Re: Question that has dogged me for a while.

2017-05-05 Thread Julian Elischer
On 6/5/17 8:14 am, Karl Denninger wrote: On 5/5/2017 19:08, Dr. Rolf Jansen wrote: On 05.05.2017 at 20:53, Karl Denninger wrote: On 5/5/2017 14:33, Julian Elischer wrote: On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: Resolving this with ipfw/NAT may easily become quite

Re: Question that has dogged me for a while.

2017-05-05 Thread Julian Elischer
On 6/5/17 7:53 am, Karl Denninger wrote: On 5/5/2017 14:33, Julian Elischer wrote: On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: Resolving this with ipfw/NAT may easily become quite complicated, if not impossible if you want to run a stateful nat'ting firewall, which is usually the better choice.

Re: Question that has dogged me for a while.

2017-05-05 Thread Karl Denninger
On 5/5/2017 21:56, Dr. Rolf Jansen wrote: > On 05.05.2017 at 21:14, Karl Denninger wrote: >> On 5/5/2017 19:08, Dr. Rolf Jansen wrote: >>> On 05.05.2017 at 20:53, Karl Denninger wrote: On 5/5/2017 14:33, Julian Elischer wrote: > On 5/5/17 1:48

Re: Question that has dogged me for a while.

2017-05-05 Thread Dr. Rolf Jansen
On 05.05.2017 at 21:14, Karl Denninger wrote: > On 5/5/2017 19:08, Dr. Rolf Jansen wrote: >> On 05.05.2017 at 20:53, Karl Denninger wrote: >>> On 5/5/2017 14:33, Julian Elischer wrote: On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: > Resolving this

Re: Question that has dogged me for a while.

2017-05-05 Thread Karl Denninger
On 5/5/2017 19:08, Dr. Rolf Jansen wrote: > On 05.05.2017 at 20:53, Karl Denninger wrote: >> On 5/5/2017 14:33, Julian Elischer wrote: >>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: Resolving this with ipfw/NAT may easily become quite complicated, if not impossible

Re: Question that has dogged me for a while.

2017-05-05 Thread Dr. Rolf Jansen
On 05.05.2017 at 20:53, Karl Denninger wrote: > On 5/5/2017 14:33, Julian Elischer wrote: >> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: >>> Resolving this with ipfw/NAT may easily become quite complicated, if >>> not impossible if you want to run a stateful nat'ting firewall,

Re: Question that has dogged me for a while.

2017-05-05 Thread Karl Denninger
On 5/5/2017 18:53, Karl Denninger wrote: > A "telnet 70.169.168.7 2552" from outside works perfectly well. But the > second NAT should cause a "telnet 70.169.168.7 2552" from an > internet-network host to work also. It doesn't. s/internet-network/inside-network/ :-) -- Karl Denninger

Re: Question that has dogged me for a while.

2017-05-05 Thread Karl Denninger
On 5/5/2017 14:33, Julian Elischer wrote: > On 5/5/17 1:48 am, Dr. Rolf Jansen wrote: >> Resolving this with ipfw/NAT may easily become quite complicated, if >> not impossible if you want to run a stateful nat'ting firewall, which >> is usually the better choice. >> >> IMHO a DNS based solution

Re: Question that has dogged me for a while.

2017-05-05 Thread Julian Elischer
On 5/5/17 2:06 am, Karl Denninger wrote: On 5/4/2017 12:12, Rodney W. Grimes wrote: Consider the following network configuration. Internet --- Gateway/Firewall -- Inside network (including a web host) 70.16.10.1/28 192.168.0.0/24 The address of the outside is

Re: equivalent for pf's max-src-conn-rate in ipfw

2017-05-05 Thread Dmitry Selivanov
You can try using "limit src-addr" keyword and maybe tune net.inet.ip.fw.dyn_syn_lifetime. See "Examples/DYNAMIC RULES" section at ipfw(8). 05.05.2017 0:46, Marco van Tol wrote: Hi there, Possibly this question pops up regularly. I have tried to find the answer myself and have been unable