rences on google
e.g. Remko has the first hit here:
http://www.evilcoder.org/content/view/545/33/
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ A
Hi Hugo,
On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to an DNSSEC enabled server which replies w
a huge benefit)
- interface handling (groups etc.)
- pfsync / pflog update (not 100% sure about these due to libpcap /
tcpdump dependency)
While at it, I might also introduce needed ABI breakage for netgraph
interaction.
Anything else?
--
/"\ Best regards, | [EMAIL PROT
MP and other infrastructure. Also
coming FreeBSD specific features (e.g. netgraph) will make a verbatim
sync impossible.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/
(pf, ipfw, ipf, vlans, ipsec, altq ...)
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
nderstand your setup correctly: pf
is running on the DNS server i.e. the destination address of the datagram
is a local address?
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.ne
On Saturday 02 June 2007, Michal Mertl wrote:
> Max Laier wrote:
> > [ moving this to the more specific list ]
> >
> > On Friday 01 June 2007, LI Xin wrote:
> > > Stanislaw Halik wrote:
> > > > Heya,
> > > >
> > > > Are there a
On Friday 01 June 2007, Henrik Brix Andersen wrote:
> Hi Max,
>
> On Fri, Jun 01, 2007 at 05:17:52PM +0200, Max Laier wrote:
> > Submit your list of features and I'll see what I can do this weekend.
> > My list includes:
> >
> > - keep state and flags S/SA
On Sunday 03 June 2007, Gergely CZUCZY wrote:
> On Sun, Jun 03, 2007 at 11:43:10PM +0800, LI Xin wrote:
> > Max Laier wrote:
> > [...]
> >
> > > How do people feel about removing ftp-proxy from the base
> > > altogether? I think it's better off in p
> 40 datagrams output
> udp:
> 36 datagrams received
> 3 with bad checksum
> 33 delivered
> 41 datagrams output
Aha! Can you confirm that "bad checksum" increases for every fragmented
packet and I'll look for a cure
On Monday 04 June 2007, Dag-Erling Smørgrav wrote:
> Max Laier <[EMAIL PROTECTED]> writes:
> > Anything else?
>
> ftp-proxy(8) and tftp-proxy(8) would be nice...
... I'm at it. Could you maybe lend a hand with importing libevent[1]
which is a requirement for ftp-pr
On Friday 01 June 2007, Max Laier wrote:
> [ moving this to the more specific list ]
> ...
> Anything else?
Contrary to earlier remarks, I'll do an almost complete import of pf as
per OpenBSD 4.1, not supported features will be disabled. These include
routing: tags, multipath, e
On Wednesday 06 June 2007, Dag-Erling Smørgrav wrote:
> Max Laier <[EMAIL PROTECTED]> writes:
> > Dag-Erling Smørgrav <[EMAIL PROTECTED]> writes:
> > > Max Laier <[EMAIL PROTECTED]> writes:
> > > > Anything else?
> > >
> > > ftp
llman - he just happened to be the most
recent one to hit the problem.
On Wednesday 18 April 2007, Tillman Hodgson wrote:
> On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> > > Oh, interesting! I'm re
sorry for the rant.
This does *not* mean that everybody else can stop testing now! Please
follow Tillman's example and report back (just keep me in CC this
time ;)).
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67
On Wednesday 06 June 2007, Chris Marlatt wrote:
> Max Laier wrote:
> > and again ... the thread ends here - zero feedback received :-( Does
> > anyone care about user/group rules at all? If so - speak up now or
> > I'll just disable them with the upcoming update!!!
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
Synopsis: pf does not use IPv6 interface addresses at startups
State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Wed Jun 13 11:43:49 UTC 2007
State-Changed-Why:
Can be fixed otherwise. Patch not a good idea in general - sorry.
http://www.freebsd.org/cgi/query-pr.c
The following reply was made to PR bin/113650; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups
Date: Wed, 13 Jun 2007 13:43:51 +0200
The better fix
UPDATE available details below:
On Sunday 10 June 2007, Max Laier wrote:
> http://people.freebsd.org/~mlaier/PF41/
>
> enjoy.
