On 6 Aug 2016, at 15:54, Niklaas Baudet von Gersdorff wrote:
Hi,
In the manual I read the advice to disable the firewall on the
loopback interface (`set skip on lo0`). It makes sense to me: Why
would I want to firewall traffic on the loopback interface?
I have jails with IPs assigned on lo1. In
On 8 Aug 2016, at 8:19, Niklaas Baudet von Gersdorff wrote:
Ernie Luzar [2016-08-07 13:20 -0400] :
Aha. So once I assigned those traffic from/to jails should go
through lo1 solely?
YES.
Thank you for clarifying that and your help. So, I attached
additional IP addresses on the jail host sid
On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
Hi!
If you want to filter on it it should work if you add "device
enc" to your
kernel config. The man page suggests that should then allow you to
filter IPSec
traffic on enc0.
Shouldn't it be included in GENERIC if IPSec is now part of it?
On 21 Mar 2017, at 12:12, Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote on 2017/03/21 12:56:
>> On 21 Mar 2017, at 11:46, Kurt Jaeger wrote:
>>
>>> Hi!
>>>
>>>>> If you want to filter on it it should work if you add "device
>>>>>
On 30 May 2017, at 16:17, Kajetan Staszkiewicz wrote:
Hello,
I have a setup where FreeBSD-based routers serving datacenters are
connected
via gif tunnels which are additionally encrypted using transport mode
IPsec.
Each router runs pf and provides firewalling between multiple VLANs.
Tunnel
On 22 Dec 2017, at 20:30, Michael Grimm wrote:
Hi —
[ I am including freebsd-pf@FreeBSD.org now and removing
freebsd-j...@freebsd.org ]
[ Thread starts at
https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html
]
(#) there is a *dramatic* performance loss (
On 23 Dec 2017, at 14:06, Michael Grimm wrote:
I will skip these questions for the time being, because I did solve my
issue 15 minutes before your mail ;-) And I feel sorry for all your
now "wasted" efforts in trying to help me.
That’s OK. You solved the issue; that’s what’s important!
Bec
ftp-proxy in ports. Pick your poison.
ports.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
The following reply was made to PR conf/130381; it has been noted by GNATS.
From: "Bjoern A. Zeeb"
To: bug-follo...@freebsd.org, sd...@sdalu.com
Cc: Gert Doering
Subject: Re: conf/130381: [ip6] ipv6 not fully configured when pf startup
script is run
Date: Sun, 11 Jan 2009 18:47:45
y on doesn't seem to work with
8.0.
If 7.2 won't work for my needs, but 8 or 9-CURRENT will, is anyone aware
of an updated ipfw DSCP patch? I haven't seen anything on Google or the
freebsd-ipfw mailing list.
what is DSCP?
I guess Differentiated Services CodePoint (if talking MP
ar it is and how to get it.
That might, btw., be the better list to ask VIMAGE questions;)
/bz
--
Bjoern A. Zeeb It will not break if you know what you are doing.
The following reply was made to PR kern/144311; it has been noted by GNATS.
From: "Bjoern A. Zeeb"
To: bug-follo...@freebsd.org, kasah...@nc.kyushu-u.ac.jp
Cc:
Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when
using pf(4) 'reply-to'
Date: Sat,
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
software that sits on top of the syntax in a UI, etc.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
atch RSN and put it into HEAD afterwards.
>
> And there are various other messages on the lists that you are welcome to
> search for if interested.
>
>
> Good Luck.
>
> --
>
> Regards, (jhell)
> Jason Hellenthal
>
--
Bjoern A. Zeeb
sure to which extent they now check. If you trust your hosts you can use
something like:
pass log quick inet6 proto ipv6-frag all
to let the ipv6 fragments pass through without inspection.
/bz
--
Bjoern A. Zeeb You have to have visi
s the packet
on the path but if I am going to write 32k of data to UDP you'll see
a lot of fragments no matter what.
Actually this is the most common frag6 source I am seeing -- large
DNS replies due to DNSsec, etc.
/bz
--
Bjoern A. Zeeb You have to ha
Begin forwarded message:
> From: "Bjoern A. Zeeb"
> Date: June 28, 2011 11:57:25 AM GMT+00:00
> To: src-committ...@freebsd.org, svn-src-...@freebsd.org,
> svn-src-h...@freebsd.org
> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
> contrib/pf/ftp-pro
s/contrib/pf/net sys/modules
> s...
> Date: Tue, 28 Jun 2011 11:57:25 +0000 (UTC)
> From: Bjoern A. Zeeb
> To: src-committ...@freebsd.org, svn-src-...@freebsd.org,
> svn-src-h...@freebsd.org
>
> Author: bz
> Date: Tue Jun 28 11:57:25 2011
> New Revision: 223637
On Jun 28, 2011, at 2:55 PM, Bjoern A. Zeeb wrote:
> On Jun 28, 2011, at 12:13 PM, Anton Yuzhaninov wrote:
>
>> Original Message
>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
>> contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pf
0
> flo@tb:~ # sudo pfctl -ss| wc -l
> No ALTQ support in kernel
> ALTQ related functions disabled
> 12
>
> Every new connection is added to the current entries but it seems they are
> never removed?!
