Re: route-to enc0, ipsec

2002-10-24 Thread Cedric Berger
c0g wrote: Hi, I have 3 real interfaces on my OpenBSD 3.1 box: A, B and C. I have also setup ipsec on A interface. Default route goes thru interface C. ~ipsec ++ (...) ---A|OBSD|B--- net B ~ enc0 ++ ~

Re: PF extension for address/network tables

2002-12-20 Thread Cedric Berger
Henning Brauer wrote: On Fri, Dec 20, 2002 at 05:55:00PM +0100, Cedric Berger wrote: As you might remember, I was interested in an extension to PF to be able to assign and manage a huge list of addresses to the source or destination of any PF rule. and if I should try to clean it up and port

Re: PF extension for address/network tables

2002-12-20 Thread Cedric Berger
Henning Brauer wrote: well then let's look at it post-3.3. It's too late, too big, and too much stuff has already changed. I'm not in the position to look at a time frame. I would already be very happy if it was one day included. However, let me just say again that I designed that code with

Re: PF extension for address/network tables

2002-12-20 Thread Cedric Berger
Daniel Hartmeier wrote: Heh, I grant you that it's fast :) + if (m-addr32[0] == 0xCAFEBABE) { + if (pf_x_match_addr) + return pf_x_match_addr(a, m, b, af) ? !n : n; + return n; + } But I think you need some out-of-band flag instead

Re: PF extension for address/network tables

2002-12-20 Thread Cedric Berger
Michael Shalayeff wrote: Making, drinking tea and reading an opus magnum from Cedric Berger: Michael Shalayeff wrote: so far, it's not implemented yet, nothing to talk about. i suggest we return to this when some real diff resurfaces. Does that mean that it's worth for me

Re: PF extension for address/network tables

2002-12-20 Thread Cedric Berger
Daniel Hartmeier wrote: On Fri, Dec 20, 2002 at 07:11:12PM +0100, Cedric Berger wrote: Yes, it's a valid address, but not a valid mask :) Oh, misread the 'm-'. Hmm, it's not an invalid mask, actually, but one pfctl can't load yet. There were a couple of requests to allow arbitrary masks

pfradix/pfctl patch

2003-01-01 Thread Cedric Berger
Attached is a patch that fixes 3 problems Daniel found in pfctl_table.c Please also make sure you update net/pf_table.c to the latest version (version 9), sorry for that. Cedric --- pfctl-0.3/pfctl_table.c Wed Jan 1 19:58:07 2003 +++ pfctl-0.4/pfctl_table.c Wed Jan 1 22:54:49 2003

Re: pfradix/pfctl patch

2003-01-01 Thread Cedric Berger
Wrong list, Sorry guys, Cedric

Re: PF works for everying but 1 port??

2003-01-02 Thread Cedric Berger
Sabino, Justin wrote: Okay, I'm stumped here. I'm running OpenBSD v3.1 and have the following issue. I have PF setup (pf.conf and nat.conf) and everything has been working great for a while. I have several services that re-direct to one of 2 boxes on my internal (private 192.168.1.x)

Re: RFC: libpf, simplifying pf(4) access to userland apps

2003-01-09 Thread Cedric Berger
If we leave out all the technical challenges involved, the real question is if the pf developers find this idea useful at all? A few points, in wrac: 1) I kind of like libraries, but they are difficult to get right, and probably more difficult is to have people agree to use it. 2) Theo

Re: RFC: libpf, simplifying pf(4) access to userland apps

2003-01-09 Thread Cedric Berger
Srebrenko Sehic wrote: On Thu, Jan 09, 2003 at 07:50:09PM +0100, Henning Brauer wrote: pfctl does not support inserting rules on the fly and authpf needs that. On the other hand, the overhead of having that would be too big. h, things changed... authpf uses anchors now, that IS

Re: Are more than one log interfaces possible pflog0, pflog1...

