On 8/2/06, Rajkumar S. <[EMAIL PROTECTED]> wrote:
Hi,
I was reading through an interview of pf developers[*], where Mike
Frantzen commented that
There are already two ways to emulate Linux's DIVERT sockets and turn
an IDS into an IPS (Intrusion Prevention System). One could use PF to
route the
On 6/6/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
On Tue, Jun 06, 2006 at 04:01:09PM +0200, Antoine Jacoutot wrote:
> How would you translate the following ?
>
> => deny ip from any to 145.238.0.0/255.255.0.255
The parser doesn't yet support such netmasks,
Hi Danny, Thank you for the tip
On 5/24/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
On Tue, May 23, 2006 at 03:31:46PM -0700, andrew fresh wrote:
> host_list = "{" $hosts "}"
> port_list = "{" $ports "}"
Try adding
q_host_list = '"{' $hosts '}"'
q_port_list = '"{' $ports '}"'
Thank you so much for the clarification
On 9/7/05, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
>
> On 09/07/2005 07:45:05 AM, Peter N. M. Hansteen wrote:
> > Siju George <[EMAIL PROTECTED]> writes:
> >
> > > https://secure.logmein.com/
> > >
> > > How do I prevent usage of such sof
Hi,
I've been using PF on OpenBSD for quite some time now and I want to use
http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf
or snort2c
Actually the link to the snort2c program homepage
on Undeadly
http://www.undeadly.org/cgi?action=article&sid=20050505234022&mode=expanded
is not avai
On 7/11/05, Ilya A. Kovalenko <[EMAIL PROTECTED]> wrote:
> SG> Since your network is only 100Mbps my recommendation is a D-Link ethernet
> card.
> SG> Now I may not be fully correct but from my experience it performs well :-)
>
> AFAIK D-Link NICs are the worst choice. Two reasons:
>
> 1. D-link NICs
On 7/10/05, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Rob <[EMAIL PROTECTED]> [2005-07-09 13:48]:
> > Henning Brauer wrote:
> > >* Gustavo A. Baratto <[EMAIL PROTECTED]> [2005-07-08 17:34]:
> > >
> > >>Apparently gigabit Intel NICs are the best out there, but this is just
> > >>what I've heard.
On 7/10/05, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Siju George <[EMAIL PROTECTED]> [2005-07-09 15:50]:
> > Since your network is only 100Mbps my recommendation is a D-Link ethernet
> > card.
>
> no, there is really no reason to buy 100MBit/s cards
On 7/8/05, Kirill Ponazdyr wrote:
> Hello,
>
> We are in need of "core" firewall for our new datacenter.
>
> This firewall will not be directly connected to internet but rather
> serve as a separator for security zones within the "application" part
> of our network, classical fileserver traffic
On 7/8/05, Gustavo A. Baratto <[EMAIL PROTECTED]> wrote:
> You gonna need a server with a very fast bus, and a very fast memory.
> Some motherboards have dedicated PCI controllers for each slot, so each NIC
> has its own dedicated controller, decreasing the interrupts for each one.
> Apparently gig
On 7/6/05, Rajkumar Andrews <[EMAIL PROTECTED]> wrote:
> Further, a shell script could be put as a cron job to ensure that if
> the default gateway goes down (ISP-A is out) then the default gateway
> ought to be changed to the next (ISP-B) and a monitoring starts to
> ensure that ISP-A comes back a
On 7/5/05, Eugene <[EMAIL PROTECTED]> wrote:
> Good day!
>
> I need help.
>
> I have 2 ISP connected to my FreeBSD router-firewall with pf.
>
> I need that my local net can connect http through router and squid to ISP-A.
> But all other packets (POP3, SMTP, DNS, NTP, ...) would go through ISP-B.
