -0600, Mike McClure wrote: > >> So, one would expect a workstation on network A to be able to connect to port >> on a given address and get the SSH daemon on the OBSD system, correct? > > Not on a bridge, if the destination mac address of the

Re: pf vs Linux NFS

2003-02-10 Thread Mike Frantzen
y and is exactly what the scrubber is tasked to prevent. Next show at eleven. .mike

Re: pf vs Linux NFS

2003-02-11 Thread Mike Frantzen
rub to operate more in the 'fragment reassembly' sense than in the normalization sense. > BTW, if the "end host" is "this host" (like in my NFS case) there is no > ambiguities, we know we do accept theses packets. The administrator may know that but neither the firewall or an intermediate IDS will. .mike

Re: Linux NFS no-DF status

2003-02-21 Thread Mike Frantzen
the DF bit on fragmented Linux NFS traffic > without understanding WHY in the hell they wanted to do it that way. It's not that we refused to respect it. We respect it. Hell, we even admit it makes sense in some situations. But it is open for ambiguous interpretation and thus SCRUB must normalize it away. .mike

Re: pf state issue

2003-03-14 Thread Mike Frantzen
ndantly. For instance with TCP if someone sends a SYN and then a RESET, we'll start up in SYN_SET:CLOSED end up in TIME_WAIT:CLOSED after the RESET. Since the server never sent any traffic, its side of the state never reflects an opened connection so we can treat the time the connection out appropriately. back to my hangover .mike

Re: problem with port 443 traffic

2003-03-19 Thread Mike Frantzen
after 15 minutes of idle time if one endpoint doesn't honor the other endpoints close request (FIN flag). alternately, you could put a flags S/SA on the 'modulate state' rule and return-rst non S/SA packets. that _should_ work (it may depend on the browser). .mike

Re: RDR for internal machine

2003-03-31 Thread Mike Mentges
ode 0 keep state pass in log quick on $int_if inet proto icmp all icmp-type 8 code 0 keep state Obviously you can turn the added logging off if you aren't worried about security tracking. ;-) --- Mike Mentges blowfishsecurity.net ## Still in development ##

Re: grouped tcp flags

2003-04-01 Thread Mike Pechkin
On Tue, Apr 01, 2003 at 04:15:55PM +0200, Philipp Buehler wrote: > [list added again, I think this is public interest and should be archived] > > On 01/04/2003, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]: > > I just wanted to drop all nmap and/or other harmful packets... I f

Re: state insert failed / BAD state issues

2003-05-31 Thread Mike Frantzen
two options. Figure out why they are reusing the source port without waiting 2*msl and fix it. Or reduce the tcp.closed timeout. Changing the tcp.closed timeout would probably be your best bet for the typical customer. pf.conf: set timeout tcp.closed .mike

Re: pflog0 not logging

2003-05-31 Thread Mike Frantzen
n every ip address and your dns server might have changed. i'd also strongly suggest avoiding the '-v' option. it has a history of being remotely exploitable. the usual incantation is: # tcpdump -nettti pflog0 .mike

Re: Firewall stopped working with Comcast :(

2003-06-04 Thread Mike Frantzen
s dhclient and spawn a new one every time the gateway started. They would also relax the one IP per cablemodem filtering for a while after a DHCP reply. I don't think that happens anymore. .mike

Re: fastroute

2003-06-04 Thread Mike Frantzen
d part is what to do when the ttl decreases and guessing if the end host will actually receive that segment or not. I suppose an anomaly detecting IDS could use TTL to try and dynamically determine topography but that isn't of too much utility. .mike

Re: pf/altq on a fast link

2003-06-05 Thread Mike Mentges
s... Is it still OK to dry them on the twine I used to tie my jackass up with? :-P Spam Kills, stick to the crack Dennis! Mike On 1 Jun 2003, Dennis wrote: > [EMAIL PROTECTED] (Henning Brauer) wrote in message news:<[EMAIL PROTECTED]>... > > On Sun, Jun 01, 2003 at 06:20:23AM -070

Re: failing file transfers (seti@home)

2003-06-11 Thread Mike Frantzen
ber tracking code, which might cause > problems. Right, Mike? Last time I analyzed it, it looked like SACK would work fine because we always allow one window backwards in the ack skew check. Lemme think about it more after I've been awake for more than five minutes. If I had to guess, t

Re: failing file transfers (seti@home)

2003-06-11 Thread Mike Frantzen
; All Windows Updates installed, except .Net and WMP9. I have now changed it > to turn SACK off, but can easily turn it back on for any testing. Egads. A scale of 4. That is a stack tuned for the TCP benchmarks if I ever saw one. > I have sent files to Daniel. Do you want same Mike ? Please ap

