From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 01:33:22 2005
From: Brian John <brianjohn@fusemail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 25 Apr 2005 20:33:01 -0500
Message-ID: <426D9A4D.8090700@fusemail.com>
Subject: Simple configuration
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

I just want to set up a simple configuration. I am using my FreeBSD desktop for 3 things:

- p2p downloading
- Browsing and Mail
- ssh

Right now ssh always times out on me when I try to connect to this box remotely; I think it is probably because I am downloading too much. I want to make my p2p programs able to use my full bandwidth, but when a client is trying to ssh in or I want to browse or check mail, I want those to take priority over downloading (or at least not time out). I have a DSL modem which averages about 2 Mb.
I've been working on my pf.conf for several hours now and so far it just doesn't seem to be working. I spent a lot of time reading the manual and looking up stuff on Google, but it seems everyone else's uses are much more complex than mine. Attached is my pf.conf. Can anyone help me out?

Thanks!
/Brian

pf.conf (attachment):

# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if="ext0"		# replace with actual external interface name i.e., dc0
#int_if="int0"		# replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"
ext_if="vr0"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%
altq on $ext_if cbq bandwidth 2Mb queue { web, p2p, ssh }
queue web bandwidth 40% priority 6 cbq(borrow)
queue ssh bandwidth 40% priority 6 cbq(borrow)
queue p2p bandwidth 20% cbq(borrow default)

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

#pass in on $ext_if proto tcp all
pass in on $ext_if proto tcp from any to any port 22 keep state queue ssh
pass in on $ext_if proto tcp from any to any port 80 keep state queue web
#pass out on $ext_if all
pass out on $ext_if proto tcp from any to any port 22 keep state queue ssh
pass out on $ext_if proto tcp from any to any port 80 keep state queue web

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 17:17:33 2005
From: Christopher McGee <chris@xecu.net>
To: freebsd-pf@freebsd.org
Date: Tue, 26 Apr 2005 13:17:31 -0400
Message-ID: <426E77AB.2050009@xecu.net>
Subject: Pf and altq performance problems

I apologize if this is the wrong list for this, but if it is, please let me know.

The firewall in question has 6 Intel Pro 100+ cards installed. Only 2 are in use; the others are for future projects once this thing is working the way it should be. The public interface has 1 publicly routable IP from a /29 and the private interface handles 2 class C's that are publicly routable.

Basically, when queue1 on my firewall starts pushing the full amount of bandwidth, things that use the dflt queue become unreachable or VERY slow. The dflt queue NEVER uses its full amount of bandwidth, generally around 3 Mbit/s on average. I have tried limiting queue1 to 12 Mb/s and it seemed to alleviate some of the problem, but we still get the occasional unreachable server message.

I'm starting to think this is just an inherent problem in FreeBSD 5.3. Maybe I just need to upgrade to 5.4 when it is released, but I don't think there were many pf updates in that release. This machine used to run ipfw and did it pretty much flawlessly with the full 25 Mb of bandwidth.
Here's what I think is the relevant information; let me know if more information is needed:

firewall# pfctl -s queue
queue root_fxp0 bandwidth 25Mb priority 0 cbq( wrr root ) {dflt, queue1}
queue  dflt bandwidth 8Mb priority 4 qlimit 150 cbq( borrow default )
queue  queue1 bandwidth 17Mb qlimit 3500

firewall# pfctl -vvsq
queue root_fxp0 bandwidth 25Mb priority 0 cbq( wrr root ) {dflt, queue1}
  [ pkts: 93469435 bytes: 57111963278 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue  dflt bandwidth 8Mb priority 4 qlimit 150 cbq( borrow default )
  [ pkts: 47160837 bytes: 20420146684 dropped pkts: 294 bytes: 105068 ]
  [ qlength: 0/150 borrows: 2667554 suspends: 237 ]
queue  queue1 bandwidth 12Mb qlimit 3500
  [ pkts: 46308598 bytes: 36691816594 dropped pkts: 5236343 bytes: 4887084090 ]
  [ qlength: 0/3500 borrows: 0 suspends: 13971654 ]
queue root_fxp0 bandwidth 25Mb priority 0 cbq( wrr root ) {dflt, queue1}
  [ pkts: 93472817 bytes: 57113671748 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 676.4 packets/s, 2.73Mb/s ]
queue  dflt bandwidth 8Mb priority 4 qlimit 150 cbq( borrow default )
  [ pkts: 47163588 bytes: 20421636153 dropped pkts: 294 bytes: 105068 ]
  [ qlength: 0/150 borrows: 2667640 suspends: 237 ]
  [ measured: 550.2 packets/s, 2.38Mb/s ]
queue  queue1 bandwidth 12Mb qlimit 3500
  [ pkts: 46309229 bytes: 36692035595 dropped pkts: 5236343 bytes: 4887084090 ]
  [ qlength: 0/3500 borrows: 0 suspends: 13971654 ]
  [ measured: 126.2 packets/s, 350.40Kb/s ]
queue root_fxp0 bandwidth 25Mb priority 0 cbq( wrr root ) {dflt, queue1}
  [ pkts: 93475932 bytes: 57115159111 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 649.7 packets/s, 2.56Mb/s ]
queue  dflt bandwidth 8Mb priority 4 qlimit 150 cbq( borrow default )
  [ pkts: 47166144 bytes: 20422995656 dropped pkts: 294 bytes: 105068 ]
  [ qlength: 0/150 borrows: 2667788 suspends: 237 ]
  [ measured: 530.7 packets/s, 2.28Mb/s ]
queue  queue1 bandwidth 12Mb qlimit 3500
  [ pkts: 46309788 bytes: 36692163455 dropped pkts: 5236343 bytes: 4887084090 ]
  [ qlength: 0/3500 borrows: 0 suspends: 13971657 ]
  [ measured: 119.0 packets/s, 277.49Kb/s ]

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 18:24:45 2005
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 20:24:35 +0200
Message-Id: <200504272024.41241.max@love2party.net>
In-Reply-To: <200504200112.41260.max@love2party.net>
Subject: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]
On Wednesday 20 April 2005 01:12, Max Laier wrote:
> All,
>
> at:
> http://people.freebsd.org/~mlaier/pf37/
>
> you will find the first shot at the long awaited import of a new version of
> pf. This is level with what is likely to be shipped as OpenBSD 3.7 and
> includes *most* of the features.

Until now I have gotten zero feedback concerning this! If you are not willing
to test, you will have to live with the consequences!

I have done some tests myself, however, and my soekris box seems stable and
happy with the code so far. I consider it to be BETA-stage now and urge
everybody - once more - PLEASE TEST THIS AND SEND FEEDBACK, NOW!

> Updates will be posted to the freebsd-pf mailing list. Thanks.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 18:50:34 2005
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Max Laier, freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005
 19:50:16 +0100
Message-Id: <20050427185016.AB09C16@gw2.local.net>
In-Reply-To: <200504272024.41241.max@love2party.net>
Subject: RE: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]

Hi Max, been meaning to log this, just subscribed today.

Consider if you will the following; the policy excerpts have been running fine under OBSD 3.4 and your excellent handiwork prior to the 3.7 import on Free.

Pristine CURRENT as of

~ # uname -a
FreeBSD gw2.local.net 6.0-CURRENT FreeBSD 6.0-CURRENT #38: Tue Apr 26 09:37:04 BST 2005 root@gw2.local.net:/usr/obj/usr/src/sys/GH i386

PF and ALTQ conf'd in statically.
~ # cat /etc/pf-nbt.conf
Ext="hme1"
RPC_NBT="{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"
# Drop NBT on external interface
block quick on $Ext inet proto {tcp,udp} to any port $RPC_NBT
#

~ # grep -i nbt /etc/pf.conf
# Discard unwanted NBT traffic
anchor nbt
load anchor nbt:nbt from "/etc/pf-nbt.conf"

# Appears to parse & load ok

~ # pfctl -v -a nbt:nbt -f /etc/pf-nbt.conf
Ext = "hme1"
Int = "hme0"
RPC_NBT = "{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"
block drop quick on hme1 inet proto tcp from any to any port = loc-srv
block drop quick on hme1 inet proto tcp from any to any port = netbios-ns
block drop quick on hme1 inet proto tcp from any to any port = netbios-dgm
block drop quick on hme1 inet proto tcp from any to any port = netbios-ssn
block drop quick on hme1 inet proto tcp from any to any port = microsoft-ds
block drop quick on hme1 inet proto udp from any to any port = loc-srv
block drop quick on hme1 inet proto udp from any to any port = netbios-ns
block drop quick on hme1 inet proto udp from any to any port = netbios-dgm
block drop quick on hme1 inet proto udp from any to any port = netbios-ssn
block drop quick on hme1 inet proto udp from any to any port = microsoft-ds

However, no joy.

~ # pfctl -v -s Anchors -a nbt:nbt
~ # pfctl -v -s Anchors -a nbt
~ #

Have been running the 3.7 code for a week; if you need other info from me, just ask.

Cheers
Greg

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Max Laier
> Sent: 27 April 2005 19:25
> To: freebsd-pf@freebsd.org
> Subject: Considered BETA now [Re: New PF (OpenBSD 3.7
> ***ALPHA-preview***)]
>
> On Wednesday 20 April 2005 01:12, Max Laier wrote:
> > All,
> >
> > at:
> > http://people.freebsd.org/~mlaier/pf37/
> >
> > you will find the first shot at the long awaited import of a new
> > version of pf.
> > This is level with what is likely to be shipped as
> > OpenBSD 3.7 and includes *most* of the features.
>
> Until now I have gotten zero feedback concerning this! If
> you are not willing to test, you will have to live with the
> consequences!
>
> I have done some tests myself, however, and my soekris box
> seems stable and happy with the code so far. I consider it
> to be BETA-stage now and urge everybody - once more - PLEASE
> TEST THIS AND SEND FEEDBACK, NOW!
>
> > Updates will be posted to the freebsd-pf mailing list. Thanks.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 18:59:05 2005
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 20:59:02 +0200
Message-ID: <20050427185902.GC1264@insomnia.benzedrine.cx>
In-Reply-To: <20050427185016.AB09C16@gw2.local.net>
Subject: Re:
 Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]

On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:

> ~ # pfctl -v -s Anchors -a nbt:nbt

Anchors have changed significantly in 3.7. Before, there were only two levels, like "first:second". Now they can be nested arbitrarily, and the syntax is like that of files within (sub)directories, like

  "first/second"
  "first/second/third"

Note that ':' is replaced by '/' now.

The semantics have also changed. Before, only the second level would actually contain rules. Now every level can contain rules. There are two forms of 'calls' now, which evaluate rules in anchors, like

  anchor "first/second"
  anchor "first/*"

The first form (without the '*') will only evaluate the rules within the second anchor, while the second form will evaluate all rules within any sub-anchors of first (but not rules in first itself).

See the updated pf.conf(5) man page, section ANCHORS, for more details. If you've been using anchors before, you'll likely have to make some changes, at least to the syntax.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 19:21:48 2005
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 20:21:35 +0100
Message-Id: <20050427192135.06A0F16@gw2.local.net>
In-Reply-To: <20050427185902.GC1264@insomnia.benzedrine.cx>
Subject: RE: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]

Good evening Daniel.

> On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:
> > ~ # pfctl -v -s Anchors -a nbt:nbt
>
> Anchors have changed significantly in 3.7. Before, there were
> only two levels, like "first:second". Now they can be nested
> arbitrarily, and the syntax is like that of files within
> (sub)directories, like

I thought as much; I have tried the 3.7 syntax thinking it might be the cause, but it made no difference, hence the mail to Max.

/me does a quick tweak.

Et voila.
# Discard unwanted NBT traffic
anchor "nbt/*"
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"

Pfctl does say it's loading the anchor ok

~ # pfctl -vf /etc/pf.conf | grep -i anchor
anchor "nbt/*" all
Loading anchor nbt/nbt from /etc/pf-nbt.conf

However

~ # pfctl -s Anchors
nbt
~ # pfctl -s Anchors -a nbt
nbt/nbt
~ # pfctl -s Anchors -a "nbt/nbt"
~ #

Nothing. Trying it without any nesting doesn't make a difference.

# Discard unwanted NBT traffic
#
anchor nbt
load anchor nbt from "/etc/pf-nbt.conf"

~ # pfctl -F a -vf /etc/pf.conf | grep -i anchor
rules cleared
nat cleared
1 tables deleted.
altq cleared
19 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
anchor "nbt" all
Loading anchor nbt from /etc/pf-nbt.conf
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt/nbt
~ #

Greg

> > "first/second"
> > "first/second/third"
>
> Note that ':' is replaced by '/' now.
>
> The semantics have also changed. Before, only the second
> level would actually contain rules. Now every level can
> contain rules. There's two forms of 'calls' now, which
> evaluate rules in anchors, like
>
> anchor "first/second"
> anchor "first/*"
>
> The first form (without the '*') will only evaluate the rules
> within the second anchor, while the second form will evaluate
> all rules within any sub-anchors of first (but not rules in
> first itself).
>
> See the updated pf.conf(5) man page, section ANCHORS for more details.
> If you've been using anchors before, you'll likely have to
> make some changes, at least to the syntax.
>
> Daniel
>

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 19:55:28 2005
From: Max Laier <max@love2party.net>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 21:55:17 +0200
Message-Id: <200504272155.24456.max@love2party.net>
In-Reply-To: <20050427192135.06A0F16@gw2.local.net>
Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]

On Wednesday 27 April 2005 21:21, Greg Hennessy wrote:
> Good evening Daniel.
>
> > On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:
> > > ~ # pfctl -v -s Anchors -a nbt:nbt
> >
> > Anchors have changed significantly in 3.7. Before, there were
> > only two levels, like "first:second". Now they can be nested
> > arbitrarily, and the syntax is like that of files within
> > (sub)directories, like
>
> I thought as much, I have tried the 3.7 syntax thinking it might be the
> cause but it made no difference, hence the mail to Max.
>
> /me does a quick tweak.
>
> Et voila.
>
> # Discard unwanted NBT traffic
> anchor "nbt/*"
> load anchor "nbt/nbt" from "/etc/pf-nbt.conf"
>
> Pfctl does say its loading the anchor ok
>
> ~ # pfctl -vf /etc/pf.conf | grep -i anchor
> anchor "nbt/*" all
>
> Loading anchor nbt/nbt from /etc/pf-nbt.conf
>
>
> However
>
> ~ # pfctl -s Anchors
> nbt
> ~ # pfctl -s Anchors -a nbt
> nbt/nbt
> ~ # pfctl -s Anchors -a "nbt/nbt"

I think you want:

# pfctl -a "nbt/nbt" -sr

here.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 20:12:30 2005
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 21:12:04 +0100
Message-Id: <20050427201204.E11222C@gw2.local.net>
In-Reply-To: <200504272155.24456.max@love2party.net>
Subject: RE: Considered BETA now [Re: New PF (OpenBSD 3.7***ALPHA-preview***)]

> I think you want:
>
> # pfctl -a "nbt/nbt" -sr
>
> here.

Well done, Sir, that explains it. I had thought the -v flag combined with -s Anchor should recurse through & display.

Previously, while using the ':' syntax, I had nbt traffic being logged & dropped on the outside interface & had assumed (because I couldn't see the contents of the anchor) that it was an issue with loading the table up.

Please accept my apologies for the false alarm.
Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 21:43:26 2005
From: randall ehren <randall@isber.ucsb.edu>
To: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 14:43:17 -0700 (PDT)
Subject: pf + carp issue

hi - i am experiencing the same problem as previously reported but never answered at:

http://lists.freebsd.org/pipermail/freebsd-pf/2005-March/000877.html

everything works just fine except for one problem: i cannot get my carp0 device properly configured via an ifconfig_carp0 entry in /etc/rc.conf.

>>The other thing I should mention is that I cannot get any of the carp
>>interfaces to change to an up state using ifconfig_carp[n] entries in
>>the rc.conf file no matter what I try. When the box comes up, they
>>always have a flags value of zero and I have to manually set them to up
>>after gaining remote console access.

that's me too.
Here's what it looks like after booting:

carp0: flags=1 mtu 1500
        carp: INIT vhid 1 advbase 1 advskew 100

and then after I run:

ifconfig carp0 up vhid 1 advskew 100 pass XXX XXX.XXX.XXX.XXX/24

it shows up correctly:

carp0: flags=41 mtu 1500
        inet XXX.XXX.XXX.XXX netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100

and here is my /etc/rc.conf snippet:

cloned_interfaces="carp0"
ifconfig_carp0="up vhid 1 advskew 100 pass XXX XXX.XXX.XXX.XXX/24"

The only other thing weird about the machine is that even though it has network access immediately upon the console being available, it takes about five minutes before I see this:

Apr 27 14:32:32 new-lrd2 kernel: em0: Link is up 1000 Mbps Full Duplex

Kinda odd. So, any ideas? Thanks in advance,

-randall

-- :// randall s. ehren :// voice 805.893.5632 :// systems administrator :// isber|survey|avss.ucsb.edu :// institute for social, behavioral, and economic research

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 28 06:16:58 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0463E16A4CE for ; Thu, 28 Apr 2005 06:16:58 +0000 (GMT) Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id D364543D58 for ; Thu, 28 Apr 2005 06:16:57 +0000 (GMT) (envelope-from randall@ucsb.edu) Received: from localhost ([127.0.0.1] helo=[192.168.2.57]) by isber.ucsb.edu with esmtp (Exim 3.36 #2) id 1DR2KP-000Kh2-00; Wed, 27 Apr 2005 23:16:49 -0700 Message-ID: <42707FD3.1010308@ucsb.edu> Date: Wed, 27 Apr 2005 23:16:51 -0700 From: randall ehren Organization: ISBER User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: randall ehren References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanner: exiscan *1DR2KP-000Kh2-00*gUNpk7mBUqA* (ISBER - Institute for Social,
Behavioral, and Economic Research) cc: freebsd-pf@freebsd.org Subject: Re: pf + carp issue X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 06:16:58 -0000

> everything works just fine except for one problem, i cannot get my carp0
> device properly configured via a ifconfig_carp0 entry in /etc/rc.conf.

Well, a couple hours later I managed to fix the problem; how exactly, I still do not know. I did two things at once:

1) I changed my em0 interface from DHCP to use a static address
2) I added the following line to my /etc/rc.conf:

network_interfaces="lo0 em0 em1 carp0 pfsync0"

So it was one thing or another; at this point it works, so that's all I care about.

Also of interest is that if you run an SSH server on your virtual (carp0) interface, then you need to have a pf ruleset for that device. From /etc/pf.conf:

pass in quick inet proto tcp from any to $ext_if port 22 flags S/SA keep state
pass in quick inet proto tcp from any to $carp_if port 22 flags S/SA keep state

I'll do a writeup of all this tomorrow and post a link to the list; currently the only example online is for OpenBSD, so it'd be nice to have a FreeBSD version.

Thanks to all those who got PF and CARP running on FreeBSD; it's opening up a lot of doors for what we can do within our server environment.

-randall

-- :// randall s.
ehren :// voice 805.893.5632 :// systems administrator :// isber|survey|avss.ucsb.edu :// institute for social, behavioral, and economic research From owner-freebsd-pf@FreeBSD.ORG Thu Apr 28 14:26:01 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CDAE16A4CE for ; Thu, 28 Apr 2005 14:26:01 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B16C43D2D for ; Thu, 28 Apr 2005 14:26:00 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.162] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1DR9xn-0008B6-00 for freebsd-pf@freebsd.org; Thu, 28 Apr 2005 16:25:59 +0200 Received: from [84.163.235.74] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1DR9xn-0003IK-00 for freebsd-pf@freebsd.org; Thu, 28 Apr 2005 16:25:59 +0200 From: Max Laier To: freebsd-pf@freebsd.org Date: Thu, 28 Apr 2005 16:25:40 +0200 User-Agent: KMail/1.8 References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> In-Reply-To: <200504272024.41241.max@love2party.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3420026.OtdS6b5Tkq"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200504281625.45653.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 14:26:01 -0000 --nextPart3420026.OtdS6b5Tkq 
Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Wednesday 27 April 2005 20:24, Max Laier wrote:
> On Wednesday 20 April 2005 01:12, Max Laier wrote:
> > All,
> >
> > at:
> > http://people.freebsd.org/~mlaier/pf37/
> >
> > you will find the first shot at the long awaited import of a new version
> > of pf. This is level with what is likely to be shipped as OpenBSD 3.7
> > and includes *most* of the features.
>
> Until now I have gotten zero feedback concerning this! If you are not
> willing to test, you will have to live with the consequences!
>
> I have done some tests myself, however, and my soekris box seems stable and
> happy with the code so far. I consider it to be BETA-stage now and urge
> everybody - once more - PLEASE TEST THIS AND SEND FEEDBACK, NOW!
>
> > Updates will be posted to the freebsd-pf mailing list. Thanks.

Edwin Brown just reminds me that ifconfig(8) has undergone a major rework. Hence the patch in the tarball does not apply to RELENG_5. As a temporary workaround you can disable pfsync support for ifconfig (see Makefile in sbin/ifconfig). I'll come up with a RELENG_5 patch later today.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart3420026.OtdS6b5Tkq
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCcPJpXyyEoT62BG0RAg8sAJ0aL0mWFQcoj/+rEaPYx/mqj2i5OwCggMv/
8LsY8qotCY/paQW2VLtEZZk=
=D2qO
-----END PGP SIGNATURE-----

--nextPart3420026.OtdS6b5Tkq--

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 28 23:05:10 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1AB116A4CE for ; Thu, 28 Apr 2005 23:05:10 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0219843D5C for ; Thu, 28 Apr 2005 23:05:10 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3D307.dip.t-dialin.net[84.163.211.7] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0MKwh2-1DRI4D0NiU-00069u; Fri, 29 Apr 2005 01:05:09 +0200 From: Max Laier To: freebsd-pf@freebsd.org Date: Fri, 29 Apr 2005 01:05:01 +0200 User-Agent: KMail/1.8 References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> In-Reply-To: <200504281625.45653.max@love2party.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart8020342.iqWc5Apt19"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200504290105.06938.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 23:05:11 -0000

--nextPart8020342.iqWc5Apt19
Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

All,

updated tarball (should now be buildable on our 64bit archs as well) has been uploaded to: http://people.freebsd.org/~mlaier/pf37/pf37.20050429.tar.gz

This includes an ifconfig patch for RELENG_5 and HEAD, make sure you use the right one.

And: PLEASE LET ME KNOW IF IT WORKS FOR YOU OR NOT! Thanks!

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart8020342.iqWc5Apt19
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCcWwiXyyEoT62BG0RAhCKAJ9gShp8GK3xYo5xdZ0oQfxbmbk4rACeJsqC
H0tX8GYwruhBlFlcPUf6NLs=
=o+EJ
-----END PGP SIGNATURE-----

--nextPart8020342.iqWc5Apt19--

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 28 23:55:05 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 272C316A4CE for ; Thu, 28 Apr 2005 23:55:05 +0000 (GMT) Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0681E43D2D for ; Thu, 28 Apr 2005 23:55:05 +0000 (GMT) (envelope-from randall@ucsb.edu) Received: from localhost ([127.0.0.1] helo=[128.111.147.11]) by isber.ucsb.edu with esmtp (Exim 3.36 #2) id 1DRIqO-000HMG-00; Thu, 28 Apr 2005 16:54:56 -0700 Message-ID: <427177D2.4060808@ucsb.edu> Date: Thu, 28 Apr 2005 16:54:58 -0700 From: randall ehren User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Max Laier References: <200504200112.41260.max@love2party.net>
<200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> <200504290105.06938.max@love2party.net> In-Reply-To: <200504290105.06938.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanner: exiscan *1DRIqO-000HMG-00*JG6lmJ4t1Ts* (ISBER - Institute for Social, Behavioral, and Economic Research) cc: freebsd-pf@freebsd.org Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 23:55:05 -0000

> updated tarball (should now be buildable on our 64bit archs as well) has been
> uploaded to: http://people.freebsd.org/~mlaier/pf37/pf37.20050429.tar.gz

Is this needed if you are running:
FreeBSD 5.4-STABLE #1: Wed Apr 27 14:48:55 PDT 2005

-randall

-- :// randall s.
ehren :// voice 805.893.5632 :// systems administrator :// isber|survey|avss.ucsb.edu :// institute for social, behavioral, and economic research From owner-freebsd-pf@FreeBSD.ORG Thu Apr 28 23:58:04 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5768D16A4CE for ; Thu, 28 Apr 2005 23:58:04 +0000 (GMT) Received: from makeworld.com (makeworld.com [216.201.118.142]) by mx1.FreeBSD.org (Postfix) with ESMTP id 075D843D58 for ; Thu, 28 Apr 2005 23:58:04 +0000 (GMT) (envelope-from racerx@makeworld.com) Received: from localhost (localhost.com [127.0.0.1]) by makeworld.com (Postfix) with ESMTP id 540F660EA; Thu, 28 Apr 2005 18:58:03 -0500 (CDT) Received: from makeworld.com ([127.0.0.1]) by localhost (makeworld.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 34218-09; Thu, 28 Apr 2005 18:58:00 -0500 (CDT) Received: from [216.201.118.138] (racerx.makeworld.com [216.201.118.138]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by makeworld.com (Postfix) with ESMTP id D8B6060E7; Thu, 28 Apr 2005 18:57:57 -0500 (CDT) Message-ID: <4271788A.5040304@makeworld.com> Date: Thu, 28 Apr 2005 18:58:02 -0500 From: Chris User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050414) X-Accept-Language: en-us, en MIME-Version: 1.0 To: randall ehren References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> <200504290105.06938.max@love2party.net> <427177D2.4060808@ucsb.edu> In-Reply-To: <427177D2.4060808@ucsb.edu> X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: by ClamAV 0.75.1/amavisd-new-2.2.1 (20041222) at makeworld.com - Isn't it ironic cc: freebsd-pf@freebsd.org Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org 
X-Mailman-Version: 2.1.1 Precedence: list Reply-To: racerx@makeworld.com List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2005 23:58:04 -0000

randall ehren wrote:
>> updated tarball (should now be buildable on our 64bit archs as well)
>> has been uploaded to:
>> http://people.freebsd.org/~mlaier/pf37/pf37.20050429.tar.gz
>
> is this needed if you are running:
> FreeBSD 5.4-STABLE #1: Wed Apr 27 14:48:55 PDT 2005
>
> -randall

How are you running 5.4-STABLE when 5.4-RELEASE isn't out yet?

-- Best regards, Chris

Friends come and go, but enemies accumulate.

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 29 00:02:05 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0DAE16A4CE for ; Fri, 29 Apr 2005 00:02:05 +0000 (GMT) Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF92F43D5F for ; Fri, 29 Apr 2005 00:02:04 +0000 (GMT) (envelope-from tyler@tamu.edu) Received: from [128.194.150.12] (vpn-12.cs.tamu.edu [128.194.150.12]) by smtp-relay.tamu.edu (8.12.10/8.12.10) with ESMTP id j3T01u5t084746; Thu, 28 Apr 2005 19:01:58 -0500 (CDT) In-Reply-To: <4271788A.5040304@makeworld.com> References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> <200504290105.06938.max@love2party.net> <427177D2.4060808@ucsb.edu> <4271788A.5040304@makeworld.com> Mime-Version: 1.0 (Apple Message framework v728) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: "R.
Tyler Ballance" Date: Thu, 28 Apr 2005 19:01:59 -0500 To: racerx@makeworld.com X-Mailer: Apple Mail (2.728) cc: freebsd-pf@freebsd.org cc: randall ehren Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 00:02:05 -0000

>>
>> is this needed if you are running:
>> FreeBSD 5.4-STABLE #1: Wed Apr 27 14:48:55 PDT 2005
>>
>> -randall
>>
>
> How are you running 5.4-STABLE when 5.4-RELEASE isnt out yet?
>

Magic :)

Max, I'm sorry I can't test this for another week or two, finals are coming up. Hope you get enough feedback before then; if not, I'll make sure to get you some ;)

-R. Tyler Ballance

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 29 03:34:26 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9064516A4CE for ; Fri, 29 Apr 2005 03:34:26 +0000 (GMT) Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B58343D5F for ; Fri, 29 Apr 2005 03:34:26 +0000 (GMT) (envelope-from randall@ucsb.edu) Received: from localhost ([127.0.0.1] helo=[192.168.2.57]) by isber.ucsb.edu with esmtp (Exim 3.36 #2) id 1DRMGd-000L4y-00; Thu, 28 Apr 2005 20:34:15 -0700 Message-ID: <4271AB3A.8040804@ucsb.edu> Date: Thu, 28 Apr 2005 20:34:18 -0700 From: randall ehren Organization: ISBER User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: racerx@makeworld.com References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> <200504290105.06938.max@love2party.net> <427177D2.4060808@ucsb.edu>
<4271788A.5040304@makeworld.com> In-Reply-To: <4271788A.5040304@makeworld.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanner: exiscan *1DRMGd-000L4y-00*0VYxyJ98wHo* (ISBER - Institute for Social, Behavioral, and Economic Research) cc: freebsd-pf@freebsd.org Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 03:34:26 -0000

>> is this needed if you are running:
>> FreeBSD 5.4-STABLE #1: Wed Apr 27 14:48:55 PDT 2005
>>
>
> How are you running 5.4-STABLE when 5.4-RELEASE isnt out yet?

*default release=cvs tag=RELENG_5

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html

-randall

-- :// randall s. ehren :// voice 805.893.5632 :// systems administrator :// isber|survey|avss.ucsb.edu :// institute for social, behavioral, and economic research

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 29 19:03:08 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EF2916A4CF for ; Fri, 29 Apr 2005 19:03:08 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA5F743D2D for ; Fri, 29 Apr 2005 19:03:07 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id a41so605811rng for ; Fri, 29 Apr 2005 12:03:07 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
b=ngljVr5pdCtw6PqF2YVJdG2hn0+UB+Gw06evGbXSxTMmxA2OdoOvSZ2nXqpdDLr1GebSR4pSPMNG1RkNnNhcMfbJpNUCCxNuCKJae8ebJrKROgD/OEgGd0zBGWjKCz5gFGkr+j9ol4+cVhNncWURvGLYqhXj6+pD1MvGPFBrjXM= Received: by 10.38.12.8 with SMTP id 8mr3906014rnl; Fri, 29 Apr 2005 12:03:07 -0700 (PDT) Received: by 10.38.207.37 with HTTP; Fri, 29 Apr 2005 12:03:07 -0700 (PDT) Message-ID: Date: Fri, 29 Apr 2005 15:03:07 -0400 From: Scott Ullrich To: Max Laier In-Reply-To: <200504290105.06938.max@love2party.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <200504200112.41260.max@love2party.net> <200504272024.41241.max@love2party.net> <200504281625.45653.max@love2party.net> <200504290105.06938.max@love2party.net> cc: freebsd-pf@freebsd.org Subject: Re: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Scott Ullrich List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Apr 2005 19:03:08 -0000

On 4/28/05, Max Laier wrote:
> All,
>
> updated tarball (should now be buildable on our 64bit archs as well) has been
> uploaded to: http://people.freebsd.org/~mlaier/pf37/pf37.20050429.tar.gz
>
> This includes an ifconfig patch for RELENG_5 and HEAD, make sure you use the
> right one.
>
> And: PLEASE LET ME KNOW IF IT WORKS FOR YOU OR NOT! Thanks!

Thanks for the patches!! I've got them all set in pfSense but seem to be running into an odd pfsync issue:

pfsync0: flags=41 mtu 1348
        pfsync: syncif: fxp1 maxupd: -536870672

Has anyone else seen this? I initially back ported ifconfig from current and had the same problem, then started with a fresh STABLE copy and keep coming up with this issue.
FreeBSD pfsense.local 5.4-RC3 FreeBSD 5.4-RC3 #0: Fri Apr 29 16:18:32 UTC 2005 sullrich@builder.livebsd.com:/usr/obj/usr/src/sys/FREESBIE.5 i386 Scott
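Two of the messages in this thread (Randall's note that sshd on the carp0 address needs its own pass rule, and Scott's pfsync0 bound to a sync interface) describe pieces of the same ruleset. The fragment below is an added example written for this page, not the ruleset of any poster and not part of the pf37 tarball. It takes em0, carp0, pfsync0 and vhid 1 from Randall's rc.conf; the use of em1 as the dedicated pfsync link and the macro name $carp_if are assumptions. It passes the CARP advertisements and pfsync updates a two-node pair depends on, admits SSH to both the physical and the CARP address, and drops everything else.

```pf
# Added example for this thread, not any poster's ruleset and not from the
# pf37 tarball: minimal pf.conf for one member of a CARP/pfsync pair that
# also accepts SSH on the shared CARP address.
#
# em0, carp0 and vhid 1 follow Randall's rc.conf; em1 as the pfsync link
# and the macro name $carp_if are assumptions.
ext_if  = "em0"     # physical interface that carries the CARP address
sync_if = "em1"     # assumption: dedicated back-to-back pfsync link
carp_if = "carp0"   # virtual interface; "to $carp_if" expands to its address

# Default deny, logged, so anything not listed below shows up in pflog.
block in log all
block out log all

pass quick on lo0 all

# CARP advertisements are IP protocol 112 ("carp" in /etc/protocols). They
# must be allowed on every interface that carries a vhid; if they are
# dropped, the peers stop hearing each other and both become MASTER.
pass quick on $ext_if proto carp keep state

# pfsync state updates are IP protocol 240 ("pfsync" in /etc/protocols).
# They carry no authentication, so accept them only on the dedicated link.
pass quick on $sync_if proto pfsync keep state

# SSH to the physical address and, as a separate rule, to the CARP address.
# "to $ext_if" expands only to em0's own addresses, so by itself it never
# matches a connection to the address bound to carp0 (the gap Randall hit).
pass in quick inet proto tcp from any to $ext_if  port 22 flags S/SA keep state
pass in quick inet proto tcp from any to $carp_if port 22 flags S/SA keep state

# The firewall's own outbound traffic, with state so replies come back.
pass out quick on $ext_if inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; with the default-deny in place, a missing carp or pfsync rule shows up immediately as logged blocks in pflog0, which is the quickest way to tell a ruleset gap from the rc.conf interface-ordering problem discussed earlier in the thread.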