queues looks strange to me.
I can guess a possible _cause_ of such behavior: the host is running on
virtual hardware under the VMware hypervisor, but I can't understand the
_process_ itself.
Kind regards,
Ilya A. Kovalenko
;
else
Kind regards,
Ilya A. Kovalenko
SA, SpecialEQ SW sections
JSC Oganer-Service
(sorry for the winmua-broken diff)
Index: altq.h
===
RCS file: /cvs/src/sys/altq/altq.h,v
retrieving revision 1.6
diff -r1.6 altq.h
48c48
/* simple token backet meter profile */
---
/* simple token bucket meter profile */
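Review bot: the 48c48 hunk has lost its `<` and `>` line markers (the old and new comment lines appear bare on either side of the `---` separator), so patch(1) cannot apply it as posted; resend it as a unified diff (`diff -u`) from a mailer that does not strip or rewrap, which also carries context lines. The change itself is only the comment typo `backet` to `bucket`, so once it is readable there is nothing else to fix.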
So, a single state entry affects traffic on a single interface only?
It is a little bit different from that.
A state also has a 'direction' associated with it.
So, a state matches either incoming or outgoing traffic.
As long as the direction matches, the interface does not
really matter.
or if-bound does not
change the situation.
Questions:
Is this some kind of feature? Is there any solution to make PF
behave another way (for example, to work with the first ruleset variant)?
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
you must be confused here. dunno. people rarely have problems in that
area.
Hmm, maybe I'm truly too stupid to work with PF ...
I'll re-test it in a clean environment and write to the list.
i thought we did that with -vv or so
hmm ... alas, no such warnings with -vv:
evil# pfctl -vv -f
next fault). Maybe due to driver imperfection.
So I recommend you avoid VIA NICs.
Ilya A. Kovalenko
S.A.
pfctl(8) silently ignores nonexistent table and queue names.
I suppose it is some kind of feature (like dynamic creation
or so),
CB Yes, that's a feature: the table can be created later by some daemon
CB like spamd.
..
CB ... so you can easily spot an empty table: pfctl -vvsr | grep ':0'
hmm,
Greetings,
pfctl(8) silently ignores nonexistent table and queue names.
I suppose it is some kind of feature (like dynamic creation
or so), but such silent handling complicates debugging typos
in the ruleset.
Can pfctl(8), at least, display warnings?
Thank you,
Ilya A. Kovalenko
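An added example (my own, not code from this thread or from pfctl(8)) for the typo problem raised above: a small shell lint that lists every `<name>` used in a pf.conf that has no `table <name>` definition, and that takes the names of daemon-created tables as an allowlist so a table which spamd or another daemon fills at run time is not reported as a typo. The sample ruleset, its interface name and its table names are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from pfctl(8) or OpenBSD: report
# <table> references in a pf.conf with no matching "table <name>" definition,
# since pfctl(8) loads such rulesets silently. Tables created at run time by
# a daemon are passed as an allowlist so they are not flagged as typos.

# Names defined with "table <name> ...", comments stripped, one per line.
pf_defined_tables() {
    awk '{ sub(/#.*/, "")
           if ($1 == "table" && $2 ~ /^<[A-Za-z0-9_-]+>$/) {
               sub(/^</, "", $2); sub(/>$/, "", $2); print $2
           } }' "$1" | sort -u
}

# Every <name> or !<name> token used anywhere in the file, one per line.
pf_referenced_tables() {
    awk '{ sub(/#.*/, ""); gsub(/[{},]/, " ")
           for (i = 1; i <= NF; i++)
               if ($i ~ /^!*<[A-Za-z0-9_-]+>$/) {
                   sub(/^!*</, "", $i); sub(/>$/, "", $i); print $i
               } }' "$1" | sort -u
}

# Usage: pf_undefined_tables pf.conf [dynamic-table ...]
# Prints referenced names that are neither defined in the file nor allowlisted.
pf_undefined_tables() {
    _conf=$1; shift
    _known=$( { pf_defined_tables "$_conf"; printf '%s\n' "$@"; } | sort -u )
    for name in $(pf_referenced_tables "$_conf"); do
        printf '%s\n' "$_known" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample ruleset (not from the thread): one typo, <privte>, and
# one table, <bruteforce>, that only a daemon creates after the load.
pf_sample_conf() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
ext_if = "fxp0"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <spamd> persist
block in quick on $ext_if from <privte> to any        # typo, never defined
pass in on $ext_if proto tcp from !<private> to any port 22 keep state
pass in on $ext_if proto tcp from <spamd> to any port 25 keep state
block in quick on $ext_if from <bruteforce> to any    # filled by a daemon
EOF
    printf '%s\n' "$_f"
}

# Stand-alone run: report typos, treating <bruteforce> as a known dynamic table.
conf=$(pf_sample_conf)
pf_undefined_tables "$conf" bruteforce     # prints: privte
rm -f "$conf"
```

Run it against the real ruleset before `pfctl -f`, with the daemon-managed table names as extra arguments; an empty output means every `<name>` in the file is either defined there or expected to appear later.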
, without
external list preprocessing or dynamic table loading.
IMHO, my suggestion was pretty simple and, at the same time, very
efficient for PF's core flexibility. Developers don't think so. Sad.
Ilya A. Kovalenko
Better is the worst enemy of Good
A more correct, shorter diff, against -current (21.12)
-
diff 2 orig/pfctl_parser.h ../pfctl-current/pfctl_parser.h
--- orig/pfctl_parser.h Thu Nov 18 21:57:45 2004
+++ ../pfctl-current/pfctl_parser.h Thu Nov 18 21:09:24 2004
@@ -149,4 +149,5 @@
Here is a diff (against 3.6-stable) that implements loading a list into a table
in inverted form, by a rule like this:
table private file priv_nets.tab file-inv pub_hosts.tab
Unfortunately, it demands more changes than I expected :(, so I don't
think it has a chance of being accepted.
A feature to load/add an address list from a file into a table in INVERTED
form (i.e. replacing A.B.C.D with ! A.B.C.D and vice versa), from a
table rule (sth. like file-inverted name) and from the command line
(sth. like -T add-inverted/load-inverted).
DH You could use sed(1) to do that, like
DH # sed -e 's/^/!/'
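An added example (my own, not code from this thread and not the file-inv patch) that does the inversion in userland, as suggested, while handling what a bare sed -e 's/^/!/' does not: comment and blank lines are dropped instead of being prefixed, and an entry that already starts with ! is un-negated, so applying the function twice returns the input. The sample address file is constructed for the example, and the table name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example for this thread, not code from pfctl(8) or OpenBSD: invert a
# table address file (A.B.C.D becomes !A.B.C.D and vice versa) the way the
# proposed file-inv keyword would, but before loading. Unlike sed 's/^/!/',
# it leaves comments and blank lines out and un-negates entries that already
# carry a "!", so the transformation is its own inverse.

# Usage: pf_invert_list addresses.tab   (inverted list on stdout)
pf_invert_list() {
    awk '
        { sub(/#.*/, "") }                        # drop trailing comments
        /^[ \t]*$/ { next }                       # skip empty lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim whitespace
        /^!/ { sub(/^![ \t]*/, ""); print; next } # negated entry: drop the !
        { print "!" $0 }                          # plain entry: negate it
    ' "$1"
}

# Constructed sample file (not from the thread) with a comment, a blank line
# and one entry that is already negated.
pf_sample_list() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
# office networks
10.0.0.0/8
172.16.0.0/12        # lab
!172.16.5.0/24       # guest VLAN, excluded

192.168.0.0/16
EOF
    printf '%s\n' "$_f"
}

# Stand-alone run: print the inverted list. To use it for real (table name
# "private" assumed):
#   pf_invert_list pub_hosts.tab > pub_hosts.inv
#   pfctl -t private -T add -f pub_hosts.inv
list=$(pf_sample_list)
pf_invert_list "$list"
rm -f "$list"
```

The two-pass property matters when the same list is regenerated by a cron job: feeding an already inverted file through the function again does not stack a second `!` in front of each address.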
to select a lighter inspection mode for such
cases (with a postfix like keep light-state :).
Anyway, I can't and don't try to decide anything for the developers.
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A. SpecialEQ SW section
JSC Oganer-Service
?):
These hosts are probably infected with the Lovesan (aka MS-blast) virus. It
scans networks for vulnerable Windows boxes to infect.
But you should see it as incoming requests, and then your host replies.
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
JO i will assume that you do not have delusions that this should work with
JO NAT-ed connections, because it most certainly will not.
of course, it will not, because pf must alter both directions.
passing packets).
I guess it is not a bug, just some feature (like some
TCP-window-related state protection). So think about whether there are
reasons to correct this PF behavior.
Thank you
Ilya A. Kovalenko
three or
JW four times before we could identify and disconnect the offending
JW student(s).
hmm ... what about just
block in quick proto tcp from any to any port {135, 137, 445}
works fine for me
Ilya A. Kovalenko
.
Documentation, not the mailing list archive (I guess nobody needs the
difference explained).
Thank you.
Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service
For archives:
IAK I am trying to pass any outgoing TCP connections from my
IAK office (nPrivate) to campus network (nPublic) sites,
IAK
+
-Should it work ?
+Should such ruleset work ?
Previously, I've used a construction like this
[ ... skipped ... ]
-
Ilya A. Kovalenko
free for any RTFM links)
Thank you.
Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service
Greetings,
Reckon it a mad idea.
Are there any possibilities/ideas for PF ruleset tracing: automatically
finding out the last matching rule for specific packet(s), on the active
(kernel) ruleset or on a ruleset loaded into some kind of filter emulation?
Best regards,
Ilya A. Kovalenko
CB But the real question I've is why do you need that.
CB You can just do the opposite table:
CB table x { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}
CB And then use the table in negative rules, like:
CB pass in from !x
hmm, yes, it's a better idea.
not work (as said in the FAQ)
the construction 0/1 128/1 seems to work
How should I do it?
Thank you.
Ilya A. Kovalenko
Greetings,
Shall we ever see the HFSC scheduler in the PF FAQ Queueing section?
Thank you.
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A.
JSC Oganer-Service
MOB Does anyone know how to account per-direction traffic with PF?
MOB Imagine I have a rule:
MOB pass in on $int_if from $some_machine to any keep state label some-machine
MOB When I invoke /sbin/pfctl -sl I get something like:
MOB some-machine 5904 2510 130379
MOB where 130371 (the last
bandwidth
# (re-assigning Repository traffic to the developers queue)
pass in on if0 from 10.0.2.34 to $hRepository queue developers
Something like that ...
This leaves PF more flexible and powerful.
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
S.A.
JSC Oganer-Service