Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-27 Thread Henning Brauer
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-10-26 16:11]: > so you said that you could inject bad things on some level to give trouble and > shake > on STP? yeah sure. just send a BPDU which makes the switch think it needs to block some rather important link. there is no kind of authentication in
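
Added example, not code from the thread or from any of the posters: what "no kind of authentication" means at the byte level. The block encodes an IEEE 802.1D Configuration BPDU, decodes it again, and applies the ordering a bridge uses to decide whether a received BPDU is better than the root it already knows. Every field a bridge compares is plain, unsigned data chosen by whoever sends the frame; the MAC addresses and frames below are constructed, and the priority-0 "rogue" bridge is hypothetical. Nothing is sent on the wire.

```python
"""Encode/decode IEEE 802.1D Configuration BPDUs and run the root-election
comparison a bridge applies to them. Added example, not code from the thread;
all MAC addresses and frames below are constructed."""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
LLC_STP = bytes([0x42, 0x42, 0x03])       # DSAP/SSAP 0x42, UI control field
BPDU_FMT = "!HBBBH6sIH6sHHHHH"            # Configuration BPDU, 35 bytes
BPDU_LEN = struct.calcsize(BPDU_FMT)
ETH_HDR = 14


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_config_bpdu(root_prio: int, root_mac: str, root_cost: int,
                      bridge_prio: int, bridge_mac: str, port_id: int = 0x8001,
                      flags: int = 0, msg_age: int = 0, max_age: int = 20,
                      hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Timers are carried in 1/256 s units; arguments are in seconds."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, 0x00, flags,
                       root_prio, mac(root_mac), root_cost,
                       bridge_prio, mac(bridge_mac), port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)


def build_frame(src_mac: str, bpdu: bytes) -> bytes:
    """802.3 frame: the length field covers LLC header plus BPDU (38 bytes).
    No field anywhere in this frame authenticates the sender."""
    length = struct.pack("!H", len(LLC_STP) + len(bpdu))
    return STP_MCAST + mac(src_mac) + length + LLC_STP + bpdu


def parse_frame(frame: bytes):
    """Return the BPDU fields of an STP frame, or None if it is not one."""
    if (len(frame) < ETH_HDR + len(LLC_STP) + BPDU_LEN
            or frame[:6] != STP_MCAST or frame[ETH_HDR:ETH_HDR + 3] != LLC_STP):
        return None
    start = ETH_HDR + len(LLC_STP)
    f = struct.unpack(BPDU_FMT, frame[start:start + BPDU_LEN])
    if f[0] != 0 or f[2] != 0:        # protocol id 0, type 0 = Configuration
        return None
    return {
        "sender_mac": frame[6:12],
        "root_id": (f[4], f[5]), "root_cost": f[6],
        "bridge_id": (f[7], f[8]), "port_id": f[9],
        "message_age": f[10] / 256, "max_age": f[11] / 256,
        "hello_time": f[12] / 256, "forward_delay": f[13] / 256,
    }


def priority_vector(b: dict) -> tuple:
    """802.1D ordering: root ID, root path cost, sender bridge ID, port ID;
    lower wins at every step, so priority 0 beats the default 32768."""
    return (b["root_id"], b["root_cost"], b["bridge_id"], b["port_id"])


def is_superior(candidate: dict, current: dict) -> bool:
    """Would a bridge holding `current` replace it with `candidate`?"""
    if candidate["message_age"] >= candidate["max_age"]:
        return False                  # stale information is discarded
    return priority_vector(candidate) < priority_vector(current)


def unexpected_root(frame: bytes, expected_root_mac: str) -> bool:
    """Monitoring check: True if a BPDU claims a root other than the one we expect."""
    b = parse_frame(frame)
    return b is not None and b["root_id"][1] != mac(expected_root_mac)


def demo() -> bool:
    """Legitimate root (default priority 32768) versus a host that simply
    claims priority 0: the host's BPDU wins the comparison."""
    legit = build_frame("00:11:22:33:44:55", build_config_bpdu(
        32768, "00:11:22:33:44:55", 0, 32768, "00:11:22:33:44:55"))
    rogue = build_frame("02:00:00:00:00:01", build_config_bpdu(
        0, "02:00:00:00:00:01", 0, 0, "02:00:00:00:00:01"))
    return is_superior(parse_frame(rogue), parse_frame(legit))


if __name__ == "__main__":
    print("rogue BPDU wins root election:", demo())
```

The defensive half is unexpected_root(): fed the BPDUs seen on a span or monitor port, it fires as soon as anything other than the bridge you designated starts claiming the root role, which is the symptom of the attack Henning describes. The usual mitigation is to have the switch refuse BPDUs on ports facing hosts at all (vendor names vary: BPDU guard, root guard), since the protocol itself gives you nothing to verify.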

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-26 Thread Can Erkin Acar
On Fri, Oct 26, 2007 at 01:59:57PM +0200, [EMAIL PROTECTED] wrote: > so you said that you could inject bad things on some level to give trouble and > shake > on STP? This is right, you can have fun with most L2 protocols out there; check out http://www.yersinia.net/ for instance. > According to Henning Br

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-26 Thread Dylan Martin
I'm going to repeat myself here because this has caused me countless headaches: Understand how switches figure out which port goes to which host. This can really bite you. Here's an example: Packet from SERVERS intended for INTERNET hits SW2, SW2 learns which port SERVERS is on. SW2 does a discov

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-26 Thread secucatcher
so you said that you could inject bad things on some level to give trouble and shake on STP? According to Henning Brauer <[EMAIL PROTECTED]>: > * Russell Fulton <[EMAIL PROTECTED]> [2007-10-25 10:09]: > > Henning Brauer wrote: > > > so get a little transfer net and make your upstream adjust his routes > >

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-26 Thread secucatcher
thank you, people, for all the advice. i will write some documentation if i have a bit of time, and for the firm. it is just simple, if you have the schematic in your head: fW --- - ---INTERNET[SW |pfsync SW]-SERVERS -FW I t

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-26 Thread Henning Brauer
* Russell Fulton <[EMAIL PROTECTED]> [2007-10-25 10:09]: > Henning Brauer wrote: > > so get a little transfer net and make your upstream adjust his routes > > > > otherwise you need a bridge indeed, but you really want to avoid that > > if you have a chance to go for regular routed with carp etc.

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-25 Thread Russell Fulton
Henning Brauer wrote: > so get a little transfer net and make your upstream adjust his routes > > otherwise you need a bridge indeed, but you really want to avoid that > if you have a chance to go for regular routed with carp etc. > > we also run redundant bridges -- we have two physical pat

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Jeremie Le Hen
t access to all the servers > and no alarm because the nagios was behind the firewall. > the box had linux iptables and proxy arp. > > > [internet]---public IP--[linux box]-all the servers(public ip's) > > the IP of the box is in the same subnet as the servers >

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Dylan Martin
all the servers > and no alarm because the nagios was behind the firewall. > the box had linux iptables and proxy arp. > > > [internet]---public IP--[linux box]-all the servers(public ip's) > > the IP of the box is in the same subnet as the servers > a

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread secucatcher
it works with STP and pfsync. it took me just less than one hour: just cheap switches without STP, then STP on the OpenBSD interfaces in the bridge... ifconfig, brconfig and pf :) the failover works well, between 30s and a few minutes. needs more tests but a nice start.

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Henning Brauer
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-10-24 13:06]: > According to "Peter N. M. Hansteen" <[EMAIL PROTECTED]>: > > > [EMAIL PROTECTED] writes: > > > > > i was thinking of a bridge firewall with OpenBSD, and maybe CARP to be > > redundant, > > > but CARP does not work with bridge > > > > I'd think

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread secucatcher
king (filtering and redundant, maybe with QoS) and keep it as simple as we can. i have a class A public IP subnet with /24: xx.xxx.xxx.1 is the GW of the datacenter; xx.xxx.xxx.252 is our proxy ARP/iptables box; xx.xxx.xxx.2->xx.xxx.xxx.254 are the public servers (xx.xxx.xxx is the same number here)

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Stuart Henderson
On 2007/10/24 12:29, Peter N. M. Hansteen wrote: > [EMAIL PROTECTED] writes: > > >> then. Bridges generally make it harder to debug and, as you say, it > >> takes your main redundancy feature off the table. Why not just a > >> carp/pfsync setup? > > > > because i'm in the same subnet > > if not, ca

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread secucatcher
According to "Peter N. M. Hansteen" <[EMAIL PROTECTED]>: > [EMAIL PROTECTED] writes: > > > i was thinking of a bridge firewall with OpenBSD, and maybe CARP to be > redundant, > > but CARP does not work with bridge > > I'd think really hard about why you would want to make it a bridge > then. Bridges gen

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Peter N. M. Hansteen
[EMAIL PROTECTED] writes: >> then. Bridges generally make it harder to debug and, as you say, it >> takes your main redundancy feature off the table. Why not just a >> carp/pfsync setup? > > because i'm in the same subnet > if not, carp will be the solution, no? still don't see how a bridge would

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Peter N. M. Hansteen
[EMAIL PROTECTED] writes: > i was thinking of a bridge firewall with OpenBSD, and maybe CARP to be > redundant, > but CARP does not work with bridge I'd think really hard about why you would want to make it a bridge then. Bridges generally make it harder to debug and, as you say, it takes your m

linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread secucatcher
iptables and proxy arp. [internet]---public IP--[linux box]-all the servers(public ip's) the IP of the box is in the same subnet as the servers, and all the interfaces on the Linux box have the same public IP. i was thinking of a bridge firewall with OpenBSD, and maybe CARP to be redu

Re: Top 10 reasons IPTABLES is better than PF

2004-10-23 Thread Ed
On Thu, 21 Oct 2004 10:37:56 -0700 Jeff Simmons <[EMAIL PROTECTED]> wrote: > Well, someone DID mention porting PF to Linux. (Just for grins, take a > look at the Linux QOS/traffic shaping subsystem, and then imagine > getting PF to interface with THAT

Re: Top 10 reasons IPTABLES is better than PF

2004-10-23 Thread R. Payne
I guess the lesson here is: No more witty cynicisms unless you intend to also translate it into other languages to make sure everyone knows you are only joking. A couple of people now have spent god-knows how long responding to your every point to prove how wrong you are. IOW: It was only a jo

Re: Top 10 reasons IPTABLES is better than PF

2004-10-22 Thread mzozd
Jeff Simmons wrote: 10. Parsing IPTABLES config files excellent preparation for subsequent learning of Asian pictograph-based languages. 9. Standard logging via syslogd helps eliminate clutter in /var/log. We should probably log everything to one file, right? Many people need the files

Re: Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread Jeff Simmons
On Thursday 21 October 2004 01:23, eric wrote: > > 8. GPL prevents Steve Jobs from stealing your code. > > What's wrong with making the computer industry better? Have you > contributed to this project? Probably not. So what does it matter to > you? Hopefully Microsoft would use pf one day; it mean

Re: Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread A
Gold Jerry.. GOLD! Andrew "Why do they call it ovaltine.. the cup is round, the tin is round... they should call it round-tine." --- Jeff Simmons <[EMAIL PROTECTED]> wrote: > 10. Parsing IPTABLES config files excellent preparation for > subsequent > learning

Re: Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread eric
On Wed, 2004-10-20 at 20:33:57 -0700, Jeff Simmons proclaimed... > 9. Standard logging via syslogd helps eliminate clutter in /var/log. Right. > 8. GPL prevents Steve Jobs from stealing your code. What's wrong with making the computer industry better? Have you contributed to this project? Prob

Top 10 reasons IPTABLES is better than PF

2004-10-21 Thread Jeff Simmons
10. Parsing IPTABLES config files excellent preparation for subsequent learning of Asian pictograph-based languages. 9. Standard logging via syslogd helps eliminate clutter in /var/log. 8. GPL prevents Steve Jobs from stealing your code. 7. Simplistic man pages encourage development of social

Re: Weird iptables logs from servers behind pf transparent bridge

2003-12-12 Thread Daniel Hartmeier
On Sat, Dec 13, 2003 at 01:47:28AM +0200, Toni Riekkinen wrote: > $IPT -A FLAGS -m state --state INVALID -m limit --limit 5/minute -j > LOG --log-level debug --log-prefix "INVALID: " As far as I understand iptables, this will block packets invalid in context of state lookups,

Weird iptables logs from servers behind pf transparent bridge

2003-12-12 Thread Toni Riekkinen
This is a cross pf/iptables related problem: These are logs from linux servers with iptables, which I started getting after I added an openbsd fw (transparent bridge) to protect those servers (DMZ): INVALID: IN=eth0 OUT= MAC= SRC= DST= LEN=56 TOS=0x00 PREC=0x00 TTL=57 ID=60965 PROTO=ICMP TYPE=3 CODE
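
Added example, not code from the thread or from Toni: a parser for the KEY=VALUE lines that the netfilter LOG target writes through syslog, plus a small triage pass that groups the INVALID hits by protocol and, for ICMP errors, by type/code and the original packet quoted inside the error. The sample lines are constructed (RFC 5737 documentation addresses, made-up host name and MACs) and only follow the shape of the log excerpt above; the 56-byte ICMP type 3 entry mirrors it, the TCP and ACCEPT lines are added to show the other cases the parser has to handle.

```python
"""Parse netfilter LOG lines (the KEY=VALUE format the kernel sends to syslog)
and summarise INVALID-state hits by protocol and ICMP type/code. Added
example, not code from the thread; the sample lines are constructed with
RFC 5737 documentation addresses and follow the layout of Toni's log."""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 13 01:40:12 web1 kernel: INVALID: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=57 ID=60965 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=198.51.100.9 LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=33435 DPT=33436 LEN=8 ]
Dec 13 01:40:15 web1 kernel: INVALID: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=4321 DF PROTO=TCP SPT=61522 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Dec 13 01:40:19 web1 kernel: INVALID: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=57 ID=60970 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=198.51.100.9 LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=33435 DPT=33437 LEN=8 ]
Dec 13 01:40:22 web1 kernel: ACCEPT: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str):
    """Split one LOG line into {prefix, fields, flags, inner}; None if it is
    not a netfilter LOG line. `inner` holds the quoted original packet that
    ICMP error messages carry between [ ]."""
    idx = line.find(" IN=")
    if idx < 0:
        return None
    head = line[:idx]
    prefix = head.split("kernel:", 1)[1].strip() if "kernel:" in head else head.strip()
    body = line[idx + 1:]
    inner = None
    if "[" in body:
        body, _, rest = body.partition("[")
        # a second LEN= (the UDP length) overwrites the quoted IP LEN here
        inner = dict(KV_RE.findall(rest.rsplit("]", 1)[0]))
    fields = dict(KV_RE.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}   # DF, SYN, ACK, ...
    return {"prefix": prefix, "fields": fields, "flags": flags, "inner": inner}


def describe(rec: dict) -> str:
    """Short key for grouping: protocol, plus ICMP type/code and the quoted
    flow for ICMP errors."""
    f = rec["fields"]
    proto = f.get("PROTO", "?")
    if proto != "ICMP":
        return f"{proto} dpt {f.get('DPT', '?')} {' '.join(sorted(rec['flags']))}".strip()
    key = f"ICMP type {f.get('TYPE', '?')} code {f.get('CODE', '?')}"
    inner = rec["inner"] or {}
    if inner.get("PROTO"):
        key += f" about {inner['PROTO']} {inner.get('SPT', '?')}->{inner.get('DPT', '?')}"
    return key


def quotes_own_packet(rec: dict) -> bool:
    """True when an ICMP error quotes a packet this host sent (inner SRC ==
    outer DST): conntrack should have known that flow, so INVALID here means
    the state entry was missing or had already expired."""
    inner = rec["inner"] or {}
    return inner.get("SRC") == rec["fields"].get("DST")


def summarise_invalid(lines):
    """Count INVALID-prefixed entries by describe(); other prefixes are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["prefix"].startswith("INVALID"):
            counts[describe(rec)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise_invalid(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {key}")
```

Run it over the real file instead of SAMPLE_LOG and the grouping tells you at a glance whether the rule `-m state --state INVALID ... -j LOG` is catching random junk from the Internet (stray ACKs to port 80, as in the second sample line) or, as in the excerpt above, ICMP unreachables that quote packets the server itself sent; quotes_own_packet() isolates the latter, which is the set worth correlating with what the transparent bridge in front of the servers is doing to the flow.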

RE: pf <---> iptables

2003-12-10 Thread Dom De Vitto
AIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philipp Buehler Sent: Wednesday, December 10, 2003 7:08 AM To: Arno Hechenberger Cc: [EMAIL PROTECTED] Subject: Re: pf <---> iptables On 09/12/2003, Arno H

Re: pf <---> iptables

2003-12-10 Thread Philipp Buehler
On 09/12/2003, Arno Hechenberger <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]: > Is anyone out there who knows real arguments for iptables or pf? I > should evaluate a packet filter for a company with 73 internet access > points where one of these should become suitable. > &

Re: pf <---> iptables

2003-12-09 Thread Henning Brauer
On Tue, Dec 09, 2003 at 09:04:46PM +0100, Arno Hechenberger wrote: > - iptables is mostly always more performant if you're stateless, yes. > - pf (former ipf) is inspecting every packet 2 times pf is not former ipf. > - iptables (now, not ipchains) is now also stateful and

pf <---> iptables

2003-12-09 Thread Arno Hechenberger
hello! i've read "all the available on line material" which is available on the web regarding these two (stateful) packet filters. - iptables is mostly always more performant - pf (former ipf) is inspecting every packet 2 times - linux ip stack is not as robust as the obsd pen

Re: iptables

2003-02-06 Thread Dries Schellekens
On Thu, 6 Feb 2003, Daniel Hartmeier wrote: > On Thu, Feb 06, 2003 at 07:05:26PM +0100, Dries Schellekens wrote: > > > Does PF protect against the "Crikey CRC Flood" (described in > > http://www.kb.cert.org/vuls/id/539363)? I know that protection against > > p60-0x0c.txt was added; does this protect

Re: iptables

2003-02-06 Thread Michiel van Baak
checks. > > I can't help but giggle when people start comparing iptables/ipf/pf on > the basis of how "slow" they are. Do you people (the ones asking these > stupid questions) realize _just_how_FAST_ this code is? Just how little > resources you need to saturate your

Re: iptables

2003-02-06 Thread Daniel Hartmeier
On Thu, Feb 06, 2003 at 07:05:26PM +0100, Dries Schellekens wrote: > Does PF protect against the "Crikey CRC Flood" (described in > http://www.kb.cert.org/vuls/id/539363)? I know that protection against > p60-0x0c.txt was added; does this protect against this C2 Flood as well? A "C2 flood" is nothi

Re: iptables

2003-02-06 Thread Dries Schellekens
On Thu, 6 Feb 2003, Daniel Hartmeier wrote: > > Stateful is not a solution because it introduces a strong flaw inside > > your firewall... The connection table (used to remember the state of > > each connection) is using a limited resource of the kernel: memory. > > Of course. See > > http://ww

Re: iptables

2003-02-06 Thread Jason Dixon
low (I might be wrong!!!). > > pf is not close to being slow. in fact, it's bleeding fast. > they are a bit faster in some areas because they leave out the sequence > number checks. I can't help but giggle when people start comparing iptables/ipf/pf on the basis of how "

Re: iptables

2003-02-06 Thread Daniel Hartmeier
On Thu, Feb 06, 2003 at 03:22:35PM +0100, Emmanuel Fleury wrote: > What are the arguments in favor of having two separate interfaces better > than one forward chain ? It gives the admin more options to express a filter policy. You can decide what interfaces a forwarded connection may arrive in th

Re: iptables

2003-02-06 Thread Emmanuel Fleury
On Thu, 2003-02-06 at 15:37, Henning Brauer wrote: > > of course, "optimized representation" is such a meaningless word that > everything can be claimed to fit ;-) I was meaning this sort of representation: http://www.brics.dk/RS/02/43/BRICS-RS-02-43.ps.gz Regards -- Emmanuel Fleury Computer Sc

Re: iptables

2003-02-06 Thread Henning Brauer
On Thu, Feb 06, 2003 at 03:22:35PM +0100, Emmanuel Fleury wrote: > Stateful is not a solution because it introduces a strong flaw inside > your firewall... The connection table (used to remember the state of > each connection) is using a limited resource of the kernel: memory. this is pretty irre

Re: iptables

2003-02-06 Thread Emmanuel Fleury
st consisted of exactly, and what > reasons possibly explain the result. The stateful test didn't involve > iptables at all, so we're talking about stateless filtering with an > increasing number of rules, which were chosen in such a way that each > packet caused a full evaluation

Re: iptables

2003-02-06 Thread Henning Brauer
On Thu, Feb 06, 2003 at 01:42:45PM +0100, Emmanuel Fleury wrote: > But, I wonder why they are faster than pf! > Because there is no obvious relation between the fact that pf is more > secure and the fact that it is slow (I might be wrong!!!). pf is not close to being slow. in fact, it's bleedin

Re: iptables

2003-02-06 Thread Daniel Hartmeier
d come to this conclusion. It's mostly brought up by people who didn't read the text but were looking only at the graphs. The text explains what the two test consisted of exactly, and what reasons possibly explain the result. The stateful test didn't involve iptables at all, so

Re: iptables

2003-02-06 Thread Emmanuel Fleury
On Thu, 2003-02-06 at 13:20, Daniel Hartmeier wrote: > On Thu, Feb 06, 2003 at 01:12:37PM +0100, [EMAIL PROTECTED] wrote: > > > Any info/URL about that ? > > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html > http://www.netfilter.org/documentation/HOWTO

Re: iptables

2003-02-06 Thread Daniel Hartmeier
On Thu, Feb 06, 2003 at 01:12:37PM +0100, [EMAIL PROTECTED] wrote: > Any info/URL about that ? http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.10 http://marc.theaimsgroup.com/?l=netfil

Re: iptables

2003-02-06 Thread przemolicc
On Thu, Feb 06, 2003 at 11:15:22AM +0100, Dries Schellekens wrote: >[...] but iptables doesn't do proper > stateful firewalling. [...] Any info/URL about that? przemol

Re: iptables

2003-02-06 Thread Daniel Hartmeier
On Thu, Feb 06, 2003 at 11:15:22AM +0100, Dries Schellekens wrote: > benzedrine.cx was temporarily unreachable. The problem seems to be solved > now (because this mailing list seems to work again). Wednesday 6:15pm, uplink dies. Router says PPP authentication fails. Of course, all staff of the 'ISP

Re: iptables

2003-02-06 Thread Attila Nagy
Hello, > I was recently pointed to a paper on the internet that talked about the > speed improvements of iptables vs pf. Unfortunately the paper is no > longer there. The paper was linked from deadly.org here > http://www.deadly.org/article.php3?sid=20020617203813 I think you are t