What a fine pile of excrement you all are. Been dealing with UNIX machines for
over 25 years and never ran into a bunch of assholes like you guys.
On Wed, Jan 05, 2011 at 08:42:03PM -0800, Bonnie Packet wrote:
So my question is, again how regular packets from the Net pass out to
the wireless network over rl0. Is this somehow a function of the NAT
rules that I don't understand? Or something to do with established TCP
connections being
On Thu, Dec 30, 2010 at 09:48:52PM -0800, Jonathan Rogers wrote:
Trying to set up a new telco fiber connection on my OpenBSD router/
firewall (this is an OLD box with OpenBSD 3.8 on it...sorry). I can't
put the new telco connection live as the default yet, because it will
affect all users
* Jonathan Rogers thatseattle...@gmail.com [2011-01-04 02:30]:
If I had the option of installing a more recent OS I would have done
that, and I would not have posted the question. v3.8 help was
explicitly asked for. A reply of form well, on a higher version of
the OS there are other ways to do
... per your other thread also ...
Sorry to point out the obvious but 3.8?
Can you install 4.8?
# cat hostname.pppoe0
pppoedev vr0
authproto chap
authname 'username'
authkey 'password'
up
inet 0.0.0.0 255.255.255.255
dest 0.0.0.1
!/sbin/route -v add -inet default -ifp pppoe0 0.0.0.1
As far as
Trying to set up a new telco fiber connection on my OpenBSD router/
firewall (this is an OLD box with OpenBSD 3.8 on it...sorry). I can't
put the new telco connection live as the default yet, because it will
affect all users, and I need to do some testing first. But I'm not
quite sure I
is saturated
enough to mess with the carp protocol.
On a related note, the ifstated daemon on the backup
firewall did not pick up on the fact that it became
master. Appended is the configuration. Should I
discuss this problem on the openbsd misc list or
is it related to my demotion counter problem
Ilya A. Kovalenko wrote:
Hmm, maybe, I'm, truly, too stupid to work with PF ...
I'll re-test it on a clean environment and write to the list.
Hi Ilya
Would you mind posting your entire config file(s) verbatim.
Also post what version and is it current, release, stable that you are
referring
not have
bothered at all.
I beg your pardon, these little things annoy me sometimes.
Thank you for answer.
anyway. you know how things work: if you miss sth, you send a diff.
yes, indeed :)
Hello,
Yesterday, my mail wasn't explicit. Sorry.
Architecture:
Internet
PF firewall on FreeBSD 5.5
DNS server (bind 9)
This is now a firewall in production: DNS host has 100 packets per second,
there is a mail server with 700.000 smtp hits per day, 'pfctl -si' shows
Looks like the blocked packets were IP fragments. For stateful
filtering, IP fragments must be reassembled, try adding
scrub in fragment reassemble
at the top of your ruleset.
Daniel
rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021
This makes inbound packets destined to port 21 on your box go to the
proxy. But they'll be blocked because you don't have a pass rule
anywhere to allow them.
block drop in log quick on $extif from $privnets to any
::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pfsync0: flags=0 mtu 2020
i can surf and telnet; i took out the quick keyword but i'm still only
logging rule 4. i'm still new at tcp/ip and services so how do i make an
exception to my isp's dhcp server? you can see from above
i'm running freebsd 5.4 with only one nic(single user until i get a
router) so i don't think i can do nat. i've had no luck in getting the
damn thing to ftp. i added to the /etc/inetd.conf file the line
ftp-proxy:
stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
and my /etc
is in the 10.mumble range too?
if so,
block drop in log quick on $extif from $privnets to any
block drop out log quick on $extif from any to $privnets
means you are dropping your own traffic.
also, if you make every rule a quick rule, you are not making debugging
any easier.
you could try my
My company is using FreeBSD for two major applications: our file servers
(via Samba), which aren't the subject of this message; and the routers
between branches. Some background follows.
We have essentially two types of branches - Type A, with their own cable
internet connections, and Type B
I'm getting closer.
This is what I think I want. Is there a problem with it?
---
# macros
int_if = rl0
ext_if = ne1
tcp_services = { 22, 113 }
bad_services = { 137, 138, 139, 445 }
icmp_types = echoreq
table <private> const \
{ 127/8, 10/8, 172.16/12, 192.168/16,
ok, i've done some more investigating. i thought some tables were gone,
but they weren't. in fact, i thought my old anchors were gone, but they
weren't. i'm used to stale rules, tables, macros, being deleted when i
reload the ruleset.
this is a weird problem now. there are anchors (visible
i'm trying to convert a lot of my ruleset to anchors with
interface/direction/etc for speed (kind of like you'd do
with iptables and jumping between chains to avoid evaluating
unnecessary rules). so far it seems to be working well, and
i'm avoiding the evaluation of at least 50 rules on average
steve h wrote:
- i create a table foo in the main ruleset and stick
10.0.0.0/24 in it. i pass in from foo in an anchored ruleset.
the rule does not match. shouldn't tables in a 'parent' anchor
ruleset be global?
