Re: Native EFI Bootloader Support

2015-09-05 Thread Ryan McBride
On Fri, Sep 04, 2015 at 11:22:48AM -0700, Chris Cappuccio wrote: > Since the purpose of Secure Boot provides little to no benefit to users > (in fact quite the opposite), the question becomes why? > For paranoid softraid crypto users who are concerned about a modified

Re: MinnowBoard MAX

2015-02-22 Thread Ryan McBride
On Mon, Jul 28, 2014 at 08:28:04PM -0500, Stan Gammons wrote: A fellow from Intel told me they are coming out with Coreboot firmware for the Minnowboard max, no ETA other than soon, and he didn't know if any of the BSD's would work with it. He said the forthcoming FreeBSD 11 almost boots with

Re: Goodbye to you my file descriptor - take 3

2012-12-30 Thread Ryan McBride
On Mon, Dec 31, 2012 at 04:53:15PM +1100, Aaron Mason wrote: Ok, I just tried freeing NULL, and it did nothing. Granted it was on a Linux system but still... free() handles a NULL pointer by doing nothing, and it will behave this way on any POSIX-compliant system. However, on an OpenBSD

Re: Low latency High Frequency Trading

2012-11-09 Thread Ryan McBride
My immediate reaction is don't do it, but on the other hand I've never known people for whom 'money is not a problem' to shy away from something because of boring concerns like security. So... Software: Basically, to do this correctly you need to parse all the packets running in both directions

Re: Low latency High Frequency Trading

2012-11-09 Thread Ryan McBride
On Fri, Nov 09, 2012 at 04:14:28PM +0100, Ariel Burbaickij wrote: What is the rationale behind this statement: ... - CPU: maximum SINGLE CORE turbo speed. Disable the other cores, they're not helping you at all...? OpenBSD doesn't run multiprocessor inside the kernel, so SMP provides no

Re: Low latency High Frequency Trading

2012-11-09 Thread Ryan McBride
On Fri, Nov 09, 2012 at 06:27:06PM +0200, Dan Shechter wrote: I can do some assumptions regarding the TCP flow and its origins. It's coming from the stock exchange over IPSEC gateways over leased lines. I think I can trust the origin of the flow. At least I can trust it as much as the off the

Re: IPSEC VPN performance

2012-10-02 Thread Ryan McBride
On Tue, Oct 02, 2012 at 09:59:05AM +0200, Christiano F. Haesbaert wrote: Why not using tcpbench where you can actually specify the parameters and know what is going on :). Play with buffer sizes and you'll see a big difference, using -u will give you the actual PPS. I agree with this.

Re: IPSEC VPN performance

2012-09-28 Thread Ryan McBride
600Mbps seems about right, I tested a pair of E5649-based boxes to 550Mbps last year (with aes-128-gcm): http://marc.info/?l=openbsd-miscm=134033767126930 You'll probably get slightly more than 600 with multiple TCP streams. Assuming PF was enabled for your test (the default

Re: net.inet.ip.ifq.maxlen was WARNING: mclpools limit reached; increase kern.maxclusters and paquet lost

2012-08-30 Thread Ryan McBride
On Wed, Aug 29, 2012 at 12:54:18PM -0400, Michel Blais wrote: How much can I increase net.inet.ip.ifq.maxlen ? I'm now at 2048 and still seeing an increase in net.inet.ip.ifq.drops. This morning, it was at 21280 and now at 21328. A little bit of congestion increase is not the end of the world,

Re: Does pfsync require same firewall rules on each fw?

2012-06-29 Thread Ryan McBride
On Fri, Jun 29, 2012 at 01:20:49PM +0200, Martin Pelikan wrote: 2012/6/29 Matt Hamilton ma...@netsight.co.uk: Does pfsync require firewalls to have the same firewall rules on all hosts in the sync group? pfsync only synchronizes states. Which rules created them is irrelevant. This

Re: how to configure DHCP on trunk interfaces ?

