Re: Duplicate pf rules when using groupname

2015-04-28 Thread Stuart Henderson
On 2015-04-27, Brian S. Vangsgaard b...@avalanic.dk wrote: When using interface groupnames in my pf.conf, I see the same rule 4 times when doing a pfctl -s rules. The interface group I'm using has a vlan and carp member. Ex. pass in on groupA from groupA:network to groupB:network tag

Re: Duplicate pf rules when using groupname

2015-04-28 Thread Brian S. Vangsgaard
Stuart Henderson wrote on 2015-04-28 15:55: Actually this is a bit odd, can't reproduce it here on 5.5 or -current. I'm running 5.5 GENERIC.MP SHA256 (/sbin/pfctl) = 9b84b5b3d846cf2f4c4a189d9711cc5d00c4ea096431df4eaea57ebfcd29de8c

Re: Duplicate pf rules when using groupname

2015-04-28 Thread Brian S. Vangsgaard
Using a single interface (ex. vlan) will only produce one line (as I expect it to do) in the pfctl -s rules output. This is probably the simplest fix. The actual packets you want to filter show up on the vlan interfaces anyway. You're right, this would be the best solution at the moment.

Duplicate pf rules when using groupname

2015-04-27 Thread Brian S. Vangsgaard
Hi, I'm getting a strange output from pfctl that I cannot explain, perhaps someone lurking on the list has the answer? When using interface groupnames in my pf.conf, I see the same rule 4 times when doing a pfctl -s rules. The interface group I'm using has a vlan and carp member. Ex. pass

Re: Duplicate pf rules when using groupname

2015-04-27 Thread Joseph Crivello
http://www.openbsd.org/faq/pf/macros.html Lists A list allows the specification of multiple similar criteria within a rule. For example, multiple protocols, port numbers, addresses, etc. So, instead of writing one filter rule for each IP address that needs to be blocked, one rule can be written

Re: Duplicate pf rules when using groupname

2015-04-27 Thread Brian S. Vangsgaard
Lists A list allows the specification of multiple similar criteria within a rule. For example, multiple protocols, port numbers, addresses, etc. So, instead of writing one filter rule for each IP address that needs to be blocked, one rule can be written by specifying the IP addresses in a

Re: PF rules loading bug on OpenBSD 5.6

2014-12-03 Thread David Dahlberg
On Wednesday, 03.12.2014, 11:08 +0800, Cosmo Wu wrote: and it parsed correctly using command pfctl -nf /etc/pf.conf.test when I loaded it from the command pfctl -f /etc/pf.conf.test it grumbled: pfctl: DIOCXCOMMIT: Invalid argument Happens usually, if the pf.conf is

Re: PF rules loading bug on OpenBSD 5.6

2014-12-02 Thread Cosmo Wu
Could anyone run into these problems? thanks! On 14.11.2014 14:50, Cosmo Wu wrote: Hi Misc , There is a no-syntax-error pf config file ( such a pf.conf.test ) , but another queue named differently is created on the same interface. and it parsed correctly using command pfctl -nf

PF rules loading bug on OpenBSD 5.6

2014-11-13 Thread Cosmo Wu
Hi Misc , There is a no-syntax-error pf config file ( such a pf.conf.test ) , but another queue named differently is created on the same interface. and it parsed correctly using command pfctl -nf /etc/pf.conf.test when I loaded it from the command pfctl -f /etc/pf.conf.test it

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-07 Thread Christophe
the lease information to a file, then watch that file for changes (sysutils/entr in ports is good to trigger running a script based on this), parse the relevant lines, and reload your PF rules with the -D flag to set macros (e.g. pfctl -D ext_gw1=$someaddr -D ext_gw2=$otheraddr -f /etc/pf.conf

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-06 Thread Stuart Henderson
for changes (sysutils/entr in ports is good to trigger running a script based on this), parse the relevant lines, and reload your PF rules with the -D flag to set macros (e.g. pfctl -D ext_gw1=$someaddr -D ext_gw2=$otheraddr -f /etc/pf.conf).

Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Christophe
Hi misc@, I was wondering about the behavior of OpenBSD in this case (not a production case at this time). 2 WAN interfaces (Ethernet / IPv4 DHCP) , linked to an OpenBSD box and 1 LAN interface (Ethernet / IPv4 static address) WAN1 (em0 DHCP) - |--- OpenBSD - LAN

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Stefan Sperling
On Mon, Aug 04, 2014 at 08:39:10PM +0200, Christophe wrote: Hi misc@, I was wondering about the behavior of OpenBSD in this case (not a production case at this time). 2 WAN interfaces (Ethernet / IPv4 DHCP) , linked to an OpenBSD box and 1 LAN interface (Ethernet / IPv4 static address)

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Giancarlo Razzolini
On 04-08-2014 15:39, Christophe wrote: I was wondering about the behavior of OpenBSD in this case (not a production case at this time). 2 WAN interfaces (Ethernet / IPv4 DHCP) , linked to an OpenBSD box and 1 LAN interface (Ethernet / IPv4 static address) WAN1 (em0 DHCP) -

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Brent Cook
trying to do. It uses ifstated to adjust pf rules dynamically based on usability of the WAN interfaces, load-balancing outbound connections between the two gateways as well: https://www.geeklan.co.uk/?p=1564 Thanks and regards, Christophe.

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Fabian Raetz
On Mon, Aug 04, 2014 at 08:39:10PM +0200, Christophe wrote: Hi misc@, I was wondering about the behavior of OpenBSD in this case (not a production case at this time). 2 WAN interfaces (Ethernet / IPv4 DHCP) , linked to an OpenBSD box and 1 LAN interface (Ethernet / IPv4 static address)

Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Giancarlo Razzolini
On 04-08-2014 17:01, Fabian Raetz wrote: Maybe giving one of your interfaces a lower priority could solve this problem in a simple setup? If used with mpath routing, then probably this would work. As I mentioned, there is only need to take proper care of the resolv.conf file, since both

test tool to load pf rules

2014-06-14 Thread Stéphane Guedon
Hello the list. First, I wish you all a great weekend. Second, I am wondering if someone knows or has written some tool to prevent yourself from being locked out of your online ssh server when writing pf rules. Something like : copy the new pf rules in /tmp, load them, and ask the user

Re: test tool to load pf rules

2014-06-14 Thread sven falempin
On Sat, Jun 14, 2014 at 7:17 AM, Stéphane Guedon steph...@22decembre.eu wrote: Hello the list. First, I wish you all a great weekend. Second, I am wondering if someone knows or has written some tool to prevent yourself from being locked out of your online ssh server when writing pf rules

Re: test tool to load pf rules

2014-06-14 Thread Gregor Best
I just use something like pfctl -v -f /etc/pf.conf.new ; sleep 30; pfctl -f /etc/pf.conf in a tmux session. That gives me 30 seconds to test what I was going to test and then reverts to the original file. -- Gregor Best -- After I run your program, let's make love like crazed

Re: test tool to load pf rules

2014-06-14 Thread Stéphane Guedon
On Saturday 14 June 2014 05:55:19, you wrote: If the user doesn't answer, that means for some reason pf has blocked ssh connection. This shouldn't happen as long as you don't flush your state table. That happened quite often. Obviously I am to blame. Now I take extra precaution. And

Re: test tool to load pf rules

2014-06-14 Thread Nicolai
On Sat, Jun 14, 2014 at 01:17:14PM +0200, Stéphane Guedon wrote: Second, I am wondering if someone knows or has written some tool to prevent yourself from being locked out of your online ssh server when writing pf rules. Something like : copy the new pf rules in /tmp, load them, and ask

PANIC when loading pf rules

2013-06-03 Thread Raimundo Santos
Hello! If you are following my debut here in misc@ (if not, please help me to put our OpenBSD to rock this network!), you are somehow familiar with my problems. I was trying to reproduce the panic in another context, but unsuccessful... it only happens in production. Well, this is the ruleset:

I can't find what is wrong with these PF rules

2013-06-01 Thread John Tate
I am trying to set up a simple nat on OpenBSD 5.3, I copied from another config that is working. ext_if=em0 int_if=em1 ipv6=2607:f2f8:aa18::2 ipv4=208.79.92.130 local_net=192.168.1.0/24 cyrus=192.168.1.2 cyrus_ports = { 2022 } tcp_serv = { ftp, ssh, http, https, 1, , 8080, 8022,

