On May 12, 2008, at 2:32 PM, Christer Solskogen wrote:
If I do not use the binat-rule, connecting to games (in CoH) will
not work. But CoH also seems to be the only game with that kind of
problem.
IF the ports are right shouldn't this be enough?
CoH_ports = { 6112 , 9100 , 30260 }
rdr
On Apr 8, 2008, at 11:59 PM, Adam Richards wrote:
You're looking at creating 1:1 mappings from internal IPs to
150-500k public IPs.
No. Sorry, I should've been clearer: 1:1 mappings between, say, a /
18 worth of public IP space to something like a /13 worth of
possible private IP space.
Adam Richards wrote:
I need to be able to create *stateless* nat rules for at least
150,000 entries, potentially to grow to 1/2million entries. The
reason has to do with being able to work in an asymmetric routing
environment -- stateless nat must be used because traffic might not
egress
On Dec 19, 2007, at 4:58 AM, Jordi Espasa Clofent wrote:
I'm testing my FW with OpenBSD 4.2+pf in bridging mode. At present
moment I've done test with iperf and netperf tools, using a 32/64/128K
packets.
*blinks* Is this ethernet? On non-jumbo-frames gear, the max ethernet
frame size is
On Dec 19, 2007, at 7:11 AM, Jordi Espasa Clofent wrote:
The idea is put the FW, obviously, between the Cta6 wire and the main
gigabit switch. Because of that I built the FW as a bridge.
Okay.
So, I need to benchmark the FW with little size packets. The question
is
Is there any tool which
On Monday, May 29, 2006, at 10:48 US/Pacific, Karl O. Pinc wrote:
On 05/29/2006 07:02:40 AM, Steven Surdock wrote:
I found that cbq didn't borrow as aggressively as I expected.
Switching to the hfsc scheduler approached closer to what I wanted.
That does seem to be better, but I clearly am
On Tuesday, May 30, 2006, at 08:22 US/Pacific, Karl O. Pinc wrote:
On 05/29/2006 10:06:32 PM, Trevor Talbot wrote:
hfsc(linkshare) is what the bandwidth setting controls.
If hfc(linkshare) and bandwidth are the same thing, then what
happens if you specify both?
The hfsc(linkshare) value
On Tuesday, May 2, 2006, at 19:52 US/Pacific, Lars Hansson wrote:
On Wednesday 03 May 2006 00:15, Karl O. Pinc wrote:
On 05/02/2006 02:22:33 AM, Lars Hansson wrote:
The majority of users/developers has a separate firewall and then
download queueing is just a matter of doing it on the inside
On Saturday, Apr 29, 2006, at 08:58 US/Pacific, Daniel Hartmeier wrote:
On Sat, Apr 29, 2006 at 05:10:40PM +0200, Stanislaw Halik wrote:
I can speak for myself - I can't afford both the hardware and the
electricity bill for a separate machine. Maybe downstream limiting
isn't very robust,
On Friday, Mar 24, 2006, at 05:27 US/Pacific, Daniel Dias Gonçalves
wrote:
I use the following rules in the IPFW:
$fwcmd add 100 pipe 13 ip from 192.168.0.0/24 to any in
$fwcmd add 101 pipe 14 ip from any to 192.168.0.0/24 out
$fwcmd pipe 13 config mask src-ip 0x00ff bw 150Kbit/s queue
On Sunday, Apr 2, 2006, at 00:26 US/Pacific, [EMAIL PROTECTED] wrote:
Is there a document that describes how to translate common IPFilter
constructs to pf? This would be helpful for people migrating (like
me). Specifically, I'm looking for the pf equivalent of IPFilter's
map $ext_if
On Sunday, Feb 5, 2006, at 11:37 US/Pacific, Brad Waite wrote:
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
Both this page and the FAQ examples indicate that the above rule will
assign ACKs to the higher priority queue, but I can't
On Friday, Aug 5, 2005, at 15:18 US/Pacific, Karl O. Pinc wrote:
I was also hoping to get some comment from somebody who'd tried
queueing inbound traffic from a WAN link using a 2 port box to see how
successful they were in improving perceived bandwidth.
