I'm curious,
How does everyone maintain their firewalls when patching them? Do you use
cvs or a manual patch? Or do you compile things on a separate system and do
binary patch on the firewall?
It would seem that CVS (tracking -stable) is the best way. The problem with
this though is you have
On Thu, Jan 09, 2003 at 09:42:35AM -0500, Small, Jim wrote:
How does everyone maintain their firewalls when patching them? Do you use
cvs or a manual patch? Or do you compile things on a separate system and do
binary patch on the firewall?
It would seem that CVS (tracking -stable) is the
I've sent this some time ago to misc@, but didn't get much response. I
thought I might try the pf specific list.
While working on my own tool, rpfcd (remote pf control dameon,
http://www.insecure.dk/rpfcd/) I found myself reusing a lot of code from
pfctl for pf(4) related routines. While some of
On Thu, Jan 09, 2003 at 06:34:13PM +0100, Daniel Hartmeier wrote:
On Thu, Jan 09, 2003 at 06:20:55PM +0100, Srebrenko Sehic wrote:
What do you think about this?
There is some sharing of pfctl code with authpf already, but it's done
by compiling and linking some source modules of pfctl
If we leave out all the technical challenges involved, the real question
is if the pf developers find this idea useful at all?
A few points, in wrac:
1) I kind of like libraries, but they are difficult to get right,
and probably more difficult is to have people agree to use it.
2) Theo
On Thu, Jan 09, 2003 at 07:22:14PM +0100, Cedric Berger wrote:
If we leave out all the technical challenges involved, the real question
is if the pf developers find this idea useful at all?
A few points, in wrac:
1) I kind of like libraries, but they are difficult to get right,
and
On Thu, Jan 09, 2003 at 07:40:52PM +0100, Srebrenko Sehic wrote:
pfctl does not support inserting rules on the fly and authpf needs that.
On the other hand, the overhead of having that would be too big.
h, things changed... authpf uses anchors now, that IS possible with
pfctl... hmmm.
--
On Thu, Jan 09, 2003 at 06:52:40PM +0100, Srebrenko Sehic wrote:
On Thu, Jan 09, 2003 at 06:34:13PM +0100, Daniel Hartmeier wrote:
But it would be worth carefully looking at the currently shared modules,
and sorting all functions and shared globals to into either shared or
private
On Thu, Jan 09, 2003 at 09:27:01PM +0100, Srebrenko Sehic wrote:
Didn't know that. So, authpf can insert rules on fly using anchors, but is
this possible with arbitrary applications? Say I want my snort box to insert
filter rules into pf, by sending a messages (something like
'block
Srebrenko Sehic wrote:
On Thu, Jan 09, 2003 at 07:50:09PM +0100, Henning Brauer wrote:
pfctl does not support inserting rules on the fly and authpf needs that.
On the other hand, the overhead of having that would be too big.
h, things changed... authpf uses anchors now, that IS
On Thu, Jan 09, 2003 at 09:52:56PM +0100, Cedric Berger wrote:
There is a table feature that has just been commited to the kernel.
You can write in pf.conf:
table snortblacklist persist
block in from snortblacklist to any
And then, your snort box can do the following:
ssh firewall
On Thu, Jan 09, 2003 at 10:00:55PM +0100, Srebrenko Sehic wrote:
Nic. Btw, what's the main difference between tables and
anchors?
An anchor is a bunch of rules, while a table is a bunch of addresses (or
netmasks).
If you have a block of rules in your main ruleset like
pass out from
On Thu, Jan 09, 2003 at 09:43:34PM +0100, Daniel Hartmeier wrote:
As for a library, that would only make sense if it were an additional
abstraction layer somewhere between pf(4) ioctls and pfctl command line.
Whether you find a level that changes less often than pf(4) but is more
generic than
On Thu, Jan 09, 2003 at 11:13:41PM +0100, Henning Brauer wrote:
Didn't know that. So, authpf can insert rules on fly using anchors, but is
this possible with arbitrary applications? Say I want my snort box to insert
filter rules into pf, by sending a messages (something like
'block
On Thu, Jan 09, 2003 at 09:27:01PM +0100, Srebrenko Sehic wrote:
On Thu, Jan 09, 2003 at 07:50:09PM +0100, Henning Brauer wrote:
pfctl does not support inserting rules on the fly and authpf needs that.
On the other hand, the overhead of having that would be too big.
h, things
On Thu, 09 Jan 2003, Srebrenko Sehic wrote:
4) I've never used authpf, but I wonder why authpf does not
call the pfctl binary, to have the benefit of code reuse without
that tricky sharing of files. Combining binaries is usually the
Unix way, I believe.
pfctl does not support inserting
On Thu, Jan 09, 2003 at 08:21:29PM -0500, Marina Brown wrote:
I run an ISP that is almost totally OpenBSD. While i understand the
need for pfctl to be lightweight, it would be VERY nice to have a
utility to add or delete a temporary rule when an attack is on.
Check out the 'anchor' feature in
...Guess i should take a look at the authpf and pfctl code
Or just look at anchors in the -current code.
Basically, find the spot in the ruleset where you want to insert
your rules, and drop an anchor attacks in there.
Then, for an attack in progress, do a:
echo 'block in quck from
On Thu, Jan 09, 2003 at 07:17:05PM -0700, [EMAIL PROTECTED] wrote:
Basically, find the spot in the ruleset where you want to insert
your rules, and drop an anchor attacks in there.
Then, for an attack in progress, do a:
echo 'block in quck from $attacker to any' | pfctl -a attacks -R -f -
19 matches
Mail list logo