Hi Alejandro:
I'm not aware of a pfSense book, but if you want a book on PF, there is:
The OpenBSD PF Packet Filter Book
Editor: Jeremy C. Reed
Publisher: Reed Media Services
ISBN: 978-0-9790342-0-6
Regards,
Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost
Hello Danielisz:
I'm sending you my pflog captured while I try to connect, maybe
somebody will figure out something:
# tcpdump -i rl0 -n port 548
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96
-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
questi...@freebsd.org] On Behalf Of Brian McCann
Sent: Tuesday, November 24, 2009 3:03 PM
To: freebsd-questions
Subject: pf nuttyness
I'm at the end of my rope here with PF. I have a ruleset
Hello Steve:
I'll try to answer your questions in line.
snip
Another approach would be a cluster of Postfix servers and Dovecot
servers behind PF load balancers. We have 3 POP servers
(IMAP/POP), 9
Mail Servers, 2 Defer servers and 5 Filter servers that process over
20
million
-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
questi...@freebsd.org] On Behalf Of Steve Bertrand
Sent: Wednesday, September 16, 2009 7:09 AM
To: Matthew Seaman
Cc: questi...@freebsd.org
Subject: Re: New mail server setup
Matthew Seaman wrote:
Hello:
I'm having reachability problems with a CARP interface set up on two 7.1
boxes with an uplink to Cisco routers. However, the inside CARP address
on the same set of PF boxes are reachable with no trouble. Here's the
config.
Cisco Cisco
HSRP Gateway
|
is there a way to have FreeBSD work as BGP router and/or at least
failover between 2 different ISPs?
I, as some random guy on the Internet, would recommend Quagga and, yes, it will
work with 2+ ISP's on single device (server). It's well established and in use
for transit-facing Internet
,
but the 192.168.1.x addresses don't work. I've tried setting the vlan id
on the vSwitch to none and to 22, but in neither of the two cases does
it work.
[Michael K. Smith - Adhost]
You will need to make sure the switchport facing your server is set to
802.1Q trunk and has VLAN 22 allowed
Hello Eric:
Hi everyone,
Can you provide a little more information about your topology? Right now, you
only have one interface defined in your rules, but you are attempting to pass
traffic between two subnets. That would suggest you have two interfaces and,
if so, both need to be accounted
I also forgot to mention:
You should probably log your block rule so that you can see what's going on if
things don't work as expected.
So:
block in log on $ext_if
Note the lack of quick as well, as previously mentioned.
With logging enabled, provided you have pflog running (which you
** Apologies to folks already subscribed to p...@freebsd.org. This was posted
there as well but I'm not getting any responses at all so I thought it best to
post it here as well. **
We are having memory issues with PF and 7.1p2 that we didn't experience with
6.3. Here's what happens.
#
The term coined for this type of mail is backscatter.
There is no easy solution for this. The backscatter article on
postfix.org, for example, caused our mail servers to start rejecting
mail that was generated from PHP scripts and CGIs on our own systems,
which makes no sense. The
Hello All:
We are running the following:
- FreeBSD 6.3 Release #1
- PF
- pftpx for our ftp proxy
We have several ftp servers of different flavors behind the PF firewalls and we
are getting a lot of the following when users are trying to connect using
passive mode.
Server sent passive reply
Hello All:
We have a load balanced pair of PF boxes sitting in front of a whole bunch of
server doing all manner of things! It's been working great up until today when
it, well, didn't. Here's what I see in top -S.
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU
Excuse me for jumping in on this thread, I'm only just starting to look
into IPv6 for myself.
My ISP has informed me that it doesn't support IPv6 yet, and won't for
some time. I have a DNS server and sites on IPv4, but I'd like to be
able to support IPv6- does the fact that my ISP doesn't
Hello David:
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Naylor
Sent: Thursday, September 11, 2008 1:49 PM
To: freebsd-questions@freebsd.org
Hello All:
I'm interested in making my messages file more likely to survive a hacking
attempt and I've set the sappend flag to that end. It would be nice if
syslog-ng could actually rotate the logfile since it gets quite large, but the
sappend flag seems to prohibit that from happening. Is
Hello Catalin:
snip
Michael Smith [EMAIL PROTECTED] wrote:
On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
Michael Smith wrote:
Hello All:
I am trying to configure a round-robin group of Name Servers
that
respond on to and from a single address.
