Sorry, I forgot to mention that 10.40.65.0 is the remote network trying to
connect to this machine over the GRE tunnel
From: Matt S maschwa...@yahoo.com
To: misc@openbsd.org
Sent: Mon, April 11, 2011 2:34:58 PM
Subject: pf: set skip option
Hello Everyone:
I
On 04/11/11 23:34, Matt S wrote:
Hello Everyone:
I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to
tell me why gre0 is not being skipped?
set skip on lo
set skip on gre0
set skip on enc0
You need to combine them, or they override each other.
set skip on {
DOH! I was following a how-to that showed two separate statements for set skip
on. Works great now! My apologies for the stupid question.
On Mon, Apr 11, 2011 at 2:34 PM, Matt S maschwa...@yahoo.com wrote:
Hello Everyone:
I am using 4.8 RELEASE. Given the following pf.conf, would anyone be
Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets
are still being blocked. Here is an example from a tcpdump on the pflog0
interface:
Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 > 10.40.60.1: icmp: echo request (gre encap)
I guess I need to
Penned by Matt S on 20110411 16:59.09, we have:
| Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets
| are still being blocked. Here is an example from a tcpdump on the pflog0
| interface:
|
| Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2
|
On 2011-04-11, Matt S maschwa...@yahoo.com wrote:
Hello Everyone:
I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to
tell me why gre0 is not being skipped?
set skip on lo
set skip on gre0
set skip on enc0
What does pfctl -sI -v say?
On Mon, Apr 11, 2011 at 2:34 PM, Matt S maschwa...@yahoo.com wrote:
Hello Everyone:
I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to
tell me why gre0 is not being skipped?
set skip on lo
set skip on gre0
set skip on enc0
pf.conf(5)
how about: set skip on { lo
Unfortunately, pfctl -sl -v says nothing. So, now I have a ruleset like the one
below. I have added a specific pass statement for the gre protocol. This
works, however, I fear that it is insecure.
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in all
pass out all
antispoof for
On 2011-04-11, Matt S maschwa...@yahoo.com wrote:
Unfortunately, pfctl -sl -v says nothing. So, now I have a ruleset like the
one
-sI -v, not -sl -v.
below. I have added a specific pass statement for the gre protocol. This
works, however, I fear that it is insecure.
You will need to
I try with:
pass out on re0 from any to { 192.168.1.9, 192.168.1.10 }
there is ok for you?
On 06/apr/2011, at 10.19, Gianluca D'Auri Muscelli wrote:
Hi everyone,
I never had to deal with pf, but if possible I have a question:
on my OpenBSD I now block all outgoing
On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli g...@email.it
wrote:
Hi everyone,
I never had to deal with pf, but if possible I have a question:
on my OpenBSD I now block all outgoing connections to ssh and telnet to the
internet
with:
block out on re0 proto { tcp } from any to any port
On Sat, 19 Mar 2011 21:28:09 +0100
Henning Brauer lists-open...@bsws.de wrote:
it was working for me - rdr-to outbound to a daemon on the firewall
itself, but I deleted that virtual machine...
rdr-to is usually applied inbound. If applied
outbound, rdr-to to a local IP
* jirib ji...@devio.us [2011-03-21 09:55]:
On Sat, 19 Mar 2011 21:28:09 +0100
Henning Brauer lists-open...@bsws.de wrote:
it was working for me - rdr-to outbound to a daemon on the firewall
itself, but I deleted that virtual machine...
rdr-to is usually applied inbound.
On Mon, Mar 21, 2011 at 02:45:35PM +0100, Henning Brauer wrote:
* jirib ji...@devio.us [2011-03-21 09:55]:
On Sat, 19 Mar 2011 21:28:09 +0100
Henning Brauer lists-open...@bsws.de wrote:
it was working for me - rdr-to outbound to a daemon on the firewall
itself, but I deleted that
* jirib ji...@devio.us [2011-03-19 00:38]:
On Fri, 25 Feb 2011 10:21:20 +0100
Henning Brauer lists-open...@bsws.de wrote:
* william dunand william.dun...@gmail.com [2011-02-25 05:26]:
pass out log(matches) quick inet proto tcp from any to
89.176.141.250 port = www rdr-to 127.0.0.1
On Fri, 25 Feb 2011 10:21:20 +0100
Henning Brauer lists-open...@bsws.de wrote:
* william dunand william.dun...@gmail.com [2011-02-25 05:26]:
pass out log(matches) quick inet proto tcp from any to
89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
I think rdr-to is meant to be used on
* william dunand william.dun...@gmail.com [2011-02-25 05:26]:
pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port
= www rdr-to 127.0.0.1 port 8080
I think rdr-to is meant to be used on inbound rules.
we allow rdr-to outbound too now. it has caveats, and - surprise! -
I posted on the pf mailing list originally, but the very aggressive spam
filter will not allow me to post a follow-up. I guess there are some pf
users on this list also :)
My original post can be found here:
http://marc.info/?l=openbsd-pfm=129740086511664w=2
Stuart Henderson wrote:
pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port =
www rdr-to 127.0.0.1 port 8080
I think rdr-to is meant to be used on inbound rules.
