Re: transparent squid and load balancing outgoing traffic

2005-01-26 Thread Daniel Hartmeier
On Tue, Jan 25, 2005 at 06:19:36PM -0300, Emilio Lucena wrote: > Then the traffic is delivered to squid to be dealt with. But, then this > means squid will use the default route to open the http connection to the > Internet server and bypass the load balance rule, right? Yes, the connections f

Re: transparent squid and load balancing outgoing traffic

2005-01-26 Thread Emilio Lucena
From what I could understand, the tcp_outgoing_address is only really used if you are not doing NAT on the external connections, right? If that is the case, the proposed rule will never be matched, and the web traffic will only go through the default outbound interface, bypassing the load-balanc

Re: Tagging didn't work as expected

2005-01-26 Thread Lester
On Jan 26, 2005, at 2:44 PM, Daniel Hartmeier wrote: On Wed, Jan 26, 2005 at 12:49:13PM -0500, Peter Fraser wrote: Daniel Hartmeier [EMAIL PROTECTED] wrote that my use of tagging should work. So I moved the tagging rules to the very top of my rule set and did a traceroute from a different machi

Re: Tagging didn't work as expected

2005-01-26 Thread Daniel Hartmeier
On Wed, Jan 26, 2005 at 12:49:13PM -0500, Peter Fraser wrote: > Daniel Hartmeier [EMAIL PROTECTED] wrote that my use of tagging > should work. So I moved the tagging rules to the very top of my rule set > and did a traceroute from a different machine. This is the result I think you didn't menti

Re: Tagging didn't work as expected

2005-01-26 Thread Peter Fraser
Daniel Hartmeier [EMAIL PROTECTED] wrote that my use of tagging should work. So I moved the tagging rules to the very top of my rule set and did a traceroute from a different machine. This is the result # pfctl -vvvsr @0 scrub in all fragment reassemble [ Evaluations: 121941 Packets: 63360

Re: altq and rate limiting (packets/sec)

2005-01-26 Thread Christopher Linn
On Wed, Jan 26, 2005 at 09:48:06AM -0500, [EMAIL PROTECTED] wrote: > On Tue, 25 Jan 2005, Christopher Linn wrote: > > >I am interested in using altq to limit the outflow from an rfc1918 > >NAT'd network to alleviate the possibility of e.g. DDoS attacks > >originating from within the NAT. > > > >o

Re: altq and rate limiting (packets/sec)

2005-01-26 Thread mikem170
AFAIK pf rate-limits based on bits per second, not packets per second. qlimit controls the depth of queues, not how fast they are emptied. You could have two queues, one for SYN packets and one for other traffic. The SYN packet queue can be rate limited to X bits/second, which can be based on known

Re: transparent squid and load balancing outgoing traffic

2005-01-26 Thread Emilio Lucena
Kevin, First of all, thanks for your help. On Tue, 25 Jan 2005, Kevin wrote: > Can you provide more information on your load-balancing configuration, > specifically on what the two external interfaces are connected through? > Are you doing any NAT? Yes, we are doing NAT. lan_net=$int_if:net

Re: lost of packets

2005-01-26 Thread Daniel Hartmeier
On Wed, Jan 26, 2005 at 11:44:21AM +0100, marc gmx wrote: > The counter "Packets In/Blocked" for interface bge0 indicate a value > of 124, WHY ??? One explanation would be that those 124 packets had invalid IP or UDP checksums. Before you assume that's impossible, check the output of $ netsta

lost of packets

2005-01-26 Thread marc gmx
I continue to try to use NAT with pf on OpenBSD. I send 1000 SNMP requests (UDP packets) to 1000 different IPs. The packets pass from interface bge0 to interface bge1. I put the NAT on interface bge1. There is a significant loss of packets. The counter "Packets In/Blocked" for interface bge0 in