From owner-freebsd-pf@FreeBSD.ORG Sun May 17 01:07:31 2009
From: irix <irix@ukr.net>
To: freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 03:45:41 +0300
Message-ID: <1393808851.20090517034541@ukr.net>
Subject: altq
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello Freebsd-pf,

Sorry for my English.

The OpenBSD team is abandoning the altq project. Maybe the FreeBSD team will not do as the OpenBSD team did. The kernel has "options ALTQ_CDNR # Traffic conditioner", which may be used for simple ingress traffic shaping (like dummynet). Maybe you could add this function to pfctl so it can be used. Maybe after this the OpenBSD team will backport this function to base.

Also lacking in pf/altq are dynamic queues like in dummynet with dst-masks (src-masks), e.g.

    ipfw pipe 10 config mask dst-ip 0x000000ff bw 1024bit/s queue
    ipfw add pipe 10 tcp from any to 1.1.1.0/24 via fxp0

where one rule may create many dynamic queues for per-IP shaping of a subnet. This may be useful for many people, because pf is the most popular firewall.

Thank you.
--
Best regards,
irix                          mailto:irix@ukr.net

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 04:41:52 2009
From: Espartano <espartano.mail@gmail.com>
To: David Figuera
Cc: freebsd-pf@freebsd.org
Date: Sat, 16 May 2009 23:41:49 -0500
In-Reply-To: <4A0F20A8.6040200@gmail.com>
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com> <4A0F20A8.6040200@gmail.com>
Subject: Re: Question about numbers of connections

On Sat, May 16, 2009 at 3:23 PM, David Figuera wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Espartano wrote:
>> Ok, I think that I didn't explain it very well, I don't have any high
>> speed network, I only have used my Alix board at my house, but I
>> wondering how much work the Alix board could support, more
>> specifically I wonder if the Alix board could manage about 1 thousand
>> concurrent connections through a 100Mbps network making round-robin to
>> load balance and spread the connections between 3 or 4 servers, I
>> think that the Alix board could do it, It is only a hypothetical case
>> but I would like to know if I can trust on my Alix board to do this
>> kind of job or not.
>
> If you're thinking about buying an ALIX and you are not sure if it's going
> to do the trick, well, I'm not very sure, but I think it will work just fine.
>
> I have an ALIX 2C3 (Geode LX800 @500MHz) and would make some tests.
>
>
> PS: Are you subscribed to freebsd-es list as well? I think I've seen you there.

Yes, I'm already a subscriber to the freebsd-es list too :)

--
"Linux is for people who hate Windows, BSD is for people who love UNIX".
"Documentation is like sex: when it is good, it is very, very good; and
when it is bad, it is better than nothing."
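irix's opening message in this digest asks for dummynet-style dynamic per-IP queues (one ipfw pipe with a dst-ip mask creating a queue per host), which pf/altq does not offer. The closest static equivalent is to generate one child queue and one pass rule per host and let pfctl load the result. The POSIX sh script below is an added editor's example, not code from any message in this thread or from the FreeBSD project; the interface name fxp0, the 192.0.2 prefix and the bandwidth figures are constructed for illustration. It also checks the one constraint a generated queue set most often trips over: the child bandwidths plus the default queue must not exceed the parent, or pfctl refuses to load the ruleset.

```shell
#!/bin/sh
# Editor's example, not from the thread: emulate dummynet's dynamic
# "mask dst-ip 0x000000ff" pipes in pf/altq by generating one static HFSC
# child queue plus one pass rule per host of a /24. Interface, prefix and
# bandwidth values are constructed for illustration.

# to_bits: convert a pf bandwidth spec (b, Kb, Mb, Gb) to a plain bit count.
to_bits() {
    v=${1%b}
    case $v in
        *K) echo $(( ${v%K} * 1000 )) ;;
        *M) echo $(( ${v%M} * 1000000 )) ;;
        *G) echo $(( ${v%G} * 1000000000 )) ;;
        *)  echo "$v" ;;
    esac
}

# gen_pf_queues IFACE TOTAL_BW DEFAULT_BW PREFIX COUNT HOST_BW
# Prints a pf.conf fragment. Fails (exit 1, nothing printed) when the child
# bandwidths would exceed the parent, which pfctl rejects at load time.
gen_pf_queues() {
    ifc=$1; total=$2; defbw=$3; prefix=$4; count=$5; hostbw=$6
    need=$(( $(to_bits "$defbw") + count * $(to_bits "$hostbw") ))
    if [ "$need" -gt "$(to_bits "$total")" ]; then
        echo "gen_pf_queues: $count x $hostbw + $defbw exceeds $total" >&2
        return 1
    fi
    # Queue list for the parent altq declaration.
    list="std"
    i=1
    while [ "$i" -le "$count" ]; do
        list="$list, h$i"
        i=$(( i + 1 ))
    done
    printf 'altq on %s hfsc bandwidth %s queue { %s }\n' "$ifc" "$total" "$list"
    printf 'queue std bandwidth %s hfsc(default)\n' "$defbw"
    # One child queue per host; upperlimit is the hard per-host cap.
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'queue h%d bandwidth %s hfsc(upperlimit %s)\n' "$i" "$hostbw" "$hostbw"
        i=$(( i + 1 ))
    done
    # One pass rule per host, steering its traffic into its own queue.
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'pass out on %s inet proto tcp from any to %s.%d queue h%d\n' \
            "$ifc" "$prefix" "$i" "$i"
        i=$(( i + 1 ))
    done
}

# Run with --demo to print the fragment for three hosts of 192.0.2.0/24;
# "pfctl -nf file" then syntax-checks it without loading anything.
if [ "${1:-}" = "--demo" ]; then
    gen_pf_queues fxp0 10Mb 2Mb 192.0.2 3 64Kb
fi
```

The generated fragment is meant to be included in a full pf.conf (the parent altq line replaces any existing altq declaration for that interface). Unlike a dummynet dynamic pipe, every host gets a queue whether or not it ever sends traffic, so for a busy /24 the rule count and the bandwidth check above are the practical limits.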
From owner-freebsd-pf@FreeBSD.ORG Sun May 17 04:46:39 2009
From: Yuriy Grishin <grishin-mailing-lists@minselhoz.samara.ru>
To: Espartano
Cc: freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 09:12:09 +0500
Message-ID: <4A0F8E99.1080904@minselhoz.samara.ru>
References: <736c47cb0905131752s29a0198xea15a95df7d42e94@mail.gmail.com> <4A0B70D3.3080405@radel.com>
Subject: Re: Question about numbers of connections

Espartano wrote:
> On Wed, May 13, 2009 at 8:16 PM, Jon Radel wrote:
>
>> Sam Wun wrote:
>>
>>> Alix is for home user.
>>>
>>>
>> Which is just about as useful as the OP asking if the machine can handle "a
>> lot of traffic without troubles" without giving us any hint whether he means
>> traffic that keeps a 128 kbps DSL line semi-busy or if he has a 100 mbps
>> fiber to his house that's practically melting from all the traffic. :-)
>>
>> That said, I'll report that for years I used a "consumer class" Celeron
>> machine with 384 MB of RAM to act as a firewall for some web sites with a T1
>> (1.5 mbps) of traffic hitting it at times, and had no known issues. I've
>> upgraded a bit by now but mainly just because rather than to solve any
>> particular issue.
>>
>>
>
> Ok, I think that I didn't explain it very well, I don't have any high
> speed network, I only have used my Alix board at my house, but I
> wondering how much work the Alix board could support, more
> specifically I wonder if the Alix board could manage about 1 thousand
> concurrent connections through a 100Mbps network making round-robin to
> load balance and spread the connections between 3 or 4 servers, I
> think that the Alix board could do it, It is only a hypothetical case
> but I would like to know if I can trust on my Alix board to do this
> kind of job or not.
>
> On the other hand, what kind of embedded hardware do you recommend to
> manage this kind of jobs? Maybe the answer could be buying a real
> server and replacing the hard disk with a CF memory using NanoBSD + PF.
>
> Thanks a lot for your patience.
>
>

I have a Pentium III machine with 128 Mbytes SDRAM, two Realtek cards and FreeBSD 6.3. It serves 40 PPPoE users (RADIUS + MySQL + mpd). It is connected to a Wi-Max 2 Mbps link and does altq shaping (cbq). In addition spamd and pfstat run there (there is a bandwidth graph here: http 80.76.128.74). More than 500 Gbytes/month flow through this gateway. In general it works satisfactorily, but as you can see the uptime is not good. That is because it has no UPS (ungraceful reboots are frequent). It's a very stressful mode, and the hardware it runs on is used (I just took an old PC of my friend's). But it has worked for more than a year!

Another story: I built a BitTorrent downloader for my friend lately. It was a P-200MMX with two Intel cards and 96 Mbytes of RAM. I tested it in my LAN and it gave about 8 Mbps. So if you take a good hardware network card that performs most of the work by itself (not by the CPU via the driver), I suppose you can easily achieve 30-50 Mbps.

Also read this: http://www.openbsd.org/faq/pf/perf.html

--
Code cheap ($3 per an application)

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 17:57:02 2009
From: "Nenhum_de_Nos" <matheusber@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 14:32:14 -0300 (BRT)
Message-ID: <516ec81c51d6232dd6e1ae75e852c4e5.squirrel@cygnus.homeunix.com>
In-Reply-To: <1393808851.20090517034541@ukr.net>
References: <1393808851.20090517034541@ukr.net>
Subject: Re: altq

On Sat, May 16, 2009 21:45, irix wrote:
> Hello Freebsd-pf,
>
> Sorry for my english.
>
> OpenBSD team is abandon the altq project.

I just got curious about this: where did you hear that OpenBSD is abandoning altq?

thanks,

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
http://en.wikipedia.org/wiki/Posting_style

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 20:22:45 2009
From: Kevin Smith <repcsike@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 21:50:52 +0200
Subject: PF Nat Problem after PPP reconnection
Hello,

I have a weird problem I couldn't solve. I have had it since 7.0: after ppp reconnects to the ISP, weird stuff happens: packets don't come back, the connection to the ISP gets very slow, HTTP requests time out or load with items missing, or the connection gets reset, but only for the computers behind NAT. I'm using PF for filtering and for NAT too. I have a dynamic IP address from my ISP, but it's not forcing the reconnection every 24 hours (it happens once or twice a week).

I tried the following things:
- tweak the MTU from 1492 to 1452: no use.
- reload the whole pf config with pfctl -F all -f /etc/pf.conf: no use.
- look at netstat -m and -rn: all looks all right, memory is OK, routing looks OK, and I can initiate connections from the box.
- the tun0 interface looks all right: the IP address is OK, and the gateway is OK too.

Only rebooting the computer solves the problem after this! I tried pfctl -F nat and set up ipnat, and now NAT is working all right.

Here are the data and configs:

uname -a
FreeBSD homeserver.workgroup.local 7.1-RELEASE-p4 FreeBSD 7.1-RELEASE-p4 #1: Wed Apr 15 19:03:33 CEST 2009     repcsi@homeserver.workgroup.local:/usr/obj/usr/src/sys/REPCSI  i386

The kernel (/usr/src/sys/i386/conf/REPCSI) was built from the 7.1 GENERIC with these additions:

#PF
device          pf                      #PF OpenBSD packet-filter firewall
device          pflog                   #logging support interface for PF
device          pfsync                  #synchronization interface for PF
device          carp                    #Common Address Redundancy Protocol
#ALTQ
options         ALTQ
options         ALTQ_CBQ                # Class Based Queueing
options         ALTQ_RED                # Random Early Detection
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler
options         ALTQ_CDNR               # Traffic conditioner
options         ALTQ_PRIQ               # Priority Queueing
options         ALTQ_NOPCC              # Required for SMP build

/etc/rc.conf relevant sections:

ifconfig_nfe0="inet 172.20.0.1 netmask 255.255.255.0"
ifconfig_fxp0="MTU 1492 UP"
ifconfig_tun0="DHCP"
gateway_enable="YES"
ppp_enable="YES"
ppp_profile="dsl"
ppp_mode="ddial"
ppp_nat="NO"
ppp_user="root"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

/etc/ppp/ppp.conf

default:
 set log Phase Chat LCP IPCP CCP tun command
 # set log Phase tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set timeout 0
 set reconnect 5 999
 set device /dev/cuad1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route

dsl:
 set device PPPoE:fxp0
 set mtu max 1452
 set authname USERNAME
 set authkey PASSWORD
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0
 add default HISADDR
 nat enable no
 set cd off
 set crtscts off
 set redial 0 0
 enable lqr echo
 enable lcp
 enable dns

/etc/ppp/ppp.linkup

dsl:
 !bg sh -c "/sbin/pfctl -F all -f /etc/pf.conf"

/etc/ppp/ppp.linkdown (I had to set this up for testing, because a ppp restart couldn't destroy the tun0 interface and ppp used tun1 after that; however, at reconnect it destroys it and tells me this command is invalid):

dsl:
 !bg ifconfig tun0 destroy

/etc/pf.conf (I just added log for debugging, but without log the behaviour was the same)

ext_if = "tun0"
int_if = "nfe0"
ext_ad = "(tun0)"
prv_ads = "172.20.0.0/24"
nat_p = "{tcp, udp, icmp}"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ntp, 43 }"
udp_services = "{ domain, ntp }"
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, https, 446,
icmp_types = "{ echoreq, unreach }"
table persist
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
proxy="127.0.0.1"       # ftp proxy IP
proxyport="8021"        # ftp proxy port

scrub in all

altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

block in log all
pass out log on $ext_if proto tcp from any to any queue (q_def, q_pri)
pass in log on $ext_if proto tcp from any to any queue (q_def, q_pri)
block return log
pass out log keep state
anchor "ftp-proxy/*"
set skip on { lo0, $int_if }
block in log quick from urpf-failed
antispoof log for $ext_if
block drop in log (all) quick on $ext_if from { $martians, } to any
block drop out log (all) quick on $ext_if from any to $martians
pass out log on $ext_if proto tcp to any port $tcp_services
pass out log on $ext_if proto udp to any port $udp_services
pass out log on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass log inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto tcp from any to $ext_if port ssh keep state (max-src-conn 5, max-src-conn-rate 3/5, overload flush global)

Thanks for every reply :)

Best Regards,
Repcsi

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 20:59:51 2009
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 22:58:45 +0200
Message-Id: <200905172258.46521.max@love2party.net>
Subject: Re: PF Nat Problem after PPP reconnection

On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
> /etc/pf.conf - i just added log for debugging but without log the
> behaviour was the same
>
> ext_if = "tun0"
> int_if = "nfe0"
> ext_ad = "(tun0)"

change that to "(tun0:0)" - it's an FAQ, only we don't have a good place to document it.  Suggestions - once again welcome.
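The fix above replaces a bare dynamic-interface reference "(tun0)" with "(tun0:0)". In pf.conf(5) the ":0" modifier means "do not include interface aliases", so the nat target tracks only the primary address of tun0 rather than every address the interface carries; the PR Max cites (69954) records what goes wrong with the full list after a PPP reconnect. The POSIX sh script below is an added editor's example, not part of Max Laier's reply or of the thread: it lints a pf.conf for dynamic-interface references that lack the modifier and prints the corrected lines. The sample configuration embedded in it is constructed, modelled on the macros and nat rule posted above.

```shell
#!/bin/sh
# Editor's example, not from the thread: find nat/rdr rules and macros that
# use a dynamic interface as "(ifname)" or "($macro)" without the ":0"
# modifier, and rewrite them to "(ifname:0)" / "($macro:0)".

# Constructed sample, modelled on the pf.conf posted in this thread.
SAMPLE_PF_CONF='ext_if = "tun0"
int_if = "nfe0"
ext_ad = "(tun0)"
prv_ads = "172.20.0.0/24"
nat on $ext_if from $prv_ads to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 172.20.0.10
queue q_def priority 1 priq(default)
pass out on $ext_if proto tcp from any to any queue (q_def, q_pri)'

# A "(name)" or "($macro)" token not preceded by an identifier character.
# "(tun0:0)" contains a colon, "priq(default)" is preceded by a letter and
# "queue (q_def, q_pri)" contains a comma, so none of those match.
DYN_IF_RE='(^|[^A-Za-z0-9_])\(\$?[A-Za-z0-9_]+\)'

# find_dyn_if_without_alias_filter: print offending lines read from stdin.
find_dyn_if_without_alias_filter() {
    grep -E "$DYN_IF_RE"
}

# count_dyn_if_without_alias_filter: number of offending lines on stdin
# (grep -c prints 0 and exits 1 when nothing matches; keep the 0).
count_dyn_if_without_alias_filter() {
    grep -cE "$DYN_IF_RE" || true
}

# add_alias_filter: rewrite every bare dynamic-interface token on stdin.
# Idempotent: tokens that already carry ":0" no longer match the pattern.
add_alias_filter() {
    sed -E 's/(^|[^A-Za-z0-9_])\((\$?[A-Za-z0-9_]+)\)/\1(\2:0)/g'
}

# Demo: report the offending lines, then print the corrected ruleset.
if [ "${1:-}" = "--demo" ]; then
    echo "== lines without :0 =="
    printf '%s\n' "$SAMPLE_PF_CONF" | find_dyn_if_without_alias_filter
    echo "== corrected =="
    printf '%s\n' "$SAMPLE_PF_CONF" | add_alias_filter
fi
```

On a real box the corrected file should still go through "pfctl -nf /etc/pf.conf" before it is loaded; the script only touches the parenthesised interface tokens and leaves everything else in the ruleset alone.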
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 21:22:07 2009
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: Kevin Smith, freebsd-pf@freebsd.org
Date: Sun, 17 May 2009 23:21:03 +0200
Message-Id: <200905172321.03996.max@love2party.net>
References: <200905172258.46521.max@love2party.net>
Subject: Re: PF Nat Problem after PPP reconnection

On Sunday 17 May 2009 23:08:32 Kevin Smith wrote:
> You mean the ext_ad macro right ?
>
> What do you tell with that to pf, and why do I need it, can you tell me
> ? :)

http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

> Thank you!
>
> 2009/5/17 Max Laier
>
> > On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
> > > /etc/pf.conf - i just added log for debugging but without log the
> > > behaviour was the same
> > >
> > > ext_if = "tun0"
> > > int_if = "nfe0"
> > > ext_ad = "(tun0)"
> >
> > change that to "(tun0:0)" - it's an FAQ, only we don't have a good
> > place to document it.  Suggestions - once again welcome.
> >
> > --
> > /"\  Best regards,                      | mlaier@freebsd.org
> > \ /  Max Laier                          | ICQ #67774661
> >  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> > / \  ASCII Ribbon Campaign              | Against HTML Mail and News

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun May 17 23:47:41 2009
From: irix <irix@ukr.net>
To: freebsd-pf@freebsd.org
Date: Mon, 18 May 2009 02:48:22 +0300
Message-ID: <904030579.20090518024822@ukr.net>
Subject: Re:altq X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: irix@ukr.net List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2009 23:47:41 -0000 Hello , First of all,person who is responsible for this answer for my question about dynamics queues and finely complete to merge cdnr into pf, that altq nothing else, and complete does not this function. You need and you do. We are not interested in this. But altq is not complete solution. From altqd make any abnormality. The idea of merging with pf excellent, but the realization of an unfinished, even at 30%. Removed 70% of traffic disciplince's (like blue, JoBBs), did not finish cdnr, nothing new added. How can this be called complete project? In DfBSD in altq add fairq, is one new option in altq for last six years. No development, the project is dead. I can understand, when project is complete, more it did not need to add. But altq in pf have almost nothing. And developers say it does not concern us. So I wrote up in maillist freebsd, as in most advanced bsd system. Developers who think for a few years in advance. > On Sat, May 16, 2009 21:45, irix wrote: > Hello Freebsd-pf, > > Sorry for my english. > > OpenBSD team is abandon the altq project. > >I just got curious about this: where you heard that OpenBSD is abandoning >altq ? > >thanks, > >matheus > >-- >We will call you cygnus, >The God of balance you shall be > >A: Because it messes up the order in which people normally read text. >Q: Why is top-posting such a bad thing? 
> >http://en.wikipedia.org/wiki/Posting_style

-- 
Best regards,
irix                          mailto:irix@ukr.net

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 00:24:21 2009
Date: Mon, 18 May 2009 02:01:45 +0200
From: britneyfreek
To: Max Laier
Cc: freebsd-pf@freebsd.org
Message-ID: <2ad621ab0905171701r723f0898s672249600df4455c@mail.gmail.com>
In-Reply-To: <200905172321.03996.max@love2party.net>
Subject: Re: PF Nat Problem after PPP reconnection

I've had such problems when using an MTU other than 1492... sorry, have no other solution.

2009/5/17 Max Laier:
> On Sunday 17 May 2009 23:08:32 Kevin Smith wrote:
>> You mean the ext_ad macro right ?
>>
>> What do you tell with that to pf, and why do I need it, can you tell me ? :)
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=69954
>
>> Thank you!
>>
>> 2009/5/17 Max Laier
>>
>> > On Sunday 17 May 2009 21:50:52 Kevin Smith wrote:
>> > > /etc/pf.conf - i just added log for debugging but without log the
>> > > behaviour was the same
>> > >
>> > > ext_if = "tun0"
>> > > int_if = "nfe0"
>> > > ext_ad = "(tun0)"
>> >
>> > change that to "(tun0:0)" - it's an FAQ, only we don't have a good
>> > place to document it. Suggestions - once again welcome.
>> >
>> > --
>> > /"\  Best regards,                      | mlaier@freebsd.org
>> > \ /  Max Laier                          | ICQ #67774661
>> >  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
>> > / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 06:46:20 2009
Date: Sun, 17 May 2009 23:20:40 -0700
From: mehma sarja
To: freebsd-pf@freebsd.org
Cc: ysidhu@ucolick.org
Subject: Testing new firewall to replace operational firewall

This is a long and complicated affair. I have warned you and you still persist on reading further. I will try to protect you as much as possible, but please be forewarned.

GOAL

I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The FreeBSD firewall does NOT have altq enabled. Here is the setup:

INTERNET ===[outside port bridged to inside port OLD pf] === [outside port bridged to inside port NEW pf] === LAN

CONTEXT

a. The old firewall is in production and is running as expected - blocking and passing as we need.

b. I am in the process of replacing it with a new one. It happens that OpenBSD was inconvenient on the hardware we have, so the new firewall is implemented on FreeBSD. I copied most stuff over and tested it within our network - which is not a complete test.

c. So, one test is to put these two firewalls in tandem - just for testing. The idea being that the inside firewall will catch stuff going out and we can see it in the logs, and the outside firewall will catch stuff coming in and we can see that as well. They should not have anything in the logs for stuff going the other way, if you know what I mean.

WHY ARE WE DOING THIS?

We are replacing a production firewall and want to test the new one for about a month before taking the old one away. Is there a better way to test out the functionality over an extended period of time - without setting up a separate environment?

RESULTS OF TEST

The tandem configuration got hooked in and everything (by 'everything', I mean this is our single pipe in and out of our organization and we have a lot of other services we provide) works except smtps, https and maybe imaps and pop3s (we did not test for these since we quickly reverted back when we found out that some services were being blocked).

DATA THAT MIGHT BE HELPFUL

OLD FIREWALL - smtps

pfctl -s rules|grep 465
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.22.166 port = 465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 56.69.235.49 to 118.124.23.218 port = 465 flags S/SA modulate state

em0 is the outside port of the bridge

NEW FIREWALL - smtps

pfctl -s rules|grep smtps
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.22.166 port = smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 56.69.235.49 to 128.114.23.218 port = smtps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL imaps DATA is the same

pfctl -s rules|grep imaps
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL https DATA is the same

pfctl -s rules|grep https
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL pop3s DATA is the same

pfctl -s rules|grep pop3s
pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = pop3s flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 118.124.23.234 port = pop3s flags S/SA modulate state

MY CONJECTURES

Referring to one rule:

pass in log quick on em0 inet proto tcp from any to 118.124.23.233 port = imaps flags S/SA modulate state

FIRST

I suspect "modulate state" may be the culprit. Here is what the manual says: "modulate state - works only with TCP. PF will generate strong Initial Sequence Numbers (ISNs) for packets matching this rule." So we have 2 machines generating ISNs for the same connection. Could this be the problem?

SECOND

Are the "flags S/SA" altq functions? Because, as I said before, the new firewall is FreeBSD GENERIC kernel with altq not compiled in.

Yudhvir
"I play with fire....walls"
===

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 08:45:24 2009
Date: Mon, 18 May 2009 16:24:20 +0800
From: jin wang
To: freebsd-pf@freebsd.org
Message-ID: <7f8c92fb0905180124m24346fc3x2b39c8d4a5bfa893@mail.gmail.com>
Subject: Is there any plan to remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 09:33:43 2009
Date: Mon, 18 May 2009 11:14:23 +0200
From: Maciej Milewski
To: freebsd-pf@freebsd.org
Cc: ysidhu@ucolick.org
Message-Id: <200905181114.24507.milu@dat.pl>
Subject: Re: Testing new firewall to replace operational firewall

Monday 18 May 2009 08:20:40 mehma sarja wrote:
> SECOND
> Are the "flags S/SA" altq functions? Because, as I said before, the new
> firewall is FreeBSD GENERIC kernel with altq not compiled in.

No, they aren't as far as I know. Altq is a mechanism used for queuing/traffic shaping. If you don't compile it, it just can't be used. For more info please look at the PF FAQ or pf manual.

S/SA is from flags and means SYN and ACK.
Handbook says "FreeBSD 7.X -- PF is at OpenBSD 4.1", so this option (flags S/SA) is set by default. If you omit it in config it will be set.

Best Regards,
Maciej Milewski

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 10:40:18 2009
Date: Mon, 18 May 2009 15:13:35 +0500
From: "Dr.Pesko"
To: freebsd-pf@freebsd.org
Message-ID: <4A1134CF.4060605@gmail.com>
Subject: altq with lagg

Hello everyone,

Is it possible to use ALTQ with lagg and vlan interfaces? Thanks.

Best Regards,
Dr.Pesko

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 11:06:58 2009
Date: Mon, 18 May 2009 11:06:57 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <200905181106.n4IB6vk9075747@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

31 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon May 18 15:30:03 2009
Date: Mon, 18 May 2009 11:29:40 -0400
From: Scott Ullrich
To: jin wang
Cc: freebsd-pf@freebsd.org
In-Reply-To: <7f8c92fb0905180124m24346fc3x2b39c8d4a5bfa893@mail.gmail.com>
Subject: Re: Is there any plan to
  remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?

> Is there any plan to remove the global mutex lock (PF_LOCK/PF_UNLOCK) ?

I believe the plan is to do a sync against openbsd-current after 8.0 release and then begin to restructure the locking to allow it to run across multiple cores/cpus targeting 9.0.

Scott

From owner-freebsd-pf@FreeBSD.ORG Tue May 19 05:11:13 2009
Date: Mon, 18 May 2009 22:11:12 -0700
From: mehma sarja
To: Maciej Milewski
Cc: ysidhu@ucolick.org, freebsd-pf@freebsd.org
In-Reply-To: <200905181114.24507.milu@dat.pl>
Subject: Re: Testing new firewall to replace operational firewall

Maciej,

Thanks for answering one question. Now, does anyone know anything about "modulated state" running on tandem firewalls causing problems?

Yudhvir
===

2009/5/18 Maciej Milewski
> Monday 18 May 2009 08:20:40 mehma sarja wrote:
> > SECOND
> > Are the "flags S/SA" altq functions? Because, as I said before, the new
> > firewall is FreeBSD GENERIC kernel with altq not compiled in.
> No, they aren't as far as I know. Altq is a mechanism used for
> queuing/traffic shaping. If you don't compile it, it just can't be used. For
> more info please look at the PF FAQ or pf manual.
>
>
> S/SA is from flags and means SYN and ACK.
> Handbook says "FreeBSD 7.X -- PF is at OpenBSD 4.1", so this option (flags
> S/SA) is set by default. If you omit it in config it will be set.
>
>
>
> Best Regards,
> Maciej Milewski
>

From owner-freebsd-pf@FreeBSD.ORG Tue May 19 09:55:29 2009
Date: Tue, 19 May 2009 19:44:34 +1000
From: Peter Jeremy
To: mehma sarja
Cc: ysidhu@ucolick.org, freebsd-pf@freebsd.org
Message-ID: <20090519094434.GA5943@server.vk2pj.dyndns.org>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Re: Testing new firewall to replace operational firewall

On 2009-May-17 23:20:40 -0700, mehma sarja wrote:
>I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No. The inner firewall will generate "strong" ISNs and forward the packets. The outer firewall will then generate its own "strong" ISN and forward the packet to the internet. Neither firewall cares about the sequence numbers other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No but I presume your testing took into account that inserting/removing the firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a maintenance window or low-traffic period where you can afford a planned outage) with tcpdump running on inner, middle and outer interfaces and follow the packets through. Looking at how the packets are transformed will hopefully provide a clue as to what is not working the way you expect.

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Tue May 19 14:54:56 2009
Date: Tue, 19 May 2009 14:25:37 +0000
From: Alessandro Silveira
To: freebsd-pf@freebsd.org
Message-ID: <720e1f20905190725q7659f6a5o5c64fa85aad996c8@mail.gmail.com>
Subject: Best method to stream

I have a Storage with high input/output traffic in a network. What is the best implementation for the transmission stream without delay, HFSC or CBQ?

Regards
Alessandro

From owner-freebsd-pf@FreeBSD.ORG Tue May 19 18:27:22 2009
Date: Tue, 19 May 2009 23:26:34 +0500
From: "Dr.Pesko"
To: freebsd-pf@freebsd.org
Message-ID: <4A12F9DA.3070604@gmail.com>
In-Reply-To: <4A1134CF.4060605@gmail.com>
Subject: Re: altq with lagg

On 5/18/2009 3:13 PM, Dr.Pesko wrote:
> Hello everyone,
>
> Is it possible to use ALTQ with lagg and vlan interfaces? Thanks.
>
> Best Regards,
> Dr.Pesko
>

Yesssss! It works! I just used "altq on lagg0 cbq blabla" in my pf.conf file. Thanks!

Best Regards,
Dr.Pesko
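Added example for the tandem-firewall thread above (Peter Jeremy's reply to mehma sarja): a constructed model of two in-line pf boxes both running "modulate state", showing that each one's random sequence offset simply composes with the other's and both end hosts still see a consistent handshake, and that a firewall inserted into an already established connection has no state for it and drops the next segment. This is not pf's code; the offset arithmetic mirrors pf's per-state seqdiff, while the hosts, ports, ISNs, firewall names and the NEW-inside/OLD-outside chain are assumptions.

```python
import random
from dataclasses import dataclass, replace

MOD32 = 1 << 32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # "S", "SA", "A" or "PA"


class ModulatingFirewall:
    """One pf box whose rule is 'pass ... flags S/SA modulate state'.
    Model of pf's per-state seqdiff: a random offset per direction, added to
    seq on the way out and subtracted from the ack of the peer's replies."""

    def __init__(self, name, rng):
        self.name = name
        self.rng = rng
        self.states = {}  # initiator 4-tuple -> {direction 4-tuple: offset}

    @staticmethod
    def key(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def forward(self, seg):
        fwd = self.key(seg)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        st = self.states.get(fwd) or self.states.get(rev)
        if st is None:
            # No state yet: only a bare SYN may create one ('flags S/SA'), anything else is dropped.
            if seg.flags != "S":
                raise ValueError(f"{self.name}: no state for {fwd}, dropped")
            st = {fwd: self.rng.randrange(1, MOD32), rev: None}
            self.states[fwd] = st
        elif st[fwd] is None:
            # First packet back from the responder (its SYN/ACK): its ISN gets a fresh offset.
            st[fwd] = self.rng.randrange(1, MOD32)
        new_seq = (seg.seq + st[fwd]) % MOD32
        new_ack = (seg.ack - st[rev]) % MOD32 if "A" in seg.flags else seg.ack
        return replace(seg, seq=new_seq, ack=new_ack)


def through(chain, seg):
    """Push one segment through the firewalls in the order given."""
    for fw in chain:
        seg = fw.forward(seg)
    return seg


def run_handshake(seed=7):
    """LAN client -> NEW (inner) -> OLD (outer) -> Internet server and back;
    returns what each end actually sees (all hosts, ports and ISNs constructed)."""
    rng = random.Random(seed)
    inner, outer = ModulatingFirewall("NEW", rng), ModulatingFirewall("OLD", rng)
    outbound, inbound = [inner, outer], [outer, inner]
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 465)  # 465 = smtps
    c_isn, s_isn = 1000, 5_000_000

    syn = Segment(client[0], server[0], client[1], server[1], c_isn, 0, "S")
    syn_at_server = through(outbound, syn)
    synack = Segment(server[0], client[0], server[1], client[1],
                     s_isn, (syn_at_server.seq + 1) % MOD32, "SA")
    synack_at_client = through(inbound, synack)
    ack = Segment(client[0], server[0], client[1], server[1],
                  (c_isn + 1) % MOD32, (synack_at_client.seq + 1) % MOD32, "A")
    ack_at_server = through(outbound, ack)
    # 200 bytes of client data (say, a TLS ClientHello), then the server's ACK for it.
    data_at_server = through(outbound, replace(ack, flags="PA"))
    data_ack = Segment(server[0], client[0], server[1], client[1],
                       (s_isn + 1) % MOD32, (data_at_server.seq + 200) % MOD32, "A")
    data_ack_at_client = through(inbound, data_ack)

    k = ModulatingFirewall.key(syn)
    return {"c_isn": c_isn, "s_isn": s_isn,
            "inner_offset": inner.states[k][k], "outer_offset": outer.states[k][k],
            "server_sees_client_isn": syn_at_server.seq,
            "client_sees_ack": synack_at_client.ack,
            "server_sees_ack": ack_at_server.ack,
            "client_sees_data_ack": data_ack_at_client.ack}


def inserted_mid_connection_is_dropped():
    """Peter Jeremy's caveat: a firewall inserted into an established
    connection has no state for it, so the next segment is dropped."""
    fw = ModulatingFirewall("NEW", random.Random(1))
    seg = Segment("10.0.0.5", "192.0.2.10", 40000, 465, 123456, 654321, "PA")
    try:
        fw.forward(seg)
    except ValueError:
        return True
    return False
```

Calling run_handshake() shows the server receiving the client's ISN shifted by the sum of both firewalls' offsets, while every acknowledgement that reaches either host still matches that host's own sequence space.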