Re: PF Connection Throttling (prevent DoS)

2006-01-22 Thread Bryan Irvine
On 1/21/06, Forrest Aldrich [EMAIL PROTECTED] wrote: I saw an older thread where someone asked about this, but it applied to a web server. Could apply to anything. Are there any ways to detect and/or limit the number of connections coming in per IP, or act according to some other action

Re: blocking out an idiot on the network

2006-01-05 Thread Bryan Irvine
# grr, this bit isn't working block out quick on $ext_if from $idiot to any wrong interface. block out quick on $int_if from $idiot to any wrong direction. :-) --Bryan

Re: macro doesnt expand CIDR

2005-09-01 Thread Bryan Irvine
On 8/31/05, Gustavo A. Baratto [EMAIL PROTECTED] wrote: snip I guess this is really a bug :( snip I think what you are trying to do might require tables. Maybe this?? int_net=192.168.0/24 john=192.168.1.3 table <everybody> const { $int_net, $john } pass in quick on bge0 proto tcp from

Re: macro doesnt expand CIDR

2005-09-01 Thread Bryan Irvine
Actually in hindsight, I think this is due to all being reserved. Try the exact rules you posted initially and change all to AlmostAll or something. --Bryan On 8/31/05, Bryan Irvine [EMAIL PROTECTED] wrote: On 8/31/05, Gustavo A. Baratto [EMAIL PROTECTED] wrote: snip I guess this is really

Re: macro doesnt expand CIDR

2005-09-01 Thread Bryan Irvine
For the archives: This ruleset passed syntax. int_net = '192.168.0.0/24' john = 192.168.1.3 notall = { $int_net $john } pass in quick on xl0 proto tcp from $notall to 68.149.93.11 port 80 --Bryan On 8/31/05, Bryan Irvine [EMAIL PROTECTED] wrote: Actually in hindsight, I think this is due

Re: macro doesnt expand CIDR

2005-08-29 Thread Bryan Irvine
D'oh! On 8/29/05, Gustavo A. Baratto [EMAIL PROTECTED] wrote: didnt work for me either :( %more test.pf1 int_net='192.168.0.1/24' this should say int_net='192.168.0.0/24' See this thread: http://www.benzedrine.cx/pf/msg02223.html --Bryan

Re: macro doesnt expand CIDR

2005-08-29 Thread Bryan Irvine
On 8/22/05, Gustavo A. Baratto [EMAIL PROTECTED] wrote: couldnt find any restriction about the content of a macro, so this doesnt work: int_net=192.168.0.1/24 john=192.168.1.3 all={ $int_net $john } pass in quick on bge0 proto tcp from $all to 68.149.93.11 port 80 Try it this

Re: redirecting traffic internally...

2005-06-01 Thread Bryan Irvine
Daniel wrote up a very nice howto a while back. Google for transquid. --Bryan On 5/31/05, Henry [EMAIL PROTECTED] wrote: I have a squid server setup within my internal network and it does work since I can manually set the proxy information into my desktops and I am good to go. But I want to

blocking multiple connections

2005-01-14 Thread Bryan Irvine
Is there a way to limit people to only 1 or a few simultaneous connections? Every morning the same IP makes about 100 simultaneous connections and hogs all the resources until it's through. Is there a way to only allow them 5? or 10, or whatever? -Bryan
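An added example, not part of any message in this archive (neither the 2005 question above nor the 2006 "PF Connection Throttling" thread at the top of the page): per-source connection limits in pf.conf. It assumes OpenBSD 3.7 or later, where max-src-conn-rate and the overload table first appeared; the interface name fxp0, the address 192.0.2.10 and the table name abusers are placeholders.

```pf
# Added example, not from the list archive. Interface, address and table
# names are placeholders; requires OpenBSD 3.7+ for max-src-conn-rate.
ext_if  = "fxp0"
web_srv = "192.0.2.10"

# Sources that trip a limit are collected here. "persist" keeps the table
# even while it is empty. Entries stay until removed by hand
# (pfctl -t abusers -T delete <addr>) or, on releases that have it,
# aged out with pfctl -t abusers -T expire 3600.
table <abusers> persist

# Drop anything from a listed source before anything else is evaluated.
block in quick on $ext_if from <abusers> to any

# Allow web traffic, but cap each source IP at 10 established connections
# and at 15 new connections per 30 seconds. A source that exceeds either
# limit is added to <abusers>, and "flush global" kills every state that
# source already holds, not only the ones created by this rule.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/30, overload <abusers> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, and watch who gets caught with pfctl -t abusers -T show. On releases before 3.7 the nearest tool is max-src-states, which caps the number of state entries per source but has no rate component. Remember that everyone behind one NAT gateway arrives from a single source address, so a limit of 10 that is fine for home users will lock out a whole office.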

Re: setting up vpn tunnel with nat - twisted

2005-01-06 Thread Bryan Irvine
undeadly has this: http://www.undeadly.org/cgi?action=article&sid=20041009000521 Don't know if that's what you are looking for. On Wed, 5 Jan 2005 18:20:10 -0500, brianBOFH [EMAIL PROTECTED] wrote: Hi, I have two 192.168.1.0/24 networks physically separated. I need to get connectivity from

Re: help with a pf rule

2004-12-29 Thread Bryan Irvine
Did you try what Jason suggested on [EMAIL PROTECTED] On Tue, 28 Dec 2004 13:18:15 -0500, Roy Morris [EMAIL PROTECTED] wrote: you posted this on misc@ already. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jayel Villamin Sent: December 28,

CBL

2004-12-15 Thread Bryan Irvine
I'm trying to load the enormous CBL into my spamd table, but it seems to be far too large. I found this thread from back in April: http://archive.netbsd.se/?ml=openbsd-pfa=2004-04t=127074 Does this apply if I'm on 3.6? I don't want to go applying old patches. The thread seems to mention a Gig

Re: Pf redirection problem

2004-11-12 Thread Bryan Irvine
post your entire ruleset. What you posted isn't nearly enough. --Bryan On Fri, 12 Nov 2004 17:26:16 +0100, Hitete [EMAIL PROTECTED] wrote: Here is what I want : INTERNET | | | |ext_if (address=1.1.1.1) dmz_if

Re: blocking gnutella

2004-09-15 Thread Bryan Irvine
hr altq work well with carp yet? I remember hearing some painful stories a while back. --Bryan On 15 Sep 2004 09:23:29 -0700, Brent Bolin [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Jason Dixon) wrote in message news:[EMAIL PROTECTED]... On Sep 14, 2004, at 3:33 PM, Bryan Irvine wrote

Re: pf pauses in sending traffic

2004-09-15 Thread Bryan Irvine
uh oh, I'm getting ready to deploy a new carp-fancy-doohicky router on a VERY busy connection, using quad card fxp's. Should I delay a smidge until Nov? --Bryan On Tue, 14 Sep 2004 13:34:05 +0200, Claudio Jeker [EMAIL PROTECTED] wrote: On Tue, Sep 14, 2004 at 12:51:26PM +0200, Marco Matarazzo

Re: rdr rule

2004-09-10 Thread Bryan Irvine
ahhh *lightbulb* Thanks Daniel! --Bryan On Fri, 10 Sep 2004 01:27:13 +0200, Daniel Hartmeier [EMAIL PROTECTED] wrote: On Thu, Sep 09, 2004 at 03:21:25PM -0700, Bryan Irvine wrote: anyone know why this rule doesn't work? Because of the way {} lists are simply expanded by pfctl

rdr rule

2004-09-09 Thread Bryan Irvine
anyone know why this rule doesn't work? I've read and re-read the pf users guide but this specific example isn't covered. ftpservers = { ftp.kingcountyjournal.com intranet,kingcountyjournal.com } rdr on $LANS proto tcp from any to ! $ftpservers port ftp -> $localhost port ftp-proxy --Bryan
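An added example, not from this thread or from the "macro doesnt expand CIDR" thread above, showing the two things both threads ran into: a negated list expands into rules that defeat each other, and "all" cannot be used as a macro name. The hostnames from the post are replaced with placeholder addresses, and xl1, the 8021 proxy port and the table name are assumptions.

```pf
# Added example, not from the list archive. Interface names, addresses
# and the table name are placeholders.
int_if    = "xl1"
ftp_proxy = "127.0.0.1"
int_net   = "192.168.0.0/24"
john      = "192.168.1.3"

# 1. pfctl expands a list into one rule per element, so
#
#    rdr on $int_if proto tcp from any to ! { 10.0.0.5, 10.0.0.6 } port 21 -> $ftp_proxy port 8021
#
#    becomes two rules: "to ! 10.0.0.5" and "to ! 10.0.0.6". A connection
#    to 10.0.0.5 fails the first but matches the second, so every
#    destination ends up redirected. See the expansion with pfctl -nvf.
#
# 2. A table is a single object, so "! <table>" means "not any member".
table <internal_ftp> const { 10.0.0.5, 10.0.0.6 }
rdr on $int_if proto tcp from any to ! <internal_ftp> port 21 -> $ftp_proxy port 8021

# 3. A macro is plain text substitution. "all" is a keyword (as in
#    "block all") and cannot be a macro name. The value is quoted in
#    pieces because macros are not expanded inside double quotes.
not_all = "{" $int_net $john "}"
pass in quick on $int_if proto tcp from $not_all to 68.149.93.11 port 80 keep state
```

Run pfctl -nvf /etc/pf.conf to see exactly what each list and macro turned into; that is the quickest way to spot a rule that silently expanded into something other than what you meant.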

pf rdr with carp

2004-09-07 Thread Bryan Irvine
I copied my ruleset verbatim from an existing firewall where everything was working perfectly, and now everything works perfectly except redirections to other hosts. the rdr for spamd, squid, and the ftp-proxy all work, but the ones for vnc do not. I was playing around with the rules a little

pf logo?

2004-07-08 Thread Bryan Irvine
Does pf have a logo? I was just thinking it would be nice to have a protected by image. Maybe just an image of puffy as pf is pronounced puff after all (well, if you stretch a bit). ;-) --Bryan

carp and pf

2004-06-03 Thread Bryan Irvine
I'm rebuilding our company firewall using pf and carp (instead of the 3.4 install using pf) and I'm wondering if I need to use carp0 in my rules? example pass in on $LAN any to any keep state where $LAN == carp1, would I also need to do pass in on carp0 any to any? Do I need to reference the

Re: squid+pf+transparent bridge

2004-05-18 Thread Bryan Irvine
do you have a pass line as well? Follow these directions closely. www.benzedrine.cx/transquid.html --Bryan On Mon, 2004-05-17 at 14:58, [EMAIL PROTECTED] wrote: Hello, I set up a transparent firewall running 3.4. Now Ive been asked to run squid on the same box as the firewall to

Re: transquid

2004-01-02 Thread Bryan Irvine
Are you sure you implemented all the necessary changes to squid.conf? They are important. I thought I did. I swore I did. If we had been face to face I would have bet money that I did. I went through it step by step just to make you happy and found I had missed: httpd_accel_host virtual

Re: rdr requires a pass?!

2003-10-13 Thread Bryan Irvine
Absolutely you need a pass. the block/pass is part of the firewalling section of pf, the rdr is part of the nat functionality. So using rdr in conjunction with block all won't work unless you explicitly pass that traffic as well. Clear as mud? :-) --bryan Jay Moore wrote: All, I am

more than one rdr

2003-08-09 Thread Bryan Irvine
Is there a way to assign more than one ip to the $ext_if and do rdr based on that? like (pretend 192.168.0 is a public routable range) rdr on $ext_if proto tcp from any to 192.168.0.5 port 80 -> 10.0.0.5 rdr on $ext_if proto tcp from any to 192.168.0.6 port 80 -> 10.0.0.6 My understanding is that
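An added example, not from this message or from the "rdr requires a pass?!" reply above, putting the two together: several public addresses on one external interface, one rdr per address, and the pass rules that rdr needs. It assumes 203.0.113.0/24 as the public range, 10.0.0.0/24 inside, and xl0/xl3 as interface names; none of these come from the thread.

```pf
# Added example, not from the list archive. Addresses and interface
# names are placeholders.
ext_if = "xl0"
dmz_if = "xl3"

# The extra public addresses must exist on $ext_if before pf sees them,
# e.g. a line in /etc/hostname.xl0 per hostname.if(5):
#     inet alias 203.0.113.6 255.255.255.255
# pf only translates packets the kernel already accepts for an address.

# rdr is translation and is evaluated before the filter rules. Each
# public address maps to a different inside host.
rdr on $ext_if proto tcp from any to 203.0.113.5 port 80 -> 10.0.0.5
rdr on $ext_if proto tcp from any to 203.0.113.6 port 80 -> 10.0.0.6

block in log all

# rdr alone passes nothing. The filter sees the packet after translation,
# so the pass rule has to match the inside address, not the public one.
pass in on $ext_if proto tcp from any to 10.0.0.5 port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to 10.0.0.6 port 80 flags S/SA keep state

# If egress on the DMZ side is filtered too, the translated packet still
# has to be allowed out there.
pass out on $dmz_if proto tcp from any to { 10.0.0.5, 10.0.0.6 } port 80 keep state
```

A quick way to confirm the order of operations is tcpdump on pflog0 with block in log in place: a blocked redirected packet is logged with the inside destination, which is what your pass rule must match.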

Nat ports

2003-07-26 Thread Bryan Irvine
I originally asked this on misc@ with no response so I will try here. Is there a way to get pf to never use specific ports? For example a client on my LAN might send a request for a certain webpage which gets sent to the gateway from a certain port we'll say, 43101. The Request hits the

Re: pf configuration - OpenBSD gateway

2003-07-22 Thread Bryan Irvine
On Tue, 2003-07-22 at 02:02, Trevor Talbot wrote: On Friday, Jul 18, 2003, at 13:26 US/Pacific, Angel Todorov wrote: I use the following pf.conf file for an internal network that passes through the openbsd gateway box then goes its way to the external firewall - then outside The problem

Re: PF Example WITHOUT NAT

2003-07-18 Thread Bryan Irvine
Just don't enable NAT. Use pass rules instead. --Bryan Marc Eggenberger wrote: Hi there. I'm trying to use OpenBSD 3.3 on a Sun Ultra1. All the examples I see on the web are doing NAT. Are there any that dont? Because I have real IP addresses for the hosts behing the OpenBSD box.

Re: Stupid Question

2003-07-11 Thread Bryan Irvine
see the first line of the email April 1, 2002 --Bryan On Fri, 2003-07-11 at 10:53, Jolan Luff wrote: On Fri, Jul 11, 2003 at 01:30:34PM -0400, Michael W . Lucas wrote: A port to Windows would not be feasible. And while I would not wish to speak for our esteemed developers, I think I'm

Re: Stupid Question

2003-07-11 Thread Bryan Irvine
laffs, so I'm the one that fell in? aww man :-p --Bryan On Fri, 2003-07-11 at 11:06, Bryan Irvine wrote: see the first line of the email April 1, 2002 --Bryan On Fri, 2003-07-11 at 10:53, Jolan Luff wrote: On Fri, Jul 11, 2003 at 01:30:34PM -0400, Michael W . Lucas wrote

Re: funny news

2003-06-18 Thread Bryan Irvine
Oh that is too great! -hehe Get a firewall to protect your M$ firewall :-D Thanks for the link! --Bryan On Wed, 2003-06-18 at 04:37, Ed White wrote: Smile for some mins: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306203 To work around this behavior, obtain firewall

Re: ftp woes

2003-05-29 Thread Bryan Irvine
change modulate state to keep state? --Bryan On Tue, 2003-05-27 at 19:48, Trevor Talbot wrote: On Tuesday, May 27, 2003, at 16:02 US/Pacific, Bryan Irvine wrote: 16:02:12.855960 12-213-225-238.client.attbi.com.42840 64-1-201-147.daf.concentric.net.ftp: . ack 1 win 17376 nop,nop,timestamp

ftp woes

2003-05-27 Thread Bryan Irvine
I'm having problems using an FTP server on a DMZ. I thought initially the problem was with the ftp-proxy, but I've commented out those lines. With still no luck. The relevant parts of the pf.conf file are here. WAN = xl0 DMZ = xl3 LOOPBACK = lo0 LAN1 = xl1 LAN2 = xl2 LANS = { $LAN1 $LAN2 }

Re: ftp woes

2003-05-27 Thread Bryan Irvine
# It does work from the LAN machines just not from the outside. The outside _has_ to be passive and I don't want it to be if I can help it. --Bryan On Tue, 2003-05-27 at 11:46, j knight wrote: Bryan Irvine wrote: I'm having problems using an FTP server on a DMZ. I

Re: ftp woes

2003-05-27 Thread Bryan Irvine
up. Then I have to switch it into passive mode for anything to work. --Bryan On Tue, 2003-05-27 at 13:16, Trevor Talbot wrote: On Tuesday, May 27, 2003, at 12:22 US/Pacific, Bryan Irvine wrote: I'm having problems using an FTP server on a DMZ. I thought initially the problem

Re: ftp woes

2003-05-27 Thread Bryan Irvine
ftp when going out over the $WAN connection which it does of the 2 NAT connections. What am I missing here? --Bryan On Tue, 2003-05-27 at 14:00, Trevor Talbot wrote: On Tuesday, May 27, 2003, at 13:44 US/Pacific, Bryan Irvine wrote: pass in quick on $WAN inet proto tcp from any

Re: ftp woes

2003-05-27 Thread Bryan Irvine
) It seems to connect, and then the firewall tries to do an nslookup of the ip (knox is DNS). Does anyone else read this differently than I? --Bryan On Tue, 2003-05-27 at 15:24, Trevor Talbot wrote: On Tuesday, May 27, 2003, at 14:39 US/Pacific, Bryan Irvine wrote: [internet]---[OBSD]---[DMZ

using pf for failover

2003-04-02 Thread Bryan Irvine
A thread was kind of started over on @misc about pf for live failover, but it seems to have died. I figured this might be a better place to ask as it's all about PF!! :-) Is there a way using PF to do a live failover? perhaps have a machine that is used to do reflection? But what if the

Re: Routing private networks

2003-03-21 Thread Bryan Irvine
- ($WAN) Thanks! --Bryan - Original Message - From: Srebrenko Sehic [EMAIL PROTECTED] To: Bryan Irvine [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, March 20, 2003 12:59 PM Subject: Re: Routing private networks On Thu, Mar 20, 2003 at 11:02:03AM -0800, Bryan Irvine wrote

Re: Routing private networks

2003-03-20 Thread Bryan Irvine
ah from 144.19.74.0/24 to any nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100 :-/ hmmm On Thu, 2003-03-20 at 12:23, Jacek Artymiak wrote: On Thu, Mar 20, 2003 at 11:02:03AM -0800, Bryan Irvine wrote: I read the rules on no nat and thought I had it configured correctly

Re: Routing private networks

2003-03-19 Thread Bryan Irvine
So would I need to turn on RIP at all? Or would it just know because it's a directly connected interface? --Bryan On Wed, 2003-03-19 at 14:07, Srebrenko Sehic wrote: On Wed, Mar 19, 2003 at 01:37:35PM -0800, Bryan Irvine wrote: What I want is for the 192.168.0.* and 10.0.*.* networks to see

Re: Double Nat

2003-02-28 Thread Bryan Irvine
nevermind, I figured it out. I needed to add another rdr rule. My interpretation was that you could only forward one port per machine running NAT, but I tried it out and I guess it's forward one port per nat'd interface. Anyone care to correct me? --Bryan On Sat, 2032-02-28 at 02:01, Bryan

Re: Double Nat

2003-02-28 Thread Bryan Irvine
Ignore this I guess it was cached...:-/ I shoulda checked that...*grumble* On Fri, 2003-02-28 at 10:06, Bryan Irvine wrote: nevermind, I figured it out. I needed to add another rdr rule. My interpretation was that you could only forward one port per machine running NAT, but I tried

more pf.conf q's

2003-02-18 Thread Bryan Irvine
Will the ruleset below block MSN messenger, AIM, IRC, etc...? I've blocked _in_ all except what is explicitly allowed, but allowed out _all_. My company bans chat clients, and I'm in the process of rebuilding the firewall. Should add a rule that blocks those specific ports? (ports 1863, 5190,

pf.conf

2003-02-13 Thread Bryan Irvine
In order to actually live test this rule set, I have to come in in the middle of the night and swap out the linux server. I'd like to have as many bugs worked out before then. I finally have a pf rule the pf -f /etc/pf.conf command doesn't puke on. I now submit it to you to see if there's

RE: pf.conf

2003-02-13 Thread Bryan Irvine
On Thu, 2003-02-13 at 11:44, LaPane, Michael (NIH/NINDS) wrote: Without completely checking the rules - I would not do { tcp, udp } for ports that do not require it (i.e. don't do mail on udp/25) same for SSH. Also, didn't see a nat rule? did you do that separately? You might want to define

Re: Load balance

2003-02-04 Thread Bryan Irvine
On Tue, 2003-02-04 at 14:57, jorge wrote: Hi: i am two ISP and two phisical Links, i am PF firewall install... PF is enable support load balance in two Phisycal Links in two ISP ? thanks for advanced holy crap, uhm ok lets restate first... I work for two ISP's with two physical

Re: Qwest Contivity VPN Client Behind PF

2003-01-31 Thread Bryan Irvine
Qwest Contivity? hmm i know of the one from nortel networks. It's basically a layer 4 switch. Describe the setup a little more. Use ASCII art if necessary --Bryan On Fri, 2003-01-31 at 05:43, Todd Chandler wrote: I have a user on my network that needs to use the Qwest Contivity VPN Client

ipchains

2003-01-23 Thread Bryan Irvine
Is there a converter out there for ipchains -> pf? I'm migrating all of my linux ipchain firewalls to openbsd. Or at least if someone familiar with both can convert a couple of them just so I get the idea of what I'm supposed to do. --Bryan

Sample rules

2003-01-22 Thread Bryan Irvine
I've never done pf without NAT before. Now I've been charged with building a new firewall to replace the aging linux firewall. I've come across a couple things in the pf howto at deadly.org that I'm not sure if I should use. One is scrub, and the other is modulation state. What do these do
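An added example, not from this message or from the "PF Example WITHOUT NAT" reply above: a small routed ruleset with no nat rule at all, showing what scrub and modulate state add to it. The interface names xl0/xl1 and the public range 203.0.113.0/27 are placeholders.

```pf
# Added example, not from the list archive. Interface names and the
# public range are placeholders; syntax is the 3.x form with explicit
# keep state / modulate state on every rule.
ext_if = "xl0"
int_if = "xl1"
pub    = "203.0.113.0/27"

# scrub normalises packets before they reach the filter: it reassembles
# IP fragments so rules can see the full transport header, drops packets
# with illegal flag and option combinations, and random-id replaces the
# predictable IP ID counter on outgoing packets.
scrub in all
scrub out on $ext_if all random-id

block in log all
block out all

# Inside hosts are routed, not translated, so their real addresses appear
# on $ext_if; no nat rule is needed. modulate state does everything
# keep state does and in addition rewrites the TCP initial sequence
# numbers with strong random values, so a host with a weak ISN generator
# behind the firewall cannot be attacked for it. It is TCP only; UDP and
# ICMP use plain keep state.
pass in  on $int_if proto tcp from $pub to any flags S/SA modulate state
pass out on $ext_if proto tcp from $pub to any flags S/SA modulate state
pass in  on $int_if proto { udp, icmp } from $pub to any keep state
pass out on $ext_if proto { udp, icmp } from $pub to any keep state

# Services the outside may reach on the public range.
pass in  on $ext_if proto tcp from any to 203.0.113.5 port { 25, 80 } flags S/SA modulate state
pass out on $int_if proto tcp from any to 203.0.113.5 port { 25, 80 } flags S/SA modulate state
```

The only real difference from a NAT ruleset is that the inside addresses must be routable from the outside and the upstream router must know the /27 lives behind this box; pf itself does not care whether a source address is private or public.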

intrusion detection

2003-01-22 Thread Bryan Irvine
Does pf have a syntax for intrusion detection? If not what do you guys recommend? Nessus? Snort? Prelude? --Bryan

pcanywhere+NAT

2003-01-13 Thread Bryan Irvine
IS there a way to do this? I'd rather use VNC but a vendor is insisting on pcanywhere. I'm wondering if there is some rdr rules I can use. OBSD 3.2 -- Bryan Irvine [EMAIL PROTECTED]

spam filter

2003-01-06 Thread Bryan Irvine
I read recently about the new pf-based spam filter included in openbsd(-current?). There has been talk about rebuilding our mailserver, so I'm wondering if this is a good way to go. Anyone using this yet? -- Bryan Irvine [EMAIL PROTECTED]

Re: spam filter

2003-01-06 Thread Bryan Irvine
. But adding the mailing list servers to the spammer list would be wrong, of course. Daniel -- Bryan Irvine UNIX Administrator King County Journal Newspapers (425) 467-5308

Real DMZ

2002-12-18 Thread Bryan Irvine
Ok, It's time for me to expand my knowledge of firewalling a little bit. I've got it down pretty good where I can do NAT and port forwarding and blocking rules and such... Now, how can I setup an ip range to use (CIDR'd) that is publicly accessible? I have a /27 network, and it would be nice to