Re: pf question - antispoof and loopback

2022-12-24 Thread J Doe
On 2022-12-24 02:32, Philipp Buehler wrote: On 22.12.2022 21:37 J Doe wrote:     set skip on lo0 . . .     antispoof quick for $ext_if This one will be faster (a tad) if you do not plan for more detailed filtering (and who does so on lo0 besides the esoteric ones). ciao Hi Philipp, T

Re: pf question - antispoof and loopback

2022-12-23 Thread Philipp Buehler
On 22.12.2022 21:37 J Doe wrote: set skip on lo0 . . . antispoof quick for $ext_if This one will be faster (a tad) if you do not plan for more detailed filtering (and who does so on lo0 besides the esoteric ones). ciao -- pb

pf question - antispoof and loopback

2022-12-22 Thread J Doe
Hi, I have a question regarding pf. In man pf.conf[1], the following note is made in the section on: antispoof "Caveat: Rules created by the antispoof directive interfere with packets sent over loopback interfaces to local addresses. One should pass these explicitly." When man sa

Re: pf question - set skip on wildcards ?

2022-12-13 Thread Philipp Buehler
On 13.12.2022 22:11 J Doe wrote: set skip on !$ext_if ... with the idea that this skips all interfaces (virtual or otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to perform filtering on ? Yes, but likely to need a space between ! and $. ciao -- pb

Re: pf question - set skip on wildcards ?

2022-12-13 Thread J Doe
On 2022-12-13 01:23, Philipp Buehler wrote: On 13.12.2022 06:02 J Doe wrote:     set skip on { lo0, vif* } in pf.conf(5) the GRAMMAR shows: ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |   "{" interface-list "}" So you could do "set skip on

Re: pf question - set skip on wildcards ?

2022-12-12 Thread Philipp Buehler
On 13.12.2022 06:02 J Doe wrote: set skip on { lo0, vif* } in pf.conf(5) the GRAMMAR shows: ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | "{" interface-list "}" So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you use inter

pf question - set skip on wildcards ?

2022-12-12 Thread J Doe
Hello, I have a question regarding: set skip on in pf.conf(5). I have a host that has a number of dynamic virtual interfaces. I don't want my ruleset to apply to those interfaces, however, as they are created and removed dynamically, I don't know what the numbers will be assigned to those in

Re: pf question: IPv6 prefix changed, how to tell pf?

2021-07-23 Thread David Dahlberg
On Fri, 2021-07-23 at 08:21 +0200, Harald Dunkel wrote: > Deutsche Telekom gives me a new /56 prefix for my internal net and > a new /64 prefix for the external connection on every reboot of my > modem. The old internal prefix is not routed anymore. Question is, > how can I tell pf to use the new

pf question: IPv6 prefix changed, how to tell pf?

2021-07-22 Thread Harald Dunkel
Hi folks, Deutsche Telekom gives me a new /56 prefix for my internal net and a new /64 prefix for the external connection on every reboot of my modem. The old internal prefix is not routed anymore. Question is, how can I tell pf to use the new prefix? There are a few constants in my pf.conf file

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
I found out the problem is in the unbound.conf file.  Now, my xperia can use the internet.  Thank you for your help. Clarence ===original server:     interface: 192.168.1.1     interface: 127.0.0.1     interface: ::1     access-control: 127.0.0.0/8 allow     access-control: 10.0.0.0/24

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
Here are all the config files of my openbsd-router.  traceroute yahoo.com.hk on my xperia (android) stops at the IP of my openbsd-router.  There is nothing displayed on openbsd-router running tcpdump -eni pflog0. dhclient.conf append domain-name-servers 127.0.0.1; ==

Networking/pf question, I am not sure ?

2020-05-10 Thread man Chan
Hello, I recently set up a home network as follows (Just for fun): ISP  <> openbsd router (version 6.6 Stable) <--->  gigabit switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless) everything works except that I can't use my sony xperia tablet to access internet using the

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman
On 5/10/20 2:12 PM, Kaya Saman wrote: On 5/10/20 2:04 PM, Tom Smyth wrote: Hello Clarence, you would need to provide some more information about your setup, IP addresses on interfaces, what is your pf.conf etc... In your xperia ( I believe they are android) you can download the  hurricane e

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman
On 5/10/20 2:04 PM, Tom Smyth wrote: Hello Clarence, you would need to provide some more information about your setup, IP addresses on interfaces, what is your pf.conf etc... In your xperia ( I believe they are android) you can download the hurricane electric network tools (HE network tool

