A followup with at least partial answers to some questions posted here:
https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html
Enjoy!
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.
"If I remember correctly, the fee is customs + shipping costs, however".
I believe with DHL and FedEx that's the case, very straightforward. With
UPS it's shipping + UPS's own brokerage fee, which covers customs fees and
is typically more than the actual fees. I only use DHL, FedEx and USPS for
i
Good evening,
> Does anyone know of a Canadian reseller carrying the book? Starch
> ships UPS, and UPS will hammer me with $80 in "brokerage" fees,
> which I refuse to pay.
I am not Canadian so I can't really give any advice on where to buy
books from, but a few workarounds do come to mind:
1.
> probably pass, because misc@openbsd.org doesn't append to the body of
> the message, nor does it rewrite the basic Subject/To/From headers,
> unlike some other lists do.
>
> Anyhow, a copy can also be obtained at:
>
> * https://marc.info/?l=openbsd-misc&m=175205773526134&w=2
>
> And the pre-order is at:
>
> * https://nostarch.com/book-of-pf-4th-edition
>
> Best regards,
> Constantine.
>
>
Does anyone know of a Canadian reseller carrying the book? Starch
ships UPS, and UPS will hammer me with $80 in "brokerage" fees,
which I refuse to pay.
I checked with Indigo, but they don't have it in their catalog.
Maybe one of the maker-oriented sellers has it?
And no, I don't deal with Amazo
weren't included, the DKIM would
> probably pass, because misc@openbsd.org doesn't append to the body of
> the message, nor does it rewrite the basic Subject/To/From headers,
> unlike some other lists do.
>
> Anyhow, a copy can also be obtained at:
>
> * https://marc.info/?l=openbsd-misc&m=175205773526134&w=2
>
> And the pre-order is at:
>
> * https://nostarch.com/book-of-pf-4th-edition
>
> Best regards,
> Constantine.
>
do.
Anyhow, a copy can also be obtained at:
* https://marc.info/?l=openbsd-misc&m=175205773526134&w=2
And the pre-order is at:
* https://nostarch.com/book-of-pf-4th-edition
Best regards,
Constantine.
You can share the link
Francisco Valladolid H.
-- http://blog.bsdguy.net - Jesus Christ follower.
On Thu 10 Jul 2025 at 7:08 a.m. Sonic wrote:
> Great news. I have the previous versions and have added this one.
>
>
Great news. I have the previous versions and have added this one.
The current price that No
Starch is listing for the e-book version seems very reasonable.
- J
On 7/9/25 17:27, Pietro Leone Pola Falletti di Villafalletto wrote:
The 3rd edition is 10 years old. I suppose the major difference is due
to syntax changes in pf.
I loved the third edition, I
The 3rd edition is 10 years old. I suppose the major difference is due to
syntax changes in pf.
I loved the third edition, I'll buy the 4th for sure.
Bye, Pietro.
Jul 9, 2025 14:35:01 Polarian :
> Good afternoon,
>
> I know this is probably a stupid question, but how differ
Good afternoon,
I know this is probably a stupid question, but how different is it from
the 3rd edition?
Aka is it worth picking it up if you have the 3rd edition?
Thanks,
--
Polarian
Jabber/XMPP: polar...@icebound.dev
Friends,
Long rumored and eagerly anticipated by some, the fourth edition of The Book of
PF is now available for preorder from the publisher's site at
https://nostarch.com/book-of-pf-4th-edition
The text is in the final editing phases, and we are hoping to have physical
copies availab
> Sent: Tuesday, April 29, 2025 at 1:35 AM
> From: "Zé Loff"
> To: "ed bennett"
> Cc: "misc@openbsd.org"
> Subject: Re: I need help with pf and smtpd.conf to deal with an ongoing
> attack on port 25 that is sending out emails.
>
> On M
>Apart from that, you might be able to do something different with your
>MTA: you can configure it to listen on the egress interface, allowing
>only for local delivery, *and* to listen on lo0, allowing those messages
>to be forwarded. This shouldn't be too hard to do with OpenSMTPD.
Shouldn't a U
Open Mail Relay: Why It Is Considered A Spammer's Dream
https://www.duocircle.com/content/mail-relay-smtp/open-mail-relay
An open mail relay is a Simple Mail Transfer Protocol (SMTP) server
configured in such a way that it allows anybody on the Internet to send
e-mail through it https://en.wikipe
can't even login and I have to use IPMI.
> First what can I do with just pf? I haven't found any useful examples and
> it's not
> clear to me exactly how to only allow local connections to send out emails
> work
> but still receive outside emails.
>
> After tha
can't even login and I have to use IPMI.
