From owner-freebsd-pf@freebsd.org Sun Jul 5 15:40:13 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 286FAA44A for ; Sun, 5 Jul 2015 15:40:13 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from oneyou.mcmli.com (oneyou.mcmli.com [IPv6:2607:f2f8:af30::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "oneyou.mcmli.com", Issuer "RapidSSL SHA256 CA - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0EF221197 for ; Sun, 5 Jul 2015 15:40:12 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from sentry.24cl.com (sentry.24cl.com [IPv6:2001:558:6017:a2:c48f:b89e:4255:ea63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "sentry.24cl.com", Issuer "Mike's Certificate Authority" (verified OK)) by oneyou.mcmli.com (Postfix) with ESMTPS id 3mPZ3X4zMyzP8x0 for ; Sun, 5 Jul 2015 11:40:08 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mgm51.com; s=mgm51-02; t=1436110808; bh=9dmc0rY7Ad6PQEgfckVGy3F8wsoG0IQ3ThRNc9oy9QA=; h=To:From:Subject:Message-ID:Date; b=CH2SJZHw7N9PDhUgltbjmO3DKEno00fAOXamfFq09AOgFxqjXkpXAYsXsK9HfmJ65 RsLuJxhn/8AXl4ymFeUjuWPjwI/9v5xFFuWY1kC1KBvh9RqsA1vHsuCIuFwfUOVmLT WHE+tP37DWuSp1grY8sOav4k7yXRAr0eSlZSXUNe2+lGJYz5Kf4SFTc+5YOR3H+VOE Sg3sVH3orF4sWFG69MlzQ/EdCaeAMWdKkHuRjaiRZXPL8WrTV5vO7Axb0yz3iWx5Yy Pk5miVpFzSloye/L3wnHRO0KqWW8X+tjluGIDZFhmyRlzy+UcH3C4he1NBibcp9gVB 6nokBXpLk52/g== Received: from [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85] (unknown [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85]) by sentry.24cl.com (Postfix) with ESMTP id 3mPZ3W45bDz1nYR for ; Sun, 5 Jul 2015 11:40:07 -0400 (EDT) To: freebsd-pf@freebsd.org From: Mike Subject: counters for addresses in pfctl show table Message-ID: <55994FD7.5020200@mgm51.com> Date: Sun, 5 Jul 2015 11:40:07 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Jul 2015 15:40:13 -0000 10.1-RELEASE-p12 FreeBSD 10.1-RELEASE-p12 #0 r284495 I have a question about the stats in pfctl. The man page for pfctl has the following example: # pfctl -t test -vTshow 129.128.5.191 Cleared: Thu Feb 13 18:55:18 2003 In/Block: [ Packets: 0 Bytes: 0 ] In/Pass: [ Packets: 10 Bytes: 840 ] Out/Block: [ Packets: 0 Bytes: 0 ] Out/Pass: [ Packets: 10 Bytes: 840 ] Yet, when I run that same command, I do not get the counters: # pfctl -t FullBlock -vTshow No ALTQ support in kernel ALTQ related functions disabled 1.5.0.0/16 Cleared: Wed Jun 17 11:46:41 2015 14.23.51.0/24 Cleared: Wed Jun 17 11:46:41 2015 What do I need to do in order to see the counters for the individual addresses in a table? Is AltQ support needed? From owner-freebsd-pf@freebsd.org Sun Jul 5 16:08:15 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 47271A890 for ; Sun, 5 Jul 2015 16:08:15 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 083201F2C for ; Sun, 5 Jul 2015 16:08:14 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by igblr2 with SMTP id lr2so100275984igb.0 for ; Sun, 05 Jul 2015 09:08:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=rsa; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Tyfd6GgxNN/pw99oH0fz2YKLM24cWNVMUNwPC7yifSY=; b=BLuXgtHb+kE0pbB6gNJCjrHiLEdsTYpfDXPdNE8KVSt0abZFq3K0A4k8p4I+7dVnxO MIOiNE0cnr2isoBNnpcc/HYPudz1qBDUU7jgGgPf2XwMLI3ZAK0gxcVbFBZNa1Njy4fR jeHMSTRI4QtLGpxcUu1MO4X+/Smp5DYOGh6MU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=Tyfd6GgxNN/pw99oH0fz2YKLM24cWNVMUNwPC7yifSY=; b=UKErL0Clv/V0r1c0TYgREEb3xxx3gKbDtapi/Cg5zbrFkaSooZjtK2Az5JmVOFoHFM V5XdcmrEZLwzyS2bZSmrtS5F1GfRyDt6LQFcwSEDoPdgJ0CbUmHKki4o59VbfsP6yx8N +/R+yx1bMx1Q8mPuwU0r3Ry1n+7AO7Fs0FX2LT6rpxSLP8Cx0SiE+ZXhLTNw2fb49BKd zWw9y3BiNpP3n5Kt//igVy6J0PuDSASrNkEGj2Yeqbrgzj2oh7ENMNQLSDnDDcI/NkR/ jzZ8ZWkNBHOn6AjrPw/UaOS+/jVps0RYtcDRhRTWZoHtihb9pVRNFklPngE4wsbTaFB3 