Re: PF and states of connections with same src port

2008-05-02 Thread Kian Mohageri
On Fri, May 2, 2008 at 7:35 AM, B A [EMAIL PROTECTED] wrote: Hello! I have a question about PF. I have just found interesting behavior of PF. For example if I fix source port and run from my PC: echo 'aaa' | nc -p www.my.rerver 80 I got a response. But if I just

Re: Got 'em !

2008-04-10 Thread Kian Mohageri
On Thu, Apr 10, 2008 at 1:29 AM, Paul de Weerd [EMAIL PROTECTED] wrote: Hi all, The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg .. looking very cool yet again ;) Artwork looks great! Are those the same

Re: syslog-ng and log analyzers

2008-02-20 Thread Kian Mohageri
On Feb 20, 2008 10:51 AM, Ryan Corder [EMAIL PROTECTED] wrote: On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote: | I would like to see what you'd suggest as a log analyzer tool(s) on a | centralized log server running syslog-ng. | | I also need to use a specific tool as PF log

Re: Remote syslog

2008-02-19 Thread Kian Mohageri
On Feb 19, 2008 8:42 PM, Steve B [EMAIL PROTECTED] wrote: My employer has given me some free colo space and I thought I would take advantage of it to do remote system logging. Those of you here who are doing it, could you comment on whether you are using Syslog-NG or something else, and

Re: strange pfctl output

2007-12-25 Thread Kian Mohageri
On Dec 25, 2007 10:54 AM, Daniel [EMAIL PROTECTED] wrote: Hi! I'm having this problem: # pfctl -sr |fgrep ftp [...] pass out on rl0 inet proto tcp from ip to __automatic_39c048b4_0 port = ftp flags S/SA keep state What is that automatic stuff? It's a table identifier. The optimizer

Re: dhclient ignoring DHCPOFFERS?

2007-12-21 Thread Kian Mohageri
On Dec 19, 2007 8:25 PM, Nick Guenther [EMAIL PROTECTED] wrote: On Dec 19, 2007 7:53 PM, Kian Mohageri [EMAIL PROTECTED] wrote: On Dec 19, 2007 10:26 AM, Nick Guenther [EMAIL PROTECTED] wrote: I've seen this problem intermittently before. Every once in a while, this happens (the adapter

Re: dhclient ignoring DHCPOFFERS?

2007-12-19 Thread Kian Mohageri
On Dec 19, 2007 10:26 AM, Nick Guenther [EMAIL PROTECTED] wrote: I've seen this problem intermittently before. Every once in a while, this happens (the adapter it happens on doesn't matter): # dhclient de0 DHCPREQUEST on de0 to 255.255.255.255 port 67 DHCPREQUEST on de0 to 255.255.255.255

syslog disabling question

2007-06-13 Thread Kian Mohageri
Hello, I was setting up a central logserver this afternoon and some of the functionality I need wasn't in the stock syslogd(8), so I chose to use syslog-ng. I noticed that you cannot specify syslogd=NO or syslogd_flags=NO to disable it (in rc.conf.local), and I was mostly curious why. I'm sure

Re: syslog disabling question

2007-06-13 Thread Kian Mohageri
On 6/13/07, Stuart Henderson [EMAIL PROTECTED] wrote: On 2007/06/13 02:00, Kian Mohageri wrote: Is my best option to kill syslogd from rc.local or manually edit /etc/rc? How about leaving them both running, and binding syslog-ng to just the relevant IP address? Thank you all

Re: c2k7 hackathon is over

2007-06-02 Thread Kian Mohageri
On 6/2/07, Theo de Raadt [EMAIL PROTECTED] wrote: The c2k7 hackathon is over, with roughly 50 developers attending the event for 10 days in Calgary. So many projects were started or finished, it is basically impossible for me to describe all the projects. Hope you guys out there enjoy the

Re: pf - drop or return - is stealth mode overrated?

2007-05-02 Thread Kian Mohageri
Henning Brauer wrote: * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]: Using openbsd as a firewall in several cases - a few small businesses, and also for home use. Some websites, such as grc.com, stress that stealth mode (which openbsd handles with ease) is the safest. But I've also

Re: pf - drop or return - is stealth mode overrated?

2007-04-24 Thread Kian Mohageri
to a host that doesn't exist or a port that isn't actually listening. Much of that activity is simply host/port scanning. I could argue either way, but my preference is 'block drop' most of the time. -- Kian Mohageri

Re: pf - drop or return - is stealth mode overrated?