> First what can I do with just pf? I haven't found any useful examples and
> it's not
> clear to me exactly how to only allow local connections to send out emails
> work
> but still receive outside emails.
It is not cle
I only want to receive incoming emails and only send emails from the server
itself,
either with scripts or while logged on with ssh.
I've completely blocked port 25 and the submission ports.
With 25 open, I can't even login and I have to use IPMI.
First what can I do with just pf? I hav
> I am trying to write my first ruleset for router and firewall, how can I
> trim the ruleset?
> block return # block stateless traffic
> pass # establish keep-state
> block all
Apart from all the others suggestions you already got, I think having
block, pass, block in a row allow
"192.168.1.0/24" # LAN 1 subnet
> int_net2 = "192.168.2.0/24" # LAN 2 subnet
> int_net3 = "192.168.3.0/24" # DMZ subnet
> wifi_net = "192.168.4.0/24" # Wireless network subnet
rather than setting macros, you can set interface groups on the
interfa
Hi,
I would start by naming your internal interface variables in a meaningful way.
It would make things much more readable for yourself and reduce the risk of a
mental mistake.
Eg:
int_lan1
int_lan2
int_dmz
And similarly with int_net1.
Just a thought...
Cheers,
Steve W
On April 27, 2025 5
$int_net3 keep state
> pass in on $int_if3 from $int_net3 to $int_net1 keep state
>
> pass in on $ext_if proto icmp all icmp-type echoreq keep state
> pass in on $int_if1 proto icmp all icmp-type echoreq keep state
> pass in on $int_if2 proto icmp all icmp-type echoreq keep s
I am trying to write my first ruleset for router and firewall, how can I
trim the ruleset?
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
b
On 2025-04-18, TSS wrote:
> But also, I don't really want to modify the binary or have my own version
> of xl2tpd that I compile from source. I know I was concerned about speed
> earlier, but I can accept a little bit of pf delay for the convenience of
> running stock code
On 20.04.2025 10:54, Stuart Henderson wrote:
there is a lookup, but I'm not sure whether it ignores the nat-to rule
entirely, or just the port. I suspect it probably ignores the rule
entirely. (the complication with UDP is that there's no real state
in the protocol, so PF just works
me as the original IP).
>> Also: I don't remember what happens if there's an active PF state
>> already
>> using this port - maybe the nat will be ignored, maybe the packet will
>> be dropped.
>
> used is in use and wont be used again - there's a lookup f
t IF `from` is used, mind:
match out from $mylan to box1337 port 1337 nat-to $whatever_maybe_public-ip 31337
match out from $mylan to any nat-to $public-ip # this wont match 1337 packets, since "from" is already mangled
Also: I don't remember what happens if there's an acti
On 2025-04-18, TSS wrote:
> Hi again. I hope it's not unwelcome to ask a pf question here; I hope
> this one isn't too elementary.
>
> I have a daemon that sends and receives UDP packets on port 1337. For
> reasons, I would like to use pf on my computer (i.e. the one th
On 18.04.2025 18:13, TSS wrote:
Search engines have not helped me out with this one, but my search
skills
were dubious even before the AI era.
how about:
pass out quick on vio0 proto udp from any port 1337 nat-to (vio0) port 13337
pass in quick on vio0 proto udp from any to self port 31337
it. Who knows, the knowledge of how to
do this (if it's possible) may come in handy someday.
But also, I don't really want to modify the binary or have my own version
of xl2tpd that I compile from source. I know I was concerned about speed
earlier, but I can accept a little bit of pf dela
> .. |
>+---+ o * . ~ *|
>| my |--> UDP 1337 --> % . pf : . --|--> UDP 31337 --> clouds
>|special| + . magic + |and
|daemon |<-- UDP 1337 <
Practically, what winds
up happening is that just one of my hosts can use l2tp; the other fails
to connect, probably because the tunneling service doesn't understand
what all the "extra" packets from the same consumer broadband IP are all
about.
The pf trick I'm looking for all
To add to my last email, you can do it in iptables but doesn't seem to be a
way to do it in pf. For whatever reason I feel invested in this thread and
might boot up an openbsd VM to try myself
On Fri, Apr 18, 2025, 3:17 PM Mike wrote:
> I don't think you can do that.
>
> I
12:16 PM TSS wrote:
> Hi again. I hope it's not unwelcome to ask a pf question here; I hope
> this one isn't too elementary.
>
> I have a daemon that sends and receives UDP packets on port 1337. For
> reasons, I would like to use pf on my computer (i.e. the one that
Hi again. I hope it's not unwelcome to ask a pf question here; I hope
this one isn't too elementary.
