From owner-freebsd-pf@FreeBSD.ORG Mon Jul 31 03:21:53 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCD5616A4DF for ; Mon, 31 Jul 2006 03:21:53 +0000 (UTC) (envelope-from lists@nabble.com) Received: from talk.nabble.com (www.nabble.com [72.21.53.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90CBC43D5D for ; Mon, 31 Jul 2006 03:21:53 +0000 (GMT) (envelope-from lists@nabble.com) Received: from [72.21.53.38] (helo=jubjub.nabble.com) by talk.nabble.com with esmtp (Exim 4.50) id 1G7OLo-0006Mf-R9 for freebsd-pf@freebsd.org; Sun, 30 Jul 2006 20:21:52 -0700 Message-ID: <5569580.post@talk.nabble.com> Date: Sun, 30 Jul 2006 20:21:52 -0700 (PDT) From: elmer To: freebsd-pf@freebsd.org In-Reply-To: <200607290107.34701.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-Sender: elmer.rivera@gmail.com X-Nabble-From: elmer References: <5540790.post@talk.nabble.com> <20060728124958.opaevzcg04s0gg4s@mail.bafirst.com> <200607290107.34701.max@love2party.net> Subject: Re: enable passive/active ftp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2006 03:21:53 -0000

Hi,

wow it works great, however how do I run this in the background? I can't see it under rc.d/?

thanks
-- 
View this message in context: http://www.nabble.com/enable-passive-active-ftp-tf2015778.html#a5569580
Sent from the freebsd-pf forum at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Mon Jul 31 11:03:42 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1E1E16A56A for ; Mon, 31 Jul 2006 11:03:42 +0000 (UTC) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAB5443DC4 for ; Mon, 31 Jul 2006 11:03:08 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6VB37vj051898 for ; Mon, 31 Jul 2006 11:03:07 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6VB36mn051894 for freebsd-pf@freebsd.org; Mon, 31 Jul 2006 11:03:06 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 31 Jul 2006 11:03:06 GMT Message-Id: <200607311103.k6VB36mn051894@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jul 2006 11:03:42 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271    pf    [pf] cbq scheduler cause bad latency
f [2005/09/13] kern/86072    pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949    pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530 pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems

S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825    pf    [pf] pf reply-to doesn't work
o [2006/03/27] kern/94992    pf    [pf] [patch] pfctl complains about ALTQ m

3 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 1 14:29:27 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BAC3C16A4DF for ; Tue, 1 Aug 2006 14:29:27 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6590E43D55 for ; Tue, 1 Aug 2006 14:29:27 +0000 (GMT) (envelope-from steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id 54F5CB828; Tue, 1 Aug 2006 16:29:25 +0200 (CEST) Date: Tue, 1 Aug 2006 16:29:25 +0200 From: Frank Steinborn To: freebsd-pf@FreeBSD.org Mail-Followup-To: freebsd-pf@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060801142925.54F5CB828@shodan.nognu.de> Cc: Subject: I'm getting sick - Problems filtering IPv6.
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Aug 2006 14:29:27 -0000

At first, here is the complete ruleset:
http://www.nognu.de/~steinex/pf.conf.txt

The Problem:
As you can see, I'm having a stateful outgoing rule for IPv6:

pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

That works just fine. I can ping v6-hosts and surf the web via v6. But I want to open some daemons for the outside world, for example a nameserver:

pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state

Let's try to connect to it now, from another box:

$ telnet 2001:1638:17ad::3 53
Trying 2001:1638:17ad::3...
Connected to 2001:1638:17ad::3.
Escape character is '^]'.

That works just fine! Yay! However, if I try the same on the same box running the named and the filter:

$ telnet 2001:1638:17ad::3 53
Trying 2001:1638:17ad::3...

That's it. It's not possible, and I'm really frustrated for days now. What is actually borked here? Let's have a look on the pflog0, what's dropping:

15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]

Hmm. Bad hdr length? What's up here? If I change the rule

pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

to

pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

all works fine. But that's not what I want, of course. Can anyone give me a clue what's wrong here? Please, it's driving me crazy! :-(

I found one thing about the "bad hdr length" thing on the mailing list, but I'm not sure if it's related. And it's from 2005:
http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

Thanks for *any* hint,
Frank

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 1 17:06:02 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6144C16A4DD for ; Tue, 1 Aug 2006 17:06:02 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3E1343D53 for ; Tue, 1 Aug 2006 17:06:00 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.178.141] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1G7xgq3HlX-0000nC; Tue, 01 Aug 2006 19:05:57 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Tue, 1 Aug 2006 19:05:49 +0200 User-Agent: KMail/1.9.3 References: <20060801142925.54F5CB828@shodan.nognu.de> In-Reply-To: <20060801142925.54F5CB828@shodan.nognu.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1241904.Y88FGmRPQu"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200608011905.55505.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: I'm getting sick - Problems filtering IPv6.
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Aug 2006 17:06:02 -0000

On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> At first, here is the complete ruleset:
> http://www.nognu.de/~steinex/pf.conf.txt
>
> The Problem:
> As you can see, I'm having a stateful outgoing rule for IPv6:
>
> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate
> state
>
> That works just fine. I can ping v6-hosts and surf the web via v6. But
> I want to open some daemons for the outside world, for example a
> nameserver:
>
> pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3
> port 53 modulate state
>
> Let's try to connect to it now, from another box:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
> Connected to 2001:1638:17ad::3.
> Escape character is '^]'.
>
> That works just fine! Yay! However, if I try the same on the same box
> running the named and the filter:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
>
> That's it. It's not possible, and I'm really frustrated for days now.
> What is actually borked here? Let's have a look on the pflog0, what's
> dropping:
>
> 15:26:35.983709 rule 1/0(match): block in on gif0:
> 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> length 4 - too short, < 20]
>
> Hmm. Bad hdr length? What's up here? If I change the rule

This really just is an artefact from a too short snaplen. Use -s 1500 and you get rid of it.

The strange thing, however, is that this is the reply *from* port 53. So this means the initial SYN got through alright. Can you check if a state has been created (pfctl -vss) for that connection, please. I suspect that it has and the problem would be that the reply doesn't match the state - for whatever reason. Please check if there is a state and let me know - thanks.

> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate
> state
> to
> pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> all works fine. But that's not what I want, of course. Can anyone give
> me a clue what's wrong here? Please, it's driving me crazy! :-(
>
> I found one thing about the "bad hdr length" thing on the mailing list,
> but I'm not sure if it's related. And it's from 2005:
> http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 1 17:20:48 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2511116A4DE for ; Tue, 1 Aug 2006 17:20:48 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id D184843D9A for ; Tue, 1 Aug 2006 17:20:46 +0000 (GMT) (envelope-from steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id 5ED63B81E; Tue, 1 Aug 2006 19:20:45 +0200 (CEST) Date: Tue, 1 Aug 2006 19:20:45 +0200 From: Frank Steinborn To: Max Laier Mail-Followup-To: Max Laier ,
freebsd-pf@freebsd.org References: <20060801142925.54F5CB828@shodan.nognu.de> <200608011905.55505.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200608011905.55505.max@love2party.net> User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060801172045.5ED63B81E@shodan.nognu.de> Cc: freebsd-pf@freebsd.org Subject: Re: I'm getting sick - Problems filtering IPv6. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Aug 2006 17:20:48 -0000

Max Laier wrote:
> On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> > That's it. It's not possible, and I'm really frustrated for days now.
> > What is actually borked here? Let's have a look on the pflog0, what's
> > dropping:
> >
> > 15:26:35.983709 rule 1/0(match): block in on gif0:
> > 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> > length 4 - too short, < 20]
> >
> > Hmm. Bad hdr length? What's up here? If I change the rule
>
> This really just is an artefact from a too short snaplen. Use -s 1500 and you
> get rid of it.
>
> The strange thing, however, is that this is the reply *from* port 53. So this
> means the initial SYN got through alright. Can you check if a state has been
> created (pfctl -vss) for that connection, please. I suspect that it has and
> the problem would be that the reply doesn't match the state - for whatever
> reason. Please check if there is a state and let me know - thanks.

Hello Max,

a state is created, yes:

self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]       SYN_SENT:ESTABLISHED
   [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
   [1845438366 + 4880](+1776883750)  [3423429433 + 65535](+3331864375)
   age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes
   age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453 bytes
   age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333 bytes

Strange thing :-(

Thanks,
Frank

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:07:41 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F80D16A4DE for ; Wed, 2 Aug 2006 14:07:41 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2776643D79 for ; Wed, 2 Aug 2006 14:07:39 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.177.237] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1G8HIF13cH-0003W0; Wed, 02 Aug 2006 16:01:51 +0200 From: Max Laier Organization: FreeBSD To: Frank Steinborn Date: Wed, 2 Aug 2006 16:01:42 +0200 User-Agent: KMail/1.9.3 References: <20060801142925.54F5CB828@shodan.nognu.de> <200608011905.55505.max@love2party.net> <20060801172045.5ED63B81E@shodan.nognu.de> In-Reply-To: <20060801172045.5ED63B81E@shodan.nognu.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1608172.dqaTIbRbDV"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit
Message-Id: <200608021601.49038.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-pf@freebsd.org Subject: Re: I'm getting sick - Problems filtering IPv6. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 14:07:41 -0000

On Tuesday 01 August 2006 19:20, Frank Steinborn wrote:
> Max Laier wrote:
> > On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> > > That's it. It's not possible, and I'm really frustrated for days now.
> > > What is actually borked here? Let's have a look on the pflog0, what's
> > > dropping:
> > >
> > > 15:26:35.983709 rule 1/0(match): block in on gif0:
> > > 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> > > length 4 - too short, < 20]
> > >
> > > Hmm. Bad hdr length? What's up here? If I change the rule
> >
> > This really just is an artefact from a too short snaplen. Use -s 1500
> > and you get rid of it.
> >
> > The strange thing, however, is that this is the reply *from* port 53. So
> > this means the initial SYN got through alright. Can you check if a state
> > has been created (pfctl -vss) for that connection, please. I suspect
> > that it has and the problem would be that the reply doesn't match the
> > state - for whatever reason. Please check if there is a state and let
> > me know - thanks.
>
> Hello Max,
>
> a state is created, yes:
>
> self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
> SYN_SENT:ESTABLISHED
> [342525613 + 65536](+2469478632) wscale 1 [3355548528 +
> 65537](+82545723) wscale 1
> [1845438366 + 4880](+1776883750) [3423429433 + 65535](+3331864375)
> age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450
> bytes
> age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453
> bytes
> age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333
> bytes
>
>
> Strange thing :-(

Indeed, and far from what I expected to see. These states exist for a long time and have seen lots of packets in both directions. Are you sure you copied the right counters for that state? Can you please enable extended logging with "pfctl -x misc" and report any related messages from console. Also, please recheck pfctl -vss for the right state counters. I do get this right, the "telnet 2001:1638:17ad::3 53" stalled right away?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:21:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30D7016A4E2 for ; Wed, 2 Aug 2006 14:21:34 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9075443D53 for ; Wed, 2 Aug 2006 14:21:31 +0000 (GMT) (envelope-from
steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id D0BBDB81E; Wed, 2 Aug 2006 16:21:29 +0200 (CEST) Date: Wed, 2 Aug 2006 16:21:29 +0200 From: Frank Steinborn To: Max Laier Mail-Followup-To: Max Laier , freebsd-pf@freebsd.org References: <20060801142925.54F5CB828@shodan.nognu.de> <200608011905.55505.max@love2party.net> <20060801172045.5ED63B81E@shodan.nognu.de> <200608021601.49038.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200608021601.49038.max@love2party.net> User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060802142129.D0BBDB81E@shodan.nognu.de> Cc: freebsd-pf@freebsd.org Subject: Re: I'm getting sick - Problems filtering IPv6. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 14:21:34 -0000

Max Laier wrote:
> >
> > Hello Max,
> >
> > a state is created, yes:
> >
> > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
> > SYN_SENT:ESTABLISHED
> > [342525613 + 65536](+2469478632) wscale 1 [3355548528 +
> > 65537](+82545723) wscale 1
> > [1845438366 + 4880](+1776883750) [3423429433 + 65535](+3331864375)
> > age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450
> > bytes
> > age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453
> > bytes
> > age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333
> > bytes
> >
> >
> > Strange thing :-(
>
> Indeed, and far from what I expected to see. These states exist for a long
> time and have seen lots of packets in both directions. Are you sure you
> copied the right counters for that state? Can you please enable extended
> logging with "pfctl -x misc" and report any related messages from console.
> Also, please recheck pfctl -vss for the right state counters. I do get this
> right, the "telnet 2001:1638:17ad::3 53" stalled right away?

You are correct, I probably tried too many telnets so that states are left. I did it again, and here is the state from the telnet:

self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]       SYN_SENT:ESTABLISHED
   [2728554970 + 65536](+2360520929) wscale 1  [1947983223 + 65537](+3290820275) wscale 1
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45

There is nothing logged on the console due to pfctl -x misc, so I tried pfctl -x loud. However, the only thing I see are some

"fingerprinted 84.191.87.127:64944 8576:118:0:48:403 (4) (TS=,M=536,W=0)" (IPs vary, of course, can't find v6 however)

and

"osfp no match against 3400000".

But I guess that's not important here.

And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just stalls and times out after some time (even when I try block-policy return). But only on the box itself where pf and named is running, other boxes can access it fine.

Thanks,
Frank

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:26:25 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F24C16A4DD for ; Wed, 2 Aug 2006 14:26:25 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id C57D843D49 for ; Wed, 2 Aug 2006 14:26:24 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.177.237] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1G8Hfz2CaI-0005nu; Wed, 02 Aug 2006 16:26:24 +0200 From: Max Laier Organization: FreeBSD To: Frank Steinborn Date: Wed, 2 Aug 2006 16:26:11 +0200 User-Agent: KMail/1.9.3 References: <20060801142925.54F5CB828@shodan.nognu.de> <200608021601.49038.max@love2party.net> <20060802142129.D0BBDB81E@shodan.nognu.de> In-Reply-To: <20060802142129.D0BBDB81E@shodan.nognu.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1283078.kltt9RE5x8"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200608021626.21964.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-pf@freebsd.org Subject: Re: I'm getting sick - Problems filtering IPv6.
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 14:26:25 -0000

On Wednesday 02 August 2006 16:21, Frank Steinborn wrote:
> Max Laier wrote:
> > > Hello Max,
> > >
> > > a state is created, yes:
> > >
> > > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
> > > SYN_SENT:ESTABLISHED
> > > [342525613 + 65536](+2469478632) wscale 1 [3355548528 +
> > > 65537](+82545723) wscale 1
> > > [1845438366 + 4880](+1776883750) [3423429433 + 65535](+3331864375)
> > > age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450
> > > bytes
> > > age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453
> > > bytes
> > > age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333
> > > bytes
> > >
> > >
> > > Strange thing :-(
> >
> > Indeed, and far from what I expected to see. These states exist for a
> > long time and have seen lots of packets in both directions. Are you sure
> > you copied the right counters for that state? Can you please enable
> > extended logging with "pfctl -x misc" and report any related messages
> > from console. Also, please recheck pfctl -vss for the right state
> > counters. I do get this right, the "telnet 2001:1638:17ad::3 53" stalled
> > right away?
>
> You are correct, I probably tried too many telnets so that states are
> left. I did it again, and here is the state from the telnet:
>
> self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]
> SYN_SENT:ESTABLISHED
> [2728554970 + 65536](+2360520929) wscale 1 [1947983223 +
> 65537](+3290820275) wscale 1
> age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45
>
> There is nothing logged on the console due to pfctl -x misc, so I
> tried pfctl -x loud. However, the only thing I see are some
>
> "fingerprinted 84.191.87.127:64944 8576:118:0:48:403 (4)
> (TS=,M=536,W=0)" (IPs vary, of course, can't find v6 however)
>
> and
>
> "osfp no match against 3400000".
>
> But I guess that's not important here.
>
> And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just
> stalls and times out after some time (even when I try block-policy
> return). But only on the box itself where pf and named is running,
> other boxes can access it fine.

I have to try to reproduce this locally. What version are you running again?

Anyone seen similar things?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:35:09 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E03FC16A4DE for ; Wed, 2 Aug 2006 14:35:09 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A8EA43D46 for ; Wed, 2 Aug 2006 14:35:09 +0000 (GMT) (envelope-from steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id D75D4B828; Wed, 2 Aug 2006 16:35:08 +0200 (CEST) Date: Wed, 2 Aug 2006 16:35:08 +0200 From: Frank Steinborn To: Max Laier Mail-Followup-To: Max Laier , freebsd-pf@freebsd.org References: <20060801142925.54F5CB828@shodan.nognu.de> <200608021601.49038.max@love2party.net> <20060802142129.D0BBDB81E@shodan.nognu.de> <200608021626.21964.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200608021626.21964.max@love2party.net> User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060802143508.D75D4B828@shodan.nognu.de> Cc: freebsd-pf@freebsd.org Subject: Re: I'm getting sick - Problems filtering IPv6.
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 14:35:10 -0000

Max Laier wrote:
> I have to try to reproduce this locally. What version are you running again?
>
> Anyone seen similar things?

6.1-RELEASE-p3. I'd give you access to this box, if this helps.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:53:03 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2006B16A4DF for ; Wed, 2 Aug 2006 14:53:03 +0000 (UTC) (envelope-from rajkumars@gmail.com) Received: from wx-out-0102.google.com (wx-out-0102.google.com [66.249.82.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id A3EE743D70 for ; Wed, 2 Aug 2006 14:53:02 +0000 (GMT) (envelope-from rajkumars@gmail.com) Received: by wx-out-0102.google.com with SMTP id i27so560229wxd for ; Wed, 02 Aug 2006 07:53:02 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=mn+eOPPjNJXpYRjJVyW7AqS35VzzOJPzaKSqOz0T7AbA4E9vqR/zHas8xC/R0M4ARpXIYv82901L9zCt2cDKAldFDq4jwD0cBMgbZuvCQbl1ugG2vdbIUJyI5FNHgG68xsEnKMHhKtHsS8z9MHqJVOD71iqevG82+QNQ+ZXBN4I= Received: by 10.78.107.8 with SMTP id f8mr355829huc; Wed, 02 Aug 2006 07:53:01 -0700 (PDT) Received: by 10.78.120.13 with HTTP; Wed, 2 Aug 2006 07:53:01 -0700 (PDT) Message-ID: <64de5c8b0608020753jf859f0cv5a96590f2b67c2e0@mail.gmail.com> Date: Wed, 2 Aug 2006 20:23:01 +0530 From: "Rajkumar S" To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Snort inline for pf?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 14:53:03 -0000

Hi,

Just wondering if there are some experimental patches that can support something similar to divert/QUEUE so that snort_inline can sit in between. I know this is some sort of an FAQ, and in general the answer is no, but just checking if there is something new happening.

raj

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 16:02:55 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E6D8616A4E0; Wed, 2 Aug 2006 16:02:55 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AEF443D4C; Wed, 2 Aug 2006 16:02:55 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.177.237] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1G8JBH1GJr-0000if; Wed, 02 Aug 2006 18:02:48 +0200 From: Max Laier Organization: FreeBSD To: Frank Steinborn Date: Wed, 2 Aug 2006 18:02:38 +0200 User-Agent: KMail/1.9.3 References: <20060801142925.54F5CB828@shodan.nognu.de> <200608021601.49038.max@love2party.net> <20060802142129.D0BBDB81E@shodan.nognu.de> In-Reply-To: <20060802142129.D0BBDB81E@shodan.nognu.de> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1516151.JIObnv37Nv"; protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200608021802.45589.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056
Cc: gnn@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: I'm getting sick - Problems filtering IPv6.
X-List-Received-Date: Wed, 02 Aug 2006 16:02:56 -0000

--nextPart1516151.JIObnv37Nv
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

[please do not cut the audit trail from your replies - it really helps to have all information in one email]

Short recap for everybody: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box. Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0). See below.

On Wednesday 02 August 2006 16:21, Frank Steinborn wrote:
> Max Laier wrote:
> > > Hello Max,
> > >
> > > a state is created, yes:
> > >
> > > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
> > > SYN_SENT:ESTABLISHED
> > > [342525613 + 65536](+2469478632) wscale 1 [3355548528 +
> > > 65537](+82545723) wscale 1
> > > [1845438366 + 4880](+1776883750) [3423429433 + 65535](+3331864375)
> > > age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450
> > > bytes
> > > age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453
> > > bytes
> > > age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333
> > > bytes
> > >
> > >
> > > Strange thing :-(
> >
> > Indeed, and far from what I expected to see. These states exist for a
> > long time and have seen lots of packets in both directions. Are you sure
> > you copied the right counters for that state? Can you please enable
> > extended logging with "pfctl -x misc" and report any related messages
> > from console. Also, please recheck pfctl -vss for the right state
> > counters. I do get this right, the "telnet 2001:1638:17ad::3 53" stalled
> > right away?
>
> You are correct, I probably tried too many telnets so that states are
> left. I did it again, and here is the state from the telnet:
>
> self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]
> SYN_SENT:ESTABLISHED
> [2728554970 + 65536](+2360520929) wscale 1 [1947983223 +
> 65537](+3290820275) wscale 1
> age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45
>
> There is nothing logged on the console due to pfctl -x misc, so I
> tried pfctl -x loud. However, the only thing I see are some
>
> "fingerprinted 84.191.87.127:64944 8576:118:0:48:403 (4)
> (TS=,M=536,W=0)" (IP's vary, of course, can't find v6 however)
>
> and
>
> "osfp no match against 3400000".
>
> But I guess that's not important here.
>
> And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just
> stalls and times out after some time (even when I try block-policy
> return). But only on the box itself where pf and named is running,
> other boxes can access it fine.

Using this simple test ruleset, I was able to spot the problem:

pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
    flags S/SA keep state

tcpdump on pflog0 shows that the initial SYN is coming from bge0. The reply then comes via lo0 and matches the state (if state-policy is floating). The third packet (again via bge0) then no longer matches the state - however:

17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22: S 3551126931:3551126931(0) win 65535
17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535
17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335: S 3700289867:3700289867(0) ack 3551126932 win 65535

Can somebody with a recent OpenBSD box please check the behavior of inet6 routing/interface selection there and report?

As for a fix, I suspect that fixing the inet6 routing/interface selection will be far from trivial (and I have to check with the RFCs to see if we may change it at all). Something is certainly broken in inet6-land as *none* of these packets show up in any bpf - not on lo0 nor on bge0.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1516151.JIObnv37Nv
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQBE0MylXyyEoT62BG0RAjxZAJ9DL9xMxin+RkKiqOCGxS9bi5E+WgCeJcpc
Ln1+Y/4vPvtnvY0ghaKjjb8=
=TF9U
-----END PGP SIGNATURE-----

--nextPart1516151.JIObnv37Nv--

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 4 14:58:54 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 685E016A4E0 for ; Fri, 4 Aug 2006 14:58:54 +0000 (UTC) (envelope-from reed@reedmedia.net)
Received: from reedmedia.net (pool-72-64-101-227.dllstx.fios.verizon.net [72.64.101.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 17CB043D5C for ; Fri, 4 Aug 2006 14:58:54 +0000 (GMT) (envelope-from reed@reedmedia.net)
Received: by glacier.reedmedia.net (Postfix, from
userid 1000) id DCC8B4DBC0; Fri, 4 Aug 2006 09:58:21 -0500 (CDT)
Date: Fri, 4 Aug 2006 09:58:20 -0500 (CDT)
From: "Jeremy C. Reed"
To: freebsd-pf@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: spamd chapter reviewer needed
X-List-Received-Date: Fri, 04 Aug 2006 14:58:54 -0000

I have a chapter about spamd that needs review and improvement. It is BSD licensed and you can freely reuse it if you want.

http://www.reedmedia.net/~reed/tmp-gh786meixfi/pf-book-spamd.20060803.html

If you have any suggestions or examples or feedback, it would be much appreciated.

The chapter could be integrated into the PF FAQ. I converted the PF FAQ to a book format, replaced text diagrams with graphics, added content so the book is usable by four BSD systems, and cleaned up punctuation, grammar, spelling and many, many other improvements including from feedback from around ten reviewers. (I provided well over 25 fixes including spelling to the parent project over six months ago, but they were ignored. Now I have hundreds of changes :)

Thanks,

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Sat Aug 5 00:03:22 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 244A916A4DA for ; Sat, 5 Aug 2006 00:03:22 +0000 (UTC) (envelope-from lists@nabble.com)
Received: from talk.nabble.com (www.nabble.com [72.21.53.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF3F843D45 for ; Sat, 5 Aug 2006 00:03:21 +0000 (GMT) (envelope-from lists@nabble.com)
Received: from [72.21.53.38] (helo=jubjub.nabble.com) by talk.nabble.com with esmtp (Exim 4.50) id 1G99dQ-0006jt-U4 for freebsd-pf@freebsd.org; Fri, 04 Aug 2006 17:03:20 -0700
Message-ID: <5659689.post@talk.nabble.com>
Date: Fri, 4 Aug 2006 17:03:20 -0700 (PDT)
From: GB
To: freebsd-pf@freebsd.org
In-Reply-To: <44BA46C6.6030307@qunec.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-Sender: gbaratto@superb.net
X-Nabble-From: GB
References: <44B8F827.5000602@de.clara.net> <44B9398C.2080307@de.clara.net> <44B948CD.2060003@qunec.net> <44BA46C6.6030307@qunec.net>
Subject: Re: RDR for locally generated traffic
X-List-Received-Date: Sat, 05 Aug 2006 00:03:22 -0000

Christian,

Did you ever manage to resolve this issue?

--
View this message in context: http://www.nabble.com/RDR-for-locally-generated-traffic-tf1947690.html#a5659689
Sent from the freebsd-pf forum at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Sat Aug 5 23:47:17 2006
Return-Path:
X-Original-To: freebsd-pf@FreeBSD.ORG
Delivered-To: freebsd-pf@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFEC716A4DA for ; Sat, 5 Aug 2006 23:47:17 +0000 (UTC) (envelope-from gnn@neville-neil.com)
Received: from mrout1-b.corp.dcn.yahoo.com (mrout1-b.corp.dcn.yahoo.com [216.109.112.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 80DDF43D49 for ; Sat, 5 Aug 2006 23:47:17 +0000 (GMT) (envelope-from gnn@neville-neil.com)
Received: from minion.local.neville-neil.com (proxy7.corp.yahoo.com [216.145.48.98]) by mrout1-b.corp.dcn.yahoo.com (8.13.6/8.13.6/y.out) with ESMTP id k75Nkij3037093; Sat, 5 Aug 2006 16:46:44 -0700 (PDT)
Date: Sat, 05 Aug 2006 12:31:32 -0700
Message-ID:
From: "George V. Neville-Neil"
To: Max Laier
In-Reply-To: <200608021802.45589.max@love2party.net>
References: <20060801142925.54F5CB828@shodan.nognu.de> <200608021601.49038.max@love2party.net> <20060802142129.D0BBDB81E@shodan.nognu.de> <200608021802.45589.max@love2party.net>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (=?ISO-8859-4?Q?Shij=F2?=) APEL/10.6 Emacs/22.0.50 (i386-apple-darwin8.6.1) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: freebsd-pf@FreeBSD.ORG
Subject: Re: I'm getting sick - Problems filtering IPv6.
X-List-Received-Date: Sat, 05 Aug 2006 23:47:18 -0000

At Wed, 2 Aug 2006 18:02:38 +0200, max wrote:
>
> [please do not cut the audit trail from your replies - it really helps to have
> all information in one email]
>
> Short recap for everybody: Using pf stateful rules for inet6 fails for
> connections originating from the firewall itself to a service running on the
> same box. Culprit seems to be interface selection in inet6 (switching
> between the interface that has the address configured and lo0). See below.
>
> On Wednesday 02 August 2006 16:21, Frank Steinborn wrote:
> > Max Laier wrote:
> > > > Hello Max,
> > > >
> > > > a state is created, yes:
> > > >
> > > > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
> > > > SYN_SENT:ESTABLISHED
> > > > [342525613 + 65536](+2469478632) wscale 1 [3355548528 +
> > > > 65537](+82545723) wscale 1
> > > > [1845438366 + 4880](+1776883750) [3423429433 + 65535](+3331864375)
> > > > age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450
> > > > bytes
> > > > age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453
> > > > bytes
> > > > age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333
> > > > bytes
> > > >
> > > >
> > > > Strange thing :-(
> > >
> > > Indeed, and far from what I expected to see. These states exist for a
> > > long time and have seen lots of packets in both directions. Are you sure
> > > you copied the right counters for that state? Can you please enable
> > > extended logging with "pfctl -x misc" and report any related messages
> > > from console. Also, please recheck pfctl -vss for the right state
> > > counters. I do get this right, the "telnet 2001:1638:17ad::3 53" stalled
> > > right away?
> >
> > You are correct, I probably tried too many telnets so that states are
> > left. I did it again, and here is the state from the telnet:
> >
> > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]
> > SYN_SENT:ESTABLISHED
> > [2728554970 + 65536](+2360520929) wscale 1 [1947983223 +
> > 65537](+3290820275) wscale 1
> > age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45
> >
> > There is nothing logged on the console due to pfctl -x misc, so I
> > tried pfctl -x loud. However, the only thing I see are some
> >
> > "fingerprinted 84.191.87.127:64944 8576:118:0:48:403 (4)
> > (TS=,M=536,W=0)" (IP's vary, of course, can't find v6 however)
> >
> > and
> >
> > "osfp no match against 3400000".
> >
> > But I guess that's not important here.
> >
> > And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just
> > stalls and times out after some time (even when I try block-policy
> > return). But only on the box itself where pf and named is running,
> > other boxes can access it fine.
>
> Using this simple test ruleset, I was able to spot the problem:
>
> pass quick on lo0 all
> pass quick on bge0 inet all
> block drop log all
> pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh \
>     flags S/SA keep state
>
> tcpdump on pflog0 shows that the initial SYN is coming from bge0. The reply
> then comes via lo0 and matches the state (if state-policy is floating). The
> third packet (again via bge0) then no longer matches the state - however:
>
> 17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22:
> S 3551126931:3551126931(0) win 65535 2188256 0,sackOK,eol>
>
> 17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335:
> S 3700289867:3700289867(0) ack 3551126932 win 65535 1,nop,nop,timestamp 2188256 2188256,sackOK,eol>
>
> 17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335:
> S 3700289867:3700289867(0) ack 3551126932 win 65535 1,nop,nop,timestamp 2188256 2188256,sackOK,eol>
>
> Can somebody with a recent OpenBSD box please check the behavior of inet6
> routing/interface selection there and report?
>
> As for a fix, I suspect that fixing the inet6 routing/interface selection will
> be far from trivial (and I have to check with the RFCs to see if we may
> change it at all). Something is certainly broken in inet6-land as *none* of
> these packets show up in any bpf - not on lo0 nor on bge0.
>

Please submit a PR.

Later,
George
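The four-rule test ruleset and the three pflog lines Max Laier posted (quoted in full in George's reply above) can be reproduced with a small model of how pf decides on a packet. The following is an added example for this archive page, not code from the thread, from pf or from FreeBSD: it models only what the excerpt exercises, namely that the state table is consulted before the rules, that a state created by an inbound packet is keyed on the packet's direction (so its reply matches only when seen outbound, as pf's lan/ext/gwy state trees do), that state-policy "floating" ignores the interface while "if-bound" includes it, and that the last matching rule wins unless it is "quick". The Packet, Rule and PfModel names, the rule attributes and the run() helper are this example's own; the ruleset, rule numbers, addresses, ports and TCP flags are taken from the quoted message.

```python
# Toy model of pf's state lookup and rule evaluation (added example, not pf code).
# Direction is part of the state key, state-policy may be "floating" or
# "if-bound", and rules are evaluated last-match-wins unless "quick".
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (address, port)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str                  # "in" or "out"
    af: str                         # "inet" or "inet6"
    proto: str
    src: Endpoint
    dst: Endpoint
    flags: str                      # TCP flags set, e.g. "S" or "SA"


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: Optional[str] = None # None matches both directions
    iface: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[Endpoint] = None
    flags: Optional[str] = None     # "S/SA": of the flags in SA, exactly S is set
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.direction, p.direction), (self.iface, p.iface),
                           (self.af, p.af), (self.proto, p.proto), (self.dst, p.dst)):
            if want is not None and want != have:
                return False
        if self.flags is not None:
            want, mask = self.flags.split("/")
            if {f for f in p.flags if f in mask} != set(want):
                return False
        return True


class PfModel:
    def __init__(self, rules: List[Rule], state_policy: str = "floating"):
        self.rules = rules
        self.state_policy = state_policy
        self.states: Dict[tuple, int] = {}      # state key -> creating rule number

    def _key(self, direction: str, p: Packet, src: Endpoint, dst: Endpoint) -> tuple:
        iface = p.iface if self.state_policy == "if-bound" else None
        return (direction, iface, p.proto, src, dst)

    def _insert_state(self, p: Packet, rule_no: int) -> None:
        # Original direction keys on (src, dst); the reply direction on (dst, src).
        other = "out" if p.direction == "in" else "in"
        self.states[self._key(p.direction, p, p.src, p.dst)] = rule_no
        self.states[self._key(other, p, p.dst, p.src)] = rule_no

    def filter(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule number) the way a pflog line reports it."""
        rule_no = self.states.get(self._key(p.direction, p, p.src, p.dst))
        if rule_no is not None:
            return ("pass", rule_no)            # state hit: logged under its creating rule
        decision = None
        for i, r in enumerate(self.rules):      # last match wins unless quick
            if r.matches(p):
                decision = (r.action, i)
                if r.quick:
                    break
        if decision is None:
            return ("pass", None)               # pf's implicit default is pass
        action, i = decision
        if action == "pass" and self.rules[i].keep_state:
            self._insert_state(p, i)
        return (action, i)


# Max Laier's four-rule test ruleset, numbered as pflog prints them.
RULESET = [
    Rule("pass", iface="lo0", quick=True),                           # rule 0
    Rule("pass", iface="bge0", af="inet", quick=True),               # rule 1
    Rule("block"),                                                   # rule 2
    Rule("pass", direction="in", iface="bge0", af="inet6", proto="tcp",
         dst=("3000::1", 22), flags="S/SA", keep_state=True),        # rule 3
]

# The three packets of the pflog excerpt, reconstructed from the thread.
HOST = "3000::1"
PACKETS = [
    Packet("bge0", "in",  "inet6", "tcp", (HOST, 54335), (HOST, 22), "S"),   # SYN
    Packet("lo0",  "out", "inet6", "tcp", (HOST, 22), (HOST, 54335), "SA"),  # SYN-ACK
    Packet("bge0", "in",  "inet6", "tcp", (HOST, 22), (HOST, 54335), "SA"),  # SYN-ACK again
]


def run(state_policy: str = "floating") -> List[Tuple[str, Optional[int]]]:
    pf = PfModel(RULESET, state_policy)
    return [pf.filter(p) for p in PACKETS]
```

With the default floating policy run() yields pass/3, pass/3, block/2, exactly the three logged decisions: the SYN-ACK leaving on lo0 is looked up as an outbound packet and hits the reversed key the inbound SYN created, but the same SYN-ACK re-entering on bge0 is looked up as an inbound packet from port 22 to port 54335, a key the state never had, so it falls through to the ruleset, where rule 3 requires port 22 and flags S/SA and rule 2 blocks everything else. Under "if-bound" the second packet no longer matches the state either and is passed only by rule 0 ("pass quick on lo0 all"), which is why the thread notes that the reply matches the state only when state-policy is floating.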