From owner-freebsd-pf@FreeBSD.ORG Sun May 6 00:20:52 2007
Date: Sun, 6 May 2007 02:20:51 +0200
From: Frank Steinborn
To: Kian Mohageri
Cc: freebsd-pf@FreeBSD.org
Subject: Re: PF not started on boot (though it's in /etc/rc.conf)
Message-Id: <20070506002051.551F8B832@shodan.nognu.de>
In-Reply-To: <463D12DC.7000205@gmail.com>
References: <20070505224853.B826EB867@shodan.nognu.de> <463D12DC.7000205@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Kian Mohageri wrote:
> I'm guessing you used a hostname in your ruleset, which currently
> results in the behavior you've described (on FreeBSD) because at the
> time pf comes up, DNS isn't working.

That's it. Nice! :-)

Thanks,
Frank

From owner-freebsd-pf@FreeBSD.ORG Mon May 7 11:08:39 2007
Date: Mon, 7 May 2007 11:08:38 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200705071108.l47B8ccx078730@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue May 8 08:31:17 2007
Date: Tue, 08 May 2007 10:30:38 +0200
From: Volker
To: "FreeBSD (PF)"
Subject: pf.os fingerprinting does not seem to load by default
Message-ID: <4640352E.60109@vwsoft.com>

Hi!

I think I've run into a bug with pf's fingerprinting.

While checking a modified ruleset with `pfctl -vvv -gnf ...', pfctl
told me it doesn't know anything about an OS fingerprint called
"Windows". I've checked with `pfctl -so', but all fingerprints have
been displayed (even Windows). I tried the same using "Windows XP" and
others, but pfctl refused to find these fingerprints.

As a last resort I tried an explicit 'set fingerprints "/etc/pf.os"'
and pfctl was happy.

According to pf.conf(5), pf loads the fingerprint database by default
from /etc/pf.os. Either the man page or pfctl's behavior is wrong. Can
somebody please check if time permits?
Thx,

Volker

From owner-freebsd-pf@FreeBSD.ORG Tue May 8 08:41:49 2007
Date: Tue, 08 May 2007 10:41:16 +0200
From: Volker
To: "FreeBSD (PF)"
Subject: Re: pf.os fingerprinting does not seem to load by default
Message-ID: <464037AC.9030306@vwsoft.com>
In-Reply-To: <4640352E.60109@vwsoft.com>

On 05/08/07 10:30, Volker wrote:
> Hi!
>
> I think I've run into a bug with pf's fingerprinting.
>
> While checking a modified ruleset with `pfctl -vvv -gnf ...', pfctl
> told me it doesn't know anything about an OS fingerprint called
> "Windows". I've checked with `pfctl -so', but all fingerprints have
> been displayed (even Windows). I tried the same using "Windows XP" and
> others, but pfctl refused to find these fingerprints.
>
> As a last resort I tried an explicit 'set fingerprints "/etc/pf.os"'
> and pfctl was happy.
>
> According to pf.conf(5), pf loads the fingerprint database by default
> from /etc/pf.os. Either the man page or pfctl's behavior is wrong. Can
> somebody please check if time permits?
>
> Thx,
>
> Volker
>

talking to myself... how stupid I am... I have forgotten this piece of
relevant info:

# uname -v
FreeBSD 6.2-STABLE #20: Fri Apr 27 16:41:22 CEST 2007

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 08:09:25 2007
Date: Wed, 9 May 2007 10:45:13 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: freebsd-pf@freebsd.org
Subject: PF and GeoIP to update country table?
Message-ID: <499c70c0705090045q121d9a36n45c0bf6c69928273@mail.gmail.com>

Hello,

I would like to use the GeoIP db and update the country db rule, then make
pf read the db, and allow certain countries to connect to the web server.

Is this possible?
-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 09:01:36 2007
Date: Wed, 9 May 2007 12:01:34 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and GeoIP to update country table?
Message-ID: <499c70c0705090201v3534eef2ybe9c2f7218e714dc@mail.gmail.com>
In-Reply-To: <46418C6A.5000607@quip.cz>
References: <499c70c0705090045q121d9a36n45c0bf6c69928273@mail.gmail.com> <46418C6A.5000607@quip.cz>

On 5/9/07, Miroslav Lachman <000.fbsd@quip.cz> wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > I would like to use the GeoIP db and update the country db rule, then make
> > pf read the db, and allow certain countries to connect to the
> > web server.
> >
> > Is this possible?
>
> Yes, I am using it.
>
> Just download and uncompress the CSV GeoIP version and do something like
> this (example for Czech Republic IPs):
>
> grep Czech GeoIPCountryWhois.csv | awk 'BEGIN { FS="," } { print $1"-"$2 }' \
>   | sed 's/"//g' | tableutil -q text > /etc/pf.czech_net.table
>
> tableutil is from ports (net/tableutil)
>
> So all Czech IPs are in /etc/pf.czech_net.table which is loaded into
> pf.conf by this line:
> table persist file "/etc/pf.czech_net.table"
> Then you can do whatever you want with these IP addresses (block /
> pass / redirect...)
>
> Miroslav Lachman

Thanks for your help, this is really great! You made my day :)

I was also surfing the net and found this interesting Debian HOWTO:
http://www.debian-administration.org/articles/518

Another question: how about the update per month? Do I need to kill pf
and run it again? Or would a crontab do the trick and update the IPs?
-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 09:11:56 2007
Date: Wed, 09 May 2007 10:55:06 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Abdullah Ibn Hamad Al-Marri
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and GeoIP to update country table?
Message-ID: <46418C6A.5000607@quip.cz>
In-Reply-To: <499c70c0705090045q121d9a36n45c0bf6c69928273@mail.gmail.com>

Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to use the GeoIP db and update the country db rule, then make
> pf read the db, and allow certain countries to connect to the
> web server.
>
> Is this possible?

Yes, I am using it.

Just download and uncompress the CSV GeoIP version and do something like
this (example for Czech Republic IPs):

grep Czech GeoIPCountryWhois.csv | awk 'BEGIN { FS="," } { print $1"-"$2 }' \
  | sed 's/"//g' | tableutil -q text > /etc/pf.czech_net.table

tableutil is from ports (net/tableutil)

So all Czech IPs are in /etc/pf.czech_net.table which is loaded into
pf.conf by this line:
table persist file "/etc/pf.czech_net.table"
Then you can do whatever you want with these IP addresses (block /
pass / redirect...)
Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 12:06:43 2007
Date: Wed, 09 May 2007 14:06:38 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Abdullah Ibn Hamad Al-Marri
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and GeoIP to update country table?
Message-ID: <4641B94E.2040002@quip.cz>
In-Reply-To: <499c70c0705090201v3534eef2ybe9c2f7218e714dc@mail.gmail.com>

Abdullah Ibn Hamad Al-Marri wrote:
> On 5/9/07, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
>> Abdullah Ibn Hamad Al-Marri wrote:
>> > Hello,
>> >
>> > I would like to use the GeoIP db and update the country db rule, then make
>> > pf read the db, and allow certain countries to connect to the
>> > web server.
[...]
>> So all Czech IPs are in /etc/pf.czech_net.table which is loaded into
>> pf.conf by this line:
>> table persist file "/etc/pf.czech_net.table"
>> Then you can do whatever you want with these IP addresses (block /
>> pass / redirect...)
[...]
> Another question: how about the update per month? Do I need to kill pf
> and run it again? Or would a crontab do the trick and update the IPs?

No need to kill it. Maybe you can use /etc/rc.d/pf reload (I haven't
tested it), or, as you can read in the man page of pfctl, you can
populate tables from the command line / scripts etc.:
http://www.freebsd.org/cgi/man.cgi?query=pfctl&format=html

    Load only the table definitions from pf.conf(5)

        # pfctl -Tl -f pf.conf

    For the add, delete, replace, and test commands, the list of
    addresses can be specified either directly on the command line
    and/or in an unformatted text file, using the -f flag.
Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 12:20:02 2007
Date: Wed, 09 May 2007 14:19:29 +0200
From: Volker
To: Abdullah Ibn Hamad Al-Marri
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: PF and GeoIP to update country table?
Message-ID: <4641BC51.7080804@vwsoft.com>
In-Reply-To: <499c70c0705090201v3534eef2ybe9c2f7218e714dc@mail.gmail.com>

On 12/23/-58 20:59, Abdullah Ibn Hamad Al-Marri wrote:
> Another question: how about the update per month? Do I need to kill pf
> and run it again? Or would a crontab do the trick and update the IPs?

Abdullah,

unfortunately I'm unable to imagine if it's a nice or a really, really
bad idea to block certain countries. It sounds like a Chinese wall. If
the machine in question is a web server, it might be a hardly bad idea
and would lead into another dimension of separating the world.

Anyway, if you want to replace the in-memory table with a fresh one
from disk, pfctl is your friend. Have a look at pfctl(8), especially
the parameters '-t' and '-T'. Doing a
`pfctl -t mychinesewall -T replace -f /tmp/dolistalltheworld.txt'
would be enough.
HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 12:58:56 2007
Date: Wed, 9 May 2007 08:33:04 -0400
From: iggdawg@gmail.com
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 137, Issue 3
In-Reply-To: <20070509120023.71BB016A482@hub.freebsd.org>

Hi,

The following command could be loaded via cron with the "monthly"
crontask, or via some other script (assuming the blacklist table is
"GeoList" and you are using the default pf.conf):

pfctl -t hotlist -T flush -Tl -f /etc/pf.conf

> > > Hello,
> > >
> > > I would like to use the GeoIP db and update the country db rule, then make
> > > pf read the db, and allow certain countries to connect to the
> > > web server.
> > >
> > > Is this possible?
> >
> > Yes, I am using it.
> >
> > Just download and uncompress the CSV GeoIP version and do something like
> > this (example for Czech Republic IPs):
> >
> > grep Czech GeoIPCountryWhois.csv | awk 'BEGIN { FS="," } { print $1"-"$2 }' \
> >   | sed 's/"//g' | tableutil -q text > /etc/pf.czech_net.table
> >
> > tableutil is from ports (net/tableutil)
> >
> > So all Czech IPs are in /etc/pf.czech_net.table which is loaded into
> > pf.conf by this line:
> > table persist file "/etc/pf.czech_net.table"
> > Then you can do whatever you want with these IP addresses (block /
> > pass / redirect...)
> >
> > Miroslav Lachman
>
> Thanks for your help, this is really great! You made my day :)
>
> I was also surfing the net and found this interesting Debian HOWTO:
> http://www.debian-administration.org/articles/518
>
> Another question: how about the update per month? Do I need to kill pf
> and run it again? Or would a crontab do the trick and update the IPs?
>
>
> -- 
> Regards,
>
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/
>
>

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 15:23:36 2007
Date: Wed, 9 May 2007 18:23:34 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: Volker
Cc: freebsd-pf@freebsd.org
Subject: Re: Re: PF and GeoIP to update country table?
Message-ID: <499c70c0705090823n49cc1897u24a8ccbb7e57b429@mail.gmail.com>
In-Reply-To: <4641BC51.7080804@vwsoft.com>

On 5/9/07, Volker wrote:
> On 12/23/-58 20:59, Abdullah Ibn Hamad Al-Marri wrote:
> > Another question: how about the update per month? Do I need to kill pf
> > and run it again? Or would a crontab do the trick and update the IPs?
>
> Abdullah,
>
> unfortunately I'm unable to imagine if it's a nice or a really, really
> bad idea to block certain countries. It sounds like a Chinese wall. If
> the machine in question is a web server, it might be a hardly bad idea
> and would lead into another dimension of separating the world.
>
> Anyway, if you want to replace the in-memory table with a fresh one
> from disk, pfctl is your friend. Have a look at pfctl(8), especially
> the parameters '-t' and '-T'. Doing a `pfctl -t mychinesewall -T
> replace -f /tmp/dolistalltheworld.txt' would be enough.
>
> HTH
>
> Volker
>

Hello Volker,

It's a forum server with Arabic-only content, so only users in these
Arabic countries would be able to connect to it.

There are Arabs and people who speak and read Arabic in other countries,
but I have to lose them since the forum is getting hits 24/7 from Arabic
script kiddies who think they are elite and flood it with fake HTTP
requests, which kill the MySQL server right away.

The problem is they have tons of bots running on M$ systems, and I have
only 2 choices.
Shut down the forum, or block other countries' IPs. If you were in my
place, what would you do? *sigh*

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Wed May 9 16:38:42 2007
Message-ID: <4641F8EC.4@vwsoft.com>
Date: Wed, 09 May 2007 18:38:04 +0200
From: Volker
To: Abdullah Ibn Hamad Al-Marri
In-Reply-To: <499c70c0705090823n49cc1897u24a8ccbb7e57b429@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF and GeoIP to update country table?

On 05/09/07 17:23, Abdullah Ibn Hamad Al-Marri wrote:
[snip]
>> unfortunately I'm unable to imagine if it's nice or really, really bad
>> idea to block certain countries. It sounds like a chinese wall. If the
>> machine in question is a web server, it might be a hardly bad idea and
>> would lead into another dimension of separating the world.
>>
[snip]
> There are Arabs and ppl speak and read Arabic in the other countries
> but I have to lose them since the forum is getting 24/7 days hits by
> Arabic script kiddies who think they are elite and will flood it with
> fake http requests which kills the MySQL server right away.
>
> The problem is they have tons of bots run in m$ systems, and I have
> only 2 choices.
> Shut down the forum, or block other countries IPs, if you were in my
> place what would you do?

Abdullah,

what do these attacks look like? Is it script-driven MASS-posting? How
frequent?

You may probably use pf's ability to set per-IP triggers (i.e. if a
single IP address is opening too many TCP connections in a time frame,
you may block that). If these scripts are not running too often against
your web server, this is of no use for you.

As I understand it, these script kiddies are trying to automagically
post into your forum. What about requiring graphical confirmation before
the post is accepted? That way, you're letting legitimate users in from
around the world but keeping robots out. If you're using something like
phpBB, there are (anti-spam) modules for graphical confirmation.
Again, the best solution (balanced between your concerns and legitimate
use for all people) depends on what these attacks against your forum
look like. If there are frequent accesses from the same set of IP
addresses, you may use pf. Otherwise this should be blocked by your
forum software. Arabic people are really all around the world.

If you want to try pf's trigger functionality (see "stateful tracking
options" in pf.conf(5)), keep in mind that every HTTP request (HTML
pages, graphics etc.) may lead to many single TCP connections. This
means, don't set the limits too short before blocking an IP address.

HTH

Volker
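An added pf.conf fragment (my example, not a configuration posted by anyone in the thread) that puts together the two pf mechanisms raised in this exchange: the country table Volker suggests refreshing with `pfctl -T replace`, and the per-source stateful tracking limits he advises keeping loose. The interface, server address, table names and file path are assumed.

```pf
ext_if  = "em0"               # assumed external interface
web_srv = "192.0.2.10"        # assumed forum server address

# Allowed country ranges, one CIDR per line, loaded from disk. To refresh
# the in-memory copy after the monthly GeoIP update, no pf restart needed:
#   pfctl -t arab_nets -T replace -f /etc/pf/arab_nets.txt
table <arab_nets> persist file "/etc/pf/arab_nets.txt"

# Sources that exceeded the per-address limits below. Entries stay until
# removed, e.g. from cron:  pfctl -t flooders -T expire 3600
table <flooders> persist

# Flooders are cut off first; "flush global" below also kills their states.
block in quick on $ext_if from <flooders>

# Default deny for the forum port, then admit the listed countries.
block in on $ext_if proto tcp to $web_srv port 80

# Every page load opens several TCP connections (HTML, images, CSS), so the
# limits are deliberately generous: 100 simultaneous connections per source
# and at most 60 new connections per 10 seconds. Exceeding either moves the
# source into <flooders>.
pass in on $ext_if proto tcp from <arab_nets> to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, \
     overload <flooders> flush global)
```

Check what actually lands in the table with `pfctl -t flooders -T show` before tightening the numbers; a legitimate user behind a busy proxy looks like a single source to pf.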

Message-ID: <64de5c8b0705110311v396ca514i848e558c4b580796@mail.gmail.com>
Date: Fri, 11 May 2007 15:41:19 +0530
From: "Rajkumar S"
To: freebsd-pf@freebsd.org
Subject: Load balancing with ratio

Hi,

pf can do outbound load balancing using route-to and providing the ext
interface and gateway IP like { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) }
round-robin. But the algorithm is only round-robin, which may not be
appropriate if the two links are asymmetric, say a 1MB line and a 256kbps
line.

Is there any way to provide some ratio like 1:4 where out of 5
packets/bytes 4 will be via one link and one via the other link?

I have gone through the docs and this feature does not seem to exist
anywhere, so if someone can give a starting place to look, where I can do
some hacking, that would also be fine.
raj

From owner-freebsd-pf@FreeBSD.ORG Fri May 11 12:21:04 2007
Message-ID: <46445F8E.9030907@vwsoft.com>
Date: Fri, 11 May 2007 14:20:30 +0200
From: Volker
To: Rajkumar S
In-Reply-To: <64de5c8b0705110311v396ca514i848e558c4b580796@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Load balancing with ratio

On 12/23/-58 20:59, Rajkumar S wrote:
> pf can do outbound load balancing using route-to and provide the ext
> interface and gateway ip like { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin. But the algorithm is only round-robin which
> may not be appropriate if the two links are asymmetric, say an 1MB
> line and 256kbps line.
>
> Is there any way to provide some ratio like 1:4 where out of 5
> packets/bytes 4 will be via one link and one via other link?
>
> I have gone through the docs and this feature does not seem to exist
> any where, so if some one can give a starting place to look, where I
> can do some hacking, that would also be fine.

raj,

I've never done that, but what about giving the next hop with better
bandwidth twice?

HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Fri May 11 15:48:14 2007
Message-ID: <46449028.8010507@mykitchentable.net>
Date: Fri, 11 May 2007 08:47:52 -0700
From: Drew Tomlinson
To: Chris Smith
In-Reply-To: <200705020945.39102.bsd782@chrissmith.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ALTQ - I Don't Understand

On 5/2/2007 6:45 AM Chris Smith said the following:
> On Sunday 08 April 2007, Drew Tomlinson wrote:
>
>> OK, I've done some more digging and maybe I understand now. I was
>> missing the fact that NAT occurs BEFORE filtering
>>
>
> Why not tag the packets?
>
> Chris

OK, why not? :)

I looked through the pf manual and read the section on packet tagging.
This seems to do what I need and appears to be working for me.

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
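An added pf.conf fragment (my example, not Drew's or Chris's configuration) showing the tagging approach the reply points to: because translation runs before filtering, an outbound filter rule on the external interface only ever sees the NATed source, so the nat rule tags traffic from the internal host and the filter rule picks the ALTQ queue by tag. Interfaces, addresses, bandwidths and queue names are assumed.

```pf
ext_if    = "fxp0"            # assumed external interface
int_if    = "fxp1"            # assumed internal interface
voip_host = "192.168.1.50"    # assumed LAN host whose traffic gets priority

# Two CBQ queues on the upstream link; q_default carries everything else.
altq on $ext_if cbq bandwidth 1Mb queue { q_voip, q_default }
queue q_voip    bandwidth 30% priority 7 cbq(borrow)
queue q_default bandwidth 70% cbq(default borrow)

# NAT is applied before filtering, so by the time a filter rule on $ext_if
# runs, the packet's source is already ($ext_if) and "from $voip_host"
# would never match there. Tag the packet in the translation rule instead;
# the tag survives translation and is inherited by the state.
# For nat rules the first match wins, so the specific host comes first.
nat on $ext_if from $voip_host to any tag VOIP -> ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)

# For filter rules the last match wins, so the tagged rule comes last:
# VOIP-tagged packets match both rules and end up in q_voip, everything
# else only matches the first rule and stays in q_default.
pass out on $ext_if keep state queue q_default
pass out on $ext_if tagged VOIP keep state queue q_voip
```

`pfctl -vsq` shows per-queue packet counters, which is the quickest way to confirm the tagged traffic is actually landing in q_voip rather than the default queue.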