Hello All:
Thanks to everyone for the hints on carp_alias interfaces. On a second note,
we are implementing 802.1Q trunked interfaces. So, our pre-vlan configuration
is:
$ext_if=em1
And an associated NAT rule is:
nat on $ext_if from $mail_in01_int to any -> $mail_in01_ext
With the addition
Hello All:
I'm interested in using PF to front a web farm where there will be lots of
static IP addresses for SSL affinity. As such, I expect to have many more than
255 CARP interfaces. But, as I understand it, I'm limited to 255 vhid's and I
have to have a discrete vhid per CARP interface.
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Josh Carroll
Sent: Tuesday, November 27, 2007 8:12 AM
To: Ted Mittelstaedt
Cc: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: Re: Help for very bad perf for MySQL
Is
Hello All:
We're getting a ton of these.
+Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52655 flags:0x02
We've basically allowed all traffic to and from 127.0.0.1 in our
ruleset, but nothing seems to work. Does anyone have a magic bullet to
make this go away?
Thanks for any help!
Hello Nikos:
-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 18, 2007 9:30 AM
To: freebsd-questions@freebsd.org
Cc: Michael K. Smith - Adhost
Subject: Re: Odd PF Denied Message
On Thursday 18 October 2007 17:59:49 Michael K. Smith
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 18, 2007 11:52 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: Re: How To Change Email Addr?
Hello All:
Is there a way on the server side to have the output from the Security
Run and the Daily Run to go to separate email addresses? We have a
gihugic number of servers sending everything to a single address and I'd
like to be able to parse out the Security reports by from address
rather
Hello Lisandro:
You can try this from a command prompt.
netsh interface teredo set state disabled
That disables teredo for the entire system. I don't think you can just disable
it for the browser.
Regards,
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
Hello Lisandro:
Sure, here's the output from a Vista laptop and ping.
C:\>ping www.freebsd.org
Pinging www.freebsd.org [2001:4f8:fff6::21] from 2001:468:1420:f:5872:c1f6:31bd:
2608 with 32 bytes of data:
Reply from 2001:4f8:fff6::21: time=144ms
Reply from 2001:4f8:fff6::21: time=142ms
Reply
Hello All:
I'm curious if there is any timeline for the correct display of IPv6
addresses in various displays. In particular, I'm interested in being
able to see a full address in 'who' and 'netstat' so I can track
connections to the server. Presently, the display shows:
[EMAIL PROTECTED] ~]$
Hello Jeff:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Jeffrey Goldberg
Sent: Thursday, October 11, 2007 8:55 AM
To: freebsd-questions@freebsd.org
Subject: Different DNS responses depending on query source
The host that runs
Hello:
Try going to http://www.freebsd.org/releases/6.2R/announce.html in your
browser and select from any of the links there for ftp sites with the
ISO's.
Regards,
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of I am ws:ion
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of User Bobby
Sent: Thursday, August 30, 2007 2:32 PM
To: freebsd-questions@freebsd.org
Subject: 4gb address space limitation for i386
I have an IBM xSeries 350 4xPIII with 5.5gb
Hello Mark:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Mark Messier
Sent: Friday, August 17, 2007 1:00 PM
To: FreeBSD Mailing List
Subject: performance hints (6.2)
I've got a freebsd 6.2 system, dual 2Ghz 5130 cpu, 4g ram,
Hello Laszlo:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Laszlo Nagy
Sent: Thursday, August 16, 2007 12:37 PM
To: Derek Ragona; freebsd-questions@freebsd.org
Subject: Re: Share folder over internet
You need to create a VPN
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello All:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Chuck Swiger
Sent: Monday, August 13, 2007 5:20 PM
To: Modulok
Cc: freebsd-questions@freebsd.org
Subject: Re: Redundant
Hello Some Person who may Be Robert
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Latitude
Sent: Wednesday, August 08, 2007 9:22 PM
To: freebsd-questions@FreeBSD.org
Subject: Convince me, please!
