From owner-freebsd-pf@FreeBSD.ORG Mon Apr 18 22:07:38 2005
From: Guy Brand
To: freebsd-pf@freebsd.org
Date: Tue, 19 Apr 2005 00:02:37 +0200
Subject: Re: pf + bridge
Message-ID: <20050418220237.GJ867@chimie.u-strasbg.fr>
In-Reply-To: <72c3a957050411062060eea5cc@mail.gmail.com>

On 11 April at 13:20, Sergey Lyubka wrote:
> I am trying to build a transparent filtering box.
> Box is running freebsd 5.4, pf and bridge, this is
> the setup:

FreeBSD has no support for pf in its bridge code. Nor does it have
IPv6 support.

gb

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 19 06:53:25 2005
From: Ryan Stark
To: freebsd-pf@freebsd.org
Date: Tue, 19 Apr 2005 01:53:21 -0500
Subject: Re: pf + bridge
Message-Id: <20050419015321.2b893054.syah@io.com>
In-Reply-To: <20050418220237.GJ867@chimie.u-strasbg.fr>

On Tue, 19 Apr 2005 00:02:37 +0200 Guy Brand wrote:
> On 11 April at 13:20, Sergey Lyubka wrote:
>
> > I am trying to build a transparent filtering box.
> > Box is running freebsd 5.4, pf and bridge, this is
> > the setup:
>
> FreeBSD has no support for pf in its bridge code. Nor does it have
> IPv6 support.
>

I have been using FreeBSD & pf as a transparent bridge since 5.2.
(Before that, I was using OpenBSD & pf.) Mine looks something like this:

          in
          |
          | fxp0, 0.0.0.0
        -----
        |   |
        |   |--- fxp1, (internal admin interface)
        |   |
        -----
          |
          | fxp1, 0.0.0.0

cat /etc/sysctl.conf
  #bridging enable for fxp0,fxp1
  net.link.ether.bridge.config=fxp0:0,fxp1:0
  net.link.ether.bridge.enable=1

cat rc.conf
  pflog_enable="YES"            # Set to YES to enable packet filter logging
  pf_rules="/etc/host.pf.conf"  # rules definition file for pf. different than default. mergemaster
                                # likes to clobber default
  pflog_enable="YES"            # Set to YES to enable packet filter logging

ifconfig
  fxp0: flags=8943 mtu 1500
        options=48
        ether 00:90:27:59:03:71
        media: Ethernet autoselect (10baseT/UTP)
        status: active
  fxp1: flags=8943 mtu 1500
        options=48
        ether 00:a0:c9:d8:8f:b1
        media: Ethernet autoselect (100baseTX )
        status: active

A slightly dated, but fully functional, ruleset can be found here:
http://www.io.com/sirius/pf.conf-3.3.example

Hope that might clear up any confusion.

With regards to Sergey's original question: I have not played with the web proxy on the bridge; however, I have used the ftp proxy module on my NAT gateway machine with no problems. Maybe using it there would work better?
--
Ryan Stark | syah io com
BOFH excuse #365: parallel processors running perpendicular today

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 19 11:40:25 2005
From: stephen
To: pf, freebsd-pf@freebsd.org
Date: Tue, 19 Apr 2005 13:40:22 +0200
References: <42b49716050413161030e7abea@mail.gmail.com>
 <42b49716050414060657eacab9@mail.gmail.com>
 <42b4971605041409206c74fc53@mail.gmail.com>
 <42b497160504170906c56fb6d@mail.gmail.com>
Subject: Re: pflog and traffic via gif_if

Hi,

I've found something that perhaps someone could explain to me...

Previously I had problems allowing traffic to pass via my gif interface. As far as the gif tunnel is set up, it works 100%, as when I flushed my ruleset or disabled PF there wasn't a problem.

Before I started blocking outbound services, I had a "pass out on $ext_if from any to any keep state" rule, and the gif seemed to work fine... Once I had blocked all traffic in/out on the $ext_if and $int_if, I had to open ports one by one on both so that traffic could pass...

