Date: Wed, 4 Jul 2007 09:48:44 -0500
From: Flor Estela Hernández Aguilar <feh_aguilar@hotmail.com>
To: <freebsd-pf@freebsd.org>
Subject: How to kill messenger?
Message-ID: <BAY138-W4C60B7D81E9836D10CA329E030@phx.gbl>
Hello Everyone!!

Maybe it's not the first time you read about it, but these are my first lessons with ipf rules. I have to "kill" or block the MSN service, but only for a few IPs, not all of them. Do you know the way to do this? I tried with:

    block out proto tcp from any to 192.168.1.10 port = 1863

Surely I am making a mistake.

I'd appreciate your opinions.

Flor.


From: freebsd-pf-request@freebsd.org
Subject: freebsd-pf Digest, Vol 145, Issue 3
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 12:00:26 +0000

--Forwarded message attachment--

From: max@love2party.net
CC: freebsd-pf@freebsd.org
To: freebsd-current@freebsd.org
Date: Tue, 3 Jul 2007 15:24:58 +0200
Subject: Re: HEADSUP: pf 4.1 import

On Tuesday 03 July 2007, Max Laier wrote:
> Users of pf should hold off a bit as I plan to commit a tiny ABI break
> after the update is finished in order to be able to add netgraph
> support in the future. After that a full "buildworld buildkernel
> installkernel installworld mergemaster"-run is advised.
>
> Will send an all clear when done.

This is it. Though my post-commit build is still running, things should be alright again.

Users of pf please note that tcpdump and libpcap need additional patches that need to go through the vendor first. I'm trying to get things moving there, but for the time being, please use the attached patch to understand the new pflog format.

Anyone with hands at tcpdump.org? Help appreciated!

-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Forwarded message attachment--

From: max@love2party.net
CC: freebsd-pf@freebsd.org
To: freebsd-current@freebsd.org
Date: Tue, 3 Jul 2007 15:32:09 +0200
Subject: Re: HEADSUP: pf 4.1 import

In case you wondered, too. The signature on my last message was bad because the ?list? applied the following cleanup:

    -Content-Type: text/x-diff; charset="iso-8859-6";
    -  name="pf.41.tcpdump_local.diff"
    +Content-Type: text/x-diff;
    +  charset="iso-8859-6";
    +  name="pf.41.tcpdump_local.diff"

The patch is good - there is no conspiracy ;)

-- 
Max Laier

--Forwarded message attachment--

From: max@love2party.net
To: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 15:34:49 +0200
Subject: Re: Current problem reports assigned to you

I'll ask all owners of pf-related PRs to reevaluate the problem in light of the update. It's unlikely that fixes can easily be backported, but I will try if positive feedback is available.

-- 
Max Laier

--Forwarded message attachment--

From: andrei.manescu@clicknet.ro
To: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 19:23:13 +0300
Subject: ALTQ + CBQ -> http & ftp

Hello everyone.

Probably this is not the first email on this topic, so I'll be brief:
I have the following queues:

    altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
    queue ack bandwidth 50Kb priority 7 cbq(borrow)
    queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
            queue ssh_login bandwidth 25% priority 6 cbq(borrow)
            queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
    queue http bandwidth 4000Kb priority 5 cbq
    queue ftp bandwidth 390Kb priority 2 cbq(borrow)
    queue def bandwidth 500Kb priority 1 cbq(default)
    queue icmp bandwidth 10Kb priority 0 cbq

... and these rules for http & ftp traffic:

    pass in log-all quick on $ext_if1 proto tcp from any to <jails> port {80, 8080} flags S/SA synproxy state queue http

    pass in log quick on $ext_if1 proto tcp from any to <jails> port ftp flags S/SA synproxy state
    pass out log-all quick on $ext_if1 proto {tcp,udp} from $external_addr1 \
        to any port 65530:65534 flags S/SA keep state queue ftp

The thing is that ftp is in passive mode, and when there is traffic on both http & ftp each type of transfer gets ~50% of the bandwidth, so the higher priority of the http queue doesn't apply at all.

Does anyone have a suggestion for the rules above?

Thank you in advance for your patience and wisdom :)

Andrei.

--Forwarded message attachment--

From: rea-fbsd@codelabs.ru
CC: freebsd-pf@freebsd.org
To: nate@root.org; max@love2party.net
Date: Tue, 3 Jul 2007 20:46:56 +0400
Subject: Re: pf 4.1 Update available for testing

Nate, Max, good day.

Wed, Jun 20, 2007 at 11:04:23PM +0400, Eygene Ryabinkin wrote:
> This error can potentially be responsible for the weird bandwidth
> values I am having with the altq on my notebook. The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry. Maybe I will be able to set up
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests are carried out.

At last, I carried out the tests. No luck: still seeing weird bandwidth numbers as compared with the setting in the pf.conf.

But still, the second issue about non-initialized variables can be committed: it will not harm. What do you both think?

Thank you.
-- 
Eygene

--Forwarded message attachment--

From: nate@root.org
CC: freebsd-pf@freebsd.org
To: rea-fbsd@codelabs.ru
Date: Tue, 3 Jul 2007 11:18:45 -0700
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> Wed, Jun 20, 2007 at 11:04:23PM +0400, Eygene Ryabinkin wrote:
>> This error can potentially be responsible for the weird bandwidth
>> values I am having with the altq on my notebook. The issue is
>> described on the thread
>> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
>> Basically, I am setting one BW limit in pf.conf and seeing another
>> one (much lower) via the ifstat utility.
>>
>> I was able only to test the compilation of the new patched kernel.
>> No bandwidth tests were done: I have no access to the fast LAN link
>> up to the Monday, 24th, sorry. Maybe I will be able to set up
>> ng_eiface and test with it, but I am not fluent with the netgraph.
>> Will post an update if tests are carried out.
>
> At last, I carried out the tests. No luck: still seeing weird
> bandwidth numbers as compared with the setting in the pf.conf.
>
> But still, the second issue about non-initialized variables
> can be committed: it will not harm. What do you both think?
>
> Thank you.

I'm reviewing your patch; started yesterday. I think it can be done simpler. I'll get back to you today.

-- 
Nate

--Forwarded message attachment--

From: linux@giboia.org
To: freebsd-pf@freebsd.org
Date: Tue, 3 Jul 2007 15:35:22 -0300
Subject: Re: ALTQ + CBQ -> http & ftp

On 03/07/07, Andrei Manescu <andrei.manescu@clicknet.ro> wrote:
> Hello everyone.
>
> Probably this is not the first email on this topic, so I'll be brief:
> I have the following queues:
>
> altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
> queue ack bandwidth 50Kb priority 7 cbq(borrow)
> queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
>         queue ssh_login bandwidth 25% priority 6 cbq(borrow)
>         queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
> queue http bandwidth 4000Kb priority 5 cbq
> queue ftp bandwidth 390Kb priority 2 cbq(borrow)
> queue def bandwidth 500Kb priority 1 cbq(default)
> queue icmp bandwidth 10Kb priority 0 cbq
> ... and these rules for http & ftp traffic:
>
> pass in log-all quick on $ext_if1 proto tcp from any to <jails> port {80, 8080} flags S/SA synproxy state queue http
>
> pass in log quick on $ext_if1 proto tcp from any to <jails> port ftp flags S/SA synproxy state
> pass out log-all quick on $ext_if1 proto {tcp,udp} from $external_addr1 \
>     to any port 65530:65534 flags S/SA keep state queue ftp
>
> The thing is that ftp is in passive mode, and when there is traffic on both http & ftp each type of transfer gets ~50% of the bandwidth, so the higher priority of the http queue doesn't apply at all.
>
> Does anyone have a suggestion for the rules above?
>
> Thank you in advance for your patience and wisdom :)
>
> Andrei.

How much traffic does each connection carry?

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

--Forwarded message attachment--

From: nate@root.org
CC: freebsd-pf@freebsd.org
To: rea-fbsd@codelabs.ru
Date: Tue, 3 Jul 2007 15:24:17 -0700
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> Wed, Jun 20, 2007 at 07:26:09PM +0400, Eygene Ryabinkin wrote:
>> Fine, thanks! So, you're happy with the way the problem was fixed?
>> I see that another function that uses tbr_callout is tbr_timeout,
>> but it will not be called before tbr_set. So it seems to me that
>> callout initialisation only in tbr_set is enough. But maybe I am
>> missing something?
>
> After some thinking I came to the idea that one more patch must be
> applied. The variables machclk_usepcc and machclk_per_tick can be
> left uninitialised following the same codepath as for tbr_callout:
> tsc_freq_changed() touches only machclk_freq, but init_machclk
> touches all three variables.
>
> This error can potentially be responsible for the weird bandwidth
> values I am having with the altq on my notebook. The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry. Maybe I will be able to set up
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests are carried out.
>
> But I am pretty sure that the altq_subr.c should be patched to
> properly handle the initialization of these two variables. The
> only question is how to do it: via my patch or using some different
> strategy.
>
> No more words, the patch is attached. Comments are welcome!

I have tried to achieve the same goal with a simpler patch. Here are the changes:

Be sure to initialize the callout struct and other setup tasks before proceeding. Previously, machclk_freq could be set to a non-zero value by tsc_freq_changed(), preventing the callout from being initialized. To fix this, call init_machclk() from all paths. init_machclk() is split into two functions, one that only runs the first time it is called. The second half runs each time the frequency changes and calibrates various items. Also, static variables are zero so there is no need to initialize them.

If you can test this, that would be great.

Thanks,
-- 
Nate

--Forwarded message attachment--

From: novel@FreeBSD.org
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 09:26:40 +0400
Subject: using pfctl -s labels and keep state for traffic accounting

Hi,

I'm going to use pf's label feature for traffic accounting, i.e. creating an anchor to be able to add/remove rules with labels on the fly and parse the output of pfctl -s labels. However, I spotted some problems with such an approach. When using 'keep state' it seems to have some limitations. First of all, it doesn't seem to allow accounting in only one direction. Well, it was expected, because states work that way. But calculating traffic in both directions gives strange results too. I have a rule:

    pass log quick on $ext_if proto tcp from self to some_host port https label "labels:test"

I have a file on https which I download. After the first try it gives:

    labels:test 284 23 2943

Then I add 'keep state', reload the rules file, check that the counters are zeroed and download the same file again and get:

    labels:test 3 46 29427

Why does it happen that way?

BTW, are there some other limitations to the approach of traffic accounting based on pf labels?

Roman Bogorodskiy
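The following pf.conf fragment is an added example, not code from the original message or from any of the quoted replies. It answers the question at the top of the page (blocking the MSN service, TCP port 1863, for a handful of hosts only) and, through the label on the block rule, also touches the per-label counters that the last quoted message asks about. The rule posted in the question, "block out proto tcp from any to 192.168.1.10 port = 1863", matches packets whose destination is 192.168.1.10 on port 1863, i.e. connections *to* that host; an MSN client on 192.168.1.10 initiates connections *to* the Messenger servers, so the rule has to match on the source address. The interface name, the addresses in the table and the label are placeholders chosen for the example; it assumes the firewall is the LAN's gateway.

```pf
# Added example (not from the original message). Block the MSN service
# (TCP 1863) for a few LAN hosts only; every other host is left alone.
# Assumptions: this box is the LAN's default gateway, $int_if is the
# LAN-facing interface, and the hosts in <msn_blocked> are the ones to
# cut off. All three values are placeholders.
int_if   = "em0"
msn_port = "1863"

# "persist" keeps the table around even if no rule references it, so
# hosts can be added/removed at runtime with:
#   pfctl -t msn_blocked -T add 192.168.1.12
#   pfctl -t msn_blocked -T delete 192.168.1.12
table <msn_blocked> persist { 192.168.1.10, 192.168.1.11 }

# Match on the *source* address: the client opens the connection to the
# Messenger servers, so it is "from <msn_blocked>", not "to".
# "quick" ends rule evaluation here, so the later "pass" cannot win
# (pf is last-match by default). "return" sends a TCP RST so the client
# fails immediately instead of hanging on retransmits. The label lets
# "pfctl -s labels" show how often the rule has fired.
block return in quick on $int_if proto tcp from <msn_blocked> to any port $msn_port label "msn_blocked"

# Unchanged behaviour for everyone else on the LAN.
pass in on $int_if inet proto { tcp, udp, icmp } from $int_if:network to any keep state
```

Check the syntax without loading anything with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm that blocked attempts are being counted with `pfctl -s labels` (one line per label: name, evaluations, packets, bytes) or `pfctl -vsr`. Two caveats a practitioner would want: first, a block rule creates no state, so every blocked SYN is evaluated and counted, whereas for a stateful pass rule only the first packet of a connection is evaluated against the ruleset and the packets matched by the resulting state are still charged to that rule's packet and byte counters in both directions, which is why adding `keep state` makes the evaluation count drop and the packet and byte counts rise. Second, the Messenger client of that era could fall back to HTTP on port 80 when 1863 was unreachable, so a port-1863 block alone may not fully "kill" the service; blocking the client's HTTP access or the Messenger servers' addresses would be needed for that.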