Correct place to post a patch to ftp-proxy

2003-10-25 Thread Karl O. Pinc
Is this the right list to post a patch to ftp-proxy? I asked [EMAIL PROTECTED] if it was the right place last night but haven't gotten an answer. Sorry to bug y'all. Please ignore this if you like. Thanks. Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward.

Proposed idiom for inbound queueing on a multi-homed host

2005-07-14 Thread Karl O. Pinc
Hi, It's been said on this list before that you can't queue inbound traffic, say from a lower bandwidth link to the net, effectively on a host that is multi-homed. The solution has always been to do QOS on another 2-port box between the multi-homed host and the net. It occurs to me that I

Re: Problem with NAT and FTP server

2005-07-15 Thread Karl O. Pinc
On 07/14/2005 09:42:49 PM, [EMAIL PROTECTED] wrote: In my configuration there is a problem providing publicly-accessible anonymous FTP service. In particular, my public FTP address is advertised to be at .197, and the rules are configured for ftpd to answer requests on that address. General

Re: ftp connections not working on FreeBSD firewall box with pftpx

2005-07-18 Thread Karl O. Pinc
On 07/17/2005 08:09:02 AM, Michael Weiser wrote: Do you or anyone else know the rationale behind rdr not working for locally originating packets? I'll hazard a couple of guesses. When rdr works only on packets inbound on an interface there's no possibility of getting infinite loops. In

Re: Proposed idiom for inbound queueing on a multi-homed host

2005-07-23 Thread Karl O. Pinc
On 07/22/2005 07:55:41 AM, j knight wrote: Karl O. Pinc wrote: Hi, It's been said on this list before that you can't queue inbound traffic, What's the point? By the time these packets reach your box and jump through these hoops, they've already traversed your network link. Any

Re: Proposed idiom for inbound queueing on a multi-homed host

2005-07-24 Thread Karl O. Pinc
On 07/22/2005 12:17:56 PM, Karl O. Pinc wrote: On 07/22/2005 07:55:41 AM, j knight wrote: Karl O. Pinc wrote: Hi, It's been said on this list before that you can't queue inbound traffic, What's the point? By the time these packets reach your box and jump through these hoops, they've

Re: setting source ip on multiple aliases

2005-08-03 Thread Karl O. Pinc
On 08/02/2005 12:58:42 PM, quel wrote: I am trying to find the appropriate way to set the external ip used. I have a user who wants their outbound traffic to all go out their ip. This sounds like you are running an application, like apache, on the box and want different virtual hosts to go

Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
Hi, I want to route all inbound WAN traffic to a loopback interface so I can try some queueing on inbound traffic (to see if I can trade bandwidth for latency). But I'm not sure there's a way to do this in conjunction with stateful firewalling. Seems like: pass in on $internal_if from any to

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 11:54:05 AM, Jon Hart wrote: If you want to queue inbound traffic (LAN-WAN), why not just queue it when it is heading out on the WAN interface? I want to queue the traffic coming _in_ from the WAN, and I want all that traffic in one queue and have multiple interfaces on the

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 11:43:07 AM, Daniel T. Staal wrote: On Fri, August 5, 2005 12:30 pm, Karl O. Pinc said: Hi, I want to route all inbound WAN traffic to a loopback interface so I can try some queueing on inbound traffic (to see if I can trade bandwidth for latency). But I'm not sure there's

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 01:58:19 PM, Chris 'Xenon' Hanson wrote: And further, by configuring an interface's sum total max bandwidth slightly _lower_ than what it is, you leave yourself enough headroom to start throttling back the data rate on all inbound streams before you hit the ceiling

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 03:58:09 PM, Daniel Hartmeier wrote: On Fri, Aug 05, 2005 at 08:48:19PM +, Karl O. Pinc wrote: But all this is already true when you've saturated your WAN link so there's no harm in trying to shape the traffic anyway. The comment above was only regards mis-behaving apps

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 04:33:32 PM, Daniel Hartmeier wrote: Ah, I think I get what you mean. You don't want to rate-limit your outgoing replies to achieve this effect on incoming traffic. Instead, you simply rate-limit the incoming traffic to some rate X, assuming the peer will converge to send at

Re: Using state and routing inbound traffic

2005-08-05 Thread Karl O. Pinc
On 08/05/2005 05:07:53 PM, Daniel Hartmeier wrote: On Fri, Aug 05, 2005 at 03:47:57PM -0600, Chris 'Xenon' Hanson wrote: If the theory is correct, the graphs will nicely show so, and you can make a nice little web page which we can refer to the next time someone argues about rate-limiting