The initial rule for the tunnel was:

  ###tunnel filters
  pass in  on $gif_if all
  pass out on $gif_if all
  pass in  on $ext_if inet proto ipencap from any to any
  pass out on $ext_if inet proto ipencap from any to any

Once I was logging stuff properly, and using tcpdump, I noticed I had to open $int_if/rl0 to allow traffic on ports 135,137-139 so my Windows boxes from behind the firewall could talk to the Windows boxes on the other side of the tunnel... This makes sense, as traffic would have to enter the box per se, via my NIC, before being routed to the other LAN through the gif tunnel.
  000000 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61411, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535
  000483 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61412, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535
  530734 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61413, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535
  000230 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61414, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535
  437281 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61419, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535
  000247 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61420, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535
  000477 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61421, offset 0, flags [none], length: 78) 10.0.88.23.137 > 10.0.89.1.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST TrnID=0x864C OpCode=0 NmFlags=0x0 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0 QuestionRecords: Name= WARNING: Short packet.
  Try increasing the snap length
  ^C
  7 packets captured
  7 packets received by filter
  0 packets dropped by kernel

So I added rules for the $int_if:

  ###tunnel filters
  pass in  on $gif_if all
  pass out on $gif_if all
  pass in  on $ext_if inet proto ipencap from any to any
  pass out on $ext_if inet proto ipencap from any to any
  pass in  on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

and ran tcpdump again:

  Tue Apr 19 09:17:10 root@bollox:/home/stephen# tcpdump -n -e -ttt -vv -i pflog0
  tcpdump: WARNING: pflog0: no IPv4 address assigned
  tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
  000000 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34146, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
  395435 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34156, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
  -snipped out some other packets that were not relevant-
  546633 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34194, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
  ^C
  6 packets captured
  6 packets received by filter
  0 packets dropped by kernel

The way I see it, traffic destined for 10.0.89.0 should be allowed to enter via the NIC (10.0.88.254), as PF is allowing any source IP to reach any destination IP if the ports are 135,137-139,445.

But now here's what I don't get... I then had to allow traffic to pass via the same ports on $ext_if/tun0, when the routing table is routing the traffic via the gif tunnel (routing is set up fine; when the ruleset is flushed, it works 100%).
So I thought let me just try it out (as that's what tcpdump is telling me is blocked), even though it sounds a little sketchy...

  ###tunnel filters
  pass in  on $gif_if all
  pass out on $gif_if all
  pass in  on $ext_if inet proto ipencap from any to any
  pass out on $ext_if inet proto ipencap from any to any
  pass in  on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass in  on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass out on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

and that works perfectly.

The only thing I can think of is that pf sees the gif interface as a virtual device and doesn't apply the rule to the virtual device but rather to the physical device the virtual device uses (tun0/$ext_if), which seems very unlikely, but I can't think what else it could be, as I see references to the tun0 device in tcpdump (the rl0/$int_if references in tcpdump in the first instance seem obvious... have to allow the traffic in via the NIC to the local LAN before being able to transport it to the other LAN via the gif tunnel).

Any comments/views on this? Perhaps there is something not 100% with my conf?
(although it is working now, it's not really ideal passing NetBIOS traffic from any to any)

  Tue Apr 19 09:26:53 root@bollox:/home/stephen# uname -a
  FreeBSD bollox.soh.local 5.3-STABLE FreeBSD 5.3-STABLE #2: Mon Mar 7 18:09:46 SAST 2005
      stephen@bollox.soh.local:/usr/obj/usr/src/sys/BOLLOX i386

  Tue Apr 19 10:21:13 root@bollox:/home/stephen# cat /etc/pf.conf
  ########## /etc/pf.conf

