From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 00:54:34 2005
From: Bruno Afonso
To: Bill Marquette
Cc: freebsd-pf@freebsd.org
Date: Sat, 22 Oct 2005 20:54:17 -0400
Message-ID: <435ADF39.90700@dequim.ist.utl.pt>
In-Reply-To: <55e8a96c0510221659g7ac457b1gc696f392a249fee3@mail.gmail.com>
Subject: Re: FreeBSD + MPD + PF + ALTQ
List-Id: "Technical discussion and general questions about packet filter (pf)"

Bill Marquette wrote:
>> Yes, I have now tried and verified that it works, but not as we would
>> like to in the sense of a meta interface, e.g.:
>>
>> altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue
>> { a b }
>> queue a bandwidth 700Kb cbq(default)
>> queue b bandwidth 300Kb
>>
>> which turns itself into... (from pfctl -sq)
>>
>> queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>> queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>> queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>>
>> What would I want with this? To create a queue that is shared by every
>> interface, so limiting globally every interface to a maximum of 1Mb each
>> and all of them to 1Mb each too, in a cbq borrowing shared way. For
>> example, I'd like a to never exceed 700Kb taking into account every
>> interface. This makes perfect sense if I have a limited amount of bw to
>> share among each client, which, in a real world, happens 99.9% of the
>> time because resources are limited.
>>
>> So, the syntax works, but it does achieve what I mentioned before, the
>> meta interface concept. The example you give is only useful for
>> simplifying rulesets, although it's more difficult for humans to understand.
>
> From what I understand, that binds queue 'a' to every interface. The
> queue definition still limits the queue itself to 700Kb, but allows
> you to assign traffic to that queue on each interface that queue is
> bound to. I can't find the email that I read that suggests it now
> (machine having recently been wiped and google not being terribly
> forthcoming with the answer).
>
> Have you verified this not working with real traffic, or just the
> pfctl -sq output? At this time I don't have a multi-interface box at
> my disposal, so I can't easily test this.
The machine I'm taking care of (thousands of miles away) does not always
have traffic, so it's difficult for me to test this :( Before answering you
I googled for it too and couldn't find it. Since this isn't documented, I am
really skeptical but hoping to be proven wrong :)

best

> --Bill

-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way Smith Building
Boston, MA 02115
phone: (617)-632-5105
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 08:37:55 2005
From: Gleb Smirnoff
To: Josh Finlay
Cc: freebsd-pf@FreeBSD.org
Date: Sun, 23 Oct 2005 12:37:51 +0400
Message-ID: <20051023083751.GV59364@cell.sick.ru>
In-Reply-To: <000b01c5d644$54527f20$0132a8c0@delta>
Subject: Re: FreeBSD + MPD + PF + ALTQ
On Fri, Oct 21, 2005 at 11:35:39PM +1000, Josh Finlay wrote:
J> I tried a few examples I found, no luck, found another thing I will need to
J> fix first:
J>
J> pfctl: ng0: driver does not support altq
J>
J> I searched for a patch for the ng_iface driver, but no luck.

Recently ng_iface(4) has gained ALTQ support in CURRENT. I will merge this
to RELENG_5 and RELENG_6 after the 6.0-RELEASE is out.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 08:40:56 2005
From: Gleb Smirnoff
To: Sorin Gheorghe
Date: Sun, 23 Oct 2005 12:40:32 +0400
Message-ID: <20051023084032.GW59364@cell.sick.ru>
In-Reply-To: <000c01c5d3bc$29031f30$0100a8c0@whitestar>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: pf patch

On Tue, Oct 18, 2005 at 11:15:54AM +0300, Sorin Gheorghe wrote:
S> did someone have the pf patch for tuning pf, i heard that pf has 6
S> classes and if i can patch the pf to remove some classes, it will
S> become performant to shape 10-15 kpps of traffic.

pf doesn't shape traffic, but altq does.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 14:46:23 2005
From: "Josh Finlay"
To: "Bill Marquette"
Date: Mon, 24 Oct 2005 00:46:16 +1000
Message-ID: <010001c5d7e0$8669bd50$6200a8c0@delta>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD + MPD + PF + ALTQ

Ok, I've tried to study the PF FAQ on OpenBSD.org and learn a few things
from some of the rules you've given.

Here is my current pf.conf to date:
(note: de0 goes to my LAN, vr0 goes to my modem, mpd still uses ng0 but
the traffic is still essentially coming in/out on vr0, right?)

ExtIF="vr0"
IntIF="de0"

set loginterface $ExtIF

scrub in all
scrub out all random-id max-mss 1440

altq on $ExtIF priq bandwidth 128Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $IntIF cbq bandwidth 512Kb queue { std_in, ssh_im_in, dns_in }
queue std_in bandwidth 384Kb cbq(default)
queue ssh_im_in bandwidth 64Kb priority 4
queue dns_in bandwidth 64Kb priority 5

local_net = "192.168.0.0/24"
ssh_ports = "{ 22 }"
im_ports = "{ 1863 5190 5222 }"

nat on $IntIF from $local_net to any -> ($ExtIF)

pass in quick on lo0 all
pass out quick on lo0 all

pass out on $ExtIF inet proto tcp from ($ExtIF) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass out on $ExtIF inet proto { udp icmp } from ($ExtIF) to any keep state
pass out on $ExtIF inet proto { tcp udp } from ($ExtIF) to any port domain \
    keep state queue dns_out
pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $ssh_ports \
    flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $im_ports \
    flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

pass in on $IntIF from $local_net
pass out on $IntIF proto { tcp udp } from any port domain to $local_net \
    queue dns_in
pass out on $IntIF proto tcp from any port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
pass out on $IntIF proto tcp from any port $im_ports to $local_net \
    queue ssh_im_in

--end

I have also only just installed the second NIC in the machine; before that,
de0 was doing all the work. I am stuck with a small problem, which I've had
no experience with: once I tell mpd to connect via vr0, I get connectivity
on the router but not on any other machines on the network. They are still
using de0's IP (192.168.0.101) as their gateway, but it's not able to do any
internet traffic. This is the same if I bind a ping to 192.168.0.101 (i.e.
ping -S 192.168.0.101 host.name): I get no response while mpd is using vr0,
but if it's using de0 like before it works fine. Is this something in pf I
need to fix? Or do I need to somehow route traffic from de0 to vr0? I'm in
the dark about this; like I said, I've had no experience with a second NIC.

These rules apply fine, but with the above problem on hand, I haven't been
able to see if they actually work yet. Let me know if I messed it all up or
not ;)

----- Original Message -----
From: "Bill Marquette"
To: "Bruno Afonso"
Cc: freebsd-pf@freebsd.org
Sent: Sunday, October 23, 2005 9:59 AM
Subject: Re: FreeBSD + MPD + PF + ALTQ

> On 10/22/05, Bruno Afonso wrote:
>> Bill Marquette wrote:
>> > On 10/22/05, Bruno Afonso wrote:
>> >> The download part is the problematic one IF they're not all connected
>> >> to the same network interface. Why? Because altq only works PER
>> >> interface and tun0, tun1, tun2, etc. are each and single one, one
>> >> interface on its own.
>> >>
>> >> You basically have to
>> >>
>> >> altq on tun0
>> >>
>> >> altq on tun1, etc..
>> >>
>> >> What we would need in this case would be a meta-interface that altq
>> >> would work on, but that is not available. Bottom line: you can't
>> >> control with PF global bw over an interface-span. This is probably
>> >> necessary for a full commercial deployment. Don't know of any plans
>> >> to implement this...
>> >>
>> >> meta_if {tun0, tun1}
>> >>
>> >> altq on meta_1 ...
>> >>
>> >> would be nice. :-)
>> >
>> > You mean something like:
>> > altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
>> > queue a bandwidth 50Mb hfsc(default)
>> > queue b bandwidth 50Mb hfsc
>> > This works today :)
>>
>> Yes, I have now tried and verified that it works, but not as we would
>> like to in the sense of a meta interface, e.g.:
>>
>> altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
>> queue a bandwidth 700Kb cbq(default)
>> queue b bandwidth 300Kb
>>
>> which turns itself into... (from pfctl -sq)
>>
>> queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>> queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>> queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>   queue a bandwidth 700Kb cbq( default )
>>   queue b bandwidth 300Kb
>>
>> What would I want with this? To create a queue that is shared by every
>> interface, so limiting globally every interface to a maximum of 1Mb each
>> and all of them to 1Mb each too, in a cbq borrowing shared way. For
>> example, I'd like a to never exceed 700Kb taking into account every
>> interface. This makes perfect sense if I have a limited amount of bw to
>> share among each client, which, in a real world, happens 99.9% of the
>> time because resources are limited.
>>
>> So, the syntax works, but it does achieve what I mentioned before, the
>> meta interface concept. The example you give is only useful for
>> simplifying rulesets, although it's more difficult for humans to
>> understand.
>
> From what I understand, that binds queue 'a' to every interface. The
> queue definition still limits the queue itself to 700Kb, but allows
> you to assign traffic to that queue on each interface that queue is
> bound to. I can't find the email that I read that suggests it now
> (machine having recently been wiped and google not being terribly
> forthcoming with the answer).
>
> Have you verified this not working with real traffic, or just the
> pfctl -sq output? At this time I don't have a multi-interface box at
> my disposal, so I can't easily test this.
>
> --Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 19:54:27 2005
From: Roger Grosswiler
To: freebsd-pf@freebsd.org
Date: Sun, 23 Oct 2005 21:54:04 +0200
Message-Id: <1130097244.5844.4.camel@niobe>
Subject: pf not loading

Hello,

I installed 6.0 RC1 and filled in pf_enable="YES" as I did in 5.4.

But no pf is loaded during startup; no /dev/pf is there. I can kldload pf,
but then the ruleset won't be loaded either. Even pfctl -f /etc/pf.conf
does not change this.

Does somebody have the same? Or does somebody know how to correct it?
Thx,
Roger

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 23 20:08:05 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sun, 23 Oct 2005 22:07:37 +0200
Message-Id: <200510232207.53352.max@love2party.net>
In-Reply-To: <1130097244.5844.4.camel@niobe>
Subject: Re: pf not loading

On Sunday 23 October 2005 21:54, Roger Grosswiler wrote:
> i installed 6.0 RC1 and filled pf_enable="YES" as i did in 5.4
>
> But, no pf is loaded while startup. no /dev/pf is there. i can kldload
> pf, but then the ruleset won't be loaded too.
> even pfctl -f /etc/pf.conf
> does not change this.

This is not very precise. What happens when you pfctl -f /etc/pf.conf ? Are
you sure you can kldload pf?

> does somebody have the same? or does somebody know how to correct?

Are you, by chance, using a custom kernel without INET6? In that case trying
to kldload pf will error out on the console. To build the pf module without
INET6 you need to define NO_INET6 in make.conf while building pf.ko. Also
make sure you have bpf in your kernel.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 24 11:02:13 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 24 Oct 2005 11:02:12 GMT
Message-Id: <200510241102.j9OB2C3P062041@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency
o [2005/09/13] kern/86072  pf     [pf] Packet Filter rule not working prope

2 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre

1 problem total.
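An added example from the editor, not code from any message in this digest, on the altq on { tun0 tun1 tun2 } exchange between Bruno Afonso and Bill Marquette above. It reuses the pfctl -sq output Bruno pasted as a constructed sample and parses it the way a practitioner would check a live box: every interface named in the braces gets its own root queue with its own copy of queue a and queue b, so the 700Kb cap on a holds per interface and the three copies together can carry 2.1Mb. There is no shared scheduler in the kernel behind that syntax, which is the whole of Bruno's point. The sample text and the function names (parse_queues, per_interface_cap, aggregate_cap) are the editor's assumptions; the bandwidth units follow pf.conf(5), where K/M/G are powers of 1000.

```python
"""Added example (editor's, not from pf or the thread): read `pfctl -sq`
output and show that `altq on { if0 if1 ... }` builds one independent
root queue per interface, so a child queue's bandwidth cap is per
interface and the aggregate is the sum over interfaces."""
import re
import sys
from collections import OrderedDict

# Constructed sample: the pfctl -sq output quoted in the thread.
SAMPLE_PFCTL_SQ = """\
queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
queue  a bandwidth 700Kb cbq( default )
queue  b bandwidth 300Kb
queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
queue  a bandwidth 700Kb cbq( default )
queue  b bandwidth 300Kb
queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
queue  a bandwidth 700Kb cbq( default )
queue  b bandwidth 300Kb
"""

# pf.conf(5) bandwidth suffixes; multipliers are decimal, not binary.
_UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
_QUEUE_RE = re.compile(r"\s*queue\s+(\S+)\s+bandwidth\s+(\S+)(.*)")


def parse_bandwidth(text):
    """'700Kb' -> 700000 bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Gb|Mb|Kb|b)", text)
    if not m:
        raise ValueError("unrecognised bandwidth: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_queues(text):
    """Return {root_name: {"bandwidth": bps, "children": {name: bps}}}.

    A line whose trailing options contain the word 'root' starts a new
    root queue; following queue lines are its children until the next root.
    """
    roots = OrderedDict()
    current = None
    for line in text.splitlines():
        m = _QUEUE_RE.match(line)
        if not m:
            continue
        name, bw, rest = m.group(1), parse_bandwidth(m.group(2)), m.group(3)
        if re.search(r"\broot\b", rest):
            current = name
            roots[name] = {"bandwidth": bw, "children": OrderedDict()}
        elif current is not None:
            roots[current]["children"][name] = bw
    return roots


def per_interface_cap(roots, queue):
    """Cap of the child queue named `queue` on each root (i.e. each interface)."""
    return {root: spec["children"][queue]
            for root, spec in roots.items() if queue in spec["children"]}


def aggregate_cap(roots, queue):
    """What all copies of `queue` can carry together: the caps simply add,
    because nothing ties the per-interface schedulers to one budget."""
    return sum(per_interface_cap(roots, queue).values())


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_SQ
    roots = parse_queues(text)
    for root, spec in roots.items():
        print("%s: %d b/s, children: %s"
              % (root, spec["bandwidth"], ", ".join(spec["children"])))
    for q in sorted({c for spec in roots.values() for c in spec["children"]}):
        caps = per_interface_cap(roots, q)
        print("queue %s: %d interface(s), per-interface cap %s, aggregate %d b/s"
              % (q, len(caps), sorted(set(caps.values())), aggregate_cap(roots, q)))
```

Run it against a real box with `pfctl -sq | python3 thisfile.py`; any `altq on { ... }` list gives the same shape. If per-interface totals are what you want, the braces are a fine ruleset shortcut; if one shared budget is what you need, the traffic has to leave through a single interface that ALTQ can see.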
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 24 13:29:29 2005
From: Roger Grosswiler
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 24 Oct 2005 15:29:26 +0200
Message-Id: <1130160566.699.2.camel@niobe>
In-Reply-To: <200510232207.53352.max@love2party.net>
Subject: Re: pf not loading

Hello...

On Sunday, 23.10.2005, 22:07 +0200, Max Laier wrote:
> On Sunday 23 October 2005 21:54, Roger Grosswiler wrote:
> > i installed 6.0 RC1 and filled pf_enable="YES" as i did in 5.4
> >
> > But, no pf is loaded while startup. no /dev/pf is there. i can kldload
> > pf, but then the ruleset won't be loaded too. even pfctl -f /etc/pf.conf
> > does not change this.
>
> This is not very precise. What happens when you pfctl -f /etc/pf.conf ? Are
> you sure you can kldload pf?

Yes, I am. I even saw that pf.conf has been loaded. pf -sA doesn't show
any filters & rules anymore; I have to select pfctl -s all, then I see the
rules.

> > does somebody have the same? or does somebody know how to correct?
>
> Are you, by chance, using a custom kernel without INET6? In that case trying
> to kldload pf will error out on the console. To build the pf module without
> INET6 you need to define NO_INET6 in make.conf while building pf.ko. Also
> make sure you have bpf in your kernel.

I also tried using IPv6 support, but still no hope; pf is not loaded on
bootup.
:-(

Roger

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 24 15:02:38 2005
From: Max Laier
To: Roger Grosswiler
Cc: freebsd-pf@freebsd.org
Date: Mon, 24 Oct 2005 17:02:27 +0200
Message-Id: <200510241702.39502.max@love2party.net>
In-Reply-To: <1130160566.699.2.camel@niobe>
Subject: Re: pf not loading

On Monday 24 October 2005 15:29, Roger Grosswiler wrote:
> Hello...
>
> On Sunday, 23.10.2005, 22:07 +0200, Max Laier wrote:
> > On Sunday 23 October 2005 21:54, Roger Grosswiler wrote:
> > > i installed 6.0 RC1 and filled pf_enable="YES" as i did in 5.4
> > >
> > > But, no pf is loaded while startup. no /dev/pf is there. i can kldload
> > > pf, but then the ruleset won't be loaded too. even pfctl -f
> > > /etc/pf.conf does not change this.
> >
> > This is not very precise. What happens when you pfctl -f /etc/pf.conf ?
> > Are you sure you can kldload pf?
>
> yes, i am. i even saw, that pf.conf has been loaded. pf -sA doesn't show
> anymore filters & rules, i have to select pfctl -s all - then i see the
> rules.

If you meant to say "pfctl -sA", that shows Anchors, not "filters & rules".
"pfctl -s rules" is what you want.

> > > does somebody have the same? or does somebody know how to correct?
> >
> > Are you, by chance, using a custom kernel without INET6? In that case
> > trying to kldload pf will error out on the console. To build the pf
> > module without INET6 you need to define NO_INET6 in make.conf while
> > building pf.ko. Also make sure you have bpf in your kernel.
>
> I tried also using ipv6 support, but still no hope, pf is not loaded on
> bootup.

After booting try (as root):

# /etc/rc.d/pf rcvar
# /etc/rc.d/pf status
# /etc/rc.d/pf start

and watch the console (#dmesg -a) for error messages.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 24 16:34:07 2005
From: Kai Gallasch
To: freebsd-pf@freebsd.org
Date: Mon, 24 Oct 2005 18:34:03 +0200
Message-Id: <6BDA08CF-3930-4F37-BB47-EAC722391D41@free.de>
Subject: FreeBSD 6.0RC1 - pf and big tables, pfspamd

Hi list.

Following setup:

- FreeBSD 6.0RC1 + pf
- /usr/ports/mail/spamd + recommended pf.conf for spamd
- several huge rbl zonefiles in rbldnsd format
- pf.conf:

  table <spamd> persist
  no rdr on { lo0, lo1 } from any to any
  rdr inet proto tcp from <spamd> to any port smtp -> 192.168.0.100 port 8025

When I start up my spamd installation I am loading the zonefiles into the
table through method "file" from disk.

It all works as expected, but when I load some of my bigger rbl zonefiles
through the command "spamd-setup" the application uses up huge amounts of
memory and finally stops with the error "malloc failed" - too bad. (And
this after about an hour of runtime, cough!) Probably spamd never was
planned to get along with millions of entries in a table..

If I try to squeeze in the IPs manually through pfctl I get the error

  shorty# pfctl -t spamd -Tr -f spammers.txt
  pfctl: Cannot allocate memory.

spammers.txt is about 30M in size and contains about 2 million entries.

Has someone found a workaround for using (and handling) up to 10 million
IPs inside a pf table?
:-) without using high end hardware (I currently use for testing pentium3, 1Ghz, 512M main memmory) pf: Is there a possibility to abuse pf in the following fashion? rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025 For example /usr/ports/dns/rbldnsd can handle such huge amounts of rbl data and even reloads take only a few seconds (with > 100M rbl files!!) If a firewall rule would be possible to do local RBL queries one could have the best of both worlds - use - as in my case rblndsd for keeping the rbldata and the pf for a flexible response to incoming spam.. Any idea? -- "Whenever bicycles are broken, or menaced by international communism, Bicycle Repair Man is ready!" From owner-freebsd-pf@FreeBSD.ORG Mon Oct 24 21:37:58 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56E4916A41F for ; Mon, 24 Oct 2005 21:37:58 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from mail04.syd.optusnet.com.au (mail04.syd.optusnet.com.au [211.29.132.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75C7D43D73 for ; Mon, 24 Oct 2005 21:37:50 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from delta (d220-236-173-176.dsl.nsw.optusnet.com.au [220.236.173.176]) by mail04.syd.optusnet.com.au (8.12.11/8.12.11) with SMTP id j9OLbmEf015384 for ; Tue, 25 Oct 2005 07:37:48 +1000 Message-ID: <008f01c5d8e3$308c15f0$0132a8c0@delta> From: "Josh Finlay" To: References: <000b01c5d644$54527f20$0132a8c0@delta><4359ED5B.7010303@dequim.ist.utl.pt><55e8a96c0510220651t47fa063ayefd1dcffd63950a6@mail.gmail.com><435A6025.5060602@dequim.ist.utl.pt><55e8a96c0510221659g7ac457b1gc696f392a249fee3@mail.gmail.com> <010001c5d7e0$8669bd50$6200a8c0@delta> Date: Tue, 25 Oct 2005 07:37:52 +1000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; 
  charset="iso-8859-1"; reply-type=response
Subject: Re: FreeBSD + MPD + PF + ALTQ

Just giving this message a bit of a bump.

I've looked into:

route add -net 192.168.0.0/24 192.168.1.1

in an attempt to route between the two interfaces, but I just get "file exists" errors, even if I "route flush" beforehand.

Like I said earlier, routing is -not- my forte.

----- Original Message -----
From: "Josh Finlay"
To: "Bill Marquette"
Sent: Monday, October 24, 2005 12:46 AM
Subject: Re: FreeBSD + MPD + PF + ALTQ


> Ok I've tried to study the PF FAQ on OpenBSD.org and learn a few things
> from some of the rules you've given.
>
> Here is my current pf.conf to date:
> (note: de0 goes to my lan, vr0 goes to my modem, mpd still uses ng0 but
> the traffic is still essentially coming in/out on vr0 right?)
>
> ExtIF="vr0"
> IntIF="de0"
>
> set loginterface $ExtIF
> scrub in all
> scrub out all random-id max-mss 1440
>
> altq on $ExtIF priq bandwidth 128Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
> queue std_out priq(default)
> queue ssh_im_out priority 4 priq(red)
> queue dns_out priority 5
> queue tcp_ack_out priority 6
>
> altq on $IntIF cbq bandwidth 512Kb queue { std_in, ssh_im_in, dns_in }
> queue std_in bandwidth 384Kb cbq(default)
> queue ssh_im_in bandwidth 64Kb priority 4
> queue dns_in bandwidth 64Kb priority 5
>
> local_net = "192.168.0.0/24"
> ssh_ports = "{ 22 }"
> im_ports = "{ 1863 5190 5222 }"
>
> nat on $IntIF from $local_net to any -> ($ExtIF)
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass out on $ExtIF inet proto tcp from ($ExtIF) to any flags S/SA \
>     keep state queue(std_out, tcp_ack_out)
> pass out on $ExtIF inet proto { udp icmp } from ($ExtIF) to any keep state
> pass out on $ExtIF inet proto { tcp udp } from ($ExtIF) to any port domain \
>     keep state queue dns_out
> pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $ssh_ports \
>     flags S/SA keep state queue(std_out, ssh_im_out)
> pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $im_ports \
>     flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
>
> pass in on $IntIF from $local_net
> pass out on $IntIF proto { tcp udp } from any port domain to $local_net \
>     queue dns_in
> pass out on $IntIF proto tcp from any port $ssh_ports to $local_net \
>     queue(std_in, ssh_im_in)
> pass out on $IntIF proto tcp from any port $im_ports to $local_net \
>     queue ssh_im_in
>
> --end
>
> I have also only just installed the second nic in the machine;
> before that, de0 was doing all the work.
> I am stuck with a small problem, which I've had no experience with: once I
> tell mpd to connect via vr0, I get connectivity on the router but not on
> any other machines on the network.
> They are still using de0's ip (192.168.0.101) as their gateway, but it's
> not able to do any internet traffic.
> This is the same if I bind a ping to 192.168.0.101 (ie. ping -S
> 192.168.0.101 host.name): I get no response while mpd is using vr0, but if
> it's using de0 like before it works fine.
>
> Is this something in pf I need to fix? Or do I need to somehow route
> traffic from de0 to vr0? I'm in the dark about this; like I said, I've had no
> experience with a second nic.
>
> These rules apply fine, but with the above problem on hand, I haven't been
> able to see if they actually work yet. Let me know if I messed it all up
> or not ;)
>
> ----- Original Message -----
> From: "Bill Marquette"
> To: "Bruno Afonso"
> Sent: Sunday, October 23, 2005 9:59 AM
> Subject: Re: FreeBSD + MPD + PF + ALTQ
>
>
>> On 10/22/05, Bruno Afonso wrote:
>>> Bill Marquette wrote:
>>> > On 10/22/05, Bruno Afonso wrote:
>>> >> The download part is the problematic one IF they're not all connected to
>>> >> the same network interface. Why? Because altq only works PER interface
>>> >> and tun0, tun1, tun2, etc. are each and single one, one interface on
>>> >> its own.
>>> >>
>>> >> You basically have to
>>> >>
>>> >> altq on tun0
>>> >>
>>> >> altq on tun1, etc..
>>> >>
>>> >> What we would need in this case would be a meta-interface that altq
>>> >> would work on, but that is not available. Bottom line: you can't control
>>> >> with PF global bw over an interface-span. This is probably necessary for
>>> >> a full commercial deployment. Don't know of any plans to implement
>>> >> this...
>>> >>
>>> >> meta_if {tun0, tun1}
>>> >>
>>> >> altq on meta_1 ...
>>> >>
>>> >> would be nice. :-)
>>> >
>>> > You mean something like:
>>> > altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
>>> > queue a bandwidth 50Mb hfsc(default)
>>> > queue b bandwidth 50Mb hfsc
>>> > This works today :)
>>>
>>> Yes, I have now tried and verified that it works, but not as we would
>>> like to in the sense of a meta interface, eg:
>>>
>>> altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
>>> queue a bandwidth 700Kb cbq(default)
>>> queue b bandwidth 300Kb
>>>
>>> which turns itself into... (from pfctl -sq)
>>>
>>> queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>> queue a bandwidth 700Kb cbq( default )
>>> queue b bandwidth 300Kb
>>> queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>> queue a bandwidth 700Kb cbq( default )
>>> queue b bandwidth 300Kb
>>> queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>>> queue a bandwidth 700Kb cbq( default )
>>> queue b bandwidth 300Kb
>>>
>>> What would I want with this? To create a queue that is shared by every
>>> interface, so limiting globally every interface to a maximum of 1Mb each
>>> and all of them to 1Mb each too, in a cbq borrowing shared way. For
>>> example, I'd like a to never exceed 700Kb taking into account every
>>> interface. This makes perfect sense if I have a limited amount of bw to
>>> share among each client, which, in a real world, happens 99,9% of the
>>> time because resources are limited.
>>>
>>> So, the syntax works, but it does achieve what I mentioned before, the
>>> meta interface concept. The example you give is only useful for
>>> simplifying rulesets, although it's more difficult for humans to
>>> understand.
>>
>> From what I understand, that binds queue 'a' to every interface. The
>> queue definition still limits the queue itself to 700Kb, but allows
>> you to assign traffic to that queue on each interface that queue is
>> bound to. I can't find the email that I read that suggests it now
>> (machine having recently been wiped and google not being terribly
>> forthcoming with the answer).
>>
>> Have you verified this not working with real traffic, or just the
>> pfctl -sq output? At this time I don't have a multi-interface box at
>> my disposal, so I can't easily test this.
>>
>> --Bill
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 01:08:47 2005
Message-ID: <435D85A6.7020106@dequim.ist.utl.pt>
Date: Mon, 24 Oct 2005 21:08:54 -0400
From: Bruno Afonso
To: Josh Finlay
References:
  <000b01c5d644$54527f20$0132a8c0@delta> <4359ED5B.7010303@dequim.ist.utl.pt>
  <55e8a96c0510220651t47fa063ayefd1dcffd63950a6@mail.gmail.com>
  <435A6025.5060602@dequim.ist.utl.pt>
  <55e8a96c0510221659g7ac457b1gc696f392a249fee3@mail.gmail.com>
  <010001c5d7e0$8669bd50$6200a8c0@delta> <008f01c5d8e3$308c15f0$0132a8c0@delta>
In-Reply-To: <008f01c5d8e3$308c15f0$0132a8c0@delta>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD + MPD + PF + ALTQ

Josh Finlay wrote:
> Just giving this message a bit of a bump.
>
> I've looked into:
>
> route add -net 192.168.0.0/24 192.168.1.1
> in an attempt to route between the two interfaces
> but I just get "file exists" errors, even if I "route flush" beforehand.
>
> Like I said earlier, routing is -not- my forte.

Do yourself a favour, use current or wait for 6.0 to come out or ask for patches :-)

BA

> [...]

-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way
Smith Building
Boston, MA 02115
phone: (617)-632-5105
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 01:24:39 2005
Message-ID: <001301c5d902$db39d6d0$0132a8c0@delta>
From: "Josh Finlay"
To: "Bruno Afonso"
Cc: freebsd-pf@freebsd.org
Date: Tue, 25 Oct 2005 11:24:32 +1000
Subject: Re: FreeBSD + MPD + PF + ALTQ

Looking forward to 6.0 :) Any idea on a release date? It will certainly make my life so much easier.

----- Original Message -----
From: "Bruno Afonso"
To: "Josh Finlay"
Sent: Tuesday, October 25, 2005 11:08 AM
Subject: Re: FreeBSD + MPD + PF + ALTQ


> Josh Finlay wrote:
>> Just giving this message a bit of a bump.
>>
>> I've looked into:
>>
>> route add -net 192.168.0.0/24 192.168.1.1
>> in an attempt to route between the two interfaces
>> but I just get "file exists" errors, even if I "route flush" beforehand.
>>
>> Like I said earlier, routing is -not- my forte.
>
> Do yourself a favour, use current or wait for 6.0 to come out or ask for
> patches :-)
>
> BA
>
>> [...]
>
> --
> Bruno Afonso, Biological Engineer
> Dana-Farber Cancer Institute
> 1 Jimmy Fund Way
> Smith Building
> Boston, MA 02115
> phone: (617)-632-5105
> GABBA Graduate Student (http://gabba.up.pt)
> Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 08:14:26 2005
Message-ID: <003a01c5d93c$1ec158e0$0132a8c0@delta>
From: "Josh Finlay"
To: "Jon Otterholm"
References: <000b01c5d644$54527f20$0132a8c0@delta> <4359ED5B.7010303@dequim.ist.utl.pt>
  <55e8a96c0510220651t47fa063ayefd1dcffd63950a6@mail.gmail.com>
  <435A6025.5060602@dequim.ist.utl.pt>
  <55e8a96c0510221659g7ac457b1gc696f392a249fee3@mail.gmail.com>
  <010001c5d7e0$8669bd50$6200a8c0@delta> <008f01c5d8e3$308c15f0$0132a8c0@delta>
  <1130223275.837.7.camel@localhost.localdomain>
Date: Tue, 25 Oct 2005 18:14:26 +1000
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD + MPD + PF + ALTQ

I have already enabled gateway_enable, and that has been working for quite some time now. But now I've added an additional nic.

My original nic is de0.
My new one is vr0.

de0 talks to my network (192.168.0.0/24).
vr0 is connected via straight cable to my modem, so it's separated from the rest of the network.

What I want to do is "bridge" or "route" between the two. So that when a computer on my network attempts to access the internet, it does so via de0 and then de0 passes it on to vr0. If this makes sense.

I hope this will help you understand what I am trying to achieve. gateway_enable="YES" alone does not do what I want for it to do.

----- Original Message -----
From: "Jon Otterholm"
To: "Josh Finlay"
Sent: Tuesday, October 25, 2005 4:54 PM
Subject: Re: FreeBSD + MPD + PF + ALTQ


> How is the net (192.168.0.0/24) connected to your machine? If your
> machine has an address in the destination net (192.168.0.0/24) the route
> already exists as a persistent route and the only way to remove it is
> to remove the address.
>
> If you can't get your machine to forward packets between the nets, try:
>
> echo 'gateway_enable="YES"' >> /etc/rc.conf
>
> and reboot.
>
> /Jon
>
> On Tue, 2005-10-25 at 07:37 +1000, Josh Finlay wrote:
>> Just giving this message a bit of a bump.
>>
>> I've looked into:
>>
>> route add -net 192.168.0.0/24 192.168.1.1
>>
>> in an attempt to route between the two interfaces, but I just get
>> "file exists" errors, even if I "route flush" beforehand.
>>
>> Like I said earlier, routing is -not- my forte.
>>
>> ----- Original Message -----
>> From: "Josh Finlay"
>> To: "Bill Marquette"
>> Cc:
>> Sent: Monday, October 24, 2005 12:46 AM
>> Subject: Re: FreeBSD + MPD + PF + ALTQ
>>
>> > Ok, I've tried to study the PF FAQ on OpenBSD.org and learn a few things
>> > from some of the rules you've given.
>> >
>> > Here is my current pf.conf to date:
>> > (note: de0 goes to my LAN, vr0 goes to my modem, mpd still uses ng0 but
>> > the traffic is still essentially coming in/out on vr0, right?)
>> >
>> > ExtIF="vr0"
>> > IntIF="de0"
>> >
>> > set loginterface $ExtIF
>> > scrub in all
>> > scrub out all random-id max-mss 1440
>> >
>> > altq on $ExtIF priq bandwidth 128Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
>> > queue std_out priq(default)
>> > queue ssh_im_out priority 4 priq(red)
>> > queue dns_out priority 5
>> > queue tcp_ack_out priority 6
>> >
>> > altq on $IntIF cbq bandwidth 512Kb queue { std_in, ssh_im_in, dns_in }
>> > queue std_in bandwidth 384Kb cbq(default)
>> > queue ssh_im_in bandwidth 64Kb priority 4
>> > queue dns_in bandwidth 64Kb priority 5
>> >
>> > local_net = "192.168.0.0/24"
>> > ssh_ports = "{ 22 }"
>> > im_ports = "{ 1863 5190 5222 }"
>> >
>> > nat on $IntIF from $local_net to any -> ($ExtIF)
>> > pass in quick on lo0 all
>> > pass out quick on lo0 all
>> >
>> > pass out on $ExtIF inet proto tcp from ($ExtIF) to any flags S/SA \
>> >     keep state queue(std_out, tcp_ack_out)
>> > pass out on $ExtIF inet proto { udp icmp } from \
>> >     ($ExtIF) to any keep state
>> > pass out on $ExtIF inet proto { tcp udp } from ($ExtIF) to any port domain \
>> >     keep state queue dns_out
>> > pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $ssh_ports \
>> >     flags S/SA keep state queue(std_out, ssh_im_out)
>> > pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $im_ports \
>> >     flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
>> >
>> > pass in on $IntIF from $local_net
>> > pass out on $IntIF proto { tcp udp } from any port domain to $local_net \
>> >     queue dns_in
>> > pass out on $IntIF proto tcp from any port $ssh_ports to $local_net \
>> >     queue(std_in, ssh_im_in)
>> > pass out on $IntIF proto tcp from any port $im_ports to $local_net \
>> >     queue ssh_im_in
>> >
>> > --end
>> >
>> > I have also only just installed the second NIC in the machine;
>> > before that, de0 was doing all the work.
>> > I am stuck with a small problem, which I've had no experience with: once I
>> > tell mpd to connect via vr0, I get connectivity on the router but not on
>> > any other machines on the network.
>> > They are still using de0's IP (192.168.0.101) as their gateway, but it's
>> > not able to do any internet traffic.
>> > This is the same if I bind a ping to 192.168.0.101 (ie. ping -S
>> > 192.168.0.101 host.name): I get no response while mpd is using vr0, but if
>> > it's using de0 like before it works fine.
>> >
>> > Is this something in pf I need to fix? Or do I need to somehow route
>> > traffic from de0 to vr0? I'm in the dark about this; like I said, I've had
>> > no experience with a second NIC.
>> >
>> > These rules apply fine, but with the above problem on hand, I haven't
>> > been able to see if they actually work yet.
>> > Let me know if I messed it all up or not ;)
>> >
>> > ----- Original Message -----
>> > From: "Bill Marquette"
>> > To: "Bruno Afonso"
>> > Cc:
>> > Sent: Sunday, October 23, 2005 9:59 AM
>> > Subject: Re: FreeBSD + MPD + PF + ALTQ
>> >
>> >> On 10/22/05, Bruno Afonso wrote:
>> >>> Bill Marquette wrote:
>> >>> > On 10/22/05, Bruno Afonso wrote:
>> >>> >> The download part is the problematic one IF they're not all
>> >>> >> connected to the same network interface. Why? Because altq only
>> >>> >> works PER interface, and tun0, tun1, tun2, etc. are each and
>> >>> >> every one an interface on its own.
>> >>> >>
>> >>> >> You basically have to
>> >>> >>
>> >>> >> altq on tun0
>> >>> >>
>> >>> >> altq on tun1, etc..
>> >>> >>
>> >>> >> What we would need in this case would be a meta-interface that
>> >>> >> altq would work on, but that is not available. Bottom line: you
>> >>> >> can't control global bw over an interface-span with PF. This is
>> >>> >> probably necessary for a full commercial deployment. Don't know
>> >>> >> of any plans to implement this...
>> >>> >>
>> >>> >> meta_if {tun0, tun1}
>> >>> >>
>> >>> >> altq on meta_1 ...
>> >>> >>
>> >>> >> would be nice. :-)
>> >>> >
>> >>> > You mean something like:
>> >>> > altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
>> >>> > queue a bandwidth 50Mb hfsc(default)
>> >>> > queue b bandwidth 50Mb hfsc
>> >>> > This works today :)
>> >>>
>> >>> Yes, I have now tried and verified that it works, but not as we would
>> >>> like to in the sense of a meta interface, eg:
>> >>>
>> >>> altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
>> >>> queue a bandwidth 700Kb cbq(default)
>> >>> queue b bandwidth 300Kb
>> >>>
>> >>> which turns itself into...
>> >>> (from pfctl -sq)
>> >>>
>> >>> queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>> >>> queue a bandwidth 700Kb cbq( default )
>> >>> queue b bandwidth 300Kb
>> >>> queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>> >>> queue a bandwidth 700Kb cbq( default )
>> >>> queue b bandwidth 300Kb
>> >>> queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
>> >>> queue a bandwidth 700Kb cbq( default )
>> >>> queue b bandwidth 300Kb
>> >>>
>> >>> What would I want with this? To create a queue that is shared by
>> >>> every interface, so limiting globally every interface to a maximum
>> >>> of 1Mb each and all of them to 1Mb each too, in a cbq borrowing
>> >>> shared way. For example, I'd like a to never exceed 700Kb taking
>> >>> into account every interface. This makes perfect sense if I have a
>> >>> limited amount of bw to share among each client, which, in the real
>> >>> world, happens 99,9% of the time because resources are limited.
>> >>>
>> >>> So, the syntax works, but it does achieve what I mentioned before,
>> >>> the meta interface concept. The example you give is only useful for
>> >>> simplifying rulesets, although it's more difficult for humans to
>> >>> understand.
>> >>
>> >> From what I understand, that binds queue 'a' to every interface. The
>> >> queue definition still limits the queue itself to 700Kb, but allows
>> >> you to assign traffic to that queue on each interface that queue is
>> >> bound to. I can't find the email that I read that suggests it now
>> >> (machine having recently been wiped and google not being terribly
>> >> forthcoming with the answer).
>> >>
>> >> Have you verified this not working with real traffic, or just the
>> >> pfctl -sq output? At this time I don't have a multi-interface box at
>> >> my disposal, so I can't easily test this.
>> >>
>> >> --Bill
>> >>
>> >
>>

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 09:57:49 2005
Date: Tue, 25 Oct 2005 11:57:45 +0200
From: VANHULLEBUS Yvan
To: freebsd-pf@freebsd.org
Message-ID: <20051025095745.GA2581@zeninc.net>
Subject: Filtering IPSec traffic ?

Hi all.

When setting up IPSec gates with traffic filtering (using pf, of course), I
didn't find any solution / information about how to filter IPSec traffic,
except when using gif interfaces.

On OpenBSD, it looks like all IPSec traffic comes from enc0; on
Linux/Netfilter, they have for example the --mode tunnel to ensure the
current packet comes from an IPSec tunnel. But how can I set up a filtering
rule on FreeBSD, with pf, which specifies that a packet can only match if it
was encapsulated?

Yvan.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 10:11:46 2005
Date: Tue, 25 Oct 2005 05:11:45 -0500
From: "Travis H."
To: Kai Gallasch
Cc: freebsd-pf@freebsd.org
In-Reply-To: <6BDA08CF-3930-4F37-BB47-EAC722391D41@free.de>
Subject: Re: FreeBSD 6.0RC1 - pf and big tables, pfspamd

> Is there a possibility to abuse pf in the following fashion?
>
> rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org
> == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025

Disclaimer: I don't speak for anyone.

It would be nice, but then they'd need to link the resolver library into
the kernel, and the kernel would block when doing lookups*, which is
probably unacceptable.

Or are you talking about doing the lookups when the rules are loaded? If
that's the case, you can just preprocess the rules file and do your lookups
yourself.

[*] Unless you get tricky and do kernel preemption.

More generally, it'd be nice if we could hook routing decisions to userland
programs, but then the kernel has to make its decisions in kernel mode... to
schedule a userland program and run it, you'd have to save your place and
come back...

I recently proposed on the pf mailing list that pf actually be a virtual
machine which runs a simple program, then we could do lots of fancy
optimization, and maybe JIT compilation of rules. There was talk of
checkpoint having a patent on something similar (see the pf@benzedrine.cx
archives for URL to the patent).
Seems straightforward though, as bpf already does something like this; I
wonder if that counts as prior art.
--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 11:16:23 2005
Date: Tue, 25 Oct 2005 06:16:22 -0500
From: "Travis H."
To: VANHULLEBUS Yvan
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20051025095745.GA2581@zeninc.net>
Subject: Re: Filtering IPSec traffic ?
I think you have to set up filtering on the external interface for UDP
port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and
proto ah, in pf.conf syntax).

Then, the decrypted version appears on enc0, so you can match the
decapsulated stuff.

As I understand it.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 12:05:57 2005
Date: Tue, 25 Oct 2005 14:05:39 +0200
From: VANHULLEBUS Yvan
To: freebsd-pf@freebsd.org
Message-ID: <20051025120539.GA2761@zeninc.net>
Subject: Re: Filtering IPSec traffic ?

On Tue, Oct 25, 2005 at 06:16:22AM -0500, Travis H. wrote:
> I think you have to set up filtering on the external interface for UDP
> port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and
> proto ah, in pf.conf syntax).

Yes, thanks, I know that :-)

And, to be exact, I'll have to allow UDP 500/4500, as I'm using NAT-T
(subliminal message: kernel patch still not included in FreeBSD...).

> Then, the decrypted version appears on enc0, so you can match the
> decapsulated stuff.

That's the problem: enc0 doesn't seem to exist, at least on my FreeBSD6
gate (perhaps I missed something in the configuration, or perhaps this is
not a "real" interface?)!!!

Such an interface would be very useful for filtering IPSec traffic, and
also to be able to dump traffic from/to IPSec peers, and would be, imho,
the best solution (and would not be pf specific), but at least "some
option" in the pf syntax would be interesting, to be able to match traffic
which comes from an IPSec tunnel...

Yvan.
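The outer-traffic classes Travis and Yvan list above (IKE on UDP/500, NAT-T on UDP/4500, ESP as IP protocol 50, AH as 51) can be made concrete with a small classifier. The script below is an added example, not code from this thread or from FreeBSD; the macro names $ext_if and $peers in its pf.conf fragments and the sample packets are constructed. It goes a little beyond the thread in two ways: it applies the RFC 3948 / RFC 3947 rule for telling the three kinds of UDP/4500 payload apart (NAT keepalive, IKE behind a non-ESP marker, ESP-in-UDP), and it includes a decapsulated cleartext inner packet to show what Yvan is missing without enc(4): none of the external-interface rules can single that packet out, because after the kernel strips the ESP header it looks like any other cleartext packet.

```python
"""Sort the packets an IPsec gateway sees on its external interface into the
outer-traffic classes discussed in this thread and demultiplex UDP/4500.
Added example; not code from the thread.  $ext_if and $peers are assumed
pf macro names, and SAMPLE is a constructed packet list."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ESP, AH, UDP, TCP = 50, 51, 17, 6        # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500          # isakmp and ipsec-nat-t


@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number as seen on the wire
    dport: Optional[int]       # UDP destination port, None for non-UDP
    payload: bytes = b""       # UDP payload; only needed for the UDP/4500 demux


def natt_demux(data: bytes) -> str:
    """UDP/4500 payload demux (RFC 3948 / RFC 3947): a single 0xFF byte is a
    NAT keepalive, four zero bytes are the non-ESP marker in front of an IKE
    message, anything else is ESP-in-UDP whose first four bytes are the SPI
    (a real SPI is never zero)."""
    if data == b"\xff":
        return "natt-keepalive"
    if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
        return "ike-natt"
    if len(data) >= 8:                   # SPI (4) + sequence number (4) at least
        return "esp-udp"
    return "malformed"


def classify(pkt: Packet) -> str:
    """Name the outer class an external-interface pf rule could match."""
    if pkt.proto == ESP:
        return "esp"
    if pkt.proto == AH:
        return "ah"
    if pkt.proto == UDP and pkt.dport == IKE_PORT:
        return "ike"
    if pkt.proto == UDP and pkt.dport == NATT_PORT:
        return natt_demux(pkt.payload)
    return "other"                       # cleartext, including decapsulated inner packets


def esp_udp_spi(data: bytes) -> int:
    """SPI of an ESP-in-UDP payload: first four bytes, network byte order."""
    return struct.unpack("!I", data[:4])[0]


# pf.conf fragments per class; $ext_if and $peers are assumed macro names.
PF_RULES = {
    "ike":            "pass in on $ext_if proto udp from $peers to ($ext_if) port 500",
    "ike-natt":       "pass in on $ext_if proto udp from $peers to ($ext_if) port 4500",
    "esp-udp":        "pass in on $ext_if proto udp from $peers to ($ext_if) port 4500",
    "natt-keepalive": "pass in on $ext_if proto udp from $peers to ($ext_if) port 4500",
    "esp":            "pass in on $ext_if proto esp from $peers to ($ext_if)",
    "ah":             "pass in on $ext_if proto ah from $peers to ($ext_if)",
}


def summarize(packets: List[Packet]) -> Counter:
    """How many packets fell into each class."""
    return Counter(classify(p) for p in packets)


def rules_for(packets: List[Packet]) -> List[str]:
    """Distinct external-interface rules that admit the outer packets seen."""
    return sorted({PF_RULES[c] for c in summarize(packets) if c in PF_RULES})


def unmatchable(packets: List[Packet]) -> List[Packet]:
    """Packets none of the outer rules can single out: without enc(4) the
    decapsulated inner packet looks like any other cleartext packet."""
    return [p for p in packets if classify(p) == "other"]


# Constructed sample: one NAT-T peer, one non-NAT peer, and the cleartext
# inner TCP packet pf sees after the kernel has stripped the ESP header.
SAMPLE = [
    Packet(UDP, IKE_PORT, b"\x00" * 28),                                 # IKE phase 1
    Packet(UDP, NATT_PORT, b"\x00\x00\x00\x00" + b"\x11" * 28),          # IKE, NAT detected
    Packet(UDP, NATT_PORT, b"\xff"),                                     # NAT keepalive
    Packet(UDP, NATT_PORT, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 16),  # ESP-in-UDP, SPI 0x1234
    Packet(ESP, None),                                                   # plain ESP
    Packet(AH, None),                                                    # plain AH
    Packet(TCP, None),                                                   # decapsulated inner packet
]

if __name__ == "__main__":
    for cls, n in sorted(summarize(SAMPLE).items()):
        print(f"{cls:15} {n}")
    print("\n".join(rules_for(SAMPLE)))
    print("not matchable on the outer interface:", len(unmatchable(SAMPLE)))
```

The three UDP/4500 classes collapse onto one pf rule, so the sample needs four distinct rules on the external interface, and the one packet left in "other" is exactly the case the thread is about.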
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 12:23:37 2005
Date: Tue, 25 Oct 2005 14:23:49 +0200
From: Eric Masson
To: VANHULLEBUS Yvan
Cc: freebsd-pf@freebsd.org
Message-ID: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20051025120539.GA2761@zeninc.net> (VANHULLEBUS Yvan's message of "Tue, 25 Oct 2005 14:05:39 +0200")
X-Operating-System: FreeBSD 5.4-RELEASE-p2 i386
Subject: Re: Filtering IPSec traffic ?
VANHULLEBUS Yvan writes:

Hi Yvan,

> That's the problem: enc0 doesn't seem to exist, at least on my
> FreeBSD6 gate (perhaps I missed something in the configuration, or
> perhaps this is not a "real" interface?)!!!

The enc(4) interface doesn't exist in FreeBSD.

Atm, I use gif tunnels and transport mode between gateways, so I'm able to
filter on gifs. The other main advantage in my case is that routing is
explicit (no SPD inspection to check how packets are treated by the stack).

Éric Masson

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 12:43:08 2005
Date: Tue, 25 Oct 2005 14:43:01 +0200
From: VANHULLEBUS Yvan
To: freebsd-pf@freebsd.org
Message-ID: <20051025124301.GA2824@zeninc.net>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
Subject: Re: Filtering IPSec traffic ?

On Tue, Oct 25, 2005 at 02:23:49PM +0200, Eric Masson wrote:
> VANHULLEBUS Yvan writes:
>
> Hi Yvan,

Hi Eric :-)

> > That's the problem: enc0 doesn't seem to exist, at least on my
> > FreeBSD6 gate (perhaps I missed something in the configuration, or
> > perhaps this is not a "real" interface?)!!!
>
> The enc(4) interface doesn't exist in FreeBSD.

Yep, unfortunately...

> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

And the main problem of using gif interfaces seems to be a gif + IPSec +
filtering + forwarding problem for (at least) big TCP sessions (see the
thread on freebsd-net).
I'll try to do some tests with gif interfaces to see the advantages and
drawbacks, but this "bug" described in the gif(4) man page seems to be a
big drawback for me (I'm almost always using Tunnel mode for net-2-net
IPSec tunnels):

"The gif device may not interoperate with peers which are based on
different specifications, and are picky about outer header fields. For
example, you cannot usually use gif to talk with IPsec devices that use
IPsec tunnel mode."

Yvan.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 13:32:57 2005
From: Eric Masson
To: VANHULLEBUS Yvan
In-Reply-To: <20051025124301.GA2824@zeninc.net> (VANHULLEBUS Yvan's message of "Tue, 25 Oct 2005 14:43:01 +0200")
X-Operating-System: FreeBSD 5.4-RELEASE-p2 i386
Date: Tue, 25 Oct 2005 15:33:06 +0200
Message-ID: <86slupafhp.fsf@srvbsdnanssv.interne.kisoft-services.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?

VANHULLEBUS Yvan writes:

> And the main problem of using gif interfaces seems to be a gif + IPSec
> + filtering + forwarding problem for (at least) big TCP sessions (see
> the thread on freebsd-net).

Just checked, maybe it's a regression; this kind of setup works on a
prototype I've set up for a customer (early 5.x release) and in production
(ipsec transport/gif/ipf on 4.8 and 4.10 boxes).

> I'll try to do some tests with gif interfaces to see the advantages
> and drawbacks, but this "bug" described in the gif(4) man page seems
> to be a big drawback for me (I'm almost always using Tunnel mode for
> net-2-net IPSec tunnels):
>
> "The gif device may not interoperate with peers which are based on
> different specifications, and are picky about outer header fields.
> For example, you cannot usually use gif to talk with IPsec devices
> that use IPsec tunnel mode."

Not really a bug per se, different encap specs, nothing more. It should
interoperate with a similar setup like *BSD gifs on ipsec transport or
linux ipip on ipsec transport mode.
I've tried with gre instead of gif tunnels in the early 5.x release days and
it failed; maybe I should give it a try one of these days (too much daily
job atm...)

Éric

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 15:54:58 2005
Date: Tue, 25 Oct 2005 16:54:51 +0100
From: Sven Meier
To: freebsd-pf@freebsd.org
Subject: pfauth on 5.4

Hello,

I'm using pf on FreeBSD 5.4 and was thinking of using pfauth to secure
access from my wireless network.
Somehow I don't seem to find much documentation about pfauth on FreeBSD.
Has it not been ported along with PF itself?

If not, can anyone recommend an alternative with similar functionality?

I've been looking around for this for a while now, so any help with this
will be much appreciated,

Sven.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 25 16:10:47 2005
Date: Tue, 25 Oct 2005 18:10:27 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Message-Id: <200510251810.39390.max@love2party.net>
Subject: Re: pfauth on 5.4

On Tuesday 25 October 2005 17:54,
Sven Meier wrote:
> Hello,
>
> I'm using pf on FreeBSD 5.4 and was thinking of using pfauth to
> secure access from my wireless network. Somehow I don't seem to find
> much documentation about pfauth on FreeBSD. Has it not been ported
> along with PF itself?

Are you thinking of authpf? /usr/sbin/authpf - authpf(8) ... it's all there and should be functional. Documentation is as OpenBSD 3.5; FreeBSD 6.0 as OpenBSD 3.7.

> If not, can anyone recommend an alternative with similar functionality?
> I've been looking around for this for while now so any help with this
> will be much appreciated,

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
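An added example of what Max's pointer amounts to in practice (this is not from the thread, nor from the FreeBSD or OpenBSD sources): the anchors pf.conf needs for authpf(8), a default-deny stance for the wireless segment, and a per-user /etc/authpf/authpf.rules that opens the segment only for the address the user authenticated from. The interface names ath0/fxp0/fxp1, the 192.168.10.0/24 wireless subnet and the service list are assumptions.

```pf
# --- /etc/pf.conf (fragment) ---
# Assumed layout: wireless clients on ath0 (192.168.10.0/24), wired LAN on
# fxp0, uplink on fxp1.  FreeBSD 5.4 carries pf from OpenBSD 3.5, so the
# anchors are written "anchor authpf"; on FreeBSD 6.0 (OpenBSD 3.7 pf)
# write nat-anchor "authpf/*", rdr-anchor "authpf/*", ..., anchor "authpf/*".
wifi_if  = "ath0"
wifi_net = "192.168.10.0/24"
lan_if   = "fxp0"
ext_if   = "fxp1"

# authpf(8) loads each user's rules into its own sub-ruleset of these
# anchors; an anchor point must exist for every ruleset type it may load.
nat-anchor   authpf
rdr-anchor   authpf
binat-anchor authpf

nat on $ext_if from $wifi_net to any -> ($ext_if)

# Default stance for the wireless segment: nothing crosses the gateway.
block in log on $wifi_if all

# Before authenticating, a client may only obtain a lease and reach sshd on
# the gateway; logging in there runs authpf as the user's shell.
pass in quick on $wifi_if inet proto udp from any port bootpc \
    to any port bootps keep state
pass in quick on $wifi_if inet proto tcp from $wifi_net to ($wifi_if) \
    port ssh flags S/SA keep state

# Per-user rules are evaluated here.  authpf.rules below uses no "quick",
# so a pass inside the anchor wins by being the last matching rule: keep
# this anchor after the block rule and add no later rules that match
# inbound traffic on $wifi_if.
anchor authpf

# --- /etc/authpf/authpf.rules ---
# Loaded by authpf(8) when the user logs in, with $user_ip and $user_id
# defined for that session; the rules disappear when the ssh session ends.
wifi_if = "ath0"

# Open the segment only for the authenticated client's address, and only
# for the services an ordinary user needs, so a compromised client behind
# a valid login gets no more than that user would.  The block rule in
# pf.conf still applies to every other wireless address.
pass in on $wifi_if inet proto tcp from $user_ip to any \
    port { ssh, smtp, www, https, imaps } flags S/SA keep state
pass in on $wifi_if inet proto udp from $user_ip to any port domain keep state
pass in on $wifi_if inet proto icmp from $user_ip to any keep state

# --- remaining setup, outside pf.conf ---
# - /etc/authpf/authpf.conf must exist (an empty file is enough) or authpf
#   exits at login
# - list the permitted accounts in /etc/authpf/authpf.allow, one per line;
#   without that file every account whose shell is authpf is admitted
# - set those accounts' login shell to /usr/sbin/authpf (chsh or vipw)
# - set ClientAliveInterval/ClientAliveCountMax in sshd_config so that a
#   client that silently disappears has its rules removed promptly
#
# Check after a login: pfctl -a 'authpf' -sr should list the user's rules
# (on 6.0: pfctl -a 'authpf/<user>(<pid>)' -sr), and they must be gone
# once the ssh session is closed.
```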
From: "Josh Finlay"
To: freebsd-pf@freebsd.org
Date: Wed, 26 Oct 2005 08:18:17 +1000
Subject: FreeBSD 6.0-RC1 + ALTQ?

Hi,

I've just cvsup'd from 5.3-RELEASE to 6.0-RC1 - went nice and smoothly actually.

I thought that ng0 had support for ALTQ in 6.0-RC1? Am I wrong here? I'm still getting that ng0 does not support altq? Is there a patch maybe?
From: "Josh Finlay"
To: "Gleb Smirnoff"
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 26 Oct 2005 11:09:36 +1000
Subject: Re: FreeBSD + MPD + PF + ALTQ

Gleb, my best friend! ;) ;)

I've just cvsup'd to RELENG_6; would you have a nice pretty patch to give ng_iface(4) ALTQ functionality?

I must have read wrong in previous messages: I thought RELENG_6 already had this merged in, but upon re-reading I found I was actually wrong, and my only real reason for going to RELENG_6 was for the ALTQ support on ng_iface.

So I'm itching to get it kicking ;)

----- Original Message -----
From: "Gleb Smirnoff"
To: "Josh Finlay"
Sent: Sunday, October 23, 2005 6:37 PM
Subject: Re: FreeBSD + MPD + PF + ALTQ

> On Fri, Oct 21, 2005 at 11:35:39PM +1000, Josh Finlay wrote:
> J> I tried a few examples I found, no luck, found another thing I will need to
> J> fix first:
> J>
> J> pfctl: ng0: driver does not support altq
> J>
> J> I searched for a patch for the ng_iface driver, but no luck.
>
> Recently ng_iface(4) has gained ALTQ support in CURRENT. I will
> merge this to RELENG_5 and RELENG_6 after the 6.0-RELEASE
> is out.
>
> --
> Totus tuus, Glebius.
> GLEBIUS-RIPN GLEB-RIPE

From: Gleb Smirnoff
To: Josh Finlay
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 26 Oct 2005 10:36:37 +0400
Subject: Re: FreeBSD + MPD + PF + ALTQ

On Wed, Oct 26, 2005 at 11:09:36AM +1000, Josh Finlay wrote:
J> Gleb, my best friend! ;) ;)
J>
J> I've just cvsup'd to RELENG_6, would you have a nice pretty patch to give
J> ng_iface(4) ALTQ functionality?
J>
J> I must have read wrong in previous messages, I thought RELENG_6 already had
J> this merged in, but upon re-reading I found I was actually wrong, and my
J> only real reason for going to RELENG_6 was for the ALTQ support on ng_iface.
J>
J> So i'm itching to get it kicking ;)

The patch can be obtained this way:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_iface.c.diff?r1=text&tr1=1.43.2.1&r2=text&tr2=1.46

I will merge the change to RELENG_6 after 6.0-RELEASE is out.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
From: "Josh Finlay"
To: "Gleb Smirnoff"
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 26 Oct 2005 17:39:17 +1000
Subject: Re: FreeBSD + MPD + PF + ALTQ

Thanks a lot. :)

Patched now.

Hrm, would I need to buildworld again? Hope not, 4hrs waiting heh...

----- Original Message -----
From: "Gleb Smirnoff"
To: "Josh Finlay"
Sent: Wednesday, October 26, 2005 4:36 PM
Subject: Re: FreeBSD + MPD + PF + ALTQ

> On Wed, Oct 26, 2005 at 11:09:36AM +1000, Josh Finlay wrote:
> J> Gleb, my best friend! ;) ;)
> J>
> J> I've just cvsup'd to RELENG_6, would you have a nice pretty patch to give
> J> ng_iface(4) ALTQ functionality?
> J>
> J> I must have read wrong in previous messages, I thought RELENG_6 already had
> J> this merged in, but upon re-reading I found I was actually wrong, and my
> J> only real reason for going to RELENG_6 was for the ALTQ support on ng_iface.
> J>
> J> So i'm itching to get it kicking ;)
>
> The patch can be obtained this way:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_iface.c.diff?r1=text&tr1=1.43.2.1&r2=text&tr2=1.46
>
> I will merge the change to RELENG_6 after 6.0-RELEASE is out.
>
> --
> Totus tuus, Glebius.
> GLEBIUS-RIPN GLEB-RIPE

From: Gleb Smirnoff
To: Josh Finlay
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 26 Oct 2005 11:41:46 +0400
Subject: Re: FreeBSD + MPD + PF + ALTQ

On Wed, Oct 26, 2005 at 05:39:17PM +1000, Josh Finlay wrote:
J> Thanks alot. :)
J>
J> Patched now.
J>
J> Hrm, would I need to buildworld again?
J> Hope not, 4hrs waiting heh...

Only the kernel, if you compile ng_iface into the kernel; and only the module, if you load it dynamically.

P.S. Please, do not top quote.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From: Daniel Dias Gonçalves
Organization: DGNET Network Solutions
To: pf@benzedrine.cx, yongari@kt-is.co.kr, mlaier@freebsd.org
Date: Wed, 26 Oct 2005 00:55:52 -0200
Subject: Load Balancing Outgoing, its possible ?
Complicated? Is it possible?

[Network diagram (ASCII art flattened by extraction); it shows:]
  TELECOM, load sharing per packet, feeding two routers:
    CISCO 2600 (6mbps), load sharing per packet; Ethernet 64.XX.XX.1/30
    HUAWEI (6mbps), load sharing per packet; Ethernet 65.XX.XX.1/30
  FREEBSD 5.4 + PF:
    XL0 (64.XX.XX.2/30) to the Cisco, XL1 (65.XX.XX.2/30) to the Huawei
    XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30) to a switch
  Clients behind the switch:
    IP 192.168.0.10/24, GW 192.168.0.254
    IP 64.XX.XX.6/30, GW 64.XX.XX.5
    IP 65.XX.XX.6/30, GW 65.XX.XX.5
    and more clients ...

I need load balancing outgoing traffic from:
192.168.0.0/24 (NAT)
and 64.XX.XX.0/24, 65.XX.XX.0/24

Is it possible to make this balancing with PF? Is there some software with which I can do this? Can Zebra help me?
Does this type of balancing cause problems for the browsing of NAT users or users with valid IPs?
If it is possible, I would like to see examples with rules.
Thanks,

--
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
(37) 99824809

From: "Josh Finlay"
To: "Gleb Smirnoff"
Cc: freebsd-pf@FreeBSD.org
Date: Thu, 27 Oct 2005 12:46:02 +1000
Subject: Re: FreeBSD + MPD + PF + ALTQ

Excellent! Patched, recompiled. Working now :) Except for my PF rules.
I've attached the rules I'm using for PF; I guess I don't really "understand" how ALTQ "works".

My rules (I'm attempting to do a QoS-like configuration on a 512/128kbps ADSL connection):

ExtIF="ng0"
IntIF="de0"

set loginterface $ExtIF

scrub in all
scrub out all random-id max-mss 1440

# upstream: 128kbps out the ADSL link, priority queues
altq on $ExtIF priq bandwidth 128Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# downstream: 512kbps toward the LAN, shaped on the inside interface;
# the child bandwidths add up to the parent's 512Kb
altq on $IntIF cbq bandwidth 512Kb queue { std_in, ssh_im_in, dns_in }
queue std_in bandwidth 384Kb cbq(default)
queue ssh_im_in bandwidth 64Kb priority 4
queue dns_in bandwidth 64Kb priority 5

local_net = "192.168.0.0/24"
ssh_ports = "{ 22 }"
im_ports = "{ 1863 5190 5222 }"

# outbound NAT: translate the LAN to the ADSL address as packets leave ng0
nat on $ExtIF from $local_net to any -> ($ExtIF)

pass in quick on lo0 all
pass out quick on lo0 all

pass out on $ExtIF inet proto tcp from ($ExtIF) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass out on $ExtIF inet proto { udp icmp } from ($ExtIF) to any keep state
pass out on $ExtIF inet proto { tcp udp } from ($ExtIF) to any port domain \
    keep state queue dns_out
pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $ssh_ports \
    flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ExtIF inet proto tcp from ($ExtIF) to any port $im_ports \
    flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

pass in on $IntIF from $local_net
pass out on $IntIF proto { tcp udp } from any port domain to $local_net \
    queue dns_in
pass out on $IntIF proto tcp from any port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
pass out on $IntIF proto tcp from any port $im_ports to $local_net \
    queue ssh_im_in
--EOF--

My knowledge in ALTQ is so limited it isn't funny. Without proper knowledge of ALTQ, it makes it difficult for me to perform a simple configuration such as this without some help. So thank you in advance for being patient with me.
My main aim is to share my link (512kbps down, 128kbps up) evenly over my network, but at the same time, if only one machine is utilizing the network, then I believe that computer should have all the bandwidth; if two computers, then those two should share the bandwidth 50/50, etc.

Regards,
Josh Finlay

From: Sean Leach
To: freebsd-pf@freebsd.org
Date: Thu, 27 Oct 2005 15:17:32 -0700
Subject: PF routing packets over wrong interface
Hi all,

Using FreeBSD 5.3. I have a gateway with a DSL line and a cable line (DSL is fxp1 and cable is fxp0). My DSL line is my default line, so the default gateway of the machine is set to the gateway for my DSL provider.

The problem is, when I send traffic in the cable interface, the machine routes the traffic over the DSL line back out and the traffic is lost to the sending host. I have these rules:

pass out on $dsl_if route-to ($cable_if $cable_gw) from $cable_if to any keep state
pass out on $cable_if route-to ($dsl_if $dsl_gw) from $dsl_if to any keep state

but they don't seem to help. How do I force packets that came in fxp0 back out fxp0 and vice versa?

Thanks!
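An added example (not from the original post) of the usual remedy for what Sean describes: a connection that arrives on fxp0 and creates state on a "pass in ... keep state" rule never reaches the pass out rules again, because its replies match the existing state and are forwarded by the routing table (the DSL default route); reply-to on the inbound rule records the return path in the state instead. Interface names are from the post; the gateway addresses and the service list are assumptions.

```pf
# Added example; fxp0/fxp1 are from the post, the gateway addresses are
# placeholders from the documentation ranges.
dsl_if   = "fxp1"            # the default route points here
dsl_gw   = "203.0.113.1"     # assumed
cable_if = "fxp0"
cable_gw = "198.51.100.1"    # assumed

# Connections the gateway itself opens from the cable address: the kernel
# hands them to the default route, so the first packet shows up on $dsl_if
# and route-to moves it to the cable link. These are the two rules from the
# post; they only ever see packets that do not yet belong to a state entry.
pass out on $dsl_if   route-to ($cable_if $cable_gw) from ($cable_if) to any keep state
pass out on $cable_if route-to ($dsl_if $dsl_gw)     from ($dsl_if)   to any keep state

# Inbound connections. A "pass in ... keep state" rule creates the state;
# the replies then match that state on the way out and the rule set,
# including the route-to rules above, is never consulted for them. They
# follow the routing table, i.e. leave on $dsl_if carrying the cable
# address, and the peer (or the DSL provider's ingress filter) drops them.
# reply-to stores the return path in the state when it is created, so the
# replies go back out the link the connection came in on.
pass in on $cable_if reply-to ($cable_if $cable_gw) inet proto tcp \
    from any to ($cable_if) port { ssh, www } flags S/SA keep state

# Not needed while DSL holds the default route, but it keeps the rule set
# correct if the default route is ever moved to the cable link.
pass in on $dsl_if reply-to ($dsl_if $dsl_gw) inet proto tcp \
    from any to ($dsl_if) port { ssh, www } flags S/SA keep state

# The same reply-to belongs on the "pass in" rules for traffic forwarded to
# internal hosts (rdr targets), since their state is created there as well.

# Check: with a session open to the cable address, the replies should be
# visible leaving fxp0 and fxp1 should stay quiet for that session:
#   tcpdump -ni fxp0 tcp port ssh
#   tcpdump -ni fxp1 tcp port ssh
```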
From: Daniel Dias Gonçalves
Organization: DGNET Network Solutions
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Date: Fri, 28 Oct 2005 08:33:34 -0200
Subject: Load Balancing Outgoing, its possible ?

Complicated? Is it possible?

[Network diagram (ASCII art flattened by extraction); it shows:]
  TELECOM, load sharing per packet, feeding two routers:
    CISCO 2600 (6mbps), load sharing per packet; Ethernet 64.XX.XX.1/30
    HUAWEI (6mbps), load sharing per packet; Ethernet 65.XX.XX.1/30
  FREEBSD 5.4 + PF:
    XL0 (64.XX.XX.2/30) to the Cisco, XL1 (65.XX.XX.2/30) to the Huawei
    XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30) to a switch
  Clients behind the switch:
    IP 192.168.0.10/24, GW 192.168.0.254
    IP 64.XX.XX.6/30, GW 64.XX.XX.5
    IP 65.XX.XX.6/30, GW 65.XX.XX.5
    and more clients ...
I need load balancing outgoing traffic from:
192.168.0.0/24 (NAT)
and 64.XX.XX.0/24, 65.XX.XX.0/24

Is it possible to make this balancing with PF? Is there some software with which I can do this? Can Zebra help me?
Does this type of balancing cause problems for the browsing of NAT users or users with valid IPs?
If it is possible, I would like to see examples with rules.

Thanks,

--
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
(37) 99824809

From: Łukasz Dudek
To: Daniel Dias Gonçalves
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 28 Oct 2005 16:18:06 +0200
Subject: Re: Load Balancing Outgoing, its possible ?

On Fri, Oct 28, 2005 at 08:33:34AM -0200, Daniel Dias Gonçalves wrote:
>
> Is it possible to make this balancing with PF?
> Is there some software with which I can do this? Can Zebra help me?
> Does this type of balancing cause problems for the browsing of NAT users
> or users with valid IPs?
> If it is possible, I would like to see examples with rules.
>

It is possible.

# BALANCING TWO INTERNET CONNECTIONS
#
# People who have multiple net connections and are unable to use a proper
# multipath routing solution (i.e. BGP4) can use this to balance *outgoing*
# traffic across the two connections, with something like this:
#
nat on $ext_if1 from $int_subnet to any -> ($ext_if1)
nat on $ext_if2 from $int_subnet to any -> ($ext_if2)

# routing for internal subnets
pass in on $int_if \
    route-to { ( $ext_if1 $gateway1 ), ( $ext_if2 $gateway2 ) } round-robin \
    from $int_subnet to any keep state

# need the next rules to properly pass traffic to/from the external IPs
pass out on $ext_if2 route-to ($ext_if1 $gateway1) from $ext_if1 to any
pass out on $ext_if1 route-to ($ext_if2 $gateway2) from $ext_if2 to any

# Please note that this is only the skeleton of a ruleset that would work
# in such a situation; care must be taken to ensure that the correct
# route-to options are put on each rule which needs to be balanced

regards,
mocart
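An added example (not from any message in the thread) that fills in mocart's skeleton for the topology Daniel drew: NAT clients are spread across both uplinks with round-robin plus sticky-address, while the hosts that already carry a provider's addresses (64.XX.XX.6 and 65.XX.XX.6) are pinned to that provider's link, because their source addresses cannot be translated and an upstream that sees the other provider's block on its link may filter them. Interface names follow the diagram; the XX octets are left as in the post and are placeholders to be filled in.

```pf
# Added example for the topology in the thread. xl0/xl1/xl2 and the addresses
# follow the diagram; the XX octets are placeholders exactly as in the post.
ext_if1 = "xl0"                 # toward the Cisco 2600
gw1     = "64.XX.XX.1"
ext_if2 = "xl1"                 # toward the Huawei
gw2     = "65.XX.XX.1"
int_if  = "xl2"
nat_net = "192.168.0.0/24"
pub1    = "64.XX.XX.4/30"       # clients behind xl2 using provider-1 addresses
pub2    = "65.XX.XX.4/30"       # clients behind xl2 using provider-2 addresses

# 1. NAT on both uplinks. Which rule applies is decided by the interface the
#    packet leaves on, and that is what route-to below chooses per connection.
nat on $ext_if1 from $nat_net to any -> ($ext_if1)
nat on $ext_if2 from $nat_net to any -> ($ext_if2)

# 2. Spread the NAT clients over both links. round-robin alone picks a
#    gateway per state, so one host's parallel connections leave with two
#    different public source addresses, which breaks anything that ties a
#    session to the client IP (this is the "navigation" problem asked about).
#    sticky-address keeps all connections from one client on one link; pool
#    options apply to route-to pools as they do to nat pools.
pass in on $int_if \
    route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } round-robin sticky-address \
    from $nat_net to any keep state

# 3. Hosts that already hold provider addresses go out the matching provider
#    only: their packets are not translated, and a 64.XX.XX.x source on the
#    Huawei link (or the reverse) is asymmetric routing that the upstream may
#    drop. The per-packet load sharing in the diagram is on the telecom side
#    of the two routers and does not change this.
pass in on $int_if route-to ($ext_if1 $gw1) from $pub1 to any keep state
pass in on $int_if route-to ($ext_if2 $gw2) from $pub2 to any keep state

# 4. Traffic the gateway itself originates: the default route would push all
#    of it out one link, so redirect whatever carries the other link's address.
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any

# Inbound connections arriving on either uplink still need reply-to on their
# "pass in ... keep state" rules so the replies leave the way they came in;
# those rules are omitted here.

# Checks:
#   pfctl -s Sources   shows each NAT client and the gateway it is stuck to
#   pfctl -vsr         rule counters: both route-to rules in step 2 should
#                      see traffic, and step 3's rules only their own /30
```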
From: G Bryant
To: daniel@dgnetwork.com.br
Cc: freebsd-net@freebsd.org, FreeBSD, freebsd-pf@freebsd.org
Date: Fri, 28 Oct 2005 17:19:29 +0200
Subject: Re: Load Balancing Outgoing, its possible ?

Daniel Dias Gonçalves wrote:
>
> Complicated? Is it possible?
>
> [Network diagram quoted from the original message (ASCII art flattened by
> extraction): TELECOM with load sharing per packet feeding a CISCO 2600
> (6mbps, Ethernet 64.XX.XX.1/30) and a HUAWEI (6mbps, Ethernet
> 65.XX.XX.1/30); FREEBSD 5.4 + PF with XL0 (64.XX.XX.2/30), XL1
> (65.XX.XX.2/30) and XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
> to a switch; clients 192.168.0.10/24 (GW 192.168.0.254), 64.XX.XX.6/30
> (GW 64.XX.XX.5), 65.XX.XX.6/30 (GW 65.XX.XX.5) and more clients ...]
>
> I need load balancing outgoing traffic from:
> 192.168.0.0/24 (NAT)
> and 64.XX.XX.0/24, 65.XX.XX.0/24
>
> Is it possible to make this balancing with PF? Is there some software
> with which I can do this? Can Zebra help me?
> Does this type of balancing cause problems for the browsing of NAT users
> or users with valid IPs?
> If it is possible, I would like to see examples with rules.
>
> Thanks,
>

If you do not manage to come right with PF, I have a working example of a similar setup using IPFW & natd. Let me know if you would like the config files.
Regards
Graham

Message-Id: <1130514267.81705.101.camel@localhost>
Date: Fri, 28 Oct 2005 11:44:27 -0400
From: Corey Smith
To: G Bryant
In-Reply-To: <43624181.5010305@roamingsolutions.net>
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org, FreeBSD
Subject: Re: Load Balancing Outgoing, its possible ?

On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
> Daniel Dias Gonçalves wrote:
>
> > Is it possible to do this balancing with PF?
> > Is there some software that does this? Can Zebra help me?
> > Does this type of balancing cause problems for the browsing of
> > NAT users or users with valid IPs?
> > If it is possible, I would like to see examples with rules.
> >

It would be much better to do per-flow load balancing than per-packet. With per-packet, your TCP flows will arrive out of order, which is a bad situation since it will lead to a large number of retransmissions and zero-window acknowledgments.

The only tunable to help correct that is to allow selective acknowledgments.

You are going to get much higher utilization on your load balanced lines by using per-flow with multiple TCP connections.

Anybody know how to implement per-flow load balancing in FreeBSD? Are multiple default routes supported?

It would be beautiful if you could put multiple routes with the same metric into the kernel and then the kernel would enable per-flow load balancing of the routes...

-Corey Smith
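Corey's per-flow versus per-packet point, as an added example that is not part of the thread: a small Python simulation with two constructed uplinks (named after the diagram's xl0/xl1, with assumed one-way delays) that counts how many packets of one TCP flow arrive out of order under round-robin sharing versus a 5-tuple hash, and shows that the hash still spreads many flows over both links.

```python
"""Added example (not from the thread): why per-packet load sharing reorders
a TCP flow while a 5-tuple hash keeps each flow on one uplink."""
import hashlib
import itertools

LINKS = [("xl0", 10), ("xl1", 25)]  # constructed uplinks: (name, one-way delay ms)


def flow_key(pkt):
    """Hash the 5-tuple so every packet of a flow maps to the same link."""
    tup = f"{pkt['proto']}|{pkt['src']}:{pkt['sport']}|{pkt['dst']}:{pkt['dport']}"
    return int.from_bytes(hashlib.sha256(tup.encode()).digest()[:4], "big")


def per_flow_chooser(pkt):
    return LINKS[flow_key(pkt) % len(LINKS)]


def per_packet_chooser():
    """Round-robin: consecutive packets alternate between the links."""
    rr = itertools.cycle(LINKS)
    return lambda pkt: next(rr)


def deliver(packets, chooser):
    """Packets leave 1 ms apart; return their seq numbers in arrival order."""
    arrivals = []
    for sent_at, pkt in enumerate(packets):
        _name, delay = chooser(pkt)
        arrivals.append((sent_at + delay, sent_at, pkt["seq"]))
    return [seq for _, _, seq in sorted(arrivals)]


def count_reordered(order):
    """Packets arriving behind a higher seq: what drives dup-ACKs and retransmits."""
    highest, late = -1, 0
    for seq in order:
        late, highest = late + (seq < highest), max(highest, seq)
    return late


def tcp_flow(n, sport=40000):
    """Constructed TCP flow from a LAN client (as in the diagram) to one web server."""
    return [{"proto": "tcp", "src": "192.168.0.10", "sport": sport,
             "dst": "203.0.113.7", "dport": 80, "seq": i} for i in range(n)]


def compare(n=20):
    """Return (reordered packets per-packet, reordered packets per-flow)."""
    per_packet = count_reordered(deliver(tcp_flow(n), per_packet_chooser()))
    per_flow = count_reordered(deliver(tcp_flow(n), per_flow_chooser))
    return per_packet, per_flow


def links_used(flows):
    """Uplinks a set of flows lands on under per-flow hashing (both, for many flows)."""
    return {per_flow_chooser(f[0])[0] for f in flows}
```

With the assumed delays, `compare(20)` returns (9, 0): nine of twenty packets overtake an earlier one under round-robin, none under per-flow hashing.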
Message-ID: <43624BCE.6010907@dgnetwork.com.br>
Date: Fri, 28 Oct 2005 14:03:26 -0200
From: Daniel Dias Gonçalves
Organization: DGNET Network Solutions
To: Corey Smith, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <1130514267.81705.101.camel@localhost>
Reply-To: daniel@dgnetwork.com.br
Subject: Re: Load Balancing Outgoing, its possible ?

Corey Smith wrote:
> On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
> > Daniel Dias Gonçalves wrote:
> > > Is it possible to do this balancing with PF? Is there some
> > > software that does this? Can Zebra help me?
> > > Does this type of balancing cause problems for the browsing of
> > > NAT users or users with valid IPs?
> > > If it is possible, I would like to see examples with rules.
>
> It would be much better to do per-flow load balancing than per-packet.
> With per-packet, your TCP flows will arrive out of order, which is a bad
> situation since it will lead to a large number of retransmissions and
> zero-window acknowledgments.
>
> The only tunable to help correct that is to allow selective
> acknowledgments.
>
> You are going to get much higher utilization on your load balanced lines
> by using per-flow with multiple TCP connections.
>
> Anybody know how to implement per-flow load balancing in FreeBSD? Are
> multiple default routes supported?
>
> It would be beautiful if you could put multiple routes with the same
> metric into the kernel and then the kernel would enable per-flow load
> balancing of the routes...

It would be very good if we could make this.

> -Corey Smith

What is the solution?

-- 
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
(37) 99824809

Message-Id: <1130516624.81705.107.camel@localhost>
Date: Fri, 28 Oct 2005 12:23:44 -0400
From: Corey Smith
To: daniel@dgnetwork.com.br
In-Reply-To: <43624BCE.6010907@dgnetwork.com.br>
Cc:
  freebsd-net@freebsd.org, freebsd-pf@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: Load Balancing Outgoing, its possible ?

On Fri, 2005-10-28 at 14:03 -0200, Daniel Dias Gonçalves wrote:
> It would be very good if we could make this.
>
> What is the solution?

Linux supports this feature if you build advanced routing options into the kernel.

The only FreeBSD code I've seen to do something like this is at:

http://www.dsm.fordham.edu/~tanzer/multipath/

Unfortunately it hasn't been updated past FreeBSD 4.8.

Maybe a FreeBSD winter-of-code project? :) Any takers?

-Corey Smith

Date: Sat, 29 Oct 2005 13:01:05 +0200
From: Jeremie Le Hen
To: Eric Masson
Message-ID: <20051029110105.GA38361@obiwan.tataz.chchile.org>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?

Hi, Eric, Yvan,

> The enc(4) interface doesn't exist in FreeBSD.
>
> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

I also use gif(4) for now as a workaround. I would like to be more precise for the records though.

AFAIK, OpenBSD's enc(4) interface sees traffic from an IPSec session, whether in transport or tunnel mode. When tunnel mode is used, you should see IP-encapsulated traffic and thus use the "ipencap" keyword in pf (as stated in OpenBSD's vpn(8) manual page).

FreeBSD doesn't have the enc(4) interface. It will not be able to see traffic in either transport or tunnel mode, and as Eric stated, the kernel does have to check the SPD policy in addition to the routing table.
To work around this, you can use gif(4), which will basically do IP-over-IP encapsulation, and then use IPSec transport mode to encrypt the traffic whose upper protocol is IPv4:

% ifconfig gif0 tunnel 1.2.3.4 5.6.7.8
% setkey -c <<EOF
# spdadd is a setkey(8) directive; these policies are for the 1.2.3.4 end,
# where local -> remote (1.2.3.4 -> 5.6.7.8) is the outbound direction
spdadd 1.2.3.4 5.6.7.8 ip4 -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 ip4 -P in ipsec esp/transport//require;
EOF

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
Message-ID: <4363CD03.9050408@gmail.com>
Date: Sat, 29 Oct 2005 21:26:59 +0200
From: Szukács István
To: Josh Finlay, freebsd-pf@freebsd.org
In-Reply-To: <001801c5dc11$4e2f61d0$0132a8c0@delta>
Subject: Re: FreeBSD + MPD + PF + ALTQ

But if you define a queue on a device, every packet will match the default queue, no?

Sorry, I didn't check the reply mail address, so the last mail was:

"What if I have a file server on this machine too, and I need 100Mbit to access the file server? I mean, then I need a 100M queue for internal traffic and 128K for internet traffic, right? Is this possible to do?"

Josh Finlay wrote:
> Well maybe you would need to only queue on IPs 192.168.0.0/24
> and ignore the queue for !192.168.0.0/24
>
> I'm not sure how to go about this
> but I've seen it done before ;)
>
>