On 2023-11-22, Ian Timothy wrote:
> Hello,
>
> I have two ISPs where one connection is primary and the other is
> low-bandwidth for temporary failover only. ifstated handles the failover by
> simply changing the default gateway. But under normal conditions I want to be
> able to connect via
Hello,
I have two ISPs where one connection is primary and the other is low-bandwidth
for temporary failover only. ifstated handles the failover by simply changing
the default gateway. But under normal conditions I want to be able to connect
via either connection at any time without changing
(Sorry, I just realized I replied to just your email address, replying
again to the mailing list this time.)
On 2023-08-16 10:05, Stuart Henderson wrote:
> wireguard-tools is not required, everything you need for wg(4) is in
> the base OS.
Oh, I didn't know that.
In that case, valid point.
>
Hi,
I appreciate the valuable advice you provided about pf rules in
OpenBSD. I am currently away on a trip, but once I return, I will
thoroughly test those rules and provide you with feedback.
On Wed, Aug 16, 2023 at 3:50 PM Stuart Henderson
wrote:
>
> On 2023-08-14, SOUBHEEK NATH
On 2023-08-14, SOUBHEEK NATH wrote:
> 2. Please have a look at the configuration I have implemented.
>
> pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> block in on wg0 proto tcp from any to any port {22 80}
> block in quick on bwfm0 proto tcp from any to any
On Mon, Aug 14, 2023 at 05:54:55PM +0530, SOUBHEEK NATH said:
2. Please have a look at the configuration I have implemented.
pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
block in on wg0 proto tcp from any to any port {22 80}
block in quick on bwfm0 proto tcp
Hello,
The solution you both provided worked well.
1. I do not use nano! I use the vi editor for my tasks.
2. Please have a look at the configuration I have implemented.
pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
block in on wg0 proto tcp from any to any
On 2023-08-13 12:17, Stuart Henderson wrote:
> >https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
>
> what a mess of things from the base OS and unneeded third-party tools.
>
List of tools:
wireguard-tools (required), nano (vim would have been enough), and the
rest is
given that using a WireGuard VPN makes sense if the server
> > > is remote and normally accessible from the outside, and you want to make
> > > it only accessible from the inside.
> > >
> > > As for your WireGuard config, you might want to add the Address to
>Based on my understanding of the OpenBSD PF-Packet filtering document
>(https://www.openbsd.org/faq/pf/filter.html), the intention of this
>pf rule is to allow only the IP address 10.0.8.4 to access ports 22
>and 80. However, currently both machines with IP addresses 10.0.8.2
>
> Not necessarily required to get it working, but would still add an extra
> > layer of security if you generate a preshared key on each peer, then on
> > both your server and peers:
> > [Peer]
> > ...
> > PreSharedKey = (output)
> > ...
> >
> >
BHEEK NATH wrote:
> > Dear OpenBSD Mailing List Community,
> >
> > I hope this email finds you well. I am writing to seek your expertise
> > and guidance regarding a Wireguard VPN configuration and pf rules on my
> > OpenBSD 7.3 system. I have successfully set
s):
wg genpsk > preshared.key
On 2023-08-12 20:30, SOUBHEEK NATH wrote:
> Dear OpenBSD Mailing List Community,
>
> I hope this email finds you well. I am writing to seek your expertise
> and guidance regarding a Wireguard VPN configuration and pf rules on my
> OpenBSD 7.3 sys
Dear OpenBSD Mailing List Community,
I hope this email finds you well. I am writing to seek your expertise
and guidance regarding a Wireguard VPN configuration and pf rules on my
OpenBSD 7.3 system. I have successfully set up a Wireguard VPN using
the provided interface configuration, and the VPN
wrote:
> For added clarity, this tcpdump you show is with pf disabled and all
> its rules flushed. The tcpdump you showed in the initial e-mail
> clearly was with active pf rules.
Dude, it is _literally_ the same trace output.
If you feel the need to try to help people, maybe calm
p.
For added clarity, this tcpdump you show is with pf disabled and all
its rules flushed. The tcpdump you showed in the initial e-mail
clearly was with active pf rules.
In the event that you require some form of traffic manipulation (e.g.,
NAT), then obviously you cannot disable pf. In that situatio
On Tue, Jul 04, 2023 at 10:42:39AM -0600, Zack Newman wrote:
> ...
> I am guessing you didn't flush the rules after disabling pf since
> clearly pf rules are still being used. Run pfctl -F all after disabling
> pf. Run pfctl -s all to verify there are no active rules.
