Did you set "net.inet.ip.forwarding=1" in sysctl?
regards
karl-heinz
On 14.01.2010, at 16:10, PsYkHe wrote:
> I'm in troubles to put a router/firewall Openbsd 4.6 at vmware and at
> Slackware 13 to can "talk" through of host-only. But the main problem now is
> the OpenBSD make a rdr to webserver Sl
I'm in troubles to put a router/firewall Openbsd 4.6 at vmware and at
Slackware 13 to can "talk" through of host-only. But the main problem now is
the OpenBSD make a rdr to webserver Slackware. Well, I'll try describe the
situation:
The OpenBSD 4.6 has two interfaces:
One bridge
One host-on
Josh Grosse wrote:
> On Fri, 02 Oct 2009 19:10:46 +0100, AG wrote
>
>
>> The installation was from the 3.6 CD set and barebones to be a
>> headless firewall. I don't recall if I enabled a ftp-proxy to be
>> installed at that time. I'm not even sure whether I enabled if the
>> ports system w
On Fri, 02 Oct 2009 19:10:46 +0100, AG wrote
> The installation was from the 3.6 CD set and barebones to be a
> headless firewall. I don't recall if I enabled a ftp-proxy to be
> installed at that time. I'm not even sure whether I enabled if the
> ports system was installed
Just so you k
Jorge Enrique Valbuena Vargas wrote:
Hello,
Take a look at :
http://www.openbsd.org/faq/pf/ftp.html
Maybe it can help !
On Thu, Oct 1, 2009 at 3:52 PM, AG wrote:
Hello
I want to download via ftp, but am unable to do so. I believe that it
would have something to do with my pf.conf fil
Hello,
Take a look at :
http://www.openbsd.org/faq/pf/ftp.html
Maybe it can help !
On Thu, Oct 1, 2009 at 3:52 PM, AG wrote:
> Hello
>
> I want to download via ftp, but am unable to do so. I believe that it
> would have something to do with my pf.conf file in my firewall, so have
> listed t
Hello
I want to download via ftp, but am unable to do so. I believe that it
would have something to do with my pf.conf file in my firewall, so have
listed that below.
### simple pf.conf ##
# allow all outgoing TCP, UDP
# allow outgoing ICMP ping
# specifically block 1
Sha'ul wrote:
I tried writing my rules to allow only 1 SSH login at a time, and to
lock out everyone else until the current person has closed
their SSH session, and then it is open for someone else to SSH in if
need be.
My problem seems to be is it only allows 1 SSH login and tha
I tried writing my rules to allow only 1 SSH login at a time, and to
lock out everyone else until the current person has closed their
SSH session, and then it is open for someone else to SSH in if need be.
My problem seems to be is it only allows 1 SSH login and that's it, have
to reboot
Hello, World!
I've found my bug by myself. So for those interested, have a look
below.
Antoine Junod <[EMAIL PROTECTED]> writes:
[...]
> I'm facing what I think is a problem in my pf.conf rules set. Here is
> my setup:
>
> I've a private network, 192.168.1.0/24, with 192.168.1.1 being the
> def
Dear List,
I'm facing what I think is a problem in my pf.conf rules set. Here is
my setup:
I've a private network, 192.168.1.0/24, with 192.168.1.1 being the
default gateway. It runs OpenBSD and pf. Another box on the network,
192.168.1.4, is a gateway to the 10.82.6.0/24 network.
On 192.168.1.1
Hello all,
I've RTFM (man pf.conf) and found this :
"Only TCP and UDP packets can be associated with users; for other
protocols these parameters are ignored."
But I'm pretty sure it was working before the upgrade from 4.0 to 4.1,
then 4.2, then 4.3 (in fact, what caught my attention is that
program whenever someone comes up with a new
>> need.
>
>Now that the 'tag' option is available I don't expect ftp-proxy to gain
>any more options wrt. to the pf rules it creates, because you can
>implement those yourself using 'tagged'.
Only if exactly the s
On Mon, 17 Mar 2008, Stuart Henderson wrote:
>On 2008-03-17, Dave Anderson <[EMAIL PROTECTED]> wrote:
>> I've been working on the pf configuration for my home firewall,
>> including setting up ftp-proxy. I've noticed that the command is
>> getting cluttered with options to adjust the rules it cre
t, or
> whatever. It seems to me to be a good way both to avoid needing more
> and more options to tweak the generated rules and to avoid the delay
> involved in modifying the program whenever someone comes up with a new
> need.
