Nabble - openbsd - packet filter

pf is blocking too much connections?

2009-11-13T09:03:24Z

Hi,
I have a openbsd pf firewall protecting a web server, I have noticed that some pages gives me errors when browsing through my site (sometimes it works sometimes not), then I looked at pf and saw that is blocking a lot of connectyions, how do I know which connections is blocking?

# pfctl -s info
Status: Enabled for 202 days 23:34:57 Debug: Urgent

Interface Stats for bge0 IPv4 IPv6
Bytes In 1637636412652 1992
Bytes Out 1954253582327 0
Packets In
Passed 6000993286 31
Blocked 125620228 0
Packets Out
Passed 6379190130 0
Blocked 43305301 0

State Table Total Rate
current entries 9656
searches 25855533798 1474.3/s
inserts 2050396787 116.9/s
removals 2050387131 116.9/s
Counters
match 2334111432 133.1/s
bad-offset 0 0.0/s
fragment 64 0.0/s
short 20 0.0/s
normalize 0 0.0/s
memory 240838837 13.7/s
bad-timestamp 0 0.0/s
congestion 118 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 275884 0.0/s
state-insert 33110230 1.9/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s

access to outlook web access through Openbsd

2009-10-06T15:28:19Z

I changed OWA to allow anybody in the Exchange folder on the 2003 server. Did not add any security , just wanted to make work before I tightened it up. Updated the pf.conf to redirect to the internal Exchange 2003. Can't seem to get there. Works internally.
Openbsd 4.0

rdr pass on $ext_if proto tcp from any to any port 80 -> 192.168.254.99 port 80
pass in quick on $ext_if proto { tcp, udp } from any to 192.168.254.99 port 80 keep state

Problem with my rdr and pass in?

thanks

Bridge architecture question

2009-08-18T04:06:38Z

Hello,

I've got a SDSL line with a 8 public IP bloc

I would like to build an openBSD 4.5 in a bridge configuration with 3 interface.

Here is the architecture :

=== [ rl1 ] ===== SERVER1 PUB_IP_1 ======|
| |
SDSL =====[ rl0 ]= OpenBSD ===== |====== LAN
| |
=== [ rl2 ] ===== SERVER2 PUB_IP_2 ======

The clients will be acceding to both services offered by SERVER1 and SERVER2 :
- SERVER1 is a full H323 video conferencing server and is the gatekeeper
- SERVER2 is a web video conferencing server over HTTP/HTTPS

My goal is to build the OpenBSD machine as a bridge with multiple public IPs (in order not to mess with H323 and NAT problems)

Is this configuration possible ?
Will both SERVERS receive their IP and will be able to communicate over the SDSL link ?

I also would like to :
- Limit global SDSL link at 4 megs
- Allow each link to use all of the bandwith up to 4 mega if the other is unused
- But try to give an equal bandwidth to each link
- Filters some dangerous ports with pf

Can somebody give me some help with this case ?

Regards Romain

OpenBSD Loose UDP Routing?

2009-07-31T13:47:12Z

This is a quote from one of their Knowledge Base articles. Is it possible to enable this in OpenBSD?

The reason for this is AC uses "Loose UDP Routing". What this means is that information that comes back from the servers is on a different port than information that is sent to them.

Packet Logging Through Syslog, cannot get any logs from txt file

2009-06-27T15:27:05Z

I did everything as described in the faq, but for some reason I don't see any log in my new /var/log/pflog.txt file.
Do I need a fresh reboot, Even though I have restarted the syslog.pid process. ?

I have a block log all by default, but did not assign a pass to pflog0, is there a possible issue?

Thanks for any help.

Cannot rdr from internal network to a squid proxy running on pf bridge firewall.

2009-01-07T16:05:50Z

Hi Guys,

I have researching and investigating on doing squid transparent proxying with the use of pf in bridge mode. But I could not still find a way to make it work.
I have read heaps of stuff across the net but nothing seems to work for me.

I want all my clients on the internal network to be redirected to squid on localhost (127.0.0.1 3128) whenever they do http request. The firewall is in bridge mode.

Looking at the tcpdump on pflog0, the rdr rule is being hit but the rule with route-to is not.

