Re: pf rules not being loaded during boot on 7.1-PRERELEASE

On 10/04/08 01:22, Bruce Cran wrote: > On Sat, 04 Oct 2008 00:40:45 +0200 > Volker <[EMAIL PROTECTED]> wrote: >> You seem to have a rule like: >> >> pass ... on tun0 from any to tun0 ... >> >> If you change that into: >> >> pass ... on tun0 f

Re: pf rules not being loaded during boot on 7.1-PRERELEASE

oking into my crystal ball... ;) You seem to have a rule like: pass ... on tun0 from any to tun0 ... If you change that into: pass ... on tun0 from any to (tun0) ... pf will happily parse your rules and activate your firewall even while tun0 does not already have an IP address. You may al

LOR with pf + synproxy state

me -a`: FreeBSD cesar.sz.vwsoft.com 7.0-STABLE FreeBSD 7.0-STABLE #38: Sun Aug 17 15:12:10 CEST 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/CESAR i386 Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: pf version 3.7 on freebsd

On 06/18/07 20:48, Dalibor Gudzic wrote: > On 6/17/07, Max Laier <[EMAIL PROTECTED]> wrote: > >> >> Yeah, I have been slacking in that department. I think we should take it >> to the wiki instead. Volunteers welcome! > > > > OK, what exactly is needed? Someone to keep the things up to date o

Re: USER/GROUP rules on the chopping Block

up, I'll be the first one to contradict (no Max, this is not against you). Probably I should give the same level of support to others as it's been given to me (sad to say, which will then be zero). Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

filtering bridges [was: PF error message looping on screen]

On 06/16/07 21:29, Adam McDougall wrote: > On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote: ... > If that doesn't help, I recommend rewriting your rules a bit and use > 'set state-policy if-bound' (which I'm using most as I find it better > to adminis

Re: PF error message looping on screen. System Locked.

On 06/16/07 15:26, Roger Miranda wrote: > On Thursday 14 June 2007 10:19, Volker wrote: >> [re-added cc:pf to have a wider audience, please keep this] >> >> On 06/14/07 16:21, Roger Miranda wrote: >>>> I remember a discussion about your machine in stable@ some time

Re: pf(4) + fetch(1) + http://ftp.gnu.org

state flags S/SA > pass out on $ext_if proto {udp, icmp} all keep state > pf.conf -- end --- > > Any idea what's wrong here? Vlad, if we're out of ideas, there would be something wrong... ;) My first try is to replace your 'pass out on $ext_if ... modulate state ..

Re: PF error message looping on screen. System Locked.

kets. You should get a debugger into your kernel (like Max suggested) and probably also use `pfctl -x loud' or `pfctl -x misc' to get more messages out of pf. If these messages are popping up again, break the system into the debugger and l

Re: PF error message looping on screen. System Locked.

Are you by any chance being able to get a photopicture (with fast shutter time) of the debug messages? Do you have anything in /var/log/debug.log /var/log/messages which might be useful? I think we first need an idea of what messages are popping up. Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: USER/GROUP rules on the chopping Block

to get that box into an LOR, I'm unable to do so easy. As I need to verify an unpatched against a patched system, I need to find a _reliable_ way to get the box LORing. I've added two pf rules which should (AFAIK) get this into an LOR: pass out log quick on $if_lan all user volker keep s

Re: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]

me up to date (I'm not on current@) and I'll beta test for you and give you any needed feed back. >From my view, the response issue can somewhat been seen as the core team sitting on an island and the user base is far, far away of them. Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: fbsd 6.2 pf starts -- but not on boot

David, On 06/06/07 01:44, David DeSimone wrote: > Volker <[EMAIL PROTECTED]> wrote: >> pass in on bla0 from any to bla0 > >> which will all require pf to get the interface's IP address and all >> will fail if that interface does not yet exist... > > Ah,

