Mipam wrote:
Hi All,
A small internal network is defined to be able to send traffic outside:
outside = "{ a.b.c.d }"
special = "{ 10.23.145.10 }"
internal = "{ 10.23.145.0/24, !10.23.145.10 }"
nat on fxp0 from $internal to any -> $outside
binat on fxp0 from $special to any -> $outside
Meaning
above was already over (see the
link below). Any good reason why they died when the load was back at standard
load? see http://www.flowsystems.se/~sjoholmp/pfstat.jpg
Thanks in advance
Per-Olov Sjöholm
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
On Tuesday 11 April 2006 13.51, you wrote:
> * Per-Olov Sjöholm <[EMAIL PROTECTED]> [2006-04-05 21:50]:
> > Henning Brauer wrote:
> > >* Per-Olov Sjöholm <[EMAIL PROTECTED]> [2006-03-31 18:11]:
> > >>Can PF make use of SMP?
> > >
> > >no.
> >
> > So a faster cpu (not another cpu) is the only way if
On Thursday 06 April 2006 16.48, Daniel Hartmeier wrote:
> On Thu, Apr 06, 2006 at 09:52:34AM -0400, Peter wrote:
> > > Do you know if there is something going on to make this possible?
> > > And today the only way is a rule for each customer IP in pf.conf
> > > then?
> > > Or are there maybe o
On Thursday 06 April 2006 17.00, you wrote:
> When will the counters of label restart??
>
> I'm using pf label. Now I 'm wondering that
> when will the counter restart?
>
> After reload new rule or when?
>
> Thanks.
Reload the ruleset or clear the stats with a pfctl -z flag.
There are probably mo
On Thursday 06 April 2006 16.26, Daniel Hartmeier wrote:
> On Wed, Apr 05, 2006 at 11:49:12PM +0200, Per-Olov Sjöholm wrote:
> > The PF rule...
> > pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label
> > "TEST:$dstaddr#" keep state
> >
On Thursday 06 April 2006 01.03, Peter wrote:
> --- Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
> > The PF rule...
> > pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label
> > "TEST:$dstaddr#" keep state
> >
> > Gives a label like
> > TEST:65.45.128.128/25# 230 3099 1511793 1370
The PF rule...
pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label
"TEST:$dstaddr#" keep state
Gives a label like
TEST:65.45.128.128/25# 230 3099 1511793 1370 148914 1729 1362879
Is there an easy way to do expansion of $COLOC_IPS_1 so that the single
rule above gives labels
Henning Brauer wrote:
* Per-Olov Sjöholm <[EMAIL PROTECTED]> [2006-03-31 18:11]:
Can PF make use of SMP?
no.
So a faster CPU (not another CPU) is the only way if we will see too much
CPU usage caused by interrupts then... ?
(if we already have quality nics and hopefully an optimized rulese
Hi
Can PF make use of SMP? Asking as high load generates a lot of interrupts and
therefore eats CPU. We already use expensive dual port Intel NICs and also
some interrupt sharing to avoid too many context switches.
/Per-Olov
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC
On Friday 31 March 2006 12.45, you wrote:
> >This patch allows multiple tags in the tagged statement, like this:
> > pass out all on $ext proto tcp tagged { ADMIN, DEV }
> >I find it useful when using tags extensively.
>
> Hi, I hope someone finds this as useful as I do.
Are the tags still sti
On Fri, February 10, 2006 20:10, Jon Simola wrote:
> On 2/9/06, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
>
>> Look at the following output:
>> [EMAIL PROTECTED]:~#ifconfig fxp0 inet alias 192.168.21.2 netmask
>> 255.255.255.0
>> broadcast 192.168.21.255 up
fxp0
192.168.8.20:e:c:a9:a8:8 UHLc05 - fxp0
192.168.21/24 link#1 UC 00 - fxp0
192.168.22/24 link#1 UC 00 - fxp0
224/4 127.0.0.1 URS 00 33224 lo0
Thanks in advance
Per-Olov Sjöholm
On Tuesday 07 February 2006 10.41, you wrote:
> On Mon, Feb 06, 2006 at 10:41:03PM +0100, Per-Olov Sjöholm wrote:
> > Is there a way to see in any log that the rate limiting, max source
> > nodes, max source states etc is working? I seems I can't find anything
> > about t
Hi
Is there a way to see in any log that the rate limiting, max source nodes, max
source states etc is working? It seems I can't find anything about this in the
pflog... I *can* see that an ssh session is hanging and not connecting and
assume that the rate limiting is working. But I would like t
terface. If I reboot FW1 then FW2 takes over. If FW1
> comes up and the switch is still down, FW2 is still MASTER for all
> interfaces. Is it a work around to a possible bug? Maybe.