On Tue, 1 Feb 2011 17:45:52 -0500
Ted Unangst ted.unan...@gmail.com wrote:
On Tue, Feb 1, 2011 at 4:34 PM, Steve Johnson
maill...@sjohnson.info wrote:
I had forgotten to also include the sysctl changes that I had made
as well, mostly based from calomel.org, which were the following:
But, it always directs to one particular ip address. How to see load
balancing?
today, I myself learnt it from the below url
http://www.openbsd.org/faq/pf/pools.html#incoming
match in on $ext_if proto tcp to port 80 rdr-to $web_servers \
round-robin *sticky-address *
*
* Successive
sigh.
remove this bullshit and start over.
* Steve Johnson maill...@sjohnson.info [2011-02-01 22:38]:
Ok, thanks for the tips. I did not have any ifq drops, but have still just
increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was
before and shown below) and will see if
Ok, thanks for the tip. I've removed the settings through sysctl, but
unfortunately I still see those alerts being triggered, then mostly resolved
during the next check.
The system seems to have some issues during heavy UDP session bursts (the
monitoring system issues a stream of requests to a
On Tue, Feb 01, 2011 at 02:22:25PM +0530, Indunil Jayasooriya wrote:
I have 3 web servers running on port 8080 behind PF firewall. I am trying
to load balance these incoming connections to these web servers.
I wrote rules as below. Pls pay attention to *highlighted BOLD* rules.
They are
Indunil Jayasooriya wrote:
Hi list,
I have 3 web servers running on port 8080 behind PF firewall. I am trying
to load balance these incoming connections to these web servers.
I wrote rules as below. Pls pay attention to *highlighted BOLD* rules.
They are the ones I have written. But, I
*match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \
round-robin sticky-address *
You need to pass the inbound traffic somehow (match doesn't do this).
Either change the 'match in' above to 'pass in',
YES, changed. It worked.
or add another rule
* Steve Johnson maill...@sjohnson.info [2011-02-01 20:35]:
I currently have a system that has no match rule in the ruleset, but that
uses tables for a big chunk of the traffic, including our monitoring station
that has a pretty high SNMP request rate. That system has a state table that
usually
Ok, thanks for the tips. I did not have any ifq drops, but have still just
increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was
before and shown below) and will see if that helps anything. Thanks also for
the clarification on the match counter.
I had forgotten to also include
On Tue, Feb 1, 2011 at 4:34 PM, Steve Johnson maill...@sjohnson.info wrote:
I had forgotten to also include the sysctl changes that I had made as well,
mostly based from calomel.org, which were the following:
net.inet.ip.ttl=254
I love this. Bigger is better!
2011/2/1 Indunil Jayasooriya induni...@gmail.com
# macros
(...)
web_servers = { 192.168.x.64, 192.168.x.66, 192.168.x.67 }
lan_net=192.168.x.0/24
A table isn't better? I mean, we can control it without reloading the pf
rules and the matching algorithm is better.
On Mon, Jan 31, 2011, at 18:24:04PM GMT+01:00, Joachim Tingvold wrote:
match out on $ext_carp_if inet from $our_int_net to any nat-to
$ext_carp_if
Do I also need to consider reply-to for this to work?
--
Joachim
On Mon, 31 Jan 2011 18:24:04 +0100,
Joachim Tingvold joac...@tingvold.com wrote:
Hi,
Hello,
This does not work at all. If I change
http://www.openbsd.org/faq/pf/carp.html#RulesetTips
+ Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the
On Mon, Jan 31, 2011, at 18:53:29PM GMT+01:00, Patrick Lamaiziere wrote:
This does not work at all. If I change
http://www.openbsd.org/faq/pf/carp.html#RulesetTips
+ Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not
On Mon, Jan 31, 2011, at 19:19:09PM GMT+01:00, Joachim Tingvold wrote:
Okay, but where does the line go between the two? I mean, does this mean
I can't use the carp interface in the route-to at all?
pass in log on $int_if proto { tcp, udp, icmp } from $our_int_net
route-to {($ext_carp_if
On Sat, Jan 29, 2011 at 8:12 PM, roberth rob...@openbsd.pap.st wrote:
I'll point out the most obvious:
Since there are no tagged states, everyone of those three match rules
matches and the last one wins.
