On Fri, Jul 4, 2008 at 4:32 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
>> On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote:
>> > Kian Mohageri wrote:
>> >> On Sun, Ma
On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote:
> Kian Mohageri wrote:
>> On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote:
>>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>>>
>>>> Johan Ström wrote:
>
On Mon, May 19, 2008 at 2:11 AM, Max Laier <[EMAIL PROTECTED]> wrote:
> On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
>> Hey all,
>>
>> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
>> master connecting to itself (on the CARP
Hey all,
I'm trying to clean up my PF rulesets, and I noticed today that a CARP
master connecting to itself (on the CARP IP address) appears to be
filtered even when 'set skip on lo0' is in effect.
At first I suspected that maybe CARP Master to itself is routed
differently in FreeBSD (so it would
On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote:
> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>
>> Johan Ström wrote:
>>
>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.1
On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
<[EMAIL PROTECTED]> wrote:
> Hi Guys,
>
>
>
> OS: FreeBSD 7.0-RELEASE
>
>
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?
>
>
It does... actually 'flags S/SA keep state'.
>
> The problem
On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>
> On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> > <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
>
On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> What pf version are you using? Correct me if I am wrong guys, on PF4.1
> which a the release version of pf on freebsd 7.0 when you specify keep
> state the flag S/A is implied?
>
Correct, and if you leave out 'k
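As an added example (mine, not from this thread), here is what the implicit `flags S/SA keep state` of PF 4.1 on FreeBSD 7.0 means for a bare pass rule, and how to confirm what the kernel actually loaded. The interface macro and the port are assumptions:

```pf
# Added example; em0 and the ssh port are assumptions.
ext_if = "em0"

# What you write on PF 4.1 / FreeBSD 7.0:
pass in on $ext_if proto tcp from any to any port ssh

# What is actually loaded. `pfctl -vsr` prints something like
#   pass in on em0 proto tcp from any to any port = ssh flags S/SA keep state
# so the rule above is equivalent to spelling it out:
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state

# flags S/SA: only a SYN without ACK creates state; every later packet of
# the connection has to match the state entry. A mid-stream ACK with no
# state is dropped, which is what "works with pf disabled, fails with it
# enabled" usually means after a state flush, a failover without pfsync,
# or an asymmetric path.

# Match every packet regardless of TCP flags, but still keep state:
pass in on $ext_if proto tcp from any to any port ssh flags any keep state

# Pass without creating state at all (stateless, for debugging only):
pass in quick on $ext_if proto tcp from any to any port ssh no state
```

`pfctl -nvf /etc/pf.conf` parses the file and prints the expanded rules without loading them, which is the quickest way to see what `keep state` and `flags` a rule will get on a given pf version; `no state` and `flags any` only exist on pf versions where keeping state is the default (OpenBSD 4.1 and later, FreeBSD 7.0 and later).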
On Mon, Mar 31, 2008 at 12:12 PM, Adam Vondersaar <[EMAIL PROTECTED]> wrote:
> I have had a production machine running for 6 months now using PF to
> block SSH brute force attacks. What seems to happen now is that the
> table is not staying open and PF can not add the IP to block. I am
> curio
On Fri, Mar 14, 2008 at 2:09 PM, Laurent Frigault <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:
>
> > Why are you filtering on your local IP stack anyway? filtering on lo0
> > is not that common, or at least in my point of view not used often and
> >
The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Kian Mohageri <[EMAIL PROTECTED]>
To: Laurent Frigault <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 12
The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Kian Mohageri <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc:
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 11:29:52 -0700
This
On Thu, Feb 28, 2008 at 7:12 AM, Vadym Chepkov <[EMAIL PROTECTED]> wrote:
> It was not my intention to argue with anybody, I was trying to understand
> why the packet was blocked and reply to Daniel got bounced, so I posted it
> in the distro. I got it now, IN packet state doesn't match IN packet
On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <[EMAIL PROTECTED]> wrote:
> set block-policy return
> set state-policy floating
> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
> block in log from any to 10.10.11.254
>
> 22:58:14.296303 rule 0/0(match): pass in on xl
On Jan 10, 2008 8:18 PM, Alexandre Biancalana <[EMAIL PROTECTED]> wrote:
> On 1/11/08, Max Laier <[EMAIL PROTECTED]> wrote:
> >
> > That's good to hear, keep us up to date!
>
> The neverending history finish here !! haahahah
>
> Everything work as expected, carp with failover is awesome !! The only
On Dec 17, 2007 11:34 PM, Silver Salonen <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I have some FreeBSD-boxes (2x6.3-PRERELEASE (installed on 08.Dec),
> 1x6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN
> and the problem is that a few times per hour connection drops between
On 9/30/07, Umar <[EMAIL PROTECTED]> wrote:
>
> Dear Members!
>
> Is it possible that i can include another configuration file e.g
> (mycustom.conf) within pf.conf
>
Have you read about anchors?
http://www.openbsd.org/faq/pf/anchors.html
-Kian
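An added example (mine, not from the reply) of how an anchor does what was asked: the main pf.conf reserves a point in the ruleset and loads a second file into it. Interface, anchor name and path are assumptions:

```pf
# /etc/pf.conf (added example; em0, the anchor name and the path are assumptions)
ext_if = "em0"

block in on $ext_if

# Rules attached to the "mycustom" anchor are evaluated here, in order,
# as if they were pasted at this point. Without the anchor line the
# loaded rules exist in the kernel but are never consulted.
anchor "mycustom"
load anchor "mycustom" from "/etc/pf/mycustom.conf"

pass in on $ext_if proto tcp from any to any port ssh

# /etc/pf/mycustom.conf is parsed on its own, so macros and tables from
# pf.conf are not visible there; repeat what the file needs, e.g.:
#   ext_if = "em0"
#   pass in on $ext_if proto tcp from any to any port www
```

`pfctl -a mycustom -sr` shows the anchor's rules and `pfctl -a mycustom -f /etc/pf/mycustom.conf` reloads only that file, which is the point of splitting the ruleset. Two caveats: a rule with `quick` inside the anchor stops evaluation of the whole ruleset, not just of the anchor, and the position of the `anchor` line decides which main rules the included ones can override.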
On 9/10/07, jonathan michaels <[EMAIL PROTECTED]> wrote:
>
> i get that it is part of the functionality to stop outside stuff
> garbage bad people from getting to the inside but how do i make a
> "hole" in the 'firewall' for ping/traceroute without opening up the
> firewall to let the same (ping/tr
On 5/25/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
Hello,
My server is being flooded by a script kiddie against port 7325.
What exactly is your question?
You can decrease the verbosity of PF (read the pfctl man page) if you
don't want to see those messages.
Kian
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
On 5/19/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > >
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > >
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
> > Thank you for the tip.
> >
> > Here what I'm using which
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
Thank you for the tip.
Here what I'm using which fixed the issue.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services
On 5/17/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote:
Hello,
This isn't bandwidth issue, but filling the network buffer more than
anything else, so there are no more free sockets, and I can't connect
to the server via ssh, it's not syn as well.
But mass connect to IRC server with s
On 5/16/07, Tom Judge <[EMAIL PROTECTED]> wrote:
em0 and bge0
em2 and bce0
em3 and bce1
Do all the interface names have to match on the HA pair?
Yes they do - but that is only if you use an if-bound state-policy,
which isn't default.
Keep in mind also that states also have a direction associa
Frank Steinborn wrote:
> Hi pf-users,
>
> I have a problem bringing up PF after a reboot of my 6.2 machine.
> I tried pf_enable="YES" in /etc/rc.conf, but it doesn't seem to
> get executed. /etc/rc.d/pf exists, also tried to declare pf_rules and
> even pf_program without luck. I always have to do
etc/rc.conf.
--
Kian Mohageri
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
couldn't decide what to pass in this initial ruleset. Passing SSH seems
safe/smart, but surely not everyone will agree.
Sorry if this is way off :)
--
Kian Mohageri
pf_early.diff
Description: Binary data
FQDN cannot be resolved. I believe that is because of the
"BEFORE: routing" dependency in /etc/rc.d/pf.
--
Kian Mohageri
e failing. That will tell you if
there is a state mismatch going on when connections fail over. You first
want to make sure the mid-connection packets are even reaching the new
master.
--
Kian Mohageri
uick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2
port 25 synproxy state
pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2
port 25 synproxy state
What are the $rota1 and $rota2 macros set to?
-Kian
--
Kian Mohageri
On 10/8/06, Justin Franks <[EMAIL PROTECTED]> wrote:
Have been using PF for over two years and recently ran into "problem"
which I am sure is something I am overlooking. So I need some direction.
Here it is: I recently enabled BIND9 on FreeBSD 6.1. I have PF running
too (PF config below). If I p
On 9/28/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
On Thu, Sep 28, 2006 at 11:30:48PM +0200, Rolf Grossmann wrote:
> Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080
10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304
modulator=0 wscale=1] [lo=291942
On 8/18/06, Ivan Levchenko <[EMAIL PROTECTED]> wrote:
You need to either load the pf kernel module, which can be done by adding
pf_load="YES" to /boot/loader.conf (you may also load the module
without rebooting like this:
kldload pf) If you use the module, then altq will not work for you.
I
On 8/14/06, Charles Lacroix <[EMAIL PROTECTED]> wrote:
On Monday 14 August 2006 09:42, Cristiano Deana wrote:
> 2006/8/14, Charles Lacroix <[EMAIL PROTECTED]>:
> > i was wondering which icmp type packets people accepted on there
> > production servers.
>
Just echo (echo-req) from anywhere. p
On 8/11/06, beno <[EMAIL PROTECTED]> wrote:
Hi;
I'm configuring my firewall and I'd like to make a table of "bad guys",
preferably one that automatically updates from the Web. Surely someone
else has already thought of this and implemented something similar, so
could someone clue me in?
Read
On 7/10/06, Michael Vince <[EMAIL PROTECTED]> wrote:
Dmitry Andrianov wrote:
So to block to block IP 192.168.1.17 from connecting *out* to anything
on the internet I have to use a "block in" statement and there is no
other way of doing this rule?
block in quick on $int_if proto { tcp, udp, icmp
nse packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp fr
Post your ruleset and people can help you. You're probably using
nat/rdr/binat which create states.
-Kian
On 6/18/06, Ronnel P. Maglasang <[EMAIL PROTECTED]> wrote:
I have a minimum PF setup that sits in between my internal network(lan)
and external network(wan). PF by design, bypasses rulese
Perhaps your application needs specific IP options. PF blocks packets with
IP options set by default.
Append 'allow-opts' to the relevant rules.
-Kian
On 6/12/06, Ludovit Koren <[EMAIL PROTECTED]> wrote:
Hi,
I have problem to set up PIM and IGMP communication with pf on FreeBSD
6.1-RELEAS
mismatched.
On 6/8/06, Kian Mohageri <[EMAIL PROTECTED]> wrote:
>
> I'm aware. I meant that as "pass quick" (without any keep state) ;)
>
> Kian
>
>
> On 6/8/06, Daniel Eriksson < [EMAIL PROTECTED]> wrote:
> >
> > Kian Mohageri wrote:
>
er, should mean that disabling pf wouldn't help -- but it does.
Does pf handle state-mismatch differently? Maybe a pf expert could speak on
that.
Kian
On 6/8/06, Kian Mohageri <[EMAIL PROTECTED]> wrote:
I'm aware. I meant that as "pass quick" (without any keep state)
Same issue here when using keep state. Specifically, it happened with PHP
scripts accessing a remote MySQL database. I think it also happened with
Qmail LDAP lookups. This happened even when I did not specify 'flags S/SA'
'pass quick' (non-stateful) fixed the problems but I wasn't satisfied wi
As you can see, no IP is put on the sync interface; it is merely
configured up. Auto-negotiation succeeds on both ends of the cross
cable:
All the examples I've seen give the syncdev an IP address, my setup
included. I'd try that. It's strange that it works partially without
having done that
1. Why does pfsync synchronize the state tables when I use the
"ifconfig syncdev" trick to force a bulk update, yet it does
not do this when the system is booting up?
What does your rc.conf look like?
2. Why does pfsync keep repeating the bulk update request and then give
up
Authpf puts authenticated users in a table. You can then handle all of that
traffic to your liking. You can have a rule which redirects only certain
HTTP connections to your web server.
rdr pass on $wi_if inet proto tcp from ! to any port www -> ($wi_if)
That should get you started. Keep in
There is a nice and easy way to blocking ssh brute-force attempts with pf
only:
http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
Exactly. This is a much cleaner solution than portknocking to stop brute
force attacks. I recently implemented this on a few of my servers.
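As an added example (my ruleset, not the one on the linked page, and also the shape of the table-based SSH blocking asked about earlier on this page), here is the pf-only brute-force block with the table flag that keeps the table alive. The interface and the thresholds are assumptions:

```pf
# Added example; em0 and the numbers are assumptions, tune them to your logins.
ext_if = "em0"

# persist: the kernel keeps the table, and what is in it, even while no
# loaded rule refers to it (pf.conf(5)); without it the table goes away
# with the last rule that references it.
table <bruteforce> persist

# Evaluated before the pass rule, so a listed address is cut off outright.
block in quick on $ext_if from <bruteforce>

pass in on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, \
     overload <bruteforce> flush global)
# max-src-conn 5:         at most 5 simultaneous SSH connections that have
#                         completed the 3-way handshake, per source address
# max-src-conn-rate 3/60: more than 3 new connections within 60 seconds
#                         from one source trips the overload
# overload <bruteforce>:  put the offending source address into the table
# flush global:           also kill that source's existing states, from
#                         every rule rather than only from this one
```

Nothing ever leaves the table on its own, so a cron entry such as `pfctl -t bruteforce -T expire 86400` is needed to drop entries older than a day, and `pfctl -t bruteforce -T show` lists who is currently blocked. One caveat, which matches the observation further down this page about a port with nothing listening: pf.conf(5) defines these limits in terms of connections that have completed the handshake, and as far as I can tell from pf's TCP state tracking the per-source counters are updated when the state reaches established, so connection attempts that are answered with a RST create a state but are never counted, and the source never lands in the table. Test the rule against a port that really has a listener.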
On 5/14/06, GreenX FreeBSD <[EMAIL PROTECTED]> wrote:
They work, but there are some things not arranging me:
- If to change port http for any other empty port (on http post, I have
working apache) source IP does not get in the table though state it is
created.
I would assume this is because
48 matches