  ##### macros
  int_if      = "rl0"
  ext_if      = "tun0"
  gif_if      = "gif3"
  icmp_types  = "echoreq"
  dns         = "{ 196.25.1.1 }"
  mail1       = "{ dbn.stormnet.co.za }"
  mail2       = "{ smtp.saix.net }"
  p2p_ports   = " { 6346 }"
  p2p_clients = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 , 10.0.88.23 }"
  studio      = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 }"
  sh          = "10.0.88.23/24"
  priv_nets   = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
  soh         = "{ 10.0.88.1 , 10.0.88.2 , 10.0.88.3 , 10.0.88.4 , 10.0.88.5 , 10.0.88.6 , 10.0.88.7 , 10.0.88.8 , 10.0.88.9 , 10.0.88.10 , 10.0.88.11 , 10.0.88.12 , 10.0.88.13 , 10.0.88.14 , 10.0.88.15 , 10.0.88.16 , 10.0.88.17 , 10.0.88.18 , 10.0.88.19 , 10.0.88.20 , 10.0.88.21 , 10.0.88.22 , 10.0.88.23 , 10.0.88.24 , 10.0.88.25 , 10.0.88.26 , 10.0.88.27 , 10.0.88.28 , 10.0.88.29 , 10.0.88.30 }"
  vpn_conf    = "{ x.y.z.237 }"

  ##### aliases
  int_net     = "{" $int_if:network "}"

  ##### behavior options
  set optimization aggressive
  set block-policy return
  set loginterface $ext_if
  set fingerprints "/etc/pf.os"

  ##### scrub
  scrub in all

  ##### nat/rdr
  nat on $ext_if from $int_net to any -> ($ext_if)
  rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
  rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

  ##### anti spoofing protection
  #antispoof quick for $int_if inet
  #antispoof quick for $ext_if inet
  #antispoof quick for lo0
  #block drop in on $ext_if from $priv_nets to any
  #block drop out on $ext_if from any to $priv_nets

  #####filter rules
  ###default block and log all
  block log all
  block in log quick inet6 all
  block out log quick inet6 all
  pass in quick inet proto icmp all icmp-type $icmp_types keep state
  pass out quick inet proto icmp all icmp-type $icmp_types keep state
  pass quick on lo0 all

  ###filter rules for $int_if inbound
  block in log on $int_if all
  #pass in on $int_if from $soh to $int_if keep state
  pass in on $int_if proto tcp from any to $int_if port 2222 keep state
  #pass in on $int_if proto tcp from any to $dns keep state
  pass in on $int_if proto { udp,tcp } from $int_net to any port = 53 keep state
  pass in on $int_if proto tcp from $soh to any port = 3128 flags S/SA keep state
  pass in on $int_if proto tcp from $soh to any port = 443 flags S/SA keep state
  #pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } keep state
  #pass in on $int_if proto tcp from $int_net to any port 8021 keep state
  pass in on $int_if proto tcp from $soh to $int_if port 25 keep state
  pass in on $int_if proto tcp from $soh to $int_if port 110 keep state
  pass in on $int_if proto { udp,tcp } from $int_net to any port 6346 keep state
  pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } keep state
  pass in on $int_if proto tcp from $int_net to $mail1 port { 25,110 } keep state
  pass in on $int_if proto tcp from $int_net to $mail2 port { 25,110 } keep state
  pass in on $int_if proto tcp from $int_net to any port { 2222 } keep state

  ###filter rules for $int_if outbound
  block out log on $int_if all
  #pass out on $int_if all keep state
  #pass out on $int_if inet proto tcp from $int_if to $int_net port 20 keep state

  ###filter rules for $ext_if inbound
  block in log on $ext_if all
  #pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 keep state
  #pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state
  pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 keep state
  pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 keep state
  #pass in on $ext_if inet proto tcp from any to ($ext_if) port 2222 keep state
  #pass in on $ext_if inet proto tcp from any to any port 55000:57000 keep state
  ##block nmap's fingerprinting attempt(FIN, URG, PSH)
  block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

  ###filter rules for $ext_if outbound
  block out log on $ext_if all
  pass out on $ext_if inet proto udp from any to $dns port 53 keep state
  #pass out on $ext_if inet proto tcp from any to $dns port 53 flags S/SA keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA keep state
  #pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state
  #pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 keep state
  #pass out on $ext_if inet proto tcp from ($ext_if) to any port 8021 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to any port 443 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to any port 6346 keep state
  pass out on $ext_if inet proto tcp from ($ext_if) to any port { 22,2222 } keep state