>
> I've set debug t
om $ipsec_if to any
>> block quick on $ipsec_if
>>
>> But I still ping the second point of IPSec tunnel.
>> Where is my mistake?
>
> IIRC you also need the following in your kernel config:
>
> options IPSEC_FILTERTUNNEL
>
> (I think it use
,
as in before any ipsec or routing decision; for long time pf had no concept
of this, and yes, the pf in FreeBSD still lacks it.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
Hi,
for all of you. pfsync will be next. If you want to fetch the patch, it's
also here:
http://people.freebsd.org/~bz/20111019-01-pf-state-removal.diff
I'll make sure it'll be part of RC2.
/bz
Begin forwarded message:
> From: "Bjoern A. Zeeb"
> Date: 19.
e and recompile.
It's not all pf fixes but all for today and I'd really feel better for MFCing
them in a couple of days if I get a couple of success reports;)
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new
u probably want these two:
http://lists.freebsd.org/pipermail/freebsd-pf/2011-October/006360.html
http://lists.freebsd.org/pipermail/freebsd-pf/2011-October/006364.html
there are additional fixes from glebius in head r226609 and r226623.
I will try these.
Thanks.
--
Bjoe
hitespace
and all was fixed and nothing applied anymore.
I am currently waiting (about a week) for someone else to finish some pf
changes and
will then probably unifdef the code and add the final derived version as went
into OpenBSD.
/bz
--
Bjoern A. Zeeb You
originates and even if
it's for documentation purposes to eventually decide if re-using the mbuf there
is really cheaper than allocating a new one as other people lately found
transporting other properties along with the mbuf and re-using that can lead to
odd results.
/bz
--
Bjoern A. Z
rnel and either have the PR
problem fixed or the printf removed. The latter can be done quickly the
former needs a bit of time...
/bz
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are.
G_9 Branchpoint.
> So maybe the Fix was not complete?
See thread from earlier this month on freebsd-pf
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!
The following reply was made to PR kern/163208; it has been noted by GNATS.
From: "Bjoern A. Zeeb"
To: Tilman Keskinöz
Cc: Fabian Keil ,
bug-follo...@freebsd.org,
freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 J
break and not perform. Pick any
single one at this point and let us know which one you'd prefer.
A couple of developers lately had this discussion (though not everyone was
present). I'll however be curious which way our users want it to be ...
/bz
--
Bjoern A. Zeeb
I suppose I
> could e-mail the original PF list to figure that out though.
>
mostly http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/ look for files
matching *pf*
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. I
f we shall unifdef pf as soon as someone
get some other work in, so the entire #ifdef __FreeBSD__ checks would be
gone.
I think that's a lot better solution than further mangling things.
/bz
--
Bjoern A. Zeeb You have to have
pic of said panics.
> http://i40.tinypic.com/2q00etz.jpg
>
>
> Any advice on solving this will be appreciated.
VIMAGE is experimental. pf is not yet supported as are a couple of other
things including most cloned interfaces etc.
--
Bjoern A. Zeeb You
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!
are other issues when you do that at pfil(9)
> E> level.
>
> Well, playing with two firewalls was never safe and clear, there always
> be edge cases in such setups.
A lot of people have used ipfw to filter L2 MAC addresses etc and pf for
everything else in the past. So certainl
however unconditionally allow all fragments and trust a (bad) end host
system:
pass log quick inet6 proto ipv6-frag all
(it has log set for a reason to be able to track them here)
/bz
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are.
xperiencing problems with packets dropped due to
invalid checksums with IPv6 and pf after the recent merges, can you
report back if you also see this without "modulate state" in your
pf.conf (if you have 'modulate' in there, can you try changing it to
'keep' and see if th
On Wed, 1 Aug 2012, Matthew Seaman wrote:
On 01/08/2012 18:13, Bjoern A. Zeeb wrote:
Any of you who are experiencing problems with packets dropped due to
invalid checksums with IPv6 and pf after the recent merges, can you
report back if you also see this without "modulate state"
/Open we need to implement, ... more cherry picking on some
changes ....;-)
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
s/has been pondered; we'll see who might come forward.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
ld be interesting to know if these things were
related.
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
tly.
There should be some posting from me on net@ or ipfw@ from sometime in
the last decade.
/bz
--
Bjoe
yet, and
that’s Apple. Has anyone considered looking at their implementation shipping
on millions of devices, requiring similar “API stability” as FreeBSD would love
to support?
Just a few things from the top of my head.
—
Bjoern A. Zeeb Charles Haddon
bz added a comment.
Can I have you guys have a look at https://reviews.freebsd.org/D6924
Thanks
REVISION DETAIL
https://reviews.freebsd.org/D1944
To: nvass-gmx.com, trociny, kristof, gnn, zec, rodrigc, gl
bz reopened this revision.
bz added a comment.
This revision is now accepted and ready to land.
Even if this would have been merged properly and not broken the build there's
still stuff that is wrong for initialisation with different net contexts in
this and that needs to be fixed properly.
REV