You can use overload option.
"With the overload state option, source IP addresses which hit
either of the limits on established connections will be added to the
named table."
pass out log quick on $if_lan inet proto tcp to $rdp_int port rdp keep
state \
(max-src-conn-rat
ing flow, "->" means outgoing flow.
05.12.2019 7:24, Victor Sudakov wrote:
Victor Sudakov wrote:
Max wrote:
[dd]
Or you can create "pass out on $dmz..." rule.
Yeah, that sounds great. The ping responses begin to arrive at 192.168.10.3!
Victory!
You know what! If I cre
172.16.1.10-192.168.10.3. Then reply packet(s) will match this state
(traffic from 172.16.1.10 to 192.168.10.3).
Or you can create "pass out on $dmz..." rule.
02.12.2019 16:40, Victor Sudakov wrote:
Max wrote:
Is this a complete ruleset?
For this lab, yes, almost complete. There i
Hello.
Is this a complete ruleset? What about "pass out..." rules? You should
check other rules since you have no "quick" in your listed rules. The
last matching rule decides what action is taken.
02.12.2019 5:56, Victor Sudakov wrote:
Dear Colleagues,
I was asking this question on the free
set skip on lo
(or set skip on lo0)
20.10.2017 1:15, Dave Horsfall wrote:
Just upgraded to FreeBSD 10.4 (and NTP stopped working, but that's a
separate issue), and found that my pf log was flooded with things like:
00:03:25.172691 IP localhost.56537 > localhost.domain:
33908+[|domain]
it flushed. Any new packets
arriving from this host will be dropped unconditionally by
the block
rule.
block quick from
pass in on $ext_if proto tcp to $webserver port www keep
state \
(max-src-conn-rate 100/10, overload flush global)
Check the
re regards rejects and a long banner it as a challenge), and
following advice on this list I used the following (the important
bit, anyway):
#
# No more than 10/IP, or 5/m should be plenty.
#
pass inet proto tcp from any to any port smtp \
flags S/SA keep state \
(max-src-conn 1
o 0 I could reproduce the situation, but this time
both entries disappeared after a short while (as per “interval” timer setting).
—
Babak
On 2 May 2017, at 16:26, Max wrote:
Could you set "src.track" to zero and check if the issue persists?
02.05.2017 10:01, Babak Farrokhi wrote:
Hel
1-STABLE r317643. Please note that this is only reproducible when
you reload your pf configuration and tables.
—
Babak
On 2 May 2017, at 10:41, Max wrote:
Hello,
Can you show "pfctl -vsS" output? And what version of FreeBSD are you running?
01.05.2017 17:59, Babak Farrokhi wrote:
Hello,
I was running an experiment with pf in which I encountered an unusual case.
In a nat setup, is this okay to have multiple similar entries in source
tracking
After a quick look it seems that "show states" doesn't care about
anchors (-a option). "pfctl -vss" should print anchor reference.
Can you post a sample ruleset and FreeBSD version?
11.04.2017 12:45, Özkan KIRIK wrote:
Hello,
I'm trying to get the states belonging to an anchor.
but pfctl -ss -a an
"pfctl -F info" command doesn't clear limit counters (shown in "pfctl
-vsi" output).
I think, should be
--- sys/netpfil/pf/pf_ioctl.c.orig 2017-04-14 09:10:25.17138 +0300
+++ sys/netpfil/pf/pf_ioctl.c 2017-04-14 09:13:21.55365 +0300
@@ -1835,16 +1835,18 @@
case DIOCCLRSTAT
Probably you should parse "pfctl -vvss" output to filter out state IDs
and then use "pfctl -k id -k 4823e8450003" (to kill a state with ID
4823e8450003).
11.04.2017 9:14, Özkan KIRIK wrote:
Hello,
I need to kill states from Host1 that belong to a rdr rule. But pfctl
flush all states
Hello, Paul.
# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)
nat on $int_if from any to ($josh_if) -> $josh_xbox
Something is wrong with these rules. It seems that $josh_xbox is a host
(xbox) in your local network. But the second rule changes source address
to $josh_xbox
Interface igb0:
nat on igb1 to 10.10.10.100 -> igb0
pass out on igb1 route-to ( igb0 10.0.0.1 ) from igb0 to 10.10.10.100
Why don't you use igb1 interface?
nat on igb1 to 10.10.10.100 -> igb0
And on Server B:
route add -host 10.0.0.10 10.10.10.10
29.10.2016 13:14, James Morris wrote:
Hi,
Hello, Zeus.
Probably you should use
pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to
or
pass out log on $if_wan1 route-to ($if_wan2 $gw_wan2) from ($if_wan2)
or both rules.
Please check your state table and routing table.
05.08.2016 3:05, Zeus Panchenko wrote:
hi,
I need trivial thing
Give a try to google :)
site:squid-cache.org pf firewall
16.06.2016 10:15, atar wrote:
On Tue, Jun 14, 2016 at 09:29:33PM +0300, atar wrote:
atar wrote on 06/14/2016 16:05:
atar wrote on 06/14/2016 14:52:
[...]
The hostname "google.com" isn't blocked since its current ip differs from its
p
Hello, Eugene.
Can you show the output of "pfctl -vvss" before and after "pfctl -k id
-k ..."?
age 00:00:20, expires in *00:00:05*
08.06.2016 13:47, Eugene M. Zheganin wrote:
Hi.
Why is it often impossible to delete a state from the state table?
Suppose I have a state:
all icmp 46.146.220.
Hello, Niklaas.
Can you try something like
exec.poststart = "/bin/sh /path/to/pf-config.sh $name $private_ip4
$private_ip6"
where pf-config.sh contains
#!/bin/sh
echo "rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain
-> $2
rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0
Hi, Kurt.
It's incomplete. I have tested only the case when the inner packet is UDP.
Other cases should be tested I think.
Actually the patch was mentioned in Alexey's message
(http://openbsd-archive.7691.n7.nabble.com/system-6564-pf-not-nating-does-not-see-icmp4-port-unreachable-packets-from-machi
Hello,
I have patched and tested "case IPPROTO_UDP". It works. Other cases
should work too I think.
It's against releng/10.3
--- sys/netpfil/pf/pf.c.orig2016-05-21 17:57:29.420602000 +0300
+++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
@@ -4866,8 +4866,7 @@ pf_test_state_icmp
Hello, Kristof.
20.05.2016 11:53, Kristof Provost wrote:
Hi Max,
On 19 May 2016, at 19:49, Max wrote:
The number of used frags (almost) never decreases. I don't have
enough experience in programming. But I guess that the problem may be
in "frag->fr_timeout = tim
19.05.2016 23:16, Radek Krejča wrote:
on $ext_if proto { tcp, udp } from 192.168.52.0/24
Why?
Is there any nat rule?
And second problem - how to set up (on which interface) altq queues?
You should use outgoing interface.
Hello,
there is relevant part of my pf.conf
ext_if =
The value of "time_second" is a number of seconds since 1970, if I
understand correctly. It means that the condition "if (frag->fr_timeout
> expire)" in pf_purge_expired_fragments() should always evaluate to
"true" and hence no expiring happens.
The problem exists since 10.2.
19.05.2016 12:48, Radek Krejča wrote:
Hello,
I have freebsd router with pf for NAT and firewall. There are 2 NICs, one for
incoming traffic from internet and second for traffic to clients. On internal
NIC are a lot of vlans.
I need to make traffic shaping for all users based on src ip from
Hello.
I have an issue with pf in FreeBSD 10.3-RELEASE-p2. Looks like there is
a problem with fragment expiring. It all began with kernel messages "PF
frag entries limit reached".
# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n
'1p;/frag/p'; echo; sleep 5; done"
Thu May 19
atches for testing and never got any. I since
have given up on the project, the patches are still floating around if
anyone wants to pick them up, tho.
Max
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To u
; pf45_1.diff
make buildworld buildkernel
etc. ...
Let's go!!! And do not forget to reply if it works just, too.
