Re: Does pf support NPT (RFC6296) ?

2017-05-15 Thread Stuart Henderson
On 2017-05-15, Adam Thompson <athom...@athompso.net> wrote: > I still haven't found this answer anywhere... > > Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296, > IPv6-to-IPv6 Network Prefix Translation? Looks like FreeBSD can do it, > but I can't tel

Does pf support NPT (RFC6296) ?

2017-05-15 Thread Adam Thompson
I still haven't found this answer anywhere... Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296, IPv6-to-IPv6 Network Prefix Translation? Looks like FreeBSD can do it, but I can't tell if that's something they added to their own pf fork, or if I'm just missing something

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Carl Mascott
On Sat, 5/13/17, Carl Mascott <cmasc...@yahoo.com> wrote: Subject: Re: pf queue definition: bandwidth resolution problem To: "Mike Belopuhov" <m...@belopuhov.com> Cc: misc@openbsd.org Date: Saturday, May 13, 2017, 4:55 PM I forgot to ask: How will I know when there's

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Carl Mascott
wrote: Subject: Re: pf queue definition: bandwidth resolution problem To: "Mike Belopuhov" <m...@belopuhov.com> Cc: misc@openbsd.org, t...@openbsd.org Date: Saturday, May 13, 2017, 4:21 PM First, just to be safe, I did a bandwidth test with only one queue, max bandwidth 1999K.

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Carl Mascott
First, just to be safe, I did a bandwidth test with only one queue, max bandwidth 1999K. pf is fine: measured speed was about 2M. Just eyeballing it, I don't see anything wrong with your patch, but I have no way to test it: I'm not set up to build from source. If I understand correctly you have

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Mike Belopuhov
ue." Example: 1800K in pf.conf becomes 1M in the output > of "pfctl -squeue" -- a very significant difference. > > It remains to be determined whether the fault is in the setting of bandwidth > by pf or in the reporting of bandwidth by pfctl. Actual tests with a simp

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Carl Mascott
t of "pfctl -squeue." Example: 1800K in pf.conf becomes 1M in the output >of "pfctl -squeue" -- a very significant difference. It remains to be determined whether the fault is in the setting of bandwidth by pf or in the reporting of bandwidth by pfctl. Actual tests wit

Re: pf queue definition: bandwidth resolution problem

2017-05-13 Thread Mike Belopuhov
On Tue, May 09, 2017 at 19:47 +0000, Carl Mascott wrote: > Intel Atom D2500 1.66GHz > OpenBSD i386 v6.1-stable > > I can't get pf to give me the queue bandwidths that I specify in pf.conf. > > pf.conf: > > queue rootq on $ext_if bandwidth 9M max 9M qlimit 100 >

pf: pfi_kif_unref: rules refcount <= 0

2017-05-11 Thread Comète
Hi, I run OpenBSD 6.0 GENERIC.MP#4 amd64 on a firewall and I recently discovered lots of these messages in dmesg: pf: pfi_kif_unref: rules refcount <= 0 do you know what it is ? Thanks Morgan

Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
On 11/05/2017 01:42, Erling Westenvik wrote: > Check out pfctl(8) and the -F option. The issue might be resolvable > simply by flushing one or more of the filter parameters you'll find > there. I had always assumed that loading a new ruleset with pfctl -f also implied "-F all". This

Re: PF queueing confusion

2017-05-10 Thread Erling Westenvik
On Thu, May 11, 2017 at 12:09:26AM +0200, Gabriele Tozzi wrote: > > Looks like I've solved by only renaming the queues. > > Instead of naming them "high", "normal" and "low", I have now named them > "exthi", "extstd" and "extlo" and then everything seems to work as expected. > > Maybe "high" is a

Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
Looks like I've solved by only renaming the queues. Instead of naming them "high", "normal" and "low", I have now named them "exthi", "extstd" and "extlo" and then everything seems to work as expected. Maybe "high" is a (maybe undocumented) reserved queue name?

Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
l look for it. I have also checked "pfctl -s rules | grep high" and it returns no data. To the best of my knowledge, this confirms that there is no pf rule explicitly sending packets to the "high" queue... but lots of packets are queued there anyway, so I am supposing there sho

Re: PF queueing confusion

2017-05-10 Thread Luis Coronado
but perhaps someone else would be able to see something that you didn't, hence the requirement to share the file. -luis On Wed, May 10, 2017 at 12:50 PM, Gabriele Tozzi wrote: > > On 10/05/2017 14:45, Daniel Melameth wrote: > >> queue ext on $Ext bandwidth 900K > >>

Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
On 10/05/2017 14:45, Daniel Melameth wrote: >> queue ext on $Ext bandwidth 900K >> queue normal parent ext bandwidth 386K, max 850K qlimit 10 default >> queue high parent ext bandwidth 193K qlimit 10 >> queue low parent ext bandwidth 193K, max 540Kb qlimit 10 > > You'll have to post your

Re: PF queueing confusion

2017-05-10 Thread Daniel Melameth
On Wed, May 10, 2017 at 4:47 AM, Gabriele Tozzi <gabri...@tozzi.eu> wrote: > I have a quite simple pf setup: I have defined 3 queues for my external > interface in my pf.conf: > > queue ext on $Ext bandwidth 900K > queue normal parent ext bandwidth 386K, max 850K qlimit 10

PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
Hello there, I have noticed some weirdness when using "pfctl -s queue -v" so I have decided to investigate. I have a quite simple pf setup: I have defined 3 queues for my external interface in my pf.conf: queue ext on $Ext bandwidth 900K queue normal parent ext bandwidth 386K, max 8

pf queue definition: bandwidth resolution problem

2017-05-09 Thread Carl Mascott
Intel Atom D2500 1.66GHz OpenBSD i386 v6.1-stable I can't get pf to give me the queue bandwidths that I specify in pf.conf. pf.conf: queue rootq on $ext_if bandwidth 9M max 9M qlimit 100 queue qdef parent rootq bandwidth 3650K default queue qrtp parent rootq bandwidth 350K min

Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
2017-05-04 1:56 GMT+02:00 Luke Small : > Four words Peter..."dynamic IP address". I'm sure that there are folks that > ssh into machines that are on a dynamic IP address that don't have a modem > on a power backup, or even possibly on an ISP that may down, possibly when >

Re: Pf with secondary DNS resolution

2017-05-04 Thread Peter N. M. Hansteen
of that script at whatever intervals you need (this is what cron was made for). That script could even put the results into files that you can then use as source for the initial values for table contents. Basically I think your scenario is easily solved with a reasonably structured set of PF rules

Re: Pf with secondary DNS resolution

2017-05-04 Thread Florian Ermisch
Luke Small <lukensm...@gmail.com>: > >> Is it worthwhile to set up a hook for pf to load rules that have URLs >after >> the network services that can resolve them come into effect? >>

Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
orthwhile to set up a hook for pf to load rules that have URLs after > the network services that can resolve them come into effect? > -- May the most significant bit of your life be positive.

Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
Four words Peter..."dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may down, possibly when they are out of town. I don't know if it is possible or already done,

Re: Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
...@gmail.com> wrote: > Is it worthwhile to set up a hook for pf to load rules that have URLs > after the network services that can resolve them come into effect?

Re: Pf with secondary DNS resolution

2017-05-03 Thread Peter N. M. Hansteen
On 05/03/17 22:16, Luke Small wrote: > Is it worthwhile to set up a hook for pf to load rules that have URLs after > the network services that can resolve them come into effect? This sounds like you have a pf.conf that contains host names, and for some reason you are not sure that those

Pf with secondary DNS resolution

2017-05-03 Thread Luke Small
Is it worthwhile to set up a hook for pf to load rules that have URLs after the network services that can resolve them come into effect?

