On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
>
> ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> ike passive esp from $T1-2_addr to $remote_gw_addr
do you totally want passive, or is that just an artifact of trying
to get things to work reliably?
> pass
On Thu, May 22, 2008 at 03:42:45PM -0400, Chris Smith wrote:
> Are there some limitations to what rules can apply labels? I'm trying to
> add a label to a rdr rule but keep getting a syntax error.
when i have this question, i search from the bottom of the pf.conf
manpage up (the grammar secti
On Mon, May 12, 2008 at 11:44:29PM -0700, Trevor Talbot wrote:
> You might also need to use the static-port option for udp nat rules:
>
> nat pass log on $ext_if proto udp from $funshine port $COH_ports to any ->
> 85.200.10.151 static-port
yeah, i was gonna say static port too, but trevor bea
On Tue, Apr 24, 2007 at 09:49:32AM +0200, Federico Giannici wrote:
> jared r r spiegel wrote:
> >On Tue, Apr 24, 2007 at 01:42:26AM -0400, jared r r spiegel wrote:
> >>On Mon, Apr 23, 2007 at 10:12:56AM +0200, Federico Giannici wrote:
> >>
> >>>How can I m
On Tue, Apr 24, 2007 at 01:42:26AM -0400, jared r r spiegel wrote:
> On Mon, Apr 23, 2007 at 10:12:56AM +0200, Federico Giannici wrote:
>
> > How can I make a single queue not borrow ALL the traffic?
>
> upperlimit
in this case it is probably not super import
On Mon, Apr 23, 2007 at 10:12:56AM +0200, Federico Giannici wrote:
> How can I make a single queue not borrow ALL the traffic?
upperlimit
On Wed, Mar 07, 2007 at 02:36:35PM +0800, Edy wrote:
> Hi,
>
> I am wondering if anyone has sample config on limiting bandwidth per
> source IP?
> For example, limiting an IP 192.168.1.2 for service http to 30Kb/sec
if you want to limit outgoing bandwidth per incoming source IP,
you need to
On Tue, Feb 27, 2007 at 04:37:27PM -0600, Travis H. wrote:
> I am not sure if this is pf-related, but has anyone seen
> this error message, and what condition actually causes it?
> Incomplete arp table? Out of memory? Something else?
i've seen it in the situation where something happens
that
On Wed, Nov 08, 2006 at 12:22:19AM +0100, Michiel van Baak wrote:
> On 22:12, Tue 07 Nov 06, Cédric Berger wrote:
> > There is no way it can work on a 32-bit i386 system.
> >
> > This kind of pointer limitation is the first reason why
> > ppl move to 64-bit systems, so that might be worth testing
On Fri, Jul 28, 2006 at 12:49:32PM -0700, andrew fresh wrote:
>
> Is this something I am doing wrong, or is it a bug I should file?
>
> The problem I am seeing is that there are 2 interfaces in the "wild"
> group. If you look at the output below, you will see that in the first
> conf file the
On Thu, Jul 27, 2006 at 03:51:15PM -0400, Peter wrote:
> I am writing a shell script to handle simple IP accounting and I'm
> getting an error I cannot solve. Here is the pertinent snippet:
>
> PORT_IN=$(pfctl -sl | grep $i | grep $LABEL | cut -d ' ' -f 9)# bytes
> PORT_IN=$(echo "scale=3; $
On Tue, Feb 28, 2006 at 11:22:48PM -0500, Yasholomew Yashinski wrote:
>
> I'm not sure what changed, as I haven't made any changes in the past 48
> hours that I recall other than a portupgrade, however when I got home
> this afternoon my NAT was hosed. I'm using tun0 (PPPoE over hme0) on
> FreeBSD
On Sun, May 07, 2006 at 03:31:22PM +0700, sugeng riadi wrote:
> i want shaping traffic to client by port or application, but my config
> not running properly,
>
> the ftp package cannot over from gw
>
> any one help me please..!!??
