Em 08-07-2015 18:48, Артур Истомин escreveu:
And it was send from Linux OS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Thunderbird/38.0.1
Shame for you, linux fan boy:)
And this proves what exactly? You don't know about my use for neither
Linux nor OpenBSD, you don't g
r dealing
with many default gateways. Using tags you can write an even conciser
ruleset.
Cheers,
Giancarlo Razzolini
Em 08-07-2015 15:34, Jorge Gabriel Lopez Paramount escreveu:
there are other OSes out there, no need to make accusations or throw a
tantrum about it.
Go use these other OSes and leave OpenBSD alone. You'd be doing us a favor.
Cheers,
Giancarlo Razzolini
consistent with behaviour I've seen on -stable. Good to know
that it's fixed on -current.
Cheers,
Giancarlo Razzolini
rt back to the
list if you can make it work with -current.
Cheers,
Giancarlo Razzolini
antime, I'll go with a bridge firewall. It seems
like the most hassle free way to go. Perhaps I'll hack some NDP proxy.
But I need IPv6 connectivity, and I need it now.
Cheers,
Giancarlo Razzolini
faq/faq6.html#Bridge
I'm trying to get some NDP proxy running on OpenBSD. But all of them are
linux centric. Perhaps, for now, I will use it as a filtering bridge.
Since I have enough interfaces on my OpenBSD machine, I will have a
bridge specifically for IPv6. And IPv4 will still be N
oxy is the only viable solution (besides my ISP allowing me to
change my router configuration).
Cheers,
Giancarlo Razzolini
SP's, since I doubt
they will implement authenticated NDP. I will look into this ndp proxy
daemon, since I couldn't make the ndp(8) proxy functionality to work.
Thank all you guys who replied. Both on and off list.
Cheers,
Giancarlo Razzolini
t the
CPE is trully delegating the prefix, hence that's why he's issuing
neighbor solicitation messages. Someone pointed to me that I'll need to
use a ndp proxy or use the openbsd machine as a bridge filter. I can't
change the CPE configuration, it's locked by my ISP.
Cheers,
Giancarlo Razzolini
the same problem with it enabled and with the
default firewall configuration. I'm trying first to get ipv6
connectivity working to after filter the packets. Anyone had a similar
issue?
Cheers,
Giancarlo Razzolini
you have the relevant files in your chroot's etc directory? I believe
that you need at least a resolv.conf there. Also, a localtime is always
a good idea.
Cheers,
Giancarlo Razzolini
nt on a production or critical environment will
prove to be a challenge. Unless you carefully test each snapshot and
then have some tool like puppet to automate the upgrade with snap or
other tool. Even with autoinstall(8).
Cheers,
Giancarlo Razzolini
PC about OpenBSD is ... a couple target platforms. :)
I'm remembering someone that was offended by smtpd manual page(IIRC).
Even sent a patch to fix it and everything!
>
> Nick.
> (making note to offend more in the future)
Oh no! Please don't!
Cheers,
Giancarlo Razzolini
mes it makes a
hard subject easier to swallow (as it is with cryptography). Perhaps
*that* one was misplaced.
Cheers,
Giancarlo Razzolini
ving on these days. At least
now we have more people paying attention to what happens on our
computers BEFORE any OS is loaded.
Cheers,
Giancarlo Razzolini
ass in quick from 192.168.1.200 to any route-to (tun0 gateway)
Cheers,
Giancarlo Razzolini
hard to
make a OS that try to don't allow you to shoot yourself in the face.
Even if that means removing software that might (or not) pose a threat
to you in any point in the future.
Cheers,
Giancarlo Razzolini
27;re on the wrong Operating System. OpenBSD is secure by default.
If lynx had the tiniest chance of compromising your system, then I'm
glad it's gone.
Cheers,
Giancarlo Razzolini
don't
think any other text mode browser will make into base in the near
future, unless someone develops a secure one.
Cheers,
Giancarlo Razzolini
ve the budget for this kind
of setup, I believe this trade-off is an acceptable one, if you
understand the risks. Also, there are some things you can't do if you
run the services on a separate machine such as divert(4).
Cheers,
Giancarlo Razzolini
ower frequency, more cores is better, because my firewall isn't used
just for PF. If you're gonna use you OpenBSD firewall for other
processes such as, proxy, dns server, web server, dhcp server, it won't
hurt to have more cores.
Cheers,
Giancarlo Razzolini
ters and it will revert to the old way.
Anyway, I, like you, have many OpenBSD systems that "just work". Thank
you OpenBSD.
Cheers,
Giancarlo Razzolini
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
an run in /etc/sudoers.
