On Wed, Jul 31, 2002 at 12:47:04AM +0200, Damian Jurzysta wrote:
I did try to connect from the internet when the rdr was set to the
external interface, that's what refuses to work, and I don't understand
why.
The rules you quoted are not the cause of the problem (assuming you
quoted
On Fri, Aug 09, 2002 at 12:09:07PM -0400, Amir Seyavash Mesry wrote:
Can some one tell me what the proper syntax is for using the user
group parameters in OpenBSD 3.1 PF.
This feature was added after the 3.1 release, so you'll need -current to
use it.
pass out proto tcp from fxp0 port
On Wed, Aug 14, 2002 at 11:17:48PM -0700, Jason Williams wrote:
ext_if = dc0
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
That looks fine and should load. The only explanation I can think of is
that you have some non-printable characters in there, like a trailing
carriage-return
On Sun, Aug 25, 2002 at 06:43:23PM +0200, Anders Jarnberg wrote:
When I try to go to my dyndns address I get a connection refused. But
if I try to go to the same address via www.anonymizer.com it works, so
I'm figuring my own firewall is doing something to stop me.
I assume you mean that
I guess what you want would be a 'route-replies-to' option, similar to
'route-to', but applying to packets that flow in the reverse direction
as the initial packet of the connection that created state.
Then you could just say
rdr on de0 inet proto tcp from any to 195.200.200.201 port http \
On Tue, Aug 13, 2002 at 09:11:38PM +0200, Matijs wrote:
I am told I should use a route-to rule in /etc/pf.conf but I am totally
lost.
Post a minimal rule set that reproduces the problem. Someone might spot
the problem. If you expect someone to write the entire rule set for you,
you better get
First, this only affects you if you applied the refrag.diff to an
OpenBSD 3.1-stable system.
The bridge refragmentation code that was added in OpenBSD 3.1-current
introduced two new bugs which can lead to the following kind of kernel
panics:
panic: m_copym0: m == 0 and not COPYALL
panic:
On Tue, Oct 15, 2002 at 03:37:56PM -0400, William Culler wrote:
Yes, the 'keep state' option in that rules allows replies to your
outgoing UDP packets.
I figured that was the case, but I just wanted to verify. I definitely
want to continue using keep state on outgoing UDP traffic so I
On Wed, Oct 23, 2002 at 11:12:09PM +0300, Nikolay Denev wrote:
If they are not so many probably there will be no significant performance
impact. And they will make the traffic accounting much easier.
The performance impact would be very significant, since you'd have to
evaluate those rules for
On Fri, Oct 18, 2002 at 10:03:16AM -0700, Sacha Ligthert wrote:
PS: Daniel, will you be at BSDconEurope?
Yes, I just registered. Today's the last day of early registration, so
anyone still undecided, make up your minds. And I'm looking forward to
meeting you there :)
On Fri, Oct 18, 2002 at 01:56:30PM +0200, Henning Brauer wrote:
There's a big thing coming I'm currently coding on, though that's an
extension. I think we will add quite a few extensions, but the existing
stuff should be fairly stable - but you never know for sure. perhaps we have
THE idea
On Thu, Oct 24, 2002 at 02:04:39AM -0400, Jason Dixon wrote:
Obviously this is a solution, but not the one I'm looking for. If this
is not possible, I can accept that. I just don't WANT to, given that
other systems (Cisco's loopback, F5, Iptables SNAT/DNAT) seem to have
mastered this
On Fri, Oct 11, 2002 at 09:45:45PM +0100, Stephen Marley wrote:
Will 3.2-stable get the bug fix once 3.2 is officially released? I've
already upgraded my bridge to 3.2 (as tagged in cvs) but I am not following
-current on that box. I guess I should manually apply the -current diffs to
this
On Thu, Oct 17, 2002 at 05:09:27AM -0400, Nathan Ryan Milford wrote:
The gateway is 192.168.0.5 which is a cisco 2610 doing nat (owned by the
ISP) the IPs listed in the pf.conf are the ones that translate to external
IPs. the IP I am trying to ftp to is mothra (external
On Wed, Oct 30, 2002 at 08:41:12PM +, Roy Badami wrote:
It seems to me that whilst it might require a minimal amount of kernel
machinery to permit setup of the outgoing connection from the proxy,
once established it is identical in nature to the incoming
connection...
This could be
On Wed, Oct 30, 2002 at 10:26:24PM +, Roy Badami wrote:
Is that what everyone else does?
Yes. If you can't ensure that the ftp server never has a vulnerable
service listen on a port inside the range used for ftp passive data
connections, you could use ftp-proxy with the reverse proxy diff
On Wed, Oct 30, 2002 at 10:52:28PM +, Roy Badami wrote:
An imperfect kernel FTP proxy (as provided by iptables or ipfilter) is
surely still better than nothing when firewalling an FTP server. If
the userland FTP proxy can't easily be made fully transparent, then a
kernel FTP filter is
On Wed, Oct 30, 2002 at 11:34:16PM +, Roy Badami wrote:
I have to admit that I can't immediately see why ftp-proxy should need
to be patched to allow this. Isn't this just the same as the usual
case?
The usual case is ftp clients behind a NATing firewall, allowing active
data connections
I apologize for the previous spam mail that slipped through. There's no
need to complain to pathlink.com about it, since that is the Usenet
gateway intentionally set up to gate the list with the newsgroup
bit.listserv.openbsd-pf.
The problem was that the (proper) headers added by the gateway
On Fri, Nov 01, 2002 at 02:14:58AM +1000, loki wrote:
rather than having an embryo flag on a rule tho, id make it its own
directive and have it before the normal filter rules, therefore evaluated
before the normal rules. state is checked before rules. since embryo
states are almost states, it
On Thu, Oct 31, 2002 at 01:26:36PM -0500, Jason Dixon wrote:
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if
/etc/nat.conf:22: syntax error
pfctl: syntax error in file: nat rules not loaded
Yes, pf in 3.1 doesn't allow specifying ports in nat rules, that was
added
On Thu, Oct 31, 2002 at 08:01:40PM +0100, Daniel Hartmeier wrote:
dc1 does have 192.168.1.0 netmask 255.255.255.0 assigned, right?
Oh, 192.168.1.0 is not a valid address for a host in that network, it's
the broadcast address (all host bits zero). Try 192.168.1.1 instead...
Daniel
On Fri, Nov 01, 2002 at 01:35:49PM +0100, [EMAIL PROTECTED] wrote:
I guess there are a lot of nat-unfriendly applications out there, but I, for one,
would be willing to contribute to such development.
For ftp, there's ftp-proxy, and the reverse proxy patch adds support for
servers behind the
On Tue, Nov 05, 2002 at 07:19:18PM +0100, Camiel Dobbelaar wrote:
You are not keeping state on int_if. Add 'keep state' to the 'lo0, enc0,
$int_if' rules above.
After the default block on all interfaces, he's passing everything
statelessly on ep0 with quick...
Or remove the very non-obvious
On Wed, Nov 06, 2002 at 08:11:04AM -0500, Jason Dixon wrote:
Ok, I'll refine my question (after reviewing the tarball). Any chance
that the related functionality provided by netfilter (--limit) will be
built into PF in future releases. Obviously, this type of feature still
has its
On Mon, Nov 11, 2002 at 01:34:03PM +0100, Richard Mueller wrote:
Any Ideas? I don't have any :-(
The snort box isn't replying to the packets, is it? If those packets
reach its stack, the stack might try to forward them or reply with RSTs,
thus disturbing the handshake (when such packets get
On Mon, Nov 11, 2002 at 10:49:11AM +0100, Stefan Sonnenberg-Carstens wrote:
in my effort to write a configuration program for pf, I'd like to know if there is an
easy way to figure out what hardware interfaces are present on the system (fxp0 etc.)
In case you mean from within a C program,
On Tue, Nov 12, 2002 at 03:37:01PM -0300, Alejandro G. Belluscio wrote:
I've notice a total lack of OpenBSD solutions.
I'm not sure what 'solutions' you expect. If your peer is sending you
packets with DF set that are too large to pass the intermediate hops but
doesn't get (or ignores) the
On Thu, Nov 14, 2002 at 11:16:42AM +0100, Dries Schellekens wrote:
I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
is still open. So it's still possible to crash a firewall if you don't
have a state limit set. And apparently it's possible to crash it even when
a fragment
On Mon, Nov 25, 2002 at 02:47:54PM +0100, Ed White wrote:
reading http://www.openbsd.org/plus.html I found:
When routing via pf(4), use the outgoing interface as decided by the normal
routing code, not the interface to which the rule applies.
Looking at cvsweb for www/plus.html, this
On Thu, Nov 28, 2002 at 07:13:28PM +0100, Jedi/Sector One wrote:
brutus sudo pfctl -d
synchron gets flooded by brutus, the 100Mb link gets immediately saturated
and the only way to calm the storm is to change the IP address of synchron.
The ssh connection to synchron-brutus isn't by any
On Thu, Nov 28, 2002 at 07:53:57PM +0059, Jedi/Sector One wrote:
The ssh connection to synchron-brutus isn't by any chance filtered
statefully, using modulate state? :)
It is.
Can you try to get a tcpdump -nvvvpSi $INT (-S shows absolute sequence
numbers), ideally a couple of packets
[ wild cross-posting reduced to pf list ]
On Fri, Nov 29, 2002 at 10:21:22AM +0100, Stefan Sonnenberg-Carstens wrote:
@Daniel Hartmeyer : is auto-detection of down hosts implemented in the
load-balancing code
in pf ?
No, that will be done by a userland daemon. As mentioned before, people
Mickey (rather silently ;) committed his pfsync to -current yesterday,
and you might find this useful for a number of things. It's a pseudo
device similar to pflog, but instead of logged packets, state table
changes are sent there. Example:
# ifconfig pfsync0 up
# tcpdump -s1500 -evtni pfsync0
On Sat, Nov 30, 2002 at 05:28:21PM +0100, Sven Böhringer wrote:
My first problem was that I didn't find the switch for pfctl -l, as
described on the pfstat-site:
That's the main problem, all the zeros in your pfstat log indicate that
interface logging is not enabled.
Note that in order to
On Wed, Dec 04, 2002 at 01:14:58PM +0100, Stefan Sonnenberg-Carstens wrote:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m
12000 -M 14000 -t 300
That should work. You did sighup/restart inetd, of course?
When you make a control connection through ftp-proxy and run
On Wed, Dec 04, 2002 at 02:24:10PM -0500, Todd Chandler wrote:
We are experimenting with OpenBSD and have an issue that we haven't been
able to figure out. We would like to force all outbound http and https
traffic to a proxy server for content filtering before it leaves our
network. How
On Fri, Dec 06, 2002 at 12:37:32PM -0800, Stephen Gutknecht (OBSD-PF) wrote:
*** We did notice a few problems where pf rules we wrote using the
firewall's keep state option would incorrectly block packets returned as a
result of an incoming connection ***
That is a pretty good description
On Sun, Dec 08, 2002 at 12:21:36AM +0600, Michael O. Boev wrote:
I have a SQUID proxy inside my network and I want it to make active
FTP-connections to the world (instead of, default, passive). And SQUID
refuses to accept the data connection from the ftp-proxy process, stating
that the
On Mon, Dec 09, 2002 at 06:17:02PM +0100, Dries Schellekens wrote:
pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp
keep state label int_if_in_$srcaddr-$dstaddr_$dstport
pass in on $int_if proto udp from $name_server_ip port domain to $int_if
keep state label
On Mon, Dec 09, 2002 at 05:58:15PM -0500, Michael Lucas wrote:
I need to be able to return specific ICMP responses to particular
connection attempts, instead of just unreachable. (say, prohibited
by filter or some such.
The type is always unreachable (ICMP_UNREACH), but you can choose the
On Thu, Dec 12, 2002 at 05:53:52PM +0200, Can Erkin Acar wrote:
Rule changes do not affect existing states. You have to process each
state and decide if you still want it or not. Look at authpf for one
way to do it. authpf removes states containing the IP address
of the connection it
On Sun, Dec 15, 2002 at 09:50:44PM -0800, Ben Lovett wrote:
Anyone else noticed panics with authpf and -current as of around 16:00
on 12/14? The system in question is a Soekris net4501, which was
previously running -current from around November 26th fine, with the
same configuration.
If
On Mon, Dec 16, 2002 at 09:47:41AM -0700, Duncan Matthew Stirling wrote:
Please show me any example of a passive firewall rule set.
block in on $ext_if all
pass out on $ext_if all keep state
Passive mode ftp means that the ftp data connections are opened from the
clients to the servers (as
On Wed, Dec 18, 2002 at 09:26:47AM -0800, Bryan Irvine wrote:
I have an openbsd (3.1) natted firewall, with 3 nic's
rl0 = 64.1.201.130
sis = 192.168.0.1
ep1 = 192.233.103.186 (it's being used as an internal address don't ask,
long irritating story)
i'm trying to set it up to
A
On Fri, Dec 20, 2002 at 06:12:09PM +0100, Henning Brauer wrote:
I think it's useless. you can simply use N rules for N hosts.
Rule evaluation is O(n), at least for a huge block of rules that are
equal except for their addresses, while lookups in patricia trees are
O(log n)...
Daniel
Heh, I grant you that it's fast :)
+ if (m-addr32[0] == 0xCAFEBABE) {
+ if (pf_x_match_addr)
+ return pf_x_match_addr(a, m, b, af) ? !n : n;
+ return n;
+ }
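Review bot: the sentinel test on the first + line overloads a mask word as a type flag, so any rule whose mask happens to begin with 0xCAFEBABE is diverted to pf_x_match_addr instead of being matched as a plain address/netmask; and when no pf_x_match_addr hook is registered the fallback `return n;` makes the result depend only on the negation flag, not on the packet. Carry an explicit out-of-band address-type flag instead of the magic value, and have the no-hook case fail closed (treat it as no match, or refuse to load such a rule).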
But I think you need some out-of-band flag instead of a magic value.
On Fri, Dec 20, 2002 at 01:46:27PM -0500, Michael Lucas wrote:
I'm questioning whether we still should bring new shit in. The number of bugs we
found recently is scary, and the new shit needs serious testing. And adding
_more_ features is for sure not helpful.
As a user, please: stability
On Fri, Dec 20, 2002 at 08:07:59PM +0100, Cedric Berger wrote:
Now that change could result in a missed skip-step optimization if there
are two identical AF_INET addresses loaded with a different values in
words 1-3. I've added some code in pf_ioctl to always zero words 1-3
when we load the
On Tue, Dec 24, 2002 at 10:02:50AM -0600, Joe Nall wrote:
I took the reply-to out of pf.conf and disabled the cable modem and the
box is fine.
Can you post the significant reply-to to rule here? If it's using
address pools (round-robin), I hope Ryan can take a look...
Daniel
On Sat, Dec 28, 2002 at 07:02:52PM -0500, Marina Brown wrote:
Will binat and altq work with authpf in the coming release ? I am
planning a wireless network that will use authpf to limit users. I would
like VERY much to be able to load altq rules for each user.
As for binat, yes, you can
On Mon, Dec 30, 2002 at 03:04:43AM -0500, jolan wrote:
Please let me know if any other information is needed.
If you still have the same sources that you built that kernel from,
could you produce the objdump output as described on
http://www.benzedrine.cx/crashreport.html
Alternatively, do
If I'm not mistaken, the line is pf.c:2190 's->nat_rule->states++;'.
If you have pf.c prior to 1.278, that would explain the crash, it was
fixed with 1.278 later that day (s->nat_rule could be NULL before).
Daniel
On Mon, Dec 30, 2002 at 07:05:40PM +0100, Wouter Clarie wrote:
That should be more flexible eh? I'll see if i can cook up a diff for
that tonight.
Yes, it's rather simple to add support for either 'inf' or 'unlimited'
to the parser (it just has to translate to UINT_MAX).
But it really makes
On Tue, Dec 31, 2002 at 03:50:54PM -0600, Joe Nall wrote:
Selective tcpdumps show the packets arriving on rl0 and being
redirected to
the webserver on rl1. The response from the webserver comes back in on
rl1 and
then disappears. The reply-to rules set up for tcp/udp services
provided by
On Thu, Jan 02, 2003 at 10:46:08AM -0500, Sabino, Justin wrote:
@12 pass in log quick on rl0 proto tcp from any to any port = 81 flags S/SA
rdr on rl0 proto tcp from any to 67.82.111.216/32 port 81 -> 192.168.1.5
port 80
Sorry to answer your detailed report so briefly, but you just have to
On Mon, Jan 06, 2003 at 03:42:09PM -0800, Bryan Irvine wrote:
Anyone using this yet?
It doesn't catch a very large percentage of spam here, as spammers use
much more relays than are listed in any database I could find. Spews.org
lists about 15000. So you'll still need spamassassin/bmf to detect
On Mon, Jan 06, 2003 at 10:12:13PM +0100, Srebrenko Sehic wrote:
Is scrub logging fully implemented? I have the following rules defined,
The log option was ignored on scrub rules until just a couple of days
ago. With a recent -current, it works.
[ Evaluations: 1920 Packets: 1920
On Sat, Jan 04, 2003 at 12:01:19PM -0600, Joe Nall wrote:
Is there any way to determine the uid, gid or pid of the originating
process
in any of the logs?
Not in pflog yet. I'll have to check whether there's a way to pass that
information through the link layer header, if there's some space
On Mon, Jan 06, 2003 at 11:00:14PM -0600, Joe Nall wrote:
rule 44 is
block log all label default block
packets should be let in with
pass in on $static_if reply-to $route inet proto tcp from any to
$static_if port $tcp_svcs flags S/FSRPAU keep state
pass in on $static_if reply-to
On Thu, Jan 09, 2003 at 09:27:01PM +0100, Srebrenko Sehic wrote:
Didn't know that. So, authpf can insert rules on fly using anchors, but is
this possible with arbitrary applications? Say I want my snort box to insert
filter rules into pf, by sending a messages (something like
'block
On Thu, Jan 09, 2003 at 10:00:55PM +0100, Srebrenko Sehic wrote:
Nic. Btw, what's the main difference between tables and
anchors?
An anchor is a bunch of rules, while a table is a bunch of addresses (or
netmasks).
If you have a block of rules in your main ruleset like
pass out from
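To put numbers on the O(n) versus O(log n) remark earlier in this listing (N address rules versus one table) and on the table-versus-anchor distinction just above, here is an added illustration of my own; it is not pf's radix-tree code (pf's tables use a Patricia tree, which compresses single-child paths, but the lookup bound is the same as for the plain binary trie below). The 1024-entry table, the nested 192.168.0.0/16 and 192.168.1.0/24 pair, the addresses looked up and the helper names are all constructed for the example.

```python
"""Why a table beats N address rules: binary prefix trie versus a linear rule scan.
Added illustration, not pf's own radix-tree implementation."""
import ipaddress
from typing import List, Optional, Tuple


def _bits(addr: ipaddress.IPv4Address) -> str:
    """32-character bit string of an IPv4 address, most significant bit first."""
    return format(int(addr), "032b")


class PrefixTrie:
    """Simplified binary trie keyed on IPv4 prefixes (stand-in for pf's Patricia tree)."""

    def __init__(self) -> None:
        self.root: dict = {}

    def insert(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for b in _bits(net.network_address)[: net.prefixlen]:
            node = node.setdefault(b, {})
        node["prefix"] = str(net)

    def lookup(self, addr: str) -> Tuple[Optional[str], int]:
        """Longest-prefix match. Returns (matching prefix or None, nodes visited).
        The walk never exceeds 33 nodes, however many prefixes the table holds."""
        node, best, visited = self.root, self.root.get("prefix"), 1
        for b in _bits(ipaddress.ip_address(addr)):
            node = node.get(b)
            if node is None:
                break
            visited += 1
            best = node.get("prefix", best)
        return best, visited


def linear_match(addr: str, prefixes: List[str]) -> Tuple[Optional[str], int]:
    """What N separate 'from <prefix>' rules cost: a first-match scan, counting
    how many prefixes had to be compared before the answer was known."""
    ip = ipaddress.ip_address(addr)
    compared = 0
    for p in prefixes:
        compared += 1
        if ip in ipaddress.ip_network(p, strict=False):
            return p, compared
    return None, compared


# Constructed table: 1024 /24 networks plus a nested pair to show longest-prefix match.
PREFIXES = ["10.%d.%d.0/24" % (x, y) for x in range(4) for y in range(256)]
PREFIXES += ["192.168.0.0/16", "192.168.1.0/24"]
TABLE = PrefixTrie()
for p in PREFIXES:
    TABLE.insert(p)

if __name__ == "__main__":
    for a in ("10.3.231.17", "192.168.1.5", "192.168.7.7", "8.8.8.8"):
        print(a, "trie:", TABLE.lookup(a), "linear:", linear_match(a, PREFIXES))
```

For 10.3.231.17 the linear scan compares 1000 prefixes before it finds the rule; the trie visits 25 nodes, and would visit no more with a million entries. That is the whole argument for putting address sets in a table and keeping the rule count small.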
On Thu, Jan 09, 2003 at 08:21:29PM -0500, Marina Brown wrote:
I run an ISP that is almost totally OpenBSD. While i understand the
need for pfctl to be lightweight, it would be VERY nice to have a
utility to add or delete a temporary rule when an attack is on.
Check out the 'anchor' feature in
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote:
In order to use these for NAT I obviously need to bind the addresses to our
firewall's external interface...
They do however need a different gateway address, where do I specify this?
Is it something in my hostname.rl1 file?
On Mon, Jan 13, 2003 at 06:40:39PM -0500, Michael Shalayeff wrote:
the main problem is that all of the MX hosts for the
domain(s) covered by the mail server running spamd
have to filter the same list of ip addresses.
otherwise they just remail it to the lower priority
MX when it fails w/ the
On Wed, Jan 15, 2003 at 04:03:31PM -0700, Ken Gunderson wrote:
Anyhow, I patched ftp-proxy for reverse and have it up and running.
Question is, how robust is this? (am wondering why it was not merged
into 3.2). Can anyone comment on security/performance comparison
between ftp-proxy
On Tue, Jan 14, 2003 at 10:33:32AM -0700, Ken Gunderson wrote:
configuration is 3 legged routing firewall. ext_if is aliased to a /29
subnet. one of the aliases, ext_ftp_ip resolves to ftp.example.com.
leg 2 is a 192.168.2.0/24 dmz subnet and leg 3 is a 192.168.1.0/24
private network.
On Thu, Jan 16, 2003 at 02:54:29PM +, Steve Schmitz wrote:
Any ideas?
Could be fragments. Can you try with
scrub in on $ext_if all no-df
scrub out on $ext_if all no-df
If you run pfctl -si, do you see any of the 'Counters' at the bottom
increase when you get a stalled connection?
On Fri, Jan 17, 2003 at 07:51:29AM +, Steve Schmitz wrote:
The firewall is running not quite the newest version of OpenBSD/PF (a 3.2
beta). Is it advisable to upgrade, given the interruption in service?
I doubt it will make a difference, as that part of the code (the
sequence number
On Fri, Jan 17, 2003 at 02:01:39PM +, Steve Schmitz wrote:
Any idea why they do this?
The TCP header has only space to hold a 16-bit unsigned number to hold
the window value, so windows are traditionally limited to 65535 bytes,
which can limit performance on fast networks.
RFC 1323
On Sat, Jan 18, 2003 at 08:42:04AM +, Steve Schmitz wrote:
Does the Linux NAT code already do this?
Possibly, but I'll have to check the source code to verify. It could
either strip the option or set any scale factors inside the option to
zero. But doing that is not much simpler than
On Sat, Jan 18, 2003 at 01:57:17PM +, Steve Schmitz wrote:
If you consider gigabit/copper a fast network and can suggest
experiments/measurements, I'll be happy to conduct them.
TCP window scaling support has been committed to -current (pf.c 1.306).
If you have a spare box to install
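The thread above explains the problem: the 16-bit window field is only the true window if the filter also knows the shift count both ends announced in the wscale option, and a NAT that cannot track it may instead neutralise the option. As an added example (my own code, not from this thread and not pf's implementation), the block below parses the option list of a SYN, reports the announced shift and the effective window, and shows the neutralising alternative: rewrite the shift to 0 in place (the option keeps its length, so the data offset and checksum-relevant layout stay put) and recompute the TCP checksum. The SYN is constructed, modelled on the addresses, ports and option layout of the trace posted later in this listing but announcing wscale 7 instead of 0; all function names are my own.

```python
"""Inspect and neutralise the TCP window-scale option in a SYN.
Constructed example; not code from the mailing list or from pf."""
import ipaddress
import struct
from typing import List, Optional, Tuple

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8


def ones_complement(data: bytes) -> int:
    """RFC 1071 checksum over data; a segment with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, 0, proto, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement(pseudo + segment)


def parse_options(opts: bytes) -> List[Tuple[int, bytes, int]]:
    """Walk the option list, returning (kind, payload, offset). Malformed lists raise,
    which is what a filter should treat as 'drop' rather than guess."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length], i))
        i += length
    return out


def wscale_shift(segment: bytes) -> Optional[int]:
    """Shift count announced in this SYN's wscale option, or None if absent.
    Only meaningful if the peer also sent wscale in its SYN-ACK; a filter that
    never saw the handshake cannot know the factor, which is the thread's problem."""
    data_off = (segment[12] >> 4) * 4
    for kind, payload, _ in parse_options(segment[20:data_off]):
        if kind == OPT_WSCALE and len(payload) == 1:
            return min(payload[0], 14)  # RFC 1323 caps the shift at 14
    return None


def effective_window(segment: bytes, shift: int) -> int:
    """The window a scaling-aware peer would actually use: 16-bit field << shift."""
    return struct.unpack("!H", segment[14:16])[0] << shift


def zero_wscale(src: bytes, dst: bytes, segment: bytes) -> bytes:
    """Neutralising alternative: set the shift to 0 (same option length, so no
    offset changes) and recompute the checksum, so neither side scales."""
    seg = bytearray(segment)
    data_off = (seg[12] >> 4) * 4
    for kind, payload, off in parse_options(bytes(seg[20:data_off])):
        if kind == OPT_WSCALE and len(payload) == 1:
            seg[20 + off + 2] = 0
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


def build_syn(src, dst, sport, dport, seq, window, options) -> bytes:
    """Build a minimal SYN carrying the given options, padded to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_off = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_off << 4, 0x02,
                      window, 0, 0)
    seg = bytearray(hdr + options)
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


# Constructed SYN: addresses, ports, mss/sackOK/timestamp layout and window taken
# from the trace in this listing, but announcing wscale 7 so there is something to do.
SRC = ipaddress.IPv4Address("192.168.0.3").packed
DST = ipaddress.IPv4Address("195.130.132.40").packed
OPTS = (b"\x02\x04\x05\xb4"      # mss 1460
        b"\x01\x01\x04\x02"      # nop, nop, sackOK
        b"\x01\x03\x03\x07"      # nop, wscale 7
        b"\x01\x01\x08\x0a" + struct.pack("!II", 1954566973, 0))  # nop, nop, timestamp
SAMPLE_SYN = build_syn(SRC, DST, 1293, 25, 879782618, 16384, OPTS)

if __name__ == "__main__":
    shift = wscale_shift(SAMPLE_SYN)
    print("announced shift:", shift, "effective window:", effective_window(SAMPLE_SYN, shift))
    fixed = zero_wscale(SRC, DST, SAMPLE_SYN)
    print("after rewrite: shift", wscale_shift(fixed),
          "checksum valid:", tcp_checksum(SRC, DST, fixed) == 0)
```

With the shift tracked, a 16384-byte window field means 2 MB of in-flight data and a sequence-number check that ignores the factor will stall exactly the kind of transfer described above; with the option zeroed, both ends fall back to an unscaled 65535-byte maximum, which is safe but caps throughput on a fast link.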
Actually, the redirection itself will only work if the internal
interface has an IP address.
A 'stealth' (IP-less) bridge functionally isolates its own userland from
any networks. No userland process can establish connections, as there is
no routing table. That's basically the point of such a
On Fri, Jan 24, 2003 at 10:37:57PM +1100, Benjamin M.A. Robson wrote:
(Internet Cloud)---
|
|
[ fxp0 - No IP ]
(Bridging Firewall)[ fxp2 - 10.0.0.1/24 ]---(Internal LAN)
[ fxp1 - 2.2.2.2/24 ]
|
On Fri, Jan 24, 2003 at 11:11:27AM -0500, Aaron Wade wrote:
I am trying to set up authpf users to use Public Key authentication in ssh.
I am trying it on a windows client at the present time, using ssh.com's
windows client. I create the key's and try to upload the pub key to the bsd
On Fri, Jan 31, 2003 at 12:43:50PM -0800, Cameron Lerch wrote:
nat on ne0 proto udp from 10.0.0.3/32 port 6000 to any -> ne0 port 6000
nat on ne0 proto udp from 10.0.0.3/32 port 6001 to any -> ne0 port 6001
nat on ne0 proto udp from 10.0.0.3/32 port 6999 to any -> ne0 port 6999
Is this
On Sun, Feb 02, 2003 at 12:07:11AM +1000, Marco Grigull wrote:
What have I missed here?
Is it a bridge? With no addresses assigned to the interfaces (or only
some of them)? Because neither return-rst/icmp nor route/reply/dup-to
work on a fully transparent bridge...
Daniel
On Sat, Feb 01, 2003 at 04:14:32PM +0100, Cedric Berger wrote:
Marco Grigull wrote:
pass in log on $ext_if dup-to $dmz_if all
How's dmz_if defined? did you put the IP of your
loghost/IDS in there? If not, I think you should.
Yes, try this:
pass in log on $ext_if dup-to ($dmz_if
On Sat, Feb 01, 2003 at 10:54:44PM -0500, Jason Dixon wrote:
I just noticed an odd entry into one of my firewall's logs earlier this
evening. It looks like this:
Feb 1 21:10:02 cortez pf: cookie:
d581cae75f749704- msgid: len: 680
This is printed by tcpdump's
On Sun, Feb 02, 2003 at 11:16:31AM +0100, Cedric Berger wrote:
this rule loads, though I cannot see all (or any) of the traffic that
would be viewable on ext_if with tcpdump. pflog reveals nothing either
Is this rule the LAST one that matches your input packets?
Are you sure there is no
Can't reproduce it with -current anymore, I assume you were using an
older version. Can you retry with -current?
Daniel
On Tue, Feb 04, 2003 at 11:35:29PM -0600, Mike McClure wrote:
So, one would expect a workstation on network A to be able to connect to port
on a given address and get the SSH daemon on the OBSD system, correct?
Not on a bridge, if the destination mac address of the incoming frame is
On Thu, Feb 06, 2003 at 11:15:22AM +0100, Dries Schellekens wrote:
benzedrine.cx was temporarily unreachable. The problem seems to be solved
now (because this mailing list seems to work again).
Wednesday 6:15pm, uplink dies. Router says PPP authentication fails. Of
course, all staff of the 'ISP'
On Thu, Feb 06, 2003 at 01:12:37PM +0100, [EMAIL PROTECTED] wrote:
Any info/URL about that ?
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.10
On Thu, Feb 06, 2003 at 01:42:45PM +0100, Emmanuel Fleury wrote:
But, I wonder why they are faster than pf !
Because, there is no obvious relation between the fact that pf is more
secure and the fact that it is slow (I might be wrong!!!).
You can't really use the pf paper and come to this
On Thu, Feb 06, 2003 at 07:05:26PM +0100, Dries Schellekens wrote:
Does PF protect against the Crikey CRC Flood (described in
http://www.kb.cert.org/vuls/id/539363)? I know that protection against
p60-0x0c.txt was added; does this protect against this C2 Flood as well?
A C2 flood is nothing
On Thu, Feb 06, 2003 at 09:23:06PM +0100, Maik Kuendig wrote:
Can I change IP-Header Options, or filter based on them? I have not
found any point about that in the current man page, so I believe it's not
possible.
By default, pf blocks all packets with IP options. You can pass them per
rule,
On Thu, Feb 13, 2003 at 09:59:04AM -0600, pf-list wrote:
No, that rule was written intentionally so that the packets would no longer
be blocked. However, I still should have been able to see the packets via
tcpdumping /var/log/pflog and I never could. The only reason I discovered
my logs were
On Fri, Feb 14, 2003 at 08:15:35PM +0100, Nick Nauwelaerts wrote:
non ecn:
18:41:25.069229 192.168.0.3.1293 > 195.130.132.40.25: S [tcp sum ok]
879782618:879782618(0) win 16384 mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 1954566973 0 (DF) [tos 0x10] (ttl 64, id 43699)
On Fri, Feb 14, 2003 at 11:54:25PM +0100, Nick Nauwelaerts wrote:
For some reason the second reset packet has an ack of 1.
It's not really 1 in the packet, tcpdump without -S just displays it
like that.
After some testing, it looks like the bug is in the TCP stack, not pf.
Try with pf disabled
On Fri, Feb 21, 2003 at 08:59:58PM +0100, Srebrenko Sehic wrote:
AFAIK, this issue is fixed -current and will be in 3.3.
Yes, the no-df option has been modified in -current so it applies
earlier and also covers fragments with DF (clearing the DF flag), so you
can make these NFS connections work
On Thu, Feb 27, 2003 at 11:07:10AM +1100, Kremlyn Vostok wrote:
I have done exactly as you suggested, and it does not work. pf.conf
indicates that rdr rules imply keeping state through drop rules.. which
is why I did not have an allow outbound keep state rule. I've also
tried with such a
On Wed, Feb 26, 2003 at 06:13:38PM -0600, Shawn Mitchell wrote:
Just a little pre-filtering to stop the ignorant people, and the wanna-be
hackers.
For MAC level filtering, you'll need a bridge. See brconfig(8) about how
to filter on MAC addresses. pf will still work on a bridge, and you can
do
On Thu, Feb 27, 2003 at 10:13:55PM -0800, Ben Lovett wrote:
All in all, I'm seeing a great improvement. My connection is ADSL
1.5M/384, and the sweet spot for my connection appears to be 330Kbit/s.
I'll do some more playing around with it tomorrow to see if I can get
better speeds, but
Try with just the altq, queue and pass rules from the example. Reload
the ruleset and flush all existing state entries (pfctl -Fs), as only
newly established connections will be queued according to the new
ruleset. Then try a single download and upload over TCP (ftp, http,
etc.) concurrently.
If
On Fri, Mar 07, 2003 at 11:45:16AM -0500, Pete Toscano wrote:
Anybody have any ideas? Am I using scrub incorrectly? Should I be
using scrub? Is there something else I'm doing wrong? Is there any
other potentially useful information I forgot to give?
Your ruleset looks fine, that's exactly
On Fri, Mar 07, 2003 at 03:27:06PM -0500, Pete Toscano wrote:
That's good to know. Would scrub in all work just as well as scrub
in on {$ExtIf, $IntIf} all fragment reassemble?
Yes, 'fragment reassemble' is the default, so both do the same thing
(unless you have additional interfaces that you
On Fri, Mar 07, 2003 at 05:22:23PM -0500, Peter Gorsuch wrote:
Connections to port 12002 occur between net2 and net3,
which should only allow port 42.
Show us the state entry (from pfctl -vvss output) that passes the
connection, then the corresponding rule (pfctl -vvsr, for the rule
number
On Fri, Mar 14, 2003 at 01:28:02PM -0500, ben fleis wrote:
udp 127.0.0.1:30551 -> 127.0.0.1:53 MULTIPLE:SINGLE
udp 127.0.0.1:53 -> 127.0.0.1:30551 SINGLE:NO TRAFFIC
since udp itself is stateless, each half of the connection ought to simply
be held on a timer, nothing else. and
On Sat, Mar 15, 2003 at 10:43:07AM -0500, Michael Anuzis wrote:
Any advice on how to get syslogd working with spamd? Do I have it set up
correctly and I'm just not catching anything or ..?
I'm running spamd with the small patch below and have in /etc/syslog.conf
!spamd
*.warn