Re: pf: set skip option

Sorry, I forgot to mention that 10.40.65.0 is the remote network trying to connect to this machine over the GRE tunnel From: Matt S maschwa...@yahoo.com To: misc@openbsd.org Sent: Mon, April 11, 2011 2:34:58 PM Subject: pf: set skip option Hello Everyone: I

Re: pf: set skip option

On 04/11/11 23:34, Matt S wrote: Hello Everyone: I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to tell me why gre0 is not being skipped? set skip on lo set skip on gre0 set skip on enc0 You need to combine them, or they override each other. set skip on {

Re: pf: set skip option

DOH! I was following a how-to that showed two separate statements for set skip on. Works great now! My apologies for the stupid question. On Mon, Apr 11, 2011 at 2:34 PM, Matt S maschwa...@yahoo.com wrote: Hello Everyone: I am using 4.8 RELEASE. Given the following pf.conf, would anyone be

Re: pf: set skip option

Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets are still being blocked. Here is an example from a tcpdump on the pflog0 interface: Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 10.40.60.1: icmp: echo request (gre encap) I guess I need to

Re: pf: set skip option

Penned by Matt S on 20110411 16:59.09, we have: | Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets | are still being blocked. Here is an example from a tcpdump on the pflog0 | interface: | | Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 |

Re: pf: set skip option

On 2011-04-11, Matt S maschwa...@yahoo.com wrote: Hello Everyone: I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to tell me why gre0 is not being skipped? set skip on lo set skip on gre0 set skip on enc0 What does pfctl -sI -v say?

Re: pf: set skip option

On Mon, Apr 11, 2011 at 2:34 PM, Matt S maschwa...@yahoo.com wrote: Hello Everyone: I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to tell me why gre0 is not being skipped? set skip on lo set skip on gre0 set skip on enc0 pf.conf(5) how about: set skip on { lo

Re: pf: set skip option

Unfortunately, pfctl -sl -v says nothing. So, now I have a ruleset like the one below. I have added a specific pass statement for the gre protocol. This works, however, I fear that it is insecure. set skip on {lo, gre0, enc0} anchor ftp-proxy/* block in all pass out all antispoof for

Re: pf: set skip option

On 2011-04-11, Matt S maschwa...@yahoo.com wrote: Unfortunately, pfctl -sl -v says nothing. So, now I have a ruleset like the one -sI -v, not -sl -v. below. I have added a specific pass statement for the gre protocol. This works, however, I fear that it is insecure. You will need to

Re: pf rule

i try with: pass out on re0 from any to { 192.168.1.9, 192.168.1.10 } there is ok for you? Il giorno 06/apr/2011, alle ore 10.19, Gianluca D'Auri Muscelli ha scritto: Hi everyone, I never had to deal with pf, but if possible i have a question: on my OpenBSD now block all outcoming

Re: pf rule

On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli g...@email.it wrote: Hi everyone, I never had to deal with pf, but if possible i have a question: on my OpenBSD now block all outcoming connection to ssh and telnet to internet with: block out on re0 proto { tcp } from any to any port

Re: pf rdr-to outgoing to local port issues

On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote: it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine... rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP

Re: pf rdr-to outgoing to local port issues

* jirib ji...@devio.us [2011-03-21 09:55]: On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote: it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine... rdr-to is usually applied inbound.

Re: pf rdr-to outgoing to local port issues

On Mon, Mar 21, 2011 at 02:45:35PM +0100, Henning Brauer wrote: * jirib ji...@devio.us [2011-03-21 09:55]: On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote: it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that

Re: pf rdr-to outgoing to local port issues

* jirib ji...@devio.us [2011-03-19 00:38]: On Fri, 25 Feb 2011 10:21:20 +0100 Henning Brauer lists-open...@bsws.de wrote: * william dunand william.dun...@gmail.com [2011-02-25 05:26]: pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1

Re: pf rdr-to outgoing to local port issues

On Fri, 25 Feb 2011 10:21:20 +0100 Henning Brauer lists-open...@bsws.de wrote: * william dunand william.dun...@gmail.com [2011-02-25 05:26]: pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080 I think rdr-to is meant to be use on

