openbsd router with 2 dsl lines

Hi List, I've been asked to to the following : Install a OpenBSD mashine with 3 NICs, connect 2 of them to different DSL lines, 1 to the local lan. Thats pretty easy. But, how do I set up pf to do the following : NAT http traffic from the local lan to the 1 dsl line, ssh to the second, ftp to the

Re: Linux virtual server competition

cket-filter (like the lvs) or implement it as astand-alone solution ?  Any comment is welcome.Hope this is not to off-topic.  Regards,Stefan Sonnenberg-Carstens

Linux virtual server competition

e this is not to off-topic.   Regards, Stefan Sonnenberg-Carstens  

Re: GE cards for VLANs

http://www.openbsd.org/cgi-bin/man.cgi?query=vlan&apropos=0&sektion=0&manpat h=OpenBSD+Current&arch=i386&format=html and http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8&arch=i386&ap ropos=0&manpath=OpenBSD+Current should help you. - Original Message - From: "Dieter Kasie

Re: PF MAC Filter

No, it is not possible. And you should remember that a setup like that can cut you off by mistake; everyone who had to deal with a Fw-1 and the f***ng arp-cache should know ... And another thing : In Ethernet terms, you can only see MAC's on your ethernet segment (eg a router,switch) etc, so if you

Re: how stupid is this?

Message - From: "Daniel Hartmeier" <[EMAIL PROTECTED]> To: "Stefan Sonnenberg-Carstens" <[EMAIL PROTECTED]> Cc: "David Krause" <[EMAIL PROTECTED]>; "Dave Rocks" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, February 19, 2

Re: how stupid is this?

Sorry, folks. some hotshot. This has never happend ... - Original Message - From: "Daniel Hartmeier" <[EMAIL PROTECTED]> To: "Stefan Sonnenberg-Carstens" <[EMAIL PROTECTED]> Cc: "David Krause" <[EMAIL PROTECTED]>; "Dave Rocks"

Re: how stupid is this?

How stupid are YOU !??!?!? DNS uses tcp/53 for zone transfers regarding slave servers, not big packets ! - Original Message - From: "David Krause" <[EMAIL PROTECTED]> To: "Dave Rocks" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, February 19, 2003 3:29 PM Subject: Re: how st

Re: PF gateway performance

If you'd like to know, where the limiting factor is, set up a bridge with rl0 and rl1 attached to it. If the performance is better, the CPU is limiting. But it seems obvious to me, that the NICs are the problem, as Daniel states. - Original Message - From: "Ed White" <[EMAIL PROTECTED]> To

Re: pf.conf and PF behaviour

I don't think this is neccessary,cause you got the "on" keyword. Filtering occurs in kernel AFTER the packet is passed into by the NIC driver, I think your mention would require seperate filters for each NIC, which would cause some things not to function properly (states etc). Trust the skip-steps,

and nat/rdr

Hi all, I recently installed the 3.2-CURRENT snapshot to check out the newest features available in the forthcoming 3.3 release for pf. I noticed the definition to pf rules, but the manpage and the section BNF rules state no possibility for using inside nat/rdr rules. I thought this might be fine

AW: Am I too dull for ftp-proxy ?

PCI slots, setup a client mashine, and ftp works ! God, sometime I ask myself, if I'm such an idiot, or if the docs are not Fully dummy-proof. -Ursprüngliche Nachricht- Von: Daniel Hartmeier [mailto:[EMAIL PROTECTED]] Gesendet: Mittwoch, 4. Dezember 2002 17:37 An: Stefan Sonnenberg-C

Re: Am I too dull for ftp-proxy ?

tream tcp nowait root /usr/libexec/ftp-proxy -m 12000 -M 14000 -t 300 and, an earlier try : 127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 12000 -M 14000 -t 300 Thx in advance - Original Message - From: "Daniel Hartmeier" <[EMAIL PROTECTED]>

Am I too dull for ftp-proxy ?

