Loading of pf rule hangs

2022-03-19 Thread Axel Rau
I just installed the recent fixes for 6.0 with syspatch. After reboot my pf rules have not been installed. pfctl -nvvf pf.conf shows rule loading hangs between these rules: - - - table persist file "/etc/pf/black_hole.txt" block drop in quick on $red_if from flags any - - - After a minute rule

Re: Help with basic pf rule to open port 25

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 03:39:00PM -0500, Sean McBride wrote: > I don't actually want to use OpenSMTPD, I was just using it as a way to test > my experimental pf rules. I'll try to find some other way to test them. netcat # man nc

Re: Help with basic pf rule to open port 25

2022-01-06 Thread Sean McBride
On 5 Jan 2022, at 11:40, Crystal Kolipe wrote: > Have you actually changed the default /etc/mail/smtpd.conf to listen for > external connections? No. > By default it only listens on the loopback interface, (and local socket). Ah. That probably explains that then. I don't actually want to use

Re: Help with basic pf rule to open port 25

2022-01-05 Thread Crystal Kolipe
On Wed, Jan 05, 2022 at 11:03:02AM -0500, Sean McBride wrote: > pass in log quick on egress proto tcp to any port smtp > If on the OpenBSD system itself I do `telnet > localhost 25` I see the built-in OpenSMTPD. But if I telnet from another > machine on my LAN, I fail to connect. Shouldn't that

Re: Help with basic pf rule to open port 25

2022-01-05 Thread Tom Smyth
Hi Sean, Happy new year to you, do a netstat and make sure that your software is listening on an address other than loopback or all addresses (0.0.0.0) run the following command netstat -an If you want to check active rules in pf run the following command pfctl -sr if you ever want to

Help with basic pf rule to open port 25

2022-01-05 Thread Sean McBride
Hi all, (Newbie and first time poster, please be gentle :)) I'm trying to set up spamd, and I think I'm having trouble with pf. So I tried to add a very basic test rule. I added to the beginning of /etc/pf.conf the following: pass in log quick on egress proto tcp to any port smtp then

Re: incorrect pf rule?

2020-11-29 Thread Родин Максим
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK. Thank you! On 29.11.2020 13:08, Stuart Henderson wrote: On 2020-11-29, Родин Максим wrote: The problem is that only port 80 seems to

Re: incorrect pf rule?

2020-11-29 Thread Родин Максим
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK. Thank you! On 29.11.2020 14:30, Stuart Henderson wrote: On 2020-11-29, Stuart Henderson wrote: On 2020-11-29, Родин Максим wrote:

Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Stuart Henderson wrote: > On 2020-11-29, Родин Максим wrote: >> The problem is that only port 80 seems to be open from the outside. >> I used several online port scanners to check this. >> All of them tell: >> port 80 OPEN >> port 443 CLOSED > > Could it be blocked by your ISP? Do

Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Родин Максим wrote: > The problem is that only port 80 seems to be open from the outside. > I used several online port scanners to check this. > All of them tell: > port 80 OPEN > port 443 CLOSED Could it be blocked by your ISP? Do you receive packets on your external interface at

incorrect pf rule?

2020-11-28 Thread Родин Максим
is available from the internal network on http and https ports when 192.168.1.102 is used. To make the http server work from outside I'm trying to use the following PF rule on my router: ... web_server = "192.168.1.102" web_ports = "{ http https }"... ... # Web-server pass i

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-17 Thread Fabio Martins
Nick, Indeed Working. Thanks. >> >> May be a dumb question, but do you have net.inet.ip.forwarding=1 set? >> > > Neither can I believe had forgotten it, but I think you nailed it. > Will test monday and let know. > > Thanks in advance. > > -fm > >> >> tcpdump of a successful test connection:

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-15 Thread Fabio Martins
> > May be a dumb question, but do you have net.inet.ip.forwarding=1 set? > Neither can I believe had forgotten it, but I think you nailed it. Will test monday and let know. Thanks in advance. -fm > > tcpdump of a successful test connection: > c.c.c.c = remote test client on internet > r.r.r.r

