On Dec 2, 2012 12:55 PM, "Laszlo Danielisz"
wrote:
> @Kevin, yes I'm using interfaces, is there any what not using them in
pf.conf?
I don't think so. I was replying by phone at the time, so it was a little
short; I meant if you were using the interface in the rule vers
On Dec 1, 2012 3:55 PM, "Laszlo Danielisz"
wrote:
>
> Hi Everybody,
>
> Today I just found out that my pf rules are not loaded on boot if I
configure my machine's interface with DHCP
If you use your interface in your rules, for example,
pass in on em0
then you can tell pf to adapt to a changing
On Nov 20, 2012 9:44 AM, "Mark Martinec"
wrote:
>
> Paul Webster wrote:
> > I am aware this is a much discussed subject since the upgrade of PF,
> > I believe the final decision was that too many users are used to the old
> > style pf and an upgrade to the new syntax would cause too much
confusion
On 19 November 2012 18:56, David DeSimone wrote:
> This doesn't seem right, because even traffic coming in via the external
> interface will have its target IP changed to be the router, even if
> it is destined for some other place. Previously you were using "from
> $int_if:network" to prevent t
On Nov 19, 2012 5:54 PM, "Kevin Wilcox" wrote:
> It is. The "pass in" rule I used in my example assumes the inside
interface and the other devices it talks to are in the same network.
Correction, the "pass in" and "nat" rules, not just th
On Nov 19, 2012 3:12 PM, "Peter McAlpine" wrote:
>
> Thanks for your reply. I've tried the configuration you suggested but
> it's providing the same issue I was encountering before.
>
> My goal is to route all traffic from the tunnel out the external
> interface nat'ing it on the way out. Any traf
On 16 November 2012 09:40, Peter McAlpine wrote:
> data_if = "tap3"
> ext_if = "em0"
> set skip on lo0
> nat on $ext_if from !$ext_if:network to any -> ($ext_if)
> pass in on $ext_if route-to $data_if from any to !$ext_if:network
> The issue I'm having is that the 'pass' rule is not being matche
On Mon, Aug 20, 2012 at 11:53 AM, J David wrote:
> However, the nature of a DDOS attack is that there is not a single
> source IP. The source IP is either outright forged or one of a large
> number of compromised attacking hosts. So what I really want to do is
> have a "max-dst-states" rule tha
On Mon, May 2, 2011 at 10:41, Zhu Sha Zang wrote:
> I'm trying to block facebook access only using PF in FreeBSD 8.2.
>
> But putting the name or the ip returned with the command host
> www.facebook.com i can't deny any user to connect facebook.
>
> Some trick to do that?
>
> Thanks for now.
Sho
ch real
interface to associate with?
My understanding is that if no 'carpdev' directive is passed, carp will
detect the interface if it's on the same subnet as the given carp ip.
If this can be done, please let me know!
Thanks,
Kevin
on any given day, afaik.
I'm more worried about failover than I am about states being kept, but it
would be nice to utilize pfsync if it wouldn't be too risky.
Thanks,
Kevin
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman
is
to employ carp + pf to maintain some sort of automated failover mechanism
instead of a cold standby.
At the same time I don't want to change the architecture of my internal
network more than perhaps modifying the default gateways configured on each
dev
Hello,
I have a generally simplistic question about a potential scenario for a
FreeBSD PF with multiple gateways/routes.
The backend network would not consist of local or private ip addresses -
every device will have a public IP. There will be about 7 public subnets
that will be handled by
Hello all. I've been using FreeBSD 7.x and 8.x for bridged firewalls
and logging hasn't been an issue. Now I'm moving one of them to NAT
and I suddenly realise I have a major problem - I can't log the actual
translations.
Consider the following:
Client A - 10.1.1.1
Client B - 10.1.2.2
Remote serv
Hi everyone. I sent this out to freebsd-questions@ yesterday but
haven't had any nibbles.
I'm testing NAT on FreeBSD 8.1. My setup is very simple:
My workstation -> { internal network switch } -> FreeBSD 8.1 routing
firewall with squid 3 -> { switch going to Internet }
My pf configuration is a ba
8865
397899380160
Any help would be greatly appreciated.
Regards,
Kevin Way
f any additional information is required.
Thanks,
Kevin
181.774 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=363.855 ms (DUP!)
^C
--- 10.0.0.11 ping statistics ---
9 packets transmitted, 3 packets received, +3 duplicates, 66.7% packet loss
round-trip min/avg/max/stddev = 91.159/174.910/363.855/95.135 ms
If
>What are your settings for
>
> $ sysctl -a | grep bridge.pfil
#bridge options
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
> Have you tried filtering only on one of the physical bridge interfaces,
> with net.link.bridge.pfil_bridge=0 and set skip o
# filter rules
pass in quick
pass out quick
pass quick on $mng_if proto pfsync
Note the only difference in config is the ip address of the pfsync
interface. When both boxes are on, one or both of them start to really slow
down and ultimately freeze. No messages are pasted on the console and
/v
Hello,
I'd like to get thoughts / input to the following application of 2x FreeBSD
redundant firewalls.
I have two firewalls with transparent bridges of the inside/outside
interfaces (2 interfaces each firewall). A third interface is used for
PFSYNC state synchronization. Synchronization of
It would be great if this was built in. If not (as I
suspect), what alternatives could be had to implement some sort of status
checking, while still using PF's round-robin directive?
Thanks,
Kevin
>I have committed a patch that makes pf w/DSR setup work a week ago but
>have not yet MFC'ed it, the patch can be directly applied against
>8-STABLE, though.
Would you be able to share the patch with me? I am on 7.2-RELEASE, however.
Please advise.
