Re: connect(): Operation not permitted

2008-07-04 Thread Kian Mohageri
On Fri, Jul 4, 2008 at 4:32 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote: > On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote: >> On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote: >> > Kian Mohageri wrote: >> >> On Sun, Ma

Re: connect(): Operation not permitted

2008-07-03 Thread Kian Mohageri
On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote: > Kian Mohageri wrote: >> On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote: >>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: >>> >>>> Johan Ström wrote: >

Re: Filtering CARP interface(s) and 'set skip on lo0'

2008-05-19 Thread Kian Mohageri
On Mon, May 19, 2008 at 2:11 AM, Max Laier <[EMAIL PROTECTED]> wrote: > On Monday 19 May 2008 05:38:20 Kian Mohageri wrote: >> Hey all, >> >> I'm trying to clean up my PF rulesets, and I noticed today that a CARP >> master connecting to itself (on the CARP

Filtering CARP interface(s) and 'set skip on lo0'

2008-05-18 Thread Kian Mohageri
Hey all, I'm trying to clean up my PF rulesets, and I noticed today that a CARP master connecting to itself (on the CARP IP address) appears to be filtered even when 'set skip on lo0' is in effect. At first I suspected that maybe CARP Master to itself is routed differently in FreeBSD (so it would

Re: connect(): Operation not permitted

2008-05-18 Thread Kian Mohageri
On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote: > On May 18, 2008, at 9:19 AM, Matthew Seaman wrote: > >> Johan Ström wrote: >> >>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule >>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.1

Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

2008-05-14 Thread Kian Mohageri
On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan <[EMAIL PROTECTED]> wrote: > Hi Guys, > > > > OS: FreeBSD 7.0-RELEASE > > > > Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically > inserts 'Flags S/SA' to rules? > > It does... actually 'flags S/SA keep state'. > > The problem

Re: PF and State Table

2008-04-02 Thread Kian Mohageri
On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote: > > On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote: > > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan > > <[EMAIL PROTECTED]> wrote: > > > Hi, > > > >

Re: PF and State Table

2008-04-02 Thread Kian Mohageri
On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan <[EMAIL PROTECTED]> wrote: > Hi, > > What pf version are you using? Correct me if I am wrong guys, on PF 4.1, > which is the release version of pf on FreeBSD 7.0, when you specify keep > state the flag S/SA is implied? > Correct, and if you leave out 'k

Re: problem with PF tables

2008-03-31 Thread Kian Mohageri
On Mon, Mar 31, 2008 at 12:12 PM, Adam Vondersaar <[EMAIL PROTECTED]> wrote: > I have had a production machine running for 6 months now using PF to > block SSH brute force attacks. What seems to happen now is that the > table is not staying open and PF can not add the IP to block. I am > curio

Re: kern/121668: connect randomly fails with EPERM with some pf rules

2008-03-14 Thread Kian Mohageri
On Fri, Mar 14, 2008 at 2:09 PM, Laurent Frigault <[EMAIL PROTECTED]> wrote: > On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote: > > > Why are you filtering on your local IP stack anyway? filtering on lo0 > > is not that common, or at least in my point of view not used often and > >

Re: kern/121668: connect randomly fails with EPERM with some pf rules

2008-03-13 Thread Kian Mohageri
The following reply was made to PR kern/121668; it has been noted by GNATS. From: Kian Mohageri <[EMAIL PROTECTED]> To: Laurent Frigault <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED] Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules Date: Thu, 13 Mar 2008 12

Re: kern/121668: connect randomly fails with EPERM with some pf rules

2008-03-13 Thread Kian Mohageri
The following reply was made to PR kern/121668; it has been noted by GNATS. From: Kian Mohageri <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules Date: Thu, 13 Mar 2008 11:29:52 -0700 This

Re: floating keep state

2008-02-28 Thread Kian Mohageri
On Thu, Feb 28, 2008 at 7:12 AM, Vadym Chepkov <[EMAIL PROTECTED]> wrote: > It was not my intention to argue with anybody, I was trying to understand > why the packet was blocked and reply to Daniel got bounced, so I posted it > in the distro. I got it now, IN packet state doesn't match IN packet

Re: floating keep state

2008-02-28 Thread Kian Mohageri
On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <[EMAIL PROTECTED]> wrote: > set block-policy return > set state-policy floating > pass in log quick proto udp from any to 10.10.10.1 port domain keep state > block in log from any to 10.10.11.254 > > 22:58:14.296303 rule 0/0(match): pass in on xl

Re: carpdev ...

