On 9/25/24 14:31, Peter N. M. Hansteen wrote:
> On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
>> Another related set of examples and explanations can be found in the blog
>> post
>
> I sense a complete URL would have been beneficial here, as in
>
> https://nxdomain.no/~p
On Wed, Sep 25, 2024 at 02:26:18PM +0200, Peter N. M. Hansteen wrote:
> Another related set of examples and explanations can be found in the blog post
I sense a complete URL would have been beneficial here, as in
https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
On Wed, Sep 25, 2024 at 02:06:14PM +0200, Christian Schulte wrote:
> Hello @misc,
>
> I am currently searching for a way to implement sendmail's connection control
> features using pf. In sendmail I am using:
>
> dnl # Define connection throttling and
Hello @misc,
I am currently searching for a way to implement sendmail's connection control
features using pf. In sendmail I am using:
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE&
>
>
>
> 1 - PF with the 'no state' rule should let the traffic flow,
> it means that PF has a bug, or
> 2 - PF behaves as expected and traffic must not flow, or
> 3 - the 'no state' rule is the wrong rule to let the traffic flow.
> If so, I ign
I have an architecture like the one of the picture in attachment,
and I have an issue with PF.
I don't if it's a bug of, maybe I should post to b...@openbsd.org.
I created a virtual network with VXLAN, it's 192.168.3.0/24.
VTEP1 and VTEP2 are connected to H3 via p2p interfaces:
10
> Several sources of useful information are available, Tom already mentioned
> The Book of PF and the article about tracking down a source of disruption
> based on netflow data.
>
> It is possible that you could find something useful in the slides for the
> latest "Network Manageme
reflect the actual traffic patterns you are dealing with.
Several sources of useful information are available, Tom already mentioned
The Book of PF and the article about tracking down a source of disruption
based on netflow data.
It is possible that you could find something useful in the slides for
Hi Marc,
are you saying you are experiencing congestion and you want to identify
the source of the congestion?
iftop and pftop can give information on the top talkers on your network,
if you want to do more comprehensive and historical analysis check out
Peter Handsteen(of Book of PF fame
Hello,
We are experiencing congestion issues with PF and I would like some help
finding the cause.
Here is what i have been able to gather so far:
ROOT:host:/root > pfctl -sm
stateshard limit 60
src-nodes hard limit6
frags hard limit12000
tab
On 2024-09-11, WATANABE Takeo wrote:
> on Tue, 10 Sep 2024 20:22:40 +0200
> Mike Fischer wrote:
>
>> The easiest way to test whether pf(4) is interfering with your YubiKey is to
>> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem
>> persists
on Tue, 10 Sep 2024 20:22:40 +0200
Mike Fischer wrote:
> The easiest way to test whether pf(4) is interfering with your YubiKey is to
> temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem
> persists then pf(4) is not the cause.
> Turn pf(4) back on again aft
The easiest way to test whether pf(4) is interfering with your YubiKey is to
temporarily turn off pf(4) (`doas pfctl -d`) and test. If the problem persists
then pf(4) is not the cause.
Turn pf(4) back on again after your test (`doas pfctl -e` or `doas reboot`).
Note: Turning off pf(4) should
> and that I can log in with ed25519-sk key authentication if I stop pf.
>>
>> It occurred to me again that the pf.conf I had written might be the problem.
>
> It should not matter whether PF is enabled or not, as long as the loaded rules
> allow your SSH traffic to pass. I wo
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
>
> It occurred t
for key authentication using ed25519-sk.
>
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
>
> It occurred to me again that the
n the same pf.conf environment,
and that I can log in with ed25519-sk key authentication if I stop pf.
It occurred to me again that the pf.conf I had written might be the problem.
Could you please advise and discuss my pf.conf once more so that
it is more appropriate and I can log in with ed25519-s
> On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote:
> > Hello,
> > Here is my ugly script in testing which uses a postgres table to track bad
> > guys in
> > authlog and pf to lock them forever.
> > ---
> > #! /bin/ksh
> > MAX_RETRIES=2
On Mon, Aug 26, 2024 at 11:27:02AM +0300, Maksim Rodin wrote:
> Hello,
> Here is my ugly script in testing which uses a postgres table to track bad
> guys in
> authlog and pf to lock them forever.
> ---
> #! /bin/ksh
> MAX_RETRIES=2
> function finish_serving {
>
Hello,
Here is my ugly script in testing which uses a postgres table to track bad guys
in
authlog and pf to lock them forever.
