NAT question

2004-07-09 Thread Ed
I have been given this as a spec for the network layout: --- | 217.205.140.x/32 +---+ |netgear adsl router| +-+-+ | 83.146.42.

Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST) A <[EMAIL PROTECTED]> wrote: > nat pass on interface [external_if] from any to \ >83.146.42.163 port 25 -> 192.168.0.20 Almost forgot. To the outside world, does 192.168.0.20 appear as 83.146.42.163, as this is for mail, it requires incoming and outgoi

Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST) A <[EMAIL PROTECTED]> wrote: > You would clone the ethernet card on the OpenBSD firewall to have the > extra addresses and then redirect based on the IP and the port number. So for each address I want SNATed I would need to do: ifconfig fxp0 83.146.42.163

Re: your mail

2004-07-29 Thread Ed
7;t matter. Thanks for the help. I sent the problems fix to the list, don't know if you read it. -- Ed. BSc (Hons) Comp / Inet Tech. IEng. Debian 3.

Linux port of pf

2004-10-19 Thread Ed
Hello Guys, Has anyone ported pf for use on linux kernels? I like the firewall so much I want to use it on the debian systems. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence.

Re: Linux port of pf

2004-10-20 Thread Ed
On Tue, 19 Oct 2004 18:47:00 -0200 Douglas Santos <[EMAIL PROTECTED]> wrote: > Why not to use it on OpenBSD? Because I like to apt-get some parts of my life! It's nothing personal, I just prefer debian on my workstation and OpenBSD on my firewall. -- Ed. Debian 3. OpenBSD 3.5. Two th

Re: Linux port of pf

2004-10-20 Thread Ed
st early this year, but > I've haven't seen anything since. I don't suppose you know which list that was and if anything more than talk came of it? I am a little frustrated in using iptables. Come to think of it, do you know if there is a pf -> iptables conversion script? -

Re: Linux port of pf

2004-10-20 Thread Ed
nger. apt-get install gaim, on a Debian system gets it right. PF on linux would be 'awesome', so long as it did not become like the XP firewall. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in sma

Re: Linux port of pf

2004-10-20 Thread Ed
se don't hit me for giving iptables advice on > the pf mailing list... Thank you for your advice. I will see if that can save my bacon until I can figure out some of the stuff that I don't know about BSD. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD

Re: Linux port of pf

2004-10-20 Thread Ed
not harder. It's just a matter of timing and administration required if the UNIX like system doesn't have the package available. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID

Re: Top 10 reasons IPTABLES is better than PF

2004-10-23 Thread Ed
interface with THAT.) That's not my concern. I just want the same firewall interface and stability, I don't care if not having the same under the hood makes me a bad person or if I have to duck the flames for saying so. modprobe vmware-openbsd I've said all I'm going to say on the sub

FTP to nat

2004-10-26 Thread Ed
RFC1918 space and if so, should I BINAT the whole address, and even then, will it work? Is this question too trivial for this list. Thanks in advance. -- Ed. Debian 3. OpenBSD 3.5. You can not cross a chasm in two small jumps. PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

3.6 is on the ftp sites

2004-10-31 Thread Ed
-- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA

pf sync

2004-11-18 Thread Ed
not know anything about pfsync, despite reading Absolute OpenBSD and Building Firewalls with OpenBSD and PF 2nd edt. Can someone possibly point me in the direction of some pfsync examples? -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coinci

Re: pf sync

2004-11-19 Thread Ed
ot using the carp round-robin stuff. Thanks, I'll check out the how-to as the above does not make much sense to the untrained reader, but I am sure it will when I have been through the appropriate materials. Thanks. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD.

Re: pf sync

2004-11-19 Thread Ed
RH, I was using SuSE 5, and wordperfect back then, now http://linux.corel.com doesn't exist so I use oo.org. -- Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and LSD. Don't think this a coincidence. Can't cross chasm in small jumps PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1

Re: CARP

2004-12-14 Thread ed
On Sun, 12 Dec 2004 10:54:28 -0500 Jason Dixon <[EMAIL PROTECTED]> wrote: > On Dec 12, 2004, at 8:54 AM, ed wrote: > > > Anyway, I have a /etc/pf.conf file which was originally for a single > > firewall, which worked for

Re: CARP

2004-12-16 Thread ed
On Wed, 15 Dec 2004 07:33:51 -0500 Jason Dixon <[EMAIL PROTECTED]> wrote: > > Sorry for this lengthy reply, I hope you all can forgive me for > > this, but as I am but a beginner with PF/CARP I hope we can avoid > > hostility. > > > > I have two boxes

