From owner-freebsd-pf@FreeBSD.ORG Mon May 21 11:08:37 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 21 May 2007 11:08:36 GMT
Message-Id: <200705211108.l4LB8aTX028842@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

7 problems total.

From: "Dominique SA"
To: freebsd-pf@freebsd.org
Date: Mon, 21 May 2007 12:14:17 -0400
Message-ID: <31071b200705210914g1d54d6dfr131597f0f8391ae6@mail.gmail.com>
Subject: Support for ALTQ and TXP* interfaces

I was wondering when is altq going to be supported for TXP* interfaces?

Thanks

Dominique

From: Dominik Zalewski
Organization: OpenCraft
To: freebsd-pf@freebsd.org
Date: Tue, 22 May 2007 12:44:55 +0300
Reply-To: dzalewski@open-craft.com
Message-Id: <200705221244.55997.dzalewski@open-craft.com>
Subject: empty ACKs and hfsc

Dear All,

I was wondering what will be the best setting for the empty ACKs queue in my
example. Will 50Kb be enough for ?
ADSL 2mbit/512kbit

### External interface ###
altq on $ext_if hfsc bandwidth 500Kb queue { std_out, tcp_ack_out, voip_out, \
    ssh_out, www_out, smtp_out }

queue std_out bandwidth 50Kb hfsc(default)
queue tcp_ack_out bandwidth 50Kb priority 7 hfsc(ecn)
queue voip_out bandwidth 100Kb priority 5 hfsc(realtime 100Kb upperlimit \
    100Kb)
queue ssh_out bandwidth 50Kb priority 3 hfsc(realtime 50Kb)
queue www_out bandwidth 150Kb priority 2 hfsc(realtime 150Kb upperlimit \
    200Kb)
queue smtp_out bandwidth 100Kb priority 1 hfsc(realtime 100Kb upperlimit \
    100Kb)

Thanks in advance,
Dominik
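To put numbers on the 50Kb question for this 2 Mbit/512 Kbit line, here is an added worked example (not from the post): it models the upstream bandwidth the ACK stream needs while the downlink is saturated. Assumptions: 1460-byte segments, one ACK per two segments (delayed ACKs), 40-byte ACKs, and, for the ATM cases, an assumed 22-byte PPPoE/Ethernet encapsulation; `Kb` in the altq lines is kilobits per second.

```python
import math

ATM_CELL = 53        # bytes per ATM cell on the wire
ATM_PAYLOAD = 48     # payload bytes per cell
AAL5_TRAILER = 8     # trailer appended to every AAL5 frame before cell padding


def acks_per_second(down_kbit, mss=1460, segments_per_ack=2):
    """ACKs the receiver emits per second with the downlink saturated by TCP."""
    payload_bytes_per_s = down_kbit * 1000 / 8
    return payload_bytes_per_s / mss / segments_per_ack


def wire_bytes_per_ack(ack_bytes=40, encap_bytes=0, atm=False):
    """Bytes one ACK occupies on the link; with atm=True the frame plus the
    AAL5 trailer is padded up to whole 53-byte cells, which is why a 40-byte
    ACK costs 106 bytes once encapsulation pushes it past 48 payload bytes."""
    frame = ack_bytes + encap_bytes
    if not atm:
        return frame
    cells = math.ceil((frame + AAL5_TRAILER) / ATM_PAYLOAD)
    return cells * ATM_CELL


def ack_bandwidth_kbit(down_kbit, mss=1460, segments_per_ack=2,
                       ack_bytes=40, encap_bytes=0, atm=False):
    """Upstream kbit/s the ACK stream needs so the downlink stays full."""
    rate = acks_per_second(down_kbit, mss, segments_per_ack)
    return rate * wire_bytes_per_ack(ack_bytes, encap_bytes, atm) * 8 / 1000


def queue_is_enough(queue_kbit, **link):
    """True if an ALTQ queue of queue_kbit (pf's 'Kb' = kbit/s) covers the load."""
    return ack_bandwidth_kbit(**link) <= queue_kbit


if __name__ == "__main__":
    # The 2 Mbit/512 kbit ADSL line from the post and its 50Kb tcp_ack_out queue.
    # The 22-byte PPPoE/Ethernet figure is an assumption; use your link's real overhead.
    cases = [
        ("plain IP framing, delayed ACKs", dict(down_kbit=2000)),
        ("ATM cells, no extra encapsulation", dict(down_kbit=2000, atm=True)),
        ("ATM cells + 22-byte PPPoE/Ethernet (assumed)",
         dict(down_kbit=2000, atm=True, encap_bytes=22)),
        ("same, but an ACK for every segment",
         dict(down_kbit=2000, atm=True, encap_bytes=22, segments_per_ack=1)),
    ]
    for label, link in cases:
        print(f"{label:46s} {ack_bandwidth_kbit(**link):6.1f} kbit/s"
              f"  50Kb enough: {queue_is_enough(50, **link)}")
```

With plain IP framing the ACK stream fits comfortably in 50Kb; with ATM cell padding and PPPoE overhead it does not, which is the case to check on a real ADSL line.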

From: Christian Brueffer
To: Dominique SA
Cc: freebsd-pf@freebsd.org
Date: Tue, 22 May 2007 23:45:12 +0200
Message-id: <20070522214512.GA1877@haakonia.hitnet.RWTH-Aachen.DE>
In-reply-to: <31071b200705210914g1d54d6dfr131597f0f8391ae6@mail.gmail.com>
X-Operating-System: FreeBSD 6.2-STABLE
Subject: Re: Support for ALTQ and TXP* interfaces

On Mon, May 21, 2007 at 12:14:17PM -0400, Dominique SA wrote:
> I was wondering when is altq going to be supported for TXP* interfaces?
>

As soon as we find someone to test patches. Are you interested? The
procedure is outlined at http://people.freebsd.org/~mlaier/ALTQ_driver/

The patch is attached.
- Christian

-- 
Christian Brueffer      chris@unixpages.org  brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D

Content-Disposition: attachment; filename="if_txp.c.diff"

Index: if_txp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /data/ncvs/freebsd/src/sys/dev/txp/if_txp.c,v retrieving revision 1.44 diff -u -r1.44 if_txp.c --- if_txp.c 4 Mar 2007 03:38:08 -0000 1.44 +++ if_txp.c 22 May 2007 21:41:03 -0000 @@ -330,7 +330,9 @@ ifp->if_watchdog =3D txp_watchdog; ifp->if_init =3D txp_init; ifp->if_baudrate =3D 100000000; - ifp->if_snd.ifq_maxlen =3D TX_ENTRIES; + IFQ_SET_MAXLEN(&ifp->if_snd, TX_ENTRIES); + ifp->if_snd.ifq_drv_maxlen =3D TX_ENTRIES; + IFQ_SET_READY(&ifp->if_snd); ifp->if_hwassist =3D 0; txp_capabilities(sc); =20 @@ -1281,7 +1283,7 @@ cnt =3D r->r_cnt; =20 while (1) { - IF_DEQUEUE(&ifp->if_snd, m); + IFQ_DEQUEUE(&ifp->if_snd, m); if (m =3D=3D NULL) break; =20
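Review bot: In the `@@ -1281,7 +1283,7 @@` hunk, IFQ_DEQUEUE is the wrong half of the pair this patch otherwise sets up. The attach hunk initialises ifq_drv_maxlen, i.e. the driver-managed queue variant of the ALTQ conversion, and the hunk that follows hands a packet back with a *_DRV_PREPEND when the TX ring is full; that macro pushes the mbuf onto the ifq_drv list, which IFQ_DEQUEUE never consults (it takes from ALTQ or the plain ifq list), so the returned packet would sit in the drv list until something else drains it. Dequeue with `IFQ_DRV_DEQUEUE(&ifp->if_snd, m);` here so both sides work on the same list.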
@@ -1362,7 +1364,7 @@ ifp->if_drv_flags |=3D IFF_DRV_OACTIVE; r->r_prod =3D firstprod; r->r_cnt =3D firstcnt; - IF_PREPEND(&ifp->if_snd, m); + IF_DRV_PREPEND(&ifp->if_snd, m); return; } =20
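Review bot: `IF_DRV_PREPEND(&ifp->if_snd, m);` in the `@@ -1362,7 +1364,7 @@` hunk names a macro the ifq API does not define; the driver-managed prepend is IFQ_DRV_PREPEND, so this hunk will not compile as posted. Change the line to `IFQ_DRV_PREPEND(&ifp->if_snd, m);`, which also keeps it consistent with the ifq_drv_maxlen set up in the attach hunk.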

From: Christian Brueffer
To: Dominique SA
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 May 2007 00:24:09 +0200
Message-id: <20070522222409.GB9318@haakonia.hitnet.RWTH-Aachen.DE>
In-reply-to: <20070522214512.GA1877@haakonia.hitnet.RWTH-Aachen.DE>
X-Operating-System: FreeBSD 6.2-STABLE
Subject: Re: Support for ALTQ and TXP* interfaces

On Tue, May 22, 2007 at 11:45:12PM +0200, Christian Brueffer wrote:
> On Mon, May 21, 2007 at 12:14:17PM -0400, Dominique SA wrote:
> > I was wondering when is altq going to be supported for TXP* interfaces?
> >
>
> As soon as we find someone to test patches. Are you interested? The
> procedure is outlined at http://people.freebsd.org/~mlaier/ALTQ_driver/
>
> The patch is attached.
>

The previous patch didn't compile, sorry. New patch attached.
- Christian

-- 
Christian Brueffer      chris@unixpages.org  brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D

Content-Disposition: attachment; filename="if_txp.c.diff"

Index: if_txp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /data/ncvs/freebsd/src/sys/dev/txp/if_txp.c,v retrieving revision 1.44 diff -u -r1.44 if_txp.c --- if_txp.c 4 Mar 2007 03:38:08 -0000 1.44 +++ if_txp.c 22 May 2007 21:41:03 -0000 @@ -330,7 +330,9 @@ ifp->if_watchdog =3D txp_watchdog; ifp->if_init =3D txp_init; ifp->if_baudrate =3D 100000000; - ifp->if_snd.ifq_maxlen =3D TX_ENTRIES; + IFQ_SET_MAXLEN(&ifp->if_snd, TX_ENTRIES); + ifp->if_snd.ifq_drv_maxlen =3D TX_ENTRIES; + IFQ_SET_READY(&ifp->if_snd); ifp->if_hwassist =3D 0; txp_capabilities(sc); =20 @@ -1281,7 +1283,7 @@ cnt =3D r->r_cnt; =20 while (1) { - IF_DEQUEUE(&ifp->if_snd, m); + IFQ_DEQUEUE(&ifp->if_snd, m); if (m =3D=3D NULL) break; =20
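Review bot: The `@@ -1281,7 +1283,7 @@` hunk of this revised patch still dequeues with IFQ_DEQUEUE while the final hunk now prepends with IFQ_DRV_PREPEND and the attach hunk sets ifq_drv_maxlen. IFQ_DRV_PREPEND places the mbuf on the ifq_drv list, which IFQ_DEQUEUE does not read, so a packet returned to the queue on a full TX ring is stranded there; use `IFQ_DRV_DEQUEUE(&ifp->if_snd, m);` so dequeue and prepend operate on the same list.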
@@ -1362,7 +1364,7 @@ ifp->if_drv_flags |=3D IFF_DRV_OACTIVE; r->r_prod =3D firstprod; r->r_cnt =3D firstcnt; - IF_PREPEND(&ifp->if_snd, m); + IFQ_DRV_PREPEND(&ifp->if_snd, m); return; } =20

From: Vasily Ivanov
Organization: Academ.org
To: freebsd-pf@freebsd.org
Date: Wed, 23 May 2007 12:06:50 +0700
Message-Id: <200705231206.50584.freebsdpf@academ.org>
Subject: source limiting NATed connections

Hi!

I am using PF on my external gateway, and wondering if it is possible to
source limit state entries created by nat rules. When I try to put a rule
like this:

"nat on $ext_if from $private_net to any -> $nat_addr (source-track rule, max-src-states 10)"

into pf.conf I get a "syntax error" message. There are no other rules
besides firewalling the gateway itself in pf.conf.

Thanks a lot.

-- 
Vasily Ivanov

To: freebsd-pf@freebsd.org
References: <200705231206.50584.freebsdpf@academ.org>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Wed, 23 May 2007 14:07:36 +0200
In-Reply-To: <200705231206.50584.freebsdpf@academ.org> (Vasily Ivanov's message of "Wed, 23 May 2007 12:06:50 +0700")
Message-ID: <87wsyzvj3r.fsf@thingy.datadok.no>
Subject: Re: source limiting NATed connections

Vasily Ivanov writes:

> When I try to put rule like this: "nat on $ext_if from $private_net to any ->
> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I get
> a "syntax error" message.

Put the source tracking part in your pass rules instead.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
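Before moving the limit into pass rules it helps to know how many states each NAT'd host already holds, since that is what `max-src-states` is compared against. Added example, not from the thread: a small parser for `pfctl -s state` output that counts states per untranslated source and lists hosts above a threshold; the sample lines are constructed, and the script assumes the `lan -> gwy -> ext` / `lan <- gwy <- ext` address layout pfctl prints, with IPv4 host:port endpoints.

```python
import re
from collections import Counter

# One pfctl -s state line: iface proto addr arrow addr [arrow addr] src_state:dst_state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<first>\S+)\s+(?P<arrow>->|<-)\s+(?P<second>\S+)"
    r"(?:\s+(?P=arrow)\s+(?P<third>\S+))?\s+(?P<states>\S+:\S+)\s*$"
)


def strip_port(hostport):
    """'192.168.0.5:49152' -> '192.168.0.5' (assumes IPv4 host:port form)."""
    host, sep, _ = hostport.rpartition(":")
    return host if sep else hostport


def parse_state(line):
    """Endpoints of one state line, or None if the line is not a state.
    'source' is the untranslated originating host, which is the address
    source-track / max-src-states count against."""
    m = STATE_RE.match(line)
    if not m:
        return None
    first, second, third = m.group("first", "second", "third")
    outbound = m.group("arrow") == "->"
    if outbound:                       # lan -> [gwy ->] ext
        source, dest = first, (third or second)
    else:                              # lan <- [gwy <-] ext
        source, dest = (third or second), first
    return {
        "proto": m.group("proto"),
        "source": strip_port(source),
        "dest": strip_port(dest),
        "translated": third is not None,   # three addresses => NAT/rdr applied
        "outbound": outbound,
        "states": m.group("states"),
    }


def states_per_source(lines, translated_only=True):
    """Count state entries per originating host (NAT'd states only by default)."""
    counts = Counter()
    for line in lines:
        st = parse_state(line)
        if st is None or (translated_only and not st["translated"]):
            continue
        counts[st["source"]] += 1
    return counts


def sources_over(lines, max_src_states, translated_only=True):
    """Hosts already holding more states than max_src_states, i.e. the ones a
    pass rule with (source-track rule, max-src-states N) would start refusing."""
    counts = states_per_source(lines, translated_only)
    return sorted(h for h, n in counts.items() if n > max_src_states)


# Constructed sample in pfctl -s state layout (not real data): one LAN host
# with 12 translated states, another with 3, one untranslated state to the
# gateway, one inbound BGP session, and a non-state line that must be ignored.
SAMPLE = (
    [f"all tcp 192.168.0.5:{40000 + i} -> 203.0.113.1:{50000 + i} -> "
     f"198.51.100.{10 + i}:80       ESTABLISHED:ESTABLISHED" for i in range(12)]
    + [f"all udp 192.168.0.9:{40000 + i} -> 203.0.113.1:{51000 + i} -> "
       f"198.51.100.53:53       MULTIPLE:SINGLE" for i in range(3)]
    + ["self tcp 192.168.0.9:40100 -> 192.168.0.1:22       ESTABLISHED:ESTABLISHED",
       "self tcp 203.0.113.1:179 <- 203.0.113.2:33100       ESTABLISHED:ESTABLISHED",
       "No ALTQ support in kernel"]
)

if __name__ == "__main__":
    for host, n in states_per_source(SAMPLE).most_common():
        print(f"{host:15} {n:5d} translated states")
    print("over max-src-states 10:", sources_over(SAMPLE, 10))
```

Run it against the real output with `pfctl -s state | python3 script.py`-style piping by replacing SAMPLE with `sys.stdin`.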

From: Vasily Ivanov
Organization: Academ.org
To: freebsd-pf@freebsd.org
Date: Wed, 23 May 2007 19:57:31 +0700
In-Reply-To: <87wsyzvj3r.fsf@thingy.datadok.no>
Message-Id: <200705231957.31447.freebsdpf@academ.org>
Subject: Re: source limiting NATed connections

Hi, Peter, thanks for your reply.

On 23 May 2007 19:07, Peter N. M. Hansteen wrote:
> Vasily Ivanov writes:
> > When I try to put rule like this: "nat on $ext_if from $private_net to
> > any -> $nat_addr (source-track rule, max-src-states 10)" into pf.conf I
> > get a "syntax error" message.
>
> Put the source tracking part in your pass rules instead.

There are no other pass/block rules, except those protecting the gateway
itself. All firewalling and shaping is on the other box; the gw is handling
BGP and NAT functions only.

There comes another question: if I add a "pass in on $int_if from any to any
keep state" rule (with source-tracking etc.), will it double the number of
states in pf -- one state from the nat rule, and one from keep state? Because
it's already about 12-15k states in peak times (7k minimum), and if it
doubles...
-- 
Vasily Ivanov

Date: Thu, 24 May 2007 11:16:10 -0700 (PDT)
From: cangak
To: freebsd
Message-ID: <699842.48622.qm@web50711.mail.re2.yahoo.com>
Subject: pf rule

Hi all, I'm a newbie here. I just installed FreeBSD 6.0 with pf support and
I want to allow just the port list below.

#YM
allow 5000-5100
#telnet
23
#chatting
6000-7000
#ftp
21
#http
80
#smtp,pop,imap
25
110
#gmail
995
465
587
#HTTPS
443
#SSH
22
#datacell
9191
allow udp from any to any 161
allow udp from any to any 53
allow udp from any 53 to any
allow icmp from any to any

Is there anybody who can tell me how to list all these ports with pf?

thanks

imagination without limits

Message-ID: <465692A6.1040406@bestnet.kharkov.ua>
Date: Fri, 25 May 2007 10:39:18 +0300
From: Gregory Edigarov
To: cangak
Cc: freebsd-pf@freebsd.org
In-Reply-To: <699842.48622.qm@web50711.mail.re2.yahoo.com>
Subject: Re: pf rule

cangak wrote:
> Hi all, I'm a newbie here. I just installed FreeBSD 6.0 with pf support and I want to allow just the port list below.
>
>
Man, nobody will help you do your homework. Read and understand man pf.conf,
then come up with questions. Or, be prepared to pay somebody at least $100
for a full ruleset.

-- 
With best regards,
Gregory Edigarov

Message-ID: <499c70c0705250840o487ec16cg28af04f83ea1774d@mail.gmail.com>
Date: Fri, 25 May 2007 18:40:54 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: cangak
Cc: freebsd
In-Reply-To: <699842.48622.qm@web50711.mail.re2.yahoo.com>
Subject: Re: pf rule

On 5/24/07, cangak wrote:
> Hi all, I'm a newbie here. I just installed FreeBSD 6.0 with pf support and I want to allow just the port list below.
> #YM
> allow 5000-5100
> #telnet
> 23
> #chatting
> 6000-7000
> #ftp
> 21
> #http
> 80
> #smtp,pop,imap
> 25
> 110
> #gmail
> 995
> 465
> 587
> #HTTPS
> 443
> #SSH
> 22
> #datacell
> 9191
> allow udp from any to any 161
> allow udp from any to any 53
> allow udp from any 53 to any
> allow icmp from any to any
> Is there anybody who can tell me how to list all these ports with pf?
> thanks
>
>
> imagination without limits

Hello,

Check these useful sites.

http://www.openbsd.org/faq/pf/tables.html
http://www.bgnett.no/~peter/pf/en/bruteforce.html
http://layer0.layeredtech.com/showthread.php?t=2164

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

Message-ID: <499c70c0705251609s6be5792bl1ca40076c69f6da3@mail.gmail.com>
Date: Sat, 26 May 2007 02:09:59 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: freebsd-pf@freebsd.org
Subject: alot of State failure on: 2
X-List-Received-Date: Fri, 25 May 2007 23:10:04 -0000

Hello,

My server is being flooded by a script kiddie against port 7325.

Here is the dmesg output.

pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4064 [lo=2903116211 high=2903120308 win=0 modulator=0] [lo=3133254124 high=3133254125 win=4096 modulator=0] 4:2 SA seq=3133254123 ack=2903116212 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1232 [lo=1528732996 high=1528737092 win=65535 modulator=0] [lo=1110233468 high=1110299003 win=4096 modulator=0] 4:2 S seq=1615476339 ack=1110233468 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4075 [lo=4260964132 high=4260968229 win=0 modulator=0] [lo=524210142 high=524210143 win=4096 modulator=0] 4:2 SA seq=524210141 ack=4260964133 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1244 [lo=2193693082 high=2193697178 win=65535 modulator=0] [lo=1850636290 high=1850701825 win=4096 modulator=0] 4:2 S seq=2280473825 ack=1850636290 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4106 [lo=2808910619 high=2808914716 win=0 modulator=0] [lo=70028163 high=70028164 win=4096 modulator=0] 4:2 SA seq=70028162 ack=2808910620 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4142 [lo=3849039689 high=3849043786 win=0 modulator=0] [lo=1357385265 high=1357385266 win=4096 modulator=0] 4:2 SA seq=1357385264 ack=3849039690 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4136 [lo=1765130854 high=1765134951 win=0 modulator=0] [lo=4245636096 high=4245636097 win=4096 modulator=0] 4:2 SA seq=4245636095 ack=1765130855 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4155 [lo=2253582753 high=2253586850 win=0 modulator=0] [lo=578092985 high=578092986 win=4096 modulator=0] 4:2 SA seq=578092984 ack=2253582754 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4165 [lo=550262320 high=550266417 win=0 modulator=0] [lo=3799579754 high=3799579755 win=4096 modulator=0] 4:2 SA seq=3799579753 ack=550262321 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1203 [lo=490558546 high=490562643 win=0 modulator=0] [lo=3233895008 high=3233895009 win=4096 modulator=0] 4:2 SA seq=3233895007 ack=490558547 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4188 [lo=1709375942 high=1709380039 win=0 modulator=0] [lo=2834491968 high=2834491969 win=4096 modulator=0] 4:2 SA seq=2834491967 ack=1709375943 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4178 [lo=1856654595 high=1856658692 win=0 modulator=0] [lo=1762587611 high=1762587612 win=4096 modulator=0] 4:2 SA seq=1762587610 ack=1856654596 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4211 [lo=438506757 high=438510854 win=0 modulator=0] [lo=3182986845 high=3182986846 win=4096 modulator=0] 4:2 SA seq=3182986844 ack=438506758 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4277 [lo=2147987817 high=2147991914 win=0 modulator=0] [lo=1434323249 high=1434323250 win=4096 modulator=0] 4:2 SA seq=1434323248 ack=2147987818 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |

Here is my pf.conf

ext_if="fxp0"
int_if="lo0"

tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"

icmp_types = "8"

table <bruteforce> persist

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
set fingerprints "/etc/pf.os"

scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp

antispoof for $ext_if inet
antispoof for $int_if

block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce>

# Pass ICMP type 8 (echo request) only, with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

pass proto udp to any port $udp_services keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 30/3, \
     overload <bruteforce> flush global)

pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state

# End

pfctl -vvsTables
-pa-r-  bruteforce
        Addresses:   579
        Cleared:     Thu Jan  1 00:00:00 1970
        References:  [ Anchors: 0                  Rules: 219                ]
        Evaluations: [ NoMatch: 60918665           Match: 51919907           ]
        In/Block:    [ Packets: 51919907           Bytes: 2562926165         ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 77/0(match): block in on fxp0: 24.39.30.107.1340 > 66.90.108.40.7325: S 2502809781:2502809781(0) win 64240
000007 rule 77/0(match): block in on fxp0: 24.39.30.107.1341 > 66.90.108.40.7325: S 2502851269:2502851269(0) win 64240
000125 rule 77/0(match): block in on fxp0: 24.39.30.107.1343 > 66.90.108.40.7325: S 2502964552:2502964552(0) win 64240
000039 rule 77/0(match): block in on fxp0: 84.1.154.50.3741 > 66.90.108.40.7325: S 1022062798:1022062798(0) win 65535
000006 rule 77/0(match): block in on fxp0: 24.39.30.107.1342 > 66.90.108.40.7325: S 2502906432:2502906432(0) win 64240
000087 rule 77/0(match): block in on fxp0: 24.39.30.107.1344 > 66.90.108.40.7325: S 2503024257:2503024257(0) win 64240
000005 rule 77/0(match): block in on fxp0: 24.39.30.107.1350 > 66.90.108.40.7325: S 2503165130:2503165130(0) win 64240
000026 rule 77/0(match): block in on fxp0: 24.39.30.107.1345 > 66.90.108.40.7325: S 2503084885:2503084885(0) win 64240
000179 rule 77/0(match): block in on fxp0: 24.39.30.107.1346 > 66.90.108.40.7325: S 2503131377:2503131377(0) win 64240
000018 rule 77/0(match): block in on fxp0: 84.0.144.75.1416 > 66.90.108.40.7325: S 2025750048:2025750048(0) win 65535
000008 rule 77/0(match): block in on fxp0: 82.127.41.104.2831 > 66.90.108.40.7325: S 4128598212:4128598212(0) win 65535
000366 rule 77/0(match): block in on fxp0: 84.5.97.92.1972 > 66.90.108.40.7325: S 3823128639:3823128639(0) win 16384
000086 rule 77/0(match): block in on fxp0: 193.6.6.135.3819 > 66.90.108.40.7325: S 4260080384:4260080384(0) win 65535
000112 rule 77/0(match): block in on fxp0: 82.50.127.107.2684 > 66.90.108.40.7325: S 3307955851:3307955851(0) win 65535
003003 rule 77/0(match): block in on fxp0: 84.9.32.123.4869 > 66.90.108.40.7325: S 3742698697:3742698697(0) win 65535
000011 rule 77/0(match): block in on fxp0: 201.51.254.195.2546 > 66.90.108.40.7325: S 4092558202:4092558202(0) win 65535
000005 rule 77/0(match): block in on fxp0: 201.51.254.195.2545 > 66.90.108.40.7325: S 1627281497:1627281497(0) win 65535
150 packets captured
10780 packets received by filter
9934 packets dropped by kernel

--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Sat May 26 01:13:42 2007
Date: Fri, 25 May 2007 18:13:40 -0700
From: "Kian Mohageri"
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <499c70c0705251609s6be5792bl1ca40076c69f6da3@mail.gmail.com>
References: <499c70c0705251609s6be5792bl1ca40076c69f6da3@mail.gmail.com>
Subject: Re: alot of State failure on: 2
X-List-Received-Date: Sat, 26 May 2007 01:13:42 -0000

On 5/25/07, Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> My server is being flooded by a script kiddie against port 7325.

What exactly is your question?

You can decrease the verbosity of PF (read the pfctl man page) if you
don't want to see those messages.

Kian

From owner-freebsd-pf@FreeBSD.ORG Sat May 26 01:27:51 2007
Message-ID: <499c70c0705251827y5297382cs46af00cae15012ed@mail.gmail.com>
Date: Sat, 26 May 2007 04:27:49 +0300
From: "Abdullah Ibn Hamad Al-Marri"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
References: <499c70c0705251609s6be5792bl1ca40076c69f6da3@mail.gmail.com>
Subject: Re: alot of State failure on: 2
X-List-Received-Date: Sat, 26 May 2007 01:27:52 -0000

On 5/26/07, Kian Mohageri wrote:
> On 5/25/07, Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > My server is being flooded by a script kiddie against port 7325.
>
> What exactly is your question?
>
> You can decrease the verbosity of PF (read the pfctl man page) if you
> don't want to see those messages.
>
> Kian

My question is, why all these failure messages and the state-mismatch?

Status: Enabled for 1 days 08:28:30           Debug: Loud
Hostid: 0x02a0ce3f

Interface Stats for fxp0              IPv4             IPv6
  Bytes In                     13566244426                0
  Bytes Out                     5093968616                0
  Packets In
    Passed                        17739895                0
    Blocked                      140741343                0
  Packets Out
    Passed                        18797493                0
    Blocked                        1031426                0

State Table                          Total             Rate
  current entries                      113
  searches                       177905411         1521.7/s
  inserts                          2542930           21.8/s
  removals                         2542817           21.8/s
Counters
  match                          140456174         1201.4/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                          51776858          442.9/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                   1464193           12.5/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                           1075            0.0/s
  synproxy                         1889417           16.2/s

Am I doing something wrong with my rules that causes the failure and the state-mismatch?

--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
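The thread never gets past "what is your question"; what a defender actually wants from the two dumps above is to know which peers are generating the BAD state noise and the blocked SYN storm, and where the rejected segment's sequence number sits relative to the window pf was tracking. The following script is an added example (it is not from this thread and not part of pf or FreeBSD) that parses the "pf: BAD state: TCP ..." dmesg format and the "tcpdump -n -e -ttt -i pflog0" line format exactly as printed above, then tallies by source. Two assumptions to be aware of: pf prints the state's own src window first and its dst window second, and a segment travelling in the state's original direction (rel "fwd") is checked against the src window while a reply (rel "rev") is checked against the dst window; and the in-window test below is a plain [lo, high] comparison in 32-bit sequence space, not pf's exact check with its window slack. The sample lines are copied from the dmesg and tcpdump output quoted earlier in this thread.

```python
"""Triage helper for pf(4) 'BAD state' dmesg lines and pflog tcpdump lines.
Added example; not code from the thread, from pf, or from FreeBSD."""
import re
from collections import Counter

# One "pf: BAD state:" line: lan gwy ext [src window] [dst window] states FLAGS seq ack len ackskew pkts dir
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) modulator=\d+\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) modulator=\d+\] "
    r"\d+:\d+ (?P<flags>[A-Z]+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts_src>\d+):(?P<pkts_dst>\d+) "
    r"dir=(?P<dir>in|out),(?P<rel>fwd|rev)"
)

# One "tcpdump -n -e -ttt -i pflog0" line: rule, action, interface, 4-tuple, TCP flags.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)

MASK32 = 0xFFFFFFFF

def seq_geq(a, b):
    """BSD SEQ_GEQ(): a >= b in 32-bit modular TCP sequence space."""
    return ((a - b) & MASK32) < 0x80000000

def parse_bad_state(line):
    """Fields of one 'pf: BAD state: TCP ...' line as a dict, or None if it is not one."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("src_lo", "src_hi", "src_win", "dst_lo", "dst_hi", "dst_win",
              "seq", "ack", "len", "ackskew", "pkts_src", "pkts_dst"):
        d[k] = int(d[k])
    return d

def classify_bad_state(d):
    """'below', 'inside' or 'above': where [seq, end] of the rejected segment sits
    relative to the window pf kept for the sender's side (assumption: fwd -> src
    window, rev -> dst window). SYN and FIN each consume one sequence number."""
    lo, hi = (d["src_lo"], d["src_hi"]) if d["rel"] == "fwd" else (d["dst_lo"], d["dst_hi"])
    end = (d["seq"] + d["len"] + ("S" in d["flags"]) + ("F" in d["flags"])) & MASK32
    if not seq_geq(d["seq"], lo):
        return "below"
    if not seq_geq(hi, end):
        return "above"
    return "inside"

def summarize_bad_states(lines):
    """Tally BAD state lines by (remote host, flags, fwd/rev, window placement)."""
    tally = Counter()
    for line in lines:
        d = parse_bad_state(line)
        if d is None:
            continue                      # e.g. the "pf: State failure on:" lines
        remote = d["ext"].rsplit(":", 1)[0]
        tally[(remote, d["flags"], d["rel"], classify_bad_state(d))] += 1
    return tally

def parse_pflog(line):
    """Fields of one pflog tcpdump line as a dict, or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "sport", "dport"):
        d[k] = int(d[k])
    return d

def blocked_syns_by_source(lines):
    """Count blocked inbound SYN-only segments per (source address, destination port)."""
    c = Counter()
    for line in lines:
        d = parse_pflog(line)
        if d and d["action"] == "block" and d["dir"] == "in" and d["flags"] == "S":
            c[(d["src"], d["dport"])] += 1
    return c

# Sample input: lines copied from the dmesg and pflog output quoted in this thread.
DMESG_SAMPLE = [
    "pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4064 [lo=2903116211 high=2903120308 win=0 modulator=0] [lo=3133254124 high=3133254125 win=4096 modulator=0] 4:2 SA seq=3133254123 ack=2903116212 len=0 ackskew=-1 pkts=1:1 dir=out,rev",
    "pf: State failure on: 2 |",
    "pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1232 [lo=1528732996 high=1528737092 win=65535 modulator=0] [lo=1110233468 high=1110299003 win=4096 modulator=0] 4:2 S seq=1615476339 ack=1110233468 len=0 ackskew=0 pkts=3:4 dir=in,fwd",
    "pf: State failure on: 1 | 5",
]
PFLOG_SAMPLE = [
    "000000 rule 77/0(match): block in on fxp0: 24.39.30.107.1340 > 66.90.108.40.7325: S 2502809781:2502809781(0) win 64240",
    "000007 rule 77/0(match): block in on fxp0: 24.39.30.107.1341 > 66.90.108.40.7325: S 2502851269:2502851269(0) win 64240",
    "000125 rule 77/0(match): block in on fxp0: 24.39.30.107.1343 > 66.90.108.40.7325: S 2502964552:2502964552(0) win 64240",
    "000039 rule 77/0(match): block in on fxp0: 84.1.154.50.3741 > 66.90.108.40.7325: S 1022062798:1022062798(0) win 65535",
]

if __name__ == "__main__":
    for (host, flags, rel, where), n in sorted(summarize_bad_states(DMESG_SAMPLE).items()):
        print(f"{host:16} {flags:3} {rel:4} seq {where:7} x{n}")
    for (src, dport), n in blocked_syns_by_source(PFLOG_SAMPLE).most_common():
        print(f"{src:16} -> port {dport}: {n} blocked SYNs")
```

On the two dmesg samples the classifier reports the outgoing SYN+ACK (rev) as sitting one below the dst-side lo, and the incoming SYN (fwd) as far above the src-side high, which is the same split the log itself shows between the "2 |" and "1 | 5" failure lines; on real input, feed it the whole dmesg buffer and the pflog capture and sort the counters to see which remote hosts dominate.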