From owner-freebsd-pf@FreeBSD.ORG Sun Aug 20 12:52:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7172D16A4DA for ; Sun, 20 Aug 2006 12:52:54 +0000 (UTC) (envelope-from mclone@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id D52AF43D46 for ; Sun, 20 Aug 2006 12:52:53 +0000 (GMT) (envelope-from mclone@gmail.com) Received: by nf-out-0910.google.com with SMTP id n29so1872532nfc for ; Sun, 20 Aug 2006 05:52:52 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ifHJl1cEG8WBZcn5bbZaKTp8trrM5S365X/d6GjnCCkLADJ2rHgbs1wr4bNhj0t7TPUZ3/IpFQVqIk+dTIPYpNZIQUgC3uWNRhsdepEwZRVYMx5gbZVuXeJ2Jb5iDNi5gHyU6O1hYPCcaD+icRcRWxMe7nmsauOVCCi2sSkcGjM= Received: by 10.48.242.19 with SMTP id p19mr6469500nfh; Sun, 20 Aug 2006 05:52:52 -0700 (PDT) Received: by 10.78.202.16 with HTTP; Sun, 20 Aug 2006 05:52:52 -0700 (PDT) Message-ID: <451cb3010608200552w53ad3933x7a6ad8f7e297d571@mail.gmail.com> Date: Sun, 20 Aug 2006 15:52:52 +0300 
From: McLone To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: I have pppd and i want ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Aug 2006 12:52:54 -0000 Hello, list. What can be done to be able to queue on ppp0 iface which is created by pppd? (pfctl says in-kernel ppp doesn't support queueing, i use RELENG_6) Or the only option i have is to use userland ppp instead, and queue on tun0? -- wbr, |\ _,,,---,,_ dog bless ya! ` Zzz /,`.-'`' -. ;-;;,_ McLone at GMail dot com |,4- ) )-,_. ,\ ( `'-' , net- and *BSD admin '---''(_/--' `-'\_) ...translit rawx From owner-freebsd-pf@FreeBSD.ORG Sun Aug 20 18:08:25 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D538616A4DA for ; Sun, 20 Aug 2006 18:08:25 +0000 (UTC) (envelope-from kian.mohageri@gmail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5143C43D4C for ; Sun, 20 Aug 2006 18:08:25 +0000 (GMT) (envelope-from kian.mohageri@gmail.com) Received: by nz-out-0102.google.com with SMTP id x3so665268nzd for ; Sun, 20 Aug 2006 11:08:24 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=jKp+yVchbBQeuOKgVRIPaPgnyJ5c7NKjCF6aHXdojSijcUKr7FG6Y0VA14139UBzrZT9K082KYevhRG2b+GFN4UWOALKOLDPDn3BaBEDhz8vV9odiSytb4fdeqGDFwdjgVH6Gx/jhZf0HvhkIAgXWk+79bkpwjR0lNm9jim7eEg= Received: by 10.65.59.20 with SMTP id m20mr5714549qbk; Sun, 20 Aug 2006 11:08:24 
-0700 (PDT) Received: by 10.64.151.20 with HTTP; Sun, 20 Aug 2006 11:08:24 -0700 (PDT) Message-ID: Date: Sun, 20 Aug 2006 11:08:24 -0700 
From: "Kian Mohageri" To: "Ivan Levchenko" In-Reply-To: MIME-Version: 1.0 References: <20060818141823.55551.qmail@web33913.mail.mud.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: beno - , freebsd-pf@freebsd.org Subject: Re: Easy Question From Newbie X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Aug 2006 18:08:25 -0000 On 8/18/06, Ivan Levchenko wrote: > > You need to either load the pf kernel module, which can be done by adding > pf_load="YES" to /boot/loader.conf (you may also load the module > without rebooting like this: > kldload pf) If you use the module, then altq will not work for you. I would suggest loading pf via /etc/rc.conf instead: pf_enable="YES" # Set to YES to enable packet filter (pf) pf_rules="/etc/pf.conf" # rules definition file for pf pflog_enable="YES" # Set to YES to enable packet filter logging The rc script will load the module if it needs to. See /etc/defaults/rc.conf for other variables /etc/rc.d/pf* uses. 
Kian From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 01:38:38 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7A10216A4DA for ; Mon, 21 Aug 2006 01:38:38 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C9DE43D46 for ; Mon, 21 Aug 2006 01:38:37 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so1535051uge for ; Sun, 20 Aug 2006 18:38:36 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=VvbmkN5y1BAwF3Mr0vm43lZisrOHIy1aNcJ9QYDosQl5+/ID3EnsnkmjC70sBnwwCjuRI6jLlYdq4EPmPQEGovJtyyCu9rE1H+93QkWtbtmDbvsUedrw97UZuy7WgR+oP+J2GBsSSwdI5iZ0pUvHLz0RGoMZNYwRgZRzdZa3PHs= Received: by 10.67.101.8 with SMTP id d8mr3272182ugm; Sun, 20 Aug 2006 18:38:36 -0700 (PDT) Received: by 10.67.28.14 with HTTP; Sun, 20 Aug 2006 18:38:36 -0700 (PDT) Message-ID: Date: Sun, 20 Aug 2006 21:38:36 -0400 
From: "Scott Ullrich" To: "freebsd-pf@freebsd.org" MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: miniupnp port for FreeBSD-PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 01:38:38 -0000 Hello! Thanks to Seth Mos of the pfSense project and http://miniupnp.free.fr/ we would like to present the first draft of a enhanced miniupnpd port. This ports extends the version found http://miniupnp.free.fr/ to automatically install pf rules for the opened upnp rdr ports. In addition I have added a -o switch allowing a user to override the wan ip so that CARP can work correctly. The port skeleton can be found at http://www.pfsense.com/~sullrich/ports/net/miniupnpd.tgz ... Simply extract it to /usr/ports/net/ To start miniupnpd simply run something similar to this: miniupnpd -i fxp0 -a 10.0.250.2 -o X.X.X.X -p 2689 -i = wan interface -a = lan ip to listen on -o = desired wan ip to listen on (optional) -p = port to listen on Things that need to be done still: * Manual page Thanks to Andrew Thompson for helping me with the -o option when I was having brain issues and to Seth Mos for adding the additional firewall rule support. Also thanks to Thomas Bernard who created miniupnpd. Comments, questions, please! 
Scott From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 01:42:46 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07D0316A4E7 for ; Mon, 21 Aug 2006 01:42:46 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C9DB43D45 for ; Mon, 21 Aug 2006 01:42:45 +0000 (GMT) (envelope-from sullrich@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so1535720uge for ; Sun, 20 Aug 2006 18:42:44 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=P44p7kfCZsaiaDDzSCtF8mGflIexc9M+9GdpEeLoaLviu1ab1e7tJ6RDyP5IY4kZSAQQUt3ZjVKpmmAqmk9u37ICDx71F8zKMePGpTfLXxSNljC0B4EHZ8saj/t9mfGu4Fs9HbKk4LJQrZouP3HENq/3b3chq+KwmrYw3Yh7/uk= Received: by 10.66.220.17 with SMTP id s17mr3272635ugg; Sun, 20 Aug 2006 18:42:44 -0700 (PDT) Received: by 10.67.28.14 with HTTP; Sun, 20 Aug 2006 18:42:44 -0700 (PDT) Message-ID: Date: Sun, 20 Aug 2006 21:42:44 -0400 
From: "Scott Ullrich" To: "freebsd-pf@freebsd.org" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: Subject: Re: miniupnp port for FreeBSD-PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 01:42:46 -0000 On 8/20/06, Scott Ullrich wrote: > Hello! > > Thanks to Seth Mos of the pfSense project and http://miniupnp.free.fr/ > we would like to present the first draft of a enhanced miniupnpd port. > > This ports extends the version found http://miniupnp.free.fr/ to > automatically install pf rules for the opened upnp rdr ports. In > addition I have added a -o switch allowing a user to override the wan > ip so that CARP can work correctly. > > The port skeleton can be found at > http://www.pfsense.com/~sullrich/ports/net/miniupnpd.tgz ... Simply > extract it to /usr/ports/net/ > > To start miniupnpd simply run something similar to this: > > miniupnpd -i fxp0 -a 10.0.250.2 -o X.X.X.X -p 2689 > > -i = wan interface > -a = lan ip to listen on > -o = desired wan ip to listen on (optional) > -p = port to listen on > > Things that need to be done still: > > * Manual page > > Thanks to Andrew Thompson for helping me with the -o option when I was > having brain issues and to Seth Mos for adding the additional firewall > rule support. Also thanks to Thomas Bernard who created miniupnpd. > > Comments, questions, please! > > Scott > Sorry, I almost forgot that you need to stick two anchors in your pf.conf file.. 
One for rdr and one for pass rules: # UPnPd rdr anchor rdr-anchor "miniupnpd" # uPnPd anchor "miniupnpd" Scott From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 14:48:37 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E28716A4DF for ; Mon, 21 Aug 2006 14:48:37 +0000 (UTC) (envelope-from levchenko.i@gmail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1649543EFA for ; Mon, 21 Aug 2006 14:46:05 +0000 (GMT) (envelope-from levchenko.i@gmail.com) Received: by wr-out-0506.google.com with SMTP id 70so235420wra for ; Mon, 21 Aug 2006 07:46:00 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=RpLL9ezapn+SaHHNGWDCQvMApIaI/34JAVgnniJbLZwEv5vOBZJEtscupTC8IxWPXMzjnKQmaAbB6/uhNRKfDPsOubZ7NH4ZGem9uDA029qz2iNU9vWt5zHpuK/u87PTim+u+5lck9iM/uZ9ia2FYWjx7WiY7Swfbq3RSS8yhvs= Received: by 10.66.221.19 with SMTP id t19mr3705703ugg; Mon, 21 Aug 2006 07:46:00 -0700 (PDT) Received: by 10.66.239.8 with HTTP; Mon, 21 Aug 2006 07:46:00 -0700 (PDT) Message-ID: Date: Mon, 21 Aug 2006 17:46:00 +0300 
From: "Ivan Levchenko" To: "Kian Mohageri" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20060818141823.55551.qmail@web33913.mail.mud.yahoo.com> Cc: beno - , freebsd-pf@freebsd.org Subject: Re: Easy Question From Newbie X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 14:48:37 -0000 actually, could you please tell whats the difference? thanks in advance. On 8/20/06, Kian Mohageri wrote: > > > > On 8/18/06, Ivan Levchenko wrote: > > You need to either load the pf kernel module, which can be done by adding > > pf_load="YES" to /boot/loader.conf (you may also load the module > > without rebooting like this: > > kldload pf) If you use the module, then altq will not work for you. > > > > I would suggest loading pf via /etc/rc.conf instead: > > pf_enable="YES" # Set to YES to enable packet filter (pf) > pf_rules="/etc/pf.conf" # rules definition file for pf > pflog_enable="YES" # Set to YES to enable packet filter logging > > The rc script will load the module if it needs to. See > /etc/defaults/rc.conf for other variables /etc/rc.d/pf* uses. 
> > Kian > > -- Best Regards, Ivan Levchenko levchenko.i@gmail.com From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 14:50:19 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9ED6B16A4F6 for ; Mon, 21 Aug 2006 14:50:19 +0000 (UTC) (envelope-from zope@2012.vi) Received: from efit.xs4all.nl (efit.xs4all.nl [82.92.236.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6AFFE43DC5 for ; Mon, 21 Aug 2006 14:47:21 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (198puntacana97.codetel.net.do [200.88.97.198]) by efit.xs4all.nl (Weasel v1.73) for ; 21 Aug 2006 16:43:27 Message-ID: <44E9C775.5060009@2012.vi> Date: Mon, 21 Aug 2006 10:47:17 -0400 
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Never Ask Questions On A Friday Afternoon X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 14:50:19 -0000 Hi; Let me try this again. Here's the beginning of my pf.conf: 1. # SETTING THE STAGE 2. # macros 3. ext_if="vr0" 4. int_if="lo0" 5. http_ports="80 8080 7080" 6. ssh_ports="22" 7. ftp_ports="21 8021 7021" 8. smtp_ports="25" 9. pop3_ports="110" 10. https_ports="443" 11. imap_ssl_ports="993 143" 12. squid_ports="3128" 13. mysql_ports="3306" 14. email_ports="{" $smtp_ports $pop3_ports "}" 15. all_http_ports="{" $http_ports $https_ports "}" 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" 17. int_ports="{" $squid_ports $mysql_ports "}" 18. tcp_services="ssh, ftp, http" 19. web_server="202.71.106.119" 20. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" 21. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8" 22. directv_ip_addresses="69.19.0.0 netmask 0.0.127.255" 23. shadday_ip_addresses="" 24. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}" Here's what I get when I try to load it: server167# pfctl -f /etc/pf.conf /etc/pf.conf:16: syntax error /etc/pf.conf:24: syntax error pfctl: Syntax error in config file: pf rules not loaded Apparently, it doesn't like *one* my nested macros in line #16 (it likes all the others) and it doesn't like the CIDR netmask in line 22. Someone suggested I research the archives concerning the latter "where this known problem was already discussed" but I found nothing. 
Would someone care to help me with these problems now? TIA, beno From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 15:15:23 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB58316A4E0 for ; Mon, 21 Aug 2006 15:15:23 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id BBF0A43D5C for ; Mon, 21 Aug 2006 15:15:22 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k7LFF85V029579 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Mon, 21 Aug 2006 17:15:09 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k7LFF7kD010297; Mon, 21 Aug 2006 17:15:07 +0200 (MEST) Date: Mon, 21 Aug 2006 17:15:06 +0200 
From: Daniel Hartmeier To: beno Message-ID: <20060821151505.GA18457@insomnia.benzedrine.cx> References: <44E9C775.5060009@2012.vi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44E9C775.5060009@2012.vi> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: Never Ask Questions On A Friday Afternoon X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 15:15:23 -0000 On Mon, Aug 21, 2006 at 10:47:17AM -0400, beno wrote: > Apparently, it doesn't like *one* my nested macros in line #16 (it likes > all the others) and it doesn't like the CIDR netmask in line 22. Someone > suggested I research the archives concerning the latter "where this > known problem was already discussed" but I found nothing. Would someone > care to help me with these problems now? If you want to understand WHY the parser refuses it, read the thread at http://marc.theaimsgroup.com/?t=114842643500002&r=1&w=2 If you don't care about that, the short answer is that the '/' in the CIDR notation makes a difference, and you'll have to accept this as a parser peculiarity. Alternatively you can send in a patch or request your money back. 
Daniel From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 15:47:29 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EFEB16A4E5 for ; Mon, 21 Aug 2006 15:47:29 +0000 (UTC) (envelope-from zope@2012.vi) Received: from efit.xs4all.nl (efit.xs4all.nl [82.92.236.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id A38F543DBA for ; Mon, 21 Aug 2006 15:47:14 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (198puntacana97.codetel.net.do [200.88.97.198]) by efit.xs4all.nl (Weasel v1.73); 21 Aug 2006 17:43:17 Message-ID: <44E9D57C.9010905@2012.vi> Date: Mon, 21 Aug 2006 11:47:08 -0400 
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: Daniel Hartmeier , freebsd-pf@freebsd.org References: <44E9C775.5060009@2012.vi> <20060821151505.GA18457@insomnia.benzedrine.cx> In-Reply-To: <20060821151505.GA18457@insomnia.benzedrine.cx> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: Never Ask Questions On A Friday Afternoon X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 15:47:29 -0000 Daniel Hartmeier wrote: > If you don't care about that, the short answer is that the '/' in the > CIDR notation makes a difference, and you'll have to accept this as a > parser peculiarity. Alternatively you can send in a patch or request > your money back. > You mean, NOBODY has dealt with this problem before?! Are there no work-arounds?? What does everyone else do when faced with this problem?? And that only addresses (doesn't answer) the SECOND question. Here's the FIRST again: Hi; Let me try this again. Here's the beginning of my pf.conf: 1. # SETTING THE STAGE 2. # macros 3. ext_if="vr0" 4. int_if="lo0" 5. http_ports="80 8080 7080" 6. ssh_ports="22" 7. ftp_ports="21 8021 7021" 8. smtp_ports="25" 9. pop3_ports="110" 10. https_ports="443" 11. imap_ssl_ports="993 143" 12. squid_ports="3128" 13. mysql_ports="3306" 14. email_ports="{" $smtp_ports $pop3_ports "}" 15. all_http_ports="{" $http_ports $https_ports "}" 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" 17. int_ports="{" $squid_ports $mysql_ports "}" 18. tcp_services="ssh, ftp, http" 19. web_server="202.71.106.119" 20. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" 21. 
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8" 22. directv_ip_addresses="69.19.0.0 netmask 0.0.127.255" 23. shadday_ip_addresses="" 24. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}" Here's what I get when I try to load it: server167# pfctl -f /etc/pf.conf /etc/pf.conf:16: syntax error /etc/pf.conf:24: syntax error pfctl: Syntax error in config file: pf rules not loaded QUESTION #1 Apparently, it doesn't like *one* my nested macros in line #16 (it likes all the others) QUESTION #2 and it doesn't like the CIDR netmask in line 22. Someone suggested I research the archives concerning the latter "where this known problem was already discussed" but I found nothing. Would someone care to help me with these problems now? TIA, beno From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 16:08:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E113916A4DA for ; Mon, 21 Aug 2006 16:08:00 +0000 (UTC) (envelope-from reed@reedmedia.net) Received: from ca.pugetsoundtechnology.com (ca.pugetsoundtechnology.com [38.99.2.247]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6502543D5E for ; Mon, 21 Aug 2006 16:08:00 +0000 (GMT) (envelope-from reed@reedmedia.net) Received: from pool-72-64-101-227.dllstx.fios.verizon.net ([72.64.101.227] helo=reedmedia.net) by ca.pugetsoundtechnology.com with esmtp (Exim 4.54) id 1GFCJ6-0004uM-7r; Mon, 21 Aug 2006 09:07:20 -0700 Received: by glacier.reedmedia.net (Postfix, from userid 1000) id 10B814DCF7; Mon, 21 Aug 2006 11:07:48 -0500 (CDT) Date: Mon, 21 Aug 2006 11:07:48 -0500 (CDT) 
From: "Jeremy C. Reed" To: beno In-Reply-To: <44E9C775.5060009@2012.vi> Message-ID: References: <44E9C775.5060009@2012.vi> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-pf@freebsd.org Subject: Re: Never Ask Questions On A Friday Afternoon X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 16:08:01 -0000 > Let me try this again. Here's the beginning of my pf.conf: > > 1. # SETTING THE STAGE > 2. # macros > 3. ext_if="vr0" > 4. int_if="lo0" > 5. http_ports="80 8080 7080" > 6. ssh_ports="22" > 7. ftp_ports="21 8021 7021" > 8. smtp_ports="25" > 9. pop3_ports="110" > 10. https_ports="443" > 11. imap_ssl_ports="993 143" > 12. squid_ports="3128" > 13. mysql_ports="3306" > 14. email_ports="{" $smtp_ports $pop3_ports "}" > 15. all_http_ports="{" $http_ports $https_ports "}" > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" > 17. int_ports="{" $squid_ports $mysql_ports "}" > 18. tcp_services="ssh, ftp, http" > 19. web_server="202.71.106.119" > 20. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" > 21. shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 > 202.71.106.118 202.71.106.188 203.142.1.8" > 22. directv_ip_addresses="69.19.0.0 netmask 0.0.127.255" > 23. shadday_ip_addresses="" > 24. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses > $shadday_ip_addresses "}" > > Here's what I get when I try to load it: > server167# pfctl -f /etc/pf.conf > /etc/pf.conf:16: syntax error > /etc/pf.conf:24: syntax error > pfctl: Syntax error in config file: pf rules not loaded > > Apparently, it doesn't like *one* my nested macros in line #16 (it likes > all the others) As mentioned before, you have confusion between the definitions of "macro" and "list". 
Your problem is not tested "macros" but nested "lists". Please point us to the specific line number (other than #16) that has a nested list. Your questions were answered multiple times by multiple senders. In particular look at the response in your thread direct from the PF developer. > and it doesn't like the CIDR netmask in line 22. Someone > suggested I research the archives concerning the latter "where this > known problem was already discussed" but I found nothing. Would someone > care to help me with these problems now? From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 16:14:54 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B36F16A4E0 for ; Mon, 21 Aug 2006 16:14:54 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BF7443D5A for ; Mon, 21 Aug 2006 16:14:52 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.182.129] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1GFCQE39zm-0002Jt; Mon, 21 Aug 2006 18:14:44 +0200 
From: Max Laier Organization: FreeBSD To: beno Date: Mon, 21 Aug 2006 18:14:36 +0200 User-Agent: KMail/1.9.3 References: <44E9C775.5060009@2012.vi> <20060821151505.GA18457@insomnia.benzedrine.cx> <44E9D57C.9010905@2012.vi> In-Reply-To: <44E9D57C.9010905@2012.vi> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart11920246.CJsCOpXOId"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200608211814.41748.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: freebsd-pf@freebsd.org Subject: Re: Never Ask Questions On A Friday Afternoon X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2006 16:14:54 -0000 --nextPart11920246.CJsCOpXOId Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Monday 21 August 2006 17:47, beno wrote: > Daniel Hartmeier wrote: > > If you don't care about that, the short answer is that the '/' in the > > CIDR notation makes a difference, and you'll have to accept this as a > > parser peculiarity. Alternatively you can send in a patch or request > > your money back. > > You mean, NOBODY has dealt with this problem before?! Are there no > work-arounds?? What does everyone else do when faced with this > problem?? I don't see a problem. Macros are there to make your life easier and I=20 don't see how nesting macros that you hardly ever use un-nested makes=20 one's life easier. 
Other than that, Daniel already offered a refund. > And that only addresses (doesn't answer) the SECOND question. Here's > the FIRST again: > > Hi; > Let me try this again. Here's the beginning of my pf.conf: > > 1. # SETTING THE STAGE > 2. # macros > 3. ext_if=3D"vr0" > 4. int_if=3D"lo0" > 5. http_ports=3D"80 8080 7080" > 6. ssh_ports=3D"22" > 7. ftp_ports=3D"21 8021 7021" > 8. smtp_ports=3D"25" > 9. pop3_ports=3D"110" > 10. https_ports=3D"443" > 11. imap_ssl_ports=3D"993 143" > 12. squid_ports=3D"3128" > 13. mysql_ports=3D"3306" > 14. email_ports=3D"{" $smtp_ports $pop3_ports "}" > 15. all_http_ports=3D"{" $http_ports $https_ports "}" > 16. tcp_ports=3D "{" $ssh_ports $ftp_ports $all_http_ports > $imap_ssl_ports "}" > 17. int_ports=3D"{" $squid_ports $mysql_ports "}" > 18. tcp_services=3D"ssh, ftp, http" > 19. web_server=3D"202.71.106.119" > 20. NoRouteIPs =3D "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" > 21. shinjiru_ip_addresses=3D"202.71.102.114 202.71.100.126 202.71.106.30 > 202.71.106.118 202.71.106.188 203.142.1.8" > 22. directv_ip_addresses=3D"69.19.0.0 netmask 0.0.127.255" > 23. shadday_ip_addresses=3D"" > 24. ssh_ip_addresses=3D"{" $shinjiru_ip_addresses $directv_ip_addresses > $shadday_ip_addresses "}" > > Here's what I get when I try to load it: > server167# pfctl -f /etc/pf.conf > /etc/pf.conf:16: syntax error > /etc/pf.conf:24: syntax error > pfctl: Syntax error in config file: pf rules not loaded > > QUESTION #1 > Apparently, it doesn't like *one* my nested macros in line #16 (it > likes all the others) Macros are simply placeholder that are expanded in place - THIS IS=20 EXPLAINED IN THE MANUAL PAGE! So line 16 really reads: > 16. tcp_ports=3D "{ 22 21 8021 7021 { 80 8080 7080 443 } 993 143 }" Which simply isn't legal as nesting curly braces isn't legal. This was=20 explained to you *several* times in this thread and the one before. 
I=20 really, really urge you to start reading the replies you are getting and=20 the supplied reading material. Please stop bothering this list with=20 plain stupid questions that can be answered with reading the BNF in=20 pf.conf(5), a tad bit of Google, Y!, or wikipedia or simple human sense. I still encourage questions, even simple ones - but one should be able to=20 take a hint. If you want somebody to do it for you, you usually pay for=20 that service! > QUESTION #2 > and it doesn't like the CIDR netmask in line 22. Someone suggested I > research the archives concerning the latter "where this known problem > was already discussed" but I found nothing. Would someone care to help > me with these problems now? Daniel supplied the pointer to one (of several) threads on this matter=20 above. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart11920246.CJsCOpXOId Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBE6dvxXyyEoT62BG0RAjngAJ9K9b9gYhnJLby13CQyzErT+hj4ywCaAtAc btfuye7f0rP8f6DkjuWhqHA= =chWj -----END PGP SIGNATURE----- --nextPart11920246.CJsCOpXOId-- From owner-freebsd-pf@FreeBSD.ORG Mon Aug 21 16:22:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED37316A4DA for ; Mon, 21 Aug 2006 16:22:20 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3090043D5C for ; Mon, 21 Aug 2006 16:22:19 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id 
From: Daniel Hartmeier
Date: Mon, 21 Aug 2006 18:22:20 +0200
Subject: Re: Never Ask Questions On A Friday Afternoon

On Mon, Aug 21, 2006 at 11:47:08AM -0400, beno wrote:

> You mean, NOBODY has dealt with this problem before?! Are there no
> work-arounds?? What does everyone else do when faced with this problem??

*plonk*

Daniel
From: beno
Date: Mon, 21 Aug 2006 17:05:04 -0000
Subject: Re: Never Ask Questions On A Friday Afternoon

Max Laier wrote:
>> 22. directv_ip_addresses="69.19.0.0/17"
>> 23. shadday_ip_addresses=""
>> 24. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
>> $shadday_ip_addresses "}"
>>
>> Here's what I get when I try to load it:
>> server167# pfctl -f /etc/pf.conf
>> /etc/pf.conf:24: syntax error
>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> 16. tcp_ports= "{ 22 21 8021 7021 { 80 8080 7080 443 } 993 143 }"
>>
Oh. Sorry. And I do see it in the archives. I obviously missed it in the
responses. My apologies.

> Please stop bothering this list with
> plain stupid questions that can be answered with reading the BNF in
> pf.conf(5), a tad bit of Google, Y!, or wikipedia or simple human sense.
>
I have tried a lot. Missing answers on the list was my bad, I admit, but
I have tried googling, etc.

>> QUESTION #2
>> and it doesn't like the CIDR netmask in line 22. Someone suggested I
>> research the archives concerning the latter "where this known problem
>> was already discussed" but I found nothing. Would someone care to help
>> me with these problems now?
>>
>
> Daniel supplied the pointer to one (of several) threads on this matter
> above.
>
You must be referring to this URL:
http://marc.theaimsgroup.com/?t=114842643500002&r=1&w=2
Unfortunately, it doesn't load, so that's not of any use.

Again, I'd like to know how to deal with CIDR blocks. I looked in the
documentation to see if I could somehow use other notation, such as
"netmask", but apparently I can't.

Also, if anyone paid for this software, they should ask for a refund,
because it's free ;) But I didn't pay for it, so I won't be asking for a
refund.

TIA,
beno
From: "Bill Marquette"
Date: Mon, 21 Aug 2006 17:11:15 -0000
Subject: Re: Never Ask Questions On A Friday Afternoon

On 8/21/06, beno wrote:
> > Daniel supplied the pointer to one (of several) threads on this matter
> > above.
> >
> You must be referring to this URL:
> http://marc.theaimsgroup.com/?t=114842643500002&r=1&w=2
> Unfortunately, it doesn't load, so that's not of any use.

Loads here, your ISP must be blocking it. Here's the subject lines
from that thread and the authors for you to Google - should be able to
find this thread on any number of mailing list archive sites.

1. 2006-05-26 Re: Recursive macro expansion problems openbsd-p Daniel Hartmeier
2. 2006-05-26 Re: Recursive macro expansion problems openbsd-p Siju George
3. 2006-05-24 Re: Recursive macro expansion problems openbsd-p andrew fresh
4. 2006-05-23 Re: Recursive macro expansion problems openbsd-p Daniel Hartmeier
5. 2006-05-23 Recursive macro expansion problems openbsd-p andrew fresh

--Bill
From: beno
Date: Mon, 21 Aug 2006 17:32:47 -0000
Subject: Re: Never Ask Questions On A Friday Afternoon

Bill Marquette wrote:
> Loads here, your ISP must be blocking it. Here's the subject lines
> from that thread and the authors for you to Google - should be able to
> find this thread on any number of mailing list archive sites.
>
> 1. 2006-05-26 Re: Recursive macro expansion problems
> openbsd-p Daniel Hartmeier
> 2. 2006-05-26 Re: Recursive macro expansion problems
> openbsd-p Siju George
> 3. 2006-05-24 Re: Recursive macro expansion problems
> openbsd-p andrew fresh
> 4. 2006-05-23 Re: Recursive macro expansion problems
> openbsd-p Daniel Hartmeier
> 5. 2006-05-23 Recursive macro expansion problems
> openbsd-p andrew fresh

That helped a lot. Strange little trick...glad it works! But unless I
(again) missed something, that still doesn't address how to deal with
the CIDR/netmask problem:

directv_ip_addresses="69.19.0.0/17"

where (apparently) the parser doesn't like that "/". I tried escaping it

directv_ip_addresses="69.19.0.0\/17"

but that didn't work either. It would be great if we could do something
like this:

directv_ip_addresses="69.19.0.0 netmask 255.255.0.0"

or whatever, but no go. So, what to do?
Again, the fact that this is a *known problem* that *hasn't* been fixed
gives every indication that there's a workaround :) Max Laier wrote this
last week:

> That's a well-known problem in the pfctl-parser. Patches have been
> proposed but never made it to the tree - afaik. Look in the archives
> of this and the original ML for reasons and detailed discussion.

Unfortunately, googling my best I couldn't find anything in either list
on the subject.

TIA,
beno
From: Max Laier
Date: Mon, 21 Aug 2006 19:43:06 +0200
Subject: Re: Never Ask Questions On A Friday Afternoon

On Monday 21 August 2006 19:32, beno wrote:
> Bill Marquette wrote:
> > Loads here, your ISP must be blocking it. Here's the subject lines
> > from that thread and the authors for you to Google - should be able
> > to find this thread on any number of mailing list archive sites.
> >
> > 1. 2006-05-26 Re: Recursive macro expansion problems
> > openbsd-p Daniel Hartmeier
> > 2. 2006-05-26 Re: Recursive macro expansion problems
> > openbsd-p Siju George
> > 3. 2006-05-24 Re: Recursive macro expansion problems
> > openbsd-p andrew fresh
> > 4. 2006-05-23 Re: Recursive macro expansion problems
> > openbsd-p Daniel Hartmeier
> > 5. 2006-05-23 Recursive macro expansion problems
> > openbsd-p andrew fresh
>
> That helped a lot. Strange little trick...glad it works! But unless I
> (again) missed something, that still doesn't address how to deal with
> the CIDR/netmask problem:
>
> directv_ip_addresses="69.19.0.0/17"
>
> where (apparently) the parser doesn't like that "/". I tried escaping
> it
>
> directv_ip_addresses="69.19.0.0\/17"
>
> but that didn't work either. It would be great if we could do something
> like this:
>
> directv_ip_addresses="69.19.0.0 netmask 255.255.0.0"
>
> or whatever, but no go. So, what to do? Again, the fact that this is a
> *known problem* that *hasn't* been fixed gives every indication that
> there's a workaround :) Max Laier wrote this last week:
>
> > That's a well-known problem in the pfctl-parser. Patches have been
> > proposed but never made it to the tree - afaik. Look in the archives
> > of this and the original ML for reasons and detailed discussion.
>
> Unfortunately, googling my best I couldn't find anything in either list
> on the subject.
>
> TIA,
> beno

printf 'list="{ 10/8, 192.168.0/24 }"\npass from $list to any\n' | pfctl -nvf-

list = "{ 10/8, 192.168.0/24 }"
pass inet from 10.0.0.0/8 to any
pass inet from 192.168.0.0/24 to any

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
From: beno
Date: Mon, 21 Aug 2006 19:45:05 -0000
Subject: Re: Never Ask Questions On A Friday Afternoon

Max Laier wrote:
> printf 'list="{ 10/8, 192.168.0/24 }"\npass from $list to any\n' |
> pfctl -nvf-
>
> list = "{ 10/8, 192.168.0/24 }"
> pass inet from 10.0.0.0/8 to any
> pass inet from 192.168.0.0/24 to any
>
I'm sure I misunderstand. Here is *my* code:

shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
$shadday_ip_addresses "}"

The parser throws an error on the last line because it won't render
$directv_ip_addresses

Now, I could do something really ugly like this:

ssh_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
202.71.106.118 202.71.106.188 203.142.1.8 69.19.0.0/17 "

and just say the hell with it, but I'd like to write elegant code...
TIA,
beno
From: FreeBSD bugmaster
Date: Mon, 21 Aug 2006 19:55:29 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing

3 problems total.
From: Michal Mertl
Date: Tue, 22 Aug 2006 01:11:45 +0200
Subject: Re: Never Ask Questions On A Friday Afternoon

beno wrote:
> Max Laier wrote:
> > printf 'list="{ 10/8, 192.168.0/24 }"\npass from $list to any\n' |
> > pfctl -nvf-
> >
> > list = "{ 10/8, 192.168.0/24 }"
> > pass inet from 10.0.0.0/8 to any
> > pass inet from 192.168.0.0/24 to any
> >
> I'm sure I misunderstand. Here is *my* code:
>
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses=""
> ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses "}"
>
> The parser throws an error on the last line because it won't render
> $directv_ip_addresses
> Now, I could do something really ugly like this:
>
> ssh_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8 69.19.0.0/17 "
>
> and just say the hell with it, but I'd like to write elegant code...
> TIA,
> beno

This (whole config file to pass into pfctl -f) works:
--
directv_ip_addresses="69.19.0.0/17"
sh_ip_addresses="{ $directv_ip_addresses }"
--

and this doesn't:
--
directv_ip_addresses="69.19.0.0/17"
sh_ip_addresses="{" $directv_ip_addresses "}"
--

This is exactly the kind of problem which drives me crazy but we probably
have to accept the way a particular parser works. For the record - the
parser, which I had similar "stupid" issues with, was from a different
product.

HTH
Michal
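Max's `pfctl -nvf-` run shows the parser's view of an expanded macro, and Michal's two files show which quoting form loads. As an added example (not pfctl's code and not from anyone in this thread), the script below performs the in-place text substitution that pf.conf(5) describes on a shortened copy of the posted config, flags definitions whose expansion nests braces (the line 16 problem) and the `"{" $cidr_macro "}"` form that Michal found rejected; the sample config and its line numbers are constructed, and pf's full grammar is not modelled.

```python
"""Added example, not pfctl's code: expand pf.conf macros the way pf.conf(5)
describes them, as plain in-place text substitution, so a definition can be
seen the way the parser sees it before 'pfctl -nf' rejects it with a bare
'syntax error'.  Only macro expansion, brace nesting and the quoting pattern
from this thread are modelled; pf's full grammar is not."""
import re

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
# one token of a definition's right-hand side: "quoted", $reference or bare word
TOKEN = re.compile(r'"([^"]*)"|(\$[A-Za-z_][A-Za-z0-9_]*)|(\S+)')
REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

# constructed: the pf.conf quoted in this thread, shortened; line numbers differ
SAMPLE_CONF = """\
# SETTING THE STAGE (macros)
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports="{" $http_ports $https_ports "}"
tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
shinjiru_ip_addresses="202.71.102.114 202.71.100.126"
directv_ip_addresses="69.19.0.0/17"
ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses "}"
ok_ip_addresses="{ $shinjiru_ip_addresses $directv_ip_addresses }"
"""


def brace_problem(value):
    """Return a message if braces nest or do not balance in VALUE, else None."""
    depth = 0
    for ch in value:
        if ch == '{':
            depth += 1
            if depth > 1:
                return 'nested braces after expansion: ' + value
        elif ch == '}':
            depth -= 1
            if depth < 0:
                return 'unbalanced "}" after expansion: ' + value
    return 'unbalanced "{" after expansion: ' + value if depth else None


def expand_macros(conf):
    """Return (macros, problems): expanded values and a list of (line, message)."""
    macros, problems = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        m = MACRO_DEF.match(line) if line else None
        if not m:
            continue                        # rules and blank lines are skipped

        def lookup(match):                  # $name -> its already-expanded value
            name = match.group(1)
            if name not in macros:
                problems.append((lineno, 'undefined macro $' + name))
                return ''
            return macros[name]

        name, rhs = m.groups()
        parts, bare_refs, quoted_braces = [], [], False
        for tok in TOKEN.finditer(rhs):
            quoted, ref, _word = tok.groups()
            if ref is not None:
                bare_refs.append(ref[1:])
            if quoted in ('{', '}'):
                quoted_braces = True
            # $name is substituted inside quoted strings too (the form that loaded)
            text = quoted if quoted is not None else tok.group(0)
            parts.append(REF.sub(lookup, text))
        value = ' '.join(parts)
        macros[name] = value

        msg = brace_problem(value)
        if msg:
            problems.append((lineno, msg))
        # the form this thread found rejected: "{" $cidr_macro "}" where the
        # referenced value carries a '/'; "{ $cidr_macro }" was accepted
        for ref in bare_refs:
            if quoted_braces and '/' in macros.get(ref, ''):
                problems.append((lineno, 'CIDR macro $%s referenced unquoted between '
                                 '"{" and "}"; write "{ $%s }" instead' % (ref, ref)))
    return macros, problems


if __name__ == '__main__':
    for lineno, msg in expand_macros(SAMPLE_CONF)[1]:
        print('line %d: %s' % (lineno, msg))
```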
From: beno
Date: Tue, 22 Aug 2006 12:35:29 -0000
Subject: Re: Never Ask Questions On A Friday Afternoon

Michal Mertl wrote:
> This (whole config file to pass into pfctl -f) works:
> --
> directv_ip_addresses="69.19.0.0/17"
> sh_ip_addresses="{ $directv_ip_addresses }"
> --
>
> and this doesn't:
> --
> directv_ip_addresses="69.19.0.0/17"
> sh_ip_addresses="{" $directv_ip_addresses "}"
>
THANK YOU!!!
beno
From: beno
Date: Tue, 22 Aug 2006 16:31:31 -0000
Subject: ATLQ Support

Hi;
I copied my /usr/src/sys/i386/conf/GENERIC to
/usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
vi to edit and added the following lines:

# Packet Filters
device pf
device pflog
device pfsync

Then I rebooted the machine. However, when I go to run pfctl it tells me
ALTQ is not supported. Please advise.
TIA,
beno
From: phoemix@harmless.hu (Gergely CZUCZY)
Date: Tue, 22 Aug 2006 16:48:41 -0000
Subject: Re: ATLQ Support

On Tue, Aug 22, 2006 at 12:31:11PM -0400, beno wrote:
> Hi;
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
> vi to edit and added the following lines:
>
> # Packet Filters
> device pf
> device pflog
> device pfsync
>
> Then I rebooted the machine. However, when I go to run pfctl it tells me
> ALTQ is not supported. Please advise.
> TIA,
> beno

and i'm sure you haven't read altq(4)

weren't you the guy who wrote here before looking at any manuals, last time?

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
From: "Bret Esquivel"
Date: Tue, 22 Aug 2006 11:55:51 -0500
Subject: RE: ATLQ Support

Beno,

That only added pf support to the kernel. Add these to your kernel config:

options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)

------------------------------------------
Bret J. Esquivel
bret@immense.net
Immense Networks LLC
http://www.immense.net
Ofc: (225) 754-9005
Cell: (504) 301-7413

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of beno
Sent: Tuesday, August 22, 2006 11:31 AM
To: freebsd-pf@freebsd.org
Subject: ATLQ Support

Hi;
I copied my /usr/src/sys/i386/conf/GENERIC to
/usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
vi to edit and added the following lines:

# Packet Filters
device pf
device pflog
device pfsync

Then I rebooted the machine. However, when I go to run pfctl it tells me
ALTQ is not supported. Please advise.
TIA,
beno
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
From: "Scott Ullrich"
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44EB314F.3030907@2012.vi>
References: <44EB314F.3030907@2012.vi>
Subject: Re: ATLQ Support

On 8/22/06, beno wrote:
> Hi;
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
> vi to edit and added the following lines:
>
> # Packet Filters
> device pf
> device pflog
> device pfsync
>
> Then I rebooted the machine. However, when I go to run pfctl it tells me
> ALTQ is not supported. Please advise.
> TIA,
> beno

You have not completed all of the steps. Refer to "21.4.8 Compile and Install a New Kernel" at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

The entire process is outlined very well in the handbook.

Scott

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:06:53 2006
Message-ID: <44EB395A.1070003@2012.vi>
Date: Tue, 22 Aug 2006 13:05:30 -0400
From: beno
To: freebsd-pf@freebsd.org
References: <44EB314F.3030907@2012.vi> <20060822164823.GA5413@marvin.harmless.hu>
In-Reply-To: <20060822164823.GA5413@marvin.harmless.hu>
Subject: Re: ATLQ Support

Gergely CZUCZY wrote:
> and i'm sure you haven't read altq(4)
>
> weren't you the guy who wrote here before looking at any manuals, last time?
>
No, silly, I'm the guy who *always* reads and re-reads the instructions...and *still* misunderstands them! If you would take a moment to reflect (instead of genuflect), you would clearly recognize that I had followed part of the instructions from that same page and source, or did you figure that I just came up with those other lines I added to my kernel out of my head? No, they were recorded in the instructions, and that's where I got them.

You are clearly a very intelligent man.

You clearly have a bad temper, and that makes you immature. Education that only increases the brain without increasing the heart is of no consequence, and you are a clear example of that. Education without maturity is a waste, and until you add the latter, that is all you have.

Please be so kind as to rein in your temper from now on, and let's treat each other as gentlemen, okay? I'm trying my best. Accept that, won't you?
beno

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:08:09 2006
Date: Tue, 22 Aug 2006 19:06:38 +0200
From: Maciej Wierzbicki
To: freebsd-pf@freebsd.org
Message-ID: <20060822170638.GA85270@mail.media4u.pl>
References: <44EB314F.3030907@2012.vi>
In-Reply-To: <44EB314F.3030907@2012.vi>
Subject: Re: ATLQ Support

On Tue, Aug 22, 2006 at 12:31:11PM -0400, beno wrote:
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
> vi to edit and added the following lines:
>
> # Packet Filters
> device pf
> device pflog
> device pfsync
>
> Then I rebooted the machine. However, when I go to run pfctl it tells me
> ALTQ is not supported. Please advise.

And what did you want to achieve? Read the handbook, including Chapter 8 "Configuring the FreeBSD Kernel". More help on the 'customizing kernel' subject is OT on this list.

Read /usr/src/sys/conf/NOTES (and altq(9) for more info) about ALTQ support in the kernel.
--
* Maciej Wierzbicki * At paranoia's poison door *
* VOO1-RIPE *

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:11:44 2006
Date: Tue, 22 Aug 2006 19:11:27 +0200
To: beno
Message-ID: <20060822171127.GA19806@marvin.harmless.hu>
References: <44EB314F.3030907@2012.vi> <20060822164823.GA5413@marvin.harmless.hu> <44EB395A.1070003@2012.vi>
In-Reply-To: <44EB395A.1070003@2012.vi>
From: phoemix@harmless.hu (Gergely CZUCZY)
Cc: freebsd-pf@freebsd.org
Subject: Re: ATLQ Support

On Tue, Aug 22, 2006 at 01:05:30PM -0400, beno wrote:
> Gergely CZUCZY wrote:
> >and i'm sure you haven't read altq(4)
> >
> >weren't you the guy who wrote here before looking at any manuals, last time?
> >
> No, silly, I'm the guy who *always* reads and re-reads the
> instructions...and *still* misunderstands them! If you would take a
> moment to reflect (instead of genuflect), you would clearly recognize
> that I had followed part of the instructions from that same page and
> source, or did you figure that I just came up with those other lines I
> added to my kernel out of my head? No, they were recorded in the
> instructions, and that's where I got them.
>
> You are clearly a very intelligent man.
>
> You clearly have a bad temper, and that makes you immature. Education
> that only increases the brain without increasing the heart is of no
> consequence, and you are a clear example of that. Education without
> maturity is a waste, and until you add the latter, that is all you have.
>
> Please be so kind as to rein in your temper from now on, and let's
> treat each other as gentlemen, okay? I'm trying my best. Accept that,
> won't you?
> beno

ohh, don't do this, please. read the first line of my reply, not only the last. please, don't skip the first line, that's very important. okay, let's help you, and give an example of my good nature.
i give you a hint, that will help you through times like this, and it will be ever useful. here it goes: read, understand and don't forget the _whole_ message/reply/whatsoever. here's the part that you've missed:

> >and i'm sure you haven't read altq(4)

let me highlight the most important part of this: altq(4)

a word with a number within parenthesis after it always refers to a manual page. to get altq(4), use ``man 4 altq''. as you surely notice, the manual will begin with the kernel options required for the various altq support settings, and it will continue with the explanation of that.

so, what are you complaining about? i did give you what you had missed...

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:12:02 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 22 Aug 2006 19:11:40 +0200
References: <44EB314F.3030907@2012.vi> <20060822164823.GA5413@marvin.harmless.hu> <44EB395A.1070003@2012.vi>
In-Reply-To: <44EB395A.1070003@2012.vi>
Message-Id: <200608221911.46297.max@love2party.net>
Subject: Re: ATLQ Support

On Tuesday 22 August 2006 19:05, beno wrote:
> Yet another rant

That's it ... please, don't feed the troll.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:30:47 2006
Date: Tue, 22 Aug 2006 20:30:45 +0300
From: "Ivan Levchenko"
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44EB314F.3030907@2012.vi>
References: <44EB314F.3030907@2012.vi>
Subject: Re: ATLQ Support

read the following things VERY carefully:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
http://www.openbsd.org/faq/pf/

You will not find better pf information for freebsd anywhere on the net.

to get altq with pf, you need to add more options in the kernel than you specified. if you go to that first link that i gave you, you will find out which ones are needed

On 8/22/06, beno wrote:
> Hi;
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no flags), then used
> vi to edit and added the following lines:
>
> # Packet Filters
> device pf
> device pflog
> device pfsync
>
> Then I rebooted the machine. However, when I go to run pfctl it tells me
> ALTQ is not supported. Please advise.
> TIA,
> beno

--
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:31:28 2006
From: "Greg Hennessy"
To: "'beno'" ,
Date: Tue, 22 Aug 2006 18:29:53 +0100
Message-ID: <000001c6c610$942f6bf0$0a00a8c0@thebeast>
In-Reply-To: <44EB314F.3030907@2012.vi>
Subject: RE: ATLQ Support

RTFHB

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

>
> Hi;
> I copied my /usr/src/sys/i386/conf/GENERIC to
> /usr/src/sys/i386/conf/LOCAL with the "cp" command (no
> flags), then used vi to edit and added the following lines:
>
> # Packet Filters
> device pf
> device pflog
> device pfsync
>
> Then I rebooted the machine. However, when I go to run pfctl
> it tells me ALTQ is not supported. Please advise.
> TIA,
> beno

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:32:25 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 22 Aug 2006 19:32:04 +0200
References: <200608141947.06724.max@love2party.net>
In-Reply-To: <200608141947.06724.max@love2party.net>
Message-Id: <200608221932.10056.max@love2party.net>
Subject: Re: CARP panics on RELENG_6 when destroying a CARP interface

On Monday 14 August 2006 19:46, I wrote:
> On Monday 14 August 2006 18:39, Scott Ullrich wrote:
> > I am testing out CARP on RELENG_6 as of yesterday and I am seeing a
> > panic when attempting to destroy a CARP interface:
> >
> > # ifconfig carp0 delete
> > # ifconfig carp0 destroy
> > # panic: thread 100049(ifconfig):0 holds carp_if but isn't blocked on
> > a lock
> >
> > KDB: enter: panic
> > [thread pid 12 tid 100004 ]
> > Stopped at kdb_enter+0x2b: nop
> > db> bt
> > Tracing pid 12 tid 100004 td 0xc14d6900
> > kdb_enter(c08690a0) at kdb_enter+0x2b
> > panic(c086c2f3,186d6,c1630bc4,0,c0876fc4) at panic+0xbb
> > propagate_priority(c14d6900,c0948fd0,c15a7e90,c14d6900,c1575000) at propagate_priority+0x137
> > turnstile_wait(c15a7e90,c1632000,c15a7e90,2,c0868048,225) at turnstile_wait+0x2f0
> > _mtx_lock_sleep(c15a7e90,c14d6900,0,c0876cbe,283) at _mtx_lock_sleep+0x102
> > _mtx_lock_flags(c15a7e90,0,c0876cbe,283,0) at _mtx_lock_flags+0x72
> > carp_input_c(c15e8500,c15e8544,2,c15e8544,c172100e) at carp_input_c+0x30
> > carp_input(c16eb700,14,c15fa940,0,0) at carp_input+0x216
> > ip_input(c16eb700) at ip_input+0x7ad
>
> Looks like a race between the check in ip_carp.c:502
>         m->m_pkthdr.rcvif->if_carp == NULL
> and the actual use of that interface pointer. I'm afraid we need some
> form of synchronization for access to ifnet.if_carp. From a quick
> glance we could either use IFADDR_LOCK() or the global IFNET_{W,R}LOCK
> I will look at producing a patch later tonight.

Took a little longer - I actually forgot about it :-\ Anyway, find attached a WIP of the above idea. It's completely untested (it should compile, though) - so test with care. Also, testing this should happen with WITNESS enabled since I didn't really look closely if I produced LORs or the like - I doubt it, however.

This is more or less to verify the hypothesis - let me know if it works.

> > netisr_processqueue(c094a958) at netisr_processqueue+0x6e
> > swi_net(0) at swi_net+0xc6
> > ithread_execute_handlers(c14d5830,c14d3580) at ithread_execute_handlers+0xe6
> > ithread_loop(c14bd760,c796cd38,c14bd760,c05f76a8,0) at ithread_loop+0x66
> > fork_exit(c05f76a8,c14bd760,c796cd38) at fork_exit+0xa0
> > fork_trampoline() at fork_trampoline+0x8
> > --- trap 0x1, eip = 0, esp = 0xc796cd6c, ebp = 0 ---
> > db>
> >
> > Please let me know if I can supply more information.
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_V+z6EKu4gVOwhPv Content-Type: text/x-diff; charset="iso-8859-6"; name="if_carp.lock.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="if_carp.lock.diff" Index: net/if.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/net/if.c,v retrieving revision 1.261 diff -u -p -r1.261 if.c =2D-- net/if.c 9 Jul 2006 06:04:00 -0000 1.261 +++ net/if.c 22 Aug 2006 16:45:55 -0000 @@ -1223,8 +1223,10 @@ if_unroute(struct ifnet *ifp, int flag,=20 pfctlinput(PRC_IFDOWN, ifa->ifa_addr); if_qflush(&ifp->if_snd); #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp) carp_carpdev_state(ifp->if_carp); + IF_ADDR_UNLOCK(ifp); #endif rt_ifmsg(ifp); } @@ -1247,8 +1249,10 @@ if_route(struct ifnet *ifp, int flag, in if (fam =3D=3D PF_UNSPEC || (fam =3D=3D ifa->ifa_addr->sa_family)) pfctlinput(PRC_IFUP, ifa->ifa_addr); #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp) carp_carpdev_state(ifp->if_carp); + IF_ADDR_UNLOCK(ifp); #endif rt_ifmsg(ifp); #ifdef INET6 
@@ -1300,8 +1304,10 @@ do_link_state_change(void *arg, int pend IFP2AC(ifp)->ac_netgraph !=3D NULL) (*ng_ether_link_state_p)(ifp, link_state); #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp) carp_carpdev_state(ifp->if_carp); + IF_ADDR_UNLOCK(ifp); #endif if (ifp->if_bridge) { KASSERT(bstp_linkstate_p !=3D NULL,("if_bridge bstp not loaded!")); Index: net/if_var.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/net/if_var.h,v retrieving revision 1.108 diff -u -p -r1.108 if_var.h =2D-- net/if_var.h 4 Aug 2006 21:27:37 -0000 1.108 +++ net/if_var.h 22 Aug 2006 16:43:02 -0000 
@@ -227,12 +227,12 @@ typedef void if_init_f_t(void *); /* * Locks for address lists on the network interface. */ =2D#define IF_ADDR_LOCK_INIT(if) mtx_init(&(if)->if_addr_mtx, \ +#define IF_ADDR_LOCK_INIT(ifp) mtx_init(&(ifp)->if_addr_mtx, \ "if_addr_mtx", NULL, MTX_DEF) =2D#define IF_ADDR_LOCK_DESTROY(if) mtx_destroy(&(if)->if_addr_mtx) =2D#define IF_ADDR_LOCK(if) mtx_lock(&(if)->if_addr_mtx) =2D#define IF_ADDR_UNLOCK(if) mtx_unlock(&(if)->if_addr_mtx) =2D#define IF_ADDR_LOCK_ASSERT(if) mtx_assert(&(if)->if_addr_mtx, MA_OWNED) +#define IF_ADDR_LOCK_DESTROY(ifp) mtx_destroy(&(ifp)->if_addr_mtx) +#define IF_ADDR_LOCK(ifp) mtx_lock(&(ifp)->if_addr_mtx) +#define IF_ADDR_UNLOCK(ifp) mtx_unlock(&(ifp)->if_addr_mtx) +#define IF_ADDR_LOCK_ASSERT(ifp) mtx_assert(&(ifp)->if_addr_mtx, MA_OWNED) =20 /* * Output queues (ifp->if_snd) and slow device input queues (*ifp->if_slow= q) Index: netinet/if_ether.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/if_ether.c,v retrieving revision 1.153 diff -u -p -r1.153 if_ether.c =2D-- netinet/if_ether.c 29 Jun 2006 19:22:04 -0000 1.153 +++ netinet/if_ether.c 22 Aug 2006 16:50:31 -0000 
@@ -636,12 +636,15 @@ in_arpinput(m) itaddr.s_addr =3D=3D ia->ia_addr.sin_addr.s_addr) goto match; #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp !=3D NULL && carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr) && itaddr.s_addr =3D=3D ia->ia_addr.sin_addr.s_addr) { carp_match =3D 1; + IF_ADDR_UNLOCK(ifp); goto match; } + IF_ADDR_UNLOCK(ifp); #endif } LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) Index: netinet/ip_carp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.42 diff -u -p -r1.42 ip_carp.c =2D-- netinet/ip_carp.c 9 Jul 2006 06:04:01 -0000 1.42 +++ netinet/ip_carp.c 22 Aug 2006 17:04:52 -0000 @@ -451,7 +451,9 @@ carpdetach(struct carp_softc *sc) TAILQ_REMOVE(&cif->vhif_vrs, sc, sc_list); if (!--cif->vhif_nvrs) { ifpromisc(sc->sc_carpdev, 0); + IF_ADDR_LOCK(ifp); sc->sc_carpdev->if_carp =3D NULL; + IF_ADDR_UNLOCK(ifp); CARP_LOCK_DESTROY(cif); FREE(cif, M_IFADDR); } @@ -489,6 +491,7 @@ carp_input(struct mbuf *m, int hlen) { struct ip *ip =3D mtod(m, struct ip *); struct carp_header *ch; + struct ifnet *ifp =3D m->m_pkthdr.rcvif; int iplen, len; =20 carpstats.carps_ipackets++; @@ -499,13 +502,13 @@ carp_input(struct mbuf *m, int hlen) } =20 /* check if received on a valid carp interface */ =2D if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { + IF_ADDR_LOCK(ifp); + if (ifp->if_carp =3D=3D NULL) { carpstats.carps_badif++; CARP_LOG("carp_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return; + goto drop_pkt; } =20 /* verify that the IP TTL is 255. */ 
@@ -514,8 +517,7 @@ carp_input(struct mbuf *m, int hlen) CARP_LOG("carp_input: received ttl %d !=3D 255i on %s\n", ip->ip_ttl, m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return; + goto drop_pkt; } =20 iplen =3D ip->ip_hl << 2; @@ -525,15 +527,14 @@ carp_input(struct mbuf *m, int hlen) CARP_LOG("carp_input: received len %zd < " "sizeof(struct carp_header)\n", m->m_len - sizeof(struct ip)); =2D m_freem(m); =2D return; + goto drop_pkt; } =20 if (iplen + sizeof(*ch) < m->m_len) { if ((m =3D m_pullup(m, iplen + sizeof(*ch))) =3D=3D NULL) { carpstats.carps_hdrops++; CARP_LOG("carp_input: pullup failed\n"); =2D return; + goto drop_pkt; } ip =3D mtod(m, struct ip *); } @@ -549,13 +550,12 @@ carp_input(struct mbuf *m, int hlen) CARP_LOG("carp_input: packet too short %d on %s\n", m->m_pkthdr.len, m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return; + goto drop_pkt; } =20 if ((m =3D m_pullup(m, len)) =3D=3D NULL) { carpstats.carps_hdrops++; =2D return; + goto drop_pkt; } ip =3D mtod(m, struct ip *); ch =3D (struct carp_header *)((char *)ip + iplen); @@ -566,12 +566,17 @@ carp_input(struct mbuf *m, int hlen) carpstats.carps_badsum++; CARP_LOG("carp_input: checksum failed on %s\n", m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return; + goto drop_pkt; } m->m_data -=3D iplen; =20 carp_input_c(m, ch, AF_INET); + m =3D NULL; +drop_pkt: + IF_ADDR_UNLOCK(ifp); + if (m !=3D NULL) + m_freem(m); + return; } =20 #ifdef INET6 @@ -581,6 +586,7 @@ carp6_input(struct mbuf **mp, int *offp, struct mbuf *m =3D *mp; struct ip6_hdr *ip6 =3D mtod(m, struct ip6_hdr *); struct carp_header *ch; + struct ifnet *ifp =3D m->m_pkthdr.rcvif; u_int len; =20 carpstats.carps_ipackets6++; 
@@ -591,13 +597,13 @@ carp6_input(struct mbuf **mp, int *offp, } =20 /* check if received on a valid carp interface */ + IF_ADDR_LOCK(ifp); if (m->m_pkthdr.rcvif->if_carp =3D=3D NULL) { carpstats.carps_badif++; CARP_LOG("carp6_input: packet received on non-carp " "interface: %s\n", m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return (IPPROTO_DONE); + goto drop_pkt; } =20 /* verify that the IP TTL is 255 */ @@ -606,8 +612,7 @@ carp6_input(struct mbuf **mp, int *offp, CARP_LOG("carp6_input: received ttl %d !=3D 255 on %s\n", ip6->ip6_hlim, m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return (IPPROTO_DONE); + goto drop_pkt; } =20 /* verify that we have a complete carp packet */ @@ -616,7 +621,7 @@ carp6_input(struct mbuf **mp, int *offp, if (ch =3D=3D NULL) { carpstats.carps_badlen++; CARP_LOG("carp6_input: packet size %u too small\n", len); =2D return (IPPROTO_DONE); + goto drop_pkt; } =20 =20 @@ -626,12 +631,16 @@ carp6_input(struct mbuf **mp, int *offp, carpstats.carps_badsum++; CARP_LOG("carp6_input: checksum failed, on %s\n", m->m_pkthdr.rcvif->if_xname); =2D m_freem(m); =2D return (IPPROTO_DONE); + goto drop_pkt; } m->m_data -=3D *offp; =20 carp_input_c(m, ch, AF_INET6); + m =3D NULL; +drop_pkt: + IF_ADDR_UNLOCK(ifp); + if (m !=3D NULL) + m_freem(m); return (IPPROTO_DONE); } #endif /* INET6 */ @@ -1466,7 +1475,9 @@ carp_set_addr(struct carp_softc *sc, str CARP_LOCK(cif); cif->vhif_ifp =3D ifp; TAILQ_INIT(&cif->vhif_vrs); + IF_ADDR_LOCK(ifp); ifp->if_carp =3D cif; + IF_ADDR_UNLOCK(ifp); =20 } else { struct carp_softc *vr; @@ -1543,7 +1554,9 @@ carp_del_addr(struct carp_softc *sc, str imo->imo_multicast_ifp =3D NULL; TAILQ_REMOVE(&cif->vhif_vrs, sc, sc_list); if (!--cif->vhif_nvrs) { + IF_ADDR_LOCK(sc->sc_carpdev); sc->sc_carpdev->if_carp =3D NULL; + IF_ADDR_UNLOCK(sc->sc_carpdev); CARP_LOCK_DESTROY(cif); FREE(cif, M_IFADDR); } else { 
@@ -1651,7 +1664,9 @@ carp_set_addr6(struct carp_softc *sc, st CARP_LOCK(cif); cif->vhif_ifp =3D ifp; TAILQ_INIT(&cif->vhif_vrs); + IF_ADDR_LOCK(ifp); ifp->if_carp =3D cif; + IF_ADDR_UNLOCK(ifp); =20 } else { struct carp_softc *vr; @@ -1739,8 +1754,10 @@ carp_del_addr6(struct carp_softc *sc, st im6o->im6o_multicast_ifp =3D NULL; TAILQ_REMOVE(&cif->vhif_vrs, sc, sc_list); if (!--cif->vhif_nvrs) { =2D CARP_LOCK_DESTROY(cif); + IF_ADDR_LOCK(sc->sc_carpdev); sc->sc_carpdev->if_carp =3D NULL; + IF_ADDR_UNLOCK(sc->sc_carpdev); + CARP_LOCK_DESTROY(cif); FREE(cif, M_IFADDR); } else CARP_UNLOCK(cif); Index: netinet6/nd6_nbr.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet6/nd6_nbr.c,v retrieving revision 1.41 diff -u -p -r1.41 nd6_nbr.c =2D-- netinet6/nd6_nbr.c 4 Aug 2006 21:27:39 -0000 1.41 +++ netinet6/nd6_nbr.c 22 Aug 2006 16:51:49 -0000 @@ -194,8 +194,10 @@ nd6_ns_input(m, off, icmp6len) */ /* (1) and (3) check. */ #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp) ifa =3D carp_iamatch6(ifp->if_carp, &taddr6); + IF_ADDR_UNLOCK(ifp); if (ifa =3D=3D NULL) ifa =3D (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6); #else 
@@ -962,8 +964,10 @@ nd6_na_output(ifp, daddr6_0, taddr6, fla */ if (sdl0 =3D=3D NULL) { #ifdef DEV_CARP + IF_ADDR_LOCK(ifp); if (ifp->if_carp) mac =3D carp_macmatch6(ifp->if_carp, m, taddr6); + IF_ADDR_UNLOCK(ifp); if (mac =3D=3D NULL) mac =3D nd6_ifptomac(ifp); #else

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:36:57 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0B00116A4EA for ; Tue, 22 Aug 2006 17:36:57 +0000 (UTC) (envelope-from zope@2012.vi) Received: from mail.dunhill.ws (satnet64-79.wctc.net [66.208.64.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5CBE543D77 for ; Tue, 22 Aug 2006 17:36:53 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (3puntacana97.codetel.net.do [200.88.97.3]) by mail.dunhill.ws (Weasel v1.73) for ; 22 Aug 2006 13:36:50 -0400 Message-ID: <44EB40A2.3000207@2012.vi> Date: Tue, 22 Aug 2006 13:36:34 -0400
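Review bot: in the first carp6_input hunk the lock is taken on `ifp` (`IF_ADDR_LOCK(ifp);`) but the guarded read is `m->m_pkthdr.rcvif->if_carp`. If `ifp` is `m->m_pkthdr.rcvif` (assigned earlier, outside this hunk), read `ifp->if_carp` here and in the CARP_LOG so that the lock and the object it protects visibly match; if the two pointers can differ, the lock is on the wrong interface.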
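Review bot: in the drop_pkt hunk IF_ADDR_LOCK(ifp) stays held across `carp_input_c(m, ch, AF_INET6);`, while carp_set_addr and carp_del_addr in this same patch take IF_ADDR_LOCK only with CARP_LOCK(cif) already held (`CARP_LOCK(cif); ... IF_ADDR_LOCK(ifp); ifp->if_carp =3D cif; IF_ADDR_UNLOCK(ifp);`). If carp_input_c acquires CARP_LOCK on that cif, the two paths take the locks in opposite order; either release IF_ADDR_LOCK before carp_input_c once something else keeps the cif alive, or state in a comment why carp_input_c cannot take CARP_LOCK on this path. Setting `m =3D NULL` before the label so the shared tail frees only on the error paths is fine.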
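Review bot: in the nd6_ns_input hunk the lock is released before the result is used: `ifa =3D carp_iamatch6(ifp->if_carp, &taddr6); IF_ADDR_UNLOCK(ifp);` and `ifa` is then handed on as the matched address. IF_ADDR_LOCK covers only the read of `ifp->if_carp`; once it is dropped nothing in this hunk pins `ifa` against the `if_carp =3D NULL` teardown path in carp_del_addr6, so either take a reference on `ifa` while the lock is held or extend the locked region over its uses.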
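Review bot: the nd6_na_output hunk has the same shape: `mac =3D carp_macmatch6(ifp->if_carp, m, taddr6); IF_ADDR_UNLOCK(ifp);` returns a pointer that is dereferenced after the unlock. Either copy the link-layer address into a local buffer under the lock, or keep the lock until `mac` has been consumed.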
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <001301c6c60b$d3657760$0202fea9@bretlaptop> In-Reply-To: <001301c6c60b$d3657760$0202fea9@bretlaptop> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ATLQ Support X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 17:36:57 -0000 Bret Esquivel wrote: > Beno, > > That only added pf support to the kernel. Add these to your kernel config: > > options ALTQ > options ALTQ_CBQ # Class Bases Queuing (CBQ) > options ALTQ_RED # Random Early Detection (RED) > options ALTQ_RIO # RED In/Out > options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) > > options ALTQ_PRIQ # Priority Queuing (PRIQ) > That worked, thank you. beno From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 17:42:32 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 19E5716A4DF for ; Tue, 22 Aug 2006 17:42:32 +0000 (UTC) (envelope-from reed@reedmedia.net) Received: from ca.pugetsoundtechnology.com (ca.pugetsoundtechnology.com [38.99.2.247]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F8E343D80 for ; Tue, 22 Aug 2006 17:42:30 +0000 (GMT) (envelope-from reed@reedmedia.net) Received: from pool-72-64-101-227.dllstx.fios.verizon.net ([72.64.101.227] helo=reedmedia.net) by ca.pugetsoundtechnology.com with esmtp (Exim 4.54) id 1GFaFv-0001Fx-SJ; Tue, 22 Aug 2006 10:41:39 -0700 Received: by glacier.reedmedia.net (Postfix, from userid 1000) id 2EA454DCF7; Tue, 22 Aug 2006 12:42:21 -0500 (CDT) Date: Tue, 22 Aug 2006 12:42:21 -0500 (CDT) 
From: "Jeremy C. Reed" To: beno In-Reply-To: <44EB314F.3030907@2012.vi> Message-ID: References: <44EB314F.3030907@2012.vi> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-pf@freebsd.org Subject: Re: ATLQ Support X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 17:42:32 -0000 > Then I rebooted the machine. However, when I go to run pfctl it tells me ALTQ > is not supported. Please advise. Please see http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html section "26.4.4 Enabling ALTQ". (If you want to purchase a printed book covering PF for FreeBSD let me know.) From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 18:15:57 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 822FF16A4DA for ; Tue, 22 Aug 2006 18:15:57 +0000 (UTC) (envelope-from zope@2012.vi) Received: from mail.dunhill.ws (satnet64-79.wctc.net [66.208.64.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 862CF43D45 for ; Tue, 22 Aug 2006 18:15:54 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (3puntacana97.codetel.net.do [200.88.97.3]) by mail.dunhill.ws (Weasel v1.73) for ; 22 Aug 2006 14:15:48 -0400 Message-ID: <44EB49C7.1040209@2012.vi> Date: Tue, 22 Aug 2006 14:15:35 -0400 
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: DIOCADDALTQ: Invalid argument X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 18:15:57 -0000

Thank you for all of your comments and help.

According to my googling, this error is thrown when one has too many cbq classes. The limit, apparently, is 256. I don't have 1/20th of that limit, so I must be doing something else wrong. Here is the part of my pf.conf file in question:

# class-based queueing (cbq)
altq on $ext_if cbq bandwidth 3Mb queue { ssh, standard }
queue ssh bandwidth 500Kb cbq(default) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 100Kb cbq(default)
queue ssh_bulk bandwidth 400Kb cbq(borrow, priority 2)
queue standard bandwidth 2500Kb cbq(ecn, priority 2) { http, ftp, email, other }
queue http bandwidth 1900Kb cbq(default) (ecn, borrow)
queue ftp bandwidth 200Kb cbq(ecn, borrow, priority 2)
queue email bandwidth 200Kb cbq(ecn, priority 3)
queue other bandwidth 200Kb cbq(ecn, priority 2)

I have these options loaded in my kernel:

# Packet Filters
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)

According to the tutorial, one cannot have more than one default per queue, which I am (perhaps mistakenly) interpreting to mean that one can (and I presume should) have one default per queue and per sub-queue, since they are nested and therefore semi-autonomous/independent.
I am admittedly confused concerning priq and priority. TIA, beno From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 18:47:46 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC5DA16A4E5 for ; Tue, 22 Aug 2006 18:47:46 +0000 (UTC) (envelope-from remko@freebsd.org) Received: from caelis.elvandar.org (caelis.elvandar.org [217.148.169.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id A023C43D7E for ; Tue, 22 Aug 2006 18:47:35 +0000 (GMT) (envelope-from remko@freebsd.org) Received: from localhost (caelis.elvandar.org [217.148.169.59]) by caelis.elvandar.org (Postfix) with ESMTP id BB13D92FDD5; Tue, 22 Aug 2006 20:47:34 +0200 (CEST) Received: from caelis.elvandar.org ([217.148.169.59]) by localhost (caelis.elvandar.org [217.148.169.59]) (amavisd-new, port 10024) with ESMTP id 21947-01; Tue, 22 Aug 2006 20:47:34 +0200 (CEST) Message-ID: <44EB5149.5060105@FreeBSD.org> Date: Tue, 22 Aug 2006 20:47:37 +0200 
From: Remko Lodder User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: beno References: <44EB49C7.1040209@2012.vi> In-Reply-To: <44EB49C7.1040209@2012.vi> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by the elvandar.org maildomain Cc: freebsd-pf@freebsd.org Subject: Re: DIOCADDALTQ: Invalid argument X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 18:47:46 -0000 beno wrote: > Thank you for all of your comments and help. > > According to my googling, this error is thrown when one has too many cbq > classes. The limit, apparently, is 256. I don't have 1/20th of that > limit, so I must be doing something else wrong. Here is the part of my > pf.conf file in question: > > # class-based queueing (cbq) > altq on $ext_if cbq bandwidth 3Mb queue { ssh, standard } > queue ssh bandwidth 500Kb cbq(default) { ssh_login, ssh_bulk } > queue ssh_login bandwidth 100Kb cbq(default) > queue ssh_bulk bandwidth 400Kb cbq(borrow, priority 2) > queue standard bandwidth 2500Kb cbq(ecn, priority 2) { http, ftp, email, > other } > queue http bandwidth 1900Kb cbq(default) (ecn, borrow) > queue ftp bandwidth 200Kb cbq(ecn, borrow, priority 2) > queue email bandwidth 200Kb cbq(ecn, priority 3) > queue other bandwidth 200Kb cbq(ecn, priority 2) > > I have these options loaded in my kernel: > > # Packet Filters > device pf > device pflog > device pfsync > options ALTQ > options ALTQ_CBQ # Class Bases Queuing (CBQ) > options ALTQ_RED # Random Early Detection (RED) > options ALTQ_RIO # RED In/Out > options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) > options ALTQ_PRIQ # Priority Queuing (PRIQ) > > According to the tutorial, one cannot have more than one default per > queue, which I am 
> (perhaps mistakenly) interpreting to mean that one can (and I presume should) have one default per queue and per sub-queue, since they are nested and therefore semi-autonomous/independent. I am admittedly confused concerning priq and priority.
> TIA,
> beno

Dear Beno,

As others already have stated a couple of times, make sure you entirely read what the information tells you. There can only be one default line. You have three. Which is not quite the same as you will also be able to tell. Please remove the subqueue defaults and test it with pfctl -n -f /etc/pf.conf to see whether there are any other rules.

Btw: you forgot one important step; show the error you are facing, this most likely can help you a lot more than just spitting out some information and have us figure out the rest.

So again: one default means one default, and not more (not even in subqueues since they are inherited from the main queue and inherit the default, it is already used).

Hope this helps, now go read the documentation and solve your problem.

Remko

-- Kind regards, Remko Lodder ** remko@elvandar.org FreeBSD ** remko@FreeBSD.org

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 20:38:24 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB5CF16A548 for ; Tue, 22 Aug 2006 20:38:24 +0000 (UTC) (envelope-from zope@2012.vi) Received: from mail.dunhill.ws (network191-36.wctc.net [209.94.191.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 100C343D46 for ; Tue, 22 Aug 2006 20:38:21 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (3puntacana97.codetel.net.do [200.88.97.3]) by mail.dunhill.ws (Weasel v1.73) for ; 22 Aug 2006 16:38:16 -0400 Message-ID: <44EB6B18.4030201@2012.vi> Date: Tue, 22 Aug 2006 16:37:44 -0400
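A small checker for the queue block discussed in this thread, written here as an added example (it is not pfctl's code, and the altq/queue grammar it recognises is only the subset beno's config uses): it counts cbq(default) flags across the whole interface, which is the rule Remko describes, and also verifies that every named child exists and that no parent's children ask for more bandwidth than it has. BENO_QUEUES is the block as posted; FIXED_QUEUES is the same block with the two sub-queue defaults removed.

```python
"""Checker for a CBQ altq/queue block (added example, not pfctl's code).

Recognised grammar is the subset used in the thread:
  altq on IF cbq bandwidth BW queue { child, ... }
  queue NAME bandwidth BW [cbq(flag, ...)] [{ child, ... }]
Verified: exactly one queue on the interface carries 'default', every named
child is defined, and no parent's children need more bandwidth than it has.
"""
import re

ALTQ_RE = re.compile(r"altq on (\S+) cbq bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(r"queue (\S+) bandwidth (\S+)"
                      r"(?:\s+cbq\(([^)]*)\))?(?:[^{]*\{([^}]*)\})?")
UNITS = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_bw(text):
    """'500Kb' -> 500000 bit/s; K/M/G are decimal multipliers as in pfctl."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b?", text)
    if m is None:
        raise ValueError("bad bandwidth: " + text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def split_names(text):
    return [n.strip() for n in (text or "").split(",") if n.strip()]


def parse_queues(conf):
    """Return {name: {'bw', 'flags', 'children'}}; the interface is the root."""
    queues = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = ALTQ_RE.match(line)
        if m:
            queues[m.group(1)] = {"bw": parse_bw(m.group(2)), "flags": [],
                                  "children": split_names(m.group(3))}
            continue
        m = QUEUE_RE.match(line)
        if m:
            queues[m.group(1)] = {"bw": parse_bw(m.group(2)),
                                  "flags": split_names(m.group(3)),
                                  "children": split_names(m.group(4))}
    return queues


def check_cbq(conf):
    """Return problem strings; an empty list means all three rules hold."""
    queues = parse_queues(conf)
    problems = []
    defaults = [n for n, q in queues.items() if "default" in q["flags"]]
    if len(defaults) != 1:
        problems.append("expected exactly one default queue, found %d: %s"
                        % (len(defaults), ", ".join(defaults) or "none"))
    for name, q in queues.items():
        for child in q["children"]:
            if child not in queues:
                problems.append("queue %s lists undefined child %s" % (name, child))
        need = sum(queues[c]["bw"] for c in q["children"] if c in queues)
        if need > q["bw"]:
            problems.append("children of %s need %d bit/s but it has %d"
                            % (name, need, q["bw"]))
    return problems


# the block beno posted: three queues carry the default flag
BENO_QUEUES = """
# class-based queueing (cbq)
altq on $ext_if cbq bandwidth 3Mb queue { ssh, standard }
queue ssh bandwidth 500Kb cbq(default) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 100Kb cbq(default)
queue ssh_bulk bandwidth 400Kb cbq(borrow, priority 2)
queue standard bandwidth 2500Kb cbq(ecn, priority 2) { http, ftp, email, other }
queue http bandwidth 1900Kb cbq(default) (ecn, borrow)
queue ftp bandwidth 200Kb cbq(ecn, borrow, priority 2)
queue email bandwidth 200Kb cbq(ecn, priority 3)
queue other bandwidth 200Kb cbq(ecn, priority 2)
"""

# the same block with the two sub-queue defaults removed, as Remko advises
FIXED_QUEUES = BENO_QUEUES.replace(
    "queue ssh_login bandwidth 100Kb cbq(default)",
    "queue ssh_login bandwidth 100Kb").replace(
    "queue http bandwidth 1900Kb cbq(default) (ecn, borrow)",
    "queue http bandwidth 1900Kb cbq(ecn, borrow)")

if __name__ == "__main__":
    for problem in check_cbq(BENO_QUEUES) or ["no problems found"]:
        print(problem)
```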
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 20:38:24 -0000

This is accepted by the pfctl compiler just fine:

http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
smtp_ports="25"
pop3_ports="110"
https_ports="443"
imap_ssl_ports="993 143"
squid_ports="3128"
mysql_ports="3306"
email_ports='"{' $smtp_ports $pop3_ports '}"'
all_http_ports='"{' $http_ports $https_ports '}"'
tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"

However, this line throws errors:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

If I replace "$tcp_ports" with "$ssh_ports" it works. Just throws a syntax error.
If I replace "$tcp_ports" with "$ftp_ports" it does not work, but if I change that to "{ $ftp_ports }" it does work. Why??
If I replace "$tcp_ports" with "$all_http_ports" it doesn't work. Says it doesn't recognize ports 80, 7080, 8080 or 443. Now, 443 isn't being used yet, so I removed that port. Raised the same error. Removed all but 80. Same thing. Curly braces didn't help me here.

Reading the tutorial says this:

Here is an example of a list:
block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
Here is an example of a macro:
friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"

Notice the curly braces on the macro. I can't get those to work, but it seems to accept my macros without curly braces. Perhaps that is unique to OpenBSD. Perhaps it's outdated. Dunno.
However, *that* is *all* the information the tutorial has on the subject (you may look here in the chapter appropriately entitled "Lists and Macros" to verify: http://www.openbsd.org/faq/pf/macros.html ), so I presume the only other source is, unfortunately, this most generous list. TIA, beno From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 21:25:33 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FFDE16A4DE for ; Tue, 22 Aug 2006 21:25:33 +0000 (UTC) (envelope-from remko@freebsd.org) Received: from caelis.elvandar.org (caelis.elvandar.org [217.148.169.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18A9743D49 for ; Tue, 22 Aug 2006 21:25:33 +0000 (GMT) (envelope-from remko@freebsd.org) Received: from localhost (caelis.elvandar.org [217.148.169.59]) by caelis.elvandar.org (Postfix) with ESMTP id 1E50C92FD3C; Tue, 22 Aug 2006 23:25:32 +0200 (CEST) Received: from caelis.elvandar.org ([217.148.169.59]) by localhost (caelis.elvandar.org [217.148.169.59]) (amavisd-new, port 10024) with ESMTP id 37274-01; Tue, 22 Aug 2006 23:25:31 +0200 (CEST) Message-ID: <44EB764F.9020807@FreeBSD.org> Date: Tue, 22 Aug 2006 23:25:35 +0200 
From: Remko Lodder User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: beno References: <44EB6B18.4030201@2012.vi> In-Reply-To: <44EB6B18.4030201@2012.vi> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by the elvandar.org maildomain Cc: freebsd-pf@freebsd.org Subject: Re: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 21:25:33 -0000 beno wrote: > This is accepted by the pfclt compiler just fine: > > http_ports="80 8080 7080" > ssh_ports="22" > ftp_ports="21 8021 7021" > smtp_ports="25" > pop3_ports="110" > https_ports="443" > imap_ssl_ports="993 143" > squid_ports="3128" > mysql_ports="3306" > email_ports='"{' $smtp_ports $pop3_ports '}"' > all_http_ports='"{' $http_ports $https_ports '}"' > tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" > > However, this line throws errors: > > pass in quick inet proto tcp from any to $web_server port $tcp_ports > flags S/SA keep state \ > (max-src-conn 100, max-src-conn-rate 15/5, overload > flush global) > > If I replace "$tcp_ports" with "$ssh_ports" it works. Just throws a > syntax error. > If I replace "$tcp_ports" with "$ftp_ports" it does not work, but if I > change that to "{ $ftp_ports }" it does work. Why?? > If I replace "$tcp_ports" with "$all_http_ports" it doesn't work. Says > it doesn't recognize ports 80, 7080, 8080 or 443. Now, 443 isn't being > used yet, so I removed that port. Raised the same error. Removed all but > 80. Same thing. Curly braces didn't help me here. 
> > Reading the tutorial says this: > > Here is an example of a list: > block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any > Here is an example of a macro: > friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }" > > Notice the curly braces on the macro. I can't get those to work, but it > seems to accept my macros without curly braces. Perhaps that is unique > to OpenBSD. Perhaps its outdated. Dunno. However, *that* is *all* the > information the tutorial has on the subject (you may look here in the > chapter appropriately entitled "Lists and Macros" to verify: > http://www.openbsd.org/faq/pf/macros.html ), so I presume the only other > source is, unfortunately, this most generous list. > TIA, > beno > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" Dude, You really should start _reading_ and _understanding_ what people tell you. I think this is the same problem as you raised before. Please look at those messages for more support. Now again: read the docs and solve your problem. 
Thanks, remko -- Kind regards, Remko Lodder ** remko@elvandar.org FreeBSD ** remko@FreeBSD.org From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 21:38:52 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F68716A4DF for ; Tue, 22 Aug 2006 21:38:52 +0000 (UTC) (envelope-from zope@2012.vi) Received: from mail.dunhill.ws (network191-36.wctc.net [209.94.191.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 190B743D55 for ; Tue, 22 Aug 2006 21:38:46 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (3puntacana97.codetel.net.do [200.88.97.3]) by mail.dunhill.ws (Weasel v1.73) for ; 22 Aug 2006 17:38:41 -0400 Message-ID: <44EB7956.3030705@2012.vi> Date: Tue, 22 Aug 2006 17:38:30 -0400 
From: beno User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <44EB6B18.4030201@2012.vi> <44EB764F.9020807@FreeBSD.org> In-Reply-To: <44EB764F.9020807@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 21:38:52 -0000 Remko Lodder wrote: > beno wrote: >> This is accepted by the pfclt compiler just fine: >> >> http_ports="80 8080 7080" >> ssh_ports="22" >> ftp_ports="21 8021 7021" >> smtp_ports="25" >> pop3_ports="110" >> https_ports="443" >> imap_ssl_ports="993 143" >> squid_ports="3128" >> mysql_ports="3306" >> email_ports='"{' $smtp_ports $pop3_ports '}"' >> all_http_ports='"{' $http_ports $https_ports '}"' >> tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" >> >> However, this line throws errors: >> >> pass in quick inet proto tcp from any to $web_server port $tcp_ports >> flags S/SA keep state \ >> (max-src-conn 100, max-src-conn-rate 15/5, overload >> flush global) >> >> If I replace "$tcp_ports" with "$ssh_ports" it works. Just throws a >> syntax error. >> If I replace "$tcp_ports" with "$ftp_ports" it does not work, but if I >> change that to "{ $ftp_ports }" it does work. Why?? >> If I replace "$tcp_ports" with "$all_http_ports" it doesn't work. Says >> it doesn't recognize ports 80, 7080, 8080 or 443. Now, 443 isn't being >> used yet, so I removed that port. Raised the same error. Removed all but >> 80. Same thing. Curly braces didn't help me here. 
>> >> Reading the tutorial says this: >> >> Here is an example of a list: >> block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any >> Here is an example of a macro: >> friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }" >> >> Notice the curly braces on the macro. I can't get those to work, but it >> seems to accept my macros without curly braces. Perhaps that is unique >> to OpenBSD. Perhaps its outdated. Dunno. However, *that* is *all* the >> information the tutorial has on the subject (you may look here in the >> chapter appropriately entitled "Lists and Macros" to verify: >> http://www.openbsd.org/faq/pf/macros.html ), so I presume the only other >> source is, unfortunately, this most generous list. >> TIA, >> beno >> >> _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > > Dude, > > You really should start _reading_ and _understanding_ what people > tell you. I think this is the same problem as you raised before. > Please look at those messages for more support. > > Now again: read the docs and solve your problem. If you had read what I wrote, you will notice not only did I read the docs, I even quoted them! It is possible (probable?) that you folks are simply far more advanced than the docs, at least in this case, and aren't even aware that the docs DO NOT answer this question! Why don't you take a look? Why don't you take a look at the doc I quoted? Why don't you read my quotes? How anyone expects me to answer this question with the docs provided, which do not address this question, is beyond me. Perhaps there are other docs of which I am not aware. Trust me, I would prefer to answer these questions by myself than to be brow-beaten by this list. But I need to get a job done, "dude". And the docs *do not* answer the question!!! 
In fact, as I have pointed out, they even befuddle the problem with curly braces!!! So, would you mind answering my question? TIA, beno From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 22:17:05 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C8F616A4DA for ; Tue, 22 Aug 2006 22:17:05 +0000 (UTC) (envelope-from jsimola@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id A00B843D53 for ; Tue, 22 Aug 2006 22:17:04 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by nf-out-0910.google.com with SMTP id n15so190972nfc for ; Tue, 22 Aug 2006 15:17:03 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gpmLaFCBUNb7/bmI7FaWGROW7BXZ/Nj0WdZfKeAg0ffVNmQrKgyX0rpb5Wc8gax/Th78PnfPFupe1j7pns96f53LhyY2qNvJdT9ATtvic2I8/WqVy3a/Ri+oBAtnf8yFBkRjwbC3XMmr++iA0tdLl8i+D35Nr2ncHeVvqLM11mE= Received: by 10.48.48.15 with SMTP id v15mr1101958nfv; Tue, 22 Aug 2006 15:17:03 -0700 (PDT) Received: by 10.78.193.17 with HTTP; Tue, 22 Aug 2006 15:17:02 -0700 (PDT) Message-ID: <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> Date: Tue, 22 Aug 2006 15:17:03 -0700 
From: "Jon Simola" To: freebsd-pf@freebsd.org In-Reply-To: <44EB6B18.4030201@2012.vi> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44EB6B18.4030201@2012.vi> Subject: Re: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 22:17:05 -0000

On 8/22/06, beno wrote:
> This is accepted by the pfctl compiler just fine:
>
> http_ports="80 8080 7080"
> ssh_ports="22"
> ftp_ports="21 8021 7021"
> smtp_ports="25"
> pop3_ports="110"
> https_ports="443"
> imap_ssl_ports="993 143"
> squid_ports="3128"
> mysql_ports="3306"
> email_ports='"{' $smtp_ports $pop3_ports '}"'
> all_http_ports='"{' $http_ports $https_ports '}"'
> tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"

Not here:

# pfctl -vvnf ./pf-beno-test
http_ports = "80 8080 7080"
ssh_ports = "22"
ftp_ports = "21 8021 7021"
smtp_ports = "25"
pop3_ports = "110"
https_ports = "443"
imap_ssl_ports = "993 143"
squid_ports = "3128"
mysql_ports = "3306"
email_ports = ""{ 25 110 }""
all_http_ports = ""{ 80 8080 7080 443 }""
tcp_ports = "{ 22 21 8021 7021 { 80 8080 7080 443 } 993 143 }"

Note the nested braces in the last line - that is your problem.
-- Jon From owner-freebsd-pf@FreeBSD.ORG Tue Aug 22 23:10:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B902E16A4E0 for ; Tue, 22 Aug 2006 23:10:00 +0000 (UTC) (envelope-from remko@freebsd.org) Received: from caelis.elvandar.org (caelis.elvandar.org [217.148.169.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8453B43D6A for ; Tue, 22 Aug 2006 23:09:51 +0000 (GMT) (envelope-from remko@freebsd.org) Received: from localhost (caelis.elvandar.org [217.148.169.59]) by caelis.elvandar.org (Postfix) with ESMTP id 7746F92FD48; Wed, 23 Aug 2006 01:09:50 +0200 (CEST) Received: from caelis.elvandar.org ([217.148.169.59]) by localhost (caelis.elvandar.org [217.148.169.59]) (amavisd-new, port 10024) with ESMTP id 48652-01; Wed, 23 Aug 2006 01:09:50 +0200 (CEST) Message-ID: <44EB8EC1.2060300@FreeBSD.org> Date: Wed, 23 Aug 2006 01:09:53 +0200 
From: Remko Lodder User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: Jon Simola References: <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> In-Reply-To: <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by the elvandar.org maildomain Cc: freebsd-pf@freebsd.org Subject: Re: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Aug 2006 23:10:00 -0000 Jon Simola wrote: > On 8/22/06, beno wrote: >> This is accepted by the pfclt compiler just fine: >> >> http_ports="80 8080 7080" >> ssh_ports="22" >> ftp_ports="21 8021 7021" >> smtp_ports="25" >> pop3_ports="110" >> https_ports="443" >> imap_ssl_ports="993 143" >> squid_ports="3128" >> mysql_ports="3306" >> email_ports='"{' $smtp_ports $pop3_ports '}"' >> all_http_ports='"{' $http_ports $https_ports '}"' >> tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" > > Not here: > > # pfctl -vvnf ./pf-beno-test > http_ports = "80 8080 7080" > ssh_ports = "22" > ftp_ports = "21 8021 7021" > smtp_ports = "25" > pop3_ports = "110" > https_ports = "443" > imap_ssl_ports = "993 143" > squid_ports = "3128" > mysql_ports = "3306" > email_ports = ""{ 25 110 }"" > all_http_ports = ""{ 80 8080 7080 443 }"" > tcp_ports = "{ 22 21 8021 7021 { 80 8080 7080 443 } 993 143 }" > > Note the nested braces in the last line - that is your problem. > Like i said; the same problem as before! That is what I meant by not reading the information given from others. Thanks for clarifying this Jon. 
Cheers, remko -- Kind regards, Remko Lodder ** remko@elvandar.org FreeBSD ** remko@FreeBSD.org From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 07:42:22 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C937616A4DE for ; Wed, 23 Aug 2006 07:42:22 +0000 (UTC) (envelope-from mime@traveller.cz) Received: from ss.eunet.cz (ss.eunet.cz [193.85.228.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B27343D46 for ; Wed, 23 Aug 2006 07:42:21 +0000 (GMT) (envelope-from mime@traveller.cz) Received: from localhost.i.cz (ss.eunet.cz [193.85.228.13]) by ss.eunet.cz (8.13.6/8.13.6) with ESMTP id k7N7gJts081618 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Wed, 23 Aug 2006 09:42:19 +0200 (CEST) (envelope-from mime@traveller.cz) 
From: Michal Mertl To: Jon Simola In-Reply-To: <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> References: <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> Content-Type: text/plain Date: Wed, 23 Aug 2006 09:41:57 +0200 Message-Id: <1156318917.1543.11.camel@genius.i.cz> Mime-Version: 1.0 X-Mailer: Evolution 2.6.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Another Lists/Macros Question X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Aug 2006 07:42:22 -0000 Jon Simola wrote: > On 8/22/06, beno wrote: > > This is accepted by the pfclt compiler just fine: > > > > http_ports="80 8080 7080" > > ssh_ports="22" > > ftp_ports="21 8021 7021" > > smtp_ports="25" > > pop3_ports="110" > > https_ports="443" > > imap_ssl_ports="993 143" > > squid_ports="3128" > > mysql_ports="3306" > > email_ports='"{' $smtp_ports $pop3_ports '}"' > > all_http_ports='"{' $http_ports $https_ports '}"' > > tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}" > > Not here: > > # pfctl -vvnf ./pf-beno-test > http_ports = "80 8080 7080" > ssh_ports = "22" > ftp_ports = "21 8021 7021" > smtp_ports = "25" > pop3_ports = "110" > https_ports = "443" > imap_ssl_ports = "993 143" > squid_ports = "3128" > mysql_ports = "3306" > email_ports = ""{ 25 110 }"" > all_http_ports = ""{ 80 8080 7080 443 }"" > tcp_ports = "{ 22 21 8021 7021 { 80 8080 7080 443 } 993 143 }" > > Note the nested braces in the last line - that is your problem. And the fix is to omit braces in definitions and use them with actual rules. 
For example this pf config file works:

----
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports

pass in proto tcp from any to any port { $email_ports }
----

Note that no quoting is necessary here and the parser doesn't care much about whitespace. If you run pfctl with "-v" you shall see the macro expansion which should help in understanding the parser and finding out errors.

Michal

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 14:07:05 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61B4B16A506 for ; Wed, 23 Aug 2006 14:07:05 +0000 (UTC) (envelope-from zope@2012.vi) Received: from mail.dunhill.ws (network191-36.wctc.net [209.94.191.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7348243D45 for ; Wed, 23 Aug 2006 14:07:02 +0000 (GMT) (envelope-from zope@2012.vi) Received: from [10.0.0.172] (128puntacana97.codetel.net.do [200.88.97.128]) by mail.dunhill.ws (Weasel v1.73) for ; 23 Aug 2006 10:06:58 -0400 Message-ID: <44EC60F9.2080102@2012.vi> Date: Wed, 23 Aug 2006 10:06:49 -0400
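A reduced model of how pfctl expands macros, added here as an example (it is not pfctl's own code) to show why Jon's `pfctl -vvnf` output contains nested braces and why Michal's layout does not: a macro's value is substituted back into the input and lexed a second time, so quote characters stored inside the value are consumed on that pass. The port-list classifier and its labels are this example's own invention; the sample definitions are the ones quoted in the thread.

```python
"""Reduced model of pfctl macro expansion (added example, not pfctl's code).

A macro's stored value is its lexed words joined by spaces (what pfctl -vvnf
prints back); $name is replaced by that value and lexed again, so quotes kept
inside a value are consumed on reuse.  Nothing is expanded inside quotes.
"""
import re

PORT_TOKEN = re.compile(r"[A-Za-z0-9_.+-]+(:[A-Za-z0-9_.+-]+)?")  # port or range
MACRO_DEF = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def lex(text, macros):
    """Return [(word, quoted)] for text, expanding $macros the way pfctl does."""
    toks = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "\"'":
            j = text.find(c, i + 1)
            if j < 0:
                raise ValueError("unterminated quoted string: " + text[i:])
            toks.append((text[i + 1:j], True))  # the quotes are consumed here
            i = j + 1
        elif c == "$":
            m = MACRO_REF.match(text, i)
            if m is None or m.group(1) not in macros:
                raise ValueError("undefined macro at: " + text[i:])
            toks.extend(lex(macros[m.group(1)], macros))  # second lexing pass
            i = m.end()
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "\"'$":
                j += 1
            toks.append((text[i:j], False))
            i = j
    return toks


def load_macros(conf):
    """Collect name = value lines in order; later macros may use earlier ones."""
    macros = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = " ".join(w for w, _ in lex(m.group(2), macros))
    return macros


def check_port_spec(spec, macros):
    """Classify the argument of 'port ...' after expansion: 'ok' (one port or one
    flat { } list), 'bare-list' (several words, no braces), 'nested-braces' (a
    { } group inside the list, beno's tcp_ports), 'quoted-list' (braces inside a
    quoted word, so pfctl sees one string and rejects it) or 'bad-port'."""
    toks = lex(spec, macros)
    if len(toks) == 1:
        word = toks[0][0]
        if "{" in word:
            return "quoted-list"
        return "ok" if PORT_TOKEN.fullmatch(word) else "bad-port"
    if toks[0] == ("{", False) and toks[-1] == ("}", False):
        inner = [w for w, _ in toks[1:-1]]
        if any("{" in w or "}" in w for w in inner):
            return "nested-braces"
        return "ok" if all(PORT_TOKEN.fullmatch(w) for w in inner) else "bad-port"
    return "bare-list"


# beno's definitions as quoted in the thread
BENO_MACROS = """
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
smtp_ports="25"
pop3_ports="110"
https_ports="443"
imap_ssl_ports="993 143"
email_ports='"{' $smtp_ports $pop3_ports '}"'
all_http_ports='"{' $http_ports $https_ports '}"'
tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports "}"
"""

# Michal's layout: no braces in the definitions, braces at the point of use
MICHAL_MACROS = """
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports
"""

if __name__ == "__main__":
    for name, value in load_macros(BENO_MACROS).items():
        print('%s = "%s"' % (name, value))  # same shape as pfctl -vv prints
```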
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 14:07:05 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 10:06:49 -0400
Message-ID: <44EC60F9.2080102@2012.vi>
In-Reply-To: <1156318917.1543.11.camel@genius.i.cz>
Subject: Re: Another Lists/Macros Question

Michal Mertl wrote:
> Note that no quoting is necessary here and the parser doesn't care much
> about whitespace. If you run pfctl with "-v" you shall see the macro
> expansion which should help in understanding the parser and finding out
> errors.
>
That does help! Thanks! Now, throwing that flag with the others (-f and -n) I now get the following errors:

set fingerprints /etc/pf.os
pfctl: /etc/pf.os : No such file or directory

In fact, there *is* such a file, and it's the default! I haven't edited it, changed perms, etc. Now, if I recall correctly, I don't need to actually cite that file, since the parser will include it automatically; however, there is certainly nothing wrong with doing so, therefore it should not throw an error! Wazzup?

server167# ls -al /etc/|grep pf.os
-rw-r--r--  1 root  wheel  26591 Aug 17 18:32 pf.os

(I'm in as root.)

/etc/pf.conf:24: syntax error

Here's that line, which the parser doesn't parse, preceded by other lines in question:

shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses

Now, we've been here before, and I was instructed to write the directv_ip_address line just so, but now the parser is throwing another error based on that very variable yet again! (I have singled it out through experimentation.) What doesn't it like this time?

/etc/pf.conf:68: syntax error
pass in quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload flush global, if-bound, src.track 3)

when the actual lines I wrote are these:

web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports
pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

Here are my questions concerning this much:
* Why does the parser render "from any to $web_server" as "from any to any"? That's not what I specified!
* Why does the parser render "port $tcp_ports" as "port = ssh"? That's not what I specified, either!
* Why does the parser automatically reduce my variables max-src-conn and max-src-conn-rate (okay because the proportion is the same?)

TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 15:05:58 2006
From: Michal Mertl
To: beno
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 17:05:28 +0200
Message-Id: <1156345528.1543.134.camel@genius.i.cz>
In-Reply-To: <44EC60F9.2080102@2012.vi>
Subject: Re: Another Lists/Macros Question

beno wrote:
> Michal Mertl wrote:
> > Note that no quoting is necessary here and the parser doesn't care much
> > about whitespace. If you run pfctl with "-v" you shall see the macro
> > expansion which should help in understanding the parser and finding out
> > errors.
> >
> That does help! Thanks! Now, throwing that flag with the others (-f and
> -n) I now get the following errors:
>
> set fingerprints /etc/pf.os
> pfctl: /etc/pf.os : No such file or directory

I expect you removed all " characters from the file? Apparently in some places they matter (e.g. set fingerprints). Maybe the explanation is that it doesn't require quoting of numbers (including single IP address) but does require quoting of texts.

Why don't you just make a single modification at a time? It is very difficult to help you as it is difficult to guess what you have done. We don't know the exact contents of the file you were loading, by which command and what was the full output of pfctl.

> /etc/pf.conf:24: syntax error
> Here's that line, which the parser doesn't parse, preceded by other
> lines in question:
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses=""
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses
>
> Now, we've been here before, and I was instructed to write the
> directv_ip_address line just so, but now the parser is throwing another
> error based on that very variable yet again! (I have singled it out
> through experimentation.) What doesn't it like this time?

Does the shinjiru_ip_addresses macro definition span multiple lines? If so, you need to fix it by typing \ at the end of the line which continues on another.

> /etc/pf.conf:68: syntax error
> pass in quick proto tcp from any to any port = ssh flags S/SA keep state
> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global, if-bound, src.track 3)
>
> when the actual lines I wrote are these:

Does the rule span multiple lines again?

> Here are my questions concerning this much:
> * Why does the parser render "from any to $web_server" as "from any to
> any"? That's not what I specified!

I don't know what you have specified and what was the result.

> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's
> not what I specified, either!

You probably forgot to surround the macro invocation with {} (wrote "port $macro_with_multiple_ports" instead of "port { $macro_with_multiple_ports }" (without quotes)).

> * Why does the parser automatically reduce my variables max-src-conn and
> max-src-conn-rate (okay because the proportion is the same?)

Probably not. It works for me.

All of the following work:

--
set fingerprints "/etc/pf.os"
adrs1 = "{ 69.19.0.0/17 10/8 }"
adrs2 = "69.19.0.0/17 10/8"
adr3 = 1.2.3.4
adrs4 = "1.2.3.4 \
12.5.1.2"
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports
pass in proto tcp from any to any port { $email_ports }
pass in proto tcp from any to { $adrs2 }
pass in proto tcp from any to $adrs1
pass in quick proto tcp from any to $adr3 port = ssh flags S/SA keep state \
    (source-track rule, max-src-conn 15, max-src-conn-rate 15/5, \
    overload flush global, if-bound, src.track 3)
--

Michal

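The two pitfalls traded back and forth in this thread (braces inside a macro definition that is then reused inside another { } list, giving the nested braces Jon's -vv output shows, and a multi-value macro used bare after "port", which beno saw collapse to "port = ssh") are mechanical enough to catch before pfctl is run. The following is an added example in Python, not code from the list or from pfctl: it imitates the definition-time macro expansion that "pfctl -vnf" prints and flags those mistakes. The names (lint, expand, lint_rule, BAD_CONFIG, GOOD_CONFIG) and the rule-only grammar are the example's own assumptions; the two config fragments are constructed from the macro definitions quoted above.

```python
"""Expand pf.conf macros offline and flag the list/brace pitfalls above.

Added example, not pfctl code. Checks: a macro whose expansion has nested
braces, a brace-containing macro used inside another { }, and a multi-value
macro used bare where one value is expected. Not a full pf grammar parser.
"""
import re
from typing import Dict, List, Tuple

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')


def join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash, as the pf lexer does."""
    lines: List[str] = []
    buf = ''
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '
        else:
            lines.append(buf + raw)
            buf = ''
    if buf:
        lines.append(buf)
    return lines


def tokens(text: str) -> List[str]:
    """Whitespace-split with braces as their own tokens; quotes dropped."""
    return text.replace('"', '').replace('{', ' { ').replace('}', ' } ').split()


def brace_depth(toks: List[str]) -> int:
    """Deepest { } nesting in a token list (pf lists allow exactly one level)."""
    depth = deepest = 0
    for tok in toks:
        if tok == '{':
            depth += 1
            deepest = max(deepest, depth)
        elif tok == '}':
            depth -= 1
    return deepest


def expand(text: str, macros: Dict[str, str]) -> str:
    """Substitute $name references; an undefined macro is an error in pf too."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise ValueError(f"macro '{name}' not defined")
        return macros[name]
    return MACRO_REF.sub(sub, text)


def parse_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a pf.conf fragment into macro definitions and remaining lines."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for line in join_continuations(text):
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            # references are expanded when the macro is defined, which is why
            # -v prints every macro with its final, fully expanded value
            macros[m.group(1)] = expand(m.group(2).strip(), macros)
        else:
            rules.append(line)
    return macros, rules


def lint_rule(rule: str, macros: Dict[str, str]) -> List[str]:
    """Check how each $macro in a rule is used relative to { } lists."""
    problems: List[str] = []
    depth = 0
    for tok in tokens(rule):
        if tok == '{':
            depth += 1
        elif tok == '}':
            depth -= 1
        elif tok.startswith('$'):
            value = macros.get(tok[1:])
            if value is None:
                problems.append(f"macro '{tok[1:]}' not defined")
                continue
            vt = tokens(value)
            if '{' in vt and depth > 0:
                problems.append(f"{tok} already contains braces and is used inside {{ }}: nested braces")
            elif len(vt) > 1 and '{' not in vt and depth == 0:
                problems.append(f"{tok} expands to {len(vt)} values but is used without {{ }}")
    return problems


def lint(text: str) -> Tuple[Dict[str, str], List[Tuple[str, List[str]]]]:
    """Return (macros, report); report pairs each expanded line with its problems."""
    macros, rules = parse_config(text)
    report: List[Tuple[str, List[str]]] = []
    for name, value in macros.items():
        if brace_depth(tokens(value)) > 1:
            report.append((f"{name} = {value}", [f"macro '{name}' expands to nested braces"]))
    for rule in rules:
        problems = lint_rule(rule, macros)
        try:
            expanded = ' '.join(tokens(expand(rule, macros)))
        except ValueError:
            expanded = rule
        report.append((expanded, problems))
    return macros, report


# Constructed from the definitions quoted in the thread: braces in the
# definitions, then those macros reused inside other braces or used bare.
BAD_CONFIG = """
http_ports="80 8080 7080"
https_ports="443"
ssh_ports="22"
ftp_ports="21 8021 7021"
all_http_ports="{ $http_ports $https_ports }"
tcp_ports="{ $ssh_ports $ftp_ports $all_http_ports }"
web_server="202.71.106.119"
pass in quick inet proto tcp from any to $web_server port $ftp_ports
pass in proto tcp from any to any port { $all_http_ports }
"""

# The form Michal recommends: no braces in definitions, braces in the rule.
GOOD_CONFIG = """
http_ports = 80 8080 7080
https_ports = 443
all_http_ports = $http_ports $https_ports
web_server = 202.71.106.119
pass in proto tcp from any to $web_server port { $all_http_ports } \\
    flags S/SA keep state
"""

if __name__ == '__main__':
    for cfg in (BAD_CONFIG, GOOD_CONFIG):
        for line, problems in lint(cfg)[1]:
            print(line)
            for p in problems:
                print('   !', p)
```

Run it on a fragment before loading: the expanded lines should match what "pfctl -vnf" prints, and any flagged line is one pfctl will either reject with a bare "syntax error" or parse into a different rule than intended, as happened with "port = ssh" above.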
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 15:30:15 2006
From: "Jeremy C. Reed"
To: beno
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 10:29:55 -0500 (CDT)
In-Reply-To: <44EC60F9.2080102@2012.vi>
Subject: Re: Another Lists/Macros Question

> set fingerprints /etc/pf.os
> pfctl: /etc/pf.os : No such file or directory

I wonder if the parser sees the second space and assumes that is part of the filename. I didn't test, but try removing the extra space before the pathname.

> /etc/pf.conf:24: syntax error
> Here's that line, which the parser doesn't parse, preceded by other lines in
> question:
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses=""
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses
>
> Now, we've been here before, and I was instructed to write the
> directv_ip_address line just so, but now the parser is throwing another error
> based on that very variable yet again! (I have singled it out through
> experimentation.) What doesn't it like this time?

Did it like it last time? :)

> /etc/pf.conf:68: syntax error
> pass in quick proto tcp from any to any port = ssh flags S/SA keep state
> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global, if-bound, src.track 3)
>
> when the actual lines I wrote are these:
> web_server="202.71.106.119"
> http_ports="80 8080 7080"
> ssh_ports="22"
> ftp_ports="21 8021 7021"
> https_ports="443"
> imap_ssl_ports="993 143"
> all_http_ports= $http_ports $https_ports
> tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports
> pass in quick inet proto tcp from any to $web_server port $tcp_ports flags
> S/SA keep state \
> (max-src-conn 100, max-src-conn-rate 15/5, overload flush
> global)
>
> Here are my questions concerning this much:
> * Why does the parser render "from any to $web_server" as "from any to any"?
> That's not what I specified!
> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's not
> what I specified, either!

If you want to use a list, use the braces { }

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 16:27:08 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 12:26:42 -0400
Message-ID: <44EC81C2.5050105@2012.vi>
In-Reply-To: <1156345528.1543.134.camel@genius.i.cz>
Subject: Re: Another Lists/Macros Question

Michal Mertl wrote:
> beno wrote:
>
>> Michal Mertl wrote:
>>
>>> Note that no quoting is necessary here and the parser doesn't care much
>>> about whitespace. If you run pfctl with "-v" you shall see the macro
>>> expansion which should help in understanding the parser and finding out
>>> errors.
>>>
>> That does help! Thanks! Now, throwing that flag with the others (-f and
>> -n) I now get the following errors:
>>
>> set fingerprints /etc/pf.os
>> pfctl: /etc/pf.os : No such file or directory
>>
>
> I expect you removed all " characters from the file? Apparently in some
> places they matter (e.g. set fingerprints). Maybe the explanation is
> that it doesn't require quoting of numbers (including single IP address)
> but does require quoting of texts.
>
This is interesting! No...here's the line I had written:

set fingerprints " /etc/pf.os "

and *that* doesn't work! Why? The s_p_a_c_e_s!!! (So much for the parser not being particular about spacing, either.) This works:

set fingerprints "/etc/pf.os"

Go figure! I guess the parser is v_e_r_y particular ;)

>> /etc/pf.conf:24: syntax error
>> Here's that line, which the parser doesn't parse, preceded by other
>> lines in question:
>> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
>> 202.71.106.118 202.71.106.188 203.142.1.8"
>> directv_ip_addresses="{ 69.19.0.0/17 }"
>> shadday_ip_addresses=""
>> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
>> $shadday_ip_addresses
>>
>> Now, we've been here before, and I was instructed to write the
>> directv_ip_address line just so, but now the parser is throwing another
>> error based on that very variable yet again! (I have singled it out
>> through experimentation.) What doesn't it like this time?
>>
>
> Does shinjiru_ip_addresses macro definition span multiple lines? If so,
> you need to fix it by typing \ at the end of the line which continues on
> another.
>
No...it's all in one line. Also this works (changing only the line below):

ssh_ip_addresses= $shinjiru_ip_addresses $shadday_ip_addresses

So, the problem is *only* the variable $directv_ip_addresses, which I excluded in this example. Again, this matter was supposedly put to rest in an earlier communication with the list, but it has resurrected itself :(

>> /etc/pf.conf:68: syntax error
>> pass in quick proto tcp from any to any port = ssh flags S/SA keep state
>> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global, if-bound, src.track 3)
>>
>> when the actual lines I wrote are these:
>>
>
> Does the rule span multiple lines again?
>
Yes, written as follows:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

Even when I make it all one line, like this:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

it throws a "syntax error" (no further details this time..?)

>> Here are my questions concerning this much:
>> * Why does the parser render "from any to $web_server" as "from any to
>> any"? That's not what I specified!
>>
>
> I don't know what you have specified and what was the result.
>
I specified this:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

and this previously:

web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

so I would have expected it to render this:

...from any to 202.71.106.119 port 80 8080 7080 22 21 8021 7021 443 993 143 flags S/SA...

[see below before commenting]

>> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's
>> not what I specified, either!
>>
>
> You probably forgot to surround the macro invocation with {} (wrote
> "port $macro_with_multiple_ports" instead of "port
> { $macro_with_multiple_ports }" (without quotes).
>
Now, *that* worked! That yielded the result I was expecting, as noted above!

>> * Why does the parser automatically reduce my variables max-src-conn and
>> max-src-conn-rate (okay because the proportion is the same?)
>>
>
> Probably not. It works for me.
>
And me now, with the curly braces.

So, the only problem left, thus far, is the one above concerning the macro $directv_ip_addresses. Everything else in my initial pf.conf works FINE now!

TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 16:36:51 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 12:36:30 -0400
Message-ID: <44EC840E.2060303@2012.vi>
Subject: How To Track Down a CIDR (slightly OT)

Hi;
Now that my initial pf.conf file is all but completed, I still need (or, want) to block out all the world from SSH access except myself. However, I still need to get the IP addresses from the Internet café I occasionally use (like right now), who gets them from Verizon here in the Dominican Republic, where I live. However, trying to get that information from them is like trying to steal state secrets. Is there another way of doing this? Since I'm here at said café, this is my current address:

200.88.97.128

I went to ripe.net and searched it, but that didn't provide anything interesting that I could see. It says "Allocated Unspecified" and "This country is really worldwide." Any ideas?

TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 17:02:30 2006
From: "Chris Buechler"
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 13:02:27 -0400
In-Reply-To: <44EC840E.2060303@2012.vi>
Subject: Re: How To Track Down a CIDR (slightly OT)

On 8/23/06, beno wrote:
>
> Since I'm here at said café, this is my
> current address:
> 200.88.97.128
> I went to ripe.net and searched it, but that didn't provide anything
> interesting that I could see. It says "Allocated Unspecified" and "This
> country is really worldwide." Any ideas?
>
That's LACNIC IP space, not RIPE. Though RIPE should have pointed you to LACNIC, IMO, they don't. They show what you see for any IP space that isn't under their control. I'd recommend starting your searches with ARIN, as they'll point you to the right place for any IP space that's outside their control.

http://lacnic.net/cgi-bin/lacnic/whois?lg=EN&query=200.88.64/18

-Chris

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 18:09:34 2006
From: "Greg Hennessy"
To: "'Chris Buechler'"
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 19:07:48 +0100
Message-ID: <000001c6c6df$0ac706a0$0a00a8c0@thebeast>
Subject: RE: How To Track Down a CIDR (slightly OT)

> That's LACNIC IP space, not RIPE. Though RIPE should have
> pointed you to LACNIC, IMO, they don't.

With RIPE one is doing well to get anything at all.

> They show what you
> see for any IP space that isn't under their control. I'd
> recommend starting your searches with ARIN, as they'll point
> you to the right place for any IP space that's outside their control.

The following site is invaluable

http://www.completewhois.com/whois.htm

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 24 14:05:14 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Thu, 24 Aug 2006 10:04:48 -0400
Message-ID: <44EDB200.5020006@2012.vi>
Subject: Last Two Questions (I Think...)

Thank you very much for all your help!

Here is the first problem. It's a continuation of a problem we "fixed" earlier (nor did I change anything after we got it working the first time):

shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses="{ 200.88.64/23 200.88.66/23 200.88.80/20 200.88.96/20 200.88.112/22 200.88.118/23 200.88.120/21 }"
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses

The parser won't parse the last line. It won't let me include either of the last two macros. This happened before I added the addresses to the latter (shadday) but is compounded by the same.

The second problem has to do with logs. For example, this works:

pass in quick inet proto tcp from any to $web_server port { $tcp_ports } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

but this does not work:

pass in quick log (all) inet proto tcp from any to $web_server port { $tcp_ports } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

How do I turn on logging? Also, can someone give me good pointers as to what I should log? Being inexperienced, I'm apt to log everything in sight :/

TIA,
beno

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 24 16:51:40 2006
From: Michal Mertl
To: beno
Cc: freebsd-pf@freebsd.org
Date: Thu, 24 Aug 2006 18:51:07 +0200
Message-Id: <1156438267.1107.46.camel@genius.i.cz>
In-Reply-To: <44EDB200.5020006@2012.vi>
Subject: Re: Last Two Questions (I Think...)

beno wrote:
> Thank you very much for all your help!
>
> Here is the first problem. It's a continuation of a problem we "fixed"
> earlier (nor did I change anything after we got it working the first time):
>
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses="{ 200.88.64/23 200.88.66/23 200.88.80/20
> 200.88.96/20 200.88.112/22 200.88.118/23 200.88.120/21 }"
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses

You are again combining lists and that is not supported, but you also have really found a problem/bug. It seems you can't combine strings containing "/" (a="big fat", b="dog", c=$a $b works but when you have "/" in the strings (as in network definitions) it does not). My conclusion is that you cannot nest even the macros with networks.

Did you think about using tables? You wouldn't be able to fill them in steps from pf.conf either but they are easier to manage than lists.

> The parser won't parse the last line. It won't let me include either of
> the last two macros. This happened before I added the addresses to the
> latter (shadday) but is compounded by the same.
>
> The second problem has to do with logs. For example, this works:
>
> pass in quick inet proto tcp from any to $web_server port { $tcp_ports }
> flags S/SA keep state \
> (max-src-conn 100, max-src-conn-rate 15/5, overload
> flush global)
>
>
> but this does not work:
>
> pass in quick log (all) inet proto tcp from any to $web_server port {
> $tcp_ports } flags S/SA keep state \
> (max-src-conn 100, max-src-conn-rate 15/5, overload
> flush global)

log (all) -> log-all

> How do I turn on logging? Also, can someone give me good pointers as to
> what I should log? Being inexperienced, I'm apt to log everything in sight :/
>
> TIA,
> beno

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 24 17:50:10 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Thu, 24 Aug 2006 13:49:44 -0400
Message-ID: <44EDE6B8.9050406@2012.vi>
In-Reply-To: <1156438267.1107.46.camel@genius.i.cz>
Subject: Re: Last Two Questions (I Think...)

Michal Mertl wrote:
> Did you think about using tables? You wouldn't be able to fill them in
> steps from pf.conf either but they are easier to manage than lists.
>
I hadn't considered that. I'll try that. Thanks!

> log (all) -> log-all
>
k. Thanks!
beno

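Michal's suggestion to replace the combined address macros with a table is where this sub-thread ends, so the following added example (Python, not code from the list or from pf) carries it through offline: it takes the three address lists beno posted, normalises the short network form pf accepts ("200.88.64/23", "10/8") into full CIDR prefixes, rejects a prefix whose host bits are set, merges adjacent prefixes, renders a "table <name>" definition plus the one-entry-per-line file that "pfctl -t NAME -T replace -f FILE" loads, and checks which entry the café address 200.88.97.128 from the other thread falls into. The names SSH_SOURCES, normalize, build_table, lookup, render_table and render_file, the table name ssh_allow, and the non-member address 192.0.2.1 are the example's own constructions.

```python
"""Build and test a pf table offline from the address lists in this thread.

Added example, not pf code. pf accepts the short network form used above
(200.88.64/23, 10/8); Python's ipaddress does not, so entries are normalised
first, then collapsed and rendered as a 'table <name>' definition.
"""
import ipaddress
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network

# Constructed from the three macros beno posted (shinjiru, directv, shadday).
SSH_SOURCES = [
    '202.71.102.114', '202.71.100.126', '202.71.106.30',
    '202.71.106.118', '202.71.106.188', '203.142.1.8',
    '69.19.0.0/17',
    '200.88.64/23', '200.88.66/23', '200.88.80/20', '200.88.96/20',
    '200.88.112/22', '200.88.118/23', '200.88.120/21',
]


def normalize(entry: str) -> Net:
    """Turn '200.88.64/23', '10/8' or '1.2.3.4' into a full IPv4Network.

    strict=True rejects a prefix with host bits set (e.g. 200.88.65/23)
    rather than silently widening it to the containing network.
    """
    addr, _, plen = entry.strip().partition('/')
    octets = addr.split('.')
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f'bad address {entry!r}')
    octets += ['0'] * (4 - len(octets))        # pad missing trailing octets
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=True)


def build_table(entries: Iterable[str]) -> List[Net]:
    """Normalise every entry and merge adjacent or overlapping prefixes."""
    return list(ipaddress.collapse_addresses(normalize(e) for e in entries))


def lookup(table: List[Net], ip: str) -> Optional[Net]:
    """Most specific table entry containing ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in table if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def render_table(name: str, table: List[Net]) -> str:
    """pf.conf definition; a rule then refers to it as <name>, e.g.
    'pass in quick proto tcp from <ssh_allow> to $web_server port ssh'."""
    body = '\n'.join(
        f'    {n.network_address if n.prefixlen == 32 else n}' for n in table)
    return f'table <{name}> persist {{\n{body}\n}}\n'


def render_file(table: List[Net]) -> str:
    """One entry per line: the input for 'pfctl -t NAME -T replace -f FILE'."""
    return ''.join(f'{n}\n' for n in table)


if __name__ == '__main__':
    table = build_table(SSH_SOURCES)
    print(render_table('ssh_allow', table))
    print('200.88.97.128 ->', lookup(table, '200.88.97.128'))
```

Loading the table from a file rather than listing the networks in a macro sidesteps the macro-combination problem entirely, and the offline lookup answers the practical question first: whether the address you are about to lock yourself down to is actually inside one of the prefixes.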
From: Frank Steinborn
To: Max Laier
Cc: gnn@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <200608021802.45589.max@love2party.net>
Message-Id: <20060824180126.DA797B828@shodan.nognu.de>
Subject: Re: I'm getting sick - Problems filtering IPv6.

Max Laier wrote:
> [please do not cut the audit trail from your replies - it really helps to have
> all information in one email]
>
> Short recap for everybody: Using pf stateful rules for inet6 fails for
> connections originating from the firewall itself to a service running on the
> same box. Culprit seems to be interface selection in inet6 (switching
> between the interface that has the address configured and lo0). See below.

Something new on that? I searched for a PR, and couldn't find one, so I just
wanted to ask. I could file a PR if necessary.
Thanks,
Frank

From owner-freebsd-pf@FreeBSD.ORG Thu Aug 24 23:50:56 2006
Date: Thu, 24 Aug 2006 18:50:54 -0500
From: "Travis H."
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44EC81C2.5050105@2012.vi>
Subject: Re: Another Lists/Macros Question

This is getting freaking ridiculous.

I answered the same question long ago.

> Note the nested braces in the last line - that is your problem.

How many times does this guy need to be told?

I told him _exactly_the_same_thing_.

Beno, welcome to /dev/null.

Some people are just too dense to be helped.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 13:59:14 2006
Message-ID: <44EF021B.4020801@2012.vi>
Date: Fri, 25 Aug 2006 09:58:51 -0400
From: beno
To: "Travis H.", freebsd-pf@freebsd.org
Subject: Re: Another Lists/Macros Question

Travis H. wrote:
> This is getting freaking ridiculous.
>
> I answered the same question long ago.
>
>> Note the nested braces in the last line - that is your problem.
>
> How many times does this guy need to be told?
>
> I told him _exactly_the_same_thing_.
>
> Beno, welcome to /dev/null.
>
> Some people are just too dense to be helped.

Michal Mertl wrote this:

You are again combining lists and that is not supported, but you also have
really found a problem/bug. It seems you can't combine strings containing "/"
(a="big fat", b="dog", c=$a $b works but when you have "/" in the strings (as
in network definitions) it does not). My conclusion is that you cannot nest
even the macros with networks.

Travis: I found a bug! Am I "too stupid to be helped" because I found a bug?
Why are you so belligerent? Is your temper indicative of your maturity, or the
lack thereof? You don't have to help me, but what gives you the right to
attack me?

beno
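The table-based layout Michal Mertl suggests earlier in the thread, written out as an added example that is not code from the thread: every interface, address, port and network name below is constructed. Macros in pf.conf are plain text substitution, so a macro that already holds a list, placed inside another list, produces the nested braces that pfctl rejects; a table holds any number of addresses or CIDR networks directly and is referenced from a single rule, and it can be changed at run time without reloading the ruleset.

```conf
# Added example (not from the thread): grouping networks with a table instead
# of nesting macros or lists. All values are constructed.
ext_if     = "fxp0"
web_server = "192.0.2.10"
tcp_ports  = "{ 80, 443 }"

# Addresses and CIDR networks go straight into a table; no braces inside braces.
# "persist" keeps the table in the kernel even when no rule references it yet.
table <office_nets> { 198.51.100.0/24, 203.0.113.0/24 }
table <admin_hosts> persist { 198.51.100.5, 203.0.113.7 }

# Default deny, logged; outbound traffic from the firewall keeps state.
block in log all
pass out keep state

# One rule covers every entry in the table, however many networks it holds.
pass in log quick on $ext_if inet proto tcp from <office_nets> to $web_server \
    port $tcp_ports flags S/SA keep state

# A second table for the hosts allowed to reach the management port.
pass in log quick on $ext_if inet proto tcp from <admin_hosts> to $web_server \
    port 22 flags S/SA keep state

# Run-time table maintenance, typed at a shell (not part of pf.conf):
#   pfctl -nf /etc/pf.conf                      # syntax check before loading
#   pfctl -t office_nets -T add 192.0.2.0/24
#   pfctl -t office_nets -T delete 203.0.113.0/24
#   pfctl -t office_nets -T show
```

The `$tcp_ports` macro expands to `{ 80, 443 }` exactly once, at the `port` keyword, so there is no second pair of braces around it; that is the difference from the rule in the original post, where the list macro was itself wrapped in braces.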
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 14:00:51 2006
Message-ID: <44EF027D.7050502@2012.vi>
Date: Fri, 25 Aug 2006 10:00:29 -0400
From: beno
To: Ender, freebsd-pf@freebsd.org
In-Reply-To: <44EE5BD7.2090308@enderzone.com>
Subject: Re: Last Two Questions (I Think...)

Ender wrote:
> beno wrote:
>> Thank you very much for all your help!
>>
>> Here is the first problem. It's a continuation of a problem we
>> "fixed" earlier (nor did I change anything after we got it working
>> the first time):
>>
> I strongly suggest reading this link on how to ask questions correctly:
> http://www.catb.org/~esr/faqs/smart-questions.html

Michal Mertl wrote:

You are again combining lists and that is not supported, but you also have
really found a problem/bug. It seems you can't combine strings containing "/"
(a="big fat", b="dog", c=$a $b works but when you have "/" in the strings (as
in network definitions) it does not). My conclusion is that you cannot nest
even the macros with networks.

Ender: I found a bug! Am I not asking smart questions because I found a bug?
Why are you so belligerent? Is your temper indicative of your maturity, or the
lack thereof? You don't have to help me, but what gives you the right to
attack me?
beno

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 15:01:28 2006
Message-ID: <130a355b0608250801n6762c91dk159f4880835f8bdd@mail.gmail.com>
Date: Fri, 25 Aug 2006 12:01:26 -0300
From: "Bruno Bandeira"
To: freebsd-pf@freebsd.org
Subject: Newbie

Hey Guys,

I am a newbie in the pf world, so I need to put my network on the internet ....

My gateway is a FreeBSD machine, and I have a few questions... PS: I have read
the manual =)

I need to NAT my network. How can I do this? I tried this..

nat on $ext_if from $rede to any -> ($ext_if)

My default policy is:

block in all

And the stateful inspection

pass out keep state

So I need to know how I can get it working .... from my workstation I can't
access the internet .....=(

Thanks anyway

Bruno

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 15:11:35 2006
Date:
Fri, 25 Aug 2006 17:11:29 +0200
To: Bruno Bandeira
Message-ID: <20060825151129.GA8815@marvin.harmless.hu>
In-Reply-To: <130a355b0608250801n6762c91dk159f4880835f8bdd@mail.gmail.com>
From: phoemix@harmless.hu (Gergely CZUCZY)
Cc: freebsd-pf@freebsd.org
Subject: Re: Newbie

On Fri, Aug 25, 2006 at 12:01:26PM -0300, Bruno Bandeira wrote:
> Hey Guys,
>
> I am a newbie in the pf world, so I need to put my network on the internet ....
>
> My gateway is a FreeBSD machine, and I have a few questions... PS: I have
> read the manual =)

also read this: http://www.openbsd.org/faq/pf/

> I need to NAT my network. How can I do this? I tried this..
>
> nat on $ext_if from $rede to any -> ($ext_if)

let's parse this:
+ nat: this means you will perform a NAT action, Network Address Translation
+ on $ext_if: on those packets which arrive on your $ext_if to your machine
+ from $rede: from the source of $rede (it's usually a CIDR)
+ to any: they go to anywhere, aka 0/0
+ -> ($ext_if): after translation they will have the address of the interface $ext_if

hint: check the "on" part of the rule

> My default policy is:
>
> block in all
>
> And the stateful inspection
>
> pass out keep state

that looks good. also read the faq, there are examples for this IIRC.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
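A minimal version of the gateway ruleset the FAQ example describes, as an added example that is not code from the thread: the interface names and the LAN prefix are constructed, and the rule order follows pf.conf's requirement that translation rules come before filter rules. The part worth checking against the original post is that `block in all` also matches the LAN's own packets as they arrive on the inside interface, so without a `pass in on $int_if` rule they are dropped before they ever reach the nat rule; and the kernel has to be forwarding packets at all, which pf.conf does not switch on.

```conf
# Added example (not from the thread): a NAT gateway in the shape of the
# OpenBSD PF FAQ example. Interface names and the LAN prefix are constructed.
ext_if = "fxp0"            # interface facing the ISP
int_if = "fxp1"            # interface facing the LAN
rede   = "192.168.1.0/24"  # the LAN ($rede in the original post)

# Translation: packets from the LAN leaving through $ext_if get the address
# $ext_if currently has; the parentheses make pf re-read a dynamic address.
nat on $ext_if from $rede to any -> ($ext_if)

# Default deny for everything arriving on any interface, logged to pflog0.
block in log all

# The gateway itself and the translated clients may go out; state is kept so
# the replies come back in without a separate rule.
pass out keep state

# This is the rule the original ruleset is missing: LAN traffic arrives *in*
# on $int_if before it is forwarded, so it needs an explicit pass in. Limiting
# it to the LAN prefix keeps spoofed sources on the inside interface blocked.
pass in on $int_if from $rede to any keep state

# Not pf.conf: forwarding between interfaces must be enabled, otherwise pf
# accepts the packets and the kernel simply does not route them.
#   /etc/rc.conf:   gateway_enable="YES"
#                   pf_enable="YES"
#   immediately:    sysctl net.inet.ip.forwarding=1
# Then syntax-check and load:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

With `block in log all` in place, `tcpdump -n -e -ttt -i pflog0` on the gateway shows whether the workstation's packets are being dropped on `$int_if` (missing pass-in rule) or never appear at all (client default route or forwarding problem), which separates the two failure modes a newcomer usually runs into.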
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 15:15:30 2006
Date: Fri, 25 Aug 2006 18:15:26 +0300
From: Odhiambo Washington
To: Bruno Bandeira
Cc: freebsd-pf@freebsd.org
Message-ID: <20060825151526.GA46160@ns2.wananchi.com>
In-Reply-To: <130a355b0608250801n6762c91dk159f4880835f8bdd@mail.gmail.com>
Subject: Re: Newbie

* On 25/08/06 12:01 -0300, Bruno Bandeira wrote:
| Hey Guys,
|
| I am a newbie in the pf world, so I need to put my network on the internet ....
|
| My gateway is a FreeBSD machine, and I have a few questions... PS: I have
| read the manual =)
|
| I need to NAT my network. How can I do this? I tried this..
|
| nat on $ext_if from $rede to any -> ($ext_if)
|
| My default policy is:
|
| block in all
|
| And the stateful inspection
|
| pass out keep state
|
| So I need to know how I can get it working ....
| from my workstation I
| can't access the internet .....=(
|
| Thanks anyway
|
| Bruno

Hi Bruno,

Please try to read the PF FAQ - http://cvs.openbsd.org/faq/pf/ and you will
finally land in http://cvs.openbsd.org/faq/pf/example1.html, which is what you
are asking about ;)

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

-- 
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

As the poet said, "Only God can make a tree" -- probably because it's so hard
to figure out how to get the bark on. -- Woody Allen

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 16:49:38 2006
From: Max Laier
Organization: FreeBSD
To: Frank Steinborn
Cc: gnn@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 25 Aug 2006 18:49:17 +0200
In-Reply-To: <20060824180126.DA797B828@shodan.nognu.de>
Message-Id: <200608251849.30631.max@love2party.net>
Subject: Re: I'm getting sick - Problems filtering IPv6.

On Thursday 24 August 2006 20:01, Frank Steinborn wrote:
> Max Laier wrote:
> > [please do not cut the audit trail from your replies - it really helps
> > to have all information in one email]
> >
> > Short recap for everybody: Using pf stateful rules for inet6 fails
> > for connections originating from the firewall itself to a service
> > running on the same box. Culprit seems to be interface selection in
> > inet6 (switching between the interface that has the address
> > configured and lo0). See below.
>
> Something new on that?
> I searched for a PR, and couldn't find one
> so I just wanted to ask.
>
> I could file a PR if necessary.

Please do and let me know the PR#. I almost forgot, but will look at it
over the weekend as I find time. Thanks for the reminder.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 19:02:42 2006
Date: Fri, 25 Aug 2006 14:02:38 -0500
From: "Travis H."
To: beno
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44EF027D.7050502@2012.vi>
Subject: Re: Last Two Questions (I Think...)

On 8/25/06, beno wrote:
> You are again combining lists and that is not supported, but you also

> Ender: I found a bug! Am I not asking smart questions because I found a bug?

No, you're not asking smart questions because you're making the same
mistakes over and over and you're putting random things like log(all)
in your rules; where did you get that syntax? What made you think
that would work?
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 25 19:21:36 2006
Message-ID: <44EF4DA6.1030700@2012.vi>
Date: Fri, 25 Aug 2006 15:21:10 -0400
From: beno
To: "Travis H.", freebsd-pf@freebsd.org
Subject: Re: Last Two Questions (I Think...)

Travis H. wrote:
> On 8/25/06, beno wrote:
>> You are again combining lists and that is not supported, but you also
>
>> Ender: I found a bug! Am I not asking smart questions because I found
>> a bug?
>
> No, you're not asking smart questions because you're making the same
> mistakes over and over and you're putting random things like log(all)
> in your rules; where did you get that syntax? What made you think
> that would work?

openbsd.org/faq/pf/logging.html

I will probably not be responding to this thread any more because it's
degenerating into a bashing contest, and I really don't care to be bothered
with that. Have a good day.

beno
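What the `log (all)` versus `log-all` exchange comes down to in a ruleset, as an added example that is not code from the thread (addresses, ports and the table name are constructed): on the pf shipped with FreeBSD 6.x the keywords are `log` and `log-all`, and the `log (all)` spelling belongs to later pf imports, which is why pfctl rejected the rule in the original post. The example also answers the "what should I log" question from a defender's side: the default-deny rule and the rule whose overload table catches abusive sources, not every packet of every permitted connection.

```conf
# Added example (not from the thread): logging on the pf in FreeBSD 6.x.
# All addresses, ports and the table name are constructed.
ext_if     = "fxp0"
web_server = "192.0.2.10"
tcp_ports  = "{ 80, 443 }"

# Sources that exceed the connection limits below are collected here.
table <bruteforce> persist

# The default-deny rule is the most useful thing to log: it shows what the
# filter is actually stopping. Every packet goes to pflog0 / /var/log/pflog.
block in log all
pass out keep state

# Anyone the overload put in the table is dropped, and that drop is logged
# so the table's effect is visible in the same log stream.
block in log quick from <bruteforce>

# "log" records only the packet that creates the state; "log-all" would record
# every packet of the connection, which is far more volume and belongs only on
# a rule that is being debugged right now.
pass in log quick inet proto tcp from any to $web_server port $tcp_ports \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Reading the log (shell commands, not pf.conf):
#   tcpdump -n -e -ttt -r /var/log/pflog         # what pflogd has written
#   tcpdump -n -e -ttt -i pflog0                 # live
#   tcpdump -n -e -ttt -i pflog0 action block    # dropped packets only
#   pfctl -t bruteforce -T show                  # sources the overload caught
```

The `-e` flag makes tcpdump print the pflog header, which names the rule number and the interface for each logged packet; that is what ties a logged drop back to the `block` rule that produced it. On a pf newer than the one in RELENG_6 the same rule is written with `log (all)` in place of `log-all`, and `pfctl -nf` will say which spelling the running version accepts.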