pf: matching untagged traffic

2018-07-24 Thread Damien Miller
Hi, Is it possible for pf to match traffic that has not been tagged? It seems possible to match a tag, or traffic that lacks a particular tag but I can't see any way to match traffic that has no tag at all? Any clues? Context: I'd like to tag at input particular traffic for specific outbound

Re: Can I ask a question about PF Here?

2018-07-17 Thread Stuart Henderson
On 2018/07/17 06:47, Joseph Mayer wrote: > On July 17, 2018 3:18 PM, Stuart Henderson wrote: > > On 2018-07-16, Antonino Sidoti n...@sidoti.id.au wrote: > > > Hi, > > > > > > Before I go into too much detail, where is the appropriate place to get > >

Re: Can I ask a question about PF Here?

2018-07-17 Thread Peter N. M. Hansteen
On 07/17/18 00:57, Antonino Sidoti wrote: > Before I go into too much detail, where is the appropriate place to get help > for PF related problems? I am really stuck and need some assistance in > understanding PF. I can provide diagrams, configuration files too to make it > c

Re: Can I ask a question about PF Here?

2018-07-17 Thread Joseph Mayer
On July 17, 2018 3:18 PM, Stuart Henderson wrote: > On 2018-07-16, Antonino Sidoti n...@sidoti.id.au wrote: > > Hi, > > > > Before I go into too much detail, where is the appropriate place to get help > > for PF related problems? I am really stuck and need some assis

Re: Can I ask a question about PF Here?

2018-07-17 Thread Stuart Henderson
On 2018-07-16, Antonino Sidoti wrote: > Hi, > > Before I go into too much detail, where is the appropriate place to get help > for PF related problems? I am really stuck and need some assistance in > understanding PF. I can provide diagrams, configuration files too to make it

Re: Best pf practices to limit ddos attacks

2018-07-16 Thread Walt
On July 16, 2018 8:14 PM, Ax0n a...@h-i-r.net wrote: > On Mon, Jul 16, 2018, 19:39 Walt neurobot...@protonmail.ch wrote: > > > I'm not sure what would be useful for when we are the target of an attack.  > > It seems to me that when the attack is going on, our bandwidth is so > > saturated

Re: Best pf practices to limit ddos attacks

2018-07-16 Thread Ax0n
On Mon, Jul 16, 2018, 19:39 Walt wrote: > > I'm not sure what would be useful for when we are the target of an > attack. It seems to me that when the attack is going on, our bandwidth is > so saturated that I'm not sure what we can do except to wait it out or to > pay our provider to help

Best pf practices to limit ddos attacks

2018-07-16 Thread Walt
With the prevalence of ddos attacks today, are there any steps we can do to limit them. We've been the subject of a few ddos attacks over the last 15 years lasting anywhere between a couple of hours and several days. One lasted a week or two but was largely broken into two parts -- the first

Re: Can I ask a question about PF Here?

2018-07-16 Thread Jordan Geoghegan
On 07/16/18 15:57, Antonino Sidoti wrote: Hi, Before I go into too much detail, where is the appropriate place to get help for PF related problems? I am really stuck and need some assistance in understanding PF. I can provide diagrams, configuration files too to make it clearer. Thanks

Can I ask a question about PF Here?

2018-07-16 Thread Antonino Sidoti
Hi, Before I go into too much detail, where is the appropriate place to get help for PF related problems? I am really stuck and need some assistance in understanding PF. I can provide diagrams, configuration files too to make it clearer. Thanks in advance Nino

pf(4) queuing and interfaces

2018-07-15 Thread David Higgs
My wireless AP puts traffic from each WiFi network (trusted, guests, etc.) into a separate VLAN, which are then picked up by my OpenBSD router and filtered appropriately via pf rules. In other words: em1 is for untagged traffic to the AP itself vlan100 has parent em1 and is for my "tr

why is this pf rule logging?