Yes. That's likely a bug. Please make a testcase.
there are some tables i
Russell Fulton [EMAIL PROTECTED] writes:
Yet another illustration of the rule that one should post config files
when asking questions.
simply exposing your rule set to a fresh set of eyes sometimes has
wonderful problem solving capability. seriously, the real risk of
embarrassment along the
[In a message on Thu, 07 Apr 2005 12:58:22 +1200,
Russell Fulton wrote:]
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know if
there is something wrong with our set up or if this is expected
behaviour.
On Thu, 7 Apr 2005, Russell Fulton wrote:
I am seeing packets being dropped by pf that should not traverse the
bridge at all (i.e. packets between hosts that are on the same side of
the bridge). After a little thought I came to the conclusion that this
is quite plausible since the filtering
-Original Message-
From: Russell Fulton [mailto:[EMAIL PROTECTED]
Sent: jeudi 7 avril 2005 2:58
To: pf@benzedrine.cx
Subject: Still no answer on my bridge question
Hi,
Earlier I posted a note here asking about the order of
processing incoming packets on a bridge with pf. I would
Thanks Sean!
On Wed, 2005-04-06 at 19:36 -0700, Sean Kamath wrote:
[In a message on Thu, 07 Apr 2005 12:58:22 +1200,
Russell Fulton wrote:]
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know if
there
On Thu, 2005-04-07 at 12:58 +1200, Russell Fulton wrote:
I am seeing packets being dropped by pf that should not traverse the
bridge at all (i.e. packets between hosts that are on the same side of
the bridge). After a little thought I came to the conclusion that this
is quite plausible since
Hi,
Earlier I posted a note here asking about the order of processing
incoming packets on a bridge with pf. I would really like to know if
there is something wrong with our set up or if this is expected
behaviour.
I am seeing packets being dropped by pf that should not traverse the
bridge
protocol id(0x1)
14:06:00.754626 802.1d unknown protocol ver(0x2)
14:06:02.751742 802.1d unknown protocol ver(0x2)
14:06:04.752043 802.1d unknown protocol ver(0x2)
14:06:06.728593 arp who-has grfire.grdesign.it tell 192.168.205.246
Why can I see these ARP requests?
192.168.205.0 is my internal network
Renato wrote:
Why can I see these ARP requests?
192.168.205.0 is my internal network and I don't want someone from the
external network to be able to look at my internal addresses ...
Renato,
As far as I know (and from what I've read) this is normal and nothing
to be alarmed about. Also, I think
Hi Peter,
I am a newbie as well, but after some time banging my
head against walls I came up with my own 'silly'
pf.conf rules. I have included my rules at the end of
this email. I removed the extra rules (I think all of
them) and all you have to do is change the variable
names to whatever you
On Wed, Jan 19, 2005 at 02:07:10PM -0700, R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can
use the internet now, however it won't resolve host names properly. For
example, it wouldn't connect to www.google.ca but it would to 64.233.167.104
Same for IRC
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
Now to learn about making it an actual firewall :) Thanks guys for the help!
R.T.
R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can use the internet now, however it won't resolve host names properly. For example, it wouldn't connect to www.google.ca but it would to 64.233.167.104
Same for IRC, xchat wouldn't connect to eu.undernet.org
OOPS-
pf-r wrote:
where I've compliled a (now aging) list of
s/compliled/compiled
BTW, if anyone wants to submit pf.conf examples with accompanying 'pfctl
-sr' (or alternative) outputs for posting on the pf-r, visit #pf and
speak up.
-S
R T wrote:
Yeah, DNS wasn't set on the laptop, not too bright today. It's working fine now.
Now to learn about making it an actual firewall :) Thanks guys for the help!
R.T.
No problem, RT. Good luck.
rvb
Am Sonntag, 17. Oktober 2004 01:49 schrieb Joe:
It's not so much that I'm concerned about the attacks as I am about why
traffic is getting through that shouldn't be. After I added an IP to my
block list, some packets still got through (although most do not).
do a test with the following lines
this works just fine,
but in the past couple of days one IP still gets through (211.46.163.166) even
though it's in my bad_hosts table.
Looking through the pf log I see many attempts are indeed blocked by the
firewall. But some must get through because I get a few Failed password for
root from
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.
What's better about that than making the flags -Hole on the inetd
settings for
Lars Hansson wrote:
OpenBSD does this by default in inetd.conf.
Correction, it doesn't.