42dA== X-Gm-Message-State: ALoCoQkN4NtL8n2JT+nyE1GWXZPqeWDazi6uSiC96T9Ug/m5feVN0k8+QwdwpjWavFMoi28562il X-Received: by 10.50.43.197 with SMTP id y5mr7418562igl.27.1436112493934; Sun, 05 Jul 2015 09:08:13 -0700 (PDT) Received: from [172.31.32.31] (cpe-65-26-235-118.wi.res.rr.com. [65.26.235.118]) by mx.google.com with ESMTPSA id y98sm2824117ioi.25.2015.07.05.09.08.12 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 05 Jul 2015 09:08:13 -0700 (PDT) Content-Type: multipart/signed; boundary=Apple-Mail-4555ECEF-CBA5-45BB-A0DB-C93501A341DC; protocol="application/pkcs7-signature"; micalg=sha1 Mime-Version: 1.0 (1.0) Subject: Re: counters for addresses in pfctl show table From: Jason Hellenthal X-Mailer: iPhone Mail (12H143) In-Reply-To: <55994FD7.5020200@mgm51.com> Date: Sun, 5 Jul 2015 11:08:08 -0500 Cc: "freebsd-pf@freebsd.org" Content-Transfer-Encoding: 7bit Message-Id: <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> References: <55994FD7.5020200@mgm51.com> To: Mike X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Jul 2015 16:08:15 -0000 --Apple-Mail-4555ECEF-CBA5-45BB-A0DB-C93501A341DC Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Add more -v's -- Jason Hellenthal JJH48-ARIN On Jul 5, 2015, at 10:40, Mike wrote: 10.1-RELEASE-p12 FreeBSD 10.1-RELEASE-p12 #0 r284495 I have a question about the stats in pfctl. The man page for pfctl has the following example: # pfctl -t test -vTshow 129.128.5.191 Cleared: Thu Feb 13 18:55:18 2003 In/Block: [ Packets: 0 Bytes: 0 ] In/Pass: [ Packets: 10 Bytes: 840 ] Out/Block: [ Packets: 0 Bytes: 0 ] Out/Pass: [ Packets: 10 Bytes: 840 ] Yet, when I run that same command, I do not get the counters: # pfctl -t FullBlock -vTshow No ALTQ support in kernel ALTQ related functions disabled 1.5.0.0/16 Cleared: Wed Jun 17 11:46:41 2015 14.23.51.0/24 Cleared: Wed Jun 17 11:46:41 2015 What do I need to do in order to see the counters for the individual addresses in a table? Is AltQ support needed? _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" --Apple-Mail-4555ECEF-CBA5-45BB-A0DB-C93501A341DC Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIUOTCCBjAw ggUYoAMCAQICAw6W0jANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0 YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcx ODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENB MB4XDTE1MDcwMzExMTMyMVoXDTE2MDcwMzEyMjIwM1owSDEfMB0GA1UEAwwWamhlbGxlbnRoYWxA ZGF0YWl4Lm5ldDElMCMGCSqGSIb3DQEJARYWamhlbGxlbnRoYWxAZGF0YWl4Lm5ldDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANMXq02HR+BljYCjZJTVlR/2hn9XFql0LWbc/aPCZCi1 1mL80ZIxRPPGybBoAaW5zAp8xjjvlJ02hyd4UoGv/smER7gnd6Scc9k9/SOBeH45hfYODfZeOWmr eD/S8D57hvHq3V1Tr1snDxoZGM+tq2yZ3MXlRBsYMvFcKlcMr0Qk6HGQqm6jdaDdAxtqqKIlUpdJ 2YSwEkn3BugJENzaF2iGAxf2unVcLJuY/lLXlCaC3zNz4v39AnImoJd1MpofddkvqT9xWrP/hMMs o71BfUxExnC25Z/QL0ZMKVl0IrWeGSOx+HoyrFt6FzLy+OMreI9UAP+8Fz7qH1qOW2KQmQsCAwEA AaOCAtwwggLYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr BgEFBQcDBDAdBgNVHQ4EFgQUxH7NhPrszRiJ4VHZkB013iqDI/owHwYDVR0jBBgwFoAUU3Ltkpzg 2ssBXHx+ljVO8tS4UYIwIQYDVR0RBBowGIEWamhlbGxlbnRoYWxAZGF0YWl4Lm5ldDCCAUwGA1Ud IASCAUMwggE/MIIBOwYLKwYBBAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0 YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZp Y2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29y ZGluZyB0byB0aGUgQ2xhc3MgMSBWYWxpZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRD b20gQ0EgcG9saWN5LCByZWxpYW5jZSBvbmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBj b21wbGlhbmNlIG9mIHRoZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1MS1jcmwuY3JsMIGOBggrBgEFBQcBAQSB gTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9jbGll bnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFz czEuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJ KoZIhvcNAQELBQADggEBAEnnrZSSv+4GM9e4Y9Y58sdHWaxi+OI2m/AN4itxv6V/JeB/0NnEoPJ6 /KMmt8trRbwVdlSGgqfU7EkFcAYF8cfqh1pFfLzT0ak346wzgvI/PXjA9tL5p8yxbpN2VYvqGI3x HfGjh46K6EC6fB9Fz+PrDFluk4j+Q70S1FL555jhI3gXcGgiPBAsfH912EsEdLnJ4vTQsO48uQuX Dp+MrL8GFdLvACvqcWI7YulVUzZp0YNnN9A1qSe35d5ahTDftY2HzLnxcDJ++ce+UBhanZI/dFi9 Q5bK5T2yzUD+FnsR1d/DTEfWJVT/s4ZEjkSYo7FJbalZ+LPgpiL1xBsBDr8wggY0MIIEHKADAgEC AgEeMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQu MSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzEwMjQyMTAxNTVaFw0xNzEwMjQy MTAxNTVaMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xh c3MgMSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDHCYPMzi3YGrEppC4Tq5a+ijKDjKaIQZZVR63UbxIP6uq/I0fhCu+cQhoUfE6E RKKnu8zPf1Jwuk0tsvVCk6U9b+0UjM0dLep3ZdE1gblK/1FwYT5Pipsu2yOMluLqwvsuz9/9f1+1 PKHG/FaR/wpbfuIqu54qzHDYeqiUfsYzoVflR80DAC7hmJ+SmZnNTWyUGHJbBpA8Q89lGxahNvur yGaC/o2/ceD2uYDX9U8Eg5DpIpGQdcbQeGarV04WgAUjjXX5r/2dabmtxWMZwhZna//jdiSyrrSM TGKkDiXm6/3/4ebfeZuCYKzN2P8O2F/Xe2AC/Y7zeEsnR7FOp+uXAgMBAAGjggGtMIIBqTAPBgNV HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUU3Ltkpzg2ssBXHx+ljVO8tS4 UYIwHwYDVR0jBBgwFoAUTgvvGqRAW6UXaYcwyjRoQ9BBrvIwZgYIKwYBBQUHAQEEWjBYMCcGCCsG AQUFBzABhhtodHRwOi8vb2NzcC5zdGFydHNzbC5jb20vY2EwLQYIKwYBBQUHMAKGIWh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNydDBbBgNVHR8EVDBSMCegJaAjhiFodHRwOi8vd3d3LnN0 YXJ0c3NsLmNvbS9zZnNjYS5jcmwwJ6AloCOGIWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2Nh LmNybDCBgAYDVR0gBHkwdzB1BgsrBgEEAYG1NwECATBmMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3 LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMDQGCCsGAQUFBwIBFihodHRwOi8vd3d3LnN0YXJ0c3Ns LmNvbS9pbnRlcm1lZGlhdGUucGRmMA0GCSqGSIb3DQEBBQUAA4ICAQAKgwh9eKssBly4Y4xerhy5 I3dNoXHYfYa8PlVLL/qtXnkFgdtY1o95CfegFJTwqBBmf8pyTUnFsukDFUI22zF5bVHzuJ+GxhnS qN2sD1qetbYwBYK2iyYA5Pg7Er1A+hKMIzEzcduRkIMmCeUTyMyikfbUFvIBivtvkR8ZFAk22BZy +pJfAoedO61HTz4qSfQoCRcLN5A0t4DkuVhTMXIzuQ8CnykhExD6x4e6ebIbrjZLb7L+ocR0y4Yj Cl/Pd4MXU91y0vTipgr/O75CDUHDRHCCKBVmz/Rzkc/b970MEeHt5LC3NiWTgBSvrLEuVzBKM586 YoRD9Dy3OHQgWI270g+5MYA8GfgI/EPT5G7xPbCDz+zjdH89PeR3U4So4lSXur6H6vp+m9TQXPF3 a0LwZrp8MQ+Z77U1uL7TelWO5lApsbAonrqASfTpaprFVkL4nyGH+NHST2ZJPWIBk81i6Vw0ny0q ZW2Niy/QvVNKbb43A43ny076khXO7cNbBIRdJ/6qQNq9Bqb5C0Q5nEsFcj75oxQRqlKf6TcvGbjx kJh8BYtv9ePsXklAxtm8J7GCUBthHSQgepbkOexhJ0wP8imUkyiPHQ0GvEnd83129fZjoEhdGwXV 27ioRKbj/cIq7JRXun0NbeY+UdMYu9jGfIpDLtUUGSgsg2zMGs5R4jCCB8kwggWxoAMCAQICAQEw DQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0 Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MDkxNzE5NDYzNloXDTM2MDkxNzE5NDYz NlowfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3Vy ZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwYjbCbxsRnx4 n5V7tTOQ8nJi1sE2ICIkXs7pd/JDCqIGZKTMjjb4OOYj8G5tsTzdcqOFHKHTPbQzK9Mvr/7qsEFZ Z7bEBn0KnnSF1nlMgDd63zkFUln39BtGQ6TShYXSw3HzdWI0uiyKfx6P7u000BHHls1SPboz1t1N 3gs7SkufwiYv+rUWHHI1d8o8XebK4SaLGjZ2XAHbdBQl/u21oIgP3XjKLR8HlzABLXJ5+kbWEyqo uaarg0kd5fLv3eQBjhgKj2NTFoViqQ4ZOsy1ZqbCa3QH5Cvhdj60bdj2ROFzYh87xL6gU1YlbFEJ 96qryr92/W2b853bvz1mvAxWqq+YSJU6S9+nWFDZOHWpW+pDDAL/mevobE1wWyllnN2qXcyvATHs DOvSjejqnHvmbvcnZgwaSNduQuM/3iE+e+ENcPtjqqhsGlS0XCV6yaLJixamuyx+F14FTVhuEh0B 7hIQDcYyfxj//PT6zW6R6DZJvhpIaYvClk0aErJpF8EKkNb6eSJIv7p7afhwx/p6N9jYDdJ2T1f/ kLfjkdLd78Jgt2c63f6qnPDUi39yIs7Gn5e2+K+KoBCo2fsYxra1XFI8ibYZKnMBCg8DsxJg8nov gdujbv8mMJf1i92JV7atPbOvK8W3dgLwpdYrmoYUKnL24zOMXQlLE9+7jHQTUksCAwEAAaOCAlIw ggJOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgGuMB0GA1UdDgQWBBROC+8apEBbpRdphzDKNGhD 0EGu8jBkBgNVHR8EXTBbMCygKqAohiZodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvc2ZzY2EtY3Js LmNybDAroCmgJ4YlaHR0cDovL2NybC5zdGFydGNvbS5vcmcvc2ZzY2EtY3JsLmNybDCCAV0GA1Ud