I'm a network admin at a community college in Seattle. I have an OpenBSD PF
firewall between the outside world and our web server. I enabled 'synproxy
state' on the inbound connections to port 80 to the web server. After a few
weeks about 3 people started complaining that our web page had gone a
Here is a copy of my current pf.conf ruleset. I would like to log two
different things. I would like to log external connections to tcp port
22 (SSH), and I would like to log the tcp/udp packets that are blocked
coming from the internal network going outbound (the connections going
outbound that ar
For more illuminating debugging via logs, change "pass out on" to "pass
out log on", rerun your tests, and re-examine your logs.
Also, I think (maybe, possibly) that if you're hide-NATing (i.e., all
internal hosts leave with the IP address of the firewall's external
interface), that the NATing occ
Don't mean to be flame-bait...and I haven't done my homework...but are
there any pf-compatible open source projects that do application-layer
content inspection?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of eric
Sent: Friday, November 12, 2004 3:12 PM
On 12 Nov 2004 09:12:41 -0800, [EMAIL PROTECTED] (Hitete) wrote:
>
>rdr pass on $ext_if fron any to 1.1.1.1 port -> smtp_dmz port 22
>
>It seems good to me but I can't connect to my smtp server in dmz from
>outside...
>
>
That's because you're redirecting the flow to 22/tcp which is SSH, no
On Fri, 2004-11-12 at 11:41:10 -0600, Kevin proclaimed...
> While a strong deep-protocol-inspection product like the IntruShield
> *might* detect the protocol anomaly, the only effective way for a
> stateful packet inspection device to block AIM is to refuse ALL
> traffic towards the IP addresses
Hi,
On Fri, Nov 12, 2004 at 05:26:16PM +0100, Hitete wrote:
> I'm trying to add a rdr rule in order for me to connect to the smtp server
> when I connect to my external address on port
>
>
> here is what I wrote :
>
> rdr pass on $ext_if fron any to 1.1.1.1 port -> smtp_dmz port 22
>
You'd be better served attaching your entire pf.conf
Phusion spewed:
> I have a question about logging certain packets. On my internal
> network I allow the following traffic outbound: tcp
> 21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
> can log all the blocked outbound tra
Actually, I was just using AOL Instant Messenger as an example.
Another example is that I might want to block and log cvsup (tcp 5999)
traffic from going outbound. If I don't have it in my allowed
tcp_ports it should be blocked and not allowed out. I tried to cvsup
out and it works (allowed out) an
--- Phusion wrote:
> I'm having a problem because when I tried
> AOL Instant Messenger, it should have been blocked, logged and not
> been able to connect because it makes an outbound connection to tcp
> port 5190 which isn't allowed, but it still works.
Are you sure AOL IM is using 5190 when i
On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[EMAIL PROTECTED]> wrote:
> I'm having a problem because when I tried
> AOL Instant Messenger, it should have been blocked, logged and not
> been able to connect because it makes an outbound connection to tcp
> port 5190 which isn't allowed, but it stil
Hitete spewed:
> Here is what I want :
>
> INTERNET
> |
> |
> |
> |ext_if (address=1.1.1.1) dmz_if
> OPENBSD---DMZ (SMTP SERVER)
> smtp_dmz
> |
> |
> INTERNAL LAN
>
> rdr
post your entire ruleset. What you posted isn't nearly enough.
--Bryan
On Fri, 12 Nov 2004 17:26:16 +0100, Hitete <[EMAIL PROTECTED]> wrote:
> Here is what I want :
>
> INTERNET
> |
> |
> |
> |ext_if (address=1.1.1.1) dmz_if
>
** Reply to message from "Hitete" <[EMAIL PROTECTED]> on Fri, 12 Nov 2004
17:26:16 +0100
>I'm trying to add a rdr rule in order for me to connect to the smtp server
>when I connect to my external address on port
>
>here is wh
>
>
> >
> > What are your VPN Client and VPN Server and do you
> > use IPsec for VPN ?
> >
> > To use IPsec with NAT, IPsec client and server
> must
> > use NAT-Traversal :
> > - isakmp exchanges on UDP/500
> > - encapsulation of ESP in UDP port 4500
> >
> > Laurent Cheylus <[EMAIL PROTECT
I have a question about logging certain packets. On my internal
network I allow the following traffic outbound: tcp
21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
can log all the blocked outbound traffic like to tcp and udp port
1214, 4662, and the rest. I'm having a problem b
Here is what I want :
INTERNET
|
|
|
|ext_if (address=1.1.1.1) dmz_if
OPENBSD---DMZ (SMTP SERVER)
smtp_dmz
|
|
INTERNAL LAN
I'm trying to add a rdr rule in order for me
>
> What are your VPN Client and VPN Server and do you
> use IPsec for VPN ?
>
> To use IPsec with NAT, IPsec client and server must
> use NAT-Traversal :
> - isakmp exchanges on UDP/500
> - encapsulation of ESP in UDP port 4500
>
> Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
>
Hi,
On Thu, Nov 11, 2004 at 03:53:50PM -0800, Tihomir Ganev wrote:
> how to adjust my pf.conf and connect to vpn server.
>
> VPNserver <- OpenBSD 3.5 + NAT <- myPc
What are your VPN Client and VPN Server and do you use IPsec for VPN ?
To use IPsec with NAT, IPsec client and server must use N
On Thu, Nov 04, 2004 at 09:10:50AM -0700, Bob DeBolt wrote:
>
> Hi Nicholas
>
> >I wonder what's the best traffic shaping method available? Is it Class
> >Based Queuing or Priority Queuing.
>
> >My goal is to allow browsing the internet since local computers, while
> >my DMZ-ed servers consume
hi Pf
how to adjust my pf.conf and connect to vpn server.
VPNserver <- OpenBSD 3.5 + NAT <- myPc
default policy is
block in log all
block out log all
nat on rl0 from to any tag users ->
($ext_if:0)
pass out on $ext_if proto tcp all tagged users
modulate state flags S/SA
pass out on $ext_if pr