Hi,
Is it possible for pf to match traffic that has not been tagged?
It seems possible to match a tag, or traffic that lacks a particular tag
but I can't see any way to match traffic that has no tag at all?
Any clues?
Context: I'd like to tag at input particular traffic for specific
outbound
On 2018/07/17 06:47, Joseph Mayer wrote:
> On July 17, 2018 3:18 PM, Stuart Henderson wrote:
> > On 2018-07-16, Antonino Sidoti n...@sidoti.id.au wrote:
> > > Hi,
> > >
> > > Before I go into too much detail, where is the appropriate place to get
On 07/17/18 00:57, Antonino Sidoti wrote:
> Before I go into too much detail, where is the appropriate place to get help
> for PF related problems? I am really stuck and need some assistance in
> understanding PF. I can provide diagrams, configuration files too to make it
> c
On July 17, 2018 3:18 PM, Stuart Henderson wrote:
> On 2018-07-16, Antonino Sidoti n...@sidoti.id.au wrote:
> > Hi,
> >
> > Before I go into too much detail, where is the appropriate place to get help
> > for PF related problems? I am really stuck and need some assis
On 2018-07-16, Antonino Sidoti wrote:
> Hi,
>
> Before I go into too much detail, where is the appropriate place to get help
> for PF related problems? I am really stuck and need some assistance in
> understanding PF. I can provide diagrams, configuration files too to make it
On July 16, 2018 8:14 PM, Ax0n a...@h-i-r.net wrote:
> On Mon, Jul 16, 2018, 19:39 Walt neurobot...@protonmail.ch wrote:
>
> > I'm not sure what would be useful for when we are the target of an attack.
> > It seems to me that when the attack is going on, our bandwidth is so
> > saturated
On Mon, Jul 16, 2018, 19:39 Walt wrote:
>
> I'm not sure what would be useful for when we are the target of an
> attack. It seems to me that when the attack is going on, our bandwidth is
> so saturated that I'm not sure what we can do except to wait it out or to
> pay our provider to help
With the prevalence of ddos attacks today, are there any steps we can do to
limit them. We've been the subject of a few ddos attacks over the last 15
years lasting anywhere between a couple of hours and several days. One lasted
a week or two but was largely broken into two parts -- the first
On 07/16/18 15:57, Antonino Sidoti wrote:
Hi,
Before I go into too much detail, where is the appropriate place to get help for
PF related problems? I am really stuck and need some assistance in
understanding PF. I can provide diagrams, configuration files too to make it
clearer.
Thanks
Hi,
Before I go into too much detail, where is the appropriate place to get help for
PF related problems? I am really stuck and need some assistance in
understanding PF. I can provide diagrams, configuration files too to make it
clearer.
Thanks in advance
Nino
My wireless AP puts traffic from each WiFi network (trusted, guests,
etc.) into a separate VLAN, which are then picked up by my OpenBSD
router and filtered appropriately via pf rules.
In other words:
em1 is for untagged traffic to the AP itself
vlan100 has parent em1 and is for my "tr
OpenBSD 6.3, amd64
I am seeing this record being logged by pf. The rule specified in the
record does not have logging enabled. I must be missing something
simple as to why it is logging, but I can't see it.
20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0:
fe80::1a8b
2018-06-06 13:55 GMT+02:00 Stuart Henderson :
> On 2018-06-06, Johan Mellberg wrote:
> with ext_if="re0", $ext_if expands to re0.
>
> If this is used in place of an address in a PF rule, re0's address is
> looked up when pfctl is run and that is used.
