About pppoe PADI retries
Hi Misc,

I think this is not entirely an OpenBSD issue, but I want to learn the reason for the problem. Here it is: I have two ADSL modems which are in bridge mode. Here are my configs:

    # cat /etc/hostname.em1
    up
    # cat /etc/hostname.em2
    up
    # cat /etc/hostname.pppoe0
    inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev em1 authproto pap \
        authname 'username1@service' authkey 'password2' up
    dest 0.0.0.1
    !/sbin/route add default -ifp pppoe0 0.0.0.1
    # cat /etc/hostname.pppoe1
    inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev em2 authproto pap \
        authname 'username2@service' authkey 'password2' up
    dest 0.0.0.1
    !/sbin/route add default -ifp pppoe1 0.0.0.1

My public IP addresses are static. (I get them with the configs above.) pppoe0 has no problems, but pppoe1 somehow keeps redialing all the time. (It works for some minutes, after that it redials...) After thousands of PADI retries pf hangs and the rules for pppoe1 do not work. When I reload pf with pfctl -f /etc/pf.conf everything goes on... Also there are lots of "pppoe1: LCP keepalive timeout" messages in dmesg.

I use the generic 5.5 amd64 kernel with all errata patches.

My first suspects are the telecom guys. I'll ask to change my port on their side. I also wanted to report this second issue, which may be related to pf.

So, what do you think about this problem? Am I missing something? Is there any proper or temporary solution on the OpenBSD side? Is it an "option PPPOE_TERM_UNKNOWN_SESSIONS" related issue, as mentioned in the pppoe man page?

-- Thanks Theron
Re: About pppoe PADI retries
Hi Michal,

Thanks for your advice; I'll give it a try. I hope it saves my day.

-- Theron The Zorbas'

On Wednesday, January 7, 2015 11:43 PM, Michał Markowski wrote:

2015-01-07 16:13 GMT+01:00 Theron ZORBAS:
> pppoe0 has no problems but pppoe1 somehow redialing all the time. (Works for
> some minutes after that redials...)

Sounds familiar. I think one of your adsl modems may be dying.

-- Michał Markowski
OpenBSD Iscsid client
Hi Misc,

I want to connect a NAS device over iSCSI under OpenBSD 5.5 amd64. I have the NAS IP address, the CHAP credentials and the share. I've read man iscsi.conf but there is no part about CHAP auth. I also could not find any working example on the net.

Can anyone direct me please?

Thanks
Theron
Re: OpenBSD Iscsid client
Hi Claudio,

Thanks for your reply. I'll disable it. I also want to ask whether you're planning a CHAP auth implementation.

Have a good day.
Theron

On Friday, February 20, 2015 8:33 PM, Claudio Jeker wrote:

On Fri, Feb 20, 2015 at 04:32:42PM +0000, Theron ZORBAS wrote:
> Hi Misc,
>
> I want to connect a nas device over iscsi under OpenBSD 5.5 amd64.
> I have information about nas ip address, chap and share.
> I've read man iscsi.conf but there is no part about chap auth.
> Also could not find any working example on net.
>
> Can anyone direct me please?

iscsid does not support CHAP yet. Disable the auth and it should hopefully work.

-- :wq Claudio
OpenBSD and 40G/100G ethernet cards
Hi,

Is there any plan to support 40G/100G Ethernet cards? You can see a vendor's products in this category at this link: http://www.mellanox.com/page/ethernet_cards_overview

Thanks
Theron
PF block log all and ddos issue
Hello Misc,

I have an OpenBSD 5.2 i386 firewall. It was running fine until last night. We are under a DDoS attack (a DNS amplification attack, "ANY? isc.org" requests). Our firewall freezes. I can't ping my firewall interfaces, not even the internal interface. It doesn't answer, or replies very slowly. Before this freezing issue I got these messages in /var/log/messages:

    /bsd: uvm_mapent_alloc: out of static map entries
    /bsd: WARNING: mclpools limit reached; increase kern.maxcluster

I increased the kern.maxcluster value but it did not help. We had to reboot the firewall every 2 hours because of this DDoS attack. After that I realized that changing this pf rule worked:

    "block log all"  ->  "block all"

Now we are still under attack but the firewall handles it. It drops the UDP port 53 attack and doesn't log any packet. But this is not what I want. By default I want to log which packets my firewall blocked.

So how can I log all blocked packets and still keep my firewall up and running?

Thanks.
Theron
Re: PF block log all and ddos issue
Hello,

@Peter, thanks for your reply. But I have no problem with the DNS daemon. In fact the attackers DDoS IP addresses which have no DNS service listening on UDP port 53. So I have partially solved this issue with the rules below:

    #Stop pointless udp 53 requests (don't log these packets)
    block drop in quick on vlan100 inet proto {tcp,udp} from any to $dmz2:network port { 53 }
    block drop out quick on $dmz2 inet proto {tcp,udp} from any to $dmz2:network port { 53 }

    #default policy block and log all of them
    block log all

    # Other rules ..

But I still wonder why my firewall freezes when logging all blocked UDP 53 requests. The attack is not too heavy. I had seen much worse before.

Anyway, thanks.

From: Peter N. M. Hansteen
To: Theron ZORBAS
Cc: "misc@openbsd.org"
Sent: Thursday, December 27, 2012 7:43 PM
Subject: Re: PF block log all and ddos issue

Theron ZORBAS writes:

> I have an OpenBSD 5.2 i386 firewall. It was running so good till
> last night.
> We are under a ddos attack(DNS Amplification attack) (ANY? isc.org
> requests)

First of all, unless you *want* to run an open resolver, reconfigure so only the ones you want to do recursion for (typically at most clients in a subset of directly connected networks) will get the data they ask for. The difference in size between a full answer to the query you quote and a 'denied' reply is quite significant.

> Our firewall freezes. I cant ping to my firewall interfaces even
> internal interface. It doesnt answer maybe replies very slowly.
> Before this freezing issue i got these messages at /var/log/messages:
>
> /bsd: uvm_mapent_alloc: out of static map entries
> /bsd: WARNING: mclpools limit reached; increase kern.maxcluster
>
> I increased up kern.maxcluster values but did not work. We had to
> reboot firewall every 2 hours cause of this ddos attack.
> After that i realized that changing this pf rule worked:
>
> "block log all" to "block all"
>
> Now we are still under attack but firewall handles it. It drops udp
> port 53 attacks and doesnt log any packet.
> But this is not what i want. As default i wanna log which packet my
> firewall blocked.
>
> So how can i log all blocked packets and my firewall can be still up
> and running?

If pf logging or not is the difference between your firewall crashing or not, I'd put a significantly lower priority on collecting statistics than shutting up the noise makers.

I was in a similar situation a little while back (blagged about it too, see [1]). If you do want to run a name service but want to send the recursion gropers packing, you could do what I did: read the log for requests denied by named, then blackhole route the offending IP address to make sure you don't make any noise yourself by sending replies (pfctl -k and adding to a table you block drop are optional extras).

- P

[1] http://bsdly.blogspot.ca/2012/12/ddos-bots-are-people-or-manned-by-some.html

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF block log all and ddos issue
Hi again,

Here is the info that I can supply. If you need more, please tell me how to get it.

PF options:

    set timeout { interval 10, frag 30 }
    set timeout { tcp.first 300, tcp.opening 60, tcp.established 86400 }
    set timeout { tcp.closing 900, tcp.finwait 60, tcp.closed 90 }
    set timeout { udp.first 120, udp.single 150, udp.multiple 120 }
    set timeout { icmp.first 20, icmp.error 10 }
    set timeout { other.first 60, other.single 30, other.multiple 60 }
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit { states 50, frags 10 }
    set loginterface none
    set skip on { lo0 enc0 }
    set optimization normal
    set block-policy drop
    set fingerprints "/etc/pf.os"

PF states:

    root# pfctl -ss | wc -l
    4765

Interrupts:

    root# date; vmstat -i
    Fri Dec 28 22:57:00 EET 2012
    interrupt                       total     rate
    irq0/clock                   91039955      799
    irq0/ipi                     17900164      157
    irq82/bnx0                   58237357      511
    irq98/bnx1                  215829335     1896
    irq82/bnx2                      59316        0
    irq97/bnx4                    6800293       59
    irq80/mfi0                     537214        4
    irq82/bnx5                  125670397     1104
    irq84/ehci0                     74177        0
    Total                       516148208     4534

    root# date; vmstat -i
    Fri Dec 28 22:57:05 EET 2012
    interrupt                       total     rate
    irq0/clock                   91043954      799
    irq0/ipi                     17900210      157
    irq82/bnx0                   58237576      511
    irq98/bnx1                  215854554     1896
    irq82/bnx2                      59317        0
    irq97/bnx4                    6800360       59
    irq80/mfi0                     537232        4
    irq82/bnx5                  125684762     1104
    irq84/ehci0                     74177        0
    Total                       516192142     4535

My egress interface is bnx1 and my attacked interface is bnx5. I read somewhere that Intel network cards' (em0 etc.) performance was better. I can try to get a new NIC to see the difference.

I took these outputs while I am not logging the UDP 53 requests, which are just the attack.

Thanks.

From: James Shupe
To: misc@openbsd.org
Sent: Friday, December 28, 2012 8:11 PM
Subject: Re: PF block log all and ddos issue

> But i still wonder why my firewall freezes when
> logging all blocked udp 53 requests.
> The attack is not too heavy. I had seen
> much worse before.

- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due to the state table being full

Without more information from the machine, we don't have a lot of advice we can really give.

-- James Shupe
Re: PF block log all and ddos issue
Sorry, my last post is broken. You can see my outputs at: http://pastebin.com/FtbfHXf8

Thanks.
IBM x3850 acpi and qlogic fibre channel card problem
Hello Misc,

I'm trying to install OpenBSD 5.2 amd64 on an IBM x3850 server. At my first attempt it failed with this error:

    fatal page fault in supervisor mode

Here is a screenshot of this error: http://oi45.tinypic.com/21mf8ee.jpg

After that I went into UKC with boot -c and disabled acpi, so I installed OpenBSD onto my SCSI disk, which is locally connected to the LSI RAID controller card. When I boot OpenBSD from the SCSI disk it fails. Here is a screenshot of the kernel error: http://oi48.tinypic.com/xmq1dt.jpg

The server was frozen, so I could not run any debugging commands. I rebooted the server and disabled acpi but had no success. OpenBSD attached mpi0 at pci2 dev 0 but the server froze again with these last lines:

    vscsi0 at root
    scsibus2 at vscsi0: 256 targets
    softraid0 at root
    scsibus3 at softraid0: 256 targets

Here is a screenshot: http://oi45.tinypic.com/rribnq.jpg

My Fibre Channel HBA card is a QLogic QLE2560. I have also tried to install from the current snapshot (dated 13 Jan 2013) (ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/install52.iso), but the results are the same. I've checked that my hardware BIOS images are current and have no update available.

So what can I do to fix this issue?

Thanks.
Theron
Re: unable to add tun interface to bridge
Hi,

I was just looking for usage of the tap device. Is there any real world example for tap? There is no information about tap in the man pages of hostname.if and ifconfig... Only the tap(4) man page tells about creating the tapN device. Are there any other parameters, like adding interfaces just as with the bridge interface?

Thanks.

On Sunday, April 24, 2016, 9:58 AM, Claudio Jeker wrote:

On Sun, Apr 24, 2016 at 03:39:58AM +0100, niya levi wrote:
> hi everyone
> i am trying to setup openvpn with tun on a bridge (openbsd 5.9),
> i tried the following but got an Invalid argument error,
>
>     ifconfig tun0 create
>     ifconfig bridge0 create
>     ifconfig bridge0 add em0
>     ifconfig bridge0 add tun0
>     ifconfig: bridge0: tun0: Invalid argument
>
> what is the correct way to add the tun interface to the bridge ?

You need to use the tap(4) interface in 5.9 to get a Ethernet tunneling device. tun(4) is now Layer 3 only.

-- :wq Claudio
Binat purpose?
Hi @misc,

I have a topology which you can see at http://www.imagesup.net/?di=1214141397880

The modems are in bridge mode. OpenBSD is getting public addresses via pppoe. 1.1.1.1 is the default gateway on OpenBSD. I'm trying to reach an HTTPS server behind the 2.2.2.2 IP address on pppoe1. So I have this rule for this aim:

    pass log quick from 192.168.101.168 to any binat-to 2.2.2.2

I see packets reaching 192.168.101.168 but there is no response. I think it's about reply-to / route-to but I had no success with my tries.

Can anyone tell me how to handle this issue please?

-- Thanks Theron
Re: Binat purpose?
Hi Peter,

Here is my pf.conf file:

    # Macros
    wan1 = "pppoe0"
    wan2 = "pppoe1"
    lan = "em0"
    https_server = "192.168.101.168"

    # Options
    set skip on { lo0 enc0 }
    set optimization normal
    set block-policy drop
    set fingerprints "/etc/pf.os"

    # FTP Proxy
    anchor "ftp-proxy/*"

    # NAT Lan users on pppoe0 (wan1)
    match out on $wan1 inet from $lan:network to any nat-to ($wan1)

    # Default FW Policy
    block drop log from any to any

    # Lan
    pass in log quick on $lan inet proto udp from $lan:network to any port 53
    pass in log quick on $lan inet proto tcp from $lan:network to any port www divert-to 127.0.0.1 port 3129 label "Squid proxy"
    pass in log quick on $lan inet proto tcp from $lan:network to any port ftp divert-to 127.0.0.1 port 8021 label "FTP Proxy"
    pass in log quick on $lan inet proto tcp from $lan:network to any port { 25,110,143,443,465,587,993,995 }
    # pass log quick proto tcp from any to port 22

    #
    # here is where and what i dont know to do?
    # How to forward https requests to https_server arriving at pppoe1 interface/IP
    #

    # Outgoing from interfaces
    pass out from ($lan)
    pass out from ($wan1)
    pass out from ($wan2)

OpenBSD's default gateway is at pppoe0.

Thanks...

On Saturday, October 25, 2014 2:52 PM, Peter N. M. Hansteen wrote:

Theron ZORBAS writes:
> Modems are in bridge mode. OpenBSD is getting public addresses via pppoe.
> 1.1.1.1 is default gateway on OpenBSD.
> I'm trying to reach https server behind 2.2.2.2 ip address on pppoe1.
> So i have this rule for this aim:
> pass log quick from 192.168.101.168 to any binat-to 2.2.2.2
>
> I see packets are reaching at 192.168.101.168 but no response.
> I think it's about reply-to / route-to but got no success with my tries.
>
> Can anyone tell me how to handle this issue please?

Without your complete ruleset it's near impossible to debug your problem. But on any recent OpenBSD you can improve your debugging capability significantly by using log (matches) to track exactly what rules are in fact matched by a specific connection.
-- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
make release fault at OpenBSD 5.5
Hi,

I've just checked out from the official OpenBSD cvs with the -rOPENBSD_5_5 tag. Then I followed the procedure from faq5/"building from source". It failed after the make release command; here is the output:

    [..]
    ld -Ttext 0x810001e0 -e start --warn-common -nopie -S -x -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
       text    data     bss     dec     hex
    4620925 2398568  520928 7540421  730ec5
    cp /usr/src/distrib/amd64/ramdisk_cd/../../../sys/arch/amd64/compile/RAMDISK_CD/bsd bsd
    cc -o rdsetroot /usr/src/distrib/amd64/ramdisk_cd/../../common/elfrdsetroot.c /usr/src/distrib/amd64/ramdisk_cd/../../common/elf32.c /usr/src/distrib/amd64/ramdisk_cd/../../common/elf64.c
    cp bsd bsd.rd
    /usr/src/distrib/amd64/ramdisk_cd/obj/rdsetroot bsd.rd mr.fs
    cp bsd.rd bsd.strip
    strip bsd.strip
    strip -R .comment bsd.strip
    gzip -c9n bsd.strip > bsd.gz
    dd if=/dev/zero of=/var/tmp/image.17536 bs=512 count=6976
    6976+0 records in
    6976+0 records out
    3571712 bytes transferred in 0.120 secs (29725623 bytes/sec)
    vnconfig -v -c vnd0 /var/tmp/image.17536
    vnd0: 3571712 bytes on /var/tmp/image.17536
    fdisk -yi -l 6976 -f /usr/dest/usr/mdec/mbr vnd0
    Warning CHS values out of bounds only saving LBA values
    Writing MBR at offset 0.
    disklabel -w vnd0 mini34
    disklabel: unknown disk type: mini34
    *** Error 1 in /usr/src/distrib/amd64/ramdisk_cd (../common/Makefile.inc:35 'miniroot55.fs')
    *** Error 1 in /usr/src/distrib/amd64 (:48 'all')
    *** Error 1 in /usr/src/distrib (:48 'all')
    *** Error 1 in /usr/src/etc (Makefile:325 'distrib')

Any comment?

Thanks.
Re: make release fault at OpenBSD 5.5
Thanks Brad. I've updated it. I think it will be OK.

On Wednesday, March 5, 2014 12:29 AM, Brad Smith wrote:

On 04/03/14 5:24 PM, Theron ZORBAS wrote:
> Hi,
>
> I've just checked out from openbsd official cvs with -rOPENBSD_5_5 tag.
> Then followed procedure from faq5/"building from source".
> It failed after make release command; here is the output:
> [..]
> disklabel -w vnd0 mini34
> disklabel: unknown disk type: mini34
> *** Error 1 in /usr/src/distrib/amd64/ramdisk_cd (../common/Makefile.inc:35 'miniroot55.fs')
> *** Error 1 in /usr/src/distrib/amd64 (:48 'all')
> *** Error 1 in /usr/src/distrib (:48 'all')
> *** Error 1 in /usr/src/etc (Makefile:325 'distrib')
>
> Any comment?

Make sure /etc/disktab is up to date.
Dual connections not Load Balancing
Hi,

I'm trying to handle dual WAN connections on OpenBSD. I have seen the official PF load balancing example on the main site; it is clear. But my aim is not load balancing. I'm just trying to use the first WAN connection for our labs and the second WAN connection for wireless users. NAT is also needed because I use private IP networks.

    # cat /etc/hostname.re0
    inet 172.16.67.2 255.255.255.0 NONE description "ADSL WAN 1"
    # cat /etc/hostname.re1
    inet 172.16.68.2 255.255.255.0 NONE description "ADSL WAN 2"
    # cat /etc/hostname.re3
    inet 192.168.8.1 255.255.248.0 NONE description "Wireless LAN"
    # cat /etc/hostname.re4
    inet 192.168.1.254 255.255.255.0 NONE description "LAB Network"
    # cat /etc/mygate
    172.16.67.1

I don't know where to start or how to do it. I'm just stuck.

Thanks for your help.

-- Theron
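Both this question and the "Binat purpose?" thread above are policy-routing problems: traffic from one LAN has to leave through a WAN that is not the default route, and replies to a service published on the second WAN have to go back out the way they came in. The ruleset below is an added example, not a ruleset posted to the list or shipped by the OpenBSD project. It uses the interface addresses from this post and the 172.16.67.1 gateway from /etc/mygate; the second gateway 172.16.68.1 and the internal HTTPS host 192.168.1.10 are assumptions for illustration. The `route-to (interface gateway)` form is the OpenBSD 5.x syntax in use on this page; recent releases take only the next-hop address, so check pf.conf(5) for the release you run.

```pf
# Added example: per-network WAN selection with NAT, OpenBSD 5.x pf syntax.
# re0/re1/re3/re4 addresses are from the post; 172.16.68.1 (ADSL 2 gateway)
# and 192.168.1.10 (internal HTTPS host) are assumed values.
wan1      = "re0"             # ADSL WAN 1, 172.16.67.2/24
wan2      = "re1"             # ADSL WAN 2, 172.16.68.2/24
wifi_if   = "re3"             # Wireless LAN, 192.168.8.1/21
lab_if    = "re4"             # LAB network, 192.168.1.254/24
wan1_gw   = "172.16.67.1"     # from /etc/mygate (also the default route)
wan2_gw   = "172.16.68.1"     # assumed gateway of ADSL WAN 2
wifi_net  = "192.168.8.0/21"
lab_net   = "192.168.1.0/24"
https_srv = "192.168.1.10"    # assumed internal HTTPS server on the lab net

set skip on lo0
set block-policy drop

# Translation only: each private network is NATed to the address of the WAN
# it leaves through. A match rule never passes or blocks by itself; the
# translation is applied when a later pass rule creates the state.
match out on $wan1 inet from $lab_net  to any nat-to ($wan1)
match out on $wan2 inet from $wifi_net to any nat-to ($wan2)

# Inbound HTTPS published on WAN 2 (the "Binat purpose?" case): redirect to
# the internal host and pin the replies of this state to WAN 2's gateway,
# otherwise they would follow the default route out WAN 1 with the wrong
# source address and the client would never see an answer.
pass in quick on $wan2 inet proto tcp from any to ($wan2) port 443 \
    rdr-to $https_srv reply-to ($wan2 $wan2_gw)

block log all

# Traffic between the two LANs, or to the firewall itself, must not be
# policy-routed to a WAN; accept it before the route-to rules below.
pass in quick on { $lab_if $wifi_if } inet from { $lab_net $wifi_net } \
    to { $lab_net $wifi_net self }

# Policy routing is decided on the inbound pass rule: lab -> WAN 1,
# wireless -> WAN 2, regardless of the kernel default route.
pass in quick on $lab_if  inet from $lab_net  to any route-to ($wan1 $wan1_gw)
pass in quick on $wifi_if inet from $wifi_net to any route-to ($wan2 $wan2_gw)

# Let forwarded and locally generated traffic leave; the nat-to from the
# match rules above is applied to the states created here.
pass out on { $wan1 $wan2 $lab_if $wifi_if }
```

The same pattern answers the binat thread: a `binat-to` rule gives a static 1:1 mapping in both directions, but it still has to be placed on the WAN interface and paired with `reply-to` so that the replies of the published server leave through the WAN the connection arrived on. On a pppoe link the gateway argument is the peer address of that pppoe interface. After loading the ruleset, `pfctl -s rules -v` shows per-rule counters and `tcpdump -n -e -ttt -i pflog0` shows which rule each logged packet hit, which is the quickest way to confirm that the route-to and reply-to rules are the ones creating the states.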
PF and prio keyword
Hi,

I'm just an OpenBSD newbie coming from Linux. I'm trying to understand both OpenBSD and PF. In fact it's a very clear and strong structure; I'm happy with that.

My question is about using the prio keyword. Can anyone help me with this little pf.conf below? Is it a smart/advisable config or just a time-wasting expectation?

Thanks.

    #Macros
    int_if="re1"

    #Tables
    # (table names were lost in the archived message; <losers>, <users> and
    #  <admins> are reconstructed here from the comments on the rules below)
    table <losers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
    table <users>  { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
    table <admins> { 192.168.1.100 192.168.1.101 }

    #NAT private Networks
    match out on egress inet from $int_if:network to any nat-to (egress)

    #Default FW policy
    block log all

    #Always pass from my house
    pass log quick from 194.30.xxx.YYY prio 7

    #Losers with very low priority
    pass in log quick on $int_if from <losers> prio 0

    #Users with a standard priority
    pass in log quick on $int_if from <users> prio 3

    #Admins have the highest priority
    pass in log quick on $int_if from <admins> prio 7

    #pass out from "the" interfaces
    pass out from ($int_if)
    pass out from (egress)

    # uname -rms
    OpenBSD 5.0 i386

-- Theron ZORBAS
Re: PF and prio keyword
Hi,

> From: Henning Brauer
> To: misc@openbsd.org
> Sent: Monday, March 26, 2012 3:26 AM
> Subject: Re: PF and prio keyword
>
> * Theron ZORBAS [2012-03-25 19:38]:
> > My question is about using prio keyword. Can anyone help me with this
> > little pf.conf below. Is it smart/advisable config or just a time
> > wasting expectation?
>
> it does make sense.
>
> two gotchas:
> 1) priority queueing really only has an effect when you see a lot of
> traffic and/or your box is very loaded.
> 2) please consider prio experimental for now until I am done with the
> rest of the new queueing subsystem. foremost, and this is the really
> big gotcha, "prio 5" will likely match on packets with priority 5
> instead of setting it. yes, i know, sorry guys, sometimes it takes a
> while to get a really clear picture on where we want to head.

Thank you so much Henning, I've got the point. I'm also very excited about the new queueing subsystem.

> > #Macros
> > int_if="re1"
>
> one thing i almost always do these days and recommend:
>
>     ifconfig re1 group int (aka "group int" in hostname.re1)
>
> and then just use "int" wherever you have $int_if now.

This is great! I had not seen this feature before. Now I can have fewer rules by grouping interfaces which have the same firewall policies.

> > #Tables
> > table <losers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
> > table <users>  { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
> > table <admins> { 192.168.1.100 192.168.1.101 }
> > #NAT private Networks
> > match out on egress inet from $int_if:network to any nat-to (egress)
> > #Default FW policy
> > block log all
> > #Always pass from my house
> > pass log quick from 194.30.xxx.YYY prio 7
> > #Loosers with very low priority
> > pass in log quick on $int_if from <losers> prio 0
> > #Users with a standart priority
> > pass in log quick on $int_if from <users> prio 3
> > #Admins have the highest priority
> > pass in log quick on $int_if from <admins> prio 7
>
> that might be a bit excessive logging :)

I was only trying to express myself. I am not that much of a despot :)

> > #pass out from "the" interfaces
> > pass out from ($int_if)
> > pass out from (egress)
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/

-- Theron ZORBAS
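Henning's second gotcha is the one that bites when this ruleset is carried forward: in the queueing subsystem that followed, a bare `prio N` on a rule is a filter (it matches packets already carrying priority N) and priorities are assigned with `set prio`. The block below is an added example of the per-table priority scheme from this thread written in that later syntax; it is not from the thread or from the OpenBSD project. The table names <losers>, <users> and <admins> are placeholders (the original names did not survive the archive), and the addresses are the ones from the question. Check pf.conf(5) for the release you run before copying it.

```pf
# Added example: assigning priorities per source table with 'set prio'.
# Table names are placeholders; addresses are from the original question.
int_if = "re1"
table <losers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
table <users>  { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
table <admins> { 192.168.1.100 192.168.1.101 }

match out on egress inet from $int_if:network to any nat-to (egress)

# 'set prio' assigns the priority; it is carried by the packet and its
# state, so the outbound interface queues it accordingly. The two-number
# form gives ordinary packets the first priority and empty TCP ACKs (and
# lowdelay ToS packets) the second, so a busy upload does not starve the
# ACKs that keep a download moving.
match in on $int_if inet from <admins> set prio (6, 7)
match in on $int_if inet from <users>  set prio (3, 4)
match in on $int_if inet from <losers> set prio (0, 1)

block log all
pass in on $int_if inet from $int_if:network to any
pass out on { $int_if egress }

# A bare 'prio N' only matches packets that already carry priority N.
# This rule would match traffic tagged 7 above rather than tag anything:
# block in quick on $int_if prio 7
```

With this layout the pass rules stay free of priority arithmetic and the tables can be edited at run time with `pfctl -t admins -T add 192.168.1.102` without reloading the ruleset. Note Henning's first gotcha still holds: the priorities only change anything when the outbound interface is actually saturated.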
PF match word
Hello Misc,

What is the difference between these two rules:

    match out on egress inet from $int_if:network to any nat-to (egress)
    pass out on egress inet from $int_if:network to any nat-to (egress)

Or is there no difference? I could not understand when to use the match keyword.

P.S. I started using OpenBSD as a firewall only very recently. I'm asking this question as a newbie. Sorry if it is a time-wasting question for you.

Thanks.
Theron ZORBAS
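The difference is in what the rule decides. A `match` rule only attaches actions (here the NAT translation) to packets that match it and leaves the pass/block decision to the rest of the ruleset; a `pass` rule decides, and because the last matching rule wins unless it says `quick`, a later `block` can silently override it, in which case no state is created and the `nat-to` never takes effect. The following is an added example that is not from the list or the PF FAQ; `$int_if` and `egress` are as in the question, 192.168.1.0/24 is an assumed LAN and port 25 is just a hypothetical service to block.

```pf
# Added example: 'match ... nat-to' versus 'pass ... nat-to'.
# $int_if and egress as in the question; the LAN range and the SMTP block
# are assumptions for illustration.
int_if = "re1"

# Variant A (recommended): the match rule sets the translation and nothing
# else. The translation is applied only if a later pass rule actually
# passes the packet, so the NAT policy and the filtering policy stay
# independent of each other.
match out on egress inet from $int_if:network to any nat-to (egress)

block log all

pass in  on $int_if inet from $int_if:network to any
pass out on egress inet from $int_if:network to any        # NAT from the match rule applies here
block out on egress inet proto tcp to any port 25          # last match wins: SMTP blocked, no NAT state

# Variant B: pass with nat-to both translates and decides. It behaves the
# same way as A for most traffic, but the translation now lives on a rule
# that any later non-quick rule can override, and every place that needs
# a different verdict for NATed traffic has to repeat the nat-to clause.
#
# pass out on egress inet from $int_if:network to any nat-to (egress)
# block out on egress inet proto tcp to any port 25          # still wins; the nat-to rule above is ignored
```

A quick way to see the evaluation order on a live box is `pfctl -s rules -vv`, which prints each rule with its number and counters, and `tcpdump -n -e -ttt -i pflog0` on a rule with `log (matches)`, which shows every rule a packet matched rather than only the one that decided its fate.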
The new queueing subsystem
Hello Misc, Henning,

As a fresh OpenBSD user, I'd like to learn the release date of the new queueing subsystem. Do you have a date in mind, or any updates? I guess it will be part of OpenBSD 5.2 or 5.3?

Please forgive my curiosity. I really want to use the new queueing subsystem in production.

Thanks.

-- Theron