pf: brute-force ssh defence no longer working in OpenBSD 6.8

2021-01-10 Thread Steve Fairhead
to work. I've stripped it back to: table persist file "/etc/scanners" block quick from pass quick proto tcp from any to any port ssh flags S/SA keep state \ (max-src-conn 10, max-src-conn-rate 3/15, overload flush global) (taken directly from https://home.nuug.no/~p

PF route-to and divert-packet

2021-01-01 Thread Valdrin MUJA
Hi Misc, I’m trying to use policy-based routing (route-to) with the divert-packet feature. I’m just using the example code written in divert’s man page (man divert). I’ve two WAN interfaces, which are pppoe0 (default gw) and pppoe. Those pf rules below work: # pass in log quick on vether10 inet proto udp

PF route-to and divert-packet

2020-12-30 Thread Valdrin Muja
Hi Misc, I’m trying to use policy-based routing (route-to) with the divert-packet feature. I’m just using the example code written in divert’s man page (man divert). I’ve two WAN interfaces, which are pppoe0 (default gw) and pppoe1. Those pf rules below work: # pass in log quick on vether10 inet proto

Re: pf adaptive syncookie

2020-12-19 Thread mabi
‐‐‐ Original Message ‐‐‐ On Friday, December 18, 2020 6:13 PM, Stuart Henderson wrote: > And if it's anything like when I try it, you'll see some TCP connections > failing when it is active too. Not everything fails. but e.g. if I have > "set syncookies always" on a router, and run "ftp

Re: pf adaptive syncookie

2020-12-18 Thread Stuart Henderson
On 2020-12-18, mabi wrote: > ‐‐‐ Original Message ‐‐‐ > On Friday, December 18, 2020 10:48 AM, Stuart Henderson > wrote: > >> It's something like "what % of max allowed states is half-open tcp". >> Watch out as there are some bugs in this area, definitely thewith >> accounting of

Re: pf adaptive syncookie

2020-12-18 Thread mabi
‐‐‐ Original Message ‐‐‐ On Friday, December 18, 2020 10:48 AM, Stuart Henderson wrote: > It's something like "what % of max allowed states is half-open tcp". > Watch out as there are some bugs in this area, definitely thewith > accounting of half-open connections can be wildly off

pf adaptive syncookie

2020-12-18 Thread mabi
Hi, I see quite some syn flood packets on my OpenBSD firewall filling up the state table for nothing. So I thought let's try the pf's adaptive syncookies. I am just not quite sure what the percentage used by start and stop relate to. In the pf.conf man page the following is written: &qu

Re: pf adaptive syncookie

2020-12-18 Thread Stuart Henderson
> In the pf.conf man page the following is written: > > "pf will enable syncookie mode when a given percentage of the state table is > used up by half-open TCP connections..." > > That "given percentage" does it compare the "half-open tcp" value of the

Could "re0: watchdog timeout" be caused by pf queues?

2020-12-08 Thread Jurjen Oskam
Hi, On my home router, since a year or two I've occasionally seen watchdog timeouts on re0 (which is connected with 1Gbps to a Cisco switch): re0: watchdog timeout They weren't frequent, but when they occurred it was always under high-ish throughput (300-400 Mbps). Yesterday however, one

Re: incorrect pf rule?

2020-11-29 Thread Родин Максим
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK. Thank you! 29.11.2020 13:08, Stuart Henderson wrote: On 2020-11-29, Родин Максим wrote: The problem is that only port 80 seems to

Re: incorrect pf rule?

2020-11-29 Thread Родин Максим
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK. Thank you! 29.11.2020 14:30, Stuart Henderson wrote: On 2020-11-29, Stuart Henderson wrote: On 2020-11-29, Родин Максим wrote:

Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Stuart Henderson wrote: > On 2020-11-29, Родин Максим wrote: >> The problem is that only port 80 seems to be open from the outside. >> I used several online port scanners to check this. >> All of them tell: >> port 80 OPEN >> port 443 CLOSED > > Could it be blocked by your ISP? Do

Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Родин Максим wrote: > The problem is that only port 80 seems to be open from the outside. > I used several online port scanners to check this. > All of them tell: > port 80 OPEN > port 443 CLOSED Could it be blocked by your ISP? Do you receive packets on your external interface at

incorrect pf rule?

