On Fri, May 2, 2008 at 7:35 AM, B A <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I have a question about PF.
>
> I have just found interesting behavior of PF.
>
> For example if I fix source port and run from my PC:
>
> echo 'aaa' | nc -p www.my.rerver 80
>
> I got a response.
>
On Thu, Apr 10, 2008 at 1:29 AM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> The new 4.3 CD set has just arrived here in Zurich, Switzerland! I've
> put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
> looking very cool yet again ;)
>
Artwork looks great!
Are those t
On Feb 20, 2008 10:51 AM, Ryan Corder <[EMAIL PROTECTED]> wrote:
>
> On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
> | I would like to see what you'd suggest as a log analyzer tool(s) on a
> | centralized log server running syslog-ng.
> |
> | I also need to use a specific tool as PF log
On Feb 19, 2008 8:42 PM, Steve B <[EMAIL PROTECTED]> wrote:
> My employer has given me some free colo space and I thought I would take
> advantage of it to do remote system logging. Those of you here who are doing
> it, could you comment on whether you are using Syslog-NG or something else,
> and w
On Dec 25, 2007 10:54 AM, Daniel <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I'm having this problem:
>
> # pfctl -sr |fgrep ftp
> [...]
> pass out on rl0 inet proto tcp from to <__automatic_39c048b4_0>
> port = ftp flags S/SA keep state
>
> What is that automatic stuff?
It's a table identifier. The op
On Dec 19, 2007 8:25 PM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> On Dec 19, 2007 7:53 PM, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> > On Dec 19, 2007 10:26 AM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> > > I've seen this problem intermittently before.
On Dec 19, 2007 10:26 AM, Nick Guenther <[EMAIL PROTECTED]> wrote:
> I've seen this problem intermittently before. Every once in a while,
> this happens (the adapter it happens on doesn't matter):
>
> # dhclient de0
> DHCPREQUEST on de0 to 255.255.255.255 port 67
> DHCPREQUEST on de0 to 255.255.255
On 6/13/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
On 2007/06/13 02:00, Kian Mohageri wrote:
> Is my best option to kill syslogd from rc.local or manually edit /etc/rc?
How about leaving them both running, and binding syslog-ng to just
the relevant IP address?
Thank you al
Hello,
I was setting up a central logserver this afternoon and some of the
functionality I need wasn't in the stock syslogd(8), so I chose to use
syslog-ng.
I noticed that you cannot specify syslogd=NO or syslogd_flags=NO to
disable it (in rc.conf.local), and I was mostly curious why.
I'm sure
On 6/6/07, Robert Warning <[EMAIL PROTECTED]> wrote:
Hello everybody,
I've been getting some strange errors with this dual port nic. My
system is a dual core AMD64 system running 4.1-stable with
multiprocessor support enabled. The chipset of the card is 82571EB.
This problem also occurs w
On 6/2/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
The c2k7 hackathon is over, with roughly 50 developers attending the
event for 10 days in Calgary.
So many projects were started or finished, it is basically impossible
for me to describe all the projects.
Hope you guys out there enjoy the cha
Henning Brauer wrote:
> * Chris Smith <[EMAIL PROTECTED]> [2007-04-25 00:42]:
>> Using OpenBSD as a firewall in several cases - a few small businesses, and
>> also for home use. Some websites, such as grc.com, stress that "stealth mode"
>> (which OpenBSD handles with ease) is the safest. But
On 4/24/07, Lars Hansson <[EMAIL PROTECTED]> wrote:
>
> Kian Mohageri wrote:
> > I could argue either way, but my preference is 'block drop' most of the
> > time.
>
> Hopefully "most of the time" does not include ICMP.
>
>
It doesn't.
--
Kian Mohageri
ut
I see no reason a host should receive any response at all when it is trying
to talk to a host that doesn't exist or a port that isn't actually listening.
Much of that activity is simply host/port scanning.
I could argue either way, but my preference is 'block drop' most of the
time.
--
Kian Mohageri
On 4/20/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
>
> "Allie D." <[EMAIL PROTECTED]> writes:
>
> > YES! It's on its way!!
>
> got mine on wednesday :)
>
Mine arrived in Seattle, Washington yesterday (4/20).
Looks great! So psyched about the stickers...
--
Kian Mohageri
't heard Roundcube mentioned yet. We use it, and
it's at least pretty enough. Requires a database, unfortunately, but it
works with LDAP and our staff like it.
http://roundcube.net/
--
Kian Mohageri
> bottleneck?
>
> It depends on the rate of the states changes.
> Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!)
On our college campus with 50Mbps, we see ~8Mbps pfsync traffic.
Your ratio amazes me... What type of environment is that in?
--
Kian Mohageri
necessary with pf.
http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/ipfw/change_rules.sh?annotate=1.2.2.5
--
Kian Mohageri
ly don't.
