Hi there,
May you help me with the following.
# pf.conf
#
# Translation
# use a macro for the interface name, so it can be changed easily
ext_if = "fx0"
# map daemon on 8080 to appear to be on 80
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
# map daem
Gentlemen, good evening,
I am trying to use the new version of openbsd (4.7), and I am having
problems with pf.conf
I use a service and I force the packets to pass through that service
the same way it is done with a transparent squid
but I have run into problems
my pf.conf follows http
Good afternoon lords,
I upgraded my openbsd 4.6 to 4.7
I always used it only for firewall and port redirector with
rdr command, I tried to use some scripts manual openbsd even more
so I can not stress more the internal network when you request a port in
Specific be redirected to another server such
Hi there,
I just created the following:
-
ext_if="vr0"
int_if="rl0"
tcp_services = "{ 80, 20, 21, 22, 25, 110, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set block-policy return
set loginterface $ext_if
scrub in a
supports only two firewalls.
Also does anyone know if there are any plans to make this pf.conf
propagation a feature in openbsd itself?
Alec
I want to use pf as firewall for my laptop.
It is connected wired and wireless, depending on the situation, but also to my
own router/modem.
I have enabled pf and made a pf.conf which is looking like this:
#
# $OpenBSD: PF firewall rules $
# scrub
hi,
good day, how do i do an alternate sets of route-to rules for the internal
interface loaded in an anchor?
btw im doing a failover between two firewalls,
|--| |-|
| internet | | internet |
|--|
necessary. In fact the example given at
https://www.openbsd.org/faq/pf/filter.html does not have these two initial
rules. These default rules were carried over from the /etc/example/pf.conf
Even moving the *block return* default rule to lower in the rulebase - results
in the same symptoms. Sy
Is it no longer important to group block/pass in/out for speed optimization?
I see many "modern" pf.conf where everything is mixed more or less randomly
Regards, Lars.
---> this is taken from man pf.conf filter example and
in the example the address is only routable. I run only one PC
and use DHCP, the question how to write the above in my case.
Try the pf faq: http://www.openbsd.org/faq/pf
And the last question can firefox and nedit
k out log quick on $ext_if from ! 157.161.48.183 to any--->
>
> ---> this is taken from man pf.conf filter example and
> in the example the address is only routable. I run only one PC
> and use DHCP, the question how to write the above in my case.
> ?
block out log quick on $ext_if from ! ($ext_if) to any
On Tue, Nov 11, 2008 at 5:55 PM, johan beisser <[EMAIL PROTECTED]> wrote:
> On Nov 11, 2008, at 5:38 PM, igor denisov wrote:
>
> And the last question can firefox and nedit run with such pf.conf??
>>
>
> I'm unsure what you're asking. pf.conf is just a text
On Wed, Nov 12, 2008 at 7:47 AM, disintx <[EMAIL PROTECTED]> wrote:
> For all the ports you are looking for, you need to check /etc/services and
> you should read the man pages for whatever daemons you want to know about.
May I also recommend the excellent Building Firewalls with OpenBSD and
PF (h
access the same Win2K system on port 11005; I get
connection refused.
$ sudo cat pf.conf
set skip on lo
pass
block in on ! lo0 proto tcp to port 6000:6010
ext_if = "pppoe0"
int_if = "fxp0"
air_if = "ral0"
match out on $ext_if nat-to ($ext_if)
win2k= 192.168.0.3
of openbsd (4.7), I am having
> problems with pf.conf
> I use a service and I force the packets to pass through that
> service
> the same way it is done with a transparent squid
> but I have run into problems
> my pf.conf follows http://pastebin.ca/1972254
> quan
--- Guilherme Ferreira Rosário [Mon, Oct 25, 2010 at 02:26:47PM -0200]: ---
> Good afternoon lords,
> I upgraded my openbsd 4.6 to 4.7
> I always used it only for firewall and port redirector with
> rdr command, I tried to use some scripts manual openbsd even more
> so I can not stress more the in
john
thanks for the suggestion,
but unfortunately I could not succeed I tried to use the inetd
nc command, as in the manual and also not getting success, you would have
some
another reference?
Thanks
2010/10/25 John Cosimano
> --- Guilherme Ferreira Rosário [Mon, Oct 25, 2010 at 02:26:47PM -020
What do you want to do?
