OpenBSD and FreeBSD resources » Network http://purebsd.com Tue, 01 Jun 2010 06:01:11 +0000 en hourly 1 http://wordpress.org/?v=3.1 Cablemodem configuration http://purebsd.com/cablemodem-configuration.html http://purebsd.com/cablemodem-configuration.html#comments Tue, 01 Jun 2010 04:54:47 +0000 admin http://purebsd.com/?p=30 If you use DHCP to acquire your external interface’s configuration, it is necessary with some ISP’s to edit your /etc/dhclient.conf. Add or uncomment the following line in/etc/dhclient.conf:

send host-name "cp10682-a"

Where «cp10682-a» is the «hostname» the ISP assigned to you. It is probably printed on some form you received.

More coming soon!

]]> http://purebsd.com/cablemodem-configuration.html/feed 0 Configuring ADSL http://purebsd.com/configuring-adsl.html http://purebsd.com/configuring-adsl.html#comments Tue, 01 Jun 2010 04:53:41 +0000 admin http://purebsd.com/?p=22 Nota bene

In The Netherlands there are now, as far as I know, two different ways in which ADSL users have to configure their machines. One is without hassles (good!) and one is with hassles (bad!).

The without-hassle method below is valid for people connecting to Demon in The Netherlands. Please inform me of other ISPs implementing this method.

The with-hassle method below is valid for Alcatel ADSL modems as provided by the Dutch ISPPlanet Internet. People with an ADSL connection from the Austrian ISP Inode should encounter no problems, but they may not be (entirely) correct for Other ISP’s, in The Netherlands or abroad.

ADSL without hassles

Say you have an external interface called rl0. While installing OpenBSD, configure the interfacerl0 by typing «dhcp» when asked for an IP address. If you’ve already a running install, you can edit /etc/hostname.rl0. That file should exist of only one line reading «dhcp».

This is pretty much it. If you’re editing /etc/hostname.rl0 after you installed OpenBSD, you should either reboot or run route flush && sh -x /etc/netstart.

OpenBSD asks via the DHCP protocol your ISP to provide your machine with an IP address, gateway, DNS servers, etc. You might not like everything you receive from the remote DHCP daemon, so you might have to edit /etc/dhclient.conf in order to override some of the options the DHCP daemon whispers in your DHCP client’s ear:

supersede host-name "aurora";
supersede domain-name "intranet.hezeldrama.net";
prepend domain-name-servers 127.0.0.1;

Above three lines tell the DHCP client to use «aurora» as the hostname of the machine, «intranet.hezeldrama.net» as its domain name and to setup /etc/resolv.conf in such a way that the first nameserver line reads «127.0.0.1″. The last option is required only if you’d like to run your own caching DNS server on the localhost (= 127.0.0.1).

ADSL with hassles

  1. Reconfigure and recompile your kernel if you run the GENERIC OpenBSD kernel or a custom one, built with GRE (Generic Route Encapsulation) support. GRE eats the packets that are actually meant for the PPTP daemon software we’re about to use, resulting in a not working ADSL connection and the following error: LCP: timeout sending Config-Requests.So search for the line pseudo-device gre 1 in your kernel configuration file and disable it by putting a hash-sign (#) in front of that line. See the section updating for more information on recompiling your kernel.

    Doing sysctl -w net.inet.gre.allow=0 does not work. Reconfigure & Recompile(tm).

  2. Now you configure the network interface connected to your modem. Create or edit for this/etc/hostname.<if>, where if is the devicename of the interface: inet 10.0.0.150 255.0.0.0 NONE
  3. Download PPTP software from packetst0rm. Extract the source, runmake and copy pptp and pptp_callmgr to /usr/sbin.
  4. Edit /etc/ppp/options to read the following: name "LOGINNAME"
    noauth
    noipdefault
    defaultroute
    debug

    Replace LOGINNAME with the loginname/username/user-id that you need to dial-in to your ISP.
  5. Edit /etc/ppp/pap-secrets to read the following: LOGINNAME 10.0.0.138 PASSWORD

    Replace LOGINNAME with the loginname/username/user-id that you need to dial-in to your ISP. The same goes for PASSWORD.

  6. If you do not run your own (caching) nameserver, you may like to edit/etc/resolv.conf to use the nameservers of your ISP: search speed.planet.nl
    nameserver 195.121.1.34
    nameserver 195.121.1.66
  7. Run pptp 10.0.0.138 to login to your ISP. The ADSL internet link should now be up.
  8. Credits:
    Michael Kummer for his OpenBSD ADSL howto
    Lukas Ertl for his FreeBSD ADSL howto

ADSL with hassles: Afterwards

  1. For OpenBSD versions below 3.0:If you’d like to use NAT over your ADSL connection, disable the ipnat in your/etc/rc.conf, since ppp0 is not a valid configured interface at the time when/etc/netstart is run. Though ipfilter should be enabled.

    ipfilter=YES
    ipnat=NO

    Only when your ADSL connection is running and ppp0 is configured you should run:

    /sbin/ipnat -CF -f /etc/ipnat.conf

    For OpenBSD versions above 2.9:

    You’re probably running PF and not IPFilter. I’m not sure if you need to do special things in order to have NAT work automatically when connected to the internet via de ADSL line. I’ll ask around.