That said,
http://www.openbsd.org/faq/faq5.html#Options
--
Kian Mohageri
${host}:/etc/pf.conf; done
--
Kian Mohageri
On 3/16/07, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
>
>
> On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
>
> > Yeah. Expectations aside, being condescending is never warranted.
>
> We've all spent more time on this than it's worth, but I would
> appreci
ere was a reason
it wasn't sent to security-announce@ instead of misc@, rather than saying
"This is terrible handling of a bug" after it was fixed almost immediately.
Seems some people spend very little time thanking the developers for the
immediate fix and instead go straight to suggestions on how to handle their
project better.
--
Kian Mohageri
atching mailing lists isn't enough, and this was
announced very early on the ERRATA page.
Do something for yourself.
--
Kian Mohageri
On 3/12/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
>
> Have you got yours yet?!
Just ordered the CD set and a poster myself!
--
Kian Mohageri
ep state
Last matching rule wins so the second example won't do what you're
expecting.
http://www.openbsd.org/faq/pf/filter.html
Also, try to use "flags S/SA" on all of your stateful TCP rules unless you
have a good reason not to.
--
Kian Mohageri
e will soon be the default behavior in pf...that says something
about it.
Also see the three articles Daniel Hartmeier wrote:
http://undeadly.org/cgi?action=article&sid=20060927091645
--
Kian Mohageri
t created a few thousand states and
I ended up putting in some rules to deal with it. Check your state table
for patterns...e.g. recurring ports, addresses with unreasonable numbers of
states, a lot of connections to port 2967 outside of your network, etc.
--
Kian Mohageri
s (as opposed to
actual network file shares). Your comment about "make-backup-before-change"
is somewhat frightening though :) If you don't have one already, you should
set up a system that does daily+ backups, depending on how often things
change.
--
Kian Mohageri
On 11/15/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/11/15 09:25, Kian Mohageri wrote:
> > On 11/14/06, Brian Keefer <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > FWIW I was having very similar problems with em(4) in OpenBSD 4.0
nough to bring VMware to its knees and totally swamp my cheap
> switch.
>
The same card too?
--
Kian Mohageri
ou'll probably notice the same thing I did (OACTIVE in the output of
ifconfig). I couldn't find any patterns though, unfortunately. I know
there were some related changes in 4.0 though, so I'm hoping that fixes it.
--
Kian Mohageri
>
>
I have a Thinkpad T43 running an OpenBSD snapshot at the moment. I dual
boot FreeBSD and OpenBSD on it.
I haven't run into any problems with basic functionality but I haven't tried
out much in the way of power management.
--
Kian Mohageri
ll ssh "limited") version of rexec/rsh. The way you
authenticate is obscured a bit, but not secured.
A neat project, I'll give you that. But I don't recommend it on a
production server.
--
Kian Mohageri
reset)
Do you have any firewalling going on between these machines?
--
Kian Mohageri
l is well,
> but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach
> the client.
Where is your DHCP server? Where is the DHCPOFFER being lost? Have you
sniffed on interface between the firewalls and DHCP server? The client and
firewalls?
--
Kian Mohageri
es on PF by Daniel Hartmeier (OpenBSD developer). I
found them to be very clear and concise and I'm pretty sure his explanations
will help you out.
http://www.undeadly.org
--
Kian Mohageri
On 10/12/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:
>
> I am facing problems using hfsc with PF.
> Do you see anything wrong with this? Is there a bug in this?
I don't mean to be rude but you *really* need to start learning how to look
into these things by yourself. It will help you out
On 10/10/06, chefren <[EMAIL PROTECTED]> wrote:
>
>
>
> On 10/10/06 4:46 AM, Kian Mohageri wrote:
> > On 10/9/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> >
> >> I guess you didn't understand; OpenBSD does not exist for you or me, it
> >>
On 10/9/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > Asking for code submission if you want feature x or y doesn't really
> > float my boat. I only do some high level programming and I know nothing
> > about kernel internals.
>
> I guess you didn't understand; OpenBSD does not exist for you or
On 10/6/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
>
> I've just committed code based on a suggestion made by Daniel Hartmeier
> to make flags S/SA keep state the default for rules.
Very cool. Thank you.
On 10/5/06, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
>
>
> The structure of the OpenBSD project suggests that this project
> might be able to resist better than others. It is no company.
> It is no charity. It is not so small that it needs to grasp at
> every straw to survive. It is not so large
On 9/21/06, Greg Thomas <[EMAIL PROTECTED]> wrote:
>
> On 9/21/06, Spruell, Darren-Perot <[EMAIL PROTECTED]> wrote:
> > http://www.openbsd.org/40.html
> >
> > Every time I go through the release notes I can't help but squirm with
> > happiness in my seat.
> >
> > The progress is always impressive a
On 9/13/06, Monah Baki <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Yesterday I just received 8 public IP addresses from my ISP. I'm running
> ppp on my OpenBSD 3.9 server (DSL).