2008-01-11 Thread Kian Mohageri
On Jan 10, 2008 8:18 PM, Alexandre Biancalana <[EMAIL PROTECTED]> wrote: > On 1/11/08, Max Laier <[EMAIL PROTECTED]> wrote: > > > > That's good to hear, keep us up to date! > > The neverending history finishes here !! haahahah > > Everything works as expected, carp with failover is awesome !! The only

Re: occasional "Operation not permitted" on state-mismatch

2007-12-18 Thread Kian Mohageri
On Dec 17, 2007 11:34 PM, Silver Salonen <[EMAIL PROTECTED]> wrote: > Hello! > > I have some FreeBSD-boxes (2x6.3-PRERELEASE (installed on 08.Dec), > 1x6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN > and the problem is that a few times per hour connection drops between

Re: how to include external file in pf.conf

2007-10-01 Thread Kian Mohageri
On 9/30/07, Umar <[EMAIL PROTECTED]> wrote: > > Dear Members! > > Is it possible that i can include another configuration file e.g > (mycustom.conf) within pf.conf > Have you read about anchors? http://www.openbsd.org/faq/pf/anchors.html -Kian

Re: pf, ping and traceroute

2007-09-11 Thread Kian Mohageri
On 9/10/07, jonathan michaels <[EMAIL PROTECTED]> wrote: > > i get that it is part of the functionality to stop outside stuff > garbage bad people from getting to the inside but how do i make a > "hole" in the 'firewall' for ping/traceroute without opening up the > firewall to let the same (ping/tr

Re: a lot of State failure on: 2

2007-05-25 Thread Kian Mohageri
On 5/25/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: Hello, My server is being flooded by a script kiddie against port 7325. What exactly is your question? You can decrease the verbosity of PF (read the pfctl man page) if you don't want to see those messages. Kian

Re: Best way to decrease DDoS with pf.

2007-05-19 Thread Kian Mohageri
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: On 5/19/07, Kian Mohageri <[EMAIL PROTECTED]> wrote: > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: > > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote: > > >

Re: Best way to decrease DDoS with pf.

2007-05-18 Thread Kian Mohageri
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote: > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: > > On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote: > > >

Re: Best way to decrease DDoS with pf.

2007-05-18 Thread Kian Mohageri
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: On 5/18/07, Kian Mohageri <[EMAIL PROTECTED]> wrote: > On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: > > Thank you for the tip. > > > > Here what I'm using which

Re: Best way to decrease DDoS with pf.

2007-05-18 Thread Kian Mohageri
On 5/18/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: Thank you for the tip. Here what I'm using which fixed the issue. pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA synproxy state pass in on $ext_if proto tcp from any to $ext_if port $tcp_services

Re: Best way to decrease DDoS with pf.

2007-05-17 Thread Kian Mohageri
On 5/17/07, Abdullah Ibn Hamad Al-Marri <[EMAIL PROTECTED]> wrote: Hello, This isn't bandwidth issue, but filling the network buffer more than anything else, so there are no more free sockets, and I can't connect to the server via ssh, it's not syn as well. But mass connect to IRC server with s

Re: Packet Path Through PF (once for each interface?)

