.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, May 07, 2009 at 10:53:18AM -0400, Darrin Chandler wrote:
>On Thu, May 07, 2009 at 12:03:23PM +, Stuart Henderson wrote:
>> There are some useful things on the site, but please, use with a big
>>
connections over a time interval. The connection rate is an
approximation calculated as a moving average.
You may also want to use synproxy for ssh and take a look at
max-src-states. I have examples here: http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
On Tue, Oct 23, 2007 at
e the handshakes are completed, the
sequence number modulators (see previous section) are used to translate
further packets of the connection. Synproxy state includes modulate state.
(pf.conf man page)
--
Calomel @ http://calomel.org
On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote:
&g
back to its previous
setting on reboot.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyr? wrote:
>Hi,
>
>I'm currently trying to configure small home network:
>AD
Siju,
Has the device name changed? Perhaps to /dev/cd0a
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Thu, Oct 25, 2007 at 07:12:59PM +0530, Siju George wrote:
>Hi,
>
>I installed OpenBSD 4.2 on CD on my amd64 that was running OpenBSD 4.0 fine.
>I tried
Pieter,
To remove the ^M characters at the end of all lines in vi, use:
:%s/^V^M//g
The ^v is a CONTROL-V character and ^m is a CONTROL-M. When you type this,
it will look like this:
:%s/^M//g
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Oct 26, 2007 at 03:45
You need to use at least samba-2.2.7a and use the audit.so module. The
samba source code has what you need. Check out the information in
~samba/examples/VFS/audit.c and in the README file in that directory.
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Sun, Oct 28, 2007
/bootable_openbsd_cd.html
--
Calomel @ http://calomel.org
OpenSource Research and Reference
On Fri, Nov 02, 2007 at 03:12:30AM +0800, Bibby wrote:
>Hi, all.
>
>Part of file: 4.2/i386/INSTALL.i386:
>---
>
>cdrom42.fsThe i386 boot and installation 2.88MB
>flopp
Rod,
You are absolutely correct. Using the "--reject *iso" directive for wget in
the instructions will now filter out all iso files from downloading. The
wording on the web page has been cleaned up and clarified.
Thanks for your feedback, it is appreciated.
--
Calomel @ http://c
% )
queue bulk bandwidth 5% priority 1 qlimit 50 hfsc (realtime 5% default)
And use the ack with the queue name on the rules like, "queue (edd, ack)"
This might help you out with the directive definitions.
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
O
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs
from the "cdemu42.iso" image and make a new cdrom42.fs image. Just takes a
second.
Check out Step 3, option 2 at Making a bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html
--
Calo
I believe the boot image must be less than 9900 sectors to be used on a
bootable cdrom. bsd.rd would be too large.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Nov 07, 2007 at 07:45:52PM -0500, Steve Shockley wrote:
>Calomel wrote:
>>You can use getel
ed or most popular ports or ip's. Well NetFlow
is what your looking for. NetFlow is an open but proprietary network
protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment
for collecting IP traffic information.
http://www.pantz.org/software/flowtools/configflowtoolspfflow.html
--
Chris,
It looks like you have quite a few questions. The obsd list will not write
your firewall for you, but this should get you started in the right
direction.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html
--
Calomel @ http://calomel.org
Open Source
uot; using the backup user. If "ls" is successful, the wrapper in not
working.
If anyone has any other recommendations I would be interested in hearing
about them. There is always room for improvement.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Nov 13
amount of bandwidth
specified by "realtime". See if this link helps you out.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Nov 16, 2007 at 04:56:51AM +0300, Jonathan S
the "altq on $ExtIf bandwidth 744Kb" line to
reflect this. If the rest of the queues are setup to use a percentage of
the primary bandwidth amount then every thing will fall into line. Lastly,
refresh pf for the new settings to take effect.
Reference: http://calomel.org/pf_hfsc.html
-
/4.2
with ALTQ (HFSC) without issue. CPU usage for the interrupts are around 33%
on a amd64 2.2GHz.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Nov 12, 2007 at 02:05:54PM -0300, Fernando Braga wrote:
>Hi,
>
>I've setup a bridge over a 200Mb link, a
Try using the ftp-proxy daemon. The proxy will take care of what ports need
to be open and close them when they are not needed. It will make your life
easier.
Ftp-proxy "how to" (forward and reverse)
http://calomel.org/ftp_proxy.html
--
Calomel @ http://calomel.org
Open Source Re
an example.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Dec 25, 2007 at 10:22:09AM -0800, Chris Cappuccio wrote:
>upnp is also necessary for other multiplayer games like xbox live.
hen see clients connect and download 100 meg
per minute there is a problem and the ips can be blocked or slowed.
Thanks for your time,
--
Calomel @ http://calomel.org
Open Source Research and Reference
r would be around
24-26.