2018-06-23 Thread Mike
OpenBSD 6.3, amd64 I am seeing this record being logged by pf. The rule specified in the record does not have logging enabled. I must be missing something simple as to why it is logging, but I can't see it. 20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0: fe80::1a8b

Re: Pf syntax, need help understanding an example

2018-06-07 Thread Johan Mellberg
2018-06-06 13:55 GMT+02:00 Stuart Henderson : > On 2018-06-06, Johan Mellberg wrote: > with ext_if="re0", $ext_if expands to re0. > > If this is used in place of an address in a PF rule, re0's address is > looked up when pfctl is run and that is used. >

Re: Pf syntax, need help understanding an example

2018-06-06 Thread Stuart Henderson
On 2018-06-06, Johan Mellberg wrote: > Hi, > > I am working my way through "The Book of Pf" and got hung up on the > example on page 31 of edition 3 (I am reading edition 2 but the > example seems to be identical in edition 3): > > ext_if = "re0"

Re: Pf syntax, need help understanding an example

2018-06-06 Thread Gregory Edigarov
hi, $ext_if - expands to the name of the interface; ($ext_if) - expands to the IP address assigned to the interface. On 06.06.18 12:21, Johan Mellberg wrote: Hi, I am working my way through "The Book of Pf" and got hung up on the example on page 31 of edition 3 (I am reading

Pf syntax, need help understanding an example

2018-06-06 Thread Johan Mellberg
Hi, I am working my way through "The Book of Pf" and got hung up on the example on page 31 of edition 3 (I am reading edition 2 but the example seems to be identical in edition 3): ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE int_if = "

Re: Can SSH report successful connections to pf?

2018-05-11 Thread Lampshade
>At the end of a "pass" rule in pf.conf, the author adds: > > max‐src‐conn 3, max‐src‐conn‐rate 2/5, overload flush global > >which means: > > "any source can only have a total of three connections, > and they may not create them at a rate faster than two > every five minutes. If

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets tra

2018-05-09 Thread Martin Gignac
> Not sure if it's going to be any use for your particular setup, but if > these are coming in as AS External LSAs ("ospfctl sh da ext") and you > have a way to get an "External route tag" set on them, you can have > ospfd tag the routes with a route label,

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets tra

2018-05-09 Thread Stuart Henderson
>> If you want PF, go back and read about it. Learn to handle it in the >> way it was designed, don't try to blend it to whatever you used >> before. It's useless if you do that. PF has evolved over time to fit in with what developers have needed... Not to say that's somethi

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets tra

2018-05-09 Thread Martin Gignac
> If you want PF, go back and read about it. Learn to handle it in the > way it was designed, don't try to blend it to whatever you used > before. It's useless if you do that. I get your point, I really do. I'm just trying to figure out a way *not* to have to specify each and every subn

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets tra

2018-05-08 Thread Mihai Popescu
it is designed and configured! Change that and you will move it to your coolOS. If you want PF, go back and read about it. Learn to handle it in the way it was designed, don't try to blend it to whatever you used before. It's useless if you do that. Thanks.

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martijn van Duren
On 05/07/18 23:51, Martin Gignac wrote: >> It looks like 'received-on' would be a cleaner and shorter way to >> achieve my goal by allowing me to specify inbound and outbound >> interfaces in the same rule. >> > > I think I spoke too quickly; it would be an alternative way, but not a > shorter one

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Peter N. M. Hansteen
On 05/07/18 18:40, Martin Gignac wrote: > In an OpenBSD pf rule however, a rule only references a single > interface and a direction (in, out). This is not correct. It's perfectly valid and not unusual to have rules like pass from 10.2.3.0/24 (or 'pass to $somenet'). The default state-

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> It looks like 'received-on' would be a cleaner and shorter way to > achieve my goal by allowing me to specify inbound and outbound > interfaces in the same rule. > I think I spoke too quickly; it would be an alternative way, but not a shorter one as I would still need the initial "pass in lab01"

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> You could also replace the above with "pass in on $lab02 received-on $lab01". Oh, I completely missed the 'received-on' statement in the OpenBSD pf.conf man page! (I have to support a pfSense for the moment so I'm alternating between the OpenBSD and FreeBSD man pages [the latter does not