On 6/8/05, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> Siju George <[EMAIL PROTECTED]> writes:
>
> > Is PF not capable of letting two users ( with two
> > different computers with 2 different IP from the RFC1918 range ) in
> > the LAN to connect to the
Hi all,
After a lot of seeking and reading and doing I have this doubt :-)
Is PF not capable of letting two users ( with two
different computers with 2 different IP from the RFC1918 range ) in
the LAN to connect to the Same Windows 2003 remote
desktop server on the Internet and work on it simul
On 5/26/05, Ingolf Zeiner Petersen <[EMAIL PROTECTED]> wrote:
> I don't think PF supports UPnP. But you should try to forward 3389/tcp
> to your NAT'ed computer (the rdp -port).
>
Thank you so much Ingolf for your tip :-)
But this will only allow one Computer to connect to the Windows Remote
Deskt
Hi all,
I would like to know if there is any body using Windows XP remote
desktop sharing behind an OpenBSD Firewall.
What I would like to do is to allow a couple of windows users behind
my OpenBSD firewall to access windows XP remote desktops on the
internet.
From
http://www.microsoft.com/tech
On 5/21/05, Melameth, Daniel D. <[EMAIL PROTECTED]> wrote:
> tefol tefol wrote:
> > I manage several different pf firewalls around the country, and so I
> > need to have ssh access allowed. Occasionally, (more and more
> > often lately), I get script kiddies having a go at brute forcing my
> >
On 4/22/05, Lyle Worthington <[EMAIL PROTECTED]> wrote:
> Hey All,
>
> We are soon to have 2 separate lines coming into our office each with
> a separate set of IPs and restrictions (One full class C each). They
> will be handled by one router, and we would like to firewall both of
> them with ju
On Apr 6, 2005 10:22 PM, Kimi Ostro <[EMAIL PROTECTED]> wrote:
> Hello !
>
> I am trying to understand how NAT affects packet filtering and am not
> sure if I am on the right track. My understanding is this;
>
> $ext_if = "tun0"
> $int_if = "fxp1"
>
> nat on $ext_if from $int_if:network port > 1
On Wed, 23 Mar 2005 21:21:58 +0100 (CET), Xavier <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Just one question... Maybe stupid, pardon me!
> Can I define sort of "route maps" such as
> in Cisco devices with pf?
>
> Ex: if source address = x.x.x.x -> send to next hop "y.y.y.y"
>
YUP !!!
You can use th
On Wed, 23 Mar 2005 13:22:40 -0500, Peter Fraser <[EMAIL PROTECTED]> wrote:
> Siju George <[EMAIL PROTECTED]> asked for examples of ftp
> clients that do not work with ftp-proxy.
>
> The simplest example is the Microsoft ftp client that comes
> with Windows XP.
>
On Mon, 21 Mar 2005 15:09:31 -0500, Peter Fraser <[EMAIL PROTECTED]> wrote:
> A while a go I had trouble if ftp-proxy and windows ftp clients.
>
> The windows clients were checking to see if the ftp responses were
> actually coming from the ip address they expected, and they were
> not, and as a r
On Mon, 14 Mar 2005 15:33:02 +, Ryan McBride <[EMAIL PROTECTED]> wrote:
> On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
> > Could Someone please tell me the advantages of PF against Firewalls
> > using the ASIC technology in terms of Security and performance
Hi all,
Could Someone please tell me the advantages of PF against Firewalls
using the ASIC technology in terms of Security and performance??
