this.
Thanks again for your reply, Mr. Henderson, and I look forward to one day being
an asset and not a liability.
High Five
Kevin Gerrard
From: Stuart Henderson [via OpenBSD]
[mailto:ml-node+s7691n254354...@n7.nabble.com]
Sent: Saturday, August 23, 2014 3:05 PM
To: Kevin Gerrard
Subject
to worry about. I will just give it as a donation and download
one for replication. Report it was not really an issue, a bit of a rant
maybe and would have been better off left unsaid.
Thank you for your help. I will play with it here in a bit and see what
happens.
Kevin
From: Stuart
Thank You,
I will see this afternoon, and I appreciate your reply.
Can't believe it would be that simple and I missed it. I even have both pf
books. Pre 4.6 and post 4.6
Again thank you very much and will read.
Kevin Gerrard
--
but for
some reason it doesn't seem to happen. No reply needed, just read them and
take the post for what you think it is worth. Then do what you wish with the
post.
Kevin
--
I realize that this may seem like a dumb question for one of the developers.
I didn't expect a detailed message or exact answer. I have spent much time
reading different ideas and by doing so learned much more while on this
path. I have not posted on here except a time or two. I have ordered cd's
. Is this
something to do without too much ado or is it something coming later?
Thanks for the brief direction to go,
Kevin Gerrard
--
Hey everyone!
I am sitting here with the following situation:
I just had to reinstall my OS X a while ago. Currently, this Mac Mini was used
as a NAT router. It uses its Wifi to connect to the dorm's internet, and is
supposed to dish the data thru its ethernet port:
Dorms Wifi — Mac
?
Regards,
Kevin
Daniel Staal wrote:
--As of July 7, 2009 8:56:34 AM -0400, Kevin Kobb is alleged to have said:
Hello,
I am wondering if it is possible to add filters/anchors with pfctl to a
running instance of pf?
I have put an anchor option in my pf.conf, and I can add tables and
filter rules to that OK. But suppose I had no anchor option in pf.conf;
is there some way to add one with pfctl and
A failover will terminate any existing proxied connections, including
Squid and ftp-proxy. This is an inherent limitation of a proxy
firewall.
While active TCP sessions are expected to abort, if you start up a new
FTP or Squid session after the failover, does it succeed?
Kevin
is permitted to initiate outbound queries on UDP
and TCP 53.
OpenBSD ships with an example BIND configuration for this as
/var/named/etc/named-simple.conf
Kevin
scrub out all random-id
(Yes, optimization normal is the default and unnecessary; it's there
for sanity, as on other machines of ours we use other settings.)
Good luck,
Kevin
--
http://www.ebiinc.com :
Background Screening from EBI
Leaders for employee background checks.
, and populate a round-robin A record with
all of these addresses. Then have the client connect to the
destination using a different destination IP address for each session.
This reduces the likelihood of duplicating the same quad by a factor
of 16 or 32. A hack, but not all hacks are bad
Kevin
to filling up the
local host (not pf) TCP state table with TIME_WAIT entries on the
client, the server, or both.
This can be diagnosed by running netstat -np tcp on the
client/server, right when the problem starts.
Kevin Kadow
for the
aggressive optimization to not only adjust timeouts, but also change
engine behavior so a newly received SYN, if it matches a state entry
which is in FIN-WAIT or CLOSED state, to reset that state entry back
into first?
Kevin Kadow
timeouts and
spurious packets arriving late, flushing old state entries when a new SYN
is seen would seem to be at least as secure and effective as lowering the
timeout values, but without the CPU overhead?
Kevin showing the limits of my TCP knowledge Kadow
are the loss of visibility into
and transfer accounting for the data connection, and greater exposure
to attacks such as this one:
http://www.enyo.de/fw/security/java-firewall/
Kevin Kadow
On 8/17/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
On Wed, Aug 17, 2005 at 01:42:52PM +0800, Kent Ho wrote:
Is there a way to throttle the number of connections from a CIDR block?
e.g. Allow only 20 connections from the entire 192.168.2.0/24 subnet.
. . .
Yes, it's possible with
On 8/17/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
On Wed, Aug 17, 2005 at 03:52:54AM -0500, Kevin wrote:
Some applications include code to throttle the number of concurrent
inbound connections from any CIDR block, this is a common request
for SMTP listeners.
Sounds like a nice
to any tagged aramith -> 69.13.34.94
. . .
pass out from any to any user aramith tag aramith
I just happen to have read the section on tagging in Building
firewalls last weekend.
Kevin Kadow
, Limewire, etc all can be configured to abuse a proxy gateway).
Worst case, you'll have verbose logs of all outbound traffic that looks like
web traffic, and you can solve the social problem of AUP enforcement
through social means -- I recommend public hangings at dawn.
Kevin Kadow
rule that gets parsed.
