I started my RADXIDE peeking code (MIT) from
https://github.com/aplsimple/alited/
My RADXIDE has been launched in few days and it has not syntax highlighting.
Alited is written completely in a simple Tcl/tk and it has syntax highlighting
functionalities.
Alex is also, often, available and
On Tue, Jul 23, 2024 at 12:22 PM wrote:
>
> On Tue, Jul 23, 2024 at 03:46:56PM +0100, Tom Smyth wrote:
> >Folks,
> >I was wondering had anyone tried to make a syntax highlighting for pf.conf
> >syntax,
> >
> >to help folks new to the pf.conf syntax in th
On Tue, Jul 23, 2024 at 03:46:56PM +0100, Tom Smyth wrote:
>Folks,
>I was wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
>
>to help folks new to the pf.conf syntax in the editor of their choice...
>
>I was thinking that this approach might be lower ha
I think vim already has it.
share/vim/${P}/syntax/pf.vim
> Le 23 juil. 2024 à 16:49, Tom Smyth a écrit :
>
> Folks,
> I was wondering had anyone tried to make a syntax highlighting for pf.conf
> syntax,
>
> to help folks new to the pf.conf syntax in the editor of t
On 23/07/24 16:46, Tom Smyth wrote:
Folks,
I was wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
to help folks new to the pf.conf syntax in the editor of their choice...
I was thinking that this approach might be lower hanging fruit rather
than trying to write a rule
Folks,
I was wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
to help folks new to the pf.conf syntax in the editor of their choice...
I was thinking that this approach might be lower hanging fruit rather
than trying to write a rule editor in nsh (for now at least
On Mon, Jul 15, 2024 at 6:33 AM Irreverent Monk wrote:
> pass in on egress inet6 proto icmp6 all \
>
> icmp6-type { routeradv neighbrsol neighbradv }
>
> pass in on egress inet6 proto udp \
>
> from fe80::/10 port dhcpv6-server \
>
> to fe80::/10 port dhcpv6-client \
>
> no state
>
>
>
On 2024-07-15, Irreverent Monk wrote:
> Question 1: What's causing inbound ssh to only work with IP address and
> not DNS name?
No idea about that, there's no reason for this to affect anything unless
the DNS is broken or returning an incorrect address etc (or returning
a v6 address if you have
d_config:
# grep -v ^# /etc/ssh/sshd_config
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
### Here is my /etc/pf.conf
# cat /etc/pf.conf
ext_if="ix0" # external interface/egress
int_if="ix1"
i
Hello,
I just want to share my solution taken from "Building Linux and OpenBSD
firewalls" (av. on the Internet Archive) to solve the no traffic prb
caused the block "block in all" statement.
I moved the following statements:
# dns
pass in quick on $all_ifs proto udp from any port domain to any
://bsd.network/@dch/110501874752402311) they said:
"@pitrh I’m still waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious
if “explain to me this pf.conf in plain english” would work. :-)
Probably about as well.
:
"@pitrh I’m still waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious if
“explain to me this pf.conf in plain english” would work. :-)
Probably about as well. It's the "Chinese Room" AI concept
I’m still waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious if
“explain to me this pf.conf in plain english” would work. :-)
Sean
Prompted by a followup on Mastodon, I was enticed to see what feeding a prose
spec
for a pf.conf to ChatGPT would produce.
TL;DR: it failed miserably, but in a way that would have led the gullible to
try it out raw, leading them down a route that would lead to loads of misery
and frustration
):
> > > I have a question regarding queuing and priorities in pf.conf on
> > > OpenBSD 7.2.
> > >
> > > I have a basic gateway configuration - a PC with two NIC's (em0, em1). One
> > > interface is connected to the LAN and one interface is connected to
lso does this.
>
> Good that you noticed that, but it's unnecessary. pf is smart enough to know
> what traffic to apply it to. It's good to compare the output of pfctl(8) to
> know
> exactly what's changing and how things are getting parsed (`pfctl -s rules`,
> `pfctl -nvf /etc/pf.c
erimented with configurations that complex, and these days I
mostly stick to the simple one rule configuration mentioned in pf.conf(5) under
QUEUEING.
> match out on $ext_if inet proto tcp set queue dataq set prio (5, 6) \
> tag INTERNET
I'm aware of the priorities trick you're using[2]
On 2023-01-13 18:09, J Doe wrote:
Hello,
I have a question regarding queuing and priorities in pf.conf on OpenBSD
7.2.
I have a basic gateway configuration - a PC with two NIC's (em0, em1).
One interface is connected to the LAN and one interface is connected to
the Internet with a public
On 2023-01-14 11:37, Marcus MERIGHI wrote:
Hello,
not an answer but a little input below...
gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):
I have a question regarding queuing and priorities in pf.conf on
OpenBSD 7.2.
I have a basic gateway configuration - a PC with two
Hello,
not an answer but a little input below...
gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):
> I have a question regarding queuing and priorities in pf.conf on
> OpenBSD 7.2.
>
> I have a basic gateway configuration - a PC with two NIC's (em0, em1). One
Hello,
I have a question regarding queuing and priorities in pf.conf on OpenBSD
7.2.
I have a basic gateway configuration - a PC with two NIC's (em0, em1).
One interface is connected to the LAN and one interface is connected to
the Internet with a public IP and with a bandwidth
Hello,
On Mon, Oct 10, 2022 at 06:52:00AM +0200, Bjorn Ketelaars wrote:
>
> (reply also sent to tech@)
>
> In 2011 henning@ removed fiddling with the ip checksum of normalised
> packets in sys/net/pf_norm.c (r1.131). Rationale was that the checksum
> is always recalculated in all output paths
. At first I believed this was the result of
> hardware checksum offloading. However, after some more digging I found
> that my pf.conf was to blame, specifically:
>
> match inet scrub (max-mss 1460, no-df, random-id)
>
> Removing `no-df` and `random-id` as argument causes mcast-
offloading. However, after some more digging I found
that my pf.conf was to blame, specifically:
match inet scrub (max-mss 1460, no-df, random-id)
Removing `no-df` and `random-id` as argument causes mcast-proxy to
accept all incoming IGMP packets resulting in a working solution.
After grepping sys/net
ternet via pppoe(4), which uses em(4)
> as the physical interface.
>
> The router has a /etc/hostname.wg0 file that connects it as a client to
> my VPN provider on boot. Then, /etc/pf.conf has a nat-to rule for
> WireGuard, for IP masquerading. Here's said rule:
>
> match out o
Hello. I have an APU4D4 running OpenBSD and acting as a router for my
home network. It connects to the Internet via pppoe(4), which uses em(4)
as the physical interface.
The router has a /etc/hostname.wg0 file that connects it as a client to
my VPN provider on boot. Then, /etc/pf.conf has a nat
0.1
host max : 127.255.255.254
hosts/net : 2147483646
> Since I don't want to filter any of the Wireguard traffic, at the top of
> the pf.conf, I have:
> set skip on wg0
You might not want to _filter_ it, but for some configurations you may
find it necessary to set max-mss in pf.co
Hello!
hamdi201...@gmail.com (Andreas X), 2020.12.29 (Tue) 13:53 (CET):
> > > I happen to come across this blog today that may help
> > > you clarify some of your questions:
> >
> >
>
>
>
> > I happen to come across this blog today that may help
> > you clarify some of your questions:
> >
>
>
> https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-connect-through-it/
>
> I hope it helps. I am planning to set up one
Hi,
wgport 53
Unbound is configured to only listen on the loopback interface, so that
shouldn't be interfering...
But it does
https://www.mail-archive.com/misc@openbsd.org/msg175837.html
Hi Steve,
On 20/12/28 04:14PM, Steve Williams wrote:
> ...
>
> I am not sure where my issue is...
I am going to cut to the chase here since I am no wireguard or OpenBSD
expert; however, I happen to come across this blog today that may help
you clarify some of your questions:
.0.0.0/1
Endpoint = :53
Since I don't want to filter any of the Wireguard traffic, at the top of
the pf.conf, I have:
set skip on wg0
Then I am allowing incoming traffic to port 53.