Cheers,
Giancarlo Razzolini
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
On 25-10-2014 15:10, Theron ZORBAS wrote:
> # here is where and what i dont know to do?
> # How to forward https requests to https_server arriving at pppoe1
interface/IP
Your problem isn't with binat, which, by the way, you don't need. There
are several options for solving your problem. The easies
On 23-10-2014 21:49, Steve Litt wrote:
> I'm getting set to build my third OpenBSD/pf firewall/NAT/router. The
> first two I did with a lot of research and trial and error.
Don't worry about this. Even if you read the documentation you'll need
to try and test your rules.
>
> This time, I'd like to
On 21-10-2014 06:53, Stuart Henderson wrote:
> Don't rule out bugs in the OpenVPN port on OpenBSD. Despite user requests
> for version updates and tweaks to the port there has been an almost
complete
> lack of feedback when updates have been sent out for testing, so it's
> possible problems may hav
On 20-10-2014 19:37, Christian Weisgerber wrote:
> On 2014-10-20, Craig R. Skinner wrote:
>
>> I noticed OpenBSD anon CVS SSH fingerprints have the bit length
>> published with the algorithm type:
>> http://www.openbsd.org/anoncvs.html
> That seems useless.
That's not useless. SSHFP records have t
On 20-10-2014 21:52, Ian Grant wrote:
> How else can one protect a system from DoS attacks, other than by
> concealing it some way? And what is cryptography if it's not
> concealing the meaning of a communication in some way?
Oh my. DoS can be mitigated. You could never "protect" a system. Even if
On 20-10-2014 20:46, Ian Grant wrote:
> There's analysis, and there's analysis. None of this is particularly
> interesting without knowledge of what depth of analysis was being
> done.
Yes it is. Because filters can be made to alert you of odd traffic. And
certainly a tcp syn to an http port which
On 20-10-2014 11:02, Louis Bailleul wrote:
> Just to be clear, I did not say that the solution was to upgrade or
> anything else.
To quote you: "I experienced that exact issue a while back and managed
to solve it by accident while upgrading openvpn ..."
>
> But I think that asking someone to check
On 19-10-2014 21:01, Ian Grant wrote:
> On the contrary: it_will_ make it impossible for people to know what
> _we_ are doing. This is not one system I'm talking about: it's
> countless independent VPNs. No one person in the world will ever know
> what_we_ are doing.
Except perhaps for the natio
On 20-10-2014 09:08, Louis Bailleul wrote:
> I am using openvpn (with tun interfaces) and quagga to do something
> similar between two linux boxes .
>
> I experienced that exact issue a while back and managed to solve it by
> accident while upgrading openvpn ...
>
> I am currently using OpenVPN 2.2
On 20-10-2014 09:51, Nicolas Haller wrote:
> Sure I can. Did you see any change fitting with my issue? I took a
> look on the changelog but I didn't find anything relevant.
> I think I'll try to reproduce the issue on two 5.5 OpenBSD VMs to rule
> out (or not) FreeBSD and with the last snapshot to
On 20-10-2014 01:53, Nicolas Haller wrote:
> I have a strange issue while trying to reconfigure my Soekris after
> the CompactFlash died.
> Here the picture. I have a dedicated FreeBSD server linked with my
> Soekris acting as my home gateway(which was running OpenBSD 4.0, and
> now running OpenBSD
On 17-10-2014 15:59, Ian Grant wrote:
> On Fri, Oct 17, 2014 at 2:49 PM, Bret Lambert
wrote:
>> Well, if, as Herr Schroeder seems to be implying, this is used to
>> avoid port scans, I'd look for traffic to/from address:port which
>> don't show up on scans.
> That's why I want to hide it behind an
On 15-10-2014 17:56, Kevin Chadwick wrote:
> The address bar is one of the only things you can trust when browsing a
> web page
Provided your dns isn't spoofed. And you're are not being targeted with
a mitm attack. And perhaps a few other things. But yeah, the address bar
can normally be trusted.
>
On 15-10-2014 01:38, Justin Mayes wrote:
> Thanks to both of you for the advice
> Just to followup I ended up with the relayd 'routers' setup as described in
man page but with a script monitor rather than icmp. The monitor finds
gateway for interface in route table and pings it with "-I" interface
On 13-10-2014 19:56, Nux! wrote:
> Thanks, but for me it did not work, the guest fails to boot after this
change.
> I'll wait for 5.6 for more serious work on KVM.
Which kernel you're using? The bsd or the bsd.mp? Which message appear
on the boot? Which linux/qemu-kvm version?