Re: CARP

2004-12-17 Thread ed
On Thu, 16 Dec 2004 20:54:54 -0500 Jason Dixon <[EMAIL PROTECTED]> wrote: > > Things are nearly fully functional for me now, however, I don't seem > > to have perfect throughput when a box is shot in the head, sometimes > > > > things > > work OK for

Re: CARP

2004-12-17 Thread ed
On Fri, 17 Dec 2004 18:47:47 + Ryan McBride <[EMAIL PROTECTED]> wrote: > $ ifconfig -a > $ sysctl net.inet.carp > $ netstat -sp carp Thank you, I will provide this with my next post. -- /-- _| | Regards. Please note, my PGP key ID has changed.

CARP

2004-12-12 Thread ed
Hello All, I am, once again having trouble understanding CARP/pf. It is a shame this is not covered in Building Firewalls with OpenBSD and PF, by J.A. or in Absolute OpenBSD, they both cover PF very well, but not CARP. Anyway, I have a /etc/pf.conf f

CARP again, again

2004-12-23 Thread ed
Hello again, sorry to bother you all again. I have a question, we have two DSL connections, and I plan on using two boxes, which are carped. But, I'd like to do this in a fashion such that I can failover to a different connection when the primary one

Re: Traffic Monitoring, IP

2005-01-01 Thread ed
On Sat, 1 Jan 2005 09:53:44 +0100 "Miroslav Kubik" <[EMAIL PROTECTED]> wrote: > OK, you're right I appreciate Daniel's work very much. It was only a > little joke and at the same time I tried to show you that everything > isn't only a matter of money. One friend of mine is a doctor and his > payme

3.7 change log

2005-05-22 Thread ed
Hello, Does any one know where I should look for the 3.7 change log? And is there an update for the book Building Firewalls with OpenBSD and PF, 2nd edition to take these improvements/changes onboard? -- http://edd.link9.net - http://irc.is-cool.net pgpRdYbVArAXs.pgp Description: PGP signature

Re: Problem with NAT and FTP server

2005-07-15 Thread ed
On Thu, 14 Jul 2005 22:42:49 -0400 [EMAIL PROTECTED] wrote: > In my configuration there is a problem providing publicly-accessible > anonymous FTP service. The config works for a small number of clients, > but most cannot access my server and use any command that requires a > data connection. I h

Re: macro doesnt expand CIDR

2005-08-29 Thread ed
On Mon, 29 Aug 2005 06:38:48 -0300 "Gustavo A. Baratto" <[EMAIL PROTECTED]> wrote: > I understand that I could write the rule with the ips hardcoded in it, > but I assume this doesn't change the fact that macros are not > expanding CIDR addresses, and this maybe a bug. I was trying more to > warn

pf versions

2005-09-05 Thread ed
Hello, On an OpenBSD 3.7 install the following rule will work yet not on a 3.6, is there a difference in the way the rule should be declared, or if pf can be upgraded, how should I do this? ext_if=xl0 ext_network=1.2.3.4/5 pass in on $ext_if proto tcp from any to $ext_network port {22,3389} keep

Re: help

2005-09-06 Thread ed
On Tue, 6 Sep 2005 17:56:40 +0200 "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote: > I have an important question: > it's possible to define a filter that have as srcaddr or dstaddr > all ip-address different from a host or a subnet? This does not make a whole lot of sense. You could however make

rdr pass, max-src-conn

2005-09-07 Thread ed
Hello, I am having troubles with some rdr rules. How should I specify: rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 with pass in on $ext_if proto tcp from any to $range port {80,3389} keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload flush global ) I spl

Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 7 Sep 2005 20:25:54 +0200 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > > rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10 > > pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389} > > Packets will have their destination address replaced with 10.10.10.10 > when f

Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 07 Sep 2005 14:19:06 -0400 Roy Morris <[EMAIL PROTECTED]> wrote: > ed wrote: > >pass in on $ext_if proto tcp from any to $range port {80,3389} keep > >state ( max-src-conn 3, max-src-conn-rate 2/5, overload > >flush global ) Thanks Roy and Daniel for your answe