>
> this my config
does the config load correctly?
'pfctl -nvf
On Sat, Apr 29, 2006 at 09:49:18AM +, Michal Soltys wrote:
>
> But
>
> If I change altq line and set bandwidth to something smaller - like 10Mb
> - problems show up. Throughput on ftp drops brutally to around 150 - 250 Kb
>
> Also if I use for example cbq in the following way (regardles
On Mon, May 01, 2006 at 05:55:42AM -0700, Gnat wrote:
> I need some help on setting up IP aliasing with NAT. The need is to
> create static NAT entries for some users due to a limit of 4 sessions
> per Public IP Address for a VPN server. I have 5 addresses from my ISP
> and wanted to use these t
[EMAIL PROTECTED] wrote:
> > works just as good as it possibly could if pf had a "download" queue
> > mechanism, if not better.
>
> This works adequately (How could it be "better"? Sounds like zealot
> speak to me.
to answer that, i believe there's no room for discussion there, then.
> if the
On Sat, Apr 29, 2006 at 05:10:40PM +0200, Stanislaw Halik wrote:
>
> I can speak for myself - I can't afford both the hardware and the
> electricity bill for a separate machine. Maybe downstream limiting isn't
> very robust, but IMO is the biggest thing pf/altq lacks.
i queue the incoming downs
On Thu, Jan 05, 2006 at 01:33:42PM +0059, Claudio Jeker wrote:
> On Thu, Jan 05, 2006 at 06:46:54AM -0500, jared r r spiegel wrote:
> >
> > bgpd has (should have?) enough info from its config
> > to know if it should send an addr_remove (i think this is the one)
> &
On Sun, Feb 12, 2006 at 01:43:45AM -0600, Travis H. wrote:
>
> I got a VPN set up but I'm wondering how to make all traffic go over
> the VPN to the remote end, which is a gateway to the internet.
>
> If I mess with my default route, my traffic stops flowing at all.
if you want all traffic to
On Sat, Feb 04, 2006 at 12:59:41AM +0100, Jonas Davidsson wrote:
> Pf does not seem to allow UDP packets destined for port 0 out, TCP packets to
> the same port pass without problems.
> If nothing else, this breaks nmap's os-detection mode.
>
> with 'pass quick on em0'
> [send_ip] sendto: No route
> Tr0go wrote:
> >
> > table persist
<...>
> > BUT, surprisingly at some time the table
> > "self cleaned"
nahh, you reloaded pf :) that's how this happens to
everyone i've run across, myself included.
> > "persist" keyword should keep all those enemies' IP
> > until next reboot, isn't it?
On Thu, Jan 05, 2006 at 03:18:22AM +0100, Sylwester S. Biernacki wrote:
> On Thursday, January 5, 2006, at 01:15:00, jared r r spiegel wrote:
>
> > - establish session with A and learn about 1.2.3.4/30; 1.2.3.4/30 is
> > written to pftable
> > - establish session with B
On Wed, Jan 04, 2006 at 09:42:44PM +0100, Sylwester S. Biernacki wrote:
>
> What do you think about it? Any ideas what to look for?
one - if you are reloading pf ( pfctl -f /etc/pf.conf ), that will
clear the table; but that's probably not your issue.
two - if you have two peers,
On Fri, Dec 02, 2005 at 12:27:53AM +, Karl O. Pinc wrote:
>
> I thought the queues were tied to the interfaces, so that, for
> instance, queue on the LAN interface could not borrow bandwidth
> from a queue on the DMZ interface. So then you either need to
> partition your WAN bandwidth between
> >
> > > Queuing doesn't make sense inbound anyway; once you've received the
> > > packet, it has already consumed your bandwidth, and thus queuing won't
> > > change anything.
> >
> > queueing could delay ACK reply being sent and then whole connection
> > would get throttled.
