Re: pf rules

2010-01-24 Thread Erik Norgaard
Doug Hardie wrote: 1. pf allows short cuts, but these also make it more difficult to debug. I'd separate NAT from filtering, Ok. I guess you want some white space between them? Here it is with the white space and comments: ext_if="dc0" table persist file "/etc/blackhole" table per

Re: pf rules

2010-01-23 Thread Doug Hardie
On 23 January 2010, at 04:18, Erik Norgaard wrote: > Doug Hardie wrote: > >> This is quite interesting. I can't figure out the rules on my system. > > Maybe try to simplify, clean up and structure your rules :) > >> Here is the pf.conf file with all comments removed: >> table persist file "

Re: pf rules

2010-01-23 Thread Erik Norgaard
Doug Hardie wrote: This is quite interesting. I can't figure out the rules on my system. Maybe try to simplify, clean up and structure your rules :) Here is the pf.conf file with all comments removed: table persist file "/etc/blackhole" table persist table persist table persist file "/

Re: pf rules

2010-01-22 Thread Doug Hardie
On 22 January 2010, at 03:14, Erik Norgaard wrote: > Doug Hardie wrote: >> On 22 January 2010, at 01:45, Erik Norgaard wrote: >>> To debug pf rules: >>> >>> - always add direction to the rule, pass or block, add interface to all >>> rules except default policy, keep state on all pass rules >>> -

Re: pf rules

2010-01-22 Thread Doug Hardie
On 22 January 2010, at 03:14, Erik Norgaard wrote: > Doug Hardie wrote: >> On 22 January 2010, at 01:45, Erik Norgaard wrote: >>> To debug pf rules: >>> >>> - always add direction to the rule, pass or block, add interface to all >>> rules except default policy, keep state on all pass rules >>> -

Re: pf rules

2010-01-22 Thread Cristiano Deana
On Fri, Jan 22, 2010 at 8:12 AM, kalin m wrote: > how is it possible that if i have these rules below in pf.conf if i do: > telnet that.host.org 25 > > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. you probably don't load pf. pfctl -sa | grep Status ech

Re: pf rules

2010-01-22 Thread Tim Judd
On 1/22/10, kalin m wrote: > > hi all... > > doing testing with pf... > > how is it possible that if i have these rules below in pf.conf if i do: > telnet that.host.org 25 > > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. > ... etc ... > > > p

Re: pf rules

2010-01-22 Thread Erik Norgaard
Doug Hardie wrote: On 22 January 2010, at 01:45, Erik Norgaard wrote: To debug pf rules: - always add direction to the rule, pass or block, add interface to all rules except default policy, keep state on all pass rules - group your rules per direction, then per interface - add log to all rule

Re: pf rules

2010-01-22 Thread Doug Hardie
On 22 January 2010, at 01:45, Erik Norgaard wrote: > To debug pf rules: > > - always add direction to the rule, pass or block, add interface to all > rules except default policy, keep state on all pass rules > - group your rules per direction, then per interface > - add log to all rules and wat
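
Erik Norgaard's checklist above, applied to a whole ruleset. This is an added example written for this page, not a configuration posted in the thread; the interface name em0 is an assumption, and the service macros are loosely modelled on the ones kalin m posted further down. Every rule except the default policy names a direction and an interface and carries log, every pass rule keeps state, and the rules are grouped by direction and then by interface:

```pf
# Added example, not from the thread. Interface name and services are assumed.
ext_if  = "em0"
tcp_in  = "{ www, https }"
ftp_in  = "{ ftp }"
udp_out = "{ domain, ntp }"
ping    = "echoreq"

set skip on lo0
scrub in on $ext_if all

# Default policy. This is the only rule without a direction or interface,
# so anything that ends up here shows up in pflog with this rule's number.
block log all

antispoof log quick for $ext_if inet

# ---- inbound on $ext_if ---------------------------------------------------
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in \
    flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $ftp_in \
    flags S/SA keep state
pass in log on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type $ping keep state

# ---- outbound on $ext_if --------------------------------------------------
pass out log on $ext_if inet proto udp from ($ext_if) to any port $udp_out \
    keep state
pass out log on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
pass out log on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type $ping keep state
```

Parse it without loading it first (pfctl -nf /etc/pf.conf), load it with pfctl -f /etc/pf.conf, and confirm pf is actually enabled with pfctl -sa | grep Status, which is the check Cristiano Deana suggests further down for the case where the rules "do not work" simply because they were never loaded. Because every rule logs, tcpdump -n -e -ttt -i pflog0 (with pflog enabled) then shows, for each logged packet, the rule number that matched it, and pfctl -sr prints the loaded rules with those numbers, so a packet that passed or was dropped unexpectedly can be traced to the exact rule without guessing.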

Re: pf rules

2010-01-22 Thread Fbsd1
Erik Norgaard wrote: kalin m wrote: tcp_in = "{ www, https }" ftp_in = "{ ftp }" udp = "{ domain, ntp }" ping = "echoreq" set skip on lo scrub in antispoof for eth0 inet block in all pass out all keep state pass proto udp to any port $udp pass inet proto icmp all icmp-type $ping keep state pa

Re: pf rules

2010-01-22 Thread Erik Norgaard
kalin m wrote: tcp_in = "{ www, https }" ftp_in = "{ ftp }" udp = "{ domain, ntp }" ping = "echoreq" set skip on lo scrub in antispoof for eth0 inet block in all pass out all keep state pass proto udp to any port $udp pass inet proto icmp all icmp-type $ping keep state pass in inet proto tcp t

Re: pf rules

2010-01-22 Thread Dánielisz László
hi kalin, my question is: are you telnet-ing to/from/through this machine with the specified pf rules? From: kalin m To: freebsd-questions@freebsd.org Sent: Fri, January 22, 2010 8:12:00 AM Subject: pf rules hi all... doing testing with pf... how is it pos

Re: PF rules evaluation

2008-08-28 Thread Michael Lednev
Jay Chandler wrote: Michael Lednev wrote: Hello. Is there some tool to test rules-file for PF with arbitrary packets without need for real traffic? Yes. It's called netcat (nc on most systems). Very funny. It will create "real traffic" which I want to avoid.

Re: PF rules evaluation

2008-08-28 Thread Jay Chandler
Michael Lednev wrote: Hello. Is there some tool to test rules-file for PF with arbitrary packets without need for real traffic? Yes. It's called netcat (nc on most systems). -- Jay Chandler / KB1JWQ Living Legend / Systems Exorcist Today's Excuse: Second-system effect

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Giorgos Keramidas
On 2005-05-10 07:19, Fafa Hafiz Krantz <[EMAIL PROTECTED]> wrote: > "Giorgos Keramidas" <[EMAIL PROTECTED]> wrote: > > Show us the output of: > > > > # pfctl -sr > > > > [snip ruleset] > > Hello! > > # pfctl -sr > > scrub in all fragment reassemble > block drop log all > pass quick on lo0 all >

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Fafa Hafiz Krantz
> The rules I suggested are so that external machines can talk to your DNS > server (querying about the domain it is authoritative for), and so that > responses can get back to those machines. > > Your nameserver, however, may also be trying to get requests out. When > it does this, by default, i

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Fafa Hafiz Krantz
- Original Message - From: "Giorgos Keramidas" <[EMAIL PROTECTED]> To: "Fafa Hafiz Krantz" <[EMAIL PROTECTED]>, "Jan Grant" <[EMAIL PROTECTED]> Subject: Re: PF RULES! But mine doesn't ... Date: Tue, 10 May 2005 13:50:27 +0300 > &g

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Giorgos Keramidas
On 2005-05-10 05:09, Fafa Hafiz Krantz <[EMAIL PROTECTED]> wrote: >> It's a question of letting DNS traffic _in_ to your nameserver: >> >> pass in on $ext_if inet proto { tcp, udp } \ >> from any to ($ext_if) port 53 >> >> ^^^ that lets the traffic in >> >> pass out on $ext_if inet proto {

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Jan Grant
On Tue, 10 May 2005, Fafa Hafiz Krantz wrote: > Ok, after having added that it seems that my DNS works. > The same goes for my WWW and mail server. > > SSH servers are all OK to connect to. > > I have to wait like 5 minutes after booting my computer > before I can connect to those certain FTP si

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Fafa Hafiz Krantz
> It's a question of letting DNS traffic _in_ to your nameserver: > > pass in on $ext_if inet proto { tcp, udp } \ > from any to ($ext_if) port 53 > > ^^^ that lets the traffic in > > pass out on $ext_if inet proto { tcp, udp } \ > from ($ext_if) port 53 to any > > ^^^ and that

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Fafa Hafiz Krantz
Correction: Unless I COMMENT the default deny policy nothing seems to work. -- Fafa Hafiz Krantz Research Designer @ http://www.home.no/barbershop Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf -- ___ Sign-up for Ads

Re: PF RULES! But mine doesn't ...

2005-05-10 Thread Fafa Hafiz Krantz
> It's a question of letting DNS traffic _in_ to your nameserver: > > pass in on $ext_if inet proto { tcp, udp } \ > from any to ($ext_if) port 53 > > ^^^ that lets the traffic in > > pass out on $ext_if inet proto { tcp, udp } \ > from ($ext_if) port 53 to any > > ^^^ and that
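
The two port-53 rules Giorgos Keramidas gives above, placed in a complete default-deny ruleset, together with the third rule his later reply points at: the nameserver not only answers queries, it also sends its own. This is an added example, not a ruleset from the thread; the interface name fxp0 is an assumption. The inbound rule keeps state so that answers to TCP queries and zone transfers are matched by the state entry, and the rule for the server's own outbound lookups is stateful because its source port is not necessarily 53, so without state the replies would fall through to the block rule, which is the symptom described in the thread (everything works only once the default deny is commented out):

```pf
# Added example, not from the thread. Interface name is assumed.
ext_if = "fxp0"

set skip on lo0
scrub in on $ext_if all

# Default deny in both directions; everything below must explicitly pass.
block log all

# Queries from the outside to our nameserver ...
pass in  on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 53 \
    keep state
# ... and the answers it sends back (redundant for the stateful rule above,
# kept as the explicit "lets the traffic out" half of the pair).
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) port 53 to any

# Lookups the nameserver itself makes. Its source port is not fixed, so the
# reply to each query is admitted by the state entry, not by a pass in rule.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 \
    keep state

# Keep an administrative path open so a mistake here does not lock you out.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state
```

With this loaded, pfctl -ss lists the state entries, so a query the server sends out should appear as a udp state with the server's address and ephemeral port on one side and the remote port 53 on the other; if the lookup still fails and no such state exists, the packet never matched the stateful pass out rule and tcpdump -n -e -ttt -i pflog0 will show which rule dropped it instead.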

Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Robert Marella
Fafa Hafiz Krantz wrote: Perhaps you should check the archives. :) What do you mean? There are many archives out there ... Please tell me which one? Thanks! -- Fafa Hafiz Krantz Research Designer @ http://www.home.no/barbershop Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf Did

Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Robert Marella
Fafa Hafiz Krantz wrote: Hello. My ruleset is all twisted. Unless I disable the default deny policy, this is what happens: * My nameserver setup goes dysfunctional. * My web, mail and fileserver go dysfunctional. * I cannot SSH and FTP into certain servers. * I cannot ping my IP from the outs

Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Jan Grant
On Sun, 8 May 2005, Fafa Hafiz Krantz wrote: > Hello. > > My ruleset is all twisted. > Unless I disable the default deny policy, this is what happens: > > * My nameserver setup goes dysfunctional. > * My web, mail and fileserver go dysfunctional. > * I cannot SSH and FTP into certain server