>
On 2018-06-06, Johan Mellberg wrote:
> Hi,
>
> I am working my way through "The Book of Pf" and got hung up on the
> example on page 31 of edition 3 (I am reading edition 2 but the
> example seems to be identical in edition 3):
>
> ext_if = "re0"
hi,
$ext_if - expands to the name of the interface
($ext_if) - expands to the ip address assigned to the interface
On 06.06.18 12:21, Johan Mellberg wrote:
Hi,
I am working my way through "The Book of Pf" and got hung up on the
example on page 31 of edition 3 (I am reading
Hi,
I am working my way through "The Book of Pf" and got hung up on the
example on page 31 of edition 3 (I am reading edition 2 but the
example seems to be identical in edition 3):
ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE
int_if = "
>At the end of a "pass" rule in pf.conf, the author adds:
>
> max‐src‐conn 3, max‐src‐conn‐rate 2/5, overload flush global
>
>which means:
>
> "any source can only have a total of three connections,
> and they may not create them at a rate faster than two
> every five minutes. If
> Not sure if it's going to be any use for your particular setup, but if
> these are coming in as AS External LSAs ("ospfctl sh da ext") and you
> have a way to get an "External route tag" set on them, you can have
> ospfd tag the routes with a route label,
>> If you want PF, go back and read about it. Learn to handle it in the
>> way it was designed, don't try to blend it to whatever you used
>> before. It's useless if you do that.
PF has evolved over time to fit in with what developers have needed...
Not to say that's somethi
> If you want PF, go back and read about it. Learn to handle it in the
> way it was designed, don't try to blend it to whatever you used
> before. It's useless if you do that.
I get your point, I really do. I'm just trying to figure out a way
*not* to have to specify each and every subn
it is designed and configured! Change that
and you will move it to your coolOS.
If you want PF, go back and read about it. Learn to handle it in the
way it was designed, don't try to blend it to whatever you used
before. It's useless if you do that.
Thanks.
On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
>
> I think I spoke too quickly; it would be an alternative way, but not a
> shorter one
On 05/07/18 18:40, Martin Gignac wrote:
> In an OpenBSD pf rule however, a rule only references a single
> interface and a direction (in, out).
This is not correct. It's perfectly valid and not unusual to have rules
like
pass from 10.2.3.0/24
(or 'pass to $somenet'). The default state-
> It looks like 'received-on' would be a cleaner and shorter way to
> achieve my goal by allowing me to specify inbound and outbound
> interfaces in the same rule.
>
I think I spoke too quickly; it would be an alternative way, but not a
shorter one as I would still need the initial "pass in lab01"
> You could also replace the above with "pass in on $lab02 received-on $lab01".
Oh, I completely missed the 'received-on' statement in the OpenBSD
pf.conf man page! (I have to support a pfSense for the moment so I'm
alternating between the OpenBSD and FreeBSD man pages [the latter does
not
> I imagine you meant "pass out on $lab02 tagged from_lab01".
You're absolutely right Ken!
Thanks,
-Martin
>> enforce something like "all traffic from lab01 to lab02 is allowed by
>> default, but all traffic from lab02 to lab01 is denied by default".
>> In this case lab01 and lab02 are bound to different interfaces
>> (obviously), but behind each interface is another rout
to lab01 is denied by default".
> In this case lab01 and lab02 are bound to different interfaces
> (obviously), but behind each interface is another router to which are
> attached a changing number of subnets, so I want to avoid having to
> update subnet lists in my pf rules constant
On Mon, May 7, 2018 at 12:40 PM, Martin Gignac wrote:
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01
> block out on $lab01 tagged from_lab02
>
> Does this
In Linux, the FORWARD chain is used for all traffic traversing the
firewall and not destined for it. The firewall chain allows the
administrator to filter based on incoming interface *and* outgoing
interface.
In an OpenBSD pf rule however, a rule only references a single
interface and a dire
Hello list,
I am developing a userspace TCP/IP stack. Most of the time on my
servers I use special NICs and API to bypass the kernel. When on the go
I'd like to do the same on my OpenBSD dev laptop.
I chose to use tap + bridge and some PF-fu to try to make it work, but
after several fruitless
Cool!
