Re: PF Rules for Dual Upstream Gateways

2023-11-23 Thread Stuart Henderson
On 2023-11-22, Ian Timothy wrote: > Hello, > > I have two ISPs where one connection is primary and the other is > low-bandwidth for temporary failover only. ifstated handles the failover by > simply changing the default gateway. But under normal conditions I want to be > able to connect via eit

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Frank Habicht
Hi, On 07/12/2022 18:36, Peter N. M. Hansteen wrote: ...> and can now be found at https://nxdomain.no/~peter/ripe2cidr_country.sh.txt -- as it says in the script itself, a trivial hack. And I might add, it comes with *NO* warranties of any kind. I think instead of : grep allocated in the two

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Stuart Henderson
On 2022-12-07, Peter N. M. Hansteen wrote: > On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote: >> >> Has anybody created rules such as this and if so, do you have an example? > > As others have already indicated, the PF way to do anything like this would be > to generate a list of

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Peter N. M. Hansteen
On Wed, Dec 07, 2022 at 10:28:27AM +1100, Damian McGuckin wrote: > > Has anybody created rules such as this and if so, do you have an example? As others have already indicated, the PF way to do anything like this would be to generate a list of addresses and networks you want to address (block in

Re: PF rules to block out every IP from a given country

2022-12-07 Thread Muhammad Muntaza
On Wed, 7 Dec 2022 at 08.55 Damian McGuckin wrote: > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - Damian > Check this Example: https://www.muntaza.id/pf/2020/02/03/pf-firewall-bagian-kedua.html I write in Indonesian; you can use Google Translate to

Re: PF rules to block out every IP from a given country

2022-12-06 Thread Craig Schulz
Take a look at PF-Badhost. Here is a decent write-up: https://undeadly.org/cgi?action=article;sid=20210119113425 Craig > On Dec 6, 2022, at 18:28, Damian McGuckin wrote: > > > Has anybody created rules such as this and if so, do you have an example? > > Stay safe - Damian > > Pacific Engin

Re: PF rules to block out every IP from a given country

2022-12-06 Thread All
Considering you solved the issue with getting all IPs for a given country correctly (and perhaps updating it sometimes): 1. Dump all IP addresses/ranges into a file (e.g. blocked.ips) 2. add table file /path/to/blocked.ips add "persist" if you want. 3. create rule to block all incoming connections

Re: pf rules after crash

2021-07-10 Thread Allan Streib
On Sat, Jul 10, 2021, at 11:30 AM, Stuart Henderson wrote: > On 2021-07-10, Peter Nicolai Mathias Hansteen wrote: > > For whatever reason your pf.conf did not parse to a valid config, so rc’s > > own default rules were kept in place. > > Yep. dmesg -s might give a clue. Thank you both, I suspec

Re: pf rules after crash

2021-07-10 Thread Stuart Henderson
On 2021-07-10, Peter Nicolai Mathias Hansteen wrote: > For whatever reason your pf.conf did not parse to a valid config, so rc’s own > default rules were kept in place. Yep. dmesg -s might give a clue.

Re: pf rules after crash

2021-07-10 Thread Peter Nicolai Mathias Hansteen
> On 10 Jul 2021 at 05:11, Allan Streib wrote: > > Hi, > > I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for > some reason, and when I logged in and realized the uptime had changed, I > checked the pf rules out of curiosity since I have been experimenting with > pf.

Re: pf rules vs late pppoe0 setup

2020-04-26 Thread Daniel Jakots
On Sun, 26 Apr 2020 13:54:27 +0200, Jan Stary wrote: > Is there a recommended way to deal with this? If I correctly understood your problem, the solution: (from pf.conf(5)) > Host name resolution and interface to address translation are > done at ruleset load-time. When the address of an inter

Re: PF Rules

2016-08-26 Thread Peter N. M. Hansteen
On 08/26/16 14:55, Leo Silva wrote: > I'd like some help with the following rules on pf. > I'm trying to block all https requests outgoing from my network and unblock > just some IPs. > The blocked IPs are allowed to access specific sites that are placed in files > with the domain names that I wan

Re: PF rules block some websites (?)

