to do per IP rate limiting alongside load-balancing you might
want "mode source-hash" rather than the default round-robin or one of
the random options.
(I wouldn't recommend sticky-address, because then you get into more
complex paths inside PF because it has to maintain source-tracking
information).
--- Original Message ---
On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson
wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from
On 18/07/2023 23:59, Stuart Henderson wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a
On 2023-07-18, mabi wrote:
> Hello,
>
> From the following documentation, I am trying to figure out which PF tracking
> options are also valid for UDP but unfortunately it is not quite clear to me:
>
> https://man.openbsd.org/pf.conf.5#Stateful_Tracking_Options
>
> My
Hello,
>From the following documentation, I am trying to figure out which PF tracking
>options are also valid for UDP but unfortunately it is not quite clear to me:
https://man.openbsd.org/pf.conf.5#Stateful_Tracking_Options
My goal would be to add rate limiting options to a PF UD
I have no idea how I could make my question any clearer:
> My question is not about how to disable pf, but rather why the packets
> are seen as "in" when coming from my own address, and, why they are
> blocked i.e. ...
On Thu, Jul 06, 2023 at 11:09:27AM -0600, Zack Newman
On 7/6/23 06:14, Why 42? The lists account. wrote:
Hi,
I see that I was not clear enough.
You were not. One of the first things in your initial e-mail was the
following:
"While trying to debug the issue, it occurred to me that it could be a
network / pf problem. This doesn't
On Tue, Jul 04, 2023 at 10:42:39AM -0600, Zack Newman wrote:
> ...
> I am guessing you didn't flush the rules after disabling pf since
> clearly pf rules are still being used. Run pfctl -F all after disabling
> pf. Run pfctl -s all to verify there are no active rules.
Hi,
On 7/4/23 10:36, "Why 42? The lists account.":
While trying to debug the issue, it occurred to me that it could be a
network / pf problem. This doesn't seem to be the issue though, even
after I disable pf (pfctl -d), the scanner is still not seen.
However, running "tcpdump -n -e
Hi All,
I just noticed that "simple-scan" no longer discovers my scanner.
While trying to debug the issue, it occurred to me that it could be a
network / pf problem. This doesn't seem to be the issue though, even
after I disable pf (pfctl -d), the scanner is still not seen.
Howeve
On Sat, 24 Jun 2023 07:33 -0600, Zack Newman wrote:
> On 6/2l/23 9:01, Stephan Neuhaus wrote:
> > I'm not sure about the Configuring NAT section being
> > correct. I still maintain that the documentation and
> > observed behaviour are different.
>
> I was lazy when I said that. I meant the
On 6/24/23 13:14, Stuart Henderson wrote:
On 2023-06-24, Stephan Neuhaus wrote:
I now think that either the documentation is wrong, or
pf is wrong. At any rate, there seems to be a rather
serious disconnect between the two. The FAQ clearly
says:
When a packet is selected by a match rule
Hello,
I'm not part of this mailing list, so reply to me directly if necessary.
(Sent this to pf@, which seems not to exist any more)
Following is given in pf.conf:
### int
pass in on int from any to any keep state \
(max-src-conn 1, max-src-conn-rate 1/1, overload )
pass out on int from any
On 6/2l/23 9:01, Stephan Neuhaus wrote:
I'm not sure about the Configuring NAT section being
correct. I still maintain that the documentation and
observed behaviour are different.
I was lazy when I said that. I meant the example I quoted from that
section in the original reply is correct.
On 2023-06-24, Stephan Neuhaus wrote:
> Hi Zack
>
> On 6/24/23 03:39, Zack Newman wrote:
>> There do appear to be contradictions in documentation as well as the pf
>> book. The Configuring NAT section is correct as you have seen with your
>> own rules.
>
> I'm n
Hi Zack
On 6/24/23 03:39, Zack Newman wrote:
There do appear to be contradictions in documentation as well as the pf
book. The Configuring NAT section is correct as you have seen with your
own rules.
I'm not sure about the Configuring NAT section being
correct. I still maintain
There do appear to be contradictions in documentation as well as the pf
book. The Configuring NAT section is correct as you have seen with your
own rules.
Here is the minimum set of stateless rules that allows ICMP traffic
between my laptop and Cloudflare.
