Re: Scrub reassemble tcp

2014-12-01 Thread Henning Brauer
the entire scrubbing idea is pretty much abandoned these days. it was a hot topic in the early 2000s (for everybody, not just us). no, don't use tcp reassemble. * Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-21 18:20]: On 2014-11-14 14:54, Henning Brauer wrote: Is anyone using reassemble tcp

Re: Scrub reassemble tcp

2014-11-21 Thread Evaldas Auryla
On 2014-11-14 14:54, Henning Brauer wrote: Is anyone using reassemble tcp with scrub ? Been using this for years without problems, you just didn't notice the problems or didn't hit them. Reassemble tcp isn't 100%, unfortunately, and never was. No changes in ages either. Well, nobody raised a

pfsync and pf tables

2014-11-17 Thread Wayne Cuddy
I have the requirement to NAT one address to 1 of 2 possible destination addresses for a large number of devices. So I have 3 address pools which are composed of these blocks: 10.10.0.0/16 (well known address pool) 10.11.0.0/16 (NAT'd pool A) 10.12.0.0/16 (NAT'd pool B) Target devices allocate

Re: NAT64 troubleshooting

2014-11-14 Thread Stuart Henderson
On 2014/11/13 21:55, Kamil Jiwa wrote: Hi, I've got an IPv6 network that I'd like to connect to an IPv4 network with a NAT64 router. The router has two interfaces with the following configurations: - em0: internal, IPv6 network - IPv4 address: 10.0.66.1/24 - IPv6

Re: Scrub reassemble tcp

2014-11-14 Thread Henning Brauer
* Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-13 19:30]: Is anyone using reassemble tcp with scrub ? Been using this for years without problems, you just didn't notice the problems or didn't hit them. Reassemble tcp isn't 100%, unfortunately, and never was. No changes in ages either.

Re: NAT64 troubleshooting

2014-11-14 Thread Kamil Jiwa
Thanks Stuart. I set the default route on my host and I can see it in my route table but I'm still not able to send out pings. Is there a way I can verify that the packets are making it to PF? Does the order of that command in /etc/pf.conf make a difference? Kamil On Fri, Nov 14, 2014 at 1:25

Scrub reassemble tcp

2014-11-13 Thread Evaldas Auryla
Hi all, Is anyone using reassemble tcp with scrub ? Been using this for years without problems, now all of a sudden having trouble with SMTP exchange with someone, here is the definition I use, on OpenBSD 5.4: match in all scrub (no-df max-mss 1440 random-id reassemble tcp) If I telnet port

NAT64 troubleshooting

2014-11-13 Thread Kamil Jiwa
Hi, I've got an IPv6 network that I'd like to connect to an IPv4 network with a NAT64 router. The router has two interfaces with the following configurations: - em0: internal, IPv6 network - IPv4 address: 10.0.66.1/24 - IPv6 address: fc00::1/64 - em1: external, IPv4

rule def/(short) in tcpdump -e

2014-10-20 Thread Axel Rau
Hi, what does rule def/(short) [uid 0, pid 0] pass in mean in the tcpdumped pflog? Thanks, Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

Re: rule def/(short) in tcpdump -e

2014-10-20 Thread Henning Brauer
* Axel Rau axel@chaos1.de [2014-10-20 12:30]: what does rule def/(short) [uid 0, pid 0] pass in mean in the tcpdumped pflog? def: matched the implicit default rule short: the reason why the packet was dropped - it was shorter than it should have been, aka pbly truncated (or malicious).

Problem with PF in Openbsd 5.5

2014-09-02 Thread Christiano Liberato
Hi, I use version 5.5 of PF in Openbsd, but my external redirects do not work. My structure: Internet - ADSL modem - Local network In my modem, I have dmz directing all traffic to 10.1.1.1 (carp0 in the server) My rules: http://pastebin.com/KChk3eTf I wonder what is wrong. Thanks!

