<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.os.openbsd.pf">
    <title>gmane.os.openbsd.pf</title>
    <link>http://blog.gmane.org/gmane.os.openbsd.pf</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8031"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8025"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8024"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8022"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8020"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8017"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8016"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8014"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8012"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8010"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8007"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8006"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8005"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8004"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/8003"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7999"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7997"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7995"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7988"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.pf/7987"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8031">
    <title>Simultaneous CARP failover for multiple interfaces</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8031</link>
    <description>&lt;pre&gt;I have a pair of OpenBSD firewall/routers in a reasonably vanilla
pf + pfsync + CARP configuration, each straddling two routed networks.
The CARP interface on the internal network is the default gateway for
that subnet. The CARP interface on the external network is the default
destination for traffic aimed at the internal network.

It all works splendidly, with one exception.

In order for our firewall to operate effectively, we use 'keep state'
pf rules. We empirically determined that we must have CARP preemption
enabled, otherwise pf cannot properly establish state for new TCP
connections. If pfsync could be told to synchronize incomplete states,
this issue might go away.

Example: firewall1 is the master on the carp1 interface, and firewall2
is the master on the carp2 interface. Inbound traffic to an internal
host arrives via the carp1 interface, and return traffic arrives via
the carp2 interface. pf will not establish state for this new connection
since the inbound and return traffic are not handled by t&lt;/pre&gt;</description>
    <dc:creator>Kyle Lanclos</dc:creator>
    <dc:date>2012-04-23T18:49:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8025">
    <title>inbound queueing on external interface due to multiple internal interfaces</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8025</link>
    <description>&lt;pre&gt;Hello,
I know this has been discussed before, but I am not a developer (I
wish I did have the skills, as I would code this myself otherwise).
I have huge respect for all that the OpenBSD community does and this
is not a whinge or a moan; please hear our woes.


Yes, of course downstream queuing is only of benefit for TCP, to get
the sender to slow down etc., but that is exactly what we need.
IF we don't queue downstream traffic, our downstream link gets
saturated and our ISP starts to drop random packets. If we do the
downstream queuing here, we pre-emptively drop low-priority packets
before saturation, thus slowing the sender down before saturating the
WAN's downstream and leaving headroom for VoIP etc.


We have a firewall with 4 internal interfaces for various different
subnets and 1 external WAN interface like many users have. Queuing
upload traffic is easy on the WAN interface, but downstream traffic
needs to be queued on each of the internal interfaces.
Initially this would seem fine, until you realise th&lt;/pre&gt;</description>
    <dc:creator>Andy Lemin</dc:creator>
    <dc:date>2012-04-11T13:02:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8024">
    <title>CARP ip balancing on ExtremeWare</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8024</link>
    <description>&lt;pre&gt;I'm having a hell of a time using Extreme Networks Summit 400-24t
switches with IP balancing of any type.

I've tried OpenBSD 5.0 and a -current snapshot from Feb 02.  I've
tried all the modes, but none of them work.  There's not a good way
I'm aware of to do port mirroring for ip-unicast, but I don't
understand why ip-stealth isn't working.  I manually clear the
forwarding database after activating ip-stealth.

I'm just about to relegate these to dumb switch duty and try and find
some other vendor that just works.  Any chance someone else has
cracked the code on these with pf in the past?

Regards,
Kevin

&lt;/pre&gt;</description>
    <dc:creator>Kevin Bowling</dc:creator>
    <dc:date>2012-02-07T10:03:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8022">
    <title>handling local traffic</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8022</link>
    <description>&lt;pre&gt;OpenBSD 4.9 GENERIC.MP#819 amd64

I'm not quite sure when things changed, but I can no longer apply rules 
to locally originating traffic:
     match in log on lo

now only logs local-&amp;gt;local traffic and
     match out log received-on lo

logs nothing. The best I can do, it seems, is to
     match in tag "EXTERNAL"
     match out log tagged ""

More worrying for me, however, is the inability to control traffic being 
received by the host. I want to be able to

     pass on $dmz to port {http, https, ssh}
     block out on lo
     pass out on lo from &amp;lt;trusted&amp;gt; to port ssh

I feel I must be missing something, I'm just not sure what.