I happened to hear the following
"Netscreen is running in ASIC (they are boasting in their marketing) -
and thus probably only is checking the first (or fir
On Mon, 7 Mar 2005 22:07:52 +0100, Daniel Hartmeier
<[EMAIL PROTECTED]> wrote:
>
> No, pf route-to always overrides the routing table. You can use route-to
> on a 'pass in' rule. In this case, pf alone routes the packet, and the
> routing table is completely bypassed (never consulted). Or you can
Hi Eric,
On Thu, 3 Mar 2005 22:11:34 -0600, Phusion <[EMAIL PROTECTED]> wrote:
> Hi, I was wondering about CARP failover. For an example, say we have
> two OpenBSD pf firewalls. When the main firewall fails for some
> reason, how long of a delay is there before the backup firewall takes
> over as
Hi all,
I have 2 OpenBSD firewalls protecting my LAN from 2 internet connections
1) a cable modem connection for which the Internet IP address is
obtained by "dhcp"
2) a DSL connection with a Static IP assigned to the $ext_if of the
second firewall
Now I am trying to firewall these two Internet
On Fri, 28 Jan 2005 13:36:52 +0100, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Siju George <[EMAIL PROTECTED]> [2005-01-28 10:50]:
> > I would like to know if there is any plan among PF developers to add
> > the feature to filter traffic based on time.
>
> no
On Fri, 28 Jan 2005 11:35:33 +0100, Daniel Hartmeier
<[EMAIL PROTECTED]> wrote:
> On Fri, Jan 28, 2005 at 02:29:36PM +0530, Siju George wrote:
>
> > I would like to know if there is any plan among PF developers to add
> > the feature to filter traffic based on time.
>
Hi all,
This question is primarily to the PF developers :))
Thank you so much for all your great work and effort to give us an
excellent firewall!!
I would like to know if there is any plan among PF developers to add
the feature to filter traffic based on time.
I mean a way by which I can pass tr
On Thu, 20 Jan 2005 14:33:00 +0100, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Kevin <[EMAIL PROTECTED]> [2005-01-19 21:41]:
> > Are there any "gotchas" I should know about when using dns names in
> > pf.conf, specifically in tables used as destinations for permit rules?
>
> well, if DNS is not
On Wed, 19 Jan 2005 13:02:10 -0600, Kevin <[EMAIL PROTECTED]> wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
>
> The addresses for the hosts change, but relatively rarely. Is it
> safe/recommende
Hi all,
At present my Proxy server and firewall is an OpenBSD 3.6 box running Squid.
I have a DSL internet connection with Static IP.
The squid proxy listens on 127.0.0.1:8080.
The clients have their browsers configured to use proxy server address
as 172.16.1.1:8080 which is the internal interfa
Thank you so much for your replies, Stefan, Daniel, Kevin, Jason and messmate :))
Thank you so much for helping out!
Kind Regards
Siju
Hi Danny,
On Wed, 8 Dec 2004 11:22:01 +0100, Daniel Hartmeier
<[EMAIL PROTECTED]> wrote:
>
> It might be some game with IP TTL values, but pf should always replace
> the internal address with the gateway's. The tcpdump will tell.
>
I found the same thing happening when I use Squid Proxy to co
On Tue, 23 Nov 2004 11:24:18 +0100 (CET), Roman Marcinek
<[EMAIL PROTECTED]> wrote:
> Hi Guys,
>
> an excuse for my question:
>
> I am relatively new to the OpenBSD (and PF) though not so the other
> firewall/filtering/nating :)
Hi Romek!
When I was new to PF these two sites helped me a lot!
Thanks a lot Nic, Jeff, Kevin and Russel for your inputs
Good luck!
regards
Siju
Thanks a lot Fred, James, Russel, Peter and Shawn for the replies!
good luck!
Siju
Hi all,
This question comes from the fact that I plan to promote OpenBSD and
its use in my country India. I'll plan to start from my city Cochin
state of Kerala. One of the major problems I face is that nobody has
even heard of OpenBSD and most are used to MS Windows and GUI
interface! So initiall
On Sat, 2 Oct 2004 11:27:33 +0200 (MEST), Mipam <[EMAIL PROTECTED]> wrote:
> I noticed that with the above rules internal clients can do passive
> ftp fine, but active ftp won't work, pf drops the packets from
> the remote host from port 20 to a high port here.
> I don't know quickly how to remedy th
Thank you so much Andrew for your advice. I don't have a complex setup
now but may have one soon. Thank you so much for responding.