2015-11-01 Thread Piotr Kubaj
On 11/01/15 11:51, Marco Prause wrote: > Hi Piotr, > > just a guess, but you might hit some path mtu discovery issue. > On customer paths with e.g. mtu less than 1500 it should help to > discover the minimal mtu and while blocking the don't fragment bit, > which is used for pmtud, pmtud won't work.

Re: PF rules loading bug on OpenBSD 5.6

2014-12-03 Thread David Dahlberg
On Wednesday, 03.12.2014, 11:08 +0800, Cosmo Wu wrote: > > and it parsed correctly using > command " pfctl -nf /etc/pf.conf.test" > > > > when I loaded it from the > command " pfctl -f /etc/pf.conf.test " > > > > it grumbled: > > > > pfctl: > DIOCXCOMMIT: Invalid argument Happens usually,

Re: PF rules loading bug on OpenBSD 5.6

2014-12-02 Thread Cosmo Wu
Could anyone run into these problems? thanks! On 14.11.2014 14:50, Cosmo Wu wrote: > Hi Misc , > > > There is a no-syntax-error pf config file ( such a pf.conf.test ) , > > but another queue named differently is created on the same interface. > > and it parsed correctly using command " pfctl -

Re: pf rules

2011-04-17 Thread Muhammad Muntaza
2011/4/17, gdrm : table persist file "/etc/terlarang" block in quick on re0 from in /etc/terlarang 10.0.0.0/8 192.168.0.0/16 xxx.xxx.xxx.xxx Muhammad Muntaza bin Hatta -- Indonesia http://muntaza.wordpress.com

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-02 Thread Indunil Jayasooriya
> But, it always directs to one particular ip address. How to see load > balancing? > > today, I myself learnt it from the below url > http://www.openbsd.org/faq/pf/pools.html#incoming match in on $ext_if proto tcp to port 80 rdr-to $web_servers \ round-robin sticky-address Successiv

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Rodrigo Mosconi
2011/2/1 Indunil Jayasooriya > # macros > (...) > > web_servers = "{ 192.168.x.64, 192.168.x.66, 192.168.x.67 } lan_net="192.168.x.0/24" > A table isn't better? I mean, we can control it without reloading the pf rules and the matching algorithm is better.

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Indunil Jayasooriya
> > match in on $ext_if inet proto tcp to $ext_if port 8080 rdr-to > $web_servers > > \ > > round-robin sticky-address > > You need to pass the inbound traffic somehow (match doesn't do this). > Either change the 'match in' above to 'pass in', YES, changed. It worked. > or add anothe

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread lilit-aibolit
Indunil Jayasooriya writes: Hi list, I have 3 web servers running on port 8080 behind PF firewall. I am trying to load balance these incoming connections to these web servers. I wrote rules as below. Pls pay attention to highlighted BOLD rules. They are the ones I have written. But, I

Re: pf rules for Load Balance Incoming Connections for webservers

2011-02-01 Thread Ryan McBride
On Tue, Feb 01, 2011 at 02:22:25PM +0530, Indunil Jayasooriya wrote: > I have 3 web servers running on port 8080 behind PF firewall. I am trying > to load balance these incoming connections to these web servers. > > I wrote rules as below. Pls pay attention to highlighted BOLD rules. > they a

Re: pf rules and routings

2008-11-26 Thread Antoine Junod
Hello, World! I've found my bug by myself. So for those interested, have a look below. Antoine Junod <[EMAIL PROTECTED]> writes: [...] > I'm facing what I think is a problem in my pf.conf rules set. Here is > my setup: > > I've a private network, 192.168.1.0/24, with 192.168.1.1 being the > def

Re: PF Rules

2007-09-07 Thread mail-lists
David Newman wrote: On 9/7/07 8:59 AM, Stuart Henderson wrote: On 2007/09/07 08:41, David Newman wrote: 1. I believe "keep state" is still needed when using queuing. The pf.conf manpage says it must be specified explicitly to apply options to a rul

Re: PF Rules

2007-09-07 Thread David Newman
On 9/7/07 8:59 AM, Stuart Henderson wrote: > On 2007/09/07 08:41, David Newman wrote: >> 1. I believe "keep state" is still needed when using queuing. The >> pf.conf manpage says it must be specified explicitly to apply options to >> a rule. > > Only

