On Wed, Aug 20, 2008 at 10:07 PM, Erik Danielsson <[EMAIL PROTECTED]> wrote:
> One question remains though. To count the total traffic from a certain IP
> range, should a separate PF rule with a label be used? If so, how can I
> reset only the labels statistics whenever I want to?
PF already main
On 9/6/07, Gergely CZUCZY <[EMAIL PROTECTED]> wrote:
> Hello
>
> I've got a configuration when i've got 2 IPs on em0
> from the very same subnet. This means, they have the
> same broadcast address.
ifconfig(8) suggests:
alias Establish an additional network address for this interface. This
On 8/14/07, Toomas Pelberg <[EMAIL PROTECTED]> wrote:
> pfctl man page says:
>
> -i interface
> Restrict the operation to the given interface.
>
> ..what exactly is meant under the word "operation" ?
This would be one of those things that is obvious once you've seen an example
and tho
On 5/28/07, B. Cook <[EMAIL PROTECTED]> wrote:
The new router will have em0 as a /30 facing the provider and em1 will be
setup with vlans.
You have to queue on the parent interface for the vlans, em1.
What I have is a 4mbit link symmetrical and what I would like to do is
make one parent queu
On 4/27/07, snowcrash <[EMAIL PROTECTED]> wrote:
no rdr pass from to any
# echo "no rdr pass from to any" | pfctl -vvnf-
stdin:1: "pass" not valid with "no"
Maybe you want to tag those packets and block them later:
no rdr on em2 proto tcp from { , ! } to em2 port smtp
tag BLOCKME
...
bl
On 4/27/07, snowcrash <[EMAIL PROTECTED]> wrote:
> Multiple tables in rules are tricky because they are not treated as
> "sets" that can be arbitrarily compared (ie, IPs in table A that are
> not in table B).
so, *IS* there a way to accomplish that? namely, match against a
boolean-composite o
On 4/27/07, snowcrash <[EMAIL PROTECTED]> wrote:
i suppose alternative would be to,
--- set require-order yes
+++ set require-order no
and put some
block quick
BEFORE those rdr's ... to prevent those addresses in from
ever seeing the redirection in the first place
no rdr proto tcp
On 4/27/07, snowcrash <[EMAIL PROTECTED]> wrote:
rdr pass on $ext_if proto tcp from { , ! } \
to ($ext_if)
port 25 -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from { !, ! } \
On 4/24/07, Volker <[EMAIL PROTECTED]> wrote:
Having a queue
with a guaranteed bandwidth for every connection (client) would
require the creation of "dynamic queues" on the fly. I'm not aware of
such possibility.
ipfw with dummynet could do this. Very interesting feature. See DUMMYNET
(specifi
On 3/20/07, WAYNE KING <[EMAIL PROTECTED]> wrote:
Hello list, My subnet at Ohio State is running a BSD firewall with packet
filter.
It works great, but I just encountered a weird problem with the linux 2.16.18.2
kernel and packet filter.
Any quick insights just for my own education?
A quick
The following reply was made to PR kern/103304; it has been noted by GNATS.
From: "Jon Simola" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc:
Subject: Re: kern/103304: pf accepts nonexistent queue in rules
Date: Tue, 12 Dec 2006 11:55:03 -0800
This is by design. Queueing,
On 11/28/06, Charles Lacroix <[EMAIL PROTECTED]> wrote:
table {} persist
block quick on $ext_if proto tcp from to $external_addr port 23
pass in on $ext_if proto tcp to $external_addr port 23 flags S/SA modulate \
state (max-src-conn-rate 5/60, overload flush global)
1. I wanted to do is
On 11/22/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
The current NAT rules in the PF router setup as:
# pfctl -a NATRULES -sn
nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 10.1.10.0/2
On 11/23/06, John Smith <[EMAIL PROTECTED]> wrote:
> > Could someone please give me full example to setup
> > limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> > 01000 allow tcp from any to me setup limit src-addr 5 currently does
Could you please post your pf.conf with the r
On 11/23/06, John Smith <[EMAIL PROTECTED]> wrote:
Greetings BPF gurus!
