Re: PF appears to lock up a machine with a large number of jails

2015-10-01 Thread Kristof Provost
> On 01 Oct 2015, at 03:06, Felix Gallo wrote: > > SITUATION 2. > > I then realized that I had TSO enabled on the interface, which seems to > interact very badly with pf. So I disabled it and started creating the > jails again. Again, it hung the box, but this time seemed to take a lot > long

pf+TSO patch

2015-10-02 Thread Kristof Provost
Hi, I've found a little time to look at the pf TSO issue (which made pf unusable on Xen VMs, like Amazon EC2). I've posted the patch here: https://reviews.freebsd.org/D3779 It still needs a bit more testing, but so far it looks good. I'd be very grateful for any brave souls who want to give thi

Re: pf+TSO patch

2015-10-09 Thread Kristof Provost
t I'd appreciate further testing and/or review. Regards, Kristof On 2015-10-02 12:08:05 (+0200), Kristof Provost wrote: > Hi, > > I've found a little time to look at the pf TSO issue (which made pf > unusable on Xen VMs, like Amazon EC2). > > I've posted the pat

Re: Creating span interface using 'dup-to' option

2015-10-11 Thread Kristof Provost
On 2015-10-11 13:16:08 (+0200), Miłosz Kaniewski wrote: > I have FreeBSD machine which forwards packets between host1 and host2. This > machine has also an additional interface (em2) which act as span interface > - all traffic between host1 and host2 is copied into it. > To achieve this scenario

Re: Rules sanity check

2015-10-13 Thread Kristof Provost
> On 13 Oct 2015, at 05:51, David Mehler wrote: > Some things I know definitely aren't working is the ipv6 allowing of > ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the > machine the data connection doesn't come through, I'm assuming I'll > have that same problem when I set u

Re: Rules sanity check

2015-10-13 Thread Kristof Provost
> On 13 Oct 2015, at 18:59, David Mehler wrote: > Thanks. How do I get icmpv6 going? That is certainly a problem I'm having. > I’d start off simply allowing all icmpv6 traffic: pass in inet6 proto icmp6 Regards, Kristof

Re: Creating span interface using 'dup-to' option

2015-11-07 Thread Kristof Provost
On 2015-11-07 21:36:28 (+0100), Miłosz Kaniewski wrote: > 2015-10-12 16:28 GMT+02:00 David DeSimone : > But unfortunately I still have a problem with 'dup-to' option. I hope you > don't > mind if I will describe it here, as it is still connected with network > scheme I > used in my first post. >

Re: Creating span interface using 'dup-to' option

2015-11-08 Thread Kristof Provost
On 2015-11-08 01:03:15 (+0100), Kristof Provost wrote: > It certainly looks wrong. I can also reproduce your observation that > this doesn't happen when 'no state' is added to the rule. > I've been looking at this for a bit, and I think I understand what's

Re: Creating span interface using 'dup-to' option

2015-11-15 Thread Kristof Provost
On 2015-11-15 13:04:27 (+0100), Miłosz Kaniewski wrote: > > I suppose we could mark packets in pf_route() as M_SKIP_FIREWALL, but > > that might have other consequences. > > > > > I looked into old pf code to look for some tips. First commit worth > mentioning is 1.215 > (I took commit numbers fr

Re: Creating span interface using 'dup-to' option

2015-11-22 Thread Kristof Provost
On 2015-11-15 18:33:49 (+0100), Kristof Provost wrote: > On the other hand, perhaps there's something we can do about the state > matching. The problems all start because we match state on the > duplicated packet. That's not correct, because the rule is set on e.g. > e

Re: PF synproxy state doesn’t negotiate TCP options in 10.2

2015-11-25 Thread Kristof Provost
On 2015-11-25 05:36:07 (-0500), J David wrote: > It appears that “synproxy state” rules cause TCPs connection to be > negotiated without any options except MSS. > ... > Is this behavior intentional? If so, perhaps it should be mentioned > on the man page? If not, should we open a bug report on

Re: Unable to upload to S3 when pf is activated

2015-12-14 Thread Kristof Provost
> On 14 Dec 2015, at 21:04, murdoch.j...@moumantai.de wrote: > this might sound as a strange question, but when I activate the PF > firewall using a minimal rule set (see below), uploading files to > AWS S3 becomes impossible. ... > I am lost. Anyone any ideas. Am I right in assuming that the Fre

Re: Unable to upload to S3 when pf is activated

2015-12-14 Thread Kristof Provost
> On 14 Dec 2015, at 21:38, murdoch.j...@moumantai.de wrote: > yes, the machine runs on Amazon and yes again -tso fixed the problem. > > Could I have seen this somehow watching the pf log? Maybe package length? It’d be hard to spot. The problem was related to the checksums, so you’d have to exp

Re: IPv6 fragments in 10.2

2016-03-03 Thread Kristof Provost
> On 04 Mar 2016, at 03:58, Melissa Pilgrim > wrote: > > Now that pf in 10.2 supports IPv6 fragments, how do you configure pf to allow > them? I'm still seeing UDP PMTU breakage specifically with FreeBSD and pf > related to the packet filter not passing fragments. The basic "fragment > rea

Re: unable to block port on MacBook Pro

2016-03-12 Thread Kristof Provost
> On 13 Mar 2016, at 06:31, Yakov Feldman wrote: > > I am trying to block the process that is listening upon the port 9110 on my > MacBook Pro in order to simulate network interruption. > Are you running FreeBSD or OS X? If you’re running OS X you’ll need to talk to Apple about this. Regards,

Re: Whether pf generates " No buffer space available " error ?

2016-04-25 Thread Kristof Provost
On 2016-04-22 23:43:29 (-0700), samira wrote: > I'm using FreeBSD 9.2 It's worth noting that FreeBSD 9.2 is no longer supported (and hasn't been since the end of 2014). You really should upgrade to something with security support. That could be 9.3, but that release will only be supported until th

Re: fragments processing

2016-05-20 Thread Kristof Provost
Hi Max, On 19 May 2016, at 19:49, Max wrote: The number of used frags (almost) never decreases. I don't have enough experience in programming. But I guess that the problem may be in "frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c). It should be "frag->fr_timeout = time_up

Re: fragments processing

2016-05-20 Thread Kristof Provost
On 20 May 2016, at 18:57, Max wrote: 20.05.2016 11:53, Kristof Provost wrote: On 19 May 2016, at 19:49, Max wrote: The number of used frags (almost) never decreases. I don't have enough experience in programming. But I guess that the problem may be in "frag->fr_timeout = tim
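Max's hypothesis in this thread is a clock-domain mismatch: entries stamped from time_second (wall clock, seconds since the epoch) while the purge compares against time_uptime (seconds since boot). The following is an added model written for this archive page, not pf's code; the expiry rule, the table layout and the sample clock readings are assumptions chosen to show the effect. Because a wall-clock stamp is always far ahead of uptime, no entry ever looks stale, the pool only grows, and once it is full new fragments are dropped (the "PF frag entries limit reached" condition reported further down this page), which is a remotely triggerable way to deny fragment reassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAG_TABLE_MAX	64

/* Minimal reassembly-queue entry: only what the purge decision needs. */
struct frag_entry {
	uint32_t fr_timeout;	/* clock reading taken when the entry was created */
	int in_use;
};

/*
 * Expiry rule of this model (an assumption, not pf's code): an entry is stale
 * once 'frag_timeout' seconds have elapsed since its stamp, measured against
 * the monotonic uptime clock.
 */
static int frag_expired(const struct frag_entry *e, uint32_t frag_timeout, uint32_t time_uptime)
{
	return e->fr_timeout + frag_timeout < time_uptime;
}

/* Free stale entries; returns how many are still held. */
static size_t frag_purge(struct frag_entry *tbl, size_t n, uint32_t frag_timeout, uint32_t time_uptime)
{
	size_t live = 0;

	for (size_t i = 0; i < n; i++) {
		if (!tbl[i].in_use)
			continue;
		if (frag_expired(&tbl[i], frag_timeout, time_uptime))
			tbl[i].in_use = 0;	/* returned to the pool */
		else
			live++;
	}
	return live;
}

/*
 * Create n entries one second apart, stamping each from 'stamp_clock' (the
 * value of whichever clock the insert path reads) while the uptime clock
 * reads 'uptime'. Purge 'later' seconds of uptime after the last insert and
 * return the number of entries still held.
 */
static size_t simulate(size_t n, uint32_t stamp_clock, uint32_t uptime, uint32_t frag_timeout, uint32_t later)
{
	struct frag_entry tbl[FRAG_TABLE_MAX] = { { 0, 0 } };

	if (n == 0)
		return 0;
	if (n > FRAG_TABLE_MAX)
		n = FRAG_TABLE_MAX;
	for (size_t i = 0; i < n; i++) {
		tbl[i].fr_timeout = stamp_clock + (uint32_t)i;
		tbl[i].in_use = 1;
	}
	return frag_purge(tbl, n, frag_timeout, uptime + (uint32_t)(n - 1) + later);
}

int main(void)
{
	const uint32_t uptime = 864000;		/* constructed: host up for 10 days */
	const uint32_t wallclock = 1463700000;	/* constructed: a time_second value in May 2016 */
	const uint32_t frag_timeout = 30;	/* constructed: seconds a fragment may wait */

	printf("stamped with uptime:     %zu of 16 left 20 s after the last insert\n",
	    simulate(16, uptime, uptime, frag_timeout, 20));
	printf("stamped with wall clock: %zu of 16 left 20 s after the last insert\n",
	    simulate(16, wallclock, uptime, frag_timeout, 20));
	printf("stamped with wall clock: %zu of 16 left a day later\n",
	    simulate(16, wallclock, uptime, frag_timeout, 86400));
	return 0;
}
```

The first line shows the purge working as intended; the other two show why "the number of used frags never decreases" when the two clocks are mixed.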

Re: How to set tos to 0

2016-07-31 Thread Kristof Provost
On 31 Jul 2016, at 19:46, Radek Krejča wrote: I need to set TOS to 0 and remark it with rules. I am trying to use scrub to set tos to 0, but I have problem: scrub all fragment reassemble no-df set-tos 0 gives "Illegal value" but scrub all fragment reassemble no-df set-tos 1 is working. I am try

Re: Max altq bandwidth 4.26 Gbit

2016-08-10 Thread Kristof Provost
On 10 Aug 2016, at 9:28, Radek Krejča wrote: I need to shape 10G traffic, but I can't make bandwidth higher than 4.26 Gbit: pfctl shows: altq on int0 cbq bandwidth 4.26Gb tbrsize 36000 queue { default_nat.. but in pf.conf is: altq on $int_if cbq bandwidth 8550Mb queue { default_

Re: Max altq bandwidth 4.26 Gbit

2016-08-10 Thread Kristof Provost
On 10 Aug 2016, at 11:19, Radek Krejča wrote: That looks like you might be hitting the maximum of an unsigned integer. Try using relative specifications (i.e. as a percentage) instead. Yes, I think so. But I don't know that I can say relative specification for interface bandwidth. Could you show
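The arithmetic behind "hitting the maximum of an unsigned integer": 8550Mb is 8,550,000,000 bit/s, which does not fit in 32 bits (maximum 4,294,967,295), so a 32-bit bandwidth field keeps only the value modulo 2^32, and that remainder is exactly what the quoted pfctl output displays. The following is an added example for this archive page, not pf or pfctl code; the parser, the two-decimal formatting and the list of test specs are assumptions, and the check only tells you whether an absolute spec survives a 32-bit field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parse an absolute ALTQ bandwidth spec ("8550Mb", "4.26Gb", "100Kb") into
 * bits per second, carried in 64 bits. Suffixes as listed in pf.conf(5).
 * Returns 0 for anything it cannot parse.
 */
static uint64_t altq_bw_bits(const char *spec)
{
	double value = 0.0;
	char unit[4] = "";

	if (sscanf(spec, "%lf%3s", &value, unit) < 1 || value < 0)
		return 0;
	if (strcmp(unit, "Kb") == 0)
		value *= 1e3;
	else if (strcmp(unit, "Mb") == 0)
		value *= 1e6;
	else if (strcmp(unit, "Gb") == 0)
		value *= 1e9;
	else if (unit[0] != '\0' && strcmp(unit, "b") != 0)
		return 0;
	return (uint64_t)(value + 0.5);	/* round, so "4.26Gb" is exactly 4260000000 */
}

/* The same value once stored in a 32-bit field: silently reduced modulo 2^32. */
static uint32_t altq_bw_as_u32(const char *spec)
{
	return (uint32_t)altq_bw_bits(spec);
}

/* 1 if the spec fits a 32-bit field, 0 if it wraps. */
static int altq_bw_fits_u32(const char *spec)
{
	return altq_bw_bits(spec) <= UINT32_MAX;
}

/* Render bits/s with two decimals and the largest fitting unit, as in the pfctl output quoted above. */
static const char *altq_bw_str(uint64_t bps)
{
	static char buf[32];

	if (bps >= 1000000000ULL)
		snprintf(buf, sizeof buf, "%.2fGb", bps / 1e9);
	else if (bps >= 1000000ULL)
		snprintf(buf, sizeof buf, "%.2fMb", bps / 1e6);
	else if (bps >= 1000ULL)
		snprintf(buf, sizeof buf, "%.2fKb", bps / 1e3);
	else
		snprintf(buf, sizeof buf, "%llub", (unsigned long long)bps);
	return buf;
}

int main(void)
{
	const char *specs[] = { "100Mb", "4Gb", "4.26Gb", "8550Mb", "10Gb" };	/* constructed */

	for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
		printf("%-8s -> u32 %10u -> shown as %s%s\n", specs[i],
		    altq_bw_as_u32(specs[i]),
		    altq_bw_str(altq_bw_as_u32(specs[i])),
		    altq_bw_fits_u32(specs[i]) ? "" : "  (wrapped)");
	return 0;
}
```

For "8550Mb" the wrapped value is 4,255,032,704 bit/s, which prints as 4.26Gb; anything above 4Gb in an absolute spec needs the same sanity check before it is trusted.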

Re: Max altq bandwidth 4.26 Gbit

2016-08-10 Thread Kristof Provost
On 10 Aug 2016, at 14:38, Radek Krejča wrote: I have changed bandwidth to 100%, 90% or 95%. Syntax OK, but value stops at 1.27Gbit (it looks, that 1Gbit is default) When I give ifconfig, I see: media: Ethernet autoselect (10Gbase-SR ) It looks like "autodetection" in pf is broken too. I was

Re: How to set tos to 0

2016-08-10 Thread Kristof Provost
On 10 Aug 2016, at 16:23, Radek Krejča wrote: > this patch seems to be working. > Thanks for testing! > I will post bugreport. > The patch has already been committed to head (r303663). A bug would still be useful so I don’t forget to merge it back to 11 and 10. Regards, Kristof

Re: pf fastroute tag removal reviewers needed

2016-09-28 Thread Kristof Provost
On 28 Sep 2016, at 13:53, Franco Fichtner wrote: The main culprit of pfil not working correctly is pf's route-to and reply-to (and the tag formerly known as fastroute) as they would call if_output directly on the ifnet and consume their packets this way. That transmit code is also copied from if_

Re: dscp set/get

2016-10-06 Thread Kristof Provost
On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote: > pf still lacks the DSCP handling, will it be difficult/expensive to add > this ? AFAIK ipfw got this recently. > pf has set-tos and tos keywords. What is it not letting you do? Regards, Kristof

Re: dscp set/get

2016-10-06 Thread Kristof Provost
On 6 Oct 2016, at 10:30, Franco Fichtner wrote: On 06 Oct 2016, at 10:10 AM, Kristof Provost wrote: On 6 Oct 2016, at 6:57, Eugene M. Zheganin wrote: pf still lacks the DSCP handling, will it be difficult/expensive to add this ? AFAIK ipfw got this recently. pf has set-tos and tos keywords

Re: dscp set/get

2016-10-06 Thread Kristof Provost
On 6 Oct 2016, at 15:01, Mark Martinec wrote: Just adding recognition to a parser for a couple of DSCP constants to be mapped to TOS is not the solution. Keep in mind that DSCP is a 6-bit field, and TOS is an 8-bit field. The remaining two bits are used for ECN (Explicit Congestion Notification).
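The point Mark makes above, worked through in code: DSCP occupies the upper six bits of the TOS/Traffic Class byte and ECN the lower two, so a rule that compares or rewrites the whole byte with a fixed constant either misses packets whose sender set ECN or clobbers that ECN marking. This is an added example for this archive page, not pf code; the name table, the helper names and the constructed packet value are assumptions, and whether a given pf version compares the whole byte for `tos` is something to confirm against its own source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of the IPv4 TOS / IPv6 Traffic Class byte (RFC 2474, RFC 3168):
 *   bits 7..2  DSCP, 6 bits
 *   bits 1..0  ECN,  2 bits (owned by the endpoints, not by the ruleset)
 */
#define DSCP_SHIFT	2
#define DSCP_MASK	0x3f
#define ECN_MASK	0x03

/* Standard per-hop-behaviour names (RFC 2474, 2597, 3246) and their DSCP values. */
static const struct {
	const char *name;
	uint8_t dscp;
} dscp_names[] = {
	{ "cs0", 0 },   { "cs1", 8 },   { "cs2", 16 },  { "cs3", 24 },
	{ "cs4", 32 },  { "cs5", 40 },  { "cs6", 48 },  { "cs7", 56 },
	{ "af11", 10 }, { "af12", 12 }, { "af13", 14 },
	{ "af21", 18 }, { "af22", 20 }, { "af23", 22 },
	{ "af31", 26 }, { "af32", 28 }, { "af33", 30 },
	{ "af41", 34 }, { "af42", 36 }, { "af43", 38 },
	{ "ef", 46 },
};

/* DSCP value for a PHB name, or -1 if the name is unknown. */
static int dscp_by_name(const char *name)
{
	for (size_t i = 0; i < sizeof dscp_names / sizeof dscp_names[0]; i++)
		if (strcmp(dscp_names[i].name, name) == 0)
			return dscp_names[i].dscp;
	return -1;
}

/* TOS byte carrying this DSCP with ECN clear: what a fixed 'set-tos' constant would be. */
static uint8_t dscp_to_tos(uint8_t dscp)
{
	return (uint8_t)((dscp & DSCP_MASK) << DSCP_SHIFT);
}

static uint8_t tos_to_dscp(uint8_t tos)
{
	return (uint8_t)(tos >> DSCP_SHIFT);
}

/* Rewrite the DSCP bits only; the packet's ECN marking survives. */
static uint8_t tos_set_dscp(uint8_t tos, uint8_t dscp)
{
	return (uint8_t)(dscp_to_tos(dscp) | (tos & ECN_MASK));
}

/* Match on DSCP alone, whatever the ECN bits say. */
static int tos_has_dscp(uint8_t tos, uint8_t dscp)
{
	return tos_to_dscp(tos) == (dscp & DSCP_MASK);
}

int main(void)
{
	uint8_t ef = (uint8_t)dscp_by_name("ef");
	uint8_t pkt = 0xb9;	/* constructed: EF with ECT(1) set by the sender */

	printf("ef -> dscp %u -> tos 0x%02x\n", ef, dscp_to_tos(ef));
	printf("packet tos 0x%02x: whole-byte compare with 0x%02x -> %s, DSCP compare -> %s\n",
	    pkt, dscp_to_tos(ef), pkt == dscp_to_tos(ef) ? "match" : "no match",
	    tos_has_dscp(pkt, ef) ? "match" : "no match");
	printf("remark to cs1: whole-byte 0x%02x, ECN-preserving 0x%02x\n",
	    dscp_to_tos(8), tos_set_dscp(pkt, 8));
	return 0;
}
```

Mapping "ef" to 0xb8 is right only for a packet with ECN clear; an ECN-capable sender emits 0xb9 or 0xba for the same class, which a whole-byte match misses and a whole-byte rewrite silently strips of its ECN capability.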

Re: Slow NAT on 10.3-RELEASE

2016-10-11 Thread Kristof Provost
On 11 Oct 2016, at 10:34, Kamil Choudhury wrote: I've seen some mention of checksum issues on NAT limiting performance, but that seems to have been fixed as of 10.2 in an errata. Have I stumbled upon an actual problem, or have I misconfigured something? It’s worth trying the workaround (i.e. d

Re: udp - weird behavior of reply-to

2017-01-08 Thread Kristof Provost
On 8 Jan 2017, at 15:55, Marek Zarychta wrote: Is it a bug to be officially submitted or it will not be possible to use reply-to for UDP traffic anymore? The problem description doesn’t ring any bells with me, but I’m also not sure I’ve fully understood it. Can you document a minimal reproduc

Re: udp - weird behavior of reply-to

2017-01-09 Thread Kristof Provost
On 9 Jan 2017, at 18:25, Marek Zarychta wrote: On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote: On 8 Jan 2017, at 15:55, Marek Zarychta wrote: The problem description doesn’t ring any bells with me, but I’m also not sure I’ve fully understood it. Can you document a minimal

Re: udp - weird behavior of reply-to

2017-01-13 Thread Kristof Provost
On 9 Jan 2017, at 18:25, Marek Zarychta wrote: On Sun, Jan 08, 2017 at 07:08:10PM +0100, Kristof Provost wrote: On 8 Jan 2017, at 15:55, Marek Zarychta wrote: The problem description doesn’t ring any bells with me, but I’m also not sure I’ve fully understood it. Can you document a minimal

Re: sonewconn: pru_attach() failed and kernel panic in PF

2017-03-05 Thread Kristof Provost
On 27 Feb 2017, at 21:08, Ross wrote: Hello One of my machines panics almost every day. It is always like this: first there is a number of messages about "sonewconn: pcb 0xf80085478740: pru_attach() failed" at the same time and then panic. Here's an example: ... many lines of sonewco

Re: sonewconn: pru_attach() failed and kernel panic in PF

2017-03-05 Thread Kristof Provost
On 5 Mar 2017, at 21:42, Kristof Provost wrote: There’s only a couple of calls to uma_zfree() in pf_get_translations(). These are: * uma_zfree(V_pf_state_key_z, skp); * uma_zfree(V_pf_state_key_z, *nkp); * uma_zfree(V_pf_state_key_z, *skp); Going by the inconsistent pointer use the first

Re: sonewconn: pru_attach() failed and kernel panic in PF

2017-03-06 Thread Kristof Provost
So it turns out I shouldn't commit things when jet lagged. You want r314810 in head. The other one was mistakenly done in stable/11. It needed to go there sooner or later so I'm just going to leave it. Regards, Kristof > On 5 Mar 2017, at 22:19, Kristof Provost wrote: >

Re: Support for the enc(4) pseudo-interface

2017-03-20 Thread Kristof Provost
On 20 Mar 2017, at 23:08, Marin Bernard wrote: Yet, it appears that pf is able to handle references to enc(4) in its ruleset even if the kernel does not support it. Is it expected behaviour? Is it safe to use such a configuration on a production machine ? pf accepts rules for interfaces that d

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kristof Provost
On 21 Mar 2017, at 9:43, Marin Bernard wrote: Thanks for answering. Yes, I know that pf accepts rules mentioning nonexistent interfaces. What puzzles me here is that my ruleset is actually working. With peer0 = 1.2.3.4 and peer1 = 5.6.7.8, the following ruleset works as expected: - peers =

Re: Support for the enc(4) pseudo-interface

2017-03-21 Thread Kristof Provost
On 21 Mar 2017, at 12:44, Miroslav Lachman wrote: Kristof Provost wrote on 2017/03/21 10:18: On 21 Mar 2017, at 9:43, Marin Bernard wrote: If there is no SA, it is impossible for a peer to ping another. As soon as IKE creates a SA, however, ping starts working. As you can see, the last rule

Re: pf, ALTQ and 10G

2017-03-28 Thread Kristof Provost
On 28 Mar 2017, at 9:33, Eugene M. Zheganin wrote: I need to implement QoS on a 10G interface (ix(4)) with bandwidth of 4-5 Gbit/sec. In general I'm using pf on FreeBSD, since I like it more than ipfw. But I'm aware that it's kind of ancient and wasn't updated for a long time from the upstream

Re: When should I worry about performance tuning?

2017-03-29 Thread Kristof Provost
On 29 Mar 2017, at 22:06, Chris H wrote: OK. My association with FreeBSD has made me a prime target for every male hormone distributor on the net. Fact is; I can guarantee ~89 SPAM attempts in under 5 minutes, after creating a pr on bugzilla. At first I was angry, and frustrated. But decided to m

Re: pfctl does not clear limit counters

2017-04-14 Thread Kristof Provost
On 14 Apr 2017, at 8:24, Max wrote: "pfctl -F info" command doesn't clear limit counters (shown in "pfctl -vsi" output). I think it should be --- sys/netpfil/pf/pf_ioctl.c.orig 2017-04-14 09:10:25.17138 +0300 +++ sys/netpfil/pf/pf_ioctl.c 2017-04-14 09:13:21.55365 +0300 @@ -1835,

Re: Bridge forward detection bug in 11.1-RELEASE?

2017-07-31 Thread Kristof Provost
On 30 Jul 2017, at 22:19, Heikki Paatela wrote: I was having kernel panics with 10.2-RELEASE earlier, caused by https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202351. It would seem that some change that has happened between 11.0 and 11.1 has introduced a similar problem. The patch fixed th

Re: Is panic() the way to handle errors in pf?

2017-08-02 Thread Kristof Provost
On 1 Aug 2017, at 11:30, Kajetan Staszkiewicz wrote: > Hey, group. > > A thought came to me: is it really the best thing to panic when errors are > encountered within pf? I understand there are situations where it is safer for > the kernel to not continue running like some low-level operations in m

Re: NATted outbound traffic sometimes uses backup CARP IP on LACP/LAGG interface

2017-09-14 Thread Kristof Provost
On 14 Sep 2017, at 16:21, Dave Cottlehuber wrote: Outgoing traffic (from a jail) via PF NAT over a LAGG/LACP sometimes has the *backup* CARP IP address assigned to it. ### running configs ## pfctl indeed shows it's a round-robin

Re: NATted outbound traffic sometimes uses backup CARP IP on LACP/LAGG interface

2017-09-15 Thread Kristof Provost
On 15 Sep 2017, at 11:31, Dave Cottlehuber wrote: Can you explain what $if:0 resolves to, for example how does it relate to the primary ipv4/6 addresses bound to that interface? I couldn't find a reference in the usual ifconfig manpages about this (ifname:#) format, the BNF grammar for pf.co

Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)

2017-11-08 Thread Kristof Provost
On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote: > Hi Everyone, > > Problem: isolating jail away from internal network and host "hosting" > it. > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE > enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0), > single net

Re: problems with tftp-proxy in 11.1?

2017-12-03 Thread Kristof Provost
On 2 Dec 2017, at 4:56, John Jasen wrote: > Attempts to run tftp-proxy across a freebsd system running pf result in > very slow performance and an endless amount of: > > "pf connection lookup failed (no rdr?)" > Is there something that has regressed in 11.1, or am I missing something? > I’m not aw

Re: problems with tftp-proxy in 11.1?

2017-12-04 Thread Kristof Provost
On 4 Dec 2017, at 19:57, John Jasen wrote: Depending on circumstances, we see a lot or a very few of the following messages: "pf connection lookup failed (no rdr?)" That means the state lookup (using ioctl(DIOCNATLOOK)) failed. There seem to be a couple of possible reasons why that might happe

Re: problems with tftp-proxy in 11.1?

2017-12-06 Thread Kristof Provost
On 6 Dec 2017, at 21:25, John Jasen wrote: On 12/04/2017 02:47 PM, Kristof Provost wrote: On 4 Dec 2017, at 19:57, John Jasen wrote: Depending on circumstances, we see a lot or a very few of the following messages: "pf connection lookup failed (no rdr?)" That means

Re: problems with tftp-proxy in 11.1?

2017-12-13 Thread Kristof Provost
On 7 Dec 2017, at 18:02, John Jasen wrote: On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost wrote: On 6 Dec 2017, at 21:25, John Jasen wrote: On 12/04/2017 02:47 PM, Kristof Provost wrote: Okay, so this is interesting: 25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7f

Re: problems with tftp-proxy in 11.1?

2018-01-23 Thread Kristof Provost
On 14 Dec 2017, at 8:16, Kristof Provost wrote: On 7 Dec 2017, at 18:02, John Jasen wrote: On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost wrote: On 6 Dec 2017, at 21:25, John Jasen wrote: On 12/04/2017 02:47 PM, Kristof Provost wrote: Okay, so this is interesting: 25013: ioctl

Re: Kernel Panic

2018-02-14 Thread Kristof Provost
On 14 Feb 2018, at 23:47, Joe Jones wrote: Hi, we are running test traffic through our system, after between 1 and 12 hours we get a kernel panic, always in the pfr_pool_get function in /usr/src/sys/netpfil/pf/pf_table.c line 2140. After a bit of investigation I confirmed that ke2 is set to n

Re: Kernel Panic

2018-02-26 Thread Kristof Provost
On 26 Feb 2018, at 17:06, Joe Jones wrote: Hi Kristof, we are not updating rules during the test although in production we will reload the rule set from time to time. We are constantly adding and removing from tables though, using the DIOCRADDADDRS and DIOCRDELADDRS ioctl, also DIOCKILLSTATE

Re: Kernel Panic

2018-02-27 Thread Kristof Provost
On 27 Feb 2018, at 20:40, Joe Jones wrote: we have a kernel panic after compiling with witness and invariant Feb 27 13:49:33 sovapn1 kernel: lock order reversal: Feb 27 13:49:33 sovapn1 kernel: 1st 0xfe000fed78b8 pf_idhash (pf_idhash) @ /usr/src/sys/netpfil/pf/pf.c:1078 Feb 27 13:49:33 sova

Re: Kernel Panic

2018-02-28 Thread Kristof Provost
On 28 Feb 2018, at 9:52, Kristof Provost wrote: On 27 Feb 2018, at 20:40, Joe Jones wrote: we have a kernel panic after compiling with witness and invariant Feb 27 13:49:33 sovapn1 kernel: lock order reversal: Feb 27 13:49:33 sovapn1 kernel: 1st 0xfe000fed78b8 pf_idhash (pf_idhash) @ /usr

Re: Kernel Panic

2018-03-01 Thread Kristof Provost
On 1 Mar 2018, at 15:37, Joe Jones wrote: yes we use pfsync. Yesterday we tried with pfsync switched off, the box still locked up but this time without a panic. We make the DIOCRADDADDRS ioctl on the master and the backup (we use CARPed pairs). Interesting. It might be related to pfsync. Is

Re: Required modification for round robin napt with ip address prefixes

2018-03-15 Thread Kristof Provost
On 14 Mar 2018, at 18:30, Steven Crangle wrote: I was looking for some advice on the type of locking required to stop a box panicking that utilises both napt and ip address prefixes. My colleague made a post a while ago, and we ended up getting distracted fixing other panics that showed up. Bu

Re: pf nat log does not show source and destination port

2018-06-11 Thread Kristof Provost
Hi Fatemeh, On 11 Jun 2018, at 7:51, Fatemeh Mehdizadeh wrote: Hi all, I'm using pf to create nat. I'm on FreeBSD 9.2. Note that FreeBSD 9.2 is not a supported version. It went out of support at the end of 2014. (See https://www.freebsd.org/security/unsupported.html) I would strongly recommend

Re: Is there an upper limit to PF's tables?

2018-06-14 Thread Kristof Provost
On 14 Jun 2018, at 19:40, Dave Horsfall wrote: I can't get access to kernel sauce right now, but I'm hitting over 1,000 entries from woodpeckers[*] etc; is there some upper limit, or is it just purely dynamic? aneurin% freebsd-version 10.4-RELEASE-p9 Ian already gave some good information

Re: Is there an upper limit to PF's tables?

2018-06-18 Thread Kristof Provost
On 18 Jun 2018, at 0:19, Chris H wrote: Sorry. Looks like I might be coming to the party a little late. But I'm currently running a 9.3 box that runs as an IP (service) filter for much of a network. While I've patched the box well enough to keep it safe to continue running. I am reluctant to up(

Re: pfr_update_stats: assertion failed.

2018-06-24 Thread Kristof Provost
On 23 Jun 2018, at 18:46, Marek Zarychta wrote: On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: The issue occurred first two years ago, after upgrade from 8 to 9 branch. Now this i386 machine is running 11.0-STABLE

Re: pfr_update_stats: assertion failed.

2018-06-24 Thread Kristof Provost
On 24 Jun 2018, at 21:07, Marek Zarychta wrote: On Sun, Jun 24, 2018 at 01:56:07PM +0200, Kristof Provost wrote: On 23 Jun 2018, at 18:46, Marek Zarychta wrote: On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: The

Re: "egress" group

2018-06-25 Thread Kristof Provost
On 25 Jun 2018, at 22:12, Joseph Ward wrote: My current pf.conf contains the following lines (with a lot of other stuff redacted for irrelevance): ext_if="em0" ... block log all pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state and it works great; ssh is able to get

Re: Possible bug: 11.2-RELEASE guest with vtnet and PF

2018-07-02 Thread Kristof Provost
Hi Jakub, On 30 Jun 2018, at 17:07, Jakub Chromy wrote: I've just installed a 11.2-RELEASE guest under bhyve (hypervisor is 11.1-RELEASE)... and I cant use Virtio network interface with PF: odine:/boot/kernel# /sbin/pfctl -n -f ~/local/tmp/pf.work *pfctl: pfi_get_ifaces: Bad file descriptor*

Re: pf reload/resync and skipped interface groups on 11.2-RELEASE

2018-07-02 Thread Kristof Provost
On 2 Jul 2018, at 16:44, Felix J. Ogris wrote: this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule set. After the first reload/resync, any traffic on an interface that is skipped via an interface group statement in pf.conf is rejected: Thanks for the report. I think that’s th

Re: Possible bug: 11.2-RELEASE guest with vtnet and PF

2018-07-02 Thread Kristof Provost
On 2 Jul 2018, at 16:17, Kristof Provost wrote: Hi Jakub, On 30 Jun 2018, at 17:07, Jakub Chromy wrote: I've just installed a 11.2-RELEASE guest under bhyve (hypervisor is 11.1-RELEASE)... and I cant use Virtio network interface with PF: odine:/boot/kernel# /sbin/pfctl -n -f ~/loca

Re: pf tables locking

2018-08-13 Thread Kristof Provost
On 13 Aug 2018, at 0:09, Kajetan Staszkiewicz wrote: Hello group, Can anybody help me with pf_table.c and all operations on tables, especially pfr_update_stats? I'm working on implementing stats for redirection targets, that is for nat or route-to. I'm going through the code and I've found o

Re: pf tables locking

2018-08-13 Thread Kristof Provost
On 13 Aug 2018, at 17:06, Kajetan Staszkiewicz wrote: > On Monday, 13 August 2018 15:22:33 CEST Kristof Provost wrote: >> rules (and associated tables) won’t just go away while there’s still >> state, > > This is mostly what I wanted to ask about in this message. How is it ens

Re: pf tables locking

2018-08-14 Thread Kristof Provost
On 14 Aug 2018, at 0:32, Kajetan Staszkiewicz wrote: On Monday, 13 August 2018 17:59:15 CEST Kristof Provost wrote: How about this? https://github.com/innogames/freebsd/commit/ d44a0d9487285fac8ed1d7372cc99cca83f616e6 That looks good to me. There’s a few minor issues, things like inconsistent

Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

2018-10-18 Thread Kristof Provost
On 15 Oct 2018, at 15:26, Andreas Longwitz wrote: On two of my FreeBSD 10 (r338093) firewall servers some incoming ssh connections stopped working because pf started to create states with expire time zero (instead of 86400 sec) for translation statements like rdr pass on em0 proto tcp from any

Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

2018-10-27 Thread Kristof Provost
On 27 Oct 2018, at 5:22, Andreas Longwitz wrote: Thanks very much for answer especially for the hint to openbsd. I wonder if there’s an integer overflow in the pf_state_expires() calculation. The OpenBSD people have a cast to u_int64_t in their version: |timeout = (u_int64_t)timeout * (end - s

Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

2018-11-13 Thread Kristof Provost
On 13 Nov 2018, at 22:01, Andreas Longwitz wrote: Are there any hints why the counter pf_default_rule->states_cur could get a negative value ? I’m afraid I have no idea right now. OK, in the meantime I did some more research and I am now quite sure the problem with the bogus pf_def
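Two things this thread turns on can be shown with a small model of the adaptive timeout scaling: why OpenBSD widens the intermediate product to u_int64_t (the message above quoting their cast), and why a states_cur counter that reads back as a bogus negative value yields states with "expire time zero" (the message directly above). The following is an added example for this archive page, not pf's pf_state_expires(); the linear scaling rule, the helper names and the sample limits and counts are assumptions, and the 60%/120% adaptive defaults are taken from pf.conf(5).

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of adaptive state timeouts (pf.conf(5): timeout adaptive.start and
 * adaptive.end). Assumed rule, not pf's code: below 'start' states the
 * configured timeout applies unchanged, between start and end it shrinks
 * linearly with the state count, and at or beyond end it is zero.
 */
struct adaptive {
	uint32_t start;
	uint32_t end;
};

/* Scale 'timeout' by (end - states) / (end - start) with a 32-bit intermediate. */
static uint32_t scale_u32(uint32_t timeout, struct adaptive a, uint32_t states)
{
	uint32_t product = timeout * (a.end - states);	/* wraps modulo 2^32 */
	return product / (a.end - a.start);
}

/* The same with the intermediate widened to 64 bits, as in the OpenBSD cast quoted above. */
static uint32_t scale_u64(uint32_t timeout, struct adaptive a, uint32_t states)
{
	uint64_t product = (uint64_t)timeout * (a.end - states);
	return (uint32_t)(product / (a.end - a.start));
}

/*
 * Absolute expiry of a state: its last refresh time plus the (scaled)
 * timeout, or 'now' once the table is at or past 'end'. 'states' is a
 * 64-bit value, the width counter_u64_fetch() hands back.
 */
static uint32_t state_expires(uint32_t expire, uint32_t timeout, struct adaptive a,
    uint64_t states, uint32_t now, int wide)
{
	if (a.end == 0 || a.start >= a.end || states <= a.start)
		return expire + timeout;
	if (states >= a.end)
		return now;	/* treated as already expired */
	return expire + (wide ? scale_u64(timeout, a, (uint32_t)states)
			      : scale_u32(timeout, a, (uint32_t)states));
}

/* Seconds of life a freshly created state gets under the given conditions. */
static uint32_t remaining_life(uint32_t timeout, struct adaptive a, uint64_t states, int wide)
{
	const uint32_t now = 1000;	/* constructed uptime; only the difference matters */
	return state_expires(now, timeout, a, states, now, wide) - now;
}

int main(void)
{
	struct adaptive small = { 6000, 12000 };	/* 60%/120% of the stock 10000-state limit */
	struct adaptive big = { 600000, 1200000 };	/* the same percentages of a 1000000-state limit */
	uint32_t tcp_established = 86400;		/* default tcp.established timeout */

	printf("small table, 100 states:            %u s\n", remaining_life(tcp_established, small, 100, 1));
	printf("big table, 600001 states, 64-bit:   %u s\n", remaining_life(tcp_established, big, 600001, 1));
	printf("big table, 600001 states, 32-bit:   %u s\n", remaining_life(tcp_established, big, 600001, 0));
	printf("counter read back as -5 (as u64):   %u s\n", remaining_life(tcp_established, big, (uint64_t)-5, 1));
	return 0;
}
```

With a million-state limit the 32-bit product 86400 * 599999 wraps and the scaled timeout collapses from 86399 s to 500 s, which is what the cast prevents; a counter that reads back as a negative number is, as an unsigned 64-bit value, far beyond adaptive.end, so every new state is handed an expiry of "now", matching the zero expire times reported at the top of this thread.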

Re: VNET jails and PF service

2018-12-13 Thread Kristof Provost
On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote: > I can't start PF as service from vnet jail. I have devfs rule to unhide > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f > /etc/pf.conf" but "service pf start" fails with: > > kldload: can't load pf: Operation not perm

Re: VNET jails and PF service

2018-12-13 Thread Kristof Provost
On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote: > On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote: > > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote: > > > I can't start PF as service from vnet jail. I have devfs rule to unhide > > > bpf (fo

Re: VNET jails and PF service

2018-12-13 Thread Kristof Provost
On 2018-12-13 13:06:00 (+0100), Kristof Provost wrote: > On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote: > > On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote: > > > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote: > > > > I can't start P

Re: routing LAN traffic through/around a pf gateway

2019-01-24 Thread Kristof Provost
On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote: I have limited knowledge of PF being in the process of transitioning from 20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a great fund of knowledge respecting IP routing. That said this is my problem: On a small test LA

Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

2019-02-18 Thread Kristof Provost
On 18 Feb 2019, at 18:30, Andreas Longwitz wrote: Ok, thanks, I will commit the patch shortly. I do not see a point in waiting for two more weeks, sure report me if anything goes wrong. your patch for counter(9) on i386 definitely solves my problem discussed in this thread. Because fetchin

Re: rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

2019-02-23 Thread Kristof Provost
On 19 Feb 2019, at 22:53, Andreas Longwitz wrote: Kristof Provost wrote: Because fetching a counter is a rather expensive function we should use counter_u64_fetch() in pf_state_expires() only when necessary. A "rdr pass" rule should not cause more effort than separate

Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl

2019-04-01 Thread Kristof Provost
On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote: I know for a fact that there is desire, with financials available, to get our code updated. I do not think there is any specific criteria desired, other than moved closer to the OpenBSD version. It’s a good goal, but there are three major issues

Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl

2019-04-02 Thread Kristof Provost
On 1 Apr 2019, at 23:06, Rodney W. Grimes wrote: On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote: Those are: - scalability The project funding source is OS agnostic, would it help if the OpenBSD pf implementation was redone in a way that it had fine grained locking. Would it be possible to a

Re: passthru ethernet interface

2019-05-25 Thread Kristof Provost
> On 22 May 2019, at 04:53, The Doctor via freebsd-questions > wrote: > > How do I set up in /etc/rc.conf an eth1 that will > attach itself to the back of the router in my packet filtering (pf) box, > namely the $ext_if ? > You want to set a macro in your pf.conf, as documented in its man pag

Re: pf and dummynet

2019-07-29 Thread Kristof Provost
> On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf > wrote: > > From: mike tancsa > Sent: 29 July 2019 17:06 > To: freebsd-pf@freebsd.org > Subject: pf and dummynet > > I have a box I need to shape inbound and outbound traffic. It

Re: pf and dummynet

2019-07-29 Thread Kristof Provost
On 29 Jul 2019, at 20:22, mike tancsa wrote: On 7/29/2019 1:51 PM, Kristof Provost wrote: Also beware of gotchas with things like IPv6 fragment handling or route-to. I do not consider mixing firewalls to be a supported configuration. If it breaks you get to keep the pieces. Thanks, I was

Re: pf and dummynet

2019-07-29 Thread Kristof Provost
On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote: >> On 29 Jul 2019, at 20:22, mike tancsa wrote: >>> On 7/29/2019 1:51 PM, Kristof Provost wrote: >> In general I'd expect quality of service and bandwidth limits to only >> be effective in the upstream direction (when

Re: Update to PF from OpenBSD 6.5

2019-08-20 Thread Kristof Provost
On 20 Aug 2019, at 11:36, Tom Marcoen wrote: Hey all, I'm quite new to FreeBSD so apologies if this is a stupid question. Is there a good reason for not upgrading PF to the version from OpenBSD 6.5? There are several reasons why updating pf is a non-trivial problem. From an e-mail I sent o

Re: Update to PF from OpenBSD 6.5

2019-08-20 Thread Kristof Provost
On 20 Aug 2019, at 12:32, Goran Mekić wrote: > On Tue, Aug 20, 2019 at 11:49:18AM +0200, Kristof Provost wrote: >> One thing I’ve thought of trying, and that might be an interesting stepping >> stone, is to create a port (/usr/ports/net/opf or whatever) of OpenBSD’s pf. >> In

Re: pf tracker

2019-09-06 Thread Kristof Provost
On 6 Sep 2019, at 2:51, ravi new wrote: In packet filter rule ,there is a text called "tracker" what is use of this? I’ve not seen ‘tracker’ before in pf rules. Do you have an example? Can i find syntax of packet filter rules of freebsd. man 5 pf.conf Regards, Kristof

Re: PF frag entries limit reached on a server with hw.ncpu: 24

2019-12-27 Thread Kristof Provost
On 23 Dec 2019, at 12:00, Andreas Longwitz wrote: On one of my servers I saw some messages dssinet kernel: [zone: pf frag entries] PF frag entries limit reached The output of the command vmstat -z | grep "pf frag entries" was pf frag entries: 40, 5000, 0, 5000, 18760, 0,

Re: Blocking SYN with data

2019-12-27 Thread Kristof Provost
On 26 Dec 2019, at 1:13, Özkan KIRIK wrote: Hi, I want to block SYN with data packets. I read the pf.conf manual, but couldn't find a clear way to do this. Is it possible to match packets greater than N bytes using pf on FreeBSD 12.1 stable? There isn’t a way to express this in pf right now

Re: Rule last match timestamp

2019-12-27 Thread Kristof Provost
On 26 Dec 2019, at 1:20, Özkan KIRIK wrote: > Hi, > > I need last match timestamps for each rule. ipfw has an option for this. > But the pfctl -v -sr command doesn't show the last match timestamp. > Is there a way to gather this information in pf? > Pf does not track this. What are you trying to accomplish?

Re: Rule last match timestamp

2019-12-27 Thread Kristof Provost
On 27 Dec 2019, at 21:49, Franco Fichtner wrote: Hi, On 27. Dec 2019, at 6:45 PM, Kristof Provost wrote: What are you trying to accomplish? Some people believe that "last match" is a great metric to audit rules for intrusion detection and all sorts of ruleset optimisation and

Re: Flow of broadcast/multicast packets in pf when a bridge is present

2019-12-28 Thread Kristof Provost
> On 28 Dec 2019, at 12:52, Andreas Longwitz wrote: > > In the meantime I have understood I was wrong about the code snippet > >> mc2 = m_dup(m, M_NOWAIT); >> if (mc2 != NULL) { >> /* Keep the layer3 header aligned */ >> int i = min(mc2->m_pkthdr.len, max_protohdr); >> mc2

Re: Updating our translation functionality

2020-02-27 Thread Kristof Provost
On 27 Feb 2020, at 10:08, J.R. Oldroyd wrote: I read back and found the thread last August "Update to PF from OpenBSD 6.5". I was going to ask the same thing but, given the complexities discussed in the responses there, perhaps the question should be asked a different way round. How much wo

Re: ALTQ feature of PF in FreeBSD

2020-03-04 Thread Kristof Provost
On 29 Feb 2020, at 0:35, Sean Yeh wrote: Hi FreeBSD-pf members, I hope you guys are enjoying your weekend! I was wondering if any of you happened to know if the code for the ALTQ feature of pf could be separated and used for NetBSD's pf function. I'm currently investigating methods to improve

Re: Need a PF consultant

2020-06-21 Thread Kristof Provost
On 21 Jun 2020, at 23:11, David Mehler wrote: Anyone a pf expert wanting to make some extra money? I'm in need of consulting, I'm having an issue with my PF configuration, I've got a much longer message with output and netstat and all that, if anyone is interested email me privately with rates a

Re: Need a PF consultant

2020-06-21 Thread Kristof Provost
On 22 Jun 2020, at 2:06, David Mehler wrote: Thanks for all your replies. Donald, the IPv6 dns is working fine in this situation. Kristof, here's what I originally had in my pf.conf file for ICMP: pass out quick on $ext_if proto { icmp, icmp6 } modulate state pass in quick on $ext_if proto { i

Re: pf - state counter tracking like pfsync

2020-06-28 Thread Kristof Provost
On 26 Jun 2020, at 13:56, Özkan KIRIK wrote: My goal is save pkt/byte counters of each expired/killed/closed states into a txt file. What is the right way to do this in userspace ? There’s no real right way to do this using pf. There are a couple of things that’ll get close, but no 100% solut

Re: The best of both worlds “using mac filtering in pf”

2020-07-10 Thread Kristof Provost
On 10 Jul 2020, at 19:57, l.m.v.br...@xs4all.nl wrote: Hello, I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific firewall, however the world is changing in the direction of IPv6 and that leads to new issues and related new requirements. One of the major issues is

Re: The best of both worlds “using mac filtering in pf”

2020-07-10 Thread Kristof Provost
On 10 Jul 2020, at 22:37, Ultima wrote: Hey Kristof, (It’s already possible to use pf on top of a bridge in bump-in-the-wire mode. Given the gotchas in that code I **strongly** recommend people don’t use that functionality.) Do you mind going into details on the gotchas or providing links?

Re: Packets passed by pf don't make it out?

2020-10-13 Thread Kristof Provost
On 12 Oct 2020, at 23:48, Andreas Longwitz wrote: Hello, now I can confirm (on FreeBSD 10 Stable) what you see on fb2 when your program udp_client is running on fb1. pf creates a state for the first packet only; for the other packets pf fails to create a state, with messages like pf: stack key

Re: Packets passed by pf don't make it out?

2020-10-14 Thread Kristof Provost
On 14 Oct 2020, at 18:52, J David wrote: On 12 Oct 2020, at 23:48, Andreas Longwitz wrote: pf gives these messages in debug mode (pfctl -x loud). Yes, with that setting I'm also seeing those messages. On Tue, Oct 13, 2020 at 5:35 PM Kristof Provost wrote: I see the same ‘stack key a