Hi,
tch) block in on
em0:
192.168.178.11.9609 > 255.255.255.255.3289: udp 15 [ttl 1] Jul 04
11:23:46.155868
rule 2/(match) block in on em0: 192.168.178.11.39413 > 255.255.255.255.1124:
udp 37
I am guessing you didn't flush the rules after disabling pf since
clearly pf rules are still bein
Hi All,
I just noticed that "simple-scan" no longer discovers my scanner.
While trying to debug the issue, it occurred to me that it could be a
network / pf problem. This doesn't seem to be the issue though, even
after I disable pf (pfctl -d), the scanner is still not seen.
However, running
hello,
barbarosb...@gmail.com (Barbaros Bilek), 2022.12.17 (Sat) 15:07 (CET):
> On Sat, Dec 17, 2022 at 4:40 PM Cristian Danila wrote:
> > Thanks for the provided info, now it makes sense about what is happening.
> > Any idea about a possible way to control these packets?
> > Still
I was just thinking about it, I will try it.
Many thanks and have a wonderful day!
On Sat, Dec 17, 2022 at 4:07 PM Barbaros Bilek wrote:
>
> Hello Cristian,
>
> If you put your physical interface into veb(4) and set link1 flag you can
> filter dhcp packets.
> For more please read man veb
>
Hello Cristian,
If you put your physical interface into veb(4) and set link1 flag you can
filter dhcp packets.
For more please read man veb
Have a nice weekend.
--
Best Regards
Barbaros
On Sat, Dec 17, 2022 at 4:40 PM Cristian Danila wrote:
> Thanks for the provided info, now it makes sense
Thanks for the provided info, now it makes sense about what is happening.
Any idea about a possible way to control these packets?
Still investigating but I have not yet found a way to do it.
Thank you.
On Sat, Dec 17, 2022 at 3:11 PM David Gwynne wrote:
>
> dhcpd reads packets off the wire
dhcpd reads packets off the wire using BPF, which happens as packets come off
the network interface, but before the IP stack where pf runs.
> On 17 Dec 2022, at 22:40, Cristian Danila wrote:
>
> Good day!
> I finished setting up a DHCP server and for some reason it seems the DHCP
> server is ignoring
Good day!
I finished setting up a DHCP server and for some reason it seems the DHCP
server is ignoring the PF filter.
In short, in PF I have only one active rule:
block drop quick all
Double-checked PF and it is enabled.
So, using a Windows machine to test the DHCP server:
1) ifconfig /release
2) ifconfig /renew
Hi,
On 07/12/2022 18:36, Peter N. M. Hansteen wrote:
...> and can now be found at
https://nxdomain.no/~peter/ripe2cidr_country.sh.txt --
as it says in the script itself, a trivial hack.
And I might add, it comes with *NO* warranties of any kind.
I think instead of :
grep allocated
in the
On 2022-12-07, Peter N. M. Hansteen wrote:
> On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>>
>> Has anybody created rules such as this and if so, do you have an example?
>
> As others have already indicated, the PF way to do anything like this would be
> to generate a list of
On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>
> Has anybody created rules such as this and if so, do you have an example?
As others have already indicated, the PF way to do anything like this would be
to generate a list of addresses and networks you want to address (block in
On Wed, 7 Dec 2022 at 08.55 Damian McGuckin wrote:
>
> Has anybody created rules such as this and if so, do you have an example?
>
> Stay safe - Damian
>
Check this example:
https://www.muntaza.id/pf/2020/02/03/pf-firewall-bagian-kedua.html
I wrote it in Indonesian; you can use Google Translate.
Take a look at PF-Badhost.
Here is a decent write-up:
https://undeadly.org/cgi?action=article;sid=20210119113425
Craig
> On Dec 6, 2022, at 18:28, Damian McGuckin wrote:
>
>
> Has anybody created rules such as this and if so, do you have an example?
>
> Stay safe - Damian
>
> Pacific
Considering you solved the issue with getting all IPs
for a given country correctly (and perhaps updating it sometimes):
1. Dump all IP addresses/ranges into a file (eg. blocked.ips)
2. add table file /path/to/blocked.ips
add "persist" if you want.
3. create rule to block all incoming
Has anybody created rules such as this and if so, do you have an example?
Stay safe - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of
On Sat, Jul 10, 2021, at 11:30 AM, Stuart Henderson wrote:
> On 2021-07-10, Peter Nicolai Mathias Hansteen wrote:
> > For whatever reason your pf.conf did not parse to a valid config, so rc’s
> > own default rules were kept in place.