I have a daemon that sends and receives UDP packets on port 1337. For
reasons, I would like to use pf on my computer (i.e. the one that's
running the daemon) to take the daemon
bsd.org/faq/faq16.html#VMMnet
>>
>> I have trouble configuring pf to give the VM access to the internet.
>>
>> If my /etc/pf.conf contains the following lines, I don't have access to the
>> internet from the VM:
>>
>> --
>> block
04-psyche.tot...@icloud.com writes:
> Hi all,
>
> I have setup a virtual machine on my openbsd box, following the guide
> https://www.openbsd.org/faq/faq16.html#VMMnet
>
> I have trouble configuring pf to give the VM access to the internet.
>
> If my /etc/pf.conf cont
Hi all,
I have setup a virtual machine on my openbsd box, following the guide
https://www.openbsd.org/faq/faq16.html#VMMnet
I have trouble configuring pf to give the VM access to the internet.
If my /etc/pf.conf contains the following lines, I don't have access to the
internet from t
patch on
>> libexec/snmpd/snmpd_metrics/pf.c is applied correctly.
>>
>> So the bug has moved elsewhere.. but where ?
>>
>> Marc
>>
>>
>>> On 11 Jun 2024, at 17:41, Martijn van Duren
>>> wrote:
>>>
>>> movin
> > moving to tech@
> >
> > On Tue, 2024-06-11 at 15:38 +0200, Marc Boisis wrote:
> > > Like Kapetanakis I have the 64 interface desc empty:
> > > > snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64
> > > OPENBSD-PF-MIB::pfIfDescr.6
wrote:
>
> moving to tech@
>
> On Tue, 2024-06-11 at 15:38 +0200, Marc Boisis wrote:
>> Like Kapetanakis I have the 64 interface desc empty:
>>> snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64
>> OPENBSD-PF-MIB::pfIfDescr.64 = STRING:
>>
>
her device on $wired1 which it can't access (good).
At least now I have a much better understanding of the PF rules. Not
great but better.
Thanks.
Jon
That's good. Just keep at it, read the man pages, learn from other pf
configuration files you come across, and put it all together.
st now I have a much better understanding of the PF rules. Not
great but better.
Thanks.
Jon
On 2024-12-24 08:27, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic
between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other s
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from y
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from your pf.conf:
> block out quick from $wired3 to { $wired1 $wire
So new to PF, first time config.
I have my gateway with a connection to my ISP and three sub nets. The
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets. But I can't keep the req
On 24/11/11 10:13AM, Peter N. M. Hansteen wrote:
> or with G's trackers
That's where ungoogled-chromium (thankfully available as an official
package in OpenBSD) with uMatrix[1] addon come in handy.
[1]: https://github.com/gorhill/uMatrix
am used to ufw. I don't know the pf commands. Grateful for any help.
Going from any linux packet filtering to managing your packet filtering via
your favorite text editor and /etc/pf.conf is going to involve some adjustments
in approach, but I think the process will end up with something
Sirs and ladies.
I would like to build a music server using samba, minidlna, navidrome, maybe
jellyfin.
I need to know the simple firewall rules to open up the firewall for inbound
traffic for samba, jellyfin etc.
I am used to ufw. I don't know the pf commands. Grateful for any help.
On 9/25/24 14:31, Peter N. M. Hansteen wrote:
> On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
>> Another related set of examples and explanations can be found in the blog
>> post
>
> I sense a complete URL would have been beneficial here, as in
>
> https://nxdomain.no/~p
On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
> Another related set of examples and explanations can be found in the blog post
I sense a complete URL would have been beneficial here, as in
https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
On Wed, Sep 25, 2024 at 02:06:14PM +0200, Christian Schulte wrote:
> Hello @misc,
>
> I am currently searching for a way to implement sendmail's connection control
> features using pf. In sendmail I am using:
>
> dnl # Define connection throttling and
Hello @misc,
I am currently searching for a way to implement sendmail's connection control
features using pf. In sendmail I am using:
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE
>
>
>
> 1 - PF with the 'no state' rule should let the traffic flow,
> it means that PF has a bug, or
> 2 - PF behaves as expected and traffic must not flow, or
> 3 - the 'no state' rule is the wrong rule to let the traffic flow.
> If so, I ign
I have an architecture like the one of the picture in attachment,
and I have an issue with PF.
I don't know if it's a bug or maybe I should post to b...@openbsd.org.
I created a virtual network with VXLAN, it's 192.168.3.0/24.
VTEP1 and VTEP2 are connected to H3 via p2p interfaces:
10
> Several sources of useful information are available, Tom already mentioned
> The Book of PF and the article about tracking down a source of disruption
> based on netflow data.
