From bryanalves at gmail.com  Sun Jan  4 04:00:56 2009
From: bryanalves at gmail.com (Bryan Alves)
Date: Sun Jan  4 04:01:04 2009
Subject: Using PF ALTQ to schedule NAT jail traffic
Message-ID: <92f477740901031928m373dfed5v2033542fdbd2769c@mail.gmail.com>

I'm using a FreeBSD box to do the routing, NAT, and firewall duties for my
home network. There are also a couple of jails located on the machine,
providing various services. One of these jails is running a torrent client
24/7. I isolated the torrent client to a jail in an attempt to more
effectively schedule packets going to and from it. However, I'm having
problems properly tagging packets that are originating from the jail
destined for the internet.

First, my ifconfig:
-------------------------
em0: flags=8843 metric 0 mtu 9000
        options=19b
        ether 00:1b:21:29:b0:b0
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        inet 192.168.10.200 netmask 0xffffffff broadcast 192.168.10.200
        inet 192.168.10.201 netmask 0xffffffff broadcast 192.168.10.201
        inet 192.168.10.202 netmask 0xffffffff broadcast 192.168.10.202
        inet 192.168.10.203 netmask 0xffffffff broadcast 192.168.10.203
        inet 192.168.10.204 netmask 0xffffffff broadcast 192.168.10.204
        media: Ethernet 1000baseTX
        status: active
em1: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:1b:21:29:b0:ab
        inet 173.48.75.167 netmask 0xffffff00 broadcast 173.48.75.255
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141 metric 0 mtu 33160
------------------------------

And now my current PF rules:
---------------------------------------------
ext_if = "em1"
int_if = "em0"
localnet = $int_if:network
torrent_ports = "57100:57199"
web_ports = "81"
gateway = "192.168.10.1"
httpd_jail = "192.168.10.200"
samba_jail = "192.168.10.201"
slimserver_jail = "192.168.10.202"
torrent_jail = "192.168.10.203"
desktop = "192.168.10.111"

set loginterface $ext_if
scrub on $ext_if

altq on $ext_if bandwidth 4550Kb hfsc queue { q_high, q_med, q_low }
queue q_high bandwidth 25% priority 6 qlimit 250 hfsc
queue q_med bandwidth 45% priority 4 qlimit 250 hfsc (default)
queue q_low bandwidth 30% priority 3 qlimit 500 hfsc

nat on $ext_if from $localnet to any -> ($ext_if)

#Port Forwards
rdr on $ext_if proto tcp from any to any port ssh -> $gateway
rdr on $ext_if proto tcp from any to any port $web_ports -> $httpd_jail
rdr on $ext_if proto tcp from any to any port $torrent_ports -> $torrent_jail

#Nat Reflection
rdr on $int_if proto tcp from $localnet to $ext_if port ssh -> $gateway
rdr on $int_if proto tcp from $localnet to $ext_if port $web_ports -> $httpd_jail
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $gateway port ssh -> $int_if
nat on $int_if proto tcp from $localnet to $httpd_jail port $web_ports -> $int_if

antispoof for $ext_if
#block in quick on $ext_if from to any
block log all
pass on lo0

#Allow all LAN traffic
pass in on $int_if from $localnet to any keep state
pass out on $int_if from any to $localnet keep state

#Tag special traffic so it gets queued right
pass in on $int_if from $desktop to any tag DESKTOP
pass in on $int_if from $torrent_jail to any tag TORRENT
pass in on $int_if from $httpd_jail to any tag HTTPD

#In on ext_if
pass in on $ext_if proto tcp from any to $httpd_jail port $web_ports keep state queue (q_high)
pass in on $ext_if proto { tcp, udp } from any to $torrent_jail port $torrent_ports keep state queue (q_low)
pass in on $ext_if proto tcp from any to any port ssh modulate state queue (q_high)
pass in on $ext_if proto gre from any to any keep state queue (q_high)
pass in on $ext_if proto tcp from any to any port pptp keep state queue (q_high)

#Out on ext_if
pass out on $ext_if proto tcp all modulate state queue (q_med)
pass out on $ext_if proto { udp, icmp } all keep state queue (q_med)
pass out on $ext_if proto gre all keep state queue (q_high)

#Queue tagged traffic
pass out on $ext_if proto { tcp, udp } from any to any tagged TORRENT queue (q_low)
pass out on $ext_if from any to any tagged DESKTOP queue (q_high)
pass out on $ext_if from any to any tagged HTTPD queue (q_high)
------------------------------------------------

The behavior of tagging NAT traffic so that it gets queued on the outside
interface works correctly in the case of the DESKTOP tag, which is a
different physical machine. No packets pass through the firewall and get
tagged with either TORRENT or HTTPD, however. Torrent traffic from
192.168.10.203 which originates from the jail passes through on the
"pass out on $ext_if proto tcp all modulate state queue (q_med)" rule
instead, since it wasn't tagged on its way through the NAT. The 2nd
"in on ext_if" rule properly catches packets and puts them into the right
queue, and statefully the responses from these pass through it as well.
It's the packets that non-statefully originate from the jail that I can't
catch. I suspect this has something to do with jail using lo0 to manage
the traffic, but I'm not sure how to fix it. I tried to tcpdump the lo0,
em1, and em0 interfaces to find this traffic, but I can't find the traffic
at all.

How can I modify my rules and/or aliases so that I can properly tag all
traffic that originates from a specific jail?

From bugmaster at FreeBSD.org  Mon Jan  5 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan  5 11:08:51 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200901051106.n05B6uHP002871@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

26 problems total.
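[Editor's added example, not part of any message in this digest.] The jail question above and the "rdr pass rule" question later in this digest have the same answer, which Max Laier gives below: put the tag on the translation rule rather than on a filter rule. A jail shares the host's network stack, so its outbound packets never cross em0 and the "pass in on $int_if ... tag" rules never see them; pf only meets them as "out on $ext_if", after the nat rule has already run. The fragment below reuses Bryan Alves's macros and queues; the addr_svc, svc_ext and svc_int macros for the rdr part are assumed values, not from the posts. Caveat from the PR list above: conf/110838 reports "tagged parameter on nat not working on FreeBSD 5.", so this relies on a 7.x pf.

```pf
# Added example: tag at translation time so the queue rules can match.
# Macros from the original ruleset; addr_svc/svc_ext/svc_int are assumed.
ext_if        = "em1"
int_if        = "em0"
localnet      = $int_if:network
httpd_jail    = "192.168.10.200"
torrent_jail  = "192.168.10.203"
addr_svc      = "173.48.75.167"   # assumed: public IP the jailed daemon binds to
svc_ext       = "80"              # assumed: low port to expose to the world
svc_int       = "8080"            # assumed: high port the daemon actually listens on

altq on $ext_if bandwidth 4550Kb hfsc queue { q_high, q_med, q_low }
queue q_high bandwidth 25% priority 6 qlimit 250 hfsc
queue q_med  bandwidth 45% priority 4 qlimit 250 hfsc (default)
queue q_low  bandwidth 30% priority 3 qlimit 500 hfsc

# Translation rules are FIRST match, so the tagging nat rules must come
# before the catch-all nat rule or they are never reached.
nat on $ext_if from $torrent_jail to any tag TORRENT -> ($ext_if)
nat on $ext_if from $httpd_jail   to any tag HTTPD   -> ($ext_if)
nat on $ext_if from $localnet     to any             -> ($ext_if)

# "rdr ... tag" instead of "rdr pass": the tag, not "pass", is what the
# filter keys on, so the filter rule can still choose a queue.
rdr on $ext_if proto tcp from any to $addr_svc port $svc_ext tag SVC \
    -> $addr_svc port $svc_int

block log all
pass on lo0
pass in  on $int_if from $localnet to any keep state
pass out on $int_if from any to $localnet keep state

# Filter rules are LAST match: the untagged catch-alls go first, the
# tagged rules after them win for tagged packets and pick the queue.
pass out on $ext_if proto tcp all modulate state queue (q_med)
pass out on $ext_if proto { udp, icmp } all keep state queue (q_med)
pass out on $ext_if proto { tcp, udp } from any to any tagged TORRENT keep state queue (q_low)
pass out on $ext_if proto tcp from any to any tagged HTTPD keep state queue (q_high)

# Filtering runs after rdr, so the inbound rule sees the translated port.
# Requiring "tagged SVC" is what keeps a direct hit on $svc_int blocked:
# only packets that went through the rdr carry the tag.
pass in on $ext_if proto tcp from any to $addr_svc port $svc_int tagged SVC keep state queue (q_med)
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vsq` while the jail downloads: the q_low counters should move instead of q_med. Only the first packet of a connection needs the tag; later packets match the state, and the state already carries the queue the tagged rule assigned.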
From jumper99 at gmx.de  Fri Jan  9 21:02:30 2009
From: jumper99 at gmx.de (Helmut Schneider)
Date: Fri Jan  9 21:02:37 2009
Subject: Version >= 4.3
Message-ID: 

Hi,

since 4.3 and above finally support include-statements does anyone know a
roadmap when FreeBSD will switch from 4.1 to >= 4.3?

Thanks, Helmut
-- 
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn

From max at love2party.net  Fri Jan  9 21:18:18 2009
From: max at love2party.net (Max Laier)
Date: Fri Jan  9 21:18:24 2009
Subject: Version >= 4.3
In-Reply-To: 
References: 
Message-ID: <200901092218.15401.max@love2party.net>

On Friday 09 January 2009 22:02:16 Helmut Schneider wrote:
> since 4.3 and above finally support include-statements does anyone know a
> roadmap when FreeBSD will switch from 4.1 to >= 4.3?

Short answer: As in any volunteer project, when somebody does the work.

Longer answer: I did import the vendor code into subversion with the general
plan to import a newer version into Current, but my free time is rather
limited these days and I probably won't get to it for quite some time.

I might be able to work on it in late February, early March ... though I'm
not sure I can afford to do it without funding. I'll have to look into that
after my current projects are mature enough to figure out when exactly I'll
have an opening.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From jumper99 at gmx.de  Fri Jan  9 22:09:26 2009
From: jumper99 at gmx.de (Helmut Schneider)
Date: Fri Jan  9 22:09:35 2009
Subject: Version >= 4.3
References: <200901092218.15401.max@love2party.net>
Message-ID: 

Max Laier wrote:
> On Friday 09 January 2009 22:02:16 Helmut Schneider wrote:
>> since 4.3 and above finally support include-statements does anyone know a
>> roadmap when FreeBSD will switch from 4.1 to >= 4.3?
>
> Short answer: As in any volunteer project, when somebody does the work.
>
> Longer answer: I did import the vendor code into subversion with the
> general plan to import a newer version into Current, but my free time
> is rather limited these days and I probably won't get to it for quite
> some time.
>
> I might be able to work on it in late February, early March ... though
> I'm not sure I can afford to do it without funding. I'll have to look
> into that after my current projects are mature enough to figure out
> when exactly I'll have an opening.

I know one can't buy much from words but thanks for your efforts.
-- 
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn

From linimon at FreeBSD.org  Sun Jan 11 08:04:52 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Sun Jan 11 08:05:03 2009
Subject: conf/130381: [ip6] ipv6 not fully configured when pf startup script is run
Message-ID: <200901111604.n0BG4ol6083939@freefall.freebsd.org>

Old Synopsis: ipv6 not fully configured when pf startup script is run
New Synopsis: [ip6] ipv6 not fully configured when pf startup script is run

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jan 11 16:04:17 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=130381

From bzeeb-lists at lists.zabbadoz.net  Sun Jan 11 11:00:19 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jan 11 11:00:25 2009
Subject: conf/130381: [ip6] ipv6 not fully configured when pf startup script is run
Message-ID: <200901111900.n0BJ0I1v013860@freefall.freebsd.org>

The following reply was made to PR conf/130381; it has been noted by GNATS.

From: "Bjoern A. Zeeb" 
To: bug-followup@FreeBSD.org, sdalu@sdalu.com
Cc: Gert Doering 
Subject: Re: conf/130381: [ip6] ipv6 not fully configured when pf startup script is run
Date: Sun, 11 Jan 2009 18:47:45 +0000 (UTC)

 Gert Doering had complained about this back in November on freebsd-rc:
 
 http://docs.freebsd.org/cgi/mid.cgi?20081106125643.GG8535
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.

From bugmaster at FreeBSD.org  Mon Jan 12 03:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 12 03:08:44 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200901121106.n0CB6uGF092074@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/82271   pf         [pf] cbq scheduler cause bad latency

27 problems total.

From mmitar at gmail.com  Mon Jan 12 17:37:11 2009
From: mmitar at gmail.com (Mitar)
Date: Mon Jan 12 17:37:17 2009
Subject: rdr pass rule
Message-ID: 

Hi!

I have a system where my daemon is running on a public IP on a high port
(so that it does not need root privileges, and it is bound to a public IP
as it runs in a jail) and I would like to translate it to a lower port. I
would like that just this lower port is publicly accessible. This can be
done with:

rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext -> $addr_svc port $svc_int

This makes only $svc_ext port accessible as $svc_int port is closed (not
opened) for traffic.

But I would like to assign this traffic to a queue and thus I cannot use
pass option. I wanted to create a rdr rule without pass option and a
separate pass rule later on. But the problem is that, as far as I
understand, pass rules are applied after rdr, so I can set them only on an
internal port (to which I am translating public port). But then the
question is how can I open this internal port so that it is not opened to
the public, only to traffic coming through a rdr rule?
Is there a general way how one can transcribe rdr pass option to a pass rule
which would behave in the same way as rdr pass?

Mitar

From max at love2party.net  Tue Jan 13 06:51:06 2009
From: max at love2party.net (Max Laier)
Date: Tue Jan 13 06:51:13 2009
Subject: rdr pass rule
In-Reply-To: 
References: 
Message-ID: <200901131551.03193.max@love2party.net>

On Tuesday 13 January 2009 02:14:50 Mitar wrote:
> Hi!
>
> I have a system where my daemon is running on a public IP on a high
> port (so that it does not need root privileges, and it is bound to a
> public IP as it runs in a jail) and I would like to translate it to a
> lower port. I would like that just this lower port is publicly
> accessible. This can be done with:
>
> rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext
> -> $addr_svc port $svc_int
>
> This makes only $svc_ext port accessible as $svc_int port is closed
> (not opened) for traffic.
>
> But I would like to assign this traffic to a queue and thus I cannot
> use pass option. I wanted to create a rdr rule without pass option and
> a separate pass rule later on. But the problem is that, as far as I
> understand, pass rules are applied after rdr, so I can set them only
> on an internal port (to which I am translating public port). But then
> the question is how can I open this internal port so that it is not
> opened to the public, only to traffic coming through a rdr rule?
>
> Is there a general way how one can transcribe rdr pass option to a
> pass rule which would behave in the same way as rdr pass?

The simplest way off the top of my head: Use a "rdr ... tag"-rule and
"pass ... tagged" later on.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From usgrishin at samaradom.ru  Tue Jan 13 11:07:27 2009
From: usgrishin at samaradom.ru (Yuriy Grishin)
Date: Tue Jan 13 11:08:47 2009
Subject: ALTQ cbq : borrowing when no traffic with higher priority
Message-ID: <496CDAA6.1000600@samaradom.ru>

Hello,

I have a gate with some traffic that comes directly from it (wget,
rtorrent). And I have two computers behind the gate with NAT. My target is
to allow to borrow full bandwidth for traffic that comes directly from the
gate BUT throttle this traffic to minimum rate when the computers behind
the gate are active.

I wrote the rule set:
-------------------------------
...
##--queues
## real bandwidth 1Mb symmetrical channel
## use altq at 97%
altq on $ext_if cbq bandwidth 970Kb queue { qme, qmywife, qgateway, qack }
queue qme bandwidth 50% priority 3 cbq ( borrow )
queue qmywife bandwidth 30% priority 2 cbq ( borrow )
queue qgateway bandwidth 1% priority 0 cbq ( default borrow )
queue qack bandwidth 19% priority 5 cbq ( borrow )

##--nat & rdr
nat on $ext_if from $int_if:network to any -> $ext_if

##--rules
block all
pass in on $int_if from $me to any queue (qme, qack)
pass in on $int_if from $mywife to any queue (qmywife, qack)
....
pass out on $ext_if from $ext_if to any
...
-------------------------------

In fact it allows to use ~30% of the link throughput for my wife and 50%
for me while the gateway is downloading. It seems that it guarantees
bandwidth parameter values only. I don't understand the duty of the
priority parameter then!

How to make the gate get off the link while other computers are
downloading?

From lumiwa at gmail.com  Tue Jan 13 14:24:26 2009
From: lumiwa at gmail.com (Mitja)
Date: Tue Jan 13 14:27:45 2009
Subject: pflog
Message-ID: <200901131603.26659.lumiwa@gmail.com>

Hi!
When I check my system with "vmstat" I got:

vmstat
 procs      memory      page                    disks     faults      cpu
 r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
 0 1 0    425M   434M    62   0   0   0    68   0   0   0  111  838  861  1  1 ********

In the procs section I have all the time b:1

When I check my settings I found that happened after pflog_enable="YES" in
rc.conf. I read man pflog but I don't know how to solve this "problem".

I have FreeBSD 7.1 but the same was on FreeBSD 7.0 too.

Thanks in advance...

From peter.wullinger at gmail.com  Wed Jan 14 00:39:46 2009
From: peter.wullinger at gmail.com (Peter Wullinger)
Date: Wed Jan 14 00:39:53 2009
Subject: pflog
In-Reply-To: <200901131603.26659.lumiwa@gmail.com>
References: <200901131603.26659.lumiwa@gmail.com>
Message-ID: 

Hello,

2009/1/13 Mitja
> Hi!
>
> When I check my system with "vmstat" I got:
>
> vmstat
>  procs      memory      page                    disks     faults      cpu
>  r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
>  0 1 0    425M   434M    62   0   0   0    68   0   0   0  111  838  861  1  1 *******
>
> In the procs section I have all the time b:1
>

I cannot confirm without further information, but the single process
blocked/busy here seems to be the "pflogd" daemon waiting for incoming
packets on the pflog0 interface.

If you read the man page for pflogd(8), where exactly is the "problem"?

Regards,
Peter

From vwe at FreeBSD.org  Wed Jan 14 14:26:30 2009
From: vwe at FreeBSD.org (vwe@FreeBSD.org)
Date: Wed Jan 14 14:26:42 2009
Subject: kern/103281: pfsync reports bulk update failures
Message-ID: <200901142226.n0EMQSn1095312@freefall.freebsd.org>

Synopsis: pfsync reports bulk update failures

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: vwe
Responsible-Changed-When: Wed Jan 14 22:26:18 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=103281

From vwe at FreeBSD.org  Wed Jan 14 14:26:54 2009
From: vwe at FreeBSD.org (vwe@FreeBSD.org)
Date: Wed Jan 14 14:27:01 2009
Subject: kern/103283: pfsync fails to sucessfully transfer some sessions
Message-ID: <200901142226.n0EMQqXo095359@freefall.freebsd.org>

Synopsis: pfsync fails to sucessfully transfer some sessions

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: vwe
Responsible-Changed-When: Wed Jan 14 22:26:42 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=103283

From tommyhp2 at yahoo.com  Fri Jan 16 20:55:47 2009
From: tommyhp2 at yahoo.com (Tommy Pham)
Date: Fri Jan 16 20:56:19 2009
Subject: [OT?] help w/ ip route to (cancel)
Message-ID: <886151.51833.qm@web38201.mail.mud.yahoo.com>

----- Original Message ----
From: Tommy Pham 
To: freebsd-pf@freebsd.org
Sent: Friday, January 16, 2009 8:39:36 PM
Subject: [OT?] help w/ ip route to

Hi,

I have this simple setup.
< internet > ---- < FreeBSD w/ pf > ---- < LAN >
The wan is 10.1.1.32/29 and LAN is 10.10.10.0/24.

Using PF, is it possible to route an internal IP, say 10.10.10.21, so that
all outbound traffic from it appears to be from 10.1.1.36 on the WAN? Or
do I need to change the routing in FreeBSD?

Thanks,
Tommy

nvm... I forgot about 1:1 mapping :D
Thanks!!

From tommyhp2 at yahoo.com  Fri Jan 16 21:06:19 2009
From: tommyhp2 at yahoo.com (Tommy Pham)
Date: Fri Jan 16 21:06:26 2009
Subject: [OT?] help w/ ip route to
Message-ID: <151994.18927.qm@web38203.mail.mud.yahoo.com>

Hi,

I have this simple setup.
< internet > ---- < FreeBSD w/ pf > ---- < LAN >
The wan is 10.1.1.32/29 and LAN is 10.10.10.0/24.

Using PF, is it possible to route an internal IP, say 10.10.10.21, so that
all outbound traffic from it appears to be from 10.1.1.36 on the WAN? Or
do I need to change the routing in FreeBSD?
Thanks,
Tommy

From peter at allicient.co.uk  Sat Jan 17 10:18:34 2009
From: peter at allicient.co.uk (Peter Maxwell)
Date: Sat Jan 17 10:18:44 2009
Subject: [OT?] help w/ ip route to (cancel)
In-Reply-To: <886151.51833.qm@web38201.mail.mud.yahoo.com>
References: <886151.51833.qm@web38201.mail.mud.yahoo.com>
Message-ID: <7731938b0901171018j78895dacx8cb1af2dd3a54122@mail.gmail.com>

Tommy,

As I think you've discovered, you're probably after a NAT solution here
rather than source/policy based routing.

Best wishes,
Peter

2009/1/17 Tommy Pham :
> ----- Original Message ----
> From: Tommy Pham 
> To: freebsd-pf@freebsd.org
> Sent: Friday, January 16, 2009 8:39:36 PM
> Subject: [OT?] help w/ ip route to
>
> Hi,
>
> I have this simple setup.
> < internet > ---- < FreeBSD w/ pf > ---- < LAN >
> The wan is 10.1.1.32/29 and LAN is 10.10.10.0/24.
>
> Using PF, Is it possible to route an internal IP say 10.10.10.21
> so that all outbound traffic from it appear to be from 10.1.1.36 on
> the WAN? Or do I need to change the routing FreeBSD?
>
> Thanks,
> Tommy
>
>
> nvm... I forgot about 1:1 mapping :D
> Thanks!!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From siquijorphilips at gmail.com  Sun Jan 18 03:05:50 2009
From: siquijorphilips at gmail.com (Siquijor Philips)
Date: Sun Jan 18 03:05:57 2009
Subject: PF with TSO
Message-ID: 

Hi,

FreeBSD-7.1 is shipped with the TCP segmentation offload (TSO) feature for
some network interface cards by default, such as Intel and Broadcom. I
would like to know if there's any impact when PF is enabled together with
TSO in terms of performance and packet inspection?
> > > > If I say > > > > block log all > > block in log (all) quick on $ext_if proto udp from any to $ext_if > > > > this would block all traffic on $ext_if, but on my ext_if I recive a > > lot of ( huge amount ) of udp generated traffic which make me a lot > > of problems. > > I also tryed to add small pipe and play with ALTQ to handle this but > > it did not help a lot. Also I know that every packet which hit my > > ext_if should be > > processed ( or least take a little processor resources, if I block > > it with keyword quick ), but I am wondering is there some way to > > decrease impact on system > > when a lot of packets arive in short time. > > > > My question would be, what are your experinces with battling against > > boring udp flooders ? Platform are FreeBSD / OpenBSD and all works > > like a charm except time to time, stupid udp flood atacks. > > > > Not sure if this will help in your situation, but you could try > setting the 'blackhole' for UDP. (There is also one for TCP.) > > net.inet.tcp.blackhole > net.inet.udp.blackhole Those options require a bit more syntax. The options I've been using as part of my installs are: net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1 and while they will nearly prevent you from becoming a "drone", they won't prevent you from being attacked /by/ a "drone". I know from personal experience. :( Good advice on your part, none the less. :) Best wishes. --Chris > -- > Glen Barber From fbsdmail at dnswatch.com Sun Jan 18 04:13:49 2009 From: fbsdmail at dnswatch.com (fbsdmail@dnswatch.com) Date: Sun Jan 18 04:13:55 2009 Subject: Blocking udp flood trafiic using pf, hints welcome Message-ID: <9f9bf26296b3f05db555b7f37bd42226.dnswclient@webmail.dnswatch.com> Greetings, see below... > On Sun, Nov 09, 2008 at 10:37:29AM +0100, Elvir Kuric wrote: > > I am playing with pf tool on openbsd/freebsd platforms and it is super > > tool for firewalls. On thing is interesting for me, and I am hopping > > someone has expeience with this. 
> > > > If I say > > > > block log all > > block in log (all) quick on $ext_if proto udp from any to $ext_if > > > > this would block all traffic on $ext_if, but on my ext_if I recive a > > lot of ( huge amount ) of udp generated traffic which make me a lot > > of problems. > > I also tryed to add small pipe and play with ALTQ to handle this but > > it did not help a lot. Also I know that every packet which hit my > > ext_if should be > > processed ( or least take a little processor resources, if I block > > it with keyword quick ), but I am wondering is there some way to > > decrease impact on system > > when a lot of packets arive in short time. > > > > My question would be, what are your experinces with battling against > > boring udp flooders ? Platform are FreeBSD / OpenBSD and all works > > like a charm except time to time, stupid udp flood atacks. > > First, you should be very careful with use of the "log" directive on > your rules. I've personally witnessed an attack which triggered "log" > entries in block rules causing pflog to log at such a tremendous/fast > rate, that newsyslog could not rotate+compress the log files fast > enough, resulting in CPU maxing out and so on (a true self-induced > denial-of-service). Consider this warning. :-) > > Secondly, and this is more a direct answer of your question: I believe > what you're referring to is a UDP-based DoS attack against your FreeBSD > machine(s). > > The "block" directives you're using will only stop your FreeBSD box from > responding to those packets (whatever you do, silently deny those > packets; do not use "reject", or else your box will be trying to send > back denial responses to the attackers, which just makes the problem > worse). It *cannot* solve the problem of your network connection > becoming saturated. > > Your next question will be: "okay, so how do I solve this problem?" This > is where it gets both technical and political. 
> There are two things to do first:
>
> 1) See if the attacks are distributed (multiple IPs or even spoofed IPs hitting your machine with UDP packets). If they're distributed or spoofed, you're out of luck.
>
> If the packets are legitimate (e.g. some compromised machine on the Internet is being used to attack you), you need to find out who owns that IP address, and contact them. ARIN (WHOIS) can be of help here. Pray they have an abuse department. If you do not get a prompt response (24-48 hours), try to figure out who their upstream network provider is, and send them a similar message. Continue up the chain until you get a response. Phone calls (even international) often work wonders decreasing mitigation time.
>
> 2) Investigate your own machine. I cannot stress this enough. Most DoS attacks I've seen in my years ARE NOT random -- there's a reason they happen.
>
> The majority of attacks I've seen involve IRC in some way, either as a central cause of attack (arguments, channel takeovers, whatever), or indirectly (a compromised account on your machine). If your machine is a shell box for friends/customers, I highly recommend considering *not* permitting IRC from it; this includes bouncers and eggdrops.
>
> Many IRC-induced attacks are done against a machine solely to knock it offline (so the user on IRC pings out for a channel takeover, or just to keep the user from getting back on IRC).
>
> And if your machine(s) run IRC servers... well, this is one of the many dangers in hosting a server. You have to weigh what's more important to you in this case: IRC, or the availability of your machines. I speak from personal experience as someone who used to administrate a public EFnet server, and as someone who has used IRC for the past 16 years. Whichever matters to you more is what you should stick with.
>
> The second most common reason for attack I've seen are controversial websites or domain names -- things that induce arguments, controversy or heated discussions, or are of a "shady" nature and would bring shady or questionable attention to you (e.g. wehaveeggdropshellz.com). If you host anything like this, consider suspending it, or removing the customer due to incidents which cause the network to become unavailable. Remember: one customer/user is not worth sacrificing all the rest.
>
> Finally: work with your own service/uplink provider. In the case of a very large-scale attack, your ISP will need to do the filtering to ensure that the packets never reach your machine. "What can they filter on if it's DDoS?" Good question -- very little. But your uplink should at least be told of the problem, both out of respect, and for your own benefit (especially if you are billed for *incoming* traffic!)
>
> If you don't find decent answers here, I highly recommend freebsd-net or freebsd-isp. Others may have better advice.
>
> Footnote: Like SMTP and spam, IRC as an entity is not evil or bad -- the problem is that in this day and age, it can breed trouble. I don't want to sound like I'm slamming IRC ("IRC sucks! Ban IRC!"); I'm not. I'm simply pointing out the realities that are involved with IRC in this day and age. The degree of anonymity DoS and IRC provide sometimes brings out the worst in people, and that's sad.

Hello Jeremy,

I just joined this list. Then started parsing the archive, and ran into this - what you refer to, is exactly the reason I'm getting off my a$$ and getting PF configured on my servers - something I've been too busy to get to, but now finding myself /having/ to. :(

To the point. I'm receiving an inordinate amount of UDP traffic lodged against DNS on all the servers. I immediately fired off emails to the RP's, and received prompt responses. /However/ one of the RP's indicated they've been up against this since /Christmas/. While I'm not going to mention the Firm, I will tell you that they are quite large (xxx.xxx.128.0/20 - xxx.xxx.128.0 - xxx.xxx.143.255). I've now been suffering the consequences for 3 days, with no end in sight. So, while I have a hard time understanding how an entity managing such a large amount of IP real-estate can't figure out how to keep from becoming/continuing to produce "drones", I /do/ understand that /I/ am capable of putting up a wall to block the abuse emanating from their network. Which brings me here. :)

Am I correct in understanding from your response that FreeBSD PF can't effectively drop UDP packets? My current defence (aside from my application/server block policies) is some sysctl(8)/sysctl(5) tunables:

net.inet.udp.log_in_vain=0
net.inet.tcp.log_in_vain=1

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

net.inet.tcp.icmp_may_rst=0
net.inet.tcp.drop_synfin=1

# don't accept sourcerouted packets (they are evil)
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0

security.bsd.see_other_uids=0

While all of these are not INET TCP/ICMP/SYN/UDP related, it's a pretty good rule of thumb for sysctl security tunables. But isn't there some pf.conf that I can create that will simply drop all UDP traffic from the offending IP? Based on the data in my logs, and my understanding of all the powerful tools that are available (for both good, /and/ evil), I'm near positive that the attacker is bouncing the packets off the "drones" with HPING.

Anyway, I felt the need to chime in when I noticed you addressed all the topics that described my current situation, hoping PF would be the solution (my savior).

Best wishes.

--Chris

> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977.
> PGP: 4BD6C0CB |

From fbsdmail at dnswatch.com Sun Jan 18 05:55:19 2009
From: fbsdmail at dnswatch.com (fbsdmail@dnswatch.com)
Date: Sun Jan 18 05:55:25 2009
Subject: Blocking udp flood trafiic using pf, hints welcome
In-Reply-To: <7731938b0901180510p4be2e580h9d1c8f75cbbc2255@mail.gmail.com>
References: <9f9bf26296b3f05db555b7f37bd42226.dnswclient@webmail.dnswatch.com> <7731938b0901180510p4be2e580h9d1c8f75cbbc2255@mail.gmail.com>
Message-ID:

Hello Peter, and thank you for your reply...

On Sun, January 18, 2009 5:10 am, Peter Maxwell wrote:
> Comments inline...
>
>> Hello Jeremy,
>> I just joined this list. Then started parsing the archive, and ran into this - what you refer to, is exactly the reason I'm getting off my a$$ and getting PF configured on my servers - something I've been too busy to get to, but now finding myself /having/ to. :( To the point. I'm receiving an inordinate amount of UDP traffic lodged against DNS on all the servers. I immediately fired off emails to the RP's, and received prompt responses. /However/ one of the RP's indicated they've been up against this since /Christmas/. While I'm not going to mention the Firm, I will tell you that they are quite large (xxx.xxx.128.0/20 - xxx.xxx.128.0 - xxx.xxx.143.255). I've now been suffering the consequences for 3 days, with no end in sight. So, while I have a hard time understanding how an entity managing such a large amount of IP real-estate can't figure out how to keep from becoming/continuing to produce "drones", I /do/ understand that /I/ am capable of putting up a wall to block the abuse emanating from their network. Which brings me here. :) Am I correct in understanding from your response that FreeBSD PF can't effectively drop UDP packets? My current defence (aside from my application/server block policies) is some sysctl(8)/sysctl(5) tunables:
>
> Chris, you've rather missed the point here: pf can easily drop the UDP packets, however *whatever* you do there's going to be CPU cycles used to drop them. You could use a whole different array of packet filters/firewalls to drop the UDP packets but it's still going to drag down your firewall machine and/or internet connection. Hence the only real solution is upstream filtering, or if you are peering directly your router should be fast enough.

Oh, I understood the thread topic, but got the impression from Jeremy's reply, that attempting to block UDP via PF wasn't feasible. It was also my understanding that the OP's biggest shortcoming was his attempt to log all the communication. For me neither will be an issue;

1) I'm not interested in anything more than "first attempts" in the logs.
2) All the servers have a spare onboard NIC that I haven't even enabled yet. Which means I can "bind" them, thereby allowing me better throughput to handle excessive traffic.
3) they are all multi-cpu servers. So I have enough cycles available.

Thanks again, for taking the time to reply.

--Chris

>> net.inet.udp.log_in_vain=0
>> net.inet.tcp.log_in_vain=1
>>
>> net.inet.tcp.blackhole=2
>> net.inet.udp.blackhole=1
>>
>> net.inet.tcp.icmp_may_rst=0
>> net.inet.tcp.drop_synfin=1
>>
>> # don't accept sourcerouted packets (they are evil)
>> net.inet.ip.accept_sourceroute=0
>> net.inet.ip.sourceroute=0
>>
>> security.bsd.see_other_uids=0
>>
>> While all of these are not INET TCP/ICMP/SYN/UDP related, it's a pretty good rule of thumb for sysctl security tunables. But isn't there some pf.conf that I can create that will simply drop all UDP traffic from the offending IP? Based on the data in my logs, and my understanding of all the powerful tools that are available (for both good, /and/ evil), I'm near positive that the attacker is bouncing the packets off the "drones" with HPING. Anyway, I felt the need to chime in when I noticed you addressed all the topics that described my current situation, hoping PF would be the solution (my savior).
>>
>> Best wishes.
>>
>> --Chris

From fbsdmail at dnswatch.com Sun Jan 18 09:42:28 2009
From: fbsdmail at dnswatch.com (fbsdmail@dnswatch.com)
Date: Sun Jan 18 09:43:11 2009
Subject: Blocking udp flood trafiic using pf, hints welcome
In-Reply-To: <7731938b0901180844j2d143903q41cc131ef64a2c24@mail.gmail.com>
References: <9f9bf26296b3f05db555b7f37bd42226.dnswclient@webmail.dnswatch.com> <7731938b0901180510p4be2e580h9d1c8f75cbbc2255@mail.gmail.com> <7731938b0901180844j2d143903q41cc131ef64a2c24@mail.gmail.com>
Message-ID: <0ec20388586080a91b7ee1ec8ffb7e64.dnswclient@webmail.dnswatch.com>

Hello again Peter, and thank you for your thoughtful reply...

On Sun, January 18, 2009 8:44 am, Peter Maxwell wrote:
> 2009/1/18 :
>
>> Hello Peter, and thank you for your reply...
>>
>> On Sun, January 18, 2009 5:10 am, Peter Maxwell wrote:
>>
>>> Comments inline...
>>>
>>>> Hello Jeremy,
>>>> I just joined this list. Then started parsing the archive, and ran into this - what you refer to, is exactly the reason I'm getting off my a$$ and getting PF configured on my servers - something I've been too busy to get to, but now finding myself /having/ to. :( To the point. I'm receiving an inordinate amount of UDP traffic lodged against DNS on all the servers. I immediately fired off emails to the RP's, and received prompt responses. /However/ one of the RP's indicated they've been up against this since /Christmas/.
>>>> While I'm not going to mention the Firm, I will tell you that they are quite large (xxx.xxx.128.0/20 - xxx.xxx.128.0 - xxx.xxx.143.255). I've now been suffering the consequences for 3 days, with no end in sight. So, while I have a hard time understanding how an entity managing such a large amount of IP real-estate can't figure out how to keep from becoming/continuing to produce "drones", I /do/ understand that /I/ am capable of putting up a wall to block the abuse emanating from their network. Which brings me here. :) Am I correct in understanding from your response that FreeBSD PF can't effectively drop UDP packets? My current defence (aside from my application/server block policies) is some sysctl(8)/sysctl(5) tunables:
>>>
>>> Chris, you've rather missed the point here: pf can easily drop the UDP packets, however *whatever* you do there's going to be CPU cycles used to drop them. You could use a whole different array of packet filters/firewalls to drop the UDP packets but it's still going to drag down your firewall machine and/or internet connection. Hence the only real solution is upstream filtering, or if you are peering directly your router should be fast enough.
>>
>> Oh, I understood the thread topic, but got the impression from Jeremy's reply, that attempting to block UDP via PF wasn't feasible. It was also my understanding that the OP's biggest shortcoming was his attempt to log all the communication.
>
> Apologies, I think I've missed a post somewhere along the way - pf can deal with UDP no bother.
>
>> For me neither will be an issue;
>>
>> 1) I'm not interested in anything more than "first attempts" in the logs.
>
> pf does handle UDP quite well,

Glad to hear it. :)

> although UDP is technically stateless pf will create a state for it based on IP/port numbers. Default logging also only logs the *first* packet in a state, so if you enable logging by default it will only log the first packet - although in high traffic scenarios that in itself may kill a box.
>
>> 2) All the servers have a spare onboard NIC that I haven't even enabled yet. Which means I can "bind" them, thereby allowing me better throughput to handle excessive traffic.
>
> I take it your upstream pipe(s) is/are bigger?

Somewhat dynamic.

>> 3) they are all multi-cpu servers. So I have enough cycles available.
>
> Then you're probably ok with the logging ;-) Might be worthwhile setting up the box and testing it first, then you'll know whether the disc array, etc will keep up. As you'd generally use tcpdump to view the logs, always copy them off the firewall box first.

Assuming I feel the need to scan the PF log(s), I imagine dump(8) will suit me just fine. :)

> If you're interested, pf can also do state sync so if you've got two boxes you can have a redundant configuration. Never tried it with pf, but have used the equivalent with Checkpoint firewalls and it is invaluable (e.g. you can swap them out without losing service).

Sounds like a plan. This project could turn out to be a real testament to FreeBSD, and PF itself. I have only one problem - this will be a first go 'round with PF. I'll need to experiment on one of the servers. I don't suppose you'd be willing to /suggest/ a reasonable "starting point" for a pf.conf, would you? Assuming you (or anyone else) would - a little more info is in order; I'll slice out a /27 segment, and just start small. ;) OH, and I have no private IP's involved - think dummynet.

To make the numbers easy to work with, I'll use the following:

ifconfig_fxp0="inet xxx.xxx.xxx.1 netmask 255.255.255.224"

as I mentioned, all of the servers have at least 3 /aliased/ IP's

ifconfig_fxp0_alias0="inet xxx.xxx.xxx.3 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet xxx.xxx.xxx.4 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet xxx.xxx.xxx.5 netmask 255.255.255.255"

xxx.xxx.xxx.0 --> NET
xxx.xxx.xxx.1 --> NS1 (this is the box we're dealing with)
xxx.xxx.xxx.2 --> any
...
xxx.xxx.xxx.3 --> alias0
xxx.xxx.xxx.4 --> alias1
xxx.xxx.xxx.5 --> alias2
...
xxx.xxx.xxx.30 --> gateway
xxx.xxx.xxx.30 --> BCAST

Given this scenario, what would be a simple starting (but working) pf.conf, that would allow trapping (drop) the UDP spam, but not really mess with anything currently in use (NFS, SSH, WWW, DNS, etc...)? While I haven't set up PF before, I have done a boatload of reading. Only problem being; I can't seem to find anything similar to my needs. Most all are designed for traffic shaping, are NAT'd, or are OpenBSD centric. So I've been afraid to try to adapt any of them on my /first/ go 'round. My scenario /seems/ like it'd be pretty easy - assuming I had any /prior/ experience with PF. ;)

Thank you again for your response!

Best wishes.

--Chris

>> Thanks again, for taking the time to reply.
>>
>> --Chris
>>
>>>> net.inet.udp.log_in_vain=0
>>>> net.inet.tcp.log_in_vain=1
>>>>
>>>> net.inet.tcp.blackhole=2
>>>> net.inet.udp.blackhole=1
>>>>
>>>> net.inet.tcp.icmp_may_rst=0
>>>> net.inet.tcp.drop_synfin=1
>>>>
>>>> # don't accept sourcerouted packets (they are evil)
>>>> net.inet.ip.accept_sourceroute=0
>>>> net.inet.ip.sourceroute=0
>>>>
>>>> security.bsd.see_other_uids=0
>>>>
>>>> While all of these are not INET TCP/ICMP/SYN/UDP related, it's a pretty good rule of thumb for sysctl security tunables. But isn't there some pf.conf that I can create that will simply drop all UDP traffic from the offending IP? Based on the data in my logs, and my understanding of all the powerful tools that are available (for both good, /and/ evil), I'm near positive that the attacker is bouncing the packets off the "drones" with HPING. Anyway, I felt the need to chime in when I noticed you addressed all the topics that described my current situation, hoping PF would be the solution (my savior).
>>>>
>>>> Best wishes.
>>>>
>>>> --Chris

From 000.fbsd at quip.cz Sun Jan 18 11:45:50 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sun Jan 18 11:45:58 2009
Subject: basic rule request - allow_all/block_bad
In-Reply-To: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com>
References: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com>
Message-ID: <497382D3.8040408@quip.cz>

infos@dnswatch.com wrote:
> Greetings,
> I know very little about creating an initial pf.conf.
> I know /very/ /much/ that I want/need PF, and will need a fair amount of time to "tune" pf to work optimally for each server.
> BUT, in an effort to get started, I'm hoping that some kind soul will provide me with a very basic pf.conf that will not interrupt the current application/server block policies I already have in place - which is to say; I currently block at the application/server, but hope to merge (transfer) them to PF. So, can anyone share a pf.conf that will allow all, but block ALL_EVIL_IP requests on ALL ports?
> In other words, if I only wanted to block (drop) ALL traffic coming from a /single/ IP address. How would I do it?
> I have one (active) NIC in each of my servers, and there are anywhere from 3 to 12 IP's aliased to them above and beyond the IP assigned to the host itself. All addresses are fully qualified, internet route-able addresses (no internal/private IP's).
If you really need to block one IP, you can use the following simple ruleset:

block in quick from 10.20.30.40 to any
pass all

If you need to block more than one address, or you need easy manipulation of a list of addresses, you can use tables in the ruleset:

table <badguys> persist file "/etc/pf.badguys.table"
block in quick from <badguys> to any
pass all

You can put IPs into the persistent file /etc/pf.badguys.table; these IPs will be loaded at boot time. You can add / remove an address on the fly with the pfctl command:

pfctl -t badguys -T add 10.11.12.13
pfctl -t badguys -T delete 10.11.12.13

Miroslav Lachman

From bordjukov at gmail.com Sun Jan 18 12:00:05 2009
From: bordjukov at gmail.com (Petko Bordjukov)
Date: Sun Jan 18 12:00:11 2009
Subject: kern/127920: [pf] ipv6 and synproxy don't play well together
Message-ID: <200901182000.n0IK04Wm023676@freefall.freebsd.org>

The following reply was made to PR kern/127920; it has been noted by GNATS.

From: Petko Bordjukov
To: bug-followup@FreeBSD.org, hlh@restart.be
Cc:
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 21:29:56 +0200

I am having the same problem.

FreeBSD router.supranet.eu 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #2: Wed Jan 14 15:58:07 EET 2009 root@router.xxx.yyy:/var/src/sys/i386/compile/H5A8S i386

pf.conf:

> ...
>
> # Settings
>
> set block-policy drop
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in on $ext_if all fragment reassemble
> scrub out on $ext_if all fragment reassemble random-id no-df
> scrub in on $tunnel_if all fragment reassemble
> scrub out on $tunnel_if all fragment reassemble random-id no-df
>
> # Queueing
>
> # Translation
>
> # Filtering
>
> # activate spoofing protection for all interfaces
> # block in log quick from urpf-failed
> antispoof log quick for $loopback_if label "Antispoof for $if interface."
> antispoof log quick for $int_if label "Antispoof for $if interface."
>
> # default rule
> block log all label "Block all."
> block in on $ext_if proto { tcp udp } from any to any port { 137, 138, 139, 445 } label "Block netbios broadcasts and don't log."
>
> pass out from self to any modulate state label "Permit outgoing traffic from the firewall."
> pass out on !$int_if from $localnet6 to any modulate state label "Permit outgoing traffic from the local v6 net."
> pass inet proto icmp all icmp-type { 0, 3, 4, 11 } keep state label "Permit safe ICMP."
> # http://www.freebsd.org/cgi/man.cgi?query=icmp6
> pass inet6 proto icmp6 all icmp6-type { 1,2,3,4 } keep state label "Permit safe ICMPv6."
> pass in on $tunnel_if inet6 proto icmp6 from $tun_endpoint icmp6-type {128,135,136} keep state label "Permit IPv6 ping, neighbor solic., advert. from endpoint."
>
> # Allow access to services
> pass in inet proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
> #### Trouble comes from this rule
> pass in inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
> pass in proto udp from any to $pub_ips port $udp_services keep state label "Access to $dstaddr $proto/$dstport."
> pass in on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state label "Allow incoming connections -> mapped $proto ports on $if."
>
> # trusted IPs
> pass from to any keep state label "Grant access to trusted IPs."
>
> # trust local network
> pass in on $int_if all modulate state label "Permit incoming traffic from the Local network."
> pass out on $int_if proto {tcp, udp} from any to $localnet4 port $connectable modulate state label "Allow connections to mapped ports to reach LAN destinations."
> pass proto tcp from any to $localnet6 port $client_tcp_services modulate state label "Allow IPv6 access to/from the ($proto) client services."
> pass proto { tcp, udp } from any to $localnet6 port $connectable modulate state label "Allow IPv6 access to/from the connectable ($proto) ports."

--
- Petko

From bugmaster at FreeBSD.org Mon Jan 19 03:07:03 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 19 03:08:38 2009
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-ID: <200901191107.n0JB72CI063048@freefall.freebsd.org>

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker Resp. Description
--------------------------------------------------------------------------------
o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861 pf [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060 pf [pf] [tun] pf doesn't forget the old tun IP
o kern/127920 pf [pf] ipv6 and synproxy don't play well together
o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511 pf [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439 pf [pf] deadlock in pf
o kern/127345 pf [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121 pf [pf] [patch] pf incorrect log priority
o kern/127042 pf [pf] [patch] pf recursion panic if interface group is
o kern/125467 pf [pf] pf keep state bug while handling sessions between
s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge
o kern/122773 pf [pf] pf doesn't log uid or pid when configured to
o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704 pf [pf] PF mangles loopback packets
o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr
o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355 pf [pf] [patch] pfctl(8) help message options order false
o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c
o kern/114095 pf [carp] carp+pf delay with high state limit
o kern/111220 pf [pf] repeatable hangs while manipulating pf tables
s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283 pf pfsync fails to sucessfully transfer some sessions
o kern/103281 pf pfsync reports bulk update failures
o kern/93825 pf [pf] pf reply-to doesn't work
o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949 pf [pf] PF + ALTQ problems with latency
o kern/82271 pf [pf] cbq scheduler cause bad latency

29 problems total.

From fbsdmail at dnswatch.com Wed Jan 21 05:08:42 2009
From: fbsdmail at dnswatch.com (fbsdmail@dnswatch.com)
Date: Wed Jan 21 05:08:49 2009
Subject: basic rule request - allow_all/block_bad
In-Reply-To: <497382D3.8040408@quip.cz>
References: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com> <497382D3.8040408@quip.cz>
Message-ID: <2bac2a6d6830391e797190f7a398e7e6.dnswclient@webmail.dnswatch.com>

Greetings Miroslav, and thank you for your reply...

On Sun, January 18, 2009 11:28 am, Miroslav Lachman wrote:
> infos@dnswatch.com wrote:
>
>> Greetings,
>> I know very little about creating an initial pf.conf.
>> I know /very/ /much/ that I want/need PF, and will need a fair amount of time to "tune" pf to work optimally for each server. BUT, in an effort to get started, I'm hoping that some kind soul will provide me with a very basic pf.conf that will not interrupt the current application/server block policies I already have in place - which is to say; I currently block at the application/server, but hope to merge (transfer) them to PF. So, can anyone share a pf.conf that will allow all, but block ALL_EVIL_IP requests on ALL ports? In other words, if I only wanted to block (drop) ALL traffic coming from a /single/ IP address. How would I do it? I have one (active) NIC in each of my servers, and there are anywhere from 3 to 12 IP's aliased to them above and beyond the IP assigned to the host itself. All addresses are fully qualified, internet route-able addresses (no internal/private IP's).
>
> If you really need to block one IP, you can use the following simple ruleset:
>
> block in quick from 10.20.30.40 to any
> pass all
>
> If you need to block more than one address, or you need easy manipulation of a list of addresses, you can use tables in the ruleset:
>
> table <badguys> persist file "/etc/pf.badguys.table"
> block in quick from <badguys> to any
> pass all
>
> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs will be loaded at boot time. You can add / remove an address on the fly with the pfctl command:
>
> pfctl -t badguys -T add 10.11.12.13
> pfctl -t badguys -T delete 10.11.12.13

Thank you. That's perfect!

I seem to be stumped on one last issue;
All the information, and pf.conf files all provide for 2 interfaces - INT_IF, and EXT_IF.
Assuming a single NIC (ethernet adapter), and only Internet routable IP addresses, and a lo0 (loopback). How would I define/use the 2 IF's? Dummynet, maybe?

Thank you again for your thoughtful reply.

--Chris

> Miroslav Lachman

From fbsdmail at dnswatch.com Wed Jan 21 09:32:26 2009
From: fbsdmail at dnswatch.com (fbsdmail@dnswatch.com)
Date: Wed Jan 21 09:32:32 2009
Subject: basic rule request - allow_all/block_bad
In-Reply-To: <49775195.80809@radel.com>
References: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com> <497382D3.8040408@quip.cz> <2bac2a6d6830391e797190f7a398e7e6.dnswclient@webmail.dnswatch.com> <49775195.80809@radel.com>
Message-ID: <5b1b0988c6b59c6422697ab790624621.dnswclient@webmail.dnswatch.com>

Greetings, and thank you for your reply...
On Wed, January 21, 2009 8:47 am, Jon Radel wrote:
>
> fbsdmail@dnswatch.com wrote:
>
>>> block in quick from 10.20.30.40 to any
>>> pass all
>>>
>>> If you need to block more than one address, or you need easy manipulation of a list of addresses, you can use tables in the ruleset:
>>>
>>> table <badguys> persist file "/etc/pf.badguys.table"
>>> block in quick from <badguys> to any
>>> pass all
>>>
>>> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs will be loaded at boot time. You can add / remove an address on the fly with the pfctl command:
>>>
>>> pfctl -t badguys -T add 10.11.12.13
>>> pfctl -t badguys -T delete 10.11.12.13
>>
>> Thank you. That's perfect!
>>
>> I seem to be stumped on one last issue;
>> All the information, and pf.conf files all provide for 2 interfaces - INT_IF, and EXT_IF.
>> Assuming a single NIC (ethernet adapter), and only Internet routable IP addresses, and a lo0 (loopback). How would I define/use the 2 IF's? Dummynet, maybe?
>
> Ick (if you don't mind my saying so). No, don't make your life hell by coming up with dummy interfaces. The example line you were given by Miroslav at the very top of my reply is standalone if you wish. A rule set like:
>
> set skip on lo0
> block in quick from 10.20.30.40 to any
> pass all
>
> should be completely stand-alone. It means:
>
> 1) Completely ignore the loopback interface for filtering purposes (supposedly more efficient than setting up a pass all or something to make sure other rules don't give you weird side effects on the loopback).
>
> 2) On any interface (since you didn't mention one in the rule) (other than on lo0, since you're ignoring it) block any incoming packets that come from 10.20.30.40. The fact that there's only one interface is of no particular consequence.
>
> 3) Pass everything else in and out on all interfaces (other than lo0, which is passing everything since it's being ignored). Again, that there is only one interface is of no concern.
>
> All those INT_IF, etc., macros you see in examples are there because it's considered best practice to use macros and document your rule set. For a 3 line rule set where you're the only maintainer, feel free to rip that all out.... ;-)
>
> After you get that running, I'd suggest you start making things fancier with Miroslav's recommendation about using a table, putting in scrub with some of the less aggressive options, protecting yourself from packets with spoofed addresses, etc., etc.

All good advice. I decided shortly after sending this question, to simply dive in and take a chance. So I simply omitted the IF part I was asking about, and modified the suggestion(s) Miroslav was kind enough to offer. I have one NIC which is assigned the host's address; I also have two additional IP's aliased against it. I only brought up lo0 because I wasn't sure if, or why that might be a consideration.

Anyway, as you might imagine, Miroslav's suggestion worked perfectly - THANKS Miroslav. :-) I actually had several recurring "baddies" so I chose the "table" method. Now their noise has vanished. :-) Now, it's off to tweak (tune) the settings, and make some more additions, so as to make better use of it.

Thank you again for taking the time to respond. Thanks again to you Miroslav.

Best wishes.
--Chris

> --Jon Radel

From jon at radel.com Wed Jan 21 09:47:51 2009
From: jon at radel.com (Jon Radel)
Date: Wed Jan 21 09:48:03 2009
Subject: basic rule request - allow_all/block_bad
In-Reply-To: <2bac2a6d6830391e797190f7a398e7e6.dnswclient@webmail.dnswatch.com>
References: <59e0bfe9193784283b7c7aaa2d958ad7.dnswclient@webmail.dnswatch.com> <497382D3.8040408@quip.cz> <2bac2a6d6830391e797190f7a398e7e6.dnswclient@webmail.dnswatch.com>
Message-ID: <49775195.80809@radel.com>

fbsdmail@dnswatch.com wrote:
>> block in quick from 10.20.30.40 to any
>> pass all
>>
>> If you need to block more than one address, or you need easy manipulation of a list of addresses, you can use tables in the ruleset:
>>
>> table <badguys> persist file "/etc/pf.badguys.table"
>> block in quick from <badguys> to any
>> pass all
>>
>> You can put IPs into the persistent file /etc/pf.badguys.table; these IPs will be loaded at boot time. You can add / remove an address on the fly with the pfctl command:
>>
>> pfctl -t badguys -T add 10.11.12.13
>> pfctl -t badguys -T delete 10.11.12.13
>
> Thank you. That's perfect!
>
> I seem to be stumped on one last issue;
> All the information, and pf.conf files all provide for 2 interfaces - INT_IF, and EXT_IF.
> Assuming a single NIC (ethernet adapter), and only Internet routable IP addresses, and a lo0 (loopback). How would I define/use the 2 IF's? Dummynet, maybe?

Ick (if you don't mind my saying so). No, don't make your life hell by coming up with dummy interfaces. The example line you were given by Miroslav at the very top of my reply is standalone if you wish. A rule set like:

set skip on lo0
block in quick from 10.20.30.40 to any
pass all

should be completely stand-alone. It means:

1) Completely ignore the loopback interface for filtering purposes (supposedly more efficient than setting up a pass all or something to make sure other rules don't give you weird side effects on the loopback).

2) On any interface (since you didn't mention one in the rule) (other than on lo0, since you're ignoring it) block any incoming packets that come from 10.20.30.40. The fact that there's only one interface is of no particular consequence.

3) Pass everything else in and out on all interfaces (other than lo0, which is passing everything since it's being ignored). Again, that there is only one interface is of no concern.

All those INT_IF, etc., macros you see in examples are there because it's considered best practice to use macros and document your rule set. For a 3 line rule set where you're the only maintainer, feel free to rip that all out.... ;-)

After you get that running, I'd suggest you start making things fancier with Miroslav's recommendation about using a table, putting in scrub with some of the less aggressive options, protecting yourself from packets with spoofed addresses, etc., etc.

--Jon Radel

From mksmith at adhost.com Thu Jan 22 11:51:23 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu Jan 22 11:51:30 2009
Subject: Issues with PF and 7.1
Message-ID: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan>

Hello All:

We are having memory issues with PF and 7.1p2 that we didn't experience with 6.3. Here's what happens.

# pfctl -f /usr/local/etc/pf.conf
/usr/local/etc/pf.conf:135: cannot define table smtpd_reject_policyd: Cannot allocate memory
/usr/local/etc/pf.conf:139: cannot define table smtpd_reject_spam: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
# pfctl -t smtpd_reject_policyd -T flush
94390 addresses deleted.
# pfctl -t smtpd_reject_spam -T flush
62464 addresses deleted.
# pfctl -f /usr/local/etc/pf.conf

So, after I flush the tables it loads. Sometimes, however, we get a global out of memory error "DIOCADDRULE: Cannot allocate memory".

Here are my entries from pf.conf for various limits. Everything else is defaults.
set limit tables 500 set limit table-entries 250000 set limit { states 1000000, src-nodes 300000, frags 100000 } set optimization normal set skip on lo0 set state-policy if-bound set timeout interval 300 set timeout src.track 1200 Finally, the box is using EM interfaces with VLAN's and has 4 Gig of physical RAM. There are two PF boxes in Active/Failover and the errors show up on both, although they seem to show up more often on the Backup device, which seems odd. Any help would be greatly appreciated. Regards, Mike -- Michael K. Smith - CISSP, GISP Chief Technical Officer - Adhost Internet LLC mksmith@adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 474 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090122/06d94c52/PGP.pgp From sullrich at gmail.com Fri Jan 23 09:47:18 2009 From: sullrich at gmail.com (Scott Ullrich) Date: Fri Jan 23 09:47:24 2009 Subject: Issues with PF and 7.1 In-Reply-To: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan> References: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan> Message-ID: On Thu, Jan 22, 2009 at 2:32 PM, Michael K. Smith - Adhost wrote: > Hello All: > > We are having memory issues with PF and 7.1p2 that we didn't experience with 6.3. Here's what happens. > > # pfctl -f /usr/local/etc/pf.conf > /usr/local/etc/pf.conf:135: cannot define table smtpd_reject_policyd: Cannot allocate memory > /usr/local/etc/pf.conf:139: cannot define table smtpd_reject_spam: Cannot allocate memory > pfctl: Syntax error in config file: pf rules not loaded > # pfctl -t smtpd_reject_policyd -T flush > 94390 addresses deleted. > # pfctl -t smtpd_reject_spam -T flush > 62464 addresses deleted. > # pfctl -f /usr/local/etc/pf.conf > > So, after I flush the tables it loads. 
> Sometimes, however, we get a global out of memory error " DIOCADDRULE: Cannot allocate memory "
>
> Here are my entries from pf.conf for various limits. Everything else is defaults.
>
> set limit tables 500
> set limit table-entries 250000
> set limit { states 1000000, src-nodes 300000, frags 100000 }
> set optimization normal
> set skip on lo0
> set state-policy if-bound
> set timeout interval 300
> set timeout src.track 1200
>
> Finally, the box is using EM interfaces with VLAN's and has 4 Gig of physical RAM. There are two PF boxes in Active/Failover and the errors show up on both, although they seem to show up more often on the Backup device, which seems odd.
>
> Any help would be greatly appreciated.

My first response would have been to set set limit table-entries but you already did that.

Next thing I would check is a shot in the dark, but worth trying..

What does sysctl vm.kmem_size_max show? Try increasing that size a bit in loader.conf and see if that helps.

Scott

From max at love2party.net Fri Jan 23 10:04:24 2009
From: max at love2party.net (Max Laier)
Date: Fri Jan 23 10:04:32 2009
Subject: Issues with PF and 7.1
In-Reply-To:
References: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan>
Message-ID: <200901231904.22558.max@love2party.net>

On Friday 23 January 2009 18:21:32 Scott Ullrich wrote:
> On Thu, Jan 22, 2009 at 2:32 PM, Michael K. Smith - Adhost
> > wrote:
> > Hello All:
> >
> > We are having memory issues with PF and 7.1p2 that we didn't experience
> > with 6.3. Here's what happens.
> >
> > # pfctl -f /usr/local/etc/pf.conf
> > /usr/local/etc/pf.conf:135: cannot define table smtpd_reject_policyd:
> > Cannot allocate memory /usr/local/etc/pf.conf:139: cannot define table
> > smtpd_reject_spam: Cannot allocate memory pfctl: Syntax error in config
> > file: pf rules not loaded
> > # pfctl -t smtpd_reject_policyd -T flush
> > 94390 addresses deleted.
> > # pfctl -t smtpd_reject_spam -T flush
> > 62464 addresses deleted.
> > # pfctl -f /usr/local/etc/pf.conf
> >
> > So, after I flush the tables it loads. Sometimes, however, we get a
> > global out of memory error " DIOCADDRULE: Cannot allocate memory "
> >
> > Here are my entries from pf.conf for various limits. Everything else is
> > defaults.
> >
> > set limit tables 500
> > set limit table-entries 250000
> > set limit { states 1000000, src-nodes 300000, frags 100000 }
> > set optimization normal
> > set skip on lo0
> > set state-policy if-bound
> > set timeout interval 300
> > set timeout src.track 1200
> >
> > Finally, the box is using EM interfaces with VLAN's and has 4 Gig of
> > physical RAM. There are two PF boxes in Active/Failover and the errors
> > show up on both, although they seem to show up more often on the Backup
> > device, which seems odd.
> >
> > Any help would be greatly appreciated.
>
> My first response would have been to set set limit table-entries but
> you already did that.
>
> Next thing I would check is a shot in the dark, but worth trying..
>
> What does sysctl vm.kmem_size_max show? Try increasing that size a
> bit in loader.conf and see if that helps.

Seconded. My guess is that the system flushes buffers when you first load the tables due to memory pressure, so when you load the tables a second time there is more space available. This, however, suggests that you are pretty thinly stretched regarding kvm and should really increase it. I'd shoot for at least 512M which I believe is the maximum in 7.1 with the stock kernel. It seems that there is work in progress to increase that limit for amd64 in releng_7, however. Increasing this is worthwhile in any case, as I have a hard time imagining what else you'd be doing with those 4G on the firewalls (unless you are running heavy webcaches on them, too).
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From mksmith at adhost.com Fri Jan 23 15:07:30 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri Jan 23 15:07:36 2009
Subject: Issues with PF and 7.1
In-Reply-To: <200901231904.22558.max@love2party.net>
References: <17838240D9A5544AAA5FF95F8D520316056585C1@ad-exh01.adhost.lan> <200901231904.22558.max@love2party.net>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605658786@ad-exh01.adhost.lan>

Hello All:

> > What does sysctl vm.kmem_size_max show? Try increasing that size a
> > bit in loader.conf and see if that helps.
>
> Seconded. My guess is that the system flushes buffers when you first load the
> tables due to memory pressure, so when you load the tables a second time there
> is more space available. This, however, suggest that you are pretty thin
> stretched regarding kvm and should really increase it. I'd shoot for at least
> 512M which I believe is the maximum in 7.1 with the stock kernel. It seems
> that there is work in progress to increase that limit for amd64 in releng_7,
> however. Increasing this is worthwhile in any case, as I have a hard time
> imagining what else you'd be doing with those 4G on the firewalls (unless you
> are running heavy webcaches on them, too).
>

Thanks for the info. In stages, we upped the vm.kmem_size_max from 300M to 1536M after modifying the kernel (we actually tried 2048M but that caused a panic). With the 1536M setting the 'DIOCADDRULE: Cannot allocate memory' doesn't occur anymore, but we still have to flush the tables manually when the system comes up. Now, at least, the flush actually works and PF loads successfully, but only after we do the flush on all the tables. As you can imagine, this is not optimal for unattended/random reboots, which we see about 3 times a week.
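A pre-flight check for the failure mode discussed in this thread, added here as an example; it is not from the thread, from Adhost, or from FreeBSD. It sums the entries in the table files that pf.conf loads and compares the total with "set limit table-entries" (the limit is global across tables, not per table), and applies Max's 512M figure to vm.kmem_size_max when run on a FreeBSD box. The pf.conf, the table file names and their entries are constructed, and the fallback of 200000 entries when no limit is set is an assumed pf default.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: a pre-flight check to
# run before "pfctl -f". It sums the entries of the table files pf.conf will
# load, compares the total with "set limit table-entries", and checks the
# kernel VM size the replies point at. Sample files are constructed below.

# Loadable entries in one table file: blank lines and "#" comments are skipped.
count_table_entries() {        # $1 = table file
    awk '!/^[ \t]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# "set limit table-entries N" from pf.conf. Only the single-line form is
# parsed; the brace form "set limit { ... }" is not. When the option is
# absent, an assumed pf default of 200000 is used.
table_entry_limit() {          # $1 = pf.conf
    limit=$(awk '/^[ \t]*set[ \t]+limit[ \t]+table-entries/ { print $4 }' "$1")
    echo "${limit:-200000}"
}

# Total entries across all table files (the pf limit is global, not per table).
table_total() {                # $@ = table files
    total=0
    for f in "$@"; do
        total=$((total + $(count_table_entries "$f")))
    done
    echo "$total"
}

# Exit 0 when the files fit under the configured limit, 1 when they do not.
tables_fit() {                 # $1 = pf.conf, remaining args = table files
    conf=$1; shift
    [ "$(table_total "$@")" -le "$(table_entry_limit "$conf")" ]
}

# Max Laier's figure from the thread: at least 512M of vm.kmem_size_max.
kmem_ok() {                    # $1 = vm.kmem_size_max in bytes
    [ "$1" -ge $((512 * 1024 * 1024)) ]
}

# Constructed sample pf.conf and table files so the check runs offline.
make_sample() {
    dir=$(mktemp -d)
    printf 'set limit tables 500\nset limit table-entries 250000\n' > "$dir/pf.conf"
    printf '# spam sources (constructed)\n192.0.2.1\n192.0.2.2\n\n192.0.2.3\n' > "$dir/smtpd_reject_spam"
    printf '198.51.100.0/24\n198.51.100.7\n' > "$dir/smtpd_reject_policyd"
    echo "$dir"
}

main() {
    dir=$(make_sample)
    files="$dir/smtpd_reject_spam $dir/smtpd_reject_policyd"
    echo "entries: $(table_total $files) / limit: $(table_entry_limit "$dir/pf.conf")"
    if tables_fit "$dir/pf.conf" $files; then
        echo "tables fit the configured limit"
    else
        echo "tables exceed the configured limit; raise set limit table-entries"
    fi
    # Only meaningful on the FreeBSD box itself; skipped elsewhere.
    if command -v sysctl >/dev/null 2>&1 && kmem=$(sysctl -n vm.kmem_size_max 2>/dev/null); then
        kmem_ok "$kmem" && echo "vm.kmem_size_max ok" || echo "raise vm.kmem_size_max in loader.conf"
    fi
    rm -rf "$dir"
}

main
```

On a live box, point the functions at /usr/local/etc/pf.conf and the files its "table ... file" lines name. Note that Mike's two tables (94390 + 62464 = 156854 entries) sit well under his 250000 limit, which is consistent with the replies turning to kernel memory rather than the pf table limit; this check tells the two causes apart before a reload rather than after it fails.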
Regards, Mike -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 474 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090123/d56a6680/PGP.pgp From lawrence.auster at att.net Sun Jan 25 07:47:01 2009 From: lawrence.auster at att.net (Lawrence Auster) Date: Sun Jan 25 07:47:44 2009 Subject: Why are the Zionist leaders in Israel so happy about the new President? Message-ID: <20090125151632.JTEC16090.cdptpa-omta01.mail.rr.com@2ao1z> Why is the President of Israel, the terrorist who just oversaw the Zionist mass murder and maiming of thousands of Palestinians so happy that Obama is President of the USA? by David Duke Read the excerpt from the Israeli News about how President Perez and Israel think that Obama’s becoming U.S. President is great day for Israel. "Israel’s President Shimon Peres ecstatic over the election of Obama" Ronen Medzini Israel News Jan. 21 “Today is a great day not only for the United States of America, but for the entire world,” President Shimon Peres wrote in a letter addressed to Barack Obama on the day of his inauguration as president of the United States. “Obama was elected by the United States, but as a matter of fact, he was chosen by the whole of humankind,” Why is Peres so ecstatic? Why shouldn’t he be, he knows that Obama is completely in the grip of the extremist Jewish Zionists in America, and he knows that the greater Obama’s popularity and idol worship, the more Obama can do for the International Zionist Cause. 
Any thinking and caring human being who realizes that the Zionist-controlled American foreign policy has been a disaster for the robbed and murdered people of Palestine, Lebanon, Iraq and a catastrophe for the 50,000 American wounded in Iraq and Afghanistan, as well as an economic catastrophe for the hardworking Americans who pay trillions to finance these wars for Israel — must wake up the fact that supporting Obama and increasing his popularity will only aid Zionist terrorism, war, and their murder and oppression of the Palestinians. It will also hasten the economic suffering of billions of people around the world as his popularity enables him to more easily aid the Zionist International Bankers steal the wealth of the United States, Europe and the world. Obama is totally in the bloodstained and green ink- stained hands of the Zionists. The hard truth is that the more good will and support Obama has also gives more power to support the Zionist agenda! Mark my words. The Obama Presidency will be disaster for America and for the world. Obama was put into office by the Zionists. His top two cohorts for years have been the radical Jews David Axelrod and Rahm Emmanuel. Both have long records of radical Zionism and have been attack dogs against anyone perceived as having the slightest opposition to Israel. One such victim was Sen. Charles Percy, who both men worked to defeat and destroy because he dared to only be 99 percent rather than 100 percent pro-Israel. Rahm Emmanuel, a dual citizen of Israel who went to fight for Israel, he has a long pedigree of Jewish extremism. His father served in the Irgun Terrorist Gang and he himself is named after an Irgun terrorist. Zionist leaders in Chicago actually call Obama “the first Jewish President” and boast that Jews were key players in Obama’s every step up the ladder to President. from the very earliest days, extremist Jews were the largest contributors to his campaign. 
In the beginning of his Presidential bid, three Hollywood Jews that constantly make movies about Jewish suffering, but never about the Zionist terrorism and theft against the Palestinian people, Steven Spielberg, David Geffen, and Jeffrey Katzenberg raised 1.2 million for Obama in a single Hollywood party. By the time Obama’s campaign was in full swing, he had huge support from the criminal Zionist International Banking firms such as Goldman Sachs and Lehman brothers. Goldman Sachs was Obama’s biggest single contributor, and his vast war chest came not from American manufacturing firms like GM or even American oil companies, (not one was in his top twenty) it was overwhelmingly dominated by Zionist international bankers, the same ones whose thievery and fraud are giving the world this economic depression. For those looking for meaningful social and political change, do you really think it will come from this man who has already been bought heart, head and soul by the most powerful czars of the international financial establishment and the biggest globalists in the world? I know that many are desperate for change, so desperate that you want to believe anything. But in the face of these facts can’t you see that Obama will be even more dangerous to freedom and justice than even George Bush and his band of Neocons were. What better way to wipe out George Bush’s hated legacy and make the world believe that America has really changed than with the election of Obama. But, all the real Zionist power, Zionist media power, and Zionist financial power in America is still in place, even stronger than ever. Many Americans and others around the world who want to do good are now telling us how wonderful Obama will be as president. What a great change it will be from the old policies. This is because of the Zionist-Controlled media hype, promoting Obama. The fact is that these poor sods are ignorantly helping the radical Zionist agenda in Israel and around the world. 
Every day that you don’t help expose Obama for the Zionist servant that he actually is, his popularity will be a greater danger to peace and freedom. If the Zionist terrorist Shimon Perez is happy about the coronation of Obama, then why in the hell should you be? –David Duke Source : http://www.davidduke.com/general/7303_7303.html ------------------------------------- You or someone using your email adress is currently subscribed to the Lawrence Auster Newletter. If you wish to unsubscribe from our mailing list, please let us know by calling to 1 212 865 1284 Thanks, Lawrence Auster, 238 W 101 St Apt. 3B New York, NY 10025 Contact: lawrence.auster@att.net ------------------------------------- From linimon at FreeBSD.org Sun Jan 25 12:34:04 2009 From: linimon at FreeBSD.org (linimon@FreeBSD.org) Date: Sun Jan 25 12:34:11 2009 Subject: misc/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server Message-ID: <200901252034.n0PKY1ZY033002@freefall.freebsd.org> Synopsis: [netgraph][pf] kernel panic trap 12 on user connect to VPN server Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Sun Jan 25 20:33:47 UTC 2009 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=130977 From bugmaster at FreeBSD.org Mon Jan 26 03:07:03 2009 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jan 26 03:08:36 2009 Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org Message-ID: <200901261107.n0QB70K2024342@freefall.freebsd.org> Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. 
Description
--------------------------------------------------------------------------------
o kern/130977  pf  [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf  [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf  [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf  [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf  [pf] ipv6 and synproxy don't play well together
o conf/127814  pf  [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf  [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf  [pf] deadlock in pf
o kern/127345  pf  [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf  [pf] [patch] pf incorrect log priority
o kern/127042  pf  [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf  [pf] pf keep state bug while handling sessions between
s kern/124933  pf  [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf  [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf  [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf  [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf  [pf] PF mangles loopback packets
o kern/120281  pf  [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf  [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf  [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf  [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf  [carp] carp+pf delay with high state limit
o kern/111220  pf  [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf  [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf  pfsync fails to sucessfully transfer some sessions
o kern/103281  pf  pfsync reports bulk update failures
o kern/93825   pf  [pf] pf reply-to doesn't work
o sparc/93530  pf  [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf  [pf] PF + ALTQ problems with latency
o kern/82271   pf  [pf] cbq scheduler cause bad latency

30 problems total.

From andrew.daugherity at gmail.com Tue Jan 27 17:22:20 2009
From: andrew.daugherity at gmail.com (Andrew Daugherity)
Date: Tue Jan 27 17:22:28 2009
Subject: carp vs. devd, and advskew lossage
Message-ID: <38ce25da0901271659m2b6d8a1fg2e425df93781f6f5@mail.gmail.com>

Summary: devd unnecessarily reconfigures carp interfaces, and "/etc/rc.d/netif start carp0" loses the advskew setting when an IP assigned to carp0 is configured on gif0. This is probably two separate bugs.

I've got a pair of 7.1/amd64 boxen acting as load-balancers in a CARP failover pair. One has advskew 0, the other advskew 100, so that the first one is preferred. I also have configured a gif(4) interface on each to tunnel between two private networks at different sites. Both the public and private IP on gif0 are assigned to carp0, and connections through this tunnel fail over as expected. Life is good, except for the following annoyances:

The problem is that if I configure gif0 in rc.conf, the "slave" (configured advskew 100) comes up with advskew 0 instead, and becomes the carp0 master on boot about 50% of the time. If, however, I comment out the configuration for gif0 in rc.conf and then run the ifconfig and route commands for plumbing gif0 after the box is up, carp0 has advskew 100 as expected. Also, if I use IPs that are unique to that box for gif0 (and not configured on a carp interface), carp0 is configured properly with advskew 100. Of course, in this case the tunnel doesn't fail over.

However, I discovered the problem goes deeper than this.
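One way to detect the advskew symptom just described after boot, added here as an example that is not part of Andrew's post or of FreeBSD's rc scripts: compare the advskew requested in rc.conf with the value the kernel reports for carp0, so a box that silently came up with advskew 0 (and may have stolen master) is flagged instead of discovered by accident. The rc.conf line and the ifconfig output are constructed; the "carp: STATE vhid N advbase N advskew N" layout is the one FreeBSD 7's carp(4) interface prints. The devd side of the problem is not covered by this check.

```shell
#!/bin/sh
# Added example, not from Andrew's post or from FreeBSD's rc scripts: after
# boot, compare the advskew requested in rc.conf with the one the kernel
# reports for the carp interface, to catch the silent reset to 0 described
# in the thread. The rc.conf line and ifconfig output below are constructed;
# the "carp: STATE vhid N advbase N advskew N" layout is FreeBSD 7's carp(4).

# advskew requested in rc.conf for an interface (0 if unset, carp's own default).
expected_advskew() {           # $1 = rc.conf, $2 = interface name
    awk -v ifn="$2" '
        $0 ~ "^ifconfig_" ifn "=" {
            for (i = 1; i <= NF; i++)
                if ($i == "advskew") { print $(i + 1); found = 1 }
        }
        END { if (!found) print 0 }' "$1" | tr -d '"'
}

# advskew the kernel reports, taken from the "carp:" line of ifconfig output.
actual_advskew() {             # stdin = ifconfig <if> output
    awk '/carp:/ { for (i = 1; i <= NF; i++) if ($i == "advskew") print $(i + 1) }'
}

# Exit 0 when the running advskew equals the configured one, 1 otherwise
# (including when no carp: line is present at all).
advskew_matches() {            # $1 = rc.conf, $2 = interface, $3 = ifconfig output
    want=$(expected_advskew "$1" "$2")
    have=$(printf '%s\n' "$3" | actual_advskew)
    [ -n "$have" ] && [ "$want" = "$have" ]
}

# Constructed rc.conf for the "slave" box: advskew 100 so the peer is preferred.
sample_rcconf() {
    f=$(mktemp)
    printf 'ifconfig_carp0="vhid 1 advskew 100 pass SECRET 192.0.2.10/24"\n' > "$f"
    echo "$f"
}

# Constructed ifconfig output: what the slave showed after boot in the thread
# (advskew lost, and therefore MASTER) and what it should show.
BROKEN_OUTPUT='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0'
GOOD_OUTPUT='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100'

main() {
    rc=$(sample_rcconf)
    for sample in "$GOOD_OUTPUT" "$BROKEN_OUTPUT"; do
        if advskew_matches "$rc" carp0 "$sample"; then
            echo "carp0: advskew matches rc.conf"
        else
            echo "carp0: advskew differs from rc.conf (want $(expected_advskew "$rc" carp0))"
        fi
    done
    # On a real box: advskew_matches /etc/rc.conf carp0 "$(ifconfig carp0)"
    rm -f "$rc"
}

main
```

Run from a late rc.d script or cron on both members, the mismatch message is the signal to re-run the netif start/stop sequence the post describes and to look for the devd re-configuration in the console log.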
After enabling rc_debug and watching the console scrollback, I discovered that carp0 was initially configured correctly by rc.d/netif, and then after devd started, it called the (misnamed) pccard_ether script on interfaces it thinks aren't "up", which includes carp0. pccard_ether in turn calls "rc.d/netif start carp0". Besides needlessly reconfiguring carp0 (and doing so incorrectly when the gif issue is in play), this also calls "rc.d/routing static" again which then complains about the routes already existing.

I solved the devd issue by telling it to ignore carp attach events, by installing the following as /usr/local/etc/devd/carp.conf:

====
# don't have devd call network_start on carp0; for some reason this
# loses the advskew setting (besides being entirely superfluous).
notify 100 {
	match "system" "IFNET";
	match "subsystem" "carp[0-9]+";
	match "type" "ATTACH";
	action "echo devd called on $subsystem, type $type";
};
====

The second bug is that "rc.d/netif start carp0" always brings it up with advskew 0 when a carp IP is assigned to gif0, regardless of the ifconfig_carp0 setting in rc.conf. If, however, I do "rc.d/netif stop" and then "rc.d/netif start" (with no interface specified, and of course from the console), carp0 is brought up with the correct advskew setting.

So then... should I file one or two bugs for this? Assuming I'm not missing something, both of these issues seem to be incorrect behavior.

From lawrence.auster at att.net Thu Jan 29 14:28:44 2009
From: lawrence.auster at att.net (Lawrence Auster)
Date: Thu Jan 29 14:29:05 2009
Subject: The “Military, Industrial Complex” is no more -- The Hidden Massive Racial Discrimination in America against Whites
Message-ID: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net>

The “Military, Industrial Complex” is no more. Today it is the Political, Financial and Media — Zionist Complex! 1/28/2009 A short essay by Dr.
David Duke The “Military-Industrial complex” really has no relevance to the real holders of global power today. America is the most powerful military and economic nation on earth. The powers that control the levers of political power in America possess the greatest power the world has ever seen. Who really has power over the government today? Is it the fabled “Military, Industrial Complex”? An effective gauge of direct political power in America is “to discover who provided the pivotal amounts of the billion-dollar recent campaigns for U.S. President. You can look directly at campaign contributions for every candidate from the Federal Election Commission in order to find out who holds the real power in politics. So, who holds the real power over the American political establishment? Let’s first look at who does not hold much power over the establishment. 1) It is not the military. There is not any organized military monetary influence or even significant political influence of the military over the politicians. In fact, no one in military positions of authority are allowed to openly get involved in politics. No active sergeant, lieutenant, or General can send out a directive to the men under him to support or oppose a particular candidate (the one exception I know to that was when the Louisiana commanding general of the National Guard, under Jewish influence, sent a letter to all national guardsmen telling them that it was their “patriotic duty” to vote against David Duke and for the Liberal corrupt former Governor, Edwin Edwards. Even that caused a scandal in military circles, as it should have. 2) It is NOT major manufacturing or even the huge oil companies. There was not one oil company and only a couple of legitimate manufacturing or industrial concerns on Obama and McCain’s top twenty contributor list. The list was completely dominated by Zionist international banking firms. 
If one combines every defense contractor’s contributions the money they give in politics is minuscule compared to Zionist international banks. They don’t even come close to the power in lobbying that AIPAC and a couple of dozen more Jewish extremist organizations have. Jewish lobbyists literally get almost unanimous support in Congress for outrageous giveaways to Israel, a nation that has committed terrorism against us and killed or maimed scores of Americans. I am not talking about contracts here, I am speaking about giving away billions of dollars to a foreign nation. So, so much for the media-popularized term, the military-industrial complex In direct political money and lobbying then, Zionists are the undisputed masters of the American political establishment. In addition to their control through the use of money as an inducement or a threat, they have tens of thousands of Jewish extremists scattered throughout the entire bureaucracy who are very conscious of supporting their brethren and supporting the organized Jewish agenda. They also are ready to act against any Gentile who dares to go against Israel or the Jewish agenda. How will a Jewish federal judge rule in a huge litigation issue between Jewish and non-Jewish parties? Why was the biggest robber in the history of the world, Bernie Madoff who stole over 50 billion dollars and who ruined tens of thousands of families, only charged with one criminal count, and allowed to stay in his luxury apartment to await trial? Is there an organized Jewish agenda? Absolutely. In fact, the leading and most powerful Jewish groups have a supra-organization called the Council of Presidents (composed of the most powerful 5 dozen Jewish organizations in America). They issue detailed positions not just on Mideast policy but on many other issues that have nothing to do with Israel, aspects of domestic policy including issues such as opening America’s borders. 
They even assume positions on issues that you wouldn’t even think would have unanimity among Jews, such as abortion rights. Their job is to make sure that Jewish power is absolutely united on what they decide are their common agendas. Next, we must talk about one of the most influential parts of the American political process, the mass media. The media, such as the NY Times and the Washington Post (the newspaper read by every member of America’s government and bureaucracy in Washington). The Washington Post can determine even what issues Congress will discuss and it greatly affects the publicity for or against those issues. Broadcast and cable television also have an enormous impact, and we can include movies, books, magazines and the newspaper chains that reach down into almost every American community. As my chapters in Jewish Supremacism on “Jewish Media Supremacy” document, the ownership, depth and breadth of Jewish influence in the media is simply breathtaking. In media, whether you speak of owners, administrators, managers, editors, producers, writers, correspondents, pundits and reporters, there is an army of Jews who are animated by the Holocaust and the issues of the organized Jewish community. If you haven’t yet read them, you simply must see the evidence on the Jewish supremacy in media I have compiled in my books Jewish Supremacism and My Awakening. The other great seat of establishment power is simply money, huge sums of money and the willingness to use those funds on behalf of an agenda. The biggest concentrations of wealth in the world today are in the Zionist international banks, and in financial groups that the Jews completely control such as the Federal Reserve Corporation, the same forces that have led us to the doorstep of a great depression. It is no accident that Alan Greenspan and Ben Shalom Bernanke are the last two of the Federal Reserve czars. 
Even in days of World War I, an immensely rich, Jewish international banker, Jacob Schiff, voiced pride in the fact that he was instrumental in weakening Czarist Russia (the government that Jews universally hated), and that he supported Russia’s enemies so as to make Russia ripe for communist overthrow (Jewish groups brag of his help to Japan in the Russo-Japanese War so as to hurt the Russian government). Schiff also gave millions of dollars to directly finance the Jews who led and organized the Russian revolution and the Bolshevik terror in Russia. There is no disputing of these facts. Plenty of Jewish history books detail all of it. So, frankly, financial power in the control of people who will use it for an agenda is also a key ingredient of real power. Again, the financial power in the hands of modern day Jacob Schiff’s, is an incredibly powerful weapon. So forget about the “Military-Industrial Complex.” That is passe. In today’s world it makes more sense to speak about the “Political, Financial and Media Zionist complex.” That is the real core of power that bends everything whether it be local laws, or giant corporations, to its will. Even if one of the world’s richest firms, such as Microsoft (which is now by the way run by a Jewish extremist), would buck the political, financial, and media Zionist complex, it would be broken by government fiat, the Jewish-influenced courts (such as anti-trust actions), and by vicious attacks by the Jewish-influenced media. Microsoft would either be dismembered or destroyed. Such are the realities of the modern world. There is no longer a “military industrial complex,” but there is a Political and media and financial Zionist complex that rules us and aims to control the whole world. No single part of this behemoth can be defeated, because it can use its other assets to defend the section under attack. 
It can only be brought down by concentrating all our political and ideological fire right on the core the problem, International Zionism and its driving impetus: Jewish Supremacism. —Dr. David Duke Source : http://www.davidduke.com/general/forget-the-military-industrial-complex-today-its-the-political-financial-and-media-zionist-complex_7394.html ---- The Hidden Massive Racial Discrimination in America against Whites 1/29/2009 The main argument for affirmative action is that institutions should reflect racial percentages of population, if not there must be de facto racial discrimination. Here is the breakdown of students by race at America’s premier university, Obama’s alma mater, Harvard. Even though non-Jewish White Americans are almost 70 percent of the population and on average score much higher on entrance exams, they are only about 22 percent of the Harvard student body. So what race is really the victim of racial discrimination? For those who are truly dedicated to stopping racial discrimination, what are you going to do about this massive discrimination, or does it not matter to you because White people happen to be the victims? The hidden, massive racial discrimination that goes on in America against White people! A U.S. Government study offers proof that European Americans face massive institutional racial discrimination that affects millions of the most talented and educated of our people Introduction by Dr. David Duke – As most of you know, the term “white supremacist” has become literally a prefix of my name when I am in the news. It is the media’s way to condition readers not to pay attention to what I say because I am a “white supremacist.” The truth is I am not a White supremacist, and I seek no supremacy or control over any people, but I do demand that the rights of people of European descent to be respected as much as any other people’s rights. 
The fact is that in the United States of America, Canada, the UK in many areas of Europe Whites face a powerful state-sanctioned, and often mandated, racial discrimination against White people who are better-qualified than their non-White counterparts. It may be surprising to some reading this, but millions of discriminated against Whites are often poorer and who face more difficult social situations than many of their non-White counterparts who are being given preference over them. It also affects the most talented of our people. Many Whites are under the mistaken impression that the White victims of racial discrimination are mostly from the low income and low IQ sectors of the population. Nothing could be further from the truth. In actuality, the percentages of Whites who are victims of racial discrimination are much higher in the sectors of the White population with the highest intelligence and greatest abilities. The facts are shocking, but true. Most people know that most universities have programs of admittance that give less-qualified minorities preference over better-qualified Whites. Almost all of the Fortune 500 largest corporations have affirmative action and diversity programs that discriminate against White people, both male and female, in hiring. They also have programs of discrimination that favor non-Whites in promotions and advancement. This is true in the academic area as well. You can look at almost any academic department of any American university and you will see in place a strong racial bias for “minorities” in preface over Whites in hiring and advancement. Whether you are talking about a university History, English or Math department in almost any university these policies are in place and powerful. These racial discriminatory policies are real, and they can be easily proven to exist. But, now we thanks to a government study, there is even a more powerful way to show their real impact on tens of mi llions of White Americans. 
The brilliant economist and author whose pen name is Yggdrasil has compiled the data from the National Longitudinal Survey of Youth (NLSY) 1979, which was a massive study conducted by the Department of Labor to track the lives of 155,000 Americans by race, IQ, income, education and other factors to see how remedial efforts for minorities were doing. It was done after the installation of so called “affirmative action” programs which gave preference to non-White groups over whites. The NLSY study is meant to follow this huge sampling for their entire lives to see how diversity is working out for America. The data is from this ongoing study is tangible proof of the horrendous level of racial discrimination going on against White people. I will link you to Yggdrasil’s fine paper in a moment, but let me first give you a couple of snippets from his work that proves the existence of massive racial discrimination going on against our people. Here is a chart showing the ethnic breakdown of the most prestigious university in the United States of America: Harvard. America’s premier university is extremely expensive (unless you receive special grants and scholarships) and a degree from it just about guarantees its graduates the best paid and prestigious jobs America has to offer. Affirmative action advocates have long said the companies or institutions that don’t reflect the actual racial population percentages are de facto racist and discriminatory. So what is the situation at Harvard, non-Jewish Whites who are about 70 pecent of the American population are only about 22 percent of the Harvard student body. One should first consider the fact that Whites are represented in the top two percentile level on college admission tests on an average that is a 5 times higher rate than non-White groups. 
If one then factors in the fact that Whites are also 70 percent of the population, there should be at least 25 times more Whites who would be better qualified than the non-White students currently at Harvard. But even though these Whites are the best and brightest America has to offer they are limited to only 20 percent of Harvard students! Such is nothing more than blatant, racial discrimination. Another interesting fact one can gleam from this chart and many in the NLSY studies that Jewish over-representation is not based simply on the fact that Jews have a high intelligence, they often do twice as well as their intelligence bracket would indicate. Such would suggest the intra-tribal support system for group cohesion and advancements aids their success rate. The NLSY data also shows how incomes today in the USA correlate with race and intelligence. Let’s take a look NLSY tracking studies of intelligent White women, these are White women in the 90 to 97 percent IQ bracket as compared to Black women in that same high 90 to 97 percent IQ bracket. The average Black females of that IQ level earned an average of approximately $54,000 per year through 1996, whereas White females on the same IQ level earned only half of that amount, about $28,000 per year through 1996. When White women in the same intelligent bracket of Black women earn half of the average amount that the Black women do, that’s real racial discrimination. I am not referring here to a few White women who are at least equally qualified but getting half the salary that Black women do, I am talking about the average White women in America! The NLSY is a big enough sample that reflects the whole nation. In fact it is meant to. The average White woman of high intelligence earns one-half of what Black women do of the same intelligence! I obviously don’t like this racial discrimination against our people. Neither does the economist Yggdrasil. 
We advocate that the best person regardless of race gets whatever college admission or job or promotion their abilities dictate. We have no fear of how well our people will do on a fair playing field. Because we stand for true civil rights, human rights in the matter, we are called racists, and the real capper: “white supremacists.” There are many people in America and around the world who are ignorant of the facts of anti-White racial discrimination. The media acts like it doesn’t exist. Even after the election of an affirmative action African-American President, America is still painted as an anti-Black racist country. The truth is that European Americans are facing racial discrimination in the very institutions and nation that our forefathers created. Our movement is truly a liberation movement like any other in the world that strives for a people to free and live in society of our own values rather than oppressive society imposed upon us. We are not racists or supremacists trying to deny the rights of others. We are human rights activists defending our people’s rights and heritage. –Dr. David Duke Source & Charts : http://www.davidduke.com/general/the-real-racial-discrimination-that-goes-on-in-america_7407.html ----- Obama’s Mideast Jewish Wet Dream Team George Mitchell is the new American envoy now in the Mideast. Who is Mitchell and who are the key players in Obama’s Mideast policy team? First, let’s examine the major players on the Obama foreign policy team. Roger Cohen writing in The New York Times on January 11, 2009 wrote some things that if he were a Gentile would have earned him some attacks as an “anti-Semite.” He pointed out the incredible top-heavy pro-Zionist content of the team which is supposed to broker a fair and just peace in the Mideast. 
In discussing the team he identified them with these words: They include Dennis Ross (the veteran Clinton administration Mideast peace envoy who may now extend his brief to Iran) [a long-time Jewish Zionist]; James Steinberg [Jewish Zionist] (as deputy secretary of state) ; Dan Kurtzer [Jewish Zionist] (the former U.S. ambassador to Israel); Dan Shapiro [Jewish Zionist] (a longtime aide to Obama); and Martin Indyk [Jewish Zionist] another former ambassador to Israel who is close to the incoming secretary of state, Hillary Clinton.) Now, I have nothing against smart, driven, liberal, Jewish (or half-Jewish) males; I’ve looked in the mirror. I know or have talked to all these guys, except Shapiro. They’re knowledgeable, broad-minded and determined. Still, on the diversity front they fall short. On the change-you-can-believe-in front, they also leave something to be desired. Cohen did not even mention that the two closest advisers to Obama, the guys that filter almost everything that Obama see and hears and makes the day to day decisions of running the oval office. They are David Axelrod and Rahm Emmanuel, two long time dedicated Jewish extremists. Emmanuel, son of an Irgun terrorist and named after another Irgun terrorist, even fought in the Israeli Army. Now we come to the new envoy to the Mideast, George Mitchell of Maine, the man who is supposed to be a broadminded and just arbitrator between Israel and the Palestinians. The Jewish-influenced has made a big point of Mitchell’s Lebanese ancestry. What the Zionist media doesn’t tell you is that he has been completely under the control of AIPAC and radical Zionists for years. As Senate Majority Leader he rammed through everything Israel wanted. He even supported the Senate resolution that gave Israel unconditional support during the Zionist massacre of thousands of Gaza civilians. 
In fact, originally an appointee to the Senate, Mitchell owes his entire Senate career on the massive support given him in 1982 and since by AIPAC and 27 other Jewish extremist controlled political action committees that AIPAC arranged. AIPAC’s Tom Dine summarized AIPAC’s success in Mitchell’s election by saying that “American Jews are thus able to form our own foreign policy agenda.” Of course, Dine spoke the complete and unvarnished truth. American and Israeli extremist Jews do indeed control the foreign policy of the United States. Such control has long gone on in concert with past U.S. Presidents and it goes on today with Obama. Only difference is that today there is a greater danger because many in America and around the world falsely believe that Obama represents change. With the incredible respect and adulation given to Obama, he is in a much better position to support the Zionist war agenda and ultimately do far more harm than a discredited George Bush. Hold on to your hats, America. I predict Obama will usher in war and conflagration that will make George Bush’s presidency seem mild in comparison. He has already announced a doubling of American troops in Afghanistan. Can a catastrophic war with Iran be far behind? Jewish extremists want this war and Obama is completely under their control! – Dr. David Duke Source : http://www.davidduke.com/general/who-is-on-obamas-dream-team-for-mideast-peace_7380.html ------------------------------------- You or someone using your email adress is currently subscribed to the Lawrence Auster Newletter. If you wish to unsubscribe from our mailing list, please let us know by calling "to 1 212 865 1284 Thanks, Lawrence Auster, 238 W 101 St Apt. 
3B New York, NY 10025
Contact: lawrence.auster@att.net
-------------------------------------

From ivanatora at gmail.com Thu Jan 29 22:37:44 2009
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Thu Jan 29 22:38:01 2009
Subject: Re: The "Military, Industrial Complex" is no more -- The Hidden Massive Racial Discrimination in America against Whites
In-Reply-To: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net>
References: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net>
Message-ID: 

Excuse me, why does such spam come to the members of the freebsd-pf mailing list?

On Fri, Jan 30, 2009 at 12:05 AM, Lawrence Auster wrote:
> The "Military, Industrial Complex" is no more.
> [...]
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From ivanatora at gmail.com Fri Jan 30 01:45:47 2009
From: ivanatora at gmail.com (Ivan Petrushev)
Date: Fri Jan 30 01:45:54 2009
Subject: Re: The "Military, Industrial Complex" is no more -- The Hidden Massive Racial Discrimination in America against Whites
In-Reply-To: <4982A23B.6020809@radel.com>
References: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net> <4982A23B.6020809@radel.com>
Message-ID: 

So there is no spam protection or whatever installed on the software servicing the mailing list? Abuse control? User registration approval?

On Fri, Jan 30, 2009 at 8:46 AM, Jon Radel wrote:
> Ivan Petrushev wrote:
>> Excuse me, why does such spam come to the members of the freebsd-pf mailing list?
>>
>> On Fri, Jan 30, 2009 at 12:05 AM, Lawrence Auster wrote:
> ....crap trimmed....
>
> Oh, for heaven's sake get a grip. DO NOT SEND THE WHOLE LOAD OF CRAP TO
> ALL OF US YET AGAIN! At very least, learn to trim.
>
> As to your question: Because somebody sent it to the mailing list.
> Doh! There are a lot of these going to many technical mailing lists,
> many with forged return addresses.
>
> --Jon Radel
>

From max at love2party.net Fri Jan 30 02:09:45 2009
From: max at love2party.net (Max Laier)
Date: Fri Jan 30 02:09:52 2009
Subject: Spam
In-Reply-To: 
References: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net> <4982A23B.6020809@radel.com>
Message-ID: <200901301109.41392.max@love2party.net>

On Friday 30 January 2009 10:45:46 Ivan Petrushev wrote:
> So there is no spam protection or whatever installed on the software
> servicing the mailing list? Abuse control? User registration approval?

The FreeBSD mailing lists have a very high S:N ratio thanks to the excellent job of our postmasters. Every now and then, however, spam does slip through. Your whining doesn't help the matter in any way - esp. if you requote the message.

> On Fri, Jan 30, 2009 at 8:46 AM, Jon Radel wrote:
> > Ivan Petrushev wrote:
> >> Excuse me, why does such spam come to the members of the freebsd-pf mailing list?
> >>
> >> On Fri, Jan 30, 2009 at 12:05 AM, Lawrence Auster
> >> wrote:
> >
> > ....crap trimmed....
> >
> > Oh, for heaven's sake get a grip. DO NOT SEND THE WHOLE LOAD OF CRAP TO
> > ALL OF US YET AGAIN! At very least, learn to trim.
> >
> > As to your question: Because somebody sent it to the mailing list.
> > Doh! There are a lot of these going to many technical mailing lists,
> > many with forged return addresses.
> >
> > --Jon Radel
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> !DSPAM:4982cc5c68861640720005!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From inf0s at 1command.com Fri Jan 30 02:29:09 2009
From: inf0s at 1command.com (inf0s@1command.com)
Date: Fri Jan 30 02:29:16 2009
Subject: The "Military, Industrial Complex" is no more -- The Hidden Massive Racial Discrimination in America against Whites
In-Reply-To: 
References: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net> <4982A23B.6020809@radel.com>
Message-ID: <20090130020219.beajlt1j40080w8w@webmail.1command.com>

The /real/ question here is why there isn't /more/ spam on this list, really.

I've been working on an anti-spam solution for about 9 months. It's a completely automated system. In the first 3 months it had garnered over 5 million spam sources - that's over 5 million IP addresses. Each and every IP was an /actual/ spam source - not one false positive. So, given all the lists they manage here, it's nothing but remarkable that we're not seeing more spam than we do. In my opinion, after being on this list for several years, we see damn little spam.

Best wishes.

--Chris

Quoting Ivan Petrushev :

> So there is no spam protection or whatever installed on the software
> servicing the mailing list? Abuse control? User registration approval?
>
> On Fri, Jan 30, 2009 at 8:46 AM, Jon Radel wrote:
>> Ivan Petrushev wrote:
>>> Excuse me, why does such spam come to the members of the freebsd-pf mailing list?
>>>
>>> On Fri, Jan 30, 2009 at 12:05 AM, Lawrence Auster
>>> wrote:
>> ....crap trimmed....
>>
>> Oh, for heaven's sake get a grip. DO NOT SEND THE WHOLE LOAD OF CRAP TO
>> ALL OF US YET AGAIN! At very least, learn to trim.
>>
>> As to your question: Because somebody sent it to the mailing list.
>> Doh! There are a lot of these going to many technical mailing lists,
>> many with forged return addresses.
>>
>> --Jon Radel
>>
>>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From jon at radel.com Fri Jan 30 07:45:15 2009
From: jon at radel.com (Jon Radel)
Date: Fri Jan 30 07:45:21 2009
Subject: OT Spam technology was: Re: The "Military, Industrial Complex" is no more -- The Hidden Massive Racial Discrimination in America against Whites
In-Reply-To: 
References: <20090129220509.LWGL12540.fed1rmmtao106.cox.net@fed1rmimpo02.cox.net> <4982A23B.6020809@radel.com>
Message-ID: <4983207A.3070502@radel.com>

Ivan Petrushev wrote:
> So there is no spam protection or whatever installed on the software
> servicing the mailing list? Abuse control? User registration approval?
>
> On Fri, Jan 30, 2009 at 8:46 AM, Jon Radel wrote:
>> Ivan Petrushev wrote:
>>> Excuse me, why does such spam come to the members of the freebsd-pf mailing list?
>>>
>>> On Fri, Jan 30, 2009 at 12:05 AM, Lawrence Auster
>>> wrote:
>> ....crap trimmed....
>>
>> Oh, for heaven's sake get a grip. DO NOT SEND THE WHOLE LOAD OF CRAP TO
>> ALL OF US YET AGAIN! At very least, learn to trim.
>>
>> As to your question: Because somebody sent it to the mailing list.
>> Doh! There are a lot of these going to many technical mailing lists,
>> many with forged return addresses.
>>
>> --Jon Radel
>>
>>

Hmmmm...that's about as useful as my asking why you were allowed to forward personal mail I sent to you on to this mailing list. (Heads up: many people consider that rather rude.)

I'm not sure you've sufficiently thought through how a spam filter works. Suffice it to say, until there is some pattern of abuse established, there's not much an automated filter can do. You need some word choice, pattern of words, formatting style, source address, header, phone number, URL and/or some combination of these which has in some fashion been determined to be "bad". Consequently, the first couple of examples of a soberly worded political statement really aren't going to trigger any automated spam filtering, no matter how far out on whichever fringe that statement might be to humans who can actually comprehend what it says.

"Abuse control"

Beautiful words. Describe what you mean with enough precision so that somebody can program something up that a brutally literal-minded computer can follow.

"User registration approval"

Pray tell, unless the list managers pay for intensive background investigations for all new subscribers, how are they to reliably tell the difference between somebody who plans to send as many screeds as possible before being cut off and some PF fan boy just dying to drone on about why Cisco SIP fixup makes ASAs so inferior to what PF does?

About the only way to keep this from ever happening is to have a moderated list which depends on security much stronger than the return address of the moderator. (This particular "set" of messages has been seen recently on some announcement lists where the sender simply forged the return address of a moderator.) However, a moderated list has costs of its own, requiring much volunteer or paid labor and, unless you pay for a staff of 6+, generally involving what can be substantial delays.

All that said, there are various heuristic methods in play to increase the cost and reduce the probability of spamming on the FreeBSD mailing lists, which is why the noise from spam is so low. Lower even than the noise from people writing about the spam.

And now I've finished adding noise. Respond privately, please, if you for whatever reason feel you have more to add to this discussion. And refrain, if you don't mind, from forwarding my personal mail to a mailing list.

--Jon Radel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3283 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090130/ca329048/smime.bin