Re: Use a specific ADSL depending on IP

2010-01-05 Thread Michiel van Baak
ot;{ xxx }"
> callcenter="xxx"
> 
> # 2.Tables
> # Not used at present
> # 3.Options
> set skip on lo
> set optimization conservative
> set limit states 5
> 
> # 4. Scrub traffic
> scrub all
> 
> # 5. Queueing
> altq on $int_if cbq bandwidth 30Mb queue { zona1, zona2, zona3 }
> 
>  queue zona1 bandwidth 10Mb { centraleta, cpd1, ssh1, nocpd1 }
>     queue centraleta bandwidth 50% priority 7 cbq(default)
>     queue cpd1 bandwidth 25% priority 6 cbq(borrow)
>     queue ssh1 bandwidth 5% priority 3 cbq
>     queue nocpd1 bandwidth 20% priority 0 cbq
> 
>  queue zona2 bandwidth 10Mb { cpd2, ssh2, nocpd2 }
>     queue cpd2 bandwidth 40% priority 7 cbq
>     queue ssh2 bandwidth 40% priority 3 cbq(borrow)
>     queue nocpd2 bandwidth 20% priority 0 cbq
> 
>  queue zona3 bandwidth 10Mb { cpd3, ssh3, nocpd3 }
>     queue cpd3 bandwidth 60% priority 7 cbq
>     queue ssh3 bandwidth 25% priority 3 cbq(borrow)
>     queue nocpd3 bandwidth 15% priority 0 cbq
> 
> # 6. Translation
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> nat on $ext_if3 from $lan_net to any -> ($ext_if3)
> 
> # 7. Filter rules
> 
> ## from LAN to Internet: INBOUND to bge0 ##
> # dept_a using their own ADSL
> pass out on $int_if route-to \
> ($ext_if1 $ext_gw1) \
> proto { tcp udp } from $dept_a to any keep state
> 
> # dept_b using their own ADSL
> pass out on $int_if route-to \
> ($ext_if2 $ext_gw2) \
> proto { tcp udp } from $dept_b to any keep state
> 
> # dept_c using their own ADSL
> pass out on $int_if route-to \
> ($ext_if3 $ext_gw3) \
> proto { tcp udp } from $dept_c to any keep state
> 
> ## from LAN to internet: OUTBOUND on bge1/re0/fxp0
> pass out on $ext_if1
> pass out on $ext_if2
> pass out on $ext_if3
> 
> ###
> 
> ### traffic from INTERNET to LAN 
> ## from Internet to LAN: INBOUND to bge1/re0/fxp0 ##
> pass in on $ext_if1
> pass in on $ext_if2
> pass in on $ext_if3
> 
> ## from Internet to LAN: OUTBOUND to bge0 ##
> 
> ### dept_a
> pass in on $int_if route-to \
> ($ext_if1 $ext_gw1) \
> proto udp from $dept_a to $callcenter02 \
> keep state \
> queue centraleta  
> 
> pass in quick on $int_if route-to \
> ($ext_if1 $ext_gw1) \
> proto tcp from $dept_a to $cpd \
> port 22 keep state \
> queue ssh1
> 
> pass in quick on $int_if route-to \
> ($ext_if1 $ext_gw1) \
> proto tcp from $dept_a to $cpd \
> keep state \
> queue cpd1
> 
> pass in quick on $int_if route-to \
> ($ext_if1 $ext_gw1) \
> proto tcp from $dept_a to $cpd \
> keep state \
> queue nocpd1
> 
> ### dept_b
> pass in quick on $int_if route-to \
> ($ext_if2 $ext_gw2) \
> proto tcp from $dept_b to $cpd \
> port 22 keep state \
> queue ssh2
> 
> pass in quick on $int_if route-to \
> ($ext_if2 $ext_gw2) \
> proto tcp from $dept_b to $cpd \
> keep state \
> queue cpd2
> 
> pass in quick on $int_if route-to \
> ($ext_if2 $ext_gw2) \
> proto tcp from $dept_b to $cpd \
> keep state \
> queue nocpd2
> 
> ### dept_c
> pass in quick on $int_if route-to \
> ($ext_if3 $ext_gw3) \
> proto tcp from $dept_c to $cpd \
> port 22 keep state \
> queue ssh3
> 
> pass in quick on $int_if route-to \
> ($ext_if3 $ext_gw3) \
> proto tcp from $dept_c to $cpd \
> keep state \
> queue cpd3
> 
> pass in quick on $int_if route-to \
> ($ext_if3 $ext_gw3) \
> proto tcp from $dept_c to $cpd \
> keep state \
> queue nocpd3
> -
> 
> 
> It sounds clear too... but it simply doesn't work.
> 
> I'm convinced that my final goal (using an ADSL depending on the LAN
> client's IP and also using the queue) is possible, but it seems hard right
> now.
> 
> Thanks in advance.
> 
> -- 
> I must not fear. Fear is the mind-killer. Fear is the little-death
> that brings total obliteration. I will face my fear. I will permit
> it to pass over me and through me. And when it has gone past I will
> turn the inner eye to see its path. Where the fear has gone there
> will be nothing. Only I will remain.
> 
> Bene Gesserit Litany Against Fear.

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Michiel van Baak
On 15:40, Fri 18 Dec 09, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to 
> allow
> administrative access to a firewall only from specific ip addresses.
> 
> Unfortunately, some of the administrators are working from dynamic ip 
> addresses
> that change with some frequency.
> 
> Is there a straightforward way to incorporate dynamic ip source addresses in 
> the
> pf ruleset?

You can go with the previously mentioned table + resolving script cron job,
or you can not restrict access to ssh based on IP but disable root ssh
login and password authentication, ask for public keys, and go with that.

This is the way I chose (mostly because of GPRS/UMTS/HSDPA access
nowadays) and it's working great.
-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
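The "table + resolving script cron job" approach mentioned in this reply, as an added example that is not from the thread: a POSIX sh script that resolves each administrator's dynamic DNS name and replaces a pf table with the results. It assumes a table named admins declared persist in pf.conf and referenced by the ssh pass rule, dig(1) for the lookup, and constructed placeholder hostnames.

```shell
#!/bin/sh
# Added example, not from the thread. Refresh the pf table <admins> from
# dynamic DNS names, run from cron. Assumed pf.conf side:
#   table <admins> persist
#   pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh
set -eu

ADMIN_HOSTS="admin1.dyndns.example admin2.dyndns.example"   # constructed names
TABLE="admins"
PFCTL="${PFCTL:-pfctl}"

# Accept only a plain dotted-quad IPv4 address. CNAME targets, resolver
# error text or an empty answer must never be handed to pfctl.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the valid A records of one name, one per line (dig is an assumption;
# adapt the lookup if host(1) is what you have).
resolve_a() {
  dig +short A "$1" 2>/dev/null | while read -r line; do
    valid_ipv4 "$line" && printf '%s\n' "$line" || :
  done
}

# Replace the table with the freshly resolved set in one pfctl call. If any
# name fails to resolve, keep the current entries instead of locking everyone out.
refresh_table() {
  new=""
  for h in $ADMIN_HOSTS; do
    addrs=$(resolve_a "$h")
    if [ -z "$addrs" ]; then
      echo "refresh_table: $h did not resolve, table $TABLE left unchanged" >&2
      return 1
    fi
    new="$new $addrs"
  done
  # shellcheck disable=SC2086   # word splitting of $new is intended
  "$PFCTL" -t "$TABLE" -T replace $new
}

# Only touch pf when invoked as "admin-table.sh refresh", e.g. from crontab:
#   */5 * * * * /usr/local/sbin/admin-table.sh refresh
if [ "${1:-}" = "refresh" ]; then
  refresh_table
fi
```

A resolver answer is only as trustworthy as DNS itself, which is why this belongs next to the key-only ssh login the reply recommends rather than instead of it.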


Re: Reality check

2008-09-10 Thread Michiel van Baak
On 17:37, Wed 10 Sep 08, Rod Whitworth wrote:
> I'm suffering from sleep deprivation today so benzedrine.cx sounds
> inviting ;-)
> 
> Anyway a friend has a problem and I'd like a check on the sanity of my
> hazy proposed solution.
> 
> All addresses are fictitious.
> 
> X has a webserver which has address 1.2.3.4 He wants to change his
> hosting to another provider where a new server will be given address
> 5.6.7.8
> 
> The time of changeover is not entirely under X's control but the
> domain's DNS is.
> 
> X would like all traffic to proceed to/from 1.2.3.4 until 5.6.7.8 is
> ready and then switch with absolutely minimal downtime. Of course..
> 
> My foggy brain says that it should be possible to use a box running pf
> to route requests arriving on one external interface (say 9.8.7.6) out
> another one (we have enough spare IPs on separate netblocks) to 1.2.3.4
> until cut-over time and then pf.conf swaps to sending it to 5.6.7.8.
> 
> If we put 9.8.7.6 into the DNS as the webserver address we should be
> able to transparently route the traffic to whichever real webserver we
> wish .. I think.
> 
> Then when all is stable we swap the DNS records to point to 5.6.7.8 and
> when no more traffic is seen to pass through our "black box router" we
> dispense with it.
> 
> Will this scheme work? Do I need to use binat? (all addresses are
> global) does it matter if the webserver answers client requests and the
> traffic does not come back via the black box?
> 
> Normally I'd throw some boxes together and try it but I need sleep
> before doing that and maybe someone cluey will tell me not to bother
> because it's crazy or (oh happy day) that of course it will work, don't
> i know pf is magic?
> 
> Sure I do but i am not very magic just now and I'd like to give ny
> buddy a realistic guess as to how doable it is.

Here's what I would do:
install balance-ng on the box with IP 1.2.3.4
Set up the new server and give it IP 5.6.7.8
once you think the new server is ready to go into production, stop the
webserver on 1.2.3.4, start balance to proxy all incoming traffic to
5.6.7.8
change DNS records
watch the logs from balance on 1.2.3.4 and give the box a new task once
all web traffic is going directly to 5.6.7.8

No need for extra boxen or whatever.
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: Blocking proto 0

2008-04-08 Thread Michiel van Baak
On 15:49, Tue 08 Apr 08, Stuart Henderson wrote:
> On 2008/04/08 14:47, Ian Chard wrote:
> >>
> >> Hmm, it looks like IP-in-IP packets are blocked by default. See
> >> sysctl(3) about net.inet.ipip.allow.
> 
> That's only to the local host; PF normally forwards them unless you do
> a default block (then you need to list the wanted protocols explicitly
> e.g. "pass on iface proto {tcp,udp,icmp,gre,igmp,whatever}")

Isn't this the base setup for a firewall ?
There's not a single setup I manage where the default is not a block.
And I'm talking Linux, OpenBSD, Cisco here.
I think the default block is the base of a good firewall.

-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: queuing question

2008-02-28 Thread Michiel van Baak
On 11:28, Wed 27 Feb 08, Daniel Duerr wrote:
> Hello,
> 
> I understand from the pf documentation (and logic) that you cannot  
> queue incoming packets on an interface, makes sense...  In various  
> examples around the net, however, I've seen people attaching queues  
> to inbound rules as well.  I'm confused as to whether this is just a  
> mistake or if people are doing this on INBOUND rules which keep state  
> in order to have all OUTBOUND packets which are state tracked to that  
> rule get the queue assignment from the inbound rule.  Can someone  
> please clarify?

The latter is correct.

-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: simulate max traffic on an interface using queue

2007-10-02 Thread Michiel van Baak
On 11:02, Tue 02 Oct 07, Sebastian Reitenbach wrote:
> Hi,
> 
> I want to simulate some max bandwidth on an interface of a test box, e.g.
> 34MBit, 155MBit, ... to make some tests. The test box has some gigabit
> interfaces installed.
> 
> I read in the pf.conf manual that I can define a maximum bandwidth for an
> interface, instead of taking the bandwidth from the interface itself. I just
> have to enable queueing, like this:
> 
> altq on dc0 cbq bandwidth 5Mb queue { my_test_queue }
> 
> just my question is, will pf honour the limit of 5Mb on that interface,
> regardless how much faster it could be? Or will it try to be "intelligent"
> and use all available bandwidth?

If you apply the my_test_queue to your rules it will stick
to the 5Mbit:
pass out on $test_if proto tcp from any to any port \
$test_port queue my_test_queue

Keep in mind shaping only works for outbound packets. If you
want incoming to be shaped as well let all traffic go
through the machine and queue on both interfaces.

-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: spamd reflector

2007-09-28 Thread Michiel van Baak
On 16:11, Thu 27 Sep 07, [EMAIL PROTECTED] wrote:
> I'm trying to build a spamd box that will be setting next to and not  
> in front of the actual mx server.
> 
> I'm thinking I won't be able to do a straight reflection, and will  
> probably need some sort of proxy.  Anyone done similar?
> 
> I'm thinking netcat proxy or ssh tunnel, but I'm interested in what  
> others have done and what would be the most elegant solution.
> 
> I'm leaning away from netcat because we tend to get a lot of message  
> and an open copy of netcat (called via inetd) for each message might  
> be kind heavy, OTOH what if the ssh tunnel were to go down?  At least  
> via inetd one lost connection wouldn't affect the opening of another.

Get a switch that can copy traffic from/to a port to another
port on the switch. That way you can get the same data to
your real MX and to your spamd box.

This looks like a weird setup to me though. Why can't you run
spamd in front of your MX ?
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: Firewall and the best PF throughput

2007-08-15 Thread Michiel van Baak
On 12:04, Tue 14 Aug 07, [EMAIL PROTECTED] wrote:
> Hello,
> 
> What could be the throughput that a firewall working with OpenBSD 4.1
> and PF can reach with 2 and with 4 interfaces fast ethernet ???

It all depends on the ruleset and the type of interfaces but
you should be able to get 200 and 400 Mbit when you use the
right setup.
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: LAN layout for CARP usage

2007-04-28 Thread Michiel van Baak
On 21:07, Fri 27 Apr 07, Phusion wrote:
> I have a question about the LAN layout for a CARP firewall setup. I am 
> wondering what would be more preferable using a hub or a switch in the LAN 
> layout below.
> 
> router
> |
> hub or switch ?
> / \
> fw1  fw2
> \ /
> hub or switch ?
> |
>   LAN
> 
> Let me know what you think.

You can still buy hubs? 
I would never use hubs anymore. You can get cheap unmanaged
switches so go with them.

For example: we pay like 300 euro for a 24 port gigabit
switch (unmanaged of course).
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: using pf to block multiple connections in a given time

2007-02-16 Thread Michiel van Baak
On 04:50, Fri 16 Feb 07, John wrote:
> Hello list
> 
> I've taken normal steps to secure ssh (via key only) but, because it
> is still on the normal port (22), I keep seeing attempts like this in my
> auth log:
> 
> This is every couple of seconds as you can see. What i'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the connection. Can pf do this?
> 

This is very well possible.
Have a look here:
http://www.openbsd.org/faq/pf/filter.html#stateopts

What you want is the overload stuff. Works great on my
setup. Use it for ftp and ssh.
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: Question about port Forwarding (or Triggering ?)

2007-02-11 Thread Michiel van Baak
On 13:40, Sun 11 Feb 07, Daniel Hartmeier wrote:
> In -current, there's a command to expire unused addresses explicitly
> 
>  * * * * * pfctl -t free_lan_host -T expire 60
> 

or use the expiretable program from ports :)
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: establish

2006-12-13 Thread Michiel van Baak
On 15:44, Wed 13 Dec 06, Albert Shih wrote:
> Hi all
> 
> How can I translate this ipfw rule 
> 
>   ipfw add permit from any to any established
> 
> into pf rule ?

I don't know ipfw but my guess:
pass out on $ext_if inet proto tcp all flags S/SA \
    modulate state
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: PF Table Size - Sanity Check

2006-11-07 Thread Michiel van Baak
On 22:12, Tue 07 Nov 06, Cédric Berger wrote:
> There is no way it can work on a 32-bit i386 system.
> 
> This kind of pointer limitation is the first reason why
> ppl move to 64-bit systems, so that might be worth testing
> on a (maybe tuned) amd64 kernel.

How about the core 2 duo and xeon intel stuff ?
Those are EM64T.
-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"


Re: auto-adding bad hosts to a table

2006-02-23 Thread Michiel van Baak
On 14:48, Wed 22 Feb 06, Chris Smith wrote:
> In addition to preventing infected PC's from using their own SMTP engine 
> to send out spam by blocking port 25 from all but the mail server. I 
> would also like to add those hosts automatically to a table in order to 
> block their access altogether so that the infected PC's cannot attempt 
> other damage. How can this be accomplished?

Hi,

You can use the max-src-conn-rate for this.
I block users who make more than 2 ssh connections in 10
seconds like this:

pass in on $ext_if proto tcp from any to any \
port ssh flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 2/10, \
overload  flush)

I guess you could use something like max-src-conn-rate 1/10

Greetz,

-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
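What the max-src-conn-rate 2/10 part of the rule above means in practice, as an added example that is not from the thread: a POSIX sh/awk function that replays constructed connection attempts ("epoch_seconds source_ip" lines, sorted by time) and prints each source that opens more than N new connections inside any T-second window, i.e. the sources pf would move into the overload table. It approximates pf's rate accounting with an exact sliding window, which is close enough for checking a threshold such as the suggested 1/10 against real connection logs before deploying it.

```shell
#!/bin/sh
# Added example, not from the thread. Replay connection attempts and report
# the sources that would trip "max-src-conn-rate N/T" (approximated here as
# an exact sliding window; pf itself uses a decaying counter, so borderline
# cases can differ by one attempt).
set -eu

# Usage: exceeds_rate N T  < lines of "<epoch_seconds> <source_ip>", sorted by time.
# Prints each offending source once, at the moment it crosses the threshold.
exceeds_rate() {
  awk -v limit="$1" -v window="$2" '
  {
    t = $1 + 0; ip = $2
    # Drop attempts from this source that have aged out of the window.
    n = 0
    for (i = 1; i <= cnt[ip]; i++)
      if (ts[ip, i] > t - window) keep[++n] = ts[ip, i]
    for (i = 1; i <= cnt[ip]; i++) delete ts[ip, i]
    for (i = 1; i <= n; i++) ts[ip, i] = keep[i]
    # Record the current attempt and compare the window count with the limit.
    cnt[ip] = n + 1; ts[ip, cnt[ip]] = t
    if (cnt[ip] > limit && !(ip in flagged)) { flagged[ip] = t; print ip }
  }'
}

# Constructed sample: one source bursting three SYNs in five seconds, one
# slow and steady, and one that only bursts at the very end.
SAMPLE_LOG='0 203.0.113.5
0 198.51.100.9
3 203.0.113.5
5 203.0.113.5
20 198.51.100.9
30 203.0.113.5
40 198.51.100.9
100 192.0.2.77
109 192.0.2.77
111 192.0.2.77
112 192.0.2.77'

# The ssh threshold from the thread (2/10): prints 203.0.113.5 and 192.0.2.77,
# while 198.51.100.9 never has more than two attempts in any ten seconds.
overloaded_ssh_sources() {
  printf '%s\n' "$SAMPLE_LOG" | exceeds_rate 2 10
}
```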


Re: NAT / RDR Questions

2006-02-03 Thread Michiel van Baak
Can't you use IAX2?
I trashed all SIP DID providers and switched to IAX2 and
haven't been happier with my system since
-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: Presenting blocked IPs a different webpage instead of blocking them?

2005-12-07 Thread Michiel van Baak
On 15:46, Wed 07 Dec 05, Webcharge wrote:
>  
> > one thing you could do is to run an instance of apache on a high port,
> > and put in a redirect call to forward the blocked ip's to localhost on
> > the high port
> 
> The other port idea makes sense and sounds like a good method, thanks!
> I think I will look for a smaller webserver though as it seems a bit
> overkill to run another Apache just for this purpose.
> 

No need to configure and run a complete new instance of
apache. Simply add another line like:
Listen 8081

-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: pf/carp for redundant production use

2005-09-25 Thread Michiel van Baak
On 07:30, Sun 25 Sep 05, Neil wrote:
> Yep, the same behavior when the master dies. The solution that the person 
> in #pf told me is use routing but I don't know how to implement. He told me 
> that it's an issue in pf's NAT. 

Does this mean you cannot failover an office NAT firewall ?
Pretty useless then if you ask me
-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: pf/carp for redundant production use

2005-09-25 Thread Michiel van Baak
On 00:21, Sun 25 Sep 05, Neil wrote:
> Hi everyone, 
> 
> Just chat with someone in #pf and found out that pf at the moment cannot 
> maintain state on TCP connections from internal machine to external machine 
> when network cable on master firewall's external interface is removed. 
> 
> Anyways, most connections are coming from outside to inside and that is 
> working well. :) 
> 

Is the same true when the master dies?

-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: [Fwd: Problems with voip and state clashes]

2005-06-30 Thread Michiel van Baak
On 09:14, Wed 29 Jun 05, Tim Pushor wrote:
> No ideas?
> 
> Even though most are using asterisk behind a nat with simple port 
> forwarding, it looks like I am unable to do this with pf. I have grown 
> to love pf so much it would be a shame to have to dump it on MY network :-(
> 
> Thanks,
> Tim
> 
> 
>  Original Message 
> Subject:  Problems with voip and state clashes
> Date: Sun, 26 Jun 2005 10:55:48 -0600
> From: Tim Pushor <[EMAIL PROTECTED]>
> To:   PF List 
> 
> 
> 
> Hi Friends,
> 
> I am having real trouble with PF and Asterisk behind a NAT.
> 
> The long and short of it is that I'd really like NAT a subset of 
> traffic, without putting the connection in the translation table. That 
> is, I want to translate the source ip:port on the outbound, but not 
> worry about return traffic (since it is handled by a RDR, hence the clash).
> 
> Is that possible?
> 
> I know this is short on details, but if there's an easy way to do that, I 
> don't need to bore you with them ;-)
> 
> Thanks a lot,
> Tim

Tim,

Without details of your current setup it's hard to help.
Please provide some more info.
-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: natting static IP's

2005-06-28 Thread Michiel van Baak
On 12:41, Sun 26 Jun 05, David Hill wrote:
> > David Hill <[EMAIL PROTECTED]> writes:
> >
> >> nat on sis0 inet from ! sis0:0 to any -> (sis0)
> >
> > This sounds a bit too inclusive for my tastes. I assume the address
> > range your DHCP daemon uses is known as well as the fixed addresses, so
> > why not use those instead, ie
> >
> > myranges = { 192.168.100.0/24, 192.168.101.0/24 }
> >
> > nat on $ext_if from $myranges to any -> ($ext_if)
> >
> > just my NOK 0.02
> >
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> > http://www.nuug.no/
> > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> >
> >
> 
> Well, I don't think I gave you all info.
> 
> Lets say I have my box running with sis0 and ath0.  sis0 has a public IP
> of 216.1.1.1.  ath0 is running on private IP 10.0.0.1, serving DHCP for
> 10.0.0.0/24.  But, lets say a person wanting to use the wireless hotspot
> has  a static IP (public or private) set on his laptop and not set to use
> DHCP.  Is there any possible way we could NAT his machine as well?
> 
> The Cisco BBSM software could do it, but I cannot figure out how it worked.

Hi,

Some conference centers here do that.
They simply arp for all MAC addresses on the network and
that way the router sees an ip that is from your configured
lan. I know it's lame, but hey, it works

-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"


Re: PF help

2005-06-18 Thread Michiel van Baak
On 22:59, Fri 17 Jun 05, Frank Cases wrote:
> 
> Hi all
> 
> we got a current setup which involves
> 
> FW1 and FW2 carped and pfsynced as pf firewalls
> 
> and CLUSTER having HOST A,B under them
> 
> they are using carp to failover load balance also
> 
> We would need a hand in configuration.
> 
> PROBLEM :
> 
> we have a server running on HOST A,B using tcp, udp 4569 5060 and -2000k
> 
> thing is when the traffic come to 4569 or 5060 the RTP stream is not
> rewritten right and goes back out to a 192.168. if the client had that
> as source addy..
> 
> 
> and it's also sending 172.0.16.200 as SRC ip back to client which makes a
> return packet impossible.
> 
> 
> 
> Can one help ?
> 

I think this is not a PF issue but an asterisk issue :)
In sip.conf you should set the externip and localnet vars 
Also try canreinvite=no for all clients.

That is the way it works here :) Almost same setup as you
have.
-- 
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: Is NAT in PF UPnP enabled or Non UPnP?

2005-05-27 Thread Michiel van Baak
On 16:21, Fri 27 May 05, Siju George wrote:
> On 5/26/05, Ingolf Zeiner Petersen <[EMAIL PROTECTED]> wrote:
> > I don't think PF supports UPnP. But you should try to forward 3389/tcp
> > to you NAT'ed computer (the rdp -port).
> > 
> 
> Thankyou so much Ingolf for your tip :-)
> 
> But this will only allow one Computer to connect to the Windows Remote
> Desktop at a time isn't it?
> 
> How will you let a no. of users on the LAN behind an OpenBSD firewall
> connect to the remote desktop simultaneously???
> 
> 
> Thankyou once again :-)
> 
> kind regards
> 
> Siju

You mean:
You have some windows pc's on your LAN and they want to
connect to remote desktop on the outside ?
To do that you don't need to do any rdr rules, a simple nat
is ok.
If, on the other hand, you want to connect to the pc's on
your lan from the outside, you need to put the rdr rules in
your PF.
If you want to be able to connect to all of them, do
something like:
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> \
$winmachine1 port 3389
rdr on $ext_if proto tcp from any to $ext_if port 3390 -> \
$winmachine2 port 3389
etc

-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: questions about daniel hartmeier's pf.conf example ...

2005-04-25 Thread Michiel van Baak
On 17:47, Mon 25 Apr 05, alex wilkinson wrote:
> Hi all,
> 
> I am following daniel hartmeier's example pf.conf
> [http://www.benzedrine.cx/pf.conf].
> 
> Something that I notice is that daniel allows all outgoing TCP and UDP
> traffic regardless of where it is going.
> 
> Question: Isn't this a bad thing ? I would have thought it is best
> practice to only allow incomming and outgoing connections
> _explicitly_.  With the reason being some OS upload information to
> base camp (redmond) for statistical analysis.
> 
> I do something along the lines of:
> 
> pass out on $EXT_IF inet proto tcp from $INT_IF:network to any  \
> port {80,443,22,21,20,6667} flags S/SA keep state

This will also allow the upload of info from windows update.
The connection to port 80 will create state and the stats
upload is simply a hidden form posted to $random_ms_server.

> 
> So in a nutshell, do most of you guys just allow all TCP/UDP traffic
> out ? Or is what I am currently doing better ?

99% of the time it is enough to filter incoming traffic and
allow outgoing traffic out

> 
> Cheers
> 
>  - Alex

-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: NAT state not deleted after IP change (DHCP)

2005-02-10 Thread Michiel van Baak
On 21:00, Thu 10 Feb 05, Cyrill Rüttimann wrote:
> Hello,
> Keep alive on the server is nat=yes in the sip.conf?
> 
yes.
> 
> Not well suited means, that you have to define the internal ip on the 
> asterisk server (sip.conf) and the external ip on the sip.conf. If you 
> are running several servers, that is a burden. There is no single 
> sip.conf in the cvs to feed all servers. Every sip.conf is unique per 
> server. In addition, clients have (most of them) to use STUN-Servers. 
> If you compare to the iax protocol, you have a unique iax.conf on all 
> server and no STUN-Server's.
> 
I don't use a STUN server. I just map the 5060 with static-port
and all works perfectly.
Indeed, the IAX conf is way easier, but not that many hw
phones use the IAX protocol.
I was just replying because I hear a lot of ppl yell "DON'T use
SIP when doing NAT, it will BREAK things". And that's just
plain crap. OK, it takes 2 different pf.conf lines.
> 
> 
> >
> >Then about the bandwidth:
> >What codec are you using ? If you use ulaw/alaw the soekris
> >should keep up at 20 calls. Try to stay away from iLBC, it
> >is huge but doesn't sound any better than ulaw.
> 
> g711u (raw, I think). We provide box-phones with g711u or g729a if the 
> customer has limited bandwidth available.
> But we have to handle hundreds of calls at the same time and to test, 
> we have to take the codec with the biggest bandwidth ...
> 
agreed. Don't want to upgrade every time you get a new
customer right ? To be honest I never tested beyond 50
concurrent calls. I do know those 50 calls went smoothly
thru a cheap Realtek based card plugged into our good old
Pentium 133 MMX. 
> 
> Thanks,
> 
> Cyrill

-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: NAT state not deleted after IP change (DHCP)

2005-02-10 Thread Michiel van Baak
On 22:55, Tue 08 Feb 05, Cyrill Rüttimann wrote:
> Hi Daniel,
> 
> Thanks for the answer and insights to the lower levels of the networked 
> world. I have now hopefully solved my problem. I can see in the state 
> table, that the state expires and after a few seconds, the state is 
> recreated again (heartbeat 25s, timeout 20s):
> 
> # voip
> nat on $ext_if from  to any -> ($ext_if) static-port
> pass out quick on $ext_if inet proto {udp} from ($ext_if) to any port \
> sip keep state (udp.first 20, udp.single 20, udp.multiple 20)
> 
> 
> >
> >If you force a constant proxy port to be used for all such connections,
> >neither peer will notice that you removed and re-created state 
> >entries.
> >With one little catch: during the time when there is no state entry
> >(after the previous state has been removed and before the next one is
> >created), the external peer will not be able to send your phone any UDP
> >packets (assuming you create state on outgoing packets from the phone
> >only). I don't know the SIP protocol, but it's possible that the peer
> >might want to send the phone a packet without being actively queried by
> >the phone first (like, when there's a call to pick up or such).
> 
> - after successfully registering, the client (phone) sends a keep alive 
> heartbeat to the sip-proxy. No packet is sent back from the sip-proxy.
> 
> - there is a reregistration every x seconds
> 
> - if someone calls me, packets are sent (only udp) from the sip-proxy 
> to my phone (that is why the sip-protocol is not well suited to handle 
> firewalls (specially NAT). They have to handle out the port to send RTP 
> packages.
> 
> That problem kept me busy for a too long time.
> 
> For those who are interested, we will roll out (now in production test) 
> soon a Firewall based on OpenBSD/AMD64 and pf to load balance traffic 
> to our SIP-Proxies. We started with the Soekris Net4801. But load tests 
> pointed out, that the 3 network interfaces are sitting on the same IRQ. 
> The CPU was nearly only handling interrupts and  the solution was 
> capable to filter about 20-25 phone calls at the same time (not the 
> promised 20Mbit/s). A phone call produces a lot of traffic (depending 
> on the interval sending RTP-Packages). We now have switched to a 
> cluster (CARP) of HP DL145's with AMD's Opteron CPU :-)
> 
> Regards,
> 
> Cyrill
Hi,

I couldn't resist commenting on some lines here.
First of all, if you enable keepalive from the sip proxy to
the phones (both SER and asterisk can do that) the state
from server to phone won't be expiring. That way it is also
not true that SIP is not well suited for firewalled
connections. I have an asterisk server behind a natting
firewall on location A and some phones on different
residential places and both Linux and OpenBSD firewalls and
all is working smoothly. Just be sure to limit the RTP port
range so it's easy to forward it to the internal VOIP
server.

Then about the bandwidth:
What codec are you using ? If you use ulaw/alaw the soekris
should keep up at 20 calls. Try to stay away from iLBC, it
is huge but doesn't sound any better than ulaw.

Just my 2 cents.
-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: macros and anchors

2005-01-30 Thread Michiel van Baak
On 07:40, Sun 30 Jan 05, Fernando Braga wrote:
> On Sat, 29 Jan 2005 13:06:00 -0500, solarflux.org/pf <[EMAIL PROTECTED]> 
> wrote:
> > Peter Huncar wrote:
> > 
> > > Is there any way to manage macros across rulesets?
> > 
> > Sure.  Just figure out how to write a little script to find and replace
> > the targeted macro(s) across multiple files.
> 
> This could be accomplished with a include directive, which is not
> supported by pfctl nowadays.
> 
> But I don't know what Daniel and Henning think of it.

Like Daniel posted on Friday 28:
http://www.benzedrine.cx/pf-include.diff

Have fun.
-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Re: Jeff quast

2005-01-28 Thread Michiel van Baak
On 01:49, Fri 28 Jan 05, Daniel Hartmeier wrote:
> On Thu, Jan 27, 2005 at 05:34:36PM -0600, Kevin wrote:
> 
> > Now if only pf.conf could use #include, you'd really have something.
> 
> You mean like this? :)
> 
>   http://www.benzedrine.cx/pf-include.diff
> 
> Daniel
Thnx Daniel,

Any idea if this will be included in the main trunk someday?

-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Two of the most famous products of Berkeley are LSD and BSD. I don't think 
that this is a coincidence."


Fw: memory issue

2004-05-21 Thread Michiel van Baak
On Fri, 21 May 2004 09:55:56 +1200 Russell Fulton <[EMAIL PROTECTED]> wrote:

> On Fri, 2004-05-21 at 00:15, Michiel van Baak wrote:
> > On Thu, 13 May 2004 12:47:42 +0200 Michiel van Baak <[EMAIL PROTECTED]> wrote:
> > 
> > > Hi all,
> > > 
> > > I'm trying to set up my spamd table in pf.
> > > I used Daniel's script as he posted it on http://www.benzedrine.cx/relaydb.html 
> > > as a template for my own script (see below)
> > > When I run my script it fails with the error: pfctl: Cannot allocate memory.
> > > 
> > > Any idea how I can make this work?
> > > 
> 
> I'm a pf novice but I would suggest that you isolate which invocation of
> pfctl is getting the error by executing the script with -x. You also
> need to tell us how many entries there are in the tables you are
> creating.  Have you looked at the files that are fed to pfctl to make
> sure they are sane?
> 
> In short, you have not given enough information to for anyone to even
> guess at what the problem is.
> 
> Russell
> 

The line that gets the error is: pfctl -t spamd -Tr -f spammers.tmp
the file spammers.tmp looks valid to me 
(http://lunteren.vanbaak.info/files/spammers.tmp) and holds 1269907 lines:
cat spammers.tmp| wc -l
/usr/local/sbin/spamfilter> cat spammers.tmp| wc -l
 1269907

When I execute the command it tells me:

/usr/local/sbin/spamfilter> pfctl -t spamd -Tr -f spammers.tmp
pfctl: Cannot allocate memory.

top shows me there is enough memory free:
Memory: Real: 57M/158M act/tot  Free: 57M  Swap: 156M/500M used/tot

Before I tried to load the file into the table I did: 
pfctl -t spamd -T flush

The output I get with debug set to loud:

/usr/local/sbin/spamfilter> pfctl -x loud
debug level set to 'loud'
/usr/local/sbin/spamfilter> pfctl -t spamd -T flush
0 addresses deleted.
/usr/local/sbin/spamfilter> pfctl -t spamd -Tr -f spammers.tmp
pfctl: Cannot allocate memory.
255:/usr/local/sbin/spamfilter>

that 255 is the exit code of pfctl

Hope this is enough info now :)

PS: sorry for the double post. I forgot to send it to the list and instead posted it to 
Russell off list.
---
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]

"Two of the most famous products of Berkeley are LSD and Unix. I don't think that this 
is a coincidence."


Re: memory issue

2004-05-20 Thread Michiel van Baak
On Thu, 13 May 2004 12:47:42 +0200 Michiel van Baak <[EMAIL PROTECTED]> wrote:

> Hi all,
> 
> I'm trying to set up my spamd table in pf.
> I used Daniel's script as he posted it on http://www.benzedrine.cx/relaydb.html as a 
> template for my own script (see below)
> When I run my script it fails with the error: pfctl: Cannot allocate memory.
> 
> Any idea how I can make this work?
> 
> Some info about my setup:
> OpenBSD griever.vanbaak.info 3.5 GENERIC#1 i386 Intel Pentium II ("GenuineIntel" 
> 686-class, 512KB L2 cache)
> Build date 6 May
> 144 MB RAM
> 500 MB swap space
> 
> my script to generate the spammers list, whitelist and pf tables:
> 
> #!/bin/sh
> cd /root/spamfilter
> rm SBL.cidr
> rm spammers.tmp
> rm nonspammers.tmp
> wget -q http://bliab.com/sbl/SBL.cidr.bz2
> bunzip2 SBL.cidr.bz2
> rsync rsync://rsync.cbl.abuseat.org/cbl/list.txt list.txt
> relaydb -4lb -f /var/tmp/.relaydb > relay-black
> relaydb -4lw -f /var/tmp/.relaydb > relay-white
> cat SBL.cidr | grep -v '#' | cut -f 1 >>spammers.tmp
> cat list.txt | grep -v '#' | grep -v '^:' >>spammers.tmp
> cat relay-black >> spammers.tmp
> cat relay-white >> nonspammers.tmp
> cat mywhite >> nonspammers.tmp 
> pfctl -t spamd -Tr -f spammers.tmp
> cat nonspammers.tmp | \
> pfctl -t spamd -vvTt -f - | \
> grep "^M " | grep -v "/" | \
> awk '{ printf("%s\n", $2); }' | \
> pfctl -t spamd -Td -f -
> cat nonspammers.tmp | \
> awk '{ printf("!%s\n", $1); }' | \
>     pfctl -t spamd -Ta -f -
> 
> 
> -- 
> Michiel van Baak
> http://lunteren.vanbaak.info
> [EMAIL PROTECTED]

Is there anyone willing to answer this question ?
I tried google, irc and the pf documentation on the website.
I really want this to work...

Thanx


-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]

"Two of the most famous products of Berkeley are LSD and Unix. I don't think that this 
is a coincidence."


memory issue

2004-05-13 Thread Michiel van Baak
Hi all,

I'm trying to set up my spamd table in pf.
I used Daniel's script as he posted it on http://www.benzedrine.cx/relaydb.html as a 
template for my own script (see below)
When I run my script it fails with the error: pfctl: Cannot allocate memory.

Any idea how I can make this work?

Some info about my setup:
OpenBSD griever.vanbaak.info 3.5 GENERIC#1 i386 Intel Pentium II ("GenuineIntel" 
686-class, 512KB L2 cache)
Build date 6 May
144 MB RAM
500 MB swap space

my script to generate the spammers list, whitelist and pf tables:

#!/bin/sh
# Build the spamd blacklist and whitelist and load them into the pf table.
cd /root/spamfilter
rm -f SBL.cidr spammers.tmp nonspammers.tmp
# Fetch the external blocklists
wget -q http://bliab.com/sbl/SBL.cidr.bz2
bunzip2 SBL.cidr.bz2
rsync rsync://rsync.cbl.abuseat.org/cbl/list.txt list.txt
# Export the local relaydb black and white lists
relaydb -4lb -f /var/tmp/.relaydb > relay-black
relaydb -4lw -f /var/tmp/.relaydb > relay-white
# Merge all sources into one blacklist and one whitelist
grep -v '#' SBL.cidr | cut -f 1 >> spammers.tmp
grep -v '#' list.txt | grep -v '^:' >> spammers.tmp
cat relay-black >> spammers.tmp
cat relay-white >> nonspammers.tmp
cat mywhite >> nonspammers.tmp
# Replace the whole table with the blacklist
pfctl -t spamd -Tr -f spammers.tmp
# Delete every blacklist host that is also on the whitelist
cat nonspammers.tmp | \
    pfctl -t spamd -vvTt -f - | \
    grep "^M " | grep -v "/" | \
    awk '{ printf("%s\n", $2); }' | \
    pfctl -t spamd -Td -f -
# Add the whitelist as negated entries so those hosts never match
cat nonspammers.tmp | \
    awk '{ printf("!%s\n", $1); }' | \
    pfctl -t spamd -Ta -f -


-- 
Michiel van Baak
http://lunteren.vanbaak.info
[EMAIL PROTECTED]
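A pre-flight check for the list the script hands to `pfctl -t spamd -Tr -f`, written for this post as an added example (not the thread's, relaydb's or pfctl's own code): it reports malformed lines, collapses duplicate and overlapping prefixes, and compares the resulting entry count against a pf table-entries limit. pf enforces that limit through `set limit table-entries` in pf.conf(5) and shows the active value with `pfctl -s memory`; the thread never states which limit applied on this box, so the default below is an assumption.

```python
#!/usr/bin/env python3
"""Check an address list before feeding it to `pfctl -t spamd -Tr -f`.

Added example, not code from the thread, relaydb or pfctl.  Reads the same
line format the posted script produces: one IPv4/IPv6 address or CIDR
prefix per line, an optional leading '!' for a negated entry, '#' comments
and blank lines ignored.
"""
import ipaddress
import sys

# Assumed value, not taken from the thread; check `pfctl -s memory` for the real one.
ASSUMED_TABLE_ENTRIES_LIMIT = 200000


def parse_table_lines(lines):
    """Split lines into (positive_nets, negated_nets, bad_lines)."""
    positive, negated, bad = [], [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        neg = line.startswith("!")
        text = line[1:].strip() if neg else line
        try:
            # strict=False accepts host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            bad.append((lineno, raw.rstrip("\n")))
            continue
        (negated if neg else positive).append(net)
    return positive, negated, bad


def collapse(nets):
    """Merge duplicate, contained and adjacent prefixes, per address family."""
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def table_report(lines, limit=ASSUMED_TABLE_ENTRIES_LIMIT):
    """Summarise what the list would put into the table and whether it fits."""
    positive, negated, bad = parse_table_lines(lines)
    merged = collapse(positive)
    total = len(merged) + len(negated)
    return {
        "raw_entries": len(positive) + len(negated),
        "collapsed_entries": total,
        "collapsed_nets": merged,
        "bad_lines": bad,
        "fits_limit": total <= limit,
    }


# Constructed sample input standing in for spammers.tmp
SAMPLE_LINES = [
    "# SBL excerpt (constructed)",
    "10.0.0.0/24",
    "10.0.0.5",       # already covered by the /24 above
    "10.0.1.0/24",    # adjacent to 10.0.0.0/24, merges into a /23
    "192.0.2.1",
    "192.0.2.1",      # duplicate
    "not-an-ip",      # malformed line pfctl would reject
    "!198.51.100.7",  # negated whitelist entry
    "",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_LINES
    rep = table_report(lines)
    print("raw entries:      %d" % rep["raw_entries"])
    print("after collapse:   %d" % rep["collapsed_entries"])
    print("fits table limit: %s" % rep["fits_limit"])
    for lineno, text in rep["bad_lines"]:
        print("bad line %d: %r" % (lineno, text))
    # Non-zero exit lets a wrapper script stop before calling pfctl.
    sys.exit(0 if rep["fits_limit"] and not rep["bad_lines"] else 1)
```

Run it as `table_check.py spammers.tmp` ahead of the pfctl line; a bad line or an over-limit count makes it exit non-zero.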


Re: ftp and irc problems

2003-12-16 Thread Michiel van Baak
On Tue, 2003-12-16 at 18:21, Michiel van Baak wrote:
> Hi all.
> 
> @ the end of this email is my complete pf.conf file.
> I'm running -CURRENT from Fri Nov 21
> I know I'm behind... cvs up is running
> 
> I have a major problem with my pf setup and I cannot find my answer
> anywhere.
> 
> 1. Hosts out on the internet cannot passive ftp to my server. And a lot
> that connect to my machine using active FTP get the error "Won't open
> connection to (put any internal range here ppl have on their lan)"
> I really would like to see ppl be able to use passive ftp when
> connecting/downloading from my server.
> The ftp server is running on the same machine as pf. Don't have
> resources to setup a DMZ host.
> 
> Can someone please help me ?

Can someone plz tell me again to rtfm ?
Sorry for bothering you all.
*shame*



ftp and irc problems

2003-12-16 Thread Michiel van Baak
Hi all.

@ the end of this email is my complete pf.conf file.
I'm running -CURRENT from Fri Nov 21
I know I'm behind... cvs up is running

I have a major problem with my pf setup and I cannot find my answer
anywhere.

1. Hosts out on the internet cannot passive ftp to my server. And a lot
that connect to my machine using active FTP get the error "Won't open
connection to (put any internal range here ppl have on their lan)"
I really would like to see ppl be able to use passive ftp when
connecting/downloading from my server.
The ftp server is running on the same machine as pf. Don't have
resources to setup a DMZ host.

Can someone please help me ?

pf.conf:
(some lines are wrapped over 2 lines, my email client does that.)
#
# macro definitions

ext_if = "xl0"
int_if = "rl0"
int_net = "192.168.2.0/24"
nat_p = "{tcp, udp, icmp}"
no_go_ip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"

#
# options: "set"

set loginterface xl0
set limit { frags 3, states 25000 }

#
# scrub rules: "scrub"

scrub in on $ext_if all fragment reassemble

altq on $ext_if cbq bandwidth 1000Kb queue { def, ftp-inet, prio-inet }
queue def bandwidth 100% cbq(default)
queue ftp-inet bandwidth 200Kb cbq(ecn)
queue prio-inet bandwidth 320Kb cbq { prio-inet-def, prio-inet-pri }
queue prio-inet-def priority 0
queue prio-inet-pri priority 7

#
# NAT rules: "rdr", "nat", "binat"

nat on $ext_if proto $nat_p from $int_net to any -> $ext_if
#ftp proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#
# filtering rules: "antispoof", "block", "pass"
# block and log everything by default
block out log on $ext_if   all label logall-tcp-out
block in  log on $ext_if   all label logall-tcp-in
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all
# antispoofing stuff

# silently drop broadcasts (cable modem noise)
block in log quick on $ext_if from any to 255.255.255.255 label noise

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in log on $ext_if inet from $no_go_ip to $ext_if label nogoip
block out log on $ext_if inet from any to $no_go_ip label nogoip

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state \
queue (prio-inet-def,prio-inet-pri) label icmp-type-8

# UDP
# pass out all UDP connections and keep state
pass out on $ext_if inet proto udp all keep state queue \
(prio-inet-def,prio-inet-pri)

# pass in certain UDP connections and keep state (DNS)
pass in on $ext_if proto udp from any to any port domain keep state
# TCP
pass out on $ext_if inet proto tcp all flags S/SA modulate state \
queue (prio-inet-def,prio-inet-pri)
pass out on $ext_if inet proto tcp from any port { ftp, ftp-data } \
modulate state 
# pass in certain TCP connections and keep state (SSH, FTP, IDENT, WWW)
pass in on $ext_if proto tcp from any to any port { ssh, auth, www, 443,
smtp, imap, pop3, ftp, ftp-data, domain, rsync } flags S/SA keep state \
queue (prio-inet-def,prio-inet-pri)
pass in on $ext_if proto tcp from any to any port { domain } \
flags S/SA keep state
# allow all on internal
pass in on $int_if all
pass out on $int_if all





Re: latest snapshot, pf blocks until reloaded

2003-11-02 Thread Michiel van Baak
Make sure to have the following line in your /etc/sysctl.conf
net.inet.ip.forwarding=1

During one of my upgrades this setting was lost.
Took me 3 days to figure it out.
Maybe this happened to you too.

Michiel

On Sun, 2003-11-02 at 19:17, pf-list wrote:
> I may be experiencing the same problem you are speaking of.  I just 
> upgraded to 3.4-RELEASE and now my firewall refuses to route traffic.  
> From the firewall itself i can get anywhere.  From the internal network i 
> can get to the firewall.  It's almost as if it's ignoring my nat rules 
> entirely.  Odd!  I've been over my routes and my pf.conf forwards and 
> backwards.  Is there something from 3.3 to 3.4 in my ruleset I have to 
> change to get the box to route packets?  (I also tried a flush/reload to 
> no avail)
> 
> -James Nobis
> 
> On Sun, 2 Nov 2003, Han Boetes wrote:
> 
> > Hi,
> > 
> > With the latest snapshot (01-11-03) I got the following:
> > 
> > From my linux desktop to my openbsd (dhcp)server I got an ip-address via
> > dhcp. ``ifconfig eth0'' and ``route -an'' on the desktop looks totally
> > normal. ``ifconfig ep0'' and ``route -an'' and ``pfctl -s all'' on the
> > openbsd machine also looks perfectly normal. But I can't ping, I can't
> > get nfs and anything else UNTIL I pfctl -F all; pfctl -f /etc/pf.conf.
> > I rebooted just to get the same error again, just to make sure it's
> > repeatable.
> > 
> > Here are my pf rules for your consideration:
> > 
> >   http://www.xs4all.nl/~hanb/configs/pf.conf-altq
> > 
> > 
> > I hope someone can make a repeatable of this.
> > 
> > 
> > 
> > # Han
> > -- 
> >  __ A woman is like your shadow; follow her, she
> >   .,-;-;-,. /'_\   flies; fly from her, she follows. -- Chamfort
> > _/_/_/_|_\_\) /
> >   '-<_><_><_><_>=/\
> > jgs `/_//_/-'\_\
> >  "" """"
> > 



Re: pfstat gone nuts

2003-10-09 Thread Michiel van Baak
On Thu, 2003-10-09 at 19:36, Colin Harford wrote:
> http://www.ualberta.ca/~charford/pfstat1.jpg
> 
> 
> So, I think a picture is worth a thousand words.  I've had pfstat 
> working for a couple weeks on this machine without problems.  It is 
> monitoring a single 100 megabit pipe, usually with 3 mb/sec of traffic 
> on it each way.  The past 2 days I run into problems with the stats 
> being completely off the wall, like the illustration shows.
> 
> Has anyone run into this problem before?
> 
> It is running pfstat-1.6 and OpenBSD 3.4 (source rebuilt 7 days ago).
> 
> Thanks,
> 
> CH
> 
> 

I have kernel and world from Sep 30.
This weird problem is not on my box.
http://stats.vanbaak.info/pf/

Just to let you ppl know that Sept 30 code runs fine.

Michiel




Re: failing file transfers (seti@home)

2003-06-11 Thread Michiel van Baak
On Wed, Jun 11, 2003 at 11:32:24AM +0100, Peter Galbavy wrote:
> Daniel Hartmeier wrote:
> > If you need a quick
> > workaround, you could disable SACK on that client.
> 
> (For the archives maybe)
> 
> From http://support.microsoft.com/default.aspx?kbid=224829
> 
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts -> 0
> 
> Now it all works. Perfectly.
> 
> The really weird thing is that this registry entry is not there on my
> colleague's Win2k machine.
> 
> Is this something that may / will be addressed in pf in the near future ?
> Just asking as it will be a pain to go and change all the Windows systems :)
> 
> Peter
> 
> 
Make a registry export from this key and put it in the domain login
script :))

That way we do something like this here.
-- 
Michiel van Baak-( When one burns one's bridges, what  )-
[EMAIL PROTECTED]   -( a very nice fire it makes.  )-
http://lunteren.vanbaak.info-(-- Dylan Thomas  )-



Re: pf/altq on a fast link

2003-06-06 Thread Michiel van Baak
On Fri, Jun 06, 2003 at 08:48:22AM -0700, Dennis wrote:
> [EMAIL PROTECTED] (Wouter Clarie) wrote in message 
> 
> Ah, so I see that posting private emails to you on the list is among
> your repetiore. Very impressive. Too bad you can't make your point
> with product features.
> 
> DB

Come on Dennis.
We told ya before, pf does the trick, and this is NOT an
advertisement board.
Can we plz stay on topic and remain handling pf support/improvements
here ?

FOAD
> 
> news:<[EMAIL PROTECTED]>...
> > And a private reply (sent this already, but it appears to be lost).
> > 
> > Very interesting, by the way. (ahum)
> > 
> > Oh, and I suggest we just ignore this troll from now on. He obviously has
> > nothing to contribute to this list.
> > 
> > //Wouter
> > 
> > -- Forwarded message --
> > Date: Thu, 05 Jun 2003 17:09:42 -0400
> > From: Dennis <[EMAIL PROTECTED]>
> > To: Wouter Clarie <[EMAIL PROTECTED]>
> > Subject: Re: pf/altq on a fast link
> > 
> > At 03:48 AM 06/05/2003, you wrote:
> > 
> > >On Wed, 4 Jun 2003, Dennis wrote:
> > >
> > > > "FREE" isn't really cheaper when you spend $1000's worth of your time
> > > > to make it work, and then end up with an inferior solution when you're
> > > > done.
> > >
> > > I think, if you need $1000s worth of time figuring this out, perhaps you
> > > shouldn't be doing this kind of stuff at all. So that's probably your
> > > market share.
> > 
> > 
> > You are one voice on the list. What you mean is that YOU aren't interested,
> > and that's because you don't need it, or maybe you have already figured it
> > out. My country is a free one, so take a flying leap if you don't like what
> > I do, because I can do whatever I want and I don't care about stupid
> > people who think that they can do everything themselves with
> > cobbled-together software. Judging from the increase in web hits and demo
> > downloads when I make such a posting, I'd say that there are a lot of
> > people who are interested.
> > 
> > db
> 
> 

-- 
Michiel van Baak-( When one burns one's bridges, what  )-
[EMAIL PROTECTED]   -( a very nice fire it makes.  )-
http://lunteren.vanbaak.info-(-- Dylan Thomas  )-



Re: Port = domain

2003-03-26 Thread Michiel van Baak
On Wed, 26 Mar 2003 15:42:24 -
Richard Maclannan <[EMAIL PROTECTED]> wrote:

> Can anyone tell me which ports are covered by "port = domain"? To stop me
> from asking any more obvious questions, is there a list of name aliases for
> certain ports?
> 
> Thanks,
> 
> Richard Maclannan
> Facilities Technical Support
> Data Connection Ltd.
> [EMAIL PROTECTED]
> 
cat /etc/services | grep domain



Re: Priorizing empty ACKs

2003-02-28 Thread Michiel van Baak
On Fri, 28 Feb 2003 10:21:55 +0100
Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

>On Thu, Feb 27, 2003 at 10:13:55PM -0800, Ben Lovett wrote:
>
>> All in all, I'm seeing a great improvement. My connection is ADSL 
>> 1.5M/384, and the sweet spot for my connection appears to be 330Kbit/s. 
>> I'll do some more playing around with it tomorrow to see if I can get 
>> better speeds, but even if I don't -- I'm happy with what I'm getting 
>> now :)
>
>Great, thanks for the feedback.
>
>Henning suggested using the priq scheduler instead of cbq, like
>
>  altq on kue0 priq bandwidth 100Kb queue { q_pri, q_def }
>  queue q_pri priority 7
>  queue q_def priority 1 priq(default)
>
>I get about the same results with this, but it's somewhat simpler.
>BTW, try pfctl -vsq or -vvsq to check the altq stats.
>
>Daniel

This is awesome :))
This way my girlfriend can use my connection while me and my friends are sharing data 
:)

Is this patch going to be in 3.3 ??
I'm running 28/2/2003 3.2-current and this patch did the job.

Would be nice to see it in 3.3 so I can roll it out easily on work servers.

Michiel van Baak



Re: iptables

2003-02-06 Thread Michiel van Baak
On Thu, Feb 06, 2003 at 08:53:26AM -0500, Jason Dixon wrote:
> On Thu, 2003-02-06 at 08:09, Henning Brauer wrote:
> > On Thu, Feb 06, 2003 at 01:42:45PM +0100, Emmanuel Fleury wrote:
> > > But, I wonder why they are faster than pf !
> > > Because, there is no obvious relation between the fact that pf is more
> > > secure and the fact that it is slow (I might be wrong!!!).
> > 
> > pf is not close to being slow. in fact, it's bleeding fast.
> > they are a bit faster in some areas because they leave out the sequence
> > number checks.
> 
> I can't help but giggle when people start comparing iptables/ipf/pf on
> the basis of how "slow" they are.  Do you people (the ones asking these
> stupid questions) realize _just_how_FAST_ this code is?  Just how little
> resources you need to saturate your connections?
> 
> -J.
> 
I have the same thing here.
People want to see how fast things go and such.
I have a very old 386 8 MHz here and it works SUPER as 3.2-current
firewall for my home network.
As far as I can notice I have no network slowdown compared to the
firewall at work (pII 400).
For me this makes more sense than a graph. pf is FAST, even on slow
hardware.

Michiel van Baak

PS: For the record - 
  I have 110 lines in pf.conf and I use altq for limiting upstream for
certain protocols (ftp and http)




Re: dDoS attacks

2002-11-06 Thread Michiel van Baak
Thnx all.

The trick with the max states and timeouts works fine.

Michiel




Re: dDoS attacks

2002-11-06 Thread Michiel van Baak
On Tue, 5 Nov 2002 17:28:18 -0500
jolan <[EMAIL PROTECTED]> wrote:

> On Tue, Nov 05, 2002 at 02:49:42PM +0100, Michiel van Baak wrote:
> > Anyone who can enlighten me ?
> 
> ddos attacks need to be blocked at the router and even then it doesn't
> mean you're going to come away from one unscathed.
> 
> - jolan
> 

I know they have to block it in the router.
But that's not the case with my network and now I want to block them in the router 
here.
It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh

Is there a way to do it with pf?

Michiel




dDoS attacks

2002-11-05 Thread Michiel van Baak
Hi all,

I've been spending 3 days searching on google and reading docs/howto's about pf.
But I didn't find any information about how to protect your server/network against dos 
and ddos attacks.
Anyone who can enlighten me ?

I'm pretty new to OpenBSD. Started using it when 2.9 came out and just preordered 3.2.
I'm running a server/firewall on 3.0 for a while now.

Regards,

Michiel van Baak