IASCAVQwggFQMIIBTAYLKwYBBAGBtTcBAQEwggE7MC8GCCsGAQUFBwIBFiNodHRwOi8vY2VydC5z dGFydGNvbS5vcmcvcG9saWN5LnBkZjA1BggrBgEFBQcCARYpaHR0cDovL2NlcnQuc3RhcnRjb20u b3JnL2ludGVybWVkaWF0ZS5wZGYwgdAGCCsGAQUFBwICMIHDMCcWIFN0YXJ0IENvbW1lcmNpYWwg KFN0YXJ0Q29tKSBMdGQuMAMCAQEagZdMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUgc2VjdGlv biAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3ku cGRmMBEGCWCGSAGG+EIBAQQEAwIABzA4BglghkgBhvhCAQ0EKxYpU3RhcnRDb20gRnJlZSBTU0wg Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwDQYJKoZIhvcNAQEFBQADggIBABZsmfRmDDT10IVefQrs 2hBOOBxe36YlBUuRMsHoO/E93UQJWwdJiinLZgK3sZr3JZgJPI4b4d02hytLu2jTOWY9oCbH8jmR HVGrgnt+1c5a5OIDV3Bplwj5XlimCt+MBppFFhY4Cl5X9mLHegIF5rwetfKe9Kkpg/iyFONuKIdE w5Aa3jipPKxDTWRFzt0oqVzyc3sE+Bfoq7HzLlxkbnMxOhK4vLMR5H2PgVGaO42J9E2TZns8A+3T mh2a82VQ9aDQdZ8vr/DqgkOY+GmciXnEQ45GcuNkNhKv9yUeOImQd37Da2q5w8tES6x4kIvnxywe SxFEyDRSJ80KXZ+FwYnVGnjylRBTMt2AhGZ12bVoKPthLr6EqDjAmRKGpR5nZK0GLi+pcIXHlg98 iWX1jkNUDqvdpYA5lGDANMmWcCyjEvUfSHu9HH5rt52Q9CI7rvj8Ksr6glKg769LVZPrwbXwIous NE4mIgShhyx1SrflfRPXuAxkwDbSyS+GEowjCcEbgjtzSaNqV4eU5dZ4xZlDY+NN4Hct4WWZcmkE GkcJ5g8BViT7H78OealYLrnECQF+lbptAAY+supKEDnY0Cv1v+x1v5cCxQkbCNxVN+KB+zeEQ2Ig yudWS2Xq/mzBJJMkoTTrBf+aIq6bfT/xZVEKpjBqs/SIHIAN/HKK6INeMYIDbzCCA2sCAQEwgZQw gYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUg RGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFBy aW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQQIDDpbSMAkGBSsOAwIaBQCgggGvMBgGCSqGSIb3 DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE1MDcwNTE2MDgwOVowIwYJKoZIhvcN AQkEMRYEFPxC+OmrKCTbPSazM28tg1RgtqKlMIGlBgkrBgEEAYI3EAQxgZcwgZQwgYwxCzAJBgNV BAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBD ZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50 ZXJtZWRpYXRlIENsaWVudCBDQQIDDpbSMIGnBgsqhkiG9w0BCRACCzGBl6CBlDCBjDELMAkGA1UE BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRl cm1lZGlhdGUgQ2xpZW50IENBAgMOltIwDQYJKoZIhvcNAQEBBQAEggEAm/XVgf4ujN7HKOdlPlGP fq8RdcUO6q2daZLue+5zizEyJ9OS7uxtn0Gipe6heeH50kfa9TUdQDVqC9c1zayUdKus9rmh05fy CE2JVfyp93Bj6cln+UmQPjNjwAk430NypwmCOGtWP3ZUDFytcrd9+ZXnchiGshasqRqGdtda3um8 xrjjJOIuQDaIQtkqgeQ7xpfuB4b8r+eDfRWdNz5JX5Rrm3E3CzRH/ssWSn8fhN171F4LrrymgIJc yGUfrdqliFhJbzMWLdCNwK3g6vwRNRCWfA1ICfncpPaEazg1ezbEtuGtpiNzzsoHQuMH3RCkgSim 6e30VZ17a+fRAQGoKwAAAAAAAA== --Apple-Mail-4555ECEF-CBA5-45BB-A0DB-C93501A341DC-- From owner-freebsd-pf@freebsd.org Sun Jul 5 16:26:30 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8F52AC60 for ; Sun, 5 Jul 2015 16:26:30 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from oneyou.mcmli.com (oneyou.mcmli.com [IPv6:2607:f2f8:af30::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "oneyou.mcmli.com", Issuer "RapidSSL SHA256 CA - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 870CA1BD9 for ; Sun, 5 Jul 2015 16:26:30 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from sentry.24cl.com (sentry.24cl.com [IPv6:2001:558:6017:a2:c48f:b89e:4255:ea63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "sentry.24cl.com", Issuer "Mike's Certificate Authority" (verified OK)) by oneyou.mcmli.com (Postfix) with ESMTPS id 3mPb5151kXzP8x0 for ; Sun, 5 Jul 2015 12:26:29 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mgm51.com; s=mgm51-02; t=1436113589; bh=xnvegQQJyF1Eu9xk3nC/Sk1wsM1aBfyr9Exa8LEiZVk=; h=Subject:Cc:From:Message-ID:Date; b=Osnx63jzg7BiIjxXV+LOyrm1xHwmJ7gZ7vJY9zyZvQL/4rkchpv8vPL7zmCV3dg7o fgPGn6BYK4doLIfhoAdrGE06DHbt3b5pNf6VSifdx/vetBbW0qN4iVejmKlpl3uBox 9YESa+qUj2iz8MPdQREjPCUoECnG9d7A0JxmxRP3IZNQrFROC5KVVEfQm7NVMup6hc akQAyzb5dd1vpOdAfRPVy69+6qIXyQcNrlh0q67ePZEJbMQCK9FwrX7o1FNn1WYGX3 r5Ijf3qYQ7RBPj51GeXWJWO7u6gM7brJ+EMUdFWetFenNzIILynWXrExK+T96nVCSE loGXSaf4V2QNA== Received: from [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85] (unknown [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85]) by sentry.24cl.com (Postfix) with ESMTP id 3mPb502J9zz1nYR for ; Sun, 5 Jul 2015 12:26:28 -0400 (EDT) Subject: Re: counters for addresses in pfctl show table References: <55994FD7.5020200@mgm51.com> <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> Cc: "freebsd-pf@freebsd.org" From: Mike Message-ID: <55995AB4.2010109@mgm51.com> Date: Sun, 5 Jul 2015 12:26:28 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 MIME-Version: 1.0 In-Reply-To: <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Jul 2015 16:26:30 -0000 On 7/5/2015 12:08 PM, Jason Hellenthal wrote: > Add more -v's > This command # pfctl -t FullBlock -vvvvTshow still did not show the counters. From owner-freebsd-pf@freebsd.org Sun Jul 5 20:26:14 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8460CA96F for ; Sun, 5 Jul 2015 20:26:14 +0000 (UTC) (envelope-from fjo@ogris.de) Received: from box2.ogris.net (box2.ogris.net [IPv6:2a03:4000:6:2157::1]) by mx1.freebsd.org (Postfix) with ESMTP id 4CD5B15DE for ; Sun, 5 Jul 2015 20:26:14 +0000 (UTC) (envelope-from fjo@ogris.de) Received: from core7.intra.ogris.net (p4FC2EE6B.dip0.t-ipconnect.de [79.194.238.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by box2.ogris.net (Postfix) with ESMTPSA id E98486CB1; Sun, 5 Jul 2015 22:26:09 +0200 (CEST) Subject: Re: counters for addresses in pfctl show table To: Mike References: <55994FD7.5020200@mgm51.com> <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> <55995AB4.2010109@mgm51.com> Cc: "freebsd-pf@freebsd.org" From: "Felix J. Ogris" Message-ID: <559992E0.3050608@ogris.de> Date: Sun, 5 Jul 2015 22:26:08 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 MIME-Version: 1.0 In-Reply-To: <55995AB4.2010109@mgm51.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Jul 2015 20:26:14 -0000 Hi, add "counters" to your table definition, e.g. table persist counters { .... --Felix On 07/05/15 18:26, Mike wrote: > On 7/5/2015 12:08 PM, Jason Hellenthal wrote: >> Add more -v's >> > > This command > > # pfctl -t FullBlock -vvvvTshow > > > still did not show the counters. > > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@freebsd.org Mon Jul 6 14:01:03 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A1AAEA18D for ; Mon, 6 Jul 2015 14:01:03 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from oneyou.mcmli.com (oneyou.mcmli.com [IPv6:2607:f2f8:af30::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "oneyou.mcmli.com", Issuer "RapidSSL SHA256 CA - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 84B801C55 for ; Mon, 6 Jul 2015 14:01:03 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from sentry.24cl.com (sentry.24cl.com [IPv6:2001:558:6017:a2:c48f:b89e:4255:ea63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "sentry.24cl.com", Issuer "Mike's Certificate Authority" (verified OK)) by oneyou.mcmli.com (Postfix) with ESMTPS id 3mQ7pj3wxwzP8x0 for ; Mon, 6 Jul 2015 10:01:01 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mgm51.com; s=mgm51-02; t=1436191261; bh=Y9MA5FLJ6PWNIexisDdattDzCkw6v82ORa8431n5/28=; h=Subject:Cc:From:Message-ID:Date; b=Q+PGvQeQyEA8ASr5UGnnpg8ja3Eeoy4NhfhwGM9RC/8DYBrk8CspGVKdVGoQAKtYh VhKF9TQQMQNvp9wo1As6MUTiQjvw5KIS3Jl1pFDOhO+kinc0cWZGY45Y8M3xu0VU8m sDnZ/0D8RxsMeHQse/oF7drPu870mhXBlBebVRbvFFLF0C0QnS7TjNzEloFa+28wCV QuxfF/L5j7vqb2LzUIWDWsSeG1zdSnzd7uZ4cwwO9qQPgOb91xcgXkIyapJ0URqxtJ SHxlMgGqBkdNZvtWFO0BCpo9LIouSu4urAy3Wp57H/9VPLKMKggwnjKHHyGGqkUooO sG5DX2cwPOxZQ== Received: from [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85] (unknown [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85]) by sentry.24cl.com (Postfix) with ESMTP id 3mQ7ph12mkz1nYR for ; Mon, 6 Jul 2015 10:01:00 -0400 (EDT) Subject: Re: counters for addresses in pfctl show table References: <55994FD7.5020200@mgm51.com> <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> <55995AB4.2010109@mgm51.com> <559992E0.3050608@ogris.de> Cc: "freebsd-pf@freebsd.org" From: Mike Message-ID: <559A8A1D.80905@mgm51.com> Date: Mon, 6 Jul 2015 10:01:01 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 MIME-Version: 1.0 In-Reply-To: <559992E0.3050608@ogris.de> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jul 2015 14:01:03 -0000 On 7/5/2015 4:26 PM, Felix J. Ogris wrote: > Hi, > > add "counters" to your table definition, e.g. > > table persist counters { .... > Thanks for the reply. The addition of counters to the table definition (combined with a reload of the ruleset) did not change the output I was getting. The command # pfctl -t FullBlock -vvvvTshow still did not show the counters. From owner-freebsd-pf@freebsd.org Mon Jul 6 14:39:12 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BD081A9D3 for ; Mon, 6 Jul 2015 14:39:12 +0000 (UTC) (envelope-from freebsd-pf@dino.sk) Received: from mailhost.netlabit.sk (mailhost.netlabit.sk [84.245.65.72]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 50BD11289 for ; Mon, 6 Jul 2015 14:39:11 +0000 (UTC) (envelope-from freebsd-pf@dino.sk) Received: from zeta.dino.sk (fw1.dino.sk [84.245.95.252]) (AUTH: LOGIN milan) by mailhost.netlabit.sk with ESMTPA; Mon, 06 Jul 2015 16:33:58 +0200 id 00E2C40F.559A91D7.0000697A Date: Mon, 6 Jul 2015 16:33:58 +0200 From: Milan Obuch To: Ian FREISLICH Cc: Daniel Hartmeier , freebsd-pf@freebsd.org Subject: Re: Large scale NAT with PF - some weird problem Message-ID: <20150706163358.11a67ecf@zeta.dino.sk> In-Reply-To: <20150629125432.7aff9e66@zeta.dino.sk> References: <20150629114506.1cfd6f1b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <20150621195753.7b162633@zeta.dino.sk> <20150623112331.668395d1@zeta.dino.sk> <20150628100609.635544e0@zeta.dino.sk> <20150629082654.GA22693@insomnia.benzedrine.ch> <20150629105201.7ee24e38@zeta.dino.sk> <20150629092932.GC22693@insomnia.benzedrine.ch> <20150629125432.7aff9e66@zeta.dino.sk> X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; i386-portbld-freebsd10.1) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jul 2015 14:39:12 -0000 On Mon, 29 Jun 2015 12:54:32 +0200 Milan Obuch wrote: > On Mon, 29 Jun 2015 12:42:22 +0200 > Ian FREISLICH wrote: > > > Milan Obuch wrote: [ snip ] > > > In cisco speak, there is just > > > > > > ip route x.y.24.0 255.255.252.0 x.y.3.19 > > > > > > statement and that's it. Nothing more. Whole address range from > > > x.y.24.0 to x.y.27.254 is routed here as it should be. For > > > something like this ARP would be really evil solution. > > > > That's OK, as long as the NAT network is routed to your PF box it > > will work. > > > > This was just an explanation, I am sure this is OK, as I have some > network experience already for... well, a ong time. > > > The situation you mentioned in a previous message where you see > > lots and lots of NAT states for a single public IP address is what > > I suspected was happening. When you require more NAT states per > > IP than ephemeral ports you will run into issues because you will > > run out of NAT space. > > > > No, there were not much states per problematic IP, maybe just tens of > them for one or couple internal IPs. That's weird. > > > If the round-robin works with a smaller pool, then I suspect Glebius > > will be interested. > > > > Well, if he chimes in, I would only welcome that. Currently I am > waiting