&lt;/pre&gt;</description>
    <dc:creator>Justin Murdock</dc:creator>
    <dc:date>2012-01-30T12:31:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8020">
    <title>Matter with transparent proxy</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8020</link>
    <description>&lt;pre&gt;
Hello,

I am now trying to create a transparent proxy using squid and OpenBSD 5.0
Packet Filter, all through a bridge.

Squid runs; I tested the bridge and the machines located on the other side
can access the outside.

The problem is that when I try to redirect traffic using packet filter to
127.0.0.1 on the port squid listens on (port 3128), nothing happens: the machine
on the other side can access the Internet and suffers none of the restrictions
previously configured in squid.

If anyone has an idea of the problem please.

thank you
&lt;/pre&gt;</description>
    <dc:creator>pizzahut</dc:creator>
    <dc:date>2012-01-12T14:15:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8017">
    <title>I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8017</link>
    <description>&lt;pre&gt;Hi
In the workplace, we have over 24 computers and all of them are Windows,
and I have a NAT server. This NAT server uses FreeBSD 8.2 AMD64, and I use
PF for NAT with FreeBSD 8.2. After much searching on Google, I found this
pf.conf

====================================================
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 
mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS 
############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80&lt;/pre&gt;</description>
    <dc:creator>Gholam Mostafa Faridi</dc:creator>
    <dc:date>2011-11-02T17:30:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8016">
    <title>problems with PF and DMZ nat</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8016</link>
    <description>&lt;pre&gt;Hello all, I am replacing a Cisco ASA with an OpenBSD PF NAT box for a
couple of reasons: I'm tired of paying Cisco money just to receive
updates, tired of the license limits and the device is about six years
old.

So I have an Atom server with three interfaces, one each for public/dmz/
internal.

The current config with the ASA is the following:

external (now fxp1) ---&amp;gt;Firewall ---&amp;gt; DMZ (192.168.100.0/24) (now
fxp0) ---&amp;gt;Internal (192.168.200.0/24) (now re0).

I don't really want to re-IP the nodes in the DMZ so if possible I'd
like to keep everything the same. I've purchased the book of PF
version 2 but still need some assistance. Here is my pf.conf:


#MACROS
_int="re0"
lan="re0:network"

_dmz="fxp0"
dmz="192.168.100.0/24"

mailserver="192.168.100.2"
ftpwebserver="192.168.100.1"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

#TABLES

#OPTIONS
set skip on lo
set block-policy drop

#NORMALIZE  TRAFFIC
match in all scrub ( no-df max-mss 1440 )

#NAT
match out on egress from $lan to any nat-to egress
match out on egress &lt;/pre&gt;</description>
    <dc:creator>Bentley78</dc:creator>
    <dc:date>2011-11-01T17:10:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8014">
    <title>anonymous VPN service and openbsd..</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8014</link>
    <description>&lt;pre&gt;Hi, has anybody tried to setup a openvpn/pptp connection on there
OpenBSD firewall to a anonymous VPN service and redirecting only
torrent traffic trough the tunnel ?



&lt;/pre&gt;</description>
    <dc:creator>Daniel Rapp</dc:creator>
    <dc:date>2011-08-23T11:00:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8012">
    <title>PF load balancing</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8012</link>
    <description>&lt;pre&gt;Hallo, I have two internet connections and I want to use both with a
round-robin load balancing, only for outgoing connections. I found
on the web various solutions, but I did not manage to modify them
for my scenario. One internet
connections is a normal adsl, there is a modem that I connect to the
OpenBSD router, the interface receives the dynamic IP using dhcp. The
other connection has a static IP address and gateway. Now I'm reading
the PF documentation, but while I study I need a "fast and dirty"
solution that "just works". Can someone help me?

Thanks, Elerdin.

&lt;/pre&gt;</description>
    <dc:creator>elerdin</dc:creator>
    <dc:date>2011-08-23T10:00:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8010">
    <title>pf reply-to problem</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8010</link>
    <description>&lt;pre&gt;Hi,
I am currently running OpenBSD 4.9 as a router/firewall for my work and so
far I have a nearly fully working config, but there is something I cannot
manage to do :(

Here is my configuration:
The server has 1 physical interface; I added a gif interface to connect it
to a remote machine which is used to route most of the traffic. On this gif
interface I have incoming requests that I want to pass through squid.

