Re: pf problem / maybe bug in parser

2009-07-17 Thread Miod Vallat
> > You wouldn't complain if you put a 'rm -f /' at the end of > > /etc/rc.local, now would you ? You won't get a warning for it either. > > that can be fixed. > > Index: rm.c > === > RCS file: /cvs/src/bin/rm/rm.c,v > retrieving rev

Re: pf problem / maybe bug in parser

2009-07-17 Thread Stuart Henderson
On 2009-07-17, Paul de Weerd wrote: > > You wouldn't complain if you put a 'rm -f /' at the end of > /etc/rc.local, now would you ? You won't get a warning for it either. that can be fixed. Index: rm.c === RCS file: /cvs/src/bin/rm/

Re: pf problem / maybe bug in parser

2009-07-17 Thread Daniel Gracia Garallar
Holger, we should adhere to the KISS principle. So, pf rulesets are fine like they are if they are working as expected, and this is our case. If you're missing some warning feature maybe you would try to write an aux app -à la lint for C- that could parse a pf.conf and look for suspect behaviour.

Re: pf problem / maybe bug in parser

2009-07-17 Thread Paul de Weerd
On Fri, Jul 17, 2009 at 11:11:22AM +0200, Holger Glaess wrote: | you are right but I think it is really helpful if pfctl gives a | warning if it finds that kind of line, so that you can decide if this | rule is wanted or a typo that has to be corrected. And the next guy wants a warning when you blo

Re: pf problem / maybe bug in parser

2009-07-17 Thread Holger Glaess
> On Fri, Jul 17, 2009 at 10:35:03AM +0200, Holger Glaess wrote: > | sorry ... for my bad ugly English, I have less practice. > | > | > | I talk about a line with just "pass", nothing else. > | > | > | example. > | > | pf.conf - > | > | > | block in on wan all > | block out on wan

Re: pf problem / maybe bug in parser

2009-07-17 Thread Paul de Weerd
On Fri, Jul 17, 2009 at 10:35:03AM +0200, Holger Glaess wrote: | sorry ... for my bad ugly English, I have less practice. | | | I talk about a line with just "pass", nothing else. | | | example. | | pf.conf - | | | block in on wan all | block out on wan all | | # correct li

Re: pf problem / maybe bug in parser

2009-07-17 Thread Holger Glaess
> On Fri, Jul 17, 2009 at 09:59:51AM +0200, Holger Glaess wrote: > >> hi >> >> as a result of misconfiguration I found a line >> with just a "pass". >> >> why did the pfctl syntax parser not detect a single lonely pass? >> >> is this command first valid if it has options, parameters like >>

Re: pf problem / maybe bug in parser

2009-07-17 Thread Paul de Weerd
On Fri, Jul 17, 2009 at 09:59:51AM +0200, Holger Glaess wrote: | hi | | as a result of misconfiguration I found a line | with just a "pass". | | why did the pfctl syntax parser not detect a single lonely pass? | | is this command first valid if it has options, parameters like | on interf

Re: pf problem / maybe bug in parser

2009-07-17 Thread Otto Moerbeek
On Fri, Jul 17, 2009 at 09:59:51AM +0200, Holger Glaess wrote: > hi > > as a result of misconfiguration I found a line > with just a "pass". > > why did the pfctl syntax parser not detect a single lonely pass? > > is this command first valid if it has options, parameters like > on inter

Re: pf problem / maybe bug in parser

2009-07-17 Thread Stuart Henderson
On 2009-07-17, Holger Glaess wrote: > hi > > as a result of misconfiguration I found a line > with just a "pass". > > why did the pfctl syntax parser not detect a single lonely pass? > > is this command first valid if it has options, parameters like > on interface from a to b? > > > in my

pf problem / maybe bug in parser

2009-07-17 Thread Holger Glaess
hi, as a result of misconfiguration I found a line with just a "pass". Why did the pfctl syntax parser not detect a single lonely pass? Is this command first valid if it has options, parameters like on interface from a to b? In my mind the parser has to bring at least a warning; it kil

Re: pf problem

2009-05-07 Thread Marco Fretz
hi, maybe synproxy is conflicting somehow with rdr states? Try keep state instead, just to test it... but I'm not sure. As Dan said, do a "block log all" and run tcpdump on pflog0 while you're trying to connect. You can also do this, I like tagging :) rdr on $ext_if proto tcp from any to $ext_if

Re: pf problem

2009-05-07 Thread Dan
Daniel Boyd(dan...@boydemail.com)@2009.05.07 13:26:42 -0500: > I'm having some problems getting pf to forward ports. My computer is > running a fresh install of OpenBSD 4.5. > > My internal network is using 172.17.2.0/24 and I need pf to do NAT and > forward some ports to two internal servers.

pf problem

2009-05-07 Thread Daniel Boyd
I'm having some problems getting pf to forward ports. My computer is running a fresh install of OpenBSD 4.5. My internal network is using 172.17.2.0/24 and I need pf to do NAT and forward some ports to two internal servers. NAT is working just fine, (e.g. the internal computers can browse th

