hello.
rather by stupid error, i ended up moving up to 3.3 ( -current )
on my main NAT gateway at home.
myself and a friend have an isakmpd VPN between us.
perhaps it was not the only way to do it, but one way we got
routing to work between the two VPN subnets ( 192.168.7/27,
1
On Thu, Mar 27, 2003 at 02:31:00PM -0500, David Powers wrote:
[ I was experimenting with a recent build of -current (3/25/2003) ...
a tcpdump -vv on both ends showed ...
do I just have a bad build of current? ]
this might not be wholly relavant, but i was in a similar boat recently,
expe
> will
> the following work? Does pf syntax allow this?
>
> BadTCPFlags="{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, \
> FS/FS, FSRPAU, /FSRPAU }"
>
> block in quick proto tcp all flags $BadTCPFlags
hi adam.
i made only a slight modification to this: namely inserted
'on fxp
> Nikolay Denev wrote:
> The provider shapes me at 512/128Kb local and 64/16Kb internetional traffic.
this might totally be a stupid nonsense idea, but a good half of my
ideas are stupid nonsense but also crazy enough to work.
what if you created two vlans, each using your external interfac
On Sat, Jun 14, 2003 at 04:52:26PM -0400, Michael Purcaro wrote:
> /etc/inetd.conf
> 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.2 80
>
> /etc/pf.conf
> rdr on $ext_if proto tcp from any to any port 80 -> $WWW_IP port 80
> rdr on $int_if proto tcp from $int_net
if i say:
altq on fxp1 hfsc bandwidth 100Mb queue { q1 q2 q3 q4 }
queue q1 hfsc(default)
queue q2
queue q3
queue q4
i get the error:
altq on fxp1 hfsc bandwidth 100Mb tbrsize 12000 queue { q1 q2 q3 q4 }
queue q1
queue q2
pfctl: link-sharing sc exceeds parent's sc
queue q2
pfctl: link-
aloha.
i'm messing with a pf.conf trying hfsc queues; i'm probably
creating more complexity than i need here -- but just out of
curiosity, is there meant to be a limit of 62 queues for hfsc
type queues, or a limit of 62 in general ?
in the main, "work-in-progress" pf.conf, i have tw
On Sat, Jun 28, 2003 at 11:37:06PM -0600, jared r r spiegel wrote:
> curiosity, is there meant to be a limit of 62 queues for hfsc
> type queues, or a limit of 62 in general ?
duh.
/usr/src/sys/altq/altq_hfsc.h
/* special class handles */
#define HFSC_NULLCLASS_HANDLE 0
#
On Sat, Jun 28, 2003 at 11:37:06PM -0600, jared r r spiegel wrote:
>
> pfctl: DIOCADDALTQ: Invalid argument.
here's an odd one ( they're all odd to me ).
i've now made two altq declarations.
one on the internal interface:
( cbq, consisting of 118 queues total, pa
On Thu, Jul 10, 2003 at 10:44:10PM -0400, Jason Dixon wrote:
> Is there any way to ftp-proxy an outgoing passive ftp connection through
> a default block policy on the internal interface?
yeah, i'm using the "user proxy" thing like this :
===
i="
On Thu, Jul 17, 2003 at 05:06:11PM -0300, Alejandro G. Belluscio wrote:
>
> altq on $ext_if priq bandwidth 1Mb queue { q_pri, q_int, q_def, q_low }
> queue q_pri priority 5
> >queue q_int priotity 4
> queue q_def priority 3 priq(default)
> queue q_low priority 2
>
> If I change the "q_int"
On Fri, Jul 18, 2003 at 08:37:04PM +0200, Angel Todorov wrote:
>
> limit the upload rate to a certain value for each IP in a certain network ?
>
> for example 10kbit/sec for each ip in 172.16.0.0/16
it might be suboptimal, but you could create a queue for each IP,
and then a literal pass ru
On Wed, Jul 23, 2003 at 01:36:13AM -0300, Alejandro G. Belluscio wrote:
> I just wonder if some hash attack could be used against the state
> matching code without flags, like the recens DNS attack.