for any signs of troubles with shrinked pool, if there will be > any. > > Milan > For about a week, I did not receive any complaints, so I think it works for now. I still see some hits for src-limit counter in 'pfctl -vs info' output, currently at 347, so it is approx. at 50 hits a day. If there is some good docs on these counters, I surely would like to know. I mean something like 'if this counter reaches 1000 (or 1000 daily or something similar), then it is sign of some problem'. Also, in 'pfctl -sa' output, there are currently three states with states count of 4294967295, 4294967295 and 4294967293, respectively. This one is for me sign of some trouble as it strongly resembles underflow of 32 bit integer counter, interpreted as unsigned number. Regards, Milan From owner-freebsd-pf@freebsd.org Mon Jul 6 15:04:19 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E52BCAF3F for ; Mon, 6 Jul 2015 15:04:19 +0000 (UTC) (envelope-from fjo-lists@ogris.de) Received: from box2.ogris.net (box2.ogris.net [IPv6:2a03:4000:6:2157::1]) by mx1.freebsd.org (Postfix) with ESMTP id AC1CE11DE for ; Mon, 6 Jul 2015 15:04:19 +0000 (UTC) (envelope-from fjo-lists@ogris.de) Received: from hf-mac-fjo-001.dts-systeme.intra (fjo-mbp.dts.de [81.89.251.80]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by box2.ogris.net (Postfix) with ESMTPSA id 135547172; Mon, 6 Jul 2015 17:04:07 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\)) Subject: Re: counters for addresses in pfctl show table From: "Felix J. Ogris" In-Reply-To: <559A8A1D.80905@mgm51.com> Date: Mon, 6 Jul 2015 17:04:05 +0200 Cc: "freebsd-pf@freebsd.org" Content-Transfer-Encoding: quoted-printable Message-Id: References: <55994FD7.5020200@mgm51.com> <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> <55995AB4.2010109@mgm51.com> <559992E0.3050608@ogris.de> <559A8A1D.80905@mgm51.com> To: Mike X-Mailer: Apple Mail (2.2102) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jul 2015 15:04:20 -0000 Hi, it will show the counters only if the table is actively used by the = ruleset, i.e. if it=E2=80=99s non empty and gets some pass/block = actions. =E2=80=94Felix > On 06 Jul 2015, at 16:01, Mike wrote: >=20 > On 7/5/2015 4:26 PM, Felix J. Ogris wrote: >> Hi, >>=20 >> add "counters" to your table definition, e.g. >>=20 >> table persist counters { .... >>=20 >=20 > Thanks for the reply. >=20 > The addition of counters to the table definition (combined with a = reload > of the ruleset) did not change the output I was getting. >=20 > The command >=20 > # pfctl -t FullBlock -vvvvTshow >=20 >=20 > still did not show the counters. >=20 > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@freebsd.org Mon Jul 6 19:52:20 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 592B3995137 for ; Mon, 6 Jul 2015 19:52:20 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from oneyou.mcmli.com (oneyou.mcmli.com [IPv6:2607:f2f8:af30::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "oneyou.mcmli.com", Issuer "RapidSSL SHA256 CA - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3BF651B34 for ; Mon, 6 Jul 2015 19:52:20 +0000 (UTC) (envelope-from the.lists@mgm51.com) Received: from sentry.24cl.com (sentry.24cl.com [IPv6:2001:558:6017:a2:c48f:b89e:4255:ea63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "sentry.24cl.com", Issuer "Mike's Certificate Authority" (verified OK)) by oneyou.mcmli.com (Postfix) with ESMTPS id 3mQHc33ZTxzP8x3 for ; Mon, 6 Jul 2015 15:52:19 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mgm51.com; s=mgm51-02; t=1436212339; bh=cGbbRD3HV0tk+AKsrmuAgABZ1Hwh5494acgnvbZvHbs=; h=Subject:Cc:From:Message-ID:Date; b=oBvPTEP7evz2SdFyux+9Ye83uSepPXfjWm2XrjcLSiNyanblsRGtd1G+/zwo4fUUZ Z+bUwcqqC3LiCDhRmd3eRCgqK+puL0kLVOWrEqkzMUhUw3fUM8fDNQOCCDq+1Fck6H hBIiDv9r2WTWne8QL4HX0iwZuLN+hjwDo5fhhfKAiYskEWZbR5oCtSGaDox4eV8pj4 9AguufXEyclIVRUkX7knn5jz90t0YZb8TxSU+ncmUPXvhxeApS2m469HSTzfNuYrPd z6UlbVsVUUle394N1o5hq3yqIQVKQrYqnM4L6N+4nfr/fU29x9L4WRmsdqpo7EdiK9 64GrFVoVpZu7A== Received: from [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85] (unknown [IPv6:fdcf:b715:2f4d:1:e169:387a:67ec:aa85]) by sentry.24cl.com (Postfix) with ESMTP id 3mQHc20nFjz1nYR for ; Mon, 6 Jul 2015 15:52:18 -0400 (EDT) Subject: Re: counters for addresses in pfctl show table References: <55994FD7.5020200@mgm51.com> <702AE8FF-3FDC-4EAD-9E8A-9C426E4FC940@dataix.net> <55995AB4.2010109@mgm51.com> <559992E0.3050608@ogris.de> <559A8A1D.80905@mgm51.com> Cc: "freebsd-pf@freebsd.org" From: Mike Message-ID: <559ADC73.5080700@mgm51.com> Date: Mon, 6 Jul 2015 15:52:19 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jul 2015 19:52:20 -0000 On 7/6/2015 11:04 AM, Felix J. Ogris wrote: > Hi, > > it will show the counters only if the table is actively used > by the ruleset, i.e. if it’s non empty and gets some > pass/block actions. > > —Felix OK, that seems to be it. The counters were all zero, so they were not shown. Thanks for the assist! From owner-freebsd-pf@freebsd.org Thu Jul 9 14:49:01 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 90F8699708B for ; Thu, 9 Jul 2015 14:49:01 +0000 (UTC) (envelope-from freebsd-pf@dino.sk) Received: from mailhost.netlabit.sk (mailhost.netlabit.sk [84.245.65.72]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 282331C51 for ; Thu, 9 Jul 2015 14:49:00 +0000 (UTC) (envelope-from freebsd-pf@dino.sk) Received: from zeta.dino.sk (fw1.dino.sk [84.245.95.252]) (AUTH: LOGIN milan) by mailhost.netlabit.sk with ESMTPA; Thu, 09 Jul 2015 16:48:51 +0200 id 00E93C14.559E89D3.0000EC74 Date: Thu, 9 Jul 2015 16:48:50 +0200 From: Milan Obuch To: Ian FREISLICH Cc: Daniel Hartmeier , freebsd-pf@freebsd.org Subject: Re: Large scale NAT with PF - some weird problem Message-ID: <20150709164850.334058c6@zeta.dino.sk> In-Reply-To: <20150706163358.11a67ecf@zeta.dino.sk> References: <20150629114506.1cfd6f1b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <20150621195753.7b162633@zeta.dino.sk> <20150623112331.668395d1@zeta.dino.sk> <20150628100609.635544e0@zeta.dino.sk> <20150629082654.GA22693@insomnia.benzedrine.ch> <20150629105201.7ee24e38@zeta.dino.sk> <20150629092932.GC22693@insomnia.benzedrine.ch> <20150629125432.7aff9e66@zeta.dino.sk> <20150706163358.11a67ecf@zeta.dino.sk> X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; i386-portbld-freebsd10.1) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2015 14:49:01 -0000 On Mon, 6 Jul 2015 16:33:58 +0200 Milan Obuch wrote: > On Mon, 29 Jun 2015 12:54:32 +0200 > Milan Obuch wrote: > > > On Mon, 29 Jun 2015 12:42:22 +0200 > > Ian FREISLICH wrote: [ snip ] > > > If the round-robin works with a smaller pool, then I suspect > > > Glebius will be interested. > > > > > > > Well, if he chimes in, I would only welcome that. Currently I am > > waiting for any signs of troubles with shrinked pool, if there will > > be any. > > > > For about a week, I did not receive any complaints, so I think it > works for now. > I did a small experiment, after working some time with no troubles with pool x.y.26.0/24, I tried with x.y.27.0/24, and it troubled again. IP in question is x.y.27.152, as soon as it gets used, affected customer/device has no access to internet. Really weird. So it is not sheer pool size leading to troubles, it is the inclusion of this one IP (maybe some more, but not frequently) in pool which does result in trouble. I am baffled. Regards, Milan