Re: What am I doing wrong.

2008-12-05 Thread Ted Unangst
On Fri, Dec 5, 2008 at 4:17 PM, Anathae Townsend <[EMAIL PROTECTED]> wrote:
> Checking the owner/group/permissions on my source tree, it's root (as
> expected) wsrc (as expected) and rw-r--r--. Okay... the wsrc group only
> has read permissions, that would explain why my user can't execute the
> config command. Section 2 of man release shows a '$' as the prompt
> character for the config command. Doesn't this mean that a member of
> wsrc should be able to configure a kernel?

Only if they have permission to write to the directory, obviously.
The src tree needs to be writable by wsrc for this to work, as it is
for a default install.



What am I doing wrong.

2008-12-05 Thread Anathae Townsend
Not bothering with the asbestos suit, but still expecting some flamage.

On a fresh install of OpenBSD 4.4 current as of 08-11-14, I created my
own user with group of wheel, and secondary group of wsrc.  Login is
set as "staff".

/etc/sudoers is set to allow members of wheel to execute it after
entering the password or within the standard time after the last sudo.
"$cd /usr; sudo cvs -d/cvs get src" was executed after mounting
a network share of a cvsync copy of the cvs repository.

When I go to /etc/src/sys/arch/i386/conf/ to execute "$config GENERIC"
it errors out saying I don't have permission to create ../compile/GENERIC

Checking the owner/group/permissions on my source tree, it's root (as
expected) wsrc (as expected) and rw-r--r--. Okay... the wsrc group only
has read permissions, that would explain why my user can't execute the
config command. Section 2 of man release shows a '$' as the prompt
character for the config command. Doesn't this mean that a member of
wsrc should be able to configure a kernel?



Re: route-to doesnot work for me - what am i doing wrong

2008-10-15 Thread Siju George
On Tue, Oct 14, 2008 at 3:50 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:

>>> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state
>>>
>>> to route requests from hosts in  through the rl2 internet
>>> connection but it does not seem to work.
>
> you should route the packets in the outgoing direction.
>

Hi Stuart,

I did not get what you said.
Could you please give an example ?

Thanks

Siju



Re: route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Charlie Clark

Hi Siju,

isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state


meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from  to any keep state



Regards,

Charlie

Siju George wrote:

Hi,

I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf


to route requests from hosts in  through the rl2 internet
connection but it does not seem to work.

the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if="sk0"    #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"    #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"


#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table  persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table  persist file "/etc/pf-tables/bypass-squid-sites"
table  persist file "/etc/pf-tables/lanspl"
table  persist file "/etc/pf-tables/adms"
table  persist file "/etc/pf-tables/vtcservers"
table  persist file "/etc/pf-tables/bannedIPs"
table  persist
table  persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from  to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from  to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to 

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state


pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state



#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state


#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor "authpf/*"



# ifconfig -a
lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
 

Re: route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Siju George
Thanks I figured it out.
I missed the nat rule for $ext_if2

--Siju

On Tue, Oct 14, 2008 at 1:03 PM, Siju George <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have firewall
>
> sk0 - LAN Interface
> rl1 - Primary internet connection
> rl2 - secondary Internet connection
>
> I have a line in pf.conf
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state
>
> to route requests from hosts in  through the rl2 internet
> connection but it does not seem to work.
>
> the full pf.conf is below
>
> ===
> ##NETWORK INTERFACES
> #
> int_if="sk0"    #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
> ext_if="rl1"    #Dataone Connection - "rl2" interface Connected to the Dataone Router.
> ext_if2="rl2"
> ext_ifgw="122.166.40.1"
> proxy="122.166.40.36"
>
>
> #Private IP Address Range Specified by RFC 1918.
> #
> priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
>
>
> #Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
> #
> table  persist file "/etc/pf-tables/bypass-squid-users"
>
> #Websites to which bypassing SQUID is allowed.
> #
> table  persist file "/etc/pf-tables/bypass-squid-sites"
> table  persist file "/etc/pf-tables/lanspl"
> table  persist file "/etc/pf-tables/adms"
> table  persist file "/etc/pf-tables/vtcservers"
> table  persist file "/etc/pf-tables/bannedIPs"
> table  persist
> table  persist file "/etc/pf-tables/hifxchn2"
>
> #Traffic Normalization - Required for "pppoe" connection.
> #
> scrub on $ext_if all no-df random-id fragment reassemble
>
> ###"Network Address Translation" and "Port Redirection"
> ###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
> nat-anchor "authpf/*"
> rdr-anchor "authpf/*"
> binat-anchor "authpf/*"
>
> nat pass on $ext_if from  to any -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
>
> # redirect to beergas website
> rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
> rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443
>
> ###
> #
> nat on $ext_if from  to any -> ($ext_if)
>
> #NAT connections to specified websites.
> nat on $ext_if from any to  port { 80, 443 } -> ($ext_if)
> nat on $ext_if from any to  port { 80, 443 } -> ($ext_if2)
>
> #Block NAT for other hosts to port 80 and 443 on the Internet.
> #They should all go via SQUID CACHE PROXY
> #
> no nat on $ext_if from any to any port { 80, 443 }
> no nat on $ext_if2 from any to any port { 80, 443 }
>
> #Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
>
> #The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
> #PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
> #Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
> #
>
> no rdr on $int_if from any to 70.86.222.30
> rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080
>
> ###Filter Rules.
> ###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
> #Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
>
> block all
> pass in quick on $ext_if inet proto tcp from any to any port ssh keep state
>
> #Blocking RFC1918 Traffic.
> block in log quick on $ext_if from $priv_nets to any
> block out log quick on $ext_if from any to $priv_nets
> block out log quick on $ext_if from any to 
>
> #Allow all traffic on the localhost interface.
>
> pass quick on lo0 all
>
> #Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.
>
> pass in quick on $int_if from any to $int_if keep state
> pass out quick on $int_if from $int_if to any keep state
>
>
> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state
>
> pass in quick on $int_if from $int_if:network to any keep state
> pass out quick on $int_if from any to $int_if:network keep state
>
>
>
> #Allow Traffic from Firewall to pass out to the Internet.
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if2 proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> pass out on $ext_if2 proto { udp, icmp } all keep state
>
>
> #ftp-proxy
> anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 21 keep state
>
> #authpf
> a

Re: route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Stuart Henderson
> If you don't use quick option on rules, then it will be last matching rule
> applied, but if you use quick option, the first matching rule will be
> applied, the rest will be ignored. So, if you use quick option the filter
> order would be;

picking just the "in...on $int_if" rules in order;

>> pass in quick on $int_if from any to $int_if keep state
>> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state
>> pass in quick on $int_if from $int_if:network to any keep state

so this is not a problem.


>> pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state
>>
>> to route requests from hosts in  through the rl2 internet
>> connection but it does not seem to work.

you should route the packets in the outgoing direction.



Re: route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Insan Praja SW
On Tue, 14 Oct 2008 14:33:19 +0700, Siju George <[EMAIL PROTECTED]> wrote:

Hi Siju,
I think there are several things you need to understand more about the pf
quick option.
If you don't use quick option on rules, then it will be last matching rule
applied, but if you use quick option, the first matching rule will be
applied, the rest will be ignored. So, if you use quick option the filter
order would be;


rule 1 # very detail
rule 2 # pretty much detail
rule 3 # detail
rule 4 # not detail

something like;
pass in quick on $int_if inet proto tcp from  to 
pass in quick on $int_if inet from  to 
pass in quick on $int_if from  to any
pass in quick on $int_if


if you don't use "quick" then it would be;
rule 1 # not detail
rule 2 # detail
rule 3 # pretty much detail
rule 4 # very detail

something like;
pass in on $int_if
pass in on $int_if from  to any
pass in on $int_if from  to 
pass in on $int_if inet from  to 
pass in on $int_if inet proto tcp from 

HTH,
Insan


Hi,

I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state

to route requests from hosts in  through the rl2 internet
connection but it does not seem to work.

the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if="sk0"    #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"    #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"


#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table  persist file "/etc/pf-tables/bypass-squid-users"


#Websites to which bypassing SQUID is allowed.
#
table  persist file "/etc/pf-tables/bypass-squid-sites"

table  persist file "/etc/pf-tables/lanspl"
table  persist file "/etc/pf-tables/adms"
table  persist file "/etc/pf-tables/vtcservers"
table  persist file "/etc/pf-tables/bannedIPs"
table  persist
table  persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from  to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from  to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if2)


#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state


#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to 

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state


pas
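The rule-ordering point made in Insan's reply and in Stuart's "picking just the in...on $int_if rules" remark, as an added example that is not from the thread: a small Python model of how pf chooses the winning filter rule (the last match wins, unless a matching rule is quick, which ends evaluation), run over the three "in ... on $int_if" rules as posted. The addresses are constructed and the table name is a placeholder, since the table names were lost in the archive.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's macros. The table names were lost
# in the archive, so "<route_via_rl2>" is a placeholder for the table of
# LAN hosts that the route-to rule is meant to send out via rl2.
INT_IF = "sk0"
INT_IF_ADDR = "172.16.0.1"          # the firewall's own LAN address ($int_if)
INT_IF_NET = "172.16.0.0/12"        # $int_if:network
TABLES = {"<route_via_rl2>": ["172.16.4.0/24"]}


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False
    direction: str | None = None    # "in", "out", or None for either
    iface: str | None = None        # interface name, or None for any
    src: str = "any"                # "any", a host/CIDR, or a "<table>" name
    dst: str = "any"
    note: str = ""                  # free text, e.g. the route-to option


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against 'any', a host/CIDR spec, or a table name."""
    if spec == "any":
        return True
    if spec in TABLES:
        return any(addr_matches(entry, addr) for entry in TABLES[spec])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst))


def evaluate(rules: list[Rule], pkt: Packet) -> int | None:
    """Index of the rule pf applies: the last match, unless a match is quick."""
    winner = None
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            winner = i
            if rule.quick:          # quick: later rules are not evaluated
                break
    return winner


def make_rules(quick: bool) -> list[Rule]:
    """The 'in ... on $int_if' rules from the thread, in the order posted."""
    return [
        Rule("block", note="block all"),
        Rule("pass", quick, "in", INT_IF, "any", INT_IF_ADDR, "to the firewall itself"),
        Rule("pass", quick, "in", INT_IF, "<route_via_rl2>", "any", "route-to ( rl2 gw )"),
        Rule("pass", quick, "in", INT_IF, INT_IF_NET, "any", "rest of the LAN"),
    ]


# Constructed sample traffic (TEST-NET addresses stand in for the Internet).
LAN_TO_INTERNET = Packet("in", "sk0", "172.16.4.12", "203.0.113.10")   # host in table
LAN_TO_FIREWALL = Packet("in", "sk0", "172.16.4.12", "172.16.0.1")
OTHER_LAN_HOST = Packet("in", "sk0", "172.16.9.9", "203.0.113.10")     # host not in table
FROM_OUTSIDE = Packet("in", "rl1", "198.51.100.7", "122.166.40.36")

if __name__ == "__main__":
    for label, quick in (("with quick", True), ("without quick", False)):
        rules = make_rules(quick)
        print(f"--- {label} ---")
        for pkt in (LAN_TO_INTERNET, LAN_TO_FIREWALL, OTHER_LAN_HOST, FROM_OUTSIDE):
            i = evaluate(rules, pkt)
            print(f"{pkt.src:>14} -> {pkt.dst:<14} in on {pkt.iface}: "
                  f"rule {i} {rules[i].action} ({rules[i].note})")
```

With quick, the route-to rule wins for a table host talking to the Internet and the "to $int_if" rule only catches traffic to the firewall itself; without quick, the broader "$int_if:network to any" rule posted last shadows the route-to rule for the same host.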

route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Siju George
Hi,

I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state

to route requests from hosts in  through the rl2 internet
connection but it does not seem to work.

the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if="sk0"    #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"    #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"


#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table  persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table  persist file "/etc/pf-tables/bypass-squid-sites"
table  persist file "/etc/pf-tables/lanspl"
table  persist file "/etc/pf-tables/adms"
table  persist file "/etc/pf-tables/vtcservers"
table  persist file "/etc/pf-tables/bannedIPs"
table  persist
table  persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from  to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from  to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to  port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to 

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state


pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from  to any keep state

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state



#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state


#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor "authpf/*"



# ifconfig -a
lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
rl0: flags=8802 mtu 1500
lladdr 00:50:fc:7d:4e:50
media: Ethernet autoselect
  

PF & tcp.established - what am I doing wrong ?

2006-12-15 Thread bards1888
I'm trying to protect my mail server by adding some rudimentary options
to inbound SMTP connections on my 3.9 stable firewall. I have the
following in my pf.conf;
 

SMTP_OPT = "(max 10, source-track rule, max-src-states 1, max-src-nodes 7, tcp.established 60)"


pass in quick on $INTERNET_IF proto tcp from any to any port 25 flags S/FSRPAU synproxy state $SMTP_OPT queue (q_def, q_pri)





This is is what I see from 'pftop' from time to time;

tcp  Out 72.236.237.53:2528  192.168.2.3:25  ESTABLISHED:ESTABLISHED  12:13:41  12:07:30   19 2176


i.e. a connection that has been established for 12h 13min. Why doesn't this
connection get dropped off after 60 seconds?

I noticed that this connection is in the 'OUT' direction which I think
suggests that the connection is from the firewall to the mailserver in
the DMZ, like some sort of proxy. I thought it may have been as a result
of the 'synproxy' option, but 95% of other SMTP connections are gone
from the state table after their 60 seconds are up and they use the same
rule. Incidentally, the 72.x.x.x address is the SMTP sender's address.

Just curious.


Brian.

I've searched the archives and can't seem to locate a similar issue.



Dmesg below;