2020-11-28 Thread Родин Максим
is available from the internal network on http and https ports when 192.168.1.102 is used. To make the http server work from outside I'm trying to use the following PF rule on my router: ... web_server = "192.168.1.102" web_ports = "{ http https }"... ... # Web-server pass i

Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak
ffset -0.000107, delay 0.02589 27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset -0.000107 sec Is there some secret I've failed to find in man? Are you sure you mean em0 and not em1 in your pf rules? em0 is my external interface, em1 is the LAN interface. I see a typo in my

Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread Janne Johansson
On Fri 27 Nov 2020 at 10:08, kasak wrote: > My configuration requires using a bridge: > I have files: > > gater:~$ doas pfctl -sr > block return all > pass all flags S/SA > block drop in on em0 all > pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to > 212.233.112.10 > pass

Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak
4:19 ntpdate[155511]: adjust time server 172.16.0.1 offset -0.000107 sec Is there some secret I've failed to find in man? Are you sure you mean em0 and not em1 in your pf rules? em0 is my external interface, em1 is the LAN interface. I see a typo in my message. I've tried to change "bridge0" t

Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread Zé Loff
07, delay 0.04155 > server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821 > 27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset > +0.88 sec > [kasak@kasakoff ~]$ ntpdate -q 172.16.0.1 > server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589 > 27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset > -0.000107 sec > > Is there some secret I've failed to find in man? > Are you sure you mean em0 and not em1 in your pf rules? --

pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak
My configuration requires using a bridge. I have these files: cat /etc/hostname.bridge0 add vether0 add em1 add tap1 up files hostname.em1 and tap1 just contain "up" and file hostname.vether0 contains: inet 172.16.0.1 255.240.0.0 NONE description "LAN Link" this is ifconfig: em1: flags=8b43

Re: PF divert-packet reinjection

2020-11-24 Thread Stuart Henderson
On 2020-11-23, Szél Gábor wrote: > Dear @misc > > We test OpenBSD with Suricata in IPS mode. > IPS mode requires PF divert-packet. > > simple rule to divert: > pass in log quick on $_if proto tcp from ! to any > divert-packet port 700 > > At first look everyth

PF divert-packet reinjection

2020-11-24 Thread Szél Gábor
Dear @misc We test OpenBSD with Suricata in IPS mode. IPS mode requires PF divert-packet. simple rule to divert: pass in log quick on $_if proto tcp from ! to any divert-packet port 700 At first look everything is good! The packet goes to suricata, suricata check packet, if packet

Re: limit UDP connection rate with PF pass rule

2020-11-21 Thread Stuart Henderson
On 2020-11-18, mabi wrote: >> The DNS RRL techniques typically still reply to a proportion of queries >> (either directly with the answer, or with a "retry over TCP" response >> code) reducing impact if the source IP is also used by real queries as >> well as the attack traffic. > > I've been

Re: limit UDP connection rate with PF pass rule

2020-11-18 Thread mabi
uot;:"2020-11-17T14:02:00.059396Z","uid":"CD5YJQ2eVZKX6bhyoj","id.orig_h":"74.125.18.1","id.orig_p":51423,"id.resp_h":"","id.resp_p":53,"proto":"udp","trans_id":39451,"rcode"

Re: limit UDP connection rate with PF pass rule

2020-11-17 Thread Stuart Henderson
generated around 5200 requests/second on my DNS servers so I > was wondering if one can also limit the rate of requests in PF on UDP traffic > such as can be done with TCP (using max-src-nodes, max-src-conn, etc)? > > Looking at the documentation (https://www.openbsd.org/faq/pf/filter.ht

limit UDP connection rate with PF pass rule

2020-11-17 Thread mabi
was wondering if one can also limit the rate of requests in PF on UDP traffic such as can be done with TCP (using max-src-nodes, max-src-conn, etc)? Looking at the documentation (https://www.openbsd.org/faq/pf/filter.html) it only mentions TCP. So I deduce that it is simply not possible to somehow

Re: limit UDP connection rate with PF pass rule

2020-11-17 Thread Ben Jahmine
NS servers so I > was wondering if one can also limit the rate of requests in PF on UDP traffic > such as can be done with TCP (using max-src-nodes, max-src-conn, etc)? > > Looking at the documentation (https://www.openbsd.org/faq/pf/filter.html) it > only mentions TCP. So I deduce

Re: dhcpd and pf table with fixed-address

2020-11-15 Thread Stuart Henderson
On 2020-11-15, Joel Carnat wrote: > Hello, > > I have linked dhcpd(8) and pf(4) using -A, -C and -L dhcpd flags. > It seems dhcpd only adds IP for dynamic leases and not for leases > configured using fixed-address. > > Is this expected or is there something I misconfigu

dhcpd and pf table with fixed-address

2020-11-15 Thread Joel Carnat
Hello, I have linked dhcpd(8) and pf(4) using -A, -C and -L dhcpd flags. It seems dhcpd only adds IP for dynamic leases and not for leases configured using fixed-address. Is this expected or is there something I misconfigured? Thanks, Jo PS: configuration extracts rc.conf.local: dhcpd_flags

PF comments?

2020-11-11 Thread Andreas X
I have the following pf.conf file for Mail + Web server (on the same server) Link: https://pastebin.com/raw/UY698p2E Do I miss anything, or anything wrong appears to you there? Any suggestion would be much appreciated. Thanks a lot!

Re: pf and Wireguard

2020-09-27 Thread Stuart Henderson
On 2020-09-26, Jan Betlach wrote: > > Hi, > > I’ve set up WireGuard on my home router running -current. > The tunnel works, I have access to my LAN resources ONLY when pf is > disabled. When I enable pf, WireGuard connects, does handshakes, however > I cannot even ping

pf and Wireguard

2020-09-26 Thread Luke Small
... Change: match out on egress from (wg0:network) to any nat-to (egress:0) To: match on egress from (wg0:network) to any nat-to (egress:0) tag "wireguard" pass tagged "wireguard" keep state -- -Luke

pf and Wireguard

2020-09-26 Thread Jan Betlach
Hi, I’ve set up WireGuard on my home router running -current. The tunnel works, I have access to my LAN resources ONLY when pf is disabled. When I enable pf, WireGuard connects, does handshakes, however I cannot even ping the router nor access anything in the network. So it seems my

Re: PF Natting before filtering

2020-09-21 Thread Stuart Henderson
On 2020-09-21, open...@kene.nu wrote: >> > My basic ruleset snippet: >> > pass quick on vlan100 from any to any >> > match out on vlan200 nat-to vlan200 >> > pass out on vlan200 >> > block out quick on vlan200 from >> >> If this is your actual ruleset, you are observing the intended behavior. >>

Re: PF Natting before filtering

2020-09-21 Thread Peter N. M. Hansteen
freebsd.org/threads/nat-filtering-in-pf-what-happens-if.22783/ It's important to be aware that FreeBSD's PF is ancient, on par with roughly what was in OpenBSD 4.5. The NAT code on the OpenBSD side of the fence was totally rewritten for 4.7 which is also IIRC when match was introduced. You may ha

Re: PF Natting before filtering

2020-09-21 Thread openbsd
ould be interesting to hear which shreds of information you found. > > Mainly this which I see now contradicts itself. https://forums.freebsd.org/threads/nat-filtering-in-pf-what-happens-if.22783/ > > > I have a box that acts as a router and firewall. It forwards packets from > &

Re: PF Natting before filtering

2020-09-21 Thread Peter N. M. Hansteen
On Mon, Sep 21, 2020 at 12:46:15PM +0200, open...@kene.nu wrote: > I am seeing what could be expected behaviour but the small shreds of info I > can find online seem to suggest otherwise. It would be interesting to hear which shreds of information you found. > > I have a box that acts as a

PF Natting before filtering

2020-09-21 Thread openbsd
Hello, I am seeing what could be expected behaviour but the small shreds of info I can find online seem to suggest otherwise. I have a box that acts as a router and firewall. It forwards packets from the internal LAN (call it vlan100) and sends them NATed out on the external LAN (call it

Re: [EXTERNAL] Re: Troubleshooting pf congestion

2020-09-16 Thread Scott Reese
> On 2020-09-14, Scott Reese wrote: >> Greetings: >> >> - Original Message - >>> From: "Uwe Werler" >>> To: "misc" , "Scott Reese" , "misc" >>> >>> Sent: Monday, September 14, 2020 12:47:

