On 2014/11/13 21:55, Kamil Jiwa wrote:
> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
> network with a NAT64 router. The router has two interfaces with the
> following configurations:
>
> - em0: internal, IPv6 network
> - IPv4 address: 10.0.66.1/24
> - IPv6
On 2014/08/22 19:15, Kevin Gerrard wrote:
> I realize that this may seem like a dumb question for one of the developers.
> I didn't expect a detailed message or exact answer. I have spent much time
> reading different ideas and by doing so learned much more while on this
> path. I have not posted o
Have you set the net.inet.ip.forwarding sysctl?
That's a very old version of OpenBSD if the "nat on vr0" rule is valid
syntax...
Rather than looking at a tcpdump of packets that make it through, try looking
at blocked packets instead. Add 'log' to any block rules and try 'tcpdump
-nettti pflog0'.
Walt Elam wrote:
>One more update:
>
>I opened up the tcpdump traffic in Wireshark and it appears that the
>Xbox
>is failing on
On 2013/11/19 02:55, Christiano Liberato wrote:
> Hi,
>
> fw1: 200.200.200.168
> fw2: 200.200.200.172
>
> carp0 (for two fw)
> inet 200.200.200.162 255.255.255.240 200.200.200.175 vhid 1 advskew 0 carpdev em0 pass senha
> inet alias 200.200.200.163 255.255.255.255
> inet alias 200.200.200.16
On 2013/05/05 13:29, Peter N. M. Hansteen wrote:
> But even without the bouncing address, the message is a textbook example
> of how *not* to ask questions.
I think the textbook in question here is "introduction to trolling, an
entry-level guide" :)
If you had spare network ports you could take the incoming feed, bridge it
to another port (filtering statelessly and if-bound), then loopback the
second port to a third port and do the normal filtering there...
I wonder if it would be possible to do similar with bridge+vether, iirc
Reyk posted a
On 2013/03/18 15:25, Daniel Hartmeier wrote:
> Yes, bridge between em2 and em3.
>
> Assign the IP (used as gateway by the clients) to bridge0.
This isn't possible on OpenBSD, you either need to put the IP on one
real interface (then it may go down if the port is down), or bridge a
vether with it
On 2013/03/11 12:06, Andrew Siegel wrote:
> I've been scratching my head over this one. Here is my pf.conf:
>
> int_if = "em0"
> dmz_if = "em1"
> block log all
> set skip on lo0
> block log quick inet6
> block in log quick on $int_if from ! to any
> block out log quick on $int_if from any to !
On 2013/01/14 15:30, Johan Helsingius wrote:
> Hi!
>
> I have a small network, connected by 2 ADSL connections, and
> want to load-share the connections. All examples of route-to
> round-robin that I have seen have used 2 separate interfaces,
> but as both my ADSL modems are on the same "no-mans-l
On 2012/11/19 00:02, gpon...@spamcop.net wrote:
> While porting a 4.9 pf.conf to 5.2 I came across something that looks
> like it might be a bug. The affected line was the pass in rule to
> send forward FTP requests to the proxy on the firewall.
>
> The following rule would not load:
>
> pass in
On 2012/11/16 11:08, Teemu Rinta-aho wrote:
> http://www.rinta-aho.org/blog/?p=168 (original, without VLANs) and
> http://www.rinta-aho.org/blog/?p=346 (with VLANs)
In -current OpenBSD, dhclient-script is no more, so you'll need
another way to do this..
The simplest way to do this is probably to use multiple route tables, then you
can use rtable in pf.conf instead of route-to.
www.openbsd.org/papers/eurobsd2012/phessler-rdomains/index.html
www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/
Your 'pass in' rule won't match o
On 2012/04/23 11:49, Kyle Lanclos wrote:
> In order for our firewall to operate effectively, we use 'keep state'
> pf rules. We empirically determined that we must have CARP preemption
> enabled, otherwise pf cannot properly establish state for new TCP
> connections. If pfsync could be told to sync
On 2012/04/12 02:48, Andy Lemin wrote:
> Hi, thanks very much for your suggestion.
>
> > You will want to see this thread:
> > Working example of bi-directional asymmetric ALTQ + NAT ruleset?
> > http://marc.info/?t=12947296581&r=1&w=2
> >
> > It talks about being able to have a singl
On 2012/01/12 06:15, pizzahut wrote:
>
> Hello,
>
> I try now to create a transparent proxy using squid and using OpenBSD 5.0
> Packet Filter all by passing a bridge.
