On Tue, Dec 31, 2002 at 10:55:14AM -0600, Joe Nall wrote:
How do you determine which rule matched in -current?
pfctl -vvs rules
On Mon, Jan 27, 2003 at 09:30:03PM -0500, Scircuit wrote:
Any idea why this would cause a syntax error?
FtpPort={ , 7778 }
rdr on $ExtIF proto tcp from any to any port $FtpPort -> $FtpServer port $FtpPort
You cannot use lists of ports for either the destination port or the
redirection
On Wed, Feb 05, 2003 at 04:35:57PM +0100, Stefan Sonnenberg-Carstens wrote:
I noticed the table definition to pf rules, but the manpage and the
section BNF rules state no possibility for using table inside
nat/rdr rules. I thought this might be fine for some load balancing,
because you could
On Thu, Jul 31, 2003 at 12:42:10AM +0200, Mark Bojara wrote:
fxp0 is the uplink interface and xl0 is the interface that the vlan is
connected to. If I tcpdump xl0 I can see traffic from all the vlans on
it.
pf and BPF aren't in the same place in packet flow. tcpdump gets packets
much earlier
On Thu, Jul 31, 2003 at 12:26:21AM +0200, Daniel Hartmeier wrote:
I'm not entirely sure, but the assumption that the same packet will be
filtered both on the real and the vlan interface (in both directions)
might just be wrong.
My experience is that the packet will appear on one interface or
On Thu, Nov 06, 2003 at 06:01:23PM +0100, [EMAIL PROTECTED] wrote:
pass in log quick on $INT proto ipv6-icmp all ipv6-icmp-type{135, 136} from
$INTNET to $INTIP
pass in on $INT inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
I have copied those rules from the book, but when I compile the first
I just committed code which adds support to track stateful connections
by source IP address. This allows a user to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number
On Fri, Jan 09, 2004 at 09:41:45AM -, Peter Galbavy wrote:
Alexey E. Suslikov wrote:
b) discomfort for people who want to have a bunch
of rules stated differently from their state policy
default, instead of just constructing a more hacking-proof
ruleset.
If I understand
On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
I've been having some problems with a vpn client I use for work
(Nortel Contivity). The problem is: I keep getting the connection
dropped due to invalid cookie. I can sometimes connect (after about
5 tries), but I get booted out
On Thu, Jan 29, 2004 at 10:04:22AM +0100, Jean-Francois Dive wrote:
Well, this is not a bug but an initial requirement of the IKE RFCs. We
can discuss its validity, but I doubt this can be considered a
problem with the Contivity.
All the rfc says is that at minimum, an
On Thu, Jan 29, 2004 at 06:04:10PM -0200, Rodrigo Borghette Schmidt wrote:
pass in on $int_if route-to {($ext_if1 $gw1),($ext_if2 $gw2)} round-robin
proto tcp from $mynet to any flags S/SA modulate state
pass in on $int_if route-to {($ext_if1 $gw1),($ext_if2 $gw2)} round-robin
proto
On Tue, Feb 17, 2004 at 10:39:27AM -0500, A. Wright wrote:
Is there a way with pf to wash these ambiguities (window size, syn packet
size, etc) away so that all outgoing TCP packets look the same? Maybe even
set them to user-defined variables, as we already can with 'max-mss' and
The most
On Fri, Feb 20, 2004 at 01:51:46PM +1300, Russell Fulton wrote:
While looking for possible things to tweak that might affect connections
I found the 'set limit src-nodes' in the pf.conf man pages.
Am I right in assuming that since I don't use any tag rules that I can
safely ignore this
On Mon, Mar 01, 2004 at 11:21:55PM +0100, Julien Bordet wrote:
As I said, there may a user land solution. Some kind of global user
space advisor daemon, helping packet filter to make complicated
decisions, for example.
Having a userland program doing blocking operations on kernel packet
flow
On Tue, Mar 02, 2004 at 09:27:48AM -0800, Getchell, Adam wrote:
I'm under the impression pf keeps the state table across reboots, but
It does not.
