Re: pf behaviour with tcp ports 439 and

2009-09-11 Thread Jon Hart
My guess is that you meant 139/TCP instead of 439/TCP, in which case this is pretty much on par for many residential ISPs and their blocking of typical problematic ports. My suggestion? Re-run shields-up (for what it's worth) and run a capture on $ext_if with an appropriate filter and I'd bet you

Re: Still dealing with pf performance issues

2007-10-25 Thread Jon Hart
As you and others have stated, the 4.2 upgrade will probably help. What does 'pfctl -vsi' say? Anything different? If I were in your shoes, I'd do exactly what you are doing -- the 4.2 upgrade and search for NICs with better interrupt handling. In a previous life when I was doing a lot more pf

Re: global timeout setting ignored

2006-11-28 Thread Jon Hart
On Wed, Nov 29, 2006 at 12:05:10AM +0100, Axel Rau wrote: Hi all, in my production pf.conf (113 rules) I have set timeout { tcp.finwait 1} . But pfctl -s timeouts shows tcp.finwait 45s (the default). In a simple pf.conf this works as expected. What

Re: RST packets not being natted or unmapped through rdr

2006-04-02 Thread Jon Hart
On Sat, Apr 01, 2006 at 05:01:11AM -0600, Travis H. wrote: Aside: What combinations of TCP flags does scrub filter out? From my understanding and a re-reading of pf.conf(5), scrub does no filtering of TCP at all unless you use the 'reassemble tcp' option. Even when it is on, the man page does

Re: scrub blocking SF, but not logging

2006-02-27 Thread Jon Hart
On Sat, Feb 25, 2006 at 10:07:42AM +0100, Camiel Dobbelaar wrote: On Fri, 24 Feb 2006, Jon Hart wrote: scrub all no-df random-id fragment reassemble Any ideas why this is not logged, or is this operator error? I don't think it's very well known, but you can set 'log' on the scrub

scrub blocking SF, but not logging

2006-02-24 Thread Jon Hart
I've got a fairly simple test ruleset: WAN_IF=em0 LAN_IF=em1 set block-policy return set state-policy if-bound set require-order yes set debug urgent set loginterface $WAN_IF set skip on lo0 scrub all no-df random-id fragment reassemble

Re: carp

2005-12-08 Thread Jon Hart
On Thu, Dec 08, 2005 at 11:32:39PM +, ed wrote: Hello, Has anyone written scripts to ensure that preempt fail over fails over all the carp interfaces to backup upon one becoming backup, I have found often that a single interface will become backup leaving the remaining interfaces as

pps or other unknown upper bound?

2005-11-17 Thread Jon Hart
Hello, This may be a pf issue, this may be an OpenBSD issue or this may be a client issue, so let me apologize in advance. The setup is fairly simple -- a debian machine hanging off of each of two interfaces on an OpenBSD -current box from 11/8 running pf. Nothing particularly complex about

Re: carp + no ip address on iface (only master can receive acks)

2005-11-17 Thread Jon Hart
On Thu, Nov 17, 2005 at 10:02:46PM +1100, Alex Strawman wrote: Traffic shouldn't even be getting OUT on the backup in this situation. I agree - there is no correct solution without using an ip addr for each real interface. would be nice to for example use an external ntp server to sync

Re: pf and Microsoft Exchange IMAPS

2005-11-17 Thread Jon Hart
On Wed, Nov 16, 2005 at 04:34:24PM +0100, Raphael GRUNDRICH wrote: Hello, I'm trying to redirected outside traffic to internal Exchange Server using IMAPS protocol : rdr on $ext_if proto tcp from any to any port 993 - 192.168.1.1 pass in quick on $ext_if \ proto tcp \

Re: pps or other unknown upper bound?