RE: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-25 Thread Kevin Gerrard
Thank you again for the direction. I still do not have it correct but I have a clue why. I am also starting to grasp the pf.conf man page much better. I just wanted to reply back in here out of respect for Mr. Henderson for the direction and to let him know that I am in much better shape now than

RE: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-24 Thread Kevin Gerrard
My many thanks for all the info. I didn't realize that this forum was different from the mailing list of bsd. I receive all the mailing list emails even though I don't understand most of them. I will handle that situation better and it was my fault for posting the wrong place. The CD's are nothing

Re: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-23 Thread Paul B. Henson
On Aug 22, 2014, at 7:15 PM, Kevin Gerrard ke...@txwre.com wrote: I realize that this May seem like a dumb question for one of the developers. There's not much traffic on this pf list. You might have better luck asking on the openbsd misc list, there are a lot more people subscribed to that

Re: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-23 Thread Kevin Gerrard
Thank You, I will see this afternoon, and I appreciate your reply. Can't believe it would be that simple and I missed it. I even have both pf books. Pre 4.6 and post 4.6 Again thank you very much and will read. Kevin Gerrard -- View this message in context:

Re: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-23 Thread Stuart Henderson
On 2014/08/22 19:15, Kevin Gerrard wrote: I realize that this May seem like a dumb question for one of the developers. I didn't expect a detailed message or exact answer. I have spent much time reading different ideas and by doing so learned much more while on this path. I have not posted on

Re: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-22 Thread Kevin Gerrard
I am glad that the post above is screened. It does not need to go public. The proper people will see it and can delete them both if they wish. Again I am not mad or a hater yet do feel that there is a learning curve for even searching the forum. I do read the man pages and do not understand them.

Re: OpenBSD 5.5 set prio 3 and interface shaping

2014-08-22 Thread Kevin Gerrard
I realize that this May seem like a dumb question for one of the developers. I didn't expect a detailed message or exact answer. I have spent much time reading different ideas and by doing so learned much more while on this path. I have not posted on here except a time or two. I have ordered cd's

OpenBSD 5.5 set prio 3 and interface shaping

2014-08-18 Thread Kevin Gerrard
The new rules for prioritizing traffic seem to be very simple to do. In my case we have fiber that we pay for but has a burstable speed. We do not want to use the burstable speeds due to the overcharging that ATT charges to do it. Our fiber pipe that we pay for is 25Mbits at a tower. We have

Re: Are there any RDR 1-to-1 Multiple Rule Shortcuts?

2014-08-15 Thread Daniel Hartmeier
On Thu, Aug 14, 2014 at 02:56:45PM -0400, Alan McKay wrote: internalIPS = { 1 2 3 } externalIPS = { 4 5 6 } pass in quick log on $extIf inet proto tcp from any to (externalIPs) port (some port) rdr-to (internalIPs) Maybe I'm just hallucinating :-) There's no such thing with lists or

Are there any RDR 1-to-1 Multiple Rule Shortcuts?

2014-08-14 Thread Alan McKay
Hi folks, I have a firewall basically masking a bunch of IPs behind it, and a bunch of rules that do RDRs from an IP on interface1 to an IP on interface 2. These are 1-to-1 IP mappings. The firewall has a bunch of CARP IPs defined on the external interface that map back to real IPs (servers)

Re: PF Once rules are not removed from main anchor

2014-06-21 Thread Peter N. M. Hansteen
Alexandr Nedvedicky alexandr.nedvedi...@oracle.com writes: I'm not sure it is the right place to submit patches. Let me know if there is better/more appropriate address for this. I would think t...@openbsd.org would be a more direct route to the currently active PF developers and the OpenBSD

PF Once rules are not removed from main anchor

2014-06-20 Thread Alexandr Nedvedicky
Hello, I'm not sure it is the right place to submit patches. Let me know if there is better/more appropriate address for this. during our testing we've found the once rules are not removed, when used in main anchor. during debugging we found the rules in main anchor have member anchor set to

pf+voip

2014-05-27 Thread Швецов Михаил
Does pf have specific rules for voip, may be example of working pf_rule with voip? Because for «standard rules» i have problems with voip. set skip on lo match out on pppoe0 from { em1:network } nat-to (pppoe0) block pass out pass in on { em1 } - after hanging up, the line near 3 minutes

Re: pf+voip

2014-05-27 Thread Ryan Freeman
On Tue, May 27, 2014 at 01:59:07PM +0400, wrote: Does pf have specific rules for voip, may be example of working pf_rule with voip? Because for «standard rules» i have problems with voip. set skip on lo match out on pppoe0 from { em1:network } nat-to (pppoe0)

re: script to help manage dynamic pf tables

2014-04-29 Thread Mike.
While I was cleaning the script up to make it available here, I introduced a bug. I also found a bug in my use of the expr command. 1) the cleaning bug: As I was moving the clean-up code from being scattered throughout the script to the cleanup function, I made an error during a copy and

script to help manage dynamic pf tables

2014-04-24 Thread Mike.
For a few of the servers I admin, I found the need for the ability to add IP addresses to a pf table temporarily (for a few days, a couple weeks, etc). I grew tired of manually editing the files, so I wrote a script to help me. The script maintains a list of IP addresses for a pf table, along

