Re: Accounting per host status.

2003-08-14 Thread Damien Miller
Gustavo Chamone wrote: > Folks, > since I couldn't find anything related to this on the archive, I'm hoping > that you guys can help me out. > > Last may, Hartmeier sent an e-mail with the Hackathon Summary[1]. He > mentioned that there was some work in progress on accounting per host, being > mad

Looks like we've got a live one....

2003-08-14 Thread Dom De Vitto
You'd better be blocking MS RPC PDQ! Oh, and expect a flood of downloads from ftp.openbsd.org once people figure Microsoft's definition of "Trusted Computing" :-) Dom - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dom De Vitto Tel.

Implementing a 'scrub tos' option?

2003-08-14 Thread Hendrik Scholz
Hi! Living on a DSL link is hard when it comes to ALTQ configuration on the upstream side. If you are able to configure both sides of a link policy based routing is no problem (i.e. prioritizing ACKs or icmp/udp/Diablo 2 :)). In my (and prob. this is the most common setup) I cannot (legally) take

Re: Ruleset Rdr Problem

2003-08-14 Thread Trevor Talbot
On Monday, Aug 11, 2003, at 18:35 US/Pacific, Scott Sipe wrote: OpenBSD pf firewall for small network, adsl in, doing nat. I want to rdr certain ports on the firewall to an internal server. My rdr and pass lines work fine for some services (http [80], rsync [873], etc) but two services DON'T

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Daniel Hartmeier
On Mon, Aug 11, 2003 at 04:01:38PM +0200, Hendrik Scholz wrote: > Before starting setting up an OpenBSD box I'd like to know if there > are any caveats/reasons since this has not been done already. I guess the question is: does a significant share of internet routers honour the flag? What effect

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Damien Miller
Ed White wrote: >> > pass in quick inet proto tcp from $My_ISP_class_B to $eth_ext port 22 tos >> > $key keep state >> >> This is the worst kind of security through obscurity. > > That's not security at all. My point exactly. > That's custom setup, like using sshd on port 31337. And equally st

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Henning Brauer
On Tue, Aug 12, 2003 at 10:09:01PM +1000, Damien Miller wrote: > OTOH a "pass set-tos xxx" option (what this discussion was originally > about) would be nice... there are various people now asking for a possibility to set the tos. I tend to think it makes sense. not sure about the syntax tho. --

PF logging as in the FAQ not working

2003-08-14 Thread openbsd-pf
Hello. Just got an OpenBSD 3.3 machine running as the firewall for a small network - I've just started using OpenBSD recently so I'm sure it's a rookie mistake. I've been trying to get the packet logging set up as in the faq but I can't get the file pflog.txt to be created. I've read this post

Re: FTP Chroot not working

2003-08-14 Thread Wouter Clarie
This question is really not appropriate for a packet filter mailing list. Please post this to [EMAIL PROTECTED] //Wouter On Wed, 13 Aug 2003, Justin Houchin wrote: > Hi Everyone, > I have been trying for the past couple of days to get FTP chroot > working on my 3.3 machine. I have added the

pf and bridge question

2003-08-14 Thread Marc Beyer
Hi, I have an OpenBSD 3.3 firewall which acts as a transparent bridge between our network (not NATted) and a router giving access to the rest of the world. The bridging interfaces are configured without IP address and a third (management) NIC is configured with an IP address inside our network

Ruleset Rdr Problem

2003-08-14 Thread Scott Sipe
I apologize in advance if this is a stupid question :) OpenBSD pf firewall for small network, adsl in, doing nat. I want to rdr certain ports on the firewall to an internal server. My rdr and pass lines work fine for some services (http [80], rsync [873], etc) but two services DON'T work--MS

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Henning Brauer
On Wed, Aug 13, 2003 at 01:43:18PM +0200, Hendrik Scholz wrote: > Hi! > > On Wed, 13 Aug 2003 12:01:16 +0200 > Henning Brauer <[EMAIL PROTECTED]> wrote: > > > there are various people now asking for a possibility to set the tos. > > I tend to think it makes sense. > > not sure about the syntax t

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Hendrik Scholz
Hi! On Mon, 11 Aug 2003 17:06:30 +0200 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > On Mon, Aug 11, 2003 at 04:01:38PM +0200, Hendrik Scholz wrote: > > > Before starting setting up an OpenBSD box I'd like to know if there > > are any caveats/reasons since this has not been done already. > > I

Re: relaydb question..

