Date: Mon, 6 Mar 2006 11:03:15 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o  [2005/06/15] kern/82271     pf     [pf] cbq scheduler cause bad latency
f  [2005/07/31] kern/84370     pf     [modules] Unload pf.ko cause page fault
f  [2005/09/13] kern/86072     pf     [pf] Packet Filter rule not working prope
o  [2006/02/07] kern/92949     pf     [pf] PF + ALTQ problems with latency
o  [2006/02/18] sparc64/93530  pf     Incorrect checksums when using pf's route
o  [2006/02/25] kern/93829     pf     [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems

S  Submitted    Tracker        Resp.  Description
-------------------------------------------------------------------------------
o  [2005/05/15] conf/81042     pf     [pf] [patch] /etc/pf.os doesn't match Fre
o  [2005/12/09] kern/90148     pf     [pf] pf_enable="YES" -> Fatal trap 12: pa
o  [2006/02/25] kern/93825     pf     [pf] pf reply-to doesn't work
o  [2006/02/26] kern/93849     pf     pf no-df breaks IP checksum of all tcp tr

4 problems total.
Date: Wed, 8 Mar 2006 10:12:10 +0300
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-pf@FreeBSD.org
Subject: Re: cvs commit: src/etc/rc.d pflog src/sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c src/sys/modules Makefile src/sys/modules/pf Makefile src/sys/modules/pflog Makefile

[moving this thread to freebsd-pf]

On Mon, Mar 06, 2006 at 04:10:19PM +0000, Max Laier wrote:
> mlaier 2006-03-06 16:10:19 UTC
>
> FreeBSD src repository
>
> Modified files: (Branch: RELENG_6)
> etc/rc.d pflog
> sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c
> sys/modules Makefile
> sys/modules/pf Makefile
> Added files: (Branch: RELENG_6)
> sys/modules/pflog Makefile
> Log:
> MFC:
> Make pflog a separate module. As a result pflog_packet() becomes a
> function pointer that is declared in pf_ioctl.c
>
> Requested by: yar (as part of the module build reorg)
>
> Approved by: re (scottl)
>
> Revision Changes Path
> 1.5.2.2 +3 -3 src/etc/rc.d/pflog
> 1.13.2.2 +8 -1 src/sys/contrib/pf/net/if_pflog.c
> 1.6.2.1 +14 -0 src/sys/contrib/pf/net/if_pflog.h
> 1.20.2.2 +5 -0 src/sys/contrib/pf/net/pf_ioctl.c
> 1.450.2.12 +2 -0 src/sys/modules/Makefile
> 1.7.2.1 +0 -3 src/sys/modules/pf/Makefile
> 1.4.2.1 +27 -0 src/sys/modules/pflog/Makefile (new)

Thanks a lot!

BTW, are the DEV_PF and DEV_PFLOG #defines really called for in the Makefiles? DEV_PF is not used explicitly in the whole /sys, while the explicit use of DEV_PFLOG has been eliminated from our kernel by this change. When the kernel is built w/o static pf or pflog, they will be undefined. I'd rather remove the #defines from the Makefiles when doing my part of the job, integrating the KERNBUILDDIR stuff from HEAD to RELENG_6 in pf/Makefile. I just tested whether the status of DEV_PF or DEV_PFLOG would affect the pf.ko or pflog.ko binaries -- the result was negative.

I also fail to recall if I proposed the attached patch to get rid of the inclusion of from if_pflog.h. Both pf.ko and pflog.ko build well with this patch applied, and it's a well-known approach in general.

-- 
Yar

Index: if_pflog.h
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/if_pflog.h,v
retrieving revision 1.7
diff -u -p -r1.7 if_pflog.h
--- if_pflog.h	5 Feb 2006 17:17:32 -0000	1.7
+++ if_pflog.h	8 Mar 2006 07:05:11 -0000
@@ -71,8 +71,9 @@ struct old_pfloghdr {
 #ifdef _KERNEL
 #ifdef __FreeBSD__
-/* XXX */
-#include
+struct pf_rule;
+struct pf_ruleset;
+struct pfi_kif;
 typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
     u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *,
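Review bot: the three forward declarations cover only the pf types, but the typedef right below them also takes a struct mbuf *, sa_family_t and u_int8_t, so once the include is dropped the header stays self-contained only if those come from headers included above line 71; add `struct mbuf;` next to `struct pfi_kif;` unless <sys/mbuf.h> is guaranteed to precede if_pflog.h in every consumer, and replace the removed `/* XXX */` with a one-line comment saying why forward declarations are used instead of the include, since a later reader otherwise has no hint. Also, `struct pf_ruleset;` is not used by any line visible in this hunk; it is fine if the remainder of the typedef (cut off in this copy of the diff) takes a struct pf_ruleset *, otherwise drop it.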
From: Max Laier
Organization: FreeBSD
To: Yar Tikhiy
Cc: freebsd-pf@freebsd.org
Date: Wed, 8 Mar 2006 16:21:44 +0100
Subject: Re: cvs commit: src/etc/rc.d pflog src/sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c src/sys/modules Makefile src/sys/modules/pf Makefile src/sys/modules/pflog Makefile

On Wednesday 08 March 2006 08:12, Yar Tikhiy wrote:
> [moving this thread to freebsd-pf]
>
> On Mon, Mar 06, 2006 at 04:10:19PM +0000, Max Laier wrote:
> > mlaier 2006-03-06 16:10:19 UTC
> >
> > FreeBSD src repository
> >
> > Modified files: (Branch: RELENG_6)
> > etc/rc.d pflog
> > sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c
> > sys/modules Makefile
> > sys/modules/pf Makefile
> > Added files: (Branch: RELENG_6)
> > sys/modules/pflog Makefile
> > Log:
> > MFC:
> > Make pflog a separate module. As a result pflog_packet() becomes a
> > function pointer that is declared in pf_ioctl.c
> >
> > Requested by: yar (as part of the module build reorg)
> >
> > Approved by: re (scottl)
> >
> > Revision Changes Path
> > 1.5.2.2 +3 -3 src/etc/rc.d/pflog
> > 1.13.2.2 +8 -1 src/sys/contrib/pf/net/if_pflog.c
> > 1.6.2.1 +14 -0 src/sys/contrib/pf/net/if_pflog.h
> > 1.20.2.2 +5 -0 src/sys/contrib/pf/net/pf_ioctl.c
> > 1.450.2.12 +2 -0 src/sys/modules/Makefile
> > 1.7.2.1 +0 -3 src/sys/modules/pf/Makefile
> > 1.4.2.1 +27 -0 src/sys/modules/pflog/Makefile (new)
>
> Thanks a lot!
>
> BTW, are the DEV_PF and DEV_PFLOG #defines really called for in the
> Makefiles? DEV_PF is not used explicitly in the whole /sys while
> the explicit use of DEV_PFLOG has been eliminated from our kernel
> by this change. When the kernel is built w/o static pf or pflog,
> they will be undefined. I'd rather remove the #defines from the
> Makefiles when doing my part of the job, integrating KERNBUILDDIR
> stuff from HEAD to RELENG_6 in pf/Makefile. Just tested whether
> the status of DEV_PF or DEV_PFLOG would affect the pf.ko or pflog.ko
> binaries -- the result was negative.
>
> I also fail to recall if I proposed the attached patch to get rid
> of the inclusion of from if_pflog.h. Both pf.ko and
> pflog.ko build well with this patch applied, and it's a well-known
> approach in general.

Right, please go ahead.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Date: Thu, 9 Mar 2006 11:03:02 +0200
From: husnu demir
To: freebsd-pf@freebsd.org
Subject: dup-to - How works??

Hi,

I tried to duplicate the traffic to another interface by writing:

    int_if = "bge0"
    dup_if = "bge1"
    dup_ip = "10.0.0.1"

    block all
    pass in on $int_if dup-to ($dup_if $dup_ip)

    pass all keep state

This is just a simple ruleset; I just want to show the case. Since the last statement is valid, all the packets get through the last statement and the dup-to rule is not used at all. If I put in the quick keyword, which is not what I want, all the traffic is route-to'ed there (bge1) but no other traffic passes.

The logic that I need is this: I want to copy all the traffic that the rule implies to dup_if, and then have the traffic pass through the other PF rules in the list and get routed.

Can you help me? I could not solve the problem :(

Husnu Demir.
Date: Thu, 9 Mar 2006 11:43:09 +0200
From: husnu demir
To: Huzeyfe Onal
Cc: freebsd-pf@freebsd.org
Subject: Re: dup-to - How works??

On Thu, Mar 09, 2006 at 11:32:30AM +0200, Huzeyfe Onal wrote:
> Hi,
> with these rules you send the packets which are coming in on $int_if to the
> 10.0.0.1 host; run PF at the 10.0.0.1 side and write a rule which logs the
> packets. Then you can see the packets with tcpdump -i pflog0 ...
>
> On 3/9/06, husnu demir wrote:
> >
> > Hi,
> >
> > I tried to duplicate the traffic to another interface by writing:
> >
> >     int_if = "bge0"
> >     dup_if = "bge1"
> >     dup_ip = "10.0.0.1"
> >
> >     block all
> >     pass in on $int_if dup-to ($dup_if $dup_ip)
> >
> >     pass all keep state
> >
> > This is just a simple ruleset; I just want to show the case. Since the
> > last statement is valid, all the packets get through the last statement and
> > the dup-to rule is not used at all. If I put in the quick keyword, which is
> > not what I want, all the traffic is route-to'ed there (bge1) but no other
> > traffic passes.
> >
> > The logic that I need is this: I want to copy all the traffic that the rule
> > implies to dup_if, and then have the traffic pass through the other PF rules
> > in the list and get routed.
> >
> > Can you help me? I could not solve the problem :(
> >
> > Husnu Demir.

Yes, I understand the logic behind dup-to. I added the dup-to statement to all the pass statements, so that if a packet matches the rule it is also dup-to'ed where I want. I had at first thought that I would write a rule to dup all the traffic and then PF would continue to proceed with the next rule statement. I understand that is not the situation :))

Thanks, and sorry about disturbing you.

Husnu Demir.
From: Tiago Cruz
To: freebsd-pf@FreeBSD.org
Date: Thu, 09 Mar 2006 10:42:51 -0300
Subject: Re: Dirty NAT tricks (solution)

On Fri, 2006-03-03 at 16:02 -0600, Travis H. wrote:
> On 3/3/06, Tiago Cruz wrote:
> > 1-) I'm in Brazil, and my clients (there is more than one) don't stay here,
> > but are all over the world (italy, eua, germany...)
> >
> > 2-) The notebook clients are running Window$ XP :-/
>
> Sorry, I don't know how to do what you want then.

Some months later, I'm back here to give the solution:

I did this in my default gateway master (192.168.0.0/22) with CARP (firewall fail over):

Firewall Rules:
==============

    vpn2 = "tun0"
    ...
    set loginterface $vpn2
    ...
    binat on $vpn2 from 192.168.0.0/22 to any -> 192.168.8.0/22
    ...
    pass in on $vpn from any to any keep state
    pass out on $vpn from any to any keep state

Client: Windows XP (192.168.0.0/24) with OpenVPN (10.5.0.0/24):

So, the client needs to ping the host 192.168.8.32 to get a reply from 192.168.0.8.

It is working now :-)

Logs:

    54. 224700 rule 26/0(match): pass in on tun0: 10.5.0.6 > 192.168.0.32: ICMP echo request, id 1024, seq 13568, length 40

Thank you, and I hope that helps somebody.

-- 
Tiago Cruz
http://linuxrapido.org

Date: Thu, 9 Mar 2006 18:56:14 +0300
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: cvs commit: src/etc/rc.d pflog src/sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c src/sys/modules Makefile src/sys/modules/pf Makefile src/sys/modules/pflog Makefile

On Wed, Mar 08, 2006 at 04:21:44PM +0100, Max Laier wrote:
> On Wednesday 08 March 2006 08:12, Yar Tikhiy wrote:
> > [moving this thread to freebsd-pf]
> >
> > On Mon, Mar 06, 2006 at 04:10:19PM +0000, Max Laier wrote:
> > > mlaier 2006-03-06 16:10:19 UTC
> > >
> > > FreeBSD src repository
> > >
> > > Modified files: (Branch: RELENG_6)
> > > etc/rc.d pflog
> > > sys/contrib/pf/net if_pflog.c if_pflog.h pf_ioctl.c
> > > sys/modules Makefile
> > > sys/modules/pf Makefile
> > > Added files: (Branch: RELENG_6)
> > > sys/modules/pflog Makefile
> > > Log:
> > > MFC:
> > > Make pflog a separate module. As a result pflog_packet() becomes a
> > > function pointer that is declared in pf_ioctl.c
> > >
> > > Requested by: yar (as part of the module build reorg)
> > >
> > > Approved by: re (scottl)
> > >
> > > Revision Changes Path
> > > 1.5.2.2 +3 -3 src/etc/rc.d/pflog
> > > 1.13.2.2 +8 -1 src/sys/contrib/pf/net/if_pflog.c
> > > 1.6.2.1 +14 -0 src/sys/contrib/pf/net/if_pflog.h
> > > 1.20.2.2 +5 -0 src/sys/contrib/pf/net/pf_ioctl.c
> > > 1.450.2.12 +2 -0 src/sys/modules/Makefile
> > > 1.7.2.1 +0 -3 src/sys/modules/pf/Makefile
> > > 1.4.2.1 +27 -0 src/sys/modules/pflog/Makefile (new)
> >
> > Thanks a lot!
> >
> > BTW, are the DEV_PF and DEV_PFLOG #defines really called for in the
> > Makefiles? DEV_PF is not used explicitly in the whole /sys while
> > the explicit use of DEV_PFLOG has been eliminated from our kernel
> > by this change. When the kernel is built w/o static pf or pflog,
> > they will be undefined. I'd rather remove the #defines from the
> > Makefiles when doing my part of the job, integrating KERNBUILDDIR
> > stuff from HEAD to RELENG_6 in pf/Makefile. Just tested whether
> > the status of DEV_PF or DEV_PFLOG would affect the pf.ko or pflog.ko
> > binaries -- the result was negative.
> >
> > I also fail to recall if I proposed the attached patch to get rid
> > of the inclusion of from if_pflog.h. Both pf.ko and
> > pflog.ko build well with this patch applied, and it's a well-known
> > approach in general.
>
> Right, please go ahead.

Committed to HEAD, thanks! MFC is due.

-- 
Yar

Date: Fri, 10 Mar 2006 18:12:38 -0500
From: "Jacob, Raymond A Jr"
Subject: Two(2) questions regarding quick and adding rules later.

O/S: FreeBSD 6.0

All traffic is blocked unless I use quick.

    tcpdump -n -e -ttt -r /var/log/pflog

showed that traffic was blocked by the last rule unless I added quick to the pass rules. I thought the matching rules would have overridden the block rule?

One more question: bundle0 is composed of two(2) interfaces bonded together. Is there a way to bring up the firewall when all the physical interfaces are up and then, once the bundle0 interface is up, add:

    public_if = "bundle0"
    pass in quick on $public_if all

to the rules in memory?

I have the following working (obfuscated) pf.conf in my /usr/home/bigdaddy directory:

    =====pf.conf====
    dns_servers = "{ X , Y , Z }"
    mngmt_if= "myi0"
    mngmt_net= "xx.yy.zz.0/24"
    public_if = "bundle0"
    ids = "A"
    port3 = "4444"
    allowed_ports = "{" "port1, port2," $port3 "}"

    set loginterface $mngmt_if

    pass in quick on $public_if all
    pass in log-all quick on $mngmt_if proto tcp from $mngmt_net to $ids port $allowed_ports keep state
    pass out log-all quick on $mngmt_if proto {tcp,udp} from $ids to $dns_servers port 53 keep state
    pass in log-all quick on $mngmt_if proto icmp from $mngmt_net to $ids icmp-type 8 code 0 keep state
    pass out log-all quick on $mngmt_if proto icmp from $ids to any icmp-type 8 code 0 keep state
    pass out log-all quick on $mngmt_if proto { tcp, udp } all keep state
    block in log-all on $mngmt_if all
    block out log-all on $mngmt_if all
    ============

kldload shows pf.ko loaded. When I boot, my rc.conf file has:

    pf_enable="YES"
    pf_flags="-d"
From: "Greg Hennessy"
To: "'Jacob, Raymond A Jr'"
Date: Sat, 11 Mar 2006 09:37:56 -0000
Subject: RE: Two(2) questions regarding quick and adding rules later.

> All traffic blocked unless I use quick.
> tcpdump -n -e -ttt -r /var/log/pflog
> showed traffic was blocked by the last rule unless I added
> quick to pass rules.
> I thought the matching rules would have overridden the block rule?

If you don't use quick, the last matching rule wins.

Make the very 1st rule "block log all", and delete any non-specific blocks further down.
Greg
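The evaluation order behind both the dup-to thread and Greg's answer, as an added example that is not from any poster and not pf's own code: a small model of how pf walks a ruleset (the last matching rule wins, quick stops the walk, and dup-to only takes effect on the rule that wins). The rulesets inside are constructed to mirror the two posts (with the posted macro typo fixed), the parser accepts only the keywords those rulesets use, and `decide` is a hypothetical helper name.

```python
"""Model of pf's evaluation order: the last matching rule wins unless 'quick'.
Added example for this thread (not pf code, not from any poster): parses a small
pf.conf subset (macros, block/pass, in/out, quick, on IFACE, all, log, log-all,
dup-to, keep state) and evaluates rulesets the way pf walks them."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out" or None (either direction)
    iface: Optional[str]      # interface name or None (any interface)
    quick: bool               # stop evaluation at this rule when it matches
    dup_to: Optional[str]     # "IFACE ADDR" duplication target, or None

def expand_macros(line, macros):
    """Replace $name references; an undefined macro is a load error, as in pfctl."""
    def lookup(m):
        if m.group(1) not in macros:
            raise ValueError(f"macro '{m.group(1)}' not defined: {line}")
        return macros[m.group(1)]
    return re.sub(r"\$(\w+)", lookup, line)

def parse_ruleset(conf):
    """Parse the supported pf.conf subset into Rule objects, in file order."""
    macros, rules = {}, []
    for line in filter(None, map(str.strip, conf.splitlines())):
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        toks = expand_macros(line, macros).replace("(", " ").replace(")", " ").split()
        action = toks.pop(0)
        if action not in ("pass", "block"):
            raise ValueError(f"unsupported action in: {line}")
        rule = Rule(action, None, None, False, None)
        while toks:
            t = toks.pop(0)
            if t in ("in", "out"):
                rule.direction = t
            elif t == "quick":
                rule.quick = True
            elif t == "on":
                rule.iface = toks.pop(0)
            elif t == "dup-to":          # dup-to (IFACE ADDR) or dup-to IFACE
                rule.dup_to = toks.pop(0)
                if toks and re.fullmatch(r"\d+(\.\d+){3}", toks[0]):
                    rule.dup_to += " " + toks.pop(0)
            elif t == "keep":
                toks.pop(0)              # "state": state tracking is not modelled
            elif t not in ("all", "log", "log-all"):
                raise ValueError(f"unsupported keyword '{t}' in: {line}")
        rules.append(rule)
    return rules

def decide(conf, direction, iface):
    """The rule that decides a packet: the LAST match, or the first match marked quick."""
    winner = None
    for rule in parse_ruleset(conf):
        if rule.direction in (None, direction) and rule.iface in (None, iface):
            winner = rule
            if rule.quick:
                break
    return winner

# Constructed rulesets. DUP_TO_AS_POSTED has the shape of the dup-to post (macro
# typo fixed): 'pass all' is the last match, so the dup-to rule decides nothing.
DUP_TO_AS_POSTED = """
int_if = "bge0"
dup_if = "bge1"
dup_ip = "10.0.0.1"
block all
pass in on $int_if dup-to ($dup_if $dup_ip)
pass all keep state
"""
# The poster's eventual fix: dup-to sits on the rule that actually wins.
DUP_TO_FIXED = DUP_TO_AS_POSTED.replace(
    "pass in on $int_if dup-to ($dup_if $dup_ip)\npass all keep state\n",
    "pass all keep state\npass in on $int_if dup-to ($dup_if $dup_ip) keep state\n")
# The 'quick' question: non-quick pass rules followed by a trailing block...
TRAILING_BLOCK = """
mngmt_if = "myi0"
pass in on $mngmt_if all keep state
block in log-all on $mngmt_if all
"""
# ...and the ordering from the reply: default deny first, specific passes after.
BLOCK_FIRST = """
mngmt_if = "myi0"
block log-all all
pass in on $mngmt_if all keep state
"""
```

Calling `decide(DUP_TO_AS_POSTED, "in", "bge0")` returns the catch-all pass rule with no dup_to, while the same packet against `DUP_TO_FIXED` returns the rule carrying "bge1 10.0.0.1"; `TRAILING_BLOCK` blocks inbound traffic on myi0 and `BLOCK_FIRST` passes it.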
From: "Jacob, Raymond A Jr"
Date: Sat, 11 Mar 2006 14:50:04 -0500
Subject: when to start pfctl when using ng_one2many?

I am using ng_one2many to bundle interfaces together into the interface ngeth0 with a script in /usr/local/etc/rc.d/. I am assuming that I cannot load and enable pf until ngeth0 is up? I cannot figure out how to load ngeth0 in the kernel so that all I have to do is have a line with

    ifconfig_ngeth0="promisc up"

in /etc/rc.conf.

Questions:

1. Is it a good idea to load pf with the -d flag and then write a script in /usr/local/etc/rc.d to start the firewall when all the interfaces are up? Or to set pf_flags = "" and have pf run from /etc/rc.d?

2. How should I handle the bundled interfaces, if there is no way to use /etc/network.subr or /etc/rc.d/netif?

Thank you,
Raymond