Re: rdr pass, max-src-conn

2005-09-08 Thread ed
On Thu, 8 Sep 2005 14:40:51 +0200 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > host1$ pfctl -t abuse_src -Ts | ssh host2 "pfctl -t abuse_src -Ta -f > -" Thanks very much, I had not thought about scripting it at all. -- http://edd.link9.net - http://irc.is-cool.net

route-to curiosity

2005-09-10 Thread ed
Hello all, I have a question about route-to. I would like to know if the following situation would work, and if there is any advice you can give on this: I would like to provide some resilience to a group of servers behind a pf NAT. If you could visualise the top three boxes as different /24 netw

Re: pf load balancing

2005-09-21 Thread ed
On Wed, 21 Sep 2005 17:05:23 -0300 Lucas <[EMAIL PROTECTED]> wrote: > i'm working with 3 gateways and want to load balance between them. > after a failure with layer 2 (carp arpbalance) balancing, i tried to > do it with pf. > > the most logical way to do it is with a machine before the gateways

Re: CARP and switches

2005-09-29 Thread ed
aim to be using the same IP address, check out the ARP table, they should all have the same MAC. -- Regards, Ed

Re: no NAT, all public ip address

2005-10-04 Thread ed
at you have network and IP address entries that are routeable, and to the best of my knowledge it should work as expected, but I do not think there is a state table when you don't use NAT, but it should not hurt to leave that setup in it's running configuration. -- Regards, Ed http://www.usenix.org.uk

Re: no NAT, all public ip address

2005-10-04 Thread ed
k to the CARP interfaces and not physical interfaces. As far as I know there is no state table that has to be synced. -- Regards, Ed http://www.usenix.org.uk

ICMP redirect

2005-10-07 Thread ed
k here. Thanks. -- Regards, Ed http://www.usenix.org.uk

Re: ICMP redirect

2005-10-12 Thread ed
On Wed, 12 Oct 2005 20:11:03 +0200 Daniel Hartmeier <[EMAIL PROTECTED]> wrote: > On Fri, Oct 07, 2005 at 07:10:04PM +0100, ed wrote: > > > Can ICMP packets be redirected using rdr to a RFC1918 host? I gave > > it a couple of shots and did not get anywhere, as I can'

pf rocks

2005-11-01 Thread ed
Hello, I'd just like to say, pf rocks. I have big changes to make to a rather important firewall, things probably won't work for a while and it might look as though I don't know what I'm doing at the time, but nevertheless, pf still rocks. Well done chaps. -- R

Re: please publish SPF records

2005-11-02 Thread ed
other than pf@benzedrine.cx gets trashcanned. I'm sure if you know about SPF then you know all the various anti-spam tactics. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

Re: please publish SPF records

2005-11-03 Thread ed
at makes it worth using spf alone - just as a junk filter. I'm not going to praise it as a final solution to spam and scam. DK is worth a look too, but it's added components to a mail server. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the wor

Re: rdr process order

2005-11-30 Thread ed
rdr pass on $lan_if proto tcp from { $lan_nets, !w.x.y.z } -> a.b.c.d should do the trick. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

carp

2005-12-08 Thread ed
Hello, Has anyone written scripts to ensure that preempt failover fails over all the carp interfaces to backup upon one becoming backup? I have found often that a single interface will become backup leaving the remaining interfaces as master, which obviously messes things up. -- Regards, Ed

Re: Syntax errors in pf.conf

2005-12-09 Thread ed
> rdr on $ext_if proto tcp from ! any \ > port 80 tag INET_DMZ -> $server > > rdr on $ext_if proto tcp from ! any \ > port 443 tag INET_DMZ -> $server -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~~ ~~ :wq

Re: Syntax errors in pf.conf

2005-12-10 Thread ed
On Sat, 10 Dec 2005 16:43:50 -0500 Forrest Aldrich <[EMAIL PROTECTED]> wrote: > I had that before (with braces {}) and got a syntax error on these > lines as well, FYI. > > > > ed wrote: > > On Fri, 09 Dec 2005 16:14:25 -0500 > > Forrest Aldrich <[EMAIL

Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-19 Thread ed
takes place in fewer bytes. If UDP is not possible then the protocol should retry in TCP, IIRC. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

pf failover state problem

2005-12-28 Thread ed
to work pass quick on $pri_if proto pfsync pass quick on { $ext_if1, $ext_if2, $int_if } proto carp keep state ### ### private interface, this is the emergency rule to contact the other ### box should the private/public interface be blocked for some reason, ### we should have this as a reserve pass quick on $pri_if from $pri_network pass quick on { lo } -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2005-12-31 Thread ed
RP can behave oddly if you have differing configurations, neither knows which should be master, try and avoid having differences between the primary and secondary CARP boxes. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: Will pf write to a file