2012-06-27 Thread Ryan McBride
$ cat /etc/hostname.trunk0 dhcp trunkport em0 trunkport iwn0 trunkproto failover Only annoyance is the iwn0 device doesn't attach to the trunk properly if I boot with the wifi hardware switch turned off. iwn0: radio is disabled by hardware switch On Wed, Jun 27, 2012 at 05:04:26PM +0600,

Re: ipsec tunnel speeds

2012-06-21 Thread Ryan McBride
100Mb/s with aes-128 / hmac-sha1 on hw.model=Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) hw.vendor=Dell Computer Corporation hw.product=PowerEdge 1850 550Mb/s with aes-128-gcm (requires AES-NI and amd64) on hw.model=Intel(R) Xeon(R) CPU E5649 @ 2.53GHz hw.vendor=HP hw.product=ProLiant

Re: pf-smp alpha on freebsd

2012-06-18 Thread Ryan McBride
No, there is no single mutex around PF specifically in OpenBSD, the whole kernel is wrapped in a biglock. I think if they work out all the nits and dead-ends we may have something to learn from this effort, but I don't see this code coming back to OpenBSD. It's not critical because they can

Re: pfsync: deferred packets exit on wrong interface

2011-12-17 Thread Ryan McBride
Are you using route-to in your configuration? This has been partly fixed in -current; if the route-to rule is matching on an outbound packet the deferred packet will be routed correctly. It is still broken in the case where route-to is on the inbound path; this is trickier to fix and I'm still

Re: Hardware for 1Gbps IPsec

2011-10-15 Thread Ryan McBride
On Tue, Oct 11, 2011 at 04:03:48PM +0200, BARDOU Pierre wrote: I'm looking for hardware capable of doing 1bgps IPsec, under OpenBSD of course. Do you think it is possible with a brand new high end server and their new instructions (AES/NI and/or AVX) ? Currently I don't think you'll be able

Re: Time interval based pf rule

2011-09-02 Thread Ryan McBride
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote: Okay guys. Thanks for the suggestion. On 2 September 2011 09:26, Stefan N stefanbsd...@yahoo.com wrote: anchors + crontab as Peter suggested is an easy alternative. Depending on what exact effect you want to achieve, you can maybe

Re: fresh Thinkpad x220 - possibly new iwn variant

2011-08-27 Thread Ryan McBride
You and anyone else with an x220 want to be running -current, not the Aug 17 snapshot. Do a CVS checkout and make build, it shouldn't take long, especially with a nice SSD like that. (I don't know that it will fix this specific problem - I don't have one - but it will definitely help other

Re: Expected throughput in an OpenBSD virtual server

2011-08-24 Thread Ryan McBride
On Wed, Aug 24, 2011 at 07:00:09PM +0200, Per-Olov Sjöholm wrote: - SMP worse. Really sucks! _Dramatically_ reduced throughput. This is probably a result of you testing a virtualised guest rather than real hardware. - One processor core (as most of my tests have used) An improvement, but

Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Ryan McBride
On Tue, Aug 23, 2011 at 09:10:05AM +0200, Per-Olov Sjöholm wrote: If you please will explain how baddynamic and avoiding certain ports will affect what we are talking about... Naaahh lets forget that section I believe people are referring to the text above that: One goal of OpenBSD is

Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Ryan McBride
On Tue, Aug 23, 2011 at 10:42:59AM +, Stuart Henderson wrote: On 2011-08-22, Per-Olov Sjöholm p...@incedo.org wrote: MCLGETI ?? Is it in if_em.c if I want to see how it is implemented? it's in various files, see mbuf(9) and look for videos/slides from talks by dlg (David Gwynne),

Re: Recovery FFS formatted partition

2011-08-18 Thread Ryan McBride
On Wed, Aug 17, 2011 at 11:30:05PM +0200, Pablo Velasco Fernández wrote: Hi all. Is it possible to recover an FFS partition? During my last OpenBSD installation I formatted by mistake my second hard disk with all my videos, texts, pictures etc... Thank you for your attention. In the past I've used

Re: PF tcp sessions/s rate evaluation

2011-08-16 Thread Ryan McBride
There is not much to tweak, performance-wise. OpenBSD avoids such buttons like the plague, and besides: benchmarks should be run with a stock install, which is what 99% of users are going to be doing as well. You can try looking at the output of 'pfctl -si' and see if any of those is increasing a

Re: PF tcp sessions/s rate evaluation

2011-08-16 Thread Ryan McBride
to up to 90% of total memory. I don't want to make a hasty conclusion, so I'll keep searching.. Ryan McBride mcbr...@openbsd.org wrote: There is not much to tweak, performance-wise. OpenBSD avoids such buttons like the plague, and besides: benchmarks should be run with a stock install

Re: ping got incorrectly caught by pf

2011-07-12 Thread Ryan McBride
Thanks for pointing this out, it was an oversight in the recent changes to pf_test_rule(). I recommend specifying explicitly the correct protocols if you're wanting to match by user/group/os fingerprints. block return out log proto { tcp, udp } all user = 1002 If you'd like, you can