# Options.
set block-policy drop
Just wanted to reply that that was an excellent rebuttal. Looks like I
should have put my foot in my mouth. I am now keenly interested, and
disappointed in my (lack of) knowledge. I will practice with pf on my
machine to better understand what is happening. If/when I have something
meaningful
, but if it is, it is in
conflict with the documentation and IMO the match/pass
combo is much less useful.
To make my first point, the pf FAQ says the following
about match/pass:
match
When a packet traverses the ruleset and matches a match rule, any
optional parameters specified in that rule
.
Is there anything you see in these rules, especially
in rules 5 and 6, that is not correct? I don't think
so, I've taken this almost verbatim from the pf FAQ
https://www.openbsd.org/faq/pf/nat.html.
You did not read that FAQ carefully enough, so I wouldn't say you
have followed it "almost verbatim"
matches. That is
entirely possible and agrees with all the experimental
evidence I have.
Still, I don't think that this is what's going on, for
the following reasons.
1. It is in conflict with the documentation. The FAQ
http://www.openbsd.org/faq/pf/nat.html says
match
When a packet traverses
On 6/23/23 13:19, Stephan Neuhaus wrote:
Hi list [...]
In other words, now the same packets that weren't
passed using the match/pass combo are not passed when
the nat-to is part of the pass rule.
That should have been "...combo are NOW passed...". Sorry.
Cheers
Stephan
ccmp wpagroupcipher ccmp
inet 192.168.3.2 netmask 0xff00 broadcast 192.168.3.255
What I want to do is NAT the wireless interface to the
egress interface. I have this experimental pf setup,
which has many problems, and which therefore has a big
comment at the top:
# PF configuration
Am 18.06.2023 20:35 schrieb Stephan Neuhaus:
Here you can see that the "from" part is what the
above description calls the src_addr, not the
ext_addr, as it claims. This makes much more sense and
is consistent with all the other documentation that
I've seen.
The "match" is rewriting to
Hi list
I think I have found a typo in the pf NAT FAQ here:
https://www.openbsd.org/faq/pf/nat.html. In the
"Configuring NAT" section it says:
The general format in pf.conf looks something like this:
match out on interface [af] \
from src_addr to dst_addr \
nat-t
On 15/06/2023 19:07, Peter Nicolai Mathias Hansteen wrote:
>> On 15 Jun 2023, at 16:26, Kapetanakis Giannis
>> wrote:
>> After applying some keep state (if-bound) on major rules, I've already
>> found a problem.
>>
>> pfsync.
>>
>> It copies the interface. The interfaces are different on the
> On 15 Jun 2023, at 16:26, Kapetanakis Giannis
> wrote:
> After applying some keep state (if-bound) on major rules, I've already found
> a problem.
>
> pfsync.
>
> It copies the interface. The interfaces are different on the backup firewall
> so the states will not match if I demote
On 15/06/2023 17:17, Kapetanakis Giannis wrote:
> Hello,
>
> I'd like to make a change to my firewall/router from the default state-policy
> floating to if-bound
>
> I believe the way my pf.conf is configured it will not do any harm but I'm
> being cautious here and I'd like some info.
>
> The
Hello,
I'd like to make a change to my firewall/router from the default state-policy
floating to if-bound
I believe the way my pf.conf is configured it will not do any harm but I'm
being cautious here and I'd like some info.
The way I see it, I have two states for each packet traveling either
ic is needed for name resolution to work
in your environment, but your ruleset has no mention of icmp, which is likely
why ping does not work.
But then as JJ said already, instrument your rules with log or log(all) and
spend some time getting to know our friend tcpdump(8) as applied to PF logging.
Fo
>
>
> "pfctl -f /etc/pf.conf" does not spit out any warnings or errors either,
> so I first assumed it would work just as flawlessly then, but apparently
> it doesn't, because I can't ping any domain or wget any webpage, when I
>
If you add "log" rules to your pf.conf and the watch the pflog device
Hey there,
as I am completely new here, I might do something against the netiquette here
in the mailing lists, so correct me if I am wrong and I will try to adjust.
I am trying to set up a transparent Tor proxy on OpenBSD with pf(4), but I
couldn't find any helpful resources in the FAQ
Hello,
> Either build from ports with the MODCARGO_RUSTFLAGS line changed to this:
>
> MODCARGO_RUSTFLAGS = -C debuginfo=0 -C target-cpu=i586
I get some errors trying to build it from port:
===> Configuring for ripgrep-13.0.0p3
Illegal instruction (core dumped)
*** Error 132 in .
On 2023-06-05, Radek wrote:
> RipGrep caused my issue. When I replaced ripgrep with ggrep the script
> started to work fine.