Re: pf rdr-to outgoing to local port issues

* william dunand william.dun...@gmail.com [2011-02-25 05:26]: pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080 I think rdr-to is meant to be use on inbound rules. we allow rdr-to outbound too now. it has caveats, and - surprise! -

Re: pf and altq setup

I posted on the pf mailing list originally, but the very aggresive spam filter will not allow me to post a follow-up. I guess there are some pf users on this list also :) My original post can be found here: http://marc.info/?l=openbsd-pfm=129740086511664w=2 Stuart Henderson wrote:

Re: pf rdr-to outgoing to local port issues

pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080 I think rdr-to is meant to be use on inbound rules.

Re: PF match counter seems to be hitting a limit

On Tue, 1 Feb 2011 17:45:52 -0500 Ted Unangst ted.unan...@gmail.com wrote: On Tue, Feb 1, 2011 at 4:34 PM, Steve Johnson maill...@sjohnson.info wrote: I had forgotten to also include the sysctl changes that I had made as well, mostly based from calomel.org, which were the following:

Re: pf rules for Load Balance Incoming Connections for webservers

But, it always directs to one particular ip address. How to see load balancing? today, I myself learnt it from the below url http://www.openbsd.org/faq/pf/pools.html#incoming match in on $ext_if proto tcp to port 80 rdr-to $web_servers \ round-robin *sticky-address * * * Successive

Re: PF match counter seems to be hitting a limit

sigh. remove this bullshit and start over. * Steve Johnson maill...@sjohnson.info [2011-02-01 22:38]: Ok, thanks for the tips. I did not have any ifq drops, but have still just increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was before and shown below) and will see if

Re: PF match counter seems to be hitting a limit

Ok, thanks for the tip. I've removed the settings through sysctl, but unfortunately I still see those alerts being triggered, then mostly resolved during the next check. The system seems to have some issues during heavy UDP session bursts (the monitoring system issues a stream of requests to a

Re: pf rules for Load Balance Incoming Connections for webservers

On Tue, Feb 01, 2011 at 02:22:25PM +0530, Indunil Jayasooriya wrote: I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to *highligthed BOLD* rules . they are

Re: pf rules for Load Balance Incoming Connections for webservers

Indunil Jayasooriya P?P8QP5Q: Hi list, I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to *highligthed BOLD* rules . they are the once I have written. But, I

Re: pf rules for Load Balance Incoming Connections for webservers

*match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \ round-robin sticky-address * You need to pass the inbound traffic somehow (match doesn't do this). Either change the 'match in' above to 'pass in', YES, changed. It worked. or add another rule

Re: PF match counter seems to be hitting a limit

* Steve Johnson maill...@sjohnson.info [2011-02-01 20:35]: I currently have a system that has no match rule in the ruleset, but that uses tables for a big chunk of the traffic, including our monitoring station that has a pretty high SNMP request rate. That system has a state table that usually

Re: PF match counter seems to be hitting a limit

Ok, thanks for the tips. I did not have any ifq drops, but have still just increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was before and shown below) and will see if that helps anything. Thanks also for the clarification on the match counter. I had forgotten to also include

Re: PF match counter seems to be hitting a limit

On Tue, Feb 1, 2011 at 4:34 PM, Steve Johnson maill...@sjohnson.info wrote: I had forgotten to also include the sysctl changes that I had made as well, mostly based from calomel.org, which were the following: net.inet.ip.ttl=254 I love this. Bigger is better!

Re: pf rules for Load Balance Incoming Connections for webservers

2011/2/1 Indunil Jayasooriya induni...@gmail.com # macros (...) web_servers = { 192.168.x.64, 192.168.x.66, 192.168.x.67 } lan_net=192.168.x.0/24 A table isn't better? I mean, we can control it without reloading the pf rules and the matching algorithm is better.