Re: Fragment Reassembly and "Wormhole Routing" for pf

2003-07-15 Thread Mike Frantzen
e a difficult time predicting when the 10s timeout was first inserted into the wheel. Remember PF prunes the whole tree of expired states every timeout interval, we don't insert a timeout into the wheel for every state or reassembly queue. Perusing the PF source would probably do you some good. Some implementation experience to back up the theory. .mike

Re: Fragment Reassembly and "Wormhole Routing" for pf

2003-07-15 Thread Mike Frantzen
bing to catch the time of a reboot. Predictable expiration doesn't really matter too much anyway. Attacks against the state table typically are brute force floods. .mike

PF filter decisions based on source OS type

2003-08-21 Thread Mike Frantzen
-help with as many machines with web browsers as possible and type in your OS name if it doesn't recognize the machine. .mike

Re: PF filter decisions based on source OS type

2003-08-21 Thread Mike Frantzen
.coredump.cx/p0f-beta.tgz. Run it while you're scanning, copy the fingerprint and adapt it to our format. The p0f fingerprints have an OS and a Desc field. We have an OS, a Version, a subtype/patchlevel and an overall description field. The format is documented in the pf.os man page and in /etc/pf.os itself. .mike

Using rdr to (partially) sandbox infected clients

2003-09-05 Thread Mike Lewinski
ate the few zones with real records that I want the client to reach. Or maybe my sandbox could link to http://windowsupdate.microsoft.com:81 and I can rdr that to port 80 on the real host? Are there any better ideas I'm missing here? Mike

Re: "reassemble tcp" and SuSE clients woe

2003-09-08 Thread Mike Frantzen
d all packets could appear to be older. The other remote possibility is that something sets the timestamp to zero when they stop echoing the timestamp and PF doesn't honor that zero. I can't remember if that was only on ACKs or if it is legal. Anyway. I need a pcap. .mike

Re: syn-proxy & application-level-proxy

2003-09-11 Thread Mike Frantzen
ew thousand of lines of code. Go read Ptacek's and Newsham's seminal IDS paper: http://citeseer.nj.nec.com/ptacek98insertion.html Then keep in mind more advanced evasions have been discovered in the last five years. .mike

Re: syn-proxy & application-level-proxy

2003-09-11 Thread Mike Frantzen
n2000 & friends will send 1500 > byte segments, the gateway will reassemble them, and regenerate 1300 > bytes segments to the destination transparently, wow) > Is that a crazy idea? use the max-mss scrub option. the hosts should then take care of it themselves. some nat/dsl routers automatically do this. .mike

Re: syn-proxy & application-level-proxy

2003-09-11 Thread Mike Frantzen
eal > destination > 3) somehow, a NAT rule is created to make that 2nd connection > originate from the > same socket as the first connection/packet. > Would that work? Yup. That's the easiest way to do it (and the most secure). I believe the original post didn't want the connection terminated on the firewall. .mike

Re: Why does it hang with reassemble tcp?

2003-09-22 Thread Mike Frantzen
> I have a problem with one specific host. > When I try to connect from an host behind my OpenBSD 3.4-current NAT > gateway to www.dingologos.com, no TCP session can actually be established if > I have the following rule : > scrub on $if_ext proto tcp all fragment reassemble reassemble tcp >

Re: os log?

2004-02-04 Thread Mike Frantzen
> Is it possible to log the OS of a passed/blocked packet, instead > of just using the OS for filtering? I am trying to do an analysis > of what OSes are typically used for, say, spamming. tcpdump -netttor /var/log/pflog 'tcp[13] == 2 and port 25' .mike

Re: Remotely Counting Machines Behind Nat

2004-02-17 Thread Mike Frantzen
syn-proxy. It crafts all of the SYN's by hand. It is still possible to fingerprint based on things like the retransmission timers but that is much harder and they'd be better off looking at HTTP User-Agent discrepancies. .mike

Re: more questions on timeouts

2004-04-15 Thread Mike Frantzen
It is an hour in the conservative optimization setting. It is two minutes by default and goes down to 30 seconds for the aggressive optimization or two minutes. .mike

Re: pf firewall loses connectivity at 50,000 state table entries (patch to correct this?)

2004-05-28 Thread Mike Frantzen
everything for PF states. That should give you an idea of your upper limit on the number of states (make sure to leave enough memory for other things). Now look into the adaptive.start and adaptive.end limits in the pf.conf man page to start expiring states more quickly when you're approaching a full state table. .mike

pfctl ruleset optimizer. testers needed

2004-06-28 Thread Mike Frantzen
PROFILE; + else + opts |= PF_OPT_OPTIMIZE; break; case 'O': loadopt |= PFCTL_FLAG_OPTION; Index: pfctl_optimize.c ===

Re: pfctl ruleset optimizer. testers needed

2004-06-30 Thread Mike Frantzen
;t allowed to drink any more beer until you have sent in your ruleset. So quick, hurry, before it's too late! .mike