Re: Openbsd Routing Issues

2014-03-25 Thread peterwkc
I can ping Google DNS (8.8.8.8) from Openbsd machine I cannot ping Google DNS from LAN PC. This has been confirmed by using tcpdump. Please help. Thanks. -- View this message in context: http://openbsd.7691.n7.nabble.com/Openbsd-Routing-Issues-tp244695p244890.html Sent from the openbsd -

Re: Openbsd Routing Issues

2014-03-25 Thread Daniel Hartmeier
I think you're passing some packets statelessly, because you don't block correctly by default: nat on vr0 from !(vr0) to any -> (vr0) round-robin scrub on vr0 all no-df fragment reassemble scrub on vr0 all reassemble tcp block drop in log on vr0 all pass out quick on ath0/rl0 keep state.

Re: Openbsd Routing Issues

2014-03-24 Thread peterwkc
My openbsd version is 4.1. The net.inet.ip.forwarding shows 1. Any other hints ? Please help. Thanks. -- View this message in context: http://openbsd.7691.n7.nabble.com/Openbsd-Routing-Issues-tp244695p244818.html Sent from the openbsd - packet filter mailing list archive at Nabble.com.

Openbsd Routing Issues

2014-03-22 Thread peterwkc
Hello to all, I had try to set up openbsd as home router but eventually it fail to function properly. External Interface (vr0) 192.168.1.2 255.255.255.0 none Internal Interface (rl0) 172.16.10.1 255.255.255.0 none Wireless Interface (ath0) 192.168.5.1 255.255.255.0 none *Routing Table* (route

Re: Openbsd Routing Issues

2014-03-22 Thread Stuart Henderson
Have you set the net.inet.ip.forwarding sysctl? That's a very old version of OpenBSD if the nat on vr0 rule is valid syntax...

Modifying Apple's pf.conf

2014-03-04 Thread Kevin Ingwersen
Hey everyone! I am sitting here with the following situation: I just had to reinstall my OS X a while ago. Currently, this Mac Mini was used as a NAT router. It uses its Wifi to connect to the dorms internet, and is supposed to dish the data thru its ethernet port: Dorms Wifi — Mac

Re: Xbox Live Help

2013-12-12 Thread secucatcher
hi it was working for me years ago with static-port example: nat on vr0 from 192.168.0.33 to any -> (vr0) static-port nat on vr0 from 192.168.0.34 to any -> (vr0) static-port rdr on vr0 inet proto udp from any to vr0 port 88 -> 192.168.0.33 rdr on vr0 inet proto { tcp, udp } from any to vr0 port

Re: Xbox Live Help

2013-12-09 Thread Stuart Henderson
Rather than looking at a tcpdump of packets that make it through, try looking at blocked packets instead. Add 'log' to any block rules and try 'tcpdump -nettti pflog0'. Walt Elam wre...@gmail.com wrote: One more update: I opened up the tcpdump traffic in Wireshark and it appears that the Xbox

Re: Xbox Live Help

2013-12-09 Thread Walt Elam
My pseudo solution was to put the xbox in it's own vlan and then to pass all traffic to/from that vlan. It's working, albeit with a Strict NAT according to the Xbox. Previously I was logging all blocked packets but none of the xbox traffic was matching any block rules. I'm still not sure what was

Re: Xbox Live Help

2013-12-08 Thread Teemu Rinta-aho
Hi Walt, unfortunately I don't have specific knowledge either on Xbox or Kerberos... I can only wish you good luck! (Or switch to Playstation ;-)) BR, Teemu 7.12.2013 3:02, Walt Elam kirjoitti: One more update: I opened up the tcpdump traffic in Wireshark and it appears that the Xbox is

Re: Xbox Live Help

2013-12-06 Thread Walt Elam
Thanks Teemu, I gave some similar rules a shot but was unable to get it working. I'm still tweaking things and trying them, I'll update if I get it figured out. Thanks, -Walt On Thu, Dec 5, 2013 at 4:47 AM, Teemu Rinta-aho te...@rinta-aho.org wrote: On 5.12.2013 3:16, Walt Elam wrote: I