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Tom Smyth
Hello Clarence, you would need to provide some more information about your setup, IP addresses on interfaces, what is your pf.conf etc... In your xperia ( I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary netw

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread michael
Shame on me ;-) Now I saw: "if neither are specified, the rule will match packets in both directions."   Original message   From: Markus Rosjat Sent: Friday, 20 October 2017 15:32 To: misc@openbsd.org Subject: Re: a pf question maybe asked a 1000 times Hi, as far as I und

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, as far as I understood the whole thing On 20.10.2017 at 15:09 Michael Hekeler wrote: pass on hvn0 inet proto icmp all icmp-type echoreq just to be curious: what is the effect of "on" in your rules "pass on ..." As to pf.conf(5) there are only "in" or "out" this should allow traffic i

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread sven falempin
On Fri, Oct 20, 2017 at 9:09 AM, Michael Hekeler wrote: > > Glad to hear that you have solved the problem > > > > as you may notice I added the ping and the dns to the ruleset since > > this was blocked in the original set of rules. > > You can allow outgoing dns with one single rule: > > pass

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
Glad to hear that you have solved the problem > as you may notice I added the ping and the dns to the ruleset since > this was blocked in the original set of rules. You can allow outgoing dns with one single rule: pass out on $ext_if inet proto { tcp, udp } from $ext_if \ to any port dom

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi Michael, as far as pfctl -sr goes a block return expands to block return all but since I got it working now here is the ruleset that does what it is supposed to do :) ext_if="hvn0" set skip on lo block return  # block stateless traffic block inet6 pass on $ext_if inet proto {tcp udp} to p

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > block return  # block stateless traffic Hi Markus, here's another hint: no matter if you want to drop silently or send a return for the dropped packet, you have to tell **on which packet the block action should react**

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi again, okay big time PEBKAC ... if you do the -d you should at some point do the -e ... haha anyway always fun to brainstorm with you guys this list rocks !!! On 20.10.2017 at 14:11 Markus Rosjat wrote: Hi, yeah well the rules are loaded, I could flush before doing pfctl -f to make i

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, yeah well the rules are loaded, I could flush before doing pfctl -f to make it all clean. I tried ssh m...@domain.tld from the machine with the ruleset. this works with the given rules but it shouldn't in my opinion. and yes there is no dns traffic allowed in the rules. Maybe it's really the

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > what I notice is I can initiate a ssh connection from this machine. Just a question: how do you initiate the ssh connection? ssh host.example.com Then you realise that there is also dns out (53/tcp,udp)

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Niels Kobschaetzki
On 17/10/20 12:59, Markus Rosjat wrote: Hi there, I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return  # block stateless traffic block inet6 pass in on $ext

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > what I notice is I can initiate a ssh connection from this machine. > So there are three possible answers to this: > - 1st with allowing ssh traffic in the first place ssh port will be >considered passable from both sites o

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, On 20.10.2017 at 13:11 Bryan Harris wrote: I don't know the answer but I'm curious. What does "pfctl -sr" command show? Can you do dns lookups? PS - my rules have the "pass out all" rule at the bottom. V/r, Bryan sure I can give the output: $ doas pfctl -sr doas (m...@my.own) passw

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Solène Rapenne
On 2017-10-20 12:59, Markus Rosjat wrote: Hi there, I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return  # block stateless traffic block inet6 pass in on $e

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Bryan Harris
I don't know the answer but I'm curious. What does "pfctl -sr" command show? Can you do dns lookups? PS - my rules have the "pass out all" rule at the bottom. V/r, Bryan On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat wrote: > Hi there, > > I was wondering, after reading Mr. Hansteen's excellent

a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi there, I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return  # block stateless traffic block inet6 pass in on $ext_if inet proto tcp from any to ($ext_if)

Re: pf: question about tables derived from interface group

2014-12-29 Thread Harald Dunkel
On 12/28/14 15:35, Harald Dunkel wrote: > > That's cool. Where did you find this? Searching on openbsd.org > for "_pf" revealed only > http://www.openbsd.org/papers/ven05-henning/mgp00011.txt . > This is surely something that should go to the man page or to > the FAQs for pf. > PS: Another impor

Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 9:35 AM, Harald Dunkel wrote: > On 12/28/14 13:51, Maxim Khitrov wrote: >> >> These tables are under the hidden "_pf" anchor: >> >> pfctl -a _pf -t extern -T show >> > > That's cool. Where did you find this? Searching on openbsd.org > for "_pf" revealed only > http://www.op

Re: pf: question about tables derived from interface group

2014-12-28 Thread Harald Dunkel
On 12/28/14 13:51, Maxim Khitrov wrote: > > These tables are under the hidden "_pf" anchor: > > pfctl -a _pf -t extern -T show > That's cool. Where did you find this? Searching on openbsd.org for "_pf" revealed only http://www.openbsd.org/papers/ven05-henning/mgp00011.txt . This is surely somet

Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 6:38 AM, Harald Dunkel wrote: > Hi folks, > > pfctl can give me an extended list of tables showing interface > group names, "self", etc. Sample: > > # pfctl -g -sT > egress > egress:0 > extern > extern:network > intern:network

pf: question about tables derived from interface group

2014-12-28 Thread Harald Dunkel
Hi folks, pfctl can give me an extended list of tables showing interface group names, "self", etc. Sample: # pfctl -g -sT egress egress:0 extern extern:network intern:network nospamd self spamd-white unroutable How c

Re: another carp bgp and pf question

2013-11-17 Thread andy
On Sun, 17 Nov 2013 15:32:01 +0100, Marko Cupać wrote: > I have two routers in active/passive carp mode that share three pairs > of carp interfaces: > bge1 - DMZ > em0 - ISP1 > em1 - ISP2 > > They are also syncing pf states over syncdev bge0. > > Both routers are in BGP sessions with two upstrea

another carp bgp and pf question

2013-11-17 Thread Marko Cupać
I have two routers in active/passive carp mode that share three pairs of carp interfaces: bge1 - DMZ em0 - ISP1 em1 - ISP2 They are also syncing pf states over syncdev bge0. Both routers are in BGP sessions with two upstream providers (via /29 networks), and I am achieving graceful failover by me

altq / pf question

2011-10-06 Thread David Higgs
I enabled altq briefly on my OpenBSD router to throttle upstream traffic due to a buggy cable modem. It worked great, but I've since replaced the modem and removed the bandwidth constraints. Since I'm nowhere near saturating the link and haven't dropped any packets since then, is there any remain

Re: Newbie Network/PF Question

2011-01-07 Thread Mike.
On 1/6/2011 at 10:40 AM Mike. wrote: |On 1/5/2011 at 2:56 PM Axton wrote: | ||On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote: || ||> On 1/4/2011 at 10:57 PM Josh Smith wrote: ||> ||> | ||> |pass in on $int_if0 # pass all incoming traffic on our internal ||> interface ||> |pass in on $int_if1 # pas

Re: Newbie Network/PF Question

2011-01-06 Thread Mike.
On 1/5/2011 at 2:56 PM Axton wrote: |On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote: | |> On 1/4/2011 at 10:57 PM Josh Smith wrote: |> |> | |> |pass in on $int_if0 # pass all incoming traffic on our internal |> interface |> |pass in on $int_if1 # pass all incoming traffic on our internal |> inter

Re: Newbie Network/PF Question

2011-01-06 Thread David Walker
While we're piling on ... I have three interfaces, vr0 is my internet (pppoe), vr1 and vr2 are my internal networks. This gives me a good mental picture ... # packet filtering block all # pppoe0:network pass out on pppoe0 inet from (pppoe0) to any pass out on pppoe0 inet from vr1:network nat-t

Re: pf question: multiple multihomed machines

2011-01-06 Thread lilit-aibolit
gwes ohxer: What is the recommended pf.conf to get symmetrical routing for incoming and outgoing connections using a dual-homed gateway and internal hosts with static IPs on both WANs? I'm assuming "route-to" and "reply-to" are the correct tools to use. I've looked at the FAQ, g

Re: Newbie Network/PF Question

2011-01-05 Thread Axton
On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote: > On 1/4/2011 at 10:57 PM Josh Smith wrote: > > | > |pass in on $int_if0 # pass all incoming traffic on our internal > interface > |pass in on $int_if1 # pass all incoming traffic on our internal > interface from the test network > = >

pf question: multiple multihomed machines

2011-01-05 Thread gwes
What is the recommended pf.conf to get symmetrical routing for incoming and outgoing connections using a dual-homed gateway and internal hosts with static IPs on both WANs? I'm assuming "route-to" and "reply-to" are the correct tools to use. I've looked at the FAQ, googled for dual & multihomed m