Can you try a new ripgrep binary built with a different target-cpu type
for me please? The default for the rust compiler is to use SSE instructions
which aren't present
what you're
doing. if you're just monitoring packets then there's also dup-to
and bpf/tcpdump.
> --
>
> I implemented a small C program that reads packets from /dev/tun8 and
> writes them back to the same device. During the writing phase, I have
> attempted to add a 4-byte TUN header (
sh -x does not trace into functions, and
> it is something inside "main" which is crashing:
>
> > > set -x or something.
> > Sorry, I should have started with that.
> >
> > test73# doas -u _pfbadhost pf-badhost -O openbsd
> > [ ... ]
> > + com
Unfortunately it looks like sh -x does not trace into functions, and
it is something inside "main" which is crashing:
> > set -x or something.
> Sorry, I should have started with that.
>
> test73# doas -u _pfbadhost pf-badhost -O openbsd
> [ ... ]
> + command -v t
On 2023-06-01, Radek wrote:
> Hello Stuart,
>
>> What is the name of the core dump file?
> Actually there isn't any .core file.
> test73# find / -name '*.core'
> test73#
>From your earlier mail:
test73# doas -u _pfbadho
gularly monitors this
> list.
>
> I've contacted him before at his email address and he was very prompt in
> reply.
>
> 73
> diana
> KI5PGJ
>
> On May 30, 2023 8:05:04 AM MDT, Radek wrote:
> >Hello and sorry for the late reply,
> >
> >> D
> >> Did you contact the individual who provides the pf-badhost script? He has
> >> always responded to me when I contacted him.
> > No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
> >
> >> what program dumped core?
> > Some parts
MDT, Radek wrote:
>Hello and sorry for the late reply,
>
>> Did you contact the individual who provides the pf-badhost script? He has
>> always responded to me when I contacted him.
>No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
>
ly-to (em0 (em0))
--
I implemented a small C program that reads packets from /dev/tun8 and
writes them back to the same device. During the writing phase, I have
attempted to add a 4-byte TUN header (with AF_INET byte). The issue arises
when I enable pf, as my connectivity ceases to function. I suspe
On 2023-05-30, Radek wrote:
> Hello and sorry for the late reply,
>
>> Did you contact the individual who provides the pf-badhost script? He has
>> always responded to me when I contacted him.
> No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
>
>
Hello and sorry for the late reply,
> Did you contact the individual who provides the pf-badhost script? He has always
> responded to me when I contacted him.
No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
> what program dumped core?
Some parts of [1]. How can I
On Thu, May 25, 2023 at 02:11:29AM +0200, Joel Carnat wrote:
> Hi,
>
> I'd like to confirm I understood how pf works in a mixed veb/vport/tap
> environment. I'm using OpenBSD 7.3/amd64 (if that matters).
>
> I have a physical host that runs services (relayd, httpd...) the "cl
On 2023-05-25, Radek wrote:
> Hello,
> I am getting the following error message when I try to run the pf-badhost script
> [1] on a fresh install of 7.3/i386. Have I missed something?
>
> 1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt
>
> test73# doas -u _pf
Did you contact the individual who provides the pf-badhost script? He has always
responded to me when I contacted him.
diana
On May 25, 2023 8:26:31 AM MDT, Radek wrote:
>Hello,
>I am getting the following error message when I try to run the pf-badhost script
>[1] on a fresh install of 7.3/i38
Hello,
I am getting the following error message when I try to run the pf-badhost script
[1] on a fresh install of 7.3/i386. Have I missed something?
1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt
test73# doas -u _pfbadhost pf-badhost -O openbsd
doas (r...@test73.my.domain
Hi,
I'd like to confirm I understood how pf works in a mixed veb/vport/tap
environment. I'm using OpenBSD 7.3/amd64 (if that matters).
I have a physical host that runs services (relayd, httpd...) the
"classical" way and also provides VMs using vmd. I have a couple of
public IPs that
Hi.
Check your PF rules and also confirm you have set
net.inet.ip.forwarding=1 via sysctl.
Regards,
Roman
On 30.04.23 11:23, Gurra wrote:
Hi list,
I’m stuck setting up this configuration - 2 OpenBSD 7.3 boxes
connected via a private network 192.168.2.0/24.
The clients connected to box 1
look for the issue.
If you use PF, enable logging on rules (man pflog) and see which rule
those packets hit.
--
May the most significant bit of your life be positive.
Hi list,
I’m stuck setting up this configuration - 2 OpenBSD 7.3 boxes
connected via a private network 192.168.2.0/24.
The clients connected to box 1 on 192.168.1.0/24 should be able to reach the
server
on 192.168.2.0/24 with ip 192.168.2.2 on port 1234 tcp
The communication between clients
-to (wg0) tagged nat
...
[1]
https://marc.info/?l=openbsd-pf=168215778109013=2
Cheers,
Charlie
tian Danila wrote:
> >
> > Hello Misc,
> >
> > I have a technical question in regards to PF tags.
> > I was always wondering if the length of tags matters
> > or not in terms of performance.
> > For example will PF use the same effort to match a tag
>
inside the kernel tags are given numeric identifiers, and these numbers are
used everywhere. the length of the tag name doesn't affect performance.
> On 21 Apr 2023, at 04:10, Cristian Danila wrote:
>
> Hello Misc,
>
> I have a technical question in regards to PF tags.
> I wa
Hello Misc,
I have a technical question in regards to PF tags.
I was always wondering if the length of tags matters
or not in terms of performance.
For example will PF use the same effort to match a tag
TEST_TEST_TEST_TEST_TEST as it would do for a tag A?
I am wondering if PF internally would
:1080,bind=192.168.1.10,reuseaddr,fork \
tcp:10.64.0.1:1080
I would very much like to replace the above command with pf rule(s).
All the combinations I tried with "rdr-to", "nat-to", "divert-to",
"synproxy state", etc. did not work. Could someone kindly poin
Well... somehow I managed to get inter rdomain forwarding.
I have no idea how...?
I think things started to work when I changed this statement in PF:
block log on rdomain 0 from "block log"
Right now I can only communicate between rdomain 2 and rdomain 0.
I moved my ISP-B
Hi guys,
So far I have spent a week on this and I feel like I'm not progressing,
now I just feel like I'm banging against a brick wall.
To start with, I managed to send icmp echos over my WAN link through
ISP-B within the same routing domain rdomain 2.
I then started looking at
this
> https://blog.cloudflare.com/ip-fragmentation-is-broken/
Thank you for this one, Tom
I'd like to ask if it could be possible to have a new option between
aggressive and normal for 'set optimization' in pf?
Or if you consider the aggressive setting good enough for little desktops with
security
in mi
Does OpenBSD 7.2 PF support *SIIT* (RFC 7915, also called stateless NAT64)?
No, PF's address translation is tied to firewall states.
Thank you very much for the information!
Gábor
On 2023-03-03, Gabor LENCSE wrote:
> Does OpenBSD 7.2 PF support *SIIT* (RFC 7915, also called stateless NAT64)?
No, PF's address translation is tied to firewall states.
Dear All,
Does OpenBSD 7.2 PF support *SIIT* (RFC 7915, also called stateless NAT64)?
If yes, how can I set it?
I tried to set it similarly to stateful NAT64, but specifying "no
state". However, it resulted in error messages:
p095# pfctl -f /etc/pf-set-siit
/etc/pf-set-si
are reduced by more than 50% and so states are removed too soon
> >resulting in a state-mismatch.
> >
> >So first bump the limit up and then look at the counters again.
>
> Within the next three months I'll be building a hardware (not VM)
> OpenBSD machine with pf filterin
ate-mismatch.
>
>So first bump the limit up and then look at the counters again.
Within the next three months I'll be building a hardware (not VM)
OpenBSD machine with pf filtering to route, firewall and NAT between my
house's IPv4 192.168.0.0/24 network and the Internet. My Internet is
J Doe wrote:
> Hi,
>
> I have a question regarding the temporary pf(4) ruleset that is found
> in: /etc/rc.
>
> A couple of lines below: "# Set initial temporary pf rule set." there
> appears to be two lines for DHCPv4 traffic:
>
> pass out inet proto
Hi,
I have a question regarding the temporary pf(4) ruleset that is found
in: /etc/rc.