Re: PF: Route packets out specific interface with NAT

On Mon, Jan 31, 2011, at 18:24:04PM GMT+01:00, Joachim Tingvold wrote: match out on $ext_carp_if inet from $our_int_net to any nat-to $ext_carp_if Do I also need to consider reply-to for this to work? -- Joachim

Re: PF: Route packets out specific interface with NAT

Le Mon, 31 Jan 2011 18:24:04 +0100, Joachim Tingvold joac...@tingvold.com a icrit : Hi, Hello, This does not work at all. If I change http://www.openbsd.org/faq/pf/carp.html#RulesetTips + Ruleset Tips Filter the physical interface. As far as PF is concerned, network traffic comes from the

Re: PF: Route packets out specific interface with NAT

On Mon, Jan 31, 2011, at 18:53:29PM GMT+01:00, Patrick Lamaiziere wrote: This does not work at all. If I change http://www.openbsd.org/faq/pf/carp.html#RulesetTips + Ruleset Tips Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not

Re: PF: Route packets out specific interface with NAT

On Mon, Jan 31, 2011, at 19:19:09PM GMT+01:00, Joachim Tingvold wrote: Okay, but where goes the line between the two? I mean, does this mean I can't use the carp-interface in the route-to at all? pass in log on $int_if proto { tcp, udp, icmp } from $our_int_net route-to {($ext_carp_if

Re: PF load balancing outgoing ISPs

On Sat, Jan 29, 2011 at 8:12 PM, roberth rob...@openbsd.pap.st wrote: I'll point out the most obvious: Since there are no tagged states, everyone of those three match rules matches and the last one wins. Hello Robert, Thanks for responding, I have changed the rules to tag packets coming from

Re: pf FAQ: redirection back through the incoming interface

See ftp://ftp3.usa.openbsd.org/pub/OpenBSD/doc/pf-faq.txt;, especially the part about Redirection and Reflection. I've read that, and Split-horizon DNS isn't really applicable. However, on two other points, I'm not so sure of: 1. TCP proxying seems like it might be overkill. I'd like to

Re: PF and States

Hi Stuart, Thanks a bunch for you suggestions. This email got lost in my inbox. Will let you know if I have some questions. Appreciate your help :) Thx On 1/11/11 1:43 PM, Stuart Henderson wrote: On 2010-12-03, Godesidabhee...@aim.com wrote: relay web { Try applying this diff from

Re: pf FAQ: redirection back through the incoming interface

Ok, this is something that would work for me, ideally. I've tried every combination of rules I can think of, and can't get my OpenBSD machine to reflect the packets back out the interface they came in on (including the rules outlines in the FAQ), and I'm ready to ask for help :) So, here's my

Re: pf commands to discuss

either: pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \ port 33433 33626 keep state tag mytracert pass out log on $ext_if inet proto udp from $ext_if to any \ port 33433 33626 keep state tagged mytracert or: pass in log (all) on $int_if inet proto udp from

Re: pf commands to discuss

On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote: my question is that How can I exclude my firewall from being able to doing it ? I'm really not sure why you don't want the firewall to be able to traceroute. (hint: if you can't trust the users on your firewall to behave

Re: pf commands to discuss

l...@animata.net (David Gwynne), 2011.01.20 (Thu) 10:20 (CET): either: pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \ port 33433 33626 keep state tag mytracert pass out log on $ext_if inet proto udp from $ext_if to any \ port 33433 33626 keep state tagged

Re: pf FAQ: redirection back through the incoming interface

* Harald Dunkel harald.dun...@aixigo.de [2011-01-20 09:18]: Hi folks, In the example for the rdr-to and nat-to combination in the pf FAQs it seems that the http traffic is redirected back through the incoming interface: pass in on $int_if proto tcp from $int_net to $ext_if port 80 \

Re: pf commands to discuss

anyway, Thanks for enlightening me. pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \ port 33433 33626 keep state tag mytracert pass out log on $ext_if inet proto udp from $ext_if to any \ port 33433 33626 keep state tagged mytracert the above 2 rules were

Re: pf commands to discuss

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \ port 33433 33626 keep state pass out log on $ext_if inet proto udp from $ext_if to any \ port 33433 33626 keep state tagged mytracert received-on $int_if I guess there is a ``tagged mytracert'' copy-paste

Re: pf commands to discuss

On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride mcbr...@openbsd.org wrote: On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote: my question is that How can I exclude my firewall from being able to doing it ? I'm really not sure why you don't want the firewall to be able to