Thank you,
Max
f
bran...@x300:/usr/src$ cd /usr/src/sys/modules/pf
bran...@x300:modules/pf$ sudo make
Regards,
Max
please go ahead with whichever solution you find the most
convenient and let me know if you need any help. If you decide to go for the
base import, you might want to bring it up on net@ - as I'm sure the people on
there will have an opinion and it's always a good idea to have the d
tpicking side of things - from a quick glance: The build of
relayd/ctl should probably be conditional on WITHOUT_PF.
Thanks,
Max
The following reply was made to PR kern/144311; it has been noted by GNATS.
From: Max Laier
To: bug-follo...@freebsd.org,
kasah...@nc.kyushu-u.ac.jp
Cc: Pyun YongHyeon
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when
using pf(4) 'reply-to'
Date: Fri, 19 M
On Thursday 18 March 2010 17:39:29 Giulio Ferro wrote:
> On 18.03.2010 15:26, Max Laier wrote:
>
> Ok, it's happened again...
> and once the system freezes try to enter the debugger and get ps and
>
> >>>>> locks information.
> >>>>>
>
On Thursday 18 March 2010 15:04:06 Giulio Ferro wrote:
> On 17.03.2010 18:00, Max Laier wrote:
> > Can you enable WITNESS and compile in DDB. Make sure to report any LORs
> >
> >>> and once the system freezes try to enter the debugger and get ps and
> >>&
On Wednesday 17 March 2010 17:57:54 Giulio Ferro wrote:
> On 17.03.2010 17:47, Max Laier wrote:
> > On Wednesday 17 March 2010 17:37:31 Giulio Ferro wrote:
> >> On 17.03.2010 16:50, Greg Hennessy wrote:
> >>> A possible corner case with the virtual hosting platform
ks
ps
After that you can try to "call doadump" so you get the information in the
coredump and don't have to transcribe it manually.
Thanks,
Max
eway being ISP router]
>
> With this, the jail is working fine.
>
> What I'm trying to accomplish is portknocking for 'ssh' access:
>
> pass in log quick proto tcp from any to any port {1234} synproxy state \
> (max-src-conn-rate 5/15, overload )
>
school are you attending where they let you fiddle with BSD? Cool!
Regards,
--
Max
arts individually and cat them together if you
insist on keeping the ruleset unordered.
Regards,
--
Max
he
addresses to your interface? Are you certain that you were testing with the
right rules in place (your output above shows zero rule evaluations) which is
a sign that something else went wrong.
Can anyone else reproduce this problem or did you see something similar?
Regards,
--
Max
On Saturday 12 December 2009 02:25:08 Aaron Stellman wrote:
> Hello there,
> Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
> machine.
>
> What works:
> pass in on $ext_if proto tcp to port 21
>
> What doesn't work:
> pass in on $ext_if proto tcp to ($ext_if) p
or which part of the system should I tweak?
>
> Michal
>
--
/"\ Best regards, | mla...@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mla...@efnet
/ \ ASCII Ribbon Campaign
s where pf(4) won't see
> some packets in the connection.
is aware of the rc.conf variables and adjusts
accordingly (e.g. opening access to sshd iff it is configured). In
addition there might be *one or two* configuration variables for the early
stage to open additional ports or to select a default interface. However,
the fewer the better.
Input gre
t;block all/allow
dhcp/RA/DNS/..." and "firewall_late" to setup the final thing.
In any case setting up the firewall is a non-trivial task and I doubt that
there really is a good "one size fits all" solution. I'd prefer your
version over the previous incarnation -
se problem when I first experienced it with the
> DB server and I saw that this wasn't going to happen with the new
> release. I were happy to build I new 7.2-Rel server so that I wasn't
> going to face the same problem.
>
> But, in fact, I'm facing what looks like the sam
(in stable/7)
It is not easily fixable in stable/6
On Sunday 17 May 2009 23:08:32 Kevin Smith wrote:
> You mean the ext_ad macro right ?
>
> What do you tell with that to pf, and why do I need it, can you tell me
> ? :)
http://www.freebsd.org/cgi/query-pr.cgi?pr=69954
> Thank you!
>
> 2009/5/17 Max Laier
>
> >
's an FAQ, only we don't have a good place
to document it. Suggestions - once again welcome.
me subnet in a bridge interface to allow direct
communication between all members in one subnet.