Re: Newbie Network/PF Question

2011-01-05 Thread Mike.
On 1/4/2011 at 10:57 PM Josh Smith wrote: | |pass in on $int_if0 # pass all incoming traffic on our internal interface |pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network = I have two internal subnetworks, one for standard frames and

Re: Newbie Network/PF Question

2011-01-05 Thread Remco
Josh Smith wrote: > I have been running OpenBSD as my home "router" for a couple of years > now and everything has worked well thus far. However this evening I > added a second network interface to my router because I would like to > add some hosts for testing on a separate network segment and am

Re: Newbie Network/PF Question

2011-01-04 Thread Teemu Rinta-aho
Hi Josh, I guess the problem is that everything matches your NAT rules. Try adding something like this before the match rules for nat: pass in quick on $int_if0 from 10.66.66.0/24 to 10.66.67.0/24 pass out quick on $int_if0 from 10.66.67.0/24 to 10.66.66.0/24 pass in quick on $int_if1 from 10.

Re: Newbie Network/PF Question

2011-01-04 Thread Josh Smith
Joshua, I would like the two networks to be able to talk directly to each other using plain old routing, however I would like to be able to filter this traffic using PF in the future if I choose to, but the only traffic that should be natted is from either of these networks out to the internet. Th

Newbie Network/PF Question

2011-01-04 Thread Josh Smith
I have been running OpenBSD as my home "router" for a couple of years now and everything has worked well thus far. However this evening I added a second network interface to my router because I would like to add some hosts for testing on a separate network segment and am running into some difficul

Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Dennis Davis
On Thu, 11 Nov 2010, Tor Houghton wrote: > From: Tor Houghton > To: Ryan McBride > Cc: misc@openbsd.org > Date: Thu, 11 Nov 2010 11:06:25 > Subject: Re: (Perhaps?) dumb pf question relating to tables > X-Spam-Score: 0.0 (/) > > On Thu, Nov 11, 2010 at 05:32:27PM +

Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Tor Houghton
On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote: > On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote: > > May I ask whether or not "per user" ownership (or permission to update) a > > table is/will be possible? > > > > I am pondering the best mechanism for a non-root proce

Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Ryan McBride
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote: > May I ask whether or not "per user" ownership (or permission to update) a > table is/will be possible? > > I am pondering the best mechanism for a non-root process to add/remove > addresses to a table. You can look at sysutils/table

Re: (Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Thomas Jeunet
On Wed, Nov 10, 2010 at 13:45, Tor Houghton wrote: > Hello, > > May I ask whether or not "per user" ownership (or permission to update) a > table is/will be possible? > > I am pondering the best mechanism for a non-root process to add/remove > addresses to a table. > > Kind regards, > > Tor > Yo

Re: (Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Bret S. Lambert
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote: > Hello, > > May I ask whether or not "per user" ownership (or permission to update) a > table is/will be possible? > > I am pondering the best mechanism for a non-root process to add/remove > addresses to a table. Privilege separati

(Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Tor Houghton
Hello, May I ask whether or not "per user" ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table. Kind regards, Tor

Re: pf question: "no rdr" problem, upgraded 4.2->4.7

2010-07-15 Thread Peter N. M. Hansteen
David Hardy writes: > no rdr on $cus inet proto tcp from to any port www > > we use a web cache, but want to exempt some clients from being transparently > proxied to it. the quick escape is likely just that - an appropriately placed pass quick or match quick with the appropriate rdr-to, depend

Re: pf question: "no rdr" problem, upgraded 4.2->4.7

2010-07-15 Thread John Cosimano
--- David Hardy [Thu, Jul 15, 2010 at 12:09:07PM -0600]: --- > I'm upgrading a obsd firewall/router to 4.7 from 4.2 and am having to make > all kinds of changes, but one I can't figure out is why it's choking on: > > no rdr on $cus inet proto tcp from to any port www > > we use a web cache, but

pf question: "no rdr" problem, upgraded 4.2->4.7

2010-07-15 Thread David Hardy
I'm upgrading a obsd firewall/router to 4.7 from 4.2 and am having to make all kinds of changes, but one I can't figure out is why it's choking on: no rdr on $cus inet proto tcp from to any port www we use a web cache, but want to exempt some clients from being transparently proxied to it. what

Re: [pf question] Positive condition for adding in the table?