Re: How to debug IPSec and PF problem

2008-10-29 Thread Mikel Lindsaar
On Wed, Oct 29, 2008 at 8:06 PM, Christoph Leser <[EMAIL PROTECTED]> wrote: >> On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: >> >I've got a VPN running between two networks. Works fine for >> basically >> If so why would traffic from one LAN host at the 192.168.4. >> end be any differen

Re: How to debug IPSec and PF problem

2008-10-29 Thread Christoph Leser
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On behalf of Rod Whitworth > Sent: Wednesday, 29 October 2008 07:47 > To: OpenBSD general usage list > Subject: Re: How to debug IPSec and PF problem > > > On Wed, 29 Oct

Re: How to debug IPSec and PF problem

2008-10-29 Thread Rod Whitworth
On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: >Hi all, > >I've got a VPN running between two networks. Works fine for basically >everything and very easy to setup, kudos to the guys that worked on >ipsecctl and isakmpd. > >I have one problem though that I am trying to debug. > >Network

How to debug IPSec and PF problem

2008-10-28 Thread Mikel Lindsaar
Hi all, I've got a VPN running between two networks. Works fine for basically everything and very easy to setup, kudos to the guys that worked on ipsecctl and isakmpd. I have one problem though that I am trying to debug. Network looks like this: 192.168.11.250# Asterisk1 |

strange pf problem with 4.3 and vlans

2008-06-27 Thread Thomas Börnert
I use openbsd 4.3 i386 with vlans over a bridge and traffic is filtered. When I add the vlan116 after vlan120 to the bridge, traffic on the vlan120 will be filtered by pf on the vlan116. In pf.conf I need "pass in on vlan116" for incoming traffic on vlan120. If I add the vlans in the correct ord

pf problem with large table on -current

2008-05-13 Thread Chris Smith
Hello, I'm trying to use a large table stored in a file with pf on -current but on system reboot pf chokes with Cannot Allocate Memory. However, once the system is running (and unfortunately for some reason I cannot ssh in when this happens so I have to be in front of it) I can load the table

Re: pf problem -current

2008-05-12 Thread Rafal Brodewicz
On Sun, May 11, 2008 at 10:11:14PM +0200, Rafal Brodewicz wrote: > Hi. > I have a problem with pf on -current. It's enabled, but it doesn't work. > It's behaving like there was an empty pf.conf. make includes in /usr/src/include solved the problem. Thanks anyway.

pf problem -current

2008-05-12 Thread Rafal Brodewicz
Hi. I have a problem with pf on -current. It's enabled, but it doesn't work. It's behaving like there was an empty pf.conf. Thanks for any help. cc -O2 -pipe -Wall -Wmissing-prototypes -Wno-uninitialized -Wstrict-prototypes -I/usr/src/sbin/pfctl -c /usr/src/sbin/pfctl/pfctl.c /usr/src/sbin/pfctl

Re: PF problem? Connection reset, but only from behind NAT.

2006-02-20 Thread viq
On Monday 20 February 2006 02:52, Reid Nichol wrote: > I had something like this problem awhile ago. It had to do with > something regarding the default max-mss values. Don't know the exact > details, but changing the scrub lines to the below solved my issue, > perhaps yours too. > > > scrub in a

Re: PF problem? Connection reset, but only from behind NAT.

2006-02-19 Thread Reid Nichol
> No set options in pf.conf, I had "scrub in", then changed to "scrub > in on > $ext_if", then commented it out entirely. > Quite simple NAT, a couple of rules redirecting incoming traffic, "pass > out keep > state". Or should I paste the whole thing? > > 3.9 GENERIC#597 i386, snapshot from 5th/6th Feb, o

Re: PF problem? Connection reset, but only from behind NAT.

2006-02-19 Thread viq
Kind soul hinted at the presence of /var/run/dmesg.boot, so as not to waste that advice, here it is ;) OpenBSD 3.9-beta (GENERIC) #597: Sun Feb 5 21:14:35 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Athlon(tm) Processor ("AuthenticAMD" 686-class, 1KB L2 cache)

PF problem? Connection reset, but only from behind NAT.

2006-02-19 Thread viq
Ok, this is crazy. I read about that new OpenBSD LiveCD so I wanted to try it. (http://g.paderni.free.fr/olivebsd/) I click on the page and... Nothing happens. Neither in Opera nor Firefox (that's my desktop, linux). So, just to verify, I open it via lynx from my OpenBSD router, and it opens...