>
> -Steve S.
>
> Per-Olov Sjöholm wrote:
> > Does that work?
> >
> > "man c
e
> described, only one FW is MASTER (the backup in this case)
>
> -Steve S.
>
> Per-Olov Sjöholm wrote:
> > I had dmz4-dmz6 100% configured but no cables connected to the
> > switch. The carp interfaces for them were in "init" state as they
> > could
top post... ok
I *think* I have tracked it down...
I had dmz4-dmz6 100% configured but no cables connected to the switch. The
carp interfaces for them were in "init" state as they could not talk to each
other. Although it all seemed to work as it should for all other interfaces.
This means al
ARPv2-advertise 36: vhid=5 advbase=1 advskew=240 (DF) [tos
0x10]
Suggestions *very* much appreciated
Thanks in advance
/Per-Olov Sjöholm
On Thursday 26 January 2006 23.49, you wrote:
> On 1/26/06, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED]:~#more /etc/hostname.carp1
> > 192.168.8.1 255.255.252.0 192.168.11.255 vhid 2 pass mypassword
>
> Try adding carpdev into your hostname
Hi
I have been using two firewalls with a carp+pfsync (6 interfaces + a dedicated
pfsync) setup in a company environment based on OpenBSD 3.6 for a year. Now I
have upgraded to 3.8 and see *really* strange things...
The LAN is a supernet 192.168.8.0 with a /22 mask which seems to be a problem
n
On Tuesday 08 November 2005 15.30, Jon Hart wrote:
> On Tue, Nov 08, 2005 at 01:39:21AM +0100, Per-Olov Sjöholm wrote:
> > Hi
> >
> > I have a redundant firewall with CARP. 3.6 STABLE plus all patches from
> > CVS for stable (updated last week). The firewalls have 7 n
nuary but need this working now...
Thanks in advance
Per-Olov Sjöholm
A running ssh or telnet session will just freeze for a second or so and then
continue when a failover happens. When it comes to ftp I think you have a
problem if you use any userland proxies.
/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
On Monday 24 January 2005 14.38, you wrote:
> On Mon, Jan 24, 2005 at 01:22:03PM +0100, Per-Olov Sjöholm wrote:
> > Any suggestions? It worked well in 3.5...
>
> Even with the patch in -stale, you'll need 'set state-policy if-bound',
> see
>
> http:
works.
I have a cvs checkout for 3.6 stable from Jan 20 which I think contains
Daniel's patch that is mentioned in an earlier thread. pf.c is revision
1.457.2.7 from 2006/01/06.
Any suggestions? It worked well in 3.5...
Thanks in advance
Per-Olov Sjöholm
On Monday 22 November 2004 05.17, you wrote:
> HI Folks,
>has anyone written a helper application like ftpsesame that will allow
> citrix metaframe to work through a pf firewall?
>
> Citrix first talks on port 1494 and negotiates a high numbered port
> which the client then connects back to
Hi
Could any of the below changes to if_pfsync.c in cvs be related to my just
logged problem with random lost connections that only appears in a dual fw
environment with pfsync? The changes below are not applied as I use 3.6
release... I was not the only person that just like that started to see
r
On Wednesday 10 November 2004 19.46, you wrote:
> On Wed, Nov 10, 2004 at 04:14:59PM +0100, Per-Olov Sjöholm wrote:
> > >> http://marc.theaimsgroup.com/?l=openbsd-pf&m=109351242125764&w=2
> > >>
> > >> This has been fixed in -current, you might want to try that.
