Re: carp between RELENG_6 and RELENG_7

On Wed, Apr 2, 2008 at 7:57 AM, Mike Tancsa <[EMAIL PROTECTED]> wrote: > Does anyone know if there are there any issues running a pair of FreeBSD > boxes, one RELENG_6 and one RELENG_7 in carp failover ? Are there any > compatibility issues ? I believe the pfsync protocol version (and correspondi

Re: Res: Res: Dropped Packets

On Fri, Mar 7, 2008 at 4:40 PM, Lorenz Helleis <[EMAIL PROTECTED]> wrote: > This is an internal firewall... I think the entry in the table session is > desapearing, so the client needs to make > another conection. I´m thinking > about create a stateless rule. I suspect this will only decrease

Re: LOR in pf on 6.2

On Jan 29, 2008 1:35 PM, Max Laier <[EMAIL PROTECTED]> wrote: > From the pf.conf(5) in RELENG_6_2: > > BUGS > Due to a lock order reversal (LOR) with the socket layer, the use of the > group and user filter parameter in conjuction with a Giant-free netstack > can result in a deadlock. If you

LOR in pf on 6.2

Been having some kernel locks on some machines at work, not sure if this LOR is related (and I see an XXX LOR comment in the code too, so I'm guessing it's been seen before) although I have certainly had some of the machines lock during bootup right around the place that this LOR prints out. Jan 2

Re: pfsync errors

On 9/5/07, Max Laier <[EMAIL PROTECTED]> wrote: > > Another way to go is setting the queuelength for the internal processing > queue to something insanely high (1000+). This will most likely work > around the problem at the cost of burning (mbuf) memory. Assuming mbuf memory is essentially free t

Re: pfsync errors

On 9/5/07, Rian Shelley <[EMAIL PROTECTED]> wrote: > As far as I can tell, am having the same problem described by bill > marquette. I have two firewalls using pfsync, where the secondary > firewall just increases its state count steadily. > > I created a simple libpcap progra

Re: pfsync errors

On 8/28/07, Max Laier <[EMAIL PROTECTED]> wrote: > > I'm going to toy with some settings for the em(4) driver in > > loader.conf and see if I can raise the txd and rxd descriptors since > > we're not running on 82542 or 82543 chipped hardware we can go above > > 256 descriptors. Raised it to 4096

Re: pfsync errors

On 8/27/07, Bill Marquette <[EMAIL PROTECTED]> wrote: > > > Here's what we get with the patch: > > > pfsync_senddef: ip_output 64 > > > > that's EHOSTDOWN ... that's strange. Are you using syncpeer? After converting both sides to using syncpee

Re: pfsync errors

On 8/27/07, Max Laier <[EMAIL PROTECTED]> wrote: > On Tuesday 28 August 2007, Bill Marquette wrote: > > On 8/22/07, Max Laier <[EMAIL PROTECTED]> wrote: > > > There are two reasons why we increase the send error counter. Either > > > the internal deferre

Re: pfsync errors

On 8/22/07, Max Laier <[EMAIL PROTECTED]> wrote: > There are two reasons why we increase the send error counter. Either the > internal deferred work queue is full or ip_output fails. Could you > locate "pfsyncstats.pfsyncs_oerrors++" in your source code and replace > either occurrence with a prin

Re: pfsync errors

On 8/22/07, Max Laier <[EMAIL PROTECTED]> wrote: > There are two reasons why we increase the send error counter. Either the > internal deferred work queue is full or ip_output fails. Could you > locate "pfsyncstats.pfsyncs_oerrors++" in your source code and replace > either occurrence with a prin

pfsync errors

For the last two days I've been troubleshooting a wierd issue where my secondary firewall in a pfsync/carp cluster isn't maintaining a state table similar in size to the primary - it's slowly increasing to the max size. I think I've finally tracked it down to ip_output() returning an error, but at

ng_tag and pf?

Is it possible to use ng_tag in conjunction with pf? I have a setup in OpenBSD currently where I use the bridge interface to apply a tag to a packet based on the mac address so that when pf gets the packet it can apply a reply-to rule to it to keep traffic flows symmetric (the upstream device(s)

Re: How to balance my own outgoing traffic?

