From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 03:54:30 2007
From: Dian Candra <dian@spin.net.id>
Date: Mon, 13 Aug 2007 10:44:18 +0700
To: freebsd-pf@freebsd.org
Message-ID: <46BFD392.2020804@spin.net.id>
Subject: Using PF + ALTQ in FreeBSD 6.2

Dear All,

I'm using ALTQ + PF on my BSD 6.2 box. This machine is acting as a router. After trying to configure ALTQ + PF, I have a problem limiting incoming and outgoing traffic. Could anyone help me solve my problem?

JFI: my router interfaces are fxp0 and rl0, with this diagram:

    client -> rl0------fxp0 ---> internet
                 (router)

I could limit outgoing traffic from the client, but not incoming traffic.

Thanks,
Dian

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 04:30:58 2007
From: David DeSimone <fox@verio.net>
Date: Sun, 12 Aug 2007 23:30:50 -0500
To: freebsd-pf@freebsd.org
Message-ID: <20070813043049.GA32692@verio.net>
In-Reply-To: <46BFD392.2020804@spin.net.id>
Subject: Re: Using PF + ALTQ in FreeBSD 6.2
Dian Candra wrote:
>
> client -> rl0------fxp0 ---> internet
>              (router)
>
> I could limit outgoing traffic from client, but not incoming traffic.

I'm curious what you think your router can do to prevent hosts on the internet from sending traffic too fast.

Once you have received the packets, it is too late to limit their arrival rate.

--
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for writing,
   but I couldn't give it up because by that time I was too famous."
                                                    -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 11:08:30 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 13 Aug 2007 11:08:28 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <200708131108.l7DB8SrW047768@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c

7 problems total.
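The pf.conf below is an added example, not configuration posted by anyone in this thread. It shows the approach the thread settles on further down: a separate ALTQ queue tree on each interface, because ALTQ can only queue packets as they leave an interface. Traffic from the internet to a client is therefore shaped as it leaves rl0, and traffic from a client to the internet as it leaves fxp0. The interface names follow Dian's diagram; the client addresses, bandwidths, the NAT rule and the tag names are assumptions. Two details make it work. First, a state carries the queue of the rule that created it, for packets in both directions, and that queue is only used on an interface whose tree contains it (anywhere else the packet falls into that interface's default queue), so the rules create interface-bound states and each interface's rule names a queue from its own tree. Second, NAT on fxp0 has already rewritten the client's source address by the time the outbound rule runs, so the rl0 rule tags the packets and the fxp0 rule matches on the tag. David's caveat still applies: by the time rl0 delays or drops a packet it has already crossed the upstream link; what the rl0 queue buys is that TCP senders see the lower rate and back off, which is also all dummynet does.

```pf
# Added example; not from the thread.  Interface names follow the diagram
# (client -> rl0 [router] fxp0 -> internet); the addresses, bandwidths,
# NAT rule and tag names are assumptions.
ext_if   = "fxp0"
int_if   = "rl0"
client_a = "192.168.1.10"
client_b = "192.168.1.11"

# Upload direction: a queue tree on the internet-facing interface.
altq on $ext_if cbq bandwidth 1Mb queue { up_def, up_a, up_b }
queue up_def bandwidth 20% cbq(default)
queue up_a   bandwidth 40% cbq(borrow)
queue up_b   bandwidth 40% cbq(borrow)

# Download direction: a second tree on the LAN-facing interface.  The
# packets were already received on fxp0; rl0 releases them to the client
# at the configured rate, and cbq(borrow) lets one client take the
# other's idle share, which is the parent borrowing dummynet lacked.
altq on $int_if cbq bandwidth 4Mb queue { down_def, down_a, down_b }
queue down_def bandwidth 20% cbq(default)
queue down_a   bandwidth 40% cbq(borrow)
queue down_b   bandwidth 40% cbq(borrow)

nat on $ext_if from $int_if:network to any -> ($ext_if)

block in on $ext_if all

# A state carries the queue of the rule that created it, in both
# directions, and that queue is only used on an interface that has it.
# Interface-bound states give each interface its own state, so:
#  - the rl0 rule names a download queue: this state's reply packets
#    leave rl0;
#  - the fxp0 rule names an upload queue: this state's packets leave fxp0.
# The tag identifies the client on fxp0, where NAT has already rewritten
# the source address.
pass in  on $int_if from $client_a tag CLIENT_A keep state (if-bound) queue down_a
pass in  on $int_if from $client_b tag CLIENT_B keep state (if-bound) queue down_b

# Last matching rule wins, so the catch-all (up_def) goes first.
pass out on $ext_if keep state (if-bound)
pass out on $ext_if tagged CLIENT_A keep state (if-bound) queue up_a
pass out on $ext_if tagged CLIENT_B keep state (if-bound) queue up_b
```

The kernel needs options ALTQ and ALTQ_CBQ. After loading with pfctl -f, pfctl -sq lists both trees and pfctl -vsq shows per-queue packet counters, which is the quickest way to confirm that a client's downloads are landing in down_a rather than in down_def.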
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 13:28:19 2007
From: Chris Marlatt <cmarlatt@rxsec.com>
Organization: Receive Security
Date: Mon, 13 Aug 2007 09:01:30 -0400
To: freebsd-pf@freebsd.org
Message-ID: <46C0562A.8060201@rxsec.com>
In-Reply-To: <20070813043049.GA32692@verio.net>
Subject: Re: Using PF + ALTQ in FreeBSD 6.2

David DeSimone wrote:
> I'm curious what you think your router can do to prevent hosts on the
> internet from sending traffic too fast.
>
> Once you have received the packets, it is too late to limit their
> arrival rate.
>

Can't ipfw do this through dummynet? It seems to work fine for me in my tests.

Now, yes, it's not really preventing them from sending traffic, but it should still be able to queue it and invoke latency to simulate a slower link/pipe.
Regards,

Chris

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 13:49:54 2007
From: Dian Candra <dian@spin.net.id>
Date: Mon, 13 Aug 2007 20:59:57 +0700
To: freebsd-pf@freebsd.org
Message-ID: <46C063DD.50008@spin.net.id>
In-Reply-To: <46C0562A.8060201@rxsec.com>
Subject: Re: Using PF + ALTQ in FreeBSD 6.2

Yes, it works well with dummynet, because I've been using dummynet for some years.
The problem is that with dummynet I could not "borrow" bandwidth from the parent. So I should move to ALTQ+PF, but unfortunately I'm facing a problem with it.

Please give me some comments: if I use ALTQ+PF on my router, can it really not limit incoming and outgoing traffic from/to my client? Does no one have better experience?

regards,

Dian

Chris Marlatt wrote:
> David DeSimone wrote:
>> I'm curious what you think your router can do to prevent hosts on the
>> internet from sending traffic too fast.
>>
>> Once you have received the packets, it is too late to limit their
>> arrival rate.
>>
>
> Can't ipfw do this through dummynet? It seems to work fine for me in my
> tests.
>
> Now yes it's not really preventing them from sending traffic, but it
> should still be able to queue it and invoke latency to simulate a slower
> link/pipe.
>
> Regards,
>
> Chris
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 14:05:28 2007
From: Chris Marlatt <cmarlatt@rxsec.com>
Organization: Receive Security
Date: Mon, 13 Aug 2007 10:05:15 -0400
To: dian@spin.net.id
Cc: freebsd-pf@freebsd.org
Message-ID: <46C0651B.5030800@rxsec.com>
In-Reply-To: <46C063DD.50008@spin.net.id>
Subject: Re: Using PF + ALTQ in FreeBSD 6.2

Dian Candra wrote:
> Yes, it's work with Dummynet well, cause I'm using dummynet for some
> years. The problem is, with dummynet I could not "borrow" bandwidth
> from the parent.
> So, I should move to ALTQ+PF, but unfortunately I'm facing a problem
> with it.
> Please give me some comment, If I use ALTQ+PF in my router, it's really
> could not limit incoming and outgoing traffic from/to my client ?
> Does no one have a bettter experience ?
>
> regards,
>
> Dian
>

I haven't had time to test this idea yet, and maybe someone else can shed some light on this, but seeing as ALTQ can only queue outbound traffic, have you thought about queuing on both your external and internal interfaces? Simply changing the perspective of the rules?

This is dependent upon pf/ALTQ actually taking two "altq" statements in the pf.conf, which I'm not certain it can do. It doesn't complain about the syntax, but like I said before, I haven't tested this yet.

You could also try to use a combination of pf and ipfw. I used such an implementation when I needed to do per-IP bandwidth limits and needed more queues than ALTQ would support. ipfw's "mask src-ip" and "mask dst-ip" work nicely for this.

Best of luck in finding a functional solution.

Regards,

Chris

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 13 14:24:04 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
Date: Mon, 13 Aug 2007 16:23:46 +0200
To: freebsd-pf@freebsd.org
Message-Id: <200708131623.51962.max@love2party.net>
In-Reply-To: <46C0651B.5030800@rxsec.com>
Subject: Re: Using PF + ALTQ in FreeBSD 6.2

On Monday 13 August 2007, Chris Marlatt wrote:
> Dian Candra wrote:
> > Yes, it's work with Dummynet well, cause I'm using dummynet for some
> > years. The problem is, with dummynet I could not "borrow"
> > bandwidth from the parent.
> > So, I should move to ALTQ+PF, but unfortunately I'm facing a problem
> > with it.
> > Please give me some comment, If I use ALTQ+PF in my router, it's
> > really could not limit incoming and outgoing traffic from/to my
> > client ? Does no one have a bettter experience ?
> >
> > regards,
> >
> > Dian
>
> I haven't had time to test this idea yet, maybe someone else can shed
> some light on this, but seeing as ALTQ can only queue outbound traffic,
> have you thought about queuing on both your external and internal
> interfaces? Simply changing perspective of the rules?

Yes, this is a functional approach. It's silly, but it does what you are asking for. It doesn't matter if you use ALTQ or dummynet for this, btw.

> This is dependent upon pf/ALTQ actually taking two "altq" statements in
> the pf.conf which I'm not certain it can do. It doesn't complain about
> the syntax but like I said before, I haven't tested this yet.
>
> You could also try to use a combination of pf and ipfw. I used such an
> implementation when I needed to do per ip bw limits and needed more
> queues than ALTQ would support. ipfw's "mask src-ip" and "mask dst-ip"
> work nicely for this.
>
> Best of luck in finding a functional solution.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 14 19:23:43 2007
In-Reply-To: <20070802062413.GB32306@insomnia.benzedrine.cx>
References: <611A93D3-A392-493B-80ED-4C5AC77AA77A@patpro.net> <20070802062413.GB32306@insomnia.benzedrine.cx>
Message-Id: <25950E32-2B7A-49C6-A6E0-98FFAB3574BE@patpro.net>
From: Patrick Proniewski <patpro@patpro.net>
Date: Tue, 14 Aug 2007 21:23:40 +0200
To: freebsd-pf@freebsd.org
Cc: Greg Hennessy
Subject: Re: strange "throttling" issue with pf on xDSL connection

Hi all,

On 02 août 2007, at 08:24, Daniel Hartmeier wrote:
> On Wed, Aug 01, 2007 at 05:42:19PM +0200, Patrick Proniewski wrote:
>
>> While playing around with systat I've discovered that the transfer
>> rate can be as low as 20 KB/s and as high as 850 KB/s on a single
>> download from http://test-debit.free.fr, but the mean value will
>> always be around 120-150 KB/s when pf is active. From one sample to
>> another (every second), the transfer rate is very erratic.
>> If I disable pf on ext_if (set skip on $ext_if), the transfer rate
>> reaches quickly 850 KB/s and is almost stable. It decreases to
>> 400-450 KB/s for 1 or 2 seconds, 3 or 4 times per minute.
>
> Enable pf debug logging (pfctl -xm), note output of pfctl -si, reproduce
> the problem. Then run pfctl -si again. See /var/log/messages for lines
> from pf. Post all three outputs ;)

Logging and other forensic methods were of no help here, but I've made several tests, commenting and un-commenting pf rules. I've found the guilty rule.

My pf.conf used to have this rule:

    pass out on $ext_if proto tcp all modulate state flags S/SA

I've changed the options to:

    pass out on $ext_if proto tcp all flags S/SA keep state

and then my bandwidth is no longer throttled!

Looks like the servers/networks I'm connected to do not like "modulate state".

regards,

pat

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 14 22:14:47 2007
From: Toomas Pelberg <toomas@detalem.cq.hk>
Date: Wed, 15 Aug 2007 00:46:48 +0300
To: freebsd-pf@freebsd.org
Message-Id: <1187128008.64655.9.camel@detalem.kicks-ass.net>
Subject: pfctl -i

The pfctl man page says:

    -i interface
        Restrict the operation to the given interface.

..what exactly is meant by the word "operation"?
My problem: I want to load a different ruleset for each interface (jails) and not care about what's in the ruleset, as long as it doesn't affect anything outside the jail (which is bound to a specific IP on a separate interface).

I tried loading

    pfctl -i lo1 -f test.fire

which contained "block quick all" ..which promptly killed everything :/

And no, it's not about using the loopback interface.. the same goes for "real" interfaces like nve & fxp. Neither does it restrict you from loading "block quick on another_interface all" and still killing everything..

OpenBSD seems to act the same, so it's probably not a porting bug.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 15 00:38:03 2007
From: Jon Simola <jsimola@gmail.com>
Date: Tue, 14 Aug 2007 17:13:23 -0700
To: freebsd-pf@freebsd.org
Message-ID: <8eea04080708141713w2e485fe2t49ff909304561fb5@mail.gmail.com>
In-Reply-To: <1187128008.64655.9.camel@detalem.kicks-ass.net>
Subject: Re: pfctl -i

On 8/14/07, Toomas Pelberg wrote:
> pfctl man page says:
>
> -i interface
> Restrict the operation to the given interface.
>
> ..what exactly is meant under the word "operation" ?

This would be one of those things that is obvious once you've seen an example and thought about it for a while.

    $ sudo pfctl -si | grep -A1 State
    State Table                        Total             Rate
      current entries                34056
    $ sudo pfctl -i vlan170 -ss | wc -l
        1172

In this case, only show states bound to the vlan170 interface.

> My problem: I want to load a different ruleset for each interface
> ( jails ) and not care about what's in the ruleset as long as it doesn't
> affect anything outside the jail ( which is bound to a specific ip on a
> seperate interface )

You probably want to look into anchors.
--
Jon

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 15 01:48:36 2007
From: Toomas Pelberg <toomas@detalem.cq.hk>
Date: Wed, 15 Aug 2007 04:48:34 +0300
To: freebsd-pf@freebsd.org
Message-Id: <1187142514.64859.55.camel@detalem.kicks-ass.net>
In-Reply-To: <8eea04080708141713w2e485fe2t49ff909304561fb5@mail.gmail.com>
Subject: Re: pfctl -i

On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
> On 8/14/07, Toomas Pelberg wrote:
> > pfctl man page says:
> >
> > -i interface
> > Restrict the operation to the given interface.
> >
> > ..what exactly is meant under the word "operation" ?
>
> This would be one of those things that is obvious once you've seen an example
> and thought about it for a while.
>
> $sudo pfctl -si |grep -A1 State
> State Table Total Rate
> current entries 34056
> $sudo pfctl -i vlan170 -ss |wc -l
> 1172

So -i only works in combination with -s? If so, I think it should be mentioned in the man page.

> In this case, only show states bound to the vlan170 interface.
>
> > My problem: I want to load a different ruleset for each interface
> > ( jails ) and not care about what's in the ruleset as long as it doesn't
> > affect anything outside the jail ( which is bound to a specific ip on a
> > seperate interface )
>
> You probably want to look into anchors.

While I can use an anchor to limit to the interface, it's a rather ugly hack. Care to show an elegant solution for how to anchor an unspecified number of user rules?

I could just as well pass over the supplied ruleset with a perl script that skips any rules not starting with pass/block in/out on jail_interface.

A pfctl -i & -f combo would've been great for this purpose.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 16 00:07:18 2007
From: Tom Judge <tom@tomjudge.com>
Date: Thu, 16 Aug 2007 02:09:52 +0100
To: Toomas Pelberg <toomas@detalem.cq.hk>
Cc: freebsd-pf@freebsd.org
Message-ID: <46C3A3E0.7090601@tomjudge.com>
In-Reply-To: <1187142514.64859.55.camel@detalem.kicks-ass.net>
Subject: Re: pfctl -i

Toomas Pelberg wrote:
> On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
>> On 8/14/07, Toomas Pelberg wrote:
>>> pfctl man page says:
>>>
>>> -i interface
>>> Restrict the operation to the given interface.
>>>
>>> ..what exactly is meant under the word "operation" ?
>> This would be one of those things that is obvious once you've seen an example
>> and thought about it for a while.
>>
>> $sudo pfctl -si |grep -A1 State
>> State Table Total Rate
>> current entries 34056
>> $sudo pfctl -i vlan170 -ss |wc -l
>> 1172
>
> So -i only works in combination with -s ? If so, i think it should be
> mentioned in the man page.

I have not tested this, but what happens if you try to load the following rule set with pfctl -i lo1 -f rules:

    pass on lo0 all
    block on lo1 all

If the output of 'pfctl -srules' shows both rules, then the -i flag has no effect on the operation of the -f flag.

Tom

>
>> In this case, only show states bound to the vlan170 interface.
>>
>>> My problem: I want to load a different ruleset for each interface
>>> ( jails ) and not care about what's in the ruleset as long as it doesn't
>>> affect anything outside the jail ( which is bound to a specific ip on a
>>> seperate interface )
>> You probably want to look into anchors.
>
> While I can use an anchor to limit to the interface, it's an rather ugly
> hack.
> Care to show an elegant solution how to anchor unspecified number of
> user rules?
>
> I could just as well pass over the supplied ruleset with an perl script
> that skips
> any rules not starting with pass/block in/out on jail_interface.
>
> pfctl -i & -f combo would've been great for this purpose.
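An added example of the anchor approach Jon points to, not configuration from anyone in the thread. An anchor rule in the main ruleset takes the same interface restriction as any other filter rule, and pfctl -a loads a ruleset into that anchor without touching the main ruleset, so the jail's rules are evaluated only for packets that traverse the jail's interface, whatever the rules say: "block quick all" inside the anchor blocks only on lo1, and a rule inside it that names another interface never matches, because no packet from that interface enters the anchor. The interface name, the anchor name and the file names are assumptions. The one thing the anchor does not contain is quick itself: a quick rule inside an anchor ends evaluation for that packet, so host policy for the jail interface that the jail must not override is placed before the anchor and is marked quick.

```pf
# Added example (not from the thread): one anchor per jail, restricted to
# the jail's interface.  lo1, jail_www and the file names are assumptions.
jail_if = "lo1"

# Host rules; last matching rule wins unless a rule is quick.
block in on fxp0 all
pass on lo0 all
pass out on fxp0 all keep state

# Host policy for the jail interface that the jail must not override:
# quick, and placed before the anchor, so it is final before the jail's
# rules are consulted (the exposed port is an assumption).
block in quick on $jail_if proto tcp from any to any port 22

# Only packets traversing $jail_if are evaluated against this anchor.
# The jail's ruleset is loaded into it separately and may say anything:
#   "block quick all"     -> blocks only on $jail_if
#   "block on fxp0 all"   -> never matches; no fxp0 packet enters here
anchor "jail_www" on $jail_if

# Loading and inspecting the jail's rules without touching the main ruleset:
#   pfctl -a jail_www -f /etc/pf.jail_www.conf   # (re)load the jail ruleset
#   pfctl -a jail_www -sr                         # show only the jail's rules
#   pfctl -a jail_www -Fr                         # flush them
```

Reloading with pfctl -a jail_www -f replaces only that anchor's rules; pfctl -sr on the main ruleset shows the anchor line, and pfctl -a jail_www -sr shows what is inside it. For several jails, give each its own anchor and interface pair; the number of rules a jail loads into its anchor does not matter to the main ruleset.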