Re: pfctl ruleset optimizer. testers needed

2004-07-02 Thread Mike Frantzen
> And my last attempt to cajole you. Henning@ isn't allowed to drink any > more beer until you have sent in your ruleset. So quick, hurry, before > it's too late! Thanks to everyone who sent in rulesets! I have more than enough now so Henning@ is allowed to drink beer again. .mike

request from a PF developer

2004-07-12 Thread Mike Frantzen
sfered over. thanks, .mike

Re: question on fragment handling

2004-08-20 Thread Mike Frantzen
> * we are not using scrub rules. > Does anyone have any ideas as to why these fragments are not being > covered by the state mechanisms? because "keep state" doesn't track fragments. scrub does. .mike

Re: preventing state runaway

2004-08-23 Thread Mike Frantzen
ipfilter, I tweaked > kernel settings such as NKMEMCLUSTERS and NMBCLUSTERS to obscenely high > numbers (such as 16K). Any other kernel tweaks? Or better yet, anything > within pf to directly contain such a state runaway scenario? see adaptive.start and adaptive.end in the pf.conf man page .mike

Re: preventing state runaway

2004-08-23 Thread Mike Frantzen
aptop has 208 PF states and 190 of which are in fin-wait or closed. The adaptive limits will penalize those states hanging around after the connection closed far more than it will penalize established connections. .mike

Re: preventing state runaway

2004-08-24 Thread Mike Frantzen
optimize for the common case instead of degrading everything to the pathological case. > You can lower some specific timeout limits and you'll always know what your > firewall is doing. You can do the math when setting up adaptive timeouts and you'll always know what your firewall is doing. .mike

Re: preventing state runaway

2004-08-24 Thread Mike Frantzen
states. > # vmstat -m > Memory statistics by bucket size > Size In Use Free Requests HighWater Couldfree > 16 7270922 826181280 3 > 32 1387533 15436 640 0 the rest of vmstat -m is more useful .mike

Re: OpenBSD PF in the Enterprise?

2004-09-23 Thread Mike LaPane
oose. If the {PIX|netscreen|FW1} takes a dump at 3:00PM, you will get chewed out, not Cisco, Juniper/Netscreen, CP, etc. PIX is not a bad firewall if you already have the infrastructure. However, I would avoid using CiscoWorks - it's an ugly, expensive solution (IMHO). -Mike On Thu, 23 Sep 2

Re: FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Mike Frantzen
state after the connection closes in case a segment got delayed in the network. That is how TCP works. .mike

Re: FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Mike Frantzen
host. Thus PF can not ratchet the connection state past FIN_WAIT_2. And yes, 2msl applies to a FIN close. .mike

Re: Layer2 Filtering

2004-10-21 Thread Mike Belopuhov
packet filter. It doesn't know anything about underlying layers. (And that is actually great!) You should look at brconfig(8) for layer 2 filtering on bridge. One can tag traffic flow using brconfig(8), and then apply some pf rules using ``tagged'' keyword. > Thanks. > > - Eric > -- Mike Belopuhov

Re: loose state match - logged

2004-10-25 Thread Mike Frantzen
imes. The debug message is there because I used to investigate all of those occurrences to see if we could handle it better. In your case, both hosts had exchanged FINs but not the final ACK. Then one of them sent an in-window TCP RST that wasn't an exact sequence match. PF allowed it because the connection was already closing. .mike

Re: state failure - bad state

2004-11-20 Thread Mike Frantzen
using an old connection's ports without waiting the 2*msl period. No big deal. .mike

Re: Good HFSC explanation

2005-02-15 Thread Mike Belopuhov
On Fri, Feb 11, 2005 at 15:39 +, Bob wrote: > Is there a clear HFSC explanation somewhere, with real simple examples? > Preferably that apply directly to PF which uses three SC types, not two. > > I've found plenty of documents, but they're all high-level overview > slideshows that are a bit

Re: When does a table outperform a list?

2005-02-16 Thread Mike Frantzen
ist contains two or three items, but at what point > would it be more efficient to put the items into a table? IIRC Daniel did tests about two years ago and the break-even point was about 6 addresses. That is what the optimizer uses to merge similar rules into a single rule with a table. .mike

Re: PF and LAND attack.