Now that the 'tag' option is available I don
On 2008-03-17, Dave Anderson <[EMAIL PROTECTED]> wrote:
> I've been working on the pf configuration for my home firewall,
> including setting up ftp-proxy. I've noticed that the command is
> getting cluttered with options to adjust the rules it creates to the
> needs of different pf configurations
I've been working on the pf configuration for my home firewall,
including setting up ftp-proxy. I've noticed that the command is
getting cluttered with options to adjust the rules it creates to the
needs of different pf configurations. Has any thought been given to
allowing arbitrary nat, rdr and
On Mon, Mar 3, 2008 at 6:34 PM, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Fratiman Vladut <[EMAIL PROTECTED]> [2008-03-01 23:16]:
>
>
> since there is no ng interface on OpenBSD I assume you use some other
> OS. which probably means you are doomed. On OpenBSD, you use interface
> groups for
* Fratiman Vladut <[EMAIL PROTECTED]> [2008-03-01 23:16]:
> I have an pppoe server. How i can write pf rules for this situation, in
> order to specify any interface, ng0, ng1, .
> I see that isn't any possibility to use wildcard in macros, something like
> this: n
On 2008-03-02, Fratiman Vladut <[EMAIL PROTECTED]> wrote:
> Ng interface is a netgraph node (virtual interface), like tun or tap,
> that is used by mpd4 daemon.
> Mpd4 acts as access concentrator, in order to give access to internet
> based on pppoe method.
> I use FreeBSD as OS, with pf firewall.
Ng interface is a netgraph node (virtual interface), like tun or tap,
that is used by mpd4 daemon.
Mpd4 acts as access concentrator, in order to give access to internet
based on pppoe method.
I use FreeBSD as OS, with pf firewall. This is why I post on OpenBSD
mailing list, because is father of p
On 2008-03-02, Fratiman Vladut <[EMAIL PROTECTED]> wrote:
> Thanks! Works very well. Now, how can I configure the system in order to
> make these changes every time it boots? How can I add all ng interfaces
> to the "ng" group at boot time?
What is an "ng interface"?
Substitute the "group-name" for the interface name in
the applicable pf rule. One group-name based rule covers off all the
member interfaces.
:-)
-Original Message-
From: Fratiman Vladut <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: write pf rules for acces concentra
timan Vladut <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: write pf rules for acces concentrator server (pppoe)
Date: Sun, 02 Mar 2008 00:10:50 +0200
Mailer: Thunderbird 2.0.0.12 (Windows/20080213)
Delivered-To: [EMAIL PROTECTED]
I have an pppoe server. How i can write pf rules for th
I have an pppoe server. How i can write pf rules for this situation, in
order to specify any interface, ng0, ng1, .
I see that isn't any possibility to use wildcard in macros, something
like this: ng_if="ng*".
Obviously isn't very easy to have an rule for every ng i
Hi,
I'm trying to setup PF Rules for a new OpenBSD 4.2 installation, but
after struggling for a few days I still can't get it the way I need it
to be. This is my first time setting up a pf.conf file, so any
assistance would be greatly appreciated.
What I need:
- A firewall that a
David Newman wrote:
On 9/7/07 8:59 AM, Stuart Henderson wrote:
On 2007/09/07 08:41, David Newman wrote:
1. I believe "keep state" is still needed when using queuing. The
pf.conf manpage says it must be specified explicitly to apply options to
a rul
On 9/7/07 8:59 AM, Stuart Henderson wrote:
> On 2007/09/07 08:41, David Newman wrote:
>> 1. I believe "keep state" is still needed when using queuing. The
>> pf.conf manpage says it must be specified explicitly to apply options to
>> a rule.
>
> Only
On 2007/09/07 08:41, David Newman wrote:
>
> 1. I believe "keep state" is still needed when using queuing. The
> pf.conf manpage says it must be specified explicitly to apply options to
> a rule.
