On 2025-04-18, TSS wrote:
> But also, I don't really want to modify the binary or have my own version
> of xl2tpd that I compile from source. I know I was concerned about speed
> earlier, but I can accept a little bit of pf delay for the convenience of
> running stock code that someone else mainta
On 20.04.2025 10:54, Stuart Henderson wrote:
there is a lookup, but I'm not sure whether it ignores the nat-to rule
entirely, or just the port. I suspect it probably ignores the rule
entirely. (the complication with UDP is that there's no real state
in the protocol, so PF just works on timers).
On 2025-04-20, Philipp Buehler
wrote:
> On 19.04.2025 19:57, Stuart Henderson wrote:
>> However: I don't think it's all that likely to help, I'd expect your
>> upstream nat to have already changed the source port...
>
> `quick` comes to mind ofc - and also the fact about "already changed" if
> t
On 19.04.2025 19:57, Stuart Henderson wrote:
However: I don't think it's all that likely to help, I'd expect your
upstream nat to have already changed the source port...
`quick` comes to mind ofc - and also the fact about "already changed" if
the leet-rule comes first IF `from` is used, mind:
On 2025-04-18, TSS wrote:
> Hi again. I hope it's not unwelcome to ask a pf question here; I hope
> this one isn't too elementary.
>
> I have a daemon that sends and receives UDP packets on port 1337. For
> reasons, I would like to use pf on my computer (i.e. the one that's
> running the daemon) t
On 18.04.2025 18:13, TSS wrote:
Search engines have not helped me out with this one, but my search skills
were dubious even before the AI era.
how about:
pass out quick on vio0 proto udp from any port 1337 nat-to (vio0) port 13337
pass in quick on vio0 proto udp from any to self port 31337
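A fuller version of the two rules Stuart sketches, as an added example that is not from the thread. It assumes vio0 is the host's only egress interface, that the daemon binds UDP port 1337 on this host, and it uses 31337 as the wire port in both directions (the asker's diagram shows 31337; the two rules above name 13337 and 31337). The inbound rule here adds an rdr-to so that packets arriving at 31337 without a matching state still land on the daemon's port; the rule above passes them to 31337 unchanged.

```pf
# Added example, not from the thread. Rewrite the source port of the local
# daemon's outgoing UDP (1337) to 31337 on the wire, and accept replies.
# Assumptions: vio0 is the egress interface, the daemon binds UDP/1337 on
# this host, 31337 is the wire port both ways (as in the asker's diagram).
ext_if    = "vio0"
svc_port  = "1337"
wire_port = "31337"

set skip on lo

# Default deny; OpenBSD pf keeps state on pass rules by default.
block all

# Outbound: packets the daemon sends from :1337 leave with source port
# 31337. 'quick' stops rule evaluation here so a later, broader 'pass out'
# cannot win instead and skip the translation. The state this creates also
# un-translates replies (31337 -> 1337) on the way back in, so replies to
# the daemon's own traffic need no further rule.
pass out quick on $ext_if proto udp from ($ext_if) port $svc_port \
    nat-to ($ext_if) port $wire_port

# Inbound packets to 31337 that match no existing state: hand them to the
# daemon on 1337. Without this only replies matching the state above would
# reach it.
pass in quick on $ext_if proto udp from any to ($ext_if) port $wire_port \
    rdr-to ($ext_if) port $svc_port

# Everything else this host sends out.
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the translation with `pfctl -s states` while the daemon is talking. Two caveats raised in the thread still apply: UDP has no connection state in the protocol, so pf keeps these entries alive purely on its UDP timeouts, and any NAT upstream of this host is free to rewrite the source port again, so 31337 is only guaranteed on this host's own wire.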
On Fri, Apr 18, 2025 at 02:10:44PM -0700, obs...@loopw.com wrote:
> fwiw, even if it's only ports being translated it's still called NAT (PAT
> is a subset of NAT) - internally it's all going through the same NAT
> functions.
I guess this makes me feel better about it being harder to Google.
> break
> .. |
>+---+ o * . ~ *|
>| my |--> UDP 1337 --> % . pf : . --|--> UDP 31337 --> clouds
>|special| + . magic + |and
>|daemon |<-- UDP 1337 <-- * _ , + <--|--- UDP 31337
On Fri, Apr 18, 2025 at 03:17:24PM -0400, Mike wrote:
> Is your ISP blocking traffic or are you just doing this to see if you can?
> I just can't think of a use case for what you're trying to do and wondering
> if there could be a different way to achieve what you're trying to do.
There is another
To add to my last email, you can do it in iptables but there doesn't seem to be a
way to do it in pf. For whatever reason I feel invested in this thread and
might boot up an openbsd VM to try myself
On Fri, Apr 18, 2025, 3:17 PM Mike wrote:
> I don't think you can do that.
>
> Is your ISP blocking tra
I don't think you can do that.
Is your ISP blocking traffic or are you just doing this to see if you can?
I just can't think of a use case for what you're trying to do and wondering
if there could be a different way to achieve what you're trying to do.
On Fri, Apr 18, 2025, 12:16 PM TSS wrote:
I am now able to make it work, though it was through trial and error, so I'll
appreciate any help in understanding why my solution works!
If my configuration is like this, it all works fine:
block all
pass out inet all keep state
# Config to allow virtual Machine VMM to access the internet
DNS
04-psyche.tot...@icloud.com writes:
> Hi all,
>
> I have setup a virtual machine on my openbsd box, following the guide
> https://www.openbsd.org/faq/faq16.html#VMMnet
>
> I have trouble configuring pf to give the the VM access to the internet.
>
> If my /etc/pf.conf contains the following lines,
On 2024-12-29 10:14, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
On 2024-12-24 08:27, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic
between it
and the ISP. Clients on 10.0.3.x should not be able to access the
othe
On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
On 2024-12-24 08:27, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict
traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Some notes:
- You wrote t
On 2024-12-24 08:27, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic
between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other s
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from y
On 12/23/24 19:31, Jon Fineman wrote:
third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other sub nets.
Take a look at the rules from your pf.conf:
> block out quick from $wired3 to { $wired1 $wire
On 24/11/11 10:13AM, Peter N. M. Hansteen wrote:
> or with G's trackers
That's where ungoogled-chromium (thankfully available as an official
package in OpenBSD) with uMatrix[1] addon come in handy.
[1]: https://github.com/gorhill/uMatrix
On Mon, Nov 11, 2024 at 08:37:13AM +, Richard Bostrom wrote:
> I would like to build a music server using samba, minidlna, navidrome, maybe
> jellyfin.
> I need to know the simple firewall rules to open up the firewall for inbound
> traffic for samba, jellyfin etc.
>
> I am used to ufw. I do
>
>
>
> 1 - PF with the 'no state' rule should let the traffic flow,
> it means that PF has a bug, or
> 2 - PF behaves as expected and traffic must not flow, or
> 3 - the 'no state' rule is the wrong rule to let the traffic flow.
> If so, I ignore what rule should be used in /etc/pf.conf.
>
Hi,
thank you very much for your help, it was a NAS sending 4000pps of "arp who-has"
to all of its clients.
Marc
> On 13 Sep 2024, at 12:16, Peter N. M. Hansteen wrote:
>
> Hi,
>
> As Tom mentioned, one of the least resource consuming ways to identify sources
> and volumes of the traffic seen
Hi,
As Tom mentioned, one of the least resource consuming ways to identify sources
and volumes of the traffic seen on or in and out of your network is to set up
for pflow aka netflow sensors and collectors.
Based on the data you collect you can then analyse and make decisions
that hopefully refl
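What Peter's suggestion looks like in a ruleset, as an added example that is not from the thread. It assumes a pflow(4) interface already exists on the firewall (see the note after the block), and em0/em1 and 192.0.2.0/24 are placeholders.

```pf
# Added example, not from the thread. Export pf state records as
# NetFlow/IPFIX via pflow(4) so a collector can answer "who is talking to
# whom, and how much" over time. Assumes pflow0 is configured (see the
# hostname.pflow0 note below); interfaces and addresses are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"

# Option A: export every state the firewall creates. Simplest, but on a
# busy box the exporter adds work for every state. Uncomment to use it.
# set state-defaults pflow

block log all

# Option B: export only the flows you want to account for, here everything
# the LAN sends to the outside. 'pflow' is a state option, so it belongs in
# the keep state (...) list of the rule that creates the state.
pass in on $int_if from $lan_net to ! $lan_net keep state (pflow)
pass out on $ext_if

# Management traffic to the firewall itself is passed without flow export.
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22
```

The exporter itself lives in /etc/hostname.pflow0, one line such as `flowsrc 192.0.2.1 flowdst 192.0.2.2:9995 pflowproto 10` (the firewall's own address, the collector's address and port, and IPFIX as the export format), brought up with `sh /etc/netstart pflow0`; `ifconfig pflow0` shows what was configured. With option B the per-rule marker keeps the export cost off states you do not care about, which matters on a firewall that is already under load.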
Hi Marc,
are you saying you are experiencing congestion and you want to identify
the source of the congestion?
iftop and pftop can give information on the top talkers on your network,
if you want to do more comprehensive and historical analysis check out
Peter Hansteen (of Book of PF fame)
h
Hello whistlez,
whistlez...@riseup.net (whistlez), 2024.06.20 (Thu) 02:49 (CEST):
> I have sslsplit listening on 127.0.0.1 port 10443 and I want redirect
> all my outgoing desktop web traffic to sslsplit, then localhost port
> 10443. SSLSPLIT is just a kind of transparent proxy but cannot be use
On 13/06/2024 14:51, Willy Manga wrote:
Hi,
On 12/06/2024 12:50, Kapetanakis Giannis wrote:
Hi,
[...]
2) I've found this tool yesterday (iprange) whose job is to
optimize large sets of IPs/Networks
https://github.com/firehol/iprange/wiki
I think that's why you have the 'tables' [1] str
Hi,
On 12/06/2024 12:50, Kapetanakis Giannis wrote:
Hi,
[...]
2) I've found this tool yesterday (iprange) whose job is to optimize large
sets of IPs/Networks
https://github.com/firehol/iprange/wiki
I think that's why you have the 'tables' [1] structure with pf
1. https://man.openbsd.org
On 19/05/2024 19:35, Kapetanakis Giannis wrote:
> On 19/05/2024 14:37, Stuart Henderson wrote:
>> On 2024-05-19, Kapetanakis Giannis wrote:
>>> This is a bit strange. pf works normal, but rules after an anchor are
>>> being attached to the anchor (somehow).
>>>
>>> All states that are created from
On 5/19/24 13:37, Stuart Henderson wrote:
I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.
Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc&m=168754952806369
On 19/05/2024 14:37, Stuart Henderson wrote:
On 2024-05-19, Kapetanakis Giannis wrote:
This is a bit strange. pf works normal, but rules after an anchor are
being attached to the anchor (somehow).
All states that are created from rules after the anchor, show the anchor
(pf rule) number instead
On 2024-05-19, Kapetanakis Giannis wrote:
> This is a bit strange. pf works normal, but rules after an anchor are
> being attached to the anchor (somehow).
>
> All states that are created from rules after the anchor, show the anchor
> (pf rule) number instead of (only) the rule number in pfctl -v
> I don't think there is at present. There are no "only use v4" or "only
> use v6" addresses modifiers, and pf isn't figuring out for itself that
> it only makes sense to use addresses from the relevant family for
> af-to translation addresses (although it _does_ do this for nat-to).
Good to know.
On 2024-03-15, Evan Sherwood wrote:
>
> Is there a way to configure this without hard-coding my IPv4 address?
> I do not think my IPv4 address from my ISP is static, thus my original
> interest in the ($wan:0) form.
I don't think there is at present. There are no "only use v4" or "only
use v6" ad
> Try changing ($wan:0) to $(wan) and see what happens.
Huh, that worked! Thanks!
Try changing ($wan:0) to $(wan) and see what happens.
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32
This worked! Specifically, I think the ($wan:0) was the problem. I
could've sworn I tried this
On 2024-03-15, Tobias Fiebig via misc wrote:
>
> Hi,
>> # perform nat64 (NOT WORKING)
>> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
>
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to
Hi,
> # perform nat64 (NOT WORKING)
> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
Can you try if the same happens with a more specific rule (for
testing)?
i.e.:
pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
af-to inet from "actual IP on igc0"/32
I am su
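Tobias's test rule carried through to a complete NAT64 fragment, as an added example that is not from the thread. Assumed: igc3 is the IPv6-only LAN, igc0 the IPv4 uplink, and 2001:db8:1::/64 and 192.0.2.10 are placeholder addresses. The IPv4 source is written out explicitly rather than as ($wan:0), which is the form Evan reported did not work; as Stuart notes above, pf does not limit af-to translation addresses to the relevant address family the way it does for nat-to.

```pf
# Added example, not from the thread: stateful NAT64 on an OpenBSD router.
# Placeholders to replace: igc3/igc0 (LAN / uplink), 2001:db8:1::/64 (LAN
# IPv6 prefix), 192.0.2.10 (the uplink's IPv4 address). The v4 address is
# given explicitly: the thread found ($wan:0) did not work for af-to, and
# af-to does not pick an address of the right family from an interface.
lan_if = "igc3"
wan_if = "igc0"
lan_v6 = "2001:db8:1::/64"
wan_v4 = "192.0.2.10"
nat64  = "64:ff9b::/96"

set skip on lo
block return log

# Translate only what comes from our own LAN prefix and is addressed to
# the well-known NAT64 prefix. 'inet6' keeps this rule from ever matching
# IPv4; the packet continues as IPv4 with source wan_v4.
pass in quick on $lan_if inet6 from $lan_v6 to $nat64 \
    af-to inet from $wan_v4

# Let the translated IPv4 traffic leave. Replies match the state created
# above and are translated back to IPv6 toward the client.
pass out quick on $wan_if inet from $wan_v4

# Ordinary LAN traffic that does not need translation.
pass in on $lan_if inet6 from $lan_v6 to ! $nat64
pass out on $wan_if
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -s states` from a LAN client talking to a 64:ff9b:: address should show the inet6 state paired with its inet counterpart on the uplink. If you must avoid hard-coding the uplink address, the thread's finding is that a more specific rule with an explicit /32 is what worked; there is no address-family modifier for interface names to lean on.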
> On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>>
>> "cbq can entirely be expressed in it" ok. so how do i set priorities for
>> queues in hfsc for my local(not for a router above that knows nothing about
>> my existence. tos is an absolutely unviable concept in the real world)
>> pf-rout
On 2023/12/01 15:57, 4 wrote:
> >But CBQ doesn't help anyway, you still have this same problem.
> the problem when both from below and from above can be told to you "go and
> fuck yourself" can't be solved, but cbq gives us two mechanisms we need-
> priorities and traffic restriction. nothing mor
> On 2023-12-01, 4 wrote:
>I don't know why you are going on about SMT here.
i'm talking about not sacrificing functionality for the sake of hypothetical
performance. the slides say that using queues degrades performance by 10%. and
you're saying there won't be anything in the queues until an o
On Fri, 1 Dec 2023 04:56:40 +0300
4 wrote:
> match proto icmp set prio(6 7) queue(6-fly 7-ack)
> how is this supposed to work at all? i.e. packets are placed both in
> prio's queues 6/7(in theory priorities and queues are the same
> thing), and in hsfc's queues 6-fly/7-ack at once?
I am not sure
On 2023-12-01, 4 wrote:
>> On 2023-11-30, 4 wrote:
>>> we can simply calculate such a basic thing as the flow rate by dividing the
>>> number of bytes in the past packets by the time. we can control the speed
>>> through delays in sending packets. this is one side of the question. as for
>>> t
> On 2023-11-30, 4 wrote:
>> we can simply calculate such a basic thing as the flow rate by dividing the
>> number of bytes in the past packets by the time. we can control the speed
>> through delays in sending packets. this is one side of the question. as for
>> the sequence, priorities work h
On 2023-11-30, 4 wrote:
> we can simply calculate such a basic thing as the flow rate by dividing the
> number of bytes in the past packets by the time. we can control the speed
> through delays in sending packets. this is one side of the question. as for
> the sequence, priorities work here. y
> On Wed, 29 Nov 2023 00:12:02 +0300
> 4 wrote:
>> i haven't used queues for a long time, but now there is a need.
>> previously, queues had not only a hierarchy, but also a priority. now
>> there is no priority, only the hierarchy exists.
> It took me quite some time to wrap my head around this
> On 11/29/23 6:47 PM, Stuart Henderson wrote:
>> On 2023-11-29, Daniel Ouellet wrote:
yes, all this can be done without hierarchy, only with priorities (because
hierarchy is priorities), but who and why decided that eight would be
enough? the one who created cbq- he created it f
On Wed, 29 Nov 2023 00:12:02 +0300
4 wrote:
> i haven't used queues for a long time, but now there is a need.
> previously, queues had not only a hierarchy, but also a priority. now
> there is no priority, only the hierarchy exists.
It took me quite some time to wrap my head around this, having
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote:
> "cbq can entirely be expressed in it" ok. so how do i set priorities
> for queues in hfsc
You stack HFSC with link-share service curves with linkshare criterion
1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0".
Or you do not configure queu
On 11/29/23 6:47 PM, Stuart Henderson wrote:
On 2023-11-29, Daniel Ouellet wrote:
yes, all this can be done without hierarchy, only with priorities (because hierarchy is
priorities), but who and why decided that eight would be enough? the one who created cbq- he
created it for practical t
> On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote:
>> so what happened to cbq? why such the powerful and useful thing was removed?
>> or Theo delete it precisely because it was too good for obsd? %D
> Actually, the new queueing system was done by Henning, planned as far back
> as (at least) 201
On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>
> "cbq can entirely be expressed in it" ok. so how do i set priorities for
> queues in hfsc for my local(not for a router above that knows nothing about
> my existence. tos is an absolutely unviable concept in the real world)
> pf-router? i d
> On 2023-11-29, 4 wrote:
>> here is a simple task, there are millions of such tasks. there is an
>> internet connection, and although it is declared as symmetrical 100mbit
>> it's 100 for download, but for upload it depends on the time of day, so
>> we can forget about the channel width and focus
On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote:
> so what happened to cbq? why such the powerful and useful thing was removed?
> or Theo delete it precisely because it was too good for obsd? %D
Actually, the new queueing system was done by Henning, planned as far back
as (at least) 2012 (https
so what happened to cbq? why such the powerful and useful thing was removed? or
Theo delete it precisely because it was too good for obsd? %D
On 2023-11-29, Daniel Ouellet wrote:
>> yes, all this can be done without hierarchy, only with priorities (because
>> hierarchy is priorities), but who and why decided that eight would be
>> enough? the one who created cbq- he created it for practical tasks. but this
>> "hateful eight" and thi
On 2023-11-29, 4 wrote:
> here is a simple task, there are millions of such tasks. there is an
> internet connection, and although it is declared as symmetrical 100mbit
> it's 100 for download, but for upload it depends on the time of day, so
> we can forget about the channel width and focus on th
yes, all this can be done without hierarchy, only with priorities (because hierarchy is
priorities), but who and why decided that eight would be enough? the one who created cbq- he
created it for practical tasks. but this "hateful eight" and this "flat-earth"-
i don't understand what use they
> On Wed, Nov 29, 2023 at 12:12:02AM +0300, 4 wrote:
>> i haven't used queues for a long time, but now there is a need. previously,
>> queues had not only a hierarchy, but also a priority. now there is no
>> priority, only the hierarchy exists. i was surprised, but i thought that
>> this is qu
On Wed, Nov 29, 2023 at 12:12:02AM +0300, 4 wrote:
> i haven't used queues for a long time, but now there is a need. previously,
> queues had not only a hierarchy, but also a priority. now there is no
> priority, only the hierarchy exists. i was surprised, but i thought that this
> is quite in t
On 2023-11-22, Ian Timothy wrote:
> Hello,
>
> I have two ISPs where one connection is primary and the other is
> low-bandwidth for temporary failover only. ifstated handles the failover by
> simply changing the default gateway. But under normal conditions I want to be
> able to connect via eit
Thnx, this seems toasting better..
On Sat, Nov 11, 2023 at 06:32:26PM +0100, Daniele B. wrote:
>
> "Peter N. M. Hansteen" wrote:
>
> > something like the good old
> > https://home.nuug.no/~peter/pf/newest/log2syslog.html should still
> > work, I think.
> >
> > - Peter
>
>
> To disable pflogd completely what do you consider best
"Peter N. M. Hansteen" wrote:
> something like the good old
> https://home.nuug.no/~peter/pf/newest/log2syslog.html should still
> work, I think.
>
> - Peter
To disable pflogd completely what do you consider best:
ifconfig pflog0 down
or
pflogd_flags="-f /dev/null"
= Daniele Bonini
On 11.11.2023. 12:13, Stuart Henderson wrote:
> On 2023-11-11, Peter N. M. Hansteen wrote:
>> On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
>>> what would be best way to log pf logs in ascii and sent it to remote
>>> syslog ? I'm aware of pflow but I need ascii pf logs on remote
On 2023-11-11, Peter N. M. Hansteen wrote:
> On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
>> what would be best way to log pf logs in ascii and sent it to remote
>> syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
>> server.
>
> something like the good old
On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
> what would be best way to log pf logs in ascii and sent it to remote
> syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
> server.
something like the good old
https://home.nuug.no/~peter/pf/newest/log2syslog.ht
> On 15 Sep 2023, at 18:54, Stuart Henderson wrote:
>
> On 2023/09/15 13:40, Andy Lemin wrote:
>> Hi Stuart,
>>
>> Seeing as it seems like everyone is too busy, and my workaround
>> (not queue some flows on interfaces with queue defined) seems of no
>> interest,
>
> well, it might be, but I
On 2023/09/15 13:40, Andy Lemin wrote:
> Hi Stuart,
>
> Seeing as it seems like everyone is too busy, and my workaround
> (not queue some flows on interfaces with queue defined) seems of no
> interest,
well, it might be, but I'm not sure if it will fit with how
queues work..
> and my current hac
Hi Stuart, Seeing as it seems like everyone is too busy, and my workaround (not queue some flows on interfaces with queue defined) seems of no interest, and my current hack to use queuing on Vlan interfaces is a very incomplete and restrictive workaround; Would you please be so kind as to provide me
On Thu, Sep 14, 2023 at 7:23 PM Andrew Lemin wrote:
>
>
> On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson <
> stu.li...@spacehopper.org> wrote:
>
>> On 2023-09-13, Andrew Lemin wrote:
>> > I have noticed another issue while trying to implement a 'prio'-only
>> > workaround (using only prio orde
On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson
wrote:
> On 2023-09-13, Andrew Lemin wrote:
> > I have noticed another issue while trying to implement a 'prio'-only
> > workaround (using only prio ordering for inter-VLAN traffic, and HFSC
> > queuing for internet traffic);
> > It is not possibl
On Wed, Sep 13, 2023 at 8:22 PM Stuart Henderson
wrote:
> On 2023-09-12, Andrew Lemin wrote:
> > Ah, that's clever! Having bandwidth queues up to 34,352M would
> definitely
> > provide runway for the next decade :)
> >
> > Do you think your idea is worth circulating on tech@ for further
> > di
On 2023-09-13, Andrew Lemin wrote:
> I have noticed another issue while trying to implement a 'prio'-only
> workaround (using only prio ordering for inter-VLAN traffic, and HFSC
> queuing for internet traffic);
> It is not possible to have internal inter-vlan traffic be solely priority
> ordered w
On 2023-09-12, Andrew Lemin wrote:
> Ah, that's clever! Having bandwidth queues up to 34,352M would definitely
> provide runway for the next decade :)
>
> Do you think your idea is worth circulating on tech@ for further
> discussion? Queueing at bps resolution is rather redundant nowadays, even
On Wed, Sep 13, 2023 at 3:43 AM Andrew Lemin wrote:
> Hi Stuart.
>
> On Wed, Sep 13, 2023 at 12:25 AM Stuart Henderson <
> stu.li...@spacehopper.org> wrote:
>
>> On 2023-09-12, Andrew Lemin wrote:
>> > Hi all,
>> > Hope this finds you well.
>> >
>> > I have discovered that PF's queueing is still
Hi Stuart.
On Wed, Sep 13, 2023 at 12:25 AM Stuart Henderson
wrote:
> On 2023-09-12, Andrew Lemin wrote:
> > Hi all,
> > Hope this finds you well.
> >
> > I have discovered that PF's queueing is still limited to 32bit bandwidth
> > values.
> >
> > I don't know if this is a regression or not.
>
On 2023-09-12, Andrew Lemin wrote:
> Hi all,
> Hope this finds you well.
>
> I have discovered that PF's queueing is still limited to 32bit bandwidth
> values.
>
> I don't know if this is a regression or not.
It's not a regression, it has been capped at 32 bits afaik forever
(certainly was like t
On Thu, Aug 31, 2023 at 04:10:06PM +0200, Gabor LENCSE wrote:
> Dear David,
>
> Thank you very much for all the new information!
>
> I keep only those parts that I want to react to.
>
> > > It is not a fundamental issue, but it seems to me that during my tests not
> > > only four but five CPU cores
Dear David,
Thank you very much for all the new information!
I keep only those parts that I want to react to.
It is not a fundamental issue, but it seems to me that during my tests not
only four but five CPU cores were used by IP packet forwarding:
the packet processing is done in kernel threads
On Wed, Aug 30, 2023 at 09:54:45AM +0200, Gabor LENCSE wrote:
> Dear David,
>
> Thank you very much for your detailed answer! Now I have got the explanation
> for seemingly rather strange things. :-)
>
> However, I have some further questions. Let me explain what I do now so that
> you can more c
Dear David,
Thank you very much for your detailed answer! Now I have got the
explanation for seemingly rather strange things. :-)
However, I have some further questions. Let me explain what I do now so
that you can more clearly see the background.
I have recently enabled siitperf to use mul
On Mon, Aug 28, 2023 at 01:46:32PM +0200, Gabor LENCSE wrote:
> Hi Lyndon,
>
> Sorry for my late reply. Please see my answers inline.
>
> On 8/24/2023 11:13 PM, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> > Gabor LENCSE writes:
> >
> > > If you are interested, you can find the results in Tables 18
Hi Lyndon,
Sorry for my late reply. Please see my answers inline.
On 8/24/2023 11:13 PM, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
Gabor LENCSE writes:
If you are interested, you can find the results in Tables 18 - 20 of
this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009
Th
On Thu, Aug 24, 2023 at 12:31 PM Lyndon Nerenberg (VE7TFX/VE6BBM)
wrote:
> For over a year now we have been seeing instability on our firewalls
> that seems to kick in when our state tables approach 200K entries.
> The number varies, but it's a safe bet that once we cross the 180K
> threshold, the
On Thu, Aug 24, 2023 at 2:57 PM Gabor LENCSE wrote:
> I used OpenBSD 7.1 PF during stateful NAT64 benchmarking measurements
> from 400,000 to 40,000,000 states. (Of course, its connection setup and
> packet forwarding performance degraded with the number of states, but
> the degradation was not ve
Gabor LENCSE writes:
> If you are interested, you can find the results in Tables 18 - 20 of
> this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009
Thanks for the pointer -- that's a very interesting paper.
After giving it a quick read through, one thing immediately jumps
out.
Hi,
But my immediate (and only -- please do NOT start a bikeshed on
ruleset design!) question is:
Is there a practical limit on the number of states pf can handle?
I used OpenBSD 7.1 PF during stateful NAT64 benchmarking measurements
from 400,000 to 40,000,000 states. (Of course, its
On Thu, Jul 20, 2023 at 05:52:07PM +, mabi wrote:
> --- Original Message ---
> On Wednesday, July 19th, 2023 at 10:58 PM, Stuart Henderson
> wrote:
>
> > For rules that pass traffic to your authoritative DNS servers,
> > I don't think you need much longer than the time taken to answ
--- Original Message ---
On Wednesday, July 19th, 2023 at 10:58 PM, Stuart Henderson
wrote:
> For rules that pass traffic to your authoritative DNS servers,
> I don't think you need much longer than the time taken to answer a
> query. So could be quite a bit less.
Right good point, I wi
Hi,
Are you already using your DNS server's response rate limiting features?
Not yet, as I still believe I should stop as much as possible such traffic at
the firewall before it even reaches the network behind my firewall. So at the
software/daemon/service level it would be my last line of de
On 2023/07/19 19:54, mabi wrote:
> --- Original Message ---
> On Wednesday, July 19th, 2023 at 9:32 PM, Stuart Henderson
> wrote:
>
> > If PF is struggling as it is, there's a good chance it will buckle
> > completely if it has to do source tracking too
>
> That is also something I thou
--- Original Message ---
On Wednesday, July 19th, 2023 at 9:32 PM, Stuart Henderson
wrote:
> If PF is struggling as it is, there's a good chance it will buckle
> completely if it has to do source tracking too
That is also something I thought might be the case :|
> Did you already tweak
On 2023/07/19 19:13, mabi wrote:
> --- Original Message ---
> On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson
> wrote:
>
> > I don't think you understood what I wrote then - they are the
> > opposite of helpful here.
>
> No, I do understand what you wrote but I should have e
--- Original Message ---
On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson
wrote:
> I don't think you understood what I wrote then - they are the
> opposite of helpful here.
No, I do understand what you wrote but I should have explained my case in more
details. Behind my Open
On 19/07/2023 13:31, Stuart Henderson wrote:
> On 2023-07-19, Kapetanakis Giannis wrote:
>> Maybe even better, can it run under relayd (redirect) on top of carp?
> That's just rdr-to behind the scenes, no problem with that, though if
> you want to do per IP rate limiting alongside load-balancing
On 2023-07-19, mabi wrote:
> --- Original Message ---
> On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson
> wrote:
>
>
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties
On 2023-07-19, Kapetanakis Giannis wrote:
> On 18/07/2023 23:59, Stuart Henderson wrote:
>> PF's state-tracking options are only for TCP. (Blocking an IP
>> based on number of connections from easily spoofed UDP is a good
>> way to let third parties prevent your machine from communicating
>> with
--- Original Message ---
On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson
wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
On 18/07/2023 23:59, Stuart Henderson wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "