[no subject]

2002-10-25 Thread pf
I've attempted to make the ruleset as tight as possible while still being understood by those other than myself. Any comments or tips would be greatly welcomed. ExtIF="xl0" #xl0 external dhcp interface IntIF="sis0" #sis0 internal interface dhcpd Services="{ 22, 25, 80 }" NoRouteIPs="{0.0.0.0/32

Are more than one log interfaces possible pflog0, pflog1...

2003-01-21 Thread PF
Is it possible to bring up more than one pflog interfaces on PF, like pflog0, pflog1,...etc, and be able to have a rule log to a specific interface? I tried Block on log pflog0 and made a syntax error - would this be a 'good thing' for PF?

FW: Are more than one log interfaces possible pflog0, pflog1...

2003-01-22 Thread PF
e same as the line > in the pf.conf - right? does an AuthPF renumber the rules from bpf's > perspective, yes? can a rule be labeled? I don't suppose that macros in pf > are followed in bpf? Unfortunately you'll have to run pfctl -v to determine the rule numbers since pfctl

RE: Compendium of pf rules (Was: RFC#1 - chmod pf.conf )

2003-02-08 Thread PF
PF rule-sets are a very good idea - also include context - like bridgename.if files should<->there be categories - like PF with: transparent bridging, ftp-proxy, 802.11, email filtering. good idea - I can learn lots from something like this - Ed -Original Message- From: Jaso

RE: ALTQ

2003-02-26 Thread PF
looks like it made -current after the freeze on 3.2 - so get a 3.3 CD when they ship. didn't play with CVS so I could be wrong! but I don't think you could play with ALTQ+PF in 3.2, only -current. there are answers that shouldn't make you think...and lookup a purchase and cross re

RE: ALTQ...WIKI?

2003-02-26 Thread PF
you are here! oh and the -current MAN page. the ALTQ man page should also work - Xavier's referrals outline what hadn't made the blending, but that isn't current ;) >>>>there was some talk of starting a WIKI on PF rulesets, that would be a good place to look!<

RE: PF MAC Filter

2003-02-28 Thread PF
As I understand 'The PF + Bridge Caution' - it is a risk of tanglefoot - as packets are going in and out of at least two interfaces, giving four PF filtering scenarios, it is easy to get it wrong or not get a small bit of it just right - especially if you are keeping states. The rule o

RE: set loginterface

2003-03-08 Thread PF
you only want one because - In order to keep with the *nix ethic of one tool one job - a singular loginterface gives you one point of contact for your tool of choice for splitting out your various types of logs - i.e.. pipe it through grep & tee orsee? now maybe if PF echoed rule cha

RE: wireless interface sharing same subnet as wired

2003-03-08 Thread PF
right? I don't think that works with NAT. um no. -Original Message- From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED] Sent: Saturday, March 08, 2003 8:45 AM To: [EMAIL PROTECTED] Subject: wireless interface sharing same subnet as wired Hi, Is there a way with OpenBSD 3.

RE: set loginterface

2003-03-08 Thread PF
dup-to could be something to do too =) I just figure the guys writing Unix had just given their kids the big box of Lego blocks. ttfn - it's a beautiful day here and Phoenix is having an 'Art Walk' - I can't wait to see all the Art walking around town! -Original Message- From: Cedric Be

Log Tickets was >> RE: set loginterface

2003-03-08 Thread PF
um...is it raining where you are Henning? snow? I agree only one interface is best - more is against the Unix idea. Stats on an interface come from the filtering rules - no reason for PF to report more than is requested by the rules. (bet that would make a slow PF) 1)monitoring traffic on an

RE: wireless interface sharing same subnet as wired

2003-03-10 Thread PF
subnet) 2 NICs for NAT from 192.168.1.60 to the Internet - firewall has an IP address on the Internet. there may be less simple ways to do this - tunnels and stuff, but with card at $15 - go with cheap and easy! -Original Message- From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED

RE: PF in 3.3-current, ioctl

2003-03-12 Thread PF
after you call DIOCCHANGERULE with PF_CHANGE_GET_TICKET - does DIOCCHANGERULE return anything for the rules it accepts? I'm just starting to read up on this - pardon my guessings Daniel Wrote: > Is it correct that DIOCCHANGERULE now needs a ticket for every operation > (in earlier releases I di