# Wireguard running on DNS port
pass in on egress inet proto udp from any to (egress) port { domain }
When I
On Mon, Dec 21, 2020 at 07:28:54PM -0800, Sean Kamath wrote:
> > On Dec 21, 2020, at 14:24, Aham Brahmasmi wrote:
> > For the defaults, I try to explicitly write some of them sometimes. I
> > find this helpful because it is difficult for me to remember what the
> > defaults are. However, I do
> On Dec 21, 2020, at 14:24, Aham Brahmasmi wrote:
> For the defaults, I try to explicitly write some of them sometimes. I
> find this helpful because it is difficult for me to remember what the
> defaults are. However, I do understand that I run the risk of being
> caught unawares if the
Namaste Peter,
Tusen takk for your reply.
> Sent: Saturday, December 19, 2020 at 3:32 PM
> From: "Peter Nicolai Mathias Hansteen"
> To: "misc"
> Subject: Re: pf.conf parser/lint
>
>
>
> > 19. des. 2020 kl. 14:50 skrev Aham Brahmasmi :
> >
of the more important ones you’re likely to
get.
Adding to that, in my experience, the important thing is to make your
configurations as simple as possible but not simpler :)
I would like to stress using pf.conf readability features as helpers to keeping
your config maintainable, so
* use se
Namaste Theo,
I apologize for reincarnating this thread.
> Sent: Friday, September 04, 2020 at 5:33 PM
> From: "Theo de Raadt"
> To: "Tommy Nevtelen"
> Cc: misc@openbsd.org
> Subject: Re: pf.conf parser/lint
>
> Tommy Nevtelen wrote:
>
>
> We provide over FIVE ways to identify ports without using the hardware
> driver names, but hey... this discussion is about the theory you can
> check overall behaviour of a system by ignoring the important parts.
I always put a description and group field in my hostname config so that
it allow
Tommy Nevtelen wrote:
> On 04/09/2020 18.07, Brian Brombacher wrote:
> > Well, let’s say a Linter doesn’t exist and you can’t invest time to make
> > one. Do you have a lower environment, mirror-exact ideally, to run tests
> > on the pre-receive hook?
> >
> > It’s an interesting issue you’re
On 04/09/2020 18.07, Brian Brombacher wrote:
Well, let’s say a Linter doesn’t exist and you can’t invest time to make one.
Do you have a lower environment, mirror-exact ideally, to run tests on the
pre-receive hook?
It’s an interesting issue you’re trying to solve ;)
I didn't say I can't
> On Sep 4, 2020, at 12:03 PM, Tommy Nevtelen wrote:
>
> On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>>>
>>>
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl
Tommy Nevtelen wrote:
> On 04/09/2020 17.24, Brian Brombacher wrote:
> >
> >> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
> >>
> >> Hi there misc!
> >>
> >> Is there an external pfctl linter? we have bunch pf firewalls for which we
> >> generate rules but also write some manual ones
On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? we have bunch pf firewalls for which we
generate rules but also write some manual ones
On 04/09/2020 17.24, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? we have bunch pf firewalls for which we
generate rules but also write some manual ones that get merged. Would be nice
if we could lint the
> On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>
>
>
>> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>>
>> Hi there misc!
>>
>> Is there an external pfctl linter? we have bunch pf firewalls for which we
>> generate rules but also write some manual ones that get merged.
> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? we have bunch pf firewalls for which we
> generate rules but also write some manual ones that get merged. Would be nice
> if we could lint the rules before committed to vcs.. (yes
On Fri, Sep 4, 2020 at 10:51 AM Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? we have bunch pf firewalls for which
> we generate rules but also write some manual ones that get merged. Would
> be nice if we could lint the rules before committed to vcs.. (yes we
>
Hi there misc!
Is there an external pfctl linter? we have bunch pf firewalls for which
we generate rules but also write some manual ones that get merged. Would
be nice if we could lint the rules before committed to vcs.. (yes we
test before they are applied on the machines as well but that is
pf.conf set state-defaults pflow seemingly not exporting traffic
My money is on state-defaults working and I just am doing something
wrong, but I can't figure out what it is.
