Re: pf.conf(5): How to implement sendmail's connection/rate control features with pf?

2024-09-25 Thread Christian Schulte
On 9/25/24 14:31, Peter N. M. Hansteen wrote: > On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote: >> Another related set of examples and explanations can be found in the blog >> post > > I sense a complete URL would have been beneficial here, as in > > https://nxdomain.no/~p

Re: pf.conf(5): How to implement sendmail's connection/rate control features with pf?

2024-09-25 Thread Peter N. M. Hansteen
On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote: > Another related set of examples and explanations can be found in the blog post I sense a complete URL would have been beneficial here, as in https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html

Re: pf.conf(5): How to implement sendmail's connection/rate control features with pf?

2024-09-25 Thread Peter N. M. Hansteen
On Wed, Sep 25, 2024 at 02:06:14PM +0200, Christian Schulte wrote: > Hello @misc, > > I am currently searching for a way to implement sendmail's connection control > features using pf. In sendmail I am using: > > dnl # Define connection throttling and

pf.conf(5): How to implement sendmail's connection/rate control features with pf?

2024-09-25 Thread Christian Schulte
Hello @misc, I am currently searching for a way to implement sendmail's connection control features using pf. In sendmail I am using: dnl # Define connection throttling and window length define(`confCONNECTION_RATE_THROTTLE', `15')dnl define(`confCONNECTION_RATE_WINDOW_SIZE

Re: PF block traffic on Virtual Network. Bug?

2024-09-23 Thread Luca Di Gregorio
> > > > 1 - PF with the 'no state' rule should let the traffic flow, > it means that PF has a bug, or > 2 - PF behaves as expected and traffic must not flow, or > 3 - the 'no state' rule is the wrong rule to let the traffic flow. > If so, I ign

PF block traffic on Virtual Network. Bug?

2024-09-21 Thread Luca Di Gregorio
I have an architecture like the one of the picture in attachment, and I have an issue with PF. I don't know if it's a bug or maybe I should post to b...@openbsd.org. I created a virtual network with VXLAN, it's 192.168.3.0/24. VTEP1 and VTEP2 are connected to H3 via p2p interfaces: 10

Re: Pf congestion troubleshooting

2024-09-17 Thread Marc Boisis
> Several sources of useful information are available, Tom already mentioned > The Book of PF and the article about tracking down a source of disruption > based on netflow data. > > It is possible that you could find something useful in the slides for the > latest "Network Manageme

Re: Pf congestion troubleshooting

2024-09-13 Thread Peter N. M. Hansteen
reflect the actual traffic patterns you are dealing with. Several sources of useful information are available, Tom already mentioned The Book of PF and the article about tracking down a source of disruption based on netflow data. It is possible that you could find something useful in the slides for

Re: Pf congestion troubleshooting

2024-09-13 Thread Tom Smyth
Hi Marc, are you saying you are experiencing congestion and you want to identify the source of the congestion? iftop and pftop can give information on the top talkers on your network, if you want to do more comprehensive and historical analysis check out Peter Hansteen (of Book of PF fame

Pf congestion troubleshooting

2024-09-12 Thread Marc Boisis
Hello, We are experiencing congestion issues with PF and I would like some help finding the cause. Here is what i have been able to gather so far: ROOT:host:/root > pfctl -sm stateshard limit 60 src-nodes hard limit6 frags hard limit12000 tab

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-11 Thread Stuart Henderson
On 2024-09-11, WATANABE Takeo wrote: > on Tue, 10 Sep 2024 20:22:40 +0200 > Mike Fischer wrote: > >> The easiest way to test whether pf(4) is interfering with your YubiKey is to >> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem >> persists

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-11 Thread WATANABE Takeo
on Tue, 10 Sep 2024 20:22:40 +0200 Mike Fischer wrote: > The easiest way to test whether pf(4) is interfering with your YubiKey is to > temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem > persists then pf(4) is not the cause. > Turn pf(4) back on again aft