2003-01-21 Thread Cedric Berger
[EMAIL PROTECTED] wrote: Is it possible to bring up more than one pflog interfaces on PF, like pflog0, pflog1,...etc, and be able to have a rule log to a specific interface? I tried Block on log pflog0 and made a syntax error - would this be a 'good thing' for PF? IMHO, yes. I've wanted

Re: Nat and pf question

2003-01-21 Thread Cedric Berger
Or if there's some way of doing something like ! { fxp0, fxp2 }, that would make things easier too. I do not understand what you wanna do, but you can try this: table fxp0fxp2 const { fxp0 fxp2 } and then use !fxp0fxp2 But that doesn't seem like a shortcut to me. Cedric

Re: dup-to

2003-02-01 Thread Cedric Berger
Marco Grigull wrote: If I want to forward all ip traffic verbatim to a loghost/ids machine, would the following rules suffice? # forward stuff to our loghost/IDS pass in log on $ext_if dup-to $dmz_if all How's dmz_if defined? did you put the IP of your loghost/IDS in there? If not, I think

Re: handle options like source routing?

2003-02-06 Thread Cedric Berger
Maik Kuendig wrote: Is it a good idea to filter packages, as an example with source routing, or is it not necessary and I ask a stupid question? I personally would *love* to be able to use PF to *insert* source routing on some outgoing packets Cedric

Re: pf vs Linux NFS

2003-02-11 Thread Cedric Berger
Mike Frantzen wrote: Quite possibly the final word on the matter: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084 I may as well clarify the purpose of SCRUB to the masses since Niels seems to be on an extended hiatus rolling a few tanks into France or something. Scrub is not

Re: pf rules and some confusion

2003-02-13 Thread Cedric Berger
Will PF load a rule for each IP given by www.example.com DNS resolution ? Yes.

Re: set loginterface

2003-03-08 Thread Cedric Berger
[EMAIL PROTECTED] wrote: you only want one because - In order to keep with the *nix ethic of one tool one job - a singular loginterface gives you one point of contact for your tool of choice for splitting out your various types of logs - i.e.. pipe it through grep tee orsee? I'm looking at

Re: set loginterface

2003-03-09 Thread Cedric Berger
Henning Brauer wrote: Obviously, none of you has thought through the consequences of collecting the stats on each interface. How do you know such a thing? As I said, I've a patch that did that in the past, for 3.0 or 3.1. So obviously I know something about the consequences on the code.

Re: pf rule sintax (newbie)

2003-03-10 Thread Cedric Berger
[EMAIL PROTECTED] wrote: I'm almost totally new to pf. I've noticed that this syntax is not accepted: Ext_If = rl0 MyVar = { 1.2.3.4/32, 2.1.0.0/24 } pass in on $Ext_If from any to !$MyVar beware of rule expansion. PF would expand that to: pass in on $Ext_If from any to !1.2.3.4/32

Re: important pf changes

2003-04-01 Thread Cedric Berger
Henning Brauer wrote: Index: parse.y === RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.343 diff -u -r1.343 parse.y --- parse.y 19 Mar 2003 15:51:40 - 1.343 +++ parse.y 1 Apr 2003 01:20:48 - @@

Re: NFS rules no-df syntax

2003-05-31 Thread Cedric Berger
Aaron Wade wrote: 2) Does PF read faster from an external file or a table list ( a la table testnfs ) within pf.conf ? It does not make any difference in either loading or running time. In both cases, the table is filled at the time you load your ruleset. Cedric

Re: pfioc_table.pfrio_esize?

2003-05-31 Thread Cedric Berger
James Kinney wrote: I have what is probably a stupid question. I am trying to compile an application that uses the pfioc_table structure. In the man page for pf it lists a pfrio_esize variable. In the pfctl source this variable is assigned with the size of the pfr_table buffer. When I compile

Re: synproxy problems with bridge

2003-06-13 Thread Cedric Berger
Thanks for the quick reply. Do you know if support for synproxy on a bridge is planned? it can only work if the bridge has an IP address. the same applies to the link2 for brconfig(8) and other things. I will *try* to implement a solution for that problem, assuming symmetrical routing when

Re: synproxy problems with bridge

2003-06-13 Thread Cedric Berger
I will *try* to implement a solution for that problem, assuming symmetrical routing when no routing table is defined. I don't think that makes sense... Why? I, for one, would love it. Cedric

Re: Flush counters

2003-06-17 Thread Cedric Berger
Daniel Hartmeier wrote: But reloading the ruleset will reset all per-rule counters as a side- effect, while the existing state entries will continue to work (ongoing connections are not affected), so that should be close enough. Unfortunately, I think that if you do it that way, existing states

Re: tabels and label macros

2003-06-18 Thread Cedric Berger
Henning Brauer wrote: I prefer this instead. Yep, it's much better! Index: parse.y === RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.390 diff -u -r1.390 parse.y --- parse.y 9 Jun 2003 11:14:46 - 1.390 +++

Re: Load Balancing and pf rdr

2003-06-20 Thread Cedric Berger
Jonathan S. Keim wrote: Hello all, I was reading the archives from October 2002 on load-balancing with pf[1], and it seems that adding the ability to redirect to hosts from a dynamic table would make building userland health monitoring substantially easier. For example, if we have the following

Re: College problem :)

2003-06-23 Thread Cedric Berger
Peter Hun wrote: Is it anyhow possible, for current allowed ports, to use all the bandwidth and to keep everything else at let's say 2Mbit? Inbound and outbound. Isn't that the purpose of ALTQ? I've tried something using altq/pf but without achieving all the objectives. :( Could you elaborate?

Re: Only one PF table for all connections?

2003-07-03 Thread Cedric Berger
Dom De Vitto wrote: Problem I've a filtering bridge, which connects in/out to another firewall (yea, yea, paranoid I know) and the local lan. I run snort on the various bits of network cable, watching the outside and inside bridges, and cross-correlating. My problem appears to be that there is

Re: Only one PF table for all connections?

2003-07-03 Thread Cedric Berger
Daniel Hartmeier wrote: You're right, 2 bridges on the same machine cannot work with PF. That was discussed before, without conclusive solution. I was in favor of tying states to interfaces, but there were objections. Maybe we need a keyword like lock or attach or tie to attach a state to a given

Re: Only one PF table for all connections?

2003-07-03 Thread Cedric Berger
There should be a solution for your setup that doesn't require four states (bound to the interface), so the discussion got side-tracked here. The problem is that even if just one state gets created (say on the first bridge) when the same packet traverses the second bridge it will match the

Re: PF - real-time(ish) logging of state changes?

2003-07-03 Thread Cedric Berger
William Yang wrote: How can I get a similar stream of NAT state changes? I see how to pull the NAT states with pfctl -s, but is there any way to get a stream of state changes that can similarly be logged into a pipe, so that I can do similar analysis? Any suggestions? man pfsync Cedric

Re: DIOCCHANGEADDR in 3.3-stable

2003-08-09 Thread Cedric Berger
Daniel Hartmeier wrote: I'm going to fix it (will require a kernel patch, probably will end up in -stable), but depending on what you wanted to do with the ioctl, there's alternatives: DIOCCHANGEADDR is meant to manipulate the pool addresses of a rule, depending on the rule type that's rdr ... -

Re: PF filter decisions based on source OS type

2003-08-23 Thread Cedric Berger
Mike Frantzen wrote: We need your help to populate the operating system database. Please go to http://lcamtuf.coredump.cx/p0f-help with as many machines with web browsers as possible and type in your OS name if it doesn't recognize the machine. I'm typing that mail on a W2K box, behind an OpenBSD

Re: Syntax problem

2003-08-25 Thread Cedric Berger
Per-Olov Sjöholm wrote: Hi ! Is there a reason that a rule like this works. block in quick on $ALL_INTERFACES inet from any to $DMZ1_INT:broadcast But not this dynamic update one with () block in quick inet from any to ($INTERNET_INT):broadcast The rule simply doesn't work with the

Re: syn-proxy application-level-proxy

2003-09-11 Thread Cedric Berger
Can Erkin Acar wrote: I have been dreaming of passing assembled streams through the userland. I have not yet come up with a suitable design though. I've been probably dreaming too, but I would love to have some kind of scrub tcp that would reassemble the stream, before forwarding it. That

Re: syn-proxy application-level-proxy

2003-09-11 Thread Cedric Berger
Daniel Hartmeier wrote: On Thu, Sep 11, 2003 at 04:49:27PM +0200, Cedric Berger wrote: 3) somehow, a NAT rule is created to make that 2nd connection originate from the same socket as the first connection/packet. *cough* embryonic state *cough* Googling... Ok, I see.. All you need

