From owner-freebsd-pf@FreeBSD.ORG Sat Nov 25 23:35:32 2006
From: "Morgan" (envelope-from pp@pp.dyndns.biz)
Delivered-To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 00:34:41 +0100
Message-ID: <007401c710ea$486fd9f0$152ea8c0@phobos>
In-Reply-To: <82832a960611251357i3aa7f926ufeca7263f869f24e@mail.gmail.com>
Subject: SV: using OpenBSD's spamd on fbsd
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

> documentation isn't the best with the FreeBSD spamd.
>
> I was wondering how it could be logged so I can see if I have
> it set up properly.
>
> I see it in sockstat and I have 9476 addresses blocked. I'm
> just trying to get it logged. In OpenBSD, it seems to do
> this in the /var/log/daemon
>

Do a "touch /var/log/spamd" and add this to /etc/syslog.conf:

!spamd
*.*                                             /var/log/spamd

Then "killall -HUP syslogd" to restart syslog.

/PP

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 00:18:53 2006
From: "Jeremy C. Reed" (envelope-from reed@reedmedia.net)
To: tim m
Cc: freebsd-pf@freebsd.org
Date: Sat, 25 Nov 2006 18:14:46 -0600 (CST)
In-Reply-To: <82832a960611251357i3aa7f926ufeca7263f869f24e@mail.gmail.com>
References: <82832a960611251155p2d7b6c9bud79834fc23c38528@mail.gmail.com> <6a1189840611251305x1662ea9fiaff50baa8210eceb@mail.gmail.com> <82832a960611251357i3aa7f926ufeca7263f869f24e@mail.gmail.com>
Subject: Re: using OpenBSD's spamd on fbsd

> I was wondering how it could be logged so I can see if I have it set up
> properly.

In addition to viewing logs ...

You can also run "spamdb" to see the spamd database.

And run pfctl to show your spamd-white tables.

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 14:21:42 2006
From: "tim m" (envelope-from timsan775@googlemail.com)
To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 14:21:39 +0000
Message-ID: <82832a960611260621t688c69cfrf58118bca964f06a@mail.gmail.com>
References: <82832a960611251155p2d7b6c9bud79834fc23c38528@mail.gmail.com>
Subject: Re: using OpenBSD's spamd on fbsd

I'm really trying to get it working, but so far zero success in catching any spam.

my sockstat is:

nobody   spamd   96373  4  tcp4   192.168.1.65:8025   *:*
nobody   spamd   96373  5  tcp4   127.0.0.1:8026      *:*

(is the 127.0.0.1:8026 right? in /etc/services it says spamd 8026)

my pf.conf is:

ext_if="fxp0"

scrub in all

table <spamd> persist
rdr pass inet proto tcp from <spamd> to any \
    port smtp -> $ext_if port 8025

pass in log on $ext_if proto tcp to any port smtp keep state
pass out log on $ext_if proto tcp to port smtp keep state

telnet 192.168.1.65 8025 works fine.
(the box is behind a router which sends all smtp to this box)

/var/log/spamd shows only:

Nov 26 14:34:32 ebi spamd[95972]: listening for incoming connections.
Nov 26 14:47:59 ebi spamd[95972]: 192.168.1.65: connected (1/0)
Nov 26 14:49:08 ebi spamd[95972]: 192.168.1.65: disconnected after 69 seconds.
Nov 26 14:50:25 ebi spamd[96100]: listening for incoming connections.
Nov 26 14:55:15 ebi spamd[96215]: listening for incoming connections.
Nov 26 15:02:58 ebi spamd[96373]: listening for incoming connections.
I've done:

/usr/local/etc/rc.d/pfspamd start   (the status says it's up and running)
spamd-setup
pfctl -e -f /etc/pf.conf

ebi# pfctl -ss
self tcp 192.168.1.65:50262 -> 64.70.19.33:25       SYN_SENT:CLOSED
self tcp 192.168.1.65:25 <- 194.109.127.152:4635    FIN_WAIT_2:FIN_WAIT_2

ebi# pfctl -t spamd -T show | wc -l
    9476

thus, is there something I've overlooked?

t.

2006/11/26, Massimo Lusetti <mlusetti@gmail.com>:
>
> On 11/25/06, tim m wrote:
> >
> > hello all,
> >
> > I'm looking for experiences from others who have been using OpenBSD's
> > spamd on FreeBSD.
> >
> > Is it working well? Has your spam really been less? And what is your
> > /usr/local/etc/spamd.conf like?
> >
> >
> If you use it as you should you can achieve a lot. We even switched off
> DSPAM.
>
> Regards
> --
> Massimo
> http://meridio.blogspot.com
>

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 15:57:57 2006
From: "Morgan" (envelope-from pp@pp.dyndns.biz)
Delivered-To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 16:57:50 +0100
Message-ID: <00b501c71173$a0c51410$152ea8c0@phobos>
In-Reply-To: <82832a960611260621t688c69cfrf58118bca964f06a@mail.gmail.com>
Subject: SV: using OpenBSD's spamd on fbsd

> I'm really trying to get it working, but so far zero success
> in catching any spam.
>
> my sockstat is:
>
> nobody   spamd   96373  4  tcp4   192.168.1.65:8025   *:*
> nobody   spamd   96373  5  tcp4   127.0.0.1:8026      *:*
>
> (is the 127.0.0.1:8026 right? in /etc/services it says spamd 8026)

My /etc/services looks like this:

spamd           8025/tcp   # spamd(8)
spamd-cfg       8026/tcp   # spamd(8) configuration

8026/tcp is the port spamd-setup uses to configure spamd with new blacklisted
ip-addresses on the fly. If both 8025 and 8026 are called spamd in your
/etc/services it's probably not a good thing.

> my pf.conf is:
>
> ext_if="fxp0"
>
> scrub in all
>
> table <spamd> persist
> rdr pass inet proto tcp from <spamd> to any \
>     port smtp -> $ext_if port 8025
>
> pass in log on $ext_if proto tcp to any port smtp keep state
> pass out log on $ext_if proto tcp to port smtp keep state

These are my relevant parts:

table <spamd> persist
rdr on $ext_if proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
pass in quick on $ext_if inet proto tcp from any to any port { 25, 8025 } flags S/SA keep state

* It's redundant (and probably not correct) to pass the data both in the RDR
  rule and the pass rule further down.
* Your RDR rule lacks data on what interface it should work on. I'm not sure
  if it defaults to ALL interfaces in that case, but you should probably
  specify the external interface.
* I'm redirecting to localhost as was shown in the setup example; it's
  probably a bad idea security-wise, but it works for me. I'm not sure how
  the RDR rule handles a redirect from/to the same interface. Maybe worth a
  try to change that.
* Your pass rule seems to miss the source host "from any". Does pf load this
  without complaining? Guess it doesn't matter anyway since you're passing
  the packets in the RDR rule, which I choose not to do.

> telnet 192.168.1.65 8025 works fine.
> (the box is behind a router which sends all smtp to this box)
>
> /var/log/spamd shows only:
>
> Nov 26 14:34:32 ebi spamd[95972]: listening for incoming connections.
> Nov 26 14:47:59 ebi spamd[95972]: 192.168.1.65: connected (1/0)
> Nov 26 14:49:08 ebi spamd[95972]: 192.168.1.65: disconnected after 69 seconds.
> Nov 26 14:50:25 ebi spamd[96100]: listening for incoming connections.
> Nov 26 14:55:15 ebi spamd[96215]: listening for incoming connections.
> Nov 26 15:02:58 ebi spamd[96373]: listening for incoming connections.

This looks good assuming you telneted from the box itself. By default the
logfile doesn't contain much info on each connection. A few examples from my
log:

Nov 24 09:11:01 gatekeeper spamd[1064]: 222.122.179.234: disconnected after 2 seconds. lists: korea
Nov 24 09:19:38 gatekeeper spamd[1064]: 222.122.179.234: connected (1/1), lists: korea
Nov 24 09:26:16 gatekeeper spamd[1064]: 222.122.179.234: disconnected after 398 seconds. lists: korea
Nov 24 09:49:25 gatekeeper spamd[1064]: 213.41.75.81: connected (1/1), lists: myblack
Nov 24 09:55:53 gatekeeper spamd[1064]: 213.41.75.81: disconnected after 388 seconds. lists: myblack
Nov 24 10:55:58 gatekeeper spamd[1064]: 213.41.75.81: connected (1/1), lists: myblack
Nov 24 11:02:26 gatekeeper spamd[1064]: 213.41.75.81: disconnected after 388 seconds. lists: myblack

You can add pfspamd_flags="-v" to your /etc/rc.conf to have more verbose
logging if you wish, but it's generally not useful unless you want to make
detailed statistics of the blocked mail.

Except for the /etc/pf.conf parts I can't really see that there's anything
wrong with your setup. Unless my suggestions work, I assume you simply
haven't had any connections yet from the addresses in the spamd table.

Regards
PP

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 16:42:01 2006
From: "tim m" (envelope-from timsan775@googlemail.com)
To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 16:41:43 +0000
Message-ID: <82832a960611260841m5843cbb1pf0ea438fac7dd09a@mail.gmail.com>
Subject: ta for the help with spamd
thanks for the help with spamd.

from my /var/log/spamd:

Nov 26 17:06:58 ebi spamd[96373]: 222.84.36.210: disconnected after 3941 seconds. lists: china
Nov 26 17:07:02 ebi spamd[96373]: 220.77.103.191: disconnected after 4 seconds. lists: korea
Nov 26 17:10:33 ebi spamd[96373]: 221.8.172.1: connected (1/1), lists: china
Nov 26 17:17:45 ebi spamd[96373]: 221.8.172.1: disconnected after 432 seconds. lists: china
Nov 26 17:24:50 ebi spamd[97497]: listening for incoming connections.
Nov 26 17:25:11 ebi spamd[97497]: 61.75.177.176: connected (1/1), lists: korea
Nov 26 17:25:14 ebi spamd[97497]: 61.75.177.176: disconnected after 3 seconds. lists: korea
Nov 26 17:31:51 ebi spamd[97497]: 24.3.185.61: connected (1/1), lists: spews1 spews2
Nov 26 17:31:54 ebi spamd[97497]: 24.3.185.61: disconnected after 3 seconds. lists: spews1 spews2

it's looking good :)

Two quick questions though:

in /usr/local/etc/spamd.conf .. are the blocks for China and Korea for every
IP-number in those countries?

And I can imagine that the blacklist does change; do you need to set up a
crontab to update spamd-setup, like once a day?

t.
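Morgan's sample log and tim's log above carry everything needed for the "detailed statistics of the blocked mail" Morgan mentions. This is an added example, not code from the thread or from spamd: it parses the two per-connection line shapes spamd writes to syslog, then tallies sessions and time held per blacklist; the embedded log lines are constructed from the ones quoted in the thread.

```python
import re
from collections import defaultdict

# The two per-connection line shapes seen in the thread:
#   <ts> <host> spamd[<pid>]: <ip>: connected (<clients>/<blacklisted>), lists: <names>
#   <ts> <host> spamd[<pid>]: <ip>: disconnected after <n> seconds. lists: <names>
# The "lists:" tail is absent when the peer is on no list (tim's own telnet test).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) spamd\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?:(?P<conn>connected) \((?P<cur>\d+)/(?P<black>\d+)\)"
    r"|(?P<disc>disconnected) after (?P<secs>\d+) seconds\.)"
    r"(?:,? lists: (?P<lists>.+))?$"
)

# Constructed sample: lines quoted in the thread, concatenated into one log.
SAMPLE_LOG = """\
Nov 26 14:34:32 ebi spamd[95972]: listening for incoming connections.
Nov 26 14:47:59 ebi spamd[95972]: 192.168.1.65: connected (1/0)
Nov 26 14:49:08 ebi spamd[95972]: 192.168.1.65: disconnected after 69 seconds.
Nov 26 17:06:58 ebi spamd[96373]: 222.84.36.210: disconnected after 3941 seconds. lists: china
Nov 26 17:07:02 ebi spamd[96373]: 220.77.103.191: disconnected after 4 seconds. lists: korea
Nov 26 17:10:33 ebi spamd[96373]: 221.8.172.1: connected (1/1), lists: china
Nov 26 17:17:45 ebi spamd[96373]: 221.8.172.1: disconnected after 432 seconds. lists: china
Nov 26 17:31:51 ebi spamd[97497]: 24.3.185.61: connected (1/1), lists: spews1 spews2
Nov 26 17:31:54 ebi spamd[97497]: 24.3.185.61: disconnected after 3 seconds. lists: spews1 spews2
""".splitlines()


def parse_line(line):
    """Return a dict for a connection event, or None for any other line
    (e.g. 'listening for incoming connections.')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ev = {
        "ts": d["ts"],
        "ip": d["ip"],
        "pid": int(d["pid"]),
        "event": "connected" if d["conn"] else "disconnected",
        # several lists may apply to one address ("spews1 spews2")
        "lists": tuple(d["lists"].split()) if d["lists"] else (),
    }
    if ev["event"] == "disconnected":
        ev["seconds"] = int(d["secs"])
    else:
        # counters as spamd prints them: current clients / of which blacklisted
        ev["current"] = int(d["cur"])
        ev["blacklisted"] = int(d["black"])
    return ev


def summarize(lines):
    """Per blacklist: how many sessions ended and how long spamd held them
    in total. Sessions from addresses on no list are counted as 'unlisted'."""
    stats = defaultdict(lambda: {"sessions": 0, "seconds_held": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "disconnected":
            continue
        for name in ev["lists"] or ("unlisted",):
            stats[name]["sessions"] += 1
            stats[name]["seconds_held"] += ev["seconds"]
    return dict(stats)


if __name__ == "__main__":
    for name, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:10s} sessions={s['sessions']:3d} held={s['seconds_held']:6d}s")
```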
From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 17:16:51 2006
From: Odhiambo Washington (envelope-from wash@wananchi.com)
To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 20:13:24 +0300
Message-ID: <20061126171324.GA55309@ns2.wananchi.com>
In-Reply-To: <82832a960611260841m5843cbb1pf0ea438fac7dd09a@mail.gmail.com>
References: <82832a960611260841m5843cbb1pf0ea438fac7dd09a@mail.gmail.com>
Subject: Re: ta for the help with spamd

* On 26/11/06 16:41 +0000, tim m wrote:
| thanks for the help with spamd.
|
| from my /var/log/spamd:
|
| Nov 26 17:06:58 ebi spamd[96373]: 222.84.36.210: disconnected after 3941 seconds. lists: china
| Nov 26 17:07:02 ebi spamd[96373]: 220.77.103.191: disconnected after 4 seconds. lists: korea
| Nov 26 17:10:33 ebi spamd[96373]: 221.8.172.1: connected (1/1), lists: china
| Nov 26 17:17:45 ebi spamd[96373]: 221.8.172.1: disconnected after 432 seconds. lists: china
| Nov 26 17:24:50 ebi spamd[97497]: listening for incoming connections.
| Nov 26 17:25:11 ebi spamd[97497]: 61.75.177.176: connected (1/1), lists: korea
| Nov 26 17:25:14 ebi spamd[97497]: 61.75.177.176: disconnected after 3 seconds. lists: korea
| Nov 26 17:31:51 ebi spamd[97497]: 24.3.185.61: connected (1/1), lists: spews1 spews2
| Nov 26 17:31:54 ebi spamd[97497]: 24.3.185.61: disconnected after 3 seconds. lists: spews1 spews2
|
| it's looking good :)
|
| Two quick questions though:
|
| in /usr/local/etc/spamd.conf .. are the blocks for China and Korea for every
| IP-number in those countries?

Out of curiosity, your organization does not do any business with China
and Korea?

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
|\      _,,,---,,_          | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_  | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-' | Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)      | GSM: +254 722 743223   +254 733 744121
+======================================================================+

Using TSO is like kicking a dead whale down the beach.
  -- S. C. Johnson

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 17:18:58 2006
From: "Morgan" (envelope-from pp@pp.dyndns.biz)
Delivered-To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 18:17:32 +0100
Message-ID: <00b601c7117e$c22b7d50$152ea8c0@phobos>
In-Reply-To: <82832a960611260841m5843cbb1pf0ea438fac7dd09a@mail.gmail.com>
Subject: SV: ta for the help with spamd

> Two quick questions though:
>
> in /usr/local/etc/spamd.conf .. are the blocks for China and
> Korea for every IP-number in those countries?

No, the blocks only include the addresses that have been identified as
spammers according to the rules defined by each blacklister.

> And I can imagine that the blacklist does change, do you
> need to setup a crontab to update spamd-setup like once a day?

Yes, a /usr/local/sbin/spamd-setup in crontab once an hour would be a good
thing.

/PP

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 26 17:21:40 2006
From: "tim m" (envelope-from timsan775@googlemail.com)
To: freebsd-pf@freebsd.org
Date: Sun, 26 Nov 2006 17:20:11 +0000
Message-ID: <82832a960611260920s5cba03e2i70eec2d1782b3a1b@mail.gmail.com>
In-Reply-To: <20061126171324.GA55309@ns2.wananchi.com>
References: <82832a960611260841m5843cbb1pf0ea438fac7dd09a@mail.gmail.com> <20061126171324.GA55309@ns2.wananchi.com>
Subject: Re: ta for the help with spamd

well, yes. With China, which is the reason I took out off of the Chinese IP
block. Seems a little extreme, but they should get the message ... someday.

t.

2006/11/26, Odhiambo Washington:
>
> * On 26/11/06 16:41 +0000, tim m wrote:
> | thanks for the help with spamd.
> |
> | from my /var/log/spamd:
> |
> | Nov 26 17:06:58 ebi spamd[96373]: 222.84.36.210: disconnected after 3941 seconds. lists: china
> | Nov 26 17:07:02 ebi spamd[96373]: 220.77.103.191: disconnected after 4 seconds. lists: korea
> | Nov 26 17:10:33 ebi spamd[96373]: 221.8.172.1: connected (1/1), lists: china
> | Nov 26 17:17:45 ebi spamd[96373]: 221.8.172.1: disconnected after 432 seconds. lists: china
> | Nov 26 17:24:50 ebi spamd[97497]: listening for incoming connections.
> | Nov 26 17:25:11 ebi spamd[97497]: 61.75.177.176: connected (1/1), lists: korea
> | Nov 26 17:25:14 ebi spamd[97497]: 61.75.177.176: disconnected after 3 seconds. lists: korea
> | Nov 26 17:31:51 ebi spamd[97497]: 24.3.185.61: connected (1/1), lists: spews1 spews2
> | Nov 26 17:31:54 ebi spamd[97497]: 24.3.185.61: disconnected after 3 seconds. lists: spews1 spews2
> |
> | it's looking good :)
> |
> | Two quick questions though:
> |
> | in /usr/local/etc/spamd.conf .. are the blocks for China and Korea for every
> | IP-number in those countries?
>
>
> Out of curiosity, your organization does not do any business with China
> and Korea?
>
> -Wash
>
> http://www.netmeister.org/news/learn2quote.html
>
> DISCLAIMER: See http://www.wananchi.com/bms/terms.php
>

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 27 11:09:25 2006
Date: Mon, 27 Nov 2006 11:08:35 GMT
Message-Id: <200611271108.kARB8Zrm092041@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp.   Description
--------------------------------------------------------------------------------
o kern/82271    pf      [pf] cbq scheduler cause bad latency
o kern/92949    pf      [pf] PF + ALTQ problems with latency
o sparc/93530   pf      Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker       Resp.   Description
--------------------------------------------------------------------------------
f conf/81042    pf      [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825    pf      [pf] pf reply-to doesn't work
o kern/103304   pf      pf accepts nonexistent queue in rules

3 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 27 18:42:44 2006
From: Tom Judge (envelope-from tom@tomjudge.com)
To: freebsd-pf@freebsd.org
Date: Mon, 27 Nov 2006 18:00:39 +0000
Message-ID: <456B27C7.4030704@tomjudge.com>
Subject: PF and ALTQ queue option.

Hi,

I am looking at using cbq to prioritise video conference traffic over all of
the rest of the traffic crossing our VPN. I was just wondering if the
following configuration would do this (the VPN link is 2Mbit, and I will be
running pf+altq at both ends of the link).
altq on em0 cbq qbandwidth 2Mb queue { normal, vidconf } queue normal bandwidth 1Mb priority 0 cbq(ecn) queue vidconf bandwidth 1Mb priority 1 cbq(ecn) pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf pass in on em0 from any to any queue normal pass out on em0 from any to any queue normal pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 The main question I have is which queue will the traffic between 10.0.0.123 and 172.17.0.123. In the pf world it would seem it gets queued in normal, is this correct? if it is i guess i have to invert the rules like so: pass in on em0 from any to any queue normal pass out on em0 from any to any queue normal pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf Thanks Tom From owner-freebsd-pf@FreeBSD.ORG Mon Nov 27 20:24:59 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5C2C216A47B for ; Mon, 27 Nov 2006 20:24:59 +0000 (UTC) (envelope-from linux@giboia.org) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FE6E456BA for ; Mon, 27 Nov 2006 18:59:48 +0000 (GMT) (envelope-from linux@giboia.org) Received: by wr-out-0506.google.com with SMTP id i28so242048wra for ; Mon, 27 Nov 2006 11:00:49 -0800 (PST) Received: by 10.78.204.7 with SMTP id b7mr13561828hug.1164654047246; Mon, 27 Nov 2006 11:00:47 -0800 (PST) Received: by 10.78.175.17 with HTTP; Mon, 27 Nov 2006 11:00:46 -0800 (PST) Message-ID: <6e6841490611271100t8f21e29ic4d4810f389c6fef@mail.gmail.com> Date: Mon, 27 Nov 2006 17:00:46 -0200 From: "Gilberto Villani Brito" To: "FreeBSD (PF)" In-Reply-To: <456B27C7.4030704@tomjudge.com> MIME-Version: 1.0 Content-Type: 
text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <456B27C7.4030704@tomjudge.com> Subject: Re: PF and ALTQ queue option. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Nov 2006 20:24:59 -0000 Correct, you need use your second example. Gilberto 2006/11/27, Tom Judge : > Hi, > > I am looking at using cbq to prioritise video conference traffic over > all of the rest of the traffic crossing our VPN. I was just wondering > if the following configuration would to this (The vpn link is 2Mbit, in > I will be running pf+altq at both ends of the link). > > > > altq on em0 cbq qbandwidth 2Mb queue { normal, vidconf } > queue normal bandwidth 1Mb priority 0 cbq(ecn) > queue vidconf bandwidth 1Mb priority 1 cbq(ecn) > > pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf > pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf > > pass in on em0 from any to any queue normal > pass out on em0 from any to any queue normal > > pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 > pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 > > > The main question I have is which queue will the traffic between > 10.0.0.123 and 172.17.0.123. In the pf world it would seem it gets > queued in normal, is this correct? 
if it is i guess i have to invert the > rules like so: > > pass in on em0 from any to any queue normal > pass out on em0 from any to any queue normal > > pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf > pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf > > > Thanks > > Tom > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Mon Nov 27 22:24:59 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EF1E516A47B for ; Mon, 27 Nov 2006 22:24:59 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7066543EBE for ; Mon, 27 Nov 2006 21:59:02 +0000 (GMT) (envelope-from tom@tomjudge.com) Received: from [172.23.170.142] (helo=anti-virus02-09) by smtp-out4.blueyonder.co.uk with smtp (Exim 4.52) id 1GooWB-0003A9-Bg; Mon, 27 Nov 2006 22:00:03 +0000 Received: from [82.43.34.109] (helo=[192.168.0.2]) by asmtp-out2.blueyonder.co.uk with esmtp (Exim 4.52) id 1GooW7-0007NX-P1; Mon, 27 Nov 2006 21:59:59 +0000 Message-ID: <456B619D.5000703@tomjudge.com> Date: Mon, 27 Nov 2006 22:07:25 +0000 From: Tom Judge User-Agent: Thunderbird 1.5.0.7 (X11/20060922) MIME-Version: 1.0 To: Gilberto Villani Brito References: <456B27C7.4030704@tomjudge.com> <6e6841490611271100t8f21e29ic4d4810f389c6fef@mail.gmail.com> In-Reply-To: <6e6841490611271100t8f21e29ic4d4810f389c6fef@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "FreeBSD \(PF\)" Subject: Re: PF and ALTQ queue option. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Nov 2006 22:25:00 -0000 Gilberto Villani Brito wrote: > Correct, you need use your second example. > > Gilberto > Thanks, I have another query, if the last rule does not include a queue directive will the the traffic pass through altq or will it just pass thought the system bypassing the queue (see example rules below)? Thanks Tom pass in on em0 from any to any queue normal pass out on em0 from any to any queue normal pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 > 2006/11/27, Tom Judge : >> Hi, >> >> I am looking at using cbq to prioritise video conference traffic over >> all of the rest of the traffic crossing our VPN. I was just wondering >> if the following configuration would to this (The vpn link is 2Mbit, in >> I will be running pf+altq at both ends of the link). >> >> >> >> altq on em0 cbq qbandwidth 2Mb queue { normal, vidconf } >> queue normal bandwidth 1Mb priority 0 cbq(ecn) >> queue vidconf bandwidth 1Mb priority 1 cbq(ecn) >> >> pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf >> pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf >> >> pass in on em0 from any to any queue normal >> pass out on em0 from any to any queue normal >> >> pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 >> pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 >> >> >> The main question I have is which queue will the traffic between >> 10.0.0.123 and 172.17.0.123. In the pf world it would seem it gets >> queued in normal, is this correct? 
if it is i guess i have to invert the >> rules like so: >> >> pass in on em0 from any to any queue normal >> pass out on em0 from any to any queue normal >> >> pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf >> pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf >> >> From owner-freebsd-pf@FreeBSD.ORG Tue Nov 28 06:43:19 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A402516A416 for ; Tue, 28 Nov 2006 06:43:19 +0000 (UTC) (envelope-from artem@aws-net.org.ua) Received: from saturn.interami.com (saturn.interami.com [193.41.48.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FA7443CC4 for ; Tue, 28 Nov 2006 06:41:48 +0000 (GMT) (envelope-from artem@aws-net.org.ua) Received: from sigma.interami.com (sigma.interami.com [193.41.48.133]) by saturn.interami.com (8.13.1/8.13.1) with ESMTP id kAS6fS8j026133; Tue, 28 Nov 2006 08:41:28 +0200 (EET) (envelope-from artem@aws-net.org.ua) Received: from 85.90.193.58 (SquirrelMail authenticated user artem) by sigma.interami.com with HTTP; Tue, 28 Nov 2006 08:41:33 +0200 (EET) Message-ID: <57950.85.90.193.58.1164696093.squirrel@sigma.interami.com> In-Reply-To: <456B619D.5000703@tomjudge.com> References: <456B27C7.4030704@tomjudge.com> <6e6841490611271100t8f21e29ic4d4810f389c6fef@mail.gmail.com> <456B619D.5000703@tomjudge.com> Date: Tue, 28 Nov 2006 08:41:33 +0200 (EET) From: "Artyom Viklenko" To: "Tom Judge" User-Agent: SquirrelMail/1.4.8 MIME-Version: 1.0 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Spam-Status: No, score=-0.3 required=8.0 tests=AWL autolearn=disabled version=3.1.4 X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on saturn.interami.com X-Antivirus: Dr.Web (R) for Mail Servers on saturn.interami.com host X-Antivirus-Code: 100000 X-Mailman-Approved-At: Tue, 28 Nov 2006 
12:42:18 +0000 Cc: "FreeBSD " "@saturn.interami.com Subject: Re: PF and ALTQ queue option. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Nov 2006 06:43:19 -0000 > Gilberto Villani Brito wrote: >> Correct, you need use your second example. >> >> Gilberto >> > > Thanks, I have another query, if the last rule does not include a queue > directive will the the traffic pass through altq or will it just pass > thought the system bypassing the queue (see example rules below)? You can define default queue in your config and all rules without queue will be linked to this default queue on egress interface: altq on em0 cbq qbandwidth 2Mb queue { normal, vidconf } queue normal bandwidth 1Mb priority 0 cbq(ecn default) queue vidconf bandwidth 1Mb priority 1 cbq(ecn) > > > Thanks > > Tom > > pass in on em0 from any to any queue normal > pass out on em0 from any to any queue normal > > pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf > pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf > > pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 > pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 > > > >> 2006/11/27, Tom Judge : >>> Hi, >>> >>> I am looking at using cbq to prioritise video conference traffic over >>> all of the rest of the traffic crossing our VPN. I was just wondering >>> if the following configuration would to this (The vpn link is 2Mbit, in >>> I will be running pf+altq at both ends of the link). 
>>> >>> >>> >>> altq on em0 cbq qbandwidth 2Mb queue { normal, vidconf } >>> queue normal bandwidth 1Mb priority 0 cbq(ecn) >>> queue vidconf bandwidth 1Mb priority 1 cbq(ecn) >>> >>> pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf >>> pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf >>> >>> pass in on em0 from any to any queue normal >>> pass out on em0 from any to any queue normal >>> >>> pass in quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 >>> pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 >>> >>> >>> The main question I have is which queue will the traffic between >>> 10.0.0.123 and 172.17.0.123. In the pf world it would seem it gets >>> queued in normal, is this correct? if it is i guess i have to invert >>> the >>> rules like so: >>> >>> pass in on em0 from any to any queue normal >>> pass out on em0 from any to any queue normal >>> >>> pass in on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf >>> pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf >>> >>> > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- Sincerely yours, Artyom Viklenko. 
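A model of the rule evaluation this thread is asking about, added here as an example; it is not pf code and not from any of the posts. Two statements in pf.conf(5) settle Tom's question: the last matching rule wins unless a matching rule is marked quick, and exactly one queue must be flagged default, which is where packets whose winning rule names no queue end up. Queueing itself happens only as packets leave an interface; a queue named on an in rule is remembered in the state, so the connection's packets are queued when they go out on em0. Run against the rulesets as posted, the model shows that in both orderings the two quick VPN catch-alls are the last rules to match the 10.0.0.123 to 172.17.0.123 flow and carry no queue, so with normal as the default that flow is queued in normal, not vidconf. Only the four-rule version without the quick rules (the one Gilberto confirmed) or the suggested ordering below, which puts the specific rules first with quick and names a queue on every rule, keeps it in vidconf. POSTED_FIRST, POSTED_SECOND, SUGGESTED, queue_report and the sample packets are this example's own names.

```python
"""How pf picks a packet's queue, modelled for this thread.  Added example,
not pf code and not from the posts.  Reproduced from pf.conf(5): rules are
evaluated top to bottom and the LAST matching rule wins unless a matching
rule says "quick", which ends evaluation at once; the winning rule's "queue"
keyword assigns the queue; a winning rule without "queue" (or no matching
rule at all, which pf passes by default) means the queue flagged "default".
Only the syntax used in the thread is parsed; states, ports and block rules
are deliberately left out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    iface: str
    src: str                  # host, CIDR or "any"
    dst: str
    queue: Optional[str]      # None when the rule carries no queue keyword
    quick: bool


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse 'pass (in|out) [quick] on IFACE from SRC to DST [queue NAME]'."""
    tok = line.split()
    if not tok or tok[0] != "pass":
        raise ValueError("only pass rules are modelled: %r" % line)
    return Rule(direction=tok[1], iface=tok[tok.index("on") + 1],
                src=tok[tok.index("from") + 1], dst=tok[tok.index("to") + 1],
                queue=tok[tok.index("queue") + 1] if "queue" in tok else None,
                quick="quick" in tok)


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst))


def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Last match wins; a matching 'quick' rule wins on the spot."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def selected_queue(rules: List[Rule], pkt: Packet, default_queue: str) -> str:
    rule = winning_rule(rules, pkt)
    return rule.queue if rule is not None and rule.queue else default_queue


# Rule orderings as posted: the first message, and the second message with
# the two quick rules still following the vidconf rules.
POSTED_FIRST = """
pass in  on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf
pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf
pass in  on em0 from any to any queue normal
pass out on em0 from any to any queue normal
pass in  quick on em0 from 172.17.0.0/16 to 10.0.0.0/16
pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16
"""
POSTED_SECOND = """
pass in  on em0 from any to any queue normal
pass out on em0 from any to any queue normal
pass in  on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf
pass out on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf
pass in  quick on em0 from 172.17.0.0/16 to 10.0.0.0/16
pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16
"""
# This example's suggestion: specific rules first and quick, so no later rule
# can take the flow away from vidconf, and the VPN catch-all names its queue.
SUGGESTED = """
pass in  quick on em0 from 172.17.0.123 to 10.0.0.123 queue vidconf
pass out quick on em0 from 10.0.0.123 to 172.17.0.123 queue vidconf
pass in  quick on em0 from 172.17.0.0/16 to 10.0.0.0/16 queue normal
pass out quick on em0 from 10.0.0.0/16 to 172.17.0.0/16 queue normal
"""
VIDEO_OUT = Packet("out", "em0", "10.0.0.123", "172.17.0.123")
VIDEO_IN = Packet("in", "em0", "172.17.0.123", "10.0.0.123")
OTHER_OUT = Packet("out", "em0", "10.0.0.7", "172.17.0.9")


def queue_report(pkt: Packet = VIDEO_OUT, default_queue: str = "normal") -> dict:
    """Queue the packet lands in under each of the three rulesets."""
    return {name: selected_queue(load_rules(text), pkt, default_queue)
            for name, text in (("posted_first", POSTED_FIRST),
                               ("posted_second", POSTED_SECOND),
                               ("suggested", SUGGESTED))}


if __name__ == "__main__":
    for name, q in queue_report().items():
        print("%-13s 10.0.0.123 -> 172.17.0.123 leaves em0 in queue %r" % (name, q))
```

The same evaluation applies to any pf ruleset: whenever a later rule without quick, or a quick rule anywhere, matches a superset of an earlier rule's traffic, the earlier rule's queue assignment is lost.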
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 28 20:25:27 2006
From: Gilberto Villani Brito <linux@giboia.org>
To: FreeBSD (PF) <freebsd-pf@freebsd.org>
Date: Tue, 28 Nov 2006 18:17:27 -0200
Message-ID: <6e6841490611281217o1c9bfcd3x7515bf6ce34038ee@mail.gmail.com>
Subject: HFSC.

I have these rules working:

altq on em0 hfsc bandwidth 100% queue net_em0
queue net_em0 bandwidth 30Mb hfsc(red realtime 30Mb upperlimit 30Mb) { voip_em0 net1_em0 inquima_em0 \
                                                                         ibilink_em0 flextv_em0 }
queue voip_em0 bandwidth 64Kb priority 7 hfsc(red realtime 64Kb upperlimit 64Kb)
queue flextv_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb)
queue inquima_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb) \
                                                                         { inquimavoip_em0 inquimatraf_em0 }
queue inquimavoip_em0 bandwidth 128Kb priority 7 hfsc(red realtime 128Kb upperlimit 256Kb)
queue inquimatraf_em0 bandwidth 128Kb priority 1 hfsc(red realtime 128Kb upperlimit 256Kb)
queue ibilink_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb)
queue net1_em0 bandwidth 16Mb priority 1 hfsc(default)

And my firewall works very well, but if I put in one more rule like this:

altq on em0 hfsc bandwidth 100% queue net_em0
queue net_em0 bandwidth 30Mb hfsc(red realtime 30Mb upperlimit 30Mb) { voip_em0 net1_em0 inquima_em0 cliente_em0 \
                                                                         ibilink_em0 flextv_em0 }
queue voip_em0 bandwidth 64Kb priority 7 hfsc(red realtime 64Kb upperlimit 64Kb)
queue flextv_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb)
queue inquima_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb) \
                                                                         { inquimavoip_em0 inquimatraf_em0 }
queue inquimavoip_em0 bandwidth 128Kb priority 7 hfsc(red realtime 128Kb upperlimit 256Kb)
queue inquimatraf_em0 bandwidth 128Kb priority 1 hfsc(red realtime 128Kb upperlimit 256Kb)
queue ibilink_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb)
new=> queue cliente_em0 bandwidth 128Kb priority 1 hfsc(realtime 128Kb upperlimit 128Kb)
queue net1_em0 bandwidth 16Mb priority 1 hfsc(default)

My firewall begins to show "No buffer space available" in ping and my
traffic goes down. I think this problem is with my limits, but where
can I see this??

Gilberto

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 28 21:33:03 2006
From: Charles Lacroix <clacroix@cegep-ste-foy.qc.ca>
To: freebsd-pf@freebsd.org
Date: Tue, 28 Nov 2006 16:32:05 -0500
Message-Id: <200611281632.05280.clacroix@cegep-ste-foy.qc.ca>
Subject: Question about pf

Hi, I read some of the pf.conf man page and I found something really
neat for my servers.
It's not 100% what I need but very close, and I was hoping you pf gurus
could help me out with this one. I have created the following rules and
I have 2 small problems.

table <badhosts> persist
block quick on $ext_if proto tcp from <badhosts> to $external_addr port 23
pass in on $ext_if proto tcp to $external_addr port 23 flags S/SA modulate \
    state (max-src-conn-rate 5/60, overload <badhosts> flush global)

1. What I wanted to do is make sure the IPs get unbanned after, let's
   say, 30 minutes or so.

2. When my IP gets into badhosts, most of my current ssh connections
   hang. It's kinda strange since my block rule is specific to the
   telnet port.

Any ideas/comments?

Thanks
Charles

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 28 21:45:21 2006
From: Jon Simola <jsimola@gmail.com>
To: Charles Lacroix
Cc: freebsd-pf@freebsd.org
Date: Tue, 28 Nov 2006 13:45:14 -0800
Message-ID: <8eea04080611281345m5a2587a8i8acfe5a0d219a8f3@mail.gmail.com>
In-Reply-To: <200611281632.05280.clacroix@cegep-ste-foy.qc.ca>
Subject: Re: Question about pf

On 11/28/06, Charles Lacroix wrote:
> table <badhosts> persist
> block quick on $ext_if proto tcp from <badhosts> to $external_addr port 23
> pass in on $ext_if proto tcp to $external_addr port 23 flags S/SA modulate \
>     state (max-src-conn-rate 5/60, overload <badhosts> flush global)
>
> 1. What I wanted to do is make sure the IPs get unbanned after, let's
>    say, 30 minutes or so.

You need an external utility, http://expiretable.fnord.se/ is one I've
looked at, there are a couple other similar ones.

> 2. When my IP gets into badhosts, most of my current ssh connections
>    hang. It's kinda strange since my block rule is specific to the
>    telnet port.

That's exactly what you've asked pf to do with "flush global"

-- 
Jon

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 29 12:42:51 2006
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Wed, 29 Nov 2006 13:42:19 +0100
Message-ID: <87y7puxw44.fsf@thingy.datadok.no>
In-Reply-To: <8eea04080611281345m5a2587a8i8acfe5a0d219a8f3@mail.gmail.com>
Subject: Re: Question about pf

"Jon Simola" writes:

> You need an external utility, http://expiretable.fnord.se/ is one I've
> looked at, there are a couple other similar ones.

expiretable is in ports too, as /usr/ports/security/expiretable

From: Charles Lacroix <clacroix@cegep-ste-foy.qc.ca>
To: freebsd-pf@freebsd.org
Date: Wed, 29 Nov 2006 12:01:19 -0500
Message-Id: <200611291201.19887.clacroix@cegep-ste-foy.qc.ca>
In-Reply-To: <87y7puxw44.fsf@thingy.datadok.no>
Subject: Re: Question about pf

On Wednesday 29 November 2006 07:42, Peter N. M. Hansteen wrote:
> expiretable is in ports too, as /usr/ports/security/expiretable

Great, I installed it and went to your "pseudo html type/shameless" and
it's exactly what I wanted to do. I'm testing it out this week, and next
week, if everything is working like expected, I will push this into
production.

Thanks a lot for the quick answer.

Charles
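An added example, in Python so the selection logic is visible, of the table-expiry job Charles asked for; it is not expiretable's code and not from the thread. It parses the per-address statistics that pfctl -t badhosts -vT show prints, where the Cleared: line records when an address entered the table or last had its counters zeroed, and returns the pfctl -T delete commands for entries older than 30 minutes, which a cron job would then run. Later pfctl releases do the same natively with pfctl -t badhosts -T expire 1800. On Charles' second problem, the hardened rule simply drops the word global: pf.conf(5) defines flush as killing the states created by the matching rule from the offending host, while flush global kills every state from that host regardless of rule, which is why the ssh sessions hang. SAMPLE, NOW and the function names below are this example's own, and the output layout the regexes expect is an assumption to check against your pfctl.

```python
"""Age out entries of a pf table, as expiretable does, written as an added
example for this thread; it is not expiretable's code and not from the posts.
It reads the per-address statistics that 'pfctl -t badhosts -vT show' prints
(the 'Cleared:' line is when the address was added or last had its counters
cleared), selects the addresses older than a limit and returns the
'pfctl -T delete' commands that remove them.  SAMPLE is constructed, and the
layout the regexes expect is this example's assumption about pfctl's output."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ADDR = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f.:]+(?:/\d+)?)\s*$")
CLEARED = re.compile(r"Cleared:\s+(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})")
INBLOCK = re.compile(r"In/Block:\s*\[\s*Packets:\s*(?P<pkts>\d+)")


@dataclass
class Entry:
    addr: str
    cleared: Optional[datetime] = None   # None if pfctl printed no timestamp
    in_block_pkts: int = 0               # inbound packets the block rule ate


def parse_table(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ADDR.match(line)
        if m:
            entries.append(Entry(m["addr"]))
            continue
        if not entries:
            continue
        m = CLEARED.search(line)
        if m:
            entries[-1].cleared = datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y")
        m = INBLOCK.search(line)
        if m:
            entries[-1].in_block_pkts = int(m["pkts"])
    return entries


def expired(entries: List[Entry], now: datetime, max_age: timedelta) -> List[str]:
    """Addresses whose 'Cleared' time is at least max_age before now.  Entries
    without a timestamp are kept: never delete what you cannot date."""
    return [e.addr for e in entries if e.cleared is not None and now - e.cleared >= max_age]


def delete_commands(table: str, addrs: List[str]) -> List[str]:
    return ["pfctl -t %s -T delete %s" % (table, a) for a in addrs]


def plan(text: str, now: datetime, max_age_minutes: int,
         table: str = "badhosts") -> Tuple[List[str], List[str]]:
    """(expired addresses, pfctl commands) for one run; the commands are only
    returned, so they can be reviewed before cron runs them."""
    old = expired(parse_table(text), now, timedelta(minutes=max_age_minutes))
    return old, delete_commands(table, old)


# Constructed sample in the layout of 'pfctl -t badhosts -vT show'.
SAMPLE = """\
   192.0.2.10
        Cleared:     Tue Nov 28 16:10:05 2006
        In/Block:    [ Packets: 37                 Bytes: 2220               ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.4
        Cleared:     Tue Nov 28 16:30:00 2006
        In/Block:    [ Packets: 5                  Bytes: 300                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   203.0.113.77
        Cleared:     Tue Nov 28 16:52:41 2006
        In/Block:    [ Packets: 12                 Bytes: 720                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""
NOW = datetime(2006, 11, 28, 17, 0, 0)   # fixed clock so the run is reproducible

if __name__ == "__main__":
    old, cmds = plan(SAMPLE, NOW, 30)
    print("expired after 30 minutes:", old)
    print("\n".join(cmds))
```

In production the text comes from running pfctl and the clock from datetime.now(); keep the 30-minute limit comfortably longer than the 60-second window of max-src-conn-rate, or a host still probing will be re-added immediately after each deletion.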
From: Max Laier
Date: Wed, 29 Nov 2006 19:33:06 +0100
Message-Id: <200611291933.12705.max@love2party.net>
In-Reply-To: <6e6841490611281217o1c9bfcd3x7515bf6ce34038ee@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: HFSC.

On Tuesday 28 November 2006 21:17, Gilberto Villani Brito wrote:
> My firewall begins to show "No buffer space available" in ping and my
> traffic goes down. I think this problem is with my limits, but where
> can I see this??

Just to this last question: pfctl -vvsq will give you a "live" update of
the queue statistics. There is also pftop from ports which also has a
nice display mode for queue stats.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Nov 29 20:42:59 2006
From: Gilberto Villani Brito <linux@giboia.org>
To: FreeBSD (PF) <freebsd-pf@freebsd.org>
Date: Wed, 29 Nov 2006 18:42:55 -0200
Message-ID: <6e6841490611291242n422935bdia08d4c0f36b0a5bc@mail.gmail.com>
In-Reply-To: <200611291933.12705.max@love2party.net>
Subject: Re: HFSC.

I don't have a rule for cliente_em0, why are the packets passing through
this rule???

queue root_em0 bandwidth 1Gb priority 0 {net_em0}
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue net_em0 bandwidth 16Mb {voip_em0, flextv_em0, inquima_em0, ibilink_em0, cliente_em0, net1_em0}
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue voip_em0 bandwidth 64Kb priority 7 hfsc( red upperlimit 64Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue flextv_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue inquima_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb ) {inquimavoip_em0, inquimatraf_em0}
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue inquimavoip_em0 bandwidth 128Kb priority 7 hfsc( red upperlimit 256Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue inquimatraf_em0 bandwidth 128Kb hfsc( red upperlimit 256Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue ibilink_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb )
  [ pkts: 0  bytes: 0  dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
queue cliente_em0 bandwidth 128Kb priority 7 hfsc( upperlimit 128Kb )
  [ pkts: 1201  bytes: 1028312  dropped pkts: 51 bytes: 44818 ]
  [ qlength: 40/ 50 ]
queue net1_em0 bandwidth 14Mb hfsc( default )
  [ pkts: 50710  bytes: 11528763  dropped pkts: 36854 bytes: 7844117 ]
  [ qlength: 44/ 50 ]

Gilberto Villani Brito

2006/11/29, Max Laier :
> Just to this last question: pfctl -vvsq will give you a "live" update of
> the queue statistics. There is also pftop from ports which also has a
> nice display mode for queue stats.
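A reader for that pfctl -vvsq listing, added as an example (not pf's code and not from the posts) of the check Max Laier points to. SAMPLE is the listing above with pfctl's line breaks restored; the exact layout the regexes expect is an assumption about pfctl's output format. It shows which queues are actually dropping: cliente_em0 has refused 51 of 1252 packets (4%) and holds 40 of its 50 slots, and the default queue net1_em0 has refused 36854 of 87564 (42%) with 44 of 50 slots in use. A sender on the firewall itself, such as ping, sees such a drop as ENOBUFS, "No buffer space available". The example also sums each parent's children against the parent's bandwidth, which this listing passes, and flags a constructed oversubscribed tree. Two things the listing shows that the posted pf.conf does not are worth checking before tuning: the loaded tree has net_em0 at 16Mb and net1_em0 at 14Mb where the file says 30Mb and 16Mb, and cliente_em0 carries priority 7 with no realtime curve where the file says priority 1 and realtime 128Kb, so the queues pf is running are not the ones in the file shown and pfctl -sq should be compared with it. As for traffic reaching a queue no rule names, one possibility is that states keep the numeric queue id they got when created, and those ids are handed out in definition order at load time, so states created before cliente_em0 was inserted can now resolve to it; flushing states after a queue change (pfctl -F states) rules that out.

```python
"""Reader for the per-queue counters that 'pfctl -vvsq' (or 'pfctl -vsq')
prints, added here as an example of the check Max Laier points to; it is
not pf code and not from the posts.  It parses the queue tree, flags queues
that are dropping or nearly full, and checks that no parent is oversubscribed
by its children.  SAMPLE is the output Gilberto posted with line breaks
restored; the exact layout the regexes expect is this example's assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER = re.compile(r"^\s*queue\s+(?P<name>\S+)(?:\s+on\s+\S+)?\s+bandwidth\s+(?P<bw>\S+)"
                    r"(?:\s+priority\s+(?P<prio>\d+))?"
                    r"(?:\s+(?P<sched>\w+)\((?P<opts>[^)]*)\))?"
                    r"(?:\s+\{(?P<children>[^}]*)\})?")
STATS = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN = re.compile(r"qlength:\s*(\d+)\s*/\s*(\d+)")
UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}   # pfctl's Kb/Mb/Gb are decimal


@dataclass
class Queue:
    name: str
    bandwidth: int                       # bits per second
    priority: Optional[int] = None
    scheduler: str = ""
    options: str = ""
    children: List[str] = field(default_factory=list)
    pkts: int = 0                        # packets sent from this queue
    dropped: int = 0                     # packets the queue refused
    qlen: int = 0
    qlimit: int = 0

    def drop_ratio(self) -> float:
        total = self.pkts + self.dropped
        return self.dropped / total if total else 0.0

    def fill(self) -> float:
        return self.qlen / self.qlimit if self.qlimit else 0.0


def parse_bandwidth(text: str) -> int:
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b", text)
    if not m:
        raise ValueError("unparsed bandwidth %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_queues(text: str) -> Dict[str, Queue]:
    queues: Dict[str, Queue] = {}
    current: Optional[Queue] = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = Queue(h["name"], parse_bandwidth(h["bw"]),
                            int(h["prio"]) if h["prio"] else None,
                            h["sched"] or "", (h["opts"] or "").strip(),
                            [c.strip() for c in (h["children"] or "").split(",") if c.strip()])
            queues[current.name] = current
        elif current is not None:
            s, q = STATS.search(line), QLEN.search(line)
            if s:
                current.pkts, current.dropped = int(s.group(1)), int(s.group(3))
            if q:
                current.qlen, current.qlimit = int(q.group(1)), int(q.group(2))
    return queues


def saturated(queues: Dict[str, Queue], max_drop: float = 0.01, max_fill: float = 0.5) -> List[str]:
    """Queues dropping more than max_drop of their packets or holding a backlog
    above max_fill of qlimit; a local sender sees such drops as ENOBUFS."""
    return [q.name for q in queues.values() if q.drop_ratio() > max_drop or q.fill() > max_fill]


def oversubscribed(queues: Dict[str, Queue]) -> List[Tuple[str, int, int]]:
    """(parent, children's bandwidth total, parent's bandwidth) wherever the
    children claim more than the parent owns; pfctl refuses to load that."""
    out = []
    for q in queues.values():
        total = sum(queues[c].bandwidth for c in q.children if c in queues)
        if q.children and total > q.bandwidth:
            out.append((q.name, total, q.bandwidth))
    return out


SAMPLE = """\
queue root_em0 bandwidth 1Gb priority 0 {net_em0}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:       0 ]
  [ qlength:   0/ 50 ]
queue  net_em0 bandwidth 16Mb {voip_em0, flextv_em0, inquima_em0, ibilink_em0, cliente_em0, net1_em0}
queue   voip_em0 bandwidth 64Kb priority 7 hfsc( red upperlimit 64Kb )
queue   flextv_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb )
queue   inquima_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb ) {inquimavoip_em0, inquimatraf_em0}
queue    inquimavoip_em0 bandwidth 128Kb priority 7 hfsc( red upperlimit 256Kb )
queue    inquimatraf_em0 bandwidth 128Kb hfsc( red upperlimit 256Kb )
queue   ibilink_em0 bandwidth 256Kb priority 7 hfsc( red upperlimit 256Kb )
queue   cliente_em0 bandwidth 128Kb priority 7 hfsc( upperlimit 128Kb )
  [ pkts:       1201  bytes:    1028312  dropped pkts:     51 bytes:   44818 ]
  [ qlength:  40/ 50 ]
queue   net1_em0 bandwidth 14Mb hfsc( default )
  [ pkts:      50710  bytes:   11528763  dropped pkts:  36854 bytes: 7844117 ]
  [ qlength:  44/ 50 ]
"""
# Constructed counter-example (not from the thread): 12Mb of children on a 10Mb parent.
OVERSUBSCRIBED = """\
queue root_x bandwidth 10Mb priority 0 {a_x, b_x}
queue  a_x bandwidth 8Mb hfsc( default )
queue  b_x bandwidth 4Mb hfsc( upperlimit 4Mb )
"""

if __name__ == "__main__":
    qs = parse_queues(SAMPLE)
    for name in saturated(qs):
        q = qs[name]
        print("%-16s drops %.1f%%  backlog %d/%d" % (name, 100 * q.drop_ratio(), q.qlen, q.qlimit))
    print("oversubscribed:", oversubscribed(qs) or "none")
```

Feeding it live output (pfctl -vvsq piped in, or pftop's queue view for a moving picture) turns the one-off reading into a check that can run from cron and alert when the default queue starts refusing packets.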
> > realtime 128Kb upperlimit 256Kb)
> > queue inquimatraf_em0 bandwidth 128Kb priority 1 hfsc(red realtime 128Kb upperlimit 256Kb)
> > queue ibilink_em0 bandwidth 256Kb priority 7 hfsc(red realtime 256Kb upperlimit 256Kb)
> > new=> queue cliente_em0 bandwidth 128Kb priority 1 hfsc(realtime 128Kb upperlimit 128Kb)
> > queue net1_em0 bandwidth 16Mb priority 1 hfsc(default)
> >
> > My firewall begins to show "No buffer space available" in ping and my
> > traffic goes down.
> > I think this problem is with my limits, but where can I see this??
>
> Just to this last question: pfctl -vvsq will give you a "live" update of
> the queue statistics. There is also pftop from ports which also has a
> nice display mode for queue stats.
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
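Max's answer to the "where can I see this" question is pfctl -vvsq. The following is an added example, not code from the thread or from pf: it parses that command's output and flags the queue that is actually dropping, using the counters Gilberto posted at the top of this message as constructed sample text; the thresholds are assumptions.

```python
"""Parse pfctl -vvsq queue statistics and flag saturated queues.

Added example, not code from the thread or from pf. It reads the per-queue
counters that pfctl -vvsq prints (the command Max points at) and reports
the queues whose drop ratio or backlog shows they are saturating. The
sample text is constructed from the counters Gilberto posted for
cliente_em0 and net1_em0, laid out the way pfctl prints them.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the thread's numbers in pfctl's own layout, i.e. one
# "queue" line followed by two bracketed statistics lines per queue.
SAMPLE_PFCTL_OUTPUT = """\
queue cliente_em0 bandwidth 128Kb priority 7 hfsc( upperlimit 128Kb )
  [ pkts:       1201  bytes:    1028312  dropped pkts:     51 bytes:   44818 ]
  [ qlength:  40/ 50 ]
queue net1_em0 bandwidth 14Mb hfsc( default )
  [ pkts:      50710  bytes:   11528763  dropped pkts:  36854 bytes: 7844117 ]
  [ qlength:  44/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(?P<name>\S+)\s+bandwidth\s+(?P<bw>\S+)")
PKTS_RE = re.compile(
    r"pkts:\s*(?P<pkts>\d+)\s+bytes:\s*(?P<bytes>\d+)\s+"
    r"dropped pkts:\s*(?P<dpkts>\d+)\s+bytes:\s*(?P<dbytes>\d+)"
)
QLEN_RE = re.compile(r"qlength:\s*(?P<used>\d+)/\s*(?P<limit>\d+)")


@dataclass
class QueueStats:
    name: str
    bandwidth: str          # as printed by pfctl, e.g. "128Kb"
    xmit_pkts: int = 0      # packets sent out of the queue
    xmit_bytes: int = 0
    dropped_pkts: int = 0   # packets the queue discarded (a separate counter)
    dropped_bytes: int = 0
    qlen_used: int = 0      # packets waiting in the queue at sample time
    qlen_limit: int = 0     # queue length limit (pf's default is 50)

    @property
    def drop_ratio(self) -> float:
        """Share of offered packets (sent + dropped) that were dropped."""
        offered = self.xmit_pkts + self.dropped_pkts
        return self.dropped_pkts / offered if offered else 0.0

    @property
    def fill_ratio(self) -> float:
        return self.qlen_used / self.qlen_limit if self.qlen_limit else 0.0


def parse_queue_stats(text: str) -> List[QueueStats]:
    """Turn pfctl -vvsq output into one QueueStats per queue."""
    queues: List[QueueStats] = []
    current: Optional[QueueStats] = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = QueueStats(m["name"], m["bw"])
            queues.append(current)
            continue
        if current is None:
            continue  # statistics line before any queue line: ignore it
        m = PKTS_RE.search(line)
        if m:
            current.xmit_pkts = int(m["pkts"])
            current.xmit_bytes = int(m["bytes"])
            current.dropped_pkts = int(m["dpkts"])
            current.dropped_bytes = int(m["dbytes"])
            continue
        m = QLEN_RE.search(line)
        if m:
            current.qlen_used = int(m["used"])
            current.qlen_limit = int(m["limit"])
    return queues


def saturated_queues(queues: List[QueueStats], max_drop_ratio: float = 0.05,
                     max_fill_ratio: float = 0.9) -> List[str]:
    """Names of queues dropping more than max_drop_ratio of their offered
    packets, or whose backlog exceeds max_fill_ratio of the queue limit."""
    return [q.name for q in queues
            if q.drop_ratio > max_drop_ratio or q.fill_ratio > max_fill_ratio]


if __name__ == "__main__":
    # On the firewall: pfctl -vvsq | python3 queue_stats.py
    text = SAMPLE_PFCTL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    stats = parse_queue_stats(text)
    for q in stats:
        print(f"{q.name:16} drops {q.drop_ratio:6.1%}  "
              f"backlog {q.qlen_used}/{q.qlen_limit}")
    print("saturated:", saturated_queues(stats))
```

On the posted counters the default queue net1_em0 is discarding about 42% of what is offered to it while cliente_em0 stays under both thresholds, which is where the "No buffer space available" symptom points.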
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 10:52:31 2006
From: Artyom Viklenko
To: freebsd-pf@freebsd.org
Date: Thu, 30 Nov 2006 12:52:26 +0200 (EET)
Subject: PF-NAT

Hi, All!

PF-NAT in FreeBSD does not support multiple instances of pptp connections
from the internal network. Will it be improved at some time in the future?
What about using libalias in pf, or is it possible to use ng_nat in pf?

Maybe I'm clueless... please point me in the right direction. :)

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 13:14:06 2006
From: Gilberto Villani Brito
Date: Thu, 30 Nov 2006 11:12:48 -0200
Subject: Re: PF-NAT

Look at these options: http://www.openbsd.org/faq/pf/options.html in your
pf.conf.

Gilberto

2006/11/30, Artyom Viklenko :
> Hi, All!
>
> PF-NAT in FreeBSD does not support multiple
> instances of pptp connections from internal network.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 14:55:53 2006
From: Artyom Viklenko
To: Gilberto Villani Brito
Date: Thu, 30 Nov 2006 16:49:43 +0200 (EET)
Subject: Re: PF-NAT

> Look at these options: http://www.openbsd.org/faq/pf/options.html in your
> pf.conf.

Sorry, which option exactly do you mean?

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 16:14:09 2006
From: Gilberto Villani Brito
To: Artyom Viklenko
Date: Thu, 30 Nov 2006 14:03:57 -0200
Subject: Re: PF-NAT

Maybe this:

set limit option value
    Set various limits on pf's operation.
    * frags - maximum number of entries in the memory pool used for packet
      reassembly (scrub rules). Default is 5000.
    * src-nodes - maximum number of entries in the memory pool used for
      tracking source IP addresses (generated by the sticky-address and
      source-track options). Default is 10000.
    * states - maximum number of entries in the memory pool used for state
      table entries (filter rules that specify keep state). Default is 10000.

or this:

set timeout option value
    Set various timeouts (in seconds).
    * interval - seconds between purges of expired states and packet
      fragments. The default is 10.
    * frag - seconds before an unassembled fragment is expired. The default
      is 30.
    * src.track - seconds to keep a source tracking entry in memory after
      the last state expires. The default is 0 (zero).

Try changing these options.

Gilberto

2006/11/30, Artyom Viklenko :
> > Look at these options: http://www.openbsd.org/faq/pf/options.html in your
> > pf.conf.
>
> Sorry, which option exactly do you mean?

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 16:27:14 2006
From: Daniel Hartmeier
To: Gilberto Villani Brito
Date: Thu, 30 Nov 2006 17:20:48 +0100
Subject: Re: PF-NAT

On Thu, Nov 30, 2006 at 02:03:57PM -0200, Gilberto Villani Brito wrote:

> Try changing these options.

None of those will help if you really want two concurrent PPTP
connections to the same external peer.

pf doesn't look into the payload of PPTP packets and hence can't decide
which internal peer to dispatch incoming replies from the one external
peer to (there are no port numbers helping there, like in TCP).

You can try a userland PPTP proxy, like

  http://freshmeat.net/projects/frickin/

There are no plans to integrate PPTP proxy support into pf. While
libalias_pptp and ng_nat look potentially helpful, you'd have to write
that patch yourself, or find a developer that is using PPTP (not me ;)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 16:37:38 2006
From: Aristeu Gil Alves Jr
To: Gilberto Villani Brito, freebsd-pf@freebsd.org
Date: Thu, 30 Nov 2006 14:32:46 -0200
Subject: Re: PF-NAT

There's no way to share various PPTP client connections to the same PPTP
server. pf nat can only handle one at a time, since there's no dst and
src port to make more than one nat state.

That's what I heard.

--
Aristeu Gil Alves Jr

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 16:42:50 2006
From: Scott Ullrich
To: Daniel Hartmeier
Date: Thu, 30 Nov 2006 11:35:37 -0500
Subject: Re: PF-NAT

On 11/30/06, Daniel Hartmeier wrote:
> You can try a userland PPTP proxy, like
>
> http://freshmeat.net/projects/frickin/
>
> There are no plans to integrate PPTP proxy support into pf. While
> libalias_pptp and ng_nat look potentially helpful, you'd have to write
> that patch yourself, or find a developer that is using PPTP (not me ;)

The author of Frickin just reported on the pfSense forums that a majority
of the issues with the proxy have been resolved in the SVN/CVS version of
Frickin. If you go this route you may want to use the latest codebase.
Scott

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 16:51:32 2006
From: Aristeu Gil Alves Jr
To: freebsd-pf@freebsd.org
Date: Thu, 30 Nov 2006 14:40:47 -0200
Subject: Fwd: PF-NAT

The solution I know is to make a VPN tunnel between the firewall and the
PPTP server and allow the clients to use the VPN tunnel.
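Daniel's and Aristeu's point above is that pf's NAT state has no port numbers to tell two PPTP data-channel sessions apart. The enhanced GRE header that PPTP uses (RFC 2637) does carry a 16-bit Call ID in place of ports; the following added example, not code from the thread, pf, libalias or ng_nat, parses that header and shows what a session table keyed on it would have to know. Packets, Call IDs and addresses are constructed.

```python
"""PPTP data channel: the GRE Call ID that stands in for a port number.

Added example, not code from the thread, pf, libalias or ng_nat. A pf NAT
state for PPTP's GRE data channel has no ports to key on, which is why one
external server can serve only one internal client (Daniel's and Aristeu's
point). The enhanced GRE header of RFC 2637 does carry a 16-bit Call ID;
this parses that header and shows how a session table keyed on
(external peer, Call ID) would dispatch replies. Packets and addresses
below are constructed.
"""
import struct
from typing import Dict, NamedTuple, Optional, Tuple

GRE_PROTO_PPP = 0x880B     # protocol type carried by PPTP GRE packets
GRE_FLAG_K = 0x2000        # Key present (always set for PPTP)
GRE_FLAG_S = 0x1000        # sequence number present
GRE_FLAG_A = 0x0080        # acknowledgment number present
GRE_VERSION_MASK = 0x0007  # enhanced GRE is version 1


class PptpGre(NamedTuple):
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    header_len: int


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse the enhanced GRE header (RFC 2637 section 4.1).

    Layout: flags/version (2), protocol type (2), payload length (2),
    Call ID (2), then optional 4-byte sequence and acknowledgment numbers.
    """
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"not a PPTP GRE packet (proto 0x{proto:04x})")
    if (flags & GRE_VERSION_MASK) != 1 or not (flags & GRE_FLAG_K):
        raise ValueError("not enhanced GRE version 1 with a key field")
    offset, seq, ack = 8, None, None
    try:
        if flags & GRE_FLAG_S:
            (seq,) = struct.unpack_from("!I", pkt, offset)
            offset += 4
        if flags & GRE_FLAG_A:
            (ack,) = struct.unpack_from("!I", pkt, offset)
            offset += 4
    except struct.error as exc:
        raise ValueError("truncated GRE header") from exc
    if len(pkt) - offset != payload_len:
        raise ValueError("payload length field disagrees with packet size")
    return PptpGre(call_id, payload_len, seq, ack, offset)


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Build a PPTP GRE packet (used here only to construct sample traffic)."""
    flags, tail = GRE_FLAG_K | 1, b""
    if seq is not None:
        flags |= GRE_FLAG_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= GRE_FLAG_A
        tail += struct.pack("!I", ack)
    head = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    return head + tail + payload


class PptpSessionTable:
    """The state a PPTP-aware NAT keeps in place of a port-based entry.

    RFC 2637 defines the Call ID in a packet as the receiver's Call ID, so
    replies from the external server carry the Call ID the internal client
    chose in its Outgoing-Call-Request on the TCP/1723 control channel.
    Only a helper that reads that control channel learns the mapping; state
    tracking on addresses and ports alone, as pf does, never sees it.
    """

    def __init__(self) -> None:
        self._sessions: Dict[Tuple[str, int], str] = {}

    def register(self, external_peer: str, client_call_id: int,
                 internal_host: str) -> bool:
        """Record a session; False on a Call ID collision between two
        internal hosts, the case a real helper resolves by rewriting IDs."""
        key = (external_peer, client_call_id)
        if self._sessions.get(key, internal_host) != internal_host:
            return False
        self._sessions[key] = internal_host
        return True

    def dispatch_reply(self, external_peer: str, pkt: bytes) -> Optional[str]:
        """Internal host an inbound GRE packet from external_peer belongs to."""
        call_id = parse_pptp_gre(pkt).call_id
        return self._sessions.get((external_peer, call_id))
```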
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 17:35:16 2006
From: Daniel
Date: Sun, 26 Nov 2006 13:35:57 -0000
Subject: opinion on this ruleset

I was wondering if I could get some opinions on this ruleset please.

Basically, I have FreeBSD 6.1, running an IRC server on ports 6697, 7000,
6659 through to 6671, 9999, 27888. I am also running a nameserver, so I
have opened TCP and UDP 53. I also want incoming on ports 80 and 22.

I have about 15 IP addresses assigned to my external interface... would it
be better to make a table for these? Or is using the ext_if as a macro just
as effective?

ext_if="rl0"

tcp_services="{ 22, 80, 53, 6633, 6697, 7000, 6659 >< 6671, 9999, 27888 }"
# "6659 >< 6671" matches only the ports strictly between them (6660-6670);
# a range that includes 6659 and 6671 themselves is written "6659:6671".
udp_services="{ 53 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if

set skip on lo
scrub in

block in

pass out keep state

# int_if is referenced here but never defined above; pfctl rejects an
# undefined macro, so define it (or drop it) before loading this ruleset.
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 17:40:55 2006
From: Gergely CZUCZY
To: Daniel
Cc: freebsd-pf@freebsd.org
Date: Thu, 30 Nov 2006 18:40:45 +0100
Subject: Re: opinion on this ruleset

On Sun, Nov 26, 2006 at 01:35:57PM -0000, Daniel wrote:
> I was wondering if I could get some opinions on this ruleset please.
>
> I have about 15 IP addresses assigned to my external interface... would it
> be better to make a table for these? Or is using the ext_if as a macro just
> as effective?
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state

Here I'd suggest using synproxy state.

($ext_if) translates to an IP address of the interface, and not to all
addresses on the interface, so you might get some unexpected behaviour from
these rules; watch out. As DNA had said, "expect the unexpected" ;)

> pass in on $ext_if inet proto udp from any to ($ext_if) \
>     port $udp_services keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state

Wrong. Use this:

pass in on $ext_if proto icmp

If you wonder why, read OpenBSD's FAQ on pf, or just google for it.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 30 23:25:43 2006
From: Sten Daniel Sørsdal
To: Aristeu Gil Alves Jr
Cc: freebsd-pf@freebsd.org
Date: Fri, 01 Dec 2006 00:25:13 +0100
Subject: Re: PF-NAT
Message-ID: <456F6859.5010205@wm-access.no>
In-Reply-To: <2c84c1de0611300832q67d25d13ndadfd2b52ddcf984@mail.gmail.com>

Aristeu Gil Alves Jr wrote:
> There's no way to share various PPTP client connections to the same
> PPTP server. pf nat only can handle one at the time, since there's no
> dst and src port to make more than one nat state.
>
> That's what I heard.

There is no src/dst port but there is Call ID in the modified GRE header.
Each session gets a unique value from which sessions can be identified.

Just about any cheap home firewall can do it these days, I wonder why the
open source community is reluctant to take advantage.

--
Sten Daniel Sørsdal

From: Daniel Hartmeier
To: Sten Daniel Sørsdal
Date: Fri, 1 Dec 2006 07:34:57 +0100
Message-ID: <20061201063457.GC602@insomnia.benzedrine.cx>
In-Reply-To: <456F6859.5010205@wm-access.no>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF-NAT

On Fri, Dec 01, 2006 at 12:25:13AM +0100, Sten Daniel Sørsdal wrote:
> Just about any cheap home firewall can do it these days, i
> wonder why the open source community is reluctant to take advantage.

The "if a $50 commercial box can do it, why can't pf?" argument pops up
every now and then, maybe the answer is not obvious and deserves an
explanation.

The vendor of the $50 commercial box is working on economical principles.
There is a certain cost of implementing the feature, they have to dispatch
one of their developers for a certain amount of hours to implement it.
Since they are selling a large number of boxes, the cost increases the
price of each individual box only slightly. Whether the particular
developer is interested in implementing the feature is not relevant. He/she
gets paid to do it.

In exchange, the vendor gains some advantage over the competition in the
market. Or, put the other way, if they wouldn't implement the feature,
they'd be at a disadvantage against the competition. So the cost of
implementation is compensated by increased sales and profit.

The vendor will do this calculation. You can be sure that if the expected
increase in profit isn't higher than the cost, the vendor will not
implement the feature, no matter how much the consumers demand it.

That's how a commercial vendor works. That has nothing to do with how "the
open source community" works.

Open source is not a producer/consumer model, where the open source
developers are the producers and the users the consumers, and the producers
fight over market share to increase financial profit.

The community works like this: if a feature is highly desired by a
significant portion of the population, eventually one of those people will
have the skills and time to implement it. He/she will then share the result
with everyone else.

Conversely, if a feature isn't ever implemented like that, you can conclude
that it wasn't desired highly enough by a significant enough portion of the
population.

If you don't agree, prove me wrong, by implementing the feature ;)

Daniel

From: Ask Bjørn Hansen
To: freebsd-pf@freebsd.org
Date: Sat, 2 Dec 2006 04:15:43 -0800
Message-Id: <40CEB709-1A81-4A98-988E-24768584F984@develooper.com>
Subject: carpdev ifconfig option?
Hi,

I see in the OpenBSD documentation that they have a "carpdev" option to
specify which physical interface the redundancy group should run on.

FreeBSD (current 6.2 code) doesn't have that option -- is there another way
to accomplish the same thing?

- ask

--
http://develooper.com/ - http://askask.com/

From: Andriy Galetski
To: freebsd-pf@freebsd.org
Reply-To: Andriy Galetski
Date: Sun, 03 Dec 2006 00:03:35 +0200
Subject: Use pfflowd to flow tracking on FreeBSD6.1

Hi.

I have built a FreeBSD 6.1 kernel with the options:

device pf
device pflog
device pfsync

The PF filter works ok. I can monitor data passing through the packet
filter using

tcpdump -i pflog0

But I can't use pfflowd with pfsync to pass stats to a netflow collector.

tcpdump -i pfsync0
tcpdump: WARNING: pfsync0: no IPv4 address assigned
tcpdump: unsupported data link type 121

I spent 2 days reading man pages and experimenting, unfortunately without
success. Running

pfflowd -n host:port -D

doesn't show me any activity or debugging output. It looks like pfflowd
doesn't get data from pfsync. In my opinion the pfsync kernel part or
pfflowd doesn't work well on FreeBSD. I saw it on OpenBSD, where it works
fine.

Has someone successfully run pfflowd on FreeBSD 6.1-6.2?

From: Guy Brand
To: freebsd-pf@freebsd.org
Date: Sun, 3 Dec 2006 00:21:46 +0100
Message-ID:
<20061202232146.GF1353@isis.u-strasbg.fr>
Subject: Re: Use pfflowd to flow tracking on FreeBSD6.1

Andriy Galetski (agaletski@ukr.net) on 03/12/2006 at 00:03 wrote:
> But I can`t use pfflowd with pfsync to pass stat to netflow collector.
>
> tcpdump -i pfsync0
> tcpdump: WARNING: pfsync0: no IPv4 address assigned
> tcpdump: unsupported data link type 121

Hello,

t1# uname -v
FreeBSD 6.1-STABLE #3: Wed Aug 30 14:13:16 CEST 2006

This box uses:

device if_bridge
device pf
device pflog
device pfsync

t1# ps fax|grep pfflow
1152 ?? Ss 3:50.09 /usr/local/sbin/pfflowd -n 127.0.0.1:2055
5775 ?? Ss 0:00.04 flow-capture -n 287 -N 0 -w /sec/ -S 5 0/0/2055

t1# tcpdump -n -i lo0 udp port 2055
23:58:41.459145 IP 127.0.0.1.63050 > 127.0.0.1.2055: UDP, length 552
23:58:41.459175 IP 127.0.0.1.63050 > 127.0.0.1.2055: UDP, length 552
...

t1# flow-export -f0 < /sec/ft-v05.2006-12-02.235501+0100 | flowdumper -s
2006/12/02 23:59:58 151.56.82.148.6348 -> 130.79.117.140.1173 6 12 750
2006/12/02 23:59:58 130.79.117.140.1176 -> 216.59.252.40.12200 6 7 288
2006/12/02 23:59:58 216.59.252.40.12200 -> 130.79.117.140.1176 6 6 256
2006/12/02 23:59:58 130.79.116.233.3225 -> 130.79.40.6.110 6 17 776
...

> In my opinion pfsync kernel part or pfflowd did`t work well
> on FreeBSD. I saw it on OpenBSD it`s work fine.

I see it on FreeBSD too.

--
bug
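As an added example (my code, not pfflowd's or flow-tools'), a decoder for the NetFlow datagrams that pfflowd -n 127.0.0.1:2055 hands to flow-capture in Guy's reply; it assumes pfflowd's default NetFlow version 5 export, and the two sample flows are constructed from the flowdumper lines above. The 552-byte UDP payloads in the tcpdump output are exactly one 24-byte v5 header plus eleven 48-byte records, which is the sanity check the decoder enforces.

```python
import socket
import struct
import time

# NetFlow v5 on the wire (network byte order): a 24-byte header followed by
# up to 30 records of 48 bytes. The 552-byte datagrams in the tcpdump output
# above are 24 + 11 * 48.
V5_HEADER = ">HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs,
                          # flow_sequence, engine_type, engine_id, sampling
V5_RECORD = ">IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                     # dPkts, dOctets, First, Last, srcport,
                                     # dstport, pad1, tcp_flags, prot, tos,
                                     # src_as, dst_as, src_mask, dst_mask, pad2
HDR_LEN, REC_LEN, MAX_RECS = 24, 48, 30


def build_v5_datagram(flows, seq=0):
    """Constructed test input: pack (src, sport, dst, dport, proto, pkts, octets)
    tuples the way an exporter would, with the unused fields zeroed."""
    hdr = struct.pack(V5_HEADER, 5, len(flows), 0, int(time.time()), 0, seq, 0, 0, 0)
    recs = b""
    for src, sport, dst, dport, proto, pkts, octets in flows:
        recs += struct.pack(V5_RECORD,
                            int.from_bytes(socket.inet_aton(src), "big"),
                            int.from_bytes(socket.inet_aton(dst), "big"), 0,
                            0, 0, pkts, octets, 0, 0, sport, dport,
                            0, 0, proto, 0, 0, 0, 0, 0, 0)
    return hdr + recs


def decode_v5_datagram(data):
    """Return (header, records) or raise ValueError on anything that is not a
    well-formed v5 export (wrong version, truncated, count/length mismatch)."""
    if len(data) < HDR_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, secs, _ns, seq, *_ = struct.unpack_from(V5_HEADER, data)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECS or len(data) != HDR_LEN + REC_LEN * count:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = struct.unpack_from(V5_RECORD, data, HDR_LEN + REC_LEN * i)
        records.append({"src": socket.inet_ntoa(struct.pack(">I", f[0])),
                        "dst": socket.inet_ntoa(struct.pack(">I", f[1])),
                        "pkts": f[5], "octets": f[6], "sport": f[9],
                        "dport": f[10], "proto": f[13]})
    return {"unix_secs": secs, "flow_sequence": seq}, records


def format_flow(r):
    """Same shape as the flowdumper lines above: src.port -> dst.port proto pkts bytes."""
    return (f"{r['src']}.{r['sport']} -> {r['dst']}.{r['dport']} "
            f"{r['proto']} {r['pkts']} {r['octets']}")
```

Pointing the decoder at a UDP socket bound to 127.0.0.1:2055 in place of flow-capture is enough to confirm whether pfflowd is actually emitting anything, independently of what tcpdump can show on pfsync0.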