Re: Xbox Live Help

2013-12-06 Thread Walt Elam
One more update: I opened up the tcpdump traffic in Wireshark and it appears that the Xbox is failing on Kerberos. I see an AS_REQ, then AS_REP, then the traffic alternates between TGS_REQ and TGS_REP then fails. It seems like the xbox is failing to successfully get the ticket from the TGS. Are

Re: Xbox Live Help

2013-12-05 Thread Teemu Rinta-aho
On 5.12.2013 3:16, Walt Elam wrote: I need to forward ports 88 (UDP), 3074 (UDP/TCP), 53 (UDP,TCP), and 80 (TCP) to the xbox360. This seems simple enough but I have been unsuccessful. Hi Walt, I don't do exactly the same, but almost. Check out my pf.conf at

Re: Problem with carp and inet alias

2013-11-26 Thread Henning Brauer
* Sebastian John ba...@fukz.de [2013-11-19 19:00]: try to use the correct network mask in alias configuration: inet alias 200.200.200.163 255.255.255.240 try to not give wrong advice. all-ones netmask is EXACTLY the right thing here. probably even for the first (main) address, unless carpdev is

Carp + ifstated

2013-11-22 Thread Christiano Liberato
Hello, I'm having trouble returning a server to be master with trade in advskew via ifstated. The following scenario: ## server1 ## carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:00:5e:00:01:01 priority: 0 carp: MASTER

Problem with carp and inet alias

2013-11-19 Thread Christiano Liberato
Hi, fw1: 200.200.200.168 fw2: 200.200.200.172 carp0 (for two fw) inet 200.200.200.162 255.255.255.240 200.200.200.175 vhid 1 advskew 0 carpdev em0 pass senha inet alias 200.200.200.163 255.255.255.255 inet alias 200.200.200.164 255.255.255.255 inet alias 200.200.200.165 255.255.255.255 inet

Re: Problem with carp and inet alias

2013-11-19 Thread Sebastian John
Hello, try to use the correct network mask in alias configuration: inet alias 200.200.200.163 255.255.255.240 .. Sebastian On Tue, Nov 19, 2013 at 02:55:45AM -0800, Christiano Liberato wrote: Hi, fw1: 200.200.200.168 fw2: 200.200.200.172 carp0 (for two fw) inet 200.200.200.162

Re: Problem with carp and inet alias

2013-11-19 Thread Christiano Liberato
Sebastian, my mask is /28 and 255.255.255.240 is fake for post in the list. My first ip is x.x.x.160 (network) and last x.x.x.175 (broadcast). Not understand what is wrong. 2013/11/19 Sebastian John ba...@fukz.de Hello, try to use the correct network mask in alias configuration: inet

Re: Problem with carp and inet alias

2013-11-19 Thread Stuart Henderson
On 2013/11/19 02:55, Christiano Liberato wrote: Hi, fw1: 200.200.200.168 fw2: 200.200.200.172 carp0 (for two fw) inet 200.200.200.162 255.255.255.240 200.200.200.175 vhid 1 advskew 0 carpdev em0 pass senha inet alias 200.200.200.163 255.255.255.255 inet alias 200.200.200.164

Re: Configuration for discarding specific fragments

2013-09-06 Thread Henning Brauer
* mark.lati...@gmail.com mark.lati...@gmail.com [2013-09-01 08:01]: Is it possible to reassemble so fragments and not others nope; all or nothing. or is the best approach to deploy a screening router/another PF to filter but not reassemble in addition to the PF reassembling and

Configuration for discarding specific fragments

2013-09-01 Thread mark . latimer
Hello, I am trying and so far failing to understand how to setup PF to drop some fragments and reassemble others. So far as I can tell fragment reassembly is an all or nothing choice with the set reassemble option. If it is specified how to do this on a per rule basis I have missed

route-to questions

2013-07-30 Thread luis lugo
Hi, I want to upgrade openbsd 4.6 to 5.3, but have problems with some rules. I need to change the following rules for the new version of pf and I can not find information about that. You can help me with that problem? pass in quick on $ext_if route-to lo0 inet proto tcp from any to 127.0.0.1

