On 2025-01-29, louise9...@gmail.com wrote:
> I have IGMP Snooping enabled on both my access points and my switch. Should I
> disable them or keep them enabled?
IGMP snooping is to reduce the forwarding of multicast frames by
listening to group membership requests and _only_ forwarding mcast
to
I have IGMP Snooping enabled on both my access points and my switch. Should I
disable them or keep them enabled?
Thank you,
Lewis Ingraham
On Sat, Jan 25, 2025 at 10:15:59PM -0800, louise9...@gmail.com wrote:
> Hi thank you for answering! Thanks to your advice I was able to get
> airplay working successfully! However SSDP discovery on the Roku app
> doesn’t seem to be working despite me having enabled it as well as
> communication fro
Hi thank you for answering! Thanks to your advice I was able to get airplay
working successfully! However SSDP discovery on the Roku app doesn’t seem to be
working despite me having enabled it as well as communication from the networks
on the needed ports for the Rokus to be recognized in the Ro
louise9...@gmail.com wrote:
> Hi I have a firewall that I’m trying to get working with mdns across
> different vlans. Chrome on the main network (ix0:network) doesn’t even pick up
> the chromecast and I have tried to allow MDNS as well as setting up openmdns
> but it still doesn’t work. On the I
I was able to configure /32 for ipv4.
In the example below, I use vlan10 and a private address for testing.
Each host is separated using PVLAN.
On the OpenBSD (router) side, I just do
ifconfig vlan10 inet 172.16.216.1/32
route add -inet 172.16.216.0/24 -llinfo -link -static -iface vlan10
On
On Sat, Sep 28, 2024 at 01:24:46PM -, Stuart Henderson wrote:
> On 2024-09-28, Nicolas Goy wrote:
> > On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
> >>
> >> using a /32 on each host with a single shared gateway ip for the
> >> subnet should work too. the config on the protected hos
On 2024-09-28, Nicolas Goy wrote:
> On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
>>
>> using a /32 on each host with a single shared gateway ip for the
>> subnet should work too. the config on the protected host side sounded
>> fiddly though, especially if you have multiple hosts on pr
On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
>
> we have done this with PVLAN at work. the firewalls are set up with
> promisc ports on the network, and the hosts are all on isolated ports.
> we use a normal subnet on this network, ie, we allocate a /25 (or /24,
> whatever) and set up c
On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.
cool.
> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have a single ip for ipv4, and a
On Thu, Sep 26, 2024 at 09:44:41PM +0200, Nicolas Goy wrote:
> I might not have been clear enough, the 1.0.0.0/24 example is a public /24
> routable network, not a 10.0.0.0/8 network.
>
> What I want is to be able to use as much as this network as possible (here 2
> ip
> per host) and allow firew
On 9/26/24 15:44, Nicolas Goy wrote:
[trimmed]
I might not have been clear enough, the 1.0.0.0/24 example is a public /24
routable network, not a 10.0.0.0/8 network.
What I want is to be able to use as much as this network as possible (here 2 ip
per host) and allow firewall rules between hosts.
On Thu Sep 26, 2024 at 8:57 PM CEST, Peter N. M. Hansteen wrote:
> On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> > Hello,
> >
> > I want to use OpenBSD as firewall for a configuration where every host is
> > isolated.
> >
> > For example, let's say I have 1.0.0.0/24 subnet and 2
On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.
>
> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have a single ip for ipv4, and a /64
May I suggest relaying these more basic questions to @rookies mail-list? I
think it would be great if we could have this channel reactivated,
dedicated to helping folks like Karel learn how to navigate more basic stuff,
and keep misc@ for intermediate / advanced users' inquiries.
On Wed, 17 Apr 2024 a
On 4/16/24 10:27 AM, Karel Lucas wrote:
First and most importantly, I would like to apologize to anyone who was
disturbed by my conversation. It is not my intention to offend people. I
may be curt, but that's not because it's in my character. In daily life
I work with electronics and computer
This is my dmesg, if anyone is interested:
OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scs
First and most importantly, I would like to apologize to anyone who was
disturbed by my conversation. It is not my intention to offend people. I
may be curt, but that's not because it's in my character. In daily life
I work with electronics and computers and am much less familiar with
networks.
On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
>
> Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc
I give up.
The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.
For reasons unknown these three are joined in a thre
On 2024-04-15, Karel Lucas wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip
> igc2 up
bridging with PF is an advanced topic, please get familiar with PF on a standard
routed firewall first
--
Please keep replies on the mailing list.
On 15-04-2024 at 22:20 Peter N. M. Hansteen wrote:
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
That's a possibility I hadn't thought of yet. But how do I do that, and
on which page can I find that in your book?
On 15-04-2024 at 22:17 Peter N. M. Hansteen wrote:
The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to ma
On 14-04-2024 at 21:57 Jens Kaiser wrote:
Hello Karel,
if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are sy
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specificat
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error when booting.
>
> On 14-04-2024 at 17:45 Zé Loff wrote:
> > pass in on $int_if proto udp to port 53
> > pass in on $int_if proto udp to $nameservers port 53
You're not giving us a lot to work wi
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification
On 14-04-2024 at 19:59 Peter N. M. Hansteen wrote:
On Sun, Ap
They both give a syntax error when booting.
On 14-04-2024 at 17:45 Zé Loff wrote:
pass in on $int_if proto udp to port 53
pass in on $int_if proto udp to $nameservers port 53
I'm a long time network engineer/firewall admin/make things work on our network
when it is broken.
First, ICMP Echo Request ( "ping" ) works, you proved that when you sent an
Echo Request to a host using its IP address. The fact that DNS host
resolution fails has nothing to do with ICMP Echo
> On Apr 14, 2024, at 08:09, Karel Lucas wrote:
>
> Hi all,
Hi.
> So let's start simple and then proceed step by step. I want to continue with
> ping so that I can test the connection to the internet. This works: ping -c
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. A
Hello Karel,
if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loade
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the inter
There is a typo on the second line of the martians definition (spurious comma
and space).
Michael
> On Apr 14, 2024, at 11:09, Karel Lucas wrote:
>
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is
> appreciated. So let's start simple and then procee
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the inter
Hi,
Please keep this on the list.
On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between
> vlans/networks as I’m trying t
Hi John, I have enabled forwarding in my sysctl.conf.
Thank you,
Lewis Ingraham
> On Nov 17, 2023, at 8:52 AM, Lewis Ingraham wrote:
>
>
> Hello I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet w
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (
On 11/17/2023 9:52 AM, Lewis Ingraham wrote:
Hello I am trying to configure OpenBSD as a firewall but I can't get it to
ping outside the firewall and subsequently unable to reach the internet
with devices behind the firewall. I tried changing my pf.conf to match the
FAQ (as best as i could) and s
Is PF blocking anything?
tcpdump -neipflog0 -vv
Are Comcast one of those ISPs that only route your prefix if you've
requested it via DHCPv6-PD?
>
Hi,
Have you tested your configuration without any firewall?
--
alarig
On 2015-11-10, sven falempin wrote:
> Ok , I agree, and thank you for the accurate answer.
>
>
> OTOH the server was rejecting all the other requests, (I do not think it
> was badly configured)
> and it ended up rejecting the good one also (after a long time of use)
> I first looked in nsd manpage
Ok , I agree, and thank you for the accurate answer.
OTOH the server was rejecting all the other requests, (I do not think it
was badly configured)
and it ended up rejecting the good one also (after a long time of use)
I first looked in nsd manpages to see if I could figure out why and found nothing
On 11/09/15 16:45, sven falempin wrote:
> For the first time ever I did something with iptables
> that I don't know how to do (simply) with
> pf.
> Something I think is useful.