Re: Using state and routing inbound traffic

2005-08-06 Thread Karl O. Pinc
On 08/05/2005 11:28:43 PM, Lars Hansson wrote: On Fri, 05 Aug 2005 16:30:44 + Karl O. Pinc [EMAIL PROTECTED] wrote: I want to route all inbound WAN traffic to a loopback interface so I can try some queueing on inbound traffic (to see if I can trade bandwidth for latency). You don't need

Re: How to route from gateway to internal net

2005-08-16 Thread Karl O. Pinc
On 08/16/2005 07:51:19 AM, Paul Galbraith wrote: I have a simple setup with an obsd gateway connected to my isp, and a few machines behind it on an internal network. I have port 993 (imaps) successfully redirected to my mail server and that works nicely from anywhere (internal or external)

Re: filtering logmein with pf

2005-09-07 Thread Karl O. Pinc
On 09/07/2005 07:45:05 AM, Peter N. M. Hansteen wrote: Siju George [EMAIL PROTECTED] writes: https://secure.logmein.com/ How do I prevent usage of such software with PF while permitting http access from the LAN at the same time through PF to the Internet??? As far as I can decipher the

Re: VPN hfsc

2005-09-14 Thread Karl O. Pinc
On 09/14/2005 12:26:12 PM, Brandon Mercer wrote: Hello, Thanks for providing this resource, I've found it most useful! Have you ever setup traffic shaping for the traffic over a VPN? This is my scenario: Your questions do not seem all that specific so it's hard to respond other than yup,

Re: pf load balancing

2005-09-22 Thread Karl O. Pinc
On 09/22/2005 04:51:37 PM, Lucas wrote: i have done it this way, but still have some problems: I am sorry. I'm afraid I may not have understood your initial diagram. (I like to see the machines, with each interface and its assigned IP, and the network number/netmask of the networks

Re: redirect packets from any to different HTTP servers

2005-09-26 Thread Karl O. Pinc
On 09/26/2005 08:23:49 AM, Raphael GRUNDRICH wrote: hi, I want to replace an ISA server by PF. This ISA Server does one thing I can't reproduce under PF. For each domain it redirects to a different host: for example www.domain1.com , www.domain2.net have the same IP address (i.e the ISA Server

Re: redirect packets from any to different HTTP servers

2005-09-26 Thread Karl O. Pinc
On 09/26/2005 03:54:35 PM, Mark Peoples wrote: For each domain it redirects to a different host: for example www.domain1.com , www.domain2.net have the same IP address (i.e the ISA Server public IP) but different IP address inside local lan because they run on different host. you need a

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Karl O. Pinc
On 11/09/2005 02:57:08 AM, Peter N. M. Hansteen wrote: Over in the comp.unix.bsd.freebsd.misc news group, there's a discussion about what happens when PF loads, specifically a perceived 'window of opportunity' for an attacker in the interval between PF getting enabled and the rule set loading,

Re: pps or other unknown upper bound?

2005-11-17 Thread Karl O. Pinc
On 11/17/2005 12:57:06 PM, Jon Hart wrote: On Thu, Nov 17, 2005 at 12:34:53PM -0600, Kevin wrote: I think this is a key point -- the client is removing the quad from TIME-WAIT and sees it as eligible for reuse, meanwhile the firewall and/or the server still has this closed session state

Re: odd things in pf drop logs...

2005-11-17 Thread Karl O. Pinc
On 11/17/2005 08:38:05 PM, Russell Fulton wrote: H... whatever is kip? 14:57:35.469584 kip 73.61.65.185 100.20.84.69: at-#105 2 (ttl 126, id 22132, len 46) Betcha anything that's an Apple keyserver. Does something with authorizing licenses so people can use software licensed to

Re: inbound queueing question

2005-12-01 Thread Karl O. Pinc
On 12/01/2005 05:17:07 PM, Terje Elde wrote: Really tired, so this is just a quick shot at explaining one possible setup: 1. Set the speed of all interfaces to their actual physical speeds. Exception: If your WAN link is behind another router, set it to 90% or so of the speed that

Re: inbound queueing question

2005-12-02 Thread Karl O. Pinc
On 12/01/2005 03:49:06 PM, Chris 'Xenon' Hanson wrote: The trouble comes when you use the router as a gateway for multiple LANs to one WAN. If you put a queue on the LAN connections to try to control the inbound WAN connection, you'll find that you are also throttling the traffic

