From owner-freebsd-pf@FreeBSD.ORG Mon Apr 25 11:07:05 2011
Date: Mon, 25 Apr 2011 11:07:04 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <201104251107.p3PB74xc084643@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf     [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 07:49:39 2011
Date: Tue, 26 Apr 2011 10:49:24 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110426074924.GH87913@relay.ibs.dn.ua>
In-Reply-To: <20110415063632.GA14296@insomnia.benzedrine.cx>
X-Operating-System: FreeBSD 8.1-RELEASE
Subject: former "transparent proxy traffic queue ..."

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.15 09:37] wrote:
> First, incoming and outgoing in context of pf.conf rules are
> relative to the firewall (and not your LAN vs. the internet),
> e.g. incoming means 'enters the firewall through an interface
> from a network' and outgoing means 'exits the firewall through
> an interface to a network'.

yes, thanks, and I believe it is what I was trying to say, but failed

> Second, with a squid proxy, there are actually two distinct
> connections: one connection from the client to the proxy, and
> another connection from the proxy to the server. There are
> two different (random) source ports, and two different
> destination ports (3128 and 80):
>
> 1) client:random1 -> proxy:3128 (incoming on if_lan)
> 2) proxy:random2 -> server:80 (outgoing on if_wan)
>
> Both are filtered by pf, and both must be passed explicitly.

yes, and as for the outgoing traffic, I can see the outgoing http queue works,
but as for the incoming traffic (http server replies to my LAN clients'
requests), it passes by the queue and the counters for it remain empty ...
I look at it via pftop ...

so, I have simplified the task ... I excluded the proxy stuff and am now trying
just to queue http traffic for a box that bypasses the proxy ...
here is the pf.conf
------------------------------------------------------------------------------------
if_wan = "tun0"
if_lan = "ale0"

# the <name> part of both table definitions was lost in the archive extraction
# (angle brackets stripped); the names below are restored from the file names
table <pass_wan> persist file "/etc/pf.tbl.pass_wan"
# allowed to direct (proxy less) http
table <direct> persist file "/etc/pf.tbl.direct"

ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"

set skip on lo0
set optimization conservative
set ruleset-optimization basic
set state-policy if-bound

altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
  queue wan_http bandwidth 150Kb priority 2
  queue wan_rest bandwidth 850Kb cbq(default)

# lan_voip, lan_smb and lan_prn are listed here but their definitions are not in the post
altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http, lan_voip, lan_smb, lan_prn }
  queue lan_http bandwidth 2Mb priority 2
  queue lan_rest bandwidth 98Mb cbq(default)

# clients not in <direct> get their proxy-able traffic redirected to squid on this box
rdr on $if_lan proto { tcp, udp } from ! <direct> to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128
nat on $if_wan from <pass_wan> to any -> ($if_wan)

antispoof for { $if_wan, $if_lan }

block in log(all)
pass in log(all) inet proto icmp all icmp-type echoreq
# the source table in this rule was also lost in extraction; left as posted
pass in log(all) on $if_wan inet proto { tcp, udp } from { } to ($if_wan) port ssh
pass in log(all) on $if_lan from $if_lan:network to any

pass out log(all) on $if_wan
block drop out log on $if_wan from any to { 127/8, 10/8, 172.16/12, 192.168/16 }
pass out log (all) on $if_wan inet proto tcp from any to any port { $ports_proxy } queue wan_http

# as posted: note 172.12.10.12 here versus the 172.16.10.12 test client below,
# and the loaded ruleset (pfctl -gsr) shows this rule as "pass out"
pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } to 172.12.10.12 queue lan_http
------------------------------------------------------------------------------------

so, when I launch wget on the box from the table address, I see in

> pfctl -k 172.16.10.12 ; tcpdump -n -i pflog0 -ettt -s0 host 172.16.10.12

...
00:00:00.001251 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000004 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000480 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001240 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000007 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000447 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001019 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000446 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001530 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000447 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001067 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
...

where

> pfctl -gsr

...
@10 pass in log (all) on ale0 inet from 10.200.50.0/24 to any flags S/SA keep state (if-bound)
  [ Skip steps: d=12 p=18 sp=24 da=14 dp=18 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
...
@18 pass out log (all) on tun0 inet proto tcp from any to any port = http flags S/SA keep state (if-bound) queue wan_http
  [ Skip steps: i=24 d=24 f=38 p=32 sa=30 sp=24 da=24 ]
  [ queue: qname=wan_http qid=2 pqname= pqid=2 ]
...
@24 pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
  [ Skip steps: i=30 d=30 f=38 p=32 sa=30 da=30 dp=30 ]
  [ queue: qname=lan_http qid=6 pqname= pqid=6 ]
...

here we see the outgoing traffic via $if_wan successfully coming through the
wan_http queue, rule 18, but no traffic coming through rule 24, but 10
instead ...

so, what am I missing, please?

why does the pflog row:

  ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...

not match my pf.conf rule @24:

  pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http

?

why can't I catch $if_int (ale0) outgoing (to the LAN, from pf) http traffic
into the queue lan_http?

thank you much for taking the time to read all this and reply.

-- 
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 08:57:52 2011
Date: Tue, 26 Apr 2011 10:57:47 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110426085747.GA1204@insomnia.benzedrine.cx>
In-Reply-To: <20110426074924.GH87913@relay.ibs.dn.ua>
Subject: Re: former "transparent proxy traffic queue ..."
On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:
> here we see outgoing via $if_wan traffic successfully coming through wan_http queue, the rull 18
> but no traffic comming trough the rull 24 but 10 instead ...
>
> so, what am i missing, please?
>
> why pflog row:
> ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...
> not matches my pf.conf rull @24:
> pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
> ?

Ah, I see. Your rule @24 restricts the _source_ port:

  pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
      to 172.12.10.12 queue lan_http

Remember, only the initial (first) packet of a connection causes
ruleset evaluation, hence rules can be said to apply to the initial
packets of connections (everything else is covered by states).

You don't need to think about the packets flowing in reverse at all.

So, take the initial packet of that connection (the HTTP connection from
client to proxy, incoming on the LAN interface), what are its source and
destination ports?

The source port is random, the destination port is 3128.
So, change the above rule to

  pass in log (all) on $if_lan inet proto tcp from any \
      to 172.12.10.12 port 3128 queue lan_http

HTH,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 11:46:18 2011
Date: Tue, 26 Apr 2011 14:46:05 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110426114605.GC8525@relay.ibs.dn.ua>
In-Reply-To: <20110426085747.GA1204@insomnia.benzedrine.cx>
X-Operating-System: FreeBSD 8.1-RELEASE
Subject: Re: former "transparent proxy traffic queue ..."
now it works, thank you Daniel much!

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.26 11:58] wrote:
> Remember, only the initial (first) packet of a connection causes
> ruleset evaluation, hence rules can be said to apply to the initial
> packets of connections (everything else is covered by states).

may you point me to where this is described, since I didn't meet it in the
pf related man pages pf(4) and pf.conf(5)

> You don't need to think about the packets flowing in reverse at all.

but I was, since my previous firewall was ipfw+dummynet, and I am still
missing the logic a bit :(

as for the wan interface, I can configure the queue for traffic outgoing
from the wan interface, as I understand it:

  pass out on $if_wan inet proto tcp from any to any port http queue wan_http

and it is correct, but as for the reverse packets it was logical to my mind
to catch them outgoing from the lan interface to the lan ... but the traffic
directed to the queue is defined by the request outgoing from the lan ...
still a bit weird for me ...

> So, take the initial packet of that connection (the HTTP connection from
> client to proxy, incoming on the LAN interface)

it is the key I was lacking

thnx again

-- 
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
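An added example, not part of the thread and not pf's own code: a small Python model of the behaviour Daniel describes, written by the editor. It evaluates the ruleset only for a packet that has no state (last matching rule wins, since the thread's rules carry no `quick`), records the winning rule's queue in a state keyed on the interface that created it (`set state-policy if-bound`), and answers every later packet of the connection from that state. The rule numbers, interface names, addresses and ports come from the thread; the class and function names (`Packet`, `Rule`, `Pf`, `run`) and the two packets are constructed for the example, and the model ignores TCP flags, NAT, rdr and the `$if_lan:network` restriction on rule @10. It shows why the posted rule @24 (matching on the source port) loses to the generic rule @10 on the initial packet, why Daniel's corrected rule (destination port 3128) wins and carries its queue into the reply, and why a rule written for the reply direction is never consulted at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical, simplified model of pf's stateful evaluation (an illustration,
# not pf's code): a packet with no matching state is evaluated against the
# ruleset and the LAST matching rule wins (no 'quick' rules here); a passing
# rule creates a state that records the rule's queue; every later packet of
# that connection, in either direction, is handled by the state. With
# 'set state-policy if-bound' the state is keyed on the interface that created it.


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                           # "pass" or "block"
    direction: Optional[str] = None       # None matches both directions
    iface: Optional[str] = None           # None matches any interface
    src: Optional[str] = None             # CIDR; None = any
    sports: Optional[FrozenSet[int]] = None
    dst: Optional[str] = None             # CIDR; None = any
    dports: Optional[FrozenSet[int]] = None
    queue: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


StateKey = Tuple[str, FrozenSet[Tuple[str, int]]]


class Pf:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states: Dict[StateKey, Tuple[int, Optional[str]]] = {}

    @staticmethod
    def state_key(p: Packet) -> StateKey:
        # symmetric endpoint set: the reply (src/dst swapped) finds the same state
        return (p.iface, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p: Packet) -> Tuple[str, Optional[int], Optional[str], str]:
        """Return (action, rule number, queue, 'state' or 'ruleset')."""
        key = self.state_key(p)
        if key in self.states:                 # not the first packet: no ruleset evaluation
            rule, queue = self.states[key]
            return ("pass", rule, queue, "state")
        winner = None
        for r in self.rules:                   # last matching rule wins
            if r.matches(p):
                winner = r
        if winner is None or winner.action == "block":
            return ("block", winner.number if winner else None, None, "ruleset")
        self.states[key] = (winner.number, winner.queue)
        return ("pass", winner.number, winner.queue, "ruleset")


PORTS_PROXY = frozenset({80, 443, 21, 20, 990, 989})   # the thread's $ports_proxy


def lan_pf(queue_rule: Rule) -> Pf:
    # LAN side of the thread's ruleset: block all, generic LAN pass (@10), queue rule (@24)
    return Pf([Rule(0, "block"), Rule(10, "pass", "in", "ale0"), queue_rule])


# @24 as posted: matches on the SOURCE port, which is random on the initial packet
POSTED_RULE = Rule(24, "pass", "in", "ale0", sports=PORTS_PROXY, dst="172.12.10.12/32", queue="lan_http")
# @24 as Daniel corrected it: match the initial packet's destination port 3128
FIXED_RULE = Rule(24, "pass", "in", "ale0", dst="172.12.10.12/32", dports=frozenset({3128}), queue="lan_http")
# a rule written for the reply direction (what the poster expected to catch the replies)
REPLY_RULE = Rule(25, "pass", "out", "ale0", sports=frozenset({3128}), queue="lan_http")

# constructed packets: the client opening the proxy connection, and the proxy's reply
CLIENT_SYN = Packet("ale0", "in", "172.16.10.12", 40650, "172.12.10.12", 3128)
PROXY_REPLY = Packet("ale0", "out", "172.12.10.12", 3128, "172.16.10.12", 40650)


def run(queue_rule: Rule):
    pf = lan_pf(queue_rule)
    return pf.filter(CLIENT_SYN), pf.filter(PROXY_REPLY)


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("fixed", FIXED_RULE), ("reply-direction", REPLY_RULE)):
        first, reply = run(rule)
        print(f"{name:16} first packet -> {first}   reply -> {reply}")
```

Running it prints that with the posted rule both packets are attributed to rule 10 with no queue (the reply never reaches the ruleset, exactly what the `rule 10/0(match): pass out on ale0` pflog lines show), while with the corrected rule the initial packet creates a state carrying `lan_http` and the reply inherits it.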