>
> The squid run I tested the bridge walking machines located on the other side
> can access the outside.
>
> The problem is th
On 2011/07/19 06:49, Ben Harper wrote:
> Hi,
> I'm trying to NAT out to two DSL modems.
> I have three network cards on three subnets:
> re0: 192.168.4.0/24 Internal
> re1: 41.134.100.222/29 DSL_A
> re2: 10.10.10.5/24 DSL_B
>
> I can NAT out to either re1 or re2, but I have to
On 2011/06/07 17:36, Rob Sessink wrote:
> You’re right, looking again at this rule, it is unwanted to do
> the NAT on the inbound packets of the internal interface when the
> firewall is connected to multiple networks/interfaces.
>
> Thanks for the pointer to pf.conf(5). But what is meant with the
On 2011/04/08 15:42, Bojidara Marinchovska wrote:
> It is not wrong but I cannot find it is possible to use negation with
> AND ( something like block in quick from !{$a, $b, $c} ) and yes as
> it is typed it will be produce exactly this ruleset you wrote.
>
> So if rules in conf are defined as se
Basically don't use queues named "foo_in" and "foo_out", just use
a single name "foo", defined with "queue foo on $tdcif" and "queue
foo on $sirif". See the list archives for more; this has come up
several times.
On 2011/02/11 02:25, Mikkel C. Simonsen wrote:
> I have attempted to setup a router
On 2011/02/10 12:10, RLW wrote:
> I am asking this because I was writing to the misc group about low
> performance on LAN bandwidth
> (http://marc.info/?l=openbsd-misc&m=128990880310013&w=2) and someone
> said there might be a TBR related problem.
>
>
> Furthermore, I found somebody's work on tryi
On 2011/01/25 11:30, Brian Keefer wrote:
> I'm embarrassed to ask such a simple question. Since 3.4 I've
> been running PF firewalls, but mostly for very small networks with
> 32 or fewer external addresses. I always assigned my external IPs
> to my external interface and then did NAT or bi-NAT.
400Kb priority 2 cbq(borrow)
> queue tcpack on $ext_if bandwidth 50Kb priority 3 cbq(borrow)
> ...
>
> Many thanks again for the help and discussion, all. This has been
> instructive and illuminating.
>
> -BP-
>
> On Jan 12, 12:08 pm, s...@spacehopper.org
On 2011/01/12 08:40, Bonnie Packet wrote:
> altq on $int_if cbq bandwidth 5000Kb queue { std, slow, fast, tcpack }
> queue std bandwidth 1200Kb priority 1 cbq(default borrow)
you're looking for this format:
queue std on $int_if bandwidth 1200Kb priority 1 cbq(default borrow)
..etc..
I don't reca
On 2011/01/11 12:46, Bonnie Packet wrote:
> the question is how to manage it simultaneously with the
> download direction when those packets already part of an established,
> stateful TCP connection that bypasses the firewall rules.
the PF state is associated with queue by name - you can u
On 2010/12/29 08:51, Johan Helsingius wrote:
> Running pf on openbsd 4.8 (i386), I find something very strange going on.
> Looking at the log:
>
> Dec 28 22:23:37.772604 rule 4/(match) [uid 0, pid 28161] pass in on xl2:
> xxx.yyy.zzz.aaa.51717 > foo.bar.www: S [tcp sum ok]
> 3754046362:3754046362(
On 2010/12/17 23:18, Karl O. Pinc wrote:
> Hi,
>
> I'm wondering why pf.conf(5) has an example
> scrub setting where the mtu is 1440 when
> 1460 would be the usual mtu for a 1500
> byte IP datagram.
>
> From OpenBSD 4.8:
> -
> For example:
>
>match in all scr
On 2010/10/09 03:38, Evgeniy Sudyr wrote:
> I' need to allow access from my private network to other private
> network through IPSEC. So I need only one way access from my net to
> another via NAT on lo1 interface.
