On 11 January 2017 at 01:58, Harry Duncan wrote:
> Hi Guys,
>
> I get my net connection to my freebsd box by pppoe. I have a /29
> allocation, so I have to add my additional IPs at the public interface on
> my bsd box, so I add them with
>
> ifconfig tun0 alias 121.171.163.226 netmask 255.255.255
On 26 August 2015 at 16:09, Kolontai Andrej <
andrej.kolon...@verwaltung.uni-muenchen.de> wrote:
> >1.5k rules seems like a lot for PF to handle.
> >
> >Is that 1.5k rules you've written in the conf, or 1.5k rules from `pfctl
> -sr | wc -l' ?
>
> Yes, that's what is in the conf files. The latter c
On 25 August 2015 at 17:55, Kolontai Andrej <
andrej.kolon...@verwaltung.uni-muenchen.de> wrote:
> Hello,
>
> I'm new to this list and I hope it's the right place to ask.
>
> We have highly utilized installation of two FreeBSD-machines running
> 10.1-RELEASE, pf and carp. There are about 50 networ
On 23 Jun 2013, at 00:55, Nikos Vassiliadis wrote:
> On 06/22/2013 10:41 PM, Stan Gammons wrote:
>> On Sat, 2013-06-22 at 20:51 +0200, Nikos Vassiliadis wrote:
>>> It seems that people think that pf is unmaintained.
>>> Quite a disheartening thing for the person that did the hard work
>>> to cre
On 22 Jun 2013, at 03:49, Stan Gammons wrote:
> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
> firewall on FreeBSD? Or is IPFW?
On 7 May 2013, at 16:01, Ian FREISLICH wrote:
> Nomad Esst wrote:
>>> Well, tags could help here. With a concrete example of what you want, it
>>> would be easier to suggest a solution.
>>
>>> Regards.
>>
>> Aren't anchors useful as David DeSimone said?
>
> Yes they are. I used to do the fol
On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé wrote:
> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: All traffic is permitted.
> With this option ena
Hello list,
Is there any interest regarding the support of includes in PF's configuration?
As in:
include /etc/pf/interfaces
include /etc/pf/timers
include /etc/pf/tables
...
I for one would dearly love such functionality.
In the meantime, I have taken to splitting our rulesets at work int
On 7/23/12 7:31 AM, Jason Mattax wrote:
>
>
> On 07/22/2012 07:30 PM, Damien Fleuriot wrote:
>>
>> On 23 Jul 2012, at 01:49, jmat...@clanspum.net wrote:
>>
>>> A few weeks ago (I've been trying to debug it myself since then) my pf
>>> firewa
On 23 Jul 2012, at 01:49, jmat...@clanspum.net wrote:
> A few weeks ago (I've been trying to debug it myself since then) my pf
> firewall stopped working fully correctly. The symptom is that I can no longer
> access a variety of websites when I'm behind the firewall. I have verified
> that I can
On 13 April 2012 09:35, Damien Fleuriot wrote:
> On 13 April 2012 09:14, Daniel Hartmeier wrote:
>> But you're not referencing the tables in your rules!
>>
>> From pf.conf(5)
>>
>> persist The persist flag forces the kernel to keep the table even whe
On 13 April 2012 09:14, Daniel Hartmeier wrote:
> But you're not referencing the tables in your rules!
>
> From pf.conf(5)
>
> persist The persist flag forces the kernel to keep the table even when
> no rules refer to it. If the flag is not set, the kernel will
> au
aspects that would affect this outcome.
>
> I am on 8.3-STABLE and the configuration of rules sounds similar to
> yours but I am not exhibiting any problems. Rule order is also key here
> so be sure to check that.
>
>
> On Fri, Apr 13, 2012 at 03:39:44AM +0200, Damien Fleur
.
-- Forwarded message --
From: Damien Fleuriot
Date: 12 April 2012 16:08
Subject: PF - pf not loading non-persist tables from main ruleset on
8.3-PRERELEASE
To: freebsd-sta...@freebsd.org
Hello list,
I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11
I'm experiencing
Glad to hear that worked ;)
On 28 Feb 2012, at 18:57, Chris Bender wrote:
> Dude that was great it worked, I only changed the modulate to keep to work.
