[Rack] Gorilla

Dr. Jesus j at hug.gs
Tue Jun 22 23:49:12 PDT 2010


This rule looks like it doesn't belong in the pf config, and I'm going
to remove it unless someone really is trying to actively prevent
someone from running X over the monkeybrains link:

   block drop in on ! lo0 proto tcp from any to any port = 6000

The problem with the monitoring box and everything else that was
trying to use gorilla to get out was that the interface address on
sis1 changed.  My guess is that dhclient got 192.168.188.138 for sis1
from monkeybrains' DHCP server, and pfctl used that as the saddr for
the nat engine.  Later on, 192.168.188.139 started being handed out
and pfctl didn't seem to handle the address change automatically.
pfctl -F nat ; pfctl -N -f /etc/pf.conf fixed it right away.  If
monitoring shows the link is reasonable, someone can switch it back
later.  Monitoring is on stallion (s1).

With regard to ingress filtering, monkeybrains happily passed traffic
from gorilla with spoofed saddrs.  I used 75.101.62.77:

23:38:12.634093 IP 75-101-62-77.dsl.static.sonic.net > server2: ICMP echo request, id 60456, seq 20, length 64
23:38:12.634139 IP server2 > 75-101-62-77.dsl.static.sonic.net: ICMP echo reply, id 60456, seq 20, length 64

I thought sonic's L3 subnet partitioning mechanism would block all
traffic with saddrs outside our allocation, but it seems to pass
traffic from 75.101.62.2:

23:43:40.145229 IP 75.101.62.2 > server2: ICMP echo request, id 53766, seq 38, length 64
23:43:40.145256 IP server2 > 75.101.62.2: ICMP echo reply, id 53766, seq 38, length 64

And 75.101.1.1:

23:44:45.587736 IP 75.101.1.1 > server2: ICMP echo request, id 4912, seq 4, length 64
23:44:45.587779 IP server2 > 75.101.1.1: ICMP echo reply, id 4912, seq 4, length 64

But spoofing 1.2.3.4, 75.1.1.1, and 4.2.2.2, and the monkeybrains
gateway addresses didn't work.

Based on some research I did, I think upgrading the two soekris
routers to OpenBSD 4.7 should be a prerequisite to implementing more
HA features due to the new NAT features.  Matt?  I can do it if you
want, especially since the QoS config on r00ter might be a little hard
to port...
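Editor's note, not part of the message above: the stale-saddr behaviour described for sis1 is what pf does when a nat rule names the interface bare, because the address is resolved once at ruleset load; writing the interface in parentheses makes pf track address changes, which is the documented fix. The fragment below is an added pf.conf example (pre-4.7 nat syntax, with the 4.7+ equivalent in a comment), not the rack's actual config. It assumes sis1 is the monkeybrains-facing interface (from the post) and uses a placeholder internal network; the egress rule at the end is the local counterpart to the missing upstream ingress filtering, so that spoofed sources like the ones tested above cannot leave gorilla in the first place.

```pf
# Added example (editor's), not the rack's pf.conf.  Assumptions:
# sis1 is the monkeybrains-facing interface (named in the post);
# int_net is a placeholder for the inside network behind gorilla.
ext_if  = "sis1"
int_net = "10.0.0.0/24"   # assumed, not from the post

# Problematic form: $ext_if is resolved to one address when the ruleset
# is loaded, so after dhclient takes a new lease the nat engine keeps
# translating to the old address until pfctl reloads the rules.
# nat on $ext_if from $int_net to any -> $ext_if

# Fixed form: the parentheses make pf follow the interface's current
# address, so a DHCP lease change on sis1 needs no reload.
nat on $ext_if from $int_net to any -> ($ext_if)

# Same thing on OpenBSD 4.7 and later, where nat became a match option:
# match out on $ext_if from $int_net to any nat-to ($ext_if)

# Egress anti-spoofing on the router itself.  Outbound filtering runs
# after translation, so every legitimate packet leaving sis1 already
# carries sis1's own address; anything else is a spoofed source.
block out log quick on $ext_if from ! ($ext_if) to any
pass out on $ext_if from ($ext_if) to any
```

Check the result with `pfctl -s nat` and `pfctl -s rules` after a lease change: the translation address shown should match `ifconfig sis1`, and a spoofed-source ping out of sis1 should show up as a blocked entry on pflog0 instead of reaching the upstream.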

