nt database by default
from /etc/pf.os. Either the man page or pfctl's behavior is wrong. Can
please somebody check if time permits?
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
On 05/08/07 10:30, Volker wrote:
> Hi!
> I think I've trapped into a bug with pf's fingerprinting.
> While checking a modified ruleset with `pfctl -vvv -gnf ...' pfctl
> told me it doesn't know anything about an OS fingerprint called
> "W
end. Have a look at pfctl(8), especially
the parameters '-t' and '-T'. Doing a `pfctl -t mychinesewall -T
replace -f /tmp/dolistalltheworld.txt' would be enough.
freebsd-pf@freebsd.org mailing list
aphics etc.) may lead into may single tcp connections. This
means, don't set the limits too short before blocking an IP address.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
o if some one can give a starting place to look, where I
> can do some hacking, that would also be fine.
I've never done that but what about giving the next hop with better
bandwidth twice?
freebsd-pf@freebsd.org mailing list
've finished
hacking pf rules for a snom 300 SIP phone, redirect connections from
the public outside to it and it's working fine for some weeks now.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
rude, I know but it works).
Keep in mind, if you're under a DDoS attack, your bandwidth may still
be eaten up, but the effects on your machine will be limited when
using S/SA + synproxy state + bandwidth limiting.
If I get you wrong, please explain your problem a bit more detailed.
on SYN.
Last guess: I think you've set $pc to any just for testing. If you're
using NAT and setting this to anything different (any of your local IP
addresses), this rule will never match as the packet is being
processed _after_ NAT processing.
PS: Does anybody know what
P should
be served fair and a limited cbq queue for them on the external
interface and reach good results with that. If b/w is limited as other
traffic passes, these stations get their traffic through limited.
freebsd-pf@freebsd.org mai
ot;proxy" flags
"S/SA" keep state
in my ruleset (just made it that way last week). I still haven't
checked active ftp out but I think this will also work for active ftp
connections. You just need to also pass traffic in on $int_if for port
On 05/18/07 12:05, Umar wrote:
> Dear Volker
> Thanks for your reply!
> I have 1mb up and 1mb down DSL and i have total 20 client at this time.
>>> if you want to limit per IP address, you need to create one queue for
>>> every IP address in your
On 05/18/07 13:42, Umar wrote:
> Dear Volker
> Thanks again for your reply!
You're welcome!
> this is my pf.conf file
> int_if = "xl0"
> ext_if = "fxp0" (DSL)
> ltq on $ext_if hfsc bandwidth 1Mb queue { q
On 05/18/07 14:02, Umar wrote:
> Dear Volker!
> Thanks Again.!
>>> To me, this seems to be correct. Do you have a hard line break there?
> I re-typed
> queue qclient1 bandwidth 10Kb hfsc (rio)
> now its fine but S/SA
On 05/18/07 14:35, Umar wrote:
> Dear Volker!
> Sorry for disturbing you again!!
> pfctl: should have one default queue on fxp0
> pfctl: errors in altq config
> please help me to create default queue what will be the syntax thanks
that's why I was wr
On 05/18/07 22:17, Umar wrote:
> Dear Volker!
> Thanks its working fine.
> (pass in quick log on $int_if proto tcp from to any flags
> S/SA keep state queue client1)
> what will be the syntax if comes through ppp means I have
> c
ic, too or
otherwise no data communication will be established. Also it is most
likely that you will have to use an FTP proxy.
I suspect your whole problem is really not synproxy related.
> (Sorry for the previouly base64 encode mail caused by M
> that :)
cite from pf.conf(5):
ecn Enables ECN (Explicit Congestion Notification) on
this queue. ECN implies RED.
freebsd-pf@freebsd.org mailing list
has been created,
pf will happily load your ruleset.
The solution is to either have pf rules loaded late (later than ppp is
started) or use anchors and load ext rules into the anchor when the
ppp interface is up. The easier is to have the rules loading late
(check using rcorder) but this may also
Hi snow,
On 06/05/07 00:37, snowcrash+freebsd wrote:
> On 6/4/07, Volker <[EMAIL PROTECTED]> wrote:
>> without seeing your pf.conf ruleset,
> happy to send/post if required/helpful ...
I don't think it's required for now.