Re: inbound queueing question

2005-12-02 Thread Karl O. Pinc
On 12/02/2005 10:46:05 AM, Chris 'Xenon' Hanson wrote: Karl O. Pinc wrote: What the developers are waiting for is proof that the tcp flow limiting mechanism is actually an effective way to control bandwidth across a WAN. Yes, I recall the thread. I need to go back and re-read

Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-19 Thread Karl O. Pinc
On 12/19/2005 04:33:27 PM, Jonathan Rogers wrote: My new OpenBSD 3.8/pf firewall setup seems now to mostly be doing what it's supposed to. One lingering problem, though, that I just can't find the source of. I'm getting occasional log messages like this (standard tcpdump format): pass in

Re: Table limit

2005-12-26 Thread Karl O. Pinc
On 12/25/2005 09:35:48 PM, Simeó Reig wrote: Hi, I'm trying to configure spamd, the problem occurs when I try to load a 2,7 million list of spam IPs, seems like PF crashes. How many addresses can a table have? Is it possible to increase this limit? There was recently something about

Re: OpenBSD - pf.conf fails to load on reboot, but loads fine after boot

2005-12-31 Thread Karl O. Pinc
On 12/31/2005 06:29:34 PM, Randal L. Schwartz wrote: Nope. No hostnames. Any other ideas? Some interface is not working on warm start? You must be getting a message on boot from pfctl. Hack /etc/rc to save it to a file. pfctl -f ${pf_rules} > /somewhere 2>&1 Karl [EMAIL

Re: graphing pf stats

2006-01-02 Thread Karl O. Pinc
On 01/01/2006 07:52:55 PM, Peter wrote: I want to go to the next level and graph this data at each interval. Re: R, see also: http://www-128.ibm.com/developerworks/linux/library/l-r1/ Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward. -- Robert A.

Re: graphing pf stats

2006-01-02 Thread Karl O. Pinc
On 01/01/2006 07:52:55 PM, Peter wrote: I have written an IP accounting system using pf labels. It runs every 5 minutes and extracts stats for data entering and leaving my lan. It works nicely but I want to go to the next level and graph this data at each interval. I have no experience,

Re: blocking out an idiot on the network

2006-01-05 Thread Karl O. Pinc
On 01/05/2006 01:21:06 PM, tim wrote: hullo, I have a very simple problem but sadly I'm too brainless to figure it out. There's an idiot on our network who refuses to switch off his P2P. The outward port blocking solution is not a popular one. Thus, what I want to do is to block out this

Re: viewing pf rules in tcpdump output

2006-01-15 Thread Karl O. Pinc
On 01/15/2006 06:28:21 AM, ed wrote: Another question, how do you associate the rule number to a line in pf.conf, without doing the obvious mental exercise, with many rules it can be a chore. This probably works. I'm not sure about the scrub though. (This is based on the bnf grammar in

Re: viewing pf rules in tcpdump output

2006-01-15 Thread Karl O. Pinc
Sorry, pasted from the wrong window. This is the correct script. On 01/15/2006 06:28:21 AM, ed wrote: Another question, how do you associate the rule number to a line in pf.conf, without doing the obvious mental exercise, with many rules it can be a chore. awk 'BEGIN { c = 1; n = 1 } ;

Re: carp bug?

2006-01-27 Thread Karl O. Pinc
On 01/26/2006 04:49:28 PM, Jon Simola wrote: Try adding carpdev into your hostname files, and in my experience creating the carp and adding the IP address to it in separate commands works better, ala: # cat /etc/hostname.em0 inet 10.0.3.4 255.255.252.0 NONE # cat /etc/hostname.carp8 carpdev

Re: OT: VPN + default route - how?

2006-02-13 Thread Karl O. Pinc
On 02/13/2006 07:29:17 AM, Travis H. wrote: sudo route add Ugh, netstart should read a file in /etc/ for them or something. Am I the only one who fiddles with /etc/netstart? It'd be nice if it sourced netstart.local or something, so I didn't have to hack distro files. Use ! in

Re: PF Feature request: graceful handling of non-lookupable hosts.

