Neil wrote:
Hi everyone,
Just chatted with someone in #pf and found out that pf at the moment cannot
maintain state on TCP connections from an internal machine to an external
machine when the network cable on the master firewall's external interface is
removed.
Anyways, most connections are coming from
Chad M Stewart wrote:
I'm building a new firewall, or rather an HA pair using OpenBSD, pf,
carp, pfsync, etc. I'm writing a new pf.conf configuration as well.
I'm trying to do policy based rules (i.e. tagging), using the PF FAQ
(ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt) and in
Steve Witucke wrote:
If I am sitting on 192.168.20.20 for example, and I ping 192.168.20.1 tcpdump
running on HOBBES shows that it responded to the ping. It's the master for
192.168.20.1 so it should. The really odd part is when I ping 192.168.30.1. I
found that HOBBES still responds, not
Lucas wrote:
I have done it this way, but still have some problems:
10.1.1.1 (M)
|---gw1 - |
LAN--| || - WAN
|---gw2 - |
(10.1.1.1) (B)
gw2 just has a backup carp interface
gw1 is carp master with
Steve Witucke wrote:
I am new to using PF, long time user of IPFilter. I switched to OpenBSD/PF last
week to setup a system to provide me with redundancy for my outbound
connections. The setup consists of 2 machines, each connected to a different
internet connection, and serving two internal
Neil wrote:
Ok guys. I will do it tonight once I reach home. I will also send my
pf.conf file.
Also, does it matter since I have different interfaces on FW1 and FW2?
FW1, xl0, fxp0 and fxp1
FW2: rl0, fxp0 and ne3
You're using 'set state-policy if-bound' so yes, that does matter.
Remove that
Neil wrote:
Hi guys,
I got pf and carp working together. However, I have noticed that TCP
oriented applications don't recover well when I disconnect a cable.
I setup a netcat listener on a machine inside the network. Then I ran
netcat from another machine outside the network. I was able
Karl O. Pinc wrote:
Hi,
It's been said on this list before that you can't
queue inbound traffic, say from a lower bandwidth
link to the net, effectively on a host that is multi-homed.
The solution has always been to do QOS on another
2-port box between the multi-homed host and the net.
It
Jaime Vargas wrote:
pass out log all
You probably want keep state on the pass out rule. The SYN/ACK reply
from $app_net isn't being allowed in this ruleset. You can see that in
your tcpdump capture below:
02:08:14.260021 rule 0/0(match): block in on sis1: 192.168.100.52.51011
b h wrote:
pass quick on lo all
used to work before the hackathon.
pass quick on lo0 all
I'm not sure if I just missed it or if you didn't mention it, but I
didn't realize you were running -current. There's lots of work ongoing
in -current on interface groups. Henning is doing some neat
Jon Simola wrote:
On 6/5/05, b h [EMAIL PROTECTED] wrote:
Or, could someone please point out something I might
have missed/case of the stupids?
block log all
pass quick on lo all
antispoof quick for lo
The documentation explicitly says not to use antispoof on loopback
interfaces. And
Rob wrote:
I am thinking of combining 2 or 3 different connections to one OpenBSD
3.7 box.
DSL/DSL/and possibly Cable Modem
I know that people use pf (as in the recent discussions) for multiple
connections,
but I am wondering if anyone has experience or opinions on ospfd vs pf
for this
Bernd Bednarz wrote:
Hello,
nat on $pppoe1 from $supp_net to any -> ($pppoe1)
nat on $pppoe2 from $supp_net to any -> ($pppoe2)
rdr on $pppoe2 proto tcp from any to $pppoe2 port 80 -> 10.30.70.43 port 80
pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp from any to $pppoe2
port 80 keep state
Bernd Bednarz wrote:
j knight wrote:
pass out on $dsl2 route-to ($dsl1 $gw1) from $ip1 to any
pass out on $dsl1 route-to ($dsl2 $gw2) from $ip2 to any
Why did you remove them?
because the reply-to rule does the same for me and I don't need both of
them. When I ping the router on tun1
Bernd Bednarz wrote:
I got two connections to the internet and want to do one as my gateway
for everything and the other for request from the outside. Let's have a
look at my example which explains what I want to do.
--snap---
84.158.5.xx(ip1) 84.158.161.xx(ip2)
217.0.116.xx(gw1)
Bernd Bednarz wrote:
j knight schrieb:
Bernd Bednarz wrote:
I was testing much more with this and always got the same result.
nat on $pppoe1 from $supp_net to any -> ($pppoe1)
nat on $pppoe2 from $supp_net to any -> ($pppoe2)
rdr pass on $pppoe2 proto tcp from any to any port 80 -> 10.30.70.43
Abdul Rehman Gani wrote:
pass in on $ext_mail reply-to ($ext_mail $router_addr) proto tcp from
any to $ext_mail port { pop3, smtp, ssh } keep state
All works as expected (and required)
Now I want to use spamd on the mail. But the redirect to spamd happens
before the pass rule above,
eric wrote:
I have a machine with multiple aliases on it. We'll say ext_if=fxp0
(192.168.1.1) and alias_if=192.168.1.2. net_gw=192.168.1.254 is the
gateway.
There is an smtpd on $alias_if that accepts mail. However, when mail is sent
from the host, the source address of any connections is $ext_if
Mike Mentges wrote:
What rules would I need to use to allow the 192 network on my internal
lan to route to the 10net across the ipsec vpn? The tunnel shouldn't
require anything special beyond permitting the specific ipsec ports but
I could be wrong.
You need appropriate rules on the physical
richard thornton wrote:
Hi
Can someone please help, I am configuring the setup below and I am
looking for a good ALTQ configuration for fwo, my ADSL connection off
of sis1 is 1500 kbps Down/256 kbps Up, ath0 is 11G and sis1 is
100baseT?
What I want:
For the 256 kbps up not to get choked, tcp_ack
Lyle Worthington wrote:
So there is no way for me to do this with openbsd and use PF? I don't
know anything about configuring routing in openbsd.
Today must be your lucky day:
http://www.openbsd.org/faq/faq6.html#Setup - of particular interest will
be the Setting up your OpenBSD box as a Gateway
Wouter Coene wrote:
According to j knight ([EMAIL PROTECTED]):
I have been following the following doc:
[http://www.inebriated.demon.nl/pf-howto], and there are examples in
there that filter for only SYN flags in a SYN+ACK mask. Which is
bizarre because if I do that it doesn't work.
That howto is old
alex wilkinson wrote:
pass in log quick on tun0 proto tcp from any port = www to any keep state
pass in log quick on tun0 proto tcp from any port = https to any keep state
Well, that seems proper. However, this is just a guessing game since
you're not posting your entire ruleset :-/
Somewhere
Peter Huncar wrote:
So I create a state that will pass packets belonging to this connection
through both interfaces, on one interface and they will be assigned to the
queue on the other interface without creating any explicit pass rule for
this interface to assign the packet to the correct queue
j knight wrote:
Now throw stateful tracking on top of that. Stateful tracking is like
giving a packet a key that will open the door. When a packet tries to go
either in OR out on an interface, the state entry for that packet will
allow it to pass. And actually, the default behavior
F Walls wrote:
I am trying to port forward a service that accepts UDP traffic on
ports to 7000 and also 29200. However, there is a problem in my
rule-set. I think that the problem exists in my filter/lack of filter
rules. Can anybody help me with this, and perhaps show my how you would
stephen wrote:
Hi all,
Having a little difficulty regarding traffic counting.
post... your... ruleset!
Jon Hart wrote:
Greetings,
In trying to diagnose a problem with ftp-proxy, I stumbled upon
something with pf's rdr that I cannot explain.
Assume a simple firewall ruleset. I had the following rdr line:
rdr pass on $ext_if proto tcp from any to any \
port 21 -> 127.0.0.1 port 2121
That line,
[EMAIL PROTECTED] wrote:
I have now placed my proftp server (normal ftp port) on my private DMZ,
I do a binat in pf.conf and edited my inetd.conf file again to add
this line.
http://www.openbsd.org/faq/pf/ftp.html#natserver
Not exactly what you're doing, but very close. You can skip the rdr
Benjamin Constant wrote:
Hello list,
Hi Benjamin,
...int_if(in) ext_if(ou)---
[station_a] [bsd_box]
[station_b]
---int_if(ou)ext_if(in)
Dotted
[EMAIL PROTECTED] wrote:
This morning I decided to investigate the source of traffic on one of those
interfaces, and found that my ISP is sending quite a few pings. There is a
block of 8 addresses and all are getting pinged at a slow rate, but repeatedly.
The reason ? The system is sending ping
Francis A. Vidal wrote:
I think you're missing a comma in between $host1 and $host2. It should
be:
all_hosts = { $host1, $host2 }
This hasn't been true for some time. The comma is optional.
Jonathan Thornburg wrote:
[ massive snip ]
pf with a filtering ruleset
===
Now for the problem: For real use I've defined a pf ruleset which does
NAT and some filtering (and once I get things working I'll add additional
filtering rules for the Windows subnet):
# macros
MzOzD wrote:
Hello,
I *think* there is a parsing problem in pf. Consider the following rule:
rdr on $ext_if inet proto tcp from outside_to_ssh to $ext_if port 6620
- 192.168.10.2 port 22
where outside_to_ssh is the following table:
table outside_to_ssh persist file /etc/pf/conf/outside_to_ssh,
Ilya A. Kovalenko wrote:
Greetings,
Shall we ever see the HFSC scheduler in the PF FAQ Queueing section?
One day, yes :) I don't use HFSC myself, so I haven't bothered to really
research it (yet).
.joel
simon --- wrote:
Hi
I have been struggling with this for a while. I'm trying to build a pf firewall that acts as a NAT.
[ snip ]
The problem is packets don't seem to route across the firewall.
In addition to Russell's suggestions, please see
http://www.openbsd.org/faq/faq6.html#Setup.2 and all
b h wrote:
Hi
I have a question that seems simple, but I
can't seem to get rdr working properly. Here is some
info... I thought I followed along correctly from the
PF FAQ, and also I've stared at rdr in Absolute
OpenBSD, but doesn't seem to work. Maybe it is just
my testing method?
Henning Brauer wrote:
that is in practice true for 99% of you.
the state key does not include the interface, but the direction.
as long as routes do not change that is equivalent to being bound to
the interface.
Would you agree then that the behavior of non -current pf is the
equivalent of
Henning Brauer wrote:
On Tue, Jan 06, 2004 at 03:48:36PM -0700, j knight wrote:
Henning Brauer wrote:
that is in practice true for 99% of you.
the state key does not include the interface, but the direction.
as long as routes do not change that is equivalent to being bound to
the interface
Bryan Irvine wrote:
I'm trying to follow the howto locate at
http://www.benzedrine.cx/transquid.html
And I'm having problems.
Are you sure you implemented all the necessary changes to squid.conf?
They are important.
.joel
Predrag Micakovic wrote:
Does anyone have an idea why pf and/or smtp protocol behave in such a
way, and how this could be solved? If it is worth, I am connected via
adsl. The rules that I wrote have been discussed here a million times -
just a standard set of rules that work for all but smtp. Oh,
Daniel Staal wrote:
Since translation occurs before filtering the filter engine will
see packets as they look after any addresses and ports have been
translated. Filter rules will therefore have to filter based on
the translated address and port number.
It is my understanding and
Per olof Ljungmark wrote:
I was reading about OpenVPN in order to make a possible test bed when I
came across the following statement:
* If run through a firewall using OpenBSDs packet filter PF and the
filter rules include a scrub directive, you may get problems talking
to Linux hosts over
Kahlil Erwin S. Talledo wrote:
Hi all,
I have 2 adsl connections... and I decided to do loadbalancing with pf on
openbsd 3.4 and I have the following pf.conf rules...
[ snip ]
everything is working well... the only problem is that I can't seem to ping from
the gateway/firewall itself.. but the
Jason Williams wrote:
Our company firewall is a Watchguard (but goodnews is, our branch
offices are going to be deploying OpenBSD!!)
Ok...since this mail gateway is on the DMZ, I had to setup a rule on our
Company firewall, to allow traffic from the DMZ to our internal mail
server.
As it
Vladimir Potapov wrote:
bash-2.05b# ls -l /var/log/pflog
-rw--- 1 root wheel 3988 Sep 29 20:18 /var/log/pflog
bash-2.05b# /etc/pflogrotate
bash-2.05b# ls -l /home/pflogger
total 12
-rw-r--r-- 1 pflogger users 768 Mar 29 2003 .cshrc
-rw-r--r-- 1 pflogger users 317 Mar 29 2003
Lasse Stig Thomsen wrote:
Hi again.
The nic I use for connecting to the internal network has the IP
10.0.1.1 so I thought that I was covered with the NAT rule, but this part
works now. But how do I filter on which connections I want to accept out
from this box? If the pass out thing isn't the
Hi John,
John wrote:
# NAT and redirect
nat on $ext_if from { $int_if_dmz, $int_if_lan } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port $tcp_services -> ($int_if_dmz)
[snip the rest]
Would it be necessary to have a static route from the LAN to the service
machine for things
Hey Ron,
Ron Rosson wrote:
altq on $external priq bandwidth 356Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
#altq on $external cbq queue { external }
You have two altq on $external lines which is probably where your
problem is. There can only be one
Sean Balch wrote:
I'm running a 3.3 release firewall and am having a simple problem that
I've never had before.
Two nics, external and internal. Internal has ip 192.168.0.1, and all
machines behind it are on 192.168.0.0/24.
using these rules, I cannot get internal traffic to leave the box.
J. Sabino wrote:
Been reading a lot about pf recently, extremely nice software and love
the easy syntax and great features. Something however has me a bit
confused that I've read on this page:
http://www.openbsd.org/faq/pf/filter.html#example
I'm trying to remember what I had in mind when I
james silliman wrote:
Which one should I use, #1 with tun0, or 2 with dc0?
1. nat on tun0 from 192.168.1.0/24 to any -> tun0
This one. Make sure you're using tun0 in your filtering rules as well
because dc0 will only see the encapsulated packets.
.joel
Scircuit wrote:
FtpServer=192.168.0.2
tcp_allow={ 22, 7778 }
rdr on $ExtIF proto tcp from any to any port -> $FtpServer
pass in on $ExtIF inet proto tcp from any to $ExtIF port $tcp_allow \
flags S/SA modulate state
In addition to what Alexey said, read this:
Hi Matt.
Matt Bettinger wrote:
Also, I would like to find out how to pass out more than just www
traffic from the DMZ. Say for instance I wanted to run some other
services or use lynx on the dmz box etc etc.
Add a pass in on $dmz_if rule for each type of traffic you want to
permit. In your
Steve Kersley wrote:
I've looked through the pf(4) manpage and the header files and have written
some code to display values returned from the DIOCGETSTATUS ioctl. Number
of states I can find, but I can't find anything which might correspond to
numbers of packets passed or blocked -
Ed Powers wrote:
Greets.
I'm having an issue with authpf where I can only have one user(_id) connected
at the same time. That is, the authpf.rules file gets loaded and works
properly with the anchors I have set in place in pf.conf, but only if the same
user id logs in. When another id logs in
Ganbaa wrote:
Hi All,
I want to limit bandwidth each node on the backbone. I don't know how to configure pf. Anybody, who know to configure pf, please give me advice.
Ganbaa, what happened to that marvelously detailed email you sent me in
private? That was an excellent problem report. You'll
Fernando Braga wrote:
Hi,
I'm trying to load balance outgoing traffic, as suggested in the newest PF
FAQ. However my config involves a DMZ, an internal interface, and one
external interface bound to two different IPs.
Hi Fernando.
Can you explain a bit more about your Internet connection? Why do
Amir Seyavash Mesry wrote:
I am having an odd problem and I am hoping someone on the list can point out
my error.
Here is my pf.conf, the keepstate on the icmp doesn't seem to be working, it
won't pass the packets out. Ie
I am on host 10.0.0.51, I ping 10.0.4.1(routing table entry is present for
Amir Seyavash Mesry wrote:
Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1.
I.e. the machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network
Amir Seyavash Mesry wrote:
OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1
Maybe this clarifies it now, lol.
I'm sorry, it really doesn't.
Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24
Machine2
Eth0=11.11.11.11
Tony Faoro wrote:
If anyone out there would be so kind as to share a pf.conf they are using
in a similar circumstance that would be great. I'm somewhat new to the
packet prioritizing world and would love some real world examples you all
have had success with.
Hi.
You can find further information
[EMAIL PROTECTED] wrote:
these are the lines within pf.conf that affect pflog0:
ext=fxp1 # External ConnectorXXX.XXX.XXX.XXX N=/30
set loginterface $ext
It's also worth noting that set loginterface has nothing to do with
pflog[d0] but instead controls byte/packet counters.
b bee wrote:
the router talks ipv6 to boxen behind three of the interfaces (not
$ext_if). My external ipv6 connectivity is via a tunnel over v4 (via
$ext_if, obviously). It is fairly simple to classify the traffic of
outgoing ipv6 connections (I just make a pass out on gif0 ... queue
Bryan Irvine wrote:
I'm having problems using an FTP server on a DMZ. I thought initially
the problem was with the ftp-proxy, but I've commented out those lines.
With still no luck.
You're being way too sparse on details, but I'll take a stab at it.
The relevant parts of the pf.conf file are