Re: PF + gif + ipsec + racoon + routing problems

2013-05-17 Thread Daniel Hartmeier
I rebuilt your setup but can't reproduce the problem. I picked A.A.A.A=3.3.3.3 and B.B.B.B=4.4.4.4 and used FreeBSD 8.3-STABLE i386 with GENERIC plus IPSEC, and installed ipsec-tools-0.8.0_3. -- gatewayA -- /etc/rc.conf ifconfig_em0=inet

Re: PF + gif + ipsec + racoon + routing problems

2013-05-17 Thread Daniel Duerr
Hi Daniel, Thank you so much for taking the time to recreate my (rather large) setup, and for posting it. I double checked my setup compared to your examples here to make sure all was equivalent. I dumbed down my pf.conf as you suggested. Still the same symptoms occur. Then, as a last

PF + gif + ipsec + racoon + routing problems

2013-05-13 Thread Daniel Duerr
Hi everyone, I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595 In summary, it seems that when the packets are routed in to the gateway from local network hosts, the src

PF + gif + ipsec + racoon + routing problems

2013-05-13 Thread ECEG / Daniel Duerr
Hi everyone, I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595 In summary, it seems that when the packets are routed in to the gateway from local network hosts, the src

Re: Filtering on the basis of the relay host

2013-05-11 Thread Daniel Hartmeier
On Sat, May 11, 2013 at 09:10:09AM -0600, JCA wrote: I would be interested to use milter-regex to filter incoming emails according to the relay host. When an email arrives, sendmail logs a line containing several fields, like 'from', 'size', 'msgtype', etc. and their values. One of those

Filtering on the basis of the relay host

2013-05-11 Thread JCA
I would be interested to use milter-regex to filter incoming emails according to the relay host. When an email arrives, sendmail logs a line containing several fields, like 'from', 'size', 'msgtype', etc. and their values. One of those fields is 'relay'. Can milter-regex filter emails depending on

My

2013-05-07 Thread Sioux C. Queue
What a fine pile of excrement you all are. Been dealing with UNIX machines for over 25 years and never ran into a bunch of assholes like you guys.

Re: How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-06 Thread Stuart Henderson
On 2013/05/05 13:29, Peter N. M. Hansteen wrote: But even without the bouncing address, the message is a textbook example of how *not* to ask questions. I think the textbook in question here is introduction to trolling, an entry-level guide :)

Re: How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-06 Thread Mike Erdely
On Sun, May 5, 2013 at 7:29 AM, Peter N. M. Hansteen pe...@bsdly.net wrote: The k...@have.it address bounces (domain exists, user does not), which brings back the less fond memories of the 1990s when such asshattery was to some extent tolerated and even condoned in some circles due to the

Re: How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-06 Thread Karl O. Pinc
On 05/05/2013 06:29:01 AM, Peter N. M. Hansteen wrote: First, in contrast to at least some Unix-like systems, you can expect OpenBSD's man pages to be up to date, correct and relevant. And, IMO, the OpenBSD man pages are some of the best technical references anywhere, ever. They are on-par

Re: IP Filter Documentation.

2013-05-06 Thread Sioux C. Queue
On 05/05/2013 10:03 AM, Peter N. M. Hansteen wrote: Your references to OpenSUSE and IP Filter had me a bit confused. And obviously me too. In my defense, in addition to the OpenBSD 5.3 install, I haven't done much with BSD since the 90's so my memory is fuzzy, I just finished (well mostly

IP Filter Documentation.

2013-05-05 Thread Sioux C. Queue
The FAQ at OpenSUSE is a fine document. On the page www.openbsd.org/faq/pf/tables.html I found this or the self keyword. On the page www.openbsd.org/faq/pf/filter.html I found this table firewall const { self }. And finally, I think, at www.openbsd.org/faq/pf/nat.html there's this The word

Re: IP Filter Documentation.

2013-05-05 Thread Peter N. M. Hansteen
Sioux C. Queue k...@have.it writes: The FAQ at OpenSUSE is a fine document. On the page www.openbsd.org/faq/pf/tables.html I found this or the self keyword. On the page www.openbsd.org/faq/pf/filter.html I found this table firewall const { self }. And finally, I think, at

Re: IP Filter Documentation.

