From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 06:08:55 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF40916A41F; Mon, 8 Aug 2005 06:08:55 +0000 (GMT) (envelope-from aalesina@yahoo.com)
Received: from web32615.mail.mud.yahoo.com (web32615.mail.mud.yahoo.com [68.142.207.242]) by mx1.FreeBSD.org (Postfix) with SMTP id 6DFDB43F33; Mon, 8 Aug 2005 06:08:55 +0000 (GMT) (envelope-from aalesina@yahoo.com)
Received: (qmail 97706 invoked by uid 60001); 8 Aug 2005 06:08:54 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=4h3w+HHUjZvm3KcS/vEshARC+qDiU6Q89SnsR/lmp8iieosXx2NnuonkR2pKENt5fHomvbkqmivO+YykkhV1Ijg2oinCKWrd9UOrN59pgmgpUnCXYbam6iyGDSs6rXnOdEI+lGcWyye0tgGWNbseuR5PIaCao8Pp09ax9V8UC4I=
Message-ID: <20050808060854.97704.qmail@web32615.mail.mud.yahoo.com>
Received: from [24.6.214.44] by web32615.mail.mud.yahoo.com via HTTP; Sun, 07 Aug 2005 23:08:54 PDT
Date: Sun, 7 Aug 2005 23:08:54 -0700 (PDT)
From: Alberto Alesina
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: TCP reassembly
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 08 Aug 2005 06:08:56 -0000

I see the following comment in the PF code (pf_norm.c):

    /* I have a dream.... TCP segment reassembly.... */

Is there a plan or work being undertaken to include TCP reassembly capability?

Thanks a lot,
Alberto Alesina
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 11:02:00 2005
Date: Mon, 8 Aug 2005 11:01:58 GMT
Message-Id: <200508081101.j78B1w31006879@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/05/19]  ia64/81284  pf    Unaligned Reference with pf on 5.4/IA64
o [2005/06/15]  kern/82271  pf    [pf] cbq scheduler cause bad latency

2 problems total.
Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/05/04]  kern/80627  pf    pf_test6: kif == NULL ...
o [2005/05/15]  conf/81042  pf    [patch] /etc/pf.os doesn't match FreeBSD

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 11:52:58 2005
Message-ID: <48239d390508080452270c8d10@mail.gmail.com>
Date: Mon, 8 Aug 2005 15:52:55 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
In-Reply-To: <200508060411.05482.max@love2party.net>
Subject: Re: Fwd: pf problems
> What version of FreeBSD are you running?

5.4-RELEASE

> Do you have a SMP/PREEMPTION kernel?

No

> Does setting debug.mpsafenet=0 in loader.conf change the situation? Do you
> have a chance to attach a remote debugger or can you try to break into the
> debugger from the console?

Will try it, thanks for the idea.

Here's a more proper description of the problem:

Hi.

While trying to configure pf on our FreeBSD 5.4 router we have encountered three bugs, one of which is minor, the second is more serious. And worst of all, because of the second bug we have to use a workaround, and that workaround triggers a third bug which is actually critical (because it hangs the device and floods the network). I'll try to explain these bugs briefly. Please advise where to report each of them. We have no idea if they are PF global or FreeBSD specific. We are going to repeat all the scenarios on OpenBSD.

Background: we have two ISP connections and it is the source of all our problems - looks like work in such a mode is not debugged very well in pf.

Setup: Let's say ISP1 gives us the 1.0.0.0/24 block with their gateway at 1.0.0.1. Our router is at 1.0.0.254. Similarly, ISP2 gives us 2.0.0.0/24, their gateway is at 2.0.0.1 and our router is at 2.0.0.254. The ISP2 gateway (2.0.0.1) is our default gateway. We have a DMZ where hosts of both ISP networks live (dmz_net1=1.0.0.128/25 and dmz_net2=2.0.0.128/25).

                        +---------------+
              1.0.0.254 |               |
     -------------------+ ext_if1       |
                        |               |          dmz_net1
                        |        dmz_if +--------
              2.0.0.254 |               |          dmz_net2
     -------------------+ ext_if2       |
                        |               |
                        +---------------+

Note that the firewall rules below are oversimplified to make the rule listing compact.
In our "real" firewall we differentiate between TCP and UDP/ICMP traffic to make sure all outgoing TCP connections use "modulate state" instead of "keep state" etc. Also, the ruleset below is loosened in that it uses "any" where our real ruleset explicitly defines networks. Again, this is only to demonstrate the problem with a minimum amount of rules.

****************************************************
****************** BUG#1 (minor) *******************
****************************************************

When pf blocks an incoming packet with a "block return" rule, it does not return the RST or ICMP packet to the interface from which the original packet came but always uses the default gateway instead. This way, if we have the default gateway set to ISP2's 2.0.0.1 and a packet destined to 1.0.0.254 comes from the ISP1 interface (ext_if1) and this packet gets blocked with "block return", the TCP RST packet with source address 1.0.0.254 will be sent through the 2.0.0.1 gateway. Obviously, ISP2 drops packets whose source does not belong to their network, so basically "block return" does not work at all.
****************************************************
****************** Bug#2 (severe) ******************
****************************************************

ruleset:
#########################################################

# nat outgoing connections on each internet interface
nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)

# default deny silently
block drop all

# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if from any to $dmz_if keep state

pass quick on lo0

# Classify traffic from DMZ
# Allow all outgoing connections from DMZ

pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2

# Allow gateway to route between different networks on the DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ

# Reroute OUT traffic appropriately
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state

# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state

#########################################################

Note that the route-to rules should re-route all the traffic to the proper interface regardless of the default gateway specified.

What happens with such rules:
* When a host from dmz_net1 sends packets to the internet and the default gateway is ISP1's, everything works fine and no translation is performed.
* When we change the default gateway to ISP2, a very interesting thing happens: the packet from the dmz_net1 host leaves ext_if1 BUT it gets translated like it should leave ext_if2!

I do not understand this one completely.
****************************************************
***************** Bug#3 (critical) *****************
****************************************************

Because route-to for "out" rules did not work well, we decided to add the redirection for "in" rules, so we added

pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state

right before the "pass out quick" rules. Everything started working right and it worked fine for some time, but then the firewall died (the machine does not respond to the keyboard and the only way to bring it back to life was to bounce power). After rebooting the situation repeated - the router was working well for 2 to 10 minutes and then unexpectedly froze.

We discovered that the problem was caused by a broadcast UDP packet coming in on dmz_if and destined to 255.255.255.255. Later we discovered that this situation is triggered by any packet for which both conditions are true:
1. destination MAC is broadcast
2. destination IP is none of the router's directly connected networks

Any such packet kills the router. Actually, the router is not completely dead - it sends that damn packet over and over at huge speed to the outer interface.

Even if I'm doing something completely wrong, the router should NOT hang that way.

No idea if these bugs are PF's or they are FreeBSD specific.
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 12:29:36 2005
Message-ID: <42F7502C.4070003@tirloni.org>
Date: Mon, 08 Aug 2005 09:29:32 -0300
From: "Giovanni P. Tirloni"
To: Sergey Lapin
Cc: pf@freebsd.org
In-Reply-To: <48239d390508080452270c8d10@mail.gmail.com>
Subject: Re: Fwd: pf problems

Sergey Lapin wrote:
> When pf blocks incoming packet with "block return" rule, it does not
> return RST or ICMP packet to the interface from which original packet
> came from but always use default gateway instead.
> This way if we have
> default gateway set to ISP2's 2.0.0.1 and packet destined to 1.0.0.254
> comes from ISP1 interface (ext_if1) and this packet gets blocked with
> "block return", the TCP RST packet with source address 1.0.0.254 will
> be sent through 2.0.0.1 gateway. Obviously, ISP2 drops packets which
> source does not belong to their network so basically "block return"
> does not work at all.

I've the same situation here and we use route-to to route everything from ISP1's network to their gateway and vice-versa.

route-to re-routes a packet from 1.0.0.0/24 when it's trying to leave through the ISP2 interface and everything then gets NAT'ed properly.

pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from $isp1_net to any

-- 
Giovanni P. Tirloni / gpt@tirloni.org

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 14:18:29 2005
Message-ID: <48239d3905080807182fef6a5b@mail.gmail.com>
Date: Mon, 8 Aug 2005 18:18:28 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
In-Reply-To: <42F7502C.4070003@tirloni.org>
Subject: Re: Fwd: pf problems

> I've the same situation here and we use route-to to route everything
> from ISP1's network to their gateway and vice-versa.
>
> route-to re-routes a packet from 1.0.0.0/24 when it's trying to leave
> through the ISP2 interface and everything then gets NAT'ed properly.
>
> pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from
> $isp1_net to any
>

It does not help. Actually, it looks like pf does not have control over outgoing packets produced by pf itself. I can neither block nor reroute these packets. I checked this very easily - I created the rules

block out log quick from SOME_OUTSIDE_HOST/32 to any
block out log quick from any to SOME_OUTSIDE_HOST/32

and made them the very first rules of the firewall. Needless to say, when I tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on the pflog0 device got the incoming SYN but did not show the RST. On the other hand, tcpdump on the default gateway interface showed the outgoing RST. Again, from this I conclude that pf-generated packets (RST/ICMP) are not subject to ruleset processing.
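Both symptoms in this thread leave a trace in tcpdump output that can be checked offline: the pflog0-versus-egress test in the message above (a RST that appears on the default-gateway interface although the "block out log quick" rules never logged it on pflog0) and the Bug#3 broadcast loop from the first message (one packet replayed at high speed on an outer interface). The script below is an added example, not code from the thread or from pf itself. Its capture lines are constructed; the tcpdump line format it parses (timestamp, an optional "rule N/M(match): block in on IF:" pflog prefix, then "src.port > dst.port: rest") is an assumption modelled on tcpdump's text output of that era, and the interface names ext_if1/ext_if2 and the peers 203.0.113.5 and 198.51.100.7 are invented for the sample.

```python
"""Offline checks over tcpdump text output for two pf symptoms:
 1. a pf-generated RST that leaves via the default gateway without ever
    being logged on pflog0 (so it never passed through the ruleset), and
 2. a forwarding loop that replays one broadcast packet at high speed.
All capture lines in this file are constructed for the example; the line
format is an assumption, not real output from the poster's router."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tcpdump-style line: timestamp, optional pflog prefix, 4-tuple, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?:rule \S+: (?P<action>block|pass) (?P<dir>in|out) on (?P<ifn>\w+): )?"
    r"(?:IP )?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<info>.*)$"
)

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Pkt:
    ts: float               # seconds since midnight
    flow: Flow
    info: str               # text after the 4-tuple: "S 1:1(0) ...", "udp 64"
    action: Optional[str]   # "block"/"pass" when the line came from pflog0
    ifn: Optional[str]      # interface named in the pflog prefix, if any


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines: List[str]) -> List[Pkt]:
    """Parse the lines that match LINE_RE; silently skip anything else."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        out.append(Pkt(_seconds(m["ts"]), flow, m["info"], m["action"], m["ifn"]))
    return out


def _reverse(flow: Flow) -> Flow:
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def unfiltered_rsts(pflog_lines: List[str], egress_lines: List[str]) -> List[Flow]:
    """Flows (keyed by the blocked inbound SYN) for which the egress capture
    shows a RST back to the peer although pflog0 never logged that RST.
    With 'block out log quick' rules for the peer ahead of everything else,
    a hit means the RST was not run through the ruleset at all."""
    pflog = parse(pflog_lines)
    blocked_syns = {p.flow for p in pflog
                    if p.action == "block" and p.info.startswith("S ")}
    logged_rsts = {_reverse(p.flow) for p in pflog if p.info.startswith("R ")}
    egress_rsts = {_reverse(p.flow) for p in parse(egress_lines)
                   if p.info.startswith("R ")}
    return sorted((blocked_syns & egress_rsts) - logged_rsts)


def packet_storms(lines: List[str], threshold: int = 50,
                  window: float = 1.0) -> List[Tuple[Flow, str, int]]:
    """Report (flow, info, total count) for identical packets seen at least
    `threshold` times inside any `window` seconds: the signature of the
    broadcast forwarding loop described as Bug#3."""
    groups: Dict[Tuple[Flow, str], List[float]] = {}
    for p in parse(lines):
        groups.setdefault((p.flow, p.info), []).append(p.ts)
    hits = []
    for (flow, info), stamps in groups.items():
        stamps.sort()
        # Sliding window: any run of `threshold` packets within `window` s?
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            hits.append((flow, info, len(stamps)))
    return hits


# --- constructed sample captures (not real data) ---------------------------
# pflog0: the inbound SYN to port 9999 is blocked twice; no RST is logged.
PFLOG_SAMPLE = [
    "14:05:01.000100 rule 2/0(match): block in on ext_if1: 203.0.113.5.40000 > 1.0.0.254.9999: S 10:10(0) win 5840",
    "14:05:01.000300 rule 2/0(match): block in on ext_if1: 203.0.113.5.40000 > 1.0.0.254.9999: S 10:10(0) win 5840",
]
# ext_if2, the default-gateway interface: the RST shows up here anyway.
EGRESS_SAMPLE = [
    "14:05:01.000150 IP 1.0.0.254.9999 > 203.0.113.5.40000: R 0:0(0) ack 11 win 0",
    "14:05:01.500000 IP 2.0.0.140.51000 > 198.51.100.7.80: S 77:77(0) win 65535",
]
# Sixty copies of one UDP broadcast within 30 ms, plus one unrelated ack.
STORM_SAMPLE = [
    f"14:07:00.{i * 500:06d} IP 1.0.0.133.1234 > 255.255.255.255.1234: udp 64"
    for i in range(60)
] + ["14:07:00.040000 IP 2.0.0.140.51000 > 198.51.100.7.80: . ack 78 win 65535"]

if __name__ == "__main__":
    print("RSTs that bypassed the ruleset:",
          unfiltered_rsts(PFLOG_SAMPLE, EGRESS_SAMPLE))
    print("packet storms:", packet_storms(STORM_SAMPLE))
```

To use it on a real box, capture with `tcpdump -n -e -ttt -i pflog0` and `tcpdump -n -i <egress_if>` in parallel, save both to files, and feed the lines to the two functions; the storm check is the cheaper early warning, since a loop of the Bug#3 kind shows up as thousands of identical frames per second long before the console stops responding.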
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 8 14:54:30 2005
Date: Mon, 8 Aug 2005 16:54:25 +0200
From: Daniel Hartmeier
To: Sergey Lapin
Cc: freebsd-pf@freebsd.org
Message-ID: <20050808145425.GI11104@insomnia.benzedrine.cx>
In-Reply-To: <48239d3905080807182fef6a5b@mail.gmail.com>
Subject: Re: Fwd: pf problems

On Mon, Aug 08, 2005 at 06:18:28PM +0400, Sergey Lapin wrote:
> It does not help.
> Actually, it looks like pf does not have control
> over outgoing packets produced by pf itself. I can not neither block
> nor reroute these packets. I checked this very easily - I created a
> rule
>
> block out log quick from SOME_OUTSIDE_HOST/32 to any
> block out log quick from any to SOME_OUTSIDE_HOST/32
>
> and made it very first rules of the firewall. Needless to say, when I
> tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on
> the pflog0 device got incoming SYN but did not show RST. From the
> other hand, tcpdump on the default gateway interface shown outgoing
> RST. Again, from this I conclude that pf-generated packets (RST/ICMP)
> are not subject for ruleset processing.

No, they are not.

You can try a 6.0 RC containing a newer version of pf which sends TCP RSTs (generated by 'return-rst') back out through the interface the blocked packet came in through.

Alternatively, use multiple filtering devices, one in front of each uplink.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 9 00:31:00 2005
Date: Tue, 9 Aug 2005 02:30:58 +0200
From: Kenneth Kalmer
To: freebsd-pf@freebsd.org
Subject: Newbie guides for pf and altq needed

Guys

I'm new to BSD as a whole, got myself a copy of FreeBSD, NetBSD & OpenBSD to start exploring the possibilities to replace some burdened Linux boxes with something else.

At the moment I have some pretty insane iptables firewalls and iproute2 setups (traffic management). I must point out that I'm rather comfortable with Linux, and I can quickly find my way around a *nix system, so I'm not a total noob...

Can anybody please point me to some resources for quickly getting up to speed with the *BSD derivatives of the above mentioned? Any pointers for somebody making the switch from Linux-based routers to *BSD routers would be gladly appreciated.
Kind regards

-- 
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 9 04:59:18 2005
Message-Id: <1EE331CD-E13E-47CC-B3E0-4FA8F41C4935@sycorax.ath.cx>
From: Jett Tayer
Date: Tue, 9 Aug 2005 10:47:26 +0800
To: Kenneth Kalmer
Cc: freebsd-pf@freebsd.org
Subject: Re: Newbie guides for pf and altq needed
Hi Kenneth,

for BSD firewalling, here's a quick guide.

http://www.openbsd.org/faq/pf/

jett

On 08 9, 05, at 8:30 AM, Kenneth Kalmer wrote:

> Guys
>
> I'm new to BSD as a whole, got myself a copy of FreeBSD, NetBSD &
> OpenBSD to start exploring the possibilities to replace some burdened
> Linux boxes with something else.
>

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 10 08:35:02 2005
Message-ID: <42F9BC30.5040604@quip.cz>
Date: Wed, 10 Aug 2005 10:34:56 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Kenneth Kalmer
Cc: freebsd-pf@freebsd.org
Subject: Re: Newbie guides for pf and altq needed

A lot of links to PF / ALTQ HowTos:

https://solarflux.org/pf/

Miroslav Lachman
Kenneth Kalmer wrote:
> Guys
>
> I'm new to BSD as a whole, got myself a copy of FreeBSD, NetBSD &
> OpenBSD to start exploring the possibilities to replace some burdened
> Linux boxes with something else.
>
> At the moment I have some pretty insane iptables firewalls and
> iproute2 setups (traffic management). I must point out that I'm rather
> comfortable with Linux, and I can quickly find my way around a *nix
> system, so I'm not a total noob...
>
> Can anybody please point me to some resources for quickly getting up
> to speed with the *BSD derivatives of the above mentioned? Any
> pointers for somebody making the switch from Linux-based routers to
> *BSD routers would be gladly appreciated.
>
> Kind regards
>

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 10 09:22:00 2005
Message-ID: <48239d390508100221659db9d6@mail.gmail.com>
Date: Wed, 10 Aug 2005 13:21:59 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
In-Reply-To: <200508060411.05482.max@love2party.net>
Subject: Re: Fwd: pf problems

On 8/6/05, Max Laier wrote:
> Sergey,
>
> On Friday 05 August 2005 13:29, Sergey Lapin wrote:
> > Hi, all:
> <...>
> > Test case:
> > (done from Linux machine from 1.1.1.128/25)
> >
> > tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
> > (where packet is random captured UDP packet using tcpdump -peni)
> >
> > or
> >
> > tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
> > (where packet is random captured UDP packet)
> >
> > kills machine.
> > Machine hangs and doesn't react on keyboard, whatever.
> > Only reset helps.
> > Directly blocking addresses in pf.conf help and normal connections
> > with UDP disabled
> > work well.
> > Any ideas?
>
> What version of FreeBSD are you running? Do you have a SMP/PREEMPTION kernel?
> Does setting debug.mpsafenet=0 in loader.conf change the situation? Do you
> have a chance to attach a remote debugger or can you try to break into the
> debugger from the console?

Status update:
It's not an SMP/PREEMPTION kernel.
debug.mpsafenet=0 doesn't help.
I couldn't break into the debugger - the machine is locked and looped somehow.
It sends that packet in a loop even when we stop sending it.
More than that - the situation doesn't replicate in VMware.
More on that - when we set everything up on VLANs and use only one physical interface (fxp), about 30 seconds pass before the machine dies, and if we stop sending traffic, it survives. Seems like some buffer filling...
When we use several physical interfaces (fxp, xl0, xl1) without VLANs the system dies immediately.

Any ideas?

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 10 15:16:02 2005
Message-ID: <48239d39050810081675ee369c@mail.gmail.com>
Date: Wed, 10 Aug 2005 19:16:01 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
In-Reply-To: <48239d390508100221659db9d6@mail.gmail.com>
Subject: Re: Fwd: pf problems

> > What version of FreeBSD are you running? Do you have a SMP/PREEMPTION kernel?
> > Does setting debug.mpsafenet=0 in loader.conf change the situation? Do you
> > have a chance to attach a remote debugger or can you try to break into the
> > debugger from the console?
> Status update:
> It's not an SMP/PREEMPTION kernel
> debug.mpsafenet=0 doesn't help
> I couldn't break into the debugger - the machine is locked and looped somehow.
> It sends that packet in a loop even when we stop sending it.
> More than that - the situation doesn't replicate in vmware.
>
> More on that - when we set everything on VLANs and use only one
> physical interface (fxp),
> about 30 seconds pass before the machine dies and if we stop sending
> traffic, it survives.
> Seems like some buffer filling...
> When we use several physical interfaces (fxp, xl0, xl1) without VLANs
> the system dies immediately.
>
> Any ideas?
>
Now more on that - we installed 6.0beta2 and this problem is still here, BUT
I could get into the debugger.
Any ideas how I could localize this problem?
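A check for the kind of frame the test case above replays (a frame with a broadcast destination MAC carrying an IPv4 packet addressed to 255.255.255.255 or to any address outside the networks the router is directly connected to), as an added example that is not code from this thread; run over frames from a capture it lists the ones worth blocking or investigating. The connected networks, the host MAC and the sample frames are constructed placeholders built from the test case's addresses.

```python
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800

# Assumed: the replaying host's network from the test case plus a second
# placeholder network; substitute the router's real connected networks.
CONNECTED_NETS = [ipaddress.ip_network(n) for n in ("1.1.1.128/25", "192.0.2.0/24")]


def parse_frame(frame):
    """Return (dst_mac, dst_ip) for an Ethernet II / IPv4 frame, else None.
    No 802.1Q tag handling: the frames built here are untagged."""
    if len(frame) < 14 + 20:
        return None
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_hdr = frame[14:34]
    if ip_hdr[0] >> 4 != 4:
        return None
    return dst_mac, ipaddress.IPv4Address(ip_hdr[16:20])


def is_trigger(frame, connected_nets=CONNECTED_NETS):
    """True when both conditions hold: broadcast destination MAC and an IPv4
    destination outside every directly connected network (255.255.255.255
    counts as outside)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    dst_mac, dst_ip = parsed
    if dst_mac != BROADCAST_MAC:
        return False
    return not any(dst_ip in net for net in connected_nets)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b"x"):
    """Constructed Ethernet II + IPv4 + UDP frame (checksums left zero; only
    the addressing matters for this check)."""
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


def scan(frames, connected_nets=CONNECTED_NETS):
    """Return (index, dst_ip) for every frame that matches the trigger."""
    hits = []
    for i, frame in enumerate(frames):
        if is_trigger(frame, connected_nets):
            hits.append((i, str(parse_frame(frame)[1])))
    return hits


HOST_MAC = bytes.fromhex("0200c0a80101")  # constructed, locally administered
SAMPLE_FRAMES = [
    # the two replayed packets from the test case: broadcast MAC, off-net IP
    build_frame(BROADCAST_MAC, HOST_MAC, "1.1.1.133", "255.255.255.255"),
    build_frame(BROADCAST_MAC, HOST_MAC, "1.1.1.133", "10.2.2.2"),
    # directed broadcast on a connected network: broadcast MAC but on-net IP
    build_frame(BROADCAST_MAC, HOST_MAC, "1.1.1.133", "1.1.1.255"),
    # ordinary unicast frame to an off-net address: forwarded normally
    build_frame(HOST_MAC, HOST_MAC, "1.1.1.133", "10.2.2.2"),
]

if __name__ == "__main__":
    for index, dst in scan(SAMPLE_FRAMES):
        print(f"frame {index}: broadcast MAC with off-net destination {dst}")
```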
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 11 15:35:40 2005
Date: Thu, 11 Aug 2005 19:35:39 +0400
From: Sergey Lapin
To: freebsd-pf@freebsd.org
Subject: Re: Fwd: pf problems
> Here's a more proper description of the problem:
>
> Hi.
>
> While trying to configure pf on our FreeBSD 5.4 router we have
> encountered three bugs, one of which is minor, the second is more serious.
> And worst of all, because of the second bug we have to use a
> workaround and that workaround triggers a third bug which is actually
> critical (because it hangs the device and floods the network). I'll try to
> explain these bugs briefly. Please advise where to report each of
> them. We have no idea if they are pf global or FreeBSD specific. We
> are going to repeat all the scenarios on OpenBSD.
>
> Background: we have two ISP connections and it is the source of all
> our problems - looks like working in such a mode is not debugged very
> well in pf.
>
> Setup:
> Let's say ISP1 gives us the 1.0.0.0/24 block with their gateway at
> 1.0.0.1. Our router is at 1.0.0.254.
> Similarly, ISP2 gives us 2.0.0.0/24, their gateway is at 2.0.0.1
> and our router is at 2.0.0.254.
> ISP2 gateway (2.0.0.1) is our default gateway.
> We have a DMZ where hosts of both ISP networks live
> (dmz_net1=1.0.0.128/25 and dmz_net2=2.0.0.128/25).
>
>
>                        +---------------+
>   1.0.0.254            |               |
>   --------------------+ ext_if1        |
>                        |               | dmz_net1
>                        |        dmz_if +--------
>   2.0.0.254            |               | dmz_net2
>   --------------------+ ext_if2        |
>                        |               |
>                        +---------------+
>
>
> Note that the firewall rules below are oversimplified to make the rule listing
> compact. In our "real" firewall we differentiate between TCP and
> UDP/ICMP traffic to make sure all outgoing TCP connections use
> "modulate state" instead of "keep state" etc. Also, the ruleset below is
> loosened in that it uses "any" where our real ruleset explicitly
> defines networks. Again, this is only to demonstrate the problem with a
> minimum amount of rules.
>
>
> ****************************************************
> ****************** BUG#1 (minor) *******************
> ****************************************************
>
> When pf blocks an incoming packet with a "block return" rule, it does not
> return the RST or ICMP packet to the interface from which the original packet
> came but always uses the default gateway instead. This way, if we have the
> default gateway set to ISP2's 2.0.0.1 and a packet destined to 1.0.0.254
> comes from the ISP1 interface (ext_if1) and this packet gets blocked with
> "block return", the TCP RST packet with source address 1.0.0.254 will
> be sent through the 2.0.0.1 gateway. Obviously, ISP2 drops packets whose
> source does not belong to their network, so basically "block return"
> does not work at all.
>
>
> ****************************************************
> ****************** Bug#2 (severe) ******************
> ****************************************************
>
> ruleset:
>
> #########################################################
>
> # nat outgoing connections on each internet interface
> nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
> nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
>
> # default deny silently
> block drop all
>
> # pass in quick any packets destined for the gateway itself
> pass in quick on $dmz_if from any to $dmz_if keep state
>
> pass quick on lo0
>
> # Classify traffic from DMZ
> # Allow all outgoing connections from DMZ
>
> pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
> pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
>
> # Allow gateway to route between different networks on the DMZ
> pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
>
> # Reroute OUT traffic appropriately
> pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
> pass out quick on $ext_if2 route-to
($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
>
> # general "pass out" rules for external interfaces
> pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
>
> #########################################################
>
> Note that the route-to rules should re-route all the traffic to the proper
> interface regardless of the default gateway specified.
>
> What happens with such rules:
> * When a host from dmz_net1 sends packets to the internet and the default
>   gateway is the ISP1 one, everything works fine and no translation is
>   performed.
> * When we change the default gateway to ISP2 a very interesting thing
>   happens: the packet from the dmz_net1 host leaves ext_if1 BUT it gets
>   translated as if it should leave ext_if2!
>
> I do not understand this one completely.
>
>
> ****************************************************
> ***************** Bug#3 (critical) *****************
> ****************************************************
>
> Because route-to for "out" rules did not work well, we decided to add
> the redirection for "in" rules, so we added
>
> pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
> pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
>
> right before the "pass out quick" rules. Everything started working
> right and it worked fine for some time but then the firewall died (the machine
> did not respond to the keyboard and the only way to bring it back to life was to
> bounce power). After rebooting the situation repeated - the router was working
> well for 2 to 10 minutes and then unexpectedly froze. We discovered
> that the problem was caused by a broadcast UDP packet coming in on dmz_if and
> destined to 255.255.255.255. Later we discovered that this situation is
> triggered by any packet for which both conditions are true:
> 1. destination MAC is broadcast
> 2. destination IP is none of the router's directly connected networks
>
> Any such packet kills the router.
> Actually, the router is not completely
> dead - it sends that damn packet over and over at huge speed to the
> outer interface.
>
> Even if I'm doing something completely wrong, the router should NOT hang that way.
>
>
> No idea if these bugs are pf's or they are FreeBSD specific.
>

Okay, we tested FreeBSD 5.4, FreeBSD 6.0 and OpenBSD 3.7.

Bug #2 is present everywhere. Which means it is a pf bug (or misfeature).

Bug #3 is definitely FreeBSD specific - it does not hurt OpenBSD.

Bug #1 does not seem like a bug anymore. In general, the router cannot send a
reply to the interface from which the packet arrived because it is unclear what
to use as the next hop on this interface. That means this issue is somewhat
global to most flavors of UNIX. I have no idea how this can be fixed at all -
the only thing I can think of is to make pf-generated replies processable by pf
itself, to be able to route them by pf's means.

So, the final resume: the FreeBSD-pf bundle has a critical bug (ok, critical
for us) which we reported to the FreeBSD team.

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 11 16:09:52 2005
Date: Thu, 11 Aug 2005 18:09:49 +0200
From: Hexren
To: freebsd-pf@freebsd.org
Subject: Bug Report (system crash with GRE and NAT)

We tried to run NAT on GRE sessions. That failed with more than 1 host in the
NATed network using GRE. (GRE NAT is after all not really supported as far as I
can see, so no big surprise here.)
The unfortunate thing that I would call a bug is that the gateway did not fail
gracefully (dropping the sessions involved) but died completely, to the point
where only power cycling brought it back.

Kind regards, and thanks for the work that goes into making pf work under FreeBSD.
Oliver Steenbuck

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 11 17:00:06 2005
Date: Thu, 11 Aug 2005 18:59:11 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Subject: Re: Fwd: pf problems

On Thursday 11 August 2005 17:35, Sergey Lapin wrote:
> > ****************************************************
> > *****************
Bug#3 (critical) *****************
> > ****************************************************
> >
> > Because route-to for "out" rules did not work well, we decided to add
> > the redirection for "in" rules, so we added
> >
> > pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
> > pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
> >
> > right before the "pass out quick" rules. Everything started working
> > right and it worked fine for some time but then the firewall died (the machine
> > did not respond to the keyboard and the only way to bring it back to life was to
> > bounce power). After rebooting the situation repeated - the router was working
> > well for 2 to 10 minutes and then unexpectedly froze. We discovered
> > that the problem was caused by a broadcast UDP packet coming in on dmz_if and
> > destined to 255.255.255.255. Later we discovered that this situation is
> > triggered by any packet for which both conditions are true:
> > 1. destination MAC is broadcast
> > 2. destination IP is none of the router's directly connected networks
> >
> > Any such packet kills the router. Actually, the router is not completely
> > dead - it sends that damn packet over and over at huge speed to the
> > outer interface.
> >
> > Even if I'm doing something completely wrong, the router should NOT hang that
> > way.

> Okay, we tested FreeBSD 5.4, FreeBSD 6.0 and OpenBSD 3.7

Thanks for doing this research. Appreciated!

> Bug #2 is present everywhere. Which means it is a pf bug (or misfeature)

I'll leave that to the OpenBSD guys for the moment ...

> Bug #3 is definitely FreeBSD specific - it does not hurt OpenBSD.

... and focus on this one. You said in an earlier mail that you have been
able to break to DDB while hung? Can you get a couple of traces from that
machine so that we get an idea where we are spinning? Just break into the
debugger, issue a "trace" followed by a "continue", break again, repeat.
Finally you should make sure that you have an "interesting" trace (i.e.
something with pf_* functions) and "call doadump". On reboot secure the core
and get back to me.

Thanks for your investigation and help!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 11 17:02:02 2005
Date: Thu, 11 Aug 2005 19:01:15 +0200
From: Max Laier
To: freebsd-pf@freebsd.org, Hexren
Subject: Re:
Bug Report (system crash with GRE and NAT)

On Thursday 11 August 2005 18:09, Hexren wrote:
> We tried to run NAT on GRE sessions. That failed with more than 1 host
> in the NATed network using GRE. (GRE NAT is after all not really
> supported as far as I can see, so no big surprise here)
> The unfortunate thing that I would call a bug is that the gateway did
> not fail gracefully (dropping the sessions involved) but died completely to
> the point where only power cycling brought it back.

Are you able to break into the debugger? Can you check if we are spinning or if
this is a deadlock? See my mail just a couple of seconds ago for more
details on what to do. Thanks!

btw, what version of FreeBSD are you running?
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 11 22:00:50 2005
Date: Fri, 12 Aug 2005 00:00:47 +0200
From: Hexren
To: freebsd-pf@freebsd.org
Subject: Re[2]: Bug Report (system crash with GRE and NAT)

> On Thursday 11 August 2005 18:09, Hexren wrote:
>> We tried to run NAT on GRE sessions. That failed with more than 1 host
>> in the NATed network using GRE. (GRE NAT is after all not really
>> supported as far as I can see, so no big surprise here)
>> The unfortunate thing that I would call a bug is that the gateway did
>> not fail gracefully (dropping the sessions involved) but died completely to
>> the point where only power cycling brought it back.
> Are you able to break into the debugger? Can you check if we are spinning or if
> this is a deadlock? See my mail just a couple of seconds ago for more
> details on what to do. Thanks!
> btw, what version of FreeBSD are you running?
---------------------------------------------
I'm running 5.4, could be a few days till I can test something, sorry.
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 14:56:20 2005
Date: Fri, 12 Aug 2005 16:02:19 +0100
From: Rod
To: freebsd-pf@freebsd.org
Subject: Bridge and PF

Hi,

Does anyone know if there is a setting similar to that of ipf and ipfw for
setting bridged devices to use a firewall in sysctl, e.g.
for ipfw:

net.link.ether.bridge.ipfw=1

for ipf

net.link.ether.bridge.ipfw=1

Guessed at net.link.ether.bridge.pf=1 but no such luck. Is this at all
possible with PF on FreeBSD?

kind regards

Rod

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 15:39:47 2005
Date: Fri, 12 Aug 2005 16:45:47 +0100
From: Rod
To: freebsd-pf@freebsd.org
Subject: Re: Bridge and PF

Found my answer:
http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-April/000984.html

>FreeBSD has no support for pf in its bridge code.
>Neither has it IPv6 support.

On Fri, 2005-08-12 at 16:02, Rod wrote:
> Hi,
>
> Does anyone know if there is a setting similar to that of ipf and ipfw
> for setting bridged devices to use a firewall in sysctl, e.g.
>
> for ipfw:
>
> net.link.ether.bridge.ipfw=1
>
> for ipf
>
> net.link.ether.bridge.ipfw=1
>
> Guessed at net.link.ether.bridge.pf=1 but no such luck. Is this at all
> possible with PF on FreeBSD?
>
> kind regards
>
> Rod
>

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 15:42:45 2005
Date: Fri, 12 Aug 2005 11:42:37 -0400
From: Scott Ullrich
To: Rod
Cc: freebsd-pf@freebsd.org
Subject: Re: Bridge and PF

On 8/12/05, Rod wrote:
> Found my answer:
>
> http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-April/000984.html
>
> >FreeBSD has no support for pf in its bridge code.
> >Neither has it IPv6 support.

If you're using FreeBSD 6 check out the new if_bridge facilities that do
support pf. If you're using 5, I would suggest upgrading to 6 where a lot of
items are improved.

Scott

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 15:51:51 2005
Date: Fri, 12 Aug 2005 17:51:15 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Subject: Re: Bridge and PF

On Friday 12 August 2005 17:45, Rod wrote:
> Found my answer:
>
> http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-April/000984.html
>
> >FreeBSD has no support for pf in its bridge code.
> >Neither has it IPv6 support.

This is not true. As Scott suggested, try if_bridge in 6.0 which has both IPv6
and full pf support. Additionally, pf is supported by the old bridge; just
use the same settings you would use for ipf. The old bridge does not allow
for stateful filtering, however. The same is true for ipf and ipfw with the
old bridge code.

> On Fri, 2005-08-12 at 16:02, Rod wrote:
> > Hi,
> >
> > Does anyone know if there is a setting similar to that of ipf and ipfw
> > for setting bridged devices to use a firewall in sysctl, e.g.
> >
> > for ipfw:
> >
> > net.link.ether.bridge.ipfw=1
> >
> > for ipf
> >
> > net.link.ether.bridge.ipfw=1
> >
> > Guessed at net.link.ether.bridge.pf=1 but no such luck. Is this at all
> > possible with PF on FreeBSD?
> > > > kind regards > > > > Rod =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1593939.JSmLmUunit Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBC/MV/XyyEoT62BG0RAmEwAJ9IFbqWCzG9r7PCWHvuaatcdA7K7QCdEHg+ ap0DyjTAkckhX8zO+dVG5I8= =sPh0 -----END PGP SIGNATURE----- --nextPart1593939.JSmLmUunit-- From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 16:12:50 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 70A6316A41F for ; Fri, 12 Aug 2005 16:12:50 +0000 (GMT) (envelope-from slapinid@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id E19CD43D45 for ; Fri, 12 Aug 2005 16:12:49 +0000 (GMT) (envelope-from slapinid@gmail.com) Received: by zproxy.gmail.com with SMTP id z6so405048nzd for ; Fri, 12 Aug 2005 09:12:49 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=J3YK/8wZqA8ZPoCdF2makTpFy0VO8CwZfVaRgR3VbMX1tGdHE93n04xl2S5yM4SknAc/c0O27lOnOerAxEs7SV80JEwnhOGqlDphVtOKQFCJP9PRTBXdiDZDN13JOX7x8QxxL49WTE7gf1L9nlJlbUX9hFhKolmNnJ6yMMW0nuM= Received: by 10.36.252.68 with SMTP id z68mr1900458nzh; Fri, 12 Aug 2005 09:12:47 -0700 (PDT) Received: by 10.36.33.4 with HTTP; Fri, 12 Aug 2005 09:12:47 -0700 (PDT) Message-ID: <48239d3905081209121363815b@mail.gmail.com> Date: Fri, 12 Aug 2005 20:12:47 +0400 From: Sergey Lapin To: freebsd-pf@freebsd.org In-Reply-To: <48239d39050812090347ce703b@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 
Subject: Fwd: kern/84801: kernel hangs with pf and route-to

Copying to the list; maybe someone will be of any help.

---------- Forwarded message ----------
From: Sergey Lapin
Date: Aug 12, 2005 8:03 PM
Subject: Re: kern/84801: kernel hangs with pf and route-to
To: bug-followup@freebsd.org

Here comes data from the debugger.

login: ~KDB: enter: Line break on console
[thread pid 37 tid 100036 ]
Stopped at kdb_enter+0x2b: nop
db> trace
Tracing pid 37 tid 100036 td 0xc1918d80
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d33c695c,4,d33c69a4,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc0692442, esp = 0xd33c69a0, ebp = 0xd33c69a4 ---
strncmp(c086c33f,c0859af9,3) at strncmp+0x16
fixup_filename(c086c336,d33c69f4,c0654bc4,c0926440,c092ef18) at fixup_filename+0x24
witness_checkorder(c1a4c0a4,9,c086c336,a0d) at witness_checkorder+0x72
_mtx_lock_flags(c1a4c0a4,0,c086c336,a0d) at _mtx_lock_flags+0x5b
xl_start(c19e5400) at xl_start+0x22
if_start(c19e5400,c19e550c,c1b2850c,202a2a4,62) at if_start+0x7b
vlan_start(c1b28400) at vlan_start+0x346
if_start(c1b28400) at if_start+0x7b
ether_output_frame(c1b28400,c1b16200,0,0,0) at ether_output_frame+0x1d9
ether_output(c1b28400,c1b16200,d33c6b34,0,c1b28400) at ether_output+0x3b4
pf_route(d33c6c7c,c1cf04b8,1,c1b28400,c1e7a820) at pf_route+0x2a1
pf_test(1,c1b28400,d33c6c7c,0,0) at pf_test+0x66e
pf_check_in(0,d33c6c7c,c1b28400,1,0) at pf_check_in+0x37
pfil_run_hooks(c096ed00,d33c6cc8,c1b28400,1,0) at pfil_run_hooks+0xc9
ip_input(c1b15800) at ip_input+0x231
netisr_processqueue(c096e338) at netisr_processqueue+0x6e
swi_net(0) at swi_net+0xbe
ithread_loop(c18fa480,d33c6d38,c18fa480,c061f854,0) at ithread_loop+0x11c
fork_exit(c061f854,c18fa480,d33c6d38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd33c6d6c, ebp = 0 ---

~KDB: enter: Line break on console
[thread pid 29 tid 100023 ]
Stopped at kdb_enter+0x2b: nop
db> trace
Tracing pid 29 tid 100023 td 0xc190b780
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d339cc94,4,d339cce8,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc074fee2, esp = 0xd339ccd8, ebp = 0xd339cce8 ---
xl_intr(c1a4a000) at xl_intr+0x102
ithread_loop(c18fa880,d339cd38,c18fa880,c061f854,0) at ithread_loop+0x11c
fork_exit(c061f854,c18fa880,d339cd38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd339cd6c, ebp = 0 ---

~KDB: enter: Line break on console
[thread pid 40 tid 100029 ]
Stopped at kdb_enter+0x2b: nop
db> trace
Tracing pid 40 tid 100029 td 0xc18bed80
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d23b9bb0,4,d23b9bf8,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc07e46e7, esp = 0xd23b9bf4, ebp = 0xd23b9bf8 ---
spinlock_exit(c096cb10,d23b9c30,c0654bc4,c0926440,0) at spinlock_exit+0x27
_mtx_unlock_spin_flags(c0926440,0,c085995e,6af,c0926440) at _mtx_unlock_spin_flags+0x8d
witness_lock_list_free(c096cb10) at witness_lock_list_free+0x40
witness_unlock(c1a4c0a4,8,c086c33f,839) at witness_unlock+0x1b6
_mtx_unlock_flags(c1a4c0a4,0,c086c336,839,c1a4a000) at _mtx_unlock_flags+0x5b
xl_rxeof_task(c1a4a000,0,c19b839c,0,c085914d) at xl_rxeof_task+0x38
taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0x86
taskqueue_swi_run(0) at taskqueue_swi_run+0xe
ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---

~KDB: enter: Line break on console
[thread pid 40 tid 100029 ]
Stopped at kdb_enter+0x2b: nop
db> trace
Tracing pid 40 tid 100029 td 0xc18bed80
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d23b9be8,4,d23b9c30,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc069244f, esp = 0xd23b9c2c, ebp = 0xd23b9c30 ---
strncmp(c086c33f,c0859af9,3) at strncmp+0x23
fixup_filename(c086c336,c092ef18,c1a4c0a4,837,c086c336) at fixup_filename+0x24
witness_lock(c1a4c0a4,8,c086c336,837,c1a4a000) at witness_lock+0x55
_mtx_lock_flags(c1a4c0a4,0,c086c336,837,0) at _mtx_lock_flags+0x97
xl_rxeof_task(c1a4a000,0,c19b839c,0,c085914d) at xl_rxeof_task+0x20
taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0x86
taskqueue_swi_run(0) at taskqueue_swi_run+0xe
ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---

db> trace
Tracing pid 29 tid 100023 td 0xc190b780
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d339cc88,4,d339ccd0,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc07e46e7, esp = 0xd339cccc, ebp = 0xd339ccd0 ---
spinlock_exit(0,d339cd0c,c061fa8c,c091efa0,0) at spinlock_exit+0x27
_mtx_unlock_spin_flags(c091efa0,0,c08539c9,251) at _mtx_unlock_spin_flags+0x8d
ithread_loop(c18fa880,d339cd38,c18fa880,c061f854,0) at ithread_loop+0x238
fork_exit(c061f854,c18fa880,d339cd38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd339cd6c, ebp = 0 ---

~KDB: enter: Line break on console
[thread pid 40 tid 100029 ]
Stopped at kdb_enter+0x2b: nop
db> trace
Tracing pid 40 tid 100029 td 0xc18bed80
kdb_enter(c0877106) at kdb_enter+0x2b
siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
siointr(c1a97400) at siointr+0x21
intr_execute_handlers(c18e4890,d23b9c80,4,d23b9cdc,c07dba33) at intr_execute_handlers+0xa5
lapic_handle_intr(34) at lapic_handle_intr+0x2e
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc06505da, esp = 0xd23b9cc4, ebp = 0xd23b9cdc ---
taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0xaa
taskqueue_swi_run(0) at taskqueue_swi_run+0xe
ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 16:15:40 2005
From: Rod
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Fri, 12 Aug 2005 17:21:39 +0100
Message-Id: <1123863698.22864.266.camel@torgau.office.netline.net.uk>
Subject: Re: Bridge and PF

Unfortunately I can't use a beta in the current environment and require stateful filtering, so on this occasion it looks like we will be using OpenBSD, but I'm looking forward to the FreeBSD 6.0 release.

On Fri, 2005-08-12 at 16:51, Max Laier wrote:
> On Friday 12 August 2005 17:45, Rod wrote:
> > Found my answer :
> >
> > http://lists.freebsd.org/mailman/htdig/freebsd-pf/2005-April/000984.html
> >
> > >FreeBSD has no support for pf in its bridge code.
> > >Neither has it IPv6 support.
>
> This is not true. As Scott suggested try if_bridge in 6.0 which has both IPv6
> and full pf support. Additionally, pf is supported by the old bridge just
> use the same settings you would use for ipf. The old bridge does not allow
> for stateful filtering however. The same is true for ipf and ipfw with the
> old bridge code.
>
> > On Fri, 2005-08-12 at 16:02, Rod wrote:
> > > Hi,
> > >
> > > Does anyone know if there is a setting similar to that of ipf and ipfw
> > > for setting bridged devices to use a firewall in sysctl e.g.
> > >
> > > for ipfw:
> > >
> > > net.link.ether.bridge.ipfw=1
> > >
> > > for ipf
> > >
> > > net.link.ether.bridge.ipfw=1
> > >
> > > Guessed at net.link.ether.bridge.pf=1 but no such luck. Is this at all
> > > possible with PF on freebsd?
> > >
> > > kind regards
> > >
> > > Rod

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 17:17:33 2005
Date: Fri, 12 Aug 2005 19:17:30 +0200
From: Kenneth Kalmer
To: freebsd-pf@freebsd.org
Subject: Newbie (Round II) ALTQ & pf

Guys

Thanks for the replies on my previous post for links on pf and altq; it really helped, and I'm still reading up on some of the docs, very interesting stuff.

I've got a Linux-based gateway that I'd like to try and replace with a FreeBSD one. Currently I use the following features in iptables/iproute2 that I need to replace with pf/altq.

Traffic shaping is done using the HTB scheduler; it works much better than CBQ (personal experience and the opinions on the LARTC list). I need quite a complex hierarchy to get the desired results. I had a look at HFSC and it appears to be more capable than HTB. Can anyone confirm this for me?

Secondly, with iptables I do MAC-based access control. I understand that MAC addresses can be easily spoofed, but in this specific environment the odds that somebody will do it are less than the Zimbabwean dollar becoming the world currency.

Also thrown in is a transparent squid (seen this can be done) and some clever DNATting (playing with it now).

Thanks in advance

--
Kenneth Kalmer
kenneth.kalmer@gmail.com
Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 21:45:46 2005
From: "uainfo.net"
To: pf@freebsd.org
Date: Sat, 13 Aug 2005 00:45:44 +0300
Message-ID: <9d3a3aab050812144554949bc0@mail.gmail.com>
Subject: a problem about mpd, error 619

My PC (VPN client, OS: Win2k)
80.73.10.xx
        ||
        ||
NAT firewall
80.73.0.233
        ||
        ||
(^^^^^^^^^^^^^^^^^)
(    Internet     )
^^^^^^^^^^^^^^^^^^^
        ||
        ||
VPN server (FreeBSD 4.8 + ipf + mpd)
212.42.77.xx
        ||
        ||
LAN 192.168.0.
==========================================================================

#ipf.rules:
pass in quick on ng0 all
pass out quick on ng0 all
pass in quick on rl0 proto tcp from any to any port = 47 keep state
pass out quick on rl0 proto tcp from any port = 47 to any keep state
pass in quick on rl0 proto tcp from any to any port = 1723 keep state
pass out quick on rl0 proto tcp from any port = 1723 to any keep state
pass in proto gre from any to any keep state
pass out proto gre from any to any keep state
------------------------------------------------------------------------------------------------------------------

#mpd.conf:
default:
        load client1
        load client2
        load client3

client1:
        new -i ng0 pptp1 pptp1
        set ipcp ranges 10.0.100.1/32 10.0.100.2/32
        load pptp

client2:
        new -i ng1 pptp2 pptp2
        set ipcp ranges 10.0.100.1/32 10.0.100.3/32
        load pptp

client3:
        new -i ng2 pptp3 pptp3
        set ipcp ranges 10.0.100.1/32 10.0.100.4/32
        load pptp

pptp:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 1800
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link enable no-orig-auth
        set link mtu 1460
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp dns 212.42.64.xx
#       set ipcp nbns
#
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
#
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
------------------------------------------------------------------------------------------------------------------

#mpd.links:
pptp1:
        set link type pptp
        set pptp self 0.0.0.0
        set pptp enable incoming
        set pptp disable originate

pptp2:
        set link type pptp
        set pptp self 0.0.0.0
        set pptp enable incoming
        set pptp disable originate

pptp3:
        set link type pptp
        set pptp self 0.0.0.0
        set pptp enable incoming
        set pptp disable originate
==========================================================================

The problem is: when clients from the LAN (192.168.0.) connect to the VPN server, all works. But from 80.73.10.xx it reports error 619. I thought it may be filtered by the NAT firewall (80.73.0.233), and just wanted to give it up; I typed "mpd" and went for some beer :) (I had sshed to the VPN server from 80.73.10.xx). When I came back, I tried one more time, and it connected... Then I tried many times; the result is: ssh to the VPN server, mpd -k, wait about 20 min, and it will connect; otherwise error 619.
==========================================================================

successful connection:

mpd: PPTP connection from 80.73.0.233:1419
pptp0: attached to connection with 80.73.0.233:1419
[pptp1] IFACE: Open event
[pptp1] IPCP: Open event
[pptp1] IPCP: state change Initial --> Starting
[pptp1] IPCP: LayerStart
[pptp1] IPCP: Open event
[pptp1] bundle: OPEN event in state CLOSED
[pptp1] opening link "pptp1"...
[pptp1] link: OPEN event
[pptp1] LCP: Open event
[pptp1] LCP: state change Initial --> Starting
[pptp1] LCP: LayerStart
[pptp1] device: OPEN event in state DOWN
[pptp1] attaching to peer's outgoing call
[pptp1] device is now in state OPENING
[pptp1] device: UP event in state OPENING
[pptp1] device is now in state UP
[pptp1] link: UP event
[pptp1] link: origination is remote
[pptp1] LCP: Up event
[pptp1] LCP: state change Starting --> Req-Sent
[pptp1] LCP: phase shift DEAD --> ESTABLISH
[pptp1] LCP: SendConfigReq #11
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 155430c4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
  MAGICNUM 751f7a9f
  PROTOCOMP
  ACFCOMP
  CALLBACK Not supported
  MP MRRU 1614
  ENDPOINTDISC [802.1] 00 48 54 8a 29 9d
[pptp1] LCP: SendConfigRej #0
  CALLBACK
[pptp1] LCP: rec'd Configure Reject #11 link 0 (Req-Sent)
  MP SHORTSEQ
[pptp1] LCP: SendConfigReq #12
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 155430c4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
  MAGICNUM 751f7a9f
  PROTOCOMP
  ACFCOMP
  MP MRRU 1614
  ENDPOINTDISC [802.1] 00 48 54 8a 29 9d
[pptp1] LCP: SendConfigNak #1
  MP MRRU 1600
[pptp1] LCP: rec'd Configure Ack #12 link 0 (Req-Sent)
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 155430c4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: state change Req-Sent --> Ack-Rcvd
[pptp1] LCP: rec'd Configure Request #2 link 0 (Ack-Rcvd)
  MAGICNUM 751f7a9f
  PROTOCOMP
  ACFCOMP
  MP MRRU 1600
  ENDPOINTDISC [802.1] 00 48 54 8a 29 9d
[pptp1] LCP: SendConfigAck #2
  MAGICNUM 751f7a9f
  PROTOCOMP
  ACFCOMP
  MP MRRU 1600
  ENDPOINTDISC [802.1] 00 48 54 8a 29 9d
[pptp1] LCP: state change Ack-Rcvd --> Opened
[pptp1] LCP: phase shift ESTABLISH --> AUTHENTICATE
[pptp1] LCP: auth: peer wants nothing, I want CHAP
[pptp1] CHAP: sending CHALLENGE
[pptp1] LCP: LayerUp
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Ident #3 link 0 (Opened)
  MESG: MSRASV5.00
[pptp1] LCP: rec'd Ident #4 link 0 (Opened)
  MESG: MSRAS-1-UAINFO
[pptp1] CHAP: rec'd RESPONSE #1
  Name: "test1"
  Peer name: "test1"
  Response is valid
[pptp1] CHAP: sending SUCCESS
[pptp1] LCP: authorization successful
[pptp1] LCP: phase shift AUTHENTICATE --> NETWORK
[pptp1] setting interface ng0 MTU to 1500 bytes
[pptp1] up: 1 link, total bandwidth 64000 bps
[pptp1] IPCP: Up event
[pptp1] IPCP: state change Starting --> Req-Sent
[pptp1] IPCP: SendConfigReq #1
  IPADDR 10.0.100.1
  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] CCP: Open event
[pptp1] CCP: state change Initial --> Starting
[pptp1] CCP: LayerStart
[pptp1] CCP: Up event
[pptp1] CCP: state change Starting --> Req-Sent
[pptp1] CCP: SendConfigReq #1
  MPPC 0x010000e0: MPPE, 40 bit, 56 bit, 128 bit, stateless
[pptp1] CCP: rec'd Configure Request #5 link 0 (Req-Sent)
  MPPC 0x010000e1: MPPC MPPE, 40 bit, 56 bit, 128 bit, stateless
[pptp1] CCP: SendConfigNak #5
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] IPCP: rec'd Configure Request #6 link 0 (Req-Sent)
  IPADDR 0.0.0.0
    NAKing with 10.0.100.4
  PRIDNS 0.0.0.0
    NAKing with 10.0.100.1
  PRINBNS 0.0.0.0
    NAKing with 10.0.100.1
  SECDNS 0.0.0.0
  SECNBNS 0.0.0.0
[pptp1] IPCP: SendConfigRej #6
  SECDNS 0.0.0.0
  SECNBNS 0.0.0.0
[pptp1] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent)
  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] IPCP: SendConfigReq #2
  IPADDR 10.0.100.1
[pptp1] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: SendConfigReq #2
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: rec'd Configure Request #7 link 0 (Req-Sent)
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: SendConfigAck #7
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: state change Req-Sent --> Ack-Sent
[pptp1] IPCP: rec'd Configure Request #8 link 0 (Req-Sent)
  IPADDR 0.0.0.0
    NAKing with 10.0.100.4
  PRIDNS 0.0.0.0
    NAKing with 10.0.100.1
  PRINBNS 0.0.0.0
    NAKing with 10.0.100.1
[pptp1] IPCP: SendConfigNak #8
  IPADDR 10.0.100.4
  PRIDNS 10.0.100.1
  PRINBNS 10.0.100.1
[pptp1] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent)
  IPADDR 10.0.100.1
[pptp1] IPCP: state change Req-Sent --> Ack-Rcvd
[pptp1] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
  MPPC 0x01000040: MPPE, 128 bit, stateless
[pptp1] CCP: state change Ack-Sent --> Opened
[pptp1] CCP: LayerUp
  Compress using: MPPE, 128 bit, stateless
  Decompress using: MPPE, 128 bit, stateless
[pptp1] setting interface ng0 MTU to 1500 bytes
[pptp1] IPCP: rec'd Configure Request #9 link 0 (Ack-Rcvd)
  IPADDR 10.0.100.4
    10.0.100.4 is OK
  PRIDNS 10.0.100.1
  PRINBNS 10.0.100.1
[pptp1] IPCP: SendConfigAck #9
  IPADDR 10.0.100.4
  PRIDNS 10.0.100.1
  PRINBNS 10.0.100.1
[pptp1] IPCP: state change Ack-Rcvd --> Opened
[pptp1] IPCP: LayerUp
  10.0.100.1 -> 10.0.100.4
[pptp1] IFACE: Up event
[pptp1] setting interface ng0 MTU to 1500 bytes
[pptp1] exec: /sbin/ifconfig ng0 10.0.100.1 10.0.100.4 netmask 0xffffffff -link0
[pptp1] no interface to proxy arp on for 10.0.100.4
[pptp1] exec: /sbin/route add 10.0.100.1 -iface lo0
[pptp1] IFACE: Up event
==========================================================================

failed connection:

[pptp5:pptp5] mpd: PPTP connection from 80.73.0.233:1392
pptp0: attached to connection with 80.73.0.233:1392
[pptp1] IFACE: Open event
[pptp1] IPCP: Open event
[pptp1] IPCP: state change Initial --> Starting
[pptp1] IPCP: LayerStart
[pptp1] IPCP: Open event
[pptp1] bundle: OPEN event in state CLOSED
[pptp1] opening link "pptp1"...
[pptp1] link: OPEN event
[pptp1] LCP: Open event
[pptp1] LCP: state change Initial --> Starting
[pptp1] LCP: LayerStart
[pptp1] device: OPEN event in state DOWN
[pptp1] attaching to peer's outgoing call
[pptp1] device is now in state OPENING
[pptp1] device: UP event in state OPENING
[pptp1] device is now in state UP
[pptp1] link: UP event
[pptp1] link: origination is remote
[pptp1] LCP: Up event
[pptp1] LCP: state change Starting --> Req-Sent
[pptp1] LCP: phase shift DEAD --> ESTABLISH
[pptp1] LCP: SendConfigReq #1
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: SendConfigReq #2
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #3
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #4
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #5
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #6
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #7
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #8
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #9
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: SendConfigReq #10
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 73bae5f4
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 03 47 a3 ab 33
[pptp1] LCP: state change Req-Sent --> Stopped
[pptp1] LCP: LayerFinish
[pptp1] LCP: parameter negotiation failed
[pptp1] LCP: LayerFinish
[pptp1] device: CLOSE event in state UP
pptp0-0: clearing call
pptp0-0: killing channel
[pptp1] PPTP call terminated
[pptp1] IFACE: Close event
[pptp1] IPCP: Close event
[pptp1] IPCP: state change Starting --> Initial
[pptp1] IPCP: LayerFinish
[pptp1] IFACE: Close event
pptp0: closing connection with 80.73.0.233:1392
[pptp1] IFACE: Close event
[pptp1] device is now in state CLOSING
[pptp1] bundle: CLOSE event in state OPENED
[pptp1] closing link "pptp1"...
[pptp1] device: CLOSE event in state CLOSING
[pptp1] device is now in state CLOSING
[pptp1] link: CLOSE event
[pptp1] LCP: Close event
[pptp1] LCP: state change Stopped --> Closed
[pptp1] device: DOWN event in state CLOSING
[pptp1] device is now in state DOWN
[pptp1] link: DOWN event
[pptp1] LCP: Down event
[pptp1] LCP: state change Closed --> Initial
[pptp1] LCP: phase shift ESTABLISH --> DEAD
[pptp1] device: DOWN event in state DOWN
[pptp1] device is now in state DOWN
[pptp1] link: DOWN event
[pptp1] LCP: Down event
pptp0: killing connection with 80.73.0.233:1392

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 22:40:57 2005
Date: Sat, 13 Aug 2005 00:40:55 +0200
From: Jeremie Le Hen
To: Max Laier
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Message-ID: <20050812224055.GF45385@obiwan.tataz.chchile.org>
Subject: Re: Bridge and PF
Hi,

> This is not true. As Scott suggested try if_bridge in 6.0 which has both
> IPv6
> and full pf support. Additionally, pf is supported by the old bridge just
> use the same settings you would use for ipf. The old bridge does not allow
> for stateful filtering however. The same is true for ipf and ipfw with the
> old bridge code.

Does if_bridge generally support PF_HOOKS (thus one can use ipfw), or is it strictly bound to pf?

Thanks.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 12 23:00:39 2005
From: Max Laier
To: Jeremie Le Hen
Date: Sat, 13 Aug 2005 00:59:54 +0200
micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200508130100.09827.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Andrew Thompson , freebsd-pf@freebsd.org Subject: Re: Bridge and PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 23:00:39 -0000 --nextPart1163691.tYQ7fp2MzY Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 13 August 2005 00:40, Jeremie Le Hen wrote: > Hi, > > > This is not true. As Scott suggested try if_bridge in 6.0 which has bo= th > > IPv6 > > and full pf support. Additionally, pf is supported by the old bridge > > just use the same settings you would use for ipf. The old bridge does > > not allow for stateful filtering however. The same is true for ipf and > > ipfw with the old bridge code. > > Does if_bridge generally support PF_HOOKS (thus one can use ipfw), > or is it strictly bound to pf ? As per if_bridge(4): When filtering is enabled, bridged packets will pass through the filter inbound on the originating interface, on the bridge interface and out- bound on the appropriate interfaces. Either stage can be disabled, th= is behaviour can be controlled using sysctl(8): net.link.bridge.pfil_member Set to 1 to enable filtering on the incom= ing and outgoing member interfaces, set to 0 = to disable it. net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface, set to 0 to disable it. net.link.bridge.ipfw Set to 1 to enable layer2 filtering with ipfirewall(4), set to 0 to disable it. T= his needs to be enabled for dummynet(4) suppo= rt. 
When ipfw is enabled, pfil_bridge and pfil_member will be disabled so that IPFW= is not run twice; these can be re-enabled if desired. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1163691.tYQ7fp2MzY Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBC/Sn5XyyEoT62BG0RAp8sAJwITsFMqqH4YymHzncwCSg9zssaKACfbsAk Sw38Tj6lnKayxUcr9ukuXrk= =f9My -----END PGP SIGNATURE----- --nextPart1163691.tYQ7fp2MzY--
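An added example, not from the thread or from if_bridge(4): it classifies which if_bridge filtering stages are active from the three sysctls Max quotes and flags the side effect the man page describes, where enabling net.link.bridge.ipfw auto-disables the pf hooks on member and bridge interfaces. The sysctl sample text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's or if_bridge(4)'s code). Parses
# `sysctl net.link.bridge` style output and reports which filter stages
# are live; the interesting case is ipfw=1 with pfil_member/pfil_bridge
# at 0, where pf rules on member/bridge interfaces no longer see traffic.

# Constructed sample of `sysctl net.link.bridge` output (values made up).
SAMPLE_SYSCTL=$(printf 'net.link.bridge.pfil_member: 0\nnet.link.bridge.pfil_bridge: 0\nnet.link.bridge.ipfw: 1\n')

# sysctl_value NAME TEXT: integer recorded for NAME in TEXT, 0 if absent.
sysctl_value() {
    v=$(printf '%s\n' "$2" | awk -v key="$1" '$1 == (key ":") { print $2; exit }')
    printf '%s\n' "${v:-0}"
}

# bridge_filter_status TEXT: one token naming the active filter layout.
bridge_filter_status() {
    member=$(sysctl_value net.link.bridge.pfil_member "$1")
    bridge=$(sysctl_value net.link.bridge.pfil_bridge "$1")
    ipfw=$(sysctl_value net.link.bridge.ipfw "$1")
    if [ "$ipfw" = 1 ]; then
        if [ "$member" = 1 ] || [ "$bridge" = 1 ]; then
            echo ipfw-and-pf        # both hook sets active: filtered twice
        else
            echo ipfw-only          # what ipfw=1 leaves you with by default
        fi
    elif [ "$member" = 1 ] && [ "$bridge" = 1 ]; then
        echo pf-member-and-bridge
    elif [ "$member" = 1 ]; then
        echo pf-member-only
    elif [ "$bridge" = 1 ]; then
        echo pf-bridge-only
    else
        echo unfiltered             # bridged traffic bypasses every ruleset
    fi
}

# bridge_filter_report TEXT: readable line, with a warning for the two
# layouts in which the bridge forwards traffic that pf never inspects.
bridge_filter_report() {
    status=$(bridge_filter_status "$1")
    case "$status" in
        ipfw-only)  echo "$status: pf hooks auto-disabled; re-enable pfil_member/pfil_bridge if pf rules must still apply" ;;
        unfiltered) echo "$status: no filter stage is enabled on this bridge" ;;
        *)          echo "$status" ;;
    esac
}

bridge_filter_report "$SAMPLE_SYSCTL"
```

On a FreeBSD host the same functions can be fed `"$(sysctl net.link.bridge)"` instead of the constructed sample.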