What is your grey listed time out? By default I believe it is set at 25
minutes. (-G 25:4:864) Perhaps it is too low or too high?
This is probably not your issue, but may give you a place to start.
Spamd anti-spam "how to" (spamdb)
http://calomel.org/spamd_conf
"how to" ( pf.conf )
http://calomel.org/pf_config.html
Hope this helps.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:
>Hello,
>
>I've been successfully using the max-src-conn and max-src-conn-rat
how to" (spamdb)
http://calomel.org/spamd_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
>Apparently we (our mail server) got targeted by a zombie network
>since suddenly there were s
ort $SshPort
$SynState tagged OPENSSH
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
>(sorry, orig post
All macros, redirections and rules must be in the that uses it anchor as I
understand it. Take a look at the anchors section of this link.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Referenc
On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
>On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
>> Raimo,
>>
>> Can you use the spamd.alloweddomains to whitelist email addresses and
>> domains you accept mail for? Any email sent to your mail s
Check out pfflowd.
Configuration of NetFlow, Flowtools, pfflowd on OpenBSD
http://www.pantz.org/software/flowtools/configflowtoolspfflow.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Feb 15, 2008 at 09:22:33AM -0500, Richard Daemon wrote:
>Hi all,
>
amd_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Feb 25, 2008 at 09:48:20PM -0600, Aaron Martinez wrote:
>I've got spamd up and running in the default greylisting mode on a 4.2
>stable system. Things seem to be working great, however I've no
anchors are not pfsync states and thus are not transfered to
the backup firewall through pfsync.
But, if the users issue a reconnect to your ftp server after the firewall
fail over they will connect without issue.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Wed, Mar 12
rt 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no
## sftp directives
Subsystem sftp internal-sftp
Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail
http://calomel.org/sftp_chroot.html
--
Ca
yes
X11Forwarding no
## sftp directives
Subsystem sftp internal-sftp -f AUTH -l DEBUG3
Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail
http://calomel.org/sftp_chroot.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Mar 13, 20
;BAD request method"
request header expect "GET"
request header expect "HEAD"
Since it is a work in progress, our full relayd.conf file can be found
here for reference:
Relayd proxy "how to" (relayd.conf)
http://calomel.org/relayd.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
'src-limit'
value in pfctl -si to see how many packets were dropped in this way.
I do not believe packets dropped by a rate limited rule are logged as
logging a DDOS attack might stress the machine.
Hope this helps.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.o
"high" queue.
Hope this helps
PF Config "how to" (pf.conf)
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org/
Open Source Research and Reference
On Wed, Mar 26, 2008 at 04:41:01PM -0700, Lord Sporkton wrote:
>I have this rule in my PF
>and its not wo
ode.
Note that in some versions, Squid limits dns_children to 32. To increase it
beyond that value, you would have to edit the source code.
Hope this helps.
Squid config "how to" (squid.conf)
http://calomel.org/squid.html
--
Calomel @ http://calomel.org
Open Source Research an
ystem rescue cd" and run badblocks from there
without removing the drive from the current machine.
NON-destructive BadBlock test (1gig ram in machine)
badblocks -b 4096 -c 98304 -p 0 -s /dev/hda
For a more detailed explanation http://calomel.org/badblocks_wipe.html
--
Calomel @ http://c
uld be happy to
help.
--
Calomel @ http://calomel.org
On Fri, Oct 05, 2007 at 08:25:26AM -0400, a.padilla wrote:
>ext_if ="rl0" #macro for external interface
>int_if ="dc0" #macro for internal interface
>
>localnet= $int_if:network
>
>nat on $ext_if from $l
matheus,
It is the order. The fist queue is for bulk packets and the second is for
ack packets.
Daniel Hartmeier has a detailed page with examples that may make this
clearer.
Prioritizing empty TCP ACKs with pf and ALTQ
http://www.benzedrine.cx/ackpri.html
--
Calomel @ http://calomel.org
Tony,
I agree with lars, squid is an excellent choice to proxy http and https.
Here are some instructions and a working example if you need them.
Squid Proxy (Secure, Paranoid and Non-caching)
http://calomel.org/squid.html
--
Calomel @ http://calomel.org
On Tue, Oct 09, 2007 at 03
proto tcp from $DMZ to any port ftp -> lo0 port 8021
Filtering #
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState
$FtpIntIf
Ftp-Proxy "how to" (forward and reverse proxy)
https://calomel.org/ftp_proxy.html
proxy "how to" (relayd.conf)
http://calomel.org/relayd.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Tue, Mar 18, 2008 at 05:07:53PM -0400, Calomel wrote:
>We are looking to do some URL path and request method filtering with relayd
>if possible. M
We use a simple Perl script to analyze the spamd logs and generate HTML
output.