---
#! /bin/ksh
MAX_RETRIES=2
function finish_serving {
echo "Finish serving";
exit 0;
}
function add_entry {
psql -U ecounter -d ecounte
hem, at relayd
>> level. It works as they never reach the web server but relayd is still
>> working to block them.
>>
>> I thought of parsing relayd logs to get those IPs and add them to a pf block
>> table, using an automated script.
>
> If the problem is
is still
> working to block them.
>
> I thought of parsing relayd logs to get those IPs and add them to a pf block
> table, using an automated script.
If the problem is that there are a lot of requests from the same hosts coming
in rapid-fire, it is
possible that state tracking rules with
IPs and add them to a pf block
table, using an automated script.
I also thought of using tags to forward the connections to a program that would
add the IP to the pf block table.
Would there be a simpler / smarter way to have relayd add an IP matching a
block rule into a pf table?
Thanks,
Joel
gateway
# routing
route add 135.32.101.17 192.168.1.254 # point vpn_public_ip to local gateway
So it seems my understanding of this pf rule is incorrect.
Can anyone help me use pf to override the default gateway?
Thanks!
Hi, kolipe-SAN.
on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe wrote:
> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>>
>> Would you be willing to discuss how to write pf.conf?
>>
>> I'm using OpenBSD 7.5 AMD.
>> I want to limit the packets going in and out
ast
> until I get functionality I want. I have busy firewalls which block and
> log ~300 packets per second, pf handles it really well.
>
> Try something like:
>
> (temporarily remove `antispoof quick` until rest works, keep it above)
> block log all
> pass in on vio0 (what you
to add that I tried to load the pf.conf file you sent;
it looks like it works. (I did a quick test to see if the HTTP- and
SMTP-server are reachable.)
The loaded rules as returned by `pfctl -sr` would not allow much of your
desired traffic. However they do allow NDP traffic.
Your vio0 interface
v
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
> moegi#
Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl
-sr` do not match. Did yo
Hi,Souji-SAN.
Thank you so much for your advice.
We will reply to you in due course.
on Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria" wrote:
> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a descripti
ich rules out the need for net.inet.ip.forwarding sysctl.
My general rule of the thumb is to log all blocked packets, at least
until I get functionality I want. I have busy firewalls which block and
log ~300 packets per second, pf handles it really well.
Try something like:
(temporarily remove `
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
>
> Would you be willing to discuss how to write pf.conf?
>
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
>
> 1. reject in principle : block all
> 2. when rejecting packets, do n
On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.
The config looks ok so far; I don't see any problems.
Can you run 'pfctl -
Dear Sirs,
Would you be willing to discuss how to write pf.conf?
I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows
1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out of the hos
I'm working on setting up an OpenBSD box to perform CLAT services for 464XLAT
on my network. v4-only clients will be behind the pf box, which uses af-to to
translate v4 packets to v6 and send them to my border NAT64 gateway.
Things are working pretty well, but I've bumped into an
cannot be used
> as a conventional proxy (set up on the browser config). Reading the
> pf.conf man seems that there isn't a way to do that.
is the sslsplit transparent proxy running on the same machine on which
your web browsing happens? If the answer is yes, then PF simple rdr-to
w
wants to send to my wireguard link (configured on this router) so I cooked up a
pf(4) line to match packets coming *in* on em2:
pass in on em2 proto tcp from 192.168.0.3 to (wg0:network) port
$nvr_wg0_a
out").
Also I tried to make an IF alias like this
ifconfig em0 inet 192.168.0.6 255.255.255.0
ifconfig em0 inet alias 192.168.0.7 255.255.255.0
my gw is 192.168.0.1
I put listening the sslsplit on 192.168.0.7 (the alias) port 10443 and I
make a pf rule like this:
pass out log on em0 proto tcp
the 'tables' [1] structure with pf
1. https://man.openbsd.org/pf.conf#TABLES
Sorry for the noise, I misread your question :P
--
Willy Manga
Hi,
On 12/06/2024 12:50, Kapetanakis Giannis wrote:
Hi,
[...]
2) I've found this tool yesterday (iprange) that it's job is to optimize large
sets of IPs/Networks
https://github.com/firehol/iprange/wiki
I think that's why you have the 'tables' [1] st
Hi,
I have a couple of questions about pf tables.
1) Does it use radix tree and especially Patricia tree?
Trying to read the code and searches on web pointed to that.
2) I've found this tool yesterday (iprange) that it's job is to optimize large
sets of IPs/Networks
https://github.c
; > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only
> > > > 64 physicals and carp interfaces but not my 45 vlan interfaces.
