Hi, kolipe-SAN.
on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe wrote:
> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>>
>> Would you be willing to discuss how to write pf.conf?
>>
>> I'm using OpenBSD 7.5 AMD.
>> I want to limit the packets going in and out
Hi.
on Mon, 5 Aug 2024 12:34:18 +0200
Marko Cupać wrote:
> Having only one network interface, I assume this firewall protects
> machine it resides on (a server), not network behind it (a router /
> firewall), which rules out the need for net.inet.ip.forwarding sysctl.
I see.
A lot of the mate
On Mon Aug 5, 2024 at 8:24 PM BST, Mike Fischer wrote:
> On 05.08.2024 at 20:22, WATANABE Takeo wrote:
>
> Hi, Souji-SAN.
>
> Thank you so much for your advice.
> We will reply to you in due course.
>
>
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria" wrote:
>
>> On Sun Aug 4, 202
> On 05.08.2024 at 20:22, WATANABE Takeo wrote:
>
> Hi, Souji-SAN.
>
> Thank you so much for your advice.
> We will reply to you in due course.
>
>
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria" wrote:
>
>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>>> I am having t
Hi, Souji-SAN.
Thank you so much for your advice.
We will reply to you in due course.
on Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria" wrote:
> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a descripti
On Mon, 05 Aug 2024 00:36:18 +0900 (JST)
WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
Having only one network interface, I assume this firewall protects
machine it resides on (a server), not network behind it (a router /
firewall), which rules out
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
>
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
>
> 1. reject in principle : block all
> 2. when rejecting packets, do n
On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.
The config looks ok so far; I don't see any problems.
Can you run 'pfctl -
Dear Sirs,
Would you be willing to discuss how to write pf.conf?
I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows
1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out of the hos
I just installed the recent fixes for 6.0 with syspatch.
After reboot my pf rules have not been installed.
pfctl -nvvf pf.conf shows rule loading hangs between these rules:
- - -
table persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from flags any
- - -
After a minute rule lo
On Thu, Jan 06, 2022 at 03:39:00PM -0500, Sean McBride wrote:
> I don't actually want to use OpenSMTPD, I was just using it as a way to test
> my experimental pf rules. I'll try to find some other way to test them.
netcat
# man nc
On 5 Jan 2022, at 11:40, Crystal Kolipe wrote:
> Have you actually changed the default /etc/mail/smtpd.conf to listen for
> external connections?
No.
> By default it only listens on the loopback interface, (and local socket).
Ah. That probably explains that then. I don't actually want to use
On Wed, Jan 05, 2022 at 11:03:02AM -0500, Sean McBride wrote:
> pass in log quick on egress proto tcp to any port smtp
> If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD. But if I telnet from another
> machine on my LAN, I fail to connect. Shouldn't that
Hi Sean,
Happy new year to you,
do a netstat and make sure that your software is listening on an address
other than loopback or all addresses (0.0.0.0)
run the following command
netstat -an
If you want to check active rules in pf run the following command
pfctl -sr
if you ever want to check
Hi all,
(Newbie and first time poster, please be gentle :))
I'm trying to set up spamd, and I think I'm having trouble with pf. So
I tried to add a very basic test rule. I added to the beginning of
/etc/pf.conf the following:
pass in log quick on egress proto tcp to any port smtp
then reb
It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!
29.11.2020 13:08, Stuart Henderson writes:
On 2020-11-29, Родин Максим wrote:
The problem is that only port 80 seems to be
It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!
29.11.2020 14:30, Stuart Henderson writes:
On 2020-11-29, Stuart Henderson wrote:
On 2020-11-29, Родин Максим wrote:
The
On 2020-11-29, Stuart Henderson wrote:
> On 2020-11-29, Родин Максим wrote:
>> The problem is that only port 80 seems to be open from the outside.
>> I used several online port scanners to check this.
>> All of them tell:
>> port 80 OPEN
>> port 443 CLOSED
>
> Could it be blocked by your ISP? Do
On 2020-11-29, Родин Максим wrote:
> The problem is that only port 80 seems to be open from the outside.
> I used several online port scanners to check this.