> I've read this post and found it's great, so I tried to get same NAT
> config with
On 2010/10/03 14:24, Peter GILMAN wrote:
>
> Marcus Larsson wrote:
>
> > On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
> >
> > > can anybody see what i'm missing? i'd love to score some points
> > > for openbsd at my job (and i'll fall back to 4.6 if i have to) but
> > > i'd re
On 2010/01/31 16:11, Agung T. Apriyanto wrote:
> pass out quick log on $client_if proto tcp from any to tos
> 0x30 no state queue q_tos
There's an implicit "flags s/sa" so this rule only matches SYN packets.
> no state used because after searching archive i found some suggest to use it.
This is
On 2010/01/17 12:08, Steven Surdock wrote:
> > -Original Message-
> > From: owner...@benzedrine.cx [mailto:owner...@benzedrine.cx] On Behalf
> Of
> > Stuart Henderson
> > Sent: Sunday, January 17, 2010 6:20 AM
> > To: mashenko shenua
> > Cc: pf@ben
On 2010/01/16 22:00, mashenko shenua wrote:
> Can you try it??. Some people tell me I can't use Squid with
> round-robin.. I see this for pfsense :
>
> http://forum.pfsense.org/index.php?topic=7591.msg42943
>
> tcp_outgoing_address 10.10.1.1 slow;tcp_outgoing_address 10.10.1.1
That diff is for p
On 2010/01/16 03:37, mashenko shenua wrote:
> I'm trying to setup a Multiwan OpenBSD firewall. I need to use Squid
> but I cannot setup with rdr and round-robin..
> pass in on $int_if route-to \
> { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> proto tcp from $lan_net to any port htt
On 2009/12/18 15:40, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses
> that change
On 2009/12/16 13:27, Helmut Schneider wrote:
> [...]
> > Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER >
> > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted
> > cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: len:
> > 1596
> > Dec 15
On 2009/11/24 13:26, Jordi Espasa Clofent wrote:
> Hi all,
>
> I use the next rule:
>
> # SSH brutes protection
> pass quick on $bridge inet proto tcp from any to $vlan10 port 22
> keep state \
> (max-src-conn 20, max-src-conn-rate 3/12, \
> overload flush global)
>
> with succ
On 2009/09/12 16:50, Daniel Malament wrote:
>
> But if you create a default-permit ruleset with wide-ranging block
> rules, like:
>
> ---
> block in on $ext_if
> pass in on $ext_if from any to $ext_if port 22
> ---
>
> you get the same filtering results with fewer rules, one state per
> connection
On 2009/08/24 01:04, Michael Grigoni wrote:
> Michael Grigoni wrote:
> > Michael Grigoni wrote:
> >> Michael Grigoni wrote:
> >>> We have a web server behind NAT; the router runs OpenBSD (version
> >>> unimportant for this question), and remote http client connections
> >>> stall irrecoverably wit
On 2009/08/11 12:53, abs wrote:
> I have 3 interfaces:
> dc0 (ext)
> dc1 (int)
> ural0 (wifi)
>
> dc0 has vlans 3,4 and 10 coming in.
> I would like to put dc1 (int) on vlan 3, 4,10 and ural0 (wifi) on vlan 4
>
> I have been playing around with multiple bridge configurations but cannot
> seem to
On 2009/07/17 10:22, Rafael Ganascim wrote:
>
> 2009/7/17 Stuart Henderson :
> > On 2009/07/17 09:17, Rafael Ganascim wrote:
> >> Hi Stuart / List,
> >>
> >> This option, 'tos XXX' can set TOS values only or can use (and match)
> >> DSCP
On 2009/07/17 09:17, Rafael Ganascim wrote:
> Hi Stuart / List,
>
> This option, 'tos XXX' can set TOS values only or can use (and match)
> DSCP values too?
see the manual, pf.conf(5).
>
>
> 2009/6/4 Stuart Henderson :
> > On 2009/06/04 11:42
On 2009/06/04 11:42, Rafael Ganascim wrote:
> Hi list,
>
> Can the PF works with the DiffServ DSCP markings in the IP packets?
>
> The idea is do the DSCP marking (classification) as close the source
> traffic and when the packet through my network, the 'core' routers
> only put the packets in th
On 2009/04/16 09:19, Jim Rosenberg wrote:
> Sorry this is such a basic question ...
