From bugmaster at FreeBSD.org Mon Feb 2 03:06:58 2009 
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 2 03:08:41 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200902021106.n12B6vet094513@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/130977  pf    [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf    [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf    [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf    [pf] deadlock in pf
o kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/82271   pf    [pf] cbq scheduler cause bad latency

30 problems total.


From: sebster at sebster.com (Sebastiaan van Erk)
Date: Tue Feb 3 03:56:16 2009
Subject: GRE not natted on FreeBSD 7.1-p2
Message-ID: <49882A91.3050307@sebster.com>

Skipped content of type multipart/mixed


From: torsten at cnc-london.net (torsten Kersandt)
Date: Tue Feb 3 04:45:31 2009
Subject: GRE not natted on FreeBSD 7.1-p2
In-Reply-To: <49882A91.3050307@sebster.com>
References: <49882A91.3050307@sebster.com>
Message-ID: <004101c985f9$66fcbc40$34f634c0$@net>

Hi Sebastiaan,

I use the following:

  # VPN GRE PROTOCOL
  pass in proto gre all keep state
  pass out proto gre all keep state

That works fine for me. I have read somewhere that the "pass quick" is not
what you want, but I could be wrong.

Regards,
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Sebastiaan van Erk
Sent: 03 February 2009 11:29
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2

Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2.

However, now my firewall will suddenly no longer NAT GRE, so none of the
client connections to remote (PPTP) VPNs are working.

When trying to connect from the client (10.1.0.6) to the internet, everything
works fine (tcp/udp are natted), but when trying to set up a VPN my firewall
log says:

  3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

  @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address). This rule is supposed to block any
internal stuff going out that is not NATted properly. It is correct to block
my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

  nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached. Am I doing something stupid? Does anybody know
what I'm doing wrong?

Thanks in advance,
Sebastiaan
From: sebster at sebster.com (Sebastiaan van Erk)
Date: Tue Feb 3 05:29:34 2009
Subject: GRE not natted on FreeBSD 7.1-p2
In-Reply-To: <49882A91.3050307@sebster.com>
References: <49882A91.3050307@sebster.com>
Message-ID: <498846B2.1080306@sebster.com>

Hi,

I changed the GRE rule to:

  pass out quick proto gre

and it was still giving me the same errors after flushing the firewall:

  pfctl -f /etc/pf.conf

Log:

  3. 003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 7, proto PPP (0x880b), length 36: [|ppp]

But a few minutes later I started up the VPN (without having changed anything
in the firewall), and now it suddenly did work. I don't know where the delay
comes from; I've never seen that before...

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
>
> I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD
> 7.1-p2.
>
> However, now my firewall will suddenly no longer NAT GRE, so none of the
> client connections to remote (PPTP) VPNs are working.
>
> When trying to connect from the client (10.1.0.6) to the internet,
> everything works fine (tcp/udp are natted), but when trying to set up a
> VPN my firewall log says:
>
>   3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
>
> (vr0 is my external interface, which is connected to the ADSL modem)
>
> The rule that is blocking is:
>
>   @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
>
> (192.168.1.2 is my "external" address). This rule is supposed to block
> any internal stuff going out that is not NATted properly. It is correct
> to block my client (10.1.0.6), since it should have had its address
> translated.
>
> My nat rule is simple (and DOES NAT tcp/udp):
>
>   nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>
> The entire config is attached. Am I doing something stupid? Does anybody
> know what I'm doing wrong?
>
> Thanks in advance,
> Sebastiaan
>
>


From: torsten at cnc-london.net (torsten)
Date: Tue Feb 3 05:48:54 2009
Subject: Freebsd 7.1 route-to, reply-to working now??
In-Reply-To: <498846B2.1080306@sebster.com>
References: <49882A91.3050307@sebster.com> <498846B2.1080306@sebster.com>
Message-ID: <1401.78.105.9.127.1233668925.squirrel@webmail.cnc-london.net>

Hi,

I have seen an announcement just a month ago that the route-to and keep
session is now fixed. Can anyone confirm in which release or source it is in
the kernel (7.1-RELEASE, HEAD, CURRENT)? I know that the question was asked
but no definite answer could be found.

Thanks,
Torsten


From: Greg.Hennessy at nviz.net (Greg Hennessy)
Date: Wed Feb 4 10:56:22 2009
Subject: GRE not natted on FreeBSD 7.1-p2
In-Reply-To: <49882A91.3050307@sebster.com>
References: <49882A91.3050307@sebster.com>
Message-ID: <4989E220.2070606@nviz.net>

Sebastiaan van Erk wrote:
>
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>

This is the nub of the problem: 'hide' NAT breaks GRE.

To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE call id
header to track each session, in a manner analogous to rewriting the source
port of a 'hide' natted tcp/udp session.

The last time I looked, Daniel, Henning et al have not added that facility to
PF as of yet.

You can statically translate the flow instead, which should sort the problem.

Greg
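Greg's point, worked through as an added example that is not part of the thread or of pf: a model of why many:1 ("hide") NAT cannot demultiplex GRE return traffic, next to the call-ID translation he describes pf lacking. The addresses and the server call ID 55191 come from the thread's log line; the second client 10.1.0.7, the client call IDs, the 40000 external call-ID range and the PPP bytes are constructed, and HideNat/CallIdNat are simplified models, not pf's state tables.

```python
import struct
from typing import Dict, Optional, Set, Tuple

GRE_PROTO_PPP = 0x880B                  # PPTP enhanced GRE carries PPP (RFC 2637)
GRE_FLAG_K, GRE_FLAG_S, GRE_FLAG_A = 0x20, 0x10, 0x80
EXT_IP = "192.168.1.2"                  # the firewall's external address from the thread


def build_grev1(call_id: int, seq: int, payload: bytes) -> bytes:
    """PPTP enhanced GRE (GREv1) header: K and S set, version 1, proto 0x880B."""
    return struct.pack("!BBHHHI", GRE_FLAG_K | GRE_FLAG_S, 0x01,
                       GRE_PROTO_PPP, len(payload), call_id, seq) + payload


def parse_grev1(pkt: bytes) -> dict:
    """Return the fields tcpdump prints as 'GREv1, call N, seq N, proto PPP (0x880b)'."""
    hi, lo, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (lo & 0x07) != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if hi & GRE_FLAG_S:                 # optional 32-bit sequence number
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if lo & GRE_FLAG_A:                 # optional 32-bit acknowledgement number
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}


def rewrite_call_id(pkt: bytes, new_call_id: int) -> bytes:
    """Replace the 16-bit call ID that sits at bytes 6-7 of every GREv1 header."""
    return pkt[:6] + struct.pack("!H", new_call_id) + pkt[8:]


class HideNat:
    """Many:1 NAT as in 'nat on $ext_if from $int_net to any -> $ext_if': only the
    source address is rewritten. GRE has no ports, so return traffic can only be
    matched on the peer address, and two clients talking to one PPTP server collide."""

    def __init__(self) -> None:
        self.clients_by_server: Dict[str, Set[str]] = {}

    def outbound_gre(self, client: str, server: str, pkt: bytes) -> Tuple[str, str, bytes]:
        self.clients_by_server.setdefault(server, set()).add(client)
        return EXT_IP, server, pkt      # GRE header passes through untouched

    def inbound_gre(self, server: str, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        clients = self.clients_by_server.get(server, set())
        if len(clients) != 1:           # no state, or two states match: undeliverable
            return None
        return next(iter(clients)), pkt


class CallIdNat:
    """The facility Greg describes pf lacking: translate the client's GRE call ID the
    way hide NAT translates a TCP/UDP source port. Server->client GRE packets carry
    the client's call ID, which the client announces on the TCP/1723 control channel;
    a real ALG learns and rewrites it there. register_call() stands in for that step."""

    def __init__(self) -> None:
        self.next_ext_call = 40000      # constructed range for translated call IDs
        self.by_ext_call: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def register_call(self, client: str, server: str, client_call_id: int) -> int:
        ext_call = self.next_ext_call
        self.next_ext_call += 1
        self.by_ext_call[(server, ext_call)] = (client, client_call_id)
        return ext_call                 # the value the server learns for this client

    def inbound_gre(self, server: str, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        ext_call = parse_grev1(pkt)["call_id"]
        hit = self.by_ext_call.get((server, ext_call))
        if hit is None:
            return None
        client, orig_call = hit
        return client, rewrite_call_id(pkt, orig_call)   # restore the client's own ID


def demo() -> dict:
    """Two PPTP clients behind one external address, talking to the same server.
    'hide_single_client' shows hide NAT working while only one client has state
    (cf. the VPN coming up minutes later in the thread); 'hide_two_clients' shows
    the collision; the 'alg_*' keys show call-ID translation resolving it."""
    server = "193.46.80.81"             # PPTP server from the thread's log line
    clients = ["10.1.0.6", "10.1.0.7"]  # 10.1.0.7 is a constructed second client
    ppp = b"\xff\x03\xc0\x21"           # constructed PPP/LCP fragment as payload
    # Each client picks call ID 1 for its side of the call; call IDs are per-host
    # values, so a collision between two hosts behind one NAT is perfectly normal.
    client_call = 1
    single, hide, alg = HideNat(), HideNat(), CallIdNat()
    single.outbound_gre(clients[0], server, build_grev1(55191, 10, ppp))  # 55191 = server's call ID
    for c in clients:
        hide.outbound_gre(c, server, build_grev1(55191, 10, ppp))
    ext_calls = {c: alg.register_call(c, server, client_call) for c in clients}
    reply = build_grev1(client_call, 7, ppp)          # server -> client, client's call ID
    alg_reply = alg.inbound_gre(server, build_grev1(ext_calls["10.1.0.7"], 7, ppp))
    return {
        "hide_single_client": single.inbound_gre(server, reply)[0],
        "hide_two_clients": hide.inbound_gre(server, reply),
        "alg_delivered_to": alg_reply[0] if alg_reply else None,
        "alg_call_id_restored": parse_grev1(alg_reply[1])["call_id"] if alg_reply else None,
    }
```

Calling demo() returns a dict whose 'hide_two_clients' entry is None (undeliverable) while the 'alg_*' entries show the reply reaching 10.1.0.7 with its original call ID restored.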
From: sebster at sebster.com (Sebastiaan van Erk)
Date: Wed Feb 4 12:35:13 2009
Subject: GRE not natted on FreeBSD 7.1-p2
In-Reply-To: <4989E220.2070606@nviz.net>
References: <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net>
Message-ID: <4989FBD6.1030801@sebster.com>

Greg Hennessy wrote:
> Sebastiaan van Erk wrote:
>>
>>
>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>
> This is the nub of the problem: 'hide' NAT breaks GRE.
>
> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
> call id header to track each session, in a manner analogous to rewriting
> the source port of a 'hide' natted tcp/udp session.
>
> The last time I looked, Daniel, Henning et al have not added that
> facility to PF as of yet.
>
> You can statically translate the flow instead, which should sort the
> problem.
> Greg

Thanks for the reply.

I have a feeling that my "upstream" ADSL modem has a similar issue, because
what I did was use multiple "external" addresses on my pf machine
(192.168.1.2, 192.168.1.3, etc.) and I was getting really strange behavior
(that is, when starting a PPTP session on 192.168.1.2 I'd get GRE packets
back on 192.168.1.3 from the ADSL modem, which presumably still had an old
NAT rule from a recent session via the .3 address).

In the end I took the plunge and kicked PPTP out of the equation (since all
the remote servers are managed by me anyway), and converted everything to
OpenVPN with bridging. All my problems have vaporized and I've learned quite
a bit in the process.

Regards,
Sebastiaan
From: mij at bitchx.it (Mij)
Date: Wed Feb 4 18:51:32 2009
Subject: bridge and PF for transparent proxy
Message-ID: <397AAEFD-1C61-4EB4-8913-461A43EA9E2C@bitchx.it>

Hello folks,

On a FBSD7.1 box I would like to implement this sort of "transparent reverse
proxy":

  inet <---> (vr0)(vr1) <---> host

Such a box is expected to:

1) pass transparently anything from inet to host and vice versa
2) redirect some of such traffic (some well-defined TCP connections) from
   "inet" to an application listening on 127.0.0.1 on the box
3) make this application connect to "host" pretending to be the original
   source -- that is, using as source address the address of the client that
   connected to it from inet

I use bridge(4) over vr0 and vr1 to implement 1). I use something similar to
http://marc.info/?l=openbsd-misc&m=108089194621750&w=2 for 2).

Although from the network perspective 3) seems easily feasible as well, I
cannot think of a reasonable setup on the box host for it. Does anyone have
some advice for it?
These people, dispossessed of their own countries, have no State Departments, Defense Departments, seats in the United Nations, or voices in the mainstream media. They can submit to foreign hegemony or resist by the limited means available to them. The fact that Israel and the United States carry on endless propaganda to prevent this fundamental truth from being realized indicates that it is Israel and the US that are in the wrong and the Palestinians, Lebanese, Iraqis, and Afghans who are being wronged. The retired American generals who serve as war propagandists for Fox "News" are forever claiming that Iran arms the Iraqi and Afghan insurgents and Hamas. But where are the arms? To deal with American tanks, insurgents have to construct homemade explosive devices out of artillery shells. After six years of conflict the insurgents still have no weapon against the American helicopter gunships. Contrast this "arming" with the weaponry the US supplied to the Afghans three decades ago when they were fighting to drive out the Soviets. The films of Israel’s murderous assault on Gaza show large numbers of Gazans fleeing from Israeli bombs or digging out the dead and maimed, and none of these people are armed. A person would think that by now every Palestinian would be armed, every man, woman, and child. Yet, all the films of the Israeli attack show an unarmed population. Hamas has to construct homemade rockets that are little more than a sign of defiance. If Hamas were armed by Iran, Israel’s assault on Gaza would have cost Israel its helicopter gunships, its tanks, and hundreds of lives of its soldiers. Hamas is a small organization armed with small caliber rifles incapable of penetrating body armor. Hamas is unable to stop small bands of Israeli settlers from descending on West Bank Palestinian villages, driving out the Palestinians, and appropriating their land. The great mystery is: why after 60 years of oppression are the Palestinians still an unarmed people? 
Clearly, the Muslim countries are complicit with Israel and the US in keeping the Palestinians unarmed. The unsupported assertion that Iran supplies sophisticated arms to the Palestinians is like the unsupported assertion that Saddam Hussein had weapons of mass destruction. These assertions are propagandistic justifications for killing Arab civilians and destroying civilian infrastructure in order to secure US and Israeli hegemony in the Middle East. Source : http://vdare.com/roberts/090203_terror.htm ------------------------------------- You or someone using your email address is currently subscribed to the Lawrence Auster Newsletter. If you wish to unsubscribe from our mailing list, please let us know by calling 1 212 865 1284 Thanks, Lawrence Auster, 238 W 101 St Apt. 3B New York, NY 10025 Contact: lawrence.auster@att.net ------------------------------------- From awd at awdcomp.net Sat Feb 7 03:50:07 2009
From: awd at awdcomp.net (Andrew)
Date: Sat Feb 7 03:50:14 2009
Subject: GRE not natted on FreeBSD 7.1-p2
In-Reply-To: <4989FBD6.1030801@sebster.com>
References: <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net> <4989FBD6.1030801@sebster.com>
Message-ID: <498D6BBE.3050901@awdcomp.net>

Howdy,

If you (or others watching this list) ever need to go back to the pptp route then consider using net/frickin which is a pptp proxy :) I'm using it successfully with redirection.

rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
rdr on $int_if proto gre from $lnet to any -> 127.0.0.1

Cheers cya
Andrew

Sebastiaan van Erk wrote:
> Greg Hennessy wrote:
>> Sebastiaan van Erk wrote:
>>>
>>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>>
>> This is the nub of the problem, 'hide' NAT breaks GRE.
>>
>> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
>> call id header to track each session in a manner analogous to
>> rewriting the source port of a 'hide' natted tcp/udp session.
>>
>> The last time I looked, Daniel, Henning et al have not added that
>> facility to PF as of yet.
>>
>> You can statically translate the flow instead which should sort the
>> problem.
>>
>> Greg
>
> Thanks for the reply,
>
> I have a feeling that my "upstream" ADSL modem has a similar issue,
> because what I did was use multiple "external" addresses on my pf
> machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange
> behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get
> GRE packets back on 192.168.1.3 from the ADSL modem, which presumably
> still had an old NAT rule from a recent session via the .3 address).
>
> In the end I took the plunge and kicked PPTP out of the equation (since
> all the remote servers are managed by me anyway), and converted
> everything to OpenVPN with bridging. All my problems have vaporized and
> I've learned quite a bit in the process.
>
> Regards,
> Sebastiaan
>

From bugmaster at FreeBSD.org Mon Feb 9 03:06:57 2009
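Greg Hennessy's point in the GRE thread above, that many:1 NAT of PPTP needs a GRE call-ID rewrite analogous to source-port rewriting, as an added Python model (not pf code and not from the thread): a toy NAT that can only key return GRE traffic on the call ID, first without the rewrite pf lacked at the time and then with it. The host addresses, the 0x8000 call-ID pool and the NAT learning each client's call ID from the TCP/1723 control channel are assumptions for the demo.

```python
"""Toy model of many:1 ('hide') NAT for PPTP's GRE, added as an example and
not pf code: return traffic has no port to key on, only the enhanced-GRE
call ID (RFC 2637 section 4.1), so the NAT must rewrite call IDs the way it
rewrites TCP/UDP source ports.  Host addresses, the 0x8000 call-ID pool and
learning client call IDs from the TCP/1723 control channel are assumptions."""
import struct

GRE_PROTO_PPP = 0x880B        # protocol type of PPTP's GRE payload (PPP)
GRE_FLAG_K = 0x20             # key present: the call-ID field
GRE_FLAG_S = 0x10             # sequence number present
GRE_ACK_A = 0x80              # in byte 1: acknowledgement number present
GRE_VERSION_ENHANCED = 1


def build_gre_pptp(call_id, payload, seq=None):
    """Enhanced GRE: flags, version, proto, payload length, call ID[, seq]."""
    flags = GRE_FLAG_K | (GRE_FLAG_S if seq is not None else 0)
    hdr = struct.pack("!BBHHH", flags, GRE_VERSION_ENHANCED, GRE_PROTO_PPP,
                      len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def parse_gre_pptp(pkt):
    """Return (call_id, payload); reject anything that is not PPTP's GRE."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (ver & 0x07) != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    off = 8 + (4 if flags & GRE_FLAG_S else 0) + (4 if ver & GRE_ACK_A else 0)
    return call_id, pkt[off:off + length]


def rewrite_call_id(pkt, new_call_id):
    """Copy of pkt with the 16-bit call-ID field (header bytes 6..7) replaced."""
    return pkt[:6] + struct.pack("!H", new_call_id) + pkt[8:]


class HidePptpNat:
    """rewrite=False models the behaviour described in the thread (no call-ID
    rewrite); rewrite=True models the facility Greg says pf lacked."""

    def __init__(self, rewrite):
        self.rewrite = rewrite
        self.by_ext_id = {}        # call ID seen from outside -> (inside ip, inside call ID)
        self.next_ext_id = 0x8000  # pool of translated call IDs (assumption)

    def register_call(self, inside_ip, inside_call_id):
        """Called when the control channel reveals a client's call ID; returns the
        call ID the remote server will put in the GRE packets it sends back."""
        ext_id = inside_call_id
        if self.rewrite:
            ext_id, self.next_ext_id = self.next_ext_id, self.next_ext_id + 1
        self.by_ext_id[ext_id] = (inside_ip, inside_call_id)   # last writer wins
        return ext_id

    def translate_inbound(self, pkt):
        """Server -> client GRE: choose the inside host by call ID, restore the
        client's own call ID.  Returns (inside_ip or None, packet)."""
        call_id, _ = parse_gre_pptp(pkt)
        if call_id not in self.by_ext_id:
            return None, pkt                 # no state: a stateful NAT drops it
        inside_ip, inside_id = self.by_ext_id[call_id]
        return inside_ip, rewrite_call_id(pkt, inside_id)


def simulate(rewrite):
    """Two inside hosts both open a PPTP call with call ID 1 (clients commonly
    start low).  Returns {intended host: (host actually reached, call ID seen)}."""
    nat = HidePptpNat(rewrite)
    hosts = ["192.168.1.10", "192.168.1.11"]          # constructed sample hosts
    ext_ids = {h: nat.register_call(h, 1) for h in hosts}
    delivered = {}
    for h in hosts:
        reply = build_gre_pptp(ext_ids[h], b"\xff\x03\xc0\x21", seq=7)  # PPP LCP frame
        dst, translated = nat.translate_inbound(reply)
        delivered[h] = (dst, parse_gre_pptp(translated)[0])
    return delivered


if __name__ == "__main__":
    print("hide NAT, no rewrite:", simulate(False))   # second host steals .10's replies
    print("with call-ID rewrite:", simulate(True))
```

Without the rewrite the second session overwrites the first's state, which is the "GRE packets coming back on the wrong address" symptom from the thread; Andrew's rdr to a PPTP proxy sidesteps it by terminating the calls on one host.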
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Feb 9 03:08:50 2009 Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org Message-ID: <200902091106.n19B6uHw009204@freefall.freebsd.org> Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/130977 pf [netgraph][pf] kernel panic trap 12 on user connect to o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st o kern/129861 pf [pf] [patch] Argument names reversed in pf_table.c:_co o kern/129060 pf [pf] [tun] pf doesn't forget the old tun IP o kern/127920 pf [pf] ipv6 and synproxy don't play well together o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w o conf/127511 pf [patch] /usr/sbin/authpf: add authpf folders to BSD.ro o kern/127439 pf [pf] deadlock in pf o kern/127345 pf [pf] Problem with PF on FreeBSD7.0 [regression] o kern/127121 pf [pf] [patch] pf incorrect log priority o kern/127042 pf [pf] [patch] pf recursion panic if interface group is o kern/125467 pf [pf] pf keep state bug while handling sessions between s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge o kern/122773 pf [pf] pf doesn't log uid or pid when configured to o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf o kern/121704 pf [pf] PF mangles loopback packets o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. 
The c o bin/118355 pf [pf] [patch] pfctl(8) help message options order false o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c o kern/114095 pf [carp] carp+pf delay with high state limit o kern/111220 pf [pf] repeatable hangs while manipulating pf tables s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5. o kern/103283 pf pfsync fails to sucessfully transfer some sessions o kern/103281 pf pfsync reports bulk update failures o kern/93825 pf [pf] pf reply-to doesn't work o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s o kern/92949 pf [pf] PF + ALTQ problems with latency o kern/82271 pf [pf] cbq scheduler cause bad latency 30 problems total. From tom at uffner.com Tue Feb 10 00:57:22 2009 From: tom at uffner.com (Tom Uffner) Date: Tue Feb 10 00:57:29 2009 Subject: status of carpdev? Message-ID: <49913D89.8010801@uffner.com> what happened with the effort to port "ifconfig ... carpdev ..." to FreeBSD? the last messages mentioning it were posted a bit more than a year ago. if i remember correctly, there was a patch for IPv4 only. it was considered Beta test quality and a few people were using it. but since then i have not seen it mentioned anywhere, and nothing has been committed. what is the status, and is there a usable patch for 7.1? thanks, tom From tom at uffner.com Thu Feb 12 01:26:41 2009 
From: tom at uffner.com (Tom Uffner)
Date: Thu Feb 12 01:26:48 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <20081203071940.324735uokbfgyh6o@econet.encontacto.net>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net>
Message-ID: <4993EB42.2020503@uffner.com>

eculp wrote:
> I don't remember why but for some reason I have the idea that pf+altq is
> not bidirectional. Am I mistaken?

no solution that does not involve cooperation from your upstream connection(s) is truly bidirectional. it is easy to limit/shape your outbound traffic. on the other hand it is difficult if not impossible to unilaterally control the amount or sources of inbound data arriving at your border router(s) on its way to various applications (mail servers, for example).

you can _pretend_ to by dropping, queuing or otherwise limiting it once inside your network, but you cannot meaningfully prevent it from using your downlink bandwidth and potentially crowding out other, possibly more desirable, inbound data.

From eculp at encontacto.net Thu Feb 12 04:41:47 2009
From: eculp at encontacto.net (eculp)
Date: Thu Feb 12 04:41:55 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <4993EB42.2020503@uffner.com>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com>
Message-ID: <20090212063141.11024jm7bsi7shio@econet.encontacto.net>

Quoting Tom Uffner :

> eculp wrote:
>
>> I don't remember why but for some reason I have the idea that
>> pf+altq is not bidirectional. Am I mistaken?
>
> no solution that does not involve cooperation from your upstream
> connection(s) is truly bidirectional. it is easy to limit/shape
> your outbound traffic. on the other hand it is difficult if not
> impossible to unilaterally control the amount or sources of inbound
> data arriving at your border router(s) on it's way to various
> applications (mail servers, for example).
>
> you can _pretend_ to by dropping, queuing or otherwise limiting it
> once inside your network, but you cannot meaningfully prevent it from
> using your downlink bandwidth and potentially crowding out other,
> possibly more desirable, inbound data.
>

Hi, Tom.

Thanks for responding. As I read your answer and my question, I'm pretty sure that I probably didn't ask the question properly. What I need to do is be the intermediary between my upstream ISPs and my customers, and I would like to control the bandwidth hogs.

Basically, I want certain outgoing traffic based on port to go to ISP1 and all other, not blocked, ports to go to the other, while limiting the available internal bandwidth to each downstream client, say to 64k; and if borrowing is possible when traffic is low, great. I did something like this with IPFW and dummynet maybe 6 or more years ago and, as I remember, it worked and solved an immediate problem of downstream demand not being distributed adequately or equitably. The major differences were connection speed and there was only one isp.

I've looked at:
http://www.openbsd.org/faq/pf/pools.html

It either doesn't do what I want or I don't understand how to make it do what I want.

I am considering going back to IPFW and dummynet but now that I'm using PF, I am a bit lazy to try and integrate what I have in pf to IPFW.

Thanks for any help, advice, configuration examples, etc.

ed

From tom at uffner.com Thu Feb 12 23:58:01 2009
From: tom at uffner.com (Tom Uffner)
Date: Thu Feb 12 23:58:07 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <20090212063141.11024jm7bsi7shio@econet.encontacto.net>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com> <20090212063141.11024jm7bsi7shio@econet.encontacto.net>
Message-ID: <49952803.80404@uffner.com>

eculp wrote:
> Thanks for responding. As I read your answer and my question. I'm
> pretty sure that I probably didn't ask the question properly. What I
> need to do is be intermediary between my upstream ISP's and my customers
> and would like to control the bandwidth hogs.
>
> Basically, I want certain outgoing traffic based on port to go to ISP1
> and all other, not blocked, ports to go to the other while limiting the
> available internal bandwidth to each downstream client say to 64k if
> and if borrowing is possible when traffic is low, great. I did
> something like this with IPFW and dummynet maybe 6 or more years ago and
> as I remember, worked and solved an immediate problem of downstream
> demand not being distributed adequately or equitably. The major
> differences were connection speed and there was only one isp.

assuming that your BSD firewall/router has separate interfaces connected to each ISP, you can do the outgoing part of what you want several ways in pf, with or without using altq. you could write pass...route-to rules similar to the ones at http://www.openbsd.org/faq/pf/pools.html to match the traffic you want to go out through each ISP, or you could tag the traffic on the way in your inside interface and use the tags to assign it to an altq queue for the proper outbound interface.

as for rationing bandwidth to your downstream clients, there are several reasons why it doesn't make sense, and/or why altq is not the best tool, but it is possible.

first, the objections:

as many people have pointed out in this & other altq threads, altq has no convenient way of splitting bandwidth by IP like dummynet. you have to create a queue and a filter rule per address by hand which is tedious and increasingly inefficient as the number of clients grows.

your lan border is the wrong place to try to fight bandwidth-hogs because they have already hogged the bandwidth on the small pipe from your provider and it is not really useful to limit them to a trickle in the much larger pipe that is your lan.

if possible, it would be much better to convince your ISP(s) to let you co-locate a BSD appliance to queue the traffic at their end of your WAN link(s) where it will do much more good.

also there are a few outstanding PRs on altq at this time:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf

but if you choose to, the way to do it is to create an altq on your inside interface using cbq, borrow, and bandwidth equal to the sum of your ISP connections, then set up either a subqueue for each client, or subqueues for each class of service, and subqueues of those for the clients.

i've seen some mentions that it is possible to use dummynet w/ pf. i have no idea how, but if true it might be a better option for you.

From eculp at encontacto.net Fri Feb 13 02:52:37 2009
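Tom's cbq layout above (a root queue on the inside interface sized to the sum of the ISP links, a borrow-enabled subqueue per client, and a filter rule per address) as an added example that is not from the thread and not pfctl's own code: a short Python generator that writes the pf.conf fragment so the per-address tedium he mentions is scripted, and refuses the job when the client subqueues would add up to more than their parent, which pfctl rejects for cbq. The interface name, client addresses, the 5% default queue and the c_<addr> queue names are assumptions.

```python
"""Generate the per-client cbq queue tree and per-address filter rules that
Tom describes.  Added example, not from the thread and not pfctl's own code.
Interface name, client addresses, the 5% default queue and the c_<addr>
queue names are assumptions for the demo."""

BW_UNITS = {"Gb": 10**9, "Mb": 10**6, "Kb": 10**3, "b": 1}   # longest suffix first


def parse_bw(text):
    """pf bandwidth spec ('64Kb', '2Mb', '1.5Gb', '4000000b') -> bits per second."""
    for suffix, mult in BW_UNITS.items():
        if text.endswith(suffix):
            return int(float(text[:-len(suffix)]) * mult)
    return int(text)


def format_bw(bits):
    """Bits per second -> the shortest exact pf spec (4000000 -> '4Mb')."""
    for suffix, mult in BW_UNITS.items():
        if bits >= mult and bits % mult == 0:
            return f"{bits // mult}{suffix}"
    return f"{bits}b"


def queue_name(addr):
    """One queue per address, dots replaced so the name is a plain identifier."""
    return "c_" + addr.replace(".", "_")


def max_clients(isp_bws, per_client="64Kb", default_pct=5):
    """How many per_client subqueues fit under the clients queue.  pfctl rejects
    a cbq parent whose children add up to more bandwidth than it has."""
    total = sum(parse_bw(b) for b in isp_bws)
    pool = total * (100 - default_pct) // 100
    return pool // parse_bw(per_client)


def pf_altq_config(int_if, isp_bws, clients, per_client="64Kb", default_pct=5):
    """Return the pf.conf fragment: a root cbq queue on the inside interface sized
    to the sum of the ISP links, a default queue, one borrow-enabled subqueue per
    client, and a pass rule steering traffic towards each client into its queue."""
    limit = max_clients(isp_bws, per_client, default_pct)
    if len(clients) > limit:
        raise ValueError(f"{len(clients)} clients x {per_client} exceed the clients "
                         f"queue; at most {limit} fit")
    total = format_bw(sum(parse_bw(b) for b in isp_bws))
    names = [queue_name(c) for c in clients]
    lines = [
        f"# generated: {len(clients)} clients at {per_client} each, root {total}",
        f"altq on {int_if} cbq bandwidth {total} queue {{ std, clients }}",
        f"queue std bandwidth {default_pct}% cbq(default)",
        f"queue clients bandwidth {100 - default_pct}% {{ {', '.join(names)} }}",
    ]
    # borrow lets a client exceed its share while the parent has idle capacity
    lines += [f"  queue {n} bandwidth {per_client} cbq(borrow)" for n in names]
    lines += [f"pass out on {int_if} inet from any to {c} keep state queue {n}"
              for c, n in zip(clients, names)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: two 2Mb ISP links, two clients on the inside interface
    print(pf_altq_config("em1", ["2Mb", "2Mb"], ["192.168.1.10", "192.168.1.11"]))
```

The limit check makes Tom's "increasingly inefficient as the number of clients grows" concrete: two 2Mb links leave room for 59 guaranteed 64Kb subqueues, and the 60th has to be served by borrowing or a coarser class-of-service layout.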
From: eculp at encontacto.net (eculp) Date: Fri Feb 13 02:52:43 2009 Subject: PF + ALTQ - Bandwidth per customer In-Reply-To: <49952803.80404@uffner.com> References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com> <20090212063141.11024jm7bsi7shio@econet.encontacto.net> <49952803.80404@uffner.com> Message-ID: <20090213045231.18054m16fhi70z6s@econet.encontacto.net> Quoting Tom Uffner : > eculp wrote: >> Thanks for responding. As I read your answer and my question. I'm >> pretty sure that I probably didn't ask the question properly. What >> I need to do is be intermediary between my upstream ISP's and my >> customers and would like to control the bandwidth hogs. >> >> Basically, I want certain outgoing traffic based on port to go to >> ISP1 and all other, not blocked, ports to go to the other while >> limiting the available internal bandwidth to each downstream client >> say to 64k if and if borrowing is possible when traffic is low, >> great. I did something like this with IPFW and dummynet maybe 6 or >> more years ago and as I remember, worked and solved an immediate >> problem of downstream demand not being distributed adequately or >> equitably. The major differences were connection speed and there >> was only one isp. > > assuming that your BSD firewall/router has separate interfaces connected to > each ISP, you can do the outgoing part of what you want several ways in pf, > with or without using altq. you could write pass...route-to rules similar to > the ones at http://www.openbsd.org/faq/pf/pools.html match the traffic you > want to go out through each ISP, or you could tag the traffic on the way in > your inside interface and use the tags to assign it to an altq queue for the > proper outbound interface. 
> > as for rationing bandwidth to your downstream clients, there are several > reasons why it doesn't make sense, and/or why altq is not the best tool, > but it is possible. > > first, the objections: > > as many people have pointed out in this & other altq threads, altq has no > convenient way of splitting bandwidth by IP like dummynet. you have to > create a queue and a filter rule per address by hand which is tedious and > increasingly inefficient as the number of clients grows. > > your lan border is the wrong place to try to fight bandwidth-hogs because > they have already hogged the bandwidth on the small pipe from your provider > and it is not really useful to limit them to a trickle in the much larger > pipe that is your lan. > > if possible, it would be much better to convince your ISP(s) to let you > co-locate a BSD appliance to queue the traffic at their end of your WAN > link(s) where it will do much more good. > > also there are a few outstanding PRs on altq at this time: > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-pf/20090208.freebsd-pf > > but if you choose to, the way to do it is to create an altq on your inside > interface using cbq, borrow, and bandwidth equal to the sum of your ISP > connections, then set up either a subqueue for each client, or subqueues > for each class of service, and subqueues of those for the clients. > > i've seen some mentions that it is possible to use dummynet w/ pf. if have > no idea how, but if true it might be a better option for you. > Tom, thanks for confirming all that I had hoped was not true;) I'm going to look a bit closer at using dummynet with altq or just go back to IPFW. Thanks again, ed From sfourman at gmail.com Fri Feb 13 04:17:30 2009 
From: sfourman at gmail.com (Sam Fourman Jr.)
Date: Fri Feb 13 04:17:36 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To:
References: <20081124180411.0b065be5@wolwerine> <705757.42117.qm@web38504.mail.mud.yahoo.com> <11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com>
Message-ID: <11167f520902130356u629ab076q8b29a640216780d3@mail.gmail.com>

>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>> to limit bandwidth per customer( say one customer (with root access)
>> per server )
>>
> There was not much to report at that point. However, pfSense 2.0 has
> per user bandwidth ported from DragonFlyBSD. If you would like to
> test the patch, it is located here:
> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain

Does anyone know if there are plans to merge dragonfly's fairq into FreeBSD -CURRENT?

Matt made it sound like Max was thinking about putting it in FreeBSD here:
http://archive.netbsd.se/?ml=dfbsd-kernel&a=2008-04&m=6979148

also does anyone happen to have a patch to apply NetBSD's Window scale to FreeBSD?

Sam Fourman Jr.
Fourman Networks

From eri at freebsd.org Fri Feb 13 07:18:48 2009
From: eri at freebsd.org (Ermal Luçi)
Date: Fri Feb 13 07:18:54 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <11167f520902130356u629ab076q8b29a640216780d3@mail.gmail.com>
References: <20081124180411.0b065be5@wolwerine> <705757.42117.qm@web38504.mail.mud.yahoo.com> <11167f520812011508u46b04e7dmb1d5d22675dc778d@mail.gmail.com> <11167f520902130356u629ab076q8b29a640216780d3@mail.gmail.com>
Message-ID: <9a542da30902130651lf62e2d5vfd3dbf3ce3a61e24@mail.gmail.com>

On Fri, Feb 13, 2009 at 3:56 AM, Sam Fourman Jr. wrote:
>>> So I would like to hear some ideas on how we could use FreeBSD or any other BSD
>>> to limit bandwidth per customer( say one customer (with root access)
>>> per server )
>>>
>> There was not much to report at that point. However, pfSense 2.0 has
>> per user bandwidth ported from DragonFlyBSD. If you would like to
>> test the patch, it is located here:
>> http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/patches/RELENG_7_1/fairq.RELENG_7.diff?rev=1.3;content-type=text%2Fplain
>
>
> Does any one know if there are plans to merge dragonfly's fairq into
> FreeBSD -CURRENT?
>
> Matt, made it sound like Max was thinking about putting it in FreeBSD here:
> http://archive.netbsd.se/?ml=dfbsd-kernel&a=2008-04&m=6979148
>

http://snapshots.pfsense.org/FreeBSD7/HEAD/ has images of pfSense based on FreeBSD7 which have ALTQ_FAIRQ/dummynet for pf.
If you want to go the hard way of using patches i have explained it in another thread on the freebsd-pf list on how to get the single patches from pfSense repository. They are for FreeBSD 7 as of now.

> also does anyone happen to have a patch to apply NetBSD's Window scale
> to FreeBSD?

- Ermal

From matheus at eternamente.info Fri Feb 13 11:29:05 2009
From: matheus at eternamente.info (Nenhum_de_Nos) Date: Fri Feb 13 11:29:11 2009 Subject: PF + ALTQ - Bandwidth per customer In-Reply-To: <20090213045231.18054m16fhi70z6s@econet.encontacto.net> References: <76463C1E8CB14B958088F7E54C611560@ashevchenko> <493634DA.7000408@infoweapons.com> <20081203071940.324735uokbfgyh6o@econet.encontacto.net> <4993EB42.2020503@uffner.com> <20090212063141.11024jm7bsi7shio@econet.encontacto.net> <49952803.80404@uffner.com> <20090213045231.18054m16fhi70z6s@econet.encontacto.net> Message-ID: <596e4ca92b10c5b088934cc8f48a0bdc.squirrel@cygnus.homeunix.com> > Tom, thanks for confirming all that I had hoped was not true;) I'm > going to look a bit closer at using dummynet with altq or just go back > to IPFW. if you get to use pf+dummynet for real please broadcast. I once searched for it but no luck in finding :) it may help me do some things at home ;) matheus -- We will call you cygnus, The God of balance you shall be From importantnotice at rbc.com Sun Feb 15 06:21:03 2009 
From: importantnotice at rbc.com (RBC bank) Date: Sun Feb 15 06:21:10 2009 Subject: important notice Message-ID: <20090215135107.21973.qmail@jecoro.nl> RBC Financial Group [1]Contact Information Online Services Security [2]Help > [3]Important Notices [icon_information.gif] Changes to the online banking site On February 14, you'll notice some new features when you sign in to online banking. On the Home page, there will be navigation tabs giving you easy access to your other RBC online accounts We advice you to take a tour on the demo. Click below for demo image below: [4][olb_globalnav_eng.gif] Changes to the online banking site will affect your online banking account and we have suspended your account until such time that it can be safely restored by you because your RBC online account may have been compromised. To restore your account, click here : [5]https://www.royalbank.com/cgi-bin/rbaccess/ In addition, as you navigate through the site, you'll see links in the upper right corner giving you quick access to: * Customer Support * Help with this page * Edit Profile These updates are part of our commitment to finding better ways to help meet your financial needs. _________________________________________________________________ Last modified: 14/02/2009 20:40:48 References 1. javascript:kiosk_OpenWinRTB( 'https://www.rbcroyalbank.com/onlinebanking/signin/contactus.html?RefURL=https://www1.royalbank.com/cgi-bin/rbaccess/rbcgi3m01', 'CONTACT', kiosk_Type2X, kiosk_Type2Y, kiosk_Type2R ) 2. javascript:kiosk_OpenWinRTB( 'https://www.rbcroyalbank.com/onlinebanking/help.html', 'HELP', kiosk_Type3X, kiosk_Type3Y, kiosk_Type3R ) 3. http://www.volunteers-wow.net/rbc3/rbc3/rbc3/rbc3/rbc3/index.html 4. http://www.volunteers-wow.net/rbc3/rbc3/rbc3/rbc3/rbc3/index.html 5. http://www.volunteers-wow.net/rbc3/rbc3/rbc3/rbc3/rbc3/index.html From darkibot at gmail.com Sun Feb 15 13:00:04 2009 
From: darkibot at gmail.com (Oleg S)
Date: Sun Feb 15 13:00:10 2009
Subject: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
Message-ID: <200902152100.n1FL0398004641@freefall.freebsd.org>

The following reply was made to PR kern/130977; it has been noted by GNATS.

From: Oleg S
To: bug-followup@FreeBSD.org, darkibot@gmail.com
Cc:
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
Date: Sun, 15 Feb 2009 22:25:05 +0200

More detail: the pf firewall should contain a rule like:

pass in quick proto tcp from any to (self) port 25 flags S/SA keep state

e.g. the system crashes when the '(self)' macro is present in the firewall.

From dirk.r.gently at gmail.com Sun Feb 15 18:26:26 2009
From: dirk.r.gently at gmail.com (Dirk R. Gently)
Date: Sun Feb 15 18:26:33 2009
Subject: pf blocking ftp on firewall/router, what did I overlook?
Message-ID: <3f4330ce0902151801t436e266j560fcc900d5a1c74@mail.gmail.com>

Thanks for taking the time to read this. I've tried to fix this but am unsure how to do it. Any help would be appreciated.

I built a basic pf.conf for a machine to act as a router/firewall. The problem I'm having is that the pf.conf I built is blocking access to ftp. I've built in ftp-proxy but if I understand it correctly ftp-proxy allows lan clients through the firewall, what about the router itself? Without this, I'm unable to update unless I turn off the firewall.

Here's my pf.conf:

# Network Interface Cards (NIC)s.
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"

table persist file "/etc/pfblocked.conf"

set block-policy drop
set loginterface $WAN_NIC
set require-order yes

scrub in all

nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp -> lo0 port $FTPPORT

set skip on lo0
antispoof log for { lo0 $WAN_NIC $LAN_NIC }

block drop in log (all) quick on $WAN_NIC from to any
block in log on $WAN_NIC all

anchor "ftp-proxy/*"

pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any

I've tested this and pfctl -nf /etc/pf.conf is ok. Any thoughts?

--
Dirk R. Gently - http://linuxtidbits.wordpress.com/

From bugmaster at FreeBSD.org Mon Feb 16 03:07:00 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 16 03:08:47 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200902161106.n1GB6u6j096214@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

30 problems total.

From jaikat at email.unc.edu Mon Feb 16 13:05:16 2009
From: jaikat at email.unc.edu (Jay Aikat)
Date: Mon Feb 16 13:05:22 2009
Subject: real-time queue stats every 5 sec
Message-ID: <4999C3CC.9040306@email.unc.edu>

Hi,

I am looking for an option, if there is one, with pfctl logging queue stats in real time.

My pf.conf file has the following:

altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)

I can see updated queue stats every 5 seconds with

pfctl -s queue -v -v

But is there an existing option to change this update to say a different delta of time? I need updates every sec if not every millisecond.

I have looked at pflogd output, but I don't see a way to distinguish which packets are queued and which ones are just passed on.

Thanks in advance for your help.
--Jay.

From ivanatora at gmail.com Mon Feb 16 13:25:42 2009
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Mon Feb 16 13:25:48 2009
Subject: real-time queue stats every 5 sec
In-Reply-To: <4999C3CC.9040306@email.unc.edu>
References: <4999C3CC.9040306@email.unc.edu>
Message-ID:

Check out `pftop`. It can display various stats from the packet filter. On screen number 6 or 7 you can see your queues in a nice tree-like hierarchical structure with current rate assigned and maximum bandwidth.

On Mon, Feb 16, 2009 at 9:51 PM, Jay Aikat wrote:
> Hi,
> I am looking for an option, if there is one, with pfctl logging queue
> stats in real time.
>
> My pf.conf file has the following:
> altq on $ext_if1 priq bandwidth 622Mb qlimit 65535 queue { tcp_q1 }
> queue tcp_q1 on $ext_if1 qlimit 65535 priq (default)
>
> I can see updated queue stats every 5 seconds with
> pfctl -s queue -v -v
>
> But is there an existing option to change this update to say a different
> delta of time? I need updates every sec if not every millisecond.
>
> I have looked at pflogd output, but I don't see a way to distinguish which
> packets are queued and which ones are just passed on. Thanks in advance for
> your help.
> --Jay.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From artis.caune at gmail.com Wed Feb 18 04:43:35 2009
From: artis.caune at gmail.com (Artis Caune)
Date: Wed Feb 18 04:43:42 2009
Subject: weighted rrd
Message-ID: <9e20d71e0902180421h74344e8epb3dbbb35687d5c7f@mail.gmail.com>

Hi,

I'm using redundant firewalls with carp and redirecting smtp traffic to internal cluster of boxes:

mx_external = "1.1.1.1"
table const { 10.0.0.1, 10.0.0.2 }
rdr on $ext_if proto tcp from to $mx_external port 25 -> round-robin

but problem is that some boxes are quad xeon, some old pentium 4 and I need to weight connection count on each box (just like cisco slb weight).

I can do it like this:

mx_external = "1.1.1.1"
mx_internal = "10.0.0.1, 10.0.0.1, 10.0.0.1, 10.0.0.1, 10.0.0.2"
table const { $mx_internal }   # 10.0.0.1 duplicates are skipped
rdr on $ext_if proto tcp from to $mx_external port 25 -> { $mx_internal } round-robin

So server 10.0.0.1 get 4 connections and server 10.0.0.2 only one.

It just works, but maybe there are some nicer way of how to configure this?

-- 
regards,
Artis Caune

    <----.  CCNA | BSDA
    <----|====================
    <----'        didii FreeBSD

From lawrence.auster at att.net Thu Feb 19 10:55:31 2009
From: lawrence.auster at att.net (Lawrence Auster)
Date: Thu Feb 19 10:55:43 2009
Subject: "My race is just nothing": Some thoughts on the political psychology of women
Message-ID: <20090219185519.HOKR8858.cdptpa-omta06.mail.rr.com@k4k6l>

"My race is just nothing": Some thoughts on the political psychology of women

By Kevin MacDonald
February 19, 2009

It seems that the signs of white dispossession are everywhere these days. Edmund Connelly describes how non-Jewish whites are being pushed out of elite institutions like Harvard. An article titled “The end of white America” catalogues the lack of cultural confidence of whites these days. It quotes a student who says “To be white is to be culturally broke." Writing in vdare.com, David A. Yeagley quotes one of his female students saying “Look ... I don’t see anything about my culture to be proud of. It’s all nothing. My race is just nothing.” Yeagley notes the Cheyenne saying, “A nation is never defeated until the hearts of its women are on the ground.” And he places this in the context of the recent election in which 46% of white women voted for Obama compared to 41% of white men.

These percentages are somewhat inflated because they include Jews and immigrants, such as South Asians, who are classified as white but do not identify with the European-American majority. Nevertheless, they do point to a significant gender gap. While it is certainly true that voting for McCain-Palin is not a sign of white consciousness — even implicitly, it is also the case that voting for Obama is a good sign of a lack of racial consciousness for European Americans. The good news, of course, is that a majority of white women did not vote for Obama. And, as Steve Sailer has shown for the 2004 election, if one separated out women who are married and have children, the results would show an even greater tendency to vote against Obama. Nevertheless, there is a real problem.
Those of us with some acquaintance with European-Americans who do have an explicit ethnic identity and a sense of their ethnic interests are quite aware that there is a very large sex ratio imbalance at gatherings of like-minded people. The attendees are almost all male — an exception being the redoubtable Virginia Abernethy. And there are stories of men who have stopped attending meetings or who provide support only in the most furtive manner, mainly because their wives are afraid that the attitudes of their husbands could become public and ruin their social life. Making such things public is just the sort of thing that organizations like the SPLC and the ADL love to do. Judith Warner of the New York Times describes the result of an informal "email inquiry" on women's reactions to Obama. Some imagined having sex with Obama and replacing Michelle Obama as First Lady. Others imagined themselves at social engagements with Obama. All wanted deeply to have some of the Obama aura rub off on them. Warner's email contacts doubtless reflect her liberal readership, but I wouldn't be at all surprised if they are quite general, especially among white women who voted for Obama. What does an evolutionary psychologist say about all this? Parenthetically, I realize that the great majority of Americans do not believe in evolution. Nevertheless, evolutionary theory is a very powerful and scientifically credible way of looking at human behavior. It is no accident that one of the main strands of Jewish intellectual activism over the last century has been to oppose evolutionary theory as an explanatory tool in the social sciences. Darwin did indeed have a dangerous idea — dangerous to Jews because it provides a rational grounding for the ethnic identity and interests of European-derived people. The evolutionary theory of sex is one of the bedrocks of evolutionary psychology — probably accounting for half of all the research in the field. 
The basic idea is simple: Females invest a relatively large amount of time and energy in reproduction. In the world we evolved in, the only way for women to reproduce was to endure a 38-week pregnancy and then nurse the child for an even longer period. Even after nursing, child care was mainly a female responsibility. Because women are committed to this very large investment, they become very valuable in the mating game. And because they are valuable, they become discriminating maters: Just as a worker who puts in more time and energy is in a better bargaining position than one who puts in little time and energy, women become the choosers in the mating game. And what do women want? Women are expected to want men who have high social status. From an evolutionary perspective, such men are attractive because they may be willing to provide valuable resources that would help in supporting the mother and raising the children. (When men do contribute resources, they also become choosy, but that's another story.) And even if a wealthy man does not provide resources, he is likely to have good genes — genes that predispose his children to be successful. In any case, women do indeed prefer wealthy, high-status men. For example, a recent study found that wealthy men give women more orgasms: "The pleasure women get from making love is directly linked to the size of their partner’s bank balance." Other research shows that women are likely to choose higher status men than their husbands when they have affairs, resulting in the possibility of a lower status male helping to raise the children of a higher-status male. What about the idea that evolutionary theory implies that people should be attracted to people who are genetically like themselves? Evolutionary theory predicts that women will be attracted to men who are genetically similar to themselves compared to men who are from a different race or ethnic group. 
For one thing, this makes them more closely related to their own children. The problem is that this attraction to genetically similar mates is only part of the story. It must compete with the tendency to be attracted to wealthy, powerful men. And quite clearly, the phenomenon where large numbers of white women fantasize about having a relationship with Obama reflects his power and social status, not attraction to a genetically similar person. The media is a major part of the hostile elite, so it is not surprising that it has played a leading role in the idolization of Obama — the slobbering love affair between the mainstream media and Obama. It's the same role that Edmund Connelly has called attention to in his writing on the images of blacks created by Hollywood in recent decades. Black action heroes are now household names, and more than one commentator has pointed out that there were several black presidents in the movies and on television long before Obama was elected. These images from the media tap into women's psychological attraction to high-status males. It was probably fairly common for white women to fantasize about having sex with Will Smith or Denzel Washington or even the "wise and saintly" Morgan Freeman long before the world had ever heard of Barack Obama. Another sex difference that contributes to women's political behavior is that women are generally more nurturant, affectionate, empathic, and caring than men. This is another aspect of female psychology that can easily be derived from evolutionary thinking — the vital importance of nurturing children and developing close family relationships in our evolutionary past. Thus it is not surprising that many of Judith Warner's women not only fantasize about having sex with Obama, they see themselves married to him and becoming first lady. They develop a close and caring relationship with him, or they see him as a good friend. 
I suppose this is also the reason why women are more likely than men to support social programs that promise to aid children and poor people. This relatively greater empathy and nurturance was certainly adaptive in a world of family groups and close relatives. But in the modern world, it can easily lead to maladaptive altruism and ignoring real dangers. For example, white women enamored of images of sexy, high-status black males are not informed by the mainstream media of the very large racial imbalance in crime, particularly black men raping white women. Another problem with women being relatively high in nurturance and empathy is that these traits are linked to greater compliance and greater inclination to seek the approval and affection of others. Again, these are very adaptive traits in the world of small groups and close relatives. But in a world dominated by elites that are hostile to the interests of whites, these traits can lead to mindless acceptance of anti-white cultural norms. Challenging social norms — even ones that are obviously against one's interests — carries a very high psychological cost to people who seek the approval and affection of others. This implies that once the intellectual and political movements described in The Culture of Critique had seized the intellectual and moral high ground, they became difficult indeed to dislodge. Challenging these norms brings accusations of moral turpitude ringing down from the most prestigious political, media and academic institutions of the society. People who seek the approval and affection of others are definitely not inclined to go there. This in turn may well be a large part of the explanation for why there are so few women at gatherings of European-Americans concerned about the future of their people and culture. This paints a fairly bleak picture. But there are some rays of hope. 
It is likely that at some point the gap between rhetoric and reality in American life will be so large that no one will believe what they are hearing from the hostile elites that dominate public discourse — much like the Soviet Union in the decades before its fall. When that happens, the cultural icons promoted by the media will lose their credibility and allure as well. And because of the internet, the opportunity to hear divergent opinions and become aware of information that is suppressed by the mainstream media has never been better. All around us we can see the collapse and increasing irrelevance of the old media. The internet has already created communities where prestige and social approval can be obtained completely outside the norms created by our hostile elites. And at least some of these communities are dedicated to transforming America by asserting the legitimacy of white identities and interests.

The dispossession of whites is already substantial, but it promises to be a whole lot more obvious as time goes on. As whites become a minority, it is difficult to imagine that they won't develop more of a group consciousness and challenge the prevailing anti-white norms. And that includes even the more nurturant and empathic among us.

Source with hyperlinks : http://www.theoccidentalobserver.net/articles/MacDonald-Women.html

-------------------------------------
You or someone using your email address is currently subscribed to Lawrence Auster's Newsletter. If you wish to unsubscribe from our mailing list, please let us know by calling to 1 212 865 1284

Thanks,
Lawrence Auster, 238 W 101 St Apt. 3B New York, NY 10025
Contact : lawrence.auster@att.net
-------------------------------------

From valentin.bud at gmail.com Mon Feb 23 00:31:23 2009
From: valentin.bud at gmail.com (Valentin Bud)
Date: Mon Feb 23 00:31:30 2009
Subject: a "strange" question about OSs
Message-ID: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>

Hello Community,

The following question may sound very awkward but what OS is suitable from the following list to replace FBSD:

- OpenSUSE 10.3
- Debian 4.0
- CentOS 5

The company I work for wants to change the provider because of the economical crisis to save some money. The actual provider gave us the chance to install our OS but the one they chose as a replacement doesn't give any other choice besides the above mentioned.

I work for 2 years in IT and FBSD is the only OS I have ever used in production. I like it and learned it a little bit. It is going to be a steep learning curve with the new OS which I'm not afraid of but I would like to choose a suitable OS and one that has some similarities with FBSD.

thank you,
v

From bugmaster at FreeBSD.org Mon Feb 23 03:06:57 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 23 03:08:44 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200902231106.n1NB6uFW055592@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

30 problems total.

From britneyfreek at googlemail.com Mon Feb 23 08:18:17 2009
From: britneyfreek at googlemail.com (britneyfreek)
Date: Mon Feb 23 08:18:23 2009
Subject: a "strange" question about OSs
In-Reply-To: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
References: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
Message-ID: <2ad621ab0902230747w31b05455jcc8368b3a891385@mail.gmail.com>

linux is in many ways very similar to bsd. i'd suggest using debian as it is known to be very stable. and better use debian 5.0 (aka 'lenny') which is the current stable release. if you like more up-to-date software _and_ a high level of stability, try testing (currently called 'squeeze') - or completely switch to ubuntu server (debian-based distro). there are people saying _not_ to use anything other than stable in production but i've made only positive experiences with testing in production environments - provided that you know what you're doing with the system.

- b

2009/2/23 Valentin Bud
> Hello Community,
>
> The following question may sound very awkward but what OS is suitable from
> the following list to replace FBSD:
>
> - OpenSUSE 10.3
> - Debian 4.0
> - CentOS 5
>
> The company I work for wants to change the provider because of the
> economical crisis to save some money. The actual provider gave us the
> chance to install our OS but the one they chose as a replacement doesn't
> give any other choice besides the above mentioned.
>
> I work for 2 years in IT and FBSD is the only OS I have ever used in
> production. I like it and learned it a little bit. It is going to be a
> steep learning curve with the new OS which I'm not afraid of but I would
> like to choose a suitable OS and one that has some similarities with FBSD.
>
> thank you,
> v
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From max at love2party.net Mon Feb 23 09:23:06 2009
From: max at love2party.net (Max Laier)
Date: Mon Feb 23 09:23:13 2009
Subject: a "strange" question about OSs
In-Reply-To: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
References: <139b44430902230006q310a2a39gb9f7ea9fe3ad0953@mail.gmail.com>
Message-ID: <200902231823.04018.max@love2party.net>

Hello Valentin,

first off - this is the completely wrong mailing list! Please refrain from further requests to it in relation to this or similar request. To your question ...

On Monday 23 February 2009 09:06:12 Valentin Bud wrote:
> The following question may sound very awkward but what OS is suitable from
> the following list to replace FBSD:
>
> - OpenSUSE 10.3
> - Debian 4.0
> - CentOS 5

CentOS seems to be the only one of these to be at least somewhat current - both SuSE and Debian have released newer *major* versions meanwhile. CentOS is at 5.2, which only has kernel-2.6.18 however.

> The company I work for wants to change the provider because of the
> economical crisis to save some money. The actual provider gave us the
> chance to install our OS but the one they chose as a replacement doesn't
> give any other choice besides the above mentioned.

I personally would stay clear of any provider that is offering only the above choice. IMHO, it rules them out as rather unprofessional.

> I work for 2 years in IT and FBSD is the only OS I have ever used in
> production. I like it and learned it a little bit. It is going to be a
> steep learning curve with the new OS which I'm not afraid of but I would
> like to choose a suitable OS and one that has some similarities with FBSD.

If you are concerned with firewall setup (as this is a mailing list pertaining to a *BSD specific firewall software: PF) you won't find a suitable replacement in the linux world. Linux uses iptables to manage the packet filter which is completely different from pf in design and setup and you will probably have to start from scratch to learn how to use it.
OTOH, you might find the following links helpful:
http://www.daemonology.net/blog/2008-01-29-depenguinator-2.0.html
http://www.daemonology.net/depenguinator/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From 000.fbsd at quip.cz Mon Feb 23 16:30:50 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Mon Feb 23 16:30:57 2009
Subject: can't connect from jail to jail itself with binat
Message-ID: <49A33C2B.1090707@quip.cz>

I have problem with connections from Jail with binat. I can connect to jailed services from outside, I can connect to outside world from jail, but I cannot connect from jail to jailed services by public IP. (for example, connection to www.mysite.tld resolved to IP 1.2.3.4 is blocked)

The jail itself has IP 172.16.20.3 on interface lo1. Host machine has secondary public IP 1.2.3.4 (just an example) on bge1 translated with binat.

--- simplified ruleset ---
ext_if="bge1"
ext_addr_1="1.2.3.4"
jail_if="lo1"
jail_addr_1="172.16.20.3"
jail_tcp_1_inports="{ 21, 22, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"

binat on $ext_if from $jail_addr_1 to any -> $ext_addr_1

block log

pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state
pass in on $ext_if inet proto tcp from any to $jail_addr_1 port $jail_tcp_1_inports
pass on $jail_if inet from $jail_addr_1 to $jail_addr_1
--- simplified ruleset ---

I played a bit with pflog and adding some pass rules (like 'pass out on $jail_if') but without any luck. pflog is still reporting:

block out on lo1: (tos 0x0, ttl 64, id 10143, offset 0, flags [DF], proto TCP (6), length 40) 1.2.3.4.80 > 172.16.20.3.57670:

Is there any way to allow this type of traffic?

(FreeBSD 7.1-RELEASE i386)

Miroslav Lachman

From peterjeremy at optushome.com.au Wed Feb 25 03:57:41 2009
From: peterjeremy at optushome.com.au (Peter Jeremy)
Date: Wed Feb 25 03:57:50 2009
Subject: PF + ALTQ - Bandwidth per customer
In-Reply-To: <596e4ca92b10c5b088934cc8f48a0bdc.squirrel@cygnus.homeunix.com>
References: <76463C1E8CB14B958088F7E54C611560@ashevchenko>
	<493634DA.7000408@infoweapons.com>
	<20081203071940.324735uokbfgyh6o@econet.encontacto.net>
	<4993EB42.2020503@uffner.com>
	<20090212063141.11024jm7bsi7shio@econet.encontacto.net>
	<49952803.80404@uffner.com>
	<20090213045231.18054m16fhi70z6s@econet.encontacto.net>
	<596e4ca92b10c5b088934cc8f48a0bdc.squirrel@cygnus.homeunix.com>
Message-ID: <20090225063131.GA31601@server.vk2pj.dyndns.org>

On 2009-Feb-13 16:58:39 -0200, Nenhum_de_Nos wrote:
>if you get to use pf+dummynet for real please broadcast. I once searched
>for it but no luck in finding :)

I'm using it at work to do WAN simulation for system testing. The patches are a bit rough around the edges but mostly work. The major change I needed to make was to modify the patch to associate a pair of pipes with each rule (so that traffic in each direction is handled separately).

-- 
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090225/9506d500/attachment.pgp

From artis.caune at gmail.com Wed Feb 25 04:35:31 2009
From: artis.caune at gmail.com (Artis Caune)
Date: Wed Feb 25 04:35:37 2009
Subject: openbsd spamd is leaking memory?
Message-ID: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com>

Hi,

we are running spamd-4.1.2 on amd64 boxes for a week now and one of it's processes are getting bigger and bigger:

spamd: (pf update) (spamd)
SIZE: 836M
RES: 773M

we use redundant firewalls and they have the same problem.

grey count is 500'000 - 1'000'000
white count is 80'000 and growing
200 - 600 concurrent connections to spamd
/var/db/spamd is 170M

I look at spamd/grey.c and found that while traversing SLIST in do_changes() function, entry is removed from head but not freed:

	while (!SLIST_EMPTY(&db_changes)) {
		dbc = SLIST_FIRST(&db_changes);
		...
		free(dbc->key);
		free(dbc->data);
		SLIST_REMOVE_HEAD(&db_changes, entry);
	}

there is no "free(dbc);"

-- 
regards,
Artis Caune

    <----.  CCNA | BSDA
    <----|====================
    <----'        didii FreeBSD

From max at love2party.net Wed Feb 25 05:42:50 2009
From: max at love2party.net (Max Laier)
Date: Wed Feb 25 05:43:08 2009
Subject: openbsd spamd is leaking memory?
In-Reply-To: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com>
References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com>
Message-ID: <200902251442.43794.max@love2party.net>

Hello Artis,

looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, that's you, right?) From a quick glance there is also a minor leak in readsuffixlists in the goto bad case.

On Wednesday 25 February 2009 13:35:29 Artis Caune wrote:
> we are running spamd-4.1.2 on amd64 boxes for a week now and one of
> it's processes are getting bigger and bigger:
> spamd: (pf update) (spamd)
> SIZE: 836M
> RES: 773M
>
> we use redundant firewalls and they have the same problem.
>
> grey count is 500'000 - 1'000'000
> white count is 80'000 and growing
> 200 - 600 concurrent connections to spamd
> /var/db/spamd is 170M
>
> I look at spamd/grey.c and found that while traversing SLIST in
> do_changes() function, entry is removed from head but not freed:
>         while (!SLIST_EMPTY(&db_changes)) {
>                 dbc = SLIST_FIRST(&db_changes);
>                 ...
>                 free(dbc->key);
>                 free(dbc->data);
>                 SLIST_REMOVE_HEAD(&db_changes, entry);
>         }
>
> there is no "free(dbc);"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From artis.caune at gmail.com Wed Feb 25 06:10:06 2009
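Both leaks discussed in this thread have the same shape: a loop pops SLIST nodes with SLIST_REMOVE_HEAD, frees what they point to (or nothing at all, in the readsuffixlists() `match_suffix` case Max mentions), and never frees the node itself, so a long-running daemon grows by one node per greylist update. The following is an added, self-contained C example, not spamd's code and not the patches posted here: it carries a local copy of the few <sys/queue.h> SLIST macros it needs, a counting allocator, and constructed change records, and it returns the number of heap blocks still outstanding so the leak is measured directly rather than inferred from the process RES size. Struct field names follow the snippet quoted on the list; the rest of spamd's `struct db_change` is omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copy of the BSD <sys/queue.h> SLIST macros grey.c uses (same semantics). */
#define SLIST_HEAD(name, type)  struct name { struct type *slh_first; }
#define SLIST_ENTRY(type)       struct { struct type *sle_next; }
#define SLIST_INIT(head)        ((head)->slh_first = NULL)
#define SLIST_FIRST(head)       ((head)->slh_first)
#define SLIST_EMPTY(head)       (SLIST_FIRST(head) == NULL)
#define SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
#define SLIST_INSERT_HEAD(head, elm, field) do {                \
        SLIST_NEXT((elm), field) = SLIST_FIRST((head));         \
        SLIST_FIRST((head)) = (elm); } while (0)
#define SLIST_REMOVE_HEAD(head, field) do {                     \
        SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); } while (0)

/* Queued greylist update; only the fields named on the list are modelled. */
struct db_change {
        SLIST_ENTRY(db_change) entry;
        char   *key;
        void   *data;
        size_t  dsiz;
        int     act;
};
SLIST_HEAD(db_change_list, db_change);

/* Counting allocator: the leak is measured as blocks never returned. */
static long live_blocks;

static void *xmalloc(size_t n)
{
        void *p = malloc(n);
        if (p == NULL)
                abort();
        live_blocks++;
        return p;
}

static void xfree(void *p)
{
        if (p != NULL) {
                live_blocks--;
                free(p);
        }
}

/* Queue n constructed records (three heap blocks each: record, key, data). */
static void queue_changes(struct db_change_list *head, int n)
{
        char key[32];
        int i;

        for (i = 0; i < n; i++) {
                struct db_change *dbc = xmalloc(sizeof(*dbc));
                snprintf(key, sizeof(key), "192.0.2.%d", i % 256); /* constructed key */
                dbc->key = xmalloc(strlen(key) + 1);
                memcpy(dbc->key, key, strlen(key) + 1);
                dbc->dsiz = 16;
                dbc->data = xmalloc(dbc->dsiz);
                dbc->act = 0;
                SLIST_INSERT_HEAD(head, dbc, entry);
        }
}

/* Drain loop as reported for spamd-4.1.2 do_changes(): payload freed, node
 * unlinked, node itself never freed. fixed=1 adds the missing free after the
 * unlink (order matters: SLIST_REMOVE_HEAD reads the node's next pointer). */
static void drain(struct db_change_list *head, int fixed)
{
        struct db_change *dbc;

        while (!SLIST_EMPTY(head)) {
                dbc = SLIST_FIRST(head);
                xfree(dbc->key);
                xfree(dbc->data);
                SLIST_REMOVE_HEAD(head, entry);
                if (fixed)
                        xfree(dbc);     /* the one line the patches add */
        }
}

/* Queue n records, drain them, and return the heap blocks still outstanding:
 * n for the leaky loop (one node per update), 0 once the free is in place. */
long blocks_outstanding(int n, int fixed)
{
        struct db_change_list head;

        SLIST_INIT(&head);
        live_blocks = 0;
        queue_changes(&head, n);
        drain(&head, fixed);
        return live_blocks;
}

int main(void)
{
        printf("leaky drain: %ld nodes leaked per pass\n", blocks_outstanding(1000, 0));
        printf("fixed drain: %ld nodes leaked per pass\n", blocks_outstanding(1000, 1));
        return 0;
}
```

With 500'000 to 1'000'000 grey entries churning through do_changes(), one leaked `struct db_change` per update is enough to account for a process that grows without bound; the same counting wrapper, applied around malloc/free in a test build, is a cheap way to confirm a suspected drain-loop leak before reaching for a full leak checker.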
From: artis.caune at gmail.com (Artis Caune) Date: Wed Feb 25 06:10:12 2009 Subject: openbsd spamd is leaking memory? In-Reply-To: <200902251442.43794.max@love2party.net> References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> Message-ID: <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com> 2009/2/25 Max Laier : > Hello Artis, > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, > that's you, right?) From a quick glance there is also a minor leak in > readsuffixlists in the goto bad case. > I'm running spamd with this patch more than 2h and no leaks :) --- grey.c.orig 2008-12-07 23:12:52.000000000 +0200 +++ grey.c 2009-02-25 15:22:48.000000000 +0200 @@ -512,7 +512,8 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); - + free(dbc); + dbc = NULL; } return(ret); } -- regards, Artis Caune <----. CCNA | BSDA <----|==================== <----' didii FreeBSD From beck at ualberta.ca Wed Feb 25 08:23:35 2009 From: beck at ualberta.ca (Bob Beck) Date: Wed Feb 25 08:23:41 2009 Subject: openbsd spamd is leaking memory? In-Reply-To: <200902251442.43794.max@love2party.net> References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> Message-ID: <20090225155156.GN15982@bofh.cns.ualberta.ca> * Max Laier [2009-02-25 06:43]: > Hello Artis, > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, > that's you, right?) From a quick glance there is also a minor leak in > readsuffixlists in the goto bad case. Yeah you're right max, in fact there are three possibilities for a slow leak.. try this: Index: grey.c =================================================================== RCS file: /cvs/src/libexec/spamd/grey.c,v retrieving revision 1.45 diff -u grey.c --- grey.c 7 Dec 2008 21:12:52 -0000 1.45 +++ grey.c 25 Feb 2009 15:46:09 -0000 
@@ -315,8 +315,11 @@ size_t len; struct mail_addr *m; - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } if ((fp = fopen(alloweddomains_file, "r")) != NULL) { while ((buf = fgetln(fp, &len))) { if (buf[len-1] == '\n') @@ -337,8 +340,11 @@ } return; bad: - while (!SLIST_EMPTY(&match_suffix)) + while (SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } } void @@ -512,6 +518,7 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); + free(dbc); } return(ret); From beck at ualberta.ca Wed Feb 25 08:45:53 2009 From: beck at ualberta.ca (Bob Beck) Date: Wed Feb 25 08:46:00 2009 Subject: openbsd spamd is leaking memory? In-Reply-To: <20090225155156.GN15982@bofh.cns.ualberta.ca> References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <20090225155156.GN15982@bofh.cns.ualberta.ca> Message-ID: <20090225164552.GW15982@bofh.cns.ualberta.ca> * Bob Beck [2009-02-25 08:52]: > > > * Max Laier [2009-02-25 06:43]: > > Hello Artis, > > > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, > > that's you, right?) From a quick glance there is also a minor leak in > > readsuffixlists in the goto bad case. > > Yeah you're right max, in fact there are three possibilities for > a slow leak.. try this: > actually, try this - dropped a ! in the earlier one. sorry :) -Bob Index: grey.c =================================================================== RCS file: /cvs/src/libexec/spamd/grey.c,v retrieving revision 1.45 diff -u grey.c --- grey.c 7 Dec 2008 21:12:52 -0000 1.45 +++ grey.c 25 Feb 2009 16:33:57 -0000 
@@ -315,8 +315,11 @@ size_t len; struct mail_addr *m; - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } if ((fp = fopen(alloweddomains_file, "r")) != NULL) { while ((buf = fgetln(fp, &len))) { if (buf[len-1] == '\n') @@ -337,8 +340,11 @@ } return; bad: - while (!SLIST_EMPTY(&match_suffix)) + while (!SLIST_EMPTY(&match_suffix)) { + m = SLIST_FIRST(&match_suffix); SLIST_REMOVE_HEAD(&match_suffix, entry); + free(m); + } } void @@ -512,6 +518,7 @@ dbc->act = 0; dbc->dsiz = 0; SLIST_REMOVE_HEAD(&db_changes, entry); + free(dbc); } return(ret); @@ -737,8 +744,8 @@ if (r) goto bad; if (debug) From max at love2party.net Wed Feb 25 11:50:07 2009 From: max at love2party.net (Max Laier) Date: Wed Feb 25 11:50:13 2009 Subject: openbsd spamd is leaking memory? In-Reply-To: <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com> References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com> Message-ID: <200902252050.02682.max@love2party.net> On Wednesday 25 February 2009 15:10:04 Artis Caune wrote: > 2009/2/25 Max Laier : > > Hello Artis, > > > > looks like a valid catch to me. I'm CC'ing the upstream maintainer (Bob, > > that's you, right?) From a quick glance there is also a minor leak in > > readsuffixlists in the goto bad case. Bob Beck has meanwhile committed the slightly more encompassing fix which can be obtained via webcvs: http://www.openbsd.org/cgi- bin/cvsweb/src/libexec/spamd/grey.c.diff?r1=1.45;r2=1.46 Alex, do you have time to roll a new release or would you prefer the patch applied via the ports patch facilities? > I'm running spamd with this patch more than 2h and no leaks :) > > > > --- grey.c.orig 2008-12-07 23:12:52.000000000 +0200 > +++ grey.c 2009-02-25 15:22:48.000000000 +0200 
> @@ -512,7 +512,8 @@ > dbc->act = 0; > dbc->dsiz = 0; > SLIST_REMOVE_HEAD(&db_changes, entry); > - > + free(dbc); > + dbc = NULL; > } > return(ret); > }
-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

From andrew.daugherity at gmail.com Wed Feb 25 15:09:16 2009
From: andrew.daugherity at gmail.com (Andrew Daugherity)
Date: Wed Feb 25 15:09:23 2009
Subject: carp vs. devd, and advskew lossage
In-Reply-To: <38ce25da0901271659m2b6d8a1fg2e425df93781f6f5@mail.gmail.com>
References: <38ce25da0901271659m2b6d8a1fg2e425df93781f6f5@mail.gmail.com>
Message-ID: <38ce25da0902251509s47ea139etd61bd939e2ea4300@mail.gmail.com>

On Tue, Jan 27, 2009 at 6:59 PM, Andrew Daugherity wrote:
> Summary: devd unnecessarily reconfigures carp interfaces, and
> "/etc/rc.d/netif start carp0" loses the advskew setting when an IP
> assigned to carp0 is configured on gif0. This is probably two
> separate bugs.

Well, since I seem to have stumped everyone, and have been able to replicate
the problem on 6.2/i386, I have filed two bugs on the matter: kern/132107 and
bin/132112.

From tom at uffner.com Thu Feb 26 00:24:03 2009
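The drain loops from the grey.c patches in the spamd thread above, as an added stand-alone example (not spamd code and not anything posted in the thread): it contrasts the unlink-only loop that leaked with the SLIST_FIRST / SLIST_REMOVE_HEAD / free pattern Bob committed, under a small constructed allocation-tracking harness so the leak is measurable instead of only visible in top. The `slot` field, `tracked[]` and `leaked_after()` are harness inventions, not part of spamd.

```c
/* Added example, not spamd code: why the grey.c drain loops leaked and how
 * the committed fix stops it. Names mirror the patch (mail_addr, match_suffix);
 * tracked[] and the slot field are a hypothetical leak-check harness. Needs a
 * BSD-style <sys/queue.h>, present on the BSDs and glibc. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct mail_addr {
    char addr[64];
    int slot;                        /* index in tracked[], harness only */
    SLIST_ENTRY(mail_addr) entry;
};
SLIST_HEAD(suffixhead, mail_addr);
static struct mail_addr *tracked[4096]; /* every allocation not yet freed */
static int ntracked;

/* Fill the list with n constructed suffixes, as readsuffixlists does per re-read. */
static void fill_suffixes(struct suffixhead *head, int n)
{
    for (int i = 0; i < n; i++) {
        struct mail_addr *m = calloc(1, sizeof(*m));
        if (m == NULL || ntracked == 4096) abort();
        snprintf(m->addr, sizeof(m->addr), "@example%d.test", i);
        m->slot = ntracked; tracked[ntracked++] = m;
        SLIST_INSERT_HEAD(head, m, entry);
    }
}
/* Pre-fix behaviour: SLIST_REMOVE_HEAD only unlinks, so the list ends up
 * empty while every element stays allocated. */
static void drain_leaky(struct suffixhead *head)
{
    while (!SLIST_EMPTY(head))
        SLIST_REMOVE_HEAD(head, entry);
}
/* Committed pattern: take the head pointer before unlinking, then free it.
 * The `!` matters: without it an empty list makes SLIST_FIRST return NULL. */
static void drain_fixed(struct suffixhead *head)
{
    while (!SLIST_EMPTY(head)) {
        struct mail_addr *m = SLIST_FIRST(head);
        SLIST_REMOVE_HEAD(head, entry);
        tracked[m->slot] = NULL;     /* harness: mark as released */
        free(m);
    }
}
/* Simulate `rounds` re-reads of n suffixes, report how many entries were
 * never freed (rounds * n with the leaky drain, 0 with the fix) and release
 * them so the harness itself leaks nothing. */
int leaked_after(int rounds, int n, int use_fix)
{
    struct suffixhead head;
    int leaked = 0;
    SLIST_INIT(&head);
    for (int r = 0; r < rounds; r++) {
        fill_suffixes(&head, n);
        if (use_fix) drain_fixed(&head); else drain_leaky(&head);
    }
    for (int i = 0; i < ntracked; i++)
        if (tracked[i] != NULL) { leaked++; free(tracked[i]); }
    ntracked = 0;
    return leaked;
}
```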
From: tom at uffner.com (Tom Uffner)
Date: Thu Feb 26 00:24:10 2009
Subject: status of carpdev?
In-Reply-To: <49913D89.8010801@uffner.com>
References: <49913D89.8010801@uffner.com>
Message-ID: <49A65199.9080305@uffner.com>

Tom Uffner wrote:
> what happened with the effort to port "ifconfig ... carpdev ..." to
> FreeBSD?
>
> the last messages mentioning it were posted a bit more than a year ago.
> if i remember correctly, there was a patch for IPv4 only. it was considered
> Beta test quality and a few people were using it. but since then i have not
> seen it mentioned anywhere, and nothing has been committed.
>
> what is the status, and is there a usable patch for 7.1?

answering my own question, sort of...

the most recent incarnation of Max's carpdev patch that I can find is
http://docs.freebsd.org/cgi/mid.cgi?200712091835.33608.max

it applies almost cleanly to recent RELENG_7 - there are rejects in one
file, but they are pretty obvious and easy to fix. but building a kernel
fails in sys/netinet/ip_carp.c:

cc1: warnings being treated as errors
/usr/src/sys/netinet/ip_carp.c: In function 'carp_setroute':
/usr/src/sys/netinet/ip_carp.c:394: warning: assignment from incompatible pointer type
*** Error code 1

this is due to the multiple routing table changes, and the break most
likely occurred here:

----------------------------
revision 1.120.2.4
date: 2008/07/24 01:13:22; author: julian; state: Exp; lines: +355 -95
SVN rev 180774 on 2008-07-24 01:13:22Z by julian

MFC an ABI compatible implementation of Multiple routing tables.
See the commit message for
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/route.c
version 1.129 (svn change # 178888) for more info.

Obtained from: Ironport (Cisco Systems)
----------------------------

so, no. there is not a usable patch for 7.1.

I am not very familiar with the implications of this change. Is it
feasible to just ignore it and use row 0 of rt_tables[][] ? Or do I
need to do something more sophisticated?
what are the chances of getting this patch updated, or even better,
completed & committed? i have neither the time nor the knowledge to
attempt to code the IPv6 bits, but I would be willing to test (for IPv4)
on a production firewall pair, and maybe try v6 on a test network.

tom

From ohauer at gmx.de Thu Feb 26 01:24:46 2009
From: ohauer at gmx.de (Olli Hauer)
Date: Thu Feb 26 01:24:53 2009
Subject: openbsd spamd is leaking memory?
In-Reply-To: <200902252050.02682.max@love2party.net>
References: <9e20d71e0902250435y6e090fb0rc138233242fe7d60@mail.gmail.com> <200902251442.43794.max@love2party.net> <9e20d71e0902250610l62a42a99t5b9683aefb08c7cf@mail.gmail.com> <200902252050.02682.max@love2party.net>
Message-ID: <20090226085805.27980@gmx.net>

> On Wednesday 25 February 2009 15:10:04 Artis Caune wrote:
> > 2009/2/25 Max Laier :
> > > Hello Artis,
> > >
> > > looks like a valid catch to me. I'm CC'ing the upstream maintainer
> (Bob,
> > > that's you, right?) From a quick glance there is also a minor leak in
> > > readsuffixlists in the goto bad case.
>
> Bob Beck has meanwhile committed the slightly more encompassing fix which
> can
> be obtained via webcvs:
> http://www.openbsd.org/cgi-
> bin/cvsweb/src/libexec/spamd/grey.c.diff?r1=1.45;r2=1.46
>
> Alex, do you have time to roll a new release or would you prefer the patch
> applied via the ports patch facilities?
>
> > I'm running spamd with this patch more than 2h and no leaks :)
> >
> >
> >
> > --- grey.c.orig 2008-12-07 23:12:52.000000000 +0200
> > +++ grey.c 2009-02-25 15:22:48.000000000 +0200
> > @@ -512,7 +512,8 @@ > > dbc->act = 0; > > dbc->dsiz = 0; > > SLIST_REMOVE_HEAD(&db_changes, entry); > > - > > + free(dbc); > > + dbc = NULL; > > } > > return(ret); > > }
> > --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News

Hi Max/Alex,

I prefer a patch in the ports since I updated the code to OpenBSD 4.3 and
the sync protocol is not compatible with the old one.

At the moment the code in svn is based on OpenBSD 4.3 + additional
patches/features which I sent nearly one year ago to tech@ but they were
not committed (spamdb with sync feature for example).

I will look whether I find the time next week to finish the update to
OpenBSD version 4.4 and then we can roll out a new version.

Regards,
olli

From link at ngc.net.ua Fri Feb 27 04:40:21 2009
From: link at ngc.net.ua (Link)
Date: Fri Feb 27 04:40:27 2009
Subject: freebsd 7.1 pf route-to connection stall
Message-ID: <49A7D547.9040801@ngc.net.ua>

Hello all,

my problems began after migration from free 6.3 to 7.1

I use only one rule:

pass out on $if1 route-to ($if0 $if0_gw) from $if0 to any

After upgrade to 7.0 i found that i should add "no state"

Now using scp i can download from server, but i can't upload via $if0
interface. Connection stalls...

wbr,
Link

From tom at uffner.com Fri Feb 27 13:32:34 2009
From: tom at uffner.com (Tom Uffner)
Date: Fri Feb 27 13:32:40 2009
Subject: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49A8177B.9010209@ngc.net.ua>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua>
Message-ID: <49A85BD4.7050105@uffner.com>

Link wrote:
> Tom Uffner wrote:
>> i'm having trouble making sense of that rule. could you explain (or maybe
>> draw a simple diagram) what you are trying to accomplish with it?

> Seems that i found the problem. And I'm going to post it to freebsd bugs.

you're probably better off staying on freebsd-pf

> My full configuration is:
>
> if_bce0="bce0"
> if_bce0_gw="172.20.51.1"
> if_bce1="bce1"
>
> scrub in all
>
> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
> any no state flags any
>
> The sense is: when packet comes in on bce0 server should ignore default
> route ( set on bce1 ) and reply via bce0 using gateway if_bce0_gw

just guessing (based on very incomplete info) you might want
"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any"

but it seems like there should be a simpler way to do that.

can you give us a little more info about your net topology? for example,
what IP addresses, if any, are bound to the interfaces? what network(s)
are directly attached? location(s)/address(es) of your router(s)? do you
have any static routes defined?

> Now i have about 15 hosts with freebsd 7.1
> Part of them are p2 and part of them p3
> This problem appears only in p3

not sure why the chipset would make a difference. maybe that is a bug.

tom

From linimon at FreeBSD.org Fri Feb 27 14:30:41 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Fri Feb 27 14:30:53 2009
Subject: misc/132176: [pf] pf stalls connection when using route-to
Message-ID: <200902272230.n1RMUept085174@freefall.freebsd.org>

Old Synopsis: pf stalls connection when using route-to
New Synopsis: [pf] pf stalls connection when using route-to

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Feb 27 22:30:13 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=132176

From link at ngc.net.ua Sat Feb 28 02:32:13 2009
From: link at ngc.net.ua (Zinevich Denis)
Date: Sat Feb 28 02:32:19 2009
Subject: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49A85BD4.7050105@uffner.com>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com>
Message-ID: <49A8FED7.3000603@ngc.net.ua>

"pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
work. But anyway the question is not in the syntax of the rules, because
nobody touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3

Network is quite simple.
Server has 2 cards bce0 and bce1
bce0 - 172.20.51.10
bce1 - 172.20.1.130
default gw - 172.20.1.1
networks are /24

As i described before, the goal of my rule is to ignore the default route
when a request comes in on 172.20.51.10.
Without such a rule the reply will go to 172.20.1.1 and with the pf rule it
will go out to 172.20.51.1 via bce0.
For example a similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from 172.20.51.10 to any

Maybe I misunderstood something in your reply... But i was not talking
about the chipset, I was talking about the patch level of freebsd. and such
behaviour appears only in 7.1-p3

Tom Uffner wrote:
> Link wrote:
>> Tom Uffner wrote:
>
>>> i'm having trouble making sense of that rule. could you explain (or
>>> maybe
>>> draw a simple diagram) what you are trying to accomplish with it?
>
>> Seems that i found the problem. And I'm going to post it to freebsd bugs.
>
> you're probably better off staying on freebsd-pf
>
>> My full configuration is:
>>
>> if_bce0="bce0"
>> if_bce0_gw="172.20.51.1"
>> if_bce1="bce1"
>>
>> scrub in all
>>
>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>> any no state flags any
>>
>> The sense is: when packet comes in on bce0 server should ignore
>> default route ( set on bce1 ) and reply via bce0 using gateway if_bce0_gw
>
> just guessing (based on very incomplete info) you might want
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any"
>
> but it seems like there should be a simpler way to do that.
>
> can you give us a little more info about your net topology? for example,
> what IP addresses, if any, are bound to the interfaces? what network(s)
> are directly attached? location(s)/address(es) of your router(s)? do you
> have any static routes defined?
>
>> Now i have about 15 hosts with freebsd 7.1
>> Part of them are p2 and part of them p3
>> This problem appears only in p3
>
> not sure why the chipset would make a difference. maybe that is a bug.
>
> tom

From artis.caune at gmail.com Sat Feb 28 04:46:44 2009
From: artis.caune at gmail.com (Artis Caune)
Date: Sat Feb 28 04:46:51 2009
Subject: Issues with PF and 7.1
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605658786@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan> <200901231904.22558.max@love2party.net> <17838240D9A5544AAA5FF95F8D52031605658786@ad-exh01.adhost.lan>
Message-ID: <9e20d71e0902280446n4a49e693p70930dd88a349568@mail.gmail.com>

2009/1/24 Michael K. Smith - Adhost :
> Thanks for the info. In stages, we upped the vm.kmem_size_max from 300M
> to 1536M after modifying the kernel (we actually tried 2048M but that
> caused a panic). With the 1536M setting the 'DIOCADDRULE: Cannot allocate
> memory' doesn't occur anymore, but we still have to flush the tables
> manually when the system comes up. Now, at least, the flush actually
> works and PF loads successfully, but only after we do the flush on all
> the tables. As you can imagine, this is not optimal for unattended/random
> reboots, which we see about 3 times a week.

You are running i386? (if you have modified the kernel)
Can you try to edit i386/include/pmap.h and change NKPT to 128 and
recompile the kernel.

-- 
regards,
Artis Caune

    <----.  CCNA | BSDA
    <----|====================
    <----'  didii FreeBSD

From tom at uffner.com Sat Feb 28 14:34:40 2009
From: tom at uffner.com (Tom Uffner)
Date: Sat Feb 28 14:34:47 2009
Subject: freebsd 7.1 pf route-to connection stall
In-Reply-To: <49A8FED7.3000603@ngc.net.ua>
References: <49A7D547.9040801@ngc.net.ua> <49A811D4.5030900@uffner.com> <49A8177B.9010209@ngc.net.ua> <49A85BD4.7050105@uffner.com> <49A8FED7.3000603@ngc.net.ua>
Message-ID: <49A9BBF5.1060706@uffner.com>

Zinevich Denis wrote:
> "pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) to any" will not
> work. But anyway question is not in syntax of rules, because nobody
> touched it and it was working on 6.3, 7.1-p2, but not on 7.1-p3
>
> Network is quite simple.
> Server has 2 cards bce0 and bce1
> bce0 - 172.20.51.10
> bce1 - 172.20.1.130
> default gw - 172.20.1.1
> networks are /24
>
> As i described before goal of my rule is to ignore default route when
> request comes on 172.20.51.10.
> Without such rule reply will go to 172.20.1.1 and with pf rule it will
> go out to 172.20.51.1 via bce0.
> For example similar rule for ipfw: ipfw add 1 fwd 172.20.51.1 from
> 172.20.51.10 to any
>
>> Link wrote:
>>> My full configuration is:
>>>
>>> if_bce0="bce0"
>>> if_bce0_gw="172.20.51.1"
>>> if_bce1="bce1"
>>>
>>> scrub in all
>>>
>>> pass out on $if_bce1 route-to ($if_bce0 $if_bce0_gw) from $if_bce0 to
>>> any no state flags any

I apologize for misunderstanding the part of your reply about FreeBSD 7.1
patchlevels. I realized my error too late after i had sent the message.

The simplest way to do what you want doesn't involve a firewall at all.
simply configure the devices on the 172.20.51/24 network with the
following routes:

Destination     Gateway
default         172.20.51.1
172.20.1/24     172.20.51.10

if this is not possible for some reason and you must bounce them through
the firewall, i think the rules you want are:

pass in quick on $if_bce0 from any to { 172.20.51.10 172.20.1/24 }
pass in on $if_bce0 route-to ($if_bce0 $if_bce0_gw) \
    from $if_bce0:network to any

according to my understanding of pf syntax, it was probably a bug that
your ruleset ever worked. "... from $if_bce0 ..." should have matched
only packets from the local server w/ source addresses of 172.20.51.10.

just adding :network to the $if_bce0 in the from clause in your rule
should make it do what you want, but is quite inefficient. you are
checking every outbound packet on bce1 after all of the normal processing
& routing has been done, rewriting the ones that arrived on bce0 and
sending them back through the network subsystem again.

it would be better to check the in-bound packets on bce0, accept the ones
destined for the local host or the 172.20.1/24 network, and re-route the
ones that would use the default gw.

tom