>
> A word of caution: This is almost completely untested (even though this
> email passed through a minimal ruleset of pf 4.1 ;). I'd like to
debugger might also be insightful.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
0-1480
> pf_normalize_ip: reass frag 39811 @ 1480-1484
> pf_reassemble: 1484 < 1484?
That's a configuration problem. Something seems to assume a MTU of 1484
while there really is a bottleneck with only 1480 which leads to heavy
fragmentation. You should find the offender
penBSD 3.7. Yes, "log" is not
valid for rdr rules in that version. No, "pass" is valid on rdr rules.
There is also an update to OpenBSD 4.1 code available from
http://people.freebsd.org/~mlaier/PF41/ for testing.
--
/"\ Best regards, | [EMA
And again ...
On Wednesday 13 June 2007, Max Laier wrote:
> UPDATE available details below:
>
> On Sunday 10 June 2007, Max Laier wrote:
> > http://people.freebsd.org/~mlaier/PF41/
> >
> > enjoy.
minor update to fix a build issue. There is some initial pfsync loc
't be able to sync an old
and a new box. It should be possible to sync with an OpenBSD 4.1 box,
however.
Enjoy and report back!
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party
On Sunday 17 June 2007, Dalibor Gudzic wrote:
> On 6/15/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > Yes, FreeBSD RELENG_6's pf is based on OpenBSD 3.7.
>
> I don't want to bore everyone with this but I was wondering whether
> it's possible to know what ex
On Sunday 17 June 2007, Eygene Ryabinkin wrote:
> Max, good day.
>
> Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> > $subject at: http://people.freebsd.org/~mlaier/PF41/
>
> I glanced over the new code and found that no changes were
> introduced to the alt
how to test them when there's bits missing.
Feel free to write down your lessons learned and publish them ;)
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL P
On Saturday 16 June 2007, Max Laier wrote:
> $subject at: http://people.freebsd.org/~mlaier/PF41/
New drop (20070621) out.
Much better tested - thanks to qemu (which I finally got working w/ carp
[use the re nics and twiddle vlanhwtag after the carp interfaces are up].
Now I only need a
On Monday 25 June 2007, Abdullah Ibn Hamad Al-Marri wrote:
> On 6/21/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > On Saturday 16 June 2007, Max Laier wrote:
> > > $subject at: http://people.freebsd.org/~mlaier/PF41/
> >
> > New drop (20070621) out.
> >
On Saturday 16 June 2007, Max Laier wrote:
> $subject at: http://people.freebsd.org/~mlaier/PF41/
yet another drop (20070625) available. This should fix all remaining
issues with user/group rules. One slight limitation is that rules
with "log(all, user)" will only log the user
On Monday 04 June 2007, Max Laier wrote:
> Hi again,
>
> On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > pf is running on the DNS client machine. The DNS server is on a
> > completely different network (I don't control this server). The
> > client can send
On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1 Host2 Host3
> >
> > netsend -> pf scr
[ Please don't top post, fixed ]
On Thursday 28 June 2007, Vadym Chepkov wrote:
> From: "Max Laier" <[EMAIL PROTECTED]>, Thursday, June 28, 2007 3:34 PM
> > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > On Thu, Jun 28, 2007 at 07:19:25PM
On Friday 29 June 2007, Pyun YongHyeon wrote:
> On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > [ Please don't top post, fixed ]
> >
> > On Thursday 28 June 2007, Vadym Chepkov wrote:
> > > From: "Max Laier" <[EMAIL PRO
On Friday 29 June 2007, Max Laier wrote:
> On Friday 29 June 2007, Pyun YongHyeon wrote:
> > On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > > > > The only thing common about your setup seems to be the bge(4)
> > > > > NIC. Can you try di
since pfctl -vvvsI -i tun0.
Addresses are written "(tun0)" not "tun0".