> >
> > it works
On Sun, Oct 23, 2005 at 07:08:44AM -0700, Joe Advisor wrote:
> so all of the clients
> are basically matching to the external public IP... so
> basically I can't individually control the upload
> bandwidth.
for this, i use tags. tags aren't bound to an iface, so if you
tag from the clients u
On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote:
> What I'd like is to disable scrub's tcp reassembly on per
> host/port/protocol basis, something along the lines of:
>
>scrub all no-df random-id fragment reassemble reassemble tcp
>no scrub inet proto tcp from any to $SAN_NET port
On Thu, Oct 06, 2005 at 03:48:17PM -0400, Dave wrote:
> My second problem, i'm trying to do mpd vpn, which relies on gre. I've
> got a natted vpn server at 192.168.1.3 but when an external connection
> happens, that is one outside my firewall from a windows box i get an error
> 619, which af
On Wed, Oct 05, 2005 at 02:23:29PM -0700, Zack Lawson wrote:
> As soon as I add a carp
> interface with more than one digit (ie carp10, carp11 or carp23), the
> backup host (with the higher advskew value) starts switching between
> MASTER and BACKUP on seemingly random carp interfaces. The fact tha
On Sat, Oct 01, 2005 at 06:53:12PM -0400, Matt Van Mater wrote:
> I have a similar setup to what Daniel specifies in
> http://www.benzedrine.cx/ackpri.html but have a nagging question that
> I haven't been able to find an answer for.
>
> Why do you need to specify bandwidth on the parent queue in
On Fri, Sep 23, 2005 at 03:00:12PM -0400, Chad M Stewart wrote:
>
> nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)
>
> The problem is that pfctl complains about a syntax problem with that
> line.
[/home/jrrs] $ echo "nat on em0 tagged 1 tag 2 -> (em0)" | pfctl -nvf-
stdin:1: synt
On Wed, Sep 14, 2005 at 01:26:12PM -0400, Brandon Mercer wrote:
>
> What I was figuring is that I need to shape the "general" bandwidth on
> the interface, i.e. give the VPN say 512Kb/512Kb and if that isn't in
> use let it be used by the other services that will be connecting to that
> interface.
On Sat, Sep 03, 2005 at 09:48:16PM -0400, Peter Matulis wrote:
>
> ipfm does
> not seem to be maintained anymore (since 2002).
one thing that sometimes works, for your own use, is to find a
newer release (distfile wise, from the main project page), bump
that up in the makefile, do a make
On Tue, Aug 02, 2005 at 11:34:55PM -0500, Kevin wrote:
>
> You can solve this by using tags:
>
> nat on $ext_if inet from any to any tagged aramith -> 69.13.34.94
> . . .
> pass out from any to any user aramith tag aramith
please remember to specify tcp/udp when doing 'user' or
On Mon, Jul 18, 2005 at 12:10:41PM -0400, Daniel T. Staal wrote:
>
> I'm not too interested in exact rules at this point; I can figure those
> out. I'm just looking for what people think is the best way to use the
> tools to do the job: least ports opened, least hassle, least resources,
> etc.
>
On Tue, Jun 28, 2005 at 04:52:17PM +0100, Bob wrote:
> I thought the problem was that you needed to limit incoming traffic as
> well as outgoing traffic.
i've found that limiting incoming data by queueing on the internal
"LAN-facing" interface can be very beneficial if configured
correctl
On Thu, Jun 09, 2005 at 05:34:40PM +0200, TAMONE Francois - System Engineer wrote:
>
> And what about performance then ?
> Would not this scheme impact double on the kernel in several parts of it ?
the bridge was put up with various hosts from his RFC1918 /24 hanging
off different bridge inte
> >>On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote:
> >>> Try the following rule:
> >>>
> >>>pass on rl0 keep state
i've a limited experience with a bridge so far, but what about, say:
--bridgename.bridge0--
add rl0
add rl1
rule pass in on rl0 tag rl0
rule pass in on rl1 tag rl1
up
--
On Thu, May 26, 2005 at 09:09:59AM +0200, Peter N. M. Hansteen wrote:
> Porkodi <[EMAIL PROTECTED]> writes:
>
> > Please help me in per user basis bandwidth sharing.
