On Thu, Aug 14, 2014 at 02:56:45PM -0400, Alan McKay wrote:
internalIPS = { 1 2 3 }
externalIPS = { 4 5 6 }
pass in quick log on $extIf inet proto tcp from any to (externalIPs)
port (some port) rdr-to (internalIPs)
Maybe I'm just hallucinating :-)
There's no such thing with lists or
I think you're passing some packets statelessly, because you don't block
correctly by default:
nat on vr0 from !(vr0) to any -> (vr0) round-robin
scrub on vr0 all no-df fragment reassemble
scrub on vr0 all reassemble tcp
block drop in log on vr0 all
pass out quick on ath0/rl0 keep state.
I rebuilt your setup but can't reproduce the problem.
I picked A.A.A.A=3.3.3.3 and B.B.B.B=4.4.4.4 and used FreeBSD 8.3-STABLE
i386 with GENERIC plus IPSEC, and installed ipsec-tools-0.8.0_3.
-- gatewayA --
/etc/rc.conf
ifconfig_em0=inet
On Sat, May 11, 2013 at 09:10:09AM -0600, JCA wrote:
I would be interested to use milter-regex to filter incoming emails
according to the relay host. When an email arrives, sendmail logs a line
containing several fields, like 'from', 'size', 'msgtype', etc. and their
values. One of those
If you need NAT, you have to do that on the external interface, and it
requires (implies, even) creating states.
However, you can filter statelessly on the internal interface (the
states won't match there (wrong direction, if-bound), dropping outgoing
TCP RST, passing everything else.
Sounds
On Fri, Apr 05, 2013 at 07:03:52PM +1100, Cameron Simpson wrote:
I was imagining NATing on an internal virtual interface to a private
address on some kind of internal virtual interface; this might keep
the necessary state without being the outmost layer.
And then to do stateless filtering
Yes, bridge between em2 and em3.
Assign the IP (used as gateway by the clients) to bridge0.
You'll have to duplicate the MAC filter rules per interface.
The pf rules need to match both interfaces with 'on { em2 em3 }',
and floating state-policy (default) will simply work. No increase in
On Wed, Jan 16, 2013 at 10:19:45AM +0100, Leslie Jensen wrote:
The squid access.log says tcp_miss which should mean that the
website has not replied.
The browser shows the squid access denied screen.
I cannot see any denied packets with tcpdump.
Commenting out the rdr rule gives direct
Wait, the squid server is on a separate host, on the $int_if side of the
firewall (the same side the clients are on)?
Then transparent proxying would require reflection, and doesn't work, see
http://www.openbsd.org/faq/pf/rdr.html#reflect
If squid is seeing TCP_MISS errors, that probably means
On Tue, Jan 15, 2013 at 11:50:14AM +0100, Leslie Jensen wrote:
2013-01-15 11:10, Daniel Hartmeier wrote:
Wait, the squid server is on a separate host, on the $int_if side of the
firewall (the same side the clients are on)?
Yes! This machine has been in service since FreeBSD 7.2.
It's one
You currently have the following rules
pass out log on $ext_if inet proto tcp from $proxy to any port
$proxy_services keep state
# pass out
pass out log
What's the point of these? Whenever the first rule would match, the
second one would always override it, making the first one
On Mon, Jan 14, 2013 at 03:30:21PM +0100, Johan Helsingius wrote:
I have a small network, connected by 2 ADSL connections, and
want to load-share the connections. All examples of route-to
round-robin that I have seen have used 2 separate interfaces,
but as both my ADSL modems are on the same
On Tue, Jan 15, 2013 at 09:46:37AM -0600, Karl O. Pinc wrote:
Something that's not mentioned that
comes to mind is ICMP redirection. (Without thinking
about it a lot it seems like it should be a good candidate.)