2006-02-27 Thread Karl O. Pinc
On 02/26/2006 04:38:12 PM, [EMAIL PROTECTED] wrote: PF squawks if a hostname in any of its files is not currently findable. Is there a reasonable way to have it gracefully skip missing hosts and carry on? No. The best you can do is: 1) Do not use hostnames for hosts outside your DNS

Re: pf blocking certain SYN packets

2006-03-04 Thread Karl O. Pinc
On 03/03/2006 02:44:32 PM, Dmitriy wrote: Hi, I'm having what seems to be an issue with the OpenBSD 3.8 firewall. It seems to be blocking SYN packets, not really randomly, but I can't figure out what's causing its behaviour. You might want to check that the successive print jobs use

Re: NAT firewall ftp

2006-03-18 Thread Karl O. Pinc
On 03/18/2006 05:26:22 PM, Paul Moore wrote: The problem doesn't seem to be that nat is not working, but rather the ftp server is sending out its internal ip in the data stream when the data-port info is sent to the client. This is the point of ftp-proxy, to deal with the network

Re: redirecting to different networks

2006-03-21 Thread Karl O. Pinc
Gustavo A. Baratto wrote: .. FW2 is ready, and the IP for DNS2 is already assigned... So, while DNS2 server is not ready, is it possible to setup FW2, so DNS queries from the external world can be redirected to DNS1? How about a really simple bind config that uses FORWARD to send all

Re: Best way to write FTP rule without ftp-proxy?

2006-03-30 Thread Karl O. Pinc
On 03/30/2006 03:06:42 PM, Daniel T. Staal wrote: FTP is a pain. It *needs* a proxy to go through a firewall. .. because it embeds network information in the application's data stream. The easiest way to get FTP working is to use OpenBSD 3.9 (i.e. the current release) or install the 3.9

Re: Confuse with PF rules..

2006-03-31 Thread Karl O. Pinc
On 03/31/2006 04:49:35 AM, IMS wrote: Do I need to open the rule to enable the packet out from em2? Yes. If yes, do I have to open at least 2 lines (one in, one out) for one task? That is one approach. The more sophisticated way is to use tag to tag the datagram on the in side and use

Re: clarification of NAT behavior

2006-04-07 Thread Karl O. Pinc
On 04/07/2006 11:04:23 AM, Gabriel Wachman wrote: If NAT translation happens BEFORE any filter rules are evaluated (see http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be true that an outbound packet from the internal network will be seen by the filtering engine as a packet with

Re: keep state clarification on OpenBSD 3.9 (snapshot) Dual proc PowerEdge 1850 3 NIC

2006-04-20 Thread Karl O. Pinc
On 04/20/2006 12:57:23 PM, Prabhu Gurumurthy wrote: As I understand the working of the rule set that I have written, again please correct me if I'm wrong, the rule matching/allowing the inbound on DMZ, again should have an outbound rule set allowing on Internet, is this correct, then is

Re: keep state clarification on OpenBSD 3.9 (snapshot) Dual proc PowerEdge 1850 3 NIC

2006-04-24 Thread Karl O. Pinc
On 04/22/2006 10:14:29 PM, jared r r spiegel wrote: is that at odds with: --- set state-policy The state-policy option sets the default behaviour for states: if-bound States are bound to interface. floating States can match packets on any

Re: PF inadequacy: queue download

2006-04-29 Thread Karl O. Pinc
On 04/29/2006 08:05:47 AM, [EMAIL PROTECTED] wrote: Note that queueing is only useful for packets in the outbound direction. But this is wrong. It's not too late to queue it; by queueing it and dropping some packets of inbound traffic the sending host slows down the speed at which it sends.

Re: PF inadequacy: queue download

2006-04-30 Thread Karl O. Pinc
On 04/29/2006 10:58:39 AM, Daniel Hartmeier wrote: What I tried to express in the last paragraph of the referenced mail was that it's not pf that's lacking anything, but altq. While there are now ties between pf and altq (pf classifying packets for altq, and pfctl setting up queues), that

Re: PF inadequacy: queue download

2006-05-02 Thread Karl O. Pinc
On 05/02/2006 02:22:33 AM, Lars Hansson wrote: The majority of users/developers has a separate firewall and then download queueing is just a matter of doing it on the inside interface. To be fair, this only works if you've a single inside interface. Karl [EMAIL PROTECTED] Free Software: You

Re: idea // shaping *download* bandwidth

2006-05-02 Thread Karl O. Pinc
On 05/02/2006 08:04:14 AM, Ed White wrote: On Tuesday 02 May 2006 14:24, Terje Elde wrote: If you drop the ACKs, there'll be a retransmit anyway. So only thing you'd really change is that the TCP packet would arrive a little bit sooner, which could make a minor (probably not noticeable)

Re: pfsync / load balancing

2006-05-08 Thread Karl O. Pinc
On 05/08/2006 11:21:47 AM, Daniel Hartmeier wrote: On Mon, May 08, 2006 at 05:58:08PM +0300, Hisham Mardam Bey wrote: Can this be achieved using pfsync? If so, what do I need to do to get this working? If not, can pfsync be extended to allow for this or should we look into something

Borrow isn't borrowing much

2006-05-29 Thread Karl O. Pinc
Hi, Is this the right place to ask this question? Here's my pfctl -vvs queue output. I'm not doing much but trying to send as much through the 'bulk' queue as possible, but as you can see although it does borrow, it does not borrow much. (I tried turning off red on the 'std' queue and that

Re: Borrow isn't borrowing much

2006-05-29 Thread Karl O. Pinc
On 05/29/2006 04:28:49 AM, Travis H. wrote: Queues are _only_ on outbound traffic. I am queueing on outbound traffic, typing in was a mistake. (Actually, I'm queueing both ways, using an additional box. But that's neither here nor there when it comes to what's happening with borrowing.)

