After some thinking
I believe the problem is that we have IP forwarding enabled, thus when
the pfsync interface sends the traffic, it gets forwarded to the fxp1.
In order to avoid the "annoyance" log message ... a workaround is to
allow pfsync traffic on fxp1.
Cheers,
Edy
On Wed, 2004-11-24 at 09:06,
On Tue, 23 Nov 2004 11:24:18 +0100 (CET), Roman Marcinek
<[EMAIL PROTECTED]> wrote:
> Hi Guys,
>
> an excuse for my question:
>
> I am relatively new to the OpenBSD (and PF) though not so the other
> firewall/filtering/nating :)
Hi Romek!
When I was new to PF these two sites helped me a lot!
man pfsync
"pf(4) must also be configured to allow pfsync and carp(4) traffic
through. The following should be added to the top of /etc/pf.conf:
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp keep state"
Greetings,
Just note.
Stateful inspection on a gateway can hamper TCP connections when
inbound or outbound packets go another route (i.e. when one of the
directions does not go through the gateway).
The connection works fine at a low rate, but fast transfers stop on
each 64K (because suddenly PF stops pa
On Mon, 22 Nov 2004 17:17:18 +1300, you wrote:
>HI Folks,
>has anyone written a helper application like ftpsesame that will allow
>citrix metaframe to work through a pf firewall?
Citrix did... ;-) It is called Citrix Secure Gateway(CSG) or their
new name of Citrix Secure Access Manager(C
Greetings,
I was wondering if anyone noticed that any interface on OpenBSD with PF
is sending pfsync traffic?
For example
fxp0 and fxp1 are being setup as a bridge
fxp2 is the pfsync interface.
And you have a pf rule something like
block in log fxp1
You will see that in pflog0 (tcpdump -ni pfl
On Tue, Nov 23, 2004 at 04:05:01PM -0300, Emilio Lucena wrote:
> 1. Is the next-hop really optional?
The next-hop is required when the destination IP address of the packet
being route-to'd is not on the local network segment connected to the
interface you specify.
For instance, if you have an in
Hi there,
In the Tables section of the PF guide, it is said that:
"tables can be used in the following ways:
..
* destination address in route-to, reply-to and dup-to filter rule
options."
The man page for pf.conf says:
"The route-to option routes the packet to the specified interface
with a
> altq on $ext_if cbq bandwidth 220Kb queue { q_def, q_vpn, q_ssh, q_pri }
>
> queue q_def bandwidth 200Kb priority 4 cbq(default)
> queue q_vpn bandwidth 180Kb priority 2
> queue q_pri bandwidth 200Kb priority 6 cbq(borrow)
> queue q_ssh bandwidth 200Kb priority 7 cbq(borrow)
>
Sum of child bandw
Yes, that's true :) ftpsesame really works as said so ... thanks to all
:)
Romek
Well, it certainly does the job! :)
To Roman's initial question though, monitoring ftp connections is
really an application layer problem/responsibility. pf is lower level
and would need to implement (pretty much) a full protocol layer to
monitor ftp.
Anyway, there you have it.. check out ftpsesa
On Tuesday 23 November 2004 12:50, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
> > On Tue, 23 Nov 2004, Roman Marcinek wrote:
> > >Are there any smarter solutions I haven't found yet? I know that
> > > linux's iptables make use of special connection tracking module fo
Roman Marcinek wrote:
Are there any smarter solutions I haven't found yet? I know that
linux's iptables make use of special connection tracking module for ftp
to handle that problem but ... is there anything like this for OpenBSD?
If things like this are solvable shouldn't the solutions find t
On Tue, 23 Nov 2004, Camiel Dobbelaar wrote:
> On Tue, 23 Nov 2004, Roman Marcinek wrote:
> >Are there any smarter solutions I haven't found yet? I know that
> > linux's iptables make use of special connection tracking module for ftp
> > to handle that problem but ... is there anything like
On Tue, 23 Nov 2004, Roman Marcinek wrote:
>Are there any smarter solutions I haven't found yet? I know that
> linux's iptables make use of special connection tracking module for ftp
> to handle that problem but ... is there anything like this for OpenBSD?
Ok, let me plug my own program a
Hi,
On Tue, Nov 23, 2004 at 11:24:18AM +0100, Roman Marcinek wrote:
> As the bridge is completely transparent and without ANY IP number on
> any of the two cards I cannot solve my ftp problem via local ftp-proxy
> solution described in the documentation. Also setting simple rules like:
>
> pas
Hi Guys,
an excuse for my question:
I am relatively new to the OpenBSD (and PF) though not so the other
firewall/filtering/nating :)
Now, few days ago I've set up a transparent bridge on freshly
installed OpenBSD 3.6 (my experience with OpenBSD started with 3.5 used
as a desktop, just to