2005-03-09 Thread Mike Frantzen
> Is it possible to protect my Windows server from LAND attack with PF? > I have tried searching Google and Benzedrine, but have not found any info. Search for 'antispoof' in the pf.conf man page. It'll protect most setups. .mike

Re: pf vs ASIC firewalls

2005-03-14 Thread Mike Frantzen
your intel processor is an asic too. .mike > I happened to hear the following > > "Netscreen is running in ASIC (they are boasting in their marketing) - > and thus probably only is checking the first (or first few) packages and > then handing all traffic control off to du

Re: pf vs ASIC firewalls

2005-03-17 Thread Mike Frantzen
sors are cheap and faster. It seems like everyone and their brother is shipping a network processor these days that can easily do light-weight firewalling. I wouldn't want to rewrite scrub, carp or ALTQ for them though. But there's no way in hell I'd want to redesign those in vhdl for an fpga either. Can you imagine having to pipeline those so the logic doesn't blow through the clock on an fpga? yikes .mike frantzen@(nfr.com | cvs.openbsd.org | w4g.org) PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

Re: performance: single ip in table Vs single ip

2005-04-22 Thread Mike Frantzen
l rules. So your table rule will be 6x as slow. Unless you're running 10yr old hardware, your firewall is probably so overpowered that it doesn't matter. .mike

IPSEC Tunnel and PF rules

2005-04-26 Thread Mike Mentges
wise I will post to the IPSEC groups. Thanks in advance! Thanks! Mike M

problem with multiple carp interfaces not syncing properly

2005-07-28 Thread Mike Joyce
his is not the case, in some tests the master / backup state lasts for several minutes, and rarely will stay permanently. shouldn't the above sysctl require one box to either have all master or all backup? please advise! - mike

Re: packet filtering as a virtual machine

2005-10-24 Thread Mike Frantzen
s cash cow) were dependent on solaris boxes. .mike

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread mike scott
key (key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364) [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England

pf security - is pf failsafe if config file invalid?

2005-11-09 Thread mike scott
omments. -- various incoming sites blocked because of spam; see http://www.scottsonline.org.uk for a list and openpgp crypto key (key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364) [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread mike scott
crypto key (key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364) [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England

Re: pf security - is pf failsafe if config file invalid?

2005-11-15 Thread mike scott
e of spam; see http://www.scottsonline.org.uk for a list and openpgp crypto key (key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364) [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England

Re: pf security - is pf failsafe if config file invalid?

2005-11-15 Thread mike scott
linked into the freebsd kernel; I know that's not a pf issue particularly, but is still another nail in the coffin, so to speak, from my perspective. -- various incoming sites blocked because of spam; see http://www.scottsonline.org.uk for a list and openpgp crypto key (key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364) [EMAIL PROTECTED] Mike Scott, Harlow, Essex, England

Re: pf; XP firewall; and MS Remote Desktop

2006-04-05 Thread Mike Mentges
for another 3rd party personal firewall as most not made by Microsoft seem to work well. Hope that helps! Mike Mentges Peter wrote: I have a user that is on WinXP. She uses Microsoft's Remote Desktop to connect to a remote server (TCP port 3389). I have installed OpenBSD 3.8 to act as fir

Re: Support for snort_inline via tunnel device?

2006-08-02 Thread Mike Frantzen
IIRC Dug Song's libdnet supports just that. See his fragroute as an example on how to use it. .mike > Hi, > > I was reading through an interview of pf developers[*], where Mike > Frantzen commented that > > > There are already two ways to emulate Linux's DIV

Re: IP Filter Documentation.

2013-05-05 Thread Mike Erdely
On Sat, May 4, 2013 at 5:08 PM, Sioux C. Queue wrote: > The FAQ at OpenSUSE is a fine document. On the page > www.openbsd.org/faq/pf/tables.html I found this "or the self keyword". On the > page www.openbsd.org/faq/pf/filter.html I found this "table const { > self }". And finally, I think, at

Re: How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-05 Thread Mike Erdely
On Sun, May 5, 2013 at 7:29 AM, Peter N. M. Hansteen wrote: > The address bounces (domain exists, user does not), which > brings back the less fond memories of the 1990s when such asshattery was > to some extent tolerated and even condoned in some circles due to the > then-emerging (oh, so intole

Connections Timing Out In Bridging Mode

2008-04-11 Thread Mike Sweetser - Adhost
oing on? I apologize if the rules above aren't exact - we're doing these from memory because we're not currently logged in to it. We are receiving no errors when running pfctl -nf /etc/pf.conf, so it doesn't appear to be a syntax error. Any help will be greatly appreciated! Thanks, Mike Sweetser

Tuning PF Round Robin and State Expiration

2008-10-08 Thread Mike Sweetser - Adhost
help matters? Is there a way to modify the state timeouts on a more granular level? Thank You, Mike Sweetser -- Mike Sweetser | Systems Administrator Adhost Internet 140 Fourth Avenue North, Suite 360, Seattle, Washington 98109 USA P 206.404.9000T 888.234.6781 (ADHO

Problem with PF, pftpx and SSL FTP

2008-10-21 Thread Mike Sweetser - Adhost
es out when it tries to initialize the TLS connection. The server also worked properly prior to using pftpx. Any ideas? We really need to get SSL FTP working. Thank You, Mike Sweetser -- Mike Sweetser | Systems Administrator Adhost Internet 140 Fourth Avenue North