If it is to implement IM PROXY, see the project documentation
On 25 October 2010 22:35, Guilherme Ferreira Rosario <
guilherme.f.rosa...@gmail.com> wrote:
> john
> thanks for the suggestion,
> but unfortunately I could not succeed I tried to use the inetd
> nc command, as in th
rl-C]
### Here's my sshd_config:
# grep -v ^# /etc/ssh/sshd_config
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
### Here is my /etc/pf.conf
# cat /etc/pf.conf
ext_if="ix0" # external interface/egr
On Sun, May 08, 2005 at 11:10:38PM +0200, GV wrote:
> Now, the above should normally block all the traffic to my server - but it
> doesn't! Am I missing something here?
>
> Also, I followed the section "Packet Logging Through Syslog" in
> "http://www.openbsd.org/faq/pf/logging.html" and created
well, the silly one is simply me! I didn't see that after a "pf=YES" entry, it
was one with a "NO"!!!
Thanks
George
On Monday 09 May 2005 17:53, Jason Opperisano wrote:
> On Sun, May 08, 2005 at 11:10:38PM +0200, GV wrote:
> > Now, the above should normally block all the traffic to my server -
On 3/20/07, Alexander Lind <[EMAIL PROTECTED]> wrote:
>
> Hello misc.
>
> Can anyone recommend a pf propagation script, intended to be used to
> spread changes from one carp:ed openbsd firewall to another?
>
>
for host in fw1 fw2 fw3 fw4 fw5; do scp ~/master.pf.conf
t job here:
> http://archives.neohapsis.com/archives/openbsd/2006-11/1134.html
>
> But it requires bash and supports only two firewalls.
>
> Also does anyone know if there are any plans to make this pf.conf
> propagation a feature in openbsd itself?
This is trivially scripted (the poste
Hello,
You may want to have a look at
/usr/ports/sysutils/tentakel
--
Didier Wiroth
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Alexander Lind
> Sent: 20 March 2007 23:29
> To: misc
> Subject: pf.conf propagation
>
>
Okay, found some stuff on the internet; this is it at the moment:
# $OpenBSD: PF firewall rules $
# ports: see /etc/services
# 21 = ftp
# 22 = ssh
# 25 = smtp
# 53 = domain
# 80 = www
# 110 = pop3
# 123 = ntp
# 631 = ipp (CUPS)
# 6667 = irc
tcp_pass = "{ 21 22 25 53 80 110 123 6667}
Okay, this should be it, any comments are appreciated.
The >1023 is used for ftp;
###
# $OpenBSD: PF firewall rules $
tcp_pass = "{ 21 22 25 53 80 110 123 >1023}"
udp_pass = "{ 53 110 }"
# scrub
scrub in all
# setup a default deny policy
On Mon, 28 May 2007, Lontronics Mailinglist account wrote:
> Okay, found some stuff on the internet; this is it at the moment:
>
> # $OpenBSD: PF firewall rules $
>
> # ports: see /etc/services
> # 21 = ftp
> # 22 = ssh
> # 25 = smtp
> # 53 = domain
> # 80 = www
> # 110 = pop3
> # 12
On Mon, May 28, 2007 at 11:27:46PM +0200, Lontronics Mailinglist account wrote:
> Okay, this should be it, any comments are appreciated.
> The >1023 is used for ftp;
That is not the proper solution; use ftp-proxy, as documented in the
FAQ.
> ###
Thanks Joachim and Woodchuck for your replies.
To be RFC compliant I will add icmp.
I will also add logging to check the output, can indeed be very helpful.
I am not using ssh and dhcp, so I have blocked those ports
About 'block inet6'; I thought that 'block all' did that job?
I will also add
On 5/28/07, Woodchuck <[EMAIL PROTECTED]> wrote:
I wonder if this setup will allow you to do dhcp. Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not.
Typically, dhclient(8) uses the bpf(4) devices and is not troubled by
PF's ruleset. If I
ng directory listing / from server (LC_TIME=C)
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
Disconnecting from site ftp.lontronics.nl
I am running pf as firewall now with the following settings:
pf.conf:
# $OpenBSD: PF firewall rules $
# m
The recent request for better comments in pf.conf files
as well as #include functionality points out a basic flaw
in the input language design:
The newline delimited input without /* */ comments.