Hello Robert,
Thanks for responding, I have changed the rules to tag packets coming
from
See ftp://ftp3.usa.openbsd.org/pub/OpenBSD/doc/pf-faq.txt,
especially the part about
Redirection and Reflection.
I've read that, and Split-horizon DNS isn't really applicable. However,
on two other points, I'm not so sure of:
1. TCP proxying seems like it might be overkill. I'd like to
Hi Stuart,
Thanks a bunch for your suggestions. This email got lost in my inbox.
Will let you know if I have some questions. Appreciate your help :)
Thx
On 1/11/11 1:43 PM, Stuart Henderson wrote:
On 2010-12-03, Godesidabhee...@aim.com wrote:
relay web {
Try applying this diff from
Ok, this is something that would work for me, ideally. I've tried every
combination of rules I can think of, and can't get my OpenBSD machine to
reflect the packets back out the interface they came in on (including
the rules outlined in the FAQ), and I'm ready to ask for help :)
So, here's my
either:
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
port 33433 33626 keep state tag mytracert
pass out log on $ext_if inet proto udp from $ext_if to any \
port 33433 33626 keep state tagged mytracert
or:
pass in log (all) on $int_if inet proto udp from
On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
my question is, how can I exclude my firewall from being able to do it?
I'm really not sure why you don't want the firewall to be able to
traceroute. (hint: if you can't trust the users on your firewall to
behave
l...@animata.net (David Gwynne), 2011.01.20 (Thu) 10:20 (CET):
either:
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
port 33433 33626 keep state tag mytracert
pass out log on $ext_if inet proto udp from $ext_if to any \
port 33433 33626 keep state tagged
* Harald Dunkel harald.dun...@aixigo.de [2011-01-20 09:18]:
Hi folks,
In the example for the rdr-to and nat-to combination in
the pf FAQs it seems that the http traffic is redirected
back through the incoming interface:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
anyway, Thanks for enlightening me.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
port 33433 33626 keep state tag mytracert
pass out log on $ext_if inet proto udp from $ext_if to any \
port 33433 33626 keep state tagged mytracert
the above 2 rules were
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
port 33433 33626 keep state
pass out log on $ext_if inet proto udp from $ext_if to any \
port 33433 33626 keep state tagged mytracert received-on $int_if
I guess there is a ``tagged mytracert'' copy-paste
On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride mcbr...@openbsd.org wrote:
On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
my question is, how can I exclude my firewall from being able to do it?
I'm really not sure why you don't want the firewall to be able to
Hi,
I am on a 64 bit OpenBSD 4.8 stable.
Here is mine
on OpenBSD 4.8 firewall/router
# both traceroute www.google.lk and traceroute -I www.google.lk work.
From my fedora client,
traceroute www.google.lk works.
and
traceroute -I www.google.lk also works. But the second hop gives in this way
On 16 jan 2011, at 18:49, Mike. wrote:
In any case, now that I've moved to OpenBSD 4.8 for the firewall/router
everything is working as expected now. I can traceroute from the
FreeBSD client, and Windows without a problem.
This was fixed between 4.7 and 4.8:
On 1/15/2011 at 8:00 AM David Walker wrote:
Hi David,
|[snip]
|
|What OS are we talking about now?
I had been running OpenBSD 4.7 GENERIC#558 i386
Yesterday I installed (not upgraded, but a fresh install)
OpenBSD 4.8 GENERIC#136 i386
and the ICMP traceroutes now work as expected.
The
On 1/13/2011 at 5:59 AM David Walker wrote:
|Hi Mike.
|
|[snip]
|
|Second, and here we go into grey area, I'm no expert at the pf thing
|and I do it slightly different to you.
|However, I use a simple ruleset and don't explicitly allow ICMP ...
|and yet it works from internal Windows and OpenBSD
Hi Mike.
Mike wrote:
Yes, I know that Windows uses ICMP for traceroute (I use both the
Windows tracert command line utility and the SamSpade GUI utility).
Cool.