Re: Playstations and PF de-fragmentation

2017-05-03 Thread Kevin Chadwick
On Wed, 3 May 2017 08:02:10 +0200 > Thanks for sharing. > I’ll re-use this at home. > > Br > > > On 1 May 2017 at 01:43, Kevin Chadwick wrote: > > > > > > I find that to prevent connection timeouts on playstations, the > > following is required. Hopefully they will fix

Re: Playstations and PF de-fragmentation

2017-05-03 Thread Maxim Bourmistrov
Thanks for sharing. I’ll re-use this at home. Br > On 1 May 2017 at 01:43, Kevin Chadwick wrote: > > > I find that to prevent connection timeouts on playstations, the > following is required. Hopefully they will fix their packet AND > connection handling one day. > > match

Playstations and PF de-fragmentation

2017-04-30 Thread Kevin Chadwick
I find that to prevent connection timeouts on playstations, the following is required. Hopefully they will fix their packet AND connection handling one day. match from ! $ps3 scrub(tcp reassembly) match from $ps3 scrub(without tcp reassembly)

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-22 Thread Sjöholm Per-Olov
any buffers that are causing this in 6.1 but not in 6.0 ? >> >> There were changes that would allow larger TCP buffers in 6.1. This >> would not have made a difference to normal or natted connections from >> non-OpenBSD going through PF to non-OpenBSD but could possibly affect >

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-21 Thread Sjöholm Per-Olov
TCP buffers in 6.1. This > would not have made a difference to normal or natted connections from > non-OpenBSD going through PF to non-OpenBSD but could possibly affect > some configurations with proxies (though only if PF rules were already > dodgy - you would have active states in

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-21 Thread Stuart Henderson
On 2017-04-20, Sjöholm Per-Olov <p...@incedo.org> wrote: > Could it be any buffers that are causing this in 6.1 but not in 6.0 ? There were changes that would allow larger TCP buffers in 6.1. This would not have made a difference to normal or natted connections from non-OpenBSD going t

Re: Strange PF behaviour after 6.0 -> 6.1 upgrade

2017-04-20 Thread Edgar Pettijohn
e: >>>>> Anyone with a clue would be _very_ much appreciated…. >>>>> I upgraded from 6.0 to 6.1 two days ago and **did not change >anything to the network** stuff at all. After that clients have random >problems reaching my dmz web server (centos + nginx). I h

Re: Strange PF behaviour after 6.0 -> 6.1 upgrade

2017-04-20 Thread Sjöholm Per-Olov
>>> reaching my dmz web server (centos + nginx). I have checked the release >>>> notes, but could not see any clue there. See logs below >>>> # Relevant rules from PF >>>> LAN_INT="vlan2" >>>> DMZ1_INT="vlan3" >>>>

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-20 Thread Sjöholm Per-Olov
ed…. >>> I upgraded from 6.0 to 6.1 two days ago and **did not change anything to >>> the network** stuff at all. After that clients have random problems >>> reaching my dmz web server (centos + nginx). I have checked the release >>> notes, but could not see any clu

pf table statistics

2017-04-20 Thread alf
Bytes: 0 ] Out/Pass:[ Packets: 0 Bytes: 0 ] Out/XPass: [ Packets: 0 Bytes: 0 ] which corresponds to the pf uptime. Is this intentional? I ran into this while trying to parse snmp info:

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-19 Thread Sjöholm Per-Olov
stuff at all. After that clients have random problems reaching my >> dmz web server (centos + nginx). I have checked the release notes, but could >> not see any clue there. See logs below >> # Relevant rules from PF >> LAN_INT="vlan2" >> DMZ1_INT

