On 4/10/06, James Nachlin <[EMAIL PROTECTED]> wrote:
> I'm having a strange situation where I'm getting back errors when
> connecting to a web server (lighttpd) from IE, which I do not get from
> firefox and I don't get connecting directly, not through the pf firewall.
>
> To the client, this appe
Hi everyone,
I'm running an OpenBSD 3.8-stable nat gateway in an environment with multiple
uplinks. pf is configured to load balance outgoing traffic originating from
my internal lan. My pf.conf is attached at the very end.
The only unusual feature in my setup is that all my uplink gateways ar
I'm looking to understand the proper way to get v6 carp to behave.
The problem is, that when I have one of the firewalls reboot, and its carp
interfaces become 'master', the v6 somehow thinks there is a duplicate v6
address for the address(es) I have configured on the carp interfaces.
In my case,
thanks Rmkml
I also started to debug with clasicall method , checking out the rule
options which i have put with great enthusiasm to do the job as it must
be done :(
queue is must, bandwith is also. scrube didnot change anything ,
modulate is not for inbound rules
But i had to disable S/SA flags
with S/SAFR blocks are fairly less.
fxp0 tcpdump
Apr 10 16:20:26.355483 rule 10/(match) [uid 0, pid 11420] block in on
fxp0:
85.100.9.86.2834 > 212.154.36.10.443: [|tcp] (ttl 118, id 37642, len
40, bad
cksum 0! differs by 5a67)
--
But if i disable S/SA for internal -> out
then i would get wrong state tables from in -> out and wrong queue
will be assinged and my state table will be overwhelmed again. ( esp at
times FW reset)
now, I am sure I know the reson of outbound blocks, those are all
inactive connections, and kille
with
# tcpdump -n -e -o -vvv -ttt -i pflog0 port 443
rule 10/(match) [uid 0, pid 1807] block in on fxp0: 85.100.124.74.14464
> server1.443: [|tcp] (ttl 249, id 65259, len 40, bad cksum 0! differs by f890)
block in on fxp0: 81.215.12.114.2051 > server1.443: [|tcp] (ttl 250, id
62897, len 40, bad c
I'm still working on porting our unicast stream servers behind PF
firewall runs on openbsd3.8.
That is a hidden, bridged firewall.
Now, Im testing with only one server, which is streaming from tcp port
443 to nearly 500-1000 instannt browser embedded java clients.
Traffic makes up to 2 ~ 3Mbps
Sorry for less information..
Now I'm in Inhouse Network (em1) and try to connect to Staging Network (em2).
When use passive ftp.. there are errors like this..
1144651969.072458 rule 0/(match) block in on em1: 192.168.1.181.1366 >
192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 (DF)
114