Re: [EXTERNAL] Re: Troubleshooting pf congestion

2020-09-15 Thread Stuart Henderson
On 2020-09-14, Scott Reese wrote: > Greetings: > > - Original Message - >> From: "Uwe Werler" >> To: "misc" , "Scott Reese" , "misc" >> >> Sent: Monday, September 14, 2020 12:47:31 PM >> Subject: [EXTERNAL

Re: Troubleshooting pf congestion

2020-09-14 Thread Uwe Werler
Without seeing a rule set, what should one say? On 14 September 2020 15:19:46 GMT+00:00, Scott Reese wrote: >Greetings: > >I am troubleshooting an issue: users complaining about network >performance. The firewall >is an OpenBSD 6.7 system with patches applied. I've traced the issue >and I'm

Re: Troubleshooting pf congestion

2020-09-14 Thread Otto Moerbeek
tailing what > state causes the system to consider itself congested, I would appreciate it. > > Thanks for your time. > > -Scott openbsd-archive.7691.n7.nabble.com/PF-congestion-question-td156490.html Description and potential remedy are still true, afaik. -Otto > >

Re: [EXTERNAL] Re: Troubleshooting pf congestion

2020-09-14 Thread Scott Reese
Greetings: - Original Message - > From: "Uwe Werler" > To: "misc" , "Scott Reese" , "misc" > > Sent: Monday, September 14, 2020 12:47:31 PM > Subject: [EXTERNAL] Re: Troubleshooting pf congestion > Without seeing a rule set wh

Troubleshooting pf congestion

2020-09-14 Thread Scott Reese
Greetings: I am troubleshooting an issue: users complaining about network performance. The firewall is an OpenBSD 6.7 system with patches applied. I've traced the issue and I'm seeing the congestion counter incrementing on the system. The problems that we're seeing fit with what I have been able

Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
On Fri, 28 Aug 2020 22:33:30 +0200, Claudio Jeker wrote: > Have a look at the pf(4) stats. especially check if the congestion > counter increases when you see the error. If pf(4) detects a network > congestion then ruleset evaluation is skipped and only state matching > happens. In t

Re: pf, send(2) and EACCES

2020-08-28 Thread Claudio Jeker
; a `while :` for about two hours and it didn't happen. > > I'll try again if the problem happens genuinely again. Have a look at the pf(4) stats. especially check if the congestion counter increases when you see the error. If pf(4) detects a network congestion then ruleset evaluation is skipp

Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
On Fri, 28 Aug 2020 16:06:48 +0200, Sebastien Marie wrote: > - generate lots of postgresql access. from the postgresql thread, the > statement seems to be a SELECT, so it would be fine to run in a loop > (hoping no cache and real traffic generated). > > - run pfctl -Treplace in a loop (with a set of

Re: pf, send(2) and EACCES

2020-08-28 Thread Sebastien Marie
> and gets EACCES. > > > > > > According to send(2) this happens when "The connection was blocked > > > by pf(4)". I have a cron that modifies a table with > > > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH` > > > > > > The file is

Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
d data to client: > > Permission denied". I reported the problem on pgsql-general@ [0] > > and if I understood correctly, this happens when pgsql uses send(2) > > and gets EACCES. > > > > According to send(2) this happens when "The connection was blocke

Re: pf, send(2) and EACCES

2020-08-28 Thread Sebastien Marie
l-general@ [0] and if > I understood correctly, this happens when pgsql uses send(2) and gets > EACCES. > > According to send(2) this happens when "The connection was blocked by > pf(4)". I have a cron that modifies a table with > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`

Re: pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
On Thu, 27 Aug 2020 16:16:17 -0400, "Sven F." wrote: > pflog0 will tell you what is blocked if you log it, and can tell you if > it is I would have been surprised otherwise (since normally packets pass) but I looked and there was no log about blocked packets at that time.