Re: Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-19 Thread Fred
checked the release notes, but could not see any clue there. See logs below # Relevant rules from PF LAN_INT="vlan2" DMZ1_INT="vlan3" DMZ2_INT="vlan4" GUEST_INT="vlan1003" INTERNET_INT="em3 ALL_INTERFACES="{" $LAN_INT $GUEST_INT $DMZ1_INT $DMZ2

Strange PF behaviour after 6.0 -> 6.1 pgrade

2017-04-19 Thread Sjöholm Per-Olov
any clue there. See logs below # Relevant rules from PF LAN_INT="vlan2" DMZ1_INT="vlan3" DMZ2_INT="vlan4" GUEST_INT="vlan1003" INTERNET_INT="em3 ALL_INTERFACES="{" $LAN_INT $GUEST_INT $DMZ1_INT $DMZ2_INT $INTERNET_INT "}" pass out o

Re: Topics for revised PF and networking tutorial

2017-04-11 Thread lists
Tue, 11 Apr 2017 15:31:57 -0500 "Adam Thompson" > > > Plus, this year it appears that Peter is co-delivering the seminar > > > with Massimiliano Stucchi from RIPE, so it will presumably cover > > > a lot of IPv6 topics as well, which are poorly represented in > > > existing

Re: Topics for revised PF and networking tutorial

2017-04-11 Thread Adam Thompson
> -Original Message- > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On > Behalf Of bytevolc...@safe-mail.net > Sent: April 10, 2017 19:31 > > > Plus, this year it appears that Peter is co-delivering the seminar > > with Massimiliano Stucchi from RIPE, so it will presumably

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Alexander Hall
On April 11, 2017 5:54:31 AM GMT+02:00, Ingo Schwarze wrote: >bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM >+1000: > >> Another issue with the man pages is that there is extremely limited >> indexing. > >That isn't true on OpenBSD. It still is true on most

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Ingo Schwarze
bytevolc...@safe-mail.net wrote on Tue, Apr 11, 2017 at 10:30:35AM +1000: > Another issue with the man pages is that there is extremely limited > indexing. That isn't true on OpenBSD. It still is true on most Linux distributions, and even on FreeBSD by default, but at least FreeBSD has an

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Theo de Raadt
> Another issue with the man pages is that there is extremely limited > indexing. They are manual pages, not manual books. You are welcome to spend your time building an entire new subsystem and proving the value of your work. Go knock yourself out.

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread bytevolcano
t wasn't obvious > just from reading pf.conf(5). Sometimes it was something Peter said, > sometimes it was something another attendee said. That's the value > of attending any training class or seminar, not just this one for PF. > > The tutorial is aimed not at people who would go and produce

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Jason Tubnor
On 8 April 2017 at 07:41, Mihai Popescu <mih...@gmail.com> wrote: > I don't want to offend you folks, but I'm curious and I will ask: is > this BSDCon so useful? Does it pay the efforts? > > If someone has time and knowledge to do a PF tutorial he/she can do it > and post

Re: Topics for revised PF and networking tutorial

2017-04-10 Thread Adam Thompson
On 2017-04-07 16:41, Mihai Popescu wrote: I don't want to offend you folks, but I'm curious and I will ask: is this BSDCon so useful? Does it pay the efforts? If someone has time and knowledge to do a PF tutorial he/she can do it and post. Do you need the Con? I'm asking this having in my mind

Re: Topics for revised PF and networking tutorial

2017-04-09 Thread Glenn Faustino
> complicates things further. What about queueing of traffic inside GRE > > tunnels in transport mode protected with IPSEC? Where to read about it? > > The queue is assigned to the PF state, based on the queue name. > You can either do this in a "pass" rule or a

Re: Does OpenBSD's pf prevents Hole punching?

2017-04-08 Thread Kenneth Gober
On Sat, Apr 8, 2017 at 4:39 AM, Marina Ala <marina...@mail.com> wrote: > I heard that OpenBSD's pf can prevent Hole punching: > Is it true? I just cannot google on it, but if someone would answer this > thread then the world can google for it from that point :D PF doesn't preven

Re: Does OpenBSD's pf prevents Hole punching?

