Meant to go to list; I was interrupted by a phone call at the crucial moment...

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

---------- Forwarded message ----------
Date: Tue, 4 Nov 2014 11:54:40 +1100 (EST)
From: Dave Horsfall <d...@horsfall.org>
To: Doug Hardie <bc...@lafn.org>
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Doug Hardie wrote:

> Do the rules show after that? I've never seen that last line before. I
> suspect it indicates an error of some sort.

DIOCSETSTATUSIF? I thought it was part of the ALTQ stuff. net/pfvar.h only has this to say:

    #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)

and in pf(4):

    DIOCSETSTATUSIF struct pfioc_if *pi
        Specify the interface for which statistics are accumulated.

As for "ifconfig fxp0" (the only NIC on the box):

    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
            ether 00:08:02:c4:b4:49
            inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active

The rules? Not a sausage. It's behaving as though it's reading the file (which it is), but not honouring the rules themselves (which it isn't).

Here:

    aneurin# pfctl -s all
    No ALTQ support in kernel
    ALTQ related functions disabled
    FILTER RULES:

    INFO:
    Status: Enabled for 1 days 04:14:05           Debug: Urgent

    State Table                          Total             Rate
      current entries                        0
      searches                          209120            2.1/s
      inserts                                0            0.0/s
      removals                               0            0.0/s
    Counters
      match                             209120            2.1/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                            813            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start             6000 states
    adaptive.end              12000 states
    src.track                     0s

    LIMITS:
    states        hard limit    10000
    src-nodes     hard limit    10000
    frags         hard limit     5000
    tables        hard limit     1000
    table-entries hard limit   200000

    TABLES:
    spammers
    woodpeckers

    OS FINGERPRINTS:
    696 fingerprints loaded
    aneurin#

So, is pf(4) actually known to work on:

    FreeBSD aneurin.horsfall.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

and if so, does anyone have a working sample pf.conf from such a box?

There's no kernel source on the thing, so I cannot rebuild with ALTQ, and my DVD is busted so I cannot upgrade; if I can load up an 8GB USB stick with FreeBSD then that could be one upgrade path, I suppose, but I don't know if this thing (a Compaq Evo) will boot from USB.

-- 
Dave Horsfall (VK2KFU)
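The failure mode in the message above is a firewall that reports "Status: Enabled" while its FILTER RULES section is empty, so nothing is actually enforced. The following script is an added example, not code from the thread: it parses pfctl -s all style output (the embedded sample is constructed from the output quoted above) and flags that "enabled but silent" state, so it can be dropped into a health check rather than eyeballed.

```shell
#!/bin/sh
# Constructed sample modelled on the pfctl -s all output quoted in the message:
# pf is enabled, tables exist, but nothing is listed under FILTER RULES.
SAMPLE_PF_STATUS='No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
INFO:
Status: Enabled for 1 days 04:14:05           Debug: Urgent
TABLES:
spammers
woodpeckers'

# Number of non-blank lines between "FILTER RULES:" and the "INFO:" header.
pf_rule_count() {
    printf '%s\n' "$1" | awk '
        /^FILTER RULES:/ { in_rules = 1; next }
        /^INFO:/         { in_rules = 0 }
        in_rules && NF   { n++ }
        END { print n + 0 }'
}

# Exit 0 when the Status line says Enabled, 1 otherwise.
pf_is_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Exit 0 when table "$2" is listed under TABLES:, 1 otherwise.
pf_has_table() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^TABLES:/           { in_tables = 1; next }
        /^[A-Z ]+:/          { in_tables = 0 }
        in_tables && $1 == t { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verdict: "disabled", "silent" (enabled but no rules loaded, the state
# shown in the message) or "filtering".
pf_verdict() {
    if ! pf_is_enabled "$1"; then echo disabled; return; fi
    if [ "$(pf_rule_count "$1")" -eq 0 ]; then echo silent; return; fi
    echo filtering
}

# On a live box, replace the constructed sample with the real output, e.g.
# pf_verdict "$(pfctl -s all 2>&1)"
echo "verdict: $(pf_verdict "$SAMPLE_PF_STATUS")"
```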