freebsd + squid + pf problem
I use freebsd + squid + pf to set up a transparent proxy box.

my /etc/pf.conf:

ext_if="{fxp0}"
int_if="{em0}"
int_net="{192.168.100.254/16}"
icmp_types="echoreq"
set block-policy return
set optimization aggressive
set skip on lo0
scrub in
nat on $ext_if from $int_net to any -> $ext_if
rdr pass on $int_if inet proto tcp from $int_net to any port http -> 127.0.0.1 port 8080
antispoof quick for $ext_if inet
pass in on $ext_if keep state
pass out on $ext_if keep state
pass in on $int_if keep state
pass out on $int_if keep state

main parts of my /usr/local/etc/squid/squid.conf:

http_port localhost:8080 transparent
visible_hostname proxy
acl all src 0.0.0.0/0.0.0.0
..
http_access allow all
http_reply_access allow all
icp_access allow all
miss_access allow all
always_direct allow all

now I restart pf and squid, I can visit web sites from clients. But I can't use some p2p programs, like pplive (http://www.pplive.com/en/index.html). Why?

my squid version is 2.6, I tested under freebsd 6.1 and 6.2 (all after portsnap fetch update and portupgrade -arR).

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: pf problem with table
On Thu, 20 Apr 2006 09:21:40 +0200 [EMAIL PROTECTED] (Peter N. M. Hansteen) wrote:

> Reinhold Platzoeder <[EMAIL PROTECTED]> writes:
>
> > My problem looks like the file is too big to be loaded into pf
> > My firewall stops responding when the file has about 7000 IPs in it
> > The old file has 104450 IPs in it and I would like to block them
>
> You could try manipulating the table entries limits, ie
>
> set limit table-entries 15
>
> in your pf.conf would set the upper limit for number of entries in a
> table to 15.

Hi

When I add this option I get a Syntax error
I have added it like this

set limit table-entries 15

and then I tried

set limit { states 1, frags 5000, table-entries 15 }

both times I get

pfctl: Bad pool name.
/etc/pf.conf:25: unable to set limit table-entries 15
pfctl: Syntax error in config file: pf rules not loaded

I also tried lowering the number with no success

--
Reinhold Platzoeder
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.violetlan.net
Re: pf problem with table
Reinhold Platzoeder <[EMAIL PROTECTED]> writes:

> My problem looks like the file is too big to be loaded into pf
> My firewall stops responding when the file has about 7000 IPs in it
> The old file has 104450 IPs in it and I would like to block them

You could try manipulating the table entries limits, ie

set limit table-entries 15

in your pf.conf would set the upper limit for number of entries in a
table to 15.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
Re: pf problem with table
On Wed, 19 Apr 2006 07:41:33 -0400 "fbsd" <[EMAIL PROTECTED]> wrote:

> Error msg means there is something wrong with the content of
> /etc/pfdata/blocklist-p2p
>
> check that there are no blank lines in that file.
>
> make file with only ten entries and test.
> Then add more content until you break it.
> maybe 1.7 MB file size is too large for max table size
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Reinhold Platzoeder
> Sent: Wednesday, April 19, 2006 2:17 AM
> To: freebsd-questions@freebsd.org
> Subject: pf problem with table
>
> Hi
>
> I have a problem with FreeBSD 6 and pf
> I am trying to load a 1.7M file in to pf using a table
> but I get this error
>
> /etc/pf.conf:22: cannot define table p2pblock: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> the table config in pf.conf is
>
> table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
> block in log quick on $ext_if from <p2pblock> to any
>
> I have tried it on two different machines and both give me the same error
>
> everything works when I comment these two lines out
>
> Any ideas as to what I'm doing wrong?
>
> Thanks
>
> --
> Reinhold Platzoeder
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> http://www.violetlan.net

Hi

My problem looks like the file is too big to be loaded into pf
My firewall stops responding when the file has about 7000 IPs in it
The old file has 104450 IPs in it and I would like to block them

Does anyone know how I can get this file to load into pf without killing my machine?

Here are my top stats

last pid:  4899;  load averages:  0.00,  0.00,  0.00    up 1+02:06:53  01:23:55
30 processes:  1 running, 29 sleeping
CPU states:  0.0% user,  0.0% nice,  0.0% system,  1.6% interrupt, 98.4% idle
Mem: 13M Active, 4884K Inact, 23M Wired, 2852K Cache, 13M Buf, 9788K Free
Swap: 512M Total, 5364K Used, 507M Free, 1% Inuse

Thanks

--
Reinhold Platzoeder
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.violetlan.net
RE: pf problem with table
Error msg means there is something wrong with the content of
/etc/pfdata/blocklist-p2p

check that there are no blank lines in that file.

make file with only ten entries and test.
Then add more content until you break it.
maybe 1.7 MB file size is too large for max table size

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Reinhold Platzoeder
Sent: Wednesday, April 19, 2006 2:17 AM
To: freebsd-questions@freebsd.org
Subject: pf problem with table

Hi

I have a problem with FreeBSD 6 and pf
I am trying to load a 1.7M file in to pf using a table
but I get this error

/etc/pf.conf:22: cannot define table p2pblock: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

the table config in pf.conf is

table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
block in log quick on $ext_if from <p2pblock> to any

I have tried it on two different machines and both give me the same error

everything works when I comment these two lines out

Any ideas as to what I'm doing wrong?

Thanks

--
Reinhold Platzoeder
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.violetlan.net
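A quick check for the blocklist file and the table-entries limit discussed in this thread, as an added example (not code from any of the posts): it drops the blank or malformed lines fbsd suggests hunting for, counts what pfctl would actually load, and sizes the `set limit table-entries` value Peter recommends. The sample list is constructed; pfctl itself is not called.

```shell
# Sanity-check a pf table source file and size "set limit table-entries"
# for it. pfctl reads one address or network per line; stray characters
# (e.g. CRLF endings) or junk lines make it reject the file, and the
# table-entries limit must cover the whole list or the load fails.

# Print the well-formed IPv4 addresses / CIDR networks in FILE after
# removing CR characters, "#" comments, surrounding spaces and blank
# lines; lines that are not a valid dotted quad (plus optional /0-32)
# are reported on stderr and dropped.
clean_blocklist() {
    tr -d '\r' < "$1" \
      | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | awk -F'/' '
        function bad() { print "rejected: " $0 > "/dev/stderr" }
        $0 == "" { next }
        NF > 2 || (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32)) { bad(); next }
        {
          if (split($1, o, ".") != 4) { bad(); next }
          for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad(); next }
          print
        }'
}

# Number of entries pfctl would load from FILE.
count_entries() {
    clean_blocklist "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Value for "set limit table-entries N": entry count plus 10% headroom,
# rounded up to the next thousand, so a slightly larger list still loads.
round_limit() {
    echo $(( ($1 * 11 / 10 + 999) / 1000 * 1000 ))
}
suggest_table_limit() {
    round_limit "$(count_entries "$1")"
}

# Constructed sample list: CRLF line, comment, blank, junk, bad octet.
make_sample_list() {
    printf '10.0.0.1\n192.0.2.0/24\r\n   198.51.100.7   # host\n\nnot-an-address\n256.1.1.1\n203.0.113.0/25\n' > "$1"
}
```

For the 104450-entry list from the thread, round_limit 104450 gives 115000, the value to put in pf.conf before reloading.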
pf problem with table
Hi

I have a problem with FreeBSD 6 and pf
I am trying to load a 1.7M file in to pf using a table
but I get this error

/etc/pf.conf:22: cannot define table p2pblock: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

the table config in pf.conf is

table <p2pblock> persist file "/etc/pfdata/blocklist-p2p"
block in log quick on $ext_if from <p2pblock> to any

I have tried it on two different machines and both give me the same error

everything works when I comment these two lines out

Any ideas as to what I'm doing wrong?

Thanks

--
Reinhold Platzoeder
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.violetlan.net
re: PF problem!!!
did you enable the default variables in rc.conf (or rc.conf.local)?

see:

grep -e pf_ -e pflog /etc/defaults/rc.conf

and set the appropriate variables.

regards,
didier
Re: PF problem!!!
"Fafa Diliha Romanova" <[EMAIL PROTECTED]> writes: > My question is: Why do I have to type this after everytime I've rebooted > to make my NAT gateway server allow Internet access to my workstation? Your rule set does not contain any rules which let packets pass *in* on your internal interface. Remember, pf.conf is seen from the firewall's perspective. traffic passes IN from elsewhere on either interface to the firewall, OUT to elsewhere on either interface. You have rules which let traffic pass in to the firewall on the external interface and out from the firewall on the external interface, but none which let traffic in on the internal interface. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales" ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
PF problem!!!
Hello!

I am running FreeBSD 5.4-STABLE, with PF as firewall and NAT server.

My question is: Why do I have to type this every time I've rebooted
to make my NAT gateway server allow Internet access to my workstation?

# pfctl -F a ; pfctl -Nf /etc/pf.conf ; pfctl -sr

Here is my /etc/pf.conf:

int_if="ep0"
ext_if="lnc0"

# *** Options
#
set block-policy drop

# *** Scrub incoming packets
#
scrub in all

# *** NAT
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any \
    port 21 -> 127.0.0.1 port 8021

# *** Default deny policy
#
block drop log all

# *** Pass loopback traffic
#
pass quick on lo0 all

# *** Outgoing
#
pass out on $ext_if inet proto tcp \
    from any to any flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } \
    from ($ext_if) to any keep state

# *** Bootstrap
#
pass out on $ext_if inet proto udp \
    from any port 68 to any port 67 keep state

# *** DNS and NTP
#
pass out on $ext_if inet proto udp \
    from ($ext_if) to any port { 53, 123 } keep state

# *** SSH and HTTP
#
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port { 22, 80 } flags S/SA keep state

# *** Active FTP
#
pass in on $ext_if inet proto tcp \
    from port 20 to ($ext_if) user proxy flags S/SA keep state

Thanks all!

--
Fafa