  2. You could optionally download this ADSL reconnect script from packetst0rm and run it from crontab to reestablish a broken connection. But that’s not a usable script.Don’t panic! I wrote one myself. Though it is very brutal, it does reconnect in all possible situations as far as I know. Packetst0rm’s script didn’t.

    - View adsl_reconnect.sh
    - Download adsl_reconnect.sh (gzipped)

    The only thing you should configure is the REMOTE_IP variable, which is the IP address of the remote end of your PPTP tunnel. This IP can be found easily when ADSL is running:

    $ ifconfig ppp0
    ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 62.131.xx.yyy --> 195.190.aaa.bbb netmask 0xff000000

    Here, the «195.190.aaa.bbb» is the value you should assign to the REMOTE_IP variable.
    Note: some ISPs drop/block ping packets directed to the remote end of the PPTP tunnel or most if not all of their other servers. So it is advised to check if the IP you’d like to use is returning ping packets before using it in the reconnect script.

    To have that reconnection script executed every five minutes you could edit root’s crontaband insert the following somewhere:

    # Check ADSL connection
    */5 * * * * /root/bin/adsl_reconnect.sh > /dev/null

]]> http://purebsd.com/configuring-adsl.html/feed 0 PFlog http://purebsd.com/pflog.html http://purebsd.com/pflog.html#comments Tue, 01 Jun 2010 04:33:43 +0000 admin http://purebsd.com/?p=20 PF, by means of the /etc/pf.conf file, indicates which packets should be logged. pflogdhandles those logging requests.

Normally, the pflog file used is /var/log/pflog. It’s in tcpdump readable format. It is synced every minute with the pflog0 interface.

To view the pflog file:

tcpdump -n -e -ttt -r /var/log/pflog

To view packets being logged in realtime:

tcpdump -n -e -ttt pflog0

]]> http://purebsd.com/pflog.html/feed 0 Network Address Translation http://purebsd.com/network-address-translation.html http://purebsd.com/network-address-translation.html#comments Tue, 01 Jun 2010 04:32:49 +0000 admin http://purebsd.com/?p=18 Note: This page is for people still using OpenBSD versions below 3.0 or OpenBSD versions above 2.9 patched to include IPFilter support. This page will be restructured soon.

To enable NAT you should enable ipfilter and ipnat in /etc/rc.conf and edit/etc/ipnat.rules to reflect your needs.

An example. rl0 is the external interface, connected with the internet.

Proxy outgoing FTP connections from the intranet:

map rl0 192.168.0.0/24 -> rl0/32 proxy port ftp ftp/tcp

Do some redirection from the outside to an internal host:

rdr rl0 0.0.0.0/0 port 8022 -> 192.168.0.8 port 22
rdr rl0 0.0.0.0/0 port 8080 -> 192.168.0.8 port 80

Two NAT rules to let the intranet transparently talk with the internet:

map rl0 192.168.0.0/24 -> rl0/32 portmap tcp/udp 10000:20000
map rl0 192.168.0.0/24 -> rl0/32

More coming soon.

]]> http://purebsd.com/network-address-translation.html/feed 0 Setting Up Firewall http://purebsd.com/setting-up-firewall.html http://purebsd.com/setting-up-firewall.html#comments Tue, 01 Jun 2010 04:15:25 +0000 admin http://purebsd.com/?p=14 Setting up a firewall
A structured page about configuring PF, the OpenBSD firewall program, is coming soon. In the mean time you might like to view my /etc/pf.conf file below. It has comments to make things more clear.

You can also download it:
pf.conf (plaintext)
pf.conf.gz (gzipped)

My /etc/pf.conf:

# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#

# <bof>

#########################################
# *** START MACRO & TABLE DEFINITIONS ***
#

# (Device)names of network interfaces
loc_if = "lo0"
int_if = "xl0"
ext_if = "rl0"

# IP addresses of network interfaces
loc_addr = "127.0.0.1"
int_addr = "192.168.0.3"
ext_addr = "132.175.118.161"

# CIDR address spaces of our networks
loc_net = "127.0.0.1/32"
int_net = "192.168.0.0/24"
ext_net = "132.175.118.161/32"

# Port intervals, icmp-types, etc
ftp_ports = "{ 50042 >< 52042 }"
icmp_types = "echoreq"

# Stateful packet filtering options macros for clarity pf rules
sf_udp = "keep state"
sf_icmp = "keep state"
sf_tcp = "flags S/SA modulate state"

# Restrictive access tables (for POP3 & syslog)
table <popxs> { 180.126.21.182, 243.73.176.15, 243.73.158.228 }
table <syslxs> { 132.175.117.104 }