  ###tunnel filters
  pass in  on $gif_if all
  pass out on $gif_if all
  pass in  on $ext_if inet proto ipencap from any to any
  pass out on $ext_if inet proto ipencap from any to any
  pass in  on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass in  on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
  pass out on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

ps: the reason ports and hosts are separated is because of labelling
pps: everything related to ftp has been commented out because I can't get it working, but that's another battle for another day =]

Thanks,
Stephen

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 19 23:12:42 2005
From: Max Laier
To: freebsd-pf@freebsd.org
cc: freebsd-net@freebsd.org
Date: Wed, 20 Apr 2005 01:12:30 +0200
Subject: New PF (OpenBSD 3.7 ***ALPHA-preview***)
Message-Id: <200504200112.41260.max@love2party.net>

All,

at: http://people.freebsd.org/~mlaier/pf37/ you will find the first shot at the long
awaited import of a new version of pf. This is level with what is likely to be shipped as OpenBSD 3.7 and includes *most* of the features. Some are not yet implemented:

 - Filtering on route labels (we don't have any).
 - Return-rst on IP-less bridges (bridge support is still behind; there is work ongoing to improve this as well, though).
 - Congestion prevention/graceful comeback (subject to future work).

There are, however, some highlights that came with OpenBSD 3.6 and will be coming with OpenBSD 3.7 (from the OpenBSD release notes):

 + pfctl(8) now provides a rules optimizer to help improve filtering speed.
 + pf now supports nested anchors.
 + Support limiting TCP connections by establishment rate, automatically adding flooding IP addresses to tables and flushing states (max-src-conn-rate, overload, flush global).
 + Improved functionality of tags (tag and tagged for translation rules, tagging of all packets matching state entries).
 + Improved diagnostics (error messages and additional counters from pfctl -si).
 + New keyword set skip on to skip filtering on arbitrary interfaces, like loopback.
 + Several bugfixes improving stability.

This import is in a very early stage and you should keep this in mind! However, it should build and boot just fine. I have done some basic tests to weed out the common problems seen during the last imports, but didn't do extensive testing yet. If you are in a position where you can test this, I am looking forward to getting your feedback!

Updates will be posted to the freebsd-pf mailing list. Thanks.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 19 23:38:13 2005
From: Jonathan Weiss
To: Max Laier, FreeBSD-PF
Date: Wed, 20 Apr 2005 01:38:09 +0200
Subject: AW: New PF (OpenBSD 3.7 ***ALPHA-preview***)
In-Reply-To: <200504200112.41260.max@love2party.net>

Hi Max,

> Updates will be posted to the freebsd-pf mailing list. Thanks.

Thank you for your effort!
Jonathan

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 20 19:03:07 2005
From: Matthew Grooms
To: Max Laier
cc: Matthew Grooms
cc: freebsd-pf@freebsd.org
Date: Wed, 20 Apr 2005 14:07:21 -0500
Subject: Re: pf rule macro help ...
Message-ID: <4266A869.9030607@shrew.net>
References: <425DB3F8.1070101@seton.org> <451cb30105041416324ada3f27@mail.gmail.com> <425FD9D5.90904@seton.org> <200504151743.59628.max@love2party.net>
In-Reply-To: <200504151743.59628.max@love2party.net>

Max,

Thanks again for your help. I haven't dug through the parser code myself, so I don't understand all the issues. It would be much easier if a ruleset author could use macros to group together networks that get used across many rules. For example ...

  net_a1 = "'192.168.1.0/24'"
  net_a2 = "'192.168.2.0/24'"
  net_a = $net_a1 $net_a2

  net_b1 = "'192.168.3.0/24'"
  net_b2 = "'192.168.4.0/24'"
  net_b = $net_b1 $net_b2

  nets = $net_a $net_b

  pass from { $nets } to any keep state

... when I try to load this ruleset I get the following errors ...

  pf.conf:9: syntax error
  pf.conf:11: macro 'nets' not defined
  pf.conf:11: syntax error

Again, pfctl is more than happy to load this same ruleset if the "/24" subnet masks are removed. Is there a similar trick to get this sort of macro setup to work? I tried all sorts of quoted permutations when defining the second-level macros, but to no avail.