Here is my pf.conf file (prettier version here:
https://gist.github.com/1131783 ):

    phys_if = "re0"

    c1_tunnel = "gif1001"
    c1_tunnel_dst = "95.140.15.38"
    c1_tunnel_src = "87.98.149.50"
    c1_escape = "87.98.154.179"

    set skip on lo0
    set block-policy drop

    # block any packet with no match
    block log all

    # allow our own services to work
    pass in on $phys_if proto tcp from any to $phys_if port { ssh } synproxy state
    pass in on $phys_if inet proto icmp from any to $phys_if
    pass out on $phys_if label "system"

    # allow ipip traffic (gif interface)
    pass in &lt;/pre&gt;</description>
    <dc:creator>Schmurfy</dc:creator>
    <dc:date>2011-08-08T14:11:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8007">
    <title>NAT out to two DSL modems</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8007</link>
    <description>&lt;pre&gt;Hi,
I'm trying to NAT out to two DSL modems.
I have three network cards on three subnets:
re0: 192.168.4.0/24         Internal
re1: 41.134.100.222/29    DSL_A
re2: 10.10.10.5/24           DSL_B

I can NAT out to either re1 or re2, but I have to make my default
gateway point to the relevant gateway on that network.
How can I tell the route tables or the nat-to command what the gateway
machine is?

So I can do this, but ***only if my default gateway is
41.134.100.217*** (which is the gateway for that net):
pass out on re1 proto tcp from 192.168.4.0/24 to any nat-to re1

Likewise, I can do this, but once again, ***only if my default gateway
is 10.10.10.1*** (which is the gateway for that net):
pass out on re2 proto tcp from 192.168.4.0/24 to any nat-to re2

I believe I should be able to make this work without ANY default
gateway. But then where do I tell the system
what these two gateway machines are?

Thanks,
Ben

&lt;/pre&gt;</description>
    <dc:creator>Ben Harper</dc:creator>
    <dc:date>2011-07-19T13:49:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8006">
    <title>Incorrect NAT translation?</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8006</link>
    <description>&lt;pre&gt;Lets get some standard stuff out of the way first.

# uname -a
OpenBSD pbxfw 4.9 GENERIC#671 i386

# dmesg
OpenBSD 4.9 (GENERIC) #671: Wed Mar  2 07:09:00 MST 2011
     deraadt&amp;lt; at &amp;gt;i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
real mem  = 2137120768 (2038MB)
avail mem = 2092023808 (1995MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/09/05, BIOS32 rev. 0 &amp;lt; at &amp;gt; 0xffe90, 
SMBIOS rev. 2.3 &amp;lt; at &amp;gt; 0xf0450 (74 entries)
bios0: vendor Dell Inc. version "A04" date 02/09/2005
bios0: Dell Inc. OptiPlex GX280
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI1(S5) PCI2(S5) PCI3(S5) 
PCI4(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpima&lt;/pre&gt;</description>
    <dc:creator>Magnus Rixtorp</dc:creator>
    <dc:date>2011-06-23T04:32:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8005">
    <title>PFtabler application</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8005</link>
    <description>&lt;pre&gt;Hi All,
My colleagues and I have made a simple web interface wrapper to pfctl
for manipulation of pf tables. The application is written in Python
using the web2py framework. If somebody is interested, here is the link:
http://goodspring-tech.com/index.php?option=com_content&amp;amp;view=article&amp;amp;id=99%3Agoodspring-pftabler&amp;amp;catid=59%3Aweb2py-applications&amp;amp;Itemid=169&amp;amp;lang=bg
The Readme: http://goodspring-tech.com/images/stories/pftabler/pftabler_v0_7_readme.pdf
Cheers,
TTT

&lt;/pre&gt;</description>
    <dc:creator>Todor Todorov</dc:creator>
    <dc:date>2011-06-22T10:04:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8004">
    <title>Firewall Builder's pf.conf import tool</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8004</link>
    <description>&lt;pre&gt;Hi folks,

I just came across this blog post from a few weeks ago:
http://it.toolbox.com/blogs/bsd-guru/submit-your-real-world-pfconf-45829. So
I wrote to the config address to ask if they're still working on this, and Mike
Horn wrote me back right away to let me know that they're still collecting
them. As Dru's blog post suggests, feel free to sanitize your public IPs
and/or PGP encrypt your email.

