dup-to duplicating packet twice?

2014-05-21 Thread Simon Kammerer
Hi list! I'm seeing dup-to duplicating some packets twice while trying to duplicate all wireless traffic on a bridged access point. My setup: mainboard with two onboard NICs (re0, re1) plus PCI wireless adapter (ral0) re0 and ral0 are bridged: cat /etc/hostname.re0 up cat

Re: Kernel panic on dup-to, to localhost

2006-12-21 Thread Johan Allard
On 20/12/2006, at 7:03 PM, Daniel Hartmeier wrote: On Wed, Dec 20, 2006 at 01:35:37PM +1100, Johan Allard wrote: any idea why this caused this panic? Can you try the patch below? If it still panics, please include the panic message in the screenshot (the first couple of lines got cut off).

Re: Kernel panic on dup-to, to localhost

2006-12-20 Thread Travis H.
On Wed, Dec 20, 2006 at 01:35:37PM +1100, Johan Allard wrote: > echo "pass in on ne3 dup-to (lo1 1.1.12.1) inet all keep state" > /etc/pf.conf > pfctl -e > pfctl -f /etc/pf.conf > and the first packet coming in on ne3 will cause a kernel dump, see > attached

Re: Kernel panic on dup-to, to localhost

2006-12-20 Thread Pierre-Yves Ritschard
Johan Allard wrote: Hi there, I just managed to get a kernel dump on a basic clean installed OpenBSD 4.0 with the following settings: ifconfig lo1 create ifconfig lo1 inet 1.1.12.1 netmask 255.255.255.0 echo "pass in on ne3 dup-to (lo1 1.1.12.1) inet all keep state" > /etc/pf

Re: Kernel panic on dup-to, to localhost

2006-12-20 Thread Daniel Hartmeier
On Wed, Dec 20, 2006 at 01:35:37PM +1100, Johan Allard wrote: > any idea why this caused this panic? Can you try the patch below? If it still panics, please include the panic message in the screenshot (the first couple of lines got cut off). Daniel Index: pf.c =

Kernel panic on dup-to, to localhost

2006-12-19 Thread Johan Allard
Hi there, I just managed to get a kernel dump on a basic clean installed OpenBSD 4.0 with the following settings: ifconfig lo1 create ifconfig lo1 inet 1.1.12.1 netmask 255.255.255.0 echo "pass in on ne3 dup-to (lo1 1.1.12.1) inet all keep state" > /etc/pf.conf pfctl -e

Re: dup-to work around

2006-12-06 Thread Sean Kamath
On Dec 6, 2006, at 4:45 PM, Camiel Dobbelaar wrote: On Wed, 6 Dec 2006, Bob DeBolt wrote: I need to get all traffic dup-to'd over to a graphing box using only the firewall, now dup-to works fine for the traffic that passes through the firewall but the blocked traffic doesn'

Re: dup-to work around

2006-12-06 Thread Stanislaw Halik
On Wed, Dec 06, 2006, Bob DeBolt wrote: > I need to get all traffic dup-to'd over to a graphing box using only the > firewall, now dup-to works fine for the traffic that passes through the > firewall but the blocked traffic doesn't get dup-to'd. route-to blocked

Re: dup-to work around

2006-12-06 Thread Camiel Dobbelaar
On Wed, 6 Dec 2006, Bob DeBolt wrote: > I need to get all traffic dup-to'd over to a graphing box using only the > firewall, now dup-to works fine for the traffic that passes through the > firewall but the blocked traffic doesn't get dup-to'd. > > Any suggesti

dup-to work around

2006-12-06 Thread Bob DeBolt
Greets OpenBSD 4.0 I am working on an issue regarding dup-to. It works fine. When using an invisible bridge I dup-to all traffic ( in, out ) over to a computer that creates really nice graphs, using a third interface on the bridge. All is well. Issue: I need to get all traffic dup-to

Re: Dup-to (Solved)

2005-08-14 Thread Bob DeBolt
the drive and installs itself. I suppose here is a lesson in there for me. Now the dup-to resolution. What happened was I had listed the dup-to interface and destination address macros inside parentheses separated by a comma and of course received a syntax error. Naturally being as gifted as I o

Re: Dup-to

2005-08-13 Thread Cedric Berger
Bob DeBolt wrote: Here is the simplest form of what I now have. int_if = "rl1" ext_if = "rl0" log_if = "fxp0" pass in on $ext_if dup-to $log_if all pass out on $ext_if dup-to $log_if all I've not used dup-to for a while, but you should try to add the ad

