Re: tcp bad checksum on reply-to packets

2003-03-28 Thread jared r r spiegel
On Thu, Mar 27, 2003 at 02:31:00PM -0500, David Powers wrote: [ I was experimenting with a recent build of -current (3/25/2003) ... a tcpdump -vv on both ends showed ... do I just have a bad build of current? ] this might not be wholly relevant, but i was in a similar boat recently,

Re: pf+altq

2003-04-04 Thread jared r r spiegel
Nikolay Denev wrote: The provider shapes me at 512/128Kb local and 64/16Kb international traffic. this might totally be a stupid nonsense idea, but a good half of my ideas are stupid nonsense but also crazy enough to work. what if you created two vlans, each using your external interface

Re: pf rdr on requests originating from firewall box itself

2003-06-14 Thread jared r r spiegel
On Sat, Jun 14, 2003 at 04:52:26PM -0400, Michael Purcaro wrote: /etc/inetd.conf 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.2 80 /etc/pf.conf rdr on $ext_if proto tcp from any to any port 80 -> $WWW_IP port 80 rdr on $int_if proto tcp from $int_net to

limit of 62 queues? ( hfsc )

2003-06-28 Thread jared r r spiegel
aloha. i'm messing with a pf.conf trying hfsc queues; i'm probably creating more complexity than i need here -- but just out of curiosity, is there meant to be a limit of 62 queues for hfsc type queues, or a limit of 62 in general ? in the main, work-in-progress pf.conf, i have two

Re: Passive FTP Proxy?

2003-07-13 Thread jared r r spiegel
On Thu, Jul 10, 2003 at 10:44:10PM -0400, Jason Dixon wrote: Is there any way to ftp-proxy an outgoing passive ftp connection through a default block policy on the internal interface? yeah, i'm using the user proxy thing like this : === i=fxp1

Re: limit bandwidth per user

2003-07-18 Thread jared r r spiegel
On Fri, Jul 18, 2003 at 08:37:04PM +0200, Angel Todorov wrote: limit the upload rate to a certain value for each IP in a certain network ? for example 10kbit/sec for each ip in 172.16.0.0/16 it might be suboptimal, but you could create a queue for each IP, and then a literal pass rule

Re: stateful filters affect queue filters

2003-07-23 Thread jared r r spiegel
On Wed, Jul 23, 2003 at 01:36:13AM -0300, Alejandro G. Belluscio wrote: I just wonder if some hash attack could be used against the state matching code without flags, like the recens DNS attack. http://www.cs.rice.edu/~scrosby/hash/ hmm. the paper mentions squid, and it seems to be of a

Re: Multiple Default Gateways.

2003-07-24 Thread jared r r spiegel
On Thu, Jul 24, 2003 at 12:19:30AM -0600, Richard D. Gutery wrote: and nothing else (or to be more correct the FIRST GATEWAY address in mygate). Any suggestions or ideas would be appreciated. as i'm not in a similar scenario, i don't know if this would be as easy as the suggestion

Re: unmatched push

2003-08-03 Thread jared r r spiegel
On Mon, Aug 04, 2003 at 02:55:08PM +1000, Craig Barraclough wrote: Hi all, I've got a strange occurrence with connection to one of my boxes, during ssh connections, I'll quite commonly have the connection freeze then drop, with an entry in pflog: snip Followed by a series of (13) resets:

Re: NAT and Redirection

2003-08-15 Thread jared r r spiegel
On Sat, Aug 16, 2003 at 03:22:38AM +0200, Daniel Hartmeier wrote: On Sat, Aug 16, 2003 at 12:09:44AM +0200, Andy wrote: Is there any easy way to achieve this? A common solution is to redirect all incoming connections to a HTTP proxy like squid, which accepts incoming connections, reads

Re: setting up timeout per TCP port

2003-08-25 Thread jared r r spiegel
On Mon, Aug 25, 2003 at 09:27:52AM +0200, Alexandre Dulaunoy wrote: I would like to set the timeout of a specific TCP service with pf. It seems that the values are globals (tcp.closing and so on...). Is it possible to make a timeout for a specific TCP port ? I have looked in pf.conf(5)

Re: setting up timeout per TCP port

2003-08-25 Thread jared r r spiegel
On Mon, Aug 25, 2003 at 01:44:54AM -0600, jared r r spiegel wrote: from pf.conf(5): ( line ~200 ) These values can be defined both globally and for each rule. When used on a per-rule basis, the values relate to the number of states created by the rule, otherwise to the total number

Re: RDR Question?

