Blocking Trojans with PF
Hi,

Any idea for denying connection initiation to the outside from any web server protected by PF? (I want to block Trojans and reverse connections while incoming HTTP traffic is allowed.)

Regards,
Hassan H. Monfared
Re: Blocking Trojans with PF
block all

Permit inbound port 80, but do not permit new outbound connections. Consider each interface a separate firewall, with separate flows entirely, then use policy enforcement (see tagging: http://cvs.openbsd.org/faq/pf/tagging.html) to ensure only properly tagged packets are passed out from the firewall.

Nice thing about pf: stateful tracking of connections. It makes tracking sessions, blocking unwanted traffic, and tagging systems much easier.

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

On Sun, Sep 25, 2011 at 11:18 PM, Hassan Monfared <hmonfa...@gmail.com> wrote:
> Any idea for denying connection initiation to the outside from any web server protected by PF? (I want to block Trojans and reverse connections while incoming HTTP traffic is allowed.)
Re: Blocking Trojans with PF
On Mon, 26 Sep 2011 09:48:20 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> Any idea for denying connection initiation to the outside from any web server protected by PF? (I want to block Trojans and reverse connections while incoming HTTP traffic is allowed.)

block all
pass in on $if from any to ($if)

will block it as you wish.

--
With best regards,
Gregory Edigarov
Re: Blocking Trojans with PF
Thank you. Is it right to block connection initiation from the inside using a rule something like:

block in on $if flags S/SA

Am I right?

Regards,
Hassan H. Monfared

On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> block all
> pass in on $if from any to ($if)
>
> will block it as you wish.
Re: Blocking Trojans with PF
If your firewall is on the same machine as the webserver, you can safely use the ruleset I wrote. If not, you should have

block in on $intif

On Mon, 26 Sep 2011 10:40:09 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> Thank you. Is it right to block connection initiation from the inside using a rule something like:
> block in on $if flags S/SA
> Am I right?
Re: Blocking Trojans with PF
Hi again,

All 6 webservers are behind the FW. Doesn't the "block in on $intif" rule block the TCP handshake? I mean the ACK message must be passed on $intif, mustn't it?

Regards,
Hassan H. Monfared

On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> If your firewall is on the same machine as the webserver, you can safely use the ruleset I wrote. If not, you should have
> block in on $intif
Re: Blocking Trojans with PF
Why can't you read how stateful filtering works? You'd be much better off with the full explanation of the TCP handshake process and how a stateful firewall fits into the picture.

On Mon, 26 Sep 2011 11:26:54 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> All 6 webservers are behind the FW. Doesn't the "block in on $intif" rule block the TCP handshake? I mean the ACK message must be passed on $intif, mustn't it?
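The stateful behaviour Gregory is pointing at, written out as a ruleset for the case Hassan describes (six web servers behind a dedicated PF firewall). This is an added example, not a ruleset posted in the thread; the interface names, the server addresses and the admin network are assumptions.

```conf
# pf.conf fragment for a firewall in front of six web servers.
# Added example; interface names, addresses and the admin network are assumed.
ext_if = "em0"                     # assumed: interface towards the Internet
int_if = "em1"                     # assumed: interface towards the server LAN
webservers = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12, \
               192.0.2.13, 192.0.2.14, 192.0.2.15 }"   # assumed addresses
admin_net = "10.0.0.0/24"                              # assumed: where ssh comes from

set skip on lo0
# "floating" is the default: a state created on one interface also matches
# the same connection's packets on the other interface.  That is why the
# SYN/ACK coming back in on $int_if needs no rule of its own.
set state-policy floating

# Default deny in every direction on every interface.  A SYN from a web
# server arriving in on $int_if has no state to match and ends here; it is
# logged (that is the reverse-connection attempt you want to see) and
# answered with a RST so the malware fails fast instead of hanging.
block log all
block return in log on $int_if from $webservers

antispoof quick for { $ext_if, $int_if }

# The only rule that creates a state: an inbound SYN from the Internet to
# port 80 on a web server.  "flags S/SA" and "keep state" are pf's defaults
# for TCP and are spelled out because they are what turns "connection
# initiation" into "SYN without ACK".  The SYN leaving on $int_if, the
# SYN/ACK coming back in on $int_if and every later packet of the
# connection match this state and never go through the ruleset again.
pass in on $ext_if proto tcp from any to $webservers port 80 \
    flags S/SA keep state

# Management: admins may reach the servers on ssh; the servers still cannot
# start anything themselves.
pass in on $ext_if proto tcp from $admin_net to $webservers port 22

# With the rules above the servers have no DNS, NTP or package updates.
# Every hole you open here is also an egress channel (DNS tunnelling, HTTP
# C2), so when you add them point them at your own resolvers and mirrors,
# never at "any":
#   resolvers = "{ 192.0.2.53 }"                      # assumed
#   pass in on $int_if proto udp from $webservers to $resolvers port 53
```

Load it with `pfctl -f /etc/pf.conf` after a syntax check with `pfctl -nf /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0`: a compromised server shows up as blocked SYNs with its address as source on $int_if, which is a far more useful indicator than anything on the server itself, since the server's own view may be under the attacker's control.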
Re: Blocking Trojans with PF
Thanks for the clear answer! I'd already read it. Not a bad idea to refer every question on the list to the manuals and books or man pages, huh?

On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> Why can't you read how stateful filtering works? You'd be much better off with the full explanation of the TCP handshake process and how a stateful firewall fits into the picture.
configure lan ports and wifi like a switch
Hi,

I use an appliance with OpenBSD 4.9; there are 3 network ports (sis0-2) and a wifi port (ral0):

sis0 : egress (internet)
sis1, sis2, ral0 : lan

I configure a hostname.trunk0:

    trunkport sis2
    trunkport sis1
    trunkport ral0
    trunkproto loadbalance
    inet 10.100.1.50 255.255.255.0

hostname.sis1, hostname.sis2:

    up

hostname.ral0:

    inet 10.100.1.241 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid SSID wpakey mypassword chan 11
    up

It seems to me that it doesn't work. Any advice or ideas?

Thank you a lot for your replies!!

Wesley.
Re: microsoft and UEFI boot
Actually I'm way more optimistic about OEM motherboard manufacturers than about PC companies. The weak spot will in fact be laptops and other portable equipment, as these are all proprietary designs. Considering that laptop sales have outdone standard fixed PC sales for years, the ecosystem, unless some heavyweight authority strikes hard, could be severely affected.

Plus: is this crap going to fit the TPM chip onboard? Or just something that can be got around by flashing the BIOS/firmware? And how many firmwares will there be? It's not realistic to think that any single one of them can be hacked... plus with the danger of bricking the box at any time or making it behave dizzily.

On Sat, Sep 24, 2011 at 7:09 PM, Marc Smith <marc_sm...@gmx.com> wrote:
> Well, yes. You're right. Apparently only the EU commission can help, and let me tell you that the EU is really good with those kinds of regulations. It usually cares for customers' privacy and fights the monopoly of particular companies. Let's hope it makes the next move.
>
> Anyway, there are [still] some custom PC sets that remain open and non-restrictive. Let's count on that so it will remain active on the market.
>
> On 24.09.2011 18:57, Paolo Aglialoro wrote:
>> Unfortunately, just a tiny percentage of sold x86 boxes are no-OS, and also Dell has stopped selling Linux PCs. The last no-OS one I bought was an HP laptop (HP 360) with SUSE 11 onboard. Drops within an ocean. Unless the EU Commission helps, it'll be a hell of a scenery.
>>
>> On Sat, Sep 24, 2011 at 4:13 PM, Marc Smith <marc_sm...@gmx.com> wrote:
>>> This has already been explained in multiple articles, really. It looks like it's the OEMs' business. They decide whether they give the end user an option to disable secure boot or not. It's probably best to buy only No-OS computers anyway. You can also support various open BIOS initiatives.
>>>
>>> On Sat, 24 Sep 2011, 15:36:21 Amit Kulkarni wrote:
>>>> http://mjg59.dreamwidth.org/5850.html
>>>>
>>>> In the future, how will we have access to OpenBSD if Microsoft gets away with it? Right now most of us buy Windows-enabled PCs and either dual boot or wipe it out... thanks
Re: configure lan ports and wifi like a switch
You want bridge(4), not trunk(4).

On 2011-09-26, Wesley M. <open...@e-solutions.re> wrote:
> I use an appliance with OpenBSD 4.9; there are 3 network ports (sis0-2) and a wifi port (ral0):
> sis0 : egress (internet)
> sis1, sis2, ral0 : lan
> I configure a hostname.trunk0 with trunkport sis2, trunkport sis1, trunkport ral0, trunkproto loadbalance and inet 10.100.1.50 255.255.255.0.
> It seems to me that it doesn't work. Any advice or ideas?
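Stuart's pointer spelled out for Wesley's interface layout, as an added example that is not part of the thread: a bridge(4) joins sis1, sis2 and the hostap ral0 into one layer-2 segment, and the LAN address goes on one member rather than on the bridge itself. The address and the wifi parameters are taken from Wesley's post; that sis0 keeps its own egress configuration is assumed.

```conf
# /etc/hostname.bridge0  (added example for Wesley's layout)
# Members forward frames between each other like switch ports.
add sis1
add sis2
add ral0
up

# /etc/hostname.sis1  -- the LAN address lives on one member, not on bridge0
inet 10.100.1.50 255.255.255.0 NONE

# /etc/hostname.sis2  -- plain member, no address
up

# /etc/hostname.ral0  -- access point, plain member, no address of its own
media autoselect mode 11g mediaopt hostap nwid SSID wpakey mypassword chan 11
up
```

Bring it up with `sh /etc/netstart` and check with `ifconfig bridge0` and `brconfig bridge0 addr` that the laptops' MAC addresses are learned on ral0. A bridge is a switch, so anyone who has the WPA key is on the same segment as the wired hosts; if wifi clients should see less than the wired ones, that filtering belongs in pf rules on ral0 (or ifconfig's `blocknonip ral0` for the non-IP case), not in the bridge.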
Re: Blocking Trojans with PF
On Mon, Sep 26, 2011 at 10:16 AM, Hassan Monfared <hmonfa...@gmail.com> wrote:
> Thanks for the clear answer! I'd already read it. Not a bad idea to refer every question on the list to the manuals and books or man pages, huh?

Because nearly 95% or more was already answered in them? ;-) This is not Linux.
Re: microsoft and UEFI boot
On Mon, Sep 26, 2011 at 11:09 AM, Paolo Aglialoro <paol...@gmail.com> wrote:
> Actually I'm way more optimistic about OEM motherboard manufacturers than about PC companies. The weak spot will in fact be laptops and other portable equipment, as these are all proprietary designs.

There's a new article related to that: http://www.bunniestudios.com/blog/?p=1863

> Considering that laptop sales have outdone standard fixed PC sales for years, the ecosystem, unless some heavyweight authority strikes hard, could be severely affected.
> [...]
Re: Blocking Trojans with PF
Finally, I agree ;). But referring to the right document is not a bad idea ;). I do it myself if I can. :) Objective, not subjective ;)

Regards,

On Mon, Sep 26, 2011 at 1:23 PM, Tomas Bodzar <tomas.bod...@gmail.com> wrote:
> Because nearly 95% or more was already answered in them? ;-) This is not Linux.
Re: microsoft and UEFI boot
On Monday, 26.09.2011, 11:09 +0200, Paolo Aglialoro wrote:
> Actually I'm way more optimistic about OEM motherboard manufacturers than about PC companies. The weak spot will in fact be laptops and other portable equipment, as these are all proprietary designs. Considering that laptop sales have outdone standard fixed PC sales for years, the ecosystem, unless some heavyweight authority strikes hard, could be severely affected.

Since the early days of open source operating systems there has been a continuous flow of scare messages that some hardware innovation will kill open source operating systems. Remember I2O, anyone?

No serious motherboard manufacturer, except maybe at the very bottom end, can afford to lock out open source operating systems in the long run. Way too many businesses, even those which appear to be 100.0% Microsoft from the outside, depend on Linux and *BSD.

If anyone wanted to kill FOSS Unixes, 1995 would have been the right time. It's way too late for that now, and let's please not spread FUD about this issue.
Operations Key
Dear customer,

We are writing to inform you that your BBVA Net operations key has not been changed and expired on 19/09/2011. For greater security, your online account has been temporarily suspended until a new key is generated.

In order to resolve this irregularity, we ask you to access the link provided below to verify your identity and reactivate your account.

BBVA - Validation: https://bbva.es/formulario_validacion/

Banco BBVA thanks you again for your trust.

Sincerely,
BBVA Incidents Department
Tel. 902 18 18 18
Email: incidenc...@bbva.es
Banco Bilbao Vizcaya Argentaria S.A. - 2011

* Once the data verification form has been completed, you will receive in writing, within a maximum of 15 working days, an ordinary letter with your new BBVA net operations key together with the BBVA net Service contract. For any information, do not hesitate to contact us through our email incidenc...@bbva.es.
NPPPD/L2TP IPsec problems
I have been playing around a little with the npppd daemon, having set up an L2TP server for test and learning purposes. The connection runs in an IPsec tunnel, and it works great and runs very fine when used on a local network. But I'm having problems when it comes to NAT.

This is my setup:

client (Windows XP) - NAT - internet - OpenBSD (public IP)

The OpenBSD machine is running a snapshot:

OpenBSD 5.0-current (GENERIC) #60: Thu Sep 22 11:33:48 MDT 2011

This is my ipsec.conf:

# cat /etc/ipsec.conf
# $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

ike passive \
    from any to any \
    main auth hmac-sha enc 3des group modp2048 \
    quick auth hmac-sha enc 3des \
    psk secret

(I'm using a PSK for simplicity.)

And this is the output from isakmpd -Kvd:

# isakmpd -Kvd
135735.070170 Default isakmpd: starting [priv]
135745.894966 Default isakmpd: phase 1 done (as responder): initiator id LB-II.Landbjorn.local, responder id XXX.XXX.XXX.XXX, src: XXX.XXX.XXX.XXX dst: 87.56.249.90
135745.944132 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135746.518485 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135748.518811 Default dropped message from 87.56.249.90 port 18260 due to notification type INVALID_ID_INFORMATION
135750.294002 Default isakmpd: Peer 87.56.249.90 made us delete live SA peer-default for proto 1, initiator id: LB-II.Landbjorn.local, responder id: XXX.XXX.XXX.XXX

(XXX.XXX.XXX.XXX is the public IP of the OpenBSD machine.)

Phase 1 is completed successfully, but phase 2 fails. I have searched Google and found this: http://tinyurl.com/5vsvvfq

I have tried running isakmpd with the -T flag, but no luck. Any idea what could be wrong?

Best regards
Martin
We are already at 80% of the funding.
I'm pleased to tell you that we have already completed 80% of the funding for the development of the video game for iPhone, iPad, Android, PC and Mac that I have mentioned to you on a couple of occasions.

We will close the entry of new partners next Friday at 14:00 peninsular time, unless 100% is completed before that day.

If you wish to invite a family member or friend to this project, you can do so by sending them the following link: http://www.appscapital.com/mex/

For any doubt or question, I am at your full disposal. Remember that if you ask me a question, there is a significant time difference and I may be a little late in replying.

A big hug,
Manuel Martínez
President, Apps Capital
Re: NPPPD/L2TP IPsec problems
I think you have to enable NAT Traversal in your ipsec.conf file. Check the man page on that one. You could try this, but I am not sure it will work:

ike passive from any (public-ip) to any ..
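For comparison, here is the shape of an ipsec.conf rule that L2TP/IPsec clients behind NAT do negotiate with isakmpd, as an added example that is not from the thread. Two points matter: a Windows L2TP/IPsec client proposes a transport-mode ESP SA for UDP port 1701 in quick mode, which a "from any to any" tunnel-mode flow does not match, and isakmpd(8) negotiates NAT-T on its own without any ipsec.conf option; its -T flag disables NAT-T rather than enabling it. The cipher choices, the "egress" interface group as the local address and the PSK are assumptions.

```conf
# /etc/ipsec.conf (added example, not Martin's configuration)
# Accept L2TP/IPsec clients, including clients behind NAT.  Transport mode
# and the l2tp port (1701/udp, from /etc/services) are the essential part;
# the algorithms and the shared secret are assumptions and must be changed.
ike passive esp transport \
    proto udp from egress to any port l2tp \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des \
    psk "change-this-shared-secret"
```

Check it with `ipsecctl -n -f /etc/ipsec.conf`, then run `isakmpd -K` and `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -sa` shows the resulting SAs and flows. pf has to pass udp/500, udp/4500 and esp on the outside interface, and udp/1701 on enc0, where the decapsulated L2TP packets appear and where npppd listens. If the OpenBSD server itself were the one behind NAT, a Windows XP SP2 client would additionally need the AssumeUDPEncapsulationContextOnSendRule registry value; with only the client behind NAT, as in Martin's setup, XP's built-in NAT-T suffices.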
Re[2]: Load Balance Outgoing Traffic
26 September 2011, 19:50, from Gonzalo L. R. <gonz...@x61.com.ar>:
> Maybe you can use trunk(4)

So, I need this:

# ifconfig trunk0 trunkproto loadbalance trunkport fxp0 trunkport fxp1 \
    trunkport fxp2 trunkport fxp3 \
    192.168.1.1 netmask 255.255.255.0

and in pf.conf:

match out on trunk0 from $local_net to any nat-to $trunk0
set skip on $local_if
pass out on $ext0
pass out on $ext1
pass out on $ext2
pass out on $ext3
pass out on trunk0

I feel that something is wrong with this approach, isn't it? The man page says:

    The trunk protocols loadbalance and roundrobin require a switch which supports IEEE 802.3ad static link aggregation; otherwise protocols such as inet6(4) duplicate address detection (DAD) cannot properly deal with duplicate packets

But I know nothing about what devices are behind my several $ext_if.
Good morning
Welcome to our website. We have GPS, DVD, digital camera, video, MP3, MP4, scanner, projector, mobile phone, TV. All products are new and [...], but the price is the best. [...] Happy shopping there.

Web: www. rl.com
2011-9-27 2:44:35
Re: pf behaviors
One and a half weeks since my last mail without any answer :( Two and a half weeks since I first asked some questions about this problem, also without any answer. :(

Here is a little part of the pf FAQ. Link: http://openbsd.org/faq/pf/filter.html#state

... if a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ruleset evaluation.

So it really looks like a bug. When I erase state with pfctl -k x.x.x.x it should go through the ruleset again, but it doesn't do so for a current transfer like a current download.

If I try with no state:

pass out on $ext_if from <second> queue second no state

it won't shape IPs added to <second> into the queue; they will be shaped by the default queue instead.

Any idea? Should I report a bug?

Michel

On 2011-09-14 15:20, Michel Blais wrote:
> Hi, this follows my previous posts with subject "pf shape download", which I have now solved.
>
> The following tests were done on OpenBSD 4.9, a 5.0 snapshot of 12/09/2011 and FreeBSD 8.2 (which includes PF from OpenBSD 4.2 if I remember well). All have the same behavior. I didn't test -current (but the snapshot was probably current when I installed it) because I was not able to build it on my system (sent the error via sendbug).
>
> Part 2 looks like a bug to me; can somebody confirm?
>
> My test has been done with these rules:
>
> altq on $int_if hfsc bandwidth 8Mb qlimit 500 queue { main, second }
> queue main on $int_if bandwidth 7Mb qlimit 250 priority 4 hfsc(upperlimit 8Mb default)
> queue second on $int_if bandwidth 1Mb qlimit 250 priority 0 hfsc(upperlimit 2Mb)
>
> pass in
> pass out
> pass out on $ext_if from <second> queue second
>
> 1 - I can't change the queue of an ongoing transfer. If I'm on the default queue, downloading at 8 Mbps, and add my IP address to the <second> table, I will continue to download at 8 Mbps, but if I pause and resume my download, it will now download at 2 Mbps. Same if I'm on the second queue and downloading at 2 Mbps: if I remove my IP address from <second>, it will still download at 2 Mbps, but if I pause/resume my download, it will now download at 8 Mbps.
>
> 2 - While doing the previous test, I told myself that maybe I have to clear state to change queue. Now if I clear the state of an IP address with pfctl -k, the IP address will always change from its queue to default. pfctl -K won't do this. Example: my laptop's IP address is in <second> and I download at 2 Mbps. If I do (10.254.200.2 is the IP address of my test unit):
>
> pfctl -k 10.254.200.2
>
> then I will now be in the default queue instead of second and download at 8 Mbps even if my IP address is still in <second>. I don't have to pause/resume; it changes automatically after pfctl -k. This one looks like a bug to me, but I'm not sure. Should clearing state erase queue rules on a transfer? Shouldn't this transfer pass again through all rules and be sent to the second queue again?
>
> 3 - Is there a way to change the queue of a transfer without stopping/resuming the transfer?
>
> 4 - Why is an upload rule needed to send download traffic to a queue? In the pf FAQ (http://openbsd.org/faq/pf/queueing.html), in the bob example, there is a "pass out to bob on int_if" rule to change bob to the bob queue, which makes sense to me, but I must do the opposite to have my download queued. It's probably the FAQ that's wrong, but I would like to make sure before reporting, and also understand why, since it looks logical for download to do altq on int_if and make a rule on the outgoing traffic of int_if to change queue.
>
> Thanks
>
> Michel
Re: pf behaviors
On 2011-09-26, Michel Blais <mic...@targointernet.com> wrote:
> So it really looks like a bug. When I erase state with pfctl -k x.x.x.x it should go through the ruleset again, but it doesn't do so for a current transfer like a current download.

This only erases the state in one direction. Try:

pfctl -k x.x.x.x; pfctl -k 0.0.0.0/0 -k x.x.x.x

> 3 - Is there a way to change the queue of a transfer without stopping/resuming the transfer?

Not reliably while using stateful rules. If you completely kill the state in both directions you could pick up the already open connection with a 'flags any' rule; however, if the connection uses window scaling (which is done by default by many OSes nowadays), this will break sooner or later. See the text for "flags a/b | any" in pf.conf(5).

> 4 - Why is an upload rule needed to send download traffic to a queue?

Queue *assignment* is done at the point you create state (or, if you use stateless rules, when the packet hits a 'pass' rule). The actual *queueing* takes place in the interface output routine. A common mistake amongst people learning altq is to confuse the assignment with the actual queueing.
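Stuart's distinction between queue assignment and queueing, written out as a ruleset for Michel's setup. This is an added example, not Michel's ruleset: it uses a default-deny base so that exactly one rule creates the state for a LAN-initiated connection, which makes it unambiguous which rule's queue the state carries. Interface names, the LAN network and the table contents are assumptions; the queue definitions follow Michel's numbers.

```conf
# pf.conf fragment (added example, not Michel's ruleset): throttling LAN
# downloads with the queues on $int_if.  Interface names, the LAN network
# and the table contents are assumptions.
ext_if  = "em0"                            # Internet side
int_if  = "em1"                            # LAN side: downloads leave here
lan_net = "10.254.200.0/24"
table <second> persist { 10.254.200.2 }    # hosts to be throttled

# Queues live on the interface whose output routine does the delaying.
altq on $int_if hfsc bandwidth 8Mb qlimit 500 queue { main, second }
queue main   on $int_if bandwidth 7Mb qlimit 250 hfsc(default upperlimit 8Mb)
queue second on $int_if bandwidth 1Mb qlimit 250 hfsc(upperlimit 2Mb)

block all

# Exactly one rule creates the state for a LAN-initiated connection: its
# first packet is seen inbound on $int_if.  The queue named on that rule is
# recorded when the state is created and is used for every later packet of
# the connection, on whichever interface the packet leaves.  The data coming
# back for a host in <second> therefore goes out $int_if in "second",
# although no rule on $int_if's outbound side ever mentions it.
pass in quick on $int_if from <second> to any queue second
pass in on $int_if from $lan_net to any

# Editing <second> changes nothing for connections whose state already
# exists; they keep the queue they were born with (the behaviour Michel
# saw).  Kill both halves of the state, as Stuart describes, and the next
# packets create a fresh state under the current table contents:
#   pfctl -k 10.254.200.2; pfctl -k 0.0.0.0/0 -k 10.254.200.2
# A "flags any" rule can adopt a mid-stream connection after the kill, but
# pf then never sees the handshake and cannot learn the window scaling
# factor, so such connections stall sooner or later.
```

`pfctl -vsq` shows per-queue packet and byte counters, which is the quickest way to confirm that a download is really being accounted to "second" on $int_if rather than to the default queue.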
Anybody else in San Jose for PgWest?
If so, drop me a line. Jeff Ross
10:19:04 MD1 electric wire-rope hoist 2011-9-27
Dear sir,

We are a manufacturer of chain hoists and electric hoists in China. Our main products are HSZ/HSC/VT chain hoists, VT lever blocks, CD1/MD1/BCD electric wire-rope hoists, DHL/HHB electric chain hoists and crane scales.

We have CE certificates for our hoists, and they sell well in the market for high quality and reasonable price. Welcome any kind of consultation about our hoists. If you have an order, I will give you the best price.

I hope we shall have the chance to know and cooperate with each other, and I will give you my best service.

I am looking forward to your early reply.

Thank you and best regards
Alice

[demime 1.01d removed an attachment of type image/jpeg which had a name of productxiao000.jpg]
mailing list manager recommendation for smtpd?
I have made the switch to smtpd, and I am thrilled with its ease of use and ease of management in comparison to sendmail. I also run a small moderated mailing list and am looking for a replacement for mail/majordomo that will integrate with smtpd. Majordomo requires both Commands and Include Files in aliases.db, neither of which I am able to deploy with /usr/libexec/smtpd/makemap running as newaliases.

Does anyone have a recommended replacement? I have looked at mail/mailman, and it seems generally MTA-agnostic from looking through the documentation. I have also looked at mail/mlmmj and mail/sympa. The latter two require alias database entries not yet supported by smtpd and its associated makemap.

Is anyone using mail/mailman or yet another mailing list manager with smtpd? If so, I would appreciate any comments you may have, including specific provisioning recommendations or caveats discovered. (A light cluestick is all I'm after.)

Thanks!
npppd as L2TP client
Is it possible to use npppd as an L2TP client, or in a configuration where both VPN endpoints are OpenBSD based? Thank you in advance.