Only for state-related options (max-src-conn-rate and so);
queue is separate (and may also be used wh
On 9/7/07 7:54 AM, mail-lists wrote:
> I'm attempting to set up pf for a voip system. In order to prioritize
> VoIP packets I have this queue:
>
> altq on $ext_if priq bandwidth 1.4Mb queue {std_out, voip_out,
> tos_lowdelay_out}
> queue std_out priq(
On 2007/09/07 10:54, mail-lists wrote:
>
> This normally works very well. I'm planning to allow all inbound traffic to
> my VOIP Server like this:
>
> pass in quick log on $ext_if proto {tcp,udp} from any to $VOIP_SERVERS port
> $VOIP_PORTS
You can queue here too, return traffic matching the st
Hello everyone,
I have what might amount to a silly question.
I'm attempting to set up pf for a voip system. In order to prioritize
VoIP packets I have this queue:
altq on $ext_if priq bandwidth 1.4Mb queue {std_out, voip_out,
tos_lowdelay_out}
queue std_out priq(default)
queue voip_out pri
Wild Karl-Heinz <[EMAIL PROTECTED]> writes:
> Is this a feature or my fault?
Not sure what you used to do, but you can set group additional names
for interfaces yourself with ifconfig or via hostname.if
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.li
I use since the beginning of interface naming
this very nice feature in pf.
e.g.
pass in on lan_if from 10.0.0.1/8 flags S/SA keep state
This rule worked before -current.
Now I had to change the "group" name of
the interface to "lan" instead of "lan_if".
Now it works again.
Is this a feature or
On Fri, Mar 30, 2007 at 11:51:43AM +0200, Anze Povsic wrote:
> Hello!
>
> First of all I would like to say many many thanks to obsd community especially
> to obsd developers for really great product
> I really appreciate your work, now is a second time I pre-order cd-set just to
> support the proje
Hello!
First of all I would like to say many many thanks to obsd community especially
to obsd developers for really great product
I really appreciate your work, now is a second time I pre-order cd-set just to
support the project.
but what I wrote this message is that I would like to hear what you
t; > I want that there should be no greylisting/filtering on fxp1 (I have
> > > > the related ports opened in the PIX) & it should be enabled only for
> > > > fx0.
> > > >
> > > > The server will be used as Mail se
rts opened in the PIX) & it should be enabled only for
> > > fx0.
> > >
> > > The server will be used as Mail server.
> > >
> > > Please help. I want to check if the below rules are correct.
> > > My Pf rules are as follows:
> > >
server will be used as Mail server.
> >
> > Please help. I want to check if the below rules are correct.
> > My Pf rules are as follows:
> >
> > # PF Conf
> > # ###
> > # Macros
> > #
> >
> > # internal and extern
0)
>
> I want that there should be no greylisting/filtering on fxp1 (I have
> the related ports opened in the PIX) & it should be enabled only for
> fx0.
>
> The server will be used as Mail server.
>
> Please help. I want to check if the below rules ar
led only for
fx0.
The server will be used as Mail server.
Please help. I want to check if the below rules are correct.
My Pf rules are as follows:
# PF Conf
# ###
# Macros
#
# internal and external network interfaces
int_if = "fxp0"
ext_if = "fxp1"
work access the webserver on firewall box.
I think I understand.
You want to pass web traffic EXCEPT to the one on the firewall?
something like:
pass in on dc0 from 192.168.0.0/24 to !dc0 port
Thanks and sorry if isn't in this list to talk about pf rules...
it is, but there's a
l box.
Is there some way of rule like FORWARD of netfilter?
Thanks and sorry if isn't in this list to talk about pf rules...
Do you mean something like:
so2:fred /var/log> sudo grep www /etc/pf.conf
pass log on $ext_if proto tcp from any to $webserver port { www, https }
keep state
O
rule like FORWARD of netfilter?
Thanks and sorry if isn't in this list to talk about pf rules...
On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Greetings,
>
> Does it make any difference if I group my rules like this .
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto t
On Tue, 2007-02-20 at 07:32 -0800, [EMAIL PROTECTED] wrote:
> Greetings,
>
> Does it make any difference if I group my rules like this .
it can be, depending on your situation. PF rules are read top to
bottom, therefore, lower rules can "override" rules that were previous
Greetings,
Does it make any difference if I group my rules like this .
