Re: My PF faults list

2007-09-20 Thread Bob DeBolt
Ilya A. Kovalenko wrote:

 Hmm, maybe I'm truly too stupid to work with PF ...
 I'll re-test it on a clean environment and write to the list.

Hi Ilya

Would you mind posting your entire config file(s) verbatim.

Also post what version you are referring to, and whether it is current,
release or stable.

I would be interested in seeing just where the problem lies.

regards

BobD





Re: NAT-T support of PF

2007-04-23 Thread Bob DeBolt
John Mok wrote:

 I hope someone can tell me if NAT-T support
 is available in PF.

Yes it is, since 3.7 or 3.8 methinks.

Bob






Re: Fair distribution of borrowed bandwidth with a lot of users

2007-04-17 Thread Bob DeBolt
Hi Federico Giannici

Posting your pf.conf will be of considerable benefit
when attempting to seek help for something that has the complexity you
are currently dealing with.

Additionally, post the type of connection you have, i.e. DSL, cable etc., as the
variations each of these has throughout the day will skew the appearance
of your results etc.

Supplying your complete pf.conf correctly commented with what you are
wanting each rule and queue to accomplish is a good place to start.

You will consistently find that without adequate information it will be
difficult for people to help you.

Bob







Re: graphing pf stats

2006-01-02 Thread Bob DeBolt
On Sunday 01 January 2006 18:52, you wrote:

pfstat works well, it may be a nice starting point for you or it may do 
everything you want.

Bob


Re: pf rules question

2005-08-15 Thread Bob DeBolt
One method I use successfully is to insert a quick in a rule, as that will then 
finish with the ruleset and send the packet on its way, letting you see if 
there is something in the ruleset that is causing the blocked packet.

Bob


Re: Dup-to (Solved)

2005-08-14 Thread Bob DeBolt
On Saturday 13 August 2005 02:06, you wrote:


But first a funny (???) story.

I had my 7 year old daughter volunteer to help me on Friday with my work, on 
my primary workstation, my notebook. I didn't even have to ask her, nor did I 
have to ask her to push the enter key; she read the screen and interpreted it 
as "Press the return key to boot the computer", and of course she did.

I had burned a CD the night before and quite out of character, hadn't taken it 
out of the drive. I followed my usual process of many days, turning on the 
notebook and going to grab a java while it starts up. I ended up coming back 
to my office after about 6 or 7 minutes only to see one long red line going 
across the screen and another red line flashing across the screen just above 
the first. 

The CD was the latest honeynet roo and when you press enter it repartitions 
the drive and installs itself. I suppose there is a lesson in there for me.

Now the dup-to resolution.

What happened was I had listed the dup-to interface and destination address 
macros inside parentheses separated by a comma and of course received a syntax 
error. Naturally, being as gifted as I obviously am ( see story above ), I 
substituted a pair of curly braces, leaving the comma in, but did not receive an 
error, so I had assumed that the syntax was correct. After taking a break and 
rebuilding my notebook, I started thinking about the dup-to and remembered 
that I didn't see a comma nor curly braces in the man page or FAQ etc. I guess 
I am very used to separating values with that little comma.

Parentheses and no comma, all is well.

Anyway Thanks for your responses, hope you got a bit of a chuckle out of the 
notebook story.

Bob
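The corrected dup-to form Bob describes, written out as an added pf.conf example (not part of his original mail). The interface names follow his earlier "Dup-to" post; the log box address 192.0.2.10 and the macro name log_addr are assumptions.

```pf
# Added example, not from the original post. Interface names follow the
# earlier "Dup-to" mail; the log box address and the log_addr macro are assumed.
ext_if   = "rl0"
int_if   = "rl1"
log_if   = "fxp0"
log_addr = "192.0.2.10"      # assumed: address of the log box reached via fxp0

# Accepted silently by pfctl, but no copies reach the log interface:
# braces with a comma are parsed as a list of route targets, not as
# an interface plus next-hop address.
# pass in  on $ext_if dup-to { $log_if, $log_addr } all

# Working form: parentheses, interface then next-hop address, no comma.
# The original packet is still bridged normally; a copy is sent via fxp0
# to the log box. Verify with: tcpdump -ni fxp0
pass in  on $ext_if dup-to ($log_if $log_addr) all
pass out on $ext_if dup-to ($log_if $log_addr) all
```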
 


Dup-to

2005-08-13 Thread Bob DeBolt
I just realized I sent this email to the [EMAIL PROTECTED] list by mistake 
this morning, forgive the crosspost please

This is a copy of that mail.

Greets

Dell 866MHz 256MB RAM

OpenBSD 3.8 beta snapshot, or 3.7 GENERIC or 3.5 GENERIC
All three have shown me the same problem.

Three interfaces: rl0 and rl1 are the internal and external bridge 
interfaces, and the bridge works just fine on all three OS versions.

fxp0 is the logging interface to a log box.

I have read what there is regarding dup-to and know it is straightforward; 
obviously I'm missing something. I also learned that log-all 
is now log (all). Not yet in the FAQ.

After not being able to dup-to on the snapshot I thought maybe there 
is an issue with it so the other two releases were tried with the 
same result.

As stated, the IP-less bridge works fine ( otherwise you wouldn't be 
reading this email).

Here is the simplest form of what I now have.

int_if = rl1
ext_if = rl0
log_if = fxp0

pass in  on $ext_if dup-to $log_if all
pass out on $ext_if dup-to $log_if all

I have tried pass quick on each interface and on and on and on.
rdr works great; it seems I have missed something in dup-to.

tcpdump shows that nothing is hitting the log interface. Connectivity 
to the log box and back is fine, so it would seem that it must be in 
regard to something I am missing (other than sleep, I must say).

Each setting produces the same result on any release.

Is this not a simple operation regarding rules?

I have a lot of firewalls running all over the countryside so I have 
done numerous detailed setups but have never setup a logging system 
like this that I can remember.

Suggestions?

Thanks 

Bob


Re: ALTQ and VoIP

2005-07-03 Thread Bob DeBolt
Greets

I have learned some very valuable and time saving procedures to assist in the 
deployment of VoIP when using altq over the course of the last year that can 
possibly help you.

The greatest lesson to date is that you need to work with your ISP and have 
them give you readings for your line condition, twice a week for a month. 
Call other ISP sales departments as a prospective client and ask them to 
measure your line; you will likely discover some interesting things about why 
you are or are not getting the bandwidth you expect and why there are 
seeming inconsistencies in your altq. Often altq is not the problem.

What all this means is you probably aren't getting the bandwidth you are 
paying for.

Remember you are dealing with commodity Internet and as such all of its 
inherent problems.

Bob


RE: Traffic Monitoring, IP

2004-12-23 Thread Bob DeBolt
http://www.ntop.org might be what you're looking for

Bob


RE: Should I use CBQ or Priority Queueing ?

2004-11-04 Thread Bob DeBolt

Hi Nicholas

I wonder what's the best traffic shaping method available? Is it Class 
Based Queuing or Priority Queuing?

My goal is to allow browsing the internet from local computers, while 
my DMZ-ed servers consume a lot of my upload bandwidth. Right now, 
without traffic shaping, it's almost impossible to browse the internet 
while my servers receive a lot of queries (mail, www, ftp...).

The scenario you have before you is quite complex even if you 
have done this type of setup before, especially with so many interfaces. 
The policy to follow to get started is the KISS formula.

K eep
I t
S imple
S tupid

It has helped me conquer a lot of very complex tasks. You may 
find that priority queuing is quite adequate for the type of 
traffic you are using. This will allow you to learn about and 
get a better feel for traffic shaping before you move on to 
something more complex like cbq or hfsc.


Bob D