On 7 December 2014 at 23:09, Martin Hanson
wrote:
> > Given you appear to believe you are well acquainted with the problem, why
> > not pull your finger out of your proverbial and sort it yourself?
>
> LOL, good one!
>
> Seems like you have missed the whole point, nobody can sort it out now!
>
I
On 7 December 2014 at 15:52, Martin Hanson
wrote:
>
>
> Did anyone on FreeBSD bother to look at that first?
>
> Multi-threading!?
>
> So okay, now there's essentially another product on FreeBSD, its NOT PF any
> longer! It's "old crap that should have been updated some six years ago"
> with
> new
On 30 July 2010 00:08, Chris Buechler wrote:
> On Thu, Jul 29, 2010 at 5:09 PM, Peter Maxwell
> wrote:
> >
> > An ISMS, is a company defined document so will likely have different
> entries
> > or even none at all for that matter depending on the company. In a
>
On 29 July 2010 20:08, Greg Hennessy wrote:
>
>
> > If, as you say, there are "Governance, Risk, and Compliance reasons",
> > perhaps you'd like to specify one or two for each category?
>
> Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement
> 10, Basel II, throw in SOX 404
; primary cause of a test failing.
>
>
>
>
> Kind regards
>
> Greg
>
>
>
> From: allicient3...@gmail.com [allicient3...@gmail.com] On Behalf Of Peter
> Maxwell [pe...@allicient.co.uk]
> Sent: 29 July 2010 03:52
> To: Greg Hennessy
> Cc: Spenst, Aleksej; fre
On 28 July 2010 20:39, Greg Hennessy wrote:
>
> > What disadvantages does it have in terms of security in comparison with
> > "block all"? In other words, how bad is it to have all outgoing ports
> always
> > opened and whether someone can use this to hack the system?
> >
>
> It's the principle of
Hmmm, off the top of my head: I wonder if you could use Snort and have that
do full packet inspection for you. Then you should be able to script an
alert if the string is found and call pfctl to add the offending IP address
to a table that blackholes it. Just a thought.
Or if you want to do it "
Checking whether there is anything unexpected in the dmesg output and
posting the output of
pfctl -v -s a
wouldn't hurt either.
On 16 April 2010 14:57, jose ycogo wrote:
>
>
> i think its best if you post your pf.conf
>
> cheers...
>
>
>
>
>
> From: Gaurav
On 16 April 2010 05:11, DAve wrote:
> DAve wrote:
> > Peter Maxwell wrote:
> >> Can't see anything obvious but have you tried these things in the event
> >> something strange is going on:
> >>
> >> - removing the scrub rule;
> >>
>
Hit reply in haste and forgot to send to list...
-- Forwarded message --
From: Peter Maxwell
Date: 10 April 2010 01:16
Subject: Re: Issues with pf and snmp
To: DAve
On 9 April 2010 20:55, DAve wrote:
> Peter Maxwell wrote:
> >
> > Hi DAve,
> >
Hi DAve,
This may be a daft question, but is the destination IP in your tcpdump of
10.0.241.41 (one of) the IP address(es) assigned to dc0?
The next question isn't actually related to your problem; when you say "I've
been working to enable pf on all our servers in preparation for moving them
outs
Hi Maurice,
Yes, you can do it without much difficulty and I've got my server
setup in that manner: there's about twenty separate jails that can
access the internet via specific NAT rules and incoming services
handled via RDR rules. Note: you won't be able to ping from a jail,
unless you want to
Hi Kristian,
This is quite late, so if my reply doesn't make any sense please
ignore it ;-) Also, I'm not really answering your question, just
suggesting an alternative.
Instead of using reply-to, can the upstream device that is sending
packets to the gif0 tunnel - or even pf if it works in thi
2010/1/8 Olivier Thibault :
> On 08.01.2010 11:31, Peter Maxwell wrote:
>>
>> 2010/1/8 Olivier Thibault :
>>
>>>> # keep stats of outgoing connections
>>>> pass out keep state
>>>
>>> This rule allows everything out and next
2010/1/8 Olivier Thibault :
>> # keep stats of outgoing connections
>> pass out keep state
>
> This rule allows everything out and next outgoing rules won't be checked as
> this one matches first.