> http://www.cs.rice.edu/~scrosby/hash/
hmm. the paper mentions squid, and it seems to be of a
On Thu, Jul 24, 2003 at 12:19:30AM -0600, Richard D. Gutery wrote:
> and nothing else (or to be more correct the FIRST GATEWAY address in mygate).
>
> Any suggestions or ideas would be appreciated.
as i'm not in a similar scenario, i don't know if this would be as easy
as the suggestion impl
On Mon, Aug 04, 2003 at 02:55:08PM +1000, Craig Barraclough wrote:
> Hi all,
> I've got a strange occurence with connection to one of my boxes, during ssh
> connections, I'll quite commonly have the connection freeze then drop, with
> an entry in pflog:
> Followed by a series of (13) resets:
On Mon, Aug 11, 2003 at 06:56:23PM -0700, Trevor Talbot wrote:
>
> Keep in mind the filter rules are applied _after_ translation, which
> affects the port numbers. $tcp_in should include 3389 instead of 4001
> and 4002.
>
also keep in mind that you'll forget that fact about 700 times.
yo
On Sat, Aug 16, 2003 at 03:22:38AM +0200, Daniel Hartmeier wrote:
> On Sat, Aug 16, 2003 at 12:09:44AM +0200, Andy wrote:
>
> > Is there any easy way to achieve this?
>
> A common solution is to redirect all incoming connections to a HTTP
> proxy like squid, which accepts incoming connections, re
On Mon, Aug 25, 2003 at 09:27:52AM +0200, Alexandre Dulaunoy wrote:
>
> I would like to set the timeout of a specific TCP service with pf. It
> seems that the values are globals (tcp.closing and so on...).
> Is it possible to make a timeout for a specific TCP port ? I have
> looked in pf.conf(
On Mon, Aug 25, 2003 at 01:44:54AM -0600, jared r r spiegel wrote:
> from pf.conf(5): ( line ~200 )
>
> These values can be defined both globally and for each rule. When
> used on a per-rule basis, the values relate to the number of states
> created by the rule, otherwi
On Tue, Aug 26, 2003 at 12:31:24PM -0400, J. Sabino wrote:
> Is there a shorter way to do 1 to 1 RDR? Consider the following:
>
> rdr on $ext proto tcp from any to $ip port 24099 -> 192.168.1.20 port 24099
> rdr on $ext proto tcp from any to $ip port 24100 -> 192.168.1.20 port 24100
> rdr on $ext
On Mon, Sep 22, 2003 at 07:18:06PM -0400, Elijah Savage wrote:
> track hits on that certain rule.
tack a unique label on each one.
# pfctl -vsl
shows you, in order: (from pfctl(8))
-s labels Show per-rule statistics (label, evaluations, pack-
ets, bytes) o
On Sun, Oct 12, 2003 at 11:13:18PM -0500, Jay Moore wrote:
> If I have a redirect as I do, why do I need a rule that allows the redirect to
> actually take place?
>
> Put another way: do I need the redirect with the pass rule for spamd?
it's like RISC vs CISC, or something...
think of that
On Fri, Oct 31, 2003 at 12:02:32PM -0700, Colin Harford wrote:
> So, before I get flamed, yes, I do know of pfstat, ipaudit, etc. What
> I am after is something from the cli.
> Sort of like pfctl -s info, or when using altq: pfctl -vvsq.
> Does anyone know of a good way to do this, without going
On Wed, Nov 26, 2003 at 11:18:41AM +0100, Thelmo Loisio wrote:
> All run correctly and it's a charm but now for some reasons that
> overcomes my willing i cannot set this as the def gw for my lan and as
> soon as i don't set this as the def gw all stop working,
> for it to work
> again i've to set
yeah... maybe using DNS resolution to specify hosts
your rules pertain to rather than just using their IPs is
not such a hot idea...
especially as it pertains to remote reboots.
whoops.
jared
--
[ openbsd 3.4 GENERIC ( jan 5 ) // i386 ]
On Fri, Jan 09, 2004 at 07:32:55PM -0500, Munish Chopra wrote:
>
> > > On a different note, it was mentioned on IRC that keeping state
> > > while using ALTQ is likely a bad idea. Could someone please point to
> > > a discussion about this in the archives somewhere, or elaborate
> > > personally?
On Tue, Jan 13, 2004 at 11:04:02AM -0500, Albert Rybalkin wrote:
> What I want to use is some sort of pf rule
> that would force certain outgoing packets (based on
> filtering criteria) to have their source address set
> to dhcp-leased address, i.e. something like "(fxp0:0)".
>
> Right now when t
On Wed, Jan 28, 2004 at 05:38:42PM +0700, Egbert Krook wrote:
> altq on $int_if cbq bandwidth 100% queue { net_int, www_int }
> queue net_intbandwidth 1.0Mb { std_int, it_int, boss_int }
> queue std_int cbq(default)
> queue it_int bandwidth 500Kb cbq(borrow)
> queue boss_int priority
On Fri, Jan 30, 2004 at 02:48:27PM +0700, Egbert Krook wrote:
> Hi Jared,
>
> Thanks a lot for your response.
n/p. too bad i only vaguely have a clue what i'm talking about
> I've tried adding cbq(borrow) using the following combinations. None
> achieve the effect described in the FAQ.
>
>
On Thu, Jan 29, 2004 at 11:33:22AM +0100, [EMAIL PROTECTED] wrote:
>
> since I have upgraded from 3.4-stable to -current,
> It appears the setting "set loginterface tun0",
http://openbsd.rt.fm/faq/upgrade-minifaq.html#3.4.3
^^ is that it? i know that after my -current was past that point,
On Fri, Jan 30, 2004 at 02:12:29PM -0800, Trevor Talbot wrote:
>
> The URL you were going to post didn't show
wow. i suck. it didn't show because i utterly omitted pasting
it. .
http://www.tik.ee.ethz.ch/~crossbow/rp/plugins/hfsc.html
> http://www.csl.sony.co.jp/person/kjc/kjc/software/T
On Thu, Jan 29, 2004 at 07:30:09PM -0800, Andre LaBranche wrote:
>
> For some reason, all traffic to and from NAT'd machines falls into the
> default inbound / outbound queues.
do you mean the default with respect to cbq( default ), or the default
with respect to the queue you're deciding yo
On Fri, Feb 13, 2004 at 03:17:08PM -0600, Brent Bolin wrote:
>
> Without going around and changing all the workstations from using the proxy,
> is there a way I can redirect lan connections to the firewall to port 3128
> to the net on port 80.
man 5 pf.conf ?
rdr on $int_if inet proto tcp from
On Fri, Feb 13, 2004 at 07:07:04PM -0700, j knight wrote:
>
> It sounds to me like he's setup his clients to use squid but has now
> decided to ditch squid. He wants to do trickery with pf so that he
> doesn't have to go around again to each client and remove the proxy
> settings.
ahh!; yes,
On Sat, Feb 14, 2004 at 02:35:28AM -0800, Octavian Hornoiu wrote:
> I have tried using the rules I know from ipfilter on freebsd
> to forward port 0 with gre and all that but I cannot seem to get pf to
> accept the ruleset without it complaining about syntax. How is this
> accomplished via the new
On Sat, Jan 31, 2004 at 03:13:48AM -0700, jared r r spiegel wrote:
>
> http://www-2.cs.cmu.edu/~hzhang/HFSC/software.html
>
> i tried last week getting the altq-2.??? and -3.??? tar.gz from that page because
> i became smitten with wanting to be able to use the
On Fri, Feb 20, 2004 at 11:46:25PM +0100, Cedric Berger wrote:
> Brent Bolin wrote:
>
> >Hello,
> >
> >Does anybody know of a way to capture statistics on multiple
> >interfaces running pf
> >
> Aha!