2007-04-24 Thread Kian Mohageri
On 4/24/07, Lars Hansson [EMAIL PROTECTED] wrote: Kian Mohageri wrote: I could argue either way, but my preference is 'block drop' most of the time. Hopefully most of the time does not include ICMP. It doesn't. -- Kian Mohageri

Re: sk or em

2007-04-16 Thread Kian Mohageri
cause a major bottleneck? It depends on the rate of the states changes. Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!) On our college campus with 50Mbps, we see ~8Mbps pfsync traffic. Your ratio amazes me... What type of environment is that in? -- Kian Mohageri

Re: Mail Server (seeking recommendations)

2007-04-16 Thread Kian Mohageri
. Requires a database, unfortunately, but it works with LDAP and our staff like it. http://roundcube.net/ -- Kian Mohageri

Re: safe PF start / restart

2007-04-12 Thread Kian Mohageri
script for ipfw(8) called change_rules.sh. You could probably modify it to suit your needs, but I haven't really looked at how it works, as I don't find it necessary with pf. http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/ipfw/change_rules.sh?annotate=1.2.2.5 -- Kian Mohageri

Re: any site or doc about openbsd kernel configuration, info or tweak?

2007-03-26 Thread Kian Mohageri
://www.openbsd.org/faq/faq5.html#Options -- Kian Mohageri

Re: pf.conf propagation

2007-03-20 Thread Kian Mohageri
On 3/20/07, Alexander Lind [EMAIL PROTECTED] wrote: Hello misc. Can anyone recommend a pf propagation script, intended to be used to spread changes from one carp:ed openbsd firewall to another? for host in fw1 fw2 fw3 fw4 fw5; do scp ~/master.pf.conf ${host}:/etc/pf.conf; done -- Kian

Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
saying This is terrible handling of a bug after it was fixed almost immediately. Seems some people spend very little time thanking the developers for the immediate fix and instead go straight to suggestions on how to handle their project better. -- Kian Mohageri

Re: Important OpenBSD errata

2007-03-16 Thread Kian Mohageri
On 3/16/07, Karl O. Pinc [EMAIL PROTECTED] wrote: On 03/16/2007 02:51:48 AM, Kian Mohageri wrote: Yeah. Expectations aside, being condescending is never warranted. We've all spent more time on this than it's worth, but I would appreciate it if you'd point out any condescension in my

Re: Important OpenBSD errata

2007-03-15 Thread Kian Mohageri
. -- Kian Mohageri

Re: OpenBSD 4.1 Pre-Orders...

2007-03-12 Thread Kian Mohageri
On 3/12/07, Darrin Chandler [EMAIL PROTECTED] wrote: Have you got yours yet?! Just ordered the CD set and a poster myself! -- Kian Mohageri

Re: A question on pf rules

2007-02-20 Thread Kian Mohageri
. http://www.openbsd.org/faq/pf/filter.html Also, try to use flags S/SA on all of your stateful TCP rules unless you have a good reason not to. -- Kian Mohageri

Re: State table not recovering on CARP backup machine

2007-01-15 Thread Kian Mohageri
states and I ended up putting in some rules to deal with it. Check your state table for patterns...e.g. recurring ports, addresses with unreasonable numbers of states, a lot of connections to port 2967 outside of your network, etc. -- Kian Mohageri

Re: revision control system for system administration

2006-12-19 Thread Kian Mohageri
is somewhat frightening though :) If you don't have one already, you should set up a system that does daily+ backups, depending on how often things change. -- Kian Mohageri

Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-16 Thread Kian Mohageri
On 11/15/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/11/15 09:25, Kian Mohageri wrote: On 11/14/06, Brian Keefer [EMAIL PROTECTED] wrote: FWIW I was having very similar problems with em(4) in OpenBSD 4.0-release under VMware (amd64 SMP). It would cease to recognize ARP

Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-15 Thread Kian Mohageri
knees and totally swamp my cheap switch. The same card too? -- Kian Mohageri

Re: Problem with Intel PRO/1000GT (82541GI) adaptors

2006-11-13 Thread Kian Mohageri
, unfortunately. I know there were some related changes in 4.0 though, so I'm hoping that fixes it. -- Kian Mohageri

Re: Lenovo notebooks

2006-10-26 Thread Kian Mohageri
. I dual boot FreeBSD and OpenBSD on it. I haven't run into any problems with basic functionality but I haven't tried out much in the way of power management. -- Kian Mohageri

Re: new tool: openportd

2006-10-22 Thread Kian Mohageri
/rsh. The way you authenticate is obscured a bit, but not secured. A neat project, I'll give you that. But I don't recommend it on a production server. -- Kian Mohageri

Re: OpenVPN Server and nice setting on OpenBSD

2006-10-20 Thread Kian Mohageri
going on between these machines? -- Kian Mohageri

Re: pf: 'block drop' used, but ICMP unreachables returned anyway...