And a basic flaw in the parser/lexer:
Comment handling at parse level not lexer level.
A
While reading the VPN(8) manual page, I could not figure out in what
interface context the following line applies:
# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
Thanks for your time and cooperatio
On Tue, Sep 19, 2006 at 06:49:05PM +0800, Jay Jesus Amorin wrote:
> hi,
>
> good day, how do i do an alternate sets of route-to rules for the internal
> interface loaded in an anchor?
>
> btw im doing a failover between two firewalls,
>
> |--| |-|
> |
I was looking at the pf.conf included with 3.8, and with the
addition of the following line:
set skip on { lo }
doesn't the lo part of the following line become redundant:
antispoof quick for { lo $int_if }
assuming both lines are uncommented?
Thanks.
Rodney Hopkins
[EMAIL PROT
Hi,
I am running OpenBSD 4.3 STABLE in an i386 machine.
The man page for pf.conf says at some point:
"Any lines beginning with a # are treated as comments and ignored."
Now, if a comment line ends with "\", should the next line
be also treated as comment? I noticed this be
The pf.conf man page sez:
Macros are not expanded inside quotes.
For example,
ext_if = "kue0"
all_ifs = "{" $ext_if lo0 "}"
However, that following fails with a syntax error on 4.3. On 4.2
something like this worked:
foo = 123
ba
Hi,
How do you manage your pf.conf?
My setup: I have 9 firewalls with carp and each with around 500 lines of
pf.conf, except one firewall, later more. I edit the pf.conf manually.
Every logical pf rule has a unique identifier (a number) which I add
manually and maps to the rule on a wiki
Dear All,
I am still working on OpenVPN gateway for my Lab. As of now I have
everything fully functional and I am trying now to tidy up PF rules.
My network topology roughly looks like this
Internet (128.xxx) OpenVPN clients (VPN network 10.8.0.xxx)
| Also Pub
t is what happens.
>
> I have read online and man pages etc, and all say that the "block return" and
> "pass" rules are not necessary. In fact the example given at
> https://www.openbsd.org/faq/pf/filter.html does not have these two initial
> rules. These def
pfctl has an ruleset optimizer built in, which handles most of that.
So, it is best if you write rules in a way that makes sense.
Lars Bonnesen wrote:
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where every
> On 6 May 2020 at 22:00, Lars Bonnesen wrote:
>
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where everything is mixed more or less randomly
My advice would be to write your pf.conf in a way
Hi there misc!
Is there an external pfctl linter? We have a bunch of pf firewalls for which
we generate rules but also write some manual ones that get merged. Would
be nice if we could lint the rules before committed to vcs.. (yes we
test before they are applied on the machines as well but that is w
hiya
can you have lines like this in pf.conf
anchor "authpf/vpn/*" in on $VPN_IFACE
anchor "authpf/wireless/*" in on $WIRE_IFACE
and have anchors in /etc/authpf/vpn with your vpn rules
and anchors in /etc/authpf/wireless with your wireless rules ?
shadrock
Hello all (again),
I was wondering if someone could tell me if using tags in pf.conf makes
anything better apart from setting up trusts between interfaces etc.
Basically, what I'm trying to ask is how can I make pf faster? What is
important? More RAM? Faster CPU? Using tags? A smaller rule
I noticed the new "match" keyword in pf.
Will it help with this problem.
I constantly have bad guys sweeping through all
the addresses in my class C network, trying
things like ssh.
I would like to notice these bad guys and
block them.
The obvious method of add them to a queue and
Using "overloa
What would be the most barebones pf.conf for an OpenBSD 4.7 nat firewall
with 2 nics, that passes everything.
Peter
Hello,
Is there any special reason that web manuals lack pf.conf man pages for
4.7? 4.6 and current looks ok.
Mitja
On 2024-07-15, Irreverent Monk wrote:
> Question 1: What's causing inbound ssh to only work with IP address and
> not DNS name?
No idea about that, there's no reason for this to affect anything unless
the DNS is broken or returning an incorrect address etc (or returning
a v6 address if you have
On Mon, Jul 15, 2024 at 6:33 AM Irreverent Monk wrote:
> pass in on egress inet6 proto icmp6 all \
>
> icmp6-type { routeradv neighbrsol neighbradv }
>
> pass in on egress inet6 proto udp \
>
> from fe80::/10 port dhcpv6-server \
>
> to fe80::/10 port dhcpv6-client \
>
> no state
>
>
> bl
Hi guys, just a quick question.
