> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
> 192.168.103.1 synproxy state
Interesting, the client shows:
CONNECTED(0003)
Pflog shows (this time 192.168.103.69 was used in place of 192.168.103.1):
1294126958.718778 rule 0/0(match): pass in on ed0: (tos 0x0,
From studying squid rules, I found the following pf rule set. Does this do
something similar to what I'm after? I tried something like this but it
didn't help.
int_if="gem0"
ext_if="kue0"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto
Is there a way to see what the rule is doing? It didn't have any effect.
I've been trying different combinations, sometimes targeting
192.168.103.2. One test locked up the host.
> On 1/2/11 9:04 PM, j...@experts-exchange.com wrote:
>> Here I want:
>>
>> nn:nn:nn.nn IP 127.0.0.1.51791 > 192
> In other software such as HTTP that you took for example, there's this
> special X-Forwarded-For header which covers this very need.
Squid can talk SSL, so insertion of XFF is possible. But for other
applications, XFF is of no use.
> IMO you shouldn't have to tweak around with the firewall or t
Hi Damien,
Here I am using HTTP traffic as an illustration, but for other generic
services without the built in SSL layer, it would be highly advantageous
to be able to add stunnel to do the job. The target application (e.g. VNC,
database client/server connection, and so on) need not be re-coded.
Folks,
I am trying to use stunnel & pf to devise a transparent proxy, but am
unable to figure out how to do it. What I have is ext ip -> stunnel ->
http service, but the http service does not know where to route back the
packets, and remains in a sync state.
00:40:28.313038 IP 192.168.103.2.517
Thank you. This is very helpful to know. I guess I'll just have to
rewrite it then. Appreciate your help with this.
Yuriy Grishin wrote:
Jay Aikat wrote:
The large queue limit is just for testing purposes. Once I figure out
this logging of the queue at better granularity, I plan to
queuing - just FYI.
Thanks.
Yuriy Grishin wrote:
Jay Aikat wrote:
Hi,
I am looking for a way to log queue stats at less than 1 second
intervals.
On my FreeBSD router, the pf.conf file is configured as follows:
> altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
>
an get queue lengths per second at best.
$ pftop -s 1 -v queue -d 1000 > pftop.out
Is there an option in pftop to log stats per millisecond, or even 100ms?
The -s option above seems to default to 1 second at best.
Thanks for any pointers you can give
assed on. Thanks in advance for
your help.
--Jay.
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
vice holes, applying to both
# internal and external hosts.
pass in quick on $bridge_if proto udp from $lan_ips to any port domain
pass in quick on $bridge_if proto tcp from any to any port ssh \
flags S/SA synproxy state \
(max-src-conn-rate 5/20, overload flush global)
--
Jay L. T. Co
Jay L. T. Cornwall wrote:
Even without 'block out all', the simple presence of:
pass out quick on $bridge_if
Causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
are passing to the WAN (and being filtered upstream). What is causing
NAT to stop functioning by the p
AN (and being filtered upstream). What is causing
NAT to stop functioning by the presence of a loose rule? Does the
default 'pass all' have additional flags necessary for NAT to function
correctly?
Thanks,
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
-> PF integration "use" it.
I'm just not clear on how.
Any ideas or suggestions?
Thanks,
Jay
ll.
thanks again for your suggestion.
GeeJay
TI Automotive
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gee Jay
> Sent: Tuesday, 6 December 2005 21:09
> To: freebsd-pf@freebsd.org
> Subject: Can PF do Cone NAT ?
> > Dear Gentl
Dear Gentlemen,
I am struggling to set up NAT / Port redirection on a PFSense firewall
(which uses PF) for the SIP Protocol or rather its RTP media streams.
By all appearances the NAT in PF seems to work as a symmetric NAT which
causes SIP in certain cases to fail.
The VOIP provider in question