2006-10-13 Thread Kian Mohageri
to be very clear and concise and I'm pretty sure his explanations will help you out. http://www.undeadly.org -- Kian Mohageri

Re: DHCP, CARP, and VLANs

2006-10-13 Thread Kian Mohageri
request comes in, DHCPOFFER does not seem to reach the client. Where is your DHCP server? Where is the DHCPOFFER being lost? Have you sniffed on the interface between the firewalls and DHCP server? The client and firewalls? -- Kian Mohageri

Re: problems using HFSC with pf

2006-10-12 Thread Kian Mohageri
On 10/12/06, S t i n g r a y [EMAIL PROTECTED] wrote: I am facing problems using hfsc with PF. Do you see anything wrong with this? Is there a bug in this? I don't mean to be rude but you *really* need to start learning how to look into these things by yourself. It will help you out a

Re: OpenBSD exists for the developers? [Was: Re: Version 4.0 release]

2006-10-10 Thread Kian Mohageri
On 10/10/06, chefren [EMAIL PROTECTED] wrote: On 10/10/06 4:46 AM, Kian Mohageri wrote: On 10/9/06, Lars Hansson [EMAIL PROTECTED] wrote: I guess you didn't understand; OpenBSD does not exist for you or me, it exists for the developers. This is a truth everybody should have

Re: Version 4.0 release

2006-10-09 Thread Kian Mohageri
On 10/9/06, Lars Hansson [EMAIL PROTECTED] wrote: Asking for code submission if you want feature x or y doesn't really float my boat. I only do some high level programming and I know nothing about kernel internals. I guess you didn't understand; OpenBSD does not exist for you or me, it

Re: 'flags S/SA keep state' now the default

2006-10-06 Thread Kian Mohageri
On 10/6/06, Ryan McBride [EMAIL PROTECTED] wrote: I've just committed code based on a suggestion made by Daniel Hartmeier to make flags S/SA keep state the default for rules. Very cool. Thank you.

Re: Letter to OLPC

2006-10-05 Thread Kian Mohageri
On 10/5/06, Ingo Schwarze [EMAIL PROTECTED] wrote: The structure of the OpenBSD project suggests that this project might be able to resist better than others. It is no company. It is no charity. It is not so small that it needs to grasp at every straw to survive. It is not so large that

Re: VPN(8) pf.conf

2006-09-13 Thread Kian Mohageri
On 9/12/06, Gustavo Rios [EMAIL PROTECTED] wrote: While reading the VPN(8) manual page, I could not figure out in what interface context the following line applies: # Pass encrypted traffic to/from security gateways pass in proto esp from $GATEWAY_B to $GATEWAY_A pass out proto esp from

syncing pf tables

2006-08-29 Thread Kian Mohageri
Hello, I was just curious if any of you sync pf tables between hosts, and how you do it. I know it may be considered abusing tables, but in our setup, we hold a list of registered clients within tables (which are updated dynamically by scripts). We also use carp (and soon pfsync) for failover.

Re: syncing pf tables

2006-08-29 Thread Kian Mohageri
On CARP'd machines, it can be kinda handy, make a quick change on the primary, test it, if it works, run the script. If it doesn't, you can easily revert it by simply running the script on the standby machine. Nick. Ah...that is a pretty cool idea. I was more curious about dynamically

Re: NFS over 2 PF firewalls with CARP/pfsync

2006-08-17 Thread Kian Mohageri
On 8/17/06, Alastair Johnson [EMAIL PROTECTED] wrote: I have 2 OpenBSD 4.0beta firewalls arranged in a CARP failover configuration with PFsync. It seems to work very well for everything except NFS. My ssh, remote desktop and telnet connections seem to survive a failover very nicely. I've

Re: saslauthd issue?

