> This isn't a reply to you (Doug), but -- do not blindly use "keep state"
> everywhere!
>
> There's been too many cases I've experienced where using "keep state"
> blindly results in state-mismatch increasing at a very fast rate. When
> I implemented this mentality on our production server
On Wednesday 26 March 2008 17:02:03 Nejc Škoberne wrote:
> I like pf very much and I was planning to use it as a "central"
> firewall at one of the customers like this:
>
>              subnet_3
>                 |
>                 |
> subnet_1 -- PF_firewall --- subnet_2
>                 |
>                 |
>              intern
On Wed, Mar 26, 2008 at 4:42 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>
> Now the opposite, where some host on the Internet attempts to connect to
> 4.4.4.4 on port 22:
>
> somehost -> pfbox = TCP flags SYN set, ACK not set
> = PASS: matches rule #4
> pfbox
Hello,
I like pf very much and I was planning to use it as a "central" firewall at one
of the customers like this:
             subnet_3
                |
                |
subnet_1 -- PF_firewall --- subnet_2
                |
On Wed, Mar 26, 2008 at 03:41:02PM +0100, Dalibor Gudzic wrote:
> From: http://pf4freebsd.love2party.net/
> Status
>
> The port is part of the base system of FreeBSD 5.X as of March, 8th 2004.
>
> - In RELENG_5 - pf is at OpenBSD 3.5
> - In RELENG_6 - pf is at OpenBSD 3.7
> - In RELENG_7
On Wed, Mar 26, 2008 at 04:02:02PM +0100, Dalibor Gudzic wrote:
> On Wed, Mar 26, 2008 at 3:53 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > I'll try to explain it with a very small ruleset and a couple scenarios:
> >
> > $ext_if = network interface that's got a public IP address
> > 4.4.4.4
On Wed, Mar 26, 2008 at 12:47 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> This brings up another situation: there's no version number of pf in
> FreeBSD that I can find. The OpenBSD docs continually say "as of
> OpenBSD x.y". This confuses people, who when using pf under FreeBSD,
> have no
On Wed, Mar 26, 2008 at 3:53 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> I'll try to explain it with a very small ruleset and a couple scenarios:
>
> $ext_if = network interface that's got a public IP address
> 4.4.4.4 = our public IP address
>
> pass out quick all flags S/SA keep state
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Vitaliy Vladimirovich
> Sent: Wednesday, March 26, 2008 6:58 AM
> To: Jeremy Chadwick
> Cc: freebsd-pf@freebsd.org
> Subject: Re[2]: PF rules for internal interface
>
> --- Original Mes
On Wed, Mar 26, 2008 at 09:09:30AM +, Greg Hennessy wrote:
> Jeremy Chadwick wrote:
>> There's been too many cases I've experienced where using "keep state"
>> blindly results in state-mismatch increasing at a very fast rate. When
>> I implemented this mentality on our production servers, our
--- Original Message ---
From: Jeremy Chadwick
To: Vitaliy Vladimirovich
Date: 26 march, 12:00:30
Subject: Re: PF rules for internal interface
> On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > Hello! I have problem with restriction rules for my internal interface.
> >
On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> Hello! I have problem with restriction rules for my internal interface.
> ...
Please don't stick stuff like this all on one line. It's impossible to read.
> This is my rules for $int_if:
>
> pass out quick on $int_if
>
Jeremy Chadwick wrote:
This isn't a reply to you (Doug), but -- do not blindly use "keep state"
everywhere!
Hard cases make for bad laws. I have got to point out the error in the
above statement.
There's been too many cases I've experienced where using "keep state"
blindly results in state-m
Hello! I have problem with restriction rules for my internal interface. This is
my rules for $int_if:

pass out quick on $int_if
block in on $int_if
pass in on $int_if from $mynet to any

But in this situation computers from another subnets can ping my internal
interface. Where is my mistake? Thank