On Tue, Jun 21, 2005 at 08:23:49PM -0400, Jason Dixon wrote:
On Jun 21, 2005, at 6:24 PM, Bill Swisher wrote:
After reading over the pf-faq.pdf file I have, at this time, one
question. The home/small office example assumes that the internet
lives off of ep0. In my case this is partially
On Wed, Apr 20, 2005 at 09:56:48PM +0930, alex wilkinson wrote:
Hi all,
Is it possible to specify a range within a table? e.g.
table itunes const { 8000 8999 }
I get a syntax error for the aforementioned table, so can anyone
suggest a method for what I'm trying to achieve?
tables
On Wed, Apr 20, 2005 at 09:44:59PM +0930, alex wilkinson wrote:
Hi all,
I have a macro defined such as:
EXT_IF=tun0
I want to refer to this interface in parentheses in case tun0's DHCP
ip address changes.
However, when I use the (...) feature in the following rule for example:
On Sun, Apr 10, 2005 at 11:18:58PM -0400, Michael W. Lucas wrote:
Hi,
I'm trying to duplicate packets matching one particular rule.
Background: I have softflowd running on OpenBSD 3.5 i386. This is
exporting flows to a logging host. Works beautifully.
The old logging host is being
On Fri, 2005-03-25 at 13:03, florian mosleh wrote:
The only other factor that I see as possibly contributing to the problem (I'm
not sure how) is that the internet connection is a set of 4 bonded T1s, but
I've
been given the impression that this shouldn't make a difference.
you're pretty
On Wed, 2005-03-23 at 15:21, Xavier wrote:
Hi,
Just one question... Maybe stupid, pardon me!
Can I define sort of route maps such as
in Cisco devices with pf?
Ex: if source address = x.x.x.x - send to next hop y.y.y.y
yes--route-to can be used for this:
pass in on $int_if route-to
On Fri, 2005-03-18 at 10:48, Michael W. Lucas wrote:
Hi,
I'm using two PF boxes as traffic shapers, with CARP, running 3.5
GENERIC#127 i386 (to be updated to 3.7 as soon as it hits the
shelves.)
Will promiscuous mode see traffic before or after queueing on an
interface?
inbound to an
On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
So probably no checks later in the protocol. Similar problem with
CheckPoint's fastpath option, btw.
1) check point fw-1 is software, not hardware.
2) the fastpath option hasn't been around since 4.0 (and has always
been
On Thu, 2005-02-17 at 10:21, Aaron Spanik wrote:
I couldn't find this issue in any of the documentation I could find, so
I thought I'd ask here.
Macros in pf can be defined recursively, but it doesn't seem to work
when the macros that are being expanded are CIDR-style network
On Tue, Feb 15, 2005 at 09:42:40AM -0800, Dominic Opferkuch wrote:
Hello
I need to block certain IPs on my webserver. Can
anyone point out how to do that?
Here the IP address range I need to block
(*-ed out the first three digits)
***.139.192.0 --
On Fri, Jan 28, 2005 at 10:37:44AM -0800, Gustavo A. Baratto wrote:
hello all,
Is it (or will it be) possible to set different state timeouts for different
rules?
For example, if I'm using http, and I need to keep the state for 10 minutes
because of an e-commerce session, and I don't want
On Thu, 2005-01-20 at 17:05, Peter Fraser wrote:
The very broad: I don't understand why there are separate configuration
files for bridges and routing and packet filtering.
routing and bridging are two separate things.
Now for the picky ones.
Could the syntax error message give the
On Wed, Jan 19, 2005 at 02:07:10PM -0700, R T wrote:
Hello folks. Thanks to everyone who responded to my problem. The laptop can
use the internet now, however it won't resolve host names properly. For
example, it wouldn't connect to www.google.ca but it would to 64.233.167.104
Same for IRC,
On Fri, Jan 14, 2005 at 08:51:57AM -0800, Bryan Irvine wrote:
Is there a way to limit people to only 1 or a few simultaneous connections?