I have. It was a couple years ago
On Friday, Feb 18, 2005, at 07:07 US/Pacific, Jim Fron wrote:
As I mentioned before, using tcpdump on le0 and le2 shows traffic
arriving and departing on the correct interfaces all of the time,
regardless of bridge state. However, traffic appearing in pflog as
matching rules from the wrong
On Thursday, Jan 6, 2005, at 16:21 US/Pacific, Jason Murray wrote:
If I understand things properly when the packet comes in on $ext_if it
creates the state. Because the state is floating it should be picked
up when the packet tries to go out on $uat_if. Since it is in the
state table it should
On Sunday, Oct 17, 2004, at 14:15 US/Pacific, [EMAIL PROTECTED]
wrote:
On So, 17 Okt 2004, Oliver Humpage wrote:
State only works on the interface on which it was created. You will
need another keep state rule on the external interface allowing
packets out.
pf.conf(5) says that state is
On Monday, Oct 18, 2004, at 02:38 US/Pacific, Oliver Humpage wrote:
States always match address pairs directionally. Even though
floating is not physically tied to an interface, the packets on the
external interface will be going the wrong way with respect to
their addresses, and won't match
On Tuesday, Sep 28, 2004, at 09:47 US/Pacific, [EMAIL PROTECTED]
wrote:
Kevin writes:
Many IRC servers will drop sessions if they cannot talk to an ident
service on the originating end. If you don't want your users to be
on IRC; this could be considered as a benefit of blocking TCP/113 ;)
On Tuesday, Sep 28, 2004, at 16:34 US/Pacific, Daniel Hartmeier wrote:
On Tue, Sep 28, 2004 at 04:23:43PM -0700, Trevor Talbot wrote:
It is. It's a mitigating mechanism for many types of
worms/bots/whatever, since they aren't capable of poking holes in
their computer owner's broadband NAT
On Sunday, May 2, 2004, at 14:33 US/Pacific, ali asad lotia wrote:
http://midcom-p2p.sourceforge.net/
i get the following results when i run it
RESULTS:
Address translation: NAPT (Network Address and Port
Translation)
Consistent translation:NO (BAD for peer-to-peer)
Unsolicited
On Saturday, Apr 24, 2004, at 15:12 US/Pacific, Per-Olov Sjöholm wrote:
Henning Brauer said:
* Per-Olov Sjöholm [EMAIL PROTECTED] [2004-04-23 23:21]:
This is fact:
* Queue on the outgoing interface
* On a bridge it is according to the FAQ at OpenBSD STRONGLY
recommended to filter on just ONE
On Sunday, Apr 25, 2004, at 02:26 US/Pacific, Per-Olov Sjöholm wrote:
Have anybody made a packet flow picture for PF like the one Darren
Reed has for IP filter.
http://mniam.net/pf/pf.png
http://homepage.mac.com/quension/pf/flow.png
Daniel has a collection of links (including these) on the
On Saturday, Jan 24, 2004, at 09:42 US/Pacific, Per-Olov Sjöholm wrote:
A friend yesterday scanned my firewall with nessus. One thing he found
was that nessus said:
The remote host does not discard TCP SYN packet which have the FIN
flag set. Depending on the kind of firewall you are using, an
On Friday, Jan 23, 2004, at 13:45 US/Pacific, Mario Lopez wrote:
what I need to do is let pass anything that is coming from WIFI
Switch without restriction EXCEPT the traffic destined for several
machines in the WAN Switch
My configuration looks something like this:
|NAS DEVICE|--- xl2 --
On Monday, Jan 12, 2004, at 08:05 US/Pacific, Laurent Cheylus wrote:
I have done some tests without 'scrub' rule (scrub in all in my
pf.conf) but the incoming packets from 127.0.0.1 for my external
address are not logged either.