Here is a tcpdump for the traffic:
1231295472.541029 rule 0/(match) rdr in on em0: freebsd-testmach.auckland.ac.nz.56875 > localhost.auckland.ac.nz.3128: [|tcp] (DF)
1231295472.541048 rule 3/(match) pass out on em1: freebsd-testmach.auckland.ac.nz.56875 > localhost.auckland.ac.nz.3128: [|tcp] (DF)

The first line matches the rdr rule on em0 but the second line tells that is has passed out on the external interface(em1) which is wrong.

Can you please help me out with this dilemma.

Below is my setup/configuration. I am running squid squid-3.0.STABLE11 and have configured squid with this options ./configure --prefix=/var/squid --with-pthreads --enable-pf-transparent

bridge0 = em0 + em1
# cat /etc/bridgename.bridge0 down
add em0
add em1
addspan em0
addspan em1
-learn em1
-learn em0
discover em0
discover em1
autoptp em0
autoptp em1
maxaddr 400
fwddelay 6
-link0
-link1
up

# cat /etc/sysctl.conf net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

# cat /etc/pf.conf

ext_if="em1"
int_if="em0"
set loginterface $ext_if
scrub in

rdr pass log on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick log on $int_if route-to 127.0.0.1 proto tcp from any to 127.0.0.1 port 3128

pass in log all
pass out log on $int_if all
pass out log on $ext_if all

Thanks in advance. Your help is mostly appreciated.

Best Regards,

Mark Pagulayan
University of Auckland

Reflect SNMP traps to multiple destinations.

2008-11-03T06:01:34Z

Hello,

I am attempting to forward traps from a device to multiple management stations.
For example,

Router A sends a trap to a node (NMS-A). When this trap passes the firewall, I would like to pick up the packet, and duplicate this packet to NMS-B, NMS-C etc).

I have looked at pf.conf, attempting several rule types.
Firstly, I tried the rdr statement, but it only forwards round-robin (so either of the NMSs, but not all - which is what I want it to do).

Then I looked at the dup-to syntaxes, but I cannot see the traps being sent to any other NMS than one of them.

This rule (in my head), would look at all traps sent to nms-a, and duplicate the traps for nms-b and nms-c

pass in on $int_if dup-to ($nms_if $nms-b) proto udp from 10.10.10.1 to $nms-a port 162
pass in on $int_if dup-to ($nms_if $nms-c) proto udp from 10.10.10.1 to $nms-a port 162

# Router A is 10.10.10.1

Where am I going wrong? I have tried a lot of options now, but all I see when tcpduping the nms_if are traps goin gto nms-a....

Please help...

Cheers,
Simon (aka Cyberclogs).

Re: PFW... ever used it?

2007-11-07T12:04:26Z

So I guess that's a no?

PFW... ever used it?

2007-11-05T11:57:03Z

I am very very new to Open BSD, and we have a Twinguard firewall, with this pfw app installed. It allows for a web browser to configure the packet filter. I have some general questions if someone would like to help...

Does the syntax "any" work as a source or destination when setting up my rule?

Is a protocol always necessary on my rules?

What does the Family Address represent? What does inet mean and when should I use it?

Here is what the pfw interface has as my rules after I configured them in the web browser. I am sure there are mistakes here, so if someone could show me what I'm doing wrong, that would be GREAT!!!

Thanks!!

# Network Rules
pass in log on $ext_if from ipsec_users to 172.20.0.0 # Any in
pass out log on $ext_if from 172.20.0.0 to ipsec_users # Any out
pass in on $ext_if proto tcp from any to 172.20.255.108 port 5190 # AOL in
pass out log on $ext_if proto tcp from 172.20.255.108 to any port 5190 # AOL out
pass in on $ext_if from any to 172.20.255.108 port 5190 # AOL in
pass out log on $ext_if proto tcp from 172.20.1.110 port 80 to any # Filtered-HTTP
pass in on $ext_if proto tcp from any to 172.20.255.108 port 25 # Filtered-SMTP in
pass out log on $ext_if proto tcp from 172.20.255.108 port 25 to any # Filtered-SMTP out
pass in log on $ext_if proto FTP from 208.57.255.187 port 21 to 172.20.99.6 # FTP in
pass out log on $ext_if proto FTP from 172.20.99.6 to any port 21 # FTP out
pass in log on $ext_if proto tcp from 208.57.255.187 port 443 to 172.20.255.189 # HTTPS_Synxis in