2017-04-08 Thread Peter N. M. Hansteen
On 04/08/17 10:39, Marina Ala wrote: > I heard that OpenBSD's pf can prevent Hole punching: > > https://en.wikipedia.org/wiki/Hole_punching_(networking) > > Is it true? I just cannot google on it, but if someone would answer this > thread then the world can google for it from

Does OpenBSD's pf prevents Hole punching?

2017-04-08 Thread Marina Ala
Hello, I heard that OpenBSD's pf can prevent Hole punching: https://en.wikipedia.org/wiki/Hole_punching_(networking) Is it true? I just cannot google on it, but if someone would answer this thread then the world can google for it from that point :D Thanks..

Re: Topics for revised PF and networking tutorial

2017-04-08 Thread Stuart Henderson
to mitigate against DHCP exhaustion attacks e.g. on public wifi). > Adding NAT to the mix > complicates things further. What about queueing of traffic inside GRE > tunnels in transport mode protected with IPSEC? Where to read about it? The queue

Re: Topics for revised PF and networking tutorial

2017-04-08 Thread Philipp Buehler
On 07.04.2017 at 18:38, Peter N. M. Hansteen wrote: On 04/07/17 18:00, I love OpenBSD wrote: I second to more IPv6 related information. I am curious about blocking port scanning in IPv6 Web. Does pf let me put a CIDR into the named table based on offending IPv6 address and 64-bit mask? I mean

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread bytevolcano
On Fri, 7 Apr 2017 17:39:16 +0000 (UTC) Stuart Henderson wrote: > On 2017-04-06, > wrote: > > On Wed, 5 Apr 2017 22:44:54 +0000 (UTC) > > Stuart Henderson wrote: > > > >> On 2017-04-05,

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Mihai Popescu
I don't want to offend you folks, but I'm curious and I will ask: is this BSDCon so useful? Does it pay the efforts? If someone has time and knowledge to do a PF tutorial he/she can do it and post. Do you need the Con? I'm asking this having in my mind Google Summer of (no)Code thread from misc

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread mabi
Dear Peter, May I suggest the following topic of interest: PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course. Regards, M. Original Message Subject: Topics for revised PF and networking tutorial Local Time: April 1, 2017 10:52 AM UTC Time: April 1

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-06, wrote: > On Wed, 5 Apr 2017 22:44:54 +0000 (UTC) > Stuart Henderson wrote: > >> On 2017-04-05, >> wrote: >> > I've been using a trick to emulate

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-07, I love OpenBSD <lampsh...@poczta.fm> wrote: > I second to more IPv6 related information. > I am curious about blocking port scanning in IPv6 Web. Does pf let me put a > CIDR into the named table based on offending IPv6 address and 64-bit mask? I > mean

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 18:00, I love OpenBSD wrote: > I second to more IPv6 related information. > I am curious about blocking port scanning in IPv6 Web. Does pf let me put a > CIDR into the named table based on offending IPv6 address and 64-bit mask? I > mean something similar to 'overl

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread R0me0 ***
+1 Queue Prioritization and ToS ( set prio / set tos combinations ) by examples will be great 2017-04-07 13:00 GMT-03:00 I love OpenBSD <lampsh...@poczta.fm>: > I second to more IPv6 related information. > I am curious about blocking port scanning in IPv6 Web. Does pf let me

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread I love OpenBSD
I second to more IPv6 related information. I am curious about blocking port scanning in IPv6 Web. Does pf let me put a CIDR into the named table based on offending IPv6 address and 64-bit mask? I mean something similar to 'overload ' option.