ip_input() drops packets with 127/8 in either address field when
On Wednesday, Jan 7, 2004, at 04:46 US/Pacific, Ed White wrote:
On Wednesday 07 January 2004 00:27, Trevor Talbot wrote:
On Tuesday, Jan 6, 2004, at 09:59 US/Pacific, Ed White wrote:
I was playing with a 3-if firewall with static IP 10.* when I got a
simple doubt: when is supposed to be used
On Wednesday, Jan 7, 2004, at 08:33 US/Pacific, Bernard El-Hagin wrote:
1. Block *everything* coming in on my external interface (tun0)
2. Pass everything out of tun0 and keep state
3. Pass everything in and out on loopback lo0
The way I see it, this should be good enough to surf the net, irc,
On Wednesday, Jan 7, 2004, at 17:14 US/Pacific, Tamas TEVESZ wrote:
On Wed, 7 Jan 2004, Bernard El-Hagin wrote:
1. Block *everything* coming in on my external interface (tun0)
do you think icmp is called a *control* protocol just because they
couldn't come up with a better name?
pf has this
On Tuesday, Jan 6, 2004, at 09:59 US/Pacific, Ed White wrote:
I was playing with a 3-if firewall with static IP 10.* when I got a
simple doubt: when is supposed to be used the bridge feature ?
When you want a switch (smart hub) instead of a router.
On Tuesday, Jan 6, 2004, at 18:00 US/Pacific, j knight wrote:
Henning Brauer wrote:
On Tue, Jan 06, 2004 at 03:48:36PM -0700, j knight wrote:
Henning Brauer wrote:
that is in practice true for 99% of you.
the state key does not include the interface, but the direction.
as long as routes do not
On Thursday, Jan 1, 2004, at 13:59 US/Pacific, James Cammarata wrote:
I finally noticed that packets with destination 127.0.0.1 were being
routed out my main external interface. Why? Don't ask me. So I added
this rule:
pass in quick on xl2 route-to lo0 from any to 127.0.0.1 keep state
Maybe
On Tuesday, Dec 30, 2003, at 14:25 US/Pacific, Ghazan Haider wrote:
I am running OpenBSD 3.4 as firewall on one machine, and have tried
for weeks to get ftp-proxy to run. I've tried every example in the
howtos. I can use the ftp sites from the OpenBSD itself, but not from
an internal computer. I
On Monday, Nov 24, 2003, at 13:51 US/Pacific, Kifah Abbad wrote:
there is already some kind of tagging in IP: tos value.
unfortunately, pf can not handle tos value for own purposes. from the
other side, tos width is 4 bits only so it can not handle much of
useful information (pf tags, for
On Monday, Oct 13, 2003, at 11:43 US/Pacific, Jay Moore wrote:
oh, where did I put that block diagram? :)
The original: http://mniam.net/pf/pf.png
My version: http://homepage.mac.com/quension/pf/flow.png
On Thursday, Sep 25, 2003, at 12:35 US/Pacific, Ste Jones wrote:
The idea is - compare mac addresses and IP address (listed in a hash
table for quick lookups)
If there is no entry drop the frame... otherwise let the frame get
decapsulated further up the stack well that's the idea...
On Saturday, Sep 13, 2003, at 06:48 US/Pacific, Daniel Hartmeier wrote:
On Sat, Sep 13, 2003 at 03:35:30PM +0200, Torsten wrote:
(lan_A)-( if_A: noIP )-|bridge|-( if_B: ip_B )(lan_B)
IP datagram from (lan_A) to ip_B
First appearance of the ip datagram within pf is: IN if_B (!)
IP comes
On Thursday, Sep 11, 2003, at 16:40 US/Pacific, Torsten wrote:
i have problems with pf on a openbsd 3.3-stable ethernet bridge.
my setup:
(lan_A)-( if_A: noIP )-|bridge|-( if_B: ip_B )(lan_B)
IP datagram from (lan_A) to ip_B
First appearance of the ip datagram within pf is: IN if_B (!)
On Monday, Sep 8, 2003, at 13:12 US/Pacific, Sigfred Håversen wrote:
Not sure if this should be reported as a bug or not, so please bear
with me.