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 11:21 AM, Fabio Martins wrote: I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
I am trying now only with the redirect to www.openbsd.org, if it works, I am sure it can be adapted to my case. Unfortunately still no success. # pf.conf: ext_if="xnf0" match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \ rdr-to 129.128.5.194 port 80 match out log on

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (xará), Apparently I achieved this with these rules: -- pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = flags S/SA label "TESTE LISTA" pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas
On 2/14/2020 6:30 AM, Fabio Martins wrote: Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins
Hi Nick, Thanks. I applied both rules below, unfortunately I am still only hitting rule number #1 (rdr-to). nat-to is never reached (added "log" on each to test). I tried inverting the order, too, but no luck. #1 match in on $ext_if proto tcp from to ($ext_if) port 25 \ rdr-to 200.200.200.200

Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Nick Gustas
to an external host # inetd.conf 127.0.0.1:8000 stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200 and + pf rule redirecting the hosts: # pf.conf table persist file "/etc/pf/tables/spammers.txt pass in log on egress proto tcp from to any port 25 \ rdr-to 127.0.0.1 port 80

Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Fabio Martins
_inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200 and + pf rule redirecting the hosts: # pf.conf table persist file "/etc/pf/tables/spammers.txt pass in log on egress proto tcp from to any port 25 \ rdr-to 127.0.0.1 port 8000 I am trying to remove the inetd from the setup. With

Re: PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith
> I think it is caused by the packets blocked having the RST flag set -- a > consequence of specifying "flags S/SA" in rule @39. Check out man > pf.conf. Look for section about "flags a/b | any" (line 317 here). The S/SA wasn't set explicitly by me, it's the default. Out of interest, would this

Re: PF rule - am I being stupid ?

2018-09-05 Thread Erling Westenvik
On Wed, Sep 05, 2018 at 05:14:14PM +, Bob Smith wrote: > I'm banging my head against a brick wall here trying to figure out why PF (on > OpenBSD 6.3) is allowing some packets but blocking others ? > Here's the tcpdump: > Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108:

PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith
Hi, I'm banging my head against a brick wall here trying to figure out why PF (on OpenBSD 6.3) is allowing some packets but blocking others ? Here's the tcpdump: Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47 Sep 05 18:07:45.084220

why is this pf rule logging?

2018-06-23 Thread Mike
OpenBSD 6.3, amd64 I am seeing this record being logged by pf. The rule specified in the record does not have logging enabled. I must be missing something simple as to why it is logging, but I can't see it. 20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0: fe80::1a8b

spamd pf rule question

2017-10-12 Thread Markus Rosjat
Hi there, it's a quite simple question :) I have a rule like this pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to 127.0.0.1 port spamd and was wondering if it's better to use pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port

Re: pf rule for openvpn

2016-10-25 Thread Thuban
* Thuban le [25-10-2016 10:41:27 +0200]: > > # tcpdump -e -ttt -ni pflog0 action block > > > > You will be able to see what exactly is being blocked :) > > Okay, I'm just too stupid. I can access the wwweb through my VPN. I just can't ping, which is not a problem and

Re: pf rule for openvpn

2016-10-25 Thread Thuban
> # tcpdump -e -ttt -ni pflog0 action block > > You will be able to see what exactly is being blocked :) > That's my problem, nothing seems blocked , tcpdump returns nothing about my requests to reach the outside web. I'm stuck. Please find below my full pf.conf in case I missed something :

Re: pf rule for openvpn

2016-10-24 Thread R0me0 ***
Assuming you block the traffic by default pf.conf block log all # tcpdump -e -ttt -ni pflog0 action block You will be able to see what exactly is being blocked :) -Regards 2016-10-24 12:19 GMT-02:00 Kenneth Gober : > On Sun, Oct 23, 2016 at 4:46 PM, Thuban

