From owner-freebsd-pf@FreeBSD.ORG Sun May 5 05:28:47 2013
From: Jason Hellenthal
Subject: Re: IGMP with no matching rules
Date: Sun, 5 May 2013 01:21:49 -0400
To: Florian Smeets
Cc: freebsd-pf@FreeBSD.org
In-Reply-To: <518510B6.8000309@smeets.im>
References: <86C973B6-D12D-41AA-A1F9-D93E1C60856F@DataIX.net> <518510B6.8000309@smeets.im>

Wow, I can't believe I skipped over that option.

pass quick proto igmp allow-opts

Did it perfectly!!!! Thank you Florian

--
Jason Hellenthal
JJH48-ARIN

-(2^(N-1))

On May 4, 2013, at 9:44, Florian Smeets wrote:

> On 04.05.13 09:36, Jason Hellenthal wrote:
>> Hey Everyone,
>>
>> Has anyone seen IGMP traffic hit their pflog interface even if there
>> are no rules matching that tell it to log?
>>
>> Anyone that has a pointer to eliminate the logging of the IGMP
>> traffic would be extremely helpful. This has been fairly frustrating
>> up to this point trying to either create a rule to catch it that does
>> not specify logging or eliminate rules that shouldn't be matching but
>> do.
>
> It would be easier to tell with your rule set, but I think this may be
> related to IP options, look for allow-opts in pf.conf(5).
>
> Florian
>

From owner-freebsd-pf@FreeBSD.ORG Mon May 6 11:06:50 2013
Date: Mon, 6 May 2013 11:06:50 GMT
Message-Id: <201305061106.r46B6o9v023883@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue May 7 10:03:24 2013
Message-ID: <1367921002.58322.YahooMailNeo@web162706.mail.bf1.yahoo.com>
Date: Tue, 7 May 2013 03:03:22 -0700 (PDT)
From: Nomad Esst
Subject: pf reload
To: pf list

Hi list

Is it necessary to reload PF after each change done by pfctl? If yes, how?

From owner-freebsd-pf@FreeBSD.ORG Tue May 7 10:10:18 2013
Date: Tue, 7 May 2013 12:10:08 +0200
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Subject: Re: pf reload
Message-ID: <20130507121008.6c1453d5@davenulle.org>
In-Reply-To: <1367921002.58322.YahooMailNeo@web162706.mail.bf1.yahoo.com>

On Tue, 7 May 2013 03:03:22 -0700 (PDT), Nomad Esst wrote:

> Hi list

Hello,

> Is it necessary to reload PF after each change done by pfctl? If
> yes, how?

No. PF itself is a kernel module, all the control is done by pfctl.

Regards.

From owner-freebsd-pf@FreeBSD.ORG Tue May 7 11:09:01 2013
From: Caglar Kilimci
To: pf list
Subject: Padding in pfloghdr
Date: Tue, 7 May 2013 11:02:16 +0000
Message-ID: <200BCD16C92DAC439533916A735EE8E511C68D89@mail.logo.com.tr>

Hello list,

I want to insert an extra field, u_int32_t, into the pfloghdr struct but I am not sure how to change the padding.

Index: sys/net/if_pflog.h
===================================================================
--- sys/net/if_pflog.h (revision 250171)
+++ sys/net/if_pflog.h (working copy)
@@ -45,6 +45,8 @@
 uid_t rule_uid;
 pid_t rule_pid;
 u_int8_t dir;
+ //added for extra
+ u_int32_t index;
 u_int8_t pad[3];
 };

If I increment hdrlen by 4 in tcpdump, everything seems fine but I guess this solution is not good.

Index: print-pflog.c
===================================================================
--- print-pflog.c (revision 250174)
+++ print-pflog.c (working copy)
@@ -145,6 +145,7 @@
 
 /* skip to the real packet */
 af = hdr->af;
+ hdrlen+=4;
 length -= hdrlen;
 caplen -= hdrlen;
 p += hdrlen;

If I do not touch anything in tcpdump, it complains with a "bad-len 0" error. I mean, what is the padding number for the pfloghdr struct?
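Review bot: In the if_pflog.h hunk, inserting `u_int32_t index;` between `u_int8_t dir;` and `u_int8_t pad[3];` places a 4-byte field directly after a 1-byte one, so the compiler adds alignment bytes in front of `index`, the structure grows by more than the 4 bytes the tcpdump hunk assumes, and `pad[3]` no longer closes the last word. Move the new field in front of `dir` (directly after `pid_t rule_pid;`) so the existing `dir`/`pad[3]` tail stays the final word and the header grows by exactly one 32-bit word, and replace the `//added for extra` line with a `/* ... */` comment that says what `index` carries, as style(9) expects in kernel headers.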
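Review bot: In the print-pflog.c hunk, `hdrlen+=4;` bakes one assumed growth of the kernel header into the reader: `hdrlen` is the value the three lines below subtract from `length` and `caplen`, so adding a literal to it silently desynchronises reader and kernel the moment the real growth is not 4, which alignment padding in the if_pflog.h change makes likely. Derive the amount to skip from the structure definition shared with the kernel, for example `sizeof(struct pfloghdr)`, rather than from a constant, and treat the "bad-len" complaint as the symptom that the two sides disagree; style-wise, put spaces around `+=` as the `-=` lines below do.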
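To see where the extra word actually lands, here is an added example (not code from the message or from FreeBSD) that reconstructs three layouts with offsetof: the original header, the posted patch with `index` after `dir`, and the alternative with `index` before `dir`. The field list mirrors the FreeBSD pfloghdr layout; the 16-byte name sizes and 32-bit uid_t/pid_t are assumptions, and the offsets are those of a conventional ABI where 32-bit fields are 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: both name buffers are 16 bytes (IFNAMSIZ, PFLOG_RULESET_NAME_SIZE). */
#define NAMESZ 16

/* Leading fields shared by all three layouts. This is a reconstruction of the
 * FreeBSD pfloghdr, not the kernel's own header; uid_t/pid_t assumed 32-bit.
 * 4 one-byte fields + 2 names + 6 words = 60 bytes, so dir starts at offset 60. */
#define PFLOG_COMMON_FIELDS       \
    uint8_t  length;              \
    uint8_t  af;                  \
    uint8_t  action;              \
    uint8_t  reason;              \
    char     ifname[NAMESZ];      \
    char     ruleset[NAMESZ];     \
    uint32_t rulenr;              \
    uint32_t subrulenr;           \
    uint32_t uid;                 \
    int32_t  pid;                 \
    uint32_t rule_uid;            \
    int32_t  rule_pid;
#define NAMED_COMMON 60   /* bytes occupied by PFLOG_COMMON_FIELDS */

/* Layout 1: as shipped. dir plus pad[3] fill the last word, nothing hidden. */
struct pfloghdr_orig {
    PFLOG_COMMON_FIELDS
    uint8_t  dir;
    uint8_t  pad[3];
};
/* Layout 2: the posted patch, index squeezed between dir and pad. */
struct pfloghdr_patch {
    PFLOG_COMMON_FIELDS
    uint8_t  dir;
    uint32_t index;   /* 4-byte aligned: the compiler inserts bytes before it */
    uint8_t  pad[3];
};
/* Layout 3: index before dir, so the dir/pad[3] tail keeps closing the word. */
struct pfloghdr_alt {
    PFLOG_COMMON_FIELDS
    uint32_t index;
    uint8_t  dir;
    uint8_t  pad[3];
};

struct layout_report {
    size_t size;          /* sizeof(): what the kernel hands to bpf per packet */
    size_t index_offset;  /* where the new field lands (0 for the original) */
    size_t pad_offset;    /* offsetof(pad): the length pflog itself advertises */
    size_t hidden_pad;    /* bytes the compiler added that no field names */
};

struct layout_report report_orig(void)
{
    struct layout_report r;
    r.size = sizeof(struct pfloghdr_orig);
    r.index_offset = 0;
    r.pad_offset = offsetof(struct pfloghdr_orig, pad);
    r.hidden_pad = r.size - (NAMED_COMMON + 1 + 3);
    return r;
}

struct layout_report report_patch(void)
{
    struct layout_report r;
    r.size = sizeof(struct pfloghdr_patch);
    r.index_offset = offsetof(struct pfloghdr_patch, index);
    r.pad_offset = offsetof(struct pfloghdr_patch, pad);
    r.hidden_pad = r.size - (NAMED_COMMON + 1 + 4 + 3);
    return r;
}

struct layout_report report_alt(void)
{
    struct layout_report r;
    r.size = sizeof(struct pfloghdr_alt);
    r.index_offset = offsetof(struct pfloghdr_alt, index);
    r.pad_offset = offsetof(struct pfloghdr_alt, pad);
    r.hidden_pad = r.size - (NAMED_COMMON + 4 + 1 + 3);
    return r;
}

/* How many extra bytes a reader such as tcpdump would really have to skip. */
size_t growth(struct layout_report (*layout)(void))
{
    return layout().size - report_orig().size;
}

int main(void)
{
    struct layout_report o = report_orig(), p = report_patch(), a = report_alt();
    printf("orig : size %zu pad@%zu hidden %zu\n", o.size, o.pad_offset, o.hidden_pad);
    printf("patch: size %zu index@%zu pad@%zu hidden %zu growth %zu\n", p.size,
           p.index_offset, p.pad_offset, p.hidden_pad, growth(report_patch));
    printf("alt  : size %zu index@%zu pad@%zu hidden %zu growth %zu\n", a.size,
           a.index_offset, a.pad_offset, a.hidden_pad, growth(report_alt));
    return 0;
}
```

With the posted layout the header grows by 8 bytes and 4 of them are unnamed padding, so a fixed `hdrlen += 4` in the reader cannot line up; with `index` before `dir` the header grows by exactly 4 and no hidden padding appears.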
From owner-freebsd-pf@FreeBSD.ORG Tue May 7 14:01:13 2013
To: Nomad Esst
From: Ian FREISLICH
Subject: Re: skipto keyword in pf
In-Reply-To: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com>
Date: Tue, 07 May 2013 16:01:06 +0200
Cc: freebsd-pf@freebsd.org

Nomad Esst wrote:
> >Well, tags could help here. With a concrete example of what you want, it
> >would be easier to suggest a solution.
>
> >Regards.
>
> Aren't anchors useful as David DeSimone said?

Yes they are.  I used to do the following in ipfw:

10 skipto 1200 ip from any to any in recv vlan2
20 skipto 1200 ip from any to any out xmit vlan2
30 skipto 1300 ip from any to any in recv vlan3
40 skipto 1300 ip from any to any out xmit vlan3
50 skipto 1400 ip from any to any in recv vlan4
60 skipto 1400 ip from any to any out xmit vlan4
...
100 deny log ip from any to any
...
1200 vlan2 rules
...
1299 deny log ip from any to any
1300 vlan3 rules
...
1399 deny log ip from any to any
1400 vlan4 rules
...
1499 deny log ip from any to any

In pf I do the following:

anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"

and I put the rules for each vlan in their own file.
as an example:
-----
tcpports = "{ http, https }"
udpports = "{ snmp }"

# Proxy Network
block return out log all
pass out proto tcp from any to any port $tcpports
pass out proto tcp from to any port ssh
pass out proto udp from any to any port $udpports
pass out proto udp from port 123 to any
pass out proto vrrp from any to any
pass out proto icmp from any to any
pass out proto tcp from to any port { 3128, 8080, 10050 }
pass in all
pass in proto tcp from any to any port { 80 } queue vlan25_out
-----

Rules are evaluated when there is no matching state.  Rules are
evaluated in order.  The *last* rule to match is used.

> Another question, is it possible to negate a rule or feature in a
> rule? I mean pass all traffic which DO NOT match the rule ? e.g. using
> "!" sign.

You can.  As an example a transparent proxy interception rule:

rdr on vlan5 inet proto tcp from ! to ! port 80 -> port 3128

I highly suggest you read the pf.conf manual page.  It has a lot of
good instructions and useful information, particularly the rule grammar
at the end of the page.
Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Wed May 8 11:14:39 2013
In-Reply-To: (Ian FREISLICH, Tue, 07 May 2013 16:01:06 +0200)
Message-Id: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd>
From: Damien Fleuriot
Subject: Re: skipto keyword in pf
Date: Wed, 8 May 2013 13:13:47 +0200
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org

On 7 May 2013, at 16:01, Ian FREISLICH wrote:

> Nomad Esst wrote:
>>> Well, tags could help here. With a concrete example of what you want, it
>>> would be easier to suggest a solution.
>>
>>> Regards.
>>
>> Aren't anchors useful as David DeSimone said?
>
> Yes they are.  I used to do the following in ipfw:
>
> 10 skipto 1200 ip from any to any in recv vlan2
> 20 skipto 1200 ip from any to any out xmit vlan2
> 30 skipto 1300 ip from any to any in recv vlan3
> 40 skipto 1300 ip from any to any out xmit vlan3
> 50 skipto 1400 ip from any to any in recv vlan4
> 60 skipto 1400 ip from any to any out xmit vlan4
> ...
> 100 deny log ip from any to any
> ...
> 1200 vlan2 rules
> ...
> 1299 deny log ip from any to any
> 1300 vlan3 rules
> ...
> 1399 deny log ip from any to any
> 1400 vlan4 rules
> ...
> 1499 deny log ip from any to any
>
>
> In pf I do the following:
>
> anchor vlan2 quick on vlan2
> load anchor vlan2 from "/var/db/firewall/vlan2"
> anchor vlan3 quick on vlan3
> load anchor vlan3 from "/var/db/firewall/vlan3"
> anchor vlan4 quick on vlan4
> load anchor vlan4 from "/var/db/firewall/vlan4"
>

Would you kindly elaborate on the quick keyword in conjunction with anchors?
I would assume that makes all the rules within the anchor quick?

> and I put the rules for each vlan in their own file.
> as an example:

If you only use anchors to cleanly split your rules, 9.x's PF supports includes, by the way, a feature that's been missing for so long ;)

Also, @OP:
Note that if you use anchors, NAT and rdr rules need to be loaded like so:

nat-anchor test
rdr-anchor test
anchor test
load anchor test from "/etc/pf/anchor_test"

Otherwise, don't be surprised if your NATs and RDRs mysteriously aren't applied

From owner-freebsd-pf@FreeBSD.ORG Wed May 8 11:32:47 2013
To: Damien Fleuriot
From: Ian FREISLICH
Subject: Re: skipto keyword in pf
In-Reply-To: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd>
Date: Wed, 08 May 2013 13:32:36 +0200
Cc: freebsd-pf@freebsd.org

Damien Fleuriot wrote:
> > anchor vlan4 quick on vlan4
> > load anchor vlan4 from "/var/db/firewall/vlan4"
>
> Would you kindly elaborate on the quick keyword in conjunction with anchors ?

According to the manual:

     Matching filter and translation rules marked with the quick option
     are final and abort the evaluation of the rules in other anchors
     and the main ruleset.  If the anchor itself is marked with the
     quick option, ruleset evaluation will terminate when the anchor is
     exited if the packet is matched by any rule within the anchor.

> > and I put the rules for each vlan in their own file. as an example:
>
> If you only use anchors to cleanly split your rules, 9.x's PF supports
> includes, by the way, a feature that's been missing for so long ;)

I use it to segment my rules per interface.  include won't have the
same effect in this instance.
> Also, @OP:
> Note that if you use anchors, NAT and rdr rules need to be loaded like so:
>
> nat-anchor test
> rdr-anchor test
> anchor test
> load anchor test from "/etc/pf/anchor_test"
>
> Otherwise, don't be surprised if your NATs and RDRs mysteriously
> aren't applied

I haven't experienced this and I have loads of anchors and NAT and RDRs
that aren't loaded in an anchor.  Perhaps I have too much traffic to
tell if some of it bypasses a NAT rule, but as far as I can tell it
doesn't.

Ian

--
Ian Freislich

From owner-freebsd-pf@FreeBSD.ORG Wed May 8 15:32:16 2013
Date: Wed, 8 May 2013 10:32:06 -0500
From: David DeSimone
To: Damien Fleuriot
Subject: Re: skipto keyword in pf
Message-ID: <20130508153205.GR6396@verio.net>
In-Reply-To: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd>
Cc: freebsd-pf@freebsd.org

Damien Fleuriot wrote:
>
> Would you kindly elaborate on the quick keyword in conjunction with
> anchors ?
>
> I would assume that makes all the rules within the anchor quick ?

Using "quick" in the rule that calls an anchor is not the same as making
all the rules in the anchor "quick."  It instead means that whatever
decision is made by the anchor will be final, and rules following the
call out to the anchor will not be examined.  But processing of rules
within the anchor will follow standard rules of quick/non-quick.

My opinion is that, when designing PF rulesets, you should choose to
either always use quick, or never use quick, else you may end up easily
confusing yourself.
-- David DeSimone == Network Admin == fox@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you. From owner-freebsd-pf@FreeBSD.ORG Thu May 9 10:59:37 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 48023B70 for ; Thu, 9 May 2013 10:59:37 +0000 (UTC) (envelope-from noname.esst@yahoo.com) Received: from nm5.bullet.mail.bf1.yahoo.com (nm5.bullet.mail.bf1.yahoo.com [98.139.212.164]) by mx1.freebsd.org (Postfix) with SMTP id B86F0F38 for ; Thu, 9 May 2013 10:59:36 +0000 (UTC) Received: from [98.139.215.142] by nm5.bullet.mail.bf1.yahoo.com with NNFMP; 09 May 2013 10:59:29 -0000 Received: from [98.139.212.218] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 09 May 2013 10:59:29 -0000 Received: from [127.0.0.1] by omp1027.mail.bf1.yahoo.com with NNFMP; 09 May 2013 10:59:29 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 900323.3577.bm@omp1027.mail.bf1.yahoo.com Received: (qmail 76307 invoked by uid 60001); 9 May 2013 10:59:29 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1368097169; bh=yYwjy6kBNTteoCoNCV9lwDX7q3kUljyJ5P4mgMnwyOg=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; 
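The two behaviours David describes, as an added pf.conf illustration that is not part of his mail. It assumes an external interface em0, an anchor named "allowlist" loaded separately with pfctl, and a constructed client address 192.0.2.10; the two variants are alternatives, not meant to be loaded together.

```pf
# Added example, not from the original thread. Assumes interface em0 and an
# anchor "allowlist" loaded separately, e.g.:
#   pfctl -a allowlist -f /etc/pf/allowlist.conf
# where that file holds a single rule such as:
#   pass in on em0 proto tcp from 192.0.2.10 to port 22
ext_if = "em0"

# Variant A: no quick on the anchor call. The "pass" matched inside the
# anchor is not final: evaluation continues, the later "block in" also
# matches and, being the last matching rule, wins. 192.0.2.10 -> :22 is blocked.
anchor "allowlist" in on $ext_if
block in on $ext_if

# Variant B: quick on the anchor call. Whatever rule matched inside the anchor
# is treated as the last matching rule, so the "block in" after the call is
# never examined. 192.0.2.10 -> :22 is passed. Rules inside the anchor still
# follow their own quick/non-quick ordering among themselves.
anchor "allowlist" in quick on $ext_if
block in on $ext_if
```

Check which rule actually won for a given flow with `pfctl -vvsr` (rule counters) or by logging the rules involved.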
From: Nomad Esst
To: pf list
Subject: packet tagging
Date: Thu, 9 May 2013 03:59:29 -0700 (PDT)
Message-ID: <1368097169.74234.YahooMailNeo@web162701.mail.bf1.yahoo.com>

Should the system act as a bridge in order to do the tagging or is it (bridge)
just used to do the tagging regardless of the system rule?

From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: packet tagging
Date: Thu, 09 May 2013 14:29:52 +0200
Message-ID: <878v3obakf.fsf@deeperthought.bsdly.net>
In-Reply-To: <1368097169.74234.YahooMailNeo@web162701.mail.bf1.yahoo.com>

Nomad Esst writes:

> Should the system act as a bridge in order to do the tagging or is it
> (bridge) just used to do the tagging regardless of the system rule?

You can tag packets on incoming and filter on the tags later in your ruleset
in non-bridge configurations too. But of course bridges have their own tagging
and filtering facilities that may be combined with PF features.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
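The non-bridge tagging Peter refers to, as an added pf.conf example that is not from the thread. It assumes a router with re1 facing the LAN, re2 facing a DMZ and re0 facing the Internet; the network addresses are constructed documentation-prefix samples.

```pf
# Added example, not from the original thread. Interface names and networks
# are assumptions; 192.0.2.0/24 and 198.51.100.0/24 are constructed samples.
ext_if  = "re0"
int_if  = "re1"
dmz_if  = "re2"
lan_net = "192.0.2.0/24"
dmz_net = "198.51.100.0/24"

block all

# Tag on the way in, on the interface where the packet arrived. The tag is an
# internal pf marker carried with the packet (and its state) through the rest
# of the evaluation; no bridge is involved.
pass in on $int_if inet from $lan_net tag LAN_IN keep state
pass in on $dmz_if inet from $dmz_net tag DMZ_IN keep state

# Later rules decide on the tag alone; source addresses are not re-checked.
# LAN hosts may go anywhere; DMZ hosts may only reach DNS on the Internet.
pass out on $ext_if tagged LAN_IN keep state
pass out on $ext_if proto { tcp, udp } to port 53 tagged DMZ_IN keep state

# A packet arriving on $ext_if with a forged LAN source address is dropped by
# "block all" on input, and even a passed-in one would never carry LAN_IN.
# DMZ -> LAN traffic is tagged DMZ_IN on input but no "pass out" on $int_if
# accepts that tag, so "block all" drops it on the way out.
```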
From: Nomad Esst
To: "Peter N. M. Hansteen", "freebsd-pf@freebsd.org"
Subject: Re: packet tagging
Date: Thu, 9 May 2013 05:44:46 -0700 (PDT)
Message-ID: <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>
In-Reply-To: <878v3obakf.fsf@deeperthought.bsdly.net>

> > Should the system act as a bridge in order to do the tagging or is it
> > (bridge) just used to do the tagging regardless of the system rule?
>
> You can tag packets on incoming and filter on the tags later in your
> ruleset in non-bridge configurations too. But of course bridges have
> their own tagging and filtering facilities that may be combined with PF
> features.

I want to filter packets based on their MAC address. After many hours of
googling I found out that such filtering is done via bridge. I just want to
know: are there any ways besides this? I also found these patches, which are
too old, and I could not apply them on my FBSD 8.2 ....
Any suggestions? I'm so disappointed ...
From: Christophe
To: freebsd-pf@freebsd.org
Subject: Re: packet tagging
Date: Thu, 09 May 2013 17:54:42 +0200
Message-ID: <518BC6C2.5030702@stuxnet.org>
In-Reply-To: <1368103486.77403.YahooMailNeo@web162706.mail.bf1.yahoo.com>

Hi,

Nomad Esst wrote,
> I want to filter packets based on their MAC address. After many hours of
> googling I found out that such filtering is done via bridge. I just want to
> know: are there any ways besides this? I also found these patches, which
> are too old, and I could not apply them on my FBSD 8.2 ....
> Any suggestions? I'm so disappointed ...

Never made such a config on FreeBSD but on OpenBSD:

A bridge (even with a single interface) is, as far as I know, mandatory to
filter MAC based packets.

A "rulefile", /etc/l2filter, like this:

### WKS1 ########
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan

### WKS2 ########
pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan

### WKS3 ########
pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan

### WKS4 ########
pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan

### WKS5 ########
pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan

### WKS6 #########
pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan

...

Bringing the rulefile on the bridge:

ifconfig bridge0 rulefile /etc/l2filter

pf rule sample:

pass in quick on $int_if inet proto tcp from $lan_nets to ! port { www, https } tagged wks4lan tag fromlan keep state

If modifications are made in /etc/l2filter (and trunk0 and re2 bridged
themselves):

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rulefile /etc/l2filter

To disable:

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rule pass in on re2
ifconfig bridge0 rule pass in on trunk0

Remember it is an OpenBSD (native) configuration, I don't know if it applies
on FreeBSD.

Regards.
Christophe.
From: Jason Hellenthal
To: Christophe
Cc: "freebsd-pf@freebsd.org"
Subject: Re: packet tagging
Date: Fri, 10 May 2013 00:19:36 -0400
Message-Id: <5D8FA439-4EA7-462F-B410-A815C1C78769@DataIX.net>
In-Reply-To: <518BC6C2.5030702@stuxnet.org>

As for 8-STABLE this functionality is not available.

I'm not tracking 9-* so someone else will have to answer for that.

But as far as L2 filtering on the bridge...

You will probably want ipfw instead, as on 8-* we're using pf4.3¿ which on
FreeBSD is L3 & L4 filtering only.

If you are looking for a BSD solution for filtering only and your concern is
mainly based on using pf, I will sadly say you should lean on OpenBSD unless
something changes or you are willing to use access lists on your switches.

Now if your concern is mainly wireless the if_wlan interface is capable of its
own l2 filtering but nothing like pf.

Good luck & best packeting,

--
Jason Hellenthal
IS&T Services Professional
Inbox: jhellenthal@DataIX.net
JJH48-ARIN
From: Nomad Esst
To: Jason Hellenthal, Christophe
Cc: "freebsd-pf@freebsd.org"
Subject: Re: packet tagging
Date: Fri, 10 May 2013 23:52:33 -0700 (PDT)
Message-ID: <1368255153.65555.YahooMailNeo@web162701.mail.bf1.yahoo.com>
In-Reply-To: <5D8FA439-4EA7-462F-B410-A815C1C78769@DataIX.net>

> As for 8-STABLE this functionality is not available.
>
> I'm not tracking 9-* so someone else will have to answer for that.
>
> But as far as L2 filtering on the bridge...
>
> You will probably want ipfw instead, as on 8-* we're using pf4.3¿ which on
> FreeBSD is L3 & L4 filtering only.
>
> If you are looking for a BSD solution for filtering only and your concern
> is mainly based on using pf, I will sadly say you should lean on OpenBSD
> unless something changes or you are willing to use access lists on your
> switches.

So bad!!! I'm thinking of developing some utility that does the MAC address
filtering and then sends them to PF, so PF can decide about them, whether to
pass or drop them away. Do you have any ideas about that?

> Now if your concern is mainly wireless the if_wlan interface is capable of
> its own l2 filtering but nothing like pf.
>
> Good luck & best packeting,
>
> --
> Jason Hellenthal
> IS&T Services Professional
> Inbox: jhellenthal@DataIX.net
> JJH48-ARIN