Re: /usr/share/pf/ suggestion

2005-08-24 Thread Timothy Donahue
On Tuesday 23 August 2005 11:58 pm, eric wrote: On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed... It is plain simple bad advice. And totally ridiculous. And plus, with ipv6, it's imperative that the filters be pushed down to the end-host so we can quit relying on stupid

Re: /usr/share/pf/ suggestion

2005-08-24 Thread Will H. Backman
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Irvine Sent: Wednesday, August 24, 2005 10:11 AM To: Misc OpenBSD Subject: Re: /usr/share/pf/ suggestion I personally like to 'pass keep state' with a 'scrub all' rule. This at least gives

Re: /usr/share/pf/ suggestion

2005-08-24 Thread Bryan Irvine
I personally like to 'pass keep state' with a 'scrub all' rule. This at least gives me some interesting statistics to poke at when I'm bored. Plus, I can firewall who gets to ssh into my machine. Another good use is {max-src-states ##} for webservers and the like. I have a webserver that

Re: /usr/share/pf/ suggestion

2005-08-24 Thread Ray Percival
On Wed, Aug 24, 2005 at 09:15:48AM -0400, Timothy Donahue wrote: On Tuesday 23 August 2005 11:58 pm, eric wrote: On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed... It is plain simple bad advice. And totally ridiculous. And plus, with ipv6, it's imperative that the

Re: /usr/share/pf/ suggestion

2005-08-24 Thread Jason Crawford
On 8/24/05, Bryan Irvine [EMAIL PROTECTED] wrote: I personally like to 'pass keep state' with a 'scrub all' rule. This at least gives me some interesting statistics to poke at when I'm bored. Plus, I can firewall who gets to ssh into my machine. Another good use is {max-src-states ##}

Re: /usr/share/pf/ suggestion

2005-08-24 Thread eric
On Wed, 2005-08-24 at 09:15:48 -0400, Timothy Donahue proclaimed... A Good Thing(TM) when done correctly, it is NAT that is not necessarily a good thing. Filtering incoming (and possibly outgoing traffic) helps do several things, first it decreases the burden on your hosts. It also allows

Re: /usr/share/pf/ suggestion

2005-08-24 Thread Bryan Irvine
What crashed? Apache or OpenBSD? Apache of course! ;)

/usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
Would it be useful to add an example pf rule set for just a simple host? All of the examples assume a router. -- Will Backman - Network Administrator Coastal Enterprises, Inc. http://www.ceimaine.org

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
-Original Message- From: j knight [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 4:47 PM To: Will H. Backman Subject: Re: /usr/share/pf/ suggestion --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400: Would it be useful to add an example pf rule set for just

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
-Original Message- From: Jason Crawford [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 5:25 PM To: Will H. Backman Cc: j knight; Misc OpenBSD Subject: Re: /usr/share/pf/ suggestion On 8/23/05, Will H. Backman [EMAIL PROTECTED] wrote: -Original Message- From

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Will H. Backman [EMAIL PROTECTED] wrote: -Original Message- From: j knight [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 4:47 PM To: Will H. Backman Subject: Re: /usr/share/pf/ suggestion --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Theo de Raadt
Secondly, it seems pretty pointless to setup pf on a single host. That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the same machine. Probably every single one of us.

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Stuart Henderson
--On 23 August 2005 17:25 -0400, Jason Crawford wrote: Secondly, it seems pretty pointless to setup pf on a single host. It has its uses - spamd, for one...

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Theo de Raadt
That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the same machine. Probably every single one of us. I'm not sure I understand what you mean. If you're going to run a server, what's the point of blocking it? Might as well turn it

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Theo de Raadt
I never said that. PF isn't the only way to block packets, like TCP wrappers or ACL's within the server itself. That is horse shit, and shows that you don't know how actual code works. I prefer to filter problems BEFORE THE ACTUAL CODE RUNS. Perhaps you don't know what a pre-authentication bug

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Stuart Henderson [EMAIL PROTECTED] wrote: --On 23 August 2005 17:25 -0400, Jason Crawford wrote: Secondly, it seems pretty pointless to setup pf on a single host. It has it's uses - spamd, for one... Which is already covered in the spamd man page and doesn't need another

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Theo de Raadt [EMAIL PROTECTED] wrote: Secondly, it seems pretty pointless to setup pf on a single host. That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Theo de Raadt
Your statements are beyond ridiculous. You are saying If you need to filter it, you should not be running it. X doesn't have to listen on TCP 6000, you can setup a unix socket, and it's no longer reachable from the network, and you still have full functionality (I know, I do just that).

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Theo de Raadt [EMAIL PROTECTED] wrote: That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the same machine. Probably every single one of us. I'm not sure I understand what you mean. If you're going to run a server,

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Shawn K. Quinn
On Tue, 2005-08-23 at 17:25 -0400, Jason Crawford wrote: Secondly, it seems pretty pointless to setup pf on a single host. I beg to differ. man pf.conf, and look at the user and group keywords. -- Shawn K. Quinn [EMAIL PROTECTED]

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Aaron Glenn
On 8/23/05, Will H. Backman [EMAIL PROTECTED] wrote: I agree in general, but then start adding the gnome or kde desktop or other applications and you never know what is listening. what the hell?

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Ray Percival
On Tue, Aug 23, 2005 at 06:57:43PM -0400, Will H. Backman wrote: -Original Message- From: Theo de Raadt [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 6:53 PM To: Jason Crawford Cc: Will H. Backman; j knight; Misc OpenBSD Subject: Re: /usr/share/pf/ suggestion snip

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Nigel Wohlers
There is an example:

set pf=YES in /etc/rc.conf.local
reboot
pfctl -sr

will give you:

block drop all
pass on lo0 all
pass in proto tcp from any to any port = ssh keep state
pass out proto tcp from any to any port = domain keep state
pass out proto udp from any to any port = domain keep state
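The following is an added example, not code from this thread and not the default ruleset shipped in the OpenBSD tree. It takes the stock single-host ruleset Nigel shows and adds the three things the other posts mention: Bryan's max-src-states cap for a web server, the user keyword Shawn points to in pf.conf(5), and an overload table for ssh. The interface name em0, the admin network 192.0.2.0/24, the table name <bruteforce>, the user name www and all thresholds are assumptions to replace with your own. It is written in the 2005-era syntax the thread uses (explicit scrub rules and keep state); later releases changed that syntax.

```pf
# Added example single-host pf.conf (assumed names: em0, 192.0.2.0/24, www)
ext_if    = "em0"
admin_net = "192.0.2.0/24"     # RFC 5737 documentation prefix standing in for a real net

# Persistent table that the overload option below fills with abusive sources
table <bruteforce> persist

# Normalisation must precede filter rules in this era's grammar
scrub in all

# Default deny both ways; loopback unrestricted; drop packets spoofing our own net
block all
pass quick on lo0 all
antispoof quick for $ext_if

# Sources already in the table get nothing, before any pass rule is consulted
block in quick from <bruteforce>

# Management: ssh only from the admin network. A source that opens more than
# 5 connections in 30 seconds is added to <bruteforce> and all its states are killed.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Service: http/https to everyone, but no single client may hold more than
# 100 state entries, so one host cannot exhaust the state table.
pass in on $ext_if proto tcp from any to ($ext_if) port { www, https } \
    flags S/SA keep state (max-src-states 100)

# Outbound: sockets owned by the web server's user may not open anything,
# so a compromised httpd cannot phone home; the rest of the host gets DNS,
# NTP and outbound web/ssh. "user" matches only TCP and UDP sockets of local processes.
block out quick on $ext_if proto { tcp, udp } all user www
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain keep state
pass out on $ext_if proto udp from ($ext_if) to any port ntp keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { www, https, ssh } keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect who has been locked out with `pfctl -t bruteforce -T show`. Because pf uses last-match semantics, the quick rules are what make the table block and the per-user block take effect ahead of the later pass rules.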

Re: /usr/share/pf/ suggestion

2005-08-23 Thread eric
On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed... It is plain simple bad advice. And totally ridiculous. And plus, with ipv6, it's imperative that the filters be pushed down to the end-host so we can quit relying on stupid firewalls and NAT bullshit to break networks and slow

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Uwe Dippel
On Tue, 23 Aug 2005 16:53:25 -0600, Theo de Raadt wrote: You're wrong. Everyone -- run pf wherever you find it easier. Followed this discussion with interest. Doing the same thing (running pf) on my single-ended boxes; I actually questioned myself why all of this is not part of the base

Re: /usr/share/pf/ suggestion

2005-08-23 Thread Siju George
On 8/24/05, Jason Crawford [EMAIL PROTECTED] wrote: On 8/23/05, Will H. Backman [EMAIL PROTECTED] wrote: -Original Message- From: j knight [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 4:47 PM To: Will H. Backman Subject: Re: /usr/share/pf/ suggestion