>
> I have a domain server, nsd, it serves whatever.com,
Authoritative server, then.
> the server is like flooded wit
Thank you Pedro for
http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/dnsfilter-0.4p0.tgz
I am not sure this is as good as it could be, according to the mail there
is room for improvement.
Worth a test, and it's better to improve than to add up yet another small
program,
I wonder how good i
Hi,
I guess one could use pf's divert-to and dnsfilter.
http://marc.info/?l=openbsd-misc&m=134187877220567&w=2
Regards,
Pedro Caetano
On Mon, Nov 9, 2015 at 9:45 PM, sven falempin
wrote:
> For the first time ever I did something with iptables
> that I don't know how to do (simply) with
> pf.
>
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello
wrote:
> If someone successfully attacks the firmware on any of your network cards,
> you are screwed no matter what. Any modern network card is going to have the
> ability to issue DMAs and can easily root your entire system.
>
(Somewhat of a r
Joseph Crivello [josephcrive...@gmail.com] wrote:
> If someone successfully attacks the firmware on any of your network cards,
> you are screwed no matter what. Any modern network card is going to have the
> ability to issue DMAs and can easily root your entire system.
If you are running OpenBSD
On Mon, Jul 27, 2015 at 11:10 AM, Quartz wrote:
>> These days you have "bypass" features in hardware that allow packets
>> to flow from one interface to another even if the firewall is turned
>> off.
>
> Can you elaborate on this?
Search for "intel nic bypass mode" and you'll find lots of details
On 2015-07-27, Quartz wrote:
> This is a little off-topic, but I should clarify that although this
> device's primary purpose is a firewall+router, it also has to provide a
> handful of other network related services that set a few requirements
> vis a vis hardware.
Depends what they are, but
These days you have "bypass" features in hardware that allow packets
to flow from one interface to another even if the firewall is turned
off.
Can you elaborate on this?
Also, that brings up another point wrt motherboards with multiple jacks;
are BIOS attacks something to worry about?
Havi
On 27-07-2015 09:13, Kimmo Paasiala wrote:
> It's next to impossible to identify the make and
> model of the NIC that holds an IP address
With IPv6 and poor configuration, a remote attacker already has that
information. MAC addresses reveal a lot of information about a NIC.
Cheers,
Giancarlo Razz
Though, of course, if you have been actively developing your system,
or if you have already been subject to other root attempts, a root
attempt runs a significant risk of crashing it.
(And if you have been developing a lot, there's a decent chance you'll
have already crashed it so many times that
If someone successfully attacks the firmware on any of your network cards, you
are screwed no matter what. Any modern network card is going to have the
ability to issue DMAs and can easily root your entire system.
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber
wrote:
> On 2015-07-27, Quartz wrote:
>
>> Some years ago I remember reading that when using OpenBSD (or any OS,
>> really) as a router+firewall it was considered inadvisable from a
>> security standpoint to have the different networks all att
It is certainly possible theoretically but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC, CARP and other
On Mon, Jul 27, 2015 at 12:46 PM, Quartz wrote:
> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a security
> standpoint to have the different networks all attached to a single network
> card with multiple eth
turning out rather difficult to find a case that's small enough to fit. I'd
really like to use an itx system with multiple onboard ethernet jacks and
cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
A Lanner FW7525 or even an Alix APU don't seem to be much larger...
On 2015-07-27, Quartz wrote:
> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a
> security standpoint to have the different networks all attached to a
> single network card with multiple ethernet ports. Th
2015-07-27 11:46 GMT+02:00 Quartz :
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
A Lanner FW7525 or even an Al
Hi Hrvoje,
netstat -i shows nothing special.
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colls
lo0 33152 91235 0 91235 0 0
lo0 33152 localhost/1 localhost 91235 0 91235 0 0
lo0 33152 fe80:
On 4.11.2014. 21:48, jum...@yahoo.de wrote:
> Hi Remi,
>
> Thanks for your answer.