Re: pf and traceroute

Hi, I am on a 64 bit OpenBSD 4.8 stable. Here is mine on OpenBSD 4.8 firewall/router # both traceroute www.google.lk and traceroute -I www.google.lk work. From my fedora client, traceroute www.google.lk works. and traceroute -I www.google.lk also works. But second hope gives in this way

Re: pf and traceroute

On 16 jan 2011, at 18:49, Mike. wrote: In any case, now that I've moved to OpenBSD 4.8 for the firewall/router everything is working as expected now. I can traceroute from the FreeBSD client, and Windows without a problem. This was fixed between 4.7 and 4.8:

Re: pf and traceroute

On 1/15/2011 at 8:00 AM David Walker wrote: Hi David, |[snip] | |What OS are we talking about now? I had been running OpenBSD 4.7 GENERIC#558 i386 Yesterday I installed (not upgraded, but a fresh install) OpenBSD 4.8 GENERIC#136 i386 and the ICMP traceroutes now work as expected. The

Re: pf and traceroute

On 1/13/2011 at 5:59 AM David Walker wrote: |Hi Mike. | |[snip] | |Second, and here we go into grey area, I'm no expert at the pf thing |and I do it slightly different to you. |However, I use a simple ruleset and don't explicitly allow ICMP ... |and yet it works from internal Windows and OpenBSD

Re: pf and traceroute

Hi Mike. Mike wrote: Yes, I know that Windows uses ICMP for traceroute (I use both the Windows tracert command line utility and the SamSpade GUI utility). Cool. However, I have found that troubleshooting is always easier if one can eliminate Windows from the mix, that's why I reproduced the

Re: pf and traceroute

On 1/13/2011 at 5:59 AM David Walker wrote: |Hi Mike. | |Here's a couple of points. | |First, Windows uses ICMP only on traceroute (tracert) so there's |consistency between your Windows and FreeBSD internal hosts - it's an |ICMP blocked (in or out) issue. |

Re: pf and traceroute

Hi Mike. Here's a couple of points. First, Windows uses ICMP only on traceroute (tracert) so there's consistency between your Windows and FreeBSD internal hosts - it's an ICMP blocked (in or out) issue. http://technet.microsoft.com/en-us/library/cc940128.aspx Can you ping and traceroute your

Re: PF and States

On 2010-12-03, Godesi dabhee...@aim.com wrote: relay web { Try applying this diff from -current and rebuilding relayd. It is an inline diff, if your mail client has problems giving you valid plaintext then try pasting it from a web-based mailing list archive instead. I think the diff will

Re: pf and DNS

2011/1/7 Girish Venkatachalam girishvenkatacha...@gmail.com: Many websites these days Akamize or do whatever that gives them a different IP address everytime you access it. And consequently pf which does not know a thing about domains does not help us. What exactly is the problem you want

Re: pf and DNS

On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote: I try to use OpenBSD wherever I can and in the firewall I have installed in a big jewel store here I have the following problem. Many websites these days Akamize or do whatever that gives them a different IP address everytime you

Re: pf and DNS

Don't use stupid shit like Akamize. Problem solved. Stop making people laugh at you. On Fri, 07 Jan 2011 10:25 +0100, Claer cl...@claer.hammock.fr wrote: On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote: I try to use OpenBSD wherever I can and in the firewall I have installed in a

Re: pf and DNS

On Fri, Jan 7, 2011 at 2:43 PM, Martin Schrvder mar...@oneiros.de wrote: And consequently pf which does not know a thing about domains does not help us. What exactly is the problem you want to solve? Sorry for having been abstract. Here is the detailed explanation. One domain translates to

Re: pf and DNS

On Fri, Jan 07, 2011 at 05:50:25AM -0500, Eric Furman wrote: On Fri, Jan 07 2011 at 59:07, Girish Venkatachalam wrote: Many websites these days Akamize or do whatever that gives them a different IP address everytime you access it. Don't use stupid shit like Akamize. Problem solved.