#
# *** END MACRO & TABLE DEFINITIONS ***
#######################################

###################################################
# *** START OPTIONS, SCRUBBING & QUEUEING RULES ***
#

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Options that suit us better than the defaults
set block-policy return

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 15Kb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

#
# *** END OPTIONS, SCRUBBING & QUEUEING RULES ***
#################################################

#######################################
# *** START NAT & REDIRECTION RULES ***
#

# NAT: Do some NAT favors for the internal net (-:
nat on $ext_if from $int_net to any -> $ext_addr

# RDR: Redirect eDonkey2000/Overnet and WinMX traffic to my laptop
rdr on $ext_if proto tcp to $ext_if port 4662 -> 192.168.0.110 port 4662 # eDonkey
rdr on $ext_if proto udp to $ext_if port 4665 -> 192.168.0.110 port 4665 # eDonkey
rdr on $ext_if proto tcp to $ext_if port 6699 -> 192.168.0.110 port 6699 # WinXM
rdr on $ext_if proto udp to $ext_if port 6257 -> 192.168.0.110 port 6257 # WinXM

# RDR: Redirect outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> $loc_if port 8021

# RDR: spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on $loc_if all
rdr inet proto tcp from <spamd> to any port smtp -> $loc_if port 8025

#
# *** END NAT & REDIRECTION RULES ***
######################################

#########################################
# *** START (STATEFUL) FIREWALL RULES ***
#

# External interface: anti-spoofing measures; with logging
block drop in quick log on $ext_if from 127.0.0.1/8 to any
block drop in quick log on $ext_if from 172.16.0.0/12 to any
block drop in quick log on $ext_if from 192.168.0.0/16 to any
block drop in quick log on $ext_if from $ext_addr to any

# External interface: drop ASAP Windows SMB & MS-SQL related packets; no logging
block drop in quick on $ext_if proto { tcp, udp } to port { 135, 137, 138, 139, 1433 }
block drop in quick on $ext_if proto { tcp, udp } from port { 135, 137, 138, 139, 1433 }

# External interface: drop UDP port 4669 crap without logging
block drop in quick on $ext_if proto udp to port 4669

# External inferface: drop ASAP spammers; no logging
block drop in quick on $ext_if from 202.84.15.0/24 to any # Hongkong.com crap

# External interface: drop crap we don't want to see in our logs
block drop in quick on $ext_if to 0.0.0.0/32
block drop in quick on $ext_if from 0.0.0.0/32
block drop in quick on $ext_if to 224.0.0.0/4
block drop out quick on $ext_if to 224.0.0.0/4
block drop in quick on $ext_if to 255.255.255.255/32
block drop in quick on $ext_if from 255.255.255.255/32

# Local interface: TCP/UDP/ICMP incoming/outgoing connection
pass in quick on $loc_if all
pass out quick on $loc_if all

# Internal interface: TCP/UDP/ICMP incoming/outgoing connection
pass in quick on $int_if all
pass out quick on $int_if all

# External interface: incoming eDonkey2000/Overnet and WinMX traffic to my laptop
pass in quick on $ext_if proto tcp to 192.168.0.110 port 4662 # eDonkey
pass in quick on $ext_if proto udp to 192.168.0.110 port 4665 # eDonkey
pass in quick on $ext_if proto tcp to 192.168.0.110 port 6699 # WinXM
pass in quick on $ext_if proto udp to 192.168.0.110 port 6257 # WinXM

# External interface: UDP incoming connections
pass in quick on $ext_if proto udp to $ext_if port 53 $sf_udp
pass in quick on $ext_if proto udp from <syslxs> to $ext_if port 514 $sf_udp

# Externel interface: TCP incoming connections
pass in quick on $ext_if proto tcp to $ext_if port 22 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 25 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 80 $sf_tcp
pass in quick on $ext_if proto tcp from <popxs> to $ext_if port 110 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 113 $sf_tcp
pass in quick on $ext_if proto tcp to $loc_if port 8025 $sf_tcp
pass in quick on $ext_if proto tcp from any port 20 to $ext_if port $ftp_ports user proxy $sf_tcp

# Externel interface: ICMP incoming connections
pass in quick on $ext_if proto icmp to $ext_if icmp-type $icmp_types $sf_icmp

# Externel interface: TCP outgoing connections
pass out quick on $ext_if proto tcp all $sf_tcp
pass out quick on $ext_if proto { udp, icmp } all $sf_udp

# All interfaces: block everything by default
block log quick all

#
# *** END (STATEFUL) FIREWALL RULES ***
#######################################

#####################################################
# *** START QUEUE ASSIGNMENTS FOR OUTGOING TRAFIC ***
#

# Assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

#
# *** END QUEUE ASSIGNMENTS FOR OUTGOING TRAFIC ***
###################################################

# <eof>
 ]]> http://purebsd.com/setting-up-firewall.html/feed 0