> All of them tell:
> port 80 OPEN
> port 443 CLOSED
Could it be blocked by your ISP? Do you receive packets on your external
interface at
available from the internal network on http and https
ports when 192.168.1.102 is used.
To make the http server work from outside I'm trying to use the
following PF rule on my router:
...
web_server = "192.168.1.102"
web_ports = "{ http https }"...
...
# Web-server
p
Nick,
Indeed Working.
Thanks.
>>
>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>>
>
> Neither can I believe I had forgotten it, but I think you nailed it.
> Will test monday and let know.
>
> Thanks in advance.
>
> -fm
>
>>
>> tcpdump of a successful test connection:
>>
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>
Neither can I believe I had forgotten it, but I think you nailed it.
Will test monday and let know.
Thanks in advance.
-fm
>
> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r
On 2/14/2020 11:21 AM, Fabio Martins wrote:
I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.
Unfortunately still no success.
# pf.conf:
ext_if="xnf0"
match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
r
I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.
Unfortunately still no success.
# pf.conf:
ext_if="xnf0"
match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80
match out log on $
Hi Fabio (namesake),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8
port = flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port
= 25 flags S/SA label "TESTE LISTA" tag TES
On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,
Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.
#1
match in on $ext_if proto tcp from
Hi Nick,
Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.
#1
match in on $ext_if proto tcp from to ($ext_if) port 25 \
rdr-to 200.200.200.200
external host
# inetd.conf
127.0.0.1:8000 stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20
200.200.200.200
and + pf rule redirecting the hosts:
# pf.conf
table persist file "/etc/pf/tables/spammers.txt
pass in log on egress proto tcp from to any port 25 \
rdr-to 127.0.0.1 port 80
_inetd_proxy /usr/bin/nc nc -w 20
200.200.200.200
and + pf rule redirecting the hosts:
# pf.conf
table persist file "/etc/pf/tables/spammers.txt
pass in log on egress proto tcp from to any port 25 \
rdr-to 127.0.0.1 port 8000
I am trying to remove the inetd from the setup.
With
> I think it is caused by the packets blocked having the RST flag set -- a
> consequence of specifying "flags S/SA" in rule @39. Check out man
> pf.conf. Look for section about "flags a/b | any" (line 317 here).
The S/SA wasn't set explicitly by me, it's the default.
Out of interest, would this
On Wed, Sep 05, 2018 at 05:14:14PM +, Bob Smith wrote:
> I'm banging my head against a brick wall here trying to figure out why PF (on
> OpenBSD 6.3) is allowing some packets but blocking others ?
> Here's the tcpdump:
> Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49
Hi,
I'm banging my head against a brick wall here trying to figure out why PF (on
OpenBSD 6.3) is allowing some packets but blocking others ?
Here's the tcpdump:
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 >
198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 ru
OpenBSD 6.3, amd64
I am seeing this record being logged by pf. The rule specified in the
record does not have logging enabled. I must be missing something
simple as to why it is logging, but I can't see it.
20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0:
fe80:
Hi there,
it's a quite simple question :)
I have a rule like this
pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to
127.0.0.1 port spamd
and was wondering if it's better to use
pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp
divert-to 127.0.0.1 port spam
* Thuban le [25-10-2016 10:41:27 +0200]:
> > # tcpdump -e -ttt -ni pflog0 action block
> >
> > You will be able to see what exactly is being blocked :)
> >
Okay, I'm just too stupid. I can access the wwweb through my VPN. I just
can't ping, which is not a problem and seems logical according to my
p
> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)
>
That's my problem, nothing seems blocked, tcpdump returns nothing about
my requests to reach the outside web.
I'm stuck.
Please find below my full pf.conf in case I missed something:
e
Assuming you block the traffic by default
pf.conf
block log all
# tcpdump -e -ttt -ni pflog0 action block
You will be able to see what exactly is being blocked :)
-Regards
2016-10-24 12:19 GMT-02:00 Kenneth Gober :
> On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote:
> > Here are the relevant
On Sun, Oct 23, 2016 at 4:46 PM, Thuban wrote:
> Here are the relevant parts of my pf.conf:
>
> ext_if = "re0"
> tcp_pass = "{ gopher ipp 8000 }"
> udp_pass = "{ 1194 }"
>
> pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> pass in quick on $ext_if proto ud
er, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to
> the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule:
> >
> > pass ou
is active, vpn port is open, clients can connect to
the
> vpn. But they can't access wwweb.