Every morning the same IP makes about 100 simultaneous connections and
hogs all the resources until it's through. Is there a way to only
allow them 5? or
On Thu, 2005-01-06 at 16:48, Jason Murray wrote:
Hello, new to the list, but not exactly new to pf.
I've got a 3 interface firewall and I'm seeing what I would call strange
behaviour. Here is the scenario. I want to allow http in from the Internet
to a web server on an isolated segment. I
On Sun, 2005-01-02 at 06:56, Daniel Johansson wrote:
Hi, my setup looks like the usual one. Internet - router with openbsd 3.5 -
switch - hosts.
I recently got a second IP from my ISP but I don't want to use it on an
external box directly to the internet. So I used ifconfig alias and added
On Thu, 2004-12-23 at 17:28, ed wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello again, sorry to bother you all again.
I have a question, we have two DSL connections, and I plan on using two
boxes, which are carped. But, I'd like to do this in a fashion such that
I can failover
On Fri, 2004-12-17 at 15:51, Peter GILMAN wrote:
Ed White [EMAIL PROTECTED] wrote:
| On Friday 17 December 2004 15:45, Roy Morris wrote:
| change your ssh port to like 30222 or something ..
|
| That's dumb.
why?
Choose a port 1024.
why?
not trying to speak for ed, but
On Thu, Dec 16, 2004 at 10:16:14AM -0500, Chad M Stewart wrote:
I don't know what it was, but after a reboot things are redirecting as
they should. Now I just need to configure spamd to my liking. :)
is it possible that you never did a pfctl -e
-j
--
What's the point of going out, we're
On Thu, Dec 16, 2004 at 07:16:48AM -0500, Chad M Stewart wrote:
# pfctl -vv -f /etc/pf.conf
Loaded 345 passive OS fingerprints
table spamd persist
table spamd-white persist
@0 rdr inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
# telnet localhost 8025
Trying 127.0.0.1...
On Mon, 2004-12-13 at 11:24, Alain wrote:
Hi,
I'm working on a high availability bridged firewall solution.
Would it be possible to put two OpenBSD bridged firewalls on an
etherchannel link (between two Cisco switches) and let the switch manage
the failover?
i don't think etherchannel is
On Wed, 2004-12-08 at 14:34, messmate wrote:
This is correct. Squid by default includes a X-Forwarded-For: header
on each HTTP request showing the original requesting IP address. This
can be disabled in squid.conf with forwarded_for off.
Sorry, not correct. I'm behind my squid and
On Wed, 2004-11-24 at 01:32, Ilya A. Kovalenko wrote:
Greetings,
Just note.
Stateful inspection on a gateway can hamper TCP connections when
inbound or outbound packets go another route (i.e. when one of the
directions does not go through the gateway).
Connection works fine on low rate,
[EMAIL PROTECTED] wrote:
On Sun, 7 Nov 2004, messmate wrote:
Hi all,
I have a problem using ftp from my admin machine to the
router/firewall/proxy.
This rule seems not correct :(
# Allow SSH from admin machine
pass in quick on $internal proto tcp from $TRUST_IP to any port = 22 flags S keep state
On Sat, 2004-10-30 at 16:20, messmate wrote:
Hi list,
As a newbie I've installed pf and closed everything.
But I have to open port 6881 TCP/UDP to get
Azureus (torrent) working.
For one machine on this internal network.
How can I do that?
Sorry for this ignorance
mess-mate
On Wed, 2004-10-20 at 18:59, eric wrote:
What's the method by which you folks filter layer 2 traffic? Some of
my methods don't scale well (static arp entries, etc) and I was
curious to know if there was work being conducted in this area
for pf, or any other BSD licensed goodies.
man 8
changes to I need
to make in pf/carp/ftp-proxy setup...?
man 8 ftp-proxy
says:
-a address
Specify the local IP address to use in bind(2) as the
source for connections made by ftp-proxy when connecting
to destination FTP servers.
