them out.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Luçi wrote:
On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org
infallibilismindefeasibil...@calomel.org wrote:
ALTQ using hfsc is limited to a maximum parent bandwidth
the value flips twice and we are
left with 65.41Kb.
altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web}
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}
Thanks.
--
Calomel @ https://calomel.org
Open Source Research and Reference
modified is 10.0.0.50, then the resulting address will be 192.0.2.50.
If the address pool is 192.0.2.1/25 and the address being modified is
10.0.0.130, then the resulting address will be 192.0.2.2.
http://www.openbsd.org/faq/pf/pools.html
--
Calomel @ https://calomel.org
Open Source Research
about adding QOS so the gamers get higher network priority? :)
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:
On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:
Teemu,
Are you sure the ftp server you
Addresses: 12
Cleared: Wed Dec 31 19:00:00 1969
pfctl -a games -vvs Tables
--a-r-C BLOCKTEMP games
Addresses: 0
Cleared: Wed Jun 2 16:40:14 2010
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 02, 2010 at 04:23
to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.
Was this the problem?
--
Calomel @ https://calomel.org
/apm_control.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote:
On Friday 05 February 2010 11:17:51, you wrote:
On 04/02/2010 23:02, Jean-Francois wrote:
All,
I am looking forward to reduce the TDP
the given probability value only. For example,
the following rule will drop 20% of incoming ICMP packets:
block in proto icmp probability 20%
I do not believe you can add latency timings using PF. I agree, this
would be very helpful for testing.
--
Calomel @ https://calomel.org
Open Source
Queue (2Mbps)
Queue A (1Mbps)
Queue B (500Kbps)
Queue C (500Kbps)
Also, you can use HFSC queueing for this as well.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
https://calomel.org/pf_hfsc.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Tue
.
OpenSMTPD how to (smtpd.conf)
https://calomel.org/opensmtpd.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote:
I find the two manpages, smtpd(8) and smtpd.conf(5), in current.
Is there an official online
.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, May 07, 2009 at 10:53:18AM -0400, Darrin Chandler wrote:
On Thu, May 07, 2009 at 12:03:23PM +, Stuart Henderson wrote:
There are some useful things on the site, but please, use with a big
pinch of salt
proto tcp from $DMZ to any port ftp -> lo0 port 8021
Filtering #
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState
$FtpIntIf
Ftp-Proxy how to (forward and reverse proxy)
https://calomel.org/ftp_proxy.html
--
Calomel
clients.
Nginx web server how to
https://calomel.org/nginx.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sun, Jul 20, 2008 at 03:14:40PM +0100, Nuno Magalhães wrote:
I have an old Compaq Armada 1500c with 32MB of RAM I want to use as a
webserver. Having it support
Juan,
You can use email addresses, domains or partial domains in your
spamd.alloweddomains file.
Spamd tarpit/greylisting anti-spam how to (spamdb)
https://calomel.org/spamd_config.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sat, Jun 21, 2008 at 09:24
this helps,
OpenBSD Pf Firewall how to ( pf.conf )
https://calomel.org/pf_config.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
Hi folks,
All the time I had the following entries in my pf.conf for my
.
Guide to SSL Certificates
https://calomel.org/ssl_certs.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:
On Sat, 14 Jun 2008, Khalid Schofield wrote:
Hi,
I need to get a proper signed ssl certificate
would also be interested in
hearing about them.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 04, 2008 at 05:02:45PM +0100, Joe Warren-Meeks wrote:
Hey guys,
I have a pair of OpenBSD firewalls, using carp+pf protecting all
our services.
Now, we are going
Ropers,
You can find the badblocks utility prepackaged in e2fsprogs.
Hope this helps,
BadBlocks Hard Drive Validation and/or Destructive Wipe
http://calomel.org/badblocks_wipe.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Apr 18, 2008 at 08:44:27PM
email from new
potential clients all the time then this method is not really that helpful.
If anyone has any other ideas on this topic I would also be interested in
hearing them.
Hope this helps.
Spamd tarpit/greylisting anti-spam how to
http://calomel.org/spamd_config.html
--
Calomel @ http
the table to the text file you can
always do pfctl -t bruteforce -T show > /etc/bruteforce
Hope this helps.
OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Apr 16, 2008 at 12:20:38PM
? Are the firewalls overloaded?
You are welcome to check out some of the how to's I have at
http://calomel.org if you need to.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Apr 10, 2008 at 12:35:17PM +0100, openbsd firewall wrote:
Hello,
I'm testing an OpenBSD 4.2 firewall
We use a simple Perl script to analyze the spamd logs and generate HTML
output.
