and do you have ip forwarding enabled? (sysctl.conf)
net.inet.ip.forwarding=1
pfctl -vs rules
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Gary
Sent: Wednesday, November 26, 2008 3:04 PM
To: pf@benzedrine.cx
Subject: Re: super simple pf.conf that doesn't
you definitely want to read the FAQ and at very least ..
isakmpd (8) - ISAKMP/Oakley a.k.a. IKE key management daemon
isakmpd.conf (5) - configuration file for isakmpd
isakmpd.policy (5) - policy configuration file for isakmpd
ipsec (4) - IP Security Protocol
ipsecadm (8) - interface to set up IP
> On 04/20/2006 12:57:23 PM, Prabhu Gurumurthy wrote:
> >
> > As I understand the working of the rule set that I have written,
> > again please correct me if I am wrong, the rule matching/allowing the
> > inbound on DMZ, again should have an outbound rule set allowing on
> > Internet, is this
> Just curious. tcpdump has the handy "host blah" syntax, where it
> implies src or dst.
>
> Some of my rules could be simplified with a "from or to" sort
> of syntax.
>
> If it doesn't exist, I'll put it on my "to code some day" list.
> --
huh? - I must be misreading/understanding the questi
have you tried looking under SIP?
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Doug Er
> Sent: Friday, November 25, 2005 9:25 PM
> To: pf@benzedrine.cx
> Subject: AT&T CallVantage VoIP and pf?
>
>
> I got the VoIP adapter, a D-Link DVG-1120M, fo
add port xyz to the end of your example
10.10.10.10 port xyz
ed wrote:
Hello,
I am having troubles with some rdr rules. How should I specify:
rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
with
pass in on $ext_if proto tcp from any to $range port {80,3389} keep
st
sure use the negative from ! ip
[EMAIL PROTECTED] wrote:
Hi to all
I have an important question:
it's possible to define a filter that have as srcaddr or dstaddr
all ip-address different from a host or a subnet?
thanks
Luca
craSH wrote:
tcpdump is pretty much just for inspecting the headers of packets; to
capture data and entire sessions, snort would be a good tool to use.
It can be run on the command line in a way similar to tcpdump and dump
complete data to a pcap file for later inspection with tools such as
ethe
alex wilkinson wrote:
Hi all,
Is it possible to specify a range within a table? e.g.
table const { 8000 >< 8999 }
I get a syntax error for the aforementioned table, so can anyone
suggest a method for what I'm trying to achieve?
Cheers
- Alex
why not put the table first and the ports in the ru
I use max-src-conn in production and it works fine. Just don't be too tight on
the numbers
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Chris Cameron
> Sent: January 12, 2005 1:46 PM
> To: pf@benzedrine.cx
> Subject: Re: State searches sky rocket
you posted this on misc@ already.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Jayel Villamin
> Sent: December 28, 2004 11:43 AM
> To: pf@benzedrine.cx
> Subject: help with a pf rule
>
>
> I have been looking at this tcpdump log for the last ho
> not trying to speak for ed, but IMHO...it's dumb because any
> yahoo with
> a local account on a machine can create a listening socket on
> a port >=
> 1024.
Anyone can create a socket above 1024 anyway, regardless .. this has
nothing to do with ssh. If you are running a server, full of users
change your ssh port to like 30222 or something ..
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> A
> Sent: December 17, 2004 12:12 AM
> To: [EMAIL PROTECTED]
> Subject: pf port knocking
>
>
> Hey all
>
> I am getting tired of seeing the follow
p has
been for about 24 hours.
I just got my 3.3 disk and was planning to rebuild the box this weekend.
Has anybody else had this problem, and have they found a solution?
Linux isn't working either, so my ONLY means of accessing the internet
is a Wimp98 box going straight to the modem.
Thanks
Roy
ey're routed out of the correct leased line.
-roy
g a firewall on an
unfamiliar OS in a hurry is not the best idea in the world...
Sorry to complain, just feel the need to vent my frustration at the
fact that it appears I can't get hold of a copy of OpenBSD at short
notice...
-roy
2, and have them
guaranteed to correspond to what's physically plugged in to those
ports. Currently it relies on my not screwing up with my macro
definitions.
-roy
t this point, I no longer see what problem you're trying to solve.
Not having to rewrite all the scripts that process the logs just
because I'm using OpenBSD as my firewall...
-roy
Are we talking at cross purposes here? The FTP server has a real,
routable IP address. No NAT involved. I don't see why I would need
to do anything special.
-roy
nce it's probably not a big deal.
-roy
Aside from that:
people using ftp-proxy in front of an ftp-server which is not NATed are making a
mistake. It's not needed.
I don't understand. Why is firewalling my FTP server a bad idea?
-roy
agree that FTP should be
handled in user space. I want a solution that can be used to firewall
FTP servers. I was proposing that this should be done in userspace,
and musing on what level of kernel support such a solution would
require.
-roy
t applies to packets sent
from interface A to interface B without having to hardwire the list of
networks into my packet filters.
(And the explicit form gets really messy when you have a network
routed out of one interface, except for a small subnet of it which
sits on another interface.)
-roy
rwise have allowed anyway, but might
block some that I am currently forced to allow.
Put another way: the fact that you can't spot all invalid packets that
might be sent to my FTP server isn't an argument for not blocking
those that you can spot...
-roy
then (like
ftp-proxy) surely the CPU cost is worth the benefit?
-roy
P connection that is not
addressed to it. And due to the symmetric nature of TCP, both
connections are indistinguishable, once established.
-roy
This could be solved with 'embryonic states' [...]
Sounds interesting, and far more general than the simple hack I was
envisioning. If there's some way of convincing the kernel to send the
initial SYN and accept the SYN/ACK, then all that's needed (if it
doesn't already exist) is a means for
addresses
224.0.0.0/4, the all-ones broadcast address 255.255.255.255, and the
unused Class E (experimental) space that lies between.
Also, I was under the impression that for historical classful reasons
all of 0.0.0.0/8 is invalid and should be dropped.
What's 204.152.64.0/23 ?
-roy
it is identical in nature to the incoming
connection...
Thanks in advance,
-roy