On 5/16/06, Travis H. [EMAIL PROTECTED] wrote:
I can't decide if it would be best for the firewall to be transparent
or not.
If you're talking about bridging, then that's in direct conflict with
your desire to admin it from the outside. The only way to admin a
bridging firewall is on the
On 4/13/06, Travis H. [EMAIL PROTECTED] wrote:
Just some suggestions.
2) Sticky queue assignments. Using tags for many purposes gets clunky.
This has come up on the list a couple times in the past (at least once
by myself). Using tags becomes an art when used for this and
eventually you
On 4/7/06, Travis H. [EMAIL PROTECTED] wrote:
Does putting borrow on all child queues make any sense?
The way I read it, it does, so like a child queue that isn't using its
bandwidth, can be borrowed by a sibling queue, is that correct?
That's how it appeared to work in my tests.
--Bill
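As an added example (not from any message on this page), here is a minimal ALTQ CBQ configuration with borrow on every child queue, the arrangement Bill says behaved as expected in his tests. The interface names, the 10Mb link figure, the queue names and the accompanying filter rules are assumptions chosen for illustration; the pf.conf syntax is the OpenBSD 3.x-era ALTQ syntax that this thread discusses.

```pf
# Assumed interfaces and network (not from the thread)
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.0.0/24"

# CBQ tree on the outbound interface. Every child carries 'borrow', so a
# child that has exhausted its own share may take bandwidth from the parent,
# which in practice is whatever its siblings are not currently using.
altq on $ext_if cbq bandwidth 10Mb queue { q_ssh, q_web, q_bulk }
queue q_ssh  bandwidth 20% priority 6 cbq(borrow)
queue q_web  bandwidth 50% priority 4 cbq(borrow)
queue q_bulk bandwidth 30% priority 1 cbq(default borrow)

block all

# Stateless pass on the inside interface; the state (and with it the queue)
# is created by the outbound rules on $ext_if, where ALTQ is configured.
pass in on $int_if from $int_net to any

pass out on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state queue q_ssh
pass out on $ext_if proto tcp from any to any port { 80, 443 } \
    flags S/SA keep state queue q_web
pass out on $ext_if from any to any keep state queue q_bulk
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -vsq` prints per-queue statistics for CBQ, including a `borrows` counter; if a child never borrows while a sibling sits idle under load, the flag is not doing what you expect. This assumes the default floating state policy, so that the return traffic and later outbound packets of a connection match the state created on $ext_if rather than being re-evaluated against the rules.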
On 3/31/06, Travis H. [EMAIL PROTECTED] wrote:
Is anyone else using tagging extensively and _not_ having problems
with running out of kernel buffer space? Do you do any retagging? Do
you tag on one interface and use the tag on another?
At work, all my rules are pass in ... tag ROUTED w/ a
I'm running into a small issue with squid on OpenBSD 3.5 (I
know...we're working on our 3.9 build right now) and I'm wondering if
anyone has run into it, or has any suggestions (other than upgrade to
3.9 unless you know the fix is in there for sure).
We've been seeing 503 No route to host errors
On 3/30/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
On Thu, Mar 30, 2006 at 01:58:19PM -0600, Bill Marquette wrote:
Any suggestions??? I'm guessing most people aren't seeing this as
they are connecting to multiple hosts, not a select few at a decent
connection rate.
Is squid re-using
On 11 Feb 2006 17:33:56 -0800, Jonathan Rogers [EMAIL PROTECTED] wrote:
Thanks much! ...but pfflowd is tremendous overkill for my situation
(where I just want to collect a few arbitrary traffic stats for a dozen
IPs at most). Nor do I have a second box to devote to stats collection,
nor the
On 2/10/06, Travis H. [EMAIL PROTECTED] wrote:
On 2/7/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
Also, what happens when a packet matches several queue assignments and
I'm not using the QUICK modifier in the rule? Is it last match wins?
I'm migrating from ipfw which is based on first
Redirecting to pf@benzedrine.cx and freebsd-pf@freebsd.org as slightly
more appropriate lists than misc@
On 2/8/06, Andrew Atrens [EMAIL PROTECTED] wrote:
Here's what I have today, that looks to be working well -
altq on $ext_if cbq bandwidth 100Mb queue { output_ext }
queue output_ext
On 1/18/06, Travis H. [EMAIL PROTECTED] wrote:
You get a packet into pf by sending the packet.
There is no easy way to resume processing. Once it has been sent to
userland, processing is over. There's nothing to resume.
If you're asking about this, you're probably out of your depth.
Or
On 1/17/06, Edmond Dantes [EMAIL PROTECTED] wrote:
I would like to do some content analysis on packets from a user space process,
something like a L7 filter. rdr seems the way to go, but I cannot understand
how to get the packets back into pf so it can continue with the rules and
maintain
On 1/5/06, Marcin Miksowski [EMAIL PROTECTED] # cat
/etc/hostname.carp0
inet 192.168.0.5 255.255.255.0 192.168.0.255 vhid 1 carpdev em1
advskew 1 pass 31337
# cat /etc/hostname.carp1
inet 111.111.111.13 255.255.255.0 111.111.111.255 vhid 2 carpdev em0
advskew 1 pass 31337
# cat
Reforwarding this...it was the holidays so maybe it got missed.
Anyone? Thanks!
--Bill
On 12/27/05, Bill Marquette [EMAIL PROTECTED] wrote:
Unless I'm missing something blatantly obvious (it wouldn't surprise
me), I can't find a way to figure out what queue a given state is
assigned
Unless I'm missing something blatantly obvious (it wouldn't surprise
me), I can't find a way to figure out what queue a given state is
assigned. Obviously, based on rules I could logically figure it out,
but I'm looking for a way with pfctl -ss (-vvss, etc) to be able to
see what's actually in
On 10/23/05, Nikolay Kalev [EMAIL PROTECTED] wrote:
Just an idea which I didn't try myself. Try to tag every packet from the
internal network and then put it in the right queue with a separate rule
for that. Please tell me if it works :-)
This is how we do it in pfSense - except in reverse.
On 10/19/05, Jason Dixon [EMAIL PROTECTED] wrote:
I wouldn't be surprised if they're incompatible on the same segment.
They use the same protocol number, and I'm willing to bet you have
identical VRIDs/VHIDs in there. Even if the IDs are not the same,
the OS is trying to make sense of what it
On 10/19/05, Zack Lawson [EMAIL PROTECTED] wrote:
Hey everyone,
I am having an issue where CARP interfaces on the same network segment
as VRRP interfaces (on our ISP's routers) are causing the CARP
interfaces to malfunction.
I also get the following errors in /var/log/messages:
/bsd:
resend, didn't realize my previous was in HTML until the list blocked it :-/
On 10/11/05, Jason Dixon [EMAIL PROTECTED] wrote:
On Oct 11, 2005, at 3:38 AM, Travis H. wrote:
FYI, this archive:
http://www.benzedrine.cx/pf/
Has not been archiving since 12 Apr 2005.
Don't need it.
On 7/18/05, Gar Lum Ho [EMAIL PROTECTED] wrote:
Hi,
I'm trying to limit bandwidth per IP using PF; after looking in the man pages,
PF does not seem to support this. Further searching, I found a patch that allows
you to do this that was posted last year.
http://www.benzedrine.cx/pf/msg04055.html
On 5/26/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
On Thu, May 26, 2005 at 03:46:20PM -0500, Bill Marquette wrote:
I know this doesn't work today, does it make sense to? We can already
have from/to/port evals in anchor rules, why not allow tagged as
well? :)
Makes sense, consider
On 5/26/05, Bill Marquette [EMAIL PROTECTED] wrote:
I know this doesn't work today, does it make sense to? We can already
have from/to/port evals in anchor rules, why not allow tagged as
well? :)
pass in proto tcp from any to any port = 22 flags S/SA keep state tag qHighDown
anchor
I know this doesn't work today, does it make sense to? We can already
have from/to/port evals in anchor rules, why not allow tagged as
well? :)
pass in proto tcp from any to any port = 22 flags S/SA keep state tag qHighDown
anchor aHighDown tagged qHighDown
BTW, that rule set (which isn't valid
I sent this to the freebsd pf list yesterday, but I think it's just as
pertinent to this list.
I'm trying to have pf do what's essentially a queue assignment in
one rule and a final pass/keep state in second rule. The man page for
FreeBSD 6 (and OpenBSD 3.7) reads like it should work the same
On Tue, 25 Jan 2005 13:15:30 -0500, Peter Fraser [EMAIL PROTECTED] wrote:
I tried the following. There is a block all earlier.
# be more generous with pings
block in inet proto icmp all icmp-type $icmp_types tag icmp
pass in quick from PingUsers to any
I'm not sure what benefit you think you're getting from forcing the
ftp to come from the carp address. If the machines swap state (master
fails), the ftp will fail also as it's relying on a userland process
to facilitate it. You might want to check out ftpsesame