>
> I'm having difficulty understanding just what the difference is between
> saying
>
> anchor "foo"
>
> and
>
> anchor "foo/*"
>
> What exactly goes wrong if you leave off the "/*"? The implication is
> that wit
On 2009/04/14 17:37, Helmut Schneider wrote:
> What I want to do is to assign the default queue the whole bandwidth
> (100%) and let e.g. http borrow 5Mb. As I do not know the connection
> speed (might be 1GB or 100Mb within the local LAN, but might also be
> 34Mb for the internet) I guess I need
On 2009/03/13 10:25, Jeremie Le Hen wrote:
>
> It doesn't seem to be possible to disable sequence number/window
> tracking. Does it?
It's possible if you port the "sloppy" state handling code from OpenBSD..
On 2009/01/25 12:52, gwen hastings wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi Stuart,
> yes I noticed that in pf.c the overload table routines are
> called from tcp only..
that is because UDP can easily be, and often is, forged.
imagine an attacker sending packets with
On 2009/01/24 11:21, gwen hastings wrote:
> Does the overload keyword apply only to TCP
yes, it only applies to TCP. see pf.conf(5) STATEFUL TRACKING OPTIONS,
the few paragraphs starting "For stateful TCP connections, limits on
established connection[...]".
On 2009/01/20 22:40, Rod Whitworth wrote:
> Still learning
>
> I am trying to set up a box with two interfaces. I DO NOT want to route
> traffic through it.
>
> It is at a site where there are two connections to the net and I want
> the testbox to have an address on each of the LANs which are
On 2009/01/11 00:36, Helmut Schneider wrote:
> Stuart Henderson wrote:
>> On 2009/01/10 23:11, Helmut Schneider wrote:
>>> Stuart Henderson wrote:
>>>> On 2009/01/10 22:11, Helmut Schneider wrote:
>>>>> What do I have to do to see the detailed live ou
On 2009/01/10 23:11, Helmut Schneider wrote:
> Stuart Henderson wrote:
>> On 2009/01/10 22:11, Helmut Schneider wrote:
>>>
>>> I'm running pf on an IPv6 gateway. I use 'tcpdump -n -e -ttt -r
>>> /var/log/pflog' to see the pf traffic:
>>>
On 2009/01/10 22:11, Helmut Schneider wrote:
>
> I'm running pf on an IPv6 gateway. I use 'tcpdump -n -e -ttt -r
> /var/log/pflog' to see the pf traffic:
>
> Jan 10 21:49:02.181784 rule 36/(match) pass in on xl0:
> 192.168.0.1.55206 > 192.168.0.2.161: GetRequest(9)[|snmp]
> Jan 10 21:49:05.22350
On 2008/12/28 17:52, Karl O. Pinc wrote:
>
> On 12/25/2008 07:54:35 AM, Federico Giannici wrote:
>> We have an OpenBSD server acting as a firewall/QoS router (no nat or
>> rdr).
>>
>> It has two requirements:
>>
>> A) It has to be as "transparent" as possible. So, if firewall is
>> rebooted or t
On 2008/11/19 13:48, Russell Fulton wrote:
> Does anyone have any suggestions as to how we can get data in pf log
> files into pcap files that can be read (and filtered) on other
> systems.
the packets have a "struct pfloghdr" header as described in pflog(4);
this could be chopped off. I'm not aw
Depending on where you test from,
http://www.openbsd.org/faq/pf/rdr.html#reflect may help.
On 2008/11/12 12:28, Dan wrote:
> Hi all, I am new to PF. Trying to set up a simple, typical ruleset as
> described on openbsd.org and other places. NAT works, rdr to a machine
> behind pf doesn't. The docum
You may be recycling port numbers before the state fully expired.
If that's the case you can try reducing the tcp.closed timeout:
"keep state (tcp.closed XX)".
On 2008/09/22 16:13, Jordi Espasa Clofent wrote:
> Ok; more info:
>
> $ pfctl -x misc
>
> $ tail -f /var/log/messages | grep 217.130.13.1
On 2008/09/10 12:05, Karl O. Pinc wrote:
>
> On 09/10/2008 08:54:21 AM, Stuart Henderson wrote:
>
>> HTTP redirects might be the least-overhead method and are usually
>> pretty simple to setup... add a record "www2 A 5.6.7.8", and have the
>> old server just r
On 2008/09/10 14:26, Fredrik Widlund wrote:
> No, of course, if both servers are alive and "online" at the same
> time, you might as well not redirect the stream. However if you
> need to take the older system offline, or if you need to only have
> one system online at one given time, then redirect
On 2008/09/02 10:06, Michael K. Smith - Adhost wrote:
> I'm wondering if it would be possible to create a mapping between
> an "outside" IPv6 address and an "inside" IPv4 NAT (or round-robin
> group, to take it to the next logical step) or vice versa? This
> would be on a FreeBSD 7.0 installation.
