Ok... I said screw it and completely re-did the config. I've got most of it
working, but I'm still showing just a few weird things that are getting
blocked now...
6 is my block in, 7 is my block out.
All of the other DNS is working just fine... I just see port 53 in here a
couple of times...
===
I know it's long.. but several want to see this...
I used the "quick" commands just because they stop there and exit... I
figured it would be faster to write it that way and get exactly what I want.
I can just state what I want to pass, then kill everything else.
btw, I have 4 /22's going throug
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> on the "tcpdump -nettti pflog0" command, should everything match the last
> two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any
No. You have a gazillion other "quick" rules in front of thes
on the "tcpdump -nettti pflog0" command, should everything match the last
two rules, which are:
pass in log quick inet from any to any
pass out log quick inet from any to any
They were block, but I changed them to pass so I could better see what's
going on with live traffic...
-Original
On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
> Doesn't matter what IP address on any interface you ping. All comes back
> with the same thing.
>
> I turned on logging to see what wasn't making it and such. I'm seeing DNS
> requests getting blocked...
>
> Routing is not an issue. The packets
[EMAIL PROTECTED] wrote:
http://www.iodamedia.net/pf.conf
Go grab it.. and tell me what I'm doing wrong!
-Shawn
Your ruleset is quite large to debug it just by looking at it.
But one error quickly sprang to my eyes: You're blocking the loopback
interface, which is certainly a bad idea.
C
Doesn't matter what IP address on any interface you ping. All comes back
with the same thing.
I turned on logging to see what wasn't making it and such. I'm seeing DNS
requests getting blocked...
Routing is not an issue. The packets (ICMP, et al) are getting blocked.
I do a pfctl -f /etc/pf.conf
Your rule set is too large for me to debug without actually running it.
But you can debug it step by step yourself:
All your rules use 'quick', and you say the packets get blocked by the
last two 'block' rules. That means the packets don't match a 'pass' rule
that you expect them to match.
You'l
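Added here as an illustration, not code from the thread or from the person replying above: a minimal pf.conf that applies the debugging approach just described (pass quick what you want, block and log everything else, then watch pflog0). It reuses the interface names and the 192.168.3.0/24 network mentioned elsewhere in the thread; which services it allows (ICMP echo, DNS, client-initiated TCP) and the block-first layout are assumptions for the example, not the poster's actual ruleset.

```pf
# Added example, not the poster's pf.conf. Interface names and the
# 192.168.3.0/24 network come from the thread; the allowed services
# are assumed for illustration.
ext_if  = "dc0"             # goes to the Internet
int_if  = "dc1"             # 192.168.3.0/24 lives here
int_net = "192.168.3.0/24"

# Never filter loopback: the resolver, syslog and many daemons talk to
# 127.0.0.1, so blocking lo0 breaks things that look unrelated to pf.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default deny on the real interfaces. pf is last-match, and the pass
# rules below use 'quick', so a packet only ends on one of these if no
# pass rule claimed it. Only the block rules carry 'log', so everything
# that shows up in 'tcpdump -nettti pflog0' is exactly what is dropped.
block in  log on $ext_if all
block out log on $ext_if all
block in  log on $int_if all
block out log on $int_if all

# ICMP echo from the inside network, to the firewall itself or beyond it.
pass in  quick on $int_if inet proto icmp from $int_net to any icmp-type echoreq keep state
pass out quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state

# DNS from inside clients to any resolver. The reply is matched by the
# state entry, so no separate "pass in ... from any port 53" hole is needed.
pass in  quick on $int_if inet proto udp from $int_net to any port 53 keep state
pass out quick on $ext_if inet proto udp from any to any port 53 keep state

# Client-initiated TCP from the inside network. 'flags S/SA' means only a
# SYN creates state; everything else in the connection rides on that state.
pass in  quick on $int_if inet proto tcp from $int_net to any flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state

# Check the syntax without loading, then load, then compare what pf
# actually has against what you meant to write:
#     pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#     pfctl -sr
```

Two points worth keeping in mind with a ruleset like this on pf of that era: 'keep state' has to be written out on every pass rule that should let replies back in (it is not implied), and a pfctl -f that fails to parse leaves the previously loaded rules in place, so always look at pfctl -sr after loading rather than assuming the file on disk is what is running.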
Only on the dc0 interface. The 192.168.3.0/24 block is on the dc1 interface.
The dc0 interface goes to the internet... I don't want/need to send anything from
192.168/16 to the internet
since they're 1918 addresses...
-Shawn
>
>
>
>
>> Do you have all routing set up correctly? Is the network that
>
Routing isn't an issue.
If I turn off packet filtering (pfctl -d) everything works perfectly.
I turn it on... and I can get onto the firewall from my "full access" workstations
outside of the network.
I can't hit anything else in any networks while it's turned on, unless I comment out
the "blo
Do you have all routing set up correctly? Is the network that
192.168.3.250 is on in the same subnet as one of the firewall interfaces?
Or is it a separate network? You'd need to add a route for it if it's
separate.
I had something funky happen with my routes at one point and had to
re-add.
Good
Yeah, I'll post them up on a webpage real quick.
And to answer someone's question earlier, yes, I'm using "quick" rules. I'm wanting to
try to keep the
latency down as low as I can. And I figured that would be the best way to keep it
down.
> Shawn,
>
> Multi-interface packet filtering can be
Shawn,
Multi-interface packet filtering can be tricky. Could you post your
rules?
Without that, all we can probably say is that you have a
misconfiguration somewhere.
IIRC, creating stateful inspection on one interface does not allow the
packets to go through other interfaces. This is my first
Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
Here's my setup:
AMD 2300 w/ 512MB DDR RAM
512MB flash drive
5 10/100 network cards
I have 4 networks right now, one of them is the internet. So let's call them, Inet,
A, B, and C.
Network C is the network with all mail/web
On Mon, Dec 16, 2002 at 09:47:41AM -0700, Duncan Matthew Stirling wrote:
> Please show me any example of a passive firewall rule set.
block in on $ext_if all
pass out on $ext_if all keep state
Passive mode ftp means that the ftp data connections are opened from the
clients to the servers (as com
On Mon, 2002-12-16 at 11:47, Duncan Matthew Stirling wrote:
>
> Please show me any example of a passive firewall rule set.
Let's nip this in the bud before it gets out of hand.
http://www.holland-consulting.net/tech/OBSDCommProbs.html#unfriendly
-J.
Please show me any example of a passive firewall rule set.
On Sun, Dec 15, 2002 at 09:50:44PM -0800, Ben Lovett wrote:
> Anyone else noticed panics with authpf and -current as of around 16:00
> on 12/14? The system in question is a Soekris net4501, which was
> previously running -current from around November 26th fine, with the
> same configuration.
If