>
> I guess the problem comes from this pf rule:
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have
t; > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule:
> >
> > pass out on $ext_if from 1
is active, vpn port is open, clients can connect to the
> vpn. But they can't access wwweb.
>
> I guess the problem comes from this pf rule:
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have
cess wwweb.
I guess the problem comes from this pf rule:
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
I've been on this issue for too many hours to have a clear mind on this.
Any advice to find why I'm stuck on the server?
Regards.
I have rdomain 1 and default rdomain
pair1 is in rdomain 1
pair2 is in default rdomain
Inside rdomain1 there is not loopback interface
network is 172.10.0.2/24
In /etc/resolv.conf I have nameserver 127.0.0.1
so all DNS (UDP 53) packets should go to 127.0.0.1
Default route in rdomain1 is pair2 inte
On 2015-10-27, Michael S. Keller wrote:
> On 10/27/15 3:42 AM, Stuart Henderson wrote:
>> On 2015-10-26, Giancarlo Razzolini wrote:
>>> I suggest you move your match rules to the beginning of the ruleset and
>>> use log on them. So you can watch your pflog interface and see the
>>> packets being
On 27-10-2015 09:37, Michael S. Keller wrote:
> These are the rules that appear potentially to affect outgoing packets
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic
On 10/27/15 3:42 AM, Stuart Henderson wrote:
On 2015-10-26, Giancarlo Razzolini wrote:
I suggest you move your match rules to the beginning of the ruleset and
use log on them. So you can watch your pflog interface and see the
packets being triggered. Also, you can (should) always use tags. Not
On 2015-10-26, Giancarlo Razzolini wrote:
> I suggest you move your match rules to the beginning of the ruleset and
> use log on them. So you can watch your pflog interface and see the
> packets being triggered. Also, you can (should) always use tags. Not
> only do they make your ruleset "debuggable",
Because there will never be a packet on gem0 with destination
192.168.1.64. The packets are being natted, aren't they? Try using tags,
your life will be much simpler.
I tried tags in an earlier iteration of this. Didn't help.
As a simpler test, I revised the rule for packets leaving gem0 to thi
On 10/26/15 8:12 AM, Giancarlo Razzolini wrote:
Are you aware that you'll need to have a queue on the internal interface
and another on the egress one right? Queuing incoming packets is very
tricky and does not always have the desired effect. I suggest you start with
prio and see where it leads you:
On 25-10-2015 15:31, Michael S. Keller wrote:
> I want to set queues to limit bandwidth for the streaming media
> devices on my home network. Unfortunately, the "pass out" rules on my
> internal network (external is PPPoE) don't ever trip for replies
> received from the world.
Are you aware tha
I've worked with this off and on for some time, but still don't know
what I'm not doing correctly.
I want to set queues to limit bandwidth for the streaming media devices
on my home network. Unfortunately, the "pass out" rules on my internal
network (external is PPPoE) don't ever trip for repl
Hi Stuart,
On 08/04/2014 18:31, Stuart Henderson wrote:
> On 2014-04-07, Christophe wrote:
> [..]
>
> Let's ignore the siproxd side of things and just look at the ruleset.
>
> You have no "pass" or "block" rules for any outbound traffic so the implicit
> default is used for outbound traffic
On 2014-04-07, Christophe wrote:
[..]
Let's ignore the siproxd side of things and just look at the ruleset.
>> set skip on lo
>> set loginterface pflog0
>>
>> block in on ! lo0 proto tcp to port 6000:6010
>>
>> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
>>
>> pass in on
On 2014-04-08, Christophe wrote:
> Hi Stuart,
>
> On 08/04/2014 10:41, Stuart Henderson wrote:
>> On 2014-04-07, Christophe wrote:
>>> The goal is to accept every SIP device from inside the LAN to register
>>> to SIP provider without any "outbound proxy" configuration, and let
>>> siproxd acti
Hi Stuart,
On 08/04/2014 10:41, Stuart Henderson wrote:
> On 2014-04-07, Christophe wrote:
>> The goal is to accept every SIP device from inside the LAN to register
>> to SIP provider without any "outbound proxy" configuration, and let
>> siproxd act as a masquerading server.
