From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 09:09:28 2007
From: Abdullah Al-Marrie <almarrie@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 14 Jan 2007 12:09:23 +0300
Subject: pf rules to allow tlds

Hello folks,

Is there a way to make a table that contains TLDs to connect to a webserver?

For example, I want to allow users from a country like .sa to connect to the webserver and deny the rest of the hosts.

I searched Google and didn't find a way to do such a thing.

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 09:16:56 2007
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: Abdullah Al-Marrie
Cc: freebsd-pf@freebsd.org
Date: Sun, 14 Jan 2007 10:16:54 +0100
Subject: Re: pf rules to allow tlds

On Sun, Jan 14, 2007 at 12:09:23PM +0300, Abdullah Al-Marrie wrote:
> Hello folks,
>
> Is there a way to make a table that contains TLDs to connect to a webserver?
>
> For example, I want to allow users from a country like .sa to connect to
> the webserver and deny the rest of the hosts.
>
> I searched Google and didn't find a way to do such a thing.

Look up all the CIDRs that were registered by the countries of your choice, put them into a table, and there it goes.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 09:32:00 2007
From: Abdullah Al-Marrie <almarrie@gmail.com>
To: Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Sun, 14 Jan 2007 12:31:58 +0300
Subject: Re: pf rules to allow tlds

On 1/14/07, Gergely CZUCZY wrote:
> On Sun, Jan 14, 2007 at 12:09:23PM +0300, Abdullah Al-Marrie wrote:
> > Hello folks,
> >
> > Is there a way to make a table that contains TLDs to connect to a webserver?
> >
> > For example, I want to allow users from a country like .sa to connect to
> > the webserver and deny the rest of the hosts.
> >
> > I searched Google and didn't find a way to do such a thing.
> Look up all the CIDRs that were registered by the
> countries of your choice, put them into a table, and
> there it goes.
>
> Bye,
>
> Gergely Czuczy
> mailto: gergely.czuczy@harmless.hu
>
> --

I couldn't find accurate info about the CIDRs on the net; besides, they are changing from time to time. I wish I could use domains; if this is an option, please let me know :)

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 09:35:01 2007
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: Abdullah Al-Marrie
Cc: freebsd-pf@freebsd.org
Date: Sun, 14 Jan 2007 10:34:59 +0100
Subject: Re: pf rules to allow tlds

On Sun, Jan 14, 2007 at 12:31:58PM +0300, Abdullah Al-Marrie wrote:
> I couldn't find accurate info about the CIDRs on the net; besides, they
> are changing from time to time. I wish I could use domains; if this is
> an option, please let me know :)

You cannot use domains; there are several reasons for that:

1) pf is not doing domain resolving at packet-matching time
2) DNS names are both changing
3) DNS names can point outside of the given country
4) reverse DNS entries can be missing
5) reverse DNS entries can point outside of the country

Start here: http://www.iana.org/

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 09:59:12 2007
From: Huzeyfe Onal <huzeyfe.onal@gmail.com>
To: Abdullah Al-Marrie
Cc: freebsd-pf@freebsd.org
Date: Sun, 14 Jan 2007 11:59:03 +0200
Subject: Re: pf rules to allow tlds

Hi,

Maybe you can use http://www.ip2country.net/ip2country/ip_country_list.html .

On 1/14/07, Abdullah Al-Marrie wrote:
> On 1/14/07, Gergely CZUCZY wrote:
> > On Sun, Jan 14, 2007 at 12:09:23PM +0300, Abdullah Al-Marrie wrote:
> > > Hello folks,
> > >
> > > Is there a way to make a table that contains TLDs to connect to a webserver?
> > >
> > > For example, I want to allow users from a country like .sa to connect to
> > > the webserver and deny the rest of the hosts.
> > >
> > > I searched Google and didn't find a way to do such a thing.
> > Look up all the CIDRs that were registered by the
> > countries of your choice, put them into a table, and
> > there it goes.
> >
> > Bye,
> >
> > Gergely Czuczy
> > mailto: gergely.czuczy@harmless.hu
> >
> > --
>
> I couldn't find accurate info about the CIDRs on the net; besides, they
> are changing from time to time. I wish I could use domains; if this is
> an option, please let me know :)
>
>
> --
> Regards,
>
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/

-- 
Huzeyfe ONAL
huzeyfe@enderunix.org
http://www.enderunix.org/huzeyfe
+90 555 255 4593

Have you subscribed to the network security list? http://www.huzeyfe.net/netsec.html
---

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 14 14:03:31 2007
From: vicky <myninku@gmail.com>
To: Abdullah Al-Marrie, Gergely CZUCZY
Cc: freebsd-pf@freebsd.org
Date: Mon, 15 Jan 2007 09:03:18 -0000
Subject: Re: pf rules to allow tlds

I use CIDRs for manual routing that goes outside the country or not. Usually that can be known by BGP table routing.

----- Original Message ----- 
From: "Abdullah Al-Marrie"
To: "Gergely CZUCZY"
Cc: freebsd-pf@freebsd.org
Sent: Sunday, January 14, 2007 9:31 AM
Subject: Re: pf rules to allow tlds

> On 1/14/07, Gergely CZUCZY wrote:
>> On Sun, Jan 14, 2007 at 12:09:23PM +0300, Abdullah Al-Marrie wrote:
>> > Hello folks,
>> >
>> > Is there a way to make a table that contains TLDs to connect to a webserver?
>> >
>> > For example, I want to allow users from a country like .sa to connect to
>> > the webserver and deny the rest of the hosts.
>> >
>> > I searched Google and didn't find a way to do such a thing.
>> Look up all the CIDRs that were registered by the
>> countries of your choice, put them into a table, and
>> there it goes.
>>
>> Bye,
>>
>> Gergely Czuczy
>> mailto: gergely.czuczy@harmless.hu
>>
>> --
>
> I couldn't find accurate info about the CIDRs on the net; besides, they
> are changing from time to time. I wish I could use domains; if this is
> an option, please let me know :)
>
>
> --
> Regards,
>
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 15 11:08:21 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 15 Jan 2007 11:08:19 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
f conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    pf accepts nonexistent queue in rules
o kern/106400  pf    fatal trap 12 at restart of PF with ALTQ if ng0 device

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 18 00:07:00 2007
From: Scott Ullrich <sullrich@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 17 Jan 2007 18:38:10 -0500
Subject: Using scrub + rdr gre does not work as expected

Hi,

We are trying to track down an issue when using the Frickin PPTP proxy. When we use "scrub in all random-id fragment reassemble" the GRE traffic fails to get rdr'd properly. If we remove the scrub directive the traffic flows as it should. Here is a look at the state list both ways:

With scrub:

self gre 192.168.10.198 <- 192.168.10.1 MULTIPLE:MULTIPLE
self gre 192.168.1.199 -> 192.168.10.1 SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199 MULTIPLE:MULTIPLE

Without scrub:

self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199 NO_TRAFFIC:SINGLE

Also, why is the IP address changing in these states? We are only using .199 here as a test.

Anyone have an idea? This works okay on OpenBSD 3.6. I am told by the Frickin PPTP author that it works ok on 6.0 but it appears broken on 6.2.

FreeBSD pfsense.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 15:32:48 EST 2007 sullrich@default.domain.com:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386

Thanks in advance!
From owner-freebsd-pf@FreeBSD.ORG Thu Jan 18 19:55:15 2007
From: Scott Ullrich <sullrich@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 18 Jan 2007 14:55:12 -0500
Subject: Re: Using scrub + rdr gre does not work as expected

On 1/17/07, Scott Ullrich wrote:
> Hi,
>
> We are trying to track down an issue when using the Frickin PPTP
> proxy. When we use "scrub in all random-id fragment reassemble" the
> GRE traffic fails to get rdr'd properly. If we remove the scrub
> directive the traffic flows as it should. Here is a look at the state
> list both ways:
>
> With scrub:
>
> self gre 192.168.10.198 <- 192.168.10.1 MULTIPLE:MULTIPLE
> self gre 192.168.1.199 -> 192.168.10.1 SINGLE:NO_TRAFFIC
> self gre 192.168.10.1 -> 192.168.1.199 MULTIPLE:MULTIPLE
>
> Without scrub:
>
> self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199 NO_TRAFFIC:SINGLE
>
> Also, why is the IP address changing in these states? We are only
> using .199 here as a test.
>
> Anyone have an idea? This works okay on OpenBSD 3.6. I am told by
> the Frickin PPTP author that it works ok on 6.0 but it appears broken
> on 6.2.
>
> FreeBSD pfsense.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12
> 15:32:48 EST 2007
> sullrich@default.domain.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
> i386
>
> Thanks in advance!

Here is an update to this. We tried to skip scrubbing on lo0 with "set skip on lo0" but the problem persists. For some reason PF is using the wrong IP address in the state list:

# pfctl -ss | grep gre
self gre 192.168.10.198 <- 192.168.10.1 NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1 SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199 MULTIPLE:MULTIPLE

NOTE: 198 is not even an active host on this network. The host does not exist at all. This seems like a bug.
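The `pfctl -ss` lines in this post have a fixed layout: two addresses for a plain state and three for one that rdr rewrote (redirected-to address <- original destination <- source). As an added example that is not code from the thread, the following parser reads such lines and flags GRE states that name an address outside an assumed inventory of real hosts, which is the check Scott does by eye when he notes that .198 does not exist; the sample lines are the ones from his posts.

```python
"""Parser for `pfctl -ss` state lines in the layout printed by pf on FreeBSD 6.x.

Added example for the post above, not code from the thread. The sample lines
are copied from Scott's posts; KNOWN_HOSTS is an assumed inventory.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed inventory: the hosts that really exist on the two networks in the post.
KNOWN_HOSTS = {"192.168.10.1", "192.168.1.199", "127.0.0.1"}

# State lines copied from the posts (GRE states carry no ports):
#   iface proto A <- B S:S        inbound state, A is the local endpoint
#   iface proto A -> B S:S        outbound state
#   iface proto A <- B <- C S:S   rdr'd inbound state: redirected-to address
#                                 <- original destination <- remote source
SAMPLE_STATES = """\
self gre 192.168.10.198 <- 192.168.10.1 NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1 SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199 MULTIPLE:MULTIPLE
self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199 NO_TRAFFIC:SINGLE
"""

# IPv4 host with an optional :port (TCP/UDP states). IPv6 and the
# parenthesised outbound-NAT form are out of scope and parse as None.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>" + _IP + r")(?::\d+)?\s+(?P<dir>->|<-)\s+"
    r"(?P<b>" + _IP + r")(?::\d+)?"
    r"(?:\s+<-\s+(?P<c>" + _IP + r")(?::\d+)?)?"
    r"\s+(?P<state>[A-Z0-9_]+:[A-Z0-9_]+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    addrs: List[str]      # two addresses, or three for an rdr'd state
    direction: str        # "<-" inbound, "->" outbound
    state: str            # source:destination state, e.g. MULTIPLE:MULTIPLE

    @property
    def translated(self) -> bool:
        """True when pf rewrote the destination (rdr), shown as a third address."""
        return len(self.addrs) == 3

    @property
    def remote(self) -> str:
        """The far-end peer as seen on the wire: always the last address printed."""
        return self.addrs[-1]


def parse_state(line: str) -> Optional[PfState]:
    """Parse one `pfctl -ss` line; None for lines in a layout not handled here."""
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    addrs = [m.group("a"), m.group("b")]
    if m.group("c"):
        addrs.append(m.group("c"))
    try:
        for a in addrs:
            ipaddress.IPv4Address(a)   # rejects octets > 255 that the regex lets through
    except ValueError:
        return None
    return PfState(m.group("iface"), m.group("proto"), addrs,
                   m.group("dir"), m.group("state"))


def unknown_endpoints(text: str, known: Set[str],
                      proto: str = "gre") -> List[Tuple[str, str]]:
    """Return (address, line) pairs for states of `proto` that name an address
    missing from the inventory, e.g. the .198 entry in the post."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st.proto != proto:
            continue
        for a in st.addrs:
            if a not in known:
                hits.append((a, line.strip()))
    return hits


if __name__ == "__main__":
    for addr, line in unknown_endpoints(SAMPLE_STATES, KNOWN_HOSTS):
        print(f"unexpected endpoint {addr} in state: {line}")
```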
From owner-freebsd-pf@FreeBSD.ORG Thu Jan 18 20:05:07 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DD9D016A412 for ; Thu, 18 Jan 2007 20:05:07 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171]) by mx1.freebsd.org (Postfix) with ESMTP id 9B4B413C474 for ; Thu, 18 Jan 2007 20:05:06 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so246976uge for ; Thu, 18 Jan 2007 12:05:05 -0800 (PST) DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=UIL7KqrJzQvBsmJFfSTnMNNHUrb/2epETBfNwXkvzxpHpxhiPrmrxYilpkjNGy9ZHp17ZUAotiZ5oCSAgqvs00wpS6Khi6ubMXBv8TWl4JEwYcvICJMO5qH4ZPIkYBrch9di+wZdPzqWWUYZsyxpeOn0zUauIvfGyToFQy25ZyY= Received: by 10.82.172.15 with SMTP id u15mr340883bue.1169150704779; Thu, 18 Jan 2007 12:05:04 -0800 (PST) Received: by 10.82.184.15 with HTTP; Thu, 18 Jan 2007 12:04:59 -0800 (PST) Message-ID: Date: Thu, 18 Jan 2007 15:04:59 -0500 From: "Scott Ullrich" To: "Daniel Hartmeier" In-Reply-To: <20070118200144.GH22031@insomnia.benzedrine.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20070118200144.GH22031@insomnia.benzedrine.cx> Cc: FreeBSD Subject: Re: Using scrub + rdr gre does not work as expected X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jan 2007 20:05:07 -0000 On 1/18/07, Daniel Hartmeier wrote: > On Thu, Jan 18, 2007 
at 02:55:12PM -0500, Scott Ullrich wrote: > > > NOTE: 198 is not even an active host on this network. The host does > > not exist at all. This seems like a bug. > > Looks like it. Probably only reproducable with the tunnel, too. You > could try to narrow it down further between 'works without scrub' and > 'fails with scrub random-id fragment reassemble', like try just 'scrub' > and toggle 'random-id' and 'fragment reassemble' on and off in all > combinations... Thank you. We will try these combinations. We also plan on turning on debugging in pf using "set debug misc". Hopefully will have some information later tonight/tomorrow. Scott From owner-freebsd-pf@FreeBSD.ORG Thu Jan 18 20:23:47 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 793A416A412 for ; Thu, 18 Jan 2007 20:23:47 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.freebsd.org (Postfix) with ESMTP id E360513C465 for ; Thu, 18 Jan 2007 20:23:46 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.13.8/8.13.4) with ESMTP id l0IK1jIJ017231 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 18 Jan 2007 21:01:45 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.8/8.12.10/Submit) id l0IK1jwC014852; Thu, 18 Jan 2007 21:01:45 +0100 (MET) Date: Thu, 18 Jan 2007 21:01:45 +0100 From: Daniel Hartmeier To: Scott Ullrich Message-ID: <20070118200144.GH22031@insomnia.benzedrine.cx> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.12-2006-07-14 Cc: FreeBSD Subject: Re: Using scrub + rdr gre does not work as expected X-BeenThere: 
On Thu, Jan 18, 2007 at 02:55:12PM -0500, Scott Ullrich wrote:

> NOTE: 198 is not even an active host on this network. The host does
> not exist at all. This seems like a bug.

Looks like it. Probably only reproducible with the tunnel, too. You
could try to narrow it down further between 'works without scrub' and
'fails with scrub random-id fragment reassemble', like try just 'scrub'
and toggle 'random-id' and 'fragment reassemble' on and off in all
combinations...

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 19 05:16:57 2007
From: Tom Uffner
To: freebsd-pf@freebsd.org
Date: Thu, 18 Jan 2007 23:54:22 -0500
Message-ID: <45B04EFE.6090800@uffner.com>
References:
<45B04DF1.40800@uffner.com>
In-Reply-To: <45B04DF1.40800@uffner.com>
Subject: Re: carp & spamd problems when using if_bridge + nat

Tom Uffner wrote:
> I am trying to build a redundant firewall with a NATed interface
> and a bridged DMZ interface. Toward this end i have a pair of machines
> w/ four network interfaces each (bge0, bge1, em0, em1).

sorry, forgot to mention...

6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Sat Jan 6 18:59:09 UTC 2007

tom

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 19 05:16:58 2007
Message-ID: <45B04DF1.40800@uffner.com>
Date: Thu, 18 Jan 2007 23:49:53 -0500
From: Tom Uffner
To: freebsd-pf@freebsd.org
Subject: carp & spamd problems when using if_bridge + nat

I am trying to build a redundant firewall with a NATed interface
and a bridged DMZ interface. Toward this end i have a pair of machines
w/ four network interfaces each (bge0, bge1, em0, em1).

my first thought was to bridge two of these, assign the outside IP to
bridge0, then use the 3rd & 4th for my inside & pfsync interfaces, with
carp0 sharing an ip between the bridge interfaces & carp1 sharing an ip
on the inside interfaces.
eg:

box #0

cloned_interfaces="bridge0 carp0 carp1"
ifconfig_bge0="up polling"
ifconfig_em0="up polling"
ifconfig_bridge0="addm bge0 addm em0 inet 207.245.109.6 netmask 255.255.255.0 up"
ifconfig_bge1="inet 10.10.1.6 netmask 255.255.0.0 up"
ifconfig_em1="inet 192.168.254.6 netmask 255.255.255.0"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
pfsync_enable="YES"
pfsync_syncdev="em1"

box #1

cloned_interfaces="bridge0 carp0 carp1"
ifconfig_bge0="up polling"
ifconfig_em0="up polling"
ifconfig_bridge0="addm bge0 addm em0 inet 207.245.109.7 netmask 255.255.255.0 up"
ifconfig_bge1="inet 10.10.1.7 netmask 255.255.0.0 up"
ifconfig_em1="inet 192.168.254.7 netmask 255.255.255.0"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
pfsync_enable="YES"
pfsync_syncdev="em1"

this didn't work because i couldn't get the carp0 interface to run.

i am now using:

box #0

cloned_interfaces="bridge0 carp0 carp1"
ifconfig_bge0="inet 207.245.109.6 netmask 255.255.255.0 up polling"
ifconfig_bge1="inet 10.10.1.6 netmask 255.255.0.0 up"
ifconfig_em0="up polling"
ifconfig_em1="inet 192.168.254.6 netmask 255.255.255.0"
ifconfig_bridge0="addm bge0 addm em0 up"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
pfsync_enable="YES"
pfsync_syncdev="em1"

box #1

cloned_interfaces="bridge0 carp0 carp1"
ifconfig_bge0="inet 207.245.109.7 netmask 255.255.255.0 up polling"
ifconfig_bge1="inet 10.10.1.7 netmask 255.255.0.0 up"
ifconfig_em0="up polling"
ifconfig_em1="inet 192.168.254.7 netmask 255.255.255.0"
ifconfig_bridge0="addm bge0 addm em0 up"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
pfsync_enable="YES"
pfsync_syncdev="em1"

i am directing traffic from the external router to the firewall with proxy
arp.

this configuration at least comes up and sort of works, but hosts on the
DMZ network (em0) cannot connect to hosts on the inside network (bge1)
and vice versa though they can ping each other.

what am i doing wrong w/ this network topology?

here is my pf.conf:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="bge0"
dmz_if="em0"
int_if="bge1"
pfs_if="em1"
nat_ip="carp0"
vandal_ports="{ 20 21 22 25 53 80 110 143 443 465 587 993 995 2082 2083 2086 \
	2087 2095 2096 3306 6666 }"
vandal_ports_udp="{ 53 123 }"

# Tables: similar to macros, but more flexible for many addresses.
table const { 10.10.1.8 10.10.1.9 10.10.1.11 10.10.1.12 10.10.1.15 10.10.1.23 }
table const { 207.245.109.5 207.245.109.128/25 !207.245.109.128 }
table const { 10.10/16 !10.10.8.6 !10.10.8.5 }
table const { 10.10/16 }
table const { 10.10.1.12 }
table const { 207.245.109.12 }
table const { 207.245.109.15 }
#pass contains ext & no-grey & vandal
table { 207.245.109.12 207.245.109.15 \
	207.245.109.128/25 !207.245.109.128 }
table persist
table persist

# don't filter loopback or virtual interfaces
set skip on { carp0 carp1 }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $int_if:network to any -> $nat_ip

binat on $ext_if from 10.10.1.8 to any -> 207.245.109.8		# hbade.org
binat on $ext_if from 10.10.1.9 to any -> 207.245.109.9		# delawarehomeshow.com
binat on $ext_if from 10.10.1.11 to any -> 207.245.109.11	# gutenberg
binat on $ext_if from 10.10.1.12 to any -> 207.245.109.12	# sedna
binat on $dmz_if from 10.10.1.12 to any -> 207.245.109.12	# sedna

# spamd-setup puts addresses to be redirected into table .
rdr pass on $ext_if proto tcp from to ! port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from ! to ! port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from any to port smtp -> $int_if port 25

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all inbound traffic not matched by a rule below, don't log smb packets
block in log on $ext_if all
block in on $ext_if proto udp from any port 137:139

# return ident instead of dropping to prevent email delay
block return in on $ext_if proto tcp to any port 113

# allow all loopback traffic
pass quick on lo0 all
pass quick on bridge0 all

# block packets claiming to be from an internal address
#antispoof for $ext_if

# allow CARP & pfsync
pass quick on { $pfs_if } proto pfsync keep state (no-sync)
pass on { $ext_if $dmz_if $int_if } proto carp keep state

# allow all traffic on inside interface unless blocked by a rule below
pass on { $dmz_if $int_if } all

# allow all outbound connections
pass out on $ext_if flags S/SA keep state

# allow ssh / scp to entire network
pass in on $ext_if proto tcp to port ssh flags S/SA keep state

# allow ping & traceroute
pass in inet proto icmp

# allow dns queries, etc.
pass in on $ext_if proto {tcp udp} from any to carp0 port domain flags S/SA keep state
pass in log on $ext_if proto {tcp udp} from any to carp1 port domain flags S/SA keep state

# allow outside traffic to vandal
pass on $ext_if proto tcp to port $vandal_ports flags S/SA keep state
pass on $ext_if proto udp to port $vandal_ports_udp keep state
# will need to modify all vandal rules because traffic will transit
# DMZ not EXT interface

# allow passive mode ftp via ftpsesame on vandal
anchor "ftpsesame/*" in on $ext_if proto tcp from any to

# allow vandal & office ntp
pass log on $ext_if proto udp from {207.245.109.5 207.245.121.208/28} \
	to {10.10.1.11 10.10.1.12 207.245.109.14} port ntp keep state

# allow email connections
pass in on $ext_if proto tcp from any \
	to { carp0 } port smtp flags S/SA keep state
pass in on $ext_if proto tcp from any \
	to { } port {submission imap imaps pop3 pop3s} flags S/SA keep state

# allow http / https to some sites
pass in on $ext_if proto tcp from any to port http flags S/SA keep state
pass in on $ext_if proto tcp from any to port https flags S/SA keep state

# secure ldap queries
pass in on $ext_if proto tcp from { 207.245.121.208/28 68.82.150.14 } \
	to carp0 port ldaps flags S/SA keep state

# bacula & amanda
pass in on $ext_if proto tcp from 207.245.109.5 to 10.10.1.11 port 9101:9103 keep state
pass in on $ext_if proto udp from 207.245.109.0/24 to 10.10.1.12 port 10080 keep state
pass in on $ext_if proto udp from 207.245.109.5 port 10080 to 10.10.1.12 keep state

# hbade rules
pass in on $ext_if proto tcp from any to 10.10.1.8 port 3306 flags S/SA keep state
--

it is definitely not optimal but i will worry about that after it works.

the addresses 207.245.109.5 & 207.245.109.129-254 are on the DMZ, the
rest of 207.245.109/24 is NATed to 10.10.1.x if it is in use.
another problem i have is with pf's spamd: for some reason addresses on
the DMZ network don't seem to get redirected to 127.0.0.1:8025, but the
ones on the inside/NAT network do. this doesn't make sense to me because
the rdr is on the outside interface (bge0) where there is no difference
between the two sets of addresses. what is going on here?

thanks,
Tom

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 19 06:24:27 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Andreas Krauß
Date: Fri, 19 Jan 2007 07:24:17 +0100
References: <45B00817.4060509@krauss-privat.de>
In-Reply-To: <45B00817.4060509@krauss-privat.de>
Message-Id: <200701190724.23706.max@love2party.net>
Subject: Re: dhclient - new IP via DHCP on WAN - NAT dont work
[ Moving badly filed pf(sense) PR to the more appropriate list ]

On Friday 19 January 2007 00:51, Andreas Krauß wrote:
> Hi FreeBSD-Team,
>
> i use "pfSense", a FreeBSD based Firewall-System, and have a large
> Problem. Please see
>
> http://cvstrac.pfsense.com/tktview?tn=1207

freebsd-stable@ is clearly the wrong mailing list and you do not give
enough details, either. In order to debug this problem we need to know
the pf rules you (or pfsense in this case) are using. In order to
operate with dynamic IPs you need to use the "(ifnX)" syntax - I'm not
sure if pfsense does this by default. In addition there is a problem
with ppp under some circumstances that requires "(tun0:0)" in order to
fully get the IP update.

>
> Ticket 1207: new IP via DHCP on WAN - NAT dont work
>
> I have the same Problem, described at Ticket #1176
> - and I don't know why
> this Ticket was Closed without any Result ???
>
> My pfSense works behind a Cable Modem. Sometimes i get a new
> WAN-IP-Address from my Provider via DHCP.
>
> pfSense updates the Interfaces Page and the complete WebGUI shows
> the new IP. But NAT-Connections to my server behind the Firewall don't
> work.
>
> And it's not a DNS-Problem. My Server behind the Firewall checks the
> IP, and after an IP-Change a little Script makes a DNS update via
> nsupdate. So the resolved IP is correct !!
>
> After a reboot -> pfSense and NAT-Connections work fine !!
>
> Questions - send me a mail.
>
> Best regards
>
> Andreas Krauss
>
> [Append remarks ]
>
>
> Remarks:
>
> /2007-Jan-18 16:07:54 by anonymous:/
> We have attempted to fix this with no luck. This is a FreeBSD dhclient
> issue. Please install FreeBSD and post a bug report to
> freebsd-stable@freebsd.org

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 19 11:04:44 2007
To: Tom Uffner
In-Reply-To: <45B04DF1.40800@uffner.com> (Tom Uffner's message of "Thu, 18 Jan 2007 23:49:53 -0500")
References: <45B04DF1.40800@uffner.com>
Organization: *BSD Users - Fanatics Dept.
From: Marko Lerota
Date: Fri, 19 Jan 2007 11:15:13 +0100
Message-ID: <86k5zjwcem.fsf@sparrow.local>
Cc: freebsd-pf@freebsd.org
Subject: Re: carp & spamd problems when using if_bridge + nat

Tom Uffner writes:

> box #0
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> box #1
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> this didn't work because i couldn't get the carp0 interface to run.

maybe this would help, from pfsync(4):

     If it is preferable that one firewall handle the traffic, the advskew
     on the backup firewall's carp(4) interfaces should be set to something
     higher than the primary's.

You have the same advskew. Also try to remove bridge0 from
cloned_interfaces.
> i am now using:
>
> hosts on the DMZ network (em0) cannot connect to hosts on the inside
> network (bge1) and vice versa though they can ping each other.
>
> here is my pf.conf:
>
> # don't filter loopback or virtual interfaces
> set skip on { carp0 carp1 }

maybe you should have

set skip on { lo0 bridge0 carp0 carp1 }

or

pass quick on lo0 all
pass quick on bridge0 all

before

block in log on $ext_if all

> # block all inbound traffic not matched by a rule below, don't log smb
> packets
> block in log on $ext_if all
> block in on $ext_if proto udp from any port 137:139
>
> # return ident instead of dropping to prevent email delay
> block return in on $ext_if proto tcp to any port 113
>
> # allow all loopback traffic
> pass quick on lo0 all
> pass quick on bridge0 all
>
> # block packets claiming to be from an internal address
> #antispoof for $ext_if
>
> # allow CARP & pfsync
> pass quick on { $pfs_if } proto pfsync keep state (no-sync)
> pass on { $ext_if $dmz_if $int_if } proto carp keep state
>
> # allow all traffic on inside interface unless blocked by a rule below
> pass on { $dmz_if $int_if } all

--
One cannot sell the earth upon which the people walk
Tacunka Witco
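Max Laier's reply above (the "dhclient - new IP via DHCP on WAN" message) says that rules on a WAN interface with a dynamic address must use the "(ifnX)" syntax. The pf.conf fragment below is an added editorial example, not configuration from any message in this thread or from pfSense; the interface name xl0, the 192.168.1.0/24 internal network and the 192.168.1.10 server address are assumptions chosen for illustration. It shows the fragile form of the nat and rdr rules beside the form that follows the lease.

```pf
# Added example, not from the thread: NAT on a WAN interface whose address
# is assigned by DHCP and can change. xl0, 192.168.1.0/24 and 192.168.1.10
# are assumed values for illustration only.
ext_if  = "xl0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Fragile: a bare $ext_if in the translation address is resolved once, when
# the ruleset is loaded. After dhclient obtains a new lease the old address
# stays baked into the rules, and translated and redirected connections
# break until the ruleset is reloaded (the "works again after reboot"
# symptom in the ticket quoted above).
# nat on $ext_if from $int_net to any -> $ext_if
# rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web_srv port 80

# Robust: parentheses make pf track the interface's address at run time,
# so the rules follow an address change without a reload.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# The ":0" modifier limits the expansion to the interface's first address
# and excludes aliases; this is the "(tun0:0)" form Max mentions for ppp.
# nat on tun0 from $int_net to any -> (tun0:0)

# Filter rules for the redirected service and for outbound traffic. The
# pass rule matches the post-rdr destination, since rdr runs first.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check the loaded ruleset with `pfctl -sn`: the translation rules should still show `($ext_if)` in parentheses rather than a fixed address. Two caveats apply even with the dynamic form: states that were created with the old address keep that address until they expire (or are flushed with `pfctl -F states`), and a rule that uses `$ext_if:network` or a literal address elsewhere in the file will still go stale on a lease change.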