To (mis)-quote Henning, Pfft. This is trivial. ;-)
Kevin
--
http://www.ebiinc.com :
Employee Background Screening from EBI
A leader in corporate background checks, worldwide.
. Starting out a policy with 'block' as the first
filter rule is inherently a style decision, not an absolute requirement.
Kevin Kadow
requests
to one cache and some to a second cache, it's just like load-balancing
any other TCP service. You'll need to add your own failover mechanism.
Kevin Kadow
of queues and priorities.
I believe the idea here is to set TOS bits on the packets as they pass
through the OpenBSD gateway, so *other* routers in the path can act
accordingly, using their own queues and priorities.
Kevin Kadow
On Apr 10, 2005 1:13 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On Apr 8, 2005 3:49 PM, [EMAIL PROTECTED] wrote:
I am running pf in an environment with two WAN connections,
I noticed you don't mention the specific version of OpenBSD?
and pf is configured to load-balance outgoing
associated with a particular state
entry to go out via the interface specified in the 'reply-to' option.
Kevin Kadow
On Apr 1, 2005 2:06 AM, Cedric Berger wrote:
Kevin Kadow wrote:
I've noticed frag'd ICMP echo-replies being dropped by scrub in when
they come from a Solaris host. Is this a known issue?
Oh Yeah,
That's a long time annoyance of the scrub code, which
(wrongly IMO, but others disagree
keep state
###EOF###
Thanks,
Kevin Kadow
particular to
load balancing.
As it's *so* easy to add / delete servers from the load balanced
server group when IPs are all you see when you open that particular
table, having use of two tables in one rule would be particularly
nifty.
As always, thanks.
Kevin
--
http://www.ebiinc.com
any to web_servers_ext port 80 -> web_servers_int round-robin sticky-address
makes everything pass through like a champ. Now to grab an updated
3.6-stable. :-)
Thanks so much.
Kevin
On Tue, 1 Mar 2005 16:59:53 -0600, eric [EMAIL PROTECTED] wrote:
On Wed, 2005-03-02 at 11:22:15 +1300, Russell Fulton proclaimed...
I want to monitor the output from pflog in more or less real time. It
isn't clear to me what is the best (read simplest ;) way to do this.
What I really
] [box02] (208.19.20.25 208.19.20.27--Part of 208.19.20.0/24)
Thanks so much for your $.03 on this everyone.
Kevin
to
a socket in
the designated range only if binding ftp-data fails?
Looking at ftp-proxy.c, the change to handle this would be minor, I can submit
a diff if there is interest.
Kevin Kadow
by IRC servers (of limited value, IMHO) in their fight against
compromised bots and open proxies.
Kevin Kadow
On Sun, 30 Jan 2005 15:41:41 -0600, Rick Barter [EMAIL PROTECTED] wrote:
Kevin wrote:
I do not think this is technically possible without extensive effort,
nor desirable. The 'ident' (auth, tap, TCP/113) protocol is no longer
very useful for the original purpose, but it is still required
with a different ext_if
interface address to force reply traffic to come back the same path it went out?
Kevin
, assuming
there are not risks or race conditions with putting DNS names into
pf.conf and populating the tables at boot time and whenever I manually
reload the ruleset?
I am running a local caching resolver, but I do also list my ISP's
nameserver in /etc/resolv.conf.
Thanks,
Kevin
On Mon, 17 Jan 2005 22:38:05 +0100, Laurent Cheylus [EMAIL PROTECTED] wrote:
Hi Rick,
On Mon, Jan 17, 2005 at 12:06:54PM -0600, Rick Barter wrote:
Okay. I have a problem that I can't get my brain around and I need
some help. My wife needs to connect to her VPN at work. I've
captured
:
http://www.allard.nu/mailman/listinfo/openbsd-ipsec-clients
Kevin Kadow
On Mon, 20 Dec 2004 18:42:58 +0100 (CET), J. [EMAIL PROTECTED] wrote:
# $OpenBSD: pf.conf,v 1.28 OpenBSD 3.5-current (GENERIC)
Why not upgrade to 3.6-stable, before going production?
# 1. ftp clients [external, incoming]
rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
On Wed, 15 Dec 2004 10:37:33 -0800, Bryan Irvine [EMAIL PROTECTED] wrote:
I'm trying to load the enormous CBL into my spamd table, but it seems
to be far too large.
What happens when you try?
I found this thread from back in April:
http://archive.netbsd.se/?ml=openbsd-pf&a=2004-04&t=127074
is present.
The code which generates both of these headers is located in 'http.c'
in the Squid source tree. The only way to disable the 'Via' header in
Squid 2.5 is to edit the source and recompile.
Kevin
listeners at
wire speed.
Kevin
, but it would still cost thousands of dollars. The big
advantage to using NetOptics is that the passive taps are entirely
transparent to the network (no single point of failure) and add
effectively no latency.
