On 5/3/06, Hisham Mardam Bey [EMAIL PROTECTED] wrote:
Persistent connections seem to disconnect after a while
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 2
You probably want to re-read how adaptive timeouts work. If the number
of active states reaches
This is totally repeatable, and keeps biting me. Is this a bug or feature?
# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.465 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.068 ms
--- 127.0.0.1 ping statistics ---
2 packets
On 4/21/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
I think it's expected that -N only reads and honours NAT rules, and
ignores anything else, including any options like 'set skip'. The man
page is clear on that, IMO.
What isn't so clear is whether it should first clear (reset) all options
files.
Hope this list doesn't strip attachments.
Umm, 350K of attachments to a mailing list... I'm certainly glad I'm
not hosting this mailing list. Anything over about 20K I'd suggest
posting on an ftp/htp server somewhere.
--
Jon Simola
Systems Administrator
ABC Communications
queue names are
limited to 15 chars?
/etc/pf.conf:42: queue name 'throttle_rwout_base' too long (max 15 chars)
The obvious reason would have to be pick N, and I'll show you a user
that complains they need N+1
(OpenBSD 3.9 Snapshot)
--
Jon Simola
Systems Administrator
ABC Communications
0 - fxp0
192.168.22/24 link#1 UC 00 - fxp0
224/4 127.0.0.1 URS 00 33224 lo0
Has this been snipped? On my boxes local addresses and aliases show up
in netstat output.
--
Jon Simola
Systems Administrator
ABC
UDP but don't make the
state entry.
nc(1) can be used to construct arbitrary tcp/udp proxies which sounds
like what you're looking for.
--
Jon Simola
Systems Administrator
ABC Communications
OpenBSD 3.7
--
Jon Simola
Systems Administrator
ABC Communications
commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
inet 10.0.0.8 255.255.252.0
up
OpenBSD 3.8
--
Jon Simola
Systems Administrator
ABC Communications
quick on $int_if from any to $idiot
block in quick on $int_if from $idiot to any
--
Jon Simola
Systems Administrator
ABC Communications
or set limit for example counted, are this rule numbers after the
rules are optimized ? Is there a way to see the rule number and actual
rule with pfctl command :-)))?
You're so close... pfctl -vvs rule shows the rule numbers, which
becomes really handy with the new optimizer.
--
Jon Simola
#pfctl -vT delete -t blocked_ips 10.0.0.0/8
--
Jon Simola
Systems Administrator
ABC Communications
it should (although I understand why and how it
does). My apologies for the red herring.
--
Jon Simola
Systems Administrator
ABC Communications
for lo0.
--
Jon Simola
Systems Administrator
ABC Communications
problems.
binat on rl1 from $wife to any - (rl1)
pass in on em0 route-to (rl1 gw1) from $wife to any keep state
Hopefully that helps or gives you an idea.
--
Jon Simola
Systems Administrator
ABC Communications
, I don't see any differences.
--
Jon Simola
Systems Administrator
ABC Communications
traffic and virus traffic bursts
down to a reasonable level.
--
Jon Simola
Systems Administrator
ABC Communications
50 new TCP connections within 30 seconds, pf will
add its address to the table. Further connection attempts from the box
will then get blocked by the first rule.
Great, another wonderful feature that the $12K BrandName(TM) traffic
shaper box cannot do. I hate that thing.
--
Jon Simola
Systems
On Fri, 28 Jan 2005 10:37:44 -0800, Gustavo A. Baratto
[EMAIL PROTECTED] wrote:
Is it (or will be) possible to set different state timeouts for different
rules?
Like this?
pass in on vlan101 from vlan101:network to any keep state (max 5000,
source-track rule, max-src-states 50,
bandwidth
usage by my users, I've started looking at this as a possibility.
Has there been any other work done in this direction with PF, or am I
forging my own trail, so to speak?
Jon Simola [EMAIL PROTECTED]
20 matches
Mail list logo