2003-08-14 Thread Daniel Hartmeier
On Tue, Aug 12, 2003 at 01:50:43PM -0700, Meenal C wrote: >I have implemented Daniel's solutions (pf+relaydb on OpenBSD) and it works great! > I have a question though... Why does relaydb ignore addresses inside of round > brackets ? It seems to be adding only addresses within []. > Some ema

E1 X.21 Serial Interface

2003-08-14 Thread Craig Bennett
Hi All, I apologise if this is off topic for the list, but I am sure someone here must be doing this. I am running the standard distro of OpenBSD 3.2 on our firewall. We currently have an SDSL connection which has an Ethernet interface. We would like to change ISPs and have been told we need to

RE: pf and bridge question

2003-08-14 Thread Amir Seyavash Mesry
As long as you separate the rulesets for the bridged config and the management nic, I don't see how it could happen unless the pf code is not meant to handle this, I am running the same config roughly and it works damn good, in fact too good when I first configed it. Also I would like to point out

Re: DIOCCHANGEADDR in 3.3-stable

2003-08-14 Thread Daniel Hartmeier
Ok, here's the fix and the example. Index: pf_ioctl.c === RCS file: /cvs/src/sys/net/pf_ioctl.c,v retrieving revision 1.78 diff -u -r1.78 pf_ioctl.c --- pf_ioctl.c 9 Aug 2003 14:56:48 - 1.78 +++ pf_ioctl.c 11 Aug 2003 20:1

Re: Ruleset Rdr Problem

2003-08-14 Thread jared r r spiegel
On Mon, Aug 11, 2003 at 06:56:23PM -0700, Trevor Talbot wrote: > > Keep in mind the filter rules are applied _after_ translation, which > affects the port numbers. $tcp_in should include 3389 instead of 4001 > and 4002. > also keep in mind that you'll forget that fact about 700 times. yo

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Hendrik Scholz
Hi! On Wed, 13 Aug 2003 12:01:16 +0200 Henning Brauer <[EMAIL PROTECTED]> wrote: > there are various people now asking for a possibility to set the tos. > I tend to think it makes sense. > not sure about the syntax tho. From my point of view it fits into the scrub scheme. Adding it to each rul

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Hendrik Scholz
Hi! On Wed, 13 Aug 2003 14:51:35 +0200 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > Yes. Basic question is: do you want to set the same tos on all packets > of one connection (state entry) automatically? > > Or is setting tos completely unrelated to connections, and you want to > do it per pack

Re: PF logging as in the FAQ not working

2003-08-14 Thread Jason Dixon
On Wed, 2003-08-13 at 12:08, [EMAIL PROTECTED] wrote: > Hello. Tried that and still no luck. Even did chown and chgrp to pflogger > and nothing. a) Please stop top-posting. b) Whenever you create a new file for a daemon like syslog to write to, you need to restart that daemon. kill -HUP `cat

Re: E1 X.21 Serial Interface

2003-08-14 Thread Craig Bennett
>My advice is, unless you are planning on BGP which increases the costs, to >buy an E1 capable CPE box (cisco is not the only make) and use it as first >hop :( Much less hassle in the long run. Thanks for the advice Peter. I haven't been able to source an LMC card so a router out front looks like

binat change of behaviour OpenBSD 3.1 to 3.3

2003-08-14 Thread Peter Galbavy
I have just upgraded a couple of our firewalls from 3.0 and 3.1 to 3.3. The site that uses binat rules is the one that started on 3.1 The external interface (vlan2) has each useable IP in an /27 range aliased on the interface. I then have a load of rdr, nat and binat rules to map certain IPs and I