A scrub on $ext_if reassemble tcp will deny some SuSE clients access
to some Microsoft IIS webservers. This appears to be an issue with
SuSE's
On Saturday, Sep 6, 2003, at 10:20 US/Pacific, stefan wrote:
Today i have tested first the output
from the command pfctl -s rules
On 3.2
@0 scrub in on xl0 all min-ttl 2 fragment reassemble
@1 scrub
...
On 3.3
scrub in on fxp0 all min-ttl 2 fragment reassemble
scrub out
...
It is possible to
On Friday, Aug 29, 2003, at 06:19 US/Pacific, Roberto Jobet wrote:
14:54:46.727210 rule 0/0(match): block in on xl1: 172.31.0.1.15583
10.0.0.3.3306: P 0:5(5) ack 1 win 17376 nop,nop,timestamp 321901777
1961997906 (DF) [tos 0x8]
even if there's a rule (# 21) that should let flow packets
On Friday, Aug 29, 2003, at 10:58 US/Pacific, Adam Getchell wrote:
I'm looking stress test pf, to provide numbers for a possible UC Davis
campus firewall based upon OpenBSD/pf.
I can get access to a read-only log of UC Davis' entire incoming
bandwidth. I'm looking to get it into tcpdump
On Wednesday, Aug 27, 2003, at 20:13 US/Pacific, Nick Buraglio wrote:
Is it possible to block specific sized icmp echo requests
(specifically 92 byte echo requests) with pf?
pf doesn't have any packet/payload length matching abilities.
On Tuesday, Aug 26, 2003, at 16:15 US/Pacific, Greg Dickinson wrote:
I'm rather new to pf :-) having just upgraded our firewall from obsd
3.9 to 3.2. The firewall was configured by a previous admin with five
interfaces, one each to the Internet, web server, student quarters,
administrative
On Monday, Aug 18, 2003, at 12:47 US/Pacific, Joey Lamonthe wrote:
Hello folks from pf, and Damien from gnomemeeting (I don't want to
write 2 e-mails..)
SPECS OF MY SYSTEM:
OpenBSD 3.3, stable release. This is a gateway with NAT and RDR rules
(You can see rules below)
Sometime it's work...
On Monday, Aug 18, 2003, at 15:50 US/Pacific, [EMAIL PROTECTED] wrote:
I'm having some problems using Pf in 3.3 current ( i386 )with
securemote.
This thread may help: http://www.benzedrine.cx/pf/msg01436.html
On Monday, Aug 11, 2003, at 18:35 US/Pacific, Scott Sipe wrote:
OpenBSD pf firewall for small network, adsl in, doing nat. I want to
rdr certain ports on the firewall to an internal server. My rdr and
pass lines work fine for some services (http [80], rsync [873], etc)
but two services DON'T
On Sunday, Aug 3, 2003, at 14:30 US/Pacific, Mark Bojara wrote:
When I only have a pass log rule and telnet to 196.4.160.2 53 I get
this:
23:18:54.694500 opium.co.za.4774 apollo.is.co.za.domain: S
4194577793:4194577793(0) win 65535 mss 1460,nop,wscale 0,[|tcp] (DF)
[tos 0x10]
Forgot to
On Friday, Aug 1, 2003, at 13:59 US/Pacific, Adam Coyne wrote:
I'd like to pass or block certain packets based on an inspection of
the payload after scrubbing. It might be fun if pf were able to use a
bpf-style expression like 'protocol[offset:size] = x' to create rules
which look at the data
On Monday, Aug 4, 2003, at 13:35 US/Pacific, Alexey E. Suslikov wrote:
BEFORE MERGE:
ok, assume what we have some already keepstated tcp connection.
everybody knows: once keepstated, such connection has ability to pass
any interface and any direction without necessity in the additional
pass
I wrote:
The two major losses from ALTQ are the traffic conditioner, and
fine-grained classification on an interface using translation.
Whoops. The translation loss was still present before the merge.