2006-01-01 Thread ed
s the hardest part would be to find a suitable word/letter > for '?'... suggestion? C I don't remember seeing c in the man, please disregard if it's already used. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g

Re: graphing pf stats

2006-01-02 Thread ed
On Mon, 2 Jan 2006 13:56:21 -0700 Bob DeBolt <[EMAIL PROTECTED]> wrote: > pfstat works well, it may be a nice starting point for you or it may > do everything you want. If there's time I'll look at making a plugin for monitoring programs. -- Regards, Ed http://ww

Re: viewing pf rules in tcpdump output

2006-01-15 Thread ed
> rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp 192.168.1.1 > > 192.168.2.213 spi 0x1 Another question, how do you associate the rule number to line in pf.conf, without doing the obvious mental exercise, with many rules it can be a chore. -- Regards, Ed http://www.usenix

Re: viewing pf rules in tcpdump output

2006-01-16 Thread ed
On Sun, 15 Jan 2006 17:20:25 + "Karl O. Pinc" <[EMAIL PROTECTED]> wrote: > Sorry, pasted from the wrong window. This is the correct script. > > On 01/15/2006 06:28:21 AM, ed wrote: > > > > Another question, how do you associate the rule number to l

OpenCON 2007 // Call for Sponsors

2007-08-20 Thread Ed
imagine. Obviously we can provide a valid EU receipt for your tax duties. Just write an email to ed()bsd.it with OpenCON in the subject line and tell us about your ideas! Please spread the word among your friends, OpenBSD friendly companies, ISPs that offers OpenBSD servers for rent or hosting, and

OpenCON 2007 // Call for Papers

2007-10-01 Thread Ed
Dear ladies and gentlemen, OpenCON is the only conference fully dedicated to OpenBSD. Last year edition was a great success and featured also the party for OpenBSD 10th birthday, with project leader Theo de Raadt and a lot of developers. More info here: http://2006.opencon.org/ The OpenCON prog

Re: OpenCON 2007 // Call for Papers

2007-10-02 Thread Ed
On Tuesday 02 October 2007 22:59, Peter GILMAN wrote: > > OpenCON is the only conference fully dedicated to OpenBSD. Last year > > edition was a great success and featured also the party for OpenBSD > > 10th birthday, with project leader Theo de Raadt and a lot of > > developers. More info here: ht

OpenCON 2007 // free tutorials

2007-10-19 Thread Ed
Hello everyone, OpenCON is a free entrance conference fully dedicated to OpenBSD. http://www.opencon.org/ I just want to inform you that this year we are going to have one day dedicated to free tutorials. In particular you might appreciate the tutorial about PF by Peter Hansteen. Peter is the

pftop (FWD)

2002-09-04 Thread Ed White
nt in Makefile). - I think anyone in this list could be interested. Right ? ;-) Ed

RE: pftop (FWD)

2002-09-04 Thread Ed White
d maybe translate the cryptic STATE values (0:1, 4:4), too? I'm not the author. ;-) Please look at the "From". Note: It was a mail from tech@ not misc@. (http://marc.theaimsgroup.com/?l=openbsd-tech&m=103104775202469&w=2) Bye. Ed

application proxy

2002-07-29 Thread Ed White
ter a FTP server even if it's secure, like OpenBSD ftpd. In the end, what would be the target: Protect a service or Permit a service ? Thanks. Ed

RE: application proxy

2002-07-29 Thread Ed White
lly you use paketfilter to protect > permissions ;0 uh ? PF can't protect from an exploit. Thanks. Ed

RE: ruleset for transparent bridge with 4 interfaces & stateful filtering..

2002-07-30 Thread Ed White
ink these rules are good for a filter not for a firewall. I mean they filter, but don't use all the power of THE Packet Filter. > Would using 'quick' rules in certain places me rule parsing faster? quick everywhere is faster in rule evaluation, not parsing... Bye. Ed

RE: Rewrittien PF Rules...please critique

2002-07-31 Thread Ed White
> Thanks everyone. Your comments and suggestions are greatly appreciated. Please do NOT send HTML mail. Please! Ed

RE: ruleset for transparent bridge with 4 interfaces & stateful filtering..