>
> It is possible that you could find something useful in the slides for the
> latest "Network Manageme
reflect the actual traffic patterns you are dealing with.
Several sources of useful information are available, Tom already mentioned
The Book of PF and the article about tracking down a source of disruption
based on netflow data.
It is possible that you could find something useful in the slides for
Hi Marc,
are you saying you are experiencing congestion and you want to identify
the source of the congestion?
iftop and pftop can give information on the top talkers on your network,
if you want to do more comprehensive and historical analysis check out
Peter Hansteen (of Book of PF fame
Hello,
We are experiencing congestion issues with PF and I would like some help
finding the cause.
Here is what i have been able to gather so far:
ROOT:host:/root > pfctl -sm
states hard limit 60
src-nodes hard limit 6
frags hard limit 12000
tab
On 2024-09-11, WATANABE Takeo wrote:
> on Tue, 10 Sep 2024 20:22:40 +0200
> Mike Fischer wrote:
>
>> The easiest way to test whether pf(4) is interfering with your YubiKey is to
>> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem
>> persists
on Tue, 10 Sep 2024 20:22:40 +0200
Mike Fischer wrote:
> The easiest way to test whether pf(4) is interfering with your YubiKey is to
> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem
> persists then pf(4) is not the cause.
> Turn pf(4) back on again aft
The easiest way to test whether pf(4) is interfering with your YubiKey is to
temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem persists
then pf(4) is not the cause.
Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).
Note: Turning off pf(4) should
> and that I can log in with ed25519-sk key authentication if I stop pf.
>>
>> It occurred to me again that the pf.conf I had written might be the problem.
>
> It should not matter whether PF is enabled or not, as long as the loaded rules
> allow your SSH traffic to pass. I wo
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
>
> It occurred t
for key authentication using ed25519-sk.
>
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
>
> It occurred to me again that the
n the same pf.conf environment,
and that I can log in with ed25519-sk key authentication if I stop pf.
It occurred to me again that the pf.conf I had written might be the problem.
Could you please advise and discuss my pf.conf once more so that
it is more appropriate and I can log in with ed25519-s
> On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote:
> > Hello,
> > Here is my ugly script in testing which uses a postgres table to track bad
> > guys in
> > authlog and pf to lock them forever.
> > ---
> > #! /bin/ksh
> > MAX_RETRIES=2
On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote:
> Hello,
> Here is my ugly script in testing which uses a postgres table to track bad
> guys in
> authlog and pf to lock them forever.
> ---
> #! /bin/ksh
> MAX_RETRIES=2
> function finish_serving {
>
Hello,
Here is my ugly script in testing which uses a postgres table to track bad guys
in
authlog and pf to lock them forever.
---
#! /bin/ksh
MAX_RETRIES=2
function finish_serving {
echo "Finish serving";
exit 0;
}
function add_entry {
psql -U ecounter -d ecounte
hem, at relayd
>> level. It works as they never reach the web server but relayd is still
>> working to block them.
>>
>> I thought of parsing relayd logs to get those IPs and add them to a pf block
>> table, using an automated script.
>
> If the problem is
is still
> working to block them.
>
> I thought of parsing relayd logs to get those IPs and add them to a pf block
> table, using an automated script.
If the problem is that there are a lot of requests from the same hosts coming
in rapid-fire, it is
possible that state tracking rules with
IPs and add them to a pf block
table, using an automated script.
I also thought of using tags to forward the connections to a program that would
add the IP to the pf block table.
Would there be a simpler / smarter way to have relayd add an IP matching a
block rule into a pf table?
Thanks,
Joel
gateway
# routing
route add 135.32.101.17 192.168.1.254 # point vpn_public_ip to local gateway
So it seems my understanding of this pf rule is incorrect.
Can anyone help me use pf to override the default gateway?
Thanks!
Hi, kolipe-SAN.
on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe wrote:
> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>>
>> Would you be willing to discuss how to write pf.conf?
>>
>> I'm using OpenBSD 7.5 AMD.
>> I want to limit the packets going in and out
ast
> until I get functionality I want. I have busy firewalls which block and
> log ~300 packets per second, pf handles it really well.
>
> Try something like:
>
> (temporarily remove `antispoof quick` until rest works, keep it above)
> block log all
> pass in on vio0 (what you
to add that I tried to load the pf.conf file you sent;
it looks like it works. (I did a quick test to see if the HTTP- and
SMTP-server are reachable.)
The loaded rules as returned by `pfctl -sr` would not allow much of your
desired traffic. However they do allow NDP traffic.