Scratch that one :)
On Thursday, Jul 31, 2003, at 12:09 US/Pacific, Georg Wendenburg wrote:
On an OBSD 3.2, on the pflog i have seen something like:
some date . rule 6/0(match): block in on rl0: xx.xx.xx.xx.pp
yy.yy.yy.yy.1424: udp 376 [ttl 1]
it's obvious this is a scan of the MS-SQL Worm, but i don't
On Sunday, Jul 27, 2003, at 22:28 US/Pacific, Mark Bojara wrote:
How can I allow passive ftp to certain hosts? I know that you can do
it by allowing ports 49152-65535 to the host but that isn't very
secure, is there a better way?
ftp-proxy is capable of handling it. There's also a 'reverse
On Wednesday, Jul 30, 2003, at 16:24 US/Pacific, Mark Bojara wrote:
Here is my tcpdump of pflog0:
Jul 31 01:23:48.272259 rule 1/0(match): block in on fxp0:
196.4.160.2.53 196.34.165.210.1588: S 1318784553:1318784553(0) ack
1889327994 win 65535 mss 1380,nop,nop,timestamp[|tcp]
Jul 31
On Saturday, Jul 26, 2003, at 19:55 US/Pacific, Melameth, Daniel D.
wrote:
Newbie running 3.3 stable with pf, dhcpd and isakmpd...
...recently upgraded to stable in the hopes of curing some ill that I
have... and now I ask for peer review...
The following snippets DO NOT work fine under 3.3
On Saturday, Jul 26, 2003, at 20:29 US/Pacific, Bryan Irvine wrote:
Is there a way to get pf to never use specific ports? For example a
client on my LAN might send a request for a certain webpage which gets
sent to the gateway from a certain port we'll say, 43101. The Request
hits the
On Thursday, Jul 24, 2003, at 10:59 US/Pacific, Mark Bojara wrote:
I've just been thinking of a possible solution to my problem on
previous thread. How about I create vlan's and bridge them together.
So that it forms something like:
fxp0--altq--virtual interface--altq--dc?--host
The vlan
does apply.
You should keep the one-rule-per-interface setup, i.e. pass in on
$i01, pass out on $i03. You should also set each rule to use the
appropriate queue on that same interface, no matter which direction the
rule is for.
Does that make sense?
On Tue, 22 Jul 2003, Trevor Talbot wrote
the keep state will not apply.
I don't follow. If all of your rules specify queues, then the queues
will apply. Is there a case where you don't want to specify queues
that I missed?
On Wed, 23 Jul 2003, Trevor Talbot wrote:
On Tuesday, Jul 22, 2003, at 23:46 US/Pacific, Mark Bojara wrote:
Thanks
On Wednesday, Jul 23, 2003, at 10:21 US/Pacific, Mark Bojara wrote:
I was wondering if it's possible to either set up one queue on a single
interface to do both incoming and outgoing traffic?
No, not at present.
Or maybe possibly having it on split interfaces but assigned to one
queue. eg:
. It lacks the flexibility that most people would want anyway (rough
approximation of sharing, per-host limits, etc).
On Wed, 23 Jul 2003, Trevor Talbot wrote:
On Wednesday, Jul 23, 2003, at 10:21 US/Pacific, Mark Bojara wrote:
I was wondering if it's possible to either set up one queue on a
single
On Wednesday, Jul 23, 2003, at 16:28 US/Pacific, matthew j weaver wrote:
On Wed, Jul 23, 2003 at 03:18:05PM -0700, Trevor Talbot wrote:
simple rate limiting, where traffic exceeding the limit is dropped.