>> I guess you're using a p
On 06/05/07 22:29, David DeSimone wrote:
> Volker <[EMAIL PROTECTED]> wrote:
>> without seeing your pf.conf ruleset, I guess you're using a ppp
>> connection to your upstream provider and firewalling on the tunX
>> interface (using tun0 as $ext_if).
On 06/06/07 01:44, David DeSimone wrote:
> Volker <[EMAIL PROTECTED]> wrote:
>> pass in on bla0 from any to bla0
>> which will all require pf to get the interface's IP address and all
>> will fail if that interface does not yet exist...
> Ah,
me up to date (I'm not on current@) and I'll beta
test for you and give you any needed feed back.
>From my view, the response issue can somewhat been seen as the core
team sitting on an island and the user base is far, far away of them.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
to get that box into an LOR, I'm unable to do so easy. As I need
to verify an unpatched against a patched system, I need to find a
_reliable_ way to get the box LORing.
I've added two pf rules which should (AFAIK) get this into an LOR:
pass out log quick on $if_lan all user volker keep s
Are you by any chance being able to get a photopicture (with fast
shutter time) of the debug messages? Do you have anything in
/var/log/debug.log /var/log/messages which might be useful?
I think we first need an idea of what messages are popping up.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
You should get a debugger into your kernel (like Max suggested) and
probably also use `pfctl -x loud' or `pfctl -x misc' to get more
messages out of pf. If these messages are popping up again, break the
system into the debugger and l
state flags S/SA
> pass out on $ext_if proto {udp, icmp} all keep state
> pf.conf -- end ---
> Any idea what's wrong here?
if we're out of ideas, there would be something wrong... ;)
My first try is to replace your 'pass out on $ext_if ... modulate
state ..
On 06/16/07 15:26, Roger Miranda wrote:
> On Thursday 14 June 2007 10:19, Volker wrote:
>> [re-added cc:pf to have a wider audience, please keep this]
>> On 06/14/07 16:21, Roger Miranda wrote:
>>>> I remember a discussion about your machine in stable@ some time
On 06/16/07 21:29, Adam McDougall wrote:
> On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
> If that doesn't help, I recommend rewriting your rules a bit and use
> 'set state-policy if-bound' (which I'm using most as I find it better
> to adminis
up, I'll be the first one to contradict (no Max, this is not
against you).
Probably I should give the same level of support to others as it's
been given to me (sad to say, which will then be zero).
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
On 06/18/07 20:48, Dalibor Gudzic wrote:
> On 6/17/07, Max Laier <[EMAIL PROTECTED]> wrote:
>> Yeah, I have been slacking in that department. I think we should take it
>> to the wiki instead. Volunteers welcome!
> OK, what exactly is needed? Someone to keep the things up to date o
me -a`:
FreeBSD cesar.sz.vwsoft.com 7.0-STABLE FreeBSD 7.0-STABLE #38: Sun Aug
17 15:12:10 CEST 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/CESAR i386
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
oking into my crystal ball... ;)
You seem to have a rule like:
pass ... on tun0 from any to tun0 ...
If you change that into:
pass ... on tun0 from any to (tun0) ...
pf will happily parse your rules and activate your firewall even while
tun0 does not already have an IP address. You may al
On 10/04/08 01:22, Bruce Cran wrote:
> On Sat, 04 Oct 2008 00:40:45 +0200
> Volker <[EMAIL PROTECTED]> wrote:
>> You seem to have a rule like:
>> pass ... on tun0 from any to tun0 ...
>> If you change that into:
>> pass ... on tun0 f
e the problem to have more than one MS-PPTP VPN client
connecting to the same destination VPN server being NATed blues. If
there would be a better solution than frickin?
Thanks for any hints!
freebsd-pf@freebsd.org mailing list
from there (like it's possible with ppp).
On 2005-11-28 14:29, Josh Finlay wrote:
> Here's the full scenario,
> I'm running q3server (/usr/ports/games/q3server), bound to an external ip on
> iface ng0.. but LAN clients can't connect to it
after 4 days system
uptime and being always online by ppp.
How do I check (debug) if this is a base system (networking) problem
of 6.1-BETA or if it's a pf bug?
freebsd-pf@freebsd.org mailing list
it high soon.