2003-08-26 Thread jared r r spiegel
On Tue, Aug 26, 2003 at 12:31:24PM -0400, J. Sabino wrote: Is there a shorter way to do 1 to 1 RDR? Consider the following: rdr on $ext proto tcp from any to $ip port 24099 -> 192.168.1.20 port 24099 rdr on $ext proto tcp from any to $ip port 24100 -> 192.168.1.20 port 24100 rdr on $ext proto

Re: Tools to help manage PF

2003-09-23 Thread jared r r spiegel
On Mon, Sep 22, 2003 at 07:18:06PM -0400, Elijah Savage wrote: track hits on that certain rule. tack a unique label on each one. # pfctl -vsl shows you, in order: (from pfctl(8)) -s labels Show per-rule statistics (label, evaluations, packets, bytes)

Re: rdr requires a pass?!

2003-10-13 Thread jared r r spiegel
On Sun, Oct 12, 2003 at 11:13:18PM -0500, Jay Moore wrote: If I have a redirect as I do, why do I need a rule that allows the redirect to actually take place? Put another way: do I need the redirect with the pass rule for spamd? it's like RISC vs CISC, or something... think of that 'pf

Re: transparent proxy isn't the def gw

2003-11-26 Thread jared r r spiegel
On Wed, Nov 26, 2003 at 11:18:41AM +0100, Thelmo Loisio wrote: All run correctly and it's a charm but now for some reasons that overcomes my willing i cannot set this as the def gw for my lan and as soon as i don't set this as the def gw all stop working, for it to work again i've to set it

just a reminder about pf.conf and DNS

2004-01-09 Thread jared r r spiegel
yeah... maybe using DNS resolution to specify hosts your rules pertain to rather than just using their IPs is not such a hot idea... especially as it pertains to remote reboots. whoops. jared -- [ openbsd 3.4 GENERIC ( jan 5 ) // i386 ]

Re: 'from any to any' not inferred?

2004-01-09 Thread jared r r spiegel
On Fri, Jan 09, 2004 at 07:32:55PM -0500, Munish Chopra wrote: On a different note, it was mentioned on IRC that keeping state while using ALTQ is likely a bad idea. Could someone please point to a discussion about this in the archives somewhere, or elaborate personally? I don't

Re: Packet queueing; Not borrowing from parent queue

2004-01-29 Thread jared r r spiegel
On Wed, Jan 28, 2004 at 05:38:42PM +0700, Egbert Krook wrote: altq on $int_if cbq bandwidth 100% queue { net_int, www_int } queue net_intbandwidth 1.0Mb { std_int, it_int, boss_int } queue std_int cbq(default) queue it_int bandwidth 500Kb cbq(borrow) queue boss_int priority 3

Re: Packet queueing; Not borrowing from parent queue

2004-01-30 Thread jared r r spiegel
On Fri, Jan 30, 2004 at 02:48:27PM +0700, Egbert Krook wrote: Hi Jared, Thanks a lot for your response. n/p. too bad i only vaguely have a clue what i'm talking about G I've tried adding cbq(borrow) using the following combinations. None achieve the effect described in the FAQ. -

Re: DIOCSETSTATUSIF: Invalid Argument

2004-01-30 Thread jared r r spiegel
On Thu, Jan 29, 2004 at 11:33:22AM +0100, [EMAIL PROTECTED] wrote: since I have upgraded from 3.4-stable to -current, snip It appears the setting set loginterface tun0, http://openbsd.rt.fm/faq/upgrade-minifaq.html#3.4.3 ^^ is that it? i know that after my -current was past that point,

Re: altq + NAT'd udp packets

2004-01-31 Thread jared r r spiegel
On Thu, Jan 29, 2004 at 07:30:09PM -0800, Andre LaBranche wrote: For some reason, all traffic to and from NAT'd machines falls into the default inbound / outbound queues. do you mean the default with respect to cbq( default ), or the default with respect to the queue you're deciding you

Re: How to redirect a port 3128 to the net 80

2004-02-13 Thread jared r r spiegel
On Fri, Feb 13, 2004 at 07:07:04PM -0700, j knight wrote: It sounds to me like he's setup his clients to use squid but has now decided to ditch squid. He wants to do trickery with pf so that he doesn't have to go around again to each client and remove the proxy settings. ahh!; yes, i