During some toying with pf I noticed something. When making a comment
like the following:
.
# pas on re0 from any \ #
# to any port 59#
.
is it expected behavior that pfctl
Hi,
searching on the Internet gave me no clear answer: is there a way to
include other config files in pf.conf, like
# /etc/pf.conf
Include /etc/pf.interfaces
Include /etc/pf.natrules
etc...
I expect to have many rules, so I'd like to split them across multiple
files.
Thanks,
Arjen
Geoff Steckel <[EMAIL PROTECTED]> writes:
> I'd be glad to donate these changes if they have any hope of
> adoption. Note that any existing pf.conf files would work without
> any changes.
The normal route for patch submissions is as far as I can tell via
posting th
Peter N. M. Hansteen wrote:
The normal route for patch submissions is as far as I can tell via
posting the patch to tech@ and participating in any discussion that
ensues. The developers very much want to be able to take a good look
at any code before it enters the tree.
This seems to be the c
Dear All.
I start with the simple rule set in my pf bridge
machine to limit
bandwidth 3Mbps from my server on lan to internet and
from internet to
my server on lan
my_server_on_lan="172.16.0.228"
internet="202.x.x.x"
lan = "172.16.0.0/16"
altq on xl1 bandwidth 100% cbq queue \
{int_out,dflt_out
Hi!
I see from the pf-code it is possible to use interfacegroup with "on" option,
like:
pass on egress all keep state
but it is not documented.
Maxim.
Y_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B
No interface is specified so it applies to any interface. pf.conf(5) makes
that pretty clear.
Kian
gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B
No interface is specified so it applies to any interface. pf.conf(5) makes
that pretty clear.
I think I was nonsense. If I would like to specify an interface, what
would it be?
Thanks in advance.
Kian
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
> I was looking at the pf.conf included with 3.8, and with the
> addition of the following line:
>
> set skip on { lo }
>
> doesn't the lo part of the following line become redundant:
>
> antispoof
eric wrote:
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
I was looking at the pf.conf included with 3.8, and with the
addition of the following line:
set skip on { lo }
doesn't the lo part of the following line become redundant:
antispoof quick for { lo $int_if }
--On 04 December 2005 14:27 -0600, eric wrote:
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
I was looking at the pf.conf included with 3.8, and with the
addition of the following line:
set skip on { lo }
doesn't the lo part of the following line become redu
The manpage of pf.conf tells me icmp is a layer 4 (transport layer)
protocol.
PACKET FILTERING
pf(4) has the ability to block and pass packets based on attributes of
their layer 3 (see ip(4) and ip6(4)) and layer 4 (see icmp(4),
icmp6(4),
tcp(4), udp(4)) headers.
I always thought
o have a higher priority than
regular traffic.
- DNS queries and replies need to have the second highest priority.
- Outgoing TCP ACK packets need to have a higher priority than all
other outgoing traffic.
This is my /etc/pf.conf now :
# macros
ext_if = "rl0"
int_if = "fx
Jose Fragoso wrote:
> Now, if a comment line ends with "\", should the next line
> be also treated as comment? I noticed this behaviour and I do
> not know whether or not it should work like that.
Interesting. Good to know that. In a small rule set it's easy to
notice, though.
I'm able to dupl
Louis V. Lambrecht wrote:
> rem the backslash is used as an escape character in shell world.
Yes, that's quite familiar and I use it a lot, both for long lines and
for escaping special characters (quotes, etc). What is new use to me is
that the comment lines can be affected. I simply hadn't trie
On Fri, Jun 13, 2008 at 04:52:45PM +0300, Lars Noodén wrote:
> Louis V. Lambrecht wrote:
> > rem the backslash is used as an escape character in shell world.
>
> Yes, that's quite familiar and I use it a lot, both for long lines and
> for escaping special characters (quotes, etc). What is new use
Ooops! Lars answered to my mail. Means, I hadn't replied to misc@ but
the lazy in me just replied.
Louis V. Lambrecht wrote:
Lars Noodén wrote:
Jose Fragoso wrote:
Now, if a comment line ends with "\", should the next line
be also treated as comment? I noticed this behaviour and I do
not
Darrin Chandler wrote:
> # This \
> Thus \
> that \
> other
Clearly this is the intuitive way that should work, since all
other languages I know of parse like this.