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-10 Thread Mike Fischer
The easiest way to test whether pf(4) is interfering with your YubiKey is to temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem persists then pf(4) is not the cause. Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`). Note: Turning off pf(4) should

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-10 Thread WATANABE Takeo
> and that I can log in with ed25519-sk key authentication if I stop pf. >> >> It occurred to me again that the pf.conf I had written might be the problem. > > It should not matter whether PF is enabled or not, as long as the loaded rules > allow your SSH traffic to pass. I wo

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-10 Thread Peter N. M. Hansteen
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote: > I found out that I can log in with normal public key > cryptography authentication (ed25519) in the same pf.conf environment, > and that I can log in with ed25519-sk key authentication if I stop pf. > > It occurred t

Re: The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-10 Thread Zé Loff
for key authentication using ed25519-sk. > > I found out that I can log in with normal public key > cryptography authentication (ed25519) in the same pf.conf environment, > and that I can log in with ed25519-sk key authentication if I stop pf. > > It occurred to me again that the

The relationship between pf and yubikey(FIDO2) (About OpenSSH)

2024-09-10 Thread WATANABE Takeo
n the same pf.conf environment, and that I can log in with ed25519-sk key authentication if I stop pf. It occurred to me again that the pf.conf I had written might be the problem. Could you please advise and discuss my pf.conf once more so that it is more appropriate and I can log in with ed25519-s

Re: Options to have relayd add IP to pf?

2024-08-26 Thread Maksim Rodin
> On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote: > > Hello, > > Here is my ugly script in testing which uses a postgres table to track bad > > guys in > > authlog and pf to lock them forever. > > --- > > #! /bin/ksh > > MAX_RETRIES=2

Re: Options to have relayd add IP to pf?

2024-08-26 Thread Zé Loff
On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote: > Hello, > Here is my ugly script in testing which uses a postgres table to track bad > guys in > authlog and pf to lock them forever. > --- > #! /bin/ksh > MAX_RETRIES=2 > function finish_serving { >

Re: Options to have relayd add IP to pf?

2024-08-26 Thread Maksim Rodin
Hello, Here is my ugly script in testing which uses a postgres table to track bad guys in authlog and pf to lock them forever. --- #! /bin/ksh MAX_RETRIES=2 function finish_serving { echo "Finish serving"; exit 0; } function add_entry { psql -U ecounter -d ecounte

Re: Options to have relayd add IP to pf?

2024-08-23 Thread Joel Carnat
hem, at relayd >> level. It works as they never reach the web server but relayd is still >> working to block them. >> >> I thought of parsing relayd logs to get those IPs and add them to a pf block >> table, using an automated script. > > If the problem is

Re: Options to have relayd add IP to pf?

2024-08-23 Thread Peter N. M. Hansteen
is still > working to block them. > > I thought of parsing relayd logs to get those IPs and add them to a pf block > table, using an automated script. If the problem is that there are a lot of requests from the same hosts coming in rapid-fire, it is possible that state tracking rules with

Options to have relayd add IP to pf?

2024-08-23 Thread Joel Carnat
IPs and add them to a pf block table, using an automated script. I also thought of using tags to forward the connections to a program that would add the IP to the pf block table. Would there be a simpler / smarter way to have relayd add an IP matching a block rule into a pf table? Thanks, Joel

pf route-to

2024-08-12 Thread 04-psyche . totter
gateway # routing route add 135.32.101.17 192.168.1.254 # point vpn_public_ip to local gateway So it seems my understanding of this pf rule is incorrect. Can anyone help me use pf to override the default gateway? Thanks!

