Re: PF Rules for Dual Upstream Gateways

2023-11-23 Thread Stuart Henderson
On 2023-11-22, Ian Timothy wrote: > Hello, > > I have two ISPs where one connection is primary and the other is > low-bandwidth for temporary failover only. ifstated handles the failover by > simply changing the default gateway. But under normal conditions I want to be > able to connect via

PF Rules for Dual Upstream Gateways

2023-11-22 Thread Ian Timothy
Hello, I have two ISPs where one connection is primary and the other is low-bandwidth for temporary failover only. ifstated handles the failover by simply changing the default gateway. But under normal conditions I want to be able to connect via either connection at any time without changing

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-17 Thread lain.
(Sorry, I just realized I replied to just your email address, replying again to the mailing list this time.) On 2023-08-16 10:05, Stuart Henderson wrote: > wireguard-tools is not required, everything you need for wg(4) is in > the base OS. Oh, I didn't know that. In that case, valid point. >

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-16 Thread SOUBHEEK NATH
Hi, I appreciate the valuable advice you provided about pf rules in OpenBSD. I am currently away on a trip, but once I return, I will thoroughly test those rules and provide you with feedback. On Wed, Aug 16, 2023 at 3:50 PM Stuart Henderson wrote: > > On 2023-08-14, SOUBHEEK NATH

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-16 Thread Stuart Henderson
On 2023-08-14, SOUBHEEK NATH wrote: > 2. Please have a look at the configuration I have implemented. > > pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80} > block in on wg0 proto tcp from any to any port {22 80} > block in quick on bwfm0 proto tcp from any to any

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-14 Thread Matthew Ernisse
On Mon, Aug 14, 2023 at 05:54:55PM +0530, SOUBHEEK NATH said: 2. Please have a look at the configuration I have implemented. pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80} block in on wg0 proto tcp from any to any port {22 80} block in quick on bwfm0 proto tcp

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-14 Thread SOUBHEEK NATH
Hello, The solution you both provided, worked well. 1. I do not use nano! I use the vi editor for my tasks. 2. Please have a look at the configuration I have implemented. pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80} block in on wg0 proto tcp from any to any

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread lain.
On 2023-08-13 12:17, Stuart Henderson wrote: > >https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/ > > what a mess of things from the base OS and unneeded third-party tools. > List of tools: wireguard-tools (required), nano (vim would have been enough), and the rest is

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread lain.
given that using a WireGuard VPN makes sense if the server > > > is remote and normally accessible from the outside, and you want to make > > > it only accessible from the inside. > > > > > > As for your WireGuard config, you might want to add the Address to

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread Stuart Henderson
>Based on my understanding of the OpenBSD PF-Packet filtering document >(https://www.openbsd.org/faq/pf/filter.html), the intention of this >pf rule is to allow only the IP address 10.0.8.4 to access ports 22 >and 80. However, currently both machines with IP addresses 10.0.8.2 >

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-13 Thread SOUBHEEK NATH
> Not necessarily required to get it working, but would still add an extra > > layer of security if you generate a preshared key on each peer, then on > > both your server and peers: > > [Peer] > > ... > > PreSharedKey = (output) > > ... > > > >

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-12 Thread lain.
BHEEK NATH wrote: > > Dear OpenBSD Mailing List Community, > > > > I hope this email finds you well. I am writing to seek your expertise > > and guidance regarding a Wireguard VPN configuration and pf rules on my > > OpenBSD 7.3 system. I have successfully set

Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-12 Thread lain.
s): wg genpsk > preshared.key On 2023-08-12 20:30, SOUBHEEK NATH wrote: > Dear OpenBSD Mailing List Community, > > I hope this email finds you well. I am writing to seek your expertise > and guidance regarding a Wireguard VPN configuration and pf rules on my > OpenBSD 7.3 sys

Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-12 Thread SOUBHEEK NATH
Dear OpenBSD Mailing List Community, I hope this email finds you well. I am writing to seek your expertise and guidance regarding a Wireguard VPN configuration and pf rules on my OpenBSD 7.3 system. I have successfully set up a Wireguard VPN using the provided interface configuration, and the VPN

Re: Question regarding pf rules: block in on em0: ...

2023-07-07 Thread Why 42? The lists account.
wrote: > For added clarity, this tcpdump you show is with pf disabled and all > its rules flushed. The tcpdump you showed in the initial e-mail > clearly was with active pf rules. Dude, it is _literally_ the same trace output. If you feel the need to try to help people, maybe calm

Re: Question regarding pf rules: block in on em0: ...

2023-07-06 Thread Zack Newman
p. For added clarity, this tcpdump you show is with pf disabled and all its rules flushed. The tcpdump you showed in the initial e-mail clearly was with active pf rules. In the event that you require some form of traffic manipulation (e.g., NAT), then obviously you cannot disable pf. In that situatio

Re: Question regarding pf rules: block in on em0: ...

2023-07-06 Thread Why 42? The lists account.
On Tue, Jul 04, 2023 at 10:42:39AM -0600, Zack Newman wrote: > ... > I am guessing you didn't flush the rules after disabling pf since > clearly pf rules are still being used. Run pfctl -F all after disabling > pf. Run pfctl -s all to verify there are no active rules. Hi,

Re: Question regarding pf rules: block in on em0: ...

2023-07-04 Thread Zack Newman
tch) block in on em0: 192.168.178.11.9609 > 255.255.255.255.3289: udp 15 [ttl 1] Jul 04 11:23:46.155868 rule 2/(match) block in on em0: 192.168.178.11.39413 > 255.255.255.255.1124: udp 37 I am guessing you didn't flush the rules after disabling pf since clearly pf rules are still bein

Question regarding pf rules: block in on em0: ...

2023-07-04 Thread Why 42? The lists account.
Hi All, I just noticed that "simple-scan" no longer discovers my scanner. While trying to debug the issue, it occurred to me that it could be a network / pf problem. This doesn't seem to be the issue though, even after I disable pf (pfctl -d), the scanner is still not seen. However, running

Re: DHCP server ignoring PF rules?

2022-12-17 Thread Marcus MERIGHI
hello, barbarosb...@gmail.com (Barbaros Bilek), 2022.12.17 (Sat) 15:07 (CET): > On Sat, Dec 17, 2022 at 4:40 PM Cristian Danila wrote: > > Thanks for the provided info, now it makes sense about what is happening. > > Any idea about a possible way to control these packets? > > Still

Re: DHCP server ignoring PF rules?

2022-12-17 Thread Cristian Danila
I was just thinking about it; I will try it. Many thanks and have a wonderful day! On Sat, Dec 17, 2022 at 4:07 PM Barbaros Bilek wrote: > > Hello Cristian, > > If you put your physical interface into veb(4) and set link1 flag you can > filter dhcp packets. > For more please read man veb >

Re: DHCP server ignoring PF rules?

2022-12-17 Thread Barbaros Bilek
Hello Cristian, If you put your physical interface into veb(4) and set link1 flag you can filter dhcp packets. For more please read man veb Have a nice weekend. -- Best Regards Barbaros On Sat, Dec 17, 2022 at 4:40 PM Cristian Danila wrote: > Thanks for the provided info, now it makes sense

Re: DHCP server ignoring PF rules?

2022-12-17 Thread Cristian Danila
Thanks for the provided info, now it makes sense about what is happening. Any idea about a possible way to control these packets? Still investigating, but I have not yet found a way to do it. Thank you. On Sat, Dec 17, 2022 at 3:11 PM David Gwynne wrote: > > dhcpd reads packets off the wire

Re: DHCP server ignoring PF rules?

2022-12-17 Thread David Gwynne
dhcpd reads packets off the wire using BPF, which happens as packets come off the network interface, but before the IP stack where pf runs. > On 17 Dec 2022, at 22:40, Cristian Danila wrote: > > Good day! > I finished setup an DHCP server and for some reason it seems DHCP > server is ignoring

DHCP server ignoring PF rules?

2022-12-17 Thread Cristian Danila
Good day! I finished setting up a DHCP server and for some reason it seems the DHCP server is ignoring the PF filter. In short, in PF I have only one active rule: block drop quick all Double checked PF and it is enabled. So using a Windows machine to test the DHCP server: 1) ifconfig /release 2) ifconfig /renew

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Frank Habicht
Hi, On 07/12/2022 18:36, Peter N. M. Hansteen wrote: ...> and can now be found at https://nxdomain.no/~peter/ripe2cidr_country.sh.txt -- as it says in the script itself, a trivial hack. And I might add, it comes with *NO* warranties of any kind. I think instead of : grep allocated in the

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Stuart Henderson
On 2022-12-07, Peter N. M. Hansteen wrote: > On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote: >> >> Has anybody created rules such as this and if so, do you have an example? > > As others have already indicated, the PF way to do anything like this would be > to generate a list of

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Peter N. M. Hansteen
On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote: > > Has anybody created rules such as this and if so, do you have an example? As others have already indicated, the PF way to do anything like this would be to generate a list of addresses and networks you want to address (block in

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Muhammad Muntaza
On Wed, 7 Dec 2022 at 08.55 Damian McGuckin wrote: > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - Damian > Check this example: https://www.muntaza.id/pf/2020/02/03/pf-firewall-bagian-kedua.html I write in Indonesian; you can use Google Translate

Re: PF rules to block out every IP from a given country

2022-12-06 Thread Craig Schulz
Take a look at PF-Badhost. Here is a decent write-up: https://undeadly.org/cgi?action=article;sid=20210119113425 Craig > On Dec 6, 2022, at 18:28, Damian McGuckin wrote: > > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - Damian > > Pacific

Re: PF rules to block out every IP from a given country

2022-12-06 Thread All
Considering you solved the issue with getting all IPs for a given country correctly (and perhaps updating it sometimes): 1. Dump all IP addresses/ranges into a file (eg. blocked.ips) 2. add table file  /path/to/blocked.ips add "persist" if you want. 3. create rule to block all incoming

PF rules to block out every IP from a given country

2022-12-06 Thread Damian McGuckin
Has anybody created rules such as this and if so, do you have an example? Stay safe - Damian Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037 Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here Views & opinions here are mine and not those of

Re: pf rules after crash

2021-07-10 Thread Allan Streib
On Sat, Jul 10, 2021, at 11:30 AM, Stuart Henderson wrote: > On 2021-07-10, Peter Nicolai Mathias Hansteen wrote: > > For whatever reason your pf.conf did not parse to a valid config, so rc’s > > own default rules were kept in place. > > Yep. dmesg -s might give a clue. Thank you both, I

Re: pf rules after crash

2021-07-10 Thread Stuart Henderson
On 2021-07-10, Peter Nicolai Mathias Hansteen wrote: > For whatever reason your pf.conf did not parse to a valid config, so rc’s own > default rules were kept in place. Yep. dmesg -s might give a clue.

Re: pf rules after crash

2021-07-10 Thread Peter Nicolai Mathias Hansteen
> On 10 Jul 2021 at 05:11, Allan Streib wrote: > > Hi, > > I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for > some reason, and when I logged in and realized the uptime had changed, I > checked the pf rules out of curiosity since I have been exp

pf rules after crash

2021-07-09 Thread Allan Streib
Hi, I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for some reason, and when I logged in and realized the uptime had changed, I checked the pf rules out of curiosity since I have been experimenting with pf. These rules are very different from what is in /etc/pf.conf
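
Added example, not code from this thread: a small shell helper that turns the thread's diagnosis (the file failed to parse, so rc's own fallback rules stayed loaded) into a check that runs before the reboot rather than after it. It parse-checks a pf.conf with pfctl -n, loads it only on success, and keeps a copy of the last file that loaded cleanly so there is something known-good to roll back to. The PFCTL override variable, the function names, the .last-good suffix and the logger tag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to load a pf.conf that does not
# parse, say so loudly, and keep the last file that did load, so the running
# ruleset never silently differs from what the admin thinks is in the file.
# PFCTL is overridable so the functions can be exercised without root/pf.
PFCTL="${PFCTL:-pfctl}"

# pf_safe_load FILE: parse-check FILE (pfctl -n loads nothing), then load it
# only on success and snapshot it as FILE.last-good.
# Exit status: 0 loaded, 1 syntax error or load failure, 2 unreadable file.
pf_safe_load() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "pf_safe_load: cannot read $conf" >&2
        return 2
    fi
    # pfctl prints the offending line number itself; we only add context.
    if ! "$PFCTL" -nf "$conf"; then
        echo "pf_safe_load: $conf failed to parse; ruleset left unchanged" >&2
        logger -t pf_safe_load "refusing to load $conf: syntax error" 2>/dev/null || :
        return 1
    fi
    if "$PFCTL" -f "$conf"; then
        cp "$conf" "$conf.last-good"
        return 0
    fi
    return 1
}

# pf_rollback FILE: reload the copy saved by the last successful pf_safe_load.
pf_rollback() {
    [ -r "$1.last-good" ] && "$PFCTL" -f "$1.last-good"
}

# Stand-alone use: pf_safe_load.sh /etc/pf.conf
if [ $# -gt 0 ]; then
    pf_safe_load "$1"
fi
```

Running the parse check from cron as well (pfctl -nf /etc/pf.conf never changes anything) catches the case the thread describes: a file edited weeks ago that only gets loaded again on the next unplanned reboot.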

Re: pf rules vs late pppoe0 setup

2020-04-26 Thread Daniel Jakots
On Sun, 26 Apr 2020 13:54:27 +0200, Jan Stary wrote: > Is there a recommended way to deal with this? If I correctly understood your problem, the solution: (from pf.conf(5)) > Host name resolution and interface to address translation are > done at ruleset load-time. When the address of an

pf rules vs late pppoe0 setup

2020-04-26 Thread Jan Stary
This is current/amd64 on an APU2. The machine is connected via pppoe over vlan over em as follows: $ ifconfig em0 em0: flags=8843 mtu 1500 lladdr 00:0d:b9:56:5e:fc index 1 priority 0 llprio 3 media: Ethernet autoselect (1000baseT full-duplex) status: active $

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-17 Thread Fabio Martins
Nick, indeed working. Thanks. >> >> May be a dumb question, but do you have net.inet.ip.forwarding=1 set? >> > > Neither can I believe I had forgotten it, but I think you nailed it. > Will test Monday and let you know. > > Thanks in advance. > > -fm > >> >> tcpdump of a successful test connection:

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-15 Thread Fabio Martins
> > May be a dumb question, but do you have net.inet.ip.forwarding=1 set? > Neither can I believe I had forgotten it, but I think you nailed it. Will test Monday and let you know. Thanks in advance. -fm > > tcpdump of a successful test connection: > c.c.c.c = remote test client on internet > r.r.r.r

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 11:21 AM, Fabio Martins wrote: I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \ rdr-to 129.128.5.194 port 80 match out log on

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (namesake), Apparently I achieved this with these rules: -- pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA" pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 6:30 AM, Fabio Martins wrote: Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from to ($ext_if) port 25 \ rdr-to 200.200.200.200

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Nick Gustas
Hi Fabio, I believe this will do what you want, seemed to work in quick testing here, adjust to suit your environment. match in on $ext_if proto tcp from to ($ext_if) port 25 rdr-to 200.200.200.200 port match out on $ext_if proto tcp to 200.200.200.200 port received-on $ext_if

Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Fabio Martins
Hi, I am trying to redirect + NAT incoming packets without the need for a TCP proxy. Currently I have the following setup to redirect hosts abusing SMTP to an email trap: inetd listening on 127.0.0.1:8000 and redirecting to an external host # inetd.conf 127.0.0.1:8000 stream tcp nowait

systat strange live display on pf rules activity.

2018-08-17 Thread Eric Huiban
Hello, Functionally pf is OK: packets are blocked or passed as expected. But when I use systat for live examination of what happens among the rules there is no hit on match rules with an IP list, while there is on the relevant block rule. Did someone notice such behaviour, or

Re: Simplifying pf-rules

2018-01-07 Thread Kenneth Gober
On Thu, Jan 4, 2018 at 8:09 AM, Jon S wrote: > This led to my first experiences with pf. After some work I came up with > what's below. It works as I want it to work, but I wonder if there is a way > to create a rule where incoming traffic to the internal NIC (re0) is >

Re: Simplifying pf-rules

2018-01-05 Thread Jon S
Marko: Thanks for your input. Your proposals got me thinking a few steps further. I now came up with the following solution which has all the properties I want: pass in on re0 inet to !all:network pass in on re0 inet to em0:network # Just in case we would need to interact # with some other service

Re: Simplifying pf-rules

2018-01-04 Thread Marko Cupać
On Thu, 4 Jan 2018 14:09:50 +0100 Jon S wrote: > Hello misc! > > My OpenBSD file server just became a router too (after getting a new > internet connection where the provider does not include a router in > the subscription). If possible, I'd avoid combining file server

Simplifying pf-rules

2018-01-04 Thread Jon S
Hello misc! My OpenBSD file server just became a router too (after getting a new internet connection where the provider does not include a router in the subscription). This led to my first experiences with pf. After some work I came up with what's below. It works as I want it to work, but I wonder

Re: trunk0 link aggregation interface and PF rules not working

2017-12-31 Thread Marcus MERIGHI
den...@mindall.org (Denis), 2017.12.30 (Sat) 13:15 (CET): > Trying to make aggregation using two wireless interfaces on OpenBSD 6.1 > amd64 but unsuccessful. > > Both wireless interfaces successfully connect to their networks and have these are different networks? > DHCP assigned IP addresses. >

Fwd: Re: trunk0 link aggregation interface and PF rules not working

2017-12-30 Thread Krzysztof Strzeszewski
--- Forwarded message --- Subject: Re: trunk0 link aggregation interface and PF rules not working Date: Sat, 30 Dec 2017 14:09:16 +0100 From: Krzysztof Strzeszewski <krz...@krzy.ch> To: Denis <den...@mindall.org> link aggregation uses at the s

trunk0 link aggregation interface and PF rules not working

2017-12-30 Thread Denis
Trying to make aggregation using two wireless interfaces on OpenBSD 6.1 amd64 but unsuccessful. Both wireless interfaces successfully connect to their networks and have DHCP assigned IP addresses. Both configs are listed below: $ cat /etc/hostname.iwn0 dhcp bssid BSSID_MAC nwid NWID wpa wpakey

Re: PF Rules

2016-08-26 Thread Peter N. M. Hansteen
On 08/26/16 14:55, Leo Silva wrote: > I'd like some help with the following rules on pf. > I'm trying to block all https requests outgoing from my network and unblock > just some IPs. > The blocked IPs are allowed to access specifics sites that are placed in files > with the domain names that I

PF Rules

2016-08-26 Thread Leo Silva
and unblocked_sites files. The pf rules: antispoof for bge0 antispoof for bge1 set block-policy drop set skip on lo it_ips="{ 192.168.255.35, 192.168.255.36, 192.168.255.20 }" tcp_services="{ 20 21 25 80 110 143 465 587 993 1020 3389 5223 5310 8017 8080 8081 22000 }" udp_service

Re: Syntax error in pf rules

2016-03-31 Thread Marko Cupać
On another occasion when Master Foo gave public instruction, an end user, having heard tales of the Master's wisdom, came to him for guidance. He bowed three times to Master Foo. “I wish to learn the Great Way of Unix,” he said “but the command line confuses me.” Some of the onlooking neophytes

Re: Syntax error in pf rules

2016-03-31 Thread Paul Suh
> On Mar 30, 2016, at 10:58 PM, Adam Smith wrote: > > Are you the owner of misc@openbsd.org? > >> --- dera...@cvs.openbsd.org wrote: >> >> From: Theo de Raadt >> To: ken...@dcemail.com >> >>> I know. Do you have proof that I hadn't put in my

Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Hi there, >--- jub...@fastmail.com wrote: > >From: Jubjub Jenkins <jub...@fastmail.com> >To: Adam Smith <ken...@dcemail.com> >Cc: misc@openbsd.org >Subject: Re: Syntax error in pf rules >Date: Wed, 30 Mar 2016 11:25:12 -0700 > > >The list owners are f

Re: Syntax error in pf rules

2016-03-30 Thread Theo de Raadt
> I know. Do you have proof that I hadn't put in my minimum effort > before jumping to conclusions? Please stop picking fights with people. The best approach is to leave the list.

Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
misc@openbsd.org >Subject: Re: Syntax error in pf rules >Date: Wed, 30 Mar 2016 20:39:57 -0600 > >> I know. Do you have proof that I hadn't put in my minimum effort >> before jumping to conclusions? >> >Please stop picking fights with people. > >The best approach is to leave the list. http://www.DCpages.com

Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
>--- rczlo...@gmail.com wrote: > >From: Raf Czlonka <rczlo...@gmail.com> >To: Adam Smith <ken...@dcemail.com> >Cc: Marko Cupać <marko.cu...@mimar.rs>, misc@openbsd.org >Subject: Re: Syntax error in pf rules >Date: Wed, 30 Mar 2016 20:10:37 +0100 > >

Re: Syntax error in pf rules

2016-03-30 Thread Kapetanakis Giannis
On 30/03/16 17:05, Adam Smith wrote: Hi Marko In the rule below: vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.236}" a. Must there be a space each before and after the = sign? b. Must there be a space after the opening curly bracket and before the first IP

Re: Syntax error in pf rules

2016-03-30 Thread Raf Czlonka
" <ken...@dcemail.com> > >Cc: <misc@openbsd.org> > >Subject: Re: Syntax error in pf rules > >Date: Wed, 30 Mar 2016 16:53:38 +0200 > > > > > > > >There. I hope by posting this I didn't turn openbsd's misc@ into > >askubuntu :) > >

Re: Syntax error in pf rules

2016-03-30 Thread Jubjub Jenkins
On Wed, Mar 30, 2016, at 08:47 AM, Adam Smith wrote: > Does it matter if misc@openbsd.org is an askubuntu of sorts? > Yes, first off you have to understand that Ubuntu is geared towards the retard market that is why most of their userbase are referred to as "Ubuntards". As such, askubuntu is for

Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
: misc@openbsd.org >Cc: <ken...@dcemail.com> >Subject: Re: Syntax error in pf rules >Date: Wed, 30 Mar 2016 10:02:40 +0200 > > >As a side note, commas in pf macros appear to be optional. I prefer not >to have them - they don't make rules more readable while consuming >character space. http://www.DCpages.com

Re: Syntax error in pf rules

2016-03-30 Thread Adam Smith
Hi Marko Thank you for your detailed clarification. I really benefited from it. >--- marko.cu...@mimar.rs wrote: > >From: Marko Cupać <marko.cu...@mimar.rs> >To: "Adam Smith" <ken...@dcemail.com> >Cc: <misc@openbsd.org> >Subject: Re: Syntax erro

Re: Syntax error in pf rules

2016-03-30 Thread Marko Cupać
On Wed, 30 Mar 2016 07:05:56 -0700 "Adam Smith" wrote: > Hi Marko > > In the rule below: > > vpnip="{72.201.193.25,84.211.50.249,77.90.247.88,118.157.115.10,218.147.117.2 36}" > > > a. Must there be a space each before and after the = sign? > b. Must there be a space after

Re: Syntax error in pf rules

2016-03-30 Thread Marko Cupać
On Tue, 29 Mar 2016 08:45:11 -0700 "Adam Smith" <ken...@dcemail.com> wrote: > Hi guys > > I have a syntax error in my pf rules. I hope you can help me fix it. > > Thanks. > > Adam > > > > -snippet of my pf rules- > > #This is where

Re: Syntax error in pf rules

2016-03-29 Thread Stuart Henderson
ail.com> >> To: ken...@dcemail.com >> Cc: OpenBSD Misc <misc@openbsd.org> >> Subject: Re: Syntax error in pf rules >> Date: Tue, 29 Mar 2016 08:55:32 -0700 >> >> Per http://www.openbsd.org/faq/pf/macros.html >> >> It looks like your list

Re: Syntax error in pf rules

2016-03-29 Thread Kapetanakis Giannis
On 29/03/16 20:24, Adam Smith wrote: Thanks, Taru, your solution works. Adam --- letcher.r...@gmail.com wrote: From: Letcher Ross <letcher.r...@gmail.com> To: ken...@dcemail.com Cc: OpenBSD Misc <misc@openbsd.org> Subject: Re: Syntax error in pf rules Date: Tue, 29 Mar 2016 08

Re: (2nd) Syntax error with pf rules

2016-03-29 Thread Adam Smith
Hi Bryan Thanks for the link. Yes, I am using the latest snapshot of OpenBSD. Regards. Adam >--- br...@bsdjournal.net wrote: > >From: Bryan Vyhmeister <br...@bsdjournal.net> >To: misc@openbsd.org >Subject: Re: (2nd) Syntax error with pf rules >Date: Tue, 29 Mar 2016 10

Re: (2nd) Syntax error with pf rules

2016-03-29 Thread Bryan Vyhmeister
On Tue, Mar 29, 2016, at 10:26 AM, Adam Smith wrote: > set debug urgent > > comes with the following error message: > > pfctl: unknown debug level "urgent" > /etc/pfcustom.conf 13: error setting debuglevel "urgent" > pfctl: Syntax error in config file: p

(2nd) Syntax error with pf rules

2016-03-29 Thread Adam Smith
Hi guys, I have another syntax error with one of my pf rules that I hope you will be able to fix. Thanks. Adam - The rule: set debug urgent comes with the following error message: pfctl: unknown debug level "urgent" /etc/pfcust

Re: Syntax error in pf rules

2016-03-29 Thread Adam Smith
Thanks, Taru, your solution works. Adam --- letcher.r...@gmail.com wrote: From: Letcher Ross <letcher.r...@gmail.com> To: ken...@dcemail.com Cc: OpenBSD Misc <misc@openbsd.org> Subject: Re: Syntax error in pf rules Date: Tue, 29 Mar 2016 08:55:32 -0700 Per http://www.openbs

Re: (2nd) Syntax error with pf rules

2016-03-29 Thread Otto Moerbeek
On Tue, Mar 29, 2016 at 10:26:36AM -0700, Adam Smith wrote: > Hi guys, > > I have another syntax error with one of my pf rules that I hope you will be > able to fix. > > Thanks. > > Adam > > - > > The ru

Re: (2nd) Syntax error with pf rules

2016-03-29 Thread Luis Coronado
A much better approach is to do: $ man pf.conf This and the previous question will be easily answered by reading the manual page. -luis On Tue, Mar 29, 2016 at 11:26 AM, Adam Smith <ken...@dcemail.com> wrote: > Hi guys, > > I have another syntax error with one of my pf rules

Re: Syntax error in pf rules

2016-03-29 Thread Letcher Ross
Hi guys > > I have a syntax error in my pf rules. I hope you can help me fix it. > > Thanks. > > Adam > > > > -snippet of my pf rules- > > #This is where I change or add different IP addresses of VPN gateways > > vpnip="77.90.247.88, 112.119.19

Syntax error in pf rules

2016-03-29 Thread Adam Smith
Hi guys I have a syntax error in my pf rules. I hope you can help me fix it. Thanks. Adam -snippet of my pf rules- #This is where I change or add different IP addresses of VPN gateways vpnip="77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78, 66.85.14.205, 54.201.11

Re: Block IP with pf rules

2016-01-10 Thread Peter N. M. Hansteen
On 01/10/16 12:40, Gianluca D.Muscelli wrote: Hi, I do not understand, I'm blocking some IP with these PF rules: [ ... ] pass in quick on egress proto tcp \ from \ to (egress) port smtp \ rdr-to 127.0.0.1 port spamd pass out quick on egress proto tcp to any port smtp

Re: Block IP with pf rules

2016-01-10 Thread Marko Cupać
On Sun, 10 Jan 2016 13:36:44 +0100 "Peter N. M. Hansteen" <pe...@bsdly.net> wrote: > On 01/10/16 12:40, Gianluca D.Muscelli wrote: > > Hi, I do not understand, I'm blocking some IP with these PF rules: > > [ ... ] > > > pass in qui

Block IP with pf rules

2016-01-10 Thread Gianluca D.Muscelli
Hi, I do not understand, I'm blocking some IP with these PF rules: table persist table persist table persist file "/var/db/blacklist" block in log block in quick from urpf-failed label uRPF pass out all modulate state pass in quick inet proto icmp icmp-type { echoreq, unreach }

Error loading pf rules: Device busy

2016-01-02 Thread C. L. Martinez
Hi all, I have a strange problem. Every time that I try to reload my pf rules I see the following error message: pfctl: DIOCADDRULE: Device busy. I am using OpenBSD 5.8 amd64 fully patched. Any idea??

Re: Error loading pf rules: Device busy

2016-01-02 Thread C.L. Martinez
On 01/02/2016 08:33 AM, C. L. Martinez wrote: Hi all, I have a strange problem. Every time that I try to reload my pf rules I see the following error message: pfctl: DIOCADDRULE: Device busy. I am using OpenBSD 5.8 amd64 fully patched. Any idea?? Sorry for the noise. There was an error

pf rules for a (transparent) filtering bridge doing dns resolving/caching (unbound)

2015-11-25 Thread Erling Westenvik
Yo, I'm somewhat used to set up OpenBSD gateways serving dhcp and doing dns resolving/caching for local networks. However, when attempting to set up a transparent filtering bridge between my ISP and my LAN, I run into problems with unbound and pf. The clients behind the bridge will get their

Re: PF rules block some websites (?)

2015-11-01 Thread Piotr Kubaj
On 11/01/15 11:51, Marco Prause wrote: > Hi Piotr, > > just a guess, but you might hit some path mtu discovery issue. > On customer paths with e.g. mtu less than 1500 it should help to > discover the minimal mtu and while blocking the don't fragment bit, > which is used for pmtud, pmtud won't

PF rules block some websites (?)

2015-10-31 Thread Piotr Kubaj
Hi, I'm using OpenBSD 5.8 on a Ubiquiti Edgerouter Lite. It works great, apart from my customers reported that some websites don't work for them (I've verified that it's true). My /etc/pf.conf is: int_if="{ vether0 cnmac1 cnmac2 }" broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \

Multiple VLANs PF rules

2015-08-19 Thread Dot Yet
trunk0.vlan15 - vlan 15 So, can one of you help me understand how I can write the pf rules to allow communication between em1 and vlan 12/15 or communication between vlan 12 and vlan 15 etc. Please let me know. Thanks, dot

Re: Multiple VLANs PF rules

2015-08-19 Thread Dain Bentley
how I can write the pf rules to allow communication between em1 and vlan 12/15 or communication between vlan 12 and vlan 15 etc. Please let me know. Thanks, dot

Re: Multiple VLANs PF rules

2015-08-19 Thread Giancarlo Razzolini
On 19-08-2015 16:50, Dot Yet wrote: So, can one of you help me understand how I can write the pf rules to allow communication between em1 and vlan 12/15 or communication between vlan 12 and vlan 15 etc. If all machines have OpenBSD as their gateway, simple pass rules should do. No need

Re: Multiple VLANs PF rules

2015-08-19 Thread Giancarlo Razzolini
On 19-08-2015 18:25, Dot Yet wrote: The machines are all pointing to the openbsd server as their default gateway. Nice. the nat is only being used to get out to the internet (em0). internal subnets do not use nat to communicate. So you have the setup I outlined. I don't want to use any

Re: Multiple VLANs PF rules

2015-08-19 Thread Dot Yet
to allow or deny the traffic. I'll read through some more docs to gain more information. Thanks Giancarlo! On Wed, Aug 19, 2015 at 5:14 PM, Giancarlo Razzolini grazzol...@gmail.com wrote: Em 19-08-2015 16:50, Dot Yet escreveu: So, can one of you help me understand how I can write the pf

Re: spamd pf rules

2015-06-11 Thread Stuart Henderson
, but I was thinking the rdr-to rule was wrong so I looked at spamd(8) and it shows a divert-to rule instead. When I change it to divert-to I get the following error: # pfctl -vf /etc/pf.conf /etc/pf.conf:19: address family mismatch for divert pfctl: Syntax error in config file: pf rules

Re: spamd pf rules

2015-06-11 Thread Edgar Pettijohn III
mismatch for divert pfctl: Syntax error in config file: pf rules not loaded What should I do to fix this. Is the rdr-to rule sufficient or do I need to change it? Depends. 5.7 and prior used rdr-to; and -current switched to divert-to. Note that the address family mismatch error is because 5.7

Re: spamd pf rules

2015-06-11 Thread Jason Tubnor
) and it shows a divert-to rule instead. When I change it to divert-to I get the following error: # pfctl -vf /etc/pf.conf /etc/pf.conf:19: address family mismatch for divert pfctl: Syntax error in config file: pf rules not loaded What should I do to fix this. Is the rdr-to rule sufficient

spamd pf rules

2015-06-10 Thread Edgar Pettijohn III
-to rule instead. When I change it to divert-to I get the following error: # pfctl -vf /etc/pf.conf /etc/pf.conf:19: address family mismatch for divert pfctl: Syntax error in config file: pf rules not loaded What should I do to fix this. Is the rdr-to rule sufficient or do I need to change

Re: spamd pf rules

2015-06-10 Thread Okan Demirmen
the rdr-to rule was wrong so I looked at spamd(8) and it shows a divert-to rule instead. When I change it to divert-to I get the following error: # pfctl -vf /etc/pf.conf /etc/pf.conf:19: address family mismatch for divert pfctl: Syntax error in config file: pf rules not loaded What

Re: spamd pf rules

2015-06-10 Thread Edgar Pettijohn III
error in config file: pf rules not loaded What should I do to fix this. Is the rdr-to rule sufficient or do I need to change it? Depends. 5.7 and prior used rdr-to; and -current switched to divert-to. http://www.openbsd.org/faq/current.html#20150518 Thanks I guess I missed that line

Re: Duplicate pf rules when using groupname

2015-04-28 Thread Stuart Henderson
Actually this is a bit odd, can't reproduce it here on 5.5 or -current.
