freebsd + squid + pf problem

2007-03-30 Thread he ccjj

I use freebsd + squid + pf to set up a transparent proxy box.
my /etc/pf.conf:
ext_if="{fxp0}"
int_if="{em0}"
int_net="{192.168.100.254/16}"

icmp_types="echoreq"

set block-policy return
set optimization aggressive
set skip on lo0

scrub in

nat on $ext_if from $int_net to any -> $ext_if
rdr pass on $int_if inet proto tcp from $int_net to any port http -> 127.0.0.1 port 8080

antispoof quick for $ext_if inet

pass in on $ext_if keep state
pass out on $ext_if keep state
pass in on $int_if keep state
pass out on $int_if keep state

main parts of my /usr/local/etc/squid/squid.conf:

http_port localhost:8080 transparent
visible_hostname proxy
acl all src 0.0.0.0/0.0.0.0
..
http_access allow all
http_reply_access allow all
icp_access allow all
miss_access allow all
always_direct allow all

Now I restart pf and squid, and I can visit web sites from clients. But I
can't use some p2p programs, like
pplive (http://www.pplive.com/en/index.html). Why?

My squid version is 2.6; I tested under freebsd 6.1 and 6.2 (all after
portsnap fetch update and portupgrade -arR).
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: pf problem with table

2006-04-20 Thread Reinhold Platzoeder
On Thu, 20 Apr 2006 09:21:40 +0200
[EMAIL PROTECTED] (Peter N. M. Hansteen) wrote:

> Reinhold Platzoeder <[EMAIL PROTECTED]> writes:
> 
> > My problem looks like the file is too big to be loaded into pf
> > My firewall stops responding when the file has about 7000 IPs in it
> > The old file has 104450 IPs in it and I would like to block them
> 
> You could try manipulating the table entries limits, ie
> 
> set limit table-entries 15
> 
> in your pf.conf would set the upper limit for number of entries in a
> table to 15.
> 

Hi

When I add this option I get a syntax error.
I have added it like this:
set limit table-entries 15
and then I tried
set limit { states 1, frags 5000, table-entries 15 }

both times I get
pfctl: Bad pool name.
/etc/pf.conf:25: unable to set limit table-entries 15
pfctl: Syntax error in config file: pf rules not loaded


I also tried lowering the number with no success 



-- 
Reinhold Platzoeder

[EMAIL PROTECTED]
[EMAIL PROTECTED]

http://www.violetlan.net


Re: pf problem with table

2006-04-20 Thread Peter N. M. Hansteen
Reinhold Platzoeder <[EMAIL PROTECTED]> writes:

> My problem looks like the file is too big to be loaded into pf
> My firewall stops responding when the file has about 7000 IPs in it
> The old file has 104450 IPs in it and I would like to block them

You could try manipulating the table entries limits, ie

set limit table-entries 15

in your pf.conf would set the upper limit for number of entries in a
table to 15.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.



Re: pf problem with table

2006-04-19 Thread Reinhold Platzoeder
On Wed, 19 Apr 2006 07:41:33 -0400
"fbsd" <[EMAIL PROTECTED]> wrote:

> Error msg means there is something wrong with the content of
> /etc/pfdata/blocklist-p2p
> 
> check that there are no blank lines in that file.
> 
> make file with only ten entries and test.
> Then add more content until you break it.
> maybe 1.7 MB file size is too large for max table size
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Reinhold
> Platzoeder
> Sent: Wednesday, April 19, 2006 2:17 AM
> To: freebsd-questions@freebsd.org
> Subject: pf problem with table
> 
> 
> Hi
> 
> I have a problem with FreeBSD 6 and pf.
> I am trying to load a 1.7M file into pf using a table,
> but I get this error
> 
> /etc/pf.conf:22: cannot define table p2pblock: Cannot allocate
> memory
> pfctl: Syntax error in config file: pf rules not loaded
> 
> the table config in pf.conf is
> table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
> block in log quick on $ext_if from <p2pblock> to any
> 
> I have tried it on two different machines and both give me the same
> error
> 
> everything works when I comment these two lines out
> 
> Any ideas as to what I'm doing wrong?
> 
> Thanks
> 
> --
> Reinhold Platzoeder
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> http://www.violetlan.net

Hi

My problem looks like the file is too big to be loaded into pf.
My firewall stops responding when the file has about 7000 IPs in it.
The old file has 104450 IPs in it and I would like to block them.

Does anyone know how I can get this file to load into pf without
killing my machine?

Here are my top stats:

last pid:  4899;  load averages:  0.00,  0.00,  0.00  up 1+02:06:53  01:23:55
30 processes:  1 running, 29 sleeping
CPU states:  0.0% user,  0.0% nice,  0.0% system,  1.6% interrupt, 98.4% idle
Mem: 13M Active, 4884K Inact, 23M Wired, 2852K Cache, 13M Buf, 9788K Free
Swap: 512M Total, 5364K Used, 507M Free, 1% Inuse

Thanks

-- 
Reinhold Platzoeder

[EMAIL PROTECTED]
[EMAIL PROTECTED]

http://www.violetlan.net


RE: pf problem with table

2006-04-19 Thread fbsd
Error msg means there is something wrong with the content of
/etc/pfdata/blocklist-p2p

check that there are no blank lines in that file.

make file with only ten entries and test.
Then add more content until you break it.
maybe 1.7 MB file size is too large for max table size



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Reinhold
Platzoeder
Sent: Wednesday, April 19, 2006 2:17 AM
To: freebsd-questions@freebsd.org
Subject: pf problem with table


Hi

I have a problem with FreeBSD 6 and pf.
I am trying to load a 1.7M file into pf using a table,
but I get this error

/etc/pf.conf:22: cannot define table p2pblock: Cannot allocate
memory
pfctl: Syntax error in config file: pf rules not loaded

the table config in pf.conf is
table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
block in log quick on $ext_if from <p2pblock> to any

I have tried it on two different machines and both give me the same
error

everything works when I comment these two lines out

Any ideas as to what I'm doing wrong?

Thanks

--
Reinhold Platzoeder

[EMAIL PROTECTED]
[EMAIL PROTECTED]

http://www.violetlan.net
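Added example, not code from this thread or from the pf project: a POSIX sh helper that does the checks suggested above (drop blank lines and comments, reject malformed entries) and counts what remains, so the count can be compared with pf's table-entries limit (current limits are shown by `pfctl -sm`; the limit is raised with `set limit table-entries N` in pf.conf). The function names and the sample list in the test are my own; the format assumed is one IPv4 address or CIDR network per line, which is what a blocklist of this kind normally contains.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: sanity-check a pf table
# file before loading it. Assumes one IPv4 address or CIDR network per line.

# pf_table_clean FILE : print the well-formed entries, one per line.
# Blank lines and "#" comments are dropped silently; anything that is not a
# dotted-quad IPv4 address with an optional /0-32 prefix is reported on
# stderr and dropped, since a single bad line makes pfctl reject the table.
pf_table_clean() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | awk '
        NF == 0 { next }                       # blank line (a suspect in the thread)
        {
            ok = 1
            n = split($1, p, "/")              # address / prefix
            if (n > 2) ok = 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32)) ok = 0
            if (split(p[1], o, ".") != 4) ok = 0
            for (i = 1; i <= 4 && ok; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (ok) print $1
            else print "skipping bad entry: " $0 > "/dev/stderr"
        }'
}

# pf_table_count FILE : number of entries pf would have to allocate
pf_table_count() {
    pf_table_clean "$1" 2>/dev/null | wc -l | tr -d ' '
}

# pf_table_head FILE N : the first N clean entries, for the "ten entries,
# then more until it breaks" test suggested in the reply above
pf_table_head() {
    pf_table_clean "$1" 2>/dev/null | head -n "$2"
}

# Usage: sh tablecheck.sh /etc/pfdata/blocklist-p2p
if [ $# -ge 1 ]; then
    echo "$(pf_table_count "$1") loadable entries in $1"
    echo "compare with the table-entries limit shown by: pfctl -sm"
fi
```

Run it against the real file; `pf_table_head FILE 10 > /etc/pfdata/test-p2p` gives the ten-entry test table, and a larger N steps the size up. If the clean count is above the table-entries limit, pf cannot allocate the entries and pfctl reports the "Cannot allocate memory" error seen in this thread, so the limit has to be raised before the full list will load.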


pf problem with table

2006-04-18 Thread Reinhold Platzoeder
Hi

I have a problem with FreeBSD 6 and pf.
I am trying to load a 1.7M file into pf using a table,
but I get this error

/etc/pf.conf:22: cannot define table p2pblock: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

the table config in pf.conf is
table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
block in log quick on $ext_if from <p2pblock> to any

I have tried it on two different machines and both give me the same
error

everything works when I comment these two lines out

Any ideas as to what I'm doing wrong?

Thanks

-- 
Reinhold Platzoeder

[EMAIL PROTECTED]
[EMAIL PROTECTED]

http://www.violetlan.net


re: PF problem!!!

2005-04-25 Thread Didier Wiroth
Did you enable the default variables in rc.conf (or rc.conf.local)?
see:
grep -e pf_ -e pflog /etc/defaults/rc.conf
and set the appropriate variables.

regards,
didier





Re: PF problem!!!

2005-04-25 Thread Peter N. M. Hansteen
"Fafa Diliha Romanova" <[EMAIL PROTECTED]> writes:

> My question is: Why do I have to type this every time after I've rebooted
> to make my NAT gateway server allow Internet access to my workstation?

Your rule set does not contain any rules which let packets pass *in* on
your internal interface. 

Remember, pf.conf is seen from the firewall's perspective. Traffic
passes IN from elsewhere on either interface to the firewall, OUT to
elsewhere on either interface. You have rules which let traffic pass
in to the firewall on the external interface and out from the firewall
on the external interface, but none which let traffic in on the internal
interface.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

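Added example, not from the thread: a small sh lint that parses a pf.conf (joining backslash-continued lines and ignoring comments) and reports which directions each interface macro has pass rules for, which makes the gap described in the reply above visible without loading the rule set on the firewall. The function names and the sample rule set are mine; it assumes rules are written `pass in|out on <iface> ...` as in the config posted in this thread. One caveat on the command quoted in the question: `pfctl -N` loads only the NAT rules from the file, so after `pfctl -F a ; pfctl -Nf /etc/pf.conf` none of the filter rules are in effect, the `block drop log all` default included; a full load is `pfctl -f /etc/pf.conf`.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: report which directions
# (in/out) a pf.conf passes on each interface. Assumes rules of the form
# "pass in|out on <iface> ..." and backslash line continuation as in pf.conf.

# pf_pass_dirs FILE : print "<iface> <dir>" for every pass rule, de-duplicated
pf_pass_dirs() {
    # 1. join lines ending in a backslash  2. strip comments  3. pick pass rules
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" \
      | sed -e 's/#.*//' \
      | awk '$1 == "pass" && ($2 == "in" || $2 == "out") && $3 == "on" { print $4, $2 }' \
      | sort -u
}

# pf_has_pass FILE IFACE DIR : succeed if a "pass DIR on IFACE" rule exists
pf_has_pass() {
    pf_pass_dirs "$1" | grep -qxF "$2 $3"
}

# pf_missing_dirs FILE IFACE : print the directions with no pass rule on IFACE
pf_missing_dirs() {
    for d in in out; do
        pf_has_pass "$1" "$2" "$d" || echo "$d"
    done
}

# Constructed sample in the shape of the rule set posted in this thread: it
# passes in and out on $ext_if but has no rule at all for $int_if.
sample_conf() {
    cat <<'EOF'
int_if="ep0"
ext_if="lnc0"
set block-policy drop
block drop log all          # default deny
pass quick on lo0 all
pass out on $ext_if inet proto tcp \
    from any to any flags S/SA keep state
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port { 22, 80 } flags S/SA keep state
EOF
}

# Usage: sh pflint.sh /etc/pf.conf '$int_if'
if [ $# -ge 2 ]; then
    echo "directions without a pass rule on $2:"
    pf_missing_dirs "$1" "$2"
fi
```

For the rule set in the question, `pf_missing_dirs /etc/pf.conf '$int_if'` reports both `in` and `out`, which is the gap the reply describes; the rule that closes it would be a `pass in on $int_if ...` rule for the workstation network (for example `pass in on $int_if from $int_if:network to any keep state`, my wording of the fix, not the author's).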


PF problem!!!

2005-04-25 Thread Fafa Diliha Romanova
Hello!

I am running FreeBSD 5.4-STABLE, with PF as firewall and NAT server.

My question is: Why do I have to type this every time after I've rebooted
to make my NAT gateway server allow Internet access to my workstation?

# pfctl -F a ; pfctl -Nf /etc/pf.conf ; pfctl -sr

Here is my /etc/pf.conf:

int_if="ep0"
ext_if="lnc0"

# *** Options
#
set block-policy drop

# *** Scrub incoming packets
#
scrub   in all

# *** NAT
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any \
port 21 -> 127.0.0.1 port 8021

# *** Default deny policy
#
block   drop log all

# *** Pass loopback traffic
#
pass quick on lo0 all

# *** Outgoing
#
#
pass out on $ext_if inet proto tcp \
from any to any flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } \
from ($ext_if) to any keep state

# *** Bootstrap
#
pass out on $ext_if inet proto udp \
from any port 68 to any port 67 keep state

# *** DNS and NTP
#
pass out on $ext_if inet proto udp \
from ($ext_if) to any port { 53, 123 } keep state

# *** SSH and HTTP
#
pass in on $ext_if inet proto tcp \
from any to ($ext_if) port { 22, 80 } flags S/SA keep state

# *** Active FTP
#
pass in on $ext_if inet proto tcp \
from port 20 to ($ext_if) user proxy flags S/SA keep state

Thanks all!
-- Fafa