Re: pf, send(2) and EACCES

2020-08-27 Thread Sven F.
l@ [0] and if > I understood correctly, this happens when pgsql uses send(2) and gets > EACCES. > > According to send(2) this happens when "The connection was blocked by > pf(4)". I have a cron that modifies a table with > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH` >

pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
ets EACCES. According to send(2) this happens when "The connection was blocked by pf(4)". I have a cron that modifies a table with `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH` The file is large so it's not exactly immediate. Could pf temporarily block new connections while it loads the f

Re: Managing PF logs

2020-08-07 Thread Carlos Lopez
-- Regards, Pierre BARDOU -Original Message- From: owner-m...@openbsd.org On behalf of Peter N. M. Hansteen Sent: Friday 7 August 2020 13:10 To: misc@openbsd.org Subject: Re: Managing PF logs On Fri, Aug 07, 2020 at 10:29:32AM +, Carlos Lopez

Re: Managing PF logs

2020-08-07 Thread pierre1.bardou
On behalf of Peter N. M. Hansteen Sent: Friday 7 August 2020 13:10 To: misc@openbsd.org Subject: Re: Managing PF logs On Fri, Aug 07, 2020 at 10:29:32AM +, Carlos Lopez wrote: > Hi all, > > I am thinking about what the best option could be to inject PF logs into > Elasticsearch (or any simi

Re: Way to find most active IPs for rate limiting with pf

2020-08-07 Thread Stuart Henderson
uilt-in implementation pflow(4) works with PF - and a collector/UI such as nfdump+nfsen (in ports) or elastiflow (not in ports, haven't tried running it, looks nice though) - pmacct (in ports, slightly old version as newer ones need a less ancient libpcap) - darkstat (in ports) - probably more in ports

Re: Managing PF logs

2020-08-07 Thread Peter N. M. Hansteen
On Fri, Aug 07, 2020 at 10:29:32AM +, Carlos Lopez wrote: > Hi all, > > I am thinking about what the best option could be to inject PF logs into > Elasticsearch (or any similar platform). If I am not wrong, some years ago > there was an option using a shell wrapper to st

Re: Managing PF logs

2020-08-07 Thread Tom Smyth
pf logs are stored in tcpdump format, so you can parse them with tcpdump before dumping them into your analysis DBs On Fri, 7 Aug 2020 at 11:36, Carlos Lopez wrote: > Hi all, > > I am thinking about what the best option could be to inject PF logs into > Elasticsearch (or any simi

Managing PF logs

2020-08-07 Thread Carlos Lopez
Hi all, I am thinking about what the best option could be to inject PF logs into Elasticsearch (or any similar platform). If I am not wrong, some years ago there was an option using a shell wrapper to store all pf logs in ASCII format and redirect all of them to a central syslog server (published

Re: Way to find most active IPs for rate limiting with pf

2020-08-06 Thread philippe aubry
Hi all, maybe this can help, something like this: pass in quick on $ext_if proto tcp from any to ($ext_if) port $tcp_services (max-src-conn 50, max-src-conn-rate 5/5, overload flush global) I use it to blacklist IPs that make too many simultaneous connections to ssh or other TCP services, but in

Re: Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Jordan Geoghegan
On 2020-08-06 13:46, Alan McKay wrote: So I want to implement rate limiting, and to determine a reasonable rate based on current traffic patterns I'd like to be able to figure out which source IPs are generating the most connections and at what rate. Is there a way to do that? There is

Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Alan McKay
So I want to implement rate limiting, and to determine a reasonable rate based on current traffic patterns I'd like to be able to figure out which source IPs are generating the most connections and at what rate. Is there a way to do that? -- "You should sit in nature for 20 minutes a day.

PF-BadHost Patch

2020-07-11 Thread Jordan Geoghegan
meone more knowledgeable) can figure out what's going on with that, that's going to have to be worked around. I've released a patch to address both issues, you can find full instructions on the website: geoghegan.ca/pfbadhost.html Quick start: $ ftp https://geoghegan.ca/pub/pf-badhost/0.4/

pf-badhost + unbound adblock v4 released

2020-07-01 Thread Jordan Geoghegan
Hey folks, just thought I'd share with you that I've released the latest versions of pf-badhost and unbound-adblock. pf-badhost webpage: https://www.geoghegan.ca/pfbadhost.html unbound-adblock webpage: https://www.geoghegan.ca/unbound-adblock.html Key pf-badhost changes: * pf-badhost goes

This is the day pf was added

2020-06-24 Thread Jungle Boogie
Hi, A little trip down memory lane, to 2001. Jun 24 PF added. Insane amounts of work done by dhartmei@, 2001 Thank you all for those who have worked on and contributed to pf. Keep up the great work! Best, j.b.