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 13:36, Markus Rosjat wrote: > Since not everyone can attend to this Conference will there be a > recording of this session? At previous BSDCans, talks have generally been recorded but not tutorials. So probably not. Slides likely will be available after the session has concluded. On

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Markus Rosjat
Since not everyone can attend to this Conference will there be a recording of this session? I use pf not so much on a daily basis but I would like to get more insight too ;) And I admit I'm more the visual guy regards Markus On 07.04.2017 at 06:25, li...@wrant.com wrote: Wed, 5 Apr 2017

Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Craig Skinner
On Fri, 7 Apr 2017 07:25:58 +0300 li...@wrant.com wrote: > Thank you ALL for the hard work over the years to complement OpenBSD. Yes.

Re: Topics for revised PF and networking tutorial

2017-04-06 Thread lists
Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać <marko.cu...@mimar.rs> > On Sat, 1 Apr 2017 10:52:20 +0200 > "Peter N. M. Hansteen" <pe...@bsdly.net> wrote: > > > Hi, > > > > I thought I'd like to give you a heads up that there will be a "PF

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Jason Tubnor
Without hijacking this thread completely, but touching on some of the elements discussed above (and I think these are great inclusions for the tutorial). We have implemented a variety of queues to manage our internet links and ikev2 VPNs tunnels to remote offices. We have also done something

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
On Wed, 5 Apr 2017 22:44:54 +0000 (UTC) Stuart Henderson wrote: > On 2017-04-05, > wrote: > > I've been using a trick to emulate scheduled rules using IP > > tables. > > Nice trick. Anchors are also good for this. >

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Stuart Henderson
On 2017-04-05, wrote: > I've been using a trick to emulate scheduled rules using IP tables. Nice trick. Anchors are also good for this. But don't forget that active connections won't be dropped unless you also flush the relevant states.

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread bytevolcano
). The 0.0.0.0/0 range is a very useful tool in many cases. On Sat, 1 Apr 2017 10:52:20 +0200 "Peter N. M. Hansteen" <pe...@bsdly.net> wrote: > Hi, > > I thought I'd like to give you a heads up that there will be a "PF and > networking" tutorial at BSDCan 2017

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Sterling Archer
On Sat, Apr 1, 2017 at 10:52 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote: > Hi, > > I thought I'd like to give you a heads up that there will be a "PF and > networking" tutorial at BSDCan 2017 in Ottawa this June. > > The session will however not be t

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Marko Cupać
On Sat, 1 Apr 2017 10:52:20 +0200 "Peter N. M. Hansteen" <pe...@bsdly.net> wrote: > Hi, > > I thought I'd like to give you a heads up that there will be a "PF and > networking" tutorial at BSDCan 2017 in Ottawa this June. > > The session will howeve

Re: Topics for revised PF and networking tutorial

2017-04-05 Thread Mike Coddington
On Sat, Apr 01, 2017 at 10:52:20AM +0200, Peter N. M. Hansteen wrote: > Hi, > > I thought I'd like to give you a heads up that there will be a "PF and > networking" tutorial at BSDCan 2017 in Ottawa this June. > > The session will however not be the Nth rerun of t

Re: Topics for revised PF and networking tutorial

2017-04-03 Thread Simen Stavdal
Anycast with ospf and ipv6 could be a fun tutorial... /S On 2 Apr 2017 22:27, "Luke Small" wrote: > It might be a fun idea to share what a really locked down desktop system > pf.conf would look like if you are running a chain of DNS services (or > something that

Re: Topics for revised PF and networking tutorial

2017-04-02 Thread Luke Small
It might be a fun idea to share what a really locked down desktop system pf.conf would look like if you are running a chain of DNS services (or something that would be good to tightly control) like local ntpd, unbound, and dnscrypt_proxy where you have local traffic locked down as well so

Topics for revised PF and networking tutorial

2017-04-01 Thread Peter N. M. Hansteen
Hi, I thought I'd like to give you a heads up that there will be a "PF and networking" tutorial at BSDCan 2017 in Ottawa this June. The session will however not be the Nth rerun of the old one, we're starting from scratch this time, and were looking for input on what to include. D

