Re: rdr and TOS

2003-02-03 Thread Ed White
On Monday 03 February 2003 10:53, Kremlyn Vostok wrote:
> The 'route-to' function may be what you're after.  Let us know how it
> goes :-)

I got a kernel panic with this ruleset:

HOST=x.x.x.x

# Redirect HOST
pass out quick on dc0 route-to lo0 inet proto tcp from any to $HOST port 25 keep state
pass out quick on dc0 route-to lo0 inet proto tcp from any to $HOST port 80 keep state

# Black Hole Host
pass out quick all keep state 

pass out quick on lo0 all
pass in quick on lo0 all

block in quick inet proto tcp all
block in quick inet proto udp all
block in quick inet proto icmp all
block in quick all 


After pfctl -f pf.route I tried telnet x.x.x.x 25 and got a kernel panic.
Note that savecore told me I didn't have enough space to save the core, but that's
strange because I have 128 MB RAM, 200 MB swap and gigs on /var...

What am I missing?


Ed







RE: Qwest Contivity VPN Client Behind PF

2003-02-03 Thread Todd Chandler
Tried this rule, but no dice.  I still get a message that the server is not
responding.  Any other thoughts?

TC

-Original Message-
From: jolan [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 31, 2003 11:52 AM
To: Todd Chandler
Cc: [EMAIL PROTECTED]
Subject: Re: Qwest Contivity VPN Client Behind PF

On Fri, Jan 31, 2003 at 08:43:06AM -0500, Todd Chandler wrote:
> When I attempt to connect from the client, it simply times out.  Any
> ideas what I'm missing?

I assume the client is behind NAT.

If you're using 3.2, try this rule:

nat on $ext_if inet proto udp from any port = isakmp to any -> $ext_if port 500

The problem is that the server is probably ignoring ISAKMP traffic that
doesn't have a source port of 500.

- jolan
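
The point of jolan's rule is the static "port 500" on the translation side: without it pf picks an ephemeral source port for the translated packet, and an IKE peer that insists on UDP 500/500 drops it. The following is an added illustration written for this thread, not pf's code (pf's translator lives in the kernel); it models only the nat syntax used above, with first-match rule selection and pf's default 50001-65535 translated-port range. The macro $ext_if expanding to fxp0, the address 203.0.113.10 on it, the client 192.168.1.20 and the server 198.51.100.5 are all constructed.

```python
"""Simplified model of how a pf 'nat' rule rewrites the source of an outbound
packet.  Added illustration, not pf's own code; it only models the rule
syntax used in this thread.  Macro, interface address, client and server
addresses below are constructed assumptions."""
import ipaddress
import random
import re
from dataclasses import dataclass

MACROS = {"ext_if": "fxp0"}                 # pf.conf macros (assumed)
INTERFACES = {"fxp0": "203.0.113.10"}       # address an interface name translates to
SERVICES = {"isakmp": 500, "domain": 53}    # subset of /etc/services, constructed
EPHEMERAL = (50001, 65535)                  # pf's default translated-port range

RULE_RE = re.compile(
    r"nat on (?P<iface>\S+)(?: inet)?(?: proto (?P<proto>\w+))?"
    r" from (?P<src>\S+)(?: port = (?P<sport>\S+))?"
    r" to (?P<dst>\S+) -> (?P<tif>\S+)(?: port (?P<tport>\S+))?$"
)


@dataclass
class Packet:
    iface: str   # interface the packet leaves on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def expand_macros(line):
    for name, value in MACROS.items():
        line = line.replace("$" + name, value)
    return line


def _port(token):
    return SERVICES[token] if token in SERVICES else int(token)


def parse_nat_rule(line):
    m = RULE_RE.match(expand_macros(line).strip())
    if not m:
        raise ValueError("unsupported nat rule: " + line)
    rule = m.groupdict()
    rule["sport"] = _port(rule["sport"]) if rule["sport"] else None
    rule["tport"] = _port(rule["tport"]) if rule["tport"] else None
    return rule


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule["iface"] == pkt.iface
            and (rule["proto"] is None or rule["proto"] == pkt.proto)
            and _addr_matches(rule["src"], pkt.src)
            and (rule["sport"] is None or rule["sport"] == pkt.sport)
            and _addr_matches(rule["dst"], pkt.dst))


def translate(rules, pkt, rng=random):
    """(new_src, new_sport) chosen by the first matching rule, or None.
    Translation rules in pf are first-match: the first rule that matches decides."""
    for rule in rules:
        if matches(rule, pkt):
            new_src = INTERFACES.get(rule["tif"], rule["tif"])
            if rule["tport"] is not None:
                return new_src, rule["tport"]          # static port mapping
            return new_src, rng.randint(*EPHEMERAL)    # pf picks a free high port
    return None


GENERIC = [parse_nat_rule("nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if")]
ISAKMP_FIRST = [
    parse_nat_rule("nat on $ext_if inet proto udp from any port = isakmp to any -> $ext_if port 500"),
] + GENERIC

# The client's first IKE packet: UDP 500 -> 500, leaving on fxp0 (constructed).
IKE_PACKET = Packet("fxp0", "udp", "192.168.1.20", 500, "198.51.100.5", 500)


def ike_source_port(rules, seed=1):
    """Source port the VPN server sees for the client's first IKE packet."""
    result = translate(rules, IKE_PACKET, random.Random(seed))
    return result[1] if result else None


if __name__ == "__main__":
    print("generic nat only  :", ike_source_port(GENERIC))       # some port in 50001..65535
    print("isakmp rule first :", ike_source_port(ISAKMP_FIRST))  # 500
```

Order matters: the isakmp rule has to come before the general nat rule, because the first matching translation rule wins. Note that a static 500 mapping can serve only one IKE client behind the NAT at a time.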




Re: rdr and TOS

2003-02-03 Thread Daniel Hartmeier
Can't reproduce it with -current anymore, I assume you were using an
older version. Can you retry with -current?

Daniel




ftp server behind bridge

2003-02-03 Thread Michael Coulter

Looking at ftp-proxy as well as Daniel's reverse.diff, it appears
that neither of these will help my situation, as I'm not NATing
but simply using a bridging firewall.

Is there any code, or anyone threatening to write code, that would
help in this situation?  Some code that would allow you to run
active and passive FTP through a bridging firewall with a default
deny policy, without having to have a rule like:

pass quick in on $ext_if proto tcp from any to any port > 1024

As an aside, if anyone knows how to tell MS-FTP what port range
to allocate for passive ftp sessions, that would also be useful.




RE: Nat Problem or misconfiguraton

2003-02-03 Thread Amir Seyavash Mesry
Bump!

Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 

NOTICE: This communication may contain privileged or other confidential
information. If you are not the intended recipient, or believe that you have
received this communication in error, please do not print, copy, retransmit,
disseminate, or otherwise use the information. Also, please indicate to the
sender that you have received this communication in error, and delete the
copy you received. Thank you.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Amir Seyavash Mesry
Sent: Friday, January 24, 2003 3:33 PM
To: 'PF Mailing list'
Subject: Nat Problem or misconfiguraton


Ok, I need some help.
Here is my pf.conf, stripped down so the NAT works, and the
ifconfig output also; can anyone figure out why it won't do
NAT on rl1, but will do it on rl0?
Pf.conf:
nat on rl0 inet from 192.168.0.7/32 to any -> rl0
nat on rl1 inet from 192.168.0.15/32 to any -> rl1
nat on rl1 inet from 192.168.0.4/32 to any -> rl1
nat on rl1 inet from 192.168.0.16/28 to any -> rl1

pass in all
pass out all

Ifconfig:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:2a:17:5f
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::250:fcff:fe2a:175f%rl0 prefixlen 64 scopeid 0x1
inet 24.98.84.83 netmask 0xfffffe00 broadcast 255.255.255.255

(RL1 is listed with media options 10BaseT and autoselect)
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet 10baseT
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfffffe00 broadcast 255.255.255.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:26:7e:2c:3d
media: Ethernet autoselect (none)
status: active
inet6 fe80::2c0:26ff:fe7e:2c3d%rl1 prefixlen 64 scopeid 0x2
inet 24.98.85.22 netmask 0xfffffe00 broadcast 255.255.255.255

rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:3a:32:6d
media: Ethernet 100baseTX full-duplex
status: active
inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.0
inet6 fe80::250:fcff:fe3a:326d%rl2 prefixlen 64 scopeid 0x3


rl0 & rl1 get DHCP-assigned IPs, which are shown, but rl1
won't NAT.  Anyone got any ideas as to why the NAT on rl0 works
and not on rl1?


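
One check a practitioner would run on the ifconfig output in this thread: both external addresses, 24.98.84.83 and 24.98.85.22 with a 0xfffffe00 (/23) mask, fall inside 24.98.84.0/23, so rl0 and rl1 are configured on the same subnet. pf evaluates "nat on rl1" only against packets the kernel actually sends out rl1, and with two interfaces claiming one connected subnet the routing table uses only one of them for that subnet and for any gateway in it. The script below, an added illustration and not part of the thread, parses ifconfig output and runs exactly that check. The ifconfig text is constructed from the addresses posted, with the netmasks in the full 0xffffffff form ifconfig prints, and the gateway address 24.98.84.1 is an assumption.

```python
"""Check ifconfig output for two interfaces that share one IPv4 subnet.
pf evaluates 'nat on rl1' only against packets the kernel actually sends
out rl1, so if the routing table never chooses rl1 those rules never
translate anything.  Added illustration for this thread, not part of the
post: the ifconfig text is constructed from the addresses posted, with
netmasks in the full form ifconfig prints; the next hop 24.98.84.1 is an
assumption."""
import ipaddress
import re

SAMPLE_IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.98.84.83 netmask 0xfffffe00 broadcast 255.255.255.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.98.85.22 netmask 0xfffffe00 broadcast 255.255.255.255
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.0
"""

_IFACE = re.compile(r"^(\w+): flags=")
_INET = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Dict in ifconfig order: interface name -> [IPv4Interface, ...]."""
    result, current = {}, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _INET.match(line)
        if m and current is not None:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            result[current].append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
    return result


def shared_subnets(ifaces):
    """[(network, [names...])] for every subnet configured on more than one interface."""
    by_net = {}
    for name, addrs in ifaces.items():
        for a in addrs:
            by_net.setdefault(a.network, []).append(name)
    return [(net, names) for net, names in by_net.items() if len(names) > 1]


def outbound_interface(ifaces, next_hop):
    """Interface whose connected route covers next_hop: longest prefix wins, and
    when two interfaces carry the same subnet the one configured first keeps
    the route (the second's connected route cannot be installed)."""
    best = None
    for name, addrs in ifaces.items():
        for a in addrs:
            if ipaddress.ip_address(next_hop) in a.network:
                if best is None or a.network.prefixlen > best[1]:
                    best = (name, a.network.prefixlen)
    return best[0] if best else None


def nat_on_interface_is_dead(ifaces, nat_iface, next_hop):
    """True when 'nat on nat_iface' can never match traffic sent toward next_hop."""
    return outbound_interface(ifaces, next_hop) != nat_iface


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    for net, names in shared_subnets(ifaces):
        print(f"{net} is configured on {', '.join(names)}")
    gw = "24.98.84.1"   # assumed gateway
    print("traffic to", gw, "leaves via", outbound_interface(ifaces, gw))
    for ifn in ("rl0", "rl1"):
        print(f"nat on {ifn}:", "never matches" if nat_on_interface_is_dead(ifaces, ifn, gw) else "can match")
```

On a live box the same question is answered by "route -n get <gateway>" (which interface the kernel picked) and "pfctl -vs nat" (whether the rl1 rules ever count a packet); the script is the offline form of that check.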