> Up to recently, that was impossible to grab stats on more than
> one interface with PF. You can
On Thu, Feb 26, 2004 at 12:38:34AM +0100, Darek Eliasz wrote:
>
> > I'm getting an error with the following:
> >
> > all_web = "{" $web1 $albums "}"
> Should be:
> all_web = "{ $web1, $albums }"
nonono. commas do not matter for this!
i see people give this advice frequently.
if you check
i was going to bitch about not searching archives, but
last time i touched on this topic was on misc@, so i don't
think i can really complain...
'bittorrent queue' is effective search for misc@ archive,
with respect to this.
hopefully i will make sense. i notice you have no rdr on
On Sat, Mar 06, 2004 at 08:07:51PM +0059, Jedi/Sector One wrote:
> Hello.
>
> Is there any rule of thumb in order to find out the right value for the
> qlength knob of cbq schedulers?
>
> I have to restrict the outgoing traffic to 110 Mb/s on a gigabit link.
>
> The default value of ql
On Mon, Mar 15, 2004 at 08:47:17PM +0800, Lars Hansson wrote:
> We have one client (more to come, wich is why this is a bit
> of a concern) that has very high packet/second
> rate while the actual bitrate is fairly low (small VOIP packets) and
> Am I missing something obvious here, or is cbq no
On Mon, Mar 15, 2004 at 10:54:36PM -0500, Dr. David Johnson wrote:
> I think the only other data that may help is that my
> friend says his DSL link is supposed to be 144 up, and
> 288 down, but in using some Internet sites that are
> supposed to measure speed, these show downloads of
> only about
On Mon, Apr 12, 2004 at 04:09:24PM +0200, Mario Lopez wrote:
> a Squid proxy for transparent proxy
> I have correctly configured squid for
> normal proxy support (if I specify proxy on browesers it all works
> flawlesly)
can you confirm if you have built squid as FLAVOR=transparent and also
On Fri, Apr 16, 2004 at 11:21:10PM +0200, Miroslav Kubik wrote:
>
> I would like to have new option in traffic shaping. I feel like restrict
> connection speed according to connection persistence.
> It could be very
> useful because I would set for the first few seconds higher speed. So the
> traf
this is not a complaint or a worry or a question. i believe
the statement of the subject line is pf working properly.
here is just a heads up, in case someone who uses 'rdr pass'
wonders why their queueing doesn't seem to put packets into
the queue they want, but rather puts packets in
On Thu, Apr 22, 2004 at 09:21:51AM +0200, Per-Olov Sjöholm wrote:
>
> If you have a std firewall not set up as a bridge everything is clear
> (shape on the outgoing interface).
> But if you want to shape traffic on both directions on a bridge ?
so you're asking two questions at once it seems?
On Wed, Apr 21, 2004 at 09:50:03AM +0200, Wolfgang Pichler wrote:
>
> I've triied these rules:
>
> altq on $ext_if priq bandwidth 1280Kb queue{dns, ssh, mail, www, ftp,
> other}
> queue dns priority 14 priq(red)
> queue ssh priority 13 priq(red)
> queue mail priori
On Tue, May 11, 2004 at 10:21:27PM +0200, Jedi/Sector One wrote:
>
> pass all
> block out from any to 10.0.0.0/8 user john
>
> Unfortunately, the second rules seems to always match, regardless of the
> user.
i had that too
user only for UDP and TCP, so i think that if you don't do
On Wed, May 12, 2004 at 09:08:11AM +0200, Jedi/Sector One wrote:
> On Tue, May 11, 2004 at 04:27:59PM -0600, jared r r spiegel wrote:
> > if you 'block out inet proto {tcp udp} from any to 10.0.0.0/8 user john'
> > does it work?
>
> Noppe, it still matches a
On Mon, May 17, 2004 at 03:58:05PM -0600, [EMAIL PROTECTED] wrote:
> Hello,
>
> I set up a transparent firewall running 3.4. Now Ive been
> asked to run squid on the same box as the firewall to increase
> web traffic (hopefully). Ive installed another NIC with
> an IP and set up squid to listen
On Mon, May 17, 2004 at 09:22:55PM +0300, Juri Malinovski wrote:
>
> Firewall: FreeBSD 4.10-STABLE, pf version 2.03 from ports.
> Ftp server: proftpd 1.2.9 with passive port's range 5-55000
>
> Requirements: local users connect to internal ftp-server using external ip.
> From local machine
On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote:
>
> Take for example a web server sitting in the DMZ, where DMZ is using
> say 192.168.4.0/24, i.e. NAT is being used. The packet comes in via
> something like
>
> pass in on $wan_if inet proto tcp from any to $www_srv port 80 synp
On Wed, Jul 28, 2004 at 12:44:34PM -0700, [EMAIL PROTECTED] wrote:
>
> I have a mail server behind a obsd 3.5 firewall and I am having timeout errors
> when I try and send an email with a large (5MB or greater) attachment.
i would have the knee-jerk reaction that this is not due to pf.
> So th
On Fri, Aug 20, 2004 at 01:47:39PM -0700, Ken Simpson wrote:
> > > Is there any hard and fast reason why the queue can't go slower than
> > > 5.59Kb?
> >
> > timer resolution.
>
> So then perhaps I should have asked: Is there a way to make a
> connection move more slowly than 5.59Kbps using pf?
> I see lots of traffic on the pfsync0 interface (dedicated interface/vlan).
>
> Now the problem is that states never seem to live more than a few minutes
>
> Creating stateless rules shows that this problem is definately related to
> states as everything works flawlessly (no disconnections) wh
On Mon, Oct 11, 2004 at 05:47:50PM -0300, Gustavo wrote:
> pfctl: DIOCADDALTQ: Invalid argument
kernel and userland out of synch?
any time i have had pfctl give _ioctl_ errors, i've had my kernel
and userland out of synch.
if it is a syntax error, pfctl tells me syntax error.
jare
On Mon, Oct 11, 2004 at 09:56:58AM +0800, Kenneth Oncinian wrote:
> Hi List,
>
> Is there a project right now or is there an application which I can use
> to graph measured queues of pf/ALTQ?
check out symon in ports/sysutils
also check out the author's homepage for a .gz of the 'syweb' por
On Thu, Oct 14, 2004 at 09:54:08AM -0700, Justin Cluer wrote:
> # block in log on $dmz_if from $dmz_net to $lan_net
> # block in log on $dmz_if from $dmz_net to $cust_net
> As you can see, I have "block in log on $dmz_if from $dmz_net to
> $lan_net" at the beginning and end of the section. The sp
On Tue, Oct 26, 2004 at 03:47:27PM -0600, notrox wrote:
> I am running OpenBSD 3.5 and I am trying to do bandwidth limiting to a
> single IP.
> For some odd reason altq isnt borrowing from the root queue.
>
> -
On Sat, Oct 30, 2004 at 07:57:23PM -0400, Jason Opperisano wrote:
>
> rdr pass on $ext_if proto tcp from any to $ext_if port 6881 ->
> $inside_host port 6881
this is exactly correct; but should you care to ever be
seeding or on more than one torrent at a time, you would benefit
from g
On Thu, Nov 04, 2004 at 10:47:06PM -0600, Matt Sellers wrote:
> ## PF.CONF
> # Trial Test - Route all 80 over SBC, rest to RCN
> int_if = "bge0"
> lan_net = "10.0.0.0/24"
> ext_if_sbc = "fxp0"
> ext_if_rcn = "re0"
> ext_gw_sbc = "67.36.180.95"
>
>
> nat on $ext_if_sbc from $lan_net to any -> ($ex
On Fri, Nov 05, 2004 at 04:34:25PM -0800, Brian Street wrote:
>
> On Friday, November 5, jared wrote:
> >
> > nat on $ext_if_sbc from $lan_net to any -> ($ext_if_sbc)
> > nat on $ext_if_rcn from $lan_net to any -> ($ext_if_rcn)
>
> this second nat line isn't ever going to be evaluated by a pac
i'm trying to setup a simple pf.conf for a machine who is the
YP master, NFS server, and Samba server. most of my nfs traffic
is coming across the wire as fragments, so i'm trying to catch
those fragments into the nfs queue with the keyword 'fragment'.