Re: I can't find what is wrong with these PF rules

2013-06-01 Thread John Tate
I forgot to sysctl net.inet.ip.forwarding=1 lol. On Sun, Jun 2, 2013 at 8:36 AM, John Tate j...@johntate.org wrote: I am trying to set up a simple nat on OpenBSD 5.3, I copied from another config that is working. ext_if=em0 int_if=em1 ipv6=2607:f2f8:aa18::2 ipv4=208.79.92.130

Re: Using hostnames in pf rules

2013-03-18 Thread Gilles LAMIRAL
Hi all, make a table, and have cron update the contents of this table with the result of the latest resolved ip. Thanks all three for your answers. -- Goodbye, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06

Using hostnames in pf rules

2013-03-15 Thread Gilles LAMIRAL
Hello, I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can change at any minute (TTL 60). Is there a flag to tell pf to resolve the name each time it tries to match this part? The domain name server is trusted and

Re: Using hostnames in pf rules

2013-03-15 Thread Janne Johansson
make a table, and have cron update the contents of this table with the result of the latest resolved ip. 2013/3/15 Gilles LAMIRAL gilles.lami...@laposte.net Hello, I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can

Re: Using hostnames in pf rules

2013-03-15 Thread Peter N. M. Hansteen
On Fri, Mar 15, 2013 at 11:16:53AM +0100, Gilles LAMIRAL wrote: I need to use a hostname in a pf rule to allow a connection. The hostname is needed because the resolution is dynamic, it can change at any minute (TTL 60). host names in pf.conf and friends are resolved at load time so it's

Re: Using hostnames in pf rules

2013-03-15 Thread Stuart Henderson
2013/3/15 Gilles LAMIRAL gilles.lami...@laposte.net Is there a flag to tell pf to resolve the name each time it tries to match this part? This would mean having a DNS resolver in the kernel; not going to happen. On 2013-03-15, Janne Johansson icepic...@gmail.com wrote: make a table, and

Re: How to stress (performance?) test my PF rules?

2012-09-22 Thread Nicolai
On Fri, Sep 21, 2012 at 09:33:04AM -0700, Ed Flecko wrote: Does anyone have any suggestions on how to best test the performance of my PF ruleset? Maybe iperf? Well, the traffic to your machine will be highly unique based on what you use it for, so pre-made testing tools will not be adapted to

How to stress (performance?) test my PF rules?

2012-09-21 Thread Ed Flecko
Does anyone have any suggestions on how to best test the performance of my PF ruleset? Maybe iperf? I'm just diving into learning PF and as I make changes to my ruleset, it would be great if there's a good way of testing the traffic flow through my OBSD box. Suggestions? Thank you, Ed

trunk0, inet6 , pf rules

2012-06-27 Thread Bogdan Andu
Hello, I have a service listening both on inet and inet6 sockets, so I have inet6 traffic going in to that service Because I have trunk0 setup, a rule like: (3) pass in inet6 proto tcp to port $service_port queue services does not solve the problem, because only few packets and sometimes

Re: Using bridge and carp interfaces with pf rules

2012-06-17 Thread carlopmart
/hostname.em6 up /etc/hostname.em7 inet 172.25.60.1 255.255.255.240 /etc/hostname.bridge0 add em6 add em7 -blocknonip em6 -blocknonip em7 -stp em6 -stp em7 fwddelay 4 up and my pf rules are simple: pass in quick on em6 all pass out quick on em6 all block in on em7 all block out on em7 all pass

Using bridge and carp interfaces with pf rules

2012-06-16 Thread carlopmart
172.25.60.1 255.255.255.240 /etc/hostname.bridge0 add em6 add em7 -blocknonip em6 -blocknonip em7 -stp em6 -stp em7 fwddelay 4 up and my pf rules are simple: pass in quick on em6 all pass out quick on em6 all block in on em7 all block out on em7 all pass in quick on em7 proto tcp from any to any

Monitoring PF rules on egress interface not showing pass definitions

2012-03-02 Thread Kaya Saman
Hi, I created a virtual instance of OpenBSD 5.0 x64 RELEASE edition using VirtualBox and set it up to be used as router/gateway with NAT. Taking this: http://www.openbsd.org/faq/pf/example1.html as an example for practically getting to know packet filter which I've never used before and get

Perplexed by PF rules in NAT

2011-10-17 Thread Stefan Midjich
I had this gateway with NAT working fine until I added another for load balancing using carp. So now I've been slowly discovering the ins and outs of carp in PF rules. Namely that packets seem to be going in and out of the physical interfaces, but in on the carp interfaces at the same time. Only

Re: Perplexed by PF rules in NAT

2011-10-17 Thread Stefan Midjich
Stefan Midjich sweh...@gmail.com: I had this gateway with NAT working fine until I added another for load balancing using carp. So now I've been slowly discovering the ins and outs of carp in PF rules. Namely that packets seem to be going in and out of the physical interfaces

Why are my PF rules blocking FTP?