Re: VLANs on bridge

2011-06-24 Thread Ryan McBride
On Thu, Jun 23, 2011 at 01:21:06PM -0700, Chris Cappuccio wrote: Unfortunately I'm not sure that the vlan driver can easily layer on top of trunk, a few tweaks may be required to make it work properly unless it mirrors if_capabilities from the parent interface (which isn't clear to me after

Re: network bandwith with em(4)

2011-03-12 Thread Ryan McBride
On Sat, Mar 12, 2011 at 06:29:42PM -0800, Chris Cappuccio wrote: Are you suggesting that because you have a quad-port gig nic, your box should be able to do 6 *million* packets per second? By that logic my 5-port Soekris net4801 should be able to handle 740kpps. (for reference, the net4801

Re: network bandwith with em(4)

2011-03-10 Thread Ryan McBride
On Thu, Mar 10, 2011 at 12:18:32PM +, Tom Murphy wrote: I had a pair of Dell PowerEdge R200s that have both em(4) and bge(4)s in them, however, it's the em(4) doing the heavy lifting. Roughly 30-40 megabits/s sustained and doing anywhere between 3000-4000 packets/s. On OpenBSD 4.4,

Re: network bandwith with em(4)

2011-03-05 Thread Ryan McBride
On Fri, Feb 25, 2011 at 08:40:10PM +0100, Manuel Guesdon wrote: systat -s 2 vmstat: 3.2%Int 0.1%Sys 0.0%Usr 0.0%Nic 96.8%Idle ||||||||||| The numbers presented here are

Re: network bandwith with em(4)

2011-03-04 Thread Ryan McBride
On Thu, Mar 03, 2011 at 03:52:54PM +0100, Manuel Guesdon wrote: Of course and s/OpenBSD/FreeBSD/ may help too but none of these proposals seems very constructive. If you think that you'd be better served by FreeBSD, please go ahead and use that instead. | I think we already mentioned it that

Re: network bandwith with em(4)

2011-03-02 Thread Ryan McBride
On Mon, Feb 28, 2011 at 12:49:01PM +0100, Manuel Guesdon wrote: OK. Anyway NIC buffers restrict buffered packets number. But the problem remains: why a (for example) dual Xeon E5520@2.27GHz with Intel PRO/1000 (82576) can't route 150kpps without Ierr :-) http://www.oxymium.net/tmp/core3-dmesg

Re: network bandwith with em(4)

2011-02-28 Thread Ryan McBride
On Mon, Feb 28, 2011 at 12:49:01PM +0100, Manuel Guesdon wrote: OK. Anyway NIC buffers restrict buffered packets number. But the problem remains: why a (for example) dual Xeon E5520@2.27GHz with Intel PRO/1000 (82576) can't route 150kpps without Ierr :-) http://www.oxymium.net/tmp/core3-dmesg

Re: network bandwith with em(4)

2011-02-25 Thread Ryan McBride
On Fri, Feb 25, 2011 at 02:05:30PM +0100, Patrick Lamaiziere wrote: On Fri, 25 Feb 2011 13:51:32 +0100, Patrick Lamaiziere patf...@davenulle.org wrote: (ooops, pushed the wrong button) How about a _full_ dmesg, so someone can take a wild guess at what your machine is capable of?

Re: network bandwith with em(4)

2011-02-24 Thread Ryan McBride
On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote: I log the congestion counter (each 10s) and there are at max 3 or 4 congestions per day. I don't think the bottleneck is pf. The congestion counter doesn't directly mean you have a bottleneck in PF; it's triggered by the IP

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Ryan McBride
On Tue, Feb 01, 2011 at 02:22:25PM +0530, Indunil Jayasooriya wrote: I have 3 web servers running on port 8080 behind a PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to the *highlighted BOLD* rules. They are

Re: pf commands to discuss

2011-01-20 Thread Ryan McBride
On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote: my question is that How can I exclude my firewall from being able to do it ? I'm really not sure why you don't want the firewall to be able to traceroute. (hint: if you can't trust the users on your firewall to behave

Re: PF and States

2010-12-08 Thread Ryan McBride
On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote: We are seeing the issue again and I am writing a script to get the pfctl -vvsi data at regular intervals. Can you please point me to what values I should be looking out for? You want to look for any of the counters in the Counters