Re: About pf Rule ( pf.conf

2024-08-07 Thread WATANABE Takeo
Hi, Kolipe-SAN. on Sun, 04 Aug 2024 18:28:09 -0300 Crystal Kolipe wrote: > On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote: >> Dear Sirs, >> >> Would you be willing to discuss how to write pf.conf? >> >> I'm using OpenBSD 7.5 AMD. >> I want to limit the packets going in and out

Re: About pf Rule ( pf.conf

2024-08-06 Thread WATANABE Takeo
ast > until I get functionality I want. I have busy firewalls which block and > log ~300 packets per second, pf handles it really well. > > Try something like: > > (temporarily remove `antispoof quick` until rest works, keep it above) > block log all > pass in on vio0 (what you

Re: About pf Rule ( pf.conf

2024-08-05 Thread Souji Thenria
to add that I tried to load the pf.conf file you sent; it looks like it works. (I did a quick test to see if the HTTP- and SMTP-server are reachable.) The loaded rules as returned by `pfctl -sr` would not allow much of your desired traffic. However they do allow NDP traffic. Your vio0 interface

Re: About pf Rule ( pf.conf

2024-08-05 Thread Mike Fischer
v > pass in inet6 proto udp from any port = 547 to any port = 546 > pass in proto carp all keep state (no-sync) > pass out proto carp all !received-on any keep state (no-sync) > moegi# Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl -sr` do not match. Did yo

Re: About pf Rule ( pf.conf

2024-08-05 Thread WATANABE Takeo
Hi, Souji-SAN. Thank you so much for your advice. We will reply to you in due course. on Sun, 04 Aug 2024 19:56:38 +0100 "Souji Thenria" wrote: > On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote: >> I am having trouble because all packets are blocked. >> Please see below for a descripti

Re: About pf Rule ( pf.conf

2024-08-05 Thread Marko Cupać
ich rules out the need for net.inet.ip.forwarding sysctl. My general rule of the thumb is to log all blocked packets, at least until I get functionality I want. I have busy firewalls which block and log ~300 packets per second, pf handles it really well. Try something like: (temporarily remove `

Re: About pf Rule ( pf.conf

2024-08-04 Thread Crystal Kolipe
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote: > Dear Sirs, > > Would you be willing to discuss how to write pf.conf? > > I'm using OpenBSD 7.5 AMD. > I want to limit the packets going in and out as follows > > 1. reject in principle : block all > 2. when rejecting packets, do n

Re: About pf Rule ( pf.conf

2024-08-04 Thread Souji Thenria
On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote: I am having trouble because all packets are blocked. Please see below for a description of the problem. I would appreciate it if you could point out any problems. The config looks ok so far; I don't see any problems. Can you run 'pfctl -

About pf Rule ( pf.conf

2024-08-04 Thread WATANABE Takeo
Dear Sirs, Would you be willing to discuss how to write pf.conf? I'm using OpenBSD 7.5 AMD. I want to limit the packets going in and out as follows 1. reject in principle : block all 2. when rejecting packets, do not log them. 3. there is only one interface (vio0) that goes in and out of the hos

pf af-to silently dropping oversized packets (affects pmtud)

2024-07-19 Thread Jason Healy
I'm working on setting up an OpenBSD box to perform CLAT services for 464XLAT on my network. v4-only clients will be behind the pf box, which uses af-to to translate v4 packets to v6 and send them to my border NAT64 gateway. Things are working pretty well, but I've bumped into an

Re: pf can't redirect outgoing traffic to localhost

2024-06-29 Thread Marcus MERIGHI
cannot be used > as a conventional proxy (set up on the browser config). Reading the > pf.conf man seems that there isn't a way to do that. is the sslsplit transparent proxy running on the same machine on which your web browsing happens? If the answer is yes, then PF simple rdr-to w

understanding pf(4) 'in' interface with bridge(4)

