On Tue, Jan 5, 2010 at 8:34 PM, Robert <rob...@openbsd.pap.st> wrote:
....
> nat and rdr are now declared with match rules. But 'pass' still works:
> pass out on em0 inet from 192.168.1.0/24 to any flags S/SA keep state nat-to (em0) round-robin
>
>> An issue today was the box totally froze after I removed one of the
>> redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
>> As soon as I ran systat it froze dead. Not even a panic.
>
> You say you killed a box by trying to load a ruleset?
> Checked the config with -n before loading?

No, I am saying I killed the box by removing a single existing rule from the ruleset and running systat. It froze as soon as I ran 'systat queues'. After a reboot the box has no trouble running the ruleset.

> The queues on the internal interface in that example are used to limit
> download speeds from the "internet". Can't do that on the external
> interface. And yes, if not done right those rules would mess with
> traffic that is internal and should not have hit those queues in the
> first place.

Hmm... I simply copied the example, and my internal interface became bandwidth-limited as in the example.

Thanks.
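For readers following the thread, here is an added pf.conf fragment (not from the thread or any OpenBSD example) showing the match-based nat-to form next to the pass rule, and a download queue on the internal interface that only catches traffic which arrived from the external side, so internal traffic is not shaped. Interface names, the LAN prefix, the tag name and the bandwidths are assumptions; check it with 'pfctl -nf' before loading.

```pf
# Added example; names, network and bandwidths below are assumed values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# NAT is declared on a match rule; the pass rule afterwards creates the state.
match out on $ext_if inet from $int_net to any nat-to ($ext_if) round-robin
pass  out on $ext_if inet from $int_net to any flags S/SA keep state

# pf can only shape what it transmits, so "download" limiting lives on the
# internal interface, where replies to the LAN are sent.
altq on $int_if cbq bandwidth 100Mb queue { std_q, dl_q }
queue std_q bandwidth 90% cbq(default)
queue dl_q  bandwidth 10%

# Tag packets as they arrive on the external interface; only tagged packets
# leaving on $int_if are put in the download queue. Traffic that never
# entered via $ext_if (internal-to-internal) falls into the default queue.
match in  on $ext_if tag FROM_INET
pass  out on $int_if tagged FROM_INET queue dl_q
```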