Re: NAT (interface) = round-robin between IPv4/IPv6 addresses?

2008-01-04 Thread Ed White
On Friday 04 January 2008 12:17, Henning Brauer wrote: I noticed that with the following NAT rule: nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port I get the following output: # pfctl -sn nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin static-port My

NAT (interface) = round-robin between IPv4/IPv6 addresses?

2008-01-03 Thread Ed White
Happy new year everybody, I have a quick question. I am using OpenBSD 4.2-stable. I noticed that with the following NAT rule: nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port I get the following output: # pfctl -sn nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin

OpenCON 2007 // free tutorials

2007-10-19 Thread Ed
Hello everyone, OpenCON is a free entrance conference fully dedicated to OpenBSD. http://www.opencon.org/ I just want to inform you that this year we are going to have one day dedicated to free tutorials. In particular you might appreciate the tutorial about PF by Peter Hansteen. Peter is the

Re: OpenCON 2007 // Call for Papers

2007-10-02 Thread Ed
On Tuesday 02 October 2007 22:59, Peter GILMAN wrote: OpenCON is the only conference fully dedicated to OpenBSD. Last year's edition was a great success and also featured the party for OpenBSD's 10th birthday, with project leader Theo de Raadt and a lot of developers. More info here:

OpenCON 2007 // Call for Papers

2007-10-01 Thread Ed
Dear ladies and gentlemen, OpenCON is the only conference fully dedicated to OpenBSD. Last year's edition was a great success and also featured the party for OpenBSD's 10th birthday, with project leader Theo de Raadt and a lot of developers. More info here: http://2006.opencon.org/ The OpenCON

OpenCON 2007 // Call for Sponsors

2007-08-20 Thread Ed
imagine. Obviously we can provide a valid EU receipt for your tax duties. Just write an email to ed()bsd.it with OpenCON in the subject line and tell us about your ideas! Please spread the word among your friends, OpenBSD friendly companies, ISPs that offer OpenBSD servers for rent or hosting

idea // shaping *download* bandwidth

2006-05-02 Thread Ed White
Hello, in January I had an idea to shape download bandwidth, and I exchanged some emails with various developers (Mike Frantzen, for example). People ask how to limit *download* bandwidth without dropping packets already passed via the pipe to the firewall itself. The point is limiting the

Re: idea // shaping *download* bandwidth

2006-05-02 Thread Ed White
On Tuesday 02 May 2006 14:24, Terje Elde wrote: If you drop the ACKs, there'll be a retransmit anyway. So only thing you'd really change is that the TCP packet would arrive a little bit sooner, which could make a minor (probably not noticeable) difference for interactive stuff, such as SSH.

Re: viewing pf rules in tcpdump output

2006-01-16 Thread ed
On Sun, 15 Jan 2006 17:20:25 + Karl O. Pinc [EMAIL PROTECTED] wrote: Sorry, pasted from the wrong window. This is the correct script. On 01/15/2006 06:28:21 AM, ed wrote: Another question, how do you associate the rule number to line in pf.conf, without doing the obvious mental

Re: viewing pf rules in tcpdump output

2006-01-15 Thread ed
14885] pass out on fxp0: esp 192.168.1.1 192.168.2.213 spi 0x1 Another question, how do you associate the rule number to line in pf.conf, without doing the obvious mental exercise, with many rules it can be a chore. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open

Re: graphing pf stats

2006-01-02 Thread ed
On Mon, 2 Jan 2006 13:56:21 -0700 Bob DeBolt [EMAIL PROTECTED] wrote: pfstat works well, it may be a nice starting point for you or it may do everything you want. If there's time I'll look at making a plugin for monitoring programs. -- Regards, Ed http://www.usenix.org.uk - http://irc.is

Re: Will pf write to a file

2006-01-01 Thread ed
a suitable word/letter for '?'... suggestion? C I don't remember seeing c in the man, please disregard if it's already used. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2005-12-31 Thread ed
if you have differing configurations, neither knows which should be master, try and avoid having differences between the primary and secondary CARP boxes. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

pf failover state problem

2005-12-28 Thread ed
reason, ### we should have this as a reserve pass quick on $pri_if from $pri_network pass quick on { lo } -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-19 Thread ed
is not possible then the protocol should retry in TCP, IIRC. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: Syntax errors in pf.conf

2005-12-10 Thread ed
On Sat, 10 Dec 2005 16:43:50 -0500 Forrest Aldrich [EMAIL PROTECTED] wrote: I had that before (with braces {}) and got a syntax error on these lines as well, FYI. ed wrote: On Fri, 09 Dec 2005 16:14:25 -0500 Forrest Aldrich [EMAIL PROTECTED] wrote: rdr on $ext_if proto tcp

Re: Syntax errors in pf.conf

2005-12-09 Thread ed
-> $server rdr on $ext_if proto tcp from !abuse any \ port 80 tag INET_DMZ -> $server rdr on $ext_if proto tcp from !abuse any \ port 443 tag INET_DMZ -> $server -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature

carp

2005-12-08 Thread ed
Hello, Has anyone written scripts to ensure that preempt fail over fails over all the carp interfaces to backup upon one becoming backup, I have found often that a single interface will become backup leaving the remaining interfaces as master, which obviously messes things up. -- Regards, Ed

Re: rdr process order

2005-11-30 Thread ed
do the trick. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

Re: please publish SPF records

2005-11-03 Thread ed
spf alone - just as a junk filter. I'm not going to praise it as a final solution to spam and scam. DK is worth a look too, but it's added components to a mail server. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

Re: please publish SPF records

2005-11-02 Thread ed
@benzedrine.cx gets trashcanned. I'm sure if you know about SPF then you know all the various anti-spam tactics. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

pf rocks

2005-11-01 Thread ed
Hello, I'd just like to say, pf rocks. I have big changes to make to a rather important firewall, things probably won't work for a while and it might look as though I don't know what I'm doing at the time, but nevertheless, pf still rocks. Well done chaps. -- Regards, Ed http

Re: ICMP redirect

2005-10-12 Thread ed
On Wed, 12 Oct 2005 20:11:03 +0200 Daniel Hartmeier [EMAIL PROTECTED] wrote: On Fri, Oct 07, 2005 at 07:10:04PM +0100, ed wrote: Can ICMP packets be redirected using rdr to a RFC1918 host? I gave it a couple of shots and did not get anywhere, as I can't see any mentions of it it working

ICMP redirect

2005-10-07 Thread ed
. -- Regards, Ed http://www.usenix.org.uk

Re: no NAT, all public ip address

2005-10-04 Thread ed
that are routeable, and to the best of my knowledge it should work as expected, but I do not think there is a state table when you don't use NAT, but it should not hurt to leave that setup in its running configuration. -- Regards, Ed http://www.usenix.org.uk

Re: no NAT, all public ip address

2005-10-04 Thread ed
and not physical interfaces. As far as I know there is no state table that has to be synced. -- Regards, Ed http://www.usenix.org.uk

Re: CARP and switches

2005-09-29 Thread ed
table, they should all have the same MAC. -- Regards, Ed

Re: pf load balancing

2005-09-21 Thread ed
On Wed, 21 Sep 2005 17:05:23 -0300 Lucas [EMAIL PROTECTED] wrote: i'm working with 3 gateways and want to load balance between them. after a failure with layer 2 (carp arpbalance) balancing, i tried to do it with pf. the most logical way to do it is with a machine before the gateways

Re: rdr pass, max-src-conn

2005-09-08 Thread ed
On Thu, 8 Sep 2005 14:40:51 +0200 Daniel Hartmeier [EMAIL PROTECTED] wrote: host1$ pfctl -t abuse_src -Ts | ssh host2 pfctl -t abuse_src -Ta -f - Thanks very much, I had not thought about scripting it at all. -- http://edd.link9.net - http://irc.is-cool.net

rdr pass, max-src-conn

2005-09-07 Thread ed
Hello, I am having troubles with some rdr rules. How should I specify: rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 with pass in on $ext_if proto tcp from any to $range port {80,3389} keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload abuse_src flush global

Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 7 Sep 2005 20:25:54 +0200 Daniel Hartmeier [EMAIL PROTECTED] wrote: rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389} Packets will have their destination address replaced with 10.10.10.10 when filter

Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 07 Sep 2005 14:19:06 -0400 Roy Morris [EMAIL PROTECTED] wrote: ed wrote: pass in on $ext_if proto tcp from any to $range port {80,3389} keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload abuse_src flush global ) Thanks Roy and Daniel for your answers. I have another question
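The "rdr pass, max-src-conn" thread above asks how to combine an rdr with a pass rule that carries per-source connection limits and an overload table. The following pf.conf fragment is an added example written for this page, not a ruleset posted by Ed, Daniel or Roy, and uses the pre-OpenBSD-4.7 syntax the thread uses (rdr ... -> ...). The interface name fxp0, the public address 1.2.3.4 and the internal server 10.10.10.10 are assumed placeholders; only the latter two appear in the thread.

```pf
# Added example, not from the thread. Assumed values: $ext_if is the
# external interface, 1.2.3.4 its public address, 10.10.10.10 the
# internal server that should receive the redirected connections.
ext_if  = "fxp0"
pub_ip  = "1.2.3.4"
srv     = "10.10.10.10"

# Sources that trip the limits land here. 'persist' keeps the table alive
# across ruleset reloads, so pfctl -t abuse_src -T... can manage it by hand
# (or copy it to the CARP peer, as the thread's ssh one-liner does).
table <abuse_src> persist

# In this pf generation translation runs before filtering, so the filter
# rule below must match the *translated* destination ($srv), not $pub_ip.
rdr on $ext_if proto tcp from any to $pub_ip port { 80, 3389 } -> $srv

# Offenders are dropped before any other rule is consulted.
block in quick on $ext_if from <abuse_src> to any

# At most 3 concurrent TCP connections per source address, and no more
# than 2 new connections per 5 seconds. A source exceeding either limit is
# added to <abuse_src>; 'flush global' also kills every existing state that
# source holds, not only the states created by this rule.
pass in on $ext_if proto tcp from any to $srv port { 80, 3389 } \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global)
```

Check the result after a reload with `pfctl -sr` (the pass rule should show the 10.10.10.10 destination) and `pfctl -t abuse_src -Ts` once a source has been locked out. On OpenBSD 4.7 and later the same thing is written as a single `pass in ... rdr-to` rule, and the filter part then matches the address as seen on the wire, so the caveat about translated addresses no longer applies there.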

Re: help

2005-09-06 Thread ed
On Tue, 6 Sep 2005 17:56:40 +0200 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I have an important question: is it possible to define a filter that has as srcaddr or dstaddr all IP addresses different from a host or a subnet? this does not make a whole lot of sense. you could however make a

pf versions

2005-09-05 Thread ed
Hello, On an openbsd 3.7 install the following rule will work yet not on a 3.6, is there a difference in the way the rule should be declared, or if pf can be upgraded, how should I do this? ext_if=xl0 ext_network=1.2.3.4/5 pass in on $ext_if proto tcp from any to $ext_network port {22,3389}

Re: macro doesnt expand CIDR

2005-08-29 Thread ed
On Mon, 29 Aug 2005 06:38:48 -0300 Gustavo A. Baratto [EMAIL PROTECTED] wrote: I understand that I could write the rule with the ips hardcoded in it, but I assume this doesn't change the fact that macros are not expanding CIDR addresses, and this may be a bug. I was trying more to warn about

Re: Problem with NAT and FTP server

2005-07-15 Thread ed
On Thu, 14 Jul 2005 22:42:49 -0400 [EMAIL PROTECTED] wrote: In my configuration there is a problem providing publicly-accessible anonymous FTP service. The config works for a small number of clients, but most cannot access my server and use any command that requires a data connection. I have

3.7 change log

2005-05-22 Thread ed
Hello, Does anyone know where I should look for the 3.7 change log? And is there an update for the book Building Firewalls with OpenBSD and PF, 2nd edition to take these improvements/changes onboard? -- http://edd.link9.net - http://irc.is-cool.net pgpRdYbVArAXs.pgp Description: PGP

Re: PF, Bridge, and IP on bridged interface [more]

2005-03-15 Thread Ed White
On Tuesday 15 March 2005 12:19, Henning Brauer wrote: So, I guess that leaves the question, can one change the ethernet address of a NIC with ifconfig on OpenBSD? no. Yet. http://marc.theaimsgroup.com/?l=openbsd-tech&m=111073781926839&w=2

Re: Traffic Monitoring, IP

2005-01-01 Thread ed
On Sat, 1 Jan 2005 09:53:44 +0100 Miroslav Kubik [EMAIL PROTECTED] wrote: OK, you´re right I appreciate Daniel´s work very much. It was only a little joke and at the same time I tryed to show you that everything isn´t only a matter of money. One friend of mine is a doctor and his payment is

CARP again, again

2004-12-23 Thread ed
Hello again, sorry to bother you all again. I have a question, we have two DSL connections, and I plan on using two boxes, which are carped. But, I'd like to do this in a fashion such that I can failover to a different connection when the primary one

Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 15:45, Roy Morris wrote: change your ssh port to like 30222 or something .. That's dumb. Choose a port < 1024.

Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 06:11, A wrote: Further, jasper is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers). I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services

Re: CARP

2004-12-17 Thread ed
On Fri, 17 Dec 2004 18:47:47 + Ryan McBride [EMAIL PROTECTED] wrote: $ ifconfig -a $ sysctl net.inet.carp $ netstat -sp carp Thank you, I will provide this with my next post. - -- /-- _| | Regards. Please note, my PGP key ID has changed. |--

Re: CARP

2004-12-16 Thread ed
On Wed, 15 Dec 2004 07:33:51 -0500 Jason Dixon [EMAIL PROTECTED] wrote: Sorry for this lengthy reply, I hope you all can forgive me for this, but as I am but a beginner with PF/CARP I hope we can avoid hostility. I have two boxes, with

Re: CARP

2004-12-14 Thread ed
On Sun, 12 Dec 2004 10:54:28 -0500 Jason Dixon [EMAIL PROTECTED] wrote: On Dec 12, 2004, at 8:54 AM, ed wrote: Anyway, I have a /etc/pf.conf file which was originally for a single firewall, which worked for a normal layout with two interfaces

CARP

2004-12-12 Thread ed
Hello All, I am, once again having trouble understanding CARP/pf. It is a shame this is not covered in Building Firewalls with OpenBSD and PF, by J.A. or in Absolute OpenBSD, they both cover PF very well, but not CARP. Anyway, I have a /etc/pf.conf

Re: pf sync

2004-11-19 Thread Ed
, and wordperfect back then, now http://linux.corel.com doesn't exist so I use oo.org. - -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

pf sync

2004-11-18 Thread Ed
not know anything about pfsync, despite reading Absolute OpenBSD and Building Firewalls with OpenBSD and PF 2nd edt. Can someone possible point me in the direction of some pfsync examples? - -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence

3.6 is on the ftp sites

2004-10-31 Thread Ed
- -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

FTP to nat

2004-10-26 Thread Ed
in RFC1918 space and if so, should I BINAT the whole address, and even then, will it work? Is this question too trivial for this list. Thanks in advance. - -- Ed. Debian 3. OpenBSD 3.5. You can not cross a chasm in two small jumps. PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

Re: Top 10 reasons IPTABLES is better than PF

2004-10-23 Thread Ed
with THAT.) That's not my concern. I just want the same firewall interface and stability, I don't care if not having the same under the hood makes me a bad person or if I have to duck the flames for saying so. modprobe vmware-openbsd I've said all I'm going to say on the subject. - -- Ed. Debian 3. OpenBSD

Re: Linux port of pf

2004-10-20 Thread Ed
On Tue, 19 Oct 2004 18:47:00 -0200 Douglas Santos [EMAIL PROTECTED] wrote: Why not to use it on OpenBSD? Because I like to apt-get some parts of my life! It's nothing personal, I just prefer debian on my workstation and OpenBSD on my firewall. -- Ed. Debian 3. OpenBSD 3.5. Two things came out

Re: Linux port of pf

2004-10-20 Thread Ed
that was and if anything more than talk came of it? I am a little frustrated in using iptables. Come to think of it, do you know if there is a pf -> iptables conversion script? - -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross

Re: Linux port of pf

2004-10-20 Thread Ed
for giving iptables advice on the pf mailing list... Thank you for your advice. I will see if that can save my bacon until I can figure out some of the stuff that I don't know about BSD. - -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence

Re: Linux port of pf

2004-10-20 Thread Ed
and administration required if the UNIX like system doesn't have the package available. - -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Ed White
rule, max-src-nodes 50, max-src-states 10) max-src-states 2) block in quick all .. Any clue ? Ed

Re: FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Ed White
a segment got delayed in the network. That is how TCP works. This explains the TIME_WAIT:TIME_WAIT status, but what about FIN_WAIT_2 ? Ed

PF tables states

2004-09-03 Thread Ed White
This is a message from an interesting thread on [EMAIL PROTECTED] http://marc.theaimsgroup.com/?l=openbsd-misc&m=109422765506037&w=2 In short the question is: why doesn't PF kill all the states associated with the tables entries when you flush a table ? Ed

Re: PF --- spamd

2004-09-03 Thread Ed White
On Thursday 02 September 2004 16:21, Ed White wrote: /var/db/spamd is always empty. Any clue ? Since I've not found a solution I've posted the problem on [EMAIL PROTECTED] Ed

Re: Fwd: Re: Things pf can't do?

2004-09-03 Thread Ed White
, could you tell me some url to find that Linus's mail ? Thanks. Ed

Re: PF --- spamd

2004-09-02 Thread Ed White
dgram 0 0 0xd3b67644 0x0 0x0 0x0 /var/empty/dev/log 0xd3ba10c8 dgram 0 0 0xd3b67580 0x0 0xd0a97ec0 0x0 /dev/log /var/db/spamd is always empty. Any clue ? Ed

PF --- spamd

2004-09-01 Thread Ed White
=YES Is this a bug ? Ed

Re: preventing state runaway

2004-08-25 Thread Ed White
On Wednesday 25 August 2004 14:02, Ed White wrote: limiting the # of states a single source node can create is also a good idea, but less so to protect the firewall, more to protect the internet from machines gone nuts, that got hit by a worm or whatever. I've looked though my copy

Re: preventing state runaway

2004-08-23 Thread Ed White
of connections for each IP. Then you could make a quick math to know the maximum number of states that your ruleset could create and then install enough RAM. Ed

Re: your mail

2004-07-29 Thread Ed
. Thanks for the help. I sent the fix for the problems to the list, don't know if you read it. -- Ed. BSc (Hons) Comp / Inet Tech. IEng. Debian 3.

Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST) A [EMAIL PROTECTED] wrote: nat pass on interface [external_if] from any to \ 83.146.42.163 port 25 -> 192.168.0.20 Almost forgot. To the outside world, does 192.168.0.20 appear as 83.146.42.163, as this is for mail, it requires incoming and outgoing

Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST) A [EMAIL PROTECTED] wrote: You would clone the ethernet card on the OpenBSD firewall to have the extra addresses and then redirect based on the IP and the port number. So for each address I want snated i would need to do: ifconfig fxp0 83.146.42.163

NAT question

2004-07-09 Thread Ed
I have been given this as a spec for the network layout: --- | 217.205.140.x/32 +---+ |netgear adsl router| +-+-+ |

Absent Interfaces Handling

2004-07-02 Thread Ed White
Hi, I've read that since 3.5 PF can load rules for absent interfaces. After some tests I've found that sometimes it works and sometimes it doesn't. Can anyone tell me which interfaces are compatible ? Ed Example 1: desktop with only rl0 .. pass in on rl0 all pass in on fxp0 all

limit ruleset reload

2004-06-02 Thread Ed White
--- why not 1 ? .. Is this a bug or a feature ? ;-) Ed

IP source tracking doc ?

2004-05-31 Thread Ed White
connections to port 80 and a max number of 2 active connections to port 443. Right ? Thanks. Ed P.S. PF FAQ has completely omitted this argument and also has wrong default values for the limit section... it seems...

tagging keep state

2004-05-31 Thread Ed White
-matching rule. However I'd like to know if every packet that belongs to that connection (matches the state) will be marked with LAN tag. Thanks. Ed

Re: tagging keep state

2004-05-31 Thread Ed White
is not evaluated. However when the packet goes to rl1 (suppose this is the external interface) the fact that packets come tagged or not is important for ruleset evaluation. Think at a second interface: would those packets come with a TAG ? Ed

:peer

2004-05-30 Thread Ed White
Hi, can anyone show me some output numbers with the :peer modifier ? Is there a way to see the current IP address from a rule like this ? block in quick on rl0 inet from (rl0) to any (Using pfctl not ifconfig) Thanks. Ed

spamd grey-listing innovation

2004-04-04 Thread Ed White
is that spamd would add the grey-listing triplet to its database only if the destination address is present in the above-mentioned file (/etc/spamd.addresses ?). This will permit to save a lot of bandwidth and to move some load from the mail server to the firewall. Who likes it ? Ed

PF espionage attempt blanketed

2004-04-01 Thread Ed White
on the whole PF code. Thanks to our preferred secret agent ! [ http://www.openbsd.it/images/tshirt-15.jpg ] 003 - Ed

runtime rdr

2004-03-23 Thread Ed White
REDIRECT --to-port 9090 I told them that PF doesn't support adding rules from the command line, so they should use kernel IOCTL. Any other idea ? Ed

Re: runtime rdr

2004-03-23 Thread Ed White
to modify the ruleset. In fact you need an anchor... They want to add a rdr when the tool is started and remove it before stopping the tool. Something automagical and that doesn't need user complicity. Ed

Re: PF/spamd oddity

2004-03-18 Thread Ed White
of context? Check this... http://marc.theaimsgroup.com/?l=openbsd-pf&m=105716719422418&w=2 If I'm not wrong rdr pass was introduced in 3.4 to solve this. Ed

Re: Brige, Traffic Shaping and FTP

2004-03-01 Thread Ed White
example ? Ed

[idea] permit state

2004-02-29 Thread Ed White
protocol without proxy - compatible with NAT - mergeable with other options like restriction for ports number, number of concurrent connections and most of today PF features w00t ! Ed

PF profiling auditing

2004-02-04 Thread Ed White
Hi, I would like to know what tools were used to test PF behaviour correctness, to improve performance, to find bottlenecks and to check its security. Any test suite is appreciated. Thanks. Ed

Re: PF stream size

2004-01-23 Thread Ed White
-source-ip limits. I just didn't want to invent too many keywords. Opinions? Ideas? I've not tested it yet, but I'm going to make it soon. What is the opinion of PF developers here in ml ? Ed

PF stream size

2004-01-19 Thread Ed White
, the administrator could reactivate that rule. Ed

Re: What is the smallest sensible size for a table? and pfauth like system

2004-01-15 Thread Ed White
the time to a file. The script checkips.sh is executed regularly so when the file is not updated, it will delete the ip in the auth table and kill the states. Ed

Re: bridge, but when ?

2004-01-07 Thread Ed White
On Wednesday 07 January 2004 00:27, Trevor Talbot wrote: On Tuesday, Jan 6, 2004, at 09:59 US/Pacific, Ed White wrote: I was playing with a 3-if firewall with static IP 10.* when I got a simple doubt: when is supposed to be used the bridge feature ? When you want a switch (smart hub

bridge, but when ?

2004-01-06 Thread Ed White
?) setup can be done without it. Thanks. Ed

dhcpd authpf

2004-01-06 Thread Ed White
) without accepting by default every internal IP to go out. Thanks. Ed

Re: ftp-proxy ALTQ

2004-01-04 Thread Ed White
. we thought about doing this through socket options, but it's not really nice. Is there any news ? Ed

Re: 3.4 upgrade

2004-01-01 Thread Ed White
On Wednesday 31 December 2003 21:08, Dom De Vitto wrote: I don't recall there EVER being a non-backward compatible change to PF - can anyone correct me on this? Checkout this previous thread: http://marc.theaimsgroup.com/?t=1094632&r=1&w=2 Ed

Daily Changelog

2003-11-30 Thread Ed White
kernel networking off-by-ones w.r.t. PRC_NCMDS. + Reorder the pf(4) statistics counter code and fix some miscount bugs. Can anyone let me know some details and if anything affects -stable ? Thanks. Ed

ftp-proxy ALTQ

2003-11-06 Thread Ed White
mailbox, but soon restart to get the whole bandwidth when I finished. The problem is that _passive_ ftp download tcp connections have no fixed points: no IP and no ports. Thanks. Ed

Re: pf with any l7 patches or ability?

2003-11-06 Thread Ed White
application level data ? (like forwarding streams based on HTTP Hostname field) Something that transparently modifies application level data ? (like removing mail attachments) Each problem has a solution, but it's not true that the solution to every problem is the same ;-) Ed

Re: RFC#12 - PF version

2003-10-21 Thread Ed White
On Monday 20 October 2003 18:55, Ed White wrote: Request to introduce a public revision number to PF and pfctl. This is the answer Theo sent me some minutes ago: Incorrect. pf became incompatible way more than that. No, most software

rdr pass

2003-10-20 Thread Ed White
the client will be able to talk to/receive from server port 21. Is the only way to get it working this 2-line ruleset ? rdr on $if proto tcp from any to $if port 21 -> $if port 8021 pass in quick on $if proto tcp from any to $if port 8021 keep state user $ftp-u group $ftp-g Thanks. Ed

High availability and load balancing!

2003-10-18 Thread Ed White
post by Ryan McBride (mcbride@) available at http://marc.theaimsgroup.com/?l=openbsd-misc&m=106642790513590&w=2 Enjoy ! Ed

Re: deep packet inspection

2003-10-02 Thread Ed White
that... However I'm using an atypical way as usual ;-P Ed

PF debugging

2003-09-27 Thread Ed White
Hi, I'm looking for tips & tricks to write patches for PF. The biggest problem is debugging a live kernel. How do you do it ? VMWare ? Ed

Re: Divert socket

2003-09-25 Thread Ed White
On Thursday 25 September 2003 19:42, Daniel Carneiro wrote: Is there something like the IPFW divert socket for the PF? Or some other way that PF can send packets to a userland program? Double Burp ! http://marc.theaimsgroup.com/?l=openbsd-pf&m=106327905718110&w=2 Ed

syn-proxy application-level-proxy

2003-09-11 Thread Ed White
the connection or redirect (for example by hostname like apache vhost). client -tcp- syn-proxy (- application filter) -tcp- server Any chance to add this to the 3.4-current ideas queue ? ;-) Ed