Re: pf default deny compile-time option?

2006-07-18 Thread Damien Miller
On Tue, 18 Jul 2006, Can Erkin Acar wrote: On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote: On 7/15/06, Ryan McBride [EMAIL PROTECTED] wrote: Root can do stupid things which compromise security. Obfuscation or needless complexity in an attempt to protect yourself from the root

Re: PF Feature request: graceful handling of non-lookupable hosts.

2006-02-27 Thread Damien Miller
On Mon, 26 Feb 2006, [EMAIL PROTECTED] wrote: PF squawks if a hostname in any of its files is not currently findable. Is there a reasonable way to have it gracefully skip missing hosts and carry on? So your firewall rules can be silently skipped during times of DNS outage or DoS? That

Re: DSCP and TOS values

2006-01-16 Thread Damien Miller
Adam Clark wrote: Hi, I am using IPSEC tunnels to connect my home office to our work site. I am using a cisco voip phone which uses the vpn to talk to the call manager. I have worked for a bit to try to give the voip traffic highest priority with ALTQ. I have gotten some headway to what

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Damien Miller
On Mon, 14 Nov 2005, mike scott wrote: I accept that this may not be an issue for some; for my own part, although I would /very/ much like to use the extra flexibility pf offers compared with the alternatives, nevertheless, I view this startup issue as a fundamental and fatal flaw. I shall

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Damien Miller
On Wed, 9 Nov 2005, Peter N. M. Hansteen wrote: Jon Hart [EMAIL PROTECTED] writes: Unless I'm being completely misled, this feature is already in place with OpenBSD. See /etc/rc. Now that you mention it, it does look like the good people who ported PF over to FreeBSD did not bring with

Re: Per Packet Loadbalancing

2005-05-19 Thread Damien Miller
Jason Dixon wrote: Ah, ok. Thanks for clarifying. No, I think you're stuck with the per-session pool behavior you're currently seeing. To be quite honest though, given a long enough curve, won't it all theoretically balance out? If you are balancing across divergent paths (different ISPs or

Re: session timeout

2005-02-07 Thread Damien Miller
Tucker Bradford wrote: I'm experiencing a very annoying session timeout issue. It's most often noticed when sshing to a host behind the firewall from off site. It doesn't seem to happen when the connection is initiated from another internal network, but that could be due to some bi-directional

Re: many to many dup-to option?

2004-12-02 Thread Damien Miller
Matt Van Mater wrote: I haven't been able to find a switch that allows multiple destinations for a single SPAN session. A hub? You might also be able to use a switch if you can disable MAC address learning to force it to flood frames to all its ports.

Re: PF tables states

2004-09-04 Thread Damien Miller
Ed White wrote: This is a message from an interesting thread on [EMAIL PROTECTED] http://marc.theaimsgroup.com/?l=openbsd-miscm=109422765506037w=2 In short the question is: why doesn't PF kill all the states associated with the table entries when you flush a table? For the same

Re: pf idea

2004-08-30 Thread Damien Miller
Christopher Keeley wrote: Dear All, I have an idea which I would like to run by developers and users alike. Does anyone think 'pattern matching' on packet values would be a useful addition to pf's current capabilities? The idea would be to allow users to write simple numeric sequences

Re: Diverting packets like IPFW DIVERT

2004-07-01 Thread Damien Miller
Marcelo de Souza wrote: Hello all, I'm planning to implement some kind of network IPS (a preemptive network IDS) and, after some days of research, I've discovered that there are already good solutions for this. The biggest example is using snort-inline in Linux (using iptables QUEUE) or

Re: Possible Setup

2004-06-29 Thread Damien Miller
cloper wrote: list, I have been watching posts go back and forth regarding Layer7 filtering with PF. What are the plans for this (if any)? I was thinking about it, how difficult would it be to add in a setup similar to the OSPF that currently exists. It would be really easy, about as

Re: how can cheap routers do it?