>
> netstat -m is ok, see.
>
> 203 mbufs in use:
> 193 mbufs allocated to data
> 2 mbufs allocated to packet headers
> 8 mbufs allocated to socket names and addresses
> 190/658/6144 mbuf 2048 byte clusters in use (
Hi Remi,
Thanks for your answer.
netstat -m is ok, see.
203 mbufs in use:
193 mbufs allocated to data
2 mbufs allocated to packet headers
8 mbufs allocated to socket names and addresses
190/658/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (curren
On Tue, Oct 28, 2014 at 10:13:54PM +0100, jum...@yahoo.de wrote:
> Hi Andy,
>
> sorry for the delay, but a lot of more important work was between your mail
> and this answer ;).
>
> >You can set a simple prio on a rule like;
> >pass proto tcp from $left to $right set prio (1,4)
>
> With PRIQ I
Hi Andy,
sorry for the delay, but a lot of more important work was between your
mail and this answer ;).
You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)
With PRIQ I mean the scheduler priq instead of cbq.
Relevant lines of my current pf.conf ru
On 2014-10-09, Andy wrote:
> NB; This is the old syntax for queues and I strongly recommend reading
> the 3rd edition of "The book of PF" (A must read for *anyone* new or old
> to OpenBSD and PF) :) and using the new syntax
N.B. the "oldqueue" syntax goes away in 5.6, if you are writing a new
c
Hi,
Just so I understand what you have done, PRIQ is not the same as queuing.
You can set a simple prio on a rule like;
pass proto tcp from $left to $right set prio (1,4)
But this doesn't manage the situations where you have lots of different
types/profiles of traffic on your network.
For exam
Hi Andy,
This morning I have added Priority Queueing (PRIQ) to the ruleset and
prefer TCP ACK packets over everything else. I can see the queues with
systat queue but the change has no effect on the user experience nor the
throughput.
I have read something about adjusting TCP send and receive w
Hi Ville,
What I read on the Internet so far about states [1]: The memory counter
shows how often pf tries to insert a state but failed. The reason could be
a hard limit of state entries.
I watched the memory counter this afternoon and it didn't increase,
still at 8764.
pfctl -s memo
On 3 October 2014 11:11, Ville Valkonen wrote:
> On 2 October 2014 23:36, wrote:
>>> $ sysctl kern.netlivelocks
>> kern.netlivelocks=2
>>
>> What does this mean? I found something like a deadlock, when two processes
>> block each other, am I right?
>
> This is useful information especially under
On 2 October 2014 23:36, wrote:
>> $ sysctl kern.netlivelocks
> kern.netlivelocks=2
>
> What does this mean? I found something like a deadlock, when two processes
> block each other, am I right?
This is useful information especially under the load. I don't have the
source code available at the mo
Hi Ville,
$ pfctl -si
Status: Enabled for 597 days 07:40:45    Debug: err
Interface Stats for em0 IPv4 IPv6
Bytes In 30397895135138 4212405499
Bytes Out 358299989496464 64
Packets In
Passed
Hi Andy,
Setup some queues and prioritise your ACK's ;)
Good idea, I will try to implement a Priority Queueing with the old altq.
Best Regards,
Patrick
On Thu, 2 Oct 2014, Andy wrote:
Setup some queues and prioritise your ACK's ;)
The box is fine under the load I'm sure, but you'll still n
On 02-10-2014 17:30, System Administrator wrote:
> All these (otherwise valid) suggestions are useless until we know more
> about the specific firewall in question -- information best delivered
> in the form of dmesg, 'pfctl -si' output and other statistics as
> indicated in Ville's response below.
On 2 Oct 2014 at 18:15, Andy wrote:
> Setup some queues and prioritise your ACK's ;)
>
> The box is fine under the load I'm sure, but you'll still need to
> prioritise those TCP acknowledgments to make things snappy when lots of
> traffic is going on..
