> Sent: Tuesday, April 29, 2025 at 1:35 AM
> From: "Zé Loff"
> To: "ed bennett"
> Cc: "misc@openbsd.org"
> Subject: Re: I need help with pf and smtpd.conf to deal with an ongoing
> attack on port 25 that is sending out emails.
>
> On M
> Apart from that, you might be able to do something different with your
> MTA: you can configure it to listen on the egress interface, allowing
> only for local delivery, *and* to listen on lo0, allowing those messages
> to be forwarded. This shouldn't be too hard to do with OpenSMTPD.
Shouldn't a U
Open Mail Relay: Why It Is Considered A Spammer's Dream
https://www.duocircle.com/content/mail-relay-smtp/open-mail-relay
An open mail relay is a Simple Mail Transfer Protocol (SMTP) server
configured in such a way that it allows anybody on the Internet to send
e-mail through it https://en.wikipe
On Mon, Apr 28, 2025 at 12:32:56PM +, ed bennett wrote:
> I only want to receive incoming emails and only send emails from the server
> itself,
> either with scripts or while logged on with ssh.
> I've completely blocked port 25 and the submission ports.
> With 25 open, I can't even login and
I only want to receive incoming emails and only send emails from the server
itself,
either with scripts or while logged on with ssh.
I've completely blocked port 25 and the submission ports.
With 25 open, I can't even login and I have to use IPMI.
First what can I do with just pf? I haven't found
On Tue, Mar 21, 2017, at 16:56, Marko Cupać wrote:
> ...
>
> What exactly I should pass on enc interface so that the above packet
> passes?
>
> Thank you in advance.
Hi,
You probably need to allow ipencap protocol packets. I also need l2tp
packets, but that depends on whether you use it.
--
Fran
Hi,
I have OpenBSD-based branch office router which connects to
cisco-based hq router via ipsec-protected gre tunnel (transport mode).
If I 'set skip on enc' everything works fine, but I would like to
tighten rules on enc a bit as well, not as much for the sake of
functionality as for the sake of
On Fri, 2 Dec 2016 12:14:56 + (UTC)
Stuart Henderson wrote:
> On 2016-11-25, Marko Cupać wrote:
> > Hi,
> >
> > I'd like to do limit bandwidth on gre tunnel protected with ipsec in
> > transport mode.
> I haven't tried this exact scenario. But I understand the general way
> things work and
On 2016-11-25, Marko Cupać wrote:
> Hi,
>
> I'd like to do limit bandwidth on gre tunnel protected with ipsec in
> transport mode.
>
> I've set single default queue on gre interface, matched everything
> that goes out to that queue, and finally passed everything out that
> interface:
>
> # SNIP
>
Hi,
I'd like to do limit bandwidth on gre tunnel protected with ipsec in
transport mode.
I've set single default queue on gre interface, matched everything
that goes out to that queue, and finally passed everything out that
interface:
# SNIP
queue mother on gre204 bandwidth 25M min 25M max 25M
Hello,
That solved the issue but I have about 20 rulesets that have the same
syntax. I don't see anything yet also about this.
Please elaborate.
Andres
On Thu, Apr 22, 2010 at 3:59 PM, Alexander Hall wrote:
> On 04/22/10 18:22, Allie Daneman wrote:
>> Why are you doing "from any to (fxp0)" ? Th
On 04/22/10 18:22, Allie Daneman wrote:
> Why are you doing "from any to (fxp0)" ? That's your problem. Change all
I fail to see why that would cause any issues. Care to elaborate?