The sensor's information:
OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
r...@syspatch-67-amd64.openbsd.org
On Tue, 21 Jul 2020 19:35:17 +0200, Peter Nicolai Mathias Hansteen
wrote:
> pfctl -vnf pf.conf
oh indeed it says
pass out log on vlan10 proto tcp all flags S/SA modulate state
(if-bound)
but I understood why my pflow setup still works: it takes the flow from
the internal interfaces :)
on $ext_if proto { tcp, udp } all modulate state
>
> (I checked the rule is used because if I comment it the outgoing
> traffic doesn't go anymore)
The only way to be sure is to look at the actually loaded rule set (systat
rules or pfctl -vnf pf.conf), the boxes I have within e
On Tue, 21 Jul 2020 18:52:40 +0200, Peter Nicolai Mathias Hansteen
wrote:
> > 21. jul. 2020 kl. 17:42 skrev marfabastewart
> > :
> >
> > pf.conf set state-defaults pflow seemingly not exporting traffic
> >
> > My money is on state-defaults working and I just
> 21. jul. 2020 kl. 17:42 skrev marfabastewart :
>
> pf.conf set state-defaults pflow seemingly not exporting traffic
>
> My money is on state-defaults working and I just am doing something
> wrong, but I can't figure out what it is.
>
> The sensor's information:
>
>
> -- Forwarded message --
> From: Kevin Chadwick
> To: misc@openbsd.org
> Cc:
> Bcc:
> Date: Sun, 14 Jun 2020 13:58:39 +
> Subject: Thoughts or links on optimally secure defaults for pf.conf and
> fstab, whilst aiming to minimise support issues.
you may need no-df on the scrub rule.
From the description in pf.conf(5) no-df on "set reassemble" is something else,
can't say I've ever needed to use that.
> Any thoughts or links on the most secure pf.conf that remains being compatible
> with any network?
"block" :)
On 2020-06-14 13:58, Kevin Chadwick wrote:
> set reassemble yes no-df
> match scrub (random-id max-mss 1389)
>
> Should I drop the no-df from set reassemble? Any other recommendations
> welcome?
To be clear. Previously, with scrub (no-df... the set reassemble line was
missing/default.
before and I am now using without issue, so far.
set reassemble yes no-df
match scrub (random-id max-mss 1389)
Should I drop the no-df from set reassemble? Any other recommendations welcome?
Any thoughts or links on the most secure pf.conf that remains being compatible
with any network?
Thank You
> 6. mai 2020 kl. 22:00 skrev Lars Bonnesen :
>
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where everything is mixed more or less randomly
My advice would be to write your pf.conf in a way
pfctl has a ruleset optimizer built in, which handles most of that.
So, it is best if you write rules in a way that makes sense.
Lars Bonnesen wrote:
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where every
Is it no longer important to group block/pass in/out for speed optimization?
I see many "modern" pf.conf where everything is mixed more or less randomly
Regards, Lars.
hat happens.
>
> I have read online and man pages etc, and all say that the "block return" and
> "pass" rules are not necessary. In fact the example given at
> https://www.openbsd.org/faq/pf/filter.html does not have these two initial
> rules. These default rules were
necessary. In fact the example given at
https://www.openbsd.org/faq/pf/filter.html does not have these two initial
rules. These default rules were carried over from the /etc/example/pf.conf
Even moving the *block return* default rule to lower in the rulebase - results
in the same symptoms
>> | reach the Internet even when they are in BACKUP state.
>> | I'm managing pf via Ansible/GIT, so I'd like to keep the
>> | configuration of pf.conf standard and simple as much as possible.
>> |
>> | Usually, I use the notation "nat-to ($interface)" to l
| I'm managing pf via Ansible/GIT, so I'd like to keep the
> | configuration of pf.conf standard and simple as much as possible.
> |
> | Usually, I use the notation "nat-to ($interface)" to let pf use the
> | correct ip, but in this case I've BGP configured and the
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
|
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf
Hi all,
I have a couple of firewalls with carp configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/GIT, so I'd like to keep the configuration
of pf.conf standard and simple as much as possible.
Usually, I use the notation "
Hi Philipp,
On Sat, Jan 25, 2020 at 12:06:49PM +0100, Philipp Buehler wrote:
|
| Hey Paul,
|
| Am 25.01.2020 11:43 schrieb Paul de Weerd:
| > block in on $IntIF inet proto { tcp, udp } from $IntIF:network to !
| > $IntIF:0 port domain
| > block in on $IntIF inet6 proto { tcp, udp } from
Hey Paul,
Am 25.01.2020 11:43 schrieb Paul de Weerd:
block in on $IntIF inet proto { tcp, udp } from $IntIF:network to !
$IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to !