It does make me chuckle a bit to think that the macro support in a firewall package would choke on subnet mask notation. Don't get me wrong, this feature is a great idea and I really want to be able to use it :)

Any help would be greatly appreciated,

-Matthew

Max Laier wrote:
>On Friday 15 April 2005 17:12, Matthew Grooms wrote:
>
>>Thanks for the response. I can use the macros that contain host
>>addresses or host names. The problem occurs when I use a '/' in a macro
>>and then nest it inside another macro like so ...
>>
>>net1 = "192.168.1.0/24"
>>net2 = "192.168.2.0/24"
>>all_nets = "{" $net1 $net2 "}"
>>pass from $all_nets to any
>>
>
>Make this:
>net1 = "'192.168.1.0/24'"
>net2 = "'192.168.2.0/24'"
>all_nets = "{" $net1 $net2 "}"
>pass from $all_nets to any
>
>Yes, it's a bit cryptic, but it's nearly impossible to fix the parser without
>a major undertaking. This should probably go to the FAQ or the manpage even,
>I posted a suggestion to OpenBSD's pf ML a while ago:
>http://marc.theaimsgroup.com/?l=openbsd-pf&m=109725883904534&w=2
>
>If OpenBSD doesn't take it, I'll put it into ours after 3.7 is imported.
>
>>It always causes a syntax error. The pf web page says you can nest
>>macros so I don't know why it errors out. If you remove the "/24"
>>portion of the net1 & net2 macros it works fine.
>>
>>I thought it may have had something to do with the fact that I am
>>running an AMD64 SMP kernel. So I built an i386 UP box and tested the
>>same four lines above ( with and without the net mask ) and got the same
>>result.
>>
>>I know this is a volunteer effort ( and greatly appreciated at that )
>>but would it be possible for someone to independently confirm what I am
>>seeing and for someone to tell me if this is the intended behavior.
>>
>>Thanks in advance,
>>
>>-Matthew
>>
>>McLone wrote:
>>
>>>On 4/14/05, Matthew Grooms wrote:
>>>
>>>>host1 = "192.168.1.1"
>>>>host2 = "192.168.1.2"
>>>>all_hosts = "{" $host1 $host2 "}"
>>>>... I always get a syntax error on the "all_nets =" line.
>>>>
>>>Bugs me too. AFAIK there's no way to nest macros.
>>>BTW "," isn't needed.
>>>
>>BTW Thanks for the tip.
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 08:39:19 2005
From: mikael söderholm
To: freebsd-pf@freebsd.org
Date: Thu, 21 Apr 2005 11:39:15 +0300
Subject: pf aware identd that works with nat

I've tried oidentd on FreeBSD & pf, but it doesn't work with pf apparently, only ipf. So I'm wondering if there's a workaround, or is there an identd that works with FreeBSD & pf?
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 14:24:03 2005
Message-ID: <000901c5467d$c1681f90$0200a8c0@satellite>
From: "dave"
Date: Thu, 21 Apr 2005 10:23:57 -0400
Subject: pf rules not allowing traffic

Hello,

I'm trying to get the below working on a 5.3 router. Internal traffic, dhcp at least, is working, but external stuff (ntp, web browsing, etc.) is not. When I load this ruleset I am unable to get out. Checking pflog doesn't help as I am not getting log information. There are no errors when I try to load this ruleset; any help appreciated.

Thanks.
Dave.

# Macros: define common values, so they can be referenced and changed easily.
EXT = "fxp0"
LAN = "ep0"
LAN_NET = "192.168.0.0/24"
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_ADMIN = "192.168.0.2"
TCP_INCOMING_SERVICES = "{ 22, 25, 80, 110, 143, 443, 465, 587, 873, 993, 995, 1723, 2401, 3306, 5432, 8000, 9101, 9102, 9103 }"
TCP_OUTGOING_SERVICES = "{ 20, 21, 22, 25, 43, 53, 80, 110, 119, 143, 443, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 5190, 5191, 5192, 5193, 5999, 8880 }"
UDP_INCOMING_SERVICES = "{ 53, 68, 123 }"
UDP_OUTGOING_SERVICES = "{ 53, 67, 123 }"