Your vio0 interface
v
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
> moegi#
Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl
-sr` do not match. Did yo
Hi, Souji-SAN.
Thank you so much for your advice.
We will reply to you in due course.
on Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria" wrote:
> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a descripti
ich rules out the need for net.inet.ip.forwarding sysctl.
My general rule of the thumb is to log all blocked packets, at least
until I get functionality I want. I have busy firewalls which block and
log ~300 packets per second, pf handles it really well.
Try something like:
(temporarily remove `
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
>
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
>
> 1. reject in principle : block all
> 2. when rejecting packets, do n
On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.
The config looks ok so far; I don't see any problems.
Can you run 'pfctl -
Dear Sirs,
Would you be willing to discuss how to write pf.conf?
I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows
1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out of the hos
I'm working on setting up an OpenBSD box to perform CLAT services for 464XLAT
on my network. v4-only clients will be behind the pf box, which uses af-to to
translate v4 packets to v6 and send them to my border NAT64 gateway.
Things are working pretty well, but I've bumped into an
cannot be used
> as a conventional proxy (set up on the browser config). Reading the
> pf.conf man seems that there isn't a way to do that.
is the sslsplit transparent proxy running on the same machine on which
your web browsing happens? If the answer is yes, then PF simple rdr-to
w
wants to send to my wireguard link (configured on this router) so I cooked up a
pf(4) line to match packets coming *in* on em2:
pass in on em2 proto tcp from 192.168.0.3 to (wg0:network) port
$nvr_wg0_a
out").
Also I tried to make an IF alias like this
ifconfig em0 inet 192.168.0.6 255.255.255.0
ifconfig em0 inet alias 192.168.0.7 255.255.255.0
my gw is 192.168.0.1
I put listening the sslsplit on 192.168.0.7 (the alias) port 10443 and I
make a pf rule like this:
pass out log on em0 proto tcp
the 'tables' [1] structure with pf
1. https://man.openbsd.org/pf.conf#TABLES
Sorry for the noise, I misread your question :P
--
Willy Manga
Hi,
On 12/06/2024 12:50, Kapetanakis Giannis wrote:
Hi,
[...]
2) I've found this tool yesterday (iprange) that its job is to optimize large
sets of IPs/Networks
https://github.com/firehol/iprange/wiki
I think that's why you have the 'tables' [1] st
Hi,
I have a couple of questions about pf tables.
1) Does it use radix tree and especially Patricia tree?
Trying to read the code and searches on web pointed to that.
2) I've found this tool yesterday (iprange) that its job is to optimize large
sets of IPs/Networks
https://github.c
> > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only
> > > > 64 physicals and carp interfaces but not my 45 vlan interfaces.
> > > >
> > > > My /etc/snmpd.conf
> > > > ROOT:amdrg2:/root > cat /etc/snmpd.con
On 11/06/2024 15:34, Martijn van Duren wrote:
> On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
>> On 10/06/2024 18:43, Marc Boisis wrote:
>>> Hello,
>>>
>>> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
Like Kapetanakis I have the 64 interface desc empty:
> snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64
OPENBSD-PF-MIB::pfIfDescr.64 = STRING:
So can we imagine a limit of 64 interfaces in the snmp (snmpd_metrics) code ?
> On 11 Jun 2024, at 14:34, Martijn van Duren
On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
> On 10/06/2024 18:43, Marc Boisis wrote:
> > Hello,
> >
> > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> > physicals and carp interfaces but not my 45 vlan in
On 10/06/2024 18:43, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> physicals and carp interfaces but not my 45 vlan interfaces.
>
> My /etc/snmpd.conf
> ROOT:amdrg2:/root > cat /etc/snmpd.conf
> li
Hello Marc,
I don't have access to such a machine, but my vlan interfaces do show up
for me. Could you try and find a reproducer?
martijn@
On Mon, 2024-06-10 at 17:43 +0200, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I ha
Hello,
I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
physicals and carp interfaces but not my 45 vlan interfaces.
My /etc/snmpd.conf
ROOT:amdrg2:/root > cat /etc/snmpd.conf
listen on 127.0.0.1 snmpv2c
read-only community public
"pfctl -sI" li
leaves, right?
Right.
> what does the gateway's routing table say about how to reach the destination
> network?
Good question. Does it matter what the routing table contains, when I am
explicitly specifying where to send a packet via a pf rule?
In any case, here it is:
mjoelnir:/etc 7
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > pfctl reports:
> > # pfctl -vvs rules | grep @
> > @0 block return log all
> > @1 pass in log on em0 inet proto udp from 192.168.178.16