Vasily Ivanov <[EMAIL PROTECTED]> writes:
> When I try to put rule like this: "nat on $ext_if from $private_net to any ->
> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I get
> a "syntax error" message.
Put the source tracking part in yo
s possible that my tutorial at <http://home.nuug.no/~peter/pf/>
could be useful. (expect some updates for EuroBSDCon. yes, it's on.)
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"R
e (ok, I'm in a few others ;))
[3] http://marc.info/?l=openbsd-misc&m=105723966516199&w=2
[4] http://home.nuug.no/~peter/pf/
--
"Vitaliy Vladimirovich" <[EMAIL PROTECTED]> writes:
> I need specify a range IP addresses in my spamd-whitelist table, e.g.
> 209.85.128.0-209.85.255.255.
> How can I do this correctly?
The address/netmask notation works, i.e.
209.85.128.0/17
--
actually buys you, but
it's quite similar to blackhole.
--
not limited to
specific services as long as you can dream up sensible criteria and
some useful action to take on the hosts that end up in the overload
list.
--
ut then I realized that OpenBSD's dhcpd is not identical
to the FreeBSD one so that particular feature may not be available
immediately to readers of this list.
Tables are nice, more apps that interface with pf through tables would
likely be welcome.
--
the short term is to do the traffic shaping
and filtering a bit closer to the end user, where bandwidth is a bit
more scarce. In the slightly longer term, I'm sure a verified bug
report (with patches against -current code if feasible) would be much
appreciated.
- Peter
--
Nomad Esst writes:
> In IPFW we can use "ipprecedence" to match a specified precedence. Is
> it possible to do so with pf? How?
If I'm not horribly mistaken, you would match on 'tos' instead (see man
pf.conf for details).
- P
--
ridges have
their own tagging and filtering facilities that may be combined with PF
features.
--
include as soon as doable.
- Peter
--
uy the book, but I'll limit my plugging.)
- Peter
--
f a conflict there will be between
the traffic shaping code that is likely to hit the OpenBSD tree in
time for 5.5 (due to be released May 1st 2014), but it would bear
looking into I suppose. The diff at http://bulabula.org/diffs/newqueue.diff
applied to a recent OpenBSD-current is what i
Rule Sets and Tools"
- Peter
--
ssh or indeed to any
specific protocol.
Possible variations include setting up tiny queues, adding entries to
the table of addresses you block manually, scripting the same based on
parsing log files and probably a few more, limited only by your
imagination.
- Peter
--
ith and without ue0 plugged in?
- what does ifconfig -a output, with and without ue0 plugged in?
plus, what's the network topology? Is the box you're ssh-ing in from
in the directly connected network for either of the interfaces?
- Peter
--
need for a point'n'click front end to your rule set is
a lot bigger than if you stay with PF.
--
96.200.0/24"
table { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from to any keep state
You may also want to take a peek at my PF tutorial located at
http://www.bgnett.no/~peter/pf/, updated with some w
rules. The altq example I lifted from
unix.se (http://www.bgnett.no/~peter/pf/en/altqbypct.html) for my PF
tutorial is similar enough to what you want to do that I think it should
get you there.
--
so
> could someone clue me in?
spamd uses a mechanism pretty much like you describe[1], and you can
stop quite a lot of other silliness by crafting 'overload' rules[2].
[1] man spamd and http://www.bgnett.no/~peter/pf/en/spamd.html
[2] http://www.bgnett.no/~peter/pf/en/bruteforce.html
's really strange. Perhaps
> ftp-proxy can't work with computer with one network interface ?
I think you need to detangle your rule set quite a bit. For example,
"set skip on lo0" and doing all your filtering on the one physical
interface would be a good start.
--
LI Xin <[EMAIL PROTECTED]> writes:
> I mean the latter. Actually I have got the knowledge from a place I
> forgotten, I think this should be documented more significantly, e.g. in
> pkg-message.
IIRC this is in the pkg-message, but isn't really documented anywhere else jus
hange them
to point to the new address http://home.nuug.no/~peter/pf/ instead.
File and subdirectory names remain the same.
--
tp://home.nuug.no/~peter/pf/en/bruteforce.html
for this specific topic
--
"Travis H." <[EMAIL PROTECTED]> writes:
> I believe in OpenBSD that ftp-proxy has been deprecated,
> and that users are encouraged to start using pftpx.
Actually, a 'son of pftpx' is the new ftp-proxy in OpenBSD 3.9 and newer.
--
"tim m" <[EMAIL PROTECTED]> writes:
> I would like to get the greylisting up and running.
You need to ensure that spamlogd is running. See if
http://home.nuug.no/~peter/pf/en/spamd.html and so on isn't useful.
--
foo -T show >/etc/tables/foo
or perhaps at regular intervals from cron, and declare your table
something like
table <foo> persist file "/etc/tables/foo"
> as su I type pfctl -t foo -Tl -f /etc/pf.conf but it returns nothing.
If you want to show table contents, a
$ sudo pfctl -t foo -T show
should b
If your malware manages to behave RFC-correctly, that is, resend after
what the greylisting host considers a reasonable interval, it will
manage to send whatever it's trying to send.
--
[you said you followed my recipe of sorts, so I do feel a
certain responsibility]
--
Daniel Dias Gonçalves <[EMAIL PROTECTED]> writes:
> I need to record logs of all connections nated from PF, has some way?
Add 'log' to all pass rules which will involve NATed traffic.
--
4.1
release), but timed table expiry is already available with Henrik
Gustafsson's expiretable (in ports as /usr/ports/security/expiretable).
--
your FreeBSD box,
you're better off browsing http://home.nuug.no/~peter/pf/, and you'll
figure out rather easily what you need to do. (Yes, that's a tutorial
I wrote and update occasionally).
--
rberos is among the basic requirements. Our
friend G turns up a lot of references for "sshd Active Directory", so
at least it's been tried before. It certainly sounds like useful
tutorial material if there isn't one available already. That is, if
anyone pf-savvy can be persuaded t