Re: syn-proxy application-level-proxy

2003-09-11 Thread Cedric Berger
Mike Frantzen wrote: I've been probably dreaming too, but I would love to have some kind of scrub tcp that would reassemble the stream, before forwarding it. That would allow me to easily bypass the PMTU problems for example, without having to tweak all clients (Win2000 friends will send 1500

Re: pfr_update_stats: assertion failed

2003-09-15 Thread Cedric Berger
Daniel Cox wrote: I have a router running OpenBSD 3.3 RELEASE. - it uses a negated statement: block in from !foo Hmmm, weird :( Ok, for a quick fix, you could just replace the line: printf(pfr_update_stats: assertion failed.\n); inside /sys/net/pf_table.c by: return; But if you can

Re: deep packet inspection

2003-10-02 Thread Cedric Berger
[EMAIL PROTECTED] wrote: Hi, At the university I am working on a project where I have to implement deep packet inspection (payload inspection) with some firewall (I picked OpenBSD's pf), currently I am thinking about design and implementation of that. One of the most obvious options is to rdr

Re: deep packet inspection

2003-10-02 Thread Cedric Berger
Daniel Carneiro wrote: I was wondering if I can make a userland program to read the packets from kernel land using ioctl instead of rdr? man tun man bpf

Re: deep packet inspection

2003-10-02 Thread Cedric Berger
Ed White wrote: On Tuesday 30 September 2003 06:23, [EMAIL PROTECTED] wrote: What are possible ways of implementing payload inspection in kernel? How is it possible to pass data from kernel-space to user-space(with kernel being initiator of that transfer)? This is pretty funny, I'm

Re: DIOCCOMMITRULES ioctl(2) and File Descriptors

2003-10-07 Thread Cedric Berger
Jonathan S. Keim wrote: Hello, I found the problem - a thread was erroneously closing fd 0, which happened to be the /dev/pf file descriptor. fd 0 was subsequently being assigned to various sockets. This would explain why ioctl(2) was returning errno values that don't come from the PF

Re: state limits

2003-10-31 Thread Cedric Berger
Octavian Hornoiu wrote: Is there a feature currently in pf that allows one to limit how many states one IP or group or macro or interface can use up? For example, I want my clients that I am natting out to be limited to 1000 states per machine so if they get a virus they won't be able to fill up

Re: Link-local addresses

2003-11-10 Thread Cedric Berger
Wouter Coene wrote: Wouter Coene wrote: Perhaps another suffix along the lines of ':network' and ':broadcast' that omits non-routable addresses (':routable', ':network-routable')? Attached is a patch that implements this. So now you can write: pass in on gif0

Re: Link-local addresses

2003-11-13 Thread Cedric Berger
Wouter Coene wrote: There are many little improvements possible, like warning if someone writes fxp0:routable:local for example, or similar invalid combinations, but let's see what other people say there. Why should you? That would mean you could write: if=fxp0:routable pass in from any

Re: newbie help - how 'bout ending that useless thread?

2004-01-04 Thread Cedric Berger

Re: interface improvements - help needed!

2004-01-05 Thread Cedric Berger
Alexey E. Suslikov wrote: i can't find the discussion with daniel, where he pointed out: this is the pf.conf manual page issue in saying: here is Daniel's message http://www.benzedrine.cx/pf/msg02982.html Quoting from that message: But it's not entirely true, either, as state

Re: interface improvements - help needed!

2004-01-06 Thread Cedric Berger
Henning Brauer wrote: On Tue, Jan 06, 2004 at 10:05:58AM +0100, Cedric Berger wrote: Henning Brauer wrote: that is in practice true for 99% of you. the state key does not include the interface, but the direction. as long as routes do not change that is equivalent to being bound

Re: pfctl: Cannot allocate memory

2004-02-04 Thread Cedric Berger
Hi Greg, Thanks for the very detailed report! # pfctl -T load -f /etc/pf.conf pfctl: Cannot allocate memory [...] 17006 pfctl CALL ioctl(0x3,_IOWR('D',0x4d,0x44),0xcfbfb630) 17006 pfctl RET ioctl -1 errno 12 Cannot allocate memory [...] Some of you are going to think that I

Re: pf default rule question..

