On 2023-09-04 22:53 +02, Alexander Bluhm wrote:
> On Mon, Sep 04, 2023 at 03:58:02PM +0200, Alexandr Nedvedicky wrote:
>> Hello,
>>
>> On Mon, Sep 04, 2023 at 03:28:00PM +0200, Alexander Bluhm wrote:
>> > On Sun, Sep 03, 2023 at 11:00:56PM +0200, Alexandr Nedvedicky wrote:
>> > > Hello,
>> > >
On Mon, Sep 04, 2023 at 03:58:02PM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Mon, Sep 04, 2023 at 03:28:00PM +0200, Alexander Bluhm wrote:
> > On Sun, Sep 03, 2023 at 11:00:56PM +0200, Alexandr Nedvedicky wrote:
> > > Hello,
> > >
> > > On Sun, Sep 03, 2023 at 09:26:29PM +0200, Florian
Hello,
On Mon, Sep 04, 2023 at 03:28:00PM +0200, Alexander Bluhm wrote:
> On Sun, Sep 03, 2023 at 11:00:56PM +0200, Alexandr Nedvedicky wrote:
> > Hello,
> >
> > On Sun, Sep 03, 2023 at 09:26:29PM +0200, Florian Obser wrote:
> > > FYI, I'm not using sloppy, and I don't have a network with
On Sun, Sep 03, 2023 at 11:00:56PM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Sun, Sep 03, 2023 at 09:26:29PM +0200, Florian Obser wrote:
> > FYI, I'm not using sloppy, and I don't have a network with asymmetric
> > routing
> > at the moment. I only remembered that we used sloppy for a
Hello,
On Sun, Sep 03, 2023 at 09:26:29PM +0200, Florian Obser wrote:
> FYI, I'm not using sloppy, and I don't have a network with asymmetric routing
> at the moment. I only remembered that we used sloppy for a while at my
> previous job. I think we settled on no-state because it was faster than
FYI, I'm not using sloppy, and I don't have a network with asymmetric routing
at the moment. I only remembered that we used sloppy for a while at my previous
job.
I think we settled on no-state because it was faster than sloppy and less
hassle.
On 3 September 2023 20:09:10 CEST, Alexandr
Hello,
On Sun, Sep 03, 2023 at 06:29:51PM +0200, Alexander Bluhm wrote:
> On Sun, Sep 03, 2023 at 06:17:12PM +0200, Florian Obser wrote:
> > On 2023-09-03 18:13 +02, Alexander Bluhm wrote:
> > > On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote:
> > >> Hello,
> > >>
> > >> On
On Sun, Sep 03, 2023 at 06:17:12PM +0200, Florian Obser wrote:
> On 2023-09-03 18:13 +02, Alexander Bluhm wrote:
> > On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote:
> >> Hello,
> >>
> >> On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote:
> >> > On Sun, Sep 03,
On 2023-09-03 18:13 +02, Alexander Bluhm wrote:
> On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote:
>> Hello,
>>
>> On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote:
>> > On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
>> > > in my opinion
On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote:
> > On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> > > in my opinion is to fix pf_match_rule() function, so ICMP error message
Hello,
On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote:
> On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> > in my opinion is to fix pf_match_rule() function, so ICMP error message
> > will no longer match 'keep state' rule. Diff below is for IPv4. I still
>
On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> in my opinion is to fix pf_match_rule() function, so ICMP error message
> will no longer match 'keep state' rule. Diff below is for IPv4. I still
> need to think more about IPv6. My gut feeling is it will be very similar.
Hello,
I'm sorry, the diff against current does not compile. It's missing
a closing paren.
Sorry about that.
regards
sashan
On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> 8<---8<---8<--8<
> diff --git
On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> so there is actually a bug. I was able to reproduce it with very simple
> rules on my router:
>
> set skip on em1
> block return all
> pass out on em0 from 192.168.2.0/24 to any nat-to(em0)
>
> em1 is
Hello,
so there is actually a bug. I was able to reproduce it with very simple
rules on my router:
set skip on em1
block return all
pass out on em0 from 192.168.2.0/24 to any nat-to(em0)
em1 is interface, facing to LAN
em0 is interface to internet where NAT happens.
