From owner-freebsd-pf@FreeBSD.ORG Mon Mar 23 11:07:01 2009
Date: Mon, 23 Mar 2009 11:07:00 GMT
Message-Id: <200903231107.n2NB70AM004091@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
o kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o kern/130977  pf    [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf    [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf    [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf    [pf] deadlock in pf
o kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/82271   pf    [pf] cbq scheduler cause bad latency

32 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 23 16:03:58 2009
Message-ID: <62927.216.241.167.212.1237824237.squirrel@webmail.pknet.net>
Date: Mon, 23 Mar 2009 10:03:57 -0600 (MDT)
From: "Peter"
To: "forn"
Cc: freebsd-pf@freebsd.org
Subject: Re: more tests - pf + altq + cbq(borrow) not borrowing from parent - all LAN

> > Hello. I'm having the same problem.
> > My system is 7.1-Stable i386.
> > Here's entire pf.conf:
> snip
> > With this config, speed of traffic in queue www5 never goes higher
> > than 250Kb.
> > But, if queue localq is set to borrow, as follows:
> snip
> > then queue www5 is able to take the full bandwidth of 2Mb (which is
> > correct).
> > The physical link speed far surpasses 2Mb (actually, these are all
> > virtual machines set up for testing on the same server), so this can't
> > be a problem.

iH,
Installed openbsd 4.4 [VM on ESX] - Still seeing the same problem -
Using one of the pf faq examples - still can't figure out what I'm missing:

OpenBSD openbsd.my.domain 4.4 GENERIC#1021 i386

# grep -v "^#" /etc/pf.conf |grep -v ^$
set skip on lo0
altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
queue std bandwidth 1Mb cbq(default)
queue ssh bandwidth 500Kb { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 4 cbq(borrow)
queue ssh_bulk bandwidth 50% cbq(borrow)
queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state queue ssh_login
pass in on vic0 proto tcp from any flags S/SA keep state
pass out on vic0 proto tcp from any to any flags S/SA keep state queue ssh_login

pfctl -vvsq shows the 'ssh_login' queue is being used.
doing sftp transfer over sshd on port 222 [just to isolate it]
traffic stays at ~250Kb, does not borrow

queue root_vic0 on vic0 bandwidth 5Mb priority 0 cbq( wrr root ) {std, ssh, ftp}
  [ pkts: 799  bytes: 781987  dropped pkts: 0  bytes: 0 ]
  [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
  [ measured: 32.4 packets/s, 271.97Kb/s ]
queue std on vic0 bandwidth 1Mb cbq( default )
  [ pkts: 115  bytes: 16978  dropped pkts: 0  bytes: 0 ]
  [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
  [ measured: 5.2 packets/s, 6.20Kb/s ]
queue ssh on vic0 bandwidth 500Kb {ssh_login, ssh_bulk}
  [ pkts: 0  bytes: 0  dropped pkts: 0  bytes: 0 ]
  [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue ssh_login on vic0 bandwidth 250Kb priority 4 cbq( borrow )
  [ pkts: 684  bytes: 765009  dropped pkts: 0  bytes: 0 ]
  [ qlength: 14/ 50  borrows: 508  suspends: 97 ]
  [ measured: 27.2 packets/s, 265.77Kb/s ]
queue ssh_bulk on vic0 bandwidth 250Kb cbq( borrow )
  [ pkts: 0  bytes: 0  dropped pkts: 0  bytes: 0 ]
  [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue ftp on vic0 bandwidth 500Kb priority 3 cbq( red borrow )
  [ pkts: 0  bytes: 0  dropped pkts: 0  bytes: 0 ]
  [ qlength: 0/ 50  borrows: 0  suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]

Changing the parent 'ssh' queue to borrow:

# grep -v "^#" /etc/pf.conf |grep -v ^$
set skip on lo0
altq on vic0 cbq bandwidth 5Mb queue { std, ssh, ftp }
queue std bandwidth 1Mb cbq(default)
queue ssh bandwidth 500Kb cbq(borrow) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 4 cbq(borrow)
queue ssh_bulk bandwidth 50% cbq(borrow)
queue ftp bandwidth 500Kb priority 3 cbq(borrow red)
pass in quick on vic0 proto tcp from any to port 222 flags S/SA keep state queue ssh_login
pass in on vic0 proto tcp from any flags S/SA keep state
pass out on vic0 proto tcp from any to any flags S/SA keep state queue ssh_login

traffic pretty much uses up right near 5MB...

So not a FreeBSD issue it almost seems like it.
Have not tried OpenBSD mailing list yet.
I'm misunderstanding how pf/cbq should work?

]Peter[

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:16:23 2009
Date: Tue, 24 Mar 2009 17:47:36 +0300
From: Eric Magutu
To: freebsd-pf@freebsd.org
Subject: first firewall with pf
Hi,

I am converting some systems from Linux to freeBSD and I'm new to pf. I
wanted to run this on a live system but I'm not sure if everything is
correct. Can you please advise me if it would work and if there is anything
I need to add or remove to make it work. I have written the following
pf.conf:

########
#Tests #
########
#parse the rules and check syntax, but don't load them
# pfctl -nf /etc/pf.conf
#load the rules, printing them as they are parsed
# pfctl -vf /etc/pf.conf

#############
#interfaces #
#############
ext_if="bce0"
ext_if2="bce1"

#####################
#ports to be opened #
#####################
#tcp ports
good_port_tcp="{ 22, 80, 110, 143, 161, 443, 873, 3306, 40555 }"
#udp ports
good_port_udp="{ 161, 873 }"

#############################################
#allow all connections from and to loopback #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on $ext_if all keep state
pass out quick on $ext_if2 all keep state

##############
#Blocked ips #
##############
# 1.2.3.4 is the ip you want to block (pf needs 'from' before the address)
block in quick on $ext_if inet from 1.2.3.4
# 1.2.3.4/24 is the ip range you want to block
block in quick on $ext_if inet from 1.2.3.4/24

############################
#smtp connections allowed #
############################
#a.b.c.d is the server's ip
#Euro servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#American servers
pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep state
#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep state

###################################
# pass traffic from allowed ports #
###################################
#pass traffic from allowed tcp ports
pass in quick on $ext_if inet proto tcp from any to a.b.c.d port $good_port_tcp keep state
#pass traffic from allowed udp ports (proto udp and the udp list, not a copy of the tcp rule)
pass in quick on $ext_if inet proto udp from any to a.b.c.d port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
##########################################
#x.x.x.x/12 are the internal ips NMC access with
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the other European servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state
#x.x.x.x/24 are the ips for the American servers
pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to a.b.c.d keep state

##########################
#block all other traffic #
##########################
# should be last rule
block in quick on $ext_if all

##################################################
#for any questions contact Eric#
##################################################

--
Regards,
Eric Magutu

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:27:43 2009
In-Reply-To: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Date: Tue, 24 Mar 2009 18:27:41 +0300
From: Eric Magutu
To: Glen Barber
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf

Thanks I'll change that

On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:
> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> [snip]
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
> >
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins. Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
> --
> Glen Barber

--
Regards,
Eric Magutu

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:39:25 2009
Message-ID: <59094.216.241.167.212.1237909163.squirrel@webmail.pknet.net>
Date: Tue, 24 Mar 2009 09:39:23 -0600 (MDT)
From: "Peter"
To: freebsd-pf@freebsd.org
Subject: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

iH,
cbq does not work as advertised
child will not borrow from parent unless parent borrows from root
So a tree did not work:

root
  parent1
    p1.child1(borrow)
    p1.child2(borrow)
  parent2
    p2.child1(borrow)
    p2.child2(borrow)

*child* does not borrow, unless parent is set to borrow from root.
parent borrows no problem. Tried this on openbsd 4.4 - same results.

short answer: '%s/cbq/hfsc/g'

solution that's worked for me:

altq on fxp0 bandwidth 100Mb hfsc queue {internal external}
queue internal bandwidth 98Mb hfsc(default)
queue external bandwidth 876Kb hfsc(upperlimit 876Kb) {poshta abakan usrx11 imvas }
queue poshta bandwidth 70% hfsc(realtime 70%)
queue abakan bandwidth 10% hfsc(realtime 10%)
queue usrx11 bandwidth 10% hfsc(realtime 10%)
queue imvas bandwidth 10% hfsc(realtime 10%)

When I did not put in the upperlimit for 'external' queue, it would borrow
up to 100Mb from root queue - making the external queue children pointless.
This way internal LAN goes at 98Mb, and external WAN is limited to 876Kb
and then I break it up further by IPs.

Downloading from usrx11 - speed = ~100KB
as soon as I start a dl from poshta, usrx11 speed drops to ~12KB, and
poshta speed goes to ~86KB.
As soon as dl from poshta is cancelled, dl from usrx11 goes to ~100KB

]Peter[

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:44:46 2009
Message-ID: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Date: Tue, 24 Mar 2009 11:20:51 -0400
From: Glen Barber
To: Eric Magutu
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf

On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
[snip]
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all
>

This should not be the last rule. PF implements the rules in a
top-down fashion, where the last rule always wins. Without actually
loading this ruleset on my own system, it appears this rule will block
all incoming / outgoing traffic completely.

This rule should be placed above all of your 'pass' rules.

--
Glen Barber

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:47:42 2009
References: <4ad871310903240820j50d89ac1xacd732eab8adc55d@mail.gmail.com>
Date: Tue, 24 Mar 2009 18:47:40 +0300
From: Eric Magutu
To: Glen Barber
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf

does the rule to block all other traffic have to be explicitly mentioned?

On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote:
> Thanks I'll change that
>
> On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:
>> This should not be the last rule. PF implements the rules in a
>> top-down fashion, where the last rule always wins. Without actually
>> loading this ruleset on my own system, it appears this rule will block
>> all incoming / outgoing traffic completely.
>>
>> This rule should be placed above all of your 'pass' rules.

--
Regards,
Eric Magutu

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 15:48:32 2009
Message-ID: <4ad871310903240848o77577209n25f12cd5f45d3cfc@mail.gmail.com>
Date: Tue, 24 Mar 2009 11:48:30 -0400
From: Glen Barber
To: Eric Magutu
Cc: freebsd-pf@freebsd.org
Subject: Re: first firewall with pf X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2009 15:48:33 -0000 On Tue, Mar 24, 2009 at 11:47 AM, Eric Magutu wrote: > does the rule to block all other traffic have to be explicitly mentioned? > Yes. -- Glen Barber From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:04:11 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 623F010656EB for ; Tue, 24 Mar 2009 16:04:11 +0000 (UTC) (envelope-from pp@pp.dyndns.biz) Received: from proxy3.bredband.net (proxy3.bredband.net [195.54.101.73]) by mx1.freebsd.org (Postfix) with ESMTP id 159418FC15 for ; Tue, 24 Mar 2009 16:04:10 +0000 (UTC) (envelope-from pp@pp.dyndns.biz) Received: from ironport.bredband.com (195.54.101.120) by proxy3.bredband.net (7.3.139) id 49C0B9D70024B77B for freebsd-pf@freebsd.org; Tue, 24 Mar 2009 17:04:09 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AtouAMehyElV4jp1PGdsb2JhbACBUJQNAQEBAR4XC71Sg3YG X-IronPort-AV: E=Sophos;i="4.38,413,1233529200"; d="scan'208";a="498632628" Received: from c-753ae255.107-1-64736c10.cust.bredbandsbolaget.se (HELO gatekeeper.pp.dyndns.biz) ([85.226.58.117]) by ironport1.bredband.com with ESMTP; 24 Mar 2009 17:03:55 +0100 Received: from [192.168.69.67] (phobos [192.168.69.67]) by gatekeeper.pp.dyndns.biz (8.14.2/8.14.2) with ESMTP id n2OG3qJ1006015 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 24 Mar 2009 17:03:53 +0100 (CET) (envelope-from pp@pp.dyndns.biz) Message-ID: <49C90468.4030604@pp.dyndns.biz> Date: Tue, 24 Mar 2009 17:03:52 +0100 From: Pojken Purken User-Agent: Thunderbird 2.0.0.21 (X11/20090324) MIME-Version: 1.0 To: Peter References: 
Cc: freebsd-pf@freebsd.org
Subject: Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

Peter wrote:
> Hi,
> cbq does not work as advertised
> child will not borrow from parent unless parent borrows from root
> So a tree did not work:
> root
>   parent1
>     p1.child1(borrow)
>     p1.child2(borrow)
>   parent2
>     p2.child1(borrow)
>     p2.child2(borrow)
>
> *child* does not borrow, unless parent is set to borrow from root.
> parent borrows no problem. Tried this on openbsd 4.4 - same results.
>
> short answer: '%s/cbq/hfsc/g'

Nice catch. Problem seems to have been around since 2007.
http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003021.html

/Morgan

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:09:20 2009
From: Eric Magutu
To: "Michael K. Smith - Adhost"
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 19:09:18 +0300
Subject: Re: first firewall with pf

Hi Mike,

I will make the changes, there is no internal interface though.
Yes I meant SMTP

Thanks for your input

On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost <mksmith@adhost.com> wrote:
> Hello:
>
> > #############
> > #interfaces #
> > #############
> > ext_if="bce0"
> > ext_if2="bce1"
> >
> I would also define your inside interface(s), not just your outside. Let's
> call it "bce2" for the example:
>
> int_if="bce2"
>
> >
> > #############################################
> > #allow all connections from and to loopback #
> > #############################################
> >
> > pass in quick on lo0 all keep state
> > pass out quick on lo0 all keep state
> >
> You might want to add anti-spoofing as well (can't come in on your IP's)
>
> antispoof quick for { lo $ext_if $ext_if2 } inet
>
> > ########################################################
> > #allow all connections out through external interfaces #
> > ########################################################
> >
> You can shorten these (as below)
>
> > pass out quick on $ext_if all keep state
> > pass out quick on $ext_if2 all keep state
> pass out quick on { $ext_if $ext_if2 $int_if }
>
> Also, add an inbound allow for your inside interface, unless you want to
> block things more granularly.
>
> pass in quick on $int_if
>
> >
> > ############################
> > #smtp connections allowed #
> > ############################
> >
> Did you mean SSH?
> If you meant SMTP you should change 22 to 25
>
> >#a.b.c.d is the server's ip
> > #Euro servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
> > state
> >
> > #American servers
> > pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
> > state
> >
> > #from the old iptables???
> > pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep
> > state
> >
> >
> > ###################################
> > # pass traffic from allowed ports #
> > ###################################
> >
> >
> > #pass traffic from allowed tcp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> > $good_port_tcp keep state
> >
> > #pass traffic from allowed udp ports
> > pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> > $good_port_tcp keep state
> >
> > ##########################################
> > # allow connections from NMC and servers #
> > ##########################################
> >
> I would limit ICMP to echo-request from the outside.
>
> pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d
> icmp-type { echoreq trace }
>
> > #x.x.x.x/12 are the internal ips NMC access with
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to
> > a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the other European servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> > a.b.c.d keep state
> >
> > #x.x.x.x/24 are the ips for the American servers
> > pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> > a.b.c.d keep state
> >
> >
> > ##########################
> > #block all other traffic #
> > ##########################
> >
> > # should be last rule
> >
> > block in quick on $ext_if all
>
> Should be first as previously discussed.
>
> Regards,
>
> Mike
>

--
Regards,
Eric Magutu

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:13:09 2009
From: "Peter"
To: "Glen Barber"
Cc: Eric Magutu, freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 10:13:03 -0600 (MDT)
Message-ID: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net>
Subject: Re: first firewall with pf

> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> [snip]
>>
>> ##########################
>> #block all other traffic #
>> ##########################
>>
>> # should be last rule
>>
>> block in quick on $ext_if all
>>
>>
>
> This should not be the last rule. PF implements the rules in a
> top-down fashion, where the last rule always wins.
> Without actually
> loading this ruleset on my own system, it appears this rule will block
> all incoming / outgoing traffic completely.
>
> This rule should be placed above all of your 'pass' rules.
>
> --
> Glen Barber

Notice he has the 'quick' keyword in all his rules - Placing this rule on
top will 'quick' block everyone without parsing any other rules.

rules ~should~ be:

block all
pass out keep state
block quick proto tcp from ZZ to port XX
pass in proto tcp port XX keep state
pass in proto tcp port YY keep state

this will allow outbound everything
allow inbound only on ports XX,YY except from ZZ
all other packets will match rule 'block all'

]Peter[

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:13:54 2009
From: "Michael K. Smith - Adhost"
To: "Eric Magutu"
Date: Tue, 24 Mar 2009 08:56:38 -0700
Message-ID: <17838240D9A5544AAA5FF95F8D52031605B42800@ad-exh01.adhost.lan>
Subject: RE: first firewall with pf

Hello:

> #############
> #interfaces #
> #############
> ext_if="bce0"
> ext_if2="bce1"
>
I would also define your inside interface(s), not just your outside. Let's
call it "bce2" for the example:

int_if="bce2"

>
> #############################################
> #allow all connections from and to loopback #
> #############################################
>
> pass in quick on lo0 all keep state
> pass out quick on lo0 all keep state
>
You might want to add anti-spoofing as well (can't come in on your IP's)

antispoof quick for { lo $ext_if $ext_if2 } inet

> ########################################################
> #allow all connections out through external interfaces #
> ########################################################
>
You can shorten these (as below)

> pass out quick on $ext_if all keep state
> pass out quick on $ext_if2 all keep state
pass out quick on { $ext_if $ext_if2 $int_if }

Also, add an inbound allow for your inside interface, unless you want to
block things more granularly.

pass in quick on $int_if

>
> ############################
> #smtp connections allowed #
> ############################
>
Did you mean SSH?
If you meant SMTP you should change 22 to 25

>#a.b.c.d is the server's ip
> #Euro servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
> state
>
> #American servers
> pass in quick on $ext_if proto tcp from x.x.x.x/26 to a.b.c.d port 22 keep
> state
>
> #from the old iptables???
> pass in quick on $ext_if proto tcp from x.x.x.x/27 to a.b.c.d port 22 keep
> state
>
>
> ###################################
> # pass traffic from allowed ports #
> ###################################
>
>
> #pass traffic from allowed tcp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> $good_port_tcp keep state
>
> #pass traffic from allowed udp ports
> pass in quick on $ext_if inet proto tcp from any to a.b.c.d port
> $good_port_tcp keep state
>
> ##########################################
> # allow connections from NMC and servers #
> ##########################################
>
I would limit ICMP to echo-request from the outside.

pass in quick on { $ext_if $ext_if2 } proto icmp from x.x.x.x/12 to a.b.c.d
icmp-type { echoreq trace }

> #x.x.x.x/12 are the internal ips NMC access with
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/12 to
> a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the other European servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> a.b.c.d keep state
>
> #x.x.x.x/24 are the ips for the American servers
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from x.x.x.x/24 to
> a.b.c.d keep state
>
>
> ##########################
> #block all other traffic #
> ##########################
>
> # should be last rule
>
> block in quick on $ext_if all

Should be first as previously discussed.
Regards,

Mike

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 16:24:17 2009
From: Dave Feustel
To: Eric Magutu
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 16:24:17 +0000 (UTC)
Message-Id: <20090324162417.5186D8FC16@mx1.freebsd.org>
Subject: Re: first firewall with pf
On Tue, Mar 24, 2009 at 06:47:40PM +0300, Eric Magutu wrote:
> does the rule to block all other traffic have to be explicitly mentioned?
>
> On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote:
>
> > Thanks I'll change that
> >
> > On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote:
> >
> >> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote:
> >> [snip]
> >> >
> >> > ##########################
> >> > #block all other traffic #
> >> > ##########################
> >> >
> >> > # should be last rule
> >> >
> >> > block in quick on $ext_if all

Change this rule to

block in on $ext_if all

and then make it the first rule. The word 'quick' says don't evaluate any
more rules if this matches.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 18:03:52 2009
From: "Peter"
To: "Pojken Purken"
Date: Tue, 24 Mar 2009 12:03:50 -0600 (MDT)
Message-ID: <56050.216.241.167.212.1237917830.squirrel@webmail.pknet.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

> Peter wrote:
>> Hi,
>> cbq does not work as advertised
>> child will not borrow from parent unless parent borrows from root
>> So a tree did not work:
>> root
>>   parent1
>>     p1.child1(borrow)
>>     p1.child2(borrow)
>>   parent2
>>     p2.child1(borrow)
>>     p2.child2(borrow)
>>
>> *child* does not borrow, unless parent is set to borrow from root.
>> parent borrows no problem. Tried this on openbsd 4.4 - same results.
>>
>> short answer: '%s/cbq/hfsc/g'
>
> Nice catch. Problem seems to have been around since 2007.
> http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003021.html
> /Morgan

Saw that. First I thought "definitely must be fixed by now, I'm doing
something wrong"... Then, hmmm...does openbsd example work in openbsd?
Nope - Same borrowing problem on there.
]Peter[

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 18:55:12 2009
From: forn
To: freebsd-pf@freebsd.org
Date: Wed, 25 Mar 2009 00:54:46 +0600
Message-ID: <49C92C76.2000203@ngs.ru>
Subject: Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

The problem is known and not fixed for 2 years?! I'm starting to think that
replacing my linux router with freebsd is not such a good idea at all.

Peter wrote:
> Saw that. First I thought "definitely must be fixed by now, I'm doing
> something wrong"...
> Then, hmmm...does openbsd example work in openbsd?
> Nope - Same borrowing problem on there.
>
> ]Peter[

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 19:06:15 2009
From: forn
To: freebsd-pf@freebsd.org
Date: Wed, 25 Mar 2009 01:05:50 +0600
Message-ID: <49C92F0E.6040109@ngs.ru>
Subject: Re: first firewall with pf
"block in quick on $ext_if all" being the last and "block in on $ext_if all"
being the first do absolutely the same thing. No point in changing.

Eric, you might want to just do "set skip on lo" instead of allowing all
through it, and add "scrub in" to normalize packets coming in.

Dave Feustel wrote:
> Change this rule to
> block in on $ext_if all
> and then make it the first rule.
> The word 'quick' says don't evaluate any more rules if this matches.
>

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 24 23:33:03 2009
From: Deomid Ryabkov
To: freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 23:13:55 +0000
Message-ID: <49C96933.4030901@rojer.pp.ru>
Subject: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

i have a machine with nc running through it.
with pf disabled, i see 960-970 mbit/s through it (as reported by systat -ifstat).
just having pf enabled, with empty ruleset:

# pfctl -vs nat
# pfctl -vs rules
#

reduces throughput to about 700 mbit.
this seems wrong. any ideas why this might be happening?

OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009

thanks.

--
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 00:07:41 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 25 Mar 2009 01:07:35 +0100
Cc: Deomid Ryabkov
Message-Id: <200903250107.36160.max@love2party.net>
Subject: Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
> i have a machine with nc running through it.
> with pf disabled, i see 960-970 mbit/s through it (as reported by systat
> -ifstat).
> just having pf enabled, with empty ruleset:
>
> # pfctl -vs nat
> # pfctl -vs rules
> #
>
> reduces throughput to about 700 mbit.
> this seems wrong. any ideas why this might be happening?

You have to search the (empty) ruleset for the (implicit) default "pass all"
rule. This is somewhat expensive. Then there is the pf mutex (quite
expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
single, global lock and thus reduces the opportunity for parallelism.

> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>
> thanks.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 00:22:23 2009
From: Deomid Ryabkov
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Wed, 25 Mar 2009 00:22:14 +0000
Message-ID: <49C97936.6020208@rojer.pp.ru>
Subject: Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
Max Laier wrote:
> On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
>
>> i have a machine with nc running through it.
>> with pf disabled, i see 960-970 mbit/s through it (as reported by systat
>> -ifstat).
>> just having pf enabled, with empty ruleset:
>>
>> # pfctl -vs nat
>> # pfctl -vs rules
>> #
>>
>> reduces throughput to about 700 mbit.
>> this seems wrong. any ideas why this might be happening?
>>
>
> You have to search the (empty) ruleset for the (implicit) default "pass all"
> rule. This is somewhat expensive. Then there is the pf mutex (quite
> expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
> single, global lock and thus reduces the opportunity for parallelism.
>

thanks for explanation, Max.

further data point: ruleset with 8 nat rules that never match (but have to
be checked) chops off further ~50 mbit. that i'm less worried about, but the
initial hit for just enabling filtering does worry me quite a bit.

is there anything to be done about that? is anything being done? or planned?

[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel PRO/1000 PT]

>> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>>
>> thanks.
--
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 03:46:32 2009
From: "Patrick Goggins"
To: freebsd-pf@freebsd.org
Date: Tue, 24 Mar 2009 22:44:49 -0500
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Subject: RE: pf rdr not redirecting completely

The problem is with the client being behind the transparent bridged interface: the management interface is not part of the bridge, and when clients hit the rdr rule without hitting the IP stack it will not work without an addressed bridge. To work around this I've noticed some references to using the explicit route-to option, but I have been getting a syntax error:

rdr pass in on $int_if route-to lo0 proto tcp from any to any port 80 -> 127.0.0.1 port 80

What am I missing with this syntax?

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:20 AM
To: freebsd-pf@freebsd.org
Subject: pf rdr not redirecting completely (Correction)

Slight correction:

Working rule:
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.239 port 80

Rule I am attempting, which does not work:
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.240 port 80

~Patrick

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:17 AM
To: freebsd-pf@freebsd.org
Subject: pf rdr not redirecting completely

I'm running into a problem with a transparent bridge and the rdr functionality where, when a device hits the rule, they are being redirected but are unable to fully connect to the server.

Pf is set to skip on the management, external, and bridged interfaces; filtering is just on the internal interface.

Eth0: 172.20.5.240 (management interface, also serving apache pages)
Eth1: external, non-addressed
Eth2: internal, non-addressed
Bridge0: bridge between Eth1 and Eth2
Eth0 and Eth1 are on the same vlan

[Lan where 172.20.5.240 resides]---[managed switch]---[external interface]----[bridge0]-----[internal interface]------[unmanaged switch]------[test system]

Here's the rule I'm trying to run:

rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.68.31 port 80

Additionally the following rules apply:

pass quick on $int_if proto tcp from any to any

When testing the rdr rule on another ip, 172.20.5.239 (another physical server), the rule works correctly. I'm thinking it's having issues going out and then coming back in because it's seeing the request twice and dropping it???

~Patrick
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 09:26:27 2009
From: Sebastiaan van Erk
To: freebsd-pf@freebsd.org
Date: Wed, 25 Mar 2009 09:59:43 +0100
Message-ID: <49C9F27F.3010505@sebster.com>
Subject: state mismatch/connection issues
Hi,

I'm running FreeBSD-7.0 RELEASE with the following patch to the kernel (I know it's integrated in the latest patchlevels which you get when you do freebsd-update, but since I'm still getting state mismatches WITH the patch I'm holding off on the upgrade until I have more information as to the nature of the problem):

*** net/pf.c 2007/09/07 21:34:10 1.558 --- net/pf.c 2007/09/18 19:45:59 1.559 *************** pf_test_state_tcp(struct pf_state **state, int directi *** 3730,3735 **** --- 3730,3751 ---- REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); } + } + + if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && + dst->state >= TCPS_FIN_WAIT_2 && + src->state >= TCPS_FIN_WAIT_2) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pf: state reuse "); + pf_print_state(*state); + pf_print_flags(th->th_flags); + printf("\n"); + } + /* XXX make sure it's the same direction ?? */ + (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; + pf_unlink_state(*state); + *state = NULL; + return (PF_DROP); } if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {

The problem I'm having is that I get intermittent "connection refused"/"operation not permitted" to another machine on the local network. When I do pfctl -s info I see *huge* numbers of state mismatches:

Status: Enabled for 94 days 01:27:40           Debug: Urgent

State Table                          Total             Rate
  current entries                      398
  searches                       986228319          121.4/s
  inserts                        104049508           12.8/s
  removals                       104049110           12.8/s
Counters
  match                          107482262           13.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             42            0.0/s
  memory                           3125235            0.4/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                        13919            0.0/s
  state-mismatch                   3039814            0.4/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

This is causing serious problems at the moment.
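Review bot: the added block returns PF_DROP without a REASON_SET() call, whereas the PFRES_SYNPROXY path immediately above it sets a reason before its own return, so a SYN dropped for state reuse carries no drop-specific reason and does not appear as its own counter in `pfctl -s info`; setting a reason before `return (PF_DROP);` would let these drops be told apart from the state-mismatch hits reported below. Two further points: the `/* XXX make sure it's the same direction ?? */` question is left unresolved in the code, and the `pf: state reuse` diagnostic only prints when `pf_status.debug >= PF_DEBUG_MISC`, while the status output below shows `Debug: Urgent`, so this box logs nothing on that path unless the level is raised with `pfctl -x misc`.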
It seems that the state problems occur in certain small time windows (my nagios starts reporting that every service is connection refused/operation not permitted, which is about 20 services). Then I get 20 recovery messages.

The firewall rules are trivially simple, $ext_if has 2 ips and $int_if has one:

interfaces = "{" $ext_if "," $int_if "}"

scrub in all
set skip on lo0
antispoof for $interfaces inet

block out log quick on $ext_if from !$ext_ip1 to any
block in quick on $ext_if from any to 255.255.255.255
block log all

pass in quick inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net
pass out on $ext_if proto tcp all
pass out on $ext_if proto { udp, icmp } all
pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2

Does anybody have any idea what's going on and where I can look? This is a production server so it's seriously influencing the quality of the hosted services.
:-(

Regards,
Sebastiaan
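The 94-day average of 0.4 state-mismatches per second in the message above hides the short windows in which every service goes unreachable. The check a practitioner would want is two `pfctl -s info` snapshots a few seconds apart, parsed and diffed, so that a burst in the window shows up against the long-run average. The script below is an added example and not code from the thread: the first snapshot copies the counters posted above, the second is constructed with invented increments, the parser assumes the `pfctl -s info` layout of a counter name followed by a total and an optional `N/s` column, and both alert thresholds are assumptions rather than anything pf defines.

```python
#!/usr/bin/env python3
"""Diff two `pfctl -s info` snapshots and flag a burst of state-mismatch drops.

Added example, not code from the mailing-list thread. SNAPSHOT_A copies the
counters from the message above; SNAPSHOT_B is constructed (invented deltas).
On a pf host:  pfctl -s info > a.txt; sleep 10; pfctl -s info > b.txt
and pass both texts to diff_snapshots() / mismatch_alert().
"""
import re
import subprocess

# Matches "  state-mismatch   3039814   0.4/s" and "  current entries   398".
_COUNTER_RE = re.compile(r"^\s*([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")

SNAPSHOT_A = """\
Status: Enabled for 94 days 01:27:40           Debug: Urgent

State Table                          Total             Rate
  current entries                      398
  searches                       986228319          121.4/s
  inserts                        104049508           12.8/s
  removals                       104049110           12.8/s
Counters
  match                          107482262           13.2/s
  memory                           3125235            0.4/s
  proto-cksum                        13919            0.0/s
  state-mismatch                   3039814            0.4/s
"""

# Constructed: ten seconds later, with a burst of 120 mismatches.
SNAPSHOT_B = """\
Status: Enabled for 94 days 01:27:50           Debug: Urgent

State Table                          Total             Rate
  current entries                      402
  searches                       986229540          121.4/s
  inserts                        104049640           12.8/s
  removals                       104049238           12.8/s
Counters
  match                          107482400           13.2/s
  memory                           3125236            0.4/s
  proto-cksum                        13919            0.0/s
  state-mismatch                   3039934            0.4/s
"""


def parse_info(text):
    """Return {counter-name: total} for every counter line of `pfctl -s info`."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def diff_snapshots(text_a, text_b, seconds):
    """Per-second rate of each counter between two snapshots `seconds` apart."""
    a, b = parse_info(text_a), parse_info(text_b)
    return {k: (b[k] - a[k]) / seconds for k in a if k in b}


def mismatch_alert(text_a, text_b, seconds, per_sec=1.0, per_insert=0.05):
    """True if state-mismatch drops in the window exceed either threshold.

    per_sec:    mismatches per second in the window (assumed threshold).
    per_insert: mismatches relative to new states in the window (assumed
                threshold); the 94-day average above is 3039814/104049508 = 0.029.
    """
    rates = diff_snapshots(text_a, text_b, seconds)
    mismatch = rates.get("state-mismatch", 0.0)
    inserts = rates.get("inserts", 0.0)
    ratio = mismatch / inserts if inserts else 0.0
    return mismatch > per_sec or ratio > per_insert


def live_snapshot():
    """Read a snapshot from the running kernel (needs root on a pf host)."""
    return subprocess.run(["pfctl", "-s", "info"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    rates = diff_snapshots(SNAPSHOT_A, SNAPSHOT_B, 10)
    for name in ("inserts", "state-mismatch"):
        print(f"{name:16s} {rates[name]:8.1f}/s")
    print("alert:", mismatch_alert(SNAPSHOT_A, SNAPSHOT_B, 10))
```

Run in a loop from cron or a monitoring agent, the per-window ratio is the number to graph: a handful of mismatches per second is normal background for a busy box, but a window in which mismatches approach the insert rate is exactly the kind of episode that produces the twenty simultaneous nagios failures described above.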
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 17:22:32 2009
From: brucec@FreeBSD.org
To: brucec@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Wed, 25 Mar 2009 17:22:32 GMT
Message-Id: <200903251722.n2PHMWSP017431@freefall.freebsd.org>
Subject: Re: bin/86635: [patch] pfctl(8): allow new page character (^L) in pf.conf

Synopsis: [patch] pfctl(8): allow new page character (^L) in pf.conf

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: brucec
Responsible-Changed-When: Wed Mar 25 17:22:07 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=86635

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 26 13:23:27 2009
From: Алексей
To: freebsd-pf@freebsd.org
Date: Thu, 26 Mar 2009 15:06:15 +0200
Message-ID: <49CB7DC7.3090500@mail.kar.net>
Subject: nat and filtering rules

Hi,

I'm running FreeBSD 7.1-RC1 and Packet Filter as the firewall. I have the following setup: a LAN using a private address range behind the gateway that is doing NAT. I want to use PF with ALTQ on the gateway to limit bandwidth by IP address for the computers in the LAN. Here are the relevant parts of the configuration file:

##############################
# Translation                #
##############################
nat on $ext_if from $internal_net to any -> ($ext_if)

##############################
# Queueing                   #
##############################
# Download...
altq on $int_if cbq bandwidth 10Mb queue { me_d, comp_d, mach_d, dd }
queue comp_d bandwidth 2Mb cbq
queue me_d bandwidth 5Mb cbq(borrow)
queue mach_d bandwidth 2Mb cbq
queue dd bandwidth 1Mb cbq(default borrow)

# Upload...
altq on $ext_if cbq bandwidth 10Mb queue { me_u, comp_u, mach_u, du }
queue comp_u bandwidth 2Mb cbq
queue me_u bandwidth 5Mb cbq(borrow)
queue mach_u bandwidth 2Mb cbq
queue du bandwidth 1Mb cbq(default borrow)

##############################
# Filtering                  #
##############################
# setup a default deny policy
block all

# Here $me, $comp and $mach are IPs from the LAN

# upload
# me
pass in on $int_if from $me to any queue me_u
# comp
pass in on $int_if from $comp to any queue comp_u
# mach
pass in on $int_if from $mach to any queue mach_u

# download
# me
pass out log on $int_if from any to $me queue me_d
# comp
pass out on $int_if from any to $comp queue comp_d
# mach
pass out on $int_if from any to $mach queue mach_d

Right now all the traffic coming from the Internet to the LAN is assigned to the default queue "dd". I may be wrong here, but judging from the blank output of the log, the rule

pass out log on $int_if from any to $me queue me_d

is not catching anything. Even if this rule is commented out I am still able to access the Internet from this host in the LAN. I assume that it is the implicit keep state in this rule:

pass in on $int_if from $me to any queue me_u

that takes care of both the packets originating from the LAN and those returning there. Is it really so, or did I misunderstand something? How is it possible to assign the traffic coming from the Internet to the LAN through the NAT to the correct queues?
--
Regards,
Alex

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 26 15:08:39 2009
From: Ermal Luçi
To: Алексей
Cc: freebsd-pf@freebsd.org
Date: Thu, 26 Mar 2009 15:46:40 +0100
Message-ID: <9a542da30903260746n1045a708j533cb10505fae95b@mail.gmail.com>
In-Reply-To: <49CB7DC7.3090500@mail.kar.net>
Subject: Re: nat and filtering rules

Try the modified configuration; it should give you what you are after.

altq on $int_if cbq bandwidth 10Mb queue { me, comp, mach, dd }
queue comp on $int_if bandwidth 2Mb cbq
queue me on $int_if bandwidth 5Mb cbq(borrow)
queue mach on $int_if bandwidth 2Mb cbq
queue dd on $int_if bandwidth 1Mb cbq(default borrow)

altq on $ext_if cbq bandwidth 10Mb queue { me, comp, mach, dd }
queue comp on $ext_if bandwidth 2Mb cbq
queue me on $ext_if bandwidth 5Mb cbq(borrow)
queue mach on $ext_if bandwidth 2Mb cbq
queue dd on $ext_if bandwidth 1Mb cbq(default borrow)

block all
pass in on $int_if from $me to any queue me
pass in on $int_if from $comp to any queue comp
pass in on $int_if from $mach to any queue mach

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 14:38:04 2009
From: Jay Aikat
Organization: University of North Carolina at Chapel Hill
To: freebsd-pf@freebsd.org
Date: Sat, 28 Mar 2009 09:44:59 -0400
Message-ID: <49CE29DB.7010803@unc.edu>
Subject: pftop queue stats

Hi,

I am looking for a way to log queue stats at less than 1 second intervals.

On my FreeBSD router, the pf.conf file is configured as follows:

> altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
> queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)

Using pftop, I can get queue lengths per second at best.

$ pftop -s 1 -v queue -d 1000 > pftop.out

Is there an option in pftop to log stats per millisecond, or even 100ms? The -s option above seems to default to 1 second at best.

Thanks for any pointers you can give me.

--Jay.
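pftop's `-s` interval is whole seconds, as the poster observes, but `pfctl -vvs queue` can be invoked as often as one likes, so a small poller on a fixed sub-second schedule gets queue lengths and drop deltas at 100 ms without touching pftop's source. The script below is an added example, not code from the thread or from pftop. The queue text in it is constructed to resemble pfctl's output for the priq setup above (the `root_em0` name, the `em0` interface and all counter values are invented); the parser relies only on the `queue NAME on IFACE` header, the `[ pkts: ... dropped pkts: ... ]` line and the `[ qlength: n/m ]` line, which is an assumption about the output format rather than something this thread confirms.

```python
#!/usr/bin/env python3
"""Sample pf/ALTQ queue lengths faster than once per second.

Added example, not code from the mailing-list thread or from pftop. SAMPLE is a
constructed imitation of `pfctl -vvs queue` output for the poster's priq setup.
On a pf host, call sample() with the default reader to poll the kernel.
"""
import re
import subprocess
import sys
import time

SAMPLE = """\
queue root_em0 on em0 bandwidth 622Mb priority 0 {tcp_q1}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  tcp_q1 on em0 bandwidth 622Mb qlimit 65535 priq( default )
  [ pkts:     123456  bytes:  187654321  dropped pkts:     12 bytes:  18000 ]
  [ qlength:  17/65535 ]
"""

_HDR = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
_PKTS = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")
_QLEN = re.compile(r"qlength:\s*(\d+)/\s*(\d+)")


def parse_queues(text):
    """Map 'name@iface' -> dict(pkts, bytes, dropped, qlen, qlimit)."""
    queues, cur = {}, None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            cur = f"{m.group(1)}@{m.group(2)}"
            queues[cur] = {}
            continue
        if cur is None:
            continue
        m = _PKTS.search(line)
        if m:
            queues[cur].update(pkts=int(m.group(1)), bytes=int(m.group(2)),
                               dropped=int(m.group(3)))
            continue
        m = _QLEN.search(line)
        if m:
            queues[cur].update(qlen=int(m.group(1)), qlimit=int(m.group(2)))
    return queues


def drop_deltas(prev, cur):
    """Packets dropped per queue between two parsed snapshots."""
    return {k: cur[k]["dropped"] - prev[k]["dropped"]
            for k in cur if k in prev and "dropped" in cur[k] and "dropped" in prev[k]}


def read_live():
    """Read the kernel's queue statistics (needs root on a pf host)."""
    return subprocess.run(["pfctl", "-vvs", "queue"], capture_output=True,
                          text=True, check=True).stdout


def sample(interval_s, count, reader=read_live, out=sys.stdout):
    """Poll `reader` every interval_s seconds (e.g. 0.1); write CSV rows to `out`
    (None to suppress) and return them as (t, queue, qlen, qlimit, dropped_delta)."""
    rows, prev = [], None
    next_t = time.monotonic()
    if out is not None:
        out.write("t_monotonic,queue,qlen,qlimit,dropped_delta\n")
    for _ in range(count):
        now = time.monotonic()
        snap = parse_queues(reader())
        deltas = drop_deltas(prev, snap) if prev else {}
        for name, q in snap.items():
            row = (now, name, q.get("qlen"), q.get("qlimit"), deltas.get(name, 0))
            rows.append(row)
            if out is not None:
                out.write(",".join(str(v) for v in row) + "\n")
        prev = snap
        next_t += interval_s                       # fixed schedule, no drift
        time.sleep(max(0.0, next_t - time.monotonic()))
    return rows


if __name__ == "__main__":
    # Replace reader=lambda: SAMPLE with the default to poll a real pf host.
    sample(0.1, 3, reader=lambda: SAMPLE)
```

Forking pfctl ten times a second is cheap next to a 622 Mb/s queue, but each call is still an ioctl that snapshots the queue at one instant, so what this logs is a series of point samples, not a continuous trace; for a queue that fills and drains inside a 100 ms tick, the drop delta column is the more reliable signal than the sampled qlength.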
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 14:45:59 2009
From: Yuriy Grishin
To: Jay Aikat
Cc: freebsd-pf@freebsd.org
Date: Sat, 28 Mar 2009 18:45:54 +0400
Message-ID: <49CE3822.409@minselhoz.samara.ru>
In-Reply-To: <49CE29DB.7010803@unc.edu>
Subject: Re: pftop queue stats

Jay Aikat wrote:
> Hi,
> I am looking for a way to log queue stats at less than 1 second
> intervals.
>
> On my FreeBSD router, the pf.conf file is configured as follows:
> > altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
> > queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)
>
> Using pftop, I can get queue lengths per second at best.
> $ pftop -s 1 -v queue -d 1000 > pftop.out > > Is there an option in pftop to log stats per millisecond, or even > 100ms? The -s option above seems to default to 1 second at best. > > Thanks for any pointers you can give me. I suppose that there should be some pre-defined variables in the source code. BTW Why do you use an extremely large qlimit? From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 14:52:17 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 08F881065670 for ; Sat, 28 Mar 2009 14:52:17 +0000 (UTC) (envelope-from ja@unc.edu) Received: from mxpm.isis.unc.edu (mxp3.isis.unc.edu [152.2.2.161]) by mx1.freebsd.org (Postfix) with ESMTP id A12338FC0A for ; Sat, 28 Mar 2009 14:52:16 +0000 (UTC) (envelope-from ja@unc.edu) Received: from smtp.unc.edu (smtpsrv2.isis.unc.edu [152.2.2.250]) by mxp3.isis.unc.edu (8.14.3/8.14.3) with ESMTP id n2SEqFGG021271; Sat, 28 Mar 2009 10:52:15 -0400 Received: from [152.2.131.30] (aikat-pc.cs.unc.edu [152.2.131.30]) (authenticated bits=0) by smtp.unc.edu (8.14.3/8.14.3) with ESMTP id n2SEqEHM000262; Sat, 28 Mar 2009 10:52:15 -0400 (EDT) Message-ID: <49CE399C.2080406@unc.edu> Date: Sat, 28 Mar 2009 10:52:12 -0400 From: Jay Aikat Organization: University of North Carolina at Chapel Hill User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Yuriy Grishin References: <49CE29DB.7010803@unc.edu> <49CE3822.409@minselhoz.samara.ru> In-Reply-To: <49CE3822.409@minselhoz.samara.ru> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-03-28_05:2009-03-27, 2009-03-28, 2009-03-27 signatures=0 X-Proofpoint-Spam-Details: rule=uncdefault_notspam policy=uncdefault score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx 
engine=5.0.0-0811170000 definitions=main-0903280066 Cc: freebsd-pf@freebsd.org Subject: Re: pftop queue stats X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Mar 2009 14:52:17 -0000 The large queue limit is just for testing purposes. Once I figure out this logging of the queue at better granularity, I plan to have more realistic queue limits. These are for experiments I am running in our lab to study network traffic characteristics and the effect of that on router queuing - just FYI. Thanks. Yuriy Grishin wrote: > Jay Aikat wrote: >> Hi, >> I am looking for a way to log queue stats at less than 1 second >> intervals. >> >> On my FreeBSD router, the pf.conf file is configured as follows: >> > altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 } >> > queue tcp_q1 on $ext_if1 qlimit 65535 priq (default) >> >> Using pftop, I can get queue lengths per second at best. >> $ pftop -s 1 -v queue -d 1000 > pftop.out >> >> Is there an option in pftop to log stats per millisecond, or even >> 100ms? The -s option above seems to default to 1 second at best. >> >> Thanks for any pointers you can give me. > > I suppose that there should be some pre-defined variables in the source > code. > BTW Why do you use an extremely large qlimit? 
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 15:08:28 2009
Message-ID: <49CE3D6B.90503@minselhoz.samara.ru>
Date: Sat, 28 Mar 2009 19:08:27 +0400
From: Yuriy Grishin
To: Jay Aikat
Cc: freebsd-pf@freebsd.org
In-Reply-To: <49CE399C.2080406@unc.edu>
Subject: Re: pftop queue stats

Jay Aikat wrote:
> The large queue limit is just for testing purposes. Once I figure out
> this logging of the queue at better granularity, I plan to have more
> realistic queue limits.
>
> These are for experiments I am running in our lab to study network
> traffic characteristics and the effect of that on router queuing -
> just FYI.
>
> Thanks.

I see....

There is no simple way to use a value less than 1 with the "-s" parameter because:

**********pftop.c***********
        case 's':
                delay = atoi(optarg);
                if (delay < 1)
                        delay = 1;
                break;
**********pftop.c***********
and:
**********engine.c**********
int delay = 5;
**********engine.c**********

Although, you can rewrite the program.

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 15:13:31 2009
Message-ID: <49CE3E97.3020509@unc.edu>
Date: Sat, 28 Mar 2009 11:13:27 -0400
From: Jay Aikat
Organization: University of North Carolina at Chapel Hill
To: Yuriy Grishin
Cc: freebsd-pf@freebsd.org
In-Reply-To: <49CE3D6B.90503@minselhoz.samara.ru>
Subject: Re: pftop queue stats

Thank you. This is very helpful to know. I guess I'll just have to rewrite it then. Appreciate your help with this.

Yuriy Grishin wrote:
> Jay Aikat wrote:
>> The large queue limit is just for testing purposes. Once I figure out
>> this logging of the queue at better granularity, I plan to have more
>> realistic queue limits.
>>
>> These are for experiments I am running in our lab to study network
>> traffic characteristics and the effect of that on router queuing -
>> just FYI.
>>
>> Thanks.
>
> I see....
>
> There is no simple way to use a value less than 1 with the "-s" parameter
> because:
>
> **********pftop.c***********
>         case 's':
>                 delay = atoi(optarg);
>                 if (delay < 1)
>                         delay = 1;
>                 break;
> **********pftop.c***********
> and:
> **********engine.c**********
> int delay = 5;
> **********engine.c**********
>
> Although, you can rewrite the program.
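The clamp Yuriy quotes is the whole obstacle: pftop reads -s with atoi(), so "-s 0.1" becomes 0 and is raised to 1, and "-s abc" is raised to 1 as well, with no error in either case. The following is an added example, not pftop's code and not something either poster wrote, of how the two pieces a rewrite has to touch could look: an option parser that accepts a fractional number of seconds and rejects junk, and a select()-based wait that takes the interval in microseconds instead of the whole-second "delay" from engine.c. The helper names (parse_interval_us, interval_to_timeval, sleep_interval), the 10 ms floor and the one-hour ceiling are this example's assumptions; main() only measures the real spacing between wake-ups, which is the check worth running before trusting 100 ms samples, since the time the per-queue statistics fetch takes on the host bounds how fine the sampling can usefully be.

```c
/*
 * Added example (not pftop's code): accept a fractional "-s" interval.
 *
 * pftop parses -s with atoi() and clamps anything below 1 to 1 second, so
 * "-s 0.1" silently becomes "-s 1" and so does "-s abc". A rewrite for
 * sub-second sampling changes the option parser and the wait in the refresh
 * loop, which must take microseconds instead of the whole-second "delay".
 * The helper names, the 10 ms floor and the select()-based wait are this
 * example's own choices, not pftop's.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>

#define MIN_INTERVAL_US 10000L                 /* 10 ms floor (assumption)   */
#define MAX_INTERVAL_US (3600L * 1000000L)     /* one hour ceiling           */

/*
 * Parse a decimal seconds value ("1", "0.1", "0.25") into microseconds.
 * Unlike atoi(), trailing garbage, negative values and non-numbers are
 * rejected with -1 instead of being turned into a default. Values below the
 * floor are raised to it, the same policy as pftop's
 * "if (delay < 1) delay = 1", only with a finer floor.
 */
long parse_interval_us(const char *arg)
{
    char *end;
    double sec, us;
    long result;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    sec = strtod(arg, &end);
    if (errno != 0 || end == arg || *end != '\0' || sec < 0.0 || sec != sec)
        return -1;                            /* junk, range error or NaN   */
    us = sec * 1e6;
    if (us > (double)MAX_INTERVAL_US)
        return MAX_INTERVAL_US;
    result = (long)(us + 0.5);                /* round to nearest microsecond */
    if (result < MIN_INTERVAL_US)
        result = MIN_INTERVAL_US;
    return result;
}

/* The refresh loop needs a struct timeval, not an int number of seconds. */
struct timeval interval_to_timeval(long us)
{
    struct timeval tv;

    tv.tv_sec = us / 1000000L;
    tv.tv_usec = us % 1000000L;
    return tv;
}

/*
 * Wait one interval. select() with no descriptors is a sub-second sleep
 * that works on the BSDs; in pftop the same call would also watch stdin
 * for keystrokes. Returns 0 on success, -1 on a real error (EINTR is not).
 */
int sleep_interval(long us)
{
    struct timeval tv = interval_to_timeval(us);

    if (select(0, NULL, NULL, NULL, &tv) < 0 && errno != EINTR)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct timeval prev, now;
    long us, elapsed;
    int i;

    us = parse_interval_us(argc > 1 ? argv[1] : "0.1");
    if (us < 0) {
        fprintf(stderr, "usage: %s seconds (e.g. 0.1)\n", argv[0]);
        return 1;
    }
    /* Take a few samples and report the real spacing between wake-ups. */
    gettimeofday(&prev, NULL);
    for (i = 0; i < 5; i++) {
        if (sleep_interval(us) < 0) {
            perror("select");
            return 1;
        }
        gettimeofday(&now, NULL);
        elapsed = (now.tv_sec - prev.tv_sec) * 1000000L
                + (now.tv_usec - prev.tv_usec);
        printf("sample %d: requested %ld us, actual %ld us\n", i, us, elapsed);
        prev = now;
        /* a real rewrite fetches and prints the queue stats here */
    }
    return 0;
}
```

Run it as "./a.out 0.1" and compare the "actual" column with the requested value; the difference is the scheduling jitter the log will carry, before the cost of fetching the queue statistics is added on top.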
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 28 17:52:54 2009
Message-ID: <49CE63F4.5010906@minselhoz.samara.ru>
Date: Sat, 28 Mar 2009 21:52:52 +0400
From: Yuriy Grishin
To: Jay Aikat
Cc: freebsd-pf@freebsd.org
In-Reply-To: <49CE3E97.3020509@unc.edu>
Subject: Re: pftop queue stats

Jay Aikat wrote:
> Thank you. This is very helpful to know. I guess I'll just have to
> rewrite it then. Appreciate your help with this.
>
Not at all.