However, I have found that troubleshooting is always easier if one can
eliminate Windows from the mix, that's why I reproduced the
On 1/13/2011 at 5:59 AM David Walker wrote:
|Hi Mike.
|
|Here's a couple of points.
|
|First, Windows uses ICMP only on traceroute (tracert) so there's
|consistency between your Windows and FreeBSD internal hosts - it's an
|ICMP blocked (in or out) issue.
|
Hi Mike.
Here's a couple of points.
First, Windows uses ICMP only on traceroute (tracert) so there's
consistency between your Windows and FreeBSD internal hosts - it's an
ICMP blocked (in or out) issue.
http://technet.microsoft.com/en-us/library/cc940128.aspx
Can you ping and traceroute your
On 2010-12-03, Godesi dabhee...@aim.com wrote:
relay web {
Try applying this diff from -current and rebuilding relayd.
It is an inline diff, if your mail client has problems giving
you valid plaintext then try pasting it from a web-based
mailing list archive instead.
I think the diff will
2011/1/7 Girish Venkatachalam girishvenkatacha...@gmail.com:
Many websites these days Akamize or do whatever that gives them a
different IP address
every time you access it.
And consequently pf which does not know a thing about domains does not help
us.
What exactly is the problem you want
On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote:
I try to use OpenBSD wherever I can and in the firewall I have
installed in a big jewel store
here I have the following problem.
Many websites these days Akamize or do whatever that gives them a
different IP address
every time you
Don't use stupid shit like Akamize. Problem solved.
Stop making people laugh at you.
On Fri, 07 Jan 2011 10:25 +0100, Claer cl...@claer.hammock.fr wrote:
On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote:
I try to use OpenBSD wherever I can and in the firewall I have
installed in a
On Fri, Jan 7, 2011 at 2:43 PM, Martin Schröder mar...@oneiros.de wrote:
And consequently pf which does not know a thing about domains does not help
us.
What exactly is the problem you want to solve?
Sorry for having been abstract.
Here is the detailed explanation.
One domain translates to
On Fri, Jan 07, 2011 at 05:50:25AM -0500, Eric Furman wrote:
On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote:
Many websites these days Akamize or do whatever that gives them a
different IP address
every time you access it.
Don't use stupid shit like Akamize. Problem solved.
On Fri, 2011-01-07 at 16:26 +0530, Girish Venkatachalam wrote:
On Fri, Jan 7, 2011 at 2:43 PM, Martin Schröder mar...@oneiros.de wrote:
And consequently pf which does not know a thing about domains does not help
us.
What exactly is the problem you want to solve?
Sorry for having
Thus said Girish Venkatachalam on Fri, 07 Jan 2011 16:26:01 +0530:
Due to this , whatever IP address pf(4) knows at the time of ruleset
loading alone works.
Use pfctl and a cronjob to periodically update a table. Kludgey, sure...
Andy
gwes ohxer:
What is the recommended pf.conf to get symmetrical routing
for incoming and outgoing connections using a dual-homed
gateway and internal hosts with static IPs on both WANs?
I'm assuming route-to and reply-to are the correct
tools to use.
I've looked at the FAQ,
On 12/20/10 15:52, Kevin Wilcox wrote:
On 19 December 2010 07:16, Henning Brauerlists-open...@bsws.de wrote:
you're way off ;)
I had 2 million during a DDoS. things got a bit slow but everything
worked.
Henning - out of curiosity, what were the specs on that hardware?
It may be interesting
* Kevin Wilcox ke...@tux.appstate.edu [2010-12-20 16:01]:
On 19 December 2010 07:16, Henning Brauer lists-open...@bsws.de wrote:
* Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]:
More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to
On 19 December 2010 07:16, Henning Brauer lists-open...@bsws.de wrote:
* Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]:
More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to 500,000.
you're way off ;)
I had 2 million during a DDoS.
* Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]:
On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:
2. How many states can I really have on a box that has 4 gig ram?
More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to 500,000.
On 12/19/10 4:16 AM, Henning Brauer wrote:
* Ryan McBridemcbr...@openbsd.org [2010-12-03 09:52]:
On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:
2. How many states can I really have on a box that has 4 gig ram?
More than 100,000. I haven't tested lately (planning to do so soon), but I
On Thu, Dec 16, 2010 at 5:21 PM, Rafal Brodewicz b...@brodewicz.pl wrote:
Hi.
How can I pass with PF traffic from all subdomains, for example
*.microsoft.com ?
You're thinking at the wrong layer. PF doesn't care about *.microsoft.com.
Thanks.
--
Rafal Brodewicz
Hi.