2009-09-17 Thread Gregory Edigarov
On Thu, 17 Sep 2009 10:20:37 +0200 Ivan Radovanovic wrote: > Iñigo Ortiz de Urbina wrote: > > You could also take a look at the match, tag and tagged keywords in > > pf.conf. > > > > Additionally, you may require parsing your custom logs (pflogN > > interfaces or binary logs in /var/log/) in or

Re: [pf question] Positive condition for adding in the table?

2009-09-17 Thread Ivan Radovanovic
Iñigo Ortiz de Urbina wrote: You could also take a look at the match, tag and tagged keywords in pf.conf. Additionally, you may require parsing your custom logs (pflogN interfaces or binary logs in /var/log/) in order to populate your tables for use in the main ruleset or anchors. Have a nice

Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic
Iñigo Ortiz de Urbina wrote: You could also take a look at the match, tag and tagged keywords in pf.conf. Additionally, you may require parsing your custom logs (pflogN interfaces or binary logs in /var/log/) in order to populate your tables for use in the main ruleset or anchors. Have a n

Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic
Girish Venkatachalam wrote: On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovic wrote: Thanks for your response. If I understand you correctly pf kernel module actually supports operating with tables based on positive conditions (ie not only when rule is broken, but also when rule is true), and

Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovic wrote: > Thanks for your response. If I understand you correctly pf kernel module > actually supports operating with tables based on positive conditions (ie not > only when rule is broken, but also when rule is true), and the way to define > rules of

Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic
Girish Venkatachalam wrote: Please read up on pf(4) anchors. And also on connection overloads in pf.conf(5). Stuff like max-conn-rate and so on. You already said you know about pf(4) tables. You need to populate the tables based on different criteria. I know that connection overload is one.

Re: [pf question] Positive condition for adding in the table?

2009-08-27 Thread Girish Venkatachalam
On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovic wrote: > I am new into pf configuration and I am curious if it is possible to add > some host into table in firewall rules if some conditions are met (not > if they are broken). I was thinking about some way to prevent port > scanning of machine and

[pf question] Positive condition for adding in the table?

2009-08-27 Thread Ivan Radovanovic
I am new into pf configuration and I am curious if it is possible to add some host into table in firewall rules if some conditions are met (not if they are broken). I was thinking about some way to prevent port scanning of machine and what came to me as obvious way to do it is this (in some pseudo

Re: simple PF question

2008-06-22 Thread Lars Noodén
Peter N. M. Hansteen wrote: > ... Hm. Might actually be a good idea to expose > learners to tcpdump a tad earlier. I used PF on OpenBSD for a small polytechnic course with the help of Peter's book. For most it was a first introduction to any of these tools or supporting tools or hands-on computin

Re: simple PF question

2008-06-21 Thread Peter N. M. Hansteen
Robert Gilaard <[EMAIL PROTECTED]> writes: > All the time I had the following entries in my pf.conf for my > Desktop system. However, as I've bought this pf book that was > lately released, I begin to suspect that these rules are way too > liberal. > > If I only want to be able to browse the web a

Re: simple PF question

2008-06-20 Thread Martin Toft
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote: > Hi folks, > > All the time I had the following entries in my pf.conf for my Desktop > system. > However, as I've bought this pf book that was lately released, I begin > to suspect that these rules are way too liberal. > > If I only

Re: simple PF question

2008-06-20 Thread Calomel
Robert, Your rule looks ok. You may want to add a variable for the port number so you can add or delete them as needed. Something like... ### Ports AllowOUT="{22, 80, 443}" ### Pass out interface pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate state flags S/SA Hope

simple PF question

2008-06-20 Thread Robert Gilaard
Hi folks, All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use ssh-client, how should I rewri

Re: multiple routing tables & pf question

2007-06-15 Thread ben
Also, I forgot that NAT happens before filtering. That makes what I'm trying to do here more complicated if not impossible. Maybe I should just use route-to :-)

multiple routing tables & pf question

2007-06-15 Thread ben
I have two ISPs on two nics on my router/firewall and I use some route-to rules to make traffic nat out on a specific interface and gateway. Similar to the set-up described here: http://www.openbsd.org/faq/pf/pools.html#outgoing Instead of using route-to, can I set up a second route (eg: route -T

