From owner-freebsd-pf@freebsd.org Sun Jul 31 17:47:42 2016
Return-Path:
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6C210BA9D2D for ; Sun, 31 Jul 2016 17:47:42 +0000 (UTC) (envelope-from radek.krejca@starnet.cz)
Received: from EXCHANGE.mail.starnet.cz (exchange.mail.starnet.cz [92.62.224.72]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "EXCHANGE.mail.starnet.cz", Issuer "STARNET" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 007821D4B for ; Sun, 31 Jul 2016 17:47:41 +0000 (UTC) (envelope-from radek.krejca@starnet.cz)
Received: from EXCHANGE.mail.starnet.cz ([fe80::d017:9e72:12a5:7bb4]) by EXCHANGE.mail.starnet.cz ([fe80::d017:9e72:12a5:7bb4%14]) with mapi; Sun, 31 Jul 2016 19:46:26 +0200
From: Radek Krejča
To: 'freebsd-pf@freebsd.org'
Date: Sun, 31 Jul 2016 19:46:24 +0200
Subject: How to set tos to 0
Thread-Topic: How to set tos to 0
Thread-Index: AdHrU3m7kC8dS9mZSXeK4hrNhJrglQ==
Accept-Language: cs-CZ
Content-Language: cs-CZ
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 31 Jul 2016 17:47:42 -0000

Hello,

I need to set TOS to 0 and remark it with rules.

I am trying to use scrub to set tos to 0, but I have a problem:

  scrub all fragment reassemble no-df set-tos 0

gives "Illegal value", but

  scrub all fragment reassemble no-df set-tos 1

is working.

I tried 0x00 and 0x0 and still the same.

How can I set TOS to 0?

Thank you
Radek

From: "Kristof Provost"
To: "Radek Krejča"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: How to set tos to 0
Date: Sun, 31 Jul 2016 22:46:45 +0200
Message-ID: <19EA8000-0945-40D0-8A9E-D33E5397D8CC@FreeBSD.org>
X-Mailer: MailMate (2.0BETAr6042)

On 31 Jul 2016, at 19:46, Radek Krejča wrote:
> I need to set TOS to 0 and remark it with rules.
>
> I am trying to use scrub to set tos to 0, but I have problem:
>
> scrub all fragment reassemble no-df set-tos 0
>
> give Illegal value
>
> but scrub all fragment reassemble no-df set-tos 1
> is working.
>
> I am trying 0x00, 0x0 and still the same.
>
> How can I set TOS to 0?
>
I think you may have found a bug. Can you give this patch a try?

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index e0cfa3d..980976e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -3593,8 +3593,8 @@ tos : STRING {
             else if ($1[0] == '0' && $1[1] == 'x')
                 $$ = strtoul($1, NULL, 16);
             else
-                $$ = 0; /* flag bad argument */
-            if (!$$ || $$ > 255) {
+                $$ = 256; /* flag bad argument */
+            if ($$ < 0 || $$ > 255) {
                 yyerror("illegal tos value %s", $1);
                 free($1);
                 YYERROR;
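Review bot: now that 0 is a legal result, the `$$ = strtoul($1, NULL, 16);` branch in this hunk silently accepts any string that starts with "0x" but is not valid hex. strtoul() returns 0 for "0xzz" or a bare "0x", and the new `if ($$ < 0 || $$ > 255)` lets that 0 through as tos 0, whereas the old `!$$` test rejected it only as a side effect of also rejecting a real 0. Pass an end pointer and route trailing garbage to the sentinel, e.g. `$$ = strtoul($1, &ep, 16); if (*ep != '\0') $$ = 256;`, so that malformed hex still reaches the "illegal tos value" error. Also check the declared type of the tos nonterminal: if it is unsigned, `$$ < 0` can never be true and the compiler will warn; `$$ > 255` alone is then sufficient because 256 is the bad-argument sentinel.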
@@ -3603,7 +3603,7 @@ tos : STRING {
         }
         | NUMBER {
             $$ = $1;
-            if (!$$ || $$ > 255) {
+            if ($$ < 0 || $$ > 255) {
                 yyerror("illegal tos value %s", $1);
                 YYERROR;
             }

Regards,
Kristof

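Review bot: the unchanged `yyerror("illegal tos value %s", $1);` context line in this NUMBER hunk formats a numeric semantic value (the same `$1` that is assigned to `$$` and compared against 255) with a `%s` conversion, so every error this rule now reports, including the newly rejected negative values, is undefined behaviour and will most likely crash pfctl instead of printing the offending number. Since the line is being touched anyway, switch it to an integer conversion matching the NUMBER type, e.g. `yyerror("illegal tos value %jd", (intmax_t)$1);`, and mention in the commit message that `set-tos 0` is now accepted, which is the user-visible part of the change.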
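Added here as a stand-alone illustration, not pfctl code: a parser for a set-tos argument that accepts 0 in decimal or hex, as the patch above intends, and that also rejects the malformed-hex case the patched grammar lets through by calling strtoul() with an end pointer. The symbolic names lowdelay, throughput and reliability and their values (the IPTOS_* constants from netinet/ip.h) are assumed for the example; the name branch of the real grammar is not visible in the hunk.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not pfctl code. Parse a set-tos argument given as a
 * symbolic name, a hex string ("0x..") or a decimal string into a TOS
 * byte. Returns 0..255, or -1 for a bad argument. Unlike the pre-patch
 * pfctl grammar, 0 is a legal value; unlike the patched grammar, hex
 * with trailing garbage ("0xzz") or no digits at all ("0x") is rejected
 * via the end pointer instead of being read as 0 by strtoul(). */
int parse_tos(const char *s)
{
    /* Name table assumed from pf.conf(5)/netinet/ip.h, not from the hunk. */
    static const struct { const char *name; int value; } names[] = {
        { "lowdelay",    0x10 },   /* IPTOS_LOWDELAY */
        { "throughput",  0x08 },   /* IPTOS_THROUGHPUT */
        { "reliability", 0x04 },   /* IPTOS_RELIABILITY */
    };
    char *end;
    unsigned long v;
    int base;

    if (s == NULL || *s == '\0')
        return -1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(s, names[i].name) == 0)
            return names[i].value;

    /* Numeric form. Refuse the leading whitespace and sign that strtoul()
     * would otherwise accept: "-1" would wrap to a huge unsigned value. */
    if (!isdigit((unsigned char)s[0]))
        return -1;
    base = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10;
    errno = 0;
    v = strtoul(s, &end, base);
    if (errno != 0 || end == s || *end != '\0' || v > 255)
        return -1;          /* overflow, trailing garbage, or out of range */
    return (int)v;
}

int main(void)
{
    const char *samples[] = { "0", "0x0", "0x10", "lowdelay", "255",
                              "256", "0xzz", "0x", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("set-tos %-9s -> %d\n", samples[i], parse_tos(samples[i]));
    return 0;
}
```

The two cases worth keeping in mind when touching the grammar are "0" and "0x0", which must both yield 0, and "0xzz", which strtoul() alone would also turn into 0; only the end-pointer check tells them apart.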
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Wed, 03 Aug 2016 17:03:13 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: clbuisson@orange.fr
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

clbuisson@orange.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |clbuisson@orange.fr

--- Comment #9 from clbuisson@orange.fr ---
Upgrading my router/firewall from 9.3-STABLE svn 299225 to 10.3-STABLE svn
303269 I found that NATed traceroutes from the internal network to an external
system displayed the IPv4 addresses/names of the final destination system
instead of the IPv4 addresses/names of the intermediate systems/routers.

I reverted 300979 and obtained correct traceroute addresses/name display.

So I dare think that the bug cannot be closed.
--
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Wed, 03 Aug 2016 21:00:42 +0000
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #10 from Kristof Provost ---
(In reply to clbuisson from comment #9)
I'm afraid I don't understand what the problem is.

Can you add a description of your network setup, the traceroute output and a
network capture (please specify where in the network the capture was made)?

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Wed, 03 Aug 2016 21:40:10 +0000
X-Bugzilla-Who: clbuisson@orange.fr

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #11 from clbuisson@orange.fr ---
There is nothing complicated in my setup!

1. An internal network with "private" IPv4 addresses
2. A gateway/router/firewall connected to this internal network and to the
   Internet (ADSL), and NATing the traffic between 1 and 3
3. The Internet with any system, for example www.freebsd.org

On a system on the internal network, if I do

  traceroute www.freebsd.org

I get
- first line: the internal address/name of the gateway (OK)
- a number of lines, one for each intermediate router on the Internet, but
  labelled with the address/name of www.freebsd.org (!OK)
- last line: the address/name of www.freebsd.org (OK)

Details seem irrelevant (anyone can find the address of www.freebsd.org ...),
and the effect of outgoing NAT on UDP or ICMP (in case of traceroute -I) is
supposed known.

It is clear that the bug is in the NAT of the ICMP TIME_EXCEEDED received from
the Internet (invalid substitution of the address of the responding router
with the address of the traceroute target).

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 201519] pf NAT translates ICMP type 3 packects incorrectly
Date: Thu, 04 Aug 2016 06:24:09 +0000
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

--- Comment #12 from Kristof Provost ---
(In reply to clbuisson from comment #11)
I'm unable to reproduce the described behaviour on my system.

Please make a network capture so we can look in detail at what's going wrong.
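Added example, not code from pf or from the bug report: what an inbound NAT has to do with an ICMP error (type 3 or type 11), and the check to run over the packets a capture on the internal side would show, which is the evidence the two comments above are asking for. The addresses are constructed for the example: 203.0.113.1 is the hop that emitted the error, 198.51.100.2 the NAT's public address, 192.0.2.10 the traceroute target and 10.0.0.5 the internal host. Only the outer destination and the quoted inner source are translated back to the internal host; the outer source stays the reporting router. If the outer source were rewritten as well, the internal host would print the target for every intermediate hop, which is the symptom comment #9 describes, and check_translation() below rejects exactly that packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not pf code. Addresses are constructed for it. */
#define ROUTER   "203.0.113.1"   /* hop that emitted the ICMP error */
#define PUB      "198.51.100.2"  /* NAT's public address */
#define TARGET   "192.0.2.10"    /* traceroute target */
#define INTERNAL "10.0.0.5"      /* internal host running traceroute */

struct ipv4_hdr { uint8_t vhl, tos; uint16_t len, id, off; uint8_t ttl, proto;
                  uint16_t sum; uint32_t src, dst; };   /* no options */
struct icmp_hdr { uint8_t type, code; uint16_t sum; uint32_t unused; };
struct udp_hdr  { uint16_t sport, dport, len, sum; };

enum { PROTO_ICMP = 1, PROTO_UDP = 17, ICMP_UNREACH = 3, ICMP_TIMXCEED = 11 };
enum { OUTER_IP = 0, ICMP = 20, INNER_IP = 28, INNER_UDP = 48, PKT_LEN = 56 };

static uint32_t a2n(const char *s)               /* dotted quad -> network order */
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

static uint16_t csum(const uint8_t *p, size_t n)  /* RFC 1071; 0 when valid */
{
    uint32_t s = 0;
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)p[0] << 8 | p[1];
    if (n) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return htons((uint16_t)~s);
}

static void put_ip(uint8_t *at, struct ipv4_hdr h)   /* write header, fix checksum */
{
    h.sum = 0; memcpy(at, &h, sizeof h);
    h.sum = csum(at, sizeof h); memcpy(at, &h, sizeof h);
}

static void put_icmp_sum(uint8_t *pkt, size_t len)   /* checksum covers the whole message */
{
    struct icmp_hdr ic; memcpy(&ic, pkt + ICMP, sizeof ic);
    ic.sum = 0; memcpy(pkt + ICMP, &ic, sizeof ic);
    ic.sum = csum(pkt + ICMP, len - ICMP); memcpy(pkt + ICMP, &ic, sizeof ic);
}

/* The error as ROUTER emits it toward PUB, quoting the already-translated
 * probe (PUB -> TARGET, UDP, as traceroute sends it). Returns the length. */
size_t build_icmp_error(uint8_t *pkt, uint8_t type)
{
    struct ipv4_hdr inner = { .vhl = 0x45, .len = htons(40), .ttl = 1,
                              .proto = PROTO_UDP, .src = a2n(PUB), .dst = a2n(TARGET) };
    struct ipv4_hdr outer = { .vhl = 0x45, .len = htons(PKT_LEN), .ttl = 64,
                              .proto = PROTO_ICMP, .src = a2n(ROUTER), .dst = a2n(PUB) };
    struct udp_hdr  udp = { htons(33434), htons(33435), htons(20), 0 };
    struct icmp_hdr ic  = { type, 0, 0, 0 };

    memset(pkt, 0, PKT_LEN);
    put_ip(pkt + INNER_IP, inner);
    memcpy(pkt + INNER_UDP, &udp, sizeof udp);
    memcpy(pkt + ICMP, &ic, sizeof ic);
    put_icmp_sum(pkt, PKT_LEN);
    put_ip(pkt + OUTER_IP, outer);
    return PKT_LEN;
}

/* Inbound NAT of an ICMP error for the flow INTERNAL -> PUB: rewrite the
 * outer destination and the quoted inner source back to INTERNAL, refresh
 * all three checksums, and leave the outer source (the router) alone.
 * Returns 0 on success, -1 if this is not an ICMP error addressed to PUB. */
int nat_icmp_error_in(uint8_t *pkt, size_t len)
{
    struct ipv4_hdr outer, inner; struct icmp_hdr ic;
    if (len < PKT_LEN) return -1;
    memcpy(&outer, pkt + OUTER_IP, sizeof outer);
    memcpy(&ic, pkt + ICMP, sizeof ic);
    memcpy(&inner, pkt + INNER_IP, sizeof inner);
    if (outer.proto != PROTO_ICMP || (ic.type != ICMP_UNREACH && ic.type != ICMP_TIMXCEED))
        return -1;
    if (outer.dst != a2n(PUB) || inner.src != a2n(PUB)) return -1;   /* no state match */
    inner.src = a2n(INTERNAL); put_ip(pkt + INNER_IP, inner);
    put_icmp_sum(pkt, len);
    outer.dst = a2n(INTERNAL); put_ip(pkt + OUTER_IP, outer);
    return 0;
}

/* What a capture on the internal side should show after translation:
 * outer source still ROUTER, outer destination and quoted source INTERNAL,
 * quoted destination still TARGET, all checksums valid. 1 = passes. */
int check_translation(const uint8_t *pkt, size_t len)
{
    struct ipv4_hdr outer, inner;
    if (len < PKT_LEN) return 0;
    memcpy(&outer, pkt + OUTER_IP, sizeof outer);
    memcpy(&inner, pkt + INNER_IP, sizeof inner);
    return outer.src == a2n(ROUTER) && outer.dst == a2n(INTERNAL)
        && inner.src == a2n(INTERNAL) && inner.dst == a2n(TARGET)
        && csum(pkt + OUTER_IP, sizeof outer) == 0
        && csum(pkt + INNER_IP, sizeof inner) == 0
        && csum(pkt + ICMP, len - ICMP) == 0;
}

/* Whole sequence on a constructed packet; 1 only if the untranslated error
 * fails the check, translation succeeds once, and the result passes. */
int demo(uint8_t type)
{
    uint8_t pkt[PKT_LEN];
    size_t n = build_icmp_error(pkt, type);
    if (check_translation(pkt, n)) return 0;
    if (nat_icmp_error_in(pkt, n) != 0) return 0;
    if (nat_icmp_error_in(pkt, n) != -1) return 0;   /* already translated */
    return check_translation(pkt, n);
}

int main(void)
{
    printf("time exceeded: %s\n", demo(ICMP_TIMXCEED) ? "ok" : "BAD");
    printf("unreachable:   %s\n", demo(ICMP_UNREACH) ? "ok" : "BAD");
    return 0;
}
```

On a real capture the same check reduces to two tcpdump fields: the outer source of each `icmp time exceeded` or `icmp ... unreachable` packet seen on the internal interface must differ per hop, and only the quoted inner source should carry the internal host's address.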

Message-ID: <20160805023908.51416@relay.ibs.dn.ua>
Date: Fri, 05 Aug 2016 02:39:08 -2100
From: "Zeus Panchenko"
Subject: default to wan1, definite subnet replies to wan2
Organization: I.B.S. LLC
Reply-To: "Zeus Panchenko"
X-Mailer: MH-E 8.3.1; nil; GNU Emacs 24.3.1

greetings,

I have two wan interfaces, wan1 and wan2

wan1 is for default

I have a subnet in my LAN all replies from which I need to direct through
wan2

I hoped to do that with this pf configuration:

  if_service = "vlan1234" # service network
  table const { 10.0.0.0/24 }
  # requests for the service
  rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
  nat log on $if_wan2 from to any -> ($if_wan2)
  ...
  pass in log on $if_video route-to ($if_wan3 $gw_wan3) from to ! keep state

--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)


Message-ID: <20160805030555.53101@relay.ibs.dn.ua>
Date: Fri, 05 Aug 2016 03:05:55 +0300
From: "Zeus Panchenko"
Subject: wan1 as default, wan2 dedicated to a service
Organization: I.B.S. LLC
Reply-To: "Zeus Panchenko"
X-Mailer: MH-E 8.3.1; nil; GNU Emacs 24.3.1

hi,

I need a trivial thing but am wondering where I am wrong ... :(
help please

I have two WAN interfaces: wan1 and wan2
wan1 is the default route interface, wan2 is dedicated to the DVR (video)

I'm trying to direct all output from the DVR to wan2 (here I do not care
where a request to the DVR came from, I want all replies to go out through
wan2)

so, I hoped to do that with this pf.conf

---[ start ]------------------------------------------------------------
if_wan1 = "em0"
if_wan2 = "igb0" # ip address A.B.C.D
gw_wan2 = "E.F.G.H"
if_dvr="vlan123"
table const { 10.0.0.0/24 }
# redirect all requests on wan2 to DVR host1
rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
nat log on $if_wan2 from to any -> ($if_wan2)
...
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from to any keep state
---[ stop ]------------------------------------------------------------

as a result,
I see requests from the world on $if_wan2
I see redirects of the requests, out packets on $if_dvr
I see replies to the requests, in packets on $if_dvr
but I see ($if_wan2)-sourced replies, and I see them on *$if_wan1*

so, as I understand ... route-to works, otherwise replies wouldn't be
from ($if_wan2)

but NATed replies appear on $if_wan1, which is the default route ... so
... how can I have replies go out through $if_wan2? is it a question of
a second routing table?

please, advise

--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)


Message-ID: <20160805030848.53200@relay.ibs.dn.ua>
Date: Fri, 05 Aug 2016 03:08:48 +0300
From: "Zeus Panchenko"
Subject: Re: default to wan1, definite subnet replies to wan2
In-reply-to: Your message of Fri, 05 Aug 2016 02:39:08 -2100 <20160805023908.51416@relay.ibs.dn.ua>
References: <20160805023908.51416@relay.ibs.dn.ua>
Organization: I.B.S. LLC
Reply-To: "Zeus Panchenko"

sorry for the noise, please ignore this incomplete message

Zeus Panchenko wrote:
> greetings,
>
> I have two wan intefaces, wan1 and wan2
>
> wan1 is for default
>
> I have subnet in my LAN all replies from which I need to direct through
> wan2
>
> I hoped to do that with this pf configuration:
>
> if_service = "vlan1234" # service network
> table const { 10.0.0.0/24 }
> # requests for the service
> rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
> nat log on $if_wan2 from to any -> ($if_wan2)
> ...
> pass in log on $if_video route-to ($if_wan3 $gw_wan3) from to ! keep state
>
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 210924] 10.3-STABLE - PF - possible regression in pf.conf set timeout interval
Date: Fri, 05 Aug 2016 02:19:30 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 10.3-STABLE
X-Bugzilla-Keywords: patch, regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: commit-hook@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210924

--- Comment #6 from commit-hook@freebsd.org ---
A commit references this bug:

Author: loos
Date: Fri Aug 5 02:19:03 UTC 2016
New revision: 303760
URL: https://svnweb.freebsd.org/changeset/base/303760

Log:
  Fix a regression in pf.conf while parsing the 'interval' keyword.

  The bug was introduced by r287009.
  PR:            210924
  Submitted by:  kp@
  Sponsored by:  Rubicon Communications (Netgate)
  Pointy hat to: loos

Changes:
  head/sbin/pfctl/parse.y


Subject: Re: wan1 as default, wan2 dedicated to a service
To: freebsd-pf@freebsd.org
References: <20160805030555.53101@relay.ibs.dn.ua>
From: Max
Message-ID: <3b256072-c7a5-8be7-dca0-0faf853e5432@als.nnov.ru>
Date: Fri, 5 Aug 2016 08:42:46 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
In-Reply-To: <20160805030555.53101@relay.ibs.dn.ua>

Hello, Zeus.

Probably you should use

  pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to

or

  pass out log on $if_wan1 route-to ($if_wan2 $gw_wan2) from ($if_wan2)

or both rules.

Please check your state table and routing table.

05.08.2016 3:05, Zeus Panchenko wrote:
> hi,
> I need trivial thing but wondering where am I wrong ... :(
> help please
>
> I have two WAN interfaces: wan1 and wan2
> wan1 is default route interface, wan2 is dedicated for DVR (video)
>
> I'm trying to direct all output from DVR to wan2 (here I do not care of
> where a request to DVR came from, I want all replies to go out trough wan2)
>
> so, I hoped to do that with this pf.config
>
> ---[ start ]------------------------------------------------------------
> if_wan1 = "em0"
> if_wan2 = "igb0" # ip address A.B.C.D
> gw_w#an2 = "E.F.G.H"
> if_dvr="vlan123"
> table const { 10.0.0.0/24 }
> # redirect all requests on wan2 to DVR host1
> rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
> nat log on $if_wan2 from to any -> ($if_wan2)
> ...
> pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from to any keep state
> ---[ stop ]------------------------------------------------------------
>
> as results,
> I see requests from world on $if_wan2
> I see redirects of the requests, out packets on $if_dvr
> I see replies to the requests, in packets on $if_dvr
> but I see ($if_wan2) sourced replies, and I see them on *$if_wan1*
>
> so, as I understand ... route-to works, otherwise replies wouldn't be
> from ($if_wan2)
>
> but nated replies appears on $if_wan1 what is default route ... so
> ... how can I have replies go out through $if_wan2? is it question of
> the second routing table?
>
> please, advise

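Following Max's pointer to reply-to, here is a complete fragment as an added example (not from the thread) of the symmetric-routing pattern that pf.conf(5) describes for reply-to. Interface and address names are the ones from Zeus's post; <dvrnet> is an assumed table name standing in for the one lost from the quoted configuration. The point the original config misses is that the rule that creates the state owns the routing decision for the reply direction. With `rdr pass`, the translation rule itself passes the request and creates the (by default floating) state when it arrives on $if_wan2, so the later `pass in on $if_dvr route-to` rule is never consulted: the DVR's replies match the existing state on entry and then follow the routing table out $if_wan1. Dropping `pass` from the rdr and putting `reply-to` on the filter rule that admits the redirected request attaches the wan2 gateway to that state.

```pf
# Added example, not Zeus's or Max's configuration. Assumed names: <dvrnet>
# for the table, $dvr for the redirected host; interfaces as in the thread.
if_wan1 = "em0"          # default route
if_wan2 = "igb0"         # dedicated to the DVR, address A.B.C.D
gw_wan2 = "E.F.G.H"      # next hop on wan2
if_dvr  = "vlan123"
dvr     = "10.0.0.1"
table <dvrnet> const { 10.0.0.0/24 }

# Weak: 'rdr pass' creates the state and skips the filter rules, so the
# route-to rule below it is never reached for this connection's replies.
#rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> $dvr port 5678
#pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from <dvrnet> to any keep state

# Corrected: translate only, and let a filter rule create the state.
rdr on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> $dvr port 5678
nat on $if_wan2 from <dvrnet> to any -> ($if_wan2)

# Requests that arrived on wan2 get their replies sent back via wan2's
# gateway, whatever the default route says (symmetric routing enforcement).
# Filter rules see the post-rdr destination, hence $dvr port 5678 here.
pass in log on $if_wan2 reply-to ($if_wan2 $gw_wan2) proto { tcp, udp } \
    to $dvr port 5678 keep state

# Connections the DVR opens itself: force them out via wan2 as they enter
# from the DVR vlan; the nat rule above then rewrites their source.
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from <dvrnet> to any keep state
```

To confirm the state carries the routing option, start a request from outside and look at `pfctl -vss` for the 5678 entry, then watch `tcpdump -ni igb0 port 1234` for the reply leaving on wan2; if the reply still shows up on em0, the state was created by a rule other than the reply-to one.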
From: Niklaas Baudet von Gersdorff To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Firewalling jails and lo0 Message-ID: <20160806155411.GA5289@len-t420.klaas> Reply-To: stdin@niklaas.eu Mail-Followup-To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.6.0 (2016-04-01) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2016 15:54:39 -0000

Hi,

In the manual I read the advice to disable the firewall on the loopback interface (`set skip on lo0`). It makes sense to me: Why would I want to firewall traffic on the loopback interface?

I have jails with IPs assigned on lo1. Intentionally I do /not/ `set skip on lo1` because I also want to restrict traffic (in and out) from and to the jails. (In case one of them becomes infiltrated.)

However, today I realised that some connections originating from these jails use the loopback interface lo0. That said, they "circumvent" the firewall I set on lo1. `tcpdump` shows connections on lo0 from and to jails' IPs (especially IPv6s) although these IPs are solely assigned to lo1.

I was quite surprised by that behaviour. So, if I want to isolate the jails and restrict traffic from and to them, will I need to remove skipping on lo0 and block there too?

Any advice and explanation is very much appreciated.
Niklaas From owner-freebsd-pf@freebsd.org Sat Aug 6 16:15:20 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 26DABBB0B59; Sat, 6 Aug 2016 16:15:20 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E3D0312CC; Sat, 6 Aug 2016 16:15:19 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: by mail-it0-x22b.google.com with SMTP id u186so44623054ita.0; Sat, 06 Aug 2016 09:15:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-transfer-encoding; bh=qCDhhAGGUSjvEGITF78spxp0IWR6fQoLVuuSpjuaMQw=; b=aR17PTC0frMbXxeR91PvWIy3VIphdDbYlx1bcVYa2MIYGdtI5vzE1sPf0ttBs4rPyh 2yx0LB9DUpPHQk+XpT14UzjaWfIZoTA7l6lOO7wx7QmH67gpX/q5nKOPCim0C3PBAryt kLeqcPXyi1ZChdn086EZaLF+O2Z195sRWiK1DP6bjQzNkEqNzinQsHkKEO9KPIHvrUP4 Ayk15Zz/yzwo1OlIvssBYk+0tf2M4cMZsgG6aOnPSs4bW3m5B5naFLsv0PB/z0SDivNI EPmPb9W3VgxJjbJyPU0GhZ0qTqKxA9H//DPDbyv680k5C25D/NLGnKypxYWUQ7dtj8mJ J+7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-transfer-encoding; bh=qCDhhAGGUSjvEGITF78spxp0IWR6fQoLVuuSpjuaMQw=; b=GqwSheVKbsXVFo5z2A+oTQyC+eWwYjDTI4WQcd/0uoUfOOlHwau+wRwvEuovWWuQvm tvzRKx8JaLdZ37gdocVJp14726afNEeGs+qA1OA/mqnK1WqgnrPz5G7AS5UKsV76Hta+ A3+FE6A+oOgWVkvMg5eUf4eEyNh+TSqWls2ofr+c2rDEXtH70Dd/raWf2N7c1+VvmuHT BivC/Dokm7266b0g8a+S1M5bWlFBhn1cQcuwR3Cd2p/kHJ3btmLnlm03HqtNGqiaXcMt 
i7no1BdSCVs0xc53jFCLbST4YkDXmQS+35BlsmhPd/AaeZtIG7xWVkD81cRi2Ssi6WFM avVA== X-Gm-Message-State: AEkoouvRQ4dwb+R4iwFZ2Xui4fo6McWQhWwtANO8W7/ro7mKqLlju6chZNJI1HyOdv8uVQ== X-Received: by 10.36.31.149 with SMTP id d143mr10396671itd.87.1470500119146; Sat, 06 Aug 2016 09:15:19 -0700 (PDT) Received: from [10.0.10.3] (cpe-24-165-196-54.neo.res.rr.com. [24.165.196.54]) by smtp.googlemail.com with ESMTPSA id w138sm6283521itc.8.2016.08.06.09.15.18 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 06 Aug 2016 09:15:18 -0700 (PDT) Message-ID: <57A60D1F.80500@gmail.com> Date: Sat, 06 Aug 2016 12:15:27 -0400 
From: Ernie Luzar User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Firewalling jails and lo0 References: <20160806155411.GA5289@len-t420.klaas> In-Reply-To: <20160806155411.GA5289@len-t420.klaas> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2016 16:15:20 -0000

Niklaas Baudet von Gersdorff wrote:
> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`). It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realized that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
>
> I was quite surprised by that behavior. So, if I want to isolate
> the jails and restrict traffic from and to them, will I need to
> remove skipping on lo0 and block there too?
>
> Any advice and explanation is very much appreciated.
>
> Niklaas

This bug report will answer your questions for non-vimage jails.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049 From owner-freebsd-pf@freebsd.org Sat Aug 6 16:24:11 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 565D9BB0DCE; Sat, 6 Aug 2016 16:24:11 +0000 (UTC) (envelope-from stdin@niklaas.eu) Received: from mx.box-hlm-01.niklaas.eu (mx.box-hlm-01.niklaas.eu [IPv6:2a02:2770:15:0:21a:4aff:fe1b:d1ad]) by mx1.freebsd.org (Postfix) with ESMTP id 2776E173A; Sat, 6 Aug 2016 16:24:11 +0000 (UTC) (envelope-from stdin@niklaas.eu) Received: from len-t420.klaas (unknown [IPv6:2a02:908:d722:7b00:224:d7ff:feec:38e0]) by mx.box-hlm-01.niklaas.eu (Postfix) with ESMTPSA id 00A1C2C3592; Sat, 6 Aug 2016 18:23:48 +0200 (CEST) Date: Sat, 6 Aug 2016 18:23:43 +0200 
From: Niklaas Baudet von Gersdorff To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Firewalling jails and lo0 Message-ID: <20160806162343.GE5566@len-t420.klaas> Reply-To: stdin@niklaas.eu Mail-Followup-To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org References: <20160806155411.GA5289@len-t420.klaas> <57A60D1F.80500@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <57A60D1F.80500@gmail.com> User-Agent: Mutt/1.6.0 (2016-04-01) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2016 16:24:11 -0000 Ernie Luzar [2016-08-06 12:15 -0400] : > > This bug report will answer your questions for non-vimage jails. > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049 Thanks a lot. So I stumbled upon a security issue? And the only way to work around this is by using vimage jails? While vimage refers to some virtualisation of the network /within/ the jails? 
Niklaas From owner-freebsd-pf@freebsd.org Sat Aug 6 16:54:51 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E0C3ABB0447; Sat, 6 Aug 2016 16:54:51 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A98D81462; Sat, 6 Aug 2016 16:54:51 +0000 (UTC) (envelope-from luzar722@gmail.com) Received: by mail-io0-x235.google.com with SMTP id m101so325253084ioi.2; Sat, 06 Aug 2016 09:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-transfer-encoding; bh=KwKHLH+GxN02OAAgvbq3a0SH2/p2UZwLyD8Jv5y2EVw=; b=EHewpkmsFYChqKM+5elNRQlGwJJX/H2lAOSrnBfE8U/uyRuHj/4qOsaDqRG6yrzf7J M5UuKS8OHkQYFURoMu1qVZkWObNnOCmjXcWzAxpqRs5/xsRjFX14iyp5W2BCqJE4QodK xugdH3+hHORq0swn+o9TOPOycrYG+zviM0761upRjHwpQgWyHM78o2eREilT02XG2/z/ 2vDsZDNfySqSILUc/vQ4LQcgABKoyPm5PDm0cp5X522dzWvTE7lOxkXWczvyalS3U0E6 pZW7eU66UP45V2Z7M7Msg60x18k5GasFypMbl9xINot16p+36t0TTkecsso0BLZQPKV6 XwBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-transfer-encoding; bh=KwKHLH+GxN02OAAgvbq3a0SH2/p2UZwLyD8Jv5y2EVw=; b=BL9n8zqv+xsBp8BqlXFkwGsu8Fh7N3Tf8Ei/kUyZioS2dgypmXZf4QTskxzDPo3yUd V2waM8GK21jr57AGr8a0uPHDntJUA3XBXC08aUa9SfIpLhV+nNA2DY0mGe5U/fmK6BBy OdDOmohpTGmzI1lxkp+/s+RpSRtXaobVI4svKrqP9PeEEH+Un9bVQ67dc3JeyXdJ3paY eI8Fkqo7VSOIuMi+GwWM0ELg0/e4ZydO3Nta8gOOKzLEFGZjhXVkTsfp7pO930ZCCd2d 
ehigGi6xpfJFWtL73MSicTmlggjh06EvlF6IT1yPMTTJSegn5SlnYNCiV67ltHWIJoYF TyCw== X-Gm-Message-State: AEkooutF5Jfqx3JydBNzk+pmeejf0/dmGh9Rklp81Xt8CkpObAKeRGj1/faUAjG8xf2Y+A== X-Received: by 10.107.128.200 with SMTP id k69mr101869274ioi.65.1470502490872; Sat, 06 Aug 2016 09:54:50 -0700 (PDT) Received: from [10.0.10.3] (cpe-24-165-196-54.neo.res.rr.com. [24.165.196.54]) by smtp.googlemail.com with ESMTPSA id b66sm5974719itd.0.2016.08.06.09.54.49 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 06 Aug 2016 09:54:50 -0700 (PDT) Message-ID: <57A61664.9010100@gmail.com> Date: Sat, 06 Aug 2016 12:55:00 -0400 
From: Ernie Luzar User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org, stdin@niklaas.eu Subject: Re: Firewalling jails and lo0 References: <20160806155411.GA5289@len-t420.klaas> <57A60D1F.80500@gmail.com> <20160806162343.GE5566@len-t420.klaas> In-Reply-To: <20160806162343.GE5566@len-t420.klaas> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2016 16:54:52 -0000

Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-06 12:15 -0400] :
>
>> This bug report will answer your questions for non-vimage jails.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
>
> Thanks a lot. So I stumbled upon a security issue? And the only
> way to work around this is by using vimage jails? While vimage
> refers to some virtualisation of the network /within/ the jails?
>
> Niklaas

That is not the undocumented workaround solution contained in the PR. Vimage jails are not mentioned at all. The loopback problem is isolated to non-vimage jails only.

If your non-vimage jail does not contain an application that uses localhost lo0/127.0.0.x then you don't need to do anything.

If there is an application in your jail that uses lo0/127.0.0.x, then for that jail's jail.conf definition you have to manually activate loopback by adding lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's primary IP address. Then manually change the conf file of all the applications running in that jail to use that lo0 127.0.0.x IP address.

Or an alternative is to add a statement to the host's rc.conf to clone the lo0 interface and then code as above.
This means each jail has a unique loopback ip address. From owner-freebsd-pf@freebsd.org Sat Aug 6 20:02:53 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F51CBB17EA; Sat, 6 Aug 2016 20:02:53 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (bird.sbone.de [46.4.1.90]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 22133152B; Sat, 6 Aug 2016 20:02:51 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id C203525D387C; Sat, 6 Aug 2016 20:02:42 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id B01A4D1F7E4; Sat, 6 Aug 2016 20:02:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id oxKQqsQVS6P2; Sat, 6 Aug 2016 20:02:40 +0000 (UTC) Received: from [10.111.64.116] (unknown [IPv6:fde9:577b:c1a9:4410:500c:ee72:e712:5af8]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id BD7FAD1F7E3; Sat, 6 Aug 2016 20:02:39 +0000 (UTC) 
From: "Bjoern A. Zeeb" To: "Niklaas Baudet von Gersdorff" Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Firewalling jails and lo0 Date: Sat, 06 Aug 2016 20:02:37 +0000 Message-ID: <3C1C4822-17C2-42D9-A9BE-C3549B9B6F25@lists.zabbadoz.net> In-Reply-To: <20160806155411.GA5289@len-t420.klaas> References: <20160806155411.GA5289@len-t420.klaas> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Mailer: MailMate (2.0BETAr6043) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2016 20:02:53 -0000

On 6 Aug 2016, at 15:54, Niklaas Baudet von Gersdorff wrote:
> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`). It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realised that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.

I am curious about this. Can you give me an (obfuscated) example? (if you want in private email)

Are these ::1 connections, link-local addresses (unlikely as they should not be visible to jails), or full IP? And what's the routing table entry in the base system for them?

Also, do these jails have multiple IP addresses per address family, and especially, do they have any IP address assigned to lo0 in them at all?
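The point Bjoern's questions circle around is whether jail traffic really traverses lo0, because every packet pf sees on an interface listed in `set skip on` is passed without touching the ruleset, however strict the rules on lo1 are. The script below is an added example, not code from the thread or from FreeBSD: it reads `tcpdump -nq` lines and prints only the loopback flows whose source or destination falls in a jail prefix, so the list it produces is exactly the traffic that `set skip on lo0` exempts from filtering. The jail prefixes in `JAIL_PREFIXES` and the sample capture are constructed for the example (the thread never states the jails' addresses).

```shell
#!/bin/sh
# Added example (not from the thread): list loopback flows that touch jail
# addresses. With `set skip on lo0` in pf.conf, every flow printed here is
# one that pf never evaluates, whatever rules exist on lo1.
#
# Assumptions (not from the original posts): jail addresses live in the
# prefixes listed in JAIL_PREFIXES; input is tcpdump's one-line quiet
# format ("HH:MM:SS.usec IP src.port > dst.port: proto len").

JAIL_PREFIXES='10.0.0. 2001:db8:1:'

# find_jail_flows: read tcpdump -nq lines on stdin and print "src > dst" for
# every packet whose source or destination begins with a jail prefix.
# Host-only loopback traffic (127.0.0.1 <-> 127.0.0.1, ::1 <-> ::1) is ignored.
find_jail_flows() {
    awk -v prefixes="$JAIL_PREFIXES" '
    BEGIN { n = split(prefixes, pfx, " ") }
    /^[0-9:.]+ IP6? / {
        src = $3
        dst = $5
        sub(/:$/, "", dst)          # tcpdump terminates the destination with ":"
        for (i = 1; i <= n; i++) {
            if (index(src, pfx[i]) == 1 || index(dst, pfx[i]) == 1) {
                print src " > " dst
                break
            }
        }
    }'
}

# count_jail_flows: same input, prints only the number of matching packets,
# convenient for a periodic check that expects "0".
count_jail_flows() {
    find_jail_flows | wc -l | tr -d ' '
}

# Constructed sample capture (not real data) in tcpdump -nq format: one
# host-only IPv4 flow, one jail-to-jail IPv4 flow, one jail-to-host IPv6
# flow and one host-only IPv6 flow.
SAMPLE_CAPTURE='12:00:00.000001 IP 127.0.0.1.22 > 127.0.0.1.50000: tcp 0
12:00:00.000002 IP 10.0.0.1.80 > 10.0.0.2.44444: tcp 0
12:00:00.000003 IP6 2001:db8:1::5.443 > ::1.44445: tcp 0
12:00:00.000004 IP6 ::1.25 > ::1.44446: tcp 0'

# "sh check_lo0.sh live" reads a real capture from stdin:
#     tcpdump -lnqi lo0 | sh check_lo0.sh live
# Any other invocation runs against the constructed sample.
case "${1:-}" in
    live) find_jail_flows ;;
    *)    printf '%s\n' "$SAMPLE_CAPTURE" | find_jail_flows ;;
esac
```

On the sample the script prints the two jail flows (`10.0.0.1.80 > 10.0.0.2.44444` and `2001:db8:1::5.443 > ::1.44445`) and nothing for the host-only ones. If a live run on the host shows jail flows on lo0, the skip is the hole: one way to close it without filtering the host's own loopback traffic is to drop `set skip on lo0` and instead pass only `from 127.0.0.1 to 127.0.0.1` and `inet6 from ::1 to ::1` on lo0 with `quick`, so that packets carrying jail addresses fall through to the same rules that apply on lo1. That replacement ruleset is a suggestion for the reader's own pf.conf, not something the thread proposes.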