> > > >
> > > > My /etc/snmpd.conf
> > > > ROOT:amdrg2:/root > cat /etc/snmpd.con
On 11/06/2024 15:34, Martijn van Duren wrote:
> On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
>> On 10/06/2024 18:43, Marc Boisis wrote:
>>> Hello,
>>>
>>> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
&
Like Kapetanakis I have the 64 interface desc empty:
> snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64
OPENBSD-PF-MIB::pfIfDescr.64 = STRING:
So can we imagine a limit of 64 interfaces in the snmp (snmpd_metrics) code ?
> On 11 Jun 2024, at 14:34, Martijn van Duren
&
On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
> On 10/06/2024 18:43, Marc Boisis wrote:
> > Hello,
> >
> > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> > physicals and carp interfaces but not my 45 vlan in
On 10/06/2024 18:43, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> physicals and carp interfaces but not my 45 vlan interfaces.
>
> My /etc/snmpd.conf
> ROOT:amdrg2:/root > cat /etc/snmpd.conf
> li
Hello Marc,
I don't have access to such a machine, but my vlan interfaces do show up
for me. Could you try and find a reproducer?
martijn@
On Mon, 2024-06-10 at 17:43 +0200, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I ha
Hello,
I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
physicals and carp interfaces but not my 45 vlan interfaces.
My /etc/snmpd.conf
ROOT:amdrg2:/root > cat /etc/snmpd.conf
listen on 127.0.0.1 snmpv2c
read-only community public
"pfctl -sI" li
leaves, right?
Right.
> what does the gateway's routing table say about how to reach the destination
> network?
Good question. Does it matter what the routing table contains, when I am
explicitly specifying where to send a packet via a pf rule?
In any case, here it is:
mjoelnir:/etc 7
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > pfctl reports:
> > # pfctl -vvs rules | grep @
> > @0 block return log all
> > @1 pass in log on em0 inet proto udp from 192.168.178.16
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> pfctl reports:
> # pfctl -vvs rules | grep @
> @0 block return log all
> @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
> @2 pass out log on ure0 all flags S/SA tagged UDP
>
> I
Hi Guys,
Thanks for the feedback, to address your points:
1> Possibly stupid question, but did you set the sysctl(s) to enable forwarding?
Yes I tried this pf rule change with version 4 forwarding
(net.inet.ip.forwarding) both enabled and disabled.
Either way the pf "pass out tagged&
> > > between two systems, so I though perhaps I could use pf to do just that
> > > by writing some rules along the lines of:
> > >
> > > 1. pass in on iface A proto UDP ... tag mcast
> > > 2. pass out on iface B tagged mcast
> > >
On 23/05/2024 20:18, Peter N. M. Hansteen wrote:
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
I need to quickly create a solution for forwarding multicast traffic
between two systems, so I though perhaps I could use pf to do just that
by writing some rules along
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> I need to quickly create a solution for forwarding multicast traffic
> between two systems, so I though perhaps I could use pf to do just that
> by writing some rules along the lines of:
>
> 1. pas
Hi All,
I need to quickly create a solution for forwarding multicast traffic
between two systems, so I though perhaps I could use pf to do just that
by writing some rules along the lines of:
1. pass in on iface A proto UDP ... tag mcast
2. pass out on iface B tagged mcast
And
On 19/05/2024 19:35, Kapetanakis Giannis wrote:
> On 19/05/2024 14:37, Stuart Henderson wrote:
>> On 2024-05-19, Kapetanakis Giannis wrote:
>>> This is a bit strange. pf works normal, but rules after an enchor an
>>> being attached to the anchor (somehow).
>>>
On 5/19/24 13:37, Stuart Henderson wrote:
I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.
Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc&m=168754952806369
On 19/05/2024 14:37, Stuart Henderson wrote:
On 2024-05-19, Kapetanakis Giannis wrote:
This is a bit strange. pf works normal, but rules after an enchor an
being attached to the anchor (somehow).
All states that are created from rules after the anchor, show the anchor
(pf rule) number instead
On 2024-05-19, Kapetanakis Giannis wrote:
> This is a bit strange. pf works normal, but rules after an enchor an
> being attached to the anchor (somehow).
>
> All states that are created from rules after the anchor, show the anchor
> (pf rule) number instead of (only) the rule
This is a bit strange. pf works normal, but rules after an enchor an
being attached to the anchor (somehow).
All states that are created from rules after the anchor, show the anchor
(pf rule) number instead of (only) the rule number in pfctl -vv and in
pflog.
Here is a quite simple example
On Mon, 15 Apr 2024, at 21:33, Thomas wrote:
> Hi all,
>
> I'm greatly enjoying OpenBSD and have it on most of my devices as I try
> to set up my "perfect lab". I would like some feedback / thoughts about
> one behaviour which I don't quite get.
>
> I have a VM for the world facing side of my ne
Hi all,
I'm greatly enjoying OpenBSD and have it on most of my devices as I try to set
up my "perfect lab". I would like some feedback / thoughts about one behaviour
which I don't quite get.
I have a VM for the world facing side of my network. I have a wireguard network
to link it up to a hom
> I don't think there is at present. There are no "only use v4" or "only
> use v6" addresses modifiers, and pf isn't figuring out for itself that
> it only makes sense to use addresses from the relevant family for
> af-to translation addresses (although it
se v4" or "only
use v6" addresses modifiers, and pf isn't figuring out for itself that
it only makes sense to use addresses from the relevant family for af-to
translation addresses (although it _does_ do this for nat-to).
>> Regarding the other rules and tests, the ::1 r
> Try changing ($wan:0) to $(wan) and see what happens.
Huh, that worked! Thanks!
Try changing ($wan:0) to $(wan) and see what happens.
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32
This worked! Specifically, I think the ($wan:0) was the problem. I
could've sworn I tried this
On 2024-03-15, Tobias Fiebig via misc wrote:
>
> Moin,
>> # perform nat64 (NOT WORKING)
>> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
>
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to
Moin,
> # perform nat64 (NOT WORKING)
> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
Can you try if the same happens with a more specific rule (for
testing)?
i.e.:
pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
af-to inet from "actual IP on igc0"/32
I am su
ood.
# dig ipv4.google.com +short
ipv4.l.google.com.
64:ff9b::8efa:bc0e
However, the pf rule using af-to does not appear to do anything and
I haven't been able to figure out why. When I try to ping6, I get 100%
packet loss.
I inspected packets through tcpdump (after adding "log&
r and slightly
> > varying results. guess i should go back and test ix with LRO off on
> > the pf box.
>
> Sorry, I don't get your problem. You changed your firewall NICs from
> ix(4) to mcx(4) and the throughput got slower? Or, the speed it varying
> between 0.9 gbps
n em and ix)
em(4) does not support the LRO feature, just TSO with mglocker's diff.
> and very consistently getting close to the full 1gbps
> thruoghput on single tcp connections now instead of slower and slightly
> varying results. guess i should go back and test ix with LRO off on
&g
e tcp connections now instead of slower and slightly
varying results. guess i should go back and test ix with LRO off on
the pf box.
I have setup a transparent Tor proxy with the following pf ruleset:
https://paste.c-net.org/WharfSeasick
It routes most importantly all TCP and DNS traffic through the Tor network.
Now I want to have another rule for I2P bittorrent, meaning that there is a rule
for traffic that must be routed
> On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>>
>> "cbq can entirely be expressed in it" ok. so how do i set priorities for
>> queues in hfsc for my local(not for a router above that knows nothing about
>> my existence. tos is an absolutely unvia
On 2023/12/01 15:57, 4 wrote:
> >But CBQ doesn't help anyway, you still have this same problem.
> the problem when both from below and from above can be told to you "go and
> fuck yourself" can't be solved, but cbq gives us two mechanisms we need-
> priorities and traffic restriction. nothing mor
> On 2023-12-01, 4 wrote:
>I don't know why you are going on about SMT here.
i'm talking about not sacrificing functionality for the sake of hypothetical
performance. the slides say that using queues degrades performance by 10%. and
you're saying there won't be anything in the queues until an o
igned to queue
6-fly, while ACKs would get priority of 7 and assigned to queue 7-ack.
Anyway, after years of usage, and lot of frustration in the beginning, I
find current approach more flexible, because in HFSC queue and priority
have to be the same, while in current pf we can set it to be exactly
>>> not a share of the total piece of the pie, and we don't need to know
>>> anything about the pie.
>
>> But unless you are sending more traffic than the *interface* speed,
>> you will be sending it out on receipt, there won't be any delays in
>> send
we don't need to know
>> anything about the pie.
> But unless you are sending more traffic than the *interface* speed,
> you will be sending it out on receipt, there won't be any delays in
> sending packets to the next-hop modem/router.
> There won't *be* any pa
ng
> about the pie.