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Damien Miller
Ed White wrote: > BTW filtering on TOS value introduce a good way to filter some ports even if > you get a dynamic IP. > > Example: > > You want to filter port tcp:22 to avoid the whole internet to get the OpenSSH > prompt. Adding a rule like this would make it possible... > > pass in quick i

Re: PF logging as in the FAQ not working

2003-08-14 Thread Jason Dixon
On Wed, 2003-08-13 at 10:19, [EMAIL PROTECTED] wrote: > Hello. Just got an OpenBSD 3.3 machine running as the firewall for a small > network - I've just started using OpenBSD recently so I'm sure it's a rookie > mistake. I've been trying to get the packet logging set up as in the faq > but I can

Re: pf and altq couple: before and after merge

2003-08-14 Thread Henning Brauer
On Mon, Aug 04, 2003 at 11:35:13PM +0300, Alexey E. Suslikov wrote: > so, what is the point of example? we are unable to match in and out packets > to shape them separately (remember, the state is the matching criteria) and > we are unable to shape same packets on the different interfaces (the stat

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Ed White
On Monday 11 August 2003 18:33, Hendrik Scholz wrote: > Where should I install a bridge? LANrouter > I cannot insert anything behind my router but like to modify the > telco routers queueing mechanism. I don't know your situation, but putting a bridge there could be invisible for L

Basic pfctl question

2003-08-14 Thread Marc Eggenberger
Hi there. I have an OpenBSD 3.3 running on a Sun Ultra1. I have 4 Interfaces (hme0 - hme3) Right now I only have 2 Interfaces running, hme0 is connected to the internet and hme3 is the internal network (but with official ip's - not nat). My basic question now. When I want certain traffic to be

FTP Chroot not working

2003-08-14 Thread Justin Houchin
Hi Everyone, I have been trying for the past couple of days to get FTP chroot working on my 3.3 machine. I have added the user name to /etc/ftpchroot. Started the ftp server with ftpd -D. I can log into the ftp server and get to the root directory. It is not restricting the user in the /etc/

Re: pf and bridge question

2003-08-14 Thread Marc Beyer
Hi, thanks for the answers I've received to this. Dom De Vitto wrote: This is because most switches are not security oriented and should be considered dumb hubs on all ports, all vlans. If anyone says this isn't so I'll beat them with enough references to flood a STM64... I think that was ki

Re: Basic Operation Issue

2003-08-14 Thread J. Sabino
Oh no problem. Thanks for clearing that up for me, I feel so much better now that I know I'm not crazy. Also, I agree that Daniel did make a good point that I hadn't thought about previously regarding the internal users using the firewall for DNS, Proxy, etc. I am of the mindset that these s

Re[2]: pf and altq couple: before and after merge

2003-08-14 Thread Alexey E. Suslikov
Tuesday, August 5, 2003, 11:00:14 AM, Daniel Hartmeier wrote: > Well, not an arbitrary number of states per connection, at most two > (unless translation and/or encapsulation is involved, then you could > possibly create more). > You can easily see how this works by loading the simple ruleset >

Re: Basic Operation Issue

2003-08-14 Thread j knight
J. Sabino wrote: Been reading a lot about pf recently, extremely nice software and love the easy syntax and great features. Something however has me a bit confused that I've read on this page: http://www.openbsd.org/faq/pf/filter.html#example I'm trying to remember what I had in mind when I wro

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Ed White
On Monday 11 August 2003 16:01, Hendrik Scholz wrote: > Living on a DSL link is hard when it comes to ALTQ configuration on the > upstream side. > In my (and prob. this is the most common setup) I cannot (legally) take > control of the upstream router and its queueing policies. Sorry it's not clea

relaydb question..