i have put a label on that rule o
On Sat, Nov 13, 2004 at 11:24:44AM -0700, jared r r spiegel wrote:
> --
>
> doublewide.hklocal.net $ sudo cat /etc/pffrag.conf
> e="fxp0"
>
> nfs="2049"
>
> trustedhosts
> For those unfamiliar with the technique, it is like
> knocking a certain pattern/code on a door to open it.
anyone unfamiliar with the technique hasn't read the archives
whatsoever and thus is not going to garner favour from anyone
here at all.
> Has anyone heard of anyone working on a p
On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote:
> If you want to knock off most of the port pounding twits, stop allowing
> ssh from 'any', filter instead by source. If you can't do that, because you
> MUST have access from your remote laptop, then maybe try using a ssh
> rule that s
On Sun, Dec 19, 2004 at 10:29:49PM +1100, A wrote:
> My heartfelt thanks for all the assistance there. ffs, you speak like
> some sort of lord who cannot be bothered assisting the peasants. I get
> an inkling you eminate for from such lofty heights. Now, I admit I am
> not on the main bsd list (eve
On Thu, Dec 30, 2004 at 04:52:27PM -0500, Elijah Savage wrote:
> All,
>
> I want to clear this up a bit. I am not looking for some one to provide
> me with config files or say here is what you need to do I can do that on
> my own. What I am looking for is real world experience
i have used vpnc
On Mon, Jan 03, 2005 at 11:32:35AM +1100, Matt Pearce wrote:
>
> If I am running 2 rules for udp packets to be prioritized and I want a
> specific rule for prioritizing dns udp out to take preference over the
> generic udp altq out rule, do I need this rule to be above the generic
> rule and ha
On Mon, Jan 03, 2005 at 02:33:37PM -0800, John Ricardo wrote:
> 1. In general, where does "priority" count? Are priority values only
> considered at a parent queue with respect to the child queues, or are
> they considered at the root with respect to all the leaf queues, or...?
i am currently
On Sun, Jan 09, 2005 at 11:59:00PM -0800, John Ricardo wrote:
> --- jared r r spiegel <[EMAIL PROTECTED]> wrote:
>
> > On Mon, Jan 03, 2005 at 02:33:37PM -0800, John Ricardo wrote:
> >
> > to directly answer your question, yes, the bandwidth specified is
>
On Mon, Jan 17, 2005 at 02:48:07PM -0600, Rick Barter wrote:
> Michael Erdely wrote:
> >You're doing a "block all" and then aren't allowing esp traffic out.
> >Try adding the following with your tcp, udp and icmp pass out rules:
> >pass out $log_flg on $ext_if proto esp all keep state
> >
> >When t
On Tue, Jan 18, 2005 at 09:56:03AM -0600, Rick Barter wrote:
>
> Why would I not see the dropped packets in my log file (pflog0).
in this case i think you would. i looked back at the original
pf.conf you posted that the other fellow replied to and the
'block all' didn't have the "$log_flg
On Wed, Jan 19, 2005 at 01:02:10PM -0600, Kevin wrote:
> Are there any "gotchas" I should know about when using dns names in
> pf.conf, specifically in tables used as destinations for permit rules?
it is a good idea to reduce to an absolute minimum the amount
of dependency type lookups pf has
On Fri, Feb 11, 2005 at 03:39:17PM +, Bob wrote:
> Is there a clear HFSC explanation somewhere, with real simple examples?
> Preferably that apply directly to PF which uses three SC types, not two.