On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri <
andreas.kah...@icm.uu.se> wrote:
> On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> >
> > You might want to parse /var/log/authlog and the logrotated
> authlog.[0-9].gz
> > for successful and unsuccessful
On 05/05/18 01:56, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can
> write
> with
On 2018-05-04, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
This wheel has been invented several times, if someone wants to make
their own they should study revisions to past designs as there have
been some nasty
On 04/05/18 23:16, Luke Small wrote:
Can SSH and possibly other programs more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
See this paper, that might contain what you're trying to achieve:
https://www.sans.org/reading-room
On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot
If you want to open gate for those, who authenticated using ssh, you may
need authpf(8) (known as Authentication Gateway)
https://www.openbsd.org/faq/pf/authpf.html
g 5 May 2018 00:16
To: openbsd-misc
Subject: Can SSH report successful connections to pf?
Can SSH and possibly other programs more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
On 05/05/18 00:16, Luke Small wrote:
> Can SSH and possibly other programs more easily able to report successful
> connections so pf can make stricter bruteforce connection rejecting even
> better?
>
Hi,
could be just me but I didn't get what you want to achieve really.
Could
Can SSH and possibly other programs more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
, but shared the same subnet with other
interfaces. Obviously this resulted in an "unusual" route table -- but it
is unclear to us why the previously described PF problem manifested in the
way it did -- especially given that the ICMPv6 packet used link-local
addresses, and the pass rule did
Hello --
While configuring a new firewall, I noticed that pflog0 was showing that
some ICMPv6 neighbor advertisement packets were being blocked in on vlan51,
which is a sub-interface of vmx1 (a vmxnet3 interface using VGT). I added a
PF rule allowing this traffic to pass. However, even after
> Sent: Thursday, April 12, 2018 at 5:57 AM
> From: "Theo de Raadt" <dera...@openbsd.org>
> To: "Aham Brahmasmi" <aham.brahma...@gmx.com>
> Cc: misc@openbsd.org
> Subject: Re: pf: certain recursive macros causing syntax error
>
> Aham Brahma
Aham Brahmasmi wrote:
> Hello misc,
>
> Recursive macros which include macros containing certain specific
> characters cause syntax errors.
>
> Steps
> $ cat pftemp.conf
> forwardslash = "100/10"
> #forwardslashrecursive = $forwardslash
> number = "100"
>
Hello misc,
Recursive macros which include macros containing certain specific
characters cause syntax errors.
Steps
$ cat pftemp.conf
forwardslash = "100/10"
#forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
#stringrecursive = $string
ip = "0.0.0.0"
> ... better badly does work ...
If it so, then it should not be done from the start.
A bad implementation can trigger other problems.
Try to think a little bit. ( hint: Chernobyl)
> On Fri, Mar 30, 2018 at 9:58 AM, 3 wrote:
>> perhaps my poor english prevented you from understanding the question
> perhaps
>> my initial approach does work. u are have comments about route-to?
> If people do not understand the words you use to represent the ideas
> you
On Fri, Mar 30, 2018 at 10:35 AM, 3 wrote:
> i showed my idea on the example of pf's config- this language should
> be familiar to you
...
> no more effective ways. the variant with pfctl is a kolhoz-style(ugly
> and ineffective), it requires a lot of work to convert data into
>
On Fri, Mar 30, 2018 at 9:58 AM, 3 wrote:
> perhaps my poor english prevented you from understanding the question
perhaps
> my initial approach does work. u are have comments about route-to?
If people do not understand the words you use to represent the ideas
you were
> On 03/30/18 13:32, 3 wrote:
>> people like you do not understand what better badly does work than
>> well not works. and it is not our(not ordinary users) fault that the
> Seriously, cipher, you're just spewing word salad again.
> And it sounds vaguely like abuse, aimed at people who were in
On 03/30/18 13:32, 3 wrote:
> people like you do not understand what better badly does work than
> well not works. and it is not our(not ordinary users) fault that the
Seriously, cipher, you're just spewing word salad again.
And it sounds vaguely like abuse, aimed at people who were in fact
tead. teo and your ideal fucking unix system is
"hello, world!" with two remote holes in the default install. but you
are too d^Hstubborn to understand that such a system is not necessary
for ordinary users. i like pf and i hate dirty monkey's style of
linux, but there will come a time when this will not be enough to
choose obsd
On Mar 30, 2018 4:08 AM, Mihai Popescu wrote:
>
> > You would need a 1/4" wrench and a screwdriver tip that fits an impact
> > driver.