RE: PF, ALTQ on Bridge? >> FTP question

2003-03-18 Thread PF
irewall or are you set up to work with a server too? looking forward to 3.3 CD to try the ALTQ tools - Ed -Original Message- From: Peter Hessler [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 18, 2003 7:04 AM To: Marc Balmer Cc: [EMAIL PROTECTED] Subject: Re: PF, ALTQ on Bridge? Works as w

RE: pflogging >> busted

2003-03-18 Thread PF
bag a slothy PHB by mistake - you should know that IP. =) -Original Message- From: Bryan Irvine [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 18, 2003 3:00 PM To: [EMAIL PROTECTED] Subject: pflogging Is there a way to pipe only parts of pf to a log file? Or a different log file? What I

RE: important pf changes >> pf

2003-04-01 Thread PF
On Tuesday, April 1, Henning Brauer wrote: > > After much discussion we made a hard decision: we will change pf syntax from > English to German. right - I'm trained as an economist so I can help. this should be a useful template: Noun Noun NounNoun Noun adjective verb NounNou

Re[2]: some problems with pf losing state information in

2002-12-09 Thread pf-list
> 224.0.0.0/3, 255.255.255.255/32 I believe 224.0.0.0/3 includes 255.255.255.255/32 3 bits 128+64+32 = 224 which says match 224 and anything else goes so 224.0.0.0-255.255.255.255 is 224.0.0.0/3 [EMAIL PROTECTED] [EMAIL PROTECTED]

Re: dcc

2002-12-28 Thread pf-list
I also tried tircproxy with no success. James On Sat, 28 Dec 2002, Scircuit wrote: > Has anyone been able to get established outgoing dcc connections with pf? I tried >out tircproxy, but I am looking for an alternative. > > Jon > >

pflog and dhcp

2003-02-12 Thread pf-list
For the life of me I couldn't figure out why my logs were filling so fast and yet there were only a few packets actually in them. When I listened to pflog0 I found 1000s of dhcp server broadcasts that were being blocked as per my ruleset (block that which I didn't request.) I analyze my logs by th

Re: pflog and dhcp

2003-02-13 Thread pf-list
On Thu, 13 Feb 2003, siivv wrote: > On Wed, 12 Feb 2003, pf-list wrote: > > > For the life of me I couldn't figure out why my logs were filling so fast > > and yet there were only a few packets actually in them. When I listened > > to pflog0 I found 1000s of dhc

Re: pflog and dhcp

2003-02-13 Thread pf-list
On Wed, 12 Feb 2003, Saad Kadhi wrote: > On Wed, Feb 12, 2003 at 02:34:21PM -0600, pf-list wrote: > > For the life of me I couldn't figure out why my logs were filling so fast > > and yet there were only a few packets actually in them. When I listened > > to pflog0 I

Re: pflog and dhcp

2003-02-13 Thread pf-list
On Thu, 13 Feb 2003, Daniel Hartmeier wrote: > On Thu, Feb 13, 2003 at 09:59:04AM -0600, pf-list wrote: > > > No that rule was written intentionally so that the packets would no longer > > be blocked. However, I still should have been able to see the packets via > > t

multiple pflogd's?

2003-02-21 Thread pf-list
Hi I think I remember reading about this in -current. However, I am trying to establish multiple pflogs. Ie a 2nd one for some specific packets. Could someone explain how you go about this? Or is it not possible in 3.2 -patch ? -James

Re: PF logging as in the FAQ not working

2003-08-14 Thread openbsd-pf
ork - I've just started using OpenBSD recently so I'm sure it a rookie >> mistake. I've been trying to get the packet logging set up as in the faq >> but I can't get the file pflog.txt to be created. I've read this post and >> checked everything that I

Re: PF logging as in the FAQ not working

2003-08-14 Thread openbas-pf
I haven't seen anything about that in the faq that would indicate a problem but is there something that this might affect? I appreciate the time and the help. Is there a method that I can use to verify that this command : logger -t pf -p local0.info is working? I've been able to veri

PF logging as in the FAQ not working

2003-08-14 Thread openbsd-pf
I've read this post and checked everything that I can think of:http://www.benzedrine.cx/pf/msg01009.html I've tried running the scripts as root and I get no errors but the file pflog.txt is never created, even when I can see that there is information in the pflog file. I created t

Re: multiple pf.conf's and vulnerability assessment

2003-09-25 Thread pf-list
> now, i read that using nmap and other vulnerability assessment tools from the > int_lan to > the iNet will result in unreliable returns, i have noticed that if using nmap for os > fingerprinting always results to my obsd os fingerprint, can anyone enlighten me as > to > why? (and since i cant

