From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 18 Jul 2005 11:02:22 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p  [2005/05/19] ia64/81284  pf     Unaligned Reference with pf on 5.4/IA64
o  [2005/06/15] kern/82271  pf     cbq scheduler cause bad latency

2 problems total.

Non-critical problems
S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
p  [2005/05/04] kern/80627  pf     pf_test6: kif == NULL ...
o  [2005/05/15] conf/81042  pf     /etc/pf.os doesn't match FreeBSD 5.3->5.4

2 problems total.


From: "Boris Staeblow"
To: freebsd-pf@FreeBSD.org
Date: Mon, 18 Jul 2005 13:50:08 +0200
Subject: Re: kern/77308: ALTQ doesn't seem to be working on tun0

The following reply was made to PR kern/77308; it has been noted by GNATS.

Hello,

I have the same problem here! Even 50% upload bandwidth limitation will result in a massive drop of the download rate.

My setup:
- ADSL 6000/576
- userland ppp
- FreeBSD 5-STABLE
- pf with ALTQ and priq queueing on the tun-device

Boris Staeblow


From: Brad Bendy
To: freebsd-pf@freebsd.org
Date: Mon, 18 Jul 2005 14:41:11 -0700
Subject: Multiple subnets

Hello-

I am wondering how I would go about having multiple WAN subnets coming over one ethernet interface, basically bridge mode I guess, then have firewall rulesets based on the destination IP. Right now I use m0n0wall with one WAN subnet, but I need to expand to have multiple CIDR blocks from my provider. I know there has to be a way to do this, but not sure how. Any help/links would be great!

Thanks
Brad


From: "Christopher D. Lewis"
To: alex-bsd@yandex.ru
Cc: freebsd-pf@freebsd.org
Date: Mon, 18 Jul 2005 23:26:22 -0500
Subject: Re: PF & BLOCK MP3 (AVI)

On Jul 14, 2005, at 2:11 PM, alex-bsd wrote:

> On a gateway for a local network in rules of firewall it is possible to add a following line:
>
>     -A FORWARD -s 192.168.x.x -p tcp -m string --string ".mp3" -j DROP
>
> If the internal client of this network requests a resource with name containing ".mp3" he will not receive the answer (www.mp3.com, www.music.com/Mozart.mp3, etc.). Accordingly similar is possible to make with words "porno" "avi" and etc.
>
> I do not consider that it is 100 % protection against downloading (from internet) by users mp3 files.

Not only is it not 100% protection, but the cost of doing this is astronomical, requiring serious changes to how the kernel handles packets (e.g., the kernel reassembles the packets), the RAM required to run pf (you could be simultaneously reassembling a large number of packets, which could include a large number of maliciously crafted packets whose transmissions are never actually completed by the attacker), and the security of the system (DoS is facilitated by the dramatic resource consumption of the proposed feature). The request for www.music.com/mozart.mp3 is not guaranteed to be contained in a single packet. You would have to assemble whole streams of packets to conduct the investigation your proposed rule would require in order to operate in every case, rather than only in the occasional case in which ".mp3" happened to occur in a single packet. This does not mean the packet might not get fragmented by the time your firewall sees it, though.

I think the reasons for omitting this sort of "feature" in a firewall have been adequately discussed on pf-related lists. Using your firewall to restrict access to DNS servers other than the one containing your whitelisted sites might be a strategy, or using proxies to conduct filtering on streams, but cramming this into the kernel is an invitation for in-kernel bugs, denial of service, loss of use of hardware that used to be able to run your pf-containing OS but cannot with new resource consumption, and as you so eloquently state you still don't really stop this, you just invite attackers (or authors of filesharing apps, or whomever) to write around your new filter strategy.

On the other hand, if you are willing to risk $500, Daniel has said he is game to test just how effective the feature is :-)

Best regards,
Chris


From: "Craig - AUS.SHop"
Date: Tue, 19 Jul 2005 17:50:03 +1000
Subject: RE: Multiple subnets

Hi Brad,

I am new to freebsd-pf, however my decision to use it was based on exactly your predicament. After a bit of head scratching and Googling, I now have a 5.4 box with 4 interfaces (2 x WAN + 2 x LAN). My WANs are PPPoE and my LANs are both public IP blocks (a /29 and a /27). I have a second firewall on one of the IPs which does NAT for another private LAN.

My pf ruleset allows unrestricted traffic across the LANs, which is important since you don't want to be "talking" across the two WANs when the boxes are all in the same room. Filtering is done on inbound on the two WANs (tun0 and tun1 in my case). I use the reply-to feature on these pass rules to ensure that replies go out the same interface that the request came from. Outbound traffic from each subnet is directed out the appropriate WAN by passing in on the LAN interfaces with the route-to feature directing to the appropriate WAN interface. Happy to give you some examples if you want them.

I don't know about doing it all on one WAN interface, but if your provider is happy to route both subnets over the one endpoint, then I can't see that it would be an issue. I wanted the additional bandwidth rather than the extra IPs, so it was important for me to keep the WAN interfaces separate.

Good luck
Craig


From: "Constant, Benjamin"
To: 'Max Laier'
Cc: freebsd-pf@freebsd.org
Date: Tue, 19 Jul 2005 13:01:16 +0200
Subject: RE: ALTQ support on bge interface?

Hi,

I finally patched my RELENG_5 system and compiled the stuff without any problem. My configuration is using the cbq algorithm and traffic is correctly assigned to the queues. I don't know if there are specific areas that I should test, but as far as I can see it sounds quite good.

Thanks,
Benjamin Constant

> -----Original Message-----
> From: Max Laier [mailto:max@love2party.net]
> Sent: Thursday 14 July 2005 22:32
> To: freebsd-pf@freebsd.org
> Cc: Florian C. Smeets; Constant, Benjamin
> Subject: Re: ALTQ support on bge interface?
>
> On Monday 11 July 2005 13:32, Florian C. Smeets wrote:
> > > As it is quite often used (e.g.: HP DL380 server), are there any plans to support ALTQ on bge interface?
> >
> > bge has altq support in -CURRENT but it seems that it was never merged back to RELENG_5.
>
> Here is a patch relative to RELENG_5. Please take it for a spin and let me know if it works reliably.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This communication is from TI Automotive.
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 19 12:34:12 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51CD416A41F for ; Tue, 19 Jul 2005 12:34:12 +0000 (GMT) (envelope-from kl@vsen.dk) Received: from www.EnableIT.dk (r2d2.enableit.dk [195.35.83.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id B181143D46 for ; Tue, 19 Jul 2005 12:34:11 +0000 (GMT) (envelope-from kl@vsen.dk) Received: from localhost (localhost [127.0.0.1]) by www.EnableIT.dk (Postfix) with ESMTP id 8C054600EB for ; Tue, 19 Jul 2005 14:40:30 +0200 (CEST) Received: from [192.168.10.51] (gw02.telmore.dk [62.242.232.132]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by www.EnableIT.dk (Postfix) with ESMTP id 6C955558D for ; Tue, 19 Jul 2005 14:40:28 +0200 (CEST) Message-ID: <42DCF377.6020407@vsen.dk> Date: Tue, 19 Jul 2005 14:35:03 +0200 From: Klavs Klavsen User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050329) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <42D376E6.7090708@vsen.dk> In-Reply-To: <42D376E6.7090708@vsen.dk> X-Enigmail-Version: 0.90.2.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at EnableIT.dk Subject: Re: preempt not working? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jul 2005 12:34:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Everyone has carp.preempt working? Do I need to use ifstated instead of carp.preempt - or perhaps it is required, for preempt to work somehow? 
If anyone can point me to a doc that deals with preempt - I'd be very happy. The manual doesn't :( on 07/12/05 09:53 Klavs Klavsen wrote: > Hi guys, > > Am I misunderstanding the meaning of preempt? > > I have a test setup in vmware - and it looks like this: > > fw09# ifconfig > lnc0: flags=108943 mtu 1500 > inet 192.168.11.209 netmask 0xffff0000 broadcast 192.168.255.255 > inet6 fe80::20c:29ff:fe80:e1a7%lnc0 prefixlen 64 scopeid 0x1 > ether 00:0c:29:80:e1:a7 > lnc1: flags=108943 mtu 1500 > inet 10.0.0.9 netmask 0xffffff00 broadcast 10.0.0.255 > inet6 fe80::20c:29ff:fe80:e1b1%lnc1 prefixlen 64 scopeid 0x2 > ether 00:0c:29:80:e1:b1 > lnc2: flags=108943 mtu 1500 > inet 172.16.1.9 netmask 0xffffff00 broadcast 172.16.1.255 > inet6 fe80::20c:29ff:fe80:e1bb%lnc2 prefixlen 64 scopeid 0x3 > ether 00:0c:29:80:e1:bb > plip0: flags=108810 mtu 1500 > lo0: flags=8049 mtu 16384 > inet 127.0.0.1 netmask 0xff000000 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 > pflog0: flags=141 mtu 33208 > pfsync0: flags=41 mtu 1348 > pfsync: syncif: lnc2 maxupd: 128 > carp0: flags=41 mtu 1500 > inet 192.168.11.208 netmask 0xffffffff > carp: BACKUP vhid 1 advbase 1 advskew 0 > carp1: flags=41 mtu 1500 > inet 10.0.0.1 netmask 0xffffff00 > carp: BACKUP vhid 2 advbase 1 advskew 0 > carp2: flags=41 mtu 1500 > inet 172.16.1.8 netmask 0xffffff00 > carp: BACKUP vhid 3 advbase 1 advskew 0 > carp3: flags=41 mtu 1500 > inet 192.168.11.210 netmask 0xffffffff > carp: MASTER vhid 4 advbase 1 advskew 0 > fw09# sysctl -a | grep pree | grep -v 118 > net.inet.carp.preempt: 1 > > carp3 is master, because carp3 on the secondary isn't up. As I > understand the preempt flag, that should result in this host taking over > MASTER for all carp interfaces. 
The other host has an anskew of a 100 > (as it is default secondary) - but it still stays MASTER for carp0,1 and > 2 :( > - -- Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62 "Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFC3PN2PToLeX4GPGIRAi52AKCYXR9a8IHHW4VMGYmcWpb6Dd3l+ACgtdLn GJLFQZnMm7TIJ2LB3ZWeeFw= =43b1 -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Tue Jul 19 14:52:12 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E80A616A421 for ; Tue, 19 Jul 2005 14:52:12 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DD6143D4C for ; Tue, 19 Jul 2005 14:52:12 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by rproxy.gmail.com with SMTP id f1so1621065rne for ; Tue, 19 Jul 2005 07:51:59 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DoaHTRTQJ3jrE9YTgu/vN9TY66tIO9bRZSisdpsW5zHTSvUWpqhwCsiOowcPaIW4ty5rpwlmd4RHSgu9rn8YaJ7RyN4i+ALVUpvZSLqPO70h22oOTE1GZvL4ai7/kpWYI1JStjDbH8t0zAPRQBfgkKgBV9/MlMXsEVV9IaKoSAU= Received: by 10.38.12.74 with SMTP id 74mr2866746rnl; Tue, 19 Jul 2005 07:51:59 -0700 (PDT) Received: by 10.38.207.79 with HTTP; Tue, 19 Jul 2005 07:51:59 -0700 (PDT) Message-ID: Date: Tue, 19 Jul 2005 10:51:59 -0400 From: Scott Ullrich To: Klavs Klavsen In-Reply-To: <42DCF377.6020407@vsen.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable 
Content-Disposition: inline References: <42D376E6.7090708@vsen.dk> <42DCF377.6020407@vsen.dk> Cc: freebsd-pf@freebsd.org Subject: Re: preempt not working? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Scott Ullrich List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jul 2005 14:52:13 -0000 On 7/19/05, Klavs Klavsen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 >=20 > Everyone has carp.preempt working? >=20 > Do I need to use ifstated instead of carp.preempt - or perhaps it is > required, for preempt to work somehow? >=20 > If anyone can point me to a doc that deals with preempt - I'd be very > happy. The manual doesn't :( Preempt currently works just fine with FreeBSD 6. What version are you run= ning? Give http://www.countersiege.com/doc/pfsync-carp/ a look. It govers over preempt a bit. Scott From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 05:46:45 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7C8C16A41F for ; Wed, 20 Jul 2005 05:46:45 +0000 (GMT) (envelope-from d_a_d_a_sh@yahoo.com) Received: from web32401.mail.mud.yahoo.com (web32401.mail.mud.yahoo.com [68.142.207.194]) by mx1.FreeBSD.org (Postfix) with SMTP id 5FFCA43D46 for ; Wed, 20 Jul 2005 05:46:45 +0000 (GMT) (envelope-from d_a_d_a_sh@yahoo.com) Received: (qmail 68434 invoked by uid 60001); 20 Jul 2005 05:46:44 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=RqUIpVGkrMHbBK/zqQLcRfJFXV38/8YKIIDd6OSy4/of4i6/mYoz2jnNI88o96TI0epMFo+eiOt5yBEZCnoQDClL5f3lOJB63gFxbl7KVD0W9buZtwub/X7o19YX0XJ22sCAyIDchS002N9ZrNaokKLOgtz+v81LZKYyYWYeg3I= ; Message-ID: 
<20050720054644.68432.qmail@web32401.mail.mud.yahoo.com> Received: from [217.218.230.2] by web32401.mail.mud.yahoo.com via HTTP; Tue, 19 Jul 2005 22:46:44 PDT Date: Tue, 19 Jul 2005 22:46:44 -0700 (PDT) From: Pejman Moghadam To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: NAT problem with icmp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jul 2005 05:46:46 -0000 Hi, Here is simple explanation : This is my pf.conf extif="{ ed0 }" extip="{ (ed0) }" table { 192.168.1.0/24 } nat on $extif from to any -> $extip pass all I want to ping from my lan stations to a public dns server like 192.9.9.3 look at my state table: # pfctl -ss self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0 take a look to icmp traffic: internal interface : # tcpdump -c 10 -i dc0 -nq icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes 10:00:51.538006 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37394 10:00:51.671439 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43538 10:00:52.199114 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37650 10:00:52.538007 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37650 10:00:52.672876 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43794 10:00:53.210683 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37906 10:00:53.554918 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37906 10:00:53.674441 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 44050 10:00:54.212218 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 38162 10:00:54.551131 IP 192.9.9.3 > 192.168.1.18: 
icmp 40: echo reply seq 38162 10 packets captured 26 packets received by filter 0 packets dropped by kernel external interface: # tcpdump -c 10 -i ed0 -nq icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ed0, link-type EN10MB (Ethernet), capture size 96 bytes 10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419 10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275 10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275 10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675 10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531 10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531 10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931 10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787 10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787 10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187 10 packets captured 12 packets received by filter 0 packets dropped by kernel The problem is : I can pinging to 192.9.9.3 from only one of my stations.(192.168.1.18) Other stations show "Request timed out." So... is there any problem with nating icmp packects in pf ? Or this is just my mistake in pf.conf Thanks in advance __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 07:38:41 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E9B016A41F for ; Wed, 20 Jul 2005 07:38:41 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACF9943D49 for ; Wed, 20 Jul 2005 07:38:40 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id B127225249D for ; Wed, 20 Jul 2005 08:38:37 +0100 (BST) From: "Greg Hennessy" To: Date: Wed, 20 Jul 2005 08:38:37 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcWM8IrhFsO4SbVkTIyvTLUEEEvhNQADC3oA X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 In-Reply-To: <20050720054644.68432.qmail@web32401.mail.mud.yahoo.com> Message-Id: <20050720073837.AA41F1C@gw2.local.net> Subject: RE: NAT problem with icmp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jul 2005 07:38:41 -0000 > Hi, > Here is simple explanation : > This is my pf.conf > > extif="{ ed0 }" > extip="{ (ed0) }" > table { 192.168.1.0/24 } > nat on $extif from to any -> $extip pass all The syntax for the nat statement above doesn't look right. > I want to ping from my lan stations to a public dns server > like 192.9.9.3 look at my state table: You need to add a pass rule on the inside interface to make it so. 
At the very least your packet filtering policy should consist of the following in addition to what you have above. ICMP="inet proto icmp" KS="keep state" intif="dc0" . . set block-policy return # # If using CURRENT otherwise use the pass rule below. set skip on lo0 . . . block log all # on 5.x instead of 'set skip' pass on lo0 all keep state # pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS Make sure you have routing enabled as appropriate. Greg From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 08:53:13 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7651D16A41F for ; Wed, 20 Jul 2005 08:53:13 +0000 (GMT) (envelope-from aalesina@yahoo.com) Received: from web32602.mail.mud.yahoo.com (web32602.mail.mud.yahoo.com [68.142.207.229]) by mx1.FreeBSD.org (Postfix) with SMTP id 0B7A043D46 for ; Wed, 20 Jul 2005 08:53:12 +0000 (GMT) (envelope-from aalesina@yahoo.com) Received: (qmail 40262 invoked by uid 60001); 20 Jul 2005 08:53:12 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=eehPU1SqBSYSJvXQDD3qMjKxPyRUgBmGkAdfCphtqZvVzRLTlJOSFYeoZskEP2E+omDkAkZzCL1IpVcS4DgPRaxFErOw0gxNstbqjzMH36Ntlaz8GNqw8Bsl+8zTVs7bC5ysJVLSYwXCPXVrsaUwcoz+hP79gu5JSs3c94aFu0c= ; Message-ID: <20050720085312.40260.qmail@web32602.mail.mud.yahoo.com> Received: from [24.6.214.44] by web32602.mail.mud.yahoo.com via HTTP; Wed, 20 Jul 2005 01:53:11 PDT Date: Wed, 20 Jul 2005 01:53:11 -0700 (PDT) From: Alberto Alesina To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: PF NAT and DNS X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions 
about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jul 2005 08:53:13 -0000 Hi all, Does PF NAT have support for DNS ALG as described in RFC 2694 - DNS extensions to "Network Address Translators" (changing IP addresses in DNS payloads for certain DNS traffic types based on NAT entries)? If not, what is the PF recommended way for avoiding issues with DNS/NAT when the DNS server and DNS clients are on different sides of the NAT? Thanks a lot, Alberto Alesina __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 10:24:22 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4AF6D16A41F for ; Wed, 20 Jul 2005 10:24:22 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from postfix4-2.free.fr (postfix4-2.free.fr [213.228.0.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id C835343D46 for ; Wed, 20 Jul 2005 10:24:21 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-2.free.fr (Postfix) with ESMTP id 06F033220D8; Wed, 20 Jul 2005 12:24:21 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id E0EDF405B; Wed, 20 Jul 2005 12:24:11 +0200 (CEST) Date: Wed, 20 Jul 2005 12:24:11 +0200 From: Jeremie Le Hen To: Alberto Alesina Message-ID: <20050720102411.GU39292@obiwan.tataz.chchile.org> References: <20050720085312.40260.qmail@web32602.mail.mud.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050720085312.40260.qmail@web32602.mail.mud.yahoo.com> User-Agent: Mutt/1.5.9i Cc: freebsd-pf@freebsd.org Subject: 
Re: PF NAT and DNS

Hi Alberto,

> Does PF NAT have support for DNS ALG as described in
> RFC 2694 - DNS extensions to "Network Address
> Translators" (changing IP addresses in DNS payloads
> for certain DNS traffic types based on NAT entries)?

AFAIK, no, this is not supported, and this is not planned to be.

> If not, what is the PF recommended way for avoiding
> issues with DNS/NAT when the DNS server and DNS
> clients are on different sides of the NAT?

I would advise you to create a DNS server for the internal side. Another solution that I'm currently using (but it may not be applicable in your case) is to move the DNS server into the internal network. Then I use Bind9's zones to make a different reply depending on whether the request is coming from the internal network or from the Internet.
Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From: Michael Dexter
Date: Wed, 20 Jul 2005 16:28:13 +0300
Subject: 5.x ipdivert.ko with pf and natd?

Hello,

I did not succeed with this question on the main questions list.

I would like to use natd with packet filter under FreeBSD 5.4. The rc.conf man page states that I want:

natd_enable="YES"

and that "if the kernel was not built with options IPDIVERT, the ipdivert.ko kernel module will be loaded."
Unfortunately, the module ipdivert.ko does not appear to exist in /boot/kernel/ ... but I do see it in the 6.x filesystem. I tried building a kernel with:

options IPDIVERT

and that did not appear to produce the module (it depends on ipfw, though I want to use pf?). I do however see the source in:

/usr/src/sys/netinet/ip_divert.c

1. Am I overlooking the prebuilt module in 5.x?
2. Can I simply build the module on its own without a full buildkernel?
3. Given that buildkernel did not produce it, how can I produce it?

Best regards,
Michael Dexter

From: Max Laier
Date: Wed, 20 Jul 2005 15:38:29 +0200
Subject: Re: 5.x ipdivert.ko with pf and natd?
On Wednesday 20 July 2005 15:28, Michael Dexter wrote:
> I would like to use natd with packet filter under FreeBSD 5.4.

Why? What does natd provide that PF's internal NAT engine does not?

Note that PF does not provide any means of using divert sockets. In order to use natd you have to use IPFW.

Let us know what you are trying to achieve in the end and I am about sure we can tell you how to do it without natd altogether.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
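What Max's answer looks like in practice, as an added example for this archive (it is not configuration Max, Michael or the pf project posted): the outbound address translation that natd would provide, written as pf's own nat rule, plus one inbound redirect of the kind natd's -redirect_port would do. The interface names fxp0/fxp1, the 192.168.1.0/24 LAN and the 192.168.1.10 web server are assumptions.

```pf
# Added example: pf's own NAT engine in place of natd + ipdivert on FreeBSD 5.4.
# Interface names, the LAN prefix and the web server address are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Translate everything leaving the LAN through the external interface to
# whatever address ext_if currently holds. The parentheses make pf re-read
# the address when it changes (DHCP or PPP link), so no reload is needed.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound port forward to an internal host, the counterpart of natd's
# -redirect_port. Only the one port is exposed; nothing else reaches the host.
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.10 port 80

# Translation rules only rewrite addresses; filter rules still decide what
# passes. Filtering happens after translation, so the inbound pass rule
# matches the already-rewritten destination 192.168.1.10, not the
# external address. "keep state" lets pf track the translated connections.
block in on $ext_if
pass out on $ext_if keep state
pass in on $int_if from $int_net to any keep state
pass in on $ext_if proto tcp from any to 192.168.1.10 port 80 flags S/SA keep state
```

In /etc/rc.conf this replaces natd_enable with pf_enable="YES" and pf_rules="/etc/pf.conf"; gateway_enable="YES" is still needed for the box to forward at all. pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -s nat shows the translation rules once loaded.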
From: Greg Hennessy
Date: Wed, 20 Jul 2005 14:39:03 +0100
Subject: RE: 5.x ipdivert.ko with pf and natd?

> I did not succeed with this question on the main questions list.
>
> I would like to use natd with packet filter under FreeBSD 5.4.
>

One has to ask *why*? When pf comes with inbuilt address translation.

Greg

From: alex-bsd
Date: Wed, 20 Jul 2005 21:20:13 +0400 (MSD)
Subject:
Re: PF & BLOCK MP3 (AVI)

I do not completely understand how we can play with Daniel.
In my work I do not use Linux.
Many of my friends use Linux as a gateway.
The presence of this function in IPTABLES is very convenient for them.
This IPTABLES function has been used by them for a long time; no problems connected with the use of this feature have been observed.

The filtering of mp3 files is used to economise on traffic.
Many managers and secretaries use the Internet only for downloading mp3 and avi :)

Content checking is done by them only on the internal interface (checking the client's request).

Would DoS attacks be dangerous if content checking were used ONLY on the local interface?
I doubt that the secretary will start to attack the gateway :)

Instead of a bet, I wish to suggest that the developers create a paid patch to implement this feature. I am ready to pay $50 for it; IMHO I think not only I would buy such a patch (in total it should come to more than $500).

P.S. I hope my offer will not offend the developers.
From: Jeremie Le Hen
Date: Wed, 20 Jul 2005 20:02:33 +0200
Subject: Re: PF & BLOCK MP3 (AVI)

Hi Alex,

> I not absolutely understand, how we can play with Daniel.
> In the work I do not use Linux.
> Many my friends use Linux as gateway.
> Presence this function in IPTABLES is very convenient for them.
> This function IPTABLES is used by them enough for a long time, any
> problems connected with use of this opportunity at them was not observed.
>
> The filtration mp3 files is used for economy of the traffic.
> Many managers and secretaries use Internet only for downloading mp3
> and avi :)
>
> Check of a content is done by them only on the internal interface
> (check inquiry of the client)
>
> Whether will be dangerous DoS attacks if check of a content will be used
> ONLY on the local interface?
> I doubt that the secretary will start to attack gateway:)

You clearly don't understand this topic very well in regard to what you are saying.

- Blocking packets containing the string ".mp3" will block HTTP and DNS requests; this is partly true. But this will also block the webpages that speak of the MP3 format without providing MP3 files to download; this will also block mails that contain the string ".mp3", which means that your users won't be able to exchange private mails speaking of MP3s. There may be some cookies or hash values used in a dynamic website containing the string ".mp3" too; this would prevent you and your users from using them optimally, dropping unexpected random packets in this case. Furthermore, you should know that most AVIs and MP3s are downloaded with P2P, so you should block P2P instead. This is done by only enabling a few authorized ports to go through your firewall (HTTP, DNS, ...).

- Firewalls actually only look at the packet header, which is in the worst case less than 100 bytes. With an MTU of 1500 bytes, making the firewall look at the whole packet will *obviously* decrease performance a lot. While Linux used to have everything and the most crazy things available as kernel patches spread all over the web, BSD used to implement only neat and efficient solutions. The NetFilter ``string'' match is not what we can call a neat and efficient solution (see above).
- Finally, to emphasize the fact that you don't know what you are talking about, filtering on the internal interface won't change things, for two reasons:
  * All traffic from your LAN to the Internet and inversely will go through your firewall anyway.
  * If you were clever enough, you would use your ``string'' match at the bottom of your rules to optimize performance. Even if you are redirecting some ports on your internal network, whether the packet will be dropped or not won't make the difference since the whole packet content will be scanned anyway.

So please, stop pissing us off now, and go use Linux. If you still want to use FreeBSD, please learn to understand what people are telling you and stop feeling that you know everything better than others: when the firewall developer himself tells you that an idea is foolish, there are very good chances that this idea is foolish.

Sorry for being rude, but you went too far this time.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
From: Daniel Hartmeier
Date: Wed, 20 Jul 2005 20:36:01 +0200
Subject: Re: PF & BLOCK MP3 (AVI)

On Wed, Jul 20, 2005 at 09:20:13PM +0400, alex-bsd wrote:
> Presence this function in IPTABLES is very convenient for them.

I'm not sure, but could it be that you over-estimate 'convenience' in this case? Because it appears to be rather simple to add an http proxy to the mix which solves the problem both conveniently AND reliably.

Take squid or Apache mod_proxy; it shouldn't take more than a rainy afternoon to set it up transparently (using pf to rdr all port 80 traffic through it) for blocking requests based on filename regex matching. What's not perfectly convenient about that? This is not a black art that requires hours upon hours of complex installation and configuration. Maybe someone can step in and outline the configuration for you.

If you have the choice between a solid solution that requires two hours of setup and an unreliable hack that takes two minutes, do you really choose the hack? What you're asking for is that a programmer spends two WEEKS worth of time giving you this choice on pf/BSD. Doesn't make sense to me, sorry.
Daniel

From: Greg Hennessy
Date: Wed, 20 Jul 2005 20:47:13 +0100
Subject: RE: PF & BLOCK MP3 (AVI)

>
> Sorry for being rude, but you went too far this time.
>

You weren't rude Jeremie, I would have been even less charitable but you beat me to it.
Greg

From: alex-bsd
Date: Thu, 21 Jul 2005 02:04:15 +0400 (MSD)
Subject: Closed subject "PF & BLOCK MP3 (AVI)"

Hi Daniel & Jeremie

I already closed this theme last week! I just answered yesterday's message.
I have used PF and squid for long enough, and in general I cope with blocking what I want.
If the developers consider that this functionality will negatively affect reliability and safety, it is better for them to know!
I am constantly told that there are many ways to bypass these restrictions! I DO NOT ARGUE WITH THAT!!!!
Certainly, under a restriction on the word mp3 (or any other) an "innocent" site can be blocked.
BSD is a much more conservative OS than Linux; I do not argue with that either.
Far from always do innovations in Linux positively affect the reliability and stability of this OS.
Certainly I choose reliability and stability; for this reason I use BSD. I did not use and I do not plan to use LINUX.

> While Linux used to have everything and most crazy things available as
> kernel patches spread all over the web, BSD used to implement only
> neat and efficient solutions. The NetFilter ``string'' match is not
> what we can call a neat and efficient solution (see above).

This stupid idea is used in a very popular OS, and works normally; my friends did not complain of problems.

I suggest closing this theme at last.

P.S.
> Finally, to emphasize the fact that you don't know what you are talking
> about, filtering on the internal interface won't change things for
> two reasons :

I know English badly, so I could not formulate the question precisely. (The sense is often distorted in translation.)

Good luck in developing the necessary functionality
From: Roger Grosswiler
Date: Thu, 21 Jul 2005 10:24:02 +0200 (CEST)
Subject: Hello

Hi,

i just started with pf. Do you have some online documentation about pf (except the sources on openbsd)?

Thanks for any information

Roger

From: Odhiambo Washington
Date: Thu, 21 Jul 2005 11:57:55 +0300
Subject:
Re: Hello

* On 21/07/05 10:24 +0200, Roger Grosswiler wrote:
> Hi,
>
> i just started with pf. Do you have some online-documentation about the pf
> (except the sources on openbsd)
>
> Thanks for any information
>

Hi Roger,

You can use the OpenBSD FAQ: http://www.openbsd.org/faq/pf/index.html

-Wash

http://www.netmeister.org/news/learn2quote.html
-- 
+======================================================================+
    |\      _,,,---,,_        | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_    | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'   | Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)        | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Shaw's Principle: Build a system that even a fool can use, and only a fool will want to use it.
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 21 Jul 2005 12:37:23 +0200
Subject: Re: Hello

Roger Grosswiler wrote:
> Hi,
>
> i just started with pf.
> Do you have some online-documentation about the pf
> (except the sources on openbsd)
>
> Thanks for any information
>
> Roger
>

A lot of PF related links: https://solarflux.org/pf/

-- 
Miroslav Lachman
Webapplication Developer

From: Aguiar Magalhaes
Date: Thu, 21 Jul 2005 17:48:37 -0300 (ART)
Subject: Bypass squid with transparent proxy

Hi list,

Can the host 192.168.10.100 bypass the squid using transparent proxy?
I have a rule in my pf.conf:

rdr on $dmz_if proto tcp from any to any port $web_ports -> 127.0.0.1 port 3128

Thanks

From: Richard Tector
Date: Fri, 22 Jul 2005 00:21:03 +0100
Subject:
charset=ISO-8859-1; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) H3 (4.0.3) / FreeBSD-5.4 X-Virus-Scanned: by amavisd-new at mx0.thekeelecentre.com Cc: freebsd-pf@freebsd.org Subject: Re: Bypass squid with transparent proxy X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Jul 2005 23:21:15 -0000 Quoting Aguiar Magalhaes : > Can the host 192.168.10.100 bypass the squid using > transparent proxy ? > > I have a rule in my pf.conf: > > rdr on $dmz_if proto tcp from any to any port > $web_ports -> 127.0.0.1 port 3128 > You could try something like: table { 192.168.10.100 } rdr on $dmz_if proto tcp from ! to any port $web_ports -> 127.0.0.1 port 3128 Or without using tables, just: rdr on $dmz_if proto tcp from !192.168.10.100 to any port $web_ports -> 127.0.0.1 port 3128 Regards, Richard From owner-freebsd-pf@FreeBSD.ORG Sat Jul 23 03:52:31 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A7DA16A420 for ; Sat, 23 Jul 2005 03:52:31 +0000 (GMT) (envelope-from d_a_d_a_sh@yahoo.com) Received: from web32407.mail.mud.yahoo.com (web32407.mail.mud.yahoo.com [68.142.207.200]) by mx1.FreeBSD.org (Postfix) with SMTP id C4B3243D49 for ; Sat, 23 Jul 2005 03:52:30 +0000 (GMT) (envelope-from d_a_d_a_sh@yahoo.com) Received: (qmail 51781 invoked by uid 60001); 23 Jul 2005 03:52:30 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; 
From: Pejman Moghadam
To: freebsd-pf@freebsd.org
Date: Fri, 22 Jul 2005 20:52:30 -0700 (PDT)
Subject: RE: NAT problem with icmp

Dear Greg

According to your guide I changed my pf.conf; everything is working very well, but still I can ping a single IP address from only one of my clients. When I stop pinging on that station, another one begins to ping.
please check this out :

#-----------------------------
# Some definitions
extif="{ ed0 }"
extip="{ (ed0) }"
intif="{ dc0 }"
intip="{ (dc0) }"
table { 192.168.1.0/24 }
cache="192.168.1.1"
lan_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
lan_inet_udp="{ 53 161 5632 5000 6970><7170 }"
lan_inet_icmp="{ 192.9.9.3 }"
fw_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
fw_inet_udp="{ 53 161 5632 5000 6970><7170}"
fw_inet_icmp="{ 192.9.9.3 }"
lan_fw_tcp="{ 80 22 3128 20 21 8021 }"
lan_fw_udp="{ 53 161 }"
lan_fw_icmp = "{ self }"
fw_lan_tcp="{ 80 21 20 23 22 }"
fw_lan_udp="{ 53 161 }"
fw_lan_icmp="{ }"
lan_lan_tcp="{ 80 20 21 25 110 23 22 5631 }"
lan_lan_udp="{ 53 161 5632 }"
lan_lan_icmp="{ }"
#inet_fw_tcp
#inet_fw_udp
#inet_fw_icmp
#inet_lan_tcp
#inet_lan_udp
#inet_lan_icmp
#-----------------------------
# normalization incoming packets
scrub in all
#-----------------------------
# nat
nat on $extif from to any -> $extip
# ftp redirect for clients behind the firewall
rdr on $intif inet proto tcp from to ! port 21 -> $intip port 8021
# http redirect local cache
rdr on $intif inet proto tcp from to ! port 80 -> $intip port 3128
# http redirect remote cache
#rdr on $intif inet proto tcp from to ! port 80 -> $cache port 3128
#nat on $intif from to $cache -> $intip
#-----------------------------
# policy
block log all
# anti spoofing
antispoof quick for $intif inet
# loopback
pass quick on lo0 all
#-----------------------------
# LAN -> INET
pass in quick on $intif inet proto icmp from to $lan_inet_icmp keep state
pass in quick on $intif inet proto udp from to any port $lan_inet_udp keep state
pass in quick on $intif inet proto tcp from to any port $lan_inet_tcp flags S/SA modulate state
#-----------------------------
# FW -> INET
pass out quick on $extif inet proto icmp from $extip to $fw_inet_icmp keep state
pass out quick on $extif inet proto udp from $extip to any port $fw_inet_udp keep state
pass out quick on $extif inet proto tcp from $extip to any port $fw_inet_tcp flags S/SA modulate state
#-----------------------------
# LAN -> FW
pass in quick on $intif inet proto icmp from to $lan_fw_icmp keep state
pass in quick on $intif inet proto udp from to $intip port $lan_fw_udp keep state
pass in quick on $intif inet proto tcp from to $intip port $lan_fw_tcp flags S/SA modulate state
#-----------------------------
# FW -> LAN
pass out quick on $intif inet proto icmp from $intip to $fw_lan_icmp keep state
pass out quick on $intif inet proto udp from $intip to any port $fw_lan_udp keep state
pass out quick on $intif inet proto tcp from $intip to any port $fw_lan_tcp flags S/SA modulate state
# for ftp-proxy connections :(
pass out quick on $intif inet proto tcp from $intip to any flags S/SA modulate state
#-----------------------------
# LAN -> LAN
pass in quick on $intif inet proto icmp from to $lan_lan_icmp keep state
pass in quick on $intif inet proto udp from to port $lan_lan_udp keep state
pass in quick on $intif inet proto tcp from to port $lan_lan_tcp flags S/SA modulate state
#-----------------------------
# INET -> FW
# for ftp-proxy connections
pass in quick on $extif inet proto tcp from any port 20 to $extip user proxy flags S/SA modulate state
#-----------------------------
# INET -> LAN
#-----------------------------

and again :

>> The problem is :
>> I can ping 192.9.9.3 from only one of my stations. (192.168.1.18)
>> Other stations show "Request timed out." (192.168.1.19)
>> So... is there any problem with NATing ICMP packets in pf ?
>> Or is this just my mistake in pf.conf

Thanks in advance
Pejman

Greg Hennessy wrote:
> Hi,
> Here is a simple explanation :
> This is my pf.conf
>
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table { 192.168.1.0/24 }
> nat on $extif from to any -> $extip
> pass all

The syntax for the nat statement above doesn't look right.

> I want to ping from my lan stations to a public dns server
> like 192.9.9.3 look at my state table:

You need to add a pass rule on the inside interface to make it so. At the very least your packet filtering policy should consist of the following in addition to what you have above.

ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return
#
# If using CURRENT otherwise use the pass rule below.
set skip on lo0
.
.
.
block log all
# on 5.x instead of 'set skip'
pass on lo0 all keep state
#
pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS

Make sure you have routing enabled as appropriate.

Greg

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
From: Pejman Moghadam
To: freebsd-pf@freebsd.org
Date: Sat, 23 Jul 2005 00:02:29 -0700 (PDT)
Subject: RE :RE: NAT problem with icmp

hi

I found another issue like this in the ipfilter FAQ (http://www.phildev.net/ipf/IPFprob.html#prob11) :

"11. I'm using NAT and I can't ping the same machine on the internet from two different machines on my LAN at the same time :

It isn't possible to map ports on ICMP packets. Hence, once a state table entry is set up to a particular target, only one machine can ping that target until the state table entry expires. For TCP and UDP, portmapping allows simultaneous connections to external targets from multiple machines in the LAN."

is this also right about pf ?

thanks in advance
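The FAQ's point, as an added example that is not code from pf, IPFilter or anyone in this thread: a toy outbound NAT state table keyed the way the FAQ describes, in which TCP/UDP source ports can be remapped but the ICMP echo identifier only when the translator supports it. The firewall's public address 203.0.113.1, the port range and the shared echo identifier 512 are constructed; the station addresses 192.168.1.18/19 and the target 192.9.9.3 are the thread's.

```python
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
EXT_IP = "203.0.113.1"                   # constructed public address of the firewall
LAN = ("192.168.1.18", "192.168.1.19")   # the two stations named in the thread
TARGET = "192.9.9.3"                     # the DNS server the stations ping


class NatTable:
    """Outbound NAT keyed like a state entry: (proto, ext_port, dst, dport).

    For ICMP echo the identifier plays the role of ext_port and dport is
    modelled as 0; rewrite_icmp_id decides whether the translator may pick
    a fresh identifier when two internal hosts present the same one."""

    def __init__(self, rewrite_icmp_id, port_range=(50001, 65535)):
        self.rewrite_icmp_id = rewrite_icmp_id
        self.low, self.high = port_range          # constructed NAT port range
        self.next_free = self.low
        self.out = {}    # (proto, ext_port, dst, dport) -> (src, sport)
        self.back = {}   # (proto, src, sport, dst, dport) -> ext_port

    def _fresh_port(self, proto, dst, dport):
        """Pick an external port/id not already in use toward dst:dport."""
        for _ in range(self.high - self.low + 1):
            cand = self.next_free
            self.next_free = self.low if cand == self.high else cand + 1
            if (proto, cand, dst, dport) not in self.out:
                return cand
        raise RuntimeError("NAT port range exhausted")

    def translate_out(self, proto, src, sport, dst, dport):
        """Return (EXT_IP, ext_port) the packet leaves with, or None if dropped."""
        known = self.back.get((proto, src, sport, dst, dport))
        if known is not None:
            return EXT_IP, known              # state already exists for this flow
        if (proto, sport, dst, dport) not in self.out:
            ext_port = sport                  # source port/id is free: keep it
        elif proto in (PROTO_TCP, PROTO_UDP) or self.rewrite_icmp_id:
            ext_port = self._fresh_port(proto, dst, dport)
        else:
            return None                       # same ICMP key owned by another host
        self.out[(proto, ext_port, dst, dport)] = (src, sport)
        self.back[(proto, src, sport, dst, dport)] = ext_port
        return EXT_IP, ext_port

    def translate_in(self, proto, remote, rport, ext_port):
        """Map a reply that reached EXT_IP back to (src, sport), or None."""
        return self.out.get((proto, ext_port, remote, rport))

    def expire(self, src):
        """Remove every state owned by src (host stopped, state timed out)."""
        for bkey in [k for k in self.back if k[1] == src]:
            proto, _, sport, dst, dport = bkey
            ext_port = self.back.pop(bkey)
            del self.out[(proto, ext_port, dst, dport)]


def ping_gets_reply(nat, src, echo_id, target=TARGET):
    """One echo request through the translator and its reply back; True if
    the reply can be mapped to the station that sent the request."""
    outbound = nat.translate_out(PROTO_ICMP, src, echo_id, target, 0)
    if outbound is None:
        return False                          # no state: "Request timed out"
    _, ext_id = outbound
    return nat.translate_in(PROTO_ICMP, target, 0, ext_id) == (src, echo_id)


def simulate_two_stations(rewrite_icmp_id, echo_id=512):
    """Both stations ping TARGET with the same echo identifier (512 is a
    constructed value standing in for a ping that reuses one fixed id).
    Returns (station, got_reply) in the order the thread describes."""
    nat = NatTable(rewrite_icmp_id)
    a, b = LAN
    results = [(a, ping_gets_reply(nat, a, echo_id)),   # first station pings
               (b, ping_gets_reply(nat, b, echo_id))]   # second tries meanwhile
    nat.expire(a)                                       # first station stops
    results.append((b, ping_gets_reply(nat, b, echo_id)))
    return results


def simulate_two_tcp_clients(sport=1025, dport=53):
    """Same stations, same source port, TCP to TARGET:53: port mapping gives
    the second client a fresh external port, so both flows get a state."""
    nat = NatTable(rewrite_icmp_id=False)
    return [nat.translate_out(PROTO_TCP, h, sport, TARGET, dport) for h in LAN]


if __name__ == "__main__":
    print("ICMP, id not rewritten:", simulate_two_stations(False))
    print("ICMP, id rewritten:    ", simulate_two_stations(True))
    print("TCP, port mapped:      ", simulate_two_tcp_clients())
```

Without identifier rewriting the second station only gets replies after the first station's state is gone, which is exactly the behaviour reported above; with TCP the colliding source port is simply remapped.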
From: "cell"
Date: Sat, 23 Jul 2005 14:32:40 +0200
Subject: Problems with pf and file transferts MSN

Hello, I have a gateway on FreeBSD 5.4 and I use pf, but I have a problem: my two computers on Windows XP behind my gateway use MSN Messenger. File transfers are very slow and I don't know good rules for pf for this problem. I don't know what ports to open for MSN Messenger. Anyone have a solution?


From: Dimitry Andric
To: cell
Cc: freebsd-pf@freebsd.org
Date: Sat, 23 Jul 2005 16:10:11 +0200
Subject: Re: Problems with pf and file transferts MSN

On 2005-07-23 at 14:32:40 cell wrote:
> Hello, I have a gateway on FreeBSD 5.4 and I use pf, but I have a
> problem: my two computers on Windows XP behind my gateway use MSN
> Messenger. File transfers are very slow and I don't know good rules
> for pf for this problem. I don't know what ports to open for MSN
> Messenger. Anyone have a solution?

This isn't specifically PF-related, but you might want to check out the information from Microsoft anyway (which you would have found by googling for about 1 minute):

http://support.microsoft.com/kb/278887