Hi all,
I am playing with pf tool on openbsd/freebsd platforms and it is super
tool for firewalls. One thing is interesting for me, and I am hoping
someone has experience with this.
If I say
block log all
block in log (all) quick on $ext_if proto udp from any to $ext_if
this would block all traf
Hi Glen,
Thank you for mail and help,
actually I do not have these options on my openBSD box, on freeBSD box
there are and I will implement this.
Thank you very much
Kind regards,
Elvir Kuric
On Sun, Nov 9, 2008 at 12:09 PM, Glen Barber <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 9, 2008 at 4:37
Hello Daniel,
thank you for answer, I understand, but I know pf is very powerful
tool I want to make some workaround using pf to perform blocking udp
floods, rule creation is not problem and I understand pf syntax. ISP
also use I suppose pf as firewall on their machines, so if they can,
I/we using
Hello Jeremy,
Thank you for your time and your answer,
> First, you should be very careful with use of the "log" directive on
> your rules. I've personally witnessed an attack which triggered "log"
> entries in block rules causing pflog to log at such a tremendous/fast
> rate, that newsyslog co
On Sun, Nov 9, 2008 at 4:37 AM, Elvir Kuric <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am playing with pf tool on openbsd/freebsd platforms and it is super
> tool for firewalls. One thing is interesting for me, and I am hoping
> someone has experience with this.
>
> If I say
>
> block log all
> bloc
Hello Elvir,
Sunday, November 9, 2008, 10:37:29 AM, you wrote:
> My question would be, what are your experiences with battling against
> boring udp flooders ? Platform are FreeBSD / OpenBSD and all works
> like a charm except time to time, stupid udp flood attacks.
Ask your ISP to block UDP upfron
On Sun, Nov 09, 2008 at 10:37:29AM +0100, Elvir Kuric wrote:
> I am playing with pf tool on openbsd/freebsd platforms and it is super
> tool for firewalls. One thing is interesting for me, and I am hoping
> someone has experience with this.
>
> If I say
>
> block log all
> block in log (all) quick
Elvir Kuric <[EMAIL PROTECTED]> wrote:
>
> I absolutely agree with you regarding logging, and I do not practice
> this, only logging specific data. The biggest problem with this DoS
> attacks ( udp floods ) is, processor must spend some time on packet
> arrive ( even dropping will take some proces
David DeSimone wrote:
> You may want to consider adding "keep state" to your "block log" rules.
> If you keep state on the blocked packets, only the first packet that is
> blocked will get logged; the others will be blocked statefully without
> consulting the rulebase, which may save some processi
On Mon, Nov 10, 2008 at 09:15:08AM +0100, Sebastian Tymków wrote:
> I wonder how does udp.blackhole working with DNS. Does it interfere bind or
> no ?
No.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com
On Sun, Nov 09, 2008 at 05:47:54PM +, Peter Maxwell wrote:
> ii) Ensure you're using a good NIC, the CPU offload abilities in Intel
> (and I think Broadcom) cards can reduce the impact on CPU generally.
I think (hope) what you're referring to are TSO, LRO, and TX/RX checksum
offloading.
Assum
Hi Peter,
Thank you for this excessive answer and it is really helpful.
On Sun, Nov 9, 2008 at 6:47 PM, Peter Maxwell <[EMAIL PROTECTED]> wrote:
> Hi Elvir,
>
> I'd second the advice given further up the thread about getting your
> ISP to filter upstream - that's about the only really effective
>
Eric Williams <[EMAIL PROTECTED]> wrote:
>
> David DeSimone wrote:
> > You may want to consider adding "keep state" to your "block log" rules.
>
> Doesn't seem to work, it just gives "keep state on block rules doesn't
> make sense" as an error.
I guess what I mean is that "block log" rules can ke
I wonder how does udp.blackhole working with DNS. Does it interfere bind or
no ?
Best regards,
Sebastian Tymkow
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECT
Hi Elvir,
I'd second the advice given further up the thread about getting your
ISP to filter upstream - that's about the only really effective
solution. Once UDP packets hit your firewall's external interface
there's very little you can do about it.
The only other advice I could offer is;
i) Ma
Greetings,
On Sun, Nov 9, 2008 at 4:37 AM, Elvir Kuric wrote:
> > Hi all,
> >
> > I am playing with pf tool on openbsd/freebsd platforms and it is super
> > tool for firewalls. One thing is interesting for me, and I am hoping
> > someone has experience with this.
> >
> > If I say
> >
> > block lo
Greetings, see below...
> On Sun, Nov 09, 2008 at 10:37:29AM +0100, Elvir Kuric wrote:
> > I am playing with pf tool on openbsd/freebsd platforms and it is super
> > tool for firewalls. One thing is interesting for me, and I am hoping
> > someone has experience with this.
> >
> > If I say
> >
> > b
Hello Peter, and thank you for your reply...
On Sun, January 18, 2009 5:10 am, Peter Maxwell wrote:
> Comments inline...
>
>
>> Hello Jeremy,
>> I just joined this list. Then started parsing the archive, and
>> ran into this - what you refer to, is exactly the reason I'm getting off
>> my a$$ and
Hello again Peter, and thank you for your thoughtful reply...
On Sun, January 18, 2009 8:44 am, Peter Maxwell wrote:
> 2009/1/18 :
>
>> Hello Peter, and thank you for your reply...
>>
>>
>> On Sun, January 18, 2009 5:10 am, Peter Maxwell wrote:
>>
>>> Comments inline...
>>>
>>>
>>>
Hello Jer
19 matches