Re: Adding zombies to a pf table?

2015-09-24 Thread Peter Hessler
On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote: :On 09/24/2015 11:39 AM, Peter Hessler wrote: :>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :>:Hello, :>: :>:Zombies are often attacking ports which don't have services running, :>:such as telnet (most

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stuart Henderson
On 2015-09-23, Giancarlo Razzolini wrote: > On 23-09-2015 11:49, Stuart Henderson wrote: >> Exactly. It also makes it easier to handle multiple ISPs for load-balancing >> or failover, which IPv6 handles poorly (short of using BGP). > > Wouldn't multipath and properly

Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Stuart Henderson
On 2015-09-24, Adam wrote: >>> So the one you recommend from Amazon got some >>> mediocre reviews and comes from Asia. >>> But it works, good for you, that's a plus. It is >>> also a Qualcomm Atheros, maybe not >>> so dissimilar from the ones PC Engines sells on >>>

Re: Adding zombies to a pf table?

2015-09-24 Thread Pantelis Roditis
On 09/24/2015 11:39 AM, Peter Hessler wrote: On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :Hello, : :Zombies are often attacking ports which don't have services running, :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. Hi, This is the exact

Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Adam
>> So the one you recommend from Amazon got some >> mediocre reviews and comes from Asia. >> But it works, good for you, that's a plus. It is >> also a Qualcomm Atheros, maybe not >> so dissimilar from the ones PC Engines sells on >> their site: >> http://www.pcengines.ch/wle200nx.htm and > > This

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stuart Henderson
On 2015-09-23, Giancarlo Razzolini wrote: > On 23-09-2015 11:16, Marios Makassikis wrote: >> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a >> prefix >> from fd00::/8 and announce that on your network. >> It is the equivalent to RFC1918

Re: Adding zombies to a pf table?

2015-09-24 Thread Pantelis Roditis
On 09/24/2015 12:48 PM, Peter Hessler wrote: On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote: :On 09/24/2015 11:39 AM, Peter Hessler wrote: :>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :>:Hello, :>: :>:Zombies are often attacking ports which don't

Re: Adding zombies to a pf table?

2015-09-24 Thread Peter Hessler
On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: :Hello, : :Zombies are often attacking ports which don't have services running, :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. : :With a default pf block drop in on $ext_if, how can those source ips be

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-24 Thread mxb
Looks like I found the root cause. At least it is stable as it is supposed to be. I need to reproduce this in lab before making next move. //mxb > On 17 sep. 2015, at 10:35, mxb wrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > > panic: mix_enter: locking

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Delan Azabani
For the record, some ISPs offer both dynamic and static IPv6 subnets to their clients, like Internode, which uses router advertisements for dynamic subnets, and DHCPv6 IA_PD for static subnets.

Re: Adding zombies to a pf table?

2015-09-24 Thread David Dahlberg
On Thursday, 24.09.2015, at 10:39 +0200, Peter Hessler wrote: > On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: > :Zombies are often attacking ports which don't have services running, > :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, > etc. > : [..] >

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Daniel Gillen
On 23/09/2015 16:16, Marios Makassikis wrote: > On 23 September 2015 at 15:34, Giancarlo Razzolini > wrote: >> On 23-09-2015 04:40, Stuart Henderson wrote: >>> Saves messing about with DHCPv6-PD >> >> I see. So you translate from what exactly? Wouldn't it be better to

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
On 24-09-2015 08:36, Stuart Henderson wrote: > What is the purpose of IPv6? The main purpose that I see is "ability to > continue getting internet addresses after v4 runout". (If it had been left > at that and didn't change a bunch of other things at the same time, perhaps > more people would

Re: Adding zombies to a pf table?

2015-09-24 Thread Benny Lofgren
On 2015-09-24 11:37, Pantelis Roditis wrote: > On 09/24/2015 11:39 AM, Peter Hessler wrote: >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: >> :Hello, >> : >> :Zombies are often attacking ports which don't have services running, >> :such as telnet (most popular indeed),

Re: Adding zombies to a pf table?

2015-09-24 Thread Otto Moerbeek
On Thu, Sep 24, 2015 at 02:42:47PM +0200, Benny Lofgren wrote: > On 2015-09-24 11:37, Pantelis Roditis wrote: > > On 09/24/2015 11:39 AM, Peter Hessler wrote: > >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote: > >> :Hello, > >> : > >> :Zombies are often attacking ports

Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Thanks for all the helpful replies. On 2015-09-23 Wed 18:14 PM |, Craig Skinner wrote: > > Zombies are often attacking ports which don't have services running, > such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. > This was logged from Friday - Monday (zombies love the

Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Hi Ted, On 2015-09-23 Wed 13:51 PM |, Ted Unangst wrote: > > > > Zombies are often attacking ports which don't have services running, > > such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc. > > > > block log those ports, then process the log file? > Running tcpdump was

Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Hi Pantelis, On 2015-09-24 Thu 12:37 PM |, Pantelis Roditis wrote: > > This is the exact reason why we created bofh-divert[1]. The idea is that you > pass those packets with PF to a divert socket opened by a daemon. The daemon > grabs the source IP and adds it to a predefined table. > Wow,

Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
On 2015-09-24 Thu 14:42 PM |, Benny Lofgren wrote: > > I've used one of the inetd "trivial services" (echo, discard, chargen, > daytime or time) for this purpose, in combination with a couple of PF > rules. Something like this: > > match in log on egress from any to tag honeypot > pass in log

PF stops accepting packets after ~2 days on -current

2015-09-24 Thread Mattieu Baptiste
Hi, Since the recent mp network hackathon two weeks ago, I'm seeing very strange behavior on my gateway (PC-Engine APU on -current/amd64). After about 2 days, the box stops accepting "external" traffic, although everything seems normal when connected on serial. I dug a bit and it seems related

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Devin Reade
> On Sep 24, 2015, at 07:49, Giancarlo Razzolini wrote: > > On 24-09-2015 08:36, Stuart Henderson wrote: >> What is the purpose of IPv6? The main purpose that I see is "ability to >> continue getting internet addresses after v4 runout". (If it had been left >> at that

Re: xrandr: Failed to get size of gamma for output default

2015-09-24 Thread Aaron Poffenberger
On 09/20/15 16:35, Aaron Poffenberger wrote: I mentioned this in my dmesg for the Thinkpad T450s but thought it might also help others who have seen or may later see this issue to pull it out as a separate email. In addition to the xrandr issue below I can't change backlight settings. Noting

Re: network config question

2015-09-24 Thread Kapetanakis Giannis
On 24/09/15 22:41, patrick keshishian wrote: Hi, I'm pretty sure I'm over-thinking this, so I thought I'd step back and see if I can get some hints as how this sort of a set-up is done "properly" by pros. Say, existing set up: [internet] -- [pf] -- [ public-ip-net/24 ] Want to add/connect

Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Adam Thompson
On 15-09-23 05:01 PM, Mike Bregg wrote: I'm using an APU as a firewall/router and it works very well. However, after experimenting with some different wireless cards, I actually opted to install a separate EnGenius EAP600 Access Point on the main floor of my house, using PoE to run to the

Re: network config question

2015-09-24 Thread Daniel Melameth
On Thu, Sep 24, 2015 at 1:41 PM, patrick keshishian wrote: > I'm pretty sure I'm over-thinking this, so I thought I'd step back and > see if I can get some hints as how this sort of a set-up is done > "properly" by pros. > > Say, existing set up: > > [internet] -- [pf] -- [

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
On 24-09-2015 16:51, Devin Reade wrote: > Another consideration that has entered the picture since that idea came out, > though, is how much easier it will be in the non-NAT world for advertisers or > whomever to track individuals' behaviour. Not everyone likes that. Hence privacy

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stefan Sperling
On Thu, Sep 24, 2015 at 05:25:31PM -0300, Giancarlo Razzolini wrote: > The fact is, that OpenBSD and the other OS's should prefer > privacy address for everything (even pf itself). This already happens on > some linux configurations, where you have a semi stable privacy address > any given time on

Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Mike Bregg
On Thu, Sep 24, 2015 at 5:28 PM, Adam Thompson wrote: On 15-09-23 05:01 PM, Mike Bregg wrote: > I'm using an APU as a firewall/router and it works very well. > However, after experimenting with some different wireless cards, I > actually opted to install a separate

Re: doas and home directory of target user

2015-09-24 Thread Joel Rees
At any rate, I have convinced myself that doas follows the manual page in preserving the calling user's key environment variables, including HOME and USER. I had not grasped that this was considered desired behavior, so did not initially read it that way. I still think the man page is a little

dig and DNSSEC

2015-09-24 Thread Etienne
Hello there, Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be built with -DDIG_SIGCHASE to enable dnssec verification in future releases? Where would be a proper place to request that? Cheers, -- Étienne

network config question

2015-09-24 Thread patrick keshishian
Hi, I'm pretty sure I'm over-thinking this, so I thought I'd step back and see if I can get some hints as how this sort of a set-up is done "properly" by pros. Say, existing set up: [internet] -- [pf] -- [ public-ip-net/24 ] Want to add/connect a private 192.168.0/24 to existing [

Re: mini itx from intel

2015-09-24 Thread abyxcos
On Sun, Sep 20, 2015, at 08:50 AM, frantisek holop wrote: > does anyone happen to have any of these? > http://www.intel.com/content/www/us/en/nuc/nuc-comparison.html > > plz send dmesg if possible. > > -f > -- > loose lips sinks ships > Intel NUC 54250WYK, everything seems to work, prone to