> I did recover the box by flushing all pf stuff, but it didn't stay
> working for very long.
Travis, Daniel,
thank you for your response. I'll check for both situations as soon
as this problem occurs the next time (which will take plac
nconfigured interfaces (or at least do not let them being included
when it comes to 'self' rules). IMHO 'self' should never validate to
an IP address like
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
so forwarded to the other machines.
What about a 'dup-to' route option? see `man pf.conf'
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
5 minutes
or you may just use `echo "pfctl -d" | at + 5 minutes' which would
just disable pf and your box will be accessible if something has
gone wrong within 5 minutes.
If you're happy with your new rules, you may `atrm' the job.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
ut even a good choice if you
can use one).
I guess (and even after re-reading the original post) the original
poster doesn't have a com terminal session. Doing things like that
in a ssh session is a bad idea. Just wanted to note this without
going into a fundamental discussion. ;)
#x27;t get panics ATM.
Running RELENG_6, almost recently csup'ed.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
all queue nonexistent
pass quick on ng0 all queue q_low
queue root_ng0 bandwidth 64Kb priority 0 cbq( wrr root ) {q_low}
queue q_low bandwidth 64Kb cbq( rio borrow default )
Huh? Queueing to a nonexistent queue?
en able to do so. I really tried hard to panic
it. I guess it has been a temporary side effect which disappeared
'magically' by any other recent source changes.
I'll try again to panic the machine later today with my original
ruleset. So if I don't post another mess
> /Jon
you may use a command like:
`pfctl -t commit -Ts > /path/to/tablefile'
to write the contents of the table out to disk.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
eue (int_in)
>>> I have done some test with iperf with no luck.
>>> Is there something wrong with this rule set to acompilished my need ?
>>> Please help
>>> Regards
>>> Reza
you're really using just one queue:
> block on xl1
> pass in on xl1 from any to $lan
> pass out on xl1 from $lan to any
> pass out log on xl1 from to keep state
flags S/SA queue (int_out)
As $lan is 172.16/24 rule number 3 (which goes to queue dflt_out)
catches all the packets you're wanting for queue int_out.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
On 2006-11-09 13:40, Volker wrote:
> As $lan is 172.16/24 rule number 3 (which goes to queue dflt_out)
> catches all the packets you're wanting for queue int_out.
Sorry, I've been wrong as there's no 'quick' keyword being used so I
The following reply was made to PR kern/106400; it has been noted by GNATS.
From: Volker <[EMAIL PROTECTED]>
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0
device has detached
Date: Wed, 06 Dec 2006 14:16:42 +0100
On 12/06/06 14:37, Max Laier wrote:
> On Wednesday 06 December 2006 14:20, Volker wrote:
>> The following reply was made to PR kern/106400; it has been noted by
>> From: Volker <[EMAIL PROTECTED]>
The following reply was made to PR kern/106400; it has been noted by GNATS.
From: Volker <[EMAIL PROTECTED]>
To: "Boris S." <[EMAIL PROTECTED]>
Subject: Re: kern/106400: fatal trap 12 at restart of PF with ALTQ if ng0
device has
I'm wondering about the following: Are there any technical reasons
for not having ALTQ support for most (all?) usb NICs?
Or did just too less people ask for it?
freebsd-pf@freebsd.org mailing list
sk why, it's probably historic from the 5.2 days).
Never done any benchmarking but on the other side I never
experienced any performance problems.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
On 01/28/07 01:53, Max Laier wrote:
> On Saturday 27 January 2007 15:54, Volker wrote:
>> I'm wondering about the following: Are there any technical reasons
>> for not having ALTQ support for most (all?) usb NICs?
>> Or did just too less people ask for i
t permitted" messages a bit strange.
Next, I'll test w/ ALTQ enabled for that interface but it will take
half an hour (will drop another note to the ML).
FreeBSD bellona.sz.vwsoft.com 6.2-STABLE FreeBSD 6.2-STABLE #6: Tue
Jan 30 23:28:14 CET 2007
[EMAIL PROTECTED]:/usr/obj/usr/src
between both kernel
Beside the throughput question, the patch seems to be ok - please
commit! ;)
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
spam originating from
your internal net.
