2010/6/12 Vadim Jukov :
> This is a work-in-progress patch that implements direct packet inspection
> in PF.
Is there a reason not to reuse bpf for this?
13 June 2010 P3. 19:14:39 Vadim Zhukov wrote:
> Thank you, I got the point. Yes, my patch is intended for some simple
> case only, when writing a program for filtering is a little bit
> overkill. I understand that there is no silver bullet, and, of course,
> separate proxy app is needed in complex
Thank you, I got the point. Yes, my patch is intended for some simple
case only, when writing a program for filtering is a little bit
overkill. I understand that there is no silver bullet, and, of course,
separate proxy app is needed in complex cases. Well, there are reasons
having both rdr-to and
Thank you, Theo (and everyone else who worked on it) for vether.
It works beautifully. My firewall now can run with two interfaces
where it needed three before and my pf.conf is 30 lines shorter with
simpler rules.
The configuration is wan <-> sk0 <-> bridge <-> re0 <-> lan
On 2010/06/13 21:01, Rod Whitworth wrote:
> On Sun, 13 Jun 2010 10:48:49 +0100, Stuart Henderson wrote:
>
> >On 2010/06/13 17:31, Rod Whitworth wrote:
> >> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
> >>
> >> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
> >> >> T
On Sun, 13 Jun 2010, Vadim Zhukov wrote:
> No, no, it's me who is excluding this way. :) Moving packets through
> userland and reimplementing states in the app is not the simplest,
> most reliable and - last but not least - fastest way, IMHO. Please
> prove me if I'm wrong.
Well, in a sense, pro
On Sun, 13 Jun 2010 10:48:49 +0100, Stuart Henderson wrote:
>On 2010/06/13 17:31, Rod Whitworth wrote:
>> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
>>
>> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
>> >> The rule:
>> >> pass in on $int_if inet proto tcp to any
On 2010/06/13 17:31, Rod Whitworth wrote:
> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
>
> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
> >> The rule:
> >> pass in on $int_if inet proto tcp to any port ftp \
> >> rdr-to 127.0.0.1 port 8021
> >>
> >> in the ex
No, no, it's me who is excluding this way. :) Moving packets through
userland and reimplementing states in the app is not the simplest,
most reliable and - last but not least - fastest way, IMHO. Please
prove me if I'm wrong.
2010/6/13, Bret S. Lambert :
> On Sun, Jun 13, 2010 at 12:41:01PM +0400
ym(4) needs the following in addition.
I haven't gotten any test results on this yet ... a lot of the
code in audioce(4) and audiocs(4) in sparc64 and sparc come from
here ... the plan is to split the MI code out and share instead
of having it copied in several places. so, this is not just for
th
On Sun, Jun 13, 2010 at 12:41:01PM +0400, Vadim Zhukov wrote:
> Hm-m-m, could you explain better, please? I don't see the way to do
> such filtering with diverting, excluding writing a proxy app listening
> all the traffic.
Why do you assume I'm excluding a proxy app?
>
> 2010/6/13, Bret S. Lamb
Hm-m-m, could you explain better, please? I don't see the way to do
such filtering with diverting, excluding writing a proxy app listening
all the traffic.
2010/6/13, Bret S. Lambert :
> Is there some reason that divert sockets (``man divert'') can't do
> this for you?
>
> On Sun, Jun 13, 2010 at
On Sun, Jun 13, 2010 at 05:31:39PM +1000, Rod Whitworth wrote:
> >
> >if the point of that rule is the same as the point of the rule in
> >ftp-proxy(8), then the rule should really match the man page (which uses
> >"quick") or vice versa.
>
> Note that the ftp-proxy manpage does "pass in quick" wi
On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
>On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
>> The rule:
>> pass in on $int_if inet proto tcp to any port ftp \
>> rdr-to 127.0.0.1 port 8021
>>
>> in the example ruleset on http://www.openbsd.org/faq/pf/example1.ht