From owner-freebsd-pf@FreeBSD.ORG Sun Nov 28 21:49:39 2004
From: mzk
To: freebsd-pf@freebsd.org
Date: Sun, 28 Nov 2004 23:51:45 +0200
Message-ID: <20041128235145.942843@mzk>
Subject: PF strange problem.

First, sorry for my English and for my other mistakes, but this is my first post to a mailing list ever. :-)

Today I understood that my pf doesn't work properly. For each host of my network I have 4 rules, 2 out (from int_if) and 2 in, like:

    pass out quick on $int_if from <peering> to $host queue peering_host_in
    pass out quick on $int_if from any to $host queue host_in
    pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
    pass in quick on $int_if proto { tcp, udp } from $host to any port $ports

The problem is that the first (`peering`) rule works like the second one: it passes everything from anyone using the peering_host_in queue. If I comment it out, the second rule works, but that's not the idea. So my international connection (the second rules) is overloaded and I cannot make good QoS.

I am using GENERIC with these options, added by me:

    # custom options;

    # pf support;
    device          pf
    device          pflog
    device          pfsync

    # ALTQ options;
    options         ALTQ            #alternate queueing
    options         ALTQ_CBQ        #class based queueing
    ##options       ALTQ_WFQ        #weighted fair queueing
    ##options       ALTQ_FIFOQ      #fifo queueing
    options         ALTQ_RED        #random early detection
    ##options       ALTQ_FLOWVALVE  #flowvalve for RED (needs RED)
    options         ALTQ_RIO        #triple red for diffserv (needs RED)
    ##options       ALTQ_LOCALQ     #local use
    options         ALTQ_HFSC       #hierarchical fair service curve
    ##options       ALTQ_ECN        #ecn extension to tcp (needs RED)
    ##options       ALTQ_IPSEC      #check ipsec in IPv4
    options         ALTQ_CDNR       #diffserv traffic conditioner
    ##options       ALTQ_BLUE       #blue by wu-chang feng
    options         ALTQ_PRIQ       #priority queue
    options         ALTQ_NOPCC      #don't use processor cycle counter
    #options        ALTQ_DEBUG      #for debugging

    #options        IPDIVERT
    options         IPSTEALTH
    #options        IPFILTER

My pf.conf is about 600 lines, so I will not paste it here. If you request it, I can upload it somewhere. Thanks in advance, and sorry for all my mistakes!
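The following is an added example and is not part of mzk's ruleset (which is not on the page). It rewrites the four rules along the lines of Max Laier's advice further down the thread (stateful rules, one queue per connection) and closes the hole mzk eventually reports: the router's own internal address lies inside one of the <peering> prefixes, so ftp-proxy transfers, which are sourced from that address, were classified as peering traffic and never shaped. The interface name, addresses, bandwidths, queue sizes and the table file are assumptions.

```pf
# Added example; not mzk's ruleset. Interface, address, bandwidth and
# file names are assumptions.
int_if = "fxp1"
host   = "10.1.0.5"
ports  = "{ 80, 443 }"

# Peering prefixes. One of them contains the router's own internal address,
# which is what made ftp-proxy'd transfers look like peering traffic.
table <peering> persist file "/etc/pf.peering"

# Per-host download queues on the internal interface (numbers assumed).
altq on $int_if cbq bandwidth 100Mb queue { peering_host_in, host_in, std }
queue peering_host_in bandwidth 50Mb cbq(borrow)
queue host_in         bandwidth 2Mb
queue std             bandwidth 48Mb cbq(default)

# Traffic the router itself sends to the host (ftp-proxy data connections,
# DNS replies, ...) is matched first and kept out of the peering queue.
# ($int_if) tracks the interface address, so a renumbering does not
# silently re-open the hole. Order matters because every rule is 'quick'.
pass out quick on $int_if from ($int_if) to $host queue host_in keep state
pass out quick on $int_if from <peering> to $host queue peering_host_in keep state
pass out quick on $int_if from any to $host queue host_in keep state

# Connections the host opens. With 'keep state' the queue named here is
# attached to the state, so the replies leaving $int_if towards the host
# are queued by it as well; the 'pass out' rules above then only see
# connections that were initiated from the outside.
pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports keep state queue peering_host_in
pass in quick on $int_if proto { tcp, udp } from $host to any port $ports keep state queue host_in
```

To confirm that the exclusion is actually needed on a given box, test the router's internal address against the table with `pfctl -vv -t peering -T test <address>`; if it matches, every connection sourced from the router would otherwise take the peering queue. After loading, `pfctl -vvsr` shows per-rule match counters and `pfctl -vsq` the queue statistics, which is how the misclassification shows up in practice.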
From owner-freebsd-pf@FreeBSD.ORG Sun Nov 28 22:28:01 2004
From: mikael söderholm
To: mzk, freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 00:27:58 +0200
In-Reply-To: <20041128235145.942843@mzk>
Subject: Re: PF strange problem.

If you have 'quick' in the rule it won't go through any other rules after that.

On Sun, 28 Nov 2004 23:51:45 +0200, mzk wrote:
> For each host of my network I have 4 rules, 2 out (from int_if) and 2 in, like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports
>
> The problem is that the first (`peering`) rule works like the second one: it passes everything from anyone using the peering_host_in queue. If I comment it out, the second rule works, but that's not the idea. So my international connection (the second rules) is overloaded and I cannot make good QoS.
> [...]

From owner-freebsd-pf@FreeBSD.ORG Sun Nov 28 22:37:25 2004
From: mzk
To: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 00:39:35 +0200
Message-ID: <2004112903935.976191@mzk>
Subject: Re: PF strange problem.

I tried removing `quick`, and the effect was the use of the next rule, which I don't want. Exactly for QoS I am using the quick keyword in my rules. Otherwise the hosts will receive much slower speed for the table.

> If you have 'quick' in the rule it won't go through any other rules
> after that.
From owner-freebsd-pf@FreeBSD.ORG Mon Nov 29 19:01:40 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 20:01:59 +0100
Message-Id: <200411292002.10067.max@love2party.net>
In-Reply-To: <20041128235145.942843@mzk>
Subject: Re: PF strange problem.

On Sunday 28 November 2004 22:51, mzk wrote:
> First sorry my English and sorry my other mistakes, but that is my first
> post in mailing list ever. :-) Today i understood my pf doesn't work
> properly. For each host of my network i have 4 rules, 2 out (from int_if)
> and 2 in like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports

Okay, first of all some generic notes:

1) Consider stateful rules. It will not only make the firewall faster but will also make sure that all outgoing traffic of a "connection" is enqueued to the same queue. This simplifies the ruleset a lot.

2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the table really contains what you think it does.

> The problem is, that the first `peering` rule works like the second one ->
> it pass everything from anyone using the peering_host_in queue. If i
> comment it, the second rule works, but that's not the idea. So my
> international connection (the second rules) is overloaded and i could not
> make good QoS. I am using GENERIC with these options, added by me ->

I don't really get what you are saying here. Sorry. Can you try to rephrase, please? Maybe you can also include the rules in question with match-counters: "$pfctl -vvsr" and the queue stats: "$pfctl -vsq". Both are also good tools for debugging the ruleset.

I hope these pointers help, and am really sorry that I don't fully understand what the problem is.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 29 19:07:14 2004
From: Josh Kayse
To: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 14:06:19 -0500
Message-ID: <7c8f2792041129110672937ae7@mail.gmail.com>
Subject: [pf4freebsd] Re: pfsync
I don't know if you are still interested in updates, but I have run the pfsync patch on FreeBSD 5.3 and it seems to be working great. Keep up the great work :)

-- 
Joshua Kayse
Computer Engineering

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 29 19:19:26 2004
From: Max Laier
To: gtg062h@mail.gatech.edu
Cc: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 20:19:49 +0100
Message-Id: <200411292019.59902.max@love2party.net>
In-Reply-To: <7c8f2792041129110672937ae7@mail.gmail.com>
Subject: Re: [pf4freebsd] Re: pfsync
On Monday 29 November 2004 20:06, Josh Kayse wrote:
> I don't know if you are still interested in updates, but I have run
> the pfsync patch on FreeBSD 5.3 and it seems to be working great.
> Keep up the great work :)

I *am* interested in details. It's also part of the ongoing CARP patchset and I'll likely commit them in one go.

Can you please tell me some details about how you tested? Are you peering two FreeBSD boxes or Free- and OpenBSD or something completely different?

TIA.

-- 
Max Laier

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 29 19:33:24 2004
From: mikael söderholm
To: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 21:33:21 +0200
In-Reply-To: <200411292019.59902.max@love2party.net>
Subject: could my pf.conf be improved

This might be a little off-topic, but I am running pf on FreeBSD so... :P

Could the config I have be improved in some way, and/or am I doing something totally wrong? The config: http://ihku.org/~gnarlie/pf.conf

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 00:33:09 2004
From: Josh Kayse
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 29 Nov 2004 14:30:02 -0500
Message-ID: <7c8f2792041129113041d636be@mail.gmail.com>
In-Reply-To: <200411292019.59902.max@love2party.net>
Subject: Re: [pf4freebsd] Re: pfsync

On Mon, 29 Nov 2004 20:19:49 +0100, Max Laier wrote:
> I *am* interested in details. It's also part of the ongoing CARP patchset and
> I'll likely commit them in one go.
>
> Can you please tell me some details about how you tested? Are you peering two
> FreeBSD boxes or Free- and OpenBSD or something completely different?
>
> TIA.

I'm peering between two FreeBSD boxes in a bridged firewall mode. It's successful enough for me to fail over between the two without losing TCP sessions so far. I still have some more testing to go, but I'd say it's working well.

Exact details of the setup:

    2 FreeBSD 5.3 boxes cvsup'd against RELENG_5 and rebuilt as of Sunday (with the patch, of course)
    3 interfaces: em0, em1, xl0
    pfsync over xl0
    em1 has a public IP address
    em0 has no address
    using a patched version of freevrrpd to handle failovers (I don't like having all the multicast packets flying around, and didn't want to rely on smart switches to handle the loop)
    works well so far

If you want any other information, let me know; I'll be glad to work with you.

Keep up the great work
-josh

-- 
Joshua Kayse
Computer Engineering

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 14:25:43 2004
From: mzk
To: freebsd-pf@freebsd.org
Date: Tue, 30 Nov 2004 16:27:53 +0200
Message-ID: <20041130162753.312353@mzk>
In-Reply-To: <200411292002.10067.max@love2party.net>
Subject: Re: PF strange problem.
> On Sunday 28 November 2004 22:51, mzk wrote:
>> [...] For each host of my network i have 4 rules, 2 out (from int_if)
>> and 2 in like:
>>
>> pass out quick on $int_if from <peering> to $host queue peering_host_in
>> pass out quick on $int_if from any to $host queue host_in
>> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
>> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports
>
> Okay, first of all some generic notes:
> 1) Consider stateful rules. It will not only make the firewall
> faster but will also make sure that all outgoing traffic of a
> "connection" is enqueued to the same queue. This simplifies the
> ruleset a lot.
> 2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the
> table really contains what you think it does.

I tried these notes, thanks!
1) Stateful rules should speed up my firewall.
2) I understood that my peering table (pf, actually) works correctly.

>> The problem is, that the first `peering` rule works like the
>> second one -> it pass everything from anyone using the
>> peering_host_in queue. If i comment it, the second rule works,
>> but that's not the idea. So my international connection (the
>> second rules) is overloaded and i could not make good QoS. [...]
>
> I don't really get what you are saying here. Sorry. Can you try to
> rephrase, please? Maybe you can also include the rules in question
> with match-counters: "$pfctl -vvsr" and the queue stats: "$pfctl -vsq"
> Both are also good tools for debugging the ruleset.

The supposition above is almost wrong. I found the problem, which was: my peering table consists of hundreds of networks. One of these networks is mine. When ftp-proxy is running (so I can run ftp for my users), it runs with a `peering` IP (the IP of the internal interface or some other router interface IP), so a client of my network does not actually download from the ftp host somewhere in the net; it downloads from the router's internal interface IP. For the router's internal IP I have no queue definitions, no shaping. Therefore everybody can download without speed limit from ftp sites. ;)

> I hope these pointers help, and am really sorry that I don't fully
> understand what the problem is.

These pointers were very, very useful for me! Thank you! I have to get some English courses ;)

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 17:50:45 2004
See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=obqXP78UB73NovlWmMNP3jYcqxr52Y3JtBIicj20+mleS2ZgQnxITSFszIreGB8tJ1w9cn7cNsWL8YzgFD/AotODg9qnCIaauwn5B/iB2rKkFh/pSw4x3edm5oB/qJvKjMUhWFsVFg4yFUfOAXq8ZIjEXHZsZhvqjy/jQAvwEek= ; Message-ID: <20041130175044.72091.qmail@web52210.mail.yahoo.com> Received: from [193.110.229.165] by web52210.mail.yahoo.com via HTTP; Tue, 30 Nov 2004 09:50:44 PST Date: Tue, 30 Nov 2004 09:50:44 -0800 (PST) From: Robert M To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: 3 gateways problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Nov 2004 17:50:45 -0000 Hello, I have a problem with source routing via 3 gateways. All I need, is to be able to get in to my local machine via 'rdr' rule. All connections are routed via firewall box with 4 ethernet cards. I don't want this done via 'binat' ruel as I only want to rdr some ports. When telneting from external host to: 83.16.196.130 port 22 -> I want to be redirected to 192.168.1.1 port 22 As well as: 194.110.229.163 port 22 -> 192.168.1.1 22 This also can be done by adding a new eg. 192.168.1.2 IP to my local machine, but it requires daemon binging setting changes.. so I'd rather not. The problem is that 1/2 connections are estabilished properly. I assume it's a problem with rule: pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state where system doesn't know, which gateway should be used for return packet. Below is my pf.conf (sorry it's messy a little). OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004 root@fw:/usr/obj/usr/src/sys/TUNED i386 Thank you! 
Regards,
Robert

------- pf.conf -----
# vars
ifInt="rl0"
ifDSL1="rl1"
ifDSL2="rl2"
ifDSL3="rl3"

exLocal="192.168.0.3"
exDSL3="194.110.229.164"
robertLocal="192.168.0.4"
robertDSL3="194.110.229.165"
develDSL3="194.110.229.163"
fwDSL3="194.110.229.162"

## networks
netDSL1="83.16.196.120/29"    # dsl1
gwDSL1="83.16.196.121"        # gw

netDSL2="83.16.196.128/29"    # dsl2
gwDSL2="83.16.196.129"        # gw

netPSN="192.168.0.0/24"       # Private Service Network (

netDMZ="192.168.1.0/24"       # Demilitarized Zone (hostDevel)
hostDevel="192.168.1.1"       # devel
netLocal="192.168.0.0/16"     # psn+dmz

netDSL3="194.110.229.160/27"  # DSL3
gwDSL3="194.110.229.161"      # gw

## altq
altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
queue q1pri priority 7
queue q1ssh priority 5
queue q1def priority 1 priq(default)

altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
queue q2pri priority 7
queue q2ssh priority 5
queue q2def priority 1 priq(default)

altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
queue q3pri priority 7
queue q3ssh priority 5
queue q3def priority 1 priq(default)

## nat 1:n (output)
nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122     # dsl1
nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130    # dsl2
nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162   # DSL3
nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3      # devel(DSL3)

## nat 1:1 (input)
# devel
rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1

rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389

rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27

## binat
binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3

# source routing
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state   # -> myweb via dsl2
pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state   # -> DSL3
pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state   # -> dsl1
pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state   # -> dsl2

# queues
# DSL1
pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q1ssh, q1pri)
pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
    keep state queue (q1def, q1pri)
pass in on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
    keep state queue (q1def, q1pri)

#DSL 2
pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q2ssh, q2pri)
pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
    keep state queue (q2def, q2pri)
pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
    keep state queue (q2def, q2pri)

#DSL3
pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
    keep state queue (q3ssh, q3pri)
pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
    keep state queue (q3def, q3pri)
pass in on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
    keep state queue (q3def, q3pri)
--- end of pf.conf ----
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 19:01:10 2004
Message-ID: <41ACC3AE.4020309@gmail.com>
Date: Tue, 30 Nov 2004 21:02:06 +0200
From: Claudiu Dragalia-Paraipan
To: Robert M
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20041130175044.72091.qmail@web52210.mail.yahoo.com>
Subject: Re: 3 gateways problem

Hi,

maybe this helps you. It is a part of the PF FAQ that you can find at http://www.openbsd.org/faq/pf/

---------- http://cvs.openbsd.org/faq/pf/pools.html
...
To ensure that packets with a source address belonging to $ext_if1 are always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the following two lines should be included in the ruleset:

  pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
      to any
  pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
      to any

Finally, NAT can also be used on each outgoing interface:

  nat on $ext_if1 from $lan_net to any -> ($ext_if1)
  nat on $ext_if2 from $lan_net to any -> ($ext_if2)
...
----------

Robert M wrote:
> Hello,
>
> I have a problem with source routing via 3 gateways.
--
Claudiu Dragalina-Paraipan
dr.clau@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 22:07:52 2004
Message-ID: <20041130220750.75198.qmail@web52202.mail.yahoo.com>
Date: Tue, 30 Nov 2004 14:07:50 -0800 (PST)
From: Robert M
To: Claudiu Dragalia-Paraipan
Cc: freebsd-pf@freebsd.org
In-Reply-To: <41ACC3AE.4020309@gmail.com>
Subject: Re: 3 gateways problem

Hi,

Thank you for your reply.

I have read the manual before.

I did try adding the following lines to the end of my pf.conf file, but this didn't help though.

---
pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifLimes to any
pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
----

Maybe I misunderstood the 'meaning' of these rules? I'm suspecting a "bug" in the pf.conf file :-(

PS. Do you know any website where I can learn about advanced pf/altq networking? I would like to simply limit internet speed to 256Kbit/s with priq in each queue for every user on my 2Mbit line.

Thank you!

Regards,
--
Robert

--- Claudiu Dragalia-Paraipan wrote:
> Hi,
>
> maybe this helps you.
> === message truncated ===
> ATTACHMENT part 2 application/pgp-signature name=signature.asc
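The pieces of this exchange fit together, and the added example below (not Robert's or Claudiu's configuration, and not from the FAQ) shows the fix. Two things stand out in the posted rules. First, pf filters after translation: a rule written `to $ifDSL2` never matches a packet that an `rdr` has just rewritten to 192.168.1.1, so the redirected SYN is passed by the implicit default pass, and the state that the translation creates records no gateway. The SYN-ACK from 192.168.1.1 is then matched by that state, not by the `pass in quick on $ifInt route-to` rules, and it leaves through whichever uplink the routing table selects, which is right for at most one of the two redirected addresses. The `pass out ... route-to` lines from the FAQ do not change this either, because a packet that matches an existing state is not evaluated against the rule set again. `reply-to` on the inbound rule addresses exactly this case: the return gateway is stored in the state and pf sends the replies through it. Second, one of the six lines added at the end references `$ifLimes`, which is defined nowhere in the posted pf.conf; pfctl refuses to load a rule set that references an undefined macro, so the rule set already in the kernel stays in effect unchanged. `pfctl -nf /etc/pf.conf` parses the file without loading it and reports that error. The macro values below are copied from the thread's pf.conf; that the default route points somewhere other than DSL2 is an assumption, and the port list is cut down to 22 for brevity.

```pf
# Added example, not the thread's pf.conf: pin the return path of
# connections that arrive through an uplink that is not the default route.
# Macros as posted in the thread; the default route is assumed to be
# elsewhere than $gwDSL2 (not stated in the thread).
ifInt="rl0"
ifDSL2="rl2"
ifDSL3="rl3"
gwDSL2="83.16.196.129"
gwDSL3="194.110.229.161"
hostDevel="192.168.1.1"
netLocal="192.168.0.0/16"

rdr on $ifDSL2 proto tcp from any to 83.16.196.130   port 22 -> $hostDevel
rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port 22 -> $hostDevel

# Weak (as posted): filter rules see the *translated* destination, so
# "to $ifDSL2" never matches a redirected packet.  The implicit default
# pass lets it through; the translation state remembers no gateway, and
# the SYN-ACK from $hostDevel follows the routing table out of whatever
# uplink it names, with a source address that belongs to another line.
# pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA keep state

# Corrected: match the translated destination and record the return path
# in the state with reply-to.  Only the SYN creates state (flags S/SA);
# every later packet of the connection, including the replies arriving
# on $ifInt from $hostDevel, is matched by this state and routed back
# through the uplink it came in on.
pass in on $ifDSL2 reply-to ($ifDSL2 $gwDSL2) proto tcp \
    from any to $hostDevel port 22 flags S/SA keep state
pass in on $ifDSL3 reply-to ($ifDSL3 $gwDSL3) proto tcp \
    from any to $hostDevel port 22 flags S/SA keep state

# Outbound connections from the DMZ host: one gateway is enough.  Listing
# the same (interface gateway) pair twice in a route-to pool, as the posted
# rule does, changes nothing.
pass in quick on $ifInt route-to ($ifDSL3 $gwDSL3) \
    from $hostDevel to ! $netLocal flags S/SA keep state

# FAQ-style symmetry for the firewall's own traffic: a packet sourced from
# one uplink's address that the routing table sends out the other uplink
# is redirected to the gateway that owns the source address.  These rules
# only see packets that match no state, which is why they did not help
# with the redirected connections above.
pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
```

After loading, `pfctl -vsr` shows per-rule evaluation and match counters and `pfctl -ss` lists the states; a redirected connection that works shows one state whose rule is the `reply-to` rule for the uplink it arrived on, with the translated destination 192.168.1.1 in the state entry.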
From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 22:24:06 2004
Message-Id: <200411302324.43713.max@love2party.net>
Date: Tue, 30 Nov 2004 23:24:35 +0100
From: Max Laier
To: freebsd-pf@freebsd.org
In-Reply-To: <20041130220750.75198.qmail@web52202.mail.yahoo.com>
Subject: Re: 3 gateways problem

On Tuesday 30 November 2004 23:07, Robert M wrote:
> I'm suspecting a "bug" in pf.conf file :-(
>
> Ps.
> do you know any website where I can learn
> about advanced pf/altq networking ?
> I would like to simply limit internet speed
> to 256Kbit/s with priq in each queue to every user on
> my 2Mbit line.

https://solarflux.org/pf/ has quite a few examples to start from. It's a bit outdated, but still of some value. Other than that, "Building Firewalls with OpenBSD and PF" by Jacek Artymiak [http://www.openbsd.org/books.html#book1] is a good book to get the background.

> Thank you!
>
> Regards,

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 00:42:30 2004
Message-ID: <20041201004229.74710.qmail@web52203.mail.yahoo.com>
Date: Tue, 30 Nov 2004 16:42:29 -0800 (PST)
From: Robert M
To: Max Laier, freebsd-pf@freebsd.org
In-Reply-To: <200411302324.43713.max@love2party.net>
Subject: Re: 3 gateways problem

--- Max Laier wrote:
> On Tuesday 30 November 2004 23:07, Robert M wrote:
> > I'm suspecting a "bug" in pf.conf file :-(
> >
> > Ps. do you know any website where I can learn
> > about advanced pf/altq networking ?
> > I would like to simply limit internet speed
> > to 256Kbit/s with priq in each queue to every user on
> > my 2Mbit line.
>
> https://solarflux.org/pf/ has quite a few examples to start from. It's a bit
> outdated, but still of some value. Other than that, "Building Firewalls with
> OpenBSD and PF" by Jacek Artymiak [http://www.openbsd.org/books.html#book1]
> is a good book to get the background.

I've studied solarflux a bit. As for the book, I will buy it asap.

Also a late 'thank you' for porting pf to FreeBSD!

Regards,
--
Robert
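On the per-user limit Robert asks about, an added example follows; it is not from the thread or from the resources Max lists. priq queues carry only a priority and own no bandwidth, so a priq queue can favour one user's packets over another's but cannot hold anyone to 256Kbit/s. A cap needs a discipline whose queues own a share of the link, cbq or hfsc (both are in the kernel options at the top of this thread); in cbq a child queue that is not marked `borrow` cannot exceed its `bandwidth`. Shaping happens where the traffic leaves the firewall, which for downloads is the internal interface, and the root bandwidth is set to the upstream line rate rather than the Ethernet rate so that the queues, not the wire, are the limit. Because pf stores the queue in the state, the queue has to be named on the rule that creates the state, here the `pass in quick on $ifInt route-to` rule, rather than on a separate `pass out` rule that a stateful reply never reaches. Macros follow the thread's pf.conf; the two user addresses 192.168.0.3 and 192.168.0.4 appear in it, the queue names and the split of the remaining bandwidth are mine.

```pf
# Added example, not from the thread: cap each user's downloads at
# 256Kbit/s on the 2Mbit DSL3 line.  Macros as in the thread's pf.conf;
# queue names and the bandwidth split are assumptions of this example.
ifInt="rl0"
ifDSL3="rl3"
gwDSL3="194.110.229.161"
netLocal="192.168.0.0/16"

# Shape on the LAN side: downloads leave the firewall through $ifInt.
# The root bandwidth is the upstream line rate, not the 100Mb Ethernet
# rate, otherwise nothing ever queues and no limit applies.
altq on $ifInt cbq bandwidth 2Mb queue { dl_0_3, dl_0_4, dl_def }

# No "borrow": a user's queue may never exceed its share, even when the
# rest of the line is idle.  priq has no equivalent, its queues have only
# a priority.
queue dl_0_3 bandwidth 256Kb priority 3 cbq(red)
queue dl_0_4 bandwidth 256Kb priority 3 cbq(red)
# Everyone else shares the remainder; the children's bandwidth must not
# add up to more than the root's (256 + 256 + 1400 = 1912Kb <= 2000Kb).
queue dl_def bandwidth 1400Kb priority 1 cbq(default borrow)

# Name the queue on the rule that creates the state.  Packets of the
# connection that later leave on $ifInt (the download) are enqueued in
# that queue; on $ifDSL3, where no queue of that name exists, they fall
# into that interface's default queue.
pass in quick on $ifInt route-to ($ifDSL3 $gwDSL3) \
    from 192.168.0.3 to ! $netLocal flags S/SA keep state queue dl_0_3
pass in quick on $ifInt route-to ($ifDSL3 $gwDSL3) \
    from 192.168.0.4 to ! $netLocal flags S/SA keep state queue dl_0_4
```

`pfctl -vsq` shows each queue's packet and byte counters, and a user who is being capped shows up as drops on their queue while `dl_def` keeps flowing; if the counters never move, the traffic is leaving through an interface other than the one the altq line names.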
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 04:52:04 2004
Message-Id: <20041201045203.262D443D5C@mx1.FreeBSD.org>
Date: Wed, 1 Dec 2004 05:51:35 +0100
From: Clément MOULIN
Organization: SimpleRezo
Subject: FreeBSD bridge + filtering, BIG problem

Hi,

I'm afraid I have found a FreeBSD 5.X security issue.
We have recently upgraded one gateway from 4.10 to 5.3... The following network is used:

  [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                 |
                 |--fxp0--em0--[SR02]

On fw01, we have one jail.

So fw01 is configured as a bridge on xl1, xl0 and fxp0. Services work (before and after the upgrade).

On 4.10, we used IPFilter as firewall and for network traffic accounting. Since the upgrade, INCOMING traffic accounting does not work anymore (OUTGOING works fine)...

Thinking this could be an ipfilter issue, and because we are planning to change to the great OpenBSD pf, we have tried to do the accounting with pf... but the same behaviour occurs (tests have been done with big files).

  From/to    inet   fw01   jail   sr01   sr02
  Internet   -      ok     ok     KO     KO
  Fw01       ok     -      ok     ok     ok
  Jail       ok     ok     -      ok     ok
  Sr01       KO*    ok     ok     -      KO
  Sr02       KO*    ok     ok     KO     -

  * with pf enabled, the scp connection goes "stalled" very quickly (stops between 100 and 300 Kb of traffic)

Worst thing, the "default rule" accounting (any to any) does not report the "unreported" traffic... it feels like the rules are not processed. So I decided to make another test with pf.

Adding "block in quick proto tcp from any to [jail_port] port smtp"; testing: works fine.

But with the same rule with sr01 as the destination host, IT DOESN'T WORK: from the internet, fw01 or sr02, we can connect to the tcp port!!!!!!!!!!!!!!!!! It's not pf related, because the same behaviour occurs with IPF!!!!!!!!

Details

fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge, nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1

jail=**IP**
sr01=**IP**
sr02=**IP**

#block in quick proto tcp from any to $sr01 port smtp

pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11

pass all
------------------------------------

Seems to be bridge freebsd 5.3 support related...
Can someone take a look at this? Thanks!

--
Clément Moulin
SimpleRezo - Simplify your network!
Tel.: +33 871 763 102 - Web: http://www.simplerezo.com/

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 08:28:02 2004
From: Claudiu Dragalia-Paraipan <dr.clau@gmail.com>
To: Robert M
Date: Wed, 01 Dec 2004 10:29:07 +0200
Message-ID: <41AD80D3.3090005@gmail.com>
In-Reply-To: <20041130220750.75198.qmail@web52202.mail.yahoo.com>
cc: freebsd-pf@freebsd.org
Subject: Re: 3 gateways problem

Try to add 'flags S/SA' to your route-to rules. If it does not work, watch with pfctl -vsr and -vsn which rules you hit and when. Check if states are created for connections coming from outside with pfctl -ss.

Regards,

Robert M wrote:
> Hi,
>
> Thank you for your reply.
>
> I have read the manual before.
>
> I did try adding the following lines to
> the end of my pf.conf file, but this didn't help
> though.
>
> ---
> pass out on $ifDSL1 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
> pass out on $ifDSL1 route-to ($ifDSL3 $gwDSL3) from $ifDSL3 to any
> pass out on $ifDSL2 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
> pass out on $ifDSL2 route-to ($ifDSL3 $gwDSL3) from $ifLimes to any
> pass out on $ifDSL3 route-to ($ifDSL1 $gwDSL1) from $ifDSL1 to any
> pass out on $ifDSL3 route-to ($ifDSL2 $gwDSL2) from $ifDSL2 to any
> ----
>
> Maybe I misunderstood the 'meaning' of these rules?
>
> I'm suspecting a "bug" in pf.conf file :-(
>
> Ps. do you know any website where I can learn
> about advanced pf/altq networking?
> I would like to simply limit internet speed
> to 256Kbit/s with priq in each queue to every user on
> my 2Mbit line.
>
> Thank you!
>
> Regards,
>

--
Claudiu Dragalina-Paraipan
dr.clau@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 11:09:20 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Clément MOULIN
Date: Wed, 1 Dec 2004 20:09:12 +0900
Message-ID: <20041201110912.GA9840@kt-is.co.kr>
In-Reply-To: <20041201045203.262D443D5C@mx1.FreeBSD.org>
Reply-To: yongari@kt-is.co.kr
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem

On Wed, Dec 01, 2004 at 05:51:35AM +0100, Clément MOULIN wrote:
> Hi,
>
> I'm afraid I have found a FreeBSD 5.X security issue.
>
> We have recently upgraded one gateway from 4.10 to 5.3... Following network
> used:
>
> [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
>              |
>              |--fxp0--em0--[SR02]
>
> On fw01, we have one jail.
>
> So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before
> and after upgrade).
> On 4.10, we used IPFilter as firewall and for network traffic accounting.
> Since upgrade, INCOMING traffic accounting does not work anymore (OUTGOING
> working fine)...
>
> Thinking this could be an ipfilter issue, and because we are planning to change
> to the great OpenBSD pf, we have tried to do accounting with pf... but the same
> behaviour occurs (tests have been done with big files).
>
> From/to    inet   fw01   jail   sr01   sr02
> Internet   -      ok     ok     KO     KO
> Fw01       ok     -      ok     ok     ok
> Jail       ok     ok     -      ok     ok
> Sr01       KO*    ok     ok     -      KO
> Sr02       KO*    ok     ok     KO     -
>
> * with pf enabled, the scp connection goes "stalled" very quickly (stops between
> 100 and 300 Kb of traffic)
>
> Worst thing, the "default rule" accounting (any to any) does not report
> "unreported" traffic... feels like rules are not processed. So I decided to
> make another test with pf.
>
> Adding "block in quick proto tcp from any to [jail_port] port smtp";
> Testing: works fine.
> But with the same rule with sr01 as destination host, IT DOESN'T WORK:
> from internet, fw01 or sr02, we can connect to the tcp port
> !!!!!!!!!!!!!!!!! It's not pf related, because the same behaviour occurs with
> IPF!!!!!!!!
>
> Details
> fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
> nullfs and pf.
> Sr01: FreeBSD 5.2.1, custom kernel
> Sr02: FreeBSD 5.3, GENERIC kernel
>
> ------------------------------------pf.conf
> set loginterface fxp1
>
> jail=**IP**
> sr01=**IP**
> sr02=**IP**
>
> #block in quick proto tcp from any to $sr01 port smtp
>
> pass quick from any to $jail keep state label 0
> pass quick from $jail to any keep state label 1
> pass quick from any to $sr02 keep state label 6
> pass quick from $sr02 to any keep state label 7
> pass quick from any to $sr01 keep state label 10
> pass quick from $sr01 to any keep state label 11
>
> pass all
> ------------------------------------
>
> Seems to be bridge freebsd 5.3 support related...
> Can someone take a look at this? Thanks!
>

Both pf and ipf can't create *states* in bridge mode. That restriction comes from bridge(4). Since pf/ipf couldn't create states, it will drop the packet when it thinks the packet is out of the TCP window.
If you want to use pf/ipf in bridge mode, don't use stateful inspection.
One more note: filtering works only for inbound traffic in bridge mode.

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 13:21:02 2004
From: Clément MOULIN <cmoulin@simplerezo.com>
Date: Wed, 1 Dec 2004 14:20:40 +0100
In-Reply-To: <20041201110912.GA9840@kt-is.co.kr>
Message-Id: <20041201132101.F2A3143D6D@mx1.FreeBSD.org>
cc: freebsd-security@freebsd.org
cc: freebsd-questions@freebsd.org
cc: freebsd-pf@freebsd.org
Subject: RE: FreeBSD bridge + filtering, BIG problem

Pyun YongHyeon wrote:
> Both pf and ipf can't create *states* in bridge mode. That restriction
> comes from bridge(4). Since pf/ipf couldn't create states, it will drop the
> packet when it thinks the packet is out of the TCP window.
>
> If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> One more note: filtering works only for inbound traffic in bridge mode.

If you're right, it SHOULD really be specified in bridge(4), but I'm not very sure about this, since I see states with pfctl and no packets are dropped in my case (except maybe in scp from internet to sr01)!

Finally, I have found the main problem. Both for ipf/pf, I have to set sysctl "net.link.ether.bridge.ipf" to 1... That doesn't exist on FreeBSD 4.X. After that, incoming traffic is filtered (accounting works, blocking rules too).
We REALLY need to specify this in the FreeBSD handbook (sections 14.9 - firewalls and 24.5.4 - bridging) and the Migration Guide for 5.X, since it could be a big security hole.

My last problem is that scping from sr01 to internet stalls after 144KB exactly (internet to sr01 works)! This is a pf issue, since it occurs only when pf is enabled.

--
Clement Moulin
SimpleRezo - Simplify your network!
Web: http://www.simplerezo.com/

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 13:23:40 2004
From: Josh Kayse <josh.kayse@gmail.com>
To: yongari@kt-is.co.kr
Date: Wed, 1 Dec 2004 08:23:39 -0500
Message-ID: <7c8f27920412010523730447de@mail.gmail.com>
In-Reply-To: <20041201110912.GA9840@kt-is.co.kr>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr>
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
Reply-To: gtg062h@mail.gatech.edu

On Wed, 1 Dec 2004 20:09:12 +0900, Pyun YongHyeon wrote:
> On Wed, Dec 01, 2004 at 05:51:35AM +0100, Clément MOULIN wrote:
> > [...]
>
> Both pf and ipf can't create *states* in bridge mode. That restriction
> comes from bridge(4). Since pf/ipf couldn't create states, it will
> drop the packet when it thinks the packet is out of the TCP window.
>
> If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> One more note: filtering works only for inbound traffic in bridge mode.
>
> --
> Regards,
> Pyun YongHyeon
> http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
>

I know it's been touched on in the past, but can you explain why stateful inspection does not work in a bridged mode? And why it only filters for inbound traffic? Does ipfw suffer from the same feature?

Thanks.
-josh

--
Joshua Kayse
Computer Engineering

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 1 17:43:23 2004
From: Jon Simola <jsimola@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 1 Dec 2004 09:43:19 -0800
Message-ID: <8eea0408041201094326d6726c@mail.gmail.com>
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
Reply-To: jon@abccomm.com
Subject: Re: FreeBSD bridge + filtering, BIG problem

On Wed, 1 Dec 2004 08:23:39 -0500, Josh Kayse wrote:
> I know
> it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode? And why it only
> filters for inbound traffic? Does ipfw suffer from the same feature?

'man ipfw' and look at the PACKET FLOW section. Bridged packets are only passed to the firewall at layer 2 and only via the bdg_forward path. There is no path through ip_output or ether_output_frame, so it's easiest to think of ipfw as able to check packets only as they enter and not as they leave.

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 03:26:01 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Clément MOULIN
Date: Thu, 2 Dec 2004 12:25:57 +0900
Message-ID: <20041202032557.GB12155@kt-is.co.kr>
References: <20041201110912.GA9840@kt-is.co.kr> <200412011320.iB1DKaAf028201@ns.kt-is.co.kr>
In-Reply-To: <200412011320.iB1DKaAf028201@ns.kt-is.co.kr>
Reply-To: yongari@kt-is.co.kr
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem

On Wed, Dec 01, 2004 at 02:20:40PM +0100, Clément MOULIN wrote:
>
> Pyun YongHyeon wrote:
> >Both pf and ipf can't create *states* in bridge mode. That restriction
> >comes from bridge(4). Since pf/ipf couldn't create states, it will drop the
> >packet when it thinks the packet is out of the TCP window.
> >
> >If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> >One more note: filtering works only for inbound traffic in bridge mode.
>
> If you're right, it SHOULD really be specified in bridge(4), but I'm not
> very sure about this, since I see states with pfctl and no packets are
> dropped in my case (except maybe in scp from internet to sr01)!
>

Are you sure you can see *states* with "pfctl -ss"?
Both pf/ipf can't create states since they couldn't see ANY outbound packets in bridge environments. In the jail (fw01), you can see states since packets go through L3 hook points.

> Finally, I have found the main problem. Both for ipf/pf, I have to set
> sysctl "net.link.ether.bridge.ipf" to 1... That doesn't exist on FreeBSD
> 4.X. After that, incoming traffic is filtered (accounting works, blocking
> rules too).

Yes, incoming packets only in a bridged setup.

> We REALLY need to specify this in the FreeBSD handbook (sections 14.9 -
> firewalls and 24.5.4 - bridging) and the Migration Guide for 5.X, since it could
> be a big security hole.
>

Agreed. We need clearer documentation for pf/ipf in bridge environments.
> My last problem is that scping from sr01 to internet stalls after
> 144KB exactly (internet to sr01 works)! This is a pf issue, since it occurs
> only when pf is enabled.
>

For states created by pf without seeing the first SYN packet, the connection is fragile. Since pf didn't see options like window scale, pf will drop the connection eventually when it thinks the sequence number of the packet is out of the TCP window. The duration of the connection depends on your application/setup etc.

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 03:39:25 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: gtg062h@mail.gatech.edu
Date: Thu, 2 Dec 2004 12:39:20 +0900
Message-ID: <20041202033920.GC12155@kt-is.co.kr>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org>
  <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com>
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
Reply-To: yongari@kt-is.co.kr
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem

On Wed, Dec 01, 2004 at 08:23:39AM -0500, Josh Kayse wrote:
[...]
>
> I know it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode? And why it only
> filters for inbound traffic? Does ipfw suffer from the same feature?
> Thanks.
>

Both pf/ipf should see inbound/outbound traffic in order to create states. But in bridge(4), the pfil(9) hook for outbound packets is absent. ipfw can create states without seeing outbound packets. Maybe it was the author's intention to reduce overhead by not checking packets in both directions.

I guess ipfw can't filter outbound packets in a bridged setup too.

Long time ago, I wrote a patch to add a pfil(9) outbound hook in bridge setup. The patch makes pf's scrub rule work too. It wouldn't apply to 5.3R but you can see the point.
http://www.kr.freebsd.org/~yongari/patches/bridge.patch

> -josh
>
> --
> Joshua Kayse
> Computer Engineering

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 08:18:16 2004
From: Jeremie Le Hen <tataz@tataz.chchile.org>
To: Pyun YongHyeon
Date: Thu, 2 Dec 2004 09:17:13 +0100
Message-ID: <20041202081713.GO79919@obiwan.tataz.chchile.org>
In-Reply-To: <20041202033920.GC12155@kt-is.co.kr>
cc: gtg062h@mail.gatech.edu
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem

> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), the pfil(9) hook for outbound packets
> is absent.
> ipfw can create states without seeing outbound packets.
> Maybe it was the author's intention to reduce overhead by not
> checking packets in both directions.
>
> I guess ipfw can't filter outbound packets in a bridged setup too.
>
> Long time ago, I wrote a patch to add a pfil(9) outbound hook
> in bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
>
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch

Could we hope to see this patch merged some day? Are there major drawbacks with this pfil outbound hook in bridge setup? At first glance, it seems to be cool that pf and ipf perform the same while in routing or bridging mode.

Best regards,
--
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 08:59:03 2004
Date: Thu, 2 Dec 2004 17:58:58 +0900
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Jeremie Le Hen
Message-ID: <20041202085858.GC12562@kt-is.co.kr>
In-Reply-To: <20041202081713.GO79919@obiwan.tataz.chchile.org>
Reply-To: yongari@kt-is.co.kr
cc: gtg062h@mail.gatech.edu
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem

On Thu, Dec 02, 2004 at 09:17:13AM +0100, Jeremie Le Hen wrote:
> > Both pf/ipf should see inbound/outbound traffic in order to
> > create states. But in bridge(4), the pfil(9) hook for outbound packets
> > is absent. ipfw can create states without seeing outbound packets.
> > Maybe it was the author's intention to reduce overhead by not
> > checking packets in both directions.
> >
> > I guess ipfw can't filter outbound packets in a bridged setup too.
> >
> > Long time ago, I wrote a patch to add a pfil(9) outbound hook
> > in bridge setup. The patch makes pf's scrub rule work too.
> > It wouldn't apply to 5.3R but you can see the point.
> >
> > http://www.kr.freebsd.org/~yongari/patches/bridge.patch
>
> Could we hope to see this patch merged some day? Are there major
> drawbacks with this pfil outbound hook in bridge setup? At first

AFAIK, none. If ipfw doesn't want to handle outbound traffic as it was before, it can do that without registering an outbound hook.

> glance, it seems to be cool that pf and ipf perform the same while in
> routing or bridging mode.
I guess andre is working on a new hook interface for bridge environments. Once it's done, pf/ipf can create real states, I believe. Of course, that is not sufficient to run pf in bridge mode. pf's scrubbing needs special handling, since it has to fragment the assembled IP packets and generate ICMP messages in case the DF bit is set. All this work could be done after andre's enhancements. Sorry, I don't want to duplicate work, and at present I have more important pending jobs (at least to me) in sparc64.

> Best regards,
> --
> Jeremie Le Hen
> jeremie@le-hen.org

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 22:21:32 2004
From: Clément MOULIN
cc: freebsd-pf@freebsd.org
Date: Thu, 2 Dec 2004 23:21:01 +0100
Subject: RE: FreeBSD bridge + filtering, BIG problem
In-Reply-To: <20041202032557.GB12155@kt-is.co.kr>
Message-Id: <20041202222131.6483843D46@mx1.FreeBSD.org>

Pyun YongHyeon wrote:
> Are you sure you can see *states* with "pfctl -ss"?
> Both pf/ipf can't create states since it couldn't see ANY outbound
> packets in bridge environments. In jail(fw01), you can see states
> since packets go through L3 hook points.
Yes I do (with pf):

  $ pfctl -ss
  No ALTQ support in kernel
  ALTQ related functions disabled
  self tcp ...:3556 <- ...:80       CLOSED:SYN_SENT
  self tcp ...:3557 <- ...:80       CLOSED:SYN_SENT
  self tcp ...:2970 <- ...:80       CLOSED:SYN_SENT
  self tcp ...:80 <- ...:3556       ESTABLISHED:ESTABLISHED
  self tcp ...:80 <- ...:3557       ESTABLISHED:ESTABLISHED
  self tcp ...:80 <- ...:2970       ESTABLISHED:ESTABLISHED
  self tcp ...:80 -> ...:3559       ESTABLISHED:FIN_WAIT_2
  self tcp ...:80 -> ...:3565       ESTABLISHED:FIN_WAIT_2
  self udp ...:64715 -> ...:53      MULTIPLE:SINGLE
  self udp ...:53 <- ...:64715      NO_TRAFFIC:SINGLE

(I have removed the IPs from the output.)

--
Clement Moulin

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 3 07:36:37 2004
Message-ID: <41B0178A.8040504@glasistre.hr>
Date: Fri, 03 Dec 2004 08:36:42 +0100
From: Dean Benazic
To: max@love2party.net, freebsd-pf@freebsd.org
Subject: carp + pf
hi!

can you somehow add this to your diff file:

  /etc/protocols
  carp    112     CARP vrrp       # Common Address Redundancy Protocol

then it will be easy to use the keyword carp instead of vrrp in pf:

  pass in on $someIF proto carp

thanks,
--
Dean Benazic
www.glasistre.hr

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 3 10:06:43 2004
Date: Fri, 3 Dec 2004 11:06:37 +0100
From: Daniel Hartmeier
To: Pyun YongHyeon
cc: Clément MOULIN, freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041203100637.GH21064@insomnia.benzedrine.cx>
In-Reply-To: <20041202032557.GB12155@kt-is.co.kr>
On Thu, Dec 02, 2004 at 12:25:57PM +0900, Pyun YongHyeon wrote:
> Are you sure you can see *states* with "pfctl -ss"?
> Both pf/ipf can't create states since it couldn't see ANY outbound
> packets in bridge environments. In jail(fw01), you can see states
> since packets go through L3 hook points.

pf can very well create states on a FreeBSD bridge; they just don't work properly. The problem is not creating the state entry, but that pf does not see all packets involved in the connection in both directions.

For example, say you have a bridge with two real interfaces, xl0 and xl1, and a TCP connection passing through the bridge (say, from the xl0 network to the xl1 one). As I understand it, pf filtering only happens for packets coming in on xl0 and coming in on xl1, but not for packets going out on xl0 or going out on xl1.

The initial SYN packet of the connection will first pass in on xl0, where it's being filtered by pf. If you have a last-matching rule like

  pass in on xl0 proto tcp ... keep state

the packet will successfully create a state entry and get passed. This state entry will also match any further packets of the connection coming in on xl0 (i.e. packets from the active peer who opened the connection). But packets flowing in the reverse direction (replies from the passive peer) are not filtered by pf on xl0; pf never sees outgoing packets on xl0, due to the missing hook. Hence, no such packets are associated with the state entry, and the state entry never becomes fully established.

The sequence number tracking code in pf relies on seeing all packets of a connection. For instance, it reads the passive peer's initial sequence number (ISN) from the SYN+ACK packet, and uses acknowledgments sent by the passive peer to advance the window of allowed segments for the active peer. Missing all these packets from the passive peer, the state entry never gets completed, and the connection eventually stalls.
Some features (like 'modulate state') will even prevent a successful handshake in this case.

If you're using 'floating states' (the default) instead of interface-bound states, you might expect that packets from the passive peer seen incoming on xl1 should resolve the problem. But that's not the case. Replies coming in on xl1 do NOT match the state entry created by the SYN on xl0, because the direction (incoming) and the source/destination addresses/ports (from passive to active) do not match.

Imagine you had all hooks, i.e. pf would see each packet on each interface. If the bridge consists of just two interfaces, you can filter on only one of them, as each packet passing in or out on one interface must also pass on the other, so you could just use

  pass quick on xl1
  block all
  pass in on xl0 proto tcp ... keep state

That would work fine. Packets (of either direction) on xl0 would create or match states, packets on xl1 would pass without matching states.

If you want to filter on both interfaces, you'd use

  block all
  pass in  on xl0 proto tcp ...criteria A... keep state
  pass out on xl1 proto tcp ...criteria A... keep state
  pass in  on xl1 proto tcp ...criteria B... keep state
  pass out on xl0 proto tcp ...criteria B... keep state

Each connection passing through the firewall would create TWO state entries, one on each interface. Each packet related to a connection would first match one state when incoming on one interface, then match the other state on the second interface.

But either way, pf needs to see packets passing through an interface in both directions. It does not contain hardcoded assumptions like "this is a bridge, treat incoming packets on xl1 as if they were outgoing on xl0" or the like.

You can check what packets pf sees in what direction on which interfaces by using a single rule like

  pass log all

and watching pflog with tcpdump.

The OP quoted fully established state entries, which I wouldn't have expected.
I don't think this is supposed to work at all on bridges yet. It's not solvable by a configuration trick; it really needs the missing hooks in the bridge code.

I didn't know about that sysctl for ipfilter, though; that might affect things for pf.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 3 22:55:23 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 3 Dec 2004 23:55:59 +0100
Subject: New CARP patchset
Message-Id: <200412032356.00086.max@love2party.net>
All,

again I have put up a new CARP patchset. I have not made as much progress as I planned to, but still there has been some progress and it's worth updating, esp. if you are using it with IPv6. As always the patch is at:

  http://people.freebsd.org/~mlaier/CARP/

There are two (and a half) issues remaining:

- VLAN interfaces can't be used as parent interface.
- ifconfig carpX down/destroy doesn't completely clean up the parent interface (e.g. parent remains PROMISC).
- "arp_rtrequest: bad gateway ... (!AF_LINK)"

Anything else? Please let me know!

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 4 02:44:33 2004
From: Bernhard Schmidt
To: freebsd-pf@freebsd.org
Date: Sat, 4 Dec 2004 02:34:03 +0000 (UTC)
Subject: IPv6 MLD packets blocked

Hi,

I'm currently
trying to enable IPv6 multicast forwarding on my FreeBSD home gateway. With both pim6sd and xorp I had the problem that MLD (IGMP for IPv6) from clients did not come through to the appropriate daemon and therefore groups are never subscribed.

This seems to be a problem with pf. When I disable pf with "pfctl -d" it works like a charm; when I enable pf again, even with the simple ruleset

  pass all

it breaks. I've uploaded a sample of an MLD packet to

  http://www.birkenwald.de/~berni/tmp/mld.dump

  FreeBSD heimdall.birkenwald.de 5.3-STABLE FreeBSD 5.3-STABLE #0: Wed Nov 24 00:48:49 CET 2004
  root@heimdall.birkenwald.de:/usr/obj/usr/src/sys/HEIMDALL i386

Thanks
Bernhard

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 4 18:57:29 2004
From: Max Laier
To: freebsd-pf@freebsd.org
cc: Bernhard Schmidt
Date: Sat, 4 Dec 2004 19:58:05 +0100
Message-Id: <200412041958.11601.max@love2party.net>
Subject: Re: IPv6 MLD
packets blocked

On Saturday 04 December 2004 03:34, Bernhard Schmidt wrote:
> Hi,
>
> I'm currently trying to enable IPv6 multicast forwarding on my FreeBSD
> home gateway. With both pim6sd and xorp I had the problem that MLD (IGMP
> for IPv6) from clients did not come through to the appropriate daemon
> and therefore groups are never subscribed.
>
> This seems to be a problem with pf. When I disable pf with "pfctl -d" it
> works like a charm; when I enable pf again, even with the simple ruleset
>
>   pass all

Does your setup include a 6to4 (stf(4)) device? If so, then you should move to a RELENG_5 with pf_if.c rev. 1.5.2.2 (you can simply move that one file).

To debug a problem like this you should use a ruleset like:

  block log all
  pass all

and watch pflog with tcpdump. It'll give you information on why a packet is dropped. Increasing the verbosity of pf's debug facilities might also be helpful:

  # pfctl -xm

> it breaks. I've uploaded a sample of an MLD packet to
>
>   http://www.birkenwald.de/~berni/tmp/mld.dump
>
> FreeBSD heimdall.birkenwald.de 5.3-STABLE FreeBSD 5.3-STABLE #0: Wed Nov
> 24 00:48:49 CET 2004

pf_if.c went in "Nov 24 16:57:32 2004 UTC", so you might have missed it.
> root@heimdall.birkenwald.de:/usr/obj/usr/src/sys/HEIMDALL i386

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 4 19:13:10 2004
From: Bernhard Schmidt
To: Max Laier
cc: freebsd-pf@freebsd.org
Date: Sat, 04 Dec 2004 20:13:06 +0100
In-Reply-To: <200412041958.11601.max@love2party.net>
Message-Id: <1102187586.12613.28.camel@cholera>
Subject: Re: IPv6 MLD packets
blocked

Hi,

> > I'm currently trying to enable IPv6 multicast forwarding on my FreeBSD
> > home gateway. With both pim6sd and xorp I had the problem that MLD (IGMP
> > for IPv6) from clients did not come through to the appropriate daemon
> > and therefore groups are never subscribed.
> >
> > This seems to be a problem with pf. When I disable pf with "pfctl -d" it
> > works like a charm; when I enable pf again, even with the simple ruleset
> >
> >   pass all
>
> Does your setup include a 6to4 (stf(4)) device? If so then you should move to
> a RELENG_5 with pf_if.c, rev. 1.5.2.2. (you can simply move that one file).

No, but several gif interfaces. The interface I have trouble receiving MLD messages on is a plain Ethernet one, vr(4).

> To debug a problem like this you should use a ruleset like:
>
>   block log all
>   pass all
>
> and watch pflog on tcpdump. It'll give you information why a packet is
> dropped.

No packets are dropped according to tcpdump, but it still doesn't work.

> Increasing the verbosity of pf's debug facilities might also be
> helpful: # pfctl -xm

Should that help when no packets are dropped? I can see no obvious error messages in syslog. Even setting the debug level to 'loud' doesn't give me anything.

I would assume that pf is dropping because of the router alert option set in MLD messages (see the dump).

> pf_if.c went in "Nov 24 16:57:32 2004 UTC" so you might have missed it.

No changes for != stf, right?
Bernhard

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 4 20:03:25 2004
Date: Sat, 4 Dec 2004 21:03:13 +0100
From: Daniel Hartmeier
To: Bernhard Schmidt
cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 MLD packets blocked
Message-ID: <20041204200312.GE32076@insomnia.benzedrine.cx>

On Sat, Dec 04, 2004 at 02:34:03AM +0000, Bernhard Schmidt wrote:
> http://www.birkenwald.de/~berni/tmp/mld.dump

The decoded packet looks sane:

  Dec 04 03:32:09.031473 0:e0:18:f4:5c:37 33:33:0:0:88:88 86dd 86:
  fe80::2e0:18ff:fef4:5c37 > ff1e::8888: HBH (rtalert: 0x0000) icmp6:
  multicast listener report max resp delay: 0 addr: ff1e::8888 [hlim 1] (len 32)
  0000: 6000 0000 0020 0001 fe80 0000 0000 0000  `.... ..þ.......
  0010: 02e0 18ff fef4 5c37 ff1e 0000 0000 0000  .à.ÿþô\7ÿ.......
  0020: 0000 0000 0000 8888 3a00 0502 0000 0100  ........:.......
  0030: 8300 f7d1 0000 0000 ff1e 0000 0000 0000  ..÷Ñ....ÿ.......
  0040: 0000 0000 0000 8888                      ........

  IPv6 header (ip6_hdr)
    ip6_flow    0x6000 0000
    ip6_plen    0x0020
    ip6_nxt     0x00 (IPPROTO_HOPOPTS)
    ip6_hlim    0x01
    ip6_src     0xfe80 0000 0000 0000 02e0 18ff fef4 5c37
    ip6_dst     0xff1e 0000 0000 0000 0000 0000 0000 8888

  Extension header (ip6_ext)
    ip6e_nxt    0x3a (IPPROTO_ICMPV6)
    ip6e_len    0x00 (8 bytes)
    ip6_opt
      ip6o_type   0x05 (IP6OPT_ROUTER_ALERT)
      ip6o_len    0x02
      ip6or_value 0x0000 (IP6_ALERT_MLD)

  ICMPv6 (icmp6_hdr)
    icmp6_type  0x83 (MLD_LISTENER_REPORT)
    icmp6_code  0x00
    icmp6_cksum 0xf7d1
    (mld_hdr)
      mld_maxdelay 0x0000
      mld_reserved 0x0000
      mld_addr     0xff1e 0000 0000 0000 0000 0000 0000 8888

This should not be dropped; at least I can't spot where it would be.

Can you make sure that you don't get _anything_ in /var/log/messages with pfctl -xm when such a packet is dropped?

If you compare the pfctl -si counters before and after a drop, do any of them increase?

This makes sure we're looking in the right places. Thanks.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 4 20:24:46 2004
From: Bernhard Schmidt
To: Daniel Hartmeier
cc: freebsd-pf@freebsd.org
Date: Sat, 04 Dec 2004 21:24:42 +0100
In-Reply-To: <20041204200312.GE32076@insomnia.benzedrine.cx>
Message-Id: <1102191882.12613.39.camel@cholera>
Subject: Re: IPv6 MLD packets blocked

Hi,

> > http://www.birkenwald.de/~berni/tmp/mld.dump
>
> The decoded packet looks sane:
[...]
> This should not be dropped, at least I can't spot where it would be.
>
> Can you make sure that you don't get _anything_ in /var/log/messages with
> pfctl -xm when such a packet is dropped?

Nothing. I kept it running that way and the only kernel messages I got so far are

  Dec 4 20:16:51 heimdall kernel: pf_map_addr: selected address 62.245.160.121

with my regular ruleset, which is probably NATing or something like that.

> If you compare pfctl -si counter before and after a drop, do any of
> them increase?

I'll have to offload some traffic from the box; unfortunately it has the PPP connection (to my provider) and no display. I could disconnect PPP, but I would still have ssh (probably counting). I can say though that the following counters

  bad-offset    0    0.0/s
  fragment      4    0.0/s
  short         158  0.0/s
  normalize     0    0.0/s
  memory        8    0.0/s

do not increase when a report is dropped. I can say quite surely that the match counter doesn't increase either (I ran the command before and after I sent a packet; if the update of the counter is sufficiently fast, it is not in there) and that there is no state for this packet.

BTW, I've opened a PR for that, misc/74683

Bernhard
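The MLD report that Daniel Hartmeier decoded by hand above can also be checked in code. What follows is an added example, not code from the thread or from pf: it walks the IPv6 extension-header chain to the ICMPv6 payload, reads the Hop-by-Hop Router Alert option, recomputes the ICMPv6 checksum over the pseudo-header (which must come out to the 0xf7d1 in the dump), and applies the on-the-wire checks MLD requires (link-local source, hop limit 1, Router Alert present). The packet bytes are the tcpdump hex from the thread; the function and field names are my own.

```python
"""Walk an IPv6 packet's extension-header chain to its ICMPv6/MLD payload,
read the Hop-by-Hop Router Alert option and recompute the ICMPv6 checksum.
Added example, not pf's code; MLD_DUMP is the hex dump from the thread."""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_ICMPV6 = 0, 43, 60, 58
IP6OPT_PAD1, IP6OPT_ROUTER_ALERT = 0, 5
MLD_TYPES = {130: "MLD_LISTENER_QUERY", 131: "MLD_LISTENER_REPORT", 132: "MLD_LISTENER_DONE"}

# The 72 bytes after the Ethernet header, copied from the tcpdump output above.
MLD_DUMP = bytes.fromhex(
    "60000000 00200001 fe800000 00000000"
    "02e018ff fef45c37 ff1e0000 00000000"
    "00000000 00008888 3a000502 00000100"
    "8300f7d1 00000000 ff1e0000 00000000"
    "00000000 00008888"
)


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmp6_checksum(src: bytes, dst: bytes, icmp6: bytes) -> int:
    """ICMPv6 checksum over the IPv6 pseudo-header plus the message, whose own
    checksum field the caller has zeroed (RFC 4443 section 2.3)."""
    pseudo = src + dst + struct.pack("!I", len(icmp6)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    return (~_ones_complement_sum(pseudo + icmp6)) & 0xFFFF


def parse_hbh_options(body: bytes) -> list:
    """TLV options of a Hop-by-Hop header: Pad1 is one byte, all others are type, len, value."""
    opts, i = [], 0
    while i < len(body):
        t = body[i]
        if t == IP6OPT_PAD1:
            i += 1
            continue
        ln = body[i + 1]
        opts.append((t, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return opts


def parse_mld(pkt: bytes) -> dict:
    """Decode down to the MLD message and report what a filter would look at."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    if len(pkt) != 40 + plen:
        raise ValueError("payload length does not match packet size")
    src, dst = pkt[8:24], pkt[24:40]
    off, chain, router_alert = 40, [nxt], None
    # Variable-length extension headers carry their length in 8-octet units,
    # excluding the first 8.  (Fragment headers are fixed-size; not handled here.)
    while nxt in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
        hdr_len = (pkt[off + 1] + 1) * 8
        if nxt == IPPROTO_HOPOPTS:
            for t, v in parse_hbh_options(pkt[off + 2:off + hdr_len]):
                if t == IP6OPT_ROUTER_ALERT and len(v) == 2:
                    router_alert = struct.unpack("!H", v)[0]   # 0 means MLD
        nxt, off = pkt[off], off + hdr_len
        chain.append(nxt)
    if nxt != IPPROTO_ICMPV6:
        raise ValueError("upper layer is not ICMPv6")
    icmp6 = pkt[off:]
    if len(icmp6) < 24:
        raise ValueError("truncated MLD message")
    typ, code, csum, max_resp_delay = struct.unpack("!BBHH", icmp6[:6])
    want = icmp6_checksum(src, dst, icmp6[:2] + b"\x00\x00" + icmp6[4:])
    src_addr = ipaddress.IPv6Address(src)
    result = {
        "src": str(src_addr), "dst": str(ipaddress.IPv6Address(dst)), "hlim": hlim,
        "ext_chain": chain, "router_alert": router_alert,
        "icmp6_type": MLD_TYPES.get(typ, typ), "icmp6_code": code,
        "checksum": csum, "checksum_ok": csum == want,
        "max_resp_delay": max_resp_delay, "group": str(ipaddress.IPv6Address(icmp6[8:24])),
    }
    # RFC 2710: MLD is sent from a link-local address with hop limit 1 and a
    # Router Alert option; anything else (or a bad checksum) should not be trusted.
    result["mld_ok"] = (typ in MLD_TYPES and hlim == 1 and src_addr.is_link_local
                        and router_alert == 0 and result["checksum_ok"])
    return result


if __name__ == "__main__":
    for k, v in parse_mld(MLD_DUMP).items():
        print("%-15s %s" % (k, v))
```

Running it on the dump reports a well-formed listener report for ff1e::8888 with a valid checksum, which agrees with Daniel's reading that nothing in the packet itself gives pf a reason to drop it; flipping any byte makes checksum_ok go false, so the same routine doubles as a quick integrity check on captured MLD traffic.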
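Returning to Daniel Hartmeier's explanation of pf on a FreeBSD bridge earlier in this digest, the failure he describes can be played through in code. The following is an added example, not pf's code: a toy model of last-matching rules, 'keep state' and floating-state lookup (a packet matches a state only if both its address tuple and its direction agree with the state's forward or reverse side), run over a TCP three-way handshake crossing a two-port bridge (xl0 <-> xl1) with his 'pass quick on xl1 / block all / pass in on xl0 ... keep state' ruleset. Sequence-number tracking is left out; the peer addresses, the handshake-stage bookkeeping and all names are my own.

```python
"""Toy model of pf state lookup on a two-port bridge (xl0 <-> xl1).  Added
example, not pf's code: it replays why a state created by 'pass in on xl0
... keep state' never completes when the bridge only hooks inbound packets.
Sequence-number tracking is omitted; addresses and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Pkt:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out", relative to that interface
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags: "S", "SA" or "A"

@dataclass
class State:
    direction: str   # direction of the packet that created the state
    key: tuple       # (src, sport, dst, dport) of that packet: the "forward" side
    stage: str = "SYN_SENT"

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    keep_state: bool = False
    quick: bool = False

class PfToy:
    """Last-matching rule evaluation ('quick' stops), floating states."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: List[State] = []

    def _lookup(self, p: Pkt):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        for s in self.states:
            # Floating state: the interface is ignored, but tuple and direction
            # must line up.  A reply arriving "in" on the other port has the
            # reversed tuple *and* the same direction, so it does not match.
            if s.key == fwd and p.direction == s.direction:
                return s, "fwd"
            if s.key == rev and p.direction != s.direction:
                return s, "rev"
        return None, None

    def filter(self, p: Pkt):
        """Return (verdict, how) with how in {"state", "rule"}."""
        s, side = self._lookup(p)
        if s is not None:
            if s.stage == "SYN_SENT" and side == "rev" and p.flags == "SA":
                s.stage = "SYN_RCVD"
            elif s.stage == "SYN_RCVD" and side == "fwd" and p.flags == "A":
                s.stage = "ESTABLISHED"
            return "pass", "state"
        verdict, last = "pass", None   # pf passes by default when no rule matches
        for r in self.rules:
            if (r.direction and r.direction != p.direction) or (r.iface and r.iface != p.iface):
                continue
            verdict, last = r.action, r
            if r.quick:
                break
        if verdict == "pass" and last is not None and last.keep_state:
            self.states.append(State(p.direction, (p.src, p.sport, p.dst, p.dport)))
        return verdict, "rule"

# Daniel's ruleset: pass quick on xl1 / block all / pass in on xl0 proto tcp ... keep state
DANIEL_RULES = [
    Rule("pass", iface="xl1", quick=True),
    Rule("block"),
    Rule("pass", direction="in", iface="xl0", keep_state=True),
]

def bridge_handshake(rules: List[Rule], outbound_hook: bool):
    """Push SYN, SYN+ACK and ACK through the bridge.  With outbound_hook=False pf
    only sees packets coming *in* on a port (the thread's situation).  Returns
    the final stage of the state (None if none was created) and a decision log."""
    pf = PfToy(rules)
    active, passive = ("10.0.0.1", 40000), ("10.0.1.1", 80)   # constructed peers
    segments = [(active, passive, "S", "xl0", "xl1"),
                (passive, active, "SA", "xl1", "xl0"),
                (active, passive, "A", "xl0", "xl1")]
    log = []
    for src, dst, flags, in_if, out_if in segments:
        verdict, how = pf.filter(Pkt(in_if, "in", src[0], src[1], dst[0], dst[1], flags))
        log.append((in_if, "in", flags, verdict, how))
        if verdict == "block":
            continue
        if outbound_hook:
            verdict, how = pf.filter(Pkt(out_if, "out", src[0], src[1], dst[0], dst[1], flags))
            log.append((out_if, "out", flags, verdict, how))
    return (pf.states[0].stage if pf.states else None), log

if __name__ == "__main__":
    for hook in (False, True):
        print("outbound hook:", hook, "->", bridge_handshake(DANIEL_RULES, outbound_hook=hook))
```

Without the outbound hook every segment is passed, but the SYN+ACK arriving in on xl1 is passed by the 'pass quick on xl1' rule rather than by the state, so the state stays at SYN_SENT forever, which is exactly the symptom in the thread (and with pf's real sequence-number tracking the later segments would be dropped rather than passed). With both hooks the SYN+ACK is seen out on xl0, matches the reverse side of the state, and the handshake completes.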