DaemonForums  

27th July 2009
plexter

Thanks for your replies.

Ugh. I think this conversation is starting to go beyond my original intent.

I used an example of "pulling the network cable" to indicate a disruption in the flow of traffic. DSL/PPPoE is not 100% reliable. Service interruptions are bound to happen beyond my control. When they do, I don't want to have to worry about manually re-initiating the ppp process. That's all.

In the ppp.conf I have values for reconnect...etc which I had figured would reconnect when needed.

Code:
default:
...
 set redial 15 0
 set reconnect 15 10000

pppoe:
...
Routing

Yes I understand what a gateway is. How my ISP has configured their side I am unaware of. My IP always stays the same. My gateway does not (when not enforced) however the one assigned to me is contiguous.

Example:

MY address range: 192.168.20.2 SN 255.255.255.248
Gateway assigned is: 192.168.20.1
However, if I don't manually set the gateway I seem to get other gateways which are probably from one superblock owned by my ISP.

Regarding manually setting my IP/GW

Code:
set ifaddr 192.168.20.2 192.168.20.1 255.255.255.248
Routing looks something like:
Code:
 route -n show -inet | grep tun0
default            192.168.20.1       UGS        0      727     -     8 tun0
192.168.20.1       192.168.20.2       UH         1        2  1500     4 tun0
I cannot ping or access anything.

If I don't set the address/gateway
Code:
#set ifaddr 192.168.20.2 192.168.20.1 255.255.255.248
Code:
route -n show -inet | grep tun0
default            192.168.40.1        UGS        5      252     -     8 tun0
192.168.40.1        192.168.20.2       UH         1        0  1492     4 tun0
However keep in mind the gateway seems to change pretty much on each connect. Usually ranges between something like 191.x.x.x - 193.x.x.x

Also note if setting the same IP/Gateway on my hardware appliance the connection works fine.

PF Load Failure

Also note that after removing the dynamic identifiers in pf.conf for ($ext_if), my pf fails to load again when I restart since tun0 is not ready. I have added "up" to hostname.tun0.

I'm curious about implementing "kernel" level PPPoE as opposed to what I have now. What is required? It sounds like this may have more desired results.


Thanks for all your help!
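The load failure described in the post above, as an added example that is not from the thread: a minimal pf.conf for a userland ppp link on tun0, with the form that fails at boot beside the one that loads. The interface name, macro and rules are assumptions made for illustration.

```pf
# Added example, not from the thread. Minimal pf.conf for a userland ppp
# PPPoE link on tun0 (interface name and rules assumed for illustration).
ext_if = "tun0"

# Fails at boot: a bare interface name in an address position is resolved to
# the interface's addresses when pfctl loads the ruleset, and tun0 does not
# exist until ppp brings it up, so the whole ruleset is rejected.
# pass out on $ext_if inet from $ext_if to any

# Loads whether or not tun0 exists: with the parentheses the kernel looks the
# address up when a packet is matched, and follows it when the ISP hands out
# a new one on reconnect.
pass out on $ext_if inet from ($ext_if) to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state
```

Test the ruleset with the link down (`pfctl -nf /etc/pf.conf` while tun0 does not exist), because the same check passes once ppp has created the interface and will not show the boot-time problem. A failed load at boot does not leave the box unfiltered: OpenBSD's rc installs a small block-by-default ruleset before netstart runs, and that is what stays in place when /etc/pf.conf is rejected.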
28th July 2009
jggimi

I would dearly love to see a *complete* routing table. Feel free to redact any private IP addresses.
28th July 2009
plexter

That is the complete routing table using your command. I simply added tun0 to simplify removing the private addresses and of course I changed the public IP's.

What else would you like to see?
28th July 2009
s2scott

the hostname.if is a many-splendid thing - part I

for example...

Code:
# pg /etc/hostname.tun0
inet 169.254.235.1 255.255.255.252 169.254.235.2
!/sbin/route add 169.254.235.0/24 169.254.235.1
#
You may find the second entry (the !/sbin/route line) useful. It inserts the route when the interface comes up.
28th July 2009
s2scott

hostname.if is a many-splendid thing - part II


Code:
# pg /etc/hostname.tun0
inet 169.254.235.1 255.255.255.252 169.254.235.2 group jabberwalkie
!/sbin/route add 169.254.235.0/24 169.254.235.1
#
Code:
/etc/pf.conf

#
pass in log quick on jabberwalkie inet \
 from <wherever> to (jabberwalkie:network) \
 flags S/FSRA keep state ...
#
pf will -- now -- parse correctly whether tun0 is up or down. The () change state will be detected appropriately.
28th July 2009
s2scott
dhclient-script

You may also want to look into your DHCLIENT operations and utilize dhclient-script functionality.

https://www.mirbsd.org/htman/i386/ma...ent-script.htm

remember, you're the dhclient of your isp, so let the dhcp-client event trigger the script and then let the script pass the new gateway parameters and, if necessary, trigger a pfctl -F all -f /etc/pf.conf.

/S
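A hook along those lines, as an added example rather than anything from the thread: a small sh script that takes the interface and the new peer address, validates both before they touch a command line, and reloads pf only after the ruleset passes a syntax check. The script name, and whether ppp(8)'s own link-up handling or dhclient-script invokes it, are assumptions. A userland ppp PPPoE link such as the one in this thread gets its address from IPCP rather than DHCP, so the trigger would be ppp's, but the script is the same either way.

```shell
#!/bin/sh
# Added example, not from the thread. Link-up hook for a userland ppp PPPoE
# link: re-read pf.conf once the interface has its (possibly new) peer address.
# Script name and caller are assumptions; invoke as:
#   pf-reload.sh tun0 192.168.40.1

PF_CONF=${PF_CONF:-/etc/pf.conf}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
# The peer address comes from an external event, so it is checked before it
# goes anywhere near a command line or a log message.
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r _a _b _c _d _e <<EOF
$1
EOF
    [ -n "$_d" ] && [ -z "$_e" ] || return 1
    for _o in "$_a" "$_b" "$_c" "$_d"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# valid_ifname NAME: lower-case letters followed by digits, nothing else.
valid_ifname() {
    case $1 in
        ""|*[!a-z0-9]*|[!a-z]*|*[!0-9]) return 1 ;;
    esac
    return 0
}

# run CMD...: execute CMD, or only print it under DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# reload_pf IFACE PEER: validate both arguments, syntax-check the ruleset with
# pfctl -n (parse only, nothing loaded), then load it. A typo in pf.conf thus
# leaves the running ruleset untouched instead of half-replaced.
reload_pf() {
    valid_ifname "$1" || { echo "reload_pf: bad interface '$1'" >&2; return 1; }
    valid_ipv4 "$2"   || { echo "reload_pf: bad peer address '$2'" >&2; return 1; }
    run /usr/bin/logger -t pf-reload "$1 up, peer $2"
    run /sbin/pfctl -nf "$PF_CONF" || return 1
    run /sbin/pfctl -f "$PF_CONF"
}

if [ $# -eq 2 ]; then
    reload_pf "$1" "$2"
fi
```

Plain `pfctl -f` replaces the ruleset and keeps existing states and tables; the `pfctl -F all` suggested above would first drop every established connection and empty every table, which is rarely what you want on a reconnect. Run the script with `DRY_RUN=1` to see the commands it would issue without touching pf.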
28th July 2009
s2scott

or at,

http://www.openbsd.org/cgi-bin/man.c...86&format=html

/S
28th July 2009
jggimi

Quote: Originally Posted by plexter
That is the complete routing table using your command. I simply added tun0 to simplify removing the private addresses...
I was interested in the complete list of directly connected subnets and remotely connected addresses, so that I could understand the entire routing table. By private address, I meant any addresses actually exposed to the Internet -- so that someone who saw a configuration problem would not be able to exploit it immediately. Since your gateway appears to use an RFC1918 address, it looks to me that your entire network falls within RFC1918 and NAT is managed by your ISP.

One thing I did note; your default route points to your local end (20.1) of the ppp connection rather than the remote end (20.2). I don't know if this is a ppp or pppoe specific requirement, but it seems wrong to me.
28th July 2009
BSDfan666

Replying to s2scott:
Most ADSL/PPPoE services do not utilize DHCP at all.
28th July 2009
plexter

Thanks s2scott/jggimi for the info.

Quote:
pf will -- now -- parse correctly whether tun0 is up or down. The () change state will be detected appropriately.
That's what I was doing before but figured there must be a better way. I guess maybe there isn't. Is there any down side to using that though? (aside from having to type the ( ) all the time?)

I do not believe I require DHCP for my internet access.

As for my routes. Well, what I posted was my "public addressable space" except I naturally modified it so this information is not readily available to the world. I chose 192.168.x to indicate that.

In my example:

Code:
default            192.168.40.1        UGS        5      252     -     8 tun0
192.168.40.1        192.168.20.2       UH         1        0  1492     4 tun0
192.168.40.1 - would be the gateway
192.168.20.2 - would be my IP


I'm not sure how this could even be displayed without giving out personal information. The block my ISP owns would appear to be much larger than any class C address space. Hence a "supernet"; however, I have no intention of speculating further on the design practices of my ISP.
http://en.wikipedia.org/wiki/Supernet
http://www.firewall.cx/supernetting-intro.php

My performance issues have been resolved to some degree. I disabled all the "set" options in my PF.CONF which would indicate they were the cause of some of the performance. As it stands I see a lot of fluctuation in speed. My system is running in a VMWare ESXi server which may have compatibility issues with OpenBSD? When I do 'top' the CPU seems to be practically sleeping and memory looks adequate with no swap usage.

Any way to see actual interface throughput/utilization? PFTOP shows some info but not specific to an interface, rather to PF.


Thanks for all your help!
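The check jggimi was doing by eye, as an added example that is not from the thread: an sh function (using awk) that reads `route -n show -inet` output and verifies that the default route leaves via tun0 through the peer end of the point-to-point link, that is, the Destination of the UH host route, whose Gateway column is the local address, and that the link MTU fits PPPoE's 1492-byte limit. The sample tables are the two posted above, with the thread's redacted addresses, plus a constructed one in which the default route points at the local end.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the default route of a
# point-to-point link from `route -n show -inet` output. The sample tables
# are the two posted in the thread (redacted addresses) plus a constructed one.

# RFC 2516: a 1500-byte Ethernet payload minus 6 bytes of PPPoE header and
# 2 bytes of PPP protocol field leaves 1492 bytes for IP.
PPPOE_MAX_MTU=1492

# Tables posted in the thread (userland ppp on tun0).
MANUAL_IFADDR='default            192.168.20.1       UGS        0      727     -     8 tun0
192.168.20.1       192.168.20.2       UH         1        2  1500     4 tun0'
NEGOTIATED='default            192.168.40.1        UGS        5      252     -     8 tun0
192.168.40.1        192.168.20.2       UH         1        0  1492     4 tun0'
# Constructed: default route pointing at the local end of the link.
LOCAL_END='default            192.168.20.2       UGS        0        0     -     8 tun0
192.168.20.1       192.168.20.2       UH         1        2  1492     4 tun0'

# check_route IFACE: read the route table on stdin (columns: Destination
# Gateway Flags Refs Use Mtu Prio Iface). On a point-to-point interface the
# UH host route is Destination=peer, Gateway=local address, so the default
# gateway must equal that Destination. Prints one line per problem found and
# returns non-zero if there was any.
check_route() {
    awk -v iface="$1" -v maxmtu="$PPPOE_MAX_MTU" '
    NF < 8 { next }                               # headers and blank lines
    $1 == "default" { gw = $2; gwif = $8; have_def = 1 }
    $8 == iface && $3 ~ /H/ && $3 !~ /G/ {        # host route to the peer
        peer[$1] = 1; npeer++; mtu[$1] = $6
    }
    END {
        bad = 0
        if (!have_def) { print "no default route"; exit 1 }
        if (gwif != iface) { print "default route uses " gwif ", not " iface; bad = 1 }
        if (!npeer) { print "no host route for the " iface " peer"; bad = 1 }
        else if (!(gw in peer)) {
            print "default gateway " gw " is not the " iface " peer"; bad = 1
        }
        for (p in peer)
            if (mtu[p] != "-" && mtu[p] + 0 > maxmtu) {
                print iface " MTU " mtu[p] " exceeds PPPoE maximum " maxmtu; bad = 1
            }
        exit bad
    }'
}

# run_sample NAME TABLE: check one embedded table and report the result.
run_sample() {
    printf '%s: ' "$1"
    printf '%s\n' "$2" | check_route tun0 && echo ok
}

if [ $# -gt 0 ]; then
    check_route "$1"        # e.g.  route -n show -inet | sh check_route.sh tun0
else
    run_sample "manual ifaddr" "$MANUAL_IFADDR"
    run_sample "negotiated" "$NEGOTIATED"
    run_sample "local end" "$LOCAL_END"
fi
```

Against the thread's own tables the negotiated one passes, while the manually configured one is flagged only for its 1500-byte MTU: a tun0 MTU above 1492 lets the kernel build IP packets that cannot fit in the PPPoE frame, which is worth ruling out before looking elsewhere for why nothing passes.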
28th July 2009
jggimi

Thanks for the clarification, plexter. Now your route table makes sense to me. (Most people use a more obvious redaction, such as "203.37.x.y")

While I cannot tell why pppoe stops operation, I assume your virtual machine environment is a contributing factor.
29th July 2009
s2scott

Quote: Originally Posted by plexter
...Is there any down side to using that though? (aside from having to type the ( ) all the time?)
No down side.

How many times can there be in a two-interface setup?

/S
5th August 2009
plexter

Hi all,

I just wanted to say thanks to everyone for all your help!

I believe everything should be working. In any case this topic has probably strayed from the original topic so I'll just start a new post, if needed.

Oh also found a neat program to monitor bandwidth which seems pretty neat.
"bwm-ng"

Thanks a lot,
Cheers!
28th August 2009
arcdigital
default_foo: not found

Hello,

Plexter, earlier you mentioned running into the same issue when sourcing vars during the setup of openvpn. You mentioned pointing to the right RSA files. By this do you mean the easy-rsa directory?

Regards,
4th September 2009
plexter

I'm not sure I understand your question. Are you having trouble with setup yourself? If so, please post errors.

For myself: I found it necessary to go through the configuration files and make sure all variables are pointing to correct files. RSA you would need to generate.

http://openvpn.net/index.php/open-so...howto.html#pki

I do recommend starting a new post if you require assistance however.
Content copyright © 2007-2010, the authors