On Sun, Dec 15, 2002 at 09:50:44PM -0800, Ben Lovett wrote:
Anyone else noticed panics with authpf and -current as of around 16:00
on 12/14? The system in question is a Soekris net4501, which was
previously running -current from around November 26th fine, with the
same configuration.
If
On Mon, 2002-12-16 at 11:47, Duncan Matthew Stirling wrote:
Please show me any example of a passive firewall rule set.
Let's nip this in the bud before it gets out of hand.
http://www.holland-consulting.net/tech/OBSDCommProbs.html#unfriendly
-J.
On Mon, Dec 16, 2002 at 09:47:41AM -0700, Duncan Matthew Stirling wrote:
Please show me any example of a passive firewall rule set.
block in on $ext_if all
pass out on $ext_if all keep state
Passive mode ftp means that the ftp data connections are opened from the
clients to the servers (as
Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
Here's my setup:
AMD 2300 w/ 512mb DDR ram
512mb flash drive
5 10/100 network cards
I have 4 networks right now, one of them is the internet. So let's call them Inet,
A, B, and C.
Network C is the network with all
Shawn,
Multi-interface packet filtering can be tricky. Could you post your
rules?
Without that, all we can probably say is that you have a
misconfiguration somewhere.
IIRC, creating stateful inspection on one interface does not allow the
packets to go through other interfaces. This is my
Only on the dc0 interface. The 192.168.3.0/24 block is on the dc1 interface.
The dc0 interface goes to the internet... I don't want/need to send anything from
192.168/16 to the internet
since they're 1918 addresses...
-Shawn
Do you have all routing set up correctly? Is the network that
[EMAIL PROTECTED] wrote:
http://www.iodamedia.net/pf.conf
Go grab it.. and tell me what I'm doing wrong!
-Shawn
Your ruleset is too large to debug just by looking at it.
But one error quickly caught my eye: you're blocking the loopback
interface, which is certainly a bad idea.
On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
Doesn't matter what IP address on any interface you ping. It all comes back
with the same thing.
I turned on logging to see what wasn't making it and such. I'm seeing DNS
requests getting blocked...
Routing is not an issue. The packets (ICMP,
on the tcpdump -nettti pflog0 command, should everything match the last
two rules, which are:
pass in log quick inet from any to any
pass out log quick inet from any to any
They were block rules, but I changed them to pass so I could better see what's
going on with live traffic...
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
on the tcpdump -nettti pflog0 command, should everything match the last
two rules, which are:
pass in log quick inet from any to any
pass out log quick inet from any to any
No. You have a gazillion other quick rules in front of these. The
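The two replies above, the one about blocking the loopback interface and the one about the quick rules in front of the final pass pair, both come down to how pf walks a ruleset. The following is an added example, not code from this thread or from OpenBSD: a toy Python model of pf's evaluation order (rules are tried top to bottom, the last matching rule decides, a matching `quick` rule ends evaluation, and the deciding rule is the one `log` reports on pflog0). It parses only a small subset of pf.conf syntax, accepts `keep state` without modelling state, and the ruleset, interface names and packets are constructed for the demonstration; the pflog line it prints is only an approximation of tcpdump's output.

```python
"""Toy model of pf rule evaluation (added example, not code from the thread).
pf tries rules top to bottom; the LAST matching rule decides, except that a
matching rule marked `quick` ends evaluation on the spot. The deciding rule is
the one a `log` keyword reports on pflog0, so with quick rules in front, a final
`pass log quick` pair never gets a chance to match. Only a subset of pf.conf
syntax is parsed and `keep state` is accepted but state is not modelled."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out" relative to the firewall
    iface: str                # interface the packet crosses (dc0, dc1, lo0, ...)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "pass" or "block"
    direction: Optional[str]  # None matches both directions
    iface: Optional[str]      # None matches every interface
    proto: Optional[str]
    src: str                  # CIDR or "any"
    dst: str
    dport: Optional[int]
    quick: bool
    log: bool

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


def parse_rule(number: int, text: str) -> Rule:
    """Parse the subset of pf.conf rule syntax used in this example."""
    toks = text.split()
    r = dict(number=number, action=toks.pop(0), direction=None, iface=None, proto=None,
             src="any", dst="any", dport=None, quick=False, log=False)
    keyed = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "dport"}
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            r["direction"] = t
        elif t in ("quick", "log"):
            r[t] = True
        elif t in keyed:
            val = toks.pop(0)
            r[keyed[t]] = int(val) if t == "port" else val
        elif t in ("all", "inet", "keep", "state"):
            pass                          # accepted, no effect in this model
        else:
            raise ValueError(f"unsupported token {t!r} in rule {number}")
    return Rule(**r)


def build(texts: List[str]) -> List[Rule]:
    return [parse_rule(i, t) for i, t in enumerate(texts, 1)]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, deciding rule number, logged?) the way pf would decide."""
    last = None
    for r in rules:
        if r.matches(p):
            last = r
            if r.quick:               # quick: this IS the last matching rule
                break
    if last is None:
        return ("pass", None, False)  # pf's default when nothing matches
    return (last.action, last.number, last.log)


def pflog_line(rules: List[Rule], p: Packet) -> str:
    """Rough approximation of a `tcpdump -n -e -ttt -i pflog0` line for a logged packet."""
    action, num, logged = evaluate(rules, p)
    if not logged:
        return ""
    port = f".{p.dport}" if p.dport is not None else ""
    return f"rule {num}/0(match): {action} {p.direction} on {p.iface}: {p.src} > {p.dst}{port}: {p.proto}"


# Constructed ruleset in the spirit of the thread: explicit quick passes, a
# block-in/block-out pair as rules 6 and 7, and a `pass log quick` pair last.
RULESET_TEXT = [
    "pass in quick on dc1 proto udp from 192.168.3.0/24 to any port 53 keep state",
    "pass out quick on dc0 proto udp from any to any port 53 keep state",
    "pass in quick on dc1 proto tcp from 192.168.3.0/24 to any port 80 keep state",
    "pass out quick on dc0 proto tcp from any to any port 80 keep state",
    "pass in quick on dc0 proto icmp all",
    "block in log quick inet from any to any",
    "block out log quick inet from any to any",
    "pass in log quick inet from any to any",
    "pass out log quick inet from any to any",
]
RULES = build(RULESET_TEXT)
# The loopback fix: let lo0 traffic through before any of the blocks can see it.
RULES_FIXED = build(["pass quick on lo0 all"] + RULESET_TEXT)

# Constructed packets: a DNS query from the covered subnet, one from a subnet
# no pass rule covers, and a query to a resolver on the firewall itself.
DNS_FROM_LAN = Packet("in", "dc1", "udp", "192.168.3.10", "198.51.100.53", 53)
DNS_FROM_OTHER_NET = Packet("in", "dc1", "udp", "192.168.4.7", "198.51.100.53", 53)
LOCAL_RESOLVER = Packet("out", "lo0", "udp", "127.0.0.1", "127.0.0.1", 53)

if __name__ == "__main__":
    for pkt in (DNS_FROM_LAN, DNS_FROM_OTHER_NET, LOCAL_RESOLVER):
        print(evaluate(RULES, pkt), pflog_line(RULES, pkt))
    print(evaluate(RULES_FIXED, LOCAL_RESOLVER))
```

Running it shows the query from the uncovered subnet and the loopback query both stopping at rules 6 and 7, which is exactly what pflog would report; rules 8 and 9 are never consulted, and only the added `pass quick on lo0 all` in front lets the resolver query through.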
I know it's long.. but several want to see this...
I used the quick commands just because they stop there and exit... I
figured it would be faster to write it that way and get exactly what I want.
I can just state what I want to pass, then kill everything else.
btw, I have 4 /22's going through
Ok... I said screw it and completely re-did the config. I've got most of it
working, but I'm still showing just a few weird things that are getting
blocked now...
6 is my block in, 7 is my block out.
All of the other DNS is working just fine... I just see port 53 in here a
couple of times...
Do you have all routing set up correctly? Is the network that
192.168.3.250 is on in the same subnet as one of the firewall interfaces?
Or is it a separate network? You'd need to add a route for it if it's
separate.
I had something funky happen with my routes at one point and had to
re-add.