2011-09-14 Thread Gerard Lally
System: OpenBSD 4-9 i386 I am pasting a link to the entire PF ruleset. http://pastebin.com/vdbidqAL I would be grateful if someone more knowledgeable about PF would explain to me why I can't browse an FTP server (eg., ftp.heanet.ie) from a client (eg., Firefox) behind the firewall with the

Re: Why are my PF rules blocking FTP?

2011-09-14 Thread Gerard Lally
On Wed, 14 Sep 2011 15:21:42 +0100 Gerard Lally ger...@netmail.ie wrote: I would be grateful if someone more knowledgeable about PF would explain to me why I can't browse an FTP server (eg., ftp.heanet.ie) from a client (eg., Firefox) behind the firewall with the rules as they stand. Sorry

Re: Why are my PF rules blocking FTP?

2011-09-14 Thread Peter N. M. Hansteen
Gerard Lally ger...@netmail.ie writes: System: OpenBSD 4-9 i386 I am pasting a link to the entire PF ruleset. http://pastebin.com/vdbidqAL I would be grateful if someone more knowledgeable about PF would explain to me why I can't browse an FTP server (eg., ftp.heanet.ie) from a client

Re: pf rules

2011-04-17 Thread Muhammad Muntaza
2011/4/17, gdrm g...@email.it: table terlarang persist file /etc/terlarang block in quick on re0 from terlarang in /etc/terlarang 10.0.0.0/8 192.168.0.0/16 xxx.xxx.xxx.xxx Muhammad Muntaza bin Hatta -- Indonesia http://muntaza.wordpress.com

pf rules

2011-04-16 Thread gdrm
Hi, I don't know much about pf, I want to block this IP black list and I want to block ssh and telnet out from my lan...is this the right way? Can I put this IP black list in a file and use it with pf tables? Thanks vvm! block in on re0 proto {tcp udp } from { x.219.37.16, 209.160.28.116 \ ,

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-02 Thread Indunil Jayasooriya
But, it always directs to one particular ip address. How to see load balancing? today, I myself learnt it from the below url http://www.openbsd.org/faq/pf/pools.html#incoming match in on $ext_if proto tcp to port 80 rdr-to $web_servers \ round-robin *sticky-address * * * Successive

pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Indunil Jayasooriya
Hi list, I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to *highlighted BOLD* rules . they are the ones I have written. But, I can NOT login to these web

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Ryan McBride
On Tue, Feb 01, 2011 at 02:22:25PM +0530, Indunil Jayasooriya wrote: I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to *highlighted BOLD* rules . they are

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread lilit-aibolit
Indunil Jayasooriya writes: Hi list, I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to *highlighted BOLD* rules . they are the ones I have written. But, I

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Indunil Jayasooriya
*match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to $web_servers \ round-robin sticky-address * You need to pass the inbound traffic somehow (match doesn't do this). Either change the 'match in' above to 'pass in', YES, changed. It worked. or add another rule

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Rodrigo Mosconi
2011/2/1 Indunil Jayasooriya induni...@gmail.com # macros (...) web_servers = { 192.168.x.64, 192.168.x.66, 192.168.x.67 } lan_net=192.168.x.0/24 A table isn't better? I mean, we can control it without reloading the pf rules and the matching algorithm is better.

pf rules order

2010-11-05 Thread R0me0 ***
Hello there, I posted previously my doubt with the follow subject: 4.7 and ftp-proxy I don't know what are occurring. I have the follow rules: table ftp { address1, address2, address3 } table ftppriv { internal_addr1, internal_addr2 } pass in quick on $int_if proto tcp from ftppriv to port

Help with PF rules

2010-03-23 Thread Masao Garcia
Hello, I was wondering if someone can help me with PF rules..it doesn't have to be exact syntax-maybe a high level explanation might be enough. Internet | BSD | / \ 192.168.10.0/24

Re: IPv6, ftp-proxy and PF rules

2010-03-12 Thread Mattieu Baptiste
On Fri, Mar 12, 2010 at 1:06 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote: Local IPv6 redirects do not work at least not to ::1. This is a bu^Wfeature in netinet6. It seems none of our IPv6 users care too much to fix it (or they're equally scared of the code). Hi, Thanks for the help.

Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread FRLinux
On Thu, Mar 11, 2010 at 6:45 AM, Mattieu Baptiste mattie...@gmail.com wrote: correctly routed on my firewall. But as I don't want to route a giant port range for FTP on this firewall, I intend to use ftp-proxy. But the rdr-to rule doesn't seem to redirect packets to the ftp-proxy process. I

Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread Claudio Jeker
On Mon, Mar 08, 2010 at 10:36:46AM +0100, Mattieu Baptiste wrote: Hi all, I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I'd like to make it accessible through my IPv6 connectivity (gif

Re: IPv6, ftp-proxy and PF rules

2010-03-10 Thread FRLinux
On Tue, Mar 9, 2010 at 5:02 PM, Mattieu Baptiste mattie...@gmail.com wrote: I'd like to make it accessible through my IPv6 connectivity (gif tunnel with hurricane electric). With this IPv6 connectivity, all my servers have public addresses. But I can't find a way to do it with ftp-proxy which

Re: IPv6, ftp-proxy and PF rules

2010-03-10 Thread Mattieu Baptiste
On Thu, Mar 11, 2010 at 1:54 AM, FRLinux frli...@gmail.com wrote: Just a shot in the dark here but why not enabling your local net with router advertisement? (man rtadvd) rtadvd has to do with stateless autoconfiguration. I use it on my private local network. On my dmz, all machines are

Re: IPv6, ftp-proxy and PF rules

2010-03-09 Thread Mattieu Baptiste
On Mon, Mar 8, 2010 at 10:36 AM, Mattieu Baptiste mattie...@gmail.com wrote: Hi all, I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I'd like to make it accessible through my IPv6 connectivity

IPv6, ftp-proxy and PF rules

2010-03-08 Thread Mattieu Baptiste
Hi all, I have a public FTP server accessible through redirections on my firewall via ftp-proxy (my server has a private IPv4 address on a local subnet). I'd like to make it accessible through my IPv6 connectivity (gif tunnel with hurricane electric). With this IPv6 connectivity, all my servers

Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Kenneth R Westerback
On Wed, Feb 17, 2010 at 07:51:03AM +0100, Per-Olov Sjöholm wrote: On 17 feb 2010, at 02.07, Randal L. Schwartz wrote: Paul == Paul de Weerd we...@weirdnet.nl writes: Paul Jeez... As an asker, you don't really get to decide how or what other Paul people answer, or if they even answer at

Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Peter Hessler
On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote: :Answer correctly or don't answer at all. It seems to me that people *did* answer correctly. But, their answer was not what you wanted to hear. The answer: don't use port knocking, use a randomized url.

Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Per-Olov Sjöholm
On 17 feb 2010, at 12.38, Peter Hessler wrote: On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote: :Answer correctly or don't answer at all. It seems to me that people *did* answer correctly. But, their answer was not what you wanted to hear. The answer: don't use port

PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on my DMZ that is not in use on a port that is fake I want to dynamically add a PF rule for a

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
I will access non critical info but want at least a port knocker as security. s/security/inappropriate self-touching/

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote: Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on my DMZ that is not in

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Claudio Jeker
On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote: Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on my DMZ that is not in

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 10.40, Claudio Jeker wrote: On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote: Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Floor Terra
Why not require an authentication token in the url? On 16 Feb 2010 10:59, Per-Olov Sjöholm pe...@incedo.org wrote: On 16 feb 2010, at 10.40, Claudio Jeker wrote: On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov... How do you use authpf from an iPhone or similar... The reason is to use and

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote: How do you use authpf from an iPhone or similar... Probably Fugu or Cyberduck or, if you can get a shell, plain openssh, as Fugu is a UI for the client. http://rsug.itd.umich.edu/software/fugu/ http://cyberduck.ch/ /Lars