Re: Borrow isn't borrowing much

2006-05-29 Thread Karl O. Pinc
On 05/29/2006 07:02:40 AM, Steven Surdock wrote: I found that cbq didn't borrow as aggressively as I expected. Switching to the hfsc scheduler approached closer to what I wanted. That does seem to be better, but I clearly am not getting how hfsc uses the 'bandwidth' parameter as it seems to

Re: Borrow isn't borrowing much

2006-05-30 Thread Karl O. Pinc
On 05/29/2006 10:06:32 PM, Trevor Talbot wrote: hfsc(linkshare) is what the bandwidth setting controls. If hfsc(linkshare) and bandwidth are the same thing, then what happens if you specify both? Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward. --

Re: seeking advice on spam gateway

2006-05-30 Thread Karl O. Pinc
On 05/29/2006 11:59:51 PM, Peter wrote: I am running 3.8 with postfix and amavisd-new. I have noticed a large number of postfix disconnections in my logs recently and I'm wondering whether this is normal or not. Postfix has a tarpit setting that delays initial SMTP replies because spammers

Re: Active failover with local Squid and ftp-proxy.

2006-06-21 Thread Karl O. Pinc
On Jun 20, 2006, at 5:53 PM, Kevin wrote: A failover will terminate any existing proxied connections, including Squid and ftp-proxy. This is an inherent limitation of a proxy firewall. Too bad that pfsync (or something) can't sync anchors. I imagine there'd be some configuration involved,

Re: PF issues between interfaces

2006-06-22 Thread Karl O. Pinc
On 06/22/2006 06:53:47 PM, Jascha Dub wrote: I am in the process of setting up a firewall for our datacenter. The issue I am having is I can ping internal and externals from the firewall. But cannot get out from my internal servers. I'm sure it is something pretty simple I am over

Re: Open BSD 3.9 Pf issue with email with attachments.

2006-06-26 Thread Karl O. Pinc
On 06/26/2006 09:17:33 AM, Ajith Kumar wrote: Ajith Kumar [EMAIL PROTECTED] writes: I am able to send and receive mails. But if there is any attachment which is bigger than 64 KB, I am not able to send. Peter N. M. Hansteen writes: My first impulse is to look at what happens elsewhere,

Re: ALTQ for a process running on PF box

2006-07-12 Thread Karl O. Pinc
On 07/12/2006 02:33:12 AM, Daniel Hartmeier wrote: We recently had a lengthy thread about the disadvantages (requiring separate hosts) of lacking inbound queues FWIW, I've put a separate OpenBSD host in front of my firewall/router (which has several internal nics) just for inbound queuing in

Re: PF+ALTQ and WFQ

2006-07-14 Thread Karl O. Pinc
On 07/14/2006 03:17:22 AM, N.Kalev wrote: I have a simple question is anyone up to the point of integrating pf support of WFQ or is it planned to be done anytime soon :-) ? I found WFQ in freebsd very helpful for my tasks but I have to use ipfw+dummynet+pf to make config nice working :-)))

Re: controlling ext. inbound traffic on int. interface - few doubts/thoughts

2006-07-17 Thread Karl O. Pinc
On 07/17/2006 04:14:56 PM, Michal Soltys wrote: Back to my point: with limited inbound traffic (by isp) to 1mbit, the incoming traffic is just some traffic. If whatever comes in, assigned to ext_bulk1 saturates a bit ext_bulk2 - total traffic will be still 1mbit, and there won't be any hmmm,

Re: Using BGP to multihome on links of different bandwidth

2006-07-25 Thread Karl O. Pinc
On 07/25/2006 08:46:49 PM, Alex Thurlow wrote: We currently have 2 links that are shared via BGP. One is an OC-12, and the other is 100Mb ethernet. Under just a normal BGP setup, our 100Mb line would be saturated as it attempted to send traffic there based on routing distance. My