Re: Dup-to

2005-08-13 Thread Daniel Hartmeier
On Fri, Aug 12, 2005 at 04:51:56PM -0600, Bob DeBolt wrote: > FXP0 is the logging interface to a log box. > > int_if = "rl1" > ext_if = "rl0" > log_if = "fxp0" > > pass in  on $ext_if dup-to $log_if all > pass out on $ext_if dup-to $log_if

Dup-to

2005-08-12 Thread Bob DeBolt
rl0, rl1 are the internal and external bridge interfaces, the bridge works just fine on all three OS versions. FXP0 is the logging interface to a log box. I have read what there is regarding dup-to and know it is straightforward, obviously I'm missing something. I also learned that log-al

Re: dup-to problem with specific packets

2005-04-14 Thread Kimi Ostro
> > > logging hosts in parallel temporarily, until I'm sure all the bugs are > > > out of the new one. > > > > > > While I could fire up a second instance of softflowd, it seems like > > > this would be a good application of dup-to. I don't want to duplicate

Re: dup-to problem with specific packets

2005-04-14 Thread Jason Opperisano
> The old logging host is being replaced. I would like to run the two > logging hosts in parallel temporarily, until I'm sure all the bugs are > out of the new one. > > While I could fire up a second instance of softflowd, it seems like > this would be a good application o

Re: dup-to problem with specific packets

2005-04-14 Thread Michael W. Lucas
gt; > > While I could fire up a second instance of softflowd, it seems like > > this would be a good application of dup-to. I don't want to duplicate > > the entire mass of traffic going through this box, just the netflow > > packets. > > > > pass out o

Re: dup-to problem with specific packets

2005-04-13 Thread Kimi Ostro
> The old logging host is being replaced. I would like to run the two > logging hosts in parallel temporarily, until I'm sure all the bugs are > out of the new one. > > While I could fire up a second instance of softflowd, it seems like > this would be a good application of

dup-to problem with specific packets

2005-04-11 Thread Michael W. Lucas
arily, until I'm sure all the bugs are out of the new one. While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets. pass out on $i

Re: many to many dup-to option?

2004-12-06 Thread Matt Van Mater
nt part of my traffic. > If it's the ports, then couldn't you use your obsd dup-to box to > aggregate the traffic, and put the hub AFTER it? > I'm going to give this a try, I think it is essentially the same idea that the previous responder on this list had. > Alter

Re: many to many dup-to option?

2004-12-06 Thread Sam Bayne
gator" position are causing your switches to disable their span ports. Is the issue the collisions themselves, or just the switches disabling the ports? If it's the ports, then couldn't you use your obsd dup-to box to aggregate the traffic, and put the hub AFTER it? Alternatively, how

Re: many to many dup-to option?

2004-12-06 Thread Matt Van Mater
n further why a hub is no longer sufficient? If you can > ensure that the only device transmitting to the hub is the host > sending out the dup-to traffic (perhaps by physically disabling > transmit lines on the "listen only" ports), then a hub should be able > to flood out packet

Re: many to many dup-to option?

2004-12-03 Thread Dylan Martin
Maybe you could chain multiple dup-to boxes together, or chain several interfaces on one box? I don't know a thing about dup-to, but it seems like it might work. _ --|A|--[ destination 1 ] | - |B|--[ destination 2 ] | - |C|--[ destinat

Re: many to many dup-to option?

2004-12-03 Thread Kevin
> >Maybe you can to use multicast address as destination. > > Unfortunately dup-to requires you to specify a physical network > interface for where to send the traffic to. You can specify an > address associated with that network interface, but I'm not really > sure wha

Re: many to many dup-to option?

2004-12-03 Thread Matt Van Mater
configuration allows me to aggregate network feed like I want and dup-to doesn't then of course I'll go that route. Another concern with using bridge is that since it is a two way connection there might be additional overhead in maintaining communications (maybe it would try to keep state?) and I

Re: many to many dup-to option?

2004-12-03 Thread Dan
# traffic feed 1 int_if="xl0" # traffic feed 2 ids_if="xl1"#port to feed traffic to for IDS / analysis ids_if2="xl2"#port to feed traffic to for IDS / analysis .. pass in on $ext_if dup-to $ids_if pass in on $ext_if dup-to $ids_if2 pass in on $int_if dup-to $

Re: many to many dup-to option?