Re: PF and States

2010-12-03 Thread Ryan McBride
On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote: 1. Do I need pf for relayd when I am not doing redirects? I don't think so, but this is easy for you to test... 2. How many states can I really have on a box that has 4 gig ram? More than 100,000. I haven't tested lately (planning to

Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Ryan McBride
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote: May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table. You can look at sysutils/tabled in

Re: pf synproxy

2010-07-28 Thread Ryan McBride
On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote: Confirmed - synproxy works great if the synproxy machine is the default gateway for the end host. Yes, PF has to handle every packet of a synproxy'd connection. Sadly this means scalability (adding multiple synproxy boxes) is not

Re: pfctl from today seems to be somehow messed up / DIOCSETSTATUSIF

2010-07-01 Thread Ryan McBride
This sounds a lot like a kernel/userland mismatch. Please update both kernel and userland from the same snapshot and try again. On Thu, Jul 01, 2010 at 03:33:56AM +0200, Laurent CARON wrote: Hi, I did upgrade one of my BGP routers today with latest current. Upon reboot I have no network.

Re: pfctl from today seems to be somehow messed up

2010-07-01 Thread Ryan McBride
On Thu, Jul 01, 2010 at 10:15:26PM +0200, Laurent CARON wrote: This incidentally made my other router (running openBGPd) crash with: uvm_fault(0x80cc7320, 0xdeafb000, 0, 1) - e page fault trap, code=0 Stopped at pfsync_in_clr+0x123: movq 0x10(%rbx),%rax

Re: Removing pf_pool

2010-01-12 Thread Ryan McBride
On Tue, Jan 12, 2010 at 11:11:54PM -0500, Pascal Lalonde wrote: I just caught the following from openbsd-cvs: http://marc.info/?l=openbsd-cvsm=126326657232193w=2 If my understanding is correct, this means that it will become impossible to emulate weighted round robin with constructs like

Re: pf n00b

2009-10-31 Thread Ryan McBride
On Sat, Oct 31, 2009 at 03:00:41PM -0600, ghe wrote: I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the documentation is even pretty decipherable, but I'm still a little confused by pf. I managed to build a trivial filter, but there are a few things I don't understand. I

Re: OpenBSD a la NanoBSD ?

2009-10-16 Thread Ryan McBride
On Fri, Oct 16, 2009 at 10:58:53AM +0200, k...@oav.net wrote: I love OpenBSD, and I really would like to set up a small OpenBSD distribution on a USB stick to make cheap OpenBGPd routers. Is there any project that is officially supported by the OpenBSD team? Do the regular OpenBSD install, selecting

Re: Where is Secure by default ?

2009-03-22 Thread Ryan McBride
On Mon, Mar 09, 2009 at 04:50:51PM +0100, Felipe Alfaro Solana wrote: ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND. SeND will not be coming to OpenBSD any time soon. http://www.ietf.org/rfc/rfc3971.txt http://www.ietf.org/rfc/rfc3972.txt 80 pages across two RFCs for

Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-11 Thread Ryan McBride
On Mon, Aug 11, 2008 at 01:14:53PM +0200, Marco Fretz wrote: How odd. I know at least one site that runs all of their BGP off of OpenBGP on OpenBSD boxes that are dedicated as routers. In all cases, these systems outperform the equivalent Cisco hardware for a fraction of the cost. Forget

Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Ryan McBride
synproxy in pf already makes sure the 3-way handshake completes before the connection is completed on the other side; rate limiting can also be done on the OpenBSD firewall, so it's not clear why you would need an extra box there. The bigger problem with DDoS attacks is that the upstream pipe is

Re: Huawei E220 on ALIX

2008-07-16 Thread Ryan McBride
On Wed, Jul 16, 2008 at 10:24:36PM +0200, Martin Schmitt wrote: I'm trying to use a Huawei E220 UMTS USB modem on an ALIX, using OpenBSD Flashdist 20080504. Please try this with the GENERIC kernel, and report back to us if you still have a problem.

Re: PF and Binat

2008-07-15 Thread Ryan McBride
On Mon, Jul 14, 2008 at 10:28:18PM -0700, Parvinder Bhasin wrote: Filtering happens AFTER translation, so you need to filter on the real addresses of the hosts, not the alias addresses. Hmm by real ip do you mean internal ips of the servers?? Yes.