2003-08-14 Thread Meenal C
Hi, I have implemented Daniel's solutions (pf+relaydb on OpenBSD) and it works great! I have a question though... Why does relaydb ignore addresses inside of round brackets ? It seems to be adding only addresses within []. Some emails do not even have a single address within []. (who adds t

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Trevor Talbot
On Wednesday, Aug 13, 2003, at 03:01 US/Pacific, Henning Brauer wrote: On Tue, Aug 12, 2003 at 10:09:01PM +1000, Damien Miller wrote: OTOH a "pass set-tos xxx" option (what this discussion was originally about) would be nice... there are various people now asking for a possibility to set the tos.

Re: pf and bridge question

2003-08-14 Thread Henning Brauer
On Wed, Aug 13, 2003 at 05:39:56PM -0400, Amir Seyavash Mesry wrote: > Henning or eh I forget, know of a bug using this configuration, then it > should work as I have seen it. I don't know what should prevent that from working indeed. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PRO

RE: pf and bridge question

2003-08-14 Thread Dom De Vitto
Ok, lets go through this... > Hi, > > I have an OpenBSD 3.3 firewall which acts as a transparent bridge > between our network (not NATted) and a router giving access to the rest > of the world. The bridging interfaces are configured without IP address > and a third (management) NIC is configur

Basic Operation Issue

2003-08-14 Thread J. Sabino
Been reading a lot about pf recently, extremely nice software and love the easy syntax and great features. Something however has me a bit confused that I've read on this page: http://www.openbsd.org/faq/pf/filter.html#example First, I've read that pf is configured by default with an implicit a

Re: more than one rdr

2003-08-14 Thread Jolan Luff
On Fri, Aug 08, 2003 at 02:57:18PM -0700, Bryan Irvine wrote: > Is there a way to assign more than one ip to the $ext_if and do rdr > based on that? You can add an ip alias and use binat. I had problems w/arp that way. Could have been a problem between the keyboard & chair though. > like (prete

Re: Accounting per host status.

2003-08-14 Thread Henning Brauer
On Wed, Aug 06, 2003 at 05:47:43PM -0300, Gustavo Chamone wrote: > Last may, Hartmeier sent an e-mail with the Hackathon Summary[1]. He > mentioned that there was some work in progress on accounting per host, being > made by Ryan McBride. Does anyone know the status of this feature? I'm flying to

Accounting per host status.

2003-08-14 Thread Gustavo Chamone
Folks, since I couldn't find anything related to this on the archive, I'm hoping that you guys can help me out. Last may, Hartmeier sent an e-mail with the Hackathon Summary[1]. He mentioned that there was some work in progress on accounting per host, being made by Ryan McBride. Does anyone know t

Re: Implementing a 'scrub tos' option?

2003-08-14 Thread Daniel Hartmeier
On Wed, Aug 13, 2003 at 01:43:18PM +0200, Hendrik Scholz wrote: > You'd have to add the tos statement to both rules in case you want > the replies to incoming icmp echo request packets to be passed out > with a tos flag set. Yes. Basic question is: do you want to set the same tos on all packets o

Re: PF logging as in the FAQ not working

2003-08-14 Thread openbsd-pf
Hello. Tried that and still no luck. Even did chown and chgrp to pflogger and nothing. At 11:39 AM 8/13/2003 -0400, Jason Dixon wrote: >On Wed, 2003-08-13 at 10:19, [EMAIL PROTECTED] wrote: >> Hello. Just got an OpenBSD 3.3 machine running as the firewall for a small >> network - I've just st

Re: PF logging as in the FAQ not working

2003-08-14 Thread openbas-pf
At 12:27 PM 8/13/2003 -0400, you wrote: >a) Please stop top-posting. Sorry about that. If you would prefer that I not reply all also, please let me know. >b) Whenever you create a new file for a daemon like syslog to write to, >you need to restart that daemon. > >kill -HUP `cat /var/run/syslog.p