pf+ftp-proxy / pf "company" example questions

2006-04-08 Thread Michal Soltys
Hello I have two (unrelated) questions - the first one regarding new ftp-proxy (the one using anchors) and the other regarding "company" example in official obsd faq (http://www.openbsd.org/faq/pf/queueing.html#example2) 1)... This is how I understand pf + ftp-proxy functionality: First, two

Re: borrow on all queues

2006-04-08 Thread Bill Marquette
On 4/7/06, Travis H. <[EMAIL PROTECTED]> wrote: > Does putting borrow on all child queues make any sense? > > The way I read it, it does, so like a child queue that isn't using its > bandwidth, can be borrowed by a sibling queue, is that correct? That's how it appeared to work in my tests. --Bill

Re: clarification of NAT behavior

2006-04-08 Thread Gabriel Wachman
Daniel Hartmeier wrote: Each packet is filtered on both interfaces, the internal one and the external one. On the external one you'll be seeing already translated packets, on the internal one not-yet (or back-)translated packets. I think that is the crux of my confusion. For example, I though

Re: contributions to pf FAQ/manpage whatever

2006-04-08 Thread Daniel Hartmeier
On Fri, Apr 07, 2006 at 09:09:30PM -0500, Travis H. wrote: > What would be the appropriate way to submit additions to the PF FAQ > and/or pf.conf manpage? Specifically, what is the source format, > where can I get the source (for the FAQ, I know where to get the > unformatted manpage), and to who

Re: clarification of NAT behavior

2006-04-08 Thread Daniel Hartmeier
On Fri, Apr 07, 2006 at 12:04:23PM -0400, Gabriel Wachman wrote: > >>>If NAT translation happens BEFORE any filter rules are evaluated > >>>(see http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be > >>>true that an outbound packet from the internal network will be > >>>seen by the filteri

Re: pf -> no memory buffers

2006-04-08 Thread Travis H.
I removed all tagging and queueing and still had the problem. Attached is the output of "vmstat -m" shortly before the system was rebooted. If anyone has any troubleshooting ideas, I'm all ears. The only other thing that has changed lately is that I'm now using one of the Soekris 4-port PCI NICs

Re: PF and label expansion limitations

2006-04-08 Thread Travis H.
I don't see why you couldn't just feed your ruleset through a preprocessor like m4 before passing it to pfctl. It's just text. Make up your own syntactic sugar. Back in the days before pf, I used to do shell expansions along the lines of myhost="$(hostname)" ipf ... -f /dev/stdin

contributions to pf FAQ/manpage whatever

2006-04-08 Thread Travis H.
What would be the appropriate way to submit additions to the PF FAQ and/or pf.conf manpage? Specifically, what is the source format, where can I get the source (for the FAQ, I know where to get the unformatted manpage), and to whom exactly should I send the diffs? TIA -- Security Guru for Hire ht

borrow on all queues

2006-04-08 Thread Travis H.
Does putting borrow on all child queues make any sense? The way I read it, it does, so like a child queue that isn't using its bandwidth, can be borrowed by a sibling queue, is that correct? -- Security Guru for Hire http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC