I'm wondering what kind of systems pf is being used in, is it being used
in larger environments? I'm thinking of using it as the gateway for a
150+ computer network.
Bryan
On Fri, Dec 20, 2002 at 07:45:09AM -0800, Bryan Irvine wrote:
> I'm wondering what kind of systems pf is being used in, is it being used
> in larger environments? I'm thinking of using it as the gateway for a
> 150+ computer network.
check out http://www.benzedrine.cx/henning.txt
On 20/12/2002, Bryan Irvine <[EMAIL PROTECTED]> wrote To
[EMAIL PROTECTED]:
> I'm wondering what kind of systems pf is being used in, is it being used
> in larger environments? I'm thinking of using it as the gateway for a
> 150+ computer network.
No problem, we use it at customers with ~500 or
On Sat, Dec 21, 2002 at 02:45:40PM +0100, Philipp Buehler - sysfive.com GmbH wrote:
> state table search rates are typically 300-500/s and traffic up to
well my latest peak is 38640 states, and 16440 searches/s, on a Duron 700
being >>90% idle all the time.
hi all,
the most heavily loaded site I tested for 24 hours was a PIII 1.36 Tualatin with an average
state count of 30K-43K and a CPU load average of %20-%35 ...
-zd
Henning Brauer wrote:
On Sat, Dec 21, 2002 at 02:45:40PM +0100, Philipp Buehler - sysfive.com GmbH wrote:
state table search rates are t
On 21/12/2002, Zafer Dastan <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> hi all,
> the most heavily loaded site I tested for 24 hours was a PIII 1.36 Tualatin with an
> average state count of 30K-43K and a CPU load average of %20-%35 ...
i guess you use cheap NICs, or the machine is doing other stuff, too
dmesg
hi all,
actually it was several months ago with 3.1-current, and i did not note
exact values, to tell the truth, we were looking whether it will crash or
not, because i observed that max # of states was 2K before this site, (sometimes,
change in # of states was up to ~5K between two measurem
A thread was kind of started over on @misc about pf for live failover,
but it seems to have died.
I figured this might be a better place to ask as it's all about PF!! :-)
Is there a way using PF to do a live failover?
perhaps have a machine that is used to do reflection? But what i
Hi Folks
We have a requirement where we want to limit each IP address to a set
bandwidth. To be explicit we have a wireless network which is connected
to our main network and the Internet through a firewall. We have things
set up so that each user on the wireless network can send no more than
12
On Wed, Apr 02, 2003 at 09:49:26AM -0800, Bryan Irvine wrote:
> Is there a way using PF to do a live failover?
>
> perhaps have a machine that is used to do reflection? But what if the
> reflector dies? hmmm
>
> How would this best be accomplished?
http://marc.theaimsgroup.c
Replying to myself :(
Two ways of doing this occur to me:
1. tail the dhcp logs and dynamically add rules for IPs as they are
allocated -- reload an anchor each time a user joins or leaves the
wireless network. This is inherently fragile :(
2. define queues for all possible IP
On Fri, 2007-31-08 at 13:17 +1200, Russell Fulton wrote:
> Hi Folks
>
> We have a requirement where we want to limit each IP address to a set
> bandwidth. To be explicit we have a wireless network which is connected
> to our main network and the Internet through a firewall. We have things
> set
Thanks for your response Paul (and Andrew).
I had read this doc and if this is straight forward then I am clearly
missing something (it would not be the first time ;). I can't see how
to get individual child queues, each of 128Kbps for each active IP
address on the inside with out defining them a
I take it from the silence that the answer is that pf lacks this
functionality at the moment. Bother :)
What would the overhead be of setting up a queue for every source
address (1024 of them) ? Will this impact performance?
R
Russell Fulton wrote:
> Thanks for your response Paul (and Andrew
On Mon, Sep 03, 2007 at 10:22:53PM +1200, Russell Fulton wrote:
> I take it from the silence that the answer is that pf lacks this
> functionality at the moment. Bother :)
Yes, that's correct.
> What would the overhead be of setting up a queue for every source
> address (1024 of them) ? Will
hello ,
I wondered if anyone could assist me in writing a simple packet filter firewall
on my OpenBSD v4.5.
All I intend doing is to have two firewalling machine on a separate network :
192.168.1.1
ext_if = xl0 (dhcp) // Internet interface
int_if = xl1 // Internal interface
192.168.2.2
Hi everybody,
I've been using pf on my home LAN for a while and now have an opportunity to use
it at work.