2013-05-05 Thread Rod Whitworth
On Sat, 04 May 2013 13:08:39 -0800, Sioux C. Queue wrote: The FAQ at OpenSUSE is a fine document. On the page www.openbsd.org/faq/pf/tables.html I found this or the self keyword. On the page www.openbsd.org/faq/pf/filter.html I found this table firewall const { self }. And finally, I think,

Re: IP Filter Documentation.

2013-05-05 Thread Mike Erdely
On Sat, May 4, 2013 at 5:08 PM, Sioux C. Queue k...@have.it wrote: The FAQ at OpenSUSE is a fine document. On the page www.openbsd.org/faq/pf/tables.html I found this or the self keyword. On the page www.openbsd.org/faq/pf/filter.html I found this table firewall const { self }. And finally,

How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-05 Thread Peter N. M. Hansteen
The k...@have.it address bounces (domain exists, user does not), which brings back the less fond memories of the 1990s when such asshattery was to some extent tolerated and even condoned in some circles due to the then-emerging (oh, so intolerable) spam problem. But even without the bouncing

Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Kirk Ismay
On 2013-04-12 1:34 AM, Sebastian Singer wrote: Just one thing: Please stick to the technical focus of the question. Educational advice need not be given as I have received enough of it in the past already. And as far as I have seen and heard I am not the only father having to deal with these

Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Sebastian Singer
Hi Kirk, Hi Peter, Thank you both for your quick and inspiring answers. I think I will first try setting up a table and continue with scripting around pfctl -vt tablename -T show as proposed by both of you. If I run into problems I will have a go at the solution with labels. Yours, Sebastian

Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Peter N. M. Hansteen
Sebastian Singer sebastian.sin...@kesslar.de writes: So I do not want to cut him off the internet completely,  just limit his bandwidth so much that he is throttled if he has reached a set time limit or else if he reaches a certain amount of gb used. So the question is: is pf (ALTQ

Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Karl O. Pinc
On 04/12/2013 04:11:47 PM, Sebastian Singer wrote: Hi Kirk, Hi Peter, Thank you both for your quick and inspiring answers. I think I will first try setting up a table and continue with scripting around pfctl -vt tablename -T show as proposed by both of you. If I run into problems I will

throttle traffic by amount of time or amount of used traffic in GB?

2013-04-12 Thread Sebastian Singer
Hi, I am not generally against video games and other related online stuff. But my son (age 16) is in WOW, COD, Mindcraft and the like by approximately 8 to 12 h a day. The same is to be observed in my friends families. Our children get lost to their loved ones because of computer game

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Daniel Hartmeier
If you need NAT, you have to do that on the external interface, and it requires (implies, even) creating states. However, you can filter statelessly on the internal interface (the states won't match there (wrong direction, if-bound), dropping outgoing TCP RST, passing everything else. Sounds

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Cameron Simpson
On 05Apr2013 08:45, Daniel Hartmeier dan...@benzedrine.cx wrote: | If you need NAT, you have to do that on the external interface, and it | requires (implies, even) creating states. I was imagining NATing on an internal virtual interface to a private address on some kind of internal virtual

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Daniel Hartmeier
On Fri, Apr 05, 2013 at 07:03:52PM +1100, Cameron Simpson wrote: I was imagining NATing on an internal virtual interface to a private address on some kind of internal virtual interface; this might keep the necessary state without being the outmost layer. And then to do stateless filtering

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Henning Brauer
* Cameron Simpson c...@zip.com.au [2013-04-05 11:01]: On 05Apr2013 08:45, Daniel Hartmeier dan...@benzedrine.cx wrote: | If you need NAT, you have to do that on the external interface, and it | requires (implies, even) creating states. I was imagining NATing on an internal virtual interface

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Stuart Henderson
If you had spare network ports you could take the incoming feed, bridge it to another port (filtering statelessly and if-bound), then loopback the second port to a third port and do the normal filtering there... I wonder if it would be possible to do similar with bridge+vether, iirc Reyk posted a

Re: I want to filter some/all inbound traffic twice

2013-04-05 Thread Cameron Simpson
On 05Apr2013 11:34, Daniel Hartmeier dan...@benzedrine.cx wrote: | On Fri, Apr 05, 2013 at 07:03:52PM +1100, Cameron Simpson wrote: | I was imagining NATing on an internal virtual interface to a private | address on some kind of internal virtual interface; this might keep | the necessary state