2024-06-25 Thread Lévai, Dániel
wants to send to my wireguard link (configured on this router) so I cooked up a pf(4) line to match packets coming *in* on em2: pass in on em2 proto tcp from 192.168.0.3 to (wg0:network) port $nvr_wg0_a

pf can't redirect outgoing traffic to localhost

2024-06-19 Thread whistlez
out"). Also I tried to make an IF alias like this ifconfig em0 inet 192.168.0.6 255.255.255.0 ifconfig em0 inet alias 192.168.0.7 255.255.255.0 my gw is 192.168.0.1 I put listening the sslsplit on 192.168.0.7 (the alias) port 10443 and I make a pf rule like this: pass out log on em0 proto tcp

Re: pf tables questions

2024-06-13 Thread Willy Manga
the 'tables' [1] structure with pf 1. https://man.openbsd.org/pf.conf#TABLES Sorry for the noise, I misread your question :P -- Willy Manga

Re: pf tables questions

2024-06-13 Thread Willy Manga
Hi, On 12/06/2024 12:50, Kapetanakis Giannis wrote: Hi, [...] 2) I've found this tool yesterday (iprange) whose job is to optimize large sets of IPs/Networks https://github.com/firehol/iprange/wiki I think that's why you have the 'tables' [1] st

pf tables questions

2024-06-12 Thread Kapetanakis Giannis
Hi, I have a couple of questions about pf tables. 1) Does it use a radix tree and especially a Patricia tree? Trying to read the code and searches on the web pointed to that. 2) I've found this tool yesterday (iprange) whose job is to optimize large sets of IPs/Networks https://github.c

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-12 Thread Martijn van Duren
> > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only > > > > 64 physicals and carp interfaces but not my 45 vlan interfaces. > > > > > > > > My /etc/snmpd.conf > > > > ROOT:amdrg2:/root > cat /etc/snmpd.con

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-11 Thread Kapetanakis Giannis
On 11/06/2024 15:34, Martijn van Duren wrote: > On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote: >> On 10/06/2024 18:43, Marc Boisis wrote: >>> Hello, >>> >>> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-11 Thread Marc Boisis
Like Kapetanakis I have the 64 interface desc empty: > snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64 OPENBSD-PF-MIB::pfIfDescr.64 = STRING: So can we imagine a limit of 64 interfaces in the snmp (snmpd_metrics) code ? > On 11 Jun 2024, at 14:34, Martijn van Duren

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-11 Thread Martijn van Duren
On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote: > On 10/06/2024 18:43, Marc Boisis wrote: > > Hello, > > > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64 > > physicals and carp interfaces but not my 45 vlan in

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-11 Thread Kapetanakis Giannis
On 10/06/2024 18:43, Marc Boisis wrote: > Hello, > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64 > physicals and carp interfaces but not my 45 vlan interfaces. > > My /etc/snmpd.conf > ROOT:amdrg2:/root > cat /etc/snmpd.conf > li

Re: Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-11 Thread Martijn van Duren
Hello Marc, I don't have access to such a machine, but my vlan interfaces do show up for me. Could you try and find a reproducer? martijn@ On Mon, 2024-06-10 at 17:43 +0200, Marc Boisis wrote: > Hello, > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I ha

Missing vlan interfaces in OPENBSD-PF-MIB::pfIfTable

2024-06-10 Thread Marc Boisis
Hello, I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64 physicals and carp interfaces but not my 45 vlan interfaces. My /etc/snmpd.conf ROOT:amdrg2:/root > cat /etc/snmpd.conf listen on 127.0.0.1 snmpv2c read-only community public "pfctl -sI" li

Re: Q: Problems forwarding traffic using pf ...

2024-06-07 Thread Why 42? The lists account.
leaves, right? Right. > what does the gateway's routing table say about how to reach the destination > network? Good question. Does it matter what the routing table contains, when I am explicitly specifying where to send a packet via a pf rule? In any case, here it is: mjoelnir:/etc 7

Re: Q: Problems forwarding traffic using pf ...