However when I tried ICMP redirection on OpenBSD
years ago I couldn't get it to
On Sat, Jan 12, 2013 at 08:03:41AM +0100, Leslie Jensen wrote:
New suggested rule that gives syntax error
# rdr in on $int_if inet proto tcp from ! $proxy to any port
$proxy_services -> $proxy $proxyport tag rdr_proxy
1) Remove in (rdr implies incoming direction)
2) Remove tag rdr_proxy (newer
On Mon, Apr 23, 2012 at 02:23:20PM -0700, Kyle Lanclos wrote:
However, this does jog another potential failure mode. Some of our older
OpenBSD firewalls (going back to OpenBSD) will occasionally (maybe once a
year) lose a network interface. If you logged in at the console of a
host while it
On Mon, Apr 23, 2012 at 11:49:14AM -0700, Kyle Lanclos wrote:
Where this presents a problem is if the current CARP master loses a single
network interface (cable unplugged, isolated hardware failure, sysadmin
failure, etc.), as opposed to the CARP master failing entirely. The slave
will
On Fri, Apr 08, 2011 at 03:42:41PM +0300, Bojidara Marinchovska wrote:
So the correct question is how to accomplish
pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x
with only 1 rule ?
While negating a list never does what you want,
On Wed, Jan 05, 2011 at 08:42:03PM -0800, Bonnie Packet wrote:
So my question is, again how regular packets from the Net pass out to
the wireless network over rl0. Is this somehow a function of the NAT
rules that I don't understand? Or something to do with established TCP
connections being
On Fri, Mar 13, 2009 at 10:25:15AM +0100, Jeremie Le Hen wrote:
% Mar 13 08:18:52 yoda /netbsd: pf: BAD state: TCP 82.233.239.98:39225
82.233.239.98:39225 88.187.38.85:80 [lo=3443494040 high=3443494041 win=2048
modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3041360721 ack=0 len=0
On Thu, Mar 12, 2009 at 10:13:53AM +0100, Jeremie Le Hen wrote:
% yoda# nmap -sS AAA.BBB.CCC.DDD
% Starting Nmap 4.65 ( http://nmap.org ) at 2009-03-12 08:00 CET
% sendto in send_ip_packet: sendto(4, packet, 44, 0, AAA.BBB.CCC.DDD, 16) =
No route to host
% Offending packet: TCP
On Wed, Nov 26, 2008 at 12:52:47PM -0600, Patric wrote:
ext_if = xl2
int_if = xl1
localnet = $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
pass from { lo0, $localnet } to any keep state
this is pretty much the most basic natting pf.conf
On Wed, Apr 02, 2008 at 04:27:17PM -0700, Adam Richards wrote:
While I'd prefer a yes pf can do this answer, I will accept a
no...but here are the code sections you'll want to look at to
start your patch work answer. ;)
No, pf can't do it. Not because it's technically impossible or
On Wed, Feb 27, 2008 at 11:28:28AM -0800, Daniel Duerr wrote:
I understand from the pf documentation (and logic) that you cannot
queue incoming packets on an interface, makes sense... In various
examples around the net, however, I've seen people attaching queues
to inbound rules as
On Sun, Feb 24, 2008 at 01:28:43AM +1300, Michael Adams wrote:
Any help most appreciated, I'm really stumped by this!
Thanks, and apologies if it's a stupid question.
http://www.openbsd.org/faq/pf/rdr.html#reflect
Daniel
On Tue, Feb 12, 2008 at 07:40:14PM +0100, Helmut Schneider wrote:
Is that expected?
No, it's a bug introduced with pf.c 1.534 after 4.1 was released.
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.533&r2=1.534&f=h
For IPv6 TCP, calling pf_check_proto_cksum() with AF_INET
route-to != reply-to
Daniel
If I understand correctly, you have several uplinks, and you redirect
requests coming from each uplink to dedicated servers, i.e. server A
handles all requests coming in through uplink A.
You want the return packets to go back through the appropriate uplink.
This should work:
Use rdr on the
On Wed, Jan 23, 2008 at 01:49:31AM +0300, Ogogon !!! wrote:
How to me to adjust milter-regex that the authorized remote users could
send mail from any address?
Check what macros and values the milter gets from sendmail, either by
logging daemon.debug in syslog.conf or running the milter with
Most of your BAD state messages are of the form
pf: BAD state: TCP X.X.129.45:80 X.X.129.45:80 X.X.246.205:1771
[lo=4006379205 high=4006444151 win=17424 modulator=0]
[lo=2523483440 high=2523483440 win=65535 modulator=0] 4:4 A
seq=2523483440 (2523483440) ack=4006379205 len=1452
On Mon, Dec 17, 2007 at 03:52:00PM +0100, Henrik Johansen wrote:
You can find the requested dump here:
http://blog.myunix.dk/pf/tcpdump.sanitized
The corresponding BAD state error is here:
http://blog.myunix.dk/pf/messages_tcpdump.sanitized
There is nothing obviously wrong with the dump.
