From owner-freebsd-pf@FreeBSD.ORG Sun Mar 19 18:27:51 2006
From: Mark Linimon
Date: Sun, 19 Mar 2006 18:27:45 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/94694: pf don't follow IP changes on IF-defined rules
Message-Id: <200603191827.k2JIRj7H009656@freefall.freebsd.org>

Synopsis: pf don't follow IP changes on IF-defined rules

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Mar 19 18:27:17 UTC 2006
Responsible-Changed-Why: Over to maintainer.
http://www.freebsd.org/cgi/query-pr.cgi?pr=94694

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 19 18:37:08 2006
From: Max Laier
Date: Sun, 19 Mar 2006 18:37:07 GMT
To: phoemix@harmless.hu, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/94694: pf don't follow IP changes on IF-defined rules
Message-Id: <200603191837.k2JIb7ZW011072@freefall.freebsd.org>

Synopsis: pf don't follow IP changes on IF-defined rules

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Sun Mar 19 18:35:55 UTC 2006
State-Changed-Why: As described in the pf.conf(5) manual page, this can be done by enclosing the interface name in "(" and ")".
http://www.freebsd.org/cgi/query-pr.cgi?pr=94694

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 20 04:47:04 2006
From: Mike Tancsa
Date: Sun, 19 Mar 2006 23:46:22 -0500
To: freebsd-pf@freebsd.org
Subject: Strange problem with UDP packets and openvpn
Message-Id: <6.2.3.4.0.20060319230922.085947b0@64.7.153.2>

I have been having some problems with pf and openvpn on RELENG_6. I use UDP as the transport, and I wanted to try blocking access from certain established connections, however it never seems to work.
I add just two rules:

block in log quick proto udp from any to any
block out log quick proto udp from any to any

Yet it does not kill the connection (IP address 1.1.1.1 bound on lo0, ports 11648, 11649):

tcpdump -i vlan38 -n -c 20 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan38, link-type EN10MB (Ethernet), capture size 96 bytes
23:09:29.433952 IP 1.1.1.1.11649 > 199.212.134.18.65116: UDP, length 69
23:09:29.441073 IP 199.212.134.18.65116 > 1.1.1.1.11649: UDP, length 69
23:09:29.597941 IP 205.211.165.120.62612 > 1.1.1.51.53: 25588+ PTR? 18.134.212.199.in-addr.arpa. (45)
23:09:29.598363 IP 1.1.1.51.53 > 205.211.165.120.62612: 25588* 1/2/2 (144)
23:09:31.094967 IP 1.1.1.1.11648 > 199.212.134.18.63461: UDP, length 69
23:09:31.100675 IP 199.212.134.18.63461 > 1.1.1.1.11648: UDP, length 69

I don't understand how these packets would be working? Dumping pflog0, I see the DNS packets being blocked, but I can still connect from the remote side, as the openvpn packets are passed and processed. E.g. here is connecting across the tunnel:

client-1-vpn # telnet 10.151.2.1 22
Trying 10.151.2.1...
Connected to 10.151.2.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
Protocol mismatch.
Connection closed by foreign host.

# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
23:17:35.284785 rule 1/0(match): block out on lo0: 127.0.0.1.61107 > 127.0.0.1.53: 62092+[|domain]
23:17:35.284825 rule 1/0(match): block out on vlan38: 205.211.165.120.58604 > 1.1.1.51.53: 62092+[|domain]

Now, if I kill openvpn and start it up after I have those rules in place, the packets are indeed stopped:
23:23:48.943583 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
23:23:51.081301 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
23:23:51.685599 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42
23:23:53.219143 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
23:23:53.942001 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42
23:23:55.528519 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
23:23:56.198406 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42

Why would the behavior be any different if I start or stop the program? The same strange behavior does not happen with ipfw.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
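A check worth making in the situation Mike describes, added here and not part of his message or of any reply on this page: pf looks a packet up in the state table before it evaluates the ruleset, so a flow that was passed with "keep state" before the two block rules were loaded is never evaluated against them, while an openvpn that is restarted after the load has no state and is blocked at once. The script below is example code, not anything from the list or from pf: it takes `pfctl -ss` output, lists the states still open to a given peer, and builds the `pfctl -k LOCAL -k REMOTE` commands that remove them, after which the block rules get to see the next packet. The sample state dump is constructed (layout of `pfctl -ss` on RELENG_6; the 10.151.2.x hosts, the 205.211.165.120 NAT address and port 1194 are invented around the addresses in Mike's tcpdump). It also assumes, and you should confirm against your own `pfctl -ss` before running what it prints, that the address left of the arrow is the local side, a parenthesised address after it the pre-NAT local address, the address right of the arrow the remote side, and that the first `-k` host is matched against the local side and the second against the remote. IPv4 only.

```shell
#!/bin/sh
# Added example (not code from the list thread or from pf itself): find the
# pf state entries that keep carrying a flow after a block rule was added,
# and print the pfctl -k commands that remove them. Nothing here runs pfctl.

# Constructed sample in the layout of `pfctl -ss` on RELENG_6:
# interface, proto, local[:port], [(pre-NAT local:port)], arrow, remote:port, state
SAMPLE_STATES='self udp 1.1.1.1:11649 <- 199.212.134.18:65116       MULTIPLE:MULTIPLE
self udp 1.1.1.1:11648 <- 199.212.134.18:63461       MULTIPLE:MULTIPLE
self tcp 1.1.1.1:22 <- 10.151.2.7:50122       ESTABLISHED:ESTABLISHED
self udp 205.211.165.120:50000 (10.151.2.9:50000) -> 199.212.134.18:1194       MULTIPLE:MULTIPLE'

# $1 = pfctl -ss output, $2 = remote host: print the state lines still open to it.
pf_states_with_peer() {
    printf '%s\n' "$1" | awk -v peer="$2" '
    {
        if ($4 ~ /^\(/) { arrow = $5; remote = $6 } else { arrow = $4; remote = $5 }
        if (arrow != "->" && arrow != "<-") next     # skip pfctl -vss detail lines
        sub(/:[0-9]+$/, "", remote)                  # drop the port
        if (remote == peer) print
    }'
}

# $1 = pfctl -ss output, $2 = remote host: one "pfctl -k LOCAL -k REMOTE" per
# distinct host pair. -k takes hosts, not ports, so every state between the
# two hosts goes, not only the one on the matching line.
pf_kill_cmds() {
    printf '%s\n' "$1" | awk -v peer="$2" '
    function host(s) { sub(/^\(/, "", s); sub(/\)$/, "", s); sub(/:[0-9]+$/, "", s); return s }
    {
        lan = $3                                     # local side as displayed
        if ($4 ~ /^\(/) { lan = $4; arrow = $5; ext = $6 }   # NAT: real local is in ()
        else            { arrow = $4; ext = $5 }
        if (arrow != "->" && arrow != "<-") next
        if (host(ext) != peer) next
        cmd = "pfctl -k " host(lan) " -k " host(ext)
        if (!(cmd in seen)) { seen[cmd] = 1; print cmd }
    }'
}

# Manual check first, then the commands to run as root on the firewall.
pf_states_with_peer "$SAMPLE_STATES" 199.212.134.18
pf_kill_cmds "$SAMPLE_STATES" 199.212.134.18
```

On the live box the equivalent of the first call is `pfctl -ss | grep 199.212.134.18`; if it shows entries for the tunnel, the block rules are not being consulted for those packets at all. `pf_kill_cmds "$(pfctl -ss)" 199.212.134.18` prints the commands to review before running them as root; `pfctl -F states` is the blunt alternative and drops every state, including the one for the SSH session you are typing in if it was created with keep state.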
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 20 11:02:54 2006
From: FreeBSD bugmaster
Date: Mon, 20 Mar 2006 11:02:52 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200603201102.k2KB2qXT082585@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted      Tracker        Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]   kern/82271     pf     [pf] cbq scheduler cause bad latency
f [2005/07/31]   kern/84370     pf     [modules] Unload pf.ko cause page fault
f [2005/09/13]   kern/86072     pf     [pf] Packet Filter rule not working prope
o [2006/02/07]   kern/92949     pf     [pf] PF + ALTQ problems with latency
o [2006/02/18]   sparc64/93530  pf     Incorrect checksums when using pf's route
o [2006/02/25]   kern/93829     pf     [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems
S Submitted      Tracker        Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]   conf/81042     pf     [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09]   kern/90148     pf     [pf] pf_enable="YES" -> Fatal trap 12: pa
o [2006/02/25]   kern/93825     pf     [pf] pf reply-to doesn't work
o [2006/02/26]   kern/93849     pf     pf no-df breaks IP checksum of all tcp tr

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 22 15:03:21 2006
From: Volker
Date: Wed, 22 Mar 2006 16:03:16 +0100
To: freebsd-pf@freebsd.org
Subject: {Spam?} no buffer space available
Message-ID: <44216734.2060101@vwsoft.com>
Currently my router machine is running RELENG_6, cvsup'ed, buildkernel and world recently (as of 2006-03-18). My internet connection is realized by a 3G card and ppp (userland), which is always up.

After being always on for a few days, my router machine is unable to route anything (no packets passed out) as long as pf is enabled. When this situation arises, a ping does:

bellona# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
^C
--- www.heise.de ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

When disabling pf it does:

bellona# pfctl -d
pf disabled
bellona# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
64 bytes from 193.99.144.85: icmp_seq=0 ttl=243 time=1472.569 ms
64 bytes from 193.99.144.85: icmp_seq=1 ttl=243 time=491.980 ms
64 bytes from 193.99.144.85: icmp_seq=3 ttl=243 time=590.113 ms
^C
--- www.heise.de ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max/stddev = 491.980/851.554/1472.569/440.948 ms

.....and re-checking with pf enabled:

bellona# pfctl -e
pf enabled
bellona# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
^C
--- www.heise.de ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

and later, after re-reading the firewall rules:

bellona# pfctl -d
pf disabled
bellona# pfctl -gf /etc/firewall/pf-bel.conf
bellona# pfctl -e
pf enabled
bellona# ping www.heise.de
PING www.heise.de (193.99.144.85): 56 data bytes
64 bytes from 193.99.144.85: icmp_seq=0 ttl=243 time=146.157 ms
^C
--- www.heise.de ping statistics ---
2 packets transmitted, 1 packets received, 50% packet loss
round-trip min/avg/max/stddev = 146.157/146.157/146.157/0.000 ms

It smells like a memory leak, doesn't it?

Using an earlier 6.1-BETA build, I saw this problem sooner. The last time I saw this behaviour was after 4 days of system uptime, being always online via ppp.

How do I check (debug) if this is a base system (networking) problem of 6.1-BETA or if it's a pf bug?

Greetings,
Volker

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 22 18:27:05 2006
From: Andreas Vogt
Date: Wed, 22 Mar 2006 19:26:59 +0100
To: freebsd-pf@freebsd.org
Subject: Problem: ~600 KB/s on a 100 Mbit network
Message-ID: <442196F3.1090507@googlemail.com>

Hello everyone,

I'm new here, so first of all thanks in advance.

My system: FreeBSD 5.4 + i386 + pf + altq + ADSL 6000/768 + user-mode PPP. int_if and ext_if are 3Com cards. Queueing on $ext_if, outbound. About 10 machines in the LAN.

# dmesg | grep -i cpu
CPU: Pentium/P54C (132.96-MHz 586-class CPU)
# top
Mem: 17M Active, 18M Inact, 23M Wired, 3604K Cache, 17M Buf, 8336K Free
Swap: 50M Total, 50M Free
# uname
FreeBSD 5.4-RELEASE Custom-Kernel

My problem: bandwidth from the router/int_if to LAN hosts over 100 Mbit is ONLY ~600 KB/s, in both directions. The speed is poor as well. A ping from another host gave:

# ping -qc5 192.168.0.1
round-trip min/avg/max/stddev = 0.562/0.622/0.817/0.074 ms

Ping to another host in the LAN:

round-trip min/avg/max/stddev = 0.433/0.435/0.438/0.003 ms

I think pf is not the cause.

Scenario 1: if I do, for example, an FTP download from the Internet, I get the following values:
download rate: 200-350 KB/s
CPU load: ppp 30%
(pftop) altq queue outgoing: 50-300 acks/s, fluctuating
range of states tested: about 100-8000

Scenario 2: if I do an scp download or upload from another host in the LAN:
rate: fluctuating, 200-500 KB/s
CPU load: sshd 30%
packets/s: I don't know how to display this with pftop without altq on $int_if.

I have already tried the following:
- swapping the NICs
- checking ifconfig (media type set explicitly / autoselect disabled); I'm happy to post or mail the ifconfig output for the interfaces.
- no pf rules and no altq on $int_if.
- pf without altq
- completely without pf/altq/ppp --> no change. So I rule out pf as the problem.
- checking the kernel configuration (happy to post or mail it if needed)
- recompiling the kernel
- setting the $lan_if MTU: 1500/1492/1454/1400 --> no change
- I have tried the following sysctl settings:
net.inet.ip.subnets_are_local=1
net.inet.ip.rtmaxcache=256
net.inet.ip.rtminexpire=2
net.inet.ip.rtexpire=2
net.inet.tcp.local_slowstart_flightsize=65535
net.inet.tcp.delayed_ack=0
net.inet.tcp.mssdflt=1460
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.tcp.newreno=1
net.inet.tcp.icmp_may_rst=0
net.inet.udp.recvspace=73728
net.graph.nonstandard_pppoe=-1
kern.ipc.maxsockbuf=524288
kern.ipc.somaxconn=6500

Could $int_if have a hardware defect? Or does pf play a role after all? Should I upgrade to FreeBSD 6.0 to try "/etc/pf.conf: set skip on $lan_if"? Is the Pentium 133 too slow? Too little RAM? I'm out of ideas as to what could be causing this. Please help me.
Thanks and greetings from the Black Forest,
lulatsch

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 23 08:14:05 2006
From: "Travis H."
Date: Thu, 23 Mar 2006 02:14:01 -0600
To: Volker
Cc: freebsd-pf@freebsd.org
Subject: Re: {Spam?} no buffer space available
In-Reply-To: <44216734.2060101@vwsoft.com>

On 3/22/06, Volker wrote:
> How do I check (debug) if this is a base system (networking) problem
> of 6.1-BETA or if it's a pf bug?

I have the same issues on OpenBSD, and came to the same conclusion; notably, that it's a leak of mbufs. It only occurs for me with rdr rules enabled; it will run for weeks without them. Try checking "netstat -m" when it's happening.

-- 
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 23 09:47:06 2006
From: Daniel Hartmeier
Date: Thu, 23 Mar 2006 10:46:54 +0100
To: Volker
Cc: freebsd-pf@freebsd.org
Subject: Re: {Spam?} no buffer space available
Message-ID: <20060323094654.GD25046@insomnia.benzedrine.cx>
In-Reply-To: <44216734.2060101@vwsoft.com>

On Wed, Mar 22, 2006 at 04:03:16PM +0100, Volker wrote:
> It smells like a memory leak, doesn't it?

If it were an mbuf leak, it wouldn't go away right after you run pfctl -d, as disabling pf will not cause any memory to get released at all.

You might simply be hitting the (default) 10,000 state entry limit, check pfctl -si output. If so, increase it with 'set limit states'.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 23 12:01:22 2006
From: "Travis H."
Date: Thu, 23 Mar 2006 06:01:17 -0600
To: "Daniel Hartmeier"
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: {Spam?} no buffer space available
In-Reply-To: <20060323094654.GD25046@insomnia.benzedrine.cx>

On 3/23/06, Daniel Hartmeier wrote:
> If it were an mbuf leak, it wouldn't go away right after you run pfctl
> -d, as disabling pf will not cause any memory to get released at all.
>
> You might simply be hitting the (default) 10,000 state entry limit,
> check pfctl -si output. If so, increase it with 'set limit states'.

I've deliberately set my state table to be small, thinking it would use less mbufs, and that didn't help. I'll try setting it high soon. I did recover the box by flushing all pf stuff, but it didn't stay working for very long.

-- 
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
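The two checks proposed in this exchange, Daniel's (current state count against the `set limit states` hard limit in `pfctl -si` / `pfctl -sm`) and Travis's (`netstat -m`), are cheap to script together. The script below is an added example and is not code from either of them or from the pf project. Its samples are constructed: the column layout follows `pfctl -si`, `pfctl -sm` and `netstat -m` as they print on RELENG_6 (an assumption about that release; the counter names "memory" and "state-limit" are the ones pf reports in the Counters section), the sections are abbreviated and the numbers are invented. It returns one word: "state-limit" when the table is within 10% of its hard limit or the state-limit counter has fired, "memory" when pf's memory counter, denied mbuf requests or mbuf cluster usage point at pool exhaustion, and "ok" otherwise.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf: compare the pf state
# table against its hard limit and look at the mbuf pools. On a live box:
#   pf_headroom_report "$(pfctl -si)" "$(pfctl -sm)" "$(netstat -m)"
# The samples below are constructed and abbreviated; the column layout is
# assumed from the RELENG_6 tools, the numbers are made up.

SI_FULL='Status: Enabled for 4 days 03:12:37           Debug: Urgent

State Table                          Total             Rate
  current entries                    10000
  searches                         8812231           24.9/s
  inserts                           110244            0.3/s
  removals                          100244            0.3/s
Counters
  match                             113358            0.3/s
  memory                                 0            0.0/s
  state-mismatch                        17            0.0/s
  state-limit                         4418            0.1/s'

SI_OK='State Table                          Total             Rate
  current entries                     1532
Counters
  match                              20011            0.3/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s'

SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

NETSTAT_M='1538/1387/2925 mbufs in use (current/cache/total)
1285/883/2168/25600 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)'

# Each helper takes the tool output as a string, so a saved copy works too.
pf_state_entries() { printf '%s\n' "$1" | awk '$1 == "current"  && $2 == "entries" { print $3 }'; }
pf_state_limit()   { printf '%s\n' "$1" | awk '$1 == "states" { print $NF }'; }
pf_counter()       { printf '%s\n' "$1" | awk -v c="$2" '$1 == c { print $2 }'; }
mbuf_clusters()    { printf '%s\n' "$1" | awk '/mbuf clusters in use/ { split($1, f, "/"); print f[1], f[4] }'; }
mbuf_denied()      { printf '%s\n' "$1" | awk '/requests for mbufs denied/ { split($1, f, "/"); print f[1] + f[2] + f[3] }'; }

# $1 = pfctl -si, $2 = pfctl -sm, $3 = netstat -m; prints state-limit, memory or ok.
pf_headroom_verdict() {
    si=$1; sm=$2; nm=$3
    cur=$(pf_state_entries "$si"); lim=$(pf_state_limit "$sm")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || { echo unknown; return 1; }
    pct=$(( cur * 100 / lim ))
    hit=$(pf_counter "$si" state-limit); mem=$(pf_counter "$si" memory)
    set -- $(mbuf_clusters "$nm"); mcur=${1:-0}; mmax=${2:-1}
    denied=$(mbuf_denied "$nm")
    if [ "$pct" -ge 90 ] || [ "${hit:-0}" -gt 0 ]; then
        echo state-limit        # raise "set limit states N" in pf.conf and reload
    elif [ "${mem:-0}" -gt 0 ] || [ "${denied:-0}" -gt 0 ] || [ $(( mcur * 100 / mmax )) -ge 90 ]; then
        echo memory             # pool or mbuf exhaustion: watch netstat -m over time
    else
        echo ok
    fi
}

pf_headroom_report() {
    printf 'states %s/%s  state-limit hits %s  memory failures %s  mbuf clusters %s  denied %s  -> %s\n' \
        "$(pf_state_entries "$1")" "$(pf_state_limit "$2")" \
        "$(pf_counter "$1" state-limit)" "$(pf_counter "$1" memory)" \
        "$(mbuf_clusters "$3" | tr ' ' /)" "$(mbuf_denied "$3")" \
        "$(pf_headroom_verdict "$1" "$2" "$3")"
}

pf_headroom_report "$SI_FULL" "$SM" "$NETSTAT_M"
pf_headroom_report "$SI_OK" "$SM" "$NETSTAT_M"
```

A "state-limit" verdict while the box is failing, clearing after `pfctl -F states` or a rule reload, matches Daniel's explanation; counters that keep growing across reloads while `netstat -m` shows the cluster pool climbing would support the leak theory instead. Run it from cron into a log while the machine is healthy so the trend is visible when it fails.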
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 04:32:17 2006
From: Mark Linimon
Date: Fri, 24 Mar 2006 04:32:17 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Message-Id: <200603240432.k2O4WH6N058491@freefall.freebsd.org>

Synopsis: [pf] packet filter blocks outgoing traffic after boot

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Mar 24 04:32:10 UTC 2006
Responsible-Changed-Why: Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=94877

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 05:30:25 2006
From: Max Laier
Date: Fri, 24 Mar 2006 05:30:24 GMT
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Message-Id: <200603240530.k2O5UOob060516@freefall.freebsd.org>

The following reply was made to PR kern/94877; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, norgaard@locolomo.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Date: Fri, 24 Mar 2006 06:27:37 +0100

If you want pf to track address changes on interfaces (like the dhcp you describe) you have to enclose the interface name in "(" ")" as documented in the pf.conf(5) manual page.

Can you confirm that is the source of the problem?

-- 
Max
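Both of Max Laier's replies on this page, the closing note on kern/94694 earlier and this follow-up on kern/94877, point to the same pf.conf(5) feature, so one worked example serves both. It is added here and is not part of either PR or reply: a minimal ruleset for a router whose external address is handed out by DHCP, with the form that freezes the address at load time next to the form that follows the interface. The interface names (fxp0, fxp1) and the LAN prefix are assumptions.

```conf
# Added example: pf.conf fragment for a router whose external address comes
# from DHCP. Interface names and the LAN prefix are assumed.
ext_if  = "fxp0"            # external, address assigned by dhclient
int_if  = "fxp1"            # LAN side
lan_net = "192.168.1.0/24"

# Static form (the behaviour both PRs report): in an address position,
# $ext_if is replaced by the address fxp0 had when pfctl loaded the file.
# After the next lease change the rules still carry the old address, and
# nothing matches again until the ruleset is reloaded with pfctl -f.
#
#   nat on $ext_if from $lan_net to any -> $ext_if
#   pass in  on $ext_if proto tcp from any to $ext_if port ssh keep state
#   pass out on $ext_if from $ext_if to any keep state

# Dynamic form: "($ext_if)" is resolved when each packet is evaluated, so
# the rules follow the interface through address changes with no reload.
nat on $ext_if from $lan_net to any -> ($ext_if)
pass in  on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass out on $ext_if from ($ext_if) to any keep state

# "on $ext_if" names the interface the packet crosses and never needed the
# parentheses; only address positions do. "keep state" is written out
# because the pf in RELENG_6 does not keep state by default.
```

To check which form a running box actually has: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` prints the loaded rules; the dynamic ones show `(fxp0)` in the address position, while the static ones show the literal address that was current at load time, which is the number to compare against `ifconfig fxp0` after the lease has changed.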
Can you confirm that is the source of the problem?

--
Max

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 06:00:50 2006
From: Alberto Alesina
Date: Thu, 23 Mar 2006 22:00:49 -0800 (PST)
Message-ID: <20060324060049.84393.qmail@web32610.mail.mud.yahoo.com>
To: freebsd-pf@freebsd.org
Subject: tcp.closed timeout

Hi,

Does the tcp.closed timeout value (default 90 secs) apply to connections that saw a RST packet too? If so, why don't we remove such RST connections immediately?

Regards,
Alberto Alesina

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 13:28:17 2006
From: Daniel Dias Gonçalves
Organization: DGNET Network Solutions
Date: Fri, 24 Mar 2006 10:28:00 -0300
Message-ID: <4423F3E0.2090701@dgnetwork.com.br>
To: freebsd-pf@freebsd.org
Reply-To: daniel@dgnetwork.com.br
Subject: ALTQ, Dummynet, Dynamic Rules

I use the following rules in the IPFW:

$fwcmd add 100 pipe 13 ip from 192.168.0.0/24 to any in
$fwcmd add 101 pipe 14 ip from any to 192.168.0.0/24 out
$fwcmd pipe 13 config mask src-ip 0x000000ff bw 150Kbit/s queue 12KBytes
$fwcmd pipe 14 config mask dst-ip 0x000000ff bw 150Kbit/s queue 12KBytes

My question: is it possible to do the same with PF+ALTQ? I did not find anything in the documentation. An example is necessary.

--
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
http://www.dgnetwork.com.br/
+55 37-99824809

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 14:26:04 2006
From: Casper
Date: Fri, 24 Mar 2006 16:26:21 +0200
Message-ID: <4424018D.5000500@os.lv>
To: freebsd-pf@freebsd.org
Subject: Collecting pf log...

Hi,

I currently have 3 ISP routers and want to make a central collection for the logs in one place and give other people the possibility to make statistics etc.
As I understand it, it is possible to write all logs to an SQL database, but I heard that it is not a good idea, because writing logs on-line to an SQL database is not as fast as writing them to a file, and it can slow down my internet line. I have a P4 2.4 with 512 RAM and an ATA disk as router. I have had the suggestion to make a script that writes the log file to the SQL DB at night. Any suggestions, any experience?

thnx,
Casper

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 15:43:12 2006
From: "manjoine"
Date: Fri, 24 Mar 2006 09:43:07 -0600
Message-ID: <005201c64f59$a628c050$b0f2ff80@iowa.uiowa.edu>
Subject: Pftpx for incoming ftp connections FTP Server INSIDE the firewall

I am trying to use pftpx to solve the "strict" ftp clients (clients that want data connections to the same IP as the control connection) issue on a FTP Server INSIDE the firewall.

I found out that I can't use port redirects on all my external IPs since the FTP clients have IP strictness. It is the classic Passive FTP problem. I have a firewall in front of an ftp server. I have multiple IPs bound to the firewall that need to go to the same FTP server (thus the IP issue with strictness).

So I want a pf.conf that will allow me to allow all incoming PASSIVE and ACTIVE FTP connections to any of the IPs to go to the one FTP server. I assume that I can use pftpx to proxy all incoming connections?

I found only this reference to a possible solution, but I can't seem to get it to work in my pf.conf:
http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo

Can anyone give me an example of how that would be done? Below is a trimmed down version of my pf.conf with the rules for outbound pftpx, which is working great, but I need inbound.

int_if=fpx0
ext_if=fxp1
int_net="192.168.0.0/24"
ext_net="{232.333.333.2,232.333.333.3,232.333.333.4}"

#FTP out from int_net
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

#In the rule section:
anchor "pftpx/*"

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 19:00:40 2006
From: Erik Nørgaard
Date: Fri, 24 Mar 2006 19:00:40 GMT
Message-Id: <200603241900.k2OJ0eUg008697@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot

The following reply was made to PR kern/94877; it has been noted by GNATS.

From: Erik Nørgaard
To: bug-followup@FreeBSD.org, norgaard@locolomo.org
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Date: Fri, 24 Mar 2006 19:50:02 +0100

Please close this pr! Adding "(" and ")" solved the problem.

I am awfully sorry about the noise on the line, I worked on this five days before submitting the pr :(

Thanks a lot! And thank you for the good job you're doing on FreeBSD.

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 24 19:48:42 2006
From: Volker
Date: Fri, 24 Mar 2006 20:48:15 +0100
Message-ID: <44244CFF.3020809@vwsoft.com>
To: "Travis H.", Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
References: <44216734.2060101@vwsoft.com> <20060323094654.GD25046@insomnia.benzedrine.cx>
Subject: {Spam?} Re: {Spam?} no buffer space available

On 2006-03-23 13:01, Travis H. wrote:
> On 3/23/06, Daniel Hartmeier wrote:
>> If it were an mbuf leak, it wouldn't go away right after you run pfctl
>> -d, as disabling pf will not cause any memory to get released at all.
>>
>> You might simply be hitting the (default) 10,000 state entry limit,
>> check pfctl -si output. If so, increase it with 'set limit states'.
>
> I've deliberately set my state table to be small, thinking it would
> use less mbufs, and that didn't help. I'll try setting it high soon.
> I did recover the box by flushing all pf stuff, but it didn't stay
> working for very long.

Travis, Daniel,

thank you for your response. I'll check for both situations as soon as this problem occurs the next time (which will take place every few days). I'll then post the results to this mailing list again.
Greetings,
Volker

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 25 09:48:08 2006
From: Thomas Krause
Date: Sat, 25 Mar 2006 10:48:03 +0100
Message-ID: <442511D3.6080408@chef-ingenieur.de>
To: freebsd-pf@freebsd.org
Subject: "unknown" ICMP packets on tun0

Hello,

I built an ADSL gateway with ppp and pf. I used the pf example from the OpenBSD FAQ for my ruleset. Now I get lots of ICMP blocks:

000000 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.005880 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.309811 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.999694 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.999688 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.999702 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]

I've no idea what causes the ICMP packets. The IP address is the address I got from the ISP.

This is my ruleset:

int_if = "fxp0"
ext_if = "tun0"
merlin = "172.16.4.4"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
comp3 = "192.168.168.2"

set block-policy return
set loginterface $ext_if
set skip on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> $ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

block out all
block in all
block in log on $ext_if all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to $ext_if \
    port auth flags S/SA keep state
pass in on $ext_if inet proto tcp from $merlin to $ext_if \
    port { smtp, ssh } flags S/SA keep state
pass in on $ext_if proto tcp from any to $comp3 port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port 20 to $ext_if \
    user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Any idea?

Kind regards,
Thomas.
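Added example (editor's addition, not part of any post above and not FreeBSD project code) that ties Casper's question about collecting pf logs centrally and importing them into an SQL database at night to the pflog lines Thomas quotes: a small Python importer that parses tcpdump-formatted pflog text (the "tcpdump -n -e -ttt -r /var/log/pflog" output format seen in Thomas's message), loads a whole file into the database in one transaction, and answers the kind of statistics question the other people would then run. The sample log lines are constructed, SQLite stands in for whatever SQL database the collector uses, and the function names (import_pflog_text, block_counts and the rest) are this example's own.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the list posts) of tcpdump-formatted pflog text as
# printed by "tcpdump -n -e -ttt -r /var/log/pflog": the first two lines mirror
# the blocked ICMP entries quoted for tun0, the rest add TCP/UDP and a junk line.
SAMPLE_PFLOG = """\
000000 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
1.005880 rule 2/0(match): block in on tun0: x.y.193.85 > x.y.193.85: [|icmp]
0.250112 rule 7/0(match): pass in on fxp0: 192.168.168.2.52011 > 172.16.4.4.25: S 1:1(0) win 65535
0.000913 rule 2/0(match): block in on tun0: 203.0.113.9.1027 > 198.51.100.7.445: S 0:0(0) win 16384
0.004470 rule 9/0(match): pass out on tun0: 198.51.100.7.40000 > 203.0.113.53.53: udp 42
this line is not a pflog record and must be skipped
"""

# One record: "<delta> rule N/M(reason): <action> <dir> on <if>: <src> > <dst>: <detail>"
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>[^:]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s*(?P<detail>.*)$"
)
COLUMNS = ("ts", "rule", "subrule", "reason", "action", "direction", "ifname",
           "src", "sport", "dst", "dport", "proto", "truncated", "detail")

def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints IPv4 endpoints as a.b.c.d.port: five dotted fields mean
    the last one is a port, anything else stays a bare host (IPv4 text only)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None

def guess_proto(detail: str) -> str:
    """Protocol label from the text after the addresses. "[|proto]" is how
    tcpdump marks a packet whose captured bytes end before the header."""
    body = detail.lstrip("[|")
    if body.startswith("icmp"):
        return "icmp"
    if body.startswith("udp"):
        return "udp"
    if re.match(r"^[SFRP.]+\s", body):  # TCP flag summary such as "S 1:1(0)"
        return "tcp"
    return "other"

def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record dict for one pflog text line, or None if it is not one."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "rule": int(m["rule"]), "subrule": int(m["subrule"]),
            "reason": m["reason"], "action": m["action"],
            "direction": m["direction"], "ifname": m["ifname"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": guess_proto(m["detail"]),
            "truncated": m["detail"].startswith("[|"), "detail": m["detail"]}

def import_pflog_text(conn: sqlite3.Connection, text: str) -> Tuple[int, int]:
    """Parse a day's pflog text and insert it in one transaction (the nightly
    batch; a row per packet at log time is what would slow the router)."""
    conn.execute("CREATE TABLE IF NOT EXISTS pflog (ts TEXT, rule INTEGER,"
                 " subrule INTEGER, reason TEXT, action TEXT, direction TEXT,"
                 " ifname TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER,"
                 " proto TEXT, truncated INTEGER, detail TEXT)")
    rows, skipped = [], 0
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            skipped += 1
            continue
        rows.append(tuple(rec[c] for c in COLUMNS))
    with conn:  # one transaction, rolled back as a whole if an insert fails
        conn.executemany("INSERT INTO pflog (%s) VALUES (%s)"
                         % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), rows)
    return len(rows), skipped

def block_counts(conn: sqlite3.Connection, column: str) -> List[Tuple[object, int]]:
    """Block count grouped by one column ("rule", "src", "ifname", ...), busiest
    first. The column name is allow-listed before it is put into the SQL."""
    if column not in COLUMNS:
        raise ValueError("unknown column: %r" % column)
    sql = ("SELECT %s, COUNT(*) FROM pflog WHERE action = 'block'"
           " GROUP BY %s ORDER BY COUNT(*) DESC, %s") % (column, column, column)
    return conn.execute(sql).fetchall()

def demo(db_path: str = ":memory:") -> Dict[str, object]:
    """Load the sample into SQLite (a file path on a real collector) and return
    the import counts plus two summary tables."""
    conn = sqlite3.connect(db_path)
    inserted, skipped = import_pflog_text(conn, SAMPLE_PFLOG)
    return {"inserted": inserted, "skipped": skipped,
            "per_rule": block_counts(conn, "rule"),
            "per_source": block_counts(conn, "src")}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the collector the nightly job would run tcpdump over the rotated binary pflog, feed the text to import_pflog_text against a file-backed database, and only then let the other people query it; parsing off-line keeps the per-packet cost on the router at what pflogd already does. Entries tcpdump prints as "[|icmp]" are kept and flagged rather than dropped, since a truncated entry still carries the rule, interface and addresses; if many entries come out truncated, pflogd's -s snaplen is the knob that decides how much of each logged packet is kept.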
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 25 21:17:22 2006
From: Max Laier
Date: Sat, 25 Mar 2006 21:17:21 GMT
Message-Id: <200603252117.k2PLHLAF007451@freefall.freebsd.org>
To: mcdouga9@egr.msu.edu, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge

Synopsis: pf no-df breaks IP checksum of all tcp traffic through if_bridge
State-Changed-From-To: open->patched
State-Changed-By: mlaier
State-Changed-When: Sat Mar 25 21:15:51 UTC 2006
State-Changed-Why:
A more complete patch has been committed. Thanks for the report. MFC due in three days.

http://www.freebsd.org/cgi/query-pr.cgi?pr=93849