I did use a scapy
On Tue, Aug 29, 2023 at 11:11:53AM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Tue, Aug 29, 2023 at 09:48:21AM +0200, Peter J. Philipp wrote:
> > On Tue, Aug 29, 2023 at 09:45:24AM +1000, David Gwynne wrote:
> > > How are you injecting the crafted packet into the stack?
> >
> > Via BPF.
On Tue, Aug 29, 2023 at 12:35:47PM +0200, Claudio Jeker wrote:
> On Tue, Aug 29, 2023 at 12:16:23PM +0200, Peter J. Philipp wrote:
> > On Tue, Aug 29, 2023 at 11:11:53AM +0200, Alexandr Nedvedicky wrote:
> > > Hello,
> > >
> > > On Tue, Aug 29, 2023 at 09:48:21AM +0200, Peter J. Philipp wrote:
>
On Tue, Aug 29, 2023 at 12:16:23PM +0200, Peter J. Philipp wrote:
> On Tue, Aug 29, 2023 at 11:11:53AM +0200, Alexandr Nedvedicky wrote:
> > Hello,
> >
> > On Tue, Aug 29, 2023 at 09:48:21AM +0200, Peter J. Philipp wrote:
> > > On Tue, Aug 29, 2023 at 09:45:24AM +1000, David Gwynne wrote:
> > > >
On Tue, Aug 29, 2023 at 11:11:53AM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Tue, Aug 29, 2023 at 09:48:21AM +0200, Peter J. Philipp wrote:
> > On Tue, Aug 29, 2023 at 09:45:24AM +1000, David Gwynne wrote:
> > > How are you injecting the crafted packet into the stack?
> >
> > Via BPF.
Hello,
On Tue, Aug 29, 2023 at 09:48:21AM +0200, Peter J. Philipp wrote:
> On Tue, Aug 29, 2023 at 09:45:24AM +1000, David Gwynne wrote:
> > How are you injecting the crafted packet into the stack?
>
> Via BPF. It is a spoofing program that I made 23 years ago. While that's
> not really a
On Mon, Aug 28, 2023 at 07:13:29PM +0100, Stuart Henderson wrote:
> On 2023/08/28 18:30, Peter J. Philipp wrote:
> > Here is my icmp rulesets:
> >
> > root@stern# grep icmp /etc/pf.conf
>
> a partial pf.conf fragment is hardly ever enough to debug a ruleset
> problem. if a packet doesn't match
And well.. what is returned is negative which falls through to this:
6357
6358 return (PF_PASS);
15 year old bug and 10 year old bugs respectively.
Best Regards,
-peter
> On Tue, 29 Aug 2023, 01:14 , wrote:
>
> > >Synopsis: pf nat-to doesn't match
How are you injecting the crafted packet into the stack?
On Tue, 29 Aug 2023, 01:14 , wrote:
> >Synopsis: pf nat-to doesn't match a crafted packet
> >Category: system
> >Environment:
> System : OpenBSD 7.3
> Details : OpenBSD 7.3 (GENER
On 2023/08/28 18:30, Peter J. Philipp wrote:
> Here is my icmp rulesets:
>
> root@stern# grep icmp /etc/pf.conf
a partial pf.conf fragment is hardly ever enough to debug a ruleset
problem. if a packet doesn't match any rule then it hits the implicit
"pass flags any no state" rule 0.
Hello,
On Mon, Aug 28, 2023 at 06:30:55PM +0200, Peter J. Philipp wrote:
>
> Hi Alexandr,
>
> root@stern# tcpdump -v -n -i pppoe0 -c 1 icmp && pfctl -ss -v | grep icmp
> tcpdump: listening on pppoe0, link-type PPP_ETHER
> 18:25:34.273661 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211
On Mon, Aug 28, 2023 at 06:18:41PM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> On Mon, Aug 28, 2023 at 05:13:29PM +0200, p...@delphinusdns.org wrote:
> > >Synopsis: pf nat-to doesn't match a crafted packet
> > >Category: system
> > >Environmen
Hello,
On Mon, Aug 28, 2023 at 05:13:29PM +0200, p...@delphinusdns.org wrote:
> >Synopsis: pf nat-to doesn't match a crafted packet
> >Category: system
> >Environment:
> System : OpenBSD 7.3
> Details : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar
>Synopsis: pf nat-to doesn't match a crafted packet
>Category: system
>Environment:
System : OpenBSD 7.3
Details : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT
2023
dera...@arm64.openbsd.org:/usr/src/sys/arch/arm6
28 matches