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.04, Floor Terra wrote: Why not require an authentication token in the url? On 16 Feb 2010 10:59, Per-Olov Sjöholm pe...@incedo.org wrote: On 16 feb 2010, at 10.40, Claudio Jeker wrote: On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov... How do you use authpf from a

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm pe...@incedo.org writes: How do you use authpf from an iPhone or similar... There are ssh clients for iphones, just look in the app store. The one I ended up installing has gone up in price it seems to (shock, horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.11, Lars Nooden wrote: http://rsug.itd.umich.edu/software/fugu/ Noop. Can't see that these will work on all phones and computers seamlessly with ease of use for the users. The reason for the post was just to see if there is already any tools for this purpose, which is

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
There is a way to do port knocking in pf without any external help. Maybe you can figure it out. I will not give more hints since port knocking is a dumb idea better spend your time reading on authpf(8). -- :wq Claudio How do you use authpf from an iPhone or similar... The

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Bret S. Lambert wrote: There is a way to do port knocking in pf without any external help. Maybe you can figure it out. I will not give more hints since port knocking is a dumb idea better spend your time reading on authpf(8). -- :wq Claudio How do you use

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Peter N. M. Hansteen wrote: Per-Olov Sjöholm pe...@incedo.org writes: How do you use authpf from an iPhone or similar... There are ssh clients for iphones, just look in the app store. The one I ended up installing has gone up in price it seems to (shock, horror)

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote: On 16 feb 2010, at 11.17, Bret S. Lambert wrote: There is a way to do port knocking in pf without any external help. Maybe you can figure it out. I will not give more hints since port knocking is a dumb idea better spend

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.44, Lars Nooden wrote: Per-Olov Sjöholm wrote: On 16 feb 2010, at 11.11, Lars Nooden wrote: http://rsug.itd.umich.edu/software/fugu/ Noop. Can't see that these will work on all phones and computers seamlessly with ease of use for the users. You appear to have

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote: On 16 feb 2010, at 11.11, Lars Nooden wrote: http://rsug.itd.umich.edu/software/fugu/ Noop. Can't see that these will work on all phones and computers seamlessly with ease of use for the users. You appear to have asked about clients for the iphone, not all

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.35, Bret S. Lambert wrote: On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote: On 16 feb 2010, at 11.17, Bret S. Lambert wrote: There is a way to do port knocking in pf without any external help. Maybe you can figure it out. I will not give more hints

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Stuart Henderson
On 2010-02-16, Per-Olov Sjöholm pe...@incedo.org wrote: The reason is to use an RSS reader that cannot authenticate. I want some sort of security for it even though it's not critical. https://some.host/super-sekrit-password-here/feed.rss gives more security than trying to use a web browser

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi again Lars... And important addition below On 16 feb 2010, at 11.44, Lars Nooden wrote: Per-Olov Sjöholm wrote: On 16 feb 2010, at 11.11, Lars Nooden wrote: http://rsug.itd.umich.edu/software/fugu/ Noop. Can't see that these will work on all phones and computers seamlessly with

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Jussi Peltola
Just put your data on some funny port, then? Or give it a long and hard to guess name, that might actually have sufficient entropy to be any use. A less-than-16-bit random port is rather easy to guess. And, if you really want to do port blocking, read the pf man page. It is possible with a rule

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote: See my post to Peter H. You obviously have not worked with security Why? Because I'm unwilling to endorse your preferred approach? and the tradeoffs you _always_ have to make. Yes, you make tradeoffs, but you're asking for

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm p...@incedo.org writes: None said anything about a password.. From where did you get that? I don't have a plain text password. A port knocking sequence is for most purposes a password, encoded in a 16 bit alphabet. That's it - port numbers run from 0 through 64k, although

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Lars Nooden
Per-Olov Sjöholm wrote: ...Or did I miss something here? You missed quite a lot. I would recommend looking up the following before aggravating a larger public: client - server architecture client application server (daemon) rss ssh http, https

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Lars Nooden wrote: Per-Olov Sjöholm wrote: ...Or did I miss something here? You missed quite a lot. I would recommend looking up the following before aggravating a larger public: client - server architecture client application server (daemon)

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.57, Stuart Henderson wrote: On 2010-02-16, Per-Olov Sjöholm pe...@incedo.org wrote: The reason is to use an RSS reader that cannot authenticate. I want some sort of security for it even though it's not critical. https://some.host/super-sekrit-password-here/feed.rss

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.07, Bret S. Lambert wrote: On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote: See my post to Peter H. You obviously have not worked with security Why? Because I'm unwilling to endorse your preferred approach? and the tradeoffs you _always_ have to make.