On Mon, Sep 03, 2007 at 08:17:45AM +0200, Tobias Marx wrote:
### outgoing http loadbalancing ###
anchor http_out out on $extif_1 from clients to any
load anchor http_out from /bla/http_out
And the problem is?
You get a syntax error when trying to load the ruleset? If so, from
which file?
On Mon, Sep 03, 2007 at 10:22:53PM +1200, Russell Fulton wrote:
I take it from the silence that the answer is that pf lacks this
functionality at the moment. Bother :)
Yes, that's correct.
What would the overhead be of setting up a queue for every source
address (1024 of them) ? Will
On Mon, Sep 03, 2007 at 11:37:22AM +0200, Tobias Marx wrote:
can someone verify this behaviour?
I doubt this has anything to do with anchors. To verify, you can move
the contents of http_out into the main ruleset (and remove the anchor
call), and reboot, as a test. Watch out for error messages
On Fri, Aug 17, 2007 at 11:01:20AM -0700, Dylan Martin wrote:
Or, is there another way around this problem? A way to make an
alias for an interface, say?
Interface groups work pretty well for that, see ifconfig(8). In most
cases, the default 'egress' group (containing only the interface where
On Fri, Aug 10, 2007 at 09:50:57AM +0200, Javier Solorzano wrote:
I collect with /usr/local/bin/pfstat -q -r myip:port -d /var/db/adam.db
and produce graphics with /usr/local/bin/pfstat -c /etc/
pfstat.adam.conf -d /var/db/adam.db -p
You need to specify the alternate configuration file with
Looks like the blocked packets were IP fragments. For stateful
filtering, IP fragments must be reassembled, try adding
scrub in fragment reassemble
at the top of your ruleset.
Daniel
On Fri, Feb 02, 2007 at 02:12:12PM -0800, Michael K. Smith - Adhost wrote:
self tcp 10.211.100.110:110 - x.x.x.164:110 - x.x.x.98:52857
ESTABLISHED:ESTABLISHED
[526026435 + 65535] wscale 1 [2600240610 + 65665] wscale 0
age 00:00:03, expires in 04:59:57, 3:2 pkts, 168:154 bytes, rule 9
On Wed, Feb 07, 2007 at 04:47:00AM +0800, frank hu wrote:
So my question is why PF create state while the first 3-way handshakes
didn't complete? What is right usage of synproxy rule to protect port
from DoS attack?
That's what synproxy does, by design. It does protect the recipient
from
On Mon, Jan 29, 2007 at 04:33:45PM +0100, Thomas Althoff wrote:
I did the crash procedure on 3.9 and found that this is the line
causing the problem
if (!r->max_states || r->states < r->max_states)
I have upgraded my boxes to 4.0-current, no change.
If you can reproduce it with a recent
I'd first make sure it's not CARP related (i.e. all packets always pass
through one box), by (temporarily) turning off the backup box. If, for
some reason, packets would flow through both boxes (some through the
master, some through the backup), things would break in funny ways.
Now that
On Thu, Jan 11, 2007 at 09:46:39PM -0600, Travis H. wrote:
So, surprisingly, many OSes don't synchronize their TCP timestamp
clock to their system clock, so effectively they leak the skew of
that clock, even if they are synching their system clock via NTP.
I am wondering what the current
On Thu, Dec 14, 2006 at 02:47:16PM -0800, Michael K. Smith - Adhost wrote:
Our problem is with state maintenance upon failover. It appears the
state tables are properly synced between the devices but, when we fail
to our secondary firewall, established connections through the firewalls
fail.
On Mon, Dec 04, 2006 at 02:02:38PM +0100, Axel Rau wrote:
If flags S/SA would just be ignored by none-tcp packets, I would be
happy.
Be happy, it is. ;)
But the man page says:
This rule only applies to TCP packets that have the flags a set
out of set b.
This means to
On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:
It's a problem with FreeBSD or it's with pf ?
With neither, you're assuming a state entry has the same effect in pf as
in ipfw, which is not the case.
