for allowing
increased usage of dynamic IP addresses. Rather like pfauth but we will
write a custom daemon to run on the firewall.
Has anyone else done anything like this?
Cheers and thanks, Russell.
--
Russell Fulton/~\ The ASCII
Network Security Officer
).
Any other suggestions of things that I could/should check?
Thanks, Russell.
that proxies break the bridge model.
Cheers and thanks, Russell.
filenames so google references to
them often point to the wrong archive file -- very confusing until you
realise what is happening. As far as I can see the current archive is
mail1 the previous is mail2 etc. so all the file names change whenever a
new file is created.
lists all addresses on campus
that have inbound access on port 21.
Will this do what I want?
+--+
|+-+ FW 1 +---+ |
-+ hub| | hub +
|+-+ FW 2 +---+ |
++bge0 bge1+--+
sink in! I guess you must be using
low power cpus designed for laptops.
and yes, I have a copy of Jacek's book on order. :)
flags=0
and backed out.
Dan suggested that I watch the state transitions on the secondary bridge
with brconfig and this morning it performed exactly as expected so we
are now happily running on the backup.
Thanks very much to Dan!
Hi,
is there any docs that describe which numbers are which in the output
from pfstat -q ?
I observe that most are zero and when I try and plot the byte counts
etc. they come out as zeros.
What do I have to do to get these stats?
missed the obvious again ;)
I really need that book! (yes it is on order and amazon say they have
shipped it).
sends SYN = tcp.first
dst sends SYN+ACK = tcp.opening
src sends ACK+data = tcp.established
which seems logical to me.
If so then it is not clear from the manpage.
I.e which timeout should I tweak to protect against synfloods?
An hour seems way too long to keep state for a SYN.
of, say, 5 minutes? That might allow the machine to cope
gracefully with generating the table.
choice, not mine.
There are several thousand other systems that have no access at all
through the firewall.
Cheers, Russell
!
ftp-proxy on a bridge, you must
have IP addresses on all interfaces. The proxy breaks the bridge's
transparency.
I am using ftpsesame on my bridge and it works just fine. I don't have
the url to hand but there are references to it in the archive.
system and we use ssh to download
pf.conf to the firewalls. This is a reasonable compromise.
the
firewall to remember when sessions are established and allow packets
associated with those sessions to pass out.
but I need a short
term solution.
where I am very happy to be proved wrong!
Cheers, Russell
to my firewall running OBSD 3.6
On Fri, 2005-01-21 at 12:48 -0800, Dylan Martin wrote:
My redundant bridging firewall don't work no more with 3.6!
As background, the bridge interfaces have 'learn' disabled. That means,
they never cache information about which interface a packet came from.
(The inactive bridge would think
On Fri, 2005-01-28 at 12:15 -0600, Lyle Worthington wrote:
Where xx.xx.xx.xx/24 is our class C at our office. Now the problem we
see is that all of a sudden ssh is no longer allowed through. There
are no entries in the log about connections actually being blocked,
but nothing gets
Hmmm... what is the 'pf' response to this problem? I seem to remember
that 3.6 has per IP limits that can be set that perhaps could mitigate
this sort of problem.
Keep the pf specific stuff on this list I'll forward a summary to
unisog.
Russell.
Forwarded Message
From:
Hi,
I want to monitor the output from pflog in more or less real time. It
isn't clear to me what is the best (read simplest ;) way to do this.
What I really want is a version of tcpdump that will effectively do a
tail -f on /var/log/pf. Ideally it would cope with logfile rollovers
too.
be discarded anyway? I.e. the filtering takes place at the interface.
If I don't want to see this stuff in the log then I guess I should put
another rule before my generic 'block log' to 'block quick' (with no
log) for the addresses concerned.
Russell
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know if
there is something wrong with our set up or if this is expected
behaviour.
I am seeing packets being dropped by pf that should not traverse the
bridge
Thanks Sean!
On Wed, 2005-04-06 at 19:36 -0700, Sean Kamath wrote:
[In a message on Thu, 07 Apr 2005 12:58:22 +1200,
Russell Fulton wrote:]
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know
On Thu, 2005-04-07 at 12:58 +1200, Russell Fulton wrote:
I am seeing packets being dropped by pf that should not traverse the
bridge at all (i.e. packets between hosts that are on the same side of
the bridge). After a little thought I came to the conclusion that this
is quite plausible since
it simple and have everything in
tables. Since the firewall box idles at about 2% cpu the extra overhead
is not an issue.
Russell
www.qosient.com on the inside
interface of the firewall.
Russell
Thanks to all who responded. I had already figured out that the pf nat
logs were included in the general pflogs -- I should have made that
clear but thanks to those who pointed it out anyway!
On Thu, 2005-04-28 at 09:10 -0500, Chris Green wrote:
One of the things that I am considering is to
On Fri, 2005-06-10 at 08:44 +0200, Manon Goo wrote:
Hello,
I am redirecting all kinds of unwanted traffic to localhost:7 and loading
the offending hosts into a table.
pass in log quick inet proto tcp from ! protected_nets to 127.0.0.1 port
= echo flags S/SA keep state (no-sync,
Hi Folks,
We have been running these particular pf firewalls since Xmas 2004 without problem except for the last month. During the last month we have been experiencing repeated failures where the running firewall would freeze with a kernel panic and need to be rebooted.
I am now using symon
Hi Folks,
We have recently installed syweb to monitor our firewalls (we have two bridges in parallel between two core switches and an external switch). At the moment one is unplugged from its internal switch but is still connected to the second and both are running pfsync.