On Sun, Apr 11, 2004 at 07:48:40AM -0600, Role Account for SysAdmin wrote:
In my network I have 4 NICs
1) $ext /30
inet xxx.xxx.xxx.xxx 255.255.255.252 NONE
2) $dmz (part of a routable /26)
inet xxx.xxx.xxx.xxx 255.255.255.192 NONE
On Wed, Apr 14, 2004 at 09:34:06AM +0200, Tobias Wigand wrote:
I am thinking of replacing my single firewall setup with a failover
pair using carp/pfsync. Right now it's one box with 3 NICs
(internal/external/dmz). I am NATting the dmz hosts on the external
interface 1:1, thus have a lot
On Wed, May 05, 2004 at 02:42:42PM -0400, Amir S Mesry wrote:
Well now I know the answer to my ifstated question I sent earlier as
well I think, I just wonder if I grabbed a bad .tgz because in CVS it
shows ifstated, yet I can't find it in my installs for some reason,
could that be because
On Fri, May 28, 2004 at 06:33:07PM -0700, SHAH,MEHUL wrote:
I am looking for pf (specifically, scrub) source code. I downloaded the
openBSD src but I am not a software guy and unfamiliar with the BSD src
tree.
You're looking for src/sys/net/pf_norm.c, but you might also be
interested in the
On Mon, May 31, 2004 at 02:39:50AM +0200, Ed White wrote:
Playing with custom pf.conf I've understood that source-track rule and
source-track global permit to manage in a different way all the src IP
states, however I'd like to receive some confirms.
1) pass in quick inet proto tcp to port
On Thu, Jun 10, 2004 at 11:46:28AM +0200, Xavier Beaudouin wrote:
BTW, is it necessary to assign an ip to pfsync interface (this is a
good question for pf gurus ?)
Yes. pfsync is an IP protocol, and needs a source IP address.
On Thu, Jun 10, 2004 at 04:08:55PM +, Ryan McBride wrote:
On Thu, Jun 10, 2004 at 11:46:28AM +0200, Xavier Beaudouin wrote:
BTW, is it necessary to assign an ip to pfsync interface (this is a
good question for pf gurus ?)
Yes. pfsync is an IP protocol, and needs a source IP address
On Mon, Jun 14, 2004 at 10:13:42AM -0700, Chris Golubski wrote:
boxes insist on keeping a status of MASTER on CARP0. My hostname.carp0
looks like this on both machines (with differing vhids):
The vhid has to be the same on all machines taking part in the same
virtual host.
On Thu, Aug 26, 2004 at 04:29:04PM +0100, Oliver Humpage wrote:
Has anyone got *any* ideas why internally there's only one master, yet
externally there are two? This is driving me nuts :)
They're not seeing or accepting each other's messages for some reason.
Check to make sure that the carp
On Wed, Sep 01, 2004 at 05:15:14PM +0200, Henning Brauer wrote:
* Alain [EMAIL PROTECTED] [2004-09-01 16:04]:
Can you give me your opinion about the choice between amd64 and i386 for
an openbsd/pf firewall ?
buy an amd64. you can still run that in i386 mode should something go
wrong in
On Wed, Sep 01, 2004 at 03:09:49PM +0200, Henning Brauer wrote:
You are speculating, and you don't really know what you are talking
about here... sorry, no GigE chipset interrupts per packet.
I believe re(4) does, at least with the OpenBSD driver.
But if you are using this cheap, low-end
On Thu, Sep 02, 2004 at 04:16:40PM +0200, Wolfgang Pichler wrote:
An hour ago I was hit by a sort of DoS attack (someone sent nearly
20 mails to our mail addresses in the form of [EMAIL PROTECTED]).
I've now googled around to see if it's possible to limit the number of
connections from one
On Mon, Sep 06, 2004 at 06:23:28PM +0200, Per G?tterup wrote:
Now the problem is that states never seem to live more than a few minutes
at the most (a few seconds tends to be the rule) even for active
connections. I see web-connections and ssh-connections being terminated
more or less
On Tue, Sep 07, 2004 at 04:08:48PM -0700, Bryan Irvine wrote:
I copied my ruleset verbatim from an existing firewall where
everything was working perfectly, and now everything works perfectly
except redirections to other hosts.
the rdr for spamd, squid, and the ftp-proxy all work, but the
On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
all use TCP Port 5190. all three connections appear to stay open once
connected. the simple solution appears to be to set a NAT rule that
only uses 1 translation IP for connections on TCP Port 5190.