For example I've put this kind of rule
pass in on $first-nic proto tcp
On Thu, Nov 30, 2006 at 04:00:37PM +, Karl O. Pinc wrote:
The clean solution would be if pf had some sort of #include
mechanism. Then the macros that abstract the interfaces could
be written into include-ed files and everything else would be
sane.
pfctl -D int_if=foo -f /etc/pf.conf
On Fri, Dec 01, 2006 at 02:14:14PM +1300, Russell Fulton wrote:
pass in quick on fxp0 all allow-opts
Am I correct in thinking that this line effectively passes *all* traffic
in on fxp0 with no more checking because of the 'quick' option?
Yes, it does.
The rule is meant to illustrate
On Fri, Nov 10, 2006 at 11:10:47AM -0800, Nathan Valentine wrote:
Reference: http://www.benzedrine.cx/ackpri.html
One of the rules in that document is:
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
The 'flags S/SA' part of this rule
On Thu, Nov 09, 2006 at 03:11:55PM +0100, Pierre-Yves Ritschard wrote:
It works as expected but this looks like a 'state-policy ifbound'
behavior right ?
I tested this with latest (11/7) current available on my mirror and
the behavior is the same.
You're probably misreading what
On Tue, Nov 07, 2006 at 06:08:52PM +, Paul Pruett wrote:
A nominal i386 computer with only a meg of ram
without limit changes would not load it.
Neither would a stock GENERIC kernel on any architecture. The reason is
that those 600+MB of table entries are allocated from kernel memory. And
On Mon, Nov 06, 2006 at 02:21:58PM -0800, Michael K. Smith - Adhost wrote:
We are looking at pulling in a listing of about 70,000 IP entries (most
of them are hosts, not subnets) into a PF Table. Is there any hard
limitation to the configuration size or ability to parse through
something
On Sat, Oct 07, 2006 at 06:29:46PM +0200, Federico Giannici wrote:
Having received no useful replies, let me try a simpler question: How
can I identify (i.e. filter) TCP ACKs with no data payload?
I know how to identify ACKs, but is there any way to identify packets
with no payload,
On Wed, Aug 16, 2006 at 06:56:49AM +0200, Michal Soltys wrote:
George Pontis wrote:
Daniel - any attempt that I can muster to subscribe to the pf mailing
list fails because spamassassin flags it as spam. The recommended text
subscribe in the body of the message is rated as spam and the
On Wed, Aug 16, 2006 at 02:04:32PM -0700, George Pontis wrote:
pass in quick on $int_if \
route-to ($ext_if2 $ext_gw2) \
inet proto tcp from 192.168.1.120 to any flags S/SA \
keep state (floating) \
You seem to be assuming that a floating state created on $int_if will
On Wed, Aug 16, 2006 at 08:33:10PM -0700, George Pontis wrote:
#
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
ext_if2 to ext_gw2
#
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags
S/SA keep state
pass out on $ext_if1 route-to ($ext_if2
On Tue, Jul 25, 2006 at 01:07:06PM -0400, mnothic wrote:
I need documentation it approaches incoming traffic in an IP ALIAS and
port redirected to a private IP and port
Start with the pf.conf(5) man page, as on
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf
There is nothing special
On Wed, Jul 19, 2006 at 01:35:51PM +0530, Rajkumar S. wrote:
And these rules are dynamic ie, the rule one might be for 10 minutes
and after which it needs to be deleted.
The current way is to flush the anchor and then load the anchor with
all the rules except the one deleted. It is a
On Thu, Jul 13, 2006 at 11:07:46AM -0400, Peter wrote:
I have installed the pfstat 1.7 package on my 3.8 system. The trouble
is that I do not get any data being graphed. Here is my test setup:
# cat /etc/pf.conf
pass log all
Add set loginterface fxp0, which designates one interface to
On Wed, Jul 12, 2006 at 03:25:28PM +1000, Adam Clark wrote:
traffic going to hosts behind the box were showing in on pflog0, but
no traffic to 10.17.10.254 shows. If I put a log-all on a line that
matches the traffic on the $ext_if interface it shows that indeed
traffic is heading towards
On Tue, Jul 11, 2006 at 05:52:21PM -0500, Travis H. wrote:
If pfstatd makes statistics available to network clients like pfstat,
how does one tell pfstat to use the network? I see no options for
such, and putting the hostname on the command line just generates an
error.