Re: pf and DNS

On Fri, 2011-01-07 at 16:26 +0530, Girish Venkatachalam wrote: On Fri, Jan 7, 2011 at 2:43 PM, Martin Schrvder mar...@oneiros.de wrote: And consequently pf which does not know a thing about domains does not help us. What exactly is the problem you want to solve? Sorry for having

Re: pf and DNS

Thus said Girish Venkatachalam on Fri, 07 Jan 2011 16:26:01 +0530: Due to this , whatever IP address pf(4) knows at the time of ruleset loading alone works. Use pfctl and a cronjob to periodically update a table. Kludgey, sure... Andy

Re: pf question: multiple multihomed machines

gwes ohxer: What is the recommended pf.conf to get symmetrical routing for incoming and outgoing connections using a dual-homed gateway and internal hosts with static IPs on both WANs? I'm assuming route-to and reply-to are the correct tools to use. I've looked at the FAQ,

Re: PF and States

On 12/20/10 15:52, Kevin Wilcox wrote: On 19 December 2010 07:16, Henning Brauerlists-open...@bsws.de wrote: you're way off ;) I had 2 million during a DDoS. things got a bit slow but everything worked. Henning - out of curiosity, what were the specs on that hardware? It may be interesting

Re: PF and States

* Kevin Wilcox ke...@tux.appstate.edu [2010-12-20 16:01]: On 19 December 2010 07:16, Henning Brauer lists-open...@bsws.de wrote: * Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]: More than 100,000. I havn't tested lately (planning to do so soo), but I would expect somewhere closer to

Re: PF and States

On 19 December 2010 07:16, Henning Brauer lists-open...@bsws.de wrote: * Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]: More than 100,000. I havn't tested lately (planning to do so soo), but I would expect somewhere closer to 500,000. you're way off ;) I had 2 million during a DDoS.

Re: PF and States

* Ryan McBride mcbr...@openbsd.org [2010-12-03 09:52]: On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote: 2. How much states can i really have on a box that has 4 gig ram? More than 100,000. I havn't tested lately (planning to do so soo), but I would expect somewhere closer to 500,000.

Re: PF and States

On 12/19/10 4:16 AM, Henning Brauer wrote: * Ryan McBridemcbr...@openbsd.org [2010-12-03 09:52]: On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote: 2. How much states can i really have on a box that has 4 gig ram? More than 100,000. I havn't tested lately (planning to do so soo), but I

Re: PF subdomain filtering

On Thu, Dec 16, 2010 at 5:21 PM, Rafal Brodewicz b...@brodewicz.pl wrote: Hi. How can I pass with PF traffic from all subdomains, for example *.microsoft.com ? You're thinking at the wrong layer. PF doesn't care about *.microsoft.com. Thanks. -- Rafal Brodewicz

Re: PF subdomain filtering

Hi. I think squid is better solution in this case. you can taste it ! On Fri, Dec 17, 2010 at 2:51 AM, Rafal Brodewicz b...@brodewicz.pl wrote: Hi. How can I pass with PF traffic from all subdomains, for example *.microsoft.com ? Thanks. -- Rafal Brodewicz -- Gula_Gula =;=; BNF

Re: PF subdomain filtering

Yes, I also agree with it. squid can handle that type of things easily. On Fri, Dec 17, 2010 at 9:37 AM, Bahador NazariFard bahador.nazarif...@gmail.com wrote: Hi. I think squid is better solution in this case. you can taste it ! On Fri, Dec 17, 2010 at 2:51 AM, Rafal Brodewicz

Re: PF and States

On 12/8/10 2:09 PM, Ryan McBride wrote: On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote: We are seeing the issue again and I am writing a script to get the pfctl -vvsi data at regular intervals. Can you please point me to what values I should be looking out for? You want to look for

Re: PF and States

Hi Ryan, We are seeing the issue again and I am writing a script to get the pfctl -vvsi data at regular intervals. Can you please point me to what values I should be looking out for? Thanks Parvinder Bhasin On 12/3/10 11:32 AM, dabheeruz wrote: Thanks Ryan! Unfortunately when this happened