> > Is there any way in pf with altq?
>
> authpf with per user rules which assign the user's traffic to queues
> should be possib
On Fri, May 06, 2005 at 12:37:42PM -0400, Jason Dixon wrote:
>
> PF uses a method called "skip steps" to only compare
> against rules that are relevant.
for people curious on how to write the ruleset to be more amicable
to skipsteps ( eg - in such that it is not "fragmented", if you'll
exc
On Wed, May 04, 2005 at 07:42:17PM +0200, DarkT wrote:
>
> altq on $iface hfsc bandwidth 1Mb queue { 1 2 3 }
> queue 1 hfsc(default realtime 50Kb linkshare 100Kb upperlimit 100Kb)
> queue 2 hfsc( realtime 300Kb linkshare 400Kb upperlimit 400Kb )
> queue 3 hfsc( realtime 400Kb linkshare 500Kb upper
On Wed, Mar 30, 2005 at 09:51:07PM -0500, [EMAIL PROTECTED] wrote:
> Why are the following packets being blocked? I know that I have flags
> S/SA modulate state, and that F or FP do not match S/SA, but does that
> matter since its in state?
if you didn't get to solve this yet, is it perhaps a s
On Wed, Feb 16, 2005 at 08:47:37AM +0100, Nicolas wrote:
>
> You're right, everything is blocked by default on the bastion, not just
> inbound but also outbound! What ports, hosts and direction should I
> allow, in your opinion?
welp, i still don't have the answer about why ftp-proxy tried to m
On Wed, Feb 16, 2005 at 08:41:57AM +0100, Nicolas wrote:
>
> [FTP CLIENT]--[DEBIAN]--[OBSD BASTION]-WAN[FTP SERVER]
>
> The Debian machine does ftp masquerading, but I don't see anything
> abnormal on that machine.
>
> The error message on the bastion, in /var/log/daemon, is:
> ftp-proxy[
> On Fri, Feb 11, 2005 at 15:39 +, Bob wrote:
> > Preferably that apply directly to PF which uses three SC types, not two.
meaning also using an on the upperlimit directive?
i'm still just using upperlimit as a hard number, and not using a
curve for that.
On Wed, Feb 16, 2005 at 01
On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote:
> >
> > Post your pf.conf.
>
> Unfortunately, the floppy disk is broken on my bastion. Since the
> pf.conf is around 15ko, I'll avoid typing it... ;-)
can you ftp/scp it off and just post on the www somewhere?
that sometimes seems to f
On Thu, Feb 10, 2005 at 07:59:31PM +, Bob wrote:
>
> I couldn't get CBQ to use up all of the bandwidth. Even when only one
> queue had any traffic, the bandwidth was never getting saturated.
<...>
> Possibly (probably) it was something I was doing wrong. But I've changed
> to HFSC now, and m
On Fri, Feb 11, 2005 at 03:39:17PM +, Bob wrote:
> Is there a clear HFSC explanation somewhere, with real simple examples?
> Preferably that apply directly to PF which uses three SC types, not two.
>
> I've found plenty of documents, but they're all high-level overview
> slideshows that are
On Wed, Jan 19, 2005 at 01:02:10PM -0600, Kevin wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
it is a good idea to reduce to an absolute minimum the amount
of dependency type lookups pf has
On Tue, Jan 18, 2005 at 09:56:03AM -0600, Rick Barter wrote:
>
> Why would I not see the dropped packets in my log file (pflog0).
in this case i think you would. i looked back at the original
pf.conf you posted that the other fellow replied to and the
'block all' didn't have the "$log_flg
On Mon, Jan 17, 2005 at 02:48:07PM -0600, Rick Barter wrote:
> Michael Erdely wrote:
> >You're doing a "block all" and then aren't allowing esp traffic out.
> >Try adding the following with your tcp, udp and icmp pass out rules:
> >pass out $log_flg on $ext_if proto esp all keep state
> >
> >When t
On Sun, Jan 09, 2005 at 11:59:00PM -0800, John Ricardo wrote:
> --- jared r r spiegel <[EMAIL PROTECTED]> wrote:
>
> > On Mon, Jan 03, 2005 at 02:33:37PM -0800, John Ricardo wrote:
> >
> > to directly answer your question, yes, the bandwidth specified is
>
On Mon, Jan 03, 2005 at 02:33:37PM -0800, John Ricardo wrote:
> 1. In general, where does "priority" count? Are priority values only
> considered at a parent queue with respect to the child queues, or are
> they considered at the root with respect to all the leaf queues, or...?
i am currently
On Mon, Jan 03, 2005 at 11:32:35AM +1100, Matt Pearce wrote:
>
> If I am running 2 rules for udp packets to be prioritized and I want a
> specific rule for prioritizing dns udp out to take preference over the
> generic udp altq out rule, do I need this rule to be above the generic
> rule and ha
On Thu, Dec 30, 2004 at 04:52:27PM -0500, Elijah Savage wrote:
> All,
>
> I want to clear this up a bit. I am not looking for some one to provide
> me with config files or say here is what you need to do I can do that on
> my own. What I am looking for is real world experience
i have used vpnc
On Sun, Dec 19, 2004 at 10:29:49PM +1100, A wrote:
> My heartfelt thanks for all the assistance there. ffs, you speak like
> some sort of lord who cannot be bothered assisting the peasants. I get
> an inkling you emanate for from such lofty heights. Now, I admit I am
> not on the main bsd list (eve
On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote:
> If you want to knock off most of the port pounding twits, stop allowing
> ssh from 'any', filter instead by source. If you can't do that, because you
> MUST have access from your remote laptop, then maybe try using a ssh
> rule that s
> For those unfamiliar with the technique, it is like
> knocking a certain pattern/code on a door to open it.
anyone unfamiliar with the technique hasn't read the archives
whatsoever and thus is not going to garner favour from anyone
here at all.
> Has anyone heard of anyone working on a p
On Sat, Nov 13, 2004 at 11:24:44AM -0700, jared r r spiegel wrote:
> --
>
> doublewide.hklocal.net $ sudo cat /etc/pffrag.conf
> e="fxp0"
>
> nfs="2049"
>
> trustedhosts
i'm trying to setup a simple pf.conf for a machine who is the
YP master, NFS server, and Samba server. most of my nfs traffic
is coming across the wire as fragments, so i'm trying to catch
those fragments into the nfs queue with the keyword 'fragment'.
i have put a label on that rule o
On Fri, Nov 05, 2004 at 04:34:25PM -0800, Brian Street wrote:
>
> On Friday, November 5, jared wrote:
> >
> > nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc)
> > nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn)
>
> this second nat line isn't ever going to be evaluated by a pac
On Thu, Nov 04, 2004 at 10:47:06PM -0600, Matt Sellers wrote:
> ## PF.CONF
> # Trial Test - Route all 80 over SBC, rest to RCN
> int_if = "bge0"
> lan_net = "10.0.0.0/24"
> ext_if_sbc = "fxp0"
> ext_if_rcn = "re0"
> ext_gw_sbc = "67.36.180.95"
>
>
> nat on $ext_if_sbc from $lan_net to any -> ($ex
On Sat, Oct 30, 2004 at 07:57:23PM -0400, Jason Opperisano wrote:
>
> rdr pass on $ext_if proto tcp from any to $ext_if port 6881 ->
> $inside_host port 6881
this is exactly correct; but should you care to ever be
seeding or on more than one torrent at a time, you would benefit
from g
On Tue, Oct 26, 2004 at 03:47:27PM -0600, notrox wrote:
> I am running OpenBSD 3.5 and I am trying to do bandwidth limiting to a
> single IP.
> For some odd reason altq isn't borrowing from the root queue.
>
> -
On Thu, Oct 14, 2004 at 09:54:08AM -0700, Justin Cluer wrote:
> # block in log on $dmz_if from $dmz_net to $lan_net
> # block in log on $dmz_if from $dmz_net to $cust_net
> As you can see, I have "block in log on $dmz_if from $dmz_net to
> $lan_net" at the beginning and end of the section. The sp
On Mon, Oct 11, 2004 at 09:56:58AM +0800, Kenneth Oncinian wrote:
> Hi List,
>
> Is there a project right now or is there an application which I can use
> to graph measured queues of pf/ALTQ?
check out symon in ports/sysutils
also check out the author's homepage for a .gz of the 'syweb' por
On Mon, Oct 11, 2004 at 05:47:50PM -0300, Gustavo wrote:
> pfctl: DIOCADDALTQ: Invalid argument
kernel and userland out of synch?
any time i have had pfctl give _ioctl_ errors, i've had my kernel
and userland out of synch.
if it is a syntax error, pfctl tells me syntax error.
jare
> I see lots of traffic on the pfsync0 interface (dedicated interface/vlan).
>
> Now the problem is that states never seem to live more than a few minutes
>
> Creating stateless rules shows that this problem is definitely related to
> states as everything works flawlessly (no disconnections) wh
On Fri, Aug 20, 2004 at 01:47:39PM -0700, Ken Simpson wrote:
> > > Is there any hard and fast reason why the queue can't go slower than
> > > 5.59Kb?
> >
> > timer resolution.
>
> So then perhaps I should have asked: Is there a way to make a
> connection move more slowly than 5.59Kbps using pf?
On Wed, Jul 28, 2004 at 12:44:34PM -0700, [EMAIL PROTECTED] wrote:
>
> I have a mail server behind a obsd 3.5 firewall and I am having timeout errors
> when I try and send an email with a large (5MB or greater) attachment.
i would have the knee-jerk reaction that this is not due to pf.
> So th
On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote:
>
> Take for example a web server sitting in the DMZ, where DMZ is using
> say 192.168.4.0/24, i.e. NAT is being used. The packet comes in via
> something like
>
> pass in on $wan_if inet proto tcp from any to $www_srv port 80 synp
On Mon, May 17, 2004 at 09:22:55PM +0300, Juri Malinovski wrote:
>
> Firewall: FreeBSD 4.10-STABLE, pf version 2.03 from ports.
> Ftp server: proftpd 1.2.9 with passive port's range 5-55000
>
> Requirements: local users connect to internal ftp-server using external ip.
> From local machine
On Mon, May 17, 2004 at 03:58:05PM -0600, [EMAIL PROTECTED] wrote:
> Hello,
>
> I set up a transparent firewall running 3.4. Now I've been
> asked to run squid on the same box as the firewall to increase
> web traffic (hopefully). I've installed another NIC with
> an IP and set up squid to listen
On Wed, May 12, 2004 at 09:08:11AM +0200, Jedi/Sector One wrote:
> On Tue, May 11, 2004 at 04:27:59PM -0600, jared r r spiegel wrote:
> > if you 'block out inet proto {tcp udp} from any to 10.0.0.0/8 user john'
> > does it work?
>
> Noppe, it still matches a
On Tue, May 11, 2004 at 10:21:27PM +0200, Jedi/Sector One wrote:
>
> pass all
> block out from any to 10.0.0.0/8 user john
>
> Unfortunately, the second rule seems to always match, regardless of the
> user.
i had that too
user only for UDP and TCP, so i think that if you don't do
On Wed, Apr 21, 2004 at 09:50:03AM +0200, Wolfgang Pichler wrote:
>
> I've tried these rules:
>
> altq on $ext_if priq bandwidth 1280Kb queue{dns, ssh, mail, www, ftp,
> other}
> queue dns priority 14 priq(red)
> queue ssh priority 13 priq(red)
> queue mail priori
On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote:
>
> If you have a std firewall not set up as a bridge everything is clear
> (shape on the outgoing interface).
> But if you want to shape traffic on both directions on a bridge ?
so you're asking two questions at once it seems?
this is not a complaint or a worry or a question. i believe
the statement of the subject line is pf working properly.
here is just a heads up, in case someone who uses 'rdr pass'
wonders why their queueing doesn't seem to put packets into
the queue they want, but rather puts packets in
On Fri, Apr 16, 2004 at 11:21:10PM +0200, Miroslav Kubik wrote:
>
> I would like to have new option in traffic shaping. I feel like restrict
> connection speed according to connection persistence.
> It could be very
> useful because I would set for the first few seconds higher speed. So the
> traf
On Mon, Apr 12, 2004 at 04:09:24PM +0200, Mario Lopez wrote:
> a Squid proxy for transparent proxy
> I have correctly configured squid for
> normal proxy support (if I specify proxy on browsers it all works
> flawlessly)
can you confirm if you have built squid as FLAVOR=transparent and also
On Mon, Mar 15, 2004 at 10:54:36PM -0500, Dr. David Johnson wrote:
> I think the only other data that may help is that my
> friend says his DSL link is supposed to be 144 up, and
> 288 down, but in using some Internet sites that are
> supposed to measure speed, these show downloads of
> only about
On Mon, Mar 15, 2004 at 08:47:17PM +0800, Lars Hansson wrote:
> We have one client (more to come, which is why this is a bit
> of a concern) that has very high packet/second
> rate while the actual bitrate is fairly low (small VOIP packets) and
> Am I missing something obvious here, or is cbq no
On Sat, Mar 06, 2004 at 08:07:51PM +0059, Jedi/Sector One wrote:
> Hello.
>
> Is there any rule of thumb in order to find out the right value for the
> qlength knob of cbq schedulers?
>
> I have to restrict the outgoing traffic to 110 Mb/s on a gigabit link.
>
> The default value of ql
i was going to bitch about not searching archives, but
last time i touched on this topic was on misc@, so i don't
think i can really complain...
'bittorrent queue' is effective search for misc@ archive,
with respect to this.
hopefully i will make sense. i notice you have no rdr on
On Thu, Feb 26, 2004 at 12:38:34AM +0100, Darek Eliasz wrote:
>
> > I'm getting an error with the following:
> >
> > all_web = "{" $web1 $albums "}"
> Should be:
> all_web = "{ $web1, $albums }"
nonono. commas do not matter for this!
i see people give this advice frequently.
if you check
On Fri, Feb 20, 2004 at 11:46:25PM +0100, Cedric Berger wrote:
> Brent Bolin wrote:
>
> >Hello,
> >
> >Does anybody know of a way to capture statistics on multiple
> >interfaces running pf
> >
> Aha!
> Up to recently, that was impossible to grab stats on more than
> one interface with PF. You can
On Sat, Jan 31, 2004 at 03:13:48AM -0700, jared r r spiegel wrote:
>
> http://www-2.cs.cmu.edu/~hzhang/HFSC/software.html
>
> i tried last week getting the altq-2.??? and -3.??? tar.gz from that page because
> i became smitten with wanting to be able to use the
On Sat, Feb 14, 2004 at 02:35:28AM -0800, Octavian Hornoiu wrote:
> I have tried using the rules I know from ipfilter on freebsd
> to forward port 0 with gre and all that but I cannot seem to get pf to
> accept the ruleset without it complaining about syntax. How is this
> accomplished via the new
On Fri, Feb 13, 2004 at 07:07:04PM -0700, j knight wrote:
>
> It sounds to me like he's setup his clients to use squid but has now
> decided to ditch squid. He wants to do trickery with pf so that he
> doesn't have to go around again to each client and remove the proxy
> settings.
ahh!; yes,
On Fri, Feb 13, 2004 at 03:17:08PM -0600, Brent Bolin wrote:
>
> Without going around and changing all the workstations from using the proxy,
> is there a way I can redirect lan connections to the firewall to port 3128
> to the net on port 80.
man 5 pf.conf ?
rdr on $int_if inet proto tcp from
On Thu, Jan 29, 2004 at 07:30:09PM -0800, Andre LaBranche wrote:
>
> For some reason, all traffic to and from NAT'd machines falls into the
> default inbound / outbound queues.
do you mean the default with respect to cbq( default ), or the default
with respect to the queue you're deciding yo
On Fri, Jan 30, 2004 at 02:12:29PM -0800, Trevor Talbot wrote:
>
> The URL you were going to post didn't show
wow. i suck. it didn't show because i utterly omitted pasting
it. .
http://www.tik.ee.ethz.ch/~crossbow/rp/plugins/hfsc.html
> http://www.csl.sony.co.jp/person/kjc/kjc/software/T
On Thu, Jan 29, 2004 at 11:33:22AM +0100, [EMAIL PROTECTED] wrote:
>
> since I have upgraded from 3.4-stable to -current,
> It appears the setting "set loginterface tun0",
http://openbsd.rt.fm/faq/upgrade-minifaq.html#3.4.3
^^ is that it? i know that after my -current was past that point,
On Fri, Jan 30, 2004 at 02:48:27PM +0700, Egbert Krook wrote:
> Hi Jared,
>
> Thanks a lot for your response.
n/p. too bad i only vaguely have a clue what i'm talking about
> I've tried adding cbq(borrow) using the following combinations. None
> achieve the effect described in the FAQ.
>
>
On Wed, Jan 28, 2004 at 05:38:42PM +0700, Egbert Krook wrote:
> altq on $int_if cbq bandwidth 100% queue { net_int, www_int }
> queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
> queue std_int cbq(default)
> queue it_int bandwidth 500Kb cbq(borrow)
> queue boss_int priority
On Tue, Jan 13, 2004 at 11:04:02AM -0500, Albert Rybalkin wrote:
> What I want to use is some sort of pf rule
> that would force certain outgoing packets (based on
> filtering criteria) to have their source address set
> to dhcp-leased address, i.e. something like "(fxp0:0)".
>
> Right now when t
On Fri, Jan 09, 2004 at 07:32:55PM -0500, Munish Chopra wrote:
>
> > > On a different note, it was mentioned on IRC that keeping state
> > > while using ALTQ is likely a bad idea. Could someone please point to
> > > a discussion about this in the archives somewhere, or elaborate
> > > personally?
yeah... maybe using DNS resolution to specify hosts
your rules pertain to rather than just using their IPs is
not such a hot idea...
especially as it pertains to remote reboots.
whoops.
jared
--
[ openbsd 3.4 GENERIC ( jan 5 ) // i386 ]
On Wed, Nov 26, 2003 at 11:18:41AM +0100, Thelmo Loisio wrote:
> All run correctly and it's a charm but now for some reasons that
> overcomes my willing i cannot set this as the def gw for my lan and as
> soon as i don't set this as the def gw all stop working,
> for it to work
> again i've to set
On Fri, Oct 31, 2003 at 12:02:32PM -0700, Colin Harford wrote:
> So, before I get flamed, yes, I do know of pfstat, ipaudit, etc. What
> I am after is something from the cli.
> Sort of like pfctl -s info, or when using altq: pfctl -vvsq.
> Does anyone know of a good way to do this, without going