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> I imagine you meant "pass out on $lab02 tagged from_lab01". You're absolutely right Ken! Thanks, -Martin

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Daniel Melameth
>> enforce something like "all traffic from lab01 to lab02 is allowed by >> default, but all traffic from lab02 to lab01 is denied by default". >> In this case lab01 and lab02 are bound to different interfaces >> (obviously), but behind each interface is another rout

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Daniel Melameth
to lab01 is denied by default". > In this case lab01 and lab02 are bound to different interfaces > (obviously), but behind each interface is another router to which are > attached a changing number of subnets, so I want to avoid having to > update subnet lists in my pf rules constant

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Kenneth Gober
On Mon, May 7, 2018 at 12:40 PM, Martin Gignac wrote: > set state-policy if-bound > > block > > pass in on $lab01 tag from_lab01 > pass in on $lab02 tag from_lab02 > > pass in on $lab02 tagged from_lab01 > block out on $lab01 tagged from_lab02 > > Does this

How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
In Linux, the FORWARD chain is used for all traffic traversing the firewall and not destined for it. The firewall chain allows the administrator to filter based on incoming interface *and* outgoing interface. In an OpenBSD pf rule however, a rule only references a single interface and a dire

User-space TCP/IP testing with tap, bridge and PF

2018-05-05 Thread Xavier Guerin
Hello list, I am developing a userspace TCP/IP stack. Most of the time on my servers I use special NICs and API to bypass the kernel. When on the go I'd like to do the same on my OpenBSD dev laptop. I chose to use tap + bridge and some PF-fu to try to make it work, but after several fruitless

Re: Can SSH report successful connections to pf?

2018-05-05 Thread Luke Small
Cool! On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri < andreas.kah...@icm.uu.se> wrote: > On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote: > > > > You might want to parse /var/log/authlog and the logrotated > authlog.[0-9].gz > > for successful and unsuccessful

Re: Can SSH report successful connections to pf?

2018-05-05 Thread Peter N. M. Hansteen
On 05/05/18 01:56, Kapfhammer, Stefan wrote: > > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz > for successful and unsuccessful logins and then add the unsuccessful logins > with pfctl to a blocked table. To have it permanent after a reboot you can > write > with

Re: Can SSH report successful connections to pf?

2018-05-05 Thread Stuart Henderson
On 2018-05-04, Kapfhammer, Stefan wrote: > > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz This wheel has been invented several times, if someone wants to make their own they should study revisions to past designs as there have been some nasty

Re: Can SSH report successful connections to pf?

2018-05-05 Thread Etienne
On 04/05/18 23:16, Luke Small wrote: Can SSH and possibly other programs be more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better? See this paper, that might contain what you're trying to achieve: https://www.sans.org/reading-room

Re: Can SSH report successful connections to pf?

2018-05-05 Thread Andreas Kusalananda Kähäri
On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote: > > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz > for successful and unsuccessful logins and then add the unsuccessful logins > with pfctl to a blocked table. To have it permanent after a reboot

Re: Can SSH report successful connections to pf?

2018-05-04 Thread IL Ka
If you want to open gate for those, who authenticated using ssh, you may need authpf(8) (known as Authentication Gateway) https://www.openbsd.org/faq/pf/authpf.html

Re: Can SSH report successful connections to pf?

2018-05-04 Thread Kapfhammer, Stefan
g 5 May 2018 00:16 To: openbsd-misc Subject: Can SSH report successful connections to pf? Can SSH and possibly other programs be more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better?

Re: Can SSH report successful connections to pf?

2018-05-04 Thread Tony Boston
On 05/05/18 00:16, Luke Small wrote: > Can SSH and possibly other programs be more easily able to report successful > connections so pf can make stricter bruteforce connection rejecting even > better? > Hi, could be just me but I didn't get what you want to achieve really. Could

Can SSH report successful connections to pf?

2018-05-04 Thread Luke Small
Can SSH and possibly other programs be more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better?