On 2008/07/31 23:12, Martin Toft wrote:
> On Thu, Jul 31, 2008 at 03:35:45PM -0500, Jacob Lambert wrote:
> > Hi guys,
> >
> > I'm new to pf but am learning quick. I've got one pf box up and running
> > and working great. Now I want to try to simplify things a bit.
> >
> > I have multiple VMs eac
On 2008/07/14 10:14, Ryan McBride wrote:
> > I see this in the 4.2->4.3 changelogs:
> > Changed rc(8) and netstart(8) so pfsync(4) is not brought up before the
> > working ruleset has been loaded
>
> I don't believe this is critical, but it means that if your rulesets are
> identical across fire
On 2008/07/09 22:13, Leslie Jensen wrote:
> Stuart Henderson wrote:
>> On 2008/07/09 19:25, Leslie Jensen wrote:
>>> table { something.somewhere.com,
>>> somethingelse.somewhere.com, xxx.yyy.zzz.qqq }
>>
>> With DNS names? That's likely to be your
On 2008/07/09 19:25, Leslie Jensen wrote:
> table { something.somewhere.com, somethingelse.somewhere.com,
> xxx.yyy.zzz.qqq }
With DNS names? That's likely to be your problem.
On 2008/04/08 14:47, Ian Chard wrote:
>>
>> Hmm, it looks like IP-in-IP packets are blocked by default. See
>> sysctl(3) about net.inet.ipip.allow.
That's only to the local host; PF normally forwards them unless you do
a default block (then you need to list the wanted protocols explicitly
e.g. "pa
On 2008/03/11 23:01, Neil Sproston wrote:
> I have a pair of OpenBSD 4.1 firewalls using pf with pfsync to provide
> state synchronisation.
>
> To provide automatic routing around any network failures ospf is enabled
> to allow the firewalls to exchange routing information with the routers.
>
> T
On 2008/03/05 23:31, Karl O. Pinc wrote:
> ftproxy is only for proxying to other hosts.
ftpsesame _might_ work.
> Use a FTP client that knows enough about pf
> to add/remove rules from an anchor,
> in the manner of ftp-proxy, to allow establishment
> of data connections to arbitrary ports.
> Tell
On 2008/02/25 23:22, Adam Retter wrote:
> All of the examples that I have seen use two queues, one on the
> external interface and one on the internal interface. The example
> given in the PF manual on the OpenBSD website itself also shows a 2
> queue setup - http://www.openbsd.org/faq/pf/queueing.
On 2008/02/24 17:27, Jordi Espasa Clofent wrote:
> Stuart Henderson wrote:
>> On 2008/02/24 12:21, Jordi Espasa Clofent wrote:
>>> Very happy with performance and capabilities of PF. But when I try ssh
>>> connections from outside to my net boxes, they're ver
On 2008/02/24 12:21, Jordi Espasa Clofent wrote:
> Very happy with performance and capabilities of PF. But when I try ssh
> connections from outside to my net boxes, they're very very slow. They
> work, but work so slowly.
Describe this in a bit more detail...
On 2008/01/30 09:12, Russell Fulton wrote:
> Thanks Stuart! I thought there would be a straight forward way of doing it.
> With this set up I'm guessing that I can leave state policy as floating?
Yes, that's correct.
On 2008/01/29 15:54, Russell Fulton wrote:
>
> I know that one can only queue on the outbound interface. We want to queue
> traffic in both directions so we have to have two queues one on the external
> interface to queue outbound traffic and one on the internal interface to
> queue the incomin
On 2008/01/22 21:27, Samuel Penn wrote:
> As a followup however, I now have some success. I've been testing the
> remote interface from work, which blocks unknown outgoing ports which
> includes 5280, so the rule I actually had was to redirect a different
> external port which was allowed by work's
On 2008/01/22 12:07, Arnaud Feix wrote:
> Hi,
>
> In your rule you have :
> rdr on $IntIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3
> port 5280
>
> instead of $IntIF you should have $ExtIF no ?
