On 18/10/2010 19:10, Ermal Luçi wrote:
Feedback is very welcome.
It's not the useful feedback you are waiting for, but can't stop
myself.. it's such good news, I think a lot of people were waiting for
it. Just want to say thank you, your great contribution is very appreci
. I don't understand why was it not stopped by pf?
And how can I tune my rules to be able to control DHCP conversation?
Michael
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mai
tion, I was not aware of that.
Michael
Hi,
Is it possible to set multiple loginterfaces in pf.conf? The man page
says no but maybe there is some workarounds?
I'm using FreeBSD 8.1-R
Michael
any given time so I thought I need
multiple loginterfaces?
Michael
Hello,
Is pf in FreeBSD 8.2-R open by default? So that it is NATing and allows
anything when it fails to load user provided rules?
Michael
Hello.
Apart from bugfixes are there any new features? Or where can I find a
changelog?
Thank you in advance, M.
eb_ports -> $jail_web_adr
nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr
---
Cheers
Michael
Hi —
[ I am including freebsd-pf@FreeBSD.org now and removing
freebsd-j...@freebsd.org ]
[ Thread starts at
https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]
Eugene Grosbein wrote:
> Michael Grimm wrote:
>> Kristof Provost wrote:
>>
Bjoern A. Zeeb wrote:
>
> On 22 Dec 2017, at 20:30, Michael Grimm wrote:
>> Hi —
>>
>> [ I am including freebsd-pf@FreeBSD.org now and removing
>> freebsd-j...@freebsd.org ]
>> [ Thread starts at
>> https://lists.freebsd.org/piper
traffic. The switches are Foundry SI-800g.
Also doing about 25k/sec searches with 400 inserts a second and 270
removals and 407 matches/sec. The state table seems to run about
70,000 to 90,000
Are there issues I should be aware of and should pf be able to handle
this kind of
P server is
tracking time to within +300/-200 microseconds which is impossible
with an unstable network.
With the change the state table is running around 20k entries.
Do you know if these issues are present in the betas of 7.0, which I
understand is using pf 4.1?
--
Michael Conlen
On Oct
Hi everyone,
I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ... but I'm
having some trouble. I'm pretty sure that it isn't actually splitting the
outgoing traffic (trying to load-balance over two uplinks), and the users are
experiencing intermittent trouble resolving DNS
Hello Michael:
I think you want to use "reply-to" instead of "route-to" on load
balance rules since you need it to go out the same interface it came
in on. This will work in conjunction with any connection that has
state, so make sure your DNS pass rule has keep-s
Thanks to both of you ... it looks okay remotely - I'll test it on-site
tomorrow.
-mike
> Date: Tue, 1 Jan 2008 21:56:34 -0800
> From: [EMAIL PROTECTED]
> To: freebsd-pf@freebsd.org
> Subject: Re: load-balancing, DNS
>
> Hi Michael,
>
> Another method that you ca
I don't know if this is restricted to reply-to. I have an almost identical
setup (except, using route-to) and have the same problem. Anyone have any
ideas?
thanks,
-mike
> Date: Wed, 18 Jun 2008 08:59:13 +0400
> From: [EMAIL PROTECTED]
> To: freebsd-pf@freebsd.org
> Subject: reply-to speed is
On Mon, Oct 19, 2009 at 11:48 AM, Jed Gainer wrote:
> I wanted to setup a machine as my LAN gateway and have it load balance over
> multiple WANs. When I found http://www.openbsd.org/faq/pf/pools.html I
> chose FreeBSD as the machine's OS. After getting it up and running, and
> acting as a gateway
On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov
wrote:
> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
> 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
This looks to be your problem-- bad hdr
On Sat, Nov 21, 2009 at 1:23 PM, Michael Proto wrote:
> On Sat, Nov 21, 2009 at 1:07 PM, Victor Lyapunov
> wrote:
>
>> rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset
>> 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 >
>> 209.85
On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you. Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table
On Wed, Jul 28, 2010 at 2:55 PM, Spenst, Aleksej
wrote:
> Hi All,
>
> I have to provide for my system better security and I guess it would be
> better to start pf.conf with the "block all" rule opening afterwards only
> those incoming and outgoing ports that are supposed to be used by the syste
On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0:
> 2001:4998:0:6::11 > : frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1
> win 8211
> 2011-06-07 20:35:
On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote:
> Hello,
>
> I'm having a heck of a time trying to get PF to work with IPv6 on a
> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
> sample ruleset they can share
> for a server system that has a few services exposed?
>
I'm runn
2011/10/11 Виталий Владимирович :
>
> I have the IPSec tunnel FreeBSD <-> CISCO. Tunnel works fine but I can
> filtering traffic inside tunnel with PF.
>
> pf.conf
>
> ..
>
> ipsec_if="gif0"
>
> ...