2006-08-08 Thread Kian Mohageri
On 8/7/06, J Moore [EMAIL PROTECTED] wrote: On Mon, Aug 07, 2006 at 10:51:02PM -0700, the unit calling itself Kian Mohageri wrote: B14xVu: Undefined variable. where B14xVu is a fragment of the password. The full password was: V$B14xVu I tried this on other user/password

Re: saslauthd issue?

2006-08-07 Thread Kian Mohageri
B14xVu: Undefined variable. where B14xVu is a fragment of the password. The full password was: V$B14xVu I tried this on other user/password combinations, and got reasonable results. But the $ char seems to cause a problem consistently. In all other cases, the result was either: Have you

Re: PF redirect to another IP on LAN

2006-07-29 Thread Kian Mohageri
Wouldn't this do the trick? rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103 Redirect any port 80 traffic originally meant for me to 192.168.1.103 Yes, but why are you asking if you already have the answer? As stated in the man page, your traffic will also need to

Re: Carp/Pfsync problem

2006-07-20 Thread Kian Mohageri
Change 'syncif' to 'syncdev' in your hostname.pfsync files. Also, out of curiosity, why are there two CARP addresses between the workstation and firewalls? Kian On 9/20/06, Tim Pushor [EMAIL PROTECTED] wrote: Hi friends, I am trying to set up my first firewall w/failover via carp pfsync. I

Re: Web mail

2006-07-19 Thread Kian Mohageri
http://www.roundcube.net/ It is pretty new still, but I replaced SquirrelMail with it because SquirrelMail is terrible. People seemed to like the change. Very simple to configure, and it's pretty. -Kian On 7/19/06, Bachman Kharazmi [EMAIL PROTECTED] wrote: [EMAIL PROTECTED]:~/ pkg_info

Re: ping: sendto: No buffer space available

2006-07-14 Thread Kian Mohageri
On 7/14/06, Jason Dixon [EMAIL PROTECTED] wrote: We have an OpenBSD 3.8 firewall that has been in production for the last six months. Until the last week or two, everything has been great. Recently while diagnosing a problem with the bonded T1 pair, I noticed the following error while

Re: testing max tcp connections

2006-07-11 Thread Kian Mohageri
On 7/10/06, Lawrence Horvath [EMAIL PROTECTED] wrote: I'm using an OpenBSD 3.9 server and a FreeBSD 6.1 server on either end of a firewall to test throughput and max open connections of the firewall. I tested throughput with netstrain(d) but I'm unsure how to test the max open connections,

internal em(4) NIC stuck in OACTIVE on 3.9

2006-06-28 Thread Kian Mohageri
I have been experiencing an issue lately where the internal NIC of our firewall stops passing traffic until the interface is manually restarted (or machine rebooted). This happens to whichever machine is MASTER of the carp(4) group, but seems to only ever happen to the internal interface though

Re: Router with NAT and DMZ host

2006-06-01 Thread Kian Mohageri
# DMZ Host rdr on $red_if proto tcp from any to any port $dmz_ports -> $dmz_host This doesn't look right. If you redirect all connections on those ports to the DMZ host, how do you expect your router to receive replies to those unprivileged ($dmz_ports) ports for stuff like web browsing?

Re: Spam Trapping

2006-06-01 Thread Kian Mohageri
Maybe you're really looking for something like spamd: http://www.openbsd.org/spamd/ Much more effective than a trap e-mail address in my opinion? Kian On 6/1/06, Mike Spenard [EMAIL PROTECTED] wrote: What are some thoughts on purposely getting a spam trap email address acquired by spammers

Re: exploit for openbsd 3.9 php 4.4.1p0/5.0.5p0

2006-05-03 Thread Kian Mohageri
they install files directly to ${LOCALBASE} -- Kian Mohageri ResTek, Western Washington University [EMAIL PROTECTED]

Re: Linksys support... hmm

2006-05-01 Thread Kian Mohageri
Sorry - never mind. I cracked open my case after I got home to verify, and I'm using a v4. v5 must be really new then, because I bought this just a few weeks ago. Kian Kian Mohageri wrote: Maybe someone on the mailing list can provide me with an answer to: 1. Can v5 of the card be used

Re: Linksys support... hmm

2006-04-30 Thread Kian Mohageri
:57:1e:59 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 Hope that helps. -- Kian Mohageri Western Washington University