Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-20 Thread Camiel Dobbelaar
On 20/12/13 16:56, Maxim Khitrov wrote: On Thu, Dec 19, 2013 at 8:33 AM, Camiel Dobbelaar wrote: On 18/12/13 22:32, Camiel Dobbelaar wrote: I think a documentation fix for pf.conf(5) is all that can be done. The diff adds the following paragraph: When listening sockets are

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-19 Thread Camiel Dobbelaar
On 18/12/13 22:32, Camiel Dobbelaar wrote: On 18/12/13 14:50, Maxim Khitrov wrote: On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote: On 18/12/13 13:53, Maxim Khitrov wrote: When writing outbound rules in pf, is there an accepted best practice for only matching packets that are either

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-18 Thread Camiel Dobbelaar
On 18/12/13 14:50, Maxim Khitrov wrote: On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote: On 18/12/13 13:53, Maxim Khitrov wrote: When writing outbound rules in pf, is there an accepted best practice for only matching packets that are either forwarded or firewall-generated? The best

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-18 Thread Camiel Dobbelaar
On 18/12/13 13:53, Maxim Khitrov wrote: When writing outbound rules in pf, is there an accepted best practice for only matching packets that are either forwarded or firewall-generated? The best that I could come up with is 'received-on all' as a way of identifying forwarded packets, but that opt

Re: how to compare ipsec.conf and isakmpd.conf settings?

2013-09-27 Thread Camiel Dobbelaar
On 9/27/13 10:46 AM, Daniel Polak wrote: What would have helped me solve this is a way to see what the current configuration of isakmpd looks like (irrespective of whether it was loaded from isakmpd.conf or from ipsec.conf). It appears there is no equivalent of a "C get all" command to the FIFO t

Re: Bridge0 "Oerrs" with throughput speed issues

2013-09-16 Thread Camiel Dobbelaar
On 9/16/13 5:56 PM, Stephen Maher wrote: There are no errors on any other interface. Some interfaces are autoneg and some are full 100 statically set. (Normally I associate network errors with negotiation mismatch however I'm baffled how this can happen with a bridge) The bridge code increases

Re: CARP on Switch ports without port fast leading to double master-master problems

2013-07-22 Thread Camiel Dobbelaar
On 7/22/13 1:12 PM, Andy wrote: I messed up and added '!sleep 5' to the hostname.carp instead of the physical interface.. None the less I'm surprised that no one else has any thoughts on this when it has been discussed several times before. It would be /very/ easy to resolve (by someone with ta

Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Camiel Dobbelaar
On 3/27/13 4:14 PM, LEVAI Daniel wrote: On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where the incoming traffic is not allowed arbitrarily above net.inet.ip.porthifirst, and the clients wish to use passive mode data connections. I thought I could use ftp-proxy(8) to append a

Re: packet loss in larger packets

2012-09-21 Thread Camiel Dobbelaar
On Fri, 21 Sep 2012, Erwin Lubbers wrote: > I'm using OpenBSD 5.1 and an Intel 10GbE SR (82598AF) ethernet card as a > router/firewall and it's working almost perfect. It is routing around 2 gbps > of traffic. > > On the ix0 interface there are several vlans configured with an MTU of 1500. > When

Re: hostname.if: preventing IPV4 assignment

2012-08-30 Thread Camiel Dobbelaar
On 30-8-2012 23:30, Scott wrote: > vis-a-vis /etc/hostname.if, where the 'if' is em1 and is a real > interface that is aggregating several VLANs (as em1 is connected to a > Cisco L2 switch). Since each of the VLAN interfaces has its own, > and topology relevant, IPV4 address, we don't want or n

Re: ifconfig bridge delete

2012-05-31 Thread Camiel Dobbelaar
On 31-5-2012 19:01, Pieter Verberne wrote: > $ sudo ifconfig bridge0 delete athn0 > ifconfig: athn0: bad value > $ sudo ifconfig bridge0 del athn0 > $ The manpage is wrong. Only "del" works for the bridge. "delete" is used to remove an address from the interface. Probably a remainder of the brc

Re: carp mixed states

2012-05-18 Thread Camiel Dobbelaar
They should both be backup. Check if you have "keep state (no-sync)" on your carp pf rule. If not add it, and flush the state tables. Other hints to debug carp setups: - netstat -s -p carp - ifconfig -g carp - sysctl net.inet.carp.log=4 (check /var/log/messages) -- Cam On 18-5-2012 3:38, shad

Re: CARP interfaces randomly stop answering ARP requests

2012-04-11 Thread Camiel Dobbelaar
On 11-4-2012 11:48, Johan Ryberg wrote: > Regarding "f_ether.c: IFQ_SET_MAXLEN(&arpintrq, 50); /* > XXX hate magic numbers */" > > Is 50 the limitation of logical interface per each physical or is it > 50 carp per logic interface? No, it's the limit on the _global_ arp queue. arp re

Re: CARP interfaces randomly stop answering ARP requests

2012-04-11 Thread Camiel Dobbelaar
On 11-4-2012 11:07, Ian Chard wrote: > On 03/04/12 10:32, Camiel Dobbelaar wrote: >> I suspect you may run into this limit (in sys/netinet): >> if_ether.c: IFQ_SET_MAXLEN(&arpintrq, 50); /* XXX hate >> magic numbers */ >> >> Can you raise that n

Re: CARP interfaces randomly stop answering ARP requests

2012-04-03 Thread Camiel Dobbelaar
On 3-4-2012 11:13, Ian Chard wrote: > I have an OpenBSD box acting as a NATting firewall. It has 59 CARP > interfaces defined, all identical apart from the IP address and vhid. At > the moment there is no failover pair, so all the interfaces are in > MASTER mode. > > Every so often, one of these

Re: pfsync changes in current?

2012-03-14 Thread Camiel Dobbelaar
On 14-3-2012 10:43, Kapetanakis Giannis wrote: >> While heavily demoted, it still assumes the master role. I guess it's >> not seeing the carp announcements from firewall-2 at all. Do you use >> spanning tree in the network? > > Yes. The latest change which I did on the switch where the firewalls

Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-13 Thread Camiel Dobbelaar
On 13-3-2012 9:52, Janne Johansson wrote: > 2012/3/4 PP;Q Q P(P8P?P8QP8P= : >> thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which >> lead me to: >> >> pass quick proto carp no state > > Which doesn't match the PF FAQ which says: >

Re: pfsync changes in current?

2012-03-12 Thread Camiel Dobbelaar
Hi, comments inline: On 9-3-2012 15:20, Kapetanakis Giannis wrote: > On 08/03/12 18:17, Peter Hessler wrote: >> On 2012 Mar 07 (Wed) at 15:58:21 +0200 (+0200), Kapetanakis Giannis >> wrote: >> :Hi, >> : >> :I'm running a setup of Active/backup firewalls with carp/pfsync >> :successfully for the l

Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Camiel Dobbelaar
Why is demote 2? Do you have any carp interfaces in INIT? Note that demote takes precedence over advskew. What does "ifconfig -g carp", "ifconfig carp" and "netstat -s -p carp" look like on both machines? On 3-3-2012 19:26, PP;Q Q P(P8P?P8QP8P= wrote: > I performed tcpdump on appropriate vl

Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Camiel Dobbelaar
Do you have spanning tree enabled on the switch? The firewall ports should be in portfast mode, otherwise the backup may become master after a reboot or when bouncing the physical interface. And do you have carp preempt enabled? (net.inet.carp.preempt=1) On 2-3-2012 16:31, favar wrote: > hi li

Re: Problem filtering CARP in PF

2012-03-02 Thread Camiel Dobbelaar
On 2-3-2012 9:23, Marios Makassikis wrote: >> I just thought of something that bit me recently as well. >> >> With a real IPv6 address CARP will send out advertisements via IPv4 >> _and_ IPv6. It's the same CARP message so if either one reaches the >> backup it's ok. >> >> Your block rule had "ine

Re: Problem filtering CARP in PF

2012-03-01 Thread Camiel Dobbelaar
On 1-3-2012 18:20, Camiel Dobbelaar wrote: > On 1-3-2012 18:10, Marios Makassikis wrote: >> Here you go: >> carp: >> 45808 packets received (IPv4) >> 74835 packets received (IPv6) >> 0 packets discarded for bad interface >>

Re: Problem filtering CARP in PF

2012-03-01 Thread Camiel Dobbelaar
On 1-3-2012 18:10, Marios Makassikis wrote: > Here you go: > carp: > 45808 packets received (IPv4) > 74835 packets received (IPv6) > 0 packets discarded for bad interface > 0 packets discarded for wrong TTL > 0 packets shorter than hea

Re: random nat, ftp clients and 425: Securiy: Bad IP connecting

2012-03-01 Thread Camiel Dobbelaar
On 1-3-2012 16:43, Hrvoje Popovski wrote: > On 28.2.2012. 14:23, Stuart Henderson wrote: >>> >>> There is no such option in ftp-proxy. >>> >>> What _might_ work is to run one ftp-proxy per IP (30 in your case) and >>> use "random" on the divert-to. >>> >>> <5 minutes later> >>> >>> I just tried it,

Re: Problem filtering CARP in PF

2012-03-01 Thread Camiel Dobbelaar
On 1-3-2012 16:32, Marios Makassikis wrote: > Bumping net.inet.carp.log value only reports the demotion: > carp:carp0 demoted group carp by 1 to 2 (> snderrors) > carp:carp1 demoted group carp by 1 to 2 (> snderrors) > > And then, a few state transitions later: > carp: carp0 demoted group carp by

Re: Problem filtering CARP in PF

2012-03-01 Thread Camiel Dobbelaar
On 1-3-2012 10:08, Marios Makassikis wrote: > Hello, > No, I'm using hardware machines. > > I tested what Imre suggested, i.e.: flushing PF states with > 'pfctl -F states'. > With a freshly booted machine, CARP packets are allowed to pass. > I then disabled pf, flushed the states and reloaded pf w

Re: Problem filtering CARP in PF

2012-02-29 Thread Camiel Dobbelaar
On 29-2-2012 23:01, Frédéric URBAN wrote: > Hello, > > Confirmed on a fresh and very simple virtual environment with 2 > firewalls using the latest snapshot (amd64). > pf.conf contains a single line "block log", nothing is logged on pflog > and the other firewall on the sharing the link layer still c

Re: random nat, ftp clients and 425: Securiy: Bad IP connecting

2012-02-27 Thread Camiel Dobbelaar
On 27-2-2012 22:22, Hrvoje Popovski wrote: > i'm having problem with ftp communication. when ftp client behind > openbsd 5.0 firewall connects to ftp server or servers > they see 425: Securiy: Bad IP connecting. > > openbsd has random nat with pool of /27 public addresses and inside > hosts connec

Re: PF: table sync

2012-02-06 Thread Camiel Dobbelaar
On 6-2-2012 10:52, Armin Wolfermann wrote: > * Camiel Dobbelaar [05.02.2012 20:19]: >> I'm not sure that pftabled is still maintained though. > > It is. > >> I reported a big flaw to the author in 2010 and it was never fixed. > > Aborting on a failur

Re: PF: table sync

2012-02-05 Thread Camiel Dobbelaar
On 5-2-2012 16:01, OSN | Marian Fischer wrote: > Am 05.02.2012 11:32, schrieb Maxim Bourmistrov: >> On Feb 5, 2012, at 10:47 AM, Otto Moerbeek wrote: >> >>> pfsync does not sync pf tables. >> Exactly, but it would be nice to have. >> >> //maxim >> > Hi, > > you should also take a look at wolferman

Re: CARP strangeness after 5.0 upgrade

2012-02-02 Thread Camiel Dobbelaar
On 2-2-2012 17:34, Matt Hamilton wrote: > Camiel Dobbelaar sentia.nl> writes: > >> Can you post the output of "netstat -m" and a dmesg? > > # netstat -m > 94 mbufs in use: > 88 mbufs allocated to data > 3 mbufs allocated to packet heade

Re: CARP strangeness after 5.0 upgrade

2012-02-02 Thread Camiel Dobbelaar
On 2-2-2012 16:38, Matt Hamilton wrote: > Camiel Dobbelaar sentia.nl> writes: > >> Can you show the output of: >> - ifconfig carp >> - ifconfig -g carp >> - netstat -s -p carp >> - sysctl net.inet.carp > > Ahhh... actually, I noticed mbuf memory

Re: CARP strangeness after 5.0 upgrade

2012-01-25 Thread Camiel Dobbelaar
On 25-1-2012 18:23, Matt Hamilton wrote: > I'm also getting strange weirdnesses with carp on 5.0. I too upgraded > from quite an old 4.x version (4.6 IIRC). > > The main thing I'm seeing is my master and backup switching back and > forth quite a few times. This is a pair of firewalls with carp > r

Re: how to find dependencies when building a new kernel

2011-11-29 Thread Camiel Dobbelaar
On 29-11-2011 13:00, Otto Moerbeek wrote: > On Tue, Nov 29, 2011 at 12:29:28PM +0100, Camiel Dobbelaar wrote: > >> On 29-11-2011 11:38, T. Valent wrote: >> >>>>> dmassage -t >>> >>>> i might be wrong, but is this really aggressive auto s

Re: how to find dependencies when building a new kernel

2011-11-29 Thread Camiel Dobbelaar
On 29-11-2011 11:38, T. Valent wrote: >>> dmassage -t > >> i might be wrong, but is this really aggressive auto spelling >> corrector for "dmesg"? > > I found an example usage of dmassage on the web, but could not find the > program. So I thought the same way as you did. > > It's not part of th

Re: problem with trunkproto lacp and carppeer

2011-11-10 Thread Camiel Dobbelaar
On 10-11-2011 23:02, Ben Franklan wrote: > Hi all, > I set up FW1 and FW2 with trunk and CARP - If I set up the trunk > interface using trunkproto lacp and also specify a carppeer FW1 carp > interface does not return to master upon reboot and FW1 has 'carp > demote count 1'. I tried with various sw

Re: pfsync states growing on carp backup firewall

2011-11-09 Thread Camiel Dobbelaar
I did not commit the fix for this bug in pfsync yet, but very soon now. On 9-11-2011 10:30, Maxim Bourmistrov wrote: > You might test to pull down if_pfsync.c from -current > or > flush states much sooner on failover with pf.conf (adaptive.start > adaptive.end) > > //maxim > > On Nov 9, 2011, a

Re: limit ftp download

2011-11-03 Thread Camiel Dobbelaar
y to do it. > Is there someone who have a sample ? using -T option for ftp-proxy ? > Thank you very much. > > Wesley. > >> On Thu, 03 Nov 2011 09:02:32 +0100, Camiel Dobbelaar > wrote: > >> Run two ftp-proxies: one with the -q ilimit and one with the -q istd. >> >> Then redirect the limited user to one proxy and the rest to the other.

Re: limit ftp download

2011-11-03 Thread Camiel Dobbelaar
On 3-11-2011 9:01, Wesley M. wrote: > Thank you for your reply. > I read the man page of ftp-proxy. > There's an option like you said, "-q queue". > But in my way, i have 2 queue : ilimit and istd > ilimit : bandwidth -> 20Ko/s > istd : bandwidth -> 128 Ko/s > > So i just modified to my /etc/rc.co

Re: limit ftp download

2011-11-02 Thread Camiel Dobbelaar
On 3-11-2011 6:07, Wesley M. wrote: > I suppose it is because traffic is redirected to 127.0.0.1 (ftpproxy) > > sample of my pf.conf: > ... > anchor "ftp-proxy/*" > pass in on $lan inet proto tcp from $limithost \ > to port 21 divert-to 127.0.0.1 port 8021 queue ilimit > ... > > Is there a
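As an added example (not code from this thread or from the ftp-proxy project), here is a pf.conf fragment that implements Camiel's suggestion from this thread: run one ftp-proxy(8) per queue and divert the rate-limited host to one instance and everybody else to the other. The interface name, the limited host's address, the second proxy's port (8022) and the queue bandwidths are assumptions; ftp-proxy's -q flag is the real option that makes the proxy append that queue to the data-connection rules it inserts into its anchor, and -p selects the listening port.

```pf
# Added example, not from the mailing-list thread. OpenBSD 5.0-era syntax.
# Assumed: $lan is the inside interface, $limithost is the client to throttle,
# and the two proxies are started as
#   /etc/rc.conf.local:  ftpproxy_flags="-p 8021 -q istd"
#   /etc/rc.local:       /usr/sbin/ftp-proxy -p 8022 -q ilimit
lan       = "em1"
limithost = "192.168.1.50"

# Download bandwidth is what leaves on $lan, so the queues live there.
# (Rates are assumptions; one queue must be the default.)
altq on $lan cbq bandwidth 10Mb queue { istd, ilimit }
queue istd   bandwidth 1Mb  cbq(default)
queue ilimit bandwidth 160Kb

# Each proxy instance inserts its own pass/divert rules here, stamped with the
# queue given by its -q flag, so data connections inherit the right limit.
anchor "ftp-proxy/*"

# Control connection from the throttled host: send it to the limited proxy
# and queue the control channel the same way as the data channels will be.
pass in quick on $lan inet proto tcp from $limithost to any port 21 \
    divert-to 127.0.0.1 port 8022 queue ilimit

# Everyone else on the LAN goes to the standard proxy.
pass in on $lan inet proto tcp from $lan:network to any port 21 \
    divert-to 127.0.0.1 port 8021 queue istd

# The proxies' own outgoing control connections to the FTP servers.
pass out on egress inet proto tcp to any port 21
```

The first rule carries `quick` so the per-host match wins over the general LAN rule regardless of ordering elsewhere in the ruleset; without it the last matching rule would decide, and the limited host could silently end up on the standard proxy.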

Re: PFSYNC - pf.conf best practice

2011-10-26 Thread Camiel Dobbelaar
On 26-10-2011 20:32, Maxim Bourmistrov wrote: > The side question, after observing 'systat -s1 states', is WHY the "failover" side > doubles the exp. time?? > I'd expect it to be more like a "copy" of the current state of the > master. Yes, the number of states should be roughly in sync on both firewa

Re: PF with gigabit voice/video streams

2011-06-03 Thread Camiel Dobbelaar
On 4-6-2011 0:04, Stuart Henderson wrote: > On 2011-06-03, Eric K. Miller wrote: >>> Are you running -current? There have been some massive tweaks in >> networking performance in -current. Try out and report back. >> >> We were running 4.7 amd64 version (GENERIC.MP). Also tried the single >> proc

Re: ftp-proxy on a nat firewall

2009-01-30 Thread Camiel Dobbelaar
(private) HKS wrote: > Without -r things work just fine, but the shittiest ftp client I have > to test this is Windows 2003's native. What clients are known to > require the -r flag? I think I implemented -r for someone with an old VMS system. Most FTP clients work fine, don't use -r unless you'r

Re: ftp-proxy on a nat firewall

2009-01-30 Thread Camiel Dobbelaar
Camiel Dobbelaar wrote: > (private) HKS wrote: >> On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS wrote: >>> On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley >>> wrote: >>>> I've gotten a couple of off-list replies with suggestions to try. I >>&

Re: ftp-proxy on a nat firewall

2009-01-30 Thread Camiel Dobbelaar
(private) HKS wrote: > On Fri, Jan 23, 2009 at 3:06 PM, (private) HKS wrote: >> On Fri, Jan 23, 2009 at 8:49 AM, Daniel A. Ramaley >> wrote: >>> I've gotten a couple of off-list replies with suggestions to try. I >>> greatly appreciate any ideas, but still have not had any luck so far. >>> I've t

Re: ftp-proxy and IP alias

2008-10-27 Thread Camiel Dobbelaar
Chris Smith wrote: > On Wed, Oct 22, 2008 at 11:52 PM, Chris Smith <[EMAIL PROTECTED]> wrote: >> Was finally able to test the reboot scenario and two instances of >> ftp-proxy do not get started from rc.conf.local. Needed to run the >> second instance from rc.local. > > Just wondering whether or n

Re: FTP-Proxy swallows 221 Message (MS FTP-Service)

2008-04-02 Thread Camiel Dobbelaar
Michael Hoffrath wrote: > Same problem here Running OpenBSD 4.2 (GENERIC) #375 i386. > > It seems not to be only a problem of Microsoft; I've found that problem also > on VSFTPd (centos) and Filezilla (Windows 2003 Server). > > Both are sending "221 Goodbye" but ftp-proxy seems to swallow that

Re: Flexibility of pf rules created by ftp-proxy?

2008-03-18 Thread Camiel Dobbelaar
Dave Anderson wrote: > I've been working on the pf configuration for my home firewall, > including setting up ftp-proxy. I've noticed that the command is > getting cluttered with options to adjust the rules it creates to the > needs of different pf configurations. Has any thought been given to >

Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working

2007-12-10 Thread Camiel Dobbelaar
S. Scott Sima, CISA, CISM wrote: > Using openbsd 4.2, pf and ftp-proxy. > > ftp-proxy -T is not being recognized by pf.conf ruleset. In the > NOT WORKING (snip) below, the tcpdump shows the ftp-proxied packets > being ignored by the tagged pass rule and hitting on the final block all > rule. >

Re: ftp-proxy feature request / tags

2007-12-10 Thread Camiel Dobbelaar
is exactly how it should work (ftpsesame, the other FTP proxy that I wrote already does it like that). I'll look into a fix for ftp-proxy. > On Tue, 4 Dec 2007, Camiel Dobbelaar wrote: > >> Bryan S. Leaman wrote: >>> I have a multiple ISP router/firewall running 4.2. To

Re: ftp-proxy feature request

2007-12-04 Thread Camiel Dobbelaar
Bryan S. Leaman wrote: > I have a multiple ISP router/firewall running 4.2. To make FTP work > properly over both gateways, I found and applied the following patch to > ftp-proxy **see link below** and it's working great (apparently pftpx is > very similar to ftp-proxy). Without this fix, my seco

Re: ftp-proxy and no route to host issue

2007-10-02 Thread Camiel Dobbelaar
On Tue, 2 Oct 2007, Falk Brockerhoff wrote: > When I try to connect a ftp daemon "behind" the firewall I can see the > following entry in /var/log/messages > > /var/log/messages.2.gz:Oct 2 09:58:32 buffy ftp-proxy[21285]: #478593 > proxy cannot connect to server 195.225.xx.yy: No route to host >

Re: ftp-proxy and no route to host issue

2007-10-02 Thread Camiel Dobbelaar
On Tue, 2 Oct 2007, Falk Brockerhoff wrote: > I'm using pf and ftp-proxy on an OpenBSD 4.2 GENERIC#374 i386 box. Most > the time everything works fine, but sometimes ftp-proxy reports a "no > route to host" in /var/log/messages. I can reproduce this behaviour, but > I'm able to ping the target ftp

Re: ftp-proxy fxp transfers

2007-07-01 Thread Camiel Dobbelaar
On Sun, 1 Jul 2007, Chris Cohen wrote: > according to http://www.openbsd.org/faq/pf/ftp.html i've setup ftp-proxy and > changed my pf.conf. A client on the extern interface of the firewall can > upload files, use passive and active mode. But fxp transfers (server to > server) doesn't work. My ft

Re: ftp-proxy binat design -- Was: Re: binat questions

2007-07-01 Thread Camiel Dobbelaar
On Sun, 1 Jul 2007, Karl O. Pinc wrote: > On 03/22/2007 03:17:00 PM, Stuart Henderson wrote: > > > One thing to watch out for with binat: you can't use it with > > ftp-proxy(8), since binat is of higher priority than the rdr or > > nat rules which are added to the anchor. The workaround there > >

Re: Using ftp-proxy(8) to proxy both internal and external FTP connections

2007-06-22 Thread Camiel Dobbelaar
On Fri, 22 Jun 2007, Damon McMahon wrote: > I'm trying to configure ftpd(8) to work on my OpenBSD 4.1 firewall > which currently proxies without issue client FTP connections to > outside FTP servers via ftp-proxy(8). You cannot proxy FTP from/to the firewall itself. pf user/group rules (user _ftp

Re: FTP/ftp-proxy/pf issue.

2007-04-10 Thread Camiel Dobbelaar
On Tue, 10 Apr 2007, Steve Mertz wrote: > I'm trying to setup a firewall that allows FTP in to a server that is NATd on > the other side. But that only allows access from one address outside the > firewall. > > Something like: > > Machine -> Internet -> Firewall/NAT -> FTP server > > I realize

Re: reverse ftp-proxy and reply-to?

2007-03-17 Thread Camiel Dobbelaar
On Sat, 17 Mar 2007, Sebastian Reitenbach wrote: > I use ftp-proxy on my firewall as a reverse proxy for a host on the dmz. The > incoming connections come in on one of the the external interfaces, which is > not the default gateway of the firewall. Therefore I use reply-to statements > on the pass

Re: ftp-proxy problem using active ftp

2007-02-16 Thread Camiel Dobbelaar
On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote: > #1 client: PORT 192,168,1,56,9,96\r\n > #1 proxy: PORT 193,172,163,50,235,99\r\n 193.172.163.50 is the correct external IP ? Does the firewall have more than one external IP? > #1 server: 200 PORT command successful - not using PASV eh?\r\n > #1 a

Re: Multiple ftp servers behind nat using pf-proxy?

2007-01-22 Thread Camiel Dobbelaar
On Mon, 22 Jan 2007, Satadru Pramanik wrote: > /usr/sbin/ftp-proxy -r -R 192.168.19.4 -p 21 -b externalip1 > /usr/sbin/ftp-proxy -r -R 192.168.19.122 -p 21 -b externalip2 > > Connections to externalip1 work just fine using ftp. > > Am I doing something wrong or is this just an unsupported configu

Re: dying ftp-proxy

2007-01-17 Thread Camiel Dobbelaar
Please try this diff: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ftp-proxy/ftp-proxy.c.diff?r1=1.10&r2=1.11 On Wed, 17 Jan 2007, Stefan Olsson wrote: > Hello, > > ftp-proxy starts up and runs fine for most of the time on one of my firewalls, > but sometimes and intermittently it just s

Re: ftp-proxy and old ftp-proxy co-mingling

2007-01-12 Thread Camiel Dobbelaar
On Thu, 11 Jan 2007, Ryan Corder wrote: > However, the 4.0 ftp-proxy and the 3.8 ftp-proxy don't seem to like > working with each other. When I attempt to ftp from the inside network > all the way out to the internet, I can get connected, but if I attempt > to do a transfer I receive a 'connection

Re: VPN/IPSEC trouble with Checkpoint

2007-01-11 Thread Camiel Dobbelaar
If you are willing to try ipsec.conf instead of isakmpd.conf. I use the following for a VPN with a Checkpoint NG.

    ike esp from a.a.a.a/24 to b.b.b.b/20 \
        local x.x.x.x peer y.y.y.y \
        main auth hmac-md5 enc 3des group grp2 \
        quick auth hmac-md5 enc 3des group none \
        psk secretsecr

Re: ftp-proxy clarification

2006-11-28 Thread Camiel Dobbelaar
On Tue, 28 Nov 2006, Mark Freeze wrote: > I also have a question regarding ftp proxy. My situation is that we > have our firewall running, and I can connect and upload files to ftp > sites from any of my workstations. The problem occurs when we are > trying to download files. When I connect my m

Re: ftp-proxy clarification

2006-11-28 Thread Camiel Dobbelaar
On Tue, 28 Nov 2006, Ryan Corder wrote: > While the PF User Guide is truly an excellent document, it seems to > assume that you allow all outbound traffic, so it only instructs you to > add a couple of anchors and a redirect rule. Do I need an additional > outbound 'pass' rule for FTP high port

demystify enc interface

2006-11-23 Thread Camiel Dobbelaar
I'm trying to figure out how the enc interface works, and especially how to filter it using pf. This is what enc(4) says: The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similar

Re: Failover with carp and pfsync issue

2006-11-17 Thread Camiel Dobbelaar
I see one possible flaw in your setup: On Fri, 17 Nov 2006, Dominique Goncalves wrote: > fw1: > pf.conf: > scrub in all > nat on fxp0 from !(fxp0) to any -> (fxp0) > pass quick on vr0 proto pfsync Your pfsync interface is vr1, not vr0. I tend to use "set skip" for the pfsync interface. > pass
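As an added example (not from any message in this index), the following pf.conf fragment pulls together the CARP/pfsync filtering advice given in this thread and in the "carp mixed states", "Problem filtering CARP in PF" and "may 7 carp addresses be too much" threads above: pass CARP advertisements without replicating their state over pfsync, `set skip` on the dedicated pfsync interface, and NAT through the shared CARP address so states survive a failover. It uses the OpenBSD 4.7+ translation syntax rather than the `nat on` form quoted here; interface names, the carp interface and the LAN prefix are assumptions, and `net.inet.carp.preempt=1` in /etc/sysctl.conf is assumed on both boxes.

```pf
# Added example, not from the mailing-list threads. Names and addresses are
# assumptions; rule syntax is OpenBSD 4.7 or later.
ext_if  = "em0"        # shared external segment, carp0 lives here
int_if  = "em1"        # shared internal segment
sync_if = "em2"        # dedicated crossover link carrying pfsync
lan_net = "192.168.10.0/24"

set skip on lo0
# Never filter pfsync itself: a stateful rule for it would be replicated
# back and forth and is easy to get wrong.
set skip on $sync_if

# CARP advertisements on both shared segments. '(no-sync)' keeps this state
# out of pfsync, so the backup never imports a state whose direction is
# wrong from its point of view (the "mixed states" symptom); 'no state' is
# the other form used in the threads above and avoids the state entirely.
pass quick on { $ext_if $int_if } proto carp keep state (no-sync)

block log all

# LAN hosts out through the shared address. '(carp0)' follows the address
# of carp0, which is the same on whichever box is currently master, so
# NAT states copied over pfsync remain valid after a failover.
pass in on $int_if inet from $lan_net
pass out on $ext_if inet from $lan_net nat-to (carp0)
```

After changing the carp rule, flush the state table (`pfctl -F states`) on both firewalls as suggested above; otherwise stale replicated states from the old rule keep producing the mixed MASTER/BACKUP picture, and `netstat -s -p carp` together with `sysctl net.inet.carp.log=4` is the quickest way to confirm the backup is actually receiving advertisements again.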

Re: router wont stop sending icmp redirects

2006-11-17 Thread Camiel Dobbelaar
On Thu, 16 Nov 2006, Andrew Smith wrote: > net.inet.ip.redirect = 0 > > Means that the machine will not "honour" redirects. > > The value is used to ignore redirects sent by routers not to disable sending > of redirects if you happen to be running as a router. No, you're talking about net.inet

Re: ftp-proxy issues

2006-11-14 Thread Camiel Dobbelaar
On Tue, 14 Nov 2006, Camiel Dobbelaar wrote: > On Tue, 14 Nov 2006, Marc Peters wrote: > > > What I wanted to say: notice how failinghost shrinks the TCP window to > > > just > > > 46 bytes ("win 46"). That's not enough to fit the long path of the

Re: ftp-proxy issues

2006-11-14 Thread Camiel Dobbelaar
On Tue, 14 Nov 2006, Marc Peters wrote: > > What I wanted to say: notice how failinghost shrinks the TCP window to just > > 46 bytes ("win 46"). That's not enough to fit the long path of the > > directory change, so that stays in the network buffers of the firewall > > waiting for failinghost to s

Re: ftp-proxy issues

2006-11-13 Thread Camiel Dobbelaar
On Mon, 13 Nov 2006, Camiel Dobbelaar wrote: > Ok, I think I found something in your original tcpdump: > > Nov 11 15:15:04.389556 failinghost.domain.com.ftp > > ftp-proxy.domain.com.48293: P 202:233(31) ack 56 win 46 ^^ &g

Re: ftp-proxy issues

2006-11-13 Thread Camiel Dobbelaar
Ok, I think I found something in your original tcpdump: Nov 11 15:15:04.389556 failinghost.domain.com.ftp > ftp-proxy.domain.com.48293: P 202:233(31) ack 56 win 46 (DF) [tos 0x10] : 4510 0053 7066 4000 4006 0292 c2f5 20b4 [EMAIL PROTECTED]@...C5 B4 0010: c2f5 20fe 0015 bca5 48d1 b99c

Re: ftp-proxy issues

2006-11-13 Thread Camiel Dobbelaar
On Mon, 13 Nov 2006, Marc Peters wrote: > 60 seconds, and the client gives me this message: > 421 Service not available, remote server timed out. Connection closed (mac osx > command line ftp-client) > > That CWD line did not pass out on the DMZ interface? > > > > no it didn't. it is everytime th

Re: Passive FTP support on a workstation running PF

2006-09-21 Thread Camiel Dobbelaar
The "user" and "group" features of pf are useful for this. See also: http://marc.theaimsgroup.com/?l=openbsd-misc&m=115202430208726&w=2 On Thu, 21 Sep 2006, Tom Fitzhenry wrote: > Hi, > > I'm going to university in one week and the university explicitly says > that only one computer (including

Re: ftp-proxy

2006-09-15 Thread Camiel Dobbelaar
On Thu, 14 Sep 2006, Steve Welham wrote: > I agree with you and I think the man page is missing a line - at least > for passive mode which is all that I tested (running ftp-proxy with no > options) . It does appear that 2 translation rules are added for PASV - > an rdr and a nat: > > It looks like

Re: Tuning OpenBSD network throughput

2006-08-08 Thread Camiel Dobbelaar
On Tue, 8 Aug 2006, Matthew R. Dempsky wrote: > Then, I substituted out the 266MHz machine and replaced it with the > 600MHz machine (i.e., faster processor, more ram, and better software), > but running ``iperf -c 192.168.10.1'' under OpenBSD reported a mere > 3.8 Mbits/sec---nearly two orders o

Re: ftp-proxy problem on firewall

2006-07-13 Thread Camiel Dobbelaar
On Thu, 13 Jul 2006, Jure Zbontar wrote: > I think the problem might be that ftp traffic from my firewall machine > doesn't go through the proxy at all, so ftp-proxy doesn't create any > rules for it. That's right, you cannot rdr to the proxy on the firewall itself. See also this thread: http://m

Re: Redirect to ftp-proxy when client is on localhost?

2006-07-04 Thread Camiel Dobbelaar
On Tue, 4 Jul 2006, [EMAIL PROTECTED] wrote: > I like the 3.9 ftp-proxy so much I'm thinking "wouldn't it be nice if, > in addition to the clients inside my lan, ftp connections from this very > openbsd machine went through it also". > > Is this just a silly idea? Is this possible, trivial, trick

Re: ftp-proxy does not work in secure level 2

2006-07-03 Thread Camiel Dobbelaar
On Mon, 3 Jul 2006, c.s.r.c.murthy wrote: > We have configured a firewall with pf on openbsd-3.9. It is found that > ftp-proxy is unable to operate when system is put in secure level 2. > This is due to the fact that ftp-proxy can't add/delete rules in pf in > secure level 2. But for security re

Re: ftp-proxy and bridge

2006-06-22 Thread Camiel Dobbelaar
On Thu, 22 Jun 2006, Dylan Martin wrote: > Hi, I've got a bridge firewall protecting some FTP servers. In the > past I've used ftpsesame to let people on the internet use passive > connections to my FTP servers. I hear that ftp-proxy in 3.9 is > supposed to have the functionality of ftpsesame, so

Re: state table, loopback and redirection

2006-06-08 Thread Camiel Dobbelaar
On Thu, 8 Jun 2006, sheda wrote: > There's a NAT box between the OpenBSD box and Internet, that's why I don't > need outgoing NAT rules. Then the ftp-proxy needs to run on the NAT box, because the private space address is used _inside_ the FTP protocol as well (in active mode). For bridges "ftps

Re: state table, loopback and redirection

2006-06-08 Thread Camiel Dobbelaar
On Thu, 8 Jun 2006, uc.sheda wrote: > When 172.16.218.129 is trying to reach the port 21/tcp of 129.128.5.191, > here is what happen: > > * tcpdump -tei pflog0 port 21 or 8021: don't show anything You don't have "log" on your "rdr pass" line. > * tcpdump -tni bridge0 port 21 or 8021: just show

Re: pftpx

2006-05-26 Thread Camiel Dobbelaar
On Fri, 26 May 2006, Gaby vanhegan wrote: > I see. What about running them on separate IP addresses (both still > on the same machine)? Or do they need to be on different physical > interfaces? Should I use a separate package, such as ftpsesame? Is > there any way round this problem? Usi

Re: pftpx

2006-05-26 Thread Camiel Dobbelaar
On Fri, 26 May 2006, Gaby vanhegan wrote: > When I type the ls command. is the same in each case, the > firewall, proxy and ftp server are running on the same machine. My > aim here is to not open a load of ports for ftpd, but to have the > pftpx part of ftp-proxy only open the ports on dem

Re: pftpx

2006-05-25 Thread Camiel Dobbelaar
On Thu, 25 May 2006, Gaby vanhegan wrote: > Is there a working pf.conf that anyone can share with me? I can > connect to the server but PASV mode fails with the normal error that > it can't make the data connection. You have to run two instances of the proxy. One as normal that listens on t

Re: ftp-proxy isssues

2006-05-11 Thread Camiel Dobbelaar
On Thu, 11 May 2006, [EMAIL PROTECTED] wrote: > > pass in on $ext_if inet proto tcp from any \ > > to $ext_if port 55000 >< 57000 user proxy \ > > flags S/SA keep state > > C>You don't need this anymore. > > Ah, okay, how come i don't need this anymore, i must be missing and not > und

Re: ftp-proxy isssues

2006-05-10 Thread Camiel Dobbelaar
On Thu, 11 May 2006, [EMAIL PROTECTED] wrote: > rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 You need this. > pass in on $ext_if inet proto tcp from any \ > to $ext_if port 55000 >< 57000 user proxy \ > flags S/SA keep state You don't need this anymore. > How can i tr

Re: FTP Issues

2006-03-24 Thread Camiel Dobbelaar
On Fri, 24 Mar 2006, Hutger H. wrote: > - Analysing the firewall's traffic, I could notice that the problem > happens when the FTP server try to make a new connection back to the > client using I high port. I got some tutorials explaining how to solve > this problem using ftp-proxy and some PF rule

Re: 3.8 bridge trouble

2006-02-15 Thread Camiel Dobbelaar
On Wed, 15 Feb 2006, Pailloncy Jean-Gerard wrote: > Second part of the test, I set up a bridgename.bridge0 file with the 2 nics up > with STP, and I restart the soekris. Few seconds after the end of the boot > (login prompt) immediate reboot of the soekris. > I stop it by, as soon as login prompt a

Re: MAC filter Bridge

2006-02-01 Thread Camiel Dobbelaar
On Wed, 1 Feb 2006, Badbanchi Hossein wrote: > What is bothering me is the sentence: > Rules are processed in the order in which they were added to the interface, > and the first rule matched takes the action ... > > Does this really mean that no hash function is used? I mean if I have 2 > MAC

Re: Stripping vlan tag - libpcap and tcpdump - arpwatch on trunk

2006-01-05 Thread Camiel Dobbelaar
On Thu, 5 Jan 2006, Raphael wrote: > * My first try was to run one instance of arpwatch per configured > virtual vlan interface. This worked fine for up to 10 sessions, but not > more (maybe the amount of concurrent libpcap sessions is limited?). > Q: Is this a configurable parameter? From man bp

Re: VLANs not isolated

2005-11-23 Thread Camiel Dobbelaar
On Thu, 24 Nov 2005, Jason Dixon wrote: > I'm testing PF on a proposed network design and experiencing some unexpected > behavior. With three vlan(4) interfaces on the interior of an OpenBSD > gateway, each of the clients on a segment is able to ping the gateway address > for at least one of the o

Re: bridge and Spanning Tree, WAS Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

2005-11-21 Thread Camiel Dobbelaar
On Sun, 20 Nov 2005, Ramsey Tantawi wrote: > I set up failover of two redundant bridging firewalls using the > Spanning Tree Protocol options in bridge, and it worked great. > > However, when testing failover, it takes between 45 seconds and more > than 3 minutes for traffic to start flowing again.

Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

2005-11-19 Thread Camiel Dobbelaar
On Sat, 19 Nov 2005, Ramsey Tantawi wrote: > > For a redundant bridge setup you need spanning tree. See "stp" in the > > brconfig(8) manpage. > > I'm using unmanaged switches that don't support STP, so for now I'm out of > luck. No, that's ok. You don't have to run STP on every device, only on

Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7

2005-11-19 Thread Camiel Dobbelaar
On Fri, 18 Nov 2005, Ramsey Tantawi wrote: > I can't get failover of a bridging firewall to work using CARP and OpenBSD > 3.7. > > All the documentation + googling I've done leads me to believe it > *should* work. I think. But with everything setup all I get is a > flood of ARP requests that pa

Re: ftp-proxy upgrade instructions

2005-11-16 Thread Camiel Dobbelaar
On Wed, 16 Nov 2005, Moritz Grimm wrote: > Moritz Grimm wrote: > > Using the parameter ``-q "(q_med, q_pri)"'' does not result in any error > > message, however, I have no proof whether this works or not. Actually, > [...] > > Hm, and while I'm at it ... how can things like these be properly teste

Re: inetd and netstat with parameters

2005-06-24 Thread Camiel Dobbelaar
netstat is already taken. [EMAIL PROTECTED] $ grep netstat /etc/services netstat 15/tcp On Fri, 24 Jun 2005, Karl-Heinz Wild wrote: > I try the following > > /etc/services > > netstat /tcp > > /etc/inetd > > netstat stream tcp nowait

Re: spamd greylisting and server pools

2005-06-21 Thread Camiel Dobbelaar
On Tue, 21 Jun 2005, Heinrich Rebehn wrote: > If a mail is sent via a server pool, it can take quite long until it happens > to be sent 3 times from the same ip address and thus get whitelisted and > delivered. With a big server pool this can take hours. I use the attached very simple script to he