and adding
static entries for 10.20.0.3, but this has no effect on the recovery
time.
Any suggestions on getting a rapid failover working?
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
port this weekend. In the meantime,
feel free to checkout a copy and try it out. I welcome user feedback
and bug reports.
http://www.netflowdashboard.com/
http://trac.netflowdashboard.com/netflowdashboard/wiki/InstallNotes
Thanks,
--
us much detail as far as your troubleshooting.
Thanks,
--
On Wed, Nov 26, 2008 at 04:16:30PM -0600, Patric wrote:
On Wed, 2008-11-26 at 14:37 -0500, Jason Dixon wrote:
On Wed, Nov 26, 2008 at 12:52:47PM -0600, Patric wrote:
My current pf.conf
__
ext_if = xl2
int_if = xl1
localnet = $int_if:network
nat
There will be a PF BoF session at this year's NYCBSDCon. The BoF will
take place during the lunch break, in the main presentation room of the
Davis auditorium.
http://www.nycbsdcon.org/2008/schedule.html
--
will hit (unless you're managing your
TTL).
--
used.
This exists no matter what you do. Routing through an additional
firewall/proxy, assuming both websites are live, does nothing to help.
-J.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jason Dixon
Sent: 10 September 2008 13:14
.
--
is to
intercept the packets destined for the external hostname and redirect
them on the internal interface to the intended server. So you would
have a binat rule for traffic out to the internet, and rdr/no-nat/nat
rules for traffic to your own servers.
--
and going down unpredictably. This may have nothing to
do with the pf ruleset, but I would still ask: is there a better way to do
this?
Add a static route for $remote_gw_addr through the appropriate gateway?
--
net.inet.carp.preempt enabled. We need more
information (read: configs) to help you.
--
content.
If I disable pf, it works! All the other needed NAT, filtering,
etc., obviously doesn't, though. I thought these rules would
cover it, but somehow they don't:
We need to see your entire ruleset. Guessing sucks.
--
to review your ruleset, but I don't think it matters
anyways. Delays of the variety you've described scream DNS. Check
your resolvers and your authoritative nameservers to make sure
everything operates as expected.
--
for you is to bypass 4.1 and use -current.
There were numerous PF performance advances made at c2k7.
--
preview pages to suggest it's on the
horizon.
--
) that are assigned to a queue
count towards the passed pkts/bytes and dropped pkts/bytes
statistics shown by pfctl -vsq.
Perhaps I don't understand your question. The answer seems simple
enough.
--
pfctl -sm
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
etc...
Thanks a lot ;)
No problem.
--
to write that myself.
Or you could just look in the source like I suggested...
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
--
towards
the default queue, skewing my totals. Has anyone come up with an
effective QoS design for dealing with proxies handling multiple
networks?
(Note: I would post the ruleset, but it's over 600 lines long.)
Thanks,
--
255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
inet 10.0.0.8 255.255.252.0
up
I'm curious as to what difference it makes.
None, from my experience. Sounds like misinformation to me.
--
10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.4 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
--
terribly embarrassed to let anyone see it
at this point. Once I've re-introduced the anchors, perhaps. :)
Thanks,
--
it down as much as possible to what you see below.
I believe you are referring to Reflection.
http://www.openbsd.org/faq/pf/rdr.html#reflect
--
, not
recognizing any connections from internal server, discards the packet.
--
On Oct 11, 2005, at 3:38 AM, Travis H. wrote:
FYI, this archive:
http://www.benzedrine.cx/pf/
Has not been archiving since 12 Apr 2005.
Don't need it.
http://marc.theaimsgroup.com/?l=openbsd-pf&r=1&w=2
--
this in detail.
Please stop top-posting.
Always start at the man pages; there is an example given (man 4
carp). There is a similar configuration in my NYC BSD Con slides
(http://www.dixongroup.net/NYCBSDCON/); see the Advanced Example.
--
the grouping feature in this sort of scenario.
--
On Sep 26, 2005, at 11:07 AM, Chad M Stewart wrote:
On Sep 25, 2005, at 9:39 PM, Jason Dixon wrote:
On Sep 25, 2005, at 8:30 AM, Neil wrote:
Yep, the same behavior when the master dies. The solution that
the person in #pf told me is use routing but I don't know how to
implement. He told
, that's a good one. Linus, quit playing around.
--
it?
Or mabye run CARP on WEB#1 and WEB#2 too?
Yes.
--
is, can pf be used w/o a network to
harden my desktop?
PF doesn't point to a nic. It filters network interfaces, such as
ppp0. ;-)
--
! 192.168.2.0/24 to any
where the second rule will drop traffic from 192.168.2.0/24, and the
fifth rule will effectively drop all other traffic.
Duh, thanks for catching that. I shot from the hip while running out
the door for a meeting. :-P
--
that router! It does the PPoE for me, along with minimal
blocking. I don't want to toss it.
Anyone have a way around this?
priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
!192.168.2.0/24 }
--
On Jun 6, 2005, at 3:00 PM, Kelley Reynolds wrote:
On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote:
Sorry, missed your comment before about only having that one rule.
Well, I'm sure that the rule you've posted will cause you headaches
since it's filtering on all interfaces. Try the following
/pf.conf.
--
On Jun 6, 2005, at 8:18 AM, Kelley Reynolds wrote:
On Jun 6, 2005, at 6:21 AM, Jason Dixon wrote:
On Jun 3, 2005, at 6:19 PM, Kelley Reynolds wrote:
Having an odd problem... a bridge configured such that one of the
interfaces has an IP works fantastically, until pf is enabled
not know how to block these programs.
Can anybody help me?
http://www.squid-cache.org
Use a proxy to normalize the traffic. IIRC, Skype requires UDP
packets for the voice packets. Simply block udp/80 and allow tcp/80
and tcp/443 through the proxy.
HTH.
--
On Apr 11, 2005, at 5:05 AM, Lars Hansson wrote:
On Mon, 11 Apr 2005 00:11:40 -0400
Jason Dixon [EMAIL PROTECTED] wrote:
Is the ability to run pfctl (via sudo) as a non-root user still
broken?
Huh? I have NEVER had any problems running pfctl via sudo. Ever.
Shit. I was stupid enough to actually
+ arpbalance does per-packet load balancing at L2.
man 4 carp
--
On May 17, 2005, at 9:20 AM, Manon Goo wrote:
--On 17 May 2005 06:37:02 -0400 Jason Dixon [EMAIL PROTECTED] wrote:
snip
CARP + arpbalance does per-packet load balancing at L2.
This will not help me because my problem is with
outbound traffic.
So setup CARP + arpbalance on your internal
, given a long enough curve, won't it all theoretically balance
out?
--
skip steps to only compare
against rules that are relevant. Quit trying to over-engineer, PF is
plenty fast enough. When you need to filter 10Gbps, come back to me
and we'll hash it out.
--
and
provide failover.
HTH.
--
or suggestions on future revisions (I'll post it on my own
site in 3 months), please let me know off-list.
http://www.samag.com/documents/s=9658/sam0505e/
Thanks,
--
. Your paranoia isn't wrong, it just doesn't apply to all
circumstances. Many people filter outbound (including yours truly),
but others do not.
--
Is the ability to run pfctl (via sudo) as a non-root user still broken?
I've tested this on a 3.6 -release system, and /dev/pf is still
unavailable for non-root users. I searched the archives and found
mention of this about a year ago, but nothing else since.
Thanks,
--
On Apr 11, 2005, at 5:13 AM, Peter N. M. Hansteen wrote:
Jason Dixon [EMAIL PROTECTED] writes:
Is the ability to run pfctl (via sudo) as a non-root user still
broken? I've tested this on a 3.6 -release system, and /dev/pf is
still unavailable for non-root users.
[EMAIL PROTECTED]:~$ ls -l /dev/pf
whatever
it is you're trying to do using PF and some other userland applications
(Squid, PythonDirector, etc). Perhaps we could better answer your
question if you could describe what it is you're actually trying to do,
not the products you're comparing against.
--
traffic, then why are
you asking if they should be blocked in the first place?
--
/man5/pf.conf.5Sun Mar 27 08:16:01 2005
@@ -2213,7 +2213,7 @@
attachment points.
An
.Ar anchor
-is a container that can hold rules, address tables, and other anchors.
+is a container that can hold rules and other anchors.
.Pp
An
.Ar anchor
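Review bot: this hunk narrows what pf.conf(5) promises for anchors without first establishing that the pfctl rejection quoted in the thread ("Rules must be in order: options, normalization, queueing, translation, filtering") is intended behaviour rather than a regression; confirm whether tables inside anchors load on an earlier release, as Cedric asks, before dropping "address tables" from the sentence, because if they are meant to work the fix belongs in pfctl, not in the man page.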
--
On Mar 27, 2005, at 1:05 PM, Cedric Berger wrote:
Jason Dixon wrote:
Looking at pf.conf (5), it claims that anchors can hold rules,
address tables, and other anchors.
Do you have the possibility to check if that was working on 3.5?
I wouldn't be surprised if there was new bugs in that area in 3.6
, filtering
/etc/pf.conf:26: Rules must be in order: options, normalization,
queueing, translation, filtering
It appears that pfctl assumes that anchors only contain filter rules.
Have I stumbled over a bug in either pf.conf (5) or pfctl, or am I
doing/assuming something wrong?
Thanks,
--
capitalize the T in Ot, so it looked like a typo of Ok.
:)
--
CARP firewalls. If you want ifstated,
it's a very simple cvs checkout, make, make install.
--
off bpf and loads
a quick pass rule into a pf anchor. No userland stuff is touched.
--
you how.
--
to find any
reference to it in the man pages or PF FAQ, but I found a good
explanation from the following document. I believe the information
regarding skip steps is still accurate, but I'll have to defer to the
developers:
http://www.inebriated.demon.nl/pf-howto/pf-howto.txt
--
it. The man pages are sufficient for the
firewalling concepts. If you need more information on setting up the
VPN, you might want to refer to one of the OpenBSD books
(http://www.openbsd.org/books.html), as faq13.html was tossed in the
CVS attic some time ago.
--
) accurately. What have you
tried? What is not working for you? What errors have you experienced?
Thanks,
--
with exact specifics. Rather, it is YOU who
needs to expound on what you're looking for.
--
donated to PF and the
OpenBSD project is worth thousands of dollars. Would you like to pay
by check now, or should they bill your credit card?
P.S. Shut up and code.
--
with one box connected to dual gateways, since that's exactly what
you're emulating.
--
unless you really know what you're doing.
I overextended myself with that piece of logic. I remember it being
capped at 255, but inappropriately associated it with the mask. Sorry
for any confusion caused, I fucking hate it when people give wrong
answers on list. :-P
--
=110229937028512&w=2
--
the master returns from me issuing a
reboot does the connection for the client appear to get shaky again?
No clue, you're not providing anything but anecdotal evidence.
--
and what isn't? What is the output of ifconfig -a on
each box?
--
(hostname.*, pf.conf), it's
impossible to help you. It would also help to know what
troubleshooting you've already tried and what errors/failures you're
encountered.
--
attention to the section Filtering on a bridge.
--
and help yourself too. :)
HTH.
--
.. It only listens to incoming packets.
man pf.conf, search for dup-to.
--
Gah, this is the 2nd time in a week I've cc'd the wrong list. Sorry.
-J.
On Nov 25, 2004, at 10:01 PM, Jason Dixon wrote:
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet - FW - Local Area Network
in the source. They are limited only by your
available memory, but can be capped using set limit states in
pf.conf. The general rule is 1k states per 1MB of memory.
--
Sorry, redirected to pf@ by accident.
-J.
On Nov 19, 2004, at 6:51 AM, Jason Dixon wrote:
On Nov 19, 2004, at 6:32 AM, Sergi Toledo wrote:
Hi
I've been looking for the maximum number of states that pf is able to
handle, but I can't find the correct .c or .h file. Which one is it?
I suppose
firewalls on the linux
hosts, but it would be in your best interests to take advantage of PF
wherever possible (IMHO).
--
and watch as you attempt your ftp
sessions. This assumes that you're logging and pflog0 is up. Basic
troubleshooting skills like this are necessary for becoming part of the
OpenBSD community.
tcpdump -nettti pflog0
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
resets, not sure
if your identd is actually running)? Why wouldn't you rather just deny
all and avoid behaving like a doof?
--
On Sep 15, 2004, at 12:23 PM, Brent Bolin wrote:
[EMAIL PROTECTED] (Jason Dixon) wrote in message
news:DCB03664-06A3-11D9-933E
I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
Don't try to block it. It's a port hopper. Instead make it painful
?
I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
--
director springs to mind) and let it handle the application
issues? Let _it_ deal with whether a server is alive or not; PF is a
_packet_filter_, not an application proxy/LB device.
Well, not in the truest sense, anyways. :)
--
that by killing cron and restarting it
manually (it's usually started in rc), that this seems to fix it. I've
compared the permissions of /var/cron/* before and after, and don't see
any differences.
Any ideas what I'm missing here?
Thanks in advance,
--
it might be a lot to take in.
--
failed. I'm running 3.4 -stable. Any ideas?
--
On Mar 18, 2004, at 9:56 AM, Peter Hessler wrote:
On Thu, 18 Mar 2004 06:27:39 -0500
Jason Dixon [EMAIL PROTECTED] wrote:
:Thanks, that works. Looking at pf.conf (5), it appears that rdr
pass
:is just a feature to bypass the normal filtering rule. I don't see
why
:my mine would've failed
with the whole
translate before filtering thing, applying logic where none applied.
;-)
Thanks,
--
out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out
keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in
flags S/SA synproxy state
# END of pf.rules
Thanks,
--
by pfstat. However it looks like
pfstat does not have an option for specific interfaces.
Actually, it does. The set loginterface option in pf.conf determines
which interface to collect packet/byte counts for. The statistics are
sent to pf (4), which is read by either pfctl or pfstat.
--
Microsoft vpn information doesn't tell us a lot. I
suggest you search the archives for L2TP or PPTP, depending on your
needs. There's plenty of information there. I personally have PPTP
GRE tunnels running through my firewall as we speak.
--
of a time matching regex for all the possible IPv6
permutations.
Thanks,
--
On Tue, 2004-01-27 at 11:18, Daniel Hartmeier wrote:
On Tue, Jan 27, 2004 at 11:03:03AM -0500, Jason Dixon wrote:
I'm wondering, though, if PF/pflogd has chosen to represent these
addresses in a standard, predictable format, or if it's simply dumping
the address information as it finds
On Tue, 2004-01-27 at 11:40, Daniel Hartmeier wrote:
On Tue, Jan 27, 2004 at 11:27:24AM -0500, Jason Dixon wrote:
A text representation of an IPv6 address can still be logged as anything
from :: to x:x:x:x:x:x:x:x, as far as I understand. Is it possible
for a mixed representation
://marc.theaimsgroup.com/?l=openbsd-pf&m=105637568926390&w=2
--
I'm trying to find some common ground for certain udp packets. Aside
from ServFail packets et. al., would it be safe to assume that any
packets with a '?' found after the destination IP in pflog output would
reflect a DNS packet? Can anyone think of an exception to this?
Thanks,
--
and tested under a 3.3 snapshot.
http://www.dixongroup.net/hatchet/
Released under the BSD license. Please direct any questions, comments,
etc. to my email (off-list).
Thanks,
--
://www.deadly.org/article.php3?sid=20020130012631
On another note, have you bothered to dump pflog0 to see which packets
are being blocked?
--
he has no desire to learn. He seeks only to have
others do his work for him. At this point, many of us here and on misc@
know his machine better than HE does.
--
and others) have given you more than sufficient assistance in
getting this working. Pissing folks off only makes it harder on
yourself. Feel free to send me an approved purchase order and your
login information, and I'll fix it FOR you.
Or learn how OpenBSD/PF work and fix it your damn self.
--
it.
I probably would, if I could understand what you're trying to say. Your
grammar, typos, and inability to form a coherent sentence leave me
speechless. I suggest you kill this thread, focus on your technical
issues, and quit wasting everyone's time.
--
On Fri, 2003-12-19 at 10:33, Henning Brauer wrote:
huh? why would you NAT on the internal interface?
well, admitted, I never use NAT, but...
Reflection would be one example. ;-)
--
Talk about a slow reply...
-J.
-Forwarded Message-
From: Dawna Hoerle (LCA) [EMAIL PROTECTED]
To: Jason Dixon [EMAIL PROTECTED]
Subject: RE: NAT Traversal Patent
Date: 06 Nov 2003 10:35:20 -0800
Thank you for your inquiry and my sincere apologies for the late
response.
At this time
On Fri, 2003-09-19 at 15:42, tefol tefol wrote:
How do I specify the encap interfaces in pf.conf?
man 4 enc
I need to to setup security policies, don't I ?
It would be in your best interests.
--