> On 20 Mar 2025, at 12:46, Kihaguru Gathura wrote:
>
> Hello,
>
> Using parentheses around the interface (from 41.90.23.240 to ($ext_if) port
> ssh modulate state) name tells pf to re-resolve the address dynamically
> whenever the interface is ready during the reboot giving time for pf rule
, 10:23 Kihaguru Gathura,
wrote:
> Hello,
>
> OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
> found for em0 /etc/pf.conf:26: could not parse host specification).
> However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
>
, 10:30 Kihaguru Gathura,
wrote:
> Hello,
>
> OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
> found for em0 /etc/pf.conf:26: could not parse host specification).
> However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
>
On 2025-03-20, Kihaguru Gathura wrote:
>
> OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
> found for em0 /etc/pf.conf:26: could not parse host specification).
> However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
> m
Hi Peter,
I've done a bit of homework. The machine is connected to a public static IP
via LTE modem on bridge mode.
To inform pf a bit more, I updated the pf.conf file with the following
lines:
pass in on em0 from 41.90.23.0/24 to 41.90.23.240
pass out on em0 from 41.90.23.240 to 41.90.23
On Thu, Mar 20, 2025 at 07:23:20PM +1100, Jon Higgs wrote:
> Looks like you might have missed an "inet". :)
Yes, that's it exactly. If you leave out the protocol specification,
the rule will apply to both inet and inet6, which will of course fail
if the interface does not have an IPv6 address assig
On Thu, Mar 20, 2025 at 10:23:12AM +0300, Kihaguru Gathura wrote:
> OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
> found for em0 /etc/pf.conf:26: could not parse host specification).
> However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /e
On 20/03/25 10:23, Kihaguru Gathura wrote:
> What are the potential scenario causing the line 26 (from 41.90.23.240
> to $ext_if port ssh modulate state) to present itself as syntax error
> during restart?
Looks like you might have missed an "inet". :)
Hello,
OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
found for em0 /etc/pf.conf:26: could not parse host specification).
However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
manually after logging in gets the rules loaded successfull
On Wed, Dec 18, 2024 at 11:51:26AM +1000, David Gwynne wrote:
>if you're feeling brave you can try the diff i sent to the 'PPPoE
>passthrough with "GigaHub" is very slow' thread on misc@ a week or so
>ago which skips the queue for pppoe data packets.
It took a while, but yesterday I installed a sn
On Thu, Jan 02, 2025 at 04:17:23PM +1000, David Gwynne wrote:
>On Thu, Dec 19, 2024 at 10:48:41PM +0100, Maurice Janssen wrote:
>> On Thu, Dec 19, 2024 at 09:40:20AM +1000, David Gwynne wrote:
>> >
>> >> On 19 Dec 2024, at 08:20, David Gwynne wrote:
>> >>
>> >>> On 19 Dec 2024, at 02:17, Maurice
On Thu, Dec 19, 2024 at 10:48:41PM +0100, Maurice Janssen wrote:
> On Thu, Dec 19, 2024 at 09:40:20AM +1000, David Gwynne wrote:
> >
> >> On 19 Dec 2024, at 08:20, David Gwynne wrote:
> >>
> >>> On 19 Dec 2024, at 02:17, Maurice Janssen wrote:
> >>> kstat(1) shows me that there are (nearly) no e
On Sat, Dec 28, 2024 at 08:18:29PM +0200, Kapetanakis Giannis wrote:
>On 19/12/2024 23:53, Maurice Janssen wrote:
>> On Thu, Dec 19, 2024 at 01:39:23PM +0200, Kapetanakis Giannis wrote:
>> > On 18/12/2024 18:22, Maurice Janssen wrote:
>> > > I moved the rules for the NTP traffic to the top and this
On 19/12/2024 23:53, Maurice Janssen wrote:
On Thu, Dec 19, 2024 at 01:39:23PM +0200, Kapetanakis Giannis wrote:
On 18/12/2024 18:22, Maurice Janssen wrote:
I moved the rules for the NTP traffic to the top and this seems to improve
things. But I'll leave it overnight to have some better stats
On Thu, Dec 19, 2024 at 01:39:23PM +0200, Kapetanakis Giannis wrote:
>On 18/12/2024 18:22, Maurice Janssen wrote:
>> I moved the rules for the NTP traffic to the top and this seems to improve
>> things. But I'll leave it overnight to have some better stats in the
>> morning.
