Re: Filtering inside IPSec tunnel

2011-10-11 Thread Michael Proto
2011/10/11 Виталий Владимирович :
> I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can
> filter traffic inside tunnel with PF.
>
> pf.conf
>
> ..
>
> ipsec_if="gif0"
>
> ...
> block in all
> block out all
>
> ### EXT_IF_OUT
>
> pass out log quick on $ext_if inet f

Re: IPv6 config for PF

2011-08-01 Thread Michael Proto
On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote:
> Hello,
>
> I'm having a heck of a time trying to get PF to work with IPv6 on a
> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
> sample ruleset they can share
> for a server system that has a few services exposed?
> I'm runn

Re: IPv6 day, PF and IPv6 fragments

2011-06-07 Thread Michael Proto
On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0:
> 2001:4998:0:6::11 > : frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1
> win 8211
> 2011-06-07 20:35:

Re: For better security: always "block all" or "block in all" is enough?

2010-07-28 Thread Michael Proto
On Wed, Jul 28, 2010 at 2:55 PM, Spenst, Aleksej wrote:
> Hi All,
>
> I have to provide for my system better security and I guess it would be
> better to start pf.conf with the "block all" rule opening afterwards only
> those incoming and outgoing ports that are supposed to be used by the syste
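
The IPv6/NDP ruleset request earlier on this page and the "block all" versus "block in all" question above call for the same kind of ruleset, so here is one added example pf.conf for a FreeBSD host. It is not from the thread and not either poster's configuration; the interface name em0, the exposed service list, and the choice to log blocked packets are assumptions for illustration.

```pf
# Added example pf.conf for a FreeBSD host (not from the thread).
# em0 and the service list are assumptions; adjust to the real box.
ext_if = "em0"
tcp_services = "{ ssh, http, https }"
ndp_types = "{ routersol, routeradv, neighbrsol, neighbradv }"

set skip on lo0
scrub in all

# "block all" is exactly these two lines. "block in all" on its own stops
# unsolicited inbound traffic but lets any process on the host open
# outbound connections unfiltered.
block in log all
block out log all

# IPv6 does not work without NDP: router solicitation/advertisement is how
# the host learns its default router, neighbor solicitation/advertisement
# replaces ARP. A plain default deny silently breaks both.
pass in quick inet6 proto icmp6 icmp6-type $ndp_types
pass out quick inet6 proto icmp6 icmp6-type $ndp_types

# Path MTU discovery and basic diagnostics in both address families.
pass in inet proto icmp icmp-type { echoreq, unreach }
pass in inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, timex, paramprob }

# Only the exposed services come in; everything the host itself starts may
# go out, with state so the replies get back through "block in all".
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto { tcp, udp, icmp, icmp6 } from ($ext_if) keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf; with "block in log all" in place, pflog0 shows anything the ruleset is still rejecting, which is the quickest way to find a missing NDP or RA rule on an IPv6 host.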

Re: can pf block a string ? or better, to limit it ?

2010-06-23 Thread Michael Proto
On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you.  Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table

Re: sending mail with attachments always fails (FreeBSD/pf)

2009-11-21 Thread Michael Proto
On Sat, Nov 21, 2009 at 1:23 PM, Michael Proto wrote:
> On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov
> wrote:
>
>> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
>> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
>> 209.85

Re: sending mail with attachments always fails (FreeBSD/pf)

2009-11-21 Thread Michael Proto
On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov wrote:
> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
> 209.85.129.111.465:  tcp 28 [bad hdr length 0 - too short, < 20]

This looks to be your problem-- bad hdr

Re: PF - load balancing outgoing connections

2009-10-19 Thread Michael Proto
On Mon, Oct 19, 2009 at 11:48 AM, Jed Gainer wrote:
> I wanted to set up a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS. After getting it up and running, and
> acting as a gateway