Re: PF Rules

2007-09-07 Thread Stuart Henderson
On 2007/09/07 08:41, David Newman wrote: > > 1. I believe "keep state" is still needed when using queuing. The > pf.conf manpage says it must be specified explicitly to apply options to > a rule. Only for state-related options (max-src-conn-rate and so); queue is separate (and may also be used wh

Re: PF Rules

2007-09-07 Thread David Newman
On 9/7/07 7:54 AM, mail-lists wrote: > I'm attempting to set up pf for a voip system. In order to prioritize > VoIP packets I have this queue: > > altq on $ext_if priq bandwidth 1.4Mb queue {std_out, voip_out, > tos_lowdelay_out} > queue std_out priq(

Re: PF Rules

2007-09-07 Thread Stuart Henderson
On 2007/09/07 10:54, mail-lists wrote: > > This normally works very well. I'm planning to allow all inbound traffic to > my VOIP Server like this: > > pass in quick log on $ext_if proto {tcp,udp} from any to $VOIP_SERVERS port > $VOIP_PORTS You can queue here too, return traffic matching the st

Re: PF Rules with Interfacenames ...

2007-04-12 Thread Peter N. M. Hansteen
Wild Karl-Heinz <[EMAIL PROTECTED]> writes: > Is this a feature or my fault? Not sure what you used to do, but you can set group additional names for interfaces yourself with ifconfig or via hostname.if -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.li

Re: pf rules

2007-03-02 Thread Bryan Irvine
On 3/2/07, Pedro Drimel Neto <[EMAIL PROTECTED]> wrote: In a rule: pass in on dc0 from 192.168.0.0/24 to any port www If a webserver is running on firewall box, the network 192.168.0.0/24 will access it. Is there another way to introduce this rule? Cause I don't want that the network access t

Re: pf rules

2007-03-02 Thread Fred Crowson
Pedro Drimel Neto wrote: In a rule: pass in on dc0 from 192.168.0.0/24 to any port www If a webserver is running on firewall box, the network 192.168.0.0/24 will access it. Is there another way to introduce this rule? Because I don't want the network to access the webserver on the firewall box.

Re: pf rules

2007-02-12 Thread Paul Pruett
block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80 read also http://www.openbsd.org/faq/pf/tables.html another way to deal with negative in your pf.conf is to use tables... maybe try a table with safeip combinations like, but do test and read and try variations, this

Re: pf rules

2007-02-12 Thread Rogier Krieger
On 2/12/07, Artyom Goryainov <[EMAIL PROTECTED]> wrote: block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80 You will probably want to see the PF FAQ [1] on this, specifically the section on Lists and Macros. It tells you why you should use tables for this purpose. The l

Re: PF rules for outgoing FTP from firewall

2007-01-30 Thread Darren Spruell
On 1/30/07, Steve Williams <[EMAIL PROTECTED]> wrote: Hi, I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted firewall duties. It is working 100%, including proxying ftp requests from the internal network. Today I went to do an FTP directly from the server (perl CPAN), and

Re: pf rules order

2007-01-10 Thread raff
Thanks for all replies. -- raff

Re: pf rules order

2007-01-10 Thread Joachim Schipper
On Wed, Jan 10, 2007 at 01:10:32PM +0100, Henning Brauer wrote: > * Joachim Schipper <[EMAIL PROTECTED]> [2007-01-10 12:12]: > > On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote: > > > Hello misc. > > > > > > I want to block traffic from 192.168.9.8 to 192.168.1.0/24 > > > excluding 192.168.1.

Re: pf rules order

2007-01-10 Thread Henning Brauer
* Joachim Schipper <[EMAIL PROTECTED]> [2007-01-10 12:12]: > On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote: > > Hello misc. > > > > I want to block traffic from 192.168.9.8 to 192.168.1.0/24 > > excluding 192.168.1.6 > > Is there any difference between: > > > > block in all > > pass in on

Re: pf rules order

2007-01-10 Thread Michael
raff wrote: > I want to block traffic from 192.168.9.8 to 192.168.1.0/24 > excluding 192.168.1.6 > Is there any difference between: > > block in all > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state > > and > > b