Or use the 'sticky-address'
On Wed, Nov 10, 2004 at 04:14:59PM +0100, Per-Olov Sj?holm wrote:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=109351242125764&w=2
This has been fixed in -current, you might want to try that.
Is this fixed in 3.6 release ?
Yes.
Wonder as I have random disconnects when the two firewalls
On Thu, Dec 16, 2004 at 08:54:54PM -0500, Jason Dixon wrote:
There is probably a good reason for this, but might be hard to
determine a) for an experienced user without access to your network, or
b) for an inexperienced user *with* access to your network. ;-)
I suggest monitoring your
On Mon, Feb 14, 2005 at 10:20:44AM +0100, Andrea Mistrali wrote:
Those lines are always relative to broadcast addresses.
What can it be?
If a packet reaches both firewalls, they will both create state; when
they each receive the state creation message from the other, the state
already exists
On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
Could someone please tell me the advantages of PF against firewalls
using ASIC technology in terms of security and performance?
If there is a bug in pf, we'll tell you, and you can apply a patch.
If there is a bug in your ASIC,
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
ok, now this makes sense, how is the next hop meant to send packets
back? it sends them to the mac address the carp0 is broadcasting,
which the master happily accepts, only to see it's not in its state
table, and drops it.
the
On Mon, May 08, 2006 at 06:21:47PM +0200, Daniel Hartmeier wrote:
Can this be achieved using pfsync? If so, what do I need to do to get
this working? If not, can pfsync be extended to allow for this or
should we look into something different altogether?
This currently won't work. pfsync
On Fri, May 19, 2006 at 12:42:57AM +0200, Daniel Hartmeier wrote:
Does this mean 'antispoof for carp0' is generally (always?) a mistake?
Yes.
If you've got the same subnet on your physical interface, you can safely
do antispoof there however.
As Chad showed, packets are seen by tcpdump on
On Sat, Jul 15, 2006 at 09:26:02AM -0500, Travis H. wrote:
On the FreeBSD pf list someone mentioned that they wanted the ability
to have a default deny policy with pf, like the old ipf kernel
option.
FreeBSD is free to add this option, if they'd like.
That reminded me that I thought the same
On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
I'm posting my intention to port pf(4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4)
to an NKE for use as a replacement or
complement to the current ipfw2 that is available in current Mac OS X.
FreeBSD version will be
On Mon, Nov 06, 2006 at 02:21:58PM -0800, Michael K. Smith - Adhost wrote:
We are looking at pulling in a listing of about 70,000 IP entries (most
of them are hosts, not subnets) into a PF Table.
There is essentially no difference between a host and a subnet as far as
tables are concerned in
On Wed, Nov 15, 2006 at 01:22:33AM -0500, Joseph Gorse wrote:
This may seem like a silly question, but where exactly is the code
that sets up the /dev/pf device? I am probably overlooking something
extremely simple and it's probably because I am currently overwhelmed
with a foreign OS
On Wed, Nov 15, 2006 at 08:44:15AM -0500, Joseph Gorse wrote:
As for downloading the system source tree, it doesn't immediately
have a /dev/MAKEDEV. Does MAKEDEV support devfs or is it strictly the
legacy style of devices?
# THIS FILE AUTOMATICALLY GENERATED. DO NOT EDIT.
# generated
On Fri, Feb 08, 2008 at 03:37:33PM +0700, Dmitry Medvedev wrote:
Is it correct behaviour that we need to specify keep state, which
should be the default? Or am I missing something?
Yes, this is the correct behaviour when you're trying to set state
tracking options. In the pf.conf(5) manpage:
On Wed, Apr 02, 2008 at 04:27:17PM -0700, Adam Richards wrote:
Is there a no state directive for nat rules, similar to the
no-state directive for filter rules? Or another clever way to
use nat/rdr/filter statements? Even though I wasn't able to find
any affirmative evidence in pf.conf(5)
On Tue, Apr 08, 2008 at 11:59:11PM -0700, Adam Richards wrote:
Maybe a pf.conf knob that allows me to turn off stateful tracking
for a particular nat on iface ... rule?