>
> I've found plenty of documents, but they're all high-level overview
> slideshows that are
On Thu, Feb 10, 2005 at 07:59:31PM +, Bob wrote:
>
> I couldn't get CBQ to use up all of the bandwidth. Even when only one
> queue had any traffic, the bandwidth was never getting saturated.
<...>
> Possibly (probably) it was something I was doing wrong. But I've changed
> to HFSC now, and m
On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote:
> >
> > Post your pf.conf.
>
> Unfortunately, the floppy disk is broken on my bastion. Since the
> pf.conf is around 15ko, I'll avoid typing it... ;-)
can you ftp/scp it off and just post on the www somewhere?
that sometimes seems to f
> On Fri, Feb 11, 2005 at 15:39 +, Bob wrote:
> > Preferably that apply directly to PF which uses three SC types, not two.
meaning also using an on the upperlimit directive?
i'm still just using upperlimit as a hard number, and not using a
curve for that.
On Wed, Feb 16, 2005 at 01
On Wed, Feb 16, 2005 at 08:41:57AM +0100, Nicolas wrote:
>
> [FTP CLIENT]--[DEBIAN]--[OBSD BASTION]-WAN[FTP SERVER]
>
> The Debian machine does ftp masquerading, but I don't see anything
> anormal on that machine.
>
> The error message on the bastion, in /var/log/daemon, is:
> ftp-proxy[
On Wed, Feb 16, 2005 at 08:47:37AM +0100, Nicolas wrote:
>
> You're right, everything is blocked by default on the bastion, not just
> inbound but also outbound! What ports, hosts and direction should I
> allow, in your opinion?
welp, i still don't have the answer about why ftp-proxy tried to m
On Wed, Mar 30, 2005 at 09:51:07PM -0500, [EMAIL PROTECTED] wrote:
> Why are the following packets being blocked? I know that I have flags
> S/SA modulate state, and that F or FP do not match S/SA, but does that
> matter since its in state?
if you didn't get to solve this yet, is it perhaps a s
On Wed, May 04, 2005 at 07:42:17PM +0200, DarkT wrote:
>
> altq on $iface hfsc bandwidth 1Mb queue { 1 2 3 }
> queue 1 hfsc(default realtime 50Kb linkshare 100Kb upperlimit 100Kb)
> queue 2 hfsc( realtime 300Kb linkshare 400Kb upperlimit 400Kb )
> queue 3 hfsc( realtime 400Kb linkshare 500Kb upper
On Fri, May 06, 2005 at 12:37:42PM -0400, Jason Dixon wrote:
>
> PF uses a method called "skip steps" to only compare
> against rules that are relevant.
for people curious on how to write the ruleset to be more amicable
to skipsteps ( eg - in such that is it not "fragmented", if you'll
exc
On Thu, May 26, 2005 at 09:09:59AM +0200, Peter N. M. Hansteen wrote:
> Porkodi <[EMAIL PROTECTED]> writes:
>
> > Please help me in per user basis bandwidth sharing.
> > Is there any way in pf with altq?
>
> authpf with per user rules which assign the user's traffic to queues
> should be possib
> >>On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote:
..> >>> Try the following rule:
> >>>
> >>>pass on rl0 keep state
i've a limited experience with a bridge so far, but what about, say:
--bridgename.bridge0--
add rl0
add rl1
rule pass in on rl0 tag rl0
rule pass in on rl1 tag rl1
up
--
On Thu, Jun 09, 2005 at 05:34:40PM +0200, TAMONE Francois - System Engineer
wrote:
>
> And what about performace then ?
> Would not this scheme impact double on the kernel in several parts of it ?
the bridge was put up with various hosts from his RFC1918 /24 hanging
off different bridge inte
On Tue, Jun 28, 2005 at 04:52:17PM +0100, Bob wrote:
> I thought the problem was that you needed to limit incoming traffic as
> well as outgoing traffic.
i've found that limiting incoming data by queueing on the internal
"LAN-facing" interface can be very beneficial if configured
correctl
On Mon, Jul 18, 2005 at 12:10:41PM -0400, Daniel T. Staal wrote:
>
> I'm not to interested in exact rules at this point; I can figure those
> out. I'm just looking for what people think is the best way to use the
> tools to do the job: least ports opened, least hassle, least resources,
> etc.
