Thomas Steen Rasmussen wrote:
On 31-05-2011 19:45, Max Laier wrote:
On 05/31/2011 07:41 AM, Tom Lusty wrote:
Does anyone know the status of carpdev being ported over to
FreeBSD? I know there was some progress on this back in 2008-09,
but haven't seen anything since. I'm hoping that someone has
quentin.narvor wrote:
I'd like to dump (dup-to operation) all traffic from a subset of hosts
belonging to my internal network. This subset of hosts will be stored in
a table.
I have another table referring to blacklisted hosts (ie botnets, etc).
When a
packet goes through the firewall with desti
Gaurav Ghimire wrote:
Are there any possibilities that I could run a script (bash, perl) when
any rule is matched.
make sure the rule you want to trigger your script includes "log".
have your script tail pflog, and watch for your trigger rule before
performing its action.
Torsten Kersandt wrote:
HI
I personally have all ssh and alike ports closed on my servers.
If I want to connect to the server per ssh or whatever function, I login to a
hidden php which adds my current IP to a sql table.
I use sql because I'm not the only one using this and want to keep track w
Nico De Dobbeleer wrote:
# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flag
Gaurav Ghimire wrote:
Just curious to know if we have something, some alerting system or mechanism
that provides the administrator with the daily reports that pf itself or some
other tool collects on pf's behalf.
That probably reports the admin of:
~ Total connection counts matched on each rul
z0ran wrote:
I tried to rebuild my kernel with and without pf modules, I also rebuilt
it without "make options DEBUG=-g" and without "# Debugging for use in
-current options KDB options GDB options DDB options INVARIANTS" (that
was a suggestion from the FreeBSD forum) and no matter what I do it always
z0ran wrote:
now, why is it pf.ko not available, any idea please, thanks in advance!
did you build your kernel & pf modules at the same time?
if not, try checking out the kernel sources for some consistent date
and doing a "make buildkernel", complete with all the modules.
that sort of error
I am curious what level of performance I should expect from the
firewall box described below in terms of packets/sec and bytes/sec.
it is an 800 MHz VIA c3 with a Gigabit switch on the inside interface
and 20 Mbs symmetric Fios on the outside. both interfaces are 100 Mbs.
it is running sshd, bsnmp
Link wrote:
Thanks for your reply.
Tried rules you've listed.
Does not help
I've checked with tcpdump packets are still going out using default route.
hmm. it sounds like packets aren't matching the rules.
at this point all I can suggest is adding an explicit "pass log all" as
the first r
Zinevich Denis wrote:
"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
work. But anyway question is not in syntax of rules, because nobody
touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
Network is quite simple.
Server has 2 cards bce0 and bce1
bce0 - 172.2
Link wrote:
Tom Uffner wrote:
i'm having trouble making sense of that rule. could you explain (or maybe
draw a simple diagram) what you are trying to accomplish with it?
Seems that I found the problem. And I'm going to post it to freebsd bugs.
you're probably better off staying on
Tom Uffner wrote:
what happened with the effort to port "ifconfig ... carpdev ..." to
FreeBSD?
the last messages mentioning it were posted a bit more than a year ago.
if i remember correctly, there was a patch for IPv4 only. it was considered
Beta test quality and a few people wer
eculp wrote:
Thanks for responding. As I read your answer and my question, I'm
pretty sure that I probably didn't ask the question properly. What I
need to do is be intermediary between my upstream ISP's and my customers
and would like to control the bandwidth hogs.
Basically, I want certa
eculp wrote:
I don't remember why but for some reason I have the idea that pf+altq is
not bidirectional. Am I mistaken?
no solution that does not involve cooperation from your upstream
connection(s) is truly bidirectional. it is easy to limit/shape
your outbound traffic. on the other hand it
what happened with the effort to port "ifconfig ... carpdev ..." to
FreeBSD?
the last messages mentioning it were posted a bit more than a year ago.
if i remember correctly, there was a patch for IPv4 only. it was considered
Beta test quality and a few people were using it. but since then i have
the sample config file /etc/pf.conf is not included in the 7.0-STABLE
minimal installation.
was this an accidental omission, as it appears to be since the rest
of the pf files including /etc/pf.os are included, or was it done by
design?
tom
Mark Pagulayan wrote:
Yes I am using net.link.bridge.pfil_member: 1. What is the effect of
this on the bridge interface.
see if_bridge(4) for full details. in short they control whether or not
filtering is available on the member interfaces and/or the bridge.
net.link.bridge.pfil_local_phys:
Mark Pagulayan wrote:
We are using PF from FreeBSD 7.0 and using the rules we used from
openbsd 4.0 PF. With the help of Jeremy Chadwick, I found out that
modulate state is broken in FreeBSD PF so I replaced all rules that use
modulate state to use keep state.
FreeBSD 7.0 uses PF 4.1 so a num
Mark Pagulayan wrote:
I am using bridge pf:
I only allow pass all on my internal interface. So there is no other
rule for that interface. How do I know that states are mismatched for
both internal and external?
could you post your full ruleset and a quick description of your net
topology? the
Kian Mohageri wrote:
On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
The way I see this is that this rule would be applied to udp traffic as
well which will be dropped/blocked because flags only work for tcp and
this might be the cause of state-mismatches that I see in the table -
'flags S/SA
Mark Pagulayan wrote:
OS: FreeBSD 7.0-RELEASE
Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
inserts 'Flags S/SA' to rules?
this is correct.
The problem is that when it comes to this rule:
pass in quick on $int_if
after loading to pf
pass in quick on em0 flags
is there documentation somewhere (other than reading the source code)
of exactly what all of the fields in the output from "pfctl -ss" (and
"pfctl -vvvgss") mean, and all of the possible values.
most of it seems pretty obvious, but it would still be nice to have
a way to be sure i'm not misinterp
Tom Uffner wrote:
changed my scrub rule to "scrub all no-df fragment reassemble"
no effect.
if it makes difference, the nfs server runs debian stable w/ linux 2.6.18
kernel, and my client is FreeBSD 8.0-CURRENT #160: Tue Apr 8 07:49:18
EDT 2008
adding random-id as discussed
Torsten @ CNC-LONDON wrote:
The following rule sorted it on my nfs shares
scrub in all no-df
scrub out all no-df
I've seen this mentioned on some website and that cured the same problem you
had
changed my scrub rule to "scrub all no-df fragment reassemble"
no effect.
if it
my kernel is logging errors like these:
Apr 26 04:15:13 xiombarg kernel: nfs send error 1 for server
10.69.69.21:/data0/music
Apr 27 23:20:21 xiombarg kernel: nfs send error 1 for server
10.69.69.21:/data0/music
Apr 29 15:35:07 xiombarg kernel: nfs send error 1 for server
10.69.69.21:/data0/mus
If I deploy a pf firewall on a network where the attached routers or
hosts can not or will not route the appropriate traffic to the firewall,
then the firewall must direct that traffic to itself by either binding
the addresses of devices behind it or by publishing proxy-arp for them.
For various
I am trying to build a redundant firewall with a NATed interface
and a bridged DMZ interface. Toward this end i have a pair of machines
w/ four network interfaces each (bge0, bge1, em0, em1).
my first thought was to bridge two of these, assign the outside IP to
bridge0, then use the 3rd & 4th for
Tom Uffner wrote:
I am trying to build a redundant firewall with a NATed interface
and a bridged DMZ interface. Toward this end i have a pair of machines
w/ four network interfaces each (bge0, bge1, em0, em1).
sorry, forgot to mention...
6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Sat Jan 6 18