--
FreeBSD Status reports due: 07/07/07 :-)
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMA
to be able to add netgraph support
in the future. After that a full "buildworld buildkernel installkernel
installworld mergemaster"-run is advised.
Will send an all clear when done.
--
FreeBSD Status reports due: 07/07/07 :-)
/"\ Best regards, | [EMAIL
On Tuesday 03 July 2007, Thomas Quinot wrote:
> * Max Laier, 2007-07-03 :
> > in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
> > version of pf. The build might break for a short time, but I'll try
> > to keep it as short as possible.
>
> Th
On Tuesday 03 July 2007, Max Laier wrote:
> Users of pf should hold off a bit as I plan to commit a tiny ABI break
> after the update is finished in order to be able to add netgraph
> support in the future. After that a full "buildworld buildkernel
> installkernel installworld me
8859-6";
+ name="pf.41.tcpdump_local.diff"
The patch is good - there is no conspiracy ;)
--
FreeBSD Status reports due: 07/07/07 :-)
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2part
EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
Hi Brian,
On Tuesday 10 July 2007, Brian A. Seklecki wrote:
> On Tue, 2007-07-03 at 12:26 +0200, Max Laier wrote:
> > All,
> >
> > in the course of this afternoon (CEST) I'll import the OpenBSD 4.1
> > version
>
> We'll also have to see if Joel Knigh
On Tuesday 10 July 2007, Henrik Brix Andersen wrote:
> Hi,
>
> On Sat, Jun 16, 2007 at 03:47:24AM +0200, Max Laier wrote:
> > To make testing easier I'm working on RELENG_6 patches as well, but
> > it will be a bit to get through the fix/build/repeat-cycles.
>
> I
er, however, you might need something different. I'd
simply use a rule to "pin" the rapidshare netblock to a certain uplink.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2pa
tart to already.
Thanks a lot! If you are unable to provoke a deadlock, please let us know
as well. Include a few setup details (ruleset, SMP, special sysctl
settings ...) so we can look for patterns.
[1] http://sources.zabbadoz.net/freebsd/lor.html
--
/"\ Best regards,
only limit is (kernel)
memory. In order to not panic there is an upper limit on states, but
that can be adjusted with "set limit states". Read pf.conf(5)
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X htt
I am working on a patch to bring over carpdev functionality sponsored by
pil.sk. This will, however, take a bit longer than I initially thought it
would.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
unreachable.
See http://lists.freebsd.org/pipermail/freebsd-pf/2007-July/003563.html
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign
ported in FreeBSD-CURRENT with
> the big import of PF from OpenBSD 4.1.
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> him to deal with the issue by either porting the fix from OpenBSD, or
> by documenting that modulate/synproxy state is broken.
Good ca
. It
appears that this will inevitably interact with ALTQ. I don't know
anyone using ALTQ so I need users to raise their hands to eventually
test prospective changes.
Thanks.
-Kip
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
more
> queues than ALTQ would support. ipfw's "mask src-ip" and "mask dst-ip"
> work nicely for this.
>
> Best of luck in finding a functional solution.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
On Wednesday 22 August 2007, Alexandre Biancalana wrote:
> Someone have news about ifconfig carpdev option implementation on
> FreeBSD ?
I'm preoccupied with academia at the moment. I will do it after September
10th.
--
/"\ Best regards, | [EMAIL PRO
The following reply was made to PR kern/115725; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/115725: pf nat -> ($if) works only intermittently
Date: Wed, 22 Aug 2007 23:44:39 +0200
> nat pass on
now what exactly fails and if it is ip_output, why.
> # netstat -i -Iem2
> NameMtu Network Address Ipkts IerrsOpkts
> Oerrs Coll em21500 00:04:23:a6:b7:be 40932871327
> 1359271127 0 0
> em21500 192.168.100.2 l4dupfw
On Tuesday 28 August 2007, Bill Marquette wrote:
> On 8/22/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > There are two reasons why we increase the send error counter. Either
> > the internal deferred work queue is full or ip_output fails. Could
> > you locate "p
d queue",
MTX_DEF);
if_attach(ifp);
But there might be other reasons like timing wrt the locks. I'll have to
check for details. It might also be a good idea to MFC the taskqueue
approach from CURRENT, rather than using the callout ... that's a bit of
work however.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
Respect maximum length */
if (fragoff + ip_len > IP_MAXPACKET) {
DPFPRINTF(("max packet %d\n", fragoff + ip_len));
goto bad;
}
so
scrub in on $ext_if
should keep you safe.