Re: Site-to-Site VPN with overlapping RFC1918 addresses

2006-08-18 Thread Karl O. Pinc
On 08/18/2006 10:24:29 AM, Steve Chinatti wrote: Hello PF List, I'm hoping someone can help me out with my configuration issue. The problem is that there is overlap in the private RFC1918 addresses used in both sites. Let's call them SiteA and SiteB. I only need to connect from

Re: Site-to-Site VPN with overlapping RFC1918 addresses

2006-08-21 Thread Karl O. Pinc
On 08/21/2006 02:04:02 PM, Steve Chinatti wrote: Won't that be an issue for the firewall? It would RDR the packet in order to change the destination address to 192.168.x.x (for a packet destined for the tunnel), but the firewall also has routes to the internal network for those addresses. I

Re: Need some help tuning PF

2006-09-12 Thread Karl O. Pinc
On 09/12/2006 02:16:33 PM, [EMAIL PROTECTED] wrote: Am Tue, 12 Sep 2006 13:14:13 -0300 schrieb [EMAIL PROTECTED]: 19 # ALLOW $PC ACCESS HTTP SERVICE 20 pass out on $ext_if from $PC to any port 80 keep state You are doing nat. nat occurs before filter rules so you have to change the

Re: Need some help tuning PF

2006-09-12 Thread Karl O. Pinc
On 09/12/2006 05:13:55 PM, Daniel Staal wrote: Filtering on the other interface will work, but is likely to cause further headaches figuring out your rules in the future. (It doubles the complexity of your rules, basically.) You do not have to nat everything, and you *can* tag on nat,

OT: Re: Newbie routing question

2006-09-20 Thread Karl O. Pinc
(This is really off-topic for the pf list. You want the openBSD misc list.) On 09/20/2006 08:14:56 AM, charles Collin wrote: 1 for my client's private network reachable via a Cisco router linked to a T1. The IP address of the LAN interface on the Cisco router is 172.18.254.1 and I

Re: 'block drop' used, but ICMP unreachables returned anyway...

2006-10-14 Thread Karl O. Pinc
On 10/13/2006 04:26:04 PM, Martin Gignac wrote: The way I understand it now I guess I have two options: either use simple ingress/egress interface + direction policies (like a NetScreen) but learn to live with the fact that I'll get back ICMP errors if something is blocked, or else use filters

Re: ext_if, int_if?

2006-11-30 Thread Karl O. Pinc
On 11/30/2006 04:25:12 AM, Sergey Prisyazhniy wrote: Yes, Luca :). The thing is, that I want, for example, to setup remote machines via siteXYtools (also load to pf.conf). And as you can get, I don't know anything about the remote NIC's, so in this case I want to

Re: PF - Removing Server from Pool when Service is Down

2006-12-13 Thread Karl O. Pinc
OpenBSD has ifstated, which is a pretty simple to configure state engine. Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein

Re: Re[2]: PF - Removing Server from Pool when Service is Down

2006-12-13 Thread Karl O. Pinc
On 12/13/2006 09:40:03 AM, Sylwester S. Biernacki wrote: On Wednesday, December 13, 2006, at 15:59:02, Karl O. Pinc wrote: OpenBSD has ifstated, which is a pretty simple to configure state engine. it's true, but it's unusable here - if the machine gets 100% cpu load it won't put down

Re: Problems with PF Sync (FreeBSD 6.2)

2007-02-07 Thread Karl O. Pinc
On 02/06/2007 03:16:28 PM, Daniel Hartmeier wrote: The state entry doesn't get associated with a corresponding rule on the backup (because the rulesets are not identical), but with the default rule instead. This means that aspects of the state entry might stop working on failover (like

Re: DNS answers blocked?

2007-03-05 Thread Karl O. Pinc
On 03/05/2007 01:05:25 PM, Peter N. M. Hansteen wrote: hard to tell without taking a peek at your actual rule set, but could it be that you forgot keep state with: flags S/SA in the pass rules which let your name service queries through? the omission of which is a common mistake. Karl

Re: PF and forwarding to dmz

2007-07-04 Thread Karl O. Pinc
On 07/04/2007 03:54:57 AM, Norman Maurer wrote: Hi all, we are on the way to migrate some linux firewall to a pf firewall. After I read the pf faq and manual pages I'm still not sure what's the best way to replace iptables FORWARD rules. It seems to me that I need one in and one out rule for

Re: nat on ip range and ftp-proxy

2007-07-05 Thread Karl O. Pinc
On 07/04/2007 03:10:50 PM, Попов Игорь Николаевич wrote: Hi, I have router under OpenBSD, it main purpose is NAT. some rules from /etc/pf.conf #... table nat_addr const { 80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24 } table lan_addr const { 192.168.0.0/25 192.168.10.0/24 } # NAT nat pass on

