On Tue, May 03, 2011 at 10:31:57AM +0100, Vincent Hoffman wrote:
> On 03/05/2011 10:16, Jeremy Chadwick wrote:
>
>
> > Sadly I don't see a way with bsnmpd(8) to monitor things like interrupt
> > usage, etc. otherwise I'd be graphing that. The more monitoring
On Tue, May 03, 2011 at 10:48:00AM +0200, Daniel Hartmeier wrote:
> On Mon, May 02, 2011 at 06:58:54PM -0700, Jeremy Chadwick wrote:
>
> > Status: Enabled for 76 days 06:49:10 Debug: Urgent
>
> > The "pf uptime" shown above, by the way, matche
ame time, pf's state counter started gradually incrementing for
reasons unknown -- an indicator that something bad was happening, almost
certainly within pf itself, or somewhere within the kernel. I'm inclined
to believe pf, because existing/ESTABLISHED stateful entries continued
to
On Tue, May 03, 2011 at 07:22:10AM +0200, Vlad Galu wrote:
> On Tue, May 3, 2011 at 3:58 AM, Jeremy Chadwick
> wrote:
>
> > (Please keep me CC'd as I'm not subscribed to freebsd-pf. And apologies
> > for cross-posting, but the issue is severe enough that I wanted
On Tue, May 03, 2011 at 01:06:34AM -0400, Jason Hellenthal wrote:
> On Mon, May 02, 2011 at 06:58:54PM -0700, Jeremy Chadwick wrote:
> >(Please keep me CC'd as I'm not subscribed to freebsd-pf. And apologies
> >for cross-posting, but the issue is severe enough that I want
f anyone has advice (or has seen the above problem), or is interested
in debugging it -- as I said, I have a vmcore -- I'm happy to assist in
any way I can. I would hate for someone else to get bit by this, and
really am hoping it's something that has been fixed between February and
now.
On Thu, Jan 27, 2011 at 09:38:22PM +0100, Damien Fleuriot wrote:
> On 1/27/11 8:57 PM, Jeremy Chadwick wrote:
>
<...snipping out stuff...>
> We're also considering moving to faster machines but I don't think that
> will help much with our problem.
>
> I suppo
cture. You can no longer rely on
a single machine to handle this amount of traffic.
As for the network errors you see -- to get low-level NIC and driver
statistics, you'll need to run "sysctl dev.igb.X.stats=1" then run
"dmesg" and look at the numbers shown (the sysctl com
On Thu, Jan 27, 2011 at 06:31:29PM +0100, Damien Fleuriot wrote:
>
>
> On 1/27/11 6:27 PM, Jeremy Chadwick wrote:
> > On Thu, Jan 27, 2011 at 10:57:14AM +0100, Damien Fleuriot wrote:
> >> Hello list,
> >>
> >> I have a problem with interrupts, network ca
would be able to confirm for sure; CC'ing him
here.
Could you please provide output from the following commands?
* pciconf -lvcb (only include igbX entries, thanks)
* sysctl -a | grep msi
Thanks.
I can't help with the CARP-related issues or other stuff you
thought Max's response was both professional and ethical. His
question was an honest one, and you've answered it just as honestly. No
harm done.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.co
ndicate the source of their
problems
If you weren't referring to these features, what were you referring to?
I'm curious to know.
--
On Mon, Nov 10, 2008 at 09:15:08AM +0100, Sebastian Tymków wrote:
> I wonder how udp.blackhole works with DNS. Does it interfere with bind or
> not?
No.
--
eebsd-net
or freebsd-isp. Others may have better advice.
Footnote: Like SMTP and spam, IRC as an entity is not evil or bad -- the
problem is that in this day and age, it can breed trouble. I don't want
to sound like I'm slamming IRC ("IRC sucks! Ban IRC!"); I'
ideas what could cause this issue?
> (this is not pf related anymore, but perhaps someone has a quick answer).
Simple: you've created a wonderful, beautiful bottleneck by using netcat
as a form of buffering mechanism. You can tune netcat to your heart's
content, and probably im
On Tue, Nov 04, 2008 at 11:23:08AM +0100, Matthias Kellermann wrote:
> Jeremy Chadwick wrote:
> > Try changing "synproxy state" to "keep state", and see if you have the
> > same problem. Note that you may need to reset your state table after
> > changing t
On Tue, Nov 04, 2008 at 10:52:08AM +0100, Matthias Kellermann wrote:
> Jeremy Chadwick wrote:
> > On Tue, Nov 04, 2008 at 10:15:26AM +0100, Matthias Kellermann wrote:
> >> # tcpdump -netttvvi pflog0
> >> 00 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 2666
>
> Does anybody have an idea what's wrong here?
This is not a pf problem. tcpdump's snaplen defaults to 56 bytes, which
is too small when reading from pflog. Use the -s flag to increase the
snaplen to 256 bytes, for example.
--
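Added example, not part of the thread above: once the snaplen is large enough to see the whole pflog record, the next question is usually "which rule is dropping what, and from whom". The shell helper below summarises tcpdump's pflog output by action, direction, interface and rule, and counts blocked packets per source. It assumes the "rule N/M(match): <action> <dir> on <iface>: src.port > dst.port" prefix that tcpdump prints for pflog frames when -e is given (the same prefix visible in the quoted tcpdump line); the SAMPLE_PFLOG lines, addresses, timestamps and rule numbers are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original thread). Summarise tcpdump output
# from pflog0 by action/direction/interface/rule and by blocked source.
# Assumes the "rule N/M(match): <action> <dir> on <iface>: ..." prefix
# tcpdump prints for pflog frames when -e is given.  On a live box:
#   tcpdump -netttvv -s 256 -i pflog0 | pflog_summary

# Constructed sample (invented timestamps, addresses and rule numbers).
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.7.40112 > 198.51.100.9.22: tcp 60
00:00:00.104213 rule 0/0(match): block in on em0: 203.0.113.7.40113 > 198.51.100.9.22: tcp 60
00:00:00.310001 rule 3/0(match): pass in on em0: 192.0.2.55.51820 > 198.51.100.9.80: tcp 60
00:00:01.002211 rule 0/0(match): block in on em0: 203.0.113.7.40114 > 198.51.100.9.22: tcp 60
00:00:01.500000 rule 5/0(match): block out on em0: 198.51.100.9.33445 > 192.0.2.55.51820: tcp 40'

# Count packets per "<action> <dir> <iface> rule <N/M>", most frequent first.
pflog_summary() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 5 > NF) next                      # not a pflog line, skip it
        rule = $(i + 1); sub(/\(.*$/, "", rule)   # "0/0(match):" -> "0/0"
        act = $(i + 2); dir = $(i + 3)
        ifc = $(i + 5); sub(/:$/, "", ifc)        # "em0:" -> "em0"
        n[act " " dir " " ifc " rule " rule]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Count blocked packets per source address (IPv4 "a.b.c.d.port" form as
# tcpdump prints it; IPv6 sources would need a different split).
pflog_blocked_sources() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 6 > NF || $(i + 2) != "block") next
        src = $(i + 6); sub(/\.[0-9]+$/, "", src)  # drop the ".port" suffix
        n[src]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Run with "demo" to print both summaries for the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_blocked_sources
fi
```

Feed it a capture taken with "-s 256" (or larger): with the default snaplen the address fields at the end of each record are cut off and the per-source count is meaningless.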
ioned fix:
Status: Enabled for 25 days 04:49:53 Debug: Urgent
Counters
state-mismatch 534540.0/s
This number was significantly higher prior to the fix being committed.
> I have "set skip on lo0" to prevent the problem, bu
nd that generates the same
> error. I tried just using:
> (max-src-conn-rate 100/10)
>
> but that too gives me a syntax error.
>
> Any help is appreciated.
--
On Fri, Oct 03, 2008 at 04:17:03AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> > I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE. I
> > rebooted it today but despite pf_enable="YES" being in /etc/rc.conf
256 to
your tcpdump argument and run it again.
It looks to me like you have a rule problem; possibly IMAP+SSL isn't
being permitted through, so the block ends up happening as a result of
an ambiguous "block in on em0" rule you have.
--
0 and not
some other interface?
2) Is pf processing even enabled? pfctl -s info | head -1
Also, you removed the freebsd-pf mailing list from your response to me.
I don't know why, so I've re-added it.
If none of the above helps, then I'm out of ideas and David or Max will
have to
p
shows *bidirectional* traffic, both from the bad host and *to* the
bad host. OP's server is replying to the packet which pf has supposedly
blocked.
This is why I think it's a state tracking thing and he might need
to use -k.
--
persist" | "const" | "file" string |
"{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
Note in tableaddr-list the string: [ "," ]. This means the comm
On Mon, Sep 08, 2008 at 08:51:39AM -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> > PF doesn't block some IP
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table { 78.107.71.38 8
6.156.122.89.bl.spamcop.net. (47)
> 0x: 4500 004b ae68 4000 3b11 0685 4e6b 4726
> 0x0010: c30e 3215 91f8 0035 0037 18d5 c464 0100
> 0x0020: 0001 0331 3636 0331 3536
> 0x0030: 0331 3232 0238 3902 626c 0773 7061 6d63
> 0x0040
On Wed, Sep 03, 2008 at 06:17:59PM +0200, Peter Wullinger wrote:
> I'll reply to Jeremy, since his answer somehow confused me.
>
> In epistula a Jeremy Chadwick, die horaque Wed Sep 3 17:26:32 2008:
> > I'm a bit confused by these rules and your network configuratio
x acting *as* a gateway?
Rule #3 allows any outbound packet from 1.2.3.1 (which isn't even an IP
address bound to bge0), arriving on the bge0 interface, destined to
1.0.0.2. I wonder if this rule is backwards (IPs in from/to should be
reversed).
If none of this helps, others
der
used at the time. We pulled our entire infrastructure out of their
datacenter once we found out they had no form of switch or router
failover/redundancy, and that despite being in California, they were
using Telia (a Swedish ISP) to peer with large carriers like AT&T and
MCI.
l fine.
>
> I have searched the freebsd-pf list archives, but it only allows me one page
> of search results for some reason. I have also Googled a bit and have finally
> posted here. Very confused.
The version of FreeBSD you're using is important here. What version?
--
vice versa? This would be on
> a FreeBSD 7.0 installation. As a second note, if it's not supported
> now would it be possible to add this support?
Do you mean something like faithd(8)?
--
was "modulate state". Sorry if the answer is
> obvious, but any idea why a new NIC might have aggravated this?
A new NIC wouldn't have had anything to do with the problem; it's
probably always been there, or you just didn't notice it before. :-)
--
ot; instead of "keep state" (since on
RELENG_6 "keep state" is not implicit).
Are you using "reassemble tcp", "synproxy state", or "modulate
state" directives?
Does disabling RFC1323 (see sysctl) make a difference at all?
Are you blindly filter
- Forwarded message from James Shupe <[EMAIL PROTECTED]> -
> From: James Shupe <[EMAIL PROTECTED]>
> To: Jeremy Chadwick <[EMAIL PROTECTED]>
> Date: Wed, 27 Aug 2008 20:26:59 -0500
> Subject: Re: Squid/ Danguardian + Transparent Bridge
>
> I've
ase you should probably configure it to bind to 127.0.0.1 -- or if
you cannot, set up an appropriate firewall rule in pf to block that
traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
and talk to Dansguardian directly).
Hope this helps.
--
pf not being able to keep track of state on such
packets (performance hit), and you'll need to tune your pf rules to
match on traffic going both directions (since there's no longer a state
kept)
Max, does this sound correct?
--
I want to?
The manpage to pfctl doesn't really indicate this is possible.
You could simply delete then re-create the label rule, I would think.
--
On Wed, Aug 20, 2008 at 07:16:11PM +0200, Leslie Jensen wrote:
> Jeremy Chadwick skrev:
>> On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote:
>>> I've done some testing with Steve Gibsons "Shields up"
>>> https://www.grc.com/x/ne.dll?bh0bk
stealth so that the ports are not
> visible from the Internet.
>
> Is there a way to achieve this with PF?
The "block" directive, along with "set block-policy drop" should suffice
for accomplishing this in pf.
--
any rdr
> rule.
Clients connecting ***to*** the FreeBSD server would be considered an
incoming connection, not an outgoing one.
--
>> pass quick on $int_Jails all
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.
Or better yet, use "set skip on $int_Loop $int_Jails", and avoid having
pf process any of them.
--
>
> Everything works as expected, I only have problems with pf which seems to
> block certain
> packets randomly (not all of them).
>
> {snip}
Does removing "reassemble tcp" from your scrub rules fix anything?
I cannot comment on the rest of the ruleset.
--
D+7.0-stable&format=html#end
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since
d be able to add
entries of said FQDNs to /etc/hosts to avoid doing actual recursive DNS
lookups. (I'm curious about this myself, since we have some pf.conf
rules which refer to IPs bound to our servers, and I've always wanted
to switch them over to FQDNs that are listed in /etc/hosts..
mething upstream, versus named on the same box) had all of those
entries cached, or has very good overall response time for DNS lookups.
In the case of the OP, I believe he runs his own named.
--
On Fri, Jul 04, 2008 at 04:32:13AM -0700, Jeremy Chadwick wrote:
> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
> > A similar/related problem was addressed in OpenBSD 4.3
> > (http://www.openbsd.org/plus43.html).
> >
> > * In pf(4), allow state
'd our main webserver, and
within about 15 minutes, state-mismatch was up to 22. We use tcp.closed
of 5 (which means 15 seconds).
Workarounds such as "no state" suffice, but if you use rdr rules, you
MUST track state, which means there's no way of winning in that case.
For sake
s sitting on 192.168.222.2 and is able to connect out.
> The only problem I'm having is that the rdr statement doesn't seem to be
> working.
Try adding "pass" to the rdr rule, e.g.: "rdr pass ..."
--
d period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?
ports/security/sshguard-pf
ports/security/blocksshd
--
d kernel output":
http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues
With regards to the errors from pf: no idea.
--
w dummynet has the capability you're looking for. See the
ipfw manpage, section "TRAFFIC SHAPER".
--
On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> Jeremy Chadwick wrote:
>
>> I believe it's because pf(4) doesn't make assumptions about what you
>> want to filter. NAT is stateful (it has to be, because packets are
>> being re-written, and the
nslation rule are only
automatically passed if the pass modifier is given, otherwise they are
still subject to block and pass rules.
--
e was broken. In every case, the "state mismatch" counter
shown in pfctl -s info would increase.
--
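Added example, not part of the messages above: several of them use the state-mismatch line from "pfctl -s info" as the tell-tale that state tracking is broken, but the absolute total is hard to read and the per-second rate pfctl prints is averaged over the whole time pf has been enabled, so a burst over the last five minutes barely moves it. The shell helper below compares the raw counter between two samples and reports growth above a threshold. Both SAMPLE_* texts are constructed in the layout pfctl -s info prints (the numbers are invented), and the threshold is a hypothetical per-site value.

```shell
#!/bin/sh
# Added example (not from the original threads). Sample "pfctl -s info"
# periodically and flag growth of the state-mismatch counter. Comparing
# two raw totals catches bursts that the uptime-averaged "/s" rate hides.
#
# Live use (the threshold 100 is a made-up site-specific number):
#   pfctl -s info > /var/run/pf-info.new
#   judge_mismatch "$(cat /var/run/pf-info.old)" "$(cat /var/run/pf-info.new)" 100
#   mv /var/run/pf-info.new /var/run/pf-info.old

# Constructed samples in the layout pfctl -s info prints (numbers invented).
SAMPLE_OLD='Status: Enabled for 25 days 04:49:53           Debug: Urgent

State Table                          Total             Rate
  current entries                     1520
  searches                       198765432           91.4/s
  inserts                          3456789            1.6/s
  removals                         3455269            1.6/s
Counters
  match                            4567890            2.1/s
  bad-offset                             0            0.0/s
  state-mismatch                     53454            0.0/s
  congestion                             0            0.0/s'

SAMPLE_NEW='Status: Enabled for 25 days 04:54:53           Debug: Urgent

State Table                          Total             Rate
  current entries                     1611
  searches                       198793101           91.4/s
  inserts                          3457002            1.6/s
  removals                         3455401            1.6/s
Counters
  match                            4568210            2.1/s
  bad-offset                             0            0.0/s
  state-mismatch                     53971            0.0/s
  congestion                             0            0.0/s'

# Print the total for one counter from pfctl -s info text on stdin.
# Counter lines look like "<name> <total> <rate>/s"; the name is field 1.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# Compare two samples ($1 old text, $2 new text). Print "ALERT ..." when
# state-mismatch grew by more than $3, "ok ..." otherwise, "ERROR ..." if
# the counter is missing. Always returns 0 so it is safe under set -e;
# act on the first word of the output.
judge_mismatch() {
    old=$(printf '%s\n' "$1" | pf_counter state-mismatch)
    new=$(printf '%s\n' "$2" | pf_counter state-mismatch)
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "ERROR state-mismatch counter not found in input"
        return 0
    fi
    delta=$((new - old))
    if [ "$delta" -gt "$3" ]; then
        echo "ALERT state-mismatch grew by $delta (from $old to $new)"
    else
        echo "ok state-mismatch grew by $delta (from $old to $new)"
    fi
}

# Run with "demo" to compare the two constructed samples.
if [ "${1:-}" = "demo" ]; then
    judge_mismatch "$SAMPLE_OLD" "$SAMPLE_NEW" 100
fi
```

A jump in this counter with no matching jump in "inserts" is the pattern described in the threads: pf is seeing packets for which it has no state, not simply more traffic.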
oth my 7 systems
When using tcpdump with pflog, you'll need to specify a large frame size
to analyse/snoop; the default size is too small. Use -s 1024 to address
that.
--
roken; use keep state instead. Here's
the thread where I was informed of this fact:
http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004223.html
http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004227.html
--
n $interface proto tcp from any to port 2525 -> port 25
>
> But that's a wild guess (I'm *not* sure)
He'll need to specify an IP address for the redirection destination,
e.g.:
rdr on $interface proto tcp from any to port 2525 -> 127.0.0.1 port 25
--
're using RELENG_7.
Regarding the need for the "pass out" line, Max has explained the
reason/need for it in another Email. It's not a bug.
--
eep state" on
those pass in/pass out rules you used. If you're using RELENG_7, "keep
state" is implicit, so you won't need to specify it in your config.
--
. But you cannot use wildcards
for domains. All hostnames given as a dst/src address will be resolved
first.
--
able pf
> then they can access each other. The problem is that I'm doing
> load-balancing so when I disable pf my internet stops working.
Have you tried tinkering with the sysctls mentioned in bridge(4)? There
are even more available on RELENG_7, in the case you're using some
ted to Internet peering, which you have
absolutely no control over. Backbone providers break the Internet on a
nightly basis (this is not an exaggeration), and IRC is one of the most
"real-time" environments there is, so people notice.
--
d or garbled kernel output" below:
http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues
I can't tell you what the actual cause of the pf_get_mtag messages
are, however.
--
On Mon, Apr 07, 2008 at 07:17:29PM -0400, Elliott Perrin wrote:
> On Mon, 2008-04-07 at 16:07 -0700, Jeremy Chadwick wrote:
> > On Mon, Apr 07, 2008 at 11:02:33PM +0100, Torsten @ CNC-LONDON wrote:
> > > I'm running FreeBSD stable6.2 on all my servers and in the
ive ftp
>
> pass in log on $ext_if inet proto tcp from any to any port
> $PassiveFTP keep state
> pass in log on $ext_if inet proto udp from any to any port
> $PassiveFTP keep state
FTP is actually a TCP-based protocol, despite
ss what happens in this case.
This is why I solicit having 3 separate rules for each protocol (TCP =
flags S/SA keep state, UDP = keep state, ICMP = keep state).
--
eep state" option without flags. Google
> and
> Youtube sites seem to not continue displaying web pages but I can see that
> the
> connection were established with the Windows Vista node with Google and
> Youtube
> sites.
And I bet you have a large number of state-mis
er, handle state for UDP or ICMP. They're
stateless protocols, but pf does keep track of when the UDP connection
closes (or times out after a while), and the same with ICMP.
> In which file of pf in the FreeBSD kernel is the state table structure located?
I don't understand this question.
mailing list every time they want to know
what version of a program they're using. :-)
--
On Wed, Mar 26, 2008 at 04:02:02PM +0100, Dalibor Gudzic wrote:
> On Wed, Mar 26, 2008 at 3:53 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > I'll try to explain it with a very small ruleset and a couple scenarios:
> >
> > $ext_if = network interfac
On Wed, Mar 26, 2008 at 09:09:30AM +, Greg Hennessy wrote:
> Jeremy Chadwick wrote:
>> There's been too many cases I've experienced where using "keep state"
>> blindly results in state-mismatch increasing at a very fast rate. When
>> I implemented this
tispoof", if your concern is someone spoofing
packets across $int_if
2) Consider using these rules instead:
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from $mynet to any
block in quick on $int_if
{...other rules...}
--
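Added example, not part of these messages: the ruleset mistakes that come up repeatedly above (rdr rules that name only a port after "->", rdr rules without "pass", stateful TCP pass rules without "flags S/SA", and the "synproxy state" / "modulate state" / "reassemble tcp" directives that are the first things to remove when state-mismatch climbs) are all visible in the text of pf.conf, so a line-based lint can catch them before pfctl is ever run. The helper below is an awk script wrapped in shell functions; the embedded sample ruleset is constructed to trigger each finding and is not a working configuration. It does not follow "\" line continuations or macros that expand to whole rules, and it does not know which FreeBSD release is in use, so the "keep state is implicit on RELENG_7" point is reflected only in the wording of the warning.

```shell
#!/bin/sh
# Added example (not from the original threads). A small lint for pf.conf
# text that flags:
#   - rdr rules with only a port after "->" (no redirection address)
#   - rdr rules without "pass" (translated packets still hit the filter)
#   - TCP pass rules that keep state (explicitly, or implicitly on 7.x)
#     without "flags S/SA", so state gets created on non-SYN packets
#   - "synproxy state", "modulate state", "reassemble tcp"
# Line-based only: no "\" continuations, no macro expansion.
# Usage on a real file:  pf_lint /etc/pf.conf

# Lint pf.conf text read from stdin; prints one "LINE: message" per finding.
pf_lint_text() {
    awk '
    { line = $0; sub(/#.*/, "", line); line = line " " }   # strip comments
    line ~ /^[ \t]*$/ { next }
    line ~ /^[ \t]*rdr[ \t]/ {
        if (match(line, /->[ \t]*/)) {
            rest = substr(line, RSTART + RLENGTH)
            split(rest, tok, /[ \t]+/)
            if (tok[1] == "port")
                printf "%d: rdr has no redirection address: use \"-> 127.0.0.1 port N\" (or a host/table), not \"-> port N\"\n", NR
        }
        if (line !~ /^[ \t]*rdr[ \t]+pass[ \t]/)
            printf "%d: rdr without \"pass\": make sure a pass rule admits the translated traffic\n", NR
    }
    line ~ /^[ \t]*pass[ \t]/ && line ~ /proto[ \t]+tcp[ \t]/ &&
    line !~ /flags[ \t]/ && line !~ /(^|[ \t])no[ \t]+state[ \t]/ {
        printf "%d: stateful TCP pass rule without \"flags S/SA\": state is created on non-SYN packets too\n", NR
    }
    line ~ /(synproxy|modulate)[ \t]+state[ \t]|reassemble[ \t]+tcp[ \t]/ {
        printf "%d: review: \"synproxy state\", \"modulate state\" and \"reassemble tcp\" are the first things to drop when state-mismatch climbs\n", NR
    }
    '
}

# Lint a file on disk.
pf_lint() {
    pf_lint_text < "$1"
}

# Constructed ruleset that triggers each finding (not a working config).
sample_ruleset() {
    cat <<'EOF'
# constructed ruleset for the lint demo, not a working configuration
ext_if="em0"
set block-policy drop
set skip on lo0
scrub in all reassemble tcp
rdr on $ext_if proto tcp from any to any port 2525 -> port 25
rdr pass on $ext_if proto tcp from any to any port 8025 -> 127.0.0.1 port 25
block in log on $ext_if
pass in on $ext_if proto tcp from any to any port 22 keep state
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in on $ext_if proto udp from any to any port 53 keep state
pass in on $ext_if proto tcp from any to any port 25 modulate state
EOF
}

# Run with "demo" to lint the constructed ruleset.
if [ "${1:-}" = "demo" ]; then
    sample_ruleset | pf_lint_text
fi
```

On the sample, line 6 draws two findings (port-only target and no "pass"), line 9 one (no flags), line 5 and line 12 the review note, and line 12 additionally the missing-flags warning; the "rdr pass ... -> 127.0.0.1 port 25", "flags S/SA keep state" and UDP lines pass clean.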
dress of ours) with
the TCP flag SYN set (but only look at the SYN and ACK flags when doing
that comparison) -- and keep track of TCP state.
This explanation should also provide you an answer to what rule #2 is
for -- permitting outbound packets which DO NOT match that criteria.
You might be won
ly large.
There is a discussion as to whether or not tcpdump on FreeBSD should
default to using a larger snaplen size (128 would be good).
--
ve modes.
>
> How can I fix this problem?
Your pf rules for FTP are wrong. Please see this thread:
http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004148.html
--
ould consider sniffing the pflog0 interface
(I assume you have pflog enabled in rc.conf) and see what's being
denied: tcpdump -s 256 -i pflog0
Finally, note that your block entry doesn't specify any TCP flags, so
it's going to block everything, rather than just initial SYN
hurry to fix it" :-) ).
eos# pfctl -s info | grep mismatch
state-mismatch3320270.1/s
anubis# pfctl -s info | grep mismatch
state-mismatch 15140.0/s
northstar# pfctl -s info | grep mismatch
state-mismatch
rstanding how the protocol works is key to understanding how to
properly administrate a firewall that has to deal with FTP. So I hope
this helps clear up some of the confusion.
--
VS commit list, but you'll
see changes for all branches/tags, and for everything (not just pf).
--
guration -- you're missing a
lot of "option" arguments for ALTQ support. Add all of the ones I gave
you, follow the instructions for buildkernel/installkernel, and it
should all begin working.
--
of df, and the contents of /etc/fstab?
>Stupid (?) question: Is there a way to manually create /dev/pf or can it
> be copied from another system?
No, it needs to be automatically created by pf via devfs.
>Thanks for taking the time to help this quasi-newbie. :)
No problem. It'
an reach from
your machine that has low latency (try pinging them). I happen to use
cvsup4, but they go all the way up to cvsup18.
After that, all you need to do to update changes to the ports tree as
well as your source tree (for world/kernel) is:
umask 022
cd /usr/src
make update
And that'
yes"
Otherwise, I've seen many systems where Apache upon being shut down then
start up complains about how it can't load the Accept filter.
--
* Output of uname -a on the machine which doesn't have /dev/pf
* Output of kldstat
* Your /etc/rc.conf
* Your /boot/loader.conf
* Your /etc/make.conf
* Your kernel configuration file
--
represent (e.g. state-mismatch, congestion, normalise,
bad-offset, ip-option, etc.); some are obvious, while others are not.
--
webserver, and I just
recently applied pf rules there (particularly the "block in log all"
clause).
If tcpdump is needed against one of the src IPs, let me know and I can
sniff a session to see what might be going on before the state mismatch
occurs.
--