search for: ext_if

Displaying 20 results from an estimated 25 matches for "ext_if".

2008 Mar 09
2
Dead Air on PF firewall
Hi All, I have an asterisk box on my DMZ, and I'm using PF for my firewall. I can make a call but for some reason I have dead air. Any ideas? Below are my rules... ext_if = "bce0" int_if = "bce1" altitude = "172.16.1.0/24" #### machines #### vbox = "172.16.1.1" uci = "172.16.1.4" voices = "203.172.x.1" ipc = "203.172.x.2" #### default deny #### set block-policy return set loginterface $ext_if se...
2004 Apr 09
1
HTB
...nds jumps to 144kbps, it's bad :-( and it is often. Root class is 20Mbit There are about 7000 classes (on two interfaces) an example script: =============================================================================================== #!/bin/sh TC="/sbin/tc" INT_IF="eth1" EXT_IF="eth0" $TC qdisc del dev $INT_IF root $TC qdisc del dev $EXT_IF root $TC qdisc add dev $INT_IF root handle 1: htb r2q 1 default 2000 # tried default r2q $TC qdisc add dev $EXT_IF root handle 1: htb r2q 1 default 2000 $TC class add dev $INT_IF parent 1: classid 1:1 htb quantum 60000 rate...
2005 Sep 28
1
Control Trafic
...! I have an error in this script as it is not working and I can't figure out what that is. Can anyone help? Thanks! #!/bin/bash ### units of measure for rates # kbps - kilobytes per second # mbps - megabytes per second # kbit - kilobits per second # mbit - megabits per second EXT_IF="eth0" INT_IF="eth1" TC=/sbin/tc IPTABLES=/sbin/iptables # RATE DOWNLOAD RAD_INET_ALL="1736kbit" RAD_INET_LOW="64kbit" RAD_INET_HIGH="256kbit" RAD_METRO_ALL="90mbit" RAD_METRO_LOW="70mbit" RAD_METRO_HIGH="80mbit"...
2005 Jun 13
3
problem with pf and asterisk
current setup SIP phone 192.168.1.30 --> linksys wrt54g sveasoft -- INTERNET -- (xl0) Firewall (xl2:172.16.0.50)--> (em1:172.16.0.101) Asterisk problem is RTP stream not going through from * to sip and vice versa. #1 and asterisk is pushing 192.168.1.30 back to linksys with 172 as return address.... or #2 asterisk trying to get back to me as 192.168 on public internet.. got
2005 Oct 01
0
Re: RE: Control Traffic
...0.48.0/25 for international traffic in 256 KBps classes and for metropolitan traffic 100 MB or approximatively. Thank you! #!/bin/bash ### units of measure for rates # kbps - kilobytes per second # mbps - megabytes per second # kbit - kilobits per second # mbit - megabits per second EXT_IF="eth0" INT_IF="eth1" TC=/sbin/tc IPTABLES=/sbin/iptables # RATE DOWNLOAD RAD_INET_ALL="1736kbit" RAD_INET_LOW="64kbit" RAD_INET_HIGH="256kbit" RAD_METRO_ALL="90mbit" RAD_METRO_LOW="70mbit" RAD_METRO_HIGH="8...
2007 Jul 02
1
Jails and loopback interfaces
...public IPs. I have to renumber my machine with a new block of public IPs so I thought I'd be clever and move all the jails onto loopback IPs. Then I could use PF to redirect the new IPs and the old ones to the corresponding jails. The relevant parts of my PF config look like this: > ext_if="em0" > loop_if="lo0" > > ext_addr="72.29.111.130" > loop_addr="127.0.0.101" > > ext_net ="72.29.111.128/27" > ext_net2="208.75.180.64/27" > loop_net="127.0.0.0/8" > > lo_simerson = "127.0.0...
2006 Mar 28
1
Problems with pf + ftp-proxy on gateway
...ing to use pf + ftp-proxy on a 6.1-PRERELEASE machine. I have this line in inetd.conf: ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n And these lines in pf.conf: rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy pass in quick on $ext_if inet proto tcp from any port ftp-data to $ext_if:0 user proxy flags S/SA keep state When one machine inside my network (e.g. 192.168.x.x) connects to an external ftp server (e.g. ftp.FreeBSD.org), data connection doesn't work. Connection comes to my firewall and is accepted but connection is...
2003 Sep 08
0
Real solution for OpenBSD masq firewall w/udp connections
...'s ipf has a similar function (pf's syntax was originally based on Darren Reed's ipf's syntax) I need to learn to review the changes to pf in future OpenBSD updates :) The NAT syntax is like this (put this in your /etc/pf.conf file) # Name of the external (Internet-facing) interface ext_if="fxp0" # IP address of the local tinc instance tincloc_ip="10.3.4.5" # IP address of the remote tinc instance tincrem_ip="30.40.50.60" # Nat all UDP packets from the local tinc instance with a source port of 655 # destined for the tinc remote IP to the IP address of...