>
> because your rule says :
>
> pass in quick on $ExtIF inet proto tcp from an
On 2008/01/20 16:48, Samuel Penn wrote:
>
> However, I'm now trying to do the same with some other ports, without
> any luck. I'm starting by trying to allow access to the web page for
> an internal ejabberd installation (running on port 5280, on host
> 192.168.11.3), however adding in a similar r
On 2008/01/14 07:49, Tihomir koychev wrote:
> >>one other question: Will pfctl expand port != {53, ...} ?
>
> Yes it will
> http://www.openbsd.org/faq/pf/macros.html
not for port number.
(and see the warning on that page for lists of addresses :-)
> - Original Message
> From: Russell Fu
On 2008/01/04 13:57, Ed White wrote:
> The problem is that I actually see two IPs: one IPv4 and one IPv6.
> Would pf do round robin using one IPv4 and one IPv6?
It will translate IPv4 packets to the IPv4 address of that interface,
and IPv6 packets to the IPv6 address of that interface. PF doesn't
On 2007/12/19 16:11, Jordi Espasa Clofent wrote:
>
> So, I need to benchmark the FW with little size packets. The question is
> Is there any tool which generates small packets traffic to benchmark the
> network performance as iperf or netperf does?
iperf can do this with a command-line option. T
On 2007/11/19 22:05, Shane Harbour wrote:
> For the last few hours I've been knocking my head against my desk. I'm
> trying to setup spamd for the first time and keep receiving syntax
> errors on my redirect statements. My redirect statements are:
..
> rdr on $ext_if inet proto tcp from to $mail
On 2007/11/05 16:18, Florin Andrei wrote:
>> Does the "em" driver do interrupt mitigation ?
>
> I would like to know the answer to that question myself.
There's no single standard name for this, you'll see at least these:
em(4)
/* Set the interrupt throttling rate. Value is
On 2007/10/31 14:02, Guntis Bumburs wrote:
> It would be nice if there was a knob to mark some rules "skip on high load"
> so
> they would be skipped to avoid congestion.
So, when the system is already busy, it has to do extra processing
to figure out which rules to use? H...
> I suspected
On 2007/10/24 12:29, Peter N. M. Hansteen wrote:
> [EMAIL PROTECTED] writes:
>
> >> then. Bridges generally makes it harder to debug and as you say it
> >> takes your main redundancy feature off the table. Why not just a
> >> carp/pfsync setup?
> >
> > cause i'm in the same subnet
> > if not, ca
On 2007/10/19 12:26, Russell Fulton wrote:
> It has become very clear now that one of the significant bottlenecks is
> interrupt handling in the kernel.
I am pretty sure that PF's cpu use is counted in interrupt%.
Are you aware of the ruleset optimizer in pfctl? It reorders the
ruleset to take ad
On 2007/10/16 15:12, Russell Fulton wrote:
> I have a couple of questions:
>
> * Is there any tuning that we can do to improve performance of pf
Here's an article about PF optimization;
http://www.undeadly.org/cgi?action=article&sid=20060927091645
and one about the improvements in OpenBSD 4.2
On 2007/09/27 16:11, [EMAIL PROTECTED] wrote:
> I'm trying to build a spamd box that will be setting next to and not in
> front of the actual mx server.
>
> I'm thinking I won't be able to do a straight reflection, and will probably
> need some sort of proxy. Anyone done similar?
>
> I'm thinkin
On 2007/09/21 23:55, Ilya A. Kovalenko wrote:
> >>block in inet from 192.168.0.1 to 192.168.114.31
> >>pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
> >> (does not work - neither pings nor TCP)
> > Here, you only pass the *inbound* packets; you also must
> > p
On 2007/09/21 16:10, Ilya A. Kovalenko wrote:
>
>block in inet from 192.168.0.1 to 192.168.114.31
>pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
> (does not work - neither pings nor TCP)
Here, you only pass the *inbound* packets; you also must
pass the outbo
On 2007/09/19 21:45, Mark Fordham wrote:
> scrub in
> scrub out on $ext_if max-mss 1440
> set mtu max 1440
> set mru max 1440
MSS is the number of bytes of *payload*
MTU includes the headers as well
lower the max-mss value to 1400 or slightly less.
On 2007/07/30 17:33, Can Erkin Acar wrote:
>
> The problem with this diff is that it assumes an ADSL link.