2004-06-14 Thread Damien Miller
cell-X wrote: Good day, I haven't seen this question thrown in here or the OpenBSD list, but how can you make an OpenBSD PF firebox allow PPTP passthrough and IPSEC passthrough like Linksys and SMC routers? I know that you can do PPTP one-to-one map but the connections are going to be going

Re: a trick

2004-03-10 Thread Damien Miller
On Tue, 9 Mar 2004, Claudio Jeker wrote: The best solution is to have a full view (with no default route) via bgp and use no-route. So you get an auto-updating bogon filter. It is more accurate than those lists because it is live and knows about the not announced but IANA allocated blocks. How

Re: a trick

2004-03-09 Thread Damien Miller
On Tue, 9 Mar 2004, Greg Hennessy wrote: On 9 Mar 2004 07:22:39 -0800, [EMAIL PROTECTED] (Todd T. Fries) wrote: Not when you're working on a system that is being attacked with packets with source IPs in the list. I find that highly unlikely. I think you are highly presumptive, I'm

Re: Bridge, Traffic Shaping and FTP

2004-03-01 Thread Damien Miller
On Mon, 1 Mar 2004, Julien Bordet wrote: In fact, even if it does not really matter to you, I'm not talking about a kernel proxy here. I'm talking about something smart enough to tag related packets and so to pass them. If we go on with FTP, a piece of code that attaches data

Re: portknocking with pf?

2004-03-01 Thread Damien Miller
On Tue, 2 Mar 2004, Kory T wrote: I'm sure portknocking has been discussed in this list before but has anyone actually tried it with pf? At first I didn't think it was a good idea since the patterns can be sniffed until I viewed the whole concept of it on portknocking.org and the example

Re: deep packet inspection

2003-10-03 Thread Damien Miller
Max Laier wrote: What are possible ways of implementing payload inspection in kernel? ... And what's the point of writing that e-mail if you don't describe your atypical way? What's the point in writing follow-ups to this really OT thread at all? And my piece for the atypical way: Take a look

Re: syn-proxy application-level-proxy

2003-09-11 Thread Damien Miller
On Thu, 2003-09-11 at 23:00, Daniel Hartmeier wrote: This can be done easily within the logic of the http proxy, just write one that doesn't open the real server connection immediately, but parses the request first. This works for TCP protocols where the client must first send a complete

Re: Speed issues with bridge firewall

2003-09-02 Thread Damien Miller
Dom De Vitto wrote: Damn straight. That's 94% of wire speed! But largely irrelevant, as it is packets per second and not bytes per second that matter. As it is probably interrupts that are loading the box and not packet processing, you could pester tedu@ for his devpoll patch, but to quote

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Damien Miller
Ed White wrote: BTW filtering on TOS value introduces a good way to filter some ports even if you get a dynamic IP. Example: You want to filter port tcp:22 to avoid the whole internet getting the OpenSSH prompt. Adding a rule like this would make it possible... pass in quick inet

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Damien Miller
Ed White wrote: pass in quick inet proto tcp from $My_ISP_class_B to $eth_ext port 22 tos $key keep state This is the worst kind of security through obscurity. That's not security at all. My point exactly. That's custom setup, like using sshd on port 31337. And equally stupid.

Re: Accounting per host status.

2003-08-14 Thread Damien Miller
Gustavo Chamone wrote: Folks, since I couldn't find anything related to this on the archive, I'm hoping that you guys can help me out. Last may, Hartmeier sent an e-mail with the Hackathon Summary[1]. He mentioned that there was some work in progress on accounting per host, being made by

Re: Payload inspection

2003-08-05 Thread Damien Miller
Adam Coyne wrote: Alexey E. Suslikov wrote: I'd like to pass or block certain packets based on an inspection of the payload after scrubbing. snort is your friend. check out http://www.snort.org/ As far as I have seen, snort's native blocking ability is limited to adding firewall rules, and

announce: pfflowd

2003-06-21 Thread Damien Miller
Hi, Using the just-committed bidirectional byte and packet counters, I wrote a small daemon to convert these to Cisco Netflow datagrams. This may be useful for people who have NetFlow capable monitoring or accounting tools. I should hasten to add that this is beta code which depends on OpenBSD