Kevin
*might* detect the protocol anomaly, the only effective way for a
stateful packet inspection device to block AIM is to refuse ALL
traffic towards the IP addresses which host the login.oscar.aol.com
service (there are approximately fifty such servers under aol.com and
icq.com).
Kevin Kadow
to the firewall from the management host?
Have you considered instead loading web management (e.g. webmin) on
the firewall, accessed via SSL? You could then lock down remote
access to the https service, for example, using a combination of
authpf and SSL client certificates.
Kevin
On Fri, 8 Oct 2004 12:12:08 +0200, i.t Consulting
[EMAIL PROTECTED] wrote:
On Friday, 8 October 2004 07:53, Kevin wrote:
[ Evaluations: 961075  Packets: 213111  Bytes: 76349669  States: 0 ]
@34 block drop in log quick proto tcp from PDL:10994 to any port = smtp
through cut and then reload the
table from a file.
I have never encountered a false positive in my six months of using
the PDL. YMMV.
Kevin
(P.S. As counters are cleared when the pf ruleset is changed, the
counters above are just one month's attempts.)
On Sat, 25 Sep 2004 13:41:40 -0300, Gustavo [EMAIL PROTECTED] wrote:
I have a OpenBSD 3.5 with 3 external interfaces (WAN) and with squid
twirling.
Can anybody translate squid twirling ?
xl0 - 200.x.x.x (default route)
rl0 - 192.168.254.253 (dsl)
rl1 - 192.168.254.254 (dsl)
He would
On Tue, 21 Sep 2004 10:54:50 -0600, [EMAIL PROTECTED] wrote:
Russell Fulton writes:
On Tue, 2004-09-21 at 09:37, Nick Buraglio wrote:
They also said that in large enterprise there
is a need to have a responsible party for software and hardware.
My stock answer to this argument is And
On Wed, 22 Sep 2004 10:08:07 +0100, Greg Hennessy [EMAIL PROTECTED] wrote:
On 21 Sep 2004 23:20:32 -0700, [EMAIL PROTECTED] (Kevin) wrote:
I'm sort of in the same boat. I have a strong case for replacing
multiple PIX failover pairs with OpenBSD on Dell,
They are installed, working
129.118.156.149:2447  ESTABLISHED
Oddly none of those IPs are shown with a pfctl -ss
Thanks,
Kevin
On Thu, 1 Jul 2004 20:39:28 +0200, Daniel Hartmeier
[EMAIL PROTECTED] wrote:
On Wed, Jun 30, 2004 at 04:47:00PM -0500, Kevin wrote:
Unable to get synproxy working using snapshot dated June 28
synproxy before and it worked quite
well, just can't figure out what I am doing wrong, configuration is
kept very simple for testing. Included below is the pf.conf, pfctl
-sa and ifconfig -a output.
Thanks,
Kevin
# cat /etc/pf.conf.syn
pass in log quick on em0 proto tcp from any to any port 80
! I
think I'm going to start firing up a bunch of boxes to do this, too! You
guys wouldn't mind getting a few emails from me would ya?!
/sarcasm
Kevin
Here's the message I received from them in its entirety, for those that are
interested
Hello
Thank
documentation on that either--my efforts at applying 3.2 syntax in 3.3
have failed. Presumably this feature still exists, and I'm not seeing how to
specify rule placement
Thanks,
Kevin
ago by Henning showing
15k packets/s on a Duron 700 with 10% CPU usage, although that was prior
to synproxy, so I'm doubtful that I've hit a ceiling with PF.
Anyone have any ideas? dmesg and pf.conf are below.
Thanks,
Kevin
dmesg:
OpenBSD 3.3-current (GENERIC) #45: Wed Jun 11 03:42:09 MDT
Thanks for the explanation, that makes sense. And even more thanks for
an extraordinary packet filter. I don't know what I would do without
it.
Kevin
Just installed the June 11 snapshot to do some testing with synproxy.
The server has three NICs installed with fxp0 and fxp1 making up the
bridge and dc0 for remote access.
Traffic through the bridge works fine, unless I enable synproxy. Both
keep state and modulate state work as expected,
rules which would generate
packets. This applies to rules with return, return-rst,
return-icmp, return-icmp6 or synproxy defined.
Thanks for the quick reply. Do you know if support for synproxy on a
bridge is planned?
Kevin
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL
on $ext proto tcp from $allow to any port = 5631 flags S/SAFR modulate state
pass in quick on $ext proto udp from $allow to any port = 5632 keep state
pass in quick on $ext proto tcp from $allow to any port = 65301 flags S/SAFR modulate state
Good luck,
Kevin
- Original Message
Here's what you're looking for:
rdr on $ext proto tcp from $allow to public_ip port 5631 -> your_nat_ip port 5631
rdr on $ext proto udp from $allow to public_ip port 5632 -> your_nat_ip port 5632
rdr on $ext proto tcp from $allow to public_ip port 65301 -> your_nat_ip port 65301
pass in