On 3/27/07, Eduardo Meyer <[EMAIL PROTECTED]> wrote: Yes, round-robin will do. My problem is how to do this, I have tried the following kiind of approach: pass out on $ext_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $myown to any flags S/SA modulate state

Re: pf altq not showing root traffic

On 10/29/06, Gloomy Group <[EMAIL PROTECTED]> wrote: Heloo bill Can you point me what's wrong in my configuration. As I want to graph total bandwidth and each client individual bandwidth. But as there is any traffic in root queue I can't view the actuall total traffic of all clients. Can you gui

Re: pf altq not showing root traffic

On 10/29/06, Gloomy Group <[EMAIL PROTECTED]> wrote: Hi, I have setup pf and altq traffic shapping on freebsd 6.1. my configuration is as follows; ext_if="rl0" int_if="rl1" table {192.168.0.1/27} scrub in all altq on $int_if hfsc bandwidth 912Kb queue{client1_down, default_down} altq on $ext

Re: NEW IDEAS

On 9/8/06, Rajkumar S <[EMAIL PROTECTED]> wrote: On 9/8/06, Max Laier <[EMAIL PROTECTED]> wrote: > On Thursday 07 September 2006 20:21, KES wrote: > > Archie Cobbs <[EMAIL PROTECTED]> wrote: > > >>KES wrote: > > >> How about 'ALTQ' node? or may be 'queue' node > > >> for packets scheduling > Th

Re: Exceeded Allotted Memory

On 8/28/06, beno <[EMAIL PROTECTED]> wrote: Hi; In trying to enable/run my pf ruleset with a rather large table I get an error that states that table is too large to load into memory. What's your definition of "rather large"? What memory? What do I need to free up? System memory and who kn

Re: Never Ask Questions On A Friday Afternoon

On 8/21/06, beno <[EMAIL PROTECTED]> wrote: > Daniel supplied the pointer to one (of several) threads on this matter > above. > You must be referring to this URL: http://marc.theaimsgroup.com/?t=11484264352&r=1&w=2 Unfortunately, it doesn't load, so that's not of any use. Loads here, your I

Re: Re: "Reset" Script, Anyone?

On 8/13/06, Volker <[EMAIL PROTECTED]> wrote: On 12/23/-58 20:59, James Seward wrote: > On 8/11/06, beno <[EMAIL PROTECTED]> wrote: >> I am half a world away from my console. If I make a mistake entering my >> PF rules, I could lock myself out. It would be nice if I had a script I >> could activa

Re: IP Address List

On 8/13/06, beno <[EMAIL PROTECTED]> wrote: Travis H. wrote: > Read http://catb.org/~esr/faqs/smart-questions.html > Then see the pf FAQ. > Try loading it, then displaying the rules it loaded. > This mlist is for questions that can't be answered by simple things > like that. Actually, all mailin

Re: firewall

On 8/11/06, Mihai Velicu <[EMAIL PROTECTED]> wrote: Which firewall is the best : IPFILTER or PF ? Regards, Mihai That's kind of like asking which shoes are the best, Nike or Adidas. It's a preference, both are good. You'll need to figure out which one feels best to you. --Bill ___

Re: promt solution with max-src-conn-rate

On 5/15/06, GreenX FreeBSD <[EMAIL PROTECTED]> wrote: > I'd advise against what you're trying to do. It won't make your box > more secure. Why? Simply so, on ssh you will not come any more. If I am not mistaken, probability of that the scanner will begin the check with "key" port, and further at

Re: PF Version

On 4/10/06, N. Ersen SISECI <[EMAIL PROTECTED]> wrote: > > Hi, > > Is it possible to someone to tell me which OpenBSD PF version is used > in 5.4, 5.5, 6.0 and 6.1? > > For example, > FreeBSD 5.4 -> OpenBSD 3.6 > FreeBSD 5.5 -> ?? > FreeBSD 6.0 -> ?? > FreeBSD 6.1 -> ?? More or less 3.7 (I seem t

Re: Log tag

On 4/4/06, husnu demir <[EMAIL PROTECTED]> wrote: > > On Tue, Apr 04, 2006 at 08:10:30AM -0500, Bill Marquette wrote: > > On 4/4/06, Bill Marquette <[EMAIL PROTECTED]> wrote: > > > On 4/4/06, N. Ersen SISECI <[EMAIL PROTECTED]> wrote: > > > > &g

