Re: pfsync, carp, transparent bridge

2004-09-03 Thread Sean
Lyle Worthington wrote:

 Our firewall is ipless, all traffic just runs through it because it is
 the only way in or out of our network.  

CARP and pfsync both need IPs to operate. In pfsync's case, it'll use
multicast or a unicast address. For CARP, failover is on a per IP basis
and CARP'ed addresses require an address on an existing interface.

cheers,
Sean


Re: preventing dos attacks with pf

2004-09-03 Thread Ryan McBride
On Thu, Sep 02, 2004 at 04:16:40PM +0200, Wolfgang Pichler wrote:
 an hour ago i was hit by a sort of dos attack (someone sent nearly
 20 mails to our mail addresses in the form of [EMAIL PROTECTED]).
 I've now googled around to see if it's possible to limit the number of
 connections from one ip with pf - but haven't found something useful.

 Can someone please point me to the right direction ?

Look at the pf.conf manpage, especially for

source-track and max-src-states


Re: preventing dos attacks with pf

2004-09-03 Thread Jason Opperisano
On Thu, 2004-09-02 at 10:16, Wolfgang Pichler wrote:
 hi all,
 
 an hour ago i was hit by a sort of dos attack (someone sent nearly
 20 mails to our mail addresses in the form of [EMAIL PROTECTED]).
 I've now googled around to see if it's possible to limit the number of
 connections from one ip with pf - but haven't found something useful.
 
 Can someone please point me to the right direction ?
 
 Thanks
 
 regards,
 Wolfgang

man 5 pf.conf

read the section titled STATEFUL TRACKING OPTIONS

you appear to be asking for the functionality of:

max-src-states
Limits the maximum number of simultaneous state entries that a
single source address can create with this rule.

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Time is an illusion, lunchtime doubly so. -- The Hitchhiker's Guide to
the Galaxy
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~


Re: preventing dos attacks with pf

2004-09-03 Thread John R. Shannon
All three of keep state, modulate state and synproxy state support the
 following options:

max-src-states
   Limits the maximum number of simultaneous state entries that a
   single source address can create with this rule.

On Thursday 02 September 2004 08:16 am, you wrote:
 hi all,

 an hour ago i was hit by a sort of dos attack (someone sent nearly
 20 mails to our mail addresses in the form of [EMAIL PROTECTED]).
 I've now googled around to see if it's possible to limit the number of
 connections from one ip with pf - but haven't found something useful.

 Can someone please point me to the right direction ?

 Thanks

 regards,
 Wolfgang

-- 

John R. Shannon
[EMAIL PROTECTED]
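A worked pf.conf fragment that puts the options named in the three replies above together, added here as an example; it is not code from the thread. The interface ($ext_if), the server address ($mail_srv) and the table name <smtp_abusers> are assumptions, and the max-src-conn-rate/overload options are newer than the pf of September 2004 (they appeared in a later release), so on a pf of that era only the max-src-states/source-track/max-src-nodes lines apply.

```pf
# Added example, not from the thread. $ext_if, $mail_srv and the table
# name are assumptions; adjust them to your own ruleset.
ext_if   = "fxp0"
mail_srv = "192.0.2.25"

# Sources that trip the rate limit below land in this table and stay
# blocked until removed by hand:
#   pfctl -t smtp_abusers -T flush            (drop all entries)
#   pfctl -t smtp_abusers -T expire 86400     (drop entries older than a day)
table <smtp_abusers> persist

block in quick on $ext_if proto tcp from <smtp_abusers> to $mail_srv port smtp

# Stateful tracking options on the SMTP rule:
#   source-track rule   count states per source address, for this rule only
#   max-src-states 10   at most 10 concurrent states from any one source
#   max-src-nodes 200   track at most 200 distinct sources for this rule
#                       (bounds the memory source tracking itself can use)
# max-src-states bounds *simultaneous* connections only: a sender that
# opens 20 connections one after another never exceeds it. The rate limit
# (newer than the 2004 thread) covers that case:
#   max-src-conn-rate 15/60       more than 15 new connections in 60 s from
#                                 one source adds it to <smtp_abusers>, and
#   overload <smtp_abusers> flush global
#                                 kills every state that source holds, not
#                                 only the ones created by this rule.
# The numbers are placeholders; size them to your legitimate senders.
pass in on $ext_if proto tcp from any to $mail_srv port smtp \
    flags S/SA keep state \
    (source-track rule, max-src-states 10, max-src-nodes 200, \
     max-src-conn-rate 15/60, overload <smtp_abusers> flush global)
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and watch the per-source counters with `pfctl -s sources`; the block rule is placed before the pass rule and marked quick so that a source already in the table is dropped before the pass rule is evaluated at all.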


That bastard FTP

2004-09-03 Thread Rod.. Whitworth
Due to all the people who try to do active FTP with NATted clients
behind pf firewalls doing lots of questioning about why they should
have read the FAQs, I find it difficult to construct a query to Mrs
Google about whether it is possible for an active FTP session to happen
from the NAT/Firewall itself.

I'm sure I've seen a reference to it in the past but I didn't file it
because I never (willingly) do active FTP - now Murphy comes around and
I need to get files from outside the firewall from a server that only
does active FTP.

Does that force the use of a NAT client and the proxyFTP or is there a
direct way to get the files at the firewall host?

Pointers to deficiencies in my research are thankfully received

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.


Re: That bastard FTP

2004-09-03 Thread Greg Hennessy
On 3 Sep 2004 06:50:55 -0700, [EMAIL PROTECTED] (Rod.. Whitworth) wrote:


 I'm sure I've seen a reference to it in the past but I didn't file it
 because I never (willingly) do active FTP - now Murphy comes around and
 I need to get files from outside the firewall from a server that only
 does active FTP.

 Does that force the use of a NAT client and the proxyFTP or is there a
 direct way to get the files at the firewall host?

http://archives.neohapsis.com/archives/openbsd/2004-01/0417.html

is the solution to your active ftp problems. 


greg

-- 
Felicitations, malefactors! I am endeavoring to misappropriate 
the formulary for the preparation of affordable comestibles. 
Who will join me?!


PF tables states

2004-09-03 Thread Ed White

This is a message from an interesting thread on [EMAIL PROTECTED]

http://marc.theaimsgroup.com/?l=openbsd-misc&m=109422765506037&w=2


In short the question is:

why doesn't PF kill all the states associated with the tables entries when you 
flush a table ?


Ed


Re: PF --- spamd

2004-09-03 Thread Ed White
On Thursday 02 September 2004 16:21, Ed White wrote:
 /var/db/spamd is always empty.

 Any clue ?

Since I've not found a solution I've posted the problem on [EMAIL PROTECTED]


Ed


Re: Fwd: Re: Things pf can't do?

2004-09-03 Thread Ed White
On Thursday 20 May 2004 22:05, Jeff Simmons wrote:
  Actually, it's a breath of fresh air compared to other filters I've
  worked with.
 
  *cough* iptables *cough*  LOL

 One of Linus' stated goals for the 2.7 kernel is to improve iptables so
 that it's up to the level of OpenBSD's pf.


Jeff, could you tell me some url to find that Linus's mail ?

Thanks.


Ed


carp and httpd

2004-09-03 Thread Jeff Wilson
In my pf/carp setup, the two boxes are also serving out http (port 80 and 
443).  Let's call the real hostnames A and B, and the carp hostname, 
HOST.  My clients refer to a subdirectory on http://HOST/subdir and it 
redirects them to http://A/subdir/ to fill the request.  However, my 
ruleset prevents port 80 from reaching A or B directly -- all 80/443 must 
go to the carp address, HOST.

[ Now for the part where I'm going to get toasted: ]
Anybody know what part of httpd.conf tells Apache to do this redirection? 
I'm looking for a directive that says, No, really, my hostname is not 
`hostname` but HOST!

As always, thanks for your time,
 jw


Re: PF tables states

2004-09-03 Thread Cedric Berger
Ed White wrote:
 This is a message from an interesting thread on [EMAIL PROTECTED]
 http://marc.theaimsgroup.com/?l=openbsd-misc&m=109422765506037&w=2
 In short the question is:
 why doesn't PF kill all the states associated with the tables entries when you
 flush a table ?

Why?
Because states have always survived rules.
You can remove all your rules, your states will stay there.
That is what people expect, and there is no reason to change
that default behaviour.
But since table statistics already record the fact that a
state exists for an address that is no longer there (XPASS),
optionally blocking such packets or removing the state could
be done easily. I don't know if that's a good idea.
Cedric
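The behaviour Cedric describes, illustrated as an added pf.conf fragment with the matching pfctl commands in comments; this is not code from the thread, and the interface name, the table name and the addresses in it are assumptions.

```pf
# Added example, not from the thread. $ext_if, the table name and the
# addresses are assumptions.
ext_if = "fxp0"

table <trusted> persist { 192.0.2.10, 192.0.2.11 }

block in on $ext_if
pass in on $ext_if proto tcp from <trusted> to ($ext_if) port ssh keep state

# Removing an address from the table only affects *new* connections:
#   pfctl -t trusted -T delete 192.0.2.11
# A session that 192.0.2.11 opened earlier keeps flowing, because its
# packets match the existing state entry before the ruleset (and so the
# table) is consulted at all. Flushing the table is no different:
#   pfctl -t trusted -T flush
#   pfctl -s states | grep 192.0.2.11      # the state is still listed
# Packets passed on such a state show up in the table's per-address
# counters as XPass (pfctl -t trusted -vT show).
# To end the sessions, kill the states explicitly, by source address:
#   pfctl -k 192.0.2.11
# or by source and destination (second -k is the destination host):
#   pfctl -k 192.0.2.11 -k 192.0.2.1
# Rules behave the same way: pfctl -F rules leaves every state in place;
# pfctl -F states (or -F all) is what drops them.
```

The practical rule for a ruleset that gates access with a pass-from-table entry is therefore: removing an address from the table revokes future access, and `pfctl -k` revokes current access; do both when the removal is meant to take effect immediately.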