Re: pf filtering on loopback?
Daniel Hartmeier [EMAIL PROTECTED] Thu, 15 Jul 2004 06:07:02 PDT
Thank you for the feedback. There have been several objections to bypass
filtering on loopback, so the status quo will remain. That is, use of
synproxy requires use of state-policy
Daniel Hartmeier wrote:
I guess it got lost. Since then, we added the 'set skip on lo' feature
(which is part of the example pf.conf), which resolves this issue, and
others.
Instead of going into the gory details of how loopback filtering breaks
synproxy in this case, I think it would be
Karl O. Pinc wrote:
Sorry, pasted from the wrong window. This is the correct script.
On 01/15/2006 06:28:21 AM, ed wrote:
Another question, how do you associate the rule number to line in
pf.conf, without doing the obvious mental exercise, with many rules it
can be a chore.
awk
Francisco Valladolid Hdez. wrote:
Hi, folks
Is it possible to run rules on the command line via the pfctl
command?
There are situations where temporary rules are
useful.
Create an anchor at a proper location in your ruleset,
then load rules into that by doing
echo pass in quick to port ssh | pfctl
alex wilkinson wrote:
Jonas,
Can you please elaborate on "Create an anchor at a proper location", i.e.
how does one do that?
- aW
Try reading the manual for pf.conf, it has a section about anchors.
Pf does not seem to allow UDP packets destined for port 0 out, TCP packets to
the same port pass without problems.
If nothing else, this breaks nmap's OS-detection mode.
with 'pass quick on em0'
#hping -2 -n -p 0 192.168.1.10
HPING 192.168.1.10 (em0 192.168.1.10): udp mode set, 28 headers + 0
Tr0go wrote:
I also saw such problem and for my case, it was
related to scrubbing all IP traffic... take care not
to scrub all traffic if you are trying to use nmap...
regards
Tr0go
Already tried removing all my scrub rules, still no joy.
jared r r spiegel wrote:
On Sat, Feb 04, 2006 at 12:59:41AM +0100, Jonas Davidsson wrote:
Pf does not seem to allow UDP packets destined for port 0 out, TCP packets
to the same port pass without problems.
If nothing else, this breaks nmap's OS-detection mode.
with 'pass quick on em0'
Tobias Weisserth wrote:
# inbound traffic (firewall)
pass in on $ext_if inet proto tcp from any to $fw_ext user proxy
keep state
pass in on $ext_if inet proto tcp from trusted to $fw_ext \
port 22 flags S/SA keep state
What's the first of these two rules doing? I can't find any
Gustavo A. Baratto wrote:
Hi all...
Is there any easy way to find out what the defaults are for the options?
Things like timeout, limit, debug, etc. have no default values
explicitly stated in the man page for pf.conf (OpenBSD 3.9).
Any pointers?
Thanks a lot ;)
pfctl -s timeouts
Daniel Hartmeier wrote:
Here's a major update to pfstat. The most important changes:
I'm getting some very strange numbers out of this now; the number of states,
for example, is shown to be around seven thousand in the graph,
while pfctl shows only 680. Most other values are just plain off.
The
Brandon Mercer wrote:
Ok, I have quite possibly the most trivial question ever. Didn't see
mention of it in the archives, but I know it's been done in fact,
I've done it before, but I'm having FITS making it work now. I've got
my PF firewall with $external and $internal. Behind that