2024-05-24 Thread Zé Loff
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote: > On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote: > > pfctl reports: > > # pfctl -vvs rules | grep @ > > @0 block return log all > > @1 pass in log on em0 inet proto udp from 192.168.178.16

Re: Q: Problems forwarding traffic using pf ...

2024-05-24 Thread Peter N. M. Hansteen
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote: > pfctl reports: > # pfctl -vvs rules | grep @ > @0 block return log all > @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP > @2 pass out log on ure0 all flags S/SA tagged UDP > > I

Re: Q: Problems forwarding traffic using pf ...

2024-05-24 Thread Why 42? The lists account.
Hi Guys, Thanks for the feedback, to address your points: 1> Possibly stupid question, but did you set the sysctl(s) to enable forwarding? Yes I tried this pf rule change with version 4 forwarding (net.inet.ip.forwarding) both enabled and disabled. Either way the pf "pass out tagged

Re: Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Zé Loff
> > > between two systems, so I thought perhaps I could use pf to do just that > > > by writing some rules along the lines of: > > > > > > 1. pass in on iface A proto UDP ... tag mcast > > > 2. pass out on iface B tagged mcast > > >

Re: Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Kapetanakis Giannis
On 23/05/2024 20:18, Peter N. M. Hansteen wrote: On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote: I need to quickly create a solution for forwarding multicast traffic between two systems, so I thought perhaps I could use pf to do just that by writing some rules along

Re: Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Peter N. M. Hansteen
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote: > I need to quickly create a solution for forwarding multicast traffic > between two systems, so I thought perhaps I could use pf to do just that > by writing some rules along the lines of: > > 1. pas

Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Why 42? The lists account.
Hi All, I need to quickly create a solution for forwarding multicast traffic between two systems, so I thought perhaps I could use pf to do just that by writing some rules along the lines of: 1. pass in on iface A proto UDP ... tag mcast 2. pass out on iface B tagged mcast And

Re: pf anchors attached to irrelevant states

2024-05-20 Thread Kapetanakis Giannis
On 19/05/2024 19:35, Kapetanakis Giannis wrote: > On 19/05/2024 14:37, Stuart Henderson wrote: >> On 2024-05-19, Kapetanakis Giannis wrote: >>> This is a bit strange. pf works normally, but rules after an anchor are >>> being attached to the anchor (somehow). >>>

Re: pf anchors attached to irrelevant states

2024-05-19 Thread Markus Wernig
On 5/19/24 13:37, Stuart Henderson wrote: I can confirm this is a problem, definitely seen in 7.4, I can't remember if 7.3 was affected. 7.2 from Dec 22 seems ok. Yes, 7.3 is affected. It is the same problem reported here: https://marc.info/?l=openbsd-misc&m=168754952806369

Re: pf anchors attached to irrelevant states

2024-05-19 Thread Kapetanakis Giannis
On 19/05/2024 14:37, Stuart Henderson wrote: On 2024-05-19, Kapetanakis Giannis wrote: This is a bit strange. pf works normally, but rules after an anchor are being attached to the anchor (somehow). All states that are created from rules after the anchor, show the anchor (pf rule) number instead

Re: pf anchors attached to irrelevant states

2024-05-19 Thread Stuart Henderson
On 2024-05-19, Kapetanakis Giannis wrote: > This is a bit strange. pf works normally, but rules after an anchor are > being attached to the anchor (somehow). > > All states that are created from rules after the anchor, show the anchor > (pf rule) number instead of (only) the rule

pf anchors attached to irrelevant states

2024-05-19 Thread Kapetanakis Giannis
This is a bit strange. pf works normally, but rules after an anchor are being attached to the anchor (somehow). All states that are created from rules after the anchor, show the anchor (pf rule) number instead of (only) the rule number in pfctl -vv and in pflog. Here is a quite simple example

