eneral,
but quite possibly some of the relevant developers read this as well.
- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
both for
this one and openbsd-misc, or for that matter openbsd-newbies).
And finally, for PF examples there is one more oft-cited resource, my
own The Book of PF (http://nostarch.com/pf2.htm) or the PF tutorial that
it grew out of (http://home.nuug.no/~peter/pf/, which links to full text
versions plu
, the keyword 'self' expands to all addresses
assigned to all interfaces on the host (as a man pf.conf and search for
self would have told you).
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuu
scenario, have a
slightly simpler script do the tables shuffling at a specific time
(again assuming you slice your traffic according to table membership).
Off the top of my head, I think those are the most workable options, I
hope this was a tiny bit helpful.
- Peter
[1] http://home.nuug.
d to a proper treatment of port
knocking in a blog post or article, and that may still happen given
enough round tuits. In the meantime, the main points have already
been presented.
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://w
Stuart Henderson wrote:
> On 2010/10/03 14:24, Peter GILMAN wrote:
> >
> > Marcus Larsson wrote:
> >
> > > On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
> > >
> > > > can anybody see what i'm missing? i'd love
Marcus Larsson wrote:
> On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
>
> > can anybody see what i'm missing? i'd love to score some points
> > for openbsd at my job (and i'll fall back to 4.6 if i have to) but
> > i'd really lov
ate
can anybody see what i'm missing? i'd love to score some points
for openbsd at my job (and i'll fall back to 4.6 if i have to) but i'd
really love to get this working with 4.7. any insight would be much
appreciated.
thanks,
peter gilman
tools in a very simple way.
One could of course argue that a little sshd config would go a long
way too, say enabling key based logins only (turning off password
authentication) and disallowing root logins so on, but we don't know
whether they've done that already.
- Peter
--
esets, with all the flexibility that comes with pf.
but you're right, it requires ssh to be accessible in order to log in,
and so may not be what the original poster was looking for.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bs
; that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the
> pf ruleset?
I'd say this sounds like a situation where authpf could come in quite handy.
- P
--
Peter N. M. Hansteen, member of the firs
x.
One random thought - does your rule set include such things as limits
on max number of connections? Pure speculation, of course, but it is
one of many situations that would fit the symptoms you describe.
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bs
scrub (reassemble tcp)
or some variation (some other parameters are possible). It's in the
official docs, but not all the other resources out there that your
favorite search engine will turn up have caught up with the news yet.
--
Peter N. M. Hansteen, member of the first RF
Hi,
We are testing the milter milter-checkrcpt.
Linux sendmail 8.13 to NovellGroupWise.
Sometimes the Novellserver says "421 Service not available" (Server
busy, some like that) ani
it would be REJECT.
So, would it not be better to say: if user available OK, if user not
available REJECT, all other
hu st writes:
> So could pf limit the maximum number of simultaneous state entries
> that a single source IP's source port can create with a rule?
> (borrow from man pf.conf :))
max-src-states? (see STATEFUL TRACKING OPTIONS in man 5 pf.conf)
- P
--
Peter N. M. Hansteen, membe
Michael Grigoni writes:
> Please let us know what IRC server and channel you found for 'pf'
> discussions; it would be very useful.
FreeNode has a #pf channel. relatively low volume, at times quite useful.
--
Peter N. M. Hansteen, member of the first RFC 1149 implemen
study the
actual traffic and the inevitable tweaking of the parameters such as
lowering number of allowed connections.
- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil
ng an intensive Full-day PF tutorial[2]
featuring Book of PF[3] author Peter Hansteen[4]. Click the links, then go
to the OpenBSD events page[5] for ways to extend that away from work
period.
[1] http://www.ukuug.org/
[2] http://www.ukuug.org/events/pftutorial/
[3] http://nostarch.com/pf.htm
[4]
ased
on an analysis of observed needs and an actual specification, somewhere
down the road.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network t
Ken Gunderson <[EMAIL PROTECTED]> wrote:
> Look what's happened to
> FreeBSD - damned near unusable these days.
funny - after using openbsd everywhere for years, i finally had to
switch to freebsd on my laptop (tp a31) because things that had worked
fine on previous versions of openbsd stopped w
ng but not limited to 'would it be more useful with a
multi-level certification', and of course any input on what the task
and skills spec should contain.
[1] http://www.bsdcertification.org/index.php?NAV=FAQ#Q04
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
htt
until somewhere in your rc.local to
fill in those addresses (say, with a script that checks if each name
resolves, then adds the returned addresses to the table). Brittle,
but with a fighting chance of working.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http
m' and 'to' keywords only
denote source and destination addresses respectively.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network
clear things up. Sorry.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
), and I would think you're a lot closer to a
solution that would fit the basic requirements, ie adding flexibility
without adding clutter to the system at the same time.
Just my EUR 0.02, and maybe better ideas will be had by morning.
All the best,
--
Peter N. M. Hansteen, member of the firs
rrived and life's good :)
One interesting factoid (fsvo) is that this happened within hours of
the twenty-five thousandth unique visitor (since EuroBSDCon 2006 that
is) hitting the book's predecessor, the online PF tutorial[4].
So happy hacking holidays everyone,
[1] http://nostarch.com/
p://www.openbsd.org/faq/index.html>,
and just to toot my own horn, there's word out that those *excellent*
references are a little easier to take in usefully after you've spent
some time browsing <http://home.nuug.no/~peter/pf/> (also nostarch.com
may have the perfect xmas presen
interested in the results. Once you have made a decision,
> upgrading one is simpler than changing both.
It would be interesting to hear any data that comes out of tests like
that. That is, as long as the OP doesn't mind being a guinea pig.
- P
--
Peter N. M. Hansteen, member of th
I'm also
slightly curious about a direct comparison of FreeBSD vs OpenBSD
performance on the same hardware.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on al
ill don't see how a bridge would be totally desirable, but then it's
possible I'm just being incredibly dense. I think I'd need more
information about your setup such as addresses and netmasks to offer
any input on that.
--
Peter N. M. Hansteen, member of the first RFC 1149
it
takes your main redundancy feature off the table. Why not just a
carp/pfsync setup?
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network tra
The error reporting messages could possibly be improved upon too.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Ed wrote:
> Dear ladies and gentlemen,
>
> OpenCON is the only conference fully dedicated to OpenBSD. Last year
> edition was a great success and featured also the party for OpenBSD
> 10th birthday, with project leader Theo de Raadt and a lot of
> developers. More info here: http://2006.opencon.
centring view is really
is the only logical perspective if you think of it.
That's why I spend so much time hammering that in during the
relatively basic PF tutorial I've been giving. (yes, the one at
<http://home.nuug.no/~peter/pf/>).
--
Peter N. M. Hansteen, member
out to the destination address.
in simple environments it is possible to work around the problem by
omitting direction (implicitly writing rules for both inbound and
outbound traffic), ie
block inet from 192.168.0.1 to 192.168.114.31
pass inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep
.
In the meantime, plain old keep state isn't too bad either.
Cheers,
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
d
tups where you need to pass traffic in on a specific interface
(or interface group) and out on a some other specific interface or
group, it's a different story of course, but PF lets you do the less
complicated things in very straightforward ways.
This is the kind of stuff I rant about ext
e means is, you use "pass from queue foo" constructs
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded t
27; in your types list. If you use a list
of icmp codes too, 'host-unr' would be a valid member of your list of
codes.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we
Jacques Beigbeder <[EMAIL PROTECTED]> writes:
> But where is the trouble? Is there a better fix?
hard to tell without taking a peek at your actual rule set, but could
it be that you forgot "keep state" in the pass rules which let your
name service queries through?
--
P
the connection. Can pf do this?
The details differ slightly, but you can get something functionally
equivalent using overload rules and a table you block. I have some
musings on this in the tutorial[1], it does not cover all possible
wrinkles but should be enough to get you started.
[1] http://ho
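An added example of the overload-table approach the reply above points to, also covering the max-src-states option mentioned in the earlier max-src-states answer. This is not from the posts or from the tutorial; the table name <bruteforce>, the macros $ext_if and $localnet, and the limit values are assumptions chosen for illustration:

```pf
# Added example, not from the list posts. <bruteforce>, $ext_if,
# $localnet and the numeric limits are assumptions for illustration.
table <bruteforce> persist

# Anything that has earned a place in the table is dropped outright.
block quick from <bruteforce>

# Per-source limits on ssh: at most 15 simultaneous connections, and at
# most 5 new connections per 3 seconds. A source that exceeds either is
# added to <bruteforce>, and "flush global" tears down all of its states.
pass in on $ext_if inet proto tcp from any to $localnet port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# max-src-states caps the number of state entries one source address may
# hold at a time; the state is created as usual, the rule simply stops
# matching for that source once the cap is reached.
pass in on $ext_if inet proto udp from any to $localnet port domain \
    keep state (max-src-states 100)
```

Entries in a persist table stay until removed; the usual way to age them out is a cron job along the lines of `pfctl -t bruteforce -T expire 86400`, which drops entries not referenced for the given number of seconds. The limits above are starting points, not recommendations; as the thread notes elsewhere, they need tuning against the actual traffic.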
f&sektion=8&manpath=OpenBSD+4.0
[3] http://home.nuug.no/~peter/pf/en/vegard.authpf.html
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" Th
such as
table persist expire 24h
meaning that table entries are removed when they have not been
referenced during the last 24 hours.
Oh well, it's late already. But it would be nice to hear any thoughts
on this, including "shoot this down, quick!"
[1] http://marc.theaimsgroup.com/?
of the world.
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
I would supplement this with a 'no rdr' rule for the proxy generated traffic.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/
Dominik Zalewski <[EMAIL PROTECTED]> writes:
> I have OpenBSD 4.0 firewall and I would like to redirect all outgoing http
> requests to my squid web proxy.
Daniel Hartmeier wrote about this a while back, his article can be found at
http://www.benzedrine.cx/transquid.html
--
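An added example tying together the two replies above (the rdr rule and the suggested 'no rdr' exemption for proxy-generated traffic). It is not from the posts or from Daniel Hartmeier's article; the interface name, proxy address and listening port are assumptions:

```pf
# Added example, not from the list posts. xl1, 192.168.1.10 and port 8080
# are assumptions; adjust to the real interface, proxy host and Squid port.
int_if = "xl1"
squid  = "192.168.1.10"   # proxy host sitting on the internal LAN (assumed)

# The proxy's own fetches also arrive on $int_if, so without this rule
# they would be redirected straight back to the proxy and loop.
# nat/rdr rules are first-match, so the exemption must come first.
no rdr on $int_if proto tcp from $squid to any port 80

# Everything else on the LAN bound for port 80 goes to Squid instead.
# "rdr pass" also passes the redirected packets, so no separate
# pass rule is needed for them.
rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
```

If Squid runs on the firewall itself rather than on a LAN host, its outbound requests leave on the external interface and never hit an rdr on $int_if, so the 'no rdr' line is unnecessary in that layout.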
al at http://home.nuug.no/~peter/pf/,
specifically http://home.nuug.no/~peter/pf/en/tables.html, and of
course man pfctl is your dearest friend :)
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no
flags S/SA keep state
pass inet proto tcp from any to $localnet port ssh flags S/SA keep state
I have a semi-rant about these things in the tutorial[1], which I
probably will be accused of plugging quite shamelessly at this point.
[1] http://home.nuug.no/~peter/pf/, specifically about these matters
s
block all
pass from self to any keep state
or
pass from 10.12.14.0/24 to any port ssh keep state
it's extremely flexible really. The reason you see interface name
macros so often is that people tend to find them useful, but you can
do without them entirely if you like, I suppose
Hello, everyone!
I'm not sure, if it is the good forum or not where I can
post my problem, but I hope there are some people who have met
similar problems or have some good instructions as a
solution. Sorry for a long letter.
Till now I used Internet with ADSL, and an OpenBSD firewall
separated my local
As some of you may be aware, I presented a half day PF tutorial at
EuroBSDCon in Milan. The manuscript is now online in several formats
at http://home.nuug.no/~peter/pf/.
This is a manuscript I've revisited on occasion over roughly the last
two years, intended as a flash intro to the fu
; something that large?
The limits are tuneable via pf.conf 'set limit' options. I forget
what the default max table size is, but the pf.conf man page contains
the magic to set it to 100,000 entries. Going from there should be
straightforward.
--
Peter N. M. Hansteen, member of the f
w
options which makes it easy to do operations on tables from the
command line.
So I suppose any set of addresses which conceivably could change more
frequently than you would want to reload your entire rule set would be
a prime candidate getting turned into a table.
--
Peter N. M. Hansteen
Michal Soltys <[EMAIL PROTECTED]> wrote:
>
> Those testes were with both enabled
that's reassuring...
I have a firewall running on my gateway. I also have a home mailserver
on my lan on which I decided to place its own firewall. I am now
getting disconnections from incoming SMTP traffic. I figure it is due
to
the TCP handshake not properly being set up but if someone can fill in
the details
The problem was an error in my rules. It has been corrected but an
auxiliary issue has surfaced. Due to limitations in hardware this
second firewalled host has two IP addresses on the same subnet. I
would like requests to certain ports to exit on a particular interface.
How do I do that? For
I am writing a shell script to handle simple IP accounting and I'm
getting an error I cannot solve. Here is the pertinent snippet:
PORT_IN=$(pfctl -sl | grep $i | grep $LABEL | cut -d ' ' -f 9)   # bytes
PORT_IN=$(echo "scale=3; $PORT_IN / 1024" | bc)                  # kilobytes
PORT_IN_SUM=$(cat
run -current on something mission critical a
continent away, 'glutton for punishment' comes to mind.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spa
--- Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 13, 2006 at 11:07:46AM -0400, Peter wrote:
>
> > I have installed the pfstat 1.7 package on my 3.8 system. The
> trouble
> > is that I do not get any data being graphed. Here is my test
> setup:
> &
th (i.e. every one minute as opposed to every five
minutes)?
Peter
Hello lists! (sorry if cross-list posting is frowned upon)
I'm setting up a BSD/pf machine that will be working as a binat
firewall for a number of hosts on two /28 subnets belonging to the
same co-location provider.
The BSD machine is already live, working hard for one subnet, and I
don't have
king it without timing out, and so on.
There are several more ways to misconfigure a machine so it will
produce the rather bizarre symptoms you are describing, but from the
information you are volunteering it's pretty much impossible to tell
what is causing the situation.
--
Peter N. M. Hanste
is
is my first large scale pf configuration.
My full config is at:
http://narwar.net/~peter/pf.conf
Note that traffic to lo0 is currently just passed as I couldn't figure
out what to do with it.
Am I thinking about this the wrong way, should I basically have a pass
in set from each subn
ous goodness of your wished-for feature
does not convince, you should consider the possibility that a) your
idea isn't actually that obviously good or b) you need to work a bit
more on that explanation. Abuse and name-calling never helps your
case, ever.
--
Peter N. M. Hansteen, mem
st its
controlling terminal due to a reboot of a putty.exe equipped machine
elsewhere, it all started working again in that particular case. Given
the stability of the platform running putty.exe, this has happened more
than once.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation t
2.168.1.101 port 6502
> rdr tx1 1.2.3.3/32 port 6503 -> 192.168.1.122 port 6503
These are ordinary redirects as far as I can see, so would carry over
with minor adjustments.
Hope this helps,
[1] the tutorial is a work in progress, with a reasonably up to date
version posted at http://w
--- Per-Olov Sj�holm <[EMAIL PROTECTED]> wrote:
> On Thursday 06 April 2006 01.03, Peter wrote:
> > --- Per-Olov Sj�holm <[EMAIL PROTECTED]> wrote:
> > > The PF rule...
> > > pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1
&g
--- Per-Olov Sj�holm <[EMAIL PROTECTED]> wrote:
> The PF rule...
> pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label
> "TEST:$dstaddr#" keep state
>
> Gives a label like
> TEST:65.45.128.128/25# 230 3099 1511793 1370 148914 1729 1362879
>
>
> Is there an easy way to do e
--- Don Boling <[EMAIL PROTECTED]> wrote:
> On 4/5/06, Peter <[EMAIL PROTECTED]> wrote:
> > I have a user that is on WinXP. She uses Microsoft's Remote
> Desktop to
> > connect to a remote server (TCP port 3389). I have installed
> OpenBSD
> >
ence and the latency is going to happen again in
which case I am asking people what do they think I should look at? I
have since begun making long term tcpdump captures using pflog0.
Thanks,
Peter
[EMAIL PROTECTED] writes:
> Thanks Peter and mouss for the replies.
Oh, you're welcome,
> But I'm still puzzled. I read the description of the rdr directive a
> number of times and looked at some of the examples but it's still not
> clear to me how the above pr
--- IMS <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I try to write FTP rules with ftp-proxy.
> However, after trying for several hours...
> It isn't working...
It depends what kind of FTP you are looking at. Most FTP clients these
days use passive FTP. In this case, you do not need ftp-proxy at all.
You
[EMAIL PROTECTED] (mouss) writes:
> map != rdr.
ipf != pf.
.?
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forw
ipsec/tcp
> map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000
> map $ext_if 192.168.10.0/24 -> 1.2.3.4/32
browsing the IPF howto briefly, I think you should be able to get those
done via rdr constructs and matching pass rules. The finer details
escape me, though.
port http keep state
would serve you better in the end.
My rant about this is at http://www.bgnett.no/~peter/pf/en/basicgw.html
(part of a PF tutorial).
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.n
probably
want a NAT rule in your config as well.
- have you enabled gatewaying (sysctl net.inet.ip.forwarding=1)?
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the
,
please let me know. Comments of all kinds are welcome. And yes, the
manuscript is set to evolve a bit further for BSDCan and SANE, those
updates will appear on-line, BSD licensed, after the conferences too.
The files are at http://www.bgnett.no/~peter/pf/, or can be accessed
directly as
you are not making debugging
any easier.
you could try my tutorial at http://www.bgnett.no/~peter/pf/ for a
gentle walkthrough.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First
mes?
This is certainly not a comprehensive analysis, but do look into the
logic issues here. The readability issues are probably byproducts of
using a GUI tool, so I won't beat you over the head with them just yet.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation t
PN" for something or other thought of some
other way to do what they needed.
(Microsoft - no, there's always an easier way :))
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"
ution unless
handled properly. Done right it sounds rather attractive though.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "
icial PF docs a bit more
accessible after spending some time with my PF tutorial at
http://www.bgnett.no/~peter/pf/ (see events.html at the openbsd site for
live performances of a slightly revised version).
"debugging PF rule sets" might actually be a good tutorial topic. Noted
for lat
ral admin checklist.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]:
FreeBSD (lots more packages available).
[1] For some odd reason these messages were not as easy to find as I
had thought, but I'm pretty sure they're in the archives somewhere
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.n
one out. Thanks in Advance
Peter
--- [EMAIL PROTECTED] wrote:
> Hi all
>
> I hope this has not been asked millions of times... because if it has I
> am beyond help... since I cannot find the solution.
Upgrade to 3.8. You get two more columns which do track ALL traffic.
# pfctl -sl | grep tcp:80
inbound - tcp:80 -> 1 4 184 2
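The two accounting threads above (the shell script that cuts `pfctl -sl` output at a fixed field number, and the reply noting that 3.8 added more counter columns) both run into the same snag: a label may contain spaces, as "inbound - tcp:80 ->" does, so the counters do not land in a fixed field. The added example below is not from the posts; it parses label lines by peeling the numeric counters off the right-hand end, which works for the short pre-3.8 column set as well as the seven- or eight-column output of later releases, and it sums bytes across labels that share a prefix (useful when a label like "TEST:$dstaddr#" has been expanded into one rule per address). The sample output is constructed, and the assumed column order (evaluations, packets, bytes, then packets-in, bytes-in, packets-out, bytes-out) is what pfctl printed in that era; a label that itself ends in a bare number would be mis-split by this approach.

```python
"""Parse `pfctl -sl` label counters for per-label IP accounting.

Added example, not from the list posts. Column order assumed:
evaluations, packets, bytes [, packets_in, bytes_in, packets_out, bytes_out
[, states]]. A label ending in a bare integer would be mis-split.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `pfctl -sl` output (not captured from a real host).
# Note the label with embedded spaces and the short three-counter line.
SAMPLE_PFCTL_SL = """\
TEST:65.45.128.128/25# 230 3099 1511793 1370 148914 1729 1362879
TEST:65.45.129.0/24# 10 20 1000 5 400 15 600
inbound - tcp:80 -> 12 440 184320 220 20480 220 163840
ssh-in 5 6 432
"""


@dataclass
class LabelCounters:
    label: str
    evaluations: int
    packets: int
    bytes_total: int
    bytes_in: Optional[int] = None   # only present with 7+ counters
    bytes_out: Optional[int] = None


def parse_label_line(line: str) -> Optional[LabelCounters]:
    """Split one `pfctl -sl` line into label and counters.

    Counters are taken from the right so that spaces inside the label
    do not shift the field positions (the failure mode of `cut -f N`).
    """
    tokens = line.split()
    counters: List[int] = []
    while tokens and tokens[-1].isdigit():
        counters.append(int(tokens.pop()))
    counters.reverse()
    if len(counters) < 3 or not tokens:
        return None                      # comment, blank or unparseable line
    rec = LabelCounters(" ".join(tokens), counters[0], counters[1], counters[2])
    if len(counters) >= 7:
        rec.bytes_in = counters[4]
        rec.bytes_out = counters[6]
    return rec


def parse_pfctl_sl(text: str) -> Dict[str, LabelCounters]:
    """Map label -> counters for every parseable line of `pfctl -sl` output."""
    records: Dict[str, LabelCounters] = {}
    for line in text.splitlines():
        rec = parse_label_line(line)
        if rec is not None:
            records[rec.label] = rec
    return records


def sum_bytes_by_prefix(records: Dict[str, LabelCounters], prefix: str) -> int:
    """Total bytes over all labels sharing a prefix, e.g. expanded $dstaddr labels."""
    return sum(r.bytes_total for r in records.values() if r.label.startswith(prefix))


def kilobytes(nbytes: int, scale: int = 3) -> str:
    """Same result as `echo "scale=3; $n / 1024" | bc`: truncated, not rounded."""
    whole, rem = divmod(nbytes, 1024)
    frac = (rem * 10 ** scale) // 1024
    return f"{whole}.{frac:0{scale}d}"


if __name__ == "__main__":
    recs = parse_pfctl_sl(SAMPLE_PFCTL_SL)
    for label, r in recs.items():
        print(f"{label!r}: {kilobytes(r.bytes_total)} KB total, "
              f"in={r.bytes_in} out={r.bytes_out}")
    print("TEST:* total bytes:", sum_bytes_by_prefix(recs, "TEST:"))
```

Run it on real data with `pfctl -sl | python3 pfacct.py` after swapping the constructed sample for `sys.stdin.read()`; the parsing logic is unchanged by that.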
--- David Powers <[EMAIL PROTECTED]> wrote:
> I highly recommend looking into openvpn as an alternative. If you have
> control of both ends and don't have to work to inter operate with an
> existing IPSEC implementation then it is vastly easier to setup and
> maintain.
>
> -David
>
> Travis
(interface) notation is supposed to take care of?
as in
ext_if = "tun0" # macro for external interface - use tun0 for PPPoE
int_if = "xl1" # macro for internal interface
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext
ports system.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
ription
in http://www.bgnett.no/~peter/pf/en/bruteforce.html is written mainly
with SSH bruteforcers in mind, but with a few trivial adjustments would
apply equally well to SMTP. On the other hand, I would risk a wild
guess that the bots all run a certain family of operating systems, in
which cas
communications. Why is that? The provided rc.vpn script
does this without explanation.
2. What is the use of forcing IP-in-IP (-forcetunnel) when setting up an
SA? The vpn manpage example does this without explanation.
--
Peter
--- "Melameth, Daniel D." <[EMAIL PROTECTED]> wrote:
> Peter wrote:
> > Question: Why does tcpdump show pf rules when I use the pflog0
> > interface in combination with the -e switch (link layer)? It's a
> > fantastic feature but it seems like an odd w
0x00001
--
Peter
--- Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> Coming from FreeBSD's ipfw2, I've been accustomed to having a timestamp
> (ie: ipfw -t) that allowed me to measure "hits" on a given
> IP/block/rule.
>
> This isn't available with PF (though I think it would be a good idea).
>
> I maintain (as a
--- [EMAIL PROTECTED] wrote:
> We use Cacti, Net-SNMP, and several Perl scripts to monitor our OpenBSD
> firewalls.
>
>
https://noc.ece.uprm.edu/cacti/graph_view.php?action=tree&tree_id=2&hide=0&branch_id=734
>
> Pablo
>
>
> > I have written an IP accounting system using pf labels. It runs e
matter.
--
Peter
t_if inet proto tcp from any to any port { $tcp_services }
> \
> modulate state
>
> pass in on $ext_if inet proto tcp from any to any port { 80, 443 }
> modulate state
>
>
>
> pass in on $ext_if inet proto udp all keep state
>
> pass in on $ext_if inet prot
--- Cédric Berger <[EMAIL PROTECTED]> wrote:
> Peter wrote:
> > Can someone please tell me how my webserver LEO is able to respond to
> > requests? Don't I need to specify an outgoing rule (pass out) for
> > replies?
> >
> Your RDR rule implicitely
Can someone please tell me how my webserver LEO is able to respond to
requests? Don't I need to specify an outgoing rule (pass out) for
replies?
nat on $EXT from $LAN_clients to any -> $EXT
rdr on $EXT proto tcp from any to ($EXT) port 80 -> $LEO port 80
block in on $EXT all
pass in o
On 19 Dec 2005 14:33:27 -0800
"Jonathan Rogers" <[EMAIL PROTECTED]> wrote:
: The think I can't understand is that I'm explicitly passing this kind
: of traffic:
:
:pass in quick on $dmz_if inet proto tcp from 192.168.3.0/26 to any
: port { 53 80 }
: keep state flags S/SA label "pass
or
> subtract the statistics of the narrow rule (matching that one port)
> from the more broad rule. Or, you could make the narrow rule come
> first and use "quick" to prevent it from matching the