Re: No route to host

2007-07-06 Thread Karl O. Pinc
My random thoughts... On 07/05/2007 02:09:20 PM, Jeff Santos wrote: This firewall runs route -s because there is a need to publish RIPv1 routes for these networks. (You mean routed.) I'm always suspicious of RIP. It's so easy for a rogue device to mess up the whole network. You might

Re: nat and ftp-proxy on ethernet bridge

2007-07-13 Thread Karl O. Pinc
On 07/09/2007 07:45:58 AM, Igor Popov wrote: Bridge works, NAT works, but problems with ftp - control connection is established, but data connection is dropped. Of course, without ftp-proxy passive ftp works, but some clients need working active ftp too. I don't know FreeBSD but you might

Re: include macros

2007-08-31 Thread Karl O. Pinc
On 08/20/2007 11:43:08 AM, Daniel Hartmeier wrote: On Fri, Aug 17, 2007 at 11:01:20AM -0700, Dylan Martin wrote: Or, is there another way around this problem? A way to make an alias for an interface, say? Interface groups work pretty well for that, see ifconfig(8). In most cases, the

Re: ECN congestion with SSL and SSH

2007-10-02 Thread Karl O. Pinc
On 10/02/2007 08:37:22 AM, Serge Basterot wrote: Hello list, I have a problem with a soekris 4801 machine. Outgoing SSL and SSH connections are impossible with it. ssh -v (or -vv etc) can be helpful in diagnosing this sort of problem. Karl [EMAIL PROTECTED] Free Software: You don't pay

Re: Strange BAD state errors ...

2007-12-16 Thread Karl O. Pinc
On 12/14/2007 02:17:22 AM, Henrik Johansen wrote: Hi list, We are experiencing a steady flow of BAD state error messages that I cannot explain. I continue to have problems with (Microsoft) hosts that violate the 2MSL TCP rule (STD7, RFC793, page 27 Knowing When to Keep Quiet). I strongly

Accommodating 2MSL violators -- Was: Re: Strange BAD state errors ...

2007-12-17 Thread Karl O. Pinc
On 12/17/2007 03:32:39 AM, Henrik Johansen wrote: [Karl O. Pinc] wrote: On 12/14/2007 02:17:22 AM, Henrik Johansen wrote: Hi list, We are experiencing a steady flow of BAD state error messages that I cannot explain. I continue to have problems with (Microsoft) hosts that violate

Re: Accommodating 2MSL violators -- Was: Re: Strange BAD state errors ...

2007-12-18 Thread Karl O. Pinc
On 12/18/2007 02:29:38 AM, Henrik Johansen wrote: [Karl O. Pinc] wrote: I'll need to examine my traffic to see whether I need to mess with tcp.closed, interval, or tcp.finwait. (I know in one case it's RST packets that are the trouble so tcp.closed/interval would do the trick

Re: Network performance tool with little sized packets

2007-12-19 Thread Karl O. Pinc
On 12/19/2007 09:11:48 AM, Jordi Espasa Clofent wrote: So, I need to benchmark the FW with little size packets. The question is: Is there any tool which generates small packets traffic to benchmark the network performance as iperf or netperf does? You can give a payload to ping. And ttcp

Re: Concurrency and table updating

2007-12-20 Thread Karl O. Pinc
On 12/20/2007 12:44:48 AM, Camiel Dobbelaar wrote: Karl O. Pinc wrote: Are there any concurrency issues involved in updating pf tables? In the case of ftp-proxy you mean anchors, right? Oops. Right. So multiple ftp-proxy's will never collide. Awesome. Thanks! Karl [EMAIL

Documenting 'set timeout' values

2007-12-28 Thread Karl O. Pinc
Any hope of documenting the various 'set timeout' default values, maybe in pf.conf(5)? Is there a reason why it's _not_ documented? Would entries like: tcp.first The state after the first packet. Defaults to 120 seconds. have the proper structure? I needed

Re: Slow SSH connection

2008-02-24 Thread Karl O. Pinc
On 02/24/2008 10:27:42 AM, Jordi Espasa Clofent wrote: Stuart Henderson wrote: On 2008/02/24 12:21, Jordi Espasa Clofent wrote: Very happy with performance and capabilities of PF. But when I try ssh connections from outside to my net boxes, they're very very slow. They work, but work so

Re: Allowing active FTP on a PF self-protecting host

2008-03-05 Thread Karl O. Pinc
On 03/05/2008 09:47:10 AM, Saad Kadhi wrote: Do you have any ideas of how to be able to use active FTP on a PF self-protecting FreeBSD 7.0 host (PF running on the host itself and not on a gateway protecting the host) with a default block policy? ftp-proxy is only for proxying to other hosts.