Re: Issue with pf route-to and routing tables

2024-04-16 Thread Thomas
On Mon, 15 Apr 2024, at 21:33, Thomas wrote: > Hi all, > > I'm greatly enjoying OpenBSD and have it on most of my devices as I try > to set up my "perfect lab". I would like some feedback / thoughts about > one behaviour which I don't quite get. > > I have a VM for the world facing side of my ne

Issue with pf route-to and routing tables

2024-04-15 Thread Thomas
Hi all, I'm greatly enjoying OpenBSD and have it on most of my devices as I try to set up my "perfect lab". I would like some feedback / thoughts about one behaviour which I don't quite get. I have a VM for the world facing side of my network. I have a wireguard network to link it up to a hom

Re: pf nat64 rule not matching

2024-03-15 Thread Evan Sherwood
> I don't think there is at present. There are no "only use v4" or "only > use v6" addresses modifiers, and pf isn't figuring out for itself that > it only makes sense to use addresses from the relevant family for > af-to translation addresses (although it

Re: pf nat64 rule not matching

2024-03-15 Thread Stuart Henderson
se v4" or "only use v6" addresses modifiers, and pf isn't figuring out for itself that it only makes sense to use addresses from the relevant family for af-to translation addresses (although it _does_ do this for nat-to). >> Regarding the other rules and tests, the ::1 r

Re: pf nat64 rule not matching

2024-03-15 Thread Evan Sherwood
> Try changing ($wan:0) to $(wan) and see what happens. Huh, that worked! Thanks!

Re: pf nat64 rule not matching

2024-03-15 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Try changing ($wan:0) to $(wan) and see what happens.

Re: pf nat64 rule not matching

2024-03-15 Thread Evan Sherwood
> Can you try if the same happens with a more specific rule (for > testing)? > > i.e.: > > pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96 > af-to inet from "actual IP on igc0"/32 This worked! Specifically, I think the ($wan:0) was the problem. I could've sworn I tried this

Re: pf nat64 rule not matching

2024-03-15 Thread Stuart Henderson via misc
On 2024-03-15, Tobias Fiebig via misc wrote: > > Moin, >>     # perform nat64 (NOT WORKING) >>     pass in to 64:ff9b::/96 af-to inet from ($wan:0) > > Can you try if the same happens with a more specific rule (for > testing)? > > i.e.: > > pass in on igc3 inet6 from "put actual v6 prefix here" to

Re: pf nat64 rule not matching

2024-03-15 Thread Tobias Fiebig via misc
Moin, >     # perform nat64 (NOT WORKING) >     pass in to 64:ff9b::/96 af-to inet from ($wan:0) Can you try if the same happens with a more specific rule (for testing)? i.e.: pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96 af-to inet from "actual IP on igc0"/32 I am su

pf nat64 rule not matching

2024-03-14 Thread Evan Sherwood via misc
ood. # dig ipv4.google.com +short ipv4.l.google.com. 64:ff9b::8efa:bc0e However, the pf rule using af-to does not appear to do anything and I haven't been able to figure out why. When I try to ping6, I get 100% packet loss. I inspected packets through tcpdump (after adding "log

Re: 10gbps pf nat firewall ix to mcx

2024-02-12 Thread Chris Cappuccio
r and slightly > > varying results. guess i should go back and test ix with LRO off on > > the pf box. > > Sorry, I don't get your problem. You changed your firewall NICs from > ix(4) to mcx(4) and the throughput got slower? Or, the speed is varying > between 0.9 gbps

Re: 10gbps pf nat firewall ix to mcx

2024-02-12 Thread jan
n em and ix) em(4) does not support the LRO feature, just TSO with mglocker's diff. > and very consistently getting close to the full 1gbps > throughput on single tcp connections now instead of slower and slightly > varying results. guess i should go back and test ix with LRO off on

10gbps pf nat firewall ix to mcx

2024-02-11 Thread Chris Cappuccio
e tcp connections now instead of slower and slightly varying results. guess i should go back and test ix with LRO off on the pf box.