Re: basic pf question without NAT or rdr

2007-06-01 Thread Boudewijn Ector
Boudewijn Ector wrote: > Hi there, > > > I've been using openBSD for some months now, for example on my office > router which uses NAT (based on a tweaked example config from the FAQ). > This works really great! > > But now I'm designing a firewall which is not used for any routing, and > will be

basic pf question without NAT or rdr

2007-05-31 Thread Boudewijn Ector
Hi there, I've been using openBSD for some months now, for example on my office router which uses NAT (based on a tweaked example config from the FAQ). This works really great! But now I'm designing a firewall which is not used for any routing, and will be run on a machine having just one NIC. S

Re: layer 2 pf question

2007-04-18 Thread Siju George
On 4/18/07, poncenby <[EMAIL PROTECTED]> wrote: Dear list, What do openbsd users do when they need to filter/redirect traffic based on layer 2 addresses? I'm using 4.0 generic on a 386. http://www.openbsd.org/faq/faq6.html#Bridge for MAC address filtering using PF. http://bio3d.colorado.ed

layer 2 pf question

2007-04-17 Thread poncenby
Dear list, What do openbsd users do when they need to filter/redirect traffic based on layer 2 addresses? I'm using 4.0 generic on a 386. Many thanks poncenby

PF question.

2006-12-28 Thread Der Engel
Hi, I have the below rule set in my firewall, both internal networks can access the Internet and both internal networks can see each other, how can i prevent each internal network from seeing each other? I have tried various rule sets with no luck, any advice is appreciated. Thanks, Der # macr

PF question

2006-11-26 Thread Sylwester S. Biernacki
Hello all, I was looking for a ipfw looking-like statement in PF: ipfw add 10 fwd ip_proxy,proxy_port from 192.168.1.0/24 to any 25 via fxp0 Is it possible to forward packet to some destination in the same subnet without changing SRC/DST_ADDRESS ? I RTFMed but haven't found anythi

Re: Configuring remote access and a pf question

2006-09-01 Thread Stuart Henderson
> I have a home network set up with an OpenBSD gateway which is bridged to an > ADSL router, two Windows XP machines and assortment of old boxes I play > around with, and a few IP's available to me. What I want is remote access > back to my windows boxes probably using VNC, and to be able to ssh to

Re: Configuring remote access and a pf question

2006-09-01 Thread Bill
On Fri, 1 Sep 2006 21:41:18 +0800 "mop" <[EMAIL PROTECTED]> spake: > Hi > > I have a home network set up with an OpenBSD gateway which is bridged to an > ADSL router, two Windows XP machines and assortment of old boxes I play > around with, and a few IP's available to me. What I want is remote acc

Re: Configuring remote access and a pf question

2006-09-01 Thread Joachim Schipper
er-DNS. Not that VNC would be a pleasant experience over such a link... > Now to the pf question. My policy for everything blocked from entering the > network is that it is dropped with no reply. I have several ports forwarded > to my Windows box, mainly for file sharing over IRC so they a

Re: Configuring remote access and a pf question

2006-09-01 Thread viq
his? I have survived this far without it, but it would be nice to have. Can I do it without it showing up in a port scan? Now to the pf question. My policy for everything blocked from entering the network is that it is dropped with no reply. I have several ports forwarded to my Windows box, mainly for f

Configuring remote access and a pf question

2006-09-01 Thread mop
ld be nice to have. Can I do it without it showing up in a port scan? Now to the pf question. My policy for everything blocked from entering the network is that it is dropped with no reply. I have several ports forwarded to my Windows box, mainly for file sharing over IRC so they are only open when I

Re: PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-10 Thread Joris Van Herzele
Steve Welham wrote: The block policy only applies to the "block" rule. In this case the icmp unreachable is matching state since it is corresponding icmp traffic as noted in the PF FAQ http://www.openbsd.org/faq/pf/filter.html#state That indeed makes a lot of sense :) Thank you both for your

Re: PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-10 Thread Steve Welham
> # tcpdump -n -i sis2 'icmp' > 19:21:05.848459 wan_if.ip > external.host: icmp: echo request > 19:21:05.868202 external.host > wan_if.ip: icmp: echo reply > 19:21:05.868499 wan_if.ip > external.host: icmp: host wan_if.ip unreachable > > I was obviously expecting the first two lines but I assumed

PF question : set block-policy drop : spoofed ip (NAT'ed) elicits icmp unreachable