Re: Restore pf tables metadata after a reboot

2020-06-04 Thread Brian Brombacher
No reason to expire ssh brute force. They will never stop. Manual flush if someone accidentally locked themselves out. Just my two cents :) > On Jun 4, 2020, at 12:48 AM, Anatoli wrote: > >  >> >> Even then it seems that some of them turn up again pretty much >> instantly after expiry. >

Re: Restore pf tables metadata after a reboot

2020-06-04 Thread Anatoli
> Even then it seems that some of them turn up again pretty much > instantly after expiry. You could update the expire time on each new connection/port scan attempt. This way you could put say 4 days expire time and block these IPs on all ports on all your systems and new connection attempts

Re: Restore pf tables metadata after a reboot

2020-05-30 Thread Peter Nicolai Mathias Hansteen
> On 30 May 2020 at 11:54, Walter Alejandro Iglesias wrote: > > The problem is most system administrators out there do very little. If > you were getting spam or attacks from some IP, even if you report the > issue to the respective whois abuse@ address, chances are attacks from > that IP won't

Re: Restore pf tables metadata after a reboot

2020-05-30 Thread Walter Alejandro Iglesias
In article Peter Nicolai Mathias Hansteen wrote: > It is a possibly desirable feature, but I am not aware whether any of the > currently capable developers are considering putting in the work to implement > it. > Let me finish the idea, not with the intention to pressure developers asking

Re: Restore pf tables metadata after a reboot

2020-05-29 Thread Peter Nicolai Mathias Hansteen
> On 29 May 2020 at 19:23, Walter Alejandro Iglesias wrote: > Could you summarize here which part of these articles of yours answer my > original question, please? > > For example, this list you share (linked in your article): > > https://home.nuug.no/~peter/pop3gropers_full.txt > > It would

Re: Restore pf tables metadata after a reboot

2020-05-29 Thread Walter Alejandro Iglesias
Hello Peter, In article Peter Nicolai Mathias Hansteen wrote: > > On 28 May 2020 at 19:09, Bruno Flueckiger wrote: > > > > > > You can save the list of IPs in a table and reload it after a reboot as > > described here: https://www.bsdhowto.ch/savepftables.html > > > I have a similar setup

Re: Restore pf tables metadata after a reboot

2020-05-29 Thread Peter Nicolai Mathias Hansteen
> On 28 May 2020 at 19:09, Bruno Flueckiger wrote: > > > You can save the list of IPs in a table and reload it after a reboot as > described here: https://www.bsdhowto.ch/savepftables.html I have a similar setup at bsdly.net , only I dump the tables to file and run expiry

Re: Restore pf tables metadata after a reboot

2020-05-29 Thread Bruno Flueckiger
reason of my concern is to choose a > convenient "expire time." With mail is problematic but with ssh, since > I know exactly whom I want to allow external access (just me,) I let > them accumulate. I block ssh attackers in the ssh port only, people > sharing those addresses are not

Re: Restore pf tables metadata after a reboot

2020-05-29 Thread Walter Alejandro Iglesias
I block ssh attackers in the ssh port only, people sharing those addresses are not affected. So, I thought, the only concern in the ssh case was how much a big number of entries could affect pf performance, till at some point my tables reached the memory hard limit and I had to remove IPs arbitrarily

Re: Restore pf tables metadata after a reboot

2020-05-28 Thread Bruno Flueckiger
On 26.05., Walter Alejandro Iglesias wrote: > I understand that this command: > > # pfctl -t spam -T expire > > Takes into account the "Cleared" date: > > # pfctl -t spam -vT show > ___.___.22.65 > Cleared: Mon May 25 16:10:22 2020 > ___.___.167.62 > Cleared:

Re: About pf max-src-conn-rate

2020-05-28 Thread Marko Cupać
On 2020-05-27 14:27, Walter Alejandro Iglesias wrote: Another question about pf. Perhaps I don't fully understand how connection rate is calculated. The following line in /etc/pf.conf: pass in log inet proto tcp to any port { smtp smtps } synproxy state \ (max-src-conn-rate 5/30

Re: About pf max-src-conn-rate

2020-05-28 Thread Walter Alejandro Iglesias
On Thu, May 28, 2020 at 12:06:18PM +0200, Marko Cupać wrote: > On 2020-05-27 14:27, Walter Alejandro Iglesias wrote: > > Another question about pf. > > > > Perhaps I don't fully understand how connection rate is calculated. > > > > The following line in /etc/pf.