Allowing i2p bittorrent traffic in a transparently proxied environment with pf

2023-12-06 Thread dsecuredrose99
I have setup a transparent Tor proxy with the following pf ruleset: https://paste.c-net.org/WharfSeasick It routes most importantly all TCP and DNS traffic through the Tor network. Now I want to have another rule for I2P bittorrent, meaning that there is a rule for traffic that must be routed

Re: pf queues

2023-12-01 Thread 4
> On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote: >> >> "cbq can entirely be expressed in it" ok. so how do i set priorities for >> queues in hfsc for my local(not for a router above that knows nothing about >> my existence. tos is an absolutely unvia

Re: pf queues

2023-12-01 Thread Stuart Henderson
On 2023/12/01 15:57, 4 wrote: > >But CBQ doesn't help anyway, you still have this same problem. > the problem when both from below and from above can be told to you "go and > fuck yourself" can't be solved, but cbq gives us two mechanisms we need- > priorities and traffic restriction. nothing mor

Re: pf queues

2023-12-01 Thread 4
> On 2023-12-01, 4 wrote: >I don't know why you are going on about SMT here. i'm talking about not sacrificing functionality for the sake of hypothetical performance. the slides say that using queues degrades performance by 10%. and you're saying there won't be anything in the queues until an o

Re: pf queues

2023-12-01 Thread Marko Cupać
igned to queue 6-fly, while ACKs would get priority of 7 and assigned to queue 7-ack. Anyway, after years of usage, and lot of frustration in the beginning, I find current approach more flexible, because in HFSC queue and priority have to be the same, while in current pf we can set it to be exactly

Re: pf queues

2023-12-01 Thread Stuart Henderson
>>> not a share of the total piece of the pie, and we don't need to know >>> anything about the pie. > >> But unless you are sending more traffic than the *interface* speed, >> you will be sending it out on receipt, there won't be any delays in >> send

Re: pf queues

2023-12-01 Thread 4
we don't need to know >> anything about the pie. > But unless you are sending more traffic than the *interface* speed, > you will be sending it out on receipt, there won't be any delays in > sending packets to the next-hop modem/router. > There won't *be* any pa

Re: pf queues

2023-12-01 Thread Stuart Henderson
ng > about the pie. But unless you are sending more traffic than the *interface* speed, you will be sending it out on receipt, there won't be any delays in sending packets to the next-hop modem/router. There won't *be* any packets in the queue on the PF machine to send in priority order.

Re: pf queues

2023-11-30 Thread 4
> On Wed, 29 Nov 2023 00:12:02 +0300 > 4 wrote: >> i haven't used queues for a long time, but now there is a need. >> previously, queues had not only a hierarchy, but also a priority. now >> there is no priority, only the hierarchy exists. > It took me quite some time to wrap my head around this

Re: pf queues

2023-11-30 Thread 4
; so what am i missing? >>> >>> man pf.conf >>> >>> Look for set tos. Just a few lines below set prio in the man page, >>> >>> You can have more than 8 if you need/have to. >> > Only useful if devices upstream of the PF router know their availabl

Re: pf queues

2023-11-30 Thread Marko Cupać
to understand exactly which rule triggers assignment to which queue. Now all of the above is fine for home gateway with just "internet" and "lan". Things get much more complicated if there are multiple VLANs on internal interface, GRE / GIF of wireguard tunnels on external int

Re: pf queues

2023-11-30 Thread David Dahlberg
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote: > "cbq can entirely be expressed in it" ok. so how do i set priorities > for queues in hfsc You stack HFSC with link-share service curves with linkshare criterion 1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0". Or you do not configure queu

Re: pf queues

2023-11-30 Thread Daniel Ouellet
than 8 if you need/have to. Only useful if devices upstream of the PF router know their available bandwidth and can do some QoS themselves. Same can be said for CoS as well. You can only control what's going out of your own network. After that, as soon as it reaches your ISP or what not, y