If you want to disable multiple lines you have to comment them all
out. Use a decent editor if you think that is much of
> The man page for pf.conf says at some point:
>
> "Any lines beginning with a # are treated as comments and ignored."
Yes, pf.conf(5) says that about the table files.
About the main pf.conf(5) file itself, it says:
Comments can be put anywhere in the file using a hash
rking in behaves.
Languages and file-formats where comment removal occurs before
backslash-newline removal:
sh
csh
perl
python
awk
/etc/sudoers
/etc/ipsec.conf
Languages and file-formats where backslash-newline removal occurs
before comment removal:
tcl
C
C++
2008/6/14 Philip Guenther <[EMAIL PROTECTED]>:
>
> Sadly, this varies among languages and file-formats. You just have to
> know how the one you're working in behaves.
>
So, when in doubt, comment every line that needs to be commented out,
should work in almost all cases?
--
This e-mail may be co
On Sat, Jun 14, 2008 at 8:58 AM, Sunnz <[EMAIL PROTECTED]> wrote:
> 2008/6/14 Philip Guenther <[EMAIL PROTECTED]>:
>> Sadly, this varies among languages and file-formats. You just have to
>> know how the one you're working in behaves.
>
> So, when in doubt, comment every line that needs to be comm
Jose Quinteiro-5 wrote:
>
> The pf.conf man page sez:
>
> Macros are not expanded inside quotes.
>
> For example,
>
> ext_if = "kue0"
> all_ifs = "{" $ext_if lo0 "}"
>
>
> However, that followin
error
pfctl: Syntax error in config file: pf rules not loaded
Now try this:
host1 = "192.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
That'll work too. Can't use macros for port numbers if dots are required.
Thanks,
Jose.
phoenixc
Thanks, I searched the archives but didn't find it.
Saludos,
Jose.
nate wrote:
Jose Quinteiro wrote:
host1 = "192"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
You'll get:
/etc/pf.conf:linenum: syntax error
pfctl: Syntax error in config file: pf rules not loaded
That's a bug i
Since pf.conf must be in a specific order, it might help to have comments
marking out this order in the sample configuration file.
Below is a diff from the current file.
Regards,
-Lars
6a7,9
##
## MACROS
9a13,15
##
## TABLES
11a18,20
##
## OPTIONS
13a23,25
## NORMALIZATION
s.com/projects/1/wiki/Puppet_Books
Hope this helps, Andrew Lemin
On Thu 11 Jul 2013 12:18:13 BST, Jummo wrote:
Hi,
How do you manage your pf.conf?
My setup: I have 9 firewalls with carp and each with around 500 lines
of pf.conf, except one firewall, later more. I edit the pf.conf
manually. Eve
rmalisation' ;)
>
>https://puppetlabs.com/
>http://projects.puppetlabs.com/projects/1/wiki/Puppet_Books
>
>Hope this helps, Andrew Lemin
>
>
>On Thu 11 Jul 2013 12:18:13 BST, Jummo wrote:
>> Hi,
>>
>> How do you manage your pf.conf?
>>
>> My
On Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
Jummo wrote:
> This works quite good for me and my firewalls with one exception, my
> big fat central router/firewall. This firewall has around 2000 lines
> of pf.conf, is attached with 12 VLAN interfaces and get slowly
> unmanageab
On Thu, Jul 11, 2013 at 8:51 PM, Patrick Lamaiziere
wrote:
> On Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
> Jummo wrote:
>
>> This works quite good for me and my firewalls with one exception, my
>> big fat central router/firewall. This firewall has around 2000 lines
>>
On 11 July 2013, Andy wrote:
> Hi,
> I use 'puppet' for this to manage over 20 OpenBSD firewalls now.
[...]
If you're shopping for configuration management tools, people also
seem to like Ansible, Salt, and Chef:
http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management
r friendly in Vim, set-up your PF syntax highlighting;
/root/.vimrc;
so /root/.vim/filetypes.vim
set guifont=9x15bold
set ruler
syntax on
set tabstop=4
set shiftwidth=4
filetype on
/root/.vim/filetypes.vim;
augroup filetype
au!
au BufRead,BufNewFile *.c set filetype=c
au BufRead,BufNewFile pf.* set filet
ruler
> syntax on
> set tabstop=4
> set shiftwidth=4
> filetype on
>
> /root/.vim/filetypes.vim;
> augroup filetype
> au!