I'm interested in changing over
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Paul Fraser
Sent: Wednesday, August 08, 2007 3:47 PM
To: Narek Gharibyan
Cc: freebsd-questions@freebsd.org
Subject: Re: Wathdog Timeout HELP
Narek Gharibyan wrote:
Dear All,
Hello Martin:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of martinko
Sent: Thursday, July 12, 2007 5:28 PM
To: freebsd-questions@freebsd.org
Subject: Re: cannot log in via console, cannot su(1), only as root
Michael K. Smith
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of fbsd2
Sent: Wednesday, July 11, 2007 10:27 AM
To: Jeff Mohler
Cc: [EMAIL PROTECTED] ORG
Subject: RE: 10Mbps versus 100Mbps Cable Modems
Sure they have more than 10Mbps
Hello Huy:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Schiz0
Sent: Tuesday, July 10, 2007 7:13 PM
To: Huy Ton That
Cc: [EMAIL PROTECTED]
Subject: Re: sshd config config file question
On 7/10/07, Huy Ton That [EMAIL PROTECTED]
Hello Martinko:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of martinko
Sent: Saturday, July 07, 2007 4:36 PM
To: freebsd-questions@freebsd.org
Subject: Re: cannot log in via console, cannot su(1), only as root
martinko wrote:
Hello Andrew:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Andrew Falanga
Sent: Tuesday, June 19, 2007 10:01 AM
To: freebsd-questions
Subject: Configuring dhcp6
Hello,
Has anyone on this list used dhcp6 from ports? What's
Ok, I've got a couple of more questions. Why does the port not
install the command dhcp6sctl? This is mentioned in manual pages
like, dhcp6s(8), and so forth but doing a man dhcp6sctl returns that
no manual page exists. Also, I can't find the command either. Lastly
how do I generate
Hello Andy:
-Original Message-
From: Andrew Falanga [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 19, 2007 1:39 PM
To: Michael K. Smith - Adhost
Cc: freebsd-questions
Subject: Re: Configuring dhcp6
On 6/19/07, Michael K. Smith - Adhost [EMAIL PROTECTED] wrote:
Ok, I've
Hello:
snip
On 6/15/07, Joe Holden [EMAIL PROTECTED] wrote:
Wojciech Puchar wrote:
zsquid# traceroute www.freebsd.org
traceroute to www.freebsd.org (69.147.83.33), 64 hops max, 40
byte
packets
1 www.freebsd.org (69.147.83.33) 1.050 ms 0.970 ms 2.110 ms
very short times
Hello All:
Are there any physical limitations to the number of connections
(TCP/UDP) that are determined by the physical interface itself? We have
a PF load-balancing solution in place in front of a large number of mail
servers and we're considering using the same boxes to front our Name
Hello:
Devin Heckman wrote:
[snip]
Does anyone have any experience tuning NFS mounts on FreeBSD
machines?
[snip]
Here's what we use for mount options in /etc/fstab, basically culled
from the O'Reilly NFS book.
rw,tcp,intr,noatime,nfsv3,-w=65536,-r=65536
You have to be careful with
Hello All:
We have a system that was built with the amd64 source (uname -a below).
I was attempting to make a custom kernel and the make kept failing so I
decided to try the make against GENERIC. It fails at the same place in
GENERIC as the custom kernel. Here is the output. It's failing on
Hi:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Alex Zbyslaw
Sent: Thursday, May 17, 2007 9:09 AM
To: Michael P. Soulier
Cc: freebsd-questions@freebsd.org
Subject: Re: looking for ethernet errors, collisions
Michael P. Soulier
Hello All:
We have recently purchased an RSA SecurID Appliance and there are no
native libraries for *BSD OS's. I have downloaded and installed the
appropriate files within the Linux Compat environment, but I'm not
having any success making it work. Specifically, the key file in
question is
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Ray
Sent: Wednesday, April 18, 2007 11:16 AM
To: freebsd-questions@freebsd.org
Subject: completly remove (or modify) a port
Hello all,
I have been trying to work with postfix
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Sean Murphy
Sent: Wednesday, April 18, 2007 11:19 AM
To: freebsd-questions@freebsd.org List
Subject: Best Open Source software to backup Cisco switches and
routers
I am looking
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Frank Wissmann
Sent: Tuesday, April 10, 2007 12:52 PM
To: freebsd-questions@freebsd.org
Subject: Error with make buildworld
Hello all!