>>
>> Best regards,
>>
On Thu, Dec 19, 2024 at 09:40:20AM +1000, David Gwynne wrote:
>
>> On 19 Dec 2024, at 08:20, David Gwynne wrote:
>>
>>> On 19 Dec 2024, at 02:17, Maurice Janssen wrote:
>>> kstat(1) shows me that there are (nearly) no errors on the rx side, but
>>> showed about 470k dropped packets (qdrops) on t
On 18/12/2024 18:22, Maurice Janssen wrote:
> I moved the rules for the NTP traffic to the top and this seems to improve
> things. But I'll leave it overnight to have some better stats in the
> morning.
>
> Best regards,
> Maurice
Jumping in since I've also recently added an ntp server in ntppool
> On 19 Dec 2024, at 08:20, David Gwynne wrote:
>
>
>
>> On 19 Dec 2024, at 02:17, Maurice Janssen wrote:
>>
>> On Wed, Dec 18, 2024 at 11:51:26AM +1000, David Gwynne wrote:
>>> Hey Maurice,
>>>
>>> bluhm@ just did a talk at eurobsdcon that might help you understand the
>>> different poin
> On 19 Dec 2024, at 02:17, Maurice Janssen wrote:
>
> On Wed, Dec 18, 2024 at 11:51:26AM +1000, David Gwynne wrote:
>> Hey Maurice,
>>
>> bluhm@ just did a talk at eurobsdcon that might help you understand the
>> different points to look at. my tldr version is if packets are being
>> dropped
On Wed, Dec 18, 2024 at 11:21:44AM -, Stuart Henderson wrote:
>On 2024-12-18, Janne Johansson wrote:
>>> I have an NTP server behind an OpenBSD firewall / router and seeing some
>>> packet loss. The NTP server (Leontp 1200) should be able to handle the
>>> load easily, so I suspect the packet
On Wed, Dec 18, 2024 at 11:51:26AM +1000, David Gwynne wrote:
>Hey Maurice,
>
>bluhm@ just did a talk at eurobsdcon that might help you understand the
>different points to look at. my tldr version is if packets are being
>dropped on the firewall it will be somewhere in the receive path. my
>experie
On 2024-12-18, Janne Johansson wrote:
>> I have an NTP server behind an OpenBSD firewall / router and seeing some
>> packet loss. The NTP server (Leontp 1200) should be able to handle the
>> load easily, so I suspect the packet loss occurs at the firewall/router
>> or elsewhere.
>> My first suspe
> I have an NTP server behind an OpenBSD firewall / router and seeing some
> packet loss. The NTP server (Leontp 1200) should be able to handle the
> load easily, so I suspect the packet loss occurs at the firewall/router
> or elsewhere.
> My first suspect was the state table on the firewall/route
30k, well below the limit. The load
> on the router is also quite low (~98% idle).
>
> However, packet loss remains, albeit slightly lower.
>
> My second thought was that the switch may be dropping packets during peaks,
> as it has to buffer due to the difference in link s
buffer due to the difference in link speeds. The
Leontp has a 100 Mbps interface, while the rest is at 1 Gbps.
I added a 95M queue in my pf.conf with a qlimit of 1000, effectively
reducing the link speed between the OpenBSD and the switch to < 100
Mbps, but the packet loss remains.
pfctl -sq
On 9/25/24 14:31, Peter N. M. Hansteen wrote:
> On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
>> Another related set of examples and explanations can be found in the blog
>> post
>
> I sense a complete URL would have been beneficial here, as in
>
> https://nxdomain.no/~p
On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
> Another related set of examples and explanations can be found in the blog post
I sense a complete URL would have been beneficial here, as in
https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
On Wed, Sep 25, 2024 at 02:06:14PM +0200, Christian Schulte wrote:
> Hello @misc,
>
> I am currently searching for a way to implement sendmail's connection control
> features using pf. In sendmail I am using:
>
> dnl # Define connection throttling and window length
> define(`confCONNECTION_RATE_T
t-rate, set delay, queueing, state modulation but still fail
to get the full picture.
Following is the pf.conf I am currently using I would like to extend to get
those features. Thanks.
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
se
Hi, kolipe-SAN.
on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe wrote:
> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>>
>> Would you be willing to discuss how to write pf.conf?
>>
>> I'm using OpenBSD 7.5 AMD.
