From: Geoff Steckel (gwes oat.com)
Date: Sun Aug 08 2010 - 13:24:48 CDT
I've got a C7 board running 4.7 as my firewall.
The configuration is a lot more baroque than yours...
A couple of thoughts:
Your pf.conf should only hold state on one side. Multiple conflicting
state table entries for the same connection ensure flaky failures.
I use "quick" wherever possible to eliminate hidden dependencies.
"label" entries on pf.conf rules can help show unexpected paths.
When testing, do before and after runs of
netstat -ss
pfctl -s labels
pfctl -s state
and diff them to check where packets are going.
Also tcpdump of pflog.
I.e.
pass out quick log on $ext_if from ! ($ext_if) to any nat-to \
($ext_if:0) label nat-rule
pass out quick log on $ext_if all label ext-out
pass out quick log on $int_if all flags any no-state label int-out
pass in quick log on $ext_if all label ext-in
pass in quick log on $int_if all flags any no-state label int-in
This should show where things go.
Geoff Steckel
curmudgeon for hire
My system:
> $ dmesg
> OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
> deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: VIA Esther processor 1500MHz ("CentaurHauls" 686-class) 1.51 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
> real mem = 1005023232 (958MB)
> avail mem = 965070848 (920MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 05/16/06, BIOS32 rev. 0 @ 0xfb570, SMBIOS rev. 2.3 @ 0xf0000 (34 entries)
> bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 05/16/2006
> apm0 at bios0: Power Management spec V1.2 (slowidle)
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdc84
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdbb0/208 (11 entries)
> pcibios0: bad IRQ table checksum
> pcibios0: PCI BIOS has 11 Interrupt Routing table entries
> pcibios0: PCI Exclusive IRQs: 5 10 11
> pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0xfe00 0xd0000/0x5000!
> cpu0 at mainbus0: (uniprocessor)
> cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
> cpu0: unknown Enhanced SpeedStep CPU, msr 0x08100f1308000f13
> cpu0: using only highest and lowest power states
> cpu0: Enhanced SpeedStep 1501 MHz: speeds: 1500, 800 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
> viaagp0 at pchb0: v3
> agp0 at viaagp0: aperture at 0xe8000000, size 0x10000000
> pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
> pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
> pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
> pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
> pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
> ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> skc0 at pci0 dev 8 function 0 "D-Link Systems DGE-530T A1" rev 0x11, Yukon (0x1): irq 11
> sk0 at skc0 port A: address 00:0d:88:c8:2b:c8
> eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 3
> "VIA VT6306 FireWire" rev 0x80 at pci0 dev 10 function 0 not configured
> re0 at pci0 dev 11 function 0 "Realtek 8169" rev 0x10: RTL8169/8110SCd (0x1800), irq 5, address 00:30:18:a8:10:76
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
> pciide0 at pci0 dev 15 function 0 "VIA VT6420 SATA" rev 0x80: DMA
> pciide0: using irq 11 for native-PCI interrupt
> wd0 at pciide0 channel 1 drive 0: <HTS541080G9SA00>
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
> pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
> pciide1: channel 0 ignored (disabled)
> atapiscsi0 at pciide1 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <TSSTcorp, CDW/DVD SH-M522C, TS01> ATAPI 5/cdrom removable
> cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 10
> uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 10
> uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 11
> uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 11
> ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 11
> ehci0: timed out waiting for BIOS
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1
> viapm0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
> iic0 at viapm0
> spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
> auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x60: irq 11
> ac97: codec id 0x56494170 (VIA Technologies VT1617)
> ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
> audio0 at auvia0
> vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x78: irq 10, address 00:30:18:a2:dd:0f
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI 0x004063, model 0x0032
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci3: USB revision 1.0
> uhub4 at usb4 "VIA UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at mainbus0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: probed fifo depth: 15 bytes
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com1: probed fifo depth: 15 bytes
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> fins0 at isa0 port 0x4e/2
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> biomask ff45 netmask ff65 ttymask ffff
> mtrr: Pentium Pro MTRR support
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
The pf.conf is 160 lines - if anyone is interested, I'll forward it.
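The before/after snapshot-and-diff workflow from the post, as an added example script (not Geoff's own tooling): `snapshot` captures the three views on a live pf box, while `label_delta` and `new_states` compare two snapshots and are exercised on constructed sample output laid out like `pfctl -s labels` and `pfctl -s state` on OpenBSD 4.x, so the comparison part runs on a machine without pf. The column layout and the RFC 5737 addresses are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot pf counters and the
# state table before and after a test, then report only what changed.

# snapshot DIR TAG: save counters and state as DIR/TAG.{labels,state,netstat}
snapshot() {
    pfctl -s labels > "$1/$2.labels"
    pfctl -s state  > "$1/$2.state"
    netstat -ss     > "$1/$2.netstat"
}

# label_delta BEFORE AFTER: for each rule label print "label +N", where N is the
# growth of the packet counter (column 3 of `pfctl -s labels`). Labels whose
# counter did not move are omitted, so the rules that saw the test traffic stand out.
label_delta() {
    printf '%s\n' "$1" "=== AFTER ===" "$2" | awk '
        /^=== AFTER ===$/ { after = 1; next }
        NF < 3            { next }
        !after            { pkts[$1] = $3; next }
        { d = $3 - pkts[$1]; if (d != 0) printf "%s %+d\n", $1, d }'
}

# new_states BEFORE AFTER: state-table entries present after the test but not before
new_states() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | sort > "$tmp"
    printf '%s\n' "$2" | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Constructed sample output (assumed layout: label evaluations packets bytes
# packets_in bytes_in packets_out bytes_out), using RFC 5737 documentation addresses.
LABELS_BEFORE='nat-rule 100 40 6000 0 0 40 6000
ext-out 250 90 12000 0 0 90 12000
int-in 300 120 15000 120 15000 0 0'
LABELS_AFTER='nat-rule 105 44 6400 0 0 44 6400
ext-out 250 90 12000 0 0 90 12000
int-in 312 128 15900 128 15900 0 0'
STATE_BEFORE='all tcp 203.0.113.10:443 <- 192.0.2.25:50211       ESTABLISHED:ESTABLISHED'
STATE_AFTER='all tcp 203.0.113.10:443 <- 192.0.2.25:50211       ESTABLISHED:ESTABLISHED
all udp 198.51.100.53:53 <- 192.0.2.25:40022       MULTIPLE:SINGLE'

label_delta "$LABELS_BEFORE" "$LABELS_AFTER"   # nat-rule +4 and int-in +8
new_states "$STATE_BEFORE" "$STATE_AFTER"      # only the udp entry is new
```

On a live box, run `snapshot /tmp before`, generate the test traffic, run `snapshot /tmp after`, and feed the saved files to the two helpers with `"$(cat ...)"`.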