>
> Thanks
>
> Sent from my iPhone
>
> On Feb 28, 2012, at 10:17 AM, Damien Fleuriot wrote:
>
>> Regarding
States: 24
>
> ]
>
>
> I do see states changing on this rule @12.
>
> What is the modulate state, I was looking in the book of PF didn't see it as
> modulate, what setting or how to change that?
>
> Lastly, how to disable scrub in tcp reassembly. I am no
On 2/28/12 2:27 AM, csbender wrote:
> Hi Folks,
> it is great to join you.
> I am pretty new to the world of PF so please excuse some ignorance at least
> for
> now.
>
>
>
> I have a PF running freebsd 8.2.
>
> Here is my issue...
>
> I have SMTP rule allowing traffic in and out for cert
On 2/15/12 2:22 AM, Doug Sampson wrote:
> I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
> any incoming mail. I'm using spamd in conjunction with pf. I use a
> combination of natting along with redirections in conjunction with the
> normal pass/block rules.
>
Toggle loggin
On 1/21/12 5:41 PM, Ermal Luçi wrote:
> On Fri, Jan 20, 2012 at 11:04 PM, Walt Elam wrote:
>
>> I would like to help with the development of the PF port for FreeBSD but am
>> not quite sure how to get involved. More specifically, I would like to help
>> get something ported over that accepts th
On 10/17/11 2:50 PM, Eric Masson wrote:
> Hello,
>
> Does the PF 4.5 port present in -current & 9-STABLE support inside NAT
> please (somewhat like the reverse nat available with libalias) ?
>
> Kind Regards
>
> Éric Masson
>
I totally did not understand whatever you're trying to say.
En d'aut
On 25 Sep 2011, at 12:15, h bagade wrote:
> Hello everybody,
>
> Is there any way to dynamically load pf rules? I mean each part of pf rules
> could be loaded and deleted without interruptions to the other parts(e.g.
> loading nat rules first then add only altq rules then delete filter rules).
Hello list,
TLDR: carp interface becomes MASTER for a split second after being
created, even if another MASTER exists on the network with faster
advertisements. Breaks connections. HOWTO prevent?
We've been experiencing this double mastership problem with CARP interfaces.
Allow me to put
On 9/2/11 12:26 PM, Victor Nagoryanskii wrote:
> Hello!
> I've noticed weird behavior of pf port redirection. I have FreeBSD 8.2 box
> which nat'ed my lan. There are some http/mail servers presented in lan, tcp
> port redirection work fine, but udp redirection to my H323 enabled device is
> stran
On 6/27/11 8:51 PM, Schmurfy wrote:
> On 27 June 2011 16:47, Damien Fleuriot mailto:m...@my.gd>> wrote:
>
> On 6/27/11 12:50 PM, Schmurfy wrote:
> >
> > What I wanted to do is to redirect incoming connections on the
> external
> > interface
On 6/28/11 4:25 PM, Espartano wrote:
> On Tue, Jun 28, 2011 at 4:09 AM, Damien Fleuriot wrote:
>>
>> You need to define a dump device then, so that you may extract the
>> kernel's crash dump for analysis.
>
>
> I don't know if there is enough free spa
On 6/27/11 11:34 PM, Espartano wrote:
> Hi People I'm having a problem with my Alix board model 2d3
> (http://pcengines.ch/alix2d3.htm) , Yesterday I compiled and installed
> NanoBSD into my alix board using FreeBSD 8.2 RELEASE, today when I
> tried to configure network interfaces and pf firewall
On 6/27/11 12:50 PM, Schmurfy wrote:
> Hi,
> I just came across a problem with route-to and gif interfaces.
> First, here is my rc.conf:
>
> # Router
> ifconfig_em0="inet 10.11.12.212/24"
> defaultrouter="10.11.12.253"
> gateway_enable="YES"
>
> static_routes="gif_endpoint"
> route_visp="10.11.20
Hey up Mike,
Sorry about the delay, was busy at work ;)
On 6/8/11 3:55 PM, Mike M wrote:
> Hi Damien,
>
> Thanks for helping out, I've provided responses beneath yours below.
>
> On Wed, Jun 8, 2011 at 11:25 PM, Damien Fleuriot <mailto:m...@my.gd>>
Hey up Mike,
My responses in between your own text.