>>
Hi.
on Mon, 5 Aug 2024 12:34:18 +0200
Marko Cupać wrote:
> Having only one network interface, I assume this firewall protects
> machine it resides on (a server), not network behind it (a router /
> firewall), which rules out the need for net.inet.ip.forwarding sysctl.
I see.
A lot of the mate
>>
>> The config looks ok so far; I don't see any problems.
>>
>> Can you run 'pfctl -s rules' and send the command output?
>> You can also run 'tcpdump' on the interface. Can you see in-coming or
>> out-coming packages for your specif
ny problems.
>>
>> Can you run 'pfctl -s rules' and send the command output?
>> You can also run 'tcpdump' on the interface. Can you see in-coming or
>> out-coming packages for your specified ports?
>
> We are sending you the results of the "
' on the interface. Can you see in-coming or
> out-coming packages for your specified ports?
We are sending you the results of the "pfctl -s rules" run,
the results of the "pfctl -vnf /etc/pf.conf" run
and the original "pf.conf" as attachments, just in case.
Th
On Mon, 05 Aug 2024 00:36:18 +0900 (JST)
WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
Having only one network interface, I assume this firewall protects
machine it resides on (a server), not network behind it (a router /
firewall), wh
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
>
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
>
> 1. reject in principle : block all
>
'pfctl -s rules' and send the command output?
You can also run 'tcpdump' on the interface. Can you see in-coming or
out-coming packages for your specified ports?
pf.conf
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ d
Dear Sirs,
Would you be willing to discuss how to write pf.conf?
I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows
1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out o
I started my RADXIDE peeking code (MIT) from
https://github.com/aplsimple/alited/
My RADXIDE has been launched in a few days and it has no syntax highlighting.
Alited is written completely in a simple Tcl/tk and it has syntax highlighting
functionalities.
Alex is also, often, available and frien
On Tue, Jul 23, 2024 at 12:22 PM wrote:
>
> On Tue, Jul 23, 2024 at 03:46:56PM +0100, Tom Smyth wrote:
> >Folks,
> >I'm wondering had anyone tried to make a syntax highlighting for pf.conf
> >syntax,
> >
> >to help folks new to the pf.conf syntax in the ed
On Tue, Jul 23, 2024 at 03:46:56PM +0100, Tom Smyth wrote:
>Folks,
>I'm wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
>
>to help folks new to the pf.conf syntax in the editor of their choice...
>
>I was thinking that this approach might be lower ha
I think vim already has it.
share/vim/${P}/syntax/pf.vim
> On 23 Jul 2024 at 16:49, Tom Smyth wrote:
>
> Folks,
> I'm wondering had anyone tried to make a syntax highlighting for pf.conf
> syntax,
>
> to help folks new to the pf.conf syntax in the editor of their
On 23/07/24 16:46, Tom Smyth wrote:
Folks,
I'm wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
to help folks new to the pf.conf syntax in the editor of their choice...
I was thinking that this approach might be lower hanging fruit rather
than trying to write a rule
Folks,
I'm wondering had anyone tried to make a syntax highlighting for pf.conf syntax,
to help folks new to the pf.conf syntax in the editor of their choice...
I was thinking that this approach might be lower hanging fruit rather
than trying to write a rule editor in nsh (for now at least), and
On Mon, Jul 15, 2024 at 6:33 AM Irreverent Monk wrote:
> pass in on egress inet6 proto icmp6 all \
>
> icmp6-type { routeradv neighbrsol neighbradv }
>
> pass in on egress inet6 proto udp \
>
> from fe80::/10 port dhcpv6-server \
>
> to fe80::/10 port dhcpv6-client \
>
> no state
>
>
> bl
On 2024-07-15, Irreverent Monk wrote:
> Question 1: What's causing inbound ssh to only work with IP address and
> not DNS name?
No idea about that, there's no reason for this to affect anything unless
the DNS is broken or returning an incorrect address etc (or returning
a v6 address if you have
rl-C]
### Here's my sshd_config:
# grep -v ^# /etc/ssh/sshd_config
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
### Here is my /etc/pf.conf
# cat /etc/pf.conf
ext_if="ix0" # external interface/egr
Hello,
I just want to share my solution taken from "Building Linux and OpenBSD
firewalls" (av. on the Internet Archive) to solve the no traffic problem
caused by the "block in all" statement.