Re: microsoft vpn broken

2004-02-14 Thread jared r r spiegel
On Sat, Feb 14, 2004 at 02:35:28AM -0800, Octavian Hornoiu wrote: I have tried using the rules I know from ipfilter on freebsd to forward port 0 with gre and all that but I cannot seem to get pf to accept the ruleset without it complaining about syntax.  How is this accomplished via the newer

Re: HFSC [was: Packet queueing; Not borrowing from parent queue]

2004-02-15 Thread jared r r spiegel
On Sat, Jan 31, 2004 at 03:13:48AM -0700, jared r r spiegel wrote: http://www-2.cs.cmu.edu/~hzhang/HFSC/software.html i tried last week getting the altq-2.??? and -3.??? tar.gz from that page because i became smitten with wanting to be able to use the graphical user interface

Re: Something like pfstat for multiple interfaces

2004-02-21 Thread jared r r spiegel
On Fri, Feb 20, 2004 at 11:46:25PM +0100, Cedric Berger wrote: Brent Bolin wrote: Hello, Does anybody know of a way to capture statistics on multiple interfaces running pf Aha! Up to recently, that was impossible to grab stats on more than one interface with PF. You can now do it now

Re: macro/list syntax error

2004-02-26 Thread jared r r spiegel
On Thu, Feb 26, 2004 at 12:38:34AM +0100, Darek Eliasz wrote: I'm getting an error with the following: all_web = { $web1 $albums } Should be: all_web = { $web1, $albums } nonono. commas do not matter for this! i see people give this advice frequently. if you check the GRAMMAR

Re: Trouble getting ALTQ to prioritize ACKs

2004-03-05 Thread jared r r spiegel
i was going to bitch about not searching archives, but last time i touched on this topic was on misc@, so i don't think i can really complain... 'bittorrent queue' is effective search for misc@ archive, with respect to this. hopefully i will make sense. i notice you have no rdr on

Re: Setting qlength

2004-03-06 Thread jared r r spiegel
On Sat, Mar 06, 2004 at 08:07:51PM +0059, Jedi/Sector One wrote: Hello. Is there any rule of thumb in order to find out the right value for the qlength knob of cbq schedulers? I have to restrict the outgoing traffic to 110 Mb/s on a gigabit link. The default value of qlength

Re: packets/second vs. bits/second

2004-03-15 Thread jared r r spiegel
On Mon, Mar 15, 2004 at 08:47:17PM +0800, Lars Hansson wrote: We have one client (more to come, which is why this is a bit of a concern) that has very high packet/second rate while the actual bitrate is fairly low (small VOIP packets) and Am I missing something obvious here, or is cbq not

Re: Another clue why pf didn't meet goal in first test

2004-03-16 Thread jared r r spiegel
On Mon, Mar 15, 2004 at 10:54:36PM -0500, Dr. David Johnson wrote: I think the only other data that may help is that my friend says his DSL link is supposed to be 144 up, and 288 down, but in using some Internet sites that are supposed to measure speed, these show downloads of only about a

Re: RDR and transparent filtering.

2004-04-13 Thread jared r r spiegel
On Mon, Apr 12, 2004 at 04:09:24PM +0200, Mario Lopez wrote: a Squid proxy for transparent proxy snip I have correctly configured squid for normal proxy support (if I specify proxy on browsers it all works flawlessly) can you confirm if you have built squid as FLAVOR=transparent and also

Re: Wish - New option for traffic shaping

2004-04-17 Thread jared r r spiegel
On Fri, Apr 16, 2004 at 11:21:10PM +0200, Miroslav Kubik wrote: I would like to have new option in traffic shaping. I feel like restrict connection speed according to connection persistence. It could be very useful because I would set for the first few seconds higher speed. So the traffic

Re: Traffic shaping in two directions on bridge

2004-04-23 Thread jared r r spiegel
On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote: If you have a std firewall not set up as a bridge everything is clear (shape on the outgoing interface). But if you want to shape traffic on both directions on a bridge ? so you're asking two questions at once it seems?