Re: PF and States

On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote: We are seeing the issue again and I am writing a script to get the pfctl -vvsi data at regular intervals. Can you please point me to what values I should be looking out for? You want to look for any of the counters in the Counters

Re: PF and States

Hi Jan, This actually happened again really late at night , one thing that strangely happened was that we had nagios setup to monitor CARP state and basically the secondary lb (same config etc) had its carp interface in init state and once again the primary relayd box was displaying

Re: PF and States

Godesi dabhee...@aim.com wrote: We recently deployed OBSD4.7 boxes to do load balancing in our environment with relayd. After few hours we encountered problem with the server going beyond 10,000 states. Are you convinced that it is a state problem? In our tests we have found that a default

Re: PF and States

On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote: 1. Do I need pf for relayd when I am not doing redirects? I don't think so, but this is easy for you to test... 2. How much states can i really have on a box that has 4 gig ram? More than 100,000. I havn't tested lately (planning to

Re: PF and States

Thanks Ryan! Unfortunately when this happened I was remote and could not grab those stats. But what should I be looking for in term of badness. Maybe I can quickly setup something to monitor for particular stat. Really appreciate your input. Thx. On 12/3/10 12:41 AM, Ryan McBride wrote:

Re: pf logs - no packet header data (4.8)

On Sun, Nov 14, 2010 at 06:27:38PM +0100, Johan Helsingius wrote: Hi! Setting up a firewall with 4.8, I was rather surprised to see that I don get any logged info from the blocked packets (beyond the fact that they were blocked). I assume I am missing some silly little thing... #

Re: pf+FTP external interface only

take a look at : http://mouedine.net/ruleset47.aspx On Thu, 4 Nov 2010 22:27:21 -0700, onteria onte...@scarletdevil.net wrote: I'm currently working on locking down one of my machines with pf. Right now it has a default deny policy and FTP is causing issues. I did a search on how to around

Re: pf+FTP external interface only

On Thu, Nov 4, 2010 at 10:27 PM, onteria onte...@scarletdevil.net wrote: I'm currently working on locking down one of my machines with pf. Right now it has a default deny policy and FTP is causing issues. I did a search on how to around FTP oddities using ftp-proxy, but from what I understand

Re: PF set skip on interface group

* Patrick Lamaiziere patf...@davenulle.org [2010-10-25 13:47]: PacketFilter Set skip does not look to work fine with interface group. skip on ifgroups is indeed not implemented (but pbly should and that isn't hard either) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services,

Re: pf anchor

forward to pool port http check http / code 200 Mistake in my copy/paste, this is the real line in my relayd.conf

Re: pf anchor

Resolved with : relayd -d -f /etc/relayd.conf ... Sorry for the noise. 2010/10/22 Alex Rastaklov alex.rastak...@gmail.com: forward to pool port http check http / code 200 Mistake in my copy/paste, this is the real line in my relayd.conf

Re: pf for routers?

# man pf.conf - route-to The route-to option routes the packet to the specified interface with an optional address for the next hop. When a route-to rule creates state, only packets that pass in the same direction as the filter rule specifies will be

Re: pf for routers?

Just curious, but why not man route? On 9/22/10, Beavis pfu...@gmail.com wrote: Greetings List, I would like to ask if someone has done routing via pf(4) (non-NAT rules). My idea is to be able to route packets from one interface to the other. say from tun0 to rl0. I've been googling a lot

Re: pf for routers?

On Wed, Sep 22, 2010 at 02:04:39PM -0600, Beavis wrote: Greetings List, I would like to ask if someone has done routing via pf(4) (non-NAT rules). My idea is to be able to route packets from one interface to the other. say from tun0 to rl0. I've been googling a lot and most of the rules im

Re: pf for routers?

