RE: pf; XP firewall; and MS Remote Desktop

2006-04-05 Thread Melameth, Daniel D.
Peter wrote: > I have a user that is on WinXP. She uses Microsoft's Remote Desktop > to connect to a remote server (TCP port 3389). I have installed > OpenBSD > 3.8 to act as firewall for the office. She complains of serious > intermittent latency problems for this particular network usage > (i

RE: dropped packets when queueing

2006-04-02 Thread Melameth, Daniel D.
Travis H. wrote: > I'm having issues with queueing. When I enable cbq, it seems like it > slows a lot of stuff down. This would make sense if I was severely > throttling stuff, but I hardly ever reach full capacity, and each > class has "borrow". Nevertheless, I'm seeing lots of dropped packets

RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
> Any other thoughts? > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Melameth, Daniel D. > Sent: Saturday, March 11, 2006 12:27 AM > To: pf@benzedrine.cx > Subject: RE: Solution Request: I need to initiate outbound PPTP > reques

RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
Peter N. M. Hansteen wrote: > "Chris Willis" <[EMAIL PROTECTED]> writes: > > What changes need to be made to the ruleset to allow outbound PPTP > > connections? Here is the existing NAT rule I thought might work > > based on browsing the Archives: > > googlemancy on PF NAT PPTP seems to indicate t

RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
Chris Willis wrote: > I have set up a FreeBSD box running PF for a client. It is the > 'firewall' for their internal LAN. > > I cannot make an outbound VPN connection from their LAN to any other > Microsoft PPTP VPN server. > > The VPN connections work fine from any machine that plugs in to the >

RE: ACK priority and TCP flags

2006-02-05 Thread Melameth, Daniel D.
Brad Waite wrote: > Read through http://www.benzedrine.cx/ackpri.html which makes perfect > sense (for the most part). What I'm getting hung up on is the use of > the TCP flags in the filtering: > > pass out on $ext_if proto tcp from $ext_if to any flags S/SA \ > keep state queue (q_def,

RE: PF Connection Throttling (prevent DoS)

2006-01-22 Thread Melameth, Daniel D.
Forrest Aldrich wrote: > I saw an older thread where someone asked about this, but it applied > to a web server. > > I'm seeing a jump in the number of botnet smtp floods on my system, > and it's time to implement something more proactive. Since I use PF, > that's the logical place to start... (

RE: viewing pf rules in tcpdump output

2006-01-16 Thread Melameth, Daniel D.
Peter wrote: > --- "Melameth, Daniel D." <[EMAIL PROTECTED]> wrote: > > Peter wrote: > > > Question: Why does tcpdump show pf rules when I use the pflog0 > > > interface in combination with the -e switch (link layer)? It's a > > > fanta

RE: viewing pf rules in tcpdump output

2006-01-15 Thread Melameth, Daniel D.
ed wrote: > Another question, how do you associate the rule number to line in > pf.conf, without doing the obvious mental exercise, with many rules > it can be a chore. pfctl -vvs rules

RE: viewing pf rules in tcpdump output

2006-01-15 Thread Melameth, Daniel D.
Peter wrote: > Question: Why does tcpdump show pf rules when I use the pflog0 > interface in combination with the -e switch (link layer)? It's a > fantastic feature but it seems like an odd way to arrive at it. > > rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp 192.168.1.1 > > 192.168.2.

RE: rdr - problem with 10000 connections

2005-08-30 Thread Melameth, Daniel D.
peceka wrote: > I've set up a router on OpenBSD 3.7: .. > It runs good but only if there are not so many connections to this web > server. But when I do many connections (I'm using: ab -n 1 -c 100 > http://192.168.1.212/index.html) to this machine, connection to it > hangs. > > doing telnet loc

RE: rule not matching

2005-08-10 Thread Melameth, Daniel D.
jesse wrote: > Sorry, I was actually in the process of taking the 'flags S/SA' part > out, but hadn't done so completely. It was foolish of me to start to > remove the flags clause. For some reason the packets which I want to > match this rule are being processed somewhere else and when I run > 'pf

RE: rule not matching

2005-08-09 Thread Melameth, Daniel D.
I'm not certain if it's related or not, but on a cursory review, your {80,20,21} rule specifies flags and doesn't specify any flags... jesse wrote: > I'm trying to prioritize certain traffic. One of the rules (from any > to domain.com) DOES work and takes up most of the pipe, as I would > like. Ho

RE: pinging same host on the internet from two different LAN stations

2005-07-27 Thread Melameth, Daniel D.
Pejman Moghadam wrote: > Melameth, Daniel D. wrote : > > FWIW, while I haven't looked into this in detail, it appears Windows > > clients always use the same ICMP ID--512... > > I think this is right, because of this state entry : > > self icmp 192.168.1.18:512

RE: pinging same host on the internet from two different LAN stations

2005-07-26 Thread Melameth, Daniel D.
Daniel Hartmeier wrote: > On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote: > > I have one FreeBSD 5.4 router/firewall box in my LAN that does NAT > > with PF. > > The problem is I can't ping the same machine on the internet from > > two or more different machines on my LAN at the sam

RE: altq priq Anomaly?

2005-06-23 Thread Melameth, Daniel D.
Amir S Mesry wrote: > Interesting issue, I haven't encountered it. 3MB Down/384KB Up. > > altq on $eth0 priq bandwidth 325Kb queue { q_pri, q_def } > queue q_pri priority 7 > queue q_def priority 1 priq(default > > What program are you using to measure it? Please see my original post... FTP.

RE: altq priq Anomaly?

2005-06-23 Thread Melameth, Daniel D.
Stefan Zill wrote: > Jon Hart wrote: > > On Thu, Jun 23, 2005 at 07:39:41AM -0400, Melameth, Daniel D. wrote: > > > The TCP ACKs are not the issue. The issue is I never get more > > > than half of what I set the bandwidth value to. > > > > I've ne

RE: altq priq Anomaly?

2005-06-23 Thread Melameth, Daniel D.
Jon Hart wrote: > On Thu, Jun 23, 2005 at 07:39:41AM -0400, Melameth, Daniel D. wrote: > > The TCP ACKs are not the issue. The issue is I never get more than > > half of what I set the bandwidth value to. > > I've never been able to get exactly the bandwidth I spec

RE: altq priq Anomaly?

2005-06-23 Thread Melameth, Daniel D.
Ingolf Zeiner Petersen wrote: > Melameth, Daniel D. wrote: > > > I implemented altq's priq a while back in the hope of "speeding > > > up" my overall 'net connection by prioritizing empty TCP ACKs. > > > However, I noticed that I was never comin

RE: altq priq Anomaly?

2005-06-23 Thread Melameth, Daniel D.
I sent this email back in March when I was running 3.5 and didn't look into this further because this was an older release--but now I'm running 3.7 and I have the same issue. Any ideas? No one on misc@ seems to... Melameth, Daniel D. wrote: > I sent something similar to this to mi

RE: "keep state" kills (ssh) session?!

2005-06-17 Thread Melameth, Daniel D.
You might want to include a tcpdump capture around the time of the failure from the OpenBSD box. Simon Kammerer wrote: > My pf.conf with OpenBSD 3.7 (GENERIC) > > > > int_if = "vr1" > ext_if = "vr0" > > int_net = "192.168.1.0/24" > ext_net = "192.168.0.0/24" > > block all > > pass quick on l

RE: Failed password for root...

2005-05-20 Thread Melameth, Daniel D.
tefol tefol wrote: > I manage several different pf firewalls around the country, and so I > need to have ssh access allowed. Occasionally, (more and more > often lately), I get script kiddies having a go at brute forcing my > root password (see below) or brute forcing a selection of guessed > a

RE: can you help me measuring traffic using OpenBSD's pf?

2005-03-23 Thread Melameth, Daniel D.
Sean Kamath wrote: > >set loginterface > > Enable collection of packet and byte count statistics > > for the given > > interface. These statistics can be viewed using > > > > # pfctl -s info > > Huh. Didn't know about that. Any idea about the amount of > ov

RE: watching pflog

2005-03-02 Thread Melameth, Daniel D.
eric wrote: > Actually, you bring up an interesting idea; multiple interfaces for > logging. > > Is there any possibility that a far-off-wish-list couple include the > ability to route packets from a pflog device onto the wire and then > monitor that traffic? Say on a monitor network or somethi

RE: watching pflog

2005-03-01 Thread Melameth, Daniel D.
Russell Fulton wrote: > Hi, > I want to monitor the output from pflog in more or less real > time. It isn't clear to me what is the best (read simplest ;) way > to do this. > What I really want is a version of tcpdump that will effectively do > a tail -f on /var/log/pf. Ideally it would

altq priq Anomaly?

2005-03-01 Thread Melameth, Daniel D.
I sent something similar to this to misc@ with nary a response so I hope someone on this specialized list can shed some light on this... I implemented altq's priq a while back in the hope of "speeding up" my overall 'net connection by prioritizing empty TCP ACKs. However, I noticed that I was ne

RE: Wireless router

2003-12-11 Thread Melameth, Daniel D.
On Wednesday, December 10, 2003 11:58 PM Eddie Breaux wrote: > I don't know if anyone watches "The Screen Savers" on TechTV, but today's > episode showed how to make a wireless router that runs a program with a > FreeBSD shell. I know this isn't a FreeBSD forum so he

RE: Prioritized ack and getting bandwidth stats

2003-09-14 Thread Melameth, Daniel D.
On Sunday, September 14, 2003 8:59 AM, [EMAIL PROTECTED] wrote: > I am trying to get bandwidth stats of my 3 legged firewall. The firewall is > attached to an ADSL link so I have set up rules for Priority Ack to > maintain performance, but when I uncomment the rules that are commented > below

RE: Fix pf(4) nat proxy port allocation for manually specified ranges... perhaps? (Resolved)

2003-07-29 Thread Melameth, Daniel D.
On Sunday, July 27, 2003 9:54 AM, Daniel Melameth wrote: > The following snippets DO NOT work fine under 3.3 stable (on > similar > machine): > nat on $ext inet proto udp from $ipp port = 5004 to $ipc -> $ext > port 5004 nat on $ext inet proto udp from $ipp port = 5567 to $

RE: Fix pf(4) nat proxy port allocation for manually specified ranges... perhaps?

2003-07-27 Thread Melameth, Daniel D.
On Sunday, July 27, 2003 2:48 AM, Trevor Talbot wrote: The following snippets DO NOT work fine under 3.3 stable (on similar machine): >>> nat on $ext inet proto udp from $ipp port = 5004 to $ipc -> $ext port 5004 nat on $ext inet proto udp from $ipp port = 5567 to $ipc >>>

RE: Fix pf(4) nat proxy port allocation for manually specified ranges... perhaps?

2003-07-26 Thread Melameth, Daniel D.
On Saturday, July 26, 2003 9:49 PM, Trevor Talbot wrote: > > Newbie running 3.3 stable with pf, dhcpd and isakmpd... > > > > ...recently upgraded to stable in the hopes of curing some ill that I > > have... and now I ask for peer review... > > > The following snippets DO NOT work fine under 3.3 st

Fix pf(4) nat proxy port allocation for manually specified ranges... perhaps?

2003-07-26 Thread Melameth, Daniel D.
Newbie running 3.3 stable with pf, dhcpd and isakmpd... ...recently upgraded to stable in the hopes of curing some ill that I have... and now I ask for peer review... (IP addresses changed to hypothetically protect the innocent...) The following snippets work fine under 3.2 release (on similar