Re: bidirectional counters for pf

2003-06-19 Thread Damien Miller
Damien Miller wrote: Daniel Hartmeier wrote: On Wed, Jun 18, 2003 at 07:49:52PM +1000, Damien Miller wrote: Comments? I guess the additional two numbers don't bloat the state entry too much. I'm not doing any accounting, so I'm not sure if this is a problem, but the numbers a:b

Re: bidirectional counters for pf

2003-06-18 Thread Damien Miller
Daniel Hartmeier wrote: On Wed, Jun 18, 2003 at 07:49:52PM +1000, Damien Miller wrote: Comments? I guess the additional two numbers don't bloat the state entry too much. I'm not doing any accounting, so I'm not sure if this is a problem, but the numbers a:b will be relative

reply-to and synproxy

2003-06-16 Thread Damien Miller
Hi, I have just noticed an interaction between reply-to and synproxy. It seems that the packets generated by the firewall as it performs synproxying are not subject to the reply-to directive - i.e. they are routed normally. I am not sure whether this is a bug (though I suspect so) or easily

pfctl: DIOCADDALTQ: Device busy

2003-03-10 Thread Damien Miller
After updating -current about a week ago I started getting the following error upon trying to load my ruleset: # pfctl -vf /etc/pf.conf [...] altq on tun0 cbq bandwidth 50Kb tbrsize 1500 queue { root std dns http mail ssh} queue root cbq( red ecn default ) { std dns http mail ssh } pfctl:

Re: pfctl: DIOCADDALTQ: Device busy

2003-03-10 Thread Damien Miller
Philipp Buehler - sysfive.com GmbH wrote: On 10/03/2003, Damien Miller [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]: After updating -current about a week ago I started getting the following error upon trying to load my ruleset: # pfctl -vf /etc/pf.conf [...] altq on tun0 cbq bandwidth 50Kb

Re: pfctl: DIOCADDALTQ: Device busy

2003-03-10 Thread Damien Miller
Henning Brauer wrote: On Mon, Mar 10, 2003 at 08:24:33PM +1100, Damien Miller wrote: Philipp Buehler - sysfive.com GmbH wrote: On 10/03/2003, Damien Miller [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]: After updating -current about a week ago I started getting the following error upon trying

Re: pfctl: DIOCADDALTQ: Device busy

2003-03-10 Thread Damien Miller
Henning Brauer wrote: On Mon, Mar 10, 2003 at 09:43:16PM +1100, Damien Miller wrote: Henning Brauer wrote: either you have more queuedefs you are hiding from us yes, you have. look, the error is obvious. Ah, ok. Has the checking been tightened? This worked for ages... the really right thing

pf vs Linux NFS

2003-02-10 Thread Damien Miller
Quite possibly the final word on the matter: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084

Re: ALTQ: resizing buffer sizes of queues?

2003-02-09 Thread Damien Miller
Henning Brauer wrote: well 6k is just a little _too_ low for a 100Mb interface (I presume it is one). the resolution isn't that high I think. tho, 10k worked somewhat well for me on a 100Mb card - don't expect a too close match on such absurdly low values, as said, the time resolution is limited.

Re: PF extension for address/network tables

2003-01-01 Thread Damien Miller
Miles Sabin wrote: Daniel Hartmeier wrote, On Fri, Dec 20, 2002 at 12:25:57PM -0500, Michael Shalayeff wrote: if i'm not mistaken n is the address length there... so, regardless of the number of addresses in the set it's still a constant for each address family... Oh, my bad, so it's O(1)

Re: dDoS attacks

2002-11-07 Thread Damien Miller
Han Boetes wrote: Not so much as a direct reply but more as to share what happened when I was ddossed a few months ago. The thing that brought my pc to its knees was pflog trying to log it all. Once I found that out I disabled logging and then I hardly had a connection because my upload

Re: fully transparent ftp-proxy?

2002-10-30 Thread Damien Miller
Daniel Hartmeier wrote: On Wed, Oct 30, 2002 at 11:10:18PM +0100, Henning Brauer wrote: Uh well, this sounds like a massive performance penalty... I don't think I like that. A lookup in an empty list/tree would of course equal a single pointer comparison, so if someone is not using the