Re: PF and Binat

2008-07-14 Thread Ryan McBride
On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote: When I try to add the external ips as aliases on my external interface, it works fine. Isn't the BINAT statement sufficient??? do i have to use aliases??? Unless the addresses are being routed to the firewall in question, yes,

Re: PF and Binat

2008-07-14 Thread Ryan McBride
On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote: Actually Ryan, when I do the aliases way , do I still need the binat statements? because when I use aliases and binat statements together, it doesn't work. Without the binat statements and with aliases everything works

Re: your mail

2008-07-02 Thread Ryan McBride
On Wed, Jul 02, 2008 at 03:52:26AM -0700, kavitha reddy wrote: very recently I bought openBSD 4.2 (pack of 3 CDs). Now, as a part of my research work I am interested to know whether it is possible to show DoS attacks in openBSD 4.1. If so let me know how that can be possible. As you said when a

Re: modulate state not working with snapshot from 01.07.2008 on i386

2008-07-02 Thread Ryan McBride
On Wed, Jul 02, 2008 at 04:19:21PM +0200, Michael wrote: topic says all I guess... if you need more details please let me know. Well, with a bug report as detailed as this all I can say is it's probably been fixed, try a new snapshot.

Re: Anyone from this list at BlackHat or DefCon? And a query...

2008-06-26 Thread Ryan McBride
On Thu, Jun 26, 2008 at 09:37:28AM +0530, Amarendra Godbole wrote: It would be a pleasure meeting folks on this mailing list, including OBSD developers' at BH or DefCon. Thanks. The great majority of OpenBSD developers are from outside the United States, and I would guess that most of us prefer

Re: sloppy states and dsr

2008-06-20 Thread Ryan McBride
On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote: Yes, you use sloppy state only on the host(s) seeing half of the traffic. So to say it even more plainly... anywhere you are forced to deal with asymmetric routing you can use sloppy state in place of not having any stateful

Re: use boot.conf boot into GENERIC.MP with the 5 second pause at boot-time

2008-06-16 Thread Ryan McBride
On Mon, Jun 16, 2008 at 05:19:16PM +0800, Dongsheng Song wrote: How can I default boot into GENERIC.MP, and not remove the 5 second pause at boot-time? Use the following in your boot.conf: set image bsd.mp man boot.conf for more details...

Re: use boot.conf boot into GENERIC.MP with the 5 second pause at boot-time

2008-06-16 Thread Ryan McBride
On Mon, Jun 16, 2008 at 11:28:36AM +0200, Michiel van Baak wrote: How can I default boot into GENERIC.MP, and not remove the 5 second pause at boot-time? cd / mv bsd bsd.up mv bsd.mp bsd reboot This is not really good advice, because it breaks next time you accidentally copy the wrong

Re: Development at the hackathon

2008-06-11 Thread Ryan McBride
On Tue, Jun 10, 2008 at 11:19:46PM -0700, Aaron Glenn wrote: Is there a particular time of day most changes are committed (like pre-dinner) or should we sync and build at whim? People are working pretty much all the time, though you may notice a slight decrease in commit rate around beer

Re: Incorrect pfctl -vvq s Output

2008-04-08 Thread Ryan McBride
On Tue, Apr 08, 2008 at 07:04:31PM -0600, Daniel Melameth wrote: 8.25Kb/s? I know this is 1Kb/s so what's going on? Is this just an inaccuracy in the pfctl output or does altq really think I'm moving 8Kb/s? I assume it's the former as pftop appears to get it right: Make sure you're paying

Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-24 Thread Ryan McBride
On Mon, Mar 24, 2008 at 12:15:55AM -0700, Bryan Irvine wrote: having also not read the book, my guess would be that a transparent proxy + firewall would increase security because people don't have the option to run SSH tunnels via the HTTP port. A good example would be years ago I ran a

Re: Setting up a HA server with limited resources

2008-03-23 Thread Ryan McBride
On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote: I would like to reach a state, if possible, in which load balancing is performed, but at the same time, if one machine fails, the other will automatically take over. I believe this setup is also very useful when deploying updates.