>
> I want to see you using your method for a deep sunken screw inside a
> cylindrical channel of a case.
> You can give a chance to the other
> You would need a 1/4" wrench and a screwdriver tip that fits an impact driver.
I want to see you using your method for a deep sunken screw inside a
cylindrical channel of a case.
You can give a chance to the other guy, too.
People like you do not understand concepts like evolution, smart
tools,
> man pf.conf is your friend, please consult there before letting
> resentment stew for years next time, huh?
why are you silent? do you have the courage to admit that the famous
russian comedian zadornov was right when said "ну тупые!"? ;)
> On 03/28/18 22:03, 3 wrote:
>> maybe im so dumb and blind to see pflow here.. and maybe deal not in
>> me. where is pflow?
> pflow gets the data it exports from the state table.
> Blocked connections do not create state table entries.
> This means that pflow does not have the information
You wrote on 29 March 2018, 16:35:45:
> On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote:
>> > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
>> >> > On 03/28/18 15:04, 3 wrote:
>> >> >> hi guys. when the pflow option first appeared, i was surprised by the
>> >> >> stupidity of those who implemented
On Mar 29, 2018 8:35 AM, Eric Furman wrote:
>
> On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote:
> > > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
> > >> > On 03/28/18 15:04, 3 wrote:
> > >> >> hi guys. when the pflow option first appeared, i was surprised by the
> > >>
On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote:
> > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
> >> > On 03/28/18 15:04, 3 wrote:
> >> >> hi guys. when the pflow option first appeared, i was surprised by the
> >> >> stupidity of those who implemented it- pflow could not be specified
> >> >> for
On 03/28/18 22:03, 3 wrote:
> maybe im so dumb and blind to see pflow here.. and maybe deal not in
> me. where is pflow?
pflow gets the data it exports from the state table.
Blocked connections do not create state table entries.
This means that pflow does not have the information you're
user and tired of fighting hands-from-ass
> developers. can anyone share their hacks for this?
>
> ps: sry for my english
The English is mostly readable, the attitude is rather abrasive though.
pflow hooks into pf states. There is no state for a blocked packet.
I think you'll be happie
3(ba...@yandex.ru) on 2018.03.29 02:10:29 +0300:
> > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
> >> > On 03/28/18 15:04, 3 wrote:
> >> >> hi guys. when the pflow option first appeared, i was surprised by the
> >> >> stupidity of those who implemented it- pflow could not be specified
> >> >>
> 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
>> > On 03/28/18 15:04, 3 wrote:
>> >> hi guys. when the pflow option first appeared, i was surprised by the
>> >> stupidity of those who implemented it- pflow could not be specified
>> >> for block-rules, i.e. dropped packets were not taken into
3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300:
> > On 03/28/18 15:04, 3 wrote:
> >> hi guys. when the pflow option first appeared, i was surprised by the
> >> stupidity of those who implemented it- pflow could not be specified
> >> for block-rules, i.e. dropped packets were not taken into
> https://man.openbsd.org/pflow.4
> On Wed, Mar 28, 2018 at 4:03 PM, 3 wrote:
>> On 03/28/18 15:04, 3 wrote:
>>> hi guys. when the pflow option first appeared, i was surprised by the
>>> stupidity of those who implemented it- pflow could not be specified
>>> for block-rules,
https://man.openbsd.org/pflow.4
On Wed, Mar 28, 2018 at 4:03 PM, 3 wrote:
> > On 03/28/18 15:04, 3 wrote:
> >> hi guys. when the pflow option first appeared, i was surprised by the
> >> stupidity of those who implemented it- pflow could not be specified
> >> for block-rules,
> On 03/28/18 15:04, 3 wrote:
>> hi guys. when the pflow option first appeared, i was surprised by the
>> stupidity of those who implemented it- pflow could not be specified
>> for block-rules, i.e. dropped packets were not taken into account. as
> hm. you've suffered nine years of this stupidity
On 03/28/18 15:04, 3 wrote:
> hi guys. when the pflow option first appeared, i was surprised by the
> stupidity of those who implemented it- pflow could not be specified
> for block-rules, i.e. dropped packets were not taken into account. as
hm. you've suffered nine years of this stupidity of
hi guys. when the pflow option first appeared, i was surprised by the
stupidity of those who implemented it- pflow could not be specified
for block-rules, i.e. dropped packets were not taken into account. as
a result of this approach, the usefulness of pflow sought to zero for
those cases where
Hi,
I wrote a patch to program a very simple steganographic buffer into the pf
firewalling system. However I'm running into a problem. It turns out at
least to me, that pf's scrub gets called twice on output. Why is this?
