From owner-freebsd-pf@FreeBSD.ORG Mon Aug 6 03:10:18 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6BF4616A41A for ; Mon, 6 Aug 2007 03:10:18 +0000 (UTC) (envelope-from reza@mra.co.id)
Received: from mx3.mra.co.id (fw.mra.co.id [202.57.14.4]) by mx1.freebsd.org (Postfix) with ESMTP id B4CB913C458 for ; Mon, 6 Aug 2007 03:10:17 +0000 (UTC) (envelope-from reza@mra.co.id)
Received: from localhost (localhost.mra.co.id [127.0.0.1]) by mx3.mra.co.id (Postfix) with ESMTP id 9127E30FB0 for ; Mon, 6 Aug 2007 09:50:05 +0700 (WIT)
Received: from mx3.mra.co.id ([127.0.0.1]) by localhost (mx3.mra.co.id [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25837-01 for ; Mon, 6 Aug 2007 09:50:05 +0700 (WIT)
Received: from [172.16.13.228] (unknown [172.16.13.228]) by mx3.mra.co.id (Postfix) with ESMTP id 45A3930F9B for ; Mon, 6 Aug 2007 09:50:05 +0700 (WIT)
From: MUhammad Reza
To: freebsd-pf@freebsd.org
Content-Type: text/plain
Date: Mon, 06 Aug 2007 09:42:03 +0700
Message-Id: <1186368123.4982.8.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.6.1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mra.co.id
Subject: binat rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 06 Aug 2007 03:10:18 -0000

Dear all,

I have a problem setting up binat rules on virtual interfaces in pf. The goal is to establish a one-to-one mapping between an internal IP address and an external address.

This is my partial configuration of rc.conf and pf.conf:

rc.conf:

    ifconfig_bge2="inet 202.157.x.1 netmask 255.255.255.224"
    ifconfig_bge2_alias0="inet 202.157.x.2 netmask 255.255.255.255"

pf.conf:

    nat on bge2 from 172.16.0.0/16 to any -> 202.157.x.1
    binat on bge2 from 172.16.0.25 to any -> 202.157.x.2

When these rules are applied, host 172.16.0.25 cannot connect to the internet. Is there something wrong with my configuration? Please enlighten me.

Regards,
Reza

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 6 03:10:31 2007
Delivered-To: freebsd-pf@freebsd.org
From: ^Beastie^
To: freebsd-pf@freebsd.org
Date: Mon, 06 Aug 2007 09:49:19 +0700
Message-Id: <1186368559.4982.12.camel@localhost>
Subject: binat rules

Dear all,

I have a problem setting up binat rules on virtual interfaces in pf. The goal is to establish a one-to-one mapping between an internal IP address and an external address.

This is my partial configuration of rc.conf and pf.conf:

rc.conf:

    ifconfig_bge2="inet 202.157.x.1 netmask 255.255.255.224"
    ifconfig_bge2_alias0="inet 202.157.x.2 netmask 255.255.255.255"

pf.conf:

    nat on bge2 from 172.16.0.0/16 to any -> 202.157.x.1
    binat on bge2 from 172.16.0.25 to any -> 202.157.x.2

When these rules are applied, host 172.16.0.25 cannot connect to the internet. Is there something wrong with my configuration? Please enlighten me.

Regards,
Reza

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 6 11:08:30 2007
Delivered-To: freebsd-pf@FreeBSD.org
Date: Mon, 6 Aug 2007 11:08:28 GMT
Message-Id: <200708061108.l76B8S8A029954@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 06 Aug 2007 11:08:30 -0000

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c

7 problems total.
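Reza's binat question above gets no answer in this archive, so one point is worth making explicit for anyone hitting the same setup: pf consults the three translation rule lists in a fixed order, not in the order they appear in pf.conf. In the classic pf.c (the ruleset syntax FreeBSD used at the time), pf_get_translation() tries binat before nat for outbound packets and rdr before binat for inbound packets, so the fact that 172.16.0.25 also falls inside the nat rule's 172.16.0.0/16 does not by itself explain the lost connectivity; binat wins for that host. The model below, added here as an illustration and not code from pf or from the thread, applies that lookup order to the two rules in the message. It assumes the masked "x" octet is 0 so the addresses parse, ignores the "to any" part of the rules, and leaves out the filter rules, which still see the translated packet afterwards and must pass it.

```python
"""Model of pf's translation-rule lookup, applied to the nat/binat pair from
Reza's message. Added illustration for this archive, not code from pf."""
import ipaddress

# The ruleset from the message, with the masked octet "x" written as 0 so the
# addresses parse (assumption). The "to any" part of the rules and the filter
# rules that follow translation are left out of the model.
RULES = {
    # nat: many-to-one source rewrite, outbound only
    "nat": [
        {"on": "bge2", "src": ipaddress.ip_network("172.16.0.0/16"),
         "to": "202.157.0.1"},
    ],
    # binat: one-to-one; source rewrite outbound, destination rewrite inbound
    "binat": [
        {"on": "bge2", "src": ipaddress.ip_network("172.16.0.25/32"),
         "to": "202.157.0.2"},
    ],
    # rdr: destination rewrite inbound (none in the message)
    "rdr": [],
}


def translate(direction, iface, src, dst, rules=RULES):
    """Return (ruleset, new_src, new_dst); ruleset is None when nothing matches.

    Lookup order follows pf_get_translation() in the classic pf.c:
    outbound packets try binat then nat; inbound packets try rdr then the
    reverse side of binat. First match wins within each list.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out":
        for name in ("binat", "nat"):
            for r in rules[name]:
                if r["on"] == iface and src_ip in r["src"]:
                    return name, r["to"], dst
    elif direction == "in":
        for r in rules["rdr"]:
            if r["on"] == iface and dst_ip == ipaddress.ip_address(r["dst"]):
                return "rdr", src, r["to"]
        for r in rules["binat"]:
            if r["on"] == iface and dst_ip == ipaddress.ip_address(r["to"]):
                # binat is bidirectional: the external address maps back to
                # the single internal host without needing an existing state.
                # Replies to nat'ed sessions, by contrast, are matched by
                # state, not by this rule lookup, so 202.157.0.1 yields None.
                return "binat", src, str(r["src"].network_address)
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return None, src, dst


def table(rules=RULES):
    """Packets that exercise every path; returns a list of (case, result)."""
    cases = [
        ("binat host outbound", "out", "bge2", "172.16.0.25", "198.51.100.7"),
        ("other LAN host outbound", "out", "bge2", "172.16.0.26", "198.51.100.7"),
        ("inbound to binat address", "in", "bge2", "198.51.100.7", "202.157.0.2"),
        ("inbound to nat address", "in", "bge2", "198.51.100.7", "202.157.0.1"),
        ("binat host on other iface", "out", "bge1", "172.16.0.25", "198.51.100.7"),
    ]
    return [(c[0], translate(*c[1:], rules=rules)) for c in cases]


if __name__ == "__main__":
    for case, (ruleset, s, d) in table():
        print(f"{case:28s} -> {ruleset or 'no translation':14s} {s} -> {d}")
```

On the real box the same two questions are answered by pfctl: "pfctl -s nat" prints the translation rules as pf loaded them, and "pfctl -s state" shows, for each state, the addresses before and after translation, which tells you whether 172.16.0.25 is leaving as 202.157.x.2 at all or whether the problem sits later (a filter rule that does not pass the translated packet, or the upstream not delivering traffic for the alias address).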
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 6 18:11:03 2007
Delivered-To: freebsd-pf@freebsd.org
Message-ID: <6e6841490708061110y1be829dbwf17424beb588492e@mail.gmail.com>
Date: Mon, 6 Aug 2007 15:10:59 -0300
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
In-Reply-To: <46B2DB78.7090001@ch-st-julien.fr>
References: <46B2DB78.7090001@ch-st-julien.fr>
Subject: Re: PF and proxytunnel

On 03/08/07, nicolas.cornu wrote:
> Hi,
>
> I'm quite new to the PF experience. I'm trying to set a rule which can
> permit me to log on to my home machine from work by using ssh and
> proxytunnel (http://proxytunnel.sourceforge.net/)
>
> I can't make it work. Each time the firewall is up, my ssh connection is
> broken. I think it's a flag problem but I can't make it work.
>
> So, this is my rule (and I'm blocking everything by default):
>
> " pass in quick log on $ext_if proto tcp from to $ext_if port 443
> flags S/SA keep state "
>
> The thing is, in a forum a guy asked me to try with the flag S/SA but it
> doesn't work. I tried some other flags without any success.
>
> I also got a log of the packets which are blocked:
>
> 16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844
> 16:10:12.437433 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 1:112(111) ack 1 win 32844
> 16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767
> 16:10:12.506673 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967104 win 32767
> 16:10:12.516765 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967200 win 32767
> 16:10:12.524137 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 0 win 32767
> 16:10:12.698154 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:13.086087 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:13.174156 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:13.661987 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:13.761762 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:14.613849 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:14.937784 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:16.317606 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:17.289307 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:17.381429 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:19.309147 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:21.992459 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:22.964584 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
> 16:10:30.075509 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:31.399531 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:32.279624 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
> 16:10:38.278752 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
> 16:10:44.097373 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:10:50.211598 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
> 16:10:50.277124 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
> 16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
> 16:10:54.795329 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
> 16:10:58.119242 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
> 16:14:05.064569 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58951: P 939245923:939246035(112) ack 3848991638 win 32844
>
> I hope someone can help me.
>
> Regards,
>
> Nicolas
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

I think you have a rule like:
block out $ext_if all

Try adding another rule like:
pass out quick log on $ext_if proto tcp from $ext_if port 443 to flags S/SA keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 7 12:43:59 2007
Delivered-To: freebsd-pf@freebsd.org
Message-ID: <46B86904.4080900@ch-st-julien.fr>
Date: Tue, 07 Aug 2007 14:43:48 +0200
From: "nicolas.cornu"
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070608 SeaMonkey/1.1.2
To: Gilberto Villani Brito, freebsd-pf@freebsd.org
References: <46B2DB78.7090001@ch-st-julien.fr> <6e6841490708061110y1be829dbwf17424beb588492e@mail.gmail.com>
In-Reply-To: <6e6841490708061110y1be829dbwf17424beb588492e@mail.gmail.com>
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled version=3.0.3
Subject: Re: PF and proxytunnel

Gilberto Villani Brito wrote:
> On 03/08/07, nicolas.cornu wrote:
>
>> Hi,
>>
>> I'm quite new to the PF experience. I'm trying to set a rule which can
>> permit me to log on to my home machine from work by using ssh and
>> proxytunnel (http://proxytunnel.sourceforge.net/)
>>
>> I can't make it work. Each time the firewall is up, my ssh connection is
>> broken. I think it's a flag problem but I can't make it work.
>>
>> So, this is my rule (and I'm blocking everything by default):
>>
>> " pass in quick log on $ext_if proto tcp from to $ext_if port 443
>> flags S/SA keep state "
>>
>> [...]
>>
>> I hope someone can help me.
>>
>> Regards,
>>
>> Nicolas
>
> I think you have a rule like:
> block out $ext_if all
>
> Try adding another rule like:
> pass out quick log on $ext_if proto tcp from $ext_if port 443 to
> flags S/SA keep state

Thank you. It actually worked, but I replaced the port from 443 to >1024. I thought the "keep state" could permit me to use one rule instead of two...

Nicolas.
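The log Nicolas posted, and the fix that followed, turn on one pf fact that is easy to miss: a rule written with "flags S/SA keep state" creates state from a SYN only. Packets of a connection that was already open when the ruleset was loaded (the FP and P segments from port 443, with no SYN anywhere in the capture) never get a state entry, so they fall through to the default block in both directions, and no "pass ... keep state" rule can rescue them after the fact; the SYNs from ports 58926 and 58951, on the other hand, are new connections that the pass rule did not match at all. The script below is an added example for this archive, not something from the thread or from pf: it parses pflog lines in the tcpdump text format shown above and sorts each blocked flow into those two cases. The sample lines are constructed from the thread's log, with 203.0.113.10 standing in for the home machine and 198.51.100.20 for work (documentation addresses) and the TCP options omitted.

```python
"""Classify pflog "block" lines by flow to show why a stateful pf ruleset
dropped them. Added example for this archive, not code from the thread or pf."""
import re
from collections import defaultdict

# Constructed sample in the text format tcpdump prints for pflog(4) records,
# built from the lines in the thread with 203.0.113.10 standing in for the
# home machine and 198.51.100.20 for work (documentation addresses). TCP
# options are omitted. The last line is deliberately not a pflog record.
SAMPLE_LOG = """\
16:10:12.437424 rule 0/0(match): block out on tun0: 203.0.113.10.443 > 198.51.100.20.58797: FP 0:112(112) ack 1 win 32844
16:10:12.497175 rule 0/0(match): block in on tun0: 198.51.100.20.58797 > 203.0.113.10.443: . ack 4294967056 win 32767
16:10:12.879724 rule 0/0(match): block in on tun0: 198.51.100.20.58797 > 203.0.113.10.443: P 1:49(48) ack 0 win 32767
16:10:29.280630 rule 0/0(match): block in on tun0: 198.51.100.20.58926 > 203.0.113.10.443: S 3840383586:3840383586(0) win 5840
16:10:32.279624 rule 0/0(match): block in on tun0: 198.51.100.20.58926 > 203.0.113.10.443: S 3840383586:3840383586(0) win 5840
16:10:51.796096 rule 0/0(match): block in on tun0: 198.51.100.20.58951 > 203.0.113.10.443: S 3848980265:3848980265(0) win 5840
16:14:05.064569 rule 0/0(match): block out on tun0: 203.0.113.10.443 > 198.51.100.20.58951: P 939245923:939246035(112) ack 3848991638 win 32844
this line is not a pflog record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFPRUEW.]+) "
)


def parse(text):
    """Yield one dict per parseable line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def flow_key(rec):
    """Direction-independent pair of (addr, port) so both halves of a
    connection land in the same bucket."""
    return tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))


def classify(text, service_port=443):
    """Return {flow_key: (verdict, packets, directions)} for blocked flows
    touching service_port.

    'syn_blocked': a SYN was blocked, so no pass rule matched the handshake
                   and state was never created for this flow.
    'no_state':    only non-SYN packets were blocked. A rule with
                   'flags S/SA keep state' creates state from a SYN only,
                   so these fall through to the default block; typical of a
                   connection that was already open when the rules were loaded.
    """
    flows = defaultdict(lambda: {"syn": False, "dirs": set(), "n": 0})
    for rec in parse(text):
        if rec["action"] != "block":
            continue
        f = flows[flow_key(rec)]
        f["n"] += 1
        f["dirs"].add(rec["dir"])
        f["syn"] |= "S" in rec["flags"]
    out = {}
    for key, f in flows.items():
        if service_port not in (key[0][1], key[1][1]):
            continue
        verdict = "syn_blocked" if f["syn"] else "no_state"
        out[key] = (verdict, f["n"], tuple(sorted(f["dirs"])))
    return out


if __name__ == "__main__":
    for (a, b), (verdict, n, dirs) in classify(SAMPLE_LOG).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {verdict:12s} "
              f"{n} blocked ({','.join(dirs)})")
```

Run against a real pflog capture, feed it the output of "tcpdump -n -e -ttt -r /var/log/pflog" (the -e flag adds the "rule N/M(match): block in on ifn:" prefix the regex expects); a flow that shows up as "no_state" is one you cannot fix with a pass rule alone, it has to be re-established after the rules are loaded, while "syn_blocked" points at a pass rule whose interface, address or port did not match the handshake.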
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 8 14:03:01 2007
Delivered-To: freebsd-pf@freebsd.org
Message-ID: <12053439.post@talk.nabble.com>
Date: Wed, 8 Aug 2007 06:44:46 -0700 (PDT)
From: cowbear
To: freebsd-pf@freebsd.org
X-Nabble-From: fcolvin@aol.com
Subject: Inbound/outbound mail rules

I am trying to configure my OpenBSD pf rules to allow incoming and outgoing SMTP traffic to my new Exchange server. I have to admit that I am a newbie to this and have been plunged into the Unix arena with little to no advanced knowledge, so some simple and concise help is greatly appreciated.

Thanks.
Frank

--
View this message in context: http://www.nabble.com/Inbound-outbound-mail-rules-tf4236461.html#a12053439
Sent from the freebsd-pf mailing list archive at Nabble.com.
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 8 14:39:06 2007
Delivered-To: freebsd-pf@freebsd.org
Message-ID: <46B9D1BB.2010108@techniumcast.com>
Date: Wed, 08 Aug 2007 15:22:51 +0100
From: Rob Shepherd
User-Agent: Thunderbird 2.0.0.6 (X11/20070802)
To: freebsd-pf@freebsd.org
Subject: ALTQ suspends

Dear pf users,

I have an installation of FreeBSD, using PF/ALTQ for bandwidth limitation.

I can't find any documentation or manpage reference to "suspends". I haven't the skill to delve into the source code, so could somebody clarify the following.

I assume 'suspends' are the occurrences of when a queue has reached its allotted amount of data per time period. And how long is this time period?

Cheers
Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 8 14:54:44 2007
Delivered-To: freebsd-pf@freebsd.org
Date: Wed, 8 Aug 2007 16:54:43 +0200
From: Daniel Hartmeier
To: Rob Shepherd
Message-ID: <20070808145443.GB25512@insomnia.benzedrine.cx>
References: <46B9D1BB.2010108@techniumcast.com>
In-Reply-To: <46B9D1BB.2010108@techniumcast.com>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: ALTQ suspends

On Wed, Aug 08, 2007 at 03:22:51PM +0100, Rob Shepherd wrote:

> I can't find any documentation or manpage reference to "suspends". I
> haven't the skill to delve into the source code, so could somebody
> clarify the following.

I assume you mean what pfctl -vsq prints for CBQ queues as "suspends:".

As far as I can tell, that counter is not used (yet?) at all, and should always be zero. What is printed is the 'delays' variable from the CBQ status counters, which is defined as

  sys/altq/altq_cbq.h

	u_int		delays;		/* # times invoked delay actions */

But it's never used (incremented, etc.) anywhere that I can see.

So, just ignore it ;)

Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 9 12:09:26 2007
Delivered-To: freebsd-pf@freebsd.org
To: freebsd-pf@freebsd.org
References: <12053439.post@talk.nabble.com>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Thu, 09 Aug 2007 14:09:23 +0200
In-Reply-To: <12053439.post@talk.nabble.com> (cowbear's message of "Wed, 8 Aug 2007 06:44:46 -0700 (PDT)")
Message-ID: <87hcn8hpu4.fsf@thingy.datadok.no>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
Subject: Re: Inbound/outbound mail rules

cowbear writes:

> I am trying to configure my OpenBSD pf rules to allow incoming and outgoing
> SMTP traffic to my new Exchange server.

As long as it speaks SMTP, you simply write pass rules to let 'port smtp' pass from your mail server and to it. You probably want to set up your pf to use spamd to wash the incoming a bit first, though.

> I have to admit that I am a newbie to this and have been plunged into the
> Unix arena with little to no advanced knowledge so some simple and concise
> help is greatly appreciated.

For PF, it's possible that my tutorial at could be useful. (Expect some updates for EuroBSDCon. Yes, it's on.)

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 10 02:33:47 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97ABC16A41A for ; Fri, 10 Aug 2007 02:33:47 +0000 (UTC) (envelope-from reed@reedmedia.net)
Received: from ca.pugetsoundtechnology.com (ca.pugetsoundtechnology.com [38.99.2.247]) by mx1.freebsd.org (Postfix) with ESMTP id 86B8D13C469 for ; Fri, 10 Aug 2007 02:33:47 +0000 (UTC) (envelope-from reed@reedmedia.net)
Received: from pool-71-170-114-32.dllstx.fios.verizon.net ([71.170.114.32] helo=reedmedia.net) by ca.pugetsoundtechnology.com with esmtpa (Exim 4.54) id 1IJJeE-0006rK-2f for freebsd-pf@freebsd.org; Thu, 09 Aug 2007 18:50:42 -0700
Received: from reed@reedmedia.net by reedmedia.net with local (mailout 0.17) id 2692-1186710637; Thu, 09 Aug 2007 20:50:37 -0500
Date: Thu, 9 Aug 2007 20:50:37 -0500 (CDT)
From: "Jeremy C. Reed"
To: freebsd-pf@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: do you use spamd with sync?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Aug 2007 02:33:47 -0000

(Maybe I should post this to the freebsdspamd berlios list instead??)

If you use spamd, can you please check your logs for errors like:

        zgrep -E "bogus entry|can't delete|scan.*failed" /var/log/messages.*z

(If that is where you log to.)

I have many errors and I can't track down why or what is corrupted.

One interesting result is that it will attempt to whitelist the same entry tens of thousands of times in less than one minute. And my CPU load will go high. And my spamd memory usage goes up ten times. I have moved my spamd databases out of the way around 20 times. But new corruption continues.
I have been running spamd for over a year now.

I am thinking it might be related to my sync usage ...

Do any of you use the -Y and -y options?

I only use it with unicast.

So my -Y is a hostname. So sync_addhost is successful (and my debugging shows the "added spam sync host" line), so sync_iface stays NULL.

And sync_init() is run with that as NULL. The code does:

        if (iface != NULL)
                sendmcast++;

So I am not multicast. Good.

But then the code resets it:

        if (iface == NULL)
                iface = baddr;

And then:

        /* Don't use multicast messages */
        if (iface == NULL)
                return (syncfd);

(I added fprintf(stderr debugging to verify this.)

So it doesn't return even though I am not using multicast, which it attempts to set up.

So I added a return (syncfd); anyways, since it wouldn't work without it.

I am guessing that I am the only person in the world using it with unicast. I have asked about this a couple of times on the OpenBSD tech list, but no feedback on that there.

Maybe the unicast method is broken? I'd appreciate hearing anyone's experiences with using this.

I have been using it since sync existed -- maybe around February.

Jeremy C. Reed

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 10 10:01:55 2007
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A16716A41A for ; Fri, 10 Aug 2007 10:01:55 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id B2F8713C4DE for ; Fri, 10 Aug 2007 10:01:54 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: (qmail 1519 invoked by uid 0); 10 Aug 2007 09:35:13 -0000
Received: from 213.61.170.34 by www006.gmx.net with HTTP; Fri, 10 Aug 2007 11:35:08 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 10 Aug 2007 11:35:08 +0200
From: "Olli Hauer"
In-Reply-To:
Message-ID: <20070810093508.280560@gmx.net>
MIME-Version: 1.0
References:
To: "Jeremy C. Reed" , freebsd-pf@freebsd.org
X-Authenticated: #1956535
X-Flags: 0001
X-Mailer: WWW-Mail 6100 (Global Message Exchange)
X-Priority: 3
X-Provags-ID: V01U2FsdGVkX19iMOsem9Ji8BvDiIEhoQGf5l5K3Bmq7W/5ku1ojU APKWo52/FRll7FgWQmP3+jtYh5eSdqTBZfuw==
Content-Transfer-Encoding: 8bit
X-GMX-UID: N1XUC6MMbHIhVMXiJDQ0KAsiJihyapDP
Cc:
Subject: Re: do you use spamd with sync?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Aug 2007 10:01:55 -0000

-------- Original Message --------
Date: Thu, 9 Aug 2007 20:50:37 -0500 (CDT)
From: "Jeremy C. Reed"
To: freebsd-pf@freebsd.org
Subject: do you use spamd with sync?

> (Maybe I should post this to the freebsdspamd berlios list instead??)
>
> If you use spamd, can you please check your logs for errors like:
>
>         zgrep -E "bogus entry|can't delete|scan.*failed" /var/log/messages.*z
>
> (If that is where you log to.)
>
> I have many errors and I can't track down why or what is corrupted.
>
> One interesting result is that it will attempt to whitelist the same entry
> tens of thousands of times in less than one minute. And my CPU load will
> go high. And my spamd memory usage goes up ten times. I have moved my
> spamd databases out of the way around 20 times. But new corruption
> continues. I have been running spamd for over a year now.
>
> I am thinking it might be related to my sync usage ...
>
> Do any of you use the -Y and -y options?
>
> I only use it with unicast.
>
> So my -Y is a hostname. So sync_addhost is successful (and my debugging
> shows the "added spam sync host" line), so sync_iface stays NULL.
>
> And sync_init() is run with that as NULL. The code does:
>
>         if (iface != NULL)
>                 sendmcast++;
>
> So I am not multicast. Good.
>
> But then the code resets it:
>
>         if (iface == NULL)
>                 iface = baddr;
>
> And then:
>
>         /* Don't use multicast messages */
>         if (iface == NULL)
>                 return (syncfd);
>
> (I added fprintf(stderr debugging to verify this.)
>
> So it doesn't return even though I am not using multicast, which it
> attempts to set up.
>
> So I added a return (syncfd); anyways, since it wouldn't work without it.
>
> I am guessing that I am the only person in the world using it with
> unicast. I have asked about this a couple of times on the OpenBSD tech list,
> but no feedback on that there.
>
> Maybe the unicast method is broken? I'd appreciate hearing anyone's
> experiences with using this.
>
> I have been using it since sync existed -- maybe around February.
>
> Jeremy C. Reed

Hi Jeremy,

I read about your issues at tech@openbsd; no issues here with sync (even between OpenBSD/FreeBSD servers).

# my entries from rc.conf.local
#################################################
# spamd + spamlogd
obspamd_hostname="-h mx.mydomain.tld"
obspamd_banner="-n \"Postfix-spamd IP-based SPAM blocker\""
obspamd_trapp_ip="-M 192.168.1.23"
obspamd_sync_ip="-y 192.168.1.20"
obspamd_sync_peer="-Y 192.168.1.10 -Y 192.168.1.30"
obspamd_enable="YES"
obspamd_flags="-5 -v -l127.0.0.1 -S10 -s10 -G 15:6:864 ${obspamd_hostname} ${obspamd_banner} ${obspamd_trapp_ip} ${obspamd_sync_ip} ${obspamd_sync_peer}"
obspamlogd_enable="YES"
obspamlogd_flags="-i fxp0 ${obspamd_sync_peer}"

The patch for spamdb PR 5475 is also in the freebsd port.
http://svn.berlios.de/viewcvs/freebsdspamd/trunk/spamdb/spamdb.c?rev=50&view=log

olli
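The sync_init() control flow Jeremy traces (and Olli quotes above), as an added example that belongs to neither message and is not spamd's sync.c: a C model in which the socket calls and the multicast group join are replaced by flags in a struct, so the unicast-only case (-Y peers, no multicast interface) can be stepped through and compared with a variant that returns early. The identifiers iface, baddr, sendmcast and the "Don't use multicast messages" comment are taken from the message; the struct, the function names, the "fixed" variant, and the sample -y address (192.168.1.20, borrowed from Olli's rc.conf.local) are this example's own assumptions, and the fix it shows is one way to express the early return, not the change actually made to spamd.

```c
/*
 * Added example, not spamd's sync.c: a model of the sync_init() control
 * flow described in the message above.  Socket creation, the multicast
 * group join and the returned descriptor are replaced by flags in a struct
 * so the two code paths can be compared.  Names taken from the message:
 * iface, baddr, sendmcast and the "Don't use multicast messages" comment.
 * Everything else (the struct, the function names, the fixed variant and
 * the sample -y address 192.168.1.20 from Olli's rc.conf.local) is assumed.
 */
#include <stdio.h>

enum sync_mode { SYNC_UNICAST = 1, SYNC_MULTICAST = 2 };

struct sync_state {
	int sendmcast;          /* bumped only when a multicast interface was given */
	int mcast_setup;        /* 1 if execution reached the multicast setup */
	enum sync_mode mode;
};

/*
 * Flow as reported: the early-return test looks at iface after it has
 * been overwritten with baddr, so with -y set and no multicast interface
 * the function never returns early and runs the multicast setup anyway.
 */
struct sync_state
sync_init_reported(const char *iface, const char *baddr)
{
	struct sync_state st = { 0, 0, SYNC_UNICAST };

	if (iface != NULL)
		st.sendmcast++;

	if (iface == NULL)
		iface = baddr;          /* the -y address now stands in for iface */

	/* Don't use multicast messages */
	if (iface == NULL)
		return (st);            /* daemon: return (syncfd); */

	/* setsockopt()/IP_ADD_MEMBERSHIP would follow in the daemon */
	st.mcast_setup = 1;
	st.mode = SYNC_MULTICAST;
	return (st);
}

/*
 * One way to write the early return the message says was needed: decide
 * on sendmcast, which still reflects the original iface argument, rather
 * than on iface after the substitution.  This is the example's own fix,
 * not the change applied to spamd.
 */
struct sync_state
sync_init_fixed(const char *iface, const char *baddr)
{
	struct sync_state st = { 0, 0, SYNC_UNICAST };

	if (iface != NULL)
		st.sendmcast++;

	if (iface == NULL)
		iface = baddr;          /* kept to mirror the original flow */

	/* Don't use multicast messages unless a multicast interface was requested */
	if (!st.sendmcast)
		return (st);

	st.mcast_setup = 1;
	st.mode = SYNC_MULTICAST;
	return (st);
}

static const char *
mode_name(enum sync_mode m)
{
	return (m == SYNC_MULTICAST ? "multicast" : "unicast");
}

int
main(void)
{
	/* constructed inputs: the three -y/-Y combinations discussed in the thread */
	static const struct { const char *iface, *baddr; } cases[] = {
		{ NULL,   NULL },            /* -Y peers only */
		{ NULL,   "192.168.1.20" },  /* -y address plus -Y peers */
		{ "fxp0", NULL },            /* multicast interface requested */
	};
	size_t i;

	printf("%-6s %-13s %-9s %-9s %s\n", "iface", "baddr", "reported", "fixed", "sendmcast");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct sync_state a = sync_init_reported(cases[i].iface, cases[i].baddr);
		struct sync_state b = sync_init_fixed(cases[i].iface, cases[i].baddr);

		printf("%-6s %-13s %-9s %-9s %d\n",
		    cases[i].iface ? cases[i].iface : "(none)",
		    cases[i].baddr ? cases[i].baddr : "(none)",
		    mode_name(a.mode), mode_name(b.mode), a.sendmcast);
	}
	return (0);
}
```

Built with cc -Wall and run, it prints one row per combination. The middle row (no interface, -y given) is the case the message describes: sendmcast stays 0, yet the reported flow still ends up in the multicast setup, while the variant that tests sendmcast returns before it. Whether a -y value that is an IP address rather than an interface name changes the real daemon's behaviour is not something this model can tell you; it only reproduces the three statements quoted from the source.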