Re: Transparent ISP proxy problem or PF problem

2005-12-12 Thread Alexander Iliev
Hi again, Steve. > With any potential MTU issue I always start with something like > "ping -vDs 1472 arenabg.com" from various hosts and routers. > As you vary the sizes you should receive either an echo-reply or a > packet-too-big (confirm with a packet sniffer). If you don't receive any > re

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Alexander Iliev
2005/12/7, Steve Welham <[EMAIL PROTECTED]>: > > I tried to connect the cable for the internet directly to one > > of the client machines behind the firewall (Debian GNU/Linux > > 3.1) and the site loads perfectly, so I came to the > > conclusion that my PF rules are blocking the packets. So, I > >

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Alexander Iliev
2005/12/7, Stuart Henderson <[EMAIL PROTECTED]>: > >> Your test with 'telnet' gives small enough packets that it probably > >> won't be affected by PMTU problems. > > > > The conclusion that my problem is not PMTU related did not come > > from the telnet test. From what I've read on this, I think t

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Stuart Henderson
Your test with 'telnet' gives small enough packets that it probably won't be affected by PMTU problems. The conclusion that my problem is not PMTU related did not come from the telnet test. From what I've read on this, I think that decreasing the mtu on my side enough should remove the problem

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Steve Welham
> I tried to connect the cable for the internet directly to one > of the client machines behind the firewall (Debian GNU/Linux > 3.1) and the site loads perfectly, so I came to the > conclusion that my PF rules are blocking the packets. So, I > left a minimal PF setup (pass all keep state + NAT

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Alexander Iliev
2005/12/7, Stuart Henderson <[EMAIL PROTECTED]>: > --On 07 December 2005 12:33 +0200, Alexander Iliev wrote: > > > So far so good - the setup works very well with just one problem. My > > ISP passes the traffic for two certain sites through a transparent > > proxy. I reached to this conclusion due

Re: Transparent ISP proxy problem or PF problem

2005-12-07 Thread Stuart Henderson
--On 07 December 2005 12:33 +0200, Alexander Iliev wrote: So far so good - the setup works very well with just one problem. My ISP passes the traffic for two certain sites through a transparent proxy. I reached to this conclusion due to the following: It may be that the site is using Squid as

Transparent ISP proxy problem or PF problem

2005-12-07 Thread Alexander Iliev
Hi there. First I want to state that I don't claim the problem I'm describing below to be an OpenBSD problem. It looks to me like a problem in the particular set of setups between me, my ISP and the problem site. Now, to the problem. I'm using an OpenBSD 3.8-release box as a router between a private n

Re: web server pf problem

2005-08-30 Thread Todd Boyer
On Tuesday, August 30, 2005, [EMAIL PROTECTED] wrote: > So my problem is that I can't access any of my web servers via the internet but it works locally Locate these pf.conf rules: > block all > pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA synproxy state > pass in on $ext_

web server pf problem

2005-08-30 Thread amansnews
Hi, I have a problem with OpenBSD with pf. I am trying to do [(fxp0) - 100.0.100.10] -> [web server 1 (100.0.100.1)] | [openbsd (xl0)] <---> Internet | [(sis0) - 100.0.200.10] -> [web server 2 (100.0.200.1)] I hope it's clear enough... So my problem is that I can't access any of my we

pf problem

2005-08-04 Thread westboy
hi: the content of my pf.conf is #set macros ext_if="vr0" int_if="bge0" ext_ip="222.185.xxx.xxx" int_ip="192.168.0.1" webserver="192.168.0.2" priv_net="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}" scrub in all #give NAT to the internal address nat on $ext_if from $webserver to any ->$ext_

carp on ip-less interfaces and pf problem

2005-06-30 Thread luis fernando
Hi all. I've configured an old Pentium III with OpenBSD 3.7 like this: x.y.z.240/29 --rl1|gateway|rl0 --x.y.z.248/29 | rl2 /etc/hostname.rl0 up /etc/hostname.rl1 up /etc/hostname.rl2 inet 192.168.1.1 255.255.255.0 NONE /etc/hostname

Re: cvsup through pf problem

2005-05-06 Thread jared r r spiegel
On Fri, May 06, 2005 at 01:35:12PM +0200, Didier Wiroth wrote: > I've to disable pf to be able to make cvsup updates. > > Tcpdump on pflog0 does not show any blocked/dropped traffic. are you actually having 'log' in every instance of 'block' action in pf.conf? if disabling pf lets every

Re: cvsup through pf problem

2005-05-06 Thread Rogier Krieger
On 5/6/05, Didier Wiroth <[EMAIL PROTECTED]> wrote: > I have a pf firewall(-bridge) with a cvsup looking like this: > pass in quick on fxp1 inet proto tcp from to any port = cvsup > flags S/SA keep state If I recall correctly, cvsup should work fine with any firewall permitting outbound connectio

cvsup through pf problem

2005-05-06 Thread Didier Wiroth
Hello, I have a pf firewall(-bridge) with a cvsup looking like this: pass in quick on fxp1 inet proto tcp from to any port = cvsup flags S/SA keep state Unfortunately cvsup does not pass through the firewall(-bridge) (for every cvsup server I try I have the same problem): Connecting to cvsup.no.