Hi list, I'm currently setting up a replacement firewall. This mashine must be able to do ftp requests for the clients, and for it self. In the inetd I added a line :   127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 12000 -M 14000 -t 300   My pf.conf file looks like

Announce : pf Rule editing module for webmin

Dear list subscribers, my company decided to give OpenBSD 3.2 a try a replacement for our Nokia/CheckPoint solution. My colleges are not that fit using OpenBSD pf at all, and I was searching for stuff to do rule editing with some sort of a remote possibility and an easy to use interface. I co

Re: pf address pools

the DNS queries, and there is no guaranty, that your ISP DNS will ask a second time. That is the reason why my company still sticks on BigIP. - Original Message - From: "Dries Schellekens" <[EMAIL PROTECTED]> To: "Stefan Sonnenberg-Carstens" <[EMAIL PROT

Re: pf address pools

sorry, www.heise.de, not www.heisse.de ! - Original Message - From: "Stefan Sonnenberg-Carstens" <[EMAIL PROTECTED]> To: "Darren Reed" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, November 29, 2002 10:21 AM

Re: pf address pools

So, do you think it might be better to use ipfilter than pf on OpenBSD in that case ? And the next question is, is it useful to have a wide spread (more than on IP subnet) servers to do load-balancing on ? After all, that is a feature, the BigIP supports and I know that atleast www.heisse.de is usi

AW: Am I too dull for NAT ?!??

Hartmeier Gesendet: Sonntag, 24. November 2002 01:17 An: Stefan Sonnenberg-Carstens Cc: [EMAIL PROTECTED] Betreff: Re: Am I too dull for NAT ?!?? On Sat, Nov 23, 2002 at 03:34:06PM +0100, Stefan Sonnenberg-Carstens wrote: > But if add a rule like : > > Binat on rl0 from any to 19

Am I too dull for NAT ?!??

I have a OpenBSD 3.2 firewall here, wich has an external interface rl0, with a routable IP Adress asigned, and an internal interface xl1, with a private IP assigned. On the internal side is a private network with some servers, 192.168.0.3 – 192.168.0.10, and I have corresponding routable I

altq and pf

Can some of you hackers show us some examples of the syntax style ?   Stefan Sonnenberg-CarstensRHCE & System-/Netzwerkadministrator-CoolSpot AGAm Albertussee 1 D-40549 DüsseldorfTel +211 50 66 1-0 Fax +211 50 66 1-11http://www.coolspot

Hardware interfaces listing

in my effort to write a configuration program for pf, I'd like to know if there is a easy way to figure out, what hardware interfaces are present to the system (fxp0 etc.)     Stefan Sonnenberg-CarstensRHCE & System-/Netzwerkadministrator---

pf and altq

Read about the effort to migrate pf and altq in the CURRENT changes, so how will it look like ?     Stefan Sonnenberg-CarstensRHCE & System-/Netzwerkadministrator-CoolSpot AGAm Albertussee 1 D-40549 DüsseldorfTel +211 50 66 1-0 Fax +211

Re: Redundent setup

p > > On Mon, Nov 04, 2002 at 12:42:02PM +0100, Stefan Sonnenberg-Carstens wrote: > > > The switch must be able to do this, right ? > > > And if it is not ? > > You just use the switches to send the traffic to both bridges, the bridges > will use STP to determine w

Re: Redundent setup

The switch must be able to do this, right ? And if it is not ? - Original Message - From: "Otto Jongerius" <[EMAIL PROTECTED]> To: "Cedric Berger" <[EMAIL PROTECTED]> Cc: "Stefan Sonnenberg-Carstens" <[EMAIL PROTECTED]>; <[EMAIL P

Redundent setup

| Is there any (perhaps ports) software to figure out, which PF/Bridge is alive, and if not to tell the second to overtake ? Any comment is welcome ! Stefan Sonnenberg-Carstens RHCE & System-/Netzwerkadministrator - CoolSpot AG Am Albert

pf and the "return" action

As stated in the documentation, "pf" has a "return" action to return (ICMP)messages to the sender ofthe packet.What the document does not mention, if it does it like "ipfilter" when using"return-as-dest" or as a packet oroginating from the firewall's ip pf runson.And, if it does by sending w