Re: dvorak key layout

2008-03-16 Thread Ryan McBride
On Sun, Mar 16, 2008 at 02:57:23PM +1030, Timothy Wilson wrote: Maybe this is new in 4.3 or 4.2? I don't have this option in 4.1. I guess I should upgrade :) Are you sure you're looking in the right place? $ uname -a OpenBSD foo 4.1 GENERIC.MP#0 i386 $ which kbd /sbin/kbd

Re: dvorak key layout

2008-03-15 Thread Ryan McBride
On Sun, Mar 16, 2008 at 12:47:48PM +1030, Timothy Wilson wrote: I was wondering how I can use a dvorak keyboard on the console? I've googled, but I can only find how to's for X11, or for 2.x OpenBSD. I'm sure its something simple in rc.conf (.local!), but I can't find it. Any help would be

Re: FIPS 140-2

2008-03-12 Thread Ryan McBride
On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote: On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote: Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable? No. Furthermore, there are no FIPS 140-2 certified bits - it is an entire package that is certified, you

Re: More questions on building a release with a read only source tree

2008-02-25 Thread Ryan McBride
On Sun, Feb 24, 2008 at 11:27:31PM -0800, Don Jackson wrote: I would like make release to use [ a ] read only source tree I use lndir(1) to accomplish this. Check your source tree out somewhere else, and use lndir to make a 'copy' in /usr/src. Build from there, no other magic required.

Re: USB WLAN dongles

2008-01-24 Thread Ryan McBride
On Thu, Jan 24, 2008 at 10:11:14AM +0100, Pau Amaro-Seoane wrote: I was thinking, as somebody in the thinkpad forum suggested, of an USB WLAN dongle, but one of those with an external antenna that is connected through a standard (typically: Reverse) SMA-connector. Next, get a sufficiently

Re: More than 255 vhid's w/ CARP

2007-12-05 Thread Ryan McBride
On Wed, Dec 05, 2007 at 01:00:11PM +0100, SeDoFa wrote: It's true, but this can't solve any problems. In my case I have a /16 subnet and I need to nat every single IP to a different IP, for a total amount of about 400 IPs. Same subnet, same interface, redundant firewall with carp. Is there

Re: OT: mail retrieval software

2007-08-01 Thread Ryan McBride
On Tue, Jul 31, 2007 at 09:59:23PM +0100, poncenby wrote: Grateful if anyone could recommend a mail retrieval program which does not require a local SMTP service like fetchmail does. How about fetchmail? (with procmail / maildrop / whatever) poll mailserver protocol imap service 993:

Re: Intel xeon fails to boot with 4.1 release

2007-07-04 Thread Ryan McBride
On Wed, Jul 04, 2007 at 10:03:20AM -0700, Austin Hook wrote: Thanks for the pointer to some stable binaries, however it's too old for me. I guess I will try with current snapshot and build stable 4.1 if I need it. If the problem is entirely a kernel issue, until 4.2-beta you should be able to

Re: openbsd 4.1 and keep state

2007-06-28 Thread Ryan McBride
On Thu, Jun 28, 2007 at 02:56:33PM +0100, Stuart Henderson wrote: On 2007/06/28 15:45, Huzeyfe ONAL wrote: Use no state in your rule. and 'flags any' if it's TCP. You can set this explicitly if you'd like, but it's not necessary: pfctl only applies 'flags S/SA' by default if the rule is

Re: Packets Per Second Limit?

2007-05-31 Thread Ryan McBride
On Thu, May 31, 2007 at 03:43:56PM -0700, [EMAIL PROTECTED] wrote: We're nearing the 8300pps mark so I was worried? But should I be? You're fine. The 8300pps mark is not an upper limit, it's the best case for a full 100Mbit ethernet link (ignoring jumbograms). Because the majority of my

Re: PFSYNC

2007-05-26 Thread Ryan McBride
On Sat, May 26, 2007 at 09:36:48AM +0200, Alberich de megres wrote: I know i repeat myself, but that's important for me: my pf isn't syncing tables i create. Can I solve this? Write a tool that synchronises your tables. The pfsync protocol as it stands is not an appropriate protocol for

Re: Carp source routing ?

2006-11-27 Thread Ryan McBride
On Mon, Nov 27, 2006 at 12:16:13PM -, Pedro Hugo wrote: Is it possible to send packets with the carp address as the source address ? You have a few options: - Have the process bind to the carp address only (most daemons allow this to be configured as do some userland tools such as nc and

Re: Firewall partially failing with high traffic

2006-11-14 Thread Ryan McBride
At 2006-11-14 13:03:51, Chris Cameron wrote: I can't (easily) give direct output from things like ifconfig or pf.conf as they're both huge and contain information I've been told we don't want to send out. Hopefully this doesn't prevent anyone from helping me out. If it's a problem with carp,

Re: video hardware determination

2006-11-08 Thread Ryan McBride
On Wed, Nov 08, 2006 at 10:08:14PM -0500, Michael Hernandez wrote: When I got home... I looked... and low and behold... X was running just fine, and there was no xorg.conf to be found. Is that expected behavior? Of course not... Actually, that IS the expected behaviour from X now. It

Re: vmware keyboard problem.