Re: pf rule for openvpn

2016-10-24 Thread Kenneth Gober
On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote: > Here are the relevant parts of my pf.conf : > > ext_if = "re0" > tcp_pass = "{ gopher ipp 8000 }" > udp_pass = "{ 1194 }" > > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state > pass in

Re: pf rule for openvpn

2016-10-24 Thread Thuban
ure the server, I followed this : > > http://2f30.org/guides/openvpn.html > > > > So ip forwarding is active, vpn port is open, clients can connect to > the > > vpn. But they can't access wwweb. > > > > I guess the problem comes from this pf rule : &g

Re: pf rule for openvpn

2016-10-23 Thread Predrag Punosevac
ive, vpn port is open, clients can connect to the > vpn. But they can't access wwweb. > > I guess the problem comes from this pf rule : > > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if) > > I've been on this issue for too many hours to have a clear mind on

Re: pf rule for openvpn

2016-10-23 Thread Thuban
ver, I followed this : > > http://2f30.org/guides/openvpn.html > > > > So ip forwarding is ative, vpn port is open, clients can connect to the > > vpn. But they can't access wwweb. > > > > I guess the problem comes from this pf rule : > > > > pass out

Re: pf rule for openvpn

2016-10-23 Thread obsd
ive, vpn port is open, clients can connect to the > vpn. But they can't access wwweb. > > I guess the problem comes from this pf rule : > > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if) > > I've been on this issue for too many hours to have a clear mind on

pf rule for openvpn

2016-10-23 Thread Thuban
. I guess the problem comes from this pf rule : pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if) I've been on this issue for too many hours to have a clear mind on this. Any advice to find why I'm stuck on the server? Regards. [demime 1.01d removed an attachment of type appli

Why this pf rule is not enough?

2016-02-28 Thread Lampshade
I have rdomain 1 and default rdomain pair1 is in rdomain 1 pair2 is in default rdomain Inside rdomain1 there is not loopback interface network is 172.10.0.2/24 In /etc/resolv.conf I have nameserver 127.0.0.1 so all DNS (UDP 53) packets should go to 127.0.0.1 Default route in rdomain1 is pair2

Re: NAT replies not triggering pf rule

2015-10-27 Thread Stuart Henderson
On 2015-10-26, Giancarlo Razzolini wrote: > I suggest you move your match rules to the beginning of the ruleset and > use log on them. So you can watch your pflog interface and see the > packets being triggered. Also, you can (should) always use tags. Not > only they make

Re: NAT replies not triggering pf rule

2015-10-27 Thread Michael S. Keller
On 10/27/15 3:42 AM, Stuart Henderson wrote: On 2015-10-26, Giancarlo Razzolini wrote: I suggest you move your match rules to the beginning of the ruleset and use log on them. So you can watch your pflog interface and see the packets being triggered. Also, you can

Re: NAT replies not triggering pf rule

2015-10-27 Thread Giancarlo Razzolini
On 27-10-2015 09:37, Michael S. Keller wrote: > These are the rules that appear potentially to affect outgoing packets > on the internal interface: > > match inet from any to 192.168.1.62 > block drop out on gem0 all > pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA > > Only traffic

Re: NAT replies not triggering pf rule

2015-10-27 Thread Stuart Henderson
On 2015-10-27, Michael S. Keller wrote: > On 10/27/15 3:42 AM, Stuart Henderson wrote: >> On 2015-10-26, Giancarlo Razzolini wrote: >>> I suggest you move your match rules to the beginning of the ruleset and >>> use log on them. So you can watch

Re: NAT replies not triggering pf rule

2015-10-26 Thread Michael S. Keller
Because there will never be a packet on gem0 with destination 192.168.1.64. The packets are being natted, aren't they? Try using tags, your life will be much simpler. I tried tags in an earlier iteration of this. Didn't help. As a simpler test, I revised the rule for packets leaving gem0 to

