From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 08:06:03 2008
From: "Vitaliy Vladimirovich"
To: freebsd-pf@freebsd.org
Date: Mon, 29 Sep 2008 10:42:39 +0300
Subject: Break connection
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello, guys.

I use PF on my FreeBSD firewall and have one question about PF. When a user downloads some big file, such as an .AVI, and the download speed is slow, the connection breaks. Which parameters of the global timeouts should be changed to solve the problem?

Thanks!
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 11:06:55 2008
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 29 Sep 2008 11:06:54 GMT
Message-Id: <200809291106.m8TB6s1D040883@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf     [pf] deadlock in pf
o kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/82271   pf     [pf] cbq scheduler cause bad latency

22 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 21:56:53 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Robert Watson
Date: Mon, 29 Sep 2008 23:56:51 +0200
Message-Id: <200809292356.51500.max@love2party.net>
Subject: Fwd: Please test ipfw and pf uid/gid/jail rules

Please help testing. It's been confirmed to work for IPFW, let's make sure pf is in good shape, too. Thanks.

---------- Forwarded Message ----------

Subject: Please test ipfw and pf uid/gid/jail rules
Date: Monday 29 September 2008
From: Robert Watson
To: current@freebsd.org

Dear all:

Although it didn't show up in 8.x testing to date, it turned out there was a serious stability regression in the ipfw uid/gid/jail rule implementation as a result of moving to rwlocks for inpcbinfo and inpcb. I think I've corrected the sources of the problem in 8.x and 7.x now, but it would be very helpful if people who use ipfw and pf could do some extra testing of these rules with invariants and witness enabled to see if we can't shake out any remaining problems.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge
-------------------------------------------------------

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 22:02:04 2008
From: Robert Watson
To: Max Laier
Date: Mon, 29 Sep 2008 23:02:04 +0100 (BST)
In-Reply-To: <200809292356.51500.max@love2party.net>
Cc:
freebsd-pf@freebsd.org
Subject: Re: Fwd: Please test ipfw and pf uid/gid/jail rules

On Mon, 29 Sep 2008, Max Laier wrote:

> Please help testing. It's been confirmed to work for IPFW, let's make sure
> pf is in good shape, too. Thanks.

A casual glance at pf.c suggests that pf(4) doesn't suffer from the "look up the inpcb even though it's passed down if the socket pointer is NULL" bug that ipfw(4) did, but confirmation that things work properly would definitely be good.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 22:08:38 2008
From: Max Laier
Organization: FreeBSD
To: Robert Watson
Cc: freebsd-pf@freebsd.org
Date: Tue, 30 Sep 2008 00:08:35 +0200
Message-Id: <200809300008.36074.max@love2party.net>
References: <200809292356.51500.max@love2party.net>
Subject: Re: Fwd: Please test ipfw and pf uid/gid/jail rules

On Tuesday 30 September 2008 00:02:04 Robert Watson wrote:
> On Mon, 29 Sep 2008, Max Laier wrote:
> > Please help testing. It's been confirmed to work for IPFW, let's make
> > sure pf is in good shape, too. Thanks.
>
> A casual glance at pf.c suggests that pf(4) doesn't suffer from the "look
> up the inpcb even though it's passed down if the socket pointer is NULL"
> bug that ipfw(4) did, but confirmation that things work properly would
> definitely be good.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127439 looks like it could be related. I think I see what's happening there, but unfortunately I don't have any time to look into it myself at the moment. Might be a while before I get to it so additional eyes are certainly appreciated!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 30 06:15:28 2008
From: Robert Watson
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Tue, 30 Sep 2008 07:15:28 +0100 (BST)
In-Reply-To: <200809300008.36074.max@love2party.net>
References: <200809292356.51500.max@love2party.net> <200809300008.36074.max@love2party.net>
Subject: Re: Fwd: Please test ipfw and pf uid/gid/jail rules

On Tue, 30 Sep 2008,
Max Laier wrote:

> On Tuesday 30 September 2008 00:02:04 Robert Watson wrote:
>> On Mon, 29 Sep 2008, Max Laier wrote:
>>> Please help testing. It's been confirmed to work for IPFW, let's make
>>> sure pf is in good shape, too. Thanks.
>>
>> A casual glance at pf.c suggests that pf(4) doesn't suffer from the "look
>> up the inpcb even though it's passed down if the socket pointer is NULL"
>> bug that ipfw(4) did, but confirmation that things work properly would
>> definitely be good.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=127439 looks like it could be
> related. I think I see what's happening there, but unfortunately I don't
> have any time to look into it myself at the moment. Might be a while before
> I get to it so additional eyes are certainly appreciated!

There are a number of LOR's in this PR; some are harmless. Here's a quick and casual run-down:

1st 0xc0907fcc pf task mtx (pf task mtx) @ /usr/src/sys/contrib/pf/net/pf_ioctl.c:1394
2nd 0xc0973488 ifnet (ifnet) @ /usr/src/sys/net/if.c:1558

I don't know anything about this.

1st 0xc097830c tcp (tcp) @ /usr/src/sys/netinet/tcp_input.c:400
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73

This should be fixed by one of my recent TCP changes -- TCP wasn't passing down the inpcb in a situation where it should have been.

1st 0xc4013d44 udpinp (udpinp) @ /usr/src/sys/netinet/udp_usrreq.c:878
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73

This is the correct order.

1st 0xc423f150 tcpinp (tcpinp) @ /usr/src/sys/netinet/tcp_usrreq.c:472
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73

This is the correct order.

1st 0xc09786cc udp (udp) @ /usr/src/sys/netinet/udp_usrreq.c:395
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73

This is the correct order.

panic: _rw_rlock (tcp): wlock already held @ /usr/src/sys/contrib/pf/net/pf.c:3016
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper(c088cf61,e6846220,c05ae7df,c08b659d,0,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c08b659d,0,c0889c7e,e684622c,0,...) at kdb_backtrace+0x29
panic(c0889c7e,c085a754,c088f55e,c087092d,bc8,...) at panic+0x10f
_rw_rlock(c097830c,c087092d,bc8,c08d9624,c087092d,...) at _rw_rlock+0x73
pf_socket_lookup(2,e68463dc,0,cc4,3,...) at pf_socket_lookup+0x208
pf_test_tcp(e6846444,e6846440,2,c3efee00,c3c8e900,...) at pf_test_tcp+0x142
pf_test6(2,c3d44000,e68464a0,0,0,...) at pf_test6+0x8a0
pf_check6_out(0,e68464a0,c3d44000,2,0,...) at pf_check6_out+0x47
pfil_run_hooks(c097ad00,e6846638,c3d44000,2,0,...) at pfil_run_hooks+0x88
ip6_output(c3c8e900,0,e6846618,0,0,...) at ip6_output+0x122e
pf_send_tcp(c4fcfe00,c41259b4,1c,c4fcfe5c,c4fcfe4c,...) at pf_send_tcp+0x6dd
pf_test_tcp(e68468e8,e68468e4,2,c3f20900,c4fcfe00,...) at pf_test_tcp+0xcef
pf_test6(2,c3f06400,e6846944,0,c446b7bc,...) at pf_test6+0x8a0
pf_check6_out(0,e6846944,c3f06400,2,c446b7bc,...) at pf_check6_out+0x47
pfil_run_hooks(c097ad00,e6846adc,c3f06400,2,c446b7bc,...) at pfil_run_hooks+0x88
ip6_output(c4fcfe00,0,e6846abc,0,0,...) at ip6_output+0x122e
tcp_output(c45553a0,c447e7c0,201,c446b858,c45553a0,...) at tcp_output+0x137e
tcp6_usr_connect(c50cd340,c447e7c0,c4eed690,25,e6846c64,...) at tcp6_usr_connect+0x171
soconnect(c50cd340,c447e7c0,c4eed690,1c,16,...) at soconnect+0x52
kern_connect(c4eed690,3,c447e7c0,c447e7c0,0,...) at kern_connect+0x59
connect(c4eed690,e6846cfc,c,c08a288e,c08d3a50,...) at connect+0x46
syscall(e6846d38) at syscall+0x274

This looks like a recursion bug in pf(4) -- you can't look up sockets in that output context because you're already running in a context where connection locks are held. If it's for the same TCP connection, you need to pass down the inpcb into ip6_output(), but if it's for a different one, you need to run the output code in a deferred context so that it can recurse safely back into the inpcb code.

Robert N M Watson
Computer Laboratory
University of Cambridge
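The WITNESS report and the panic backtrace quoted in Robert Watson's message can be checked mechanically. What follows is an added example, not part of the thread and not FreeBSD code: a small Python parser that takes the LOR lines and the backtrace exactly as quoted above (embedded inline), pairs each "1st"/"2nd" report with its lock class and call site, lists which locks WITNESS saw taken before the pfil hook lock, and flags the frames that appear twice in the backtrace, which is the re-entry through pfil -> pf -> ip6_output that the message describes. All function names are my own.

```python
# Added example (not from the thread or from FreeBSD): parse the WITNESS
# lock-order-reversal (LOR) lines and the panic backtrace quoted above and
# report the re-entry that Robert Watson points at. Function names are mine.
import re
from collections import Counter

# The five LOR pairs exactly as quoted in the message above.
LOR_REPORT = """\
1st 0xc0907fcc pf task mtx (pf task mtx) @ /usr/src/sys/contrib/pf/net/pf_ioctl.c:1394
2nd 0xc0973488 ifnet (ifnet) @ /usr/src/sys/net/if.c:1558
1st 0xc097830c tcp (tcp) @ /usr/src/sys/netinet/tcp_input.c:400
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73
1st 0xc4013d44 udpinp (udpinp) @ /usr/src/sys/netinet/udp_usrreq.c:878
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73
1st 0xc423f150 tcpinp (tcpinp) @ /usr/src/sys/netinet/tcp_usrreq.c:472
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73
1st 0xc09786cc udp (udp) @ /usr/src/sys/netinet/udp_usrreq.c:395
2nd 0xc09775d8 PFil hook read/write mutex (PFil hook read/write mutex) @ /usr/src/sys/net/pfil.c:73
"""

# The panic line and backtrace exactly as quoted in the message above.
PANIC = """\
panic: _rw_rlock (tcp): wlock already held @ /usr/src/sys/contrib/pf/net/pf.c:3016
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper(c088cf61,e6846220,c05ae7df,c08b659d,0,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c08b659d,0,c0889c7e,e684622c,0,...) at kdb_backtrace+0x29
panic(c0889c7e,c085a754,c088f55e,c087092d,bc8,...) at panic+0x10f
_rw_rlock(c097830c,c087092d,bc8,c08d9624,c087092d,...) at _rw_rlock+0x73
pf_socket_lookup(2,e68463dc,0,cc4,3,...) at pf_socket_lookup+0x208
pf_test_tcp(e6846444,e6846440,2,c3efee00,c3c8e900,...) at pf_test_tcp+0x142
pf_test6(2,c3d44000,e68464a0,0,0,...) at pf_test6+0x8a0
pf_check6_out(0,e68464a0,c3d44000,2,0,...) at pf_check6_out+0x47
pfil_run_hooks(c097ad00,e6846638,c3d44000,2,0,...) at pfil_run_hooks+0x88
ip6_output(c3c8e900,0,e6846618,0,0,...) at ip6_output+0x122e
pf_send_tcp(c4fcfe00,c41259b4,1c,c4fcfe5c,c4fcfe4c,...) at pf_send_tcp+0x6dd
pf_test_tcp(e68468e8,e68468e4,2,c3f20900,c4fcfe00,...) at pf_test_tcp+0xcef
pf_test6(2,c3f06400,e6846944,0,c446b7bc,...) at pf_test6+0x8a0
pf_check6_out(0,e6846944,c3f06400,2,c446b7bc,...) at pf_check6_out+0x47
pfil_run_hooks(c097ad00,e6846adc,c3f06400,2,c446b7bc,...) at pfil_run_hooks+0x88
ip6_output(c4fcfe00,0,e6846abc,0,0,...) at ip6_output+0x122e
tcp_output(c45553a0,c447e7c0,201,c446b858,c45553a0,...) at tcp_output+0x137e
tcp6_usr_connect(c50cd340,c447e7c0,c4eed690,25,e6846c64,...) at tcp6_usr_connect+0x171
soconnect(c50cd340,c447e7c0,c4eed690,1c,16,...) at soconnect+0x52
kern_connect(c4eed690,3,c447e7c0,c447e7c0,0,...) at kern_connect+0x59
connect(c4eed690,e6846cfc,c,c08a288e,c08d3a50,...) at connect+0x46
syscall(e6846d38) at syscall+0x274
"""

LOCK_RE = re.compile(r"^(?P<pos>1st|2nd) 0x(?P<addr>[0-9a-f]+) (?P<name>.+?) "
                     r"\((?P<cls>.+?)\) @ (?P<file>\S+):(?P<line>\d+)$")
FRAME_RE = re.compile(r"^(?P<func>\w+)\(.*\) at (?P=func)\+0x[0-9a-f]+$")
PANIC_RE = re.compile(r"^panic: _rw_rlock \((?P<lock>[^)]+)\): wlock already held "
                      r"@ (?P<where>\S+)")


def parse_lors(text):
    """Return (first, second) dicts for each WITNESS '1st ... 2nd ...' pair."""
    pairs, first = [], None
    for line in text.splitlines():
        m = LOCK_RE.match(line)
        if m is None:
            continue
        if m["pos"] == "1st":
            first = m.groupdict()
        elif first is not None:
            pairs.append((first, m.groupdict()))
            first = None
    return pairs


def locks_taken_before(pairs, cls):
    """Lock classes WITNESS saw acquired before `cls` (here: the pfil hook
    lock), mapped to the call site, for comparison with the order the
    maintainers say is correct."""
    return {a["cls"]: f'{a["file"]}:{a["line"]}' for a, b in pairs if b["cls"] == cls}


def parse_frames(text):
    """Function names of the backtrace, innermost first."""
    return [m["func"] for m in map(FRAME_RE.match, text.splitlines()) if m]


def analyse_panic(text):
    """Name the lock that was re-locked, the frames that appear twice (the
    recursion through pfil -> pf -> ip6_output), and the outer call chain
    that already held the lock when pf re-entered the stack."""
    m = PANIC_RE.match(text.splitlines()[0])
    frames = parse_frames(text)
    reentered = sorted(f for f, n in Counter(frames).items() if n > 1)
    outermost = max(i for i, f in enumerate(frames) if f in reentered)
    return {
        "lock": m["lock"],
        "where": m["where"],
        "lookup_frame": "pf_socket_lookup" in frames,
        "reentered": reentered,
        "holder_context": frames[outermost + 1:],
    }
```

For this backtrace the holder context starts at tcp_output, i.e. the lock was taken by the original TCP send and re-requested by pf_socket_lookup inside the nested ip6_output.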
From owner-freebsd-pf@FreeBSD.ORG Tue Sep 30 08:12:15 2008
From: Tom Huppi
To: freebsd-pf@freebsd.org
Date: Tue, 30 Sep 2008 03:45:33 -0400
Message-ID: <20080930074533.GA7549@huppi.com>
Subject: Need best practice advice: carp and /30

I am trying to build a pfsync implementation so that I can work on various hardening and other experiments with minimal downtime, and could use some advice.

I expect to be using the most current FreeBSD codebase with this implementation. Indeed, being able to do so is a driving force behind my project.

My network layout looks like so:

                                -----------------
                          /---  | em0 PF-1 em1  | ---
        --------------    |     |      em2      |   |
  ISP --| special vlan |--+     -----------------   |
        | cisco 3560   |  |                         |
        --------------    |     -----------------   |
                          \---  |      em2      |   |
                                | em0 PF-2 em1  | ---
                                -----------------

My ISP provides a single IP on a /30. Say 70.187.255.246, and that carries my class-C traffic which is on a different subnet entirely.

A similar solution but with only one PF firewall (also acting as a simple router) has been working well enough over the last 10 months, although I did have certain problems which I have yet to get to the bottom of. Possibly they have something to do with the Cisco which I neglected to mention in my last query to this list since I thought it unimportant at the time.

Anyway, my question relates to what are best-practices vis-a-vis the network of the 'em0' interface. Pretty clearly the carp0 interface is my ISP assigned one, but there is not room in the /30 for other addresses.

My guess is that I should 'invent' a RFC1918 network for the two em0 interfaces, but I certainly don't want this to cause weird problems in the VLAN (I don't anticipate doing any routing in this VLAN, by the way.)

In my googling I found some info about getting 'carpdev' supported and the threads seem to have dried up over a year ago, so I think that it is probably in and working these days(?) Even if so, it still remains unclear to me what is safe and appropriate in my situation.

If anyone has experience with a similar setup and hardware, I would very much appreciate knowing of their experiences. The IOS revision on the Cisco is from about a year ago...don't have it handy, but can get it if it is a factor.

(Also, thank you to all who had input on my last question to the list. I got some feedback from my ISP about it, but it only adds to the mystery. I'll follow-up on that thread when I know more.)
Thanks,

- Tom
--

From owner-freebsd-pf@FreeBSD.ORG Tue Sep 30 14:50:01 2008
From: "Catalin Miclaus"
To: "Tom Huppi"
Date: Tue, 30 Sep 2008 10:44:32 +0100
Message-ID: <3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local>
In-Reply-To: <20080930074533.GA7549@huppi.com>
Subject: RE: Need best practice advice: carp and /30

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Tom Huppi
Sent: Tuesday, September 30, 2008 8:46 AM
To: freebsd-pf@freebsd.org
Subject: Need best practice advice: carp and /30

On the external interface you need to configure at least the default route. Moreover, your ISP will have to configure the same private range on his equipment, which I doubt he will agree to.

The way I see it you have 2 solutions:

1. request a /29 from your ISP
2. use the enhanced image for the 3560 (that will make it a layer 3 device) with a private range to your firewalls and the public range on the ISP link

Best Regards
Catalin Miclaus
ISP-Data Ops.
Starcomms Ltd.
STAR= COMMS PLC reserves the right to monitor all e-mail communications, whethe= r related to the business of STARCOMMS or not, through its internal or ex= ternal networks. From owner-freebsd-pf@FreeBSD.ORG Tue Sep 30 21:12:34 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1CF86106568F for ; Tue, 30 Sep 2008 21:12:34 +0000 (UTC) (envelope-from thuppi@nuumen.pair.com) Received: from nuumen.pair.com (nuumen.pair.com [209.68.1.119]) by mx1.freebsd.org (Postfix) with SMTP id D64698FC29 for ; Tue, 30 Sep 2008 21:12:33 +0000 (UTC) (envelope-from thuppi@nuumen.pair.com) Received: (qmail 55138 invoked by uid 55300); 30 Sep 2008 21:12:32 -0000 Date: Tue, 30 Sep 2008 17:12:32 -0400 From: Tom Huppi To: Catalin Miclaus Message-ID: <20080930211232.GA35980@huppi.com> References: <20080930074533.GA7549@huppi.com> <3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: <3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local> User-Agent: Mutt/1.4.2.2i Cc: freebsd-pf@freebsd.org Subject: Re: Need best practice advice: carp and /30 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2008 21:12:34 -0000 On 10:44 Tue 30 Sep , Catalin Miclaus wrote: > tomh writes: > > I am trying to build a pfsync implementation so that I can > > work on various hardening and other experiments with minimal > > downtime, and could use some advice. > >=20 > > I expect to be using the most current FreeBSD codebase with this > > implementation. 
> > Indeed, being able to do so is a driving force behind my project.
> >
> > My network layout looks like so:
> >
> >                             -----------------
> >                        /-- | em0  PF-1  em1 | ---
> >        --------------    / | em2            |
> > ISP -- | special vlan | --  -----------------
> >        | cisco 3560   |          |
> >        --------------  \    -----------------
> >                        \   | em2            |
> >                         -- | em0  PF-2  em1 | ----
> >                             -----------------
> >
> > My ISP provides a single IP on a /30. Say 70.187.255.246, and that carries my class-C traffic which is on a different subnet entirely.
> >
> > A similar solution but with only one PF firewall (also acting as a simple router) has been working well enough over the last 10 months, although I did have certain problems which I have yet to get to the bottom of. Possibly they have something to do with the Cisco which I neglected to mention in my last query to this list since I thought it unimportant at the time.
> >
> > Anyway, my question relates to what are best practices vis-a-vis the network of the 'em0' interface. Pretty clearly the carp0 interface is my ISP-assigned one, but there is not room in the /30 for other addresses.
> >
> > My guess is that I should 'invent' an RFC1918 network for the two em0 interfaces, but I certainly don't want this to cause weird problems in the VLAN (I don't anticipate doing any routing in this VLAN, by the way.)
> >
> > In my googling I found some info about getting 'carpdev' supported and the threads seem to have dried up over a year ago, so I think that it is probably in and working these days(?) Even if so, it still remains unclear to me what is safe and appropriate in my situation.
> >
> > If anyone has experience with a similar setup and hardware, I would very much appreciate knowing of their experiences. The IOS revision on the Cisco is from about a year ago... don't have it handy, but can get it if it is a factor.
> >
> > (Also, thank you to all who had input on my last question to the list. I got some feedback from my ISP about it, but it only adds to the mystery. I'll follow up on that thread when I know more.)
> >
> > Thanks,
> >
> > - Tom
>
> On the external interface you need to configure at least the default route. Moreover, your ISP will have to configure the same private range on his equipment, which I doubt he will agree to.
>
> The way I see it you have 2 solutions:
>
> 1. request a /29 from your ISP
> 2. use the enhanced image for the 3560 (that will make it a layer 3 device), with a private range towards your firewalls and the public range on the ISP link

Thank you for your suggestions.

The 3560 I have to work with has 'C3560-IPBASE-M' while the one I have currently in production has 'C3560-ADVIPSERVICESK9-M'. I think that both of these IOS versions would do simple VLAN routing. I am very much a novice at this and don't use any VLAN routing at all currently, since I was able to do the simple stuff I needed host-side on my current setup. (I have been planning to abandon that strategy with my new carp implementation and try to do more with VLAN routing, but that is on the 'other side' of the issue I am currently trying to deal with.)

I wonder if it would/could work to have something like:

           ----------       ----------
  ISP --> | 3560     | --> | 3560     | -- em0:pf-1
          | VLAN /30 |     | VLAN /29 | -- em0:pf-2
           ----------       ----------

where I arrange appropriate routing between the two VLANs? Perhaps that is basically what you are suggesting?

I am quite confused about what traffic one would expect to see making it out of the em0 interfaces when carp is active and working. Relatedly, what exactly the default route does in such a scenario. These details don't seem to be broadly described in the documentation I have run across so far.

Thanks again for any thoughts on the matter.

- Tom

> Best Regards
> Catalin Miclaus
> ISP-Data Ops.
> Starcomms Ltd.
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 1 01:35:55 2008
From: "Catalin Miclaus"
To: "Tom Huppi"
Cc: freebsd-pf@freebsd.org
Date: Tue, 30 Sep 2008 23:30:20 +0100
Message-ID: <3A0AA7018522134597ED63B3B794C92A0301B45C@STA-HQ-S001.starcomms.local>
In-Reply-To: <20080930211232.GA35980@huppi.com>
Subject: RE: Need best practice advice: carp and /30
-----Original Message-----
From: Tom Huppi [mailto:tomh@huppi.com]
Sent: Tuesday, September 30, 2008 10:13 PM
To: Catalin Miclaus
Cc: freebsd-pf@freebsd.org
Subject: Re: Need best practice advice: carp and /30

> On 10:44 Tue 30 Sep , Catalin Miclaus wrote:
> > tomh writes:
> > > I am trying to build a pfsync implementation so that I can work on various hardening and other experiments with minimal downtime, and could use some advice.
> > >
> > > I expect to be using the most current FreeBSD codebase with this implementation. Indeed, being able to do so is a driving force behind my project.
> > >
> > > My network layout looks like so:
> > >
> > >                             -----------------
> > >                        /-- | em0  PF-1  em1 | ---
> > >        --------------    / | em2            |
> > > ISP -- | special vlan | --  -----------------
> > >        | cisco 3560   |          |
> > >        --------------  \    -----------------
> > >                        \   | em2            |
> > >                         -- | em0  PF-2  em1 | ----
> > >                             -----------------
> > >
> > > My ISP provides a single IP on a /30. Say 70.187.255.246, and that carries my class-C traffic which is on a different subnet entirely.
> > >
> > > A similar solution but with only one PF firewall (also acting as a simple router) has been working well enough over the last 10 months, although I did have certain problems which I have yet to get to the bottom of. Possibly they have something to do with the Cisco which I neglected to mention in my last query to this list since I thought it unimportant at the time.
> > >
> > > Anyway, my question relates to what are best practices vis-a-vis the network of the 'em0' interface. Pretty clearly the carp0 interface is my ISP-assigned one, but there is not room in the /30 for other addresses.
> > >
> > > My guess is that I should 'invent' an RFC1918 network for the two em0 interfaces, but I certainly don't want this to cause weird problems in the VLAN (I don't anticipate doing any routing in this VLAN, by the way.)
> > >
> > > In my googling I found some info about getting 'carpdev' supported and the threads seem to have dried up over a year ago, so I think that it is probably in and working these days(?) Even if so, it still remains unclear to me what is safe and appropriate in my situation.
> > >
> > > If anyone has experience with a similar setup and hardware, I would very much appreciate knowing of their experiences. The IOS revision on the Cisco is from about a year ago... don't have it handy, but can get it if it is a factor.
> > >
> > > (Also, thank you to all who had input on my last question to the list. I got some feedback from my ISP about it, but it only adds to the mystery. I'll follow up on that thread when I know more.)
> > >
> > > Thanks,
> > >
> > > - Tom
> >
> > On the external interface you need to configure at least the default route. Moreover, your ISP will have to configure the same private range on his equipment, which I doubt he will agree to.
> >
> > The way I see it you have 2 solutions:
> >
> > 1. request a /29 from your ISP
> > 2. use the enhanced image for the 3560 (that will make it a layer 3 device), with a private range towards your firewalls and the public range on the ISP link
>
> Thank you for your suggestions.
>
> The 3560 I have to work with has 'C3560-IPBASE-M' while the one I have currently in production has 'C3560-ADVIPSERVICESK9-M'.

The one in production will also support IP routing.

> I think that both of these IOS versions would do simple VLAN routing. I am very much a novice at this and don't use any VLAN routing at all currently, since I was able to do the simple stuff I needed host-side on my current setup.
> (I have been planning to abandon that strategy with my new carp implementation and try to do more with VLAN routing, but that is on the 'other side' of the issue I am currently trying to deal with.)
>
> I wonder if it would/could work to have something like:
>
>            ----------       ----------
>   ISP --> | 3560     | --> | 3560     | -- em0:pf-1
>           | VLAN /30 |     | VLAN /29 | -- em0:pf-2
>            ----------       ----------

Yes, however, on the ISP interface you don't need any VLAN. Just use 'ip routing' in global config mode and 'no switchport' in interface config mode so that your switch port will become a router port.

> where I arrange appropriate routing between the two VLANs? Perhaps that is basically what you are suggesting?

See above suggestion. Don't forget to point the default route towards your ISP.

> I am quite confused about what traffic one would expect to see making it out of the em0 interfaces when carp is active and working. Relatedly, what exactly the default route does in such a scenario. These details don't seem to be broadly described in the documentation I have run across so far.

The default route routes all traffic for which no specific route exists in the routing table. Aka default gateway, gateway of last resort, etc.

> Thanks again for any thoughts on the matter.
>
> - Tom

Best Regards
Catalin Miclaus
ISP-Data Ops.
Starcomms Ltd.

> > Best Regards
> > Catalin Miclaus
> > ISP-Data Ops.
> > Starcomms Ltd.
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 09:38:29 2008
From: "Redd Vinylene"
To: questions@freebsd.org, jail@freebsd.org, pf@freebsd.org
Date: Fri, 3 Oct 2008 11:11:57 +0200
Subject: Jail, pf and ftpd: Connection refused
Greetings ladies and gentlemen!

Why does the below pf.conf (run from box1) give me "getpeername(control_sock): Transport endpoint is not connected, Socket error (Connection refused) - reconnecting" when trying to log onto box3 via passive FTP? Active FTP gives me "425 Can't build data connection: Connection refused." (box2 and box3 are jails running off box1)

-

root@box1# cat /etc/pf.conf

box1 = "80.203.2.2"
box2 = "80.203.2.3"
box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
ext_if = "rl0"

set block-policy return
set skip on { lo0 }

scrub in

pass out keep state
block in

pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
pass in on $ext_if inet proto icmp from any to any keep state

-

root@box3# cat /etc/inetd.conf

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

-

I hope I've been verbose enough. Thank you!
-- 
http://www.home.no/reddvinylene

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 09:56:11 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: jail@freebsd.org, questions@freebsd.org, pf@freebsd.org
Date: Fri, 3 Oct 2008 11:56:07 +0200
Message-Id: <200810031156.07623.max@love2party.net>
Subject: Re: Jail, pf and ftpd: Connection refused

On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me "getpeername(control_sock): Transport endpoint is not connected, Socket error (Connection refused) - reconnecting" when trying to log onto box3 via passive FTP? Active FTP gives me "425 Can't build data connection: Connection refused." (box2 and box3 are jails running off box1)

See ftp-proxy(8). Note that active works with the ruleset you provided (due to the "pass out keep state" rule), but there is obviously a firewall problem on the client preventing that.

> -
>
> root@box1# cat /etc/pf.conf
>
> box1 = "80.203.2.2"
> box2 = "80.203.2.3"
> box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
> ext_if = "rl0"
>
> set block-policy return
> set skip on { lo0 }
>
> scrub in
>
> pass out keep state
> block in
>
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
> pass in on $ext_if inet proto icmp from any to any keep state
>
> -
>
> root@box3# cat /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 11:38:28 2008
From: Jeremy Chadwick
To: freebsd-pf@freebsd.org
Cc: Bruce Cran, freebsd-stable@freebsd.org
Date: Fri, 3 Oct 2008 04:38:24 -0700
Message-ID: <20081003113824.GA27757@icarus.home.lan>
In-Reply-To: <20081003111703.GA27385@icarus.home.lan>
Subject: Re: pf rules not being loaded during boot on 7.1-PRERELEASE
On Fri, Oct 03, 2008 at 04:17:03AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> > I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE. I rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no rules got loaded during boot, despite pf itself having been enabled:
> >
> > router# pfctl -s rules
> > router# pfctl -e -f /etc/pf.conf
> > pfctl: pf already enabled
> > [connection is closed due to new rules being loaded]
> > router# pfctl -s rules
> > scrub in all fragment reassemble
> > [... lots of rules listed]
> >
> > Has anyone else seen this problem, or have I just missed something that's changed between 7.0 and 7.1 in the way pf works?
>
> I was seeing something similar on my own box which I just upgraded from a 150-day-old RELENG_6 to present RELENG_6. pfctl -s rules output no rules. pfctl -s info showed packet counters, but no interface stats (due to the rules not being loaded, e.g. no loginterface).
>
> kldstat showed pflog.ko and pf.ko loaded.
>
> If I did /etc/rc.d/pf start, the rules would load, and everything starts working as expected.
>
> I rebooted the box and saw the following on serial console, which I'm pretty sure is what's responsible for the breakage:
>
> Enabling pf.
> Oct 3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
> cannot determine interface bandwidth for bge0, specify an absolute bandwidth
> altq not defined on bge0
> altq not defined on bge0
> /conf/ME/pf.conf:52: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:53: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:54: errors in queue definition
> pfctl: Syntax error in config file: pf rules not loaded
> pf enabled

Cross-posting to freebsd-pf (I'm sorry for doing this, but it needs attention from both -pf and -stable).

I've figured out what the problem is. This is not good, and is guaranteed to bite other people. I'd like to believe this is an rc-related problem, but I'm not sure how to fix it.

The problem in my case: the physical interfaces were brought online, but were still technically offline (the switch and NIC PHY were taking some time to negotiate speed and duplex). Boot messages:

bge0: link state changed to DOWN
bge1: link state changed to DOWN
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843 mtu 1500
        options=1b
        inet XXXXXXXXXXX netmask 0xffffff80 broadcast XXXXXXXXXXXXX
        ether 00:30:48:81:fc:8a
        media: Ethernet autoselect (none)
        status: no carrier
bge1: flags=8843 mtu 1500
        options=1b
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXXX
        ether 00:30:48:81:fc:8b
        media: Ethernet autoselect (none)
        status: no carrier

Note that the interfaces are UP, not DOWN. Then the very next thing seen on the console:

Starting pflog.
pflog0: promiscuous mode enabled
Enabling pf.
Oct 3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
cannot determine interface bandwidth for bge0, specify an absolute bandwidth
altq not defined on bge0
altq not defined on bge0
/conf/ME/pf.conf:52: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:53: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:54: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
pf enabled

The error message about "interface bandwidth" is the key here. My ALTQ rules specify "bandwidth" as a percentage, not as a static amount in bits:

altq on $ext_if cbq bandwidth 100% queue { std, blah, blah2 }
queue std bandwidth 95% cbq(default borrow)
queue blah bandwidth 384Kb
queue blah2 bandwidth 384Kb

Since the PHY hadn't negotiated speed, pf was unable to determine what the percentage really mapped to bandwidth/bit-wise.

If at all possible, pf should wait for the interfaces to come up fully (that includes autonegotiation being completed; do we have a framework for this?) before starting.

I changed my rules to use static speeds (100% --> 100Mb, and 95% --> 95Mb), which appear to work, but after the 2nd reboot the speed/duplex had been negotiated by the time pf had started, so I don't know if it truly fixed anything.

I don't know what pf will do if you say "100Mb" for an interface which has no link/speed defined yet. It may behave the same way as shown above; I don't know. This needs some thought and definitely a solution.

Again, note that I'm using RELENG_6, but I've a feeling this might bite RELENG_7 too.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
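As an added illustration of the failure mode described in this message (example code, not from the thread and not part of FreeBSD's rc.d), the POSIX sh functions below parse ifconfig(8) output to distinguish a negotiated link from one still reporting "autoselect (none)" / "no carrier", derive the absolute figure a percentage-based ALTQ "bandwidth" maps to once the speed is known, and poll until the link has negotiated before rules would be loaded. The two ifconfig outputs are constructed samples modelled on the console lines above; the interface name bge0 is taken from the report, and the addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample ifconfig(8) output (not captured from a real host): the
# same bge0 before the PHY has negotiated and after the link came up.
IFCONFIG_NO_CARRIER='bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff80 broadcast 192.0.2.127
        ether 00:00:5e:00:53:01
        media: Ethernet autoselect (none)
        status: no carrier'

IFCONFIG_ACTIVE='bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff80 broadcast 192.0.2.127
        ether 00:00:5e:00:53:01
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active'

# link_negotiated OUTPUT
# Succeeds only when the interface reports "status: active" AND a concrete
# media type, i.e. autonegotiation has finished.  "UP" in the flags word is
# not enough: the report above shows UP interfaces with no carrier.
link_negotiated() {
    printf '%s\n' "$1" | grep -q 'status: active' || return 1
    printf '%s\n' "$1" | grep -q 'media:.*(none)' && return 1
    return 0
}

# link_speed_mbit OUTPUT
# Extract the negotiated speed in Mbit/s from the media line
# (10baseT -> 10, 100baseTX -> 100, 1000baseT -> 1000).  Prints nothing and
# fails while the media is still "(none)", which is the state pf saw at boot.
link_speed_mbit() {
    speed=$(printf '%s\n' "$1" | sed -n 's/.*media:.*(\([0-9]*\)base[A-Za-z]*.*/\1/p')
    [ -n "$speed" ] || return 1
    printf '%s\n' "$speed"
}

# pct_to_bandwidth OUTPUT PCT
# Turn a relative ALTQ bandwidth (95%) into the absolute figure pf needs
# (95Mb) using the negotiated speed.  This is the conversion pfctl cannot
# perform before the PHY has negotiated, hence "cannot determine interface
# bandwidth for bge0, specify an absolute bandwidth".
pct_to_bandwidth() {
    speed=$(link_speed_mbit "$1") || return 1
    printf '%dMb\n' $(( speed * $2 / 100 ))
}

# wait_for_link IF [TIMEOUT_SECONDS]
# Poll the live ifconfig(8) until the link has negotiated, so that a startup
# script can delay "pfctl -f" until percentages are resolvable.  Runs on a
# real host only; the sample strings above do not exercise it.
wait_for_link() {
    ifn=$1; timeout=${2:-30}
    while [ "$timeout" -gt 0 ]; do
        if link_negotiated "$(ifconfig "$ifn" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    echo "wait_for_link: $ifn did not negotiate within the timeout" >&2
    return 1
}
```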
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 12:54:22 2008
From: "Reinhold"
To: freebsd-pf@freebsd.org
Date: Fri, 3 Oct 2008 13:37:35 +0100 (BST)
Message-ID: <56157.217.45.165.129.1223037455.squirrel@www.violetlan.net>
Subject: limiting bandwidth at certain times during the day

Hi

I was asked to limit the amount of bandwidth being used by our openvpn connections during our office hours and then allow full access after hours.
In my current setup I'm using pf to do load balancing over 2 ADSL lines on a FreeBSD 7-STABLE system; I'm using mpd5 for dialing in and establishing the connections with our ISP. I'm in the process of implementing HFSC to see if I can improve our bandwidth usage. I tried PRIQ but ended up losing packets, and the overall performance decreased to a point where I had to disable it.

How can I go about setting up a limit for a certain time period on the amount of bandwidth being used by openvpn?

Thanks
Reinhold

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 14:42:49 2008 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 10E491065687; Fri, 3 Oct 2008 14:42:49 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id DB9688FC13; Fri, 3 Oct 2008 14:42:48 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m93Egmcn086128; Fri, 3 Oct 2008 14:42:48 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m93EgmYn086124; Fri, 3 Oct 2008 14:42:48 GMT (envelope-from linimon) Date: Fri, 3 Oct 2008 14:42:48 GMT Message-Id: <200810031442.m93EgmYn086124@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: conf/127814: [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 14:42:49 -0000 Old
Synopsis: The flush in pf_reload in /etc/rc.d/pf does not work as intended New Synopsis: [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Fri Oct 3 14:42:02 UTC 2008 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=127814 From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 22:06:21 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7BE061065687; Fri, 3 Oct 2008 22:06:21 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from muon.cran.org.uk (muon.cran.org.uk [IPv6:2001:41c8:1:548a::2]) by mx1.freebsd.org (Postfix) with ESMTP id 986B08FC0A; Fri, 3 Oct 2008 22:06:20 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from muon.cran.org.uk (localhost [127.0.0.1]) by muon.cran.org.uk (Postfix) with ESMTP id 429A330126; Fri, 3 Oct 2008 23:06:07 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on muon.cran.org.uk X-Spam-Level: X-Spam-Status: No, score=-2.3 required=8.0 tests=BAYES_00 autolearn=ham version=3.2.3 Received: from tau.draftnet (tau.demon.co.uk [80.177.26.208]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by muon.cran.org.uk (Postfix) with ESMTP; Fri, 3 Oct 2008 23:06:06 +0100 (BST) Date: Fri, 3 Oct 2008 23:05:34 +0100 From: Bruce Cran To: Jeremy Chadwick Message-ID: <20081003230534.60b4c1cb@tau.draftnet> In-Reply-To: <20081003113824.GA27757@icarus.home.lan> References: <48E535D3.8000805@cran.org.uk> <20081003111703.GA27385@icarus.home.lan> <20081003113824.GA27757@icarus.home.lan> X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; amd64-portbld-freebsd7.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: Volker , freebsd-stable@freebsd.org, freebsd-pf@freebsd.org 
Subject: Re: pf rules not being loaded during boot on 7.1-PRERELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 22:06:21 -0000 On Fri, 3 Oct 2008 04:38:24 -0700 Jeremy Chadwick wrote: > I've figured out what the problem is. This is not good, and is > guaranteed to bite other people. I'd like to believe this is an > rc-related problem, but I'm not sure how to fix it. > > The problem in my case: > > The physical interfaces were brought online, but were still > technically offline (the switch and NIC PHY were taking some time to > negotiate speed and duplex). Boot messages: > My box is headless so I didn't see the startup messages until I attached a serial cable. It's a similar problem in my case, but caused because I'm firewalling an ADSL connection which uses PPP, and pf is being enabled before PPP has configured tun0: Setting hostname: router.draftnet. 
vr0: link state changed to DOWN
dc0: link state changed to UP
dc3: link state changed to UP
lo0: flags=8049 metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843 metric 0 mtu 1500
        options=2808
        ether 00:40:63:e3:d1:b7
        inet6 XXXXXXXXXX%vr0 prefixlen 64 tentative scopeid 0x1
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXX
        media: Ethernet autoselect (none)
        status: no carrier
dc0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:80:c8:c9:96:6d
        inet6 XXXXXXXXX%dc0 prefixlen 64 tentative scopeid 0x2
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
        media: Ethernet autoselect (100baseTX )
        status: active
dc3: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:80:c8:c9:96:70
        inet6 XXXXXXXXX%dc3 prefixlen 64 tentative scopeid 0x5
        inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
        media: Ethernet autoselect (100baseTX )
        status: active
Enabling pf.
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
pf enabled
Starting PPP profile: demonLoading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Lodading /lib/libalcias_nbt.so
Load1ing /lib/libalia:s_pptp.so
Loadi ng /lib/libaliasl_skinny.so
Loadiing /lib/libalians_smedia.so
k.
no IP address found for tun0
s
/etc/pf.conf:45t: could not parsae host specificattion
pfctl: Synetax error in con fig file: pf rulces not loaded
ahdd net default: agateway tun0
Adnditional routingg options: IP gateeway=YES.
dadd net ::ffff:0 .0.0.0: gateway t::1
add net ::0o.0.0.0: gateway ::1
net.inet6.iDp6.forwarding: 0O -> 1
net.inet6W.ip6.accept_rtadNv: 0 -> 0

dc2: link state changed to DOWN

The messages following "link state changed to DOWN" indicate that all the interfaces are now properly configured with IP addresses, including the external ADSL tun0 and IPv6 gif0 interfaces.
-- Bruce Cran From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 23:05:42 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 70FB51065686; Fri, 3 Oct 2008 23:05:42 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id EBF6F8FC08; Fri, 3 Oct 2008 23:05:41 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d3d.q.ppp-pool.de [89.53.125.61]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 329C412883F; Sat, 4 Oct 2008 00:40:53 +0200 (CEST) Received: from cesar.sz.vwsoft.com (unknown [192.168.18.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id A1AE72E90F; Sat, 4 Oct 2008 00:39:42 +0200 (CEST) Message-ID: <48E69F6D.5050001@vwsoft.com> Date: Sat, 04 Oct 2008 00:40:45 +0200 From: Volker User-Agent: Thunderbird 2.0.0.17 (X11/20080930) MIME-Version: 1.0 To: Bruce Cran References: <48E535D3.8000805@cran.org.uk> <20081003111703.GA27385@icarus.home.lan> <20081003113824.GA27757@icarus.home.lan> <20081003230534.60b4c1cb@tau.draftnet> In-Reply-To: <20081003230534.60b4c1cb@tau.draftnet> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MailScanner-NULL-Check: 1223678386.31281@pkCxgK+QRMmbd06MSsRjPA X-MailScanner-ID: A1AE72E90F.F1033 X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: Jeremy Chadwick , freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf rules not being loaded during boot on 7.1-PRERELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: 
list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 23:05:42 -0000 On 10/04/08 00:05, Bruce Cran wrote: > On Fri, 3 Oct 2008 04:38:24 -0700 > Jeremy Chadwick wrote: >> I've figured out what the problem is. This is not good, and is >> guaranteed to bite other people. I'd like to believe this is an >> rc-related problem, but I'm not sure how to fix it. >> >> The problem in my case: >> >> The physical interfaces were brought online, but were still >> technically offline (the switch and NIC PHY were taking some time to >> negotiate speed and duplex). Boot messages: >> > > My box is headless so I didn't see the startup messages until I > attached a serial cable. It's a similar problem in my case, but caused > because I'm firewalling an ADSL connection which uses PPP, and pf is > being enabled before PPP has configured tun0: > > Setting hostname: router.draftnet. 
> vr0: link state changed to DOWN > dc0: link state changed to UP > dc3: link state changed to UP > lo0: flags=8049 metric 0 mtu 16384 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 > inet 127.0.0.1 netmask 0xff000000 > vr0: flags=8843 metric 0 mtu > 1500 options=2808 > ether 00:40:63:e3:d1:b7 > inet6 XXXXXXXXXX%vr0 prefixlen 64 tentative > scopeid 0x1 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXX > media: Ethernet autoselect (none) > status: no carrier > dc0: flags=8843 metric 0 mtu > 1500 options=8 > ether 00:80:c8:c9:96:6d > inet6 XXXXXXXXX%dc0 prefixlen 64 tentative > scopeid 0x2 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX > media: Ethernet autoselect (100baseTX ) > status: active > dc3: flags=8843 metric 0 mtu > 1500 options=8 > ether 00:80:c8:c9:96:70 > inet6 XXXXXXXXX%dc3 prefixlen 64 tentative > scopeid 0x5 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX > media: Ethernet autoselect (100baseTX ) > status: active > Enabling pf. > no IP address found for tun0 > /etc/pf.conf:45: could not parse host specification > pfctl: Syntax error in config file: pf rules not loaded > pf enabled > Starting PPP profile: demonLoading /lib/libalias_cuseeme.so > Loading /lib/libalias_ftp.so > Loading /lib/libalias_irc.so > Lodading /lib/libalcias_nbt.so > Load1ing /lib/libalia:s_pptp.so > Loadi ng /lib/libaliasl_skinny.so > Loadiing /lib/libalians_smedia.so > k. > no IP address found for tun0 > s > /etc/pf.conf:45t: could not parsae host specificattion > pfctl: Synetax error in con fig file: pf rulces not loaded > ahdd net default: agateway tun0 > Adnditional routingg options: IP gateeway=YES. 
> dadd net ::ffff:0 .0.0.0: gateway t::1
> add net ::0o.0.0.0: gateway ::1
> net.inet6.iDp6.forwarding: 0O -> 1
> net.inet6W.ip6.accept_rtadNv: 0 -> 0
>
> dc2: link state changed to DOWN
>
> The messages following "link state changed to DOWN" indicate that all
> the interfaces are now properly configured with IP addresses, including
> the external ADSL tun0 and IPv6 gif0 interfaces.
>

Bruce, looking into my crystal ball... ;)

You seem to have a rule like:

pass ... on tun0 from any to tun0 ...

If you change that into:

pass ... on tun0 from any to (tun0) ...

pf will happily parse your rules and activate your firewall even while tun0 does not yet have an IP address. You may also try to use rules naming an interface family instead of a single interface.

Other than that suggestion, I may be able to help you if you send me your rules (private mail is OK for me).

Volker

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 23:23:01 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3BE5E106569B; Fri, 3 Oct 2008 23:23:01 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from muon.cran.org.uk (muon.cran.org.uk [IPv6:2001:41c8:1:548a::2]) by mx1.freebsd.org (Postfix) with ESMTP id CA6278FC1C; Fri, 3 Oct 2008 23:23:00 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from muon.cran.org.uk (localhost [127.0.0.1]) by muon.cran.org.uk (Postfix) with ESMTP id 0266930126; Sat, 4 Oct 2008 00:22:56 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on muon.cran.org.uk X-Spam-Level: X-Spam-Status: No, score=-2.3 required=8.0 tests=BAYES_00 autolearn=ham version=3.2.3 Received: from tau.draftnet (tau.demon.co.uk [80.177.26.208]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by muon.cran.org.uk (Postfix) with ESMTP; Sat, 4 Oct 2008 00:22:56 +0100 (BST) Date: Sat, 4 Oct 2008 00:22:29 +0100 From: Bruce Cran
To: Volker Message-ID: <20081004002229.7089be9c@tau.draftnet> In-Reply-To: <48E69F6D.5050001@vwsoft.com> References: <48E535D3.8000805@cran.org.uk> <20081003111703.GA27385@icarus.home.lan> <20081003113824.GA27757@icarus.home.lan> <20081003230534.60b4c1cb@tau.draftnet> <48E69F6D.5050001@vwsoft.com> X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; amd64-portbld-freebsd7.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: Jeremy Chadwick , freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf rules not being loaded during boot on 7.1-PRERELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 23:23:01 -0000 On Sat, 04 Oct 2008 00:40:45 +0200 Volker wrote: > You seem to have a rule like: > > pass ... on tun0 from any to tun0 ... > > If you change that into: > > pass ... on tun0 from any to (tun0) ... > > pf will happily parse your rules and activate your firewall even while > tun0 does not already have an IP address. You may also try to use > rules naming an interface family instead of a single interface. You're right - I mostly used lines with (tun0) but line 45 didn't have the brackets. I've just added them, rebooted and pf loaded the rules during boot. 
-- Bruce Cran From owner-freebsd-pf@FreeBSD.ORG Fri Oct 3 23:26:07 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 015571065690; Fri, 3 Oct 2008 23:26:07 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id A8EC58FC16; Fri, 3 Oct 2008 23:26:06 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d3d.q.ppp-pool.de [89.53.125.61]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 8AF1412883F; Sat, 4 Oct 2008 01:25:57 +0200 (CEST) Received: from cesar.sz.vwsoft.com (unknown [192.168.18.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 406DC2E90F; Sat, 4 Oct 2008 01:24:46 +0200 (CEST) Message-ID: <48E6A9FD.4060406@vwsoft.com> Date: Sat, 04 Oct 2008 01:25:49 +0200 From: Volker User-Agent: Thunderbird 2.0.0.17 (X11/20080930) MIME-Version: 1.0 To: Bruce Cran References: <48E535D3.8000805@cran.org.uk> <20081003111703.GA27385@icarus.home.lan> <20081003113824.GA27757@icarus.home.lan> <20081003230534.60b4c1cb@tau.draftnet> <48E69F6D.5050001@vwsoft.com> <20081004002229.7089be9c@tau.draftnet> In-Reply-To: <20081004002229.7089be9c@tau.draftnet> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MailScanner-NULL-Check: 1223681090.8577@XbLc3dd+NwLql3FmLiP34w X-MailScanner-ID: 406DC2E90F.C1F5B X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: Jeremy Chadwick , freebsd-stable@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf rules not being loaded during boot on 7.1-PRERELEASE 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 23:26:07 -0000 On 10/04/08 01:22, Bruce Cran wrote: > On Sat, 04 Oct 2008 00:40:45 +0200 > Volker wrote: >> You seem to have a rule like: >> >> pass ... on tun0 from any to tun0 ... >> >> If you change that into: >> >> pass ... on tun0 from any to (tun0) ... >> >> pf will happily parse your rules and activate your firewall even while >> tun0 does not already have an IP address. You may also try to use >> rules naming an interface family instead of a single interface. > > You're right - I mostly used lines with (tun0) but line 45 didn't have > the brackets. I've just added them, rebooted and pf loaded the rules > during boot. > Well, sometimes my crystal ball works ;) From owner-freebsd-pf@FreeBSD.ORG Sat Oct 4 10:24:11 2008 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8C0711065691 for ; Sat, 4 Oct 2008 10:24:11 +0000 (UTC) (envelope-from reddvinylene@gmail.com) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.156]) by mx1.freebsd.org (Postfix) with ESMTP id 15B1E8FC23 for ; Sat, 4 Oct 2008 10:24:10 +0000 (UTC) (envelope-from reddvinylene@gmail.com) Received: by fg-out-1718.google.com with SMTP id l26so1276009fgb.35 for ; Sat, 04 Oct 2008 03:24:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=Rpfn7u4i7E8A8+WFpRIySp8orkSa42k5jPc15q9Ju18=; b=MRN7wZFTYGV/DdMk5/hu6R3AkZRrQSyHliwLpSLPRX/X9RQLh4CmwUdf1dXEM6dAa4 
q3Np83H1SArbKE4pc9Ndpk3jN0p/HrSSefbNjEnuuYpUe/zWg2UPyjEJ/8tm4qFDLxQY 6y3+dtnIFf8iREYKmAq8qLz99yyfaKWk3GI54= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=stR06iLGL+/9QW1uY1Yc5aCjrFEnqNc5nnlvUSc279JQ7TujbYNxLyRVvmsSausqrX nxDAV4+d9iZyzliCrrOIO0WpwhWj2H7SmwfddeoonvjoYGo95YBMciqGD0hX0dKKETST E/QUG9RgMOVTX64sXIKrKNbAvisqVDHqnbNfU= Received: by 10.103.46.9 with SMTP id y9mr1333976muj.107.1223115849726; Sat, 04 Oct 2008 03:24:09 -0700 (PDT) Received: by 10.103.247.7 with HTTP; Sat, 4 Oct 2008 03:24:09 -0700 (PDT) Message-ID: Date: Sat, 4 Oct 2008 12:24:09 +0200 From: "Redd Vinylene" To: "Max Laier" In-Reply-To: <200810031156.07623.max@love2party.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200810031156.07623.max@love2party.net> Cc: jail@freebsd.org, questions@freebsd.org, pf@freebsd.org Subject: Re: Jail, pf and ftpd: Connection refused X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Oct 2008 10:24:11 -0000 On Fri, Oct 3, 2008 at 11:56 AM, Max Laier wrote: > > See ftp-proxy(8). > > Note that active works with the ruleset you provided (due to the "pass out > keep state"-rule), but there is obviously a firewall problem on the client > preventing that. > Are you sure I need ftp-proxy? I opened the datarange 49152:65535 and now I no longer get a connection refused. I seem to be able to list, download, you know the usual stuff. I still get the "getpeername(control_sock): Transport endpoint is not connected" though. 
If I do need ftp-proxy, I take it it's the "FTP Server Protected by an External PF Firewall Running NAT" at http://www.openbsd.org/faq/pf/ftp.html that applies to my setup? I can't quite comprehend the nat/rdr rules in that example, as I ain't really got an int_if. As I stated earlier, I have a FreeBSD server running pf and two jails, and I'm trying to get ftpd running smoothly inside one of those jails. Thank you so much. -- http://www.home.no/reddvinylene From owner-freebsd-pf@FreeBSD.ORG Sat Oct 4 12:51:54 2008 Return-Path: Delivered-To: pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E2A31065697 for ; Sat, 4 Oct 2008 12:51:54 +0000 (UTC) (envelope-from reddvinylene@gmail.com) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.159]) by mx1.freebsd.org (Postfix) with ESMTP id 27D738FC27 for ; Sat, 4 Oct 2008 12:51:53 +0000 (UTC) (envelope-from reddvinylene@gmail.com) Received: by fg-out-1718.google.com with SMTP id l26so1303297fgb.35 for ; Sat, 04 Oct 2008 05:51:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=cFkcfljadRDu0UN73lkelR0atsl45eFUI+l0kLYvYVM=; b=hXSyEJX0QKHuMOJTcU4wg9umZJMjIe2Y+rc3EMeLce3Zp2bu5DoXkp2QmI4zoljKSj FJIq/oKoBbn622iM3hVj5gPY4+7NGc9OWXWKdpiuAWoFTMWQg7KYgPjte4k6/d2PxwAJ /sGDBMU5Ci9XiR58Jxa02LV5SOZRNPoTcH02U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=ngHTukprDZqiuCFFyw36Y6NkEGHfoqhdvjU/JYXp1mXXUGAT3NH3Jb0nTIUyxhMJPy aZ2WGmYVoiRjOVOsAiY8fSLBBh+AmbIGF8fpSWt4yv6TDm5aWtdGbTWAvARrbw9eQ8t6 vHd7Andim9EhOZH077a+iabH1qV8nTR+Piyc0= Received: by 10.103.172.9 with SMTP id 
z9mr1407939muo.122.1223124712000; Sat, 04 Oct 2008 05:51:52 -0700 (PDT) Received: by 10.103.247.7 with HTTP; Sat, 4 Oct 2008 05:51:51 -0700 (PDT) Message-ID: Date: Sat, 4 Oct 2008 14:51:51 +0200 From: "Redd Vinylene" To: "Max Laier" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200810031156.07623.max@love2party.net> Cc: jail@freebsd.org, questions@freebsd.org, pf@freebsd.org Subject: Re: Jail, pf and ftpd: Connection refused X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Oct 2008 12:51:54 -0000 > On Fri, Oct 3, 2008 at 11:56 AM, Max Laier wrote: > > See ftp-proxy(8). > > Note that active works with the ruleset you provided (due to the "pass out > keep state"-rule), but there is obviously a firewall problem on the client > preventing that. > Nevermind, I think the "Transport endpoint is not connected" is most likely due to lftp. Nonetheless, much obliged for the assistance! -- http://www.home.no/reddvinylene
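Returning to the "pf rules not being loaded during boot" thread above: Jeremy Chadwick's ruleset failed because an altq "bandwidth N%" cannot be computed before the PHY has negotiated a speed, and Bruce Cran's failed because "to tun0" makes pfctl resolve the interface address at load time (Volker's fix was the run-time form "(tun0)"). The script below is an added example written for this archive, not code posted by any of the participants or shipped in FreeBSD's rc.d/pf. It lints a ruleset for bare interface names in address positions, parses ifconfig output to decide whether a link has negotiated, and only then runs pfctl. It assumes pfctl(8) and ifconfig(8) are in PATH when run for real; the interface names, file names and sample ifconfig/pf.conf text used in the test are constructed.

```shell
#!/bin/sh
# Added example for the boot-ordering thread above; not code from the list
# or from FreeBSD's rc.d/pf. Two pre-flight checks before "pfctl -f" at boot:
#   1. Jeremy's case: altq "bandwidth N%" needs a negotiated link speed, so
#      refuse to load while an interface still shows "media: ... (none)".
#   2. Bruce's case: "to tun0" makes pfctl resolve the address at load time
#      and fail with "no IP address found"; "(tun0)" defers it to run time.
#      Report rules that name an interface bare in an address position.
# pfctl(8) and ifconfig(8) are assumed to be in PATH when run for real;
# all sample data used with these functions is constructed.

# pf_lint_bare_ifaces FILE
# Print "LINE: TOKEN" for each rule whose from/to/-> target is a bare
# interface name. Heuristic: a lowercase driver name plus unit number
# (tun0, vr0, bge0); a hostname such as "web1" would also be reported.
pf_lint_bare_ifaces() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*(pass|block|match|nat|rdr|binat|antispoof)/ {
            for (i = 1; i < NF; i++) {
                if ($i == "from" || $i == "to" || $i == "->") {
                    t = $(i + 1)
                    if (t ~ /^[a-z]+[0-9]+$/) print NR ": " t
                }
            }
        }' "$1"
}

# iface_link_ready IFCONFIG_OUTPUT
# Succeed only when the ifconfig text shows a negotiated medium and an
# active link. "media: Ethernet autoselect (none)" plus "status: no
# carrier" is what a PHY that has not finished autonegotiation prints.
iface_link_ready() {
    printf '%s\n' "$1" | awk '
        /status:/ { if ($2 == "active") active = 1 }
        /media:/  { if ($0 !~ /\(none\)/) negotiated = 1 }
        END { exit !(active && negotiated) }'
}

# wait_for_link IFACE SECONDS [PROBE]
# Poll PROBE (default: ifconfig) once per second until the link is ready
# or SECONDS have elapsed. PROBE is a parameter so the loop can be tested
# without a real interface.
wait_for_link() {
    iface=$1; limit=$2; probe=${3:-ifconfig}; n=0
    while [ "$n" -lt "$limit" ]; do
        if iface_link_ready "$($probe "$iface" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# pf_preflight RULESET IFACE...
# Warn about load-time interface addresses, wait for every listed
# interface to negotiate, then syntax-check and load the ruleset.
pf_preflight() {
    ruleset=$1; shift
    bare=$(pf_lint_bare_ifaces "$ruleset")
    if [ -n "$bare" ]; then
        printf 'rules that resolve an interface address at load time:\n%s\n' "$bare" >&2
    fi
    for ifn in "$@"; do
        wait_for_link "$ifn" 30 || {
            printf '%s: no negotiated link after 30s, not loading pf rules\n' "$ifn" >&2
            return 1
        }
    done
    pfctl -nf "$ruleset" && pfctl -f "$ruleset"
}

# Only run when invoked explicitly, e.g.:
#   PF_PREFLIGHT_RUN=1 sh pf-preflight.sh /etc/pf.conf tun0 bge0
if [ "${PF_PREFLIGHT_RUN-}" = 1 ]; then
    pf_preflight "$@"
fi
```

The lint only reports; a bare name is legitimate once the interface has an address, and some rulesets want the load-time binding. The wait loop is the part that actually addresses Jeremy's request that pf not start until autonegotiation has finished: it gates pfctl on the "media:"/"status:" lines rather than on the interface merely existing.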