Re: ICMPv6 Neighbor Advertisement PF Weirdness

2018-04-30 Thread Joe Crivello
, but shared the same subnet with other interfaces. Obviously this resulted in an "unusual" route table -- but it is unclear to us why the previously described PF problem manifested in the way it did -- especially given that the ICMPv6 packet used link-local addresses, and the pass rule did

ICMPv6 Neighbor Advertisement PF Weirdness

2018-04-30 Thread Joe Crivello
Hello -- While configuring a new firewall, I noticed that pflog0 was showing that some ICMPv6 neighbor advertisement packets were being blocked in on vlan51, which is a sub-interface of vmx1 (a vmxnet3 interface using VGT). I added a PF rule allowing this traffic to pass. However, even after

Re: pf: certain recursive macros causing syntax error

2018-04-12 Thread Aham Brahmasmi
> Sent: Thursday, April 12, 2018 at 5:57 AM > From: "Theo de Raadt" <dera...@openbsd.org> > To: "Aham Brahmasmi" <aham.brahma...@gmx.com> > Cc: misc@openbsd.org > Subject: Re: pf: certain recursive macros causing syntax error > > Aham Brahma

Re: pf: certain recursive macros causing syntax error

2018-04-11 Thread Theo de Raadt
Aham Brahmasmi wrote: > Hello misc, > > Recursive macros which include macros containing certain specific > characters cause syntax errors. > > Steps > $ cat pftemp.conf > forwardslash = "100/10" > #forwardslashrecursive = $forwardslash > number = "100" >

pf: certain recursive macros causing syntax error

2018-04-11 Thread Aham Brahmasmi
Hello misc, Recursive macros which include macros containing certain specific characters cause syntax errors. Steps $ cat pftemp.conf forwardslash = "100/10" #forwardslashrecursive = $forwardslash number = "100" numberrecursive = $number string = "keep" #stringrecursive = $string ip = "0.0.0.0"

Re: counting dropped packets for pf

2018-03-30 Thread Mihai Popescu
> ... better badly does work ... If it is so, then it should not be done from the start. A bad implementation can trigger other problems. Try to think a little bit. ( hint: Chernobyl)

Re: counting dropped packets for pf

2018-03-30 Thread 3
> On Fri, Mar 30, 2018 at 9:58 AM, 3 wrote: >> perhaps my poor english prevented you from understanding the question > perhaps >> my initial approach does work. do you have comments about route-to? > If people do not understand the words you use to represent the ideas > you

Re: counting dropped packets for pf

2018-03-30 Thread Raul Miller
On Fri, Mar 30, 2018 at 10:35 AM, 3 wrote: > i showed my idea on the example of pf's config- this language should > be familiar to you ... > no more effective ways. the variant with pfctl is a kolhoz-style (ugly > and ineffective), it requires a lot of work to convert data into >

Re: counting dropped packets for pf

2018-03-30 Thread Raul Miller
On Fri, Mar 30, 2018 at 9:58 AM, 3 wrote: > perhaps my poor english prevented you from understanding the question perhaps > my initial approach does work. do you have comments about route-to? If people do not understand the words you use to represent the ideas you were

Re: counting dropped packets for pf

2018-03-30 Thread 3
> On 03/30/18 13:32, 3 wrote: >> people like you do not understand what better badly does work than >> well not works. and it is not our(not ordinary users) fault that the > Seriously, cipher, you're just spewing word salad again. > And it sounds vaguely like abuse, aimed at people who were in

Re: counting dropped packets for pf

2018-03-30 Thread Peter N. M. Hansteen
On 03/30/18 13:32, 3 wrote: > people like you do not understand what better badly does work than > well not works. and it is not our(not ordinary users) fault that the Seriously, cipher, you're just spewing word salad again. And it sounds vaguely like abuse, aimed at people who were in fact

Re: counting dropped packets for pf

2018-03-30 Thread 3
tead. teo and your ideal fucking unix system is "hello, world!" with two remote holes in the default install. but you are too d^Hstubborn to understand that such a system is not necessary for ordinary users. i like pf and i hate dirty monkey's style of linux, but there will come a time when this will not be enough to choose obsd

Re: counting dropped packets for pf

2018-03-30 Thread edgar
On Mar 30, 2018 4:08 AM, Mihai Popescu wrote: > > > You would need a 1/4" wrench and a screwdriver tip that fits an impact > > driver. > > I want to see you using your method for a deep sunken screw inside a > cylindrical channel of a case. > You can give a chance to the other

Re: counting dropped packets for pf

2018-03-30 Thread Mihai Popescu
> You would need a 1/4" wrench and a screwdriver tip that fits an impact driver. I want to see you using your method for a deep sunken screw inside a cylindrical channel of a case. You can give a chance to the other guy, too. People like you do not understand concepts like evolution, smart tools,

Re: counting dropped packets for pf

2018-03-30 Thread 3
> man pf.conf is your friend, please consult there before letting > resentment stew for years next time, huh? why are you silent? do you have the courage to admit that the famous russian comedian zadornov was right when he said "well, they're dumb!"? ;)

Re: counting dropped packets for pf

2018-03-29 Thread 3
> On 03/28/18 22:03, 3 wrote: >> maybe im so dumb and blind to see pflow here.. and maybe deal not in >> me. where is pflow? > pflow gets the data it exports from the state table. > Blocked connections do not create state table entries. > This means that pflow does not have the information

Re: counting dropped packets for pf

2018-03-29 Thread 3
You wrote on 29 March 2018, 16:35:45: > On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote: >> > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: >> >> > On 03/28/18 15:04, 3 wrote: >> >> >> hi guys. when the pflow option first appeared, i was surprised by the >> >> >> stupidity of those who implemented

Re: counting dropped packets for pf

2018-03-29 Thread edgar
On Mar 29, 2018 8:35 AM, Eric Furman wrote: > > On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote: > > > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: > > >> > On 03/28/18 15:04, 3 wrote: > > >> >> hi guys. when the pflow option first appeared, i was surprised by the > > >>

Re: counting dropped packets for pf

2018-03-29 Thread Eric Furman
On Wed, Mar 28, 2018, at 7:10 PM, 3 wrote: > > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: > >> > On 03/28/18 15:04, 3 wrote: > >> >> hi guys. when the pflow option first appeared, i was surprised by the > >> >> stupidity of those who implemented it- pflow could not be specified > >> >> for

Re: counting dropped packets for pf

2018-03-29 Thread Peter N. M. Hansteen
On 03/28/18 22:03, 3 wrote: > maybe im so dumb and blind to see pflow here.. and maybe deal not in > me. where is pflow? pflow gets the data it exports from the state table. Blocked connections do not create state table entries. This means that pflow does not have the information you're

Re: counting dropped packets for pf

2018-03-29 Thread Stuart Henderson
user and tired of fighting hands-from-ass > developers. can anyone share their hacks for this? > > ps: sry for my english The English is mostly readable, the attitude is rather abrasive though. pflow hooks into pf states. There is no state for a blocked packet. I think you'll be happie

Re: counting dropped packets for pf

2018-03-29 Thread Sebastian Benoit
3(ba...@yandex.ru) on 2018.03.29 02:10:29 +0300: > > 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: > >> > On 03/28/18 15:04, 3 wrote: > >> >> hi guys. when the pflow option first appeared, i was surprised by the > >> >> stupidity of those who implemented it- pflow could not be specified > >> >>

Re: counting dropped packets for pf

2018-03-28 Thread 3
> 3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: >> > On 03/28/18 15:04, 3 wrote: >> >> hi guys. when the pflow option first appeared, i was surprised by the >> >> stupidity of those who implemented it- pflow could not be specified >> >> for block-rules, i.e. dropped packets were not taken into

Re: counting dropped packets for pf

2018-03-28 Thread Sebastian Benoit
3(ba...@yandex.ru) on 2018.03.28 23:03:27 +0300: > > On 03/28/18 15:04, 3 wrote: > >> hi guys. when the pflow option first appeared, i was surprised by the > >> stupidity of those who implemented it- pflow could not be specified > >> for block-rules, i.e. dropped packets were not taken into