A couple of lines below: "# Set initial temporary pf rule set." there
appears to be two lines for DHCPv4 traffic:
pass out inet proto udp from any port bootpc to any port bootps
pas
Hi
many thanks Otto and Stuart
forgot to move my default block rule
back to the top after adding some ipv6 stuff at the beginning.
have a happy and successful new year.
shadrock
On 2022-12-27, Otto Moerbeek wrote:
> On Tue, Dec 27, 2022 at 04:23:13AM +, Shadrock Uhuru wrote:
>
>> hi everyone
>> viewing my pf logs with
>> tcpdump -nettt -i pflog0 there are lines with no rule numbers
>> just rule def on the line instead,
>> i've tri
On Tue, Dec 27, 2022 at 04:23:13AM +, Shadrock Uhuru wrote:
> hi everyone
> viewing my pf logs with
> tcpdump -nettt -i pflog0 there are lines with no rule numbers
> just rule def on the line instead,
> i've tried googling without success,
> need to know if t
hi everyone
viewing my pf logs with
tcpdump -nettt -i pflog0
there are lines with no rule numbers
just rule def on the line instead,
i've tried googling without success,
need to know if they are wolf, sheep or misconfigurations causing them,
and against which rule do i match them up
On 2022-12-24 02:32, Philipp Buehler wrote:
Am 22.12.2022 21:37 schrieb J Doe:
set skip on lo0
. . .
antispoof quick for $ext_if
This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).
ciao
Hi Philipp,
Am 22.12.2022 21:37 schrieb J Doe:
set skip on lo0
. . .
antispoof quick for $ext_if
This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).
ciao
--
pb
Hi,
I have a question regarding pf.
In man pf.conf[1], the following note is made in the section on: antispoof
"Caveat: Rules created by the antispoof directive interfere with
packets sent over loopback interfaces to local addresses. One
should pass these explicitly."
on't want to routing for this VLAN!
We want to filter the traffic to the VLAN - (with PF)
We came up with the following solution for this:
* em0 - public WAN interface
* em1 - filtered "WAN" interface
internal VLAN is connected here - switch port, native VLAN
* veb0 - we m
x-cvsweb-markup
I've not used this option, just saying...
Marcus
> > On Sat, Dec 17, 2022 at 3:11 PM David Gwynne wrote:
> > >
> > > dhcpd reads packets off the wire using BPF, which happens as packets
> > come off the network interface, but before the IP stack
o control these packets?
>> Still investigating but I had still not found yet a way to do it.
>>
>> Thank you.
>>
>> On Sat, Dec 17, 2022 at 3:11 PM David Gwynne wrote:
>> >
>> > dhcpd reads packets off the wire using BPF, which happens as packets co
ing BPF, which happens as packets
> come off the network interface, but before the IP stack where pf runs.
> >
> > > On 17 Dec 2022, at 22:40, Cristian Danila wrote:
> > >
> > > Good day!
> > > I finished setting up a DHCP server and for some reason it seem
e wire using BPF, which happens as packets come off
> the network interface, but before the IP stack where pf runs.
>
> > On 17 Dec 2022, at 22:40, Cristian Danila wrote:
> >
> > Good day!
> > I finished setting up a DHCP server and for some reason it seems D
dhcpd reads packets off the wire using BPF, which happens as packets come off
the network interface, but before the IP stack where pf runs.
> On 17 Dec 2022, at 22:40, Cristian Danila wrote:
>
> Good day!
> I finished setting up a DHCP server and for some reason it seems DHCP
> ser
Good day!
I finished setting up a DHCP server and for some reason it seems the DHCP
server is ignoring the PF filter.
In short, in PF I have active only one rule:
block drop quick all
Double checked PF and it is enabled
So using a windows machine to test DHCP server:
1) ifconfig /release
2) ifconfig /renew
Am 13.12.2022 22:11 schrieb J Doe:
set skip on !$ext_if
... with the idea that this skips all interfaces (virtual or
otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to
perform filtering on ?
Yes, but likely to need a space between ! and $.
ciao
--
pb
On 2022-12-13 01:23, Philipp Buehler wrote:
Am 13.12.2022 06:02 schrieb J Doe:
set skip on { lo0, vif* }
in pf.conf(5) the GRAMMAR shows:
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
So you could do "set skip on
Am 13.12.2022 06:02 schrieb J Doe:
set skip on { lo0, vif* }
in pf.conf(5) the GRAMMAR shows:
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use
Hello,
I have a question regarding: set skip on in pf.conf(5).