While the ALTQ framework does have that capability, it isn't exposed
in PF. It lacks
On Friday, Jul 18, 2003, at 17:13 US/Pacific, Ritz, Bruno wrote:
since i have setup pf if cannot reach the local ssh server anymore.
the rules i have are pretty simple:
-
if_ext=xl0
if_srv=xl1
if_users=xl2
ip_ext=w.x.y.z
ip_http=192.168.0.2
ip_user1=192.168.1.2
rdr
On Friday, Jul 18, 2003, at 13:26 US/Pacific, Angel Todorov wrote:
I use the following pf.conf file for an internal network that passes
through the openbsd gateway box then goes its way to the external
firewall - then outside. The problem is that often packets are
dropped, for ex. pinging
On Friday, Jul 18, 2003, at 21:03 US/Pacific, Mark Fordham wrote:
I'm trying to get ALTQ working with the following setup without much
success. To test I'm doing a simultaneous FTP upload and download from
a Windows box on the internal network. The upload is being limited to
100Kb as expected
On Monday, Jul 21, 2003, at 23:48 US/Pacific, Mark Bojara wrote:
I am running OpenBSD 3.3-current with HFSC queueing and stateful
filters. If I enable my stateful filters anything defined via those
filters does not go through my queue filters and gets unlimited
bandwidth.
Below is my pf.conf
On Tuesday, Jul 22, 2003, at 06:43 US/Pacific, Henning Brauer wrote:
On Tue, Jul 22, 2003 at 02:55:47AM -0700, Trevor Talbot wrote:
Also note that most of your rules are a bit loose as far as TCP
goes. The upside is that they'll pick up existing connections when
you reboot/reconfigure
I wrote:
On Tuesday, Jul 22, 2003, at 06:43 US/Pacific, Henning Brauer wrote:
On Tue, Jul 22, 2003 at 02:55:47AM -0700, Trevor Talbot wrote:
Also note that most of your rules are a bit loose as far as TCP
goes. The upside is that they'll pick up existing connections when
you reboot
I wrote (again):
On Tuesday, Jul 22, 2003, at 06:43 US/Pacific, Henning Brauer wrote:
On Tue, Jul 22, 2003 at 02:55:47AM -0700, Trevor Talbot wrote:
Also note that most of your rules are a bit loose as far as TCP
goes. The upside is that they'll pick up existing connections when
you reboot
On Tuesday, Jul 22, 2003, at 15:27 US/Pacific, Alejandro G. Belluscio
wrote:
Basically, I think he refers to the use of 'flags' as being not
effective to block attacks. I don't think he refers to stateful
filtering. Which are very related but don't need to actually be used
together (think).
On Monday, Jul 14, 2003, at 17:47 US/Pacific, Damien Miller wrote:
Aaron Suen wrote:
Currently, there are two major ways to handle fragmented IP datagrams
in pf: fragment reassembly, and those other ones. I say those other
ones because fragment reassembly is [seems to be] the recommended
On Saturday, Jul 12, 2003, at 09:41 US/Pacific, Aaron Suen wrote:
home LANs. My concern is that viruses are smart enough to spread
through the insecure MS network protocols, which can't be disabled
normally under various versions of Windows. I have Kerio firewall (It
looks like a hacked-up
On Thursday, Jul 10, 2003, at 18:38 US/Pacific, Aaron Suen wrote:
Does anybody foresee a port, of some sorts, of pf for Windows?
Yeah, it sounds a little wild, but I could really use something
like this. I have a bunch of Windows clients on my home LAN, and
you can never really trust the LAN
On Thursday, Jul 10, 2003, at 19:44 US/Pacific, Jason Dixon wrote:
Is there any way to ftp-proxy an outgoing passive ftp connection
through a default block policy on the internal interface?
The man page suggests that if you don't use -n, ftp-proxy will proxy
passive connections. You could
On Monday, Jul 7, 2003, at 23:12 US/Pacific, Tom Forbes wrote:
This may sound very basic, but I don't understand why pf is behaving
in the following manner. To wit, I have a pf.conf file that has two
lines:
block in on fxp0 all
block out on fxp0 all
fxp0 is my external interface.
I noticed
On Monday, Jul 7, 2003, at 12:47 US/Pacific, ALEX POPOV wrote:
Here's the problem: Company has several branches, connected over VPN
and a central Exchange server. Because of the slow connections to the
internet and large number of branches/users email is incredibly slow
especially during
On Sunday, Jul 6, 2003, at 07:55 US/Pacific, Elijah Savage wrote:
When I try to use a rdr on the $int_if nothing works is this possible
with squid on the same internal network as the pf internal interface?