Hello Anton,
On Monday 13 April 2009 21:40:55 Anton Yuzhaninov wrote:
> It seems to be, that max-src-conn is broken under FreeBSD, and not useful
> to limit incoming connections.
>...
> New state not created, but packets matched first rule is passed, while
> should be dropped.
>
t an immediate concern at this point.
The following reply was made to PR kern/130977; it has been noted by GNATS.
From: Max Laier
To: bug-follo...@freebsd.org,
darki...@gmail.com
Cc:
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect
to VPN server
Date: Sat, 11 Apr 2009 01:11:54 +0100
a proper solution should hit the tree over the weekend.
t; +++ sys/net/if.c2009-04-10 12:38:14.0 +0300
> @@ -846,6 +846,7 @@ if_detach(struct ifnet *ifp)
> mtx_destroy(&ifp->if_snd.ifq_mtx);
> IF_AFDATA_DESTROY(ifp);
> splx(s);
> + if_delgroup(ifp, IFG_ALL);
>
fil rm_lock (not so much). In addition the pf mutex is a
single, global lock and thus reduces the opportunity for parallelism.
> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>
> thanks.
seems to _only_ work from the root queue/first level down.
> >
> > Am I missing something here?
> >
> > ]Peter[
>
> I think Max has to answer this if he sees this post. In any case I guess
> you have to be clear about what your available upload bandwidth is on
&
On Wednesday 25 February 2009 15:10:04 Artis Caune wrote:
> 2009/2/25 Max Laier :
> > Hello Artis,
> >
> > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob,
> > that's you, right?) From a quick glance there is also a minor leak i
LIST_EMPTY(&db_changes)) {
> dbc = SLIST_FIRST(&db_changes);
> ...
> free(dbc->key);
> free(dbc->data);
> SLIST_REMOVE_HEAD(&db_changes, entry);
> }
>
> there is no "free(dbc);"
the following links helpful:
http://www.daemonology.net/blog/2008-01-29-depenguinator-2.0.html
http://www.daemonology.net/depenguinator/
y increase it. I'd shoot for at least
512M which I believe is the maximum in 7.1 with the stock kernel. It seems
that there is work in progress to increase that limit for amd64 in releng_7,
however. Increasing this is worthwhile in any case, as I have a hard time
imagining what else you&
r pass option to a
> pass rule which would behave in the same way as rdr pass?
The simplest way off the top of my head: Use a "rdr ... tag"-rule and "pass
... tagged" later on.
can afford to do it without funding. I'll have to look into that after
my current projects are mature enough to figure out when exactly I'll have an
opening.
On Thursday 04 December 2008 16:47:13 Max Laier wrote:
> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
> > problem is fixed in OpenBSD 4.4
> > http://www.openbsd.org/plus44.html
>
> The bug this note refers to was introduced after OpenBSD 4.1 (our last
> i
it to
make sure synproxy is working, but I don't think it was broken after my last
import ... do you have a particular test case that I could reproduce?
The following reply was made to PR kern/129060; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP
Date: Sun, 23 Nov 2008 02:20:57 +0100
This is a known
't found any support for altq(4). If someone
> could provide some patch on this, then I am willing to test.
according to the code, igb(4) supports ALTQ since it was first committed back
in February. What makes you think that it isn't?
On Tuesday 04 November 2008 16:50:43 Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 04:48:31PM +0100, Matthias Kellermann wrote:
...
> >
> > Thanks for your explanation, Max.
> >
> > I've added the following line to /etc/inetd.conf:
> > telnet stream tcp no
r clients connect to the correct box in the first place
(split horizon DNS etc.)
s for lo0, as nothing can talk
> to that interface except local stuff anyway.
Indeed. In fact, "set skip on" was especially made for this case. The
problem is that lo0 is special. The packet direction and the fact that on lo0
127.0.0.1 talks to itself, greatly confuse
that's the same as the one you are after, but there is a
definition in that directory so it's easy enough to check.
t;
> [EMAIL PROTECTED] cat /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!