Re: About pf max-src-conn-rate

2020-05-28 Thread Walter Alejandro Iglesias
mp/newaddresses # Save list to file pfctl -q -t smtp -T show > /path/to/smtp.txt (By the way, the 'expire' command is the reason of my first question in the "Restore pf tables metadata after a reboot" thread.) I'll do the test I mentioned before, I'll add a provisional table affected o

Re: About pf max-src-conn-rate

2020-05-27 Thread Brian Brombacher
Keep in mind that with operations using pfctl such as reloading the rule set or a table from file, any IPs caught in the smtp table by the max-src-conn-rate will be flushed depending on your command line. > On May 27, 2020, at 4:29 PM, Walter Alejandro Iglesias > wrote: > > Hello Brian, > >> On Wed, May

Re: About pf max-src-conn-rate

2020-05-27 Thread Walter Alejandro Iglesias
Hello Brian, On Wed, May 27, 2020 at 02:35:46PM -0400, Brian Brombacher wrote: > What do you do with table in other rules? If you’re doing nothing, > you need to do something like block additional connections, or adjust the > pass rule to include from ! You're right. I forgot to mention I

Re: About pf max-src-conn-rate

2020-05-27 Thread Brian Brombacher
020, at 8:30 AM, Walter Alejandro Iglesias > wrote: > > Another question about pf. > > Perhaps I don't fully understand how connection rate is calculated. > > The following line in /etc/pf.conf: > > pass in log inet proto tcp to any port { smtp smtps } synproxy sta

About pf max-src-conn-rate

2020-05-27 Thread Walter Alejandro Iglesias
Another question about pf. Perhaps I don't fully understand how connection rate is calculated. The following line in /etc/pf.conf: pass in log inet proto tcp to any port { smtp smtps } synproxy state \ (max-src-conn-rate 5/30, overload flush global) Shouldn't avoid this happen

Re: Restore pf tables metadata after a reboot

2020-05-26 Thread Walter Alejandro Iglesias
On Tue, May 26, 2020 at 11:25:21PM +0200, Anders Andersson wrote: > On Tue, May 26, 2020 at 2:14 PM Walter Alejandro Iglesias > wrote: > > > > I understand that this command: > > > > # pfctl -t spam -T expire > > > > Takes into account the "Cleared" date: > > > > # pfctl -t spam -vT show > >

Re: Restore pf tables metadata after a reboot

2020-05-26 Thread Anders Andersson
On Tue, May 26, 2020 at 2:14 PM Walter Alejandro Iglesias wrote: > > I understand that this command: > > # pfctl -t spam -T expire > > Takes into account the "Cleared" date: > > # pfctl -t spam -vT show > ___.___.22.65 > Cleared: Mon May 25 16:10:22 2020 > ___.___.167.62 >

Restore pf tables metadata after a reboot

2020-05-26 Thread Walter Alejandro Iglesias
I understand that this command: # pfctl -t spam -T expire Takes into account the "Cleared" date: # pfctl -t spam -vT show ___.___.22.65 Cleared: Mon May 25 16:10:22 2020 ___.___.167.62 Cleared: Mon May 25 16:10:22 2020 [...] Is there a way to save and

Re: lost pf state - disappeared before expiration?

2020-05-18 Thread Paul B. Henson
On 5/17/2020 8:40 PM, Strahil Nikolov wrote: > What is your conf having as a timeout ? Both of the rules explicitly override the default timeout with a six minute rule level timeout: pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360)

Re: lost pf state - disappeared before expiration?