---
Lars Hansson
Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd. It's very simplistic; it
just returns a constant string for all ident requests. (It doesn't
appear to be in ports; I simply grabbed the source code from
On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd. It's very simplistic; it
just returns a constant string for all ident requests. (It doesn't
appear to be in ports; I simply
[EMAIL PROTECTED] wrote:
http://www.clock.org/~fair/opinion/identd.html
Thanks for giving a link that nicely illustrates my point about people
not understanding what ident does:
The upshot of these assumptions is that when your system contacts the
identd server of a remote system, you can trust
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
I changed the block-policy from return to drop. Now my ports except
113 are showing up as stealthed while testing from
http://www.grc.com/x/ne.dll?rh1dkyd2
The Port 113 was opened because the PF FAQ asked to open it for SMTP
Auth/Ident (TCP port 113
Hi Jason!
Thanks for the reply!
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
regards
Siju
On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
Not really. It can give a false sense of security, because you assume
the 'adaptive' part can't be tricked by the attacker.
, how else can it know if there's an existing relationship with the
remote server...?
Oliver.
--
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444
don't
know about IRC but you mentioned only SMTP on your side.
I've been running email servers for years now and never ran an identd. And my clients don't
have an identd running either. I don't think that you need this for smtp nowadays.
-volker
Siju George wrote:
I was using Zone Alarm before on a Windows 2000 Firewall. All its ports
were shown as Stealthed but still SMTP server access was possible!
So further digging I got this explanation from the website that
conducted the test.
Adaptive Stealthing means that when a TCP SYN packet
Thank you Oliver for the reply and explanation! It was very
informative. I'll also try the S/SAFR thing and see how it works!
God bless you
warm regards
Siju
I know that this is in the pf faq but I don't think that you really need it. I don't
know about IRC but you mentioned only SMTP on your side.
I've been running email servers for years now and never ran an identd. And my clients don't
have an identd running either. I don't think that you need
People who say identd is a source of severe information leakage do
not understand what ident does. If you feel paranoid, as I do, you can
always configure it to return random usernames.
---
Lars Hansson
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return
Siju George writes:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
http://www.clock.org/~fair/opinion/identd.html
per se, I have set up a number of firewalls in my day and have
perused a lot of sockets code, and frankly, I would be surprised if
anyone on this forum found they needed ident working for anything,
including irc. I seriously doubt this is true any more.
While the identd service is not *mandatory
On 28 Sep 2004 10:50:02 -0700, [EMAIL PROTECTED] wrote:
You don't
need it, nothing now depends on it,
Not quite correct. Certain smtp, ftp and irc servers come to mind.
--
SB: Wait, you mean the costumes themselves give you super powers?
MM: Of course! Why else would we fly around in
;)
Doubtful with IRC servers today. Although I'm not privy to the details
of IRC per se, I have set up a number of firewalls in my day and have
perused a lot of sockets code, and frankly, I would be surprised if
anyone on this forum found they needed ident working for anything,
including irc. I
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in their
computer owner's broadband NAT device.
That's what UPnP is for, isn't it?
SCNR,
Daniel
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed...
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in their
computer owner's broadband NAT device.
Yea, sure. I've seen *many* bots with identd running happily
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in
their computer owner's broadband NAT
Siju George wrote:
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to return random usernames? Or could you please give me a link
where I can learn that?
man identd, options -h and -H in particular.
OpenBSD does this by default in inetd.conf.
---
Lars Hansson
Volker Kindermann ([EMAIL PROTECTED]) wrote:
I'm running emailservers for years now and never ran an identd. And my
clients don't have an identd running either. I don't think that you need this
for smtp nowadays.
It's never been mandatory for SMTP. Some IRC servers do require it,
though
detaching the cross link cable - but i can't work on the console
because both machines are getting unresponsive ).
On sis2 there is nothing else running
Here is my interface config on machine A:
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:92
media
On Tue, 18 May 2004, Johan Fredin wrote:
Try 'ifconfig pfsync0 up' on both machines.
I obviously didn't read Wolfgang's post as carefully as I should have. I'm
very sorry for this unnecessary mail, please ignore it.
/Johan
On Tue, 18 May 2004, Wolfgang Pichler wrote:
pfsync0: flags=0 mtu 1348
pfsync: syncif: sis2 maxupd: 128
pfsync0: flags=0 mtu 1348
pfsync: syncif: sis2 maxupd: 128
Try 'ifconfig pfsync0 up' on both machines.
