Re: PF rules to block out every IP from a given country

2022-12-07 Thread Muhammad Muntaza
On Wed, 7 Dec 2022 at 08.55 Damian McGuckin wrote: > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - Damian > Check this Example: https://www.muntaza.id/pf/2020/02/03/pf-firewall-bagian-kedua.html I write in Indonesian, you can use G

Re: PF rules to block out every IP from a given country

2022-12-06 Thread Craig Schulz
Take a look at PF-Badhost. Here is a decent write-up: https://undeadly.org/cgi?action=article;sid=20210119113425 Craig > On Dec 6, 2022, at 18:28, Damian McGuckin wrote: > > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - D

Re: PF rules to block out every IP from a given country

2022-12-06 Thread All
Considering you solved the issue with getting all IPs for a given country correctly (and perhaps updating it sometimes): 1. Dump all IP addresses/ranges into a file (e.g. blocked.ips) 2. add table file  /path/to/blocked.ips add "persist" if you want. 3. create rule to block all incoming
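The three steps in the reply above, as an added example that is not part of the thread: a POSIX sh script that normalises a prefix list into a pf table file, emits a matching pf.conf fragment (persistent table backed by the file plus a `block in log quick` rule) and, on a host that has pfctl, syntax-checks the fragment and swaps the kernel table contents with `pfctl -T replace`. The table name `countryblock`, the `egress` interface group and the prefix list (documentation prefixes, constructed for illustration, not real geolocation data) are assumptions; feed it the output of your own country-to-prefix source.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a pf table file and a pf.conf
# fragment for a country block list, then loads it when pfctl is available.

# write_blocklist DIR
#   Writes DIR/blocked.ips: comments and blank lines stripped, duplicates
#   removed, one prefix per line. pfctl tolerates '#' comments in table files,
#   but a normalised file keeps 'diff' and 'pfctl -T show' output comparable.
write_blocklist() {
    dir=$1
    # CONSTRUCTED sample input (RFC 5737 / RFC 3849 documentation prefixes).
    # Replace with the real prefix list for the country you want to block.
    printf '%s\n' \
        '# sample prefixes for country XX (constructed, not real data)' \
        '192.0.2.0/24' \
        '198.51.100.0/24' \
        '203.0.113.0/24' \
        '198.51.100.0/24' \
        '2001:db8::/32' |
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | sort -u > "$dir/blocked.ips"
}

# write_pf_fragment DIR
#   Writes DIR/pf.country.conf. 'persist' keeps the table in the kernel even
#   when no rule references it, so it can be refilled with pfctl -T replace
#   without reloading the whole ruleset. 'quick' stops evaluation at the block.
write_pf_fragment() {
    dir=$1
    cat > "$dir/pf.country.conf" <<EOF
table <countryblock> persist file "$dir/blocked.ips"
block in log quick on egress from <countryblock> to any
EOF
}

# reload_table DIR
#   Parse-only check of the fragment, then an atomic replace of the table
#   contents. Without pfctl (workstation, CI) it only reports what it wrote.
reload_table() {
    dir=$1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$dir/pf.country.conf" || return 1
        pfctl -t countryblock -T replace -f "$dir/blocked.ips"
    else
        echo "pfctl not found; wrote $dir/pf.country.conf and $dir/blocked.ips" >&2
    fi
}

# count_entries DIR: number of prefixes that ended up in the table file.
count_entries() {
    wc -l < "$1/blocked.ips" | tr -d ' '
}

# Usage on the firewall (as root): sh country-block.sh install /etc/pf
if [ "$1" = "install" ] && [ -n "$2" ]; then
    write_blocklist "$2" && write_pf_fragment "$2" && reload_table "$2"
fi
```

Include the fragment from /etc/pf.conf (or paste its two lines in) once; afterwards a cron job only needs `write_blocklist` and `reload_table`, because `-T replace` updates the running table in place. Check what is actually loaded with `pfctl -t countryblock -T show`, and remember that `block in` on egress does not stop outbound connections from your own hosts to those prefixes.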

PF rules to block out every IP from a given country

2022-12-06 Thread Damian McGuckin
Has anybody created rules such as this and if so, do you have an example? Stay safe - Damian Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037 Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here Views & opinions here are mine and not those of

Re: Is pf still the recommended firewall/NAT software for OpenBSD?

2022-12-01 Thread Maurice McCarthy
Yes On Fri, 2 Dec 2022, 01:14 Steve Litt, wrote: > Is pf still the recommended firewall/NAT software for OpenBSD? > > Thanks, > > SteveT > > Steve Litt > Autumn 2022 featured book: Thriving in Tough Times > http://www.troubleshooters.com/bookstore/thrive.htm > >

Re: pf rdr-to (localhost ntpd) not always works

2022-09-15 Thread Kapetanakis Giannis
efore with 1.2.3.4). > > 10:34:26.812675 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client strat 0 poll 3 > prec -6 (DF) > 10:34:28.812571 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client strat 0 poll 3 > prec -6 (DF) > 10:34:30.812587 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client st

Re: pf rdr-to (localhost ntpd) not always works

2022-09-15 Thread Kapetanakis Giannis
em. > > all udp 127.0.0.1:123 (remote_ntp1:123) <- y.y.y.y:54401   SINGLE:MULTIPLE > all udp 127.0.0.1:123 (remote_ntp2:123) <- y.y.y.y:52525   SINGLE:MULTIPLE > > :( > > G Yes indeed. from info debug level I get. Sep 15 15:48:02 fw /bsd: pf: stack key attach failed on

pf rdr-to (localhost ntpd) not always works

2022-09-15 Thread Kapetanakis Giannis
t 0 poll 3 prec -6 (DF) I also see the pf log (4 times now and not 1 as before) Sep 15 10:34:26.812688 rule 154/(match) pass in on int_if: x.x.x.x.123 > 2.3.4.5.123: v4 alarm client strat 0 poll 3 prec -6 (DF) Sep 15 10:34:28.812583 rule 154/(match) pass in on int_if: x.x.x.x.123 > 2.3.4.

Re: SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-18 Thread Jonathan Thornburg
In message <https://marc.info/?l=openbsd-misc=166062861021368=1> I described how I'm using an OpenBSD firewall (pf) to protect a VOIP phone system. A small correction: I wrote: > The firewall > also runs unbound to provide caching DNS service to the VOIP box and the > local compu

SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-15 Thread Jonathan Thornburg
In message <https://marc.info/?l=openbsd-misc=162550822403762=1> (date 2021-07-05) I wrote: > Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP > phone system from internet attacks? If so, how did you do it? More > generally, how do people protect VOI

Re: mpls and pf

2022-08-01 Thread Holger Glaess
0,em1 } no state" they don't show the mpls neighbor but the rule matches. Is there a possibility to do a kind of pass quick on { em0 , em1 } mpls ? How can I handle mpls correctly with pf ? I have zero hands-on experience with mpls, but since [Mon Aug 01 12:35:07] peter@skapet:~$ apropos mp

mpls and pf

2022-08-01 Thread Holger Glaess
r but the rule matches. Is there a possibility to do a kind of pass quick on { em0 , em1 } mpls  ? How can I handle mpls correctly with pf ? Holger

Re: bridge rules are evaluated different compared to pf?

2022-07-26 Thread Cristian Danila
mments the uncommented section will block out > > traffic and the second section will let it pass. Somehow these > > rules behave like rules added to pf but with the 'quick' keyword. > > So I deduce that a catch-all policy must be added last and not > > first like in pf > &g

Re: bridge rules are evaluated different compared to pf?

2022-07-26 Thread Claudio Jeker
--- > As you see in the comments the uncommented section will block out > traffic and the second section will let it pass. Somehow these > rules behave like rules added to pf but with the 'quick' keyword. > So I deduce that a catch-all policy must be added last and not > fi

bridge rules are evaluated different compared to pf?

2022-07-26 Thread Cristian Danila
these rules behave like rules added to pf but with the 'quick' keyword. So I deduce that a catch-all policy must be added last and not first like in pf. In the manpage of ifconfig I see this: "Rules are processed in the order in which they were added to the interface" So I believe it makes sense th

pf behind the 2nd wifi router

2022-06-08 Thread T T
hi all . I'm running pf.conf behind the second wi-fi router . [openbsd PC]--wired lan-->2nd wifi router--wifi-->1st wifi router -->internet openbsd address is 192.168.68.123 . /etc/pf.conf is - table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \

Re: PF table issue on 7.1-Current

2022-06-07 Thread Sven F.
On Tue, Jun 7, 2022 at 11:34 AM Zé Loff wrote: > > On Tue, Jun 07, 2022 at 04:26:11PM +0300, Barbaros Bilek wrote: > > Hello Misc, > > > > I think there is an issue about PF tables at current. > > Here my working PF config sample before 7.1-Current. > > blo

Re: PF table issue on 7.1-Current

2022-06-07 Thread Zé Loff
On Tue, Jun 07, 2022 at 04:26:11PM +0300, Barbaros Bilek wrote: > Hello Misc, > > I think there is an issue about PF tables at current. > Here my working PF config sample before 7.1-Current. > block log quick inet from <Malicious> > pfctl -f /etc/pf.conf > Another software fills

PF table issue on 7.1-Current

2022-06-07 Thread Barbaros Bilek
Hello Misc, I think there is an issue about PF tables at current. Here my working PF config sample before 7.1-Current. block log quick inet from <Malicious> pfctl -f /etc/pf.conf Another software fills this Malicious table with this command: # pfctl -t Malicious -T add 1.2.3.4 1 table created

pf nat64 interface reference

2022-05-23 Thread Nicolas Goy
In my pf.conf, I have a line like this: wan = "re2" pass in quick on $priv inet6 from any to 64:ff9b::/96 af-to inet from $wan It used to work, but now it doesn't, I suspect that's because the order of the ip addresses has changed when I type "ifconfig". Now I have some ipv6 addresses before

Re: A speed test with Iperf , Relayd and PF

2022-05-13 Thread Stuart Henderson
use nodelay? That disables Nagle and is normally only wanted for interactive protocols like SSH. High chance that will be slowing things down. https://en.m.wikipedia.org/wiki/Nagle%27s_algorithm > If instead, I deactivate the relayd function and using a simple PF > redirecting with > &

Understanding pf statistics

2022-04-27 Thread Clint Pachl
In the following command, is "Packets" the number of dropped packets after 5,435,315 evaluations of that block rule? If so, is "Bytes" the total size of those 16,303 dropped packets? And is "States" zero because it is a block rule, thus no state created? # pfctl -s rules -vR11 block drop in log

thank you for faq..pf..ex.1 update...

2022-04-19 Thread harold felton
this is just a huge THANK YOU message... for whatever reason, i have been "trying" to get my openbsd router working correctly for many moons... no reason to explain all of the mistaken paths i have had, but finally, between the faq at https://www.openbsd.org/faq/pf/example1.html and t

Re: pf documentation

2022-04-07 Thread Stuart Henderson
On 2022-04-07, Steve Litt wrote: > I need some easy beginner's pf documentation as well as some > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I > haven't done this in ten years, and imagine pf and the process of > turning OpenBSD into a firewall have changed

Re: pf documentation

2022-04-07 Thread Tom Smyth
Steve, if you like books ... Peter Hansteen has written a book, The Book of PF, which I have read and would recommend https://nostarch.com/pf3 and if you are interested in firewalls in general and comparing features On Thu, 7 Apr 2022 at 10:40, Tom Smyth wrote: > > Hi Steve, > Im goin

Re: pf documentation

2022-04-07 Thread Tom Smyth
Hi Steve, I'm going to give my usual answer here. Peter Hansteen and Max Stucchi have an amazing tutorial on PF https://home.nuug.no/~peter/pftutorial/#1 but they explain the concepts really well; I recommend the class that they do in person .. for the latest features about PF in the version

Re: pf documentation

2022-04-07 Thread Brodey Dover
To be honest, I just used the handbook/FAQ. https://www.openbsd.org/faq/pf/example1.html Note that some grammar and syntax from Google search results will not work in newer versions of pf. Sent from my iPhone > On Apr 7, 2022, at 05:13, Steve Litt wrote: > > Hi all, > > I

Re: pf documentation

2022-04-07 Thread Janne Johansson
On Thu, 7 Apr 2022 at 11:12, Steve Litt wrote: > > Hi all, > > I need some easy beginner's pf documentation as well as some > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I > haven't done this in ten years, and imagine pf and the process of

pf documentation

2022-04-07 Thread Steve Litt
Hi all, I need some easy beginner's pf documentation as well as some intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I haven't done this in ten years, and imagine pf and the process of turning OpenBSD into a firewall have changed in that time. Thanks, SteveT Steve Litt

Loading of pf rule hangs

2022-03-19 Thread Axel Rau
I just installed the recent fixes for 6.0 with syspatch. After reboot my pf rules have not been installed. pfctl -nvvf pf.conf shows rule loading hangs between these rules: - - - table persist file "/etc/pf/black_hole.txt" block drop in quick on $red_if from flags any - - - After a m

Re: PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor
Dear @misc We found the error! This is not a PF problem. I found this: http://undeadly.org/cgi?action=article=20090127205841 If I modify an ipsec config *from:* ike active esp from 172.20.123.0/24 to 172.20.122.0/24 \ *to:* ike active esp from 172.20.123.0/24 *(192.168.123.0/24

PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor
Dear @misc We have a stupid problem. On a complex firewall (currently PF rules 1200 rows), one PASS rule is not working. I do not know why. There are many VLANs, WAN, LAN interfaces, many ipsec VPNs, CARP (master-backup), pfsync, etc ... PF main rules: # set

Re: PF bi-nat

2022-02-24 Thread Otto Moerbeek
little > > > to wrap my head around the concept. > > > > > > The OpenBSD FAQ (https://www.openbsd.org/faq/pf/nat.html) gives the > > > following example: > > > > > > "pass on tl0 from $web_serv_int to any binat-to $web_serv_ext" > > > > &g

Re: PF bi-nat

2022-02-24 Thread David Gwynne
On Wed, Feb 23, 2022 at 04:55:05PM +, Laura Smith wrote: > I've never had occasion to use bi-nat before and I'm struggling a little to > wrap my head around the concept. > > The OpenBSD FAQ (https://www.openbsd.org/faq/pf/nat.html) gives the following > example: > &

Re: pf queuing/bandwidth control question

2022-02-18 Thread Stuart Henderson
rk >>> * re2 so far unused >>> >>> I was setting up pf queues for bandwidth control as follows: >>> * one queue on re0 for outgoing traffic >>> * another queue on re1 for incoming traffic >>> >>> Now, I would like to connect a wireless

Re: pf queuing/bandwidth control question

2022-02-18 Thread Matthias Pressfreund
On 2022-02-17 18:56, Stuart Henderson wrote: > On 2022-02-17, Matthias Pressfreund wrote: >> On a server with 3 LAN interfaces (re0/1/2): >> * re0 connected to the ISP >> * re1 connected to the internal network >> * re2 so far unused >> >> I was set

Re: pf queuing/bandwidth control question

2022-02-17 Thread Stuart Henderson
On 2022-02-17, Matthias Pressfreund wrote: > On a server with 3 LAN interfaces (re0/1/2): > * re0 connected to the ISP > * re1 connected to the internal network > * re2 so far unused > > I was setting up pf queues for bandwidth control as follows: > * one queue on re0

pf queuing/bandwidth control question

2022-02-16 Thread Matthias Pressfreund
On a server with 3 LAN interfaces (re0/1/2): * re0 connected to the ISP * re1 connected to the internal network * re2 so far unused I was setting up pf queues for bandwidth control as follows: * one queue on re0 for outgoing traffic * another queue on re1 for incoming traffic Now, I would like

Re: Question about packet reassembly and pf

2022-02-07 Thread Stuart Henderson
(and allow "reassemble" as a synonym to avoid breaking existing configs). Not sure if it's worth it though, people using the more advanced options in PF certainly need to read the manual.

Re: Question about packet reassembly and pf

2022-02-07 Thread Stuart Henderson
On 2022-02-07, J Doe wrote: > My question is - is it unnecessary to include "reassemble tcp" in the > scrub rule if "set reassemble yes" has already been set ? I know the > FAQ example also doesn't explicitly state "set reassemble yes", but man > notes that that is the default setting. >

Question about packet reassembly and pf

2022-02-06 Thread J Doe
via "scrub" man states: "reassemble tcp Statefully normalises TCP connections. Reassemble tcp performs the following normalisations ..." The reassembly normalizations that are listed sound very useful, but I note in the pf FAQ example for a router[1] that the "

Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-16 Thread Markus Wipp
yes, that's correct and just to make sure you got my last email. I was able to fix my issue in the meantime by adding allow-opts > On 16. Jan 2022, at 12:40, David Gwynne wrote: > > you've set the net.inet.gre.allow sysctl to 1, right? > >> On 16 Jan 2022, at 17:05, Markus Wipp wrote: >> >>

Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-16 Thread David Gwynne
you've set the net.inet.gre.allow sysctl to 1, right? > On 16 Jan 2022, at 17:05, Markus Wipp wrote: > > Hi David, > > First of all thank you so much taking the time for my question! > >> My first impression is that you're confusing where to apply policy to >> the encapsulated traffic. "pass

Fwd: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-16 Thread Markus Wipp
bject: Re: GRE IP6/IP6 not working as soon as pf is enabled > Date: 16. January 2022 at 08:03:39 CET > To: Markus Wipp > > Hi, > > You look like you might understand german so I have a german link for you: > > https://wiki.freifunk-franken.de/w/Benutzer:PeterPhilipp#GRE_konf

Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-15 Thread Markus Wipp
Hi David, First of all thank you so much taking the time for my question! > My first impression is that you're confusing where to apply policy to > the encapsulated traffic. "pass on gre proto gre" implies you're > trying to pass GRE packets as they go over gre(4) interfaces, but > it's the

Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-15 Thread David Gwynne
On Sat, Jan 15, 2022 at 08:10:44PM +0100, Markus Wipp wrote: > Hi all, > > This is my first mail to an OpenBSD list, so I hope I chose the correct one. > > I'm trying to get a GRE tunnel in combination with pf working a few days now > on my OpenBSD (OpenBSD 7.0 (GENERIC.MP

GRE IP6/IP6 not working as soon as pf is enabled

2022-01-15 Thread Markus Wipp
Hi all, This is my first mail to an OpenBSD list, so I hope I chose the correct one. I’m trying to get a GRE tunnel in combination with pf working a few days now on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021) If I disable pf with pfctl -d the connection is working

Re: Problem with some pf table defined outside of an anchor

2022-01-13 Thread Carlos Lopez
n >> that case. > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday 12 January 2022 at 11:58, Carlos Lopez wrote: > >> Hi all, >> > >> I have a strange issue when I use a pf table inside an anchor. Error >> returned is: >>

Problem with some pf table defined outside of an anchor

2022-01-12 Thread Carlos Lopez
Hi all, I have a strange issue when I use a pf table inside an anchor. Error returned is: pfctl: warning: table already defined in anchor "pub-network/_2" Table is defined in global pf.conf file. In pf.conf I have defined some anchors by interface, like this: # Group of rules for p

Re: Help with basic pf rule to open port 25

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 03:39:00PM -0500, Sean McBride wrote: > I don't actually want to use OpenSMTPD, I was just using it as a way to test > my experimental pf rules. I'l try to find some other way to test them. netcat # man nc

Re: Help with basic pf rule to open port 25

2022-01-06 Thread Sean McBride
nt to use OpenSMTPD, I was just using it as a way to test my experimental pf rules. I'll try to find some other way to test them. Thanks both for your replies and links to reading materials. Cheers, Sean

Re: Help with basic pf rule to open port 25

2022-01-05 Thread Crystal Kolipe
On Wed, Jan 05, 2022 at 11:03:02AM -0500, Sean McBride wrote: > pass in log quick on egress proto tcp to any port smtp > If on the OpenBSD system itself I do `telnet > localhost 25` I see the built-in OpenSMTPD. But if I telnet from another > machine on my LAN, I fail to connect. Shouldn't that

Re: Help with basic pf rule to open port 25

2022-01-05 Thread Tom Smyth
Hi Sean, Happy new year to you, do a netstat and make sure that your software is listening on an address other than loopback or all addresses (0.0.0.0) run the following command netstat -an If you want to check active rules in pf run the following command pfctl -sr if you ever want

Help with basic pf rule to open port 25

2022-01-05 Thread Sean McBride
Hi all, (Newbie and first time poster, please be gentle :)) I'm trying to set up spamd, and I think I'm having trouble with pf. So I tried to add a very basic test rule. I added to the beginning of /etc/pf.conf the following: pass in log quick on egress proto tcp to any port smtp
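The first check in this thread (Tom's "do a netstat" and the localhost-only symptom Sean describes) as an added example that is not part of the thread: a POSIX sh helper that reads `netstat -an` output in OpenBSD's format (local address printed as ADDR.PORT, `*` for any address) and reports whether a TCP port is bound to loopback only, to all addresses, or not at all. If the answer is "loopback" or "none", no `pass in` rule can make the service reachable from the LAN and pf is the wrong place to look. The `sample_netstat` output is constructed for illustration; `diagnose` is an assumed wrapper name.

```shell
#!/bin/sh
# Added example, not from the thread. Separates "pf is blocking it" from
# "nothing is listening on that address" before touching pf.conf.

# CONSTRUCTED netstat -an output in OpenBSD's layout (not captured from a host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  192.168.1.10.22        192.168.1.20.51512     ESTABLISHED
udp          0      0  *.514                  *.*
EOF
}

# bind_scope PORT < netstat-output
#   Prints one of: none | loopback | all | <specific address>.
#   Only tcp/tcp6 lines in LISTEN count; an ESTABLISHED state on the same
#   port is a client connection, not a listener. A wildcard bind wins over
#   any other binding for the same port.
bind_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")                     # last field is the port
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "*") { scope = "all"; exit }
            if (addr == "127.0.0.1" || addr == "::1") { scope = "loopback"; next }
            scope = addr
        }
        END { print (scope == "" ? "none" : scope) }
    '
}

# diagnose PORT
#   Uses the live netstat when present (OpenBSD format assumed), otherwise the
#   constructed sample. Returns 1 when pf cannot be the cause.
diagnose() {
    if command -v netstat >/dev/null 2>&1; then
        scope=$(netstat -an | bind_scope "$1")
    else
        scope=$(sample_netstat | bind_scope "$1")
    fi
    case $scope in
        none)
            echo "port $1: nothing is listening; fix the daemon before pf"
            return 1 ;;
        loopback)
            echo "port $1: bound to loopback only; a 'pass in on egress' rule cannot help"
            return 1 ;;
        *)
            echo "port $1: listening on $scope; now check 'pfctl -sr' and 'tcpdump -n -e -ttt -i pflog0'"
            return 0 ;;
    esac
}
```

With the sample above, port 25 reports `loopback` (the smtpd-on-localhost case from this thread) while port 22 reports `all`. Only once a port reports `all` or the LAN address is it worth reading `pfctl -sr` and watching pflog0 for the blocked SYNs.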

Re: Questions on pf limit table-entries PFR_KENTRY_HIWAT_SMALL

2022-01-01 Thread trondd
On Sat, January 1, 2022 8:02 pm, Paul Pace wrote: > Hello! > > I'm trying to understand the limits in PF, and I can't seem to figure > this out: > > In pf.conf(5) I see two limits called table-entries, and one of them is > > table-entries PFR_KENTRY_HIWAT_SMALL 1

Re : Re: Limitations of nested pf macros

2021-12-30 Thread Marin BERNARD
> I think it's expected. This is a simple construct and trying to use > it for something more complicated is likely to run into problems. > Manual pages usually talk about what is supported rather than what > isn't (it's difficult to evaluate all the things somebody might > try and explain why it

Re: Limitations of nested pf macros

2021-12-30 Thread Stuart Henderson
On 2021-12-30, Marin BERNARD wrote: > While building a pf ruleset, I found out that trying to nest macros > results in syntax errors, unless the original macros were defined > with double (nested) quoting (e.g.: "'0.0.0.0/0'" or "\"0.0.0.0/0\""). > >

Limitations of nested pf macros

2021-12-30 Thread Marin BERNARD
Hi, I'm using OpenBSD 7.0. While building a pf ruleset, I found out that trying to nest macros results in syntax errors, unless the original macros were defined with double (nested) quoting (e.g.: "'0.0.0.0/0'" or "\"0.0.0.0/0\""). I've read the man pages and the O

Re: I got a new “em” card. pf uses old “self”

2021-12-20 Thread Crystal Kolipe
On Mon, Dec 20, 2021 at 05:38:45AM -0600, Luke Small wrote: > I reserved a new address for the new I350-T2 card and replaced unbound.conf > and all uses of it in /etc. > > “tcpdump -aetvvipflog0” still returns the old reserved address! > > What do I do? Post a more comprehensive bug report.

I got a new “em” card. pf uses old “self”

2021-12-20 Thread Luke Small
I reserved a new address for the new I350-T2 card and replaced unbound.conf and all uses of it in /etc. “tcpdump -aetvvipflog0” still returns the old reserved address! What do I do? -- -Luke

Got a new “em” card. pf uses old “self”

2021-12-20 Thread Luke Small
I reserved a new address for the new I350-T2 card and replaced unbound.conf and all uses of it in /etc. “tcpdump -aetvvipflog0” still returns the old reserved address! What do I do? -- -Luke

Re: pf synproxy

2021-11-12 Thread Stuart Henderson
here something obvious > I'm missing? I can give more detailed info (pf rules, ifconfig) > offline for anyone interested in helping out. There are some strange issues with synproxy, for example if you have pass in quick proto tcp to 157.240.1.35 synproxy state and try an http get to that a

Re: pf synproxy

2021-11-12 Thread Rosen Iliev
://www.openbsd.org/faq/pf/rdr.html Rosen Lyndon Nerenberg (VE7TFX/VE6BBM) wrote on 11/10/2021 14:41: I'm trying to get synproxy working on a firewall, using the following rule: pass quick proto tcp from any to $front_smtp4 port 25 synproxy state The firewall accepts the connection on the outside interface

pf synproxy

2021-11-10 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
interface. The state table shows a pair of entries with state PROXY:SRC and DST:PROXY which line up with the connection, but all I get is dead air. This seems like it should 'just work'. Is there something obvious I'm missing? I can give more detailed info (pf rules, ifconfig) offline for anyone

Re: pf and tap interfaces

2021-10-31 Thread tech-lists
at this stage is "is this possible". I'm asking that because I've looked in the pf section of the manual and have not found an example (yet) close enough to my enquiry. I think here it'd be better to ask firstly in an entirely OpenBSD 7.0 context. Like, OpenBSD has vmm now, its equivalen

Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists wrote: > On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote: > >tech-lists wrote: > > > >> I'm asking this here because I'm trying to do this with FreeBSD but > >> their pf has diverged a lot from OpenBSD's > > > >that is in

Re: pf and tap interfaces

2021-10-31 Thread tech-lists
On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote: tech-lists wrote: I'm asking this here because I'm trying to do this with FreeBSD but their pf has diverged a lot from OpenBSD's that is incorrect history. It is hard to see how 'absolutely minimal maintenance' can result

Re: pf and tap interfaces

2021-10-31 Thread tech-lists
Hi, On Sun, Oct 31, 2021 at 04:23:58PM +0100, Sebastian Benoit wrote: Maybe you could describe a bit more what you are trying to do. I'm trying to protect, with pf, a freebsd host running bhyve guests. The guests use tap interfaces. They are in the same network as the host

Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists wrote: > I'm asking this here because I'm trying to do this with FreeBSD but > their pf has diverged a lot from OpenBSD's that is incorrect history. It is hard to see how 'absolutely minimal maintenance' can result in divergence. At some point, pf's state table data stru

Re: pf and tap interfaces

2021-10-31 Thread Sebastian Benoit
> > I'm asking this here because I'm trying to do this with FreeBSD > but their pf has diverged a lot from OpenBSD's, and what I thought > would work does not. skip on $tap_ifs has unexpected results in that > traffic still gets blocked on the guest. > > If OpenBSD's pf d

pf and tap interfaces

2021-10-31 Thread tech-lists
Hello misc@ Generically, can OpenBSD [7.0] apply rules to *just* the ethernet interface, ignoring the bridge and tap interfaces? Can it do this natively or is a VLAN required as well? Or something else? I'm asking this here because I'm trying to do this with FreeBSD but their pf has diverged

Re: Library for the pf(4) device

2021-10-18 Thread J. K.
Hi Matthias! On 18.10.21 05:30, Matthias Pressfreund wrote: > Hi, > > maybe that would serve your purposes: > > https://github.com/mpfr/pftbld > Awesome! This is exactly what I have planned. Starred on GitHub. :) Many thanks and best regards.

Re: Library for the pf(4) device

2021-10-17 Thread Matthias Pressfreund
Hi, maybe that would serve your purposes: https://github.com/mpfr/pftbld On 2021-10-18 00:24, J. K. wrote: > Hi, > > Is there an existing library for pf(4) which includes > the same features as pfctl? Or at least adds IP addresses > to a specific block table? > > Want

Library for the pf(4) device

2021-10-17 Thread J. K.
Hi, Is there an existing library for pf(4) which includes the same features as pfctl? Or at least adds IP addresses to a specific block table? I want to build some sort of application-level IDS/IPS for my homepage. The concept (my goal): - Write a daemon which listens on a specific port

Re: pf block port scanning

2021-10-11 Thread Stuart Henderson
d to believe that source-track is not really the best idea if you want good performance out of PF). Probably the best way to hide which ports are really open on a machine is to answer connections on *every* port, which could be done with "pass in on proto tcp to self synproxy state", it's definitely a bodge though!

Re: pf block port scanning

2021-10-10 Thread Peter N. M. Hansteen
On Sun, Oct 10, 2021 at 02:48:04PM +0300, Barbaros Bilek wrote: > Hello Peter, > > I think you suggest me some work around like max-src-conn-rate, right? I would think both the rate and the number of simultaneous connections could be relevant here, yes. - Peter -- Peter N. M. Hansteen,

Re: pf block port scanning

2021-10-10 Thread Barbaros Bilek
> I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF. > > At the top of my pf.conf i've added these lines but it didn't work. > > > > block in quick proto tcp all flags SF/SFRA label bps1 > > block in quick proto tcp all flags FPU/SFRAUP label bps3 > >

Re: pf block port scanning

2021-10-10 Thread Barbaros Bilek
ello misc, > > > > I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF. > > At the top of my pf.conf i've added these lines but it didn't work. > > > > block in quick proto tcp all flags SF/SFRA label bps1 > > block in quick proto tcp all flags FPU/SFRAU

Re: pf block port scanning

2021-10-09 Thread Peter Nicolai Mathias Hansteen
> 7. okt. 2021 kl. 15:58 skrev Barbaros Bilek : > > Hello misc, > > I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF. > At the top of my pf.conf i've added these lines but it didn't work. > > block in quick proto tcp all flags SF/SFRA label bps1 > b

Re: pf block port scanning

2021-10-09 Thread Stuart Henderson
On 2021-10-07, Barbaros Bilek wrote: > Hello misc, > > I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF. > At the top of my pf.conf i've added these lines but it didn't work. > > block in quick proto tcp all flags SF/SFRA label bps1 > block in quick proto tcp

pf block port scanning

2021-10-07 Thread Barbaros Bilek
Hello misc, I try to block port scanning attempts with OpenBSD 6.9/amd64 + PF. At the top of my pf.conf i've added these lines but it didn't work. block in quick proto tcp all flags SF/SFRA label bps1 block in quick proto tcp all flags FPU/SFRAUP label bps3 block in quick proto tcp all flags
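The two approaches discussed in this thread, as an added example that is not part of it: the flag-matching rules Barbaros posted only catch scans that send abnormal flag combinations (SYN+FIN, Xmas and the like); a plain SYN scan sends exactly what a legitimate client sends, so no `flags` rule can single it out. Peter's suggestion of `max-src-conn-rate` works on behaviour instead: a source that opens too many new states in a window is put into a table that is blocked early. The table name `<bruteforce>`, the 15/30 threshold, the `egress` group and the ssh/smtp port list are assumptions for illustration; the functions are POSIX sh so the generated rulesets can be inspected and checked off the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: weak flag-only rules beside a
# rate-limit/overload ruleset, plus the two pfctl calls that go with it.

# flags_only_ruleset: the two rules from the post. They drop SYN+FIN and
# FIN+PSH+URG probes but see nothing unusual in a SYN-only scan.
flags_only_ruleset() {
    cat <<'EOF'
block in quick proto tcp all flags SF/SFRA label bps1
block in quick proto tcp all flags FPU/SFRAUP label bps3
EOF
}

# rate_limit_ruleset: a source that creates more than 15 new states in 30 s
# on the passed ports is added to <bruteforce>, all of its existing states
# are flushed ('flush global'), and the block rule at the top catches it from
# then on. Ports with no pass rule create no state and are not counted, so a
# scan of closed ports shows up only in pflog, not in the table.
rate_limit_ruleset() {
    cat <<'EOF'
table <bruteforce> persist
block in log quick from <bruteforce>
pass in on egress proto tcp to port { ssh, smtp } keep state (max-src-conn-rate 15/30, overload <bruteforce> flush global)
EOF
}

# check_ruleset: parse-only load of the stronger ruleset on a real firewall;
# without pfctl it does nothing so the generators can be tested elsewhere.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        rate_limit_ruleset | pfctl -nf -
    fi
}

# expire_offenders SECONDS: from cron, drop table entries whose statistics
# were last cleared more than SECONDS ago, so a scanner that went quiet is
# not blocked forever (assumed policy: one day).
expire_offenders() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t bruteforce -T expire "${1:-86400}"
    fi
}

# rule_count GENERATOR: number of pass/block rules a generator emits.
rule_count() {
    "$1" | grep -cE '^(pass|block)'
}
```

Watch the table fill with `pfctl -t bruteforce -T show`, and keep the thresholds above what a busy legitimate client does (a mail relay retrying, a monitoring host) before enabling `flush global`, since it tears down the offender's existing sessions too.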

pf route-to reply-to ipv6 link local address does not work

2021-10-05 Thread Pierre-Edouard
Running openbsd 6.9 stable here I am not able to use a pf rule using route-to/reply-to with an ipv6  linklocal address. example: pass out inet6 route-to fe80::abcd%em0 The syntax is valid and therefore is accepted but the "%em0" is stripped out when config is pushed. T

Re: problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-09-29 Thread Andrew Lemin
onality would be for 'sticky-address' to consider > both > > > > source IP and destination IP after initially being load balanced by > > > > round-robin or random. > > > > > > Just use multipath routing, it will make sure that selected default > routes > >

Re: problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-09-29 Thread Claudio Jeker
selected routes in a way to > > minimize the affected sessions. All this is done without any extra memory > > usage since the hashing function is smart. > > > > -- > > :wq Claudio > > > > > > > Thanks again, Andy. > > > > &g

Re: problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-09-29 Thread Andrew Lemin
to nat-to on those links. > > On rerouting the multipath code reshuffles the selected routes in a way to > minimize the affected sessions. All this is done without any extra memory > usage since the hashing function is smart. > > -- > :wq Claudio > > > > Thanks ag

Re: problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-09-29 Thread Claudio Jeker
; > > The current implementation of ‘sticky-address‘ relates only to a sticky > > source IP. > > https://www.openbsd.org/faq/pf/pools.html > > > > This is used for inbound server load balancing, by ensuring that all > > socket connections from the same client/user/IP

Re: problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-09-28 Thread Andrew Lemin
f ‘sticky-address‘ relates only to a sticky > source IP. > https://www.openbsd.org/faq/pf/pools.html > > This is used for inbound server load balancing, by ensuring that all > socket connections from the same client/user/IP on the internet goes to the > same server on your local

Re: PF Outbound traffic Load Balancing over multiple tun/openvpn interfaces/tunnels

2021-09-28 Thread Andrew Lemin
Hi. Sorry for extremely slow reply! Did you add the return routes for your internal subnets into each of the per-tun rdomains? To test your tunnels are setup correctly; Once you have the external interface in rdomain 0, and each VPN instance's tun interface is bound to different rdomains etc, you

Re: Unexpected pf behavior for DHCP traffic?

2021-08-19 Thread Étienne
On 19/08/2021 19:01, Stefan Sperling wrote: Any idea? I suspect the packets towards vether0 are being dropped by pf. What does your pf.conf look like? I have been looking in that direction, and reduced my pf.conf to this: default_tcp_ports="{ 22 }" set block-policy retur

Re: Unexpected pf behavior for DHCP traffic?

2021-08-19 Thread Stefan Sperling
use bpf, thus see raw packets > > > > from the wire before pf can block them. Most daemons of this type > > > > also use bpf to send packets, and pf doesn't see these either > > > Does that prevent dhcpd from listening on any virtual interface? I'm > > > trying >

Re: Unexpected pf behavior for DHCP traffic?

2021-08-19 Thread Étienne
On 31/07/2021 19:27, Stefan Sperling wrote: On Sat, Jul 31, 2021 at 07:02:35PM +0100, Étienne wrote: On 30/07/2021 04:37, Theo de Raadt wrote: dhcpleased (and a few other daemons) use bpf, thus see raw packets from the wire before pf can block them. Most daemons of this type also use bpf

Re: Unexpected pf behavior for DHCP traffic?

2021-08-01 Thread Zack Newman
> > Does that prevent dhcpd from listening on any virtual interface? I'm trying > > to have it listen for requests on a vether in a bridge, and that fails (or > > I'm making a mistake). > It should work, unless you are running dhclient/dhcpleased on the same machine, > because the bpf filter will eat

Re: Unexpected pf behavior for DHCP traffic?

2021-07-31 Thread Stefan Sperling
On Sat, Jul 31, 2021 at 07:02:35PM +0100, Étienne wrote: > On 30/07/2021 04:37, Theo de Raadt wrote: > > dhcpleased (and a few other daemons) use bpf, thus see raw packets > > from the wire before pf can block them. Most daemons of this type > > also use bpf to send packet

Re: Unexpected pf behavior for DHCP traffic?

2021-07-31 Thread Étienne
On 30/07/2021 04:37, Theo de Raadt wrote: dhcpleased (and a few other daemons) use bpf, thus see raw packets from the wire before pf can block them. Most daemons of this type also use bpf to send packets, and pf doesn't see these either Does that prevent dhcpd from listening on any virtual

Re: Openbsd pf firewall ipv6 routing

2021-07-30 Thread Daniel Melameth
t; > ISP-RouterOPENBSD/PFVLAN10—openWRT—Macbook > | > VLAN20__openWRT some Devices > | > | > Neighbour Access Point > > Recently I tried to enable IPv6 in openbs

Re: Unexpected pf behavior for DHCP traffic?

2021-07-30 Thread Stefan Sperling
gt; {timestamp} {ip2}.67 > {my_ip}.68: xid:0xfe51c9a3 Y:{my_ip} G:{ip1}[|bootp] > > I get that tcpdump taps to bpf so it can see both packets. > > And my understanding of your answer is that pf doesn't see the > first packet (DHCPREQUEST) since it's being sent using bpf. > > Th

Openbsd pf firewall ipv6 routing

2021-07-30 Thread Irshad
Hi, I have the following setup at home, I am sharing internet with my neighbour, our ISP provides IPv6 with 2001:16a2:cdd2:xx00::/56 prefix delegation, until now I was only using IPv4 NAT with the following setup ISP-RouterOPENBSD/PFVLAN10—openWRT

Re: Unexpected pf behavior for DHCP traffic?

2021-07-29 Thread beebeetles
to bpf so it can see both packets. And my understanding of your answer is that pf doesn't see the first packet (DHCPREQUEST) since it's being sent using bpf. The second packet (DHCPACK) -- although dhcpleased has unfiltered access to -- is eventually visible to pf, thus will be blocked by pf and

Re: Unexpected pf behavior for DHCP traffic?

2021-07-29 Thread Theo de Raadt
dhcpleased (and a few other daemons) use bpf, thus see raw packets from the wire before pf can block them. Most daemons of this type also use bpf to send packets, and pf doesn't see these either. This behaviour is intentional, and useful. beebeet...@posteo.de wrote: > Hi all, > > I'

Unexpected pf behavior for DHCP traffic?

2021-07-29 Thread beebeetles
Hi all, I'm running OpenBSD 6.9 as a home router, and observed some behavior of pf that I can't really make sense of. The router runs dhcpleased to obtain its IP address from the ISP, and I have the following pf rules (only the relevant ones are shown): block drop all pass out on $ext_if