Cheers
[demime 1.01
On 13-10-2014 19:12, Mike Larkin wrote:
> isabling random parts of the kernel without understanding what you are
doing
> is certainly smoking crack. I doubt you heard "disable mpbios" as a valid
> solution from any OpenBSD developer.
No I didn't. I found it on a very old article, refering to OpenBS
On 13-10-2014 16:50, Mike Larkin wrote:
> You are smoking some serious crack there.
This is the only thing that works for me on all my OpenBSD virtualized
installations. And I'm running 5.5 stable on all of them. I can't really
speak for 5.6, since I don't run current on my production systems. So
n
you install a new kernel. Reboot your system and
check if mpbios is disabled:
dmesg | grep mpbios
You should get this:
mpbios at bios0 not configured
Now you can try issue virsh shutdown of shutting it down from
virt-manager. It will also correctly shutdown the OpenBSD guest in the
event of a h
On 09-10-2014 11:23, Justin Mayes wrote:
> In Reyk's presentation he talks about this
(http://www.youtube.com/watch?v=JtMxGslqGbM) @ 19:30 and describes the 'link
balancer' functionality of relayd intended to do exactly what I want. It
appears to work as described. In the presentation Reyk says rel
On 09-10-2014 10:16, Justin Mayes wrote:
> I did notice the problem with only detecting a LAN failure and was looking
at a better monitor. If I just used plain PF rules what would I use for the
next-hop parameter to the route-to command? This IP is dynamic.
>
There is no next-hop. Just make your r
On 09-10-2014 02:58, Justin Mayes wrote:
> Ok I got it working. Here is what I did
>
> Enabled multipath routing (sysctl)
> Added the relayd anchor to pf.conf
> Created a relayd.conf with this in it
>
> gw1="fxp0"
> gw2="fxp1"
>
> table { $gw1 ip ttl 1, $gw2 ip ttl 1 }
> router "uplinks" {
>
On 08-10-2014 18:25, stan wrote:
> Anyone have any sugestions as to how to make this work?
Did you try the suggestion I gave you off list, of making two ssh
connections? Also, you could provide more details of your setup? Both
your e-mails trying to explain it, were confusing. I think I understood
On 08-10-2014 17:14, David Coppa wrote:
> On Wed, Oct 8, 2014 at 9:47 PM, Giancarlo Razzolini
> wrote:
>> On 08-10-2014 15:03, ÐÑÑÑÑ ÐÑÑомин wrote:
>>> How affiliate mtier with OpenBSD? Is it safe method/source for update?
>>> Who they are?
>> It ha
On 08-10-2014 15:03, ÐÑÑÑÑ ÐÑÑомин wrote:
> How affiliate mtier with OpenBSD? Is it safe method/source for update?
> Who they are?
It has been pointed to me that one of the ports maintainer/developer, is
associated with them. I've been using since 5.4, and had no issues so
far. Their pa
On 04-10-2014 11:06, Peter N. M. Hansteen wrote:
> The parentheses denote potentially dynamic addresses, and IIRC the
> main difference is that with parentheses the list will be expanded
> IIRC at rule evaluation time, while without the parentheses, the list
> of addresses is expanded at ruleset lo
On 06-10-2014 22:37, Theo de Raadt wrote:
> I love this conversation.
>
> Hey don't trust OpenBSD, because the new (outsourced) store uses
Javascript.
Never, in any moment in the thread I said that the store shouldn't be
trusted.
> But trust Matti and Giancarlo's email headers.
While we are at it,
On 06-10-2014 22:31, Theo de Raadt wrote:
> You are the troll; he is the plant.
>
All right. Will end the discussion now. Just rest assured I'm not
working it any goverment agency, IT big enterprise and do not have any
hidden agenda.
Bye
[demime 1.01d removed an attachment of type application/pkc
On 06-10-2014 22:23, Theo de Raadt wrote:
> And you are UK or US as well. Nice Italian name, but you are likely
> part of the same parcel. Thanks for replying so fast!
Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
and you'll see. Don't be so paranoid. And I'm not feeding
On 06-10-2014 22:09, Theo de Raadt wrote:
> He got a fake finnish name, but I bet he lives in the US or UK!
From the e-mail headers, US. Don't worry Theo, I won't be feeding the
troll any further. Just don't like stupid people spreading
misinformation. Others might believe it.
[demime 1.01d remov
On 06-10-2014 20:59, stan wrote:
> I have a pf configuration which corectly fowards external conections to
> port 5432 on a machine on the inside. Iam trying to set up a machine on the
> outside to use ssh port fowarding to send ackets to port 5432 on the
> machine runing pf (firewall). Here is my
On 06-10-2014 18:09, Tor Houghton wrote:
> Hi,
>
> Dumb question: I'm running 'sudo ntpd -s' as part of a remote command to an
> OpenBSD guest[*]; unless I add a 'pkill sshd' to the end of the remote
> command, e.g.
