[EMAIL PROTECTED]: Re: Network slowdown from 2.6.7 to 2.6.9]

Hello. This message was just posted to the linux-kernel mailing-list. Any comment on this? Is there actually any bug in pf support for window scaling that could significantly drop the throughput? ---BeginMessage--- On Tue, 16 Nov 2004 15:46:25 -0800 Harry Edmon [EMAIL PROTECTED] wrote:

Re: Linux port of pf

On Tue, Oct 19, 2004 at 03:14:26PM -0700, Sean wrote: Anyway, to address the original posters question, the only systems I've seen pf ported to are FreeBSD and NetBSD. and DragonFlyBSD.

PF shirts?

Is it planned to add PF shirts to the OpenBSD store? That one is cute :) http://openbsd.org/papers/bsdcan04-pf/mgp2.html -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href

Re: Moving an existing TCP connection to a different queue

On Fri, Aug 20, 2004 at 12:21:46PM -0700, Ken Simpson wrote: Is there way in pf to move a particular TCP connection from one queue to another -- while the connection is still live? I don't imagine it would be really difficult; isn't it just a case of changing an entry in the state table?

Re: user directive broken in -current

it works for daemons but not for users logged through ssh? -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

user directive broken in -current

It looks like there's an odd bug with the user directive in -current. Here's a very basic pf.conf : pass all block out from any to 10.0.0.0/8 user john Unfortunately, the second rules seems to always match, regardless of the user. -- __ /*-Frank DENIS (Jedi/Sector One) j

Re: Keeping a lot of states

On Tue, Mar 16, 2004 at 12:24:36PM -0800, Paul B. Henson wrote: We're running an X86 box with 512MB ram, nmbclusters = 8192, nkmempages = 81920 Didn't Cedric say that nkmempages 16384 on x86 was instable? Did you test it that way for a long time? -- __ /*-Frank DENIS (Jedi/Sector

Keeping a lot of states

Hello. Is there any kernel parameter like NMBCLUSTERS or NKMEMPAGES to increase in order to let pf work with millions of states? The host has 1Gb ram and does nothing but transparent firewalling. TIA, -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com

Re: Keeping a lot of states

many states max will it keep? Best regards, -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

Re: Step effect?

box. -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

Step effect?

. -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

Setting qlength

and the 'suspends' counter increases. Should I raise the qlength value? What are the implications of having it too low or too high? Best regards, -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server

Re: Anything approximating ipfw 'limit' mechanism

be way higher. And no, PF doesn't support this. -- __ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

dest-hash ?

always get the same source address? -- __ /*- Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

Re: Port = domain

file. -- __ /*- Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

Re: source limit

and reliably predict TCP ISNs. There are a lot of arguments against this kind of limit, but per rule/source ip pairs are at least less DOSable than plain per rule limits. Or through a DDOS, but a firewall rule can hardly protect against this. -- __ /*- Frank DENIS (Jedi/Sector One

Changing anchors clears queues?

running today's -current. -- __ /*- Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a \/

pfctl segfault

pfctl segfaults when it encounters a no-rdr keyword with no previous line with the rdr keyword. $ echo 'no rdr on lo0 from any to any' | sudo /tmp/pfctl -f - zsh: 3713 segmentation fault sudo /tmp/pfctl -f - GDB backtrace : Program received signal SIGSEGV, Segmentation fault. yyparse ()

Re: pfctl segfault

On Sat, Dec 21, 2002 at 06:27:18PM +0100, Jedi/Sector One wrote: pfctl segfaults when it encounters a no-rdr keyword with no previous line with the rdr keyword. This little patch may improve things. -- Apprenons le francais grace a l'Internet : je me demande si les pb de base de donnee

pf sending an ACK storm?!

22512 nop,nop,timestamp 3437298 1686345941 (DF) [tos 0x10] tons of similar packets are following. -- __ /*- Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\ __ \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' / \/ a href=http://www.Jedi.Claranet.Fr

Re: pf sending an ACK storm?!

On Thu, Nov 28, 2002 at 08:03:41PM +0100, Daniel Hartmeier wrote: Can you try to get a tcpdump -nvvvpSi $INT (-S shows absolute sequence numbers) [snip snip] Stuff sent privately to Daniel. -- __ /*- Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\ __ \ '/a href=http