I moved the following statements:
# dns
pass in quick on $all_ifs proto udp from any port domain to any
://bsd.network/@dch/110501874752402311) they said:
"@pitrh I’m still waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious
if “explain to me this pf.conf in plain english” would work. :-)
Probably about as well. It's
:
"@pitrh I’m still waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious if
“explain to me this pf.conf in plain english” would work. :-)
Probably about as well. It's the "Chinese Room" AI concept
ll waiting for it to explain my pf .conf setup to me”
Which is kinda the inverse of “make me a pf.conf file”. I am curious if
“explain to me this pf.conf in plain english” would work. :-)
Sean
Prompted by a followup on Mastodon, I was enticed to see what feeding a prose
spec
for a pf.conf to ChatGPT would produce.
TL;DR: it failed miserably, but in a way that would have led the gullible to
try it out raw, leading them down a route that would lead to loads of misery
and frustration
):
> > > I have a question regarding queuing and priorities in pf.conf on
> > > OpenBSD 7.2.
> > >
> > > I have a basic gateway configuration - a PC with two NICs (em0, em1). One
> > > interface is connected to the LAN and one interface is connecte
lso does this.
>
> Good that you noticed that, but it's unnecessary. pf is smart enough to know
> what traffic to apply it to. It's good to compare the output of pfctl(8) to
> know
> exactly what's changing and how things are getting parsed (`pfctl -s rules`,
> `pfc
h I view her configuration itself as a bit of a special
case. I've experimented with configurations that complex, and these days I
mostly stick to the simple one rule configuration mentioned in pf.conf(5) under
QUEUEING.
> match out on $ext_if inet proto tcp set queue dataq set prio (5, 6)
On 2023-01-13 18:09, J Doe wrote:
Hello,
I have a question regarding queuing and priorities in pf.conf on OpenBSD
7.2.
I have a basic gateway configuration - a PC with two NICs (em0, em1).
One interface is connected to the LAN and one interface is connected to
the Internet with a p
On 2023-01-14 11:37, Marcus MERIGHI wrote:
Hello,
not an answer but a little input below...
gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):
I have a question regarding queuing and priorities in pf.conf on
OpenBSD 7.2.
I have a basic gateway configuration - a PC with two
Hello,
not an answer but a little input below...
gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):
> I have a question regarding queuing and priorities in pf.conf on
> OpenBSD 7.2.
>
> I have a basic gateway configuration - a PC with two NICs (em0, em1). O
Hello,
I have a question regarding queuing and priorities in pf.conf on OpenBSD
7.2.
I have a basic gateway configuration - a PC with two NICs (em0, em1).
One interface is connected to the LAN and one interface is connected to
the Internet with a public IP and with a bandwid
Hello,
On Mon, Oct 10, 2022 at 06:52:00AM +0200, Bjorn Ketelaars wrote:
>
> (reply also send to tech@)
>
> In 2011 henning@ removed fiddling with the ip checksum of normalised
> packets in sys/net/pf_norm.c (r1.131). Rationale was that the checksum
> is always recalculated in all output paths a
d checksums [0]. At first I believed this was the result of
> hardware checksum offloading. However, after some more digging I found
> that my pf.conf was to blame, specifically:
>
> match inet scrub (max-mss 1460, no-df, random-id)
>
> Removing `no-df` and `random-id` as argumen
rdware checksum offloading. However, after some more digging I found
that my pf.conf was to blame, specifically:
match inet scrub (max-mss 1460, no-df, random-id)
Removing `no-df` and `random-id` as argument causes mcast-proxy to
accept all incoming IGMP packets resulting in a working solution.
After g
ternet via pppoe(4), which uses em(4)
> as the physical interface.
>
> The router has a /etc/hostname.wg0 file that connects it as a client to
> my VPN provider on boot. Then, /etc/pf.conf has a nat-to rule for
> WireGuard, for IP masquerading. Here's said rule:
>
> match
Hello. I have an APU4D4 running OpenBSD and acting as a router for my
home network. It connects to the Internet via pppoe(4), which uses em(4)
as the physical interface.