Spamd Statistics Script (annoying spammers)
http://calomel.org/spamd_stats.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Apr 03, 2008 at 10:19:18AM -0300, Jose Fragoso
You also need to tell pfstat what action you want to do. You can query to
collect the pf interface statistics, generate new graphs or clean up the
database.
See if our page can help you out.
Pfstat how to ( pfstat.conf )
http://calomel.org/pfstat.html
--
Calomel @ http://calomel.org
to drop connections
dependent on ip address. For example, if we wanted to drop all states from
any ip to our internal server at 10.10.10.22 we could execute:
pfctl -k 0.0.0.0/0 -k 10.10.10.22
Hope this helps.
PF Config how to (pf.conf)
http://calomel.org/pf_config.html
--
Calomel @ http
proxy how to (relayd.conf)
http://calomel.org/relayd.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Mar 18, 2008 at 05:07:53PM -0400, Calomel wrote:
We are looking to do some URL path and request method filtering with relayd
if possible. Many of the other layer
that in some versions, Squid limits dns_children to 32. To increase it
beyond that value, you would have to edit the source code.
Hope this helps.
Squid config how to (squid.conf)
http://calomel.org/squid.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Mar
Config how to (pf.conf)
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org/
Open Source Research and Reference
On Wed, Mar 26, 2008 at 04:41:01PM -0700, Lord Sporkton wrote:
I have this rule in my PF
and it's not working
everything just gets thrown into the high queue and nothing
'
value in pfctl -si to see how many packets were dropped in this way.
I do not believe packets dropped by a rate limited rule are logged, as
logging a DDOS attack might stress the machine.
Hope this helps.
OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel
be found
here for reference:
Relayd proxy how to (relayd.conf)
http://calomel.org/relayd.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
Subsystem sftp internal-sftp -f AUTH -l DEBUG3
Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail
http://calomel.org/sftp_chroot.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Mar 13, 2008 at 12:32:04PM +1100, Damien Miller
. The anchors are not pfsync states and thus are not transferred to
the backup firewall through pfsync.
But, if the users issue a reconnect to your ftp server after the firewall
fail over they will connect without issue.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Mar 12
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no
## sftp directives
Subsystem sftp internal-sftp
Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail
http://calomel.org/sftp_chroot.html
--
Calomel
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Feb 25, 2008 at 09:48:20PM -0600, Aaron Martinez wrote:
I've got spamd up and running in the default greylisting mode on a 4.2
stable system. Things seem to be working great, however I've noticed
that some freemail like
On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
Raimo,
Can you use the spamd.alloweddomains to whitelist email addresses and
domains you accept mail for? Any email sent to your mail server that is not
on the list
)
http://calomel.org/spamd_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
Apparently we (our mail server) got targeted by a zombie network
since suddenly there were some 3 hosts on spamd's whitelist
$SshPort
$SynState tagged OPENSSH
OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
(sorry, orig post errantly had no subject
All macros, redirections and rules must be in the anchor that uses it, as I
understand it. Take a look at the anchors section of this link.
OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri
://calomel.org/pf_config.html
Hope this helps.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:
Hello,
I've been successfully using the max-src-conn and max-src-conn-rate
with an overload into a table that I block for our
be around
24-26.
What is your grey listed time out? By default I believe it is set at 25
minutes. (-G 25:4:864) Perhaps it is too low or too high?
This is probably not your issue, but may give you a place to start.
Spamd anti-spam how to (spamdb)
http://calomel.org/spamd_config.html
--
Calomel
and download 100 meg
per minute there is a problem and the ips can be blocked or slowed.
Thanks for your time,
--
Calomel @ http://calomel.org
Open Source Research and Reference
Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Dec 25, 2007 at 10:22:09AM -0800, Chris Cappuccio wrote:
upnp is also necessary for other multiplayer games like xbox live. it's
unfortunate, but true
Try using the ftp-proxy daemon. The proxy will take care of what ports need
to be open and close them when they are not needed. It will make your life
easier.
Ftp-proxy how to (forward and reverse)
http://calomel.org/ftp_proxy.html
--
Calomel @ http://calomel.org
Open Source Research
the altq on $ExtIf bandwidth 744Kb line to
reflect this. If the rest of the queues are setup to use a percentage of
the primary bandwidth amount then everything will fall into line. Lastly,
refresh pf for the new settings to take effect.
