Re: unstable vpn after upgrading to 4.8
On Mon, Dec 20, 2010 at 11:54:57PM +0100, Axel Rau wrote:
> On 20.12.2010 at 12:50 Axel Rau wrote:
> > After upgrading to 4.8 (stable) the vpn starts blocking in one
> > direction after 2 days of uptime of the gateway pair.
> Today it took only 2 hours to start blocking.
> Blocking can be prevented by keeping a ping running.

I have started experiencing similar stuff around 3 months ago. It never happened before 3 months ago, and I haven't changed any PF/IPsec settings. Unfortunately, I am unable to track it down though, so this kind of bug report is useless. I tunnel out imap connections, so it's easy to notice any problems with the IPsec tunnel. Once it happens, it takes around 10 minutes for the tunnel to recover. I will try to see if I can get more details.

OpenBSD 4.8-current (GENERIC) #460: Sat Oct 30 10:30:25 MDT 2010
Systemic Clinic - Summer 2011
Reply to: i...@escuelasistemica.com.ar

The Escuela Sistémica Argentina is an institution that runs training for systemic family therapists, research and psychological care. Director: Dr. Horacio Serebrinsky - Academic Director: Dr. Marcelo R. Ceberio

SUMMER COURSES 2011 - Systemic clinic. Enrolment is open! The School is organising an introductory course in systemic clinical practice so that those who wish to make the most of their holiday time for training can do so with a course of excellence. The course consists of 10 introductory and clinical classes on different topics within the framework of systemic thinking, plus Clinical Supervision classes, taught by the School's specialists. The classes are interdependent, so it is possible to take the complete course as well as only the classes that interest each professional.

* Course I: week of 24 to 28 January, 09:00 to 14:30
* Course II: week of 21 to 25 February, 16:00 to 21:00
* Course III: January to March, Wednesdays 18:00 to 21:00 (starts 5 January)

CLASSES: Introduction to systemic thinking, Phobias and panic, Child clinic, Addictions from the systemic model, Psychosis from the systemic model, Family diversity, Eating disorders, Couple therapy, Ericksonian hypnosis and Clinical closing.

TEACHERS: Dr. H. SEREBRINSKY, Dr. M. RODRIGUEZ CEBERIO, Lic. C. DES CHAMPS, Lic. G. PIATTI, Lic. M. PERRONE, Lic. F. RUBANO, Lic. S. MUIÑO, Lic. L. LOCKER.

PRIOR REGISTRATION REQUIRED. ESCUELA SISTÉMICA ARGENTINA, Fray J. S. M. Oro 1843 (C1414DBC) Cap. Fed. Tel/Fax: 4774-2875/6112 - 4899-1053 i...@escuelasistemica.com.ar / www.escuelasistemica.com.ar
Re: Print server
On Thu, Dec 23, 2010 at 10:40:27PM +0100, Jean-Francois wrote:
> On Wednesday 22 December 2010 23:40:03, Jacob Meuser wrote:
> > On Wed, Dec 22, 2010 at 11:20:47PM +0100, Jean-Francois wrote:
> > > Hello,
> > >
> > > I would like to use a printer on the server and share it like samba
> > > supports, have it a shared network printer through openbsd server.
> > >
> > > The printer is actually a usb one that I would like to connect to the
> > > server. Is this basically working ? supported ?
> >
> > usb printers? see ulpt(4). some also work as ugen(4), if the driver
> > supports that.
> >
> > > Printer is Brother HL 2030, driver seems available for Linux. Can you
> > > recommend the best way to proceed ? It's first time for me, I saw things
> > > such as cups, never dived into yet.
> > >
> > > Thanks.
> >
> > http://www.openprinting.org/printer/Brother/Brother-HL-2030
> >
> > that gives you some hints. granted, they're talking about linux so
> > not all of that is relevant, but the recommended driver is hl1250, which
> > is in the 'gs' binary of the ghostscript package.
>
> Hi,
> I'm not used to installing printers on Unix, not sure to understand if ulpt / ugen
> are enough to handle that printer ? Need cups or a printer driver ?

you don't /need/ cups. it might be easier, or it might be a pain. you do, however, need to set up a print filter (sometimes referred to as a driver (yes, it's confusing)) because your device doesn't do postscript natively.

> I
> Installed only samba server at the moment.

samba is a whole other issue. get your printer working locally first.

http://onlamp.com/pub/a/bsd/2004/07/08/FreeBSD_Basics.html should get you started

http://www.freebsd.org/doc/handbook/printing.html is a bit more verbose. it's also somewhat dated, but lpd has not changed much over the years.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
7 profitable marketing strategies
Good morning, on this occasion we want to share with you seven new strategies to maximise your company's visibility while minimising your investment, which may be of great use to you. Below you can see the 7 points we discuss on our website free of charge: 1. Viral marketing. 2. Company databases. 3. Email marketing. 4. Telemarketing. 5. Blogging. 6. Publishing articles on the Internet. 7. Mobile marketing. To read the full article with the descriptions of each strategy, click here. We hope it helps you start advertising your company at a low cost; we note that the article is meant to give you an idea of what you can do to make your company known. If you do not wish to receive more information, send us an email at bases.email...@gmail.com with the subject R E M O V E R; if we have caused you any inconvenience we apologise, our intention is to publicise free of charge the different means that exist for advertising while spending little money.
Re: Diff between amd64 and i386 packages
On Fri, Dec 24, 2010 at 01:02:12AM +0100, Cato Auestad wrote:
> Hi,
>
> I'm not sure whether or not this will be of interest to anyone,
> but I've compiled a diff of the packages available in i386
> compared to amd64 (if anyone wants to try the other without
-- lossing essential packages). I haven't been able to find a
++ losing essential packages). I haven't been able to find a
-- similar diff online, so maybe this someone will find this useful.
++ similar diff online, so maybe someone will find this useful.
>
> http://www.bleakgadfly.com/notes/amd64_i386_diff.txt
>
> |- Cato Auestad
> |- www.bleakgadfly.com
> |- www.bleakgadfly.me
> |- www.openbsd.org
Diff between amd64 and i386 packages
Hi,

I'm not sure whether or not this will be of interest to anyone, but I've compiled a diff of the packages available in i386 compared to amd64 (if anyone wants to try the other without losing essential packages). I haven't been able to find a similar diff online, so maybe someone will find this useful.

http://www.bleakgadfly.com/notes/amd64_i386_diff.txt

|- Cato Auestad
|- www.bleakgadfly.com
|- www.bleakgadfly.me
|- www.openbsd.org
Re: set nano as default when editing crontab
On 2010/12/23 4:48 PM, Orestes Leal R. wrote:
> I want to edit the crontab with nano but by default vi is invoked
> when I do 'crontab -e'

Did you read crontab(1)?
Re: Print server
On Wednesday 22 December 2010 23:40:03, Jacob Meuser wrote:
> On Wed, Dec 22, 2010 at 11:20:47PM +0100, Jean-Francois wrote:
> > Hello,
> >
> > I would like to use a printer on the server and share it like samba
> > supports, have it a shared network printer through openbsd server.
> >
> > The printer is actually a usb one that I would like to connect to the
> > server. Is this basically working ? supported ?
>
> usb printers? see ulpt(4). some also work as ugen(4), if the driver
> supports that.
>
> > Printer is Brother HL 2030, driver seems available for Linux. Can you
> > recommend the best way to proceed ? It's first time for me, I saw things
> > such as cups, never dived into yet.
> >
> > Thanks.
>
> http://www.openprinting.org/printer/Brother/Brother-HL-2030
>
> that gives you some hints. granted, they're talking about linux so
> not all of that is relevant, but the recommended driver is hl1250, which
> is in the 'gs' binary of the ghostscript package.

Hi,
I'm not used to installing printers on Unix, not sure to understand if ulpt / ugen are enough to handle that printer ? Need cups or a printer driver ? I installed only samba server at the moment.
Re: scandir_push error in postfix
On Thu, Dec 23, 2010 at 5:15 PM, Orestes Leal R. wrote:
> why from time to time (in postfix-sasl on 4.3) I got a
>
> scandir_push_defer: error access denied

It's highly unlikely you are getting that message, because there's no function named scandir_push_defer in postfix.
Re: scandir_push error in postfix
On Thu, 23 Dec 2010 15:37:37 -0600, Ted Unangst wrote:
> On Thu, Dec 23, 2010 at 5:15 PM, Orestes Leal R. wrote:
> > why from time to time (in postfix-sasl on 4.3) I got a
> >
> > scandir_push_defer: error access denied
>
> It's highly unlikely you are getting that message, because there's no
> function named scandir_push_defer in postfix.

I'm doing this from memory because that machine is at home and right now I'm at work, but yes it happens, possibly not scandir_push_defer but something 'very' similar like scandir_push_something like defer or so.
scandir_push error in postfix
Why, from time to time (in postfix-sasl on 4.3), do I get a

scandir_push_defer: error access denied

and have to run 'postfix set-permissions' to fix this?
Re: set nano as default when editing crontab
woww MG is new for me, thanks.

> On 12/23/10 15:48, Orestes Leal R. wrote:
> > I want to edit the crontab with nano but by default vi is invoked
> > when I do 'crontab -e'
>
> What is wrong with mg?
>
> -luis

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/
Re: set nano as default when editing crontab
On Thu, 23 Dec 2010 15:01:13 -0600, Martin Schröder wrote:
> 2010/12/23 Orestes Leal R. :
> > I want to edit the crontab with nano but by default vi is invoked
> > when I do 'crontab -e'
>
> man crontab
>
>      -e      Edit the current crontab using the editor specified by the
>              VISUAL or EDITOR environment variables.

:-) No thank you!, by far OpenBSD is better suited for my tasks than the 'bloated linux' debian. openbsd is very small in its base system, I like that, I have a system running 4.3 acting as mail and pop3 server with only 1.0GB of disk space.

> Are you sure you don't want to use debian instead? :-)
>
> Best
> Martin
Re: set nano as default when editing crontab
On 12/23/10 15:48, Orestes Leal R. wrote:
> I want to edit the crontab with nano but by default vi is invoked
> when I do 'crontab -e'

What is wrong with mg?

-luis
Re: set nano as default when editing crontab
Orestes Leal R. wrote 2010-12-23 22:48:
> I want to edit the crontab with nano but by default vi is invoked
> when I do 'crontab -e'

export VISUAL="nano -w"
Re: set nano as default when editing crontab
2010/12/23 Orestes Leal R. :
> I want to edit the crontab with nano but by default vi is invoked
> when I do 'crontab -e'

man crontab

     -e      Edit the current crontab using the editor specified by the
             VISUAL or EDITOR environment variables.

Are you sure you don't want to use debian instead? :-)

Best
Martin
Re: set nano as default when editing crontab
On Thu, Dec 23, 2010 at 03:48:49PM -0600, Orestes Leal R. wrote:
:I want to edit the crontab with nano but by default vi is invoked
:when I do 'crontab -e'
:

     -e      Edit the current crontab using the editor specified by the
             VISUAL or EDITOR environment variables.  After you exit from
             the editor, the modified crontab(5) will be installed
             automatically.

env EDITOR=nano crontab -e
set nano as default when editing crontab
I want to edit the crontab with nano but by default vi is invoked when I do 'crontab -e'
Re: blocked FIN packets
On Thu, Dec 23, 2010 at 08:17:23PM +0100, Jan Stary wrote:
Re: blocked FIN packets
Speculation: this looks to me like the end of a valid http session: an internal client reads a web page, and probably a few images, everything goes through, but the last FIN does not. The first SYN creates state that lets the subsequent packets through. Doesn't the last FIN belong to the same state? Also, this is an outgoing packet, which I explicitly allow. What can possibly be blocking these FIN packets?

On Dec 23 02:39:59, Daniel E. Hassler wrote:
> Timing. State has probably timed out before the blocked packets are
> received. Log the whole conversation - both ways for both Firefox and
> lynx.

On Dec 23 04:45:04, Brian Seklecki (Mobile) wrote:
> set timeout tcp.finwait 900
> set timeout tcp.closing 900

You are both probably right. Thank you.

With lynx (that is, an internal client runs 'lynx www.ihned.cz') the conversation looks like this (tcpdump follows): two tcp connections are made (the first receives 302 Found, the second one receives 200); the data is read; both connections are correctly FIN'd, the FINs are ack'd. No packets get blocked.

12:36:57.989903 mac.stare.cz.54703 > www.ihned.cz.www: S 2635202717:2635202717(0) win 65535 (DF)
12:36:58.006316 www.ihned.cz.www > mac.stare.cz.54703: S 2401821844:2401821844(0) ack 2635202718 win 5792
12:36:58.006483 mac.stare.cz.54703 > www.ihned.cz.www: . ack 1 win 65535 (DF)
12:36:58.006979 mac.stare.cz.54703 > www.ihned.cz.www: P 1:303(302) ack 1 win 65535 (DF)
12:36:58.018389 www.ihned.cz.www > mac.stare.cz.54703: . ack 303 win 54
12:36:58.036406 www.ihned.cz.www > mac.stare.cz.54703: P 1:169(168) ack 303 win 54
12:36:58.036774 mac.stare.cz.54703 > www.ihned.cz.www: . ack 169 win 65535 (DF)
12:36:58.036920 www.ihned.cz.www > mac.stare.cz.54703: F 169:169(0) ack 303 win 54
12:36:58.037094 mac.stare.cz.54703 > www.ihned.cz.www: . ack 170 win 65535 (DF)
12:36:58.037990 mac.stare.cz.54703 > www.ihned.cz.www: F 303:303(0) ack 170 win 65535 (DF)
12:36:58.046266 www.ihned.cz.www > mac.stare.cz.54703: . ack 304 win 54

(The first connection which received 302 Found ends here; the other one starts now.)

12:37:00.040373 mac.stare.cz.54704 > www.ihned.cz.www: S 3284050248:3284050248(0) win 65535 (DF)
12:37:00.052042 www.ihned.cz.www > mac.stare.cz.54704: S 3325100471:3325100471(0) ack 3284050249 win 5792
12:37:00.052393 mac.stare.cz.54704 > www.ihned.cz.www: . ack 1 win 65535 (DF)
12:37:00.053022 mac.stare.cz.54704 > www.ihned.cz.www: P 1:299(298) ack 1 win 65535 (DF)
12:37:00.061764 www.ihned.cz.www > mac.stare.cz.54704: . ack 299 win 54
[...]
12:37:00.220313 www.ihned.cz.www > mac.stare.cz.54704: . 82081:83449(1368) ack 299 win 54
12:37:00.220486 www.ihned.cz.www > mac.stare.cz.54704: . 83449:84817(1368) ack 299 win 54
12:37:00.220539 www.ihned.cz.www > mac.stare.cz.54704: FP 84817:84919(102) ack 299 win 54
12:37:00.220620 mac.stare.cz.54704 > www.ihned.cz.www: . ack 82081 win 65535 (DF)
12:37:00.220858 mac.stare.cz.54704 > www.ihned.cz.www: . ack 84920 win 65309 (DF)
12:37:00.222642 mac.stare.cz.54704 > www.ihned.cz.www: F 299:299(0) ack 84920 win 65535 (DF)
12:37:00.229482 www.ihned.cz.www > mac.stare.cz.54704: . ack 300 win 54

With firefox on the other hand, this is what happens: six connections are made (ports 54748-54753) to get the page itself and the css and the images. Data is read on the connections; then the remote end sends a FIN for one of these connections (I am isolating port 54768; the very same happens on the other ports, too):

[...]
13:08:07.915873 www.ihned.cz.www > mac.stare.cz.54748: F 517:517(0) ack 637 win 56

The internal client ACKs the FIN ...

13:08:07.916238 mac.stare.cz.54748 > www.ihned.cz.www: . ack 518 win 65535 (DF)

and sends its own FIN later:

13:08:21.284154 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)

Comparing the timestamps, that's fourteen seconds after the client sent the ACK for the remote FIN. That should be soon enough:

# pfctl -s timeouts | fgrep tcp
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s

This FIN is *not* blocked, it goes out. However, no ACK is received from the remote side for this FIN (why?). So the internal client sends its FIN again a few times:

13:08:22.186559 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:24.188168 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:28.192462 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:36.202517 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:52.221585 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:09:24.267275 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (
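As an added example (not code from the thread), a Python analyser that reconstructs the close handshake of each connection from tcpdump lines like those above, counts FIN retransmissions and FINs that never got an ACK, and, using a simplified model of pf.conf(5)'s tcp.closing and tcp.finwait states, reports packets that arrive after the state's timer would have run out. The trace and timeout values are copied from the post; the state model is an assumption-level simplification and is labelled as such in the code.

```python
"""Reconstruct TCP close handshakes from tcpdump output and check them against
pf's TCP state timeouts.  Simplified model of pf state tracking, following the
pf.conf(5) descriptions: the state is in tcp.closing once the first FIN is seen
and in tcp.finwait once both sides have sent a FIN; each packet that matches
the state restarts its timer.  pf's real sequence-window checks are ignored."""
import re
from collections import defaultdict

# "pfctl -s timeouts | fgrep tcp" output as shown in the post.
PFCTL_TIMEOUTS = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
"""

# tcpdump lines copied from the post: the lynx connection on port 54703 closes
# cleanly, the firefox connection on port 54748 keeps retransmitting its FIN.
SAMPLE_TRACE = """\
12:36:58.036920 www.ihned.cz.www > mac.stare.cz.54703: F 169:169(0) ack 303 win 54
12:36:58.037094 mac.stare.cz.54703 > www.ihned.cz.www: . ack 170 win 65535 (DF)
12:36:58.037990 mac.stare.cz.54703 > www.ihned.cz.www: F 303:303(0) ack 170 win 65535 (DF)
12:36:58.046266 www.ihned.cz.www > mac.stare.cz.54703: . ack 304 win 54
13:08:07.915873 www.ihned.cz.www > mac.stare.cz.54748: F 517:517(0) ack 637 win 56
13:08:07.916238 mac.stare.cz.54748 > www.ihned.cz.www: . ack 518 win 65535 (DF)
13:08:21.284154 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:22.186559 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:24.188168 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:28.192462 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:36.202517 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
13:08:52.221585 mac.stare.cz.54748 > www.ihned.cz.www: F 637:637(0) ack 518 win 65535 (DF)
"""

# "HH:MM:SS.us src > dst: FLAGS [lo:hi(len)] [ack N] ..." as tcpdump prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPR.]+) ?(?:(?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\))?"
    r" ?(?:ack (?P<ack>\d+))?"
)


def parse_timeouts(text):
    """'tcp.finwait   45s' -> {'tcp.finwait': 45.0}."""
    return {name: float(secs) for name, secs in re.findall(r"(\S+)\s+(\d+)s", text)}


def parse_line(line):
    """Return one packet as a dict, or None for non-packet lines such as '[...]'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    flags = m.group("flags")
    # A FIN occupies the sequence number just past the segment's data, so the
    # "hi" of "F 637:637(0)" or "FP 84817:84919(102)" is the FIN's seq; the
    # peer acknowledges it with ack hi+1.
    fin_seq = int(m.group("hi")) if "F" in flags and m.group("hi") else None
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "dst": m.group("dst"), "flags": flags,
            "fin_seq": fin_seq,
            "ack": int(m.group("ack")) if m.group("ack") else None}


def analyse(trace, timeouts):
    """Per flow: FIN retransmits, unacknowledged FINs, gap between the two FINs
    and packets that arrived after the modelled pf state had expired."""
    flows = defaultdict(list)
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt:
            flows[tuple(sorted((pkt["src"], pkt["dst"])))].append(pkt)
    report = {}
    for key, pkts in flows.items():
        fins = {}                    # endpoint -> {"seq", "first", "count", "acked"}
        state, last_seen, late = "established", None, []
        for p in pkts:
            limit = timeouts.get("tcp." + state)
            if last_seen is not None and limit is not None and p["t"] - last_seen > limit:
                late.append((state, round(p["t"] - last_seen, 6)))
                continue             # an expired state neither matches nor is refreshed
            last_seen = p["t"]
            if p["fin_seq"] is not None:
                f = fins.setdefault(p["src"], {"seq": p["fin_seq"], "first": p["t"],
                                               "count": 0, "acked": False})
                if f["seq"] == p["fin_seq"]:
                    f["count"] += 1  # same FIN seen again: a retransmission
                state = "finwait" if len(fins) == 2 else "closing"
            if p["ack"] is not None and p["dst"] in fins and p["ack"] > fins[p["dst"]]["seq"]:
                fins[p["dst"]]["acked"] = True
        firsts = [f["first"] for f in fins.values()]
        report[key] = {
            "fin_retransmits": {ep: f["count"] - 1 for ep, f in fins.items()},
            "fin_unacked": sorted(ep for ep, f in fins.items() if not f["acked"]),
            "fin_gap": round(max(firsts) - min(firsts), 6) if len(firsts) == 2 else None,
            "late_packets": late,
        }
    return report


if __name__ == "__main__":
    for key, r in analyse(SAMPLE_TRACE, parse_timeouts(PFCTL_TIMEOUTS)).items():
        print(key[0], "<->", key[1], r)
```

Passing a constructed, much shorter tcp.closing (for example 10 seconds) instead of the post's 900s shows the failure mode the thread worries about: the state expires before the client's FIN, and every later packet of that flow is reported as late.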
Re: pfsync nic problem.
On 12/23/2010 06:43 PM, Johan Beisser wrote:
> On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi wrote:
> > Hi list, I've tried to use the groups field for pfsync. I've changed in my
> > pf rules the wan interface ext="xl0" to ext="egress", then when I try to
> > get a fault with firewall 1, firewall 2 becomes master, but all connections
> > die. In the state tables of firewall 2 there are "synchronized" states for xl0,
> > but the "wan" interface is rl2. It's normal that all connections die, there
> > are no valid states for rl2. So at this point the problem persists.
> > Is there something that I've missed with the ifconfig groups field? Is this my
> > misconfiguration or is "the use of the groups field" not a valid fix for this
> > problem?
>
> Please post your pf.conf, ifconfig output and dmesg. There may be
> another issue not addressed.

dmesg of Firewall 1
Re: pfsync nic problem.
On 23 December 2010 18:24, Alessandro Baggi wrote:
>
> This problem is not theoretical.

but the dmesg, pf.conf and ifconfig output is. :~)
Re: pfsync nic problem.
On 12/22/2010 01:18 AM, Stuart Henderson wrote:
> On 2010-12-19, Alessandro Baggi wrote:
> > Hi list. I've a little question about pfsync. Suppose we have two
> > firewalls with 3 nics, one for lan, one for wan and one for DMZ, and
> > suppose a scenario like this:
> >
> >   firewall 1     firewall 2
> >   WAN: re0       WAN: xl0
> >   LAN: rl0       LAN: rl0
> >   DMZ: rl1       DMZ: rl1
> >
> > when pfsync sends the interface state updates to the backup firewall, does
> > pfsync update the state table with the interface names of the first
> > firewall? (in my scenario, the synchronization won't work for re0 and xl0,
> > right?) Then, must the firewall 2 box have nic card names equal to the nic
> > card names of the first firewall, or can they be different? If this is the
> > issue, and given this scenario, is there a method to make a valid update
> > for re0 and xl0? thanks in advance.
>
> states don't normally depend on the interface (and if you *do* make them
> dependent on that with if-bound states, i'm not sure if pfsync handles
> that...)
>
> are you having problems or is this theoretical? if you're having problems
> then send a dmesg and full details. if it's theoretical, why don't you
> just try it for yourself? this stuff is easy to check and first-hand
> experience beats a post from some random dude on a mailing list.

This problem is not theoretical.
Fatura Zero
Fatura Zero Promotion. To take part, just register your card at the link below. http://www.visa.com.br/faturazero We remind you that to access the link we recommend using Internet Explorer. Accumulated points automatically become coupons that enter the Fatura Zero Promotion; the more coupons, the more chances of winning a year of Fatura Zero; every R$30.00 in purchases is worth one promotion coupon.
Re: pfsync nic problem.
On Thu, Dec 23, 2010 at 9:19 AM, Alessandro Baggi wrote:
>
> Hi list, I've tried to use the groups field for pfsync. I've changed in my
> pf rules, the wan interface ext="xl0" with ext="egress", then when I try to
> get a fault with firewall 1, firewall 2 becomes master, but all connections
> die. In state tables of firewall 2 there are "synchronized" states for xl0,
> but the "wan" interface is rl2. It's normal that all connections die, there
> are no valid states for rl2. Then at this point the problem persists.
> Is there something that I've missed with the ifconfig groups field? Is this
> my misconfiguration or is "the use of groups field" not a valid fix for this
> problem?

Please post your pf.conf, ifconfig output and dmesg. There may be another issue not addressed.
Re: randomize spamd-setup time in cron?
frantisek holop writes:
> for a couple of days now i am getting love messages every hour
> from cron about spamd-setup:
>
> ftp: Receiving HTTP reply: Connection reset by peer

I've been getting those too, more often than usual over the last 2-3 days. Hopefully the underlying problem will be corrected.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: randomize spamd-setup time in cron?
hmm, on Thu, Dec 23, 2010 at 02:41:05PM +, Jason McIntyre said that
> On Thu, Dec 23, 2010 at 02:51:38PM +0100, frantisek holop wrote:
>> hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
>>> are there some numbers how big traffic are
>>> we generating with this? is this an issue?
>>
>> i see that in the current crontabs the spamd-setup line is commented
>> out. spamd-setup(8) does not mention cron at all.
>> i am a bit confused, is it ok to uncomment that line?
>> if it is, how often should spamd-setup run?
>>
>
> spamd(8) is the best place for an overview of how everything fits
> together. and it does document there that it needs to be run by cron.

yes, thanks, i found it:

    spamd-setup(8) should be run periodically by cron(8). When run in
    blacklist-only mode, the -b flag should be specified. Use crontab(1)
    to uncomment the entry in root's crontab.

although i must confess, i personally think this would be better placed
in spamd-setup as it relates to it directly. but it's obvious people in
charge gave it thought so don't mind me :]

-f
-- 
if the limit was 250, there'd be no speeders...
Re: pfsync nic problem.
On 12/19/2010 07:49 PM, Johan Beisser wrote:
> On Sun, Dec 19, 2010 at 9:12 AM, Alessandro Baggi wrote:
>> Hi list. I've a little question about pfsync. Supposing to have two
>> firewalls, with 3 nic, one for lan, one for wan and one for DMZ, and
>> supposing a similar scenario:
>>
>>   firewall 1        firewall 2
>>   WAN: re0          WAN: xl0
>>   LAN: rl0          LAN: rl0
>>   DMZ: rl1          DMZ: rl1
>>
>> when pfsync send the interface state updates on backup firewall, pfsync
>> update the table of states for the name of interfaces of first firewall?
>> (in my scenario, the synchronization won't work for re0 and xl0, right?
>
> I don't see why not. Adjust your pf rules to use the groups field for the
> interface if you're worried.

Hi list, I've tried to use the groups field for pfsync. I've changed in my
pf rules, the wan interface ext="xl0" with ext="egress", then when I try to
get a fault with firewall 1, firewall 2 becomes master, but all connections
die. In state tables of firewall 2 there are "synchronized" states for xl0,
but the "wan" interface is rl2. It's normal that all connections die, there
are no valid states for rl2. Then at this point the problem persists.
Is there something that I've missed with the ifconfig groups field? Is this
my misconfiguration or is "the use of groups field" not a valid fix for this
problem?

thanks in advance.
Re: randomize spamd-setup time in cron?
On Thu, Dec 23, 2010 at 02:51:38PM +0100, frantisek holop wrote:
> hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
>> are there some numbers how big traffic are
>> we generating with this? is this an issue?
>
> i see that in the current crontabs the spamd-setup line is commented
> out. spamd-setup(8) does not mention cron at all.
> i am a bit confused, is it ok to uncomment that line?
> if it is, how often should spamd-setup run?
>

spamd(8) is the best place for an overview of how everything fits
together. and it does document there that it needs to be run by cron.

jmc
Re: randomize spamd-setup time in cron?
hmm, on Wed, Dec 22, 2010 at 12:54:04AM +0100, frantisek holop said that
> are there some numbers how big traffic are
> we generating with this? is this an issue?

i see that in the current crontabs the spamd-setup line is commented
out. spamd-setup(8) does not mention cron at all.
i am a bit confused, is it ok to uncomment that line?
if it is, how often should spamd-setup run?

for a couple of days now i am getting love messages every hour
from cron about spamd-setup:

ftp: Receiving HTTP reply: Connection reset by peer
ftp: Receiving HTTP reply: Connection reset by peer
ftp: Receiving HTTP reply: Connection reset by peer
# $OpenBSD: spamd.conf,v 1.3 2007/05/12 00:43:41 cnst Exp $

-f
-- 
exam is a four-letter word for torture.
Re: 64 bit cvsup pkg?
On Thu, Dec 23, 2010 at 1:00 PM, Indunil Jayasooriya wrote:
> Hi .
>
> Thanks for your info. Sorry for the delay in thanking the list. I downloaded
> csup-20090407.tgz and now started updating the 64bit OpenBSD system. anyway,
> I prepared a Doc for it. Since OpenBSD is open, I want to send the
> prepared my Open Doc for everyone. Pls share it.
>

* http://www.openbsd.org/cvsup.html

"Alternatively, the csup package is written in C and provides a drop-in compatible client."
Re: blocked FIN packets
set skip on lo
set block-policy drop
set timeout tcp.finwait 900
set timeout tcp.closing 900

(There's also an adaptive setting based on load)

Your client, if it's really a mac, may have a sysctl like

...
net.inet.tcp.finwait2_timeout: 6
...
net.inet.tcp.finwait2_timeout: FIN-WAIT2 timeout

Or something similar

~BAS
Re: blocked FIN packets
Timing. State has probably timed out before the blocked packets are received. Log the whole conversation - both ways for both Firefox and lynx.

On 12/23/10 12:47 AM, Jan Stary wrote:
> On Dec 22 19:54:28, Forman, Jeffrey wrote:
>> On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary wrote:
>>> Speculation: this looks to me like an end of a valid http session:
>>> an internal client reads a web page, and probably a few images,
>>> everything goes through, but the last FIN does not. The first SYN
>>> creates state that lets the subsequent packets through. Doesn't the
>>> last FIN belong to the same state? Also, this is an outgoing packet,
>>> which I explicitly allow.
>>>
>>> What can possibly be blocking these FIN packets?
>>
>> Jan,
>>
>> I have run into a similar situation where I had packets getting blocked
>> through my OpenBSD fw and could not figure out why.
>>
>> The couple pieces of code I tend to use to debug such a thing:
>>
>> 1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
>> two and throw them on all your block statements.
>
> Yes, that's how I see the blocked packets.
>
>> 2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
>> only the packets being logged, but also the pf rules blocking them. Example:
>> Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]
>
> Thanks. It's some time since I have read tcpdump(8).
>
> 09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)
>
>> I see this is rule 8. I then run 'pfctl -s rules -vv'
>> [...]
>> I find that by combining these two debugging tools, I am able to pin
>> point the rule that might be blocking a specific set of connections.
>
> The rule that's blocking my FIN packets is the "block drop log all".
> Which is the only block rule I have, the rest of pf.conf just explicitly
> allows the intended traffic (see the original mail).
>
> So my question remains: if these are FINs of the few http connections
> that take place when an internal client looks at www.ihned.cz (which it
> seems), why are they not let through by the state that was created from
> these connections?
>
> This is blocked 'in' on the internal interface (vr1), where the 'in'
> rules are (see orig mail for full pf.conf):
>
>   pass in on $int proto icmp from any to ($int)
>   pass in on $int proto { tcp udp } from any to ($int) port bootps
>   pass in on $int proto { tcp udp } from any to ($int) port domain
>   pass in on $int proto tcp from any to ($int) port ssh
>   pass in on $int from any to !($int) tag INT
>
> Maybe I am missing something here: the first four rules are supposed to
> allow traffic from the internal hosts to the gateway itself (dhcp etc),
> and the fifth rule is supposed to pass traffic to the outside (which gets
> natted later on the external interface). A packet such as
>
>   mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0)
>
> seems to me to be that case (right?).
>
> The only communication that the internal client (mac.stare.cz) has with
> the outside host (www.ihned.cz) is that a browser (firefox) is used to
> look at a webpage. If the internal client does the same with lynx, there
> are no blocked FIN packets on the internal interface.
>
> What am I missing here?
>
> Thank you for your time
>
> Jan
Re: blocked FIN packets
On Dec 22 19:54:28, Forman, Jeffrey wrote:
> On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary wrote:
>> Speculation: this looks to me like an end of a valid http session:
>> an internal client reads a web page, and probably a few images,
>> everything goes through, but the last FIN does not. The first SYN
>> creates state that lets the subsequent packets through. Doesn't the
>> last FIN belong to the same state? Also, this is an outgoing packet,
>> which I explicitly allow.
>>
>> What can possibly be blocking these FIN packets?
>
> Jan,
>
> I have run into a similar situation where I had packets getting blocked
> through my OpenBSD fw and could not figure out why.
>
> The couple pieces of code I tend to use to debug such a thing:
>
> 1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
> two and throw them on all your block statements.

Yes, that's how I see the blocked packets.

> 2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
> only the packets being logged, but also the pf rules blocking them. Example:
> Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

Thanks. It's some time since I have read tcpdump(8).

09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)

> I see this is rule 8. I then run 'pfctl -s rules -vv'
> [...]
> I find that by combining these two debugging tools, I am able to pin
> point the rule that might be blocking a specific set of connections.

The rule that's blocking my FIN packets is the "block drop log all".
Which is the only block rule I have, the rest of pf.conf just explicitly
allows the intended traffic (see the original mail).

So my question remains: if these are FINs of the few http connections
that take place when an internal client looks at www.ihned.cz (which it
seems), why are they not let through by the state that was created from
these connections?

This is blocked 'in' on the internal interface (vr1), where the 'in'
rules are (see orig mail for full pf.conf):

  pass in on $int proto icmp from any to ($int)
  pass in on $int proto { tcp udp } from any to ($int) port bootps
  pass in on $int proto { tcp udp } from any to ($int) port domain
  pass in on $int proto tcp from any to ($int) port ssh
  pass in on $int from any to !($int) tag INT

Maybe I am missing something here: the first four rules are supposed to
allow traffic from the internal hosts to the gateway itself (dhcp etc),
and the fifth rule is supposed to pass traffic to the outside (which gets
natted later on the external interface). A packet such as

  mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0)

seems to me to be that case (right?).

The only communication that the internal client (mac.stare.cz) has with
the outside host (www.ihned.cz) is that a browser (firefox) is used to
look at a webpage. If the internal client does the same with lynx, there
are no blocked FIN packets on the internal interface.

What am I missing here?

Thank you for your time

Jan
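An added triage helper, not from this thread or any of its posters, that parses 'tcpdump -n -ttt -e -i pflog0' lines of the shape quoted above and separates blocked SYNs (genuinely unsolicited connections) from blocked packets carrying no SYN (FIN, RST, bare ACK), which is exactly the pattern the state-timeout explanation predicts. The sample lines are constructed for the example; only the two quoted in the thread are real output, and the regex assumes the old-style single-letter flag field those lines show.

```python
import re
from collections import Counter

# Shape of a 'tcpdump -n -ttt -e -i pflog0' line as quoted in the thread:
#   <timestamp> rule <n>/(match) <action> <dir> on <if>: <src> > <dst>: <flags> ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
)

# Constructed sample: the two lines quoted in the thread plus two more in
# the same format; this is not a capture from the poster's firewall.
SAMPLE = """\
Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 > 96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]
09:07:02.849975 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: F 2622397051:2622397051(0) ack 1936803033 win 65535 (DF)
09:07:02.850101 rule 15/(match) block in on vr1: mac.stare.cz.54255 > www.ihned.cz.www: F 11:11(0) ack 22 win 65535 (DF)
09:07:03.120000 rule 15/(match) block in on vr1: mac.stare.cz.54254 > www.ihned.cz.www: . ack 1936803034 win 65535 (DF)
"""

def parse_pflog(text):
    """One dict per parsable pflog line; lines that do not match are skipped."""
    matches = (PFLOG_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(entry):
    """Triage a blocked TCP packet by its flags.

    A blocked SYN is a genuinely new, unsolicited connection attempt.
    A blocked packet without SYN (FIN, RST, bare ACK) only reaches the
    catch-all block rule because pf found no state for it, which points
    at an expired, mismatched or asymmetric state rather than at the
    pass rules themselves.
    """
    return "unsolicited-syn" if "S" in entry["flags"] else "no-state"

def summarize(text):
    """Count blocked packets per (rule, interface, class)."""
    counts = Counter()
    for e in parse_pflog(text):
        if e["action"] == "block":
            counts[(int(e["rule"]), e["ifname"], classify(e))] += 1
    return counts

if __name__ == "__main__":
    for (rule, ifname, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"rule {rule:>3} on {ifname}: {kind:<16} {n}")
```

If nearly every hit on the catch-all rule is "no-state" and none is a SYN, the pass rules are doing their job and the state lifetime (the tcp.finwait / tcp.closing timeouts mentioned earlier in the thread) is where to look next.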