Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2006-01-05 Thread Marcin Miksowski
On 12/31/05, ed [EMAIL PROTECTED] wrote: On Thu, 29 Dec 2005 14:41:38 +0100 Marcin Miksowski [EMAIL PROTECTED] wrote: Is there any solution to resolve my problems with carp? If it is necessary to show you more information on my current configuration, I will do everything that I

Re: OpenBGPD PF

2006-01-05 Thread jared r r spiegel
On Thu, Jan 05, 2006 at 03:18:22AM +0100, Sylwester S. Biernacki wrote: On Thursday, January 5, 2006, at 01:15:00, jared r r spiegel wrote: - establish session with A and learn about 1.2.3.4/30; 1.2.3.4/30 is written to pftable IX - establish session with B and learn about 1.2.3.4/30;

Re: OpenBGPD PF

2006-01-05 Thread Claudio Jeker
On Thu, Jan 05, 2006 at 06:46:54AM -0500, jared r r spiegel wrote: On Thu, Jan 05, 2006 at 03:18:22AM +0100, Sylwester S. Biernacki wrote: On Thursday, January 5, 2006, at 01:15:00, jared r r spiegel wrote: - establish session with A and learn about 1.2.3.4/30; 1.2.3.4/30 is written

setting up pfsync and carp

2006-01-05 Thread Kilaru Sambaiah
Hello All, We have 3 systems connected to the net with ip addresses x.y.z/28 mask. We are planning to go with pf with carp and pfsync redundancy. We are planning to use two systems with 3 nic cards for this. We would like to have aliases for both the m/c listening to x.y.z/28 all ip

Re: setting up pfsync and carp

2006-01-05 Thread Jason Dixon
On Jan 5, 2006, at 3:18 PM, Kilaru Sambaiah wrote: unease. Carp interface can have aliases? Is it a good idea? What is the best way to go about it? Yes.
$ cat /etc/hostname.carp0
inet 10.0.0.2 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.3 255.255.255.0

Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2006-01-05 Thread Bill Marquette
On 1/5/06, Marcin Miksowski [EMAIL PROTECTED]
# cat /etc/hostname.carp0
inet 192.168.0.5 255.255.255.0 192.168.0.255 vhid 1 carpdev em1 advskew 1 pass 31337
# cat /etc/hostname.carp1
inet 111.111.111.13 255.255.255.0 111.111.111.255 vhid 2 carpdev em0 advskew 1 pass 31337
# cat

Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2006-01-05 Thread Marcin Miksowski
On 1/5/06, Karl O. Pinc [EMAIL PROTECTED] wrote: I have not been following your problem. You have net.inet.carp.preempt=1 in /etc/sysctl.conf? If not then that's likely your problem. (Then reboot or man sysctl.) Yes, I have preempt enabled: fw1: # sysctl net.inet.carp.preempt

blocking out an idiot on the network

2006-01-05 Thread tim
hullo, I have a very simple problem but sadly I'm too brainless to figure it out. There's an idiot on our network who refuses to switch off his P2P. The outward port blocking solution is not a popular one. Thus, what I want to do is to block out this idiot. He gets the same ip-number from

Re: blocking out an idiot on the network

2006-01-05 Thread Karl O. Pinc
On 01/05/2006 01:21:06 PM, tim wrote: hullo, I have a very simple problem but sadly I'm too brainless to figure it out. There's an idiot on our network who refuses to switch off his P2P. The outward port blocking solution is not a popular one. Thus, what I want to do is to block out this

Re: blocking out an idiot on the network

2006-01-05 Thread Jon Simola
On 1/5/06, tim [EMAIL PROTECTED] wrote:
# grr, this bit isn't working
block out quick on $ext_if from $idiot to any
block out quick on $int_if from $idiot to any
Blocking out on $ext_if is done post-NAT after the source IP changes, so do all the blocking on the internal interface: block out

Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2006-01-05 Thread Marcin Miksowski
hello, I noticed in your original email that fw2 had advskews of 10's and 100's. This suggests that CARP may not be set up the way you think it is (based on the advskew 240 in the hostname files). The difference appeared when I was testing various configurations. Now I have advskew equal on

Re: blocking out an idiot on the network

2006-01-05 Thread Bryan Irvine
# grr, this bit isn't working
block out quick on $ext_if from $idiot to any
wrong interface.
block out quick on $int_if from $idiot to any
wrong direction. :-)
--Bryan
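The ruleset Jon Simola and Bryan Irvine are pointing at (filter the host inbound on the internal interface, not outbound on either interface), written out as an added example in OpenBSD 3.8-era pf.conf syntax. It is not code from the thread; the interface names, the LAN prefix and the host's address are assumptions.

```pf
# /etc/pf.conf fragment: added example, not from the thread. Interface
# names, the LAN prefix and the host's address are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
idiot  = "192.168.1.50"      # the address the DHCP server keeps handing him

# Outbound NAT rewrites the source address of LAN traffic to the external
# address. NAT is applied before the "out" rules on $ext_if are evaluated,
# which is why "from $idiot" can never match there.
nat on $ext_if from $lan to any -> ($ext_if)

# Wrong interface: on $ext_if the packet's source is already ($ext_if).
#   block out quick on $ext_if from $idiot to any
# Wrong direction: his packets come *in* on $int_if; "out" on $int_if only
# sees replies heading back into the LAN.
#   block out quick on $int_if from $idiot to any

# Default deny; in pf the last matching rule wins unless it says "quick".
block all

# Right: inbound on the internal interface, before NAT, where the original
# source address is still visible. "quick" stops evaluation so the pass
# rule below cannot let him through, and no state is ever created, so
# replies arriving on $ext_if have nothing to match. "return" sends a TCP
# RST / ICMP unreachable instead of silently dropping.
block return in quick on $int_if from $idiot to any

# Everyone else on the LAN still gets out (keep state is not the default
# in 3.8, so say it explicitly).
pass in on $int_if from $lan to any keep state
pass out on $ext_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf and confirm the rule is being hit with pfctl -vsr. The block is only as durable as the host's address: pf in 3.8 filters on IP, not on MAC, so if his DHCP lease ever changes the rule has to follow it.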

Re: Will pf write to a file

2006-01-05 Thread Cédric Berger
The timestamp is reset when you flush and reload the table with
# pfctl -t bruteforce -Ts /etc/bruteforce
# pfctl -t bruteforce -Tf
# pfctl -t bruteforce -Ta -f /etc/bruteforce
Hmm, that's bad that there is no way to clear address stats without flushing the table.
Actually, there is a

Recording statistics for PF...

2006-01-05 Thread Forrest Aldrich
Coming from FreeBSD's ipfw2, I've been accustomed to having a timestamp (ie: ipfw -t) that allowed me to measure hits on a given IP/block/rule. This isn't available with PF (though I think it would be a good idea). I maintain (as an example) a couple of tables that include spam IPs and other

Re: Recording statistics for PF...

2006-01-05 Thread eric
On Thu, 2006-01-05 at 22:30:40 -0500, Forrest Aldrich proclaimed... Coming from FreeBSD's ipfw2, I've been accustomed to having a timestamp (ie: ipfw -t) that allowed me to measure hits on a given IP/block/rule. This isn't available with PF (though I think it would be a good idea). I