Re: Best/simplest/fastest approach for creating virtual switch out of

2013-03-18 Thread Karl O. Pinc
On 03/16/2013 10:45:57 PM, Bonnie Packet wrote: The question is how best to create a virtual switch out of em2 and em3, I'd love some advice on what the best way to accomplish this is. (Best = in my particular case means first, lowest total firewall cpu cost to route/= filter; second,

Re: Best/simplest/fastest approach for creating virtual switch out of

2013-03-18 Thread Karl O. Pinc
Come to think of it you wouldn't need to frob the arp tables since I presume the gateway is all on the soekris. And with proper dhcp configuration you could just frob the gateway address supplied to each access point. On 03/18/2013 08:03:39 AM, Karl O. Pinc wrote: On 03/17/2013 07:47:43 PM,

Re: Best/simplest/fastest approach for creating virtual switch out of

2013-03-18 Thread Daniel Hartmeier
Yes, bridge between em2 and em3. Assign the IP (used as gateway by the clients) to bridge0. You'll have to duplicate the MAC filter rules per interface. The pf rules need to match both interfaces with 'on { em2 em3 }', and floating state-policy (default) will simply work. No increase in

Re: Best/simplest/fastest approach for creating virtual switch out of

2013-03-18 Thread Stuart Henderson
On 2013/03/18 15:25, Daniel Hartmeier wrote: Yes, bridge between em2 and em3. Assign the IP (used as gateway by the clients) to bridge0. This isn't possible on OpenBSD, you either need to put the IP on one real interface (then it may go down if the port is down), or bridge a vether with it

Re: Best/simplest/fastest approach for creating virtual switch out

2013-03-17 Thread Bonnie Packet
Shoot. Forgot to mention the most important user advantage of the current setup: since there's only one physical interface on the firewall handling all the (aggregated by the switch) wireless traffic, everyone can use that interface's IP as the same gateway address, no matter which AP they

Rule ordering changes

2013-03-11 Thread Andrew Siegel
I've been scratching my head over this one. Here is my pf.conf: int_if = em0 dmz_if = em1 block log all set skip on lo0 block log quick inet6 block in log quick on $int_if from ! rfc1918 to any block out log quick on $int_if from any to ! rfc1918 pass out log on $int_if inet proto tcp from

Re: Rule ordering changes

2013-03-11 Thread Andrew Siegel
On 3/11/13 3:45 PM, Stuart Henderson wrote: On 2013/03/11 12:06, Andrew Siegel wrote: .. I've been scratching my head over this one. Here is my pf.conf: This is under OpenBSD 5.1. Am I misunderstanding something? Is some kind of optimization taking place behind the scenes? Andy

Re: Rule ordering changes

2013-03-11 Thread Stuart Henderson
On 2013/03/11 12:06, Andrew Siegel wrote: I've been scratching my head over this one. Here is my pf.conf: int_if = em0 dmz_if = em1 block log all set skip on lo0 block log quick inet6 block in log quick on $int_if from ! rfc1918 to any block out log quick on $int_if from any to !

Re: forwarding loop

2013-01-16 Thread Leslie Jensen
2013-01-15 12:49, Daniel Hartmeier skrev: You currently have the following rules pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state # pass out pass out log What's the point of these? Whenever the first rule would match, the second one would

Re: forwarding loop

2013-01-16 Thread Daniel Hartmeier
On Wed, Jan 16, 2013 at 10:19:45AM +0100, Leslie Jensen wrote: The squid access.log says tcp_miss which should mean that the website has not replied. The browser shows the squid access denied screen. I cannot see any denied packets with tcpdump. Commenting out the rdr rule gives direct

Re: forwarding loop

2013-01-16 Thread Leslie Jensen
2013-01-16 10:56, Daniel Hartmeier skrev: On Wed, Jan 16, 2013 at 10:19:45AM +0100, Leslie Jensen wrote: The squid access.log says tcp_miss which should mean that the website has not replied. The browser shows the squid access denied screen. I cannot see any denied packets with tcpdump.

