On Wed, 24 Aug 2005 08:53:33 -0700, Bryan Irvine wrote:
> Apache of course! ;)
This goes off-topic, but there must be something wrong. Somewhere.
This is not default behaviour of Apache. Did some research on this two
years back, on OpenBSD, P233 and 64 MB, to check its behaviour. It
wouldn't cras
> What crashed? Apache or OpenBSD?
>
Apache of course! ;)
On Wed, 2005-08-24 at 09:15:48 -0400, Timothy Donahue proclaimed...
> "A Good Thing"(TM) when done correctly, it is NAT that is not necessarily a
> good thing. Filtering incoming (and possibly outgoing traffic) helps do
> several things, first it decreases the burden on your hosts. It also all
On 8/24/05, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> > I personally like to 'pass keep state' with a 'scrub all' rule. This
> > at least gives me some interesting statistics to poke at when I'm
> > bored. Plus, I can firewall who gets to ssh into my machine.
>
> Another good use is {max-src-state
--On 24 August 2005 07:10 -0700, Bryan Irvine wrote:
They were very low bandwidth, but there went all available
connections.
Low-bandwidth is often worse if it's a dynamic website (especially if
it needs a lot of RAM to service a connection), placing an
http-accelerator in front can sometime
On Wed, Aug 24, 2005 at 09:15:48AM -0400, Timothy Donahue wrote:
> On Tuesday 23 August 2005 11:58 pm, eric wrote:
> > On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...
> >
> > > It is plain simple bad advice. And totally ridiculous.
> >
> > And plus, with ipv6, it's imperative tha
> I personally like to 'pass keep state' with a 'scrub all' rule. This
> at least gives me some interesting statistics to poke at when I'm
> bored. Plus, I can firewall who gets to ssh into my machine.
Another good use is {max-src-states ##} for webservers and the like.
I have a webserver that w
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Bryan Irvine
> Sent: Wednesday, August 24, 2005 10:11 AM
> To: Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
>
> > I personally like to 'pass keep state'
On Tuesday 23 August 2005 11:58 pm, eric wrote:
> On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...
>
> > It is plain simple bad advice. And totally ridiculous.
>
> And plus, with ipv6, it's imperative that the filters be pushed down to the
> end-host so we can quit relying on stup
On 8/24/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > > -Original Message-
> > > From: j knight [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 23, 2005 4:47 PM
> > > T
On Tue, 23 Aug 2005 16:53:25 -0600, Theo de Raadt wrote:
> You're wrong. Everyone -- run pf wherever you find it easier.
Followed this discussion with interest.
Doing the same thing (running pf) on my single-ended boxes; I actually
questioned myself why all of this is not part of the base instal
On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...
> It is plain simple bad advice. And totally ridiculous.
And plus, with ipv6, it's imperative that the filters be pushed down to the
end-host so we can quit relying on stupid firewalls and NAT bullshit to
break networks and slow p
There is an example:
set pf=YES in /etc/rc.conf.local, reboot
pfctl -sr will give you:
block drop all
pass on lo0 all
pass in proto tcp from any to any port = ssh keep state
pass out proto tcp from any to any port = domain keep state
pass out proto udp from any to any port = domain keep state
pa
On Tue, Aug 23, 2005 at 06:57:43PM -0400, Will H. Backman wrote:
> > -Original Message-
> > From: Theo de Raadt [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 23, 2005 6:53 PM
> > To: Jason Crawford
> > Cc: Will H. Backman; j knight; Misc OpenBSD
On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
>
> I agree in general, but then start adding the gnome or kde desktop or
> other applications and you never know what is listening.
>
what the hell?
On Tue, 2005-08-23 at 17:25 -0400, Jason Crawford wrote:
> Secondly, it seems pretty pointless to setup pf on a single host.
I beg to differ. man pf.conf, and look at the "user" and "group"
keywords.
--
Shawn K. Quinn <[EMAIL PROTECTED]>
> -Original Message-
> From: Theo de Raadt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 6:53 PM
> To: Jason Crawford
> Cc: Will H. Backman; j knight; Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
>
> > > Your statements are beyond ridic
On 8/23/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > > That is the most ridiculous thing I've heard all day. Lots of people
> > > run servers and must block them, on the same machine. Probably every
> > > single one of us.
> >
> > I'm not sure I understand what you mean. If you're going to ru
> > Your statements are beyond ridiculous. You are saying "If you need
> > to filter it, you should not be running it".
>
> X doesn't have to listen on TCP 6000, you can setup a unix socket, and
> it's no longer reachable from the network, and you still have full
> functionality (I know, I do jus
On 8/23/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Secondly, it seems pretty pointless to setup pf on a single host.
>
>
>
> That is the most ridiculous thing I've heard all day. Lots of people
> run servers and must block them
On 8/23/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 23 August 2005 17:25 -0400, Jason Crawford wrote:
>
> > Secondly, it seems pretty pointless to setup pf on a single host.
>
> It has its uses - spamd, for one...
>
Which is already covered in the spamd man page and doesn't need
anot
> I never said that. PF isn't the only way to block packets, like TCP
> wrappers or ACL's within the server itself.
That is horse shit, and shows that you don't know how actual code works.
I prefer to filter problems BEFORE THE ACTUAL CODE RUNS. Perhaps you
don't know what a pre-authentication bu
> > That is the most ridiculous thing I've heard all day. Lots of people
> > run servers and must block them, on the same machine. Probably every
> > single one of us.
>
> I'm not sure I understand what you mean. If you're going to run a
> server, what's the point of blocking it? Might as well t
On Tue, Aug 23, 2005 at 05:25:14PM -0400, Jason Crawford wrote:
| First off, it should be, set skip on lo0 (or lo, but by default
| there's only one lo interface anyways). Secondly, it seems pretty
| pointless to setup pf on a single host. Instead of worrying about the
| firewall, which takes up mo
--On 23 August 2005 17:25 -0400, Jason Crawford wrote:
Secondly, it seems pretty pointless to setup pf on a single host.
It has its uses - spamd, for one...
> Secondly, it seems pretty pointless to setup pf on a single host.
That is the most ridiculous thing I've heard all day. Lots of people
run servers and must block them, on the same machine. Probably every
single one of us.
> Inste
On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > From: j knight [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 23, 2005 4:47 PM
> > To: Will H. Backman
> > Subject: Re: /usr/share/pf/ suggestion
> >
> >
> -Original Message-
> From: Jason Crawford [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 5:25 PM
> To: Will H. Backman
> Cc: j knight; Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
>
> On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrot
> -Original Message-
> From: j knight [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 4:47 PM
> To: Will H. Backman
> Subject: Re: /usr/share/pf/ suggestion
>
> --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
>
> > Would it be useful to