>
> Yep. dmesg -s might give a clue.
Thank you both, I
On 2021-07-10, Peter Nicolai Mathias Hansteen wrote:
> For whatever reason your pf.conf did not parse to a valid config, so rc’s own
> default rules were kept in place.
Yep. dmesg -s might give a clue.
> On 10 Jul 2021 at 05:11, Allan Streib wrote:
>
> Hi,
>
> I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for
> some reason, and when I logged in and realized the uptime had changed, I
> checked the pf rules out of curiosity since I have been exp
Hi,
I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for some
reason, and when I logged in and realized the uptime had changed, I checked the
pf rules out of curiosity since I have been experimenting with pf. These rules
are very different from what is in /etc/pf.conf
On Sun, 26 Apr 2020 13:54:27 +0200, Jan Stary wrote:
> Is there a recommended way to deal with this?
If I correctly understood your problem, the solution:
(from pf.conf(5))
> Host name resolution and interface to address translation are
> done at ruleset load-time. When the address of an
This is current/amd64 on an APU2.
The machine is connected via pppoe over vlan over em as follows:
$ ifconfig em0
em0: flags=8843 mtu 1500
lladdr 00:0d:b9:56:5e:fc
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex)
status: active
$
Nick,
Indeed Working.
Thanks.
>>
>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>>
>
> Neither can I believe I had forgotten it, but I think you nailed it.
> Will test Monday and let you know.
>
> Thanks in advance.
>
> -fm
>
>>
>> tcpdump of a successful test connection:
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>
Neither can I believe I had forgotten it, but I think you nailed it.
Will test Monday and let you know.
Thanks in advance.
-fm
>
> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r
On 2/14/2020 11:21 AM, Fabio Martins wrote:
I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.
Unfortunately still no success.
# pf.conf:
ext_if="xnf0"
match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.
Unfortunately still no success.
# pf.conf:
ext_if="xnf0"
match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80
match out log on
Hi Fabio (xará),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag
On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,
Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.
#1
match in on $ext_if proto tcp from
Hi Nick,
Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.
#1
match in on $ext_if proto tcp from to ($ext_if) port 25 \
rdr-to 200.200.200.200
Hi Fabio,
I believe this will do what you want, seemed to work in quick testing
here, adjust to suit your environment.
match in on $ext_if proto tcp from to ($ext_if) port 25
rdr-to 200.200.200.200 port
match out on $ext_if proto tcp to 200.200.200.200 port received-on
$ext_if
Hi,
I am trying to redirect + NAT incoming packets without the need of a TCP
Proxy.
Currently I have the following setup to redirect hosts abusing SMTP to an
email trap:
inetd listening on 127.0.0.1:8000 and redirecting to an external host
# inetd.conf
127.0.0.1:8000 stream tcp nowait
Hello,
Functionally pf is OK: packets are blocked or passed as expected. But when
I use systat for live examination of what happens among the rules, there is
no hit on match rules with an IP list, while there is on the relevant block
rule.
Did someone notice such behaviour, or
On Thu, Jan 4, 2018 at 8:09 AM, Jon S wrote:
> This led to my first experiences with pf. After some work I came up with
> what's below. It works as I want it to work, but I wonder if there is a way
> to create a rule where incoming traffic to the internal NIC (re0) is
>
Marko: Thanks for your input. Your proposals got me thinking a few steps
further.
I now came up with the following solution which has all the properties I want:
pass in on re0 inet to !all:network
pass in on re0 inet to em0:network # Just in case we would need to interact
# with some other service
On Thu, 4 Jan 2018 14:09:50 +0100
Jon S wrote:
> Hello misc!
>
> My OpenBSD file server just became a router too (after getting a new
> internet connection where the provider does not include a router in
> the subscription).
If possible, I'd avoid combining file server
Hello misc!
My OpenBSD file server just became a router too (after getting a new
internet connection where the provider does not include a router in the
subscription).
This led to my first experiences with pf. After some work I came up with
what's below. It works as I want it to work, but I wonder
den...@mindall.org (Denis), 2017.12.30 (Sat) 13:15 (CET):
> Trying to make aggregation using two wireless interfaces on OpenBSD 6.1
> amd64 but unsuccessful.
>
> Both wireless interfaces successfully connect to their networks and have
these are different networks?
> DHCP assigned IP addresses.
