From owner-freebsd-pf@FreeBSD.ORG Mon Dec 1 11:07:00 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 1 Dec 2008 11:06:59 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/129060  pf    [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf    [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf    [pf] deadlock in pf
o kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/82271   pf    [pf] cbq scheduler cause bad latency

25 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 1 22:53:12 2008
From: Stanislav Sedov
To: david_5073@yahoo.com
Cc: freebsd-isp@freebsd.org, Marcello Barreto, freebsd-pf@freebsd.org
Date: Tue, 2 Dec 2008 01:23:50 +0300
Subject: Re: PF + ALTQ - Bandwidth per customer

On Sat, 29 Nov 2008 08:26:57 -0800 (PST)
David Roseman mentioned:

> It also has a traffic monitor that is indispensable in tracking down
> DOS attacks, worms and out of control servers. I'd pay $500. just for
> the monitor. I have a problem, I fire up the monitor and bingo, I find
> the problem. I think you can buy the lowest priced license and still
> use the monitor and gather statistics no matter how large your network
> is.

How does this traffic monitor differ from tcpdump? From pictures it looks
like just a web-interface for tcpdump and nothing more...

--
Stanislav Sedov
ST4096-RIPE
From owner-freebsd-pf@FreeBSD.ORG Mon Dec 1 23:35:49 2008
From: "Sam Fourman Jr."
To: david_5073@yahoo.com
Cc: freebsd-isp@freebsd.org, Marcello Barreto, freebsd-pf@freebsd.org
Date: Mon, 1 Dec 2008 17:08:40 -0600
Subject: Re: PF + ALTQ - Bandwidth per customer

> You should consider a commercial product rather than relying on
> old and somewhat unreliable technology. We've been able to squeeze a
> lot more customers onto our network for a $3500. investment. It paid for
> itself in 2 months. We have a dual-core 2.33Ghz system passing 95Mb/s
> with 12000 rules in place and it runs at about 10%. The latest version is
> truly amazing.

So I would like to hear some ideas on how we could use FreeBSD or any other
BSD to limit bandwidth per customer (say one customer (with root access) per
server).

I attended BSDCan 2008 in Canada this May, and I asked a few of the pfSense
developers this exact question; it was met with limited feedback.

I guess what I would like to know is: what is the limitation of what we can
achieve with FreeBSD? Would it be appropriate, given the topic, to cross-post
this to misc@openbsd.org?

Sam Fourman Jr.
Fourman Networks
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 00:22:52 2008
From: "Scott Ullrich"
To: "Sam Fourman Jr."
Cc: freebsd-isp@freebsd.org, david_5073@yahoo.com, Marcello Barreto, freebsd-pf@freebsd.org
Date: Mon, 1 Dec 2008 18:54:37 -0500
Subject: Re: PF + ALTQ - Bandwidth per customer

On Mon, Dec 1, 2008 at 6:08 PM, Sam Fourman Jr. wrote:
>> You should consider a commercial product rather than relying on
>> old and somewhat unreliable technology. We've been able to squeeze a
>> lot more customers onto our network for a $3500. investment. It paid for
>> itself in 2 months. We have a dual-core 2.33Ghz system passing 95Mb/s
>> with 12000 rules in place and it runs at about 10%. The latest version is
>> truly amazing.
>
> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
> to limit bandwidth per customer( say one customer (with root access)
> per server )
>
> I attended BSDCan 2008 in Canada this May, and I asked a few of the
> pfSense developers this exact question
> it was met with limited feedback.

There was not much to report at that point. However, pfSense 2.0 has per
user bandwidth ported from DragonFlyBSD.

If you would like to test the patch, it is located here:
http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain

Scott
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 07:56:38 2008
From: Peter Jeremy
To: "Sam Fourman Jr."
Cc: freebsd-isp@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 2 Dec 2008 18:56:34 +1100
Subject: Re: PF + ALTQ - Bandwidth per customer

On 2008-Dec-01 17:08:40 -0600, "Sam Fourman Jr." wrote:
> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
> to limit bandwidth per customer( say one customer (with root access)
> per server )

That description sounds like it simplifies to "limit bandwidth based on
IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.

ipfw+dummynet can also filter on uid/gid but I believe there are some
race conditions in that code

--
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 09:12:33 2008
From: Andrei Kolu
To: Peter Jeremy, freebsd-pf@freebsd.org, freebsd-isp@freebsd.org
Date: Tue, 02 Dec 2008 10:42:27 +0200
Subject: Re: PF + ALTQ - Bandwidth per customer

Peter Jeremy wrote:
> On 2008-Dec-01 17:08:40 -0600, "Sam Fourman Jr." wrote:
>
>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>> to limit bandwidth per customer( say one customer (with root access)
>> per server )
>>
>
> That description sounds like it simplifies to "limit bandwidth based on
> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>

ipfw+dummynet is a really ugly traffic "shaper" (let's face it, there is no
shaping going on), because instead of limiting bandwidth it will drop
packets to simulate a bad connection. I have heard for many years about a
"trivial" per-user bandwidth limit configuration with pf+altq but never saw
ANY code... You can't set a bandwidth limit with PF like 3Mbit per 100
clients if your LAN card is 100Mbit. This is just lame - in reality clients
never use all the bandwidth, and not all clients are connected all the time.
Even Linux ipfilter has done it for years with an insanely cryptic command
line, but it just works.

> ipfw+dummynet can also filter on uid/gid but I believe there are some
> race conditions in that code
>
>
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 09:22:13 2008
From: Peter Jeremy
To: Andrei Kolu
Cc: freebsd-isp@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 2 Dec 2008 20:22:04 +1100
Subject: Re: PF + ALTQ - Bandwidth per customer

On 2008-Dec-02 10:42:27 +0200, Andrei Kolu wrote:
>> That description sounds like it simplifies to "limit bandwidth based on
>> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>>
> ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
> shaping going on), because instead of limiting bandwidth it will drop
> packets to simulate bad connection.

I've been using ipfw+dummynet for traffic shaping for 7 or 8 years
without problems (and have recently moved to pf+dummynet). I don't
understand your comment about limiting bandwidth: An incoming packet
is put on a queue that is emptied at no more than the (simulated)
available outbound bandwidth. If the queue is full then incoming
packets will be dropped. This is the same behaviour as any other
router (or switch).

What do you want/expect?

> I hear many years about "trivial"
> configuration per user bandwidth limit with pf+altq but never saw ANY
> code...

Note that I never mentioned per-user bandwidth with pf+altq - though
it looks possible. There are some trivial traffic-shaping examples in
pf.conf(5) but I will admit that I've never tried to actually use altq
- I use dummynet because I need functionality that isn't present in
altq.

--
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 10:30:26 2008
From: Alexander Shevchenko
Date: Tue, 2 Dec 2008 13:03:43 +0300
Subject: RE: PF + ALTQ - Bandwidth per customer

Using ipfw+dummynet you could easily limit bandwidth per ip:

$IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
$IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
$IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
$IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out

Using pf+altq you could easily limit bandwidth for all clients:

altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
queue powernet_local bandwidth 95% cbq(default)
queue powernet_inet bandwidth 40Mb
pass out on $int_if from to queue powernet_local
pass out on $int_if from ! to queue powernet_inet

But you could not limit bandwidth per ip using PF.

Ryan McBride wrote in bit.listserv.openbsd-pf
(http://groups.google.com/group/bit.listserv.openbsd-pf/msg/512d1eba9683cea6?hl=ru&dmode=source):

> P.S. By the way, no chance to shaping like ipfw(dummynet), by getting
> mask for all ip addresses? It's the last reason to stay with ipfw:

No, there is nothing like this in PF right now.
It's on my list of things to look at, but that list grows faster than I
can get things done...

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Andrei Kolu
Sent: Tuesday, December 02, 2008 11:42 AM
To: Peter Jeremy; freebsd-pf@freebsd.org; freebsd-isp@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
shaping going on), because instead of limiting bandwidth it will drop
packets to simulate bad connection. I hear many years about "trivial"
configuration per user bandwidth limit with pf+altq but never saw ANY
code... You can't set bandwidth limit with PF like 3Mbit per 100 clients
if your lan card is 100Mbit. This is just lame- in reality clients never
use all bandwidth and never all clients are connected all the time. Even
Linux ipfilter does it for years with insane cryptic commandline but it
just works.
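The 0x000003ff in the dummynet rules posted by Alexander Shevchenko above is not magic: it is the host-bit mask of a /22 (10 host bits, 2^10 - 1), and dummynet keys its dynamic pipes on the masked address, so every customer address gets its own 50 KByte/s pipe. The script below is an added example, not code from the thread; host_mask and dummynet_rules are hypothetical helper names, and it only prints the ipfw commands for a given subnet rather than loading them.

```shell
#!/bin/sh
# Added example (not from the thread): derive the dummynet per-address
# mask from a CIDR prefix length and emit the ipfw+dummynet rule set
# posted above for an arbitrary subnet.  dummynet creates one dynamic
# pipe per distinct masked address, so the mask must cover exactly the
# host bits of the customer subnet.

# host_mask PREFIXLEN
#   Prints the 32-bit host-bit mask as 8 hex digits, e.g.
#   /22 -> 0x000003ff (the value used in the posted rules).
host_mask() {
    prefix=$1
    case $prefix in
        ''|*[!0-9]*) return 1 ;;           # not a number
    esac
    [ "$prefix" -le 32 ] || return 1
    hostbits=$((32 - prefix))
    printf '0x%08x\n' $(( (1 << hostbits) - 1 ))
}

# dummynet_rules CIDR IFACE RATE
#   Prints the four ipfw commands: two pipes (one per direction) keyed on
#   the customer address, and the two rules feeding traffic into them.
#   Pipe numbers 4 and 7 are kept from the posted rules.
dummynet_rules() {
    cidr=$1; iface=$2; rate=$3
    net=${cidr%/*}; prefix=${cidr#*/}
    [ "$net" != "$cidr" ] || return 1      # no "/" in the argument
    mask=$(host_mask "$prefix") || return 1
    cat <<EOF
ipfw pipe 4 config bw $rate mask dst-ip $mask
ipfw pipe 7 config bw $rate mask src-ip $mask
ipfw add pipe 4 ip from any to $net/$prefix via $iface in
ipfw add pipe 7 ip from $net/$prefix to any via $iface out
EOF
}

# Reproduce the posted rule set: 172.16.16.0/22 on fxp0 at 50 KByte/s.
dummynet_rules 172.16.16.0/22 fxp0 50KByte/s
```

Because the mask is applied to every address in the subnet, the rate is a per-host ceiling, which is exactly what the thread asks for and what a single pf+altq queue cannot express.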
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 13:13:47 2008
From: eculp
To: freebsd-isp@freebsd.org
Cc: freebsd-pf
Date: Tue, 02 Dec 2008 07:03:43 -0600
Subject: Re: PF + ALTQ - Bandwidth per customer

Quoting Peter Jeremy:
> On 2008-Dec-02 10:42:27 +0200, Andrei Kolu wrote:
>>> That description sounds like it simplifies to "limit bandwidth based on
>>> IP address" - which is fairly trivial for ipfw+dummynet or pf+altq.
>>>
>> ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
>> shaping going on), because instead of limiting bandwidth it will drop
>> packets to simulate bad connection.
>
> I've been using ipfw+dummynet for traffic shaping for 7 or 8 years
> without problems (and have recently moved to pf+dummynet). I don't
> understand your comment about limiting bandwidth: An incoming packet
> is put on a queue that is emptied at no more than the (simulated)
> available outbound bandwidth. If the queue is full then incoming
> packets will be dropped. This is the same behaviour as any other
> router (or switch).
>
> What do you want/expect?
>
>> I hear many years about "trivial"
>> configuration per user bandwidth limit with pf+altq but never saw ANY
>> code...
>
> Note that I never mentioned per-user bandwidth with pf+altq - though
> it looks possible. There are some trivial traffic-shaping examples in
> pf.conf(5) but I will admit that I've never tried to actually use altq
> - I use dummynet because I need functionality that isn't present in
> altq.

I had forgotten that dummynet can be used with pf. Maybe I should start
this with a new subject, but it is directly related in that I need
bandwidth control again, which I don't have since changing to pf.

o- What needs to be patched/done to make them work together on Current
   and Releng?

o- Are you happier with the combination of dummynet with pf than with
   IPFW? DummyNet was one of the reasons that I was slow to leave IPFW.

Thanks, and I am really not trying to hijack this thread; I'd be glad to
start a new one.
ed From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 16:38:22 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9AF111065673 for ; Tue, 2 Dec 2008 16:38:22 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id 6CD308FC0C for ; Tue, 2 Dec 2008 16:38:22 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [69.69.69.183] ([69.70.93.206]) by VL-MO-MR005.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KB900DDWCUKAX90@VL-MO-MR005.ip.videotron.ca> for freebsd-pf@freebsd.org; Tue, 02 Dec 2008 11:37:32 -0500 (EST) Message-id: <493564BD.9020100@optiksecurite.com> Date: Tue, 02 Dec 2008 11:39:25 -0500 From: FreeBSD User-Agent: Thunderbird 2.0.0.18 (Windows/20081105) To: freebsd-pf@freebsd.org Subject: BAD state using PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2008 16:38:22 -0000 Hi everyone, I know this has been discussed earlier, but I'm not sure that the ephemeral port reuse is really my problem and if it is, I not sure what to do. There is my situation: I'm running FreeBSD 7.0-REL on a server running a jail to isolate MySQL. The jail is bind to 127.0.0.40 and I use RDR in pf.conf to redirect the traffic directed to port 3306 in the jail. This works great excepted that I got random "Can't connect to MySQL" when another jail (127.0.0.20) or when another server tries to connect to MySQL. 
I noticed that the State Mismatch counter of pfctl -vsi is increasing, so I
enabled misc debugging (pfctl -xm). Here is a snip of what I got in
/var/log/messages:

  Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
  Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
  Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
  Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd

So my question is: how can I be sure that the problem is due to the port
reuse? If so, what am I supposed to do to deal with this? Would the best
solution be to decrease the tcp.closed timeout?

Thanks everyone for your help!
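A way to answer the "how can I be sure it is port reuse" question from the log itself, as an added example that is not part of Martin's mail or any reply: it parses "pf: BAD state" lines, decodes the src:dst state numbers with the values from <netinet/tcp_fsm.h> (9 is FIN_WAIT_2), and flags a bare SYN hitting a 9:9 entry as the reuse signature. The sample log is constructed from Martin's lines plus one invented "4:4 A" line and one invented unrelated line.

```python
"""Classify pf "BAD state" log lines to confirm ephemeral port reuse.

Added example for the "BAD state using PF" mail above, not code from any of
the messages. The sample log is constructed from the lines Martin posted,
plus one made-up "4:4 A" line to show a mismatch that is not port reuse.
"""
import re
from collections import Counter, defaultdict

# TCP state numbers as pf prints them ("9:9" is src:dst), per <netinet/tcp_fsm.h>.
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}
FIN_WAIT_2 = 9

# syslog prefix, then pf's dump: lan gwy ext [src window] [dst window]
# srcstate:dststate flags seq=N (N) ack=N len=N ackskew=N pkts=a:b dir=x,y
# IPv4 only; the trailing fields are optional because syslog lines get truncated.
BAD_STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: pf: BAD state: "
    r"(?P<proto>\w+) (?P<src>[\d.]+:\d+) (?P<gwy>[\d.]+:\d+) (?P<dst>[\d.]+:\d+) "
    r"\[(?P<swin>[^\]]*)\] \[(?P<dwin>[^\]]*)\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) \((?P<seqlo>\d+)\)"
    r"(?: ack=(?P<ack>\d+))?(?: len=(?P<len>\d+))?(?: ackskew=(?P<ackskew>-?\d+))?"
    r"(?: pkts=(?P<pin>\d+):(?P<pout>\d+))?(?: dir=(?P<dir>\S+))?")

# Constructed sample: Martin's four lines (the second truncated, as posted),
# one invented ESTABLISHED-state mismatch and one invented unrelated line.
SAMPLE_LOG = """\
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec  2 11:18:01 martin kernel: pf: BAD state: TCP 127.0.0.20:60001 127.0.0.20:60001 127.0.0.40:3306 [lo=1 high=65535 win=8960 modulator=0 wscale=3] [lo=1 high=65535 win=8960 modulator=0 wscale=3] 4:4 A seq=999999 (999999) ack=5 len=0 ackskew=0 pkts=2:1 dir=out,fwd
Dec  2 11:18:02 martin kernel: (constructed) unrelated kernel message
"""


def parse_bad_state(line):
    """Return the fields of one "pf: BAD state" line, or None for any other line."""
    m = BAD_STATE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sstate"], rec["dstate"] = int(rec["sstate"]), int(rec["dstate"])
    rec["pin"] = int(rec["pin"]) if rec["pin"] is not None else None
    rec["pout"] = int(rec["pout"]) if rec["pout"] is not None else None
    return rec


def classify(rec):
    """Name the mismatch pattern of one parsed record.

    A bare SYN ("S" without "A") hitting an entry whose two sides are both at
    FIN_WAIT_2 or later is the ephemeral port reuse signature: the client
    recycled a source port while pf still held the finished connection's entry
    (the entries the tcp.closed timeout governs). The pkts counter on such a
    line belongs to that old connection, so dozens of packets on a "SYN"
    confirm the entry is not a fresh state.
    """
    both_closed = rec["sstate"] >= FIN_WAIT_2 and rec["dstate"] >= FIN_WAIT_2
    if both_closed and "S" in rec["flags"] and "A" not in rec["flags"]:
        return "port-reuse"
    if both_closed:
        return "late-packet-on-closed-state"   # FIN/RST trailing a rejected SYN
    return "other-mismatch"                     # window/sequence trouble, not reuse


def summarize(lines):
    """Parse an iterable of syslog lines; group by (src, dst) and count patterns."""
    kinds = Counter()
    tuples = defaultdict(list)
    for line in lines:
        rec = parse_bad_state(line)
        if rec is None:
            continue
        kind = classify(rec)
        kinds[kind] += 1
        tuples[(rec["src"], rec["dst"])].append(
            (rec["ts"], rec["flags"], rec["sstate"], rec["dstate"], kind))
    return {"kinds": dict(kinds), "tuples": dict(tuples)}


def report(summary):
    """One text line per 4-tuple plus totals, suitable for a periodic log check."""
    out = []
    for (src, dst), events in sorted(summary["tuples"].items()):
        detail = "; ".join(
            f"{ts} {flags} {TCP_STATES.get(ss, ss)}:{TCP_STATES.get(ds, ds)} -> {kind}"
            for ts, flags, ss, ds, kind in events)
        out.append(f"{src} -> {dst}: {detail}")
    out.append("totals: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["kinds"].items())))
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

Run it against a real /var/log/messages to see whether every mismatch is a SYN on a 9:9 entry; if so, the port reuse explanation holds and the tcp.closed timeout is the knob Martin mentions.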
Martin

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 17:40:30 2008
From: "Sam Fourman Jr." <sfourman@gmail.com>
Date: Tue, 2 Dec 2008 11:40:28 -0600
To: eculp
Cc: freebsd-isp@freebsd.org, freebsd-pf
Subject: Re: PF + ALTQ - Bandwidth per customer

> I had forgotten that dummynet can be used with pf. Maybe I should start this
> with a new subject but it is directly related in that I need bandwidth
> control again that I don't have since changing to pf.
>
> o- What needs to be patched/done to make them work together
> on Current and Releng?
> o- Are you happier with the combination of dummynet with pf
> than with IPFW?
>
> DummyNet was one of the reasons that I was slow to leave IPFW.
>
> Thanks and I am really not trying to hijack this thread, be glad to start a
> new one.

so you actually can use DummyNet w/ pf to limit bandwidth per ip?

is there any way to say.. ip address x must be used with MAC Address y
then follow the per ip bandwidth limit
if not then drop all traffic in and out?

Sam Fourman Jr.
Fourman Networks

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 18:08:49 2008
From: "Sam Fourman Jr." <sfourman@gmail.com>
Date: Tue, 2 Dec 2008 12:08:47 -0600
To: kstalledo@binarysalad.com
Cc: freebsd-isp@freebsd.org, freebsd-pf
Subject: Re: PF + ALTQ - Bandwidth per customer

On Tue, Dec 2, 2008 at 11:52 AM, Kahlil Erwin Talledo wrote:
> Sam Fourman Jr. wrote:
>>> I had forgotten that dummynet can be used with pf. Maybe I should start this
>>> with a new subject but it is directly related in that I need bandwidth
>>> control again that I don't have since changing to pf.
>>>
>>> o- What needs to be patched/done to make them work together
>>> on Current and Releng?
>>> o- Are you happier with the combination of dummynet with pf
>>> than with IPFW?
>>>
>>> DummyNet was one of the reasons that I was slow to leave IPFW.
>>>
>>> Thanks and I am really not trying to hijack this thread, be glad to start a
>>> new one.
>>
>> so you actually can use DummyNet w/ pf to limit bandwidth per ip?
>>
>> is there any way to say.. ip address x must be used with MAC Address y
>> then follow the per ip bandwidth limit
>> if not then drop all traffic in and out?
>
> you have to remember that mac is layer two and it can be easily spoofed.
> so doing it that way might not be the best thing to do. that's just
> my two cents though.

you are absolutely right, after thinking about it a bit more, the right idea
would be to somehow limit bandwidth per ip or group of ip's (several bound to
the same interface)

any ideas?

Sam Fourman Jr.
Fourman Networks

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 19:03:12 2008
From: Kahlil Erwin Talledo <kstalledo@binarysalad.com>
Organization: Binary Salad Solutions
Date: Tue, 02 Dec 2008 13:52:55 -0400
To: "Sam Fourman Jr."
Cc: freebsd-isp@freebsd.org, freebsd-pf
Subject: Re: PF + ALTQ - Bandwidth per customer

Sam Fourman Jr. wrote:
>> I had forgotten that dummynet can be used with pf. Maybe I should start this
>> with a new subject but it is directly related in that I need bandwidth
>> control again that I don't have since changing to pf.
>>
>> o- What needs to be patched/done to make them work together
>> on Current and Releng?
>> o- Are you happier with the combination of dummynet with pf
>> than with IPFW?
>>
>> DummyNet was one of the reasons that I was slow to leave IPFW.
>>
>> Thanks and I am really not trying to hijack this thread, be glad to start a
>> new one.
>
> so you actually can use DummyNet w/ pf to limit bandwidth per ip?
>
> is there any way to say..
> ip address x must be used with MAC Address y
> then follow the per ip bandwidth limit
> if not then drop all traffic in and out?

you have to remember that mac is layer two and it can be easily spoofed.
so doing it that way might not be the best thing to do. that's just my two
cents though.

> Sam Fourman Jr.
> Fourman Networks
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 3 07:46:09 2008
Date: Wed, 03 Dec 2008 15:27:22 +0800
From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
To: Александр Шевченко
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer

Александр Шевченко wrote:
> Using ipfw+dummynet you could easily limit bandwidth per ip:
>
> $IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
> $IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
> $IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
> $IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out
>
>
> Using pf+altq you could easily limit bandwidth for all clients:
>
> altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
> queue powernet_local bandwidth 95% cbq(default)
> queue powernet_inet bandwidth 40Mb
>
> pass out on $int_if from to queue powernet_local
> pass out on $int_if from ! to queue powernet_inet
>
> But you could not limit bandwidth per ip using PF.
>

why not? you create pf+altq equivalent rules for ipfw+dummynet rules.
you may look at policy based filtering if needed. you just have to play
with "tag" and "tagged" directives.

> Ryan McBride wrote in bit.listserv.openbsd-pf
> (http://groups.google.com/group/bit.listserv.openbsd-pf/msg/512d1eba9683cea6?hl=ru&dmode=source)
>
>
>> P.S. By the way, no chance to shaping like ipfw(dummynet), by getting
>> mask for all ip addresses?
>> It's the last reason to stay with ipfw:
>>
>
> No, there is nothing like this in PF right now. It's on my list of
> things to look at, but that list grows faster than I can get things
> done...
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
> Behalf Of Andrei Kolu
> Sent: Tuesday, December 02, 2008 11:42 AM
> To: Peter Jeremy; freebsd-pf@freebsd.org; freebsd-isp@freebsd.org
> Subject: Re: PF + ALTQ - Bandwidth per customer
>
> ipfw+dummynet is really ugly traffic "shaper" (let's face it there is no
> shaping going on), because instead of limiting bandwidth it will drop
> packets to simulate bad connection. I hear many years about "trivial"
> configuration per user bandwidth limit with pf+altq but never saw ANY
> code... You can't set bandwidth limit with PF like 3Mbit per 100 clients
> if your lan card is 100Mbit. This is just lame- in reality clients never
> use all bandwidth and never all clients are connected all the time. Even
> Linux ipfilter does it for years with insane cryptic commandline but it
> just works.
>

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 3 13:19:43 2008
Date: Wed, 03 Dec 2008 07:19:40 -0600
From: eculp <eculp@encontacto.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF + ALTQ - Bandwidth per customer
Quoting "Ronnel P. Maglasang":
> Александр Шевченко wrote:
>> Using ipfw+dummynet you could easily limit bandwidth per ip:
>>
>> $IPFW pipe 4 config bw 50KByte/s mask dst-ip 0x000003ff
>> $IPFW pipe 7 config bw 50KByte/s mask src-ip 0x000003ff
>> $IPFW add pipe 4 ip from any to 172.16.16.0/22 via fxp0 in
>> $IPFW add pipe 7 ip from 172.16.16.0/22 to any via fxp0 out
>>
>>
>> Using pf+altq you could easily limit bandwidth for all clients:
>>
>> altq on $int_if cbq bandwidth 1000Mb queue { powernet_local, powernet_inet }
>> queue powernet_local bandwidth 95% cbq(default)
>> queue powernet_inet bandwidth 40Mb
>>
>> pass out on $int_if from to queue powernet_local
>> pass out on $int_if from ! to queue powernet_inet
>>
>> But you could not limit bandwidth per ip using PF.
>>
>>
> why not? you create pf+altq equivalent rules for ipfw+dummynet rules.
> you may look at policy based filtering if needed. you just have to play
> with "tag" and "tagged" directives.

I don't remember why, but for some reason I have the idea that pf+altq is not
bidirectional. Am I mistaken?

Thanks,

ed

>
>> Ryan McBride wrote in bit.listserv.openbsd-pf
>> (http://groups.google.com/group/bit.listserv.openbsd-pf/msg/512d1eba9683cea6?hl=ru&dmode=source)
>>
>>
>>> P.S. By the way, no chance to shaping like ipfw(dummynet), by getting
>>> mask for all ip addresses? It's the last reason to stay with ipfw:
>>>
>>
>> No, there is nothing like this in PF right now. It's on my list of
>> things to look at, but that list grows faster than I can get things
>> done...
>> -----Original Message-----
>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
>> Behalf Of Andrei Kolu
>> Sent: Tuesday, December 02, 2008 11:42 AM
>> To: Peter Jeremy; freebsd-pf@freebsd.org; freebsd-isp@freebsd.org
>> Subject: Re: PF + ALTQ - Bandwidth per customer
>>
>> ipfw+dummynet is really ugly traffic "shaper" (let's face it there
>> is no shaping going on), because instead of limiting bandwidth it
>> will drop packets to simulate bad connection. I hear many years
>> about "trivial" configuration per user bandwidth limit with pf+altq
>> but never saw ANY code... You can't set bandwidth limit with PF
>> like 3Mbit per 100 clients if your lan card is 100Mbit. This is
>> just lame- in reality clients never use all bandwidth and never all
>> clients are connected all the time. Even Linux ipfilter does it for
>> years with insane cryptic commandline but it just works.
>>

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 3 20:03:00 2008
Date: Wed, 3 Dec 2008 19:33:34 +0000
From: "Alessandro Silveira" <alessandro.dev@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Optimize HFSC

Hi,

I have a storage server with high input traffic on the network, at address
192.168.16.8, and a playout at address 192.168.16.50.

I am using Packet Filter to ensure low delay in video streams over Samba,
using realtime, but I get poor results. Does someone know a better AltQ/PF
configuration for streams?
My Altq configuration:

queue root_em0 bandwidth 1Gb priority 1 qlimit 100 {SYSTEM_QUEUE}
queue SYSTEM_QUEUE bandwidth 1Gb qlimit 100 {AVNQOS1, SYSYTEM_DEFAULT}
queue AVNQOS1 bandwidth 100Mb priority 7 qlimit 10000 hfsc( ecn realtime 100Mb upperlimit 100Mb )

But in realtime m1 is 100Mb, m2 is 50MB and d is 18.

My rule configuration:

pass out on em0 inet proto tcp from 192.168.16.8 to 192.168.16.50 tos 0x10 queue AVNQOS1

Thanks.

P.S. Sorry for my bad English.

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 3 23:19:23 2008
Date: Thu, 4 Dec 2008 00:19:21 +0100
From: "Ermal Luçi" <ermal.luci@gmail.com>
To: "Alessandro Silveira"
Cc: freebsd-pf@freebsd.org
Subject: Re: Optimize HFSC

On Wed, Dec 3, 2008 at 8:33 PM, Alessandro Silveira wrote:
> Hi,
>
> I have a Storage with high input traffic in a network, in add
> 192.168.16.8, and a playout in add 192.168.16.50.
>
> I am using Packet Filter for to ensure low delay in streams of video
> with samba, using real time, but I get poor results,
> someone know a best AltQ/PF configuration for streams.
>
> My Altq configuration:
>
> queue root_em0 bandwidth 1Gb priority 1 qlimit 100 {SYSTEM_QUEUE}
> queue SYSTEM_QUEUE bandwidth 1Gb qlimit 100 {AVNQOS1, SYSYTEM_DEFAULT}
> queue AVNQOS1 bandwidth 100Mb priority 7 qlimit 10000 hfsc( ecn
> realtime 100Mb upperlimit 100Mb )
>
> But in Realtime m1 is 100Mb, m2 is 50MB and d is 18.
>
> My Rule configuration:
>
> pass out on em0 inet proto tcp from 192.168.16.8 to 192.168.16.50 tos
> 0x10 queue AVNQOS1
>
> Thanks.
>

I understand it this way:
http://forum.pfsense.org/index.php/topic,11986.0.html

Just consider that that post considers a patched pfctl to allow m1 smaller
than m2.
Reports say that it actually improves performance and it was the way the
initial HFSC implementation worked.

> P.S. Sorry for my bad English.

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 4 15:24:12 2008
Date: Thu, 04 Dec 2008 18:24:23 +0300
From: Vladimir Ermakov <samflanker@gmail.com>
To: freebsd-stable@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE

problem is fixed in OpenBSD 4.4
http://www.openbsd.org/plus44.html

/Vladimir Ermakov

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 4 15:47:16 2008
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 4 Dec 2008 16:47:13 +0100
<4937F627.8080602@gmail.com> In-Reply-To: <4937F627.8080602@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200812041647.14049.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+llC/lA15RnuhVSl0UKZBYwQ4jM9uLOOiYrWa HUKwL0m24ECVcpzA0MsdF7AZ3mAsv7eGUCSxdtRHR6gFmf95Fm 46n+9yFIjDmYPj+qkTkyA== Cc: freebsd-stable@freebsd.org, Vladimir Ermakov Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2008 15:47:16 -0000 On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote: > problem is fixed in OpenBSD 4.4 > http://www.openbsd.org/plus44.html The bug this note refers to was introduced after OpenBSD 4.1 (our last import) and should not be present in the FreeBSD code. I'll double check in a bit to make sure synproxy is working, but I don't think it was broken after my last import ... do you have a particular test case that I could reproduce? 
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 4 16:49:51 2008
From: "Nenhum_de_Nos"
Date: Thu, 4 Dec 2008 14:18:16 -0200 (BRST)
To: freebsd-pf@freebsd.org
Subject: issue with hfsc
Message-ID: <1faecc59f0d150fd76b4c92c6043aaf8.squirrel@cygnus.homeunix.com>

hail,

I have 7-STABLE running as a router, and now I found to have this issue:

altq on $ext_if bandwidth 310Kb hfsc queue { ack_dns, ack_ssh, ack_msn, ack_http, ack_http2, ack_bolo, ack_jogos }
queue ack_dns   bandwidth 7%  priority 7 qlimit 500 hfsc (realtime 5%)
queue ack_ssh   bandwidth 10% priority 6 qlimit 500 hfsc (realtime 20%) { ssh_bulk, ssh_login }
queue ack_jogos bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20%)
queue ack_msn   bandwidth 10% priority 4 qlimit 500 hfsc (realtime 5%)
queue ack_http  bandwidth 35% priority 3 qlimit 500 hfsc (realtime 15%)
queue ack_http2 bandwidth 13% priority 6 qlimit 500 hfsc (realtime 10%)
# queue ack_bolo bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 10% default)
queue ack_bolo  bandwidth 1%  priority 1 qlimit 500 hfsc (realtime 1% default)

altq on $int_if bandwidth 100Mb hfsc queue { http, ssh, dns, msn, bolo, jogos, lan }
queue dns   bandwidth 70Kb  priority 7 qlimit 500 hfsc (realtime 50Kb)
queue ssh   bandwidth 100Kb priority 6 qlimit 500 hfsc (realtime 100Kb)
queue msn   bandwidth 50Kb  priority 5 qlimit 500 hfsc (realtime 50Kb)
queue jogos bandwidth 100Kb priority 4 qlimit 500 hfsc (realtime 100Kb)
queue http  bandwidth 500Kb priority 3 qlimit 500 hfsc (realtime 350Kb)
queue bolo  bandwidth 180Kb priority 2 qlimit 500 hfsc (realtime 50Kb default)

my problem is that http2 (and I assume the others also) just uses all upload when ack_bolo has upperlimit XX, not with realtime YY. this "bolo" rule is the bulk (as for calomel's pf howto) and this should be the least packets to go. http2 is for Folding@Home uploads, to be more than ack_bolo (p2p) and less than http. if I use upperlimit 10%, it works ok, but when not uploading from F@H, I lose bandwidth for p2p. if I put realtime 1%, it takes almost all bandwidth :(

if anyone has anything to help, thanks in advance,

matheus

-- 
We will call you cygnus,
The God of balance you shall be

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 4 17:28:37 2008
From: Max Laier
Date: Thu, 4 Dec 2008 18:28:33 +0100
To: freebsd-pf@freebsd.org
Cc: freebsd-stable@freebsd.org, Vladimir Ermakov
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE
Message-Id: <200812041828.34033.max@love2party.net>
In-Reply-To: <200812041647.14049.max@love2party.net>

On Thursday 04 December 2008 16:47:13 Max Laier wrote:
> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
> > problem is fixed in OpenBSD 4.4
> > http://www.openbsd.org/plus44.html
>
> The bug this note refers to was introduced after OpenBSD 4.1 (our last
> import) and should not be present in the FreeBSD code. I'll double check
> in a bit to make sure synproxy is working, but I don't think it was broken
> after my last import ... do you have a particular test case that I could
> reproduce?

Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But you need to be careful how you use it. If you - like the OP - intend to use it to protect a service running on the same box as your pf, you must make sure to "set skip on lo0" or it will not work. If you are protecting a box behind the pf box, there is no need for that.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 5 07:16:02 2008
From: Vladimir Ermakov
Date: Fri, 05 Dec 2008 10:16:16 +0300
To: Max Laier
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE
Message-ID: <4938D540.4080304@gmail.com>
In-Reply-To: <200812041828.34033.max@love2party.net>

Max Laier wrote:
> Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
> you need to be careful how you use it. If you - like the OP - intend to use
> it to protect a service running on the same box as your pf, you must make sure
> to "set skip on lo0" or it will not work. If you are protecting a box behind
> the pf box, there is no need for that.

Max, sorry for your time. Thanks, I solved the problem.
/Vladimir Ermakov

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 5 08:23:14 2008
From: Vladimir Ermakov
Date: Fri, 05 Dec 2008 11:23:28 +0300
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: synproxy state does not work on FreeBSD 7.1-PRERELEASE
Message-ID: <4938E500.9090805@gmail.com>
In-Reply-To: <200812041828.34033.max@love2party.net>

Max Laier wrote:
> On Thursday 04 December 2008 16:47:13 Max Laier wrote:
>> On Thursday 04 December 2008 16:24:23 Vladimir Ermakov wrote:
>>> problem is fixed in OpenBSD 4.4
>>> http://www.openbsd.org/plus44.html
>>
>> The bug this note refers to was introduced after OpenBSD 4.1 (our last
>> import) and should not be present in the FreeBSD code. I'll double check
>> in a bit to make sure synproxy is working, but I don't think it was broken
>> after my last import ... do you have a particular test case that I could
>> reproduce?
>
> Okay ... here is the story: First off, "synproxy state" is *NOT* broken! But
> you need to be careful how you use it. If you - like the OP - intend to use
> it to protect a service running on the same box as your pf, you must make sure
> to "set skip on lo0" or it will not work. If you are protecting a box behind
> the pf box, there is no need for that.

Can `synproxy state` work on the CARP interface?

/Vladimir Ermakov
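The loopback caveat Max Laier gives earlier in this thread, written out as a pf.conf fragment. This is an added example, not a configuration posted by anyone in the thread; the interface name em0 and the protected port 22 are assumptions.

```pf
# Added example (not from the thread): protecting a service that runs on
# the pf box itself with "synproxy state". em0 and port 22 are assumed.
ext_if = "em0"

# Per Max Laier's note above: when the synproxied service is local to the
# firewall, synproxy does not work unless pf is told to ignore lo0.
# A host behind the firewall does not need this line.
set skip on lo0

block in log on $ext_if

# pf answers the client's SYN itself and only opens the connection to the
# local daemon after the client has completed the handshake, so half-open
# connections from a SYN flood never reach the service's listen queue.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA synproxy state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the proxied states once a client connects.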