## logs smtp sessions
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
## Pass all outgoing traffics
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out log on $ext_if inet proto tcp from
block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port
80
read also
http://www.openbsd.org/faq/pf/tables.html
another way to deal with negative in your pf.conf
is to use tables... maybe try a table with safeip combinations
like, but do test and read and try variations, this
On 2/12/07, Artyom Goryainov <[EMAIL PROTECTED]> wrote:
block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80
You will probably want to see the PF FAQ [1] on this, specifically the
section on Lists and Macros. It tells you why you should use tables
for this purpose. The l
On 1/30/07, Steve Williams <[EMAIL PROTECTED]> wrote:
Hi,
I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted
firewall duties. It is working 100%, including proxying ftp requests
from the internal network.
Today I went to do an FTP directly from the server (perl CPAN), and
Hi,
I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted
firewall duties. It is working 100%, including proxying ftp requests
from the internal network.
Today I went to do an FTP directly from the server (perl CPAN), and it
failed.
Looking at blocked packets, I see that
Thanks for all replies.
--
raff
dulate state
> > >
> > > and
> > >
> > > block in all
> > > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> > > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> >
> > Yes, pf rules ar
.168.1.6 modulate state
> > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
>
> Yes, pf rules are evaluated from start to end, and the *last* match
> determines what happens. (There are some exceptions, like nat, where the
> *first* match determines this...)
>
>
raff schrieb:
> I want to block traffic from 192.168.9.8 to 192.168.1.0/24
> excluding 192.168.1.6
> Is there any difference between:
>
> block in all
> pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
>
> and
>
> b
te
> pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
>
> and
>
> block in all
> pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
Yes, pf rules are evaluated from start to end,
Hello misc.
I want to block traffic from 192.168.9.8 to 192.168.1.0/24
excluding 192.168.1.6
Is there any difference between:
block in all
pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
and
block in all
pass in on
On 14/11/06, Leonardo Rodrigues de Mello
<[EMAIL PROTECTED]> wrote:
Here is one script i have done, you must setup ssh key authentication between
root from fw1 to fw2 and fw1 to fw1. and must install bash.
Why install bash? Just write the script properly so it works with ksh
or another shell i
[EMAIL PROTECTED] wrote:
...
ok, that's what one gets by doing silly stuff with too many mail clients
at too many different places and getting sloppy about how one configures
them. That was from me, in case anyone wasn't sure. :)
Nick.
C. L. Martinez wrote:
> Hi all,
>
> Somebody knows where I can find a good shell script to sync pf.conf rules
> over a several Openbsd firewalls using CARP?
>
> many thanks.
yeah, on a few of my boxes here. :)
No, I'm not going to post the script, on the grounds that people would
probably be t
> Hi all,
>
> Somebody knows where I can find a good shell script to sync
> pf.conf rules
> over a several Openbsd firewalls using CARP?
>
> many thanks.
Hello,
For this to work, you need ssh-agent and to setup /usr/ports/sysutils/tentakel
on your admin workstation.
#!/bin/sh
hosts[0]=172.16.42.
On 2006/11/14 18:20, Leonardo Rodrigues de Mello wrote:
> cp /etc/pf.conf /etc/pf.conf.orig
> vi /etc/pf.conf
> if pfctl -f /etc/pf.conf
...
>echo "Restoring old configuration file"
>cp /etc/pf.conf.orig /etc/pf.conf
it's good that you check and restore, but if the box restarts between
sav
activate changes in
your pf.conf. Carp has nothing to do with syncing pf rules.
Pfsync is for syncing the state tables - not rules!
so long,
Marcus.
d quick from edit.pf.sh"
exit 1
fi
else
echo "Changes ABORTED By User"
echo "Recovering old configuration file"
sleep 1
mv /etc/pf.conf.orig /etc/pf.conf
pfctl -f /etc/pf.conf
echo "Exiting gracefully from editpf.sh"
exit 0
fi
---
-Mensagem o
Sorry?? Do I need to run pfctl to load rules only on one fw under carp and
then this rules are sync to the others firewalls ?? If this is ok, then I
don't read pf's very well ...
On 11/14/06, Alexander Lind <[EMAIL PROTECTED]> wrote:
>
> no need to run pfctl on the other machines, if you are using
no need to run pfctl on the other machines, if you are using pfsync, is
there?
alec
z0mbix wrote:
> On 14/11/06, C. L. Martinez <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> Somebody knows where I can find a good shell script to sync pf.conf
>> rules
>> over a several Openbsd firewalls using CARP?