Re: counting dropped packets for pf

2018-03-28 Thread 3
> https://man.openbsd.org/pflow.4 > On Wed, Mar 28, 2018 at 4:03 PM, 3 wrote: >> On 03/28/18 15:04, 3 wrote: >>> hi guys. when the pflow option first appeared, i was surprised by the >>> stupidity of those who implemented it- pflow could not be specified >>> for block-rules,

Re: counting dropped packets for pf

2018-03-28 Thread sven falempin
https://man.openbsd.org/pflow.4 On Wed, Mar 28, 2018 at 4:03 PM, 3 wrote: > > On 03/28/18 15:04, 3 wrote: > >> hi guys. when the pflow option first appeared, i was surprised by the > >> stupidity of those who implemented it- pflow could not be specified > >> for block-rules,

Re: counting dropped packets for pf

2018-03-28 Thread 3
> On 03/28/18 15:04, 3 wrote: >> hi guys. when the pflow option first appeared, i was surprised by the >> stupidity of those who implemented it- pflow could not be specified >> for block-rules, i.e. dropped packets were not taken into account. as > hm. you've suffered nine years of this stupidity

Re: counting dropped packets for pf

2018-03-28 Thread Peter N. M. Hansteen
On 03/28/18 15:04, 3 wrote: > hi guys. when the pflow option first appeared, i was surprised by the > stupidity of those who implemented it- pflow could not be specified > for block-rules, i.e. dropped packets were not taken into account. as hm. you've suffered nine years of this stupidity of

counting dropped packets for pf

2018-03-28 Thread 3
hi guys. when the pflow option first appeared, i was surprised by the stupidity of those who implemented it- pflow could not be specified for block-rules, i.e. dropped packets were not taken into account. as a result of this approach, the usefulness of pflow sought to zero for those cases where

monkeying around with pf (why scrub twice?)

2018-03-17 Thread Peter J. Philipp
Hi, I wrote a patch to program a very simple steganographic buffer into the pf firewalling system. However I'm running into a problem. It turns out at least to me, that pf's scrub gets called twice on output. Why is this? I'm making my patch available and the program to program the buffer

PF redirect traffic to TUN/VPN

2018-03-14 Thread Martin Hanson
Hi, I have an OpenBSD box setup as a firewall and gateway with DHCP. I was thinking about adding VPN to the box. Is it possible to install OpenVPN, establish a tunnel via a third party VPN provider (like PIA), and then have PF redirect some traffic through that tunnel based upon IP addresses

PF, CPU cores and usage of CPU turbo

2018-02-24 Thread Per-Olov Sjöholm
Hi you OpenBSD pro:s… I have a question regarding PF and thread use in kernel. If I got it right PF is single thread. Today the firewall I use uses a Jetway JNF9HG-2930 longlife 4 core N2930 @ 1.83GHz Celeron mainboard. It runs an OpenBSD 6.2 stable SMP kernel as I have not seen a penalty

PF command for pass all traffic from em1 to em0 interface

2018-02-05 Thread Mohammad BadieZadegan
config pf config to allow all traffic forwarding to *em0*?

Re: [6.2] pf nat-to ignoring static-port?

2018-01-24 Thread Martin Hlavatý
tly after that few customers contacted me >> >> that they are getting nat type 3 on their xbox\playstation. >> >> When doing some investigation, I noticed that binat-to >> >> rules have static-port specified, but looking into states >> >> table, they

Re: [6.2] pf nat-to ignoring static-port?