2005 Oct 05
1
Shorewall traffic shaping, getting confused....
Hey list and possibly Arne... I try to get traffic shaping working on my firewall but getting confused with settings, but first my current setup: tcclasses file: #INTERFACE MARK RATE CEIL PRIORITY OPTIONS $EXT_IF 10 64kbit full 1 tcp-ack,tos-minimize-delay $EXT_IF 20 full/3 full/2 2 default $EXT_IF 30 8kbit 16kbit 3 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE For now I want three marks, 10: For ssh traffic that n...
2005 Jan 04
5
Shorewall and ChilliSpot
Has anybody on this managed to get ChilliSpot and Shorewall to work together? I have managed to get it to work with the supplied firewall script but if I wanted to do my firewall like that I would not be using Shorewall. At any rate, I am having all kinds of trouble translating the supplied rules to something that Shorewall would understand. If anybody has already done it I would love to see the
2006 Aug 19
9
SSH scans vs connection ratelimiting
...seeing repeated bruteforce attempts on SSH. I've configured my pf install to ratelimit TCP connections to port 22 and to automatically add IP-addresses that connect too fast to a table that's filtered: table <lamers> { } block quick from <lamers> to any pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <lamers> flush global) This works as expected, IP-addresses are added to the 'lamers'-table every once in a while. However, there apparen...
2018 Apr 24
2
[Bug 1248] New: The rr-load-balance part doesn't actually work on 0.7
...verity: minor Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: ian.kumlien at gmail.com This might be known, 0.7 is old - but if it isn't then... ;) I added two rules like this in table nat, chain prerouting (with a hook): iifname $ext_if ip saddr $external_dns_servers tcp dport $external_dns_ports dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 } iifname $ext_if ip saddr $external_dns_servers udp dport $external_dns_ports dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 } And they do work,...
2005 Jul 27
8
IMQ
I've got such a network: |--------| |-------------| | WORLD |---|ROUTER/server| ------ NATED LAN |--------| |-------------| I want to use imq on ROUTER, what behaviour to choose ? AA, BA, AB, BB ?? --
2005 Feb 24
5
Asterisk With Broadvoice
I have configured asterisk with the AMP php configuration utility. I am able to make outgoing calls through broadvoice but incoming calls are sent to BV's Voicemail and never actually enter the IVR. When I show sip debug info through the asterisk prompt it actually reads the incoming call from BV but then issues a busy signal sending the call to BV's voicemail. I also modified
2007 Aug 15
28
traffic shaping
I am trying to set up traffic shaping with Shorewall-4.0.2 and have a fault. When I start Shorewall with tc-files configured I get the following messages: ... RTNETLINK answers: No such file or directory We have an error talking to the kernel ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1" Failed
2005 Dec 19
7
Brute Force Detection + Advanced Firewall Policy
Any BFD/AFP software available for FreeBSD 4.10? I'm getting flooded with ssh and ftp attempts.
2007 Aug 24
3
traffic shaping stranges
...over strange behaviour of shaping traffic that I set up from Shorewall-4.0.2. I know that this is not a Shorewall problem but maybe somebody from the list can help me or explain this situation. I have the following interfaces in the 'tcdevices' file: #INTERFACE IN-BANDWITH OUT-BANDWIDTH # $EXT_IF 500kbit 248kbit $INT1_IF 500mbit 500mbit $INT2_IF 500mbit 500mbit $DMZ_IF 500mbit 500mbit and the following rules in the 'tcrules' file for the tested interface (INT1_IF): 31:F $EXT_IF $INT1_IF:$ADM_IP all 32:F $EXT_IF...
2015 Jan 25
2
change port in autogenerated playlist links
Hi, I am using icecast2-2.4.1,1 on FreeBSD 10.1-RELEASE. In order to be able to stream on port 80, I have redirected port 8080 to port 80 by means of the firewall on the icecast server itself (packet filter): rdr pass on $ext_if proto tcp to port 80 -> 127.0.0.1 port 8000 The only thing that bothers me is the fact that autogenerated playlist files (m3u, xspf and vclt) in the web interface direct to port 8000. Is there a way to change them so they point to the desired port instead of the port specified in the configuration file?...
2007 Apr 08
2
IP Tables block for POP3 attacks with Dovecot
Has anyone implemented a script to block IPs which are attacking on POP3 ports using dovecot logs to indicate repetitive failed login attempts? sshblack does this nicely for ssh (port 22) attacks by monitoring the /var/log/secure file. I am considering rewriting this to POP3 port (110), but if it has already been done, I sure don't need the practice. Thanks!
2007 Jun 13
0
pf does not use IPv6 interface addresses at startups
...9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386 >Description: The pf firewall does not use the IPv6 addresses at startups. If you start using pf firewall with IPv6 enabled the IPv6 addresses are not used: e.g. in case of pf rule: pass out quick proto tcp from $ext_if to any keep state the real rule will be: pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state the IPv6 address of the external did not take into consideration since IPv6 address not configured yet. >How-To-Repeat: Try using interface name...