Throttling certain connection for a computer behind NAT
The FreeBSD Forums » Firewalls
by Speedy
21h ago
There is a video stream which is 24x7 on. Firefox plays it back and unfortunately keeps going into HD mode which is not desirable, causing gigabytes of unwanted traffic. I have not found any way to fix it into a lower quality in client computer. Thus I'm thinking about throttling it in my FreeBSD router. IPFW can do it, but there is more than one remote IP address which must be throttled, complicating the setup. I have NATD running, but my understanding is there is no throttling option. Ideas how to do it with least pain are welcome. Thanks ..read more
Pf not blocking all traffic from blacklisted ip addresses
The FreeBSD Forums » Firewalls
by pez
5d ago
I've set up pf to block any traffic contained in 2 files. However, I've found that some, but not all, traffic from IP addresses that should be blocked is getting through. pflog shows some traffic from blocked IPs being dropped, while my postfix and apache logs show some traffic from the same IP addresses.
pf.conf
Code:
ext_if="vtnet0"
scrub in
table <block-em> persist file "/etc/pf.blocked.ip.conf"
block drop in log (all) quick on $ext_if from <block-em> to any
table <stretchoid> persist file "/etc/pf.blocked.stretchoid"
block drop in log (all) quick on $ext_if from < ..read more
Do priority levels scale in PF?
The FreeBSD Forums » Firewalls
by puppydog
5d ago
Wasn't sure how to phrase the topic question. What I'm wondering is if the priority flag is used for rules, is it just a matter of which packets have the higher priority, or does it get *more* prioritized at higher priority levels? Like for instance, if I have some traffic at the default priority 3, but I want some other sort of traffic to be higher priority. Relative to the priority 3 traffic, is the prioritization exactly the same whether it is priority 4 or priority 7? Or would it get more and more prioritized the higher the number I set ..read more
Discussing BPF + IPFW + TAG for L7 Filtering on FreeBSD
The FreeBSD Forums » Firewalls
by hsingli
1w ago
Hello Forum, I am conducting tests on a L7 filter setup using BPF, IPFW, and TAG, based on the resource: Tutorial_NETGRAPH_A4_Slides.pdf. I am particularly interested in the section "BPF + IPFW + TAG = L7 Filter". During experiments on my FreeBSD system, I encountered an issue where packets do not seem to enter the rules I set up in IPFW, despite my efforts to smoothly route packets through BPF for tagging. Could this indicate that I have not correctly configured my Ethernet driver? I welcome discussion from anyone interested or experienced in this topic. Thank you ..read more
Picking a Release for pf
The FreeBSD Forums » Firewalls
by smdb01us
1w ago
Howdy, just picking your brain on this. I use 13.2-RELEASE for my home firewall, nothing fancy, just a few rules on pf and DHCP server. I want to upgrade but undecided for 13.3 or 14.0. I don't think there are significant upgrades to networking/pf on 14.0 so leaning towards 13.3 as my perception is that perhaps is a bit more stable? Thoughts? I appreciate y'alls input ..read more
Pf is still passing traffic after anchor is cleared
The FreeBSD Forums » Firewalls
by tOsYZYny
1w ago
I split out my entire ruleset into various anchors for more fine-grained control, but it does not seem to work as expected. In particular, I have an anchor that allows traffic to the specific VPN service I use for work at a preset time of day. It is also worth pointing out that my generic web anchor has a table of devices it passes traffic to/from and this device is not included in that table (nor is it added dynamically). The rationale being that all traffic should only be going through the VPN (the exceptions to that are allowing traffic to Apple for periodic updates, Microsoft for teams an ..read more
Ipfw and pf
The FreeBSD Forums » Firewalls
by user_new
2w ago
Hello everyone, I would like to use pf and ipfw at the same time for different tasks, but I can not understand who is activated first (if there is an order) when a rule is received. Also trying to verify this, I can’t figure out where the pf and ipfw log files are located on both OPNsense and FreeBSD. Please, help me. Thanks in advance ..read more
Pf is preventing connection to a samba jail, but nothing appears to be logged
The FreeBSD Forums » Firewalls
by puppydog
2w ago
I have a pf firewall script that I've been putting together (partly converting from my old ipfw script and partly improving for current needs), and I cannot figure out what is going on here with my samba jail. I use samba as a time machine backup target for Mac, and with pf disabled it works just fine. But the moment I turn it on, all attempts fail. I must be missing something obvious here but I don't see what it is. I made a trimmed down copy of my script that removes everything except the rules affecting the Samba jail and the host in an attempt to figure out why the connection is failing ..read more
Help me SSH in when wg0 is up - pf.conf
The FreeBSD Forums » Firewalls
by quakerdoomer
2w ago
I am connecting to a wireguard server - say 1.2.3.4. When wg0 is down, internet should be blocked and it does get blocked as required. Is it possible to have a pf.conf which at the same time, regardless of the state of wg0 down/up, allows me to ssh in?
Code:
lan=re0
wifi=wlan0
vpn=tun0
wireguardnetwork=wg0
nat on wlan0 from 10.0.0.0/24 to any -> (wifi)
block in all
block all
set skip on lo
set skip on $wireguardnetwork
set skip on $vpn
pass on $wifi proto { udp,tcp } to 208.67.222.222
pass on $wifi proto udp to 1.2.3.4 port 60100
pass on $wifi proto tcp to 1.2.3.4 port 443
pass on ..read more
BVCP and pf rules
The FreeBSD Forums » Firewalls
by Otis B. Driftwood
2w ago
I can access the BVCP web interface on my FreeBSD workstation when I have the PF firewall disabled, but whenever I have PF firewall enabled and try to connect to a BVCP web interface, I get the following error: "Unable to connect to Backend module". I would expect it to work if I open inbound port 443 for https and port 8086 for BVCP in my pf.conf, but something else needs to be configured, as well, to get it working. Does anyone have any idea what I need to fix in this pf.conf to allow access to the backend module?
Code:
ext_if = "em0"
local_net = "192.168.50.0/24"
block all
pass in prot ..read more