Re: bandwith shaping

2004-04-23 Thread jared r r spiegel
On Wed, Apr 21, 2004 at 09:50:03AM +0200, Wolfgang Pichler wrote: I've tried these rules: altq on $ext_if priq bandwidth 1280Kb queue{dns, ssh, mail, www, ftp, other} queue dns priority 14 priq(red) queue ssh priority 13 priq(red) queue mail priority 12

Re: user directive broken in -current

2004-05-12 Thread jared r r spiegel
On Tue, May 11, 2004 at 10:21:27PM +0200, Jedi/Sector One wrote: pass all block out from any to 10.0.0.0/8 user john Unfortunately, the second rule seems to always match, regardless of the user. i had that too user only for UDP and TCP, so i think that if you don't do only

Re: user directive broken in -current

2004-05-13 Thread jared r r spiegel
On Wed, May 12, 2004 at 09:08:11AM +0200, Jedi/Sector One wrote: On Tue, May 11, 2004 at 04:27:59PM -0600, jared r r spiegel wrote: if you 'block out inet proto {tcp udp} from any to 10.0.0.0/8 user john' does it work? Noppe, it still matches all the time. It looks like it works

Re: squid+pf+transparent bridge

2004-05-18 Thread jared r r spiegel
On Mon, May 17, 2004 at 03:58:05PM -0600, [EMAIL PROTECTED] wrote: Hello, I set up a transparent firewall running 3.4. Now I've been asked to run squid on the same box as the firewall to increase web traffic (hopefully). I've installed another NIC with an IP and set up squid to listen on

Re: pf+ftp+binat problem

2004-05-18 Thread jared r r spiegel
On Mon, May 17, 2004 at 09:22:55PM +0300, Juri Malinovski wrote: Firewall: FreeBSD 4.10-STABLE, pf version 2.03 from ports. Ftp server: proftpd 1.2.9 with passive port's range 5-55000 Requirements: local users connect to internal ftp-server using external ip. snip From local machine

Re: question about flags

2004-05-22 Thread jared r r spiegel
On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote: Take for example a web server sitting in the DMZ, where DMZ is using say 192.168.4.0/24, i.e. NAT is being used. The packet comes in via something like pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy

Re: your mail

2004-07-29 Thread jared r r spiegel
On Wed, Jul 28, 2004 at 12:44:34PM -0700, [EMAIL PROTECTED] wrote: I have a mail server behind a obsd 3.5 firewall and I am having timeout errors when I try and send an email with a large (5MB or greater) attachment. i would have the knee-jerk reaction that this is not due to pf. So the

Re: pf expiring states way too fast (2 hosts using carp+pfsync)

2004-09-06 Thread jared r r spiegel
I see lots of traffic on the pfsync0 interface (dedicated interface/vlan). Now the problem is that states never seem to live more than a few minutes Creating stateless rules shows that this problem is definitely related to states as everything works flawlessly (no disconnections) when

Re: question on altq

2004-10-14 Thread jared r r spiegel
On Mon, Oct 11, 2004 at 05:47:50PM -0300, Gustavo wrote: pfctl: DIOCADDALTQ: Invalid argument kernel and userland out of synch? any time i have had pfctl give _ioctl_ errors, i've had my kernel and userland out of synch. if it is a syntax error, pfctl tells me syntax error.

Re: pf/ALTQ graphing of queues

2004-10-14 Thread jared r r spiegel
On Mon, Oct 11, 2004 at 09:56:58AM +0800, Kenneth Oncinian wrote: Hi List, Is there a project right now or is there an application which I can use to graph measured queues of pf/ALTQ? check out symon in ports/sysutils also check out the author's homepage for a .gz of the 'syweb' port.

Re: port 6881

2004-11-02 Thread jared r r spiegel
On Sat, Oct 30, 2004 at 07:57:23PM -0400, Jason Opperisano wrote: rdr pass on $ext_if proto tcp from any to $ext_if port 6881 -> $inside_host port 6881 this is exactly correct; but should you care to ever be seeding or on more than one torrent at a time, you would benefit from

Re: PF and two interfaces

2004-11-05 Thread jared r r spiegel
On Thu, Nov 04, 2004 at 10:47:06PM -0600, Matt Sellers wrote: ## PF.CONF # Trial Test - Route all 80 over SBC, rest to RCN int_if = bge0 lan_net = 10.0.0.0/24 ext_if_sbc = fxp0 ext_if_rcn = re0 ext_gw_sbc = 67.36.180.95 nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc) nat on