2020-05-18 Thread Strahil Nikolov
any to port = 9430 tag VOIP_UDP >keep state (udp.multiple 360) > >pass out quick on $ext_if proto udp tagged VOIP_UDP keep state >(udp.multiple 360) > >match out on $ext_if from 10.128.0.0/16 nat-to { $ext_vip } >sticky-address > >I turned on pf debugging, when the conne

lost pf state - disappeared before expiration?

2020-05-17 Thread Paul B. Henson
tagged VOIP_UDP keep state (udp.multiple 360) match out on $ext_if from 10.128.0.0/16 nat-to { $ext_vip } sticky-address I turned on pf debugging, when the connection is created I see: May 17 15:36:39 lisa /bsd: pf: key search, in on vlan110: UDP wire: (0) 10.128.110.73:9430 198.148.6.55:9430

Re: pf table for all publicly routable ipv4 addresses

2020-05-12 Thread Marko Cupać
from guest vlan (basically table from pf FAQ). I have also been testing "table with negated records" approach, which also seems to work fine block log all pass in on $vlan_guests from $vlan:guests:network to ...where routable is list of negated subnets I don't want to be reach

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
ith another wireless >>> router, I can use my sony xperia to access the internet. Does any >>> one try this before ? >>> If yes, please let me know how you do it. Thanks. >>> Clarence >> >> > I totally agree with the suggestion by @Tom above! >

Re: Networking/pf question, I am not sure ?

2020-05-11 Thread man Chan
Does any >>> one try this before ? >>> If yes, please let me know how you do it. Thanks. >>> Clarence >> >> > I totally agree with the suggestion by @Tom above! > > > Another good tool for Android is 'fing', it will give you access to > Trac

Networking/pf question, I am not sure ?

2020-05-10 Thread man Chan
Hello, I recently set up a home network as follows (just for fun): ISP <> openbsd router (version 6.6 Stable) <---> gigabit switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless) everything works except that I can't use my sony xperia tablet to access internet using the

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman
if the Xperia can communicate with the gateway (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring. On the OpenBSD side, it could be a number of things like PF rules, routing, NAT b

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Kaya Saman
ay (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring. On the OpenBSD side, it could be a number of things like PF rules, routing, NAT but without further information it is

Re: Networking/pf question, I am not sure ?

2020-05-10 Thread Tom Smyth
Hello Clarence, you would need to provide some more information about your setup, ip addresses on interfaces , what is your pf.conf etc... In your experia ( I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary

mysteriously disappearing pf state entries

2020-05-08 Thread Paul B. Henson
I'm running OpenBSD 6.6 operating as an inter-VLAN and border router using pf. Recently I wanted to use a nondefault state timeout for some UDP traffic traversing from my voip subnet to a provider off site. Within pf, there are three rules involved. The first is for traffic coming from

Re: pf table for all publicly routable ipv4 addresses

2020-05-05 Thread Kenneth Gober
On Mon, May 4, 2020 at 4:43 PM Marko Cupać wrote: > ...so I can permit hosts on guest vlan access Internet hosts, but not > hosts on other private vlans similar to: > > block log all > pass in on $guest_vlan from $guest_vlan:network to > I suspect the best path forward here is: block log all

Re: pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Marko Cupać
On 2020-05-04 19:23, Stuart Henderson wrote: On 2020-05-04, Marko Cupać wrote: Hi, I'd like to create pf table "all publicly routable ipv4 addresses". Is this possible with some short syntax? Thank you in advance. something like this? # https://www.team-cymru.org/Services/Bogon

Re: pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Daniel Ouellet
then willing to be wrong. I think you have way less chance of mistake when you block all and only allow what you need. Daniel On 5/4/20 4:42 PM, Marko Cupać wrote: > On 2020-05-04 19:23, Stuart Henderson wrote: >> On 2020-05-04, Marko Cupać wrote: >>> Hi, >>> >>&

Re: pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Sebastian Benoit
Marko Cupać (marko.cu...@mimar.rs) on 2020.05.04 22:42:50 +0200: > I thought I could do such table like this: > > table {0.0.0.0/0 \ > !0.0.0.0/8 \ > ... >!224.0.0.0/3 } > > ...but https://www.openbs

pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Marko Cupać
Hi, I'd like to create pf table "all publicly routable ipv4 addresses". Is this possible with some short syntax? Thank you in advance. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