2004-12-02 Thread Kevin
possible, and was wondering > if it is even remotely on the radar of the developers? I do not believe OpenBSD can currently dup-to multiple destinations, without some nasty kludge. > I may be able to do this in an inelegant way, but I haven't tested to > see if it works,

Re: many to many dup-to option?

2004-12-02 Thread Matt Van Mater
> A hub? You might also be able to use a switch if you can disable MAC > address learning to force it to flood frames to all its ports. > I'm currently using a hub, and that is what is hurting me. Too many collisions from the hub shuts down my SPAN port on my switch. (CatOS sets a port to errdis

Re: many to many dup-to option?

2004-12-02 Thread Damien Miller
Matt Van Mater wrote: I > haven't been able to find a switch that allows multiple destinations > for a single SPAN session. A hub? You might also be able to use a switch if you can disable MAC address learning to force it to flood frames to all its ports.

many to many dup-to option?

2004-12-02 Thread Matt Van Mater
2="xl2" #port to feed traffic to for IDS / analysis .. pass in on $ext_if dup-to $ids_if pass in on $ext_if dup-to $ids_if2 pass in on $int_if dup-to $ids_if pass in on $int_if dup-to $ids_if2 If this is a viable option, it would be nice to have the syntax be like pass in on ($ext_if $in

Re: dup-to to 3rd interface for snort

2003-09-10 Thread Can Erkin Acar
ep 10, 2003 at 09:25:37AM -0400, Aaron Wade wrote: > > Hi all, > > I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd > > interface. It seems like dup-to is the best option for this, but I have a > > few questions as to how it works. > > &g

Re: dup-to to 3rd interface for snort

2003-09-10 Thread Chris Reining
Why don't you just run a chrooted snort on $ext_if? Chris On Wed, Sep 10, 2003 at 09:25:37AM -0400, Aaron Wade wrote: > Hi all, > I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd > interface. It seems like dup-to is the best option for this, but I

dup-to to 3rd interface for snort

2003-09-10 Thread Aaron Wade
Hi all, I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd interface. It seems like dup-to is the best option for this, but I have a few questions as to how it works. How does dup-to work with scrub ? If scrub is reassembling packets, how could the IDS

Re: dup-to

2003-02-02 Thread Marco Grigull
On Sun, 2 Feb 2003 11:53:12 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > No, that's a wrong assumption. Only the last matching rule matters. Any > previously matching rules are completely irrelevant, their options like > log or dup-to are not applied. > > You hav

Re: dup-to

2003-02-02 Thread Daniel Hartmeier
On Sun, Feb 02, 2003 at 08:43:51PM +1000, Marco Grigull wrote: > # forward stuff to our loghost/IDS > pass in log on $ext_if dup-to $dmz_if all > pass out log quick on $dmz_if all > block in log quick on $dmz_if all > > These are the FIRST rules in the ruleset. > I would

Re: dup-to

2003-02-02 Thread Marco Grigull
+0100, Cedric Berger wrote: > >> > >> > >> > >>>Marco Grigull wrote: > >>> > >>> > >>> > >>>>pass in log on $ext_if dup-to $dmz_if all > >>>> > >>>> > >

Re: dup-to

2003-02-02 Thread Daniel Hartmeier
> Are you sure there is no "quick" rule before? Also, in case you are filtering statefully, this rule might not match any incoming packets on the external interface. For instance: pass in on $ext_if dup-to ... pass out ... keep state pass in ... keep state The dup-to r

Re: dup-to

2003-02-02 Thread Cedric Berger
Marco Grigull wrote: On Sat, 1 Feb 2003 16:12:26 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: On Sat, Feb 01, 2003 at 04:14:32PM +0100, Cedric Berger wrote: Marco Grigull wrote: pass in log on $ext_if dup-to $dmz_if all How's dmz_if defined? did you pu

Re: dup-to

2003-02-01 Thread Marco Grigull
On Sat, 1 Feb 2003 16:12:26 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > On Sat, Feb 01, 2003 at 04:14:32PM +0100, Cedric Berger wrote: > > > Marco Grigull wrote: > > > > >pass in log on $ext_if dup-to $dmz_if all > > > > How's dmz_if defi