Here's the problem: Company has several branches, connected over VPN and a central
Exchange server. Because of the slow connections to the internet and large number of bran
hello list,
i am getting this very vague impression that the role
squid has been playing in the past is vanishing.
but as someone who is working near schools, i need
content filtering and reading about relaydb i thought
maybe pr0n sites could be filtered as well.
suppose i have a list of bad sit
Howdy,
Is it possible to rewrite packet payloads with pf, or failing that, some other
tool on OpenBSD? I want to replace a series of four bytes with a different
four bytes every time it occurs in the payload of an outgoing packet, but
extensive Googling hasn't turned up anything. The reaso
On Monday, Jul 7, 2003, at 12:47 US/Pacific, ALEX POPOV wrote:
Here's the problem: Company has several branches, connected over VPN and a central
Exchange server. Because of the slow connections to the internet and large number of
branches/users email is incredibly slow especially during mor
I'm currently running a slightly patched version of 3.4:
OpenBSD bute.gw.utoronto.ca 3.4 FIREWALL2#0 i386
When I try to perform what seems to be the simplest of
macros (the one given in the man page) I get a syntax
error:
# cat qwe.conf
ext_if = "kue0"
all_ifs = "{" $ext_
if you had a list of ip addresses of said p0rn sites you could simply have a
shell script read the list and call pfctl to block the ip address of the site;
given the list of "bad" sites this is fairly easily achievable...
Dan
Quoting franciszek holop <[EMAIL PROTECTED]>:
> hello list,
>
> i am ge
Jeff said the following on 10/13/05 00:50:
Howdy,
Is it possible to rewrite packet payloads with pf, or failing that, some other
tool on OpenBSD? I want to replace a series of four bytes with a different
four bytes every time it occurs in the payload of an outgoing packet, but
extensive G
> all_ifs = "{" $ext_if lo0 "}
You forgot a quote in this line. It should be
all_ifs = "{" $ext_if lo0 "}"
Kind regards
Julien
On Wed, Oct 01, 2003 at 04:26:35PM -0400, Russell P. Sutherland wrote:
> When I try to perform what seems to be the simplest of
> macros (the one given in the man page) I get a syntax
> error:
>
> # cat qwe.conf
> ext_if = "kue0"
> all_ifs = "{" $ext_if lo0 "}
>
> # pfctl
* Jolan Luff ([EMAIL PROTECTED]) [ 1 Oct 2003 17:01]:
> > Is there a basic bug or am I making a fundamental mistake.
>
> You're missing a quote.
Thanks. Blush.
But here's a snippet from my real "problem":
$ cat asd.conf
# Interface definitions and directions
canet = "f
On Wed, Oct 01, 2003 at 05:25:42PM -0400, Russell P. Sutherland wrote:
> But here's a snippet from my real "problem":
> classB2 = "143.150.0.0/16"
> classB3 = "143.151.0.0/16"
>
> res_net = "{" $classB3 $classB2 "}"
>
> classB2 = "143.150.0.0/16"
> classB3 = "143.151
On Wed, Oct 01, 2003 at 04:53:54PM -0500, Jolan Luff wrote:
> On Wed, Oct 01, 2003 at 05:25:42PM -0400, Russell P. Sutherland wrote:
> > But here's a snippet from my real "problem":
> > classB2 = "143.150.0.0/16"
> > classB3 = "143.151.0.0/16"
> >
> > res_net = "{" $classB3 $classB2 "}
Hello list
I've taken normal steps to secure ssh (via key only) but, because it
is still on the normal port (22), I keep seeing attempts like this in my
auth log:
Feb 16 04:36:13 shell sshd[28127]: Received disconnect from
218.108.234.158: 11: Bye Bye
Feb 16 04:36:17 shell sshd[8049]: Received di
John <[EMAIL PROTECTED]> writes:
> This is every couple of seconds as you can see. What i'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the connection. Can pf do
On Fri, Feb 16, 2007 at 11:00:20AM -0500, Josh Grosse wrote:
> On Fri, Feb 16, 2007 at 04:50:10AM +, John wrote:
> > ...What i'd like is to
> > allow max 2 failures from one IP in 30 seconds, if more than that write
> > to /etc/shitlist.txt which, if the connecting IP is found in there, logs
>
On 04:50, Fri 16 Feb 07, John wrote:
> Hello list
>
> I've taken normal steps to secure ssh (via key only) but, because it
> is still on the normal port (22), I keep seeing attempts like this in my
> auth log:
>
> This is every couple of seconds as you can see. What i'd like is to
> allow max 2 f
On Fri, Feb 16, 2007 at 04:50:10AM +, John wrote:
> Hello list
>
> I've taken normal steps to secure ssh (via key only) but, because it
> is still on the normal port (22), I keep seeing attempts like this in my
> auth log:
> [...]
> 218.108.234.158: 11: Bye Bye
> Feb 16 04:37:25 shell sshd[28
On Fri, Feb 16, 2007 at 04:50:10AM +, John wrote:
> ...What i'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the connection. Can pf do this?
Yes, it can do th
* Jérôme Magnin <[EMAIL PROTECTED]> [2007-02-16 21:00]:
> you can use expiretable [1] combined with pf to solve this issue.
since I added
pfctl -t tablename -T expire 3600
to -current/soon 4.1, this is kinda obsolete.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, htt
On Fri, Feb 16, 2007 at 04:50:10AM +, John wrote:
> This is every couple of seconds as you can see. What i'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the c