I think squid is better solution in this case.
you can taste it !
On Fri, Dec 17, 2010 at 2:51 AM, Rafal Brodewicz b...@brodewicz.pl wrote:
Hi.
How can I pass with PF traffic from all subdomains, for example
*.microsoft.com ?
Thanks.
--
Rafal Brodewicz
--
Gula_Gula =;=; BNF
Yes, I also agree with it. squid can handle that type of things easily.
On Fri, Dec 17, 2010 at 9:37 AM, Bahador NazariFard
bahador.nazarif...@gmail.com wrote:
Hi.
I think squid is better solution in this case.
you can taste it !
On Fri, Dec 17, 2010 at 2:51 AM, Rafal Brodewicz
On 12/8/10 2:09 PM, Ryan McBride wrote:
On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote:
We are seeing the issue again and I am writing a script to get the
pfctl -vvsi data at regular intervals. Can you please point me to
what values I should be looking out for?
You want to look for
Hi Ryan,
We are seeing the issue again and I am writing a script to get the
pfctl -vvsi data at regular intervals. Can you please point me to
what values I should be looking out for?
Thanks
Parvinder Bhasin
On 12/3/10 11:32 AM, dabheeruz wrote:
Thanks Ryan! Unfortunately when this happened
On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote:
We are seeing the issue again and I am writing a script to get the
pfctl -vvsi data at regular intervals. Can you please point me to
what values I should be looking out for?
You want to look for any of the counters in the Counters
Hi Jan,
This actually happened again really late at night , one thing that
strangely happened was that we had nagios setup to monitor CARP state
and basically the secondary lb (same config etc) had its carp interface
in init state and once again the primary relayd box was displaying
Godesi dabhee...@aim.com wrote:
We recently deployed OBSD4.7 boxes to do load balancing in our
environment with relayd.
After few hours we encountered problem with the server going beyond
10,000 states.
Are you convinced that it is a state problem?
In our tests we have found that a default
On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:
1. Do I need pf for relayd when I am not doing redirects?
I don't think so, but this is easy for you to test...
2. How many states can I really have on a box that has 4 gig ram?
More than 100,000. I haven't tested lately (planning to
Thanks Ryan! Unfortunately when this happened I was remote and could not
grab those stats. But what should I be looking for in terms of badness?
Maybe I can quickly set up something to monitor for a particular stat.
Really appreciate your input.
Thx.
On 12/3/10 12:41 AM, Ryan McBride wrote:
On Sun, Nov 14, 2010 at 06:27:38PM +0100, Johan Helsingius wrote:
Hi!
Setting up a firewall with 4.8, I was rather surprised
to see that I don get any logged info from the blocked
packets (beyond the fact that they were blocked).
I assume I am missing some silly little thing...
#
take a look at :
http://mouedine.net/ruleset47.aspx
On Thu, 4 Nov 2010 22:27:21 -0700, onteria onte...@scarletdevil.net
wrote:
I'm currently working on locking down one of my machines with pf.
Right now it has a default deny policy and FTP is causing issues. I did
a search on how to get around
On Thu, Nov 4, 2010 at 10:27 PM, onteria onte...@scarletdevil.net wrote:
I'm currently working on locking down one of my machines with pf.
Right now it has a default deny policy and FTP is causing issues. I did
a search on how to get around FTP oddities using ftp-proxy, but from what I
understand
* Patrick Lamaiziere patf...@davenulle.org [2010-10-25 13:47]:
PacketFilter set skip does not look to work fine with interface groups.
skip on ifgroups is indeed not implemented (but pbly should and that
isn't hard either)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services,
forward to pool port http check http / code 200
Mistake in my copy/paste, this is the real line in my relayd.conf
Resolved with: relayd -d -f /etc/relayd.conf
...
Sorry for the noise.
2010/10/22 Alex Rastaklov alex.rastak...@gmail.com:
forward to pool port http check http / code 200
Mistake in my copy/paste, this is the real line in my relayd.conf
# man pf.conf
- route-to
The route-to option routes the packet to the specified interface
with an optional address for the next hop. When a route-to rule
creates state, only packets that pass in the same direction as the
filter rule specifies will be
Just curious, but why not man route?