Re: NAT replies not triggering pf rule

2015-10-26 Thread Giancarlo Razzolini
On 25-10-2015 15:31, Michael S. Keller wrote: > I want to set queues to limit bandwidth for the streaming media > devices on my home network. Unfortunately, the "pass out" rules on my > internal network (external is PPPoE) don't ever trip for replies > received from the world. Are you aware

Re: NAT replies not triggering pf rule

2015-10-26 Thread Michael S. Keller
On 10/26/15 8:12 AM, Giancarlo Razzolini wrote: Are you aware that you'll need to have a queue on the internal interface and another on the egress one right? Queuing incoming packets is very tricky and not always have the desired effect. I suggest you start with prio and see where it leads you:

NAT replies not triggering pf rule

2015-10-25 Thread Michael S. Keller
I've worked with this off and on for some time, but still don't know what I'm not doing correctly. I want to set queues to limit bandwidth for the streaming media devices on my home network. Unfortunately, the "pass out" rules on my internal network (external is PPPoE) don't ever trip for

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-07, Christophe t...@stuxnet.org wrote: The goal is to accept every SIP device from inside the LAN to register to SIP provider without any outbound proxy configuration, and let siproxd acting as a masquerading server. Do you really need it? Most user-facing SIP providers run SBCs to

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Simon, On 07/04/2014 20:20, Simon Perreault wrote: I don't know the direct answer to your question, but taking a step back... Any reason you want a transparent SIP proxy rather than an explicitly-configured SIP B2BUA? The latter is usually much easier to set up and maintain. SIP

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Stuart, On 08/04/2014 10:41, Stuart Henderson wrote: On 2014-04-07, Christophe t...@stuxnet.org wrote: The goal is to accept every SIP device from inside the LAN to register to SIP provider without any outbound proxy configuration, and let siproxd acting as a masquerading server. Do

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-08, Christophe t...@stuxnet.org wrote: Hi Stuart, On 08/04/2014 10:41, Stuart Henderson wrote: On 2014-04-07, Christophe t...@stuxnet.org wrote: The goal is to accept every SIP device from inside the LAN to register to SIP provider without any outbound proxy configuration, and

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-07, Christophe t...@stuxnet.org wrote: [..] Let's ignore the siproxd side of things and just look at the ruleset. set skip on lo set loginterface pflog0 block in on ! lo0 proto tcp to port 6000:6010 match out log on em0 inet from 172.18.160.0/24 to any nat-to em0 pass in on

Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Stuart, On 08/04/2014 18:31, Stuart Henderson wrote: On 2014-04-07, Christophe t...@stuxnet.org wrote: [..] Let's ignore the siproxd side of things and just look at the ruleset. You have no pass or block rules for any outbound traffic so the implicit default is used for outbound

PF rule for transparent siproxd ?

2014-04-07 Thread Christophe
Hi list, I encounter a problem while attempting to get siproxd acting as a transparent SIP proxy and PF. OpenBSD version is 5.4 on amd64. OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC siproxd installed from

Re: PF rule for transparent siproxd ?

2014-04-07 Thread Simon Perreault
I don't know the direct answer to your question, but taking a step back... Any reason you want a transparent SIP proxy rather than an explicitly-configured SIP B2BUA? The latter is usually much easier to set up and maintain. Simon -- DTN made easy, lean, and smart --

pf rule idea

2013-01-25 Thread Todd
Hi, not sure this is the correct place to ask but I wanted to know if the possibility of a new pf rule had been thought of? The concept I had in mind would be to filter packets bound for a port that contained a she! or similar script header? My thought was trying to add a way to check

Re: pf rule idea

2013-01-25 Thread sven falempin
I am not sure I am right but you are not in the good layer, you want snort or something similar to do that. On Fri, Jan 25, 2013 at 3:03 PM, Todd tcarpenter...@gmail.com wrote: hi, not sure this is the correct place to ask but i wanted to know if the possibility of a new pf rule had been

Re: pf rule idea

2013-01-25 Thread Andres Perera
I highly doubt that they would add any sort of layer 7/string checking capability to pf. It's completely against its design; that's just not going to happen.

