From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:18:46 2014
From: "Spenst, Aleksej"
To: freebsd-pf@freebsd.org
Subject: How to block IP range
Date: Mon, 27 Oct 2014 16:11:33 +0000
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi All,

Is there any syntax to block a certain IP range?
For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
I can't use the netmask like "block on eth0 from 10.0.0/24" since this will block 256 addresses.
I also don't want to write all IPs separated by commas like "block on eth0 from {10.0.0.1,10.0.0.2,.....}" since this will generate 100 separate rules (and this is also a very long rule).
Are there any other ways?

Thank you!
Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:24:41 2014
From: Gary Palmer
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 16:24:33 +0000
Message-ID: <20141027162433.GB6851@in-addr.com>
On Mon, Oct 27, 2014 at 04:11:33PM +0000, Spenst, Aleksej wrote:
> Hi All,
>
> Is there any syntax to block a certain IP range?
> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
> I can't use the netmask like "block on eth0 from 10.0.0/24" since this will block 256 addresses.
> I also don't want to write all IPs separated by commas like "block on eth0 from {10.0.0.1,10.0.0.2,.....}" since this will generate 100 separate rules (and this is also a very long rule).
> Are there any other ways?

tables?

you can do things like

table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
block in quick log on $ext_if_ipv4 from <blocked_hosts> to any

Regards,

Gary
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:30:59 2014
From: Cristiano Deana
To: Gary Palmer
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 17:30:57 +0100

On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer wrote:

Hi

>> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100

> tables?
>
> you can do things like
>
> table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
> block in quick log on $ext_if_ipv4 from <blocked_hosts> to any

I'm adding the fast way to build the file:

sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >> /etc/pf/blocked_hosts.table; done'

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:37:55 2014
From: Gary Palmer
To: Cristiano Deana
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 16:37:43 +0000
Message-ID: <20141027163743.GC6851@in-addr.com>

On Mon, Oct 27, 2014 at 05:30:57PM +0100, Cristiano Deana wrote:
> On Mon, Oct 27, 2014 at 5:24 PM, Gary Palmer wrote:
>
> > Hi
> >
> > >> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
> >
> > > tables?
> > >
> > > you can do things like
> > >
> > > table <blocked_hosts> persist file "/etc/pf/blocked_hosts.table"
> > > block in quick log on $ext_if_ipv4 from <blocked_hosts> to any
>
> I'm adding the fast way to build the file:
>
> sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >> /etc/pf/blocked_hosts.table; done'

You can also make it a bit more efficient and use a few CIDR networks.  To
cover 10.0.0.1-10.0.0.100 you would need:

10.0.0.1/32
10.0.0.2/31
10.0.0.4/30
10.0.0.8/29
10.0.0.16/28
10.0.0.32/27
10.0.0.64/27
10.0.0.96/30
10.0.0.100/32

I used an ancient perl tool called 'aggis' to get the above.  There are
probably more modern tools around.

Regards,

Gary
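[Editor's note] The nine prefixes above are what the standard greedy range-to-CIDR aggregation produces, and the same routine can emit the one-host-per-line file that the jot loop builds, on systems that lack jot. The Python below is an added example, not code from the thread, from aggis or from pf; the function names (parse_range, range_to_cidrs, table_lines, covered_hosts, agrees_with_stdlib) are my own, and it cross-checks its result against Python's ipaddress module.

```python
"""Aggregate an inclusive IPv4 range into the smallest list of CIDR blocks,
in the form pf accepts in a table file.  Added example; the sample range
10.0.0.1-10.0.0.100 is the one from the original question."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

IPV4_BITS = 32


def parse_range(spec):
    """Parse 'a.b.c.d-w.x.y.z' (spaces allowed, or a lone address) into
    two IPv4Address values; reject a range whose end precedes its start."""
    lo, _, hi = spec.replace(" ", "").partition("-")
    first, last = IPv4Address(lo), IPv4Address(hi or lo)
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return first, last


def range_to_cidrs(first, last):
    """Greedy aggregation: at each step emit the largest block that is both
    aligned at the current address and does not run past `last`."""
    cur, end = int(first), int(last)
    blocks = []
    while cur <= end:
        plen = IPV4_BITS
        # Widen the prefix one bit at a time while the block stays aligned
        # at `cur` and its last address is still within the range.
        while plen > 0:
            size = 1 << (IPV4_BITS - plen + 1)
            if cur % size != 0 or cur + size - 1 > end:
                break
            plen -= 1
        blocks.append(IPv4Network((cur, plen)))
        cur += 1 << (IPV4_BITS - plen)
    return blocks


def covered_hosts(blocks):
    """Number of addresses covered by a list of IPv4Network blocks."""
    return sum(net.num_addresses for net in blocks)


def agrees_with_stdlib(spec):
    """True when the greedy routine matches ipaddress.summarize_address_range."""
    first, last = parse_range(spec)
    return range_to_cidrs(first, last) == list(summarize_address_range(first, last))


def table_lines(spec, aggregate=True):
    """Lines for a pf table file ('table <name> persist file ...'): CIDR
    blocks, or one host per line (the portable equivalent of the jot loop)."""
    first, last = parse_range(spec)
    if aggregate:
        return [str(net) for net in range_to_cidrs(first, last)]
    return [str(IPv4Address(i)) for i in range(int(first), int(last) + 1)]


if __name__ == "__main__":
    spec = "10.0.0.1-10.0.0.100"
    blocks = range_to_cidrs(*parse_range(spec))
    print("\n".join(str(net) for net in blocks))
    print("hosts covered:", covered_hosts(blocks))
    print("matches ipaddress module:", agrees_with_stdlib(spec))
```

Redirect the output of table_lines into the table file and reload it with pfctl -t <name> -T replace -f <file>, as the thread's table rule expects.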
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:45:44 2014
From: "Spenst, Aleksej"
To: Cristiano Deana, Gary Palmer
Cc: freebsd-pf@freebsd.org
Subject: AW: How to block IP range
Date: Mon, 27 Oct 2014 16:37:19 +0000

Hi Cris, Gary,

Thank you!

Will this generate 100 separate rules or just one rule?
If only one rule, how does the number of IP addresses in the range influence the performance of pf?

> sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >> /etc/pf/blocked_hosts.table; done'

is it a typo? I got the error: "sh: jot: cannot execute - No such file or directory"

Thanks,
Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:53:29 2014
From: Gary Palmer
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 16:53:19 +0000
Message-ID: <20141027165319.GD6851@in-addr.com>
On Mon, Oct 27, 2014 at 04:37:19PM +0000, Spenst, Aleksej wrote:
> Hi Cris, Gary,
>
> Thank you!
>
> Will this generate 100 separate rules or just one rule?

Hi,

One rule.

> If only one rule, how does the number of IP addresses in the range influence the performance of pf?

Probably, although I haven't tested that.  See my later e-mail for a set of
CIDR ranges that may work better.

> > sh -c 'for ip in `jot 100 1 100`; do echo 10.0.0.$ip >> /etc/pf/blocked_hosts.table; done'
>
> is it a typo? I got the error: "sh: jot: cannot execute - No such file or directory"

Works for me.  Do you have /usr/bin/jot?  It exists on FreeBSD boxes but
may not on Linux.

Regards,

Gary

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 16:53:31 2014
From: Adam McDougall
To: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 12:53:23 -0400
Message-ID: <544E7883.1000705@egr.msu.edu>

On 10/27/2014 12:11, Spenst, Aleksej wrote:
> Hi All,
>
> Is there any syntax to block a certain IP range?
> For example, I need to block only 100 IPs in the range: 10.0.0.1-10.0.0.100
> I can't use the netmask like "block on eth0 from 10.0.0/24" since this will block 256 addresses.
> I also don't want to write all IPs separated by commas like "block on eth0 from {10.0.0.1,10.0.0.2,.....}" since this will generate 100 separate rules (and this is also a very long rule).
> Are there any other ways?
>
> Thank you!
> Aleksej.

From the manpage in 10:

Ranges of addresses are specified by using the ‘-’ operator. For
instance: “10.1.1.10 - 10.1.1.12” means all addresses from 10.1.1.10 to
10.1.1.12, hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 27 19:00:42 2014
From: "Chris H"
To: Cristiano Deana, Gary Palmer
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Mon, 27 Oct 2014 12:01:57 -0700
On Mon, 27 Oct 2014 16:37:43 +0000 Gary Palmer wrote
> You can also make it a bit more efficient and use a few CIDR networks.  To
> cover 10.0.0.1-10.0.0.100 you would need:
>
> 10.0.0.1/32
> 10.0.0.2/31
> 10.0.0.4/30
> 10.0.0.8/29
> 10.0.0.16/28
> 10.0.0.32/27
> 10.0.0.64/27
> 10.0.0.96/30
> 10.0.0.100/32
>
> I used an ancient perl tool called 'aggis' to get the above.  There are
> probably more modern tools around.

A search against ports, or at FreshPorts for cidr will give you quite a few
useful utils for calculating /xx (CIDR) ranges. ports/net-mgmt/cidr is just
one example.

HTH

--Chris

> Regards,
>
> Gary
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 28 08:37:54 2014
From: "Spenst, Aleksej"
To: Adam McDougall, freebsd-pf@freebsd.org
Subject: AW: How to block IP range
Date: Tue, 28 Oct 2014 08:30:49 +0000
In-Reply-To: <544E7883.1000705@egr.msu.edu>

Hi Adam,

> From the manpage in 10:
> Ranges of addresses are specified by using the '-' operator. For
> instance: "10.1.1.10 - 10.1.1.12" means all addresses from 10.1.1.10 to 10.1.1.12, hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.

It's interesting that when I write this rule in pf.conf:

block in quick on eth0 from "10.0.0.1 - 10.0.0.100" to 10.0.0.0

and load the rules then pfctl does not complain about any syntax errors.
However, if I look what rules are loaded with "pfctl -s rules" then I see only:

block drop in quick on eth0 inet from 10.0.0.1 to 10.0.0.0

So, it seems that my pfctl takes only the first address from the range and generates only 1 rule for this IP. Hmm...

Thanks,
Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 28 08:56:55 2014
From: Cristiano Deana
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
Subject: Re: How to block IP range
Date: Tue, 28 Oct 2014 09:56:53 +0100

On Tue, Oct 28, 2014 at 9:30 AM, Spenst, Aleksej wrote:

Hi

> block in quick on eth0 from "10.0.0.1 - 10.0.0.100" to 10.0.0.0
>
> and load the rules then pfctl does not complain about any syntax errors.
> However, if I look what rules are loaded with "pfctl -s rules" then I see only:
>
> block drop in quick on eth0 inet from 10.0.0.1 to 10.0.0.0

that should be "{ 10.0.0.1 - 10.0.0.100 }"

# grep test /etc/pf.conf
test="{ 10.0.0.1 - 10.0.0.100 }"
block in quick on $ext_if from $test

# pfctl -nvf /etc/pf.conf | grep 10.0
test = "{ 10.0.0.1 - 10.0.0.100 }"
block drop in quick on em1 inet from 10.0.0.1 - 10.0.0.100 to any

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 29 11:19:42 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspicously
Date: Wed, 29 Oct 2014 11:19:42 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.0-RELEASE
X-Bugzilla-Who: oguz@labristeknoloji.com
X-Bugzilla-Status: In Discussion
X-Bugzilla-Changed-Fields: version
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

oguz@labristeknoloji.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Version|unspecified                 |10.0-RELEASE

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 29 11:25:25 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspicously
Date: Wed, 29 Oct 2014 11:25:25 +0000
X-Bugzilla-Product: Base System
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

--- Comment #2 from oguz@labristeknoloji.com ---
This bug continues on 10 release. Sample rule creating such entries:

@60 pass in log (all) quick on ix0 proto tcp from any to port = https flags S/SA keep state (source-track rule, max-src-conn 800, max-src-conn-rate 4000/3, overload flush global, src.track 3)
  [ Evaluations: 31341832  Packets: 2368992857  Bytes: 1561551774393  States: 4294956463 ]
  [ Inserted: uid 0 pid 9899  State Creations: 29985791 ]
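Returning to the "How to block IP range" thread above: an alternative to a 100-entry address list, and one that can be changed at run time with "pfctl -t <name> -T add/delete" instead of a ruleset reload, is a pf table, and a table holding a contiguous range is shortest when the range is aggregated into CIDR blocks. The program below is an added example written for this thread, not code from the thread, from pf or from pfctl. It splits an inclusive IPv4 range into the minimal CIDR list (10.0.0.1 - 10.0.0.100 becomes nine blocks), cross-checks that the blocks cover exactly 100 addresses and that the first address outside the range, 10.0.0.101, is not matched, and prints one entry per line in the form a table file takes. The table name "blocked" and the path /etc/pf.blocked are placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One CIDR block: network address in host byte order plus prefix length. */
struct cidr {
    uint32_t net;
    int prefix;
};

/* Parse dotted-quad IPv4 text into a host-order value. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;                       /* wrong shape or trailing characters */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Addresses covered by a prefix, 64-bit so that /0 does not overflow. */
static uint64_t block_size(int prefix)
{
    return (uint64_t)1 << (32 - prefix);
}

/*
 * Split the inclusive range [lo, hi] into the minimal list of CIDR blocks.
 * Returns the number of blocks, or -1 if lo > hi or out[] is too small.
 */
int range_to_cidrs(uint32_t lo, uint32_t hi, struct cidr *out, int max)
{
    uint64_t cur = lo, end = hi;       /* 64-bit so cur may step past 0xFFFFFFFF */
    int n = 0;

    if (lo > hi)
        return -1;
    while (cur <= end) {
        int prefix = 32;
        /* Widen the block while it stays aligned to its size and inside the range. */
        while (prefix > 0) {
            uint64_t size = block_size(prefix - 1);
            if ((cur & (size - 1)) != 0 || cur + size - 1 > end)
                break;
            prefix--;
        }
        if (n >= max)
            return -1;
        out[n].net = (uint32_t)cur;
        out[n].prefix = prefix;
        n++;
        cur += block_size(prefix);
    }
    return n;
}

/* Total number of addresses covered by n blocks; a cross-check on coverage. */
uint64_t cidrs_address_count(const struct cidr *blocks, int n)
{
    uint64_t total = 0;
    for (int i = 0; i < n; i++)
        total += block_size(blocks[i].prefix);
    return total;
}

/* 1 if addr falls inside any of the n blocks, else 0. */
int cidrs_contain(const struct cidr *blocks, int n, uint32_t addr)
{
    for (int i = 0; i < n; i++) {
        uint32_t mask = blocks[i].prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - blocks[i].prefix);
        if ((addr & mask) == blocks[i].net)
            return 1;
    }
    return 0;
}

/* Render a block as pf table-file text, e.g. "10.0.0.96/30". */
void cidr_to_str(const struct cidr *c, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u/%d", c->net >> 24, (c->net >> 16) & 255,
             (c->net >> 8) & 255, c->net & 255, c->prefix);
}

int main(void)
{
    struct cidr blocks[64];
    uint32_t lo, hi;
    char line[32];

    /* Constructed input: the range asked about in the thread. */
    if (!parse_ipv4("10.0.0.1", &lo) || !parse_ipv4("10.0.0.100", &hi))
        return 1;
    int n = range_to_cidrs(lo, hi, blocks, 64);
    if (n < 0)
        return 1;
    /* One entry per line, as a pf table file expects (path is a placeholder). */
    printf("# %d entries covering %llu addresses, for table file /etc/pf.blocked\n",
           n, (unsigned long long)cidrs_address_count(blocks, n));
    for (int i = 0; i < n; i++) {
        cidr_to_str(&blocks[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

With the output saved as /etc/pf.blocked, the ruleset side is a table declaration plus one rule, for example `table <blocked> persist file "/etc/pf.blocked"` and `block in quick on $ext_if from <blocked>`; pfctl then matches the table in one lookup regardless of how many entries it holds, and "pfctl -t blocked -T show" lets you confirm what was loaded.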
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 29 12:04:40 2014
From: Oguz Yilmaz
To: freebsd-pf@freebsd.org
Subject: Re: SynProxy had a trouble when located front of a router device
Date: Wed, 29 Oct 2014 14:04:17 +0200
Hello,

Does pf synproxy support synproxying when the internal side is an 802.1q VLAN?

Best Regards,

--
Oguz YILMAZ

On Fri, Oct 24, 2014 at 1:52 PM, Tugrul Erdogan wrote:
> I have an important finding. I think it is about the VLAN between FreeBSD-Router
> in the diagram.
>
> While the Attacker-FreeBSD connection is a normal IP connection, the FreeBSD-Router
> connection was tagged VLAN 159.
> While the FreeBSD-Router connection is VLAN based, the synproxy rule's State
> Creations value increases and synproxy sends ACKs to the Attacker.
> However the synproxy replay with the original server is not working (the routing
> rule counter on the OS routing table which redirects packets to the FreeBSD-Router
> side is increasing but the packet can not be created).
> When I change the FreeBSD-Router connection to a normal IP connection without
> VLAN, it starts working.
>
> What can be the problem and solution?
>
> On Thu, Oct 23, 2014 at 9:36 PM, Tugrul Erdogan wrote:
>
>> Update:
>>
>> The topology has been redrawn below:
>>
>> | Attacker | <-> | FreeBSD | <-> | Router | <-> | Victim |
>>
>> Thanks,
>>
>> PS: Although connections are lost by pf synproxy, the pings (from attacker to
>> victim) can successfully return.
>>
>> On Thu, Oct 23, 2014 at 9:25 PM, Tugrul Erdogan <h.tugrul.erdogan@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have a trouble at the pf synproxy state handshaking mechanism. I have been
>>> using pf for years, but for the first time I have a router at the backplane of the
>>> topology.
>>> The schema of my topology is given below:
>>>
>>>   Attacker <----------> FreeBSD(Test) <-----------> Router <----> Victim
>>>
>>> I am trying to connect from the attacker to the victim from port 80. Without
>>> the synproxy rule I am successfully connecting. Whenever I activate synproxy
>>> state, the client (attacker) side handshaking completes (at the outer
>>> interface of the FreeBSD device):
>>>
>>> 21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
>>> 21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
>>> 21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
>>> 21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
>>> 21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
>>>
>>> after that "pfctl -vvss" shows:
>>>
>>> ix1 tcp AA.BB..183.93:51513 -> AA.BB..189.100:80       PROXY:DST
>>>
>>> and there is no packet at the inner interface of the FreeBSD device in the
>>> tcpdump output. After some seconds FreeBSD generates RST packets to both
>>> sides. (There are no handshake SYN or ACK packets generated by pf synproxy
>>> at the inner interface.)
>>>
>>> I think that the problem is about the router because I had had successful
>>> connections before the router device. When I turn off the synproxy or add
>>> "keep state" instead of "synproxy state" I can successfully connect.
>>>
>>> I want to take your opinions about why the handshake packets could not
>>> be generated by pf synproxy.
>>>
>>> Regards,
>>> Tugrul
>>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 30 09:23:52 2014
Message-ID: <54520016.8000100@lissyara.su>
Date: Thu, 30 Oct 2014 11:08:38 +0200
From: "skeletor@lissyara.su"
To: freebsd-pf@freebsd.org
Subject: shaping traffic + src limit
Hello.

Recently, I have found an interesting question: shaping traffic with altq and a max for connections. So, we have such rules:

nat on $wan1 proto tcp from to any -> ($wan1)
...
queue comp1 bandwidth 40Mb priority 4
queue comp2 bandwidth 40Mb priority 4
...
pass out quick on $vlan20 from any to 10.100.7.60 queue comp1 no state
pass out quick on $vlan20 from any to 10.100.7.61 queue comp2 no state
...
pass in quick on $vlan20 route-to ($wan1 $gw1) from to !10.0.0.0/8 no state

but we cannot apply '... keep-state (max 200)' to these rules, because we already have 'no state'. Is it possible to solve?

Thanks.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 31 01:07:23 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspicously
Date: Fri, 31 Oct 2014 01:07:23 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

jason.unovitch@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason.unovitch@gmail.com

--- Comment #3 from jason.unovitch@gmail.com ---
May be fixed in STABLE for 10.1. Take a look at
https://svnweb.freebsd.org/base?view=revision&revision=263029
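The States value in Comment #2 above, 4294956463, is 2^32 - 10833, and the 4294967295 in the bug title is 2^32 - 1: exactly the values an unsigned 32-bit counter shows after being decremented past zero 10833 times, or once. The program below is an added example written for this thread; it is not pf's code and does not describe the root cause addressed by r263029. It models a per-source tracking entry with a uint32_t state counter (the "states N" field of "pfctl -s Sources"), reproduces both numbers from unbalanced detaches, shows a checked decrement that refuses to wrap and reports the inconsistency instead, and adds the plausibility check an operator can apply to such output: one source can never legitimately hold more states than the table's hard limit, which "pfctl -s memory" reports. The struct, function names and the limit value 10000 are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a per-source tracking entry, i.e. what
 * "pfctl -s Sources" prints as "states N, connections M".  Not pf's
 * real structure; the fields are uint32_t to reproduce the 32-bit wrap.
 */
struct src_node {
    uint32_t states;   /* states currently attributed to this source */
    uint32_t conn;     /* established connections (unused in this model) */
};

/* A new state is linked to the source entry. */
void src_state_attach(struct src_node *n)
{
    n->states++;
}

/* Unchecked unlink: uint32_t arithmetic is modular, so 0 - 1 == 4294967295. */
void src_state_detach_unchecked(struct src_node *n)
{
    n->states--;
}

/*
 * Checked unlink: a detach with no matching attach means the bookkeeping is
 * already inconsistent.  Leave the counter at 0 and return -1 so the caller
 * can log it or discard the entry, rather than silently wrapping.
 */
int src_state_detach_checked(struct src_node *n)
{
    if (n->states == 0)
        return -1;
    n->states--;
    return 0;
}

/* Replay 'attaches' attaches then 'detaches' unchecked detaches; final count. */
uint32_t replay_unchecked(uint32_t attaches, uint32_t detaches)
{
    struct src_node n = { 0, 0 };
    for (uint32_t i = 0; i < attaches; i++)
        src_state_attach(&n);
    for (uint32_t i = 0; i < detaches; i++)
        src_state_detach_unchecked(&n);
    return n.states;
}

/* Same replay with the checked detach; returns how many detaches were refused. */
uint32_t replay_checked(uint32_t attaches, uint32_t detaches, uint32_t *final_states)
{
    struct src_node n = { 0, 0 };
    uint32_t refused = 0;
    for (uint32_t i = 0; i < attaches; i++)
        src_state_attach(&n);
    for (uint32_t i = 0; i < detaches; i++)
        if (src_state_detach_checked(&n) < 0)
            refused++;
    *final_states = n.states;
    return refused;
}

/*
 * Operator-side plausibility check for a "states N" field: a single source
 * cannot hold more states than the whole table allows, so a value above the
 * hard limit is a wrapped counter, not real load.
 */
int states_plausible(uint32_t states, uint32_t state_limit)
{
    return states <= state_limit;
}

int main(void)
{
    uint32_t left;

    printf("1 unbalanced detach     -> states %u\n", replay_unchecked(0, 1));
    printf("10833 unbalanced detaches -> states %u\n", replay_unchecked(0, 10833));
    printf("checked: %u detaches refused, states %u\n",
           replay_checked(3, 5, &left), left);
    /* 10000 is a constructed stand-in for the limit "pfctl -s memory" prints. */
    printf("states 4294967295 plausible against limit 10000? %s\n",
           states_plausible(4294967295u, 10000) ? "yes" : "no");
    return 0;
}
```

The same comparison works as a one-line triage rule on "pfctl -s Sources" output: any entry whose states field exceeds the configured state limit is a counter that has wrapped, and the entry's connections and rate fields (0 and 0.0/3s in Comment #4 below, when applied with the rest of the thread) are the more trustworthy indication of what that source is actually doing.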
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 31 13:10:02 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspicously
Date: Fri, 31 Oct 2014 13:10:02 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

--- Comment #4 from oguz@labristeknoloji.com ---
We have tried with 10.1 rc3. The problem exists also in this version.

172.16.2.2 -> 0.0.0.0 ( states 4294967295, connections 0, rate 0.0/3s )

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 31 13:10:34 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspicously
Date: Fri, 31 Oct 2014 13:10:34 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

oguz@labristeknoloji.com changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
            Version|10.0-RELEASE|10.1-RC2

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 31 14:35:09 2014
Date: Fri, 31 Oct 2014 07:35:06 -0700
From: Nick Rogers
To: freebsd-pf@freebsd.org
Subject: 9.x vs 10.x PF performance using ALTQ

Hello,

I have a question about the performance changes to PF introduced in 10.0. I understand that PF is now able to take advantage of multiple CPUs / SMP better because of finer grain locking. Does this also apply to using ALTQ w/ HFSC? Can I expect packet forwarding performance to increase when upgrading from 9.x to 10.x when using ALTQ? My understanding is that ALTQ is still locked to a single core, or is this no longer true?

Also, I compile my igb driver with the LEGACY_IGB_TX to be able to use igb(4) interfaces with ALTQ. Can I still expect to see a performance increase with the PF changes in 10.x?

Thanks,

-Nick