From owner-freebsd-pf@FreeBSD.ORG Mon Jul 3 11:03:08 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32DC916A633 for ; Mon, 3 Jul 2006 11:03:08 +0000 (UTC) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FDBB43D45 for ; Mon, 3 Jul 2006 11:03:07 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k63B37UH069916 for ; Mon, 3 Jul 2006 11:03:07 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k63B35sx069910 for freebsd-pf@freebsd.org; Mon, 3 Jul 2006 11:03:05 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 3 Jul 2006 11:03:05 GMT
Message-Id: <200607031103.k63B35sx069910@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 03 Jul 2006 11:03:08 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf     [pf] cbq scheduler cause bad latency
f [2005/09/13] kern/86072     pf     [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf     [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf     Incorrect checksums when using pf's route

4 problems total.

Non-critical problems

S Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf     [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825     pf     [pf] pf reply-to doesn't work
o [2006/03/27] kern/94992     pf     [pf] [patch] pfctl complains about ALTQ m
o [2006/04/21] bin/96150      pf     pfctl(8) -k non-functional

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 3 12:15:39 2006
From: "Kerry Jean"
X-Sender: jeankerry@hotmail.com
Date: Mon, 3 Jul 2006 13:15:27 +0100
Subject: Redirecting packets to the machine itself

Hi,

I am new to FreeBSD and PF. I am porting an application from Linux to FreeBSD. One aspect is that packets destined for another machine on port 3322 are also captured by a Linux router and forwarded to port 3323 on that router. As a result the router will receive and read the packet while still allowing it to be forwarded. This was done simply in Linux using iptables with "iptables -t nat -A PREROUTING -p udp --dport 3322 -j REDIRECT --to-ports 3323"

Is this possible in FreeBSD using PF or any of the other firewall programs? I want PF (or another FreeBSD application) to redirect packets destined for port 3322 (on any machine) to be redirected to port 3323 on the local machine but also forwarded to the other machines.

Any help would be really appreciated.
Regards,
Anthony

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 3 18:50:46 2006
From: "Vikash Badal"
Date: Mon, 3 Jul 2006 20:50:34 +0200
Message-ID: <740109F1ED7BA14EB02307DEF26487AB0580EC9F@ZABRYSVISEX04.af.didata.local>
Subject: Inspecting a gre tunnel passing through a freebsd pf firewall ?
Greetings,

Is it possible to inspect and filter a gre tunnel passing through a pf based freebsd firewall ? I would like to rate limit certain traffic (syn, http etc) that is encapsulated in the gre tunnel passing thru the freebsd firewall? Is this possible ? If so how ?

Thanks
Vikash

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 3 23:48:26 2006
Received: from km20932-01.keymachine.de (ns.km20932-01.keymachine.de [84.19.184.119]) by mx1.FreeBSD.org (Postfix) with ESMTP id 643C643D5A for ; Mon, 3 Jul 2006 23:48:23 +0000 (GMT) (envelope-from apache@km20932-01.keymachine.de)
Received: from km20932-01.keymachine.de (localhost [127.0.0.1]) by km20932-01.keymachine.de (8.12.11/8.12.11) with ESMTP id k640n91Z005323 for ; Tue, 4 Jul 2006 02:49:09 +0200
Received: (from apache@localhost) by km20932-01.keymachine.de (8.12.11/8.12.11/Submit) id k640n9kt005322; Tue, 4 Jul 2006 02:49:09 +0200
Date: Tue, 4 Jul 2006 02:49:09 +0200
Message-Id: <200607040049.k640n9kt005322@km20932-01.keymachine.de>
From: Chase Bank
To: freebsd-pf@freebsd.org
Subject: Chase Online. Banking Account registration information

[chaseNew.gif]

Chase Bank Online. Department Notice

You have received this email because you or someone had used your account from different locations. For security purpose, we are required to open an investigation into this matter. In order to safeguard your account, we require that you confirm your banking details. To help speed up this process, please access the following link so we can complete the verification of your Chase Online. Banking Account registration information :

To get started, please click the link below: [1]https://www.chase.com

Please Note: If we do no receive the appropriate account verification within 48 hours, then we will assume this Chase Bank account is fraudulent and will be suspended. The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community.

Regards,
Chase Bank - Chase Online. Banking Department
_________________________________________________________________
Securities (including mutual funds and variable life insurance), annuities and insurance products are not bank deposits and are not insured by the FDIC or any other agency of the United States, nor are they obligations of, nor insured or guaranteed by, JPMorgan Chase Bank, N.A., CISC, CIA, CMIA or their affiliates. Securities (including mutual funds and variable life insurance) and annuities involve investment risks, including the possible loss of value.

References
1. http://cms.ucall.com/

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 4 12:55:49 2006
From: Volker
To: Kerry Jean
Cc: freebsd-pf@freebsd.org
Date: Tue, 04 Jul 2006 14:56:00 +0200
Message-ID: <44AA6560.6030000@vwsoft.com>
Subject: Re: Redirecting packets to the machine itself

On 12/23/-58 20:59, Kerry Jean wrote:
> Is this possible in FreeBSD using PF or any of the other firewall
> programs? I want PF (or another FreeBSD application) to redirect
> packets destined for port 3322 (on any machine) to be redirected to
> port 3323 on the local machine but also forwarded to the other
> machines.

What about a 'dup-to' route option? see `man pf.conf'

Greetings,
Volker

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 7 18:03:43 2006
From: "Douglas K. Rand"
To: freebsd-pf@freebsd.org
Date: Fri, 07 Jul 2006 13:03:40 -0500
Message-ID: <87ejwx1edf.wl%rand@meridian-enviro.com>
Subject: pfsync & carp problems

I'm testing a new set of firewalls using pfsync and carp to replace an existing IP Filter firewall and I'm having occasional problems with TCP sessions failing over. More often than not the fail over works fine, but sometimes when I reboot the master firewall the TCP session hangs, and when the backup firewall transfers from MASTER to BACKUP the session stays hung.

The state exists on both firewalls right after the master comes back:

master# pfctl -v -s state
[...]
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:37, expires in 23:59:10, 0:0 pkts, 0:0 bytes
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:37, expires in 23:59:02, 0:0 pkts, 0:0 bytes
[...]

slave# pfctl -v -s state
[...]
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
[...]

But after a few minutes the state goes away on both firewalls.

Both systems are running FreeBSD 6.1-p2.

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 7 18:32:49 2006
From: rand@meridian-enviro.com (Douglas K. Rand)
To: freebsd-pf@freebsd.org
Date: 07 Jul 2006 13:32:26 -0500
Message-ID: <87zmfl466d.fsf@delta.meridian-enviro.com>
In-Reply-To: <87ejwx1edf.wl%rand@meridian-enviro.com>
References: <87ejwx1edf.wl%rand@meridian-enviro.com>
Subject: Re: pfsync & carp problems

Doug> I'm testing a new set of firewalls using pfsync and carp to replace an
Doug> existing IP Filter firewall and I'm having occasional problems with
Doug> TCP sessions failing over.

Some more information after I discovered the -x loud option to pfctl. When the master firewall goes down and the already established TCP session hangs, I get these messages on the slave:

pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
pf: State failure on: 1 |

And after the master comes up, I see these on the master:

pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=0:0 dir=in,rev
pf: State failure on: 1 |
pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=0:0 dir=in,rev
pf: State failure on: 1 |

The state table on the master includes:

self tcp 67.134.74.224:52173 -> 204.152.184.134:80       TIME_WAIT:TIME_WAIT
   [2943781408 + 65535] wscale 1  [3255565389 + 63712] wscale 0
   age 00:08:29, expires in 00:00:48, 0:1 pkts, 0:40 bytes
self tcp 204.152.184.134:80 <- 67.134.74.224:52173       TIME_WAIT:TIME_WAIT
   [3255565389 + 65160] wscale 0  [2943781408 + 65535] wscale 1
   age 00:08:30, expires in 00:00:48, 0:1 pkts, 0:40 bytes

And the slave has:

self tcp 67.134.74.224:52173 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [2943781408 + 65535] wscale 1  [3255565389 + 63712] wscale 0
   age 00:07:10, expires in 23:56:40, 21109:24835 pkts, 1100808:37201523 bytes
self tcp 204.152.184.134:80 <- 67.134.74.224:52173       ESTABLISHED:ESTABLISHED
   [3255565389 + 65160] wscale 0  [2943781408 + 65535] wscale 1
   age 00:07:10, expires in 23:56:40, 21109:24835 pkts, 1100808:37201523 bytes

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 07:18:16 2006
From: "J. Buck Caldwell"
To: freebsd-pf@freebsd.org, freebsd-stable@freebsd.org
Date: Sat, 08 Jul 2006 02:18:12 -0500
Message-ID: <44AF5C34.8000801@bitparts.org>
Subject: SNMP access to pf ALTQ data?
Forgive the cross-posting, but I think I need a wider audience.

Is it possible to track pf ALTQ usage with MRTG? I notice that FreeBSD's built-in bsnmpd has a module and mibs to support pf, but I know too little about SNMP to figure out how to access the queue stats.

Specifically, I'm looking to make a series of MRTG graphs that show the total bytes that pass through each queue. I figure if worst comes to worst, I can work out a separate program that parses the output of 'pfctl -vsq' and returns that as MRTG-readable input, but it would be much smoother to get it via SNMP, if it can be done.

Any help would be appreciated. I'm sure others would be interested in this as well.

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 08:35:00 2006
From: "Dmitry Andrianov"
Date: Sat, 8 Jul 2006 12:32:13 +0400
Subject: proxies

Hello.

On Linux there are conntrack "modules" for many protocols available which:
1. identify related connections and let them go through firewall (like FTP data is related to FTP control)
2. Let things work through NAT - translate addresses in the FTP control connections, identify different PPTP connections even if they go to the same endpoint etc

So the question is: does pf have anything similar? I'm most interested in FTP, RPC and establishing multiple PPTP connections through NAT to the same endpoint.

Currently I use ftpsesame for FTP - it does its job great but it is FTP specific solution obviously, RPC would require another application listening for traffic (bpf) and changing firewall. Is there a more clean way?
Regards,
Dmitry Andrianov

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 08:44:01 2006
From: Daniel Hartmeier
To: "Douglas K. Rand"
Cc: mcbride@openbsd.org, freebsd-pf@freebsd.org
Date: Sat, 8 Jul 2006 10:43:43 +0200
Message-ID: <20060708084343.GA32262@insomnia.benzedrine.cx>
In-Reply-To: <87zmfl466d.fsf@delta.meridian-enviro.com>
References: <87ejwx1edf.wl%rand@meridian-enviro.com> <87zmfl466d.fsf@delta.meridian-enviro.com>
Subject: Re: pfsync & carp problems

On Fri, Jul 07, 2006 at 01:32:26PM -0500, Douglas K. Rand wrote:

> Some more information after I discovered the -x loud option to
> pfctl. When the master firewall goes down and the already established
> TCP session hangs, I get these messages on the slave:
>
> pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
> pf: State failure on: 1 |

This means the web server is trying to send data to the client that is out of (what pf thinks is legal for) its window.

The last ACK from the client that pf's state saw was 3255562493 (advertising th_win 33304 wscale factor 2^1), hence the upper boundary of what the client accepts is 3255562493 + 2*33304 == seqhi 3255629101.

The packet's end, th_seq 3255634893 + len 1448 == 3255636341 is larger than the client's seqhi 3255629101 (by 7240, which is 5*1448). Hence it is blocked.

The fact that the server retransmits the same segment over and over without going back to older segments probably means that it has gotten an ACK from the client for 3255634893.

So how can the server have received an ACK up to 3255634893 when pf's state has only seen an ACK for 3255562493?

I guess this depends on how you shut down the master in the first place. For instance, if its kernel would, for a brief period of time, continue to forward packets while pf is no longer seeing packets, this would be possible.

Also, there's a certain latency between pf updating its state entry based on a passing packet and pfsync actually transmitting that update to the slave. If an update was lost because the box was shutting down precisely in that moment, I guess there is a chance for such a race.

How are you disconnecting the master? Does this occur when you physically disconnect the ethernet cable towards the server first?
I'm not sure if there's any code that should try to prevent this scenario in a normal shutdown/reboot case (like disabling forwarding or taking down interfaces in a certain order first).

Ryan, do we address this, or is it just a rare but expected case that this might occur? Or did I miss anything and this shouldn't occur for some reason?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 09:03:54 2006
From: Daniel Hartmeier
To: "J. Buck Caldwell"
Cc: Philip Paeps, freebsd-pf@freebsd.org
Date: Sat, 8 Jul 2006 11:02:49 +0200
Message-ID: <20060708090249.GB32262@insomnia.benzedrine.cx>
In-Reply-To: <44AF5C34.8000801@bitparts.org>
References: <44AF5C34.8000801@bitparts.org>
Subject: Re: SNMP access to pf ALTQ data?
On Sat, Jul 08, 2006 at 02:18:12AM -0500, J. Buck Caldwell wrote:

> Is it possible to track pf ALTQ usage with MRTG? I notice that FreeBSD's
> built-in bsnmpd has a module and mibs to support pf, but I know too
> little about SNMP to figure out how to access the queue stats.
>
> Specifically, I'm looking to make a series of MRTG graphs that show the
> total bytes that pass through each queue. I figure if worst comes to
> worst, I can work out a separate program that parses the output of
> 'pfctl -vsq' and returns that as MRTG-readable input, but it would be
> much smoother to get it via SNMP, if it can be done.

Some queue related values are available, take a look at

  http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/

especially the BEGEMOT-PF-MIB.txt file.

But pf_snmp.c doesn't use the DIOCGETQSTATS ioctl to fetch those byte counters you're looking for.

Maybe Philip can add them. One example of how to fetch the queue stats is pfctl itself, another is pfstat-2.2 pf.c query_queues(), see

  http://www.benzedrine.cx/pfstat.html

(make sure to grab pfstat-2.2.tar.gz, older versions didn't fetch queue stats, either)

It's basically just doing DIOCGETQSTATS after DIOCGETALTQ and reading the counters, somewhat depending on queue type.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 11:12:38 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BBA9616A4DD for ; Sat, 8 Jul 2006 11:12:38 +0000 (UTC) (envelope-from freebsd-listen@fabiankeil.de)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0A4B43D49 for ; Sat, 8 Jul 2006 11:12:37 +0000 (GMT) (envelope-from freebsd-listen@fabiankeil.de)
Received: (qmail 8055 invoked from network); 8 Jul 2006 11:12:35 -0000
Received: from unknown (HELO localhost) (775067@[217.50.131.7]) (envelope-sender ) by smtprelay01.ispgateway.de (qmail-ldap-1.03) with SMTP for ; 8 Jul 2006 11:12:35 -0000
Date: Sat, 8 Jul 2006 13:12:25 +0200
From: Fabian Keil
To: Daniel Hartmeier
Message-ID: <20060708131225.51feb8f3@localhost>
In-Reply-To: <20060708090249.GB32262@insomnia.benzedrine.cx>
References: <44AF5C34.8000801@bitparts.org> <20060708090249.GB32262@insomnia.benzedrine.cx>
X-Mailer: Sylpheed-Claws 2.3.1 (GTK+ 2.8.19; i386-portbld-freebsd6.1)
X-PGP-KEY-URL: http://www.fabiankeil.de/gpg-keys/freebsd-listen-2006-08-19.asc
Mime-Version: 1.0
Content-Type: multipart/signed; boundary=Sig_WqfD.y_aPUVjtZjAsuyc4vi; protocol="application/pgp-signature"; micalg=PGP-SHA1
Cc: freebsd-pf@freebsd.org
Subject: pfstat 2.2 and FreeBSD (was: SNMP access to pf ALTQ data?)
X-List-Received-Date: Sat, 08 Jul 2006 11:12:38 -0000

Daniel Hartmeier wrote:

> On Sat, Jul 08, 2006 at 02:18:12AM -0500, J. Buck Caldwell wrote:
>
> > Is it possible to track pf ALTQ usage with MRTG? I notice that
> > FreeBSD's built-in bsnmpd has a module and mibs to support pf, but
> > I know too little about SNMP to figure out how to access the queue
> > stats.

> Some queue-related values are available, take a look at
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/
>
> especially the BEGEMOT-PF-MIB.txt file.
>
> But pf_snmp.c doesn't use the DIOCGETQSTATS ioctl to fetch those byte
> counters you're looking for.
>
> Maybe Philip can add them. One example of how to fetch the queue stats
> is pfctl itself, another is pfstat-2.2 pf.c query_queues(), see
>
> http://www.benzedrine.cx/pfstat.html
>
> (make sure to grab pfstat-2.2.tar.gz, older versions didn't fetch
> queue stats, either)

Yesterday I installed pfstat 2.2 on FreeBSD RELENG_6. It compiled cleanly, but fetching the statistics failed with "ioctl DIOCIGETIFACES not supported by device" (not the exact wording).

To get it running I used:

(update for sysutils/pfstat from 1.7 to 2.2)

Could someone with FreeBSD PF foo please check patch-pf.c for correctness?

Fabian
-- 
http://www.fabiankeil.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFEr5MhjV8GA4rMKUQRAkLbAKC3Ae1z2POamCK+yuHjTgT9U1YNiACg0gBU
hZdOEJE33WwKU49bDk80HS4=
=H68+
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 18:04:52 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B9E416A4E0 for ; Sat, 8 Jul 2006 18:04:52 +0000 (UTC) (envelope-from philip@paeps.cx)
Received: from gateway.nixsys.be (gateway.nixsys.be [195.144.77.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EFA443D4C for ; Sat, 8 Jul 2006 18:04:51 +0000 (GMT) (envelope-from philip@paeps.cx)
Received: from wotan.home.paeps.cx (wotan.home.paeps.cx [IPv6:2001:6f8:32f:10:a00:20ff:fe9b:138c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "wotan.home.paeps.cx", Issuer "NixSys CA" (verified OK)) by gateway.nixsys.be (Postfix) with ESMTP id 6C99040ED; Sat, 8 Jul 2006 20:04:49 +0200 (CEST)
Received: from fasolt.home.paeps.cx (fasolt.home.paeps.cx [IPv6:2001:6f8:32f:10:250:fcff:feb3:b725]) by wotan.home.paeps.cx (Postfix) with ESMTP id AB0D961B0; Sat, 8 Jul 2006 20:04:47 +0200 (CEST)
Received: from fasolt.home.paeps.cx (philip@localhost [127.0.0.1]) by fasolt.home.paeps.cx (8.13.6/8.13.6) with ESMTP id k68I4jSO054633; Sat, 8 Jul 2006 20:04:45 +0200 (CEST) (envelope-from philip@fasolt.home.paeps.cx)
Received: (from philip@localhost) by fasolt.home.paeps.cx (8.13.6/8.13.6/Submit) id k68I4hi3054632; Sat, 8 Jul 2006 20:04:43 +0200 (CEST) (envelope-from philip)
Date: Sat, 8 Jul 2006 20:04:43 +0200
From: Philip Paeps
To: Daniel Hartmeier
Message-ID: <20060708180443.GA21937@fasolt.home.paeps.cx>
References: <44AF5C34.8000801@bitparts.org> <20060708090249.GB32262@insomnia.benzedrine.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060708090249.GB32262@insomnia.benzedrine.cx>
X-Date-in-Rome: ante diem VIII Idus Iulias MMDCCLIX ab Urbe Condida
X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879
X-Message-Flag: Get a proper mailclient!
X-Phase-of-Moon: The Moon is Waxing Gibbous (93% of Full)
Organization: Happily Disorganized
User-Agent: Mutt/1.5.11
Cc: freebsd-pf@freebsd.org
Subject: Re: SNMP access to pf ALTQ data?
X-List-Received-Date: Sat, 08 Jul 2006 18:04:52 -0000

On 2006-07-08 11:02:49 (+0200), Daniel Hartmeier wrote:
> On Sat, Jul 08, 2006 at 02:18:12AM -0500, J. Buck Caldwell wrote:
> > Is it possible to track pf ALTQ usage with MRTG? I notice that FreeBSD's
> > built-in bsnmpd has a module and mibs to support pf, but I know too little
> > about SNMP to figure out how to access the queue stats.
> >
> > Specifically, I'm looking to make a series of MRTG graphs that show the
> > total bytes that pass through each queue. I figure if worst comes to
> > worst, I can work out a separate program that parses the output of 'pfctl
> > -vsq' and returns that as MRTG-readable input, but it would be much
> > smoother to get it via SNMP, if it can be done.
>
> Some queue-related values are available, take a look at
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsnmpd/modules/snmp_pf/
>
> especially the BEGEMOT-PF-MIB.txt file.

I've not had much time lately to keep pf_snmp up to date with reality.

> But pf_snmp.c doesn't use the DIOCGETQSTATS ioctl to fetch those byte
> counters you're looking for.
>
> Maybe Philip can add them.

I'll take a look at that this weekend. Thanks for the tip!

 - Philip

-- 
Philip Paeps                                    Calm down ... it is only ones and zeros
philip@freebsd.org

  "Oh, a very useful philosophical animal, your average tortoise.
   Outrunning metaphorical arrows, beating hares in races... very handy."
                                -- (Terry Pratchett, Small Gods)

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 18:22:57 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 65D0116A4DF for ; Sat, 8 Jul 2006 18:22:57 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA92E43D46 for ; Sat, 8 Jul 2006 18:22:56 +0000 (GMT) (envelope-from phoemix@harmless.hu)
Received: from localhost (localhost [127.0.0.1]) by marvin (Postfix) with ESMTP id C005920001CB; Sat, 8 Jul 2006 20:22:54 +0200 (CEST)
Received: from marvin.harmless.hu ([127.0.0.1]) by localhost (marvin [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13251-08; Sat, 8 Jul 2006 20:22:53 +0200 (CEST)
Received: by marvin (Postfix, from userid 1000) id 1F1E620001C9; Sat, 8 Jul 2006 20:22:53 +0200 (CEST)
Date: Sat, 8 Jul 2006 20:22:53 +0200
To: Dmitry Andrianov
Message-ID: <20060708182252.GA18258@marvin.harmless.hu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
From: phoemix@harmless.hu (Gergely CZUCZY)
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at harmless.hu
Cc: freebsd-pf@freebsd.org
Subject: Re: proxies
X-List-Received-Date: Sat, 08 Jul 2006 18:22:57 -0000

On Sat, Jul 08, 2006 at 12:32:13PM +0400, Dmitry Andrianov wrote:
> Hello.
>
> On Linux there are conntrack "modules" for many protocols available
> which:
> 1. identify related connections and let them go through firewall (like
> FTP data is related to FTP control)
> 2. Let things work through NAT - translate addresses in the FTP control
> connections, identify different PPTP connections even if they go to the
> same endpoint etc
>
> So the question is: does pf have anything similar? I'm most interested
> in FTP, RPC and establishing multiple PPTP connections through NAT to
> the same endpoint.
>
> Currently I use ftpsesame for FTP - it does its job great but it is an FTP
> specific solution obviously, RPC would require another application
> listening for traffic (bpf) and changing firewall. Is there a more clean
> way?

we do it a bit different way.
man ftp-proxy
that's for FTP, but a similar program can be constructed for different protocols

the connection is redirected to the -proxy application, which mines out from the state table where it ought to go, it connects to there, and acts like a proxy all the way.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEr/f8bBsEN0U7BV0RAgduAJ9ccCnvo0fvlv1UUMRq0utXLtiFDwCffFTl
cJTkgW+Z1BLO2lLGgTd9jZc=
=myNz
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 19:36:44 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDDCB16A4DD for ; Sat, 8 Jul 2006 19:36:44 +0000 (UTC) (envelope-from rand@meridian-enviro.com)
Received: from newman.meridian-enviro.com (newman.meridian-enviro.com [207.109.235.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B28243D46 for ; Sat, 8 Jul 2006 19:36:44 +0000 (GMT) (envelope-from rand@meridian-enviro.com)
X-Envelope-To: freebsd-pf@freebsd.org
Received: from delta.meridian-enviro.com (delta.meridian-enviro.com [10.10.10.43]) by newman.meridian-enviro.com (8.13.1/8.13.1) with ESMTP id k68JaY22074851; Sat, 8 Jul 2006 14:36:34 -0500 (CDT) (envelope-from rand@meridian-enviro.com)
Date: Sat, 8 Jul 2006 14:36:34 -0500 (CDT)
From: "Douglas K. Rand"
To: Daniel Hartmeier
In-Reply-To: <20060708084343.GA32262@insomnia.benzedrine.cx>
Message-ID: <20060708143036.B12430@delta.meridian-enviro.com>
References: <87ejwx1edf.wl%rand@meridian-enviro.com> <87zmfl466d.fsf@delta.meridian-enviro.com> <20060708084343.GA32262@insomnia.benzedrine.cx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Scanned: ClamAV 0.88/1589/Fri Jul 7 09:37:51 2006 on newman.meridian-enviro.com
X-Virus-Status: Clean
Cc: mcbride@openbsd.org, freebsd-pf@freebsd.org
Subject: Re: pfsync & carp problems
X-List-Received-Date: Sat, 08 Jul 2006 19:36:44 -0000

>> Some more information after I discovered the -x loud option to
>> pfctl. When the master firewall goes down and the already established
>> TCP session hangs, I get these messages on the slave:

>> pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
>> pf: State failure on: 1 |

> This means the web server is trying to send data to the client that is
> out of (what pf thinks is legal for) its window.

> How are you disconnecting the master? Does this occur when you physically
> disconnect the ethernet cable towards the server first?

I've had my test TCP session hang by using both reboot and shutdown -r and also by dropping the master into the kernel debugger and then after a few minutes "cont"inuing.

> Ryan, do we address this, or is it just a rare but expected case that this
> might occur? Or did I miss anything and this shouldn't occur for some reason?

It doesn't seem too rare to me. My test firewalls are forwarding packets for a single TCP session. (A fetch of a FreeSBIE ISO.) Given two hours I'm confident I can cause the problem to occur. (Admittedly in those two hours I'm causing a failover far more often than production firewalls should see in a year or two. But, and maybe I'm guessing wrong here, I would expect that if a single TCP stream has problems, I'm very likely to see a problem with multiple established sessions.)

Thanks for the response. If you have suggestions on further testing that I should do, I'm game. Far easier now than after they go production. (If they do with pfsync.)

From owner-freebsd-pf@FreeBSD.ORG Sat Jul 8 19:41:41 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C64E16A4DA for ; Sat, 8 Jul 2006 19:41:41 +0000 (UTC) (envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0240143D45 for ; Sat, 8 Jul 2006 19:41:40 +0000 (GMT) (envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44]) by relay1.dataart.com with esmtp (Exim 4.62) (envelope-from ) id 1FzIgM-000PVj-Ll; Sat, 08 Jul 2006 23:41:38 +0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 8 Jul 2006 23:38:55 +0400
Thread-Topic: proxies
Thread-Index: Acaiv0ntEqRBALQURu+wVt3sI41PbQABZdLg
From: "Dmitry Andrianov"
To: "Gergely CZUCZY"
Cc: freebsd-pf@freebsd.org
Subject: RE: proxies
X-List-Received-Date: Sat, 08 Jul 2006 19:41:41 -0000

> we do it a bit different way.
> man ftp-proxy

Well, it is a _completely_ different way. It is only applicable on the gateway router (which performs NAT) but can not be used on our internal router because this way the FTP server does not see the client's real IP.

There are two different things:
a) punching holes in the firewall to accept related connections
b) "patching" traffic to translate IPs contained in the application level data

On the NAT-less router I obviously only need the first. The approach you are suggesting always does both and there is no way of avoiding the second.

> that's for FTP, but a similar program can be constructed for different protocols

Actually, my question was if PPTP, H323 etc modules are _already_ available. From your answer I guess no...

Thanks

Regards,
Dmitry Andrianov
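Dmitry's distinction between (a) recognising the related data connection and (b) rewriting the address carried in the FTP control channel is the core of what a conntrack helper or ftp-proxy does, so here is an added example that implements both halves separately for FTP. This is illustration code written for this thread, not code from pf, ftp-proxy, ftpsesame or Linux conntrack. The addresses, ports and control-channel lines in it are constructed; the FTP syntax (`PORT h1,h2,h3,h4,p1,p2` from the client, `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` from the server) is RFC 959. The bounce check and the refusal of privileged data ports are common helper sanity checks, included as the caveat a NAT-less router still needs even when it only does (a).

```python
"""Minimal FTP 'related connection' helper split into the two jobs Dmitry
describes: (a) derive the data connection the firewall must admit, and
(b) rewrite the address inside a PORT command for NAT.  Added example for
this thread; not code from pf, ftp-proxy, ftpsesame or Linux conntrack.
All addresses and control lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (client) / 227 ... (h1,h2,h3,h4,p1,p2) (server)
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.I)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Flow:
    """The data connection to admit: sport None means 'any source port'."""
    src: str
    sport: Optional[int]
    dst: str
    dport: int


def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        # Common helper sanity check: never open a hole towards a privileged port.
        raise ValueError("refusing data port %d" % port)
    return host, port


def expected_data_flow(line, client_ip, server_ip, sender):
    """(a) Return the Flow implied by one control-channel line, or None if
    the line is neither a PORT command nor a 227 reply.  sender is
    'client' or 'server'.  The address inside the command must belong to
    the peer that sent it; anything else is an FTP bounce attempt and
    the firewall must not open a hole for it."""
    if sender == "client":
        m = _PORT_RE.match(line)
        if not m:
            return None
        host, port = _decode(m.groups())
        if host != client_ip:
            raise ValueError("PORT names %s but client is %s (bounce)" % (host, client_ip))
        # Active mode: the server connects from port 20 to the client.
        return Flow(server_ip, 20, host, port)
    m = _PASV_RE.match(line)
    if not m:
        return None
    host, port = _decode(m.groups())
    if host != server_ip:
        raise ValueError("227 names %s but server is %s" % (host, server_ip))
    # Passive mode: the client connects from any port to the server.
    return Flow(client_ip, None, host, port)


def rewrite_port_for_nat(line, inside_ip, outside_ip):
    """(b) What only the NAT gateway has to do: replace the client's inside
    address in PORT with the gateway's outside address, and return the
    inbound mapping (outside_ip, port) -> (inside_ip, port) that the
    gateway must install so the server's connection reaches the client."""
    m = _PORT_RE.match(line)
    if not m:
        return line, None
    host, port = _decode(m.groups())
    if host != inside_ip:
        raise ValueError("PORT names %s, not the translated client %s" % (host, inside_ip))
    o = outside_ip.split(".")
    new_line = "PORT %s,%s,%s,%s,%d,%d\r\n" % (o[0], o[1], o[2], o[3], port // 256, port % 256)
    return new_line, ((outside_ip, port), (inside_ip, port))
```

On the internal, NAT-less router only `expected_data_flow()` is needed: the hole it returns is the whole job, and the server still sees the client's real address. On the gateway, `rewrite_port_for_nat()` is needed as well, and since the rewritten line can differ in length from the original (it happens not to here), everything that follows on the control connection shifts its TCP sequence numbers; in-kernel helpers carry a sequence-offset adjustment for that, and ftp-proxy avoids the problem by terminating both TCP connections itself, which is exactly why it always does (b) along with (a).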
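Back to the pfsync thread: the `pf: BAD state` / `State failure on: 1 |` pair that Douglas K. Rand quotes is pf's sequence-tracking diagnostic, and its numbers can be checked by hand. The following added example re-implements the six checks that pf numbers in that message and runs them on the exact values from the quoted log line. It is modeled on `pf_test_state_tcp()` in pf.c of that era and is not pf code; the `Peer` class is a stand-in for pf's state structure, and the assumption that the first bracket printed is the client (67.134.74.224:52173) and the second the web server (204.152.184.134:80) is taken from the sequence numbers themselves (the server's `ack=2943781408` equals the first bracket's `lo`).

```python
"""Re-implementation of the sequence checks behind pf's
"pf: State failure on: 1 2 3 4 | 5 6" line, applied to the BAD state
entry quoted in the pfsync thread.  Added example modeled on
pf_test_state_tcp() in pf.c; not pf code, and Peer is a stand-in for
pf's own state structure."""
from dataclasses import dataclass

MASK = 0xFFFFFFFF
MAXACKWINDOW = 0xFFFF + 1500   # pf's fudge factor on top of a 16-bit window
TCPS_SYN_SENT, TCPS_ESTABLISHED, TCPS_FIN_WAIT_2 = 2, 4, 9


def s32(x):
    """Reduce modulo 2**32 and read as signed, as tcp_seq.h's SEQ_* macros do."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x


def seq_geq(a, b):
    return s32(a - b) >= 0


@dataclass
class Peer:
    """One side of a pf TCP state as pf_print_peer() shows it:
    [lo=seqlo high=seqhi win=max_win modulator=... wscale=wscale]."""
    seqlo: int
    seqhi: int
    max_win: int
    wscale: int
    state: int   # TCPS_* value; pf prints the pair as "src:dst", e.g. 4:4


def failed_checks(src, dst, seq, ack, plen, syn=False, fin=False):
    """Return (failed check numbers, ackskew) for one segment.  src is the
    peer that SENT the segment, dst the peer receiving it.  Checks 1-4
    gate normal tracking; 5-6 are the wider bounds pf accepts on their
    own only while one side is still outside the established range."""
    end = (seq + plen + int(syn) + int(fin)) & MASK
    dws, sws = dst.wscale, src.wscale
    ackskew = s32(dst.seqlo - ack)
    failed = []
    if not seq_geq(src.seqhi, end):                          # 1: last octet inside receiver's window
        failed.append(1)
    if not seq_geq(seq, src.seqlo - (dst.max_win << dws)):   # 2: retransmit at most one window back
        failed.append(2)
    if not ackskew >= -MAXACKWINDOW:                         # 3: ack not too far forward
        failed.append(3)
    if not ackskew <= (MAXACKWINDOW << sws):                 # 4: ack not too far back
        failed.append(4)
    if not seq_geq(src.seqhi + MAXACKWINDOW, end):           # 5: loose upper bound
        failed.append(5)
    if not seq_geq(seq, src.seqlo - MAXACKWINDOW):           # 6: loose lower bound
        failed.append(6)
    return failed, ackskew


def loose_tracking_allowed(src, dst):
    """pf falls back to checks 5/6 alone only during handshake or teardown."""
    return (dst.state < TCPS_SYN_SENT or dst.state >= TCPS_FIN_WAIT_2
            or src.state >= TCPS_FIN_WAIT_2)


# Values copied from the quoted log line.  First bracket: the client
# 67.134.74.224:52173; second bracket: the web server 204.152.184.134:80;
# state 4:4 (ESTABLISHED both ways); the segment is the server's data,
# "seq=3255634893 ack=2943781408 len=1448 ... dir=in,rev".
CLIENT = Peer(2943781408, 2943846943, 33304, 1, TCPS_ESTABLISHED)
SERVER = Peer(3255565389, 3255629101, 65535, 0, TCPS_ESTABLISHED)
LOGGED_SEQ, LOGGED_ACK, LOGGED_LEN = 3255634893, 2943781408, 1448


def analyse_logged_packet():
    """Return (failed checks, ackskew, bytes past seqhi, loose tracking allowed)."""
    failed, ackskew = failed_checks(SERVER, CLIENT, LOGGED_SEQ, LOGGED_ACK, LOGGED_LEN)
    overshoot = s32(LOGGED_SEQ + LOGGED_LEN - SERVER.seqhi)
    return failed, ackskew, overshoot, loose_tracking_allowed(SERVER, CLIENT)


if __name__ == "__main__":
    failed, ackskew, overshoot, loose = analyse_logged_packet()
    print("failed checks:", failed, "ackskew:", ackskew)
    print("segment ends %d bytes past seqhi; loose tracking allowed: %s" % (overshoot, loose))
```

For the quoted line the result is check 1 alone, with `ackskew` 0 as logged: the server's segment ends 7240 bytes beyond the `high` value the slave holds for the server side, which is Daniel's reading of the message. Checks 5 and 6 pass (the overshoot is well under MAXACKWINDOW), but because both peers are in state 4 the loose path is not available and pf drops the segment. When reading such lines in your own logs, the digits before the `|` tell you which strict check failed and the digits after it whether a handshake or teardown state would have let the packet through.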