Re: pf rule idea

2013-01-25 Thread Josh Hoppes
Best option I see here is a dup-to packets to an interface with IDS listening and give it the ability to add IP addresses to a blacklist and flush all states associated with them. PF is a kernel space item, and you want to keep this as simple as possible to minimize bugs. Leave complex stuff like

Re: simple PF rule? redirect port without touching address

2012-07-19 Thread Fil DiNoto
WHOA! that works! I had no idea you could use the bitmask option like that! Thank You. Although I haven't tested for any unwanted behavior... I'll get back to you if i find any. On Mon, Jul 9, 2012 at 3:10 PM, Stuart Henderson s...@spacehopper.org wrote: On 2012-07-09, Simon Perreault

simple PF rule? redirect port without touching address

2012-07-09 Thread Fil DiNoto
I am trying to achieve something I thought would be simple, but haven't had any luck. I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT. I run ssh on an alternate port, XXX22. However, from a certain

Re: simple PF rule? redirect port without touching address

2012-07-09 Thread Stuart Henderson
On 2012-07-09, Fil DiNoto fdin...@gmail.com wrote: I am trying to achieve something I thought would be simple, but haven't had any luck. I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT. I run ssh on

Re: simple PF rule? redirect port without touching address

2012-07-09 Thread Artturi Alm
2012/7/9 Stuart Henderson s...@spacehopper.org On 2012-07-09, Fil DiNoto fdin...@gmail.com wrote: I am trying to achieve something I thought would be simple, but haven't had any luck. I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A Behind it are a mix of OpenBSD and

Re: simple PF rule? redirect port without touching address

2012-07-09 Thread Simon Perreault
On 2012-07-09 10:17, Stuart Henderson wrote: On 2012-07-09, Fil DiNotofdin...@gmail.com wrote: But i was wondering if I could achieve something that would work for ALL the addresses behind the router as well without creating individual rules for each address. Something like this: pass in on

Re: simple PF rule? redirect port without touching address

2012-07-09 Thread Stuart Henderson
On 2012-07-09, Simon Perreault sperrea...@openbsd.org wrote: On 2012-07-09 10:17, Stuart Henderson wrote: On 2012-07-09, Fil DiNotofdin...@gmail.com wrote: But i was wondering if I could achieve something that would work for ALL the addresses behind the router as well without creating

PF rule match only packets for local machine

2012-01-05 Thread Robert Wolf
Hello all, May I ask any PF professional for his advice? I have an OpenBSD router with more interfaces doing routing. It does not work as a firewall so there is only one rule pass flags any no state. Because of many hack-scripts doing SSH logins and filling logs I would like to block every SSH

Re: PF rule match only packets for local machine

2012-01-05 Thread Rafal Bisingier
Hi, On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote: table OutNetworks const { } pass quick proto tcp from OurNetworks to any port 22 no state pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22 block quick proto tcp from any to

Re: PF rule match only packets for local machine

2012-01-05 Thread Gregory Edigarov
On Thu, 5 Jan 2012 09:21:16 +0100 Rafal Bisingier ra...@man.poznan.pl wrote: Hi, On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote: table OutNetworks const { } pass quick proto tcp from OurNetworks to any port 22 no state pass in quick proto

Re: PF rule match only packets for local machine

2012-01-05 Thread favar
Hi, start with block rule without quick, then apply pass rules. something like this: table OutNetworks const { } block proto tcp from any to any port 22 pass quick proto tcp from OurNetworks to any port 22 no state pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22

Re: PF rule match only packets for local machine

2012-01-05 Thread Stuart Henderson
On 2012-01-05, Gregory Edigarov g...@bestnet.kharkov.ua wrote: On Thu, 5 Jan 2012 09:21:16 +0100 Rafal Bisingier ra...@man.poznan.pl wrote: Hi, On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote: table OutNetworks const { } pass quick proto tcp