Re: dup-to

2003-02-01 Thread Marco Grigull
On Sat, 01 Feb 2003 16:14:32 +0100 Cedric Berger <[EMAIL PROTECTED]> wrote: > Marco Grigull wrote: > > > > >If I want to forward all ip traffic verbatim to a loghost/ids machine, > >would the following rules suffice? > > > > > ># forward stuff to

Re: dup-to

2003-02-01 Thread Marco Grigull
On Sat, 1 Feb 2003 14:39:08 -0800 (PST) Adam Shephard <[EMAIL PROTECTED]> wrote: > > BTW: couldn't we simplify things and accept just the > > following: > > > > pass in log on $ext_if dup-to 10.1.2.3 all > > > > Wouldn't you just define

Re: dup-to

2003-02-01 Thread Adam Shephard
> BTW: couldn't we simplify things and accept just the > following: > > pass in log on $ext_if dup-to 10.1.2.3 all > Wouldn't you just define dmz_if as 10.1.2.3? i.e. dmz_if=10.1.2.3 Then use pass in log on $ext_if dup-to $dmz_if all = Adam Shephard -- No

Re: dup-to

2003-02-01 Thread Cedric Berger
Daniel Hartmeier wrote: pass in log on $ext_if dup-to $dmz_if all How's dmz_if defined? did you put the IP of your loghost/IDS in there? If not, I think you should. Yes, try this: pass in log on $ext_if dup-to ($dmz_if 10.1.2.3) all replacing 10.1.2.3 with the IP address of your lo

Re: dup-to

2003-02-01 Thread Daniel Hartmeier
On Sat, Feb 01, 2003 at 04:14:32PM +0100, Cedric Berger wrote: > Marco Grigull wrote: > > >pass in log on $ext_if dup-to $dmz_if all > > How's dmz_if defined? did you put the IP of your > loghost/IDS in there? If not, I think you should. Yes, try this: pass in log

Re: dup-to

2003-02-01 Thread Cedric Berger
Marco Grigull wrote: If I want to forward all ip traffic verbatim to a loghost/ids machine, would the following rules suffice? # forward stuff to our loghost/IDS pass in log on $ext_if dup-to $dmz_if all How's dmz_if defined? did you put the IP of your loghost/IDS in there? If not, I

Re: dup-to

2003-02-01 Thread Marco Grigull
Because neither return-rst/icmp nor route/reply/dup-to > work on a fully transparent bridge... It's not set up as a bridge. The external if has a realworld ip addr (leased), the dmz is assigned 10.0.0.1 though I figured that it might not need it anyway Marco

Re: dup-to

2003-02-01 Thread Daniel Hartmeier
On Sun, Feb 02, 2003 at 12:07:11AM +1000, Marco Grigull wrote: > What have I missed here? Is it a bridge? With no addresses assigned to the interfaces (or only some of them)? Because neither return-rst/icmp nor route/reply/dup-to work on a fully transparent bridge... Daniel

dup-to

2003-02-01 Thread Marco Grigull
If I want to forward all ip traffic verbatim to a loghost/ids machine, would the following rules suffice? # forward stuff to our loghost/IDS pass in log on $ext_if dup-to $dmz_if all pass out log quick on $dmz_if all block in log quick on $dmz_if all I have added this in as the first rules

Re[2]: dup-to slows down TCP-Handshakes?

2002-11-11 Thread Richard Mueller
Hello Daniel, Monday, November 11, 2002, 3:18:44 PM, you wrote: >> Any Ideas? I don't have any :-( DH> The snort box isn't replying to the packets, is it? If those packets DH> reach its stack, the stack might try to forward them or reply with RSTs, DH> thus disturbing the handshake (when such pa

Re: dup-to slows down TCP-Handshakes?

2002-11-11 Thread Daniel Hartmeier
On Mon, Nov 11, 2002 at 01:34:03PM +0100, Richard Mueller wrote: > Any Ideas? I don't have any :-( The snort box isn't replying to the packets, is it? If those packets reach its stack, the stack might try to forward them or reply with RSTs, thus disturbing the handshake (when such packets get bac

dup-to slows down TCP-Handshakes?

2002-11-11 Thread Richard Mueller
Hi Folks, I am experiencing very strange Problems with pf (OpenBSD-current). I wanted to set up an OpenBSD-Firewall -- Linux/snort IDS Combo using the dup-to feature to feed the IDS with the relevant Parts of the traffic. Here comes some ASCII-Art: 192.168.1.2 192.168.1.1