I'm making my patch available and the program to program the buffer
Hi, I have an OpenBSD box setup as a firewall and gateway with DHCP. I
was thinking about adding VPN to the box. Is it possible to install
OpenVPN, establish a tunnel via a third party VPN provider (like PIA), and
then have PF redirect some traffic through that tunnel based upon IP
addresses
Hi you OpenBSD pro:s…
I have question regarding PF and thread use in kernel.
If I got it right PF is single thread.
Today the firewall I use uses a Jetway JNF9HG-2930 longlife 4 core N2930 @
1.83GHz Celeron mainboard. It runs an OpenBSD 6.2 stable SMP kernel as I have
not seen a penalty
config pf config to allow all
traffic forwarding to *em0*?
tly after that few customers contacted me
>> >> that they are getting nat type 3 on their xbox\playstation.
>> >> When doing some investigation, I noticed that binat-to
>> >> rules have static-port specified, but looking into states
>> >> table, they
e 3 on their xbox\playstation.
> >> When doing some investigation, I noticed that binat-to
> >> rules have static-port specified, but looking into states
> >> table, they were actually not mapped statically. Failing
> >> over to backup box still running 5.9 with iden
ly mapped statically and online gaming
>> on consoles works fine.
>>
>> I tried to do some investigation, but am not aware of any
>> change in pf syntax. So wondering if anyone would be
>> able to confirm this behavior?
>>
>> this is in rules:
>>
>> pa
er to backup box still running 5.9 with identical ruleset,
> ports are actually mapped statically and online gaming
> on consoles works fine.
>
> I tried to do some investigation, but am not aware of any
> change in pf syntax. So wondering if anyone would be
> able to confirm thi
ng into states
table, they were actually not mapped statically. Failing
over to backup box still running 5.9 with identical ruleset,
ports are actually mapped statically and online gaming
on consoles works fine.
I tried to do some investigation, but am not aware of any
change in pf syntax. So wonde
into states
table, they were actually not mapped statically. Failing
over to backup box still running 5.9 with identical ruleset,
ports are actually mapped statically and online gaming
on consoles works fine.
I tried to do some investigation, but am not aware of any
change in pf syntax. So wondering
Thank you Kapetanakis Giannis and Mike Coddington for your helpful
replies. I will now use /3, since I do not think that I will use
multicast.
Regards,
ab
(Resending, I fessed up the inline reply)
Arigato gojaimas Trondd san for your very helpful reply.
I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.
Arigato gojaimas Trondd san for your very helpful reply.
Sent: Thursday, January 11, 2018 at 3:17 AM
From: trondd <tro...@kagu-tsuchi.com>
To: "Aham Brahmasmi" <aham.brahma...@gmx.com>
Cc: misc@openbsd.org
Subject: Re: Probable mistake in PF tagging example ruleset or
List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in
> https://www.openbsd.org/faq/pf/example1.html.
>
> I think it should be /3, but I am still learning pf.
>
> Thanks.
>
> Regards,
> ab
>
See here:
https://www.iana.org/assignments/ipv4-address-space/ipv4-ad
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, the
The Text
> Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in
> https://www.openbsd.org/faq/pf/example1.html.
>
> I think it should be /3, but I am still learning pf.