Re: PF and two interfaces

2004-11-06 Thread jared r r spiegel
On Fri, Nov 05, 2004 at 04:34:25PM -0800, Brian Street wrote: On Friday, November 5, jared wrote: nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc) nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn) this second nat line isn't ever going to be evaluated by a packet

difficulty queueing fragments

2004-11-13 Thread jared r r spiegel
i'm trying to setup a simple pf.conf for a machine who is the YP master, NFS server, and Samba server. most of my nfs traffic is coming across the wire as fragments, so i'm trying to catch those fragments into the nfs queue with the keyword 'fragment'. i have put a label on that rule

Re: difficulty queueing fragments

2004-11-14 Thread jared r r spiegel
On Sat, Nov 13, 2004 at 11:24:44AM -0700, jared r r spiegel wrote: -- doublewide.hklocal.net $ sudo cat /etc/pffrag.conf e=fxp0 nfs=2049 trustedhosts={ <VPN> <HKLOCAL> } table <VPN> persist const {192.168.0.0

Re: pf port knocking

2004-12-17 Thread jared r r spiegel
For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it. anyone unfamiliar with the technique hasn't read the archives whatsoever and thus is not going to garner favour from anyone here at all. Has anyone heard of anyone working on a

Re: pf port knocking

2004-12-19 Thread jared r r spiegel
On Sun, Dec 19, 2004 at 10:29:49PM +1100, A wrote: My heartfelt thanks for all the assistance there. ffs, you speak like some sort of lord who cannot be bothered assisting the peasants. I get an inkling you emanate for from such lofty heights. Now, I admit I am not on the main bsd list (even

Re: Specific HFSC questions

2005-01-04 Thread jared r r spiegel
On Mon, Jan 03, 2005 at 02:33:37PM -0800, John Ricardo wrote: 1. In general, where does priority count? Are priority values only considered at a parent queue with respect to the child queues, or are they considered at the root with respect to all the leaf queues, or...? i am currently

Re: VPN client cannot connect through OpenBSD router/firewall

2005-01-18 Thread jared r r spiegel
On Mon, Jan 17, 2005 at 02:48:07PM -0600, Rick Barter wrote: Michael Erdely wrote: You're doing a block all and then aren't allowing esp traffic out. Try adding the following with your tcp, udp and icmp pass out rules: pass out $log_flg on $ext_if proto esp all keep state When

Re: Good HFSC explanation

2005-02-15 Thread jared r r spiegel
On Fri, Feb 11, 2005 at 03:39:17PM +, Bob wrote: Is there a clear HFSC explanation somewhere, with real simple examples? Preferably that apply directly to PF which uses three SC types, not two. I've found plenty of documents, but they're all high-level overview slideshows that are a

Re: altq fishiness

2005-02-15 Thread jared r r spiegel
On Thu, Feb 10, 2005 at 07:59:31PM +, Bob wrote: I couldn't get CBQ to use up all of the bandwidth. Even when only one queue had any traffic, the bandwidth was never getting saturated. ... Possibly (probably) it was something I was doing wrong. But I've changed to HFSC now, and my

Re: Can't even do an ls on a FTP server located on the WAN

2005-02-15 Thread jared r r spiegel
On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote: Post your pf.conf. Unfortunately, the floppy disk is broken on my bastion. Since the pf.conf is around 15ko, I'll avoid typing it... ;-) can you ftp/scp it off and just post on the www somewhere? that sometimes seems to fly for

Re: Good HFSC explanation

2005-02-16 Thread jared r r spiegel
On Fri, Feb 11, 2005 at 15:39 +, Bob wrote: Preferably that apply directly to PF which uses three SC types, not two. meaning also using an sc on the upperlimit directive? i'm still just using upperlimit as a hard number, and not using a curve for that. On Wed, Feb 16, 2005 at

Re: Can't even do an ls on a FTP server located on the WAN

2005-02-16 Thread jared r r spiegel
On Wed, Feb 16, 2005 at 08:41:57AM +0100, Nicolas wrote: [FTP CLIENT]--[DEBIAN]--[OBSD BASTION]-WAN[FTP SERVER] The Debian machine does ftp masquerading, but I don't see anything abnormal on that machine. The error message on the bastion, in /var/log/daemon, is: ftp-proxy[18326]:

Re: explanation of blocked packets

2005-04-03 Thread jared r r spiegel
On Wed, Mar 30, 2005 at 09:51:07PM -0500, [EMAIL PROTECTED] wrote: Why are the following packets being blocked? I know that I have flags S/SA modulate state, and that F or FP do not match S/SA, but does that matter since its in state? if you didn't get to solve this yet, is it perhaps a

