NATed hosts.
Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
=104473518402730w=2 for details.
Thanks Daniel for your work on PF.
A++ Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
resolution ?
Thx, Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
by the 'block in on $ext_if all' rule.
Read 'man pf.conf' more carefully, especially the STATEFUL INSPECTION section, to
understand the 'keep state' option.
A++ Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
it in the open-source world (Linux...).
A++ Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
?
Be careful with bridge mode: a good configuration is difficult and may be a
source of problems.
Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
CONNECTIONS
for your configuration).
Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
to
graph the number of entries in the state table, blocked packets, bytes in, bytes out...
See 'man 4 pfstat' and http://www.benzedrine.cx/pfstat.html for details and
examples.
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
filter:
- an incoming IP packet hits the interface
- the IP stack passes the packet to the packet filter for analysis
In your case, the IP packet (a TCP SYN of the Blaster worm, probably) hit your
external interface (seen in the 'tcpdump' trace), then PF, with your rules, blocked this packet.
A++ Foxy
--
Laurent Cheylus
-source.arkoon.net or SuperFreeswan on http://ww.freeswan.ca).
A++ Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
Hi,
for a logging tool, I need to fill a buffer with the textual description of the
loaded pf rules (identical to the 'pfctl -sr' output).
But if the pf rules are changed, I need to update my buffer dynamically. Is there a
way to know when a PF ruleset is modified?
A++ Foxy
--
Laurent Cheylus
external IP -- 1 internal for all ports
- rdr = IP translation for one port or a range of ports: external IP:port -> internal
IP:port
Why do you want to use 'rdr' for your need?
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
not a packet for POP3 exchange
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
create state are dropped, until existing states time out.
Example:
pass in proto tcp from any to any port www flags S/SA keep state (max 100)
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
/nmproxy.html
A++ Laurent
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
nets according to RFC 1918) but no packets are logged with
those rules!!!
Some bug in PF, or an error in my configuration that I don't understand
:-(
Thx, Foxy.
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
!!!
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
pf scrub / modulate option or such).
A++ Laurent
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
rate.
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
and use a VPN client
compatible with NAT-Traversal.
In the PF configuration, you must allow incoming connections on UDP ports 500 and
4500.
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
-Traversal:
- ISAKMP exchanges on UDP/500
- encapsulation of ESP in UDP port 4500
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
.
If it does not work, please send your pflog for incoming connections from
outside, captured with: tcpdump -nvei pflog0
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
Iptables
ftp_conntrack). That's why there is a userland ftp-proxy in OpenBSD.
PF devs don't like application (OSI layer 7) connection tracking: for
needs like that, a userland proxy is the solution (in their
opinion).
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
state'.
I have the same rules to use eMule/aMule on an internal host and I have
no problems (connection to the server and HighID).
A++ Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
to test).
Testing if src.ip = dst.ip is very, very difficult to implement ;-)
Foxy
--
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2
Hi,
On Fri, Jan 23, 2009 at 11:12:42PM +0800, Pui Edylie wrote:
> From the website http://www.openbsd.org/faq/pf/queueing.html
> It says it only supports FIFO, CBQ and PRIOQ
Yes, pf supports HFSC (Hierarchical Fair Service Curve) for queuing.
Extract from man pf.conf:
Hi,
On Wed, Nov 11, 2009 at 05:26:06PM +0100, Jordi Espasa Clofent wrote:
> # 5. Queueing
> # ISP1 queues, 10MBps
> (...)
> # web i prog_sistemes !my_networks
> pass in quick on $int_if route-to \
>     ($ext_if2 $ext_gw2) \
>     proto { udp, tcp } from { $web $prog_sistemes } to any keep state \
Hi,
On Fri, Dec 18, 2009 at 03:40:36PM +, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow administrative access to a firewall only from specific ip addresses.
> Unfortunately, some of the administrators are working from dynamic ip