If
Not that easily. See http://www.openbsd.org/faq/pf/rdr.html#reflect
On Wednesday, Jul 2, 2003, at 14:35 US/Pacific, Daniel Williams wrote:
Trevor Talbot wrote:
On Tuesday, Jul 1, 2003, at 23:53 US/Pacific, Daniel Hartmeier wrote:
On Tue, Jul 01, 2003 at 09:22:02PM -0700, Daniel Williams wrote:
/bsd: pf: state insert failed: tree_ext_gwy lan:
192.168.1.250
Probably not the best time to bring this up, but...
On Thursday, Jul 3, 2003, at 13:37 US/Pacific, Henning Brauer wrote:
[ on the NATLOOK ioctl ]
changing anything like that becomes less and less acceptable. pf is
widely deployed nowadays, and there are more 3rd party apps using the
interfaces
On Tuesday, Jul 1, 2003, at 23:53 US/Pacific, Daniel Hartmeier wrote:
On Tue, Jul 01, 2003 at 09:22:02PM -0700, Daniel Williams wrote:
/bsd: pf: state insert failed: tree_ext_gwy lan: 192.168.1.250:43445
gwy: #externalIP#:47566 ext: #externalHOST#:8080
There was a bug in the proxy port
On Wednesday, Jul 2, 2003, at 03:08 US/Pacific, Richard P. Matthews
wrote:
queue std_ext bandwidth 128Kb priority 3 cbq(default borrow)
queue game_ext_misc priority 2 cbq(default)
It's probably complaining about this. Only one queue can be the default
(it's used for all packets not assigned to
On Wednesday, Jul 2, 2003, at 10:53 US/Pacific, Morten Norby Larsen
wrote:
we have a three-legged firewall (internal, external, dmz) which seems
to block/somehow kill RTSP connections (or, more correctly, the RTP
part of an RTSP connection) from the internal network to the outer
world.
I
doesn't need to be in a specific place (such as the root
level); it just needs to exist.
-Original Message-
From: Trevor Talbot [mailto:[EMAIL PROTECTED]
On Wednesday, Jul 2, 2003, at 03:08 US/Pacific, Richard P. Matthews
wrote:
queue std_ext bandwidth 128Kb priority 3 cbq(default borrow
On Tuesday, Jul 1, 2003, at 00:32 US/Pacific, Philip Olsson wrote:
We want to bandwidth limit a subnet with cbq. So I need 2 queues and 2
rules per IP to limit the users speed. I Have changed MAX_CBQ_CLASSES
to 1024 but that didn't help. When I try to load the rules I get
pfctl: socket: Too
I haven't tested any of this, but from what I understand...
On Saturday, Jun 28, 2003, at 00:23 US/Pacific, jared r r spiegel wrote:
does this imply that with hfsc, bandwidth must be distributed among
all child queues such that the total bandwidth among them at that level
of the tree
I wrote:
On Wednesday, Jun 25, 2003, at 02:21 US/Pacific, Ganbaa wrote:
I'm trying to do. I installed OpenBSD 3.3 and configured pf on the
our LAN. OpenBSD box has 2 network cards (Internal and External). The
purpose is testing to limit bandwidth for each hosts on the LAN. LAN
has more than
[ Dual response, Ganbaa sent me details in private. ]
On Wednesday, Jun 25, 2003, at 02:21 US/Pacific, Ganbaa wrote:
I'm trying to do. I installed OpenBSD 3.3 and configured pf on the our
LAN.
