From owner-freebsd-pf@FreeBSD.ORG Mon Aug 27 11:08:29 2007
Date: Mon, 27 Aug 2007 11:08:28 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf         [net] [pf] pfctl -k dont works

6 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 00:10:10 2007
Date: Mon, 27 Aug 2007 19:10:07 -0500
From: "Bill Marquette"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On 8/22/07, Max Laier wrote:
> There are two reasons why we increase the send error counter.  Either the
> internal deferred work queue is full or ip_output fails.  Could you
> locate "pfsyncstats.pfsyncs_oerrors++" in your source code and replace
> either occurrence with a printf().  Maybe use the attached.  This way we
> will know what exactly fails and if it is ip_output, why.

Here's what we get with the patch:
pfsync_senddef: ip_output 64

# netstat -s -p pfsync
pfsync:
        1264507 packets received (IPv4)
        0 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for bad ttl
                0 packets shorter than header
                0 packets discarded for bad version
                0 packets discarded for bad HMAC
                0 packets discarded for bad action
                0 packets discarded for short packet
                0 states discarded for bad values
                0 stale states
                115608 failed state lookup/inserts
        86591 packets sent (IPv4)
        0 packets sent (IPv6)
                0 send failed due to mbuf memory error
                37231 send error

and a dmesg

# dmesg
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE-p6 #0: Mon Aug 27 17:24:24 UTC 2007
    root@hostname.somedomain.com:/usr/obj/usr/src/sys/HA-PFOPTS-SYNCDEBUG
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2790.97-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf27  Stepping = 7
  Features=0xbfebfbff
  Features2=0x4400>
  Logical CPUs per core: 2
real memory  = 1073717248 (1023 MB)
avail memory = 1041539072 (993 MB)
ACPI APIC Table:
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 irqs 0-15 on motherboard
ioapic1 irqs 16-31 on motherboard
ioapic2 irqs 32-47 on motherboard
ioapic3 irqs 48-63 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x920-0x923 on acpi0
cpu0: on acpi0
pcib0: on acpi0
pci0: on pcib0
pci0: at device 3.0 (no driver attached)
pci0: at device 4.0 (no driver attached)
pci0: at device 4.2 (no driver attached)
isab0: at device 15.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x2000-0x200f at device 15.1 on pci0
ata0: on atapci0
ata1: on atapci0
ohci0: mem 0xf5ef0000-0xf5ef0fff irq 7 at device 15.2 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: on ohci0
usb0: USB revision 1.0
uhub0: (0x1166) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pcib1: on acpi0
pci1: on pcib1
ciss0: port 0x3000-0x30ff mem 0xf7cc0000-0xf7cfffff,0xf7bf0000-0xf7bf3fff irq 30 at device 3.0 on pci1
ciss0: [GIANT-LOCKED]
pcib2: on acpi0
pci2: on pcib2
pcib3: on acpi0
pci3: on pcib3
em0: port 0x4000-0x403f mem 0xf7de0000-0xf7dfffff irq 20 at device 1.0 on pci3
em0: Ethernet address: 00:07:e9:10:d6:58
em1: port 0x4040-0x407f mem 0xf7dc0000-0xf7ddffff irq 21 at device 1.1 on pci3
em1: Ethernet address: 00:07:e9:10:d6:59
pcib4: on acpi0
pci6: on pcib4
em2: port 0x5000-0x503f mem 0xf7fe0000-0xf7ffffff,0xf7f80000-0xf7fbffff irq 24 at device 1.0 on pci6
em2: Ethernet address: 00:04:23:a7:0f:0e
em3: port 0x5040-0x507f mem 0xf7f60000-0xf7f7ffff,0xf7f00000-0xf7f3ffff irq 25 at device 1.1 on pci6
em3: Ethernet address: 00:04:23:a7:0f:0f
pci6: at device 30.0 (no driver attached)
acpi_tz0: on acpi0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Generic PS/2 mouse, device ID 0
sio0: port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
fdc0: port 0x3f2-0x3f5 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
pmtimer0 on isa0
orm0: at iomem 0xc0000-0xc7fff,0xc8000-0xcbfff,0xee000-0xeffff on isa0
ppc0: parallel port not found.
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2790968808 Hz quality 800
Timecounters tick every 1.000 msec
acd0: CDROM at ata0-master PIO4
da0 at ciss0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-0 device
da0: 135.168MB/s transfers
da0: 34727MB (71122560 512 byte sectors: 255H 32S/T 8716C)
Trying to mount root from ufs:/dev/da0s2a
pfsync_senddef: ip_output 64

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 00:23:31 2007
Date: Tue, 28 Aug 2007 02:23:07 +0200
From: Max Laier
To: "Bill Marquette"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On Tuesday 28 August 2007, Bill Marquette wrote:
> On 8/22/07, Max Laier wrote:
> > There are two reasons why we increase the send error counter.  Either
> > the internal deferred work queue is full or ip_output fails.  Could
> > you locate "pfsyncstats.pfsyncs_oerrors++" in your source code and
> > replace either occurrence with a printf().  Maybe use the attached.
> > This way we will know what exactly fails and if it is ip_output, why.
>
> Here's what we get with the patch:
> pfsync_senddef: ip_output 64

that's EHOSTDOWN ... that's strange.  Are you using syncpeer?

> # netstat -s -p pfsync
> pfsync:
>         1264507 packets received (IPv4)
>         0 packets received (IPv6)
>                 0 packets discarded for bad interface
>                 0 packets discarded for bad ttl
>                 0 packets shorter than header
>                 0 packets discarded for bad version
>                 0 packets discarded for bad HMAC
>                 0 packets discarded for bad action
>                 0 packets discarded for short packet
>                 0 states discarded for bad values
>                 0 stale states
>                 115608 failed state lookup/inserts
>         86591 packets sent (IPv4)
>         0 packets sent (IPv6)
>                 0 send failed due to mbuf memory error
>                 37231 send error
>

But since the send error still increases it seems as if the internal queue
is overflowing, too.  This is something that must be fixed as well, but I
think the EHOSTDOWN from ip_output is more serious.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 04:14:09 2007
Date: Mon, 27 Aug 2007 23:14:06 -0500
From: "Bill Marquette"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors

On 8/27/07, Max Laier wrote:
> On Tuesday 28 August 2007, Bill Marquette wrote:
> > On 8/22/07, Max Laier wrote:
> > > There are two reasons why we increase the send error counter.  Either
> > > the internal deferred work queue is full or ip_output fails.  Could
> > > you locate "pfsyncstats.pfsyncs_oerrors++" in your source code and
> > > replace either occurrence with a printf().  Maybe use the attached.
> > > This way we will know what exactly fails and if it is ip_output, why.
> >
> > Here's what we get with the patch:
> > pfsync_senddef: ip_output 64
>
> that's EHOSTDOWN ... that's strange.  Are you using syncpeer?

I'll double check this, but with the reboot this box shouldn't be.  I
had configured them to use syncpeer during troubleshooting (we'd had
issues prior to setting this).

> But since the send error still increases it seems as if the internal queue
> is overflowing, too.  This is something that must be fixed as well, but I
> think the EHOSTDOWN from ip_output is more serious.

OK, I'll spend some more time on this in the morning and confirm all
our settings.  It's most interesting to me that those stats came from
the secondary unit, not the primary (which isn't quite as easy to take
down - even more so with our state tables not quite in sync).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 10:19:27 2007
Date: Tue, 28 Aug 2007 20:19:42 +1000
From: jonathan michaels
To: freebsd-pf
Subject: pflogd and newsyslog messages

greetings all,

i had a few words with another person who posted a similar report. i do
not think that this (what is happening) is an error but i cannot find out
why or understand how this is happening .. i would appreciate some
assistance with finding out, please.

the machine is a recycled p5 133 mhz with buslogic (bt-958) SCSI host
adapter, a couple of scsi drives (hdd and cd) and 64 mb dram, a digital
21040 10 mhz nic (de0) std tsenglabs 4000 video card. this makes for a
nice gateway/router machine. it has worked at this job for some 15/20
years and sits behind an uninterruptible (sine-wave conditioner and 2kva
battery).

it started out with freebsd v2.0.5-release and is now running freebsd
v6.2-release. it ran freebsd v2 from 199? (when it was released) until a
couple of months ago when i formatted the disk-drives and did a clean disk
installation of freebsd v6.2-release.

sorry i do not have much skill with freebsd v6 and none with pf (i have
been a ipfw user, the one based on v2.0.5).

i noticed these log message entries in /var/log/debug.log with this
entry.

Aug 25 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
Aug 26 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
Aug 27 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
Aug 28 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received

i changed the /etc/newsyslog(5) entry so that it would gather the data in
one file once a day, makes it easier to use tools like ethereal to view
the day's entries/data/happenings/stuff, when the newsyslog entry was as
original this log entry would happen 3 or 4 times a day, as per my
original reply to Michael and his error report, that is why i thought
that my situation was like his, and it was an error report.

uuum i am not, sorry, i do not know what is happening here, would
somebody explain to me what is happening and why pflogd is making this
log entry, please.

i looked at Google, there was only one entry but it was associated with
an error situation, a fatal trap 12 in fact, mine is not like that, it
appears to be pflogd telling me that it is doing, something, i do not
understand.

is it possible to turn this off ?? will it hide something if i turn this
off ??

kind regards

jonathan

please excuse my typing/spelling, english is not my first language and i
am disabled from birth.

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 10:43:02 2007
Date: Tue, 28 Aug 2007 12:42:47 +0200
From: Daniel Hartmeier
To: jonathan michaels
Cc: freebsd-pf
Subject: Re: pflogd and newsyslog messages

On Tue, Aug 28, 2007 at 08:19:42PM +1000, jonathan michaels wrote:

> Aug 25 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 26 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 27 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> Aug 28 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received

These are perfectly normal. Once every hour, per /etc/crontab, your
cron(8) is calling newsyslog(8) to rotate log files according to
/etc/newsyslog.conf, which by default contains

  # logfilename     [owner:group]  mode count size when flags [/pid_file]          [sig_num]
  /var/log/pflog                   600  3     100  *    JB    /var/run/pflogd.pid

If an invocation finds /var/log/pflog larger than 100 kB, it will rotate
the file (rename the old file, create a new empty one) and send the
pflogd process a SIGHUP signal. The signal tells pflogd to re-open its
log file. This is necessary because the process doesn't open and close
the file each time it appends an entry, but opens the file only once on
startup and keeps appending through the open file handle. Without a
signal, pflogd wouldn't close and reopen the log file, and continue
appending to the old file. Depending on how newsyslog rotated it, that
would mean either that the old file would continue to grow or an
unlinked file (not visible with ls(1)) would grow until the last open
file handle to it is closed (when pflogd dies).

pflogd is logging the reception of the signal with the debug message you
quoted above. Usually, you wouldn't log debug level messages to a file,
but you must have edited /etc/syslog.conf to do so. So, if the messages
bother you, either don't log *.debug or specifically exclude pflogd.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 13:04:28 2007
Date: Tue, 28 Aug 2007 23:04:34 +1000
From: jonathan michaels
To: Daniel Hartmeier
Cc: freebsd-pf
Subject: Re: pflogd and newsyslog messages

daniel,

thanks and appreciations for your prompt and timely response.

On Tue, Aug 28, 2007 at 12:42:47PM +0200, Daniel Hartmeier wrote:
> On Tue, Aug 28, 2007 at 08:19:42PM +1000, jonathan michaels wrote:
>
> > Aug 25 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> > Aug 26 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> > Aug 27 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
> > Aug 28 00:00:02 ???????? pflogd[350]: [priv]: msg PRIV_OPEN_LOG received
>
> These are perfectly normal. Once every hour, per /etc/crontab, your
> cron(8) is calling newsyslog(8) to rotate log files according to
> /etc/newsyslog.conf, which by default contains
>
>   # logfilename     [owner:group]  mode count size when flags [/pid_file]          [sig_num]
>   /var/log/pflog                   600  3     100  *    JB    /var/run/pflogd.pid
>
> If an invocation finds /var/log/pflog larger than 100 kB, it will rotate

i changed mine to rotate the log at midnight, regardless of the file
size, it makes it easier for me to handle the files (amongst other things
i live with severe arthritis, that is why my typing is bad sometimes).

> the file (rename the old file, create a new empty one) and send the
> pflogd process a SIGHUP signal. The signal tells pflogd to re-open its
> log file. This is necessary because the process doesn't open and close
> the file each time it appends an entry, but opens the file only once on
> startup and keeps appending through the open file handle. Without a
> signal, pflogd wouldn't close and reopen the log file, and continue
> appending to the old file. Depending on how newsyslog rotated it, that
> would mean either that the old file would continue to grow or an
> unlinked file (not visible with ls(1)) would grow until the last open
> file handle to it is closed (when pflogd dies).
>
> pflogd is logging the reception of the signal with the debug message you
> quoted above. Usually, you wouldn't log debug level messages to a file,
> but you must have edited /etc/syslog.conf to do so. So, if the messages
> bother you, either don't log *.debug or specifically exclude pflogd.

i don't know enough to make those sorts of changes, my pf is what came
with the freebsd that i installed, thank you for this explanation, i now
understand what is going on and will make the changes to keep this out
of the log file

i have left the question and your answer in this post so that it goes into
the file/archive so that other people like me, (pf beginners) will be
able to find your answer, there is no place written this answer.

again thank you and much appreciations

kind regards

jonathan

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 28 20:44:13 2007
Date: Tue, 28 Aug 2007 15:44:10 -0500
From: "Bill Marquette" To: "Max Laier" In-Reply-To: <55e8a96c0708272114n42c0d9e7h675d1a9043bf3d80@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <55e8a96c0708221242h2d5e7d15q847e6fac7cf60554@mail.gmail.com> <200708230006.32294.max@love2party.net> <55e8a96c0708271710n82428eet8c714b9e8d30a3aa@mail.gmail.com> <200708280223.27279.max@love2party.net> <55e8a96c0708272114n42c0d9e7h675d1a9043bf3d80@mail.gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: pfsync errors X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Aug 2007 20:44:13 -0000 On 8/27/07, Bill Marquette wrote: > > > Here's what we get with the patch: > > > pfsync_senddef: ip_output 64 > > > > that's EHOSTDOWN ... that's strange. Are you using syncpeer? 
After converting both sides to using syncpeer, I now got this in my dmesg after reboot: Trying to mount root from ufs:/dev/da0s2a pfsync_senddef: ip_output 65 pfsync_senddef: ip_output 65 $ netstat -s -ppfsync && sleep 1 && netstat -s -ppfsync pfsync: 699811 packets received (IPv4) 0 packets received (IPv6) 0 packets discarded for bad interface 0 packets discarded for bad ttl 0 packets shorter than header 0 packets discarded for bad version 0 packets discarded for bad HMAC 0 packets discarded for bad action 0 packets discarded for short packet 0 states discarded for bad values 0 stale states 61740 failed state lookup/inserts 46728 packets sent (IPv4) 0 packets sent (IPv6) 0 send failed due to mbuf memory error 23020 send error pfsync: 704677 packets received (IPv4) 0 packets received (IPv6) 0 packets discarded for bad interface 0 packets discarded for bad ttl 0 packets shorter than header 0 packets discarded for bad version 0 packets discarded for bad HMAC 0 packets discarded for bad action 0 packets discarded for short packet 0 states discarded for bad values 0 stale states 62032 failed state lookup/inserts 47070 packets sent (IPv4) 0 packets sent (IPv6) 0 send failed due to mbuf memory error 23221 send error The other pfsyncstats.pfsyncs_oerrors++ is after a IF_HANDOFF macro, I traced it back to if_handoff() in if.c, but I'm not sure how to track it down any further as it look like it's _IF_QFULL(ifq) that's triggering the return 0. I'm going to toy with some settings for the em(4) driver in loader.conf and see if I can raise the txd and rxd descriptors since we're not running on 82542 or 82543 chipped hardware we can go above 256 descriptors. 

--Bill

From: Max Laier
Organization: FreeBSD
To: "Bill Marquette"
Cc: freebsd-pf@freebsd.org
Date: Tue, 28 Aug 2007 22:53:38 +0200
Message-Id: <200708282253.46740.max@love2party.net>
In-Reply-To: <55e8a96c0708281344y62bbb152k3f2a7e9d375a2acd@mail.gmail.com>
Subject: Re: pfsync errors

On Tuesday 28 August 2007, Bill Marquette wrote:
> On 8/27/07, Bill Marquette wrote:
> > > > Here's what we get with the patch:
> > > > pfsync_senddef: ip_output 64
> > >
> > > that's EHOSTDOWN ... that's strange.  Are you using syncpeer?
>
> After converting both sides to using syncpeer, I now got this in my
> dmesg after reboot:
>
> Trying to mount root from ufs:/dev/da0s2a
> pfsync_senddef: ip_output 65
> pfsync_senddef: ip_output 65
>
> $ netstat -s -ppfsync && sleep 1 && netstat -s -ppfsync
> pfsync:
>         699811 packets received (IPv4)
>         0 packets received (IPv6)
>         0 packets discarded for bad interface
>         0 packets discarded for bad ttl
>         0 packets shorter than header
>         0 packets discarded for bad version
>         0 packets discarded for bad HMAC
>         0 packets discarded for bad action
>         0 packets discarded for short packet
>         0 states discarded for bad values
>         0 stale states
>         61740 failed state lookup/inserts
>         46728 packets sent (IPv4)
>         0 packets sent (IPv6)
>         0 send failed due to mbuf memory error
>         23020 send error
> pfsync:
>         704677 packets received (IPv4)
>         0 packets received (IPv6)
>         0 packets discarded for bad interface
>         0 packets discarded for bad ttl
>         0 packets shorter than header
>         0 packets discarded for bad version
>         0 packets discarded for bad HMAC
>         0 packets discarded for bad action
>         0 packets discarded for short packet
>         0 states discarded for bad values
>         0 stale states
>         62032 failed state lookup/inserts
>         47070 packets sent (IPv4)
>         0 packets sent (IPv6)
>         0 send failed due to mbuf memory error
>         23221 send error
>
> The other pfsyncstats.pfsyncs_oerrors++ is after an IF_HANDOFF macro, I
> traced it back to if_handoff() in if.c, but I'm not sure how to track
> it down any further as it looks like it's _IF_QFULL(ifq) that's
> triggering the return 0.
>
> I'm going to toy with some settings for the em(4) driver in
> loader.conf and see if I can raise the txd and rxd descriptors since
> we're not running on 82542 or 82543 chipped hardware we can go above
> 256 descriptors.

No that's the internal work deferral queue.  Try something like the
following in contrib/pf/net/if_pfsync.c:

@@ -229,7 +229,7 @@ callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE); callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE); callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE); =2D sc->sc_ifq.ifq_maxlen =3D ifqmaxlen; + sc->sc_ifq.ifq_maxlen =3D 2 * ifqmaxlen; mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue", MTX_DEF); if_attach(ifp);

But there might be other reasons like timing wrt the locks.  I'll have to
check for details.  It might also be a good idea to MFC the taskqueue
approach from CURRENT, rather than using the callout ... that's a bit of
work however.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
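
Review bot: the factor in the added line `sc->sc_ifq.ifq_maxlen = 2 * ifqmaxlen;` is a bare magic number, and nothing in the hunk says why the pfsync send queue should be twice the default depth. If a deeper queue is the intended fix, give the multiplier a name or make the depth a tunable, and add a comment next to the `mtx_init(... "pfsync send queue" ...)` call explaining the sizing. A fixed doubling only raises the limit; it does not change what happens once the queue is full.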

Message-ID: <55e8a96c0708281453y2a4a7ffdw1c5959a3c6fef7b9@mail.gmail.com>
Date: Tue, 28 Aug 2007 16:53:39 -0500
From: "Bill Marquette"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200708282253.46740.max@love2party.net>
Subject: Re: pfsync errors

On 8/28/07, Max Laier wrote:
> > I'm going to toy with some settings for the em(4) driver in
> > loader.conf and see if I can raise the txd and rxd descriptors since
> > we're not running on 82542 or 82543 chipped hardware we can go above
> > 256 descriptors.

Raised it to 4096 for both txd and rxd with no impact (may help
something else, who knows).

> No that's the internal work deferral queue.  Try something like the
> following in contrib/pf/net/if_pfsync.c:
>
> @@ -229,7 +229,7 @@ > callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE); > callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE); > callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE); > - sc->sc_ifq.ifq_maxlen = ifqmaxlen; > + sc->sc_ifq.ifq_maxlen = 2 * ifqmaxlen; > mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue", > MTX_DEF); > if_attach(ifp);
>
> But there might be other reasons like timing wrt the locks.  I'll have to
> check for details.  It might also be a good idea to MFC the taskqueue
> approach from CURRENT, rather than using the callout ... that's a bit of
> work however.

That seems to have halved the error rate, not sure if it's not just
the time of day though (we're now past our peak traffic load by a few
hours).

$ netstat -s -ppfsync && sleep 1 && netstat -s -ppfsync
pfsync:
        383169 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        35622 failed state lookup/inserts
        23635 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        5580 send error
pfsync:
        387782 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        35711 failed state lookup/inserts
        23876 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        5676 send error

--Bill
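
The before/after comparison in the message above rests on the difference between two snapshots taken one second apart. The following is an added example, not code from the thread or from FreeBSD: it parses the counter lines quoted in the thread and reports the per-interval deltas, plus send errors per packet sent so that a change in traffic volume is not mistaken for a change in error rate. The function and struct names are made up for the illustration.

```c
/* Added example, not code from the thread: per-interval pfsync counter
 * deltas from two `netstat -s -ppfsync` snapshots taken one second apart. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counter lines copied from the snapshots quoted in the thread; counters
 * that read 0 in every snapshot are mostly left out to keep this short. */
static const char BEFORE_1[] =
    "pfsync:\n\t699811 packets received (IPv4)\n"
    "\t61740 failed state lookup/inserts\n\t46728 packets sent (IPv4)\n"
    "\t0 send failed due to mbuf memory error\n\t23020 send error\n";
static const char BEFORE_2[] =
    "pfsync:\n\t704677 packets received (IPv4)\n"
    "\t62032 failed state lookup/inserts\n\t47070 packets sent (IPv4)\n"
    "\t0 send failed due to mbuf memory error\n\t23221 send error\n";
static const char AFTER_1[] =
    "pfsync:\n\t383169 packets received (IPv4)\n"
    "\t35622 failed state lookup/inserts\n\t23635 packets sent (IPv4)\n"
    "\t0 send failed due to mbuf memory error\n\t5580 send error\n";
static const char AFTER_2[] =
    "pfsync:\n\t387782 packets received (IPv4)\n"
    "\t35711 failed state lookup/inserts\n\t23876 packets sent (IPv4)\n"
    "\t0 send failed due to mbuf memory error\n\t5676 send error\n";

struct pfsync_delta {
    int valid;              /* 0 if a counter is missing or went backwards */
    long sent;              /* "packets sent (IPv4)" during the interval */
    long send_err;          /* "send error" during the interval */
    long failed;            /* "failed state lookup/inserts" */
    double err_per_sent;    /* send_err / sent, 0 when nothing was sent */
};

/* Return the number printed in front of `label`, or -1 if it is absent. */
long pfsync_counter(const char *snap, const char *label)
{
    const char *hit = strstr(snap, label);
    if (hit == NULL)
        return -1;
    const char *end = hit;
    while (end > snap && (end[-1] == ' ' || end[-1] == '\t'))
        end--;                      /* skip the gap between number and label */
    const char *start = end;
    while (start > snap && isdigit((unsigned char)start[-1]))
        start--;                    /* walk back over the digits */
    if (start == end || end == hit)
        return -1;                  /* label matched in the middle of a word */
    return strtol(start, NULL, 10);
}

/* Difference between two snapshots of the same host. */
struct pfsync_delta pfsync_diff(const char *first, const char *second)
{
    static const char *labels[3] = {
        "packets sent (IPv4)", "send error", "failed state lookup/inserts"
    };
    struct pfsync_delta d = { 0, 0, 0, 0, 0.0 };
    long diff[3];

    for (int i = 0; i < 3; i++) {
        long a = pfsync_counter(first, labels[i]);
        long b = pfsync_counter(second, labels[i]);
        if (a < 0 || b < a)         /* missing counter, or counters reset */
            return d;
        diff[i] = b - a;
    }
    d.valid = 1;
    d.sent = diff[0];
    d.send_err = diff[1];
    d.failed = diff[2];
    if (d.sent > 0)
        d.err_per_sent = (double)d.send_err / (double)d.sent;
    return d;
}

int main(void)
{
    struct pfsync_delta b = pfsync_diff(BEFORE_1, BEFORE_2);
    struct pfsync_delta a = pfsync_diff(AFTER_1, AFTER_2);

    printf("before: sent %ld, send errors %ld, errors/sent %.2f\n",
           b.sent, b.send_err, b.err_per_sent);
    printf("after:  sent %ld, send errors %ld, errors/sent %.2f\n",
           a.sent, a.send_err, a.err_per_sent);
    return 0;
}
```

On the thread's figures the raw send errors drop from 201 to 96 in the one-second window while packets sent drop from 342 to 241, so part of the raw improvement tracks the lower traffic.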

Date: Thu, 30 Aug 2007 12:12:19 -0700 (PDT)
From: Lorenz Helleis
To: freebsd-pf@freebsd.org
Message-ID: <107702.63851.qm@web53701.mail.re2.yahoo.com>
Subject: ping of death

Nessus give it to me:

Mensagem:
The machine crashed when pinged with an incorrectly fragmented packet.
This is known as the 'jolt' or 'ping of death' denial of service attack.

An attacker may use this flaw to shut down this server,
thus preventing you from working properly.

Solution : contact your operating system vendor for a patch.

How can I fix this using pf ??

thanks
Lorenz

From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 30 Aug 2007 22:22:39 +0200
Message-Id: <200708302222.50629.max@love2party.net>
In-Reply-To: <107702.63851.qm@web53701.mail.re2.yahoo.com>
Subject: Re: ping of death

On Thursday 30 August 2007, Lorenz Helleis wrote:
> Nessus give it to me:
>
> Mensagem:
> The machine crashed when pinged with an incorrectly fragmented packet.
> This is known as the 'jolt' or 'ping of death' denial of service
> attack.
>
> An attacker may use this flaw to shut down this server,
> thus preventing you from working properly.
>
> Solution : contact your operating system vendor for a patch.
>
> How can I fix this using pf ??

basic scrubbing will take care of the classic 'ping of death':

        /* Respect maximum length */
        if (fragoff + ip_len > IP_MAXPACKET) {
                DPFPRINTF(("max packet %d\n", fragoff + ip_len));
                goto bad;
        }

so
  scrub in on $ext_if
should keep you safe.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
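
The length check quoted in the reply above, as an added user-space example (not pf's code and not from the thread). It assumes `fragoff` is the fragment offset in bytes and `ip_len` is the payload length of the fragment, and it runs the check over constructed header bytes; `check_fragment`, `fragment_end`, `truncated_end` and `test_header` are names made up for the illustration.

```c
/* Added example, not pf source: the "respect maximum length" test applied
 * to raw IPv4 header bytes, with the boundary cases spelled out. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAXPACKET 65535L  /* largest legal IPv4 datagram in bytes */
#define IP_OFFMASK   0x1fffu /* fragment-offset bits of the ip_off field */

enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_TOO_LONG };

/* Read a big-endian 16-bit header field. */
static unsigned rd16(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* Byte position at which this fragment's payload ends in the reassembled
 * datagram (fragoff + ip_len), or -1 if the header itself is unusable. */
long fragment_end(const uint8_t *hdr, size_t caplen)
{
    if (caplen < 20 || (hdr[0] >> 4) != 4)
        return -1;
    unsigned hlen = (hdr[0] & 0x0fu) * 4u;      /* IHL is in 32-bit words */
    unsigned tot = rd16(hdr + 2);               /* header + payload */
    if (hlen < 20 || hlen > caplen || tot < hlen)
        return -1;
    unsigned fragoff = (rd16(hdr + 6) & IP_OFFMASK) << 3; /* 8-byte units */
    unsigned ip_len = tot - hlen;               /* assumption: payload only */
    return (long)fragoff + (long)ip_len;        /* wide enough not to wrap */
}

/* The check itself: anything that would reassemble past 65535 is rejected. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t caplen)
{
    long end = fragment_end(hdr, caplen);
    if (end < 0)
        return FRAG_MALFORMED;
    return end > IP_MAXPACKET ? FRAG_TOO_LONG : FRAG_OK;
}

/* What the same sum looks like if it is kept in a 16-bit variable: the
 * oversize case wraps to a small number and would pass a naive test. */
unsigned truncated_end(const uint8_t *hdr, size_t caplen)
{
    return (uint16_t)fragment_end(hdr, caplen);
}

/* Build a constructed 20-byte header for the checks below. The checksum is
 * left at zero (it is not validated here); addresses are documentation
 * addresses from 192.0.2.0/24. */
void test_header(uint8_t h[20], unsigned tot_len, unsigned off_units,
                 int more_frags)
{
    unsigned off = (off_units & IP_OFFMASK) | (more_frags ? 0x2000u : 0u);

    memset(h, 0, 20);
    h[0] = 0x45;                                /* IPv4, IHL 5 */
    h[2] = (uint8_t)(tot_len >> 8);
    h[3] = (uint8_t)(tot_len & 0xffu);
    h[6] = (uint8_t)(off >> 8);
    h[7] = (uint8_t)(off & 0xffu);
    h[8] = 64;                                  /* TTL */
    h[9] = 1;                                   /* ICMP */
    h[12] = 192; h[13] = 0; h[14] = 2; h[15] = 1;
    h[16] = 192; h[17] = 0; h[18] = 2; h[19] = 2;
}

int main(void)
{
    static const char *name[] = { "ok", "malformed", "too long" };
    uint8_t h[20];

    test_header(h, 84, 0, 0);       /* unfragmented, 64 payload bytes */
    printf("plain datagram: %s\n", name[check_fragment(h, sizeof h)]);

    test_header(h, 43, 8189, 0);    /* ends exactly at byte 65535 */
    printf("ends at 65535:  %s\n", name[check_fragment(h, sizeof h)]);

    test_header(h, 44, 8189, 0);    /* one byte past the limit */
    printf("ends at 65536:  %s (16-bit sum would read %u)\n",
           name[check_fragment(h, sizeof h)], truncated_end(h, sizeof h));
    return 0;
}
```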

Date: Thu, 30 Aug 2007 16:05:50 -0400
From: "Chris Buechler"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <107702.63851.qm@web53701.mail.re2.yahoo.com>
Subject: Re: ping of death

On 8/30/07, Lorenz Helleis wrote:
> Nessus give it to me:
>
> Mensagem:
> The machine crashed when pinged with an incorrectly fragmented packet.
> This is known as the 'jolt' or 'ping of death' denial of service attack.
>
> An attacker may use this flaw to shut down this server,
> thus preventing you from working properly.
>
> Solution : contact your operating system vendor for a patch.
>
> How can I fix this using pf ??
>

You'll have to be a whole lot more specific - did a machine actually
crash?  If not, that's a false positive from Nessus. If so, what
machine crashed? One running FreeBSD with pf? One behind a firewall
running FreeBSD with pf?

-Chris

From: "Ricardo Benq"
To: freebsd-pf@freebsd.org
Date: Fri, 31 Aug 2007 13:24:39 +0000
Subject: Updating PF

Hello,

I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in
rc.conf) and also using Firewall Builder.
How do I know what version is running?
What are the options to update PF? Is there a how-to?

Thanks in Advance, Ben.

P.S.: I'm not good with compiling source code and stuff :(

Date: Fri, 31 Aug 2007 16:01:18 +0200
From: Gergely CZUCZY
To: Ricardo Benq
Cc: freebsd-pf@freebsd.org
Message-ID: <20070831140118.GA9900@harmless.hu>
Subject: Re: Updating PF

On Fri, Aug 31, 2007 at 01:24:39PM +0000, Ricardo Benq wrote:
> Hello,
>
> I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in rc.conf) and also using Firewall Builder.
> How do I know what version is running?
> What are the options to update PF? Is there a how-to?
wait for 7.0-RELEASE and use that.
it's not something that you can just upgrade out of the system

and why would you like to update it?

Sincerely,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

From: "Greg Hennessy"
To: "'Ricardo Benq'"
Date: Fri, 31 Aug 2007 15:13:30 +0100
Message-ID: <000e01c7ebd9$1b94ddc0$52be9940$@Hennessy@nviz.net>
Subject: RE: Updating PF

> Hello,
>
> I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in
> rc.conf) and also using Firewall Builder.

Updating why exactly ?

> How do I know what version is running?

You are running the version of PF which ships as standard with FreeBSD 6.1.
Which IIRC is the same as shipped with OpenBSD 3.6.

> What are the options to update PF? Is there a how-to?

Yes, update your kernel to whatever the last STABLE release of 6.1 is.

> Thanks in Advance, Ben.
>
> P.S.: I'm not good with compiling source code and stuff

Time to learn, it's not hard and the handbook is your friend.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

greg

Date: Fri, 31 Aug 2007 16:16:57 +0200
From: Gergely CZUCZY
To: "Sam Fourman Jr."
Cc: freebsd-pf@freebsd.org
Message-ID: <20070831141657.GA11440@harmless.hu>
In-Reply-To: <11167f520708310713l6823d6a5g8607ea395e8d5b78@mail.gmail.com>
Subject: Re: Updating PF

On Fri, Aug 31, 2007 at 09:13:58AM -0500, Sam Fourman Jr. wrote:
> On 8/31/07, Gergely CZUCZY wrote:
> > On Fri, Aug 31, 2007 at 01:24:39PM +0000, Ricardo Benq wrote:
> > > Hello,
> > >
> > > I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in rc.conf) and also using Firewall Builder.
> > > How do I know what version is running?
> > > What are the options to update PF? Is there a how-to?
> > wait for 7.0-RELEASE and use that.
>
> Would you happen to know when they will have a 7.0 RC out?
as usual. "real soon" (tm) :)
http://www.freebsd.org/releases/7.0R/schedule.html

Sincerely,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

Message-ID: <11167f520708310713l6823d6a5g8607ea395e8d5b78@mail.gmail.com>
Date: Fri, 31 Aug 2007 09:13:58 -0500
From: "Sam Fourman Jr."
To: "Gergely CZUCZY"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20070831140118.GA9900@harmless.hu>
Subject: Re: Updating PF

On 8/31/07, Gergely CZUCZY wrote:
> On Fri, Aug 31, 2007 at 01:24:39PM +0000, Ricardo Benq wrote:
> > Hello,
> >
> > I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in rc.conf) and also using Firewall Builder.
> > How do I know what version is running?
> > What are the options to update PF? Is there a how-to?
> wait for 7.0-RELEASE and use that.

Would you happen to know when they will have a 7.0 RC out?

> it's not something that you can just upgrade out of the system
>
> and why would you like to update it?
>
> Sincerely,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu
>
> --
> Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 31 17:08:32 2007
In-Reply-To: <20070831141657.GA11440@harmless.hu>
From: "Ricardo Benq"
To: phoemix@harmless.hu, sfourman@gmail.com
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Aug 2007 17:06:40 +0000
Subject: Re: Updating PF

The "problem" I'm facing is that Firewall Builder generates rules for PF 3.x and 4.x, and the rules for PF 4.x don't work (I get a syntax error when loading them).

This way I thought I have an old version of PF, and since I'm still testing its functionalities to see if it's worth using in a production environment, I think it is a good idea to have the latest version.

Also, the option for "Pass all outgoing" in Firewall Builder doesn't seem to work well. It has to generate both IN and OUT rules... but this may be a Firewall Builder issue rather than a PF bug.

From: Gergely CZUCZY
To: "Sam Fourman Jr."
CC: Ricardo Benq, freebsd-pf@freebsd.org
Subject: Re: Updating PF
Date: Fri, 31 Aug 2007 16:16:57 +0200

On Fri, Aug 31, 2007 at 09:13:58AM -0500, Sam Fourman Jr. wrote:
> On 8/31/07, Gergely CZUCZY wrote:
> > On Fri, Aug 31, 2007 at 01:24:39PM +0000, Ricardo Benq wrote:
> > > Hello,
> > >
> > > I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in rc.conf) and also using Firewall Builder.
> > > How do I know what version is running?
> > > What are the options to update PF? Is there a how-to?
> > wait for 7.0-RELEASE and use that.
>
> Would you happen to know when they will have a 7.0 RC out?

as usual. "real soon" (tm) :)
http://www.freebsd.org/releases/7.0R/schedule.html

Sincerely,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 31 17:53:52 2007
From: Paul Matlock
To: Ricardo Benq
Cc: freebsd-pf@freebsd.org
Date: Fri, 31 Aug 2007 14:21:25 -0300
Message-Id: <1188580885.4676.7.camel@kimura>
Subject: Re: Updating PF

On Fri, 2007-31-08 at 17:06 +0000, Ricardo Benq wrote:
> This way I thought I have an old version of PF and since I'm still testing
> its functionalities to see if its worth using in a production environment I
> think is a good idea to have the latest version.

It may be best for you to use OpenBSD 4.1 if you want to test the latest version of PF. There has been a score of changes since OpenBSD 3.6.

Oh, and it is definitely worth using in a production environment. I've been running it for a few years, we replaced a checkpoint vpn network with it and have never looked back :-)

Paul

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 31 18:52:31 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Greg Hennessy
Date: Fri, 31 Aug 2007 20:51:53 +0200
Message-Id: <200708312052.08070.max@love2party.net>
In-Reply-To: <000e01c7ebd9$1b94ddc0$52be9940$@Hennessy@nviz.net>
Subject: Re: Updating PF

On Friday 31 August 2007, Greg Hennessy wrote:
> > Hello,
> >
> > I'm using PF from a 6.1 FreeBSD kernel (Just added pf_enable="YES" in
> > rc.conf) and also using Firewall Builder.
>
> Updating why exactly ?
>
> > How do I know what version is running?
>
> You are running the version of PF which ships as standard with FreeBSD
> 6.1. Which IIRC is the same as shipped with OpenBSD 3.6.

3.7 in RELENG_6, 3.5 in RELENG_5, 4.1 in what is to become RELENG_7.

> > What are the options to update PF? Is there a how-to?
>
> Yes, update your kernel to whatever the last STABLE release of 6.1 is.

There are also patches for RELENG_6 to update to 4.1 pf, but given your inexperience with compilation that might not be the best choice for you. In any case, they are at: http://people.freebsd.org/~mlaier/PF41/ with instructions.

If this box can take a downtime once in a while (i.e. not 100% mission critical) and you are interested in helping, then consider running the latest CURRENT. It is in good shape and has the newest pf (4.1). Just grab a snapshot or compile from source.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Sep 1 08:44:47 2007
From: "Greg Hennessy"
To: "'Max Laier'"
Date: Sat, 1 Sep 2007 09:44:39 +0100
Message-ID: <001701c7ec74$581b3cd0$0851b670$@Hennessy@nviz.net>
In-Reply-To: <200708312052.08070.max@love2party.net>
Subject: RE: Updating PF

> > You are running the version of PF which ships as standard with FreeBSD
> > 6.1. Which IIRC is the same as shipped with OpenBSD 3.6.
>
> 3.7 in RELENG_6, 3.5 in RELENG_5, 4.1 in what is to become RELENG_7.

My mistake Max :-), thanks for the correction.

> If this box can take a downtime once in a while (i.e. not 100% mission
> critical) and you are interested in helping, then consider running the
> latest CURRENT. It is in good shape and has the newest pf (4.1).

I would concur.

> Just
> grab a snapshot or compile from source.

Given that the OP is not confident building from source and is treating the installation as an appliance by using FWBuilder to manage security policy, unless he has driver issues, I would second the advice w.r.t. installing OpenBSD 4.1 instead.

Greg