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
On Tue, Feb 16, 2010 at 12:27:44PM +0100, Per-Olov Sjöholm wrote: On 16 feb 2010, at 12.07, Bret S. Lambert wrote: On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote: See my post to Peter H. You obviously have not worked with security Why? Because I'm unwilling to

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Peter N. M. Hansteen wrote: Per-Olov Sjöholm p...@incedo.org writes: None said anything about a password.. From where did you get that? I don't have a plain text password. A port knocking sequence is for most purposes a password, encoded in a 16 bit alphabet.

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Peter N. M. Hansteen
Per-Olov Sjöholm p...@incedo.org writes: we have to use something that works from all places. The content is not a secret, but something you have to pay a little for. So... not critical. Being the lazy git that I am, I could imagine that simply generating a sufficiently obfuscated set of

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Bret S. Lambert
So if anybody can come up with a better approach I will be very happy. You've already been told, by multiple people, that a better approach is to use the things that are available to you via the rich possibilities of HTTP to solve this problem. Sometimes, you're the lone genius who is

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Floor Terra
On Tue, Feb 16, 2010 at 12:27 PM, Per-Olov Sjöholm p...@incedo.org wrote: There is no authentication available in most RSS clients. If it was, i would of course prefer or at least consider that. I am not that stupid you know. https://example.com/feed.php?user=floortpasswd=SUPERSECRET Every

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Eugene Yunak
2010/2/16 Per-Olov Sjöholm p...@incedo.org: Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on my DMZ that is not in use on a port that is

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 17.17, Eugene Yunak wrote: 2010/2/16 Per-Olov Sjöholm p...@incedo.org: Hi misc I am looking for a tool to use as a trigger for dynamically open PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Paul de Weerd
On Wed, Feb 17, 2010 at 12:40:02AM +0100, Per-Olov Sjöholm wrote: | Amazing that so many people in this forum cannot read and therefore answer to B | when I ask for A. It's amazing that you get so much free (and good, imo) advice and then not only completely ignore it, but even go out of your way

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Randal L. Schwartz
Paul == Paul de Weerd we...@weirdnet.nl writes: Paul Jeez... As an asker, you don't really get to decide how or what other Paul people answer, or if they even answer at all. As I snipped off a Usenet group once: Get real! This is a discussion group, not a helpdesk. You post something

Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 17 feb 2010, at 02.07, Randal L. Schwartz wrote: Paul == Paul de Weerd we...@weirdnet.nl writes: Paul Jeez... As an asker, you don't really get to decide how or what other Paul people answer, or if they even answer at all. As I snipped off a Usenet group once: Get real! This is a

Re: Problem with pf rules.

2010-01-15 Thread Saulo Bozzi
Well, My rules of rdr now work, but don't log on. Only the out of rdr port 8080. Any suggestion? Thanks, Bye. 2010/1/14 PsYkHe psyk...@gmail.com Damn man!!!.Holy crap.I really forgot this detail... Thanks Man. Regards. did you net.inet.ip.forwarding=1 in sysctl? regards

Problem with pf rules.

2010-01-14 Thread PsYkHe
I'm in trouble trying to get a router/firewall OpenBSD 4.6 in vmware and a Slackware 13 to talk through host-only. But the main problem now is making the OpenBSD do a rdr to the Slackware webserver. Well, I'll try to describe the situation: The OpenBSD 4.6 has two interfaces: One bridge One

Re: Problem with pf rules.

2010-01-14 Thread Karl-Heinz Wild
did you net.inet.ip.forwarding=1 in sysctl? regards karl-heinz On 14.01.2010, at 16:10, PsYkHe wrote: I'm in trouble trying to get a router/firewall OpenBSD 4.6 in vmware and a Slackware 13 to talk through host-only. But the main problem now is making the OpenBSD do a rdr to the webserver