2004-02-15 Thread Cedric Berger
Microsoft Security Center wrote: Was wondering if anybody knows if it is possible to add some Default rules to the kernel or something when compiling.. Well, remember that it's OpenBSD, so you've the source code. You can probably do what you're asking for by adding 5 lines of code in net/pf.c

Re: How to put more IPs in tables in PF?

2004-02-16 Thread Cedric Berger
Bohdan Tashchuk wrote: Who knows if they're on the level or not. But at the risk of helping some nuts, there's a really simple technique that can be used to put a table of *ANY* number of IPV4 IPs into this guy's machine. Since he's from Hong Kong it might not help, since he might need IPV6,

Re: Something like pfstat for multiple interfaces

2004-02-21 Thread Cedric Berger
jared r r spiegel wrote: On Fri, Feb 20, 2004 at 11:46:25PM +0100, Cedric Berger wrote: Brent Bolin wrote: Hello, Does anybody know of a way to capture statistics on multiple interfaces running pf Aha! Up to recently, it was impossible to grab stats on more than one interface

Re: Network with PPTP and interfaces statistics ?

2004-03-08 Thread Cedric Berger
Vladimir Potapov wrote: 2) I want to account traffic which goes via PF network interfaces. Can I use for this the pf option set loginterface with 2 or 3 arguments ( if1 if2 ) ? If I cannot use it, which tool do I need for traffic accounting on all interfaces ? Upgrade to -current, use pfctl -vvsI,

Re: pfctl: Cannot allocate memory

2004-03-09 Thread Cedric Berger
Greg Wooledge wrote: Cedric Berger ([EMAIL PROTECTED]) wrote: Now maybe you could succeed reloading your table with the command: pfctl -t ban -Tr -f /etc/ban, because this command is more optimized and will allocate less kernel memory. It will run faster too. Hope that helps, and let us know

Re: pfctl: Cannot allocate memory

2004-03-10 Thread Cedric Berger
Greg Wooledge wrote: Cedric Berger ([EMAIL PROTECTED]) wrote: Here is the problem I think: 40MB of kernel memory for routing table entries... It might be PF table stuff..., not sure yet. Do you reload your ban table very often? Whenever I notice a new IP address that needs my attention

Re: Keeping a lot of states

2004-03-15 Thread Cedric Berger
No, i386 current pmap support is very poor, and won't allow you to reliably allocate more than 64M of RAM. You might be more lucky with sparc64 or amd64. Cedric Jon Mosco wrote: Yes. option NMBCLUSTERS=N , where N is the number of clusters. Read http://www.openbsd.org/faq/faq11.html#Network

Re: PF/spamd oddity

2004-03-18 Thread Cedric Berger
Jason Dixon wrote: # allow localhost pass on lo0 all keep state pass in log on lo0 inet proto tcp from spamd to 127.0.0.1 port 8025 # testing That should be pass in log on $ext_if ... Cedric

Re: Per direction rule counters in PF

2004-03-22 Thread Cedric Berger
Michael O. Boev wrote: Good time of the day, everybody! Does anyone know, how to account per-direction traffic with PF? Imagine I have a rule: pass in on $int_if from $some_machine to any keep state label some-machine When I invoke /sbin/pfctl -sl I get something like: some-machine 5904 2510

Re: runtime rdr

2004-03-23 Thread Cedric Berger
Ed White wrote: Hi, someone asked me how to add a rdr rule on the fly. They are coding a well-known network manipulation utility and needed to apply the following redirection from the software itself. They used the following command with Linux: iptables -t nat -A PREROUTING -p tcp

Re: Singleton tables versus macros

2004-03-31 Thread Cedric Berger
Gregory Wright wrote: Hi, I have a question of style and efficiency. If I use a table with a single element, say table multicast const { 224/8 } Is it significantly more expensive in a rule than an explicit (or macro expanded) 224/8? Probably something like 5x-10x slower. I understand the

Re: Max table size and Composite Blocking List - 3.4 stable

2004-04-30 Thread Cedric Berger
Greg McConkey wrote: [EMAIL PROTECTED] (Cedric Berger) wrote in message news:[EMAIL PROTECTED]... Greg McConkey wrote: Anyone getting the Composite Blocking List to load into a table in PF, the 1.4 million lines seems to be too much. PF seems to complain that there isn't enough memory