The router has a /etc/hostname.wg0 file that connects it as a client to
my VPN provider on boot. Then, /etc/pf.conf has a nat
.255.255
host min : 0.0.0.1
host max : 127.255.255.254
hosts/net : 2147483646
> Since I don't want to filter any of the Wireguard traffic, at the top of
> the pf.conf, I have:
> set skip on wg0
You might not want to _filter_ it, but for some configurations you may
find i
Hello!
hamdi201...@gmail.com (Andreas X), 2020.12.29 (Tue) 13:53 (CET):
> > > I happen to come across this blog today that may help
> > > you clarify some of your questions:
> >
> > https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-con
>
>
>
> > I happen to come across this blog today that may help
> > you clarify some of your questions:
> >
>
>
> https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-connect-through-it/
>
> I hope it helps. I am planning to set up one m
Hi,
wgport 53
Unbound is configured to only listen on the loopback interface, so that
shouldn't be interfering...
But it does
https://www.mail-archive.com/misc@openbsd.org/msg175837.html
Hi Steve,
On 20/12/28 04:14PM, Steve Williams wrote:
> ...
>
> I am not sure where my issue is...
I am going to cut to the chase here since I am no wireguard or OpenBSD
expert; however, I happen to come across this blog today that may help
you clarify some of your questions:
https://ozgur.kazanc
wedIPs = 0.0.0.0/1
Endpoint = :53
Since I don't want to filter any of the Wireguard traffic, at the top of
the pf.conf, I have:
set skip on wg0
Then I am allowing incoming traffic to port 53.
# Wireguard running on DNS port
pass in on egress inet proto udp from any to (egress) port { dom
On Mon, Dec 21, 2020 at 07:28:54PM -0800, Sean Kamath wrote:
> > On Dec 21, 2020, at 14:24, Aham Brahmasmi wrote:
> > For the defaults, I try to explicitly write some of them sometimes. I
> > find this helpful because it is difficult for me to remember what the
> > defaults are. However, I do unde
> On Dec 21, 2020, at 14:24, Aham Brahmasmi wrote:
> For the defaults, I try to explicitly write some of them sometimes. I
> find this helpful because it is difficult for me to remember what the
> defaults are. However, I do understand that I run the risk of being
> caught unawares if the defaults
Namaste Peter,
Tusen takk for your reply.
> Sent: Saturday, December 19, 2020 at 3:32 PM
> From: "Peter Nicolai Mathias Hansteen"
> To: "misc"
> Subject: Re: pf.conf parser/lint
>
>
>
> > On 19 Dec 2020 at 14:50, Aham Brahmasmi wrote:
> >
of the more important ones you’re likely to
get.
Adding to that, in my experience, the important thing is to make your
configurations as simple as possible but not simpler :)
I would like to stress using pf.conf readability features as helpers to keeping
your config maintainable, so
* use servi
Namaste Theo,
I apologize for reincarnating this thread.
> Sent: Friday, September 04, 2020 at 5:33 PM
> From: "Theo de Raadt"
> To: "Tommy Nevtelen"
> Cc: misc@openbsd.org
> Subject: Re: pf.conf parser/lint
>
> Tommy Nevtelen wrote:
>
>
> We provide over FIVE ways to identify ports without using the hardware
> driver names, but hey... this discussion is about the theory you can
> check overall behaviour of a system by ignoring the important parts.
I always put a description and group field in my hostname config so that
it allow m
Tommy Nevtelen wrote:
> On 04/09/2020 18.07, Brian Brombacher wrote:
> > Well, let’s say a Linter doesn’t exist and you can’t invest time to make
> > one. Do you have a lower environment, mirror-exact ideally, to run tests
> > on the pre-receive hook?
> >
> > It’s an interesting issue you’re t
On 04/09/2020 18.07, Brian Brombacher wrote:
Well, let’s say a Linter doesn’t exist and you can’t invest time to make one.
Do you have a lower environment, mirror-exact ideally, to run tests on the
pre-receive hook?
It’s an interesting issue you’re trying to solve ;)
I didn't say I can't inv
> On Sep 4, 2020, at 12:03 PM, Tommy Nevtelen wrote:
>
> On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>>>
>>>
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl
Tommy Nevtelen wrote:
> On 04/09/2020 17.24, Brian Brombacher wrote:
> >
> >> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
> >>
> >> Hi there misc!
> >>
> >> Is there an external pfctl linter? we have a bunch of pf firewalls for which we
> >> generate rules but also write some manual ones that
On 04/09/2020 17.40, Brian Brombacher wrote:
On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? we have a bunch of pf firewalls for which we
generate rules but also write some manual ones tha
On 04/09/2020 17.24, Brian Brombacher wrote:
On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
Hi there misc!
