Hi!
Thank you for the quick answer!
I have tried what you said, and I experienced that, when pf was not enabled,
then everything went fine (I couldn't see any connection in TIME_WAIT state
with netstat -n; I think the state was removed pretty fast).
Could you explain to me, why this happened?
On Tue, Dec 13, 2005 at 03:12:12PM +0100, Németh Tamás wrote:
With PF:
hping -c 1 -s 60002 -S -p 22 1.2.3.4
14:16:48.379903 00:0c:f1:6b:31:d9 > 00:e0:18:c4:b7:68, ethertype IPv4
(0x0800), length 54: IP 1.2.3.5.60002 > 1.2.3.4.22: S
1809653489:1809653489(0) win 512
14:16:48.381907
On 12/13/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
Insertion and
removal of state entries is costly, if you set pf up to insert a state
for every single SYN and remove one for every single RST, you're exposing
yourself to a DoS attack where an attacker floods you with SYNs and
RSTs like
Subject says it. I'm trying to bring up a new firewall with OpenBSD 3.8
+ pf to replace the aging Linux one here, and something is not clicking
for me between the ears. Right now all I'm trying to do is get NATing
working between the internal network and the internet, but I'm not even
getting that
On Tue, Dec 13, 2005 at 01:22:48PM -0800, Jonathan Rogers wrote:
# Rule 1.5 get stuff in to the firewall for NATing
pass in quick on $good_if inet from $good_net to any
Add 'keep state' to the above rule, so it reads
pass in quick on $good_if inet from $good_net to any keep state
otherwise
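For readers following Daniel's fix, here is a minimal OpenBSD 3.8-era pf.conf that puts the corrected rule in context. This is an added example, not a ruleset from the thread or from the pf project; the interface names, the external interface macro $ext_if and the 192.168.1.0/24 network are assumptions. The explicit `keep state` is the pre-4.1 syntax the thread uses (from OpenBSD 4.1 on, pass rules keep state by default).

```pf
# Added example (not from the thread): minimal NAT ruleset in OpenBSD 3.8 syntax.
ext_if   = "fxp0"            # assumed external interface
good_if  = "fxp1"            # assumed internal interface
good_net = "192.168.1.0/24"  # assumed internal network

scrub in all

# Translate internal source addresses to the external interface's address.
nat on $ext_if inet from $good_net to any -> ($ext_if)

# Default deny, logged to pflog0 so a missing rule is visible rather than silent.
block in log all

# Rule 1.5 with the fix from the thread: 'keep state' creates a state entry on
# the first packet, so reply packets are matched by state, not by a new rule.
pass in quick on $good_if inet from $good_net to any keep state

# Let the translated packets out, also stateful so the replies get back in.
pass out quick on $ext_if inet proto { tcp udp icmp } from any to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -ss` lists the current state entries and `pfctl -si` shows state counters, which is also a direct way to see how quickly entries such as those in the TIME_WAIT question above come and go.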
Daniel:
A _lot_ just fell into place that wasn't connecting before.
Thanks for providing the missing link, not to mention for pf itself.
Much, much appreciated.
-Jon-