New Firewall Creation
Hi,
I tried to create a new firewall by copying an existing pf.conf file to a brand new OpenBSD installation, but from my LAN the Internet is not accessible. I tried pfctl -nf /etc/pf.conf and it didn't give any errors; then I tried pfctl -f /etc/pf.conf and it gave the following error:
pfctl: SIOCGIFMTU: Device not configured
My external interface card has a Realtek chipset. Why does this error occur? When I try to ping www.google.lk it pings, but from my LAN the Internet is not accessible.
Thanks
Hi jggimi,
Thanks for the reply. My ifconfig output is as follows:
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr xx:xx:xx:xx:xx:xx
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.94.227 netmask 0xffffff00 broadcast 192.168.94.255
        inet6 x::x:x:x:x%em0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr xx:xx:xx:xx:xx:xx
        priority: 0
        groups: egress
        media: Ethernet autoselect (none)
        status: no carrier
        inet x.x.x.x netmask 0xfffffffc broadcast x.x.x.x
        inet6 x::x:x:x:x%rl0 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

Quote:
I've recommended upgrading or reinstalling, and questioned the continued use of 5.3 more than once. Three weeks ago, we learned that at least one of Amithapr's systems was running a blend of components from 4.1 and 5.3, and perhaps from other releases, and that none of them were beyond 5.3.
It is unclear to me if Amithapr was referring to 5.3 in this thread as the "old" system, or the "new" system.
Hi Ocicat, Jggimi
I installed OpenBSD 6.0 finally on my backup gateway. Could you assist me in transferring my PF rules and IPSEC VPN from my old OpenBSD 5.3 system to the new one? I cannot change the existing IPSEC VPN keys since my remote OpenVPN box is beyond my control. I really need your help to get this backup up and running with the remote OpenBSD 5.3 system. Many thanks for your help.
Last edited by Amithapr; 3rd October 2016 at 09:37 AM.
My pf.conf of the 5.3 live firewall is attached herewith. What are the IPSEC VPN details I should get from the old firewall to the new one to make the IPSEC VPN up and running? (Do I have to create a separate topic for the VPN?)
OpenVPN? I'll assume that's a typo, as all previous discussion has been about IPSec.

You must make contact with the person or persons who control your remote gateway. Your replacement of the local gateway would need to be coordinated with the remote facility. In addition, the remote gateway is also running an unsupported OS, and is likely running the same unsupportable Frankensystem as your local gateway. Ideally, both gateways should have their OSes replaced, and it would be best to coordinate the activity so they are replaced at the same time. If this were my environment, I would replace both gateways at the same time, coordinating with a remote systems administrator, or arranging for a remote console. There are risks to replacing only one gateway and leaving the other unchanged. There is no guarantee that a modern, supported release will work with a remote "something unknown but similar to 5.3" gateway, as there have been changes to IPSec over time.

---

To my understanding, this is a simple gateway-to-gateway network architecture, such as:

    [lan a] - [gateway a] - [Internet] - [gateway b] - [lan b]

If that is actually true, I would abandon whatever complex isakmpd.policy(5) structure was deployed by your predecessor and replace it with a simple ipsec.conf(5) configuration. There is a reason that Symantec wrote Zero to IPSec in 4 minutes. It is easy, simple, and quick. I don't know if your environment is that simple, because you have not posted any configuration information. But if the network topology is that simple, and you decide to proceed with replacing the IPSec configuration, keep in mind the article is ten years old. Use up-to-date man pages, do not copy/paste.

If the environment is sufficiently complex to be unable to use ipsec.conf(5) and ipsecctl(8), you will need to migrate all of the existing isakmpd(8) configuration files such as isakmpd.conf(5), isakmpd.policy(5), keynote(5) files, and you will need to migrate keys.
Last edited by jggimi; 3rd October 2016 at 05:54 PM. Reason: typos
Thanks a lot Jggimi,
I'll try your information.
I've taken a few minutes to look at the only network configuration information you have posted at this forum. In its entirety, this is:

Last edited by jggimi; 9th October 2016 at 03:22 AM. Reason: clarity
Hi Jggimi,
Thanks a lot for your information.