Re: pf queues

2023-11-30 Thread 4
you were running most certainly needed > an upgrade anyway. "cbq can entirely be expressed in it" ok. so how do i set priorities for queues in hfsc for my local(not for a router above that knows nothing about my existence. tos is an absolutely unviable concept in the real world) pf-router? i don't see a word about it in man pf.conf

Re: pf queues

2023-11-30 Thread Peter N. M. Hansteen
On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote: > > "cbq can entirely be expressed in it" ok. so how do i set priorities for > queues in hfsc for my local(not for a router above that knows nothing about > my existence. tos is an absolutely unviable concept in the real

Re: pf queues

2023-11-30 Thread 4
much to allocate to each connection, so even the basic bandwidth > control can't really work, let alone prioritising access to the > available capacity. > Priorities work when you are trying to transmit more out of an interface > than the bandwidth available on that interface. > S

Re: pf queues

2023-11-30 Thread Peter N. M. Hansteen
On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote: > so what happened to cbq? why such the powerful and useful thing was removed? > or Theo delete it precisely because it was too good for obsd? %D Actually, the new queueing system was done by Henning, planned as far back as (at least) 2012 (https

Re: pf queues

2023-11-30 Thread 4
so what happened to cbq? why such the powerful and useful thing was removed? or Theo delete it precisely because it was too good for obsd? %D

Re: pf queues

2023-11-29 Thread Stuart Henderson
man page, > > You can have more than 8 if you need/have to. Only useful if devices upstream of the PF router know their available bandwidth and can do some QoS themselves.

Re: pf queues

2023-11-29 Thread Stuart Henderson
n the basic bandwidth control can't really work, let alone prioritising access to the available capacity. Priorities work when you are trying to transmit more out of an interface than the bandwidth available on that interface. Say you have a box running PF with a 1Gb interface to a (router/mod

Re: pf queues

2023-11-29 Thread Daniel Ouellet
yes, all this can be made without hierarchy, only with priorities (because hierarchy is priorities), but who and why decided that eight would be enough? the one who created cbq- he created it for practical tasks. but this "hateful eight" and this "flat-earth"- i don't understand what use they

Re: pf queues

2023-11-29 Thread 4
ng with queues? > the older ALTQ system was replaced by a whole new system back in OpenBSD 5.5 > (or actually, altq lived on as oldqueue through 5.6), and the syntax is both > very different and in most things much simpler to deal with. > The most extensive treatment available is

Re: pf queues

2023-11-28 Thread Peter N. M. Hansteen
w system back in OpenBSD 5.5 (or actually, altq lived on as oldqueue through 5.6), and the syntax is both very different and in most things much simpler to deal with. The most extensive treatment available is in The Book of PF, 3rd edition (actually the introduction of the new queues was the reason f

pf queues

2023-11-28 Thread 4
i haven't used queues for a long time, but now there is a need. previously, queues had not only a hierarchy, but also a priority. now there is no priority, only the hierarchy exists. i was surprised, but i thought that this is quite in the way of Theo, and it is possible to simplify the queue me

Re: PF Rules for Dual Upstream Gateways

2023-11-23 Thread Stuart Henderson
ble to connect via either connection at any time without changing the > default gateway. > > A long time ago under the old pf syntax I had this in /etc/pf.conf which > worked fine, and as far as I can remember was the only thing needed to enable > this desired behavior: > >

PF Rules for Dual Upstream Gateways

2023-11-22 Thread Ian Timothy
the default gateway. A long time ago under the old pf syntax I had this in /etc/pf.conf which worked fine, and as far as I can remember was the only thing needed to enable this desired behavior: pass in on $wan1_if reply-to ( $wan1_if $wan1_gw ) pass in on $wan2_if reply-to ( $wan2_if $wan2_gw

Re: pf logging in ascii and send to remote syslog

2023-11-11 Thread Daniele B.
Thnx, this seems toasting better..
