pf and SMP and busy wires

2008-03-26 Thread Nejc Škoberne
Hello, I like pf very much and I was planning to use it as a "central" firewall at one of the customers like this: subnet_3 | | subnet_1 -- PF_firewall --- subnet_2 |

pf randomly blocks specific packets?

2008-07-29 Thread Nejc Škoberne
Hello, I have a FreeBSD 7.0 system with jails (and services in them). In one of the jails there is an Apache server, which also runs on the host system (and forwards traffic using mod_proxy to the jailed Apache). Everything works as expected, I only have problems with pf which seems to block

Re: pf randomly blocks specific packets?

2008-07-29 Thread Nejc Škoberne
Hey, Does removing "reassemble tcp" from your scrub rules fix anything? Will try and let you know if it helps. Thanks, Nejc

Re: pf randomly blocks specific packets?

2008-07-29 Thread Nejc Škoberne
Hey, Does removing "reassemble tcp" from your scrub rules fix anything? Will try and let you know if it helps. Looks like this doesn't help. I still get those blocks logged in pflog. By the way, if I comment out "block log all" from pf.conf, the pf doesn't block those packets any more. But I

Re: pf randomly blocks specific packets?

2008-07-29 Thread Nejc Škoberne
Hello, Note: You can remove "keep state". This is implicit for newer versions of pf. Note: These keep state, see above. You might want to add "no state" here, to decrease state table usage. But if it is "no state" it means it eats more CPU? Or not? From the frequency of the logs, it looks li

pf and jails

2008-08-07 Thread Nejc Škoberne
Hello, I have a server with multiple jails of different types (service jails, user jails, ...). In my rc.conf I have (the relevant parts): # Host ifconfig_bge0="a.b.c.242 netmask 255.255.255.240" # Host ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255" # Common defaultrouter="a.b.c.241"

Proxying broadcasts?

2008-08-25 Thread Nejc Škoberne
Hello, I have a central FreeBSD 7.0 router running pf with SERVERS and USERS1 and USERS2 networks attached to it. I also have some Sybase SQL servers on SERVERS network, which use broadcasts to announce themselves to the network. Before, when there were no separate segments, everything worked

Source port translation only

2012-06-18 Thread Nejc Škoberne
Hi, I want to do (stateful) source port translation (restriction actually) on my outgoing packets, but no source address translation. And I want to do it for IPv6. So if there is a TCP packet like this: SRC ADDR: 2001:db8::10 DST ADDR: 2001:c0de: SRC PORT: 53523 DST PORT: 80 I want to trans

Re: Source port translation only

2012-06-19 Thread Nejc Škoberne
Hi, Push net.inet.ip.portrange.reservedhigh 1023 -> 2048 ? - and - Adjust net.inet.ip.portrange.last net.inet.ip.portrange.first lower ? this is only relevant for hosts, which are sourcing the packets, not for the gateway devices. I want to have a NAT device/gateway which would port-restri