I have a host that has a number of dynamic virtual interfaces. I don't
want my ruleset to apply to those interfaces, however, as they are
created and removed dynamically, I don't know what the numbers will be
assigned to those
Hi,
On 07/12/2022 18:36, Peter N. M. Hansteen wrote:
...> and can now be found at
https://nxdomain.no/~peter/ripe2cidr_country.sh.txt --
as it says in the script itself, a trivial hack.
And I might add, it comes with *NO* warranties of any kind.
I think instead of :
grep allocated
in the
On 2022-12-07, Peter N. M. Hansteen wrote:
> On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>>
>> Has anybody created rules such as this and if so, do you have an example?
>
> As others have already indicated, the PF way to do anything like this would be
On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote:
>
> Has anybody created rules such as this and if so, do you have an example?
As others have already indicated, the PF way to do anything like this would be
to generate a list of addresses and networks you want to address
On Wed, 7 Dec 2022 at 08.55 Damian McGuckin wrote:
>
> Has anybody created rules such as this and if so, do you have an example?
>
> Stay safe - Damian
>
Check this Example:
https://www.muntaza.id/pf/2020/02/03/pf-firewall-bagian-kedua.html
I write in Indonesian, you can use G
Take a look at PF-Badhost.
Here is a decent write-up:
https://undeadly.org/cgi?action=article;sid=20210119113425
Craig
> On Dec 6, 2022, at 18:28, Damian McGuckin wrote:
>
>
> Has anybody created rules such as this and if so, do you have an example?
>
> Stay safe - D
Considering you solved the issue with getting all IPs
for a given country correctly (and perhaps updating it sometimes):
1. Dump all IP addresses/ranges into a file (eg. blocked.ips)
2. add table file /path/to/blocked.ips
add "persist" if you want.
3. create rule to block all incoming
Has anybody created rules such as this and if so, do you have an example?
Stay safe - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of
Yes
On Fri, 2 Dec 2022, 01:14 Steve Litt, wrote:
> Is pf still the recommended firewall/NAT software for OpenBSD?
>
> Thanks,
>
> SteveT
>
> Steve Litt
> Autumn 2022 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/bookstore/thrive.htm
>
>
efore with 1.2.3.4).
>
> 10:34:26.812675 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client strat 0 poll 3
> prec -6 (DF)
> 10:34:28.812571 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client strat 0 poll 3
> prec -6 (DF)
> 10:34:30.812587 x.x.x.x.123 > 2.3.4.5.123: v4 alarm client st
em.
>
> all udp 127.0.0.1:123 (remote_ntp1:123) <- y.y.y.y:54401 SINGLE:MULTIPLE
> all udp 127.0.0.1:123 (remote_ntp2:123) <- y.y.y.y:52525 SINGLE:MULTIPLE
>
> :(
>
> G
Yes indeed. from info debug level I get.
Sep 15 15:48:02 fw /bsd: pf: stack key attach failed on
t 0 poll 3 prec
-6 (DF)
I also see the pf log (4 times now and not 1 as before)
Sep 15 10:34:26.812688 rule 154/(match) pass in on int_if: x.x.x.x.123 >
2.3.4.5.123: v4 alarm client strat 0 poll 3 prec -6 (DF)
Sep 15 10:34:28.812583 rule 154/(match) pass in on int_if: x.x.x.x.123 >
2.3.4.
In message <https://marc.info/?l=openbsd-misc=166062861021368=1>
I described how I'm using an OpenBSD firewall (pf) to protect a VOIP
phone system. A small correction:
I wrote:
> The firewall
> also runs unbound to provide caching DNS service to the VOIP box and the
> local compu
In message <https://marc.info/?l=openbsd-misc=162550822403762=1>
(date 2021-07-05) I wrote:
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks? If so, how did you do it? More
> generally, how do people protect VOI
0,em1 } no state"
they don't show the mpls neighbor but the rule matches.
is there a possibility to do a kind of
pass quick on { em0 , em1 } mpls ?
how can I handle mpls correctly with pf?
I have zero hands on experience with mpls, but since
[Mon Aug 01 12:35:07] peter@skapet:~$ apropos mp
r but the rule matches.
is there a possibility to do a kind of
pass quick on { em0 , em1 } mpls ?
how can I handle mpls correctly with pf?
Holger