> >
> > Is this fixed in 3.6 release
Hi
During boot I see a console output that says:
"ifconfig: SIOCSETPFSYNC: No buffer space available"
The server is 3.6 release. Seems to be related to that I try to set up a carp
+ pfsync setup.
Does anybody have a clue of what can cause this error?
Many thanks in advance
/Per-Olov
--
Hi !
Is altq info also synced with pfsync from box1 to box2? Or will a failover
session have an unlimited bandwidth if the altq info is not transferred?
And what is not synced with pfsync (if any)? Differences 3.5 to 3.6?
Thanks
/Per-Olov
On Wednesday 04 August 2004 10.08, James Cammarata wrote:
> Two more updates from today, up to version 0.05.
>
> Changes:
> * altq / queue rules parsed
> * table rules are now parsed
>
> Tomorrow should bring options parsing as well as all anchor rules, and that
> will round out the majority of the
Hi !
I have used "$if:network" and "$if:broadcast" much to avoid specifying macros
with IP addresses. However... I have recently fixed me a second public IP on
my internet interface. Now I see the limitations with this and have to go
back and specify the IPs directly in pf.conf (for the Intern
[EMAIL PROTECTED] said:
> On Mon, Jun 21, 2004 at 02:28:26AM -0500, James Cammarata wrote:
>> At 06:00 AM 6/16/2004, [EMAIL PROTECTED] wrote:
>> >Does anybody protect any oracle rdbms (sqlnet protocol) using
>> >obsd 3.5 + carp + pfsync ? Does it work ? Is it problematic ?
>>
>> I assume you want t
James Cammarata said:
> Is there any interest in this? I am currently writing one in Python/Zope
> to manage the PF rules. It's in the very early stages of planning so
> there
> isn't much to it yet, so I thought I'd ask people what they thought of the
> idea / Zope. I personally love Zope for w
Daniel Hartmeier said:
> On Mon, May 24, 2004 at 12:59:15PM -0500, Peter Hessler wrote:
>
>> Just updated my firewall to the May 21st source, and I am having a
>> problem
>> with synproxy. My synproxy rule is:
>
> This is the second (or third) report, I think something really broke. Do
> you have
Bruno Afonso said:
> Per-Olov Sjöholm wrote:
>
>> Bruno Afonso said:
>>
>>>Henning Brauer wrote:
>>>
>>>
>>>
>>>>>This means that over 90% of all
>>>>>bridge examples I have seen on the net where queueing takes pla
g for a bridge on just one
interface. And then I first thought (as I couldn't find much bridge info)
that it could also affect the queuing in some strange way. But that is
obviously not the case.
Thanks
/Per-Olov Sjöholm
that block diagram? :)
>>
>> The original: http://mniam.net/pf/pf.png
>> My version: http://homepage.mac.com/quension/pf/flow.png
>
> Am 25. Apr 2004 um 11:26 schrieb Per-Olov Sjöholm:
>
>> Hi all
>>
>> Have anybody made a packet flow picture for PF like
Hi all
Has anybody made a packet flow picture for PF like the one Darren Reed
has for IP filter?
http://coombs.anu.edu.au/~avalon/ipfil-flow.html
/Peo
Trevor Talbot said:
> On Saturday, Apr 24, 2004, at 15:12 US/Pacific, Per-Olov Sjöholm wrote:
>
>> Henning Brauer said:
>>> * Per-Olov Sjöholm <[EMAIL PROTECTED]> [2004-04-23 23:21]:
>>>> This is fact:
>>>> * Queue on the outgoing interface
>&
Henning Brauer said:
> * Per-Olov Sjöholm <[EMAIL PROTECTED]> [2004-04-23 23:21]:
>> This is fact:
>> * Queue on the outgoing interface
>> * On a bridge it is according to the FAQ at OpenBSD "STRONGLY"
>> recommended
>> to filter on just ONE interfa
jared r r spiegel said:
> On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote:
>>
>> If you have a std firewall not set up as a bridge everything is clear
>> (shape on the outgoing interface).