2002-07-31 Thread Ed White
talking > about the power of the packet filter.. > PF has *NOT* return-icmp-as-dest. If you sniff ICMP packets sent by PF you'll see the IP of the firewall itself. I talked with Daniel and jason@ about this ;-) Maybe... Bye. Ed

RE: FW: ruleset for transparent bridge with 4 interfaces & stateful filtering..

2002-07-31 Thread Ed White
one could solve this by putting 3 interfaces on one bridge. if1 and if2 IPless if3 with IP So the box is invisible, but can return-* and be controlled remotely. NOTE: return-icmp will reveal the IP of the firewall, so in most cases it's better not to use it. Bye. Ed

RE: Newbie Question (one of many to come)

2002-08-11 Thread Ed White
> I think it would be an EXCELLENT way for a corporate administrator to fine-tune their firewall > to their particular environment. I think it would be an EXCELLENT way for an attacker to fine-tune their firewall to his particular environment. This is "Security" Through Obscurity. Ed

Logging...

2002-08-12 Thread Ed White
the wild internet to the LAN. (Most people use it to permit active-FTP with NAT, so from LAN to internet) Thanks to anyone who will contribute their ideas. Ed

RE: NAT problems

2002-08-15 Thread Ed White
efine useful variables > ext_if="{ dc0 }" # External Interface > int_if="{ dc1 }" # Our internal network range 192.168.1.0/24 I think, I'm not sure, that using interface names to get all IPs is a feature of -current So are you using -stable or -current ? Bye. Ed

RE: Support for external files in pf.conf?

2002-08-29 Thread Ed White
ield, black hole lists, > etc). Using IDS to create that list could be cause of DoS. Ed

RE: use of loopback interface

2002-08-31 Thread Ed White
ed X access from remote systems) Note that without that filter a local user could spy (and sniff the keyboard of) root. Ed

RE: set_ttl for normalization of the packet

2002-08-30 Thread Ed White
For example, nmap -sS could be stopped with the right block rule, but if I'll use -current "scrub in all" what will PF do ? I believe that packet will pass "scrub" untouched. Right ? ;-) Ed

RE: pftop (FWD)

2002-09-04 Thread Ed White
> > I'm not the author. ;-) > > Please look at the "From". > > Please look at the "Cc" in the previous mail by Daniel ;-) Ah! So "Cc" is used for that! ;-P Sorry, I didn't see. Bye. Ed

RE: RFC: dynamic rules

2002-10-07 Thread Ed White
act it jumps a rule). Bye. Ed

RE: Load balancing/failover

2002-10-09 Thread Ed White
all of them ? Can we trust a hub and be sure that each box will receive each packet ? Thanks. Ed

RE: TCP Reflection

2002-10-24 Thread Ed White
ntinue to access your local web server because you _don't_ need dns lookup. Is it too simple ? Ed

RE: list

2002-10-11 Thread Ed White
ond for 'pf', I > don't think that's too far away. But I'll see if I can add the link > to the openbsd.org page. IMHO: adding a link to that page will add a lot of mail like those on misc@. Something like: "I don't have a computer, can I use PF ?". Obviously Daniel has *The Power* ;-) Ed

ipf rules not working; is binat the solution?

2002-11-19 Thread Ed Herkel
Can anybody point me to a sample pf.conf file that would cover the following scenario? My old rules from ipfilter and ipnat don't seem to be working. I have an OpenBSD box as a firewall/router between the outside and a single PC on the inside hosting two web sites on different addresses and ports.

Re: ipf rules not working; is binat the solution?

2002-11-19 Thread Ed Herkel
Here is my pf.conf file. Some things are working -- like access to the internet from within the network. Other things, like external access to the web sites, and incoming email, are not working. Outgoing email and pings are working. I'm thinking the problems are most likely in the NAT section, lab

Re: ipf rules not working; is binat the solution?

2002-11-19 Thread Ed Herkel
Ouch, let's try that again with the line wrap set to a more reasonable value. Sorry! Here is my pf.conf file. Some things are working -- like access to the internet from within the network. Other things, like external access to the web sites, and incoming email, are not working. Outgoing email and

-current PF routing

2002-11-25 Thread Ed White
PF for the same ruleset ? How will it apply to bridges ? Thanks. Ed

