Tiv wrote:
I'm no expert, but unless you intend to block ICMP messages,
you just might want to use something like this...
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
If you can't ping/arp a host (icmp disabled), I'd think
On Tuesday 26 September 2006 12:04, Gergo Szakal wrote:
No, I never had to explicitly allow ICMP on any of my firewalls, because
stateful filtering takes care of internet connection messaging protocol
as well. I only had to explicitly allow echo requests and echo replies.
Otherwise I would
Emiel Kollof wrote:
I would definitely allow ICMP, because ICMP is just necessary. If you don't
want ping to work, just disallow icmp echo and reply.
Again: that config works on OpenBSD 3.8, just we cannot ping, but other
ICMP works. This is from the PF users' guide:
'Another advantage of
Emiel, I tried your idea and that one does not work either.
I think I fixed it. Here is the relevant config piece:
-
int_if=sk1
ext_if=sk0
tcp_opts="flags S/SA modulate state"
# omitting previously mentioned config options
# default block policy
block in log all
block out log all
#
Gergo Szakal wrote:
Followed the advice here:
http://leaf.dragonflybsd.org/mailarchive/users/2006-05/msg00148.html
and tried to pass thru the traffic of the whole dormitory but it does
not seem to pass packets (even with PF disabled). With OpenBSD 3.8, I
have done the same
Bill Hacker wrote:
OK - do you mean to:
- route, NAT, DHCP share a connection for (all those folks)?
- firewall/filter for them?
- proxy some service(s)?
- electronically vampire-tap their traffic?
Or what?
FWIW, a 'bridging' arrangement is often one of the hardest-working ways
to do
Gergo Szakal wrote:
...and I am also sick tired of OpenBSD.
I confess in advance that this is a mild troll
Is your sickness caused by technical problems, or
perhaps some kind of difficulty with politics or
personalities?
walt wrote:
Gergo Szakal wrote:
...and I am also sick tired of OpenBSD.
I confess in advance that this is a mild troll
Is your sickness caused by technical problems, or
perhaps some kind of difficulty with politics or
personalities?
Both (don't wanna explain here, it would be OT). And that
Gergo Szakal wrote:
walt wrote:
Gergo Szakal wrote:
...and I am also sick tired of OpenBSD.
I confess in advance that this is a mild troll
Is your sickness caused by technical problems, or
perhaps some kind of difficulty with politics or
personalities?
Both (don't wanna explain here,
walt wrote:
Your technical skill has been obvious all along
Hehe, you haven't read through my posts carefully enough then. :-P
you demonstrate political ability as well.
Kinda belongs to my profession.
Argh, I tracked down the problem to pf itself.
With this ruleset it works:
--
int_if=sk0
ext_if=sk1
intnet="{xxx.xxx.118.64/26,xxx.1xxx14.118.224/27}"
tcp_opts="flags S/SA modulate state"
# Options: tune the behavior of pf, default
Gergo Szakal wrote:
Argh, I tracked down the problem to pf itself.
With this ruleset it works:
--
int_if=sk0
ext_if=sk1
intnet="{xxx.xxx.118.64/26,xxx.1xxx14.118.224/27}"
tcp_opts="flags S/SA modulate state"
# Options: tune the