'echo up syncif sis2 > /etc/hostname.pfsync0' to make it happen at
else running
Here is my interface config on machine A:
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:24:c1:c7:92
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.254.254 netmask 0xff00 broadcast
hi, i've created my first pf.conf file, and was
wondering if it can be optimized more, this pf.conf
was made by looking at other pf.conf file, i've also
been having problems with dhcp leases
here is what the needs of the internal machine are:
ftp, ssh, smtp, dns, http, pop3, ntp, https,
aim(5190
with:
nat on $ext_if inet from 192.168.0.0/16 to any -> {$ext_if}
I can't find this in the manpage. It is either there or here,
http://www.openbsd.org/faq/pf/index.html
-c
On Tue, 21 Oct 2003 10:37:15 -0700 (PDT)
Ryan [EMAIL PROTECTED] specifically said:
hi, i've created my first pf.conf file
Ok...Narrowing down the problem here.
The problem, obviously, is with my rules.
I can SSH to the box from my intranet only.
My rules are allowing port 25 in, and it seems, nothing else.
The problem is when postfix tries to relay mail to my internal mail server.
When the rules are up, mail cannot
...that would allow
traffic from that interface to the internal mail server, correct?
I have no idea what .100 is. I'm not even sure what 10.0.1/24 is anymore.
Let me give that a shot and see what happens.
Thanks for turning the light bulb on in my head. :)
Guy, this is not at all what I had in mind
I keep locking myself out the box. heheheh
Here is what I have: I have an OpenBSD Mail gateway on my DMZ. I want to
only allow SMTP connections coming from my firewall, but allow SSH
connections coming from my intranet.
My subnets:
DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:
# Define
pass out on fxp0 proto icmp all keep state
I can telnet to port 25 on it and it works. denied on all other ports so far.
I can SSH from my intranet...
I'm happy. :)
Anyone care to make any comments or suggestions?
Thanks.
Jason
At 03:22 PM 9/30/2003 -0700, you wrote:
I keep locking myself out
Hello everyone.
I had a question about a setup that I am working on at work and was hoping
to get some feedback here as to whether or not my setup will work.
Here it is:
I have setup a Mail Gateway on our DMZ running OpenBSD 3.3 with Postfix. I
have also setup PF on the mail gateway as to add
I tried to set up queueing based on the faq and website. But I just can't get
it to work. Downloading is great but as soon as I start to upload my speed
drops way down to about the same speed as the upload. I have played around
with the queue statements and bandwidth settings but no luck. I am
hi!
Follow is my network.
rl0
xl0 ||-- DMZ(webserver, dns, ftp)
router--| OBSD3.2 |
||-- client
rl1
Problem is my webserver (win2000). This webserver has 3 sites.
my pf.conf
On Sun, Mar 30, 2003 at 10:15:50PM +0900, dreamer wrote:
If I telnet to my webserver, I can connect to port 80.
ex) telnet www.xxx.xx.xx 80
GET / HTTP/1.0
=> I get "page not found"!
The problem is not with pf or the redirection, but name based virtual
hosting at the web server. If you
I would like to know what I can do to improve my firewall ruleset. This exact set
protects my own internal LAN (8 computers), and includes P2P rules. I have similar
rulesets protecting other networks I have worked on, none with more than 300 clients
though.
# pF.conf working for Wall
Two things: One is a question regarding scrub and
the other is a request for comments on my pf ruleset (If someone has actually
started using something like wiki then a pointer in that direction would be nice
too :)
First my goals and circumstances for my
ruleset:
I have an OpenBSD
the packets silently or respond w/ rsts
and wouldn't it be nice to be pingable.
If you keep your pingable however I would disable icmp timestamps
net.inet.icmp.tstamprepl=0
Hope this was somewhat useful.
-James
My goals (other than to help prevent being hacked of course ;) are to stop
spoofed packets
wrote the rules the way I
did. I also used the flags in the block rules rather than the pass rules
to save having to add flags to each pass rule later on. Of course, if I
wanted to expand my flag blocking then I would need to add more block
rules like my flags A/A rule.
i'm not sure how a syn+fin
firewall's external interface...
They do however need a different gateway
address, where do I specify this? Is it something in my hostname.rl1 file?
Dan
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote:
In order to use these for NAT I obviously need to bind the addresses to our
firewall's external interface...
They do however need a different gateway address, where do I specify this?
Is it something in my hostname.rl1 file
Eek, that should keep be busy for a while :-~
-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 16:10
To: Dan Heaver
Cc: [EMAIL PROTECTED]
Subject: Re: adding a new subnet to my firewall
On Mon, Jan 13, 2003 at 03:11:36PM -, Dan Heaver wrote
paths to outside world, using 2.1.7.1/26 on xl2
or 2.2.8.1/26 on xl3, where my default route is on 2.1.7.1/26 gateway.
would like to leave 192.168/24 traffic on xl2 link (working by default)
and 2.2.8.64/26 on xl3. I tried the following rule in pf:
pass in quick on xl1 route-to xl3:200.211.81.1