Re: Max table size and Composite Blocking List - 3.4 stable

2004-05-03 Thread Cedric Berger
Attila Nagy wrote: Cedric Berger wrote: With that patch, you should be able to load up to something like 4'000'000 table entries on your i386 with 1G mem. Adding more than 1G memory will not help, since the kernel VM space is limited to 768MB. Is it possible to overcome this problem with a 64 bit

Re: error while trying to rebuild pf and pfctl

2004-04-29 Thread Cedric Berger
David Jobes wrote: I am getting this error, and after checking online, and searching thru the code and makefiles, i still have been able to get it to rebuild pfctl. cd /usr/src/sbin/pfctl/ # make yacc parse.y cc -O2 -Wall -Wmissing-prototypes -Wno-uninitialized -Wstrict-prototypes

Re: Things pf can't do?

2004-05-19 Thread Cedric Berger
Dave Anderson wrote: I'm new to pf, so I'd appreciate a sanity-check. I've searched through the docs and the mailing list archives but not found anything that clarifies this. (I found one similar question, but it never got an answer.) There seem to be some things one might reasonably want to do

Re: tftp through pf problems

2004-05-30 Thread Cedric Berger
Cameron MacDonald wrote: I guess the sensible question would be, can you tftp things through pf? tftp does not work with keep-state and friends, because it answers from a different port than the one used for the query. that's a PITA, but there is nothing PF can do. tftp itself needs to be fixed,

Re: :peer

2004-05-31 Thread Cedric Berger
Ed White wrote: On Monday 31 May 2004 01:26, Henning Brauer wrote: block in quick on rl0 inet from (rl0) to any (Using pfctl not ifconfig) :peer applies to pointtopoint interfaces (like tun) where the remote address is known and configured. So if I'll use PPPoE on rl0 I'll have

Re: tagging keep state

2004-06-01 Thread Cedric Berger
Henning Brauer wrote: * Ed White [EMAIL PROTECTED] [2004-06-01 13:32]: On Tuesday 01 June 2004 00:48, David Gwynne wrote: Theres always annoying edge cases. The only problem I've seen with this behaviour of tags is when you're trying to keep track of traceroutes through the box. Say you

Re: pfctl -n fails when run by a non-root user.

2004-06-06 Thread Cedric Berger
JB Robertson wrote: hi gang, as i was playing with some ruleset, i noticed that i couldn't use pfctl -n as non-root user anymore when there is a nat rule in the ruleset. Yeah, that's a known little issue. We're looking for ways to solve that cleanly. Cedric

Re: carp + pfsync + sqlnet (Oracle)

2004-06-18 Thread Cedric Berger
[EMAIL PROTECTED] wrote: Does anybody protect any oracle rdbms (sqlnet protocol) using obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ? I think for database failover, you'd better use the DB's own features. For example, a quick google grep gave me that: If you have multiple addresses,

Re: Absent Interfaces Handling

2004-07-02 Thread Cedric Berger
Ed White wrote: Hi, I've read that since 3.5 PF can load rules for absent interfaces. After some tests I've found that sometimes it works and sometimes it doesn't. Can anyone tell me which interfaces are compatible ? with 3.5, PF looks whether the interface you're trying to load can be hot-plugged

Re: PF $if:network syntax with more than one interface IP.

2004-07-06 Thread Cedric Berger
Per-Olov Sjöholm wrote: Hi ! I have used $if:network and $if:broadcast much to avoid specifying macros with IP addresses. However... I have recently fixed me a second public IP on my internet interface. Now I see the limitations with this and have to go back and specify the IPs directly in

Re: Inet on table

2004-07-08 Thread Cedric Berger
Ilya A. Kovalenko wrote: Good time of day, I want to define table, that includes all Internet IP addresses (i.e. all except fake ones). Excludes-only table does not work. table nInet {!192.168.0.0/16 !172.16.0.0/12 !10.0.0.0/8} How can I add all IP addresses onto table ? any causes error

