From owner-freebsd-pf@FreeBSD.ORG Mon Jun 21 11:07:01 2010
Return-Path:
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 51D921065688 for ; Mon, 21 Jun 2010 11:07:01 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 373F18FC26 for ; Mon, 21 Jun 2010 11:07:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o5LB71e3098335 for ; Mon, 21 Jun 2010 11:07:01 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o5LB70SJ098330 for freebsd-pf@FreeBSD.org; Mon, 21 Jun 2010 11:07:00 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 21 Jun 2010 11:07:00 GMT
Message-Id: <201006211107.o5LB70SJ098330@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 21 Jun 2010 11:07:01 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker       Resp.      Description
--------------------------------------------------------------------------------
o kern/147789   pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832   pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311   pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543   pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504    pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961   pf         [pf] No way to adjust pidfile in pflogd
o conf/142817   pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905   pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697   pf         [pf] pf behaviour changes - must be documented
o kern/137982   pf         [pf] when pf can hit state limits, random IP failures
o kern/136781   pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948   pf         [pf] [gre] pf not natting gre protocol
o kern/135162   pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996   pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732   pf         [pf] max-src-conn issue
o kern/132769   pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176   pf         [pf] pf stalls connection when using route-to [regress
o conf/130381   pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861   pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920   pf         [pf] ipv6 and synproxy don't play well together
o conf/127814   pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439   pf         [pf] deadlock in pf
f kern/127345   pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121   pf         [pf] [patch] pf incorrect log priority
o kern/127042   pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467   pf         [pf] pf keep state bug while handling sessions between
s kern/124933   pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364   pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773   pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014   pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704   pf         [pf] PF mangles loopback packets
o kern/120281   pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057   pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355    pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567   pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095   pf         [carp] carp+pf delay with high state limit
o kern/111220   pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838   pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283   pf         pfsync fails to sucessfully transfer some sessions
o kern/103281   pf         pfsync reports bulk update failures
o kern/93825    pf         [pf] pf reply-to doesn't work
o sparc/93530   pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949    pf         [pf] PF + ALTQ problems with latency
o bin/86635     pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271    pf         [pf] cbq scheduler cause bad latency

45 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 21 14:08:27 2010
From: Bastien Semene
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jun 2010 15:48:03 +0200
Message-ID: <4C1F6D93.2060306@cyanide-studio.com>
Subject: Problem with logging on message log file instead of security

Hi,

First, the problem concerns ipmon, but I didn't find its mailing list on the
website listing: http://lists.freebsd.org/mailman/listinfo
I'm sorry if I missed it, and I will be glad if someone can point me to the
right mailing list.

The problem is that my firewall logs are written in /var/log/messages instead
of the /var/log/security log file.
The ipmon manual says that by default messages should be sent to the security
facility.

/etc/rc.conf :
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
syslogd_flags = "-s -b localhost"

/etc/syslog.conf :
*.err;kern.warning;auth.notice;mail.crit                        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/security
auth.info;authpriv.info                                         /var/log/auth.log
mail.info                                                       /var/log/maillog
lpr.info                                                        /var/log/lpd-errs
ftp.info                                                        /var/log/xferlog
cron.*                                                          /var/log/cron
user.*                                                          /var/log/user.log
*.=debug                                                        /var/log/debug.log
*.emerg                                                         *
!startslip
*.*                                                             /var/log/slip.log
!ppp
*.*                                                             /var/log/ppp.log

Has someone encountered this problem before?

-- 
Bastien Semene
Administrateur Réseau & Système
Cyanide Studio - FRANCE

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 21 14:58:20 2010
From: Bastien Semene
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jun 2010 16:58:19 +0200
Message-ID: <4C1F7E0B.2060908@cyanide-studio.com>
In-Reply-To: <4C1F6D93.2060306@cyanide-studio.com>
Subject: Re: Problem with logging on message log file instead of security

Update: the problem seems to come from ipmon. I sent messages with the logger
tool and it correctly redirected them to the /var/log/security log file, for
the security.{info;notice;warning;err} messages.

On 21/06/2010 15:48, Bastien Semene wrote:
> Hi,
>
> First, the problem concerns ipmon, but I didn't find its mailing list
> on the website listing: http://lists.freebsd.org/mailman/listinfo
> I'm sorry if I missed it, and I will be glad if someone can point me to
> the right mailing list.
>
> The problem is that my firewall logs are written in
> /var/log/messages instead of the /var/log/security log file.
> The ipmon manual says that by default messages should be sent to the
> security facility.
>
> /etc/rc.conf :
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> ipnat_enable="YES"
> ipnat_rules="/etc/ipnat.rules"
> syslogd_flags = "-s -b localhost"
>
> /etc/syslog.conf :
> *.err;kern.warning;auth.notice;mail.crit                        /dev/console
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
> security.*                                                      /var/log/security
> auth.info;authpriv.info                                         /var/log/auth.log
> mail.info                                                       /var/log/maillog
> lpr.info                                                        /var/log/lpd-errs
> ftp.info                                                        /var/log/xferlog
> cron.*                                                          /var/log/cron
> user.*                                                          /var/log/user.log
> *.=debug                                                        /var/log/debug.log
> *.emerg                                                         *
> !startslip
> *.*                                                             /var/log/slip.log
> !ppp
> *.*                                                             /var/log/ppp.log
>
> Has someone encountered this problem before?
>

-- 
Bastien Semene
Administrateur Réseau & Système
Cyanide Studio - FRANCE

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 18:58:31 2010
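The `logger` test in the update above checks facility routing by hand. The following is an added example, not Bastien's code and not part of FreeBSD's syslogd: it evaluates the syslog.conf he posted with the selector rules of syslog.conf(5) (facility.level admits that level and everything more severe, `=level` is exact, `none` excludes, a later selector on the same line overrides an earlier one, `!prog` opens a program block), so one can see on paper which files a given facility.priority reaches. Only the selector syntax that occurs in his file is implemented; the priority aliases and the `local0`/`ppp` sample lookups are assumptions.

```python
"""Resolve which actions in a BSD syslog.conf receive a given message.

Added example, not code from the thread or from FreeBSD. Level prefixes that
do not occur in the posted file ('!', '<=', ...) are rejected, not guessed.
"""
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO = {name: i for i, name in enumerate(PRIORITIES)}
PRIO.update(panic=0, error=3, warn=4)          # aliases accepted by syslog(3) (assumption)

# The questioner's /etc/syslog.conf as posted in the thread (copied, not constructed).
SAMPLE_CONF = """\
*.err;kern.warning;auth.notice;mail.crit        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
user.*                                          /var/log/user.log
*.=debug                                        /var/log/debug.log
*.emerg                                         *
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log
"""


def level_set(level):
    """Map the level part of a selector to the set of priority numbers it admits."""
    if level == "none":
        return set()
    if level == "*":
        return set(range(len(PRIORITIES)))
    if level.startswith("="):
        return {PRIO[level[1:]]}
    if level in PRIO:
        return set(range(PRIO[level] + 1))     # this level and everything more severe
    raise ValueError(f"unsupported level syntax: {level!r}")


def parse_syslog_conf(text):
    """Return a list of (program, masks, action) entries in file order.

    `masks` maps a facility name (or '*') to an admitted-priority set. A '*'
    selector wipes the facility-specific entries that precede it on the same
    line, and a later facility-specific selector overrides '*', which is what
    makes 'authpriv.none' after '*.notice' exclude authpriv from that file.
    """
    entries, program = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):                # program block: !name, or !* to end it
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        masks = {}
        for selector in selectors.split(";"):
            facilities, level = selector.rsplit(".", 1)
            for facility in facilities.split(","):
                if facility == "*":
                    masks.clear()
                masks[facility] = level_set(level)
        entries.append((program, masks, action))
    return entries


def resolve(entries, facility, priority, program=None):
    """Actions that receive a message of facility.priority logged by `program`."""
    pri = PRIO[priority]
    actions = []
    for block_program, masks, action in entries:
        if block_program is not None and block_program != program:
            continue
        admitted = masks.get(facility, masks.get("*"))
        if admitted and pri in admitted and action not in actions:
            actions.append(action)
    return actions


def route(facility, priority, program=None, conf=SAMPLE_CONF):
    """Convenience wrapper: resolve against the posted configuration."""
    return resolve(parse_syslog_conf(conf), facility, priority, program)


if __name__ == "__main__":
    for fac, pri in [("security", "warning"), ("security", "info"), ("authpriv", "notice")]:
        print(f"{fac}.{pri:8} -> {route(fac, pri)}")
```

Run against the posted file, `security.warning` resolves to both /var/log/messages (through the `*.notice` selector) and /var/log/security, while `security.info` resolves to /var/log/security alone; the difference is the priority the daemon logs at, which is what a `logger -p security.<level>` test exercises.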
From: claudiu vasadi
To: freebsd-pf@freebsd.org
Date: Wed, 23 Jun 2010 20:30:22 +0200
Subject: can pf block a string ? or better, to limit it ?

Hello fellas,

system: freebsd 8.0 with pf

A couple of years ago I wanted to limit a string with pf and I could not find
a way to do it.

Back in the day, I was running a dc++ software on FreeBSD and the most common
way of flood was this "string attack". The idea was simple: more than "x"
number of packages containing this "string" = dc++ software stuck. I remember
a friend of mine was able to limit the number per second to something but I
was unable to do the same in pf. Back then I was using FreeBSD 6.2 but I
can't find a way to do it even now.

Can someone shed some light? Were you trying something similar?
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 19:18:51 2010
From: no name
To: claudiu vasadi
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Jun 2010 21:18:35 +0200
Message-ID: <7114830758496124649@unknownmsgid>
Subject: Re: can pf block a string ? or better, to limit it ?

I can't recall it, was dc tcp or udp based? However, you could try to limit
the number of possible connections in a specific time frame. Using linux, you
could even use the l7 ipfilter extension to inspect a packet's payload and do
some limiting based on that.

... just some thoughts.

---
“Your time is limited, so don't waste it living someone else's life. Don't be
trapped by dogma - which is living with the results of other people's
thinking. Don't let the noise of other's opinions drown out your own inner
voice. And most important, have the courage to follow your heart and
intuition. They somehow already know what you truly want to become.
Everything else is secondary.” - Steve Jobs

On 23.06.2010 at 20:30, claudiu vasadi wrote:
> Hello fellas,
>
>
> system: freebsd 8.0 with pf
>
>
> A couple of years ago I wanted to limit a string with pf and I could
> not find a way to do it.
>
> Back in the day, I was running a dc++ software on FreeBSD and the most
> common way of flood was this "string attack". The idea was simple:
> more than "x" number of packages containing this "string" = dc++
> software stuck. I remember a friend of mine was able to limit the
> number per second to something but I was unable to do the same in pf.
> Back then I was using FreeBSD6.2 but I can't find a way to do it even
> now.
>
>
> Can someone shed some light ? Were you trying something similar ?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 19:30:44 2010
From: claudiu vasadi
To: no name
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Jun 2010 21:30:39 +0200
In-Reply-To: <7114830758496124649@unknownmsgid>
Subject: Re: can pf block a string ? or better, to limit it ?

On Wed, Jun 23, 2010 at 9:18 PM, no name wrote:
> i can't recall it, was dc tcp or udp based?

"dc" ????

The number of possible connections in a specific time frame does not help if
I have ~200-500 authentication requests/sec and I get 100-300 attacks (D/DOS)
per sec. I thought about that one long ago, and no matter on which side I
turn the problem, I always end up at the "impossible to filter strings" wall.

I know iptables can do it but a couple of months ago when I was asked to conf.
a linux box I went completely mad trying to learn iptables's syntax (god it's
ugly). This is why I would prefer to avoid linux here. Plus, I'm dealing with
pf way longer than iptables and linux for that matter (it was ~6 years ago
when I worked with linux last time)

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 20:39:58 2010
From: Peter Maxwell
To: claudiu vasadi
Date: Wed, 23 Jun 2010 21:15:46 +0100
References: <7114830758496124649@unknownmsgid>
Cc: freebsd-pf@freebsd.org
Subject: Re: can pf block a string ? or better, to limit it ?

Hmmm, off the top of my head: I wonder if you could use Snort and have that do
full packet inspection for you. Then you should be able to script an alert if
the string is found and call pfctl to add the offending IP address to a table
that blackholes it. Just a thought.

Or if you want to do it "properly", I'm sure you could code something along
the lines of a kernel module.

On 23 June 2010 20:30, claudiu vasadi wrote:
> On Wed, Jun 23, 2010 at 9:18 PM, no name wrote:
>
>> i can't recall it, was dc tcp or udp based?
>
> "dc" ????
>
> The number of possible connections in a specific time frame does not help
> if I have ~200-500 authentications requests/sec and I get 100-300 attacks
> (D/DOS) per sec. I thought about that one long ago, and no matter on which
> side I turn the problem, I always end up at the "impossible to filter
> strings" wall.
>
> I know iptables can do it but a couple of months ago when I was asked to
> conf. a linux box I went completely mad trying to learn iptables's syntax
> (god it's ugly). This is why I would prefer to avoid linux here.
> Plus, I'm dealing with pf way longer than iptables and linux for that matter
> (it was ~6 years ago when I worked with linux last time)
>

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 21:10:32 2010
From: Michael Proto
To: Peter Maxwell
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Jun 2010 17:10:31 -0400
References: <7114830758496124649@unknownmsgid>
Subject: Re: can pf block a string ? or better, to limit it ?

On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you. Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table that blackholes it. Just a thought.
>
> Or if you want to do it "properly", I'm sure you could code something along
> the lines of a kernel module.
>

What about proxying the connection with nstreams?

http://www.freshports.org/net-mgmt/nstreams

-Proto

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 23 22:29:33 2010
From: Vlad Galu
To: claudiu vasadi
Cc: freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 00:29:09 +0200
Subject: Re: can pf block a string ? or better, to limit it ?

http://www.inmon.com/support/sentinel_release.php

On Wed, Jun 23, 2010 at 8:30 PM, claudiu vasadi wrote:
> Hello fellas,
>
>
> system: freebsd 8.0 with pf
>
>
> A couple of years ago I wanted to limit a string with pf and I could not
> find a way to do it.
>
> Back in the day, I was running a dc++ software on FreeBSD and the most
> common way of flood was this "string attack". The idea was simple: more than
> "x" number of packages containing this "string" = dc++ software stuck. I
> remember a friend of mine was able to limit the number per second to
> something but I was unable to do the same in pf. Back then I was using
> FreeBSD6.2 but I can't find a way to do it even now.
>
>
> Can someone shed some light ? Were you trying something similar ?
>

Hi Claudiu,

See the "STATEFUL TRACKING OPTIONS" chapter of pf.conf(5), particularly the
"source-track", "max-src-nodes", "max-src-states", "max-src-conn" and
"max-src-conn-rate" keywords.

-- 
Good, fast & cheap. Pick any two.

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 05:13:52 2010
From: "John Lists Tate"
To: "'Michael Proto'", "'Peter Maxwell'"
Cc: freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 14:51:00 +1000
Message-ID: <010101cb1358$d92b3b50$8b81b1f0$@org>
References: <7114830758496124649@unknownmsgid>
Subject: RE: can pf block a string ? or better, to limit it ?

This or writing a squid redirector are probably the best way to go about it.
You can just redirect everything through a program with pf in any case and
give that program the real work.

John Tate.
-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Michael Proto
Sent: Thursday, June 24, 2010 7:11 AM
To: Peter Maxwell
Cc: freebsd-pf@freebsd.org
Subject: Re: can pf block a string ? or better, to limit it ?

On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you.  Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table that blackholes it.  Just a thought.
>
> Or if you want to do it "properly", I'm sure you could code something along
> the lines of a kernel module.
>

What about proxying the connection with nstreams?
http://www.freshports.org/net-mgmt/nstreams

-Proto

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 08:54:31 2010
From: claudiu vasadi
To: freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 10:54:29 +0200
In-Reply-To: <010101cb1358$d92b3b50$8b81b1f0$@org>
References: <7114830758496124649@unknownmsgid> <010101cb1358$d92b3b50$8b81b1f0$@org>
Subject: Re: can pf block a string ? or better, to limit it ?

@Peter Maxwell: kernel coding is too much for me
@Michael proto: nstreams ... reading about it
@Vlad Galu: STATEFUL TRACKING OPTIONS has nothing to do with "string
matching". I want to block a particular string (ex: "test") and not filter
by S/SA or other tcp flags
@john: I was thinking about something similar

I will let you know once I finish reading and testing.
thx for your opinions and more are welcomed :)

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 14:42:35 2010
From: Rafael Henrique Faria
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 11:12:42 -0300
Subject: Unknown Behavior of PF+ALTQ on a Bridge

Hi.

I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch.
I have several subnetworks, and I need to balance the bandwidth between them.

The Bridge is running: "FreeBSD dell05 8.1-PRERELEASE FreeBSD
8.1-PRERELEASE #0: Tue Jun 22 13:59:17 BRT 2010
rafaelhfaria@dell05:/usr/obj/usr/src/sys/BRIDGE  amd64"

I have the following lines in /boot/loader.conf:
---
net.graph.maxalloc=512
net.graph.maxdgram=45000
net.graph.recvspace=45000
bridgestp_load="YES"
if_vlan_load="YES"
---

And my kernel is compiled with:
device          if_bridge
device          pf
device          pflog
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC
options         DEVICE_POLLING
options         HZ=1000
options         SHMSEG=16
options         SHMMNI=32
options         SHMMAX=2097152
options         SHMALL=4096
options         MAXFILES=8192

And the bridge configuration:
cloned_interfaces="bridge0 vlan1"
ifconfig_bridge0="addm bce0 stp bce0 addm bce1 stp bce1 up"
ifconfig_bce0="polling up"
ifconfig_bce1="polling up"
ifconfig_vlan1="inet 200.x.x.x netmask 0xFFFFFF00 broadcast
200.x.x.255 vlan 1 vlandev bce1"

bce0 is connected to the Cisco 7200 ($wan_if in pf)
bce1 is connected to the 3Com 7900 ($lan_if in pf)

And my sysctl for bridge:
dell05# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0
dell05#

Ok...

Now, the problem.

With the following queue:
altq on $lan_if bandwidth 33Mb hfsc queue { down_sub1, down_sub2,
down_sub3, down_sub4, down_def }
   queue down_sub1   bandwidth 8Mb priority 1 qlimit 300 hfsc (
realtime 3.20Mb upperlimit 22.40Mb )
   queue down_sub2   bandwidth 8Mb priority 1 qlimit 300 hfsc (
realtime 3.20Mb upperlimit 22.40Mb )
   queue down_sub3   bandwidth 8Mb priority 1 qlimit 300 hfsc (
realtime 3.20Mb upperlimit 22.40Mb )
   queue down_sub4   bandwidth 8Mb priority 1 qlimit 300 hfsc (
realtime 3.20Mb upperlimit 22.40Mb )
   queue down_def    bandwidth 128Kb hfsc ( default )

And with the following rules:
pass in  log quick on $lan_if from to any keep state queue ( down_sub1 )
pass out log quick on $wan_if from to any keep state queue ( up_sub1 )
pass in  log quick on $wan_if from any to keep state queue ( up_sub1 )
pass out log quick on $lan_if from any to keep state queue ( down_sub1 )

(..) for each I have the pass rules like those.


With the full use of the link, only a small part of the traffic gets
into the correct queue.

queue root_bce1 on bce1 bandwidth 33Mb priority 0 {down_sub1,
down_sub2, down_sub3, down_sub4, down_def}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  down_sub1 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
3.20Mb upperlimit 22.40Mb )
  [ pkts:      53177  bytes:   50082785  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/300 ]
  [ measured:   364.5 packets/s, 2.81Mb/s ]
queue  down_sub2 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
3.20Mb upperlimit 22.40Mb )
  [ pkts:      90724  bytes:   79670459  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/300 ]
  [ measured:   744.6 packets/s, 5.20Mb/s ]
queue  down_sub3 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
3.20Mb upperlimit 22.40Mb )
  [ pkts:      38333  bytes:   37384626  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/300 ]
  [ measured:   285.2 packets/s, 2.35Mb/s ]
queue  down_sub4 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
3.20Mb upperlimit 22.40Mb )
  [ pkts:      80385  bytes:   69021129  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/300 ]
  [ measured:   585.1 packets/s, 3.92Mb/s ]
queue  down_def on bce1 bandwidth 128Kb hfsc( default )
  [ pkts:     268756  bytes:  336423531  dropped pkts:    121 bytes:  81921 ]
  [ qlength:   0/ 50 ]
  [ measured:  1615.4 packets/s, 16.49Mb/s ]

Watching the pflog interface, I can see that the pass rules are
working, no traffic is getting out of one of the rules (I have put a
"pass log all" to check this).

All the rules are working... but they aren't sending the traffic to
the specified queue.

If someone has a clue for this...
Any suggestions are welcome.

Thanks in advance.
--
Rafael Henrique da Silva Faria
Grupo de Sistemas e Redes
Serviço Técnico de Informática
Faculdade de Ciências e Letras do Campus de Araraquara - UNESP

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 17:04:39 2010
From: Ermal Luçi
To: Rafael Henrique Faria
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 18:04:17 +0100
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria wrote:
> Hi.
>
> I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch.
> I have several subnetworks, and I need to balance the bandwidth between them.
>
> The Bridge is running: "FreeBSD dell05 8.1-PRERELEASE FreeBSD
> 8.1-PRERELEASE #0: Tue Jun 22 13:59:17 BRT 2010
> rafaelhfaria@dell05:/usr/obj/usr/src/sys/BRIDGE  amd64"
>
> I have the following lines in /boot/loader.conf:
> ---
> net.graph.maxalloc=512
> net.graph.maxdgram=45000
> net.graph.recvspace=45000
> bridgestp_load="YES"
> if_vlan_load="YES"
> ---
>
> And my kernel is compiled with:
> device          if_bridge
> device          pf
> device          pflog
> options         ALTQ
> options         ALTQ_CBQ
> options         ALTQ_RED
> options         ALTQ_RIO
> options         ALTQ_HFSC
> options         ALTQ_PRIQ
> options         ALTQ_NOPCC
> options         DEVICE_POLLING
> options         HZ=1000
> options         SHMSEG=16
> options         SHMMNI=32
> options         SHMMAX=2097152
> options         SHMALL=4096
> options         MAXFILES=8192
>
> And the bridge configuration:
> cloned_interfaces="bridge0 vlan1"
> ifconfig_bridge0="addm bce0 stp bce0 addm bce1 stp bce1 up"
> ifconfig_bce0="polling up"
> ifconfig_bce1="polling up"
> ifconfig_vlan1="inet 200.x.x.x netmask 0xFFFFFF00 broadcast
> 200.x.x.255 vlan 1 vlandev bce1"
>
> bce0 is connected to the Cisco 7200 ($wan_if in pf)
> bce1 is connected to the 3Com 7900 ($lan_if in pf)
>
> And my sysctl for bridge:
> dell05# sysctl net.link.bridge
> net.link.bridge.ipfw: 0
> net.link.bridge.inherit_mac: 0
> net.link.bridge.log_stp: 0
> net.link.bridge.pfil_local_phys: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_onlyip: 0
> dell05#
>
> Ok...
>
> Now, the problem.
>
> With the following queue:
> altq on $lan_if bandwidth 33Mb hfsc queue { down_sub1, down_sub2,
> down_sub3, down_sub4, down_def }
>    queue down_sub1   bandwidth 8Mb priority 1 qlimit 300 hfsc (
> realtime 3.20Mb upperlimit 22.40Mb )
>    queue down_sub2   bandwidth 8Mb priority 1 qlimit 300 hfsc (
> realtime 3.20Mb upperlimit 22.40Mb )
>    queue down_sub3   bandwidth 8Mb priority 1 qlimit 300 hfsc (
> realtime 3.20Mb upperlimit 22.40Mb )
>    queue down_sub4   bandwidth 8Mb priority 1 qlimit 300 hfsc (
> realtime 3.20Mb upperlimit 22.40Mb )
>    queue down_def    bandwidth 128Kb hfsc ( default )
>
> And with the following rules:
> pass in  log quick on $lan_if from to any keep state queue ( down_sub1 )
> pass out log quick on $wan_if from to any keep state queue ( up_sub1 )
> pass in  log quick on $wan_if from any to keep state queue ( up_sub1 )
> pass out log quick on $lan_if from any to keep state queue ( down_sub1 )
>
> (..) for each I have the pass rules like those.
>
>
> With the full use of the link, only a small part of the traffic gets
> into the correct queue.
>
> queue root_bce1 on bce1 bandwidth 33Mb priority 0 {down_sub1,
> down_sub2, down_sub3, down_sub4, down_def}
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue  down_sub1 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
> 3.20Mb upperlimit 22.40Mb )
>   [ pkts:      53177  bytes:   50082785  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/300 ]
>   [ measured:   364.5 packets/s, 2.81Mb/s ]
> queue  down_sub2 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
> 3.20Mb upperlimit 22.40Mb )
>   [ pkts:      90724  bytes:   79670459  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/300 ]
>   [ measured:   744.6 packets/s, 5.20Mb/s ]
> queue  down_sub3 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
> 3.20Mb upperlimit 22.40Mb )
>   [ pkts:      38333  bytes:   37384626  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/300 ]
>   [ measured:   285.2 packets/s, 2.35Mb/s ]
> queue  down_sub4 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
> 3.20Mb upperlimit 22.40Mb )
>   [ pkts:      80385  bytes:   69021129  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/300 ]
>   [ measured:   585.1 packets/s, 3.92Mb/s ]
> queue  down_def on bce1 bandwidth 128Kb hfsc( default )
>   [ pkts:     268756  bytes:  336423531  dropped pkts:    121 bytes:  81921 ]
>   [ qlength:   0/ 50 ]
>   [ measured:  1615.4 packets/s, 16.49Mb/s ]
>
> Watching the pflog interface, I can see that the pass rules are
> working, no traffic is getting out of one of the rules (I have put a
> "pass log all" to check this).
>
> All the rules are working... but they aren't sending the traffic to
> the specified queue.
>
> If someone has a clue for this...
> Any suggestions are welcome.
>
> Thanks in advance.

Sorry but I do not see any evidence that what you claim is true!

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 17:18:31 2010
From: Rafael Henrique Faria
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 14:18:07 -0300
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

On Thu, Jun 24, 2010 at 14:04, Ermal Luçi wrote:
> On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria
> wrote:
>> Hi.
>>
>> I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch.
>> I have several subnetworks, and I need to balance the bandwidth between them.
>>
>> The Bridge is running: "FreeBSD dell05 8.1-PRERELEASE FreeBSD
>> 8.1-PRERELEASE #0: Tue Jun 22 13:59:17 BRT 2010
>> rafaelhfaria@dell05:/usr/obj/usr/src/sys/BRIDGE  amd64"
>>
>> I have the following lines in /boot/loader.conf:
>> ---
>> net.graph.maxalloc=512
>> net.graph.maxdgram=45000
>> net.graph.recvspace=45000
>> bridgestp_load="YES"
>> if_vlan_load="YES"
>> ---
>>
>> And my kernel is compiled with:
>> device          if_bridge
>> device          pf
>> device          pflog
>> options         ALTQ
>> options         ALTQ_CBQ
>> options         ALTQ_RED
>> options         ALTQ_RIO
>> options         ALTQ_HFSC
>> options         ALTQ_PRIQ
>> options         ALTQ_NOPCC
>> options         DEVICE_POLLING
>> options         HZ=1000
>> options         SHMSEG=16
>> options         SHMMNI=32
>> options         SHMMAX=2097152
>> options         SHMALL=4096
>> options         MAXFILES=8192
>>
>> And the bridge configuration:
>> cloned_interfaces="bridge0 vlan1"
>> ifconfig_bridge0="addm bce0 stp bce0 addm bce1 stp bce1 up"
>> ifconfig_bce0="polling up"
>> ifconfig_bce1="polling up"
>> ifconfig_vlan1="inet 200.x.x.x netmask 0xFFFFFF00 broadcast
>> 200.x.x.255 vlan 1 vlandev bce1"
>>
>> bce0 is connected to the Cisco 7200 ($wan_if in pf)
>> bce1 is connected to the 3Com 7900 ($lan_if in pf)
>>
>> And my sysctl for bridge:
>> dell05# sysctl net.link.bridge
>> net.link.bridge.ipfw: 0
>> net.link.bridge.inherit_mac: 0
>> net.link.bridge.log_stp: 0
>> net.link.bridge.pfil_local_phys: 1
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 0
>> net.link.bridge.ipfw_arp: 0
>> net.link.bridge.pfil_onlyip: 0
>> dell05#
>>
>> Ok...
>>
>> Now, the problem.
>>
>> With the following queue:
>> altq on $lan_if bandwidth 33Mb hfsc queue { down_sub1, down_sub2,
>> down_sub3, down_sub4, down_def }
>>    queue down_sub1   bandwidth 8Mb priority 1 qlimit 300 hfsc (
>> realtime 3.20Mb upperlimit 22.40Mb )
>>    queue down_sub2   bandwidth 8Mb priority 1 qlimit 300 hfsc (
>> realtime 3.20Mb upperlimit 22.40Mb )
>>    queue down_sub3   bandwidth 8Mb priority 1 qlimit 300 hfsc (
>> realtime 3.20Mb upperlimit 22.40Mb )
>>    queue down_sub4   bandwidth 8Mb priority 1 qlimit 300 hfsc (
>> realtime 3.20Mb upperlimit 22.40Mb )
>>    queue down_def    bandwidth 128Kb hfsc ( default )
>>
>> And with the following rules:
>> pass in  log quick on $lan_if from to any keep state queue ( down_sub1 )
>> pass out log quick on $wan_if from to any keep state queue ( up_sub1 )
>> pass in  log quick on $wan_if from any to keep state queue ( up_sub1 )
>> pass out log quick on $lan_if from any to keep state queue ( down_sub1 )
>>
>> (..) for each I have the pass rules like those.
>>
>>
>> With the full use of the link, only a small part of the traffic gets
>> into the correct queue.
>>
>> queue root_bce1 on bce1 bandwidth 33Mb priority 0 {down_sub1,
>> down_sub2, down_sub3, down_sub4, down_def}
>>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/ 50 ]
>>   [ measured:     0.0 packets/s, 0 b/s ]
>> queue  down_sub1 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
>> 3.20Mb upperlimit 22.40Mb )
>>   [ pkts:      53177  bytes:   50082785  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/300 ]
>>   [ measured:   364.5 packets/s, 2.81Mb/s ]
>> queue  down_sub2 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
>> 3.20Mb upperlimit 22.40Mb )
>>   [ pkts:      90724  bytes:   79670459  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/300 ]
>>   [ measured:   744.6 packets/s, 5.20Mb/s ]
>> queue  down_sub3 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
>> 3.20Mb upperlimit 22.40Mb )
>>   [ pkts:      38333  bytes:   37384626  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/300 ]
>>   [ measured:   285.2 packets/s, 2.35Mb/s ]
>> queue  down_sub4 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime
>> 3.20Mb upperlimit 22.40Mb )
>>   [ pkts:      80385  bytes:   69021129  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/300 ]
>>   [ measured:   585.1 packets/s, 3.92Mb/s ]
>> queue  down_def on bce1 bandwidth 128Kb hfsc( default )
>>   [ pkts:     268756  bytes:  336423531  dropped pkts:    121 bytes:  81921 ]
>>   [ qlength:   0/ 50 ]
>>   [ measured:  1615.4 packets/s, 16.49Mb/s ]
>>
>> Watching the pflog interface, I can see that the pass rules are
>> working, no traffic is getting out of one of the rules (I have put a
>> "pass log all" to check this).
>>
>> All the rules are working... but they aren't sending the traffic to
>> the specified queue.
>>
>> If someone has a clue for this...
>> Any suggestions are welcome.
>>
>> Thanks in advance.
>
> Sorry but I do not see any evidence that what you claim is true!
>
> --
> Ermal
>

My subnets are all /24, so

table const { 200.x.1.0/24 }
table const { 200.x.2.0/24 }
table const { 200.x.3.0/24 }
table const { 200.x.4.0/24 }

In my network, I only have those subnets.

With:

pass all from to any queue sub1
pass all from any to queue sub1
pass all from to any queue sub2
pass all from any to queue sub2
pass all from to any queue sub3
pass all from any to queue sub3
pass all from to any queue sub4
pass all from any to queue sub4
pass all (sent to default queue)

The queues have to get all the traffic from my network. But they don't.

If I put a log option on the last "pass all" rule, and do a tcpdump on
pflog0, no packet is shown. So, the rules are working OK.

But with "pfctl -vvs queue", it shows:

sub1: 2.81Mb/s
sub2: 5.20Mb/s
sub3: 2.35Mb/s
sub4: 3.92Mb/s
default: 16.49Mb/s

As I understand it, with the pass rules, all the traffic from those
subnets needs to get into that queue. So... with the pass rule for the
first table, all the traffic data from that subnet needs to get into the
queue sub1, the same with sub2, sub3, and sub4.

But why do I have high traffic in the default queue? There is no packet
at the last "pass all" rule. So, no packet is missing the other rules.

What I want is to get all the traffic from 200.x.1.0/24 into the sub1
queue, and get it limited by this queue, not the default queue. And
again, the same with sub2-4.

I'm using HFSC, but I'll try with CBQ.
--
Rafael Henrique da Silva Faria
Grupo de Sistemas e Redes
Serviço Técnico de Informática
Faculdade de Ciências e Letras do Campus de Araraquara - UNESP

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 19:42:36 2010
From: Rafael Henrique Faria
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 16:42:15 -0300
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

Just to be more clear:

My pf.conf:
----
wan_if="bce0"

set limit { states 100000, frags 20000 }
set loginterface $wan_if
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo

altq on $wan_if cbq bandwidth 100% queue { out_bal, out_std }
   queue out_bal bandwidth 50% priority 0 cbq
   queue out_std bandwidth 50% priority 0 cbq (default borrow)

pass out on $wan_if queue (out_bal)
----

The "pfctl -vvs queue" shows:

----
queue root_bce0 on bce0 bandwidth 1Gb priority 0 cbq( wrr root )
{out_bal, out_std}
  [ pkts:      50117  bytes:   13947411  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  3869.4 packets/s, 8.31Mb/s ]
queue  out_bal on bce0 bandwidth 500Mb priority 0
  [ pkts:      33198  bytes:    7175985  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  2591.3 packets/s, 4.36Mb/s ]
queue  out_std on bce0 bandwidth 500Mb priority 0 cbq( borrow default )
  [ pkts:      16919  bytes:    6771426  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  1278.1 packets/s, 3.95Mb/s ]
----

So, my question is: why is the default queue being used, if I have a
rule to use the out_bal queue for all outgoing traffic on that
interface?

I need to redirect all the traffic from a subnet (/24) to one queue
(incoming and outgoing traffic)... so what I can understand is that
this is not possible with PF+ALTQ. Am I wrong?

--
Rafael Henrique da Silva Faria
Grupo de Sistemas e Redes
Serviço Técnico de Informática
Faculdade de Ciências e Letras do Campus de Araraquara - UNESP

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 21:00:07 2010
From: Michal Buchtik
To: freebsd-pf@freebsd.org
Date: Thu, 24 Jun 2010 22:41:16 +0200
Message-ID: <4C23C2EC.8060102@borsice.net>
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

Hi,

On 2010/06/24 21:42, Rafael Henrique Faria wrote:
> So, my question is: why is the default queue being used, if I have a
> rule to use the out_bal queue for all outgoing traffic on that
> interface?
>
> I need to redirect all the traffic from a subnet (/24) to one queue
> (incoming and outgoing traffic)... so what I can understand is that
> this is not possible with PF+ALTQ. Am I wrong?
>

I never tried pf on a bridge, only on a router. You must create queues on
every interface (only outgoing packets are queued) and pass rules on every
interface too. The states created then direct packets to the right queue.
Try something like: pass in log quick on $lan_if from to any tag SUB1_UP keep state queue ( down_sub1 ) pass out log quick on $wan_if tagged SUB1_UP keep state queue (up_sub1) pass in log quick on $wan_if from any to tag SUB1_DOWN keep state queue ( up_sub1 ) pass out log quick on $lan_if tagged SUB1_DOWN keep state queue ( down_sub1 ) or try "no state", but with performance decrease. This is only working solution I found (on router). From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 21:56:44 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E2BC1065672; Thu, 24 Jun 2010 21:56:44 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-ww0-f54.google.com (mail-ww0-f54.google.com [74.125.82.54]) by mx1.freebsd.org (Postfix) with ESMTP id CB22E8FC27; Thu, 24 Jun 2010 21:56:43 +0000 (UTC) Received: by wwb24 with SMTP id 24so2186449wwb.13 for ; Thu, 24 Jun 2010 14:56:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:sender:received :in-reply-to:references:from:date:x-google-sender-auth:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=wD1oRSZfP1a5y7IaM9wR/7WCxuEBtU2HdNn21x1vmYg=; b=tCj7GlODijDxEbllFU0GZfic5Ny884w98wp7Q5q5Tq4NwFp2Q2/+slNtTiV1FJIetH ImyPJ5rd41E02BhTkS9IiorS04l+tV0z/Hjb9V6moIdv4g08b8IVcdrDx8R6PajVrYlx 0eipnpV+LtRo12XqhX3sw71+vhTXYE7HfJknk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=xSWGe6WJFjUcuL+YmwBaEaLg2xg3qLr6NiM9Qf4ztS34yl4/kJmqzixaUQoytEX3ol v0uTYF1QaM+b+H7duCMYg5Po2zA6JlSxkvKiBK2Oa7dkjaLGhSrgNPQXOnaSjqEDntWR s5enggk0AKRsvisiczRviv4lq2FA4pEfljBmU= Received: by 10.216.85.17 with SMTP id t17mr7919192wee.30.1277416602262; Thu, 24 Jun 2010 14:56:42 -0700 (PDT) 
From: Ermal Luçi
Date: Thu, 24 Jun 2010 23:56:22 +0200
To: Rafael Henrique Faria
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

2010/6/24 Rafael Henrique Faria :
> Just to be more clear:
>
> My pf.conf:
> ----
> wan_if="bce0"
>
> set limit { states 100000, frags 20000 }
> set loginterface $wan_if
> set optimization normal
> set block-policy drop
> set fingerprints "/etc/pf.os"
> set skip on lo
>
> altq on $wan_if cbq bandwidth 100% queue { out_bal, out_std }
>   queue out_bal bandwidth 50% priority 0 cbq
>   queue out_std bandwidth 50% priority 0 cbq (default borrow)
>
> pass out on $wan_if queue (out_bal)
> ----
>
The problem is that this rule will not match any traffic that initiated as incoming on $wan_if.

Try this instead:
  pass out all queue (out_bal)

It will do the magic.

> The "pfctl -vvs queue" shows:
>
> ----
> queue root_bce0 on bce0 bandwidth 1Gb priority 0 cbq( wrr root ) {out_bal, out_std}
>   [ pkts:      50117  bytes:   13947411  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:  3869.4 packets/s, 8.31Mb/s ]
> queue  out_bal on bce0 bandwidth 500Mb priority 0
>   [ pkts:      33198  bytes:    7175985  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:  2591.3 packets/s, 4.36Mb/s ]
> queue  out_std on bce0 bandwidth 500Mb priority 0 cbq( borrow default )
>   [ pkts:      16919  bytes:    6771426  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:  1278.1 packets/s, 3.95Mb/s ]
> ----
>
> So, my question is: why is the default queue being used, if I have a
> rule to use the out_bal queue for all outgoing traffic on that
> interface?
>
> I need to redirect all the traffic from a subnet (/24) to one queue
> (incoming and outgoing traffic)... so what I can understand is that
> this is not possible with PF+ALTQ. Am I wrong?
>
> --
> Rafael Henrique da Silva Faria
> Grupo de Sistemas e Redes
>
> Serviço Técnico de Informática
> Faculdade de Ciências e Letras do Campus de Araraquara - UNESP
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 24 23:01:38 2010
From: Rafael Henrique Faria
Date: Thu, 24 Jun 2010 20:01:17 -0300
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

On Thu, Jun 24, 2010 at 18:56, Ermal Luçi wrote:
> 2010/6/24 Rafael Henrique Faria :
>> Just to be more clear:
>>
>> My pf.conf:
>> ----
>> wan_if="bce0"
>>
>> set limit { states 100000, frags 20000 }
>> set loginterface $wan_if
>> set optimization normal
>> set block-policy drop
>> set fingerprints "/etc/pf.os"
>> set skip on lo
>>
>> altq on $wan_if cbq bandwidth 100% queue { out_bal, out_std }
>>   queue out_bal bandwidth 50% priority 0 cbq
>>   queue out_std bandwidth 50% priority 0 cbq (default borrow)
>>
>> pass out on $wan_if queue (out_bal)
>> ----
>>
> The problem is that this rule will not match any traffic that
> initiated as incoming on $wan_if.
>
> Try this instead:
>   pass out all queue (out_bal)
>
> It will do the magic.

I tried it... but nothing changes... the same behavior.

queue root_bce0 on bce0 bandwidth 1Gb priority 0 cbq( wrr root ) {out_bal, out_std}
  [ pkts:      76573  bytes:   14784373  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  2774.1 packets/s, 4.15Mb/s ]
queue  out_bal on bce0 bandwidth 500Mb priority 0
  [ pkts:      27413  bytes:    8197630  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  1040.4 packets/s, 2.34Mb/s ]
queue  out_std on bce0 bandwidth 500Mb priority 0 cbq( borrow default )
  [ pkts:      49160  bytes:    6586743  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:  1733.7 packets/s, 1.81Mb/s ]

I have tried a lot of rules... including:

pass all queue out_bal

But without success... If this is not the regular behavior of PF+ALTQ, my suspicion is on the Bridge itself...
>> The "pfctl -vvs queue" shows:
>>
>> ----
>> queue root_bce0 on bce0 bandwidth 1Gb priority 0 cbq( wrr root ) {out_bal, out_std}
>>   [ pkts:      50117  bytes:   13947411  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>>   [ measured:  3869.4 packets/s, 8.31Mb/s ]
>> queue  out_bal on bce0 bandwidth 500Mb priority 0
>>   [ pkts:      33198  bytes:    7175985  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>>   [ measured:  2591.3 packets/s, 4.36Mb/s ]
>> queue  out_std on bce0 bandwidth 500Mb priority 0 cbq( borrow default )
>>   [ pkts:      16919  bytes:    6771426  dropped pkts:      0 bytes:      0 ]
>>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>>   [ measured:  1278.1 packets/s, 3.95Mb/s ]
>> ----
>>
>> So, my question is: why is the default queue being used, if I have a
>> rule to use the out_bal queue for all outgoing traffic on that
>> interface?
>>
>> I need to redirect all the traffic from a subnet (/24) to one queue
>> (incoming and outgoing traffic)... so what I can understand is that
>> this is not possible with PF+ALTQ. Am I wrong?
>>
>> --
>> Rafael Henrique da Silva Faria
>> Grupo de Sistemas e Redes
>>
>> Serviço Técnico de Informática
>> Faculdade de Ciências e Letras do Campus de Araraquara - UNESP
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>
>
>
> --
> Ermal
>

--
Rafael Henrique da Silva Faria
Grupo de Sistemas e Redes

Serviço Técnico de Informática
Faculdade de Ciências e Letras do Campus de Araraquara - UNESP
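The two pieces of advice in this thread fit together once one keeps in mind how pf and ALTQ interact: a pass rule with keep state creates a state on each interface the packet crosses, later packets of that flow match the state instead of the ruleset, and the queue stored in the state is applied on the interface the packet leaves. A queue defined only on $wan_if can therefore never hold the subnet's downloads, which leave on the other bridge member, and a "pass out on $wan_if" rule never sees replies to connections whose state was created by an "in" rule on $wan_if. The following pf.conf is an added example that applies the tag/tagged scheme from the first message to a two-port bridge; it is not the configuration of any poster. bce0 is Rafael's $wan_if; the second member bce1, the bridge name bridge0, the table name <sub1>, the 192.0.2.0/24 subnet and the bandwidths are assumptions.

```pf
# Added example (not from the thread): queue both directions of one subnet
# on a two-port if_bridge.  bce1, bridge0, <sub1> and 192.0.2.0/24 are
# placeholders chosen for this example.
wan_if="bce0"                         # bridge member facing upstream
lan_if="bce1"                         # bridge member facing the subnet (assumed)
table <sub1> const { 192.0.2.0/24 }   # the /24 to be queued (placeholder, RFC 5737 range)

set skip on lo
# net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both default
# to 1, so without this line every packet is evaluated twice: once on the
# member and once on bridge0.  Keep states and queues on the members only.
set skip on bridge0

# ALTQ queues belong to the interface a packet LEAVES.  The subnet's uploads
# leave on $wan_if, its downloads leave on $lan_if, so each member needs its
# own queue set; a single "altq on $wan_if" cannot shape the download side.
altq on $wan_if cbq bandwidth 1Gb queue { up_sub1, up_std }
  queue up_sub1 bandwidth 50% cbq
  queue up_std  bandwidth 50% cbq(default borrow)

altq on $lan_if cbq bandwidth 1Gb queue { down_sub1, down_std }
  queue down_sub1 bandwidth 50% cbq
  queue down_std  bandwidth 50% cbq(default borrow)

# Subnet -> upstream.  The "in" rule creates the $lan_if state; the replies
# that leave $lan_if through that state are queued in down_sub1.  The tag
# rides on the packet across the bridge, so the "out" rule on $wan_if matches
# it and creates the $wan_if state, whose queue (up_sub1) shapes the uploads.
pass in  quick on $lan_if from <sub1> to any tag SUB1_UP keep state queue (down_sub1)
pass out quick on $wan_if tagged SUB1_UP keep state queue (up_sub1)

# Upstream -> subnet: the mirror image for connections initiated from outside.
pass in  quick on $wan_if from any to <sub1> tag SUB1_DOWN keep state queue (up_sub1)
pass out quick on $lan_if tagged SUB1_DOWN keep state queue (down_sub1)

# Everything else lands in the default queue of whichever member it leaves.
pass in  quick all keep state
pass out quick all keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, then watch "pfctl -vvs queue": with traffic to and from the subnet, the pkts counters of up_sub1 on bce0 and of down_sub1 on bce1 should both move, and "pfctl -ss" shows two states per forwarded flow, one per member, each carrying the queue its rule assigned. The "no state" variant mentioned in the first message makes every packet go through the ruleset on every interface, which is why a plain "pass out" queue rule works with it, but it also discards pf's per-flow tracking (TCP sequence checking, source tracking, state limits), so the stateful tagged form above is the one to prefer.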