Re: PF redirect doesn't work

2003-10-14 Thread openbsd-pf
I guess you have to open up the (incoming) ports you want to redirect, instead of blocking it. good luck -Stef Quoting Eric <[EMAIL PROTECTED]>: > Hello All, > > I have set up a PF on a OpenBSD 3.3 box, the NAT and > binat is working fine. But I can’t redirect the >

Re: latest snapshot, pf blocks until reloaded

2003-11-02 Thread pf-list
-an'' and ``pfctl -s all'' on the > openbsd machine also looks perfectly normal. But I can't ping, I can't > get nfs and anything else UNTIL I pfctl -F all; pfctl -f /etc/pf.conf. > I rebooted just to get the same error again, just to make sure it's > repeata

Re: "reassemble tcp" and SuSE clients woe

2003-11-11 Thread pf-list
, 11 Nov 2003, Omer Faruk Sen wrote: > > I have lived a problem with Suse and Windows Servers. The problem is exactly > the same with the one detailed at http://www.benzedrine.cx/pf/msg03194.html. > I have a mail server that is installed SUSE as OS with 2.4.19-4GB kernel > and my

Re: "reassemble tcp" and SuSE clients woe

2003-11-12 Thread pf-list
day 11 November 2003 08:51, Omer Faruk Sen wrote: > > I have lived a problem with Suse and Windows Servers. The problem is > > exactly the same with the one detailed at > > http://www.benzedrine.cx/pf/msg03194.html. I have a mail server that is > > installed SUSE as OS wi

[Administrative] Bounce troller

2005-01-15 Thread owner-pf
Please ignore, this is just a bounce troller.

Re: my firewall

2005-01-19 Thread pf-r
would connect to 195.68.221.221 ...weird, huh? Here's the pf.conf I'm using: === # Gatewolf pf rules # ext_if = "xl0" int_if = "ep1" nat on $ext_if from 192.168.1.2 to any -> ($ext_if) block in log all block out log all pass in quick on lo0 all pass ou

Re: my firewall

2005-01-19 Thread pf-r
OOPS- pf-r wrote: where I've compliled a (now aging) list of s/compliled/compiled BTW, if anyone wants to submit pf.conf examples with accompanying 'pfctl -sr' (or alternative) outputs for posting on the pf-r, visit #pf and speak up. -S

Re: macros and anchors

2005-01-29 Thread solarflux.org/pf
Peter Huncar wrote: Hi Howdy. Is there any way to manage macros across rulesets? Sure. Just figure out how to write a little script to find and replace the targeted macro(s) across multiple files. Because if you use the same macros in the main ruleset and in some rulesets which will be loaded into

Re: NAT state not deleted after IP change (DHCP)

2005-02-07 Thread solarflux.org/pf
Cyrill Rüttimann wrote: The state of the SIP-Connection remains active in the state table after changing the IP, why? The state is not expiring immediately. If I then delete the state, the SIP-Phone registers immediately with the SIP-Proxy. Try 'set optimization aggressive' which removes state en

[Administrative] Bounce troller

2005-03-01 Thread owner-pf
Please ignore, this is just a bounce troller.

Re: firewall is too slow

2007-10-12 Thread pf user
Could you post your iptables rules and your pf.conf? Did you use "rdr pass..." for the http access? Florin Andrei wrote: (originally posted on openbsd-misc, but then I figured this list might be a better place for this question) OS: OpenBSD 4.1 Hardware: Tyan Transport GT24, 2 x AMD64 dual c

Re: New pf install on Freebsd seem to be a slow starter.

2008-07-10 Thread pf user
er for looping touch $NEWGOOD # add all your good dns names here: dig +short something.somewhere.com >> $NEWGOOD dig +short somethingelse.somewhere.com >> $NEWGOOD # add good ips here: echo "xxx.yyy.zzz.qqq" >> $NEWGOOD # done with good ips mv $PFGOOD $OLDGOOD cp $NEWGOOD $P

Re: Aliased Interface as Source IP

2004-07-23 Thread eric-list-pf
On Fri, 2004-07-23 at 23:33:48 +0200, Daniel Hartmeier proclaimed... > The form ($ext_if) is useful when you get a single address assigned to > $ext_if dynamically (and it changes automatically). If you have aliases > and want specific addresses used like this, don't use (if). Thanks Daniel, that

Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread eric-list-pf
On Tue, 2004-09-28 at 16:23:43 -0700, Trevor Talbot proclaimed... > It is. It's a mitigating mechanism for many types of > worms/bots/whatever, since they aren't capable of poking holes in their > computer owner's broadband NAT device. Yea, sure. I've seen *many* bots with identd running happi

[OT]: PF Survey

2005-02-11 Thread eric-list-pf
[ Preface: This message isn't intended to start a religious battle; ] [ I believe we are all on this list because we believe that pf is ] [ best-suited for whatever needs it's servicing. I'm just looking ] [ for information in general! :)]

Public web server behind a PF bridge, crap clients

2002-11-23 Thread Stephen Gutknecht (OBSD-PF)
I'm curious if anyone can provide some experience on something I have observed... We have a OpenBSD 3.1 firewall protecting a public web site. We are using good hardware (Intel ISP1100 1u server / Intel Pro Ethernet adapters) by all accounts, etc. At times, the only way we have been able to get

surfing from behind the firewall, pf rules

2002-11-26 Thread Stephen Gutknecht (OBSD-PF)
Hello all, Windows XP / Windows 2000 / OpenBSD systems behind a OpenBSD 3.2-stable firewall with PF. During "heavy web surfing sessions", especially when loading a lot over a slower (90Kbps link)... I see my "block in rule" stopping a few packets from port 80 servers. A g

RE: Firewall and remote machine

2002-11-27 Thread Stephen Gutknecht (OBSD-PF)
other than the 10.0.0.x network you are "borrowing" your physical link from. "man brconfig" on OpenBSD has a section on "IPSEC BRIDGE". >From my perspective, you are correct that PF has nothing or little to do with your need :) When I mention "bridge" I mean

newbie - pflogd - putting log in another location

2002-12-05 Thread Stephen Gutknecht (OBSD-PF)
Hi, I'm booting firewall from Compact Flash and want to have PF log to a mounted hard drive. My goal is to keep logs longer. I have a 2GB partition set for logging. Is there anything I need to do other than: revise /etc/rc.conf pflogd_flags="-f /fwlog/active/pflog" revise

RE: Public web server behind a PF bridge, crap clients

2002-12-06 Thread Stephen Gutknecht (OBSD-PF)
I'm going to revisit this topic... as a comment from eWeek's OpenHack 4 caught my attention. On the following page, in the left column... http://www.eweek.com/image_popup/0,3662,s=25546&iid=18512,00.asp Regarding OpenBSD 3.2 PF: *** We did notice a few problems where pf rules

RE: Public web server behind a PF bridge, crap clients

2002-12-06 Thread Stephen Gutknecht (OBSD-PF)
Correction to last post... I wrote: When we used "keep state" on our out rules, we would see port 80 packets originating from our IIS server were sometimes showing in the log as dropped. I meant to say: When we used keep state on our *in* rules (both interfaces of bridge) - we would sometimes

RE: Public web server behind a PF bridge, crap clients

2002-12-06 Thread Stephen Gutknecht (OBSD-PF)
state matching tolerance? Thanks. Stephen -Original Message- From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]] Sent: Friday, December 06, 2002 1:08 PM Subject: Re: Public web server behind a PF bridge, crap clients [snip] In every case, either the state has timed out already or the peer

OpenBSD 3.2 - NAT with only 1 interface, DHCP + alias

2002-12-25 Thread Stephen Gutknecht (OBSD-PF)
Howdy, I'm trying to NAT using only a single Ethernet interface. Laptop system where another interface is not available. The upstream is a cable modem that provides address via DHCP. I have configured my /etc/hostname.if to have: dhcp NONE NONE NONE inet alias 192.168.148.249 255.255.255.0

wireless interface sharing same subnet as wired

2003-03-08 Thread Stephen Gutknecht (OBSD-PF)
Hi, Is there a way with OpenBSD 3.2 to "bridge" the wireless and wired interface. I have a 3-leg firewall: wi0 - private wireless fxp0 - public interface fxp1 - private interface I have seen Linux and WinXP firewalls that allow you to bridge the private and wireless interface to allow a

RE: wireless interface sharing same subnet as wired

2003-03-09 Thread Stephen Gutknecht (OBSD-PF)
ith NAT. um no. -Original Message- From: Stephen Gutknecht (OBSD-PF) [mailto:[EMAIL PROTECTED] Sent: Saturday, March 08, 2003 8:45 AM To: [EMAIL PROTECTED] Subject: wireless interface sharing same subnet as wired Hi, Is there a way with OpenBSD 3.2 to "bridge" the wireless and w