On 6/8/11 9:58 AM, Mike M wrote:
> Hi,
>
> I have an issue with pf where incoming packets matching a particular
> rule, are not being responded to, resulting in public users being
> unable to access a web server. I'm receiving a SYN flood on
On 9 May 2011, at 05:25, Michael wrote:
> Hello,
>
> Is pf in FreeBSD 8.2-R open by default? So that it is NATing and allows
> anything when it fails to load user provided rules?
>
> Michael
On 3/23/11 8:21 AM, andy thomas wrote:
> On Tue, 22 Mar 2011, Damien Fleuriot wrote:
>
>> On 3/22/11 9:58 AM, andy thomas wrote:
>>> -- Forwarded message --
>>> Date: Fri, 28 Jan 2011 08:49:27 + (GMT)
>>> From: andy thomas
>>>
On 3/22/11 9:58 AM, andy thomas wrote:
> -- Forwarded message --
> Date: Fri, 28 Jan 2011 08:49:27 + (GMT)
> From: andy thomas
> To: freebsd-pf@freebsd.org
> Subject: PF port forward problem with Sonicwall VPN
>
> I'm maintaining some OpenBSD-based firewalls and have been real
On 20 Feb 2011, at 23:16, Maxim Khitrov wrote:
> On Sun, Feb 20, 2011 at 4:16 PM, jhell wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell wrote:
On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>
> I heard while ago about packet filte
On 1/28/11 11:29 AM, Damien Fleuriot wrote:
> On 1/27/11 10:44 PM, Jack Vogel wrote:
>>
>> The 8.X kernel is NOT single-threaded. Anything but. And the stack has
>> also been improved, I believe there are still bottlenecks but its far better
>> than the old days.
On 16 Feb 2011, at 21:59, "kevin" wrote:
>> If you only have one gateway, then you have nothing to worry about for
>> this part.
>
> They provide a gateway address for each subnet they allocate to me -- which
> probably is assigned to the same device for them, but I would need to
> establish th
On 2/16/11 5:01 PM, kevin wrote:
>> If you have only 1 upstream interconnection, this won't be a problem for
>> you.
>
> These boxes are in a colocation facility, in a data center. There are
> multiple upstream providers, but I am using the data center's default
> gateways for each allocated subn
On 2/15/11 7:27 PM, kevin wrote:
> I have a generally simplistic question about a potential scenario for a
> FreeBSD PF with multiple gateways/routes.
>
>
>
> The backend network would not consist of local or private IP addresses -
> every device will have a public IP. There will be about 7 pu
On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why PF configuration meant to prevent
>>> brutal SSH attacks doesn't work.
>>>
>>> Here are the relevan
On 2/9/11 10:00 PM, Vadym Chepkov wrote:
>
>
> On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:
>
>> Looks like my previous message didn't make it to the list.
>>
>>
>> @OP: nothing indicates that your table is getting populated correctly.
>>
Looks like my previous message didn't make it to the list.
@OP: nothing indicates that your table is getting populated correctly.
While this doesn't address your main issue, you may want to install
sshguard which will automatically blacklist attackers and populate a
dedicated table.
On 2/8/11
I didn't see anything the author posted to indicate that his abusive hosts
table was being populated.
@OP: install sshguard from the ports
---
Fleuriot Damien
On 8 Feb 2011, at 23:26, "Helmut Schneider" wrote:
>> Could somebody help in figuring out why PF configuration meant to prevent
>> br
On 1/28/11 4:25 PM, Michael wrote:
> On 28/01/2011 09:47, Greg Hennessy wrote:
>>
>> IIRC BPF sees all traffic before PF. DHCP hooks at the BPF layer, so
>> it'll be serviced before any filtering policy applies.
>>
>
> Now that's not cool man.. ;) So is it like there's nothing I can do
> about it?
On 1/27/11 9:58 PM, Jeremy Chadwick wrote:
>
> Kernel folks should be able to talk about this in detail, but my
> understanding is that the kernel itself supports multiple threads, but
> the question is whether or not the drivers or relevant "pieces" (e.g.
> igb(4) driver, pf, TCP stack, etc.) s
On 1/27/11 10:44 PM, Jack Vogel wrote:
>
> The 8.X kernel is NOT single-threaded. Anything but. And the stack has
> also been improved, I believe there are still bottlenecks but its far better
> than the old days.