-j
--
Jason Opperisano
On Tue, Oct 12, 2004 at 03:38:49PM -0700, Jon Simola wrote:
I've searched a fair bit and started some research into the pf code
looking for a way to identify packets at the application layer.
I believe that the functionality (just some simple text searching
inside the packet payload) would
On Fri, 2004-10-08 at 17:41, Ben wrote:
Great, thanks! So the hostname.* file would look like (for example)
dhcp NONE NONE NONE
!-s route add 128.195.0.0/16 128.195.88.1
Ben
heh, no... that was an attempt to make an exclamation point plural...
man 5 hostname.if
you would use:
On Tue, 2004-09-14 at 15:33, Bryan Irvine wrote:
I can't seem to get gnutella to break.
gnutella = { 6346 6348 8436 }
block out quick proto { udp tcp } from any to any port $gnutella
block in quick proto { udp tcp } from any to any port $gnutella
pftop still shows connection on 6346
On Fri, 2004-09-10 at 03:11, Ryan McBride wrote:
On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
all use TCP Port 5190. all three connections appear to stay open once
connected. the simple solution appears to be to set a NAT rule that
only uses 1 translation IP
On Thu, 2004-09-09 at 18:21, Bryan Irvine wrote:
anyone know why this rule doesn't work?
I've read and re-read the pf users guide but this specific example
isn't covered.
ftpservers = { ftp.kingcountyjournal.com intranet,kingcountyjournal.com }
On Thu, 2004-09-02 at 10:16, Wolfgang Pichler wrote:
hi all,
an hour ago i was hit by a sort of dos attack (someone sent nearly
20 mails to our mail addresses in the form of [EMAIL PROTECTED]).
I've now googled around to see if it's possible to limit the number of
connections from one IP
On Tue, 2004-08-31 at 19:31, cmustard wrote:
are those the complete log entries? my log entries look more like
- no, I truncated, I was running tcpdump -neq -ttt -r /var/log/pflog
they were the 'standard/normal' entries:
Aug 31 01:20:15.287341 rule 1/0(match): block in on rl0:
On Mon, 2004-08-30 at 14:18, cmustard wrote:
rule 1/0(match) block in on rl0: 84.2x.xxx.xx > 192.168.3.2.6346: tcp 0 (DF)
rule 1/0(match) block in on rl0: 224.2x.xxx.xx > 192.168.3.2.6346: tcp 0 (DF)
to me, this rule says it's blocking traffic on my external interface that is
coming from any
On Mon, 2004-08-30 at 12:46, [EMAIL PROTECTED] wrote:
Hi,
I have tried to set up a firewall with BSD (3.5).
I experimented with filtering bridge, so far ok. Now I needed a DMZ, so
I didn't want to play with two PCs, all should be in one PC. I
understand, I'd have to use a firewall with
On Thu, 2004-08-19 at 06:51, Ilya A. Kovalenko wrote:
Good day,
I'm trying to pass any outgoing TCP connections from my
office (nPrivate) onto campus network (nPublic) sites,
but block any incoming connections from campus to office.
Can I use for it a PF ruleset like this (on a 2-ifaced GW
On Fri, 2004-08-13 at 04:18, Paul Cusbish wrote:
My problem is with route-to. It seems to have no effect in my case. For the
record, I don't have any nat rules on this link - My suspicion is that the nat'd
link is grabbing the packet bound for the route-to gateway, but i'm probably wrong.
Hello There,
I'm a complete newbie to OpenBSD - a veteran from FreeBSD attracted by
the green grass of pf for a new firewall. Here's the rub - simple setup
with nic connected to internet, nic connected to subnet, wireless card
bridged to internal subnet. Dhcpd is running, working fine,
still be possible to use the syntax above that I really like.
Thanks
Per-Olov
--
Jason Opperisano [EMAIL PROTECTED]
(q_def, q_pri)