> au BufRead,BufNewFile *.c set filetype=c
> au BufRead,BufNewFile pf.* set filetype=pf
> au BufRead,BufNewFile pf.conf set filetype=pf
> au Bu
On 07/11/2013 07:18 AM, Jummo wrote:
> Hi,
>
> How do you manage your pf.conf?
>
> My setup: I have 9 firewalls with carp and each with around 500 lines of
> pf.conf, except one firewall, later more. I edit the pf.conf manually.
> Every logical pf rule has a unique identifi
2013/7/11, Jummo :
> Hi,
>
> How do you manage your pf.conf?
>
> My setup: I have 9 firewalls with carp and each with around 500 lines of
> pf.conf, except one firewall, later more. I edit the pf.conf manually.
> Every logical pf rule has a unique identifier (a number) which
On 09/17/2013 19:25, Predrag Punosevac wrote:
Internet (128.xxx) OpenVPN clients (VPN network 10.8.0.xxx)
|Also Public 128.xxx addresses
||
||
-
Hi,
On Fri, Sep 20, 2013 at 9:06 AM, Carsten Larsen wrote:
> On 09/17/2013 19:25, Predrag Punosevac wrote:
>
>> Internet (128.xxx) OpenVPN clients (VPN network 10.8.0.xxx)
>>
>> The subnet mask for private addresses seems odd. With the /8 mask you
> have specified a class A network. Take a lo
Hi,
The output of 'pfctl -s timeout' shows
...
tcp.tsdiff 30s
...
However this feature is not mentioned in the pf.conf man-page (on 5.3) nor did
I find anything sufficiently useful on google.
Anyone care to explain how this feature works?
Thanks,
Buzz
I post this here because I don't know whether to consider it a bug.
To use a macro in the "file" table option I had to enclose double in
single quotes:
blockIP='"/path/to/file"'
table persist file $blockIP
Any of these syntax examples return errors:
blockIP="/path/to/file"
blockIP=/path/to/fi
Hello,
I have a question regarding queuing and priorities in pf.conf on OpenBSD
7.2.
I have a basic gateway configuration - a PC with two NIC's (em0, em1).
One interface is connected to the LAN and one interface is connected to
the Internet with a public IP and with a bandwid
his is not possible I
have to hard code the IP:s in pf.conf.
Have I misunderstood something? Please enlighten me.
Tnx
Peo
On Fri, Sep 4, 2020 at 10:51 AM Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? We have a bunch of pf firewalls for which
> we generate rules but also write some manual ones that get merged. Would
> be nice if we could lint the rules before committed to vcs.. (yes we
> te
> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
> generate rules but also write some manual ones that get merged. Would be nice
> if we could lint the rules before committed to vcs.. (yes
On 04/09/2020 17.24, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? We have a bunch of pf firewalls for which we
generate rules but also write some manual ones that get merged. Would be nice
if we could lint the rules
> On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>
>
>
>> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>>
>> Hi there misc!
>>
>> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
>> generate rules but also write some manual ones that get merged. Wou
On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? We have a bunch of pf firewalls for which we
generate rules but also write some manual ones tha
Tommy Nevtelen wrote:
> On 04/09/2020 17.24, Brian Brombacher wrote:
> >
> >> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
> >>
> >> Hi there misc!
> >>
> >> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
> >> generate rules but also write some manual ones that
> On Sep 4, 2020, at 12:03 PM, Tommy Nevtelen wrote:
>
> On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>>>
>>>
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl
On 04/09/2020 18.07, Brian Brombacher wrote:
Well, let’s say a Linter doesn’t exist and you can’t invest time to make one.
Do you have a lower environment, mirror-exact ideally, to run tests on the
pre-receive hook?
It’s an interesting issue you’re trying to solve ;)
I didn't say I can't inv
Tommy Nevtelen wrote:
> On 04/09/2020 18.07, Brian Brombacher wrote:
> > Well, let’s say a Linter doesn’t exist and you can’t invest time to make
> > one. Do you have a lower environment, mirror-exact ideally, to run tests
> > on the pre-receive hook?
> >
> > It’s an interesting issue you’re t