From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 10:48:27 2006
From: "Gloomy Group"
To: freebsd-pf@freebsd.org
Date: Sun, 29 Oct 2006 10:48:23 +0000
Subject: pf altq not showing root traffic

Hi,

I have set up pf and altq traffic shaping on FreeBSD 6.1. My configuration is as follows;

ext_if="rl0"
int_if="rl1"

table {192.168.0.1/27}
scrub in all

altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down}
altq on $ext_if hfsc bandwidth 256Kb queue{client1_up, default_up }

# define queue for download
queue default_down bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
queue default_up bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)

queue client1_down bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)

# define queue for upload
queue client1_up bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)

pass out quick on $int_if from any to queue client1_down label client1_down
pass out quick on ext_if from to any queue client1_up label client1_up
---------------------------------------------------------------------------------------------------

Shaping is working fine, except root_rl0 and root_rl1 traffic is not shown.
What's wrong with my configuration?
Below is the output of the "pfctl -s queue -v" command:

bw-shaper# pfctl -s queue -v
queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
  [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
  [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
  [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
  [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]

Ohcarol.
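
An added example, not part of any message in this thread: in the `pfctl -s queue -v` output above, root_rl0 and root_rl1 report zero while their child queues hold the counters. The Python code below parses that output, sums child counters up the queue tree (to any depth), and derives a bit rate from two samples; the function names and the second sample are constructed for illustration.

```python
import re

# One queue entry of `pfctl -s queue -v`: the definition line followed by
# its "[ pkts: ... ]" counter block. The "[ qlength: ... ]" block is skipped.
QUEUE_RE = re.compile(
    r"\bqueue\s+(?P<name>\S+)\s+(?P<spec>[^\[]*)"
    r"\[\s*pkts:\s*(?P<pkts>\d+)\s+bytes:\s*(?P<bytes>\d+)\s+"
    r"dropped pkts:\s*(?P<dpkts>\d+)\s+bytes:\s*(?P<dbytes>\d+)\s*\]"
)
CHILDREN_RE = re.compile(r"\{([^}]*)\}")

# Counters copied from the first message of the thread (whitespace collapsed).
SAMPLE = """\
queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
  [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
  [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
  [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
  [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
"""

# Constructed second sample: client1_down has moved 8000 more bytes.
SAMPLE_LATER = SAMPLE.replace("bytes: 1395472", "bytes: 1403472")


def parse_queues(text):
    """Return {queue name: {"pkts", "bytes", "children"}} from pfctl output."""
    queues = {}
    for m in QUEUE_RE.finditer(text):
        kids = CHILDREN_RE.search(m["spec"])
        names = re.split(r"[,\s]+", kids.group(1).strip()) if kids else []
        queues[m["name"]] = {
            "pkts": int(m["pkts"]),
            "bytes": int(m["bytes"]),
            "children": [n for n in names if n],
        }
    return queues


def rollup(queues):
    """Add every queue's own counters to those of all its descendants."""
    totals = {}

    def visit(name, seen):
        if name in totals:
            return totals[name]
        if name in seen:
            raise ValueError(f"queue cycle at {name}")
        own = queues[name]
        total = {"pkts": own["pkts"], "bytes": own["bytes"]}
        for child in own["children"]:
            if child in queues:  # ignore children absent from the output
                sub = visit(child, seen | {name})
                total["pkts"] += sub["pkts"]
                total["bytes"] += sub["bytes"]
        totals[name] = total
        return total

    for name in queues:
        visit(name, frozenset())
    return totals


def rates_bps(before, after, seconds):
    """Bits per second per queue between two rolled-up samples.

    A counter that went backwards (queues recreated between samples)
    yields None instead of a negative rate.
    """
    rates = {}
    for name, cur in after.items():
        prev = before.get(name)
        delta = None if prev is None else cur["bytes"] - prev["bytes"]
        rates[name] = None if delta is None or delta < 0 else delta * 8 / seconds
    return rates


if __name__ == "__main__":
    first = rollup(parse_queues(SAMPLE))
    later = rollup(parse_queues(SAMPLE_LATER))
    for name, rate in rates_bps(first, later, 10).items():
        print(f"{name:14s} bytes={later[name]['bytes']:8d} rate={rate} b/s")
```
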

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 14:06:37 2006
Message-ID: <55e8a96c0610290606g3d38ae67l50e217c1c622ec2a@mail.gmail.com>
Date: Sun, 29 Oct 2006 09:06:35 -0500
From: "Bill Marquette"
To: "Gloomy Group"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf altq not showing root traffic

On 10/29/06, Gloomy Group wrote:
> Hi,
>
> I have set up pf and altq traffic shaping on FreeBSD 6.1. My configuration
> is as follows;
>
> ext_if="rl0"
> int_if="rl1"
>
> table {192.168.0.1/27}
> scrub in all
>
> altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down}
> altq on $ext_if hfsc bandwidth 256Kb queue{client1_up, default_up }
>
> # define queue for download
> queue default_down bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
> queue default_up bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
>
> queue client1_down bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>
> # define queue for upload
> queue client1_up bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>
> pass out quick on $int_if from any to queue client1_down label client1_down
> pass out quick on ext_if from to any queue client1_up label client1_up
> ---------------------------------------------------------------------------------------------------
>
> Shaping is working fine, except root_rl0 and root_rl1 traffic is not shown.
> What's wrong with my configuration?
> Below is the output of the "pfctl -s queue -v" command:
>
> bw-shaper# pfctl -s queue -v
> queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>   [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>   [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>   [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>   [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
>
> Ohcarol.

I don't believe pf will show the cumulative child queue traffic in the
parent queues (it would be nice to have the option). I don't see
anywhere where you assigned traffic to the root queues (not even sure
if you can) and the default queues are both in your child queues.
From what I've seen, I don't believe you have anything to be concerned
about.

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 14:52:03 2006
In-Reply-To: <55e8a96c0610290606g3d38ae67l50e217c1c622ec2a@mail.gmail.com>
From: "Gloomy Group"
To: bill.marquette@gmail.com
Date: Sun, 29 Oct 2006 14:51:51 +0000
Cc: freebsd-pf@freebsd.org
Subject: Re: pf altq not showing root traffic

Hello Bill,

Can you point out what's wrong in my configuration? As I want to graph total
bandwidth and each client individual bandwidth. But as there is any traffic
in root queue I can't view the actual total traffic of all clients.
Can you guide me what's wrong here?

>From: "Bill Marquette"
>To: "Gloomy Group"
>CC: freebsd-pf@freebsd.org
>Subject: Re: pf altq not showing root traffic
>Date: Sun, 29 Oct 2006 09:06:35 -0500
>
>On 10/29/06, Gloomy Group wrote:
>>Hi,
>>
>>I have set up pf and altq traffic shaping on FreeBSD 6.1. My configuration
>>is as follows;
>>
>>ext_if="rl0"
>>int_if="rl1"
>>
>>table {192.168.0.1/27}
>>scrub in all
>>
>>altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down}
>>altq on $ext_if hfsc bandwidth 256Kb queue{client1_up, default_up }
>>
>># define queue for download
>>queue default_down bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
>>queue default_up bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
>>
>>queue client1_down bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>>
>># define queue for upload
>>queue client1_up bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>>
>>pass out quick on $int_if from any to queue client1_down label client1_down
>>pass out quick on ext_if from to any queue client1_up label client1_up
>>---------------------------------------------------------------------------------------------------
>>
>>Shaping is working fine, except root_rl0 and root_rl1 traffic is not
>>shown.
>>What's wrong with my configuration?
>>Below is the output of the "pfctl -s queue -v" command:
>>
>>bw-shaper# pfctl -s queue -v
>>queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
>>  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>>  [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>>  [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
>>  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>>  [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>>  [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
>>  [ qlength: 0/ 50 ]
>>
>>Ohcarol.
>
>I don't believe pf will show the cumulative child queue traffic in the
>parent queues (it would be nice to have the option). I don't see
>anywhere where you assigned traffic to the root queues (not even sure
>if you can) and the default queues are both in your child queues.
>From what I've seen, I don't believe you have anything to be concerned
>about.
>
>--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 15:01:19 2006
Message-ID: <55e8a96c0610290701k77ab005bof9be4248b33f7705@mail.gmail.com>
Date: Sun, 29 Oct 2006 10:01:17 -0500
From: "Bill Marquette"
To: "Gloomy Group"
References: <55e8a96c0610290606g3d38ae67l50e217c1c622ec2a@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf altq not showing root traffic

On 10/29/06, Gloomy Group wrote:
> Hello Bill,
>
> Can you point out what's wrong in my configuration? As I want to graph total
> bandwidth and each client individual bandwidth. But as there is any traffic
> in root queue I can't view the actual total traffic of all clients.
> Can you guide me what's wrong here?

You'll need to parse the pfctl -vvsq output yourself and tally up the
bandwidth in use per queue. pf doesn't roll those figures up and
apply to the parent queue in a queue tree (since you can usually
assign traffic to those queues, it could be confusing to see the child
bandwidth applied to it also).

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 16:49:28 2006
Message-ID: <4544DB91.20506@gmx.de>
Date: Sun, 29 Oct 2006 17:49:21 +0100
From: Olli Hauer
To: Gloomy Group
Cc: freebsd-pf@freebsd.org
Subject: Re: pf altq not showing root traffic

Gloomy Group wrote:
> Hi,
>
> I have set up pf and altq traffic shaping on FreeBSD 6.1. My
> configuration is as follows;
>
> ext_if="rl0"
> int_if="rl1"
>
> table {192.168.0.1/27}
> scrub in all
>
> altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down}
> altq on $ext_if hfsc bandwidth 256Kb queue{client1_up, default_up }
>
> # define queue for download
> queue default_down bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
> queue default_up bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
>
> queue client1_down bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>
> # define queue for upload
> queue client1_up bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
>
> pass out quick on $int_if from any to queue client1_down label client1_down
> pass out quick on ext_if from to any queue client1_up label client1_up
> ---------------------------------------------------------------------------------------------------
>
> Shaping is working fine, except root_rl0 and root_rl1 traffic is not
> shown. What's wrong with my configuration?
> Below is the output of the "pfctl -s queue -v" command:
>
> bw-shaper# pfctl -s queue -v
> queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>   [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>   [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
>   [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
>   [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
>
> Ohcarol.
>

Maybe you can get the traffic this way (since you have labels):

pfctl -vsl

Here is an interesting article about that.
http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

olli

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 29 17:44:27 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sun, 29 Oct 2006 19:44:08 +0200
References: <4544DB91.20506@gmx.de>
In-Reply-To: <4544DB91.20506@gmx.de>
Message-Id: <200610291844.15191.max@love2party.net>
Subject: Re: pf altq not showing root traffic

On Sunday 29 October 2006 17:49, Olli Hauer wrote:
> Gloomy Group wrote:
> > Hi,
> >
> > I have set up pf and altq traffic shaping on FreeBSD 6.1. My
> > configuration is as follows;
> >
> > ext_if="rl0"
> > int_if="rl1"
> >
> > table {192.168.0.1/27}
> > scrub in all
> >
> > altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down}
> > altq on $ext_if hfsc bandwidth 256Kb queue{client1_up, default_up }
> >
> > # define queue for download
> > queue default_down bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
> > queue default_up bandwidth 32Kb hfsc (realtime 32Kb upperlimit 32Kb default)
> >
> > queue client1_down bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
> >
> > # define queue for upload
> > queue client1_up bandwidth 64Kb hfsc (realtime 64Kb upperlimit 64Kb)
> >
> > pass out quick on $int_if from any to queue client1_down label client1_down
> > pass out quick on ext_if from to any queue client1_up label client1_up
> > ---------------------------------------------------------------------------------------------------
> >
> > Shaping is working fine, except root_rl0 and root_rl1 traffic is not
> > shown. What's wrong with my configuration?
> > Below is the output of the "pfctl -s queue -v" command:
> >
> > bw-shaper# pfctl -s queue -v
> > queue root_rl1 bandwidth 912Kb priority 0 {default_down, client1_down}
> >   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> > queue default_down bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
> >   [ pkts: 1078 bytes: 108628 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> > queue client1_down bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
> >   [ pkts: 1625 bytes: 1395472 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> > queue root_rl0 bandwidth 256Kb priority 0 {default_up, client1_up}
> >   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> > queue default_up bandwidth 32Kb hfsc( default realtime 32Kb upperlimit 32Kb )
> >   [ pkts: 422 bytes: 30116 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> > queue client1_up bandwidth 64Kb hfsc( realtime 64Kb upperlimit 64Kb )
> >   [ pkts: 1586 bytes: 383594 dropped pkts: 0 bytes: 0 ]
> >   [ qlength: 0/ 50 ]
> >
> > Ohcarol.
>
> Maybe you can get the traffic this way (since you have labels):
>
> pfctl -vsl
>
> Here is an interesting article about that.
> http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

If you are looking for "real time" stats in curses try sysutils/pftop.
For mrtg/rrd-tool like graphs check out sysutils/pfstat.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 30 11:08:32 2006
Date: Mon, 30 Oct 2006 11:08:29 GMT
Message-Id: <200610301108.k9UB8TAc085944@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
f kern/86072   pf         [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/94992   pf         [pf] [patch] pfctl complains about ALTQ missing
o kern/103304  pf         pf accepts nonexistent queue in rules

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 31 11:14:28 2006
From: "Gloomy Group"
To: freebsd-pf@freebsd.org
Date: Tue, 31 Oct 2006 11:14:26 +0000
Subject: Rules passing through default queue

Why is all of my uplink traffic going through the default queues?
Below is my pf.conf configuration.

-------------------------------
#Download interface is rl1 and upload interface is rl0
ext_if="rl0"
int_if="rl1"
table { 201.xx.xx.0/24 }

#Macros for Private network
net_priv = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"

#Define port for usual internet services
ports_web = "{80 8080 443 25 110 143 993}"
ssh_port = "{22}"

#OPTIONS
#Default response for block filter
set block-policy drop
#Statistics logging on
set loginterface $ext_if

#TRAFFIC Normalization#
#Filter traffic for unusual traffic
scrub in all

#--Define the parent queues
#--First define upstream parent queue
altq on $ext_if hfsc bandwidth 128Kb queue { up_def, up_usr1, up_usr2 }
#--Define download parent queue
altq on $int_if hfsc bandwidth 64Kb queue { dn_def, dn_usr1, dn_usr2 }

#--UPSTREAM child queue
#--Default upstream queue
queue up_def bandwidth 20% { up_def_def, up_def_web, up_def_quick }
queue up_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue up_def_web priority 3 bandwidth 25% hfsc (ecn)
queue up_def_quick priority 6 bandwidth 25% hfsc (ecn)
#--USR1 upstream queue
queue up_usr1 bandwidth 51.2Kb { up_usr1_def, up_usr1_web, up_usr1_quick }
queue up_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue up_usr1_web priority 4 bandwidth 25% hfsc (realtime 25% ecn)
queue up_usr1_quick priority 7 bandwidth 25% hfsc (realtime 25% ecn)
#--USR2 upstream queue
queue up_usr2 bandwidth 40% {up_usr2_def up_usr2_web up_usr2_quick}
queue up_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue up_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue up_usr2_quick priority 7 bandwidth 25% hfsc (ecn)

#--DOWNSTREAM child queue
#--Default downstream queue
queue dn_def bandwidth 20% {dn_def_def dn_def_web dn_def_quick}
queue dn_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue dn_def_web priority 3 bandwidth 25% hfsc (ecn)
queue dn_def_quick priority 6 bandwidth 25% hfsc (ecn)
#--USR1 downstream queue
queue dn_usr1 bandwidth 40% {dn_usr1_def dn_usr1_web dn_usr1_quick}
queue dn_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue dn_usr1_web priority 4 bandwidth 25% hfsc (realtime 50% ecn)
queue dn_usr1_quick priority 7 bandwidth 25% hfsc (ecn)
#--USR2 downstream queue
queue dn_usr2 bandwidth 40% {dn_usr2_def dn_usr2_web dn_usr2_quick}
queue dn_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue dn_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue dn_usr2_quick priority 7 bandwidth 25% hfsc (ecn)

#---Default Filter----#
block log all

#--Allow all on loopback interface---#
pass quick on lo0 all

#Deny in and out of private networks
block in quick on $ext_if from $net_priv to any
block out quick on $ext_if from any to $net_priv

#Allow incoming SSH traffic to this server
pass in quick on $ext_if inet proto tcp from to $ext_if port 22 keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto {tcp, udp, icmp} all keep state

#Allow icmp traffic from our network
pass in quick on $ext_if inet proto icmp from to $ext_if icmp-type 8 keep state

pass out quick on $ext_if proto {tcp udp} from any to any port domain keep state queue up_def_quick
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.2 to any port $ports_web keep state queue up_usr1_web
pass out quick on $ext_if from 201.xx.xx.2 to any keep state queue up_usr1_def
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.3 to any port $ports_web queue up_usr2_web
pass out quick on $ext_if from 201.xx.xx.3 to any queue up_usr2_def
pass out on $ext_if keep state queue (up_def_def up_def_quick)
pass out on $ext_if proto {tcp udp} from any to any port $ports_web keep state queue (up_def_web up_def_quick)

#--Filter and queue internal interface traffic
##Allow other incoming traffic from internal network
pass in on $int_if from $int_if:network to any

#--Assign outgoing traffic from other interface to queue for downstream
pass out quick on $int_if proto {tcp udp} from any port domain to any queue dn_quick
pass out quick on $int_if proto {tcp udp} from any port $ports_web to 201.xx.xx.2 queue dn_usr1_web
pass out quick on $int_if from any to 201.xx.xx.2 queue dn_usr1_def
pass out quick on $int_if proto {tcp udp} from any port $ports_web to 201.xx.xx.3 queue dn_usr2_web
pass out quick on $int_if from any to 201.xx.xx.3 queue dn_usr2_def
pass out on $int_if queue (dn_def_def dn_def_quick)
pass out on $int_if proto {tcp udp} from any port $ports_web to any queue (dn_def_web dn_def_quick)

#--Deny spoofing
antispoof for $ext_if
antispoof for $int_if

pfctl -sq -vv shows that my uplink traffic is going through default queue rules while download is passing through correct queue and is working fine.
------------------------------
queue root_rl0 bandwidth 128Kb priority 0 {up_def, up_usr1, up_usr2}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def bandwidth 25.60Kb {up_def_def, up_def_web, up_def_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def_def bandwidth 12.80Kb hfsc( red ecn default )
  [ pkts: 211 bytes: 131140 dropped pkts: 0 bytes: 0 ]
  [ qlength: 3/ 50 ]
  [ measured: 11.2 packets/s, 127.02Kb/s ]
queue up_def_web bandwidth 6.40Kb priority 3 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def_quick bandwidth 6.40Kb priority 6 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1 bandwidth 51.20Kb {up_usr1_def, up_usr1_web, up_usr1_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_def bandwidth 25.60Kb priority 2 hfsc( red ecn realtime 25.60Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_web bandwidth 12.80Kb priority 4 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_quick bandwidth 12.80Kb priority 7 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2 bandwidth 51.20Kb {up_usr2_def, up_usr2_web, up_usr2_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_def bandwidth 25.60Kb priority 2 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_web bandwidth 12.80Kb priority 4 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_quick bandwidth 12.80Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue root_rl1 bandwidth 64Kb priority 0 {dn_def, dn_usr1, dn_usr2}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def bandwidth 12.80Kb {dn_def_def, dn_def_web, dn_def_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_def bandwidth 6.40Kb hfsc( red ecn default )
  [ pkts: 2 bytes: 544 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_web bandwidth 3.20Kb priority 3 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_quick bandwidth 3.20Kb priority 6 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1 bandwidth 25.60Kb {dn_usr1_def, dn_usr1_web, dn_usr1_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1_def bandwidth 12.80Kb priority 2 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 59 bytes: 20514 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 2.2 packets/s, 8.99Kb/s ]
queue dn_usr1_web bandwidth 6.40Kb priority 4 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 174 bytes: 95677 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 5.6 packets/s, 2.42Kb/s ]
queue dn_usr1_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2 bandwidth 25.60Kb {dn_usr2_def, dn_usr2_web, dn_usr2_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_def bandwidth 12.80Kb priority 2 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_web bandwidth 6.40Kb priority 4 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 1 01:56:07 2006
From: "Gloomy Group"
To: freebsd-pf@freebsd.org
Date: Wed, 01 Nov 2006 01:56:06 +0000
Subject: how to view only single queue with pfctl command

How can I view only single queue with pfctl -sq -v command?
pfctl -sq -v shows the list of all queues as shown below; I want to view only single queue like up_def_def queue so that I can get the bytes to graph. Or is there any other possible ways to make mrtg for different queues?

queue root_rl0 bandwidth 128Kb priority 0 {up_def, up_usr1, up_usr2}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue up_def bandwidth 25.60Kb {up_def_def, up_def_web, up_def_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue up_def_def bandwidth 12.80Kb hfsc( red ecn default )
  [ pkts: 971 bytes: 94857 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue up_def_web bandwidth 6.40Kb priority 3 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue up_def_quick bandwidth 6.40Kb priority 6 hfsc( red ecn )
  [ pkts: 63 bytes: 5726 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 1 10:17:33 2006
Sender: "pp"
Date: Wed, 1 Nov 2006 11:17:04 +0100
Message-ID: <064601c6fd9e$e3df2530$152ea8c0@phobos>
Subject: SV: how to view only single queue with pfctl command

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Gloomy Group
> Sent: 1 November 2006 02:56
> To: freebsd-pf@freebsd.org
> Subject: how to view only single queue with pfctl command
>
> How can I view only single queue with pfctl -sq -v command ?
> pfctl -sq -v shows the list of all queues as shown below; I
> want to view only single queue like up_def_def queue so that
> I can get the bytes to graph. Or is there any other possible
> ways to make mrtg for different queues?
>

Have a look at sysutils/pfstat. I installed it just a few days ago on my router and it works perfectly. I used the config file at http://www.benzedrine.cx/pfstat.html as a template and only had to change the interface name and the queue names.

/PP

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 1 19:41:20 2006
Message-ID: <6e6841490611011141h5972ab8k87f35bb168e86164@mail.gmail.com>
Date: Wed, 1 Nov 2006 17:41:12 -0200
From: "Gilberto Villani Brito"
To: freebsd-pf@freebsd.org
In-Reply-To: <65A313B6966.00000132falexsandro@inbox.com>
References: <65A313B6966.00000132falexsandro@inbox.com>
Subject: Re: PF/Altq

I don't know how to do that, so if you learn, please send me an e-mail.

Gilberto

2006/10/5, Flavio Silva :
> Hi People!
>
> I would like your help, in creating a rule to control the bandwidth for 200 hosts...
> i'm trying to set a limit to 64kbit/s for each host.
> There is any way to do this using altq without to had to create a queue for each host?
>
> Thanks in advance,
>
> Flávio

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 1 20:38:17 2006
From: Michal Mertl
To: Gilberto Villani Brito
In-Reply-To: <6e6841490611011141h5972ab8k87f35bb168e86164@mail.gmail.com>
References: <65A313B6966.00000132falexsandro@inbox.com> <6e6841490611011141h5972ab8k87f35bb168e86164@mail.gmail.com>
Date: Wed, 01 Nov 2006 21:37:00 +0100
Message-Id: <1162413420.1025.6.camel@genius.i.cz>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF/Altq

Gilberto Villani Brito wrote:
> I don't know do that, so if you learn, please, send me a e-mail.
>
> Gilberto
>
> 2006/10/5, Flavio Silva :
> > Hi People!
> >
> > I would like your help, in creating a rule to control the bandwidth for 200 hosts...
> > i'm trying to set a limit to 64kbit/s for each host.
> > There is any way to do this using altq without to had to create a queue for each host?

I don't think there is with pf & altq but there is with ipfw (see man ipfw, section TRAFFIC SHAPER (DUMMYNET) CONFIGURATION, item mask). I had some issues with IPFW traffic shaping in the past though (it introduced large delays) but it was probably local configuration's specific problem.

Michal

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 13:11:06 2006
To: freebsd-pf@freebsd.org
Date: Thu, 02 Nov 2006 14:11:02 +0100 (CET)
From: Cizek.Milan
Message-Id: <2662.4978-21595-1431088027-1162473062@seznam.cz>
Subject: clients can't see each other with PF

I have the following problem which I can't resolve.

Situation: wi0 interface (xi626) is running in hostap mode - everything is OK. I start PF (pfctl -e), which does QoS (PRIQ) - it acts the same way also with clean "pass all" configuration. From this point WiFi clients can't see each other. Everything else is OK, only clients on same subnet associated to wi0 can't connect to each other. Seems like the HW bridge on interface level stopped working.

Thanks for any answers. I noticed this problem from version 6.0-RELEASE to actual 6.2-PRERELEASE.
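
For the question earlier in this archive about reading a single queue's counters out of `pfctl -sq -v` for MRTG, here is an added example (not code from the thread, pfctl or MRTG). It matches the queue name exactly, since a plain grep for up_def would also hit up_def_def, and prints MRTG's four-line external-script format; the function names, the script name in the comment and the embedded sample (constructed from the output quoted in the question) are assumptions.

```shell
#!/bin/sh
# Added example: pull one ALTQ queue's counters out of `pfctl -sq -v` text.

# Constructed sample modelled on the output quoted in the question. The last
# record is left on a single line to show that line wrapping does not matter.
sample_snapshot() {
    cat <<'EOF'
queue root_rl0 bandwidth 128Kb priority 0 {up_def, up_usr1, up_usr2}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  up_def bandwidth 25.60Kb {up_def_def, up_def_web, up_def_quick}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue   up_def_def bandwidth 12.80Kb hfsc( red ecn default )
  [ pkts:        971  bytes:      94857  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue up_def_quick bandwidth 6.40Kb priority 6 hfsc( red ecn ) [ pkts: 63 bytes: 5726 dropped pkts: 0 bytes: 0 ] [ qlength: 0/ 50 ]
EOF
}

# queue_counters NAME
# Reads pfctl queue statistics on stdin and prints
#   "pkts bytes dropped_pkts dropped_bytes"
# for the queue whose name is exactly NAME. Exit status 1 if it is absent or
# a counter is not numeric. NAME is passed with -v, never spliced into the
# awk program text.
queue_counters() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "queue") { expect_name = 1; continue }
            if (expect_name)    { current = tok; expect_name = 0; continue }
            if (current != want) continue
            if (take) {
                # value that follows a "pkts:" or "bytes:" label
                if (tok !~ /^[0-9]+$/) exit
                val[++n] = tok
                take = 0
                if (n == 4) {
                    print val[1], val[2], val[3], val[4]
                    found = 1
                    exit
                }
                continue
            }
            if (tok == "pkts:" || tok == "bytes:") take = 1
        }
    }
    END { exit(found ? 0 : 1) }
    '
}

# mrtg_pair SNAPSHOT FIRST_QUEUE SECOND_QUEUE
# Prints the four lines MRTG expects from an external script: first value,
# second value, uptime string, target name. The values are the cumulative
# byte counters of the two queues, taken from one snapshot so they agree.
mrtg_pair() {
    snapshot=$1
    first=$(printf '%s\n' "$snapshot" | queue_counters "$2") || return 1
    second=$(printf '%s\n' "$snapshot" | queue_counters "$3") || return 1
    first=${first#* }      # drop the pkts field
    second=${second#* }
    printf '%s\n%s\n' "${first%% *}" "${second%% *}"
    up_line=$(uptime 2>/dev/null | head -n 1)
    printf '%s\n' "${up_line:-unknown}"
    printf '%s/%s\n' "$2" "$3"
}

# Live use (hypothetical script name): ./pfq-mrtg.sh dn_usr1_web up_usr1_web
if [ "$#" -eq 2 ]; then
    mrtg_pair "$(pfctl -sq -v)" "$1" "$2"
fi
```

pfctl needs access to /dev/pf, which is root-only by default, so an MRTG target calling this would normally go through a sudo rule limited to `pfctl -sq -v` rather than running MRTG itself as root.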
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 14:02:01 2006
Message-ID: <4549FA63.4030107@gmail.com>
Date: Thu, 02 Nov 2006 15:02:11 +0100
From: Larkine
To: freebsd-pf@freebsd.org
Subject: FreeBSD 6.1 with pf

Hello,

I got a laptop with the operating system FreeBSD 6.1 and an ADSL modem to connect to the internet. I would like to set up a personal firewall on my computer and I chose OpenBSD pf. The only network interface is ndis0.

The filtering method is quite simple: everything is blocked and only what I need is authorized. However I have a problem with FTP protocol. I tried ftp-proxy but this was unsuccessful. Could you help me about this? I remind I got only one host and one network interface.

Thank you very much.
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 14:56:38 2006
Date: Thu, 2 Nov 2006 15:53:42 +0100
From: Martin
To: freebsd-pf@freebsd.org
Message-ID: <20061102155342.20f9ce07@DELORIAN>
In-Reply-To: <4549FA63.4030107@gmail.com>
Subject: Re: FreeBSD 6.1 with pf

On Thu, 02 Nov 2006 15:02:11 +0100 Larkine wrote:

> Hello,
>
> I got a laptop with the operating system FreeBSD 6.1 and an ADSL modem
> to connect on the internet. I would like to setup a personnal firewall
> on my computer and I choose OpenBSD pf. The only network interface is
> ndis0.
>
> The filtering method is quite simple : everything is blocked and only
> what I need is authorized. However I have a problem with FTP
> protocol. I try ftp-proxy but this was unsuccessful. Could you help
> me about this? I remind I got only one host and one network interface.
>
> Thank you very much.

You can try pftpx and put anchor on your pf.conf file

see u

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 22:17:40 2006
From: "fr33man"
Date: Fri, 3 Nov 2006 01:15:25 +0300
Message-Id: <20061102221737.B44B543D60@mx1.FreeBSD.org>
Subject: Policy Based Routing pf

Hi all!

I have one problem with pf. This is my network:

ISP1      ISP2
 |         |
 |         |
 |         |
 |         |
  FreeBSD(shield)
       |
       |
       |
  Local_Network

My configuration:

Local_Network has address: 192.168.1.0/24. IP address of freebsd (hostname is shield) is 192.168.1.254 on the Local_Network and 192.168.98.2 on the ISP1 and external IP (for example 1.1.1.1) on ISP2. The default gateway is ISP1, and IP address of default gateway is 192.168.98.1. ISP2 gives me internet over vpn, and gateway on ISP2 is 172.17.0.1.

This is output of `ifconfig`:

shield@/usr/local/etc> ifconfig
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
        ether 00:05:1c:1e:6f:9e
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:00:4b:51:07:84
        media: Ethernet autoselect (100baseTX )
        status: active
pfsync0: flags=0<> mtu 2020
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1 mtu 1440
        inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
shield@/usr/local/etc>

I have compiled kernel with pf:

device pf
device pflog
device pfsync

And this is my pf.conf:

shield@/usr/local/etc> cat /etc/pf.conf.back
ext_if="ng0"
scrub in all
nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state
pass all
shield@/usr/local/etc>

192.168.1.230 - web server IP address.

And now I want to tell you one very interesting thing! ;) If I have index.html size about 1 Kb on the web server, everyone can see it (from the internet), but if index.html is about 11 kb nobody can see it from the internet!!!

Can you help me?

--
WBR Ozerov Vasiliy I.
Good Luck

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 23:10:31 2006
Message-ID: <454A7B1B.5090008@gmail.com>
Date: Fri, 03 Nov 2006 00:11:23 +0100
From: Larkine
To: freebsd-pf@freebsd.org
Subject: ftp-proxy or pftpx problem with FreeBSD 6.1

Hello :)

I got a laptop with the operating system FreeBSD 6.1 and an ADSL modem to connect to the internet. I would like to set up a personal firewall on my computer and I chose OpenBSD pf. The only network interface is ndis0.

The filtering method is quite simple: everything is blocked and only what I need is authorized. However I have a problem with FTP protocol. I tried ftp-proxy and pftpx without success :(

### First method with ftp-proxy.

# rc.conf

I added these lines:

inetd_enable="YES"
inetd_flags="-wW -c 60 -a 127.0.0.1"

# inetd.conf

I have this line:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

After a reboot and with sockstat -4 command I have:

root inetd 583 5 tcp4 127.0.0.1:8021

# pf.conf

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
pass out proto tcp from $int_inf to any port 21 keep state

Well, after I used ftp command the connection works fine but with ls command I have this:

ftp>ls
229 Entering Extended Passive Mode (|||9576|)
200 EPRT command successful Consider using EPSV.

and after 40 seconds I have this:
150 Here comes the directory listing.
ftp: poll timeout waiting before accept: Operation not permitted
426 Failure writing network stream.
225 No transfer to ABOR.
ftp>

I don't know what happened but I think the rdr doesn't work, but why? I don't know.

### Second method with pftpx

# rc.conf

I added this line:

pftpx_enable="YES"

After a reboot and with sockstat -4 command I have:

proxy pftpx 495 3 tcp4 127.0.0.1:8021 *:*

# pf.conf

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor "pftpx/*"
pass out proto tcp from $int_inf to any port 21 keep state

Well, after I used ftp command the connection works fine but I have the same problem.

Just a question, why doesn't the rdr work at all on my computer? What happened?
Thank you so much :)

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 2 23:51:37 2006
Date: Thu, 2 Nov 2006 17:48:50 -0600 (CST)
From: "Jeremy C. Reed"
To: Larkine
In-Reply-To: <454A7B1B.5090008@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp-proxy or pftpx problem with FreeBSD 6.1

> ### First method with ftp-proxy.
>
> # rc.conf
>
> i added these lines:
>
> inetd_enable="YES"
> inetd_flags="-wW -c 60 -a 127.0.0.1"
>
> # inetd.conf
>
> I have this line:
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
> After a reboot and with sockstat -4 command i have:
>
> root inetd 583 5 tcp4 127.0.0.1:8021
>
> # pf.conf
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port
> 8021
>
> anchor "ftp-proxy/*"
> pass out proto tcp from $int_inf to any port 21 keep state

What version of ftp-proxy are you using?

The ftp-proxy with FreeBSD 6.x doesn't use PF anchors.

> Well, after i used ftp command the connexion works fine but with ls command
> i have this:
>
> ftp>ls
> 229 Entering Extended Passive Mode (|||9576|)
> 200 EPRT command successful Consider using EPSV.
>
> and after 40 seconds i have this:
> 150 Here comes the directory listing.
> ftp: poll timeout waiting before accept: Operation not permitted
> 426 Failure writing network stream.
> 225 No transfer to ABOR.
> ftp>
>
> I don't what happend but i think, the rdr don't work but why ? I don't know.

What is your entire pf.conf?

Have a look at your ftp-proxy manual page. You need to also allow the connections inbound. The man page has two examples of this and mentions -u and -m and -M ftp-proxy options.

As for your pftpx tests, use pfctl to show the rules for your "pftpx" anchor. Maybe that will tell you something.
ISBN 0-9790342-0-5 From owner-freebsd-pf@FreeBSD.ORG Fri Nov 3 00:43:24 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05D6D16A40F for ; Fri, 3 Nov 2006 00:43:24 +0000 (UTC) (envelope-from larkine@gmail.com) Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 774D143D4C for ; Fri, 3 Nov 2006 00:43:23 +0000 (GMT) (envelope-from larkine@gmail.com) Received: from [127.0.0.1] (mac76-2-82-241-6-173.fbx.proxad.net [82.241.6.173]) by smtp4-g19.free.fr (Postfix) with ESMTP id 986478866; Fri, 3 Nov 2006 01:43:22 +0100 (CET) Message-ID: <454A90F5.1040204@gmail.com> Date: Fri, 03 Nov 2006 01:44:37 +0100 From: Larkine User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: "Jeremy C. Reed" References: <454A7B1B.5090008@gmail.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: ftp-proxy or pftpx problem with FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: larkine@gmail.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Nov 2006 00:43:24 -0000 Jeremy C. Reed a écrit : >> ### First method with ftp-proxy. 
>>
>> # rc.conf
>>
>> I added these lines:
>>
>> inetd_enable="YES"
>> inetd_flags="-wW -c 60 -a 127.0.0.1"
>>
>> # inetd.conf
>>
>> I have this line:
>>
>> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>>
>> After a reboot and with sockstat -4 command I have:
>>
>> root inetd 583 5 tcp4 127.0.0.1:8021
>>
>> # pf.conf
>>
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>> rdr pass on $int_inf proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>>
>> anchor "ftp-proxy/*"
>> pass out proto tcp from $int_inf to any port 21 keep state
>
> What version of ftp-proxy are you using?
>
> The ftp-proxy with FreeBSD 6.x doesn't use PF anchors.
>
>> Well, after I used ftp command the connection works fine but with ls command
>> I have this:
>>
>> ftp>ls
>> 229 Entering Extended Passive Mode (|||9576|)
>> 200 EPRT command successful Consider using EPSV.
>>
>> and after 40 seconds I have this:
>> 150 Here comes the directory listing.
>> ftp: poll timeout waiting before accept: Operation not permitted
>> 426 Failure writing network stream.
>> 225 No transfer to ABOR.
>> ftp>
>>
>> I don't know what happened but I think the rdr doesn't work, but why? I don't know.
>
> What is your entire pf.conf?
>
> Have a look at your ftp-proxy manual page. You need to also allow the
> connections inbound. The man page has two examples of this and mentions
> -u and -m and -M ftp-proxy options.
>
> As for your pftpx tests, use pfctl to show the rules for your "pftpx"
> anchor. Maybe that will tell you something.
>
> ISBN 0-9790342-0-5
>

Hello :)

Here is my inetd.conf:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 49151 -M 50000

Here is my pf.conf file with ftp-proxy rules:

# $FreeBSD: pf.conf,v 1.0 2006/10/31 21:49:20 olivier Exp $

# ---------------------
# Macros.
# ---------------------

# Interfaces
int_if_1="lo0"
int_if_2="ndis0"

# tcp flags
tcpflags="flags S/SFRA"

# Router/firewall Netgear
wpnt834="192.168.1.1"

# Proxy http
proxy_http="proxy.free.fr"
proxy_port="3128"

# (pflog)
logblock=""
logpass="log"

# ---------------------
# Options.
# ---------------------
set block-policy drop

# ---------------------
# Normalization.
# ---------------------
scrub in all

# ---------------------
# Redirection.
# ---------------------

# ftp-proxy
rdr pass on $int_if_2 proto tcp from any to any port 21 \
    -> 127.0.0.1 port 8021

# ---------------------
# Filtering
# ---------------------

# --------------
# default.
# --------------
block $logblock all
pass in quick on $int_if_1 all
pass out quick on $int_if_1 all

# Antispoof
antispoof for { $int_if_1 $int_if_2 }
block in $logblock quick from no-route
block out $logblock quick from no-route

# ---------------
# User.
# ---------------

# Allow DHCP with router/firewall Netgear wpnt834
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    $wpnt834 port bootpc $tcpflags keep state

# DNS
pass out $logpass quick on $int_if_2 proto udp from ($int_if_2) to \
    any port domain keep state

# Proxy
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    $proxy_http port $proxy_port $tcpflags keep state

# ICMP protocol
# Allow ping to other machines
pass out $logpass quick on $int_if_2 inet proto icmp from ($int_if_2) \
    to any icmp-type 8 code 0 keep state

# http and https
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port { http https } $tcpflags keep state

# ftp with ftp-proxy
pass in on $int_if_2 inet proto tcp from any to $int_if_2 \
    port > 49151 keep state

# (MSN, IRC, ICQ and Jabber)
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port { 16863 6667 5190 5222 } $tcpflags keep state

# cvsup
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
    any port 5999 $tcpflags keep state

# End of file

The
result is different. The connection with freebsd ftp server doesn't work
at all. With ftp command I have this message:

Trying 62.243.72.50....
ftp: connect: Operation not permitted
ftp>

It's very difficult to configure pf when you have only one interface for
me it's ndis0.

The problem is the same with pftpx. It's really strange. Perhaps
ftp-proxy can't work with computer with one network interface ?

I don't know.

Thanks in advance for your help ;)

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 3 14:31:02 2006
From: "fr33man"
Date: Fri, 3 Nov 2006 17:28:50 +0300
In-Reply-To: <20061102221737.B44B543D60@mx1.FreeBSD.org>
Message-Id: <20061103143101.6835543D62@mx1.FreeBSD.org>
Subject: RE: Policy Based Routing pf

Thanks to all, I have solved the problem. Pf doesn't work because of mtu,
On shield mtu was 1440:

[fr33man@shield ~]$ ifconfig ng0
ng0: flags=88d1 mtu 1440
        inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
[fr33man@shield ~]$

And on the web server it was 1500. And now all works!!

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of fr33man
Sent: Friday, November 03, 2006 1:15 AM
To: freebsd-pf@freebsd.org
Subject: Policy Based Routing pf

Hi all!

I have one problem with pf. This is my network:

ISP1            ISP2
 |               |
 |               |
 |               |
 |               |
   FreeBSD(shield)
         |
         |
         |
   Local_Network

My configuration:

Local_Network has address: 192.168.1.0/24.

Ip address of freebsd(hostname is shield) is 192.168.1.254 on the
Local_Network and 192.168.98.2 on the ISP1 and external ip(for example
1.1.1.1) on ISP2.

The default gateway is ISP1, and ip address of default gateway is
192.168.98.1.

ISP2 gives me internet over vpn, and gateway on ISP2 is 172.17.0.1.
This is the output of `ifconfig`:

shield@/usr/local/etc> ifconfig
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
        ether 00:05:1c:1e:6f:9e
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:00:4b:51:07:84
        media: Ethernet autoselect (100baseTX )
        status: active
pfsync0: flags=0<> mtu 2020
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1 mtu 1440
        inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
shield@/usr/local/etc>

I have compiled kernel with pf:

device pf
device pflog
device pfsync

And this is my pf.conf:

shield@/usr/local/etc> cat /etc/pf.conf.back
ext_if="ng0"

scrub in all

nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if

rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www

pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged WEB_SERVER flags S/SA keep state

pass all
shield@/usr/local/etc>

192.168.1.230 - web server ip address.

And now I want to tell you one very interesting thing! ;)

If I have index.html size about 1 Kb on the web server, everyone can see
it(from the internet), but if index.html is about 11 kb nobody can see it
from the internet!!!

Can you help me?

--
WBR Ozerov Vasiliy I.

Good Luck

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 3 20:11:14 2006
From: "fr33man"
Date: Fri, 3 Nov 2006 23:09:02 +0300
In-Reply-To: <20061103162900.GQ63502@ns2.wananchi.com>
Message-Id: <20061103201113.EDE6743D46@mx1.FreeBSD.org>
Subject: RE: Policy Based Routing pf

First, I changed my pf rule from this:

pass in on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state

to this:

pass in log-all on $ext_if reply-to ($ext_if $ext_gateway) inet proto tcp tagged WEB_SERVER keep state

Then, I tried to access my site, and on the console I was listening on the
pflog0 interface with tcpdump:

web# tcpdump -i pflog0
... skipped ...
web#

I have seen icmp packets going to web server. In the packets I have seen
errors about mtu. Then I entered this command on the web server:

stronghold# ifconfig xl0
xl0: flags=8843 mtu 1500
        options=9
        inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
        inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
        ether 00:04:79:66:2d:87
        media: Ethernet autoselect (100baseTX )
        status: active
stronghold# ifconfig xl0 mtu 1440
stronghold# ifconfig xl0
xl0: flags=8843 mtu 1440
        options=9
        inet6 fe80::204:79ff:fe66:2d87%xl0 prefixlen 64 scopeid 0x1
        inet 10.10.20.2 netmask 0xffffff00 broadcast 10.10.20.255
        ether 00:04:79:66:2d:87
        media: Ethernet autoselect (100baseTX )
        status: active
stronghold#

I changed mtu to 1440, because my vpn channel was with mtu 1440:

shield@/root> ifconfig ng0
ng0: flags=88d1 mtu 1440
        inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
shield@/root>

That's all. If there will be any questions, you can ask me. ;)

ICQ: 539-555
Skype: fr33manees
Email: fr33man@fr33man.ru

--
Goodluck

-----Original Message-----
From: Odhiambo Washington [mailto:wash@wananchi.com] On Behalf Of Odhiambo WASHINGTON
Sent: Friday, November 03, 2006 7:29 PM
To: fr33man
Subject: Re: Policy Based Routing pf

Hi Freeman,

Could you please post the complete solution? Or just post the whole
solution to me.

Thanking you in advance!!

* On 03/11/06 17:28 +0300, fr33man wrote:
| Thanks to all, I have solved the problem.
| Pf doesn't work because of mtu,
| On shield mtu was 1440:
|
| [fr33man@shield ~]$ ifconfig ng0
| ng0: flags=88d1 mtu 1440
|         inet 84.47.165.43 --> 172.17.0.1 netmask 0xffffffff
| [fr33man@shield ~]$
|
| And on the web server it was 1500. And now all works!!
|
| -----Original Message-----
| From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
| Behalf Of fr33man
| Sent: Friday, November 03, 2006 1:15 AM
| To: freebsd-pf@freebsd.org
| Subject: Policy Based Routing pf
|
| Hi all!
|
| I have one problem with pf. This is my network:
|
| ISP1            ISP2
|  |               |
|  |               |
|  |               |
|  |               |
|    FreeBSD(shield)
|          |
|          |
|          |
|    Local_Network
|
| My configuration:
|
| Local_Network has address: 192.168.1.0/24.
|
| Ip address of freebsd(hostname is shield) is 192.168.1.254 on the
| Local_Network and 192.168.98.2 on the ISP1 and external ip(for example
| 1.1.1.1) on ISP2.
|
| The default gateway is ISP1, and ip address of default gateway is
| 192.168.98.1.
|
| ISP2 gives me internet over vpn, and gateway on ISP2 is 172.17.0.1. This is
| output of `ifconfig`:
|
| shield@/usr/local/etc> ifconfig
| dc0: flags=8843 mtu 1500
|         options=8
|         inet 192.168.98.2 netmask 0xffffff00 broadcast 192.168.98.255
|         ether 00:05:1c:1e:6f:9e
|         media: Ethernet autoselect (100baseTX )
|         status: active
| fxp0: flags=8843 mtu 1500
|         options=8
|         inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
|         ether 00:00:4b:51:07:84
|         media: Ethernet autoselect (100baseTX )
|         status: active
| pfsync0: flags=0<> mtu 2020
| pflog0: flags=0<> mtu 33208
| lo0: flags=8049 mtu 16384
|         inet 127.0.0.1 netmask 0xff000000
| ng0: flags=88d1 mtu 1440
|         inet 1.1.1.1 --> 172.17.0.1 netmask 0xffffffff
| shield@/usr/local/etc>
|
| I have compiled kernel with pf:
|
| device pf
| device pflog
| device pfsync
|
| And this is my pf.conf:
|
| shield@/usr/local/etc> cat /etc/pf.conf.back
|
| ext_if="ng0"
|
| scrub in all
|
| nat on $ext_if inet proto tcp from 192.168.1.230 port 80 -> $ext_if
|
| rdr on $ext_if inet proto tcp to $ext_if port www -> 192.168.1.230 port www
|
| pass in quick on $ext_if reply-to ($ext_if 172.17.0.1) inet proto tcp tagged
| WEB_SERVER flags S/SA keep state
|
| pass all
|
| shield@/usr/local/etc>
|
| 192.168.1.230 - web server ip address.
|
| And now I want to tell you one very interesting thing! ;)
|
| If I have index.html size about 1 Kb on the web server, everyone can see
| it(from the internet), but if index.html is about 11 kb nobody can see it
| from the internet!!!
|
| Can you help me?
|
| --
|
| WBR Ozerov Vasiliy I.
|
| Good Luck

-Wash

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 4 04:43:45 2006
Date: Sat, 4 Nov 2006 10:13:42 +0530
From: "Gururaj T.S."
To: freebsd-pf@freebsd.org
Subject: PF + Frickin problem

Hi all,

I run pf 1.0.1 on my FreeBSD 6.1. I have configured the IP address as
192.168.1.33/24 primary IP and 192.168.1.230/32 as alias. I run frickin
in this box.

When I connect to a vpn server via frickin on the primary IP it works
perfect. But, when I connect to VPN to aliased IP (setting frickin to
listen to alias), it does not connect.

tcpdump result shows that the traffic goes out perfectly. The problem lies
in the reply. The reply comes back to the primary ip 192.168.1.33 instead
of 192.168.1.230.

PF rules permit the traffic to this vpn server. I am not able to figure out
what is going wrong here.

Could anyone please help me to crack this problem?

Thanks.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 4 12:07:28 2006
To: freebsd-pf@freebsd.org
References: <454A90F5.1040204@gmail.com>
From: peter@bgnett.no (Peter N. M. Hansteen)
Date: Sat, 04 Nov 2006 13:07:25 +0100
In-Reply-To: <454A90F5.1040204@gmail.com> (larkine@gmail.com's message of "Fri, 03 Nov 2006 01:44:37 +0100")
Message-ID: <877iybh0ua.fsf@thingy.datadok.no>
Subject: Re: ftp-proxy or pftpx problem with FreeBSD 6.1

Larkine writes:

> It's very difficult to configure pf when you have only one interface for
> me it's ndis0.

To me your rule set looks awfully complicated for a system with only one
physical network interface.

> The problem is the same with pftpx. It's really strange. Perhaps
> ftp-proxy can't work with computer with one network interface ?

I think you need to detangle your rule set quite a bit. For example,
"set skip on lo0" and doing all your filtering on the one physical
interface would be a good start.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
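
Added example, not part of Peter's message or of any configuration posted in the thread: the suggestion above written out as a reduced pf.conf for a host whose only physical interface is ndis0. The interface name, proxy host and port numbers are the ones in the rule set posted earlier in the thread; the layout, the logged default block and the selection of services are assumptions.

```pf
# Constructed example: reduced rule set for a host with one physical
# interface. Names and ports come from the rule set posted in the thread;
# the layout is an assumption, not anyone's posted configuration.

# --- Macros ---
ext_if     = "ndis0"
proxy_http = "proxy.free.fr"
proxy_port = "3128"
tcpflags   = "flags S/SFRA"
# ftp here is the control connection (port 21) only. The second rule set
# posted in the thread has no "pass out" rule for it on ndis0.
# FTP data connections are not covered by this macro.
tcp_out    = "{ ftp http https 5999 16863 6667 5190 5222 }"

# --- Options ---
set block-policy drop
set skip on lo0     # pf ignores loopback entirely, so no lo0 pass rules

# --- Normalization ---
scrub in all

# --- Filtering: with lo0 skipped, ndis0 is the only interface filtered ---
block log all       # default deny; dropped packets are logged to pflog0
antispoof quick for $ext_if

# DNS
pass out quick on $ext_if proto udp from ($ext_if) to any \
    port domain keep state

# HTTP proxy
pass out quick on $ext_if proto tcp from ($ext_if) to $proxy_http \
    port $proxy_port $tcpflags keep state

# Outbound TCP services, one rule instead of one per service
pass out quick on $ext_if proto tcp from ($ext_if) to any \
    port $tcp_out $tcpflags keep state

# Outbound ping
pass out quick on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type 8 code 0 keep state
```

With `block log all` in place, packets dropped by the default rule can be watched with `tcpdump -n -e -i pflog0`, the same pflog0 approach used to find the MTU problem in the policy-routing thread.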