Hello Everyone!! Maybe it's not the first time you read about it, but these are my first lessons with ipf rules. I have to "kill" or block the MSN service, but only for a few IPs, not for all. Do you know the way to do this? I tried with:

block out proto tcp from any to 192.168.1.10 port=1863

Surely I am making a mistake. I thank you for your opinions.

Flor.
From: [EMAIL PROTECTED]
Subject: freebsd-pf Digest, Vol 145, Issue 3
To: [EMAIL PROTECTED]
Date: Wed, 4 Jul 2007 12:00:26 +0000

Send freebsd-pf mailing list submissions to freebsd-pf@freebsd.org. To subscribe or unsubscribe via the World Wide Web, visit http://lists.freebsd.org/mailman/listinfo/freebsd-pf or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]. You can reach the person managing the list at [EMAIL PROTECTED]. When replying, please edit your Subject line so it is more specific than "Re: Contents of freebsd-pf digest..."

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 15:24:58 +0200
Subject: Re: HEADSUP: pf 4.1 import

On Tuesday 03 July 2007, Max Laier wrote:
> Users of pf should hold off a bit as I plan to commit a tiny ABI break
> after the update is finished in order to be able to add netgraph
> support in the future. After that a full "buildworld buildkernel
> installkernel installworld mergemaster"-run is advised.
>
> Will send an all clear when done.

This is it. Though my post-commit build is still running, things should be alright again. Users of pf please note that tcpdump and libpcap need additional patches that need to go through the vendor first. I'm trying to get things moving there, but for the time being, please use the attached patch to understand the new pflog format. Anyone with hands at tcpdump.org? Help appreciated!

--
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 15:32:09 +0200
Subject: Re: HEADSUP: pf 4.1 import

In case you wondered, too. The signature on my last message was bad because the "list"
applied the following cleanup:

-Content-Type: text/x-diff; charset="iso-8859-6"; - name="pf.41.tcpdump_local.diff" +Content-Type: text/x-diff; + charset="iso-8859-6"; + name="pf.41.tcpdump_local.diff"

The patch is good - there is no conspiracy ;)

--
Max Laier

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 15:34:49 +0200
Subject: Re: Current problem reports assigned to you

I'll ask all owners of pf-related PRs to reevaluate the problem in light of the update. It's unlikely that fixes can easily be backported, but I will try if positive feedback is available.

--
Max Laier

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 19:23:13 +0300
Subject: ALTQ + CBQ -> http & ftp

Hello everyone.

Probably this is not the first email on this topic, so I'll be brief:
I have the following queues:

altq on xl0 cbq bandwidth 5000Kb queue { def, ftp, http, ssh, icmp, ack }
queue ack bandwidth 50Kb priority 7 cbq(borrow)
queue ssh bandwidth 50Kb priority 6 { ssh_login, ssh_bulk }
  queue ssh_login bandwidth 25% priority 6 cbq(borrow)
  queue ssh_bulk bandwidth 75% priority 5 cbq(borrow)
queue http bandwidth 4000Kb priority 5 cbq
queue ftp bandwidth 390Kb priority 2 cbq(borrow)
queue def bandwidth 500Kb priority 1 cbq(default)
queue icmp bandwidth 10Kb priority 0 cbq
...
and these rules for http & ftp traffic:

pass in log-all quick on $ext_if1 proto tcp from any to <jails> port {80, 8080} flags S/SA synproxy state queue http

pass in log quick on $ext_if1 proto tcp from any to <jails> port ftp flags S/SA synproxy state
pass out log-all quick on $ext_if1 proto {tcp,udp} from $external_addr1 \
    to any port 65530:65534 flags S/SA keep state queue ftp

The thing is that ftp is in passive mode and when there is traffic both on http & ftp each type of transfer has ~50% of the bandwidth, so the higher priority from the http queue doesn't apply at all.

Does anyone have any suggestion for the rules above?

Thank you in advance for your patience and wisdom :)

Andrei.

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 20:46:56 +0400
Subject: Re: pf 4.1 Update available for testing

Nate, Max, good day.

Wed, Jun 20, 2007 at 11:04:23PM +0400, Eygene Ryabinkin wrote:
> This error can potentially be responsible to the weird bandwidth
> values I am having with the altq on my notebook. The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry. Maybe I will be able to set up
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests will be carried.

At last, carried the tests. No luck: still seeing weird bandwidth numbers as compared with the setting in the pf.conf.

But still, the second issue about non-initialized variables can be committed: it will not harm. What do you both think?
Thank you.
--
Eygene

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 11:18:45 -0700
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> [...]
>
> At last, carried the tests. No luck: still seeing weird
> bandwidth numbers as compared with the setting in the pf.conf.
>
> But still, the second issue about non-initialized variables
> can be committed: it will not harm. What do you both think?
>
> Thank you.

I'm reviewing your patch; started yesterday. I think it can be done simpler. I'll get back to you today.
--
Nate

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 15:35:22 -0300
Subject: Re: ALTQ + CBQ -> http & ftp

On 03/07/07, Andrei Manescu <[EMAIL PROTECTED]> wrote:
> Hello everyone.
>
> Probably this is not the first email on this topic, so I'll be brief:
> I have the following queues:
>
> [...]
>
> The thing is that ftp is in passive mode and when there is traffic both on http & ftp each type of transfer has ~50% of the bandwidth, so the higher priority from the http queue doesn't apply at all.
>
> Does anyone have any suggestion for the rules above?
>
> Andrei.

How much is the traffic each connection??
--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Tue, 3 Jul 2007 15:24:17 -0700
Subject: Re: pf 4.1 Update available for testing

Eygene Ryabinkin wrote:
> Nate, Max, good day.
>
> Wed, Jun 20, 2007 at 07:26:09PM +0400, Eygene Ryabinkin wrote:
>> Fine, thanks! So, you're happy with the way the problem was fixed?
>> I see that another function that uses tbr_callout is tbr_timeout,
>> but it will not be called before tbr_set. So it seems to me that
>> callout initialisation only in tbr_set is enough. But maybe I am
>> missing something?
>
> After some thinking I came to the idea that one more patch must be
> applied. The variables machclk_usepcc and machclk_per_tick can be
> left uninitialised following the same codepath as for tbr_callout:
> tsc_freq_changed() touches only machclk_freq, but init_machclk
> touches all three variables.
>
> This error can potentially be responsible to the weird bandwidth
> values I am having with the altq on my notebook. The issue is
> described on the thread
> http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070730.html
> Basically, I am setting one BW limit in pf.conf and seeing another
> one (much lower) via the ifstat utility.
>
> I was able only to test the compilation of the new patched kernel.
> No bandwidth tests were done: I have no access to the fast LAN link
> up to the Monday, 24th, sorry. Maybe I will be able to set up
> ng_eiface and test with it, but I am not fluent with the netgraph.
> Will post an update if tests will be carried.
>
> But I am pretty sure that the altq_subr.c should be patched to
> properly handle the initialization of these two variables. The
> only question is how to do it: via my patch or using some different
> strategy.
>
> No more words, the patch is attached. Comments are welcome!

I have tried to achieve the same goal with a simpler patch.
Here are the changes:

Be sure to initialize the callout struct and other setup tasks before proceeding. Previously, machclk_freq could be set to a non-zero value by tsc_freq_changed(), preventing the callout from being initialized. To fix this, call init_machclk() from all paths. init_machclk() is split into two functions, one that only runs the first time it is called. The second half runs each time the frequency changes and calibrates various items. Also, static variables are zero so no need to initialize them.

If you can test this, that would be great.

Thanks,
--
Nate

-- Forwarded message attachment --
From: [EMAIL PROTECTED]
Date: Wed, 4 Jul 2007 09:26:40 +0400
Subject: using pfctl -s labels and keep state for traffic accounting

Hi,

I'm going to use pf's label feature for traffic accounting, i.e. creating an anchor for being able to add/remove rules with labels on the fly and parse the output of pfctl -s labels. However, I spotted some problems with such an approach. When using 'keep state' it seems to have some limitations. First of all, it doesn't seem to allow to account in only one direction. Well, it was expected because states work that way. But calculating traffic in both directions gives strange results too. I have a rule:

pass log quick on $ext_if proto tcp from self to some_host port https label "labels:test"

I have a file on https which I download. After the first try it gives:

labels:test 284 23 2943

Then I add 'keep state', reload the rules file, check if the counters are zeroed and download the same file again and get:

labels:test 3 46 29427

Why does it happen that way? BTW, are there some other limitations to the approach of traffic accounting based on pf labels?
Roman Bogorodskiy
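As an added example (not code from this thread or from pf itself) of the accounting approach Roman describes, this parses `pfctl -s labels` lines such as the two quoted above into per-label counters and computes usage between two snapshots; `parse_labels`, `account` and the reset detection are this example's own, and the three-column line layout is taken from the post. The two quoted lines differ because, with `keep state`, pf credits the rule that created a state with every packet matched by that state in both directions, whereas the stateless rule only counted the outbound packets that matched it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two `pfctl -s labels` lines quoted in the post,
# first without 'keep state', then (after a ruleset reload) with it.
SNAPSHOT_BEFORE = "labels:test 284 23 2943\n"
SNAPSHOT_AFTER = "labels:test 3 46 29427\n"

@dataclass(frozen=True)
class LabelCounters:
    evaluations: int  # times the rule was evaluated
    packets: int      # packets credited to the rule, or to states it created
    bytes: int        # bytes credited likewise

# <label> <evaluations> <packets> <bytes>; extra numeric columns printed by
# newer pf releases are accepted and ignored (label matched lazily).
LINE_RE = re.compile(r"^(.*?)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\d+)*$")

def parse_labels(output: str) -> dict:
    """Parse `pfctl -s labels` text into {label: LabelCounters}."""
    counters = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable pfctl label line: {line!r}")
        counters[m.group(1)] = LabelCounters(*(int(g) for g in m.groups()[1:]))
    return counters

def account(before: str, after: str) -> dict:
    """Per-label usage between two snapshots (this example's own logic).

    pf zeroes the counters when the ruleset is reloaded, so a label whose
    evaluation count went down is treated as reset and its absolute values
    are reported; a label seen only in `after` is counted absolutely too.
    """
    old, new = parse_labels(before), parse_labels(after)
    usage = {}
    for label, cur in new.items():
        prev = old.get(label)
        if prev is None or cur.evaluations < prev.evaluations:
            usage[label] = {"bytes": cur.bytes, "packets": cur.packets, "reset": True}
        else:
            usage[label] = {"bytes": cur.bytes - prev.bytes,
                            "packets": cur.packets - prev.packets, "reset": False}
    return usage
```

For the two quoted snapshots the evaluation count fell from 284 to 3, so `account` reports the second line's absolute values (29427 bytes, 46 packets) rather than a difference.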