Re: Log tag

On 4/4/06, Bill Marquette <[EMAIL PROTECTED]> wrote: > On 4/4/06, N. Ersen SISECI <[EMAIL PROTECTED]> wrote: > > > > > > Hi, > > > > Is it possible to label the log entries? > > We can do it in IPF with set-tag (log=48). > > Is there a sim

Re: Log tag

On 4/4/06, N. Ersen SISECI <[EMAIL PROTECTED]> wrote: > > > Hi, > > Is it possible to label the log entries? > We can do it in IPF with set-tag (log=48). > Is there a similiar method in PF? > > > IPF Rule: > pass in log first quick on bge0 proto tcp from any to 10.1.2.3 port = 22 > flags S/SA keep

Re: Traffic mysteriously dropping

On 3/31/06, Christopher McGee <[EMAIL PROTECTED]> wrote: > A quick follow up since I realize I left out a little detail. I have > tried this on 5.4-RELEASE-p8 and 6.0-RELEASE-p6. I've been trying to > get altq working properly also, but it's been disabled until I work out > the above problem. > >

Re: HFSC issues in RELENG_6

On 2/26/06, Andrew Thompson <[EMAIL PROTECTED]> wrote: > On Sat, Feb 25, 2006 at 10:12:55PM -0600, Bill Marquette wrote: > > On 2/25/06, Andrew Thompson <[EMAIL PROTECTED]> wrote: > > > You may want to test with another network card to verify that sis(4) is > &g

Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance

The following reply was made to PR kern/93829; it has been noted by GNATS. From: "Bill Marquette" <[EMAIL PROTECTED]> To: "Jon Simola" <[EMAIL PROTECTED]> Cc: freebsd-pf@freebsd.org, [EMAIL PROTECTED] Subject: Re: kern/93829: [carp] pfsync state time problem with C

Re: kern/93829: [carp] pfsync state time problem with CARP + Arp.Balance

On 2/26/06, Jon Simola <[EMAIL PROTECTED]> wrote: > On 2/25/06, Mark Linimon <[EMAIL PROTECTED]> wrote: > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=93829 > > > pfsync0: flags=41 mtu 1348 > >pfsync: syncdev: fxp0 syncpeer: 15.1.1.1 maxupd: 128 > > > ### Pfsync Rule > > pass quick on { e

Re: HFSC issues in RELENG_6

On 2/25/06, Andrew Thompson <[EMAIL PROTECTED]> wrote: > You may want to test with another network card to verify that sis(4) is > actually working correctly with ALTQ. I am having ALTQ problems which > went away when using a xl(4) card. I am waiting for a sis card to arrive > in the mail so I can

HFSC issues in RELENG_6

I've been having massive issues with HFSC for a while. I finally spent some time working on it this weekend. I'm testing by using my VOIP phone with a 90Kb codec. Here's a stripped down config that works perfectly: altq on sis1 hfsc(upperlimit 768Kb) queue { qWANdef } altq on sis0 hfsc(upperlimi

Re: Hfsc configuration problems

On 2/22/06, Jon Simola <[EMAIL PROTECTED]> wrote: > Leave out the linkshare and bandwidth, just use realtime and > upperlimit. And the priority of the queues matters, in the above each > of the queues can go as high as 81Mb (90% of 90Mb) but if more than > one tries to go above 45Mb, the one with t

Re: Hfsc configuration problems

On 2/22/06, Christopher McGee <[EMAIL PROTECTED]> wrote: > Jon Simola wrote: > > >On 2/22/06, Christopher McGee <[EMAIL PROTECTED]> wrote: > > > > > >>I've been trying to get hfsc working properly, but I'm obviously doing > >>something wrong because I keep getting errors like this: > >> > >>pfctl:

Re: kern/92949: [pf] PF + ALTQ problems with latency

On 2/14/06, Mark Linimon <[EMAIL PROTECTED]> wrote: > Old Synopsis: PF + ALTQ problems with latency > New Synopsis: [pf] PF + ALTQ problems with latency > > Responsible-Changed-From-To: freebsd-i386->freebsd-pf > Responsible-Changed-By: linimon > Responsible-Changed-When: Tue Feb 14 06:54:04 UTC 20

Re: some (hopefully basic) altq questions ...