> block in all
> block out all
>
> ### EXT_IF_OUT
>
> pass out log quick on $ext_if inet f
Ladies and Gentlemen,
Every once in a while I run into an issue wherein the symmetric NAT of pf
causes me grief. I've found some older mailing list entries asking about PF
and Cone or Full Cone NAT (such as this one from 2005:
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00804.html), but
tting of "flags any" and/or "no state" to tcp6 rules
- Adding private IPv6 addresses to my jails and implement nat66
- Activating rtadvd
But without any success, so, what's going wrong here:
- Is it my setup regarding pf?
- Is it my setup in general?
- Is it a screwed IPv6 ro
Hi --
I forgot to mention: this happens with "FreeBSD 9.1-RELEASE #0 r244594" and
"FreeBSD 9.1-PRERELEASE #0 r244694".
Regards,
Michael
Hi --
On 28.12.2012, at 12:59, Michael Grimm wrote:
> But without any success, so, what's going wrong here:
> - Is it my setup regarding pf?
> - Is it my setup in general?
> - Is it a screwed IPv6 routing?
> - Or something else?
What I can say now, is:
- It has nothing
Hi --
On 29.12.2012, at 13:07, Kimmo Paasiala wrote:
> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana
> wrote:
>> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>>> I do run both my primary and secondary nameservers (distinct servers) in
>>> FreeBSD jail
Without seeing the ruleset in question it's hard to say, but if rule 2 also
uses the quick keyword, then it won't reach the certain expected rule you
mention. Again, hard to say without seeing at least rule 2 and the expected
rule, and better the whole ruleset.
On Thu, Apr 4, 2013 at 10:35 AM, Ca
Hello James,
It's still a little unclear to me how you want traffic to flow in this
environment (in particular how the user traffic is arriving on the box),
but it'll probably be easier if you can have each class of user using a
different subnet. Regardless, it appears that you've set the default
r' whilst running an ftp
download. No matter what I do, it says the rule list is empty. When
running it with '-s a' I see that there are entries for the ftp
connections in the state table, but still no rules.
Is it supposed to behave that way or s
Hi again,
another problem with my new pftpx setup is that because of
rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
only connections coming in via the internal interface get redirected to
pftpx. Due to that FTP connections originating on the machine itself
don't work
r
> This will show your rules. ;)
As usual the error sits in front of the computer. ;)
Thanks for the lightning response - it works like a charm and shows lots
of rules.
--
bye, Michael
I like Kaba!
On Thu, Jul 07, 2005 at 02:37:25PM -0400, Scott Ullrich wrote:
> > another problem with my new pftpx setup is that because of
> >
> > rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> >
> > only connections coming in via the internal interface get redirected to
> > pf
Hello,
I'm having trouble silencing pfsync. It insists on broadcasting packets
like this
rule 38/0(match): block out on xl1: 10.10.1.2 > 0.0.0.0: pfsync 228
to the external network interface for every state change. Up until now I
circumvented that by adding the no-sync option to every rule. But
.
I do however see the source in: /usr/src/sys/netinet/ip_divert.c
1. Am I overlooking the prebuilt module in 5.x?
2. Can I simply build the module on its own without a full buildkernel?
3. Given that buildkernel did not produce it, how can I produce it?
Best rega
y such as the
following is not needed and is perhaps ignored.
pass in on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA modulate state
Is there any way to apply flags to rdr traffic to limit protocols or ports?
Appreciated,
Michael.
I was having trouble implementing the ftp-proxy daemon as well
I got it working after doing a few things,
I upgraded to 6.0 (it's an old U1 Sparc64 Sun Netra)
I discovered from the pf.conf man that it says "the use of the group and
user filter parameter in conjunction with a Giant-free netstack can
repeated 121 times
Nov 10 15:03:37 server2 last message repeated 278 times
Any suggestions? Thanks!
Regards,
Michael Jeung
Roman Gorohov. wrote:
Hello list.
I'm planning to configure pf in a bridged environment (using if_bridge on 6.1),
so I have a question: will a transparent proxy work?
Is there any working config, or some known issues?
TIA, Roman Gorohov.
___
What kind o
Hi all,
I have some questions about pf rules, and just want to get some things
clear in my mind about how PF works, no doubt some of the answers will
be obvious to some.
I wanted to create some pf rules for TCP that can withstand losing
state but still utilizing the advantage of single line f
Dmitry Andrianov wrote:
Hello.
I might remove these in the future but just want to at least
do some testing on a firewall setup for many reasons such as
it has 2 separate links and want to try changing between the
links/routes without affecting state.
I'm not sure how this should w
Daniel Hartmeier wrote:
On Tue, Jul 11, 2006 at 03:40:38PM +1000, Michael Vince wrote:
That still doesn't really answer my question and I also am looking for a
flags example of what would guarantee to provide the desired behavior.
If you don't specify a 'flags' o
Greg Hennessy wrote:
So ultimately what you're saying is PF is too clever now and
can never be simplified like UDP state modes for single line
The notion of UDP keeping state is overstated.
