pfstat queries
Hi, are there any docs that describe which numbers are which in the output from pfstat -q? I observe that most are zero and when I try and plot the byte counts etc. they come out as zeros. What do I have to do to get these stats?

-- 
Russell Fulton                  /~\  The ASCII
Network Security Officer        \ /  Ribbon Campaign
The University of Auckland       X   Against HTML
New Zealand                     / \  Email!
Re: pfstat queries
On Wed, Apr 14, 2004 at 02:56:25PM +1200, Russell Fulton wrote:
> are there any docs that describe which numbers are which in the output from pfstat -q?

The numbers are the same that pfctl -si prints, should become obvious when you compare the two, but see below.

> I observe that most are zero and when I try and plot the byte counts etc. they come out as zeros. What do I have to do to get these stats?

You probably didn't use 'set loginterface' to specify what interface to gather the counters for. In that case, the counters remain zero, and pfctl -si omits the interface specific part of the output. Add the 'set loginterface' option to pf.conf and try again. Let it run for a couple of minutes, then re-run pfctl -si and pfstat -q, and compare outputs. Should make clear what each number of pfstat -q output refers to, if not, ask again :)

Daniel
carp / ip aliases
hi, i am thinking of replacing my single firewall setup with a failover pair using carp/pfsync. right now it's one box with 3 nics (internal/external/dmz). i am natting the dmz hosts on the external interface 1:1, thus have a lot of ip aliases on the external interface. so, is it possible to give the carp interface aliases? if it is, what's the syntax?

cheers
tobias
Re: carp / ip aliases
On Wed, Apr 14, 2004 at 09:34:06AM +0200, Tobias Wigand wrote:
> i am thinking of replacing my single firewall setup with a failover pair using carp/pfsync. right now it's one box with 3 nics (internal/external/dmz). i am natting the dmz hosts on the external interface 1:1, thus have a lot of ip aliases on the external interface. so, is it possible to give the carp interface aliases? if it is, what's the syntax?

Yes, just add them as if the carp interface was your physical interface.

/etc/hostname.carp0:

    inet 192.168.6.1 255.255.255.0
    inet alias 192.168.6.2 255.255.255.0
    inet alias 192.168.6.3 255.255.255.0
    inet alias 192.168.6.4 255.255.255.0
synflood defenses
Hi All,

We have recently had a few outbound synfloods (from machines infected by one of the numerous 'bots'). An unfortunate side effect of this is that the state tables in pf eventually fill up and no legit new connections are accepted.

I currently have set optimization conservative and I am guessing that this is not helping. I have also looked at the synproxy state setting, but as I understand it this protects end hosts from synfloods and will have no effect on the state table usage.

I have lots of memory on the firewalls and one thing that has occurred to me is that I could set the state table size much higher and have a monitor that pages someone when it goes above some reasonable limit.

Another possibility is to tweak set timeout tcp.opening, what would be a reasonable value? -- the default seems to be 15 minutes. H... would be nice to have this setting depend on the number of current states -- i.e. we time out non established sessions more aggressively when the state table is nearly full. There does not seem to be any way of modifying the timeouts on the fly, i.e. with pfctl, so I can't do this from a script.

Any other suggestions? (Please tell me I've missed the obvious again ;) I really need that book! (yes it is on order and amazon say they have shipped it).

-- 
Russell Fulton                  /~\  The ASCII
Network Security Officer        \ /  Ribbon Campaign
The University of Auckland       X   Against HTML
New Zealand                     / \  Email!
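Added example, not from the thread: a small sh script that reads the pfctl -si counters Daniel points to in the pfstat reply above (reporting when the Interface Stats block is missing because no loginterface is set) and implements the state-table monitor Russell proposes here, paging when usage passes a threshold. The pfctl output layout, the fxp0 sample counters and the 80% threshold are assumptions; the samples are constructed so the logic runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Parses 2004-era OpenBSD pfctl(8) output
# (format assumed): "pfctl -si" shows an "Interface Stats for <if>" block only
# with 'set loginterface', plus "current entries N" under "State Table";
# "pfctl -sm" shows "states  hard limit  N". Inputs are strings so it runs offline.

# IPv4 bytes in on the loginterface; empty when no loginterface is set.
iface_bytes_in() {
    printf '%s\n' "$1" |
        awk '/^Interface Stats/ { seen = 1 } seen && /Bytes In/ { print $3; exit }'
}

# Active state entries from pfctl -si.
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Hard state limit from pfctl -sm.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF; exit }'
}

# Succeed when state-table usage is at or above the given percentage (default 80).
state_table_full() {
    cur=$(current_states "$1"); cur=${cur:-0}
    lim=$(state_limit "$2");    lim=${lim:-0}
    [ "$lim" -gt 0 ] && [ $(( cur * 100 / lim )) -ge "${3:-80}" ]
}

# Constructed sample outputs (assumed format) for offline use.
SAMPLE_SI='Interface Stats for fxp0              IPv4             IPv6
  Bytes In                         4194304                0
State Table                          Total             Rate
  current entries                     8500'
SAMPLE_SM='states        hard limit    10000'

if [ "${1:-}" = "--live" ]; then       # cron job on the firewall
    SI=$(pfctl -si); SM=$(pfctl -sm)
else                                   # offline demo on the samples
    SI=$SAMPLE_SI; SM=$SAMPLE_SM
fi
if [ -z "$(iface_bytes_in "$SI")" ]; then
    echo "no Interface Stats block: add 'set loginterface' to pf.conf"
fi
if state_table_full "$SI" "$SM" 80; then
    msg="pf state table at or over 80% of its limit"
    [ "${1:-}" = "--live" ] && echo "$msg" | mail -s "pf state alert" root
    echo "$msg"
fi
```

Run it with --live from cron on the firewall; without arguments it only exercises the constructed samples.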
more questions on timeouts
quoting pf.conf(5):

    tcp.first    The state after the first packet.
    tcp.opening  The state before the destination host ever sends a packet.

I must be thick because I don't get the distinction between these two states. Does it work this way?

    src sends SYN       = tcp.first
    dst sends SYN+ACK   = tcp.opening
    src sends ACK+data  = tcp.established

which seems logical to me. If so then it is not clear from the manpage. I.e. which timeout should I tweak to protect against synfloods? An hour seems way too long to keep state for a SYN.

-- 
Russell Fulton                  /~\  The ASCII
Network Security Officer        \ /  Ribbon Campaign
The University of Auckland       X   Against HTML
New Zealand                     / \  Email!
problems with altq.
Hi, altq is just not working with these rules:

    altq on $OUT bandwidth 100% cbq queue { qo_def, qo_limit }
    queue qo_def cbq(default)
    queue qo_limit bandwidth 150Kb

    altq on $IN bandwidth 100% cbq queue { qi_def, qi_limit }
    queue qi_def cbq(default)
    queue qi_limit bandwidth 150Kb

    pass out quick on $IN inet proto {tcp,udp} from any to any port 1024 keep state queue qi_limit
    pass out quick on $OUT inet proto {tcp,udp} from any to any port 1024 keep state queue qo_limit

It must be a syntax problem but I just can't figure out where! AND stats show that the packets are being queued but I can download/upload at speeds way higher than 150Kbits/s. ugh? :)

-- 
Maxime Labelle - [EMAIL PROTECTED]
viewing an anchor's table
Can't seem to figure out how to view an anchor's tables. I have:

    anchor zeier
    load anchor zeier:default from /opt/pf/zeier.pf

And zeier.pf has:

    table <zeier-hosts> { \
        207.38.45.0/29 \
    }

    caf4# pfctl -a zeier -sT zeier-hosts
    caf4# pfctl -a zeier -t zeier-hosts -Ts
    pfctl: Table does not exist.

What's the right syntax?

-- 
matthew zeier, Sr. Network Engineer   | Nothing in life is to be feared.
InteleNet Communications, Inc.        | It is only to be understood.
(949) 784-7904                        |   - Marie Curie