Re: pfctl_altq.c ,realtime 80%

2005-05-07 Thread jared r r spiegel
On Wed, May 04, 2005 at 07:42:17PM +0200, DarkT wrote: altq on $iface hfsc bandwidth 1Mb queue { 1 2 3 } queue 1 hfsc(default realtime 50Kb linkshare 100Kb upperlimit 100Kb) queue 2 hfsc( realtime 300Kb linkshare 400Kb upperlimit 400Kb ) queue 3 hfsc( realtime 400Kb linkshare 500Kb

Re: Need help in per user basis bandwidth sharing

2005-05-26 Thread jared r r spiegel
On Thu, May 26, 2005 at 09:09:59AM +0200, Peter N. M. Hansteen wrote: Porkodi [EMAIL PROTECTED] writes: Please help me in per user basis bandwidth sharing. Is there any way in pf with altq? authpf with per user rules which assign the user's traffic to queues should be possible. the

Re: Keep state + bridge weirdness

2005-06-09 Thread jared r r spiegel
On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote: .. Try the following rule: pass on rl0 keep state i've a limited experience with a bridge so far, but what about, say: --bridgename.bridge0-- add rl0 add rl1 rule pass in on rl0 tag rl0 rule pass in on rl1 tag rl1 up --

Re: ALTQ on PF for gaming

2005-07-09 Thread jared r r spiegel
On Tue, Jun 28, 2005 at 04:52:17PM +0100, Bob wrote: I thought the problem was that you needed to limit incoming traffic as well as outgoing traffic. i've found that limiting incoming data by queueing on the internal LAN-facing interface can be very beneficial if configured correctly.

Re: ftp-proxy vs. ftpsesame

2005-07-19 Thread jared r r spiegel
On Mon, Jul 18, 2005 at 12:10:41PM -0400, Daniel T. Staal wrote: I'm not to interested in exact rules at this point; I can figure those out. I'm just looking for what people think is the best way to use the tools to do the job: least ports opened, least hassle, least resources, etc. From

Re: setting source ip on multiple aliases

2005-08-05 Thread jared r r spiegel
On Tue, Aug 02, 2005 at 11:34:55PM -0500, Kevin wrote: You can solve this by using tags: nat on $ext_if inet from any to any tagged aramith -> 69.13.34.94 . . . pass out from any to any user aramith tag aramith please remember to specify tcp/udp when doing 'user' or

Re: IP accounting

2005-09-04 Thread jared r r spiegel
On Sat, Sep 03, 2005 at 09:48:16PM -0400, Peter Matulis wrote: ipfm does not seem to be maintained anymore (since 2002). one thing that sometimes works, for your own use, is to find a newer release (distfile wise, from the main project page), bump that up in the makefile, do a make

Re: VPN hfsc

2005-09-14 Thread jared r r spiegel
On Wed, Sep 14, 2005 at 01:26:12PM -0400, Brandon Mercer wrote: What I was figuring is that I need to shape the general bandwidth on the interface, i.e. give the VPN say 512Kb/512Kb and if that isn't in use let it be used by the other services that will be connecting to that interface. Then

Re: PF - problem with NAT policy based rules

2005-09-24 Thread jared r r spiegel
On Fri, Sep 23, 2005 at 03:00:12PM -0400, Chad M Stewart wrote: nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if) The problem is that pfctl complains about a syntax problem with that line. [/home/jrrs] $ echo nat on em0 tagged 1 tag 2 -> (em0) | pfctl -nvf- stdin:1: syntax error

Re: Trouble with 2-digit carp interfaces

2005-10-05 Thread jared r r spiegel
On Wed, Oct 05, 2005 at 02:23:29PM -0700, Zack Lawson wrote: As soon as I add a carp interface with more than one digit (ie carp10, carp11 or carp23), the backup host (with the higher advskew value) starts switching between MASTER and BACKUP on seemingly random carp interfaces. The fact that I

Re: optimizing pf firewall

2005-10-06 Thread jared r r spiegel
On Thu, Oct 06, 2005 at 03:48:17PM -0400, Dave wrote: My second problem, i'm trying to do mpd vpn, which relies on gre. I've got a natted vpn server at 192.168.1.3 but when an external connection happens, that is one outside my firewall from a windows box i get an error 619, which after

Re: no scrub reassemble tcp from foo to bar

2005-10-19 Thread jared r r spiegel
On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote: What I'd like is to disable scrub's tcp reassembly on per host/port/protocol basis, something along the lines of: scrub all no-df random-id fragment reassemble reassemble tcp no scrub inet proto tcp from any to $SAN_NET port 3260

Re: Problem with altq cbq queuing.. please assist?