>
> Do you re
Hi Simon,
On 07/04/2014 20:20, Simon Perreault wrote:
> I don't know the direct answer to your question, but taking a step back...
>
> Any reason you want a transparent SIP proxy rather than an
> explicitly-configured SIP B2BUA? The latter is usually much easier to
> set up and maintain.
>
S
On 2014-04-07, Christophe wrote:
> The goal is to accept every SIP device from inside the LAN to register
> to SIP provider without any "outbound proxy" configuration, and let
> siproxd act as a masquerading server.
Do you really need it? Most user-facing SIP providers run SBCs to work
around
I don't know the direct answer to your question, but taking a step back...
Any reason you want a transparent SIP proxy rather than an
explicitly-configured SIP B2BUA? The latter is usually much easier to
set up and maintain.
Simon
--
DTN made easy, lean, and smart --> http://postellation.viageni
Hi list,
I encounter a problem while attempting to get siproxd acting as a
transparent SIP proxy and PF.
OpenBSD version is 5.4 on amd64.
> OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
siproxd installed from pack
Best option I see here is a dup-to packets to an interface with IDS
listening and give it the ability to add IP addresses to a blacklist and
flush all states associated with them.
PF is a kernel space item, and you want to keep this as simple as possible
to minimize bugs. Leave complex stuff like
i highly doubt that they would add any sort of layer 7/string checking
capability to pf. it's completely against its design
that's just not going to happen
I am not sure i am right but you are not in the good layer, you want snort
or something similar to do that.
On Fri, Jan 25, 2013 at 3:03 PM, Todd wrote:
> hi,
>
> not sure this is the correct place to ask but i wanted to know if the
> possibility of a new pf rule had been thought
hi,
not sure this is the correct place to ask but i wanted to know if the
possibility of a new pf rule had been thought of?
the concept i had in mind would be to filter packets bound for a port that
contained a she! or similar script header?
my thought was trying to add a way to check or
WHOA! that works!
I had no idea you could use the bitmask option like that! Thank You.
Although I haven't tested for any unwanted behavior... I'll get back
to you if i find any.
On Mon, Jul 9, 2012 at 3:10 PM, Stuart Henderson wrote:
> On 2012-07-09, Simon Perreault wrote:
>> On 2012-07-09 10
On 2012-07-09, Simon Perreault wrote:
> On 2012-07-09 10:17, Stuart Henderson wrote:
>> On 2012-07-09, Fil DiNoto wrote:
>>> But i was wondering if I could achieve something that would work for
>>> ALL the addresses behind the router as well without creating
>>> individual rules for each address.
On 2012-07-09 10:17, Stuart Henderson wrote:
On 2012-07-09, Fil DiNoto wrote:
But i was wondering if I could achieve something that would work for
ALL the addresses behind the router as well without creating
individual rules for each address. Something like this:
pass in on egress proto tcp fr
2012/7/9 Stuart Henderson
> On 2012-07-09, Fil DiNoto wrote:
> > I am trying to achieve something I thought would be simple, but
> > haven't had any luck.
> >
> >
> > I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A
> >
> > Behind it are a mix of OpenBSD and Linux systems, all with p
On 2012-07-09, Fil DiNoto wrote:
> I am trying to achieve something I thought would be simple, but
> haven't had any luck.
>
>
> I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A
>
> Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT.
>
> I run ssh on an altern
I am trying to achieve something I thought would be simple, but
haven't had any luck.
I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A
Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT.
I run ssh on an alternate port, XXX22. However, from a certain
locatio
Hello all,
thank you for your answers.
