On Thu, Apr 16, 2009 at 12:36:20PM +0200, Peter N. M. Hansteen wrote:
> hu st writes:
> > So could pf limit the maximum number of simultaneous state entries
> > that a single source IP's source port can create with a rule?
> > (borrow from man pf.conf :))
>
> max-src-states? (see STATEFUL TRACKIN
> Does OpenBSD 4.4 PF ALTQ support HFSC?
Yep.
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+4.4&arch=i386&format=html#QUEUEING
On Tue, Nov 25, 2008 at 12:01:21PM -0700, Ken Gunderson wrote:
> Assholes On Line publishes a list of their outgoing mta's so I can white
> list them, but I've found no such list for gmail's outgoing mta's.
>
> How are the rest of y'all dealing with such situations?
Try
$ host -t txt _spf.goog
On Wed, Sep 17, 2008 at 10:12:39AM -0700, Bill Johnstone wrote:
> Hello.
>
> I have a couple of hosts that I want to use binat with. However, I
> would like a daemon running locally on the pf machine to be accessible
> via a tcp port on one of the external IP addresses.
You could do something
On Thu, Sep 11, 2008 at 10:07:26AM +0100, Dave Lewney wrote:
> Can anyone say why this is syntactically correct ...
>
> I_OUTSIDE="em0"
> A_ping = "10.0.0.1/32"
> pass out log quick on { $I_OUTSIDE } proto icmp from { $A_ping } to any
> icmp-type 0 keep state
>
> ... and yet this is not ...
>
>
On Thu, Jul 31, 2008 at 03:35:45PM -0500, Jacob Lambert wrote:
> Hi guys,
>
> I'm new to pf but am learning quick. I've got one pf box up and running
> and working great. Now I want to try to simplify things a bit.
>
> I have multiple VMs each with their own public IP that need nat and rdr
> ru
On Sat, Jun 07, 2008 at 11:16:30AM +0200, Martin Toft wrote:
> Just a wild guess -- maybe the pf optimizer substitutes the six
> addresses with 192.168.1.0/29?
Sorry for sending so many mails, but I just want to correct myself
before somebody else does. Your six addresses are probab
On Fri, Jun 06, 2008 at 12:09:12PM -0400, Rick Aliwalas wrote:
[snip]
> one = "192.168.1.1/32"
> two = "192.168.1.2/32"
> three = "192.168.1.3/32"
> four= "192.168.1.4/32"
> five= "192.168.1.5/32"
> six = "192.168.1.6/32"
>
> pass in quick on $ext_if inet proto tcp from $one
Yep, I actually think the optimizer does it. Try loading your rule set
with "-o none" and watch ;-)
Martin
On Tue, Apr 08, 2008 at 03:10:47PM +0200, Martin Toft wrote:
> On Tue, Apr 08, 2008 at 09:27:49AM +0100, Ian Chard wrote:
> [snip]
> > Is there any other way of blocking IP proto 0 packets?
>
> You could use a default-deny/drop rule set, i.e. only allow the stuff
> you ne
On Tue, Apr 08, 2008 at 09:27:49AM +0100, Ian Chard wrote:
[snip]
> Is there any other way of blocking IP proto 0 packets?
You could use a default-deny/drop rule set, i.e. only allow the stuff
you need (probably inet and inet6).
Martin
On Mon, Apr 23, 2007 at 07:11:05PM +0200, Daniel Hartmeier wrote:
> On Mon, Apr 23, 2007 at 11:58:19PM +0800, John Mok wrote:
> > I am new to PF, and I would like to build a firewall + NAT using PF
> > on OpenBSD or FreeBSD. However, I hope someone to tell me if NAT-T
> > support is available in PF
phil wrote:
First thing, in your reply you said to do:
rdr on $ext_if inet proto tcp from to $ext_ip port smtp -> 127.0.0.1 port spamd
But I don't have ext_ip defined, only ext_if. I changed it to that -- is that a
problem on my end, or a mistype on yours?
I have defined ext_if and ext_ip as
phil wrote:
[snip]
Have /etc/pf.conf setup like this:
[15:34:49] [EMAIL PROTECTED] /usr/local/www/data]# cat /etc/pf.conf | grep -v "#"
scrub in all
table persist file "/usr/local/etc/spamd.list"
rdr on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
pass in all
pass out a
charles Collin wrote:
# NAT section
binat on ext_if from 10.0.0.B to any -> X.Y.Z.B
# Rules section, i only need https access to this machine.
block all
.
.
.
pass in on ext_if proto tcp from any to X.Y.Z.B port https
pass out in dmz_if proto tcp from any to 10.0.0.B port https
pass in