>
On Tue, Aug 02, 2005 at 11:34:55PM -0500, Kevin wrote:
>
> You can solve this by using tags:
>
> nat on $ext_if inet from any to any tagged aramith -> 69.13.34.94
> . . .
> pass out from any to any user aramith tag aramith
please remember to specify tcp/udp when doing 'user' or
On Sat, Sep 03, 2005 at 09:48:16PM -0400, Peter Matulis wrote:
>
> ipfm does
> not seem to be maintained anymore (since 2002).
one thing that sometimes works, for your own use, is to find a
newer release (distfile wise, from the main project page), bump
that up in the makefile, do a make
On Wed, Sep 14, 2005 at 01:26:12PM -0400, Brandon Mercer wrote:
>
> What I was figuring is that I need to shape the "general" bandwidth on
> the interface, i.e. give the VPN say 512Kb/512Kb and if that isn't in
> use let it be used by the other services that will be connecting to that
> interface.
On Fri, Sep 23, 2005 at 03:00:12PM -0400, Chad M Stewart wrote:
>
> nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)
>
> The problem is that pfctl complains about a syntax problem with that
> line.
[/home/jrrs] $ echo "nat on em0 tagged 1 tag 2 -> (em0)" | pfctl -nvf-
stdin:1: synt
On Sat, Oct 01, 2005 at 06:53:12PM -0400, Matt Van Mater wrote:
> I have a similar setup to what Daniel specifies in
> http://www.benzedrine.cx/ackpri.html but have a nagging question that
> I haven't been able to find an answer for.
>
> Why do you need to specify bandwidth on the parent queue in
On Wed, Oct 05, 2005 at 02:23:29PM -0700, Zack Lawson wrote:
> As soon as I add a carp
> interface with more than one digit (ie carp10, carp11 or carp23), the
> backup host (with the higher advskew value) starts switching between
> MASTER and BACKUP on seemingly random carp interfaces. The fact tha
On Thu, Oct 06, 2005 at 03:48:17PM -0400, Dave wrote:
>My second problem, i'm trying to do mpd vpn, which relies on gre. I've
> got a natted vpn server at 192.168.1.3 but when an external connection
> happens, that is one outside my firewall from a windows box i get an error
> 619, which af
On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote:
> What I'd like is to disable scrub's tcp reassembly on per
> host/port/protol basis, something along the lines of:
>
>scrub all no-df random-id fragment reassemble reassemble tcp
>no scrub inet proto tcp from any to $SAN_NET port
On Sun, Oct 23, 2005 at 07:08:44AM -0700, Joe Advisor wrote:
> so all of the clients
> are basically matching to the external public IP... so
> basically I can't individually control the upload
> bandwidth.
for this, i use tags. tags aren't bound to an iface, so if you
tag from the clients u
> >
> > > Queuing doesn't make sense inbound anyway; once you've received the
> > > packet, it has already consumed your bandwidth, and thus queuing won't
> > > change anything.
> >
> > queueing could delay ACK reply being sent and then whole connection
> > would get throttled.
> >
> > it works
On Fri, Dec 02, 2005 at 12:27:53AM +, Karl O. Pinc wrote:
>
> I thought the queues were tied to the interfaces, so that, for
> instance, queue on the LAN interface could not borrow bandwidth
> from a queue on the DMZ interface. So then you either need to
> partition your WAN bandwidth between
On Wed, Jan 04, 2006 at 09:42:44PM +0100, Sylwester S. Biernacki wrote:
>
> What do you think about it? Any ideas what to look for?
one - if you are reloading pf ( pfctl -f /etc/pf.conf ), that will
clear the table; but that's probably not your issue.
two - if you have two peers,
1 - 100 of 122 matches
Mail list logo