All these (otherwise valid) suggestions ar
Setup some queues and prioritise your ACK's ;)
The box is fine under the load I'm sure, but you'll still need to
prioritise those TCP acknowledgments to make things snappy when lots of
traffic is going on..
On 02/10/14 17:13, Ville Valkonen wrote:
Hello Patrick,
On 2 October 2014 17:32, Pa
Hello Patrick,
On 2 October 2014 17:32, Patrick wrote:
> Hi,
>
> I use an OpenBSD based firewall (version 5.2, I know I should upgrade but ...)
> between an 8 host cluster of Linux servers and 300 clients which will access
> this cluster via VNC. Each server is connected with one gigabit port to a
jum...@yahoo.de (Patrick), 2014.10.02 (Thu) 16:32 (CEST):
> Hi,
>
> I use an OpenBSD based firewall (version 5.2, I know I should upgrade
> but ...) between an 8 host cluster of Linux servers and 300 clients
> which will access this cluster via VNC. Each server is connected with
> one gigabit port to
On Wed, 09 Jul 2014 20:33:47 +0200,
Mxher wrote:
Hello,
> >> I'm doing few more tests and now I'm wondering if this is possible
> >> to disallow CARP to have some resources on serverA and others on
> >> serverB?
You can use ifstated to implement your own logic.
I have a pair of firewalls, th
First, thanks for trying to help!
On 09/07/2014 07:08, Remi Locherer wrote:
> On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
>> Hello again,
>>
>> I'm doing a few more tests and now I'm wondering if this is possible to
>> disallow CARP to have some resources on serverA and others on serve
On Mon, Jul 07, 2014 at 08:44:43PM +0200, Mxher wrote:
> Hello again,
>
> I'm doing a few more tests and now I'm wondering if this is possible to
> disallow CARP to have some resources on serverA and others on serverB?
Have you set the sysctl net.inet.carp.preempt=1?
>
> Here is my tests (advbase
Hello again,
I'm doing a few more tests and now I'm wondering if this is possible to
disallow CARP to have some resources on serverA and others on serverB?
Here are my tests (advbase=1 and advskew=0 for every interface on both
servers):
* Initial state
root@obsd1:~# ifconfig HA |grep status
On 06/07/2014 12:05, Otto Moerbeek wrote:
> On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
>
>> The sysctl for carp.preempt controls if they should all fail at the same
>> time.
>
> read carp(4). It contains answers to some questions asked.
>
> -Otto
>
>> Den 6 jul 2
On Sun, Jul 06, 2014 at 10:59:16AM +0200, Janne Johansson wrote:
> The sysctl for carp.preempt controls if they should all fail at the same
> time.
read carp(4). It contains answers to some questions asked.
-Otto
> On 6 Jul 2014 10:12 "Adam Thompson" wrote:
>
> > On July 6, 2014 2:51
The sysctl for carp.preempt controls if they should all fail at the same
time.
On 6 Jul 2014 10:12 "Adam Thompson" wrote:
> On July 6, 2014 2:51:03 AM CDT, Mxher wrote:
> >On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> >> On 05-07-2014 16:20, Mxher wrote:
> >>> 1) Can I group multiple
On July 6, 2014 2:51:03 AM CDT, Mxher wrote:
>On 06/07/2014 04:34, Giancarlo Razzolini wrote:
>> On 05-07-2014 16:20, Mxher wrote:
>>> 1) Can I group multiple virtual IPs to make them switch all at the
>same
>>> time using CARP ?
>> AFAIK, no. But you can use ifstated.
>I have to admit that
On 06/07/2014 04:34, Giancarlo Razzolini wrote:
> On 05-07-2014 16:20, Mxher wrote:
>> 1) Can I group multiple virtual IPs to make them switch all at the same
>> time using CARP ?
> AFAIK, no. But you can use ifstated.
I have to admit that I didn't know about ifstated; I will test it.
