DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 21st December 2009
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 105
Thanked 0 Times in 0 Posts
Default Some Websites Wont Connect In Vista And XP

I have 3 computers in my network.

1. Windows XP SP2 (recently upgraded to SP3 to see if it would break but it still works with SP3)
2. Windows Vista SP2
3. Windows XP SP3

On computer 1 I can browse to all websites as normal. On computers 2 and 3 I can only browse to a few. All 3 use the same DNS ipaddress assigned via windows tcp/ip connections.

my pf.conf is basic as it gets for now

Code:
ext_if="pppeo0"
int_if="re1"

block log all

set block-policy drop

nat on $ext_if from !($ext_if) -> ($ext_if:0)

pass out keep state

pass out quick on $int_if from any to any
pass in quick on $int_if from any to any
pass out quick on $ext_if from any to any
ive even tried to alter the above to allow ALL traffic (temporarily) and i still receive the same issue.

I also found a thread on this forum with a guy that was having a similar problem and suggested that I add flags S/SA keep state to the firewall rules but that did not fix this issue.


I tried pfctl -vvss and found that computer 1 (working one) had a a wscale of 2, 4, 6, 8 etc... However the computers that are not working dont even have wscale on the screen. From the documentation I was expecting it to say wscale 0 or some kind of number at least.

I still have alot to learn when it comes to openbsd so any insight/troubleshooting tips you can give me is greatly appreciated.
Reply With Quote
  #2   (View Single Post)  
Old 21st December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Change
Code:
pass out keep state
into
Code:
pass out
pf will now make that into
Code:
pass out keep state flags S/A
Just make this change and use pfctl -vvs rules to check.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 21st December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Also see http://www.daemonforums.org/showthread.php?t=4106
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 21st December 2009
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 105
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by J65nko View Post
your a genius.

Code:
match on pppoe0 scrub (max-mss 1440)
That did the trick. Now I just have to figure out how to lock this thing down. I have alot of reading to do. Thanks for all the help
Reply With Quote
  #5   (View Single Post)  
Old 26th December 2009
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 105
Thanked 0 Times in 0 Posts
Default

is

Code:
match on pppoe0 scrub (max-mss 1440)
matching all traffic coming in to my external interface???


the reason I ask is because tcpdump shows me 0 packets dropped
Reply With Quote
  #6   (View Single Post)  
Old 26th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Tcpdump doesn't do any blocking of packets. Sometimes when there is a lot of traffic, tcpdump notices that it cannot decode all incoming packets. Then it just skips, or drops decoding some of them and lets you know by saying something like 1232 packets dropped. Apparently it told you "0 packets dropped", so it could decode and show you everything. No hiatus,


Now some homework, if you fail, you have to redo last semester .

What does the pf.conf manual say about 'match' ? Please paste that man page section here using [code] and [/code] tags.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 27th December 2009
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 105
Thanked 0 Times in 0 Posts
Default

I though tcpdump was just a program that read the binary form of the log files?

I though the dropped meant packets that was showing you how many packets were dropped(rejected/unsuccessful connection) by the firewall for the duration that you were monitoring the log. When I had a much slower box I would see packets were 'dropped'. I see now that I was interpreting this the wrong way.

Code:
     match
           The packet is matched.  This mechanism is used to provide fine
           grained filtering without altering the block/pass state of a pack-
           et.  match rules differ from block and pass rules in that parame-
           ters are set every time a packet matches the rule, not only on the
           last matching rule.  For the following parameters, this means that
           the parameter effectively becomes ``sticky'' until explicitly over-
           ridden: max-mss, min-ttl, no-df, queue, random-id, reassemble tcp,
           rtable, and set-tos.

           log is different still, in that the action happens every time a
           rule matches i.e. a single packet can get logged more than once.
From this, it seems that its not a match in. It flags it as 'sticky' or OK but waits for an actual allow/block statement to pass the traffic. Am I interpreting this correctly?
Reply With Quote
  #8   (View Single Post)  
Old 27th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Yes, you interpreting this correctly. You passed and can continue with the next semester

It just means that all packets on the pppoe interfaced will be scrubbed and it makes sure that the packet size doesn't exceed 1440 bytes.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
For those who REALLY need windoze, 2k, XP or Vista? fbsduser Other OS 68 4th July 2010 11:00 PM
Mailserver for websites xCipherx FreeBSD Ports and Packages 4 13th April 2010 03:56 PM
Guide for KDE over SSH from Vista ua549 FreeBSD General 13 13th June 2008 07:20 PM
KDE wont start up dctr FreeBSD General 9 11th June 2008 05:59 AM
OpenBSD-related websites bienc OpenBSD General 7 12th May 2008 09:15 PM


All times are GMT. The time now is 02:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick