From owner-freebsd-pf@FreeBSD.ORG Sun Jun 10 17:58:29 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sun, 10 Jun 2007 19:59:54 +0200
Subject: Here we go again: pf 4.1 !!!ALPHA!!! update

Hi,

long story short: http://people.freebsd.org/~mlaier/PF41/

enjoy.

A word of caution: This is almost completely untested (even though this email passed through a minimal ruleset of pf 4.1 ;). I'd like to hear feedback, but I won't demand feedback from you until I've done some basic tests myself. Note that ALTQ and pfsync are defunct at the moment!
As is tcpdumping on pflog0 (though the basic idea should come through).

This includes the new ftp-proxy with a private libevent (as suggested by des@). It also has tftp-proxy, but not yet linked to the build.

If you do test it, please note that there are two known problems that don't need to be reported anymore (a LOR and some malloc warnings). Everything else (with sufficient debugging details) very welcome!

Thanks - hope to have a more complete update during the week.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 11 11:08:51 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 11 Jun 2007 11:08:50 GMT
Message-Id: <200706111108.l5BB8oKe026694@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/110698  pf         [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
f conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/103304  pf         [pf] pf accepts nonexistent queue in rules
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf         [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2

7 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 11 21:08:10 2007
From: "Gilberto Villani Brito" <linux@giboia.org>
To: "FreeBSD (PF)" <freebsd-pf@freebsd.org>
Date: Mon, 11 Jun 2007 18:08:04 -0300
Message-ID: <6e6841490706111408x51f53de9j9f94c6910d259035@mail.gmail.com>
Subject: Firewall delay.

Hi,
I have a firewall (FreeBSD + PF) for my network, whose speed is max 20 Mbps.
Sometimes my firewall begins losing packets with high delay.

My log:

Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 4368-5824
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 5824-7280
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 7280-8259
Jun 11 16:33:05 teste2 pf_reassemble: 8259 < 8259?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc24c4200(8279)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.137.2.2:2787 189.36.241.138:64323 69.210.247.107:26977 [lo=1070436136 high=1070436137 win=16384 modulator=0] [lo=23 high=16407 win=1 modulator=0] 10:10 RA seq=0 ack=1070436136 len=23 ackskew=0 pkts=2:1
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next -1, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-2944
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 2944, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 2944-4416
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 4416, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 4416-5888
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 5888, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 5888-7360
Jun 11 16:33:05 teste2 pf_reassemble: 8404 < 8404?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:6
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:7

I deleted the line "scrub in all" and now my log is:

Jun 11 17:59:20 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:22 teste2 pf: loose state match: TCP 24.20.246.56:45086 24.20.246.56:45086 10.137.2.2:4849 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: loose state match: TCP 10.137.2.2:4849 189.36.241.138:62521 24.20.246.56:45086 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [lo=373432 high=381624 win=8192 modulator=0] [lo=2103533023 high=2103541215 win=8192 modulator=0] 4:2 SA seq=2121929591 ack=373432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:25 teste2 pf: BAD state: TCP 10.32.3.2:4424 189.36.241.33:60839 200.77.10.59:35581 [lo=2664673092 high=2664673093 win=16384 modulator=0] [lo=860203439 high=860219823 win=1 modulator=0] 4:2 SA seq=3776746073 ack=2664673092 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on: 2 | 6
Jun 11 17:59:26 teste2 pf: BAD state: TCP 10.37.6.5:3044 189.36.241.38:53176 72.14.209.85:80 [lo=3600173939 high=3600182129 win=65535 modulator=0] [lo=2902009590 high=2902075125 win=8190 modulator=0] 4:2 SA seq=3133227478 ack=3600173939 len=0 ackskew=0 pkts=3:1 dir=in,rev

My pf.conf:

set debug misc
set timeout { interval 10, frag 30, src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, src-nodes 100000, frags 5000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

I have about 1500 IPs passing through this firewall and the server is not at full processor load.
Does somebody have any tip???

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
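The messages in the post above are what "set debug misc" produces: the pf_normalize_ip / pf_reassemble lines are the fragment reassembler (scrub) at work, "loose state match" and "BAD state" are the TCP sequence-window tracker accepting a packet only loosely or rejecting it, and "State failure on:" names the window checks that failed. As I read pf_test_state_tcp() in the pf.c of that era (this mapping is mine, not from the post), digits 1-4 are the strict, window-scaled checks and 5-8 the same checks with MAXACKWINDOW slack: 1/5 the segment ends beyond the peer's window, 2/6 it starts before the window, 3/7 and 4/8 the ACK is outside the window. The triage script below is an added example, not part of the post or of pf: it tallies those messages per first-listed endpoint (the LAN host for outbound NATed states), counts reassembly gaps and groups the failure codes, over a constructed sample taken from the lines quoted above, so you can see whether the failures cluster on a few internal hosts or on one failure code. It is plain sh plus awk and does not need pf to run.

```shell
#!/bin/sh
# Added example, not part of the post: triage of pf "set debug misc" output.
# Tallies BAD state / loose state match events per first-listed endpoint
# (the LAN host for outbound NATed states), counts reassembly gaps, and
# groups the "State failure on:" codes so you can see which window check
# keeps failing. Portable sh + awk, no pf needed to run it.

# Constructed sample: a subset of the lines quoted in the post above.
PF_SAMPLE_LOG='Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next -1, max 8404
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:6
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [lo=373432 high=381624 win=8192 modulator=0] [lo=2103533023 high=2103541215 win=8192 modulator=0] 4:2 SA seq=2121929591 ack=373432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:25 teste2 pf: BAD state: TCP 10.32.3.2:4424 189.36.241.33:60839 200.77.10.59:35581 [lo=2664673092 high=2664673093 win=16384 modulator=0] [lo=860203439 high=860219823 win=1 modulator=0] 4:2 SA seq=3776746073 ack=2664673092 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on: 2 | 6
Jun 11 17:59:26 teste2 pf: BAD state: TCP 10.37.6.5:3044 189.36.241.38:53176 72.14.209.85:80 [lo=3600173939 high=3600182129 win=65535 modulator=0] [lo=2902009590 high=2902075125 win=8190 modulator=0] 4:2 SA seq=3133227478 ack=3600173939 len=0 ackskew=0 pkts=3:1 dir=in,rev'

# Meaning of the failure digits, from pf_test_state_tcp() in the pf.c of
# that era (my reading of the source, not from the post): 1-4 are the
# strict, window-scaled checks, 5-8 the same checks with MAXACKWINDOW slack.
#   1/5  segment ends beyond the peer's window (seq too high)
#   2/6  segment starts before the window     (seq too low)
#   3/7  ack below the window                 (ackskew too negative)
#   4/8  ack beyond the window                (ackskew too positive)

# Reads pf debug lines on stdin; prints one "kind key count" line per bucket.
pf_state_summary() {
    awk '
    # Host part of the endpoint printed right after the protocol name.
    function endpoint_host(    i, a) {
        for (i = 1; i <= NF; i++)
            if ($i == "TCP" || $i == "UDP") { split($(i + 1), a, ":"); return a[1] }
        return "?"
    }
    /pf: BAD state:/                   { bad[endpoint_host()]++ }
    /pf: loose state match:/           { loose[endpoint_host()]++ }
    /pf_reassemble: missing fragment/  { missing++ }
    /pf: State failure on:/            { sub(/.*State failure on: */, ""); reasons[$0]++ }
    END {
        for (h in bad)     print "bad_state", h, bad[h]
        for (h in loose)   print "loose_match", h, loose[h]
        print "missing_fragment", "-", missing + 0
        for (r in reasons) print "failure_reason", "\"" r "\"", reasons[r]
    }'
}

# Stand-alone run over the sample; on the firewall itself you would use
#   grep ' pf' /var/log/messages | pf_state_summary
printf '%s\n' "$PF_SAMPLE_LOG" | pf_state_summary
```

On the sample every BAD state comes from a different internal host and every failure is a "1 | 5" or "2 | 6" code, i.e. sequence numbers outside the tracked window rather than ACK skew; on a real log the per-host counts are the first thing to compare against the hosts that users report as slow.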
From: snowcrash+freebsd
Sender: schneecrash@gmail.com
To: freebsd-pf <freebsd-pf@freebsd.org>, freebsd-questions@freebsd.org
Date: Mon, 11 Jun 2007 19:20:47 -0700
Message-ID: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com>
Subject: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

hi,

i'm trying to do 1:1 (nat?) *outbound* address mapping using pf, but NOT 'whole server' binat, but rather a single address&port.

i'm close, but no cigar ... any suggestions? details follow ... thanks!

i've a block of 8 static IPs, x.x.x.1 - x.x.x.8.

freebsd6.2-Rp5+pf are installed as my edge router/firewall. the router has a SINGLE external interface, "sis0", mapped at bootup to a single pppoe-generated interface, "tun0".
ifconfig shows that "tun0" is assigned the 'primary' IP of x.x.x.1. so most of my LAN->WAN traffic travels out, appearing to originate at x.x.x.1.

i've two mail servers on my LAN, at private addresses z.z.z.100 & z.z.z.200.

i've NAT+rdr set up to address-map WAN to LAN addresses for the two servers.

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to x.x.x.2 port 25 -> z.z.z.102 port 25
rdr on $ext_if proto tcp from any to x.x.x.3 port 25 -> z.z.z.103 port 25

where $ext_if == tun0.

now as to OUTBOUND mapping ... i want to make sure that traffic:

FROM internal server @ z.z.z.102:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.2
&
FROM internal server @ z.z.z.103:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.3

reading:

"PF: Network Address Translation (NAT)"
http://cvs.openbsd.org/faq/pf/nat.html

and,

"PF: Address Pools and Load Balancing"
http://cvs.openbsd.org/faq/pf/pools.html

(1) 'binat' is not what i want, as i want to ONLY map a single addr for a single port -- NOT the whole server in a 1:1 mapping for all ports

and,

(2) from the POOLS discussion, 'simple' outbound NAT:

nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)

doesn't do it either - i don't think -- as $ext_if picks up the "primary IP" assigned via the pppoe startup, x.x.x.1.

so, i think i'm in the right ballpark with *nat of some sort, but how do i get this done correctly?

cheers!
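An added example (mine, not the poster's configuration and not any reply in the thread) that puts the pieces of this thread into one ruleset. The "-> ($ext_if)" target always resolves to the address currently on the interface, which with pppoe is only x.x.x.1; a nat rule with an explicit address on its right-hand side is what gives a host a different public source address, and the explicit address does not have to be configured on tun0 as long as the upstream routes the /29 to the session (if the upstream expects to ARP for the addresses instead, add them as interface aliases, as the replies suggest). Two details differ from the rules quoted above: an outgoing SMTP connection from the server has an ephemeral source port and destination port 25, so the per-host rules match "to any port 25" rather than "from ... port 25"; and pf translates before it filters, so the inbound pass rule names the internal address and the outbound one the public address. 203.0.113.0/29 and 192.168.1.0/24 are assumed placeholders for x.x.x.0/29 and z.z.z.0/24; the interface names are the post's.

```shell
#!/bin/sh
# Added example, not from the thread: generate a pf.conf that sends each
# mail server out with its own public address and maps the matching
# inbound port back. Placeholders (assumed, not the poster's real values):
# 203.0.113.0/29 stands in for x.x.x.0/29 and 192.168.1.0/24 for z.z.z.0/24.

gen_pf_nat_conf() {
    ext_if=$1      # pppoe interface, e.g. tun0
    int_if=$2      # LAN interface, e.g. sis0
    pub=$3         # first three octets of the public /29, e.g. 203.0.113
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"

# Public addresses from the /29. Only the primary lives on \$ext_if; the
# others need no alias as long as the upstream routes the whole block here.
mail1_pub = "$pub.2"
mail2_pub = "$pub.3"
mail1_int = "192.168.1.102"
mail2_int = "192.168.1.103"

# Translation rules: the first matching nat rule wins, so the per-host
# rules go before the catch-all. The explicit address on the right-hand
# side is what makes these hosts leave with something other than the
# interface's primary address. Outbound SMTP has an ephemeral source port
# and destination port 25, so match on the destination port.
nat on \$ext_if proto tcp from \$mail1_int to any port 25 -> \$mail1_pub
nat on \$ext_if proto tcp from \$mail2_int to any port 25 -> \$mail2_pub

# Everything else masquerades behind whatever address pppoe gave \$ext_if;
# the parentheses make pf re-read the address when it changes.
nat on \$ext_if from \$int_if:network to any -> (\$ext_if)

# Inbound: each public address's port 25 goes to its own server.
rdr on \$ext_if proto tcp from any to \$mail1_pub port 25 -> \$mail1_int port 25
rdr on \$ext_if proto tcp from any to \$mail2_pub port 25 -> \$mail2_int port 25

# Filter rules see the packet after translation: the internal address on
# the way in, the public address on the way out.
pass in on \$ext_if proto tcp from any to { \$mail1_int, \$mail2_int } port 25 keep state
pass out on \$ext_if proto tcp from { \$mail1_pub, \$mail2_pub } to any port 25 keep state
EOF
}

# Print the ruleset; where pfctl exists, also parse it without loading (-n).
check_pf_nat_conf() {
    tmp=$(mktemp) || return 1
    gen_pf_nat_conf tun0 sis0 203.0.113 > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp"
    fi
    cat "$tmp"
    rm -f "$tmp"
}

check_pf_nat_conf
```

Run it on the firewall to get a syntax-checked ruleset on stdout; on any other machine it only prints the ruleset. If the mail servers should leave with their own address for all traffic and not just SMTP, drop "proto tcp" and "port 25" from the two per-host nat rules; the rule order still has to put them ahead of the catch-all.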
From owner-freebsd-pf@FreeBSD.ORG Tue Jun 12 07:04:55 2007
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: 'freebsd-pf' <freebsd-pf@freebsd.org>
Date: Tue, 12 Jun 2007 08:04:51 +0100
Message-ID: <000301c7acbf$f8bac830$ea305890$@Hennessy@nviz.net>
In-Reply-To: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com>
Subject: RE: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

> so, i think i'm in the right ballpark with *nat of some sort, but how
> do i get this done correctly?
>

There are a number of ways to do this.

Add the extra addresses as aliases to the internet facing interface. E.g.

gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e .....
/sbin/ifconfig rue0 name outside
network_interfaces="lo0 outside inside"
ifconfig_outside="inet xx.yy.zz.251 netmask 0xfffffff8 up"
ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0xffffffff"
ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0xffffffff"

Or, if you have control of the upstream router from your firewall, add static routes for either the entire CIDR block or /32 host routes for each address in the /29 you control.

The routes should point to the external address of the firewall.

Greg

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 12 13:44:23 2007
From: snowcrash <schneecrash@gmail.com>
To: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc: freebsd-questions@freebsd.org, freebsd-pf <freebsd-pf@freebsd.org>
Date: Tue, 12 Jun 2007 06:44:22 -0700
Message-ID: <70f41ba20706120644y401ee52bpe2baaf4d8c9753ef@mail.gmail.com>
In-Reply-To: <781957739614121600@unknownmsgid>
Subject: Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

hi greg,

> There are a number of ways to do this.
>
> Add the extra addresses as aliases to the internet facing interface. E.g.
>
> gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
> .....
> /sbin/ifconfig rue0 name outside
> network_interfaces="lo0 outside inside"
> ifconfig_outside="inet xx.yy.zz.251 netmask 0xfffffff8 up"
> ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0xffffffff"
> ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0xffffffff"

i am using aliases, but, atm, only for INTERNAL addresses on the router/firewall.
e.g., in rc.conf,

int_if = "sis0"
lo_if = "lo0"
ifconfig_sis0="inet x.x.x.80 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias0="x.x.x.81 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias1="x.x.x.82 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias2="x.x.x.83 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias3="x.x.x.84 netmask 255.255.255.0 mtu 1492 polling"
dhcpd_ifaces="sis0"

the $ext_if, "tun0" (pppoe) is not created UNTIL ppp launches -- later.

so, iiuc -- which i may well not -- setting aliases for the ext intfc would NOT work in rc.conf (early), but only (later) after ppp int'd the alias ... don't know what issues that causes for maintaining any/all required synchronization with pf ... which would be expecting/addressing those external intfc aliases on startup.

so, don't think this is a viable option :-/ unless ...

> Or. If you have control of the upstream router from your firewall add
> static routes for either the entire cidr block or /32 host routes for each
> address in the /29 you control.
>
> The routes should point to the external address of the firewall.

aha. i assume you really DO mean the upstream router here, NOT any router capabilities ON the firewall box itself, yes?

if so, after pppoe setup/connect, ifconfig shows,

tun0: flags=8051 mtu 1492
        inet x.x.x.1 --> aa.bb.cc.dd netmask 0xffffffff
        Opened by PID 511

and the upstream router, aa.bb.cc.dd, is my ISP's.

checking established routes, as per in "ppp.conf",

add default HISADDR

checking routes, i see the one,

netstat -nr | grep aa.bb.cc.dd
default            aa.bb.cc.dd        UGS         0       19   tun0
aa.bb.cc.dd        x.x.x.1            UH          1        3   tun0

now, looking at that, i suspect i MIGHT be able to add add'l routes in the ppp.conf transaction config -- e.g., instead of (just?)

add default HISADDR

add something 'like'

set ifaddr x.x.x.1 x.x.x.2 x.x.x.3 255.255.255.255
add x.x.x.0/29 HISADDR

but, i have to search/fumble around with the correct pppoe-time syntax. i assume that this would (?)
set up additional external intfcs, which would then be pf-addressable?

thoughts?

thanks!

From owner-freebsd-pf@FreeBSD.ORG Tue Jun 12 14:41:04 2007
From: Géczi Szabolcs <csirki@mail.tiszanet.hu>
To: freebsd-pf@freebsd.org
Date: Tue, 12 Jun 2007 16:22:31 +0200
Subject: log nat connections source address

hi,

i'd like to log nat connections with pflog. I tag the nat connections' packets and log tagged packets, but I can't log the source address of connections. in the log there are the external interface address and the destination address only.
nat on $ext_if from $internal_net to any tag natted -> {public ip}
pass out quick log on $ext_if keep state tagged natted

part of the log:

16:00:08.384847 IP publicip.62642 > www.mifene.hu.http: S 4030616034:4030616034(0) win 65535

what should I do?

thx
sz

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 13 02:13:02 2007
From: Vasily Ivanov <freebsdpf@academ.org>
Organization: Academ.org
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Date: Wed, 13 Jun 2007 09:13:52 +0700
Message-Id: <200706130913.53526.freebsdpf@academ.org>
In-Reply-To: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com>
Subject: Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?
Hello.

On 12 June 2007 09:20, snowcrash+freebsd wrote:
[- snip -]
> (2) from the POOLS discussion, 'simple' outbound NAT:
>
> nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
> nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
>
> doesn't do it either - i don't think -- as $ext_if picks up the
> "primary IP" assigned via the pppoe startup, x.x.x.1.

You can specify the required IP explicitly, like

nat on $ext_if from z.z.z.102 port 25 to any -> x.x.x.2

You don't even need aliases on the interface (at least it works for my ethernet connection, dunno about pppoe). Just make sure your upstream routes traffic to your x.x.x.x/29 into your box.

> so, i think i'm in the right ballpark with *nat of some sort, but how
> do i get this done correctly?
>
> cheers!
-- 
wbr, Vasily
http://www.academ.org

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 13 11:15:11 2007
From: Remko Lodder <remko@FreeBSD.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Wed, 13 Jun 2007 11:15:11 GMT
Message-Id: <200706131115.l5DBFBVm063548@freefall.freebsd.org>
Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups

Synopsis: pf does not use IPv6 interface addresses at startups

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Wed Jun 13 11:14:43 UTC 2007
Responsible-Changed-Why:
reassign to PF team, note that the pfboot had been discussed a lot already and probably falls outside of the scope.

http://www.freebsd.org/cgi/query-pr.cgi?pr=113650

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 13 11:44:48 2007
From: Max Laier <mlaier@FreeBSD.org>
To: janos.mohacsi@bsd.hu, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Wed, 13 Jun 2007 11:44:48 GMT
Message-Id: <200706131144.l5DBimOe066466@freefall.freebsd.org>
Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups

Synopsis: pf does not use IPv6 interface addresses at startups

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Wed Jun 13 11:43:49 UTC 2007
State-Changed-Why:
Can be fixed otherwise. Patch not a good idea in general - sorry.
http://www.freebsd.org/cgi/query-pr.cgi?pr=113650 From owner-freebsd-pf@FreeBSD.ORG Wed Jun 13 12:00:16 2007 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 63DC716A4DD for ; Wed, 13 Jun 2007 12:00:16 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 0F6B313C48C for ; Wed, 13 Jun 2007 12:00:16 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l5DC0F2o067200 for ; Wed, 13 Jun 2007 12:00:15 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l5DC0FXe067199; Wed, 13 Jun 2007 12:00:15 GMT (envelope-from gnats) Date: Wed, 13 Jun 2007 12:00:15 GMT Message-Id: <200706131200.l5DC0FXe067199@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Max Laier Cc: Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Max Laier List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jun 2007 12:00:16 -0000 The following reply was made to PR bin/113650; it has been noted by GNATS. From: Max Laier To: bug-followup@freebsd.org, janos.mohacsi@bsd.hu Cc: Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups Date: Wed, 13 Jun 2007 13:43:51 +0200 The better fix is to use the "(if0)"-syntax to pick up additional addresses as they are configured. Starting pf late(r) has the downside, that unwanted traffic can sneak in during the early boot. 
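The point behind the "(if0)" advice above is that a bare interface name in address position ("to em0") is resolved to the addresses the interface has when the ruleset is loaded, so a rule loaded at boot never covers an IPv6 address that appears later, and a block rule written that way silently stops covering it; the parenthesized form is re-evaluated whenever the interface's addresses change. The following sh/awk filter is an added example, not code from the thread or from the FreeBSD project: it rewrites bare interface names (and macros that expand to one) after "from", "to" or "->" into the tracked form, and leaves interface-position uses such as "on em0" or "route-to lo0" alone, since parentheses only mean something in address position. The interface list on the command line and the sample ruleset are constructed for the demo; "($ext_if:network)" relies on pf expanding macros textually before parsing, and address lists in braces are deliberately not handled.

```shell
#!/bin/sh
# Rewrite bare interface names in pf.conf ADDRESS position (the token after
# "from", "to" or "->") into the "(if0)" form so pf tracks the interface's
# addresses at runtime instead of resolving them once at load time.
# Interface-position uses ("on em0", "route-to lo0") are left untouched.
# Usage: track_if_addrs "em0,em1" < pf.conf > pf.conf.new

track_if_addrs() {
    awk -v ifaces="$1" '
    BEGIN { n = split(ifaces, a, ","); for (i = 1; i <= n; i++) isif[a[i]] = 1 }
    # Comment lines pass through untouched.
    /^[ \t]*#/ { print; next }
    # Remember macros that expand to one of the interfaces (ext_if="em0"),
    # so that "to $ext_if" is rewritten too; "($ext_if)" is valid pf syntax.
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"?[A-Za-z][A-Za-z0-9.]*"?[ \t]*$/ {
        name = $0; sub(/[ \t]*=.*$/, "", name)
        val = $0;  sub(/^[^=]*=[ \t]*"?/, "", val); sub(/"?[ \t]*$/, "", val)
        if (val in isif) isif["$" name] = 1
        print; next
    }
    # True when token t is an interface (or interface macro) in address
    # position, optionally with a :network / :broadcast / :0 modifier.
    function is_iface_addr(t,    base) {
        if (t ~ /^\(/) return 0          # already "(em0)" or "(em0:network)"
        base = t; sub(/:.*$/, "", base)  # strip the modifier before the lookup
        return (base in isif)
    }
    {
        ctx = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (ctx && t != "!" && is_iface_addr(t)) $i = "(" t ")"
            if (t == "from" || t == "to" || t == "->") ctx = 1
            else if (t != "!") ctx = 0   # "!" keeps the address context
        }
        print
    }'
}

# Constructed sample ruleset (not from the thread). The inet6 rules are the
# PR bin/113650 case: with a bare "em0", IPv6 addresses configured after pf
# loads are never matched.
sample_conf() {
    cat <<'EOF'
ext_if="em0"
pass in on em0 inet6 proto tcp from any to em0 port 22
pass out on $ext_if inet6 from $ext_if:network to any
nat on em0 inet from 10.0.0.0/8 to any -> em0
pass in on em0 route-to lo0 proto tcp from any to (em0) port 3128
EOF
}

# Print the rewritten ruleset. On a FreeBSD box, parse it without loading:
#   rewrite_demo | pfctl -nf -
rewrite_demo() {
    sample_conf | track_if_addrs "em0,em1"
}

rewrite_demo
```

Only the address-position tokens change: "to em0 port 22" becomes "to (em0) port 22", "-> em0" becomes "-> (em0)", the macro with modifier becomes "($ext_if:network)", while "on em0", "on $ext_if" and "route-to lo0" stay as they are.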
--
Max Laier

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 13 13:57:23 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 13 Jun 2007 15:58:49 +0200
In-Reply-To: <200706102000.03313.max@love2party.net>
Message-Id: <200706131558.56002.max@love2party.net>
Subject: Re: Here we go again: pf 4.1 !!!ALPHA!!! update

UPDATE available, details below:

On Sunday 10 June 2007, Max Laier wrote:
> http://people.freebsd.org/~mlaier/PF41/
>
> enjoy.
>
> A word of caution: This is almost completely untested (even though this
> email passed through a minimal ruleset of pf 4.1 ;). I'd like to hear
> feedback, but I won't demand feedback from you until I've done some
> basic tests myself.
>
> Note that ALTQ and pfsync are defunct at the moment! As is tcpdumping
> on pflog0 (though the basic idea should come through).
>
> This includes the new ftp-proxy with a private libevent (as suggested
> by des@). It also has tftp-proxy, but not yet linked to the build.
>
> If you do test it, please note that there are two known problems that
> don't need to be reported anymore (a LOR and some malloc warnings).
> Everything else (with sufficient debugging details) very welcome!
>
> Thanks - hope to have a more complete update during the week.

ALTQ should be working again. The malloc warnings have been resolved.
tcpdump and pfsync remain for the weekend session.

I did some more testing which didn't show any major problems - alpha
testing welcome!

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 06:27:25 2007
From: Mark Linimon
To: strgout@unixjunkie.com, linimon@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Thu, 14 Jun 2007 06:27:25 GMT
Subject: Re: conf/81042: [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
Message-Id: <200706140627.l5E6RPi0052192@freefall.freebsd.org>

Synopsis: [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4

State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Thu Jun 14 06:27:09 UTC 2007
State-Changed-Why:
Feedback timeout (> 6 months).

http://www.freebsd.org/cgi/query-pr.cgi?pr=81042

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 13:50:25 2007
From: Roger Miranda
Organization: Digital Relay Inc.
To: freebsd-pf@freebsd.org
Date: Thu, 14 Jun 2007 08:33:49 -0500
Message-Id: <200706140833.50583.rmiranda@digitalrelay.ca>
Subject: PF error message looping on screen. System Locked.

We are having a bit of a problem with FreeBSD and PF. We have transferred 150GB (+/-) yesterday over a FreeBSD 6.2 machine with if_bridge (acting as a transparent proxy).

The issue is that 5-8 hours after the boot up of the machine we get a PF loop (fast, continuous loop, so we cannot read the message) on the screen. The machine is completely unresponsive.
But I noticed that the Num Lock (only the Num Lock button) button is still responsive.

Thanks in advance for any help. I am still new at FreeBSD and pf, switching over from Linux.

Here is a copy of my pf.conf and the output of ifconfig.

----pf.conf----
int_if="em1"
ext_if="em0"
net="XXX.XXX.0.XX/16"
wac_ip="XXX.XXX.0.XX"
set optimization conservative

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in log on $int_if route-to lo0 inet proto tcp from any to any port 3128 keep state

pass in log quick on $int_if proto tcp from any to any port 80 keep state
pass in log quick on $int_if proto tcp from any to any port 443 keep state

pass in log quick on $int_if proto tcp from any to $wac_ip port 8080 keep state

pass in log quick proto icmp from any to any keep state

block in log quick on $int_if proto tcp from any to any port 1863

pass in log quick proto udp from any to any port 67:68 keep state

pass in log quick proto udp from any to any port 53 keep state

pass log quick proto tcp from any to any port 22 keep state

----Output: ifconfig-----
em0: flags=8943 mtu 1500
        options=48
        ether 00:30:48:86:97:62
        media: Ethernet autoselect (1000baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=48
        inet XXX.XXX.0.XX netmask 0xffffff00 broadcast XXX.XXX.0.XXX
        ether 00:30:48:86:97:63
        media: Ethernet autoselect (1000baseTX )
        status: active
pfsync0: flags=0<> mtu 2020
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 mtu 1500
        ether 36:3e:f7:b9:a3:4d
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em1 flags=3
        member: em0 flags=3

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 14:00:55 2007
From: Volker
To: Roger Miranda
Cc: freebsd-pf@freebsd.org
Date: Thu, 14 Jun 2007 15:59:58 +0200
In-Reply-To: <200706140833.50583.rmiranda@digitalrelay.ca>
Message-ID: <467149DE.3080600@vwsoft.com>
Subject: Re: PF error message looping on screen. System Locked.

On 06/14/07 15:33, Roger Miranda wrote:
> We are having a bit of a problem with FreeBSD and PF. We have transferred
> 150GB (+/-) yesterday over a FreeBSD 6.2 machine with if_bridge (acting as a
> transparent proxy).
>
> The issue is that 5-8 hours after the boot up of the machine we get a PF loop
> (fast, continuous loop, so we cannot read the message) on the screen. The
> machine is completely unresponsive. But I noticed that the Num Lock (only the
> Num Lock button) button is still responsive.
> [...]

Roger,

I remember a discussion about your machine in stable@ some time ago.

> We have transferred 150GB (+/-)

Using sftp, ftp, http or ...?

Are you by any chance able to get a photo (with a fast shutter time) of the debug messages? Do you have anything in /var/log/debug.log or /var/log/messages which might be useful?

I think we first need an idea of what messages are popping up.

Volker

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 14:05:25 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Volker
Date: Thu, 14 Jun 2007 16:06:13 +0200
In-Reply-To: <467149DE.3080600@vwsoft.com>
Message-Id: <200706141606.53795.max@love2party.net>
Subject: Re: PF error message looping on screen. System Locked.

On Thursday 14 June 2007, Volker wrote:
> On 06/14/07 15:33, Roger Miranda wrote:
...
> > The issue is that 5-8 hours after the boot up of the machine we get a PF
> > loop (fast, continuous loop, so we cannot read the message) on the
> > screen. The machine is completely unresponsive. But I noticed that
> > the Num Lock (only the Num Lock button) button is still responsive.
...
> Are you by any chance able to get a photo (with a fast shutter time)
> of the debug messages? Do you have anything in /var/log/debug.log or
> /var/log/messages which might be useful?
>
> I think we first need an idea of what messages are popping up.

Exactly. Other than Volker's pointers, you might also try to include debugger support and use the manual break (Ctrl+Alt+Esc) to pause and get a look at the messages. "ps" from the debugger might also be insightful.

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 15:20:34 2007
From: Volker
To: Roger Miranda
Cc: "FreeBSD (PF)"
Date: Thu, 14 Jun 2007 17:19:27 +0200
In-Reply-To: <200706140921.53115.rmiranda@digitalrelay.ca>
Message-ID: <46715C7F.4060602@vwsoft.com>
Subject: Re: PF error message looping on screen. System Locked.

[re-added cc:pf to have a wider audience, please keep this]

On 06/14/07 16:21, Roger Miranda wrote:
>> I remember a discussion about your machine in stable@ some time ago.
> Yes. I have come a bit further. Generally I would get nothing on the screen.
> I just started getting this.
>
>>> We have transferred 150GB (+/-)
>> Using sftp, ftp, http or ...?
> http / NFS / SMB
>> Are you by any chance able to get a photo (with a fast shutter time)
>> of the debug messages? Do you have anything in /var/log/debug.log or
>> /var/log/messages which might be useful?
>
> I do not have anything with that fast of a shutter. I looked in the logs; the
> message that loops is not there. But I did find the following:
>
> Jun 13 10:22:32 kernel: pf: dropping packet with ip options
> Jun 13 10:22:33 last message repeated 5 times

Roger,

I don't think this message is related to your trouble. I think you can also avoid these messages by adding 'no scrub' to your pf.conf (I'm currently not aware of any side effects of adding this).

Probably Max has some more suggestions on not scrubbing packets.

You should get a debugger into your kernel (like Max suggested) and probably also use `pfctl -x loud' or `pfctl -x misc' to get more messages out of pf. If these messages are popping up again, break the system into the debugger and look for the messages (using 'scroll lock' to scroll back some pages), ps and a backtrace.

HTH

Volker

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 15:55:36 2007
From: Roger Miranda
Organization: Digital Relay Inc.
To: Volker
Cc: "FreeBSD (PF)"
Date: Thu, 14 Jun 2007 10:56:13 -0500
In-Reply-To: <46715C7F.4060602@vwsoft.com>
Message-Id: <200706141056.15453.rmiranda@digitalrelay.ca>
Subject: Re: PF error message looping on screen. System Locked.

> I don't think this message is related to your trouble. I think you can
> also avoid these messages by adding 'no scrub' to your pf.conf (I'm
> currently not aware of any side effects of adding this).

I did add it.

> Probably Max has some more suggestions on not scrubbing packets.
>
> You should get a debugger into your kernel (like Max suggested)

The debugger is in the kernel.
I can break to it during normal operation, except when these messages are looping through the screen.

> and
> probably also use `pfctl -x loud' or `pfctl -x misc' to get more
> messages out of pf. If these messages are popping up again, break the
> system into the debugger and look for the messages (using 'scroll
> lock' to scroll back some pages), ps and a backtrace.

I have set debug to loud.

I found this after I rebooted in dmesg:
----------------------------------------------------

pf_reassemble: complete: 0xc4338100(1504)
pf_normalize_ip: reass frag 39811 @ 0-1480
pf_normalize_ip: reass frag 39811 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4453d00(1504)
pf_normalize_ip: reass frag 40067 @ 0-1480
pf_normalize_ip: reass frag 40067 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc43bdc00(1504)
pf_normalize_ip: reass frag 40323 @ 0-1480
pf_normalize_ip: reass frag 40323 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc440ac00(1504)
pf_normalize_ip: reass frag 57987 @ 0-1480
pf_normalize_ip: reass frag 57987 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4336800(1504)
pf_normalize_ip: reass frag 58243 @ 0-1480
pf_normalize_ip: reass frag 58243 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4407300(1504)
pf_normalize_ip: reass frag 58499 @ 0-1480
pf_normalize_ip: reass frag 58499 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc413d400(1504)
pf_normalize_ip: reass frag 58755 @ 0-1480
pf_normalize_ip: reass frag 58755 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4337000(1504)
pf_normalize_ip: reass frag 59011 @ 0-1480
pf_normalize_ip: reass frag 59011 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4786300(1504)
pf_normalize_ip: reass frag 59267 @ 0-1480
pf_normalize_ip: reass frag 59267 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc43bdd00(1504)
pf_normalize_ip: reass frag 59523 @ 0-1480
pf_normalize_ip: reass frag 59523 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc451bc00(1504)
pf_normalize_ip: reass frag 59779 @ 0-1480
pf_normalize_ip: reass frag 59779 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4336b00(1504)
pf_normalize_ip: reass frag 60035 @ 0-1480
pf_normalize_ip: reass frag 60035 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc451a000(1504)
pf_normalize_ip: reass frag 60547 @ 0-1480
pf_normalize_ip: reass frag 60547 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4788100(1504)
pf_normalize_ip: reass frag 60803 @ 0-1480
pf_normalize_ip: reass frag 60803 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4338e00(1504)
pf_normalize_ip: reass frag 61059 @ 0-1480
pf_normalize_ip: reass frag 61059 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4337800(1504)
pf_normalize_ip: reass frag 61827 @ 0-1480
pf_normalize_ip: reass frag 61827 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4458d00(1504)
pf_normalize_ip: reass frag 62083 @ 0-1480
pf_normalize_ip: reass frag 62083 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc43c0a00(1504)
pf_normalize_ip: reass frag 62339 @ 0-1480
pf_normalize_ip: reass frag 62339 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4336b00(1504)
pf_normalize_ip: reass frag 63619 @ 0-1480
pf_normalize_ip: reass frag 63619 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4334400(1504)
pf_normalize_ip: reass frag 63875 @ 0-1480
pf_normalize_ip: reass frag 63875 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4336800(1504)
pf_normalize_ip: reass frag 64131 @ 0-1480
pf_normalize_ip: reass frag 64131 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4332d00(1504)
pf_normalize_ip: reass frag 900 @ 0-1480
pf_normalize_ip: reass frag 900 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4454e00(1504)
pf_normalize_ip: reass frag 1156 @ 0-1480
pf_normalize_ip: reass frag 1156 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc43c1200(1504)
pf_normalize_ip: reass frag 1412 @ 0-1480
pf_normalize_ip: reass frag 1412 @ 1480-1484
pf_reassemble: 1484 < 1484?
pf_reassemble: complete: 0xc4458100(1504)

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 17:42:15 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 14 Jun 2007 19:43:25 +0200
In-Reply-To: <200706141056.15453.rmiranda@digitalrelay.ca>
Message-Id: <200706141943.32931.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1+DsYKiStoFJvIU+ashamWSTeDz6Si+yW3+oHZ 1wDROmSn56k6G6N93H6dKelGJWxTEyIhcLVNlSahZXDhAearIg XnTjW9SgUNgKOlNYnFcWw== Cc: Volker Subject: Re: PF error message looping on screen. System Locked. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jun 2007 17:42:15 -0000 --nextPart1432492.4PuehGltGc Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 14 June 2007, Roger Miranda wrote: > > I don't think this message is related to your trouble. I think you > > can also avoid these messages by adding 'no scrub' to your pf.conf > > (I'm currently not aware of any side effects by adding this). > > I did add it. > > > Probably Max has some more suggestions on not scrubbing packets. > > > > You should get a debugger into your kernel (like Max suggested) > > The debugger is in the kernel. I can break to it during normal > operation. Except when these messages are loop through the screen. > > > and > > probably also use `pfctl -x loud' or `pfctl -x misc' to get more > > messages out of pf. If these messages are popping up again, break the > > system into the debugger and look for the messages (using 'scroll > > lock' to scroll back some pages), ps and a backtrace. > > I have set debug to loud. > > I found this after I rebooted in dmesg: > ---------------------------------------------------- > > pf_reassemble: complete: 0xc4338100(1504) > pf_normalize_ip: reass frag 39811 @ 0-1480 > pf_normalize_ip: reass frag 39811 @ 1480-1484 > pf_reassemble: 1484 < 1484? That's a configuration problem. Something seems to assume a MTU of 1484=20 while there really is a bottleneck with only 1480 which leads to heavy=20 fragmentation. 
You should find the offender and reduce its MTU. If those messages show
up, you did not use "no scrub", however.

--
/"\ Best regards,                      | mlaier@freebsd.org
\ / Max Laier                          | ICQ #67774661
 X  http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \ ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 14 18:00:32 2007
From: Roger Miranda
To: Volker
Cc: FreeBSD (PF)
Date: Thu, 14 Jun 2007 13:01:13 -0500
Subject: Re: PF error message looping on screen. System Locked.
> Roger,
>
> I don't think this message is related to your trouble. I think you can
> also avoid these messages by adding 'no scrub' to your pf.conf (I'm
> currently not aware of any side effects by adding this).
>
> Probably Max has some more suggestions on not scrubbing packets.
>
> You should get a debugger into your kernel (like Max suggested) and
> probably also use `pfctl -x loud' or `pfctl -x misc' to get more
> messages out of pf. If these messages are popping up again, break the
> system into the debugger and look for the messages (using 'scroll
> lock' to scroll back some pages), ps and a backtrace.
>
> HTH
>
> Volker

I found the following in dmesg just a while ago ("BAD state" line). It
looks similar to what is looping on the screen when the system locks up.
Could pf be mixing or confusing states?

pf_normalize_ip: reass frag 21897 @ 0-1480
pf_normalize_ip: reass frag 21897 @ 1480-2960
pf_normalize_ip: reass frag 21897 @ 2960-4440
pf_normalize_ip: reass frag 21897 @ 4440-5920
pf_normalize_ip: reass frag 21897 @ 5920-5940
pf_reassemble: 5940 < 5940?
pf_reassemble: complete: 0xc413be00(5960)
pf: BAD state: TCP 127.0.0.1:3128 207.253.106.226:80 192.168.0.103:2700 [lo=2780948104 high=2781013640 win=16384 modulator=0] [lo=3673678172 high=3673694556 win=65535 modulator=0] 4:2 R seq=2780948104 ack=3673678172 len=0 ackskew=0 pkts=1:1 dir=in,fwd
pf: State failure on: |
pf: BAD state: TCP 127.0.0.1:3128 207.253.106.226:80 192.168.0.103:2700 [lo=2780948104 high=2781013640 win=16384 modulator=0] [lo=3673678172 high=3673694556 win=65535 modulator=0] 4:2 R seq=2780948104 ack=3673678172 len=0 ackskew=0 pkts=1:2 dir=in,fwd
pf: State failure on: |
pf: BAD state: TCP 127.0.0.1:3128 207.253.106.226:80 192.168.0.103:2700 [lo=2780948104 high=2781013640 win=16384 modulator=0] [lo=3673678172 high=3673694556 win=65535 modulator=0] 4:2 R seq=2780948104 ack=3673678172 len=0 ackskew=0 pkts=1:3 dir=in,fwd
pf: State failure on: |
pf_normalize_ip: reass frag 22153 @ 0-1480
pf_normalize_ip: reass frag 22153 @ 1480-2960
pf_normalize_ip: reass frag 22153 @ 2960-4440
pf_normalize_ip: reass frag 22153 @ 4440-5920
pf_normalize_ip: reass frag 22153 @ 5920-5940
pf_reassemble: 5940 < 5940?
pf_reassemble: complete: 0xc43c1800(5960)
pf_normalize_ip: reass frag 22409 @ 0-1480
pf_normalize_ip: reass frag 22409 @ 1480-2960
pf_normalize_ip: reass frag 22409 @ 2960-4440
pf_normalize_ip: reass frag 22409 @ 4440-5920
pf_normalize_ip: reass frag 22409 @ 5920-5940
pf_reassemble: 5940 < 5940?
pf_reassemble: complete: 0xc4409c00(5960)
pf_normalize_ip: reass frag 22665 @ 0-1480
pf_normalize_ip: reass frag 22665 @ 1480-2960
pf_normalize_ip: reass frag 22665 @ 2960-4440
pf_normalize_ip: reass frag 22665 @ 4440-5920
pf_normalize_ip: reass frag 22665 @ 5920-5940
pf_reassemble: 5940 < 5940?
pf_reassemble: complete: 0xc4335a00(5960)

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 06:52:47 2007
From: "Vlad GURDIGA"
To: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 09:24:51 +0300
Subject: pf(4) + fetch(1) + http://ftp.gnu.org
Hello,

There is one strange thing going on with this combination. I have seen
this many times by now: when fetch(1) is trying to download something
from http://ftp.gnu.org, it hangs after a very small amount of data,
sometimes at 0%. After disabling pf(4), fetch(1) does not hang any more,
so I guess that the problem is somewhere in my pf.conf. Here it is:

---- pf.conf -- begin ---
ext_if = "em0"
icmp_types="echoreq"

# don't filter on the loopback interface
set skip on lo0
set block-policy return

scrub all no-df random-id reassemble tcp

# setup a default deny policy
block all

# activate spoofing protection for the internal interface.
antispoof quick for lo0 inet

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
---- pf.conf -- end ---

Any idea what's wrong here?
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 07:11:47 2007
From: Volker
To: Vlad GURDIGA
Cc: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 09:10:41 +0200
Subject: Re: pf(4) + fetch(1) + http://ftp.gnu.org

On 06/15/07 08:24, Vlad GURDIGA wrote:
> Hello,
>
> There is one strange thing going on
> with this combination. I saw this many times by now: when fetch(1) is
> trying to download something from http://ftp.gnu.org, it is hanging
> after a very small amount of data; sometimes on 0%. After disabling
> pf(4), fetch(1) is not hanging any more, so I guess that the problem
> is somewhere in my pf.conf. Here is it:
>
> ---- pf.conf -- begin ---
> ext_if = "em0"
> icmp_types="echoreq"
>
> # don't filter on the loopback interface
> set skip on lo0
> set block-policy return
>
> scrub all no-df random-id reassemble tcp
>
> # setup a default deny policy
> block all
>
> # activate spoofing protection for the internal interface.
> antispoof quick for lo0 inet
>
> # pass tcp, udp, and icmp out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp.
> pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto {udp, icmp} all keep state
> ---- pf.conf -- end ---
>
> Any idea what's wrong here?

Vlad,

if we're out of ideas, there would be something wrong... ;)

My first try is to replace your 'pass out on $ext_if ... modulate state
...' by 'keep state'. modulate state is more of use for incoming
connections, as you don't want half-open connections to your services.
HTH

Volker
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 16:11:03 2007
From: Roger Miranda
To: Volker
Cc: FreeBSD (PF)
Date: Fri, 15 Jun 2007 10:11:26 -0500
In-Reply-To: <46715C7F.4060602@vwsoft.com>
Subject: Re: PF error message looping on screen. System Locked.

On Thursday 14 June 2007 10:19, Volker wrote:
> [re-added cc:pf to have a wider audience, please keep this]
>
> On 06/14/07 16:21, Roger Miranda wrote:
> >> I remember a discussion about your machine in stable@ some time ago.
> >
> > Yes. I have come a bit further. Generally I would get nothing on the
> > screen. I just started getting this.
> >
> >>> We have transferred 150GB (+/-)
> >>
> >> Using sftp, ftp, http or ...?
> >
> > http / NFS / SMB
> >
> >> Are you by any chance being able to get a photopicture (with fast
> >> shutter time) of the debug messages? Do you have anything in
> >> /var/log/debug.log /var/log/messages which might be useful?
> >
> > I do not have anything with that fast of a shutter. I looked in the
> > logs; the message that loops is not there.
> > But I did find the following:
> >
> > Jun 13 10:22:32 kernel: pf: dropping packet with ip options
> > Jun 13 10:22:33 last message repeated 5 times
>
> Roger,
>
> I don't think this message is related to your trouble. I think you can
> also avoid these messages by adding 'no scrub' to your pf.conf (I'm
> currently not aware of any side effects by adding this).
>
> Probably Max has some more suggestions on not scrubbing packets.
>
> You should get a debugger into your kernel (like Max suggested) and
> probably also use `pfctl -x loud' or `pfctl -x misc' to get more
> messages out of pf. If these messages are popping up again, break the
> system into the debugger and look for the messages (using 'scroll
> lock' to scroll back some pages), ps and a backtrace.
>
> HTH
>
> Volker

Alright, I have encountered the loop messages again today. I have debug
set to loud and "no scrub" is in pf.conf. I managed to get a 5 sec. video
of the loop. Get it at:

http://64.201.181.165:82/pfloop.avi

Any help would be appreciated.
Roger

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 18:48:36 2007
From: "Leandro Malaquias"
To: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 15:22:53 -0300
Subject: pf version 3.7 on freebsd
I've heard that the pf version being used on freebsd 6-stable is 3.7, so
the features "pass" and "log" when using "rdr" won't work. Is this true??

Sincerely,

Leandro

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 19:11:23 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 21:12:44 +0200
In-Reply-To: <8142b02f0706151122s2775911fme30e79f67e4da625@mail.gmail.com>
Subject: Re: pf version 3.7 on freebsd

On Friday 15 June 2007, Leandro Malaquias wrote:
> I've heard that the pf version being used on freebsd 6-stable is 3.7 so
> the features "pass" and "log" when using "rdr" won't work.
> Is this true??

Yes, FreeBSD RELENG_6's pf is based on OpenBSD 3.7. Yes, "log" is not
valid for rdr rules in that version. No, "pass" is valid on rdr rules.

There is also an update to OpenBSD 4.1 code available from
http://people.freebsd.org/~mlaier/PF41/ for testing.

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 19:12:33 2007
From: "Greg Hennessy"
To: "'Leandro Malaquias'"
In-Reply-To: <8142b02f0706151122s2775911fme30e79f67e4da625@mail.gmail.com>
Date: Fri, 15 Jun 2007 20:12:29 +0100
Subject: RE: pf version 3.7 on freebsd

> I've heard that the pf version being used on freebsd 6-stable is 3.7 so
> the features "pass" and "log" when using "rdr" won't work.
> Is this true??

Yes and yes, Max Laier has just found a mechanism to squeeze 27 hours into
a working day and is currently porting the 4.1 PF code into CURRENT.

http://people.freebsd.org/~mlaier/PF41/

All beta testers gratefully accepted.
Greg

> Sincerely,
>
> Leandro

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 19:13:12 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 21:14:48 +0200
In-Reply-To: <200706131558.56002.max@love2party.net>
Subject: Re: Here we go again: pf 4.1 !!!ALPHA!!!
 update

And again ...

On Wednesday 13 June 2007, Max Laier wrote:
> UPDATE available details below:
>
> On Sunday 10 June 2007, Max Laier wrote:
> > http://people.freebsd.org/~mlaier/PF41/
> >
> > enjoy.

minor update to fix a build issue. There is some initial pfsync locking as
well, but it's not working yet. This time only the tarball changed, so
there is no new diff.

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 19:30:48 2007
From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Fri, 15 Jun 2007 14:30:46 -0500
In-Reply-To: <8142b02f0706151122s2775911fme30e79f67e4da625@mail.gmail.com>
Subject: Re: pf version 3.7 on freebsd

Leandro Malaquias wrote:
>
> I've heard that the pf version being used on freebsd 6-stable is 3.7 so the
> features "pass" and "log" when using "rdr" won't work.

"pass" works, but "log" does not. You can work around this by forgoing
"pass" and instead use "tag" to add a NAT tag to your redirected packets,
then create a "pass" rule which passes and logs the resultant traffic.

    rdr on $EXT_IF proto tcp from x.x.x.x to y.y.y.y port zz \
        tag REDIRECT -> w.w.w.w

    pass in log quick on $EXT_IF all tagged REDIRECT

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing,
but I couldn't give it up because by that time I was too famous.
-- Robert Benchley

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 16 01:45:56 2007
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 16 Jun 2007 03:47:24 +0200
X-Provags-ID: V01U2FsdGVkX1+5/kohqPo8zXyDhvD3j1C3PK0NDjzvQkn2zGM tdWmD89gZppLMhs9e67Rpk919fJAJ7KVfDxVp6tn5NgBIR111M WAEerUYI8DWmcAyegodyQ== Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org Subject: pf 4.1 Update available for testing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Jun 2007 01:45:56 -0000 --nextPart2912810.rfjCpjmcA6 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Hi, $subject at: http://people.freebsd.org/~mlaier/PF41/ As of today (20070616) I consider this to be BETA quality (at least). =20 Please test and provide me (and freebsd-pf@) with feedback (good or=20 else). If things work out well, I plan to commit this soon. To make testing easier I'm working on RELENG_6 patches as well, but it=20 will be a bit to get through the fix/build/repeat-cycles. Note that almost every API/ABI changed (as usual in OpenBSD-land) and thus= =20 you need to compile world, remove your old pflogd files. Also note that=20 the pfsync protocol has changed and thus you won't be able to sync an old=20 and a new box. It should be possible to sync with a OpenBSD 4.1 box,=20 however. Enjoy and report back! 
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From: Roger Miranda
Organization: Digital Relay Inc.
To: volker@vwsoft.com
Date: Sat, 16 Jun 2007 08:26:15 -0500
Cc: freebsd-pf@freebsd.org
Subject: Re: PF error message looping on screen. System Locked.

On Thursday 14 June 2007 10:19, Volker wrote:
> [re-added cc:pf to have a wider audience, please keep this]
>
> On 06/14/07 16:21, Roger Miranda wrote:
> >> I remember a discussion about your machine in stable@ some time ago.
> >
> > Yes. I have come a bit further. Generally I would get nothing on the
> > screen. I just started getting this.
> >
> >>> We have transferred 150GB (+/-)
> >>
> >> Using sftp, ftp, http or ...?
> >
> > http / NFS / SMB
> >
> >> Are you by any chance able to get a photo (with a fast
> >> shutter time) of the debug messages? Do you have anything in
> >> /var/log/debug.log /var/log/messages which might be useful?
> >
> > I do not have anything with that fast of a shutter. I looked in the logs;
> > the message that loops is not there. But I did find the following:
> >
> > Jun 13 10:22:32 kernel: pf: dropping packet with ip options
> > Jun 13 10:22:33 last message repeated 5 times
>
> Roger,
>
> I don't think this message is related to your trouble. I think you can
> also avoid these messages by adding 'no scrub' to your pf.conf (I'm
> currently not aware of any side effects by adding this).
>
> Probably Max has some more suggestions on not scrubbing packets.
>
> You should get a debugger into your kernel (like Max suggested) and
> probably also use `pfctl -x loud' or `pfctl -x misc' to get more
> messages out of pf. If these messages are popping up again, break the
> system into the debugger and look for the messages (using 'scroll
> lock' to scroll back some pages), ps and a backtrace.
>
> HTH
>
> Volker

Alright, I have encountered the loop messages again today.
I have debug set to loud and "no scrub" is in pf.conf.

I managed to get a 5 sec. video of the loop. Get it at:
http://64.201.181.165:82/pfloop.avi

Any help would be appreciated.

Roger

From: Volker
To: Roger Miranda
Date: Sat, 16 Jun 2007 17:20:39 +0200
Cc: freebsd-pf@freebsd.org
Subject: Re: PF error message looping on screen. System Locked.

On 06/16/07 15:26, Roger Miranda wrote:
> [...]
> Alright, I have encountered the loop messages again today.
> I have debug set to loud and "no scrub" is in pf.conf.
>
> I managed to get a 5 sec. video of the loop. Get it at:
> http://64.201.181.165:82/pfloop.avi
>
> Any help would be appreciated.
>
> Roger

Roger,

watched your video (the next time, please mix some nice music in... just kidding).

I've seen tons of 'pf: loose state match' messages. After seeing this, I took another look at your rules and am wondering about this one:

    rdr on $int_if inet proto tcp from any to any port www -> \
        127.0.0.1 port 3128

    pass in log on $int_if route-to lo0 inet proto tcp from any to \
        any port 3128 keep state

I've never tried a combination like that but I think it might be dangerous. When a packet arrives at your $int_if with a destination port 80, the rdr rule will replace the destination address with 127.0.0.1 port 3128. The pass rule will route that packet to lo0. I think you can safely avoid that extra step. Try it just like:

    rdr on $int_if inet proto tcp from any to any port www -> \
        127.0.0.1 port 3128

    pass in log quick on $int_if inet proto tcp from any to \
        any port 3128 flags S/SA keep state

and see if you still see error messages. (Please note the missing 'route-to' statement, an added 'quick' statement and the added 'flags S/SA' option.)

If that doesn't help, I recommend rewriting your rules a bit and using 'set state-policy if-bound' (which I'm using mostly as I find it better to administer). Unfortunately I don't have experience with state-policy if-bound in a bridged environment (just a little warning).

HTH

Volker
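As an added example (not a ruleset posted by anyone in this thread), David's tag trick for logging redirected traffic and Volker's corrected redirect, put together into one pf.conf for a transparent proxy with if-bound states; the interface names, the LAN prefix, the proxy port and the tag name are assumptions.

```pf
# Added example, not taken from the thread. Interface names, the LAN prefix,
# the proxy port and the tag name are assumptions.
ext_if     = "em0"
int_if     = "em1"
lan_net    = "192.168.1.0/24"   # constructed example network
proxy_port = "3128"

# Options come first. States are bound to the interface they were created
# on (the if-bound policy recommended above) instead of the default floating
# policy, so a flow seen on two interfaces does not trip 'loose state match'.
set state-policy if-bound
set debug urgent                # 'loud' is the console-flooding setting

scrub in all

# ---- Weak version: the redirect as quoted from the original ruleset -------
# rdr on $int_if inet proto tcp from any to any port www -> \
#     127.0.0.1 port 3128
# pass in log on $int_if route-to lo0 inet proto tcp from any to \
#     any port 3128 keep state
#
# The packet has already been rewritten to 127.0.0.1 when the pass rule
# sees it, so 'route-to lo0' is an extra hop it does not need; without
# 'quick' a later rule can override this pass, and without 'flags S/SA'
# any mid-stream packet (not just the SYN) is enough to create state.

# ---- Corrected version ----------------------------------------------------
# Translation is evaluated before the filter rules. 'tag' marks the
# redirected packets so that a pass rule can log them on pf versions where
# 'rdr ... log' is not accepted.
rdr on $int_if inet proto tcp from $lan_net to any port www \
    tag PROXY_RDR -> 127.0.0.1 port $proxy_port

# Default deny; every pass below is 'quick', so nothing falls through here.
block log all

# Local loopback traffic is not filtered.
pass quick on lo0 all

# The filter sees the translated destination. Only a SYN (S/SA) creates
# state, 'quick' ends evaluation, and 'tagged' restricts this rule to the
# redirected sessions, which is exactly what gets written to pflog0.
pass in log quick on $int_if inet proto tcp from $lan_net to 127.0.0.1 \
    port $proxy_port flags S/SA keep state tagged PROXY_RDR

# Remaining LAN traffic through the box, unlogged; with if-bound states a
# second state is created on $ext_if by the pass out rule below.
pass in quick on $int_if inet from $lan_net to any keep state

# Everything leaving via the external interface (forwarded LAN traffic and
# the proxy's own fetches) keeps state; replies match that state.
pass out quick on $ext_if inet all keep state
```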
From: Adam McDougall
To: Volker
Cc: freebsd-pf@freebsd.org
Date: Sat, 16 Jun 2007 15:29:53 -0400
Subject: Re: PF error message looping on screen. System Locked.

On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
> On 06/16/07 15:26, Roger Miranda wrote:
> > Alright, I have encountered the loop messages again today.
> > I have debug set to loud and "no scrub" is in pf.conf.
> [...]
> I've seen tons of 'pf: loose state match' messages.
> [...]
> If that doesn't help, I recommend rewriting your rules a bit and using
> 'set state-policy if-bound' (which I'm using mostly as I find it better
> to administer). Unfortunately I don't have experience with
> state-policy if-bound in a bridged environment (just a little warning).

I was thinking the same thing regarding if-bound. I use if-bound in production on a pf bridge and found it avoids lots of loose state match and other state confusion. Also, I have found using pf loud debugging tends to deadlock the console after not too long if I have more than one cpu enabled, so I avoid using it in production. After much testing, I feel comfortable without it, however interesting it is.
From: Volker
To: Adam McDougall
Cc: freebsd-pf@freebsd.org
Date: Sun, 17 Jun 2007 00:15:20 +0200
Subject: filtering bridges [was: PF error message looping on screen]

On 06/16/07 21:29, Adam McDougall wrote:
> On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
> ...
> > If that doesn't help, I recommend rewriting your rules a bit and using
> > 'set state-policy if-bound' (which I'm using mostly as I find it better
> > to administer). Unfortunately I don't have experience with
> > state-policy if-bound in a bridged environment (just a little warning).
>
> I was thinking the same thing regarding if-bound. I use if-bound in production
> on a pf bridge and found it avoids lots of loose state match and other state
> confusion. Also, I have found using pf loud debugging tends to deadlock the
> console after not too long if I have more than one cpu enabled, so I avoid
> using it in production. After much testing, I feel comfortable without it,
> however interesting it is.

Adam,

good to know someone else will re-check my writings! ;) A couple of days ago I was writing something totally stupid but nobody complained (conclusion: I will avoid posting to mailing lists when my uptime is -gt 24h).

Thanks for your hint. I wasn't quite sure if if-bound works on bridges as I don't have much bridge experience.

On a bridge, does it make sense to filter on bridge0 or is it generally better to filter on its member interfaces? Using a quick Google search, I found some problems when filtering on the bridge interface in the past, but if I were in need of setting up a bridge, the first thing for me would be to filter on the bridge interface and not on the member interfaces. What's the big reason for either?

Thanks

Volker