ween UDP and TCP. The
documentation I've looked at has been silent on whether the default pass
rule is expected to establish state (for versions of PF recent enough),
and I'm not quite curious enough to build a testbed right now. If
anyone knows the answer to this one, please do share. :-)
--Jon Radel
smime.p7s
Description: S/MIME Cryptographic Signature
tends to cut off the more energetic ones.
--Jon Radel
g no, or
minimal, "pass in" rules. That way people can't send you random,
possibly nasty, packets which you accept simply because they used a
source port of 80.
--Jon Radel
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 08:42:52AM -0400, Jon Radel wrote:
>> Guido van Rooij wrote:
>>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>>
>>> ep0: 1.2.3.4/24
>>> bge0: 10.0.0.1/24
>>>
>>> rule
urn SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd
> shows:
And does the problem go away when you put a "keep state" at the end of
line 1?
--Jon Radel
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
>>> I did test the following ruleset:
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 10:13:08AM -0400, Jon Radel wrote:
>>> And why is that so? This basically rules out keep state on outgoing packets
>>> on any router-type system. That seems like an unnecessary limitation.
>> What? If you want state,
ing
> along the lines of:
>
> block drop all
>
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
> pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
>
The OP didn't like that answer when I gave it to him. Maybe you've
managed to provide a more felicitous wording. ;-)
--Jon Radel
originally established by a packet outbound on bge0 might cross on
either bge0 or bge1 traveling in the same direction with respect to the
FreeBSD router with the configuration.
In this case we're talking about packets that are traveling in one
direction with respect to the router on bge0 and the other direction on
ep0, so you'd need separate state entries no matter what you've done
with if-bound.
--Jon Radel
y to any port 22 flags S/SA \
> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global)
And here I thought "keep state" was the default in the pf shipped with
FreeBSD 7.0....
Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
--Jon Radel
he end of
the first line has no space or tab character after it and is escaping
the newline character? You're trying to split a single line into two,
and that has to be done just so.
--Jon Radel
ner, feel free to
rip that all out ;-)
After you get that running, I'd suggest you start making things fancier
with Miroslav's recommendation about using a table, putting in scrub
with some of the less aggressive options, protecting yourself from
packets with spoofed addresses, etc.,
Ivan Petrushev wrote:
> So there is not spam protection or whatever installed on the software
> servicing the mail list? Abuse control? User registration approval?
>
> On Fri, Jan 30, 2009 at 8:46 AM, Jon Radel wrote:
>> Ivan Petrushev wrote:
>>> Excuse me, why such
.
I've upgraded a bit by now but mainly just because rather than to
solve any particular issue.
Without knowing more about the traffic to be put across the machine,
about the only real answer is: Try it and see what happens.
--
--Jon Radel
j...@radel.com
to stage attacks on other
machines. On the other hand, if the firewall is on the server in
question, rather than being another piece of equipment, anybody who has
root can rearrange your firewall for you
--
--Jon Radel
j...@radel.com
enBSD website,
in particular something like
http://openbsd.org/faq/pf/index.html
and then ask follow-up questions on the appropriate OpenBSD mailing list.
--Jon Radel
j...@radel.com
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/ma
Yes, use a switch that handles vlans and make use of them.
--Jon Radel
j...@radel.com
Sent from my iPad
On Nov 20, 2012, at 2:15, Hooman Fazaeli wrote:
>
> With a topology like:
> - ADSL 1
> LAN PF Box