OpenBSD box has 2 network cards (Internal and External). The purpose is
testing to limit bandwidth for
On Sunday, Jun 22, 2003, at 17:41 US/Pacific, Tony Faoro wrote:
altq on $ext_if cbq bandwidth 240Kb queue { std_out, audio }
queue std_out cbq(default)
queue audio bandwidth 135Kb cbq
CBQ works on the basis of limits, rather than guarantees. At the
least, you should add a priority to the audio
On Sunday, Jun 22, 2003, at 16:04 US/Pacific, Damian McGuckin wrote:
[ VPN stuff concerning 3.3's NAT with ESP/AH ]
However, from one of these sites, you can use RDP, i.e. Terminal
Services, over the VPN cleanly. But from another, we cannot, i.e.
A - 3.1 using RDP over VPN - OK
I'm playing with pf/altq code for a project of mine, and some of it may
be of interest to people here. The diffs are for -current only.
http://homepage.mac.com/quension/pf/qexp0.diff
The first diff gives pf DiffServ and ECN awareness (IP level; TCP level
ECN is already present). The
On Friday, Jun 20, 2003, at 06:59 US/Pacific, David Chubb wrote:
However to connect to a remote RDP (Remote Desktop Client)
connection I have to disable the Packet filter before it will allow
the connection to go through. The remote site looks at the logs and it
shows the incoming connection
On Friday, Jun 20, 2003, at 10:07 US/Pacific, Stefan
Sonnenberg-Carstens wrote:
I think you would not have to blow up the pf code itself too much.
Simply put, take a look at the packet in ip_input.c.
Look, if it should be destinated to some of your real server.
Calculate the next real server to
On Thursday, Jun 19, 2003, at 06:30 US/Pacific, Elijah Savage wrote:
I tried to setup queueing based on the faq and website. But I just can't
get it to work. Downloading is great but as soon as I start to upload
my speed drops way down to about the same speed as the upload. I have
played around
On Monday, Jun 16, 2003, at 13:16 US/Pacific, David Chubb wrote:
I have set net.inet.esp.enable=1 in the sysctl.conf (and rebooted to
make sure the changes took).
This is just to enable support on the box itself. It doesn't affect
packet passing.
However to connect to a remote RDP (Remote
On Thursday, Jun 19, 2003, at 17:14 US/Pacific, David Le Corfec wrote:
On Thursday 19 June 2003 23:21, Trevor Talbot wrote:
pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep
state queue (q_def, q_pri)
You probably don't want this one, since you have the more-selective
rule above
On Thursday, Jun 12, 2003, at 22:48 US/Pacific, Roland Chan wrote:
As I understand the source hash option, it will redirect the packet to
one of a set of IPs based on a hash of the source address.
This is dandy in a 'sticky load balancing' situation, when you have a
power of two number of
On Saturday, Jun 14, 2003, at 13:52 US/Pacific, Michael Purcaro wrote:
I've been using OpenBSD 3.3 release with great success to do
redirection from external and internal IPs to internal IPs. I've been
using TCP proxying as noted in the FAQ.
The only thing I haven't been able to figure out is
On Tuesday, Jun 10, 2003, at 05:07 US/Pacific, Tobias Wigand wrote:
same here, works great with a saturated link. i can upload with full
speed and it doesn't slow down my downloads at all!
Great!
okay, surfing around while uploading is slower than normal, but that's
something we have to live
Here's the story on pf/altq with ppp/pppoe.
Good traffic discipline requires fine-grained control, which means
getting as close to the wire as possible. Otherwise, lots of buffering
tends to get in the way. For ALTQ, the external interface is the best
place to set up on, hence the
On Thursday, Jun 5, 2003, at 03:14 US/Pacific, Uwe Dippel wrote:
Fresh install of 3.3 along FAQ, first reboot, nothing but bringing up
PPPoE:
ifconfig up xl0
route -n flush
ppp -ddial pppoe
You're right, it disconnects, but how !
When I remove the phone cable: nothing happens, route stays, tun0
On Thursday, Jun 5, 2003, at 07:22 US/Pacific, ghost wrote:
Now, My ICQ Client and Ftp client seems work fine.
Glad to hear it.
But,My ftp client can use two ADSL to download files.
If I can do something that I can download files with two ADSL both at
the same time?
Not from the same site.