From owner-freebsd-pf@FreeBSD.ORG Sun Apr 28 07:07:45 2013
Date: Sun, 28 Apr 2013 00:07:43 -0700 (PDT)
From: Nomad Esst
Subject: check precedence with pf
To: "freebsd-pf@freebsd.org"
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi all

In IPFW we can use "ipprecedence" to match a specified precedence. Is it
possible to do so with pf? How?

Thanks

From owner-freebsd-pf@FreeBSD.ORG Sun Apr 28 12:33:09 2013
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: check precedence with pf
Date: Sun, 28 Apr 2013 14:33:04 +0200

Nomad Esst writes:

> In IPFW we can use "ipprecedence" to match a specified precedence. Is
> it possible to do so with pf? How?

If I'm not horribly mistaken, you would match on 'tos' instead (see man
pf.conf for details)

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 29 11:06:49 2013
Date: Mon, 29 Apr 2013 11:06:49 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/177810  pf     [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf     [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf     [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf     [pf] [patch] synproxy not working with route-to
o kern/173659  pf     [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf     [patch] authpf(8) feature enhancement
o kern/172648  pf     [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf     [pf] PF problem with modulate state in [regression]
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

52 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed May 1 07:46:54 2013
Date: Wed, 1 May 2013 00:46:52 -0700 (PDT)
From: Nomad Esst
Subject: skipto keyword in pf
To: pf list

Hi list

I have been using IPFW for years, now because of some reasons I'm
migrating to PF. In IPFW we can use the "skipto" keyword in order to
change the order of checking the rules. How can I do this in PF?
Another one, is it possible to filter in/out coming traffic according to
the source/destination MAC address separately?

Thank you all ...

From owner-freebsd-pf@FreeBSD.ORG Thu May 2 00:29:27 2013
Date: Wed, 1 May 2013 18:59:47 -0500
From: "David DeSimone"
To: "Nomad Esst"
Cc: pf list
Subject: Re: skipto keyword in pf

Nomad Esst wrote:
>
> I have been using IPFW for years, now because of some reasons I'm
> migrating to PF. In IPFW we can use the "skipto" keyword in order to
> change the order of checking the rules. How can I do this in PF?

PF processes rules from top to bottom for every packet, only aborting
the rule evaluation in the case that the "quick" keyword is used to
render a decision immediately.

If you are trying to avoid having to evaluate all of your rules on every
packet, you should read up on the "anchor" feature, which allows you to
perform a type of "subroutine call", evaluating a different ruleset upon
some condition. You could conceivably use that to evaluate some rules
and come to a decision without having to evaluate all of the rules in a
policy. It would take some rethinking of your existing rules, no doubt.

> Another one, is it possible to filter in/out coming traffic according
> to the source/destination MAC address separately?

As far as I'm aware, PF is a layer-3 only filter, and has no ability to
filter on MAC.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

From owner-freebsd-pf@FreeBSD.ORG Thu May 2 05:54:38 2013
Date: Wed, 1 May 2013 22:54:37 -0700 (PDT)
From: Nomad Esst
Subject: Re: skipto keyword in pf
To: David DeSimone
Cc: pf list

>> I have been using IPFW for years, now because of some reasons I'm
>> migrating to PF.  In IPFW we can use the "skipto" keyword in order to
>> change the order of checking the rules.  How can I do this in PF?

>PF processes rules from top to bottom for every packet, only aborting
>the rule evaluation in the case that the "quick" keyword is used to
>render a decision immediately.

>If you are trying to avoid having to evaluate all of your rules on every
>packet, you should read up on the "anchor" feature, which allows you to
>perform a type of "subroutine call", evaluating a different ruleset upon
>some condition. You could conceivably use that to evaluate some rules
>and come to a decision without having to evaluate all of the rules in a
>policy.  It would take some rethinking of your existing rules, no doubt.

How is it possible? Could you please come up with some examples?
The traffic I want to decide about, first, must match all features which
I want and then do the decision about the traffic.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Thu May 2 11:10:48 2013
Date: Thu, 2 May 2013 13:10:38 +0200
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Subject: Re: skipto keyword in pf

On Wed, 1 May 2013 22:54:37 -0700 (PDT), Nomad Esst wrote:

> >If you are trying to avoid having to evaluate all of your rules on
> >every packet, you should read up on the "anchor" feature, which
> >allows you to perform a type of "subroutine call", evaluating a
> >different ruleset upon some condition. You could conceivably use
> >that to evaluate some rules and come to a decision without having to
> >evaluate all of the rules in a policy.  It would take some
> >rethinking of your existing rules, no doubt.
>
> How is it possible? Could you please come up with some examples?
> The traffic I want to decide about, first, must match all features
> which I want and then do the decision about the traffic.

Well, tags could help here. With a concrete example of what you want, it
would be easier to suggest a solution.

Regards.

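The three mechanisms named in the replies above ("quick", anchors and tags) in one pf.conf ruleset, as an added example that was not posted by anyone in this thread. The interface names, addresses, table contents, the anchor name "svc" and the tag names LAN and LAN_SMTP are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumed: interface names, addresses,
# table contents, the anchor name "svc" and the tag names LAN / LAN_SMTP.

ext_if  = "em0"
int_if  = "em1"
lan_net = "203.0.113.0/24"          # routed LAN, no NAT in this example

table <admins>   { 198.51.100.0/24 }
table <badhosts> persist

set skip on lo0

# 1. Default. Without "quick" the LAST matching rule decides, so the
#    catch-all goes first and later rules override it.
block log all

# 2. "quick": the first match decides and evaluation stops at this rule.
block in quick on $ext_if from <badhosts> to any

# 3. Anchor as a conditional sub-ruleset, the nearest pf equivalent of an
#    ipfw "skipto": the rules between the braces are evaluated only for
#    packets that match the anchor line. Everything else steps over them.
anchor "svc" in on $ext_if proto tcp from any to ($ext_if) {
    # "!" negates a match: SSH from anyone who is not in <admins>.
    block quick proto tcp from ! <admins> to any port 22
    pass  quick proto tcp from any to any port { 22, 443 }
}
# A packet for another TCP port leaves the anchor undecided, and the
# last match so far, "block log all", still applies to it.

# 4. Tags: classify where the packet enters, decide where it leaves.
#    A tag sticks to the packet even if the tagging rule is not the last
#    match; a packet carries one tag, so a later tag replaces an earlier one.
pass in on $int_if from $lan_net to any tag LAN
pass in on $int_if proto tcp from $lan_net to any port 25 tag LAN_SMTP

block out quick on $ext_if tagged LAN_SMTP     # no direct SMTP from clients
pass  out quick on $ext_if tagged LAN          # all other LAN traffic
pass  out on $ext_if from ($ext_if) to any     # the firewall's own traffic
```

The file can be parsed without loading it by running `pfctl -nf` on it, which reports syntax errors before the ruleset goes live.
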
From owner-freebsd-pf@FreeBSD.ORG Sat May 4 04:29:38 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B1BD6693 for ; Sat, 4 May 2013 04:29:38 +0000 (UTC) (envelope-from noname.esst@yahoo.com) Received: from nm28.bullet.mail.bf1.yahoo.com (nm28.bullet.mail.bf1.yahoo.com [98.139.212.187]) by mx1.freebsd.org (Postfix) with ESMTP id 3E7B3136B for ; Sat, 4 May 2013 04:29:38 +0000 (UTC) Received: from [98.139.215.141] by nm28.bullet.mail.bf1.yahoo.com with NNFMP; 04 May 2013 04:29:37 -0000 Received: from [98.139.212.206] by tm12.bullet.mail.bf1.yahoo.com with NNFMP; 04 May 2013 04:29:37 -0000 Received: from [127.0.0.1] by omp1015.mail.bf1.yahoo.com with NNFMP; 04 May 2013 04:29:37 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 449155.13617.bm@omp1015.mail.bf1.yahoo.com Received: (qmail 54224 invoked by uid 60001); 4 May 2013 04:29:37 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1367641777; bh=8+D1vWoj946Gok/j1cpxqLnQI0L3RY13N/jrEokF7ZM=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=xLoa6BLGseSEDht1axt/H3rUcAqzEpqoLyMDKvYVuYsPZJm5segQEf7CTrK/GpP1fTzCKsRAueP8A43JZ7ouyX1DCkC9S72K45totlq2LS2AhvCWWmYIctr8E/+kgPt5tvx+6kRqur8zzdWMvNt57Dca0v1DRVOP3SsuXyRp+wI= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=IIgYJ4PtcxtR5AomXC7TKpqz6bbOBRlBnSfwFMR404ZUvl3wzTxXY7jV5c3egc7kmCn8sizLkt2RfP+c4jYvXhvf/o3vtSxpxfTzuTdND/lSJfEB5rZ4CFSqmnXALQbvdH/P3wB8ATngHbJfU+cMAFWjCjjcCseMM+gUYJZUu3c=; X-YMail-OSG: loXzUYgVM1k50LhCfIoaV40cfcntkFtyVzkSWAqSX5uFml_ Fe5sbYrvIx1YVWs.xH5TFFy6.elH7t3wv9jnJkHXsCLIjqyGzi2BL3hDvw_b 
KpPsMDKeNSVE.8pPsHuRyBDoAnXadg_UsnvMZcl2Na4kAkfr5gWGUd7Mlko3 .Wq4yxVi1tv00_XjW5wdTsRQJtx15pcaexMDHOPhhseFzfAmTDjE30tRafsY evz3CnQXy3q3dJZIkacJmBSssxO9X1W3MP_2iBvL9y0_snCxMY5BSg.oN7hm JsvsyyTC1CamF5zpzM3AW6sSTkLIuo4aXzOiyWlNxqSQwJzJh3ELq2yrdf0_ 8RexxR35XpxkEO6tvZRd4M72wLt2zJZLarPmdAw71wbPOIswC3iEEx0MtRJx Qhg2CBHCR5c38dIQId.2IHT2I5QFh8sm._FOFQf6WdmMiftLNKQbm0ilYNzf d8GOBvD99aQcMTxOq3cc- Received: from [89.165.120.140] by web162702.mail.bf1.yahoo.com via HTTP; Fri, 03 May 2013 21:29:37 PDT X-Rocket-MIMEInfo: 002.001, PldlbGwsIHRhZ3MgY291bGQgaGVscCBoZXJlLiBXaXRoIGEgY29uY3JldGUgZXhhbXBsZSBvZiB3aGF0IHlvdSB3YW50LCBpdAo.d291bGQgYmUgZWFzaWVyIHRvIHN1Z2dlc3QgYSBzb2x1dGlvbi4KCj5SZWdhcmRzLgoKQXJlbid0IGFuY2hvcnMgdXNlZnVsIGFzIERhdmlkIERlU2ltb25lIHNhaWQ_IEFub3RoZXIgcXVlc3Rpb24sIGlzIGl0IHBvc3NpYmxlIHRvIG5lZ2F0ZSBhIHJ1bGUgb3IgZmVhdHVyZSBpbiBhIHJ1bGU_IEkgbWVhbiBwYXNzIGFsbCB0cmFmZmljIHdoaWNoIERPIE5PVCBtYXRjaCB0aGUBMAEBAQE- X-Mailer: YahooMailWebService/0.8.141.536 References: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com> <20130502131038.72cc6020@davenulle.org> Message-ID: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com> Date: Fri, 3 May 2013 21:29:37 -0700 (PDT) From: Nomad Esst Subject: Re: skipto keyword in pf To: Patrick Lamaiziere , "freebsd-pf@freebsd.org" In-Reply-To: <20130502131038.72cc6020@davenulle.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Nomad Esst List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 May 2013 04:29:38 -0000 >Well, tags could help here. With a concrete example of what you want, it >would be easier to suggest a solution. >Regards. 
Aren't anchors useful as David DeSimone said? Another question, is it possible to negate a rule or feature in a rule? I mean pass all traffic which DO NOT match the rule ? e.g. using "!" sign. From owner-freebsd-pf@FreeBSD.ORG Sat May 4 13:44:32 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 65D87B39 for ; Sat, 4 May 2013 13:44:32 +0000 (UTC) (envelope-from flo@smeets.im) Received: from mail.solomo.de (mail.solomo.de [5.9.87.18]) by mx1.freebsd.org (Postfix) with ESMTP id 2416C1BDC for ; Sat, 4 May 2013 13:44:31 +0000 (UTC) Received: from cpos1.nexxtmobile.de (localhost [127.0.0.1]) by mail.solomo.de (Postfix) with ESMTP id 1B239DC17; Sat, 4 May 2013 15:44:25 +0200 (CEST) X-Virus-Scanned: amavisd-new at nexxtmobile.de Received: from mail.solomo.de ([127.0.0.1]) by cpos1.nexxtmobile.de (cpos1.nexxtmobile.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id V2qYXNCCJPWb; Sat, 4 May 2013 15:44:23 +0200 (CEST) Received: from nibbler-osx.fritz.box (unknown [IPv6:2001:4dd0:ff00:8bb6:3864:efd0:2d80:97b9]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.solomo.de (Postfix) with ESMTPSA id 58D41DC0E; Sat, 4 May 2013 15:44:23 +0200 (CEST) Message-ID: <518510B6.8000309@smeets.im> Date: Sat, 04 May 2013 15:44:22 +0200 From: Florian Smeets User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Thunderbird/23.0a1 MIME-Version: 1.0 To: Jason Hellenthal , "freebsd-pf@FreeBSD.org" Subject: Re: IGMP with no matching rules References: <86C973B6-D12D-41AA-A1F9-D93E1C60856F@DataIX.net> In-Reply-To: <86C973B6-D12D-41AA-A1F9-D93E1C60856F@DataIX.net> X-Enigmail-Version: 1.6a1pre Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="----enig2QSLCCNIPDMCKCOVFCNDR" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 

On 04.05.13 09:36, Jason Hellenthal wrote:
> Hey Everyone,
>
> Has anyone seen IGMP traffic hit their pflog interface even if there
> are no rules matching that tell it to log?
>
> Anyone that has a pointer to eliminate the logging of the IGMP
> traffic would be extremely helpful. This has been fairly frustrating
> up to this point trying to either create a rule to catch it that does
> not specify logging or eliminate rules that shouldn't be matching but
> do.
>

It would be easier to tell with your rule set, but I think this may be
related to IP options, look for allow-opts in pf.conf(5).

Florian

From owner-freebsd-pf@FreeBSD.ORG Sat May 4 14:52:39 2013
Subject: IGMP with no matching rules
From: Jason Hellenthal
Message-Id: <86C973B6-D12D-41AA-A1F9-D93E1C60856F@DataIX.net>
Date: Sat, 4 May 2013 03:36:07 -0400
To: "freebsd-pf@FreeBSD.org"

Hey Everyone,

Has anyone seen IGMP traffic hit their pflog interface even if there are no rules matching that tell it to log?

Anyone that has a pointer to eliminate the logging of the IGMP traffic would be extremely helpful. This has been fairly frustrating up to this point trying to either create a rule to catch it that does not specify logging or eliminate rules that shouldn't be matching but do.

Interfaces involved...
if_lagg
if_bridge
if_dc
if_ath
pflog

Forwarding enabled
No skipped interfaces in pf

FreeBSD STABLE 8.3 as of yesterday.

Please keep me CC'd

Thanks & Top posting is eminent...

--
Jason Hellenthal
JJH48-ARIN
-(2^(N-1))
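
The allow-opts pointer from Florian Smeets' reply above, as an added pf.conf sketch that is not part of the thread or of anyone's actual rule set. It assumes his diagnosis applies; the interface macro `int_if` and its value are placeholders.

```conf
# Added example, constructed for illustration. The interface name is a
# placeholder; substitute the interface the IGMP traffic arrives on.
int_if = "lagg0"

# Background (pf.conf(5)): IPv4 packets that carry IP options are blocked
# by default, even when the last matching rule is a pass rule, unless that
# rule specifies allow-opts. IGMP messages normally carry the Router Alert
# IP option, so a generic "pass" rule is not enough for them. In FreeBSD's
# pf this IP-options drop is logged to pflog even though the matching pass
# rule has no "log" keyword, which would explain log entries that no rule
# appears to ask for.

# Option A: accept IGMP, IP options included. The packet now passes on
# this rule, so the IP-options drop (and its log entry) no longer occurs.
pass quick on $int_if inet proto igmp allow-opts

# Option B (use instead of A): drop IGMP on an explicit block rule that
# has no "log" keyword. The packet is then dropped by the rule itself,
# not by the IP-options check applied to passed packets, so nothing is
# written to pflog.
# block drop quick on $int_if inet proto igmp
```

Running `tcpdump -n -e -ttt -i pflog0` before and after the change shows which rule number and reason pf records for the IGMP packets.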