And for the malware issues, I would like to recommend not to install
and use malware! ;)
freebsd-pf@freebsd.org mailing list
To unsubscrib
r snippet of
rules is useless for supporting you) I'm wondering if your Vista
machine does IPv6 and does not try v4? I don't know Vista at all but
I guess v6 support is built in.
freebsd-pf@freebsd.org mailing list
On 12/23/-58 20:59, [EMAIL PROTECTED] wrote:
> Quoting Volker <[EMAIL PROTECTED]>:
>> On 12/23/-58 20:59, ;048<8@ 0?CAB8=rote:
>>> 2. If i have some malware on my PC and use mail-client program. If I
>>> send the same message some times I autom
On 02/11/07 15:54, [EMAIL PROTECTED] wrote:
> Quoting Volker <[EMAIL PROTECTED]>:
> I just set up a machine using your suggestions, correctly I hope ;)
> I have set it up as:
> block drop in quick on $ext_if from to any
> pass in quick on $ext_if proto
the packet flow using tcpdump
(either on pflog0 or your real network NIC).
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
evvi ...' (the
-vv parameters gives more output but might annoy you for SMB /
netbios traffic).
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
currently a bit of a hack and currently probably only useful for
packet / connection logging but not for real firewalling. You might
check out if you're able to block anything on enc0 (my memories
might be wrong) and play with it a bit.
I suspect packets do not really pass device e
(and lo0) with the IP address of your external interface
might give you strange results.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
my memories
>> might be wrong) and play with it a bit.
> This should work as you say and if its not then thats a bug. Can you log
> the packets with pflog to check they are being blocked.
Will try to do so but first I have to solve an
On 03/24/07 19:59, Andrew Thompson wrote:
> On Sat, Mar 24, 2007 at 02:19:46PM +0100, Volker wrote:
>> Andre,
>> On 12/23/-58 20:59, Andre Albsmeier wrote:
>>> [Retrying on -pf...]
>>> (This is FreeBSD 6.2-STABLE as of yesterday using pf an
nal IP address of the remote tunnel endpoint is in there.
Will correct that and do another test.
freebsd-pf@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
t setup shows it is not just possible to block
traffic on device enc0 using pf, but to see all traffic in the pf
logs (if being configured to do so).
Probably you're willing to show us your pf rules to have a look at it?
Have pfun! ;)
On 03/26/07 08:47, Andre Albsmeier wrote:
> On Mon, 26-Mar-2007 at 02:58:20 +0200, Volker wrote:
>> Andrew, Andre & all,
>> I've checked it out once more (with a corrected setup) and now have
>> been able to block traffic on enc0 in both directions (no matte
nothing but just wide open (tm) and effectively useless.
Anyway, I really don't understand your problem. Do you really want
to have a firewall which does nothing but logging like crazy? BTW,
the log-all option does not make sense when not being used in
conjunction with statefu
ewall), all you need to do is using a GENERIC kernel
and kldload pf.ko, write your ruleset, load it (by `pfctl -f ...'
and you're done.
As you want to use your box as a router for your home LAN, you may
also want to set gateway_enable="YES" in /etc/rc.conf which will set
sysctl net
Is there a way to direct debugging to pflog? I want to get an idea of
the timing and see if this happens at the time where I expect a
specific connection to fail.
This gateway I'm trying to debug is serving a lot of users and I need
to find the tree
I suspect there's a mistake in your script. Have you tried using
`tcpdump | logger' manually?
Have you tried using `set -x' in your shell script and checked if you
see any errors? Have you removed the last `rm $FILE' and checked if
$FILE is created well? Have y
hing else.
You need to create one queue (for example) for your http server and
assign all traffic to your http server into that queue. Having a queue
with a guaranteed bandwidth for every connection (client) would
require the creation of "dynamic queues" on the fly. I'm not aware of
AFAIK the way for you to go is to use rdr options. Also take a look at
the round-robin options pf.conf(5). Other folks here on the list have
the comfort of having two upstream connections and already tried
things like that. Perhaps anybody else with some experience can
Are you using IPSEC or FAST_IPSEC? Are you using GIF tunnels? Are
you using ENC? Could you please give us your routing table (partially)?
Description: S/MIME Cryptographic Signature
75 matches
Mail list logo