/Alexander
> the rules like that to "from any to any" since you're already putting
> the rule on that interface and
Why are you doing "from any to (fxp0)" ? That's your problem. Change all
the rules like that to "from any to any" since you're already putting
the rule on that interface and it should fix you up. As long as you're
not redirecting you can turn logging on specific rules and see why
they're blocki
Hello,
Yes it loaded properly. Yes I had missed the macro for the external
NIC; it is included in the original ruleset. t_externa = "fxp0"
This is the result for pfctl -sr:
match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (f
## Traffic IN
pass in log quick on $t_externa inet proto { tcp, udp } from any
to ($t_externa) \
port { 22 8080 } keep state
In your pf configuration it doesn't show where you actually define the
macro for your interface $t_externa.
Are you sure the rules you run are
Hello all.
I have a ruleset where I am explicitly allowing incoming connections
on port 22.. (default is block log all) .. for some weird reason
they are getting blocked
log says: Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0:
my.client.ip.here.54711 > my.server.ip.here.22: S
299965829
Hello,
I was wondering if someone can help me with PF rules..it doesn't have to be
exact syntax-maybe a high level explanation might be enough.
Internet
|
BSD
|
/ \
192.168.10.0/241
2010/3/17 N. Arley Dealey
> Help! I'm obviously overlooking something really obvious but I just can't
> see it.
>
> I'm building my first PF-based router/firewall using OpenBSD 4.6. For now,
> what I
> need it to do is pretty simple:
>
> 1. Allow all outbound traffic via NAT and allow all inbo
Help! I'm obviously overlooking something really obvious but I just
can't see it.
I'm building my first PF-based router/firewall using OpenBSD 4.6. For
now, what I
need it to do is pretty simple:
1. Allow all outbound traffic via NAT and allow all inbound responses.
2. Allow only ssh
Stuart Henderson wrote:
On 2008-12-30, Giancarlo Razzolini wrote:
fRANz wrote:
Hi.
I've some trouble with this configuration:
LAN -- fw (openbsd 4.4) -- adsl router
LAN: 192.168.100.0/24
fw int int: sis1
fw int ind: 192.168.100.2
fw ext int: sis0
fw ext ind: 10.0.0.2
router in
On 2008-12-30, Giancarlo Razzolini wrote:
> fRANz wrote:
>> Hi.
>>
>> I've some trouble with this configuration:
>>
>> LAN -- fw (openbsd 4.4) -- adsl router
>>
>> LAN: 192.168.100.0/24
>> fw int int: sis1
>> fw int ind: 192.168.100.2
>> fw ext int: sis0
>> fw ext ind: 10.0.0.2
>> router int in
fRANz wrote:
Hi.
I've some trouble with this configuration:
LAN -- fw (openbsd 4.4) -- adsl router
LAN: 192.168.100.0/24
fw int int: sis1
fw int ind: 192.168.100.2
fw ext int: sis0
fw ext ind: 10.0.0.2
router int ind: 10.0.0.1
I try to configure pf to redirect all web traffic from internal
On 27 Dec 2008 at 1:02, fRANz wrote:
> On Fri, Dec 26, 2008 at 7:50 PM, System Administrator
> wrote:
>
> > Here is a hint to simpler life: to avoid asymmetric routing make sure
> > that all your redirect (RDR) rules fully traverse the firewall, i.e. the
> > source and destination are connected t
On Fri, Dec 26, 2008 at 7:50 PM, System Administrator wrote:
> Here is a hint to simpler life: to avoid asymmetric routing make sure
> that all your redirect (RDR) rules fully traverse the firewall, i.e. the
> source and destination are connected to different interfaces. In your
> case that would m
What you are attempting is known as "asymmetric routing". An extensive
search of the archives will show that it has been discussed a number of
times, and the configuration you are attempting _can_ be made to work.
However, to get it working [properly] requires a fairly advanced
routing and pf kn
Hi.
I've some trouble with this configuration:
LAN -- fw (openbsd 4.4) -- adsl router
LAN: 192.168.100.0/24
fw int int: sis1
fw int ind: 192.168.100.2
fw ext int: sis0
fw ext ind: 10.0.0.2
router int ind: 10.0.0.1
I try to configure pf to redirect all web traffic from internal lan to
an interna
# pfctl -e
pf enabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
--- www.terra.com.br ping statistics -
Just passing through while looking for something else, but can help:
Aaron proficuous.com> writes:
> my pf.conf:
> ...
> pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp
imap imaps domain } to any
> ...
> pass in on fxp3 inet proto udp from $lan_net port { domain ntp }
Hi Aaron,
The problem is that you pass based on src, not destination:
pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https
smtp imap imaps domain } to any
it should be
pass in on fxp3 inet proto tcp from $lan_net to port { ssh www ntp https
smtp imap imaps domain }
Also be a
Preston Norvell wrote:
On 2007/12/01 3:04 PM, "Aaron" <[EMAIL PROTECTED]> muttered eloquently:
I believe I see the issue with general traffic flow. The clue being that
you are being blocked by the generic block drop in log rule (you can get
rule numbers with 'pfctl -vvsr'). You have the destin
On 2007/12/01 3:04 PM, "Aaron" <[EMAIL PROTECTED]> muttered eloquently:
I believe I see the issue with general traffic flow. The clue being that
you are being blocked by the generic block drop in log rule (you can get
rule numbers with 'pfctl -vvsr'). You have the destination port on the
source
I have decided to switch my linux routers over to openbsd and as such
need to have pf up and running on them. I have a test network that I am
testing this on and am having some issues getting things working as
expected.. My network configuration is as follows:
my ascii art sux so i'll try to
Hi All,
I'm trying to insert arbitrary pf state entries from my userland app.
I've repeatedly crashed my 4.2 box with bad pf ioctl DIOCADDSTATE
calls, and find it difficult to progress any further.
Does anyone have some sample code I can learn from?
TIA,
- Raja
* david l goodrich <[EMAIL PROTECTED]> [2007-10-26 15:02]:
> On Fri, 26 Oct 2007 15:13:19 +0300, "Mindaugas" <[EMAIL PROTECTED]>
> wrote:
> > Hi,
> >
> >
> >
> > Situation, I have table abusers : table persist
> >
> > And pf rule which uses it, so my question is
> >
> > How to set max host li
On Fri, 26 Oct 2007 15:13:19 +0300, "Mindaugas" <[EMAIL PROTECTED]>
wrote:
> Hi,
>
>
>
> Situation, I have table abusers : table persist
>
> And pf rule which uses it, so my question is
>
> How to set max host life time in table, without using pfctl -T expire
> number
> table?
After patching
"Mindaugas" <[EMAIL PROTECTED]> writes:
> How to set max host life time in table, without using pfctl -T expire number
> table?
There is AFAIK currently no way to specify that in pf.conf itself.
then again, it doesn't take much energy to run a pfctl expire from
cron job every some minutes or s
Hi,
Situation, I have table abusers : table persist
And pf rule which uses it, so my question is
How to set max host life time in table, without using pfctl -T expire number
table?
We have ipsec running on an internal firewall, with packets being
routed to the internal firewall via an external firewall. We wish to
move off of the internal 192.168.11.0/24 network and onto a net-10
network. What pf rules do we need to automatically translate between a
net-10 block and the inter
On Mon, Feb 06, 2006 at 01:10:20AM -0800, David Benfell wrote:
> Hello all,
>
> I'm trying to debug my packet filtering rules. The problem is that
> messages sent from my internal network are not getting through to the
> SMTP host on my OpenBSD 3.8-CURRENT system.
>
> The only output I'm getting
--- David Benfell <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm trying to debug my packet filtering rules. The problem is that
> messages sent from my internal network are not getting through to the
> SMTP host on my OpenBSD 3.8-CURRENT system.
A common debugging approach is to log on all blo
Hello all,
I'm trying to debug my packet filtering rules. The problem is that
messages sent from my internal network are not getting through to the
SMTP host on my OpenBSD 3.8-CURRENT system.
The only output I'm getting from tcpdump is:
Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 080