>
>> But if you want to shape traffic on both directions
Hi !
If you have a std firewall not set up as a bridge everything is clear
(shape on the outgoing interface).
But if you want to shape traffic on both directions on a bridge ?
I am about to try bridging for a setup where we want to shape traffic
without changing the network topology and put this
Hi !
I have started to look at pfsync for state table syncing and have read the
excellent written docs from Ryan McBride. I do however have some questions...
Can pfsync handle to sync queue info as well ?
How well will altq work in a pfsync/carp environment?
Thanks
Per-Olov Sjöholm
Darek Eliasz said:
> Hello.
> I have problem with rules for ftp server which is standing on DMZ. I read
> archive, but i can't find working solution.
> Firewall/router is running under OpenBSD 3.4. There are 3 NIC's :
> ext_if="fxp2" - internet
> prv_if="fxp0"- LAN
> dmz_if="fxp1" - DMZ
> On D
Gary said:
> I've been searching for some examples of pf.conf but all I can find are
> examples for a gateway/firewall with emphasis towards NAT.
>
> I need to set up packet filter on a stand alone (single NIC) OpenBSD 3.4
> box which will run ssh, httpd, dns, smtp, pop3.
>
> Please can anyone poin
Read the old posting ( just a few days old) from me with the answer from
Daniel Hartmeier.
The subject of that posting was "Re: packets with SYN and FIN set not
discarded!"
I think as said that it's a false positive as scrub removed the FIN from
the packet. And then the pass rule with the S/SA (
Daniel Hartmeier said:
> On Sun, Jan 25, 2004 at 02:59:16PM +0100, Per-Olov Sjöholm wrote:
>
>> I know the purpose of the flag mask... But I thought Daniel Hartmeier
>> said
>> that F is cleared by scrub if it's in a combination with S, and therefore
>> should co
Daniel Staal said:
> --As off Saturday, January 24, 2004 6:42 PM +0100, Per-Olov Sjöholm
> is alleged to have said:
>
>> Hi !
>>
>> A friend yesterday scanned my firewall with nessus. One thing he
>> found was that nessus said:
>> "The remote host does n
ve to manually block all illegal flag combinations as I earlier
used to do when I used ipfilter?
I have not looked any deeper into this as I know there are a lot of bright
people on this list that probably know this...
Thanks in advance
Per-Olov Sjöholm
This is how I usually build up my filters
I left everything out except the rules and variables. Maybe it can give
you some hints.
-pf.conf
LAN_INT="em0"
DMZ1_INT="fxp0"
INTERNET_INT="fxp1"
ALL_INTERFACES="{" $LAN_INT $DMZ1_INT $INTERNET_INT "}"
# SETTING SOME DEFAULTS
block lo
Hi !
Here is an old pf.conf I found that u can use as an example or template (it
will work in OpenBSD 3.4)...
Hope it will give you some hints. By the way... The examples in OpenBSD 3.4 are
not bad and should be easy to use as a template. Note that some rows are
commented out and not used.
The co
tate
--snip--
Maybe the only way is to do it like below in pf.conf...
INTERNET_INT_IP_1="200.200.200.200"
INTERNET_INT_IP_2="200.200.200.201"
But I prefer if possible to NOT specify too many IPs in my pf.conf.
Suggestions ?
Thanks in advance
--
Per-Olov Sjöholm
Flowsystems
terface as you suggest as that
interface will never change. but the $DMZ1_INT:broadcast is translated to the
corresponding broadcast address.
But I can miss something as well... ;-)
Thanks
Per-Olov Sjöholm
On Monday 25 August 2003 09.29, Daniel Hartmeier wrote:
> On Mon, Aug 25, 2003 at 08:04:34AM +0200, Per-Olov Sjöholm wrote:
> > The rule simply doesn't work with the () specified. Have I missed
> > something ?
>
> No, that's simply not supported yet.
>
>
ecified. Have I missed something ?
Thanks
Per-Olov Sjöholm