Re: authpf, but with a shell too

2008-04-23 Thread Karl O. Pinc
On 04/23/2008 01:38:22 AM, Adam Richards wrote: So, is there a way to achieve both authentication and interactive access? Am I missing something stupid? :) Authpf is just a shell. Write your own that runs it, and have that be your user's shell. Like: #!/bin/ksh /usr/sbin/authpf /bin/ksh

Re: binat question

2008-05-12 Thread Karl O. Pinc
On 05/12/2008 04:32:05 PM, Christer Solskogen wrote: If I do not use the binat-rule, connecting to games (in CoH) will not work. But CoH also seems to be the only game with that kind of problem. If I am not mistaken, using a binat-rule also makes my machine vulnerable for other stuff. I am

Re: binat question

2008-05-12 Thread Karl O. Pinc
On 05/12/2008 12:07:45 PM, Christer Solskogen wrote: I have been trying to get some of my online games to work. Normally on a NAT-ed network rdr's are needed to get the port forwarding to work. My pf.conf is: funshine = 192.168.0.12 rdr pass log on $ext_if proto { tcp, udp } from any to

Re: binat question

2008-05-13 Thread Karl O. Pinc
On 05/13/2008 12:35:28 AM, Christer Solskogen wrote: This is my full pf.conf: The only thing I notice offhand is that I prefer to put the ftp-proxy anchors above all the other translation rules so that whatever magic ftp-proxy is working does not get inadvertently preempted. (I don't know

Patch for pf.conf.5

2008-05-26 Thread Karl O. Pinc
The wording here has always bugged me. Attached is a patch against .\ $OpenBSD: pf.conf.5,v 1.397 2008/05/19 14:57:31 markus Exp $ (Which should be cvs head.) What prompted me to do this was page 60 of 'The Book of PF', Once a packet has been tagged by a matching rule, it can potentially be

Re: A PF Certification - what do you think?

2008-07-10 Thread Karl O. Pinc
On 07/10/2008 05:10:50 AM, Peter N. M. Hansteen wrote: Would creating a PF certification be worth putting some effort into? No problem, just so long as you grandfather all of us in. Karl [EMAIL PROTECTED] Free Software: You don't pay back, you pay forward. -- Robert A.

Re: pfsync/carp races?

2008-07-13 Thread Karl O. Pinc
On 07/12/2008 04:12:14 PM, Karl O. Pinc wrote: Hi, I've two firewalls configured to synchronize state with pfsync and failover transparently. The other day I was bringing the firewalls up and down and was surprised to find that when I did so some connections were dropped. The one unusual

Re: pfsync/carp races?

2008-07-14 Thread Karl O. Pinc
On 07/13/2008 08:14:30 PM, Ryan McBride wrote: On Sat, Jul 12, 2008 at 04:12:14PM -0500, Karl O. Pinc wrote: Aside from dumping state tables on the master and standby boxes and comparing them, is there a way to ask if the state tables are synchronized? Not really, because Knowing

Re: pfsync/carp races?

2008-07-14 Thread Karl O. Pinc
On 07/14/2008 12:52:16 AM, Ryan McBride wrote: On Sun, Jul 13, 2008 at 02:44:40PM -0500, Karl O. Pinc wrote: On 07/12/2008 04:12:14 PM, Karl O. Pinc wrote: The one unusual thing about my configuration is that I don't bring up pf with rc.conf.local. Pf is started in rc.local so

Why is my carp demotion counter 1?

2008-07-31 Thread Karl O. Pinc
Hi, OpenBSD 4.2 stable patched to Feb 27, 2008 I've two firewalls with carp failover between them. One is configured with the carp interfaces having an advskew of 100, so that machine is normally the backup. Something happened and the backup has become the master, and the master has a demotion

Re: Two external interfaces routing issues?? int_if, ext_if, tun_if

2008-08-29 Thread Karl O. Pinc
On 08/28/2008 08:13:50 AM, [EMAIL PROTECTED] wrote: On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote: #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $ #Map internal addresses to external binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -

Re: Reality check

2008-09-10 Thread Karl O. Pinc
On 09/10/2008 08:54:21 AM, Stuart Henderson wrote: HTTP redirects might be the least-overhead method and are usually pretty simple to setup... add a record www2 A 5.6.7.8, and have the old server just redirect to www2 after the switch-over date to catch any late queries that arrive due to