Re: filtering on enc

2004-07-23 Thread Cedric Berger
Tamas TEVESZ wrote: hi, i think i'm missing something on filtering on the enc interface. scenario looks as: leftsecgwAright [internal lan] -- [xl0 tun0] -- ~~ -- [secgwB] -- [other lan] secgwA is a 3.5-stable built on jun 15 (ie. it doesn't have the pf

3.5 + Aliased Interface as Source IP

2004-07-24 Thread Cedric Berger
Okan Demirmen wrote: On Fri 2004.07.23 at 23:33 +0200, Daniel Hartmeier wrote: On Fri, Jul 23, 2004 at 03:24:25PM -0500, eric wrote: So, I know there's a way to tell pf to route traffic from a source-ip, I just forgot how and can't find it in the manpages. Also, is a way to make traffic

Re: is amd64 a good choice ?

2004-09-01 Thread Cedric Berger
Alain wrote: Hello, We're working on an openbsd/pf based GigE firewall. I would like to know if amd64 is a good architecture choice ? Will it be better than i386 ? In the pf developer interview, 64 bit architecture is recommended, but they don't really explain why. One of the limitation of i386

Re: PF tables states

2004-09-03 Thread Cedric Berger
Ed White wrote: This is a message from an interesting thread on [EMAIL PROTECTED] http://marc.theaimsgroup.com/?l=openbsd-miscm=109422765506037w=2 In short the question is: why doesn't PF kill all the states associated with the tables entries when you flush a table ? Why? Because states have

Re: route-to problem; traffic remains on default link

2004-09-06 Thread Cedric Berger
Paul Cusbish wrote: [ All, a bit of a late followup, but i've included some rules this time. Thanks for your help ] Hi there, I have a common setup (seen it a few times on this list) - xl0 LAN fxp0 Cable / dynamic address fxp1 ADSL / static (DNS, SMTP, HTTP etc...) The default gateway

Re: route-to problem; traffic remains on default link

2004-09-08 Thread Cedric Berger
Paul Cusbish wrote: --- Cedric Berger [EMAIL PROTECTED] wrote: Paul Cusbish wrote: [ All, a bit of a late followup, but i've included some rules this time. Thanks for your help ] Hi there, I have a common setup (seen it a few times on this list) - xl0 LAN fxp0 Cable / dynamic address

Re: pf error in OpenBSD help!

2004-09-25 Thread Cedric Berger
Siju George wrote: Hi all, When my OpenBSD 3.5 System tries to load the PF ruleset it shows the following error. /etc/pf.conf:22: could not parse host specification no IP address found for dc0:172.16.0.0/12 the 22nd line of my pf.conf is this. nat on $ext_if from $int_if:172.16.0.0/12 to any -

Re: CIDR notation - block spam 220.87.30.0/24

2004-10-07 Thread Cedric Berger
i.t Consulting wrote: On Wednesday, 6 October 2004 21:21, Max Laier wrote: the postfix mailserver tells me today: Oct 6 18:06:16 yak postfix/smtpd[27628]: NOQUEUE: reject: RCPT from unknown[220.87.30.15]: 450 Client host rejected: cannot find your hostname, [220.87.30.15]; from= to=[EMAIL

Re: Linux port of pf

2004-10-20 Thread Cedric Berger
Ed White wrote: On Tuesday 19 October 2004 22:08, Ed wrote: Has anyone ported pf for use on linux kernels? I like the firewall so much I want to use it on the debian systems. ..and maybe releasing it under GPL... You really like flames, don't you? Cedric

Re: using the ! (not) modifier

2004-10-27 Thread Cedric Berger
Björn Ketelaars wrote: Hello, I'm trying to setup a natting firewall in which the internal network (int_if:network) *only* has access to the internet and udp-port 53 (domain) on the firewall. When I'm using the pf.conf given beneath it is possible to access all servers on the firewall... If I track a

Re: using the ! ('not') modifier

2004-10-27 Thread Cedric Berger
Björn Ketelaars wrote: here is two as a start: 1) to !$int_if:network will only work as you intend if there is only one IP address assigned to $int_if. If there is more, it will fail. please show the content of pfctl -sr. as a workaround, you can use !($int_if:network). 2) You want to

Re: NAT *before* routing decision

2004-10-28 Thread Cedric Berger
Chris Wilson wrote: Hi all, Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping you folks can tell me whether I'm crazy :-) I'm doing that, but with a somewhat older version of OpenBSD. So I guess that makes us both crazy :) I've got IPSEC ala: 10.1.1.1/32 10.1.1.1

Re: setting up vpn tunnel with nat - twisted

2005-01-06 Thread Cedric Berger
brianBOFH wrote: Hi, I have two 192.168.1.0/24 networks physically separated. I need to get connectivity from one to the other and vice versa _without_ renumbering hosts. That being said - I have an openbsd 3.6 machine with one public and one private interface on each end. I know I can setup the

Re: pf with many interfaces?

2005-01-20 Thread Cedric Berger
Adam Morley wrote: table internal_subnets { 10.1.1.0/24, 10.1.2.0/24, 10.1.0.0/24 } .. tables for rfc1918, classD, classE, etc. table outsideworld { *, !internal_subnets, !rfc1918, !classD, !classE } (can I use * or should it be 0.0.0.0/0?) It should be 0/0, and you cannot have tables containing

Re: link failover

2005-02-11 Thread Cedric Berger
guilgamesh70 wrote: Hi group, I have this situation + + +--- IPSec link Internal network + Obsd Box+ +

Re: link failover

2005-02-11 Thread Cedric Berger
guilgamesh70 wrote: Cedric Berger wrote: guilgamesh70 wrote: Hi group, I have this situation + + +--- IPSec link Internal network + Obsd Box

Re: can you help me measuring traffic using OpenBSD's pf?

2005-03-23 Thread Cedric Berger
Sean Kamath wrote: [In a message on Tue, 22 Mar 2005 22:52:58 +0100, Steven Schubiger wrote:] On 22 Mar, Eugene M. Minkovskii wrote: I want to measure incoming traffic and outgoing traffic separately, regardless of which side initiated the traffic. # Excerpt from pf.conf, Options

Re: Anchors with tables

2005-03-28 Thread Cedric Berger
Jason Dixon wrote: Looking at pf.conf (5), it claims that anchors can hold rules, address tables, and other anchors. Do you have the possibility to check if that was working on 3.5? I wouldn't be surprised if there were new bugs in that area in 3.6. Cedric

Re: Dropping fragmented ICMP echo-reply packets sourced from Solaris?

2005-04-01 Thread Cedric Berger
Kevin wrote: I've noticed frag'd ICMP echo-replies being dropped by scrub in when they come from a Solaris host. Is this a known issue? Oh Yeah, That's a long time annoyance of the scrub code, which (wrongly IMO, but others disagree) drops fragments which have the DF bit set. You'll get the

Re: Dropping fragmented ICMP echo-reply packets sourced from Solaris?

2005-04-02 Thread Cedric Berger
Kevin wrote: On Apr 1, 2005 2:06 AM, Cedric Berger wrote: Kevin Kadow wrote: I've noticed frag'd ICMP echo-replies being dropped by scrub in when they come from a Solaris host. Is this a known issue? Oh Yeah, That's a long time annoyance of the scrub code, which (wrongly IMO, but others

Re: Pfctl for non-root users

2005-04-11 Thread Cedric Berger
Peter N. M. Hansteen wrote: Jason Dixon [EMAIL PROTECTED] writes: Is the ability to run pfctl (via sudo) as a non-root user still broken? I've tested this on a 3.6 -release system, and /dev/pf is still unavailable for non-root users. [EMAIL PROTECTED]:~$ ls -l /dev/pf crw--- 1 root

Re: ranges within a table ... is it possible ?

2005-04-20 Thread Cedric Berger
alex wilkinson wrote: Hi all, Is it possible to specify a range within a table ? e.g. No, tables do not currently support ports. table itunes const { 8000 8999 } I get a syntax error for the aforementioned table, so can anyone suggest a method for what I'm trying to achieve ? You need to use

Re: performance: single ip in table Vs single ip

2005-04-22 Thread Cedric Berger
Mike Frantzen wrote: Simple question which rule is evaluated faster. table ip0-2 const {192.168.0.2} pass in quick on $int_if from ip0-2 to any pass in quick on $int_if from 192.168.0.2 to any Daniel did some tests several years ago and the break even point was about six IPs in a table versus six