Re: PF rule match only packets for local machine

2012-01-05 Thread Robert Wolf
Hello all, thank you for your answers. table OutNetworks const { } pass quick proto tcp from OurNetworks to any port 22 no state pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22 block quick proto tcp from any to any port 22 But of

PF rule counters

2011-12-22 Thread Mik J
Hello, I would like a clarification. I have these rules and I notice an incrementation only when there is a new incoming connection. Here I did an ssh connection # pfctl -s rules -v | head -6 block drop log all [ Evaluations: 83Packets: 0 Bytes: 0 States: 0 ] [

pf rule def/(short) pass

2011-10-27 Thread Kapetanakis Giannis
Hi, I'm seeing these in the pflog off my firewall: Oct 27 15:20:32.845671 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 x.x.x.63.0: udp 17035 Oct 27 15:21:12.924605 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 x.x.x.38.0: udp 17035 Oct 27 15:21:15.652141 rule def/(short)

Time interval based pf rule

2011-09-02 Thread Stefan N
Hi all, Does OpenBSD PF engine have the feature to create time interval based rule? I have tried to do that but I could not find any relevant documentation. Is time interval based rule supported to be created on OpenBSD PF? Regards, Stefan

Re: Time interval based pf rule

2011-09-02 Thread Kevin Chadwick
On Fri, 2 Sep 2011 04:21:31 -0700 (PDT) Stefan N wrote: Hi all, Does OpenBSD PF engine have the feature to create time interval based rule? What exactly do you mean by time interval based rule. I have tried to do that but I could not find any relevant documentation. Is time interval

Re: Time interval based pf rule

2011-09-02 Thread James Hartley
On Fri, Sep 2, 2011 at 4:21 AM, Stefan N stefanbsd...@yahoo.com wrote: Does OpenBSD PF engine have the feature to create time interval based rule? See how to dynamically add rules via anchors: http://www.openbsd.org/faq/pf/anchors.html ... scheduling scripts via crontab(5). Jim

Re: Time interval based pf rule

2011-09-02 Thread Stefan N
stefanbsd...@yahoo.com Cc: misc@openbsd.org misc@openbsd.org Sent: Friday, September 2, 2011 7:47 PM Subject: Re: Time interval based pf rule On Fri, Sep 2, 2011 at 4:21 AM, Stefan N stefanbsd...@yahoo.com wrote: Does OpenBSD PF engine have the feature to create time interval based rule? See

Re: Time interval based pf rule

2011-09-02 Thread Christiano F. Haesbaert
On 2 September 2011 09:11, Stefan N stefanbsd...@yahoo.com wrote: Hi Jim, If I used anchor to create pf rules which means there is another configuration needs to be taken care. Beside /etc/pf.conf, we need to take care and maintain crontab for scheduling. What are you trying to

Re: Time interval based pf rule

2011-09-02 Thread Peter N. M. Hansteen
On Fri, Sep 02, 2011 at 04:21:31AM -0700, Stefan N wrote: Does OpenBSD PF engine have the feature to create time interval based rule? I have tried to do that but I could not find any relevant documentation. Is time interval based rule supported to be created on OpenBSD PF? the question

Re: Time interval based pf rule

2011-09-02 Thread Stefan N
To: Stefan N stefanbsd...@yahoo.com Cc: misc@openbsd.org misc@openbsd.org Sent: Friday, September 2, 2011 8:14 PM Subject: Re: Time interval based pf rule On 2 September 2011 09:11, Stefan N stefanbsd...@yahoo.com wrote: Hi Jim, If I used anchor to create pf rules which means there is another

Re: Time interval based pf rule

2011-09-02 Thread Christiano F. Haesbaert
On 2 September 2011 09:26, Stefan N stefanbsd...@yahoo.com wrote: Actually I would like to limit the access during office hour. So Time interval base rule means: user is only allowed to access specific application and destination based from the time interval. For example: Finance Department

Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Okay guys. Thanks for the suggestion. Regards, Stefan From: Christiano F. Haesbaert haesba...@openbsd.org To: Stefan N stefanbsd...@yahoo.com Cc: misc@openbsd.org misc@openbsd.org Sent: Friday, September 2, 2011 8:34 PM Subject: Re: Time interval based pf rule

Re: Time interval based pf rule

2011-09-02 Thread Ryan McBride
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote: Okay guys. Thanks for the suggestion. On 2 September 2011 09:26, Stefan N stefanbsd...@yahoo.com wrote: anchors + crontab as Peter suggested is an easy alternative. Depending on what exact effect you want to achieve, you can maybe

Re: pf rule?

