digression

2004-08-20 Thread Christopher Keeley
Forgive me, but isn't this all going a bit off topic?
After all, this list is about 'pf', not the legality issues surrounding
file sharing.

regards

chris


On Thu, Aug 19, 2004 at 09:38:27PM +0100, Greg Hennessy wrote:
## On 19 Aug 2004 12:02:20 -0700, [EMAIL PROTECTED] (Shawn K.
## Quinn) wrote:
## 
## 
## >Second, there are legitimate non-copyright-infringing uses for both 
## >Gnutella and BitTorrent (I use the latter for legitimate purposes on a 
## >semi-regular basis).
## 
## Exceedingly rare in a commercial environment. 
## 
## > I really think we could do without the implication 
## >that everyone who uses these services is doing so to infringe 
## >copyright.
## 
## One can pretty much guarantee with almost 100% certainty that such traffic
## is *not* being used for legitimate purposes in a commercial setting. 
## 
## 
## 
## 
## greg
## -- 
## Es ist mein Teil - nein 
## Mein Teil - nein 
## Denn das ist mein Teil - nein 
## Mein Teil - nein 
---end quoted text---

-- 
---
Chris Keeley 
public key: pgp.mit.edu (search string: crizza)




SOLVED: TODO: pass unidir. TCP connections

2004-08-20 Thread Ilya A. Kovalenko
   Hurray! Solved by the following change:

- pass  in  proto tcp  from   to  keep state
+ pass  out proto tcp  from   to  keep state

  I think the community NEEDS documentation about PF's stateful
inspection, its internal organization, possibilities and limitations.

  Documentation, not a mailing list archive (I guess nobody needs the
difference explained).

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service

For archives:
  
IAK>   I am trying to pass any outgoing TCP connections from my
IAK> office () to campus network () sites,
IAK> but block any incoming connections from campus to office.

IAK> Can I use for it a PF ruleset like this (on a 2-interface GW
IAK> between office & campus):
IAK> 
>> block in all
>> block return-rst in proto tcp  all
>> 
>> pass in on lo0 all
>> 
>> pass  in  from   to 
>> pass  in  from  to 
>> pass  in  from  to 
>> 
>> pass  in proto tcp  from   to  keep state
IAK> 

IAK> I supposed that the last rule would create state for the
IAK> outgoing connection and pass all campus packets for it.
IAK>   But it seems it does not work ... or I missed some other
IAK> factors.

IAK> tcpdump(8) shows this interchange:

IAK>   OFFICE    ______    CAMPUS
IAK>            |      |
IAK>   SYN ->   |  GW  | -> SYN
IAK>            |      | <- SYN ACK
IAK>            |      | -> RST
IAK>   and      |      |
IAK>     again  |      |
IAK>            |      |
IAK>   SYN ->   |      | -> SYN
IAK>            |      | <- SYN ACK
IAK>            |______| -> RST

IAK> Should such a ruleset work?
IAK> Previously, I've used a construction like this

>> pass  in proto tcp  from   to 
>> block in proto tcp  from   to  flags S/SA

IAK> but it has a security issue: a public host could send a spoofed
IAK> TCP packet, to which the internal host responds with RST.
IAK>   So a public host could perform a ping-scan (with nmap, for example)
IAK> of the internal network.
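For readers following this thread, here is an added pf.conf example of the two-interface gateway described above: office-initiated TCP to campus is allowed with state, campus-initiated TCP is dropped, and the RST-based address probe from the older "pass in / block flags S/SA" construction is closed. This is illustration written for the archive, not Ilya's ruleset; the interface names, the two network prefixes and the macro names are assumptions.

```pf
# Added example (not the original poster's ruleset): two-interface gateway
# that passes office-initiated TCP to campus and blocks campus-initiated TCP.
# Interface names and network prefixes below are assumptions for illustration.
office_if  = "fxp0"
campus_if  = "fxp1"
office_net = "192.0.2.0/24"       # constructed documentation prefix
campus_net = "198.51.100.0/24"    # constructed documentation prefix

# Drop silently by default. A return-rst toward campus would tell a sender
# that an address is alive, which is exactly the probe the thread describes.
set block-policy drop

# Default deny on every interface, both directions.
block in all
block out all

# Loopback is always fine.
pass quick on lo0 all

# Office -> campus TCP. flags S/SA means only a bare SYN may create state,
# so a spoofed ACK or RST arriving from the campus side matches neither a
# state nor a pass rule, never reaches an office host, and therefore never
# elicits the RST that made the old construction scannable.
pass in  on $office_if proto tcp from $office_net to $campus_net \
    flags S/SA keep state
pass out on $campus_if proto tcp from $office_net to $campus_net \
    flags S/SA keep state

# No "pass in on $campus_if" is needed for the replies: pf consults the
# state table before evaluating rules, so the SYN ACK and the rest of an
# office-initiated connection are matched by the state created above.
```

The rule on $campus_if is the "pass out ... keep state" form that the fix at the top of this message adopted; the rule on $office_if covers the same packet on its inbound pass through the gateway, since a forwarded packet must be allowed on both interfaces.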



Re: Holes or left overs?

2004-08-20 Thread Greg Hennessy
On 19 Aug 2004 16:57:35 -0700, [EMAIL PROTECTED] (A) wrote:


>Leaving that issue to one side for a moment, the hits from external
>hosts with source port of 80, are they just from left over web traffic?

Usually, the quickest way to test would be to do a reverse lookup of the source
IPs and see where they are coming from. 

>Or are there some cunning scanners that are tailing in on a "keep
>state"? I am thinking not as I have looked at how the state table is
>checked and it would be hard to trick it.

It sounds like you have a timeout mismatch in your firewall sandwich. 


greg




-- 
Es ist mein Teil - nein 
Mein Teil - nein 
Denn das ist mein Teil - nein 
Mein Teil - nein 


Re: question on fragment handling

2004-08-20 Thread Mike Frantzen
>   * we are not using scrub rules.
> Does anyone have any ideas as to why these fragments are not being
> covered by the state mechanisms?

because "keep state" doesn't track fragments.  scrub does.
 
.mike
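As an added illustration of Mike's point (not part of the thread), the pf.conf fragment below puts fragment reassembly in front of the stateful rules, so that "keep state" only ever sees complete packets. The interface name is an assumption.

```pf
# Added example (not from the thread): normalise fragments before the state
# table is consulted. Interface name is an assumption.
ext_if = "fxp0"

# scrub rules are evaluated before filter rules. Reassembling here means the
# state lookup sees a whole TCP or UDP packet; without scrub, a non-first
# fragment carries no transport header at all and cannot be matched to any
# state, which is why "keep state" on its own does not cover fragments.
scrub in on $ext_if all fragment reassemble

block in on $ext_if all
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto udp from any to any keep state
```

"fragment reassemble" is the default scrub action; it is spelled out here only to make the behaviour visible in the ruleset.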


How slow can you make a queue go?

2004-08-20 Thread Ken Simpson
I recently tried to set up a 10 bit per second queue and got the
following error:

 pfctl: queue bandwidth must be larger than 5.59Kb

My pf.conf looked like this:

 # Set up a default and slow queue.
 altq on $ext_if bandwidth 100Mb cbq queue { dflt, slow }
 queue dflt bandwidth 99Mb cbq(default)
 queue slow bandwidth 10b

 #...

 pass in on $ext_if proto tcp from any os {"Windows XP"} \
  to any keep state queue slow

Is there any hard and fast reason why the queue can't go slower than
5.59Kb?

Thanks,
Ken



Moving an existing TCP connection to a different queue

2004-08-20 Thread Ken Simpson
Is there a way in pf to move a particular TCP connection from one 
queue to another -- while the connection is still live? I don't
imagine it would be really difficult; isn't it just a case of changing
an entry in the state table?

Thanks,
Ken