>
> The igb driver in 8.2 creates up to 8 queues on the right hardware, they
> are
On 1/27/11 9:02 PM, Jack Vogel wrote:
> If you go to 8.2 and the latest driver you will get better stats also,
> ahem...
>
> Jack
>
We'll be doing that as soon as 8.2 hits release, as opposed to
prerelease/rc.
Can never be too careful with this one project, outages would be costly -.-
On 1/27/11 8:57 PM, Jeremy Chadwick wrote:
> On Thu, Jan 27, 2011 at 08:39:40PM +0100, Damien Fleuriot wrote:
>>
>>
>> On 1/27/11 7:46 PM, Sergey Lobanov wrote:
>>> In the message from Friday 28 January 2011 00:55:35, author Damien Fleuriot
>>> wrote:
>
On 1/27/11 7:46 PM, Sergey Lobanov wrote:
> In the message from Friday 28 January 2011 00:55:35, author Damien Fleuriot wrote:
>> On 1/27/11 6:41 PM, Vogel, Jack wrote:
>>> Jeremy is right, if you have a problem the first step is to try the
>>> latest code.
>>
On 1/27/11 6:41 PM, Vogel, Jack wrote:
> Jeremy is right, if you have a problem the first step is to try the latest
> code.
>
> However, when I look at the interrupts below I don't see what the problem is?
> The Broadcom seems to have about the same rate, it just doesn't have MSIX
> (multiple
On 1/27/11 6:37 PM, Jeremy Chadwick wrote:
> On Thu, Jan 27, 2011 at 06:31:29PM +0100, Damien Fleuriot wrote:
>>
>>
>> On 1/27/11 6:27 PM, Jeremy Chadwick wrote:
>>> On Thu, Jan 27, 2011 at 10:57:14AM +0100, Damien Fleuriot wrote:
>>>> Hello list,
On 1/27/11 6:27 PM, Jeremy Chadwick wrote:
> On Thu, Jan 27, 2011 at 10:57:14AM +0100, Damien Fleuriot wrote:
>> Hello list,
>>
>> I have a problem with interrupts, network cards, and PF performance.
>>
>> We have 2 firewalls running FreeBSD 8.0 for the current
On 1/27/11 11:03 AM, Bartosz Stec wrote:
> On 2011-01-27 10:57, Damien Fleuriot writes:
>> Hello list,
>>
>> I have a problem with interrupts, network cards, and PF performance.
>>
> I think you should try with polling(4) enabled and probably increase
> ker
Hello list,
I have a problem with interrupts, network cards, and PF performance.
We have 2 firewalls running FreeBSD 8.0 for the current master and
FreeBSD 8.1 for the backup host, which I upgraded just yesterday.
The servers use CARP for redundancy.
These are rather busy boxes which run PF
On 1/2/11 10:59 PM, j...@experts-exchange.com wrote:
> From studying squid rules, I found the following pf rule set. Does this do
> something similar to what I'm after? I tried something like this but it
> didn't help.
>
> int_if="gem0"
> ext_if="kue0"
>
> rdr on $int_if inet proto tcp from any
On 1/2/11 9:04 PM, j...@experts-exchange.com wrote:
> Here I want :
>
> nn:nn:nn.nn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>
> int_if="lo0"
> ext_if="ed0"
>
> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>
> But no good (it's not able to s
In other software such as HTTP that you took for example, there's this
special X-Forwarded-For header which covers this very need.
IMO you shouldn't have to tweak around with the firewall or the IP stack
to make up for a missing capability but nvm.
Perhaps these 2 PF rules would be of use to you
Hi Jay,
I'm not sure what you're trying to achieve here.
Are you actually using proxy software at all, or only a PF redirect rule?
Are you trying to set up a FORWARD or a REVERSE proxy?
What do you use stunnel for, SSL/TLS connectivity?
On 1/2/11 5:38 AM, j...@experts-exchange.com wrote:
Hello list,
I apologize if the question has been asked already but I couldn't find
it in the ML archives nor in the FreeBSD9 roadmap.
I was wondering if there are plans to mimic OpenBSD's mechanism which
lets one include a subconfig file from the main pf.conf file.
As in:
include "/etc/pf/int