Re: forwarding loop

2013-01-16 Thread Leslie Jensen
2013-01-16 10:56, Daniel Hartmeier skrev: On Wed, Jan 16, 2013 at 10:19:45AM +0100, Leslie Jensen wrote: The squid access.log says tcp_miss which should mean that the website has not replied. The browser shows the squid access denied screen. I cannot see any denied packets with tcpdump.

redirect outbound packets originating from localhost to locally assigned address (-> ftp-proxy)

2013-01-16 Thread twies
Hello, i'm new on this list, so please be patient with me. Anyway - I did my homework (at least i think so) but i'm stuck nevertheless. All man pages and docs i found seem to indicate that what i want is impossible, but i hope, someone might have an idea... I want to use ftp-proxy for outgoing

Re: forwarding loop

2013-01-15 Thread Daniel Hartmeier
Wait, the squid server is on a separate host, on the $int_if side of the firewall (the same side the clients are on)? Then transparent proxying would require reflection, and doesn't work, see http://www.openbsd.org/faq/pf/rdr.html#reflect If squid is seeing TCP_MISS errors, that probably means

Re: forwarding loop

2013-01-15 Thread Daniel Hartmeier
On Tue, Jan 15, 2013 at 11:50:14AM +0100, Leslie Jensen wrote: 2013-01-15 11:10, Daniel Hartmeier skrev: Wait, the squid server is on a separate host, on the $int_if side of the firewall (the same side the clients are on)? Yes! This machine has been in service since Freebsd 7.2. It's one

Re: forwarding loop

2013-01-15 Thread Leslie Jensen
2013-01-15 11:10, Daniel Hartmeier skrev: Wait, the squid server is on a separate host, on the $int_if side of the firewall (the same side the clients are on)? Then transparent proxying would require reflection, and doesn't work, see http://www.openbsd.org/faq/pf/rdr.html#reflect If squid is

Re: forwarding loop

2013-01-15 Thread Daniel Hartmeier
You currently have the following rules pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state # pass out pass out log What's the point of these? Whenever the first rule would match, the second one would always override it, making the first one

Re: forwarding loop

2013-01-15 Thread Leslie Jensen
2013-01-15 12:01, Daniel Hartmeier skrev: On Tue, Jan 15, 2013 at 11:50:14AM +0100, Leslie Jensen wrote: 2013-01-15 11:10, Daniel Hartmeier skrev: Wait, the squid server is on a separate host, on the $int_if side of the firewall (the same side the clients are on)? Yes! This machine has

Re: route-to round-robin using single interface?

2013-01-15 Thread Daniel Hartmeier
On Mon, Jan 14, 2013 at 03:30:21PM +0100, Johan Helsingius wrote: I have a small network, connected by 2 ADSL connections, and want to load-share the connections. All examples of route-to round-robin that I have seen have used 2 separate interfaces, but as both my ADSL modems are on the same

Re: route-to round-robin using single interface?

2013-01-15 Thread Johan Helsingius
Thanks for the reply, Daniel! AFAIK, it should work. Good to have that confirmed, thanks! Can you ping $isp1_gw and $isp2_gw and arp -sn is showing two different entries for them? From the firewall machine, yes, but not from machines on the internal network. What is the problem? All

Re: route-to round-robin using single interface?

2013-01-15 Thread Johan Helsingius
AFAIK, it should work. And it does :) Turns out the problem had nothing to do with pf. For some reason one of the DSM routers (ZyXEL P-2601HN-F1) needed an explicit static return route, while the other, (FRITZ!Box Fon WLAN 7360) didn't. Everything works fine after adding the return route.

Re: forwarding loop

2013-01-15 Thread Karl O. Pinc
On 01/15/2013 04:10:33 AM, Daniel Hartmeier wrote: Wait, the squid server is on a separate host, on the $int_if side of the firewall (the same side the clients are on)? Then transparent proxying would require reflection, and doesn't work, see http://www.openbsd.org/faq/pf/rdr.html#reflect

Re: forwarding loop

2013-01-15 Thread Daniel Hartmeier
On Tue, Jan 15, 2013 at 09:46:37AM -0600, Karl O. Pinc wrote: Something that's not mentioned that comes to mind is ICMP redirection. (Without thinking about it a lot it seems like it should be a good candidate.) However when I tried ICMP redirection on OpenBSD years ago I couldn't get it to

Re: forwarding loop

2013-01-15 Thread Karl O. Pinc
Thanks very much for the reply. On 01/15/2013 01:25:50 PM, Daniel Hartmeier wrote: On Tue, Jan 15, 2013 at 09:46:37AM -0600, Karl O. Pinc wrote: Something that's not mentioned that comes to mind is ICMP redirection. (Without thinking about it a lot it seems like it should be a good