2007-05-16 Thread Kian Mohageri
On 5/16/07, Tom Judge <[EMAIL PROTECTED]> wrote: em0 and bge0 em2 and bce0 em3 and bce1 Do all the interface names have to match on the HA pair? Yes they do - but that is only if you use an if-bound state-policy, which isn't default. Keep in mind also that states also have a direction associa

Re: PF not started on boot (though it's in /etc/rc.conf)

2007-05-05 Thread Kian Mohageri
Frank Steinborn wrote: > Hi pf-users, > > I have a problem bringing up PF after a reboot of my 6.2 machine. > I tried pf_enable="YES" in /etc/rc.conf, but it doesn't seem to > get executed. /etc/rc.d/pf exists, also tried to declare pf_rules and > even pf_program without luck. I always have to do

Re: pf starts, but no rules

2007-02-15 Thread Kian Mohageri
etc/rc.conf. -- Kian Mohageri

Re: pf starts, but no rules

2007-02-13 Thread Kian Mohageri
couldn't decide what to pass in this initial ruleset. Passing SSH seems safe/smart, but surely not everyone will agree. Sorry if this is way off :) -- Kian Mohageri

Re: pf starts, but no rules

2007-02-10 Thread Kian Mohageri
FQDN cannot be resolved. I believe that is because of the "BEFORE: routing" dependency in /etc/rc.d/pf. -- Kian Mohageri

Re: PFSync Not Working Correctly

2007-02-06 Thread Kian Mohageri
e failing. That will tell you if there is a state mismatch going on when connections fail over. You first want to make sure the mid-connection packets are even reaching the new master. -- Kian Mohageri

Re: reply-to versus default route - PF/synproxy

2006-10-24 Thread Kian Mohageri
uick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2 port 25 synproxy state pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2 port 25 synproxy state What are the $rota1 and $rota2 macros set to? -Kian -- Kian Mohageri

Re: Need a little PF help here, please...

2006-10-08 Thread Kian Mohageri
On 10/8/06, Justin Franks <[EMAIL PROTECTED]> wrote: Have been using PF for over two years and recently ran into "problem" which I am sure is something I am overlooking. So I need some direction. Here it is: I recently enabled BIND9 on FreeBSD 6.1. I have PF running too (PF config below). If I p

Re: BAD state/State failure with large number of requests

2006-09-28 Thread Kian Mohageri
On 9/28/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote: On Thu, Sep 28, 2006 at 11:30:48PM +0200, Rolf Grossmann wrote: > Sep 28 23:56:56 balancer kernel: pf: BAD state: TCP 10.1.1.2:8080 10.25.0.41:8080 10.25.0.100:52209 [lo=2341692840 high=2341759447 win=33304 modulator=0 wscale=1] [lo=291942

Re: Easy Question From Newbie

2006-08-20 Thread Kian Mohageri
On 8/18/06, Ivan Levchenko <[EMAIL PROTECTED]> wrote: You need to either load the pf kernel module, which can be done by adding pf_load="YES" to /boot/loader.conf (you may also load the module without rebooting like this: kldload pf) If you use the module, then altq will not work for you. I

Re: ICMP traffic

2006-08-14 Thread Kian Mohageri
On 8/14/06, Charles Lacroix <[EMAIL PROTECTED]> wrote: On Monday 14 August 2006 09:42, Cristiano Deana wrote: > 2006/8/14, Charles Lacroix <[EMAIL PROTECTED]>: > > i was wondering which icmp type packets people accepted on their > > production servers. > Just echo (echo-req) from anywhere. p

Re: Spoofers, Spammers & Other Bad Guys

2006-08-11 Thread Kian Mohageri
On 8/11/06, beno <[EMAIL PROTECTED]> wrote: Hi; I'm configuring my firewall and I'd like to make a table of "bad guys", preferably one that automatically updates from the Web. Surely someone else has already thought of this and implemented something similar, so could someone clue me in? Read

Re: PF firewall rules

2006-07-10 Thread Kian Mohageri
On 7/10/06, Michael Vince <[EMAIL PROTECTED]> wrote: Dmitry Andrianov wrote: So to block IP 192.168.1.17 from connecting *out* to anything on the internet I have to use a "block in" statement and there is no other way of doing this rule? block in quick on $int_if proto { tcp, udp, icmp