Both machines are
Hi, I am writing a program to analyze the drop logs from our pf
firewall. I read the logs from pflog0 with tcpdump.
Currently I am only interested in outbound packets that are being
dropped so I filter on src net local network. But I get a steady
trickle of packets that are not from our
Daniel Hartmeier wrote:
I'm not sure. It looks like the only part of tcpdump that can
potentially print the at-# part is print-atalk.c, pretty-printing
AppleTalk packets.
Ah! it is possible that there are apple-talk packets out on the DMZ --
there should not be but I've just spoken to the
Vas Péter wrote:
Hello, everyone!
I have a question about authpf. At my workplace we want to provide a
time limited WiFi-access to our customers for money. Authpf might be a
good solution, but I didn't find any information in authpf man page,
pf.conf and google, how to set up a time
quoting http://www.openbsd.org/faq/pf/filter.html
quote
IP Options
By default, PF blocks packets with IP options set. This can make the job
more difficult for OS fingerprinting utilities like nmap. If you have
an application that requires the passing of these packets, such as
Hi Folks
We have a requirement where we want to limit each IP address to a set
bandwidth. To be explicit we have a wireless network which is connected
to our main network and the Internet through a firewall. We have things
set up so that each user on the wireless network can send no more than
want the throttling to be on a per user basis not on an
aggregate basis.
ipfw does this by having a (src|dst)mask parameter which essentially
creates a new queue for each unique value of the address mask.
Cheers, Russell
Paul Matlock wrote:
On Fri, 2007-31-08 at 13:17 +1200, Russell Fulton wrote
I take it from the silence that the answer is that pf lacks this
functionality at the moment. Bother :)
What would the overhead be of setting up a queue for every source
address (1024 of them) ? Will this impact performance?
R
Russell Fulton wrote:
Thanks for your response Paul (and Andrew
Thanks Henning and everyone else who responded (privately or to the list).
Henning Brauer wrote:
* Russell Fulton [EMAIL PROTECTED] [2007-10-16 10:03]:
* Is there any tuning that we can do to improve performance of pf
yes. install 4.2. seriously, it more than doubles pf
Hi Folks
I would really like to monitor the pf congestion counter using symon.
I've had a look at the code and it looks fairly straightforward to add
but I am currently stuck on trying to figure out where the packet buffer
is actually defined so I can check to make sure I don't overflow it. I
Dear Moderator,
I've spent some more time on this and found the stuff I was after in the
lib dir. So if you get to this message before the original please drop
the original in the bit bucket.
Thanks, Russell
Hi Folks
First off I *am* planning to install 4.2 on this box as soon as we can
-- The CD are in the mail somewhere between North America and NZ ;)
Over the last few days I have been closely monitoring the vital signs
via pfctl -si, here is a typical view:
State Table
Henning Brauer wrote:
so get a little transfer net and make your upstream adjust his routes
otherwise you need a bridge indeed, but you really want to avoid that
if you have a chance to go for regular routed with carp etc.
we also run redundant bridges -- we have two physical paths to
Henning, as always, thanks very much for your responses -- invariably to
the point and informative.
Thanks also to the others who have responded.
I feel a little guilty dumping all this stuff to the list -- I have
done some research on my own but not as much as I should have but
circumstances
Hi Folks
I am making what I thought would be a straightforward change to a
rule set but one that turns out to be non trivial after all.
existing rules:
block out on $ext_if any
(there are a few block quicks etc here
pass out quick on $ext_if from external to any keep state
on that page for lists of addresses :-)
nor does proto ! {list} as I have found out (I'm not surprised given
the way pf works).
- Original Message
From: Russell Fulton [EMAIL PROTECTED]
To: pf@benzedrine.cx
Sent: Monday, January 14, 2008 5:24:59 AM
Subject: protocol in rules
pass out
Hi Folks
We have been using pf on our campus firewall for many years now and
are now looking at adding some queueing.
I know that one can only queue on the outbound interface. We want to
queue traffic in both directions so we have to have two queues one on
the external interface to
This afternoon pfctl started spitting out this message every time we
reload the rule set. So far as I can tell nothing substantial changed
at this point. Perhaps a new table was created or an IP added to an
existing table. (the ruleset is built from a database and there have
been quite
Thanks Stuart! I thought there would be a straightforward way of
doing it. With this set up I'm guessing that I can leave state policy
as floating?
Russell
On 29/01/2008, at 9:45 PM, Stuart Henderson wrote:
On 2008/01/29 15:54, Russell Fulton wrote:
I know that one can only queue
will try rebooting the box but I'd
rather not:
$ uptime
4:51PM up 215 days, 4:27, 1 user, load averages: 0.10, 0.08, 0.08
R
On 30/01/2008, at 5:28 PM, Russell Fulton wrote:
This afternoon pfctl started spitting out this message every time we
reload the rule set. So far as I can tell
Hi Folks
We have a pf bridge which manages traffic into and out of our
residence network. The external interface of this box is on our DMZ
which is separated from our main network by another pf bridge.
Default route from the resnet firewall is out to the DMZ. This box
also has a
to record the traffic from
from the incoming interface rather than extracting it from the pf logs.
Thanks Ryan!
On 19/11/2008, at 7:00 PM, Ryan McBride wrote:
On Wed, Nov 19, 2008 at 01:13:32AM +, Stuart Henderson wrote:
On 2008/11/19 13:48, Russell Fulton wrote:
Does anyone have any suggestions as to how we can get data in pf log
files into pcap files that can be read (and filtered