From owner-freebsd-pf@FreeBSD.ORG Sun Feb 25 00:04:26 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ADD9116A478 for ; Sun, 25 Feb 2007 00:04:26 +0000 (UTC) (envelope-from spam_quarantine@xserve1.eeinternational.org)
Received: from xserve1.eeinternational.org (50-36-13-69.cust.propagation.net [69.13.36.50]) by mx1.freebsd.org (Postfix) with ESMTP id ABB6813C4A8 for ; Sun, 25 Feb 2007 00:04:25 +0000 (UTC) (envelope-from spam_quarantine@xserve1.eeinternational.org)
Received: from localhost (localhost [127.0.0.1]) by xserve1.eeinternational.org (Postfix) with ESMTP id 29735371B5A8 for ; Sat, 24 Feb 2007 18:12:10 -0600 (CST)
Received: from xserve1.eeinternational.org ([127.0.0.1]) by localhost (50-36-13-69.cust.propagation.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05836-08 for ; Sat, 24 Feb 2007 18:12:10 -0600 (CST)
Received: by xserve1.eeinternational.org (Postfix, from userid 2624) id 0CA3E3705602; Sat, 24 Feb 2007 17:27:53 -0600 (CST)
To: freebsd-pf@freebsd.org
From: no-reply@bussinesideas.com
Message-Id: <20070224232753.0CA3E3705602@xserve1.eeinternational.org>
Date: Sat, 24 Feb 2007 17:27:53 -0600 (CST)
X-Virus-Scanned: by amavisd-new at eeinternational.org
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: http://leet.110mb.com The latest business idea!
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 25 Feb 2007 00:04:27 -0000

Hello!

We are sorry if we disturbed you. Your email is in our email bank. We found out that you are an active business man, so we were wondering if you are interested in a business idea.

If so, please check out our site for all the info: http://leet.110mb.com

We apologise again if this e-mail bothered you in any way. Thank you!

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 25 09:36:21 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C37DB16A400 for ; Sun, 25 Feb 2007 09:36:21 +0000 (UTC) (envelope-from yashy@mail.yashy.com)
Received: from proksie.yashy.com (mail.yashy.com [24.68.237.147]) by mx1.freebsd.org (Postfix) with ESMTP id AB23013C478 for ; Sun, 25 Feb 2007 09:36:21 +0000 (UTC) (envelope-from yashy@mail.yashy.com)
Received: from [192.168.1.15] (unknown [192.168.1.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by proksie.yashy.com (Postfix) with ESMTP id CF3D75C32 for ; Sun, 25 Feb 2007 01:15:29 -0800 (PST)
Message-ID: <45E15392.5090800@mail.yashy.com>
Date: Sun, 25 Feb 2007 01:14:58 -0800
From: Yasholomew Yashinski
User-Agent: Icedove 1.5.0.9 (X11/20061220)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
X-Enigmail-Version: 0.94.2.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: spamlogd issue

I followed the steps at: http://www.hackepedia.org/?title=Spamd

# uname -srm
FreeBSD 6.0-STABLE sparc64
# pkg_info -W /usr/local/libexec/spamlogd
/usr/local/libexec/spamlogd was installed by package spamd-3.7_2

spamdb shows several hundred GREY entries since yesterday.

GREY|216.168.29.4|||1172200562|1224040562|1224040562|17|0

As you can see there have been 17 attempts; it should have been changed to white by now, the next day.
I have two issues.

1) If you run date -r on the timestamps, for some reason it's showing 2008?

2) spamd appears to be running fine, and is logging to /var/log/spamd as well as debug.log. I manually started spamlogd (not sure how it should be started):

root 19819 0.0 0.2 2592 864 ?? Is 12:02PM 0:00.00 /usr/local/libexec/spamlogd

From the man page:

spamlogd sends log messages to syslogd(8) using facility daemon. spamlogd will log each connection it sees at level LOG_DEBUG.

However:

/var/log# grep spamlogd *
/var/log#

But more important than logging, it has not converted any GREYs to WHITE or BLACK? Not sure what to do here...

Thanks in advance,

-- 
Yashy

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 25 12:04:41 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2257E16A403 for ; Sun, 25 Feb 2007 12:04:41 +0000 (UTC) (envelope-from johan@terrettaz.ch)
Received: from vz-linux-01-vps-245.datacomm.ch (vz-linux-01-vps-245.datacomm.ch [212.40.19.245]) by mx1.freebsd.org (Postfix) with ESMTP id B572313C47E for ; Sun, 25 Feb 2007 12:04:40 +0000 (UTC) (envelope-from johan@terrettaz.ch)
Received: (qmail 7488 invoked by uid 0); 25 Feb 2007 13:04:34 +0100
Date: 25 Feb 2007 13:04:34 +0100
Message-ID: <20070225120434.7456.qmail@vz-linux-01-vps-245.datacomm.ch>
From: johan@terrettaz.ch
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Subject: Re: freebsd-pf Digest, Vol 126, Issue 7

This email address no longer exists. You can contact Johan Tornay at his new address: johan.tornay@terrettaz.ch

Thank you for your understanding.

Terrettaz Informatique
http://www.terrettaz.ch
info@terrettaz.ch

From owner-freebsd-pf@FreeBSD.ORG Sun Feb 25 12:37:16 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3279A16A407 for ; Sun, 25 Feb 2007 12:37:16 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.freebsd.org (Postfix) with ESMTP id BC96413C494 for ; Sun, 25 Feb 2007 12:37:15 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.66.27.65] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis), id 0MKwpI-1HLIcr1INK-0002tm; Sun, 25 Feb 2007 13:37:14 +0100
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org, Sergey Klusov
Date: Sun, 25 Feb 2007 13:40:09 +0100
User-Agent: KMail/1.9.5
References: <913541362.20070220170645@gmail.com>
In-Reply-To: <913541362.20070220170645@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2695153.DtRCEGBi1P"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200702251340.17037.max@love2party.net>
Subject: Re: anchor
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 25 Feb 2007 12:37:16 -0000

On Tuesday 20 February 2007 13:06, Sergey Klusov wrote:
> Hello,
> I'm trying to use anchors on freebsd6.0 and can't get it working
> right.
>
> Here is my example:
>
> pfctl -f - <<EOM
> block all
> anchor anch
> EOM
>
> pfctl -a anch/s1 -f - <<EOM
> pass quick proto tcp from any to any port 25
> EOM
>
> and it doesn't work at all
> no traffic is allowed (can't telnet to remote host, not on 25-th port,
> not on any other)
> if I use 'anchor anch/*' instead of 'anchor anch' then there is ANY
> traffic allowed, not only on 25-th port
>
> tried to use 'anch:s1' instead of 'anch/s1' - same effect.
>
> What do I do wrong?

The rule you are loading into the anchor does not do what you think it
does. It will allow the packet from your local telnet to a remote host's
port 25, but the reply won't be let in as the rule doesn't keep state and
your telnet will be listening on a port other than 25.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 26 11:15:38 2007
Return-Path:
X-Original-To: freebsd-pf@FreeBSD.org
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A153916A406 for ; Mon, 26 Feb 2007 11:15:38 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 909E313C4B8 for ; Mon, 26 Feb 2007 11:15:38 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l1QBFc00005503 for ; Mon, 26 Feb 2007 11:15:38 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l1QBFXRc005499 for freebsd-pf@FreeBSD.org; Mon, 26 Feb 2007 11:15:33 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 26 Feb 2007 11:15:33 GMT
Message-Id: <200702261115.l1QBFXRc005499@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: linimon set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Mon, 26 Feb 2007 11:15:38 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules
o kern/106400  pf    fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 28 19:12:02 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 05CF916A402 for ; Wed, 28 Feb 2007 19:12:02 +0000 (UTC) (envelope-from dudu.meyer@gmail.com)
Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.188]) by mx1.freebsd.org (Postfix) with ESMTP id 6490C13C4B5 for ; Wed, 28 Feb 2007 19:12:00 +0000 (UTC) (envelope-from dudu.meyer@gmail.com)
Received: by mu-out-0910.google.com with SMTP id g7so219176muf for ; Wed, 28 Feb 2007 11:12:00 -0800 (PST)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=b3qwuelcGk/rI80LQ4176s+Jpx7XKvH856ioSlSadvz0KVTQ8Zx8fX30CDirjg9ANh0ffflRFKhFeXqO7uguz64wVjRnzTftN0Q7BoEAgt05BAAArY/AA+35tN40mrssYfw+WxEvLDLa6ZIrS8Luu/wjDutmY9mepmoShWNcK0g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=liTq89dHs/obVynVNNobRQ+6A++z4I8zaWBkWq+jgVx0YS8u38nW84LXGwws9gjVqhdNqadiLBmO9LOYVJJI/572nJXoU/iem8Z+nlu7skcNPW+6HVnMNADXxiQw/vov9bBrrBJRL65sAuoPyMVfEt7HIL9aXHBZ7fL+C2W/Gbs=
Received: by 10.82.163.13 with SMTP id l13mr287944bue.1172689919897; Wed, 28 Feb 2007 11:11:59 -0800 (PST)
Received: by 10.82.151.16 with HTTP; Wed, 28 Feb 2007 11:11:59 -0800 (PST)
Message-ID:
Date: Wed, 28 Feb 2007 16:11:59 -0300
From: "Eduardo Meyer"
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: flags tcp and absence of flag

Hello,

I need to write a PF rule that does what this IPFW rule does:

deny log tcp from any to any tcpflags fin,!syn,!rst,!ack in

Someone told me to do this:

block drop log in quick from any to any flags F/SRA

But as far as I read the PF FAQ and man page, this is incorrect. However, I did not find a way to make a rule with absence of a flag, just like the !flag on ipfw.

Can someone please convert this simple ipfw rule to pf?

Thank you.

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 28 19:42:47 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AF5B116A405 for ; Wed, 28 Feb 2007 19:42:47 +0000 (UTC) (envelope-from reed@reedmedia.net)
Received: from ca.pugetsoundtechnology.com (ca.pugetsoundtechnology.com [38.99.2.247]) by mx1.freebsd.org (Postfix) with ESMTP id 9E7AE13C48D for ; Wed, 28 Feb 2007 19:42:47 +0000 (UTC) (envelope-from reed@reedmedia.net)
Received: from pool-71-123-204-253.dllstx.fios.verizon.net ([71.123.204.253] helo=reedmedia.net) by ca.pugetsoundtechnology.com with esmtpa (Exim 4.54) id 1HMUhJ-0003Q9-Tt; Wed, 28 Feb 2007 11:42:46 -0800
Received: from reed@reedmedia.net by reedmedia.net with local (mailout 0.17) id 23968-1172691762; Wed, 28 Feb 2007 13:42:44 -0600
Date: Wed, 28 Feb 2007 13:42:42 -0600 (CST)
From: "Jeremy C. Reed"
To: Eduardo Meyer
In-Reply-To:
Message-ID:
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-pf@freebsd.org
Subject: Re: flags tcp and absence of flag

On Wed, 28 Feb 2007, Eduardo Meyer wrote:

> I need to write a PF rule that does what this IPFW rule does:
>
> deny log tcp from any to any tcpflags fin,!syn,!rst,!ack in
>
> Someone told me to do this:
>
> block drop log in quick from any to any flags F/SRA

This means: look at the SYN, RST, ACK flags but only match if the SYN flag
is set.

I think you want:

flags F/FSRA

So it will also inspect for the FIN flag.

Scrubbing will change this too.
> But as far as I read the PF FAQ and man page, this is incorrect.
> However, I did not find a way to make a rule with absence of a flag,
> just like the !flag on ipfw.
>
> Can someone please convert this simple ipfw rule to pf?

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 28 19:48:40 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 35F5B16A404 for ; Wed, 28 Feb 2007 19:48:40 +0000 (UTC) (envelope-from dudu.meyer@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by mx1.freebsd.org (Postfix) with ESMTP id BF79313C428 for ; Wed, 28 Feb 2007 19:48:39 +0000 (UTC) (envelope-from dudu.meyer@gmail.com)
Received: by nf-out-0910.google.com with SMTP id k27so640238nfc for ; Wed, 28 Feb 2007 11:48:38 -0800 (PST)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YCVAedFbPIQL+JQkoD9Xb9WEdoYwbUZp6ippE/yJI+3itk7wTxIaWNysU5yFE6WKLww9xaxdexRFpRtQ18RHLyNithn4fZ+kXUg9W3aW7SLupRAzgw5hDlrblWYSDnjHAwCkE5m2oac/gzggkzwTcCHNFmGagOr8vT1jofk/sVQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=P4Nv0kMxUl2CpGEdtQUZ52yNlYwsUDcvcqRCfjcF8lVMJZCwMd0hAXWPagskYbKsDN1vON6fOU5ovL5n2u6m3Sa0opXp2wDWo9i3cwFI2wHiTO3VE0Nn8T1sBeimtN/ASRahdCk0MyV7oF2meed3HZN5SS9xS3l/0kpptuhrIr0=
Received: by 10.82.135.13 with SMTP id i13mr329932bud.1172692117892; Wed, 28 Feb 2007 11:48:37 -0800 (PST)
Received: by 10.82.151.16 with HTTP; Wed, 28 Feb 2007 11:48:37 -0800 (PST)
Message-ID:
Date: Wed, 28 Feb 2007 16:48:37 -0300
From: "Eduardo Meyer"
To: freebsd-pf@freebsd.org
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References:
Subject: Re: flags tcp and absence of flag

On 2/28/07, Jeremy C. Reed wrote:
> On Wed, 28 Feb 2007, Eduardo Meyer wrote:
>
> > I need to write a PF rule that does what this IPFW rule does:
> >
> > deny log tcp from any to any tcpflags fin,!syn,!rst,!ack in
> >
> > Someone told me to do this:
> >
> > block drop log in quick from any to any flags F/SRA
>
> This means: look at the SYN, RST, ACK flags but only match if the SYN flag
> is set.
>
> I think you want:
>
> flags F/FSRA
>
> So it will also inspect for the FIN flag.

Translating to human language, what I want is "look everywhere and match only packets with fin set but syn, rst and ack unset."

How can I do the "unset" evaluation?
-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 28 20:27:04 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 87BA016A403 for ; Wed, 28 Feb 2007 20:27:04 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id 4DF8513C48E for ; Wed, 28 Feb 2007 20:27:04 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 5DD522BACC9 for ; Wed, 28 Feb 2007 20:26:59 +0000 (GMT)
From: "Greg Hennessy"
To: "'Eduardo Meyer'" ,
References:
In-Reply-To:
Date: Wed, 28 Feb 2007 20:26:53 -0000
Message-ID: <000f01c75b76$c8c34f20$5a49ed60$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcdbbxEdkpZw+sMdTA6EXw7HVCd8/QAB3eeA
Content-Language: en-gb
X-Antivirus: avast! (VPS 000719-0, 28/02/2007), Outbound message
X-Antivirus-Status: Clean
Subject: RE: flags tcp and absence of flag

> > Can someone please convert this simple ipfw rule to pf?
>

Judicious use of 'scrub' will nuke most if not all invalidly flagged packets.

greg

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 1 08:36:34 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 817D716A400 for ; Thu, 1 Mar 2007 08:36:34 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.freebsd.org (Postfix) with ESMTP id 2CA4813C491 for ; Thu, 1 Mar 2007 08:36:32 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.13.8/8.13.4) with ESMTP id l218aSOP014765 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 1 Mar 2007 09:36:28 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.8/8.12.10/Submit) id l218aRtT019544; Thu, 1 Mar 2007 09:36:27 +0100 (MET)
Date: Thu, 1 Mar 2007 09:36:27 +0100
From: Daniel Hartmeier
To: Eduardo Meyer
Message-ID: <20070301083627.GA16493@insomnia.benzedrine.cx>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: flags tcp and absence of flag
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion
and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 01 Mar 2007 08:36:34 -0000

On Wed, Feb 28, 2007 at 04:48:37PM -0300, Eduardo Meyer wrote:
> Translating to human language, what I want is "look everywhere and match
> only packets with fin set but syn, rst and ack unset."
>
> How can I do the "unset" evaluation?

"flags F/FSRA" does precisely that. It is not the same as "flags F/F", which would only test whether FIN is set.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 1 15:23:13 2007
Return-Path:
X-Original-To: pf@freebsd.org
Delivered-To: freebsd-pf@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2A77816A520 for ; Thu, 1 Mar 2007 15:23:13 +0000 (UTC) (envelope-from mcdouga9@daemon.egr.msu.edu)
Received: from daemon.egr.msu.edu (daemon.egr.msu.edu [35.9.44.65]) by mx1.freebsd.org (Postfix) with ESMTP id 153C613C4A3 for ; Thu, 1 Mar 2007 15:23:12 +0000 (UTC) (envelope-from mcdouga9@daemon.egr.msu.edu)
Received: by daemon.egr.msu.edu (Postfix, from userid 21281) id 5E5BF1CCB3; Thu, 1 Mar 2007 09:51:49 -0500 (EST)
Date: Thu, 1 Mar 2007 09:51:49 -0500
From: Adam McDougall
To: pf@freebsd.org
Message-ID: <20070301145149.GB4354@egr.msu.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
Subject: Require table definition if referenced by a rule?

Is there a way to make pfctl ensure that a table exists before allowing any rule to refer to it?

For example, I found out I had a rule that references table but I had only defined a table called , and didn't realize I left off the d in the rule. does not exist, so the rule had no function. I can understand that this behavior might be a desirable feature, but I'm wondering if there is a way to make pfctl check.

Thanks.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 1 22:30:35 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2387016A405 for ; Thu, 1 Mar 2007 22:30:35 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: from smtp801.mail.ird.yahoo.com (smtp801.mail.ird.yahoo.com [217.146.188.61]) by mx1.freebsd.org (Postfix) with SMTP id B611613C46B for ; Thu, 1 Mar 2007 22:30:34 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: (qmail 3588 invoked from network); 1 Mar 2007 22:30:33 -0000
Received: from unknown (HELO ?192.168.1.2?) (thomasjudge@btinternet.com@81.157.42.3 with plain) by smtp801.mail.ird.yahoo.com with SMTP; 1 Mar 2007 22:30:33 -0000
Message-ID: <45E75454.2060302@tomjudge.com>
Date: Thu, 01 Mar 2007 22:31:48 +0000
From: Tom Judge
User-Agent: Thunderbird 1.5.0.9 (X11/20070104)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Tracing packets passing through PF

Hi,

I was wondering if there is any way to trace packets as they pass through PF and possibly even the network stack.
If someone could give me some pointers on this it would be greatly appreciated.

Tom

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 1 23:14:45 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F417C16A401 for ; Thu, 1 Mar 2007 23:14:44 +0000 (UTC) (envelope-from antik@bsd.ee)
Received: from smtp-gw1.starman.ee (smtp-out5.starman.ee [85.253.0.7]) by mx1.freebsd.org (Postfix) with ESMTP id B38E013C46B for ; Thu, 1 Mar 2007 23:14:44 +0000 (UTC) (envelope-from antik@bsd.ee)
Received: from mx1.starman.ee (mx1.starman.ee [62.65.192.16]) by smtp-gw1.starman.ee (Postfix) with ESMTP id 80EBBA214C2 for ; Fri, 2 Mar 2007 00:43:51 +0200 (EET)
Received: from [192.168.2.100] (pc219.host1.ida.starman.ee [62.65.240.219]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.starman.ee (Postfix) with ESMTP id BD8F223C53A for ; Fri, 2 Mar 2007 00:43:51 +0200 (EET)
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Fri, 2 Mar 2007 00:43:50 +0200
User-Agent: KMail/1.9.5
References: <45E75454.2060302@tomjudge.com>
In-Reply-To: <45E75454.2060302@tomjudge.com>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200703020043.50798.antik@bsd.ee>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by Amavisd-New at mx1.starman.ee
Subject: Re: Tracing packets passing through PF

On Friday 02 March 2007 00:31, Tom Judge wrote:
> Hi,
>
> I was wondering if there is any way to trace packets as they pass
> through PF and possibly even the network stack. If someone could give
> me some pointers on this it would be greatly appreciated.
>

pass in on rl0 all label "incoming"
pass out on rl0 all label "departing"

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 2 08:06:51 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 39A9016A402 for ; Fri, 2 Mar 2007 08:06:51 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74]) by mx1.freebsd.org (Postfix) with ESMTP id 03DF813C467 for ; Fri, 2 Mar 2007 08:06:50 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 9A19F559C3 for ; Fri, 2 Mar 2007 08:06:48 +0000 (GMT)
From: "Greg Hennessy"
To: "'Tom Judge'" ,
References: <45E75454.2060302@tomjudge.com>
In-Reply-To: <45E75454.2060302@tomjudge.com>
Date: Fri, 2 Mar 2007 08:06:39 -0000
Message-ID: <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcdcVXzaWmBxqCujROi93TVXUXd3zAATBSHg
Content-Language: en-gb
X-Antivirus: avast! (VPS 000720-0, 01/03/2007), Outbound message
X-Antivirus-Status: Clean
Subject: RE: Tracing packets passing through PF

> I was wondering if there is any way to trace packets as they pass
> through PF and possibly even the network stack. If someone could give
> me some pointers on this it would be greatly appreciated.
A full tcpdump on the ingress and egress interfaces, a bpf filter will find the interesting bits for you.

Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 2 09:56:26 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 45A7416A40F for ; Fri, 2 Mar 2007 09:56:26 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id 0F0F513C46B for ; Fri, 2 Mar 2007 09:56:26 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 513BF2BC592 for ; Fri, 2 Mar 2007 09:56:23 +0000 (GMT)
From: "Greg Hennessy"
To: "'Tom Judge'"
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com>
In-Reply-To: <45E7F00B.6010306@tomjudge.com>
Date: Fri, 2 Mar 2007 09:56:14 -0000
Message-ID: <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcdcrrXyTz/FG65ZRciIDPk15lUhawAAjLLw
Content-Language: en-gb
X-Antivirus: avast! (VPS 000720-0, 01/03/2007), Outbound message
X-Antivirus-Status: Clean
Cc: freebsd-pf@freebsd.org
Subject: RE: Tracing packets passing through PF

>
> I actually need to see how a packet that the IPSEC code generates
> passes through PF (what rules it is (not) matching etc). At the moment
> it seems that it is either a) not passing through pf at all, b) for
> some reason not matching the source routing rule.
>
> Is there any way to see this, possibly by setting debugging to loud
> (pfctl -x loud)?

Are you filtering on the loopback by any chance? Or have you set skip on lo0?

Greg

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 2 10:03:28 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3D32816A400 for ; Fri, 2 Mar 2007 10:03:28 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: from s200aog10.obsmtp.com (s200aog10.obsmtp.com [207.126.144.124]) by mx1.freebsd.org (Postfix) with SMTP id 7C0D313C48E for ; Fri, 2 Mar 2007 10:03:27 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: from source ([217.206.187.80]) by eu1sys200aob010.postini.com ([207.126.147.11]) with SMTP; Fri, 02 Mar 2007 10:03:26 UTC
Received: from [10.0.0.79] (bwb.mintel.co.uk [10.0.0.79]) by rodney.mintel.co.uk (Postfix) with ESMTP id 37A9918141B; Fri, 2 Mar 2007 09:39:34 +0000 (GMT)
Message-ID: <45E7F00B.6010306@tomjudge.com>
Date: Fri, 02 Mar 2007 09:36:11 +0000
From: Tom Judge
User-Agent: Thunderbird 1.5.0.9 (X11/20070104)
MIME-Version: 1.0
To: Greg Hennessy
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net>
In-Reply-To: <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Tracing packets passing through PF

Greg Hennessy wrote:
>> I was wondering if there is any way to trace packets as they pass
>> through PF and possibly even the network stack. If someone could give
>> me some pointers on this it would be greatly appreciated.
>
> A full tcpdump on the ingress and egress interfaces, a bpf filter will find
> the interesting bits for you.
>
> Greg
>

I actually need to see how a packet that the IPSEC code generates passes through PF (what rules it is (not) matching etc). At the moment it seems that it is either a) not passing through pf at all, b) for some reason not matching the source routing rule.

Is there any way to see this, possibly by setting debugging to loud (pfctl -x loud)?

Tom

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 2 12:41:55 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 17CAD16A402 for ; Fri, 2 Mar 2007 12:41:55 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: from s200aog10.obsmtp.com (s200aog10.obsmtp.com [207.126.144.124]) by mx1.freebsd.org (Postfix) with SMTP id 1C1AD13C442 for ; Fri, 2 Mar 2007 12:41:52 +0000 (UTC) (envelope-from tom@tomjudge.com)
Received: from source ([217.206.187.80]) by eu1sys200aob010.postini.com ([207.126.147.11]) with SMTP; Fri, 02 Mar 2007 12:41:51 UTC
Received: from [10.0.0.79] (bwb.mintel.co.uk [10.0.0.79]) by rodney.mintel.co.uk (Postfix) with ESMTP id 5EF2F18141F; Fri, 2 Mar 2007 12:41:51 +0000 (GMT)
Message-ID: <45E81AC3.5020304@tomjudge.com>
Date: Fri, 02 Mar 2007 12:38:27 +0000
From: Tom Judge
User-Agent: Thunderbird 1.5.0.9 (X11/20070104)
MIME-Version: 1.0
To: Greg Hennessy
References: <45E75454.2060302@tomjudge.com> <000601c75ca1$b4d7a570$1e86f050$@Hennessy@nviz.net> <45E7F00B.6010306@tomjudge.com> <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>
In-Reply-To: <001901c75cb1$040435a0$0c0ca0e0$@Hennessy@nviz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org Subject: Re: Tracing packets passing through PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Mar 2007 12:41:55 -0000 Greg Hennessy wrote: >> I actually need to see how a packet that the IPSEC code generates is >> passes through PF (What rules it is (not) matching etc). At the moment >> it seems that it is either a) not passing through pf at all, b) For >> some >> reason not matching the source routing rule. >> >> Is there anyway to see this, possibly by setting debuging to loud >> (pfctl >> -x loud) ? > > Are you filtering on the loopback by any chance ? Or have you set skip on > lo0 ? > > > > Greg > > I have the following rules on lo0: pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT " pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 label "RULE 2 -- ACCEPT " However the ESP packet generated by the IPSEC code still makes it out onto the network but fails to hit the source route rules: pass out quick on bge1 route-to ( bge1 xxx.xxx.xxx.161 ) inet from xxx.xxx.xxx.169 to ! xxx.xxx.xxx.160/27 keep state label "RULE 18 -- " pass out quick on bge1 route-to ( bge1 yyy.yyy.yyy.65 ) inet from yyy.yyy.yyy.79 to ! 
yyy.yyy.yyy.64/27 keep state label "RULE 19 -- " Tom From owner-freebsd-pf@FreeBSD.ORG Fri Mar 2 20:15:45 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 71C5A16A404 for ; Fri, 2 Mar 2007 20:15:45 +0000 (UTC) (envelope-from brad-fbsd-pf@duttonbros.com) Received: from uno.mnl.com (uno.mnl.com [63.97.246.49]) by mx1.freebsd.org (Postfix) with SMTP id 3E7DB13C4A5 for ; Fri, 2 Mar 2007 20:15:45 +0000 (UTC) (envelope-from brad-fbsd-pf@duttonbros.com) Received: (qmail 16202 invoked by uid 85); 2 Mar 2007 19:49:04 -0000 Received: from 127.0.0.1 by uno (envelope-from , uid 89) with qmail-scanner-1.25 (spamassassin: 2.55. Clear:RC:1(127.0.0.1):. Processed in 0.039444 secs); 02 Mar 2007 19:49:04 -0000 Received: from unknown (HELO uno.mnl.com) (127.0.0.1) by localhost with SMTP; 2 Mar 2007 19:49:03 -0000 Received: from 192.168.0.13 (SquirrelMail authenticated user bdutton) by uno.mnl.com with HTTP; Fri, 2 Mar 2007 11:49:03 -0800 (PST) Message-ID: <1703.192.168.0.13.1172864943.squirrel@uno.mnl.com> Date: Fri, 2 Mar 2007 11:49:03 -0800 (PST) From: "Bradley W. Dutton" To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.9a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: split line comments X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: brad-fbsd-pf@duttonbros.com List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Mar 2007 20:15:45 -0000 Hi, I'm not sure if this is a bug or feature, but the trailing slash used to split long lines works for comments too. 
Thanks, Brad root@uno[/etc][31]% cat pf.conf pass all # some comments \ block all pass all root@uno[/etc][32]% /etc/rc.d/pf reload Reloading pf rules. root@uno[/etc][33]% pfctl -sr pass all pass all root@uno[/etc][35]% cat pf.conf pass all # some comments block all pass all root@uno[/etc][36]% /etc/rc.d/pf reload Reloading pf rules. root@uno[/etc][37]% pfctl -sr pass all block drop all pass all From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 02:04:59 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E4DEE16A404 for ; Sat, 3 Mar 2007 02:04:59 +0000 (UTC) (envelope-from sr@innter.net) Received: from theseus.innter.net (theseus.innter.net [83.220.147.40]) by mx1.freebsd.org (Postfix) with ESMTP id 8869E13C478 for ; Sat, 3 Mar 2007 02:04:59 +0000 (UTC) (envelope-from sr@innter.net) Received: from [192.168.1.3] ([82.200.252.74]) (authenticated bits=0) by theseus.innter.net (8.13.8/8.13.5) with ESMTP id l231rdKg023198 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 3 Mar 2007 02:53:41 +0100 (CET) Message-ID: <45E8D523.9010205@innter.net> Date: Sat, 03 Mar 2007 07:53:39 +0600 From: "Sergey N. Romanov" Organization: I.W. Innter.Net Webservice Ltd. 
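The continuation behaviour Brad demonstrates, turned into a small pre-load lint (added example code, not from the post and not part of pfctl): it folds backslash-newline the way pfctl does and reports any rule that ends up inside a comment, so a vanished "block all" is caught before the ruleset is loaded. Function names are the example's own; the sample config is the one from the post.

```python
"""Lint a pf.conf for comment lines that end in a backslash.

Added example, not from the original post or from pfctl.  pfctl folds a
backslash-newline pair away before it looks for "#", so a comment whose last
character is a backslash silently swallows the next physical line: in the
post, "block all" vanished and "pfctl -sr" showed only the two "pass all"
rules.  Function names are this example's own; the sample config is the
one from the post.
"""
import sys

SAMPLE_PF_CONF = """\
pass all
# some comments \\
block all
pass all
"""


def comment_start(line):
    """Index of the first '#' outside double quotes, or -1 if there is none."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return i
    return -1


def join_continuations(text):
    """Emulate pfctl's line folding.

    Returns (first_physical_lineno, logical_line) pairs.  A physical line
    ending in a backslash is glued to the next one with nothing in between,
    whether or not the backslash sits inside a comment.
    """
    logical, buf, start = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical.append((start, "".join(buf)))
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        logical.append((start, "".join(buf)))
    return logical


def active_rules(text):
    """Rule text pfctl would actually load: comments stripped, spacing folded."""
    rules = []
    for _, line in join_continuations(text):
        idx = comment_start(line)
        body = " ".join((line if idx < 0 else line[:idx]).split())
        if body:
            rules.append(body)
    return rules


def swallowed_lines(text):
    """Physical lines lost inside a comment's continuation.

    Returns (lineno, text) for every physical line that was folded onto a
    logical line which had already entered a comment, i.e. rules that look
    present in the file but never reach the ruleset.
    """
    swallowed = []
    in_comment = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_comment:
            swallowed.append((lineno, line.rstrip("\\").strip()))
        elif comment_start(line) >= 0:
            in_comment = True
        if not line.endswith("\\"):
            in_comment = False  # the logical line ends here
    return swallowed


def lint(text):
    """Human-readable warnings, one per swallowed line."""
    return ["line %d: %r is part of the previous comment and will not be loaded"
            % (n, t) for n, t in swallowed_lines(text)]


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    for warning in lint(conf):
        print(warning)
    print("rules pfctl will load:", active_rules(conf))
```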
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 02:04:59 2007
From: "Sergey N. Romanov"
Organization: I.W. Innter.Net Webservice Ltd.
To: freebsd-pf@freebsd.org
Date: Sat, 03 Mar 2007 07:53:39 +0600
Subject: PF performance problems

Hello,

We have PF-related problems on our FreeBSD 6.2 server. This is a web server and we have large problems even with not so much of a request amount (maybe if more than 100-200/second): we can't ping the host, can't make any connection to the host, etc. We can solve this problem only after a PF restart (from the console). Of course, if the request amount is the same, then we have the problem again immediately.

I have made some tests...

With the firewall disabled, "http_load -parallel 200 -seconds 60 urls" can make 4500 requests per second. No problems with ping etc.

Then I have created a simple (as I think) PF config:

ext_if = "em1"
set skip on lo0
set skip on em0
set block-policy return
block in log from any to any
block out log from any to any
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any keep state
pass in quick on $ext_if proto icmp from any to any keep state
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state

and with this config http_load can make only about 75 requests per second :-((

With logging I can't see that any requests are blocked by the block rule, and I can see that the passed amount is equal to the amount in the http_load report.

Why do we have this problem? Where to search for the problem?

--
Best regards

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 07:37:22 2007
From: Blake Covarrubias
To: Sergey N. Romanov
Cc: freebsd-pf@freebsd.org
Date: Sat, 3 Mar 2007 00:05:01 -0700
Subject: Re: PF performance problems

On Mar 2, 2007, at 6:53 PM, Sergey N. Romanov wrote:
> We have PF-related problems on our FreeBSD 6.2 server. This is a
> web server and we have large problems even with not so much of a request
> amount (maybe if more than 100-200/second): we can't ping the host,
> can't make any connection to the host, etc. We can solve this problem only
> after a PF restart (from the console). Of course, if the request amount
> is the same, then we have the problem again immediately.

Have you tried adjusting your state limit to a higher value in your PF options?

http://www.openbsd.org/faq/pf/options.html

--
Blake Covarrubias

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 15:42:06 2007
From: "Sergey N. Romanov"
Organization: I.W. Innter.Net Webservice Ltd.
To: freebsd-pf@freebsd.org
Date: Sat, 03 Mar 2007 21:41:22 +0600
Subject: Re: PF performance problems

Blake Covarrubias wrote:
> Have you tried adjusting your state limit to a higher value in your PF
> options?

Yes, I have adjusted frags, src-nodes and states. Now it is possible to make about 400-500 requests/s. But this is not 4500 requests/s and too low for us in any case.

--
Best regards

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 19:06:41 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 3 Mar 2007 20:06:27 +0100
Subject: Re: PF performance problems

On Saturday 03 March 2007 16:41, Sergey N. Romanov wrote:
> Blake Covarrubias wrote:
> > Have you tried adjusting your state limit to a higher value in your
> > PF options?
>
> Yes, I have adjusted frags, src-nodes and states. Now it is possible
> to make about 400-500 requests/s. But this is not 4500 requests/s and
> too low for us in any case.

How do you test? Are you by chance using abench (or similar) from one probe box? In this case you are most likely exhausting your ephemeral port range. pf might be too restrictive in enforcing this rule, but you can change the behavior by changing the value for tcp.closed. Note that this is purely due to the test setup and is unlikely to present itself in a real-world situation - though some stupid reverse webcache setups are prone to it as well.

In order to verify that this is the cause, you should enable debugging output (pfctl -xm) and watch the console while testing. "pfctl -si" is your friend as well.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 20:08:19 2007
From: "Sergey N. Romanov"
Organization: I.W. Innter.Net Webservice Ltd.
Date: Sun, 04 Mar 2007 02:07:42 +0600
To: freebsd-pf@freebsd.org
Subject: Re: PF performance problems

Max Laier wrote:
> How do you test? Are you by chance using abench (or similar) from one
> probe box?

I use the bench software on another server. If I use the bench software on the same server, we have about 2500 requests/s.

> ... but you can change the behavior by changing the value for tcp.closed.

This is changed already. I have added these lines to my config:

set limit { frags 64000, src-nodes 128000, states 128000 }
set timeout { tcp.closed 15 }

After this we have about 400-500 requests/s during tests.

> In order to verify that this is the cause, you should enable debugging
> output (pfctl -xm) and watch the console while testing. "pfctl -si" is
> your friend as well.

With "pfctl -si" I can see that the state-mismatch counter grows.

With "pfctl -xm" I can see messages like this:

20:51:43 [0d] pf: State failure on: 1 | 5
20:51:43 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 y.y.y.y:55186 [lo=655302705 high=655369312 win=33304 modulator=0 wscale=1] [lo=783251017 high=783317625 win=33304 modulator=0 wscale=1] 9:9 S seq=659466254 ack=783251017 len=0 ackskew=0 pkts=5:4 dir=in,fwd

What does this mean?

--
Best regards,
Sergey N. Romanov

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 21:37:33 2007
From: "Chris Buechler"
To: "Sergey N. Romanov"
Cc: freebsd-pf@freebsd.org
Date: Sat, 3 Mar 2007 16:09:20 -0500
Subject: Re: PF performance problems

On 3/3/07, Sergey N. Romanov wrote:
> Max Laier wrote:
> > How do you test? Are you by chance using abench (or similar) from one
> > probe box?
>
> I use the bench software on another server.

That's exactly what Max is talking about - this is a very poor way to test a web server, especially behind a stateful firewall, because you're going to exhaust your ephemeral port range. It's not anything you're going to see in real usage of the server, unless real usage is thousands of requests per second from the same IP.

> With "pfctl -si" I can see that the state-mismatch counter grows.

Likely because you're re-using ephemeral ports before the previous state is closed, as Max suggested. A new packet comes in from the same source IP with the same source and destination ports as a previous TCP connection, but this one doesn't match the connection that already exists in the state table because it's a new connection.

You should really find a better way to test your server, like using multiple simultaneous probes or a single one binding to numerous different source IPs. Either/or should eliminate your perceived performance problem, and is a much more realistic test of the actual load the server will see.

There are probably some state-related settings you could tweak for this specific test, but someone else will have to chime in on that because I don't know for sure. I would leave it as is and fix your test.

-Chris

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 22:25:37 2007
From: "Sergey N. Romanov"
Organization: I.W. Innter.Net Webservice Ltd.
To: freebsd-pf@freebsd.org
Date: Sun, 04 Mar 2007 04:24:55 +0600
Subject: Re: PF performance problems

Chris Buechler wrote:
> You should really find a better way to test your server

Thanks for your info.
I don't know how to make requests from many different IPs.
I can assign 100-200 IP addresses to a network interface on the web server and then make requests to all these addresses from some different servers at once. Will I have more realistic results with this test?

--
Best regards,
Sergey N. Romanov

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 3 22:34:13 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 3 Mar 2007 23:33:53 +0100
Subject: Re: PF performance problems

On Saturday 03 March 2007 23:24, Sergey N. Romanov wrote:
> Chris Buechler wrote:
> > You should really find a better way to test your server
>
> Thanks for your info.
> I don't know how to make requests from many different IPs.
> I can assign 100-200 IP addresses to a network interface on the
> web server and then make requests to all these addresses from some
> different servers at once. Will I have more realistic results with this
> test?

You can also do the same on the probe host. Usually the benchmark tools have an option to specify the source address to bind to. You should also change "net.inet.ip.portrange" ... esp. turn off ".randomized" and set ".[hi]first" to something lower, e.g. 1025.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
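The BAD state line Sergey posted, parsed and classified along the lines of Max's and Chris's diagnosis, as an added example (not code from the thread or from pf): it recognises a bare SYN hitting a fully closed state as 4-tuple reuse by the benchmark client and tallies such hits per remote host, which is the signature of a single-probe test rather than of pf being slow. The function names, the reading of the "dir=in,fwd" field and the extra sample lines marked "constructed" are assumptions of this example.

```python
"""Parse and classify pf "BAD state" debug lines (pfctl -xm output).

Added example, not code from the original thread: it parses the BAD state
line Sergey posted and checks for the ephemeral-port reuse Max and Chris
describe (a fresh SYN for a 4-tuple whose previous connection is closed but
still in the state table, waiting for tcp.closed).  Function names, the
reading of "dir=in,fwd" and the lines marked "constructed" are assumptions.
"""
import re
from collections import Counter

# TCP state numbers as pf prints them (netinet/tcp_fsm.h).  With both sides at
# >= FIN_WAIT_2 (FINs acked) the state survives only for the tcp.closed timeout.
TCPS_FIN_WAIT_2 = 9

BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<a1>\S+) (?P<a2>\S+) (?P<a3>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=\d+ modulator=\d+ wscale=\d+\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=\d+ modulator=\d+ wscale=\d+\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=\d+ ackskew=-?\d+ "
    r"pkts=\d+:\d+ dir=(?P<direction>\w+),(?P<rel>\w+)"
)
INT_FIELDS = ("src_lo", "src_hi", "dst_lo", "dst_hi",
              "src_state", "dst_state", "seq", "ack")

SAMPLE_LOG = [
    # The two lines from the post.
    "20:51:43 [0d] pf: State failure on: 1 | 5",
    "20:51:43 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 y.y.y.y:55186 "
    "[lo=655302705 high=655369312 win=33304 modulator=0 wscale=1] "
    "[lo=783251017 high=783317625 win=33304 modulator=0 wscale=1] 9:9 S "
    "seq=659466254 ack=783251017 len=0 ackskew=0 pkts=5:4 dir=in,fwd",
    # Constructed: a SYN on a closed state whose seq falls inside the window.
    "20:51:43 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 y.y.y.y:55190 "
    "[lo=1000 high=67607 win=33304 modulator=0 wscale=1] "
    "[lo=5000 high=71607 win=33304 modulator=0 wscale=1] 9:9 S "
    "seq=20000 ack=0 len=0 ackskew=0 pkts=5:4 dir=in,fwd",
    # Constructed: an out-of-window ACK on an ESTABLISHED (4:4) state.
    "20:51:44 [0d] pf: BAD state: TCP x.x.x.x:80 x.x.x.x:80 z.z.z.z:40000 "
    "[lo=100 high=66607 win=33304 modulator=0 wscale=1] "
    "[lo=200 high=66807 win=33304 modulator=0 wscale=1] 4:4 A "
    "seq=90000000 ack=200 len=0 ackskew=0 pkts=12:9 dir=in,fwd",
]


def parse_bad_state(line):
    """Return a dict of the BAD state fields, or None for any other line."""
    m = BAD_STATE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # Assumption: the third address:port pair is the remote peer, which is
    # how the post's line reads (y.y.y.y:55186 is the benchmark client).
    rec["remote_host"] = rec["a3"].rsplit(":", 1)[0]
    return rec


def in_window(seq, lo, hi):
    """Sequence-number window test with 32-bit wraparound."""
    return (seq - lo) % 2**32 <= (hi - lo) % 2**32


def classify(rec):
    """Name what is wrong with the rejected packet.

    syn-on-closed-state: a bare SYN hit a state with both sides at FIN_WAIT_2
    or later, i.e. the client reused a 4-tuple before tcp.closed expired.
    seq-outside-window: seq is outside the sender's window; "fwd" is read as
    "packet travels in the state's own direction", so the sender's window is
    the first bracket, and the second bracket for "rev".
    """
    reasons = []
    closed = (rec["src_state"] >= TCPS_FIN_WAIT_2
              and rec["dst_state"] >= TCPS_FIN_WAIT_2)
    bare_syn = "S" in rec["flags"] and "A" not in rec["flags"]
    if closed and bare_syn:
        reasons.append("syn-on-closed-state")
    if rec["rel"] == "fwd":
        lo, hi = rec["src_lo"], rec["src_hi"]
    else:
        lo, hi = rec["dst_lo"], rec["dst_hi"]
    if not in_window(rec["seq"], lo, hi):
        reasons.append("seq-outside-window")
    return reasons


def summarize(lines):
    """Count reasons over a log and tally 4-tuple reuse per remote host."""
    reasons, reuse_by_remote = Counter(), Counter()
    for line in lines:
        rec = parse_bad_state(line)
        if rec is None:
            continue
        found = classify(rec)
        reasons.update(found)
        # Many reuse hits from one host: a single-probe load test, not slow pf.
        if "syn-on-closed-state" in found:
            reuse_by_remote[rec["remote_host"]] += 1
    return {"reasons": reasons, "reuse_by_remote": reuse_by_remote}
```

Feed it the console output collected during a test run; a large "syn-on-closed-state" count concentrated on one remote host points at the probe setup, not at the ruleset.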