Thanks a lot Mark, Jason, Clinton, Oliver, Greg, Philippe, Mipam for
your replies to my question. From all the help you provided I was able
to get the necessary informa
sing FTP-Proxy
> http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
>
>
>
>
> Siju George wrote:
>
> > hi all,
> >
> > I configured OpenBSD 3.5 PF as said in the FAQ.
> >
> > For the clients behind my PF firewall to access ftp servers I put this
>
On Wed, 29 Sep 2004 08:57:42 -0400, Jason Dixon <[EMAIL PROTECTED]> wrote:
> How could I possibly be angry at such a nice guy? Frustrated perhaps,
> but not angry. Did you run the command I told you about, and monitor
> any output? Was anything revealed?
>
Hi Jason, thanks a lot I run the comm
On Wed, 29 Sep 2004 07:32:07 -0400, Jason Dixon <[EMAIL PROTECTED]> wrote:
> As pleasant as you are Siju, it's quickly becoming apparent that you
> lack necessary training for becoming a qualified Systems Administrator.
Very True! but Jason by the Grace of God, with a lot of hard work and
help from
On Wed, 29 Sep 2004 13:31:52 +0200, Mark Rosenstand <[EMAIL PROTECTED]> wrote:
>
> If you're running NAT, you'll need to add the -n option to ftp-proxy.
>
Thanks Mark for the tip.
So I changed the line in /etc/inetd.conf line to
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp
On Tue, 28 Sep 2004 14:08:03 +0200, Daniel Hartmeier
<[EMAIL PROTECTED]> wrote:
> On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:
>
> > But if I can get port 113 also in adaptive stealth mode like Zonealarm
> > did then it would be better isn't it?
&
hi all,
I configured OpenBSD 3.5 PF as said in the FAQ.
For the clients behind my PF firewall to access ftp servers I put this
line in the pf.conf file
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
I also have the following line uncommented from /etc/inetd.conf
127.0.0.1:8
> People who say identd is a source of "severe information leakage" do
> not understand what ident does. If you feel paranoid, as I do, you can
> always configure it to return "random" usernames.
>
> ---
> Lars Hansson
Hi Lars! Thanks a lot for the reply! Will manpage for identd tell me
how to
> I know that this is in the pf faq but I don't think that you really need it. I don't
> know about IRC but you mentioned only SMTP on your side.
>
> I'm running emailservers for years now and never ran an identd. And my clients don't
> have an identd running either. I don't think that you need
Thank you Oliver for the reply and Explanation! It was very
informative. I'll also try the S/SAFR thing and see how it works!
God bless you
warm regards
Siju
On Tue, 28 Sep 2004 14:08:03 +0200, Daniel Hartmeier
<[EMAIL PROTECTED]> wrote:
> On Tue, Sep 28, 2004 at 04:46:40PM +0530, Siju George wrote:
> Not really. It can give a false sense of security, because you assume
> the 'adaptive' part can't be tricked b
Hi Jason!
Thanks for the reply!
But if I can get port 113 also in adaptive stealth mode like Zonealarm
did then it would be better isn't it?
regards
Siju
Thank you so much Luke, Gragnak, Clinton Ben, Peter, Volker, Greg,
interval , for all the responses and advice!
I changed the block-policy from return to drop. Now my ports except
113 are showing up as stealthed while testing from
http://www.grc.com/x/ne.dll?rh1dkyd2
The Port 113 was opened becaus
Thank you so much Cedric, Its working now! I greatly appreciate your help!
God bless you
siju
Hi all,
When my OpenBSD 3.5 System tries to load the PF ruleset it shows the
following error.
/etc/pf.conf:22: could not parse host specification no IP address
found for dc0:172.16.0.0/12
the 22nd line of my pf.conf is this.
nat on $ext_if from $int_if:172.16.0.0/12 to any -> $ext_if
this is t