Re: Strange return-rst behaviour in 3.4

2003-11-09 Thread Miles Sabin
Daniel Hartmeier wrote, > return-rst/-icmp require a bridge to have IP addresses assigned and > routing table entries added. Basically, you must be able to ping the > destination of the RST packet from userland, i.e. have a suitable > source address and (default) route to the destination. Hence, on

Re: Link-local addresses

2003-11-09 Thread Wouter Coene
Wouter Coene wrote: Perhaps another suffix along the lines of ':network' and ':broadcast' that omits non-routable addresses (':routable', ':network-routable')? Attached is a patch that implements this. So now you can write: pass in on gif0 from any to gif0:routable a

Re: Link-local addresses

2003-11-09 Thread Wouter Coene
Henning Brauer wrote: On Sun, Nov 09, 2003 at 05:34:45PM +0100, Wouter Coene wrote: For those who don't really use their IPv6 link-local addresses and who would like to shrink their ruleset a little, here's a patch against OpenBSD 3.4's pfctl to add an option to omit these completely from your rule

Re: Link-local addresses

2003-11-09 Thread Henning Brauer
On Sun, Nov 09, 2003 at 05:34:45PM +0100, Wouter Coene wrote: > For those who don't really use their IPv6 link-local addresses and who > would like to shrink their ruleset a little, here's a patch against > OpenBSD 3.4's pfctl to add an option to omit these completely from your > ruleset. just for

Re[2]: just another confused poor soul (yet)

2003-11-09 Thread Max Laier
Sunday, November 9, 2003, 5:46:14 PM, Fred Edwards wrote: FE> I wondered about routing also, but since he said that web worked but ssh didn't, I wrote that FE> off. Did I miss something? Yes, the web request comes from the squid on the OpenBSD box thus originating from an IP linux1 has a backrou

Re: Strange return-rst behaviour in 3.4

2003-11-09 Thread Daniel Hartmeier
On Sun, Nov 09, 2003 at 05:13:23PM +, Miles Sabin wrote: > Options returning packets have no effect if pf(4) operates on a > bridge(4). > > which leaves me even more puzzled. The block rule is on a bridge > interface, yet the RST is being returned (definitely by the bridge > itself, not

Re: Strange return-rst behaviour in 3.4

2003-11-09 Thread Miles Sabin
I wrote, > I've just noticed that in 3.4 the RST generated by a block in > return-rst rule is being blocked on the way out by a catch all block > out rule, eg., > > block return-rst in quick on $ext_if proto tcp \ > from any to $reachable_addrs port = ident > > block out log quick on $br_ex

Re: Strange return-rst behaviour in 3.4

2003-11-09 Thread Daniel Hartmeier
On Sun, Nov 09, 2003 at 04:51:52PM +, Miles Sabin wrote: > But this doesn't feel like it should be necessary ... shouldn't pf > create a transient state for the outbound RST? Unless I missed it > previously, it's also a change in behaviour from 3.3. The RST generated by pf due to a block re

Re: just another confused poor soul (yet)

2003-11-09 Thread franciszek holop
hmm, Fred Edwards said that > What happens if you write your ssh line as: > > pass in quick on $int_if proto tcp from $int_net to any port ssh keep state i get a state like this and no prompt: tcp 192.168.3.92:28403 -> aaa.bbb.ccc.ddd:22 SYN_SENT:CLOSED my rule knowledge is still in its in

Strange return-rst behaviour in 3.4

2003-11-09 Thread Miles Sabin
I've just noticed that in 3.4 the RST generated by a block in return-rst rule is being blocked on the way out by a catch all block out rule, eg., block return-rst in quick on $ext_if proto tcp \ from any to $reachable_addrs port = ident block out log quick on $br_ext_if all<-- RST b

Re: just another confused poor soul (yet)

2003-11-09 Thread franciszek holop
hmm, Max Laier said that > As rl0 is 192.168.0.3, I assume that linux1 knows only how to route to > 192.168.0.0/24 but not to 192.168.3.0/24 (which is required to route > the packets back to your LAN). Add rl0 as next-hop from linux1 and you > should be fine (if you don't need DNS for your ssh). If

Re: just another confused poor soul (yet)

2003-11-09 Thread Fred Edwards
On Sun, 9 Nov 2003 17:10:37 +0100, Max Laier wrote > > As rl0 is 192.168.0.3, I assume that linux1 knows only how to route > to 192.168.0.0/24 but not to 192.168.3.0/24 (which is required to route > the packets back to your LAN). Add rl0 as next-hop from linux1 and > you should be fine (if you d

Link-local addresses

2003-11-09 Thread Wouter Coene
Hi, For those who don't really use their IPv6 link-local addresses and who would like to shrink their ruleset a little, here's a patch against OpenBSD 3.4's pfctl to add an option to omit these completely from your ruleset. To omit link-local addresses, simply set use-linklocal to no (default is y

Re: just another confused poor soul (yet)

2003-11-09 Thread Fred Edwards
On Sun, 9 Nov 2003 15:59:35 +0100, franciszek holop wrote > here is a ruleset i came up with after reading pf.conf and a > couple of hours of trial and error. it seems to work fine, except that > i can't ssh now outside. i read my mail on linux2 and have a couple > of shell accounts elsewhere..

Re: just another confused poor soul (yet)

2003-11-09 Thread Max Laier
Sunday, November 9, 2003, 3:59:35 PM, you wrote: fh> i am trying to configure a LAN for web surfing only thru squid. fh> the LAN is a school, i don't want kids going to phony pages. fh> right now i have some regexp files for squid to filter urls. fh> this is not a transparent proxy, just a plain squid

just another confused poor soul (yet)

2003-11-09 Thread franciszek holop
nice sunday to you all (depending on your timezone), well i have read this mailinglist tolerates jackasses like me a little bit better. please be patient with me, constructing my first real firewall (openbsd 3.4current). i am trying to configure a LAN for web surfing only thru squid. the LAN is a