From owner-freebsd-pf@FreeBSD.ORG Sun Feb 4 12:47:48 2007
From: Volker <volker@vwsoft.com>
To: Владимир Капустин
Cc: freebsd-pf@freebsd.org
Date: Sun, 04 Feb 2007 13:47:23 +0100
Message-ID: <45C5D5DB.9050407@vwsoft.com>
Subject: Re: SPAMD stop passing mail from WHITE-list

On 12/23/-58 20:59, Владимир Капустин wrote:
> 2. If i have some malware on my PC and use mail-client program. If I
> send the same message some times I automatically get into WHITE-list
> and my malware can spam as much as it must?

Not really related to your spamd problem, but probably useful...

If you need to limit an internal client system for sending out mail
through your system, IMO you may also use pf's limit functions.

Imagine something like:

    pass in quick on $int_if from any to $int_if port smtp keep state (max-src-conn 1, max-src-conn-rate 2/60)

This should limit an internal client to one concurrent connection and a
maximum of 2 connections per 60 seconds, and so mass mailing by abusing
your mail gateway should be impossible.

Combining this with a rule like

    block in quick on $int_if from any to ! $int_if port smtp

should efficiently block spam originating from your internal net.

And for the malware issues, I would like to recommend not to install
and use malware! ;)

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 11:11:44 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 Feb 2007 11:11:41 GMT
Message-Id: <200702051111.l15BBfnI026046@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         pf accepts nonexistent queue in rules
o kern/106400  pf         fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 14:05:59 2007
From: Daniel Dias Gonçalves <daniel@dgnetwork.com.br>
Organization: DGNET Network Solutions
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 05 Feb 2007 11:39:03 -0200
Message-ID: <45C73377.8040502@dgnetwork.com.br>
Subject: Nat Log

Is it possible to record logs of all connections nated with PF?
Already tried to use "nat log on...", without success.

Thanks.

-- 
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
http://www.dgnetwork.com.br/
+55 37-99824809
+55 37-32421109

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 14:41:02 2007
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Date: Mon, 5 Feb 2007 14:40:47 -0000
Message-ID: <000001c74933$9fea4a40$dfbedec0$@Hennessy@nviz.net>
In-Reply-To: <45C73377.8040502@dgnetwork.com.br>
Subject: RE: Nat Log

> Is it possible to record logs of all connections nated with PF?
> Already tried to use "nat log on...", without success.

The version of PF used in FreeBSD (OpenBSD rev 3.7 I believe) doesn't
have the log option for either nat pass or rdr pass. That facility came
in later versions of PF.

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 15:34:45 2007
From: Dennis Berger <db@nipsi.de>
To: freebsd-pf@freebsd.org
Date: Mon, 05 Feb 2007 16:05:18 +0100
Message-ID: <45C747AE.2060901@nipsi.de>
Subject: RE: spamd-4.0 port tester wanted

Hi List,
spamd works for me.
spamd-setup too.
spamlogd doesn't work. Which means it simply doesn't start at all. A
short ktrace -di revealed that FreeBSD's BPF doesn't understand a
certain ioctl command. We know that the OpenBSD and FreeBSD bpf
implementations are different.
One should compile spamlogd with debugging symbols and discover this.
Maybe I'll do it later and submit a patch.

regards,
-Dennis

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 15:34:45 2007
From: Dennis Berger <db@nipsi.de>
To: freebsd-pf@freebsd.org
Date: Mon, 05 Feb 2007 16:12:25 +0100
Message-ID: <45C74959.6000906@nipsi.de>
In-Reply-To: <45C747AE.2060901@nipsi.de>
Subject: Re: spamd-4.0 port tester wanted

pflog module wasn't loaded! My fault.

Dennis Berger wrote:
> Hi List,
> spamd works for me.
> spamd-setup too.
> spamlogd doesn't work. Which means it simply doesn't start at all. A
> short ktrace -di revealed that FreeBSD's BPF doesn't understand a
> certain ioctl command. We know that the OpenBSD and FreeBSD bpf
> implementations are different.
> One should compile spamlogd with debugging symbols and discover this.
> Maybe I'll do it later and submit a patch.
>
> regards,
> -Dennis

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 16:10:55 2007
From: Владимир Капустин <msgs_for_me@mail.ru>
To: freebsd-pf@freebsd.org
Date: Mon, 05 Feb 2007 19:10:40 +0300
In-Reply-To: <20070204120053.DED7316A6ED@hub.freebsd.org>
Subject: Re: Re: SPAMD stop passing mail from WHITE-list (Peter N. M. Hansteen)
> > I have spamd configured like in
> > http://home.nuug.no/~peter/pf/en/spamd.html
> > with greylisting enabled
> >
> > and i meet some problems with it:
>
> Well, you have my attention. I would be very interested in getting
> to know about any inaccuracies in that document, and certainly any
> that trip people up.
>
> > 1. My 2 FreeBSD routers stopped to pass mail from WHITE-list. First
> > one - when spamd grows to 500 Megabytes. Second - 350 Meg.
>
> At the point where things stop working, what content does the
> whitelist table have? ie, anything recognizable or (incredibly) zero
> size? One possibility - a far fetched one, admittedly - is that
> hosts in your whitelist got themselves greytrapped (if you did set
> that up).

Nothing unusual, but that the mail stops forwarding from the whitelist.
i.e. the sender resends the mail, gets in WHITE-list in spamd, but the
mail does not actually pass the router.
Many users started to complain and I forgot to look into

    pfctl -t spamd-white -T show

but actually I have no BLACK list, and I still don't have a good idea
how to use TRAPs automatically...I try to put some addresses in TRAP-list
manually, but I can catch only myself for test purposes.

> > When I do:
> > cat /dev/null > /var/db/spamd
> > all starts to work again
>
> This sounds like somehow your initially whitelisted hosts got
> themselves blacklisted, or the whitelist is somehow bypassed.

As I wrote above they could not get into BLACK-list because i don't have
any. And it could not bypass anyhow, because I have such redirect rules:

    pfctl -sn
    rdr pass inet proto tcp from to any port = smtp -> 127.0.0.1 port 8025
    rdr pass inet proto tcp from ! to any port = smtp -> 127.0.0.1 port 8025
    ....

> > 2. If i have some malware on my PC and use mail-client program. If I
> > send the same message some times I automatically get into WHITE-list
> > and my malware can spam as much as it must?
>
> If your malware manages to behave RFC-correctly, that is, resend after
> what the greylisting host considers a reasonable interval, it will
> manage to send whatever it's trying to send.

No...not malware...suppose that a user doesn't know about malware and uses
Outlook to send his mail. He'll get into THE WHITE-list and spamd can't
stop HIS malware?

Many thanks for taking an interest in my problem.

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 17:12:08 2007
From: "Olli Hauer" <ohauer@gmx.de>
To: Владимир Капустин, freebsd-pf@freebsd.org
Date: Mon, 05 Feb 2007 17:45:19 +0100
Message-ID: <20070205164519.142040@gmx.net>
References: <20070204120053.DED7316A6ED@hub.freebsd.org>
Subject: Re: Re: SPAMD stop passing mail from WHITE-list (Peter N. M. Hansteen)

Date: Mon, 05 Feb 2007 19:10:40 +0300
From: "Владимир Капустин"
To: freebsd-pf@freebsd.org
Subject: Re: Re: SPAMD stop passing mail from WHITE-list (Peter N. M. Hansteen)

> > > I have spamd configured like in
> > > http://home.nuug.no/~peter/pf/en/spamd.html
> > > with greylisting enabled
> > >
> > > and i meet some problems with it:
> >
> > Well, you have my attention.
> > I would be very interested in getting
> > to know about any inaccuracies in that document, and certainly any
> > that trip people up.
> >
> > > 1. My 2 FreeBSD routers stopped to pass mail from WHITE-list. First
> > > one - when spamd grows to 500 Megabytes. Second - 350 Meg.
> >
> > At the point where things stop working, what content does the
> > whitelist table have? ie, anything recognizable or (incredibly) zero
> > size? One possibility - a far fetched one, admittedly - is that
> > hosts in your whitelist got themselves greytrapped (if you did set
> > that up).
>
> Nothing unusual, but that the mail stops forwarding from the whitelist.
> i.e. the sender resends the mail, gets in WHITE-list in spamd, but the
> mail does not actually pass the router.
> Many users started to complain and I forgot to look into
>
> pfctl -t spamd-white -T show
>
> but actually I have no BLACK list, and I still don't have a good idea
> how to use TRAPs automatically...I try to put some addresses in TRAP-list
> manually, but I can catch only myself for test purposes.
>
> > > When I do:
> > > cat /dev/null > /var/db/spamd
> > > all starts to work again
> >
> > This sounds like somehow your initially whitelisted hosts got
> > themselves blacklisted, or the whitelist is somehow bypassed.
>
> As I wrote above they could not get into BLACK-list because i don't have
> any. And it could not bypass anyhow, because I have such redirect rules:
>
> pfctl -sn
> rdr pass inet proto tcp from to any port = smtp -> 127.0.0.1 port 8025
> rdr pass inet proto tcp from ! to any port = smtp -> 127.0.0.1 port 8025
> ....
>
> > > 2. If i have some malware on my PC and use mail-client program. If I
> > > send the same message some times I automatically get into WHITE-list
> > > and my malware can spam as much as it must?
> >
> > If your malware manages to behave RFC-correctly, that is, resend after
> > what the greylisting host considers a reasonable interval, it will
> > manage to send whatever it's trying to send.
>
> No...not malware...suppose that a user doesn't know about malware and uses
> Outlook to send his mail. He'll get into THE WHITE-list and spamd can't
> stop HIS malware?
>
> Many thanks for taking an interest in my problem.

Is the spamd database really 350MB-500MB??

If you do a

    spamdb | grep WHITE | wc -l
    spamdb | grep TRAPPED | wc -l

how many records are there?

Do you also have another table that loads many records into pf tables?

Some checks to count these records. First list the tables:

    pfctl -sT
    spamd
    spamd-white
    another-table

Then count these tables:

    pfctl -t spamd -T show | wc -l
    pfctl -t spamd-white -T show | wc -l
    pfctl -t another-table -T show | wc -l

For example: if PF can store with regular settings ~200.000 records in
tables, then the 200.001st record is not stored in the table and you
don't get an error for that.

The spamdb daemon calls for every whitelisted IP
'pfctl -t spamd-white -T add $IP'
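The counting checks above, written as a script. This is an added example and not code from the thread: the functions parse the output formats of spamdb(8) (record type in the first pipe-separated field), `pfctl -s memory` (which reports the table-entries hard limit, 200000 on a stock pf) and `pfctl -t <table> -T show`, and they run here over constructed sample output so the script works offline. In the thread the real numbers turn out to be small (52 WHITE records, 2105 entries in the largest table), so the limit is not the cause there, but the check is cheap and the failure mode it catches is silent: once the hard limit is reached pf refuses further table entries, and whitelisted senders never reach <spamd-white>.

```shell
#!/bin/sh
# Added example, not from the thread: Olli Hauer's record-counting checks as
# functions, run here on constructed sample output so the script works
# offline. On a live pf host feed them real `spamdb`, `pfctl -s memory` and
# `pfctl -t <table> -T show` output instead of the SAMPLE_* strings.

# Count spamdb(8) records of one type (WHITE, GREY or TRAPPED) from spamdb
# output on stdin; the record type is the first pipe-separated field.
count_spamdb_type() {
    awk -F'|' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Pull the table-entries hard limit out of `pfctl -s memory` output on stdin
# (200000 on a stock pf unless `set limit table-entries` raised it).
table_entry_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $4 }'
}

# Count the addresses in one `pfctl -t <table> -T show` listing on stdin.
count_table_entries() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Compare the entries used across all tables with the hard limit. Returns
# 0 (ok), 1 (above 90% of the limit) or 2 (at the limit, where pf refuses
# further table entries and spamd's additions to <spamd-white> are lost).
check_table_headroom() {
    total=$1
    limit=$2
    if [ "$total" -ge "$limit" ]; then
        echo "FULL: $total of $limit table entries used, new entries are refused"
        return 2
    elif [ $((total * 10)) -ge $((limit * 9)) ]; then
        echo "WARN: $total of $limit table entries used"
        return 1
    fi
    echo "OK: $total of $limit table entries used"
    return 0
}

# Live variant (not run here): sum the entries of every table pf knows about.
live_total_entries() {
    total=0
    for t in $(pfctl -s Tables); do
        n=$(pfctl -t "$t" -T show | count_table_entries)
        total=$((total + n))
    done
    echo "$total"
}

# ---- constructed sample data (not real output from the poster's routers) ----
SAMPLE_SPAMDB='WHITE|192.0.2.10|||1170600000|1170600300|1173600000|1|2
WHITE|192.0.2.11|||1170600100|1170600500|1173600000|1|1
GREY|198.51.100.7|mail.example.net|<a@example.net>|<b@example.org>|1170600200|0|1170614600|1|0
WHITE|192.0.2.12|||1170600400|1170600700|1173600000|2|3
TRAPPED|203.0.113.9|1170686400'

SAMPLE_PF_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

SAMPLE_TABLE_GOOD='   192.0.2.0/24
   198.51.100.5
   203.0.113.0/26'

SAMPLE_TABLE_WHITE='   192.0.2.10
   192.0.2.11
   192.0.2.12'

# Run the checks over the sample data and print the numbers asked for above.
report_sample() {
    for kind in WHITE GREY TRAPPED; do
        echo "$kind: $(printf '%s\n' "$SAMPLE_SPAMDB" | count_spamdb_type "$kind")"
    done
    hard=$(printf '%s\n' "$SAMPLE_PF_MEMORY" | table_entry_limit)
    good=$(printf '%s\n' "$SAMPLE_TABLE_GOOD" | count_table_entries)
    white=$(printf '%s\n' "$SAMPLE_TABLE_WHITE" | count_table_entries)
    echo "<good>: $good entries, <spamd-white>: $white entries"
    check_table_headroom $((good + white)) "$hard"
}

report_sample
```

On a live host, `live_total_entries` replaces the two sample counts, and the spamdb counts come from `spamdb | count_spamdb_type WHITE` and friends; a non-zero exit from `check_table_headroom` is the signal to raise `set limit table-entries` in pf.conf or to prune the large tables.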
Jetzt GMX ProMail testen: http://www.gmx.net/de/go/promail?ac=OM.GX.GX003K11711T4781a From owner-freebsd-pf@FreeBSD.ORG Mon Feb 5 21:29:54 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0D4ED16A488 for ; Mon, 5 Feb 2007 21:29:54 +0000 (UTC) (envelope-from msgs_for_me@mail.ru) Received: from mx33.mail.ru (mx33.mail.ru [194.67.23.194]) by mx1.freebsd.org (Postfix) with ESMTP id 885B313C4BA for ; Mon, 5 Feb 2007 21:29:48 +0000 (UTC) (envelope-from msgs_for_me@mail.ru) Received: from [80.244.229.35] (port=31201 helo=VLADIMIR) by mx33.mail.ru with asmtp id 1HEBPG-000NOU-00 for freebsd-pf@freebsd.org; Tue, 06 Feb 2007 00:29:46 +0300 X-Nat-Received: from [192.168.1.110]:3022 [ident-empty] by smtp-proxy.vltele.com with TPROXY id 1170710823.11156 Date: Tue, 6 Feb 2007 00:29:46 +0300 From: Vladimir Kapustin X-Mailer: The Bat! (v3.85.03) Professional Organization: vltele.com X-Priority: 3 (Normal) Message-ID: <1535216240.20070206002946@mail.ru> To: freebsd-pf@freebsd.org References: E1HE6QS-0002K7-00.msgs_for_me-mail-ru@f75.mail.ru MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: SPAMD stop passing mail from WHITE-list (Peter N. M. Hansteen) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Vladimir Kapustin List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Feb 2007 21:29:54 -0000 > > Is the spamd database really 350MB-500MB?? > root@router1# du -h /var/db/spamd 200M /var/db/spamd This is the result after 3 days from zerouing /var/db/spamd > If you do a > spamdb | grep WHITE | wc -l > spamdb | grep TRAPPED | wc -l > > How many records are there? 
spamdb | grep WHITE | wc -l
52
spamdb | grep TRAPPED | wc -l
0

As I said earlier:

> > ......and I still don't have a good idea
> > how to use TRAPs automatically...I try to put some addresses in the
> > TRAP-list manually, but I can catch only myself for test purposes.

> Do you also have another table that loads many records into pf tables?

Yes - the biggest is:

pfctl -t good -T show | wc -l
2105

I have about 10 tables, but each of the other tables contains less than 10
records.

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 12:56:31 2007
From: Vladimir Kapustin
Date: Tue, 6 Feb 2007 15:56:25 +0300
Message-ID: <859855731.20070206155625@mail.ru>
Subject: SPAMD stop passing mail from WHITE-list

>> 2. If I have some malware on my PC and use a mail-client program. If I
>> send the same message some times I automatically get into the WHITE-list
>> and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state \
>     (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this with a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Yes, it seems to be a good idea, if I can combine this method with spamd
functionality. I have a similar iptables filter on my recent Linux gateway,
but with the growth of the network its effectiveness began to decrease.

> And for the malware issues, I would like to recommend not to install
> and use malware! ;)

Earlier, I caught some spammers and blocked their IPs in the LAN - it was a
good motivation to set up antiviruses and other useful software.
I'm thinking about a combination (if this is possible) of these two methods,
and I'd like to add some more functionality to your method: any IP that tries
to send more than max-src-conn-rate will be put in some table, and all IPs
from these tables will be automatically blocked on the smtp port and some
others - to make it more obvious to the IP-keepers that they have some
malware.
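What Vladimir asks for above (put every LAN host that exceeds the SMTP rate limit into a table and block that table on smtp and a few other ports) is exactly what pf's overload option on a stateful rule does. The pf.conf fragment below is an added example for this thread, not rules posted by Volker, Vladimir or shipped with spamd; the interface name em1, the LAN prefix and the table name smtp_abusers are assumptions, and the syntax is the OpenBSD 3.7-era pf that FreeBSD 6.2 ships.

```conf
# Added example (not from the thread): rate-limit internal SMTP clients and
# automatically table and block the ones that exceed the limit.
# int_if / int_net / smtp_abusers are assumed names, not from the original.

int_if  = "em1"             # assumed LAN interface
int_net = "192.168.1.0/24"  # assumed LAN prefix

# Hosts that tripped the rate limit. 'persist' keeps the table (and its
# entries) alive even while no rule references it, e.g. during a reload.
table <smtp_abusers> persist

# 1. Anything already in the table is blocked, and logged to pflog0, on
#    smtp and www; losing web access makes the infected PC's owner notice.
#    Must come before the pass rule below because both are 'quick'.
block in log quick on $int_if proto tcp from <smtp_abusers> to any port { smtp, www }

# 2. LAN clients may speak SMTP only to the gateway itself, and only slowly:
#    one open connection, at most 2 new connections per 60 seconds.
#    A client exceeding that rate is added to <smtp_abusers>; 'flush global'
#    also kills every state that client already holds, from any rule.
#    max-src-conn* only apply to TCP states, hence proto tcp + keep state.
pass in quick on $int_if proto tcp from $int_net to $int_if port smtp \
    flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 2/60, overload <smtp_abusers> flush global)

# 3. Direct-to-MX delivery from the LAN is never allowed, so malware cannot
#    bypass the gateway (and spamd) by talking SMTP to the outside world.
block in log quick on $int_if proto tcp from $int_net to ! $int_if port smtp

# Housekeeping (cron, on the gateway):
#   pfctl -t smtp_abusers -T show            # who is currently blocked
#   pfctl -t smtp_abusers -T expire 86400    # forgive hosts quiet for a day
#   tcpdump -n -e -ttt -i pflog0 port smtp   # watch the blocks as they happen
```

Entries added by overload stay until removed, so the expire line in the comment (or a manual `pfctl -t smtp_abusers -T delete <ip>` once the machine is cleaned) is what lets a host back in; without it the table only ever grows.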
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 13:35:44 2007
From: "Kevin K."
Date: Tue, 6 Feb 2007 08:35:55 -0500
Message-ID: <002501c749f3$bb1a1dc0$314e5940$@ca>
Subject: PF & Windows Vista

I am using FreeBSD 6.2-RELEASE w/ PF. Everything seems to be okay, except
the fact that Windows Vista machines can't get through the network. I have
tried many things, including just using a skeleton PF configuration, and I'm
still having trouble.

Just curious if anyone has experienced issues with this? If so, any
suggestions or resolutions would be appreciated.
Below is what we thought would fix the Vista issue, but to no avail:

### Office for Vista issue -- no state

pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 13:42:21 2007
From: LI Xin
Organization: The FreeBSD Project
To: "Kevin K."
Date: Tue, 06 Feb 2007 21:42:11 +0800
Message-ID: <45C885B3.3000508@delphij.net>
In-Reply-To: <002501c749f3$bb1a1dc0$314e5940$@ca>
Subject: Re: PF & Windows Vista

Kevin K. wrote:
> I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
> the fact that Windows Vista machines can't get through the network. I have
> tried many things, including just using a skeleton PF configuration and I'm
> still having trouble.
>
> Just curious if anyone has experienced issues with this? If so, any
> suggestions or resolutions would be appreciated.
>
> Below is what we thought would fix the vista issue, but to no avail :
>
>
> ### Office for Vista issue -- no state
>
> pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any

Do you imply that you have other operating systems behind your FreeBSD
wall, but not this sort of issue? Is the problem Vista specific?

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 13:49:05 2007
From: "Kevin K."
To: "'LI Xin'"
Date: Tue, 6 Feb 2007 08:48:58 -0500
Message-ID: <004601c749f5$8dd0b930$a9722b90$@ca>
In-Reply-To: <45C885B3.3000508@delphij.net>
Subject: RE: PF & Windows Vista

> Do you imply that you have other operating systems behind your FreeBSD
> wall, but not this sort of issue? Is the problem Vista specific?

Only FreeBSD machines are behind the firewall. The issue lies with a Vista
machine accessing the network through the firewall. The connection attempt
(regardless of protocol) eventually times out.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 15:37:28 2007
From: "Kevin K."
To: "'Kevin K.'", "'LI Xin'"
Date: Tue, 6 Feb 2007 10:37:32 -0500
Message-ID: <005301c74a04$b8528990$28f79cb0$@ca>
In-Reply-To: <004601c749f5$8dd0b930$a9722b90$@ca>
Subject: RE: PF & Windows Vista

> > Do you imply that you have other operating systems behind your FreeBSD
> > wall, but not this sort of issue? Is the problem Vista specific?
>
> Only FreeBSD machines are behind the firewall. The issue lies with a Vista
> machine accessing the network through the firewall. The connection attempt
> (regardless of protocol) eventually times out.

To clarify even further (sorry for the 2nd msg). Most (if not all) other
machines are able to access my network through the PF firewall without any
issues (XP/2000/NT, Linux, BSD). As soon as a Windows Vista machine tries to
access my network, the connection attempt times out (www, ftp, ssh).

I'd like to know if anyone else has experienced something similar with Vista
and their firewall. I realize it may be something with Vista, but this issue
seems to be related to PF firewalls and Vista.

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 17:30:18 2007
From: "Kevin K."
Date: Tue, 6 Feb 2007 12:30:29 -0500
Message-ID: <006301c74a14$7fd9a5c0$7f8cf140$@ca>
In-Reply-To: <45C8A300.9050301@bsdsystems.de>
Subject: RE: PF & Windows Vista

Dennis Berger wrote:
> We have a vista client and openbsd 3.9 pf box here. no problems at all.
> What you could try is something like this.
>
> pass in quick on $ext_if fastroute inet proto tcp from $somewhere to any

I'm going to try that, but I'm looking for a solution where I don't have to
add $somewhere for each Vista machine trying to get in.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 17:57:14 2007
From: "Michael K. Smith - Adhost"
Date: Tue, 6 Feb 2007 09:30:28 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D52031601A8BD24@ad-exh01.adhost.lan>
Subject: PFSync Not Working Correctly

Hello All:

I have two 6.2 RELEASE servers working in failover mode as PF Load
Balancers. When the MASTER box is failed (through reboot or interface
shutdown, etc.) the BACKUP box becomes MASTER as expected, but connections
that existed through the MASTER before the failover do not transfer as
expected to the new MASTER. New connections work immediately.

When I issue a 'pfctl -vvss' the established connection shows up correctly
in the state tables on both machines, so I would expect the established
connection to work immediately upon failover.

If anyone has any insights I'd be grateful. I can also post any relevant
output or config snippets if someone thinks they would help.

Regards,

Mike

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 22:18:49 2007
From: "Kian Mohageri"
To: "Michael K. Smith - Adhost"
Date: Tue, 6 Feb 2007 13:51:55 -0800
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031601A8BD24@ad-exh01.adhost.lan>
Subject: Re: PFSync Not Working Correctly

On 2/6/07, Michael K. Smith - Adhost wrote:
>
> Hello All:
>
> I have two 6.2 RELEASE servers working in failover mode as PF Load
> Balancers. When the MASTER box is failed (through reboot or interface
> shutdown, etc.) the BACKUP box becomes MASTER as expected, but
> connections that existed through the MASTER before the failover do not
> transfer as expected to the new MASTER. New connections work
> immediately.
>
> When I issue a 'pfctl -vvss' the established connection shows up
> correctly in the state tables on both machines, so I would expect the
> established connection to work immediately upon failover.
>
> If anyone has any insights I'd be grateful. I can also post any
> relevant output or config snippets if someone thinks they would help.

Increase pf verbosity, and also tcpdump -i pflog0 (you do block log,
right?) on your new MASTER when connections are failing. That will tell
you if there is a state mismatch going on when connections fail over. You
first want to make sure the mid-connection packets are even reaching the
new master.
--
Kian Mohageri

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 6 23:08:43 2007
From: Richard Tector
To: "Michael K. Smith - Adhost"
Date: Tue, 06 Feb 2007 22:37:20 +0000
Message-ID: <45C90320.7030207@thekeelecentre.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031601A8BD24@ad-exh01.adhost.lan>
Subject: Re: PFSync Not Working Correctly

Michael K. Smith - Adhost wrote:
> Hello All:
>
> I have two 6.2 RELEASE servers working in failover mode as PF Load
> Balancers. When the MASTER box is failed (through reboot or interface
> shutdown, etc.) the BACKUP box becomes MASTER as expected, but
> connections that existed through the MASTER before the failover do not
> transfer as expected to the new MASTER. New connections work
> immediately.
>
> When I issue a 'pfctl -vvss' the established connection shows up
> correctly in the state tables on both machines, so I would expect the
> established connection to work immediately upon failover.
>
> If anyone has any insights I'd be grateful. I can also post any
> relevant output or config snippets if someone thinks they would help.

Are the interfaces the same in both machines? If the states are if-bound,
they won't match packets on the backup server if the interface names are
different.

Regards,

Richard
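Kian's and Richard's replies above come down to two checks on the new MASTER: are the mid-connection packets arriving at all (pflog0 with a logging block rule), and are the synced states bound to an interface name that the backup box does not have. The pf.conf skeleton below is an added example for this thread, not configuration posted by Michael, Kian or Richard; the interface names em0/em1/em2 and the dedicated sync link are assumptions.

```conf
# Added example (not from the thread): pf.conf skeleton for a carp/pfsync
# failover pair. ext_if / int_if / sync_if are assumed interface names.

ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"    # assumed: a dedicated crossover link between the two boxes

# pf keys states on an interface name. A floating state matches on any
# interface, so the backup can use a state created on the master even if
# its NICs are not named identically. Floating is the default, but a global
# 'set state-policy if-bound' or a per-rule '(if-bound)' silently breaks
# failover, so say it explicitly and grep for 'if-bound' in the rest of the file.
set state-policy floating

# Log every drop. 'tcpdump -n -e -ttt -i pflog0' on the new MASTER then shows
# whether the pre-failover packets arrive and, if so, which rule kills them.
block log all

# carp advertisements on the filtered interfaces, pfsync on the sync link.
# pfsync carries the full state table unauthenticated: keep $sync_if on an
# isolated segment and never pass proto pfsync on $ext_if or $int_if.
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $sync_if proto pfsync

# Normal traffic. No '(if-bound)' anywhere, so every state floats.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in  on $int_if from $int_if:network to any keep state

# After a failover, on the new MASTER:
#   pfctl -ss | awk '$1 != "all"'   # if-bound states print their interface
#                                   # instead of "all"; this should be empty
#   pfctl -ss | grep ESTABLISHED    # the connection that hung should be listed
#   ifconfig pfsync0                # must report $sync_if as its syncdev
```

If the awk check lists states on, say, fxp0 while the backup's interfaces are em0/em1, that is Richard's case: the state exists on both boxes, as Michael saw with pfctl -vvss, but the backup never matches packets against it.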
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 7 08:20:35 2007
From: "Greg Hennessy"
To: "'Kevin K.'", "'LI Xin'"
Date: Wed, 7 Feb 2007 08:20:15 -0000
Message-ID: <001301c74a90$cbef6b80$63ce4280$@Hennessy@nviz.net>
In-Reply-To: <005301c74a04$b8528990$28f79cb0$@ca>
Subject: RE: PF & Windows Vista

> I'd like to know if anyone else has experienced something similar with
> Vista and their firewall. I realize it may be something with Vista, but
> this issue seems to be related to PF firewalls and Vista.
>

I have run (and am running) Vista with CTCP enabled and disabled through PF just fine.

Silly question, are all your tcp keep state rules establishing state on flags S/SA only?

What's the default block log all rule telling you regarding the connection?

Have you tcpdumped an incoming session from that system through both ingress and egress interfaces to see what's happening?

Greg

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 7 12:43:18 2007
From: Volker
To: "Kevin K."
Date: Wed, 07 Feb 2007 13:42:54 +0100
Message-ID: <45C9C94E.8080806@vwsoft.com>
In-Reply-To: <002501c749f3$bb1a1dc0$314e5940$@ca>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF & Windows Vista

On 12/23/-58 20:59, Kevin K. wrote:
> I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
> the fact that Windows Vista machines can't get through the network. I have
> tried many things, including just using a skeleton PF configuration and I'm
> still having trouble.
>
> Just curious if anyone has experienced issues with this? If so, any
> suggestions or resolutions would be appreciated.
>
> Below is what we thought would fix the vista issue, but to no avail :
>
>
> ### Office for Vista issue -- no state
>
> pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any

Kevin,

helping you with just this snippet of rules is like fishing in the dark.

Your rules do the following: A connection coming from a single IP address (/32) is passing the firewall on the external IF.
As it does not create state (no keep state option) the answer to that incoming connection will probably never reach the originating IP address.

As you're logging but do not keep state, you're getting a whole bunch of log entries which might render your logs unreadable (every packet is being logged instead of every connection).

If your rules work properly for other hosts (again, your snippet of rules is useless for supporting you) I'm wondering if your Vista machine does IPv6 and does not try v4? I don't know Vista at all but I guess v6 support is built in.

Greetings,

Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 7 15:06:06 2007
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Wed, 07 Feb 2007 16:06:03 +0100
In-Reply-To: (Vladimir Kapustin's message of "Mon, 05 Feb 2007 19:39:20 +0300")
Message-ID: <87ireegg84.fsf@thingy.datadok.no>
Subject: Re: SPAMD stop passing mail from WHITE-list

Vladimir Kapustin writes:

> Nothing unusual, but that the mail stops forwarding from the
> whitelist. i.e. the sender resends the mail, gets in WHITE-list in
> spamd, but the mail does not actually pass the router.

That and the sheer size of your spamdb is weird.

> pfctl -sn
> rdr pass inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
> rdr pass inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025

try making your rdr interface specific, ie

rdr pass on $ext_if

and see if it makes a difference

> No...not malware...suppose that a user doesn't know about malware
> and uses Outlook to send his mail. He'll get into THE WHITE-list
> and spamd can't stop HIS malware?

Mail from a whitelisted IP address will pass.

Please contact me off-list (the address works, with greylisting ;)) if you want me to see if I can reproduce the problem here, I'll probably need larger chunks of your config than you would sensibly put on a public list.

> many thanks for taking an interest in my problem

When you follow my recipe, I feel the responsibility falls more on me than it otherwise would [you said you followed my recipe of sorts, so I do feel a certain responsibility]

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 7 15:24:48 2007
From: "Kevin K."
Date: Wed, 7 Feb 2007 10:24:57 -0500
Message-ID: <00cc01c74acc$20d9d8c0$628d8a40$@ca>
In-Reply-To: <45C9C94E.8080806@vwsoft.com>
Subject: RE: PF & Windows Vista

Volker wrote:
>
> Kevin,
>
> helping you with just this snippet of rules is like fishing in the
> dark.
>
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state (no keep state option) the answer to that incoming
> connection will probably never reach the originating IP address.
>
> As you're logging but do not keep state, you're getting a whole
> bunch of log entries which might render your logs unreadable (every
> packet is being logged instead of every connection).
>
> If your rules work properly for other hosts (again, your snippet of
> rules is useless for supporting you) I'm wondering if your Vista
> machine does IPv6 and does not try v4? I don't know Vista at all but
> I guess v6 support is built in.
>
> Greetings,
>
> Volker

I was hoping that the issue was simple and common, due to Vista's emphasis on ipv6 among other networking issues. Either way, below is my entire pf configuration. I hope it helps.

### Firewalls are Sun Netra X1 UltraSPARC IIe 400
ext_if="dc1"
int_if="dc0"
loop_if="lo0"
internal_addr="xxx.xxx.xxx.x"
external_addr="xx.xxx.xxx.xxx"
internal_net="xxx.xxx.xxx.x"
external_net="xx.xxx.xxx.xxx"

### Load carp interfaces
c1="carp1"
c130="carp130"
c131="carp131"
c132="carp132"
c133="carp133"
c134="carp134"
c135="carp135"
c136="carp136"
c137="carp137"
c138="carp138"
c139="carp139"
c140="carp140"
c141="carp141"
c142="carp142"
c143="carp143"
c144="carp144"
c145="carp145"
c146="carp146"
c147="carp147"
c148="carp148"
c149="carp149"
c150="carp150"
c151="carp151"
c152="carp152"
c153="carp153"
c154="carp154"
c155="carp155"
c156="carp156"
c157="carp157"
c158="carp158"
c159="carp159"
c160="carp160"
c161="carp161"
c162="carp162"
c163="carp163"
c164="carp164"
c165="carp165"
c166="carp166"
c167="carp167"
c168="carp168"
c169="carp169"
c170="carp170"
c171="carp171"
c172="carp172"
c173="carp173"
c174="carp174"
c175="carp175"
c176="carp176"
c177="carp177"
c178="carp178"
c179="carp179"
c180="carp180"
c181="carp181"
c182="carp182"
c183="carp183"
c184="carp184"
c185="carp185"
c186="carp186"
c187="carp187"
c188="carp188"

InServicesTCP = "{ http, https }"
InServicesUDP = "{ domain, ntp, rpc }"
OutServicesTCP = "{ http, https, whois }"
OutServicesUDP = "{ ntp, domain, rpc }"
ProtoBlocked = "{ tcp, udp }"

table const file "/etc/firewall/carp_extaddr.tbl"
table const file "/etc/firewall/ip_localblock.tbl"
table persist file "/etc/firewall/ip_caught.tbl" file "/etc/firewall/ip_exploit.tbl"
#table file "/etc/firewall/excess_conns.tbl"
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table persist
table const file "/etc/firewall/web_server_ips.tbl"
#table persist file "/etc/firewall/ssh_hackers.tbl"
table persist
table persist file "/etc/firewall/sendmail_hacks.tbl"
table persist file "/etc/firewall/blacklistproxies.tbl"
table persist file "/etc/firewall/port_scanners.tbl"

#### open for unabated users
table { xx.xxx.xxx.xxx }

#### nfs table for hosts
#table { xxx.xxx.xxx.x }

##### Safe users
table { xxx.xxx.xxx.x }

# Options: tune the behavior of pf, default values are given.
set timeout { interval 30, frag 60, src.track 180 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 2000000, frags 1000000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

### rdr's
rdr on $ext_if proto tcp from any to ($c130) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c131) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c136) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c137) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c138) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c139) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c140) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c141) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c142) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c144) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c145) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c146) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c148) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c149) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c150) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 80 -> xxx.xxx.xxx.x

### Port 443 required mappings
rdr on $ext_if proto tcp from any to ($c131) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 443 -> xxx.xxx.xxx.x

#### Port 22 maps
rdr on $ext_if proto tcp from any to ($c130) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c169) port 22 -> xxx.xxx.xxx.x

##### Port 21 / FTP
rdr on $ext_if proto tcp from any to ($c130) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c130) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 2121 -> xxx.xxx.xxx.x

##### Port 21 / FTP
rdr on $ext_if proto tcp from any to ($c130) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 20 -> xxx.xxx.xxx.x

##### Passiv3 mod3 FtP
rdr on $ext_if proto tcp from any to ($c130) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 50000:50050 -> xxx.xxx.xxx.x

##### Port 873 for rsync
rdr on $ext_if proto tcp from any to ($c143) port 873 -> xxx.xxx.xxx.x

####### Nat back out for connections initiated behind the firewall
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x

### Carp specific pass rules
pass quick on { dc0 } proto pfsync
pass quick on { dc0 dc1 } proto carp keep state

#### Before block in all is turned back on make sure you don't get locked out
#### allow safeusers
pass in quick on $ext_if inet proto tcp from to any flags S/SA keep state
pass in quick on $ext_if inet proto udp from to any keep state
pass in quick on $ext_if inet proto icmp from to any keep state

### Office for Vista issue -- no state
pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any

# Filtering ---- first up is the default block
block in all
#block in on $ext_if

### block private addresses
block drop in quick on $ext_if from to any
block drop out quick on $ext_if from any to

### Allow NFS traffic
pass in quick on $int_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $int_if proto udp from to xxx.xxx.xxx.x
pass out quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $int_if inet proto udp from xxx.xxx.xxx.x

# Allow safehost access to web / FTP
pass in quick on $ext_if inet proto tcp from to port $InServicesTCP flags S/SA keep state
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto icmp from to keep state

#### Block sendmail hacks & port scans
block drop quick from
block drop quick from

#### Block Excess connections - DoS - SSH hackers - but allow for them to receive the generic message
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any
block drop quick on $ext_if proto $ProtoBlocked from to any

### catch ssh hacks
pass in quick on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 1, max-src-conn-rate 1/200, overload flush global)
pass in quick on $int_if inet proto tcp from any port 22 to any flags SA/SAFR keep state

### block caught
pass out quick on $ext_if from any to xx.xxx.xxx.xxx
pass in quick on $ext_if from xx.xxx.xxx.xxx
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
block drop in quick on $ext_if from to any
block drop in quick on $ext_if from to any
block drop in quick on $ext_if from $ext_if to any
block drop out quick on $ext_if from any to
block drop out quick on $ext_if from any to $ext_if

#### Explicit allow connections into the f/wall from the internal network
pass in quick on $int_if proto tcp from $internal_net to $internal_addr port 22 flags S/SA keep state
pass in quick on $int_if proto udp from $internal_net to $internal_addr port 53 keep state
pass in quick on $int_if proto icmp from $internal_net to $internal_addr keep state

##### Apply anti-spoof blocks
block drop in quick on $int_if from any to
block drop in quick on $int_if from any to $internal_net

##### loopback interface
pass in quick on $loop_if all
pass out quick on $loop_if all

## block web access to this hosts BASE
block drop in quick on $ext_if proto tcp from any to $external_addr port 443
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

#### FtP SerViCeS --- 21 and PasSiVe
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
###(max-src-conn 74, max-src-conn-rate 100/2, overload flush global)
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

###### allow mail rsync, etc
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port 2620
pass in quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to any port 2620
pass out quick on $int_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $int_if inet proto udp from any to any port 2620

##### dns services have to be allowed
pass in quick on $ext_if inet proto udp from any to $external_addr port 53 keep state
pass in quick on $ext_if inet proto udp from any port 53 to $internal_net keep state
pass in quick on $ext_if inet proto udp from any port 53 to any keep state

#### temp. ftp outbound for port updates / src updates / etc
#pass in quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass in quick on $int_if inet proto tcp from any to any port 21 keep state
#pass out quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass out quick on $int_if inet proto tcp from any to any port 21 keep state

##### with the block in all allow ns-2 full access

######## END OF INBOUND allows on the ExTeRnAL InterFac3 ########

### allow SA responses back to initial SYN inbounds
pass in quick on $int_if proto tcp from port 80 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from port 443 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from port 21 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from port 20 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from port 50000:50050 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from to flags SA/SAFR keep state
pass in quick on $int_if proto udp from to keep state
pass in quick on $int_if proto icmp from to keep state
pass in quick on $int_if proto tcp from to flags SA/SAFR keep state
pass in quick on $int_if proto udp from to keep state
pass in quick on $int_if proto icmp from to keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

### Vista rules
pass in log quick on $int_if proto tcp from to xxx.xxx.xxx.x/32
pass in quick on $int_if proto udp from to xxx.xxx.xxx.x/32
pass in quick on $int_if proto icmp from to xxx.xxx.xxx.x/32
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

############ Some outbound rules ###########
pass out quick on $ext_if proto udp from $external_addr to any port 123 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 22 flags S/SA keep state
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 80 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 43 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 443 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 5999 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to xxx.xxx.xxx.x/32 port 25 flags S/SA keep state

#allow traceroute from fw -> host , this is really slow and doesn't work properly
#pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
#pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 53 keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 123 keep state
pass in quick on $int_if proto icmp from $internal_net to any keep state
pass in quick on $int_if proto tcp from $internal_net to any port 43 flags S/SA keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 00:08:40 2007
From: Marcelo Celleri
To: freebsd-pf@freebsd.org
Organization: ESPOLTEL
Date: Wed, 07 Feb 2007 18:47:31 -0500
Message-Id: <1170892051.4715.32.camel@localhost.localdomain>
Subject: Borrow in CBQ doesn't work
Reply-To: marceloc@espoltel.net

Hi everyone,

I'm working with ALTQ, but I realize that the borrow option in cbq queues doesn't work, at least not like the manual says ("A child class can borrow bandwidth from its parent class as long as excess bandwidth is available"). I isolated 2 PCs (pc, laptop) and made some tests with this configuration:

altq on $int_if bandwidth 100Mb cbq queue { vip, adm_fin, it_cac, test }
queue vip bandwidth 50Mb cbq(default)
queue test bandwidth 192Kb cbq { pc, laptop }
queue pc bandwidth 128Kb cbq (borrow, ecn)
queue laptop bandwidth 64Kb priority 7 cbq (borrow, ecn)
queue adm_fin bandwidth 384Kb cbq
queue it_cac bandwidth 512Kb cbq

pass out quick on $int_if from any to 172.26.5.42 keep state queue laptop
pass out quick on $int_if from any to 172.26.5.40 keep state queue pc

The shaping was good: when these 2 machines were receiving traffic at the same time, pc got 128Kbps and laptop got 64Kbps, but I was expecting that when I turned off one of the PCs the other would have all the bandwidth associated with the queue (192Kb), but the results weren't what I wanted.

When I used only the "pc" the maximum bandwidth was 140Kbps, and with the laptop the maximum was 80Kbps; worse, these weren't stable values. Then I made some changes like taking off the ecn parameter or changing priorities; then I got more stable values but almost the same maximums.

Then I tested the hfsc queues; they work pretty well in these cases, but I wanted to change an altq configuration with a lot of queues and sub-queues and my server gave me this error:

pfctl: DIOCADDALTQ: Cannot allocate memory.
Apparently it was a lot work to process for my server :( I would like to find the way to making work this "borrow" option, please tell me if someone of you had the same problem or if my configuration it's wrong.=20 PD: here is my kernel config for ALTQ: options ALTQ options ALTQ_CBQ # Class Bases Queueing options ALTQ_RED # Random Early Detection options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler options ALTQ_PRIQ # Priority Queueing Thanks a Lot, =20 ---------------------------------- Marcelo C=C3=A9lleri M. Jefe IP ESPOLTEL S.A. PBX 593 04 2514477 Ext. 114 ---------------------------------- From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 03:00:20 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E285C16A400 for ; Thu, 8 Feb 2007 03:00:18 +0000 (UTC) (envelope-from freebsd-pf@magma.ca) Received: from mx2-7.spamtrap.magma.ca (mx2-7.spamtrap.magma.ca [209.217.78.166]) by mx1.freebsd.org (Postfix) with ESMTP id 713E113C481 for ; Thu, 8 Feb 2007 03:00:18 +0000 (UTC) (envelope-from freebsd-pf@magma.ca) Received: from mail3.magma.ca (mail3.internal.magma.ca [10.0.10.13]) by mx2-7.spamtrap.magma.ca (8.13.1/8.13.1) with ESMTP id l1830FGY004471 for ; Wed, 7 Feb 2007 22:00:15 -0500 Received: from kkmeyhy7ba1b1d (ottawa-hs-64-26-176-88.s-ip.magma.ca [64.26.176.88]) (authenticated bits=0) by mail3.magma.ca (Magma's Mail Server) with ESMTP id l1830ErE018127 for ; Wed, 7 Feb 2007 22:00:15 -0500 From: "Kevin K." 
To: Date: Wed, 7 Feb 2007 22:00:30 -0500 Message-ID: <000a01c74b2d$4bc28800$e3479800$@ca> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcdLHrKM7dHXaQZtRzWyRjpf+lav4AADgsCQAAASGhA= Content-Language: en-us X-magma-MailScanner-Information: Magma Mailscanner Service X-magma-MailScanner: Clean X-Spam-Status: Subject: RE: PF & Windows Vista X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Feb 2007 03:00:20 -0000 > David Nguyen wrote: > >I've installed Vista recently and it detected the network drivers and > "seemed" to be working (default drivers with >Vista). I thought it was > the network, but it was actually the network drivers that came with > vista (nForce). I would >retrieve a DHCP, but would not communicate. no > ping, no dns > > > >I then installed the ones from nVidia site and everything worked. So > it may be the drivers are broken, have you tried >installing the > manufacturers drivers. I hope this helps. > > > >Cheers > >David > > I think the issue is with Vista working fine with other networks / firewalls (as far as I can tell) ,but with my freebsd PF firewall it is not able to connect to anything behind it. 
From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 09:27:05 2007
From: Marko Lerota
To: marceloc@espoltel.net
Cc: freebsd-pf@freebsd.org
Date: Thu, 08 Feb 2007 10:25:48 +0100
Message-ID: <86ireddmqr.fsf@sparrow.local>
In-Reply-To: <1170892051.4715.32.camel@localhost.localdomain> (Marcelo Celleri's message of "Wed, 07 Feb 2007 18:47:31 -0500")
References: <1170892051.4715.32.camel@localhost.localdomain>
Organization: *BSD Users - Fanatics Dept.
Subject: Re: Borrow in CBQ doesn't work

Marcelo Celleri writes:

> Hi everyone,
>
> I'm working with ALTQ, but I realize that the borrow option in cbq
> queues doesn't work at least like the manual says "A child class can
> borrow bandwidth from its parent class as long as excess bandwidth is
> available"

You are not the only one who finds that problem. It must be a bug.
I switched to hfsc and borrowing works fine.

altq on $int_if hfsc bandwidth 4800Kb queue { def adm usr ser }
queue def bandwidth 30Kb hfsc (default realtime 30Kb)
queue usr bandwidth 600Kb hfsc (red realtime 600Kb)
queue adm bandwidth 2000Kb hfsc (red realtime 2000Kb)
queue ser bandwidth 1000Kb hfsc (red realtime 1000Kb)

pass inet proto { tcp, udp } from $admins to any keep state queue adm
pass inet proto { tcp, udp } from $users to any keep state queue usr
pass inet proto { tcp, udp } from $servers to any keep state queue ser

I have this in kernel

options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
options ALTQ_DEBUG
options ALTQ_PRIQ # Priority Queueing

--
One cannot sell the earth upon which the people walk
Tacunka Witco

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 11:02:18 2007
From: Muhammad Reza
To: Marko Lerota
Cc: freebsd-pf@freebsd.org
Date: Thu, 08 Feb 2007 17:49:25 +0700
Message-Id: <1170931765.20774.2.camel@beastie.mra.co.id>
In-Reply-To: <86ireddmqr.fsf@sparrow.local>
References: <1170892051.4715.32.camel@localhost.localdomain> <86ireddmqr.fsf@sparrow.local>
Subject: Re: Borrow in CBQ doesn't work

On Thu, 2007-02-08 at 10:25 +0100, Marko Lerota wrote:
> Marcelo Celleri writes:
>
> > Hi everyone,
> >
> > I'm working with ALTQ, but I realize that the borrow option in cbq
> > queues doesn't work at least like the manual says "A child class can
> > borrow bandwidth from its parent class as long as excess bandwidth is
> > available"
>
> You are not the only one who finds that problem. It must be a bug.
> I switched to hfsc and borrowing works fine.
>
> altq on $int_if hfsc bandwidth 4800Kb queue { def adm usr ser }
> queue def bandwidth 30Kb hfsc (default realtime 30Kb)
> queue usr bandwidth 600Kb hfsc (red realtime 600Kb)
> queue adm bandwidth 2000Kb hfsc (red realtime 2000Kb)
> queue ser bandwidth 1000Kb hfsc (red realtime 1000Kb)
>
> pass inet proto { tcp, udp } from $admins to any keep state queue adm
> pass inet proto { tcp, udp } from $users to any keep state queue usr
> pass inet proto { tcp, udp } from $servers to any keep state queue ser
>
> I have this in kernel
>
> options ALTQ
> options ALTQ_CBQ # Class Bases Queuing (CBQ)
> options ALTQ_RED # Random Early Detection (RED)
> options ALTQ_RIO # RED In/Out
> options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
> options ALTQ_PRIQ # Priority Queuing (PRIQ)
> options ALTQ_NOPCC # Required for SMP build
> options ALTQ_DEBUG
> options ALTQ_PRIQ # Priority Queueing

but it works fine with OpenBSD

regards
Reza

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 13:16:47 2007
To: Muhammad Reza
In-Reply-To: <1170931765.20774.2.camel@beastie.mra.co.id> (Muhammad Reza's message of "Thu, 08 Feb 2007 17:49:25 +0700")
References: <1170892051.4715.32.camel@localhost.localdomain> <86ireddmqr.fsf@sparrow.local> <1170931765.20774.2.camel@beastie.mra.co.id>
Organization: *BSD Users - Fanatics Dept.
From: Marko Lerota
Cc: freebsd-pf@freebsd.org
Date: Thu, 08 Feb 2007 14:15:15 +0100
Message-ID: <86abzou6xo.fsf@sparrow.local>
Subject: Re: Borrow in CBQ doesn't work

Muhammad Reza writes:

> but it works fine with OpenBSD

Yes, and the ethernet devices also work better, but I will stay on FreeBSD ;)

--
One cannot sell the earth upon which the people walk
Tacunka Witco

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 14:20:38 2007
From: Mike Tancsa
To: Marko Lerota
Cc: freebsd-pf@freebsd.org
Date: Thu, 08 Feb 2007 09:08:23 -0500
Message-Id: <200702081406.l18E6Ikb054671@lava.sentex.ca>
In-Reply-To: <86abzou6xo.fsf@sparrow.local>
References: <1170892051.4715.32.camel@localhost.localdomain> <86ireddmqr.fsf@sparrow.local> <1170931765.20774.2.camel@beastie.mra.co.id> <86abzou6xo.fsf@sparrow.local>
Subject: Re: Borrow in CBQ doesn't work

At 08:15 AM 2/8/2007, Marko Lerota wrote:
> Muhammad Reza writes:
>
> > but it works fine with OpenBSD
>
> Yes, and the ethernet devices also work better, but I will
> stay on FreeBSD ;)

Really? Which drivers? I found bge and em to be less supported and slower than on FreeBSD.

---Mike

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 8 14:48:11 2007
From: Marcelo Celleri
Marko Lerota In-Reply-To: <86ireddmqr.fsf@sparrow.local> References: <1170892051.4715.32.camel@localhost.localdomain> <86ireddmqr.fsf@sparrow.local> Content-Type: multipart/mixed; boundary="=-iWFIJ8uyhJvBC1KKSxwm" Organization: ESPOLTEL Date: Thu, 08 Feb 2007 09:47:33 -0500 Message-Id: <1170946053.4734.10.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.6.1 X-Virus-Scanned: by Amavis-new and ClamaV at ESPOLTEL Cc: freebsd-pf@freebsd.org Subject: Re: Borrow in CBQ doesn't work X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: marceloc@espoltel.net List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Feb 2007 14:48:12 -0000 --=-iWFIJ8uyhJvBC1KKSxwm Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Thanks for your answers, but like I said I cannot switch to hfsc where I have the main configuration for my customers, because I have a lot of queues and the server gives me: pfctl: DIOCADDALTQ: Cannot allocate memory I don't know if something could be wrong in my config or is just the amount of processes to support, which could be the maximum number of hfsc queues to support related with the amount of memory? Also I attached my config file, hoping that you can tell me if something is wrong. On jue, 2007-02-08 at 10:25 +0100, Marko Lerota wrote: > Marcelo Celleri writes: >=20 > > Hi everyone, > > > > I'm working with ALTQ, but I realize that the borrow option in cbq > > queues doesn't work at least like the manual says "A child class can > > borrow bandwidth from its parent class as long as excess bandwidth is > > available" >=20 > You are not the only one who find that problem. It must be a bug.=20 > I switched to hfsc and borrowing works fine. 
=20 >=20 > altq on $int_if hfsc bandwidth 4800Kb queue { def adm usr ser} > queue def bandwidth 30Kb hfsc (default realtime 30Kb) > queue usr bandwidth 600Kb hfsc (red realtime 600Kb)=20 > queue adm bandwidth 2000Kb hfsc (red realtime 2000Kb)=20 > queue ser bandwidth 1000Kb hfsc (red realtime 1000Kb) >=20 > pass inet proto { tcp, udp } from $admins to any keep state queue adm > pass inet proto { tcp, udp } from $users to any keep state queue usr > pass inet proto { tcp, udp } from $servers to any keep state queue ser >=20 > I have this in kernel=20 >=20 > options ALTQ > options ALTQ_CBQ # Class Bases Queuing (CBQ) > options ALTQ_RED # Random Early Detection (RED) = =20 > options ALTQ_RIO # RED In/Out > options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) > options ALTQ_PRIQ # Priority Queuing (PRIQ) > options ALTQ_NOPCC # Required for SMP build > options ALTQ_DEBUG > options ALTQ_PRIQ # Priority Queueing >=20 --=20 ---------------------------------- Marcelo C=C3=A9lleri M. Jefe IP ESPOLTEL S.A. PBX 593 04 2514477 Ext. 114 ---------------------------------- --=-iWFIJ8uyhJvBC1KKSxwm Content-Disposition: attachment; filename=pf.conf Content-Type: text/plain; name=pf.conf; charset=utf-8 Content-Transfer-Encoding: 7bit ext_if="em0" int_if="em1" #PORT DEFINITIONS tcp_voip="1024:1502,1718:1720,2950,4555,4569,5036,5060,5061" udp_voip="4000:4220,6801,17000:17046,30000:30046" tcp_prio1="20,21,80,81,443,1863" tcp_prio2="25,110,143" p2p="1214,3531,4329,4661:4665,4672,4900:4999,6257,6346,6699,6881" table {A.A.A.3, A.A.A.4, A.A.A.2, B.B.B.3, B.B.B.254} table { Y.Y.Y.0/24 } table persist file "/etc/custom/pymes" table persist file "/etc/custom/pymes256_n3" table persist file "/etc/custom/pymes256_n6" table persist file "/etc/custom/pymes128_n2" table persist file "/etc/custom/residencial_128" table persist file "/etc/custom/corte_de_servicio" # Queueing: rule-based bandwidth control [Download]. 
altq on $int_if hfsc bandwidth 100Mb queue { std, core, salinas, uees, lnaval, tes, ecomundo, coe, \ montepiedra, andec, copol, asuncion_pri, asuncion_sec, offset, afgye, calcivar, zona3, corpecuador, ststeban, \ extradio, capig, capig_mail, esmena, marianitas, diteca, canizares, delfos, metain, \ pym256_n3, pym256_n4, pym128, pym128_n2, residencial } # PREMIUM SERVICES ###################### # # MAIN QUEUE _ _ _ _ queue A: Best prio, more BW (voip,www,ftp) # |_ queue B: BW for correo-e (If exist Client MailServer) # |_ queue C: Low BW, worst prio (P2P, non common aplication) # queue std bandwidth 50.0Mb hfsc(default) queue core bandwidth 1.5Mb hfsc (upperlimit 1.5Mb) queue salinas bandwidth 2Mb hfsc (upperlimit 2Mb) queue uees bandwidth 2Mb hfsc (upperlimit 2Mb) { uees1, uees2, ueesdf } queue uees1 bandwidth 78% priority 3 hfsc(ecn) queue uees2 bandwidth 14% priority 2 hfsc(ecn) queue ueesdf bandwidth 8% hfsc(ecn) queue lnaval bandwidth 192Kb hfsc (upperlimit 192Kb) { ln_voip, ln_sec, ln_pri } queue ln_sec bandwidth 87% priority 4 hfsc(ecn) queue ln_pri bandwidth 13% priority 2 hfsc(ecn) queue tes bandwidth 720Kb hfsc (upperlimit 720Kb) { tes1, tes2, tesdf } queue tes1 bandwidth 78% priority 3 hfsc(ecn) queue tes2 bandwidth 14% priority 2 hfsc(ecn) queue tesdf bandwidth 8% hfsc(ecn) queue ecomundo bandwidth 512Kb hfsc (upperlimit 512Kb) { ecomundo1, ecomundo2, ecomundodf } queue ecomundo1 bandwidth 70% priority 3 hfsc(ecn) queue ecomundo2 bandwidth 20% priority 2 hfsc(ecn) queue ecomundodf bandwidth 10% hfsc(ecn) queue coe bandwidth 768Kb hfsc (upperlimit 768Kb) { coe1, coedf } queue coe1 bandwidth 75% priority 2 hfsc(ecn) queue coedf bandwidth 25% hfsc(ecn) queue andec bandwidth 608Kb hfsc (upperlimit 608Kb) { andec1, andec2, andecdf } queue andec1 bandwidth 70% priority 4 hfsc queue andec2 bandwidth 20% priority 3 hfsc(ecn) queue andecdf bandwidth 10% priority 2 hfsc(ecn) queue copol bandwidth 336Kb hfsc (upperlimit 336Kb) { copol1, copol2, copoldf } queue 
copol1 bandwidth 70% priority 3 hfsc(ecn) queue copol2 bandwidth 20% priority 2 hfsc(ecn) queue copoldf bandwidth 10% hfsc(ecn) queue asuncion_pri bandwidth 224Kb hfsc (upperlimit 224Kb) { asuncion_pri1, asuncion_pri2, asuncion_pridf } queue asuncion_pri1 bandwidth 70% priority 3 hfsc(ecn) queue asuncion_pri2 bandwidth 20% priority 2 hfsc(ecn) queue asuncion_pridf bandwidth 10% hfsc(ecn) queue asuncion_sec bandwidth 288Kb hfsc (upperlimit 288Kb) { asuncion_sec1, asuncion_sec2, asuncion_secdf } queue asuncion_sec1 bandwidth 70% priority 3 hfsc(ecn) queue asuncion_sec2 bandwidth 20% priority 2 hfsc(ecn) queue asuncion_secdf bandwidth 10% hfsc(ecn) queue offset bandwidth 384Kb hfsc (upperlimit 384Kb) { offset1, offset2, offsetdf } queue offset1 bandwidth 70% priority 3 hfsc(ecn) queue offset2 bandwidth 20% priority 2 hfsc(ecn) queue offsetdf bandwidth 10% hfsc(ecn) queue afgye bandwidth 320Kb hfsc (upperlimit 320Kb) { afgye1, afgye2, afgyedf } queue afgye1 bandwidth 70% priority 3 hfsc(ecn) queue afgye2 bandwidth 20% priority 2 hfsc(ecn) queue afgyedf bandwidth 10% hfsc(ecn) queue calcivar bandwidth 384Kb hfsc (upperlimit 384Kb) { calcivar1, calcivar2, calcivardf } queue calcivar1 bandwidth 70% priority 3 hfsc(ecn) queue calcivar2 bandwidth 20% priority 2 hfsc(ecn) queue calcivardf bandwidth 10% hfsc(ecn) queue esmena bandwidth 256Kb hfsc (upperlimit 256Kb) { esmena1, esmenadf } queue esmena1 bandwidth 80% priority 3 hfsc(ecn) queue esmenadf bandwidth 20% hfsc(ecn) queue zona3 bandwidth 256Kb hfsc (upperlimit 256Kb) { zona3voip, zona3df } queue zona3voip bandwidth 82Kb priority 3 hfsc(ecn) queue zona3df bandwidth 174Kb hfsc(ecn) queue capig bandwidth 144Kb hfsc (upperlimit 144Kb) { capig1, capigdf } queue capig1 bandwidth 80% priority 3 hfsc(ecn) queue capigdf bandwidth 20% hfsc(ecn) queue capig_mail bandwidth 128Kb hfsc (upperlimit 128Kb) queue corpecuador bandwidth 128Kb hfsc (upperlimit 140Kb, realtime 128Kb) { corpecuador1, corpecuadordf } queue corpecuador1 
bandwidth 80% priority 3 hfsc(ecn) queue corpecuadordf bandwidth 20% hfsc(ecn) queue montepiedra bandwidth 128Kb hfsc (upperlimit 140Kb, realtime 128Kb) { montepiedra1, montepiedradf } queue montepiedra1 bandwidth 80% priority 3 hfsc(ecn) queue montepiedradf bandwidth 20% hfsc(ecn) queue extradio bandwidth 128Kb hfsc (upperlimit 140Kb, realtime 128Kb) { extradio1, extradiodf } queue extradio1 bandwidth 80% priority 3 hfsc(ecn) queue extradiodf bandwidth 20% hfsc(ecn) queue ststeban bandwidth 128Kb hfsc (upperlimit 140Kb, realtime 128Kb) { ststeban1, ststebandf } queue ststeban1 bandwidth 80% priority 3 hfsc(ecn) queue ststebandf bandwidth 20% hfsc(ecn) queue marianitas bandwidth 96Kb hfsc (upperlimit 106Kb, realtime 96Kb) { marianitas1, marianitasdf } queue marianitas1 bandwidth 80% priority 3 hfsc(ecn) queue marianitasdf bandwidth 20% hfsc(ecn) queue canizares bandwidth 64Kb hfsc (upperlimit 72Kb, realtime 64Kb) { canizares_voip, canizaresdf } queue canizares_voip bandwidth 35% priority 3 hfsc(ecn) queue canizaresdf bandwidth 65% hfsc(ecn) queue diteca bandwidth 64Kb hfsc (upperlimit 72Kb, realtime 64Kb) { diteca1, ditecadf } queue diteca1 bandwidth 90% priority 3 hfsc(ecn) queue ditecadf bandwidth 10% hfsc(ecn) queue delfos bandwidth 64Kb hfsc (upperlimit 72Kb, realtime 64Kb) { delfos1, delfosdf } queue delfos1 bandwidth 90% priority 3 hfsc(ecn) queue delfosdf bandwidth 10% hfsc(ecn) queue metain bandwidth 64Kb hfsc (upperlimit 72Kb, realtime 64Kb) { metain1, metaindf } queue metain1 bandwidth 90% priority 3 hfsc(ecn) queue metaindf bandwidth 10% hfsc(ecn) ## SHARED SERVICES ############################# queue pym128 bandwidth 512Kb hfsc (upperlimit 560Kb, realtime 512Kb) { pym128_a, pym128_b, pym128_df } queue pym128_a bandwidth 80% priority 3 hfsc(ecn) queue pym128_df bandwidth 20% hfsc(ecn) # # MAIN QUEUE _ _ _ queue A: Best prio, BW for VoIP or low delay traffic # |_ queue B: More BW, ( Almost everything less P2P) # |_ queue C: Low BW, Worst prio (P2P) # 
queue pym256_n3 bandwidth 408Kb hfsc (upperlimit 408Kb, realtime 440Kb){ pym256_n3a, pym256_n3b, pym256_n3df } queue pym256_n3a bandwidth 12% priority 3 hfsc(ecn) queue pym256_n3b bandwidth 78% priority 2 hfsc(ecn) queue pym256_n3df bandwidth 10% hfsc(ecn) queue pym256_n6 bandwidth 300Kb hfsc (upperlimit 330Kb, realtime 300Kb) { pym256_n6a, pym256_n6b, pym256_n6df } queue pym256_n6a bandwidth 12% priority 3 hfsc(ecn) queue pym256_n6b bandwidth 78% priority 2 hfsc(ecn) queue pym256_n6df bandwidth 10% hfsc(ecn) queue pym128_n2 bandwidth 256Kb hfsc (upperlimit 280Kb, realtime 256Kb) { pym128_n2a, pym128_n2b, pym128_n2df } queue pym128_n2a bandwidth 12% priority 3 hfsc(ecn) queue pym128_n2b bandwidth 78% priority 2 hfsc(ecn) queue pym128_n2df bandwidth 10% hfsc(ecn) queue residencial bandwidth 840Kb hfsc (upperlimit 900Kb, realtime 840Kb) { residencial1, residencialdf } queue residencial1 bandwidth 80% priority 3 hfsc(ecn) queue residencialdf bandwidth 20% hfsc(ecn) # FILTERS ############### pass out quick on $int_if from any to queue core pass out quick on $int_if from any to W.W.W.0/24 queue salinas pass out quick on $int_if proto { tcp,udp } from any port 53 to Y.Y.Y.0/24 queue uees1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to Y.Y.Y.0/24 queue uees1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to Y.Y.Y.0/24 queue uees2 pass out quick on $int_if from any to Y.Y.Y.0/24 queue ueesdf pass out on $int_if from any to X.X.X.77 queue ln_pri pass out on $int_if from any to X.X.X.78 queue ln_voip pass out on $int_if from any to X.X.X.76 queue ln_sec pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.48/28 queue tes1 pass out quick on $int_if proto { tcp,udp } from any port 53 to X.X.X.48/28 queue tes1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.48/28 queue tes2 pass out quick on $int_if from any to X.X.X.48/28 queue tesdf pass out quick on $int_if proto { tcp } 
from any port { $tcp_prio1 } to { X.X.X.66 X.X.X.67 X.X.X.68 } queue ecomundo1 pass out quick on $int_if proto { tcp,udp } from any port 53 to { X.X.X.66 X.X.X.67 X.X.X.68 } queue ecomundo1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to { X.X.X.66 X.X.X.67 X.X.X.68 } queue ecomundo2 pass out quick on $int_if from any to { X.X.X.66 X.X.X.67 X.X.X.68 X.X.X.69 } queue ecomundodf pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.120/30 queue coe1 pass out quick on $int_if proto { tcp,udp } from any port 53 to X.X.X.120/30 queue coe1 pass out quick on $int_if from any to X.X.X.120/30 queue coedf #pass out quick on $int_if proto udp from any port 8000 to 200.49.242.17 queue andec1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to { X.X.X.34, X.X.X.35 } queue andec1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to { X.X.X.34, X.X.X.35 } queue andec2 pass out quick on $int_if from any to { X.X.X.34, X.X.X.35 } queue andecdf pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to Z.Z.Z.16/29 keep state queue copol1 pass out quick on $int_if proto { tcp,udp } from any port 53 to Z.Z.Z.16/29 keep state queue copol1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to Z.Z.Z.16/29 keep state queue copol2 pass out quick on $int_if from any to Z.Z.Z.16/29 keep state queue copoldf #pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.83 queue asuncion_pri1 #pass out quick on $int_if proto { tcp,udp } from any port 53 to X.X.X.83 queue asuncion_pri1 #pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.83 queue asuncion_pri2 #pass out quick on $int_if from any to X.X.X.83 queue asuncion_pridf #pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.84 queue asuncion_sec1 #pass out quick on $int_if proto { tcp,udp } from any port 53 to X.X.X.84 queue asuncion_sec1 #pass out quick 
on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.84 queue asuncion_sec2 #pass out quick on $int_if from any to X.X.X.84 queue asuncion_secdf pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to { X.X.X.80 } queue offset1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to { X.X.X.80 } queue offset2 pass out quick on $int_if from any to { X.X.X.80 } queue offsetdf pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to { X.X.X.42 } queue calcivar1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to { X.X.X.42 } queue calcivar2 pass out quick on $int_if from any to { X.X.X.42 } queue calcivardf pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to { X.X.X.80 } queue afgye1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to { X.X.X.80 } queue afgye1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to { X.X.X.80 } queue afgye2 pass out quick on $int_if from any to { X.X.X.80 } queue afgyedf pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to X.X.X.46 queue esmena1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.46 queue esmena1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.46 queue esmena1 pass out quick on $int_if from any to X.X.X.46 queue esmenadf pass out quick on $int_if from any to X.X.X.124 queue zona3df pass out quick on $int_if from any to X.X.X.125 queue zona3voip pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to X.X.X.98 queue capig1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.98 queue capig1 pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.98 queue capig1 pass out quick on $int_if from any to X.X.X.98 queue capigdf pass out on $int_if from any to 200.49.246.250 queue capig_mail pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to 
X.X.X.44 queue corpecuador1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.44 queue corpecuador1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.44 queue corpecuador1
pass out quick on $int_if from any to X.X.X.44 queue corpecuadordf
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to Z.Z.Z.33 queue montepiedra1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to Z.Z.Z.33 queue montepiedra1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to Z.Z.Z.33 queue montepiedra1
pass out quick on $int_if from any to Z.Z.Z.33 queue montepiedradf
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to X.X.X.108 queue extradio1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.108 queue extradio1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.108 queue extradio1
pass out quick on $int_if from any to X.X.X.108 queue extradiodf
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to X.X.X.71 queue ststeban1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.71 queue ststeban1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.71 queue ststeban1
pass out quick on $int_if from any to X.X.X.71 queue ststebandf
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to X.X.X.87 queue marianitas1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to X.X.X.87 queue marianitas1
pass out quick on $int_if proto { tcp } from any port { $tcp_prio2 } to X.X.X.87 queue marianitas1
pass out quick on $int_if from any to X.X.X.87 queue marianitasdf
pass out quick on $int_if from any to X.X.X.142 queue canizaresdf
pass out quick on $int_if from any to X.X.X.143 queue canizares_voip
pass out quick on $int_if proto { tcp } from any port { $p2p } to X.X.X.115 queue ditecadf
pass out quick on $int_if from any to X.X.X.115 queue diteca1
pass out quick on $int_if proto { tcp } from any port { $p2p } to X.X.X.73 queue delfosdf
pass out quick on $int_if from any to X.X.X.73 queue delfos1
pass out quick on $int_if proto { tcp } from any port { $p2p } to X.X.X.113 queue metaindf
pass out quick on $int_if from any to X.X.X.113 queue metain1
pass out quick on $int_if proto { tcp } from any port { $p2p } to queue pym128_df
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to queue pym128_a
pass out quick on $int_if proto { udp } from any port { $udp_voip } to queue pym128_a
pass out quick on $int_if from any to queue pym128_b
pass out quick on $int_if proto { tcp } from any port { $p2p } to queue pym256_n3df
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to queue pym256_n3a
pass out quick on $int_if proto { udp } from any port { $udp_voip } to queue pym256_n3a
pass out quick on $int_if from any to queue pym256_n3b
pass out quick on $int_if proto { tcp } from any port { $p2p } to queue pym256_n6df
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to queue pym256_n6a
pass out quick on $int_if proto { udp } from any port { $udp_voip } to queue pym256_n6a
pass out quick on $int_if from any to queue pym256_n6b
pass out quick on $int_if proto { tcp } from any port { $p2p } to queue pym128_n2df
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to queue pym128_n2a
pass out quick on $int_if proto { udp } from any port { $udp_voip } to queue pym128_n2a
pass out quick on $int_if from any to queue pym128_n2b
pass out quick on $int_if proto { tcp } from any port { $tcp_prio1 } to queue residencial1
pass out quick on $int_if proto { tcp } from any port { $tcp_voip } to queue residencial1
pass out quick on $int_if proto { udp } from any port { $udp_voip } to queue residencial1
pass out quick on $int_if proto { tcp,udp } from any to queue residencialdf
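A ruleset of this size runs into two limits the thread goes on to discuss: the kernel's HFSC_MAX_CLASSES of 64 (per interface), and pfctl's refusal to load a queue whose children together claim more bandwidth than the queue itself has. The following pre-flight check is an added example, not code from the thread or from the poster's configuration. It walks the altq/queue definitions of a pf.conf and reports both conditions before you touch a production box; it assumes pf's decimal bandwidth units (Kb = 1000 b), that a child queue without its own scheduler keyword uses its parent's, and that the interface's root class counts against HFSC_MAX_CLASSES. The sample configurations embedded at the bottom are constructed for the demonstration.

```python
import re

# Limit quoted in the thread ("#define HFSC_MAX_CLASSES 64"); it is per
# interface, and the root class of the interface counts towards it (assumed).
HFSC_MAX_CLASSES = 64

# pf's bandwidth units are decimal: Kb = 1000 b, Mb = 1000 Kb, Gb = 1000 Mb.
UNITS = {"b": 1, "kb": 10**3, "mb": 10**6, "gb": 10**9}

QUEUE_RE = re.compile(r"^(?:queue\s+(?P<name>\S+)|altq\s+on\s+(?P<iface>\S+))(?P<rest>.*)$")


def parse_bandwidth(spec, parent_bps):
    """Turn '10Mb' into bits/s, or 'NN%' into that share of parent_bps."""
    spec = spec.lower()
    if spec.endswith("%"):
        return parent_bps * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)(b|kb|mb|gb)", spec)
    if m is None:
        raise ValueError("unrecognised bandwidth spec: %r" % spec)
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_queues(text):
    """Collect 'altq on ...' and 'queue ...' definitions from pf.conf text.

    Returns {name: {"scheduler", "bandwidth", "children"}}; the root of each
    tree (the 'altq on <if>' line) is stored as 'altq:<if>'. Pass/block rules
    that merely assign traffic to a queue are ignored.
    """
    queues = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = QUEUE_RE.match(line)
        if m is None:
            continue
        name = m.group("name") or "altq:" + m.group("iface")
        rest = m.group("rest")
        bw = re.search(r"\bbandwidth\s+(\S+)", rest)
        sched = re.search(r"\b(cbq|hfsc|priq)\b", rest)
        kids = re.search(r"\{([^}]*)\}", rest)
        queues[name] = {
            "scheduler": sched.group(1) if sched else None,
            "bandwidth": bw.group(1) if bw else None,
            "children": kids.group(1).replace(",", " ").split() if kids else [],
        }
    return queues


def check_altq(text):
    """Return a list of problems (empty when the queue tree looks loadable)."""
    queues = parse_queues(text)
    issues = []
    hfsc_classes = 0

    def walk(name, parent_bps, sched):
        nonlocal hfsc_classes
        q = queues.get(name)
        if q is None:
            issues.append("%s: listed as a child queue but never defined" % name)
            return 0.0
        sched = q["scheduler"] or sched          # children inherit the scheduler
        if sched == "hfsc":
            hfsc_classes += 1
        if q["bandwidth"] is None:
            if parent_bps is None:
                issues.append("%s: root altq needs an explicit bandwidth" % name)
                return 0.0
            bps = parent_bps                     # no spec: may use everything
        else:
            bps = parse_bandwidth(q["bandwidth"], parent_bps)
        if parent_bps is not None and bps > parent_bps:
            issues.append("%s: bandwidth %s exceeds its parent's" % (name, q["bandwidth"]))
        # pfctl rejects a queue whose children together claim more than it has.
        child_sum = sum(walk(c, bps, sched) for c in q["children"])
        if q["children"] and child_sum > bps:
            issues.append("%s: children sum to %.0f bit/s, more than the %.0f bit/s available"
                          % (name, child_sum, bps))
        return bps

    for root in [n for n in queues if n.startswith("altq:")]:
        hfsc_classes = 0
        walk(root, None, None)
        if hfsc_classes > HFSC_MAX_CLASSES:
            issues.append("%s: %d hfsc classes, above the kernel's HFSC_MAX_CLASSES of %d"
                          % (root, hfsc_classes, HFSC_MAX_CLASSES))
    return issues


# Constructed samples (not the poster's ruleset). The cbq tree over-commits
# its 2Mb link; the hfsc tree has one class too many for the default kernel.
CBQ_SAMPLE = """\
altq on $ext_if cbq bandwidth 2Mb queue { voip, prio, bulk }
queue voip bandwidth 512Kb priority 7 cbq(borrow)
queue prio bandwidth 1Mb priority 5 cbq(borrow)
queue bulk bandwidth 1Mb cbq(default borrow)
"""


def hfsc_sample(n):
    """Build an hfsc tree with n leaf queues of 1Mb each under a 100Mb root."""
    names = ["c%d" % i for i in range(n)]
    lines = ["altq on $int_if hfsc bandwidth 100Mb queue { %s }" % ", ".join(names)]
    lines += ["queue %s bandwidth 1Mb" % name for name in names]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in check_altq(CBQ_SAMPLE) + check_altq(hfsc_sample(64)):
        print(problem)
```

Run it over the real file with check_altq(open("/etc/pf.conf").read()); it complements rather than replaces pfctl -nf /etc/pf.conf, which parses the whole ruleset without loading it but cannot tell you about the compiled-in class limit until the kernel returns "Cannot allocate memory".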
From: Marko Lerota
Date: Thu, 08 Feb 2007 15:52:17 +0100
To: Mike Tancsa
Cc: freebsd-pf@freebsd.org
Subject: Re: Borrow in CBQ doesn't work
Message-ID: <86veicpuqm.fsf@sparrow.local>
In-Reply-To: <200702081406.l18E6Ikb054671@lava.sentex.ca> (Mike Tancsa's message of "Thu, 08 Feb 2007 09:08:23 -0500")

Mike Tancsa writes:

> Really ? Which drivers ? I found bge and em to be less supported and
> slower than on FreeBSD.

There are some issues with the bge and em drivers (kernel panics and timeouts). You have the complete discussion on the freebsd-stable mailing list.

-- 
One cannot sell the earth upon which the people walk
    Tacunka Witco

From: Marcelo Celleri
To: Scott Ullrich
Date: Thu, 08 Feb 2007 10:41:06 -0500
Cc: freebsd-pf@freebsd.org
Subject: Re: Borrow in CBQ doesn't work
Message-Id: <1170949266.4734.21.camel@localhost.localdomain>
Reply-To: marceloc@espoltel.net

I think that the number of queues is bigger than 64, so I have to change this value in the kernel config and then recompile it? Is there another way to do it? I'm scared to death only with the idea of recompiling in my production server :(

On Thu, 2007-02-08 at 10:19 -0500, Scott Ullrich wrote:
> On 2/8/07, Marcelo Celleri wrote:
> >
> > Thanks for your answers, but like I said I cannot switch to hfsc where I
> > have the main configuration for my customers, because I have a lot of
> > queues and the server gives me:
> >
> > pfctl: DIOCADDALTQ: Cannot allocate memory
> >
> > I don't know if something could be wrong in my config or is just the
> > amount of processes to support, which could be the maximum number of
> > hfsc queues to support related with the amount of memory?
>
> How many queues are you adding ? HFSC is limited to 64:
>
> #define HFSC_MAX_CLASSES 64
>
> You might get away with increasing this number a bit?
>
> Scott

-- 
----------------------------------
Marcelo Célleri M.
Jefe IP
ESPOLTEL S.A.
PBX 593 04 2514477 Ext.
114
----------------------------------

From: Mike Tancsa
Date: Thu, 08 Feb 2007 10:47:10 -0500
To: Marko Lerota
Cc: freebsd-pf@freebsd.org
Subject: Re: Borrow in CBQ doesn't work
Message-Id: <200702081545.l18Fj5G1055103@lava.sentex.ca>
In-Reply-To: <86veicpuqm.fsf@sparrow.local>

At 09:52 AM 2/8/2007, Marko Lerota wrote:
>Mike Tancsa writes:
>
> > Really ? Which drivers ? I found bge and em to be less supported and
> > slower than on FreeBSD.
>
>There are some issues with bge and em drivers (kernel panics and timeouts).
>You have complete discussion on freebsd-stable mailing list.

Yes, I know those threads for the bge, but it's for pretty specific versions of the chips with specific media settings. As for the em NICs, the only timeouts I know of are on specific motherboard chipsets and might be more a general hardware issue than software. Besides, some of these NICs didn't even work in OpenBSD or had other problems.

        ---Mike

>--
>One cannot sell the earth upon which the people walk
>        Tacunka Witco
From: Tom Judge
Date: Thu, 08 Feb 2007 15:54:27 +0000
To: Tom Judge
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Policy routing failing to route ESP packets correctly
Message-ID: <45CB47B3.6060402@tomjudge.com>
In-Reply-To: <45BF6DFE.9060307@tomjudge.com>

Tom Judge wrote:
> Hi,
>
> I am having some problems getting policy routing of outbound ESP packets
> to work correctly. It seems the routing works fine for everything but
> esp packets. Is this a known bug?
>
> Tom
>
> Relevant PF rules:
>
> table { 100.198.71.78 , 100.198.71.66 }
>
> pass out quick route-to ( fxp0 100.198.71.65 ) inet from
> to ! 100.198.71.64/28 keep state label "RULE 21 -- "
>

Just a bump on this thread to see if anyone has any ideas about this problem.

Here is a slightly better description of the problem.

The network layout is available at: http://www.tomjudge.com/tmp/tunnels.png

From the diagram, Host A and Host B both have their default gateway set to ISP A's router, and have a PF rule that should route traffic from ISP B's addresses to ISP B's router.

This seems to work for all traffic except the IPsec ESP packets, which always get transmitted to the default gateway that is set on the host. It seems that they do not pass through the firewall or for some reason do not match the route-to rule.

Can anyone suggest a solution to this problem?

PF rule Host A: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 112.0.0.1 ) inet from 112.0.0.2 to ! 112.0.0.0/27 keep state

PF rule Host B: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 114.0.0.1 ) inet from 114.0.0.2 to ! 114.0.0.0/27 keep state

Thanks

Tom

From: Max Laier
Date: Thu, 8 Feb 2007 16:58:12 +0100
To: freebsd-pf@freebsd.org
In-Reply-To: <86veicpuqm.fsf@sparrow.local>
Message-Id: <200702081658.19158.max@love2party.net>
Subject: FUD [Re: Borrow in CBQ doesn't work]

On Thursday 08 February 2007 15:52, Marko Lerota wrote:
> Mike Tancsa writes:
> > Really ? Which drivers ? I found bge and em to be less supported and
> > slower than on FreeBSD.
>
> There are some issues with bge and em drivers (kernel panics and
> timeouts). You have complete discussion on freebsd-stable mailing list.

Can we stick to facts and possibly on topic, as well?

and ... on that note: Is there a PR about the CBQ borrow issues? If not, could you file one? I won't get to it shortly.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: "eculp@encontacto.net"
Date: Thu, 08 Feb 2007 11:17:55 -0600
To: freebsd-pf@freebsd.org
Message-ID: <20070208111755.81jaocgn4w880k4g@correo.encontacto.net>
In-Reply-To: <45C5D5DB.9050407@vwsoft.com>
Subject: Re: SPAMD stop passing mail from WHITE-list

Quoting Volker:

> On 12/23/-58 20:59, Vladimir Kapustin wrote:
>> 2. If i have some malware on my PC and use mail-client program. If
>> I send the same message some times I automatically get into
>> WHITE-list and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state
> (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this by a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Has anyone tried using a table and blocking smtp connections similar to the ssh brute force solution that I've often seen on the list and have been using happily for some time? Something like:

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state (max-src-conn 1, max-src-conn-rate 2/60, overload flush global)
block drop in quick on $ext_if from

Could it work and be controllable or would it make a bad situation worse?

Thanks,

ed

>
> And for the malware issues, I would like to recommend not to install
> and use malware!
> ;)
>
> Greetings,
>
> Volker

From: Marcelo Celleri
Date: Thu, 08 Feb 2007 12:30:15 -0500
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Borrow in CBQ doesn't work
Message-Id: <1170955815.4734.27.camel@localhost.localdomain>
Reply-To: marceloc@espoltel.net

Thanks a lot for all your answers, I will try changing to 512 hfsc classes and we'll see what happens...

On Thu, 2007-02-08 at 10:48 -0500, Scott Ullrich wrote:
> I believe that is the only way. HFSC queues do not scale linearly due
> to the algorithm in use or something or another.. :)
>
> go out to /usr/src/sys and do a grep -R "HFSC_MAX_CLASSES" and change
> it. I doubt you'll have much problems if you're not going over 256
> classes or so. Give it a try.
>
> Scott
>
>
> On 2/8/07, Marcelo Celleri wrote:
> >
> > I think that the number of queues is bigger than 64, so I have to change
> > this value in the kernel config and then recompile it? Is there another
> > way to do it? I'm scared to death only with the idea of recompiling in
> > my production server :(
> >
> >
> > On Thu, 2007-02-08 at 10:19 -0500, Scott Ullrich wrote:
> > > On 2/8/07, Marcelo Celleri wrote:
> > > >
> > > > Thanks for your answers, but like I said I cannot switch to hfsc where I
> > > > have the main configuration for my customers, because I have a lot of
> > > > queues and the server gives me:
> > > >
> > > > pfctl: DIOCADDALTQ: Cannot allocate memory
> > > >
> > > > I don't know if something could be wrong in my config or is just the
> > > > amount of processes to support, which could be the maximum number of
> > > > hfsc queues to support related with the amount of memory?
> > >
> > > How many queues are you adding ? HFSC is limited to 64:
> > >
> > > #define HFSC_MAX_CLASSES 64
> > >
> > > You might get away with increasing this number a bit?
> > >
> > > Scott
> > --
> > ----------------------------------
> > Marcelo Célleri M.
> > Jefe IP
> > ESPOLTEL S.A.
> > PBX 593 04 2514477 Ext. 114
> > ----------------------------------
> >
> >

-- 
----------------------------------
Marcelo Célleri M.
Jefe IP
ESPOLTEL S.A.
PBX 593 04 2514477 Ext. 114
----------------------------------

From: Vladimir Kapustin
Date: Fri, 9 Feb 2007 00:10:46 +0300
To: freebsd-pf@freebsd.org
Subject: SPAMD stop passing mail from WHITE-list
Message-ID: <48171004.20070209001046@mail.ru>
Reply-To: Vladimir Kapustin

>> Nothing unusual, but that the mail stops forwarding from the
>> whitelist. i.e. the sender resends the mail, gets in WHITE-list in
>> spamd, but the mail does not actually pass the router.
>
>That and the sheer size of your spamdb is weird.
>

I have about 1000 users behind each router, and many of them have malware on their PCs.

>> pfctl -sn
>> rdr pass inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
>> rdr pass inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025
>
>try making your rdr interface specific, ie rdr pass on $ext_if and see
>if it makes a difference
>

Now all is OK. Should I change the rdr rules only if the situation repeats, to see if it really helps?

Is there any way to combine the spamd functionality with max-src-conn-rate limitation? I am worried only about spam FROM my LOCAL NET. And spamd itself doesn't save me from getting into different spam lists. If only I could limit the spam rate on $int_if by PF rules and then use spamd on $ext_if, I think it would be a good help.

>> No...not malware...suppose that a user doesn't know about malware
>> and uses Outlook to send his mail. He'll get into THE WHITE-list
>> and spamd can't stop HIS malware?
>
>Mail from a whitelisted IP address will pass.
>
>Please contact me off-list (the address works, with greylisting ;))
>if you want me to see if I can reproduce the problem here, I'll
>probably need larger chunks of your config than you would sensibly
>put on a public list.

I would gladly send you any pieces of my configs. Can you specify what I should send?
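Both questions in this thread, eculp's overload table for SMTP and Vladimir's wish to rate-limit the LAN on $int_if while leaving greylisting to spamd on $ext_if, fit in one ruleset. The fragment below is an added example and not any poster's configuration; the interface names, the LAN prefix, the table names <mailabusers> and <spamd-white>, and spamd's listening port 8025 are assumptions to adapt. It keeps Volker's per-client limits from the quoted message and adds the table so that an offender is blocked outright rather than merely slowed down.

```pf
# Added example, not any poster's configuration. Interface, network and
# table names are assumed; adjust them to your setup.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Internal hosts that trip the SMTP rate limit land here; the block rule
# below then drops everything they send until the entry is removed.
table <mailabusers> persist
# External senders that spamd has seen retry and whitelisted
# (spamd-setup/spamlogd maintain this table, not pf itself).
table <spamd-white> persist

# --- Inbound mail from the Internet ($ext_if) ---
# Unknown senders are redirected to spamd; whitelisted senders reach the MTA.
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port 8025
pass in on $ext_if inet proto tcp from <spamd-white> to ($ext_if) port smtp \
    flags S/SA keep state

# --- Outbound mail from the LAN ($int_if) ---
# Offenders first: both rules are 'quick', so the block has to come before
# the pass rule that would otherwise match them.
block drop in quick on $int_if from <mailabusers> to any

# One concurrent SMTP session and at most 2 new sessions per minute per
# client. A client that exceeds this is added to <mailabusers> and all of
# its existing states are killed ('flush global').
pass in quick on $int_if inet proto tcp from $lan to ($int_if) port smtp \
    flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 2/60, overload <mailabusers> flush global)

# Nothing on the LAN may talk SMTP to anything but our own gateway, so a
# bot cannot bypass the limit by delivering directly.
block in quick on $int_if inet proto tcp from $lan to !($int_if) port smtp
```

Check the syntax with pfctl -nf /etc/pf.conf before loading. Watch the table with pfctl -t mailabusers -T show and release a cleaned machine with pfctl -t mailabusers -T delete <addr>. The two halves do not interact: spamd's whitelist only concerns external sender addresses arriving on $ext_if, so an internal client that gets its own outbound mail delivered is never whitelisted out of the $int_if limit. The rate limit only sees SMTP that actually traverses the gateway; the last rule exists precisely so that no other SMTP path is available to the LAN.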
From: Sergey Klusov
Date: Fri, 9 Feb 2007 13:14:52 +0500
To: freebsd-pf@freebsd.org
Subject: netgraph
Message-ID: <603063073.20070209131452@gmail.com>

Hi

Is there some way to tag packets via netgraph and then filter them with pf rules based on these tags?
What I want to do exactly is to mark IM logon packets with ng_bpf and then allow only some users to proceed.

From: Daniel Dias Gonçalves
Date: Fri, 09 Feb 2007 09:15:57 -0200
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: PF NAT LOG
Message-ID: <45CC57ED.6090409@dgnetwork.com.br>
Reply-To: daniel@dgnetwork.com.br

I need to record logs of all connections NATed by PF; is there some way?

Thanks.
-- 
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
http://www.dgnetwork.com.br/
+55 37-99824809
+55 37-32421109

From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Fri, 09 Feb 2007 13:53:57 +0100
To: freebsd-pf@freebsd.org
Subject: Re: PF NAT LOG
Message-ID: <87k5yrze3e.fsf@thingy.datadok.no>
In-Reply-To: <45CC57ED.6090409@dgnetwork.com.br> (Daniel Dias Gonçalves's message of "Fri, 09 Feb 2007 09:15:57 -0200")

Daniel Dias Gonçalves writes:

> I need to record logs of all connections nated from PF, has some way?

add 'log' to all pass rules which will involve NATed traffic.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From: Volker
Date: Fri, 09 Feb 2007 14:00:44 +0100
To: "eculp@encontacto.net"
Cc: freebsd-pf@freebsd.org
Message-ID: <45CC707C.5030608@vwsoft.com>
In-Reply-To: <20070208111755.81jaocgn4w880k4g@correo.encontacto.net>
Subject:
Re: Re: SPAMD stop passing mail from WHITE-list X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Feb 2007 13:01:05 -0000 Ed, On 12/23/-58 20:59, eculp@encontacto.net wrote: > Quoting Volker : > >> On 12/23/-58 20:59, ;048<8@ 0?CAB8=rote: >>> 2. If i have some malware on my PC and use mail-client program. If I >>> send the same message some times I automatically get into WHITE-list >>> and my malware can spam as much as it must? >> >> Not really related to your spamd problem, but probably useful... >> >> If you need to limit an internal client system for sending out mail >> through your system, IMO you may also use pf's limit functions. >> >> Imagine something like: >> >> pass in quick on $int_if from any to $int_if port smtp keep state >> (max-src-conn 1, max-src-conn-rate 2/60) >> >> This should limit an internal client to one concurrent connection >> and a maximum of 2 connections per 60 seconds and so mass mailing by >> abusing your mail gateway should be impossible. >> >> Combining this by a rule like 'block in quick on $int_if from any to >> ! $int_if port smtp' should efficiently block spam originating from >> your internal net. > > Has anyone tried using a table and blocking smtp connections similar to > the ssh brute force solution that I've often seen on the list and have > been using happily for some time? Yes, I'm doing this on some mail hubs. You should make sure not to block legitimate smtp clients by these rules, so take values high enough to let backup MXes etc. deliver their mail. For me, values of conn-src-rate 80/90 (maximum 80 connections in 90 seconds) work well. Using max-src-conn-rate of 30/90 caused problems when the machine has been offline for some reason and the backup MX wanted to send all buffered mail messages. 
Your mileage will vary! ;) > Something like: > > pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep > state > (max-src-conn 1, max-src-conn-rate 2/60, overload > flush global) > block drop in quick on $ext_if from Nope, that's the wrong way. You let pass smtp (by a quick rule) but the block rule is after that. That is rendering your blocklist useless as all traffic is passing by the first rule. AFAIK the first connection causing an overload is being dropped but subsequent connections are still passing (as long as they don't overload). It should look like: block drop in quick on $ext_if from to any pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state ( max-src-conn [ANYVAL], max-src-conn-rate [ANYVAL]/[ANYTIME], overload flush global ) Whenever any host is overloading ssh or smtp access, I'm loading their IP address into the blockhosts table and so the machine will never again talk to that IP address (forever!). You may want to do it different (for example flushing the table once a week or at midnight). One machine running this for months has already blocked 1400 IP addresses and as far as I've checked, all have been dynamic zombies (no regular mail clients have been blocked by that). I haven't found a way to use that mechanism to block such hosts for, say 120 minutes (which would be a great feature). > Could it work and be controlable or would it make a bad situation worse? You may use a blocking mechanism like that for any other host service, too. If you're going to use that for UDP "connections" you should be aware that they're connectionless and so options like " max-src-connXXX" don't match here. 
HTH, Volker From owner-freebsd-pf@FreeBSD.ORG Fri Feb 9 14:53:16 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 44FAD16A400; Fri, 9 Feb 2007 14:53:16 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74]) by mx1.freebsd.org (Postfix) with ESMTP id 1156713C47E; Fri, 9 Feb 2007 14:53:15 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from d620 (84-12-184-253.dyn.gotadsl.co.uk [84.12.184.253]) by smtp.nildram.co.uk (Postfix) with ESMTP id 933E44F3AD; Fri, 9 Feb 2007 14:53:12 +0000 (GMT) From: "Greg Hennessy" To: , , Date: Fri, 9 Feb 2007 14:53:21 -0000 Message-ID: <000601c74c5a$0ed77f80$0201a8c0@d620> MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <45CC57ED.6090409@dgnetwork.com.br> Thread-Index: AcdMPdAEZYzNis8GSk2OMnMXajQh/gAG9Vwg X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028 Cc: Subject: RE: PF NAT LOG X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Feb 2007 14:53:16 -0000 > > I need to record logs of all connections nated from PF, has some way? > Tag the nat rule and then apply that tag to an egress rule of the form pass out log quick on blah.... tagged natted Greg -- No virus found in this outgoing message. Checked by AVG Free Edition. 
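Both answers to the NAT logging question (Peter's "add 'log' to the pass rules", Greg's tagged egress rule) end up with records in pflog that are read back with tcpdump. As an added example, not part of this thread, here is a small sh/awk summariser over such tcpdump output that counts new TCP connections per source host, rule and direction. The sample lines written by sample_pflog are constructed: interface names, rule numbers and the RFC 5737 addresses are made up, and the field positions follow the tcpdump output of that era ("rule N/M(match): action dir on if: src > dst: flags ..."); a newer tcpdump prints "Flags [S]" instead, so the flag test would need adjusting there.

```shell
#!/bin/sh
# Summarise pflog records: count new TCP connections (a bare SYN) per
# source host, pf rule and direction.  Input is tcpdump output, e.g.
#   tcpdump -n -e -ttt -r /var/log/pflog | summarize_pflog
# sample_pflog below writes constructed lines for the stand-alone demo.

summarize_pflog() {
    awk '
    # Fields (old tcpdump style):
    #  1 time  2 "rule"  3 "12/0(match):"  4 action  5 direction  6 "on"
    #  7 "xl0:"  8 src.port  9 ">"  10 dst.port:  11 TCP flags
    $2 == "rule" && $11 == "S" {
        rule = $3; sub(/\(match\):$/, "", rule)   # "12/0(match):" -> "12/0"
        ifc  = $7; sub(/:$/, "", ifc)             # "xl0:" -> "xl0"
        src  = $8; sub(/\.[0-9]+$/, "", src)      # drop the source port
        key  = $4 " " $5 " on " ifc " rule " rule " " src
        n[key]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Constructed sample: rl0 is the inside interface (pre-NAT addresses),
# xl0 the outside one (translated source 192.0.2.10).
sample_pflog() {
    cat <<'EOF'
000000 rule 7/0(match): pass in on rl0: 10.0.0.5.2049 > 192.0.2.25.25: S 10:10(0) win 65535
000001 rule 12/0(match): pass out on xl0: 192.0.2.10.50001 > 192.0.2.25.25: S 10:10(0) win 65535
000210 rule 7/0(match): pass in on rl0: 10.0.0.5.2050 > 192.0.2.25.25: S 11:11(0) win 65535
000001 rule 12/0(match): pass out on xl0: 192.0.2.10.50002 > 192.0.2.25.25: S 11:11(0) win 65535
000015 rule 7/0(match): pass in on rl0: 10.0.0.5.2051 > 203.0.113.9.25: S 12:12(0) win 65535
000001 rule 12/0(match): pass out on xl0: 192.0.2.10.50003 > 203.0.113.9.25: S 12:12(0) win 65535
000340 rule 7/0(match): pass in on rl0: 10.0.0.7.3001 > 203.0.113.80.80: S 13:13(0) win 65535
000001 rule 12/0(match): pass out on xl0: 192.0.2.10.50004 > 203.0.113.80.80: S 13:13(0) win 65535
000002 rule 7/0(match): pass in on rl0: 10.0.0.7.3001 > 203.0.113.80.80: . ack 1 win 65535
000098 rule 9/0(match): block in on xl0: 198.51.100.23.4431 > 192.0.2.10.25: S 14:14(0) win 16384
EOF
}

# busy_sources LIMIT: source hosts that opened more than LIMIT new
# connections, i.e. the candidates for the max-src-conn-rate limits
# discussed earlier in the thread.
busy_sources() {
    limit=$1
    summarize_pflog | awk -v lim="$limit" '$1 > lim { print $NF }'
}

# Stand-alone demo over the constructed sample.
sample_pflog | summarize_pflog
```

Note that pf translates before it filters, so a "pass out log" rule on the external interface records the translated source (192.0.2.10 in the sample); to keep the internal client address in the log as well, put 'log' on the matching "pass in" rule of the internal interface too, which is what the summary's rl0 lines show.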
From owner-freebsd-pf@FreeBSD.ORG Fri Feb 9 18:13:52 2007
From: Daniel Hartmeier
To: "Kevin K."
Cc: freebsd-pf@freebsd.org
Date: Fri, 9 Feb 2007 19:13:51 +0100
Message-ID: <20070209181351.GC30276@insomnia.benzedrine.cx>
In-Reply-To: <00cc01c74acc$20d9d8c0$628d8a40$@ca>
References: <859855731.20070206155625@mail.ru> <002501c749f3$bb1a1dc0$314e5940$@ca> <45C9C94E.8080806@vwsoft.com> <00cc01c74acc$20d9d8c0$628d8a40$@ca>
Subject: Re: PF & Windows Vista

On Wed, Feb 07, 2007 at 10:24:57AM -0500, Kevin K. wrote:

> I was hoping that the issue was simple and common, due to Vista's emphasis
> on ipv6 among other networking issues. Either way, below is my entire pf
> configuration. I hope it helps.

I'm afraid you'll have to do the usual debug routine:

1) enable debug logging (pfctl -xm, output in /var/log/messages)
2) run pfctl -si and store the output
3) pick one external host that reliably reproduces the problem
4) on the external interface, run
   tcpdump -s 1600 -nvvvSpi $ext_if host $ip and tcp
5) reproduce the problem once, from initial SYN to the point where the
   connection fails
6) run pfctl -vvss, and note any state entries related to the failed
   connection
7) re-run pfctl -si and store the output (of interest are any counters
   increasing besides the obvious ones)
8) check /var/log/messages for any output from pf (related to the failed
   connection, or at least the host $ip)

If you provide the output of those steps, that could narrow it down. In
case the results are too large, put them on a web page somewhere and post
the URL instead.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 10 14:18:45 2007
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Sat, 10 Feb 2007 15:18:41 +0100
Message-ID: <87ireaqeny.fsf@thingy.datadok.no>
In-Reply-To: <45CC707C.5030608@vwsoft.com>
Subject: Re: SPAMD stop passing mail from WHITE-list

Volker writes:

> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).

pfctl is in the process of growing an expire feature (in OpenBSD-current
now, in all likelihood part of the OpenBSD 4.1 release), but timed table
expiry is already available with Henrik Gustafsson's expiretable (in ports
as /usr/ports/security/expiretable).

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
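Step 7 of Daniel Hartmeier's debug routine (two messages up) compares two "pfctl -si" snapshots and looks for counters that went up. As an added example, not from the thread, here is a sh/awk helper that does that comparison, plus a wrapper that runs the eight steps and collects the output in one directory. The two snapshots written by sample_before/sample_after are constructed; they follow the "pfctl -si" layout visible later in this digest (counter lines indented by two spaces, a total, an optional rate column). The wrapper needs root and a live pf, so only the diff runs stand-alone.

```shell
#!/bin/sh
# Helpers for the pf debug routine: take "pfctl -si" snapshots before and
# after reproducing a failure and list every counter that went up (step 7).
# sample_before/sample_after write constructed snapshots for the demo.
# (The two-column "Interface Stats" block shown when loginterface is set
# is not handled.)

# parse_counters: stdin is "pfctl -si" output, stdout is "name<TAB>total".
parse_counters() {
    awk '
    /^  / {                          # counter lines are indented two spaces
        n = NF
        if ($n ~ /\/s$/) n--         # drop the "76.6/s" rate column
        if ($n !~ /^[0-9]+$/) next   # not a counter line after all
        name = $1
        for (i = 2; i < n; i++) name = name " " $i
        printf "%s\t%s\n", name, $n
    }'
}

# pf_counter_diff BEFORE_FILE AFTER_FILE: "name before after +delta" for
# every counter that increased.  The obvious ones (searches, match,
# inserts, removals) are listed too; judge them against the traffic you
# generated while reproducing the problem.
pf_counter_diff() {
    tmp=$(mktemp -d) || return 1
    parse_counters < "$1" > "$tmp/before"
    parse_counters < "$2" > "$tmp/after"
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) && ($2 + 0) > (before[$1] + 0) {
            printf "%s %d %d +%d\n", $1, before[$1], $2, $2 - before[$1]
        }' "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

# pf_debug_session EXT_IF REMOTE_IP: steps 1-8 (needs root and a live pf).
pf_debug_session() {
    ext_if=$1; ip=$2
    out=$(mktemp -d) || return 1
    pfctl -xm                                            # 1) debug logging
    pfctl -si > "$out/si.before"                         # 2) first snapshot
    tcpdump -s 1600 -nvvvSpi "$ext_if" host "$ip" and tcp \
        > "$out/tcpdump.txt" 2>&1 &                      # 4) capture
    td=$!
    printf 'Reproduce the failure from %s now (3, 5), then press Enter: ' "$ip"
    read dummy
    kill "$td"
    pfctl -vvss > "$out/states.txt"                      # 6) state entries
    pfctl -si > "$out/si.after"                          # 7) second snapshot
    pf_counter_diff "$out/si.before" "$out/si.after" > "$out/counters.txt"
    grep "$ip" /var/log/messages > "$out/messages.txt"   # 8) pf log lines
    echo "results in $out"
}

sample_before() {
    cat <<'EOF'
Status: Enabled for 0 days 19:59:39             Debug: Misc

Hostid: 0x36eae8cf

State Table                          Total             Rate
  current entries                        4
  searches                         5515422           76.6/s
  inserts                            12000            0.2/s
  removals                           11996            0.2/s
Counters
  match                              13000            0.2/s
  bad-offset                             0            0.0/s
  state-mismatch                         2            0.0/s
  state-insert                           0            0.0/s
EOF
}

sample_after() {
    cat <<'EOF'
Status: Enabled for 0 days 20:04:12             Debug: Misc

Hostid: 0x36eae8cf

State Table                          Total             Rate
  current entries                        5
  searches                         5515999           76.6/s
  inserts                            12003            0.2/s
  removals                           11998            0.2/s
Counters
  match                              13004            0.2/s
  bad-offset                             0            0.0/s
  state-mismatch                         5            0.0/s
  state-insert                           1            0.0/s
EOF
}

# Stand-alone demo over the constructed snapshots.
demo=$(mktemp -d) && sample_before > "$demo/before" && sample_after > "$demo/after"
pf_counter_diff "$demo/before" "$demo/after"
rm -rf "$demo"
```

In the constructed pair the interesting lines are state-mismatch (+3) and state-insert (+1), which is exactly the kind of movement the routine is meant to surface next to the expected growth of searches and match.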
From owner-freebsd-pf@FreeBSD.ORG Sat Feb 10 15:21:24 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Tai-hwa Liang
Date: Sat, 10 Feb 2007 16:20:54 +0100
Message-Id: <200702101621.00430.max@love2party.net>
In-Reply-To: <200612291518.39222.max@love2party.net>
References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <061229091759A.42827@www.mmlab.cse.yzu.edu.tw> <200612291518.39222.max@love2party.net>
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]

Hello,

after 6 weeks in HEAD I have received ZERO additional feedback! Does
anyone (other than avatar) care?

On Friday 29 December 2006 15:18, Max Laier wrote:
> I just put this in HEAD, a diff to RELENG_6 is attached. Please follow
> avatar's example and test and report back!
>
> Just apply and put "options PF_MPSAFE_UGID" in your kernconf or
> append "-DPF_MPSAFE_UGID" to your CFLAGS in make.conf. The latter
> works for the module build as well. Don't forget to turn
> debug.mpsafenet back on.
>
> I'd also be interested in the output of "pfctl -si", in particular the
> match counter and the State searches in order to get a picture of your
> traffic pattern and how the patch might impact on it.
>
> On Friday 29 December 2006 02:21, Tai-hwa Liang wrote:
> > On Sat, 16 Dec 2006, Max Laier wrote:
> > [...]
> >
> > > The attached diff circumvents the problem by **always** doing the
> > > credential lookup *before* walking the pf rules. This has the
> > > benefit, that it works (at least I think it should), but there is a
> > > price to pay. Now we have to pay for the socket lookup for *every*
> > > tcp and udp packet instead of just for those that really hit
> > > uid/gid rules. That's why I decided to make it a config option
> > > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > > that will benefit. The patch turns it on for the module-built by
> > > default.
> > >
> > > A possible scenario that should benefit is a big iron SMP box
> > > running lots of services that you want to filter using *stateful*
> > > uid/gid rules. For this setup where a huge percentage of the
> > > packets that are not captured by states eventually match a uid/gid
> > > rule, you will even get added parallelism with this patch.
> > >
> > > On every other typical setup, it should be better to avoid
> > > user/group rules or to disable mpsafenet.
> > >
> > > In order for this to hit the tree, I need tests confirming that it
> > > really helps and possibly benchmarks that qualify the impact of it.
> > > Thanks.
> >
> > Your patch works great here. The box in question never ran into a
> > single lockup in the last 7 days.
>
> Great - Thanks for the report!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 10 21:36:19 2007
From: "Dan Langille"
To: freebsd-pf@freebsd.org
Date: Sat, 10 Feb 2007 16:05:44 -0500
Message-ID: <45CDED58.2056.1A642A00@dan.langille.org>
Subject: pf starts, but no rules

Hi folks,

Yesterday I rebooted a server to load a new kernel. After the
reboot, the firewall rules were not loaded.

$ grep pf /etc/rc.conf
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.rules"

I never checked for the rules until today and found this:

[dan@nyi:~] $ sudo pfctl -sa | less
Password:
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:

INFO:
Status: Enabled for 0 days 19:59:39           Debug: None

Hostid:   0x36eae8cf

State Table                          Total             Rate
  current entries                        0
  searches                         5515422           76.6/s

etc...

Loading the rules manually works:

[dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
No ALTQ support in kernel
ALTQ related functions disabled
[dan@nyi:~] $

After loading, pfctl -sa shows the output I would expect.

Ideas? Suggestions?

Is anyone else using PF with a pf_rules specified?

FWIW, I notice I have one host identified by FQDN in my rules.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 10 21:53:30 2007
From: "Kian Mohageri"
To: "Dan Langille"
Cc: freebsd-pf@freebsd.org
Date: Sat, 10 Feb 2007 13:53:28 -0800
In-Reply-To: <45CDED58.2056.1A642A00@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>
Subject: Re: pf starts, but no rules

On 2/10/07, Dan Langille wrote:
>
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel. After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39 Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table Total Rate
> current entries 0
> searches 5515422 76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas? Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

I had this problem as well, and it is because at the time the pf rules
are loaded, the FQDN cannot be resolved. I believe that is because of
the "BEFORE: routing" dependency in /etc/rc.d/pf.

-- 
Kian Mohageri
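Two of the failures in this digest are invisible to "pfctl -nf" because the ruleset is syntactically fine: Volker's point that a "pass ... quick" rule with "overload <table>" placed before the "block ... from <table>" rule makes the table useless, and Kian's point that a host name in the rules needs DNS at a moment when /etc/rc.d/pf runs before routing is up. As an added example that is not from the thread, here is a small sh/awk preflight check for both, run over two constructed rulesets: the "wrong" one has Ed's ordering plus a backup MX named by FQDN, the "fixed" one has Volker's ordering with a literal address instead. The table name <blockhosts> is the one Volker mentions; the limit values, addresses and interface names are made up. The host-name check is a heuristic over dotted tokens that are not IPv4 literals, macros, tables, interfaces or paths, so an undotted name slips through.

```shell
#!/bin/sh
# Preflight checks for a pf.conf before the boot-time load:
#  1. "pass ... quick ... overload <T>" must come AFTER "block ... from <T>";
#     otherwise the quick pass rule matches first and <T> is never consulted
#  2. no host names in the rules: /etc/rc.d/pf loads them before DNS works
# Both rulesets written below are constructed for the demo.

# check_table_order FILE: report pass-quick/overload rules that have no
# earlier block rule for the same table.  Returns 1 if any were found.
check_table_order() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "block" {
        for (i = 2; i <= NF; i++)
            if ($i == "from" && $(i+1) ~ /^<.*>$/) seen[$(i+1)] = NR
    }
    $1 == "pass" && /quick/ && /overload[ \t]*</ {
        t = $0; sub(/.*overload[ \t]*/, "", t); sub(/>.*/, ">", t)
        if (!(t in seen)) {
            printf "line %d: pass quick overloads %s before any \"block ... from %s\"\n", NR, t, t
            bad = 1
        }
    }
    END { if (bad) exit 1 }' "$1"
}

# check_hostnames FILE: flag dotted tokens that are neither IPv4 literals,
# macros, tables, interfaces nor paths, i.e. names resolved at load time.
# Heuristic: an undotted host name is not caught.
check_hostnames() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        prev = ""
        for (i = 1; i <= NF; i++) {
            tok = $i; sub(/,$/, "", tok)
            if (prev == "=") gsub(/"/, "", tok)       # macro value: look inside the quotes
            if (prev ~ /^(on|os|file|label|tag|tagged|queue)$/ ||
                tok ~ /^[$<("{}!]/ || tok ~ /^\// || tok ~ /:/ ||
                tok ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ ||
                tok !~ /\./) {
                prev = tok; continue
            }
            printf "line %d: \"%s\" is a host name resolved when the rules load\n", NR, tok
            bad = 1
            prev = tok
        }
    }
    END { if (bad) exit 1 }' "$1"
}

# pf_preflight FILE: both checks, then pfctl's own syntax check when available.
pf_preflight() {
    rc=0
    check_table_order "$1" || rc=1
    check_hostnames "$1" || rc=1
    if command -v pfctl > /dev/null 2>&1; then pfctl -nf "$1" || rc=1; fi
    return $rc
}

write_wrong_ruleset() {
    cat <<'EOF'
# constructed: Ed's ordering, plus a backup MX named by FQDN
ext_if = "xl0"
table <blockhosts> persist
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state (max-src-conn 1, max-src-conn-rate 2/60, overload <blockhosts> flush global)
block drop in quick on $ext_if from <blockhosts> to any
pass in quick on $ext_if proto tcp from backup-mx.example.org to ($ext_if) port smtp keep state
EOF
}

write_fixed_ruleset() {
    cat <<'EOF'
# constructed: Volker's ordering, backup MX as a literal address
ext_if = "xl0"
backup_mx = "198.51.100.23"
table <blockhosts> persist
block drop in quick on $ext_if from <blockhosts> to any
pass in quick on $ext_if proto tcp from $backup_mx to ($ext_if) port smtp keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state (max-src-conn 10, max-src-conn-rate 80/90, overload <blockhosts> flush global)
EOF
}

# Stand-alone demo: the wrong ruleset fails both checks, the fixed one passes.
tmp=$(mktemp -d) && write_wrong_ruleset > "$tmp/wrong.conf" && write_fixed_ruleset > "$tmp/fixed.conf"
pf_preflight "$tmp/wrong.conf" || echo "wrong.conf: FAILED preflight"
pf_preflight "$tmp/fixed.conf" && echo "fixed.conf: passed preflight"
rm -rf "$tmp"
```

The fixed ruleset also shows the usual way around the boot-time DNS problem: give the backup MX a literal address in a macro, or keep such hosts in a table that a later rc script or cron job fills once resolution works, so /etc/rc.d/pf never has to resolve anything.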