Extremely weird PF behaviour

2006-06-12 Thread Alex Stamatis
Hallo Misc.
I have a very, very weird problem!!!

I will try to explain to you the best way I can.

I have a small network. The OpenBSD box (3.7 GENERIC) is my firewall.
On 2 of my Windows workstations I want to have Remote Desktop. So I made a
pass in rule for the ports 65500 and 65501 and an rdr of these 2 ports:
65500 to one IP at internal port 3389 and 65501 to another IP at 3389.
It won't work from the outside world.
*Note that the Windows machines don't have a firewall and internally I can
log in remotely.

THIS IS THE WEIRD PART !

If I make the 65500 port 3389 and leave the rules for 65501 INTACT it
works immediately!!!
I also tried 5 and 50001 and many other combinations as well and I had
the same problem again and again!
Only if I set a pass in and rdr on 3389 on one PC do I not experience a
problem!!!

*No services on my server occupy the ports 65500 or 65501 or the others
I tried.
A very experienced OpenBSD person that I know tried to help me but he
didn't understand why either!
Do you have any idea why this is happening? Is this a bug?

Of course every time I made changes to pf I was doing

pfctl -F all
pfctl -f /etc/pf.conf

just to be sure, and I even tried a reboot of the server to be sure it's not
something with a stuck state or something like that! Nothing worked!

Please help me !

Reports from the system follow below.



# pfctl -sn
nat on tun0 inet from 192.168.0.1 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.2 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.3 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.4 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.69 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.227 to any -> (tun0) round-robin
rdr on tun0 inet proto tcp from any to (tun0) port = 3389 -> 192.168.0.1 port 3389
rdr on tun0 inet proto tcp from any to (tun0) port = 65501 -> 192.168.0.2 port 3389
# pfctl -sr
scrub in all fragment reassemble
block drop all
block drop in quick on ! tun0 inet from 213.5.99.213 to any
block drop in quick inet from 213.5.99.213 to any
pass in on tun0 inet proto tcp from any to (tun0) port = 15352 keep state
pass in on tun0 proto tcp from any to any port = 3389
pass in on tun0 proto tcp from any to any port = 65501
pass out on tun0 proto tcp all keep state
pass out on tun0 proto udp all keep state
pass out on tun0 proto icmp all keep state
pass in on rl0 inet from 192.168.0.0/24 to any
pass out on rl0 inet from any to 192.168.0.0/24



Dmesg :

OpenBSD 3.7 (GENERIC) #0: Wed Mar 29 04:41:11 EEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron ("GenuineIntel" 686-class, 128KB L2 cache) 534 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 167354368 (163432K)
avail mem = 145965056 (142544K)
using 2068 buffers containing 8470528 bytes (8272K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(3d) BIOS, date 04/02/99, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xb7ac
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdca0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443LX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443LX AGP" rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 9 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 10 address
00:e0:4c:07:ad:dc
rlphy0 at rl0 phy 0: RTL internal phy
vr0 at pci0 dev 15 function 0 "VIA Rhine/RhineII" rev 0x06: irq 11 address
00:80:c8:e6:b0:b6
amphy0 at vr0 phy 8: Am79C873 10/100 PHY, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at p

Re: Extremely weird PF behaviour

2006-06-13 Thread Alex Stamatis
Dear Stuart.

The translation is of course BEFORE the filtering! Any other thoughts about
the problem?



On 6/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/06/13 05:26, Alex Stamatis wrote:
> > I have a very, very weird problem!!!
>
> Not really...
>
> > I have a small network. The OpenBSD box (3.7 GENERIC) is my firewall.
> > On 2 of my Windows workstations I want to have Remote Desktop. So I made a
> > pass in rule for the ports 65500 and 65501 and an rdr of these 2 ports:
> > 65500 to one IP at internal port 3389 and 65501 to another IP at 3389.
> > It won't work from the outside world.
>
> Read the first couple of paragraphs of the TRANSLATION section of
> pf.conf(5), then you'll see that translation comes *before* filtering.



Re: Extremely weird PF behaviour

2006-06-13 Thread Alex Stamatis
Dear Stuart, your reply is very much appreciated! Thank you for sparing some
time to help me out.

I am pasting the rules so you can understand what I did. If I understand
correctly I did what you suggest already!
Take a look:

Nat - Rdr Rules :

nat on $ext_if from { 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4
192.168.0.69 192.168.0.227 } to any -> ($ext_if)
#
rdr on $ext_if proto tcp from any to ($ext_if) port 3389 -> 192.168.0.1 port 3389
rdr on $ext_if proto tcp from any to ($ext_if) port 65500 -> 192.168.0.2 port 3389

Filtering Rules :

pass in on $ext_if proto tcp from any to any port 3389 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 65500 keep state


Best Regards
Alex


On 6/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/06/13 22:57, Alex Stamatis wrote:
> > The translation is offcourse BEFORE the filtering ! Any other thoughts
> about
> > the problem ?
>
> I don't mean, being listed first in pf.conf. I'm talking about
> the order of actions on the packet.
>
> 1. Packets come into your box addressed to port 65500
> 2. NAT is carried out, port in packet is rewritten to 3389
> 3. Filter is carried out, port in packet says 3389:
> - does this match "pass in...to port 65500"? - no.
> - does this match "pass in...to port 65501"? - no.
>
> The pass in rule must be for the *rewritten* port, i.e. 3389
>
> If this is hard to understand, forget the separate 'pass in'
> rules and just use 'rdr pass'.
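
Stuart's point, written out as one complete ruleset so the broken and the working forms sit side by side. This is an added example for this page, not the original poster's pf.conf and not code from the thread; tun0, rl0 and the 192.168.0.x hosts follow the pfctl output above, while the $rdp_a/$rdp_b macro names and the "rdr pass" variant are this example's own choices.

```conf
# Added example for this page, not the original poster's pf.conf.
# OpenBSD 3.7-era pf syntax; tun0/rl0 and the 192.168.0.x hosts follow the
# thread, the $rdp_a/$rdp_b macro names are this example's own.
ext_if = "tun0"
int_if = "rl0"
rdp_a  = "192.168.0.1"   # reached from outside via port 65500
rdp_b  = "192.168.0.2"   # reached from outside via port 65501

scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Translation. By the time the filter rules below run, a packet that arrived
# for ($ext_if):65501 already reads 192.168.0.2:3389.
rdr on $ext_if proto tcp from any to ($ext_if) port 65500 -> $rdp_a port 3389
rdr on $ext_if proto tcp from any to ($ext_if) port 65501 -> $rdp_b port 3389

block all

# BROKEN (what was posted): matches the port the client dialed, which the
# packet no longer carries when the filter sees it. Never matches; block wins.
#   pass in on $ext_if proto tcp from any to any port 65501

# ALSO "WORKS", BUT TOO WIDE: this is why the 3389 case seemed to work.
# It matches the rewritten port on *any* destination host.
#   pass in on $ext_if proto tcp from any to any port 3389 keep state

# CORRECT: filter on the rewritten destination, host and port.
pass in on $ext_if inet proto tcp from any to $rdp_a port 3389 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $rdp_b port 3389 flags S/SA keep state

# EQUIVALENT SHORTHAND from the reply: "rdr pass" redirects and passes in one
# rule, so there is no second rule whose port could be written wrong.
#   rdr pass on $ext_if proto tcp from any to ($ext_if) port 65500 -> $rdp_a port 3389
#   rdr pass on $ext_if proto tcp from any to ($ext_if) port 65501 -> $rdp_b port 3389

pass out on $ext_if proto { tcp udp icmp } all keep state
pass in  on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
```

Load with `pfctl -f /etc/pf.conf`; `pfctl -vsn` and `pfctl -vsr` then print each rule with its evaluation and packet counters, and the signature of the mistake above is an rdr counter that climbs while the pass rule stays at zero. Exposed RDP is a standing password-guessing target whatever external port it sits on; if it must stay reachable, narrow `from any` to the source addresses that actually need it.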



Re: OpenBSD gets a "poor score" in security.

2006-07-27 Thread Alex Stamatis
Ahmmm. OpenBSD gets a bad score in patching?
Well, that may be because the OS is so good that it doesn't need 30 patches a day
like the Linux distros.
I have heard the Linux 'fans' saying amazing crap about their OSes...

Thank God in this world there are people that know that OpenBSD rules.
We must all also help the OpenBSD community with donations for the amazing
work that all the guys in the OBSD team do.
I made a donation 3-4 months ago to OBSD and if I had more I'd send more.

Let the Linux guys talk. All they can do is talk... Their OSes suck.

bsd for life ;)

On 7/27/06, chefren <[EMAIL PROTECTED]> wrote:
>
> On 07/27/06 11:17, [EMAIL PROTECTED] wrote:
> > Someone has written an article under "Information Security News",
> > entitled "Linux patch problems: Your distro may vary". As if
> > OpenBSD were a "Linux distro".
>
> Well, OpenBSD gets mentioned, that's the most important.
>
> ..
>
> > Good job Edmund! This is one of the worst articles on security I
> > have ever read. Talk about missing the point.
>
> Yep, let's do talk about it since I see you as a blind horse that
> misses the point because you cannot read. The title contains the two
> words "patch problems" and that isn't a very strong point of OpenBSD.
> (Obviously because there are not as many developers as other
> distributions have.)
>
>
> The article is not about the strong points of OpenBSD, pro-active and
> integrated security, it's about patching and updates, a weak point of
> OpenBSD.
>
> And it's not at all about stupidities like the one you mentioned of
> Ubuntu, you provide chaos without a reason.
>
> +++chefren



Server question

2006-08-08 Thread Alex Stamatis
Hello BSD'S :)

I want to rent a box in 1und1.de.
I wanted to ask the following questions.

It has software RAID. Do you think I might have a compatibility problem
with that?
Also, has anyone from misc tried to install OpenBSD via serial console at
this company? This is my main concern...
I assume that the network card inside the rack server will work without
compatibility problems... Right?

These questions might sound stupid, but I am asking because the real pickle is
that if you buy a box from this company you need to spend an amount of money
and it has at least a 1-year contract, so I need to be assured that at
least, even if the RAID doesn't work and I use 2 HDDs instead of RAID, the
OS will run fine.

Thank you very much everyone for your time.

Best Regards
Alex



Remote installation

2006-08-10 Thread Alex Stamatis
Hello again Misc !

First of all, thank you all for sending me some relevant links about the
remote installation of an OpenBSD system.
But I am afraid the problem is much more complicated in our situation. We
have tried so many different ways and we didn't make it.

This server has:
1. SCSI SATA HDDs, soft RAID
2. Serial console
3. AMD64 CPU

If someone can send me a "tutorial" on what he did in his case with some
step-by-step commands you will help us very much.
Every little help is really appreciated.
I have been using OpenBSD everywhere for years now and having to turn our
box into Linux is worse than our worst nightmare.

If you can help me please spare 3-4 minutes for a fellow OBSD user!
Your help, people, is incredibly needed right now!

Thank you all so much for your time.

I look forward to your mails.

Yours
Alexander



Problems on boot

2005-06-02 Thread Alex Stamatis
Hallo.

I have an old Celeron PC and I just installed OpenBSD. The HDD is SCSI and
it's on a SCSI controller. (I have checked and all this hardware is compatible
with OpenBSD.)
Even though the install completed successfully and I have changed the boot
sequence in the BIOS to first boot from SCSI, it doesn't. I don't know why but I
assume this happens because this PC is old and it doesn't "get along" with
the SCSI. Is there any way that I can first boot from CD-ROM and then somehow
make the system boot from the HDD? Or do you have any suggestions? It's the
second time I use SCSI in my life and I don't have any experience with SCSI.

Thank you very much for your time everyone.

Best Regards
Alex Stamatis



Re: Problems on boot

2005-06-02 Thread Alex Stamatis
Thanks all of you that replied to my message.

I just saw the dmesg and you were right. It says "Host adapter BIOS
disabled. Using default SCSI device parameters." So how do I enable
the SCSI adapter's BIOS?
The adapter is an AIC-7850 and the HDD is a Seagate.

Thanks again for the help !

Best Regards
Alex Stamatis

On 6/2/05, Brian <[EMAIL PROTECTED]> wrote:
>
> A helpful hint:
>
> 1) post your dmesg along with your post; no one knows what scsi controller
> you're running or anything else about your box.
>
> You can obtain your dmesg simply by:
>
> $ dmesg > file
>
> or you can read the man page for dmesg and just grab the file that is
> created
> at boot.
>
> I am currently running obsd on an old pentium II, but I am not using scsi,
> so I
> can only suggest posting the dmesg and hope for the best.
>
> I had been recommended on the list to use LSI scsi adapters, but I do not
> have
> a motherboard that can support those cards.
>
> Good luck,
>
> Brian
>
> --- Alex Stamatis <[EMAIL PROTECTED]> wrote:
>
> > Hallo.
> >
> > I have an old Celeron PC and I just installed OpenBSD. The HDD is SCSI and
> > it's on a SCSI controller. (I have checked and all this hardware is
> > compatible with OpenBSD.)
> > Even though the install completed successfully and I have changed the boot
> > sequence in the BIOS to first boot from SCSI, it doesn't. I don't know why
> > but I assume this happens because this PC is old and it doesn't "get along"
> > with the SCSI. Is there any way that I can first boot from CD-ROM and then
> > somehow make the system boot from the HDD? Or do you have any suggestions?
> > It's the second time I use SCSI in my life and I don't have any experience
> > with SCSI.
> >
> > Thank you very much for your time everyone.
> >
> > Best Regards
> > Alex Stamatis



ram not shown

2006-03-28 Thread Alex Stamatis
Hallo Misc.

I have (real mem  = 167354368 (163432K)) as shown in dmesg...

The weird part is that in top it shows
Memory: Real: 56M/78M act/tot

Why does this happen? Does it really only use 78 MB of RAM even though
the system sees the rest of it in dmesg, or is it just a bug in the top
utility?
I've never seen this before and it really made me curious. On another
OpenBSD that I have this doesn't happen and that fact made me even more
curious!

Thanks for the help :)

Best Regards
Alex Stamatis



kernel

2006-03-31 Thread Alex Stamatis
Hallo guys.

I have 1 question.
I turned the 3.7 system onto the stable branch and everything went fine. But
what makes me wonder is that in dmesg or in uname -a the kernel doesn't say
STABLE. On 2 other OpenBSDs that I have seen on the stable branch the
STABLE word is shown. The best part is that in dmesg the kernel's date is the
new one (the day that I did the build of the new kernel).
Do you know why this happens?

Best Regards
Alex

Uname :
OpenBSD hercules 3.7 GENERIC#0 i386


dmesg :
OpenBSD 3.7 (GENERIC) #0: Wed Mar 29 04:41:11 EEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron ("GenuineIntel" 686-class, 128KB L2 cache) 535 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 167354368 (163432K)
avail mem = 145965056 (142544K)
using 2068 buffers containing 8470528 bytes (8272K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(3d) BIOS, date 04/02/99, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xb7ac
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdca0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443LX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443LX AGP" rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 9 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 10 address
00:e0:4c:07:ad:dc
rlphy0 at rl0 phy 0: RTL internal phy
vr0 at pci0 dev 15 function 0 "VIA Rhine/RhineII" rev 0x06: irq 11 address
00:80:c8:e6:b0:b6
amphy0 at vr0 phy 8: Am79C873 10/100 PHY, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using
wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask fb65 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Pf behaviour

2006-04-29 Thread Alex Stamatis
Hallo Misc !

I have a problem with the Pf.

I don't understand why but for some reason it won't let ports 80 - 15352 pass
even though I have set it up in the configuration. It's been done according to
the FAQ and pfctl -nf doesn't return any errors at all!!!
Also NAT on the internal network and all communications from the int_if to
the OpenBSD box are fine!

I am pasting below the conf so you can tell me if you see something wrong.
Thank you for your time !

Best Regards
Alex


int_if = "rl0"
ext_if = "tun0"
core = "192.168.0.1"
giouli = "192.168.0.2"
lydia = "192.168.0.3"
icall = "192.168.0.4"
laptop = "192.168.0.69"
wifi = "192.168.0.227"
clients = "{" $core $giouli $lydia $icall $laptop $wifi "}"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set skip on lo0

scrub in all

nat on $ext_if from { 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4
192.168.0.69 192.168.0.227 } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 5060 -> $core port 5060
rdr on $ext_if proto tcp from any to ($ext_if) port 5061 -> $core port 5061
rdr on $ext_if proto udp from any to ($ext_if) port 5060 -> $core port 5060
rdr on $ext_if proto udp from any to ($ext_if) port 5061 -> $core port 5061

block all

antispoof quick for $ext_if inet

pass in on $ext_if inet proto tcp from any to ($ext_if) port 15352 flags
S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port www flags S/SA
synproxy state
pass in on $ext_if proto udp from any to any port 5060 keep state
pass in on $ext_if proto udp from any to any port 5061 keep state
pass in on $ext_if proto tcp from any to any port 5060 keep state
pass in on $ext_if proto tcp from any to any port 5061 keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network



Live cd

2005-09-15 Thread Alex Stamatis
Hallo.

At my college there is a lesson on the basics of Unix systems (commands,
shells, etc.). Unfortunately they teach it in a Linux environment. This mainly
happens because there are live CDs for Linux. Do you think that we can create
a live CD or DVD for OpenBSD so people can learn on the OpenBSD platform?

Regards
A. Stamatis



Live cd

2005-09-19 Thread Alex Stamatis
I want to thank all of you who replied to my previous mail about the live
CD. I've seen many of the links you sent me which talk about how you can
create a live CD. I would have done it myself but unfortunately I can't due
to tech reasons right now. Also I don't know if it would have been good since
I am an OpenBSD noob! As I said, I study at the American College of Greece
and the head of dept agreed to use OBSD for the teaching of Unix instead of
the crappy Linux and asked me to get it to him. So if someone can create this
live CD and upload it on the web just to download it and distribute to the
whole college I would really appreciate it. I know that time is precious for
everybody so if no one can do it I will understand. But if you can, you will
help OpenBSD grow not only in many people but in the educational system of
c.i.s as well.
Thank you all very much again!

Best Regards
Alex



Pf queue for voip

2006-01-31 Thread Alex Stamatis
Hello all.

I am relatively new to OpenBSD. More than satisfied with the OS. From the
day I set it up to be my router and some more things it has never annoyed me.
Even with some power failures etc. the system kept working after booting
again just fine!

Now I need some advice from you who know it very well, and especially pf (I
am a total noob on pf). I bought a VoIP device today. And I want the router,
no matter what the network usage is, to always give full priority
and the needed speed to 4 ports and a port range on 1 IP so that this
device can work properly, because if I am on the phone and start a download
from another computer on the network the VoIP goes down... The manual is
very big to read and understand in the small amount of time I have been using
the system. As I told you I am a total newbie on OpenBSD.
Can you suggest to me some lines that will give full priority to these 4
ports and 1 range which go to a specific LAN IP?
Thank you so much for your time.

Best Regards
Alex Stamatis
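
No answer to this request appears on the page. The following is an added example, written for this page, of the pf ALTQ priority queueing that 3.x-era pf provides; it is not code from the poster or from the list. The interface names follow the poster's other rulesets; the VoIP address, the port list, the queue names and the 512Kb figure are assumptions to be replaced with the device's real values.

```conf
# Added example, not from the thread: ALTQ priority queueing (priq) so that
# one VoIP device's packets leave the uplink ahead of everything else.
# OpenBSD 3.x-era pf syntax. Interface names follow the poster's rulesets;
# $voip, $voip_ports, the queue names and the 512Kb figure are assumptions.
ext_if = "tun0"
int_if = "rl0"
voip       = "192.168.0.1"                   # assumed LAN address of the VoIP box
voip_ports = "{ 5060, 5061, 10000:20000 }"   # assumed SIP signalling + RTP range

# ALTQ orders packets *leaving* an interface, so the queues live on $ext_if.
# The bandwidth must be a little under the real upstream rate; if it is set
# higher, the modem's own buffer fills first and pf never gets to reorder.
altq on $ext_if priq bandwidth 512Kb queue { q_voip, q_ack, q_def }
queue q_voip priority 7
queue q_ack  priority 5
queue q_def  priority 1 priq(default)

scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

# Queue assignment happens on the LAN-side "pass in" rule, before NAT rewrites
# the source address: on a "pass out on $ext_if" rule the packet would already
# carry ($ext_if)'s address and "from $voip" could never match (the same
# translate-then-filter order that bit the RDP redirect earlier on this page).
# The state remembers the queue and uses it when the packet leaves on $ext_if.
#
# pf takes the *last* matching rule, so the general LAN rule comes first and
# the VoIP rule after it. Bulk data goes to q_def and empty TCP ACKs to q_ack,
# so a download's acknowledgements are not starved by uploads either.
pass in on $int_if from $int_if:network to any keep state queue(q_def, q_ack)
pass in on $int_if proto udp from $voip to any port $voip_ports keep state queue q_voip

pass out on $ext_if proto { tcp udp icmp } all keep state
pass out on $int_if from any to $int_if:network
```

`pfctl -vsq` shows per-queue packet and byte counters, so a call in progress should make q_voip climb while a parallel download only moves q_def and q_ack. This protects the upstream side of the call; packets of the download arriving from the ISP were already queued at the far end and pf cannot reorder them, so if the downstream direction is what breaks, a second altq on $int_if with a bandwidth set below the line rate (to make the TCP download back off) is the next thing to try, and this example does not include it.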