Re: help with pf filtering on enc

2017-03-24 Thread Frank Groeneveld
On Tue, Mar 21, 2017, at 16:56, Marko Cupać wrote: > ... > > What exactly I should pass on enc interface so that the above packet > passes? > > Thank you in advance. Hi, You probably need to allow ipencap protocol packets. I also need l2tp packets, but that depends on whether you use it. --

help with pf filtering on enc

2017-03-21 Thread Marko Cupać
of my better understanding of pf. However I can't figure out what exactly I need to pass. Here's output from tcpdump on pflog: 16:37:37.380697 rule 4/(match) [uid 0, pid 17711] block in on enc0: 192.168.224.2 > 192.168.224.97: gre 192.168.224.2 > 192.168.224.97: [] 10.50.0.89 > 224.0.0.

Re: pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
You seem to be equating the setgid bit with the concept of "start a process with a different gid". No, that's not what it does. The setgid bit starts a new executable with a disjoint mix of effective, saved, and real gid list, as well as a gidlist. Maybe it was not clear in my message but:

Re: pf group and setgid

2017-03-12 Thread Jiri B
On Sun, Mar 12, 2017 at 07:13:08PM +0100, Jérôme FRGACIC wrote: > Hi @misc, > > I have a question about pf and its possibility to filter packets by process > group: is it a reasonable practice to use setgid for adding some rules that > allow only specific programs to use some servic

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
sking. You are asking about doing this for a gigantic program like firefox. That approach is crazy, and doesn't match what pf is doing in any case.

Re: pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
Thanks for your reply. You are providing a program with an additional gid. The program has not been coded to be aware of that gid. Two potentially different filesystem views now exist within the program, depending on the g=rwx bits of directories and files in the tree. The program is no longer

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
> Thanks for your reply. > > > You are providing a program with an additional gid. The program has > > not been coded to be aware of that gid. Two potentially different > > filesystem views now exist within the program, depending on the g=rwx > > bits of directories and files in the tree. The

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
> If I create a separate group for each program I want to allow, is there > any additional risk induced by the use of the setgid? Yes, it introduces a risk. You are providing a program with an additional gid. The program has not been coded to be aware of that gid. Two potentially different

pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
Hi @misc, I have a question about pf and its possibility to filter packets by process group: is it a reasonable practice to use setgid for adding some rules that allow only specific programs to use some services? For example, only permit the ftp command and firefox to use HTTP and HTTPS

Re: Content filtering through pf?

2017-03-06 Thread Maxim Bourmistrov
privoxy will be faster I think. as well as footprint on the system. But both privoxy and squid are a bit different, especially if you’ll need to chain proxies. > On 24 Feb 2017 at 17:39, Alan Corey wrote: > > I'm looking at privoxy although I'm not sure it's more

Re: hairpin nat with pf ?

2017-03-01 Thread Stuart Henderson
On 2017/03/01 17:12, Frank White wrote: > yes it works well. But it's very interesting the use of tag. There might be another way to do it, but I stopped looking after I hit upon one that worked :) > Is egress:0 the if alias ? It's the "main" address on the interface, so it's a single

Re: hairpin nat with pf ?

2017-03-01 Thread Frank White
yes it works well. But it's very interesting the use of tag. Is egress:0 the if alias ? 2017-03-01 16:09 GMT+01:00 Stuart Henderson <s...@spacehopper.org>: > On 2017-03-01, Frank White <mediome...@gmail.com> wrote: > > Hi, > > anyone know how to configure pf to ma

Re: hairpin nat with pf ?

2017-03-01 Thread Stuart Henderson
On 2017-03-01, Frank White <mediome...@gmail.com> wrote: > Hi, > anyone know how to configure pf to make hairpin nat ? Should be something like this. pass in quick inet proto tcp to self port 7755 rdr-to $SOMEHOST port 80 tag hairpin pass out quick inet tagged hairpin nat-to egress:0

pf: warning on duplicate table?