>
>ssh guesthost 'sudo pkill -9 ntpd && sudo ntpd -s && date && pkill sshd'
>
>
On 06-10-2014 17:48, Matti Karnaattu wrote:
> Node.js
I've used it, and there is too much hype about it. It has it's uses, but
can be replaced with other non javascript technologies, at least from
the server side.
> And this is current status. Apple, Canonical, Google and Microsoft
> pushing their
On 06-10-2014 16:36, Matti Karnaattu wrote:
> I don't know details but it sounds overly complex. And complexity
> may cause other issues, without any benefit for security.
>
> Example, you don't have to encrypt your whole hard disk if the hard
> disk is located in guarded bunker. But if you do that
On 06-10-2014 14:20, Matti Karnaattu wrote:
> I strongly disagree.
>
> In server side there is vast amount of different software stacks build
> top of C library and they are incompatible. Running PHP code top of
> Java stack just doesn't work.
But none of them *require* javascript to function.
>
>
On 03-10-2014 17:48, Matti Karnaattu wrote:
> Unfortunately, we are living world where almost all applications are
> nowadays writen with Javascript or compiled to Javascript. And it is
> matter of time when rest of the issues are solved which prevents it
> using ~everywhere to reduce server load.
On 03-10-2014 16:01, Matti Karnaattu wrote:
> Soon it is probably nearly impossible to do anything useful with web
> without Javascript. It is defacto and dejure standard language for
> portable applications.
I believe the OP could have done his research a little better, there are
other ways of fin
On 02-10-2014 17:30, System Administrator wrote:
> All these (otherwise valid) suggestions are useless until we know more
> about the specific firewall in question -- information best delivered
> in the form of dmesg, 'pfctl -si' output and other statistics as
> indicated in Ville's response below.
On 02-10-2014 16:12, Jeff wrote:
> With the addition of a carefully constructed route-to rule I now have all of
the
> individual pieces working. Now, with some careful plumbing and testing I
should
> be all set. The final solution will be a combination of ifstated, multipath
routing
> (prioritize
On 02-10-2014 10:11, Jeff wrote:
> I still can't seem to force a ping through a particular interface, even when
I
> have both interfaces as default routes (I've tried both with and without
mpath).
> If it matters, in both cases I used a lower priority (higher #) for our low
speed
> metered connecti
On 01-10-2014 14:14, Jeff wrote:
> It sounds like "ping -I" is what I was looking for, but when I use it, it
seems
> to be sending out the packet with the right source address, but sending it
to
> the wrong interface.are there any tricks here?
You must enforce through pf route-to the packets to
On 01-10-2014 01:58, Eric Furman wrote:
> If you don't realize the the OpenBSD team hasn't thought about, talked
> about and argued about these issues to an extremely large extent
> then you are very new here.
Nope. I myself participated on these discussions on the past.
> You won't see it on the
On 30-09-2014 20:24, Stuart Henderson wrote:
> There is no "expiry time" on a signify signature. If an anoncvs server
> were to be compromised such that you could no longer trust its key,
> there is no way we could "revoke" that signed web page. If an attacker
> was able to cause you to keep seeing
On 30-09-2014 16:03, Ted Unangst wrote:
> In theory, we could sign the ssh fingerprint page, but I don't think
> that's a good idea at the current time. There are some issues with
> expiring old data.
This would be a significant improvement. If you are 99,99% certain you
got the release right, them
On 30-09-2014 12:46, trondd wrote:
> Sure, you have to somehow verify that the fingerprint is good and
> check it against the fingerprint you get when first connecting to the
> CVS server. How can you verify that fingerprint is good? I don't know.
SSHFP. DNSSEC. And other ways. But these won't ha
On 30-09-2014 11:56, trondd wrote:
> There are SSH fingerprints published for each of the CVS servers.
They are published on a clear http page and there is no SSHFP on the
dns. You need to access the anoncvs page from different places, using
different connections/vpns/proxies, to be sure you are ta
On 19-09-2014 11:24, Craig R. Skinner wrote:
> On 2014-09-19 Fri 12:28 PM |, Krzysztof Strzeszewski wrote:
>> I want add my global domain in my serwer dns unbound... How to do?
>>
>> I konw how add my domain in named(bind):
>>
> $ man 8 unbound
> ...
> ..