2006-11-01 Thread Ryan McBride
On Wed, Nov 01, 2006 at 04:50:50PM -0500, Der Engel wrote: VMware Workstation 3.2.1 is like a bit old don't you think? When can we expect your patches to make VMWare Workstation 5.* work on OpenBSD?

Re: OpenBSD AJAX

2006-10-24 Thread Ryan McBride
On Tue, Oct 24, 2006 at 12:55:09AM -0500, Sam Fourman Jr. wrote: is it possible to have a AJAX enabled Website hosted on OpenBSD? Yes the reason why I am asking is because Apache is version 1.3.x (due to licencing issues). if not Maybe there is another http server that would support it?

Re: OpenBSD AJAX

2006-10-24 Thread Ryan McBride
On Tue, Oct 24, 2006 at 10:42:25AM +0200, Magnus Bodin wrote: On Tue, Oct 24, 2006 at 01:30:02AM -0500, Sam Fourman Jr. wrote: my next question is Would it be Possible to use AJAX from a CGI made with C running from Apache that Ships w/ OpenBSD? Yes. C, INTERCAL, ksh. Any application

Re: new LiveCD instructions for OpenBSD

2006-10-24 Thread Ryan McBride
On Tue, Oct 24, 2006 at 02:37:05PM +0200, Andreas Bihlmaier wrote: On Tue, Oct 24, 2006 at 08:25:52AM +0900, vladas wrote: On 10/24/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote: Is this LiveCD/DVD reliable enough to send in dmesg's from it? Excuse me, but I don't see a point in posting a

Re: PF binary search tree

2006-10-19 Thread Ryan McBride
On Thu, Oct 19, 2006 at 01:09:57PM -0600, Breen Ouellette wrote: From: Daniel Hartmeier (danielbenzedrine.cx) pf uses a binary search tree instead of a hash table, which doesn't require pre-defining a maximum size. The tree will just grow until memory allocation fails. With 64MB RAM that

Re: carp(4) debugging

2006-10-10 Thread Ryan McBride
On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote: Certainly a way to log events (interfaces, etc.) and the resulting actions taken by the code would be useful in mission critical environments. Anything beats tcpdump 'proto carp' and making guesses from there. Nothing new to

Re: WLAN-Sec-Tools for OpenBSD?

2006-10-10 Thread Ryan McBride
On Tue, Oct 10, 2006 at 08:31:25PM -0500, Sam Fourman Jr. wrote: for what is it worth I would like to say thank you for porting kismet, I use it all the time, because I do not know of another tool to scan for available AP's ifconfig -M dstumbler (in security/bsd-airtools)

Re: Loading pf rules at boot with '-o' flag to pfctl...

2006-10-08 Thread Ryan McBride
On Sun, Oct 08, 2006 at 01:53:42AM -0400, Martin Gignac wrote: Is there any plan to add a variable in /etc/rc.conf to achieve this, or is using '-o' during boot considered a bad thing? The plan is to make it possible to specify the optimization level directly in the pf.conf file (which one

'flags S/SA keep state' now the default

2006-10-06 Thread Ryan McBride
I've just committed code based on a suggestion made by Daniel Hartmeier to make flags S/SA keep state the default for rules. NOTE: This change is in -current only, and does not apply to the 4.0 release. These changes make pf rulesets significantly cleaner, improving readability. More

Re: FTP Account Lockout

2006-10-06 Thread Ryan McBride
The company I work for is required to get PCI (Payment Card something-or-other) certified in order to keep doing some of the things that we are doing with credit card payments. Payment Card Industry Data Security Standard [snip] However, now that we need this cert, one of the few things

Re: CARP Backup Interfaces

2006-10-04 Thread Ryan McBride
On Wed, Oct 04, 2006 at 10:18:21AM +0200, Joachim Schipper wrote: I have two firewalls running CARP and pfsync for high availability. The physical interfaces do not have IP addresses, only the CARP interface do. The problem is is that the backup CARP interface still needs to be able to

Re: More than 255 vhid's w/ CARP

2006-08-09 Thread Ryan McBride
On Wed, Aug 09, 2006 at 07:33:08PM -0400, Jason Dixon wrote: Unless you're using more than 255 VLANs (unlikely), you don't need that many vhids. Also, if the carp(4) devices are connected on different VLANs (distinct layer 2 segments), you can use the same vhid on multiple interfaces.