2005-10-23 Thread jared r r spiegel
Queuing doesn't make sense inbound anyway; once you've received the packet, it has already consumed your bandwidth, and thus queuing won't change anything. queueing could delay ACK reply being sent and then whole connection would get throttled. it works really fine with

Re: inbound queueing question

2005-12-02 Thread jared r r spiegel
On Fri, Dec 02, 2005 at 12:27:53AM +, Karl O. Pinc wrote: I thought the queues were tied to the interfaces, so that, for instance, queue on the LAN interface could not borrow bandwidth from a queue on the DMZ interface. So then you either need to partition your WAN bandwidth between the

Re: OpenBGPD PF

2006-01-04 Thread jared r r spiegel
On Wed, Jan 04, 2006 at 09:42:44PM +0100, Sylwester S. Biernacki wrote: What do you think about it? Any ideas what to look for? one - if you are reloading pf ( pfctl -f /etc/pf.conf ), that will clear the table; but that's probably not your issue. two - if you have two peers, A

Re: OpenBGPD PF

2006-01-05 Thread jared r r spiegel
On Thu, Jan 05, 2006 at 03:18:22AM +0100, Sylwester S. Biernacki wrote: On Thursday, January 5, 2006, at 01:15:00, jared r r spiegel wrote: - establish session with A and learn about 1.2.3.4/30; 1.2.3.4/30 is written to pftable IX - establish session with B and learn about 1.2.3.4/30

Re: ssh bruteforce attempts and timeout of table w/ persist keyword

2006-02-04 Thread jared r r spiegel
Tr0go wrote: table <bruteforce> persist ... BUT, surprisingly at some time the table self cleaned nahh, you reloaded pf :) that's how this happens to everyone i've run across, myself included. persist keyword should keep all those enemies' IP until next reboot, isn't it ? no.

Re: UDP to port 0

2006-02-04 Thread jared r r spiegel
On Sat, Feb 04, 2006 at 12:59:41AM +0100, Jonas Davidsson wrote: Pf does not seem to allow UDP packets destined for port 0 out, TCP packets to the same port pass without problems. If nothing else, this breaks nmaps os-detection mode. with 'pass quick on em0' [send_ip] sendto: No route to

Re: OT: VPN + default route - how?

2006-02-12 Thread jared r r spiegel
On Sun, Feb 12, 2006 at 01:43:45AM -0600, Travis H. wrote: I got a VPN set up but I'm wondering how to make all traffic go over the VPN to the remote end, which is a gateway to the internet. If I mess with my default route, my traffic stops flowing at all. if you want all traffic to go

Re: OpenBGPD PF

2006-04-05 Thread jared r r spiegel
On Thu, Jan 05, 2006 at 01:33:42PM +0059, Claudio Jeker wrote: On Thu, Jan 05, 2006 at 06:46:54AM -0500, jared r r spiegel wrote: bgpd has (should have?) enough info from its config to know if it should send an addr_remove (i think this is the one) to pf based upon what addr

Re: PF inadequacy: queue download

2006-05-01 Thread jared r r spiegel
On Sat, Apr 29, 2006 at 05:10:40PM +0200, Stanislaw Halik wrote: I can speak for myself - I can't afford both the hardware and the electricity bill for a separate machine. Maybe downstream limiting isn't very robust, but IMO is the biggest thing pf/altq lacks. i queue the incoming

Re: PF inadequacy: queue download

2006-05-01 Thread jared r r spiegel
[EMAIL PROTECTED] wrote: works just as good as it possibly could if pf had a download queue mechanism, if not better. This works adequately (How could it be better? Sounds like zealot speak to me. to answer that, i believe there's no room for discussion there, then. if the boxes only

Re: IP alias with OpenBSD

2006-05-01 Thread jared r r spiegel
On Mon, May 01, 2006 at 05:55:42AM -0700, Gnat wrote: I need some help on setting up IP aliasing with NAT. The need is to create static NAT entries for some users due to a limit of 4 sessions per Public IP Address for a VPN server. I have 5 addresses from my ISP and wanted to use these to