Spamd Statistics Script (annoying spammers)
http://calomel.org/spamd_stats.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Apr 03, 2008 at 10:19:18AM -0300, Jose Fragoso
You also need to tell pfstat what action you want to do. You can query to
collect the pf interface statistics, generate new graphs or clean up the
database.
See if our page can help you out.
Pfstat "how to" ( pfstat.conf )
http://calomel.org/pfstat.html
--
Calomel @ http://c
e argument "-k" to drop connections
dependent on ip address. For example, If we wanted to drop all states from
any ip to our internal server at 10.10.10.22 we could execute:
pfctl -k 0.0.0.0/0 -k 10.10.10.22
Hope this helps.
PF Config "how to" (pf.conf)
http://calomel.or
re the firewalls overloaded?
You are welcome to check out some of the "how to's" I have at
http://calomel.org if you need to.
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Thu, Apr 10, 2008 at 12:35:17PM +0100, openbsd firewall wrote:
>Hello,
>
email from new
potential clients all the time then this method is not really that helpful.
If anyone has any other ideas on this topic I would also be interested in
hear them.
Hope this helps.
Spamd tarpit/greylisting anti-spam "how to"
http://calomel.org/spamd_config.html
--
Calo
ou want to dump those ips from the table to the text file you can
always do "pfctl -t bruteforce -T show >> /etc/bruteforce"
Hope this helps.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source
Ropers,
You can find the badblocks utility prepackaged in "e2fsprogs".
Hope this helps,
BadBlocks Hard Drive Validation and/or Destructive Wipe
http://calomel.org/badblocks_wipe.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Fri, Apr 18, 200
olutions I would also be interested in
hearing about them.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 04, 2008 at 05:02:45PM +0100, Joe Warren-Meeks wrote:
>Hey guys,
>
>I have a a pair of OpenBSD firewalls, using carp+pf protecting all
>our se
helps.
Guide to SSL Certificates
https://calomel.org/ssl_certs.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:
>On Sat, 14 Jun 2008, Khalid Schofield wrote:
>
>> Hi,
>> I need to
flags S/SA
Hope this helps,
OpenBSD Pf Firewall "how to" ( pf.conf )
https://calomel.org/pf_config.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
>Hi folks,
>
>All the time I had the fo
Juan,
You can use email addresses, domains or partial domains in your
spamd.alloweddomains file.
Spamd tarpit/greylisting anti-spam "how to" (spamdb)
https://calomel.org/spamd_config.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sat, Jun 21, 200
clients.
Nginx web server "how to"
https://calomel.org/nginx.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Sun, Jul 20, 2008 at 03:14:40PM +0100, Nuno Magalh??es wrote:
>I have an old Compaq Armada 1500c with 32MB of RAM i want to use as a
>webs
to 8590Mb the value flips twice and we are
left with 65.41Kb.
altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web}
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}
Thanks.
--
Calomel @ https://calomel.org
Open Source Research and Reference
them out.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Lu?i wrote:
>On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org
> wrote:
>> ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
>> Thi
Addresses: 12
Cleared: Wed Dec 31 19:00:00 1969
pfctl -a games -vvs Tables
--a-r-C BLOCKTEMP games
Addresses: 0
Cleared: Wed Jun 2 16:40:14 2010
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 02, 2010 at 04:23:54PM -0400
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.
Was this the probl
our ps3 and NHL10 rules in an anchor to clean things up. How
about adding QOS so the gamers get higher network priority? :)
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:
>On Jun 3, 2010, at 3:51 AM,
modified is 10.0.0.50, then the resulting address will be 192.0.2.50.
If the address pool is 192.0.2.1/25 and the address being modified is
10.0.0.130, then the resulting address will be 192.0.2.2.
http://www.openbsd.org/faq/pf/pools.html
--
Calomel @ https://calomel.org
Open Source Research
follows:
Root Queue (2Mbps)
Queue A (1Mbps)
Queue B (500Kbps)
Queue C (500Kbps)
Also, you can use HFSC queueing for this as well.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
https://calomel.org/pf_hfsc.html
--
Calomel @ https://calomel.org
Open Source Research and
probability value only. For ex-
ample, the following rule will drop 20% of incoming ICMP packets:
block in proto icmp probability 20%
I do not believe you can add latency timings using PF. I agree, this
would be very helpful for testing.
--
Calomel @ https://calomel.org
Open Source
/apm_control.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote:
>Le vendredi 05 fivrier 2010 11:17:51, vous avez icrit :
>> On 04/02/2010 23:02, Jean-Francois wrote:
>> > All,
>> >
&
.
OpenSMTPD "how to" (smtpd.conf)
https://calomel.org/opensmtpd.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote:
>I find the two manpages, smtpd(8) and smtpd.conf(5), in current.
>
>I
64 matches
Mail list logo