From owner-freebsd-pf@FreeBSD.ORG Mon Nov 20 11:09:32 2006
Date: Mon, 20 Nov 2006 11:08:18 GMT
Message-Id: <200611201108.kAKB8INx001544@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         pf accepts nonexistent queue in rules

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 22 17:31:52 2006
From: "Wade Hovind"
Date: Wed, 22 Nov 2006 10:31:46 -0700
Message-ID: <070201c70e5c$15a39290$ee01a8c0@alentus.lan>
Subject: /dev/fd/7 reference?

Hello,

Please assume I know little of what I'm talking about on this one.

Recently installed spamd on a clear FreeBSD 6.1

Spamd works fine until I turn on greylisting and then I get the following
error:

pfctl: /dev/fd/7: No such file or directory

Found a reference to the error with the following advice/solution:

"You have to mount a fdescfs(5) filesystem in order to get this working."

The problem is I don't know how to do this. Took a few stabs using
mount_fdescfs but I clearly don't know what the heck I'm doing on this one.

Any help greatly appreciated.

Thanks,
Wade Hovind

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 22 17:39:40 2006
Date: Wed, 22 Nov 2006 11:35:40 -0600 (CST)
From: "Jeremy C. Reed"
To: Wade Hovind
Cc: freebsd-pf@freebsd.org
In-Reply-To: <070201c70e5c$15a39290$ee01a8c0@alentus.lan>
Subject: Re: /dev/fd/7 reference?

> Recently installed spamd on a clear FreeBSD 6.1
>
> Spamd works fine until I turn on greylisting and then I get the following
> error:
>
> pfctl: /dev/fd/7: No such file or directory
>
> Found a reference to the error with the following advice/solution:
>
> "You have to mount a fdescfs(5) filesystem in order to get this working."
>
> The problem is I don't know how to do this. Took a few stabs using
> mount_fdescfs but I clearly don't know what the heck I'm doing on this one.
>
> Any help greatly appreciated.

If you used the spamd port, it should have given the following message:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In order to use spamd greylisting feature you have to have a mounted fdescfs(5)
at /dev/fd. This is done by adding:

        fdescfs /dev/fd fdescfs rw 0 0

to /etc/fstab. You may need either a customised kernel, or kldload the fdescfs
kernel module.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If you need more details, let us know.

Jeremy C. Reed

p.s. This is also covered for FreeBSD in ISBN #0-9790342-0-5.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 01:38:17 2006
Message-ID: <16201878.1164245885264.JavaMail.root@web03sl>
Date: Thu, 23 Nov 2006 12:38:05 +1100
To: freebsd-pf@freebsd.org
Subject: how to route to a local server thru PF router

Hi,

The PF router I set up is an Internet router that allows people to access the Internet. But in the meantime, this PF router is also connected to a local FreeBSD server. As a user behind the PF router, I also want to ssh into the local FreeBSD server (10.1.10.2). But currently I'm not able to ssh into this local server thru the PF router.

The current NAT rules in the PF router are set up as:

# pfctl -a NATRULES -sn
nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin

I'm connected to the 172.17.3.0/24 network. The local FreeBSD server is connected to 10.1.10.0/24 network.

And the PF router is already set up as a default gateway.

How can I modify the PF rules so that I can login from 172.17.3.0/24 to 10.1.10.0/24 network?

Thanks
s

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 18:47:28 2006
Message-ID: <499c70c0611231047k84747frf91def08d509cba6@mail.gmail.com>
Date: Thu, 23 Nov 2006 21:47:23 +0300
From: "John Smith"
To: freebsd-pf@freebsd.org
Subject: rate limit with pf instead of IPFW

Greetings BPF gurus!

I have this rule in IPFW

01000 allow tcp from any to me setup limit src-addr 5

This rule as you know doesn't allow more than 5 connections per ip to
connect to my server at the same time.

The problem with the IPFW, it doesn't allow me to set it with seconds,
so what I need to do is to prevent an IP to connect to my server IP
at the same time in less than 3 secs.

I'm new to bpf and I don't know how to create such a rule. The man
doesn't have enough information with a real example :(

So could someone give me an example with bpf that does the same job as IPFW
plus using rate limit by secs?

I know this rule "limit {src-addr | src-port | dst-addr | dst-port}"
But I need to set it globally for all world IPs.

Could someone please give me full example to setup
limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
01000 allow tcp from any to me setup limit src-addr 5 currently does

I remain thanking you!

-J

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 18:59:23 2006
Message-ID: <8eea04080611231059x6e229d09lfd3f25965511d7ee@mail.gmail.com>
Date: Thu, 23 Nov 2006 10:59:20 -0800
From: "Jon Simola"
To: "John Smith"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <499c70c0611231047k84747frf91def08d509cba6@mail.gmail.com>
Subject: Re: rate limit with pf instead of IPFW

On 11/23/06, John Smith wrote:
> Greetings BPF gurus!

PF? bpf is different and has little to do with firewalling.

> Could someone please give me full example to setup
> limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> 01000 allow tcp from any to me setup limit src-addr 5 currently does

I use something like this:

pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA keep state (source-track rule, max-src-states 5)

--
Jon

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:01:14 2006
Message-ID: <499c70c0611231101k68429053l40ec68712ca66263@mail.gmail.com>
Date: Thu, 23 Nov 2006 22:01:10 +0300
From: "John Smith"
To: "Jon Simola"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <8eea04080611231059x6e229d09lfd3f25965511d7ee@mail.gmail.com>
Subject: Re: rate limit with pf instead of IPFW

On 11/23/06, Jon Simola wrote:
> On 11/23/06, John Smith wrote:
> > Greetings BPF gurus!
>
> PF? bpf is different and has little to do with firewalling.
>
> > Could someone please give me full example to setup
> > limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> > 01000 allow tcp from any to me setup limit src-addr 5 currently does
>
> I use something like this:
>
> pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA
> keep state (source-track rule, max-src-states 5)
>
> --

Greetings Jon,

Could you please post your pf.conf with the rules so I can use it as a guide?

Thank you,
-J

> Jon
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:12:07 2006
Message-ID: <6e6841490611231112j608efd8cpcd73a9db1cf08ebc@mail.gmail.com>
Date: Thu, 23 Nov 2006 17:12:04 -0200
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
In-Reply-To: <16201878.1164245885264.JavaMail.root@web03sl>
Subject: Re: how to route to a local server thru PF router

Don't you have other no nat rules?
Try:
pass in from 172.17.3.0/24 to 10.1.10.0/24

Gilberto

2006/11/22, fwun@bigpond.net.au :
> Hi,
>
> The PF router I set up is an Internet router that allows people to access the Internet. But in the meantime, this PF router is also connected to a local FreeBSD server.
> As a user behind the PF router, I also want to ssh into the local FreeBSD server (10.1.10.2). But currently I'm not able to ssh into this local server thru the PF router.
>
> The current NAT rules in the PF router are set up as:
>
> # pfctl -a NATRULES -sn
> nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin
>
> I'm connected to the 172.17.3.0/24 network. The local FreeBSD server is connected to 10.1.10.0/24 network.
>
> And the PF router is already set up as a default gateway.
>
> How can I modify the PF rules so that I can login from 172.17.3.0/24 to 10.1.10.0/24 network?
>
> Thanks
> s
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:14:04 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 23 Nov 2006 20:13:35 +0100
In-Reply-To: <499c70c0611231101k68429053l40ec68712ca66263@mail.gmail.com>
Message-Id: <200611232013.41558.max@love2party.net>
Subject: Re: rate limit with pf instead of IPFW

On Thursday 23 November 2006 20:01, John Smith wrote:
> On 11/23/06, Jon Simola wrote:
> > On 11/23/06, John Smith wrote:
> > > Greetings BPF gurus!
> >
> > PF? bpf is different and has little to do with firewalling.
> >
> > > Could someone please give me full example to setup
> > > limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> > > 01000 allow tcp from any to me setup limit src-addr 5 currently
> > > does
> >
> > I use something like this:
> >
> > pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA
> > keep state (source-track rule, max-src-states 5)
> >
> > --
>
> Greetings Jon,
>
> Could you please post your pf.conf with the rules so I can use it as a
> guide?

If you are looking for a guide - I suggest reading the pf-faq on the
OpenBSD site or Peter's great tutorial, available from:
http://home.nuug.no/~peter/pf/

The topic in question is discussed here:
http://home.nuug.no/~peter/pf/en/bruteforce.html

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:14:29 2006
Message-ID: <8eea04080611231114u52612661md86d4ff9781f5d1c@mail.gmail.com>
Date: Thu, 23 Nov 2006 11:14:13 -0800
From: "Jon Simola"
To: "John Smith"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <499c70c0611231101k68429053l40ec68712ca66263@mail.gmail.com>
Subject: Re: rate limit with pf instead of IPFW

On 11/23/06, John Smith wrote:
> > > Could someone please give me full example to setup
> > > limit {src-addr | src-port | dst-addr | dst-port} to do what IPFW
> > > 01000 allow tcp from any to me setup limit src-addr 5 currently does

> Could you please post your pf.conf with the rules so I can use it as a guide?

A complete and working pf.conf that limits all inbound tcp connections
to 5 per source ip address would be:

pass in proto tcp all flags S/SA keep state (source-track rule, max-src-states 5)

Yes, just that one line. Obviously you need some more rules around
that, and the PF User's Guide at
http://www.openbsd.org/faq/pf/index.html will do a far better job of
explaining it than I could in a short email.

--
Jon

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:21:30 2006
Message-ID: <8eea04080611231120x56f393e5r41a43a98a2f5a082@mail.gmail.com>
Date: Thu, 23 Nov 2006 11:20:53 -0800
From: "Jon Simola"
To: "fwun@bigpond.net.au"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <16201878.1164245885264.JavaMail.root@web03sl>
Subject: Re: how to route to a local server thru PF router

On 11/22/06, fwun@bigpond.net.au wrote:
> The current NAT rules in the PF router are set up as:
>
> # pfctl -a NATRULES -sn
> nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin
>
> I'm connected to the 172.17.3.0/24 network. The local FreeBSD server is connected to 10.1.10.0/24 network.
>
> And the PF router is already set up as a default gateway.
>
> How can I modify the PF rules so that I can login from 172.17.3.0/24 to 10.1.10.0/24 network?

Your connection attempt will match the second nat rule. A quick way to
avoid that would be adding a nat rule such as below first (nat rules
are always first match):

no nat from 172.17.3.0/24 to 10.1.10.0/24

--
Jon

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 23 19:21:57 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 23 Nov 2006 20:21:22 +0100
In-Reply-To: <16201878.1164245885264.JavaMail.root@web03sl>
Message-Id: <200611232021.28538.max@love2party.net>
Subject: Re: how to route to a local server thru PF router

On Thursday 23 November 2006 02:38, fwun@bigpond.net.au wrote:
> Hi,
>
> The PF router I set up is an Internet router that allows people to access
> the Internet. But in the meantime, this PF router is also connected to a
> local FreeBSD server. As a user behind the PF router, I also want to
> ssh into the local FreeBSD server (10.1.10.2). But currently I'm not
> able to ssh into this local server thru the PF router.
>
> The current NAT rules in the PF router are set up as:
>
> # pfctl -a NATRULES -sn
> nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin
> nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin
>
> I'm connected to the 172.17.3.0/24 network. The local FreeBSD server is
> connected to 10.1.10.0/24 network.
>
> And the PF router is already set up as a default gateway.
>
> How can I modify the PF rules so that I can login from 172.17.3.0/24 to
> 10.1.10.0/24 network?

I'm not sure I do understand your setup completely, but pf does not do any
routing unless you tell it to. If you have correct route entries on all
three boxes involved and no block rules that prevent the traffic, the nat
rules shown above are irrelevant. In detail, this means:

The server at 10.1.10.2 must have a default (or 172.17.3/24) route to the
pf-router.

The client at 172.17.3.X must have a default (or 10.1.10/24) route to the
pf-router.

The pf-router must have a route to both networks and the
net.inet.ip.forwarding sysctl needs to be set to "1".

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 25 18:23:53 2006
Date: Sat, 25 Nov 2006 19:23:51 +0100
From: "Ermal Luçi"
To: freebsd-pf@freebsd.org
Subject: Re: rate limit with pf instead of IPFW
Message-ID: <9a542da30611251023w22cf70tc0e184f26480ae41@mail.gmail.com>

Take a look at this option with the others hinted in the previous
replies, quoted directly from the man page:

max-src-conn-rate _number_ / _seconds_
    Limit the rate of new connections over a time interval. The
    connection rate is an approximation calculated as a moving average.
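
The max-src-conn-rate description quoted in the message above says the rate is an approximation kept as a moving average. The sketch below is an added example, not part of the thread or of pf: it models a "3 / 5" limit as a linearly decaying counter (the decay arithmetic is an assumption of this example) and compares it with an exact count over the last 5 seconds, using constructed arrival times.

```python
# Added illustration: a "number / seconds" rate limit kept as a decaying
# counter (an assumed model of "moving average"), beside an exact window count.
SCALE = 1000  # fixed-point factor so integer decay keeps precision


class DecayingRate:
    def __init__(self, number, seconds):
        self.limit = number * SCALE
        self.seconds = seconds
        self.count = 0
        self.last = 0

    def add(self, now):
        """Record one new connection at integer time `now`; True if over limit."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0  # a whole interval passed: history is forgotten
        else:
            self.count -= self.count * diff // self.seconds  # linear decay
        self.count += SCALE
        self.last = now
        return self.count > self.limit


def first_trip_decaying(arrivals, number, seconds):
    """Index of the first connection over the limit, or None."""
    rate = DecayingRate(number, seconds)
    for i, t in enumerate(arrivals):
        if rate.add(t):
            return i
    return None


def first_trip_exact(arrivals, number, seconds):
    """Same question, counting every arrival in the last `seconds` exactly."""
    for i, t in enumerate(arrivals):
        recent = [a for a in arrivals[: i + 1] if t - a < seconds]
        if len(recent) > number:
            return i
    return None


# Constructed arrival times in seconds for one source address.
BURST = [0] * 10                 # ten connections in the same second
STEADY = list(range(0, 60, 2))   # one every 2 s, i.e. 2.5 per 5 s
STRADDLE = [0, 0, 0, 4, 4, 4]    # two groups of three, 4 s apart

if __name__ == "__main__":
    for name, seq in [("burst", BURST), ("steady", STEADY), ("straddle", STRADDLE)]:
        print(name, first_trip_decaying(seq, 3, 5), first_trip_exact(seq, 3, 5))
```

In the straddle case the decayed counter lets two more connections through than the exact count does, which is the practical meaning of "approximation" when picking a threshold.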
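
For the "how to route to a local server thru PF router" thread earlier on this page (Jon Simola's and Max Laier's replies), the following added example, which is not code from either poster or from pf, is a simplified first-match model of the listed nat rules. The client address 172.17.3.10 and the interface name sis1 are constructed; the model shows that rule order decides the outcome when the packet leaves through sis0, and that none of the listed rules applies when it leaves through another interface.

```python
import ipaddress

# NAT rules exactly as listed in the thread, plus the suggested exemption.
NAT_RULES = [
    "nat on sis0 inet from 192.168.1.0/24 to any -> (sis0) round-robin",
    "nat on sis0 inet from 172.17.3.0/24 to any -> (sis0) round-robin",
    "nat on sis0 inet from 10.1.10.0/24 to any -> (sis0) round-robin",
]
NO_NAT = "no nat from 172.17.3.0/24 to 10.1.10.0/24"


def _net(word):
    return ipaddress.ip_network("0.0.0.0/0" if word == "any" else word)


def parse(rule):
    """Parse only the rule forms above: [no] nat [on IF] [inet] from A to B."""
    tok = rule.split()
    return {
        "translate": tok[0] != "no",
        "iface": tok[tok.index("on") + 1] if "on" in tok else None,
        "src": _net(tok[tok.index("from") + 1]),
        "dst": _net(tok[tok.index("to") + 1]),
        "text": rule,
    }


def evaluate(rules, src, dst, out_iface):
    """Return (decision, rule) for the first rule matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse, rules):
        if r["iface"] not in (None, out_iface):
            continue  # rule is bound to a different interface
        if s in r["src"] and d in r["dst"]:
            return ("nat" if r["translate"] else "no nat", r["text"])
    return ("no match", None)


if __name__ == "__main__":
    pkt = ("172.17.3.10", "10.1.10.2")  # constructed client, server from the thread
    print(evaluate(NAT_RULES, *pkt, "sis0"))             # second nat rule
    print(evaluate([NO_NAT] + NAT_RULES, *pkt, "sis0"))  # exemption wins when first
    print(evaluate(NAT_RULES + [NO_NAT], *pkt, "sis0"))  # appended last: never reached
    print(evaluate(NAT_RULES, *pkt, "sis1"))             # sis1: hypothetical interface
```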

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 25 19:55:30 2006
Date: Sat, 25 Nov 2006 19:55:28 +0000
From: "tim m"
To: freebsd-pf@freebsd.org
Subject: using OpenBSD's spamd on fbsd
Message-ID: <82832a960611251155p2d7b6c9bud79834fc23c38528@mail.gmail.com>

hello all,

I'm looking for experiences from others who have been using OpenBSD's spamd
on FreeBSD.

Is it working well?

Has your spam really been less?

And what is your /usr/local/etc/spamd.conf like?

cheers,
t.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 25 21:05:52 2006
Date: Sat, 25 Nov 2006 22:05:50 +0100
From: "albi albinootje"
To: "tim m"
Cc: freebsd-pf@freebsd.org
Subject: Re: using OpenBSD's spamd on fbsd
Message-ID: <6a1189840611251305x1662ea9fiaff50baa8210eceb@mail.gmail.com>
In-Reply-To: <82832a960611251155p2d7b6c9bud79834fc23c38528@mail.gmail.com>

On 11/25/06, tim m wrote:

> I'm looking for experiences from others who have been using OpenBSD's spamd
> on FreeBSD.
>
> Is it working well?

it's running fine, although it doesn't help so much in my current situation

> Has your spam really been less?

not really, but i'm testing it, can't do harm :)

# pfctl -vvvsTables
-pa-r-  spamd
        Addresses:   0
        Cleared:     Thu Nov 23 18:55:09 2006
        References:  [ Anchors: 0  Rules: 1 ]
        Evaluations: [ NoMatch: 8583  Match: 0 ]

> And what is your
> /usr/local/etc/spamd.conf like?

it's the default (chinese,korean,spamhaus)

you can of course try a customized "rule-set"

see here :
http://www.benzedrine.cx/relaydb.html

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 25 21:57:15 2006
Date: Sat, 25 Nov 2006 21:57:11 +0000
From: "tim m"
To: freebsd-pf@freebsd.org
Subject: Re: using OpenBSD's spamd on fbsd
Message-ID: <82832a960611251357i3aa7f926ufeca7263f869f24e@mail.gmail.com>
In-Reply-To: <6a1189840611251305x1662ea9fiaff50baa8210eceb@mail.gmail.com>

thanks for the reply. :)

documentation isn't the best with the FreeBSD spamd. I was wondering how it
could be logged so I can see if I have it set up properly. I see it in
sockstat and I have 9476 addresses blocked. I'm just trying to get it logged.

in OpenBSD, it seems to do this in the /var/log/daemon

t.

2006/11/25, albi albinootje <albinootje@gmail.com>:
>
> On 11/25/06, tim m wrote:
>
> > I'm looking for experiences from others who have been using OpenBSD's spamd
> > on FreeBSD.
> >
> > Is it working well?
>
> it's running fine, although it doesn't help so much in my current situation
>
> > Has your spam really been less?
>
> not really, but i'm testing it, can't do harm :)
>
> # pfctl -vvvsTables
> -pa-r-  spamd
>         Addresses:   0
>         Cleared:     Thu Nov 23 18:55:09 2006
>         References:  [ Anchors: 0  Rules: 1 ]
>         Evaluations: [ NoMatch: 8583  Match: 0 ]
>
> > And what is your
> > /usr/local/etc/spamd.conf like?
>
> it's the default (chinese,korean,spamhaus)
>
> you can of course try a customized "rule-set"
>
> see here :
> http://www.benzedrine.cx/relaydb.html
>