Re: outgoing LAN traffic always in "keep state"

2006-06-19 Thread Kian Mohageri
nse packet will not be evaluated against incoming wan rules pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19 pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19 pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161 pass out log quick on $lan proto tcp fr

Re: outgoing LAN traffic always in "keep state"

2006-06-18 Thread Kian Mohageri
Post your ruleset and people can help you. You're probably using nat/rdr/binat which create states. -Kian On 6/18/06, Ronnel P. Maglasang <[EMAIL PROTECTED]> wrote: I have a minimum PF setup that sits in between my internal network(lan) and external network(wan). PF by design, bypasses rulese

Re: FreeBSD 6.1-RELEASE + PF

2006-06-12 Thread Kian Mohageri
Perhaps your application needs specific IP options. PF blocks packets with IP options set by default. Append 'allow-opts' to the relevant rules. -Kian On 6/12/06, Ludovit Koren <[EMAIL PROTECTED]> wrote: Hi, I have a problem setting up PIM and IGMP communication with pf on FreeBSD 6.1-RELEAS

Re: pf buggy on 6.1-STABLE?

2006-06-09 Thread Kian Mohageri
mismatched. On 6/8/06, Kian Mohageri <[EMAIL PROTECTED]> wrote: > > I'm aware. I meant that as "pass quick" (without any keep state) ;) > > Kian > > > On 6/8/06, Daniel Eriksson < [EMAIL PROTECTED]> wrote: > > > > Kian Mohageri wrote: >

Re: pf buggy on 6.1-STABLE?

2006-06-09 Thread Kian Mohageri
er, should mean that disabling pf wouldn't help -- but it does. Does pf handle state-mismatch differently? Maybe a pf expert could speak on that. Kian On 6/8/06, Kian Mohageri <[EMAIL PROTECTED]> wrote: I'm aware. I meant that as "pass quick" (without any keep state)

Re: pf buggy on 6.1-STABLE?

2006-06-08 Thread Kian Mohageri
Same issue here when using keep state. Specifically, it happened with PHP scripts accessing a remote MySQL database. I think it also happened with Qmail LDAP lookups. This happened even when I did not specify 'flags S/SA' 'pass quick' (non-stateful) fixed the problems but I wasn't satisfied wi

Re: pfsync after reboot does not synchronize

2006-06-06 Thread Kian Mohageri
As you can see, no IP is put on the sync interface; it is merely configured up. Auto-negotiation succeeds on both ends of the cross cable: All the examples I've seen give the syncdev an IP address, my setup included. I'd try that. It's strange that it works partially without having done that

Re: pfsync after reboot does not synchronize

2006-06-05 Thread Kian Mohageri
1. Why does pfsync synchronize the state tables when I use the "ifconfig syncdev" trick to force a bulk update, yet it does not do this when the system is booting up? What does your rc.conf look like? 2. Why does pfsync keep repeating the bulk update request and then give up

Re: authpf.

2006-05-26 Thread Kian Mohageri
Authpf puts authenticated users in a table. You can then handle all of that traffic to your liking. You can have a rule which redirects only certain HTTP connections to your web server. rdr pass on $wi_if inet proto tcp from ! to any port www -> ($wi_if) That should get you started. Keep in

Re: prompt solution with max-src-conn-rate

2006-05-15 Thread Kian Mohageri
There is a nice and easy way of blocking ssh brute-force attempts with pf only: http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html Exactly. This is a much cleaner solution than portknocking to stop brute force attacks. I recently implemented this on a few of my servers.

Re: prompt solution with max-src-conn-rate

2006-05-14 Thread Kian Mohageri
On 5/14/06, GreenX FreeBSD <[EMAIL PROTECTED]> wrote: They work, but there are some things not arranging me: - If to change port http for any other empty port (on http post, I have working apache) source IP does not get in the table though state it is created. I would assume this is because