> DESCRIPTION
> Unbound is an imple
On 21-09-2014 12:46, Steve Litt wrote:
> Over the weekend, on a Linux list, I read that the kvm hardware VM mods
> to qemu are not available on OpenBSD, and as a result any qemu sessions
> on OpenBSD are extremely slow. Is that true, or is it just FUD?
As already pointed out, it is true. But it's n
VcRwQxZ8UKGWY8Ui4RHi229KFL84wV
Nice tip. Perhaps I'll implement a script to check it against all
anoncvs servers to see if any of them disagree with mine.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
t. I'm not saying that you
should just give up. I'm just saying that your attackers have much, much
more resources than you'd possibly have. You might avoid getting
compromised for some time, but eventually you'll be.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
lable on a non ssl web page. There are
SSHFP records for this. But with no DNSSEC you incur on the same issue,
of having to access the anoncvs page from many places/proxies/tor/etc to
see if the ssh fingerprint match.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an atta
tercepted by the dragnet. Even people on US are being targeted.
This isn't a paranoid's concern anymore. We should do what we can to at
least achieve some privacy.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
one. And this will keep
going for the foreseeable future.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
make things simple to
some extent. As your setup gets more complex, so does your ruleset.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
en the connection is
ended, with all the begin/end and traffic values at once. It does not
sample a state. There was even a diff proposed for doing this. In your
case, I suggest that you only set the pflow option for the rules you
need, not as a state-defaults. This might explain this large volume
ckets from the internal network or you can end up allowing
things into your dmz that weren't supposed to get there.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
en use the pf's ruleset optimizer, and then use the optimization as a
starting point.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
ets for for a week or so. That way you can effectively know how your
network behave and can program your rules accordingly.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
aller anchors. This will save you time and make your pf rules
much more readable.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
y at all, or drop so many frames that they'll be
unwatchable. Another shot is to use vlc, but it will be limited by your
video driver, in the same manner mplayer is.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
has been tested inside Google and elsewhere. NEO is twice the
price now.
You just need to take care to use only printable ASCII characters when
using static passwords. Lesson learned the hard way. But they work fine
otherwise.
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachm
rnet links speeds getting bigger over the years.
I had problems with ALTQ using very small queues.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
, if I'm not mistaken you can't get
anything above 5.1, and even that, is compressed. You won't have 7.1.
But none of this was on OpenBSD. Just to illustrate how painful is this
kind of setup.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of typ
a related issue, I've always wanted to
migrated my HTPC solution to OpenBSD. But there are lots of hiccups, and
honestly, I don't even know if I have the knowledge to code what needs
to be coded.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type
eginning to use OpenBSD, so I lacked the
skills. And, since I've switched to tmux and it does not happen anymore,
I just didn't went after the cause. Perhaps you're facing a similar issue.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type a
ot to learn about security.
Don't forget to check your own machine, not just your OpenBSD server.
It's more often than not the point of origin of the attack. If your
machine is compromised, reinstalling your server won't do anything,
since they'll reinfect it again.
Cheers,
threads have shown that Arches build system and
> debians packages that can include binary uploads are alarmingly
> questionable even when signed with a known valid key.
Their security track record isn't that great.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
ware? Everyone need to trust somebody else at some point, otherwise
we wouldn't be here. On the other hand, a little bit of paranoia, never
hurt.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
is always, and always will be the
problem of trust. Or, in this case, the initial trust. I don't see
OpenBSD adding SSL nor DNSSEC.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
install, I'll keep
doing this, just to be sure.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
On 11-08-2014 12:05, Gustav Fransson Nyvell wrote:
> There's no guarantee a patch would be accepted.
Don't feed the troll, please.
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
ing
your tfpt server and retrieving the file? Many times there is the problem.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
t which is
running arpwatch on their networks will notice that the airport take
over the mac addresses of the wireless clients. But I also believe that
atheros devices will give you better performance. Just don't forget that
the 802.11 network stack of OpenBSD does not support 802.11n yet. It
s
's really
> our network stack.
That's why I use OpenBSD. It gives me the flexibility and security I
need even when it need to go along with insecure machines and hardware.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
hould go to queue foo". once the packet hits an outbound
> interface, we check wether queue foo exists there and if so use it.
This is one of the greatest features of pf, in my opinion. This
flexibility is what make pf what it is.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime
ven be assigned to queues when specifying rules
referring another interface. Queuing is a very complicated matter. And
the examples both on the pf.conf man page, and it's faq, are meant as a
starting point.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment
and you are on the right direction. You'll just
need to invert your queues. As I mentioned, use your queues on the vlans
for connections initiated by your networks. And queue on the external
interface connections coming from the internet.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
101 - 200 of 522 matches
Mail list logo