bit.listserv.openbsd-pf Google Group

Re: pf is blocking too much connections?

pe...@bsdly.net (Peter N. M. Hansteen) — Sat, 14 Nov 2009 21:02:24 UT

The statistics don't really show us much of anything by themselves.
What are the actual error messages? What does your rule set say? Do
you have meaningful log data (pflog or otherwise)? That's the kind of
information we would need to help you debug, diagnose and fix.
One random thought - does your rule set include such things as limits

Re: pf is blocking too much connections?

mcbr...@openbsd.org (Ryan McBride) — Sat, 14 Nov 2009 12:08:51 UT

Looking at these stats, I would guess that you are running with the
default limit of states, 10,000. You have nearly 10,000 in your state
table now, and every time you get to the limit, new connections fail
(the 'memory' counter: 13.7/s).
You can check with pfctl -sm, and change the limit with 'set limit

pf is blocking too much connections?

ventas_en_e...@terra.es (LeiV) — Sat, 14 Nov 2009 11:38:57 UT

Hi,
I have a openbsd pf firewall protecting a web server, I have noticed that
some pages gives me errors when browsing through my site (sometimes it works
sometimes not), then I looked at pf and saw that is blocking a lot of
connectyions, how do I know which connections is blocking?
Status: Enabled for 202 days 23:34:57 Debug: Urgent

Filter on specific TTL value?

ian.ch...@sers.ox.ac.uk (Ian Chard) — Thu, 12 Nov 2009 14:34:40 UT

Hi,
Is it possible to filter on a specific TTL value? Long story short:
there are rogue packets being generated somewhere in our network's core,
and I can reliably identify them with a combination of IP TOS, TCP flags
and TTL value. I'd like to filter them out with pf if at all possible.
Cheers

Re: CBQ download limits failed...

rob...@openbsd.pap.st (Robert) — Thu, 12 Nov 2009 08:04:37 UT

On Wed, 11 Nov 2009 17:26:06 +0100
Limiting incoming bandwidth on the external interface doesn't work.
You can have some success if you queue traffic to your lan on the
internal interface.
Have a look at the pf faq [link] ,
especially the examples.
- Robert

Re: CBQ download limits failed...

f...@free.fr (Laurent Cheylus) — Thu, 12 Nov 2009 00:09:43 UT

HI,
(...)
(...)
You defined altq rule and queue for nomy2 on $ext_if2 but the pass rule
is on $int_if.
Add a 'pass out' rule on $ext_if2 to assign packets in 'nomy2' queue and
modify your 'pass in on $int_if' rule.
Laurent

CBQ download limits failed...

jordi.esp...@opengea.org (Jordi Espasa Clofent) — Wed, 11 Nov 2009 16:59:58 UT

Hi all,
I'm trying to implement queue using PF in OpenBSD box. The pf.conf looks
like:
ext_if1="fxp0"
ext_gw1="217.126.43.2"
ext_if2="bge1"
ext_gw2="192.168.10.1"
lesmes="192.168.0.121"
alejandro="192.168.0.51"
xevi="192.168.0.124"
santi="192.168.0.49"
dominis = "{" $lesmes $alejandro $xevi $santi "}"

RE: Trace packets through PF

mksm...@adhost.com (Michael K. Smith - Adhost) — Tue, 10 Nov 2009 19:38:45 UT

Hello Elliott:
You can look at the state tables with 'pfctl -s state'. It's not packet
based but, rather, flow based. That will show you whether or not you
have state all the way through your PF box. If you believe it's being
blocked, use 'block in log' in /etc/pf.conf and then 'tcpdump -n -e -ttt

Trace packets through PF

elli...@mywedding.com (Elliott Barrere) — Tue, 10 Nov 2009 19:05:20 UT

Hi all,
Is there a general way to watch a packet's progress through PF and see
when and where it's stopped? Something akin to "packet-tracer" on
Cisco maybe?
Thanks in advance!
-elliott-

Re: german t-com´s vdsl

axel....@chaos1.de (Axel Rau) — Sat, 07 Nov 2009 13:25:47 UT

Am 07.11.2009 um 07:08 schrieb Tobias Wigand:
Did you have a look at XORP
[link]
?
So, your linux box is not involved in none-IPTV traffic via VDSL?
Axel
---
axel....@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @
chaos claudius

Re: german t-com´s vdsl

li...@underscore.de (Tobias Wigand) — Sat, 07 Nov 2009 13:09:43 UT

Hi,
Yes I had but there was no IGMP Proxy functionality. It was on the TODO
list though.
It just does Multicast Routing / IGMP proxying, announces the few nets
that have to be routed via Vlan8 dynamically and firewalls itself with
user unfriendly IPTables ;)
On a sidenote, I would order the cheapest IPTV VDSL offer. The others

Re: german t-com´s vdsl

li...@underscore.de (Tobias Wigand) — Sat, 07 Nov 2009 06:48:05 UT

Assuming the same technical infrastructure is used for that offer: yes.
I have always found the guys at the onlinekosten.de forum to be very
helpful, maybe you can ask there to know for sure.
Never tried that.
Anyway the HowTo is outdated and does not work anymore for IPTV. Vlan8
is used for Multicast now and the required IGMP version is v3 there.

Re: german t-com´s vdsl

axel....@chaos1.de (Axel Rau) — Thu, 05 Nov 2009 10:06:51 UT

Am 22.01.2008 um 09:12 schrieb Tobias Wigand:
2 questions come into mind:
- Does the new IP-only (w/o IPTV) offer (started in Sep-2009 by German
Telekom)
still requires the vlan setup?
- How does the vlan setup interferes with a carp/pfsync configuration?
Axel
---
axel....@chaos1.de PGP-Key:29E99DD6 +49 151 2300 9283 computing @

Virgin Hate: Virgin Forced Clips

woodsonpec...@gmail.com (peck Woodson) — Tue, 03 Nov 2009 12:35:00 UT

============================== ============================== =============
========= My sister lose her virginity with me (video)
=========
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV VVVVVVVVVVVV
========= ENTER HERE:
=========
========= [link]

Re: syntax error while using scrub with OpenBSD 4.6

stephan.ricka...@startek.ch (Stephan A. Rickauer) — Wed, 28 Oct 2009 13:07:12 UT

[link]