Re: fbsd 6.2 pf starts -- but not on boot

On 06/05/07 22:29, David DeSimone wrote: > Volker <[EMAIL PROTECTED]> wrote: >> without seeing your pf.conf ruleset, I guess you're using a ppp >> connection to your upstream provider and firewalling on the tunX >> interface (using tun0 as $ext_if). > >>

Re: fbsd 6.2 pf starts -- but not on boot

Hi snow, On 06/05/07 00:37, snowcrash+freebsd wrote: > On 6/4/07, Volker <[EMAIL PROTECTED]> wrote: >> without seeing your pf.conf ruleset, > > happy to send/post if required/helpful ... I don't think it's required for now. >> I guess you're using a p

Re: fbsd 6.2 pf starts -- but not on boot

has been created, pf will happily load your ruleset. The solution is to either have pf rules loaded late (later than ppp is started) or use anchors and load ext rules into the anchor when the ppp interface is up. The easier is to have the rules loading late (check using rcorder) but this may also

Re: cbq: adds red by default?

s > that :) ... cite from pf.conf(5): ecn Enables ECN (Explicit Congestion Notification) on this queue. ECN implies RED. HTH Volker ___ freebsd-pf@freebsd.org mailing list http://list

Re: have anyone configured "synproxy state" beforce

ic, too or otherwise no data communication will be established. Also it is most likely that you will have to use an FTP proxy. I suspect your whole problem is really not synproxy related. HTH Volker > (Sorry for the previouly base64 encode mail caused by M

Re: bandwidth controlling with ALTQ

On 05/18/07 22:17, Umar wrote: > Dear Volker! > > Thanks its working fine. > > (pass in quick log on $int_if proto tcp from 192.168.3.30 to any flags > S/SA keep state queue client1) > > what will be the syntax if 192.168.3.30 comes through ppp means I have > c

Re: bandwidth controlling with ALTQ

Umar, On 05/18/07 14:35, Umar wrote: > Dear Volker! > > Sorry for disturbing you again!! > > pfctl: should have one default queue on fxp0 > pfctl: errors in altq config > > please help me to create default queue what will be the syntax thanks that's why I was wr

Re: bandwidth controlling with ALTQ

Umar, On 05/18/07 14:02, Umar wrote: > Dear Volker! > > Thanks Again.! > >>> To me, this seems to be correct. Do you have a hard line break there? > > I re-typed > > queue qclient1 bandwidth 10Kb hfsc (rio) > > now its fine but S/SA

Re: bandwidth controlling with ALTQ

Umar, On 05/18/07 13:42, Umar wrote: > Dear Volker > > Thanks again for your reply! You're welcome! > this is my pf.conf file > > int_if = "xl0" > ext_if = "fxp0" (DSL) > > ltq on $ext_if hfsc bandwidth 1Mb queue { q

Re: bandwidth controlling with ALTQ

On 05/18/07 12:05, Umar wrote: > Dear Volker > > Thanks for your reply! > > I have 1mb up and 1mb down DSL and i have total 20 client at this time. > >>> if you want to limit per IP address, you need to create one queue for >>> every IP address in your

Re: bandwidth controlling with ALTQ

P should be served fair and a limited cbq queue for them on the external interface and reach good results with that. If b/w is limited as other traffic passes, these stations get their traffic through limited. HTH Volker ___ freebsd-pf@freebsd.org mai

Re: ftp, pf, passive ftp and fetch

ot;proxy" flags "S/SA" keep state in my ruleset (just made it that way last week). I still haven't checked active ftp out but I think this will also work for active ftp connections. You just need to also pass traffic in on $int_if for port 8

Re: Best way to decrease DDoS with pf.

oo rude, I know but it works). Keep in mind, if you're under a DDoS attack, your bandwidth may still be eaten up, but the effects on your machine will be limited when using S/SA + synproxy state + bandwidth limiting. If I get you wrong, please explain your problem a bit more detailed.