> My xl0 has the public IP address (67.100.x.x) provided to me by my ISP, my
> xl1 interface is my 192.168.3.1
> Once I ru
On 9/12/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
>
> While reading the VPN(8) manual page, I could not figure out in what
> interface context the following line applies:
>
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp fr
> On CARP'd machines, it can be kinda handy, make a quick change on the
> primary, test it, if it works, run the script. If it doesn't, you can
> easily revert it by simply running the script on the standby machine.
>
> Nick.
>
>
Ah...that is a pretty cool idea. I was more curious about dynamical
Hello,
I was just curious if any of you sync pf tables between hosts, and how you
do it. I know it may be considered abusing tables, but in our setup, we
hold a list of registered clients within tables (which are updated
dynamically by scripts). We also use carp (and soon pfsync) for failover.
O
On 8/17/06, Alastair Johnson <[EMAIL PROTECTED]> wrote:
>
> I have 2 OpenBSD 4.0beta firewalls arranged in a CARP
> failover configuration with PFsync.
>
> It seems to work very well for everything except NFS.
> My ssh, remote desktop and telnet connections seem to
> survive a failover very nicely.
On 8/7/06, J Moore <[EMAIL PROTECTED]> wrote:
>
> On Mon, Aug 07, 2006 at 10:51:02PM -0700, the unit calling itself Kian
> Mohageri wrote:
> > >
> > >B14xVu: Undefined variable.
> > >
> > >where "B14xVu" is a fragment of the password. Th
> B14xVu: Undefined variable.
>
> where "B14xVu" is a fragment of the password. The full password was:
> V$B14xVu
>
> I tried this on other user/password combinations, and got reasonable
> results. But the "$" char seems to cause a problem consistently. In all
> other cases, the result was either:
On 7/31/06, Tim Pushor <[EMAIL PROTECTED]> wrote:
>
> Sorry to bump this thread, but I'd really like to know how to
> troubleshoot something like this.
I'd suggest tcpdump'ing at the point when the connection fails, on the
pflog(4) interface of both machines, especially the backup which is
appar
> Wouldn't this do the trick?
>
> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>
> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"
Yes, but why are you asking if you already have the answer? As stated in
the man page, your traffic will also nee
Change 'syncif' to 'syncdev' in your hostname.pfsync files.
Also, out of curiosity, why are there two CARP addresses between the
workstation and firewalls?
Kian
On 9/20/06, Tim Pushor <[EMAIL PROTECTED]> wrote:
>
> Hi friends,
>
> I am trying to setup my first firewall w/failover via carp & pfsy
http://www.roundcube.net/
It is pretty new still, but I replaced SquirrelMail with it because
SquirrelMail is terrible. People seemed to like the change. Very simple to
configure, and it's pretty.
-Kian
On 7/19/06, Bachman Kharazmi <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED]:~/ > pkg_info
On 7/14/06, Jason Dixon <[EMAIL PROTECTED]> wrote:
>
> We have an OpenBSD 3.8 firewall that has been in production for the
> last six months. Until the last week or two, everything has been
> great. Recently while diagnosing a problem with the bonded T1 pair,
> I noticed the following error while
On 7/10/06, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
>
> I'm using an OpenBSD 3.9 server and a FreeBSD 6.1 server on either end
> of a firewall to test throughput and max open connections of the
> firewall. I tested throughput with netstrain(d) but I'm unsure how to
> test the max open connections,
I have been experiencing an issue lately where the internal NIC of our
firewall stops passing traffic until the interface is manually restarted (or
machine rebooted). This happens to whichever machine is MASTER of the
carp(4) group, but seems to only ever happen to the internal interface
though bo
Maybe you're really looking for something like spamd:
http://www.openbsd.org/spamd/
Much more effective than a trap e-mail address in my opinion?
Kian
On 6/1/06, Mike Spenard <[EMAIL PROTECTED]> wrote:
>
> What are some thoughts on purposely getting a spam trap email
> address acquired by spamm
> # DMZ Host
> rdr on $red_if proto tcp from any to any port $dmz_ports -> $dmz_host
This doesn't look right. If you redirect all connections on those ports to
the DMZ host, how do you expect your router to receive replies to those
unprivileged ($dmz_ports) ports for stuff like web browsing?
ents where they install files directly to
${LOCALBASE}
--
Kian Mohageri
ResTek, Western Washington University
[EMAIL PROTECTED]
Sorry - never mind. I cracked open my case after I got home to verify,
and I'm using a v4. v5 must be really new then, because I bought this
just a few weeks ago.
Kian
Kian Mohageri wrote:
Maybe someone on the mailing list can provide me with an answer to:
1. Can v5 of the card be
1, address
00:16:b6:57:1e:59
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
Hope that helps.
--
Kian Mohageri
Western Washington University