"Travis H." <[EMAIL PROTECTED]> writes:
> The TTL is controlled by the authoritative name server, though. And
> what about dynamic DNS?
I wouldn't want to go there. The domain name system is fairly good at
what it was designed to do; unfortunately, firewall configs did not enter
into the equation
Peter writes:
> Putting host names in your PF config files is a practice that comes with
> warnings in large, friendly, red and flashing letters attached.
Ditto. DNS is weak, much weaker than your firewall rules (generally).
DNSSEC helps with some of the problems, but not all, and comes with a
p
I had a tool for ipfilter that would simulate packets hitting it, and
then make sure the reaction was the same as the last edit, and the
whole thing was driven by make.
You're basically asking a similar question to "does this program do
what I want?" which is unsolvable. Asking "does this program
On 2/27/06, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] writes:
>
> > Is there an online guide giving details about how to verify that a rule
> > set does what you want, and how to figure out what's wrong when it's
> > doing something else?
An idea I've been toying with is
Daniel Hartmeier wrote:
> On Mon, Feb 27, 2006 at 10:21:22AM -0500, Chris Smith wrote:
>
>> On Saturday 25 February 2006 19:34, Morten Larsen wrote:
>>> It would be nice if you could do something like:
>>>
>>> block in on $ext_if proto {tcp, udp} from any to any port 135:139
>>> overload flush glo
> Down rule will work if your default gateway is on $ext_if
> pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port
> www keep state probability 50%
It doesn't work either. I didn't debug it, but it seems packets going out
from ext_if2 are coming back to ext_if1 too
The de
On 02/26/2006 04:38:12 PM, [EMAIL PROTECTED] wrote:
PF squawks if a hostname in any of its files is not currently
findable. Is there a reasonable way to have it gracefully skip missing
hosts and carry on?
No. The best you can do is:
1) Do not use hostnames for hosts outside your DNS zones
On Mon, Feb 27, 2006 at 10:21:22AM -0500, Chris Smith wrote:
> On Saturday 25 February 2006 19:34, Morten Larsen wrote:
> > It would be nice if you could do something like:
> >
> > block in on $ext_if proto {tcp, udp} from any to any port 135:139
> > overload flush global
>
> That would sure clea
On Saturday 25 February 2006 19:34, Morten Larsen wrote:
> It would be nice if you could do something like:
>
> block in on $ext_if proto {tcp, udp} from any to any port 135:139
> overload flush global
That would sure clean up the Internet! Quite funny.
But it would really be nice to load a table
On Sat, Feb 25, 2006 at 10:07:42AM +0100, Camiel Dobbelaar wrote:
>
> On Fri, 24 Feb 2006, Jon Hart wrote:
> > scrub all no-df random-id fragment reassemble
> >
> > Any ideas why this is not logged, or is this operator error?
>
> I don't think it's very well known, but you can set 'log' on the s
[EMAIL PROTECTED] writes:
> Is there an online guide giving details about how to verify that a rule
> set does what you want, and how to figure out what's wrong when it's
> doing something else?
To my knowledge, not specifically.
Some people have reported finding the official PF docs a bit mor
On Mon, 26 Feb 2006, [EMAIL PROTECTED] wrote:
> PF squawks if a hostname in any of its files is not currently
> findable. Is there a reasonable way to have it gracefully skip missing
> hosts and carry on?
So your firewall rules can be silently skipped during times of DNS outage
or DoS? That doe
[EMAIL PROTECTED] writes:
> PF squawks if a hostname in any of its files is not currently
> findable. Is there a reasonable way to have it gracefully skip missing
> hosts and carry on?
Putting host names in your PF config files is a practice that comes with
warnings in large, friendly, red and
I want to apply ALTQ-HFSC on PF, but I haven't RTFM'd for HFSC. I
searched on Google, but the site is down.
Does anyone have the RTFM for HFSC, please?
--- Jose Mejia <[EMAIL PROTECTED]> wrote:
>
> Hi all here we go again with that matter :
>
> We've a firewall with 4 interfaces (2 outside to two different
> routers and ISPs, 1 inside and 1 DMZ), the machine is running a Squid
> web proxy too, we wanna make balancing on outgoing connection
Hi Tihomir... thanks for the response
I think Squid is running fine, my default gw is ext_if. I was playing with
multipath too without results. The conf file is really in disorder due to
the try-outs and continuous changes, I'm sorry.
Now I'm not with the machine, but tomorrow I'll post
Is there an online guide giving details about how to verify that a rule
set does what you want, and how to figure out what's wrong when it's
doing something else?
I've found that using the log/tcpdump combination has a tendency to
either produce little, or alternately an avalanche.
Also, log tells
PF squawks if a hostname in any of its files is not currently
findable. Is there a reasonable way to have it gracefully skip missing
hosts and carry on?