2011-07-21 Thread fqui nonez
2011/7/20 fqui nonez fquinon...@gmail.com: 2011/7/20 Andres Perera andre...@zoho.com: On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez fquinon...@gmail.com wrote: On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com wrote: Hello I have a sshd/ftpd/httpd server box, 4.9 stable;

Re: pf rule?

2011-07-21 Thread Wesley MOUEDINE ASSABY
Hi, For your ftp issue, see here : http://www.openbsd.org/faq/pf/ftp.html Wesley. M www.mouedine.net www.e-solutions.re On Wed, 20 Jul 2011 23:26:33 -0700, fqui nonez fquinon...@gmail.com wrote: 2011/7/20 fqui nonez fquinon...@gmail.com: 2011/7/20 Andres Perera andre...@zoho.com: On Wed, Jul

pf rule?

2011-07-20 Thread fqui nonez
Hello I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all blocked packets, and send them to /var/log/pfblocklog to be read with tcpdump. What and where should be the rule? # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $ # set skip on lo ### Agregadas por mi:

Re: pf rule?

2011-07-20 Thread Andres Perera
ifconfig pflog1 create touch /var/log/pfblocklog pflogd -ipflog1 -f$_ pf.conf: l = log (to pflog1) block return $l block ... $l to keep the pfctl rule output readable, match and tag the packets instead and have a single block + log rule (at the expense of no quick) On Wed, Jul 20, 2011 at

Re: pf rule?

2011-07-20 Thread Wesley MOUEDINE ASSABY
Hi, Try this: block log return Cheers, Wesley. On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com wrote: Hello I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all blocked packets, and send them to /var/log/pfblocklog to be read with tcpdump. What and

Re: pf rule?

2011-07-20 Thread Wesley MOUEDINE ASSABY
Also, you can see a sample on http://mouedine.net/ruleset49.aspx Wesley. On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY open...@e-solutions.re wrote: Hi, Try this: block log return Cheers, Wesley. On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com

Re: pf rule?

2011-07-20 Thread Andres Perera
Now for the problems in your rules: On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez fquinon...@gmail.com wrote: # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $ # set skip on lo ### Agregadas por mi: (added by me) block return pass in quick log on rl0 proto tcp from any to

Re: pf rule?

2011-07-20 Thread fqui nonez
2011/7/20 Wesley MOUEDINE ASSABY open...@e-solutions.re: Also, you can see a sample on http://mouedine.net/ruleset49.aspx Wesley. On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY open...@e-solutions.re wrote: Hi, Try this: block log return Cheers, Wesley. On Wed, 20 Jul

Re: pf rule?

2011-07-20 Thread Andres Perera
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez fquinon...@gmail.com wrote: 2011/7/20 Wesley MOUEDINE ASSABY open...@e-solutions.re: Also, you can see a sample on http://mouedine.net/ruleset49.aspx Wesley. On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY open...@e-solutions.re wrote:

pf rule

2011-04-06 Thread Gianluca D'Auri Muscelli
Hi everyone, I never had to deal with pf, but if possible I have a question: on my OpenBSD now block all outcoming connection to ssh and telnet to internet with: block out on re0 proto { tcp } from any to any port { ssh telnet } but now with this rule I can't connect with ssh to my lan

