From owner-freebsd-pf@freebsd.org Sun Jun 10 21:00:45 2018
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 10 Jun 2018 21:00:43 +0000
Message-Id: <201806102100.w5AL0haJ075710@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Mon Jun 11 11:51:43 2018
From: Fatemeh Mehdizadeh
To: freebsd-pf@freebsd.org
Subject: pf nat log does not show source and destination port
Date: Mon, 11 Jun 2018 16:21:42 +0430

Hi all,

I'm using pf to create NAT. I'm on FreeBSD 9.2. I want to enable logs for
NAT translations, so in pf.conf:

  table { 20.20.20.2, 20.20.20.3, 20.20.20.4, 20.20.20.5 }
  nat log on 'eth0' from { 10.10.10.0/24 } to any -> round-robin sticky-address

After a ping request I have a log:

  # tcpdump -t -r pflog
  IP 20.20.20.3 > 20.20.20.1: ICMP echo request, id 4147, seq 0, length 64

The problem is that I want my log to show the source port and destination
port and NOT show id, seq and length.
Thanks for your help

From owner-freebsd-pf@freebsd.org Mon Jun 11 22:23:45 2018
From: "Kristof Provost"
To: "Fatemeh Mehdizadeh"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf nat log does not show source and destination port
Date: Mon, 11 Jun 2018 18:23:33 -0400
Message-ID: <8F0561C0-67A6-4479-8F0D-72A038CC1280@sigsegv.be>
Hi Fatemeh,

On 11 Jun 2018, at 7:51, Fatemeh Mehdizadeh wrote:
> Hi all,
> I'm using pf to create nat. I'm on FreeBSD9.2.

Note that FreeBSD 9.2 is not a supported version. It went out of support at
the end of 2014. (See https://www.freebsd.org/security/unsupported.html)
I would strongly recommend upgrading to a supported version:
https://www.freebsd.org/security/security.html#sup

> I want enable logs for nat translations, so in pf.cpnf:
>
> table { 20.20.20.2,20.20.20.3,20.20.20.4,20.20.20.5 }
> nat log on 'eth0' from { 10.10.10.0/24} to any -> round-robin sticky-address
>
> After ping request I have a log:
> # tcpdump -t -r pflog
> IP 20.20.20.3 > 20.20.20.1: ICMP echo request, id 4147, seq 0, length 64
>

pflog logs the entire packet (with a pf-specific header with information
about the matched rules), so you can parse whatever information you want out
of that.

> The problem is that I want my log shows the source port and
> destination port and NOT show id, seq and length.
>

You may get enough information by simply telling tcpdump to be more verbose:

  # tcpdump -t -v -r pflog

(Repeat the '-v' flag for even more information.)

Regards,
Kristof
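The record layout Kristof describes (a pf-specific header followed by the whole packet) is what pflogd(8) writes to its pcap file, with link type DLT_PFLOG. The following Python is an added example and is not code from this thread or from FreeBSD: it reads such a file and reports, per record, the rule number, action, direction, interface, addresses and the TCP/UDP ports (or ICMP type/code), which is the output the question asks for. The pfloghdr field order is assumed from FreeBSD's net/if_pflog.h as I recall it for the 9.x to 13.x series (byte 0 is the header's own length, which the parser uses to skip whatever trailing fields a given release adds, so check the struct in your release before relying on any field past `dir`); the action and direction codes are assumed from net/pfvar.h; the interface name em0, the addresses and the three records are constructed for the demo.

```python
"""Pull rule, addresses and TCP/UDP ports out of a pflog(4) pcap file.
pflogd(8) writes classic pcap with link type DLT_PFLOG (117): each record is
a pfloghdr (rule, action, direction, interface) followed by the whole packet."""
import socket
import struct

DLT_PFLOG = 117
# Action and direction codes, assumed from FreeBSD's net/pfvar.h.
PF_ACTION = {0: "pass", 1: "block", 2: "scrub", 3: "noscrub", 4: "nat", 5: "nonat",
             6: "binat", 7: "nobinat", 8: "rdr", 9: "nordr", 10: "synproxy-drop"}
PF_DIR = {0: "inout", 1: "in", 2: "out"}
# Leading fields of struct pfloghdr, assumed from FreeBSD's net/if_pflog.h:
# length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr (htonl'd),
# uid, pid, rule_uid, rule_pid, dir.  Byte 0 is the header's own length.
PFLOGHDR = "!BBBB16s16sIIIIIIB"
PFLOGHDR_LEN = struct.calcsize(PFLOGHDR)  # 61


def parse_pflog_record(rec):
    """Decode one DLT_PFLOG record into a dict of rule and flow fields."""
    hdrlen = rec[0]
    if hdrlen < PFLOGHDR_LEN or len(rec) < hdrlen:
        raise ValueError("truncated pfloghdr")
    _, _, action, _, ifname, _, rulenr, _, _, _, _, _, direction = \
        struct.unpack_from(PFLOGHDR, rec, 0)
    out = {"ifname": ifname.rstrip(b"\0").decode(), "rule": rulenr,
           "action": PF_ACTION.get(action, str(action)),
           "dir": PF_DIR.get(direction, str(direction))}
    pkt = rec[hdrlen:]
    # Use the IP version nibble, not the af byte (AF_INET6 is 28 on FreeBSD, 10 on Linux).
    version = pkt[0] >> 4
    if version == 4:
        proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        out["src"] = socket.inet_ntop(socket.AF_INET, pkt[12:16])
        out["dst"] = socket.inet_ntop(socket.AF_INET, pkt[16:20])
    elif version == 6:
        proto, l4 = pkt[6], pkt[40:]  # next header; extension headers not walked
        out["src"] = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
        out["dst"] = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    else:
        raise ValueError("not an IP packet")
    if proto in (6, 17):    # TCP/UDP: ports are the first two 16-bit words
        out["proto"] = "tcp" if proto == 6 else "udp"
        out["sport"], out["dport"] = struct.unpack_from("!HH", l4, 0)
    elif proto in (1, 58):  # ICMP/ICMPv6 carry no ports; report type/code
        out["proto"] = "icmp" if proto == 1 else "icmp6"
        out["icmp_type"], out["icmp_code"] = l4[0], l4[1]
    else:
        out["proto"] = str(proto)
    return out


def read_pcap_records(data):
    """Yield record payloads from an in-memory classic pcap file (either byte order)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != DLT_PFLOG:
        raise ValueError("link type is not DLT_PFLOG")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def flows_from_pcap(data):
    return [parse_pflog_record(r) for r in read_pcap_records(data)]


def format_flow(f):
    """One line per record: ports for TCP/UDP, type/code (not id/seq) for ICMP."""
    if "sport" in f:
        l4 = "%s %s:%d > %s:%d" % (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
    else:
        l4 = "%s %s > %s type %d code %d" % (f["proto"], f["src"], f["dst"],
                                             f["icmp_type"], f["icmp_code"])
    return "rule %d/%s %s on %s: %s" % (f["rule"], f["action"], f["dir"], f["ifname"], l4)


# Constructed sample (not a real capture): a NAT-rule hit for a UDP DNS query,
# a pass-rule TCP SYN to the mail port, and an ICMP echo like the poster's.
def _pfloghdr(action, rulenr, direction):
    return struct.pack(PFLOGHDR + "3x", 64, 2, action, 0, b"em0", b"", rulenr,
                       0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, direction)

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _pcap(records):
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    return ghdr + b"".join(struct.pack("<IIII", 0, 0, len(r), len(r)) + r for r in records)

SAMPLE_PCAP = _pcap([
    _pfloghdr(4, 0, 2) + _ipv4(17, "10.10.10.7", "20.20.20.1",
                               struct.pack("!HHHH", 49152, 53, 8, 0)),
    _pfloghdr(0, 3, 1) + _ipv4(6, "198.51.100.9", "20.20.20.3",
                               struct.pack("!HHIIBBHHH", 40001, 25, 0, 0, 0x50, 0x02, 65535, 0, 0)),
    _pfloghdr(4, 0, 2) + _ipv4(1, "20.20.20.3", "20.20.20.1",
                               struct.pack("!BBHHH", 8, 0, 0, 4147, 0)),
])
```

For a real file, `for f in flows_from_pcap(open("/var/log/pflog", "rb").read()): print(format_flow(f))` gives one line per record such as `rule 0/nat out on em0: udp 10.10.10.7:49152 > 20.20.20.1:53`. On the live interface, `tcpdump -n -e -ttt -i pflog0` prints the same header fields (rule number, action, interface) in front of each packet; the parser is for post-processing the file into exactly the columns you want to keep.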
From owner-freebsd-pf@freebsd.org Thu Jun 14 18:35:07 2018
From: Dave Horsfall
To: FreeBSD PF List
Subject: Is there an upper limit to PF's tables?
Date: Fri, 15 Jun 2018 03:40:19 +1000 (EST)
I can't get access to kernel sauce right now, but I'm hitting over 1,000
entries from woodpeckers[*] etc; is there some upper limit, or is it just
purely dynamic?

  aneurin% freebsd-version
  10.4-RELEASE-p9

[*]

A fairly loose definition in the anti-spammer community, but it includes
attempts every few *seconds* when they encounter my RFC-compliant banner,
when I make 'em wait a bit for my 220, and those who regard 5xx as a
challenge.

Perhaps I should consider an external firewall; at the moment the
(consumer-grade) router allows only certain services to certain servers (and
doesn't bother logging the rejects, much to my disgust) and its "IP blocking"
simply doesn't work, so the mail server blocks the spammer IPs instead
(entire countries where necessary).
-- Dave, who has been accused of being an "anti-spam nazi"

From owner-freebsd-pf@freebsd.org Thu Jun 14 19:03:00 2018
From: Ian FREISLICH
To: Dave Horsfall, FreeBSD PF List
Subject: Re: Is there an upper limit to PF's tables?
Date: Thu, 14 Jun 2018 15:02:57 -0400
Message-ID: <62bf79b4-0c38-ec94-3bf6-d99ccbd45300@capeaugusta.com>

On 06/14/2018 01:40 PM, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
> is it just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9

You're ultimately physically bound by memory, however there are configurable
limits, see pf.conf(5):

  set timeout { \
          adaptive.start  X, \
          adaptive.end    Y \
          }
  set limit states AA
  set limit frags BB
  set limit src-nodes CC

I've run pf with over 1.5M states, but the limits do have to be tuned.

Ian

> [*]
>
> A fairly loose definition in the anti-spammer community, but it
> includes attempts every few *seconds* when they encounter my
> RFC-compliant banner, when I make 'em wait a bit for my 220, and those
> who regard 5xx as a challenge.
>
> Perhaps I should consider an external firewall; at the moment the
> (consumer-grade) router allows only certain services to certain
> servers (and doesn't bother logging the rejects, much to my disgust)
> and its "IP blocking" simply doesn't work, so the mail server blocks
> the spammer IPs instead (entire countries where necessary).
>
> -- Dave, who has been accused of being an "anti-spam nazi"

From owner-freebsd-pf@freebsd.org Thu Jun 14 19:18:18 2018
From: "Kristof Provost"
To: "Dave Horsfall"
Cc: "FreeBSD PF List"
Subject: Re: Is there an upper limit to PF's tables?
Date: Thu, 14 Jun 2018 21:18:14 +0200
Message-ID: <215BBC34-F4BC-42C7-9B90-3AEC2CFB858D@sigsegv.be>

On 14 Jun 2018, at 19:40, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
> is it just purely dynamic?
>
> aneurin% freebsd-version
> 10.4-RELEASE-p9
>

Ian already gave some good information, but it's important to note that
there are a number of different limits, and the maximum number of states is
different from the limit on table sizes.

There's no immediate limit to the number of addresses in a table. It mostly
depends on having enough memory. On 12 you may start to run into issues
loading it in one go once you have more than 65k entries.
If you do run into that, that particular limit can be tuned using
`sysctl net.pf.request_maxcount`.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Jun 14 19:44:21 2018
Subject: Re: Is there an upper limit to PF's tables?
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Dave Horsfall, FreeBSD PF List
Date: Thu, 14 Jun 2018 21:44:08 +0200
Message-ID: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>

Dave Horsfall wrote on 2018/06/14 19:40:
> I can't get access to kernel sauce right now, but I'm hitting over 1,000
> entries from woodpeckers[*] etc; is there some upper limit, or is it
> just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9

One of our customers has a machine with 10.4 too. They are blocking all Tor
IP addresses. The table has 272574 entries now.

There were (are) some problems with reloading PF:

  # service pf reload
  Reloading pf rules.
  /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
  /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
  /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
  /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
  /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
  pfctl: Syntax error in config file: pf rules not loaded

Even if there is "set limit table-entries 300000".

I do not understand PF internals but I think PF needs twice the memory for
reload (if there are already a lot of entries). The workaround for this was
as simple as reloading PF with an empty table and then loading the table
entries:

  # mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
  # touch /etc/pf.tor_net.table
  # pfctl -t tor_net -T flush
  201703 addresses deleted.
  # pfctl -vf /etc/pf.conf
  # pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK

So loading all entries into an empty table works fine, but reloading didn't
work.

Miroslav Lachman

From owner-freebsd-pf@freebsd.org Thu Jun 14 20:03:58 2018
Subject: Re: Is there an upper limit to PF's tables?
From: Ian FREISLICH
To: Miroslav Lachman <000.fbsd@quip.cz>, Dave Horsfall, FreeBSD PF List
Date: Thu, 14 Jun 2018 16:03:50 -0400
In-Reply-To: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>

On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
> Dave Horsfall wrote on 2018/06/14 19:40:
>> I can't get access to kernel sauce right now, but I'm hitting over
>> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
>> is it just purely dynamic?
>>
>>    aneurin% freebsd-version
>>    10.4-RELEASE-p9
>
> One of our customers have machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with reload of PF:
>
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000"
>
> I do not understand PF internals but I think PF needs twice the memory
> for reload (if there are already a lot of entries).
> Because workaround for this was simple as reload PF with empty table
> and then load table entries:

Did you try setting the table limit to 500000?  I believe that PF does a
copyin from pfctl essentially building the new inactive ruleset and
switching to it at commit.  This would result in the twice memory
requirement you're seeing.  It has been a long long time for me so I've
probably not explained correctly.

Ian
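Three separate limits come up in this thread: the per-request cap Kristof mentions (net.pf.request_maxcount, which bounds how many addresses one pfctl ioctl may carry), the global `set limit table-entries` Miroslav set, and the doubled requirement Ian describes when a reload builds the inactive copy while the live tables still exist. The following Python is an added example and is not code from any of the posters: it aggregates a block list into as few prefixes as possible, sizes `set limit table-entries` with room for the old and new contents during a reload, and emits the pfctl commands that load the table either in one atomic `-T replace` or, when the list exceeds the request cap, as a flush followed by chunked adds. The defaults of 200000 table entries and 65535 addresses per request, the statement that table-entries is global across all tables, the doubling rule itself (taken from Ian's and Miroslav's reasoning above, not something I have verified in the source), and the sample address list are my assumptions, not from the thread.

```python
"""Aggregate a block list, size `set limit table-entries`, and emit the pfctl
commands to load it within net.pf.request_maxcount."""
import ipaddress

# Defaults assumed here (check `pfctl -s memory` and
# `sysctl net.pf.request_maxcount` on the box in question).
DEFAULT_TABLE_ENTRIES = 200000
DEFAULT_REQUEST_MAXCOUNT = 65535


def aggregate(lines):
    """Parse a table file (one address or prefix per line, '#' comments),
    drop duplicates and merge adjacent or contained prefixes.  Each entry
    removed here is one table-entries slot and one request item saved."""
    v4, v6 = [], []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            net = ipaddress.ip_network(line, strict=False)
            (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def table_entries_limit(live_entries, new_entries, current=DEFAULT_TABLE_ENTRIES):
    """Value for `set limit table-entries` that lets `pfctl -f pf.conf` reload.
    The limit is global across tables (assumed) and, per Ian's explanation, a
    reload holds the live tables and the inactive copy at once, so budget for
    both.  Never shrink a limit that is already larger."""
    return max(current, 2 * (live_entries + new_entries))


def split_chunks(nets, request_maxcount=DEFAULT_REQUEST_MAXCOUNT):
    """Split entries into lists no larger than one pfctl request may carry."""
    entries = [str(n) for n in nets]
    return [entries[i:i + request_maxcount]
            for i in range(0, len(entries), request_maxcount)]


def chunk_names(path, nchunks):
    return ["%s.%03d" % (path, i) for i in range(nchunks)]


def write_chunks(path, chunks):
    """Write each chunk to path.000, path.001, ...; returns the names written."""
    names = chunk_names(path, len(chunks))
    for name, chunk in zip(names, chunks):
        with open(name, "w") as fh:
            fh.write("\n".join(chunk) + "\n")
    return names


def load_commands(table, chunk_files):
    """Shell lines that load the table.  A single file is loaded with
    `-T replace`, which swaps the contents atomically.  Several files are
    flushed and added one by one, which is NOT atomic: the blocked ranges
    pass traffic until the last add lands.  Raising net.pf.request_maxcount
    and going back to a single replace avoids that window."""
    if len(chunk_files) == 1:
        return ["pfctl -t %s -T replace -f %s" % (table, chunk_files[0])]
    return (["pfctl -t %s -T flush" % table] +
            ["pfctl -t %s -T add -f %s" % (table, f) for f in chunk_files])


# Constructed sample list (not a real Tor exit list).
SAMPLE_TABLE = """\
198.51.100.0/25
198.51.100.128/25   # adjacent to the line above: merges into a /24
203.0.113.7
203.0.113.7         # duplicate
203.0.113.0/24      # already contains 203.0.113.7
2001:db8:dead::/48
"""

if __name__ == "__main__":
    nets = aggregate(SAMPLE_TABLE.splitlines())
    # Miroslav's 272574-entry table plus the sample, starting from the default.
    print("set limit table-entries %d" % table_entries_limit(272574, len(nets)))
    chunks = split_chunks(nets, request_maxcount=2)   # tiny value just to show chunking
    for cmd in load_commands("tor_net", chunk_names("/etc/pf.tor_net.table", len(chunks))):
        print(cmd)
```

After loading, `pfctl -t tor_net -T show | wc -l` should match the aggregated count, and `pfctl -s memory` shows the table-entries value actually in force. For a block list this is a security decision as much as a capacity one: prefer raising net.pf.request_maxcount and keeping the single atomic replace over the flush-and-add path, because the latter leaves the table partially empty while the chunks are being added.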
From owner-freebsd-pf@freebsd.org Thu Jun 14 20:22:59 2018
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Ian FREISLICH, Dave Horsfall, FreeBSD PF List
Subject: Re: Is there an upper limit to PF's tables?
Date: Thu, 14 Jun 2018 22:22:55 +0200
Message-ID: <284a180b-6247-1bd5-d683-1e704b601628@quip.cz>

Ian FREISLICH wrote on 2018/06/14 22:03:
> On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
>> # service pf reload
>> Reloading pf rules.
>> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
>> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
>> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
>> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
>> /etc/pf.conf:41: cannot define table tor_net: Cannot all
>> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> Even if there is "set limit table-entries 300000"
>>
>> I do not understand PF internals but I think PF needs twice the memory
>> for reload (if there are already a lot of entries).
>> Because workaround for this was simple as reload PF with empty table
>> and then load table entries:
>
> Did you try setting the table limit to 500000?  I believe that PF does a
> copyin from pfctl essentially building the new inactive ruleset and
> switching to it at commit.  This would result in the twice memory
> requirement you're seeing.  It has been a long long time for me so I've
> probably not explained correctly.
No I didn't tried anything above 300000 but I will try it next time. (maybe 600000) Miroslav Lachman From owner-freebsd-pf@freebsd.org Fri Jun 15 15:11:20 2018 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B5DE100E340 for ; Fri, 15 Jun 2018 15:11:20 +0000 (UTC) (envelope-from dave@horsfall.org) Received: from viclamta30p.bpe.bigpond.com (viclamta30p.bpe.bigpond.com [203.38.21.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "", Issuer "Openwave Messaging Inc." (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 6056972ECE for ; Fri, 15 Jun 2018 15:11:18 +0000 (UTC) (envelope-from dave@horsfall.org) Received: from smtp.telstra.com ([10.10.26.4]) by viclafep25p-svc.bpe.nexus.telstra.com.au with ESMTP id <20180615150042.PFZM16783.viclafep25p-svc.bpe.nexus.telstra.com.au@smtp.telstra.com> for ; Sat, 16 Jun 2018 01:00:42 +1000 X-RG-Spam: Unknown X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedthedrleeigdejjecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfupfevtfgpvffgnffuvfftteenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffujgfkfhgfgggtsehttddttddtredvnecuhfhrohhmpeffrghvvgcujfhorhhsfhgrlhhluceouggrvhgvsehhohhrshhfrghllhdrohhrgheqnecukfhppeduuddtrddugedurdduleefrddvfeefnecurfgrrhgrmhephhgvlhhopegrnhgvuhhrihhnrdhhohhrshhfrghllhdrohhrghdpihhnvghtpeduuddtrddugedurdduleefrddvfeefpdhmrghilhhfrhhomhepoegurghvvgeshhhorhhsfhgrlhhlrdhorhhgqedprhgtphhtthhopeeofhhrvggvsghsugdqphhfsehfrhgvvggsshgurdhorhhgqeenucevlhhushhtvghrufhiiigvpedt X-RG-VS-CLASS: clean Received: from aneurin.horsfall.org (110.141.193.233) by smtp.telstra.com (9.0.019.26-1) id 5B042371030B1D88 for freebsd-pf@freebsd.org; Sat, 16 Jun 2018 01:00:42 +1000 Received: from aneurin.horsfall.org (localhost [127.0.0.1]) 
by aneurin.horsfall.org (8.15.2/8.15.2) with ESMTP id w5FF0f3Q083571 for ; Sat, 16 Jun 2018 01:00:41 +1000 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.15.2/8.15.2/Submit) with ESMTP id w5FF0fMj083568 for ; Sat, 16 Jun 2018 01:00:41 +1000 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs Date: Sat, 16 Jun 2018 01:00:41 +1000 (EST) From: Dave Horsfall To: FreeBSD PF List Subject: Re: Is there an upper limit to PF's tables? In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21.999 (BSF 260 2018-02-26) X-GPG-Public-Key: http://www.horsfall.org/gpgkey.pub X-GPG-Fingerprint: 05B4 FFBC 0218 B438 66E0 587B EF46 7357 EF5E F58B X-Home-Page: http://www.horsfall.org/ X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Jun 2018 15:11:20 -0000 Thanks, all, for your suggestions; I suspect that this ancient server with but 512MB memory will need upgrading soon :-) Thankfully, all it does at the moment is act as my mail/web server, and an internal firewall to the Mac and Penguin boxes; I do my development work on the Mac[*], and test it out on those in turn (and usually ending up cursing Penguin/OS for egregiously breaking something). [*] Except for devices with a serial port, because I simply don't trust serial/USB adaptor cables and their shoddy drivers; my next FreeBSD server will still have genuine serial/parallel ports (it will also be a GPS NTP server, and FreeBSD supports the all-important PPS signal on the serial port). -- Dave
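As an added example, not code posted in this thread: a POSIX sh script that sizes "set limit table-entries" to cover both the active tables and the inactive copy pfctl builds before commit (Ian's explanation of the doubled requirement), and that performs the two-phase reload Miroslav used as a workaround. Table file paths and names are placeholders; pfctl is only invoked when DRY_RUN is empty.

```shell
#!/bin/sh
# Added example (not from the thread). Sizes "set limit table-entries" so a
# reload can hold the active tables plus the inactive copy pfctl builds
# before commit, and does the two-phase reload (empty tables, then fill).
# Assumptions: table files hold one address/network per line and "#" starts
# a comment; pf.conf defines the tables from empty files; paths are placeholders.

# Count entries across table files, ignoring comments and blank lines.
pf_table_entries() {
    cat "$@" 2>/dev/null | sed 's/#.*//' | grep -c '[^[:space:]]' || true
}

# Limit covering two copies of N entries plus ~10% headroom, rounded up to 1000.
pf_table_limit() {
    need=$(( $1 * 2 + $1 / 5 ))
    echo $(( (need + 999) / 1000 * 1000 ))
}

# The pf.conf line to place next to the table definitions.
pf_limit_line() {
    echo "set limit table-entries $(pf_table_limit "$(pf_table_entries "$@")")"
}

# Workaround from the thread: load the ruleset with the tables defined but
# empty, then replace each table's contents from its file. Arguments after the
# config path are table:file pairs. With DRY_RUN set, commands are printed.
pf_reload_two_phase() {
    conf=$1; shift
    run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
    run pfctl -f "$conf"
    for spec in "$@"; do
        run pfctl -t "${spec%%:*}" -T replace -f "${spec#*:}"
    done
}

# Usage (placeholder paths):
#   pf_limit_line /etc/pf/*.table
#   DRY_RUN=1 pf_reload_two_phase /etc/pf.conf badguys:/etc/pf/badguys.table
```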