2010/9/22, Beavis pfu...@gmail.com: I would like to ask if someone has done routing via pf(4) (non-NAT rules). My idea is to be able to route packets from one interface to the other. say from tun0 to rl0. I've been googling a lot and most of the rules im seeing have something to do with NAT

Re: pf redirect problem

tcpdump on pflog will probably help (see the FAQ) 2010/9/2 Timothy Beyer timot...@titaniumant.com Hello, I'm having trouble setting up a redirect rule and I'm not sure where I'm going wrong. My redirect line and filter rules look like: rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213

Re: pf redirect problem

, September 02, 2010 2:05 PM To: Timothy Beyer Cc: misc@openbsd.org Subject: Re: pf redirect problem tcpdump on pflog will probably help (see the FAQ) 2010/9/2 Timothy Beyer timot...@titaniumant.commailto:timot...@titaniumant.com Hello, I'm having trouble setting up a redirect rule and I'm

Re: pf redirect problem

:22.28 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 38.xxx.xxx.206: icmp: echo request From: sven falempin [sven.falem...@gmail.com] Sent: Thursday, September 02, 2010 2:05 PM To: Timothy Beyer Cc: misc@openbsd.org Subject: Re: pf redirect problem

Re: pf - max number of cbq queues ?

2010/8/27, Henning Brauer lists-open...@bsws.de: find that #define (I forgot its name and location), increase, recompile. We use such setup with HFSC limit raised up from 64 ten times, so far without any problems (core i3, 2G RAM, em(4) gigabit desktop nics, 12-15k pps on average). Is there a

Re: pf - max number of cbq queues ?

* David Hardy planetm...@gmail.com [2010-08-27 20:21]: Is there a limit to the # of cbq queues allowed in pf? yes. it is a define somewhere. if there's a limit, is there a way to increase it? find that #define (I forgot its name and location), increase, recompile. -- Henning Brauer,

Re: pf - max number of cbq queues ?

Thanks. Found it in sys/altq/altq_cbq.h: #define CBQ_MAX_CLASSES 256 worked just fine after recompile. David On Fri, Aug 27, 2010 at 1:01 PM, Henning Brauer lists-open...@bsws.dewrote: * David Hardy planetm...@gmail.com [2010-08-27 20:21]: Is there a limit to the # of cbq queues

Re: pf support

Johan Linnir skrev 2010-08-26 13:26: Hi, We need help/support with setting up a couple of pf firewalls with carp etc. and are of course willing to pay for it if we find the right resource. Please reply off list if you're interested or can recommend a company/person whom you think can help us.

Re: pf support

alastair.john...@trinity.ox.ac.uk skrev 2010-08-26 13:38: You might get further if you said where you are in the world.. -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Johan Linnir Sent: 26 August 2010 12:26 To: misc@openbsd.org

Re: pf support

On Thu, Aug 26, 2010 at 01:26:25PM +0200, Johan Linnir wrote: We need help/support with setting up a couple of pf firewalls with carp etc. and are of course willing to pay for it if we find the right resource. Please reply off list if you're interested or can recommend a company/person whom

Re: pf support

Joachim Schipper skrev 2010-08-26 14:00: On Thu, Aug 26, 2010 at 01:26:25PM +0200, Johan Linnir wrote: We need help/support with setting up a couple of pf firewalls with carp etc. and are of course willing to pay for it if we find the right resource. Please reply off list if you're interested

Re: pf scrub doubt

* Marcos Laufer mar...@ipv4networks.com [2010-08-22 20:05]: I'm just in doubt in how to replace the sentence for OpenBSD 4.7 : scrub in all Is it just like this? : match in all scrub no. just delete that line. it only did reassembly which is on by default now. -- Henning Brauer,

Re: PF 'traceroute -I host' 'tracert host' problem

This has been fixed 4.8 On Thu, Aug 19, 2010 at 03:08:23AM +0300, ?? ?? wrote: Hi I move from 4.6 to 4.7, rewrite my pf.conf rules to match new style. Everything works fine, but when I try to traceroute a host with -I flag (force to use icmp) on my obsd fw I got Request time out

Re: PF Layer 2 SYN Proxy

On 2010-08-10, Metin KAYA kayam...@gmail.com wrote: Is it possible to implement layer 2 SYN proxy with PF? No.

Re: pf synproxy

On 7/29/10, Ryan McBride mcbr...@openbsd.org wrote: On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote: Sadly this means scalability (adding multiple synproxy boxes) is not possible, ... synproxy works by completing the 3-way handshake with the source first, then negotiating a

<    5   6   7   8   9   10   11   12   13   14   >