From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 05:25:07 2010
To: freebsd-pf@freebsd.org
From: Marcin Wisnicki
Date: Sun, 4 Jul 2010 05:24:10 +0000 (UTC)
References: <4C2F3B3D.70306@interactive-net.de>
Subject: Re: urpf-failed & ipv6

On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:

> Hi,
>
> I recently discovered a strange behavior on my border router.
> In the following ruleset:
>
> block log all
> block in log quick from urpf-failed to any
> pass quick on $int_if inet6 proto udp from any to any port ripng
> block drop on !$int_if inet6 proto udp from any to any port ripng
>
> all occurrences of
>
> fe80::%$int_if -> ff02::9
>
> were blocked by the urpf-failed rule.
>
> Any suggestions why this happens?

Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
seems it's not yet merged to freebsd.

I'm using following as a temporary solution (adapted from rc.firewall):

block log all

anchor "ipv6-link-local" quick inet6 {
    pass proto icmp6 from :: to ff02::/16
    pass proto icmp6 from fe80::/10 to fe80::/10
    pass proto icmp6 from fe80::/10 to ff02::/16
    pass from fe80::/10 to ff02::/16
    pass from (self:network) to ff02::/16
    pass proto udp from fe80::/10 to (self) port dhcpv6-client
}

block in log quick from urpf-failed

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 13:27:20 2010
From: Maxim Khitrov
Date: Sun, 4 Jul 2010 09:26:53 -0400
To: freebsd-pf@freebsd.org
Subject: Same priority pf/altq queues not supported?

Hello all,

I'm configuring pf on FreeBSD 7.3 and would like to use the following
altq settings:

altq on $ext priq bandwidth 9240Kb queue {low, red, med, top}
altq on {$int1, $int2, $srv} priq bandwidth 100Mb queue {low, red, med, top}

queue low priority 1 priq(default) # Default priority queue
queue red priority 1 priq(red)     # Default priority TCP queue with RED
queue med priority 2               # DNS, DHCP, ACKs, and TOS == lowdelay
queue top priority 3               # ICMP, NTP

When I try to load these settings, I get the following errors:

pfctl: low and red have the same priority
pfctl: low and red have the same priority
pfctl: low and red have the same priority
pfctl: low and red have the same priority
/etc/pf.conf:79: errors in queue definition

OpenBSD 4.1 documentation states that "if two or more queues are
assigned the same priority then those queues are processed in a
round-robin fashion." Is there any specific reason why this behavior
was altered in the FreeBSD port?
I'm not really sure of what to do, because I don't want to prioritize
or deprioritize TCP traffic, and I can't have RED enabled for any other
protocol. If you have any other general-purpose queuing suggestions,
please let me know.

- Max

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 16:42:15 2010
From: Vadym Chepkov
Date: Sun, 4 Jul 2010 12:42:02 -0400
Message-Id: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com>
To: freebsd-pf@freebsd.org
Subject: pf and ftp

Hi,

pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?

Thank you,
Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 17:06:01 2010
Message-ID: <4C30BFBE.3070605@gmx.de>
Date: Sun, 04 Jul 2010 19:07:10 +0200
From: olli hauer
To: freebsd-pf@freebsd.org
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com>
In-Reply-To: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com>
Subject: Re: pf and ftp

On 2010-07-04 18:42, Vadym Chepkov wrote:
> Hi,
>
> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>
> Thank you,

use ftp-proxy instead, it is included in the OS.

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 17:09:31 2010
From: Vadym Chepkov
In-Reply-To: <4C30BE7C.5000206@quis.cx>
Date: Sun, 4 Jul 2010 13:09:20 -0400
Message-Id: <0A7A9334-BCA6-426E-A0F8-4BDA5F2EED8F@gmail.com>
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com> <4C30BE7C.5000206@quis.cx>
To: Jille Timmermans
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
But according to port it's now part of the base FreeBSD. I guess these things do happen :)

Thanks,
Vadym

On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:

> Hi,
>
> ftp-proxy(8) is what you are looking for :)
> http://www.openbsd.org/faq/pf/ftp.html
>
> -- Jille
>
> Vadym Chepkov wrote:
>> Hi,
>>
>> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>>
>> Thank you,
>> Vadym Chepkov
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 17:18:25 2010
Message-ID: <4C30BE7C.5000206@quis.cx>
Date: Sun, 04 Jul 2010 19:01:48 +0200
From: Jille Timmermans
To: Vadym Chepkov
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com>
In-Reply-To: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

Hi,

ftp-proxy(8) is what you are looking for :)
http://www.openbsd.org/faq/pf/ftp.html

-- Jille

Vadym Chepkov wrote:
> Hi,
>
> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>
> Thank you,
> Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 17:27:32 2010
Message-ID: <4C30C4CE.7060907@gmx.de>
Date: Sun, 04 Jul 2010 19:28:46 +0200
From: olli hauer
To: freebsd-pf@freebsd.org
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com> <4C30BE7C.5000206@quis.cx> <0A7A9334-BCA6-426E-A0F8-4BDA5F2EED8F@gmail.com>
In-Reply-To: <0A7A9334-BCA6-426E-A0F8-4BDA5F2EED8F@gmail.com>
Subject: Re: pf and ftp

If I remember correctly there was first pftpx and a (unusable) built-in
ftp-proxy.
Then ftpsesame was built as successor of pftpx and this went into the system.
Now the built-in ftp-proxy was extended for ipv6 ...

pftpx/ftpsesame site:
http://www.sentia.org/projects/ftpsesame/

latest version ftpsesame-0.95 (OpenBSD 3.6)

On 2010-07-04 19:09, Vadym Chepkov wrote:
> interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
> But according to port it's now part of the base FreeBSD. I guess these things do happen :)
>
> Thanks,
> Vadym
>
> On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:
>
>> Hi,
>>
>> ftp-proxy(8) is what you are looking for :)
>> http://www.openbsd.org/faq/pf/ftp.html
>>
>> -- Jille
>>
>> Vadym Chepkov wrote:
>>> Hi,
>>>
>>> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>>>
>>> Thank you,
>>> Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 17:57:15 2010
From: Vadym Chepkov
In-Reply-To: <4C30C4CE.7060907@gmx.de>
Date: Sun, 4 Jul 2010 13:57:05 -0400
Message-Id: <9AECD800-E7D2-4354-B3B1-A02A6AC15F66@gmail.com>
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com> <4C30BE7C.5000206@quis.cx> <0A7A9334-BCA6-426E-A0F8-4BDA5F2EED8F@gmail.com> <4C30C4CE.7060907@gmx.de>
To: olli hauer
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

And it's broken now too :(

===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
===> Configuring for ftp-proxy-4.4p1_1
===> Building for ftp-proxy-4.4p1_1
Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
ftp-proxy.c:32:19: event.h: No such file or directory
ftp-proxy.c: In function `client_error':
ftp-proxy.c:194: error: `EVBUFFER_EOF' undeclared (first use in this function)
ftp-proxy.c:194: error: (Each undeclared identifier is reported only once
ftp-proxy.c:194: error: for each function it appears in.)
ftp-proxy.c:196: error: `EVBUFFER_ERROR' undeclared (first use in this function)
ftp-proxy.c:196: error: `EVBUFFER_READ' undeclared (first use in this function)
ftp-proxy.c:198: error: `EVBUFFER_TIMEOUT' undeclared (first use in this function)
ftp-proxy.c:200: error: `EVBUFFER_WRITE' undeclared (first use in this function)
ftp-proxy.c: In function `client_parse_anon':
ftp-proxy.c:251: warning: implicit declaration of function `bufferevent_write'
ftp-proxy.c: In function `client_read':
ftp-proxy.c:304: warning: implicit declaration of function `bufferevent_read'
ftp-proxy.c: In function `end_session':
ftp-proxy.c:354: warning: implicit declaration of function `evbuffer_write'
ftp-proxy.c:354: error: dereferencing pointer to incomplete type
ftp-proxy.c:356: error: dereferencing pointer to incomplete type
ftp-proxy.c:364: warning: implicit declaration of function `bufferevent_free'
ftp-proxy.c: In function `handle_connection':
ftp-proxy.c:561: warning: implicit declaration of function `bufferevent_new'
ftp-proxy.c:562: warning: assignment makes pointer from integer without a cast
ftp-proxy.c:567: warning: implicit declaration of function `bufferevent_settimeout'
ftp-proxy.c:568: warning: implicit declaration of function `bufferevent_enable'
ftp-proxy.c:568: error: `EV_READ' undeclared (first use in this function)
ftp-proxy.c:568: error: `EV_TIMEOUT' undeclared (first use in this function)
ftp-proxy.c:571: warning: assignment makes pointer from integer without a cast
ftp-proxy.c: In function `main':
ftp-proxy.c:660: error: storage size of 'ev' isn't known
ftp-proxy.c:660: error: storage size of 'ev_sighup' isn't known
ftp-proxy.c:660: error: storage size of 'ev_sigint' isn't known
ftp-proxy.c:660: error: storage size of 'ev_sigterm' isn't known
ftp-proxy.c:842: warning: implicit declaration of function `event_init'
ftp-proxy.c:846: warning: implicit declaration of function `signal_set'
ftp-proxy.c:849: warning: implicit declaration of function `signal_add'
ftp-proxy.c:853: warning: implicit declaration of function `event_set'
ftp-proxy.c:853: error: `EV_READ' undeclared (first use in this function)
ftp-proxy.c:853: error: `EV_PERSIST' undeclared (first use in this function)
ftp-proxy.c:854: warning: implicit declaration of function `event_add'
ftp-proxy.c:859: warning: implicit declaration of function `event_dispatch'
ftp-proxy.c:660: warning: unused variable `ev'
ftp-proxy.c:660: warning: unused variable `ev_sighup'
ftp-proxy.c:660: warning: unused variable `ev_sigint'
ftp-proxy.c:660: warning: unused variable `ev_sigterm'
ftp-proxy.c: In function `server_error':
ftp-proxy.c:978: error: `EVBUFFER_EOF' undeclared (first use in this function)
ftp-proxy.c:980: error: `EVBUFFER_ERROR' undeclared (first use in this function)
ftp-proxy.c:980: error: `EVBUFFER_READ' undeclared (first use in this function)
ftp-proxy.c:982: error: `EVBUFFER_WRITE' undeclared (first use in this function)
ftp-proxy.c:984: error: `EVBUFFER_TIMEOUT' undeclared (first use in this function)
*** Error code 1

On Jul 4, 2010, at 1:28 PM, olli hauer wrote:

> If I remember correctly there was first pftpx and a (unusable) built-in
> ftp-proxy.
> Then ftpsesame was built as successor of pftpx and this went into the system.
> Now the built-in ftp-proxy was extended for ipv6 ...
>
> pftpx/ftpsesame site:
> http://www.sentia.org/projects/ftpsesame/
>
> latest version ftpsesame-0.95 (OpenBSD 3.6)
>
> On 2010-07-04 19:09, Vadym Chepkov wrote:
>> interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
>> But according to port it's now part of the base FreeBSD. I guess these things do happen :)
>>
>> Thanks,
>> Vadym
>>
>> On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:
>>
>>> Hi,
>>>
>>> ftp-proxy(8) is what you are looking for :)
>>> http://www.openbsd.org/faq/pf/ftp.html
>>>
>>> -- Jille
>>>
>>> Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>>>>
>>>> Thank you,
>>>> Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 18:07:37 2010
From: Vadym Chepkov
In-Reply-To: <0C366FF8-DD80-4F5E-A04F-5C61EA5ED66E@elvandar.org>
Date: Sun, 4 Jul 2010 14:07:27 -0400
References: <2E7C4886-FF06-4FA8-A651-97057FA86239@gmail.com> <4C30BE7C.5000206@quis.cx> <0A7A9334-BCA6-426E-A0F8-4BDA5F2EED8F@gmail.com> <4C30C4CE.7060907@gmx.de> <9AECD800-E7D2-4354-B3B1-A02A6AC15F66@gmail.com> <0C366FF8-DD80-4F5E-A04F-5C61EA5ED66E@elvandar.org>
To: Remko Lodder
Cc: freebsd-pf@FreeBSD.org
Subject: Re: pf and ftp

true that, but 6.4 still didn't reach EOL

On Jul 4, 2010, at 2:01 PM, Remko Lodder wrote:

>
> It's included in 8 by default, and perhaps even 7.
>
> 'man ftp-proxy' does miracles, perhaps you do not even need to build it :)
>
>
> On Jul 4, 2010, at 7:57 PM, Vadym Chepkov wrote:
>
>> And it's broken now too :(
>>
>> ===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
>> ===> Configuring for ftp-proxy-4.4p1_1
>> ===> Building for ftp-proxy-4.4p1_1
>> Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
>> cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
>> ftp-proxy.c:32:19: event.h: No such file or directory
>> ftp-proxy.c: In function `client_error':
>> ftp-proxy.c:194: error: `EVBUFFER_EOF' undeclared (first use in this function)
>> ftp-proxy.c:194: error: (Each undeclared identifier is reported only once
>> ftp-proxy.c:194: error: for each function it appears in.)
>> ftp-proxy.c:196: error: `EVBUFFER_ERROR' undeclared (first use in = this function) >> ftp-proxy.c:196: error: `EVBUFFER_READ' undeclared (first use in this = function) >> ftp-proxy.c:198: error: `EVBUFFER_TIMEOUT' undeclared (first use in = this function) >> ftp-proxy.c:200: error: `EVBUFFER_WRITE' undeclared (first use in = this function) >> ftp-proxy.c: In function `client_parse_anon': >> ftp-proxy.c:251: warning: implicit declaration of function = `bufferevent_write' >> ftp-proxy.c: In function `client_read': >> ftp-proxy.c:304: warning: implicit declaration of function = `bufferevent_read' >> ftp-proxy.c: In function `end_session': >> ftp-proxy.c:354: warning: implicit declaration of function = `evbuffer_write' >> ftp-proxy.c:354: error: dereferencing pointer to incomplete type >> ftp-proxy.c:356: error: dereferencing pointer to incomplete type >> ftp-proxy.c:364: warning: implicit declaration of function = `bufferevent_free' >> ftp-proxy.c: In function `handle_connection': >> ftp-proxy.c:561: warning: implicit declaration of function = `bufferevent_new' >> ftp-proxy.c:562: warning: assignment makes pointer from integer = without a cast >> ftp-proxy.c:567: warning: implicit declaration of function = `bufferevent_settimeout' >> ftp-proxy.c:568: warning: implicit declaration of function = `bufferevent_enable' >> ftp-proxy.c:568: error: `EV_READ' undeclared (first use in this = function) >> ftp-proxy.c:568: error: `EV_TIMEOUT' undeclared (first use in this = function) >> ftp-proxy.c:571: warning: assignment makes pointer from integer = without a cast >> ftp-proxy.c: In function `main': >> ftp-proxy.c:660: error: storage size of 'ev' isn't known >> ftp-proxy.c:660: error: storage size of 'ev_sighup' isn't known >> ftp-proxy.c:660: error: storage size of 'ev_sigint' isn't known >> ftp-proxy.c:660: error: storage size of 'ev_sigterm' isn't known >> ftp-proxy.c:842: warning: implicit declaration of function = `event_init' >> ftp-proxy.c:846: warning: implicit 
>> declaration of function `signal_set'
>> ftp-proxy.c:849: warning: implicit declaration of function `signal_add'
>> ftp-proxy.c:853: warning: implicit declaration of function `event_set'
>> ftp-proxy.c:853: error: `EV_READ' undeclared (first use in this function)
>> ftp-proxy.c:853: error: `EV_PERSIST' undeclared (first use in this function)
>> ftp-proxy.c:854: warning: implicit declaration of function `event_add'
>> ftp-proxy.c:859: warning: implicit declaration of function `event_dispatch'
>> ftp-proxy.c:660: warning: unused variable `ev'
>> ftp-proxy.c:660: warning: unused variable `ev_sighup'
>> ftp-proxy.c:660: warning: unused variable `ev_sigint'
>> ftp-proxy.c:660: warning: unused variable `ev_sigterm'
>> ftp-proxy.c: In function `server_error':
>> ftp-proxy.c:978: error: `EVBUFFER_EOF' undeclared (first use in this function)
>> ftp-proxy.c:980: error: `EVBUFFER_ERROR' undeclared (first use in this function)
>> ftp-proxy.c:980: error: `EVBUFFER_READ' undeclared (first use in this function)
>> ftp-proxy.c:982: error: `EVBUFFER_WRITE' undeclared (first use in this function)
>> ftp-proxy.c:984: error: `EVBUFFER_TIMEOUT' undeclared (first use in this function)
>> *** Error code 1
>>
>>
>>
>> On Jul 4, 2010, at 1:28 PM, olli hauer wrote:
>>
>>> If I remember correctly the there was first pftpx and a (unusable) buid-in
>>> ftp-proxy.
>>> Then ftpseesame was build as successor of pftpx and this went into the system.
>>> Now the build-in ftp-proxy was extend to for ipv6 ...
>>>
>>> pftpx/ftpsesame site:
>>> http://www.sentia.org/projects/ftpsesame/
>>>
>>> lasted version ftpsesame-0.95 (OpenBSD 3.6)
>>>
>>>
>>>
>>> On 2010-07-04 19:09, Vadym Chepkov wrote:
>>>> interesting, at some point pftpx was claimed to be a replacement for ftp-proxy, I distinctly remember that.
>>>> But according to port it's now part of the base FreeBSD.
>>>> I guess these things do happen :)
>>>>
>>>> Thanks,
>>>> Vadym
>>>>
>>>>
>>>>
>>>> On Jul 4, 2010, at 1:01 PM, Jille Timmermans wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> ftp-proxy(8) is what you are looking for :)
>>>>> http://www.openbsd.org/faq/pf/ftp.html
>>>>>
>>>>> -- Jille
>>>>>
>>>>> Vadym Chepkov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> pftpx port was removed in FreeBSD. How does one configure pf firewall to work with ftp protocol nowadays?
>>>>>>
>>>>>> Thank you,
>>>>>> Vadym Chepkov_______________________________________________
>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> --
> /"\   Best regards,                 | remko@FreeBSD.org
> \ /   Remko Lodder                  | remko@EFnet
>  X    http://www.evilcoder.org/     |
> / \   ASCII Ribbon Campaign         | Against HTML Mail and News
>

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 18:11:29 2010
Date: Sun, 04 Jul 2010 20:12:40 +0200
From: olli hauer
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

On 2010-07-04 19:57, Vadym Chepkov wrote:
> And it's broken now too :(
>
> ===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
> ===> Configuring for ftp-proxy-4.4p1_1
> ===> Building for ftp-proxy-4.4p1_1
> Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
> cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
> ftp-proxy.c:32:19: event.h: No such file or directory
> ftp-proxy.c: In function `client_error':
> ftp-proxy.c:194: error:
> `EVBUFFER_EOF' undeclared (first use in this function)
> ftp-proxy.c:194: error: (Each undeclared identifier is reported only once
> ftp-proxy.c:194: error: for each function it appears in.)


On 2010-07-04 19:57, Vadym Chepkov wrote:
> And it's broken now too :(
>
> ===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
> ===> Configuring for ftp-proxy-4.4p1_1
> ===> Building for ftp-proxy-4.4p1_1
> Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
> cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
> ftp-proxy.c:32:19: event.h: No such file or directory
> ftp-proxy.c: In function `client_error':
> ftp-proxy.c:194: error: `EVBUFFER_EOF' undeclared (first use in this function)
> ftp-proxy.c:194: error: (Each undeclared identifier is reported only once


Um, which OS version do you have (uname -a)?

If I go into the port ftp/ftp-proxy

# make
===> Fetching all distfiles for ftp-proxy-4.4p1_1 and dependencies
===> ftp-proxy-4.4p1_1 is a part of base for 7.0 and above.
*** Error code 1

Stop in /usr/ports/ftp/ftp-proxy.
*** Error code 1

Stop in /usr/ports/ftp/ftp-proxy.


But if you look into /usr/src/contrib/pf/ftp-proxy/ you see which type of
ftp-proxy we mean (the built-in)

Hope it is now clear which ftp-proxy to use (none from the ports)

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 18:17:03 2010
From: Vadym Chepkov
Date: Sun, 4 Jul 2010 14:16:57 -0400
To: olli hauer
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

6.4

And it seems for some reason this line in Makefile doesn't take effect:

CFLAGS+= -I${LOCALBASE}/include

I did
make configure
modified generated port's Makefile manually
and then make build was successful

Vadym

On Jul 4, 2010, at 2:12 PM, olli hauer wrote:

> On 2010-07-04 19:57, Vadym Chepkov wrote:
>> And it's broken now too :(
>>
>> ===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
>> ===> Configuring for ftp-proxy-4.4p1_1
>> ===> Building for ftp-proxy-4.4p1_1
>> Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
>> cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
>> ftp-proxy.c:32:19: event.h: No such file or directory
>> ftp-proxy.c: In function `client_error':
>> ftp-proxy.c:194: error: `EVBUFFER_EOF' undeclared (first use in this function)
>> ftp-proxy.c:194: error: (Each undeclared identifier is reported only once
>> ftp-proxy.c:194: error: for each function it appears in.)
>
>
> On 2010-07-04 19:57, Vadym Chepkov wrote:
>> And it's broken now too :(
>>
>> ===> ftp-proxy-4.4p1_1 depends on shared library: event-1.4 - found
>> ===> Configuring for ftp-proxy-4.4p1_1
>> ===> Building for ftp-proxy-4.4p1_1
>> Warning: Object directory not changed from original /usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1
>> cc -O -pipe -march=athlon-mp -I/usr/ports/ftp/ftp-proxy/work/ftp-proxy-4.4p1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -c ftp-proxy.c
>> ftp-proxy.c:32:19: event.h: No such file or directory
>> ftp-proxy.c: In function `client_error':
>> ftp-proxy.c:194: error: `EVBUFFER_EOF' undeclared (first use in this function)
>> ftp-proxy.c:194: error: (Each undeclared identifier is reported only once
>
>
> Um, which OS version do you have (uname -a)?
>
> If I go into the port ftp/ftp-proxy
>
> # make
> ===> Fetching all distfiles for ftp-proxy-4.4p1_1 and dependencies
> ===> ftp-proxy-4.4p1_1 is a part of base for 7.0 and above.
> *** Error code 1
>
> Stop in /usr/ports/ftp/ftp-proxy.
> *** Error code 1
>
> Stop in /usr/ports/ftp/ftp-proxy.
>
>
> But if you look into /usr/src/contrib/pf/ftp-proxy/ you see which type off
> ftp-proxy we mean (the build-in)
>
> Hope It is now clear which ftp-proxy to use (none from the ports)
>

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 18:24:27 2010
Date: Sun, 04 Jul 2010 20:25:40 +0200
From: olli hauer
To: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

On 2010-07-04 20:07, Vadym Chepkov wrote:
> true
> that, but 6.4 still didn't reach EOL
>
>
> On Jul 4, 2010, at 2:01 PM, Remko Lodder wrote:
>
>>
>> It's included in 8 by default, and perhaps even 7.
>>
>> 'man ftp-proxy' does miracles, perhaps you do not even need to build it :)
>>

So it's best to remove the ports ftp/ftp-proxy and ftp/ftpsesame.

Both ports are for pf version <= 3.5/3.6

look at the ftp-proxy history (included in FreeBSD since 6.0)
http://svn.freebsd.org/viewvc/base/releng/6.4/contrib/pf/ftp-proxy/ftp-proxy.c

This is the one you should use.

From owner-freebsd-pf@FreeBSD.ORG Sun Jul 4 18:39:17 2010
From: Vadym Chepkov
Date: Sun, 4 Jul 2010 14:39:10 -0400
To: olli hauer
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

that one didn't work for me, that's why I went to pftpx to begin with.
From ports it seems to be working fine at the moment.
I am preparing to upgrade to 7.x and the very first step is to make sure all ports work :)
So hopefully it will be removed soon anyway.

Thank you,
Vadym

On Jul 4, 2010, at 2:25 PM, olli hauer wrote:

> On 2010-07-04 20:07, Vadym Chepkov wrote:
>> true that, but 6.4 still didn't reach EOL
>>
>>
>> On Jul 4, 2010, at 2:01 PM, Remko Lodder wrote:
>>
>>>
>>> It's included in 8 by default, and perhaps even 7.
>>>
>>> 'man ftp-proxy' does miracles, perhaps you do not even need to build it :)
>>>
>
> So it's best to remove the ports ftp/ftp-proxy and ftp/ftpsesame.
>
> Both ports are for pf version <= 3.5/3.6
>
> look at the ftp-proxy history (included in FreeBSD since 6.0)
> http://svn.freebsd.org/viewvc/base/releng/6.4/contrib/pf/ftp-proxy/ftp-proxy.c
>
> This is the one you should use.
>

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 5 11:07:00 2010
Date: Mon, 5 Jul 2010 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to
view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on
                          FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

47 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 5 13:17:03 2010
Date: Mon, 5 Jul 2010 15:01:48 +0200
From: Holger Rauch
To: Jille Timmermans
Organization: EMPIC GmbH, Werner-von-Siemens-Str. 61, 91052 Erlangen, Germany, Reg. No: 2873 / Fuerth / Germany, CEO / Managing Director: Joerg K.
 Kottenbrink, WWW: http://www.empic.eu
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and ftp

Hi,

out of curiosity: How do you deal with the FTP problem (only allowing
passive FTP access) on a bridge where rdr rules in conjunction with
ftp-proxy can not be used?

Thanks in advance for any info & kind regards,

   Holger

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 5 14:37:45 2010
Date: Mon, 05 Jul 2010 15:26:07 +0400
From: Алексей Гуськов
To: freebsd-pf@freebsd.org
Subject: pf route-to breaks pfil processing order

Hello everyone.

Here's the problem:

I need to forward some outgoing traffic to some local service. Traffic
goes from my machine, not from local network, so I cannot use pf rdr rule,
because it handles only incoming traffic. So, I'm using ipfw fwd rule for
that:

# ipfw add 100 fwd 192.168.1.1,3127 ip from me to any 80 out

Here I redirect all outgoing traffic to another local proxy. (Nope, I can
not use parent proxy).
Everything is fine and works ok until I turn on pf and create route-to
rule:

pass out on le0 out route-to (le0 192.168.1.254) from any to yandex.ru

Besides I'm using dummynet pipes for traffic shaping, so I need ipfw to
process incoming packets before pf (and after pf for outgoing packets):

# ipfw disable firewall
# ipfw enable firewall

So, the problem goes here:
Here's the path of the outgoing packet inside the kernel:

ip_output() -> ... -> pfil_run_hooks() -> ... -> pf_test()

pf_test checks the packets, searches for state etc.
Finally it checks if the packet should be redirected by "route-to",
"reply-to" or "dup-to" options

pf.c, line 7125, pf_test():
------
        if (r->rt)
                /* pf_route can free the mbuf causing *m0 to become NULL */
                pf_route(m0, r, dir, ifp, s, &pd);

pf_route() itself performs some routing actions, rewrites nexthop and if,
and (sic!) sends the packet _directly_ to the specified interface:

pf.c, line 6239, pf_route()
----
        PF_UNLOCK();
        error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
        PF_LOCK();

Original packet is deleted as if it's been blocked by firewall.

So, any packet that is processed by pf_route would not then be processed
with ipfw, would not be diverted into pipes etc. (actually I believe it
wouldn't also be processed by altq). For example in my case the tcp
connection wouldn't be redirected by ipfw.

So here are the questions:
1) for what purpose pf_route invokes if_output by itself?
2) why rewritten packets can't be left intact so they would be normally
processed by ipfw, altq etc and sent to interfaces by uip_output()?

I'm asking that because when ipfw redirects packets they are processed
this way and nothing bad happens.

Thanks

--
Alexey Guskov
Areal company

From owner-freebsd-pf@FreeBSD.ORG Thu Jul 8 02:40:07 2010
Date: Thu, 8 Jul 2010 02:40:06 GMT
To: freebsd-pf@FreeBSD.org
From: Janne Snabb
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together

The following reply was made to PR kern/127920; it has been noted by GNATS.

From: Janne Snabb
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Thu, 8 Jul 2010 02:35:04 +0000 (UTC)

 Hi,

 I can confirm that this problem still exists on 8.0p2:

 FreeBSD xxx.example.com 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #3: Thu May 27 06:52:37 UTC 2010 snabb@xxx.example.com:/usr/obj/usr/src/sys/GENERIC i386

 I was hitting my head against the wall for a while until I found
 out that synproxy is just broken and should not be used.

 --
 Janne Snabb / EPIPE Communications
 snabb@epipe.com - http://epipe.com/

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 9 21:36:22 2010
Date: Fri, 9 Jul 2010 23:36:39 +0200
From: "Len Conrad"
Subject: Subject: pf: pass in quick to port 25 still getting blocks
 Fri, 09 Jul 2010 21:36:22 -0000

pf doing host security, not a whole lot of rules, and all is working well.

An early rule is:

pass in quick on $ext_if inet proto tcp from any to $ext_if port smtp keep state

and the last rule is:

block in log on $ext_if from any to $ext_if, which logs as:

rule 33/0(match)

in spite of the pass in smtp, rule 33 is still blocking several 1000 SMTP accesses/day, eg:

rule 33/0(match): block in on em0: 74.120.242.172.57093 > x.x.x.x.25: . ack 50 win 46

rule 33/0(match): block in on em0: 94.179.232.111.8364 > x.x.x.x.25: P 0:6(6) ack 1 win 65438

where the text after the 25: has several different formats.

How is any port 25 access not being passed by the pass smtp rule?

Len

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 9 21:47:16 2010
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A938106564A for ; Fri, 9 Jul 2010 21:47:16 +0000 (UTC) (envelope-from ddesimone@verio.net)
Received: from relay2-bcrtfl2.verio.net (relay2-bcrtfl2.verio.net [131.103.218.177]) by mx1.freebsd.org (Postfix) with ESMTP id F325F8FC14 for ; Fri, 9 Jul 2010 21:47:15 +0000 (UTC)
Received: from iad-wprd-xchw02.corp.verio.net (iad-wprd-xchw02.corp.verio.net [198.87.7.165]) by relay2-bcrtfl2.verio.net (Postfix) with ESMTP id D93001FF01D0 for ; Fri, 9 Jul 2010 17:47:13 -0400 (EDT)
Thread-Index: AcsfsEpfFlzPpxIvRbSZQtUvp+tzSg==
Received: from dllstx1-8sst9f1.corp.verio.net ([10.144.2.52]) by iad-wprd-xchw02.corp.verio.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 9 Jul 2010 17:47:12 -0400
Received: by dllstx1-8sst9f1.corp.verio.net (sSMTP sendmail emulation); Fri, 09 Jul 2010 16:47:11 -0500
Date: Fri, 9 Jul 2010 16:47:11 -0500
Content-Transfer-Encoding: 7bit
From: "David DeSimone"
To:
Content-class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4657
Message-ID:
 <20100709214710.GE5292@verio.net>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <201007092336.AA320012590@mail.Go2France.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201007092336.AA320012590@mail.Go2France.com>
Precedence: bulk
User-Agent: Mutt/1.5.20 (2009-06-14)
X-OriginalArrivalTime: 09 Jul 2010 21:47:12.0158 (UTC) FILETIME=[49B64BE0:01CB1FB0]
Subject: Re: Subject: pf: pass in quick to port 25 still getting blocks
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Jul 2010 21:47:16 -0000

Len Conrad wrote:
>
> pass in quick on $ext_if inet proto tcp from any to $ext_if port smtp keep state

Be aware that there is an implied "flags S/SA" added to your rule, so it
only matched initial SYN packets.

> and the last rule is:
>
> block in log on $ext_if from any to $ext_if, which logs as:
> in spite of the pass in smtp, rule 33 is still blocking several 1000 SMTP accesses/day, eg:
>
> rule 33/0(match): block in on em0: 74.120.242.172.57093 > x.x.x.x.25: . ack 50 win 46
>
> rule 33/0(match): block in on em0: 94.179.232.111.8364 > x.x.x.x.25: P 0:6(6) ack 1 win 65438

The packets shown here are not SYN packets, so they fail to match the
early rule. They are supposed to be matched by the connection state
which is built, but for some reason they are not matching. Are your
state entries expiring early for some reason?

You may want to add "log" to the early pass rule, and then you can
compare the timestamp between when the initial SYN arrived for a
connection, and the later block occurred for a packet in the middle of
the connection.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it I'd
   eat it, and I just hate it."
-- Clarence Darrow
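
The comparison David DeSimone suggests above, as an added example that is not part of the original thread: it pairs each blocked non-SYN packet with the logged initial SYN of the same connection and reports the time between them. The sample lines are constructed, the epoch timestamps assume `tcpdump -n -e -tt -r /var/log/pflog`, and rule number 4 for the logged pass rule, the addresses and the function names are assumptions.

```python
import re

# Constructed pflog lines in the format quoted in the thread, with the epoch
# timestamp that tcpdump -tt prints first. Addresses are documentation ranges;
# rule 4 stands in for the "pass in log quick ... port smtp" rule (assumption).
SAMPLE = """\
1278711000.100000 rule 4/0(match): pass in on em0: 198.51.100.7.57093 > 192.0.2.25.25: S 100:100(0) win 65535
1278711003.000000 rule 33/0(match): block in on em0: 203.0.113.9.8364 > 192.0.2.25.25: P 0:6(6) ack 1 win 65438
1278711095.200000 rule 33/0(match): block in on em0: 198.51.100.7.57093 > 192.0.2.25.25: . ack 50 win 46
"""

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) in on \S+: "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)(?P<rest>.*)$")

def is_initial_syn(flags, rest):
    """True for what the implied 'flags S/SA' matches: SYN set, ACK clear."""
    return "S" in flags and not re.search(r"\back\b", rest)

def correlate(log_text, pass_rule, block_rule):
    """Pair each blocked non-SYN packet with the logged SYN of its connection."""
    syn_seen = {}   # (src, dst) -> timestamp of the last passed initial SYN
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, rule, conn = float(m["ts"]), int(m["rule"]), (m["src"], m["dst"])
        syn = is_initial_syn(m["flags"], m["rest"])
        if m["action"] == "pass" and rule == pass_rule and syn:
            syn_seen[conn] = ts
        elif m["action"] == "block" and rule == block_rule and not syn:
            # A mid-connection packet reached the final block rule, so no
            # state entry matched it when it arrived.
            if conn in syn_seen:
                findings.append((conn, "blocked_after_syn", round(ts - syn_seen[conn], 1)))
            else:
                findings.append((conn, "no_syn_logged", None))
    return findings

if __name__ == "__main__":
    for conn, verdict, gap in correlate(SAMPLE, pass_rule=4, block_rule=33):
        print(conn, verdict, gap)
```

A `blocked_after_syn` gap can be compared against the values printed by `pfctl -s timeouts` to see whether state expiry explains the block; `no_syn_logged` means no initial SYN for that source and destination was passed during the capture.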