2017-03-01 Thread Harald Dunkel
Hi folks, I spent way too much time on a table defined twice by accident in my pf.conf file. Do you think it would be possible to throw a warning if there are 2 table definitions with the same name? Probably table : : table const persist { 172.22.32.0/24

Re: hairpin nat with pf ?

2017-03-01 Thread Peter N. M. Hansteen
On Wed, Mar 01, 2017 at 12:50:39PM +0100, Frank White wrote: > Hi, > anyone know how to configure pf to make hairpin nat ? At first blush, no. But after a quick web search, I can think of several equally opaque terms for the same phenomenon. Some more useful than others. A piece of g

hairpin nat with pf ?

2017-03-01 Thread Frank White
Hi, anyone know how to configure pf to make hairpin nat ?

Re: Content filtering through pf?

2017-02-24 Thread Alan Corey
I'm looking at privoxy although I'm not sure it's more appropriate than squid. I'm hoping to run this on a Raspberry Pi or Zero so it'll most likely be under Raspbian. Right now I use the standard Android "Portable Wi-Fi hotspot" in the phone. I run it open (no password) because I'm in a very

Re: Content filtering through pf?

2017-02-23 Thread Jiri B
On Thu, Feb 23, 2017 at 10:27:20AM -0500, Alan Corey wrote: > I'm wondering if it's possible to do content filtering in a firewall. > Maybe with something that cooperates with pf. I'm on a very limited > (5 GB/month) metered internet connection through a cell phone and I'm > not t

Re: Content filtering through pf?

2017-02-23 Thread sven falempin
Not a pf job Best to grease monkey your js to drop or stuff like http://www.opera.com/blogs/news/2015/11/how-operas-video-compression-technology-works/ Last resort : relayd + mime type filtering. On Thu, Feb 23, 2017 at 10:27 AM, Alan Corey <alan01...@gmail.com> wrote: > I'm

Content filtering through pf?

2017-02-23 Thread Alan Corey
I'm wondering if it's possible to do content filtering in a firewall. Maybe with something that cooperates with pf. I'm on a very limited (5 GB/month) metered internet connection through a cell phone and I'm not the only user when I have it shared over wifi. I'd like to block video because it's

Re: Skype issue with office behind PF

2017-01-30 Thread lilit-aibolit
On 01/28/2017 12:13 PM, Stuart Henderson wrote: On 2017-01-27, lilit-aibolit<lilit-aibo...@mail.ru> wrote: Hi list, I have an office behind NAT with PF. There are mostly Win7 workstations with different Skype versions but mostly with 7.3x or the latest versions. Two days ago any skyp

Re: Skype issue with office behind PF

2017-01-30 Thread Stuart Henderson
On 2017/01/30 09:36, lilit-aibolit wrote: > On 01/28/2017 12:13 PM, Stuart Henderson wrote: > > On 2017-01-27, lilit-aibolit<lilit-aibo...@mail.ru> wrote: > > > Hi list, I have an office behind NAT with PF. > > > There are mostly Win7 workstations with > >

Re: Skype issue with office behind PF

2017-01-28 Thread Stuart Henderson
On 2017-01-27, lilit-aibolit <lilit-aibo...@mail.ru> wrote: > Hi list, I have an office behind NAT with PF. > There are mostly Win7 workstations with > different Skype versions but mostly with > 7.3x or the latest versions. > Two days ago any skype call started to drop > a

Skype issue with office behind PF

2017-01-27 Thread lilit-aibolit
Hi list, I have an office behind NAT with PF. There are mostly Win7 workstations with different Skype versions but mostly with 7.3x or the latest versions. Two days ago any skype call started to drop after a few seconds without any voice from opposite side. I got skype support which remotely looked
