>
> If you must do this then please consider adding a /boot/loader.conf setting
> instead of kernel configuration option. The option could be read only on
> running system or dependent on securelevel(7).
>
+1
Greg
>
> On 07/24/2012 01:07 AM, Daniel Hartmeier wrote:
> > What's the client OS?
> >
> The client OS for this test is Ubuntu 12.04 LTS
>
> jmattax@chani:~/pf_debugging$ uname -a
> Linux chani 3.2.0-26-generic #41-Ubuntu SMP Thu Jun 14 16:26:01 UTC 2012
> i686 i686 i386 GNU/Linux
>
> > It looks like
> From: Tonix (Antonio Nati) [mailto:to...@interazioni.it]
> Sent: Saturday, 21 July 2012 11:49 PM
> To: Greg Hennessy
> Cc: freebsd-pf@freebsd.org
> Subject: Re: Question on packet filter using in and out interfaces
>
> Il 20/07/2012 02:44, Greg Hennessy ha scritto:
> >
For PF I would tend to filter on the ingress interface, tag flows passed by
policy and put a generic pass rule on the egress interface permitting the
tagged flow.
The only exception would be assignment of specific flows for shaping.
Greg
> -Original Message-
> From: owner-freebsd..
Put the vlan interfaces into an interface group and nat that...
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Behalf Of just man man
> Sent: Friday, 6 April 2012 9:51 AM
> To: freebsd-pf@freebsd.org
> Subject: nat vlan
>
> How to
[SNIP]
I suppose I could e-mail the original PF list to figure that out though.
[SNIP]
Pack your flak jacket and kevlar cricket box ;-)
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any
Hi Peter,
That doesn't sound unreasonable, bearing in mind how much we all $ENJOY using
the operating system precisely because the interfaces are defined and stable
between major releases.
I would not have expected PF 4.7 and above to be backported.
Reading between the lines of earlier posts
> >
> There is one catch.
> FreeBSD does not want to break compatibility of old syntax and that is why
> i did not port the latest version of pf(4).
Shades of the versioning/maintenance issues surrounding putting Perl in the
base way back in the day.
> What is there now makes it 'trivial' to go
that.
From: Mostaf Faridi [mostafafar...@gmail.com]
Sent: 29 November 2011 16:23
To: Greg Hennessy
Cc: Fatal Error; freebsd-pf@freebsd.org
Subject: RE: one ADSL connection with 10 static IPs and PF
Can I do this with Linux?
If the Zyxel ADSL router supports PPP half bridge mode, configure that and then
configure the PF host with the real IP addresses as appropriate.
Otherwise replace the router with something which does support PPP half bridge.
Thomson Speedtouch is pretty solid in this space.
http://goo.gl/yr7
If you have no access to the gateway system, the only other alternative is a
client side configuration, either use a PAC file or browser exception or
routing statement to send traffic elsewhere.
Greg
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p.
> Recently it has come to our attention that bandwidth has become an issue
> with increased spotify usage throughout the company. Im looking for a way
> to block access to it in pf. the rule that i am trying is the following:
>
> table { 78.31.8.0/22, 193.182.8.0/21 }
> block return in quick on $
detailed write up here under
"Can we achieve 10 gigabit speeds ?"
Network Tuning and Performance
https://calomel.org/network_performance.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jul 06, 2011 at 07:09:59PM -0400, Greg Hennessy wrote:
>
> ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
> This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher,
> altq will flip back to zero. This "bug" was found when trying to test 10
> gigabit
> and 40 gigabit bandwidth models.
What a problem to have
Sunday, 5 June 2011 11:11 PM
> To: Greg Hennessy
> Cc: freebsd-pf@freebsd.org
> Subject: Re: pf speed drops
>
> Hello
> I look via systat -if 1
>
> Greg Hennessy пишет:
> > As measured by?
> >
> >
> >
> >> -Original Message-
>
As measured by?
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Behalf Of Dmitri Budko
> Sent: Sunday, 5 June 2011 7:43 PM
> To: freebsd-pf@freebsd.org
> Subject: pf speed drops
>
> Hello.
> When I turn on the PF server internet sp
You've enabled routing ?
What are the logs telling you ?
Change this
"block in log on $ext_if all"
to
block log all
there maybe an egress block somewhere.
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Beha
e platform as a multihomed firewall, it may make life simpler
to grant the egress interfaces access by default, and put security policy
enforcement on the ingress interface.
Regards
Greg
> -Original Message-
> From: Michael [mailto:mlmichae...@gmail.com]
> Sent: 09 March 2011
What's the likely use case ? Jails ?
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Behalf Of Michael
> Sent: 08 March 2011 11:44 PM
> To: freebsd-pf@freebsd.org
> Subject: multiple loginterface
>
> Hi,
>
> Is it possible to set mu
Too true.
> -Original Message-
> From: Iñigo Ortiz de Urbina [mailto:inigoortizdeurb...@gmail.com]
> Sent: 28 January 2011 11:34 AM
> To: Greg Hennessy; freebsd-pf@freebsd.org
> Subject: Re: why "block quick on wlan0" doesn't stop DHCP?
>
> And it
Could be talking complete nonsense here, but
IIRC BPF sees all traffic before PF. DHCP hooks at the BPF layer, so it'll be
serviced before any filtering policy applies.
Greg
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On B
s/CURRENT/HEAD/ below, wasn't quite awake yet when I sent it. :-)
> -Original Message-
> From: owner-freebsd...@freebsd.org [mailto:owner-freebsd-
> p...@freebsd.org] On Behalf Of Greg Hennessy
> Sent: 24 October 2010 10:26 AM
> To: Max Laier; Ermal Luçi
> Cc:
It doesn't appear to patch cleanly against CURRENT
gw2:/usr/src # find . -name \*.rej
./contrib/pf/pfctl/pfctl_table.c.rej
./contrib/pf/pfctl/parse.y.rej
./contrib/pf/pfctl/pfctl.c.rej
./contrib/pf/pfctl/pfctl_parser.h.rej
./contrib/pf/pfctl/pfctl.8.rej
./contrib/pf/pfctl/pfctl.h.rej
./sys/contrib
of my willy (so to speak) are readily determined through
http://www.google.co.uk/
From: allicient3...@gmail.com [mailto:allicient3...@gmail.com] On Behalf Of
Peter Maxwell
Sent: 29 July 2010 10:10 PM
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Re: For better security: always "
> If, as you say, there are "Governance, Risk, and Compliance reasons",
> perhaps you'd like to specify one or two for each category?
Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement 10,
Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the picture.
> Lo
er
Maxwell [pe...@allicient.co.uk]
Sent: 29 July 2010 03:52
To: Greg Hennessy
Cc: Spenst, Aleksej; freebsd-pf@freebsd.org
Subject: Re: For better security: always "block all" or "block in all" is
enough?
On 28 July 2010 20:39, Greg Hennessy wrote:
> What disadvantag
> What disadvantages does it have in term of security in comparison with
> "block all"? In other words, how bad it is to have all outgoing ports always
> opened and whether someone can use this to hack the system?
>
It's the principle of 'least privilege'. Explicitly allow what is permitted,
de
Running out of state table entries ?
From: owner-freebsd...@freebsd.org [owner-freebsd...@freebsd.org] On Behalf Of
Gaurav Ghimire [gau...@subisu.net.np]
Sent: 16 April 2010 12:50
To: freebsd-pf@freebsd.org
Subject: ping sendto: operation not permitted.
My bad, that'll teach me to reply in haste :-)
-Original Message-
From: Giulio Ferro
Date: Wed, 17 Mar 2010 16:37:31
To: Greg Hennessy
Cc: Daniel Hartmeier;
freebsd-...@freebsd.org;
freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC c
A possible corner case with the virtual hosting platform ?
Try changing the NICs from em to something else supported, rl on VMware IIRC.
Greg
From: owner-freebsd...@freebsd.org [owner-freebsd...@freebsd.org] On Behalf Of
Giulio Ferro [au...@zirakzigil.
s/block all/block log all/
Or debug will come back and bite you.
Regards
Greg
-Original Message-
From: owner-freebsd...@freebsd.org [mailto:owner-freebsd...@freebsd.org] On
Behalf Of David Mehler
Sent: 16 December 2009 12:59 AM
To: freebsd-pf@freebsd.org
Subject: new firewall confi
That converts the operation of PF into a PIX. :-)
I would tend to caveat the advice below with liberal use of tag and 'tagged'
Greg
From: owner-freebsd...@freebsd.org [owner-freebsd...@freebsd.org] On Behalf Of
Torsten Kersandt [tors...@cnc-london.net]
http://www.openbsd.org/faq/pf/index.html
will teach you everything you need to know.
-Original Message-
From: owner-freebsd...@freebsd.org [mailto:owner-freebsd...@freebsd.org] On
Behalf Of John Dakos [ Enovation Technologies ]
Sent: 07 July 2009 09:30
To: freebsd-pf@freebsd.org
Subject:
Sebastiaan van Erk wrote:
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
This is the nub of the problem, 'hide' NAT breaks GRE.
To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
call id header to track each session in a manner analogous to rewriting
the so
Angelo Turetta wrote:
Rudi Kramer - MWEB wrote:
I had the same issue and when I checked with our ms-admin team they said
it was a Microsoft limitation.
Quite the opposite. Since Windows2000 MS introduced, or started using,
a CallID in the GRE header.
Indeed.
Remember, many-to-one NAT has o
Ansar Mohammed wrote:
Hello All,
Does pf have any higher level application inspection capability such as RPC
filtering based on UUID?
No, that is layer 7 style 'deep packet inspection' (tm) voodoo.
Greg
Mark Pagulayan wrote:
Hi,
I have checked this link for the pftop-0.7
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/
But no luck, where can I get the pftop-0.7 version for freebsd 7.0?
The same place as everyone else.
---> Listing the results (+:done / -:ignored / *:skipped /
> but look at the other option, somehow feed the constructed rules into
> pfctl dynamically as they are "interpreted"
By that statement, you really need to forget everything you know about
IPTables and read the relevant PF documentation, in particular the man page
for pfctl, unlike other unix lik
Jeremy Chadwick wrote:
This isn't a reply to you (Doug), but -- do not blindly use "keep state"
everywhere!
Hard cases make for bad laws. I have got to point out the error in the
above statement.
There's been too many cases I've experienced where using "keep state"
blindly results in state-m
Doug Sampson wrote:
On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
I want to back up a client running packet filter. I am
using Bacula to
backup this client to a Bacula server in the internal network. The
Bacula client has two interfaces- one external and one internal. T
On Mon, March 17, 2008 1:50 pm, Stephan F. Yaraghchi wrote:
>
> What do I have to do to see that much info while watching the log in real
> time?
Use the '-l' flag additionally with tcpdump and increase the snapsize to
96 bytes with '-s'.
Regards
Greg
>
> --
> Mit freundlichen Grüßen / wit
Lorenz Helleis wrote:
everything was ok until we started to make backups passing through the firewall.
What sort of 'backups', using what exactly ?
Did you monitor the input Q drop figure from
net.inet.ip.intr_queue_drops
before during and after the service impacting traffic ?
Do you ca
> I have squid and apache in the same machine. My problem is that the
> users
> cannot see the web page at the same machine in which squid is
> installed. Any
> idea why?
Yes, you should only policy route traffic *not* destined for your webserver
Try something like this instead
# Transparent Squ
> > You are running the version of PF which ships as standard with
> FreeBSD
> > 6.1. Which IIRC is the same as shipped with OpenBSD 3.6.
>
> 3.7 in RELENG_6, 3.5 in RELENG_5, 4.1 in what is to become RELENG_7.
>
My mistake Max :-), thanks for the correction.
> If this box can take a downtime
> Hello,
>
> I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in
> rc.conf) and also using Firewall Builder.
Updating why exactly ?
> How do I know what version is running?
You are running the version of PF which ships as standard with FreeBSD 6.1.
Which IIRC is the same as sh
[snip]
> scrub in all
>
> nat on $ext_if from $int_net to any -> ($ext_if)
>
> rdr on $ext_if proto tcp from any to any port 22011 -> 192.168.1.10 port 22
>
Add
block log all
here
> pass in all
> pass out all
Replace these with explicitly coded ingress and egress rules using 'k
> # filter rules
> block log all
> block in log quick proto tcp from to any port smtp
> block in log quick proto tcp from to any port ssh
> block in log quick proto tcp from to any port http
>
> pass quick on lo0 all
Change this to
set skip on lo0
>
> block drop in log quick on $e
> Hi
>
> Two of us have found out a very strange issue with pf on FreeBSD 6.2
> on a xDSL connection.
>
Posting a copy of your pf.conf and trawling the logs for drops around the
same time as the transfers are underway would be useful.
You're possibly meeting an issue with tcp window scaling a
> > > We're doing some stress testing on our server,
> >
> > CPU ? Memory ?
>
> Xeon 3060 (dual core @ 2.4 Ghz)
> 2 gigs of ram
That's got more than enough grunt, intel gig-e nics, a good recipe for PF
success.
> I'm not very familiar with pf at this point.
It won't take you long, it's very
>
> We're doing some stress testing on our server,
CPU ? Memory ?
> and noticed that when
> we turn PF on, we lose connections and have a drastic reduction in
> performance.
>
> We used SIEGE for 120 seconds, 50 connections, on req/conn
>
[snip]
> # --- DEFAULT POLICY
> block log all
>
Wh
>
> I've heard that the pf version being used on freebsd 6-stable is 3.7 so
> the
> features "pass" and "log" when using "rdr" won't work.
> Is this true??
Yes and yes, Max Laier has just found a mechanism to squeeze 27 hours into a
working day and is currently porting the 4.1 PF code into CURRE
> so, i think i'm in the right ballpark with *nat of some sort, but how
> do i get this done correctly?
>
There's a number of ways to do this.
Add the extra addresses as aliases to the internet facing interface. E.g
gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
...
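The interface-group suggestion for the 'nat vlan' question further up (put the vlan interfaces into a group and nat the group) combined with the alias approach for the extra static addresses just above, as one pf.conf. This is an added example, not a configuration posted to the list; the rc.conf lines in the comment, the interface names and the addresses are assumptions.

```pf
# Added example, not from the list posts. rc.conf side (assumed):
#   ifconfig_em0="inet 198.51.100.10 netmask 255.255.255.248"
#   ifconfig_em0_alias0="inet 198.51.100.11 netmask 255.255.255.255"
#   ifconfig_em0_alias1="inet 198.51.100.12 netmask 255.255.255.255"
#   vlans_em1="10 20"
#   ifconfig_em1_10="inet 10.0.10.1 netmask 255.255.255.0 group lan"
#   ifconfig_em1_20="inet 10.0.20.1 netmask 255.255.255.0 group lan"
ext_if   = "em0"
mail_pub = "198.51.100.11"    # alias on em0
mail_int = "10.0.10.25"       # mail server on vlan 10
web_pub  = "198.51.100.12"    # alias on em0
web_int  = "10.0.20.80"       # web server on vlan 20

set skip on lo0
scrub in all

# One nat rule for the whole interface group: lan:network expands to the
# networks of every member vlan, so adding a vlan to the group needs no
# pf.conf change.
nat on $ext_if from lan:network to any -> ($ext_if)

# The extra static addresses are aliases on $ext_if; binat maps each one 1:1
# to an internal server in both directions. binat is checked before nat, so
# these two hosts are never hidden behind the primary address.
binat on $ext_if from $mail_int to any -> $mail_pub
binat on $ext_if from $web_int  to any -> $web_pub

block log all

# Filter rules see the translated (internal) destination for inbound binat
# traffic, hence the internal addresses here.
pass in quick on $ext_if proto tcp from any to $mail_int port smtp \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $web_int port { www, https } \
    flags S/SA keep state

# The group name works as an interface specification too.
pass in quick on lan from lan:network to any keep state
pass out quick on $ext_if from ($ext_if) to any keep state
pass out quick on $ext_if from { $mail_pub, $web_pub } to any keep state
```

Check the expansion with pfctl -nf /etc/pf.conf before loading, and with pfctl -sn afterwards to see what lan:network resolved to.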
> ditto. I'd like to import a couple of features on a per-feature base
> rather than doing a complete import which isn't possible anymore due to
> SMP and routing code changes.
Is the inability to completely sync PF with the latest OpenBSD release cast
in stone for here on, or it an issue of reso
> Hi,
> I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe i have passive working, one of my
> windows boxes goes passive and dies on active.
Command line FTP client in windows is active only.
> I've got three questions. First,
> po
>
> Does a packet being routed from em0 to em1 pass through PF twice?
>
PF does both ingress and egress filtering, this explains it far better than
I could.
http://homepage.mac.com/quension/pf/flow.png
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port
> 22 keep st
> I'm a pf newb and am running pfspamd on this FBSD 6.2 machine. How do I
> trace the collision errors? Seems excessively high- more than 5% here.
> I
> want to rule out hardware issues with the 3C905b card before I get into
> network overload issues but am not sure how.
Hard set the card, switch
> (and the rest). What am I missing?
From the rule snippets posted, 'keep state' & 'keep state flags S/SA' comes
to mind.
You should endeavour to keep state on each and every rule and only establish
tcp state on the 3 way handshake.
>
> If it helps, I also posted my complete pf.conf and th
> >
> > Not if you run a default block policy it wont.
> >
> I've seen my problem
>
> I have a rule with is something like opendoor for outgoing packet from
> the firewall...
Ahhh, that wouldn't help :-).
> And NAT rules are applied before filtering rules.
> SO for traffic going from internal t
> Hi,
>
> I just want to know how to handle properly packets which pass
> through the firewall...
That depends on what you're trying to do exactly.
>
> I can handle for all packets coming to all interface of my
> firewall and the same with outgoing packets by using in/out
> with statement
>
> Thanks to Max Laier and Jon Smola for helpful comments on my earlier
> post. I have not put the flags S/SA option in my rule set as yet
That's the most likely reason why it's breaking.
Greg
>
> Why is the first host producing more detailed logs? why isnt pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?
At a rough guess, you've not got IPV6 compil
> I'm also open to pf + dummynet integration,
That's a very intriguing idea and a lot more palatable than ipfw + dummynet.
> but don't have time to work on that, at the moment.
I know what that's like.
Greg
> Greg suggested that I do a tcpdump -s 96 -nleti pflog0 to see what was
> going on.
Do you have pflog_enable="YES"
Set in /etc/rc.conf ? Is pflog0 visible as up and running in the output of
ifconfig -a ?
>
> I tried that and got no data captured, not a single entry.
>
> one of my /etc/rc.con
> could someone please explain the "right" way to do this, or point me
> to the right doc,
> I'm willing to learn if I can find the right teacher.
Make the 1st packet filtering rule
block log all
and from there read the firewall logs in real time with
tcpdump -s 96 -nleti pflo
> I have the following rules on lo0:
>
Have you tried an set skip with a default block log all ?
Greg
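The replies above keep coming back to the same shape: make the first filter rule block log all, use set skip on lo0 rather than pass quick on lo0 all, replace pass in all / pass out all with explicitly coded ingress and egress rules, and keep state on every rule with TCP state only established on the three-way handshake. Here it is as one ruleset, added as an example rather than taken from any post; the interface names, networks and admin host are assumptions.

```pf
# Added example, not from the list posts. Names and addresses are assumed.
ext_if     = "em0"
int_if     = "em1"
int_net    = "192.168.1.0/24"
admin_host = "192.168.1.10"

# What the posts tell people to replace:
#   pass quick on lo0 all          -> set skip on lo0
#   block in log on $ext_if all    -> block log all
#   pass in all / pass out all     -> explicit ingress and egress rules
set skip on lo0
scrub in all

nat on $ext_if from $int_net to any -> ($ext_if)

# First filter rule: default deny on every interface in both directions,
# logged, so every drop shows up on pflog0 while the ruleset is debugged.
block log all

# Ingress policy on the inside interface. flags S/SA means only a bare SYN
# creates state; stray ACK/RST/FIN packets never open a state on their own.
pass in quick on $int_if proto tcp from $int_net to any port { www, https, smtp } \
    flags S/SA keep state
pass in quick on $int_if proto udp from $int_net to any port domain keep state
pass in quick on $int_if inet proto icmp from $int_net to any icmp-type echoreq keep state
pass in quick on $int_if proto tcp from $admin_host to ($int_if) port ssh \
    flags S/SA keep state

# Egress policy on the outside interface. NAT has already been applied by the
# time these rules run, so forwarded LAN flows carry the firewall's own
# address as source; one set of rules covers forwarded and local traffic.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { www, https, smtp } \
    flags S/SA keep state
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port { domain, ntp } keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
```

Load it with pfctl -nf /etc/pf.conf first (parse only), then with pf_enable="YES" and pflog_enable="YES" in /etc/rc.conf watch the drops in real time with tcpdump -s 96 -nleti pflog0, exactly as the replies above suggest.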
>
> I actually need to see how a packet that the IPSEC code generates is
> passes through PF (What rules it is (not) matching etc). At the moment
> it seems that it is either a) not passing through pf at all, b) For
> some
> reason not matching the source routing rule.
>
> Is there anyway to see
> I was wondering if there is any way to trace packets as they pass
> through PF and possibly even the network stack. If someone could give
> me some pointers on this it would be greatly appreciated.
A full tcpdump on the ingress and egress interfaces, a bpf filter will find
the interesting bits
>
> Can someone please convert this simple ipfw rule to of?
>
Judicious use of 'scrub' will nuke most if not all invalidly flagged
packets.
greg
>
> I need to record logs of all connections nated from PF, has some way?
>
Tag the nat rule and then apply that tag to an egress rule of the form
pass out log quick on blah tagged natted
Greg
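The two pieces of advice from Greg in this thread and further up (filter on the ingress interface, tag what passes and put a generic tagged rule on egress; and tag the nat rule, then log the tagged flows on the way out) as one ruleset. This is an added example, not a configuration posted to the list; interface names, networks and tag names are assumptions.

```pf
# Added example, not from the list posts. Names and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"
int_net = "192.168.1.0/24"
dmz_net = "203.0.113.0/28"

set skip on lo0
scrub in all

# The nat rule tags every connection it translates (tag goes before "->").
# Tags are sticky but a later matching rule may replace them, so a LAN flow
# leaves $ext_if carrying NATTED rather than the tag it got on ingress.
nat on $ext_if from $int_net to any tag NATTED -> ($ext_if)

block log all

# Policy is decided once per flow, on the inside interface; passed flows are tagged.
pass in quick on $int_if proto tcp from $int_net to $dmz_net port { www, https } \
    flags S/SA keep state tag LAN_OK
pass in quick on $int_if proto tcp from $int_net to any port { www, https, smtp } \
    flags S/SA keep state tag LAN_OK
pass in quick on $int_if proto udp from $int_net to any port domain \
    keep state tag LAN_OK

# Egress towards the DMZ: one generic pass for anything ingress policy tagged.
pass out quick on $dmz_if tagged LAN_OK keep state

# The NAT audit trail asked for above: every translated connection is logged
# once, as it leaves, by matching the nat rule's tag.
pass out log quick on $ext_if tagged NATTED keep state

# The firewall's own outbound traffic never matched the nat rule and carries
# no tag, so it needs its own egress rule.
pass out quick on $ext_if from ($ext_if) to any keep state
```

With pflog_enable="YES" the logged NAT flows appear on pflog0 (tcpdump -s 96 -nleti pflog0); the DMZ egress rule needs no per-service detail because the service list lives only on the ingress rules.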
> I'd like to know if anyone else has experienced something similar with
> Vista and their firewall. I realize it may be something with Vista, but
this
> issue seems to be related with PF firewalls and Vista.
>
I have run (and am running) Vista with CTCP enabled and disabled through PF
just fine
>
> It is possible to record logs of all connections nated with the PF?
> Already tried to use "nat log on...", without success.
>
The version of PF used in FreeBSD (OpenBSD rev 3.7 I believe) doesn't have
the log option for either nat pass or rdr pass.
That facility came in later versions of
> Can you by any chance run the simple benchmark described at
> http://people.freebsd.org/~mlaier/ALTQ_driver/ ? It's good if hfsc
> works, but the main goal is to make sure that we do not break anything
> for non-ALTQ users.
>
Here's the meaty goodness.
Test system.
P4 2.8 downclocked to 2.1
> > gw2:~ # cat /etc/rc.early
> > /sbin/ifconfig aue0 name outside
> > /sbin/ifconfig em0 name inside
> > /sbin/ifconfig inside polling
>
> Wow ... so naming really works? That's news :-)
Works a treat, I've been using naming for over 6 months now, saves a lot of
PITA conf changes when swapping
> aue and kue patches added to
> http://people.freebsd.org/~mlaier/ALTQ_driver/
>
> Please test and report back.
So far so good.
Greg
gw2:~ # uname -a
FreeBSD gw2.local.net 7.0-CURRENT FreeBSD 7.0-CURRENT #167: Tue Jan 30
15:57:33 GMT 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GH i386
gw
> Anyway, I've already checked altq(9) which describes the
> driver transition and I thought about patching the drivers myself.
>
> I've got a bunch of aue, one kue and a few currently unsupported NICs.
>
I could find a use for an altq patched aue ta muchly.
Greg
> Hi all!
>
> I would like to start a debate on this subject. Which method of
> enabling
> PF is the more secure (buffer overflow for example), the fastest, the
> most stable, etc. I searched the web for some info but without result.
> So I would like to know your opinion on the pros and cons of e
>>
> I have no idea how to get Cacti to graph this data. Clues please?
IIRC there's a thread or two on the cacti forums w.r.t importing the pf mibs
from bsnmpd.
>
> Seems pretty good. Opinions?
>
> $ sudo pfctl -si
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> I suspect this may have been my state table filling up.
>
For a high traffic'd internet facing service such as Freshports, running
pfstat, symon or even the pf snmp mibs loaded into something such as Cacti
is not optional.
They would have kept track of firewall state table utilisation over ti
> However, if
> I comment out the PF rule "block in all" then suddenly I can ping
> yahoo.com. Why will my server not resolve names (like
> yahoo.com) if the
> "block in all" statement exists? Why does that statement mess it up?
> What am I missing? Please help because I am totally frustrated.
>
> The part that confused me was that the connections failed
> immediately -- it turns out that PF sends a RST upon state
> mismatch during the initial handshake, as opposed to dropping
> the packets and letting the connection time out.
As a matter of policy, I would never black hole internal
> HFSC is a fun animal to learn. We've tried to gather some
> data, check out
> http://wiki.pfsense.com/wikka.php?wakka=ReadingRoom and
> http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes ..
> Unfortunately the more that I learn about HFSC it seems like
> the more I really do
> That's LANIC IP space, not RIPE. Though RIPE should have
> pointed you to LANIC, IMO, they don't.
With RIPE one is doing well to get anything at all.
> They show what you
> see for any IP space that isn't under their control. I'd
> recommend starting your searches with ARIN, as they'll
RTFHB
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
>
> Hi;
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no
> flags), then used vi to edit and added the following lines:
>
> # Packet Filters
> device pf
>
>
> Wait! That might render your box unaccessible.
>
> What if your terminal session dies? Then the pfctl command
> after sleep will never be executed.
Quite, for long distance management of any device like this, a 2[56]11
plumbed into com0 configured as the console is not optional.
Greg
> > I am wondering if this is achievable with PF. If yes, which
> section of
> > the FAQ should I read?
> i'm pretty sure, that you haven't read pf.conf(5).
I'm pretty sure he has. He just didn't see it.
> please check the manual next time, _before_ you ask a question
>
While I am as guil
> > list of what are most likely dhcp assigned addresses is a complete
> > waste of time and a nightmare to maintain.
> Could you give an example of this?
The lists used by PeerGuardian.
Greg
> Hi;
> I'm configuring my firewall and I'd like to make a table of
> "bad guys", preferably one that automatically updates from
> the Web.
As long as you run a default block policy, maintaining an ever growing list
of what are most likely dhcp assigned addresses is a complete waste of time
a
> I'm not sure the average user _really_ is worried enough
> about that half a second period on boot. But I DO know there
> will be people locking themselves out from far-away remote
> hosts (on updates, for instance) if this becomes the default.
That is pretty much guaranteed. Murphy will al
> What I'd like to see is a real virtual machine designed for
> packet filtering (similar to BPF), and we compile the rules
> into VM instructions,
You've been using that Israeli firewall product again, what was it called
again, Crackpoint ? :-)
Greg
>>
>See the mac_ifoff(4) manpage. You can disable your interfaces until
> the system is fully booted.
>
Crikey! Everyday a school day :-). Most useful.
Greg
> >
> While I can give you the benefit of the doubt that in some
> way you are trying to help I would prefer it if you just didn't respond to
me.
> Your comments are really abrasive, over the top and lacking in
> useful nature.
I am sorry, I cannot leave this go unchallenged, one's posting
>
> I did mention it a few times but I suppose I wasn't clear
> about it, but I really do want to use "single line firewall
> rules", and the only way to do this is to keep state, if
> there are other ways/rules to have really flexible firewall
> but still with stateful inspection with a sma
> >
> >
> is it safe to say to just remove the "keep state" behavior
> for udp and other connectionless packets?
No. Anything but.
If you don't keep state, you would have to specifically code wide open
ingress packet filtering rules for reply traffic.
Greg
>
> So ultimately what your saying is PF is too clever now and
> can never be simplified like UDP state modes for single line
The notion of UDP keeping state is overstated.
Basic layer 3 'keep state' for UDP is nothing more than a watchdog timer
tracking how long it was since the last pack
> What we are looking for is to be able to pass through
> firewall with one set of rule per allowed traffic like it is
> used to be in ipf like firewalls.
>
[snip]
>
> Is there another way to securely let everything "pass
> through" firewall?
> without having to write another rule for outgoi
> Hi,
>
> I am new to FreeBSD and PF but was wondering how I could do
> using PF a rule from iptables on Linux.
>
> The rule using iptables in Linux is:
> iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT
> --to-ports 3323
>
> I would like to know how you perform the same operati
>
> Thanks for your answer but what do you think of using ipfw
> for routing policy and pf for firewalling, is it possible ?
With two active packet filters in the system, I would not like to be the one
trying to debug problems.
One can do policy based routing in PF using route-to.
Greg
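Policy based routing in PF with route-to, as mentioned above, as an added example (not posted to the list); the interface names, the second uplink's next hop and the host being steered are assumptions.

```pf
# Added example, not from the list posts. Names and addresses are assumed.
ext_if    = "em0"            # default-route uplink
ext2_if   = "em2"            # second uplink
ext2_gw   = "203.0.113.1"    # next hop on em2
int_if    = "em1"
int_net   = "192.168.1.0/24"
voip_host = "192.168.1.20"   # the host to steer over the second uplink

set skip on lo0
scrub in all

# NAT on each uplink, so replies come back the way the flow went out.
nat on $ext_if  from $int_net to any -> ($ext_if)
nat on $ext2_if from $int_net to any -> ($ext2_if)

block log all

# Policy routing is decided on the ingress rule: route-to overrides the
# routing table for this state and hands the packets to em2's next hop. The
# nat rule on em2 then rewrites the source like any other flow leaving em2.
pass in quick on $int_if route-to ($ext2_if $ext2_gw) proto udp \
    from $voip_host to any keep state
pass in quick on $int_if route-to ($ext2_if $ext2_gw) proto tcp \
    from $voip_host to any flags S/SA keep state

# Everything else from the LAN follows the kernel routing table.
pass in quick on $int_if from $int_net to any keep state

# Connections that arrive on the second uplink must be answered through it
# too, otherwise the replies leave via the default route with the wrong source.
pass in quick on $ext2_if reply-to ($ext2_if $ext2_gw) proto tcp \
    from any to ($ext2_if) port ssh flags S/SA keep state

pass out quick on $ext_if  from ($ext_if)  to any keep state
pass out quick on $ext2_if from ($ext2_if) to any keep state
```

Because the rule keeps state, only the first packet is evaluated against route-to; the rest of the flow follows the route stored in the state, which is why the nat rule on the second uplink is what makes the return path work.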
Everything you need to know here
http://www.openbsd.org/faq/pf/index.html
and even more here
http://www.bgnett.no/~peter/pf/en/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ali Faiez Taha
> Sent: 07 June 2006 19:40
> To: freebsd-pf@freebsd.org
> A test page that makes 10,000 rapid SQL connections which
> connected 100% of the time before, now will usually see
> anywhere from one or two failed connections to a dozen or so
> (per 10,000)
Have you kept track of state table entries during this process with
pfctl -si ?
You may
>
> Is there a best way to unblock the windows update ??
>
Yes rebuild squid to operate as a transparent cache and redirect all
outbound port 80 traffic through it.
http://www.benzedrine.cx/transquid.html
gw2:~ # grep -i 3128 /etc/pf.conf
rdr pass on $Int $TCP from to ! port www ->
127.
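For the transparent squid question (only redirect traffic not destined for the local web server) and the iptables REDIRECT question earlier in the archive, both rdr forms in one ruleset. This is an added example, not from the posts; the interface names, networks, web server address and the assumption that squid is built as a transparent proxy listening on 127.0.0.1:3128 are mine.

```pf
# Added example, not from the list posts. Names and addresses are assumed.
ext_if    = "em0"
int_if    = "em1"
int_net   = "192.168.1.0/24"
webserver = "192.168.1.1"     # apache on the same box as squid and pf
tcp       = "proto tcp"

set skip on lo0
scrub in all

# Transparent proxy: LAN web traffic goes to squid, except when the client is
# talking to the local web server. Without "! $webserver" that traffic is
# bounced into squid as well and the page on this machine stops working.
rdr pass on $int_if $tcp from $int_net to ! $webserver port www -> 127.0.0.1 port 3128

# PF equivalent of
#   iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT --to-ports 3323
# rdr rewrites the destination port and hands the datagram to the daemon on
# this host; "rdr pass" passes it as well, so no extra filter rule is needed.
rdr pass on $ext_if proto udp from any to ($ext_if) port 3322 -> 127.0.0.1 port 3323

block log all

# Direct access to the local web server, which the rdr above deliberately skips.
pass in quick on $int_if proto tcp from $int_net to $webserver port www \
    flags S/SA keep state

# squid's own fetches and the firewall's other outbound traffic.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check what the translation rules expanded to with pfctl -sn, and remember that on the FreeBSD PF versions discussed in this archive "rdr pass" works but "rdr pass log" does not.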