search for: oif

Displaying 20 results from an estimated 73 matches for "oif".

Did you mean: if
2005 Apr 29
1
problem with nth patch, counter parameter...I think
...e would be effecting the other, but it does. Here is my iptables -t mangle -L on tunnel server 2, before adding, and after adding. Chain POSTROUTING (policy ACCEPT) target prot opt source destination ROUTE all -- anywhere (Network C) every 2th packet #0 ROUTE oif:AMC_TUN1 gw:172.16.0.38 ROUTE all -- anywhere (Network C) every 2th packet #1 ROUTE oif:AMC_TUN2 gw:172.16.0.42 ROUTE all -- anywhere (Network D) every 2th packet #0 ROUTE oif:TB_TUN1 gw:172.16.0.26 ROUTE all -- anywhere (Network D) every...
2006 Dec 16
1
ipfw: did i forget anything?
...e-mail and pretty much deny everything else. If someone would have the time to have a quick look at this to see if there's anything wrong with it i would really appreciate it! Bye, jurjen. ps. here is my ruleset: #!/bin/sh ipfw -q flush cmd="ipfw -q add" ks="keep-state" oif="ath0" #setup the loopback $cmd 001 allow all from any to any via lo0 $cmd 002 deny all from any to 127.0.0.0/8 $cmd 003 deny ip from 127.0.0.0/8 to any #check state of incoming packets $cmd 010 check-state #### # Outgoing #allow outgoing connections to internetsites, ssh sites #...
2018 Jan 30
5
[Bug 1220] New: Reverse path filtering using "fib" needs better documentation
...at netfilter.org Reporter: f30 at f30.me Reverse path filtering means dropping a packet if connections to its source IP wouldn't use the same interface the packet arrived on. The nftables wiki states [1] that this can be implemented like: nft add rule x prerouting fib saddr . iif oif eq 0 drop Slides by Florian Westphal [2] suggest to use: nft add rule ... fib saddr . oif oif = 0 drop But this fails with "Invalid argument" even when replacing "=" by "==" or "eq". `fib saddr . iif oif eq 0` achieves the desired goal (except for bugs...
2005 Jan 26
0
Controlling Outbound traffic...alternative to dsl_qos_queue
...sl_qos_queue adds a QUEUE Target to the POSTROUTING chain for reading the MARKed packets , and i recently added a -j ROUTE target for my load balancing configuration to this chain: /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 0 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 1 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 2 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t...
2004 Feb 19
2
traffic normalizer for ipfw?
Hi there, Is there some way to configure ipfw to do traffic normalizing ("scrubbing", as in ipf for OpenBSD)? Is there any tool to do it for FreeBSD firewalling? I've heard that ipf was ported on current, anything else? TIA, /Dorin. __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools
2014 Jan 09
3
[Bug 884] New: the rule of TEE target with '--oif' option cannot be deleted.
https://bugzilla.netfilter.org/show_bug.cgi?id=884 Summary: the rule of TEE target with '--oif' option cannot be deleted. Product: iptables Version: 1.4.x Platform: i386 OS/Version: Fedora Status: NEW Severity: minor Priority: P5 Component: iptables AssignedTo: netfilter-buglog at...
2005 Aug 21
1
Security warning with sshd
In my recent security email, I got the following errors: cantona.dnswatchdog.com login failures: Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted So three questions: What is it? Should I be worried?
2003 Dec 23
2
address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
The man page gives this example, however, when I attempt to use it, it seems to block the whole set? Could someone tell me what's going wrong here please. Thanks heaps.. This works, ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif} This blocks the whole IP block, not just the list? ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif} the man page bit... list: {num | num-num}[,list] Matches all addresses with base address addr (specified as a dot-...
2018 Jan 30
7
[Bug 1221] New: "fib" produces strange results with an IPv6 default route
...OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: f30 at f30.me I am trying to implement reverse path filtering using "fib" rules like `fib saddr . iif oif 0 drop`. I don't understand why exactly (see #1220), but this generally works for IPv4 and IPv6 without a default route. However, "fib" starts to behave strangely with a v6 default route. Assume a host with two interfaces, enp0s5 and enp0s6, and the following IP addresses: > ip...
