From owner-freebsd-pf@freebsd.org Sun Oct 9 21:00:27 2016
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 09 Oct 2016 21:00:27 +0000
Message-Id: <201610092100.u99L01aQ089625@kenobi.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Tue Oct 11 08:40:49 2016
From: Kamil Choudhury
To: "freebsd-pf@freebsd.org"
Subject: Slow NAT on 10.3-RELEASE
Date: Tue, 11 Oct 2016 08:34:53 +0000

Hey freebsd-pf:

I'm on FreeBSD 10.3-RELEASE, and attempting to route all traffic from jail1 to the
internet out of router.vtnet0 using PF. It *works*, but not well: boundary's
NAT tops out at a blistering 20KBps on a 100Mbps internet connection.

Here's the topology I'm working with:

client1.tap0 <--1--> tap1.intermediate1.tap0 <--2--> tap0.boundary.vtnet0-> internet
       .vtnet0-->internet        .vtnet0--> internet
       .vlan0
          |
          +--> jail1 (10.0.0.33)

There are layers of PF firewalls; stripped of all nonsense here are their pf.confs:

[client1]
if_ext = "vtnet0"
set skip on lo0
scrub in
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all
pass in quick on tap0 reply-to (tap0 192.168.53.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap0 192.168.53.1) from 10.0.0.0/24 to any keep state (floating)

[intermediate]
if_ext = "vtnet0"
set skip on lo0
scrub in
pass in all
pass out all
pass in quick on tap1 reply-to (tap1 192.168.2.1) proto tcp from any to any keep state (floating)
pass out quick on $if_ext route-to (tap1 192.168.2.1) from 10.0.0.0/24 to any keep state (floating)

[boundary]
if_ext = "vtnet0"
set skip on lo0
scrub in
rdr on $if_ext proto tcp from any to $if_ext port 25 -> 10.0.0.33
nat on $if_ext from { 10.0.0.0/24 } to any -> ($if_ext:0)
pass in all
pass out all

Diagnostics:

iperf from jail1 to boundary.tap0 is about 50-60Mbps, so I am ruling out
configuration issues on Links 1 and 2.

All hosts can ping everyone, and ping packets to the internet from jail1 go
out the door to the internet from boundary1. It looks, therefore, like routing
is set up correctly as well on all the hosts.

All of these hosts are virtualized on Vultr (haven't tried on DO or EC2).
Links 1 and 2 are OpenVPN connections, FWIW.

I've seen some mention of checksum issues on NAT limiting performance, but that
seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
problem, or have I misconfigured something?

Thanks in advance,
Kamil

From owner-freebsd-pf@freebsd.org Tue Oct 11 17:19:59 2016
From: "Kristof Provost"
To: "Kamil Choudhury"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Slow NAT on 10.3-RELEASE
Date: Tue, 11 Oct 2016 16:47:47 +0200
Message-ID: <5D92FF1D-F24C-465D-9502-B6D9A7276628@FreeBSD.org>

On 11 Oct 2016, at 10:34, Kamil Choudhury wrote:
> I've seen some mention of checksum issues on NAT limiting performance, but that
> seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual
> problem, or have I misconfigured something?
>
It’s worth trying the workaround (i.e. disable all checksum offloading
on your interfaces).
I’ve had at least one bug report indicating that the checksum patch is
not 100% correct, but I’ve not had the time to investigate that in-depth.

What virtualisation system are you using?

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Tue Oct 11 18:01:15 2016
From: "Zeus Panchenko"
Subject: psync for sshguard table sync on several hosts
Date: Tue, 11 Oct 2016 20:59:13 +0300
Message-ID: <20161011205913.33949@relay.ibs.dn.ua>
Reply-To: "Zeus Panchenko"

hi,

please advise

I think of pfsync-ing sshguard table content among several hosts to get
one big table on each host, since IP blocked on one host I want to be
blocked on all others automatically (all hosts are terminated in one
VPN) ...

am I correct to consider pfsync as right way to get that?

-- 
Zeus V. Panchenko                               jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                   GMT+2 (EET)

From owner-freebsd-pf@freebsd.org Wed Oct 12 06:41:44 2016
From: mxb
To: Zeus Panchenko
Cc: freebsd-pf@freebsd.org
Subject: Re: psync for sshguard table sync on several hosts
Date: Wed, 12 Oct 2016 08:41:38 +0200
Message-Id: <2D0AF2DC-8E0C-429A-8D44-51890E2187FD@alumni.chalmers.se>
In-Reply-To: <20161011205913.33949@relay.ibs.dn.ua>

Use BGP to distribute list of IP addresses.
Like it is done at http://bgp-spamd.net/

//mxb

> On 11 Oct 2016, at 19:59, Zeus Panchenko wrote:
>
> hi,
>
> please advise
>
> I think of pfsync-ing sshguard table content among several hosts to get
> one big table on each host, since IP blocked on one host I want to be
> blocked on all others automatically (all hosts are terminated in one
> VPN) ...
>
> am I correct to consider pfsync as right way to get that?
>
> --
> Zeus V. Panchenko                               jid:zeus@im.ibs.dn.ua
> IT Dpt., I.B.S. LLC                                   GMT+2 (EET)
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@freebsd.org Wed Oct 12 07:05:42 2016
From: "Zeus Panchenko"
To: "mxb"
Subject: Re: pfsync for sshguard table sync on several hosts
Date: Wed, 12 Oct 2016 10:05:30 +0300
Message-ID: <20161012100530.75290@relay.ibs.dn.ua>
In-reply-to: Your message of Wed, 12 Oct 2016 08:41:38 +0200 <2D0AF2DC-8E0C-429A-8D44-51890E2187FD@alumni.chalmers.se>
Reply-To: "Zeus Panchenko"

mxb wrote:
> Use BGP to distribute list of IP addresses.
> Like it is done at http://bgp-spamd.net/

what about pfsync indeed?

I need black list of addresses I do can control on my own and to install
BGP infrastructure for local needs looks excessive

isn't pfsync aimed for the tasks like this one?

-- 
Zeus V. Panchenko                               jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                   GMT+2 (EET)

From owner-freebsd-pf@freebsd.org Wed Oct 12 08:34:13 2016
From: mxb
To: Zeus Panchenko
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync for sshguard table sync on several hosts
Date: Wed, 12 Oct 2016 10:34:07 +0200
Message-Id: <1BB0BE2C-E281-480C-9EA3-CCF9ADE0CCD8@alumni.chalmers.se>
In-Reply-To: <20161012100530.75290@relay.ibs.dn.ua>

> On 12 Oct 2016, at 09:05, Zeus Panchenko wrote:
>
> isn't pfsync aimed for the tasks like this one?

No, it is not. PFSync is for replicating states between two or more nodes (firewalls).
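
The last reply separates state replication (pfsync) from table contents, so a shared sshguard blocklist has to be moved at the table level. The following Python is an added example, not code from this thread, from sshguard or from pf: it merges each host's `pfctl -t sshguard -T show` output and works out which entries every host is missing. The table name `sshguard`, the host names, the sample addresses and the VPN prefix 10.8.0.0/24 are assumptions.

```python
import ipaddress

# Constructed sample input: the text `pfctl -t sshguard -T show` prints on
# each host (one indented address or network per line).
SAMPLE_DUMPS = {
    "fw1": "   192.0.2.10\n   198.51.100.0/24\n",
    "fw2": "   10.8.0.3\n   192.0.2.10\n   198.51.100.9\n"
           "   203.0.113.7\n   2001:db8::5\n",
    "fw3": "",
}

# Assumption: the VPN shared by the hosts uses this prefix. Entries that
# overlap it are never propagated, so one host cannot lock out its peers.
NEVER_BLOCK = [ipaddress.ip_network("10.8.0.0/24")]


def parse_dump(text):
    """Parse pfctl table output into a set of ip_network objects."""
    nets = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not a plain address or prefix (e.g. a negated entry)
    return nets


def covers(outer, inner):
    """True if `inner` lies entirely inside `outer` (same address family)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def render(net):
    """Render single-host entries as a bare address, networks as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def plan_sync(dumps, protected=NEVER_BLOCK):
    """Return {host: sorted entries that host is missing from the union}."""
    tables = {host: parse_dump(text) for host, text in dumps.items()}
    merged = set().union(*tables.values())
    merged = {n for n in merged
              if not any(n.version == p.version and n.overlaps(p)
                         for p in protected)}
    # Drop entries already covered by a wider prefix in the merged set.
    minimal = {n for n in merged
               if not any(m != n and covers(m, n) for m in merged)}
    plan = {}
    for host, have in tables.items():
        missing = [n for n in minimal
                   if not any(covers(h, n) for h in have)]
        missing.sort(key=lambda n: (n.version, int(n.network_address),
                                    n.prefixlen))
        plan[host] = [render(n) for n in missing]
    return plan


def pfctl_commands(plan, table="sshguard"):
    """Render the plan as one `pfctl -T add` argument list per host."""
    return {host: ["pfctl", "-t", table, "-T", "add", *entries]
            for host, entries in plan.items() if entries}


if __name__ == "__main__":
    for host, argv in pfctl_commands(plan_sync(SAMPLE_DUMPS)).items():
        print(host, " ".join(argv))
```

Entries added this way are not tracked by the receiving host's sshguard, so they need their own expiry, for example with `pfctl -t sshguard -T expire <seconds>`.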