On 2024-12-29 10:14, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
On 2024-12-24 08:27, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic
between it
and the ISP. Clients on 10.0.3.x should not be able to access the
othe
On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
On 2024-12-24 08:27, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict
traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Some notes:
- You wrote t
On 2024-12-24 08:27, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic
between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other s
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from y
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from your pf.conf:
> block out quick from $wired3 to { $wired1 $wire
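An added example, not the pf.conf discussed in this thread (which is only quoted in part above): a ruleset that leaves 10.0.3.0/24 with Internet access only. The interface names, the prefix list and the DHCP/DNS exception are assumptions. The point it makes is about rule placement. A `block out` on the other internal interfaces is the wrong place for the isolation rule: the `pass in` on the 10.0.3.x interface creates a state, pf's state policy is floating by default, and a packet that matches an existing state is never evaluated against the ruleset again, so the later `block out` is never consulted. The block has to sit inbound on the 10.0.3.x interface, ahead of the pass.

```pf
# Added example, not the ruleset from the thread. Interface names, the
# prefix list and the firewall-side services are assumptions.
ext_if = "em0"
wired1 = "em1"   # 10.0.1.0/24
wired2 = "em2"   # 10.0.2.0/24
wired3 = "em3"   # 10.0.3.0/24, Internet-only

# everything behind the firewall, including its own internal addresses
table <internal> const { 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }

set skip on lo0
match out on $ext_if inet from <internal> nat-to ($ext_if)
block log all

# Assumed: the firewall itself serves DHCP and DNS to the isolated
# segment. DHCP discovery comes from 0.0.0.0, so it cannot be matched
# on the source prefix. Drop these two rules if not needed.
pass in quick on $wired3 proto udp from any port bootpc to any port bootps
pass in quick on $wired3 proto { tcp udp } from $wired3:network to $wired3 port domain

# The isolation rule, inbound on $wired3 and ahead of the pass below.
# Written as "block out on $wired1" it would never fire: the pass below
# creates a floating state that also matches the packet when it leaves
# on $wired1, and packets matching a state skip the ruleset entirely.
# Note that "from $wired3" would mean the interface's own address; the
# subnet is "$wired3:network" or an explicit prefix.
block in log quick on $wired3 from $wired3:network to <internal>

pass in on $wired3 inet from $wired3:network to any
pass in on { $wired1 $wired2 } inet from <internal> to any
pass out on { $wired1 $wired2 $ext_if } inet
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then have a 10.0.3.x host try to reach 10.0.1.x while watching `pfctl -ss`: no state for that pair should appear, and the block shows up on pflog0.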
On 2022-12-24 02:32, Philipp Buehler wrote:
On 22.12.2022 21:37, J Doe wrote:
set skip on lo0
. . .
antispoof quick for $ext_if
This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).
ciao
Hi Philipp,
T
On 22.12.2022 21:37, J Doe wrote:
set skip on lo0
. . .
antispoof quick for $ext_if
This one will be faster (a tad) if you do not plan for more
detailed filtering (and who does so on lo0 besides the
esoteric ones).
ciao
--
pb
On 13.12.2022 22:11, J Doe wrote:
set skip on !$ext_if
... with the idea that this skips all interfaces (virtual or
otherwise) _EXCEPT_ em0, which is the real Ethernet NIC that I want to
perform filtering on ?
Yes, but likely to need a space between ! and $.
ciao
--
pb
On 2022-12-13 01:23, Philipp Buehler wrote:
On 13.12.2022 06:02, J Doe wrote:
set skip on { lo0, vif* }
in pf.conf(5) the GRAMMAR shows:
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
So you could do "set skip on
On 13.12.2022 06:02, J Doe wrote:
set skip on { lo0, vif* }
in pf.conf(5) the GRAMMAR shows:
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}"
So you could do "set skip on { lo0 vif0 vif1 }" for explicit, or you
use inter
On Fri, 2021-07-23 at 08:21 +0200, Harald Dunkel wrote:
> Deutsche Telekom gives me a new /56 prefix for my internal net and
> a new /64 prefix for the external connection on every reboot of my
> modem. The old internal prefix is not routed anymore. Question is,
> how can I tell pf to use the new
On 12/28/14 15:35, Harald Dunkel wrote:
>
> That's cool. Where did you find this? Searching on openbsd.org
> for "_pf" revealed only
> http://www.openbsd.org/papers/ven05-henning/mgp00011.txt .
> This is surely something that should go to the man page or to
> the FAQs for pf.
>
PS: Another impor
On Sun, Dec 28, 2014 at 9:35 AM, Harald Dunkel wrote:
> On 12/28/14 13:51, Maxim Khitrov wrote:
>>
>> These tables are under the hidden "_pf" anchor:
>>
>> pfctl -a _pf -t extern -T show
>>
>
> That's cool. Where did you find this? Searching on openbsd.org
> for "_pf" revealed only
> http://www.op
On 12/28/14 13:51, Maxim Khitrov wrote:
>
> These tables are under the hidden "_pf" anchor:
>
> pfctl -a _pf -t extern -T show
>
That's cool. Where did you find this? Searching on openbsd.org
for "_pf" revealed only
http://www.openbsd.org/papers/ven05-henning/mgp00011.txt .
This is surely somet
On Sun, Dec 28, 2014 at 6:38 AM, Harald Dunkel wrote:
> Hi folks,
>
> pfctl can give me an extended list of tables showing interface
> group names, "self", etc. Sample:
>
> # pfctl -g -sT
> egress
> egress:0
> extern
> extern:network
> intern:network
gwes ohxer:
What is the recommended pf.conf to get symmetrical routing
for incoming and outgoing connections using a dual-homed
gateway and internal hosts with static IPs on both WANs?
I'm assuming "route-to" and "reply-to" are the correct
tools to use.
I've looked at the FAQ, g
David Hardy writes:
> no rdr on $cus inet proto tcp from to any port www
>
> we use a web cache, but want to exempt some clients from being transparently
> proxied to it.
the quick escape is likely just that - an appropriately placed pass
quick or match quick with the appropriate rdr-to, depend
--- David Hardy [Thu, Jul 15, 2010 at 12:09:07PM -0600]: ---
> I'm upgrading a obsd firewall/router to 4.7 from 4.2 and am having to make
> all kinds of changes, but one I can't figure out is why it's choking on:
>
> no rdr on $cus inet proto tcp from to any port www
>
> we use a web cache, but
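An added example, not the 4.2 ruleset being upgraded in this thread: the 4.7-style replacement for `no rdr`. Since OpenBSD 4.7 redirection is an option (`rdr-to`) on `pass` and `match` rules and the `no rdr` form is gone, so an exemption is expressed as a `pass quick` that ends evaluation before the redirecting rule is reached. The interface, the proxy port and the exempt client list are assumptions.

```pf
# Added example, not the thread's own configuration. $cus, the cache
# port and the exempt hosts are assumptions.
cus = "em1"
proxy_port = "3128"
table <noproxy> const { 192.0.2.10, 192.0.2.11 }   # clients that bypass the cache

# 4.2 syntax (no longer parses in 4.7):
#   no rdr on $cus inet proto tcp from <noproxy> to any port www
#   rdr on $cus inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Exempt clients first, with quick, so the redirecting rule below is
# never evaluated for them. Order matters: rules carrying rdr-to are
# walked top to bottom like any other rule.
pass in quick on $cus inet proto tcp from <noproxy> to any port www

# Everyone else on the segment goes to the local cache. The proxy is
# assumed to listen on 127.0.0.1, and lo0 is assumed to be skipped.
pass in on $cus inet proto tcp from $cus:network to any port www \
    rdr-to 127.0.0.1 port $proxy_port
```

`pfctl -nf /etc/pf.conf` confirms the file parses under the new grammar; `pfctl -sr` afterwards shows the exemption above the redirect. If the exempt set changes at runtime, `pfctl -t noproxy -T add` and `-T delete` update it without a reload, provided the table is not declared `const`.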
On Thu, 17 Sep 2009 10:20:37 +0200
Ivan Radovanovic wrote:
> Iqigo Ortiz de Urbina wrote:
> > You could also take a look at the match, tag and tagged keywords in
> > pf.conf.
> >
> > Additionally, you may require parsing your custom logs (pflogN
> > interfaces or binary logs in /var/log/) in or
Iqigo Ortiz de Urbina wrote:
You could also take a look at the match, tag and tagged keywords in pf.conf.
Additionally, you may require parsing your custom logs (pflogN interfaces or
binary logs in /var/log/) in order to populate your tables for use in the
main ruleset or anchors.
Have a nice
Iqigo Ortiz de Urbina wrote:
You could also take a look at the match, tag and tagged keywords in
pf.conf.
Additionally, you may require parsing your custom logs (pflogN
interfaces or binary logs in /var/log/) in order to populate your
tables for use in the main ruleset or anchors.
Have a n
Girish Venkatachalam wrote:
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovic wrote:
Thanks for your response. If I understand you correctly the pf kernel module
actually supports operating with tables based on positive conditions (ie not
only when rule is broken, but also when rule is true), and
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovic wrote:
> Thanks for your response. If I understand you correctly the pf kernel module
> actually supports operating with tables based on positive conditions (ie not
> only when rule is broken, but also when rule is true), and the way to define
> rules of
Girish Venkatachalam wrote:
Please read up on pf(4) anchors.
And also on connection overloads in pf.conf(5).
Stuff like max-conn-rate and so on.
You already said you know about pf(4) tables. You need to populate the tables
based on different criteria. I know that connection overload is one.
On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovic wrote:
> I am new into pf configuration and I am curious if it is possible to add
> some host into table in firewall rules if some conditions are met (not
> if they are broken). I was thinking about some way to prevent port
> scanning of machine and
Steve Welham wrote:
The block policy only applies to the "block" rule. In this case the icmp
unreachable is matching state since it is corresponding icmp traffic as
noted in the PF FAQ http://www.openbsd.org/faq/pf/filter.html#state
That indeed makes a lot of sense :)
Thank you both for your
> # tcpdump -n -i sis2 'icmp'
> 19:21:05.848459 wan_if.ip > external.host: icmp: echo request
> 19:21:05.868202 external.host > wan_if.ip: icmp: echo reply
> 19:21:05.868499 wan_if.ip > external.host: icmp: host wan_if.ip unreachable
>
> I was obviously expecting the first two lines but I assumed
On Thu, Feb 02, 2006 at 05:59:54PM -0500, Dave Feustel wrote:
> I found the solution in the pf faq: skip lo0.
> This rule is not mentioned in Artymiak's book
> which I had been reading. I will now read the
> complete pf faq to see what I have not been
> aware of.
You can also do ``set skip on lo'
On 1/14/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> I didn't spend to much time on this one, but I think the above should
> give you an idea as to how to go about it. Might work just as is if you
> add the ports you want to protect inside your LAN, or may need some
> minor changes, but it is su
Sebastian Rother wrote:
Hello everybody,
PF offers great OS detection which enables me to block all packets from
NMAP (OS: NMAP).
But I thought about another problem.
How can I drop the IP of an nmap-scanning computer into a table?
Such an overload-option (like for max-src-conn) would be very
On 12/29/05, Dave Feustel <[EMAIL PROTECTED]> wrote:
> On Thursday 29 December 2005 20:27, David Higgs wrote:
> > You're either the victim of a truncated display or lacking in
> > fundamental DNS knowledge.
>
> I definitely lack knowledge of DNS right now.
>
> > [EMAIL PROTECTED] host 5.191.160.66
On Thursday 29 December 2005 20:27, David Higgs wrote:
> You're either the victim of a truncated display or lacking in
> fundamental DNS knowledge.
I definitely lack knowledge of DNS right now.
> [EMAIL PROTECTED] host 5.191.160.66
> Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN)
> [EMAI
You're either the victim of a truncated display or lacking in
fundamental DNS knowledge.
[EMAIL PROTECTED] host 5.191.160.66
Host 66.160.191.5.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] host dedicated5.thehideout.net
Host dedicated5.thehideout.net not found: 3(NXDOMAIN)
[EMAIL PROTECTED
Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then
tag them for pf, see example here:
http://www.cymru.com/BGP/bogon-rs.html
/Pete
On 29 Dec 2005, at 18:32, eric wrote:
On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...
Has anyone on the list experience
On Thursday 29 December 2005 12:32, eric wrote:
> Re: pf question
I just noticed that it's 5.0.0.0/8, not 5.0.0.0/24.
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
from http://www.liquifried.com/docs/security/reservednets.html
"For security purposes, reserved addresses should be prevented from both
entering and leaving a network
(i.e. ingress and egress filtering). Ideally, this filtering will be
multi-layer in nature; at a minimum, this sort
of filterin
On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...
> Has anyone on the list experience with using pf to
> block ip addresses in the iana reserved ip address ranges list?
I don't think any of us have ever thought of that.
Oh wait..I may have... run this out of cron weekly
#!/bin/sh
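An added example, not eric's cron script (which is cut off above) and not the reservednets.html text: the pf side of reserved-range filtering in both directions. The interface name, the list file and its refresh command are assumptions. The thread's own 5.0.0.0/8 remark shows why the list must be refreshed rather than pasted once: that block was unallocated in 2005 and has since been assigned (to RIPE NCC, in 2010), so a stale list silently blocks legitimate networks.

```pf
# Added example, not the thread's own script. The list file, its origin
# and the interface name are assumptions.
ext_if = "em0"

# /etc/pf.bogons holds one prefix per line, produced by whatever fetches
# the current reserved/unallocated list. Refresh from cron and replace
# only the table contents, not the ruleset:
#   pfctl -t bogons -T replace -f /etc/pf.bogons
# "persist" keeps the table alive even if no rule references it.
table <bogons> persist file "/etc/pf.bogons"

# Ingress: reserved or unallocated sources cannot legitimately arrive
# from the ISP. Egress: nothing inside should talk to them either, which
# is the "entering and leaving" point quoted above. Logged, so a stale
# entry that starts blocking real traffic is visible on pflog0.
block in log quick on $ext_if from <bogons> to any
block out log quick on $ext_if from any to <bogons>

# antispoof covers the firewall's own directly connected networks; the
# table covers everything else.
antispoof log quick for $ext_if
```

Two checks before trusting the list: `pfctl -t bogons -T test <your own ISP-side address>` should not match, and any RFC 1918 or shared address space (100.64.0.0/10) entry must be compared against what the ISP actually hands out, since a carrier-grade NAT gateway address in the table would cut the uplink.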
Logical One wrote:
Thanks for the info and I have learned a bit from it, but not quite what
I'm after. I'm looking for how to direct traffic to a couple internal web
servers based on what IP alias of the external interface the traffic
connects to. For example:
Traffic connecting to xxx.xxx.xx
D] On Behalf Of
Daniel Ouellet
Sent: Sunday, December 18, 2005 12:16 AM
To: Logical One
Cc: misc@openbsd.org
Subject: Re: Pf question
Daniel Ouellet wrote:
> Logical One wrote:
>> Can someone give me
>> some idea of what RDR and PASS IN/OUT rules I'd need for just a
>> portio
Daniel Ouellet wrote:
Logical One wrote:
Can someone give me
some idea of what RDR and PASS IN/OUT rules I'd need for just a
portion of
this (say the web servers) and I can figure out the rest on my own?
Read here:
http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or
http://www.bgne
Logical One wrote:
Can someone give me
some idea of what RDR and PASS IN/OUT rules I'd need for just a portion of
this (say the web servers) and I can figure out the rest on my own?
Read here:
http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or
http://www.bgnett.no/~peter/pf/en/ in h
# Redirect all kinds of obnoxious traffic to localhost port 24
rdr on { $ext_if1 , $ext_if2 } inet proto tcp from any to any \
port { 445, 135, 139, 5554, 5000, 1434, 15118 } -> 127.0.0.1 port 24
## First Rule
block in quick from label "Bad Hosts"
# Trap
pass in log quick inet proto t
> --On 26 June 2005 15:27 +0200, [EMAIL PROTECTED] wrote:
>
>> Is there any spamtrap-like Mechanism for the pf?
>> E.g. more skilled "badguys" don't use `nmap -sS &target`.
>> Such guys will limit their scans to just a few ports (3-6).
>
> Since this type of scan typically won't complete a 3-way ha
On Sun, Jun 26, 2005 at 03:27:01PM +0200, [EMAIL PROTECTED] wrote:
> I've a question related to PF.
>
> SpamD provides a trap. If somebody sends e-Mail to a e.g. special
> mailadress this host will be added to a list.
>
> Is there any spamtrap-like Mechanism for the pf?
> E.g. more skilled "badgu
--On 26 June 2005 15:27 +0200, [EMAIL PROTECTED] wrote:
Is there any spamtrap-like Mechanism for the pf?
E.g. more skilled "badguys" don't use `nmap -sS &target`.
Such guys will limit their scans to just a few ports (3-6).
Since this type of scan typically won't complete a 3-way handshake,
th
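An added example, not code from any of the messages above, serving three of the threads listed here: the question about adding hosts to a table when a condition is met rather than broken, the request to drop a scanner's address into a table, and the spamtrap-style question about scans that never complete a handshake. The interface, the service ports and the trap ports are assumptions; the table is filled by pf itself through `overload`.

```pf
# Added example, not from the thread. Interface and ports are assumed;
# <scanners> is populated by pf, not by hand.
ext_if = "em0"
services = "{ ssh, www, https }"
trap_ports = "{ 445, 135, 139, 1433, 3389 }"   # nothing legitimate listens here

table <scanners> persist

set skip on lo0
block log all

# Anyone already trapped is dropped before any state-creating rule runs.
block in quick on $ext_if from <scanners>

# SYNs whose fingerprint matches the NMAP signatures shipped in pf.os(5)
# never get further. Signatures are matched on the initial SYN only and
# track the nmap versions they were written for, so this is a bonus,
# not the primary control.
block in quick on $ext_if proto tcp from any os "NMAP"

# The trap: a pass rule on ports nobody should contact. State is created
# on the first SYN, and max-src-conn-rate counts state creations, so a
# half-open SYN scan still trips it. max-src-conn would not, since it
# counts only completed handshakes. Three trap hits within 60 seconds
# put the source into <scanners>; "flush global" also tears down every
# other state that source already holds, including to real services.
pass in on $ext_if proto tcp from any to ($ext_if) port $trap_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <scanners> flush global)

# Real services, with a looser rate limit against brute force.
pass in on $ext_if proto tcp from any to ($ext_if) port $services \
    flags S/SA keep state \
    (max-src-conn-rate 30/10, overload <scanners> flush global)
```

`pfctl -t scanners -T show` lists what has been caught, and a cron entry running `pfctl -t scanners -T expire 86400` drops entries older than a day so a single scan from a shared address does not become a permanent block. Retransmitted SYNs for the same connection match the existing state and are not counted again, which is what keeps a flaky legitimate client from tripping the trap on one port.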
45 matches