2018-01-23 Thread Michael Price
e 3 on their xbox\playstation. > >> When doing some investigation, I noticed that binat-to > >> rules have static-port specified, but looking into states > >> table, they were actually not mapped statically. Failing > >> over to backup box still running 5.9 with iden

Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Martin Hlavatý
ly mapped statically and online gaming >> on consoles works fine. >> >> I tried to do some investigation, but am not aware of any >> change in pf syntax. So wondering if anyone would be >> able to confirm this behavior? >> >> this is in rules: >> >> pa

Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Michael Price
er to backup box still running 5.9 with identical ruleset, > ports are actually mapped statically and online gaming > on consoles works fine. > > I tried to do some investigation, but am not aware of any > change in pf syntax. So wondering if anyone would be > able to confirm thi

Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Jordan Geoghegan
ng into states table, they were actually not mapped statically. Failing over to backup box still running 5.9 with identical ruleset, ports are actually mapped statically and online gaming on consoles works fine. I tried to do some investigation, but am not aware of any change in pf syntax. So wonde

[6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Martin Hlavatý
into states table, they were actually not mapped statically. Failing over to backup box still running 5.9 with identical ruleset, ports are actually mapped statically and online gaming on consoles works fine. I tried to do some investigation, but am not aware of any change in pf syntax. So wondering

Re: Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-11 Thread Aham Brahmasmi
Thank you Kapetanakis Giannis and Mike Coddington for your helpful replies. I will now use /3, since I do not think that I will use multicast. Regards, ab

Re: Probable mistake in PF tagging example ruleset order

2018-01-11 Thread Aham Brahmasmi
(Resending, I fessed up the inline reply) Thank you very much, Trondd-san, for your very helpful reply. I had understood from the documentation that tags were sticky. I also understood that a packet can only have zero or one tag at any time. Also, that a tag cannot be removed, but only replaced.

Re: Probable mistake in PF tagging example ruleset order

2018-01-11 Thread Aham Brahmasmi
Thank you very much, Trondd-san, for your very helpful reply. Sent: Thursday, January 11, 2018 at 3:17 AM From: trondd <tro...@kagu-tsuchi.com> To: "Aham Brahmasmi" <aham.brahma...@gmx.com> Cc: misc@openbsd.org Subject: Re: Probable mistake in PF tagging example ruleset or

Re: Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-11 Thread Kapetanakis Giannis
List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in > https://www.openbsd.org/faq/pf/example1.html. > > I think it should be /3, but I am still learning pf. > > Thanks. > > Regards, > ab > See here: https://www.iana.org/assignments/ipv4-address-space/ipv4-ad

Re: Probable mistake in PF tagging example ruleset order

2018-01-10 Thread trondd
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote: > Hi, > > I am trying to learn and understand the pf tagging mechanism. I was > wondering whether my understanding of the order in the example at > https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, the

Re: Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-10 Thread Mike Coddington
The Text > Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in > https://www.openbsd.org/faq/pf/example1.html. > > I think it should be /3, but I am still learning pf. 224.0.0.0/3 would include the 240.0.0.0/4 block as well. For what it's worth, I use 224.0

Probable mistake in PF tagging example ruleset order

2018-01-10 Thread Aham Brahmasmi
Hi, I am trying to learn and understand the pf tagging mechanism. I was wondering whether my understanding of the order in the example at https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then there might be a mistake in the order. The relevant lines are ... pass out on egress

Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-10 Thread Aham Brahmasmi
://www.openbsd.org/faq/pf/example1.html. I think it should be /3, but I am still learning pf. Thanks. Regards, ab

Re: Simplifying pf-rules

2018-01-07 Thread Kenneth Gober
On Thu, Jan 4, 2018 at 8:09 AM, Jon S <jonsjost...@gmail.com> wrote: > This led to my first experiences with pf. After some work I came up with > what's below. It works as I want it to work, but I wonder if there is a way > to create a rule where incoming traffic to the in

Re: Simplifying pf-rules

2018-01-05 Thread Jon S
g file server and firewall services on > single box > > > This led to my first experiences with pf. After some work I came up > > with what's below. It works as I want it to work, but I wonder if > > there is a way to create a rule where incoming traffic to the > > internal

Re: Simplifying pf-rules

2018-01-04 Thread Marko Cupać
combining file server and firewall services on single box. > This led to my first experiences with pf. After some work I came up > with what's below. It works as I want it to work, but I wonder if > there is a way to create a rule where incoming traffic to the > internal NIC (re0) is