>
--- Forwarded message ---
Subject: Re: trunk0 link aggregation interface and PF rules not working
Date: Sat, 30 Dec 2017 14:09:16 +0100
From: Krzysztof Strzeszewski <krz...@krzy.ch>
To: Denis <den...@mindall.org>
link aggregation uses at the s
Trying to make aggregation using two wireless interfaces on OpenBSD 6.1
amd64 but unsuccessful.
Both wireless interfaces successfully connect to their networks and have
DHCP assigned IP addresses.
Both configs are listed below:
$ cat /etc/hostname.iwn0
dhcp bssid BSSID_MAC nwid NWID wpa wpakey
On 08/26/16 14:55, Leo Silva wrote:
> I'd like some help with the following rules on pf.
> I'm trying to block all https requests outgoing from my network and unblock
> just some IPs.
> The blocked IPs are allowed to access specifics sites that are placed in files
> with the domain names that I
and
unblocked_sites files.
The pf rules:
antispoof for bge0
antispoof for bge1
set block-policy drop
set skip on lo
it_ips="{ 192.168.255.35, 192.168.255.36, 192.168.255.20 }"
tcp_services="{ 20 21 25 80 110 143 465 587 993 1020 3389 5223 5310 8017 8080
8081 22000 }"
udp_service
On another occasion when Master Foo gave public instruction, an end
user, having heard tales of the Master's wisdom, came to him for
guidance.
He bowed three times to Master Foo. “I wish to learn the Great Way of
Unix,” he said “but the command line confuses me.”
Some of the onlooking neophytes
> On Mar 30, 2016, at 10:58 PM, Adam Smith wrote:
>
> Are you the owner of misc@openbsd.org?
>
>> --- dera...@cvs.openbsd.org wrote:
>>
>> From: Theo de Raadt
>> To: ken...@dcemail.com
>>
>>> I know. Do you have proof that I hadn't put in my
Hi there,
>--- jub...@fastmail.com wrote:
>
>From: Jubjub Jenkins <jub...@fastmail.com>
>To: Adam Smith <ken...@dcemail.com>
>Cc: misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 11:25:12 -0700
>
>
>The list owners are f
> I know. Do you have proof that I hadn't put in my minimum effort
> before jumping to conclusions?
Please stop picking fights with people.
The best approach is to leave the list.
misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 20:39:57 -0600
>
>> I know. Do you have proof that I hadn't put in my minimum effort
>> before jumping to conclusions?
>>
>Please stop picking fights with people.
>
>The best approach is to leave the list.
http://www.DCpages.com
>--- rczlo...@gmail.com wrote:
>
>From: Raf Czlonka <rczlo...@gmail.com>
>To: Adam Smith <ken...@dcemail.com>
>Cc: Marko Cupać <marko.cu...@mimar.rs>, misc@openbsd.org
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 20:10:37 +0100
>
>
On 30/03/16 17:05, Adam Smith wrote:
Hi Marko
In the rule below:
vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}"
a. Must there be a space each before and after the = sign?
b. Must there be a space after the opening curly bracket and before the first
IP
" <ken...@dcemail.com>
> >Cc: <misc@openbsd.org>
> >Subject: Re: Syntax error in pf rules
> >Date: Wed, 30 Mar 2016 16:53:38 +0200
> >
> >
> >
> >There. I hope by posting this I didn't turn openbsd's misc@ into
> >askubuntu :)
>
>
On Wed, Mar 30, 2016, at 08:47 AM, Adam Smith wrote:
> Does it matter if misc@openbsd.org is an askubuntu of sorts?
>
Yes, first off you have to understand that Ubuntu is geared towards the
retard market
that is why most of their userbase are refereed to as "Ubuntards". As
such, askubuntu
is for
: misc@openbsd.org
>Cc: <ken...@dcemail.com>
>Subject: Re: Syntax error in pf rules
>Date: Wed, 30 Mar 2016 10:02:40 +0200
>
>
>As a side note, commas in pf macros appear to be optional. I prefer not
>to have them - they don't make rules more readable while consuming
>character space.
Hi Marko
Thank you for your detailed clarification. I really benefited from it.
>--- marko.cu...@mimar.rs wrote:
>
>From: Marko Cupać <marko.cu...@mimar.rs>
>To: "Adam Smith" <ken...@dcemail.com>
>Cc: <misc@openbsd.org>
>Subject: Re: Syntax erro
On Wed, 30 Mar 2016 07:05:56 -0700
"Adam Smith" wrote:
> Hi Marko
>
> In the rule below:
>
>
vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}"
>
>
> a. Must there be a space each before and after the = sign?
