From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 07:14:54 2008
From: secucatcher@free.fr
To: "David DeSimone"
Cc: freebsd-pf@freebsd.org
Date: Sun, 7 Sep 2008 09:14:52 +0200
Message-ID: <20080907091452.65d14b4a@desktop>
In-Reply-To: <20080906223103.GK1949@verio.net>
Subject: Re: bidirectional NAT in PF?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, 6 Sep 2008 17:31:04 -0500, "David DeSimone" wrote:
> There is no direct way to do
> this, so I am wondering if two different rules could be matched at
> different times during the packet's transit through the gateway.

Yes, maybe a nat and a rdr could be the solution.
From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 13:58:18 2008
From: Yar Tikhiy <yar.tikhiy@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 7 Sep 2008 17:33:07 +0400
Subject: pf creating states by default now?

Hi all,

After upgrading a production machine from 6.x to 7.x, I noticed that pf
would create states from rules without "keep state". IMSMR, it hadn't
happened before, and the pf.conf(5) manpage still says one has to
specify "keep state" explicitly for pf to create states.

Just examined this issue more closely on a CURRENT machine. If I load
the following simple pf.conf file:

> set skip on lo0
> block return all
> pass out all
> pass in inet proto icmp all icmp-type echoreq
> pass in inet proto tcp from any to any port 22

then I get these actual rules as shown by "pfctl -s rules":

> block return all
> pass out all flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in inet proto tcp from any to any port = ssh flags S/SA keep state

Looks like pfctl or pf itself added stateful semantics to my pf.conf
that weren't there initially. Is this effect intended and, if so, how
can I tell pf not to create states from certain rules?

Thanks! And excuse me if I'm just missing something.

Yar

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 15:30:02 2008
From: Remko Lodder <remko@FreeBSD.org>
To: Yar Tikhiy
Cc: freebsd-pf@freebsd.org
Date: Sun, 07 Sep 2008 17:02:40 +0200
Message-ID: <48C3ED10.7080601@FreeBSD.org>
Subject: Re: pf creating states by default now?

Yar Tikhiy wrote:
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially. Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
>
> Thanks! And excuse me if I'm just missing something.
>
> Yar

Hi Yar,

Yes, since 7.0 this behaviour is intended. flags S/SA and keep state are
implied now. If you do not want to use them you set ''no state'' to get
rid of the stateful filter. I think that also grabs the flags S/SA
because that tells you when the stateful filter is being set up.
Hope this helps,
remko

-- 
Best regards,          | remko@FreeBSD.org
Remko Lodder           | remko@EFnet
http://www.evilcoder.org/

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 15:58:35 2008
From: "Olli Hauer" <ohauer@gmx.de>
To: Yar Tikhiy, freebsd-pf@freebsd.org
Date: Sun, 07 Sep 2008 17:31:51 +0200
Message-ID: <20080907153151.310630@gmx.net>
Subject: Re: pf creating states by default now?

> Hi all,
>
> After upgrading a production machine from 6.x to 7.x,
> I noticed that pf would create states from rules without
> "keep state". IMSMR, it hadn't happened before, and
> the pf.conf(5) manpage still says one has to specify
> "keep state" explicitly for pf to create states.
>
> Just examined this issue more closely on a CURRENT machine.
> If I load the following simple pf.conf file:
>
>> set skip on lo0
>> block return all
>> pass out all
>> pass in inet proto icmp all icmp-type echoreq
>> pass in inet proto tcp from any to any port 22
>
> then I get these actual rules as shown by "pfctl -s rules":
>
>> block return all
>> pass out all flags S/SA keep state
>> pass in inet proto icmp all icmp-type echoreq keep state
>> pass in inet proto tcp from any to any port = ssh flags S/SA keep
>> state
>
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially. Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
>
> Thanks! And excuse me if I'm just missing something.
>
> Yar

Yes, it is not in man pf.conf(5) but in the Rel Notes
http://www.freebsd.org/releases/7.0R/relnotes.html
See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)

The man page matches the OpenBSD one
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

What is your reason for not using 'S/SA keep state' on these rules?

You can disable this with the 'no state' keyword.

Regards,
olli

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 20:53:38 2008
From: Yar Tikhiy <yar.tikhiy@gmail.com>
To: Olli Hauer
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 00:53:20 +0400
In-Reply-To: <20080907153151.310630@gmx.net>
Subject: Re: pf creating states by default now?

On Sep 7, 2008, at 7:31 PM, Olli Hauer wrote:
>> Looks like pfctl or pf itself added stateful semantics to my pf.conf
>> that weren't there initially. Is this effect intended and, if so, how
>> can I tell pf not to create states from certain rules?
>>
>> Thanks! And excuse me if I'm just missing something.
>>
>> Yar
>
> Yes, it is not in man pf.conf(5) but in the Rel Notes
> http://www.freebsd.org/releases/7.0R/relnotes.html
> See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)

Thank you for pointing it out!

> The man page match the OpenBSD one
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

And in OpenBSD-current the manpage still reads: "...keep state must be
specified explicitly to apply [stateful tracking] options to a rule."

Perhaps we can fix this issue in our src tree and then send the patch
upstream to the OpenBSD folks, can't we? In Subversion, the price of
touching an imported file is not nearly as high as it used to be in CVS.

> What is your reason for not using 'S/SA keep state' at this rules?

I think I'm hitting some obscure issue with pf state synchronisation
between two routers, so I'd like to prevent at least internal connections
from being torn when a switch from the master to the backup router occurs
via carp. The routers have a lot of vlan interfaces, and I'd like to limit
stateful filtering to the uplink vlan only.

> You can disable this with the 'no state' keyword

I see now. Your help is much appreciated!

Yar

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 21:09:11 2008
From: Chris Smith
To: freebsd-pf@freebsd.org
Date: Sun, 7 Sep 2008 17:09:06 -0400
Message-Id: <200809071709.06945.pf_free@chrissmith.org>
Subject: Re: pf creating states by default now?
On Sunday 07 September 2008 04:53:20 pm Yar Tikhiy wrote:
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."

Not in the -current running here. The manpage reads:

"A number of options related to stateful tracking can be applied on a
per-rule basis. keep state, modulate state and synproxy state support
these options, and keep state must be specified explicitly to apply
options to a rule."

And the "options" referred to are listed in that section, such as max,
timeout, no-sync, sloppy, etc. If you're not applying the options, keep
state is implied.

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 21:24:17 2008
From: Yar Tikhiy <yar.tikhiy@gmail.com>
To: Chris Smith
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 01:23:59 +0400
Message-Id: <0663003B-EF24-4A3C-BB2F-53C2ED99DC16@comp.chem.msu.su>
In-Reply-To: <200809071709.06945.pf_free@chrissmith.org>
Subject: Re: pf creating states by default now?

On Sep 8, 2008, at 1:09 AM, Chris Smith wrote:
> On Sunday 07 September 2008 04:53:20 pm Yar Tikhiy wrote:
>> And in OpenBSD-current the manpage still reads: "...keep state
>> must be specified explicitly to apply [stateful tracking] options
>> to a rule."
>
> Not in the -current running here. The manpage reads:
> "A number of options related to stateful tracking can be applied on
> a per-rule basis. keep state, modulate state and synproxy state
> support these options, and keep state must be specified explicitly
> to apply options to a rule."
>
> And the "options" referred to are listed in that section, such as max,
> timeout, no-sync, sloppy, etc. If you're not applying the options,
> keep state is implied.

Sorry, I misread that paragraph. I also missed this:

     pass    The packet is passed; state is created unless the no state
             option is specified.

By default pf(4) filters packets statefully; the first time a packet
matches a pass rule, a state entry is created; for subsequent packets
the filter checks whether the packet matches any state.

Excuse me for the noise.

Yar

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 21:31:45 2008
From: "Olli Hauer" <ohauer@gmx.de>
To: Yar Tikhiy
Date: Sun, 07 Sep 2008 23:31:43 +0200
Message-ID: <20080907213143.15910@gmx.net>
References: <20080907153151.310630@gmx.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf creating states by default now?

>>> Looks like pfctl or pf itself added stateful semantics to my pf.conf
>>> that weren't there initially. Is this effect intended and, if so, how
>>> can I tell pf not to create states from certain rules?
>>>
>>> Thanks! And excuse me if I'm just missing something.
>>>
>>> Yar
>>
>> Yes, it is not in man pf.conf(5) but in the Rel Notes
>> http://www.freebsd.org/releases/7.0R/relnotes.html
>> See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
>
> Thank you for pointing me out!
>
>> The man page match the OpenBSD one
>> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
>
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."
>
> Perhaps we can fix this issue in our src tree and then send the
> patch upstream to the OpenBSD folks, can't we? In Subversion, the
> price of touching an imported file is not nearly as high as it used
> to be in CVS.

Yes, parts of the document should be updated.

>> What is your reason for not using 'S/SA keep state' at this rules?
>
> I think I'm hitting some obscure issue with pf state synchronisation
> between two routers, so I'd like to prevent at least internal
> connections from being torn when a switch from the master to the
> backup router occurs via carp. The routers have a lot of vlan
> interfaces, and I'd like to limit stateful filtering to the uplink
> vlan only.
>
>> You can disable this with the 'no state' keyword
>
> I see now. Your help is much appreciated!
>
> Yar

Hm, maybe something like this can be your solution (example for ssh
traffic):

# no state rule to manage the router interface (not carp/vlans/cloned interfaces)
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state

# all other ssh traffic
pass in inet proto tcp from any to any port 22

Regards,
olli

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 02:22:25 2008
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 8 Sep 2008 02:22:24 GMT
Message-Id: <200809080222.m882MOks006762@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
The following is a listing of current problems submitted by FreeBSD
users. These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/127121   pf    [pf] [patch] pf incorrect log priority
o kern/127042   pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467   pf    [pf] pf keep state bug while handling sessions between
s kern/124933   pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364   pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773   pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014   pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704   pf    [pf] PF mangles loopback packets
o kern/120281   pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057   pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355    pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567   pf    [pf] LOR pf_ioctl.c + if.c
o kern/114095   pf    [carp] carp+pf delay with high state limit
o kern/111220   pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838   pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825    pf    [pf] pf reply-to doesn't work
o sparc/93530   pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949    pf    [pf] PF + ALTQ problems with latency
o kern/82271    pf    [pf] cbq scheduler cause bad latency

19 problems total.

Bugs can be in one of several states:

o - open       A problem report has been submitted, no sanity checking
               performed.
a - analyzed   The problem is understood and a solution is being sought.
f - feedback   Further work requires additional information from the
               originator or the community - possibly confirmation of
               the effectiveness of a proposed solution.
p - patched    A patch has been committed, but some issues (MFC and / or
               confirmation from originator) are still open.
r - repocopy   The resolution of the problem report is dependent on a
               repocopy operation within the CVS repository which is
               awaiting completion.
s - suspended  The problem is not being worked on, due to lack of
               information or resources. This is a prime candidate for
               somebody who is looking for a project to do. If the
               problem cannot be solved at all, it will be closed,
               rather than suspended.
c - closed     A problem report is closed when any changes have been
               integrated, documented, and tested -- or when fixing the
               problem is abandoned.

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 07:05:07 2008
From: mouss <mouss@netoyen.net>
To: freebsd-pf@freebsd.org
Date: Mon, 08 Sep 2008 08:50:00 +0200
Message-ID: <48C4CB18.6010905@netoyen.net>
In-Reply-To: <20080906223103.GK1949@verio.net>
Subject: Re: bidirectional NAT in PF?

David DeSimone wrote:
> I think I am using the wrong terminology. I should probably call it
> "double NAT" to differentiate it. "binat" works fine but it still only
> changes ONE of the IP's being translated (the source IP). In PF, you
> can use "nat" to translate the source IP, and "redir" to change the dest
> IP, but what if you want to change both? There is no direct way to do
> this, so I am wondering if two different rules could be matched at
> different times during the packet's transit through the gateway.

The common way is to use two rules: a nat and an rdr. This is used to
fix the "reflection problem" for instance. I have used it with ipfilter
in the past (though not for a reflection issue, but for a dmz setup),
but I guess it works similarly on pf and other filters.
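The two-rule double NAT mouss describes, written out as a pf.conf fragment in the nat/rdr syntax FreeBSD 7.x uses: rdr on the interface a packet enters rewrites its destination, nat on the interface it leaves rewrites its source, so one connection is translated twice. This is an added example, not code from the thread; the interface names, $ext_ip (a TEST-NET placeholder) and $www_server are assumptions.

```pf
# Assumed names (not from the thread): adjust to your site.
ext_if = "em0"            # uplink
int_if = "em1"            # LAN, where the clients live
dmz_if = "em2"            # DMZ, where the web server lives
ext_ip = "192.0.2.10"     # public address clients connect to (placeholder)
www_server = "10.0.2.80"  # assumed DMZ host

# 1) rdr on the ingress interface: destination $ext_ip -> DMZ host.
#    Evaluated for packets arriving on $int_if, so internal clients
#    that connect to the public address are steered into the DMZ.
rdr on $int_if proto tcp from $int_if:network to $ext_ip port 80 \
    -> $www_server port 80

# 2) nat on the egress interface: source -> the gateway's DMZ address.
#    Without it the server would answer the LAN client directly, the
#    reply would bypass the rdr state, and the client would see a
#    packet from 10.0.2.80 it never talked to (the "reflection" problem).
nat on $dmz_if proto tcp from $int_if:network to $www_server port 80 \
    -> ($dmz_if)

# Ordinary outbound NAT for the LAN and the rdr for external clients.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www_server port 80

# Filter rules. Translation happens before filtering, so each rule must
# match the addresses as they are after the translation on its interface.
# On 7.x these pass rules are stateful by default (keep state is implied,
# as the thread above explains); the reply direction matches the state
# and is de-translated automatically.
block all
pass in  on $int_if from $int_if:network to any      # also matches the
                                                     # redirected web flow
pass out on $ext_if from ($ext_if) to any            # source already NATed
pass in  on $ext_if proto tcp from any to $www_server port 80
pass out on $dmz_if proto tcp from any to $www_server port 80
```

Load it with `pfctl -nf /etc/pf.conf` first: a syntax check will catch a rule whose addresses do not match the post-translation view before the ruleset goes live.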
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 15:36:10 2008
From: "Dmitry Rybin"
To: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 19:13:35 +0400
Message-ID: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com>
Subject: FreeBSD 7.1-PRERELEASE Trouble

PF doesn't block some IP!!!!

=== pf.conf ===

ext_if="bge0"
table <dnsflood> { 78.107.71.38 89.179.195.34 }

block quick from <dnsflood>
pass out
pass in
=== pf.conf ===

# pfctl -e -f /etc/pf.conf

# tcpdump -netxi bge0 host 89.179.195.34
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69: 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
    0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
    0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
    0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
    0x0030:  6f6d 0000 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84: 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
    0x0000:  4500 0046 84a8 0000 4011 0000 c30e 3215
    0x0010:  59b3 c322 0035 0935 0032 c7de bb99 8182
    0x0020:  0001 0000 0000 0001 0377 7777 0565 6d69
    0x0030:  6c73 0363 6f6d 0000 0100 0100 0029 1000
    0x0040:  0000 0000 0000
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73: 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
    0x0000:  4500 003b 84a9 0000 4011 0000 c30e 3215
    0x0010:  59b3 c322 0035 0935 0027 3dbc 55fc 8182
    0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
    0x0030:  6c73 0363 6f6d 0000 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69: 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
    0x0000:  4500 0037 84ac 0000 4011 0000 c30e 3215
    0x0010:  59b3 c322 0035 0935 0023 8291 8c1d 8182
    0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
    0x0030:  6f6d 0000 0100 01
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73: 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
    0x0000:  4500 003b 3035 0000 3811 4084 59b3 c322
    0x0010:  c30e 3215 0935 0035 0027 58a1 bb99 0100
    0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
    0x0030:  6c73 0363 6f6d 0000 0100 01
00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73: 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
    0x0000:  4500 003b 84ae 0000 4011 0000 c30e 3215
    0x0010:  59b3 c322 0035 0935 0027 d81e bb99 8182
    0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
    0x0030:  6c73 0363 6f6d 0000 0100 01

tcpdump -netxi bge0 host 78.107.71.38
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94: 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A? nc-71-51-232-31.dhcp.embarqhsd.net. (52)
    0x0000:  4500 0050 ae4f 4000 3b11 0699 4e6b 4726
    0x0010:  c30e 3215 91f7 0035 003c e6ca 9518 0100
    0x0020:  0001 0000 0000 0000 0f6e 632d 3731 2d35
    0x0030:  312d 3233 322d 3331 0464 6863 7009 656d
    0x0040:  6261 7271 6873 6403 6e65 7400 0001 0001
00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89: 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A? 166.156.122.89.bl.spamcop.net. (47)
    0x0000:  4500 004b ae68 4000 3b11 0685 4e6b 4726
    0x0010:  c30e 3215 91f8 0035 0037 18d5 c464 0100
    0x0020:  0001 0000 0000 0000 0331 3636 0331 3536
    0x0030:  0331 3232 0238 3902 626c 0773 7061 6d63
    0x0040:  6f70 036e 6574 0000 0100 01

Add to pf.conf
block quick from 89.179.195.34 - same, doesn't work.

May be trouble in config?
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 15:51:42 2008
From: Jeremy Chadwick
To: Dmitry Rybin
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 08:51:39 -0700
Message-ID: <20080908155139.GA72633@icarus.home.lan>
In-Reply-To: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble

On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> PF doesn't block some IP!!!!
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> block quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -e -f /etc/pf.conf
>
> # tcpdump -netxi bge0 host 89.179.195.34
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
>     0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
>     0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
>     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
>     0x0030:  6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84:
> 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
>     0x0000:  4500 0046 84a8 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0032 c7de bb99 8182
>     0x0020:  0001 0000 0000 0001 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 0100 0029 1000
>     0x0040:  0000 0000 0000
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
>     0x0000:  4500 003b 84a9 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0027 3dbc 55fc 8182
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69:
> 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
>     0x0000:  4500 0037 84ac 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0023 8291 8c1d 8182
>     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
>     0x0030:  6f6d 0000 0100 01
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73:
> 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
>     0x0000:  4500 003b 3035 0000 3811 4084 59b3 c322
>     0x0010:  c30e 3215 0935 0035 0027 58a1 bb99 0100
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
>     0x0000:  4500 003b 84ae 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0027 d81e bb99 8182
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
>
> tcpdump -netxi bge0 host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94:
> 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A?
> nc-71-51-232-31.dhcp.embarqhsd.net. (52)
>     0x0000:  4500 0050 ae4f 4000 3b11 0699 4e6b 4726
>     0x0010:  c30e 3215 91f7 0035 003c e6ca 9518 0100
>     0x0020:  0001 0000 0000 0000 0f6e 632d 3731 2d35
>     0x0030:  312d 3233 322d 3331 0464 6863 7009 656d
>     0x0040:  6261 7271 6873 6403 6e65 7400 0001 0001
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89:
> 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A?
> 166.156.122.89.bl.spamcop.net. (47)
>     0x0000:  4500 004b ae68 4000 3b11 0685 4e6b 4726
>     0x0010:  c30e 3215 91f8 0035 0037 18d5 c464 0100
>     0x0020:  0001 0000 0000 0000 0331 3636 0331 3536
>     0x0030:  0331 3232 0238 3902 626c 0773 7061 6d63
>     0x0040:  6f70 036e 6574 0000 0100 01
>
> Add to pf.conf
> block quick from 89.179.195.34 - same, doesn't work.
>
> May be trouble in config?

Please show the output of "pfctl -s rules".

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 16:04:37 2008
From: Jeremy Chadwick
To: Dmitry Rybin
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 09:04:34 -0700
Message-ID: <20080908160434.GA72812@icarus.home.lan>
In-Reply-To: <20080908155139.GA72633@icarus.home.lan>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble

On Mon, Sep 08, 2008 at 08:51:39AM -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote:
> > PF doesn't block some IP!!!!
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
> >
> > block quick from <dnsflood>
> > pass out
> > pass in
> > === pf.conf ===
> >
> > # pfctl -e -f /etc/pf.conf
> >
> > # tcpdump -netxi bge0 host 89.179.195.34
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
> >     0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
> >     0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
> >     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
> >     0x0030:  6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84:
> > 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
> >     0x0000:  4500 0046 84a8 0000 4011 0000 c30e 3215
> >     0x0010:  59b3 c322 0035 0935 0032 c7de bb99 8182
> >     0x0020:  0001 0000 0000 0001 0377 7777 0565 6d69
> >     0x0030:  6c73 0363 6f6d 0000 0100 0100 0029 1000
> >     0x0040:  0000 0000 0000
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> > 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
> >     0x0000:  4500 003b 84a9 0000 4011 0000 c30e 3215
> >     0x0010:  59b3 c322 0035 0935 0027 3dbc 55fc 8182
> >     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
> >     0x0030:  6c73 0363 6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69:
> > 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
> >     0x0000:  4500 0037 84ac 0000 4011 0000 c30e 3215
> >     0x0010:  59b3 c322 0035 0935 0023 8291 8c1d 8182
> >     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
> >     0x0030:  6f6d 0000 0100 01
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73:
> > 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
> >     0x0000:  4500 003b 3035 0000 3811 4084 59b3 c322
> >     0x0010:  c30e 3215 0935 0035 0027 58a1 bb99 0100
> >     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
> >     0x0030:  6c73 0363 6f6d 0000 0100 01
> > 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> > 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
> >     0x0000:  4500 003b 84ae 0000 4011 0000 c30e 3215
> >     0x0010:  59b3 c322 0035 0935 0027 d81e bb99 8182
> >     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
> >     0x0030:  6c73 0363 6f6d 0000 0100 01
> >
> > tcpdump -netxi bge0 host 78.107.71.38
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94:
> > 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A?
> > nc-71-51-232-31.dhcp.embarqhsd.net. (52)
> >     0x0000:  4500 0050 ae4f 4000 3b11 0699 4e6b 4726
> >     0x0010:  c30e 3215 91f7 0035 003c e6ca 9518 0100
> >     0x0020:  0001 0000 0000 0000 0f6e 632d 3731 2d35
> >     0x0030:  312d 3233 322d 3331 0464 6863 7009 656d
> >     0x0040:  6261 7271 6873 6403 6e65 7400 0001 0001
> > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89:
> > 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A?
> > 166.156.122.89.bl.spamcop.net. (47)
> >     0x0000:  4500 004b ae68 4000 3b11 0685 4e6b 4726
> >     0x0010:  c30e 3215 91f8 0035 0037 18d5 c464 0100
> >     0x0020:  0001 0000 0000 0000 0331 3636 0331 3536
> >     0x0030:  0331 3232 0238 3902 626c 0773 7061 6d63
> >     0x0040:  6f70 036e 6574 0000 0100 01
> >
> > Add to pf.conf
> > block quick from 89.179.195.34 - same, doesn't work.
> >
> > May be trouble in config?
>
> Please show the output of "pfctl -s rules".

Also, you might want to ensure the entries in the table are getting hit:

pfctl -T show -t dnsflood -v

If the counters for Block are getting incremented, then the rule is working.

What might be happening is pf has a state table entry which is allowing the machine in the table to still continue sending packets to it, on the same TCP/UDP socket as before. You can verify this by using "pfctl -s state | grep ip". To remove the states, use "pfctl -k ip".

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 16:12:32 2008
From: Jille
To: Dmitry Rybin
Cc: freebsd-pf@freebsd.org
Date: Mon, 08 Sep 2008 17:45:44 +0200
Message-ID: <48C548A8.9030204@quis.cx>
In-Reply-To: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble

Hello,

Dmitry Rybin wrote:
> PF doesn't block some IP!!!!
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }

Afaik you need to separate them with a comma (,)

-- Jille

>
> block quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -e -f /etc/pf.conf
>
> # tcpdump -netxi bge0 host 89.179.195.34
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
>     0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
>     0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
>     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
>     0x0030:  6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 84:
> 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/1 (42)
>     0x0000:  4500 0046 84a8 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0032 c7de bb99 8182
>     0x0020:  0001 0000 0000 0001 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 0100 0029 1000
>     0x0040:  0000 0000 0000
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> 195.14.50.21.53 > 89.179.195.34.2357: 22012 ServFail 0/0/0 (31)
>     0x0000:  4500 003b 84a9 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0027 3dbc 55fc 8182
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 69:
> 195.14.50.21.53 > 89.179.195.34.2357: 35869 ServFail 0/0/0 (27)
>     0x0000:  4500 0037 84ac 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0023 8291 8c1d 8182
>     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
>     0x0030:  6f6d 0000 0100 01
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 73:
> 89.179.195.34.2357 > 195.14.50.21.53: 48025+ A? www.emils.com. (31)
>     0x0000:  4500 003b 3035 0000 3811 4084 59b3 c322
>     0x0010:  c30e 3215 0935 0035 0027 58a1 bb99 0100
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
> 00:1c:c4:81:2f:9e > 00:00:0c:07:ac:00, ethertype IPv4 (0x0800), length 73:
> 195.14.50.21.53 > 89.179.195.34.2357: 48025 ServFail 0/0/0 (31)
>     0x0000:  4500 003b 84ae 0000 4011 0000 c30e 3215
>     0x0010:  59b3 c322 0035 0935 0027 d81e bb99 8182
>     0x0020:  0001 0000 0000 0000 0377 7777 0565 6d69
>     0x0030:  6c73 0363 6f6d 0000 0100 01
>
> tcpdump -netxi bge0 host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 94:
> 78.107.71.38.37367 > 195.14.50.21.53: 38168+ A?
> nc-71-51-232-31.dhcp.embarqhsd.net. (52)
>     0x0000:  4500 0050 ae4f 4000 3b11 0699 4e6b 4726
>     0x0010:  c30e 3215 91f7 0035 003c e6ca 9518 0100
>     0x0020:  0001 0000 0000 0000 0f6e 632d 3731 2d35
>     0x0030:  312d 3233 322d 3331 0464 6863 7009 656d
>     0x0040:  6261 7271 6873 6403 6e65 7400 0001 0001
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 89:
> 78.107.71.38.37368 > 195.14.50.21.53: 50276+ A?
> 166.156.122.89.bl.spamcop.net. (47)
>     0x0000:  4500 004b ae68 4000 3b11 0685 4e6b 4726
>     0x0010:  c30e 3215 91f8 0035 0037 18d5 c464 0100
>     0x0020:  0001 0000 0000 0000 0331 3636 0331 3536
>     0x0030:  0331 3232 0238 3902 626c 0773 7061 6d63
>     0x0040:  6f70 036e 6574 0000 0100 01
>
> Add to pf.conf
> block quick from 89.179.195.34 - same, doesn't work.
>
> May be trouble in config?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 16:22:30 2008
From: Jeremy Chadwick
To: Jille
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 09:22:27 -0700
Message-ID: <20080908162227.GA73221@icarus.home.lan>
In-Reply-To: <48C548A8.9030204@quis.cx>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble

On Mon, Sep 08, 2008 at 05:45:44PM +0200, Jille wrote:
> Dmitry Rybin wrote:
> > PF doesn't block some IP!!!!
> >
> > === pf.conf ===
> >
> > ext_if="bge0"
> > table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> Afaik you need to separate them with a comma (,)

This is incorrect. You can use a comma or a space, as the BNF grammar in pf.conf specifies. Here's the grammar break-down, one step at a time:

line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
         antispoof-rule | altq-rule | queue-rule | trans-anchors |
         anchor-rule | anchor-close | load-anchor | table-rule | )

table-rule = "table" "<" string ">" [ tableopts-list ]

tableopts-list = tableopts-list tableopts | tableopts

tableopts = "persist" | "const" | "file" string |
            "{" [ tableaddr-list ] "}"

tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec

Note in tableaddr-list the string: [ "," ]. This means the comma is optional between items within the braces.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 18:04:14 2008
From: "David DeSimone"
Mail-Followup-To: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 13:04:07 -0500
Message-ID: <20080908180407.GB4100@verio.net>
In-reply-to: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com>
Subject: Re: FreeBSD 7.1-PRERELEASE Trouble

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dmitry Rybin wrote:
>
> PF doesn't block some IP!!!!
>
> === pf.conf ===
>
> ext_if="bge0"
> table <dnsflood> { 78.107.71.38 89.179.195.34 }
>
> block quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
>
> # pfctl -e -f /etc/pf.conf
>
> # tcpdump -netxi bge0 host 89.179.195.34
> 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69:
> 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27)
>     0x0000:  4500 0037 3034 0000 3811 4089 59b3 c322
>     0x0010:  c30e 3215 0935 0035 0023 0314 8c1d 0100
>     0x0020:  0001 0000 0000 0000 0565 6d69 6c73 0363
>     0x0030:  6f6d 0000 0100 01

Even if PF causes the packet to be dropped, it will still show up on your inbound interface. You cannot prevent the packet from being sent to you unless you block it further upstream.

- -- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it." -- Clarence Darrow

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFIxWkXFSrKRjX5eCoRApOkAJ9q/Ndg9Wrcfnss//PcD1lePdCGVQCfRAja
5ltkyqIlojWZzzto7PQNRNI=
=c8Ig
-----END PGP SIGNATURE-----

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.
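Two checks from this thread, as one added example that is not code posted by any participant: first, reading the blocked-address table out of a pf.conf with the tableaddr-list grammar quoted earlier (comma between entries optional, so `{ a b }` and `{ a, b }` are the same table); second, the distinction David and Jeremy draw about the capture. Packets *from* a table entry are expected in a tcpdump on the firewall even when pf drops them, because bpf hands tcpdump the frame before pf sees it; packets the firewall host sends *to* a table entry are the real evidence that the block is not taking effect, typically because a state entry created before the rule was loaded still matches. The function names, the sample pf.conf and the sample capture lines are this example's own; the first three capture lines are modelled on the thread's `tcpdump -n` output and the last two are constructed legitimate queries that must not be flagged.

```python
"""Added example for the pf table / "doesn't block" thread. Not code from
the thread: function names and sample data are this example's own."""
import re

# table <name> [persist|const|file "x" ...] { addr [,] addr ... }
TABLE_RE = re.compile(r"^\s*table\s*<(\w+)>\s*([^{]*)\{([^}]*)\}")
# "src.port > dst.port:" as printed by both "tcpdump -n" and "tcpdump -ne";
# MAC addresses and hex-dump lines never contain a dotted quad, so they skip
PKT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)


def parse_tables(conf):
    """{table_name: set of addresses} for every table rule in conf.
    tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec,
    so the separator is whitespace, a comma, or both."""
    tables = {}
    for line in conf.splitlines():
        m = TABLE_RE.match(line)
        if m:
            name, body = m.group(1), m.group(3)
            tables[name] = {tok for tok in re.split(r"[\s,]+", body) if tok}
    return tables


def audit_capture(capture, blocked, local_ip):
    """Classify each packet line of a capture taken on the firewall itself.

    inbound_blocked: packets *from* a table entry. Expected even when the
        block works: bpf delivers the frame to tcpdump before pf drops it.
    leaks: packets this host sent *to* a table entry. A "block in" that is
        matching the incoming packets leaves the server nothing to answer,
        so a reply means something else allowed it, typically a state entry
        created before the rule went in (pfctl -s state / pfctl -k).
    """
    result = {"inbound_blocked": 0, "leaks": [], "other": 0}
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # banners, hex dump lines, continuation lines
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if src in blocked:
            result["inbound_blocked"] += 1
        elif src == local_ip and dst in blocked:
            result["leaks"].append((src, dst, dport))
        else:
            result["other"] += 1
    return result


# Constructed sample config (this example's own, not the poster's file).
SAMPLE_CONF = """\
ext_if="bge0"
table <dnsflood> persist { 78.107.71.38 89.179.195.34 }
block in quick on $ext_if from <dnsflood>
pass out
pass in
"""

# Constructed sample capture: lines 1-3 modelled on the thread's "tcpdump -n"
# output, lines 4-5 an ordinary resolver client that must not be flagged.
SAMPLE_CAPTURE = """\
09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
09:12:40.100000 IP 198.51.100.7.5353 > 195.14.50.21.53: 100+ A? example.net. (29)
09:12:40.100500 IP 195.14.50.21.53 > 198.51.100.7.5353: 100 1/0/0 A 192.0.2.1 (45)
"""


def run_example():
    """Parse the sample config and audit the sample capture against it."""
    blocked = parse_tables(SAMPLE_CONF)["dnsflood"]
    return audit_capture(SAMPLE_CAPTURE, blocked, "195.14.50.21")


if __name__ == "__main__":
    r = run_example()
    print("inbound from blocked hosts (expected in a capture):", r["inbound_blocked"])
    for src, dst, dport in r["leaks"]:
        # this is the cue for: pfctl -s state | grep <dst>   then   pfctl -k <dst>
        print(f"LEAK: {src} answered blocked host {dst}:{dport}")
```

Run against a real capture, feed it `tcpdump -n -i bge0 host <addr>` output and the firewall's own address; an empty `leaks` list with a non-zero `inbound_blocked` count is the normal picture for a block that works, and exactly what David's remark predicts.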
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 8 18:50:39 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AFCAA10656B6 for ; Mon, 8 Sep 2008 18:50:39 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from QMTA06.westchester.pa.mail.comcast.net (qmta06.westchester.pa.mail.comcast.net [76.96.62.56]) by mx1.freebsd.org (Postfix) with ESMTP id 5F7058FC16 for ; Mon, 8 Sep 2008 18:50:39 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from OMTA13.westchester.pa.mail.comcast.net ([76.96.62.52]) by QMTA06.westchester.pa.mail.comcast.net with comcast id CHEB1a00517dt5G56Jqe4Z; Mon, 08 Sep 2008 18:50:38 +0000 Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA13.westchester.pa.mail.comcast.net with comcast id CJqb1a00B4v8bD73ZJqePn; Mon, 08 Sep 2008 18:50:38 +0000 X-Authority-Analysis: v=1.0 c=1 a=QycZ5dHgAAAA:8 a=9B4vnotUTRuY-4j5ID4A:9 a=g6QS1T7mJpcVtAXKvNQA:7 a=MPfi64eZPMkfKnSjD3GeV2-xVmkA:4 a=W10XNLwuQ2AA:10 a=EoioJ0NPDVgA:10 a=b6gnn4OyobwA:10 a=LY0hPdMaydYA:10 Received: by icarus.home.lan (Postfix, from userid 1000) id 61B0417B84E; Mon, 8 Sep 2008 11:50:35 -0700 (PDT) Date: Mon, 8 Sep 2008 11:50:35 -0700 From: Jeremy Chadwick To: freebsd-pf@freebsd.org Message-ID: <20080908185035.GA76018@icarus.home.lan> References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080908180407.GB4100@verio.net> User-Agent: Mutt/1.5.18 (2008-05-17) Subject: Re: FreeBSD 7.1-PRERELEASE Trouble X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2008 18:50:39 -0000 On Mon, Sep 08, 2008 
at 01:04:07PM -0500, David DeSimone wrote: > Dmitry Rybin wrote: > > > > PF doesn't block some IP!!!! > > > > === pf.conf === > > > > ext_if="bge0" > > table { 78.107.71.38 89.179.195.34 } > > > > block quick from > > pass out > > pass in > > === pf.conf === > > > > # pfctl -e -f /etc/pf.conf > > > > # tcpdump -netxi bge0 host 89.179.195.34 > > 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69: > > 89.179.195.34.2357 > 195.14.50.21.53: 35869+ A? emils.com. (27) > > 0x0000: 4500 0037 3034 0000 3811 4089 59b3 c322 > > 0x0010: c30e 3215 0935 0035 0023 0314 8c1d 0100 > > 0x0020: 0001 0000 0000 0000 0565 6d69 6c73 0363 > > 0x0030: 6f6d 0000 0100 01 > > Even if PF causes the packet to be dropped, it will still show up on > your inbound interface. You cannot prevent the packet from being sent > to you unless you block it further upstream. I was going to reply with the same thing, but aborted -- his tcpdump shows *bidirectional* traffic, both from the bad host and *to* to the bad host. OP's server is replying to the packet which pf has supposedly blocked. This is why I think it's a state tracking thing and he might need to use -k. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. 
PGP: 4BD6C0CB | From owner-freebsd-pf@FreeBSD.ORG Tue Sep 9 06:10:49 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 211F11065671 for ; Tue, 9 Sep 2008 06:10:49 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from QMTA08.emeryville.ca.mail.comcast.net (qmta08.emeryville.ca.mail.comcast.net [76.96.30.80]) by mx1.freebsd.org (Postfix) with ESMTP id EBDF88FC14 for ; Tue, 9 Sep 2008 06:10:48 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from OMTA13.emeryville.ca.mail.comcast.net ([76.96.30.52]) by QMTA08.emeryville.ca.mail.comcast.net with comcast id CWAF1a00M17UAYkA8WAo4J; Tue, 09 Sep 2008 06:10:48 +0000 Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA13.emeryville.ca.mail.comcast.net with comcast id CWAm1a0014v8bD78ZWAmlB; Tue, 09 Sep 2008 06:10:47 +0000 X-Authority-Analysis: v=1.0 c=1 a=QycZ5dHgAAAA:8 a=ZH64th1v7a8_CrWiYPEA:9 a=Eice7ffi8wFAiwqhok4A:7 a=dbEbhf96fY8l3xN-KfqXtSXHKu4A:4 a=EoioJ0NPDVgA:10 a=LY0hPdMaydYA:10 Received: by icarus.home.lan (Postfix, from userid 1000) id 849E517B84E; Mon, 8 Sep 2008 23:10:45 -0700 (PDT) Date: Mon, 8 Sep 2008 23:10:45 -0700 From: Jeremy Chadwick To: Dmitry Rybin Message-ID: <20080909061045.GA88034@icarus.home.lan> References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net> <20080908185035.GA76018@icarus.home.lan> <9bc4ff5c0809082220v42bd264dp21088a15d3eb6319@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9bc4ff5c0809082220v42bd264dp21088a15d3eb6319@mail.gmail.com> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-pf@freebsd.org Subject: Re: FreeBSD 7.1-PRERELEASE Trouble X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 06:10:49 -0000

On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote:
> === pf.conf ===
> ext_if="bge0"
>
> block in quick from <dnsflood>
> pass out
> pass in
> === pf.conf ===
> # pfctl -f
> # pfctl -t dnsflood -Tadd 78.107.71.38
> # pfctl -t dnsflood -Tadd 89.179.195.34
> # pfctl -t dnsflood -Tshow
> 78.107.71.38
> 89.179.195.34
>
> and so on.
> # pfctl -k 78.107.71.38
> killed 1 states from 1 sources and 0 destinations
> [root@earth /opt/home/kirgudu]# tcpdump -ibge0 -p -n host 78.107.71.38
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:12:37.260545 IP 78.107.71.38.46316 > 195.14.50.21.53: 21852+ TXT? 170.225.6.117.bl.spamcop.net. (46)
> 09:12:37.812533 IP 78.107.71.38.46317 > 195.14.50.21.53: 52423+ PTR? 142.220.10.10.in-addr.arpa. (44)
> 09:12:38.838395 IP 195.14.50.21.53 > 78.107.71.38.42859: 13664 ServFail 0/0/0 (46)
> 09:12:38.838420 IP 195.14.50.21.53 > 78.107.71.38.42859: 6698 ServFail 0/0/0 (46)
> 09:12:39.028347 IP 78.107.71.38.46318 > 195.14.50.21.53: 3221+ PTR? 109.220.10.10.in-addr.arpa. (44)
> 09:12:39.492471 IP 78.107.71.38.46319 > 195.14.50.21.53: 1887+ PTR? 57.63.8.58.in-addr.arpa. (41)
>
> # pfctl -s state|grep 78.107.71.38
> all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
>
> DNS service replying to the blocked host.
>
> # pfctl -s rules
> block drop quick in on bge0 inet from <dnsflood> to any
> pass in all flags S/SA keep state
> pass out all flags S/SA keep state

Hmm, it appears that even with the "block" rule in place, and all
previous state table entries flushed, the packet is somehow making it
through.

Does "pfctl -T show -t dnsflood -v" show any In/Block hits on the table
entry for 78.107.71.38? (I doubt it, but I want to make sure).
Only two ideas I have left:

1) Are you *absolutely sure* the packets are arriving on bge0 and not
   some other interface?

2) Is pf processing even enabled?  pfctl -s info | head -1

Also, you removed the freebsd-pf mailing list from your response to me.
I don't know why, so I've re-added it.

If none of the above helps, then I'm out of ideas and David or Max will
have to assist in figuring out the root cause.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 9 16:35:26 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5249A1065677 for ; Tue, 9 Sep 2008 16:35:26 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay2-bcrtfl2.verio.net (relay2-bcrtfl2.verio.net [131.103.218.177]) by mx1.freebsd.org (Postfix) with ESMTP id 006018FC29 for ; Tue, 9 Sep 2008 16:35:25 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from iad-wprd-xchw01.corp.verio.net (iad-wprd-xchw01.corp.verio.net [198.87.7.164]) by relay2-bcrtfl2.verio.net (Postfix) with ESMTP id CE3461FF00BE for ; Tue, 9 Sep 2008 12:35:24 -0400 (EDT) thread-index: AckSmg9Cike0a4jmTIOgi9Q9R0pMyg== Received: from limbo.int.dllstx01.us.it.verio.net ([10.10.10.11]) by iad-wprd-xchw01.corp.verio.net with Microsoft SMTPSVC(6.0.3790.1830); Tue, 9 Sep 2008 12:35:24 -0400 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id A37E28E29B; Tue, 9 Sep 2008 11:35:18 -0500 (CDT) Date: Tue, 9 Sep 2008 11:35:18 -0500 From: "David DeSimone" Content-Transfer-Encoding: 7bit To: Message-ID: <20080909163518.GF4571@verio.net> Content-Class: urn:content-classes:message Mail-Followup-To: freebsd-pf@freebsd.org Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE 
V6.00.3790.2992 References: <9bc4ff5c0809080813t1c370b72pce80dfa64f91fa41@mail.gmail.com> <20080908180407.GB4100@verio.net> <20080908185035.GA76018@icarus.home.lan> <9bc4ff5c0809082220v42bd264dp21088a15d3eb6319@mail.gmail.com> <20080909061045.GA88034@icarus.home.lan> MIME-Version: 1.0 Content-Type: text/plain; x-action=pgp-signed; charset="us-ascii" Content-Disposition: inline In-reply-to: <20080909061045.GA88034@icarus.home.lan> Precedence: bulk User-Agent: Mutt/1.5.9i X-OriginalArrivalTime: 09 Sep 2008 16:35:24.0627 (UTC) FILETIME=[0F369A30:01C9129A] Subject: Re: FreeBSD 7.1-PRERELEASE Trouble X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 16:35:26 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy Chadwick wrote:
>
> > # pfctl -k 78.107.71.38
> > killed 1 states from 1 sources and 0 destinations
> > # pfctl -s state|grep 78.107.71.38
> > all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
>
> Hmm, it appears that even with the "block" rule in place, and all
> previous state table entries flushed, the packet is somehow making it
> through.

I know my reading comprehension on this thread hasn't been very good,
but I'm going to try again.

pfctl -k did kill a state, but it appears that a reply packet from
195.14.50.21 recreated a state entry, probably just bad timing. You
should try killing the state again, perhaps with

    pfctl -k 195.14.50.21 -k 78.107.71.38

And maybe before that, add an extra block rule in the opposite direction
to block replies, at least temporarily just to stop these state entries
from being recreated.

- -- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."
-- Clarence Darrow -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFIxqXFFSrKRjX5eCoRAqPGAJ9NuZHrFuridRMSDmLOIQlld0VfIACfX9Hx b5woCHBRpAu2wouD84vXqB8= =Pmof -----END PGP SIGNATURE----- This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you. From owner-freebsd-pf@FreeBSD.ORG Tue Sep 9 23:48:12 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 948241065673 for ; Tue, 9 Sep 2008 23:48:12 +0000 (UTC) (envelope-from allicient3141@googlemail.com) Received: from mail-gx0-f17.google.com (mail-gx0-f17.google.com [209.85.217.17]) by mx1.freebsd.org (Postfix) with ESMTP id 41AA08FC19 for ; Tue, 9 Sep 2008 23:48:06 +0000 (UTC) (envelope-from allicient3141@googlemail.com) Received: by gxk10 with SMTP id 10so12215652gxk.19 for ; Tue, 09 Sep 2008 16:48:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:content-transfer-encoding :content-disposition:x-google-sender-auth; bh=zDWMrltz4EXeDjFGY6JcCk1SklYJJ1Hut6jYwTfpNfk=; b=qZeuVmwZMooDI5RU3Y4Hud92xiSbie58/4Xhy+adNAf6wrN1NlaOldbIIbMhdjH5WI rO7aZnfatazdwsNTQRlDGeDJ0CIpkyz03QhjRcaqcMTjXAREPVtGHMDa6ZKItaBiC/FS 1WtCuvYf9LqyI4gu3mwjl2kF0CKXWXpuybl3Y= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type 
:content-transfer-encoding:content-disposition:x-google-sender-auth; b=lFH2rj4vb6Y7J+lRZv5fjwkUXrhmx6ZOOpMOZBIak7Ej54WfUlR5dFQmKaUsvQUoS+ YyeKcpFetbrbPUDmMHBqOt8cGwjBq/PieThkJe9DIvicGeWI1QVxW7r2Oqlm2b7M9PEF oxT6IzpTf1vDkPYSORrw5fwqZLBvxaS8y08PQ= Received: by 10.86.70.3 with SMTP id s3mr364147fga.51.1221002107549; Tue, 09 Sep 2008 16:15:07 -0700 (PDT) Received: by 10.86.65.4 with HTTP; Tue, 9 Sep 2008 16:15:07 -0700 (PDT) Message-ID: <7731938b0809091615i6a9624fape21e0711cbbde447@mail.gmail.com> Date: Wed, 10 Sep 2008 00:15:07 +0100 From: "Peter Maxwell" Sender: allicient3141@googlemail.com To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Google-Sender-Auth: b22e838282053694 Subject: pf not creating state on cloned local interface (with FreeBSD jail) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 23:48:12 -0000

Hi,

Looking for anyone's help on this: I'm not sure if pf's behaviour is
correct, if it's a bug, if it is working correctly, or if I'm just
trying to do something that really shouldn't be done. Anyway, my setup
and issue is as follows:

Kernel is GENERIC 7.0-STABLE #1, amd64 with IPSEC and ALTQ options
added.

There is one external interface and I've created a series of cloned
interfaces: lo1, lo2, lo3, ..., lox; each assigned IP 10.0.x.1/24 where
the x is the same as the cloned interface number. There are no other 10.
addresses in the routing table. I felt it was preferable to create
cloned interfaces rather than aliased IPs on lo0 for the jails (i.e. I
didn't want any possibility of the jailed services being able to access
a host service on lo0). I don't have, and wouldn't be able to justify,
enough public addresses for this.
The salient parts of my pf.conf (very much condensed) are

set state-policy if-bound
scrub all
antispoof on re0 (external interface)
set skip on lo0

There are processes (e.g. apache) in each of the jails binding to each
of the 10.0.x.1 IP addresses.

Now here's the crunch... when I add a "set skip on lo?" for each of the
cloned interfaces all is good and well, each of the services can talk to
each other and I can add appropriate NAT rules to allow access out to
the internet. However, I want to prevent general network access across
the cloned interfaces (and hence jails), i.e. I want to give apache
access to mysql, say, but not to the smtp server. So the extra "set skip
lo?" lines are removed and only "set skip lo0" remains. Which then
requires creation of appropriate rules.

If I try and set up rules to allow access from the main host into a
jailed service (keeping it simple to start with), it seems to require
two rules (one to pass in, the other to pass out - i.e. it's not keeping
state). If I take the example of apache running on 10.0.3.1 (lo3) in a
jail, the necessary rules to allow access from the host system (i.e. not
from another jail) are:

pass in log on lo3 proto tcp from any to any flags S/SA modulate state
pass out log on lo3 proto tcp from any to any flags S/SA modulate state

I know the rules are a bit general, but that shouldn't be important just
now.

If I take a look at the logs for apache the source IP for the incoming
packets is 10.0.3.1 (the jail IP, the same IP as apache is running on),
which I'm guessing is the standard behaviour (have done a rdr test with
the "set skip" lines in place from an external IP and it takes the
appropriate source address in that scenario).

If the "pass out" is removed, an "Operation not permitted" error is
generated (which is sort of what I expected). If the "pass in" rule is
omitted then it just stalls (which really is not what I expected).
If tcpdump is run on pflog0, you cannot see the expected initial SYN
packets and all you can see is a load of SYN/ACKs getting blocked.

When both rules are in place and I check the output of "pfctl -s r"
there is something like (and it seems to work):

lo3 tcp 10.0.3.1:63167 -> 10.0.3.1:80       ESTABLISHED:ESTABLISHED
lo3 tcp 10.0.3.1:80 <- 10.0.3.1:63167       ESTABLISHED:ESTABLISHED

which says to me there's two state entries been created where there
should only be one, that being the first line (and that I should also
expect some nasty problems down the line if I leave it like that).

Should the first "pass out" rule not be enough to create a state entry
from which the return packets get matched?

If I add a "set skip" for every cloned interface except lo3, then
similar behaviour is seen - two rules are needed.

Any help or advice is appreciated.

Cheers,

Peter

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 10 16:58:40 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 655FD1065678 for ; Wed, 10 Sep 2008 16:58:40 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay1-bcrtfl2.verio.net (relay1-bcrtfl2.verio.net [131.103.218.142]) by mx1.freebsd.org (Postfix) with ESMTP id 0DCC18FC1C for ; Wed, 10 Sep 2008 16:58:39 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from iad-wprd-xchw01.corp.verio.net (iad-wprd-xchw01.corp.verio.net [198.87.7.164]) by relay1-bcrtfl2.verio.net (Postfix) with ESMTP id 8106EB0380D7 for ; Wed, 10 Sep 2008 12:58:38 -0400 (EDT) thread-index: AckTZnifSmyL+jyBSpqKGSAOI6vSUw== Received: from limbo.int.dllstx01.us.it.verio.net ([10.10.10.11]) by iad-wprd-xchw01.corp.verio.net with Microsoft SMTPSVC(6.0.3790.1830); Wed, 10 Sep 2008 12:58:38 -0400 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id A18698E29B; Wed, 10 Sep 2008 11:58:32 -0500 (CDT) Date: Wed, 10 Sep 2008 11:58:32 -0500 From: "David 
DeSimone" Content-Transfer-Encoding: 7bit To: Message-ID: <20080910165831.GC5570@verio.net> Content-Class: urn:content-classes:message Mail-Followup-To: freebsd-pf@freebsd.org Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992 References: <7731938b0809091615i6a9624fape21e0711cbbde447@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; x-action=pgp-signed; charset="us-ascii" Content-Disposition: inline In-reply-to: <7731938b0809091615i6a9624fape21e0711cbbde447@mail.gmail.com> Precedence: bulk User-Agent: Mutt/1.5.9i X-OriginalArrivalTime: 10 Sep 2008 16:58:38.0733 (UTC) FILETIME=[78940BD0:01C91366] Subject: Re: pf not creating state on cloned local interface (with FreeBSD jail) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 16:58:40 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Maxwell wrote:
>
> pass in log on lo3 proto tcp from any to any flags S/SA modulate state
> pass out log on lo3 proto tcp from any to any flags S/SA modulate state

I have heard it mentioned several times on this list (and experienced it
myself) that "modulate state" does not work. But I don't really know why
it doesn't work, and what behavior you should expect if you attempt to
use it.

I would suggest you try "keep state" instead, before proceeding further.

- -- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."
-- Clarence Darrow -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFIx/y3FSrKRjX5eCoRApccAJ492tm3v/SlPBTH0gXduuRZeS857ACeO+/G yfF/1KpNN9H4EmzU49P7SO0= =DH6a -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Sat Sep 13 10:05:21 2008 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0FFE41065672; Sat, 13 Sep 2008 10:05:21 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id D806A8FC1A; Sat, 13 Sep 2008 10:05:20 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8DA5KrW009856; Sat, 13 Sep 2008 10:05:20 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8DA5K4Q009852; Sat, 13 Sep 2008 10:05:20 GMT (envelope-from linimon) Date: Sat, 13 Sep 2008 10:05:20 GMT Message-Id: <200809131005.m8DA5K4Q009852@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/127345: [pf] Problem with PF on FreeBSD7.0 [regression] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical 
discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Sep 2008 10:05:21 -0000

Old Synopsis: Problem with PF on FreeBSD7.0
New Synopsis: [pf] Problem with PF on FreeBSD7.0 [regression]

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Sep 13 10:04:14 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127345
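The "FreeBSD 7.1-PRERELEASE Trouble" thread above turns on one pf detail: "block in quick from <dnsflood>" matches only packets whose source is in the table, while the server's DNS replies to a listed host go out through "pass out ... keep state" and create (or, right after a "pfctl -k", re-create) a state that later packets from that host then ride past the block rule. David DeSimone's fix is to kill the state in both directions and block the reply direction too. The script below is an added example written for this page, not code posted in the thread: it reads a block-table dump and a "pfctl -s state" dump, lists every state that still involves a listed host on either side (including the "dst <- src" form that Peter Maxwell's lo3 states use), and prints the two-host "pfctl -k src -k dst" commands that remove them. The table and state lines are constructed samples modelled on the ones quoted above; the script assumes IPv4 addresses, state lines without NAT annotations, and a one-address-per-line table dump.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a pf state table for
# states that still involve hosts in a block table, and print the
# "pfctl -k src -k dst" commands that remove them.
#
# Assumptions: IPv4 only (pfctl prints IPv6 as addr[port], which this
# parser does not handle), plain "src -> dst" / "dst <- src" state lines
# without NAT annotations, and a table dump with one address per line.

# Constructed sample input, shaped like the output quoted in the thread.
# Stands in for: pfctl -t dnsflood -T show
sample_table() {
    cat <<'EOF'
78.107.71.38
89.179.195.34
EOF
}

# Stands in for: pfctl -s state
sample_states() {
    cat <<'EOF'
all udp 195.14.50.21:53 -> 78.107.71.38:42859       MULTIPLE:MULTIPLE
bge0 tcp 10.0.0.5:51234 -> 93.184.216.34:443        ESTABLISHED:ESTABLISHED
bge0 udp 195.14.50.21:53 <- 89.179.195.34:2357      SINGLE:NO_TRAFFIC
lo3 tcp 10.0.3.1:63167 -> 10.0.3.1:80               ESTABLISHED:ESTABLISHED
EOF
}

# leaked_states TABLE_FILE STATE_FILE
# Prints "src dst" for every state whose source or destination host is
# listed in the table, whichever direction created the state.
leaked_states() {
    awk '
        # first file: the block table, one address per line
        NR == FNR { if ($1 != "") blocked[$1] = 1; next }
        # second file: state lines, fields: if proto addr:port dir addr:port ...
        $4 == "->" || $4 == "<-" {
            split($3, a, ":"); split($5, b, ":")
            # "<-" prints the local endpoint first, so swap to get src dst
            if ($4 == "<-") { src = b[1]; dst = a[1] } else { src = a[1]; dst = b[1] }
            if (src in blocked || dst in blocked) print src, dst
        }' "$1" "$2"
}

# kill_commands TABLE_FILE STATE_FILE
# Turns each leaked state into the two-host form of pfctl -k, which kills
# states from src to dst (the form suggested in the thread above).
kill_commands() {
    leaked_states "$1" "$2" | while read -r src dst; do
        printf 'pfctl -k %s -k %s\n' "$src" "$dst"
    done
}

# Stand-alone demo on the constructed sample.
demo() {
    t=$(mktemp) && s=$(mktemp) || return 1
    sample_table > "$t"
    sample_states > "$s"
    kill_commands "$t" "$s"
    rm -f "$t" "$s"
}

demo
```

On a live box the two sample functions would be replaced by "pfctl -t dnsflood -T show" and "pfctl -s state" themselves. Killing states only helps if nothing re-creates them, so the outbound side has to be closed as well: "from <table>" matches the source address only, and the reply direction needs its own "block out quick to <dnsflood>" (or a directionless pair of "from" and "to" rules) before the kill commands are run.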