I'm having serious trouble with
Hello Jim:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Jim Stapleton
Sent: Monday, April 09, 2007 2:52 PM
To: freebsd-questions@freebsd.org
Subject: Verifying that I have SMP up and running
I added SMP to the kernel config, but
Leigh -- Shire.Net LLC wrote:
On Mar 6, 2007, at 5:08 PM, Michael K. Smith - Adhost wrote:
Have you looked at the output of 'netstat -i' to see if there are
interface errors? Also, have you looked at the switch-side interface
for errors, buffer problems, etc. (if that's possible)? Finally
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of RJ45
Sent: Tuesday, March 06, 2007 9:08 AM
To: freebsd-questions@freebsd.org
Subject: Kerberos authenticatino and ldap authorization
Hello,
I would like to use FreeBSD as a login
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Chad Leigh -- Shire.Net LLC
Sent: Tuesday, March 06, 2007 12:05 PM
To: User Questions
Subject: Re: started getting repeated bge0: PHY read timed out
messages
On Mar 6, 2007,
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Daniel Gerzo
Sent: Wednesday, February 28, 2007 3:52 PM
To: freebsd-questions@freebsd.org
Subject: pfctl: DIOCSETSTATUSIF
Hello pf,
I'm having the following problem:
Hello Don:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Don Munyak
Sent: Thursday, February 08, 2007 10:58 AM
To: FreeBSD Questions
Subject: Re: compiling error - /usr : filesystem full
Here's some additional Information I have
Hello:
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of freebsd
Sent: Wednesday, January 17, 2007 2:34 AM
To: FreeBSD Questions
Subject: Load balancing outgoing mail relay
Hi
I have a simple question but googling does not lead to
Hello All:
I've spent my entire FreeBSD life in /sys/i386 using Intel chips. We
have a new server with the AMD processor listed below and I'm wondering
if:
1) I should stay in /sys/i386 with different configuration variables; or
2) Compile out of /sys/amd64
Any insights would be greatly
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-freebsd-
[EMAIL PROTECTED] On Behalf Of Office of the CIO-rithy4u.NET
Sent: Monday, January 01, 2007 2:17 AM
To: freebsd-questions@freebsd.org
Subject: Routing
I try to do dual routing on my freebsd box but its was not
Hello All:
We have just implemented an NFS server behind a POP cluster of 3
servers. Incoming mail to the PF front-end box is at about 8 Mb/sec.
Communication between each of the POP servers to and from the NAS is
averaging about 70 Mb/sec.
Can anyone tell me if this is normal overhead for NFS
Hello Bill:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Monday, December 11, 2006 2:15 PM
To: [EMAIL PROTECTED]
Subject: shmmax tops out at 2G?
uname -a
FreeBSD db00.lab00 6.2-BETA3 FreeBSD 6.2-BETA3 #1: Fri Dec 8 09:27:37
EST 2006
Hello:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of g
Sent: Sunday, December 10, 2006 11:02 PM
To: freebsd-questions@freebsd.org
Subject: Re: What can I use to study Ethernet frames?
[EMAIL PROTECTED] wrote:
Which program can I use to study Ethernet
Hello Mark:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc G.
Fournier
Sent: Friday, December 01, 2006 10:28 AM
To: freebsd-questions@freebsd.org
Subject: Bandwidth Throttling under FreeBSD 6.x ...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello All:
I've posted this to the Samba list with no success and I'm hoping
someone here will have experience with this configuration. We're using
Winbind to authenticate against an Active Directory and it works
perfectly *if* the user is in the local password database. If the user
is not,
Hello:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joao Barros
Sent: Thursday, November 09, 2006 12:36 PM
To: Bill Moran
Cc: Mark; freebsd-questions@freebsd.org
Subject: Re: access-lists and QoS implementation
On 11/9/06, Bill Moran [EMAIL PROTECTED]