But unless you are sending more traffic than the *interface* speed,
you will be sending it out on receipt, there won't be any delays in
sending packets to the next-hop modem/router.
There won't *be* any packets in the queue on the PF machine to send in
priority order.
> On Wed, 29 Nov 2023 00:12:02 +0300
> 4 wrote:
>> i haven't used queues for a long time, but now there is a need.
>> previously, queues had not only a hierarchy, but also a priority. now
>> there is no priority, only the hierarchy exists.
> It took me quite some time to wrap my head around this
; so what am i missing?
>>>
>>> man pf.conf
>>>
>>> Look for set tos. Just a few lines below set prio in the man age,
>>>
>>> You can have more then 8 if you need/have to.
>> > Only useful if devices upstream of the PF router know their availabl
to understand
exactly which rule triggers assignment to which queue.
Now all of the above is fine for home gateway with just "internet" and
"lan". Things get much more complicated if there are multiple VLANs on
internal interface, GRE / GIF of wireguard tunnels on external
int
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote:
> "cbq can entirely be expressed in it" ok. so how do i set priorities
> for queues in hfsc
You stack HFSC with link-share service curves with linkshare criterion
1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0".
Or you do not configure queu
then 8 if you need/have to.
Only useful if devices upstream of the PF router know their available
bandwidth and can do some QoS themselves.
Same can be said for CoS as well. You can only control what's going out
of your own network. After that as soon as it reach your ISP or what
not, y
you were running most certainly needed
> an upgrade anyway.
"cbq can entirely be expressed in it" ok. so how do i set priorities for queues
in hfsc for my local(not for a router above that knows nothing about my
existence. tos is an absolutely unviable concept in the real world) pf-router?
i don't see a word about it in man pf.conf
On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>
> "cbq can entirely be expressed in it" ok. so how do i set priorities for
> queues in hfsc for my local(not for a router above that knows nothing about
> my existence. tos is an absolutely unviable concept in the real
much to allocate to each connection, so even the basic bandwidth
> control can't really work, let alone prioritising access to the
> available capacity.
> Priorities work when you are trying to transmit more out of an interface
> than the bandwidth available on that interface.
> S
On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote:
> so what happened to cbq? why such the powerful and useful thing was removed?
> or Theo delete it precisely because it was too good for obsd? %D
Actually, the new queueing system was done by Henning, planned as far back
as (at least) 2012 (https
so what happened to cbq? why such the powerful and useful thing was removed? or
Theo delete it precisely because it was too good for obsd? %D
man age,
>
> You can have more then 8 if you need/have to.
Only useful if devices upstream of the PF router know their available
bandwidth and can do some QoS themselves.
n the basic bandwidth
control can't really work, let alone prioritising access to the
available capacity.
Priorities work when you are trying to transmit more out of an interface
than the bandwidth available on that interface.
Say you have a box running PF with a 1Gb interface to a
(router/mod
yes, all this can be make without hierarchy, only with priorities(because hierarchy it's
priorities), but who and why decided that eight would be enough? the one who created cbq- he
created it for practical tasks. but this "hateful eight" and this "flat-earth"-
i don't understand what use they
ng with queues?
> the older ALTQ system was replaced by a whole new system back in OpenBSD 5.5
> (or actually, altq lived on as oldqeueue through 5.6), and the syntax is both
> very different and in most things much simpler to deal with.
> The most extensive treatment available is
w system back in OpenBSD 5.5
(or actually, altq lived on as oldqeueue through 5.6), and the syntax is both
very different and in most things much simpler to deal with.
The most extensive treatment available is in The Book of PF, 3rd edition
(actually the introduction of the new queues was the reason f
i haven't used queues for a long time, but now there is a need. previously,
queues had not only a hierarchy, but also a priority. now there is no priority,
only the hierarchy exists. i was surprised, but i thought that this is quite in
the way of Theo, and it is possible to simplify the queue me
ble to connect via either connection at any time without changing the
> default gateway.
>
> A long time ago under the old pf syntax I had this in /etc/pf.conf which
> worked fine, and as far as I can remember was the only thing needed to enable
> this desired behavior:
>
>
the default gateway.
A long time ago under the old pf syntax I had this in /etc/pf.conf which worked
fine, and as far as I can remember was the only thing needed to enable this
desired behavior:
pass in on $wan1_if reply-to ( $wan1_if $wan1_gw )
pass in on $wan2_if reply-to ( $wan2_if $wan2_gw
Thnx, this seems toasting better..
1 - 100 of 1061 matches
Mail list logo