You need pfstat-2.2,
On Wed, Jul 05, 2006 at 01:34:34PM +0200, Daniel Rapp wrote:
pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25
ccc.ccc.ccc.ccc:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0]
[lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566
ack=740836633 len=0
On Tue, Jul 04, 2006 at 12:12:51PM +0200, Daniel Rapp wrote:
pass out quick on $WAN proto tcp all flags S/SA
Why no 'keep state' here? You really only pass out SYNs, don't pass
SYN+ACK back in, and neither pass further (non-SYN) packets? Makes no
sense.
If i do a tcpdump -e -n -ttt -vv -i
On Wed, Jul 05, 2006 at 02:07:42PM +0200, Daniel Rapp wrote:
pf: BAD state: TCP aaa.aaa.aaa.aaa:25 aaa.aaa.aaa.aaa:25
bbb.bbb.bbb.bbb:2554 [lo=1937461566 high=1937478751 win=65535 modulator=0]
[lo=740836633 high=740902095 win=17184 modulator=0] 4:4 R seq=1937461566
ack=740836633 len=0
On Fri, Jun 30, 2006 at 09:40:38PM -0700, Mark Voelker wrote:
I'm frequently hearing (not only in these threads) that pf is
thought to be buggy with regards to window scaling that and that
it can cause problems like those described in these threads.
Problems like this occur when people use
On Thu, Jun 29, 2006 at 11:37:41AM +1000, David Diggles wrote:
-quote section from pf.conf
anchor test/*
load anchor test from /etc/pf/anchors/test
-quote section from pf.conf
(this pf.conf has a default block set)
anchor test/* will cause evaluation of all sub-anchors of
On Tue, Jun 27, 2006 at 09:17:18AM +0530, Ajith Kumar wrote:
I had modified the entry like this
pass in quick log on fxp0 from any to x.x.x.x keep state flags S/SA #1
pass out quick log on fxp1 from any to x.x.x.x keep state flags S/SA #2
pass in quick log on fxp1 from x.x.x.x to
On Tue, Jun 06, 2006 at 04:01:09PM +0200, Antoine Jacoutot wrote:
How would you translate the following ?
= deny ip from any to 145.238.0.0/255.255.0.255
The parser doesn't yet support such netmasks, you'll have to manually
expand to all combinations, using a table makes evaluation faster:
On Fri, May 26, 2006 at 11:09:51AM +0530, Siju George wrote:
host1 = 192.168.1.1
host2 = 192.168.1.2
all_hosts = { $host1 $host2 }
is that an error ?
No, it's correct if you want to use $all_hosts in a
On Tue, May 23, 2006 at 03:31:46PM -0700, andrew fresh wrote:
host_list = { $hosts }
port_list = { $ports }
Try adding
q_host_list = '{' $hosts '}'
q_port_list = '{' $ports '}'
then replace
end_03 = proto tcp from $host_list to any port $port_list
with
end_03 = proto tcp from
On Thu, May 18, 2006 at 04:10:22PM -0400, Chad M Stewart wrote:
For some reason I'm not seeing every blocked packet logged.
Why do you expect every blocked packet to get logged? Not all your block
rules use 'log'. Packets could easily get blocked by a rule without 'log',
hence get blocked but
On Thu, May 18, 2006 at 04:38:44PM -0400, Chad M Stewart wrote:
# cat /etc/pf.conf |grep -v ^# |grep block
set block-policy return
block in log all
block log quick inet proto tcp from ssh-denied to $ssh_servers port
ssh label accessive-ssh
Ok, so all your block rules do have the 'log'
On Thu, May 18, 2006 at 05:24:28PM -0400, Chad M Stewart wrote:
Status: Enabled for 0 days 02:05:34 Debug: Urgent
The differences in the pfctl -si outputs look like it MUST be a block
rule without 'log' matching those packets, after all.
The grep in your /etc/pf.conf might have been
On Thu, May 18, 2006 at 04:38:44PM -0400, Chad M Stewart wrote:
set skip on lo0
set skip on $pfsync_if # might not want this
These two lines don't add up, the second one replaces the first,
so lo0 is not really skipped. Use a single set skip line, listing
all interfaces to be skipped at
On Thu, May 18, 2006 at 06:32:37PM -0400, Chad M Stewart wrote:
Perhaps it is just my tired brain but it seems strange
that in other rules carp0 is used as the incoming interface.
Maybe Ryan can comment, from
http://www.countersiege.com/doc/pfsync-carp/
When writing the rest of the pf
And after some head scratching one realizes that endianness matters with
database keys, and macppc isn't the best platform to spot that. ;)
Update on http://www.benzedrine.cx/pfstat-2.2.tar.gz
MD5 (pfstat-2.2.tar.gz) = 49ce4a028dfa00b65fccbabc96836c97
* fix endianness issues in database
On Tue, May 16, 2006 at 06:15:13PM +0200, Jonas Davidsson wrote:
I'm getting some very strange numbers out of this now, number of states
for example, are shown to be around seven thousand in the graph,
while pfctl shows only 680. Most other values are just plain off.
That's via the remote TCP
Thanks for the feedback!
An update is on http://www.benzedrine.cx/pfstat-2.1.tar.gz
MD5 (pfstat-2.1.tar.gz) = 82bcef47cca25b3ff28a4628ccaee26b
* properly count line numbers when parsing configuration file,
so syntax error messages refer to the appropriate line
* support # comments in the
Here's a major update to pfstat. The most important changes:
* Add a small daemon 'pfstatd' which listens on a TCP port and, when
connected to, sends the statistical pf data in plain text to the
peer. This program has no dependencies (gd, X11, etc.), so it can
be easily installed on a small
On Mon, May 08, 2006 at 05:58:08PM +0300, Hisham Mardam Bey wrote:
Can this be achieved using pfsync? If so, what do I need to do to get
this working? If not, can pfsync be extended to allow for this or
should we look into something different altogether?
This currently won't work. pfsync does
On Thu, May 04, 2006 at 01:46:59PM +0300, Hisham Mardam Bey wrote:
I have an update on the situation. Here's what I did:
[client]--[loadbal]--[my 2 backends]-[samba server]
Doing this with only one interface (and bouncing incoming packets out
through the same interface) sounds like asking
On Mon, May 01, 2006 at 08:26:37PM -0400, jared r r spiegel wrote:
my5addrs=1.2.0.1 1.2.0.2 1.2.0.3 1.2.0.4 1.2.0.5
nat on $ext -> { $my5addrs }
i've never dealt personally with multiple egress IPs, but that
syntax passes the parser
Yes, that should work. pf will automatically cycle
On Tue, May 02, 2006 at 02:32:31AM -0700, [EMAIL PROTECTED] wrote:
I'm not demanding anyone do anything, I'm not trolling, I just want to
get this acknowledged as an area for potential development. Why
everyone's so resistant to this is beyond me. That this is the only
extra feature I'd like
On Sat, Apr 29, 2006 at 04:26:19PM -0700, [EMAIL PROTECTED] wrote:
I'd have a look at this problem myself, but I'm not good with C. I was
hoping there was some sort of todo list I could petition this to be
added too, because lots of people here seem to agree this is pf's (and
ALTQ's) worst
On Sat, Apr 29, 2006 at 06:05:47AM -0700, [EMAIL PROTECTED] wrote:
I know this is possible because IPFW with dummynet doesn't have any
problems. If everyone loves PF because of its elegance why can't it do
something as simple as queue download traffic?
On Sat, Apr 29, 2006 at 05:10:40PM +0200, Stanislaw Halik wrote:
I can speak for myself - I can't afford both the hardware and the
electricity bill for a separate machine. Maybe downstream limiting isn't
very robust, but IMO is the biggest thing pf/altq lacks.
What I tried to express in the
On Fri, Apr 28, 2006 at 12:42:13PM +0400, Boris Polevoy wrote:
Is it bug or not?
Yes, it looks like a bug. Or, more than one, actually.
I assume what you expect the sequence to do is the same as
# echo 'anchor external' | pfctl -f -
# echo 'anchor internal' | pfctl -a external -f -
#
On Sat, Apr 22, 2006 at 05:44:07AM +, George Pontis wrote:
I am having a hard time routing a reply out the correct WAN interface.