> b. Must there be a space after
On Tue, 29 Mar 2016 08:45:11 -0700
"Adam Smith" <ken...@dcemail.com> wrote:
> Hi guys
>
> I have a syntax error in my pf rules. I hope you can help me fix it.
>
> Thanks.
>
> Adam
>
>
>
> -snippet of my pf rules-
>
> #This is where
ail.com>
>> To: ken...@dcemail.com
>> Cc: OpenBSD Misc <misc@openbsd.org>
>> Subject: Re: Syntax error in pf rules
>> Date: Tue, 29 Mar 2016 08:55:32 -0700
>>
>> Per http://www.openbsd.org/faq/pf/macros.html
>>
>> It looks like your list
On 29/03/16 20:24, Adam Smith wrote:
Thanks, Taru, your solution works.
Adam
--- letcher.r...@gmail.com wrote:
From: Letcher Ross <letcher.r...@gmail.com>
To: ken...@dcemail.com
Cc: OpenBSD Misc <misc@openbsd.org>
Subject: Re: Syntax error in pf rules
Date: Tue, 29 Mar 2016 08
Hi Bryan
Thanks for the link.
Yes, I am using the latest snapshot of OpenBSD.
Regards.
Adam
>--- br...@bsdjournal.net wrote:
>
>From: Bryan Vyhmeister <br...@bsdjournal.net>
>To: misc@openbsd.org
>Subject: Re: (2nd) Syntax error with pf rules
>Date: Tue, 29 Mar 2016 10
On Tue, Mar 29, 2016, at 10:26 AM, Adam Smith wrote:
> set debug urgent
>
> comes with the following error message:
>
> pfctl: unknown debug level "urgent"
> /etc/pfcustom.conf 13: error setting debuglevel "urgent"
> pfctl: Syntax error in config file: p
Hi guys,
I have another syntax error with one of my pf rules that I hope you will be
able to fix.
Thanks.
Adam
-
The rule:
set debug urgent
comes with the following error message:
pfctl: unknown debug level "urgent"
/etc/pfcust
Thanks, Taru, your solution works.
Adam
--- letcher.r...@gmail.com wrote:
From: Letcher Ross <letcher.r...@gmail.com>
To: ken...@dcemail.com
Cc: OpenBSD Misc <misc@openbsd.org>
Subject: Re: Syntax error in pf rules
Date: Tue, 29 Mar 2016 08:55:32 -0700
Per http://www.openbs
On Tue, Mar 29, 2016 at 10:26:36AM -0700, Adam Smith wrote:
> Hi guys,
>
> I have another syntax error with one of my pf rules that I hope you will be
> able to fix.
>
> Thanks.
>
> Adam
>
> -
>
> The ru
A much better approach is to do:
$ man pf.conf
This and the previous question will be easily answered by reading the
manual page.
-luis
On Tue, Mar 29, 2016 at 11:26 AM, Adam Smith <ken...@dcemail.com> wrote:
> Hi guys,
>
> I have another syntax error with one of my pf rules
Hi guys
>
> I have a syntax error in my pf rules. I hope you can help me fix it.
>
> Thanks.
>
> Adam
>
>
>
> -snippet of my pf rules-
>
> #This is where I change or add different IP addresses of VPN gateways
>
> vpnip="77.90.247.88, 112.119.19
Hi guys
I have a syntax error in my pf rules. I hope you can help me fix it.
Thanks.
Adam
-snippet of my pf rules-
#This is where I change or add different IP addresses of VPN gateways
vpnip="77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
66.85.14.205, 54.201.11
On 01/10/16 12:40, Gianluca D.Muscelli wrote:
Hi, I do not understand, I'm blocking some IP with these PF rules:
[ ... ]
pass in quick on egress proto tcp \
from \
to (egress) port smtp \
rdr-to 127.0.0.1 port spamd
pass out quick on egress proto tcp to any port smtp
On Sun, 10 Jan 2016 13:36:44 +0100
"Peter N. M. Hansteen" <pe...@bsdly.net> wrote:
> On 01/10/16 12:40, Gianluca D.Muscelli wrote:
> > Hi, I do not understand, I'm blocking some IP with these PF rules:
>
> [ ... ]
>
> > pass in qui
Hi, I do not understand, I'm blocking some IP with these PF rules:
table persist
table persist
table persist file "/var/db/blacklist"
block in log
block in quick from urpf-failed label uRPF
pass out all modulate state
pass in quick inet proto icmp icmp-type { echoreq, unreach }
Hi all,
I have a strange problem. Every time that I try to reload my pf rules I see
the following error message:
pfctl: DIOCADDRULE: Device busy.