> > >
> > > table const { }
> > > pass quick proto tcp from to any port 22 no state
> > > pass in quick proto tcp from any to any port rdr-to 127.0.0.1
> > > port 22 block quick proto tcp from any to any port 22
> > >
> > >
> > > But o
On 2012-01-05, Gregory Edigarov wrote:
> On Thu, 5 Jan 2012 09:21:16 +0100
> Rafal Bisingier wrote:
>
>> Hi,
>>
>> On Thursday, 05 Jan 2012 at 09:00 CET
>> Robert Wolf wrote:
>>
>> >
>> > table const { }
>> > pass quick proto tcp from to any port 22 no state
>> > pass in quick prot
Hi,
start with block rule without "quick", then apply pass rules.
something like this:
table const { }
block proto tcp from any to any port 22
pass quick proto tcp from to any port 22 no state
pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
2012/1/5 Gregory Ediga
On Thu, 5 Jan 2012 09:21:16 +0100
Rafal Bisingier wrote:
> Hi,
>
> On Thursday, 05 Jan 2012 at 09:00 CET
> Robert Wolf wrote:
>
> >
> > table const { }
> > pass quick proto tcp from to any port 22 no state
> > pass in quick proto tcp from any to any port rdr-to 127.0.0.1
> > p
Hi,
On Thursday, 05 Jan 2012 at 09:00 CET
Robert Wolf wrote:
>
> table const { }
> pass quick proto tcp from to any port 22 no state
> pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
> block quick proto tcp from any to any port 22
>
>
> But of course,
Hello all,
May I ask any PF professional for his advice?
I have an OpenBSD router with multiple interfaces doing routing. It does not work as a
firewall so there is only one rule "pass flags any no state".
Because of many hack-scripts doing SSH logins and filling logs I would like to
block every SSH
Hello,
I would like a clarification. I have these rules and I notice an
incrementation only when there is a new incoming connection.
Here I did an ssh
connection
# pfctl -s rules -v | head -6
block drop log all
[ Evaluations: 83 Packets: 0 Bytes: 0 States: 0 ]
[
Hi,
I'm seeing these in the pflog off my firewall:
Oct 27 15:20:32.845671 rule def/(short) pass in on vlanxxx:
218.76.138.156.0 > x.x.x.63.0: udp 17035
Oct 27 15:21:12.924605 rule def/(short) pass in on vlanxxx:
218.76.138.156.0 > x.x.x.38.0: udp 17035
Oct 27 15:21:15.652141 rule def/(short) pa
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote:
> Okay guys. Thanks for the suggestion.
>
> > On 2 September 2011 09:26, Stefan N wrote:
> >
> > anchors + crontab as Peter suggested is an easy alternative.
Depending on what exact effect you want to achieve, you can maybe do it
without
Okay guys. Thanks for the suggestion.
Regards,
Stefan
From: Christiano F. Haesbaert
To: Stefan N
Cc: "misc@openbsd.org"
Sent: Friday, September 2, 2011 8:34 PM
Subject: Re: Time interval based pf rule
On 2 September 2011 09:26, Stefan N wrote:
&g
On 2 September 2011 09:26, Stefan N wrote:
> Actually I would like to limit the access during office hour.
> So Time interval base rule means:
> user is only allowed to access specific application and destination based
> from the time interval.
> For example: Finance Department user is only allow
o: Stefan N
Cc: "misc@openbsd.org"
Sent: Friday, September 2, 2011 8:14 PM
Subject: Re: Time interval based pf rule
On 2 September 2011 09:11, Stefan N wrote:
> Hi Jim,
>
> If I used anchor to create pf rules which means there is another
> configuration needs to be taken ca
On Fri, Sep 02, 2011 at 04:21:31AM -0700, Stefan N wrote:
> Does OpenBSD PF engine have the feature to create time interval based rule?
> I have tried to do that but I could not find any relevant documentation.
> Is time interval based rule supported to be created on OpenBSD PF?
the question co
On 2 September 2011 09:11, Stefan N wrote:
> Hi Jim,
>
> If I use an anchor to create pf rules, that means there is another
> configuration that needs to be taken care of.
> Beside /etc/pf.conf, we need to take care and maintain crontab for
> scheduling.
>
What are you trying to accomplish with timer ba
;misc@openbsd.org"
Sent: Friday, September 2, 2011 7:47 PM
Subject: Re: Time interval based pf rule
On Fri, Sep 2, 2011 at 4:21 AM, Stefan N wrote:
> Does OpenBSD PF engine have the feature to create time interval based rule?