>> 2)
On 05/07/2014 22:37, sven falempin wrote:
>
> read the FAQ, don't forget to sync the states and use ifstated to change the
> modem state when switching master fw.
>
>
Actually I read it but I didn't notice ifstated; after a quick look it
seems quite interesting.
Thank you.
On 05-07-2014 16:20, Mxher wrote:
> 1) Can I group multiple virtual IPs to make them switch all at the same
> time using CARP ?
AFAIK, no. But you can use ifstated.
> 2) About modems interfaces, I can't have them UP on both firewalls at
> the same time.
> How would you manage that?
You're dial
On Sat, Jul 5, 2014 at 3:20 PM, Mxher wrote:
> Hello everyone,
>
> At work we are using a firewall cluster of two Linux servers but I'm
> trying to change this; especially to replace iptables/netfilter by pf
> (mostly for performance and 'easy to maintain' reasons).
>
> Here is the thing: right
On Mon, Jul 09, 2012 at 10:21:47PM +0200, Peter Hessler wrote:
> Use 'pfctl -vvss' to see which rule it is matching on. I bet you have a
> rule that matches that traffic.
That was the hint I needed. Thanks! It did cross my mind and I did dump
the states before but I must have missed that IP in
Use 'pfctl -vvss' to see which rule it is matching on. I bet you have a
rule that matches that traffic.
On 2012 Jul 09 (Mon) at 20:34:55 +0200 (+0200), Peter J. Philipp wrote:
:Hi,
:
:Were there any bugfixes between 5.0 and 5.1 that would allow certain packets
:through the pf filter? I have a ca
I would take steps to see if another rule is being matched when you see the
flaw?
Brian
On Jul 9, 2012 12:28 PM, "Peter J. Philipp" wrote:
>
> On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
> > You need to provide more information about your situation to be able to
> > help you.
On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
> You need to provide more information about your situation to be able to
> help you. dmesg, pf ruleset, network config., etc.
>
> -luis
Due to the sensitivity of the host I cannot do that. But I'll tell you what
I will do. Upgrade.
You need to provide more information about your situation to be able to
help you. dmesg, pf ruleset, network config., etc.
-luis
On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp wrote:
> Hi,
>
> Were there any bugfixes between 5.0 and 5.1 that would allow certain packets
> through the pf filte
- Original Message -
| - Original Message -
| | Hi All,
| |
| | I've been battling this issue for a couple of days now and I'm
| | hoping
| | someone might have a possible fix for it. Any help is greatly
| | appreciated.
| |
| | I have a workstation which is on a network routed thro
- Original Message -
| Hi All,
|
| I've been battling this issue for a couple of days now and I'm hoping
| someone might have a possible fix for it. Any help is greatly
| appreciated.
|
| I have a workstation which is on a network routed through VPN client
| device
| The clients are on VL
MArtin Grados Marquina writes:
> Sorry, but PF does not run well on OpenBSD? Then I do not understand why I have
> to go alone to the FreeBSD lists.
There are significant differences between the PF in FreeBSD (equivalent
to OpenBSD 4.1, roughly) and recent OpenBSD versions, meaning that the
correc
Re: Firewall PF WITH NETWORK ALIAS
Sorry, but PF does not run well on OpenBSD? Then I do not understand why I have
to go alone to the FreeBSD lists.
you understand when someone needs help with a problem and need some idea for
solution?
I am sorry to have bothered anyone, but my only intention was
On 05/25/11 05:12, MArtin Grados Marquina wrote:
> In the past, I configured a virtual machine with "firewall PF" in FreeBSD 8.1
> with three network interface (in pf.conf)
1. As sthen@ pointed out, try a FreeBSD list for questions regarding
FreeBSD's PF.
2. You posted my private reply to a mailin
On 2011-05-25, MArtin Grados Marquina wrote:
> In the past, I configured a virtual machine with "firewall PF" in FreeBSD 8.1
Wrong mailing list.
This list is for OpenBSD.