PF? bpf is different and has little to do with firewalling.
Could someone please give me full example to setup
limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
01000 allow tcp from any to me setup limit s
On 8/22/06, beno <[EMAIL PROTECTED]> wrote:
This is accepted by the pfctl compiler just fine:
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
smtp_ports="25"
pop3_ports="110"
https_ports="443"
imap_ssl_ports="993 143"
squid_ports="3128"
mysql_ports="3306"
email_ports='"{' $smtp
On 7/26/06, Jeffrey Williams <[EMAIL PROTECTED]> wrote:
I am not running anything that is trying to use the loopback interface
on this box.
Blocking traffic on the loopback will cause many odd problems. Always use
set skip on lo
The following rule passes traffic in on the internal interface,
On 7/14/06, Nejc Skoberne <[EMAIL PROTECTED]> wrote:
pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from
$UntrustInterface2 to any keep state
pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from
$UntrustInterface to any keep state
I thought this
page for pf.conf can be a pretty intimidating read, I've got a
couple network guys that have been going over it for a couple months
and are still figuring out the more intricate options. The sample
pf.conf is fairly decent, but the OpenBSD PF user's guide at
http://www.openbsd.org/faq/p
On 2/25/06, Mark Linimon <[EMAIL PROTECTED]> wrote:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=93829
> pfsync0: flags=41 mtu 1348
> pfsync: syncdev: fxp0 syncpeer: 15.1.1.1 maxupd: 128
> ### Pfsync Rule
> pass quick on { em1 } proto pfsync
This problem seems ob
On 2/22/06, Christopher McGee <[EMAIL PROTECTED]> wrote:
> Jon Simola wrote:
>
> >On 2/22/06, Christopher McGee <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> >>I might be going about this the wrong way, but, this is ultimately what
> >>I&
research, so it may not be correct, but it's the
explanation that I use.
--
Jon Simola
Systems Administrator
ABC Communications
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
ut is working great. (2
per server per interface)
. You learn a lot more
that way. I'm rewriting my own PF set to address a lot of the problems
similar to yours, and that is mostly why I've tried to offer you some
help.
whether you need if-bound states for this,
and I think you do. Any other commentors on that?
Give me a bit to think through that and I'll try and get you an
example. In the meantime, take another read through the PF guide and
see if you can pick up any pointers from there.
ndwidth 64Kb priority 1 cbq(red ecn)
The queueing rule for this is:
pass out on em0 from to any queue throttle_ext
Or you can specify a queue on the outbound interface (em0) with a rule
on the inbound (em1), for a basically similar effect:
pass in on em1 from to any queue throttle_ext
{ default_ext, throttle_ext }
queue default_ext bandwidth 40Mb qlimit 1000 priority 5 cbq(default red ecn)
queue throttle_ext bandwidth 64Kb priority 1 cbq(red ecn)
> pass in on $int_if proto { udp,tcp } from any port 53 to 200.49.242.42 keep
> state queue gold
Not actually having define
t the hang of
it.
For advanced configs, you can queue inbound traffic on an outbound
interface if it leaves the router/bridge on a different interface than
it entered on.
(simple and advanced are, of course, subjective terms)
cp from x.x.x.174 to any synproxy state
> ---internet-- fxp0-(box with pf)-em1 --- (webserver)
If that's a bridge config, synproxy will not work. It's not possible
to tell from the documentation you provided.
lan100 keep state
pass out quick log on vlan100 from any to keep state
queue throttle_int
pass out on vlan100 keep state
; $tcp_services flags S/SA keep state
DNS is UDP port 53, which you've blocked.
Is a patch against OpenBSD-current that might be appearing in OpenBSD
3.7 that adds the carpdev keyword and binding to a physical interface.
s like
vlan and tun are created and destroyed. You probably don't want to
reload your firewall config every time you bring up a PPP link. ipfw
has the same feature.