Is there an external pfctl linter? we have a bunch of pf firewalls for which we
generate rules but also write some manual ones that get merged. Would be nice
if we could lint the rules
> On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>
>
>
>> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>>
>> Hi there misc!
>>
>> Is there an external pfctl linter? we have a bunch of pf firewalls for which we
>> generate rules but also write some manual ones that get merged. Wou
> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? we have a bunch of pf firewalls for which we
> generate rules but also write some manual ones that get merged. Would be nice
> if we could lint the rules before committed to vcs.. (yes
On Fri, Sep 4, 2020 at 10:51 AM Tommy Nevtelen wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? we have a bunch of pf firewalls for which
> we generate rules but also write some manual ones that get merged. Would
> be nice if we could lint the rules before committed to vcs.. (yes we
> te
Hi there misc!
Is there an external pfctl linter? we have a bunch of pf firewalls for which
we generate rules but also write some manual ones that get merged. Would
be nice if we could lint the rules before committed to vcs.. (yes we
test before they are applied on the machines as well but that is w
pf.conf set state-defaults pflow seemingly not exporting traffic
My money is on state-defaults working and I just am doing something
wrong, but I can't figure out what it is.
The sensor's information:
OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
r...@syspatch-67-amd64.o
On Tue, 21 Jul 2020 19:35:17 +0200, Peter Nicolai Mathias Hansteen
wrote:
> pfctl -vnf pf.conf
oh indeed it says
pass out log on vlan10 proto tcp all flags S/SA modulate state
(if-bound)
but I understood why my pflow setup still works: it takes the flow from
the internal interfaces :)
on $ext_if proto { tcp, udp } all modulate state
>
> (I checked the rule is used because if I comment it the outgoing
> traffic doesn't go anymore)
The only way to be sure is to look at the actually loaded rule set (systat
rules or pfctl -vnf pf.conf), the boxes I have within eas
On Tue, 21 Jul 2020 18:52:40 +0200, Peter Nicolai Mathias Hansteen
wrote:
> > On 21 Jul 2020 at 17:42, marfabastewart
> > wrote:
> >
> > pf.conf set state-defaults pflow seemingly not exporting traffic
> >
> > My money is on state-defaults working and I just
> On 21 Jul 2020 at 17:42, marfabastewart wrote:
>
> pf.conf set state-defaults pflow seemingly not exporting traffic
>
> My money is on state-defaults working and I just am doing something
> wrong, but I can't figure out what it is.
>
> The sensor's informat
>
> -- Forwarded message --
> From: Kevin Chadwick
> To: misc@openbsd.org
> Cc:
> Bcc:
> Date: Sun, 14 Jun 2020 13:58:39 +
> Subject: Thoughts or links on optimally secure defaults for pf.conf and
> fstab, whilst aiming to minimise support issues.
lock all ICMP)
you may need no-df on the scrub rule.
From the description in pf.conf(5) no-df on "set reassemble" is something else,
can't say I've ever needed to use that.
> Any thoughts or links on the most secure pf.conf that remains being compatible
> with any network?
"block" :)
On 2020-06-14 13:58, Kevin Chadwick wrote:
> set reassemble yes no-df
> match scrub (random-id max-mss 1389)
>
> Should I drop the no-df from set reassemble? Any other recommendations
> welcome?
To be clear. Previously, with scrub (no-df... the set reassemble line was
missing/default.
before and I am now using without issue, so far.
set reassemble yes no-df
match scrub (random-id max-mss 1389)
Should I drop the no-df from set reassemble? Any other recommendations welcome?
Any thoughts or links on the most secure pf.conf that remains being compatible
with any network?
Thank You
> On 6 May 2020 at 22:00, Lars Bonnesen wrote:
>
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where everything is mixed more or less randomly
My advice would be to write your pf.conf in a way
pfctl has a ruleset optimizer built in, which handles most of that.
So, it is best if you write rules in a way that makes sense.
Lars Bonnesen wrote:
> Is it no longer important to group block/pass in/out for speed optimization?
>
> I see many "modern" pf.conf where every
Is it no longer important to group block/pass in/out for speed optimization?
I see many "modern" pf.conf where everything is mixed more or less randomly
Regards, Lars.
t is what happens.
>
> I have read online and man pages etc, and all say that the "block return" and
> "pass" rules are not necessary. In fact the example given at
> https://www.openbsd.org/faq/pf/filter.html does not have these two initial
> rules. These def