From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 11:08:28 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 23 Oct 2006 11:08:27 GMT
Message-Id: <200610231108.k9NB8RV0027738@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o kern/82271    pf    [pf] cbq scheduler cause bad latency
f kern/86072    pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949    pf    [pf] PF + ALTQ problems with latency
o sparc/93530   pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker       Resp. Description
--------------------------------------------------------------------------------
o conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825    pf    [pf] pf reply-to doesn't work
o kern/94992    pf    [pf] [patch] pfctl complains about ALTQ missing
o kern/103304   pf    pf accepts nonexistent queue in rules

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 20:49:53 2006
From: "Aristeu Gil Alves Jr"
To: freebsd-pf@freebsd.org
Date: Mon, 23 Oct 2006 18:49:35 -0200
Message-ID: <2c84c1de0610231349k1c303ff1ie790d498d3ce47db@mail.gmail.com>
Subject: reply-to+synproxy versus default route

The reply-to is not working when it is used with synproxy. The scenario is described below; gw-isp1 and gw-isp2 are the IP addresses of the ISP 1 and ISP 2 gateways:

/etc/pf.conf
------------------------------------
if_isp1="ed0"
if_isp2="ed1"
if_internal="ed2"
route1="( ed0 gw-isp1 )"
route2="( ed1 gw-isp2 )"

rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
rdr on $if_isp2 proto tcp to port 25 -> 192.168.0.2 port 25

block in log all

pass in quick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2 port 25 synproxy state
pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2 port 25 synproxy state
pass out quick on $if_internal to 192.168.0.2 port 25 keep state
--------
The default route is the ISP1 gateway.
--------

The problem is that even though pf is given the route, the reply packet obeys the system default route. Example: a SYN packet comes in on the ISP2 interface and the reply goes out via ISP1, resulting in communication failure. When I use keep state instead of synproxy state, the communication goes as expected.
--
Aristeu Gil Alves Jr

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 20:59:45 2006
From: "Aristeu Gil Alves Jr"
To: freebsd-pf@freebsd.org
Date: Mon, 23 Oct 2006 18:18:41 -0200
Message-ID: <2c84c1de0610231318m170dfe55wbc4f3af4fc929b22@mail.gmail.com>
Subject: reply-to versus default route - PF/synproxy

The reply-to is not working when it is used with synproxy. The scenario is described below; gw-isp1 and gw-isp2 are the IP addresses of the ISP 1 and ISP 2 gateways:

/etc/pf.conf
------------------------------------
if_isp1="ed0"
if_isp2="ed1"
if_internal="ed2"
route1="( ed0 gw-isp1 )"
route2="( ed1 gw-isp2 )"

rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
rdr on $if_isp2 proto tcp to port 25 -> 192.168.0.2 port 25

block in log all

pass in quick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2 port 25 synproxy state
pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2 port 25 synproxy state
pass out quick on $if_internal to 192.168.0.2 port 25 keep state
--------
The default route is the ISP1 gateway.
--------

The problem is that even though pf is given the route, the reply packet obeys the system default route. Example: a SYN packet comes in on the ISP2 interface and the reply goes out via ISP1, resulting in communication failure. When I use keep state instead of synproxy state, the communication goes as expected.

--
Aristeu Gil Alves Jr

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 21:10:24 2006
From: Daniel Hartmeier
To: Aristeu Gil Alves Jr
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Oct 2006 23:10:01 +0200
Message-ID: <20061023211001.GA8162@insomnia.benzedrine.cx>
In-Reply-To: <2c84c1de0610231349k1c303ff1ie790d498d3ce47db@mail.gmail.com>
Subject: Re: reply-to+synproxy versus default route

On Mon, Oct 23, 2006 at 06:49:35PM -0200, Aristeu Gil Alves Jr wrote:

> The reply-to is not working when it is used with synproxy.

Yes, that's a known problem. Packets generated by pf itself (synproxy, return-rst, etc.) don't honour route-to or reply-to options. It's on some to-do list, but hasn't been implemented yet.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 21:43:42 2006
From: "Aristeu Gil Alves Jr"
To: freebsd-pf@freebsd.org
Date: Mon, 23 Oct 2006 18:54:10 -0200
Message-ID: <2c84c1de0610231354x445eafc6tf2afc36735160e2c@mail.gmail.com>
In-Reply-To: <2c84c1de0610231349k1c303ff1ie790d498d3ce47db@mail.gmail.com>
Subject: Re: reply-to+synproxy versus default route

Sorry for the typo. "The reply-to is not working when it is used with synproxy"

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 23:13:50 2006
From: Michal Mertl
To: freebsd-pf
Date: Tue, 24 Oct 2006 01:13:44 +0200
Message-Id: <1161645224.1054.80.camel@genius.i.cz>
Subject: BAD state with pftpx

I wanted to run an FTP server on a machine protected by PF on FreeBSD 6.1-p10. I use pftpx for normal client proxying, as PF's ftp-proxy in FreeBSD is outdated and does not work for my FTP clients (Windows XP with the firewall enabled does not allow the connections to originate from a different IP address than the one the client connected to). The pftpx proxy seems to also support standing in front of an FTP server.

I use the following for configuring pf for the task (pftpx 0.8_1 from ports):
--
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8022
anchor "pftpx/*"
--

I run pftpx with "pftpx -c 8022 -f 127.0.0.1 -d -D 7" and the stock ftpd with "ftpd -D -a 127.0.0.1". The connection from outside is established and I can do passive transfers. Active ones (either PORT or EPRT) don't work, and with "set debug loud" in /etc/pf.conf I see these messages on the console:
---
pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 [lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] [lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] 10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on: 2 | 6
---

Debug output of pftpx follows:
---
#1 client: EPRT |1|client.ip|52124|\r\n
#1 proxy: EPRT |1|127.0.0.1|61630|\r\n
#1 server: 200 EPRT command successful.\r\n
#1 active: server to client port 52124 via port 61630
#1 client: LIST\r\n
---

I haven't yet had a chance to test it on RELENG_6 or CURRENT, but I think the code there is the same. There may be a bug in pftpx as well. Is there any other way to allow an FTP server (active and passive) to run behind/on a PF-protected firewall? Active should work without a proxy, but I want both and do not want to open up the firewall for passive without a proxy.
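The "BAD state" line above carries every value pf used when it refused the packet, so the decision can be re-run offline. The following Python is an added example for this thread, not code from pf, pftpx or the original post. It parses the debug line and repeats the six sequence-window tests of pf_test_state_tcp() as they read in the pf.c of the FreeBSD 6.x era (the digit labels 1 to 6 are the ones pf prints after "State failure on:"; both are my reading of the source). The sample line is the one from the post, with its server.ip / client.ip placeholders kept. On it the check reproduces "2 | 6": the SYN-ACK's sequence number 2588730766 lies below the window pf expects from that endpoint (lo=3208002793) by far more than one window, in 32-bit wraparound arithmetic, which is what a packet that matched an existing state's address tuple but belongs to a different connection looks like.

```python
"""Re-run pf's TCP sequence-window check on a 'pf: BAD state' debug line.

Added example for this thread: not code from pf, pftpx or the original
post.  The six tests and their digit labels follow pf_test_state_tcp()
as it reads in pf.c of the FreeBSD 6.x era (my reading of the source).
SAMPLE is the line from the post; server.ip / client.ip are the poster's
own placeholders.
"""
import re
import sys

MAXACKWINDOW = 65535        # pf's fixed slack for retransmits and reordering
MASK = 0xFFFFFFFF

SAMPLE = (
    "pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 "
    "[lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] "
    "[lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] "
    "10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev"
)

# One state endpoint as pf_print_state() prints it (wscale is only printed
# when window scaling was negotiated; this parser assumes it is present).
_EP = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\]"
LINE_RE = re.compile(
    r"pf: BAD state: TCP (\S+) (\S+) (\S+) " + _EP + " " + _EP +
    r" \d+:\d+ (\S+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=-?\d+ "
    r"pkts=\d+:\d+ dir=(in|out),(fwd|rev)"
)


def seq_geq(a, b):
    """pf's SEQ_GEQ(): a >= b in 32-bit wraparound sequence space."""
    return ((a - b) & MASK) < 0x80000000


def to_int32(x):
    """Reinterpret a u_int32 difference as the C 'int' pf stores ackskew in."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x


def parse_bad_state(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a pf 'BAD state' TCP line")
    g = m.groups()

    def endpoint(i):
        return {"lo": int(g[i]), "hi": int(g[i + 1]),
                "win": int(g[i + 2]), "wscale": int(g[i + 3])}

    return {"addrs": g[0:3], "ep": (endpoint(3), endpoint(7)),
            "flags": g[11], "seq": int(g[12]), "ack": int(g[13]),
            "len": int(g[14]), "rev": g[16] == "rev"}


def window_check(rec):
    """Return the digits pf prints after 'State failure on:' (empty = pass)."""
    # pf_print_state() prints the state's src endpoint first.  For a packet
    # travelling against the state's direction (dir=...,rev) pf swaps the
    # two before calling them src and dst.
    src, dst = rec["ep"]
    if rec["rev"]:
        src, dst = dst, src
    syn, fin = "S" in rec["flags"], "F" in rec["flags"]
    # Window scaling only applies once both sides set it and SYN is past.
    if src["wscale"] and dst["wscale"] and not syn:
        sws, dws = src["wscale"], dst["wscale"]
    else:
        sws = dws = 0
    seq = rec["seq"]
    end = (seq + rec["len"] + syn + fin) & MASK
    ackskew = to_int32(dst["lo"] - rec["ack"])

    checks = [
        seq_geq(src["hi"], end),                                  # 1
        seq_geq(seq, (src["lo"] - (dst["win"] << dws)) & MASK),   # 2
        ackskew >= -MAXACKWINDOW,                                 # 3
        ackskew <= (MAXACKWINDOW << sws),                         # 4
        seq_geq((src["hi"] + MAXACKWINDOW) & MASK, end),          # 5
        seq_geq(seq, (src["lo"] - MAXACKWINDOW) & MASK),          # 6
    ]
    return [i + 1 for i, ok in enumerate(checks) if not ok]


def format_failure(fails):
    """Lay the digits out like pf's '%c %c %c %c | %c %c', whitespace collapsed."""
    cells = [str(i) if i in fails else " " for i in range(1, 7)]
    raw = " ".join(cells[:4]) + " | " + " ".join(cells[4:])
    return " ".join(raw.split())


def explain(line):
    rec = parse_bad_state(line)
    src, dst = rec["ep"]
    if rec["rev"]:
        src, dst = dst, src
    fails = window_check(rec)
    return {"fails": fails, "label": format_failure(fails),
            "flags": rec["flags"], "seq": rec["seq"],
            "expected_lo": src["lo"], "expected_hi": src["hi"]}


if __name__ == "__main__":
    lines = sys.stdin if not sys.stdin.isatty() else [SAMPLE]
    for l in lines:
        if "pf: BAD state: TCP" in l:
            r = explain(l)
            print(f"flags={r['flags']} seq={r['seq']} expected "
                  f"[{r['expected_lo']}..{r['expected_hi']}] -> {r['label'] or 'ok'}")
```

Run it with no input to see the verdict for the sample line, or pipe console or dmesg output into it to decode every "BAD state" line pf logged. Checks 1 and 2 bracket the packet against the peer's advertised window, 3 and 4 bound how far back or forward the ACK may point, and 5 and 6 are the looser MAXACKWINDOW fallbacks; a digit to the right of the bar means the packet was off by more than pf's fixed slack, not just a late retransmit.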
Thanks
Michal

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 24 09:29:31 2006
From: "Kian Mohageri"
To: "Aristeu Gil Alves Jr"
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Oct 2006 02:28:56 -0700
In-Reply-To: <2c84c1de0610231318m170dfe55wbc4f3af4fc929b22@mail.gmail.com>
Subject: Re: reply-to versus default route - PF/synproxy

On 10/23/06, Aristeu Gil Alves Jr wrote:
>
> route1="( ed0 gw-isp1 )"
> route2="( ed1 gw-isp2 )"
>
> rdr on $if_isp1 proto tcp to port 25 -> 192.168.0.2 port 25
> rdr on $if_isp2 proto tcp to port 25 -> 192.168.0.2 port 25
>
> block in log all
>
> pass in quick on $if_isp1 reply-to $rota1 proto tcp to 192.168.0.2
> port 25 synproxy state
> pass in quick on $if_isp2 reply-to $rota2 proto tcp to 192.168.0.2
> port 25 synproxy state
>

What are the $rota1 and $rota2 macros set to?

-Kian

--
Kian Mohageri

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 24 14:36:35 2006
From: "Aristeu Gil Alves Jr"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Oct 2006 11:33:16 -0300
Message-ID: <2c84c1de0610240733k39546da2s47492d7864db4711@mail.gmail.com>
Subject: Re: reply-to versus default route - PF/synproxy

> What are the $rota1 and $rota2 macros set to?

Oops, I first made the example in Portuguese to send to another list, and used the same example in the English message. Actually these are $route1 and $route2.

Daniel in his message answered my question very well. That was the answer I needed. I don't know why this is not in the manual.

--
Aristeu Gil Alves Jr

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 24 18:27:40 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Tue, 24 Oct 2006 21:27:33 +0300
Message-Id: <200610242127.33703.antik@bsd.ee>
Subject: pf firewall shows ports are open?

Hello all!

I've got a strange problem here; looks like I am too dumb to understand this.

My current PF rules:
------------------------------------------------------------------------------------------
pfctl -sa
FILTER RULES:
scrub in all fragment reassemble
block drop all
block drop in from no-route to any
pass out inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = http flags S/SA synproxy state
pass on nve0 proto icmp all
pass out on nve0 proto tcp from (nve0) to any keep state
pass out on nve0 proto udp from (nve0) to any keep state
pass in on nve0 proto tcp from any to (nve0) port = http keep state
block drop on nve0 from to any

No queue in use
------------------------------------------------------------------------------------------

Why does nmap show me that these ports are open? I can't connect with ssh because it is blocked, I guess, so why do I see it here?
------------------------------------------------------------------------------------------
nmap 192.168.2.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-10-24 21:23 EEST
Interesting ports on 192.168.2.100:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp

Nmap finished: 1 IP address (1 host up) scanned in 14.412 seconds
------------------------------------------------------------------------------------------

The original config file is here:

. /etc/rc.subr

name="pf_rules"
rcvar=`set_rcvar`
start_cmd="create_rules"
required_files="$pf_rules"

create_rules () {
	echo "Creating $pf_rules."
	echo "set skip on { lo0 }" > $pf_rules
	echo "scrub in all" >> $pf_rules
	echo "block drop all" >> $pf_rules
	# block anything coming from source we have no back routes for
	echo "block in from no-route to any" >> $pf_rules
	# echo "pass quick on all" >> $pf_rules
	echo 'table persist file "/etc/blacklist"' >> $pf_rules
	echo "pass out inet proto icmp all icmp-type echoreq keep state" >> $pf_rules
	echo "pass in proto tcp from any to any port www flags S/SA synproxy state" >> $pf_rules
	for inf in `ifconfig -l` ; do
		# skip loopback, parallel-port, tunnel and pfsync interfaces
		if echo "$inf" | egrep -v 'lo|plip|gif|tun|pfsync' >/dev/null ; then
			echo "pass on $inf proto icmp all" >> $pf_rules
			# Allow all outgoing traffic
			echo "pass out on $inf proto { tcp,udp } from ($inf) to any keep state" >> $pf_rules
			# Check if we have a /etc/pf.inports file, and open those ports
			if [ -e "/etc/pf.inports" ]
			then
				for PORT in `grep "^udp: " /etc/pf.inports | cut -d " " -f 2`
				do
					echo "pass in on $inf proto udp from any to ($inf) port $PORT keep state" >> $pf_rules
				done
				for PORT in `grep "^tcp: " /etc/pf.inports | cut -d " " -f 2`
				do
					echo "pass in on $inf proto tcp from any to ($inf) port $PORT keep state" >> $pf_rules
				done
			fi
			# Deny all from our blacklist
			echo "block on $inf from to any" >> $pf_rules
		fi
	done
}

load_rc_config $name
run_rc_command "$1"

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 24 19:08:20 2006
From: "albi albinootje"
To: "Andrei Kolu"
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Oct 2006 21:08:12 +0200
Message-ID: <6a1189840610241208k701bfa53v44035536f06d8c91@mail.gmail.com>
In-Reply-To: <200610242127.33703.antik@bsd.ee>
Subject: Re: pf firewall shows ports are open?

On 10/24/06, Andrei Kolu wrote:
> I've got a strange problem here; looks like I am too dumb to understand this.
>
> My current PF rules:
--cut--
> nmap 192.168.2.100

I haven't looked at your pf rules properly, but you're scanning from inside the LAN? If you need your firewall to block outside access, you should scan from the outside.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 24 19:32:15 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Tue, 24 Oct 2006 22:32:06 +0300
Message-Id: <200610242232.07076.antik@bsd.ee>
In-Reply-To: <6a1189840610241208k701bfa53v44035536f06d8c91@mail.gmail.com>
Subject: Re: pf firewall shows ports are open?

On Tuesday 24 October 2006 10:08 pm, you wrote:
> On 10/24/06, Andrei Kolu wrote:
> > I've got a strange problem here; looks like I am too dumb to understand
> > this.
> >
> > My current PF rules:
>
> --cut--
>
> > nmap 192.168.2.100
>
> I haven't looked at your pf rules properly, but you're scanning from
> inside the LAN?
> If you need your firewall to block outside access, you should scan
> from the outside.

I want to block all access, not just outside. Or does it show open ports because I scanned from the same computer?
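The two scans in this thread (one run on 192.168.2.100 itself, one run from another machine) differ for a reason worth making mechanical. A scan of a host's own address never crosses nve0: FreeBSD routes the host's own addresses over lo0, which the ruleset's "set skip on { lo0 }" exempts from filtering, so the local scan lists every listening daemon regardless of pf. Only a scan from a second host exercises the rules. The following Python is an added example for this thread, not code from nmap, pf or the posts; it parses nmap's normal output for both scans (the port tables are the ones posted, trimmed to the lines the parser reads) and reports which listening ports are actually exposed, which pf shields, and which pf lets probes reach even though nothing listens.

```python
"""Compare an nmap scan taken on the firewall host with one taken from
another machine, to list what pf really exposes.

Added example for this thread, not code from nmap, pf or the posts.  A
scan of 192.168.2.100 run on 192.168.2.100 never crosses nve0: FreeBSD
routes a host's own addresses over lo0, which 'set skip on { lo0 }'
exempts from filtering, so that scan lists every listening daemon.  Only
the scan from a second machine exercises the rules.  The two port tables
are the ones from the posts, trimmed to the lines this parser reads.
"""
import re

LOCAL_SCAN = """\
Interesting ports on 192.168.2.100:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp
"""

REMOTE_SCAN = """\
Interesting ports on 192.168.2.100:
Not shown: 1679 filtered ports
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:50:8D:xx:xx:xx (Abit Computer)
"""

# nmap's normal-output port table, e.g. "22/tcp  open  ssh".
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")
# The state nmap assigns to every port it does not list individually.
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (\S+) ports")


def parse_nmap(text):
    """Return ({(port, proto): state}, state_of_unlisted_ports)."""
    ports, default = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            default = m.group(1)
    return ports, default


def exposure_report(local_text, remote_text):
    """Classify each locally listening port by what the remote scan saw.

    exposed:   open from outside too -> pf passes it and a daemon answers
    shielded:  listening locally but not open from outside -> pf drops it
    reachable: answered from outside (open or closed) -> pf lets probes
               through whether or not anything listens; a 'closed' here is
               the host's own RST, not the firewall
    """
    local, _ = parse_nmap(local_text)
    remote, remote_default = parse_nmap(remote_text)
    listening = {p for p, s in local.items() if s == "open"}
    exposed = {p for p in listening if remote.get(p, remote_default) == "open"}
    reachable = {p for p, s in remote.items() if s in ("open", "closed")}
    return {
        "listening": sorted(listening),
        "exposed": sorted(exposed),
        "shielded": sorted(listening - exposed),
        "reachable": sorted(reachable),
        "unlisted_remote_state": remote_default,
    }


if __name__ == "__main__":
    for key, value in exposure_report(LOCAL_SCAN, REMOTE_SCAN).items():
        print(f"{key}: {value}")
```

On the posted scans the report shows nothing exposed, ssh, netbios-ssn, microsoft-ds and ipp shielded, and 80/tcp reachable: the http pass rule lets the probe through and, with no web server running, the host answers with a RST, which nmap reports as "closed". To reuse it, save the two scans with nmap -oN and feed the file contents to exposure_report().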
Now I understand. Scanned from another computer:
-----------------------------------------------------------------------------------
Interesting ports on 192.168.2.100:
Not shown: 1679 filtered ports
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:50:8D:xx:xx:xx (Abit Computer)

Nmap finished: 1 IP address (1 host up) scanned in 24.686 seconds
-----------------------------------------------------------------------------------

Scanned from localhost:
-----------------------------------------------------------------------------------
Interesting ports on 192.168.2.100:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp

Nmap finished: 1 IP address (1 host up) scanned in 14.438 seconds
-----------------------------------------------------------------------------------

OK, looks like my firewall is actually in working condition; the only problem now is that I can't connect to SMB shares for some reason....

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 25 17:35:04 2006
From: "Aristeu Gil Alves Jr"
To: "Daniel Hartmeier"
Cc: freebsd-pf@freebsd.org
Date: Wed, 25 Oct 2006 15:28:26 -0200
Message-ID: <2c84c1de0610251028k70fa766bu9022d2d978166c0@mail.gmail.com>
In-Reply-To: <20061023211001.GA8162@insomnia.benzedrine.cx>
Subject: Re: reply-to+synproxy versus default route

On 2006/10/23, Daniel Hartmeier wrote:
> It's on some to-do list, but hasn't been implemented yet.

Daniel,

Is there a public link to the TODO list or BUG list for pf?

Thx!!

--
Aristeu Gil Alves Jr