On Fri, Oct 26, 2007 at 01:59:57PM +0200, [EMAIL PROTECTED] wrote:
so u said that u could inject bad things on some level to give trouble and
shake
on stp ?
This is right, you can have fun with most L2 protocols out there
check out http://www.yersinia.net/ for instance.
According to Henning
On Mon, Oct 08, 2007 at 11:50:14AM -0700, Florin Andrei wrote:
(originally posted on openbsd-misc, but then I figured this list might
be a better place for this question)
[snip]
Seems like a bad network driver, because of the amount of interrupts,
but I'm not sure. Any suggestion is
On Fri, Sep 21, 2007 at 11:55:36PM +0800, Ilya A. Kovalenko wrote:
block in inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work - neither pings nor TCP)
Here, you only pass the *inbound* packets; you also
On Wed, Aug 01, 2007 at 12:55:15PM +0100, Stuart Henderson wrote:
On 2007/07/30 17:33, Can Erkin Acar wrote:
The problem with this diff is that it assumes an ADSL link.
While 'vcmux' is obviously ADSL terminology, I assume
having 'pppoe' or 'bridge' would confuse others trying to
use
On Thu, Dec 21, 2006 at 03:29:51PM +0200, Dominik Zalewski wrote:
On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
Dominik Zalewski [EMAIL PROTECTED] writes:
I have OpenBSD 4.0 firewall and I would like to redirect all outgoing
http requests to my squid web proxy.
On Thu, Dec 21, 2006 at 02:39:50PM +, Stuart Henderson wrote:
On 2006/12/21 15:29, Dominik Zalewski wrote:
In this article squid is running on the same machine as OpenBSD firewall.
In my case I have squid running on a different machine connected to the LAN
interface.
My question is
On Wed, Nov 15, 2006 at 04:22:10PM +, [EMAIL PROTECTED] wrote:
Hello, everyone!
I'm not sure if this is the right forum to post my problem,
but I hope there are some people who have met similar problems
or have some good instructions as a solution. Sorry for the long letter.
On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote:
On 7/15/06, Ryan McBride [EMAIL PROTECTED] wrote:
Root can do stupid things which compromise security. Obfuscation or
needless complexity in an attempt to protect yourself from the root
account will only make your system less secure.
On Sun, Apr 30, 2006 at 08:22:51AM -0700, [EMAIL PROTECTED] wrote:
I don't think time spent developing PF or ALTQ could be better spent
developing something other than download queueing. Everyone here seems
to agree it's PF's worst deficiency.
Interesting definition for Everyone. It seems the
On Sun, Jan 15, 2006 at 04:19:10PM -0500, Peter wrote:
--- Melameth, Daniel D. [EMAIL PROTECTED] wrote:
Peter wrote:
Question: Why does tcpdump show pf rules when I use the pflog0
interface in combination with the -e switch (link layer)? It's a
fantastic feature but it seems like
On Sun, Jan 15, 2006 at 05:43:49PM -0500, Melameth, Daniel D. wrote:
Peter wrote:
--- Melameth, Daniel D. [EMAIL PROTECTED] wrote:
Peter wrote:
Question: Why does tcpdump show pf rules when I use the pflog0
interface in combination with the -e switch (link layer)? It's a
On Mon, Jan 09, 2006 at 04:56:27PM +0100, MK wrote:
Hello all
I still can't solve my problem. I have a LAN which is connected to the
internet through OpenBSD's PF NAT. On the OpenBSD gateway runs the main ftp server
which is accessible from internet and also from LAN. But one computer in my
LAN is
On Mon, Jan 02, 2006 at 03:06:33PM +0100, Henrik Bro wrote:
Hi :)
I am a little confused about Pftpx / Ftpsesame, and I hope someone can help?
Both are written by the same author, Camiel.
Is Pftpx replacing Ftpsesame ?
I do not think so, although pftpx is now in the base distribution,
On Saturday 10 December 2005 01:55, ed wrote:
On Fri, 09 Dec 2005 16:14:25 -0500
Forrest Aldrich [EMAIL PROTECTED] wrote:
rdr on $ext_if proto tcp from !geoip, !spammers, !abuse any \
port { $tcp_services } tag INET_DMZ -> $server
rdr on $ext_if proto tcp from { !geoip , !spammers,
On Saturday 08 October 2005 17:00, Graham Toal wrote:
This is my second adventure with pf. The first was setting
up spamd on a system with an IP - not the preferred solution
but one that was forced on me at the time because I didn't
have physical access to the mailserver in a way that would
On Wed, Sep 07, 2005 at 07:37:04PM +0100, ed wrote:
On Wed, 7 Sep 2005 20:25:54 +0200
Daniel Hartmeier [EMAIL PROTECTED] wrote:
rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389}
Packets will have their
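The two redirect threads above, Dominik's question about sending LAN web traffic to a squid box on a different LAN host and the rdr/pass pair Daniel quotes here, hinge on two things a practitioner has to get right: in pf, translation (nat/rdr) runs before filtering, so filter rules see the rewritten addresses; and when the redirect target sits on the same subnet as the clients, its replies never pass back through the firewall unless the source is rewritten as well. The following pf.conf is an added example in the OpenBSD 3.x/4.0 syntax of these threads; it is not from any message on this page. The interface names, addresses, the server and proxy hosts, and the assumption that squid listens on port 3128 in transparent mode are all mine.

```pf
# Added example, not from any message on this page. Interfaces, addresses
# and hosts are assumptions chosen for illustration.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
proxy  = "192.168.1.10"     # squid on the LAN, assumed to listen on 3128 in transparent mode
server = "10.10.10.10"      # web server behind the firewall, reachable via 1.2.3.4:80

# --- translation: evaluated before any filter rule ---

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $lan to any -> ($ext_if)

# Case 1: public 1.2.3.4:80 forwarded to the internal server.
rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> $server

# Case 2: transparent proxying. Exempt squid's own fetches first, otherwise
# they would be redirected back to squid in a loop; the first matching
# translation rule wins, so 'no rdr' must come before the 'rdr'.
no rdr on $int_if proto tcp from $proxy to any port 80
rdr on $int_if proto tcp from $lan to any port 80 -> $proxy port 3128

# The proxy is on the same subnet as the clients. Without this rule squid
# would answer the client directly, the firewall would never see the reply,
# and the client would get a SYN/ACK from $proxy instead of the site it asked
# for. Rewriting the source to the firewall's LAN address forces the reply
# back through the firewall, where the rdr is undone ("reflection").
nat on $int_if proto tcp from $lan to $proxy port 3128 -> $int_if

# --- filtering: sees the *translated* addresses ---

block all
pass out keep state

# LAN to anywhere; after translation this also covers $lan -> $proxy:3128.
pass in on $int_if from $lan to any keep state

# Wrong: never matches, because by the time the filter runs the destination
# is already $server, not 1.2.3.4.
# pass in on $ext_if proto tcp from any to 1.2.3.4 port 80 flags S/SA keep state

# Right: filter on the post-translation destination.
pass in on $ext_if proto tcp from any to $server port 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. If the proxy were on its own interface rather than on the clients' subnet, the `nat on $int_if ... -> $int_if` rule would be unnecessary, since replies would have to traverse the firewall anyway.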
On Thu, Nov 25, 2004 at 07:46:30PM -0500, Peter Matulis wrote:
--- Ilya A. Kovalenko [EMAIL PROTECTED] wrote:
These hosts are probably infected with the Lovesan (aka MS-blast) virus. It
scans networks for vulnerable Windows boxes to infect.
but you should see it as incoming requests, then,
On Thu, May 27, 2004 at 04:56:41PM -0400, Jim Zajkowski wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi all,
Does anyone have any experience with the number of rules a bridge can
handle? We're thinking about how our wireless network policy, and we'd
like to filter by MAC --
On Wed, May 19, 2004 at 12:34:52PM -0400, Dave Anderson wrote:
[snip]
There seem to be some things one might reasonably want to do which are
not practical with pf; in particular, I (being paranoid) would like to
drop any incoming packets which have the loopback address as their
destination
On Thu, May 06, 2004 at 09:13:52AM -0700, Alex Berdan wrote:
Hello,
I have read the lists and I found somebody speaking
about this Borrowing not working but there is no
conclusion about that!
I'm running OpenBSD 3.3 and as the other guy I'm
trying to do borrowing which is not working as
On Mon, Apr 12, 2004 at 04:09:24PM +0200, Mario Lopez wrote:
Hi,
I have the following problem, I actually have a dual bridge configuration
(one machine with 4 NICs, two filtering bridges), one of the bridges is the
one that is between all my class C network and Internet connection, my
On Thu, Feb 12, 2004 at 10:36:27PM -0800, Jason wrote:
Hi,
I'm new to the list, and fairly new to OpenBSD (installed maybe 6 months ago).
Anyway, I have a question. Is there anywhere to get PF to stop arp requests
from passing through it? The problem I'm having is dhcp requests from
On Fri, Feb 13, 2004 at 01:55:07AM -0800, Jason wrote:
I see, so if dhcpd and pf weren't sharing the same interface, then I wouldn't
have this problem.
I guess limiting dhcpd wouldn't be the best thing, but improving pf. Is
anyone working on adding such a feature to pf to make it block
On Mon, Feb 09, 2004 at 12:39:51PM -0500, Hsiao-lung Chang wrote:
Can I use ntop and pf at the same time?
Looks like ntop was not capturing any stats?
you can use ntop on a normal interface. pf does not interfere with bpf
captured packets. I do not know what will happen if you try to ntop
on
On Fri, Jan 09, 2004 at 12:41:45PM +0100, Laurent Cheylus wrote:
I have a problem with PF logs on OpenBSD 3.4-stable version.
I received a lot of packets from loopback address 127.0.0.1 port 80 :
- - TCP RST packets sent by clients infected by Blaster Worm and use of my
personal
On Fri, Jan 09, 2004 at 03:30:37PM +0100, Laurent Cheylus wrote:
Hi,
On Fri, 9 Jan 2004, Daniel Hartmeier wrote:
Why do you assume those are incoming packets? Might as well be
_outgoing_ packets, with you being the one sending out packets with
unroutable source addresses. That would
On Sat, Jan 03, 2004 at 12:52:33PM -0500, stan wrote:
Ok, I thought I had active ftp working from behind my firewall, but I am
still getting these messages in /var/log/messages:
You thought it was working?
Can't you tell whether it works or not?
It is as simple as walking to a client and running
On Sat, Jan 03, 2004 at 02:53:29PM -0500, stan wrote:
Jan 3 09:24:31 koala ftp-proxy[22750]: xfer_data (server to client): failed
(Connection reset by peer) with flags 00
Jan 3 09:24:39 koala ftp-proxy[22750]: xfer_data (server to client): failed
(Connection reset by peer) with
On Sat, Nov 29, 2003 at 06:10:06PM +0100, Thelmo Loisio wrote:
On Fri, 2003-11-28 at 18:23, Greg Hennessy wrote:
Is your perimeter gateway doing address xlation for source address you are
using ?
Don't take me wrong, but... of course nat is working ;)
My problem is that I don't know
On Thu, Nov 06, 2003 at 10:36:12AM +0100, Ed White wrote:
Hi,
I'm wondering if there's a way to let ftp-proxy set the priority queue for
every state it creates.
[snip]
The problem is that _passive_ ftp download tcp connections have no fixed
points: no IP and no ports.
you can always
On Mon, Oct 13, 2003 at 01:43:37PM -0400, [EMAIL PROTECTED] wrote:
[snip]
... I have seen a number of articles and email stating
that snort sees all traffic before it is ever filtered by PF ...
this is true. You can run snort and pf together without problems.
Can
On Thu, Sep 11, 2003 at 11:32:28PM +1000, Damien Miller wrote:
On Thu, 2003-09-11 at 23:00, Daniel Hartmeier wrote:
It would be cool if pf (some time in the future) had some way of passing
packets off to a userspace inspection process before they were put
out on the wire or delivered
On Wed, Sep 10, 2003 at 10:50:24AM -0500, Chris Reining wrote:
Why don't you just run a chrooted snort on $ext_if?
choose one:
a. machines running snort usually have much higher requirements
(disk space, cpu, connection to a database?)
b. complex processes/services on a firewall is a bad
On Fri, Sep 05, 2003 at 03:16:05PM +0200, Ed White wrote:
On Friday 05 September 2003 13:03, Henning Brauer wrote:
We also modified the matching so that _every_ matching rule sets the
tag, not just the last one.
This means multiple tags for one packet, right ?
No, there is only one tag
On Fri, Mar 28, 2003 at 01:14:41AM -0500, [EMAIL PROTECTED] wrote:
Is pf a true 'silent' firewall, not touching the ttl of a packet and thereby
not giving out that the packet has gone through an extra layer to get to the
destination? If it isn't, is there a way to enable such a feature, if
On Fri, Mar 21, 2003 at 06:44:37PM +0100, Srebrenko Sehic wrote:
On Fri, Mar 21, 2003 at 12:50:43PM +0100, Henning Brauer wrote:
I'm close to giving up on you wrt that. Somehow it seems you don't _want_
to see why the filtering outbound on an interface is so important. I gave a
very good
Perhaps this can be implemented in userland?
A daemon listening on pfsync could track states/hosts
and kill states/modify rules depending on any criteria you
care to define. Better than adding more complexity to the kernel code.
Can
On Fri, Mar 14, 2003 at 09:04:51AM -0500, ben fleis wrote:
I hope this is the right forum for asking this question... I imagine it will
have a simple answer :)
simple answer : no need to keep state on lo :)
simple facts:
- these packets are filtered on lo0 twice, once inbound and once outbound
-
While pf has no syntax for intrusion detection, it has some nice features
that aid in intrusion detection.
scrub: makes sure that the intrusion detection system inside the firewall
cannot be fooled by fragments and similar other tricks that would cause
the hosts and the IDS to see different packet
On Thu, Jan 09, 2003 at 11:12:35PM +0100, Daniel Hartmeier wrote:
See the updated patch in the -current ports tree, it's fixed.
Thanks :)
There's no reason to gamble with sanity by trying to backport features,
people running 3.0, 3.1 and 3.2 -release or -stable are supposed to use
the
On Thu, Jan 09, 2003 at 06:52:40PM +0100, Srebrenko Sehic wrote:
On Thu, Jan 09, 2003 at 06:34:13PM +0100, Daniel Hartmeier wrote:
But it would be worth carefully looking at the currently shared modules,
and sorting all functions and shared globals into either shared or
private
OpenBSD is not only the kernel; there are the system binaries, apps, etc.
the faq5 mostly talks about the kernel but gives a few pointers
especially the upgrade minifaq: http://www.openbsd.org/faq/upgrade-minifaq.html
the release(8) manual page describes the steps you need to compile a new
system
Rule changes do not affect existing states. You have to process each
state and decide if you still want it or not. Look at authpf for one
way to do it. authpf removes states containing the IP address
of the connection it authenticated on exit.
Can
On Thu, Dec 12, 2002 at 08:11:27AM -0700, Larry
pftop fails to compile on -current right now.
Daniel Hartmeier kindly provided a patch which can be downloaded from:
http://www.eee.metu.edu.tr/~canacar/pftop/pftop.diff
The patch is tested by jolan, many thanks.
I am having problems (of bandwidth and time) upgrading to -current
right now. I
On Mon, Oct 14, 2002 at 04:46:33PM -0400, Mike Frantzen wrote:
The application has to specify not only the
complete rule parameters, but has to know _where_ exactly to place the
rule in the ruleset (beginning, end, after a rule? etc.)
I'd hope so. I wouldn't want authpf to start placing
45 matches