Re: Performance problems with queueing

2006-05-02 Thread jared r r spiegel
On Sat, Apr 29, 2006 at 09:49:18AM +, Michal Soltys wrote: But If I change altq line and set bandwidth to something smaller - like 10Mb - problems show up. Throughput on ftp drops brutally to around 150 - 250 Kb Also if I use for example cbq in the following way (regardless if

Re: PF+ALTQ+HFSC

2006-05-09 Thread jared r r spiegel
On Sun, May 07, 2006 at 03:31:22PM +0700, sugeng riadi wrote: i want shaping traffic to client by port or application, but my config not running properly, the ftp package cannot over from gw any one help me please..!!?? this my config does the config load correctly? 'pfctl -nvf

Re: nat issue

2006-05-09 Thread jared r r spiegel
On Tue, Feb 28, 2006 at 11:22:48PM -0500, Yasholomew Yashinski wrote: I'm not sure what changed, as I haven't made any changes in the past 48 hours that I recall other than a portupgrade, however when I got home this afternoon my NAT was hosed. I'm using tun0 (PPPoE over hme0) on FreeBSD 6.0

Re: PF Table Size - Sanity Check

2006-11-28 Thread jared r r spiegel
On Wed, Nov 08, 2006 at 12:22:19AM +0100, Michiel van Baak wrote: On 22:12, Tue 07 Nov 06, Cédric Berger wrote: There is no way it can work on a 32-bit i386 system. This kind of pointer limitation is the first reason why ppl move to 64-bit systems, so that might be worth testing on a

Re: arpresolve: can't allocate llinfo

2007-03-01 Thread jared r r spiegel
On Tue, Feb 27, 2007 at 04:37:27PM -0600, Travis H. wrote: I am not sure if this is pf-related, but has anyone seen this error message, and what condition actually causes it? Incomplete arp table? Out of memory? Something else? i've seen it in the situation where something happens that

Re: sample of bandwidth limit per source IP

2007-03-07 Thread jared r r spiegel
On Wed, Mar 07, 2007 at 02:36:35PM +0800, Edy wrote: Hi, I am wondering if anyone has sample config on limiting bandwidth per source IP? For example, limiting an IP 192.168.1.2 for service http to 30Kb/sec if you want to limit outgoing bandwidth per incoming source IP, you need to

Re: Fair distribution of borrowed bandwidth with a lot of users

2007-04-24 Thread jared r r spiegel
On Tue, Apr 24, 2007 at 01:42:26AM -0400, jared r r spiegel wrote: On Mon, Apr 23, 2007 at 10:12:56AM +0200, Federico Giannici wrote: How can I make a single queue don't borrow ALL the traffic? upperlimit in this case it is probably not super important to see your whole pf.conf

Re: Fair distribution of borrowed bandwidth with a lot of users

2007-04-25 Thread jared r r spiegel
On Tue, Apr 24, 2007 at 09:49:32AM +0200, Federico Giannici wrote: jared r r spiegel wrote: On Tue, Apr 24, 2007 at 01:42:26AM -0400, jared r r spiegel wrote: On Mon, Apr 23, 2007 at 10:12:56AM +0200, Federico Giannici wrote: How can I make a single queue don't borrow ALL the traffic

Re: binat question

2008-05-13 Thread jared r r spiegel
On Mon, May 12, 2008 at 11:44:29PM -0700, Trevor Talbot wrote: You might also need to use the static-port option for udp nat rules: nat pass log on $ext_if proto udp from $funshine port $COH_ports to any -> 85.200.10.151 static-port yeah, i was gonna say static port too, but trevor beat me

Re: proper syntax for label on rdr rule

2008-06-14 Thread jared r r spiegel
On Thu, May 22, 2008 at 03:42:45PM -0400, Chris Smith wrote: Are there some limitations to what rules can apply labels? I'm trying to add a label to a rdr rule but keep getting a syntax error. when i have this question, i search from the bottom of the pf.conf manpage up (the grammar

Re: Routing VPNs through a second interface.

2008-08-22 Thread jared r r spiegel
On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote: ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr ike passive esp from $T1-2_addr to $remote_gw_addr do you totally want passive, or is that just an artifact of trying to get things work reliably? pass in