Ah, you keep mentioning 'nat' and 'rdr', which confused me before, but I
guess what you're actually talking about is called
On Wed, Apr 09, 2008 at 05:36:57PM +0900, Ryan McBride wrote:
You're right, it should be relatively easy to give binat a 'no state'
option...
Try the attached diff, eg:
binat on egress from 192.168.100.1 to any -> 10.99.99.99 no state
Index: sys/net/pf.c
On Mon, Apr 14, 2008 at 06:50:24PM -0700, Adam Richards wrote:
And there's another nuance as well: on ingress I need dest
re-mapped while preserving src,
Yes, that's how binat works.
and on egress I need src re-mapped while passing on the [preserved]
src as the egress dest.
I'm not sure I
Trevor:
I mostly agree with your analysis, and without more information about
the actual problem Adam is trying to solve I'm chalking it all up to
horrendous network design.
That being said, part of PF's usefulness is its ability to make some
horrendous network situations manageable. So I don't
On Sat, Jul 12, 2008 at 04:12:14PM -0500, Karl O. Pinc wrote:
I'm assuming that the pfsync mechanism (with syncdev) does
more than expose changes, that it actually merges the
existing state tables of the two machines.
When a pfsync'd firewall boots, pfsync requests a bulk update of all
states
On Wed, Oct 08, 2008 at 04:03:14PM -0700, Mike Sweetser - Adhost wrote:
rdr on ! $vlanX_if proto { udp tcp } from any to $web_183_ext port { 80
443 } -> web_183_roundrobin round-robin sticky-address
It's working - too well. We're noticing that it's round-robining not
only based on the IP
On Tue, Nov 18, 2008 at 10:36:48AM -0800, [EMAIL PROTECTED] wrote:
Today I was shocked when I found, what PF doesn't support filtering by
packets size and can't answer by admin-generated icmp code (for
example, by icmp code 1 admin. prohibited). And don't tell me that
it is useless.
Packets
On Wed, Nov 19, 2008 at 01:13:32AM +, Stuart Henderson wrote:
On 2008/11/19 13:48, Russell Fulton wrote:
Does anyone have any suggestions as to how we can get data in pf log
files into pcap files that can be read (and filtered) on other
systems.
the packets have a struct pfloghdr
On Fri, Mar 13, 2009 at 10:15:06AM +, Stuart Henderson wrote:
On 2009/03/13 10:25, Jeremie Le Hen wrote:
It doesn't seem to be possible to disable sequence number/window
tracking. Does it?
It's possible if you port the sloppy state handling code from OpenBSD..
Using 'sloppy' is a
Looking at these stats, I would guess that you are running with the
default limit of states, 10,000. You have nearly 10,000 in your state
table now, and every time you get to the limit, new connections fail
(the 'memory' counter: 13.7/s).
You can check with pfctl -sm, and change the limit with
On Sat, Oct 23, 2010 at 02:51:11AM +0300, Nerius Landys wrote:
Thanks for the reply. But I don't _completely_ understand. I don't
know too much about operating system calls, but let's say that I
have a program that is bound to TCP port 8080 on my local machine
(same machine that is running
On Sat, Nov 13, 2010 at 11:54:28AM +0100, Christopher Zimmermann wrote:
It seems that there is no 'all' interface group as documented in
ifconfig(8) or at least pf.conf cannot use it.
Hmmm. I'll have to look at this more closely. However, I think what you
want in this case is actually (self),
On Tue, Feb 22, 2011 at 02:18:10PM +0100, Mikkel C. Simonsen wrote:
Stuart Henderson wrote:
Basically don't use queues named foo_in and
foo_out, just use a single name foo, defined with
queue foo on $tdcif and queue foo on $sirif. See
the list archives for more; this has come up several
I really think this violates your intended KISS principle, and you
would be a lot better off by simply making a file that contains
/somefile and /someotherfile, and load all that into one a 3rd table to
be used when you want both, eg.
table listab persist file /someotherotherfile
block in
There is documentation and a quick-and-dirty example in the PF
User's Guide:
http://openbsd.org/faq/pf/pools.html#outgoing
On Tue, Aug 23, 2011 at 03:00:51AM -0700, elerdin wrote:
Hallo, I have two internet connections and I want to use both with a
round-robin load balancing, only for outgoing