Re: pf(4) semantics

2003-03-21 Thread Philipp Buehler - sysfive.com GmbH
On 20/03/2003, Srebrenko Sehic [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]:
> Or even better, dis the keep state on {$ext_if $int_if}; keep
> state should be enough, since pf(4) should take care of that. Now
> this feature would be _very_ nice.
>
> Any chance this could be implemented, say post 3.3?

Over my dead (and really slacking) body.

This auto-generation of states on other interfaces is BRAINDEAD.
I do not even feel good about the 'on {if_list}', but well.

Tons of ways to achieve that are 'out there' already, anyway.

It was a great relief when I recognized that pf is NOT generating
states for all interfaces, and I am all against changing that.

ciao
-- 
 Philipp Buehler  -  [EMAIL PROTECTED]  -  http://sysfive.com/
 sysfive.com GmbH - UNIX. Networking. Security. Applications.



Re: pf rule syntax (newbie)

2003-03-10 Thread Philipp Buehler - sysfive.com GmbH
On 10/03/2003, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]:
> I'm almost totally new to pf.
> I've noticed that this syntax is not accepted:
>
> Ext_If = rl0
> MyVar = { 1.2.3.4/32, 2.1.0.0/24 }
>
> pass in on $Ext_If from any to !$MyVar
>
>
> I think this should be an honest rule, am I wrong somewhere!?

No, you cannot use negated lists. They would always match in one
way or the other. In short, it wouldn't do what you want to achieve there.

Use { !1.2.3.4/32, !2.1.0.0/24 }

ciao
-- 
 Philipp Buehler  -  [EMAIL PROTECTED]  -  http://sysfive.com/
 sysfive.com GmbH - UNIX. Networking. Security. Applications.
 Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646



Re: pf rule syntax (newbie)

2003-03-10 Thread Philipp Buehler - sysfive.com GmbH
On 10/03/2003, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote To Philipp Buehler - sysfive.com GmbH:
> Use { !1.2.3.4/32, !2.1.0.0/24 }
>
> Sure, I've already done that, thanks.
>
> Anyway, I think that syntax interpreted as you've done could be an
> improvement in easing the ruleset of the pf.conf file.

Well, it doesn't work out logically. { N, .., M } expands
to NxM rules; if you negate it, this will always be true in
one way or the other.

pfctl doesn't start to think for you. :)

This has been discussed to death already; check the archives,
please. !{..} will never be supported.

ciao
-- 
 Philipp Buehler  -  [EMAIL PROTECTED]  -  http://sysfive.com/
 sysfive.com GmbH - UNIX. Networking. Security. Applications.
 Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646
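As an added illustration (not from the thread and not pf's own code), here is a small Python model of the expansion Philipp describes: a rule with brace-lists becomes one rule per combination of list members, and the expanded rules are then evaluated against constructed packets. The rule from the original question is modelled with the negation applied to the whole list (the form pfctl rejects) to show why it would match every destination; the address containment check uses Python's ipaddress module.

```python
import ipaddress
from itertools import product

# Constructed example: the rule from the question, with the negation
# applied to the whole list (which pfctl rejects).  Each field holds a
# brace-list of networks plus a flag saying whether the field is negated.
#   pass in on $Ext_If from any to !$MyVar
#   MyVar = { 1.2.3.4/32, 2.1.0.0/24 }
RULE = {
    "from": {"values": ["0.0.0.0/0"], "negate": False},            # "any"
    "to":   {"values": ["1.2.3.4/32", "2.1.0.0/24"], "negate": True},
}

def expand(rule):
    """pf expands a rule with lists into the cartesian product of the
    list members: { N ... } x { M ... } gives N*M rules.  Each expanded
    rule keeps the per-field negation of the original."""
    names = list(rule)
    combos = product(*(rule[n]["values"] for n in names))
    return [{n: (net, rule[n]["negate"]) for n, net in zip(names, combo)}
            for combo in combos]

def field_matches(net, negate, addr):
    """A negated field matches when the address is NOT in the network."""
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    return inside != negate

def rule_matches(expanded_rule, packet):
    return all(field_matches(net, neg, packet[name])
               for name, (net, neg) in expanded_rule.items())

def ruleset_matches(expanded, packet):
    """True if any expanded rule matches the packet (they all carry the
    same action, so it does not matter which one wins)."""
    return any(rule_matches(r, packet) for r in expanded)

def demo():
    rules = expand(RULE)   # two rules: to !1.2.3.4/32 and to !2.1.0.0/24
    # Constructed packets: one inside each listed network, one in neither.
    packets = [{"from": "10.0.0.1", "to": dst}
               for dst in ("1.2.3.4", "2.1.0.7", "9.9.9.9")]
    # Every packet is matched by at least one of the expanded rules, so
    # the negated list passes everything instead of excluding MyVar.
    return [ruleset_matches(rules, p) for p in packets]

if __name__ == "__main__":
    print(demo())   # [True, True, True]
```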



Re: Cisco PIX 4-port 10/100 card in OpenBSD-current

2003-02-26 Thread Philipp Buehler - sysfive.com GmbH
On 26/02/2003, Attila Nagy [EMAIL PROTECTED] wrote To Roger Skjetlein:
> I have at least 3 3com905 cards (don't know the exact subtypes) which
> work, present you a link and a blazingly fast 6 kB/s transfer rate on a
> fast ethernet network.

Yah, you don't know. 3com *can* be ok, but usually they *suck*.
I remember a discussion where one said 3com is cool, after breakage
I got a new one within days on warranty .. yeah, right, but isn't it
better if they do NOT break in the first place? Second, if you get
replacements from 3com it CAN HAPPEN that everything looks the same
(including software serial numbers), but the firmware has changed
in an unknown way and the driver doesn't work any longer. nuff said.

> Older Intels had their bugs too, they locked up after some traffic sent
> through them, but I think this was solved at the driver level after some
> reading from the original Intel driver.

Don't speculate. Probably you are talking about the i82562 (integrated on
the i815) which had slightly different buffers in the chip, and with this
chip Intel stopped handing out real specs. Thus no real drivers can
be written. One has to reverse engineer that; there are no free docs
on it (at least those days).

they all suck.

ciao
-- 
 Philipp Buehler  -  [EMAIL PROTECTED]  -  http://sysfive.com/
 sysfive.com GmbH - UNIX. Networking. Security. Applications.
 Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646



Re: DLC // Host protocols

2003-02-25 Thread Philipp Buehler - sysfive.com GmbH
On 25/02/2003, caracha  ricardo [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]:
> Can OpenBSD/pf handle the DLC protocol? For example
> [ mainframe ] -far away- [router] -- [ openbsd ] -- [ clients ]

Beg your pardon?

pf is an IP (v4/v6) filter and can understand several protocols
on top of it (tcp/udp/icmp/...). Nothing else.

So, if this DLC is transported directly over Ethernet, you have
no chance. If it is encapsulated in IP, you can restrict this
part, but not the specific DLC features (like their addressing
etc.).

//pb



Re: using pf

2002-12-21 Thread Philipp Buehler - sysfive.com GmbH
On 21/12/2002, Zafer Dastan [EMAIL PROTECTED] wrote To [EMAIL PROTECTED]:
> Hi all,
> The most heavily loaded site I tested for 24 hours, with a PIII 1.36 Tualatin,
> had an average state count of 30K-43K with a CPU load average of 20%-35% ...

I guess you use cheap NICs, or the machine is doing other stuff, too.

dmesg?

Ciao
-- 
 Philipp Buehler  -  [EMAIL PROTECTED]  -  http://sysfive.com/
 sysfive.com GmbH - UNIX. Networking. Security. Applications.
 Steilshooperstr. 184, 22305 Hamburg, Germany - GSM +49-179-1136646