That's incorrect, pf does the opposite and uses the *last* match - at
least that's what the documentati
2010/1/6 M. Keith Thompson :
> I have a very screwy problem. I have a pure-ftp server running pf on
> FreeBSD 7.0. For the most part the server works fine; users upload
> and download multi-megabyte files daily. However, I have one client
> (HP-UX) that can not get files larger than 98K. If I t
2009/12/22 Gaurav Ghimire :
> thinking if I could be informed via an email alert that a new IP has
> been added to the table abusive_ips. It seems this would have been
> possible if there was a possibility that I could trigger an external
> script on the 3rd rule I have. And the external sc
2009/12/21 Gaurav Ghimire :
> Hi all,
>
> Are there any possibilities that I could run a script (bash, perl) when
> any rule is matched.
>
> For example, I have some distinct rule and want to get an alert email
> each time any connection threshold is crossed on it from a single IP. Say
> I want one
2009/12/21 Tom Uffner :
> Gaurav Ghimire wrote:
>>
>> Are there any possibilities that I could run a script (bash, perl) when
>> any rule is matched.
>
> make sure the rule you want to trigger your script includes "log".
>
> have your script tail pflog, and watch for your trigger rule before
> perf
2009/12/15 Linda Messerschmidt :
> On Tue, Dec 15, 2009 at 11:08 AM, Peter Maxwell wrote:
>> I'm pretty sure you can run tcpdump against a packet capture from the
>> pflog interface on the pf box; that will include fields like
>> block/pass and rule number for each p
Hi Linda,
I'm pretty sure you can run tcpdump against a packet capture from the
pflog interface on the pf box; that will include fields like
block/pass and rule number for each packet filtered. That way you at
least know what rule is dropping/passing your packets. And if my
memory serves me righ
2009/8/23 Len Conrad :
>
> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp,
> whatever) and inserts/removes TCP block rules into pf for x hours, so the
> protocol daemons are involved.
>
Are you sure you really need this in the first place? Others may
disagree, but th
Comments inline...
2009/7/14 Aleksic Predrag :
> On Tue, 14 Jul 2009 01:22:06 +0100
> Peter Maxwell wrote:
>
> > Can you post the output of: pfctl -s r
>
> # pfctl -sr
> scrub in all random-id fragment reassemble
> block drop log (all) all
> block drop in on sk0
Hi Aleksic,
On a cursory glance, your pf.conf looks ok. The tcpdump you supplied
is showing both incoming and outgoing packets being blocked which is
weird - why would there be a return packet if the initial SYN didn't
get through?
Can you post the output of: pfctl -s r
What happens if you try
Hi Yuzhaninov,
Interestingly enough, I checked the pf.conf man page for max-src-conn:
"For stateful TCP connections, limits on established connections (connections
which have completed the TCP 3-way handshake) can also be enforced
per source IP.
max-src-conn
Limits t
Tommy,
As I think you've discovered, you're probably after a NAT solution
here rather than source/policy based routing.
Best wishes,
Peter
2009/1/17 Tommy Pham :
> - Original Message
> From: Tommy Pham
> To: freebsd-pf@freebsd.org
> Sent: Friday, January 16, 2009 8:39:36 PM
> Subject:
Hi Leslie,
The message you're getting is usually associated with the rule base
blocking an outbound connection - so check that you've opened all the
outbound ports that squid needs in your pf.conf. Tip: you can use
tcpdump to see what's going on, the openbsd pf pages at
http://www.openbsd.org/faq
I have only skim read the bug report, however in report it says "every
second connection" which sounds like what happens when you have
outgoing connections from an interface that has two IPs assigned (had
got bitten with this when using IPSec over an interface that had two
IPs assigned). Except th
Hi Elvir,
I'd second the advice given further up the thread about getting your
ISP to filter upstream - that's about the only really effective
solution. Once UDP packets hit your firewall's external interface
there's very little you can do about it.
The only other advice I could offer is;
i) Ma
Hi,
Looking for anyone's help on this:
I'm not sure if pf's behaviour is correct, if its a bug, if it is
working correctly, or if I'm just trying to do something that really
shouldn't be done. Anyway, my setup and issue is as follows:
Kernel is GENERIC 7.0-STABLE #1, amd64 with IPSEC and ALTQ