From owner-freebsd-pf@FreeBSD.ORG Sun Oct 24 22:10:30 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5424316A4CE for ; Sun, 24 Oct 2004 22:10:30 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 271AE43D1F for ; Sun, 24 Oct 2004 22:10:30 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i9OMAUkx070318 for ; Sun, 24 Oct 2004 22:10:30 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i9OMATO7070316; Sun, 24 Oct 2004 22:10:29 GMT (envelope-from gnats)
Date: Sun, 24 Oct 2004 22:10:29 GMT
Message-Id: <200410242210.i9OMATO7070316@freefall.freebsd.org>
To: pf@FreeBSD.org
From: Max Laier
Subject: Re: kern/72444: PF can't properly detect interface after 'ifconfig XXX name YYY'
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Max Laier
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 24 Oct 2004 22:10:30 -0000

The following reply was made to PR kern/72444; it has been noted by GNATS.
From: Max Laier
To: freebsd-gnats-submit@freebsd.org, ed@il.fontys.nl
Cc:
Subject: Re: kern/72444: PF can't properly detect interface after 'ifconfig XXX name YYY'
Date: Mon, 25 Oct 2004 00:00:17 +0200

--Boundary-00=_zXCfBCdi0Ycu4DN
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

I have uploaded an updated diff. This version should do better with module load/unload and allow the use of "6to4" interfaces. Please test and tell me if it introduces other problems.

Diff attached or at: http://people.freebsd.org/~mlaier/pf_if.c.diff

-- 
Max

--Boundary-00=_zXCfBCdi0Ycu4DN
Content-Type: text/x-diff; charset="us-ascii"; name="pf_if.c.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="pf_if.c.diff"

Index: pf_if.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_if.c,v
retrieving revision 1.6
diff -u -r1.6 pf_if.c
--- pf_if.c	14 Sep 2004 15:20:24 -0000	1.6
+++ pf_if.c	24 Oct 2004 21:52:45 -0000
@@ -157,12 +157,11 @@
 #ifdef __FreeBSD__
 	PF_LOCK();
 	IFNET_RLOCK();
-	TAILQ_FOREACH(ifp, &ifnet, if_link)
-		if (ifp->if_dunit != IF_DUNIT_NONE) {
-			IFNET_RUNLOCK();
-			pfi_attach_ifnet(ifp);
-			IFNET_RLOCK();
-		}
+	TAILQ_FOREACH(ifp, &ifnet, if_link) {
+		IFNET_RUNLOCK();
+		pfi_attach_ifnet(ifp);
+		IFNET_RLOCK();
+	}
 	IFNET_RUNLOCK();
 	PF_UNLOCK();
 	pfi_dummy = pfi_if_create("notyet", pfi_self,
@@ -248,8 +247,7 @@
 pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp)
 {
 	PF_LOCK();
-	if (ifp->if_dunit != IF_DUNIT_NONE)
-		pfi_attach_ifnet(ifp);
+	pfi_attach_ifnet(ifp);
 	PF_UNLOCK();
 }
@@ -341,8 +339,8 @@
 	/* add/modify interface */
 	if (p == NULL)
-		p = pfi_if_create(ifp->if_xname, q,
-		    realname?PFI_IFLAG_INSTANCE:PFI_IFLAG_PLACEHOLDER);
+		p = pfi_if_create(ifp->if_xname, q, PFI_IFLAG_INSTANCE |
+		    (realname?0:PFI_IFLAG_PLACEHOLDER));
 	else {
 		/* remove from the dummy group */
 		/* XXX: copy stats? We should not have any!!! */
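Review bot: in the pfi_initialize hunk at @@ -157, IFNET_RUNLOCK()/IFNET_RLOCK() are still released and re-acquired inside TAILQ_FOREACH(ifp, &ifnet, if_link), so the traversal reads ifp->if_link after the lock that protects the ifnet list has been given up; the replaced code did the same but only for interfaces with a unit number, whereas now every interface goes through pfi_attach_ifnet(ifp) in that window. If an interface can detach while the lock is dropped (module unload is exactly what this version is meant to handle better), the next pointer is read from freed memory. Either collect the ifnet pointers under the lock and attach them after IFNET_RUNLOCK(), or add a comment stating why PF_LOCK() held across the loop rules out a concurrent detach.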
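Review bot: the pfi_attach_ifnet_event hunk at @@ -248 removes the if_dunit != IF_DUNIT_NONE gate, which is what lets an interface renamed with 'ifconfig XXX name YYY' attach, but no corresponding change to the detach event handler appears in the diff; if that handler still skips IF_DUNIT_NONE interfaces, an interface attached here is never detached and its pfi entry outlives the ifnet. Please confirm the detach path is symmetric, or include it in the diff.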
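Review bot: in the hunk at @@ -341, `PFI_IFLAG_INSTANCE | (realname?0:PFI_IFLAG_PLACEHOLDER)` makes a placeholder entry also carry PFI_IFLAG_INSTANCE, and the following hunk at @@ -354 then sets PFI_IFLAG_INSTANCE unconditionally, so a pfi entry can now be INSTANCE and PLACEHOLDER at the same time, which the replaced code avoided by choosing one or the other. Any caller that tests PFI_IFLAG_INSTANCE to mean "a real interface is present" must now also check PFI_IFLAG_PLACEHOLDER; a short comment at the pfi_if_create call stating the intended meaning of the combined flags would keep that from being missed.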
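Review bot: in the later pfi_detach_ifnet hunk at @@ -874, the entry kept alive because it still has rules or states is moved back under pfi_dummy and loses PFI_IFLAG_INSTANCE, but PFI_IFLAG_PLACEHOLDER is not set, leaving it with neither flag, whereas a not-yet-present entry created by the attach path carries PFI_IFLAG_PLACEHOLDER until the real interface arrives. Setting `p->pfik_flags |= PFI_IFLAG_PLACEHOLDER;` next to the new line would put the entry in the same state as a fresh placeholder so a later re-attach handles both alike, unless the flag is deliberately left clear for a reason that deserves a comment.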
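Review bot: the later hunk at @@ -912 now calls pfi_newgroup(ifp->if_dname, PFI_IFLAG_DYNAMIC) for every interface, including IF_DUNIT_NONE ones, and several interfaces of the same driver hit pfi_newgroup with the same if_dname in one pass; please confirm pfi_newgroup tolerates an existing name rather than creating a duplicate group. The loop itself stays entirely under IFNET_RLOCK() here, which is the safer pattern the first hunk lacks.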
@@ -354,10 +352,9 @@
 			q->pfik_addcnt++;
 			TAILQ_INSERT_TAIL(&q->pfik_grouphead, p, pfik_instances);
-			if (realname) {
+			if (realname)
 				p->pfik_flags &= ~PFI_IFLAG_PLACEHOLDER;
-				p->pfik_flags |= PFI_IFLAG_INSTANCE;
-			}
+			p->pfik_flags |= PFI_IFLAG_INSTANCE;
 		}
 		if (p == NULL)
 			panic("pfi_attach_ifnet: "
@@ -874,6 +871,7 @@
 	if (p->pfik_rules > 0 || p->pfik_states > 0) {
 		/* move back to the dummy group */
 		p->pfik_parent = pfi_dummy;
+		p->pfik_flags &= ~PFI_IFLAG_INSTANCE;
 		pfi_dummy->pfik_addcnt++;
 		TAILQ_INSERT_TAIL(&pfi_dummy->pfik_grouphead, p,
 		    pfik_instances);
@@ -912,11 +910,8 @@
 	 */
 	IFNET_RLOCK();
-	TAILQ_FOREACH(ifp, &ifnet, if_link) {
-		if (ifp->if_dunit == IF_DUNIT_NONE)
-			continue;
+	TAILQ_FOREACH(ifp, &ifnet, if_link)
 		pfi_newgroup(ifp->if_dname, PFI_IFLAG_DYNAMIC);
-	}
 	IFNET_RUNLOCK();
 #else
 	char *buses[] = PFI_DYNAMIC_BUSES;

--Boundary-00=_zXCfBCdi0Ycu4DN--

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 25 11:04:00 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D2F116A4CE for ; Mon, 25 Oct 2004 11:04:00 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1306E43D31 for ; Mon, 25 Oct 2004 11:04:00 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i9PB3xkS079989 for ; Mon, 25 Oct 2004 11:03:59 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i9PB3xWT079983 for pf@freebsd.org; Mon, 25 Oct 2004 11:03:59 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 25 Oct 2004 11:03:59 GMT
Message-Id: <200410251103.i9PB3xWT079983@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Oct 2004 11:04:00 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2004/10/08] kern/72444  pf     PF can't properly detect interface after

1 problem total.

Non-critical problems

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 25 14:28:22 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F52416A4CE for ; Mon, 25 Oct 2004 14:28:22 +0000 (GMT)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF57543D41 for ; Mon, 25 Oct 2004 14:28:21 +0000 (GMT) (envelope-from brent.bolin@gmail.com)
Received: by rproxy.gmail.com with SMTP id 79so345105rnk for ; Mon, 25 Oct 2004 07:28:21 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=FATFu9qXjLB5v4BckwABPe2IGojmA7CLVcJAKar43kjzpUS0bKv4onX0T8od9prrj+9fY79aabrNYBuLRX4mo3PFlo72p+DTfs00pFTYLaymrultiU/yFCFdeQS6FCVN/sxJJ3AYEcIpE/ErHCEBAqBeoOOL5c3Q1u2bDcIt4gQ=
Received: by 10.38.78.27 with SMTP id a27mr1116209rnb; Mon, 25 Oct 2004 07:28:18 -0700 (PDT)
Received: by 10.38.14.50 with HTTP; Mon, 25 Oct 2004 07:28:10 -0700 (PDT)
Message-ID: <787dcac2041025072846a0f24a@mail.gmail.com>
Date: Mon, 25 Oct 2004 09:28:10 -0500
From: BB
To: FreeBSD-pf mail list
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Why is Altq not in the GENERIC kernel ?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: BB
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Oct 2004 14:28:22 -0000

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 25 15:59:48 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 13E7616A4CE for ; Mon, 25 Oct 2004 15:59:48 +0000 (GMT)
Received: from gunfright.epcdirect.co.uk (gunfright.epcdirect.co.uk [195.10.242.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6196E43D53 for ; Mon, 25 Oct 2004 15:59:47 +0000 (GMT) (envelope-from freebsd-isp@epcdirect.co.uk)
Received: from lfarr (l-farr.int.epcdirect.co.uk [192.168.6.200]) by gunfright.epcdirect.co.uk (Postfix) with ESMTP id 4043068377; Mon, 25 Oct 2004 16:59:46 +0100 (BST)
From: "Lawrence Farr"
To: "'Aled Treharne'" ,
Date: Mon, 25 Oct 2004 16:59:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To:
Thread-Index: AcS48ZWWpeDqtd2fRy6lsxJzefbeqQBo7x4A
Message-Id: <20041025155946.4043068377@gunfright.epcdirect.co.uk>
Subject: RE: NAT with IP != primary external IP
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Oct 2004 15:59:48 -0000

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Aled Treharne
> Sent: 23 October 2004 12:15
> To: freebsd-pf@freebsd.org
> Subject: NAT with IP != primary external IP
>
> Hi guys.
>
> I'm trying to set up a firewall on a box for a friend. The arrangement is
> fairly simple, bunch of machines behind the FBSD box, FBSD box connected to
> ADSL. What I'd like to do (because I wanted to in the first place, and now
> it's annoying me) is to have 2 IPs on the external i/f on the FBSD box, and
> have one as the machine's primary IP and t'other solely as the NAT IP. I've
> tried putting various IPs in the places that make sense to me, but I just
> couldn't get it to work[1].
>
> Is this possible, and if so, would someone be so kind as to tell me how? I'm
> trying to move over to pf from ipfw, and if I can get it working, I've got a
> strong case for using it at work as well.
>
> Thanks in advance for your sage advice. :)
>
> Cheers,
> Aled.
>
> [1] This is just one place where I prefer linux's eth0:alias1 type labelling
> of sub-interfaces over FreeBSD's just-put-multiple-ips-on-one-interface way.

I use the following:

    ext_ipa="1.2.3.4"
    ext_ipb="1.2.3.5"
    net_if="fxp0"
    table { 7.8.9.0/24, 4.5.6.0/24 }
    nat on $net_if from to any -> $ext_ipb

So traffic matching gets sent out via $ext_ipb, all other traffic comes out on $ext_ipa.
Regards,

Lawrence Farr

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 26 05:24:09 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B90A16A4CE for ; Tue, 26 Oct 2004 05:24:09 +0000 (GMT)
Received: from ns.kt-is.co.kr (ns.kt-is.co.kr [211.218.149.125]) by mx1.FreeBSD.org (Postfix) with ESMTP id E376843D2D for ; Tue, 26 Oct 2004 05:24:08 +0000 (GMT) (envelope-from yongari@kt-is.co.kr)
Received: from michelle.kt-is.co.kr (ns2.kt-is.co.kr [220.76.118.193]) (authenticated bits=128) by ns.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i9Q5MjAh062042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 26 Oct 2004 14:22:45 +0900 (KST)
Received: from michelle.kt-is.co.kr (localhost.kt-is.co.kr [127.0.0.1]) by michelle.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i9Q5NuIk005060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 26 Oct 2004 14:23:56 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
Received: (from yongari@localhost) by michelle.kt-is.co.kr (8.12.10/8.12.10/Submit) id i9Q5Nt4t005059; Tue, 26 Oct 2004 14:23:55 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
Date: Tue, 26 Oct 2004 14:23:55 +0900
From: Pyun YongHyeon
To: Aled Treharne
Message-ID: <20041026052355.GA4914@kt-is.co.kr>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4.1i
X-Filter-Version: 1.11a (ns.kt-is.co.kr)
cc: freebsd-pf@freebsd.org
Subject: Re: NAT with IP != primary external IP
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: yongari@kt-is.co.kr
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 26 Oct 2004 05:24:09 -0000

On Sat, Oct 23, 2004 at 12:15:21PM +0100, Aled Treharne wrote:
> Hi guys.
>
> I'm trying to set up a firewall on a box for a friend. The arrangement is
> fairly simple, bunch of machines behind the FBSD box, FBSD box connected to
> ADSL. What I'd like to do (because I wanted to in the first place, and now
> it's annoying me) is to have 2 IPs on the external i/f on the FBSD box, and
> have one as the machine's primary IP and t'other solely as the NAT IP. I've
> tried putting various IPs in the places that make sense to me, but I just
> couldn't get it to work[1].
>

AFAIK, pf maintains a table for $interface and ($interface) is stored in a . If interface $interface has aliases, round-robin through them would be performed automatically by pf. If you want to disable the automatic round-robin in NAT you should tell pf not to do so. For instance:

    nat on $interface inet from $internal_ips to any -> ($interface:0)

or

    nat on $interface inet from $internal_ips to any -> $interface:0

or specify an explicit IP address to use:

    nat on $interface inet from $internal_ips to any -> $primary_ip

> Is this possible, and if so, would someone be so kind as to tell me how? I'm
> trying to move over to pf from ipfw, and if I can get it working, I've got a
> strong case for using it at work as well.
>
> Thanks in advance for your sage advice.
> :)
>
> Cheers,
> Aled.
>
> [1] This is just one place where I prefer linux's eth0:alias1 type labelling
> of sub-interfaces over FreeBSD's just-put-multiple-ips-on-one-interface way.
>

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari	|	yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 26 05:33:50 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAA1216A4CE for ; Tue, 26 Oct 2004 05:33:50 +0000 (GMT)
Received: from ns.kt-is.co.kr (ns.kt-is.co.kr [211.218.149.125]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7268943D46 for ; Tue, 26 Oct 2004 05:33:50 +0000 (GMT) (envelope-from yongari@kt-is.co.kr)
Received: from michelle.kt-is.co.kr (ns2.kt-is.co.kr [220.76.118.193]) (authenticated bits=128) by ns.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i9Q5WNAh062635 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 26 Oct 2004 14:32:23 +0900 (KST)
Received: from michelle.kt-is.co.kr (localhost.kt-is.co.kr [127.0.0.1]) by michelle.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id i9Q5XZIk005094 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 26 Oct 2004 14:33:35 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
Received: (from yongari@localhost) by michelle.kt-is.co.kr (8.12.10/8.12.10/Submit) id i9Q5XYvP005093; Tue, 26 Oct 2004 14:33:34 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
Date: Tue, 26 Oct 2004 14:33:34 +0900
From: Pyun YongHyeon
To: Daniel Graupner
Message-ID: <20041026053334.GB4914@kt-is.co.kr>
References: <417A988C.6030607@danielgraupner.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <417A988C.6030607@danielgraupner.de>
User-Agent: Mutt/1.4.1i
X-Filter-Version: 1.11a (ns.kt-is.co.kr)
cc: freebsd-pf@freebsd.org
Subject: Re: pf and multicast
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: yongari@kt-is.co.kr
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 26 Oct 2004 05:33:51 -0000

On Sat, Oct 23, 2004 at 07:44:44PM +0200, Daniel Graupner wrote:
> Hello,
>
> I'm currently using fbsd 5.2.1 and the security/pf port. With this port
> I sadly cannot match multicast traffic. My pf is running on a multicast
> source and I want to create a rule that allows udp packets to a specific
> multicast address and port.
>
> Is it possible?
>

You may need the "allow-opts" directive on a pass rule in order to allow packets with IP options set. pf normally blocks all packets with IP options set. Check with "pfctl -xm" whether pf drops the multicast packets.

> Regards,
> Daniel.
-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari	|	yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 27 13:57:23 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BE2316A4CE for ; Wed, 27 Oct 2004 13:57:23 +0000 (GMT)
Received: from gunfright.epcdirect.co.uk (gunfright.epcdirect.co.uk [195.10.242.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id 787D643D46 for ; Wed, 27 Oct 2004 13:57:22 +0000 (GMT) (envelope-from freebsd-isp@epcdirect.co.uk)
Received: from lfarr (l-farr.int.epcdirect.co.uk [192.168.6.200]) by gunfright.epcdirect.co.uk (Postfix) with ESMTP id C553C68004 for ; Wed, 27 Oct 2004 14:57:21 +0100 (BST)
From: "Lawrence Farr"
To:
Date: Wed, 27 Oct 2004 14:57:19 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <20041026052355.GA4914@kt-is.co.kr>
Thread-Index: AcS7HArtAWG/5hoKSmO6p937BxRG1wBDt8/Q
Message-Id: <20041027135721.C553C68004@gunfright.epcdirect.co.uk>
Subject: rdr to another machine and back
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 Oct 2004 13:57:23 -0000

Hi,

I'm trying to work out how to get a gateway machine to send all http requests to a separate machine and get them back. The network looks like this:

    internet
       |
       |
    router-----------http_proxy
       |                 |
       |                 |
       ----internal-------

So the router has 3 interfaces, one to the outside world, one externally available network and one internal. The proxy has 2 interfaces, one to internal and one externally available.

I can redirect port 80 to a proxy on the router without any issue, but want to send them to the separate proxy machine. Has anyone done this, or does anyone know of a howto?

Many thanks

Lawrence Farr
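As an added example, not taken from any of the replies above, the following pf.conf puts the three threads on one three-legged gateway: the non-primary external address used as the NAT source that Lawrence Farr and Pyun YongHyeon describe (with the ($ext_if:0) form as the alternative), the redirection of LAN HTTP to a proxy on a separate network that the last message asks about, and a pass rule with allow-opts for the multicast case Pyun answers. The point the rdr question turns on is the "and back": because the proxy in that diagram also has a leg on the internal network, it would answer a redirected client directly over that leg, the reply would never cross the router, and pf could never undo the rdr; the usual pf remedy, used here, is to also translate the source on the DMZ side so the proxy replies to the router. Every interface name, address, the table name <natted>, the proxy's two addresses, its port and the multicast group are assumptions chosen for the illustration, and the syntax is that of pf as shipped with FreeBSD 5.3 (no set skip, so lo0 is passed explicitly).

```pf
# Example pf.conf for a three-legged gateway (not from the list replies;
# every interface name, address, table name and port below is made up).
# Syntax is that of pf as shipped with FreeBSD 5.3 (no "set skip" yet).

ext_if = "fxp0"                 # to the ADSL router
int_if = "fxp1"                 # internal LAN
dmz_if = "fxp2"                 # "externally available" network

ext_ipa = "1.2.3.4"             # primary address of the gateway itself
ext_ipb = "1.2.3.5"             # alias on $ext_if, used only as the NAT address
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
proxy      = "192.168.2.10"     # the proxy's DMZ leg (rdr target)
proxy_int  = "192.168.1.10"     # the proxy's internal leg
proxy_port = "3128"

mcast_group = "239.1.2.3"       # multicast group this gateway may send to
mcast_port  = "5004"

# Hosts whose traffic must leave from the alias rather than from $ext_ipa.
table <natted> { 192.168.1.0/24, 10.0.0.0/24 }

scrub in all

# ---- Translation (applied before the filter rules see the packet) ----

# Two addresses on one interface: internal hosts go out as $ext_ipb; the
# gateway's own traffic matches no nat rule and keeps $ext_ipa.
nat on $ext_if inet from <natted> to any -> $ext_ipb
# The DMZ (the proxy's outbound fetches included) goes out as $ext_ipa.
nat on $ext_if inet from $dmz_net to any -> $ext_ipa
# A bare ($ext_if) round-robins over every address on the interface;
# ($ext_if:0) or $ext_if:0 pins the first address without naming it:
# nat on $ext_if inet from <natted> to any -> ($ext_if:0)

# Transparent proxying: LAN HTTP is sent to the proxy's DMZ address.
# The proxy's own requests must not be redirected back at it.
no rdr on $int_if inet proto tcp from $proxy_int to any port 80
rdr on $int_if inet proto tcp from $int_net to any port 80 -> $proxy port $proxy_port

# The proxy also has a leg on the LAN, so it would answer the client over
# that leg and the reply would never cross this router; rewriting the
# source on the DMZ side makes the proxy talk back to the router instead
# (the proxy then logs the router's DMZ address, not the real LAN host).
nat on $dmz_if inet proto tcp from $int_net to $proxy port $proxy_port -> ($dmz_if)

# ---- Filtering (addresses here are the translated ones) ----

block log all
pass quick on lo0 all

# Redirected HTTP: destination is already $proxy:$proxy_port when filtered,
# and on the DMZ side the source is already the router's DMZ address.
pass in  on $int_if inet proto tcp from $int_net to $proxy port $proxy_port keep state
pass out on $dmz_if inet proto tcp from ($dmz_if) to $proxy port $proxy_port keep state

# The proxy fetching from the internet; on $ext_if the source is $ext_ipa.
pass in  on $dmz_if inet proto tcp from $proxy to any port 80 keep state
pass out on $ext_if inet proto tcp from $ext_ipa to any port 80 keep state

# Everything else from the LAN; on $ext_if the source is $ext_ipb.
pass in  on $int_if inet from <natted> to any keep state
pass out on $ext_if inet from $ext_ipb to any keep state

# Multicast sent by this gateway: pf drops packets that carry IP options
# unless the matching pass rule says allow-opts. IGMP membership reports
# carry the router-alert option, so they need it as well as the stream.
pass out on $int_if inet proto igmp from ($int_if) to any allow-opts
pass out on $int_if inet proto udp from ($int_if) to $mcast_group port $mcast_port keep state allow-opts
```

Check it with pfctl -nf /etc/pf.conf (parse only) before pfctl -f loads it; pfctl -sn shows the nat, no rdr and rdr rules as pf expanded them, and pfctl -ss shows the states, where a LAN host's connection should appear rewritten to 1.2.3.5 and the proxy's to 1.2.3.4. pfctl -xm raises the debug level so that packets pf drops for carrying IP options are reported on the console, which is the check Pyun suggests for the multicast case. The proxy itself still has to accept intercepted connections (its transparent or accelerator mode), which is outside pf.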