> -Original Message-
> From: Tom Judge
> Sent: Wednesday, December 16, 2009 1:20 PM
> To: Kevin
> Cc: freebsd-pf@freebsd.org
> Subject: Re: PF Transparent Bridge Firewall + CARP
>
>[router]
> |
> [--switch 1--]
> |
ith my
current network environment :/
I suppose I could migrate to OpenBSD, but I was trying to avoid that.
Thanks,
Kevin
RELEASE as well as 7.2-RELEASE.
Thanks in advance!
Kevin
> For tracking source IPs and adding them to a table, you can already do
> this, c.f. max-src-conn and overload in the pf.conf man page.
>
>
> If you use the overload keyword to dump the bad IPs into a table then
> as a quick and dirty solution for scripting you can the run a script
> from cron e
> -Original Message-
> From: Kevin [mailto:k...@kevinkevin.com]
> I have what I would consider not a standard firewall scenario that
> requires a second, redundant PF firewall. My first / main firewall is
> pf + transparent bridging with no internal network / ip address
me know.
Suggestions are welcome.
Thanks,
Kevin
> Gaurav Ghimire wrote:
> > Just curious to know if we have something, some alerting system or
> mechanism that provides the administrator with the daily reports that
> pf itself or some other
> > tool collects on pf's behalf.
> >
> > That probably reports the admin of:
> > ~ Total connection count
as what I can do on the firewall level,
of course.
Any help is greatly appreciated! :)
~kevin
state
pass out proto tcp from any to any keep state
Thanks in advance, Best Regards,
Kevin
Hello,
I have a weird problem I couldn't solve. I have it from 7.0, after ppp
reconnects to the ISP weird stuff happening, packets don't come back, the
connection to the ISP gets very slow, http requests got timed out or load
but items missing or the connection gets reset, but only for the compute
Thanks Eygene for the reply. It might be but I'm not sure. Is anyone
having the same setting, or any info on this?
--
Regards
Kevin Foo
On Thu, Nov 27, 2008 at 10:00 PM, Eygene Ryabinkin <[EMAIL PROTECTED]> wrote:
> Kevin, good day.
>
> Thu, Nov 27, 2008 at 08:26:55PM +0
eebsd-pf/2004-October/000522.html
However, the bridge code of FreeBSD was blamed for poor performance
and lack of functionalities. A more recent post on freebsd-net
mailing list on similar issue.
http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019556.html
Any ideas? TIA.
P/S : ple
You can use tools from ports like trafshow, iftop and pftop to display the
statistics that you are looking for.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Vitaliy Vladimirovich
> Sent: Tuesday, June 03, 2008 3:56 PM
> To: freebsd
You cannot track state of stateless protocols such as UDP.
> -Original Message-
> From: Ansar Mohammed [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 07, 2008 4:54 PM
> To: 'Jille'
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: RE: UDP we
Try pass out proto udp from any to any port 53
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Ansar Mohammed
> Sent: Wednesday, May 07, 2008 1:34 PM
> To: freebsd-pf@freebsd.org
> Subject: UDP weirdness
>
> I have a very simple confi
S/SA keep state. I'm scrub in all +
scrub out all, and basically it's a standard setup.
I'm wondering if anyone can help me more. I have my PF rules if more
information is needed but hopefully someone has a suggestion without
requiring that.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Vitaliy Vladimirovich
> Sent: Wednesday, March 26, 2008 6:58 AM
> To: Jeremy Chadwick
> Cc: freebsd-pf@freebsd.org
> Subject: Re[2]: PF rules for internal interface
>
> --- Original Mes
The only thing I can think of is if maybe the firewall uses the Microsoft
server as DNS, and you should be able to resolve computer names and write
rules in PF accordingly.
I am planning on implementing a couple FBSD PF boxes in front of some
Windows servers, so it would be interesting if anyone e
> David Nguyen wrote:
> > I've installed Vista recently and it detected the network drivers and
> > "seemed" to be working (default drivers with Vista). I thought it was
> > the network, but it was actually the network drivers that came with
> > vista (nForce). I would retrieve a DHCP, but would not com
Volker wrote:
>
> Kevin,
>
> helping you with just this snippet of rules is like fishing in the
> dark.
>
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state
Dennis Berger wrote:
> We have a vista client and openbsd 3.9 pf box here. no problems at all.
> What you could try is something like this.
>
> pass in quick on $ext_if fastroute inet proto tcp from $somewhere to
> any
>
I'm going to try that, but I'm looking for a solution where I don't have t
>
> > Do you imply that you have other operating system behind your FreeBSD
> > wall, but have not this sort of issue? Is the problem Vista specific?
>
>
> Only FreeBSD machines are behind the firewall. The issue lies with a
> Vista
> machine accessing the network through the firewall. The conn
> Do you imply that you have other operating system behind your FreeBSD wall,
> but have not this sort of issue? Is the problem Vista specific?
Only FreeBSD machines are behind the firewall. The issue lies with a Vista
machine accessing the network through the firewall. The connection attempt
(re
I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
the fact that Windows Vista machines can't get through the network. I have
tried many things, including just using a skeleton PF configuration and I'm
still having trouble.
Just curious if anyone has experienced issues with t
I'm curious if there has been some benchmarking done to compare the two
methods of enabling PF.
The security debate could be argued to be circumstantial, but I'd like to
hear from people who use it in production via loaded module, as my only
experience with PF is building it into the kernel.
-
I am curious how I could set my pf firewall to allow passive mode
connections via random ports. I get "illegal port range" when trying to
connect / directory list on an external ftp site.
I have some general ideas as to how I could remedy this but I thought
I'd post it here first. Thanks in a