In spite of using a reply-to and creating state, the packet is routed
to the other interface and then dropped.
The routing to the interface with the default
On Sat, Apr 22, 2006 at 03:37:35PM -0700, Allie Daneman wrote:
Apr 22 14:53:52.935466 rule 18/(match) pass out on xl0: 24.XX.XX.X.50599
216.XXX.XX.XX.53: [|domain]
Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: 216.XXX.XX.XX.61144
24.XX.XX.X.50599: udp 116 [tos 0x20]
The query is
On Fri, Apr 21, 2006 at 11:38:11AM -0700, Jon Simola wrote:
This is totally repeatable, and keeps biting me. Is this a bug or feature?
I think it's expected that -N only reads and honours NAT rules, and
ignores anything else, including any options like 'set skip'. The man
page is clear on that,
I guess what you want is simply this
Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.244
diff -u -r1.244 pfctl.c
--- pfctl.c 17 Nov 2005 20:52:39 - 1.244
+++ pfctl.c 21 Apr 2006
On Tue, Apr 18, 2006 at 10:27:53PM -0700, [EMAIL PROTECTED] wrote:
altq on $int_if bandwidth 100Mb cbq queue { ether, nattraffic }
queue ether bandwidth 70% cbq
queue nattraffic bandwidth 30% cbq (default) { out_, in_ }
queue out_ bandwidth 64Kb cbq { out_me, out_others }
queue out_me
On Wed, Apr 19, 2006 at 10:30:47AM -0400, Roy Morris wrote:
huh? - I must be misreading/understanding the question
pass out on $some_if from x to z proto tcp keep state
That's src equals x AND dst equals y. What Travis is asking for is
src equals x OR dst equals x.
It can be done in two
On Mon, Apr 10, 2006 at 06:28:24PM -0400, James Nachlin wrote:
I'm having a strange situation where I'm getting back errors when
connecting to a web server (lighttpd) from IE, which I do not get from
firefox and I don't get connecting directly, not through the pf firewall.
To the client,
On Fri, Apr 07, 2006 at 12:04:23PM -0400, Gabriel Wachman wrote:
If NAT translation happens BEFORE any filter rules are evaluated
(see http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be
true that an outbound packet from the internal network will be
seen by the filtering engine as a
On Fri, Apr 07, 2006 at 09:09:30PM -0500, Travis H. wrote:
What would be the appropriate way to submit additions to the PF FAQ
and/or pf.conf manpage? Specifically, what is the source format,
where can I get the source (for the FAQ, I know where to get the
unformatted manpage), and to whom
On Wed, Apr 05, 2006 at 11:49:12PM +0200, Per-Olov Sjöholm wrote:
The PF rule...
pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label
TEST:$dstaddr# keep state
Gives a label like
TEST:65.45.128.128/25# 230 3099 1511793 1370 148914 1729 1362879
Is there an easy way
On Thu, Apr 06, 2006 at 09:52:34AM -0400, Peter wrote:
Do you know if there is something going on to make this possible?
And today the only way is a rule for each customer IP in pf.conf
then?
Or are there maybe other tools except labels in PF to make this
statistics to
work in an
On Fri, Mar 31, 2006 at 10:25:14PM -0600, Travis H. wrote:
On further experimentation, I am convinced there is a memory leak when
using tagging. I would experience net death after 1-3 days of
activity. Nothing I could do would free up any space, except for
rebooting.
If this is on OpenBSD,
On Thu, Mar 30, 2006 at 11:51:36AM +0200, Fredrik Widlund wrote:
Is this a wscale issue desyncing the session? I'm guessing here, but
does PF set the window to 46 receiving the data push from the server,
while C still believes it's 57927 and sends out 59 bytes? What is
wrong here, PF
On Wed, Mar 29, 2006 at 03:07:10PM -0500, David Steinbrunner wrote:
I currently have a working anchor that I would like to split into many
anchors. The anchor is meant for the rules related to a table so the parent
anchor defines the table and then the child anchors hold different types of
On Thu, Mar 30, 2006 at 06:34:02PM +, George Pontis wrote:
For a rule that matches both UDP and TCP packets, is flags S/SA
safely ignored for UDP ?
Yes, the rule matches UDP packets as if the flags S/SA wasn't there.
Daniel