On 9/22/10, Beavis pfu...@gmail.com wrote:
Greetings List,
I would like to ask if someone has done routing via pf(4) (non-NAT
rules). My idea is to be able to route packets from one interface to
the other. say from tun0 to rl0. I've been googling a lot
On Wed, Sep 22, 2010 at 02:04:39PM -0600, Beavis wrote:
Greetings List,
I would like to ask if someone has done routing via pf(4) (non-NAT
rules). My idea is to be able to route packets from one interface to
the other. say from tun0 to rl0. I've been googling a lot and most of
the rules im
2010/9/22, Beavis pfu...@gmail.com:
I would like to ask if someone has done routing via pf(4) (non-NAT
rules). My idea is to be able to route packets from one interface to
the other. say from tun0 to rl0. I've been googling a lot and most of
the rules im seeing have something to do with NAT
tcpdump on pflog will probably help (see the FAQ)
2010/9/2 Timothy Beyer timot...@titaniumant.com
Hello,
I'm having trouble setting up a redirect rule and I'm not sure where I'm
going
wrong. My redirect line and filter rules look like:
rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213
Sent: Thursday, September 02, 2010 2:05 PM
To: Timothy Beyer
Cc: misc@openbsd.org
Subject: Re: pf redirect problem
tcpdump on pflog will probably help (see the FAQ)
2010/9/2 Timothy Beyer
timot...@titaniumant.commailto:timot...@titaniumant.com
Hello,
I'm having trouble setting up a redirect rule and I'm
:22.28 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
From: sven falempin [sven.falem...@gmail.com]
Sent: Thursday, September 02, 2010 2:05 PM
To: Timothy Beyer
Cc: misc@openbsd.org
Subject: Re: pf redirect problem
2010/8/27, Henning Brauer lists-open...@bsws.de:
find that #define (I forgot its name and location), increase,
recompile.
We use such setup with HFSC limit raised up from 64 ten times, so far
without any problems (core i3, 2G RAM, em(4) gigabit desktop nics,
12-15k pps on average).
Is there a
* David Hardy planetm...@gmail.com [2010-08-27 20:21]:
Is there a limit to the # of cbq queues allowed in pf?
yes. it is a define somewhere.
if there's a limit, is there a way to increase it?
find that #define (I forgot its name and location), increase,
recompile.
--
Henning Brauer,
Thanks. Found it in sys/altq/altq_cbq.h:
#define CBQ_MAX_CLASSES 256
worked just fine after recompile.
David
On Fri, Aug 27, 2010 at 1:01 PM, Henning Brauer lists-open...@bsws.dewrote:
* David Hardy planetm...@gmail.com [2010-08-27 20:21]:
Is there a limit to the # of cbq queues
Johan Linnir wrote on 2010-08-26 13:26:
Hi,
We need help/support with setting up a couple of pf firewalls with carp
etc. and are of course willing to pay for it if we find the right
resource. Please reply off list if you're interested or can recommend a
company/person whom you think can help us.
alastair.john...@trinity.ox.ac.uk wrote on 2010-08-26 13:38:
You might get further if you said where you are in the world.
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Johan
Linnir
Sent: 26 August 2010 12:26
To: misc@openbsd.org
On Thu, Aug 26, 2010 at 01:26:25PM +0200, Johan Linnir wrote:
We need help/support with setting up a couple of pf firewalls with
carp etc. and are of course willing to pay for it if we find the
right resource. Please reply off list if you're interested or can
recommend a company/person whom
Joachim Schipper wrote on 2010-08-26 14:00:
On Thu, Aug 26, 2010 at 01:26:25PM +0200, Johan Linnir wrote:
We need help/support with setting up a couple of pf firewalls with
carp etc. and are of course willing to pay for it if we find the
right resource. Please reply off list if you're interested
* Marcos Laufer mar...@ipv4networks.com [2010-08-22 20:05]:
I'm just in doubt in how to replace the sentence for OpenBSD 4.7 :
scrub in all
Is it just like this? : match in all scrub
no.
just delete that line. it only did reassembly which is on by default
now.
--
Henning Brauer,
This has been fixed in 4.8
On Thu, Aug 19, 2010 at 03:08:23AM +0300, ?? ?? wrote:
Hi
I move from 4.6 to 4.7, rewrite my pf.conf rules to match new style.
Everything works fine, but when I try to traceroute a host with -I flag
(force to use icmp) on my obsd fw
I got Request time out
On 2010-08-10, Metin KAYA kayam...@gmail.com wrote:
Is it possible to implement layer 2 SYN proxy with PF?
No.
On 7/29/10, Ryan McBride mcbr...@openbsd.org wrote:
On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
Sadly this means scalability (adding multiple synproxy boxes) is not
possible,
...
synproxy works by completing the 3-way handshake with the source first,
then negotiating a