On 14/11/06, C. L. Martinez <[EMAIL PROTECTED]> wrote:
Hi all,
Somebody knows where I can find a good shell script to sync pf.conf rules
over a several Openbsd firewalls using CARP?
many thanks.
Surely a simple shell script using scp to copy the pf.conf to each
host and ssh to run pfctl to
On 2006-11-14T16:37, C. L. Martinez wrote:
> Hi all,
>
> Somebody knows where I can find a good shell script to sync pf.conf rules
> over a several Openbsd firewalls using CARP?
for HOST in a b c d; do
scp /etc/pf.conf $HOST:/etc/
done
hth,
Marcus.
Hi all,
Somebody knows where I can find a good shell script to sync pf.conf rules
over a several Openbsd firewalls using CARP?
many thanks.
On Sun, Oct 08, 2006 at 01:53:42AM -0400, Martin Gignac wrote:
> Is there any plan to add a variable in /etc/rc.conf to achieve this,
> or is using '-o' during boot considered a bad thing?
The plan is to make it possible to specify the optimization level
directly in the pf.conf file (which one cou
On 10/8/06, z0mbix <[EMAIL PROTECTED]> wrote:
You are supposed to use the -o option to optimise your ruleset, then
correct the ruleset in /etc/pf.conf so there should be no need to load
the ruleset with -o everytime.
Ok, thanks, my bad. I originally thought the intent of the flag was to
permit
On 08/10/06, Martin Gignac <[EMAIL PROTECTED]> wrote:
Hi,
While playing around with pf I've gotten used to passing the '-o' flag
to pfctl to optimize my rulesets when loading them.
However, I've noticed that /etc/rc does not pass the '-o' flag when
loading the ruleset with pfctl during boot. Mo
Hi,
While playing around with pf I've gotten used to passing the '-o' flag
to pfctl to optimize my rulesets when loading them.
However, I've noticed that /etc/rc does not pass the '-o' flag when
loading the ruleset with pfctl during boot. Moreover, I couldn't find
any apparent variable in the /e
dr traffic from pf to frickin (setup 3 from frickin
readme), things fall apart and even a single pptp client is unable
to connect. The WinXP clients hang at the "Verifying username
and password..." screen :-(
My pf rules look like this:
wan = "xl0"
lan = "xl1"
Hi people...
I wonder if anyone can see what is up with these firewall rules.
We have two external IP ranges from our ISP. We're trying to migrate from
IPCop to OpenBSD so we can use the extra range, using a CARPed cluster of two
3.8 machines. Initially we just want to get a single Windows we
On Sun, Jul 16, 2006 at 02:40:04AM +0300, Soner Tari wrote:
> Thanks jared and others for your replies. I'll try all of your
> suggestions.
>
> However, if you agree with me, I get the feeling that all of these are
> inelegant workarounds compared to the ideal solution: time support in pf
> (simi
On 7/15/06, Darrin Chandler <[EMAIL PROTECTED]> wrote:
On Sun, Jul 16, 2006 at 02:40:04AM +0300, Soner Tari wrote:
> However, if you agree with me, I get the feeling that all of these are
> inelegant workarounds compared to the ideal solution: time support in pf
> (similar to perhaps iptables). I
On Sun, Jul 16, 2006 at 02:40:04AM +0300, Soner Tari wrote:
> However, if you agree with me, I get the feeling that all of these are
> inelegant workarounds compared to the ideal solution: time support in pf
> (similar to perhaps iptables). I've read the replies from developers to
> a similar quest
Thanks jared and others for your replies. I'll try all of your
suggestions.
However, if you agree with me, I get the feeling that all of these are
inelegant workarounds compared to the ideal solution: time support in pf
(similar to perhaps iptables). I've read the replies from developers to
a simi
On Sat, Jul 15, 2006 at 08:27:32PM +0300, Soner Tari wrote:
> > Have your cron job copy the current anchor rules to pf-current.conf,
> > then add pfctl -f pf-current.conf to rc.local.
>
> Thank you for the reply (and Gaby too). But I am not sure if this would
> be an elegant workaround. Because by
> Have your cron job copy the current anchor rules to pf-current.conf,
> then add pfctl -f pf-current.conf to rc.local.
