Re: pfctl: DIOCADDQUEUE: No such process

2014-07-24 Thread Dahlberg, David
On Wednesday, 23.07.2014, 17:10 +0200, Loïc Blot wrote:
 Hi @misc,
 This afternoon i got a very strange issue on a router/firewall. I
 added
 a rule and then the following error appears:
 
  pfctl -nf /etc/pf.conf
  pfctl -f /etc/pf.conf
 pfctl: DIOCADDQUEUE: No such process
 
 I don't have any queue configured on the firewall.
 
 I also tried pfctl -d; pfctl -e; pfctl -f /etc/pf.conf

I have seen this a few times. If it happens, then usually not
during/right after bootup, but on a running system, and then it won't
even accept an empty pf.conf.

A reboot usually helps, but this is not really a solution. Does pfctl
-Fa help?

Cheers

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



OpenSMTPD force TLS issues

2014-06-05 Thread Dahlberg, David
I encountered two problems with smtpd when trying to force TLS
connections. First a documentation issue. The man 5 smtpd.conf
states relay options would be:

| relay [backup [mx]] [as address] [source address] [hostname name]
| [hostnames names] [pki pkiname] [tls | verify]
[..]
| Note that the tls and verify options are mutually
| exclusive

In fact, verify does not work in 5.5, but one needs to add 
tls verify to the relay (not relay via) statement. 
I.e. the manpage should indeed show [tls [verify]].

The second issue is with listen on. The options tls-require 
and secure seem to be ignored there. Any suggestions?

Cheers

David

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: pf+voip

2014-05-27 Thread Dahlberg, David
On Tuesday, 27.05.2014, 14:15 +0400, Dmitry Petrakoff wrote:

 It is most unlikely the issue of pf or its rules. Simply because your
 issues are related to SIP (busy issue) and RTP/phone (voice volume).
 Pf does not have any SIP ALG built-in so can't affect VoIP.

Well, that is not completely right. SIP negotiates parameters of a call
in one connection, and then opens media streams in both directions.
The problem is more or less the same as with (active) FTP, and some
packet filters are L7 aware and configure the required port forwardings
dynamically, some aren't. (Actually most appliances/stacks are kind of
SIP aware but then fail erratically when push comes to shove.)

I am pretty sure that pf is /not/ SIP aware. So you have the following
options:

 * Get a public IP space
 * Use static port rdrs, configure your SIP application accordingly.
 * Get a public IPv6 space
 * Use STUN and other ugly NAT traversal mechanisms
 * Use an application layer gateway/proxy/PBX:
   I found Asterisk in packages, FreeSWITCH from source or
   siproxd in packages, which looks exactly right, but I have no
   experience with it.
 * Use IPv6, get rid of NAT. Seriously.

Cheers
David

 I'd like to suggest you to check busy issue with your VoIP provider or
 to check out different clients or phones.
 
 On 27.05.14 13:59, Швецов Михаил wrote:
  Does pf have specific rules for voip, may be example of working
  pf_rule with voip?
 
  Because for «standard rules» i have problems with voip.
 
  set skip on lo
 
  match out on pppoe0 from { em1:network } nat-to (pppoe0)
 
  block
 
  pass out
 
  pass in on { em1 }
 
  - after hanging up, the line is still busy for about 3 minutes (maybe keep
  state set to no state in rules)
 
  - the person on the phone is hard to hear (quiet)
 
 

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
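To make the "static port rdrs" option from the reply above concrete, here is an added pf.conf fragment. It is an example written for this page, not a configuration posted in the thread or shipped by the OpenBSD project. It starts from the original poster's ruleset and assumes pppoe0 is the WAN interface, em1 the LAN, 192.168.1.20 the SIP phone, and that the phone has been configured to use RTP ports 10000-10100 (all of these are assumptions; adjust them to the actual setup).

```pf
# Added example, not from the original thread. Assumptions: pppoe0 is the
# WAN interface, em1 the LAN, 192.168.1.20 the SIP phone, and the phone is
# configured (in its own settings) to use RTP ports 10000-10100.
ext_if    = "pppoe0"
int_if    = "em1"
sip_phone = "192.168.1.20"
sip_port  = "5060"
rtp_ports = "10000:10100"

set skip on lo

# Outbound NAT as in the original ruleset, plus static-port: by default pf
# rewrites the source port of NATed UDP/TCP, and many SIP/RTP stacks expect
# the port they advertised in the SDP body to be the one seen on the wire.
match out on $ext_if from $int_if:network nat-to ($ext_if) static-port

# Static port forwardings ("rdrs") for SIP signalling and the RTP range,
# so the inbound media stream reaches the phone without pf understanding
# SIP. The phone must use exactly this RTP range.
match in on $ext_if proto udp from any to ($ext_if) port $sip_port rdr-to $sip_phone
match in on $ext_if proto udp from any to ($ext_if) port $rtp_ports rdr-to $sip_phone

block
pass out
pass in on $int_if

# Filter rules see the translated destination, so pass to the phone, not to
# the external address. Only UDP to the SIP and RTP ports is allowed in.
pass in on $ext_if proto udp from any to $sip_phone port { $sip_port, $rtp_ports }
```

Check it with pfctl -nf /etc/pf.conf before loading. Note that static-port disables source-port rewriting for everything matched by that NAT rule, i.e. the whole LAN here; if only one phone needs it, narrow the rule to that host and keep the default randomized ports for the rest.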