Hi,
wouldn't it make sense to add a rtableid to urpf-failed? It seems
decreasingly useful without such an option - or am I missing something?
--
/\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
On Friday 04 August 2006 13:13, Fabian Keil wrote:
Max Laier [EMAIL PROTECTED] wrote:
On a box running sshd (or something listening on an inet6 tcp port)
load the following ruleset:
pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6
with the a
tcpdump from pflog0 during the connection attempt - whether it works or not.
Thanks - much appreciated.
0.8 (from ports/devel/libevent)
Anything else that crops up should be easily fixable.
? Sounds
interesting.
Index: pf.conf.5
===
RCS file: /usr/store/mlaier/ocvs
[220.87.30.15]; from= to=[EMAIL PROTECTED] proto=SMTP helo=HGK
do I have to go back to the cidr-basics ?
Going back to valuable problem report basics might be a good idea ...
Index: pf_if.c
===
RCS
On Thursday 22 July 2004 11:36, Carl Smith wrote:
Is the following patch still usable for OpenBSD 3.5 or is it already
integrated?
The latter. Committed by Henning in rev. 1.48 Thu Jun 12 10:49:17 2003.
of puffy as pf is pronounced puff after
all (well, if you stretch a bit). ;-)
... though I agree that Puffy is a hero and should not be forgotten about ;)
proto tcp from any to any port 4662 - $emule_ip port 4662
rdr pass on $EXT proto udp from any to any port 4672 - $emule_ip port 4672
Kifah Abbad writes:
Hi all,
is it possible to set a pcap_setfilter based on packets tagged by pf,
or brconfig? (bridge).
I am afraid that this is not possible and not likely to become possible, as
the tags are stored in a very kernel-centric way (via mbuf tags) and thus
can't easily cross the
Saturday, November 15, 2003, 2:33:51 PM, you wrote:
AES # cat ./test
AES pass proto tcp from any to any port 111 # correct
AES pass proto tcp from any to any port = 111 # correct
AES pass proto tcp from any to any port {111,222} # correct
AES pass proto tcp from any to any port =
Monday, November 10, 2003, 3:54:11 PM, you wrote:
PG To fund some of this, we need to combine home workers (pay more, use
PG daytime) with domestic users (variable b/w, lower service price).
PG I looked at google, and apart from the usual you can do this statements, I
PG found little in the way
Sunday, November 9, 2003, 3:59:35 PM, you wrote:
fh I am trying to configure a LAN for web surfing only through squid.
fh The LAN is a school; I don't want kids going to phony pages.
fh Right now I have some regexp files for squid to filter URLs.
fh This is not a transparent proxy, just a plain squid
Sunday, November 9, 2003, 5:46:14 PM, Fred Edwards wrote:
FE I wondered about routing also, but since he said that web worked but ssh didn't, I wrote that
FE off. Did I miss something?
Yes, the web request comes from the squid on the OpenBSD box thus
originating from an IP linux1 has a
It is not clear what you really want to accomplish, but I think you
want rdr and not route-to.
True as ipfw's fwd does more than route-to. Quoting ipfw(8):
If ipaddr is a local address, then matching packets will be for-
warded to port (or the port number in the packet if one is not
Monday, October 20, 2003, 7:44:52 PM, Henning Brauer wrote:
Request to introduce a public revision number to PF and pfctl.
HB no.
HB I had code doing this, and even pfctl erroring out with a nice message
HB if kernel and userland are out of sync, but theo refused it.
That's strange. Why? I
edo (...) it seems if I create a rule to let a specific packet through
edo the firewall then snort sees it; if I block it, then it never gets
edo logged by snort. So I am totally confused and pulling out my hair.
edo I have posted my snort configs to the snort list and no one sees
edo anything
What are possible ways of implementing payload inspection in
kernel? ...
And what's the point of writing that e-mail if you don't
describe your atypical way?
What's the point in writing follow-ups to this really OT thread at all?
And my piece for the atypical way: Take a look at Net-/FreeBSDs
I like the idea (as I suggested that before:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=105215655418099&w=2). Somehow
Henning didn't like the idea back then, and as I got my rules working w/o it I
did not implement it.
Vincent's patch might need some minor improvements and changes, but the idea
is
On Monday 01 September 2003 19:20, Mathew Binkley wrote:
So our bridging firewall achieves ~84% of full line speed. However,
during testing the firewall had a load level of 4.3. There doesn't
appear to be any packet loss, but I'm not sure if it is affecting
latency or not. Does anyone
From:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c
Revision 1.1 / (download) - annotate - [select for diffs] , Sun Jun 24
19:48:58 2001 UTC (23 months, 4 weeks ago) by kjell
2 years! All the best for the future!
New since pfvar.h 1.140:
Update the pfioc_table IOCTL structure.
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h.diff?r1=1.140&r2=1.141&f=h
From: Paul B. Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 9:05 PM
Subject: portable pf
Is there any widespread interest in developing a portable version of pf,
similar to portable ssh? I know some efforts have been made to port it to
other BSD variants, but I
From: Uwe Dippel [EMAIL PROTECTED] Sent: Wednesday, May 07, 2003 3:44 PM
Maybe this has been discussed earlier .. ?
Very new to pf I have that feeling that all those rulesets with
bindings to the interface to me seem less optimal than binding to an
IP-address.
Before I start writing my own
If you don't want port XYZ to be reached, block it. Completely. No
matter what fuxxored flag ever is set. Period.
//pb
Agreed, but a quick block on some of the common nmap flags on the very top
of your ruleset can save you some time (right?) Esp. when somebody went mad,
has a big pipe and
Agreed, but a quick block on some of the common nmap flags on the very top
of your ruleset can save you some time (right?) Esp. when somebody went mad,
has a big pipe and found out about insane nmap timing.
*sigh*
And all other tcp packets (which are most likely to happen more often)
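Both positions from this exchange fit in one ruleset. The following is an added example, not code from any message on this page: the early `block ... quick` rules drop the flag combinations that nmap's Xmas, Null and SYN/FIN scans send before the rest of the ruleset is evaluated, while the default deny underneath is what actually keeps unlisted ports closed, whatever flags a packet carries. The interface name bge0, the `($ext_if)` address macro and the service list are assumptions.

```pf
# Added example ruleset (not from the thread). Interface name, address
# macro and open-port list are assumptions.
ext_if = "bge0"
tcp_services = "{ 22, 80 }"

# Loopback is trusted, as in the rulesets quoted elsewhere on this page.
pass quick on lo0 all

# Cheap early rejects for flag combinations a real TCP stack never sends.
# They only spare the rest of the ruleset from evaluating scan noise;
# the default deny below is what protects closed ports.
block in quick on $ext_if proto tcp flags FUP/FUP    # Xmas: FIN+URG+PSH set
block in quick on $ext_if proto tcp flags /FSRPAU    # Null: no flags set
block in quick on $ext_if proto tcp flags SF/SF      # SYN+FIN
block in quick on $ext_if proto tcp flags SR/SR      # SYN+RST

# Default deny. Anything the pass rules below do not accept ends here,
# which is the "block it completely, no matter what flag" position.
block drop in log on $ext_if all
block drop out log on $ext_if all

# Only the listed services, only on a clean SYN, and only with state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`; the `quick` rules are an optimisation, so if they are dropped the behaviour stays the same and only the time spent per scan packet changes.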