Re: pf+altq for bandwidth control

on SYN. Last guess: I think you've set $pc to any just for testing. If you're using NAT and setting this to anything different (any of your local IP addresses), this rule will never match as the packet is being processed _after_ NAT processing. HTH Volker PS: Does anybody know what&#

Re: Trouble getting IP Phone to work

've finished hacking pf rules for a snom 300 SIP phone, redirect connections from the public outside to it and it's working fine for some weeks now. Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Load balancing with ratio

o if some one can give a starting place to look, where I > can do some hacking, that would also be fine. raj, I've never done that but what about giving the next hop with better bandwidth twice? HTH Volker ___ freebsd-pf@freebsd.org mailing list

Re: PF and GeoIP to update country table?

aphics etc.) may lead into may single tcp connections. This means, don't set the limits too short before blocking an IP address. HTH Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Re: PF and GeoIP to update country table?

end. Have a look at pfctl(8), especially the parameters '-t' and '-T'. Doing a `pfctl -t mychinesewall -T replace -f /tmp/dolistalltheworld.txt' would be enough. HTH Volker ___ freebsd-pf@freebsd.org mailing list http://lists.f

Re: pf.os fingerprinting does not seem to load by default

On 05/08/07 10:30, Volker wrote: > Hi! > > I think I've trapped into a bug with pf's fingerprinting. > > While checking a modified ruleset with `pfctl -vvv -gnf ...' pfctl > told me it doesn't know anything about an OS fingerprint called > "W

pf.os fingerprinting does not seem to load by default

nt database by default from /etc/pf.os. Either the man page or pfctl's behavior is wrong. Can please somebody check if time permits? Thx, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: testing load balancig work.

. AFAIK the way for you to go is to use rdr options. Also take a look at the round-robin options pf.conf(5). Other folks here on the list have the comfort of having two upstream connections and already tried things like that. Perhaps anybody else with some experience can com

Re: bandwidth limiting per ip with PF and ALTQ

hing else. You need to create one queue (for example) for your http server and assign all traffic to your http server into that queue. Having a queue with a guaranteed bandwidth for every connection (client) would require the creation of "dynamic queues" on the fly. I'm not aware of such

Re: logging pf in ASCII via syslog -- logs not saved

ks! > > I suspect there's a mistake in your script. Have you tried using `tcpdump | logger' manually? Have you tried using `set -x' in your shell script and checked if you see any errors? Have you removed the last `rm $FILE' and checked if $FILE is created well? Have y

debugging pf

es. Is there a way to direct debugging to pflog? I want to get an idea of the timing and see if this happens at the time where I expect a specific connection to fail. This gateway I'm trying to debug is serving a lot of users and I need to find the tree

Re: home multipurpose gateway/router/server setup help

ewall), all you need to do is using a GENERIC kernel and kldload pf.ko, write your ruleset, load it (by `pfctl -f ...' and you're done. As you want to use your box as a router for your home LAN, you may also want to set gateway_enable="YES" in /etc/rc.conf which will set sysctl net

Re: pf BUG?

nothing but just wide open (tm) and effectively useless. Anyway, I really don't understand your problem. Do you really want to have a firewall which does nothing but logging like crazy? BTW, the log-all option does not make sense when not being used in conjunction with statefu

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On 03/26/07 08:47, Andre Albsmeier wrote: > On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote: >> Andrew, Andre & all, >> >> I've checked it out once more (with a corrected setup) and now have >> been able to block traffic on enc0 in both directions (no matte

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

t setup shows it is not just possible to block traffic on device enc0 using pf, but to see all traffic in the pf logs (if being configured to do so). Probably you're willing to show us your pf rules to have a look at it? Have pfun! ;) Volker __

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

nal IP address of the remote tunnel endpoint is in there. Will correct that and do another test. Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

On 03/24/07 19:59, Andrew Thompson wrote: > On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote: >> Andre, >> >> On 12/23/-58 20:59, Andre Albsmeier wrote: >>> [Retrying on -pf...] >>> >>> (This is FreeBSD 6.2-STABLE as of yesterday using pf an

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

my memories >> might be wrong) and play with it a bit. > > This should work as you say and if its not then thats a bug. Can you log > the packets with pflog to check they are being blocked. Will try to do so but first I have to solve an

Re: Nat and rdr.