SIP connection tracking via PF

2007-09-10T11:44:49Z

Hi,

Is there an openbsd counterpart for linux sip connection tracking module? We have a voip setup (host based) wherein we have agents pc w/ xlite on windows connecting to a dialer outside our LAN. Our previous setup was openbsd 4.1 w/ PF enabled. I tried making calls but connection cannot be established. I tried removing all filtering/blocking but still of no avail. Then I heard about the sip connection tracking module of linux w/c I loaded upon start of the server then do the necessary Iptables config, voila ,, it works! I'm an openbsd for almost 4 yrs and I really love PF. Is there a way I could work this out using PF ?

Thanks,

Appie

Re: I have $300

2005-11-30T15:13:10Z

Awesome - good deal. I have a Netra X1 running openbsd and it's rock solid.

Good luck,

-Ian

On 11/30/05, Bob Ababurko <ababurko@...> wrote:

>
>
> I totally appreciate everybodies comments and I have in fact decided to
> pass over the embedded solution. We just picked up a Sun Netra T105
> (440Mhz, 512MB)on ebay. It was about $135 shipped and have two onboard
> NIC's. I have always like Sun hardware and it works well with OpenBSD,
> it is some of the best in quality. Fits in one rack unit and will be
> cheap to grab another to do a failover when the time comes. I can even
> dd the drive to make a disk for the new unit when I implement it.
>
> I understand that running two cheap ones is better than running one
> solid state machine. Plus the horsepower leaves little to work with in
> some of these tiny contraptions(soekris comes to mind). Not to say that
> they do not have their place, but I feel that this is the best answer.
>
> -Bob

Re: I have $300

2005-11-30T11:56:52Z

I totally appreciate everybodies comments and I have in fact decided to
pass over the embedded solution. We just picked up a Sun Netra T105
(440Mhz, 512MB)on ebay. It was about $135 shipped and have two onboard
NIC's. I have always like Sun hardware and it works well with OpenBSD,
it is some of the best in quality. Fits in one rack unit and will be
cheap to grab another to do a failover when the time comes. I can even
dd the drive to make a disk for the new unit when I implement it.

I understand that running two cheap ones is better than running one
solid state machine. Plus the horsepower leaves little to work with in
some of these tiny contraptions(soekris comes to mind). Not to say that
they do not have their place, but I feel that this is the best answer.

-Bob

Re: carp + no ip address on iface (only master can receive acks)

2005-11-17T05:55:13Z

On Thu, Nov 17, 2005 at 10:02:46PM +1100, Alex Strawman wrote:
> > Traffic shouldn't even be getting OUT on the backup in this situation.
>
> i agree - there is no correct solution without using an ip addr for
> each real interface.

> would be nice to for example use an external ntp server to sync with,
> but unless it uses another route (rather than ip-less carp'd
> interface), it cannot (without dodgy work-arounds).

Assuming you are also using pfsync, that means you've got another
interface that directly connects both firewalls. Assign normal,
non-multicast addresses to those physical pfsync interfaces and ensure
that you can pass traffic between the two. Configure pf on both boxes
to NAT traffic out over its external carp'd IP address when it is coming
in on $pfsync_if from $pfsync_net.

This allows your carp backup to still have outbound net so things like
NTP, mail and external DNS lookups still work. Yes, there are ways you
could run these and other various services internally but there may be
reasons you cannot do this. In the end, having outbound connectivity
for an otherwise unreachable host is a good thing, IMO.

The catch here is that when the backup carp host is a backup, its
routing table must be aware that its route is no longer out over the
carp'd interface, but rather over your pfsync interface and the
receiving end is going to nat for you. There may be other ways to
accomplish this (ospf, perhaps), but I went with ifstated.

