From owner-freebsd-pf@FreeBSD.ORG Mon Mar 3 11:07:13 2008
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B38A810656C2 for ; Mon, 3 Mar 2008 11:07:13 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id ACC0F8FC1A for ; Mon, 3 Mar 2008 11:07:13 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m23B7Dro022139 for ; Mon, 3 Mar 2008 11:07:13 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m23B7DMm022135 for freebsd-pf@FreeBSD.org; Mon, 3 Mar 2008 11:07:13 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 3 Mar 2008 11:07:13 GMT
Message-Id: <200803031107.m23B7DMm022135@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 03 Mar 2008 11:07:13 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] [panic] kernel panic with pf and ng
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check
o bin/120974   pf         [patch] bsnmpd(1) snmp_pf module work incorrect when D

11 problems total.
From: "Michael K. Smith - Adhost"
Date: Mon, 3 Mar 2008 09:03:11 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan>
Subject: Confusion about FTP through PF

Hello All:

I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the MAN pages of both don't seem to work.  I actually used them verbatim.  Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front.  $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"

table persist { \
    $liv_ftp_ext, \

nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext

rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int

block in quick on $vlan2_if proto tcp from any to ! port 21

anchor "ftp-proxy/*"

Regards,

Mike
From: "Michael K. Smith - Adhost"
Date: Mon, 3 Mar 2008 15:48:50 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D5203160369992A@ad-exh01.adhost.lan>
Subject: Confusion about PF and FTP

Hello All:

I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the MAN pages of both don't seem to work.  I actually used them verbatim.  Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to ftp at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front.  $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="x.x.x.x"

table persist { \
    $liv_ftp_ext, \

nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext

rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int

block in quick on $vlan2_if proto tcp from any to ! port 21

anchor "ftp-proxy/*"

Regards,

Mike

From: Jeremy Chadwick
To: "Michael K. Smith - Adhost"
Cc: freebsd-pf@freebsd.org
Date: Mon, 3 Mar 2008 17:02:16 -0800
Message-ID: <20080304010216.GA57085@eos.sc1.parodius.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan>
Subject: Re: Confusion about FTP through PF

On Mon, Mar 03, 2008 at 09:03:11AM -0800, Michael K. Smith - Adhost wrote:
> Hello All:

First, is there a reason you sent your message twice, 6 hours apart, with different subject lines?  Sorry if I sound crass, but I'm not sure why you did this.  :-)

> I am confused about using FTP through PF.  We have been running with a
> working ftp-proxy setup that allows our internal servers to ftp out with
> no trouble.  I am now interested in putting an FTP server behind my PF
> configuration and I've not been too successful.
>
> If I am running an FTP server, is it necessary to proxy the connections
> through the PF boxes or can I just allow the FTP connections through PF
> to those servers?  If it's necessary, does anyone have a configuration
> that will work for an FTP server servicing inbound FTP connections from
> the Internet to a server behind PF?

You need to understand the FTP protocol's modes of operation when it comes to data transfers to properly fix your rules.

An FTP server listens on TCP port 21 for incoming connections, which can be referred to as "control" connections (e.g. commands the FTP client is submitting to the server).  However, for directory listings and file transfers, FTP has two modes of operation: active and passive.  The mode used can be selected by the FTP client.
Passive is pretty much the standard mode of operation now in all FTP clients, but supporting both modes is important.  Active mode causes the FTP client to use the PORT command, while passive mode causes the FTP client to use the PASV command.

In active mode, the FTP client will open a listening TCP port (on the client's side), and then send the PORT command to the FTP server, which includes the client's IP and listening port #.  The FTP server, using TCP port 20 (e.g. source = public:20, dest = ftpclient:someport) as its source port, connects to the TCP port specified by the FTP client, and the data transfer begins.  This is a problem for FTP clients behind firewalls, as I'm sure you can imagine -- which is what passive is for.

In passive mode, the FTP client will send a PASV command to the FTP server.  The FTP server will then open a listening TCP port (on the FTP server's side), and will respond to the client's PASV command with the IP address and port # the client should connect to.  The TCP port # used is *dynamic*, which makes it very difficult to properly siphon through a firewall.

There are a couple of workarounds for this.  ftp-proxy is one, but the one I prefer to use is based on this:

FreeBSD's ftpd(8) allows you to specify a range of TCP ports the FTP server will use when opening a listening port on PASV.  See the -U option in the ftpd(8) manpage.  The default range is 49152 to 65535.  With this in mind, you can poke holes in your firewall for those ports, redirecting any connections to 49152:65535 to the FTP server's internal IP address.

This is taken from our pf.conf on our production FTP server.  The FTP server has a public IP address 72.20.106.8, but uses pf(4) to deny all incoming packets and permit all outgoing packets:

# Punch holes for FTP.
# The rule looks complex, so here it is explained:
#
# - Make sure pass rule only applies to 72.20.106.8 (ftp.sc1.parodius.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { ftp, 49152:65535 } modulate state flags S/SA

Understanding how the protocol works is key to understanding how to properly administrate a firewall that has to deal with FTP.  So I hope this helps clear up some of the confusion.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From: philip@FreeBSD.org
To: philip@FreeBSD.org, freebsd-pf@FreeBSD.org, philip@FreeBSD.org
Date: Tue, 4 Mar 2008 06:50:06 GMT
Message-Id: <200803040650.m246o6Uq023544@freefall.freebsd.org>
Subject: Re: bin/120974: [patch] bsnmpd(1) snmp_pf module work incorrect when DIOCGETALTQ return queue list not in qid order

Synopsis: [patch] bsnmpd(1) snmp_pf module work incorrect when DIOCGETALTQ return queue list not in qid order

Responsible-Changed-From-To: freebsd-pf->philip
Responsible-Changed-By: philip
Responsible-Changed-When: Tue Mar 4 06:50:06 UTC 2008
Responsible-Changed-Why:
I'll take this one.  I have some more snmp_pf work in the pipeline.
http://www.freebsd.org/cgi/query-pr.cgi?pr=120974

From: Silver Salonen
To: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 11:43:37 +0200
Message-Id: <200803041143.37873.silver.salonen@gmail.com>
In-Reply-To: <200712180934.58755.silver.salonen@gmail.com>
Subject: Re: occasional "Operation not permitted" on state-mismatch

On Tuesday 18 December 2007 09:34, Silver Salonen wrote:
> Sometimes I get just some connection timeout: CRITICAL - Socket timeout after
> 2 seconds (I don't know what could cause that).
>
> I can see this behaviour in about every FreeBSD/PF machine I have.

Hello.

I'm still sitting on this error.  It hasn't been so urgent as it's working quite OK, so I've been busy with other things.

On testing the connection with the Nagios plugin check_tcp to port 22, I've got the timeouts every minute or so - actually it's quite random and depends on traffic activity.  The tcpdump shows that a packet leaves one side but never reaches the other.  This one seems not to be related to the state-mismatch issue, as the counter doesn't increase or anything.  I set pfctl debugging to 'loud', but I see nothing appearing in the log at the time I get the timeout.

Some observations - connection from port 57733 is successful, but connection from port 57734 times out.
* tcpdump on external interface

SRC:
=====
11:21:07.358157 IP src-bsd.57733 > dst-bsd.ssh: S 57016355:57016355(0) win 65535
11:21:07.380850 IP dst-bsd.ssh > src-bsd.57733: S 3006112695:3006112695(0) ack 57016356 win 65535
11:21:07.381137 IP src-bsd.57733 > dst-bsd.ssh: . ack 1 win 33304
11:21:07.381302 IP src-bsd.57733 > dst-bsd.ssh: F 1:1(0) ack 1 win 33304
11:21:07.401295 IP dst-bsd.ssh > src-bsd.57733: . ack 2 win 33304
11:21:07.414093 IP dst-bsd.ssh > src-bsd.57733: P 1:40(39) ack 2 win 33304
11:21:07.414320 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:07.414333 IP dst-bsd.ssh > src-bsd.57733: F 40:40(0) ack 2 win 33304
11:21:07.414373 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:08.445833 IP src-bsd.57734 > dst-bsd.ssh: S 3894885836:3894885836(0) win 65535
=====

DST:
=====
11:21:07.354764 IP src-bsd.57733 > dst-bsd.ssh: S 57016355:57016355(0) win 65535
11:21:07.354849 IP dst-bsd.ssh > src-bsd.57733: S 3006112695:3006112695(0) ack 57016356 win 65535
11:21:07.368066 IP src-bsd.57733 > dst-bsd.ssh: . ack 1 win 33304
11:21:07.374921 IP src-bsd.57733 > dst-bsd.ssh: F 1:1(0) ack 1 win 33304
11:21:07.375032 IP dst-bsd.ssh > src-bsd.57733: . ack 2 win 33304
11:21:07.387897 IP dst-bsd.ssh > src-bsd.57733: P 1:40(39) ack 2 win 33304
11:21:07.388215 IP dst-bsd.ssh > src-bsd.57733: F 40:40(0) ack 2 win 33304
11:21:07.440012 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:07.440187 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
=====

* tcpdump on pflog0

For observing action from PF point of view, I set logging on these rules:

SRC:
=====
pass out log on $ext_if proto tcp all modulate state queue(std, tcp_ack)
=====

DST:
=====
block log all
pass in log on $ext_if proto tcp from $src to ($ext_if) port ssh
pass out log on $ext_if proto tcp from ($ext_if) port ssh to any queue (ssh_bulk ssh_login)
pass in log on $ext_if proto tcp from $src to ($ext_if) port ssh queue ssh
=====

So 'tcpdump -i pflog0 -nettt' shows:

SRC:
=====
1. 082479 rule 19/0(match): pass out on fxp0: src-bsd.57733 > dst-bsd.22: S 2351929505:2351929505(0) win 65535
1. 087715 rule 19/0(match): pass out on fxp0: src-bsd.57734 > dst-bsd.22: S 4213894461:4213894461(0) win 65535
=====

DST:
=====
1. 010760 rule 186/0(match): pass in on fxp0: src-bsd.57733 > dst-bsd.22: S 57016355:57016355(0) win 65535
000025 rule 184/0(match): pass out on fxp0: dst-bsd.22 > src-bsd.57733: S 3006112695:3006112695(0) ack 57016356 win 65535
013247 rule 186/0(match): pass in on fxp0: src-bsd.57733 > dst-bsd.22: . ack 1 win 33304
006913 rule 186/0(match): pass in on fxp0: src-bsd.57733 > dst-bsd.22: F 1:1(0) ack 1 win 33304
000022 rule 184/0(match): pass out on fxp0: dst-bsd.22 > src-bsd.57733: . ack 2 win 33304
012858 rule 184/0(match): pass out on fxp0: dst-bsd.22 > src-bsd.57733: P 1:40(39) ack 2 win 33304
000324 rule 184/0(match): pass out on fxp0: dst-bsd.22 > src-bsd.57733: F 40:40(0) ack 2 win 33304
051836 rule 186/0(match): pass in on fxp0: src-bsd.57733 > dst-bsd.22: R 57016357:57016357(0) win 0
000162 rule 186/0(match): pass in on fxp0: src-bsd.57733 > dst-bsd.22: R 57016357:57016357(0) win 0
=====

Any suggestions where the packet is getting lost or how should I debug it further?

-- 
Silver

From: Jeremy Chadwick
To: Silver Salonen
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 02:31:26 -0800
Message-ID: <20080304103126.GA83840@eos.sc1.parodius.com>
References: <200712180934.58755.silver.salonen@gmail.com> <200803041143.37873.silver.salonen@gmail.com>
In-Reply-To: <200803041143.37873.silver.salonen@gmail.com>
Subject: Re: occasional "Operation not permitted" on state-mismatch

On Tue, Mar 04, 2008 at 11:43:37AM +0200, Silver Salonen wrote:
> Any suggestions where the packet is getting lost or how should I debug it
> further?

Something I've seen on RELENG_6 and RELENG_7:

Sometimes using "modulate state" works fine, while in some other cases, using it results in state mismatches.  In those cases, I use "keep state" which appears to work fine.

I don't have the details of all my testing available (I was in a very big hurry to get the issue solved, since it was affecting our production boxes), but reproducing it should be easy once we get our dev/test box in the datacenter.

The only proof I have of this is the state-mismatch counter on our production machines, and reports from users saying "when I scp data to/from some of the boxes, the connection sometimes gets closed randomly" (hence the "I was in a big hurry to fix it" :-) ).

eos# pfctl -s info | grep mismatch
  state-mismatch                     332027            0.1/s

anubis# pfctl -s info | grep mismatch
  state-mismatch                       1514            0.0/s

northstar# pfctl -s info | grep mismatch
  state-mismatch                      12439            0.0/s

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
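Silver's approach above, a capture taken on each end of the same connection and compared by hand, can be automated. The script below is an added example, not code from this thread or from FreeBSD: it parses the two tcpdump captures quoted in Silver's post (the lines are copied from that post; the hostnames src-bsd and dst-bsd come from it too), keys each packet on its addresses, TCP flags and sequence numbers rather than on its timestamp (the two hosts' clocks are not comparable), and reports, per direction, every packet that appears in the sender's capture but not in the receiver's. Multisets are used so that a legitimately repeated packet, such as the two RSTs in the captures, is not flagged.

```python
import re
from collections import Counter

# Capture lines copied from Silver Salonen's post: the same connections as seen
# by tcpdump on the source host (SRC) and on the destination host (DST).
SRC_CAPTURE = """\
11:21:07.358157 IP src-bsd.57733 > dst-bsd.ssh: S 57016355:57016355(0) win 65535
11:21:07.380850 IP dst-bsd.ssh > src-bsd.57733: S 3006112695:3006112695(0) ack 57016356 win 65535
11:21:07.381137 IP src-bsd.57733 > dst-bsd.ssh: . ack 1 win 33304
11:21:07.381302 IP src-bsd.57733 > dst-bsd.ssh: F 1:1(0) ack 1 win 33304
11:21:07.401295 IP dst-bsd.ssh > src-bsd.57733: . ack 2 win 33304
11:21:07.414093 IP dst-bsd.ssh > src-bsd.57733: P 1:40(39) ack 2 win 33304
11:21:07.414320 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:07.414333 IP dst-bsd.ssh > src-bsd.57733: F 40:40(0) ack 2 win 33304
11:21:07.414373 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:08.445833 IP src-bsd.57734 > dst-bsd.ssh: S 3894885836:3894885836(0) win 65535
"""

DST_CAPTURE = """\
11:21:07.354764 IP src-bsd.57733 > dst-bsd.ssh: S 57016355:57016355(0) win 65535
11:21:07.354849 IP dst-bsd.ssh > src-bsd.57733: S 3006112695:3006112695(0) ack 57016356 win 65535
11:21:07.368066 IP src-bsd.57733 > dst-bsd.ssh: . ack 1 win 33304
11:21:07.374921 IP src-bsd.57733 > dst-bsd.ssh: F 1:1(0) ack 1 win 33304
11:21:07.375032 IP dst-bsd.ssh > src-bsd.57733: . ack 2 win 33304
11:21:07.387897 IP dst-bsd.ssh > src-bsd.57733: P 1:40(39) ack 2 win 33304
11:21:07.388215 IP dst-bsd.ssh > src-bsd.57733: F 40:40(0) ack 2 win 33304
11:21:07.440012 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
11:21:07.440187 IP src-bsd.57733 > dst-bsd.ssh: R 57016357:57016357(0) win 0
"""

# One tcpdump line: timestamp, "IP", source endpoint, ">", destination
# endpoint, ":" and the TCP summary (flags, seq, ack, window).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<tcp>.*)$"
)


def parse_capture(text):
    """Return (src_endpoint, dst_endpoint, tcp_summary) for each parseable line.

    The timestamp is dropped on purpose: the two hosts' clocks differ, but
    addresses, flags and sequence numbers are printed identically on both
    ends, so together they identify the same packet in both captures.
    """
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("tcp")))
    return packets


def host_of(endpoint):
    """'src-bsd.57733' -> 'src-bsd' (strip the port or service name)."""
    return endpoint.rsplit(".", 1)[0]


def sent_by(packets, host):
    """Multiset of the packets whose source endpoint belongs to host."""
    return Counter(p for p in packets if host_of(p[0]) == host)


def lost_packets(src_text, dst_text, src_host, dst_host):
    """For each direction, list the packets present in the sender's own
    capture but absent from the receiver's capture."""
    src_pkts = parse_capture(src_text)
    dst_pkts = parse_capture(dst_text)
    lost = {}
    for sender, sender_pkts, receiver, receiver_pkts in (
        (src_host, src_pkts, dst_host, dst_pkts),
        (dst_host, dst_pkts, src_host, src_pkts),
    ):
        # Counter subtraction keeps only the surplus on the sender's side.
        missing = sent_by(sender_pkts, sender) - sent_by(receiver_pkts, sender)
        lost[f"{sender}->{receiver}"] = sorted(
            f"{s} > {d}: {t}" for s, d, t in missing.elements()
        )
    return lost


if __name__ == "__main__":
    result = lost_packets(SRC_CAPTURE, DST_CAPTURE, "src-bsd", "dst-bsd")
    for direction, pkts in result.items():
        print(direction, "lost:", pkts or "none")
```

Run against the two captures it reports exactly one loss, the SYN from port 57734 in the src-bsd to dst-bsd direction, and nothing in the reverse direction, which matches Silver's reading of the dumps. The same comparison works for the pflog0 output once the "rule N/0(match): pass in on fxp0:" prefix is stripped, which is one way to tell a packet that never reached the wire from one that was dropped by a rule.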
From: Silver Salonen
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 12:39:32 +0200
Message-Id: <200803041239.33001.silver.salonen@gmail.com>
In-Reply-To: <20080304103126.GA83840@eos.sc1.parodius.com>
Subject: Re: occasional "Operation not permitted" on state-mismatch

On Tuesday 04 March 2008 12:31, Jeremy Chadwick wrote:
> On Tue, Mar 04, 2008 at 11:43:37AM +0200, Silver Salonen wrote:
> > Any suggestions where the packet is getting lost or how should I debug it
> > further?
>
> Something I've seen on RELENG_6 and RELENG_7:
>
> Sometimes using "modulate state" works fine, while in some other cases,
> using it results in state mismatches.  In those cases, I use "keep
> state" which appears to work fine.
>
> I don't have the details of all my testing available (I was in a very
> big hurry to get the issue solved, since it was affecting our production
> boxes), but reproducing it should be easy once we get our dev/test box
> in the datacenter.
>
> The only proof I have of this is the state-mismatch counter on our
> production machines, and reports from users saying "when I scp data
> to/from some of the boxes, the connection sometimes gets closed
> randomly" (hence the "I was in a big hurry to fix it" :-) ).
>
> eos# pfctl -s info | grep mismatch
>   state-mismatch                     332027            0.1/s
>
> anubis# pfctl -s info | grep mismatch
>   state-mismatch                       1514            0.0/s
>
> northstar# pfctl -s info | grep mismatch
>   state-mismatch                      12439            0.0/s

Actually, as I was saying, in my case the state-mismatch counter isn't increasing on either the source machine or the destination machine.  This issue (the timeout, not the "operation not permitted") seems to be caused by something else.

-- 
Silver

From: "Michael K. Smith - Adhost"
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 11:33:29 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
In-Reply-To: <20080304010216.GA57085@eos.sc1.parodius.com>
References: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com>
Subject: RE: Confusion about FTP through PF

Hello All:

> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
>

Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.

table <ftp_servers> persist { \
    $liv_ftp_ext, \
    $uft_01_ext \
}

block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21

When I load this rule ftp breaks to everything, including the servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?
Regards,

Mike

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 5 01:19:10 2008
From: Jeremy Chadwick
To: "Michael K. Smith - Adhost"
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 17:19:10 -0800
Subject: Re: Confusion about FTP through PF
Message-ID: <20080305011910.GA7678@eos.sc1.parodius.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>

On Tue, Mar 04, 2008 at 11:33:29AM -0800, Michael K. Smith - Adhost wrote:
> > pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> > ftp, 49152:65535 } modulate state flags S/SA
> >
> Thanks to Jeremy for the line above which works like a champ. The last
> piece of the puzzle for me is to block all inbound ftp connections to
> servers other than my ftp servers. I have the following configuration
> to that effect. The two servers in the table are associated with valid,
> outside IP addresses and the table shows up correctly with a
> 'pfctl -t ftp_servers -T show'.
>
> table persist { \
>     $liv_ftp_ext, \
>     $uft_01_ext \
> }
>
> block in log quick on $vlan2_if proto tcp from any to ! port 21
>
> When I load this rule ftp breaks to everything, including the servers.
> Is it not possible to do a "!" in a block rule or is my syntax fubar?

A couple things:

1) What does "breaks to everything" mean? Does it mean the rule starts
blocking traffic, or does it mean the rule works as expected but you get
"random" disconnects once established, etc?

2) It also depends on where in your pf.conf that rule is located.
You're using the "quick" operator, so in the case any incoming packet
matches said criteria, rules past that point will not be analysed. This
might not be the problem at all, but I thought I'd mention it just in
case.

3) I would think that syntax would work, however the pf.conf manpage
doesn't seem to indicate that you can use a ! with a . It does indicate
you can do !1.2.3.4 and so on, but that's not practical in this case.
Folks familiar with pf's parser would have to comment on this.

There's a logical workaround -- use 2 rules:

pass in quick on $vlan2_if proto tcp from any to port 21 modulate state flags S/SA
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA

If this doesn't work, you should consider sniffing the pflog0 interface
(I assume you have pflog enabled in rc.conf) and see what's being
denied:

tcpdump -s 256 -i pflog0

Finally, note that your block entry doesn't specify any TCP flags, so
it's going to block everything, rather than just initial SYN and SYN+ACK
situations. That can sometimes lead to what I described in #1.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
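Points 2 and 3 in the reply above turn on how pf walks its ruleset: rules are scanned in order, the last match wins, and a matching rule marked "quick" ends the scan on the spot. The Python model below is an added example (not code from this thread and not pf's own code) that replays the two-rule workaround and the flag-less block against a few constructed packets; the addresses and the contents of the ftp_servers table are assumptions.

```python
# Added example (not from the thread, not pf's own code): a toy model of how
# pf walks a ruleset. Rules are scanned in order and the LAST matching rule
# wins, except that a matching rule marked `quick` ends the scan at once.
# There is no state table in this model; in pf, packets of an established
# connection normally match their state entry before any rule is consulted.
# All addresses are constructed; FTP_SERVERS stands in for the thread's
# ftp_servers table and FIREWALL_SELF for the pf box's own address.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FTP_SERVER = "203.0.113.10"
FTP_SERVERS = {FTP_SERVER, "203.0.113.11"}  # constructed stand-in for the table
FIREWALL_SELF = "203.0.113.1"               # constructed: the pf device itself
OTHER_HOST = "203.0.113.50"                 # constructed: a non-FTP host behind pf


@dataclass
class Packet:
    dst: str
    dport: int
    flags: str = "S"  # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK


@dataclass
class Rule:
    action: str                                    # "pass" or "block"
    quick: bool = False
    dst: Optional[Set[str]] = None                 # None means "any"
    ports: Optional[List[Tuple[int, int]]] = None  # inclusive (lo, hi) ranges
    flags: Optional[str] = None                    # pf "set/mask", e.g. "S/SA"

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and pkt.dst not in self.dst:
            return False
        if self.ports is not None and not any(
                lo <= pkt.dport <= hi for lo, hi in self.ports):
            return False
        if self.flags is not None:
            want, mask = self.flags.split("/")
            # pf semantics: of the flags named in `mask`, exactly those in
            # `want` must be set; flags outside the mask are ignored.
            if {f for f in pkt.flags if f in mask} != set(want):
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf verdict for one packet: last match wins unless a quick rule matches."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break  # quick: no later rule is consulted
    return verdict


# The two rules of the workaround, in the order given; the pass rule also
# carries the 49152:65535 passive-mode range from the earlier pass rule.
PASS_FTP = Rule("pass", quick=True, dst=FTP_SERVERS,
                ports=[(21, 21), (49152, 65535)], flags="S/SA")
BLOCK_FTP_SYN = Rule("block", quick=True, ports=[(21, 21)], flags="S/SA")
# The original block rule: the same, but with no flags at all.
BLOCK_FTP_ANY_FLAGS = Rule("block", quick=True, ports=[(21, 21)])


def workaround_verdicts() -> Dict[str, str]:
    """Verdicts with pass-then-block ordering (point 2 in the reply)."""
    rules = [PASS_FTP, BLOCK_FTP_SYN]
    return {
        "syn_to_ftp_server_21": evaluate(rules, Packet(FTP_SERVER, 21)),
        "syn_to_ftp_server_passive": evaluate(rules, Packet(FTP_SERVER, 50000)),
        "syn_to_firewall_21": evaluate(rules, Packet(FIREWALL_SELF, 21)),
        "syn_to_other_host_21": evaluate(rules, Packet(OTHER_HOST, 21)),
    }


def reversed_order_verdict() -> str:
    """Block-quick placed first: it ends the scan before the pass rule."""
    return evaluate([BLOCK_FTP_SYN, PASS_FTP], Packet(FTP_SERVER, 21))


def mid_stream_verdicts() -> Dict[str, str]:
    """Point 3: a bare ACK to port 21 (mid-connection traffic) against a
    block rule with flags S/SA versus one with no flags at all."""
    ack = Packet(OTHER_HOST, 21, flags="A")
    return {
        "with_flags_S/SA": evaluate([PASS_FTP, BLOCK_FTP_SYN], ack),
        "without_flags": evaluate([PASS_FTP, BLOCK_FTP_ANY_FLAGS], ack),
    }


if __name__ == "__main__":
    print("pass-then-block:", workaround_verdicts())
    print("block-then-pass:", reversed_order_verdict())
    print("bare ACK to port 21:", mid_stream_verdicts())
```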
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 5 19:03:22 2008
From: "Kuat Eshengazin"
To: freebsd-pf@freebsd.org
Date: Thu, 6 Mar 2008 00:39:01 +0600
Subject: using pf to emulate different source ip's

Hi,

I'm testing a device with an application layer firewall, and one of the
features requires HTTP connections from multiple IP addresses. The device
logs clients' IP addresses and then, depending on a statistical
calculation, tries to do something with such requests in future (block
or pass, for example). The device is directly connected to a machine with
FreeBSD 7.0 + pf.

Is it possible to rewrite source IP addresses with pf? Is it possible to
pick source IP addresses from a table or list randomly / round robin?

I've tried to play with nat rules like

nat on $ext_if inet from $ext_if to any -> 192.168.2.0/24 source-hash

but without much success.

Please CC me when answering.

p.s. Currently what I'm doing is simply changing the interface IP address
with the ifconfig command before each HTTP request.

Thanks in advance

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 5 19:20:21 2008
From: Lorenz Helleis
To: freebsd-pf@freebsd.org
Date: Wed, 5 Mar 2008 11:20:19 -0800 (PST)
Subject: Kernel Tuning
Message-ID: <722346.75611.qm@web53705.mail.re2.yahoo.com>

hello,

Does someone know how to increase the performance of a firewall using
things like kernel tuning??

I had a problem with dropped packets, and to solve this I changed some
items in sysctl:

net.inet.ip.ifq.maxlen=50

I changed this value to 1024 to solve my problem...

Does someone know other values to change to increase the performance, or
to prevent some problem?

thanks..

sorry about my english mistakes ;)

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and
God chose the weak things of this world to confound the strong;

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 13:49:16 2008
From: "Alaor Barroso de Carvalho Neto"
To: freebsd-pf@freebsd.org
Date: Thu, 6 Mar 2008 10:21:19 -0300
Subject: Please help me with my config
Message-ID: <2949641c0803060521t3b4fb141u3201065639f68304@mail.gmail.com>
Hi guyz, let me explain what I have. I work in a school; we have access
to the internet, two internal networks (academic and administrative), and
we have to connect to some servers in another school because we share
databases and do video-conferencing. I have a FreeBSD box with PF and
squid. I want all my web traffic to pass through squid; it's working. I
want the academic net not to be able to communicate with the
administrative net, and the inverse; it's working. But I would like my
adm net to communicate with some servers in the other school's network,
and only those servers, no other IP would be accessible; it's NOT
working. I can ping the servers but I can't connect to the service ports
(SQL Server, and so on).

Here's my pf.conf:

BEGIN OF CONFIG

ext_if="em0"
adm_if="xl0"
acad_if="xl1"
cefet_if="xl2"
all_if="{ em0, xl0, xl1, xl2 }"

ext_net="XXX.XXX.XXX.XXX/XX"
adm_net="192.168.1.0/24"
acad_net="192.168.2.0/24"
cefet_net="10.10.0.0/16"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
internal_nets="{ 192.168.1.0/24, 192.168.2.0/24 }"

tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"

martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return

scrub in all

nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)
rdr on $all_if proto tcp from any to any port $proxy_ports -> 127.0.0.1 port 3128

block all

block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net

pass quick proto icmp from any to any keep state

pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state

block quick from any to $cefet_net
block quick from $cefet_net to any

pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state

antispoof for $all_if

END OF CONFIG

cefet_net is the network of the other school, and cefet_servers are the
servers I want to communicate with. I want all ports and protocols to
these servers, but it's not working.

I need a light guyz.

Thankz, and sorry my poor english.

Alaor Neto

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 14:19:17 2008
From: "Andrey A. Belashkov"
To: freebsd-pf@freebsd.org
Cc: mlaier@freebsd.org, pf@benzedrine.cx
Date: Thu, 6 Mar 2008 15:57:39 +0200
Subject: pf + ftp troubles.
Message-ID: <20080306135739.GD79846@web3.hostdad.com>

Hello.

I need to set up non-standard nat rules in pf for ftp. All outgoing ftp
connections must be nat'ed behind the 172.16.5.10 address assigned by
mpd to ng0.

I set up mpd, the interface is up, and if I use 172.16.5.10 as the
source address for ftp all is fine. But the ftp function in php can't
choose a source address, so I need to use nat.
When I set up pf with the rules:

set optimization normal
set block-policy return
scrub in all
nat on em0 from any to any port { 20 21 } -> 172.16.5.10
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on ng0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out quick on em0 route-to { (ng0 172.16.5.1) } from 172.16.5.10 to any keep state
pass in all
pass out all

and start ftp-proxy with the options "-a 172.16.5.10 -r -vv -m 500" and
try to connect to any ftp server, the server responds and shows me its
login prompt. But when I try to list files on the ftp server, the client
can't set up a data connection, in passive and in active modes.

How can I fix this problem?

OS: FreeBSD 7.0-RELEASE

Thanks, Andrey.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 14:39:33 2008
From: Jeremy Chadwick
To: "Andrey A. Belashkov"
Cc: mlaier@freebsd.org, pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Thu, 6 Mar 2008 06:39:33 -0800
Subject: Re: pf + ftp troubles.
Message-ID: <20080306143933.GA90628@eos.sc1.parodius.com>
In-Reply-To: <20080306135739.GD79846@web3.hostdad.com>

On Thu, Mar 06, 2008 at 03:57:39PM +0200, Andrey A. Belashkov wrote:
> Hello.
> I need setup non standart nat rules by pf for ftp.
> All outgoing ftp connections must nat behind 172.16.5.10 address
> assigned by mpd to ng0.
>
> I setup mpd, interface is up and if i use as source address 172.16.5.10
> for ftp all is fine. But ftp function in php cant choose source address,
> so i need use nat.
>
> When i setup pf with rules:
> set optimization normal
> set block-policy return
> scrub in all
> nat on em0 from any to any port { 20 21 } -> 172.16.5.10
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on ng0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> pass out quick on em0 route-to { (ng0 172.16.5.1) } from 172.16.5.10 to any keep state
> pass in all
> pass out all
>
> and start ftp-proxy with keys "-a 172.16.5.10 -r -vv -m 500" and try to
> connect any ftp server - server respond and show me his login prompt.
> But when i try list files on ftp, client cant setup data connection.
> In passive and in active modes.
>
> How i can fix this problem?

Your pf rules for FTP are wrong. Please see this thread:

http://lists.freebsd.org/pipermail/freebsd-pf/2008-March/004148.html

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 18:05:06 2008
From: ino-news@spotteswoode.dnsalias.org (clemens fischer)
To: freebsd-pf@freebsd.org
Date: Thu, 06 Mar 2008 18:38:11 +0100
Subject: pfsync is version 3 in RELENG_7
Message-ID: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org>

'uname -rms' -> FreeBSD 7.0-STABLE i386

i am looking for a way to get traffic statistics. with "device
pf{,log,sync}" in the kernel config, i have the pfsync device, and
net/pfflowd should analyze the state changes from pf.

i get this:

# pfflowd -D
No export target defined
ZZZZ -1
pfflowd[40130]: pfflowd listening on pfsync0
pfflowd[40130]: Unsupported pfsync version 3, exiting

although http://pf4freebsd.love2party.net/ states:

"In RELENG_7 - pf is at OpenBSD 4.1"

shouldn't pfsync be of a more recent version, then?

regards, clemens

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 18:34:13 2008
From: "Michael K. Smith - Adhost"
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Date: Thu, 6 Mar 2008 10:34:07 -0800
Subject: RE: Confusion about FTP through PF
Message-ID: <17838240D9A5544AAA5FF95F8D52031603699CE4@ad-exh01.adhost.lan>
In-Reply-To: <20080305011910.GA7678@eos.sc1.parodius.com>

Hello Jeremy (et al.):

We found the issue and I wanted to share the solution. As before, this
rule worked as expected:

# --
pass in quick on $vlan2_if inet proto tcp from any to port { ftp, 49152:65535 } modulate state flags S/SA
# --

However, when the following rule was in place, we couldn't get any ftp
traffic to the ftp servers. We tried modifying the rule by replacing !
with individual IP's and server macros, but nothing seemed to fix it.
However, when we removed the rule entirely, we could ftp to the servers,
but we could also ftp to the PF devices themselves, which was not what we
wanted.

#--
block in log quick on $vlan2_if proto tcp from any to ! port 21
#--

Next, we tried this rule, but we experienced the same results.

#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--

Finally, we had success.
#--
block in log on $vlan2_if proto tcp from any to port 21 flags S/SA
#--

Where

#--
table const { self }
#--

This allows ftp traffic through the PF firewall to the ftp servers but
disallows ftp connections to the PF devices themselves. The ftp servers
are allowed to pass with

#--
pass in quick on $vlan2_if proto tcp from any to port { ftp, 49152:65535 } modulate state flags S/SA
#--

Thanks again to Jeremy for the various rules and the explanation of ftp
methodology, without which we would have gotten stuck with the
49152:65535 port range requirements.

Regards,

Mike

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 18:45:59 2008
From: ino-news@spotteswoode.dnsalias.org (clemens fischer)
To: freebsd-pf@freebsd.org
Date: Thu, 06 Mar 2008 19:45:24 +0100
Subject: Re: pfsync is version 3 in RELENG_7
Message-ID: <4nq5a5xl3g1.ln2@nntp.spotteswoode.dnsalias.org>
References: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org>

On Thu, 06 Mar 2008 18:38:11 +0100 clemens fischer wrote:

> i get this:
>
> # pfflowd -D
> No export target defined
> ZZZZ -1
> pfflowd[40130]: pfflowd listening on pfsync0
> pfflowd[40130]: Unsupported pfsync version 3, exiting
>
> although http://pf4freebsd.love2party.net/ states:
>
> "In RELENG_7 - pf is at OpenBSD 4.1"
>
> shouldn't pfsync be of a more recent version, then?

comparing the sources in /usr/src/sys/contrib/pf/net/if_pfsync.[ch] and
pfflowd/pfflowd-0.6/pfflowd.[ch], it turns out that pfflowd expects the
version in struct pfsync_header.version to be `2', not even `3', so it
is too low. so is this a ports issue? in this case, i'd simply file a
PR ...
regards, clemens From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 18:47:16 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7BF91065673 for ; Thu, 6 Mar 2008 18:47:16 +0000 (UTC) (envelope-from roberto@keltia.freenix.fr) Received: from keltia.freenix.fr (keltia.freenix.org [IPv6:2001:660:330f:f820:213:72ff:fe15:f44]) by mx1.freebsd.org (Postfix) with ESMTP id 6CC718FC35 for ; Thu, 6 Mar 2008 18:47:16 +0000 (UTC) (envelope-from roberto@keltia.freenix.fr) Received: from localhost (localhost [127.0.0.1]) by keltia.freenix.fr (Postfix/TLS) with ESMTP id 7571C146E for ; Thu, 6 Mar 2008 19:47:15 +0100 (CET) X-Virus-Scanned: amavisd-new at keltia.freenix.fr Received: from keltia.freenix.fr ([127.0.0.1]) by localhost (keltia.freenix.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-TdSqyIc7w5 for ; Thu, 6 Mar 2008 19:47:12 +0100 (CET) Received: by keltia.freenix.fr (Postfix/TLS, from userid 101) id B41071462; Thu, 6 Mar 2008 19:47:12 +0100 (CET) Date: Thu, 6 Mar 2008 19:47:12 +0100 From: Ollivier Robert To: freebsd-pf@freebsd.org Message-ID: <20080306184712.GA22235@keltia.freenix.fr> References: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org> X-Operating-System: MacOS X / Macbook Pro - FreeBSD 6.2 / Dell D820 SMP User-Agent: Mutt/1.5.17 (2007-11-01) Subject: Re: pfsync is version 3 in RELENG_7 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2008 18:47:16 -0000 According to clemens fischer: > "In RELENG_7 - pf is at OpenBSD 4.1" > > shouldn't pfsync be of a more recent version, then? 
Yes, you need pfflowd 0.7 to understand pfsync3. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr Darwin sidhe.keltia.net Version 9.2.0: Tue Feb 5 16:13:22 PST 2008; i386 From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 19:10:47 2008 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 02EBB106566B for ; Thu, 6 Mar 2008 19:10:47 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from heff.fud.org.nz (203-109-251-39.static.bliink.ihug.co.nz [203.109.251.39]) by mx1.freebsd.org (Postfix) with ESMTP id A50C58FC2B for ; Thu, 6 Mar 2008 19:10:46 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from heff.fud.org.nz (localhost [127.0.0.1]) by heff.fud.org.nz (Postfix) with ESMTP id 5DC868440; Fri, 7 Mar 2008 07:56:54 +1300 (NZDT) Received: (from thompsa@localhost) by heff.fud.org.nz (8.14.2/8.14.2/Submit) id m26Iuri6040573; Fri, 7 Mar 2008 07:56:53 +1300 (NZDT) (envelope-from thompsa@FreeBSD.org) X-Authentication-Warning: heff.fud.org.nz: thompsa set sender to thompsa@FreeBSD.org using -f Date: Fri, 7 Mar 2008 07:56:53 +1300 From: Andrew Thompson To: Ollivier Robert Message-ID: <20080306185653.GB11173@heff.fud.org.nz> References: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org> <20080306184712.GA22235@keltia.freenix.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080306184712.GA22235@keltia.freenix.fr> User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-pf@FreeBSD.org Subject: Re: pfsync is version 3 in RELENG_7 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2008 19:10:47 -0000 On Thu, Mar 06, 2008 at 07:47:12PM +0100, Ollivier Robert wrote: > 
According to clemens fischer:
> > "In RELENG_7 - pf is at OpenBSD 4.1"
> >
> > shouldn't pfsync be of a more recent version, then?
>
> Yes, you need pfflowd 0.7 to understand pfsync3.

I'm listed as the port maintainer but haven't updated it in years, if anyone wants to update the port and take ownership then feel free.

Andrew
From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 20:17:34 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2DAE51065670 for ; Thu, 6 Mar 2008 20:17:34 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id DB4AE8FC20 for ; Thu, 6 Mar 2008 20:17:33 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1JXMWw-000535-Dd for freebsd-pf@freebsd.org; Thu, 06 Mar 2008 20:17:30 +0000 Received: from d463cebe.datahighways.de ([212.99.206.190]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 06 Mar 2008 20:17:30 +0000 Received: from ino-news by d463cebe.datahighways.de with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 06 Mar 2008 20:17:30 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: ino-news@spotteswoode.dnsalias.org (clemens fischer) Date: Thu, 06 Mar 2008 21:09:20 +0100 Lines: 25 Message-ID: References: <2pm5a5xds81.ln2@nntp.spotteswoode.dnsalias.org> <20080306184712.GA22235@keltia.freenix.fr> <20080306185653.GB11173@heff.fud.org.nz> X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: d463cebe.datahighways.de X-Archive: encrypt=none User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/7.0-STABLE (i386)) Sender: news Subject: Re: pfsync is version 3 in RELENG_7 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion
and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2008 20:17:34 -0000
Andrew Thompson:
> Ollivier Robert wrote:
>
>> According to clemens fischer:
>>
>> > "In RELENG_7 - pf is at OpenBSD 4.1"
>> >
>> > shouldn't pfsync be of a more recent version, then?
>>
>> Yes, you need pfflowd 0.7 to understand pfsync3.
>
> I'm listed as the port maintainer but haven't updated it in years, if
> anyone wants to update the port and take ownership then feel free.

well, your port is good nonetheless. i looked up the download URL, got pfflowd-0.7 and fixed it up using your patches. the most significant changes in 0.7 are the 64-bit counters for bytes and packets and, of course, the version bump in the protocol header. it really is straightforward, could you please handle this for 0.7? you can use your previous patches almost unchanged. if not: i won't take the port, but i'd be willing to send the diffs on request.
regards, clemens
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 13:57:15 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C17FC1065672 for ; Fri, 7 Mar 2008 13:57:15 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: from web53704.mail.re2.yahoo.com (web53704.mail.re2.yahoo.com [206.190.37.25]) by mx1.freebsd.org (Postfix) with SMTP id 6EB8B8FC1B for ; Fri, 7 Mar 2008 13:57:15 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: (qmail 91126 invoked by uid 60001); 7 Mar 2008 13:57:14 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.br; h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID; b=jVYtUJTQ3FI8kNxt1KvVWt5G6IVbUS0hXY7cAE+WnYdbinV3W5h7+ysqFQ3+5ZqTu5vF+q6erfUJyETi7opYDYCYE4iaRcgB4DnHkexAmESX1v2+jbH6tStJ/ChalwYrsMsnnFSa8bGqglplv+4LUh9u8RTx9dbXF0ZBIF5Pee0=; X-YMail-OSG: BjF4w.wVM1nCBSY07Uv.jkP1Bow3rKTxeJdWi.D8LZTLIqzQUNcwS0T8eA7md4K5uxGP6Cn_zcZafH_nGHdv7O7TgiNz.qkEfCO_my20.ADfueeo6u6sCuOYgOszAQ-- Received: from [200.201.112.31] by web53704.mail.re2.yahoo.com via HTTP; Fri, 07 Mar 2008 05:57:14 PST X-Mailer: YahooMailRC/902.35 YahooMailWebService/0.7.162 Date: Fri, 7 Mar 2008 05:57:14 -0800 (PST) From: Lorenz Helleis To: freebsd-pf@freebsd.org MIME-Version: 1.0 Message-ID: <659091.90986.qm@web53704.mail.re2.yahoo.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 13:57:15 -0000
hello.

I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.

I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase other values, like tables, src-nodes.... How do I know if everything is OK with the other values?

What happens if the number of connections reaches the limit of 100.000? Will it drop the idle connections? Or what?

thanks...

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and God chose the weak things of this world to confound the strong;
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 15:52:58 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0E4461065670 for ; Fri, 7 Mar 2008 15:52:58 +0000 (UTC) (envelope-from cmarlatt@rxsec.com) Received: from core.rxsec.com (core.rxsec.com [64.132.46.102]) by mx1.freebsd.org (Postfix) with SMTP id AE6EA8FC19 for ; Fri, 7 Mar 2008 15:52:57 +0000 (UTC) (envelope-from cmarlatt@rxsec.com) Received: (qmail 62489 invoked by uid 2009); 7 Mar 2008 15:19:36 -0000 Received: from 10.1.0.239 by core.rxsec.com (envelope-from , uid 2008) with qmail-scanner-1.25-st-qms (clamdscan: 0.86.2/1102. spamassassin: 3.0.4. perlscan: 1.25-st-qms. Clear:RC:0(10.1.0.239):SA:0(-4.4/5.0):. Processed in 5.473674 secs); 07 Mar 2008 15:19:36 -0000 X-Spam-Status: No, hits=-4.4 required=5.0 X-Antivirus-RXSEC-Mail-From: cmarlatt@rxsec.com via core.rxsec.com X-Antivirus-RXSEC: 1.25-st-qms (Clear:RC:0(10.1.0.239):SA:0(-4.4/5.0):. Processed in 5.473674 secs Process 62478) Received: from unknown (HELO ?10.1.0.239?)
(cmarlatt@rxsec.com@10.1.0.239) by core.rxsec.com with SMTP; 7 Mar 2008 15:19:30 -0000 Message-ID: <47D15E8B.8040207@rxsec.com> Date: Fri, 07 Mar 2008 10:26:03 -0500 From: Chris Marlatt Organization: Receive Security User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: Lorenz Helleis References: <659091.90986.qm@web53704.mail.re2.yahoo.com> In-Reply-To: <659091.90986.qm@web53704.mail.re2.yahoo.com> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 15:52:58 -0000 Lorenz Helleis wrote: > hello. > > I have a firewall with 75.000 simultaneous conections, and i set the limit to 100.000. > > I think the hardware is OK, but when increase the traffic on the network, some connections is dropped. I did not increase other value, like table, src-nodes.... How do I know if is everthing ok with the other values ? > > what happen if the number of connections touch the limit of 100.000 ? it will drop the idle conections ? or what ? > From my experience new connections will appear to timeout as PF has no more sessions available for new connections. As sessions die off organically new connections will be permitted but there is nothing actively killing old / idle connections to make way for new sessions if the limit is reached. Depending on how much memory you have you should be fine increasing the max session limit. I've had some of my firewalls over 1,000,000 sessions without a problem. You may want to check your switch for errors and watch your interface (netstat -I IFACE -nd 1) to see when/where your drops are. 
What kind of cpu usage are you seeing when you start dropping the packets?

Regards,

Chris
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 16:39:34 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FC71106566C for ; Fri, 7 Mar 2008 16:39:34 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: from web53704.mail.re2.yahoo.com (web53704.mail.re2.yahoo.com [206.190.37.25]) by mx1.freebsd.org (Postfix) with SMTP id C182A8FC16 for ; Fri, 7 Mar 2008 16:39:33 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: (qmail 10075 invoked by uid 60001); 7 Mar 2008 16:39:32 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.br; h=Received:X-Mailer:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Message-ID; b=KNwxxVtUGDnL/L/vqKY+itvIq1T+U/ZsJ2+baUxC+ec4fZL3KJIA9nXx/6uSpg3x1yOCEEjA/ZXY6DJlMNvUw0JPOZOSV9Svm0EGEGLL2jhpzfStoB4usZzOSNbF6rc24I+RIQLmEvVU+e3mvVrf9UbNd9MYxcufhOHVwoZkWQg=; Received: from [200.201.112.31] by web53704.mail.re2.yahoo.com via HTTP; Fri, 07 Mar 2008 08:39:32 PST X-Mailer: YahooMailRC/902.35 YahooMailWebService/0.7.162 Date: Fri, 7 Mar 2008 08:39:32 -0800 (PST) From: Lorenz Helleis To: Chris Marlatt MIME-Version: 1.0 Message-ID: <745345.9793.qm@web53704.mail.re2.yahoo.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Res: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 16:39:34 -0000
I don't think that it is a hardware problem; sometimes the "congestion" rate increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I don't know if it is normal...

I think that the connections are being dropped when the number of packets on the network increases a lot.

Can you tell me about your firewall? I will need to install a bigger one here, and I'm a little afraid to do it. Can you show me some configuration? The traffic of your network? Hardware? Connections?

Look at some configurations.... Do I need to increase something?

# pfctl -sm
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

# top

load averages:  0.20,  0.12,  0.09                                  13:29:40
35 processes:  34 idle, 1 on processor
CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle

# vmstat -i

interrupt                          total       rate
irq0/clock                     257506609        199
irq0/ipi                       183393879        142
irq81/em0                     8638587188       6706
irq83/skc0                    6011660768       4667
irq80/fxp0                    2292732543       1779
irq64/ahc0                       7012560          5
irq112/pckbc0                          8          0
Total                        17390893555      13501

# pfctl -si

State Table                          Total             Rate
  current entries                     5005
  searches                     30026832082       441000.4/s
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  match                          417436387         6130.8/s
  bad-offset                             0            0.0/s
  fragment                            1939            0.0/s
  short                                154            0.0/s
  normalize                          34858            0.5/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                        834349           12.3/s
  ip-option                             24            0.0/s
  proto-cksum                         5572            0.1/s
  state-mismatch                    491286            7.2/s

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and God chose the weak things of this world to confound the strong;

----- Original message ----
From: Chris Marlatt
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Sent: Friday, 7 March 2008 12:26:03
Subject: Re: Dropped Packets

Lorenz Helleis wrote:
> hello.
>
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
>
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase other values, like tables, src-nodes.... How do I know if everything is OK with the other values?
>
> What happens if the number of connections reaches the limit of 100.000? Will it drop the idle connections? Or what?
>

From my experience new connections will appear to time out as PF has no more sessions available for new connections. As sessions die off organically new connections will be permitted but there is nothing actively killing old / idle connections to make way for new sessions if the limit is reached.

Depending on how much memory you have you should be fine increasing the max session limit. I've had some of my firewalls over 1,000,000 sessions without a problem.

You may want to check your switch for errors and watch your interface (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of cpu usage are you seeing when you start dropping the packets?

Regards,

Chris
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 18:08:41 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 167671065675 for ; Fri, 7 Mar 2008 18:08:41 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.freebsd.org (Postfix) with ESMTP id 86FA88FC1B for ; Fri, 7 Mar 2008 18:08:40 +0000 (UTC) (envelope-from max@love2party.net) Received: from amd64.laiers.local (dslb-088-066-002-164.pools.arcor-ip.net [88.66.2.164]) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis) id 0MKwtQ-1JXgnD0jm2-0003zZ; Fri, 07 Mar 2008 18:55:40 +0100 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Fri, 7 Mar 2008 18:55:52 +0100 User-Agent: KMail/1.9.7 References: <745345.9793.qm@web53704.mail.re2.yahoo.com> In-Reply-To: <745345.9793.qm@web53704.mail.re2.yahoo.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1625571.DsbZ511TKX"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200803071855.58986.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+Ey482tbPuXhdCtV4J/SefD6ZEWKKNhtwt6uc A3fZMk0kZdwB1/Z0PhD+dIm+FMnwEJOBPxyIga27hWszkzFe8q OCCzfFbzpf7z4GHdDdqhBmCwKXQwVJGhu1bOIhzTEk= Cc: Subject: Re: Res: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 07 Mar 2008 18:08:41 -0000
[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that it is a hardware problem; sometimes the "congestion"
> rate increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I
> don't know if it is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
> Can you tell me about your firewall? I will need to install a bigger
> one here, and I'm a little afraid to do it. Can you show me some
> configuration? The traffic of your network? Hardware? Connections?
>
> Look at some configurations.... Do I need to increase something?
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> # top
>
> load averages:  0.20,  0.12,  0.09                                  13:29:40
> 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                          total       rate
> irq0/clock                     257506609        199
> irq0/ipi                       183393879        142
> irq81/em0                     8638587188       6706
> irq83/skc0                    6011660768       4667
> irq80/fxp0                    2292732543       1779

These interrupt numbers don't seem to match up with the above load numbers. I'd expect a higher interrupt load. You could also try to replace the sk(4) adapter with another em(4) or the like? I have had trouble with sk(4) in the past.

> irq64/ahc0                       7012560          5
> irq112/pckbc0                          8          0
> Total                        17390893555      13501
>
> # pfctl -si
>
> State Table                          Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps are quite a load! And this is with only 5000 connections. While FreeBSD can forward 1Mpps and more on commodity hardware, 500-700kpps is probably the limit with (sensible) firewalling. I'd be surprised if you could do significantly better with anything else. N.B. that this could be improved by using fine-grained locking for pf - this is on my TODO list for quite some time, but I didn't yet get to it.

>   inserts                        406964726         5977.0/s
>   removals                       406959721         5977.0/s
> Counters
>   match                          417436387         6130.8/s
>   bad-offset                             0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
> Proverbs 1:27
>
> But God chose the foolish things of this world to confound the wise;
> and God chose the weak things of this world to confound the strong;
>
> ----- Original message ----
> From: Chris Marlatt
> To: Lorenz Helleis
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > hello.
> >
> > I have a firewall with 75.000 simultaneous connections, and I set the
> > limit to 100.000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped. I did not increase other
> > values, like tables, src-nodes.... How do I know if everything is OK
> > with the other values?
> >
> > What happens if the number of connections reaches the limit of 100.000?
> > Will it drop the idle connections? Or what?
>
> From my experience new connections will appear to time out as PF has no
> more sessions available for new connections. As sessions die off
> organically new connections will be permitted but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
> Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 18:16:14 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E3C51065670 for ; Fri, 7 Mar 2008 18:16:14 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: from web53701.mail.re2.yahoo.com (web53701.mail.re2.yahoo.com [206.190.37.22]) by mx1.freebsd.org (Postfix) with SMTP id 49D898FC18 for ; Fri, 7 Mar 2008 18:16:14 +0000 (UTC) (envelope-from lorenzhelleis@yahoo.com.br) Received: (qmail 4873 invoked by uid 60001); 7 Mar 2008 18:16:13 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.br;
h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Message-ID; b=rDTM8atMu64Au1mZKlDVnH+x1vra1HnJnKFrJpv/eIP3pgPVIx+afooMkcUycL0USZPiiFOdkXgOPrbHMgftyK2SadpuW/nnvMwOxVDyTGXBPeNCezNJQITu1JMW0YxU/698PYIn2ESeC/7y2x8LY+5ZWorkXaHs8EtfQMsMZAE=; X-YMail-OSG: oq2euaoVM1lH8PbKFAJcz_cdFstufwlPjBRTGYL7.jFEoW1O4CyATsN8xyy5nA8CdS4KhATXGv5Qovmq0v5.ecd72AKk4bflr5zhWdS4ncN3YVDSYA7E.mbtzRr1IP.RtRpSeQbFy1oTCQ-- Received: from [200.201.112.31] by web53701.mail.re2.yahoo.com via HTTP; Fri, 07 Mar 2008 10:16:13 PST X-Mailer: YahooMailRC/902.35 YahooMailWebService/0.7.162 Date: Fri, 7 Mar 2008 10:16:13 -0800 (PST) From: Lorenz Helleis To: Max Laier , freebsd-pf@freebsd.org MIME-Version: 1.0 Message-ID: <523685.2819.qm@web53701.mail.re2.yahoo.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Res: Res: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 18:16:14 -0000
Max..

The current entries figure is not 5005. I got this value after "pfctl -d"...
The number of concurrent connections is 70.000.

At this moment my firewall is disabled until I find a solution to solve this problem. I think I will try to increase the number of states and change the NIC.

I use a Gigabit card and the traffic is 300Mbs and the concurrent sessions 70.000.

And now I'm studying table entries, src-nodes ..

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and God chose the weak things of this world to confound the strong;

----- Original message ----
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Lorenz Helleis ; Chris Marlatt
Sent: Friday, 7 March 2008 14:55:52
Subject: Re: Res: Dropped Packets

[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that it is a hardware problem; sometimes the "congestion"
> rate increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I
> don't know if it is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
> Can you tell me about your firewall? I will need to install a bigger
> one here, and I'm a little afraid to do it. Can you show me some
> configuration? The traffic of your network? Hardware? Connections?
>
> Look at some configurations.... Do I need to increase something?
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> # top
>
> load averages:  0.20,  0.12,  0.09                                  13:29:40
> 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                          total       rate
> irq0/clock                     257506609        199
> irq0/ipi                       183393879        142
> irq81/em0                     8638587188       6706
> irq83/skc0                    6011660768       4667
> irq80/fxp0                    2292732543       1779

These interrupt numbers don't seem to match up with the above load numbers. I'd expect a higher interrupt load. You could also try to replace the sk(4) adapter with another em(4) or the like? I have had trouble with sk(4) in the past.

> irq64/ahc0                       7012560          5
> irq112/pckbc0                          8          0
> Total                        17390893555      13501
>
> # pfctl -si
>
> State Table                          Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps are quite a load! And this is with only 5000 connections. While FreeBSD can forward 1Mpps and more on commodity hardware, 500-700kpps is probably the limit with (sensible) firewalling. I'd be surprised if you could do significantly better with anything else. N.B. that this could be improved by using fine-grained locking for pf - this is on my TODO list for quite some time, but I didn't yet get to it.

>   inserts                        406964726         5977.0/s
>   removals                       406959721         5977.0/s
> Counters
>   match                          417436387         6130.8/s
>   bad-offset                             0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
> Proverbs 1:27
>
> But God chose the foolish things of this world to confound the wise;
> and God chose the weak things of this world to confound the strong;
>
> ----- Original message ----
> From: Chris Marlatt
> To: Lorenz Helleis
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > hello.
> >
> > I have a firewall with 75.000 simultaneous connections, and I set the
> > limit to 100.000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped. I did not increase other
> > values, like tables, src-nodes.... How do I know if everything is OK
> > with the other values?
> >
> > What happens if the number of connections reaches the limit of 100.000?
> > Will it drop the idle connections? Or what?
>
> From my experience new connections will appear to time out as PF has no
> more sessions available for new connections. As sessions die off
> organically new connections will be permitted but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
> Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 20:11:35 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D85A1065675 for ; Fri, 7 Mar 2008 20:11:35 +0000 (UTC) (envelope-from kurt-list-freebsd@androme.com) Received: from fafnir.androme.com (fafnir.androme.com [62.58.96.158]) by mx1.freebsd.org (Postfix) with ESMTP id 3375D8FC1A for ; Fri, 7 Mar 2008 20:11:34 +0000 (UTC) (envelope-from kurt-list-freebsd@androme.com) Received: by fafnir.androme.com (Postfix, from userid 1003) id 4DC72C46CFC; Fri, 7 Mar 2008 20:56:20 +0100 (CET) Message-ID: <47D19DE3.3000007@androme.com> Date: Fri, 07 Mar 2008 20:56:19 +0100 From: Kurt Dethier User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: ftp-proxy and route-to X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 20:11:35 -0000
Hi all,

I'm trying to send some outgoing traffic via a second internet connection. Traffic like http works ok, I can use route-to in the rules to send the traffic out on the correct interface and nat to the correct public ip. But I can't get this to work for ftp-proxy. The ftp-proxy man page says I need a rule like:

pass out proto tcp from $proxy to any port 21

but those connections are always going out on the interface of the default route. Is it possible to make those connections go out on another interface?

Also I think I would need a route-to and reply-to in the anchor rules created by ftp-proxy. Is this possible?
Thanks for any help. regards, Kurt From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 20:56:59 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ADBE11065685 for ; Fri, 7 Mar 2008 20:56:59 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 2D3BB8FC18 for ; Fri, 7 Mar 2008 20:56:58 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-002-164.pools.arcor-ip.net [88.66.2.164]) by mrelayeu.kundenserver.de (node=mrelayeu4) with ESMTP (Nemesis) id 0ML21M-1JXjce0MnP-00020X; Fri, 07 Mar 2008 21:56:57 +0100 Received: (qmail 36149 invoked by uid 80); 7 Mar 2008 20:56:22 -0000 Received: from 192.168.4.151 (SquirrelMail authenticated user mlaier) by router.laiers.local with HTTP; Fri, 7 Mar 2008 21:56:22 +0100 (CET) Message-ID: <54535.192.168.4.151.1204923382.squirrel@router.laiers.local> In-Reply-To: <523685.2819.qm@web53701.mail.re2.yahoo.com> References: <523685.2819.qm@web53701.mail.re2.yahoo.com> Date: Fri, 7 Mar 2008 21:56:22 +0100 (CET) From: "Max Laier" To: "Lorenz Helleis" User-Agent: SquirrelMail/1.4.13 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Provags-ID: V01U2FsdGVkX1+LMgy82eLq19RrZM5NkNFp+UIwEI4h9Zwc0ai EGY/0CzEuEsyfFJ3EGm1JkHyYJbcKVXTWyyFUxu6bdKu8atF5J aCEGRY7rgHwSOEEETydGw== Cc: freebsd-pf@freebsd.org Subject: Re: Res: Res: Dropped Packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2008 20:56:59 -0000 AGAIN: PLEASE DON'T TOP-POST! 
On Fri, 7 Mar 2008, 19:16, Lorenz Helleis wrote:
> Max..
>
> the Current entry is not 5005. I got this value after "pfctl -d"...

then these numbers are completely useless!

> the number of concurrent connections is 70.000

Okay, so let's say every connection just passes ~10pps (that's not even
7kB/s with standard TCP) then you have to forward 700kpps. This is a
*huge* load, even without firewalling. If you count in scrubbing and
"just" stateful lookups, this is about the maximum that you can hope to
push with commodity hardware. Sure, PCIe has removed one of the worst
bottlenecks, but as I pointed out in my other reply - pf is still
"giant"-locked and thus poses a bottleneck of its own, but there are few
(if any) alternatives if you are serious about wanting a *firewall* for
security. Otherwise you can use IPFW w/o states! Which will give some
concurrency and less per-packet overhead due to fewer sanity checks.

> In this moment my firewall is disabled until I find a solution to solve
> this problem. I think I will try to increase the number of states and
> change the NIC.
>
> I use a Gigabit card and the traffic is 300Mbs and the concurrent
> sessions 70.000.
>
> And now I'm studying about table entries, src-nodes ..
>
> ----- Original message ----
> From: Max Laier
> To: freebsd-pf@freebsd.org
> Cc: Lorenz Helleis ; Chris Marlatt
> Sent: Friday, 7 March 2008 14:55:52
> Subject: Re: Res: Dropped Packets
>
> [ please don't top-post ]
>
> On Friday 07 March 2008, Lorenz Helleis wrote:
>> I don't think that is a hardware problem, sometimes the "congestion
>> rate" increases to 1500,0/s and the "state-mismatch" to 300.0/s.. I
>> don't know if it is normal...
>>
>> I think that the connections are being dropped when the number of
>> packets on the network increases a lot.
>>
>> can you tell me about your firewall? I will need to install a bigger
>> one here, and I'm a little afraid to do it. Can you show me some
>> configuration? the traffic of your network? hardware? connections?
>>
>> look at some configurations.... do I need to increase something?
>>
>> # pfctl -sm
>> states        hard limit   100000
>> src-nodes     hard limit    10000
>> frags         hard limit     5000
>> tables        hard limit     1000
>> table-entries hard limit   200000
>>
>> # top
>>
>> load averages: 0.20, 0.12, 0.09                              13:29:40
>> 35 processes: 34 idle, 1 on processor
>> CPU0 states: 0.6% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.7% idle
>> CPU1 states: 0.1% user, 0.0% nice, 0.2% system, 0.0% interrupt, 99.7% idle
>>
>> # vmstat -i
>>
>> interrupt            total       rate
>> irq0/clock       257506609        199
>> irq0/ipi         183393879        142
>> irq81/em0       8638587188       6706
>> irq83/skc0      6011660768       4667
>> irq80/fxp0      2292732543       1779
>
> These interrupt numbers don't seem to match up with the above load
> numbers. I'd expect a higher interrupt load. You could also try to
> replace the sk(4) adapter with another em(4) or the like? I have had
> trouble with sk(4) in the past.

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 21:20:38 2008
From: Chris Marlatt
Organization: Receive Security
To: Max Laier , Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Date: Fri, 07 Mar 2008 16:20:26 -0500
Subject: Re: Res: Res: Dropped Packets

Max Laier wrote:
> AGAIN: PLEASE DON'T TOP-POST!
>
> On Fri, 7 Mar 2008, 19:16, Lorenz Helleis wrote:
>> Max..
>>
>> the Current entry is not 5005. I got this value after "pfctl -d"...
>
> then these numbers are completely useless!
>

Indeed, do you have any min & max number for bps and pps for this
firewall's internal and external interfaces? On which interface are you
dropping the packets?
Regards,

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 22:40:43 2008
From: Lorenz Helleis
To: Chris Marlatt , Max Laier
Cc: freebsd-pf@freebsd.org
Date: Fri, 7 Mar 2008 14:40:40 -0800 (PST)
Subject: Res: Res: Res: Dropped Packets

> Indeed, do you have any min & max number for bps and pps for this
> firewall's internal and external interfaces? On which interface are you
> dropping the packets?
>
> Regards,
>
> Chris

300Mbps and 20.000 pps. But I will make a bigger firewall.

This is an internal firewall... I think the entry in the session table
is disappearing, so the client needs to make another connection. I'm
thinking about creating a stateless rule.

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 22:56:31 2008
From: Chris Marlatt
Organization: Receive Security
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Date: Fri, 07 Mar 2008 17:56:21 -0500
Subject: Re: Res: Res: Res: Dropped Packets

Lorenz Helleis wrote:
>> Indeed, do you have any min & max number for bps and pps for this
>> firewall's internal and external interfaces? On which interface are
>> you dropping the packets?
>>
>> Regards,
>>
>> Chris
>
> 300Mbps and 20.000 pps. But I will make a bigger firewall.
>
> This is an internal firewall... I think the entry in the session table
> is disappearing, so the client needs to make another connection. I'm
> thinking about creating a stateless rule.
>

Do the machines generating the traffic have multiple paths? The only time
I've really seen pf have problems with sessions is when the devices send
and receive traffic via different paths or multiple paths (i.e. traffic
comes in via firewall01 but goes out firewall02 and firewall01 and
firewall02 do not implement pfsync).

Regards,

Chris
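An added example, not code from anyone in this thread: a small POSIX sh check that compares the pf state table against the hard limit from pfctl -sm and flags the congestion and state-mismatch counters from pfctl -si that Chris and Max discuss above, so the condition Chris describes (new connections stalling once the limit is reached) is caught before it happens. It parses the output formats quoted in the thread; the two sample outputs embedded in the script are constructed, not taken from Lorenz's box.

```shell
#!/bin/sh
# Added example, not from the thread: size the pf state table against its
# hard limit and watch the congestion / state-mismatch counters discussed
# above, parsing the `pfctl -sm` and `pfctl -si` formats quoted in the thread.
# Both samples are constructed; on a real box use "$(pfctl -sm)"/"$(pfctl -si)".

SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

SAMPLE_SI='State Table                     Total             Rate
  current entries                75000
  searches                 30026832082       441000.4/s
Counters
  match                      417436387         6130.8/s
  congestion                    834349           12.3/s
  state-mismatch                491286            7.2/s'

# Hard limit of one pf memory pool (states, src-nodes, frags, ...).
# $1 = pool name; pfctl -sm output on stdin.
pf_hard_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" { print $4 }'
}

# Print one field of the pfctl -si row labelled $1 (one or two words).
# $2 = "total" or "rate"; pfctl -si output on stdin. Rates lose their "/s".
pf_si_field() {
    awk -v label="$1" -v what="$2" '{
        n = split(label, w, " ")
        if ((n == 2 && $1 == w[1] && $2 == w[2]) || (n == 1 && $1 == w[1])) {
            v = (what == "rate") ? $NF : $(n + 1)
            sub("/s$", "", v)
            print v
        }
    }'
}

# Exit status is a bit mask: 1 = state table at or above $3 percent of its
# limit (new connections stall once it is full), 2 = congestion or
# state-mismatch counters are moving. $1 = pfctl -sm output, $2 = pfctl -si.
pf_state_check() {
    rc=0
    limit=$(printf '%s\n' "$1" | pf_hard_limit states)
    cur=$(printf '%s\n' "$2" | pf_si_field "current entries" total)
    util=$(( cur * 100 / limit ))
    if [ "$util" -ge "$3" ]; then
        echo "states: $cur of $limit in use ($util%), raise the limit or shed load"
        rc=1
    fi
    for c in congestion state-mismatch; do
        rate=$(printf '%s\n' "$2" | pf_si_field "$c" rate)
        if awk -v r="$rate" 'BEGIN { exit !(r > 0) }'; then
            echo "$c: ${rate}/s, check interface drops (netstat -I IFACE -nd 1) and paths"
            rc=$(( rc | 2 ))
        fi
    done
    return $rc
}

if ! pf_state_check "$SAMPLE_SM" "$SAMPLE_SI" 90; then
    echo "pf state table needs attention"
fi
```

Run it from cron against the live pfctl output and alert on a non-zero exit status; the 90 is the utilisation threshold in percent.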