# Tables: similar to macros, but more flexible for many addresses.
table { x.x.x.x, x.x.x.x }
table { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

# Options: tune the behavior of pf
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
# Max-mss is needed due to mpd's poor mss handling
scrub on $EXT all reassemble tcp
scrub out all random-id max-mss 1440

# Queueing: rule-based bandwidth control.
#altq on $EXT priq bandwidth 128Kb queue {bt_out, std_out, http_out, ssh_out, dns_out, ack_out}
#queue bt_out on $EXT priority 0 priq(red)
#queue std_out on $EXT priority 3 priq(default)
#queue http_out on $EXT priority 5 priq
#queue ssh_out on $EXT priority 7 priq
#queue dns_out on $EXT priority 9 priq
#queue ack_out on $EXT priority 11 priq

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $EXT with source address $internal_net will
# get translated as coming from the address of $EXT, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $EXT from $LAN_NET to any -> ($EXT)

# redirections
# rdr outgoing FTP requests to the ftp-proxy
rdr on $LAN proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80

# spam table setup and implementation
# table < spammers
#no rdr on { lo0, lo1 } from any to any
# rdr < spammers

# antispoof rules
antispoof for $EXT inet

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

block all

# loopback
pass quick on lo0 all

# incoming on $EXT
# block by default
#block in on $EXT all
block in quick on $EXT from
#DNS
pass in quick on $EXT proto udp from port 53 to $EXT keep state
#Incoming tcp
pass in quick on $EXT proto tcp from any to $EXT port $TCP_INCOMING_SERVICES flags S/AUPRFS modulate state
#dhcp from isp
pass in quick on $EXT proto udp from any port 67 to 255.255.255.255 port 68 keep state queue(ack_out)
#pptp
pass in quick on $EXT proto gre from any to $LAN_SERVER keep state

#-----------outgoing on $EXT----------------
#block out on $EXT all
block out quick on $EXT from any to
pass out quick on $EXT proto udp from $EXT to port 53 keep state
pass out quick on $EXT proto tcp from $EXT to $LAN_NET port $TCP_OUTGOING_SERVICES keep state
pass out quick on $EXT proto udp from $EXT to $LAN_NET port $UDP_OUTGOING_SERVICES keep state

#-----------incoming on $LAN----------------
block in on $LAN all
# allow broadcast
pass quick on $LAN from any to 192.168.0.255
# allow in tcp and udp incoming
pass in quick on $LAN proto tcp from $LAN_NET to any port $TCP_INCOMING_SERVICES flags S/AUPRFS modulate state
pass in quick on $LAN proto udp from $LAN_NET to any port $UDP_INCOMING_SERVICES modulate state
#allow out CDDB
pass in quick on $LAN proto {tcp,udp} from $LAN_NET to any port 8880 flags S/SAFR keep state

#-----------outgoing on $LAN----------------
block out on $LAN all
# tcp and udp out
pass out quick on $LAN proto tcp from $LAN_NET to $EXT port $TCP_OUTGOING_SERVICES flags S/AUPRFS modulate state
pass out quick on $LAN proto udp from $LAN_NET to $EXT port $UDP_OUTGOING_SERVICES modulate state

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 14:57:38 2005
Message-Id: <06b13c2cd4e3aa5a9ad412f3170e00ca@buraglio.com>
In-Reply-To: <200504200112.41260.max@love2party.net>
From: Nick Buraglio
To: Max Laier
cc: freebsd-pf@freebsd.org
Date: Thu, 21 Apr 2005 09:57:21 -0500
Subject: Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)

I was just digging for some info on the newer features and when they'd be available in FreeBSD. I'll get this on a testing box asap.
The effort is greatly appreciated.

