From owner-freebsd-pf@FreeBSD.ORG Sun May 25 08:39:54 2008
From: "Ighighi Ighighi"
Date: Mon, 26 May 2008 03:44:19 +1930
To: freebsd-pf@freebsd.org
Subject: blackhole in PF possible?
blackhole(4) is hardly a feature if it applies to loopback interfaces as
well. Its intended functionality ("to slow down anyone who is port
scanning a system", according to the manpage) also slows down internal
services because those TCP RST's and ICMP Port Unreachable's are never
seen.

Is there a way to get the same functionality in PF so I can restrict
those packets to external interfaces?

Thanks in advance,
Igh.

From owner-freebsd-pf@FreeBSD.ORG Sun May 25 08:49:35 2008
From: Xin LI
Organization: The FreeBSD Project
Date: Sun, 25 May 2008 01:49:15 -0700
To: Ighighi Ighighi
Cc: freebsd-pf@freebsd.org
Subject: Re: blackhole in PF possible?

Ighighi Ighighi wrote:
| blackhole(4) is hardly a feature if it applies to loopback interfaces
| as well. Its intended functionality
| ("to slow down anyone who is port scanning a system", according to the
| manpage) also slows down
| internal services because those TCP RST's and ICMP Port Unreachable's
| are never seen.
|
| Is there a way to get the same functionality in PF so I can restrict
| those packets to external interfaces?
|
| Thanks in advance,

skip on lo0?
--
** Help China's quake relief at http://www.redcross.org.cn/
Xin LI            http://www.delphij.net/
FreeBSD - The Power to Serve!

From owner-freebsd-pf@FreeBSD.ORG Sun May 25 14:07:32 2008
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Sun, 25 May 2008 16:07:29 +0200
To: freebsd-pf@freebsd.org
Subject: Re: blackhole in PF possible?

"Ighighi Ighighi" writes:

> Is there a way to get the same functionality in PF so I can restrict
> those packets to external interfaces?
block drop in on $ext_ifs all

or something like that would have some of the desired effect. not sure
how much it actually buys you, but it's quite similar to blackhole.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From owner-freebsd-pf@FreeBSD.ORG Sun May 25 14:24:49 2008
From: "James Seward"
Date: Sun, 25 May 2008 15:00:09 +0100
To: "Ighighi Ighighi"
Cc: freebsd-pf@freebsd.org
Subject: Re: blackhole in PF possible?

On Sun, May 25, 2008 at 9:14 AM, Ighighi Ighighi wrote:
> blackhole(4) is hardly a feature if it applies to loopback interfaces
> as well. Its intended functionality
> ("to slow down anyone who is port scanning a system", according to the
> manpage) also slows down
> internal services because those TCP RST's and ICMP Port Unreachable's
> are never seen.
>
> Is there a way to get the same functionality in PF so I can restrict
> those packets to external interfaces?

Have a look at "set block-policy" and "block return" in the man page for
pf.conf.
/JMS

From owner-freebsd-pf@FreeBSD.ORG Sun May 25 18:44:26 2008
From: Oleksandr Samoylyk
Date: Sun, 25 May 2008 21:44:08 +0300
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Strange messages in dmesg

Ermal Luçi wrote:
> 2008/4/16 Oleksandr Samoylyk :
>> Dear freebsd-pf subscribers,
>>
>> What can such messages from system message buffer mean?
>>
>> [scrambled kernel output, repeated]
>>
>> The system is:
>> > uname -a
>> FreeBSD xxxx.yyyyyyy.zzz 7.0-STABLE FreeBSD 7.0-STABLE #0: Thu Apr 10
>> 13:38:24 EEST 2008 root@xxxx.yyyyyyy.zzz:/usr/obj/usr/src/sys/PF i386
>>
>> Any tip-off? :)
>
> It is just a message telling that pf_get_mtag function could not
> allocate a tag for PF and without that pf checking is skipped iirc.
>
> Why it happens it is not easily findable with this information.

Is this also pf-related errors:

May 25 20:41:01 router kernel: [scrambled kernel output, repeated]

?

Thank you!
--
Oleksandr Samoylyk
OVS-RIPE

From owner-freebsd-pf@FreeBSD.ORG Sun May 25 19:54:10 2008
From: Jeremy Chadwick
Date: Sun, 25 May 2008 12:54:10 -0700
To: Oleksandr Samoylyk
Cc: freebsd-pf@freebsd.org, Ermal Luçi
Subject: Re: Strange messages in dmesg

On Sun, May 25, 2008 at 09:44:08PM +0300, Oleksandr Samoylyk wrote:
> Ermal Luçi wrote:
>> 2008/4/16 Oleksandr Samoylyk :
>>> Dear freebsd-pf subscribers,
>>>
>>> What can such messages from system message buffer mean?
>>>
>>> ULLpf
>>> _tepsft_:t epsft_:g eptf__mgteatg_ mrteatgu rrneetdu rNnUeLdL N
>>> ULLpf_

If you're referring to the two strings being intermixed, yes, this is a
known problem.
I have it documented, as well as a workaround, on my Wiki; see
"Scrambled or garbled kernel output":

http://wiki.freebsd.org/JeremyChadwick/Commonly_reported_issues

With regards to the errors from pf: no idea.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 01:46:27 2008
From: "John ."
Date: Mon, 26 May 2008 02:20:45 +0100
To: freebsd-pf@freebsd.org
Subject: auto-blackholing/blacklisting on multiple hacking attempts

Hi,

I'm running freebsd 7-RELEASE

I see this, for example, in my auth log:

May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30

I'd like it to be so that if an IP tries to connect to sshd more than
once in a 30 second period, that they are immediately blackholed.
Should I be using pf for this or would it be done better in some other
utility?

cheers

--
John

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 02:24:48 2008
From: Jeremy Chadwick
Date: Sun, 25 May 2008 19:24:48 -0700
To: "John ."
Cc: freebsd-pf@freebsd.org
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

On Mon, May 26, 2008 at 02:20:45AM +0100, John .
wrote:
> I see this, for example, in my auth log:
>
> May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
>
> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?

ports/security/sshguard-pf
ports/security/blocksshd

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 02:51:47 2008
From: linimon@FreeBSD.org
Date: Mon, 26 May 2008 02:51:47 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled
Old Synopsis: tcpdump does not see outgoing RST when pf is enabled
New Synopsis: [pf] tcpdump(1) does not see outgoing RST when pf is enabled

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon May 26 02:50:58 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=123965

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 02:54:24 2008
From: Lyndon Nerenberg
To: "John ."
Date: Sun, 25 May 2008 19:19:06 -0700
Cc: freebsd-pf@freebsd.org
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

>
> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?

/usr/ports/security/bruteforceblocker.

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 07:05:29 2008
From: Elliott Perrin
To: "John ."
Date: Mon, 26 May 2008 03:04:10 -0400
Cc: freebsd-pf@freebsd.org
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

On Mon, 2008-05-26 at 02:20 +0100, John . wrote:
> Hi,
>
> I'm running freebsd 7-RELEASE
>
> I see this, for example, in my auth log:
>
> May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
> May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
> May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
> May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
> May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
> May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
> May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
> May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
> May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
> May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
> May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
> May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
> May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
> May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
> May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
> May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
> May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
> May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
> May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
> May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
> May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
> May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
> May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30
>
> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?
>

In pf you could write a rule like

pass in quick on $ext_if proto tcp from any to $some_ip_address port 22 \
    flags S/SAFR keep state \
    (max-src-conn 1, max-src-conn-rate 1/30, overload <ssh_hacks> flush global)

you would have to have setup a table named <ssh_hacks> in your
configuration and assign values to both $ext_if and $some_ip_address or
replace them with whatever values work for you.

This rule would track connections allowing a maximum of 1 connection per
source IP address and would allow 1 connection to be initiated every 31
seconds or longer, otherwise it would add the offending IP address to
the table and flush the global state table of all entries from the same
source IP.

You would have to have a rule in your configuration prior to this rule
that would block traffic from source IP addresses in the ssh_hacks
table. Depending on your policies this could be a block of all services
or just ssh. Personally I use a rule like

block drop log quick from <ssh_hacks>

but

block drop log in quick proto tcp from <ssh_hacks> to any port 22

would block ssh traffic from the offending IP to just ssh services on
your network.

Beware that you can lock yourself out of your servers very quickly with
this if you do not have another rule allowing yourself access to your
machines setup earlier in your configuration.
Cheers,
~e

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 09:51:10 2008
Date: Mon, 26 May 2008 10:51:07 +0100
From: "John ."
To: freebsd-pf@freebsd.org
In-Reply-To: <1211785451.91794.19.camel@kensho.c7.ca>
References: <1211785451.91794.19.camel@kensho.c7.ca>
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

Thanks everybody for their suggestions! As always, more than one way of doing this ;)

--
John

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 11:06:53 2008
Date: Mon, 26 May 2008 11:06:52 GMT
Message-Id: <200805261106.m4QB6qUE064986@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf

5 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/118355  pf    [pf] [patch] pfctl help message options order false -t
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/123965  pf    [pf] tcpdump(1) does not see outgoing RST when pf is e

10 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 26 14:20:28 2008
From: "Ansar Mohammed"
To: "'Jeremy Chadwick'"
Cc: freebsd-pf@freebsd.org
References: <002d01c8bba7$96128db0$c237a910$@com> <20080522042936.GA24418@eos.sc1.parodius.com>
Date: Mon, 26 May 2008 10:20:23 -0400
Message-ID: <065801c8bf3b$a4334be0$ec99e3a0$@com>
Subject: SOLVED: ALTQ and bandwidth limiting

So the problem was that I was running in VMware and the default adapter that vmware configures for the VM is le (AMD PCnet). The le driver did not return the negotiated connection speed when I ran ifconfig. I switched the vm config over to an em (Intel gig) emulation and ifconfig returned the right connection speed. altq now works great.

> -----Original Message-----
> From: Ansar Mohammed [mailto:ansarm@gmail.com]
> Sent: May 22, 2008 2:20 AM
> To: 'Jeremy Chadwick'
> Cc: 'freebsd-pf@freebsd.org'
> Subject: RE: ALTQ and bandwidth limiting
>
> Ok, I got a bit further. I compiled in ALTQ and I am using Class Based
> Queueing.
>
> Here is a snippet of my pf.conf
>
>
> altq on le1 cbq bandwidth 100Mb queue { std, cifs, http }
>
> queue std bandwidth 88.5Mb cbq(default)
> queue cifs bandwidth 1500Kb cbq
> queue http bandwidth 1Mb cbq
>
>
> Here is the problem, no matter what value I set for the CBQ Queue, it's
> at least 1/4 of the actual configured maximum. So I configured http for
> 1Mb, the max throughput I get is 288Mb. Can anyone explain why?
>
>
> > -----Original Message-----
> > From: Jeremy Chadwick [mailto:koitsu@FreeBSD.org]
> > Sent: May 22, 2008 12:30 AM
> > To: Ansar Mohammed
> > Cc: freebsd-pf@freebsd.org
> > Subject: Re: ALTQ and bandwidth limiting
> >
> > On Wed, May 21, 2008 at 09:02:59PM -0400, Ansar Mohammed wrote:
> > > Hello All,
> > >
> > > Is there a way using PF and ALTQ that I can set a policy to restrict
> > > a particular host to a maximum network speed?
> > >
> > > I would like to simulate low speed connection using pf.
> >
> > I believe ipfw dummynet has the capability you're looking for. See
> > the ipfw manpage, section "TRAFFIC SHAPER".
> >
> > --
> > | Jeremy Chadwick                                 jdc at parodius.com |
> > | Parodius Networking                       http://www.parodius.com/ |
> > | UNIX Systems Administrator                  Mountain View, CA, USA |
> > | Making life hard for others since 1977.              PGP: 4BD6C0CB |

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 14:30:05 2008
Date: Mon, 26 May 2008 14:30:04 GMT
Message-Id: <200805261430.m4QEU4HI083906@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier
Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled

The following reply was made to PR kern/123965; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, kian.mohageri@gmail.com
Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled
Date: Mon, 26 May 2008 16:21:18 +0200

This has been fixed with rev. 1.193 of sys/net/bpf.c or 1.181.2.2 in RELENG_7. See below for details.

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bpf.c#rev1.181.2.2

--
Max

From owner-freebsd-pf@FreeBSD.ORG Mon May 26 16:31:42 2008
To: freebsd-pf@freebsd.org
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Mon, 26 May 2008 18:31:39 +0200
In-Reply-To: (John .'s message of "Mon, 26 May 2008 02:20:45 +0100")
Message-ID: <87mymdm3h0.fsf@thingy.bsdly.net>
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

"John ." writes:

> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?

PF offers a very flexible mechanism for that, via state tracking options. See eg http://home.nuug.no/~peter/pf/en/bruteforce.html for a walkthrough.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
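The two replies above (Elliott's rule with `max-src-conn-rate 1/30` and `overload <ssh_hacks> flush global`, and Peter's pointer to pf's state-tracking options) describe what pf does in the kernel state table. The script below is an added example, not code from either poster or from the pf project: it re-implements the rate threshold in Python as a sliding window over sshd log lines of the shape John posted, so you can see at which attempt a source would be moved into the table, and it shows what the overload action amounts to as `pfctl` invocations. The `<ssh_hacks>` table name, the `$ext_if`/`$some_ip_address` macros and the `flags S/SAFR` rule come from the thread; the interface name `fxp0`, the host address `192.0.2.1`, the 2008 year for the syslog timestamps and the two extra source addresses in the sample log are placeholders constructed for the example. pf counts new connections per source itself; this model exists only to make the threshold arithmetic visible.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in the shape of the sshd lines quoted in the thread.
# The first source is the one from John's log; 192.0.2.10 (a single successful
# login) and 198.51.100.7 (a single failure) are documentation addresses added
# here so the sliding window has quiet sources to ignore.
SAMPLE_AUTH_LOG = """\
May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
May 15 02:05:00 www sshd[9300]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
May 15 02:05:10 www sshd[9302]: Invalid user test from 198.51.100.7
"""

# pf.conf fragment in the shape Elliott described: the table must exist, and the
# block rule must come before the pass rule that feeds it (both are "quick").
# fxp0 and 192.0.2.1 are placeholders; the table name is the one from the thread.
PF_RULES = """\
ext_if = "fxp0"
some_ip_address = "192.0.2.1"
table <ssh_hacks> persist

block drop log in quick proto tcp from <ssh_hacks> to any port 22
pass in quick on $ext_if proto tcp from any to $some_ip_address port 22 \\
    flags S/SAFR keep state (max-src-conn 1, max-src-conn-rate 1/30, \\
    overload <ssh_hacks> flush global)
"""

SYSLOG_YEAR = 2008  # syslog lines carry no year; assumed for the sample above

# Timestamp, then any sshd message that names a peer with "from <ipv4>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r".*\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_sshd_lines(text):
    """Yield (timestamp, source_ip) for each sshd line that names a peer."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_overloads(text, limit=1, seconds=30):
    """Model 'max-src-conn-rate limit/seconds': a source trips the rule when more
    than `limit` new connections fall inside any window `seconds` long.
    Returns {ip: timestamp string of the connection that tripped it}."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, ip in parse_sshd_lines(text):
        window = recent[ip]
        # Drop connections that have slid out of the window. Modelling choice:
        # a connection exactly `seconds` old no longer counts.
        while window and (ts - window[0]).total_seconds() >= seconds:
            window.popleft()
        window.append(ts)
        if len(window) > limit and ip not in tripped:
            tripped[ip] = ts.strftime("%b %d %H:%M:%S")
    return tripped


def pfctl_commands(tripped, table="ssh_hacks"):
    """What 'overload <table> flush global' amounts to, as pfctl(8) calls:
    add the source to the table, then kill every state originating from it."""
    cmds = []
    for ip in sorted(tripped):
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


if __name__ == "__main__":
    hits = find_overloads(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} would be overloaded at {when}")
    print("\n".join(pfctl_commands(hits)))
    print(PF_RULES)
```

With the thread's `1/30` setting the sample source trips the rule on its second attempt, two seconds after the first; with a more forgiving `3/30` it trips on the fourth. Entries added by `overload` stay in the table until removed, so a periodic `pfctl -t ssh_hacks -T expire 86400` from cron keeps it from growing without bound, and, as Elliott warns, a pass rule for your own management addresses has to sit before the block rule.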
From owner-freebsd-pf@FreeBSD.ORG Mon May 26 18:40:04 2008
Date: Mon, 26 May 2008 18:40:03 GMT
Message-Id: <200805261840.m4QIe3M5003719@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Kian Mohageri
Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled

The following reply was made to PR kern/123965; it has been noted by GNATS.

From: Kian Mohageri
To: bug-followup@FreeBSD.org, kian.mohageri@gmail.com
Subject: Re: kern/123965: [pf] tcpdump(1) does not see outgoing RST when pf is enabled
Date: Mon, 26 May 2008 11:10:21 -0700

Cool, should have searched more thoroughly. Thanks!
From owner-freebsd-pf@FreeBSD.ORG Mon May 26 21:11:35 2008
Date: Mon, 26 May 2008 22:44:54 +0200
From: "Olli Hauer"
In-Reply-To: <1211785451.91794.19.camel@kensho.c7.ca>
Message-ID: <20080526204454.97610@gmx.net>
References: <1211785451.91794.19.camel@kensho.c7.ca>
To: elliott@c7.ca, comp.john@googlemail.com
Cc: freebsd-pf@freebsd.org
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts

> > Hi,
> >
> > I'm running freebsd 7-RELEASE
> >
> > I see this, for example, in my auth log:
> >
> > May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
> > May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
...
> > May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
> > May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
> > May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30
> >
> > I'd like it to be so that if an IP tries to connect to sshd more than
> > once in a 30 second period, that they are immediately blackholed.
> > Should I be using pf for this or would it be done better in some other
> > utility?
> >
>
> In pf you could write a rule like
>
> pass in quick on $ext_if proto tcp from any to $some_ip_address port 22
> flags S/SAFR keep state (max-src-conn 1, max-src-conn-rate 1/30,
> overload <ssh_hacks> flush global)
>
> you would have to have setup a table named <ssh_hacks> in your
> configuration and assign values to both $ext_if and $some_ip_address or
> replace them with whatever values work for you.
>
> This rule would track connections allowing a maximum of 1 connection per
> source IP address and would allow 1 connection to be initiated every 31
> seconds or longer, otherwise it would add the offending IP address to
> the <ssh_hacks> table and flush the global state table of all entries
> from the same source IP.
>
> You would have to have a rule in your configuration prior to this rule
> that would block traffic from source IP addresses in the ssh_hacks
> table. Depending on your policies this could be a block of all services
> or just ssh. Personally I use a rule like
>
> block drop log quick from <ssh_hacks>
>
> but
>
> block drop log in quick proto tcp from <ssh_hacks> to any port 22
>
> would block ssh traffic from the offending IP to just ssh services on
> your network.
>
> Beware that you can lock yourself out of your servers very quickly with
> this if you do not have another rule allowing yourself access to your
> machines setup earlier in your configuration.
>

I have a nice script for my OpenBSD machines available; with some small changes it will work also on FreeBSD.

The script makes use of a special table, dumps and compares the addresses with a run some minutes ago (cron job), and reports the IPs per mail with the help of GeoIP. These reports make it easy to block big network ranges where you don't expect to travel ...

You can get the script here:
http://sorry.mine.nu/scripts/pftable_to_file.sh.txt

ps: In the directory is also an actual bf_ssh dump from one of my machines

regards,
olli

From owner-freebsd-pf@FreeBSD.ORG Tue May 27 07:22:33 2008
Message-ID: <483BB699.4040608@interactive-net.de>
Date: Tue, 27 May 2008 09:22:01 +0200
From: Reinhard Haller
To: freebsd-pf@freebsd.org
References: <48333B05.9090203@interactive-net.de> <20080521084000.GC5072@verio.net>
In-Reply-To: <20080521084000.GC5072@verio.net>
Subject: Re: NAT problem with pppoe

Hi David,

David DeSimone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Reinhard Haller wrote:
>
>> Sending HUP to ppp doesn't eliminate the problem, pfctl -d/-e and a
>> restart of the internal server solve it.
>>
>
> I suggest that your ppp "if_down" script make use of the "pfctl -k"
> command to kill state entries that have to do with the IP that is being
> removed.
>

16:45 linkdown: pfctl -k 88.217.34.98
16:45 linkup: myaddr=82.135.87.233
16:48 dns-request with 88.217.34.98 as source address to 212.18.0.5

Our DNS queries from internal servers are still sent with the old dynamic address as source address, whereas a local dig on the pf-box uses the new dynamic address.

Any suggestions where to search?
Thanks
Reinhard

From owner-freebsd-pf@FreeBSD.ORG Wed May 28 13:33:53 2008
Message-ID: <483D5BB9.40900@lgkap.com>
Date: Wed, 28 May 2008 09:18:49 -0400
From: user
To: freebsd-pf@freebsd.org
Subject: PF occasionally "losing" packets

Hey Everyone,

I seem to have a problem with PF "losing" packets. With PF enabled (7.0-RELEASE) allowed traffic will sometimes get through but more often will not. More specifically, from the logs I can see packets passed into the internal interface, but they often do not trigger the outbound rule even though I allow everything out.
pass out quick log all
pass in quick log on fxp1 proto {tcp,udp} from X.33.195/24 to X.33.10.20 port 53 keep state

Sometimes BIND requests will get through and I can see both in/out rule trigger and get logged. More often, I see the following in the logs when the nslookup fails:

4. 835454 rule 21/0(match): pass in on fxp1: X.33.195.244.45453 > X.33.10.20.53: [|domain]
242279 rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > X.33.10.20.53: [|domain]
3. 756975 rule 21/0(match): pass in on fxp1: X.33.195.244.45455 > X.33.10.20.53: [|domain]
242070 rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > X.33.10.20.53: [|domain]
7. 756284 rule 21/0(match): pass in on fxp1: X.33.195.244.45456 > X.33.10.20.53: [|domain]

Even though the packets are allowed in, they often never get to the outbound interface. Note that this is not limited to bind requests. I see the same thing with ssh, ping, etc. I've checked the routing table, interfaces, etc.... I can't seem to pinpoint the cause. Has anyone seen this inconsistency?

Thanks in advance for any help.
Louis

From owner-freebsd-pf@FreeBSD.ORG Wed May 28 16:54:39 2008
Date: Wed, 28 May 2008 11:28:39 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20080528162839.GA8700@verio.net>
References: <483D5BB9.40900@lgkap.com>
In-Reply-To: <483D5BB9.40900@lgkap.com>
Subject: Re: PF occasionally "losing" packets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

user wrote:
>
> I seem to have a problem with PF "losing" packets. With PF enabled
> (7.0-RELEASE) allowed traffic will sometimes get through but more
> often will not.

Are you certain that the packets are not passing, or are they simply not being logged? You appear to be assuming that every packet that passes will be logged via pflog(4).
> pass out quick log all
> pass in quick log on fxp1 proto {tcp,udp} from X.33.195/24 to X.33.10.20 port 53 keep state

Both of your rules specify that state be established ("keep state" is now explicit in 7.0). Packet logging is only performed when the rulebase is matched; once that is done, state is established and packets matching that state are passed without being logged.

The only way to be sure you are losing traffic is by running tcpdump on both the internal and external interface, and comparing traffic.

- --
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you."
--Lawyer Bot 6000

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFIPYg3FSrKRjX5eCoRAhoAAKCgj9IB0LY4Iu3AHrXTZPoF+2ramQCfWeV8
tjLhYkVQ3Tq4FlbnJatf5A0=
=wg8t
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Thu May 29 06:13:44 2008
From: gerryw@compvia.com
Date: Sun, 25 May 2008 22:18:22 -0500
Subject: Misc PF +ALTQ questions

Hello All,

I have been looking at the possibility of doing a project to create a C API library for PF + ALTQ and possibly a higher level C++ API.
I am new to these components and fairly new to FreeBSD. I have been looking at the man pages and various other docs on the topic. It would seem I can glean most of the ioctl info from the pfctl source. However, I have a few questions that I haven't been able to find answers to. I apologize if these have been answered before and I have missed them.

1. Most of the examples I've seen are oriented towards a home or small office user with a DSL or cable Internet connection. My focus is more in the ISP area. I want to support the ability to hard limit bandwidth by IP and/or MAC address. I have read somewhere that MAC addresses can be used as a source, but this can only be done in bridge mode. Is this correct?

2. I can see how a queue could be created for each IP address and the traffic from that IP sent to the appropriate queue. This would result in quite a few queues when done for an entire /24 subnet. Is there a better way to do this? I have also read somewhere that table lookups are pretty fast. Is there a way to take advantage of this fact where bandwidth limiting is concerned?

3. Would I be better off using one of the existing queueing disciplines as an example and writing some code specifically designed to do what I'm wanting to do?

4. Is there any good info on the bandwidth usage statistics provided by PF + ALTQ? I would like to do as much through the ioctl interface as possible.

5. I am also looking for a way to enumerate the IPs and MACs that are being seen by a particular interface. Again, I would like to do as much through the ioctl interface as possible. The pflog component is not really a possibility because my application will be for embedded use.

Comment: I must say I am very impressed with the fact that the ioctl interface is actually provided and documented to some degree. I am really enjoying the fact that there seems to be much more doc in general in this area than for Linux. Many thanks to the folks that took the time to do this work.

Thanks in advance,
-G