-Gary
&lt;/pre&gt;</description>
    <dc:creator>Gary</dc:creator>
    <dc:date>2011-06-14T00:41:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/8003">
    <title>Log overload rule</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/8003</link>
    <description>&lt;pre&gt;Hi,

pass in quick log proto tcp to (self) port 21 $SA_FLAGS (max-src-conn
75, max-src-conn-rate 75/5, overload &amp;lt;ftpconn_bruteforce&amp;gt; flush global)

Is it possible to find out/log which limit overloaded the rule? I want
to adjust the correct limits and knowing which limit was hit would be
very helpful.

Thanks, Helmut


&lt;/pre&gt;</description>
    <dc:creator>Helmut Schneider</dc:creator>
    <dc:date>2011-06-13T18:16:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7999">
    <title>nat-to and route-to specified in a single rule</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7999</link>
    <description>&lt;pre&gt;Hello,

In a multi-homed setup I am trying to route out packets over the
secondary interface, on which NAT is also done.
The environment consists of an OpenBSD 4.9 firewall with 3 em interfaces,
connected to 2 DSL providers:

em0: internal interface
em1: first DSL 
em2: second DSL

I did some testing with the following ruleset, where I have
specified a nat-to and route-to statement in a single rule:
########### rules ###########
pass in  log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)
pass out log on em2

########### states ###########
all icmp 74.125.77.104:8 &amp;lt;- 80.100.x.x:54000 (192.168.1.118:9035)       0:0
all icmp 80.100.x.x:54000 -&amp;gt; 74.125.77.104:8       0:0

This setup somewhat works. When pinging an upstream host, the packets
get sent out over the secondary interface, but the first packet is
always dropped!
According to the pf.conf man page this rule specification is possible.
My question is: is this kind of rule specification allowed and intended to
be working in PF?
 
When splitt&lt;/pre&gt;</description>
    <dc:creator>Rob Sessink</dc:creator>
    <dc:date>2011-06-06T08:05:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7997">
    <title>Enforcing asymmetric TCP MSS?</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7997</link>
    <description>&lt;pre&gt;Hi,

I'm trying to use scrub max-mss rules to create asymmetric MSS's.

Is this supported?  So far, I haven't got it to work (hence my post here).
The machine is running OpenBSD 4.9 with 2 network cards.

I have been trying things like:
match out on $ext proto tcp scrub(max-mss 1000) flags S/SA
match in on $ext proto tcp scrub(max-mss 500) flags SA/SA

Scrubbing on the other interface doesn't seem to work either.
match out on $int proto tcp scrub(max-mss 500) flags SA/SA

client &amp;lt;--&amp;gt; pf gateway &amp;lt;--&amp;gt; internet

With a sniffer on the client link and the internet link,
-client sends large MSS on initial syn (&amp;gt; 1000)
-pf scrubs MSS to 1000 on initial syn

-pf receives large MSS on syn+ack (&amp;gt; 1000)
-pf scrubs MSS to 1000 in syn+ack reply to client

Thanks!

&lt;/pre&gt;</description>
    <dc:creator>Eric Lee</dc:creator>
    <dc:date>2011-05-10T07:34:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7995">
    <title>Fwd: Re: double NOT in rules is not working as expected</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7995</link>
    <description>&lt;pre&gt;

-------- Original Message --------
Subject: Re: double NOT in rules is not working as expected
Date: Fri, 08 Apr 2011 17:00:52 +0300
From: Bojidara Marinchovska &amp;lt;quintessence&amp;lt; at &amp;gt;bobi.gateit.net&amp;gt;
To: Stuart Henderson &amp;lt;stu&amp;lt; at &amp;gt;spacehopper.org&amp;gt;



On 04/08/11 16:11, Stuart Henderson wrote:
Hello,

Thank you, yes, my mistake about block; whole day looking at the 2 rules
...
As Claudio already wrote:
"

The {foo, bar} notation results in an OR operation, so
foo || bar. Now !foo || !bar with foo != bar is always true.

