From owner-freebsd-pf@FreeBSD.ORG Sun Apr 1 12:44:28 2007
Message-ID: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
Date: Sun, 1 Apr 2007 15:19:18 +0300
From: "Moisa Teodor"
To: freebsd-pf@freebsd.org
Subject: home multipurpose gateway/router/server setup help

Hello,

I wanted to set-up a multipurpose server/gateway/router with an old pc, but ran into some trouble.
I have an internet connection from a local ISP (it's not cable or adsl it's ethernet) and a couple of home computers. The ISP has a little program that needs to run continuously in the background (it connects to one of my ISP's servers on port 2400)
If that program does not run, I cannot go through the ISP's gateway.
In the past I had another box with smoothwall linux, but the motherboard crashed. Anyway, on that box I was able to do the trick.
I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I run the ISP's software and I have internet access. Good. But I want to share this internet connection with my home LAN.
I read somewhere that I need to recompile the kernel and enable packet filtering and firewall (the tutorial I used is located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
However, when I reboot with the new kernel I cannot connect to any network, neither the ISP's nor my home LAN.
I want to use this box as a gateway/router/firewall for my home lan, and also run some services like a web server for my projects, etc.

Thanks a lot for your help, and keep up the good work
Doru Moisa

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 11:08:15 2007
Date: Mon, 2 Apr 2007 11:08:14 GMT
Message-Id: <200704021108.l32B8EHe052213@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    nat rule of pf without "on" clause causes invalid pack

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
o conf/110838  pf    tagged parameter on nat not working

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 15:27:30 2007
To: freebsd-pf@freebsd.org
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Mon, 02 Apr 2007 16:59:30 +0200
In-Reply-To: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com> (Moisa Teodor's message of "Sun, 1 Apr 2007 15:19:18 +0300")
Message-ID: <87bqi63jql.fsf@thingy.datadok.no>
Subject: Re: home multipurpose gateway/router/server setup help

"Moisa Teodor" writes:

> I read somewhere that I need to recompile
> the kernel and enable packet filtering and firewall (the tutorial I used is
> located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).

That article describes FreeBSD 5.1, which probably means it's a couple
of years old at least. Also, it describes IPFW, which is a bit more
cumbersome to config than PF. Unless I'm terribly mistaken, running
PF on recent FreeBSDs does not require a kernel recompile.

My suggestion is that if you want to run PF on your FreeBSD box,
you're better off browsing http://home.nuug.no/~peter/pf/, and you'll
figure out rather easily what you need to do. (Yes, that's a tutorial
I wrote and update occasionally).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

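
An added example, not part of the original thread and not taken from the tutorial linked above: a minimal FreeBSD configuration that enables PF on a stock GENERIC kernel through rc.conf (no kernel recompile) and turns the two-NIC box from the question into a default-deny NAT gateway. Assumptions: sis0 faces the ISP and pcn0 faces the LAN (the post names the interfaces but not their roles), and the LAN subnet 192.168.0.0/24 is a constructed value.

```conf
# ---- /etc/rc.conf (additions) ----
pf_enable="YES"            # rc script loads the pf module and enables the filter at boot
pf_rules="/etc/pf.conf"    # ruleset to load
pflog_enable="YES"         # pflogd records packets matched by rules carrying "log"
gateway_enable="YES"       # sets net.inet.ip.forwarding=1 so the box routes

# ---- /etc/pf.conf ----
# Macros (interface roles and subnet are assumptions, adjust to the real setup)
ext_if  = "sis0"             # assumed: cable to the ISP
int_if  = "pcn0"             # assumed: home LAN
int_net = "192.168.0.0/24"   # constructed LAN subnet

# Options and normalization
set skip on lo0              # never filter loopback traffic
scrub in all                 # reassemble fragments, drop malformed packets

# Translation: LAN hosts leave with the gateway's current external address.
# ($ext_if) in parentheses follows the address if the ISP changes it.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Filtering: default deny, log what is dropped so mistakes show up in pflog0
block log all

# LAN clients may open connections through (or to) the gateway.
# "flags S/SA" creates TCP state only from the initial SYN.
pass in on $int_if inet proto tcp from $int_net to any flags S/SA keep state
pass in on $int_if inet proto { udp, icmp } from $int_net to any keep state

# The gateway itself may reach LAN hosts (ping, ssh to a workstation, ...)
pass out on $int_if inet proto tcp from ($int_if) to $int_net flags S/SA keep state
pass out on $int_if inet proto { udp, icmp } from ($int_if) to $int_net keep state

# Everything leaving toward the ISP. NAT runs before filtering, so forwarded
# LAN traffic already carries the external address here. The ISP's login
# client running on this box (server port 2400) is covered by these rules
# whether it uses TCP or UDP.
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# Optional: expose a web server running on the gateway itself.
# Nothing else is reachable from outside while this stays the only inbound rule.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# ---- Applying it on the running system, without a reboot ----
#   pfctl -nf /etc/pf.conf            parse only: report syntax errors, load nothing
#   kldload pf                        load the module into the running kernel
#   pfctl -e -f /etc/pf.conf          enable PF and load the ruleset
#   sysctl net.inet.ip.forwarding=1   turn on routing now (rc.conf covers later boots)
#   pfctl -sr ; pfctl -sn ; pfctl -ss show filter rules, NAT rules, state table
#   tcpdump -n -e -ttt -i pflog0      watch what "block log all" is dropping
```

Run the `pfctl -nf` check from the console rather than over the network the first time, since `block log all` drops any session the ruleset does not explicitly pass.
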
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 16:03:12 2007
Message-ID: <1b6d3f540704020903x6b2fe171q20e857e1069f082b@mail.gmail.com>
Date: Mon, 2 Apr 2007 19:03:07 +0300
From: "Moisa Teodor"
To: freebsd-pf@freebsd.org
In-Reply-To: <87bqi63jql.fsf@thingy.datadok.no>
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com> <87bqi63jql.fsf@thingy.datadok.no>
Subject: Re: home multipurpose gateway/router/server setup help

Wow, that's exactly what I need. I owe you a lot of beers. Thanks a lot.

On 4/2/07, Peter N. M. Hansteen wrote:
>
> "Moisa Teodor" writes:
>
> > I read somewhere that I need to recompile
> > the kernel and enable packet filtering and firewall (the tutorial I used is
> > located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
>
> That article describes FreeBSD 5.1, which probably means it's a couple
> of years old at least. Also, it describes IPFW, which is a bit more
> cumbersome to config than PF. Unless I'm terribly mistaken, running
> PF on recent FreeBSDs does not require a kernel recompile.
>
> My suggestion is that if you want to run PF on your FreeBSD box,
> you're better off browsing http://home.nuug.no/~peter/pf/, and you'll
> figure out rather easily what you need to do. (Yes, that's a tutorial
> I wrote and update occasionally).
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 21:15:18 2007
Message-ID: <46117263.3060203@mykitchentable.net>
Date: Mon, 02 Apr 2007 14:15:15 -0700
From: Drew Tomlinson
To: freebsd-pf@freebsd.org
Subject: Bacula and pf

I run Bacula v1.38 on my home network. Ever since I moved from ipfw2 to pf, backups fail intermittently on my router due to "broken network pipes" usually after somewhere around 10 MB - 12 MB has been transferred. Thus small incremental backups are successful but larger full backups are not.

I do not have this problem when I disable pf on the router, nor do I have problems when completing backups with other machines on my internal network. My setup looks like this:

bacula director --------- router (client)
192.168.1.4 (fxp0)        192.168.1.2 (dc0)

Communication takes place on ports 9102 and 9103.

I captured this output from pflog0 after starting a backup:

blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb ) and ( port 9102 or port 9103 )"
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 65535
2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 65535
2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 2265048452 win 65535

And the rules are:

@7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate state queue(std_out, ack_out)
@13 pass out log on dc0 inet all

Any ideas why Bacula would have such a problem? Other things to check?

Thanks,

Drew

--
Be a Great Magician! Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 2 23:14:22 2007
Message-ID: <46118E35.6060003@vwsoft.com>
Date: Tue, 03 Apr 2007 01:13:57 +0200
From: Volker
To: Moisa Teodor
Cc: freebsd-pf@freebsd.org
References: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
In-Reply-To: <1b6d3f540704010519q78a37ee8sd60f8aeb7200a713@mail.gmail.com>
Subject: Re: home multipurpose gateway/router/server setup help

On 12/23/-58 20:59, Moisa Teodor wrote:
> I wanted to set-up a multipurpose server/gateway/router with an old pc, but
> ran into some trouble.
> I have an internet connection from a local ISP (it's not cable or adsl it's
> ethernet) and a couple of home computers. The ISP has a
> little program that needs to run continuously in the background (it connects
> to one of my ISP's servers on port 2400)
> If that program does not run, I cannot go through the ISP's gateway.
> In the past I had another box with smoothwall linux, but the motherboard
> crashed. Anyway, on that box I was able to
> do the trick.
> I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
> run the ISP's software and I have internet
> access. Good. But I want to share this internet connection with my home LAN.
> I read somewhere that I need to recompile
> the kernel and enable packet filtering and firewall (the tutorial I used is
> located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
> However, when I reboot with the new kernel I cannot connect to any network,
> neither the ISP's nor my home LAN.
> I want to use this box as a gateway/router/firewall for my home lan, and
> also run some services like a web server for my projects, etc.
>
>
> Thanks a lot for your help, and keep up the good work
> Doru Moisa

Doru,

unfortunately you've taken a rather old how-to for your setup. Of course you may go with IPFILTER (IPFW) firewalling but I would recommend to use pf.

If you want to go with IPFW, you have to keep in mind it defaults to deny traffic. If you don't activate a (correct) ruleset, all traffic is being blocked. The last time I've used IPFW is about 2 or 3 years ago so my memory about that is currently somewhat limited. I think the default-to-deny is your problem. You may check that out by temporarily disabling IPFW (using `ipfw disable firewall').

If you want to go with pf as your firewalling solution (a modern, high quality firewall), all you need to do is use a GENERIC kernel and kldload pf.ko, write your ruleset, load it (by `pfctl -f ...') and you're done.

As you want to use your box as a router for your home LAN, you may also want to set gateway_enable="YES" in /etc/rc.conf which will set sysctl net.inet.ip.forwarding=1 and your box will act as a router.

HTH,

Volker

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 03:22:11 2007
Date: Mon, 2 Apr 2007 23:11:48 -0400
From: "Rawalt, Chad \(GE Infra, Oil & Gas\)"
Subject: RE: home multipurpose gateway/router/server setup help

May also help. Good resources.

http://www.bsdguides.org/guides/freebsd/networking/ho_router_pf.php

chad

On 12/23/-58 20:59, Moisa Teodor wrote:
> I wanted to set-up a multipurpose server/gateway/router with an old pc, but
> ran into some trouble.
> I have an internet connection from a local ISP (it's not cable or adsl it's
> ethernet) and a couple of home computers. The ISP has a
> little program that needs to run continuously in the background (it connects
> to one of my ISP's servers on port 2400)
> If that program does not run, I cannot go through the ISP's gateway.
> In the past I had another box with smoothwall linux, but the motherboard
> crashed. Anyway, on that box I was able to
> do the trick.
> I have installed FreeBSD. Both network cards are working (sis0 and pcn0). I
> run the ISP's software and I have internet
> access. Good. But I want to share this internet connection with my home LAN.
> I read somewhere that I need to recompile
> the kernel and enable packet filtering and firewall (the tutorial I used is
> located here http://www.lugbe.ch/lostfound/contrib/freebsd_router/).
> However, when I reboot with the new kernel I cannot connect to any network,
> neither the ISP's nor my home LAN.
> I want to use this box as a gateway/router/firewall for my home lan, and
> also run some services like a web server for my projects, etc.
>
>
> Thanks a lot for your help, and keep up the good work
> Doru Moisa

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 04:00:55 2007
Message-ID: <000301c7759f$416d7210$0200a8c0@satellite>
From: "Dave"
Date: Mon, 2 Apr 2007 23:22:05 -0400
Reply-To: Dave
Subject: pf rules for dhcp servers and clients

Hello,

I'm reconfiguring my pf firewalls updating to 6.2. I'm having an issue with dhcp, getting the rules right. I've included the rules below, can anyone comment if they're accurate or if you have working ones?

Thanks.
Dave.

This first snippet is from the network dhcp server, contacting the isp's dhcp server so it can get an ip, and providing dhcp leases to other network clients:

ext_if = "rl0"

# Allow dhcp
pass quick on $ext_if inet proto udp from any port bootps to { 255.255.255.255 ($ext_if) } port bootpc $keep_state

# Allow UDP requests to port 67 from firewall to exit ext_if
# allow DNS requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass quick on $ext_if inet proto { tcp,udp } from ($ext_if) to any port { ntp, domain } queue interact $keep_state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port domain $keep_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass quick on $int_if inet proto { tcp, udp } from { $int_net, 255.255.255.255 } to $int_if port { bootpc, bootps } $keep_state
pass quick on $int_if inet proto { tcp, udp } from $int_net to $int_if port ntp $keep_state

This next is for a lan network client contacting the lan router for dhcp and dns

ext_if = "vr0"
udp_services = "{ domain, bootpc, ntp }"

# allow in udp services (dhcp, dns, ntp etc)
pass quick on $ext_if inet proto { tcp, udp } from any to any port $udp_services keep state

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 15:18:02 2007
Message-ID: <46127020.50207@mykitchentable.net>
Date: Tue, 03 Apr 2007 08:17:52 -0700
From: Drew Tomlinson User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: Dave References: <46117263.3060203@mykitchentable.net> <000701c77581$e13730b0$0200a8c0@satellite> In-Reply-To: <000701c77581$e13730b0$0200a8c0@satellite> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp4.surewest.net X-Spam-Level: X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00, RCVD_IN_SORBS_DUL autolearn=no version=3.0.3 Cc: freebsd-pf@freebsd.org Subject: Re: Bacula and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 15:18:02 -0000

On 4/2/2007 4:51 PM Dave wrote:
> Hi Drew,
> I can't remember the specific setting, but it's something heartbeat
> in the file daemon's configuration file, that'll fix it. I'm currently
> in the process of making a new server for my home network, so don't
> have access to my configs at the moment or i'd be more specific. If
> you don't find it let me know, and i'll dig them out.
> Hth
> Dave.

Thanks for your reply. However I did find that and set the heartbeat to '1', thinking that would ensure that a timed out connection wasn't the problem. I then restarted the fd and tried again. Same problem.

To further determine if there was some lag in the data stream, I used tcpdump on the actual interfaces of both machines and watched the output. Packets just whizzed by until the connection was broken. There were no pauses whatsoever.

Thanks,

Drew

>
> ----- Original Message ----- From: "Drew Tomlinson"
>
> To:
> Sent: Monday, April 02, 2007 5:15 PM
> Subject: Bacula and pf
>
>
>> I run Bacula v1.38 on my home network. Ever since I moved from ipfw2
>> to pf, backups fail intermittently on my router due to "broken
>> network pipes" usually after somewhere around 10 MB - 12 MB has been
>> transferred. Thus small incremental backups are successful but larger
>> full backups are not. I do not have this problem when I disable pf on
>> the router, nor do I have problems when completing backups with other
>> machines on my internal network. My setup looks like this:
>>
>> bacula director --------- router (client)
>> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>>
>> Communication takes place on ports 9102 and 9103. I captured this
>> output from pflog0 after starting a backup:
>>
>> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
>> and ( port 9102 or port 9103 )"
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
>> size 96 bytes
>> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
>> 65535
>> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
>> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
>> 65535
>> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
>> 2265048452 win 65535
>>
>> And the rules are:
>>
>> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any
>> modulate state queue(std_out, ack_out)
>> @13 pass out log on dc0 inet all
>>
>> Any ideas why Bacula would have such a problem? Other things to check?
>>
>> Thanks,
>>
>> Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse http://www.alchemistswarehouse.com From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 16:12:22 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id EE0B116A404 for ; Tue, 3 Apr 2007 16:12:21 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.freebsd.org (Postfix) with ESMTP id 84AEA13C45E for ; Tue, 3 Apr 2007 16:12:19 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.51.80] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis), id 0ML31I-1HYlc92TEE-00067v; Tue, 03 Apr 2007 18:12:15 +0200 
From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Tue, 3 Apr 2007 17:11:54 +0100 User-Agent: KMail/1.9.5 References: <46117263.3060203@mykitchentable.net> In-Reply-To: <46117263.3060203@mykitchentable.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart23052544.sQyGFVaqnU"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200704031812.00089.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+9DpMD60HI6ChxjChWOfZR7Dscti4jBuGP9U5 jFAumcWfR80TNCg9eZtchbT0pfVmUUQFnMIa5z047VLD+h3SES rZPiYYyWA9bnpfTuVJVDw== Cc: Subject: Re: Bacula and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 16:12:22 -0000

On Monday 02 April 2007 23:15, Drew Tomlinson wrote:
> I run Bacula v1.38 on my home network. Ever since I moved from ipfw2
> to pf, backups fail intermittently on my router due to "broken network
> pipes" usually after somewhere around 10 MB - 12 MB has been
> transferred. Thus small incremental backups are successful but larger
> full backups are not. I do not have this problem when I disable pf on
> the router, nor do I have problems when completing backups with other
> machines on my internal network. My setup looks like this:
>
> bacula director --------- router (client)
> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>
> Communication takes place on ports 9102 and 9103. I captured this
> output from pflog0 after starting a backup:
>
> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
> and ( port 9102 or port 9103 )"
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode listening on pflog0, link-type PFLOG (OpenBSD pflog file),
> capture size 96 bytes
> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
> 65535
> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
> 65535
> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
> 2265048452 win 65535
>
> And the rules are:
>
> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any
> modulate state queue(std_out, ack_out)

This rule should have "flags S/SA" on it.

> @13 pass out log on dc0 inet all
>
> Any ideas why Bacula would have such a problem? Other things to check?

Can you turn on pf debugging via "pfctl -xm" and watch the console while
doing the backup? Also monitor "pfctl -si" for increasing counters -
esp. state-mismatch.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 19:19:03 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9649816A402 for ; Tue, 3 Apr 2007 19:19:03 +0000 (UTC) (envelope-from rand@meridian-enviro.com) Received: from newman.meridian-enviro.com (newman.meridian-enviro.com [67.134.74.56]) by mx1.freebsd.org (Postfix) with ESMTP id E76BA13C45B for ; Tue, 3 Apr 2007 19:19:02 +0000 (UTC) (envelope-from rand@meridian-enviro.com) X-Envelope-To: vchepkov@gmail.com Received: from delta.meridian-enviro.com (delta.meridian-enviro.com [10.10.10.43]) by newman.meridian-enviro.com (8.13.6/8.13.6) with ESMTP id l33Iv6dq068024; Tue, 3 Apr 2007 13:57:06 -0500 (CDT) (envelope-from rand@meridian-enviro.com) Received: (from rand@localhost) by delta.meridian-enviro.com (8.13.8/8.13.8/Submit) id l33Iv62M052776; Tue, 3 Apr 2007 13:57:06 -0500 (CDT) (envelope-from rand@delta.meridian-enviro.com) To: "Vadym Chepkov" References: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
From: rand@meridian-enviro.com (Douglas K. Rand) Date: 03 Apr 2007 13:57:05 -0500 In-Reply-To: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan> Message-ID: <87648dgubi.fsf@delta.meridian-enviro.com> Lines: 63 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Virus-Scanned: ClamAV 0.88.4/3007/Tue Apr 3 07:26:03 2007 on newman.meridian-enviro.com X-Virus-Status: Clean Cc: freebsd-pf@freebsd.org Subject: Re: packet filter and amanda X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 19:19:03 -0000

Vadym> Hello everybody,

Hello

Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:
Vadym> device pf # PF OpenBSD packet-filter firewall
Vadym> device pflog # logging support interface for PF

Vadym> I am using amanda to backup a client which is behind router
Vadym> with pf running amanda server - FreeBSD pf - amanda client

Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.

We use the knobs in /etc/make.conf to control which ports Amanda uses:

AMANDA_PORTRANGE = 50001,50099
AMANDA_UDPPORTRANGE = 801,899

Please note that recent versions of Amanda were not correctly respecting the AMANDA_PORTRANGE knob. You need a ports tree that is post PR 110687.

It was unclear to me if you are trying to backup your firewall or systems on the other side of your firewall.

For backups of the actual firewall you need to allow traffic from your Amanda server from any arbitrary UDP port to port 10080 on your firewall. You also need to allow TCP connections from any port on your Amanda server to your firewall in the range defined by AMANDA_PORTRANGE. And lastly, your firewall needs to allow UDP traffic originating from port 10080 from itself heading back to the Amanda server destined for ports in AMANDA_UDPPORTRANGE.

The reference on Amanda FAQ is at
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139

Snippets of our ruleset:

int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
amanda_tcp="50000:50100"
amanda_udp="800:900"
[...]
pass in log quick inet proto tcp from $int_amanda to port $amanda_tcp flags S/SARF keep state (no-sync)
pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
[...]
pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
[...]
pass log quick inet proto udp from port = amanda to $int_amanda port $amanda_udp

And on a DMZ host we have:

amanda="67.134.74.26"
amandatcpports="50000:50100"
amandaudpports="800:900"
[...]
pass in log quick inet proto tcp from $amanda to $lan port $amandatcpports flags S/SARF keep state
pass in log quick inet proto udp from $amanda to $lan port amanda keep state
[...]
pass out log quick inet proto udp from $lan port amanda to $amanda port $amandaudpports keep state

Hope this helps.
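
[Added example, not part of Douglas K. Rand's message and not Amanda or pf code: a Python model of the three flows the message describes, plus a comparison of the make.conf knobs with the pf macros quoted above. The firewall address 10.10.10.1, the function and class names, and the sample packets are constructed for illustration.]

```python
"""Added example: the three Amanda flows described in the message, as a checkable model."""
from ipaddress import ip_address, ip_network

AMANDA_PORT = 10080  # UDP port of the "amanda" service, as stated in the message


def parse_range(text):
    """Parse a make.conf 'lo,hi' knob or a pf 'lo:hi' macro into (lo, hi)."""
    lo, hi = (int(part) for part in text.replace(":", ",").split(","))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def audit(knob, macro):
    """Compare the ports Amanda may use (knob) with the ports pf opens (macro).

    Returns (missing, excess): ports Amanda may pick that pf would not pass,
    and ports pf opens that Amanda never uses.
    """
    k_lo, k_hi = parse_range(knob)
    m_lo, m_hi = parse_range(macro)
    amanda = set(range(k_lo, k_hi + 1))
    opened = set(range(m_lo, m_hi + 1))
    return sorted(amanda - opened), sorted(opened - amanda)


class AmandaPolicy:
    """The three flows needed to back up the firewall itself."""

    def __init__(self, servers, firewall, tcp_knob, udp_knob):
        self.servers = [ip_network(s) for s in servers]
        self.firewall = ip_address(firewall)
        self.tcp = parse_range(tcp_knob)
        self.udp = parse_range(udp_knob)

    def _is_server(self, addr):
        return any(ip_address(addr) in net for net in self.servers)

    def classify(self, proto, src, sport, dst, dport):
        """Name the described flow a packet belongs to, or None if it fits none."""
        to_fw = self._is_server(src) and ip_address(dst) == self.firewall
        from_fw = ip_address(src) == self.firewall and self._is_server(dst)
        if proto == "udp" and to_fw and dport == AMANDA_PORT:
            return "request"   # server, any source port -> firewall:10080
        if proto == "tcp" and to_fw and self.tcp[0] <= dport <= self.tcp[1]:
            return "data"      # server, any source port -> firewall:AMANDA_PORTRANGE
        if (proto == "udp" and from_fw and sport == AMANDA_PORT
                and self.udp[0] <= dport <= self.udp[1]):
            return "reply"     # firewall:10080 -> server:AMANDA_UDPPORTRANGE
        return None


POLICY = AmandaPolicy(
    servers=["10.10.10.26/32", "67.134.74.26/32"],  # $int_amanda, from the message
    firewall="10.10.10.1",                           # constructed; $int is not given
    tcp_knob="50001,50099",                          # AMANDA_PORTRANGE
    udp_knob="801,899",                              # AMANDA_UDPPORTRANGE
)

# Constructed sample packets: (proto, src, sport, dst, dport)
SAMPLES = [
    ("udp", "10.10.10.26", 40123, "10.10.10.1", 10080),  # backup request
    ("tcp", "10.10.10.26", 51234, "10.10.10.1", 50042),  # data connection
    ("udp", "10.10.10.1", 10080, "10.10.10.26", 850),    # UDP back to the server
    ("tcp", "10.10.10.26", 51234, "10.10.10.1", 50100),  # inside pf macro, outside knob
    ("udp", "192.0.2.7", 40123, "10.10.10.1", 10080),    # not the Amanda server
]


def report():
    """Classify every constructed sample packet."""
    return [POLICY.classify(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, flow in zip(SAMPLES, report()):
        print(pkt, "->", flow)
    print("tcp (missing, excess):", audit("50001,50099", "50000:50100"))
    print("udp (missing, excess):", audit("801,899", "800:900"))
```

[With the values quoted in the message, the pf macros cover every port the knobs allow and open two extra ports on each range (50000 and 50100 for TCP, 800 and 900 for UDP).]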
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 23:08:55 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2962216A405 for ; Tue, 3 Apr 2007 23:08:55 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: from qsmtp4.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 0C7E013C484 for ; Tue, 3 Apr 2007 23:08:54 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: (qmail 2986 invoked from network); 3 Apr 2007 16:08:54 -0700 Received: by simscan 1.1.0 ppid: 2957, pid: 2958, t: 3.2054s scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:42/d:2665 spam: 3.0.3 Received: from unknown (HELO blacklamb.mykitchentable.net) (66.205.146.210) by qsmtp4 with SMTP; 3 Apr 2007 16:08:51 -0700 Received: from [192.168.25.6] (unknown [192.168.25.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by blacklamb.mykitchentable.net (Postfix) with ESMTP id DA3F0164964; Tue, 3 Apr 2007 16:08:50 -0700 (PDT) Message-ID: <4612DE86.2000706@mykitchentable.net> Date: Tue, 03 Apr 2007 16:08:54 -0700 
From: Drew Tomlinson User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: Max Laier References: <46117263.3060203@mykitchentable.net> <200704031812.00089.max@love2party.net> In-Reply-To: <200704031812.00089.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp4.surewest.net X-Spam-Level: X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00, RCVD_IN_SORBS_DUL autolearn=no version=3.0.3 Cc: freebsd-pf@freebsd.org Subject: Re: Bacula and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 23:08:55 -0000

On 4/3/2007 9:11 AM Max Laier wrote:
> On Monday 02 April 2007 23:15, Drew Tomlinson wrote:
>
>> I run Bacula v1.38 on my home network. Ever since I moved from ipfw2
>> to pf, backups fail intermittently on my router due to "broken network
>> pipes" usually after somewhere around 10 MB - 12 MB has been
>> transferred. Thus small incremental backups are successful but larger
>> full backups are not. I do not have this problem when I disable pf on
>> the router, nor do I have problems when completing backups with other
>> machines on my internal network. My setup looks like this:
>>
>> bacula director --------- router (client)
>> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>>
>> Communication takes place on ports 9102 and 9103. I captured this
>> output from pflog0 after starting a backup:
>>
>> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
>> and ( port 9102 or port 9103 )"
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode listening on pflog0, link-type PFLOG (OpenBSD pflog file),
>> capture size 96 bytes
>> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
>> 65535
>> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
>> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
>> 65535
>> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
>> 2265048452 win 65535
>>
>> And the rules are:
>>
>> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any
>> modulate state queue(std_out, ack_out)
>>
>
> This rule should have "flags S/SA" on it.
>

In my attempts to get ALTQ queuing working, I have found that adding flags here breaks it. However I am sure I am not approaching queuing correctly. I posted a bit about the problem here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=4242+9504+/usr/local/www/db/text/2007/freebsd-pf/20070225.freebsd-pf

After getting no response (which made me think my approach was way off), I attempted to redo my rule set and asked for help here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=87780+93096+/usr/local/www/db/text/2007/freebsd-pf/20070401.freebsd-pf

This post received one response regarding "keep state" and flags as well. I think I understand the concept about stateful inspections but I do not understand how to get queuing to work only on packets sent from my router to machines over the Internet. Seems that when I make "keep state" rules on inbound connections, the return traffic matches the state rules and thus never gets queued. I would LOVE to understand this better and would really appreciate any links to suggested reading.

>> @13 pass out log on dc0 inet all
>>
>> Any ideas why Bacula would have such a problem? Other things to check?
>>
>
> Can you turn on pf debugging via "pfctl -xm" and watch the console while
> doing the backup? Also monitor "pfctl -si" for increasing counters -
> esp. state-mismatch.
>

OK, I tried this and it's obvious to me that my pf configuration is not correct. I see tons of messages such as these:

Apr 3 15:49:42 blacksheep kernel: pf_map_addr: selected address 66.205.146.210
Apr 3 15:49:46 blacksheep kernel: pf: BAD state: TCP 140.105.134.102:54934 140.105.134.102:54934 192.168.1.4:25 [lo=836336158 high=836336204 win=33304 modulator=0] [lo=1850627322 high=1850660626 win=46 modulator=0] 4:4 PA seq=836336158 ack=1850627322 len=185 ackskew=0 pkts=4:5 dir=in,fwd
Apr 3 15:49:46 blacksheep kernel: pf: State failure on: 1 |

However in searching the logs for messages containing the IP address of the router (192.168.1.2) while running a full backup that errored out after just 2.2 MB of data transfer, I found these entries:

Apr 3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549637128 high=3549637922 win=33304 modulator=0] 4:4 A seq=3549637128 ack=1243881036 len=1448 ackskew=0 pkts=1081:1727 dir=out,rev
Apr 3 15:50:19 blacksheep kernel: pf: State failure on: 1 |
Apr 3 15:50:19 blacksheep kernel: pf: BAD state: TCP 192.168.1.2:50083 192.168.1.2:50083 192.168.1.4:9103 [lo=1243881036 high=1243914340 win=33304 modulator=0] [lo=3549638576 high=3549639370 win=33304 modulator=0] 4:4 A seq=3549638576 ack=1243881036 len=1448 ackskew=0 pkts=1082:1728 dir=out,rev

I didn't monitor "pfctl -si" as you suggested. Obviously the counters would be increasing dramatically.

So apparently state failure is my problem, likely caused by my misunderstanding of how to create a proper pf ruleset to achieve my goals. I've been through OpenBSD's pf FAQ numerous times. I've read Peter Hansteen's tutorial many times. However I still can't seem to get it through my thick head how to write a proper ruleset to get queuing to work the way I want.

Thanks for any suggestions,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 23:34:25 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8BF3A16A402 for ; Tue, 3 Apr 2007 23:34:25 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: from qsmtp1.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 6EA7013C44C for ; Tue, 3 Apr 2007 23:34:25 +0000 (UTC) (envelope-from drew@mykitchentable.net) Received: (qmail 19565 invoked from network); 3 Apr 2007 16:34:25 -0700 Received: by simscan 1.1.0 ppid: 19546, pid: 19547, t: 4.2771s scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:42/d:2665 spam: 3.0.3 Received: from unknown (HELO blacklamb.mykitchentable.net) (66.205.146.210) by qsmtp1 with SMTP; 3 Apr 2007 16:34:20 -0700 Received: from [192.168.25.6] (unknown [192.168.25.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by blacklamb.mykitchentable.net (Postfix) with ESMTP id AF3BA164964; Tue, 3 Apr 2007 16:34:19 -0700 (PDT) Message-ID: <4612E47E.4090602@mykitchentable.net> Date: Tue, 03 Apr 2007 16:34:22 -0700
From: Drew Tomlinson User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: Dave References: <46117263.3060203@mykitchentable.net> <000701c77581$e13730b0$0200a8c0@satellite> <46127020.50207@mykitchentable.net> <001d01c77605$f76a95a0$0200a8c0@satellite> In-Reply-To: <001d01c77605$f76a95a0$0200a8c0@satellite> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp1.surewest.net X-Spam-Level: X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00, RCVD_IN_SORBS_DUL autolearn=no version=3.0.3 Cc: freebsd-pf@freebsd.org Subject: Re: Bacula and pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2007 23:34:25 -0000

On 4/3/2007 8:37 AM Dave wrote:
> Hi,
> Ok, that's interesting. Can you send me your bacula configs for
> this client and the server box and your pf config? I'd like to compare
> them with mine, see if i can spot something subtle. Offhand though
> that's strange, i can think of several possibilities, but they're not
> usually set in pf. Does the box your server is on also have a
> firewall? Maybe related, maybe not, what kind of media are you backing
> up to? Maybe it's timing out waiting to spool data?
> Thanks.
> Dave.

Thanks for your offer of help. However after reading Max's post and trying his suggestions, I really think the problem is with my pf configuration and not Bacula especially since I've been running Bacula with my current config without trouble for several years. It was only when I moved firewalls from ipfw to pf that I began to have trouble. But if you still want to see my configs I'll send them.

To answer your other questions, my director is on is not on the firewall and does not have one of its own. I'm backing up to FileStorage and am not spooling data as I recall.

Thanks again,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 4 07:43:48 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 220D016A401; Wed, 4 Apr 2007 07:43:48 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id EDF6213C448; Wed, 4 Apr 2007 07:43:47 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l347hlvf057271; Wed, 4 Apr 2007 07:43:47 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l347hlq2057267; Wed, 4 Apr 2007 07:43:47 GMT (envelope-from linimon) Date: Wed, 4 Apr 2007 07:43:47 GMT
From: Mark Linimon Message-Id: <200704040743.l347hlq2057267@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/111220: [pf] repeatable hangs while manipulating pf tables X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2007 07:43:48 -0000

Synopsis: [pf] repeatable hangs while manipulating pf tables

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 4 07:43:31 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=111220

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 4 13:36:57 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 68F0E16A408; Wed, 4 Apr 2007 13:36:57 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 41D9F13C44C; Wed, 4 Apr 2007 13:36:57 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from freefall.freebsd.org (remko@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l34Dav2S088227; Wed, 4 Apr 2007 13:36:57 GMT (envelope-from remko@freefall.freebsd.org) Received: (from remko@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l34Davc1088223; Wed, 4 Apr 2007 13:36:57 GMT (envelope-from remko) Date: Wed, 4 Apr 2007 13:36:57 GMT
From: Remko Lodder Message-Id: <200704041336.l34Davc1088223@freefall.freebsd.org> To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: conf/111225: [pfsync]: missing option "syncpeer" in pfsync startup script X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2007 13:36:57 -0000

Old Synopsis: missing option "syncpeer" in pfsync startup script
New Synopsis: [pfsync]: missing option "syncpeer" in pfsync startup script

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Apr 4 13:36:31 UTC 2007
Responsible-Changed-Why:
Reassign to the PF team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 5 19:26:48 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2E72F16A401 for ; Thu, 5 Apr 2007 19:26:48 +0000 (UTC) (envelope-from dougs@dawnsign.com) Received: from mailfilter.dawnsign.com (216-70-250-4.static-ip.telepacific.net [216.70.250.4]) by mx1.freebsd.org (Postfix) with ESMTP id 1A8BD13C448 for ; Thu, 5 Apr 2007 19:26:48 +0000 (UTC) (envelope-from dougs@dawnsign.com) Received: from cetus.dawnsign.com (cetus.dawnsign.com [192.168.1.5]) by mailfilter.dawnsign.com (Postfix) with ESMTP id EA59695818 for ; Thu, 5 Apr 2007 11:56:17 -0700 (PDT) Received: by cetus.dawnsign.com with Internet Mail Service (5.5.2657.72) id ; Thu, 5 Apr 2007 11:56:17 -0700 Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com>
From: Doug Sampson To: "'freebsd-pf@freebsd.org'" Date: Thu, 5 Apr 2007 11:56:17 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain; charset="iso-8859-1" Subject: collision errors X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Apr 2007 19:26:48 -0000

root@~# netstat -i
Name    Mtu Network        Address                 Ipkts Ierrs    Opkts Oerrs  Coll
xl0    1500                00:10:5a:85:91:ad      950032     0   617837    10 45299
xl0    1500 192.168.xxx    192.168.xxx.xxx        680757     -   609403     -     -
rl0    1500                00:40:f4:5d:6a:d5    21251657     0 21427783     0     0
rl0    1500 216.xxx.xxx/28 216-xxx-xxx-xxx.stat   390194     - 21427789     -     -
plip0  1500                                            0     0        0     0     0
lo0   16384                                        41894     0    41894     0     0
lo0   16384 fe80:4::1      fe80:4::1                   0     -        0     -     -
lo0   16384 localhost      ::1                         0     -        0     -     -
lo0   16384 your-net       localhost            20808137     -    41662     -     -
pflog 33208                                            0     0        0     0     0

(IP addresses altered above for protection)

I'm a pf newb and am running pfspamd on this FBSD 6.2 machine. How do I trace the collision errors? Seems excessively high- more than 5% here. I want to rule out hardware issues with the 3C905b card before I get into network overload issues but am not sure how.

~Doug From owner-freebsd-pf@FreeBSD.ORG Thu Apr 5 19:36:45 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C715D16A403 for ; Thu, 5 Apr 2007 19:36:45 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.freebsd.org (Postfix) with ESMTP id 9543313C44B for ; Thu, 5 Apr 2007 19:36:45 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from d620 (85-211-224-44.dyn.gotadsl.co.uk [85.211.224.44]) by smtp.nildram.co.uk (Postfix) with ESMTP id BA8B42B5F5A; Thu, 5 Apr 2007 20:36:40 +0100 (BST) 
From: "Greg Hennessy" To: "'Doug Sampson'" , References: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com> In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D013984@cetus.dawnsign.com> Date: Thu, 5 Apr 2007 20:37:33 +0100 Message-ID: <000001c777b9$dbdfa270$939ee750$@Hennessy@nviz.net> MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Acd3uPYamGqeEVWXSNqNR5g9fA2awwAAImug Content-Language: en-gb Cc: Subject: RE: collision errors X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Apr 2007 19:36:45 -0000

> I'm a pf newb and am running pfspamd on this FBSD 6.2 machine. How do I
> trace the collision errors? Seems excessively high- more than 5% here.
> I want to rule out hardware issues with the 3C905b card before I get into
> network overload issues but am not sure how.

Hard set the card, switch ports and other end point to 100 full duplex.
Change the network cable.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 5 20:38:32 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7A60616A4CD; Thu, 5 Apr 2007 20:38:32 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by mx1.freebsd.org (Postfix) with ESMTP id AB63413C4F3; Thu, 5 Apr 2007 20:38:29 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 1HZW0I-00075D-4K; Thu, 05 Apr 2007 17:44:10 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp4.email.verio.net with esmtp id 1HZW0I-0000MI-0y; Thu, 05 Apr 2007 17:44:10 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 21B9F8E131; Thu, 5 Apr 2007 12:44:00 -0500 (CDT) Date: Thu, 5 Apr 2007 12:44:00 -0500
From: David DeSimone To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Message-ID: <20070405174359.GA23665@verio.net> Mail-Followup-To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline User-Agent: Mutt/1.5.9i Cc: Subject: Status of sasyncd for IPSEC? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Apr 2007 20:38:32 -0000

Hello Lists -

Sorry for the cross-post, but I am not actually sure which list this question belongs on.

I have been working on building HA firewall/VPN systems using PF and IPSEC and CARP. The systems work quite well, however there is a small gap in the desired feature set: HA VPN.

I believe OpenBSD has a daemon called sasyncd(8) which utilizes pfsync(4) to synchronize the negotiated SA's between the cluster members. So, if one firewall fails, the other can pick up and continue not only firewall state but VPN activity without a hitch.

So I am wondering, what is the status of a port of sasyncd to FreeBSD? Any pointers appreciated.

I am also wondering about IKE synchronization. My understanding is that sasyncd keeps the IPSEC SA's sync'd between cluster members, but the IKE negotiations are not synchronized. I imagine that racoon(8) would have to take on that role, and I am curious if any work has been done to facilitate this.

If there is any further work needed, I would like to look into completing it, but I don't want to start from scratch unless I have to. Please let me know what info is available.

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. -- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 6 02:10:10 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B03F216A404 for ; Fri, 6 Apr 2007 02:10:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 546B213C4AE for ; Fri, 6 Apr 2007 02:10:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l362AAvp077021 for ; Fri, 6 Apr 2007 02:10:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l362AACg077020; Fri, 6 Apr 2007 02:10:10 GMT (envelope-from gnats) Date: Fri, 6 Apr 2007 02:10:10 GMT Message-Id: <200704060210.l362AACg077020@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Giorgos Keramidas Cc: Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Giorgos Keramidas List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Apr 2007 02:10:10 -0000

The following reply was made to PR conf/111225; it has been noted by GNATS. 
From: Giorgos Keramidas To: Bas van Beek Cc: freebsd-gnats-submit@freebsd.org Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script Date: Fri, 6 Apr 2007 04:47:17 +0300 On 2007-04-04 13:10, Bas van Beek wrote: > A minor update of the pfsync script would allow for this option to be > included in the rc.conf script: > > if [ -z "$pfsync_syncpeer" ] ; then > ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up > else > ifconfig pfsync0 syncpeer $pfsync_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up > fi Sounds like a good idea. Does the following patch look like something we can use to make pfsync_syncpeer="address" work, and document it as an rc.conf option? [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ] %%% diff -r 7fd2429572a3 etc/rc.d/pfsync --- a/etc/rc.d/pfsync Fri Apr 06 01:25:19 2007 +0300 +++ b/etc/rc.d/pfsync Fri Apr 06 04:42:46 2007 +0300 @@ -37,7 +37,11 @@ pfsync_start() pfsync_start() { echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up + unset _syncpeer } pfsync_stop() diff -r 7fd2429572a3 share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 Fri Apr 06 01:25:19 2007 +0300 +++ b/share/man/man5/rc.conf.5 Fri Apr 06 04:42:46 2007 +0300 
@@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. %%% From owner-freebsd-pf@FreeBSD.ORG Fri Apr 6 21:30:09 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B167B16A401 for ; Fri, 6 Apr 2007 21:30:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 5D48013C500 for ; Fri, 6 Apr 2007 21:30:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l36LU9k2012876 for ; Fri, 6 Apr 2007 21:30:09 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l36LU9F8012873; Fri, 6 Apr 2007 21:30:09 GMT (envelope-from gnats) Date: Fri, 6 Apr 2007 21:30:09 GMT Message-Id: <200704062130.l36LU9F8012873@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org 
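Review bot: In the pfsync_start() hunk of etc/rc.d/pfsync, _syncpeer is assigned only inside the "if", and "unset _syncpeer" runs after ifconfig has already consumed it, so a _syncpeer value left in the shell by anything sourced earlier is passed to "ifconfig pfsync0" when pfsync_syncpeer is empty. Clearing the variable before the test (a bare "_syncpeer=" ahead of the "if") makes the empty case deterministic; the trailing unset can then stay or go.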
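Review bot: In the rc.conf.5 hunk, the new pfsync_syncpeer entry says the traffic "can then be protected using ipsec(4)", which is easy to read as if setting a peer address were itself the protection. Suggest stating outright that pfsync_syncpeer only changes the destination from the 224.0.0.240 multicast group to the given peer address, and that the state updates remain unprotected until an ipsec(4) policy covering that peer is configured separately.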
From: Giorgos Keramidas Cc: Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Giorgos Keramidas List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Apr 2007 21:30:09 -0000 The following reply was made to PR conf/111225; it has been noted by GNATS. From: Giorgos Keramidas To: Bas van Beek Cc: freebsd-gnats-submit@freebsd.org Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script Date: Sat, 7 Apr 2007 00:24:55 +0300 > From: Giorgos Keramidas > To: Bas van Beek > Cc: freebsd-gnats-submit@freebsd.org > Subject: conf/111225: Re: conf/111225: missing option "syncpeer" in pfsync startup script > Date: Fri, 6 Apr 2007 04:47:17 +0300 > > Sounds like a good idea. Does the following patch look like something > we can use to make pfsync_syncpeer="address" work, and document it as an > rc.conf option? > > [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ] The original version of the patch used 'unset' to keep $_syncpeer local, but Simon has pointed me at using "local _syncpeer" since then. I've updated the patch online with: %%% diff -r 7fd2429572a3 etc/rc.d/pfsync --- a/etc/rc.d/pfsync Fri Apr 06 01:25:19 2007 +0300 +++ b/etc/rc.d/pfsync Sat Apr 07 00:22:07 2007 +0300 @@ -36,8 +36,13 @@ pfsync_prestart() pfsync_start() { + local _syncpeer + echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up } pfsync_stop() diff -r 7fd2429572a3 share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 Fri Apr 06 01:25:19 2007 +0300 +++ b/share/man/man5/rc.conf.5 Sat Apr 07 00:22:07 2007 +0300 
@@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. %%% From owner-freebsd-pf@FreeBSD.ORG Sat Apr 7 17:45:55 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6DBF816A403; Sat, 7 Apr 2007 17:45:55 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.freebsd.org (Postfix) with ESMTP id 022EE13C468; Sat, 7 Apr 2007 17:45:54 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.15.55] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1HaEz216wn-00041r; Sat, 07 Apr 2007 19:45:53 +0200 
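Review bot: In the revised pfsync_start() hunk, "local _syncpeer" on its own does not guarantee an empty value: sh(1) documents that a variable made local inherits the initial value of a same-named variable in the surrounding scope, and the only assignment is still inside the "if". Declaring it as "local _syncpeer=" (or assigning an empty string right after the declaration) covers the case where pfsync_syncpeer is not set.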
From: Max Laier Organization: FreeBSD To: Nate Lawson Date: Sat, 7 Apr 2007 18:45:44 +0100 User-Agent: KMail/1.9.5 References: <4617D3A6.8000201@root.org> In-Reply-To: <4617D3A6.8000201@root.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1565023.8ZCeSOeJC0"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200704071945.51273.max@love2party.net> Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: call for testers: altq in current X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Apr 2007 17:45:55 -0000

On Saturday 07 April 2007 19:23, Nate Lawson wrote:
> A few weeks ago, I committed a change to ALTQ that I was only able to
> compile-test. What I need is someone with a laptop or other
> cpufreq-capable system that is also using ALTQ to verify that with
> powerd running, the queuing timing is now reliable.
>
> Previously, altq would just cache the first value of the CPU freq it
> saw (based on tsc_freq) and use that forever. Now it gets updated each
> time the freq changes. I want to make sure the edge cases (i.e., freq
> changes while a packet is being timed) work ok.

I will try to give it a spin over the long weekend. Other testers please
note that you should test this without ALTQ_NOPCC. Looking at the patch
now, it seems that the eventhandler should take this into account, too.
i.e. when ALTQ_NOPCC is defined we emulate a 256Mhz clock with
microtime - this shouldn't be dependent on the real cpu frequency
(even though things will get strange when the clockspeed drops below
256Mhz). Sorry for not paying attention when you posted the patch.

CC'ing freebsd-pf@ ... laptop anyone?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 7 19:00:03 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8F8E316A405 for ; Sat, 7 Apr 2007 19:00:03 +0000 (UTC) (envelope-from nate@root.org) Received: from root.org (root.org [67.118.192.226]) by mx1.freebsd.org (Postfix) with ESMTP id 54CA013C45E for ; Sat, 7 Apr 2007 19:00:03 +0000 (UTC) (envelope-from nate@root.org) Received: (qmail 17578 invoked from network); 7 Apr 2007 18:33:24 -0000 Received: from ppp-71-139-28-99.dsl.snfc21.pacbell.net (HELO ?10.0.0.235?) (nate-mail@71.139.28.99) by root.org with ESMTPA; 7 Apr 2007 18:33:24 -0000 Message-ID: <4617E3ED.9090400@root.org> Date: Sat, 07 Apr 2007 11:33:17 -0700 
From: Nate Lawson User-Agent: Thunderbird 1.5.0.7 (X11/20061027) MIME-Version: 1.0 To: Max Laier References: <4617D3A6.8000201@root.org> <200704071945.51273.max@love2party.net> In-Reply-To: <200704071945.51273.max@love2party.net> X-Enigmail-Version: 0.94.1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: call for testers: altq in current X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Apr 2007 19:00:03 -0000

Max Laier wrote:
> On Saturday 07 April 2007 19:23, Nate Lawson wrote:
>> A few weeks ago, I committed a change to ALTQ that I was only able to
>> compile-test. What I need is someone with a laptop or other
>> cpufreq-capable system that is also using ALTQ to verify that with
>> powerd running, the queuing timing is now reliable.
>>
>> Previously, altq would just cache the first value of the CPU freq it
>> saw (based on tsc_freq) and use that forever. Now it gets updated each
>> time the freq changes. I want to make sure the edge cases (i.e., freq
>> changes while a packet is being timed) work ok.
>
> I will try to give it a spin over the long weekend. Other testers please
> note that you should test this without ALTQ_NOPCC. Looking at the patch
> now, it seems that the eventhandler should take this into account, too.
> i.e. when ALTQ_NOPCC is defined we emulate a 256Mhz clock with
> microtime - this shouldn't be dependent on the real cpu frequency
> (even though things will get strange when the clockspeed drops below
> 256Mhz). Sorry for not paying attention when you posted the patch.
>
> CC'ing freebsd-pf@ ... laptop anyone?

Thanks Max. Yes, the microtime clock will be mostly unaffected by the CPU frequency. However, we may need to look into that case.

-- Nate
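
The timing problem discussed in this thread, as an added example that is not part of any message here and is not ALTQ source: a constructed C model of a rate shaper that turns counter ticks into byte credit, comparing a frequency cached once, a frequency swapped without settling the interval in progress, and a settle-then-swap update. All names, the 10 Mbit/s rate and the 2 GHz to 1 GHz timeline are assumptions; the emulated clock assumes microseconds shifted left by 8, which yields the 256 MHz figure mentioned above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model for illustration; all names here are hypothetical. */
#define EMUL_SHIFT 8                           /* usec << 8: 256 ticks per usec */
#define EMUL_FREQ  (1000000ULL << EMUL_SHIFT)  /* fixed 256 MHz emulated clock */
#define RATE_BPS   1250000ULL                  /* 10 Mbit/s as bytes per second */
#define F_FAST     2000000000ULL               /* counter rate before the change */
#define F_SLOW     1000000000ULL               /* counter rate after the change */
/* Constructed timeline: 0.5 s at F_FAST, then 0.5 s at F_SLOW (1 s real time). */
#define T_SWITCH   1000000000ULL               /* counter value at the change */
#define T_END      1500000000ULL               /* counter value 1 s after start */

enum mode { STALE, SWAP_ONLY, SETTLE_THEN_SWAP };

struct shaper {
    uint64_t freq;    /* ticks per second assumed when converting */
    uint64_t last;    /* counter value at the last settlement */
    uint64_t credit;  /* bytes credited so far */
};

/* Credit bytes for the ticks elapsed since the last settlement. */
static void settle(struct shaper *s, uint64_t now)
{
    s->credit += (now - s->last) * RATE_BPS / s->freq;
    s->last = now;
}

/* Bytes credited over the 1 s timeline for each way of handling the change. */
uint64_t credit_cycle_counter(enum mode m)
{
    struct shaper s = { F_FAST, 0, 0 };

    if (m == SETTLE_THEN_SWAP)
        settle(&s, T_SWITCH);   /* close the open interval at the old rate */
    if (m != STALE)
        s.freq = F_SLOW;        /* frequency-change event updates the value */
    settle(&s, T_END);
    return s.credit;
}

/* Same second measured by a clock derived from wall-clock microseconds. */
uint64_t credit_emulated_clock(void)
{
    struct shaper s = { EMUL_FREQ, 0, 0 };

    settle(&s, 1000000ULL << EMUL_SHIFT);   /* 1,000,000 usec elapsed */
    return s.credit;
}

int main(void)
{
    printf("stale:     %llu\n", (unsigned long long)credit_cycle_counter(STALE));
    printf("swap only: %llu\n", (unsigned long long)credit_cycle_counter(SWAP_ONLY));
    printf("settled:   %llu\n", (unsigned long long)credit_cycle_counter(SETTLE_THEN_SWAP));
    printf("emulated:  %llu\n", (unsigned long long)credit_emulated_clock());
    return 0;
}
```

Against a configured 1,250,000 bytes for the second, the stale frequency under-credits and the unsettled swap over-credits; only settling at the old frequency before switching, or a clock that does not follow the CPU, matches the configured rate in this model.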