--
/"\ Best regards,
ns.
If this box can take a downtime once in a while (i.e. not 100% mission
critical) and you are interested in helping, then consider running the
latest CURRENT. It is in good shape and has the newest pf (4.1). Just
grab a snapshot or compile from source.
--
/"\ Best regards,
ich isn't
easily solvable.
Another way to go is setting the queuelength for the internal processing
queue to something insanely high (1000+). This will most likely work
around the problem at the cost of burning (mbuf) memory.
[1] http://people.freebsd.org/~mlaier/PF41/
--
/"\ Bes
On Thursday 06 September 2007, Bill Marquette wrote:
> On 9/5/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > Another way to go is setting the queuelength for the internal
> > processing queue to something insanely high (1000+). This will most
> > likely work around
trying to get through
tcpdump.org. The pflog header changed (once again) and changes are
required. Sorry for the mess.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL P
nd do
the resolution in the kernel.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
onnection will not have a state entry and be blocked.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail
ot something I'd recommend to use or even test. I'll
do cleanup, testing and polishing over the coming days and let you know
when it's in testable shape.
This work is generously sponsored by pil.dk.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laie
umps you sent in the other mail are pretty useless. What is required
is a dump from the internal interface and/or from the destination router
itself.
Are you sure you got the routing right on all boxes? Do you have
net.inet.ip.forwarding enabled? Where are you trying from?
--
/"
eans you can't write a single rule that says "traffic
from $vlan10 must only go to $ext_if". In order to do this, you should
take a look at tagging.
> The $ext_if:network doesn't works for me.
--
/"\ Best regards, | [EMAIL PROT
On Friday 12 October 2007, Alexandre Biancalana wrote:
> On 9/19/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > So here you go ... this is the ***ALPHA*** version of carpdev
> > support. Note that there are *a lot* of raw edges, untested areas and
> > missing features s
On Friday 12 October 2007, Gergely CZUCZY wrote:
> On Fri, Oct 12, 2007 at 06:55:02AM +0200, Max Laier wrote:
> > On Friday 12 October 2007, Alexandre Biancalana wrote:
> > > On 9/19/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > > > So here you go ... this i
he socket in question. The pf.conf(5) man page explains
in detail. Look for the "user"/"group" modifiers.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAI
"no state" which can be
> applied to NAT, RDR, etc. Is there any chance this feature will be
> supported in FreeBSD?
The "no state" modifier is supported in FreeBSD (7.0 and later) for pass
rules only. This is the same in OpenBSD. Translation rules always ha
erage 800 valid mail per day and so far in the last
> 24 hours, not one mail has come through using the existing spamd
> configuration.
Wild guess: Did you forget to mount fdescfs(5) by default? I know I've
been bitten by this before.
--
/"\ Best regards,
goes wrong). But if you have spare
time and lab machines, please test and report back! Details welcome ;)
IPv6 is still TBD.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/
ox to
> serve as "BACKUP". When I rebooted the OpenBSD box, everything failed
> over as it should, but I got more carp_iamatch errors on almost every
> vlan/carp pair. Could the OpenBSD <-> FreeBSD differences in carp be
> causing these errors??
Neither ar
rule is even hit? Check with "pfctl -vvvsr" and look at
the match/packets/bytes counters.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII
fter that. There are some things in there that break ABI
and will thus not be in any 7.x releases, but most of the performance
improvements can easily be MFCed later on.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X h
}
> 269
> ++
>
> Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seem to not crash your box.