>
See how to dynamically add rules via anchors:
http://www.op
On Fri, Sep 2, 2011 at 4:21 AM, Stefan N wrote:
> Does OpenBSD PF engine have the feature to create time interval based rule?
>
See how to dynamically add rules via anchors:
http://www.openbsd.org/faq/pf/anchors.html
...& scheduling scripts via crontab(5).
Jim
On Fri, 2 Sep 2011 04:21:31 -0700 (PDT)
Stefan N wrote:
> Hi all,
>
> Does OpenBSD PF engine have the feature to create time interval based rule?
What exactly do you mean by time interval based rule.
> I have tried to do that but I could not find any relevant documentation.
> Is time interval
Hi all,
Does OpenBSD PF engine have the feature to create time interval based rule?
I have tried to do that but I could not find any relevant documentation.
Is time interval based rule supported to be created on OpenBSD PF?
Regards,
Stefan
Hi,
For your ftp issue, see here : http://www.openbsd.org/faq/pf/ftp.html
Wesley. M
www.mouedine.net
www.e-solutions.re
On Wed, 20 Jul 2011 23:26:33 -0700, fqui nonez
wrote:
> 2011/7/20 fqui nonez :
>> 2011/7/20 Andres Perera :
>>> On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez
>>> wrote:
>>
2011/7/20 fqui nonez :
> 2011/7/20 Andres Perera :
>> On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez wrote:
>
> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez
> wrote:
>> Hello
>>
>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>> blocked packets, an
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez wrote:
> 2011/7/20 Wesley MOUEDINE ASSABY :
>> Also,
>> you can see a sample on http://mouedine.net/ruleset49.aspx
>>
>> Wesley.
>>
>> On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
>> wrote:
>>> Hi,
>>>
>>> Try this:
>>> block log return
>>
2011/7/20 Wesley MOUEDINE ASSABY :
> Also,
> you can see a sample on http://mouedine.net/ruleset49.aspx
>
> Wesley.
>
> On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
> wrote:
>> Hi,
>>
>> Try this:
>> block log return
>>
>> Cheers,
>>
>> Wesley.
>>
>> On Wed, 20 Jul 2011 01:09:09 -070
now for the problems in your rules:
On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez wrote:
> #       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Agregadas por mi: (added by me)
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pas
Also,
you can see a sample on http://mouedine.net/ruleset49.aspx
Wesley.
On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
wrote:
> Hi,
>
> Try this:
> block log return
>
> Cheers,
>
> Wesley.
>
> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez
> wrote:
>> Hello
>>
>> I have a sshd
Hi,
Try this:
block log return
Cheers,
Wesley.
On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez
wrote:
> Hello
>
> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
> blocked packets, and send them to /var/log/pfblocklog to be read with
> tcpdump. What and where should be t
ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_
pf.conf:
l = "log (to pflog1)"
block return $l
block ... $l
to keep the pfctl rule output readable, match and tag the packets
instead and have a single block + log rule (at the expense of no
"quick")
On Wed, Jul 20, 2011 at
Hello
I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
blocked packets, and send them to /var/log/pfblocklog to be read with
tcpdump. What and where should be the rule?
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo
### Agregadas por mi: (a
On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli
wrote:
> Hi everyone,
> I never had to deal with pf, but if possible i have a question:
>
> on my OpenBSD now block all outgoing connections to ssh and telnet to
internet
> with:
>
> block out on re0 proto { tcp } from any to any port { ssh
i try with:
pass out on re0 from any to { 192.168.1.9, 192.168.1.10 }
is that ok for you?
On 06/apr/2011, at 10.19, Gianluca D'Auri Muscelli wrote:
> Hi everyone,
> I never had to deal with pf, but if possible i have a question:
>
> on my OpenBSD now block all outgoing conne
Hi everyone,
I never had to deal with pf, but if possible i have a question:
on my OpenBSD now block all outgoing connections to ssh and telnet to internet
with:
block out on re0 proto { tcp } from any to any port { ssh telnet }
but now with this rule i can't connect with ssh to my lan 192.168.