224.0.0.0/3 would include the 240.0.0.0/4 block as well. For what it's
worth, I use 224.0
Hi,
I am trying to learn and understand the pf tagging mechanism. I was
wondering whether my understanding of the order in the example at
https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
there might be a mistake in the order. The relevant lines are
...
pass out on egress
://www.openbsd.org/faq/pf/example1.html.
I think it should be /3, but I am still learning pf.
Thanks.
Regards,
ab
On Thu, Jan 4, 2018 at 8:09 AM, Jon S <jonsjost...@gmail.com> wrote:
> This led to my first experiences with pf. After some work I came up with
> what's below. It works as I want it to work, but I wonder if there is a way
> to create a rule where incoming traffic to the in
g file server and firewall services on
> single box
>
> > This led to my first experiences with pf. After some work I came up
> > with what's below. It works as I want it to work, but I wonder if
> > there is a way to create a rule where incoming traffic to the
> > internal
combining file server and firewall services on
single box.
> This led to my first experiences with pf. After some work I came up
> with what's below. It works as I want it to work, but I wonder if
> there is a way to create a rule where incoming traffic to the
> internal NIC (re0) is
Hello misc!
My OpenBSD file server just became a router too (after getting a new
internet connection where the provider does not include a router in the
subscription).
This led to my first experiences with pf. After some work I came up with
what's below. It works as I want it to work, but I wonder
Hi Freddy,
I just ran some further benchmarks between your first and second script,
compared to mine, and again similar results were found. Your second
script was significantly faster than the first, but still didn't match
the grep-piped-into-awk config.
This shouldn't be the case though. I
nkproto lacp trunkport iwn0 trunkport athn0 192.168.20.1 netmask
> 255.255.255.0
> #trunkproto loadbalance trunkport iwn0 trunkport athn0 192.168.20.1
> netmask 255.255.255.0
do not assign an IP and run dhclient on trunk0!
> By PF I set trunk0 as an egress interface in PF instead of pre
I have tried using all awk for the script before, but I find piping the
grep output into awk to be 2-3x faster on the Edgerouter Lite. I just
ran some timed tests for your script against mine on the ErLite, and I
got similar results, with my script completing in ~6 seconds against the
--- Forwarded message content ---
Subject: Re: trunk0 link aggregation interface and PF rules not working
Date: Sat, 30 Dec 2017 14:09:16 +0100
From: Krzysztof Strzeszewski <krz...@krzy.ch>
To: Denis <den...@mindall.org>
link aggregation uses at the s
athn0 192.168.20.1 netmask
255.255.255.0
#trunkproto lacp trunkport iwn0 trunkport athn0 192.168.20.1 netmask
255.255.255.0
#trunkproto loadbalance trunkport iwn0 trunkport athn0 192.168.20.1
netmask 255.255.255.0
By PF I set trunk0 as an egress interface in PF instead of previously
used athn0
> Hi everyone,
Hello,
[ snip ]
> cat hosts | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\"
> redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf
awk 'NF == 2 && $1 == "0.0.0.0" && $2 ~ /^[a-z0-9]/ { print "local-zone: \"" $2
"\" redirect\nlocal-data: \"" $2 " A " $1 "\"" }' host >
://www.openbsd.org/faq/pf/example1.html
I've included some example files from an Edgerouter I have set up.
They are trimmed down for brevity's sake; the conf files are not
production ready, these are merely examples.
This setup is easily customizable, if you come across any other block
lists you
Hi Peter,
On 12/14/17 9:27 PM, Peter N. M. Hansteen wrote:
If you have thoughts on what you would like to see in a tutorial session
and would like to share them either with me or the list, we would love
to hear from you.
What are the risks of ICMP and ICMP6? Is it reasonable to filter
these
to geographically
prohibited contents (e.g. censorship, etc.).
Thanks!
On 14 Dec 2017 9:31 PM, "Peter N. M. Hansteen" <pe...@bsdly.net> wrote:
> We're in the process of preparing for upcoming conferences with updates
> to the ever-in-progress PF tutorial.
>
> If you hav