Thank you for the reply (and Gaby too). But I am not sure if this would
be an elegant workaround. Because by chance there may be cron jobs
scheduled to run exactly during downtim
On 15 Jul 2006, at 15:48, Soner Tari wrote:
> I have time-based pf rules using cron and anchors (such as to restrict
> HTTP access after hours). But as you can guess, they do not survive a
> reboot. Is there any solution?
Create a script that works out what the rules should be at
On Sat, Jul 15, 2006 at 05:48:06PM +0300, Soner Tari wrote:
>
> I have time-based pf rules using cron and anchors (such as to restrict
> HTTP access after hours). But as you can guess, they do not survive a
> reboot. Is there any solution?
There are probably a lot of solutions...
Ha
Hi All,
I have time-based pf rules using cron and anchors (such as to restrict
HTTP access after hours). But as you can guess, they do not survive a
reboot. Is there any solution?
Thanks,
Hi,
I am using PF with two ISP links and doing load balancing.
Everything works fine, I copied the rules from the FAQ, except for one
issue. I am using samba, my problem appears when I have to Log to samba or
with RDR to my XP ip (192.168.3.22). PF is blocking internal traffic from
I wrote this little script to copy and reload rules on two firewalls. Thought
I'd share it here in case it is any use or I am missing something. ( My
money's on the latter :) ) it just needs a separate user with correct sudo
privileges to run certain commands.
It's very verbose just so I cou
On 4/25/06, Nick Guenther <[EMAIL PROTECTED]> wrote:
...
> The programmer in me says it should be "it's" and to hell with
> 'standard english'. So there.
Yeah! Just like "hi's" and "her's" and "thei'r" and "m'y"!
Philip
On 4/25/06, jacek <[EMAIL PROTECTED]> wrote:
>
> On 4/25/06, Chris Smith <[EMAIL PROTECTED]> wrote:
> >
> > On Tuesday 25 April 2006 13:04, Chris Smith wrote:
> > > nic would then get it's info from your
> >
> > ugly grammar error
> > should be "its" instead of "it's", sorry for that
>
> who cares
who cares :)
On 4/25/06, Chris Smith <[EMAIL PROTECTED]> wrote:
>
> On Tuesday 25 April 2006 13:04, Chris Smith wrote:
> > nic would then get it's info from your
>
> ugly grammar error
> should be "its" instead of "it's", sorry for that
On Tuesday 25 April 2006 13:04, Chris Smith wrote:
> nic would then get it's info from your
ugly grammar error
should be "its" instead of "it's", sorry for that
external dhcp server responds
>
> my pf rules
I don't think the pf rules are useful as I read something about dhcp
working at the bpf level and not pf.
It looks like you simply need to configure your dhcp server correctly to
listen on only the internal and wireless networks.
Your external n
server at the isp
and the local and wireless network to request and receive offers from the dhcp
server on the firewall
when a request is made from the local network both the internal and the
external dhcp server responds
my pf rules
===
pass quick on $internal_interface
I noticed that pf will load a default rule set if there is no valid
/etc/pf.conf file.
Is it unwise to depend on this default rule set if it works?
The default rule set makes exceptions for carp and pfsync traffic.
Any possibility of adding exceptions for vpn traffic also?
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web server through binat
3) Allow 25 and 143 to mail server
Rdr may do what you want (maybe along with some natting
too but my brain is full at the moment a
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
I have a question regarding pf and binat.
I need to protect mail server and web server behind firewall. I am
planning to run
pf with binat rules. I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web serve
I have a question regarding pf and binat.
I need to protect mail server and web server behind firewall. I am
planning to run
pf with binat rules. I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web server through binat
3) Allow 25 and 143 to mail server
box is having one
> > interface or
> > two interfaces or three. Policy, zone, interfaces, rules these are all
> > I need to edit.
> >
> > Is there any such tool for PF. I am not looking at GUI for generating
> > rules.
>
> Hello Sam,
>
> fwb
there any such tool for PF. I am not looking at GUI for generating
rules.
Hello Sam,
fwbuilder is a GUI which "vomits" pf rules if you wish (and also
iptables and some other kind of firewalls).
It's easy to use, but the result is not ever exactly what you want
(therefore i use
Hello All,
I am linux administrator and use iptables for firewall. I use
shorewall, which you
need to be setting up only policy based on your box is having one
interface or
two interfaces or three. Policy, zone, interfaces, rules these are all
I need to edit.
Is there any such tool for PF
201 - 300 of 313 matches