d is slow!
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
* Wesley M. [2011-10-19 09:53]:
> PF is a good firewall, we can play with QoS/IP,Ports filter/NAT/ Src NAT/
> Stateful/Load Balancing/scrub
> But it is not a NIDS. ;-)
of course it isn't an IDS. we don't do marketing snake oil.
--
Henning Brauer, h...@bsws.de, henn...
* Barry Grumbine [2011-10-17 20:10]:
> There are two ports for this:
> http://openports.se/sysutils/apc-upsd
> http://openports.se/sysutils/upsd
my recommendation for that kind of task is still nut. not
vendor-specific as an added bonus.
--
Henning Brauer, h...@bsws.de, henn...@openb
> --
> Michel Blais
> Administrateur réseau / Network administrator
> Targo Communications
> www.targo.ca
> 514-448-0773
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
the quirks of a new rcs system.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
itory will never be in a place outside direct control of the
> developers and especially Theo.
and using an rcs system without it being in base (and thus, suitably
licensed) won't happen either.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Se
truncate protocol
> information for other protocols. Other file parsers may desire a
> higher snaplen.
>
> it seems to me that the default is 160. am I wrong?
>
> #define DEF_SNAPLEN 160 /* pfloghdr + ip hdr + proto hdr fit usually
> */
correc
* STeve Andre' [2011-09-23 01:52]:
> avoid the T61 series as they use nVidia
my T61 has no single nvidia device in it.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root
s.
can we please keep this marketing crap off the lists?
not even is this irrelevant marketing speech, it is even more
irrelevant since xen doesn't run on openbsd.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting,
+%m)
awesome.
trying to be clever is always so awesome, and almost always leads to
problems.
now, your code is awesome to produce something that looks like a
military aircraft registration.
it is entirely useless otherwise.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services,
* Nico Kadel-Garcia [2011-09-11 16:31]:
> core UNIX and Linux system tools such as Subversion
one thing's for sure: you're funny.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedi
* Tomas Bodzar [2011-09-08 18:33]:
> Are some of the devs attending or no one invited?
> http://www.bsdday.eu/2011
first time I personally hear about this at all.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Ma
PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
+ if (pd->sport)
+ pd->nsport = *pd->sport;
+ if (pd->dport)
+ pd->ndport = *pd->dport;
+
return (0);
}
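Review bot: when pd->sport or pd->dport is NULL, the added checks skip the assignment and leave pd->nsport and pd->ndport at whatever value they held before this point; the visible lines do not show them being initialised. Either zero them in an else branch or add a comment saying where they are cleared and for which protocols the port pointers are expected to be NULL.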
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
04] pass in on em1: [orig
src 172.16.8.1:22, dst 172.16.7.1:2302] 0.0.0.0.0 > 0.0.0.0.0: . [tcp
sum ok] 2741764166:2741764166(0) ack 1558002165 win 2172
(DF) [tos 0x8] (ttl 64, id
53354, len 52, bad cksum 32f! differs by 6723)
as in, we swap in zero-addresses in the non-NAT case. hav
access speed
(foremost: latency) is the #1 bottleneck on firewall/router style
setups.
> I would be delighted if what I've been
> reading is wrong :-)
be delighted
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hostin
because something in the way changed things.
usually some kind of tunnel or encryption.
in a perfect world we'd find all these codepaths and add the calls to
pf_pkt_addr_changed(). we're not making much progress lately in
identifying the few remaining ones tho :((
--
Henning Brauer, h...@
* Nick [2011-06-29 17:41]:
> ouch. We've provided the gun. You are providing the foot. You
> decide what to do with them.
use the right one. donate the left one to me. could use a new ankle
joint.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://b
e
indeed
> can you please discuss the bad side effects of doing so?
you look like a retard.
we laugh about you.
you won't get any help.
and much more.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DN
* Martin Schröder [2011-06-05 21:44]:
> 2011/6/3 Kevin Chadwick :
> > preference for ipv4 since I first compared them. The fact programmers
> > don't like it, tops it off.
> Carrier grade NAT is so much better than IPv6....
easily.
--
Henning Brauer, h...@bsws.de, hen
Intel Pro/1000 MT cards were used.
>
> I should mention that we had a large number of virtual interfaces (300+)
> for routing traffic among these VLANs. So maybe this was the cause.
I can immediately come up with 5 changes after 4.7 that massively
change the picture, so that comparison i
> The offsets you are seeing are newly calculated differences between
> what ntpd thinks is the time and the clocks time.
yup
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Roo
* Michael Sioutis [2011-05-15 18:49]:
> What else could I use it for?
doorstop?
monitor stand?
projectile for the next IETF meeting?
seriously, a dirt cheap atom will be gazillion times faster and pay
for itself quickly on the power bill.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.
so, a couple of us made it to this year's BSDcan in Ottawa.
Henning and Ryan gave a presentation to celebrate pf's 10th birthday.
Claudio spoke about vscsi and iscsid.
Kristaps talked about mandoc and Ingo about its integration into the
OpenBSD tree.
And as usual there was a quick OpenBSD status u
* Wesley MOUEDINE ASSABY [2011-05-11 12:25]:
> But it works now. Just in modifying "recvspace" value for a higher...
yeah right, changing the size of a socket buffer will help a lot for a
forwarded connection where no sockets are involved
--
Henning Brauer, h...@bsws.de, henn..
,
>
> Wesley MOUEDINE ASSABY
> www.mouedine.net
>
> On Tue, 10 May 2011 15:59:09 -0600, Daniel Melameth
> wrote:
> >Try sysctl net.inet.tcp.recvspace=65535. This is resolved in 4.9.
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Servi
etting all devices to
> >100baseTX full-duplex.
that is extremely bad advice.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Alexander Hall [2011-05-10 11:33]:
> On 05/10/11 11:16, Henning Brauer wrote:
> > * Andrew Fresh [2011-05-10 02:20]:
> >> On Mon, May 09, 2011 at 04:59:17PM -0700, Stefan N wrote:
> >>> Are my steps correct?
> >>
> >> Close, but install sets a
not even really necessarily, but easier that way).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
g
> states of the tree.
indeed. it is not exactly the first time pf ioctls changed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Tyler Morgan [2011-05-05 00:43]:
> I bet I'm not the only
> person using RAIDFrame close to production without realizing it's
> not even maintained code.
if "it's not in GENERIC" is not a strong enough hint, I dunno.
--
Henning Brauer, h...@bsws.de, henn...
* Nico Kadel-Garcia [2011-05-04 14:55]:
> I've been using the very helpful notes at
> http://www.eclectica.ca/howto/openbsd-software-raid-howto.php,
they are not helpful, they are 100% obsolete.
you want softraid(4), which is, surprise! in GENERIC.
--
Henning Brauer, h...@bs
earlier) kernel.
or just reboot with a 4.9 kernel before upgrading userland.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Emille Blanc [2011-04-30 19:56]:
> since TFTP uses UDP, pf won't create a state
wrong.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
d it obvious obvious: it is pretty likely that some future
version of openbsd will drop raidframe entirely, users will have to
dump & restore.
so if you're looking for an install that is supposed to live for a
while (that includes version upgrades of course) you are way better off
running
does then
> work. Is there no graceful way to do this? Seems odd that bgpd has to
> completely stop to change settings on network statements. `bgpctl
> network` doesn't seem to have any type of refresh, just add and flush.
if this doesn't work with reload and clearing the session(
appear to be valid. I've also
> tried them in the 'neighbor' statement with no luck. Doing so there
> also seems odd since I would have to have multiple neighbor statements
> for each originating prefix.
match out to any prefix $foo set $bar
(note that this doe
ed
so you have something in there relying on something not available
early enough on the boot process. primarily suspect is dns.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
hink they are for some
> kind of devil-music rock band or something.
and that isn't actually THAT faar off, is it? ;)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
't work without and stays in init. and the macaddr depends on the
vhid so it is set late-ish.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
compile/GENERIC.MP.
>
> What should I do?
rm -rf ./compile/GENERIC.MP/
and reconfig. occasionally make clean is not enough.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Matt S [2011-04-05 18:01]:
> I have been following npppd and PIPEX with some excitement, especially the
> support for L2TP. Do you know if npppd will be ready for OpenBSD 4.9 RELEASE
> and enabled in the build?
4.9 comes without npppd.
--
Henning Brauer, h...@bsws.de, henn...@op
> firewall's IP address as the virtual one so to avoid losing
> connectivity
that of course works just fine. the outage is the time for the new mac
addr for that IP to propagate, the time that takes heavily depends on
your switches.
--
Henning Brauer, h...@bsws.de, henn...@openbsd
oose you're still just electing a bunch of nutheads.
but the leftwing nuts are more fun to drink with
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Amit Kulkarni [2011-03-31 03:54]:
> Hey you guys are going to bump up the default and enable bigmem as
> default too? :) Is it scheduled for this hackathon?
you gotta ask our middle management which milestones are scheduled.
oh. hmm. wait. whatever.
--
Henning Brauer, h...@bsws.de
* Scott McEachern [2011-03-31 01:26]:
> And what are we readers to wait for, anyway?
the bump.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Amit Kulkarni [2011-03-31 01:09]:
> On Wed, Mar 30, 2011 at 5:47 PM, Henning Brauer wrote:
> > * Amit Kulkarni [2011-03-31 00:45]:
> >> Nothing directly, just observing a comparison of default choice.
> >> OpenBSD opts for one strategy (bufcache = 10%) and Openso
* Amit Kulkarni [2011-03-31 00:45]:
> Nothing directly, just observing a comparison of default choice.
> OpenBSD opts for one strategy (bufcache = 10%) and Opensolaris opts
> for another (bufcache close to 100%).
you are wrong.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.o
* Amit Kulkarni [2011-03-30 23:19]:
> Might be okay for high physical memory machines but not low. I
> remember Opensolaris also filled out bufcache for ZFS, which was a
> bloated pig.
and ClaimsToBeOpen-Solaris' bufcache allocation strategies have
exactly what to do with openbsd
* lilit-aibolit [2011-03-25 11:06]:
> why so many people hate calomel.org?
hate? no.
ditch, because the "recommendations" there are bullshit.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Servi
1) stopping to push random buttons you obviously don't understand
2) submitting a proper bug report if the problem remains
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Kapetanakis Giannis [2011-03-21 22:31]:
> I want the master after it reboots (if backup is up) to wait for
> pfsync0 interface to come up, get the missing states from backup
> firewall and only then advskew carp
no need. that happens automagically.
--
Henning Brauer, h...@bsws
* jirib [2011-03-21 09:55]:
> On Sat, 19 Mar 2011 21:28:09 +0100
> Henning Brauer wrote:
> > > it was working for me - rdr-to outbound to a daemon on the firewall
> > > itself, but I deleted that virtual machine...
> > >rdr-to is usu
* jirib [2011-03-19 00:38]:
> On Fri, 25 Feb 2011 10:21:20 +0100
> Henning Brauer wrote:
>
> > * william dunand [2011-02-25 05:26]:
> > > > pass out log(matches) quick inet proto tcp from any to
> > > > 89.176.141.250 port = www rdr-to 127.0.0.1 port 8
is handled by an IGP (e. g. ospf)
> There is no other router daemon running on the servers (ie no ospfd).
well, you'll need one.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Claudio Jeker [2011-02-25 15:56]:
> On Fri, Feb 25, 2011 at 03:05:34PM +0100, Henning Brauer wrote:
> > * gb10hkzo-na...@yahoo.co.uk [2011-02-25
> > 13:09]:
> > > Is there a reason why the
> > > ability to use pflow has not been implemented in
> > >
n the network edge is not a viable
> option for me.
I don't believe a word.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
y are described in the manpage.
this example hits a caveat.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
be, that's
> news to me and I have been wrong for many years then. Sure possible,
> but as I said. I never did and I may have been wrong for many
> years...
well, you have been wrong all the time then.
one IP per subnet with the real mask so there is a route, all others
with all
Well hell, now all I'm getting is kernel panics when I run "btconfig ubt0 up"
bt is badly broken and stays that way until someone cares enough to
fix it.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mai
o best time to test it!) will just
work.
rsu (4) - Realtek RTL8188SU/RTL8192SU USB IEEE 802.11b/g/n wireless network
device
urtwn (4) - Realtek RTL8188CU/RTL8192CU USB IEEE 802.11b/g/n wireless network
device
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.d
t, however, the masks are not.
you are screwing up routing. you want an all-ones netmask on each and
every IP address except one per subnet. alas you want 255.255.255.255
on the carp if's IPs.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Se
nge. :-)))
> I don't think that was ever a 'change' in pf...
indeed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
n vlan2 inet proto tcp from
> > 10.100.100.0/24 to 10.10.4.114 - 10.10.4.116 flags S/SA keep
> > state
> >
> > So, the rule with the IP Range matches wrong dst address.
> > If I rewrite a rule without using a range, then it works
> > OK.
> >
> > OpenBS
ince ruleset reload is nicely atomic. if you flush, you
leave a window where everything is passed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Harald Dunkel [2011-02-10 11:07]:
> A simple "block quick inet6" doesn't seem appropriate,
that is very appropriate.
plus
ifconfig $if -inet6
and you got rid of all that crap.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Se
rently, so super duper obvious:
INSTALL.*, SHA256, base*, bsd* are already synced. cdXZ.iso is in the
process of syncing and the rest is old, as in, from a previous snap.
do i need to point out now that the checksums in SHA256 won't match
for cd49.iso and everything after? and the same for
ybe a FAQ entry will be useful.
>
> This file is provided for you to be able to check that you downloaded
> the files correctly. The installation media uses an internal source for
> the checksum information.
and the mirroring process isn't atomic.
--
Henning Brauer, h...@bs
* Alessandro Baggi [2011-02-05 21:44]:
> On 05/02/2011 20:35, Henning Brauer wrote:
> >* Alessandro Baggi [2011-02-05 20:33]:
> >>Hi List, i had registered me to the security list:
> >>security-annou...@openbsd.org since 9 January 2011, but any email
> >>
ails?
since 09/01/2001, yeah, a couple.
in 2011, no.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Harald Dunkel [2011-02-04 14:31]:
> Is there some other way to avoid a lot of "keep state (no-sync)"
> statements?
is there some other way to make people READ the fucking manpages we
put so much effort in?
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services
* Martin Schröder [2011-02-02 18:35]:
> 2011/2/2 Henning Brauer :
> > who sez that your made up isp has to hand out network-wide unique IPs
> > to his customers?
> AFAIK Comcast already has >2^24 customers.
> Any major chinese or indian ISP has or will have >2^24 custom
* Martin Schröder [2011-02-02 16:45]:
> 2011/2/2 Henning Brauer :
> > * Martin Schröder [2011-02-02 15:06]:
> >> Unless you are an ISP with more than 2^24 customers.
> > you are talking bullshit. there is oh so much v4 space allocated that
> Currently an ISP with mor
* Martin Schröder [2011-02-02 15:06]:
> 2011/2/2 Henning Brauer :
> > there is no ipv4 shortage. there is a reclaiming issue.
> Unless you are an ISP with more than 2^24 customers.
you are talking bullshit. there is oh so much v4 space allocated that
isn't used. and gobs
sack=1
> net.inet.tcp.sendspace=262144
> net.inet.udp.recvspace=262144
> net.inet.udp.sendspace=262144
> vm.swapencrypt.enable=1
>
> On Tue, Feb 1, 2011 at 3:15 PM, Henning Brauer wrote:
>
> > * Steve Johnson [2011-02-01 20:35]:
> > > I currently have a syst
no ipv4 shortage. there is a reclaiming issue.
all hail ipv4/64, while at it.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
his behavior before we implemented the PF
> systems.
you might hit some other limit, not necessarily pf. start with
checking sysctl net.inet.ifq - in particular drops, and increase
maxlen if you see it increasing.
depending on how you monitor you might also run into the icmp err rate
limit, play wit
eived before the filter when the FIB is only showing 400+ routes (there
> is only 1 session established at the moment). Is this normal?
yes
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
De
ing
> the FIB?
rather applying your filters
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Josh Smith [2011-02-01 13:31]:
> On Tuesday, February 1, 2011, Henning Brauer wrote:
> > * Joel Wiramu Pauling [2011-02-01 01:40]:
> >> The better option is to acquire IPv6 transit someway
> > getting ipvshit is never a better option.
> Why the negativity surroundin
* Joel Wiramu Pauling [2011-02-01 01:40]:
> The better option is to acquire IPv6 transit someway
getting ipvshit is never a better option.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedica
* Jason McIntyre [2011-02-01 01:14]:
> On Mon, Jan 31, 2011 at 11:27:18PM +0100, Henning Brauer wrote:
> >
> > i don't understand the confusion. we have a state table (let me
> > nitpick: it's a tree). a packet comes in. we do a lookup in the table,
> > look
> > couple of associated structs. a more detailed explanation of the new
> > state table logic is in my "faster packets" slides:
> > http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
> > especially slide 40 to 52
> i'm just curious - it would he
* Jason McIntyre [2011-01-31 18:14]:
> On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
> > then i change my mind and we should add a note that the default pass
> > behaviour (NOT rule, even tho there kinda is a default rule
> > internally...) doesn't lead
* Peter Hessler [2011-01-31 09:37]:
> On 2011 Jan 30 (Sun) at 22:48:17 +0100 (+0100), Henning Brauer wrote:
> :* Peter Hessler [2011-01-30 22:23]:
> :> On 2011 Jan 30 (Sun) at 19:04:50 +0100 (+0100), Henning Brauer wrote:
> :> :* Stuart Henderson [2011-01-30 19:03]:
> :>
* Peter Hessler [2011-01-30 22:23]:
> On 2011 Jan 30 (Sun) at 19:04:50 +0100 (+0100), Henning Brauer wrote:
> :* Stuart Henderson [2011-01-30 19:03]:
> :> I disagree, I think it is worth mentioning explicitly - I have seen
> :> a few people run into problems because they
* Stuart Henderson [2011-01-30 19:03]:
> On 2011-01-30, Henning Brauer wrote:
> > * Jason McIntyre [2011-01-30 16:37]:
> >> ok, so that's not so bad. in a way we're already there: pf.conf(5) notes
> >> in PACKET FILTERING first:
> >>
> >
passed
> effectively with "no state" applied. is that sufficiently important that
> we should say it?
I don't think so.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Jason McIntyre [2011-01-30 09:13]:
> On Sat, Jan 29, 2011 at 06:26:29PM +0100, Henning Brauer wrote:
> > * Ted Unangst [2011-01-29 17:36]:
> > > On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer
> > > wrote:
> > > > no, that's wrong. match ru
* Ted Unangst [2011-01-29 17:36]:
> On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer
> wrote:
> > no, that's wrong. match rules that matched during evaluation get their
> > counters updated. aka, your rule did not match.
>
> ok, that's wrong. :)
>
>
1398 Packets: 0 Bytes: 0 States: 0
> ]
> > [ Inserted: uid 0 pid 931 State Creations: 0 ]
> >
> > I would expect that rule to match the packets to port 80 and make the
> > counters go up, but they stay stuck at 0. Why is that?
>
--
He
+ tproxy.8 Fri Oct 24 13:56:21 2008
+@@ -46,6 +46,9 @@ tproxy \- transparently re-direct HTTP requests to a H
+ .B \-p
+ ]
+ [
++.B \-S
++]
++[
+ .B \-f \fIforced-url
+ ]
+ [
+@@ -96,6 +99,9 @@ Operate in proxy only mode. Normally if the connection
+ will try and connect transparently to the intended desti
* Oliver Peter [2011-01-24 15:13]:
> On Mon, Jan 24, 2011 at 01:33:53PM +0100, Henning Brauer wrote:
> > * Oliver Peter [2011-01-24 11:56]:
> > > The tcp option in resolv.conf might be reasonable for a single workstation
> > > but due to the protocol overhead not appr
* Oliver Peter [2011-01-24 11:56]:
> The tcp option in resolv.conf might be reasonable for a single workstation
> but due to the protocol overhead not appropriate for larger networks / many
> clients.
people keep claiming this bullshit. remains bullshit.
--
Henning Brauer, h...@bsws
based on various levels of
> traffic?
yeah, easily.
not at all.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
I do that all the time. however, 2G is ridiculous and won't even work
on many of our platforms. I typically use 256M.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootse
issue.
give it up. you obviously have no idea what you're talking about. an
ifaddr is tiny.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
> couple of hundred alias addresses?
there is an impact, ifaddrs are kept in a simple linked list. in
-current there is also an RB tree (which makes the impact much much
much smaller) but it isn't used everywhere yet.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http
* Orestes Leal R. [2011-01-21 15:50]:
> What it's the limit of number alias that a single ethernet interface
> can support?
memory.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedica
happens every time a
rule matches i.e. a single packet can get logged more than once.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
eflect packets back through the
> interface they arrive on, they can only be redirected
> to hosts connected to different interfaces or to the
> firewall itself."
>
>
> Which one is right? Any helpful comment would be highly
> appreciated.
with the extra nat-to it works.
301 - 400 of 1586 matches