Basic layer 3 'keep state' for UDP is nothing more than a watchdog timer
tracking how long i
Greg Hennessy wrote:
I did mention it a few times but I suppose I wasn't clear
about it, but I really do want to use "single line firewall
rules", and the only way to do this is to keep state, if
there are other ways/rules to have really flexible firewall
but still with stateful inspecti
CARP_LOG was logging thousands of
"carp_input: received len 20 < sizeof(struct carp_header)"
in my local /var/log/messages file:
After hours of research (and a lot of kernel rebuilds), I discover some
Freevrrpd multicast packets on my network that were triggering CARP_LOG to
produce this message.
mmoll added a subscriber: mmoll.
mmoll added a comment.
what's the status here?
REVISION DETAIL
https://reviews.freebsd.org/D1944
mmoll added a comment.
Nikos, could you have a look into PR 205743?
Hello All:
We are having issues with a "standard" configuration and getting passive ftp
to work. Here are our present rules related to one server $liv_ftp_int/ext
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr pass on ! $vlan924_if proto tcp from any to $liv_ftp_ext port { ftp,
9
You can use the ($int_if) for traffic terminating on the firewall. Any
traffic going through to another host needs to have the destination defined.
Could you include a complete copy (sanitized, of course) of your pf.conf
file? There might be something else at work but it's hard to tell without
t
Hi folks,
I am using FreeBSD (semi)-CURRENT, here is my uname:
FreeBSD gambit.gargantuan.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed
Mar 15 12:56:49 EST 2006
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GAMBIT i386
I have the following lines (among others) in my pf.conf file:
...
antispoof quick
Hey guys, I sent this to current@ but got no bites. Anyone here have a
comment or suggestion on a better fix? The patch to change the order of
execution of /etc/rc.d stuff is working nice here, so I am trying to get
the (positive) attention of a developer/committer.
Thanks for your attention.
-
Hi again,
Nobody piped-up to say that my rc.d re-ordering was the wrong fix, so I
filed a PR with the relevant information as well as the patch.
conf/96343
Thanks, have a great day.
--
Mike Oliver, KI4OFU
[see complete headers for contact information]
Hello David:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of David Verzolla
> Sent: Thursday, September 27, 2007 9:25 AM
> To: freebsd-pf@freebsd.org
> Subject: Rule doubt
>
> Hi All,
> Is it possible to create a rule that can match all t
Hello All:
I am confused about using FTP through PF. We have been running with a working
ftp-proxy setup that allows our internal servers to ftp out with no trouble. I
am now interested in putting an FTP server behind my PF configuration and I've
not been too successful.
If I am running an F
Hello All:
I am confused about using FTP through PF. We have been running with a working
ftp-proxy setup that allows our internal servers to ftp out with no trouble. I
am now interested in putting an FTP server behind my PF configuration and I've
not been too successful.
If I am running an F
Hello All:
> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { ftp, 49152:65535 } modulate state flags S/SA
>
Thanks to Jeremy for the line above which works like a champ. The last piece
of the puzzle for me is to block all inbound ftp connections to servers other
than m
Hello Jeremy (et al.):
We found the issue and I wanted to share the solution.
As before, this rule worked as expected:
# --
pass in quick on $vlan2_if inet proto tcp from any to port { ftp, 49152:65535 } modulate state flags S/SA
# --
However, when the following rule was in place, we couldn'
if it's not supported now would it be possible to add this
support?
Regards,
Mike
--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
[EMAIL PROTECTED]
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D
h,
although they seem to show up more often on the Backup device, which seems odd.
Any help would be greatly appreciated.
Regards,
Mike
Hello All:
> > What does sysctl vm.kmem_size_max show? Try increasing that size a
> > bit in loader.conf and see if that helps.
>
> Seconded. My guess is that the system flushes buffers when you first load the
> tables due to memory pressure, so when you load the tables a second time there
>
Hello:
> #
> #interfaces #
> #
> ext_if="bce0"
> ext_if2="bce1"
>
I would also define your inside interface(s), not just your outside. Let's
call it "bce2" for the example:
int_if="bce2"
>
> #
> #allow all connections fro
Hello Aleksic:
>
> no nat on $extIF inet proto {tcp, udp} from $intIF:network to $intIF2:network
> no nat on $extIF inet proto {tcp, udp} from $intIF2:network to $intIF:network
>
If nothing else, these rules won't match because the traffic isn't
traversing the External Interface.
no nat on $
Hello All:
I have two 6.2 RELEASE servers working in failover mode as PF Load
Balancers. When the MASTER box is failed (through reboot or interface
shutdown, etc.) the BACKUP box becomes MASTER as expected, but
connections that existed through the MASTER before the failover do not
transfer as exp
Hello Vadym:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Vadym Chepkov
> Sent: Wednesday, April 11, 2007 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: DMZ problem
>
> Hello everyone,
>
> I earlier asked a question about Amanda, stil