Doug Hardie wrote:
1. pf allows short cuts, but these also make it more difficult to debug. I'd
separate NAT from filtering,
Ok. I guess you want some white space between them? Here it is with the white
space and comments:
ext_if=dc0
table blackhole persist file /etc/blackhole
Doug Hardie wrote:
This is quite interesting. I can't figure out the rules on my system.
Maybe try to simplify, clean up and structure your rules :)
Here is the pf.conf file with all comments removed:
table blackhole persist file /etc/blackhole
table spamd persist
table spamd-white
On 23 January 2010, at 04:18, Erik Norgaard wrote:
Doug Hardie wrote:
This is quite interesting. I can't figure out the rules on my system.
Maybe try to simplify, clean up and structure your rules :)
Here is the pf.conf file with all comments removed:
table blackhole persist file
hi kalin,
my question is: are you telnet-ing to/from/through this machine with the
specified pf rules?
From: kalin m ka...@el.net
To: freebsd-questions@freebsd.org
Sent: Fri, January 22, 2010 8:12:00 AM
Subject: pf rules
hi all...
doing testing with pf
port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
To debug pf rules:
- always add direction to the rule, pass or block, add interface to all
rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules
in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
To debug pf rules:
- always add direction to the rule, pass or block, add interface to all
rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
On 22 January 2010, at 01:45, Erik Norgaard wrote:
To debug pf rules:
- always add direction to the rule, pass or block, add interface to all
rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all rules and watch
Doug Hardie wrote:
On 22 January 2010, at 01:45, Erik Norgaard wrote:
To debug pf rules:
- always add direction to the rule, pass or block, add interface to all
rules except default policy, keep state on all pass rules
- group your rules per direction, then per interface
- add log to all
On 1/22/10, kalin m ka...@el.net wrote:
hi all...
doing testing with pf...
how is it possible that if i have these rules below in pf.conf if i do:
telnet that.host.org 25
i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
... etc ...
On Fri, Jan 22, 2010 at 8:12 AM, kalin m ka...@el.net wrote:
how is it possible that if i have these rules below in pf.conf if i do:
telnet that.host.org 25
i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
you probably don't load pf.
pfctl -sa | grep
On 22 January 2010, at 03:14, Erik Norgaard wrote:
Doug Hardie wrote:
On 22 January 2010, at 01:45, Erik Norgaard wrote:
To debug pf rules:
- always add direction to the rule, pass or block, add interface to all
rules except default policy, keep state on all pass rules
- group your rules
hi all...
doing testing with pf...
how is it possible that if i have these rules below in pf.conf if i do:
telnet that.host.org 25
i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
... etc ...
pf.conf contents:
tcp_in = { www, https }
ftp_in = {
Hello.
Is there some tool to test rules-file for PF with arbitrary packets
without need for real traffic?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
Michael Lednev wrote:
Hello.
Is there some tool to test rules-file for PF with arbitrary packets
without need for real traffic?
Yes. It's called netcat (nc on most systems).
--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: Second-system effect
Jay Chandler wrote:
Michael Lednev wrote:
Hello.
Is there some tool to test rules-file for PF with arbitrary packets
without need for real traffic?
Yes. It's called netcat (nc on most systems).
Very funny. It will create real traffic which I want to avoid.
My desktop PC get its IP address from a PPPoA modem connected with ethernet. I
started logging DHCP in PF, to make sure I wasn't dropping anything, but the
*only* packets I'm seeing are incoming broadcast:
pass in on vr0: 10.0.0.2.67 255.255.255.255.68: BOOTP/DHCP, Reply,
length:
binat on $dig_if from $dmz_srv to any -> $dig_ip2
binat on $dsl1_if from $dmz_srv to any -> $dsl1_ip2
binat on $dsl2_if from $dmz_srv to any -> $dsl2_ip2
rdr on $dig_if inet proto tcp from any to $dig_ip2 port { 25, 80, 81,
110 } -> $dmz_srv
rdr on $dsl1_if inet proto tcp from any to $dsl1_ip2 port
It's a question of letting DNS traffic _in_ to your nameserver:
pass in on $ext_if inet proto { tcp, udp } \
from any to ($ext_if) port 53
^^^ that lets the traffic in
pass out on $ext_if inet proto { tcp, udp } \
from ($ext_if) port 53 to any
^^^ and that lets it
Correction:
Unless I COMMENT the default deny policy nothing seems to work.
--
Fafa Hafiz Krantz
Research Designer @ http://www.home.no/barbershop
Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
--
On Tue, 10 May 2005, Fafa Hafiz Krantz wrote:
Ok, after having added that it seems that my DNS works.
The same goes for my WWW and mail server.
SSH servers are all OK to connect to.
I have to wait like 5 minutes after booting my computer
before I can connect to those certain FTP sites.
On 2005-05-10 05:09, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
It's a question of letting DNS traffic _in_ to your nameserver:
pass in on $ext_if inet proto { tcp, udp } \
from any to ($ext_if) port 53
^^^ that lets the traffic in
pass out on $ext_if inet proto { tcp, udp } \
- Original Message -
From: Giorgos Keramidas [EMAIL PROTECTED]
To: Fafa Hafiz Krantz [EMAIL PROTECTED], Jan Grant [EMAIL PROTECTED]
Subject: Re: PF RULES! But mine doesn't ...
Date: Tue, 10 May 2005 13:50:27 +0300
On 2005-05-10 05:09, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
It's
The rules I suggested are so that external machines can talk to your DNS
server (querying about the domain it is authoritative for), and so that
responses can get back to those machines.
Your nameserver, however, may also be trying to get requests out. When
it does this, by default, it
On 2005-05-10 07:19, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
Giorgos Keramidas [EMAIL PROTECTED] wrote:
Show us the output of:
# pfctl -sr
[snip ruleset]
Hello!
# pfctl -sr
scrub in all fragment reassemble
block drop log all
pass quick on lo0 all
pass quick on ep0 all
Hello.
My ruleset is all twisted.
Unless I disable the default deny policy, this is what happens:
* My nameserver setup goes dysfunctional.
* My web, mail and fileserver goes dysfunctional.
* I cannot SSH and FTP into certain servers.
* I cannot ping my IP from the outside.
Can anyone tell
On Sun, 8 May 2005, Fafa Hafiz Krantz wrote:
Hello.
My ruleset is all twisted.
Unless I disable the default deny policy, this is what happens:
* My nameserver setup goes dysfunctional.
* My web, mail and fileserver goes dysfunctional.
* I cannot SSH and FTP into certain servers.
*
Fafa Hafiz Krantz wrote:
Hello.
My ruleset is all twisted.
Unless I disable the default deny policy, this is what happens:
* My nameserver setup goes dysfunctional.
* My web, mail and fileserver goes dysfunctional.
* I cannot SSH and FTP into certain servers.
* I cannot ping my IP from the
Fafa Hafiz Krantz wrote:
Perhaps you should check the archives. :)
What do you mean? There are many archives out there ...
Please tell me which one?
Thanks!
--
Fafa Hafiz Krantz
Research Designer @ http://www.home.no/barbershop
Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
Did