<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.os.openbsd.pf">
    <title>gmane.os.openbsd.pf</title>
    <link>http://blog.gmane.org/gmane.os.openbsd.pf</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8031"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8025"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8024"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8022"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8020"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8017"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8016"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8014"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8012"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8010"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8007"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8006"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8005"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8004"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8003"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7999"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7997"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7995"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7988"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7987"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8031">
    <title>Simultaneous CARP failover for multiple interfaces</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8031</link>
    <description>&lt;pre&gt;I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration, each straddling two routed networks.
The CARP interface on the internal network is the default gateway for
that subnet. The CARP interface on the external network is the default
destination for traffic aimed at the internal network.

It all works splendidly, with one exception.

In order for our firewall to operate effectively, we use 'keep state'
pf rules. We empirically determined that we must have CARP preemption
enabled, otherwise pf cannot properly establish state for new TCP
connections. If pfsync could be told to synchronize incomplete states,
this issue might go away.

Example: firewall1 is the master on the carp1 interface, and firewall2
is the master on the carp2 interface. Inbound traffic to an internal
host arrives via the carp1 interface, and return traffic arrives via
the carp2 interface. pf will not establish state for this new connection
since the inbound and return traffic are not handled by the same firewall
host.

We thus use CARP preemption to force one of the firewalls to always come
up as the master for both CARP interfaces. This is not so unreasonable,
though it might be nice if the documentation presented this use-case (or
similar) as a rationale for needing CARP preemption.

Where this presents a problem is if the current CARP master loses a single
network interface (cable unplugged, isolated hardware failure, sysadmin
failure, etc.), as opposed to the CARP master failing entirely. The slave
will appropriately assume the master role for one CARP interface, but will
*not* do so for the second.

Beyond the basic asynchronous routing + state creation issue described
above, this specific failure mode would still result in a complete inability
to pass traffic in a single direction, since packets would come into the
half-dead master via its good interface, but could not be forwarded to the
network associated with the failed interface.

We would like our otherwise nicely redundant firewall configuration to be
resilient against this type of failure. Short of running a cron job every
sixty seconds to check the interface state, is there some way we can
automatically force the promotion of a CARP slave if a second CARP interface
flips from slave to master?

Suggestions are most appreciated. I apologize if the CARPish-flavor of this
question is not entirely appropriate for the pf mailing list; if there is
another list that would be more suited for this question, please let me know.

--Kyle

&lt;/pre&gt;</description>
    <dc:creator>Kyle Lanclos</dc:creator>
    <dc:date>2012-04-23T18:49:14</dc:date>
  </item>
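Kyle's failure case, one parent link lost while the other CARP interface keeps its master role, is what CARP's shared demotion counter exists for: every carp interface is a member of the `carp` interface group by default, and raising that group's demotion counter on one host makes the peer with the lower counter take over every carp interface in the group at once, so both gateways fail over together. The `/etc/ifstated.conf` below is an added example, not part of the post and not taken from the OpenBSD documentation; it watches the link state of the two parent interfaces and demotes or un-demotes the whole group. The interface names em0 (external) and em1 (internal) and the demotion value 50 are assumptions.

```conf
# /etc/ifstated.conf  (added example; em0, em1 and the value 50 are assumptions)
# Start from the assumption that both parent links are fine.
init-state healthy

ext_link = "em0.link.up"
int_link = "em1.link.up"

state healthy {
	# Either parent link down: demote every carp interface on this host by
	# raising the shared counter of the "carp" interface group. The peer,
	# whose counter is now lower, becomes master for both carp interfaces,
	# so traffic is not half-forwarded through a host with a dead leg.
	if ! $ext_link || ! $int_link {
		run "ifconfig -g carp carpdemote 50"
		set-state degraded
	}
}

state degraded {
	# Both links up again (the negation of the condition above): take the
	# demotion back. With preempt enabled this host resumes mastership of
	# both carp interfaces together, never of just one.
	if ! (! $ext_link || ! $int_link) {
		run "ifconfig -g carp -carpdemote 50"
		set-state healthy
	}
}
```

Check the file with `ifstated -n -f /etc/ifstated.conf`, start the daemon from rc.conf.local, and verify the behaviour by unplugging one cable: `ifconfig -g carp` on the degraded host shows `carp demote count 50`, and the other host becomes master on both carp interfaces. The `.link.up` tests depend on the NIC driver exposing link state; if `ifconfig em0` does not report `status: active` while the cable is in, the driver does not provide it and these tests cannot fire.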
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8025">
    <title>inbound queueing on external interface due to multiple internal interfaces</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8025</link>
    <description>&lt;pre&gt;Hello,
I know this has been discussed before, but I am not a developer (I
wish I had the skills, as I would code this myself otherwise).
I have huge respect for all that the OpenBSD community does and this
is not a whinge or a moan; please hear our woes.


Yes, of course downstream queuing is only of benefit for TCP to get
the sender to slow down etc etc, but that is exactly what we need.
If we don't queue downstream traffic, our downstream link gets
saturated and our ISP starts to drop random packets. If we do the
downstream queuing here, we pre-emptively drop low priority packets
before saturation thus slowing the sender down before saturating the
WAN's downstream leaving headroom for VoIP etc.


We have a firewall with 4 internal interfaces for various different
subnets and 1 external WAN interface like many users have. Queuing
upload traffic is easy on the WAN interface, but downstream traffic
needs to be queued on each of the internal interfaces.
Initially this would seem fine, until you realise that if 3 of the 4
internal interfaces are idle the busy 4th interface cannot use the
entire download bandwidth available on the WAN. This is because you
can only assign a 'slice' of the total download bandwidth (summing to
100% of WAN speed) to each of the internal interfaces resulting in
very inefficient download utilisation across the internal zones.

I appreciate that we could buy 'another' 2 boxes with only two
interfaces to sit on the WAN link (both running CARP etc) but this
seems extremely inefficient, wasteful, harder to manage and simply
ugly when compared to other features of OpenBSD, to end up with 4
boxes (2 multi-zone firewalls, and 2 queue servers) to achieve
resilient download queuing shared across multiple local subnets.

So, there is a clear need to be able to queue inbound traffic on the
WAN interface when there are multiple internal local interfaces. I
appreciate this is a feature that would need to be added to ALTQ rather
than PF.


So far my thinking is to create a second virtual loop-back interface
'lo1', and divert (divert-to not redirect (rdr-to)) all inbound
traffic on the WAN interface to lo1. Then set up a queue on lo1 which
represents the desired shared 'inbound queue' for all internal
interfaces. Naturally after the traffic passes through lo1 it will get
queued, and the packets should then get routed as normal via their
respective internal local interfaces etc.

Would this work?

We have to use inbound queuing, without it our WAN link saturates with
low priority traffic, and we need to maintain headroom for high
priority VoIP traffic etc.
But we also want any internal local network to be able to fully
utilise the WAN downstream bandwidth instead of only 1/4 of it even
when the others are idle.


Thanks for your thoughts and ideas in advance :)
Andy

If we had to bounty this, how much? I might be able to get £100 for a
bounty?
Cheers.

&lt;/pre&gt;</description>
    <dc:creator>Andy Lemin</dc:creator>
    <dc:date>2012-04-11T13:02:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8024">
    <title>CARP ip balancing on ExtremeWare</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8024</link>
    <description>&lt;pre&gt;I'm having a hell of a time using Extreme Networks Summit 400-24t
switches with IP balancing of any type.

I've tried OpenBSD 5.0 and a -current snapshot from Feb 02.  I've
tried all the modes, but none of them work.  There's not a good way
I'm aware of to do port mirroring for ip-unicast, but I don't
understand why ip-stealth isn't working.  I manually clear the
forwarding database after activating ip-stealth.

I'm just about to relegate these to dumb switch duty and try and find
some other vendor that just works.  Any chance someone else has
cracked the code on these with pf in the past?

Regards,
Kevin

&lt;/pre&gt;</description>
    <dc:creator>Kevin Bowling</dc:creator>
    <dc:date>2012-02-07T10:03:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8022">
    <title>handling local traffic</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8022</link>
    <description>&lt;pre&gt;OpenBSD 4.9 GENERIC.MP#819 amd64

I'm not quite sure when things changed, but I can no longer apply rules 
to locally originating traffic:
     match in log on lo

now only logs local-&amp;gt;local traffic and
     match out log received-on lo

logs nothing. The best I can do, it seems, is to
     match in tag "EXTERNAL"
     match out log tagged ""

More worrying for me, however, is the inability to control traffic being 
received by the host. I want to be able to

     pass on $dmz to port {http, https, ssh}
     block out on lo
     pass out on lo from &amp;lt;trusted&amp;gt; to port ssh

I feel I must be missing something, I'm just not sure what.



&lt;/pre&gt;</description>
    <dc:creator>Justin Murdock</dc:creator>
    <dc:date>2012-01-30T12:31:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8020">
    <title>Matter with transparent proxy</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8020</link>
    <description>&lt;pre&gt;
Hello,

I am now trying to create a transparent proxy using squid on OpenBSD 5.0 with
Packet Filter, everything passing through a bridge.

Squid runs; I tested the bridge, and the machines located on the other side
can access the outside.

The problem is that when I try to redirect traffic using packet filter to
127.0.0.1 on the port squid is listening on (port 3128), nothing happens: the
machine on the other side can access the Internet and suffers none of the
restrictions previously configured in squid.

If anyone has an idea of the problem, please let me know.

thank you
&lt;/pre&gt;</description>
    <dc:creator>pizzahut</dc:creator>
    <dc:date>2012-01-12T14:15:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8017">
    <title>I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8017</link>
    <description>&lt;pre&gt;Hi
At my workplace we have over 24 computers, all of them Windows, and
I have a NAT server. This NAT server uses FreeBSD 8.2 amd64, and I use
PF for NAT with FreeBSD 8.2. After much searching on Google, I found this
pf.conf

====================================================
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS 
############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES 
############################################################

#Define privileged network address sets
table &amp;lt;priv_nets&amp;gt; const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
                           14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table &amp;lt;badguys&amp;gt; persist file "/usr/local/pf/Network/blocklist.lst"
table &amp;lt;hackers&amp;gt; persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table &amp;lt;Admin&amp;gt;   persist file "/usr/local/pf/Network/Admin.lst"
table &amp;lt;Paltalk&amp;gt; persist file "/usr/local/pf/Network/Paltalk.lst"
table &amp;lt;WebDsgn&amp;gt; persist file "/usr/local/pf/Network/WebDsgn.lst"
table &amp;lt;Rased&amp;gt;   persist file "/usr/local/pf/Network/Rased.lst"
table &amp;lt;LocalHost&amp;gt; const { self }

############################### OPTIONS 
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION 
##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION 
######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -&amp;gt; $SERVER

nat pass on $ext_if from $paltalk1 to any -&amp;gt; $NAT1
nat pass on $ext_if from $paltalk2 to any -&amp;gt; $NAT2
nat pass on $ext_if from $paltalk3 to any -&amp;gt; $NAT3
nat pass on $ext_if from $webdsgn1 to any -&amp;gt; $NAT4
nat pass on $ext_if from $webdsgn2 to any -&amp;gt; $NAT5
nat pass on $ext_if from $webdsgn3 to any -&amp;gt; $NAT6
nat pass on $ext_if from $webdsgn4 to any -&amp;gt; $NAT7
nat pass on $ext_if from $webdsgn5 to any -&amp;gt; $NAT8
nat pass on $ext_if from $webdsgn6 to any -&amp;gt; $NAT9
nat pass on $ext_if from $webdsgn7 to any -&amp;gt; $NAT10
nat pass on $ext_if from $webdsgn8 to any -&amp;gt; $NAT11
nat pass on $ext_if from $rased1   to any -&amp;gt; $NAT12
nat pass on $ext_if from $rased2   to any -&amp;gt; $NAT13
nat pass on $ext_if from $rased3   to any -&amp;gt; $NAT14
nat pass on $ext_if from $rased4   to any -&amp;gt; $NAT15
nat pass on $ext_if from $rased5   to any -&amp;gt; $NAT16
nat pass on $ext_if from $rased6   to any -&amp;gt; $NAT17
nat pass on $ext_if from $rased7   to any -&amp;gt; $NAT18
nat pass on $ext_if from $rased8   to any -&amp;gt; $NAT19
nat pass on $ext_if from $admin1   to any -&amp;gt; $NAT20
nat pass on $ext_if from $admin2   to any -&amp;gt; $NAT21


#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -&amp;gt; 192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -&amp;gt; 192.168.0.50 port 22

############################### PACKET FILTERING 
#################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf
=========================================================================================================================== 

I have 27 valid (static) IPs.
All users in my workplace use Paltalk; Paltalk is a messenger like
Yahoo Messenger and is used for voice chat, and Paltalk, like Yahoo, has many
rooms for voice chat, but the Paltalk servers do not let users log in to
three different rooms from one valid (static) IP. Or rather, the Paltalk server
only lets users log in to three rooms from one IP, and from one IP
only three computers can log in to the Paltalk server and use it. So we got
27 valid (static) IPs from our ISP, and I put all of them in my pf.conf
and set many NAT lines in my pf.conf.
But I think my pf.conf has a problem and I do not know why sometimes some
users in the workplace cannot use the Internet: when they open Firefox and
start browsing web pages they see an error, but while they cannot browse
web pages, their Paltalk messenger is on and they have voice chat; they
just cannot browse web pages. This problem can be solved by rebooting the
server or disabling and re-enabling PF, but after a day or more this problem
happens again, and some users cannot browse web pages with Firefox or
other browsers but can voice chat.
Sometimes another problem happens: users can browse web pages, but they
cannot chat with Paltalk messenger, and I have to reboot the server or
disable and re-enable PF.

My knowledge about PF is not a lot,
and I found this pf.conf on the Internet and made it with many tests.

I want to do NAT with PF only; I do not want to block ports or apply other
policy. I want PF only for NAT.
Please help me to solve this problem.


After searching Google I understand the PF version in FreeBSD 8.2 is very old,
and after that I wanted to use OpenBSD 5 for the NAT server. I want to use it,
but after searching Google I understand NAT config in the old PF is much
different from the new PF, and I know we can find the new PF in OpenBSD 5.

Please help me to use my pf.conf in OpenBSD 5.
Can I use this pf.conf in OpenBSD 5 or not?
Did I make a mistake in my pf.conf?



Please help me to make the best pf for NAT with OpenBSD 5.

thanks

&lt;/pre&gt;</description>
    <dc:creator>Gholam Mostafa Faridi</dc:creator>
    <dc:date>2011-11-02T17:30:37</dc:date>
  </item>
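On the migration question: OpenBSD 5.0's pf no longer has `nat` and `rdr` rule types. Translation is written as a `nat-to` or `rdr-to` option on a `match` (or `pass`) rule, `scrub` is likewise a match option, and state is kept by default, so `keep state` is redundant. The configuration below is an added example, not from the post and not the FreeBSD or OpenBSD example file; it carries two of the NAT groups across (the remaining groups follow the same pattern) and keeps the addresses from the post. The interface names em0 and em1 are assumptions. One thing worth checking against the symptoms described (browsing fails until pf is reloaded, while chats that are already up keep working): the posted configuration combines `set limit { states 10000 }` with `tcp.established 86400`, so idle TCP states linger for 24 hours and can fill the table; `pfctl -s info` prints the current state count, `pfctl -s memory` the limit, and a reload flushes the table, which is consistent with a reload making the problem go away for a while.

```pf
# Added example: OpenBSD 5.0 translation of the FreeBSD 8.2 NAT config above.
# Interface names are assumptions; the addresses are the ones from the post.
ext_if = "em0"
int_if = "em1"

paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
NAT1     = "10.10.10.194"
NAT2     = "10.10.10.195"

# Keep the 24-hour idle timeout from the original, but raise the state
# ceiling so 27 groups of long-lived chat sessions cannot fill the table.
set timeout { tcp.established 86400 }
set limit { states 100000 }
set loginterface $ext_if
set block-policy drop
set skip on lo0

# "scrub in all" is now a match option
match in all scrub (no-df random-id)

# nat rule types no longer exist: translation is an option on a match rule.
# The match rule sets the translation; the pass rule below admits the packet.
match out on $ext_if from $paltalk1 to any nat-to $NAT1
match out on $ext_if from $paltalk2 to any nat-to $NAT2
# ... one match line per group, in the same order as the nat lines before

# Filtering: "keep state" is the default, every pass rule creates state.
pass quick on { $ext_if, $int_if }
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only); once loaded, `pfctl -s state` shows each translated connection with the chosen public address in parentheses next to the internal one, which is the quickest way to confirm that a group is leaving through the address it was assigned.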
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8016">
    <title>problems with PF and DMZ nat</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8016</link>
    <description>&lt;pre&gt;Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a
couple of reasons: I'm tired of paying Cisco money just to receive
updates, tired of the license limits and the device is about six years
old.

So I have an Atom server with three interfaces, one each for public, DMZ and
internal.

The current config with the ASA is the following:

external (now fxp1) ---&amp;gt; Firewall ---&amp;gt; DMZ (192.168.100.0/24) (now
fxp0) ---&amp;gt; Internal (192.168.200.0/24) (now re0).

I don't really want to re-IP the nodes in the DMZ so if possible I'd
like to keep everything the same. I've purchased the book of PF
version 2 but still need some assistance. Here is my pf.conf:


#MACROS
_int="re0"
lan="re0:network"

_dmz="fxp0"
dmz="192.168.100.0/24"

mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

#TABLES

#OPTIONS
set skip on lo
set block-policy drop

#NORMALIZE  TRAFFIC
match in all scrub ( no-df max-mss 1440 )

#NAT
match out on egress from $lan to any nat-to egress
match out on egress from $dmz to any nat-to egress

#REDIRECTIONS
match in on egress inet proto tcp from any to any port 25 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 110 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 587 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 465 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 25 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 995 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 443 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 110 \
    rdr-to $mailserver
match in on egress inet proto tcp from any to any port 80 \
    rdr-to $ftpwebserver

#BLOCK POLICY
block log all

#PROTECTION
antispoof for { lo0 re0 fxp0 fxp1 }
block in on egress from $RFC1918 to any
block out on egress from any to $RFC1918

#AUTHORIZE PINGS
pass inet proto icmp all icmp-type { echoreq, unreach }

#FORWARDING OUT
pass out on egress inet proto tcp from any to any
pass out on egress inet proto udp from any to any

#LAN SERVICES
anchor "ftp-proxy/*"
pass in on $_int proto tcp from any to any port ftp \
    rdr-to 127.0.0.1 port 8021

#AUTHORIZED SERVICES
pass in on $_int proto tcp from $lan to any port \
    { 80 22 3000 4567 443 53 69 }
pass in quick on $_int proto udp from $lan to any port { domain 69 }

#CONSOLE ACCESS
#pass in on egress proto tcp from any to egress port 22

#DMZ SERVICES
pass in on egress proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass out on $_dmz proto tcp from any to $mailserver port \
    { 25 110 443 587 465 995 }
pass in on $_dmz proto tcp from $mailserver to any port \
    { 25 110 587 465 995 }

#ACCESS WEB SERVICES
pass in on egress inet proto tcp from any to $ftpwebserver port 80
pass out on $_int inet proto tcp from any to $ftpwebserver port 80

Basically I want the internal network to be able to access the DMZ but
obviously not the other way around.

&lt;/pre&gt;</description>
    <dc:creator>Bentley78</dc:creator>
    <dc:date>2011-11-01T17:10:21</dc:date>
  </item>
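The policy the post asks for, LAN may reach the DMZ and the DMZ may not initiate anything toward the LAN, comes down to one quick block on the DMZ interface evaluated before the DMZ's outbound pass. The rule set below is an added example that keeps the post's interface and address names; it is neither the poster's configuration nor text from The Book of PF. Compared with the posted rules it lists each forwarded port once, and it passes web traffic out on `$_dmz`, where 192.168.100.1 actually lives (the posted rule passes it `out on $_int`, the LAN interface, so it can never match a packet headed for the DMZ). fxp1 as the external interface is taken from the post's diagram.

```pf
# Added example: three-legged firewall with the post's names and addresses.
_int = "re0"
lan  = "re0:network"
_dmz = "fxp0"
dmz  = "192.168.100.0/24"
mailserver   = "192.168.100.2"
ftpwebserver = "192.168.100.1"
mail_ports   = "{ 25 110 443 465 587 995 }"

set skip on lo
set block-policy drop
match in all scrub (no-df max-mss 1440)

# Outbound NAT for both inside networks
match out on egress from { $lan $dmz } to any nat-to (egress)

# Port forwards: each port once, only to the host that serves it
match in on egress inet proto tcp to (egress) port $mail_ports rdr-to $mailserver
match in on egress inet proto tcp to (egress) port 80 rdr-to $ftpwebserver

block log all
antispoof quick for { $_int $_dmz fxp1 }

# Internet to DMZ: only the redirected services. rdr-to has already
# rewritten the destination, so the pass rules filter on the DMZ host.
pass in on egress inet proto tcp to $mailserver port $mail_ports
pass in on egress inet proto tcp to $ftpwebserver port 80

# DMZ hosts: outbound to the Internet only, never into the LAN.
# The block is quick, so it wins over the pass that follows it.
block in quick on $_dmz from $dmz to $lan
pass in on $_dmz inet proto { tcp udp } from $dmz to any

# LAN: anything outward, which includes the DMZ services
pass in on $_int inet from $lan to any

# Let the firewall forward what the rules above admitted
pass out on { egress $_dmz $_int } inet
```

A quick check of the segmentation after loading: from a DMZ host, a connection attempt to any LAN address should show up in `tcpdump -n -e -ttt -i pflog0` as blocked on fxp0 by the quick rule, while the same host still reaches the Internet.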
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8014">
    <title>anonymous VPN service and openbsd..</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8014</link>
    <description>&lt;pre&gt;Hi, has anybody tried to set up an openvpn/pptp connection on their
OpenBSD firewall to an anonymous VPN service, redirecting only
torrent traffic through the tunnel?



&lt;/pre&gt;</description>
    <dc:creator>Daniel Rapp</dc:creator>
    <dc:date>2011-08-23T11:00:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8012">
    <title>PF load balancing</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8012</link>
    <description>&lt;pre&gt;Hello, I have two internet connections and I want to use both with
round-robin load balancing, only for outgoing connections. I found
various solutions on the web, but I did not manage to modify them
for my scenario. One internet
connection is a normal ADSL line: there is a modem that I connect to the
OpenBSD router, and the interface receives a dynamic IP using DHCP. The
other connection has a static IP address and gateway. Now I'm reading
the PF documentation, but while I study I need a "fast and dirty"
solution that "just works". Can someone help me?

Thanks, Elerdin.

&lt;/pre&gt;</description>
    <dc:creator>elerdin</dc:creator>
    <dc:date>2011-08-23T10:00:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8010">
    <title>pf reply-to problem</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8010</link>
    <description>&lt;pre&gt;Hi,
I am currently running OpenBSD 4.9 as a router/firewall for my work and so
far I have nearly a fully working config but there is something I cannot
manage to do :(

Here is my configuration:
The server has one physical interface; I added a gif interface to connect it
to a remote machine which is used to route most of the traffic. On this gif
interface I have incoming requests I want to pass through squid.

Here is my pf.conf file (prettier version here:
https://gist.github.com/1131783 ):

    phys_if = "re0"

    c1_tunnel = "gif1001"
    c1_tunnel_dst = "95.140.15.38"
    c1_tunnel_src = "87.98.149.50"
    c1_escape = "87.98.154.179"

    set skip on lo0
    set block-policy drop

    # block any packet with no match
    block log all

    # allow our own services to work
    pass in on $phys_if proto tcp from any to $phys_if port { ssh } synproxy
state
    pass in on $phys_if inet proto icmp from any to $phys_if
    pass out on $phys_if label "system"

    # allow ipip traffic (gif interface)
    pass in on $phys_if from $c1_tunnel_dst to $c1_tunnel_src label
"c1_tunnel"
    pass out on $phys_if from $c1_tunnel_src to $c1_tunnel_dst label
"c1_tunnel"

    # tag incoming packets from the tunnel and from
    # the outside to the public ip address
    match in log(matches) on $c1_tunnel tag "c1"
    match in log(matches) on $phys_if from any to $c1_escape tag "c1"

    # Allow incoming packet to port 80 and redirect them to squid
    pass in log(matches, all) on $c1_tunnel proto tcp to port 80 \
      rdr-to 127.0.0.1 port 1001 \
      reply-to ($c1_tunnel 10.0.0.5) \
      tagged "c1" label "c1_proxied_traffic"



The result is that I cannot establish a tcp connection to port 80 for a
machine behind the gif tunnel; here is what tcpdump says on this machine (
tcpdump -s 0 -vlni &amp;lt;interface&amp;gt; port 80 ):

IP (tos 0x0, ttl  62, id 8175, offset 0, flags [DF], length: 60)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: S [tcp sum ok]
3993732249:3993732249(0) win 65535 &amp;lt;mss 1380,nop,wscale 3,sackOK,timestamp
442132554 0&amp;gt;
IP (tos 0x0, ttl  64, id 59219, offset 0, flags [DF], length: 64)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: S [tcp sum ok]
3332347257:3332347257(0) ack 3993732250 win 16384 &amp;lt;mss
1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2569862135 442132554&amp;gt;

IP (tos 0x0, ttl  62, id 8176, offset 0, flags [DF], length: 52)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: . [tcp sum ok] ack 1 win 8208
&amp;lt;nop,nop,timestamp 442132595 2569862135&amp;gt;
IP (tos 0x0, ttl  62, id 8189, offset 0, flags [DF], length: 54)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: P [tcp sum ok] 1:3(2) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442134444 2569862135&amp;gt;
IP (tos 0x0, ttl  64, id 65354, offset 0, flags [DF], length: 58)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: P [bad tcp cksum a676 (-&amp;gt;a9cf)!]
1:7(6) ack 3 win 2052 &amp;lt;nop,nop,timestamp 2569862139 442134444&amp;gt;

IP (tos 0x0, ttl  62, id 8190, offset 0, flags [DF], length: 54)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: P [tcp sum ok] 1:3(2) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442134770 2569862135&amp;gt;
IP (tos 0x0, ttl  64, id 23274, offset 0, flags [DF], length: 52)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: . [bad tcp cksum b6c8 (-&amp;gt;ba21)!]
ack 3 win 2052 &amp;lt;nop,nop,timestamp 2569862139 442134770&amp;gt;

IP (tos 0x0, ttl  62, id 8194, offset 0, flags [DF], length: 54)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: P [tcp sum ok] 1:3(2) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442135222 2569862135&amp;gt;
IP (tos 0x0, ttl  64, id 4613, offset 0, flags [DF], length: 52)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: . [bad tcp cksum b503 (-&amp;gt;b85c)!]
ack 3 win 2052 &amp;lt;nop,nop,timestamp 2569862140 442135222&amp;gt;
IP (tos 0x0, ttl  62, id 8199, offset 0, flags [DF], length: 54)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: P [tcp sum ok] 1:3(2) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442135926 2569862135&amp;gt;
IP (tos 0x0, ttl  64, id 41419, offset 0, flags [DF], length: 52)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: . [bad tcp cksum b241 (-&amp;gt;b59a)!]
ack 3 win 2052 &amp;lt;nop,nop,timestamp 2569862142 442135926&amp;gt;

IP (tos 0x0, ttl  62, id 8205, offset 0, flags [DF], length: 52)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: F [tcp sum ok] 3:3(0) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442136662 2569862135&amp;gt;
IP (tos 0x0, ttl  62, id 8209, offset 0, flags [DF], length: 54)
&amp;lt;client_address&amp;gt;.21746 &amp;gt; &amp;lt;web_address&amp;gt;.80: FP [tcp sum ok] 1:3(2) ack 1 win
8208 &amp;lt;nop,nop,timestamp 442137134 2569862135&amp;gt;
IP (tos 0x0, ttl  64, id 43519, offset 0, flags [DF], length: 58)
&amp;lt;web_address&amp;gt;.80 &amp;gt; &amp;lt;client_address&amp;gt;.21746: P [bad tcp cksum 9bee (-&amp;gt;9f47)!]
1:7(6) ack 3 win 2052 &amp;lt;nop,nop,timestamp 2569862145 442137134&amp;gt;


There is only one packet from the web server (which is in fact my server,
since the request was redirected to squid) which finds its way to the
client; after that all the checksums are wrong and I suppose the packets
are dropped, since they never reach my client (which is curl). I tried to
figure out why the checksum could be wrong but I am now out of ideas...

I hope someone can help me on this.
&lt;/pre&gt;</description>
    <dc:creator>Schmurfy</dc:creator>
    <dc:date>2011-08-08T14:11:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8007">
    <title>NAT out to two DSL modems</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8007</link>
    <description>&lt;pre&gt;Hi,
I'm trying to NAT out to two DSL modems.
I have three network cards on three subnets:
re0: 192.168.4.0/24         Internal
re1: 41.134.100.222/29    DSL_A
re2: 10.10.10.5/24           DSL_B

I can NAT out to either re1 or re2, but I have to make my default
gateway point to the relevant gateway on that network.
How can I tell the route tables or the nat-to command what the gateway
machine is?

So I can do this, but ***only if my default gateway is
41.134.100.217*** (which is the gateway for that net):
pass out on re1 proto tcp from 192.168.4.0/24 to any nat-to re1

Likewise, I can do this, but once again, ***only if my default gateway
is 10.10.10.1*** (which is the gateway for that net):
pass out on re2 proto tcp from 192.168.4.0/24 to any nat-to re2

I believe I should be able to make this work without ANY default
gateway. But then where do I tell the system
what these two gateway machines are?

Thanks,
Ben

&lt;/pre&gt;</description>
    <dc:creator>Ben Harper</dc:creator>
    <dc:date>2011-07-19T13:49:45</dc:date>
  </item>
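One way to answer the question above, added here as an example and not taken from Ben's post or from any reply to it: the next hop for each DSL link is handed to pf directly with route-to, which names both the outgoing interface and the gateway address, so the states it creates never consult the routing table or the default route. The interface names, the LAN subnet and the two gateway addresses are the ones Ben lists; the policy of sending TCP over DSL_A and everything else round-robin over both links, and the ssh rules that show reply-to, are assumptions made for illustration.

```pf
int_if   = "re0"
dsl_a_if = "re1"
dsl_b_if = "re2"
dsl_a_gw = "41.134.100.217"   # gateway on the DSL_A subnet, as given in the post
dsl_b_gw = "10.10.10.1"       # gateway on the DSL_B subnet, as given in the post
lan      = "192.168.4.0/24"

# Translation follows the uplink the packet actually leaves on; ($if) tracks its address.
match out on $dsl_a_if from $lan to any nat-to ($dsl_a_if)
match out on $dsl_b_if from $lan to any nat-to ($dsl_b_if)

# route-to carries the gateway, so nothing below depends on the default route.
# Last matching rule wins: the general round-robin rule first, the TCP override after it.
pass in on $int_if from $lan to any route-to { ($dsl_a_if $dsl_a_gw), ($dsl_b_if $dsl_b_gw) } round-robin
pass in on $int_if proto tcp from $lan to any route-to ($dsl_a_if $dsl_a_gw)

pass out on { $dsl_a_if, $dsl_b_if } from $lan to any

# Connections accepted on an uplink must answer through that uplink's gateway,
# otherwise the replies follow the default route (assumed service: ssh to the firewall).
pass in on $dsl_a_if reply-to ($dsl_a_if $dsl_a_gw) proto tcp to ($dsl_a_if) port ssh
pass in on $dsl_b_if reply-to ($dsl_b_if $dsl_b_gw) proto tcp to ($dsl_b_if) port ssh
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f. Two caveats: route-to only affects traffic matched by those pass in rules, so the firewall's own connections (DNS, ntpd, pkg_add) still use the routing table and a default route is still wanted for them; and without the reply-to rules, a connection that arrives on re2 is answered via whatever the default route says, which is exactly the symptom described in the post.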
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8006">
    <title>Incorrect NAT translation?</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8006</link>
    <description>&lt;pre&gt;Lets get some standard stuff out of the way first.

# uname -a
OpenBSD pbxfw 4.9 GENERIC#671 i386

# dmesg
OpenBSD 4.9 (GENERIC) #671: Wed Mar  2 07:09:00 MST 2011
     deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
real mem  = 2137120768 (2038MB)
avail mem = 2092023808 (1995MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/09/05, BIOS32 rev. 0 @ 0xffe90, 
SMBIOS rev. 2.3 @ 0xf0450 (74 entries)
bios0: vendor Dell Inc. version "A04" date 02/09/2005
bios0: Dell Inc. OptiPlex GX280
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI1(S5) PCI2(S5) PCI3(S5) 
PCI4(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 4 (PCI1)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus 3 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI4)
acpiprt4 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C3
acpibtn0 at acpi0: VBTN
bios0: ROM list: 0xc0000/0xa800! 0xca800/0x1800!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
ppb0 at pci0 dev 1 function 0 "Intel 82915G PCIE" rev 0x04: apic 8 int 
16 (irq 11)
pci1 at ppb0 bus 1
vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc0000000, size 0x10000000
inteldrm0 at vga1: apic 8 int 16 (irq 11)
drm0 at inteldrm0
"Intel 82915G Video" rev 0x04 at pci0 dev 2 function 1 not configured
ppb1 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03: apic 8 int 
16 (irq 11)
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1 
(0x4001): apic 8 int 16 (irq 11), address 00:11:43:7c:f3:91
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03
pci3 at ppb2 bus 3
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: apic 8 int 
21 (irq 9)
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: apic 8 int 
22 (irq 5)
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: apic 8 int 
18 (irq 4)
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: apic 8 int 
23 (irq 3)
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: apic 8 int 
21 (irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci4 at ppb3 bus 4
re0 at pci4 dev 0 function 0 "D-Link DGE-528T" rev 0x10: RTL8169/8110SB 
(0x1000), apic 8 int 16 (irq 11), address f0:7d:68:b8:62:95
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: &amp;lt;SAMSUNG, CD-R/RW SW-252S, R902&amp;gt; ATAPI 
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801FB SATA" rev 0x03: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 8 int 20 (irq 10) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: &amp;lt;WDC WD5000AAKS-00UU3A0&amp;gt;
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x03: SMI
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-6400CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if      = "bge0"
int_if      = "re0"

set skip on lo

pass out quick log on $ext_if inet from 192.168.0.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.230.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.231.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.239.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.240.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.241.0/24 nat-to $ext_if
pass out quick log on $ext_if inet from 192.168.242.0/24 nat-to $ext_if

pass in quick log on $ext_if inet proto {tcp, udp} from any to $ext_if 
port ssh
pass in quick log on $ext_if inet proto icmp from any to $ext_if

pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1056 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1061 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1062 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1070 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1074 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1088 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
1112 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
5060 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
8065 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
18060 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
30000 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
30001 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
40002 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
49152:65535 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
5004:5035 rdr-to 192.168.230.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
16400:17390 rdr-to 192.168.230.102
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
17400:17500 rdr-to 192.168.230.103
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
18400:19390 rdr-to 192.168.230.104
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
20400:21390 rdr-to 192.168.231.102
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
21400:21449 rdr-to 192.168.241.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
22400:22449 rdr-to 192.168.242.101
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
24400:24449 rdr-to 192.168.240.102
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
25400:25500 rdr-to 192.168.0.8

pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 
8080 rdr-to 192.168.231.2 port 80
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 85 
rdr-to 192.168.240.101 port 1062
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 86 
rdr-to 192.168.242.101 port 1062
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 87 
rdr-to 192.168.241.101 port 1062
pass in quick log on $ext_if proto {tcp,udp} from any to $ext_if port 89 
rdr-to 192.168.231.101 port 1062

pass in log on $ext_if from any to any
pass out log on $ext_if from any to any
pass log        # to establish keep-state

# ps aux
USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
root         1  0.0  0.0   480   332 ??  Is     9:39PM    0:00.01 /sbin/init
_syslogd 16956  0.0  0.0   516   728 ??  S      9:39PM    0:01.14 
syslogd -a /var/spool/postfix/dev/log -a /var/www/dev/log -a 
/var/empty/dev/log
root     20737  0.0  0.0   472   672 ??  Is     9:39PM    0:00.00 
syslogd: [priv] (syslogd)
root       736  0.0  0.0   412   396 ??  Is     9:39PM    0:00.03 
pflogd: [priv] (pflogd)
_pflogd  10358  0.0  0.0   476   356 ??  S      9:39PM    0:00.50 
pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
_ntp     11468  0.0  0.0   544   960 ??  I      9:39PM    0:00.04 ntpd: 
ntp engine (ntpd)
root     18585  0.0  0.0   508   872 ??  Is     9:39PM    0:00.00 ntpd: 
[priv] (ntpd)
_ntp      9153  0.0  0.0   660   884 ??  I      9:39PM    0:00.02 ntpd: 
dns engine (ntpd)
root     11287  0.0  0.1   616  1244 ??  Is     9:39PM    0:00.13 
/usr/sbin/sshd
root      8482  0.0  0.0   560   728 ??  Is     9:39PM    0:00.00 inetd
_dnsmasq 29798  0.0  0.0   596   936 ??  I      9:39PM    0:00.05 
/usr/local/sbin/dnsmasq
root      1946  0.0  0.0   552   816 ??  Is     9:39PM    0:00.09 cron
root     10375  0.0  0.1   568  1528 ??  Ss     9:39PM    0:00.30 
/usr/local/libexec/postfix/master
_postfix 18950  0.0  0.1   660  1668 ??  S      9:39PM    0:00.29 qmgr 
-l -t fifo -u -c
root      2691  0.0  0.1  3440  2600 ??  Ss     7:39AM    0:00.14 sshd: 
root@ttyp0 (sshd)
root      8552  0.0  0.1  3452  2724 ??  Is     8:09AM    0:01.65 sshd: 
root@ttyp1 (sshd)
_postfix 27294  0.0  0.1   452  1536 ??  I      2:17PM    0:00.01 pickup 
-l -t fifo -u -c
root     27041  0.0  0.1  3420  2628 ??  Is     2:31PM    0:00.06 sshd: 
root@ttyp2 (sshd)
root     21966  0.0  0.0   556   476 p0  Ss     7:39AM    0:00.02 -ksh (ksh)
root      2216  0.0  0.0   288   212 p0  R+     3:14PM    0:00.00 ps -aux
root      7010  0.0  0.0   584   468 p1  Is+    8:10AM    0:00.01 -ksh (ksh)
root     31137  0.0  0.0   472   484 p2  Is+    2:31PM    0:00.01 -ksh (ksh)
root     16961  0.0  0.0   476   756 C0  Is+    9:39PM    0:00.00 
/usr/libexec/getty std.9600 ttyC0
root      7681  0.0  0.0   400   756 C1  Is+    9:39PM    0:00.00 
/usr/libexec/getty std.9600 ttyC1
root     12426  0.0  0.0   324   756 C2  Is+    9:39PM    0:00.00 
/usr/libexec/getty std.9600 ttyC2
root     32624  0.0  0.0   364   760 C3  Is+    9:39PM    0:00.00 
/usr/libexec/getty std.9600 ttyC3
root      4144  0.0  0.0   296   760 C5  Is+    9:39PM    0:00.00 
/usr/libexec/getty std.9600 ttyC5

# pkg_info
dnsmasq-2.55        caching DNS forwarder and DHCP server
gd-2.0.35p0         library for dynamic creation of images
gettext-0.18.1p0    GNU gettext
jpeg-8b             IJG's JPEG compression utilities
libdnet-1.12p1      portable low-level networking library
libiconv-1.13p2     character set conversion library
lrzsz-0.12.20p0     receive/send files via X/Y/ZMODEM protocol
lua-5.1.4p1         powerful, light-weight programming language
lzo2-2.04           portable speedy lossless data compression library
nano-2.2.6          Pico editor clone with enhancements
nmap-5.21p3         scan ports and fingerprint stack of network hosts
oidentd-2.0.7p1     ident daemon with custom responses and NAT support
pcre-8.02p1         perl-compatible regular expression library
pfstat-2.3p1        packet filter statistics visualization
png-1.2.44          library for manipulating PNG images
postfix-2.8.20110113 fast, secure sendmail replacement
trafshow-3.1        full screen visualization of network traffic

So, down to the nitty gritty.

Jun 15 09:41:21 pbxfw /bsd: pf: state key linking mismatch! dir=OUT, 
if=re0, stored af=2, a0: 130.244.190.46:5060, a1: 192.168.230.101:5060, 
proto=17, found af=2, a0: 192.168.230.101:5060, a1: 
187.170.255.239:5060, proto=17
Jun 17 12:02:55 pbxfw /bsd: pf: state key linking mismatch! dir=OUT, 
if=re0, stored af=2, a0: 130.244.190.46:5060, a1: 192.168.230.101:5060, 
proto=17, found af=2, a0: 192.168.230.101:5060, a1: 
187.170.255.239:5060, proto=17

That is the only error output I've found on the problem.

So the problem has to do with the IP 187.170.255.239,
239.255.170.187.in-addr.arpa domain name pointer 
dsl-187-170-255-239-dyn.prod-infinitum.com.mx.
Our system has no relation at all with this IP.
But somehow our NAT translation, at random intervals, decides to 
redirect traffic to that IP instead of the intended destination.
So far we have primarily noted the problem towards 130.244.190.46 and 
130.244.190.42, which are our provider's SIP gateways,
since the only thing being used on the connection is a PBX solution.

A Google search on that particular IP gives a similar dmesg error output in 
this post:
http://www.mail-archive.com/misc@openbsd.org/msg95116.html
But in his case the system hangs; our system keeps on going,
and instead interferes with the connection of phone calls.

Since the problem was discovered I've set up pf to log the first packet 
of every new state,
and that is then run through tcpdump -n -e -ttt -s 1600 -vvv -XX to an 
ASCII log using the
http://www.openbsd.org/faq/pf/logging.html syslog method.

Jun 22 15:40:06.212694 rule 26/(match) [uid 0, pid 20284] pass in on 
bge0: 130.244.190.46.5060 &amp;gt; 212.247.80.66.5060: udp 442 (DF) [tos 0xb8] 
(ttl 56, id 0, len 470)
   0000: 45b8 01d6 0000 4000 3811 da02 82f4 be2e 
E\M-8.\M-V..@.8.\M-Z..\M-t\M-&amp;gt;.
   0010: d4f7 5042 13c4 13c4 01c2 f6b9 4259 4520 
\M-T\M-wPB.\M-D.\M-D.\M-B\M-v\M-9BYE
   0020: 7369 703a 3835 3933 4032 3132 2e32 3437  sip:8593@212.247
   0030: 2e38 302e 3636 2053 4950 2f32            .80.66 SIP/2

Jun 22 15:40:06.307515 rule 60/(match) [uid 0, pid 20284] pass in on 
re0: 192.168.230.101.5060 &amp;gt; 187.170.255.239.5060: udp 550 (ttl 64, id 
33961, len 578)
   0000: 4500 0242 84a9 0000 4011 9159 c0a8 e665 
E..B.\M-)..@..Y\M-@\M-(\M-fe
   0010: bbaa ffef 13c4 13c4 022e 9dc3 5349 502f 
\M-;\M-*\M^?\M-o.\M-D.\M-D...\M-CSIP/
   0020: 322e 3020 3230 3020 4f4b 0d0a 5669 613a  2.0 200 OK..Via:
   0030: 2053 4950 2f32 2e30 2f55 4450             SIP/2.0/UDP

Jun 22 15:40:06.307526 rule 0/(match) [uid 0, pid 20284] pass out on 
bge0: 192.168.230.101.5060 &amp;gt; 187.170.255.239.5060: udp 550 (ttl 63, id 
33961, len 578, bad cksum 9159! differs by 100)
   0000: 4500 0242 84a9 0000 3f11 9159 c0a8 e665 
E..B.\M-)..?..Y\M-@\M-(\M-fe
   0010: bbaa ffef 13c4 13c4 022e 9dc3 5349 502f 
\M-;\M-*\M^?\M-o.\M-D.\M-D...\M-CSIP/
   0020: 322e 3020 3230 3020 4f4b 0d0a 5669 613a  2.0 200 OK..Via:
   0030: 2053 4950 2f32 2e30 2f55 4450             SIP/2.0/UDP

And on a side note, if anyone has a suggestion how to actually get the 
complete packet logged, and not just the first snap, it would be nice;
OpenBSD tcpdump seems not to support -s 0 as snaplen to get the whole 
thing.

Anyway, that log snippet is 130.244.190.46 asking us to set up a SIP 
connection with them on 5060,
but our response to that IP goes to 187.170.255.239, and the connection 
fails.

Another side note would be about the rampant amount of bad cksums on UDP 
traffic, if anyone would care to chime in about that,
since about 98% of all UDP packets get a bad cksum.

But my main problem and concern is this 187.170.255.239, and why they 
should get my phone calls.

Regards

Magnus

&lt;/pre&gt;</description>
    <dc:creator>Magnus Rixtorp</dc:creator>
    <dc:date>2011-06-23T04:32:43</dc:date>
  </item>
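A worked check of the "bad cksum 9159! differs by 100" line in the last capture above, added by the editor and not part of Magnus's post; its only inputs are the header bytes printed in the second and third hex dumps. The IPv4 header checksum is the one's complement of the one's-complement sum (16-bit words, end-around carry) of the header, with the checksum field itself counted as zero. For the packet as it arrived on re0 (TTL/protocol word 4011):

\[
\mathtt{4500} + \mathtt{0242} + \mathtt{84a9} + \mathtt{0000} + \mathtt{4011} + \mathtt{c0a8} + \mathtt{e665} + \mathtt{bbaa} + \mathtt{ffef} = \mathtt{46ea2}
\]
\[
\mathtt{6ea2} + \mathtt{4} = \mathtt{6ea6}, \qquad \mathtt{ffff} - \mathtt{6ea6} = \mathtt{9159}
\]

so 9159 is the correct checksum of the inbound header. Forwarding decremented the TTL, turning 4011 into 3f11 and lowering the sum by exactly 100 (hex):

\[
\mathtt{46da2} \rightarrow \mathtt{6da2} + \mathtt{4} = \mathtt{6da6}, \qquad \mathtt{ffff} - \mathtt{6da6} = \mathtt{9259}
\]

The frame logged on bge0 still carries 9159, and 9259 - 9159 = 100 is the "differs by 100" that tcpdump prints (the figure is hexadecimal, as the arithmetic shows). The checksum had therefore not been recomputed at the point where bpf copied the frame. On a forwarding host that is the usual signature of transmit checksum offload: the interface fills in the IP (and UDP/TCP) checksums after the tap, and the packet on the wire is fine. The same mechanism is the usual cause of the "98% bad UDP cksum" observation later in the post; a capture taken on the receiving side of the link settles it. None of this explains the 187.170.255.239 destination, which is a separate question.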
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8005">
    <title>PFtabler application</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8005</link>
    <description>&lt;pre&gt;Hi All,
My colleagues and I have made a simple web interface wrapper to pfctl
for manipulation of pf tables. The application is written in Python
using web2py framework. If somebody is interested, here is the link:
http://goodspring-tech.com/index.php?option=com_content&amp;amp;view=article&amp;amp;id=99%3Agoodspring-pftabler&amp;amp;catid=59%3Aweb2py-applications&amp;amp;Itemid=169&amp;amp;lang=bg
The Readme: http://goodspring-tech.com/images/stories/pftabler/pftabler_v0_7_readme.pdf
Cheers,
TTT

&lt;/pre&gt;</description>
    <dc:creator>Todor Todorov</dc:creator>
    <dc:date>2011-06-22T10:04:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8004">
    <title>Firewall Builder's pf.conf import tool</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8004</link>
    <description>&lt;pre&gt;Hi folks,

I just came across this blog post from a few weeks ago:
http://it.toolbox.com/blogs/bsd-guru/submit-your-real-world-pfconf-45829. So
I wrote the config address to ask if they're still working on this, and Mike
Horn wrote me back right away to let me know that they're still collecting
them. As Dru's blog post suggests, feel free to sanitize your public IPs
and/or PGP encrypt your email.

-Gary
&lt;/pre&gt;</description>
    <dc:creator>Gary</dc:creator>
    <dc:date>2011-06-14T00:41:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8003">
    <title>Log overload rule</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8003</link>
    <description>&lt;pre&gt;Hi,

pass in quick log proto tcp to (self) port 21 $SA_FLAGS (max-src-conn
75, max-src-conn-rate 75/5, overload &amp;lt;ftpconn_bruteforce&amp;gt; flush global)

Is it possible to find out/log which limit overloaded the rule? I want
to adjust the correct limits and knowing which limit was hit would be
very helpful.

Thanks, Helmut


&lt;/pre&gt;</description>
    <dc:creator>Helmut Schneider</dc:creator>
    <dc:date>2011-06-13T18:16:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7999">
    <title>nat-to and route-to specified in a single rule</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7999</link>
    <description>&lt;pre&gt;Hello,

In a multi-homed setup I am trying to route out packets over the
secondary interface on which also NAT is done. 
The environment consists of a OpenBSD 4.9 Firewall with 3 em interfaces,
connected to 2 DSL providers

em0: internal interface
em1: first DSL 
em2: second DSL

I did some testing with the following ruleset, where I have
specified a nat-to and route-to statement in a single rule
########### rules ###########
pass in  log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2
80.100.x.x)
pass out log on em2

########### states ###########
all icmp 74.125.77.104:8 &amp;lt;- 80.100.x.x:54000 (192.168.1.118:9035)
0:0
all icmp 80.100.x.x:54000 -&amp;gt; 74.125.77.104:8       0:0

This setup somewhat works. When pinging an upstream host, the packets
get sent out over the secondary interface, but the first packet is
always dropped! 
According to the pf.conf man page this rule specification is possible.
My question is: is this kind of rule specification allowed and intended to
be working in PF?
 
When splitting the nat-to / route-to statement in the ruleset everything
works fine.
########### rules ###########
pass in  log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)
pass out log on em2 from 192.168.1.118 nat-to (em2:0)

########### states ###########
all icmp 74.125.77.104:8 &amp;lt;- 192.168.1.118:8779       0:0
all icmp 80.100.x.x:9676 (192.168.1.118:8779) -&amp;gt; 74.125.77.104:8
0:0

Regards Rob 

&lt;/pre&gt;</description>
    <dc:creator>Rob Sessink</dc:creator>
    <dc:date>2011-06-06T08:05:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7997">
    <title>Enforcing asymmetric TCP MSS?</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7997</link>
    <description>&lt;pre&gt;Hi,

I'm trying to use scrub max-mss rules to create asymmetric MSS's.

Is this supported?  So far, I haven't got it to work (hence my post here).
The machine is running OpenBSD 4.9 with 2 network cards.

I have been trying things like:
match out on $ext proto tcp scrub(max-mss 1000) flags S/SA
match in on $ext proto tcp scrub(max-mss 500) flags SA/SA

Scrubbing on the other interface doesn't seem to work either.
match out on $int proto tcp scrub(max-mss 500) flags SA/SA

client &amp;lt;--&amp;gt; pf gateway &amp;lt;--&amp;gt; internet

With a sniffer on the client link and the internet link,
-client sends large MSS on initial syn (&amp;gt; 1000)
-pf scrubs MSS to 1000 on initial syn

-pf receives large MSS on syn+ack (&amp;gt; 1000)
-pf scrubs MSS to 1000 in syn+ack reply to client

Thanks!

&lt;/pre&gt;</description>
    <dc:creator>Eric Lee</dc:creator>
    <dc:date>2011-05-10T07:34:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7995">
    <title>Fwd: Re: double NOT in rules is not working as expected</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7995</link>
    <description>&lt;pre&gt;

-------- Original Message --------
Subject: Re: double NOT in rules is not working as expected
Date: Fri, 08 Apr 2011 17:00:52 +0300
From: Bojidara Marinchovska &amp;lt;quintessence&amp;lt; at &amp;gt;bobi.gateit.net&amp;gt;
To: Stuart Henderson &amp;lt;stu&amp;lt; at &amp;gt;spacehopper.org&amp;gt;



On 04/08/11 16:11, Stuart Henderson wrote:
Hello,

Thank you, yes, my mistake about block; I spent the whole day looking at the 2 rules
...
As Claudio already wrote
"

The {foo, bar} notation results in a OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.

"


As I can define with 1 rule for example
from {&amp;lt;tableA&amp;gt;,&amp;lt;tableB&amp;gt;  }
I want to be able to use also
from ! {&amp;lt;tableA&amp;gt;,&amp;lt;tableB&amp;gt;}

Yes, it is clear ...


Yes, I wrote about negation in tables; there are enough examples of its
usage in the Book of PF, but it is not what I need (following KISS)

Anyway thank you all
I am trying to accomplish something which would properly be done not with a
firewall but with other software, and I am trying to use rules that are as
simple as possible

I have 2 types of lists with IPs which I put in tables (because these
IPs change often and I don't want to reload the rules; it is easy to add
just the new IP address)

table &amp;lt;lista&amp;gt; persist file "/somefile"
table &amp;lt;listb&amp;gt; persist file "/someotherfile"

IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C,
D.D.D.D and E.E.E.E for example ( protocol, port )
IPs from list B have to be able to access for example only D.D.D.D and
E.E.E.E

# block access to A.A.A.A - C.C.C.C for all except listA
block in quick on $if inet proto protocol from !&amp;lt;lista&amp;gt;  to A.A.A.A...
port ...

# here I wanted to be able to use something like the following, to allow
# listA and listB to access D.D.D.D and E.E.E.E
block in quick on $if inet proto protocol from ! {&amp;lt;lista&amp;gt;,&amp;lt;listb&amp;gt;  } to
D.D.D.D,... port ...
instead of using:
pass in quick on $if inet proto protocol from {&amp;lt;lista&amp;gt;,&amp;lt;listb&amp;gt;  } to
D.D.D.D ... port ...
block in quick on $if inet proto protocol from any to D.D.D.D ... port ...

&lt;/pre&gt;</description>
    <dc:creator>Bojidara Marinchovska</dc:creator>
    <dc:date>2011-04-08T15:39:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7988">
    <title>double NOT in rules is not working as expected</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7988</link>
    <description>&lt;pre&gt;Hello,

netif="netif"
test1="1.2.3.4"
test2="2.3.4.5"

block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks 
access from the IPs in the test1 and test2 macros, BUT it should block all 
others EXCEPT these ones

--
block in quick on $netif from {$test1, $test2} to x.x.x.x - this rule 
works as expected
--
block in quick on $netif from {!$test1, $test2} to x.x.x.x - this rule 
works as expected
--
block in quick on $netif from {$test1, !$test2} to x.x.x.x - this rule 
works as expected

I know example rule :

block in quick on $netif from {!$test1, !$test2} to x.x.x.x

can be replaced with:

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

In the example I used macros; I also tried with tables or inserting 
IP addresses directly instead of using macros or tables, but it does not work as 
expected

So it is possible to use {$test, $test1}, but isn't a "double negation" like the 
following possible: {!$test1, !$test2} ?

&lt;/pre&gt;</description>
    <dc:creator>Bojidara Marinchovska</dc:creator>
    <dc:date>2011-04-08T10:19:59</dc:date>
  </item>
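The following ruleset is an added example for the question above and for the forwarded reply earlier on this page; it is the editor's, not code from either message. It keeps the poster's interface macro and table file names, and shows why a negated list cannot express "not in either list" while a single negated table can. The documentation addresses 192.0.2.x stand in for the placeholders A.A.A.A to E.E.E.E, and tcp port 443 stands in for the unnamed "protocol, port"; all of those are assumptions.

```pf
ext_if = "netif"                        # interface macro from the post

# Two frequently changing lists, kept in files and replaced without a ruleset reload:
#   pfctl -t lista -T replace -f /somefile
table &lt;lista&gt;  persist file "/somefile"
table &lt;listb&gt;  persist file "/someotherfile"
# A third table loaded from both files is the union that { &lt;lista&gt;, &lt;listb&gt; } was meant to be.
table &lt;listab&gt; persist file "/somefile" file "/someotherfile"

# Documentation addresses standing in for A.A.A.A .. E.E.E.E; tcp/443 is an assumed service.
restricted = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"
shared     = "{ 192.0.2.20, 192.0.2.21 }"

# Why from { !$test1, !$test2 } blocks everything: pfctl -nvf expands a list into one
# rule per element, and a source is blocked as soon as it matches either of them:
#   block in quick on netif from ! 1.2.3.4 to x.x.x.x    matches 2.3.4.5 and everyone else
#   block in quick on netif from ! 2.3.4.5 to x.x.x.x    matches 1.2.3.4 and everyone else
# A negated table is evaluated once, so !&lt;listab&gt; really means "in neither list".
block in quick on $ext_if inet proto tcp from !&lt;lista&gt;  to $restricted port 443
block in quick on $ext_if inet proto tcp from !&lt;listab&gt; to $shared     port 443
pass  in quick on $ext_if inet proto tcp from any to $restricted port 443
pass  in quick on $ext_if inet proto tcp from any to $shared     port 443
```

Running pfctl -nvf on a file containing the original { !$test1, !$test2 } rule prints the two expanded rules and makes the OR semantics visible without loading anything. Keeping the block rules quick and ahead of the pass rules preserves the "deny unless listed" intent even if later rules are added.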
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7987">
    <title>Applying QoS on trafic</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7987</link>
    <description>&lt;pre&gt;
Hello,

So here is the issue:

I want to detect the size of a session (a session is defined by: @source,
@dest, source port, dest port, UDP/TCP). So when a session exceeds a
threshold, I want to put that session in a less prioritized queue.

To create queues is simple: I can use altq and queue commands. But the
issue is how to detect the size in real time! I thought about using
"systat states", which shows the needed information, but the problem is how to
match a session that has exceeded a threshold into another queue?

Does anyone have an idea? Thanks for your help!
&lt;/pre&gt;</description>
    <dc:creator>ali_BSD</dc:creator>
    <dc:date>2011-04-05T11:56:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7976">
    <title>Suggestion for a new feature, port code</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7976</link>
    <description>&lt;pre&gt;A ridiculously simple idea.
Protect your port, say ssh, by adding a code to access it.
Ok, that's nothing new, but maybe how it's done.

For a client to connect to a service, it needs to unlock the port with a code.
The code is made of predefined blocked ports that make pf trigger.
If the first code port is triggered, the IP address enters a state with a timestamp.
If the next port that the address triggers matches the next code port
within a timeframe, let it enter a new state, else lose the state.
When all code ports have been triggered in the right order, allow the
address to pass.

Sure it's not safe from MITM, but it protects from scans, and allows
you to connect from dynamic IP addresses.
There are 65536 ports, that gives you 65536^n possible combinations
where n is the number of ports in your code.
So you probably won't need more than 2-3 ports in your code.

Say what you think! And if you like my brain fart, would you want to
implement it?

Kind regards, Johan Söderberg

&lt;/pre&gt;</description>
    <dc:creator>Johan Söderberg</dc:creator>
    <dc:date>2011-02-28T15:17:25</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.os.openbsd.pf">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.os.openbsd.pf</link>
  </textinput>
</rdf:RDF>