------------
- Nick Buraglio, Network Engineer, NCSA
- Phone: 217.244.6428
- GnuPG Key: 0x2E5B44F4
------------

On Apr 19, 2005, at 6:12 PM, Max Laier wrote:

> All,
>
> at:
> http://people.freebsd.org/~mlaier/pf37/
>
> you will find the first shot at the long awaited import of a new version of
> pf. This is level with what is likely to be shipped as OpenBSD 3.7 and
> includes *most* of the features. Some are not yet implemented:
>
> - Filtering on route labels (we don't have any).
> - Return-rst on IP-less bridges (bridge support is still behind; there is
>   work ongoing to improve this as well, though.).
> - Congestion prevention/graceful comeback (subject to future work).
>
> There are, however, some highlights that came with OpenBSD 3.6 and will be
> coming with OpenBSD 3.7 (from the OpenBSD release notes):
>
> + pfctl(8) now provides a rules optimizer to help improve filtering speed.
> + pf now supports nested anchors.
> + Support limiting TCP connections by establishment rate, automatically
>   adding flooding IP addresses to tables and flushing states
>   (max-src-conn-rate, overload , flush global).
> + Improved functionality of tags (tag and tagged for translation rules,
>   tagging of all packets matching state entries).
> + Improved diagnostics (error messages and additional counters from
>   pfctl -si).
> + New keyword set skip on to skip filtering on arbitrary interfaces, like
>   loopback.
> + Several bugfixes improving stability.
>
> This import is in a very early stage and you should keep this in mind!
>
> However, it should build and boot just fine. I have done some basic tests to
> weed out the common problems seen during the last imports, but didn't do
> extensive testing yet. If you are in a position where you can test this, I
> am looking forward to getting your feedback!
>
> Updates will be posted to the freebsd-pf mailing list. Thanks.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 22:04:10 2005
Message-ID: <42682451.3060602@crc.u-strasbg.fr>
In-Reply-To: <20050419015321.2b893054.syah@io.com>
References: <72c3a957050411062060eea5cc@mail.gmail.com> <20050418220237.GJ867@chimie.u-strasbg.fr> <20050419015321.2b893054.syah@io.com>
From: Philippe PEGON
To: Ryan Stark
cc: freebsd-pf@freebsd.org
Date: Fri, 22 Apr 2005 00:08:17 +0200
Subject: Re: pf + bridge

Ryan Stark wrote:
> On Tue, 19 Apr 2005 00:02:37 +0200
> Guy Brand wrote:
>
>> On 11 April at 13:20, Sergey Lyubka wrote:
>>
>>> I am trying to build a transparent filtering box.
>>> Box is running freebsd 5.4, pf and bridge, this is
>>> the setup:
>>
>> FreeBSD has no support for pf in its bridge code. Neither has it
>> IPv6 support.
>>
>
> I have been using FreeBSD & pf as a transparent bridge since 5.2.
> (Before that, I was using OpenBSD & pf)
>
> Mine looks something like this:
>
>        in
>        |
>        | fxp0, 0.0.0.0
>      -----
>      |   |
>      |   |--- fxp1, (internal admin interface)
>      |   |
>      -----
>        |
>        | fxp1, 0.0.0.0
>
> cat /etc/sysctl.conf
>
> #bridging enable for fxp0,fxp1
> net.link.ether.bridge.config=fxp0:0,fxp1:0
> net.link.ether.bridge.enable=1
>
> cat rc.conf
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
> pf_rules="/etc/host.pf.conf"
> # rules definition file for pf. different than default. mergemaster
> # likes to clobber default
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
> ifconfig
>
> fxp0: flags=8943 mtu 1500
>         options=48
>         ether 00:90:27:59:03:71
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> fxp1: flags=8943 mtu 1500
>         options=48
>         ether 00:a0:c9:d8:8f:b1
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> slightly dated, but fully functional ruleset can be found here:
>
> http://www.io.com/sirius/pf.conf-3.3.example
>
> Hope that might clear up any confusion.

It seems, according to an old thread (see below), that the pfil hook for outbound packets is absent. Are you sure that your "pass out" rules are evaluated? Under these conditions, pf can't run correctly in bridge mode.

http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/thread.html#621

> With regards to Sergey's original question; I have not played with the web
> proxy on the bridge, however I have used the ftp proxy module on my NAT-
> gateway machine with no problems. Maybe using there would work better?

--
Philippe PEGON