Redirecting to pf@benzedrine.cx and freebsd-pf@freebsd.org as slightly more appropriate lists than misc@ On 2/8/06, Andrew Atrens <[EMAIL PROTECTED]> wrote: > Here's what I have today, that looks to be working well - > > > altq on $ext_if cbq bandwidth 100Mb queue { output_ext } > queue output_ext

Re: Current problem reports assigned to you

On 2/6/06, FreeBSD bugmaster <[EMAIL PROTECTED]> wrote: > Current FreeBSD problem reports > Critical problems > Serious problems > > S Submitted Tracker Resp. Description > --- > o [2005/06/15] kern/82271 pf

Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

On 1/31/06, Dmitry Andrianov <[EMAIL PROTECTED]> wrote: > Hello. > > To my understanding, you can apply nat rule to tagged packets only. This > should do the trick. > > nat on $ext_if tagged TAG1 -> 192.168.33.14 > nat on $ext_if tagged TAG2 -> 192.168.33.15 You can apply tags to NATs, however the

Re: PF + PPPoE

On 1/17/06, stephen <[EMAIL PROTECTED]> wrote: > what rudi means to say is, in his rc.conf he has stuck instructions > for his ppp to start on boot, and for pf to load on boot. problem is > freebsd creates tun0 when ppp runs for the first time, not when the > machine boots up, and as his pf.conf re

Re: PF + PPPoE

On 1/17/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > > >Without the ruleset it's going to be kind of difficult to help. This > >does work, which means there's something wrong with your rules. > > > >--Bill > > My apologies, here is my pf.conf file: > > #define Macros > ext_if = "tun0" > in

Re: PF + PPPoE

On 1/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Good day, > > I am using freebsd 6.0 with PF and running a ADSL PPPoE internet connection. > > My PF ruleset uses tun0 for the external interface but sometimes the ppp > dialler does not start in time and the PF rules fail to load. Then af

Re: address mapping with pf

binat is likely what you want. --Bill On 12/16/05, Robert <[EMAIL PROTECTED]> wrote: > can pf do address mapping ? > > i hava a server with 5 ips on the ext_if > and i want to map an ip to let's say 192.168.1.11 > ___ > freebsd-pf@freebsd.org mailing li

Re: FreeBSD + MPD + PF + ALTQ

On 10/22/05, Bruno Afonso <[EMAIL PROTECTED]> wrote: > Bill Marquette wrote: > > On 10/22/05, Bruno Afonso <[EMAIL PROTECTED]> wrote: > >> The download part is the problematic one IF they're not all connected to > >> the same network interface. Why ? Be

Re: FreeBSD + MPD + PF + ALTQ

On 10/22/05, Bruno Afonso <[EMAIL PROTECTED]> wrote: > The download part is the problematic one IF they're not all connected to > the same network interface. Why ? Because altq only works PER interface > and tun0, tun1, tun2, etc are each and single one, one interface on its own. > > You basically

synproxy state and route-to issues

I've got a machine setup with two internet facing interfaces that I want to do policy based routing on. FreeBSD 6 beta 4 First two octets of the IP addresses intentionally masked. dc0 == lan (192.168.1.1/24 ) dc1 == isp1 (192.168.186.1/24 ) dc2 ==

Re: Authpf and windows client(s) ...

No, authpf is a login shell. If you don't want to use SSH, then you need to write your own client, daemon, and/or authpf-like application. --Bill On 8/24/05, Mircea Popescu <[EMAIL PROTECTED]> wrote: > ok, but any other solution? > > > > On 8/25/05, Bill Marquette

Re: Authpf and windows client(s) ...

On 8/24/05, Mircea Popescu <[EMAIL PROTECTED]> wrote: > Hi! > > I want to use authpf in order to give access to internet for some windows XP > PC's. > > Now, I know that the client PC (using WinXP in this case) should initiate > somehow a ssh conexion to the FreeBSD server. > My problem would be

ALTQ last match queing?

Hi, I'm trying to have pf do what's essentially a queue assignment in one rule and a final pass/keep state in second rule. The man page for FreeBSD 6 (and OpenBSD 3.7) reads like it should work the same as tags. The rule a packet hits that has a queue is the last queue the packet gets. "During t