From: Frank
Date: Sun, 10 Oct 2004 12:37:42 +0200
Subject: CARP in RELENG_4

Hi,

I'm thinking about using the CARP patchset

http://people.freebsd.org/~mlaier/CARP/20040823-carp.RELENG_5.diff

and porting it back to RELENG_4.

Before I start doing that, I want to check first if this is an
accomplishable goal. So, my question is, does anybody know a reason (e.g.
major incompatibility between FreeBSD 4.x and FreeBSD 5.x) that makes this
task difficult or even impossible? Or can this be done easily enough????

Regards,
Frank


From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 11 Oct 2004 12:14:07 +0200
Subject: Re: CARP in RELENG_4

On Sunday 10 October 2004 12:37, Frank wrote:
> Hi,
>
> I'm thinking about using the CARP patchset
>
> http://people.freebsd.org/~mlaier/CARP/20040823-carp.RELENG_5.diff
>
> and porting it back to RELENG_4.
>
> Before I start doing that, I want to check first if this is an
> accomplishable goal. So, my question is, does anybody know a reason (e.g.
> major incompatibility between FreeBSD 4.x and FreeBSD 5.x) that makes this
> task difficult or even impossible? Or can this be done easily enough????

You will certainly have some API gaps to fill. Some will be very obvious (as
you will just hit undefined functions), some will be more disturbing as
functions may act differently. All in all it should be doable. Yet with a
certain amount of work.

That said, I don't see the point. RELENG_4 is past now, hail to RELENG_5 :-)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


From: Frank
Date: Mon, 11 Oct 2004 12:37:21 +0200
Subject: RE: CARP in RELENG_4

Hi,

The reason that I'm considering the backport is that I'm not yet convinced
that RELENG_5 has the same level of stability as FreeBSD 4.x has.

I understand of course that introducing this patch might create an
instability... But the patch itself is rather small, and not extremely
complex, so it might be worth a try.

Regards,
Frank

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Max Laier
Sent: Monday, October 11, 2004 12:14
To: freebsd-pf@freebsd.org
Subject: Re: CARP in RELENG_4

On Sunday 10 October 2004 12:37, Frank wrote:
> Hi,
>
> I'm thinking about using the CARP patchset
>
> http://people.freebsd.org/~mlaier/CARP/20040823-carp.RELENG_5.diff
>
> and porting it back to RELENG_4.
>
> Before I start doing that, I want to check first if this is an
> accomplishable goal. So, my question is, does anybody know a reason (e.g.
> major incompatibility between FreeBSD 4.x and FreeBSD 5.x) that makes this
> task difficult or even impossible? Or can this be done easily enough????

You will certainly have some API gaps to fill. Some will be very obvious (as
you will just hit undefined functions), some will be more disturbing as
functions may act differently. All in all it should be doable. Yet with a
certain amount of work.

That said, I don't see the point. RELENG_4 is past now, hail to RELENG_5 :-)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


From: FreeBSD bugmaster
To: pf@FreeBSD.org
Date: Mon, 11 Oct 2004 11:03:43 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
a [2004/10/08] kern/72444  pf          PF can't properly detect interface after

1 problem total.

Non-critical problems


From: Sean Preston
Date: Fri, 15 Oct 2004 15:19:30 +0200
Subject: Installing on FreeBSD 5.2.1

Hi

Sorry to have to ask this. I have done a number of searches and tried to
figure this out but having some problems. I am running FreeBSD 5.2.1 and
would like to use pf with the traffic shaping stuff (altq I think) and
everything I read says it is a part of the base from 5.2 upwards. What do I
need to do to install it on my system because I don't seem to have it as
part of my base system.

Currently my supfile uses RELENG_5_2 as the tag; is this the problem? If so
what should I be using. The other thing is how stable is it as I want to
use the system in a production environment.

Thanks
Sean

---
Sean Preston
sean@crypto.co.za


From: Sergey Lyubka
To: pf@freebsd.org
Date: Fri, 15 Oct 2004 09:25:37 -0700 (PDT)
Subject: rdr + bridge

I am trying to set up a transparent proxy.
The box has two interfaces,
em0 (0.0.0.0, outside interface)
em1 (10.0.0.3, inside interface)

pf and bridge are running on the box.
Proxy is running on the box, listening on 127.0.0.1:8080
This is the pf.conf:
------------------
int_if="em1"
ext_if="em0"
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
pass in
pass out
-------------------

But, when I am trying to access any site from the inside,
I see packets emitted by em0, which have destination address
127.0.0.1:8080

Proxy does not receive anything.

nfa# sysctl -a | grep bridge
net.link.ether.bridge_cfg: em0,em1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 1
net.link.ether.bridge.config: em0,em1
net.link.ether.bridge.enable: 1
net.link.ether.bridge.predict: 45
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.packets: 80
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipf: 1
net.link.ether.bridge.debug: 0
net.link.ether.bridge.version: 031224

nfa# uname -a
FreeBSD nfa 5.3-BETA7 FreeBSD 5.3-BETA7 #20: Fri Oct 15 15:41:14 UTC 2004 root@valenok.netfort-iss.com:/usr/obj/usr/src/sys/MANAGER i386

Any ideas ?


From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 15 Oct 2004 23:24:57 +0200
Subject: Re: Installing on FreeBSD 5.2.1

On Friday 15 October 2004 15:19, Sean Preston wrote:
> Hi
>
> Sorry to have to ask this. I have done a number of searches and tried to
> figure this out but having some problems. I am running FreeBSD 5.2.1 and
> would like to use pf with the traffic shaping stuff (altq I think) and
> everything I read says it is a part of the base from 5.2 upwards.

Where do you get that information from? ALTQ was imported June 12th 2004 into
FreeBSD. This is quite some time after the 5.2(.1) release was cut.

> What do I need to do to install it on my system because I don't seem to have
> it as part of my base system.

You need patches from rofug.ro which are outdated and you have to compile the
pf port with special options etc. etc. ... All in all nothing you want to be
near. I urge - once again - that everybody who is considering pf in
productive use should move to RELENG_5 and get everything out of the box and
in way better shape than possible in 5.2.1 + port (+ altq patches ...)

> Currently my supfile uses RELENG_5_2 as the tag; is this the problem? If so
> what should I be using. The other thing is how stable is it as I want to
> use the system in a production environment.

Don't go near it. Though it will work and is in productive use on quite a few
big sites, I suggest everybody who wants to build a productive pf(+altq)
system today to check out 5.3R ... the BETA releases are already much higher
quality than the 5.2.1 (technology demo) release. There are some pending
issues, but chances are that you will never hit them - while the chance for
hitting something bad in 5.2.1 + pf-port + altq-patches is *way* bigger!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Sergey Lyubka
Date: Fri, 15 Oct 2004 23:35:51 +0200
Subject: Re: rdr + bridge

Unfortunately FreeBSD's bridge code is far from optimal. It lacks a lot of
functionality when compared to Net/OpenBSD's if_bridge. At the moment this
constrains pf to a very limited subset of possible functionalities. There has
been an effort to port over if_bridge, but that died for some reason.

In order to fix your specific problem you might want to try to add a "route-to
(lo0 127.0.0.1)"-rule for the redirected traffic but I can't confirm that
this will really help.

All in all, I have to admit that pf gives a rather poor performance with the
FreeBSD bridge code.

On Friday 15 October 2004 18:25, Sergey Lyubka wrote:
> I am trying to set up a transparent proxy.
> The box has two interfaces,
> em0 (0.0.0.0, outside interface)
> em1 (10.0.0.3, inside interface)
>
> pf and bridge are running on the box.
> Proxy is running on the box, listening on 127.0.0.1:8080
> This is the pf.conf:
> ------------------
> int_if="em1"
> ext_if="em0"
> rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
> pass in
> pass out
> -------------------
>
> But, when I am trying to access any site from the inside,
> I see packets emitted by em0, which have destination address
> 127.0.0.1:8080
>
> Proxy does not receive anything.
>
> nfa# sysctl -a | grep bridge
> net.link.ether.bridge_cfg: em0,em1
> net.link.ether.bridge_ipfw: 1
> net.link.ether.bridge_ipf: 1
> net.link.ether.bridge.config: em0,em1
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 45
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 80
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 1
> net.link.ether.bridge.ipf: 1
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
>
> nfa# uname -a
> FreeBSD nfa 5.3-BETA7 FreeBSD 5.3-BETA7 #20: Fri Oct 15 15:41:14 UTC 2004 root@valenok.netfort-iss.com:/usr/obj/usr/src/sys/MANAGER i386
>
> Any ideas ?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
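
The route-to rule suggested in the reply above, written out against the ruleset from the question. This is an added example, not part of either message; it reuses the interface names, address and port from the thread, and the reply itself says the rule is unconfirmed with FreeBSD's bridge code, so treat it as something to test rather than a known fix.

```conf
# Added example: the ruleset from the question plus the suggested route-to rule.
int_if="em1"
ext_if="em0"

# Translation rules must come before filter rules in pf.conf.
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# Filtering sees the packet after rdr, so the destination to match is the
# translated one (127.0.0.1 port 8080). route-to hands the packet to lo0
# instead of leaving it to be forwarded; "quick" keeps the generic
# "pass in" below from being the rule that applies to this traffic.
pass in quick on $int_if route-to (lo0 127.0.0.1) inet proto tcp \
    from any to 127.0.0.1 port 8080 keep state

pass in
pass out

# Checks, run as root:
#   pfctl -nf /etc/pf.conf               parse the file without loading it
#   tcpdump -ni em0 dst host 127.0.0.1   should show nothing once the rule works
#   pfctl -s states                      lists states for the redirected connections
```

Packets addressed to 127.0.0.1 appearing on em0 are the symptom reported in the question, so the tcpdump check is the direct way to tell whether the rule changed anything.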