2005-11-17 Thread Jon Hart
On Thu, Nov 17, 2005 at 04:03:25AM -0600, Kevin wrote: On 11/16/05, Jon Hart [EMAIL PROTECTED] wrote: pass in on $CLIENT_IF inet proto tcp from $CLIENT_NET to $SERVER_NET \ port 12345 flags S/SA modulate state I know it's a stupid question, but have you tried the same ruleset

Re: pps or other unknown upper bound?

2005-11-17 Thread Jon Hart
On Thu, Nov 17, 2005 at 12:34:53PM -0600, Kevin wrote: I think this is a key point -- the client is removing the quad from TIME-WAIT and sees it as eligible for reuse, meanwhile the firewall and/or the server still has this closed session state table entry in a *WAIT state. Yes. The client's

Re: pps or other unknown upper bound?

2005-11-17 Thread Jon Hart
On Thu, Nov 17, 2005 at 09:54:02PM +0100, Daniel Hartmeier wrote: You can check if it's pf blocking them by running pfctl -si, see if the 'state-mismatch' counter (or any other, actually) is increasing with each SYN. Ah, I see. There are quite a few in there. When I said logging initially, I

Re: pps or other unknown upper bound?

2005-11-17 Thread Jon Hart
On Fri, Nov 18, 2005 at 12:49:48AM +0100, Daniel Hartmeier wrote: On Thu, Nov 17, 2005 at 04:52:40PM -0500, Jon Hart wrote: Bingo. There are entries in the logs when this condition happens but it is not entirely clear what the problem aside from the fact that it is a BAD STATE: Nov

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Jon Hart
On Wed, Nov 09, 2005 at 09:57:08AM +0100, Peter N. M. Hansteen wrote: Over in the comp.unix.bsd.freebsd.misc news group, there's a discussion about what happens when PF loads, specifically a perceived 'window of opportunity' for an attacker in the interval between PF getting enabled and the

Re: Problems with stalling sessions

2005-11-08 Thread Jon Hart
On Tue, Nov 08, 2005 at 01:39:21AM +0100, Per-Olov Sjöholm wrote: Hi I have a redundant firewall with CARP. 3.6 STABLE plus all patches from CVS for stable (updated last week). The firewalls have 7 nic ports each. External, internal, pfsync and 4 dmz interfaces. The servers are firewalls,

Re: no scrub reassemble tcp from foo to bar

2005-10-25 Thread Jon Hart
On Thu, Oct 20, 2005 at 08:24:32AM -0400, Jon Hart wrote: On Wed, Oct 19, 2005 at 07:51:13PM -0600, jared r r spiegel wrote: On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote: What I'd like is to disable scrub's tcp reassembly on a per host/port/protocol basis, something along

Re: no scrub reassemble tcp from foo to bar

2005-10-20 Thread Jon Hart
On Wed, Oct 19, 2005 at 07:51:13PM -0600, jared r r spiegel wrote: On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote: What I'd like is to disable scrub's tcp reassembly on a per host/port/protocol basis, something along the lines of: scrub all no-df random-id fragment reassemble

Re: Loading Files...

2005-10-20 Thread Jon Hart
On Thu, Oct 20, 2005 at 09:52:28AM -0500, Travis H. wrote: Does packet filter allow you to load external files? More specifically, could one place macro definitions in a separate file, but hook them up to pf.conf so as you reload the pf.conf file you get your macros? Thank you!

no scrub reassemble tcp from foo to bar

2005-10-18 Thread Jon Hart
I've got a situation here where a particular vendor's IP stack doesn't seem to be totally RFC compliant. The right solution is to get their stack fixed but that takes time. The problem is that when I turn on scrub's reassemble tcp option, i.e.: scrub all no-df random-id fragment reassemble

Re: Loading Files...

2005-10-18 Thread Jon Hart
On Sat, Oct 08, 2005 at 02:22:55PM -0700, ADub wrote: Dear bit.listserv.openbsd-pf, Does packet filter allow you to load external files? More specifically, could one place macro definitions in a separate file, but hook them up to pf.conf so as you reload the pf.conf file you get your

Re: control the number of pps

2005-10-18 Thread Jon Hart
On Wed, Oct 12, 2005 at 04:12:52PM -0200, Lucas wrote: List, i want to control the number of packets per second a client can send thru an interface. For example, i want to limit the IP 10.1.1.1 to send a max of just 10 packets per second. Is it possible to achieve this with pf or maybe

Re: optimizing pf firewall

2005-10-07 Thread Jon Hart
On Thu, Oct 06, 2005 at 03:48:17PM -0400, Dave wrote: pf.conf # pf.conf # for use on gateway box # Required order: options, normalization, queueing, translation, filtering. # Macros and tables may be defined and used anywhere. # Note that translation rules are first match while filter

scrub in and out, IP fragmentation and mismatched MTUs

2005-09-23 Thread Jon Hart
Greetings, This was mostly my fault but I saw some behavior in pf that I could not explain. This is with 2 OpenBSD 3.8 -snapshots from about 8/23 and a number of linux clients hanging off 4 different subnets on the firewalls. The application in question is JBoss. By default, it will wait until

Re: benefits of 'set state-policy if-bound'

2005-09-12 Thread Jon Hart
On Mon, Sep 12, 2005 at 09:24:23AM +0200, Cedric Berger wrote: snip and because pfctl -ss will show the interface, which is very helpful. Indeed. The more information I have to help debug any potential issues, the better. Whether or not these are true or complete is open to debate...

Re: altq priq Anomaly?

2005-06-23 Thread Jon Hart
On Thu, Jun 23, 2005 at 07:39:41AM -0400, Melameth, Daniel D. wrote: The TCP ACKs are not the issue. The issue is I never get more than half of what I set the bandwidth value to. I've never been able to get exactly the bandwidth I specified in my pf.conf altq rules. In trying to figure out

Re: PF State driving me nuts

2005-06-22 Thread Jon Hart
On Tue, Jun 21, 2005 at 09:16:16PM -0400, Jaime Vargas wrote: Hi all, I have a very simple setup. One soekris that is acting as firewall and router between two private networks. The rules are quite simple, and are supposed to only let the traffic for a few ports pass from the DMZ to the

Re: keep state is not keeping state - for one rule

2005-05-04 Thread Jon Hart
On Wed, May 04, 2005 at 04:00:20PM +0200, Henning Brauer wrote: * Jon Hart [EMAIL PROTECTED] [2005-05-04 14:35]: but you should definitely be specifying which combination of TCP flags can create the initial state here. Try flags S/SA as a start. no, this is bad advice and certainly

Re: simple configuration

2005-05-02 Thread Jon Hart
On Sun, May 01, 2005 at 07:32:35PM -0500, Brian John wrote: ext_if=vr0 altq on $ext_if cbq bandwidth 2Mb queue { web , p2p , ssh } queue web bandwidth 40% priority 6 cbq(borrow) queue ssh bandwidth 40% priority 6 cbq(borrow) queue p2p bandwidth 20% cbq(borrow default) #pass in on $ext_if

Re: Pfctl for non-root users

2005-04-11 Thread Jon Hart
On Mon, Apr 11, 2005 at 06:21:30AM -0400, Jason Dixon wrote: # su - hatchet $ pfctl -vsr pfctl: /dev/pf: Permission denied $ whoami hatchet $ groups hatchet wheel I think this is distinctly different than running pfctl via sudo as you had originally mentioned. In the example above, you

rdr on firewall initiated connections

2005-03-15 Thread Jon Hart
Greetings, In trying to diagnose a problem with ftp-proxy, I stumbled upon something with pf's rdr that I cannot explain. Assume a simple firewall ruleset. I had the following rdr line: rdr pass on $ext_if proto tcp from any to any \ port 21 -> 127.0.0.1 port 2121 That line, along with