RE: Firewall spotting and networks analisys with a broken CRC

2002-12-30 Thread Ed White
olution will be chosen: - add a new scrub-like rule to check the checksum - check the checksum before returning (rst or icmp) - ... Ed

rdr and TOS

2003-02-03 Thread Ed White
with PF ? Thanks. Ed

Re: rdr and TOS

2003-02-03 Thread Ed White
ck in quick inet proto icmp all block in quick all After "pfctl -f pf.route" I tried "telnet x.x.x.x 25" and got kernel panic. Note that savecore told me I haven't enough space to save the core, but it's strange because I have 128 Mb RAM, 200 Mb swap and gigs on /var... What am I missing? Ed

Re: rdr and TOS

2003-02-03 Thread Ed White
terfaces. It > makes no sense to me. I would like to change TOS value of outgoing packets. So I'll forward them to localhost where a daemon is binding, altering and forwarding. Do you have a working solution for 3.2-stable ? Thanks. Ed

pf.conf and PF behaviour

2003-02-05 Thread Ed White
t let you jump all (or a lot of) rules related to other interfaces. But why don't you separate ruleset files ? pf.conf (all global definitions) pf.rl0 pf.fxp0 pf.dc0 pf.dc1 pf.tun0 So you'll be sure to evaluate interface related rules only. What about ? Ed

Re: pf.conf and PF behaviour

2003-02-05 Thread Ed White
re can provide better performance for a gateway setup also including some checksum validating like TCP. This means that we could do better ;-) Ed

RFC#1 - chmod pf.conf

2003-02-06 Thread Ed White
. Ed # RFC @ hacking.openbsd.it

RFC#3 - magic-jumps

2003-02-06 Thread Ed White
le with the original rule that didn't match. In fact using this added check, PF will jump rule #3 because proto is changed (#1=tcp, #3=udp) and will jump to rule #4. Obviously this is a small example, however magic-jumps could add some speed up even if rulesets aren't exactly skip-step-

Re: RFC#3 - magic-jumps

2003-02-06 Thread Ed White
ore using a ruleset, if it brings better performance every time a packet is evaluated. This will be felt by those who don't use quick on each line. Ed

Re: RFC#1 - chmod pf.conf

2003-02-06 Thread Ed White
ngs. > i have a good idea, how about an obfuscated pf.conf contest? However the fact is that I would like OpenBSD to be careful at details like this. If most root/admin manually change this permission, why not make it the default? Ed

PF gateway performance

2003-02-19 Thread Ed White
nyone who could try the same test with similar CPUs ? For example, will PF get a boost from MMX registers ? Thanks. Ed

Re: blocking with return-rst and ECN enabled packets

2003-02-27 Thread Ed White
On Thursday 27 February 2003 06:58, Marco Grigull wrote: > Wouldn't this create a 'fingerprint'? There are many ways to find out an OpenBSD gateway 8-) Ed

Daniel Hartmeier Show

2003-03-10 Thread Ed White
w00t! Design and Performance of the OpenBSD Stateful Packet Filter (pf) by Daniel Hartmeier [ http://linuxforum.mmmanager.net/1045982346433661373/view ] Showtime: http://linuxforum.mmmanager.net/1045982346433661373/SMIL.smil Ed

BSDCon Italy 2003

2003-03-12 Thread Ed White
how many people here can speak italian, however this is the list of PF related speeches : - WiFi Gateway with OpenBSD - IPv6 with OpenBSD - OpenBSD VPN - Packets Filtering Maybe we'll see there ;-) Bye. Ed

Re: source limit

2003-03-14 Thread Ed White
now it's a bad time to ask for features. Let's write them down and forward them in May. Bye. Ed

PF :: Passive FTP tracking

2003-03-17 Thread Ed White
other application, like Lynx, simply close sockets without waiting for such packets. Which is smarter ? Could anyone try something with a -current setup ? Thanks. Ed

Re: Pen-Test PF rule-set

2003-04-03 Thread Ed White
ap scans and such. "nmap -O" uses strange packets to discover the OS. These packets are: 1) blocked by your scrub rules 2) blocked by PF because they contain IP options To better understand how it works, try to use ethereal (or tcpdump) to sniff a local nmap scan. You'll see all those packets. Ed

Re: really basic pf help needed

2003-05-30 Thread Ed White
You have to add a route. If this was the problem you could consider a full transparent bridge. Sometimes I have seen LANs where reply packets were going through the internet because they were using the default gateway... Ed

set timeout and TTL

2003-06-04 Thread Ed White
connections. What does * mean? Ed

Re: fastroute

2003-06-04 Thread Ed White
d expires >before reaching the destination host. reassemble tcp will >raise the TTL of all packets back up to the highest value >seen on the connection. This is dangerous. Ed