Reference: http://calomel.org/pf_hfsc.html
--
Calomel
/4.2
with ALTQ (HFSC) without issue. CPU usage for the interrupts is around 33%
on an amd64 2.2GHz.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Nov 12, 2007 at 02:05:54PM -0300, Fernando Braga wrote:
Hi,
I've set up a bridge over a 200Mb link, and every time I turn
of bandwidth
specified by realtime. See if this link helps you out.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Nov 16, 2007 at 04:56:51AM +0300, Jonathan Stewart wrote:
Is it possible
Chris,
It looks like you have quite a few questions. The obsd list will not write
your firewall for you, but this should get you started in the right
direction.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html
--
Calomel @ http://calomel.org
Open Source
the backup user. If ls is successful, the wrapper is not
working.
If anyone has any other recommendations I would be interested in hearing
about them. There is always room for improvement.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Nov 13, 2007 at 10:17:07PM
ports or ip's. Well NetFlow
is what you're looking for. NetFlow is an open but proprietary network
protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment
for collecting IP traffic information.
http://www.pantz.org/software/flowtools/configflowtoolspfflow.html
--
Calomel @ http
I believe the boot image must be less than 9900 sectors to be used on a
bootable cdrom. bsd.rd would be too large.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Nov 07, 2007 at 07:45:52PM -0500, Steve Shockley wrote:
Calomel wrote:
You can use geteltorito.pl
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs
from the cdemu42.iso image and make a new cdrom42.fs image. Just takes a
second.
Check out Step 3, option 2 at Making a bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html
--
Calomel @ http
% )
queue bulk bandwidth 5% priority 1 qlimit 50 hfsc (realtime 5% default)
And use the ack with the queue name on the rules like, queue (edd, ack)
This might help you out with the directive definitions.
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source
Rod,
You are absolutely correct. Using the --reject *iso directive for wget in
the instructions will now filter out all iso files from downloading. The
wording on the web page has been cleaned up and clarified.
Thanks for your feedback, it is appreciated.
--
Calomel @ http://calomel.org
/bootable_openbsd_cd.html
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Fri, Nov 02, 2007 at 03:12:30AM +0800, Bibby wrote:
Hi, all.
Part of file: 4.2/i386/INSTALL.i386:
---
cdrom42.fsThe i386 boot and installation 2.88MB
floppy image that contains almost
You need to use at least samba-2.2.7a and use the audit.so module. The
samba source code has what you need. Check out the information in
~samba/examples/VFS/audit.c and in the README file in that directory.
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Sun, Oct 28, 2007
Siju,
Has the device name changed? Perhaps to /dev/cd0a
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Thu, Oct 25, 2007 at 07:12:59PM +0530, Siju George wrote:
Hi,
I installed OpenBSD 4.2 on CD on my amd64 that was running OpenBSD 4.0 fine.
I tried to mount
Pieter,
To remove the ^M characters at the end of all lines in vi, use:
:%s/^V^M//g
The ^v is a CONTROL-V character and ^m is a CONTROL-M. When you type this,
it will look like this:
:%s/^M//g
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Oct 26, 2007 at 03:45
on reboot.
OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyrä wrote:
Hi,
I'm currently trying to configure small home network:
ADSL Server / Firewall Desktop
Now I'm working
the handshakes are completed, the
sequence number modulators (see previous section) are used to translate
further packets of the connection. Synproxy state includes modulate state.
(pf.conf man page)
--
Calomel @ http://calomel.org
On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote:
On Tue
the rate of
new connections over a time interval. The connection rate is an
approximation calculated as a moving average.
You may also want to use synproxy for ssh and take a look at
max-src-states. I have examples here: http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
On Tue, Oct
Tony,
I agree with lars, squid is an excellent choice to proxy http and https.
Here are some instructions and a working example if you need them.
Squid Proxy (Secure, Paranoid and Non-caching)
http://calomel.org/squid.html
--
Calomel @ http://calomel.org
On Tue, Oct 09, 2007 at 03
.
--
Calomel @ http://calomel.org
On Fri, Oct 05, 2007 at 08:25:26AM -0400, a.padilla wrote:
ext_if =rl0 #macro for external interface
int_if =dc0 #macro for internal interface
localnet= $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
#block in
pass out keep state
pass out
matheus,
It is the order. The first queue is for bulk packets and the second is for
ack packets.
Daniel Hartmeier has a detailed page with examples that may make this
clearer.
Prioritizing empty TCP ACKs with pf and ALTQ
http://www.benzedrine.cx/ackpri.html
--
Calomel @ http://calomel.org
62 matches