Re: pf rule

2011-04-06 Thread Gianluca D'Auri Muscelli
I try with: pass out on re0 from any to { 192.168.1.9, 192.168.1.10 } there is ok for you? On 06/apr/2011, at 10.19, Gianluca D'Auri Muscelli wrote: Hi everyone, I never had to deal with pf, but if possible i have a question: on my OpenBSD now block all outcoming

Re: pf rule

2011-04-06 Thread Indunil Jayasooriya
On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli g...@email.it wrote: Hi everyone, I never had to deal with pf, but if possible i have a question: on my OpenBSD now block all outcoming connection to ssh and telnet to internet with: block out on re0 proto { tcp } from any to any port

Options for graphing pf rule matches

2010-02-15 Thread Brian Keefer
Hello, I'm wondering what other folks are using to graph pf data beyond what is provided by pfstat. The aggregate values are useful and I'd also like to setup graphs of particular services, particular tables, etc. Is there a way for pfstat to graph labeled traffic that I have overlooked? I

Re: Options for graphing pf rule matches

2010-02-15 Thread Jason Dixon
On Mon, Feb 15, 2010 at 03:00:59PM -0800, Brian Keefer wrote: Hello, I'm wondering what other folks are using to graph pf data beyond what is provided by pfstat. The aggregate values are useful and I'd also like to setup graphs of particular services, particular tables, etc. Is there a way

Re: Options for graphing pf rule matches

2010-02-15 Thread Brian Keefer
On Feb 15, 2010, at 3:29 PM, Jason Dixon wrote: On Mon, Feb 15, 2010 at 03:00:59PM -0800, Brian Keefer wrote: Hello, I'm wondering what other folks are using to graph pf data beyond what is provided by pfstat. The aggregate values are useful and I'd also like to setup graphs of particular

Re: Options for graphing pf rule matches

2010-02-15 Thread Jason Dixon
On Mon, Feb 15, 2010 at 06:57:06PM -0800, Brian Keefer wrote: On Feb 15, 2010, at 3:29 PM, Jason Dixon wrote: On Mon, Feb 15, 2010 at 03:00:59PM -0800, Brian Keefer wrote: Hello, I'm wondering what other folks are using to graph pf data beyond what is provided by pfstat. The

Re: PF rule problems using tables

2009-08-03 Thread Geoff Sweet
-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Geoff Sweet Sent: Friday, July 31, 2009 11:34 AM To: misc@openbsd.org Subject: PF rule problems using tables Greetings all, I have very successfully been using OpenBSD 4.5 to manage both our corporate firewall as well as the firewall

PF rule problems using tables

2009-07-31 Thread Geoff Sweet
Greetings all, I have very successfully been using OpenBSD 4.5 to manage both our corporate firewall as well as the firewall in our production gaming environment. However recently I have been given the task from the home office to do some basic regional IP blocking. Great thinks I, I will

PF rule help

2008-11-19 Thread Ricardo Augusto de Souza
Hi, I am getting some errors to apply this rule in my PF. I am running OpenBSD 4.3. winupdate = { 65.54.87.0/24 , 207.46.112.0/24 } nat on $ext_if from $lan to ! $winupdate port $portas_saida_tcp tag INT_10.10.10.0 - ($ext_if) block in on $wan_uf from $winupdate to any block out on

Re: PF rule help

2008-11-19 Thread Khalid Schofield
On 19 Nov 2008, at 13:36, Ricardo Augusto de Souza wrote: Hi, I AM getting some erros to apply this rule in my PF. I am running OpenBSD 4.3. winupdate = { 65.54.87.0/24 , 207.46.112.0/24 } Are these the windows update servers for microsoft? Where did you get this ip range from?

Re: PF rule help

2008-11-19 Thread Stuart Henderson
Use a no nat rule _before_ your nat rule. On 2008-11-19, Ricardo Augusto de Souza [EMAIL PROTECTED] wrote: Hi, I AM getting some erros to apply this rule in my PF. I am running OpenBSD 4.3. winupdate = { 65.54.87.0/24 , 207.46.112.0/24 } nat on $ext_if from $lan to ! $winupdate
