RE: pf rdr not redirecting completely

2009-03-24 Thread Patrick Goggins
The problem is with the client being behind the transparent bridged interface; the management interface is not part of the bridge, and when clients hit the rdr rule without hitting the IP stack it will not work without an addressed bridge. To work-around this I've noticed some referencing to u

Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

2009-03-24 Thread Deomid Ryabkov
Max Laier wrote: On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote: I have a machine with nc running through it. With pf disabled, I see 960-970 mbit/s through it (as reported by systat -ifstat). Just having pf enabled, with empty ruleset: # pfctl -vs nat # pfctl -vs rules # reduces

Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

2009-03-24 Thread Max Laier
On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote: > I have a machine with nc running through it. > With pf disabled, I see 960-970 mbit/s through it (as reported by systat > -ifstat). > Just having pf enabled, with empty ruleset: > > # pfctl -vs nat > # pfctl -vs rules > # > > reduces throu

8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

2009-03-24 Thread Deomid Ryabkov
I have a machine with nc running through it. With pf disabled, I see 960-970 mbit/s through it (as reported by systat -ifstat). Just having pf enabled, with empty ruleset: # pfctl -vs nat # pfctl -vs rules # reduces throughput to about 700 mbit. This seems wrong. Any ideas why this might be ha

Re: first firewall with pf

2009-03-24 Thread forn
"block in quick on $ext_if all" being the last and "block in on $ext_if all" being the first do absolutely the same thing. No point in changing. Eric, you might want to just do "set skip on lo" instead of allowing all through it, and add "scrub in" to normalize packets coming in. Dave Feuste

Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

2009-03-24 Thread forn
The problem is known and not fixed for 2 years?! I'm starting to think that replacing my Linux router with FreeBSD is not such a good idea at all. Peter wrote: Saw that. First I thought "definitely must be fixed by now, I'm doing something wrong"... Then, hmmm...does OpenBSD example w

Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

2009-03-24 Thread Peter
> Peter wrote: >> Hi, >> cbq does not work as advertised >> child will not borrow from parent unless parent borrows from root >> So a tree did not work: >> root >> parent1 >> p1.child1(borrow) >> p1.child2(borrow) >> parent2 >> p2.child1(borrow) >> p2.child2(borrow) >> >> *chi

Re: first firewall with pf

2009-03-24 Thread Dave Feustel
On Tue, Mar 24, 2009 at 06:47:40PM +0300, Eric Magutu wrote: > does the rule to block all other traffic have to be explicitly mentioned? > > On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote: > > > Thanks I'll change that > > > > > > On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote: > > > >>

RE: first firewall with pf

2009-03-24 Thread Michael K. Smith - Adhost
Hello: > # > #interfaces # > # > ext_if="bce0" > ext_if2="bce1" > I would also define your inside interface(s), not just your outside. Let's call it "bce2" for the example: int_if="bce2" > > # > #allow all connections fro

Re: first firewall with pf

2009-03-24 Thread Peter
> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote: > [snip] >> >> ## >> #block all other traffic # >> ## >> >> # should be last rule >> >> block in quick on $ext_if all >> >> > > This should not be the last rule. PF implements the rules in a > t

Re: first firewall with pf

2009-03-24 Thread Eric Magutu
Hi Mike, I will make the changes, there is no internal interface though. Yes I meant SMTP Thanks for your input On Tue, Mar 24, 2009 at 6:56 PM, Michael K. Smith - Adhost < mksm...@adhost.com> wrote: > Hello: > > > > > # > > #interfaces # > > # > > ext_if="bce0" > > ext_i

Re: SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

2009-03-24 Thread Pojken Purken
Peter wrote: > Hi, > cbq does not work as advertised > child will not borrow from parent unless parent borrows from root > So a tree did not work: > root > parent1 > p1.child1(borrow) > p1.child2(borrow) > parent2 > p2.child1(borrow) > p2.child2(borrow) > > *child* does not b

Re: first firewall with pf

2009-03-24 Thread Glen Barber
On Tue, Mar 24, 2009 at 11:47 AM, Eric Magutu wrote: > does the rule to block all other traffic have to be explicitly mentioned? > Yes. -- Glen Barber ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsu

Re: first firewall with pf

2009-03-24 Thread Eric Magutu
does the rule to block all other traffic have to be explicitly mentioned? On Tue, Mar 24, 2009 at 6:27 PM, Eric Magutu wrote: > Thanks I'll change that > > > On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote: > >> On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote: >> [snip] >> > >> > ###

Re: first firewall with pf

2009-03-24 Thread Glen Barber
On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote: [snip] > > ## > #block all other traffic # > ## > > # should be last rule > > block in quick on $ext_if all > > This should not be the last rule. PF implements the rules in a top-down fashion, wh

SOLVED-pf + altq + cbq(borrow) not borrowing from parent - all LAN

2009-03-24 Thread Peter
Hi, cbq does not work as advertised. child will not borrow from parent unless parent borrows from root. So a tree did not work: root parent1 p1.child1(borrow) p1.child2(borrow) parent2 p2.child1(borrow) p2.child2(borrow) *child* does not borrow, unless parent is set to borrow f

Re: first firewall with pf

2009-03-24 Thread Eric Magutu
Thanks I'll change that On Tue, Mar 24, 2009 at 6:20 PM, Glen Barber wrote: > On Tue, Mar 24, 2009 at 10:47 AM, Eric Magutu wrote: > [snip] > > > > ## > > #block all other traffic # > > ## > > > > # should be last rule > > > > block in quick on $ex

first firewall with pf

2009-03-24 Thread Eric Magutu
Hi, I am converting some systems from Linux to FreeBSD and I'm new to pf. I wanted to run this on a live system but I'm not sure if everything is correct. Can you please advise me if it would work and if there is anything I need to add or remove to make it work. I have written the following pf.conf