I am using OpenBSD 5.8 amd64 fully patched.
Any idea??
On 01/02/2016 08:33 AM, C. L. Martinez wrote:
Hi all,
I have a strange problem. Every time that I try to reload my pf rules I
see the following error message:
pfctl: DIOCADDRULE: Device busy.
I am using OpenBSD 5.8 amd64 fully patched.
Any idea??
Sorry for the noise. There was an error
Yo,
I'm somewhat used to set up OpenBSD gateways serving dhcp and doing dns
resolving/caching for local networks. However, when attempting to set up
a transparent filtering bridge between my ISP and my LAN, I run into
problems with unbound and pf.
The clients behind the bridge will get their
On 11/01/15 11:51, Marco Prause wrote:
> Hi Piotr,
>
> just a guess, but you might hit some path mtu discovery issue.
> On customer paths with e.g. mtu less than 1500 it should help to
> discover the minimal mtu and while blocking the don't fragment bit,
> which is used for pmtud, pmtud won't
Hi,
I'm using OpenBSD 5.8 on a Ubiquiti Edgerouter Lite. It works great,
except that my customers reported that some websites don't work for them
(I've verified that it's true).
My /etc/pf.conf is:
int_if="{ vether0 cnmac1 cnmac2 }"
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
trunk0.vlan15 - vlan 15
So, can one of you help me understand how I can write the pf rules to allow
communication between em1 and vlan 12/15 or communication between vlan 12
and vlan 15 etc.
Please let me know.
Thanks,
dot
how I can write the pf rules to allow
communication between em1 and vlan 12/15 or communication between vlan 12
and vlan 15 etc.
Please let me know.
Thanks,
dot
On 19-08-2015 16:50, Dot Yet wrote:
So, can one of you help me understand how I can write the pf rules to allow
communication between em1 and vlan 12/15 or communication between vlan 12
and vlan 15 etc.
If all machines have OpenBSD as their gateway, simple pass rules should
do. No need
On 19-08-2015 18:25, Dot Yet wrote:
The machines are all pointing to the openbsd server as their default
gateway.
Nice.
the nat is only being used to get out to the internet (em0). internal
subnets do not use nat to communicate.
So you have the setup I outlined.
I don't want to use any
to allow or deny the traffic.
I'll read through some more docs to gain more information.
Thanks Giancarlo!
On Wed, Aug 19, 2015 at 5:14 PM, Giancarlo Razzolini grazzol...@gmail.com
wrote:
On 19-08-2015 16:50, Dot Yet wrote:
So, can one of you help me understand how I can write the pf
, but I was thinking the rdr-to rule was
wrong so I looked at spamd(8) and it shows a divert-to rule instead. When
I change it to divert-to I get the following error:
# pfctl -vf /etc/pf.conf
/etc/pf.conf:19: address family mismatch for divert
pfctl: Syntax error in config file: pf rules
mismatch for divert
pfctl: Syntax error in config file: pf rules not loaded
What should I do to fix this? Is the rdr-to rule sufficient or do I need
to change it?
Depends. 5.7 and prior used rdr-to; and -current switched to divert-to.
Note that the address family mismatch error is because 5.7
) and it shows a divert-to rule instead. When
I change it to divert-to I get the following error:
# pfctl -vf /etc/pf.conf
/etc/pf.conf:19: address family mismatch for divert
pfctl: Syntax error in config file: pf rules not loaded
What should I do to fix this? Is the rdr-to rule sufficient
-to rule instead. When I
change it to divert-to I get the following error:
# pfctl -vf /etc/pf.conf
/etc/pf.conf:19: address family mismatch for divert
pfctl: Syntax error in config file: pf rules not loaded
What should I do to fix this? Is the rdr-to rule sufficient or do I need to
change
the rdr-to rule was
wrong so I looked at spamd(8) and it shows a divert-to rule instead. When I
change it to divert-to I get the following error:
# pfctl -vf /etc/pf.conf
/etc/pf.conf:19: address family mismatch for divert
pfctl: Syntax error in config file: pf rules not loaded
What
error in config file: pf rules not loaded
What should I do to fix this? Is the rdr-to rule sufficient or do I need to
change it?
Depends. 5.7 and prior used rdr-to; and -current switched to divert-to.
http://www.openbsd.org/faq/current.html#20150518
Thanks
I guess I missed that line
Actually this is a bit odd, can't reproduce it here on 5.5 or -current.