In my case, carp5/em5 on each box points upstream and each box has
a single external IP address assigned to it. The two boxes each have
the same two failover upstream gateways (not under my control -- a.b.c.d
and w.x.y.z). Yes, this setup is different than yours, but it should
give you enough to help you figure out the routing bit.

The config below is for the backup carp host. A similar one exists for
the master (all that is different is that the primary/secondary routes
are different and the pfsync IP to route to is different (.3 vs .2)).

Pretty? Depends who you ask. The right solution? Likely not, but it
got me out of a hole that I needed a way out of quickly, and it may
help you too.

-jon

#####

init-state wan_master
wan_carp_up = "carp5.link.up"
wan_carp_init = "carp5.link.unknown"
wan_iface_up = "em5.link.up"
wan_primary_route_up = '"ping -q -c1 -w1 a.b.c.d 2> /dev/null 1> /dev/null" every 2'
wan_secondary_route_up = '"ping -q -c1 -w1 w.x.y.z 2> /dev/null 1> /dev/null" every 2'

state wan_master {
init {
run "echo WAN master at `date` | mail -s 'WAN master change' \
someone@..."
}

# probably just came up. give things a chance to sync
if ($wan_carp_init)
run "sleep 5"

if (! $wan_carp_up)
set-state wan_slave
if ($wan_primary_route_up)
set-state primary_route
if (! $wan_primary_route_up) && ($wan_secondary_route_up)
set-state secondary_route
if (! $wan_primary_route_up) && (! $wan_secondary_route_up)
run "echo THIS SHOULD NEVER HAPPEN!"
}

state wan_slave {
init {
# simple. drop the default route and route over $SYNC_IF
run "route change default 192.168.0.2"
run "echo WAN slave at `date` | mail -s 'WAN slave change' \
someone@..."
}

# if our link(s) come up, become the master
if ($wan_carp_up)
set-state wan_master
}

state primary_route {
init {
run "route change default a.b.c.d"
run "echo Using primary route at `date` | mail -s 'Primary route change' someone@..."
}

# if our link(s) go down, become the slave
if (! $wan_carp_up)
set-state wan_slave

if (! $wan_primary_route_up)
set-state secondary_route
}

state secondary_route {
init {
run "route change default w.x.y.z"
run "echo Using secondary route at `date` | mail -s 'Secondary route change' someone@..."
}
# if our link(s) go down, become the slave
if (! $wan_carp_up)
set-state wan_slave

if (! $wan_secondary_route_up)
set-state primary_route
}

Re: carp + no ip address on iface (only master can receive acks)

2005-11-17T03:02:46Z

> Traffic shouldn't even be getting OUT on the backup in this situation.

i agree - there is no correct solution without using an ip addr for
each real interface.

would be nice to for example use an external ntp server to sync with,
but unless it uses another route (rather than ip-less carp'd
interface), it cannot (without dodgy work-arounds).

Re: carp + no ip address on iface (only master can receive acks)

2005-11-17T00:02:39Z

On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
> ok, now this makes sense, how is the next hop meant to send packets
> back? it sends them to the mac address the carp0 is broadcasting,
> which the master happily accepts, only to see its not in its state
> table, and drops it.
>
> the backup system doesn't get it's acks back..

Traffic shouldn't even be getting OUT on the backup in this situation.

> is there currently a way around this

Get more IP addresses.

carp + no ip address on iface (only master can receive acks)

2005-11-16T20:02:56Z

one small problem with carp and ip-less interfaces..

scenario: you have no ip address bound to each of the real interfaces,
and carp is sharing the one address for you (isp only gives you 1
address).

only the master can craft packets out (assuming this shared carp'ed
address is the external).

ok, now this makes sense, how is the next hop meant to send packets
back? it sends them to the mac address the carp0 is broadcasting,
which the master happily accepts, only to see its not in its state
table, and drops it.

the backup system doesn't get it's acks back..

is there currently a way around this?

i bashed a quick thing to route via the other system (via pfsync
interface), and if the host is down or this box (the backup) becomes a
master, then remove the route and resort back to the default (via the
carp0 interface, which the next hop will now reply too, or should i
say, the carp0 will now accept to/from)

buts thats fair hokey

Alex