On Tuesday 30 September 2008 00:02:04 Robert Watson wrote:
> On Mon, 29 Sep 2008, Max Laier wrote:
> > Please help testing. It's been confirmed to work for IPFW, let's make
> > sure pf is in good shape, too. Thanks.
>
> A casual glance at pf.c suggests that pf(4
oratory
University of Cambridge
---
The following reply was made to PR conf/127511; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to
BSD.root.dist and BSD.var.dist mtree files
Date: Mon,
on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
ts. But
that's a very rough estimate - but you can't do better than that, anyways.
Systems Programmer
> Brooks Library
> Central Washington University
>
ID_PF (see make config). I have no idea if Dansguardian has
support for pf or if squid or Dansguardian is the first to look at the
traffic. If squid is the first you should be good ... otherwise you must talk
to the Dansguardian people about pf support.
h could utilise "flags any" correctly, but the risks are high.
>
> 2) Add "no state" to rules you want shaping to occur on. This has the
> added drawback of pf not being able to keep track of state on such
> packets (performance hit), and you'll need to tune y
x or from an ISP firewall (though that fact might
be obfuscated, too).
> I do not have any rules to allow these ports.
>
> Any suggestions on what might be the reason for this?
state creation
> or application trying to talk on closed connection.
>
> I have two FreeBSD 7-STABLE with PF, carp, pfsync and max carpdev
> patch and two application servers (jboss) that listen on port 9090
> behind this firewalls, some connections from external clients off this
> ap
//www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/freebsd-
versions.html
You can also check sysutils/pftop/Makefile for hints.
about netmasks and
write the above as either
table { 80.252.2.0/25, !80.252.2.3/30 }
or
box = "{ 80.252.2.64/26, 80.252.2.32/27, 80.252.2.16/28, \
80.252.2.8/29, 80.252.2.4/30 }"
as Nejc suggested.
On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> > >
> > > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > > but
;pfctl -si". If you really
want to trust gif0 completely, you could simply add "skip on gif0" and pf will
not mess with it at all.
keywords ) in my
> pf.conf file did not produce identical behavior from pf. I've started
> wondering about how one would implement regression testing on pf.
Do you have an example? It's hard to imagine how that would be possible.
There are some parser regression tests in OpenBSD
ick ... tcp ... to !int_if port != 5190 ...
pass quick ... udp ... to !int_if port != 5190 ...
It should be obvious that the first rule will allow tcp traffic to port
5190 and the third to port 25.
In general you should rather block unwanted traffic explicitly.
On Thursday 17 July 2008 17:19:02 Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 05:11:50PM +0200, Max Laier wrote:
> > On Thursday 17 July 2008 15:28:49 CZUCZY Gergely wrote:
> > > On Thu, 17 Jul 2008 09:13:03 -0400
> > >
> > > "Glen Barber" <
ooks/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/index.html
http://home.nuug.no/~peter/pf/en/
should add an
rc.d that depends on NETWORKING (or hook something up to ppp.linkup, or
whereeverelse you can be sure that your resolver is working) and fill a
predefined table from that script. i.e. "pfctl -t mytable -T add
foo.bar.local"
(all)" flag
set. When you reload the ruleset no more new states will be created with
that flag, but the existing states stick around and keep logging all
packets. You can either "pfctl -Fstates" or simply wait until they die
off on their own.
trieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
>- * Connection to Failed *
>
> The system returned:
>
> *(1) Operation not permitted*
--- Begin Message ---
I have committed the base of the Multi-routing-table support.
I am curren
4) Find this offending rule (and also the interface and direction the
traffic was blocked on)
5) Insert a rule to allow the traffic in question
6) Repeat until everything works as required
The following reply was made to PR kern/123726; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/123726: [panic] [altq] page fault after ppp restart and pf
resync
Date: Mon, 19 May 2008 01:22:21 +0200
Th
> PORTSTATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
> 25/tcp open smtp?
> 110/tcp open pop3Openwall popa3d
>
>
> I can not understand what the problem...
>
> FreeBSD-7.0-RELEASE-p1
> i386
think that either PF or IPFW
can do what you need. If not, please be more specific about what your
goal is.