From: Travis H. <solinym@gmail.com>
Date: Sun, 18 Sep 2005 03:25:58 -0500
To: freebsd-pf@freebsd.org
Subject: new pf-related tool: dfd_keeper

Hey,

Just letting people know that a dynamic firewall daemon (sort of a command shell for the firewall) is available for FreeBSD & pf. It's called dfd_keeper, and I'm looking for ideas, suggestions, developers, and testers.
You can find it here: http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

I'd like to evolve from this into a more complete system. For example:

I'd like to integrate it with snort, honeypots, and maybe snortsam.

I'd like to have a pcap-based sniffer that invokes commands not related to security incidents... for example active-mode FTP, IRC DCC, talk, p2p applications, etc.

I'd like to have a pcap-reading library written in a buffer-safe language that does several things:
1) Decode IPs and TCP/UDP ports, generating "top 100 probed ports", "top 100 blocking rules", etc. over various time periods.
2) Port scan detector, see: http://www.cipherdyne.com/psad/
3) Statistics for optimization of rules
4) Port knocking, see: http://www.cipherdyne.org/fwknop/
5) Abuse of network resources (spam, worms, scanning by internal hosts, arp flooding, bandwidth cap overflow, etc.)

I'd like to have a web interface which displays:
1) All of the info from the pcap program above
2) The OS fingerprint history of various IPs
3) ifgraph/smokeping output
4) statistics gathered from arpwatch (MAC history of an IP, IP history of a MAC, &c.)
5) Fancy visualizations of the multi-dimensional statistical information that firewall logs contain:
5a) graphviz
5b) LGL, http://bioinformatics.icmb.utexas.edu/lgl/
5c) volsuite
5d) OpenQVIS

I'd like to have a web interface for toggling/setting firewall rules. Specifically, on/off commands would have a checkbox, multi-mode commands radio buttons, the list-based commands an "add" text entry field, etc.

I'd like to protect the traffic to dfd_keeper with cryptography.

I'd like to implement a coherent system of authorization, so that certain hosts/programs/users could access some commands, but not others. Currently the model is "all or nothing".

I'd like to add persistence to dfd_keeper so that blocked hosts stay blocked. This will involve some re-structuring due to limitations of python pickling code.
I'd like to write an expect script that can shut ports off on managed switches. Combined with the "abuse of resources" detector above, this means no more manually handling worm invasions! Could also implement this with arp spoofing, if not patented by Mirage Networks.

All these cooperating packages might be easiest to configure with some custom afterinstall scripts or maybe even a Live! CD distro for an instant "firewall appliance".

If you are interested in any of these topics, have suggestions or comments, please email me and ask to be added to my email list.

-- 
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


From: "Ivan R. Sy Jr." <isy@infoweapons.com>
Date: Mon, 19 Sep 2005 17:45:09 +0800
Message-ID: <432E88A5.5000803@infoweapons.com>
To: freebsd-pf@freebsd.org
Subject: CARP state and run this script

hi all.

i was playing with ports/net/ifstated and somehow it's not working. i would be needing a daemon that monitors the state of CARP and executes a script if the carp's state would be master or slave.

example /usr/local/etc/ifstated.conf

state master {
        init {
                run "echo 'master'"
        }
}

state backup {
        init {
                run "echo 'slave'"
        }
}

is there any chance someone has done such a daemon?

thanks!
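One way to get what the post asks for without ifstated, added here as an example and not taken from the post or from ports/net/ifstated: a small sh daemon that polls the carp interface and runs a hook script whenever the state flips. It assumes the "carp: MASTER vhid 1 ..." line that FreeBSD's ifconfig prints for a carp(4) interface; the two hook paths are placeholders for whatever you install.

```shell
#!/bin/sh
# Added example, not the poster's config: poll a carp(4) interface and run a
# hook script when its state changes. Assumes FreeBSD's ifconfig prints a line
#   carp: MASTER vhid 1 advbase 1 advskew 0
# for the interface; the hook paths below are assumptions to replace.

MASTER_HOOK="${MASTER_HOOK:-/usr/local/etc/carp-master.sh}"
BACKUP_HOOK="${BACKUP_HOOK:-/usr/local/etc/carp-backup.sh}"

# Read ifconfig output on stdin and print the CARP state (MASTER, BACKUP or
# INIT). Prints nothing if the output is not from a carp interface.
carp_state() {
    sed -n 's/^[[:space:]]*carp: \([A-Z]*\).*/\1/p' | head -n 1
}

# Given the previous and current state, print the hook to run for this
# transition, or nothing when the state is unchanged (or went to INIT).
# The first poll after start-up has prev="" so the current state's hook runs
# once, which brings the box in line with whatever CARP already decided.
transition_hook() {
    prev="$1"
    cur="$2"
    [ "$prev" = "$cur" ] && return 0
    case "$cur" in
    MASTER) echo "$MASTER_HOOK" ;;
    BACKUP) echo "$BACKUP_HOOK" ;;
    esac
    return 0
}

# Poll interface $1 (default carp0) every $2 seconds (default 2) forever.
carp_watch() {
    ifn="${1:-carp0}"
    interval="${2:-2}"
    prev=""
    while :; do
        cur="$(ifconfig "$ifn" 2>/dev/null | carp_state)"
        hook="$(transition_hook "$prev" "$cur")"
        if [ -n "$hook" ]; then
            logger -t carpwatch "$ifn: ${prev:-unknown} -> $cur, running $hook"
            # Hooks get the interface and the new state as $1 and $2. A missing
            # hook is logged, not fatal, so the watcher keeps tracking state.
            if [ -x "$hook" ]; then
                "$hook" "$ifn" "$cur"
            else
                logger -t carpwatch "hook $hook is not executable"
            fi
        fi
        prev="$cur"
        sleep "$interval"
    done
}

# Usage: carpwatch.sh watch carp0 2
[ "${1:-}" = "watch" ] && carp_watch "$2" "$3"
```

Start it at boot under daemon(8), e.g. `daemon -f sh /usr/local/sbin/carpwatch.sh watch carp0 2`. Polling means a failover is noticed with up to one interval of delay; ifstated, when it works, reacts to the link-state change itself, so this is the fallback rather than a replacement.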
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 19 Sep 2005 11:02:17 GMT
Message-Id: <200509191102.j8JB2HU7018152@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf    [pf] cbq scheduler cause bad latency

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.


From: "Dave" <dmehler26@woh.rr.com>
Date: Mon, 19 Sep 2005 22:54:19 -0400
Message-ID: <000701c5bd8e$98fa18a0$0100a8c0@titan>
Cc: freebsd-pf@freebsd.org
Subject: pftpx failing on freebsd 5.4-stable

Hello,

I'm trying to get ftp working from my lan to the internet. I'm using a deny by default policy and only allowing out specific traffic. My rules are below. I start pftpx and load the pf.conf file, all is good, until i try to ftp.
Going from the gateway box ftp can at least log on to the site and does a 200EPRT command which eventually times out, anything behind the gateway doesn't even get that far. I log everything via pflog and i do not see any ftp or pftpx output in the logs at all. In /var/log/messages i do see this:

Sep 19 22:36:07 guardian kernel: pflog0: promiscuous mode enabled
Sep 19 22:36:55 guardian pftpx[630]: #3 pf operation failed: Invalid argument
Sep 19 22:36:55 guardian pftpx[630]: #3 pf rule removal failed: Invalid argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf operation failed: Invalid argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf rule removal failed: Invalid argument

Any help appreciated, i'd really like to get this going.
Thanks.
Dave.

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# macros
# define the two network interfaces
ext_if="xl0"
int_if="xl1"

# define our networks
lan_net="192.168.7.0/24"

# define servers
lan_server="192.168.7.3"
nameservers = "{ xxx }"
isp_dhcp_server = "xxx"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8080, 8505, 8880, 9102 }"

# options
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"

# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
# tcp.closed is deliberately not repeated here: a later "set timeout" for the
# same option silently overrides the 1 second value set above.
set timeout { tcp.closing 900, tcp.finwait 45 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# nat
# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "pftpx/*"

# redirections
rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> $lan_server

# pftpx ftp proxy
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# default deny
block log all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# pass loopback traffic
pass quick on lo0 all

# pftpx proxy traffic
# (the anchor name must be spelled exactly as in the nat-anchor and
# rdr-anchor lines above, otherwise the proxy's rules are never evaluated)
anchor "pftpx/*"

# antispoof options
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# External interface (Incoming)
# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc

# Allow internet requests through in order to contact lan server
# keep state on this connection
pass in quick on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $lan_server port 1194 keep state

# External interface (outgoing)
# allow dhcp out
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps

# allow UDP requests to port 53 from firewall to exit ext_if
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port 53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

# Allow traffic from lan clients to exit $ext_if
# (After natting is performed) in order to contact internet servers
# (Keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Internal interface (incoming)
# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if:broadcast

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 keep state

# allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, 68, 123, 6112 } keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $lan_net to any port $lan_to_int_services flags S/SA keep state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 keep state

# Internal interface (Outgoing)
# Allow internet requests to exit lan
# in order to contact internet servers
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services keep state

# Firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 flags S/SA keep state

# firewall connects back to the storage daemon
# on the lan server port 9103 to enable it to back up
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port { 9101, 9102, 9103 } flags S/SA keep state
From: Yar Tikhiy <yar@comp.chem.msu.su>
Date: Thu, 22 Sep 2005 15:20:17 +0400
Message-ID: <20050922112017.GB16325@comp.chem.msu.su>
To: freebsd-pf@freebsd.org
Subject: PF in /etc/rc.d: some issues

Hi there,

I think we have a couple of issues regarding PF set-up during the system boot process.

First, in the presence of vlan's or other dynamic interfaces it can be hard to ensure that pfsync0 will appear after its syncdev on the final list of interfaces built inside /etc/network.subr from several rc.conf variables and other sources. Consequently, pfsync0 won't get up because it is configured before its syncdev is up and running. IMHO, this problem can be addressed by creating a separate rcNG script for pfsync, which I already did in my systems using PF (see below.)

Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which is too late IMHO. Can we make it start before "routing"? In an ideal world, a firewall should start before "netif", but I'm unsure if PF can start when not all interfaces mentioned in pf.conf are present in the system yet.

-- 
Yar

%%%
#!/bin/sh

# PROVIDE: pfsync
# REQUIRE: root mountcritlocal netif
# KEYWORD: nojail

. /etc/rc.subr

name="pfsync"
rcvar=`set_rcvar`
start_precmd="pfsync_prestart"
start_cmd="pfsync_start"
stop_cmd="pfsync_stop"

load_rc_config "$name"

pfsync_if=${pfsync_if:-"pfsync0"}

pfsync_prestart()
{
	case "$pfsync_syncdev" in
	'')
		warn "pfsync_syncdev is not set, nothing done"
		return 1
		;;
	esac
	return 0
}

pfsync_start()
{
	echo "Enabling pfsync."
	ifconfig "$pfsync_if" syncdev "$pfsync_syncdev" up
}

pfsync_stop()
{
	echo "Disabling pfsync."
	ifconfig "$pfsync_if" -syncdev down
}

run_rc_command "$1"
%%%


From: Max Laier <max@love2party.net>
Date: Thu, 22 Sep 2005 14:12:52 +0200
Message-Id: <200509221413.03576.max@love2party.net>
In-Reply-To: <20050922112017.GB16325@comp.chem.msu.su>
To: freebsd-pf@freebsd.org
Subject: Re: PF in /etc/rc.d: some issues

On Thursday 22 September 2005 13:20, Yar Tikhiy wrote:
> Hi there,
>
> I think we have a couple of issues regarding PF set-up during the
> system boot process.

I'm pretty sure we do - unfortunately.

> First, in the presence of vlan's or other dynamic interfaces it can
> be hard to ensure that pfsync0 will appear after its syncdev on the
> final list of interfaces built inside /etc/network.subr from several
> rc.conf variables and other sources. Consequently, pfsync0 won't
> get up because it is configured before its syncdev is up and running.
> IMHO, this problem can be addressed by creating a separate rcNG script
> for pfsync, which I already did in my systems using PF (see below.)

Sounds reasonable, but put at least an additional $pfsync_ifconfig_flags at the end of the ifconfig so that people can specify maxupd. pfsync.4 needs to be updated for this as well.

> Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which
> is too late IMHO. Can we make it start before "routing"? In an
> ideal world, a firewall should start before "netif", but I'm unsure
> if PF can start when not all interfaces mentioned in pf.conf are
> present in the system yet.

The only remaining problem (that I know of) is "set loginterface" on a non-existing interface. Everything else should be taken care of by now. This late startup was in fact a bandaid to get things working back then, but the problems have been shaken out and now that "set loginterface" is more or less obsolete by $pfctl -vsI -i anyway, we could move it back to where it belongs. I'd like to keep that change in HEAD for the time being, however.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
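Following on from the exchange above, an added example that is neither Yar's script nor FreeBSD's rc.d code: a start_precmd that waits, with a bounded timeout, for the syncdev to show up before pfsync is enabled, which covers the vlan and other late-created interfaces Yar describes, plus a start routine that appends $pfsync_ifconfig_flags as Max suggests so that maxupd can be set from rc.conf. The pfsync_syncdev_timeout variable and the interface-lister parameter are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example, not Yar's script and not FreeBSD's rc.d code: wait for the
# pfsync syncdev to exist before enabling pfsync, and pass rc.conf flags through
# to ifconfig. Assumed rc.conf variables: pfsync_if, pfsync_syncdev,
# pfsync_syncdev_timeout (seconds, default 30) and pfsync_ifconfig_flags.

# Succeed if interface $1 appears in the space-separated list $2.
iface_in_list() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Wait up to $2 seconds for interface $1 to show up. $3 is the command that
# lists interfaces; it defaults to "ifconfig -l" and is a parameter only so the
# loop can be exercised without a live network stack.
wait_for_iface() {
    ifn="$1"
    limit="${2:-30}"
    lister="${3:-ifconfig -l}"
    n=0
    while [ "$n" -lt "$limit" ]; do
        if iface_in_list "$ifn" "$($lister)"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# start_precmd: refuse to start without a syncdev, and wait for it to exist.
pfsync_prestart() {
    if [ -z "$pfsync_syncdev" ]; then
        echo "pfsync_syncdev is not set, nothing done" >&2
        return 1
    fi
    if ! wait_for_iface "$pfsync_syncdev" "${pfsync_syncdev_timeout:-30}"; then
        echo "syncdev $pfsync_syncdev did not appear, not enabling pfsync" >&2
        return 1
    fi
    return 0
}

# The command line pfsync_start runs, as one string, so it can be inspected;
# ${var:+ $var} adds the flags only when they are set, e.g. "maxupd 128".
pfsync_ifconfig_cmd() {
    echo "ifconfig ${pfsync_if:-pfsync0} syncdev $pfsync_syncdev${pfsync_ifconfig_flags:+ $pfsync_ifconfig_flags} up"
}

# start_cmd: the flags are intentionally unquoted so they split into words.
pfsync_start() {
    echo "Enabling pfsync."
    ifconfig "${pfsync_if:-pfsync0}" syncdev "$pfsync_syncdev" $pfsync_ifconfig_flags up
}
```

Drop the functions into the rc.d script in place of its pfsync_prestart and pfsync_start. A bounded wait rather than an unbounded one matters at boot: if the syncdev never appears, the script fails loudly and rc continues instead of hanging the boot.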
From: Scott Ullrich <sullrich@gmail.com>
Date: Thu, 22 Sep 2005 11:08:01 -0400
To: freebsd-pf@freebsd.org
Subject: Recent BETA4 - BETA5 carp breakage?

Greetings.

I'm starting to see a problem on pfSense on the latest betas with CARP. When rebooting a primary firewall CARP hands over to the backup just fine. But when the master comes back online I lose all my connections. Is anyone else seeing these problems with recent BETAS?

Thanks in advance!

Scott


From: Scott Ullrich <sullrich@gmail.com>
Date: Thu, 22 Sep 2005 17:42:27 -0400
To: freebsd-pf@freebsd.org
Subject: Re: Recent BETA4 - BETA5 carp breakage?

On 9/22/05, Scott Ullrich wrote:
> I'm starting to see a problem on pfSense on the latest betas with
> CARP. When rebooting a primary firewall CARP hands over to the
> backup just fine. But when the master comes back online I lose all
> my connections. Is anyone else seeing these problems with recent
> BETAS?

Just a followup. Reverting the following files seems to have fixed the issues:

src/sys/contrib/pf/net/pf.c
src/sys/contrib/pf/net/pf_ioctl.c
src/sys/netinet/ip_carp.c

Can someone else confirm or deny that carp is broken in the latest betas? Thanks in advance!
Scott


From: Max Laier <max@love2party.net>
Date: Fri, 23 Sep 2005 03:38:35 +0200
Message-Id: <200509230338.47339.max@love2party.net>
To: freebsd-pf@freebsd.org, Scott Ullrich
Subject: Re: Recent BETA4 - BETA5 carp breakage?

On Thursday 22 September 2005 23:42, Scott Ullrich wrote:
> On 9/22/05, Scott Ullrich wrote:
> > I'm starting to see a problem on pfSense on the latest betas with
> > CARP. When rebooting a primary firewall CARP hands over to the
> > backup just fine. But when the master comes back online I lose all
> > my connections. Is anyone else seeing these problems with recent
> > BETAS?
>
> Just a followup. Reverting the following files seems to have fixed the
> issues:
>
> src/sys/contrib/pf/net/pf.c
> src/sys/contrib/pf/net/pf_ioctl.c
> src/sys/netinet/ip_carp.c

From which revision to which?

> Can someone else confirm or deny that carp is broken in the latest
> betas? Thanks in advance!

CARP or pfsync? The problem described seems to be more of a pfsync issue.

-- 
Max Laier | mlaier@freebsd.org
From: Scott Ullrich <sullrich@gmail.com>
Date: Thu, 22 Sep 2005 21:46:31 -0400
In-Reply-To: <200509230338.47339.max@love2party.net>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: Recent BETA4 - BETA5 carp breakage?

On 9/22/05, Max Laier wrote:
> CARP or pfsync? The problem described seems to be more of a pfsync issue.

Sorry, I should have said pfsync.

Oddly enough I recompiled the kernel to a different HZ (2000 to 1000) and it's working fine again.

Sorry for the noise.
Scott From owner-freebsd-pf@FreeBSD.ORG Fri Sep 23 11:37:09 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C395316A420 for ; Fri, 23 Sep 2005 11:37:09 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id 13BB443D95 for ; Fri, 23 Sep 2005 11:36:57 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54A3C430.dip.t-dialin.net [84.163.196.48] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML2ov-1EIlrK0dMr-0003cW; Fri, 23 Sep 2005 13:36:54 +0200 From: Max Laier To: Scott Ullrich Date: Fri, 23 Sep 2005 13:37:28 +0200 User-Agent: KMail/1.8.2 References: <200509230338.47339.max@love2party.net> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1466972.NophUI8Smv"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200509231337.43012.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-pf@freebsd.org Subject: Re: Recent BETA4 - BETA5 carp breakage? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2005 11:37:09 -0000 --nextPart1466972.NophUI8Smv Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 23 September 2005 03:46, Scott Ullrich wrote: > On 9/22/05, Max Laier wrote: > > CARP or pfsync? The problem described seems to be more of a pfsync > > issue. > > Sorry, I should have said pfsync. 
> > Oddly enough I recompiled the kernel to a different HZ (2000 to 1000) > and its working fine again. So the synopsis seems to be: pfsync defunct with high HZ. That's bad and=20 needs to be investigated. Can you please make sure that your source tree w= as=20 otherwise clean and submitt a PR for this? Let me know as soon as you have= a=20 ticket number. Thanks. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1466972.NophUI8Smv Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDM+kGXyyEoT62BG0RAqsFAJ92+7tyhHuD+8Rm0ua1g/ybCH116ACfUAfZ U2MybRd/Rh6nxbwk8+IZr6A= =lhTo -----END PGP SIGNATURE----- --nextPart1466972.NophUI8Smv-- From owner-freebsd-pf@FreeBSD.ORG Fri Sep 23 19:08:11 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A301B16A41F for ; Fri, 23 Sep 2005 19:08:11 +0000 (GMT) (envelope-from Philippe.Pegon@crc.u-strasbg.fr) Received: from mailhost.u-strasbg.fr (mailhost.u-strasbg.fr [130.79.200.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0975143D46 for ; Fri, 23 Sep 2005 19:08:10 +0000 (GMT) (envelope-from Philippe.Pegon@crc.u-strasbg.fr) Received: from baal.u-strasbg.fr ([IPv6:2001:660:2402:0:202:a5ff:fe4f:16e6]) by mailhost.u-strasbg.fr (8.13.3/jtpda-5.5pre1) with ESMTP id j8NJ88uk001982 for ; Fri, 23 Sep 2005 21:08:08 +0200 (CEST) Received: from [127.0.0.1] (crc.u-strasbg.fr [IPv6:2001:660:2402:1001::1]) by baal.u-strasbg.fr (8.13.4/jtpda-5.5pre1) with ESMTP id j8NJ882d021087 for ; Fri, 23 Sep 2005 21:08:08 +0200 Message-ID: <4334520D.8020907@crc.u-strasbg.fr> Date: Fri, 23 Sep 2005 21:05:49 +0200 From: Philippe PEGON User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050731) X-Accept-Language: en-us, en 
MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.87/1098/Thu Sep 22 22:57:50 2005 on mr8.u-strasbg.fr X-Virus-Scanned: ClamAV 0.87/1098/Thu Sep 22 22:57:50 2005 on baal.u-strasbg.fr X-Virus-Status: Clean X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (mailhost.u-strasbg.fr [IPv6:2001:660:2402::158]); Fri, 23 Sep 2005 21:08:09 +0200 (CEST) X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.0.4 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mr8.u-strasbg.fr Subject: carp with vlan X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2005 19:08:11 -0000 Hi, somebody knows if it's planned to support carp on vlan with em interfaces on FreeBSD 6 ? 
thanks -- Philippe PEGON From owner-freebsd-pf@FreeBSD.ORG Fri Sep 23 21:30:21 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0341E16A41F for ; Fri, 23 Sep 2005 21:30:21 +0000 (GMT) (envelope-from sporadic@brannstrom.as) Received: from chb63.neoplus.adsl.tpnet.pl (chb63.neoplus.adsl.tpnet.pl [83.30.255.63]) by mx1.FreeBSD.org (Postfix) with SMTP id 8741F43D46 for ; Fri, 23 Sep 2005 21:30:16 +0000 (GMT) (envelope-from sporadic@brannstrom.as) Received: from 112.37.79.100 (EHLO Zeiss) by chb63.neoplus.adsl.tpnet.pl with SMTP; Fri, 23 Sep 2005 23:30:14 +0200 id 4574870380Salem84660 for freebsd-pf@freebsd.org; Fri, 23 Sep 2005 23:30:14 +0200 Mime-Version: 1.0 (Apple Message framework v728) Content-Transfer-Encoding: 7bit Message-Id: <6143535522.39870313@chb63.neoplus.adsl.tpnet.pl> Content-Type: text/plain; charset=US-ASCII; format=flowed To: freebsd-pf@freebsd.org From: Jack Date: Fri, 23 Sep 2005 23:30:13 +0200 X-Mailer: Apple Mail (2.728) Subject: Any software just for 15$ - 99$ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2005 21:30:21 -0000 Windows XP + Office XP = $80. http://ousw.p5c7veddv8vxp77kcppkup7p.bultowmifd.com/?ufbnlc I'd shut it down and give the money back to the shareholders. People who throw kisses are hopelessly lazy. Only actions give life strength; only moderation gives it a charm. Everyone is having a harder time than it appears. Reason is God's crowning gift to man. Times have not become more violent. They have just become more televised. 
From owner-freebsd-pf@FreeBSD.ORG Sat Sep 24 23:42:09 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF0C116A41F for ; Sat, 24 Sep 2005 23:42:09 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from qproxy.gmail.com (qproxy.gmail.com [72.14.204.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 499DE43D48 for ; Sat, 24 Sep 2005 23:42:07 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by qproxy.gmail.com with SMTP id p26so325517qbb for ; Sat, 24 Sep 2005 16:42:06 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Cyy6GzVSAx3SIZUk8S79MfIouoQ2EIbV1/kMdwwuY2NL5S80WatFtOlwZL7wrA1UtNyy16e0NiZZehs9+poUx13kYDjMX9tBUtrn8mWXvGL17aeVSfChoto9fB74NxxN6vWK9OLc9bhnBq9wvber/tWb5goh+ElRYTe+u8HumRo= Received: by 10.64.210.20 with SMTP id i20mr226217qbg; Fri, 23 Sep 2005 07:47:51 -0700 (PDT) Received: by 10.64.184.1 with HTTP; Fri, 23 Sep 2005 07:47:51 -0700 (PDT) Message-ID: Date: Fri, 23 Sep 2005 10:47:51 -0400 From: Scott Ullrich To: Max Laier In-Reply-To: <200509231337.43012.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <200509230338.47339.max@love2party.net> <200509231337.43012.max@love2party.net> Cc: freebsd-pf@freebsd.org Subject: Re: Recent BETA4 - BETA5 carp breakage? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Sep 2005 23:42:09 -0000 On 9/23/05, Max Laier wrote: > So the synopsis seems to be: pfsync defunct with high HZ. That's bad and > needs to be investigated. Can you please make sure that your source tree= was > otherwise clean and submitt a PR for this? Let me know as soon as you ha= ve a > ticket number. Thanks. After testing all of yesterday the problem is back. I had a winamp stream playing almost for 7 hours solid but IRC and Jabber both seem to drop from time to time when handing back to the master (this is with box boxes at a HZ=3D1000). I also noticed the master box once online is slowly syncing the state tables. Before the state tables seem to rapidly sync but its a bit slower now. I'll continue to do tests today and tomorrow trying to narrow it down some more. Scott