$IntIF:0 port domain
I just tested this with "IntIF=vio0" and works on
Hi all,
I'm rewriting some pf.conf rulesets and thought to use interface
modifiers to make them more generic. Here's an example of what I came
up with:
block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0
port domain
block in on $IntIF inet6 proto { tcp, udp } from
> hiya
> can you have lines like this in pf.conf
> anchor "authpf/vpn/*" in on $VPN_IFACE
> anchor "authpf/wireless/*" in on $WIRE_IFACE
> and have anchors in /etc/authpf/vpn with your vpn rules
> and anchors in /etc/authpf/wireless with your wireless rules
yes
hiya
can you have lines like this in pf.conf
anchor "authpf/vpn/*" in on $VPN_IFACE
anchor "authpf/wireless/*" in on $WIRE_IFACE
and have anchors in /etc/authpf/vpn with your vpn rules
and anchors in /etc/authpf/wireless with your wireless rules ?
shadrock
> All-in-all, something like that would solve that problem for you:
>
> pass out quick proto tcp from (self) to port 22 route-to (athn0
> $athn0_gateway) nat-to (athn0)
>
That worked perfectly! Thank you, Igor.
Even with OpenBSD's legendary documentation at my disposal, with my current
On Thu, 17 Jan 2019 at 23:24, Bruno Dantas wrote:
[...]
> pass out proto {tcp udp} to any port 22022 route-to athn0
>
> and this:
>
> pass out proto {tcp udp} to any port 22022 route-to \
> $athn0_gateway
>
> But both result in ssh authentication attempts to hang at
> "debug1: Connecting
) to create a custom route for
the marked packets, like this:
iptables -t mangle -A PREROUTING -p tcp -m multiport --dport 22022 -j \
MARK --set-mark 1
ip route add table 100 $wlan0_default_gateway
ip rule add fwmark 1 table 10
Please, how do I accomplish this on OpenBSD 6.4 using pf.conf(5)?
I
* Stuart Henderson le [10-12-2018 18:19:41 +]:
> On 2018-12-07, Thuban wrote:
> > * Stuart Henderson le [06-12-2018 13:44:50 +]:
> >> On 2018-12-06, Thuban wrote:
> >> > * Thuban le [02-12-2018 19:16:09 +0100]:
> >> >> Hi,
> >
On 2018-12-07, Thuban wrote:
> * Stuart Henderson le [06-12-2018 13:44:50 +]:
>> On 2018-12-06, Thuban wrote:
>> > * Thuban le [02-12-2018 19:16:09 +0100]:
>> >> Hi,
>> >> I need help to write a correct rule in pf.conf.
>> >>
* Thuban le [02-12-2018 19:16:09 +0100]:
> > >> Hi,
> > >> I need help to write a correct rule in pf.conf.
> > >>
> > >> I want :
> > >>
> > >> A -> B --> web
> > >>
> > >> The appearing IP
* Stuart Henderson le [06-12-2018 13:44:50 +]:
> On 2018-12-06, Thuban wrote:
> > * Thuban le [02-12-2018 19:16:09 +0100]:
> >> Hi,
> >> I need help to write a correct rule in pf.conf.
> >>
> >> I want :
> >>
> >> A ->
On 2018-12-06, Thuban wrote:
> * Thuban le [02-12-2018 19:16:09 +0100]:
>> Hi,
>> I need help to write a correct rule in pf.conf.
>>
>> I want :
>>
>> A -> B --> web
>>
>> The appearing IP of A is the B's one on the web.
>
* Thuban le [02-12-2018 19:16:09 +0100]:
> Hi,
> I need help to write a correct rule in pf.conf.
>
> I want :
>
> A -> B --> web
>
> The appearing IP of A is the B's one on the web.
>
> I managed to configure iked on A and B using default pub
Hi,
I need help to write a correct rule in pf.conf.
I want :
A -> B --> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
iked.conf on A :
ikev2 active ipco
On 2018-10-10, Stefan Wollny wrote:
> I could assign a static address to this laptop and use this address
> setting up a specific rule for this one port. But this is not the way
> I'd prefer to go.
Note that, doing it this way, if the server's dynamic address changes
client connections will need
On Oct 10, 2018 10:23 AM, Paul de Weerd wrote:
>
> On Wed, Oct 10, 2018 at 10:17:21AM -0500, Edgar Pettijohn wrote:
> | When looking for pf info I generally just Google Peter Hansteen.