"


As I can define with 1 rule for example
from {&amp;lt;tableA&amp;gt;,&amp;lt;tableB&amp;gt;  }
I want to be able to use also
from ! {&amp;lt;tableA&amp;gt;,&amp;lt;tableB&amp;gt;}

Yes, it is clear ...


Yes, I wrote about negation in tables; there are enough examples of its
usage in the Book of PF, but it is not what I need (following KISS).

Anyway, thank you all.
I am trying to accomplish something which would be correct to do not with a
firewall but with other software, and I am trying to use rules that are as
simple as possible.

I have 2 types of lists with IPs which I put in &lt;/pre&gt;</description>
    <dc:creator>Bojidara Marinchovska</dc:creator>
    <dc:date>2011-04-08T15:39:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7988">
    <title>double NOT in rules is not working as expected</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7988</link>
    <description>&lt;pre&gt;Hello,

netif="netif"
test1="1.2.3.4"
test2="2.3.4.5"

block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks the 
access from the IPs in the test1 and test2 macros, BUT it should block all 
others EXCEPT these ones

--
block in quick on $netif from {$test1, $test2} to x.x.x.x - this rule 
works as expected
--
block in quick on $netif from {!$test1, $test2} to x.x.x.x - this rule 
works as expected
--
block in quick on $netif from {$test1, !$test2} to x.x.x.x - this rule 
works as expected

I know example rule :

block in quick on $netif from {!$test1, !$test2} to x.x.x.x

can be replaced with:

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

In the example I used macros; I also tried with tables or directly inserting 
IP addresses instead of using macros or tables, but it does not work as 
expected.

So it is possible to use {$test, $test1}, but isn't "double negation" possible, as 
follows: {!$test1, !$test2}?







&lt;/pre&gt;</description>
    <dc:creator>Bojidara Marinchovska</dc:creator>
    <dc:date>2011-04-08T10:19:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7987">
    <title>Applying QoS on traffic</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7987</link>
    <description>&lt;pre&gt;
Hello,

So here is the issue:

I want to detect the size of a session (a session is defined with: &amp;lt; at &amp;gt;source,
&amp;lt; at &amp;gt;dest, source port, dest port, UDP/TCP). So when a session exceeds a
threshold, I want to put that session in a less prioritized queue.

Creating queues is simple: I can use altq and queue commands. But the
issue is how to detect the size in real time! I thought about using
"systat states", which shows the needed information, but the problem is how to
match a session that exceeded a threshold to another queue?

Anyone have an idea ? Thanks for your help !!!
&lt;/pre&gt;</description>
    <dc:creator>ali_BSD</dc:creator>
    <dc:date>2011-04-05T11:56:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.pf/7976">
    <title>Suggestion for a new feature, port code</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.pf/7976</link>
    <description>&lt;pre&gt;A ridiculously simple idea.
Protect your port, say ssh, by adding a code to access it.
Ok, that's nothing new, but maybe how it's done.

For a client to connect to a service, it needs to unlock the port with a code.
The code is made of predefined blocked ports that make pf trigger.
If the first code port is triggered, the IP address enters a state with a timestamp.
If the next port that the address triggers matches the next code port
within a timeframe, let it enter a new state, else lose the state.
When all code ports have been triggered in the right order, allow the
address to pass.

Sure, it's not safe from MITM, but it protects from scans, and allows
you to connect from dynamic IP addresses.
There are 65536 ports, which gives you 65536^n possible combinations,
where n is the number of ports in your code.
So you probably won't need more than 2-3 ports in your code.

Say what you think! And if you like my brain fart, would you want to
implement it?

Kind regards, Johan Söderberg

&lt;/pre&gt;</description>
    <dc:creator>Johan Söderberg</dc:creator>
    <dc:date>2011-02-28T15:17:25</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.os.openbsd.pf">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.os.openbsd.pf</link>
  </textinput>
</rdf:RDF>