Simplifying pf-rules

2018-01-04 Thread Jon S
Hello misc! My OpenBSD file server just became a router too (after getting a new internet connection where the provider does not include a router in the subscription). This led to my first experiences with pf. After some work I came up with what's below. It works as I want it to work, but I wonder

Re: Addblock + Badhost blocking via unbound(8) and pf anchors

2017-12-31 Thread Jordan Geoghegan
Hi Freddy, I just ran some further benchmarks between your first and second script, compared to mine, and again similar results were found. Your second script was significantly faster than the first, but still didn't match the grep-piped-into-awk config. This shouldn't be the case though. I

Re: trunk0 link aggregation interface and PF rules not working

2017-12-31 Thread Marcus MERIGHI
nkproto lacp trunkport iwn0 trunkport athn0 192.168.20.1 netmask > 255.255.255.0 > #trunkproto loadbalance trunkport iwn0 trunkport athn0 192.168.20.1 > netmask 255.255.255.0 do not assign an IP and run dhclient on trunk0! > By PF I set trunk0 as an egress interface in PF instead of pre

Re: Addblock + Badhost blocking via unbound(8) and pf anchors

2017-12-30 Thread Jordan Geoghegan
I have tried using all awk for the script before, but I find piping the grep output into awk to be 2-3x faster on the Edgerouter Lite. I just ran some timed tests for your script against mine on the ErLite, and I got similar results, with my script completing in ~6 seconds against the

Fwd: Re: trunk0 link aggregation interface and PF rules not working

2017-12-30 Thread Krzysztof Strzeszewski
--- Forwarded message --- Subject: Re: trunk0 link aggregation interface and PF rules not working Date: Sat, 30 Dec 2017 14:09:16 +0100 From: Krzysztof Strzeszewski <krz...@krzy.ch> To: Denis <den...@mindall.org> link aggregation uses at the s

trunk0 link aggregation interface and PF rules not working

2017-12-30 Thread Denis
athn0 192.168.20.1 netmask 255.255.255.0 #trunkproto lacp trunkport iwn0 trunkport athn0 192.168.20.1 netmask 255.255.255.0 #trunkproto loadbalance trunkport iwn0 trunkport athn0 192.168.20.1 netmask 255.255.255.0 By PF I set trunk0 as an egress interface in PF instead of previously used athn0

Re: Addblock + Badhost blocking via unbound(8) and pf anchors

2017-12-30 Thread Freddy DISSAUX
> Hi everyone, Hello, [ snip ] > cat hosts | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" > redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf awk 'NF == 2 && $1 == "0.0.0.0" && $2 ~ /^[a-z0-9]/ { print "local-zone: \"" $2 "\" redirect\nlocal-data: \"" $2 " A " $1 "\"" }' host >

Addblock + Badhost blocking via unbound(8) and pf anchors

2017-12-29 Thread Jordan Geoghegan
://www.openbsd.org/faq/pf/example1.html I've included some example files from an Edgerouter I have set up. They are trimmed down for brevity's sake; the conf files are not production ready, these are merely examples. This setup is easily customizable, if you come across any other block lists you

Re: What would you like to see in upcoming PF tutorials?

2017-12-18 Thread Harald Dunkel
Hi Peter, On 12/14/17 9:27 PM, Peter N. M. Hansteen wrote: If you have thoughts on what you would like to see in a tutorial session and would like to share them either with me or the list, we would love to hear from you. What are the risks of ICMP and ICMP6? Is it reasonable to filter these

Re: What would you like to see in upcoming PF tutorials?

2017-12-18 Thread Paolo Aglialoro
to geographically prohibited contents (e.g. censorship, etc.). Thanks! On 14 Dec 2017 9:31 PM, "Peter N. M. Hansteen" <pe...@bsdly.net> wrote: > We're in the process of preparing for upcoming conferences with updates > to the ever-in-progress PF tutorial. > > If you hav