> This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem
t;,
> m->lock_object.lo_name, 182 file, line));
> 183 WITNESS_CHECKORDER(&m->lock_object, opts | LOP_NEWORDER |
> LOP_EXCLUSIVE,
> 184 file, line);
> (kgdb)
>
>
> As the panic/page fault seems to be connected to the altq/
On Tuesday 27 November 2007, Florian Smeets wrote:
> Max Laier wrote:
> > On Tuesday 27 November 2007, Florian Smeets wrote:
> >> Hi
> >>
> >> I was able to reproduce a hang on a 7-STABLE (csuped just after
> >> Scott's critical section MFC) firewall wh
On Tuesday 04 December 2007, Alexandre Biancalana wrote:
> On Oct 27, 2007 7:11 PM, Max Laier <[EMAIL PROTECTED]> wrote:
> > ... the neverending story continues :-\
> >
> > I am making progress ... really, really slowly as I'm not at the top
> > of my healt
days ... unless somebody beats me to it.
Please report in case of failure *and* success! Thanks.
This work is sponsored by pil.dk
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/
of the turds which end up floating in everyone's midst as a
> result, if you'll pardon the analogy.
/* no comment */
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ |
data for us to figure out what your
setup looks like. Regular tcp state mismatch usually hints that pf isn't
seeing all packets of the conversation. This can be caused by triangular
routing, load balancing or if_bridge (which is difficult to get right in
some scenarios).
You should figure out the exact path your tcp packets are taking (back and
forth) and make sure pf sees all of them. Enabling additional pf logging
(pfctl -xm) helps to figure out what kind of mismatch is happening.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
(-vvgsr) and ifconfig should be supplied.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
ny to $host_ip port 26 -> $jail_ip port
> 22
>
> pass in quick all
> pass out quick all
On Wednesday 09 January 2008, Alexandre Biancalana wrote:
> On 12/9/07, Max Laier <[EMAIL PROTECTED]> wrote:
> > Please report in case of failure *and* success! Thanks.
>
> Hi Max !
>
> Yesterday put one firewall running pf with this patch and everything
> worked
The following reply was made to PR kern/120057; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/120057: [patch] Allow proper settings of ALTQ_HFSC. The check
i wrong since even with the values forbidden fro
LOR, but Giant will protect from the dead-
lock.
A better fix is in RELENG_7 ... backporting won't make much sense.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
> Chris
>
>
>
>
>
>
>
; and God chose the weak things of this world to confound the
> strong;
>
> - Original message
> From: Max Laier <[EMAIL PROTECTED]>
> To: freebsd-pf@freebsd.org
> Cc: Lorenz Helleis <[EMAIL PROTECTED]>; Chris Marlatt
> <[EMAIL PROTECTED]>
>
The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 20:26:39 +0100
>
e backup routine. More details at:
>
> http://bacula.org/en/rel-manual/Dealing_with_Firewalls.html#SECTION0047
>22000
>
> The section suggests using port forwarding to redirect packets to port
> 9103 but I have been unsuccessful. Please note that there is no
>
ll of them (where usually the uplink is the limiting
factor) - then FreeBSD and pf can certainly provide what you need.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PR
The following reply was made to PR kern/117827; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/117827: [pf] [panic] kernel panic with pf and ng
Date: Sat, 29 Mar 2008 01:56:36 +0100
Here are MFC patch
The following reply was made to PR kern/106400; it has been noted by GNATS.
From: Max Laier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc:
Subject: Re: kern/106400: [pf] fatal trap 12 at restart of PF with ALTQ if ng0
device has detached
Date: Sat, 29 Mar 2008 01:56:46
as well.
I'll have a go at it, stay tuned.
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign
On Tuesday 01 April 2008 14:24:25 Max Laier wrote:
> On Tuesday 01 April 2008 01:27:23 Thomas Rasmussen wrote:
> > Any plans to update pftop in ports to 0.7 ?
> >
> > http://www.eee.metu.edu.tr/~canacar/pftop/ says:
> > Changes in version 0.7:
> > This version adds
regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News