> While 'vcmux' is obviously ADSL terminology, I assume
> having 'pppoe' or 'bridge' would confuse others trying to
> use non-adsl pppoe connections or even real bridges.
That's a very fair
On 2007/07/20 15:20, Daniel Melameth wrote:
> then go back to the broken behavior sometime later. A reboot of the box or
> removing altq is the only way to resolve the issue, temporarily. I've tried
> both priq and cbq, adjusting tbrsize, recompiling the kernel with a higher
> HZ value and using
On 2007/07/21 07:45, Jeff Santos wrote:
> > "memory" is PFRES_MEMORY, this could well be it. the description
> > is "Dropped due to lacking mem", it's triggered in quite a few
> > places (grep for PFRES_MEMORY in /sys/dev/net/pf*).
>
> I could not find any /sys/dev/net directory. Could that be a p
On 2007/07/20 17:39, Paul Collis wrote:
> I have a firewall running OpenBSD 4.1-STABLE with pptp-1.7.1 to access a
> corporate VPN from a Windows XP machine on the internal LAN. The VPN uses
> dial on demand. Running ping on the Windows machine to access the corporate
> server (192.168.0.143) does
On 2007/07/19 12:15, Jeff Santos wrote:
>
> net.inet.ip.ifq.len=0
> net.inet.ip.ifq.maxlen=300
> net.inet.ip.ifq.drops=0
>
> However, the problem did not go away altogether. I would like to
> know if it has anything to do with the "memory" or "state
> mismatch" statistics below:
"state-mismatch"
Look at sysctl net.inet.ip.ifq, bump maxlen until drops stops
increasing. I'd try 250 for starters.
On 2007/07/07 08:47, Jeff Santos wrote:
> Hi,
>
> It would help if someone with more experience with PF
> could help me to interpret some of those statistics
> shown with pfctl -si:
>
> Packets
On 2007/06/04 19:37, Jeremie Le Hen wrote:
> Finally, this rule can't be practically replaced with a set of "nat"
> and "rdr" rules since this would require 65535 "rdr" rules, one for
> each existing port number.
this part isn't correct; if unspecified, the port number defaults
to staying the same
On 2007/05/04 16:21, Karl O. Pinc wrote:
>
> On 05/04/2007 05:34:16 AM, Jason Dixon wrote:
>
> The important thing is to get
> > quality network interfaces.
>
> The OpenBSD FAQ makes recommendations and there's
> periodically a thread on the openbsd misc discussion
> list regarding the que
On 2007/04/23 19:59, Martin Toft wrote:
> I've had to add the following rule to make my users happy:
> pass in on $lan_if inet proto { ah gre esp } from to
> ! keep state
IPsec NAT-T transports ESP inside UDP packets (normally) on
port 4500; that rule shouldn't be needed for NAT-T.
On 2007/04/04 18:03, Joseph Lappa wrote:
> I would like to have icmp host-unreachable and fragmentation-
> needed in the icmp type that is returned.
your description is a little unclear here;
are you trying to alter the returned messages when a packet is
blocked? (you actually want 'block retu
On 2007/03/06 01:04, Karl O. Pinc wrote:
>
> On 03/05/2007 01:05:25 PM, Peter N. M. Hansteen wrote:
> >hard to tell without taking a peek at your actual rule set, but could
> >it be that you forgot "keep state"
>
> with: flags S/SA
Flags apply to TCP; name lookups are usually done over UDP.
> >
On 2007/02/28 11:14, Michael K. Smith - Adhost wrote:
> 1) Server 1 on 10.1.1.100/24
> 2) Carp Interface on 10.1.1.200 that fronts two servers, 10.1.1.201 and
> 10.1.1.202
> 3) Some service on servers, let's say mail
> 4) Server 1 wants to use the load-balance pool, so it sends traffic to
> 10.1.1.
On 2007/02/22 12:49, Wayne Swart wrote:
> This works fine with route-to for http traffic routing it to the adsl router,
Your configuration only works from machines on the lan, not from the
router itself.
Assuming the default route is on $wireless_if, you need some
'pass out on $wireless_if route-
On 2007/02/11 18:16, Arnaud Feix wrote:
>It's very interesting but my problem is to allow two or more station
> to receive the flow sent by the provider at the same time.
I think this is a bit more complicated than port forwarding/triggers..
it's most likely to be a multicast stream. Normally