Comments:
<0> he had his chance to **** the **** up
<0> er, shut
<1> **** works :!
<2> lol
<0> all he had to do was say nothing until tomorrow
<1> ban is over-rated.. +ik ****head this bitch
<1> +ikl ****head 1
<1> Today is Easter for eastern orthodox
<1> i mean christmas ;)
<3> what?
<0> everytime i see tobiasu's hostmask i wonder if he is a mirbsd user ;-)
<1> Its christmas for Eastern Orthodox people
<3> what's eastern orthodox?
<0> russian churhc
<0> churhc
<0> church
<3> :o
<0> the greeks are orthodox too, iirc
<0> greek orthodox?
<3> i'm orthodox and we have christmas on 25 of december
<3> that's why my original "what?"
<0> they split from rome when the whole byzantium thing happened
<0> well, i don't know about the accuracy of the christmas thing ;-)
<3> must be the russian thingie
<2> NicM: why mirbsd?
<0> i just know the russians went into this whole delusional thing about being the "new constantinople"
<3> i'm romanian but i think we're greek orthodox. as you can tell me and religion don't have much in common
<0> tobiasu, freeforge.net?
<1> Slippery: same difference
<1> Slippery: Eastern Orthodox, Bulgarian Orthodox, Greek Orthodox, Serbian Orthodox
<0> to be honest, i forget the main difference between the orthodox and roman churches
<1> the main one is the calendar
<0> i know they split when the church moved to constantinople
<0> nah, there was a philosophical point
<0> they had like a year of $many popes
<1> each have their own pope
<2> NicM: ah, freeforge is basically a shell server for some friends, it also happens to run some stuff for mirbsd
<0> ah
<3> i know two main differences: catholic priests can't have wives and the easter date is computed differently
<0> there have been some overtures in the past to recombine or at least sort of relink
<3> yes
<0> they are closer than the RCs and the prods anyway
<3> the former pope was the first to visit an orthodox country and that country was romania
<0> yeh, i remember that
<1> too bad ipsec is soo tight to host ip that it is almost impossible to use with non static ips :(
<1> although i may force all my wlan traffic through ipsec
<1> take that, and rewind it back..
<1> heh.. so ipsec is for site-to-site vpn while isakmpd is for client-to-site?
<1> anyway to have multiple interfaces in a single pf rule?
<4> { if0 , if1 }
<1> without it spanning two rules?
<4> it will span two rules
<1> damn it
<1> block in log quick on ! $WLAN from <IPSpoof-WLAN> to any
<4> there's no other logical approach. if interfaces should have multiple definition within a rule, why not source addresses, or tcp flags, or anything else
<1> it also kills my enc interface
<4> so don't use quick
<1> i have to
<4> lead with a block and then select stuff to pass.. it's no big performance hit
<1> i did
<1> even moving pass quick on enc0 before it didnt help
<1> rule 1/(match) pass in
<1> rule 0/(match) block out
<1> lol
<1> even with keep state crapola attached to it
<1> due to my anti-spoofing setup
<1> wow
<1> weird
<1> check this out
<1> pass in on enc0: ipX > ipY: icmp: echo request
<1> block out on hme2: ipX > ipY: icmp: echo request
<1> the block comes out from the default drop rule
<5> it should
<5> anything from the ipsec tunnel will end up being translated.. only if there's a translation for it. if you don't explicitly pass the traffic on a given interface, it won't go anywhere
<1> what do you mean?
<1> translated into what?
<5> enc0 is just the interface where the traffic is unbundled
<1> i see
<5> that traffic still has to be routed, as per the routing table
<5> once there, it has to be handed to the interface that has the destination
<5> if that interface isn't permitting traffic from the source host out, it won't go anywhere
<1> i see.. thats confusing, as the ipX is the same IP of the device
<5> if it's not defined explicitly, the default rule will apply
<1> so if i write a rule pass in from IPx
<1> it doesnt have to use the tunnel
<5> it still has to be passed out, or otherwise match inside of a state table
<1> unless i say pass in on $internal_interface from IPx
<1> right?
<5> that should work
<1> eeek.. i try to stay away from passing on interfaces
<1> but just for the sake of it.. i will try
<1> very bad implementation of ipsec.. i thought it would give you an actual IP address
<1> and the client would have its routing table altered, but i guess not
<5> well, here's what i'd do
<1> Jan 06 22:25:07.329873 rule 1/(match) pass in on enc0: 172.16.0.101 > 192.168.1.150: icmp: echo request
<5> move to packet tagging
<1> it worked this time
<5> funky.
<1> i dont like it at all
<5> shove your rules to pastebin, i'll take a look at them
<1> :)
<5> won't guarantee i'll see anything, but it won't hurt
<1> i know what the issue is
<5> my solution is to write the rules as interface independent as i could
<1> same here
<1> let me paste this portion of it
<5> sure
<1> ~ checkpoint style http://pastebin.ca/309034
<5> lots of blocking
<1> yeah
<1> i've looked into tagging
<1> and i didnt like it
<5> i find it to be very useful
<1> yeah
<1> but this way i can keep track of my networks, and it scales
<1> how do you tag your packets
<1> i dont see how practical it is
<1> i guess i am missing something from this faq
<1> http://www.openbsd.org/faq/pf/tagging.html#policy
<1> i am looking at this complete policy
<1> it looks very routing table dependent
<1> jb_: the link i sent you is based on spoof with pf
<1> except i expanded on it
<5> http://pastebin.ca/309037
<1> ok
<1> check this out
<1> /msg jb_ http://pastebin.ca/309040
<1> ;(
<1> what do you think
<1> its much cleaner, i think --)
<5> yeah, not bad. i'm not one for a large amount of block rules. one block, then pass from there based on what's permitted in to the firewall
<1> i can see that on a small network :)
<5> yep
<5> larger network, might be a bit of a pain
<1> but when you have networks changing without you knowing
<1> you need to adapt
<5> that's specifically to prevent "-O" from working
<1> yeah
<5> active OS fingerprinting in nmap
<5> i'm upgrading the FW to 4.0-current fairly soon
<1> i need to implement queue
<5> worthwhile
<5> i had cbq in there for a long time
<5> got annoying fast
<5> i also need to redo my tagging for the squeezebox
<5> so i can apply 2 or 3 tags
<1> i just need to prioritize my voip over all
<1> ok.. i need to go make some margaritas
<1> woman is getting anxious