(and lo0) with the IP address of your external interface might give you strange results. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 6.2-STABLE: enc0 sees only outgoing packets in pf

currently a bit of a hack and currently probably only useful for packet / connection logging but not for real firewalling. You might check out if you're able to block anything on enc0 (my memories might be wrong) and play with it a bit. I suspect packets do not really pass device e

Re: pf logging differences

evvi ...' (the -vv parameters gives more output but might annoy you for SMB / netbios traffic). HTH, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Re: Tracing packets passing through PF

Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are you using ENC? Could you please give us your routing table (partially)? Thanks, Volker smime.p7s Description: S/MIME Cryptographic Signature

Re: home router with internal services available question

the packet flow using tcpdump (either on pflog0 or your real network NIC). HTH, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: SPAMD stop passing mail from WHITE-list

Ed, On 02/11/07 15:54, [EMAIL PROTECTED] wrote: > Quoting Volker <[EMAIL PROTECTED]>: > > I just set up a machine using your suggestions, correctly I hope ;) > I have set it up as: > > block drop in quick on $ext_if from to any > > pass in quick on $ext_if proto

Re: Re: SPAMD stop passing mail from WHITE-list

Ed, On 12/23/-58 20:59, [EMAIL PROTECTED] wrote: > Quoting Volker <[EMAIL PROTECTED]>: > >> On 12/23/-58 20:59, ;048<8@ 0?CAB8=rote: >>> 2. If i have some malware on my PC and use mail-client program. If I >>> send the same message some times I autom

Re: PF & Windows Vista

r snippet of rules is useless for supporting you) I'm wondering if your Vista machine does IPv6 and does not try v4? I don't know Vista at all but I guess v6 support is built in. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http:/

Re: SPAMD stop passing mail from WHITE-list

spam originating from your internal net. And for the malware issues, I would like to recommend not to install and use malware! ;) Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscrib

Re: ALTQ support for usb NICs?

between both kernel builds. Beside the throughput question, the patch seems to be ok - please commit! ;) Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: ALTQ support for usb NICs?

t permitted" messages a bit strange. Next, I'll test w/ ALTQ enabled for that interface but it will take half an hour (will drop another note to the ML). FreeBSD bellona.sz.vwsoft.com 6.2-STABLE FreeBSD 6.2-STABLE #6: Tue Jan 30 23:28:14 CET 2007 [EMAIL PROTECTED]:/usr/obj/usr/src

Re: ALTQ support for usb NICs?

Max, On 01/28/07 01:53, Max Laier wrote: > On Saturday 27 January 2007 15:54, Volker wrote: >> I'm wondering about the following: Are there any technical reasons >> for not having ALTQ support for most (all?) usb NICs? >> >> Or did just too less people ask for i

Re: RE: PF in kernel or as a module

sk why, it's probably historic from the 5.2 days). Never done any benchmarking but on the other side I never experienced any performance problems. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

ALTQ support for usb NICs?

