inet.carp.preempt=1
Any clue as to what could be the problem?
Thanks a lot,
Steve Johnson
Thanks for the information. This is the first time that I've used PF as
a router based firewall and not with NAT. I didn't know that the state
was on a per interface basis, and not global to the system. So this
means that unless I want to allow all outbound traffic from my firewall,
I need to h
the PF development or has it always been like that?
Thanks again to all for the responses and references,
Steve
Stuart Henderson wrote:
On 2008-05-08, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
Thanks for the informatio
service will increase in load.
Thanks again,
Steve Johnson
as I was getting past 750K sessions with conservative setting.
Thanks again for help,
Steve Johnson
least.
I don't recall Henning's rule, search the archive something like X times
your number of nics.
-Thomas
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Steve Johnson
Sent: den 8 maj 2008 23:18
To: misc@openbsd.org
Subject: PF Congestion and
of new sessions per second. I know it's something
very hardware demanding and even most enterprise class firewalls like
Juniper and Fortinet don't scale much more than a million even on their
higher end models, so that's why I'm curious as to what I could expect a
PF setup
Jordi Espasa Clofent wrote:
I was still wondering what could be considered "maximum" session
concurrency that I could expect, with various hardware combinations?
Is there anyone who can tell me if it could be feasible with OpenBSD and
better hardware? Even if we have to move to a different platform
Henning Brauer wrote:
congestion in what sense? the congestion counter increasing? this is not
necessarily a problem, it just must not grow fast. and of course you
want to bump your ipintrq length.
Yes, the congestion counter is what I meant. It's increasing at around
7/s when the traffic we
Hi,
I have a question regarding the ospfd route insertion in the ospf
database. I have 2 systems that have the same ospfd.conf
configuration, copied from the same CVS source, yet only 1 of them
actually adds them into the ospf database. This was validated with the
ospfctl show database self-origin
Hi,
I've seen the following message on the system console:
Message from syslogd@host at Thu Feb 10 10:11:51 2011 ...
host /bsd: pf: complete: 0xfe80d026ad00(1552)
Is this something I should worry about? I've tried searching for this and
haven't seemed to be able to find a reference
Thanks,
St
Ahh, excellent. Indeed I did. Thanks a lot for the fast response.
On Thu, Feb 10, 2011 at 10:47 AM, Dan Harnett wrote:
> On Thu, Feb 10, 2011 at 10:16:42AM -0500, Steve Johnson wrote:
> > I've seen the following message on the system console:
> >
> > Message from sys
571EB). The running version is 4.8
GENERIC.MP#335 amd64. All they are doing is routing and filtering with PF
and PFSync.
Any idea what else I could tweak or modify to rectify these errors? Let me
know if there is anything else that I should include to provide additional
information.
Thanks,
Steve Johnson
On Mon, Mar 7, 2011 at 11:15 AM, Claudio Jeker wrote:
> On Mon, Mar 07, 2011 at 10:38:45AM -0500, Steve Johnson wrote:
> > Hi,
> >
> > I'm having some issues with network connectivity on a system. When doing
> > netstat -ns, I get a lot of errors with missed PCB c
bc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
mtrr: Pentium Pro MTRR support
uhub4 at uhub0 port 5 "Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 2
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx0: address 00:15:c5:ef:ac:c8
brgphy0 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx1: address 00:15:c5:ef:ac:c6
brgphy1 at bnx1 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
On Mon, Mar 7, 2011 at 12:43 PM, Stuart Henderson wrote:
> On 2011-03-07, Steve Johnson wrote:
> >
> > The stats from pfctl seem to be fine
>
> > memory 14809331.7/s
>
> that's a problem ..
>
> netstat -m
> vmstat -m
> dmesg
roto tcp from any to 10.10.10.21/32 port 22
pass in log on bnx0 all
Is it normal that I need the pass out on bnx0 to create all proper state
entries, or should the first pass in rule have created them all? Is
there a key word to add to make it work properly on the first pass rule,
or am I missin
on VLAN interfaces
Below are configuration details, tcpdumps and logs that detail the setup.
http://pastebin.com/hbwrKmVr
Any idea as to what could be causing this would be appreciated!
Thanks,
Steve Johnson
ould do to correct it? I'm pretty sure that this would be the reason
why ARP replies are not getting to the requesting system.
Thanks again,
Steve
On 08/03/2010 12:57 PM, Steve Johnson wrote:
Hi,
I have an issue with setting up CARP interfaces for VLAN system
interfaces. For some r
s Resolution Protocol (reply)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
[Is gratuitous: False]
Sender MAC address: IETF-VRRP-virtual-router-VRID_28
(00:00:5e:00:01:28)
Sender IP address: 10.0.80
"Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx0: address 00:1e:c9:b2:64:cf
brgphy0 at bnx0 phy 1: BCM5708C 10/100/1000baseT PHY, rev. 6
bnx1: address 00:1e:c9:b2:64:cd
brgph
port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
mtrr: Pentium Pro MTRR support
uhub5 at uhub0 port 5 "Cypress Semiconductor USB2 Hub" rev 2.00/0.0b addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
bnx0: address 00:1e:c9:b2:64:cf
brgp
g, and
that by the looks of it it should be, I thought I'd ask just one last
time in case someone else sees this and might have a hint.
Thanks again!
Steve
On 08/10/2010 08:15 AM, Steve Johnson wrote:
Sorry about forgetting dmesg, thanks for the info about inline/pastebin.
Sinc
Excellent, thanks a lot for the reply! Really appreciated. I'll try this
out today and will update with results.
Steve
On 08/16/2010 06:58 PM, Stuart Henderson wrote:
On 2010-08-16, Steve Johnson wrote:
Hi,
I'm really sorry to resend about this, but I have tried to do th
All is working fine! Thanks a lot and sorry I had missed the original reply.
On 08/17/2010 07:21 AM, Steve Johnson wrote:
Excellent, thanks a lot for the reply! Really appreciated. I'll try this
out today and will update with results.
Steve
On 08/16/2010 06:58 PM, Stuart Henderson wrote
increase that number and if so, would this be a bad
practice? If need be I can always stop ladvd, but ideally we'd rather have
it on.
Thanks,
Steve Johnson
: listening on bnx1, link-type EN10MB
This is on amd64 (in case it changes anything)
On Tue, Feb 1, 2011 at 11:13 AM, Bret S. Lambert wrote:
> On Tue, Feb 01, 2011 at 09:23:05AM -0500, Steve Johnson wrote:
> > Hi,
> >
> > I wanted to know what was the restriction on B
Thanks. Pretty much what I had read on some older posts about limits of 10
but they were based on 4.1 and someone had replied that a lot had changed
since then, so I wanted to make sure that it was still indeed the case, and
that there should be no important impact in adding them.
Thanks for the a
Hi,
I currently have a system that has no match rule in the ruleset, but that
uses tables for a big chunk of the traffic, including our monitoring station
that has a pretty high SNMP request rate. That system has a state table that
usually stabilizes between 15-20K sessions, with a session search
net.inet.tcp.mssdflt=1472
net.inet.tcp.recvspace=262144
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3390=1
net.inet.tcp.sack=1
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
vm.swapencrypt.enable=1
On Tue, Feb 1, 2011 at 3:15 PM, Henning Brauer wrote:
> * St
Ok, thanks for the tip. I've removed the settings through sysctl, but
unfortunately I still see those alerts being triggered, then mostly resolved
during the next check.
The system seems to have some issues during heavy UDP session bursts (the
monitoring system issues a stream of requests to a cou
31 matches