Re: Will this work with PF?

2003-02-07 Thread Laurent Cheylus
NATed hosts. Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Will this work with PF?

2003-02-10 Thread Laurent Cheylus
=104473518402730w=2 for details. Thanks Daniel for your work on PF. A++ Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: pf rules and some confusion

2003-02-13 Thread Laurent Cheylus
resolution ? Thx, Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: pf default deny problem

2003-02-26 Thread Laurent Cheylus
by 'block in on $ext_if all' rule. Read 'man pf.conf' more carefully, and the STATEFUL INSPECTION section, to understand the 'keep-state' option. A++ Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: IPSec client behind an OBSD router

2003-02-26 Thread Laurent Cheylus
it in the open-source world (Linux...). A++ Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: PF MAC Filter

2003-02-26 Thread Laurent Cheylus
? Be careful with bridge mode: a good configuration is difficult and may be a source of problems. Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: route-to

2003-03-09 Thread Laurent Cheylus
CONNECTIONS for your configuration). Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Firewall statistics

2003-07-07 Thread Laurent Cheylus
to graph number of entries in the state table, blocked packets, bytes in, bytes out... See 'man 4 pfstat' and http://www.benzedrine.cx/pfstat.html for details and examples. A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Blocking Problem

2003-09-09 Thread Laurent Cheylus
filter : - an incoming IP packet hits the interface - the IP stack passes the packet to the packet filter for analysis. In your case, the IP packet (TCP SYN of Blaster worm, probably) hits your external interface (trace of 'tcpdump'), then PF, with your rules, blocks this packet. A++ Foxy -- Laurent Cheylus

Re: VPN query...

2003-09-19 Thread Laurent Cheylus
-source.arkoon.net or SuperFreeswan on http://ww.freeswan.ca). A++ Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Detection of pf rules changes ?

2003-10-21 Thread Laurent Cheylus
Hi, for a logging tool, I need to fill a buffer with the textual description of the loaded pf rules (identical to 'pfctl -sr' output). But if the pf rules are changed, I need to update my buffer dynamically. Is there a solution to know when a PF ruleset is modified? A++ Foxy -- Laurent Cheylus

Re: Binat on more than one internal ip

2003-11-05 Thread Laurent Cheylus
external IP -- 1 internal for all ports - rdr = IP translation for one or a range of ports : external IP port - internal IP port. Why do you want to use 'rdr' for your need? A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: pf with any l7 patches or ability?

2003-11-05 Thread Laurent Cheylus
not a packet for POP3 exchange A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: ALTQ/PF throttling?

2003-11-18 Thread Laurent Cheylus
create state are dropped, until existing states time out. Example : pass in proto tcp all port www flags S/SA keep state max 100 A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Use of MSN through OpenBSD gateway

2003-12-31 Thread Laurent Cheylus
/nmproxy.html A++ Laurent -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Problem with log for loopback address

2004-01-09 Thread Laurent Cheylus
nets according to RFC 1918) but no packets logged with those rules !!! Some bug on PF or an error in my configuration that I don't understand :-( Thx, Foxy. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Problem with log for loopback address

2004-01-09 Thread Laurent Cheylus
. -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Problem with log for loopback address

2004-01-12 Thread Laurent Cheylus
!!! A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Prevent passive fingerprinting

2004-02-06 Thread Laurent Cheylus
pf scrub / modulate option or such). A++ Laurent -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: benchmarking pf in an rfc3511 way

2004-03-22 Thread Laurent Cheylus
rate. A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: how can cheap routers do it?

2004-07-12 Thread Laurent Cheylus
and use a VPN client compatible with NAT-Traversal. In PF conf, you must allow incoming connections on UDP ports 500 and 4500. A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: connect to vpn behind openbsd firewall

2004-11-12 Thread Laurent Cheylus
-Traversal : - isakmp exchanges on UDP/500 - encapsulation of ESP in UDP port 4500 A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Pf redirection problem

2004-11-12 Thread Laurent Cheylus
. If it does not work, please send your pflog for incoming connections for outside with : tcpdump -nvei pflog0 A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: ftp throu transparent filtering bridge

2004-11-23 Thread Laurent Cheylus
Iptables ftp_conntrack). That's why there is a userland ftp-proxy in OpenBSD. PF devs don't like application (OSI layer 7) connection tracking: for needs like that, a userland proxy is the solution (according to their opinion). A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Help with Emule

2004-12-23 Thread Laurent Cheylus
state'. I have the same rules to use Emule/Amule on an internal host and I have no problems (connection on server and HighID). A++ Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: PF and LAND attack.

2005-03-10 Thread Laurent Cheylus
to test). Test if src.ip = dst.ip is very, very difficult to implement ;-) Foxy -- Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2

Re: Does OpenBSD 4.4 PF ALTQ supports HFSC?

2009-01-26 Thread Laurent Cheylus
Hi, On Fri, Jan 23, 2009 at 11:12:42PM +0800, Pui Edylie wrote: From the website http://www.openbsd.org/faq/pf/queueing.html It says it only supports FIFO, CBQ and PRIOQ Yes, pf supports HFSC (Hierarchical Fair Service Curve) for queuing. Extract from man pf.conf

Re: CBQ download limits failed...

2009-11-11 Thread Laurent Cheylus
Hi, On Wed, Nov 11, 2009 at 05:26:06PM +0100, Jordi Espasa Clofent wrote: # 5. Queueing # ISP1 queues, 10MBps (...) # web i prog_sistemes !my_networks pass in quick on $int_if route-to \ ($ext_if2 $ext_gw2) \ proto { udp, tcp } from { $web $prog_sistemes } to any keep state \

Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Laurent Cheylus
Hi, On Fri, Dec 18, 2009 at 03:40:36PM +, Jim Flowers wrote: To lock down services (particularly ssh) as tightly as possible, I like to allow administrative access to a firewall only from specific ip addresses. Unfortunately, some of the administrators are working from dynamic ip