>
> So is Peter misnamed, should he be called Peter Fansteen, or is pf(4)
> misnamed, should it be ph(4)?
>
On Wed, Oct 10, 2018 at 10:17:21AM -0500, Edgar Pettijohn wrote:
| When looking for pf info I generally just Google Peter Hansteen.
So is Peter misnamed, should he be called Peter Fansteen, or is pf(4)
misnamed, should it be ph(4)?
*confused*
Paul 'WEiRD' de Weerd
SCNR
--
F to forward this port (25565) without a pre-defined
>>> IP as macro as the dhcpd.conf has a line defining tables for abandoned
>>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>>> dhcpd(8) those tables may be used
line defining tables for abandoned
> > ("-A"), changed ("-C") and present leases ("-L"). According to man
> > dhcpd(8) those tables may be used with PF. But how??? I couldn't find
> > examples.
> >
> > Do I have to tell PF about these tables in pf.conf?
>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
>> examples.
>>
>> Do I have to tell PF about these tables in pf.conf? Or don't I need
>>
"-L"). According to man
> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
> examples.
>
> Do I have to tell PF about these tables in pf.conf? Or don't I need
> these tables at all?
You do need to include the tables in your pf.conf. I'm a bit surprised
the
Hi there!
I've google'd quite a while and read the FAQ and many man-pages - but I
didn't find an example for my pf.conf (or simply overlooked it...):
The system is amd64-current. The client is Win7-laptop serving as
Minecraft-server, thus port 25565 needs to be forwarded but IP may change.
I
-
> > >
> > > Is there a special reason syntax like INTERNET_INT:1 wont work if we
> want to use the first alias address from the hostname interface file?
> > >
> > > As it is now I have to use the base address by using ":0" or including
> all aliases
s address from the hostname interface file?
> >
> > As it is now I have to use the base address by using ":0" or including all
> > aliases. For me this seems unusable. If I want to nat out on the alias
> > address from for example the DMZ I would like to use ":1". A
s seems unusable. If I want to nat out on the alias
> address from for example the DMZ I would like to use ":1". As this is not
> possible I have to hard code the IP:s in pf.conf.
Yes there is a very good reason.
Interface aliases are not what you think they are. A mistake was made
not possible I
have to hard code the IP:s in pf.conf.
Have I misunderstood something? Please enlighten me.
Tnx
Peo
Apologies, correction:
obsd3# pfctl -f /etc/pf.conf
Should be:
obsd2# pfctl -f /etc/pf.conf
Joe
On Sat, May 12, 2018 at 9:37 PM Joseph Crivello <josephcrive...@gmail.com>
wrote:
> I cannot get reply-to working with if-bound under any circumstances. It
> works fine with floa
.84.32.11 255.255.255.0" > /etc/hostname.vmx2
obsd2# echo "inet 10.84.33.11 255.255.255.0" > /etc/hostname.vmx3
obsd2# echo "net.inet.ip.forwarding=1" > /etc/sysctl.conf
obsd2# reboot
...
obsd2# echo "pass in log on vmx1 inet from 10.84.31.10 to 10.84.33.12 kee
Hello!
I have a trunk0 interface on a router (#1) that is used for a singular
purpose -- to pass (IPsec protected) traffic for an IPIP tunnel (gif0) to
another router (#2). I have configured PF rules on router #1 that prevent
any other type of traffic from passing on trunk0. There are several
> > On 2017-12-14, ti...@openmailbox.org <ti...@openmailbox.org> wrote:
> >> Hi!
> >>
> >> Do you see any typical pf.conf or sysctl settings to tweak/speedup
> >> NAT/networking stack throughput?
> >>
> >> (On USB2 dongles, sigh.
> >>
>
>
>> Do you see any typical pf.conf or sysctl settings to tweak/speedup
>> NAT/networking stack throughput?
>>
>> (On USB2 dongles, sigh.
>>
>> Current speed is quite OK actually, a client with good hardware would get up
>> to 70mbps through the NAT. I
On 2017-12-14, ti...@openmailbox.org <ti...@openmailbox.org> wrote:
> Hi!
>
> Do you see any typical pf.conf or sysctl settings to tweak/speedup
> NAT/networking stack throughput?
>
> (On USB2 dongles, sigh.
>
> Current speed is quite OK actually, a client w