2008 Apr 21
2
graphics history
...e history by code. Any ideas? Thanks and best regards, Norbert -- ********************************************************** Mag. Norbert Neuwirth ?sterreichisches Institut f?r Familienforschung (?IF) - Universit?t Wien Austrian Institute for Family Studies - University of Vienna http://www.oif.ac.at e-mail: norbert.neuwirth at oif.ac.at tel: +43-1-4277-489-11 fax: +43-1-4277-9-489 address: A-1010 Wien, Grillparzerstra?e 7/9
2005 Feb 02
2
Packet Level Load Balance inbound/outbound success with nth and route
...ip addr add 172.16.0.2/30 dev client_tun1 ip addr add 172.16.0.6/30 dev client_tun2 traffic outbound from the client doesnt need to go out the tunnel, but it does need to be split --client-- iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45 iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49 traffic inbound to the client will go to the server, and come to client through the tunnel --server-- iptables -A POSTROUTING --destination 66...
2024 Jul 16
4
[Bug 1761] New: nft_fib checks only the main route table when iif is a slave of a master vrf interface
...s: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: tsv1991 at gmail.com Root case: I want to do the NOTRACK in the PREROUTING chain for traffic that has a "daddr" route pointing to a specific oif. What I do: "nft add rule inet notracks PREROUTING fib daddr oif br999 counter notrack" The issue: nftables always checks only main routing table, though the iif for traffic is slave for master vrf interface also oif always will be slave for master vrf interface. Details: We have VR...
2016 Mar 08
4
[Bug 1057] New: Allow for multiple protocols to be specified in a rule
...: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karol at babioch.de Since DNS is allowed over both UDP as well as TCP, I have to specify two rules each time I want to allow DNS traffic. This looks something like this: oif eth0 udp dport domain accept oif eth0 tcp dport domain accept In an example found online [1] someone showed the following example: {udp, tcp} sport domain ip daddr 127.0.0.1 accept Apparently this was never tested. At least it doesn't work for me. For the example above it would look...
2004 Feb 14
2
Localhost traffic and ipfw rules
...0.1 (Ack+Reset zero data) with source MAC of my default gateway and I can't seem to block this traffic. Snort picked up the traffic and I have confirmed with tcpdump. So I decided I needed to examine my anti-spoof rules. I already had this one deny ip from any to 127.0.0.0/8 in recv ${oif} This never triggered on this traffic so I figured it must be looking for a SYN before it would trigger. So I added the following: deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst This still didn't block the traffic. So, I added the following: deny ip from 127.0.0.0/8 to ${o...
2020 Jan 15
4
[Bug 1397] New: What am I doing wrong!?
...Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: tad1073 at gmail.com code snippet table inet nat { chain prerouting { type nat hook prerouting priority dstnat; policy accept; fib saddr . iif oif 0 counter drop fib saddr . iif oif "lo" counter accept fib saddr . iif oif "$inet_if" counter accept fib daddr . iif type { local, broadcast, multicast } counter accept ip daddr 10.0.0.11 tcp dport 80 dnat to 8080 ip daddr 10.0.0.11 udp dp...
2003 Jun 02
6
4.8-Stable DummyNet
Hi. We just opened a gaming center and have chosen to run a FreeBsd box for our firewall. IPFW is configured at it's very basic running natd through rl0 and allowing any to any connections from the lan to the outer world. Natd controls access to the lan. We have a 6.0 mb/s ADSL net connection for all the gaming clients to use, however if a gamer starts downloading a file, that file
2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...5 y......!36:;w9.. 0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n. 0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P..... 0x0150: 0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
...5 y......!36:;w9.. 0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n. 0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P..... 0x0150: 0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev...
2005 Aug 10
0
network traffic can''t be seen by iptables when no bridge presents
In my project, I tried to use iptables, instead of bridge, to direct networking traffics from one VM to another in one host. What I am doing is I delete xen-br0, and I have two VMs that have IP addresses of 10.8.0.51 and 10.8.0.52. I use iptables -t mangle -A FORWARD -d 10.8.0.51 -j ROUTE --oif vif1.0 iptables -t mangle -A FORWARD -d 10.8.0.52 -j ROUTE --oif vif2.0 vif1.0 and vif2.0 are the virtual network interfaces of two VMs. In order to debug the above rules, I log all the traffics: iptables -t mangle -A PREROUTING -j LOG --log-level debug --log-prefix "log-everything" I...
2003 Dec 23
0
No subject
The man page gives this example, however, when I attempt to use it, it ssems to block the whole set? Could someone tell me what's going wrong here please. Thanks heaps.. This works, ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif} This blocks the whole IP block, not just the list? ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif} the man page bit... list: {num | num-num}[,list] Matches all addresses with base address addr (specified as a dot-...