On Fri, 12 Mar 2021 14:06:22 +0100
"Kristof Provost" wrote:
Hello,
> On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote:
> > I've read the code of pfctl a bit. If pfctl crashes in
> > pfctl_optimize_ruleset, is there a risk to leave pf in a bad state?
> >
On Wed, 10 Mar 2021 20:48:15 +0100
"Kristof Provost" wrote:
Hello,
> > FreeBSD 11.4-RELEASE-p3 / amd64
> >
> > Yesterday while loading a ruleset, pfctl core dumped with a
> > segmentation fault (see gdb below)
> >
> > We are recently using some big tables so maybe this is what
> > triggered the
Hello,
FreeBSD 11.4-RELEASE-p3 / amd64
Yesterday while loading a ruleset, pfctl core dumped with a
segmentation fault (see gdb below)
We are recently using some big tables so maybe this is what triggered the
problem (?), I can't reproduce this.
I've found something on t...@openbsd.org that lo
On Mon, 20 Jan 2020 09:37:36 -0500
mike tancsa wrote:
> I have a process that runs every few min looking to see if the pf
> rules changed on some of our firewalls. On one customer unit, we
> have a "self" statement and the script detected a change this
> morning. The rule reads
>
> block log q
On Mon, 25 Jun 2018 16:12:49 -0400,
Joseph Ward wrote:
Hello,
> My goal is for this pf.conf to be able to be used on multiple systems
> which unfortunately have different network cards, so the interface
> names are different. If "egress" isn't going to work, is there
> another way to accompl
On Fri, 25 Aug 2017 14:41:46 +0200,
Miroslav Lachman <000.f...@quip.cz> wrote:
> I have PF rules with some large tables. The biggest one is with Tor
> IPs
> - 198239 entries in table tor_net.
...
> When I try to reload PF I get error like these:
>
> /etc/pf.conf.tmp:37: cannot define table
On Mon, 24 Oct 2016 14:59:26 +0200,
Patrick Lamaiziere wrote:
> (trying freebsd-pf)
>
> Hello,
>
> I have a pair of firewalls with carp, pf and pfsync and I see a large
> difference between the number of states (pfctl -si, current entries)
> on the firewalls. The pfsync
Hello,
I'm asking about the goal of the parameter maxupd of pfsync, i.e. when
should we change it?
At work we have a lot of states (~1 200 000) with many changes and it
looks like we lose some state deletions across pfsync. Could increasing
maxupd help?
The manual:
The pfsync inte
On Thu, 27 Oct 2016 19:23:38 +,
James Morris wrote:
Hi,
Hello,
>
> While this does solve the issue of pushing traffic through igb0,
> however any incoming connections to igb1 from server B also get shunted
> out igb0.
>
> I was wondering if there is a way to do this in pf.
see PF route-
(trying freebsd-pf)
Hello,
I have a pair of firewalls with carp, pf and pfsync and I see a large
difference between the number of states (pfctl -si, current entries) on
the firewalls. The pfsync link is a 10 GB link with around 20 Kpps on
load (don't think it's the issue).
pf1 is the master wit
On Mon, 3 Nov 2014 23:12:52 +,
David DeSimone wrote:
Hello,
> set skip on lo
>
> I'm pretty sure the loopback name should be "lo0" instead of just
> "lo".
Yes and no, the grammar (pf.conf)
set skip on
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
On Fri, 6 Sep 2013 00:49:50 +0100,
Lisa Muir <34.24...@gmail.com> wrote:
Hello,
> I believe that PF has killed the cached connection, and when TB tries
> to talk through it, it patiently waits for an answer.
>
> I've looked at the
> set timeout option value
> directive for pf, but cannot deter
On Mon, 26 Aug 2013 12:23:42 -0400,
"Mike." wrote:
Hello,
> I've written a quick script to format the output of pfctl -v -s rules
> into a one-line-per-rule format. For me, this format is more useful.
>
> The script and sample output are available here:
>
> http://archive.mgm51.com/source
On Tue, 7 May 2013 03:03:22 -0700 (PDT),
Nomad Esst wrote:
> Hi list
Hello,
> Is it necessary to reload PF after each change done by pfctl? If
> yes, how?
No. PF itself is a kernel module; all the control is done by pfctl.
Regards.
On Wed, 1 May 2013 22:54:37 -0700 (PDT),
Nomad Esst wrote:
> >If you are trying to avoid having to evaluate all of your rules on
> >every packet, you should read up on the "anchor" feature, which
> >allows you to perform a type of "subroutine call", evaluating a
> >different ruleset upon some
On Tue, 16 Oct 2012 09:13:38 +0200,
Patrick Lamaiziere wrote:
Hello,
> To be sure that states are not involved at all I've used a serial
> console on the firewall (previous tests were made with ssh).
>
> So I don't understand why you don't reproduce this. I will m
On Mon, 15 Oct 2012 17:52:03 +0200,
Olivier Cochard-Labbé wrote:
Hello,
> And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no
> ICMP generated) too.
>
> One remark: I'm using pf as module (not compiled in kernel).
The box was running a 9.1 prerelease from August 25, I've upd
Hello,
As far as I can see, PF replies with an ICMP unreachable if a packet is
dropped in output, even if the block policy is "drop". Which is not the
intended behavior.
I've made a few tests with this setup:
host1 (192.168.1.60)<->(vr0:192.168.1.254) PF (vr2:192.168.200.254)
<-> host2 (192.168.200.2)
The following reply was made to PR kern/160370; it has been noted by GNATS.
From: Patrick Lamaiziere
To: bug-follo...@freebsd.org
Cc:
Subject: Re: misc/160370: Incorrect pfctl check of pf.conf
Date: Fri, 2 Sep 2011 14:23:55 +0200
On Thu, 1 Sep 2011 17:14:54 GMT,
Vitalic wrote:
Hi