Hi! I'm wondering about the following: Are there any technical reasons for not having ALTQ support for most (all?) usb NICs? Or did just too less people ask for it? Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebs

Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

The following reply was made to PR kern/106400; it has been noted by GNATS. From: Volker <[EMAIL PROTECTED]> To: "Boris S." <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has

Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

On 12/06/06 14:37, Max Laier wrote: > On Wednesday 06 December 2006 14:20, Volker wrote: >> The following reply was made to PR kern/106400; it has been noted by >> GNATS. >> >> From: Volker <[EMAIL PROTECTED]> >> To: [EMAIL PROTECTED], [EMAIL PROTECTED] &g

Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached

The following reply was made to PR kern/106400; it has been noted by GNATS. From: Volker <[EMAIL PROTECTED]> To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0 device has detached Date: Wed, 06 Dec 2006 14:16:42 +0100

Re: pf.conf + altq problem

On 2006-11-09 13:40, Volker wrote: > As $lan is 172.16/24 rule number 3 (which goes to queue dflt_out) > catches all the packets you're wanting for queue int_out. > Sorry, I've been wrong as there's no 'quick' keyword being used so I w

Re: Re: pf.conf + altq problem

eue (int_in) >>> >>> I have done some test with iperf with no luck. >>> Is there something wrong with this rule set to acompilished my need ? >>> Please help >>> >>> Regards >>> Reza Reza, you're really using just one queue: > block on xl1 > pass in on xl1 from any to $lan > pass out on xl1 from $lan to any > pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out) As $lan is 172.16/24 rule number 3 (which goes to queue dflt_out) catches all the packets you're wanting for queue int_out. HTH, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: table persist file

it > > /Jon > > Jon, you may use a command like: `pfctl -t commit -Ts > /path/to/tablefile' to write the contents of the table out to disk. HTH, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: altq on ng0 sometimes causing system panic

en able to do so. I really tried hard to panic it. I guess it has been a temporary side effect which disappeared 'magically' by any other recent source changes. I'll try again to panic the machine later today with my original ruleset. So if I don't post another mess

queue to nonexistent?

all queue nonexistent pass quick on ng0 all queue q_low ALTQ: queue root_ng0 bandwidth 64Kb priority 0 cbq( wrr root ) {q_low} queue q_low bandwidth 64Kb cbq( rio borrow default ) Huh? Queueing to a nonexistent queue? Greetings, Volker ___ freeb

altq on ng0 sometimes causing system panic

#x27;t get panics ATM. Running RELENG_6, almost recently csup'ed. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: "Reset" Script, Anyone?

ut even a good choice if you can use one). I guess (and even after re-reading the original post) the original poster doesn't have a com terminal session. Doing things like that in a ssh session is a bad idea. Just wanted to note this without going into a fundamental discussion. ;) Volker ___

Re: Re: "Reset" Script, Anyone?

5 minutes or you may just use `echo "pfctl -d" | at + 5 minutes' which would just disable pf and your box will be accessible if something has gone wrong within 5 minutes. If you're happy with your new rules, you may `atrm' the job. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Redirecting packets to the machine itself

so forwarded to the other machines. What about a 'dup-to' route option? see `man pf.conf' Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: problem with keyword self

nconfigured interfaces (or at least do not let them being included when it comes to 'self' rules). IMHO 'self' should never validate to an IP address like 0.0.0.0. Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"

{Spam?} Re: {Spam?} no buffer space available

it high soon. > I did recover the box by flushing all pf stuff, but it didn't stay > working for very long. Travis, Daniel, thank you for your response. I'll check for both situations as soon as this problem occurs the next time (which will take plac

{Spam?} no buffer space available

after 4 days system uptime and being always online by ppp. How do I check (debug) if this is a base system (networking) problem of 6.1-BETA or if it's a pf bug? Greetings, Volker ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/ma

Re: RDR with dynamic IP

ules from there (like it's possible with ppp). Greetings, Volker On 2005-11-28 14:29, Josh Finlay wrote: > Here's the full scenario, > > I'm running q3server (/usr/ports/games/q3server), bound to an external ip on > iface ng0.. but LAN clients can't connect to it

pf, nat, 2 public IP-addresses

e the problem to have more than one MS-PPTP VPN client connecting to the same destination VPN server being NATed blues. If there would be a better solution than frickin? Thanks for any hints! Volker ___ freebsd-pf@freebsd.org mailing list http://lists.fre