2006-05-09 Thread Joris Van Herzele
Hi everyone, I was playing a bit with OpenBSD's PF and noticed something I did not expect. I assume I am missing something quite obvious. The basic /etc/pf.conf I created for home use is included at the end of the mail. From a client on $lan_if:network I spoofed a non existing host on

Re: pf question - solved

2006-02-03 Thread Ray Lai
On Thu, Feb 02, 2006 at 05:59:54PM -0500, Dave Feustel wrote: > I found the solution in the pf faq: skip lo0. > This rule is not mentioned in Artymiak's book > which I had been reading. I will now read the > complete pf faq to see what I have not been > aware of. You can also do ``set skip on lo'

pf question - solved

2006-02-02 Thread Dave Feustel
I found the solution in the pf faq: skip lo0. This rule is not mentioned in Artymiak's book which I had been reading. I will now read the complete pf faq to see what I have not been aware of. Dave Feustel

pf question

2006-02-02 Thread Dave Feustel
After getting pf working with a "block in all" rule, I am now trying to add a rule to allow local and internet access to my webserver. I have been able to access the web server from a computer on a subnet, I copied a rule from the OpenBSD pf faq which would seem to accomplish this, (see ruleset

Re: pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-15 Thread NetNeanderthal
On 1/14/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote: > I didn't spend too much time on this one, but I think the above should > give you an idea as to how to go about it. Might work just as is if you > add the ports you want to protect inside your LAN, or may need some > minor changes, but it is su

Re: pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-14 Thread Daniel Ouellet
Sebastian Rother wrote: Hello everybody, PF offers a great OS-Detection which enables me to block all Packets from NMAP (OS: NMAP). But I thought about another problem. How can I drop the IP of an nmap-scanning computer into a table? Such an overload-option (like for max-src-conn) would be very

pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-14 Thread Sebastian Rother
Hello everybody, PF offers a great OS-Detection which enables me to block all Packets from NMAP (OS: NMAP). But I thought about another problem. How can I drop the IP of an nmap-scanning computer into a table? Such an overload-option (like for max-src-conn) would be very neat because a host which

Re: pf question

2005-12-29 Thread Greg Thomas
On 12/29/05, Dave Feustel <[EMAIL PROTECTED]> wrote: > On Thursday 29 December 2005 20:27, David Higgs wrote: > > You're either the victim of a truncated display or lacking in > > fundamental DNS knowledge. > > I definitely lack knowledge of DNS right now. > > > [EMAIL PROTECTED] host 5.191.160.66

Re: pf question

2005-12-29 Thread Dave Feustel
On Thursday 29 December 2005 20:27, David Higgs wrote: > You're either the victim of a truncated display or lacking in > fundamental DNS knowledge. I definitely lack knowledge of DNS right now. > [EMAIL PROTECTED] host 5.191.160.66 > Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN) > [EMAI

Re: pf question

2005-12-29 Thread David Higgs
You're either the victim of a truncated display or lacking in fundamental DNS knowledge. [EMAIL PROTECTED] host 5.191.160.66 Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN) [EMAIL PROTECTED] host dedicated5.thehideout.net Host dedicated5.thehideout.net not found: 3(NXDOMAIN) [EMAIL PROTECTED

Re: pf question

2005-12-29 Thread Pete Vickers
Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then tag them for pf, see example here: http://www.cymru.com/BGP/bogon-rs.html /Pete On 29. des. 2005, at 18.32, eric wrote: On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed... Has anyone on the list experience

Re: pf question

2005-12-29 Thread Dave Feustel
On Thursday 29 December 2005 12:32, eric wrote: > Re: pf question I just noticed that it's 5.0.0.0/8, not 5.0.0.0/24. -- Lose, v., experience a loss, get rid of, "lose the weight" Loose, adj., not tight, let go, free, "loose clothing"

Re: pf question

2005-12-29 Thread Dave Feustel
from http://www.liquifried.com/docs/security/reservednets.html "For security purposes, reserved addresses should be prevented from both entering and leaving a network (i.e. ingress and egress filtering). Ideally, this filtering will be multi-layer in nature; at a minimum, this sort of filterin

Re: pf question

2005-12-29 Thread eric
On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed... > Has anyone on the list experience with using pf to > block ip addresses in the iana reserved ip address ranges list? I don't think any of us have ever thought of that. Oh wait..I may have... run this out of cron weekly #!/bin/sh