Re: carp in PF interface context.

2006-08-08 Thread Ryan McBride
On Tue, Aug 08, 2006 at 12:33:23PM +0200, Henning Brauer wrote: Why the carp interface cannot be used in context of the interface? well, because it is that way. Because of the way that the routing currently works, if both the carpdev 'physical' interface and the carp interfaces have

Re: kernel settings for pf default block

2006-07-05 Thread Ryan McBride
On Wed, Jul 05, 2006 at 02:36:44AM -0400, Nick Guenther wrote: #pftcl -f all echo block all | pfctl -f - then the switch over to the new ruleset is pretty snappy and hardly enough time for any malicious packets to get through. Flushing the ruleset is totally unnecessary when loading a new

Re: carp with hosts in different vlans

2006-07-03 Thread Ryan McBride
On Mon, Jul 03, 2006 at 04:58:09PM +0200, Sebastian Reitenbach wrote: I can setup a tunnel between both hosts, and route the multicast packets through the tunnel and then have the IP address shared between the two hosts? No. CARP does not accept packets that have crossed a router, to prevent

Re: FW: Ntop, Nw. Board Mfg, and CARP

2006-06-26 Thread Ryan McBride
On Sun, Jun 25, 2006 at 01:55:24PM -0400, Barry, Christopher wrote: display format of the host. One selection is network board manufacturer, based on MAC allocation I'm guessing. My CARP interface says the mfg is U.S. Department of Defense. CARP uses the same MAC address range as VRRP.

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ryan McBride
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: On 21/06/06, Joco Salvatti [EMAIL PROTECTED] wrote: So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel module. The attacker cannot load a malicious

Re: arpbalance + pfsync

2006-03-26 Thread Ryan McBride
On Mon, Mar 27, 2006 at 12:32:31PM +0900, Jason Stubbs wrote: Same main question as in the last thread I posted to, but without any of the distractions. Can a pair of redundant firewalls be used with arpbalance without being affected by the state race? It should work fine with arpbalance, as

Re: Pf questions for larger implementation

2006-02-22 Thread Ryan McBride
On Wed, Feb 22, 2006 at 08:39:36PM -0500, Nick Holland wrote: Steve D. wrote: Hi, I'm setting up a gateway (1.7 Ghz machine with 1 Gig of ram) for 700+ users using pf with NAT and BINATs (90% NAT). I would like to know if anyone has any recommendations on tweaking the runtime options

Re: carp + no ip address on iface (only master can receive acks)

2005-11-17 Thread Ryan McBride
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote: ok, now this makes sense, how is the next hop meant to send packets back? it sends them to the mac address the carp0 is broadcasting, which the master happily accepts, only to see it's not in its state table, and drops it. the

Re: pf beginner: my firewall passes tcp but not icmp

2005-11-04 Thread Ryan McBride
On Fri, Nov 04, 2005 at 07:22:33PM +1100, Cameron Simpson wrote: I was imagining the keep state stuff handled that. So - for my mental model - a packet being forwarded traverses the rules twice: once on the way in and once on the way out? Yes. Well I'd reduced my test to pinging the firewall

Re: carp incorrect hash debugging

2005-11-03 Thread Ryan McBride
On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote: 1) used to determine that a particular carp packet is intended for your carp host? carp(4) does a number of validity checks before treating the packet as a real carp packet: - was the packet received on an interface that has a

Re: arpbalance bug?

2005-11-03 Thread Ryan McBride
On Sat, Nov 05, 2005 at 04:05:17AM +1300, Josh wrote: Is this anything to be concerned about? http://www.isrc.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html Only if you use arpbalance in a situation where it really matters (as opposed to a situation where you use it because you think

Re: pf beginner: my firewall passes tcp but not icmp

2005-11-03 Thread Ryan McBride
On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote: [var/[EMAIL PROTECTED] pfctl -s rules block return all pass quick proto tcp from any to any port = ssh flags S/SA keep state pass in quick proto icmp all keep state ^^ How are the packets

Re: garbage on pf state (with pfsync)

2005-08-11 Thread Ryan McBride
On Thu, Aug 11, 2005 at 07:02:35PM -0300, Luiz Otávio Souza wrote: Probably my problem is hardware (two cheap realteks for sync), but why does pfsync accept this malformed address, and why does the kernel panic on flush ? (i can also get a panic from a pf -F state). i can send more info if someone
