Hi All,
Does anyone know of any equivalent of expire table from the ports? It's
now broken on RELENG_12 and 13.x
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253547
---Mike
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mail
> Cleared: Thu Mar 4 08:09:50 2021
>
> According to
> https://www.freebsd.org/cgi/man.cgi?query=pcap-filter&sektion=7
> reason code
> True if the packet was logged with the specified PF reason
> code.
> The known codes
I am trying to track down the IPs that are hitting my src limits, but I
don't see them logged. According to
https://www.freebsd.org/cgi/man.cgi?query=pflogd&sektion=8
I should be able to see the reason something got blocked
e.g. if I have something like
pass in log on $outside_nic proto tcp fr
Is there any way in pf to redirect one port to a range of ports? e.g.
rdr pass log on $public_nic proto tcp from any to $public_nat_ip port
80 -> $web_server port 80:100
Much like round robin load balancing on outbound nat, I want to round
robin through ports if possible.
---Mike
I think it used to work, but am wondering: when things got changed to
tuntap in the driver, did it break altq or something else?
I have a simple set of rules as
altq on tun504 bandwidth 960Kb hfsc queue { offsite, alltraff }
queue alltraff bandwidth 70% priority 8 qlimit 500 hfsc (realtime 60%)
On 1/22/2020 5:13 AM, Miroslav Lachman wrote:
> mike tancsa wrote on 2020/01/20 15:37:
>> Also, is there a better way to monitor pf rule changes? I don't see
>> any mention in FreeBSD audit?
>
> Monitoring of PF rules is kind of hard and not just because of
> automatic t
On 1/20/2020 10:16 AM, Patrick Lamaiziere wrote:
> What would trigger the table name to change like that ?
> I think that names of automatic tables are more or less random. I've
> got two firewalls using the same ruleset (pf.conf) and the name
> of the automatic table for self is not the sam
I have a process that runs every few min looking to see if the pf rules
changed on some of our firewalls. On one customer unit, we have a
"self" statement and the script detected a change this morning. The
rule reads
block log quick from to self
block log quick from self to
but when shown it
On 7/29/2019 7:39 PM, Nikos Vassiliadis wrote:
> Hi,
>
> On 2019-07-29 19:06, mike tancsa wrote:
> Maybe you could use pipe viewer (pv in ports or packages) on the
> ZFS host to limit the bandwidth in userspace.
Thanks, the replication is being done via TLS+Certs/Zepl. It has a
On 7/29/2019 2:38 PM, Kristof Provost wrote:
>
> On 29 Jul 2019, at 20:22, mike tancsa wrote:
>
> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>
> Also beware of gotchas with things like IPv6 fragment handling or
> route-to.
>
> I do not cons
On 7/29/2019 1:51 PM, Kristof Provost wrote:
>
> Also beware of gotchas with things like IPv6 fragment handling or
> route-to.
>
> I do not consider mixing firewalls to be a supported configuration. If
> it breaks you get to keep the pieces.
Thanks, I was worried about that! Is there a way to get
compile them both in the kernel.
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first
I have a box I need to shape inbound and outbound traffic. It seems altq
can only shape outbound packets and not limit inbound? If that's the
case, what is the current state of mixing ipfw, dummynet and pf ?
Writing large complex firewall rules works better from a readability POV
(for us anyways)
leset, without affecting the live
> environment. But therefore I need to process the whole ruleset, to not
> get unhandy surprises with some rules when going live.
>
>
> Am 15.06.2017 um 21:18 schrieb Mike Tancsa:
>> On 6/15/2017 2:21 PM, Malte Graebner wrote:
>>> Hell
s.
---Mike
--
-------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
oto tcp from any to any port = http flags S/SA
keep state queue http
[ Evaluations: 3 Packets: 13038 Bytes: 13118285 States: 1 ]
[ Inserted: uid 0 pid 1836 State Creations: 1 ]
e \
(max-src-conn 6, max-src-conn-rate 3/30, \
overload flush global)
pass in log inet proto tcp from to self port ssh keep state
---Mike
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch
http://helith.net/txt/openbsd_4.3-current_pf_null_pointer_dereference_kernel_panic.txt
Not sure if this impacts FreeBSD or not ?
---Mike
At 09:34 AM 5/23/2008, Vitaliy Vladimirovich wrote:
Hi,
Try in CIDR notation. e.g. 209.85.128.0/17
I know about CIDR notation, and what about if I need to specify
something similar to 10.0.10.1-10.0.10.8?
I usually do it in a series of CIDR notations when it does not match
normal boundaries.
At 07:24 AM 5/23/2008, Vitaliy Vladimirovich wrote:
Hi,all!
I need to specify a range of IP addresses in my spamd-whitelist table,
e.g. 209.85.128.0-209.85.255.255.
How can I do this correctly?
Hi,
Try in CIDR notation. e.g. 209.85.128.0/17
---Mike
Thanks in advance!
At 07:47 PM 4/2/2008, Bill Marquette wrote:
I believe the pfsync protocol version (and corresponding struct)
changed between these two releases. If the lack of state
synchronization can be lived with (ie. it's a high availability
address for a service, not a firewall), you should have no other
i
Does anyone know if there are any issues running a pair of
FreeBSD boxes, one RELENG_6 and one RELENG_7 in carp failover ? Are
there any compatibility issues ?
---Mike
ds the "bad header" errors.
---Mike
At 11:09 PM 1/2/2008, David DeSimone wrote:
The mistake you're making here is the consider pf's syntax to be a
combined AND'd statement of boolean logic, which it is not. It is
really just simple macro expansion, which does not equate to the same
thing.
Thanks for the detailed explanation! Re
.3-PRERELEASE #0: Fri Dec 14
15:02:59 EST 2007
I don't see anything new in the pf tree since then.
---Mike
keep state
Is there a better way to handle all the aliased IP addresses than to
manually put them on tun0 ?
---Mike
At 02:56 PM 9/12/2007, Max Laier wrote:
You are missing the attached patch - which I am trying to get through
tcpdump.org. The pflog header changed (once again) and changes are
required. Sorry for the mess.
Hi,
Thanks very much, that does indeed fix the problem!
---Mike
stening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
size 96 bytes
I should see entries on the second tcpdump of pflog0, but it too does
not filter it correctly.
It is hitting the rule
block in log on $ext_if all
---Mike
At 09:52 AM 2/8/2007, Marko Lerota wrote:
Mike Tancsa <[EMAIL PROTECTED]> writes:
> Really ? Which drivers ? I found bge and em to be less supported and
> slower than on FreeBSD.
There are some issues with bge and em drivers (kernel panics and timeouts).
You have complete d
At 08:15 AM 2/8/2007, Marko Lerota wrote:
Muhammad Reza <[EMAIL PROTECTED]> writes:
> but it's work fine with OpenBSD
Yes, and the ethernet devices also work better, but I will
stay on FreeBSD ;)
Really ? Which drivers ? I found bge and em to be less supported and
slower than on FreeBSD.
e behavior does not happen with ipfw
---Mike