Hello.
This message was just posted to the linux-kernel mailing-list.
Any comment on this? Is there actually any bug in pf support for window
scaling that could significantly drop the throughput?
---BeginMessage---
On Tue, 16 Nov 2004 15:46:25 -0800
Harry Edmon [EMAIL PROTECTED] wrote:
On Tue, Oct 19, 2004 at 03:14:26PM -0700, Sean wrote:
Anyway, to address the original poster's question, the only systems I've
seen pf ported to are FreeBSD and NetBSD.
and DragonFlyBSD.
Is it planned to add PF shirts to the OpenBSD store?
That one is cute :)
http://openbsd.org/papers/bsdcan04-pf/mgp2.html
--
__ /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\ __
\ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' /
\/ a href
On Fri, Aug 20, 2004 at 12:21:46PM -0700, Ken Simpson wrote:
Is there a way in pf to move a particular TCP connection from one
queue to another -- while the connection is still live? I don't
imagine it would be really difficult; isn't it just a case of changing
an entry in the state table?
it works for daemons but not for users logged through ssh?
--
It looks like there's an odd bug with the user directive in -current.
Here's a very basic pf.conf :
pass all
block out from any to 10.0.0.0/8 user john
Unfortunately, the second rule seems to always match, regardless of the
user.
--
On Tue, Mar 16, 2004 at 12:24:36PM -0800, Paul B. Henson wrote:
We're running an X86 box with 512MB ram, nmbclusters = 8192, nkmempages =
81920
Didn't Cedric say that nkmempages 16384 on x86 was unstable?
Did you test it that way for a long time?
--
Hello.
Is there any kernel parameter like NMBCLUSTERS or NKMEMPAGES to increase
in order to let pf work with millions of states? The host has 1Gb ram and
does nothing but transparent firewalling.
TIA,
--
many states max will it keep?
Best regards,
--
box.
--
.
--
and the 'suspends' counter increases. Should I raise
the qlength value? What are the implications of having it too low or too
high?
Best regards,
--
be way higher.
And no, PF doesn't support this.
--
always get the same source address?
--
file.
--
and reliably predict TCP ISNs. There are a lot of arguments against this
kind of limit, but per rule/source ip pairs are at least less DOSable than
plain per rule limits.
Or through a DDOS, but a firewall rule can hardly protect against this.
--
running today's -current.
--
pfctl segfaults when it encounters a no-rdr keyword with no previous
line with the rdr keyword.
$ echo 'no rdr on lo0 from any to any' | sudo /tmp/pfctl -f -
zsh: 3713 segmentation fault sudo /tmp/pfctl -f -
GDB backtrace :
Program received signal SIGSEGV, Segmentation fault.
yyparse ()
On Sat, Dec 21, 2002 at 06:27:18PM +0100, Jedi/Sector One wrote:
pfctl segfaults when it encounters a no-rdr keyword with no previous
line with the rdr keyword.
This little patch may improve things.
--
Let's learn French thanks to the Internet:
je me demande si les pb de base de donnee
22512
nop,nop,timestamp 3437298 1686345941 (DF) [tos 0x10]
tons of similar packets are following.
--
On Thu, Nov 28, 2002 at 08:03:41PM +0100, Daniel Hartmeier wrote:
Can you try to get a tcpdump -nvvvpSi $INT (-S shows absolute sequence
numbers)
[snip snip]
Stuff sent privately to Daniel.
--
21 matches