Re: pf rules order

2007-01-10 Thread Joachim Schipper
On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote: > Hello misc. > > I want to block traffic from 192.168.9.8 to 192.168.1.0/24 > excluding 192.168.1.6 > Is there any difference between: > > block in all > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state > pass in on xl1 from

Re: pf rules and binat

2005-12-23 Thread Karl O. Pinc
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote: I need to do the following: 1) Allow only ssh to firewall 2) Allow 80, 443 from net to web server through binat 3) Allow 25 and 143 to mail server Rdr may do what you want (maybe along with some natting too but my brain is full at the moment a

Re: pf rules and binat

2005-12-23 Thread Karl O. Pinc
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote: I have a question regarding pf and binat. I need to protect mail server and web server behind firewall. I am planning to run pf with binat rules. I need to do the following: 1) Allow only ssh to firewall 2) Allow 80, 443 from net to web serve

Re: [Fwd: Re: pf rules generation policy]

2005-10-21 Thread Bill
On Fri, 21 Oct 2005 09:59:12 +0200 Guido Tschakert <[EMAIL PROTECTED]> spake: > Kilaru Sambaiah wrote: > > Hello All, > > I am linux administrator and use iptables for firewall. I use > > shorewall, which you > > need to be setting up only policy based on your box is having one > > interface o

[Fwd: Re: pf rules generation policy]

2005-10-21 Thread Guido Tschakert
Kilaru Sambaiah wrote: Hello All, I am linux administrator and use iptables for firewall. I use shorewall, which you need to be setting up only policy based on your box is having one interface or two interfaces or three. Policy, zone, interfaces, rules these are all I need to edit. Is th

Re: pf rules question

2005-08-14 Thread stan
On Sun, Aug 14, 2005 at 10:13:33PM +0200, Erik Wikström wrote: > On 2005-08-14 19:17, stan wrote: > >On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: > >>I've got 2 rules like this: > >> > >>pass out on $int_if from any to any keep state > >>pass in on $int_if from any to any keep state > >>

Re: pf rules question

2005-08-14 Thread Erik Wikström
On 2005-08-14 19:17, stan wrote: On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: I've got 2 rules like this: pass out on $int_if from any to any keep state pass in on $int_if from any to any keep state That I think I should be able to replace with: pass out on $int_if from any to any

Re: pf rules question

2005-08-14 Thread Erik Wikström
On 2005-08-14 21:41, stan wrote: On Sun, Aug 14, 2005 at 09:13:07PM +0200, Erik Wikström wrote: On 2005-08-14 19:17, stan wrote: >On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: >>I've got 2 rules like this: >> >>pass out on $int_if from any to any keep state >>pass in on $int_if from any

Re: pf rules question

2005-08-14 Thread stan
On Sun, Aug 14, 2005 at 09:13:07PM +0200, Erik Wikström wrote: > On 2005-08-14 19:17, stan wrote: > >On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: > >>I've got 2 rules like this: > >> > >>pass out on $int_if from any to any keep state > >>pass in on $int_if from any to any keep state > >>

Re: pf rules question

2005-08-14 Thread Erik Wikström
On 2005-08-14 19:17, stan wrote: On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: I've got 2 rules like this: pass out on $int_if from any to any keep state pass in on $int_if from any to any keep state That I think I should be able to replace with: pass out on $int_if from any to any

Re: pf rules question

2005-08-14 Thread stan
On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote: > I've got 2 rules like this: > > pass out on $int_if from any to any keep state > pass in on $int_if from any to any keep state > > That I think I should be able to replace with: > > pass out on $int_if from any to any keep state > pass in

Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Peter N. M. Hansteen
"Fafa Hafiz Krantz" <[EMAIL PROTECTED]> writes: > Can anyone tell what's wrong? Yes. Your rule set doesn't actually let anything pass *through* your firewall. Some of the traffic from the outside is able to communicate with your ext_if, but as far as I can see traffic originating in int_if:network i

Re: PF RULES! But mine doesn't ...

2005-05-08 Thread Rod.. Whitworth
On Sun, 08 May 2005 05:21:54 -0500, Fafa Hafiz Krantz wrote: >Hello. Goodbye Troll. From the land "down under": Australia. Do we look from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.