From owner-freebsd-pf@FreeBSD.ORG Sun Sep 30 16:21:26 2007
From: Umar <unix.co@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 30 Sep 2007 09:21:25 -0700 (PDT)
Subject: how to include external file in pf.conf
List-Id: "Technical discussion and general questions about packet filter (pf)" (freebsd-pf@freebsd.org)

Dear Members!

Is it possible that I can include another configuration file, e.g. (mycustom.conf), within pf.conf?

Kind Regards,
Umar Draz
From owner-freebsd-pf@FreeBSD.ORG Sun Sep 30 17:44:33 2007
From: Richard Coleman <rcoleman@criticalmagic.com>
Organization: Critical Magic, Inc.
To: BB
Cc: FreeBSD-pf mail list
Date: Sun, 30 Sep 2007 13:44:32 -0400
Subject: Re: FreeBSD bridge pf squid

If you are willing to access the console for all changes, the bridging firewall does not need any IP addresses at all. It will be a pure layer 2 appliance.

Richard Coleman
rcoleman@criticalmagic.com

BB wrote:
> Would like to setup a Squid transparent proxy -
>
> NET <-> COMCAST_CABLE_MODEM <-> FBSD_PROXY_BRIDGE <-> NETGEAR_WIRELESS_ROUTER <-> LAN
>
> Little confused about bridging with or without IP's redirecting (rdr) to
> localhost on port 3128
>
> Does the FreeBSD box need to have IP's on the bridge interfaces? Would
> prefer not to have any IP's on the bridge interfaces.
>
> Sorry if this has already been discussed, but it's not clear to me.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 1 09:24:51 2007
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: Umar
Cc: freebsd-pf@freebsd.org
Date: Mon, 1 Oct 2007 02:24:49 -0700
Subject: Re: how to include external file in pf.conf

On 9/30/07, Umar wrote:
>
> Dear Members!
>
> Is it possible that i can include another configuration file e.g
> (mycustom.conf) within pf.conf
>

Have you read about anchors?

http://www.openbsd.org/faq/pf/anchors.html

-Kian

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 1 11:08:37 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 1 Oct 2007 11:08:35 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid
o bin/116610   pf    [patch] teach tcpdump(1) to cope with the new-style pf

4 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c
o kern/115640  pf    [net] [pf] pfctl -k dont works
o kern/116645  pf    pfctl -k does not work in securelevel 3

7 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 1 13:52:04 2007
From: Антон Дергачев (Anton Dergachev) <a.v.dergatcheff@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 1 Oct 2007 17:27:19 +0400
Subject: FreeBSD 6.2-STABLE + PF + BINAT problem

Good time of day!

I have two servers with FreeBSD 6.2-STABLE on them, both with pf compiled into the kernel. The first one works fine. It has 5 ISP-registered world IP addresses and serves a small LAN with some WEB and FTP servers. The second one doesn't work at all. It has over 100 ISP IPs and a list of binat rules in its config. I don't know what to do, but this pf.conf has worked fine under OpenBSD 3.9 for a year! pfctl -xm && pfctl -si and reading /var/log/messages don't clear up the situation. The option gateway_enable="YES" is present in rc.conf.

# cat /etc/pf.conf
ext_if="em0"
cli_if="em1"
adsl_net="192.168.12.0/24"

set timeout { interval 30, frag 90 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }
set timeout { icmp.first 80, icmp.error 40 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, frags 1000000, src-nodes 1000000 }
set loginterface none
set optimization conservative
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

scrub in all fragment reassemble min-ttl 15 max-mss 2500
scrub all reassemble tcp

altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
queue cli bandwidth 4.0Mb { adsl_ext }
queue adsl_ext bandwidth 100% cbq(default red)

altq on $cli_if cbq bandwidth 5.0Mb queue { adsl_int }
queue adsl_int bandwidth 4.0Mb priority 5 cbq(default red)

binat on $ext_if from 192.168.12.11 to any -> a.b.c.1
<... and so on for over 100 IPs....>

nat on $ext_if from em1:network to any -> { z.x.y.1, z.x.y.2, z.x.y.3} round-robin sticky-address

table persist
block quick on $ext_if from to any

pass out on $ext_if from $adsl_net to any queue adsl_ext
pass out on $cli_if from any to $adsl_net queue adsl_int

# As you see, only one rule for filtering, and two rules for the shaper. Where is my error?

Sincerely yours,
Anthony V.
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 2 08:01:39 2007
From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Date: Tue, 02 Oct 2007 11:01:27 +0300
Subject: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?

Dear members of this list,

Recently, it was stated here by Andrew Thompson that

> anything that is destined for the
> local host is tapped off early and handled specially.

This referred to the fact that packets passing through a bridging firewall can be filtered on the individual inbound/outbound interfaces, but packets destined for the bridging firewall (that has assigned an IP address to the bridge interface) can only be filtered on the bridge interface.

I have now run into a problem with this. I am setting up a routing firewall with several DMZs, but for various reasons the DMZs use the same IP range as the internal net. I.e., the DMZs are bridged to the internal net, and the entire IP subnet is then routed to the external world. To clarify things, this looks similar to the following:

bridge0 = em0, em1
bridge0 has IP x.x.x.254
DMZ connected to em0 and consists of the IP addresses x.x.x.0 - 15
Internal net connected to em1 and consists of x.x.x.16-253
em2 is the external interface and has IP x.x.y.123

Now, first of all, I wanted to set up a rule that makes sure that it is impossible to use IPs from the internal range in the DMZ network segment and vice versa, so that a hacked server in the DMZ cannot change its IP and pretend to be one of our (maybe powered off) internal servers. My first try was as follows:

block quick on em0 from !x.x.x.0/28
block quick on em1 from x.x.x.0/28

This works fine as long as a machine in the DMZ is trying to communicate with a machine in the internal zone. However, the above rules do not match packets sent from a machine with an illegal IP in the DMZ and destined for the firewall, because those packets only appear on bridge0. However, when I filter the packets on bridge0, I have no idea whether they arrived on the DMZ interface or on the internal interface.

Is there any other possibility of finding out which member of a bridge an inbound packet has arrived on?

Regards
Tobias

P.S.: FreeBSD 6.2-RELEASE

--
Universität Stuttgart | Fakultät für Architektur und Stadtplanung | casinoIT
70174 Stuttgart, Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228  F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de  I http://www.casino.uni-stuttgart.de

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 2 09:16:12 2007
From: Andrew Thompson <thompsa@FreeBSD.org>
To: Tobias Ernst
Cc: freebsd-pf@freebsd.org
Date: Tue, 2 Oct 2007 22:16:10 +1300
Subject: Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
On Tue, Oct 02, 2007 at 11:01:27AM +0300, Tobias Ernst wrote:
> Dear members of this list,
>
> Recently, it was stated here by Andrew Thompson that
>
> > anything that is destined for the
> > local host is tapped off early and handled specially.
>
> This referred to the fact that packets passing through a bridging
> firewall can be filtered on the individual inbound/outbound interfaces,
> but packets destined for the bridging firewall (that has assigned an ip
> address to the bridge interface) can only be filtered on the bridge
> interface.
>
> I have now run into a problem with this. I am setting up a routing
> firewall with several DMZ, but for various reasons the DMZ use the same
> IP range as the internal net. I.e., the DMZ are bridged to the internal
> net, and the entire IP subnet is then routed to the external world.
> [...]
>
> However, the above rules do not match packets sent from a machine with
> an illegal IP in the DMZ and destined for the firewall, because those
> packets only appear on bridge0. However, when I filter the packets on
> bridge0, I have no idea whether they arrived on the DMZ interface or on
> the internal interface.
>
> Is there any other possibility of finding out which member of a bridge
> an inbound packet has arrived on?

Yes, a new option was added to HEAD that allows this (pfil_local_phys); it adds an additional packet filter call on the member interface for local packets.

> P.S.: FreeBSD 6.2-RELEASE

It's not in 6.2 unfortunately but will be MFC'd in time for 6.3.

Andrew

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 2 09:34:11 2007
From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Date: Tue, 02 Oct 2007 12:34:00 +0300
Subject: Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
Andrew Thompson wrote:
> Yes, a new option was added to HEAD that allows this (pfil_local_phys),
> it adds an additional packet filter call on the member interface for
> local packets.
> Its not in 6.2 unfortunately but will be MFC'd in time for 6.3

Thank you very much for your quick and very useful response.

Hmm, I need to keep "supported" versions of FreeBSD on this machine. I would be willing to go to STABLE now and then go back to 6.3 when it is released, but going to CURRENT is probably too gross a violation of our policy. I will try the patch from kern/116051 on my 6.2 sources, though. The description says that it has been tested on 6.2, and hopefully 6.3 will be out by the time my setup goes into production.

Thanks again!

Regards
Tobias

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 3 14:37:03 2007
From: "Nex Mon" <sugarfreemonkey@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 3 Oct 2007 22:10:59 +0800
Subject: ALTQ HFSC_MAX_CLASSES limit

Hello,

Is there a maximum limit that can be set for HFSC_MAX_CLASSES before HFSC starts to fail or shows unexpected behavior? The default is only 64, which means you can only add up to 64 queues. I want to increase that value to 1000 or more (required for my setup, where I need to allocate 1 queue per client). Is there any limitation or consideration to this value? How many queues can HFSC support under heavy traffic load?

I've tried digging for answers and docs in the list and on the internet but I couldn't find any. Any help is very much appreciated.

Thanks
Mon

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 08:52:20 2007
From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Date: Thu, 04 Oct 2007 11:52:05 +0300
Subject: Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?

Tobias Ernst wrote:
> I will try the patch from kern/116051 on my 6.2 sources, though. The
> description says that it has been tested on 6.2, and hopefully 6.3 will
> be out by the time my setup goes into production.

For the interested audience: Applying this patch to 6.2 requires some modifications, but they are rather straightforward. My patch for 6.2 is below. After applying it, you can do

sysctl net.link.bridge.pfil_local_phys=1

After that, packets destined for an IP address of the local firewall that is assigned to a bridge interface will show up in PF on the individual bridge member that they physically arrive on (e.g. em0) RATHER than on the bridge interface of which the physical interface is a member (e.g. bridge0). The packets will then be visible on the physical interface only, so if you were previously filtering on bridge0, you now have to adapt your rules to filter on each individual member interface.

Many thanks to Andrew for pointing me in the right direction, and of course to Eygene for developing this patch.

Regards
Tobias

*** if_bridge.c.ORIG	Tue Oct 2 11:33:42 2007
--- if_bridge.c	Tue Oct 2 15:01:09 2007
***************
*** 281,286 ****
--- 281,287 ----
  static int pfil_member = 1; /* run pfil hooks on the member interface */
  static int pfil_ipfw = 0;   /* layer2 filter with ipfw */
  static int pfil_ipfw_arp = 0;   /* layer2 filter with ipfw */
+ static int pfil_local_phys = 0; /* PATCH show phys interface for bridge-destined packages */
  SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW,
      &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled");
  SYSCTL_INT(_net_link_bridge, OID_AUTO, ipfw_arp, CTLFLAG_RW,
***************
*** 289,294 ****
--- 290,297 ----
      &pfil_bridge, 0, "Packet filter on the bridge interface");
  SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW,
      &pfil_member, 0, "Packet filter on the member interface");
+ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_local_phys, CTLFLAG_RW,
+     &pfil_local_phys, 0, "Show physical interface for bridge-destined packets");
  
  struct bridge_control {
  	int	(*bc_func)(struct bridge_softc *, void *);
***************
*** 1984,1989 ****
--- 1987,2006 ----
  
  	if (memcmp(eh->ether_dhost, IFP2ENADDR(bifp),
  	    ETHER_ADDR_LEN) == 0) {
+ 		/* Try to filter on the physical interface.
+ 		 *
+ 		 */
+ 		if (pfil_local_phys && ((inet_pfil_hook.ph_busy_count >= 0)
+ #ifdef INET6
+ 		    || (inet6_pfil_hook.ph_busy_count >= 0)
+ #endif
+ 		    )) {
+ 			if (bridge_pfil(&m, ifp, NULL, PFIL_IN)!=0 ||
+ 			    m == NULL) {
+ 				BRIDGE_UNLOCK(sc);
+ 				return NULL;
+ 			}
+ 		}
  		/*
  		 * If the packet is for us, set the packets source as the
  		 * bridge, and return the packet back to ether_input for

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 19:19:25 2007
From: Umar <unix.co@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 4 Oct 2007 12:19:24 -0700 (PDT)
Subject: altq within anchor

Dear members!

I want to include an altq anchor within my pf.conf but I got an error.
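Review bot: in the `*** 281,286 ****` hunk of the if_bridge.c patch above, the comment on the new `pfil_local_phys` variable says "bridge-destined packages" where it means packets, and still carries a "PATCH" marker; before this is committed make it read like its neighbours and like the sysctl string in the next hunk, e.g. `/* run pfil hooks on the member interface for bridge-destined packets */`.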
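Review bot: the `*** 289,294 ****` hunk adds a net.link.bridge sysctl without documentation: if_bridge(4) describes the other pfil_* knobs (pfil_bridge, pfil_member, pfil_onlyip), so pfil_local_phys needs an entry there, and the description "Show physical interface for bridge-destined packets" understates what the knob does; say that it adds a packet filter pass on the receiving member interface for packets addressed to the bridge itself, which is what the code in the 1984,1989 hunk implements.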
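Review bot: in the `*** 1984,1989 ****` hunk, `bridge_pfil(&m, ifp, NULL, PFIL_IN)` passes the receiving member as the second argument and NULL as the third; this file distinguishes a bridge-interface pass (pfil_bridge) from a member pass (pfil_member), so confirm that this argument order makes the new call a member pass controlled by pfil_member rather than a bridge pass controlled by pfil_bridge, otherwise `sysctl net.link.bridge.pfil_member=0` will not turn it off. Two smaller points: the new block falls through to the existing "If the packet is for us" code, which still hands the packet to ether_input as the bridge's own, so whatever filtering bridge-destined packets received on bridge0 before this change still happens after it and a passing packet is evaluated twice; the sysctl description or commit message should say so. And the comment `/* Try to filter on the physical interface. * */` has an empty continuation line that should be completed or dropped.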
here is the altqrule file /home/anchor-altq

altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
queue default bandwidth 90Mb cbq (default)
queue ip bandwidth 90Kb
queue ip5 bandwidth 90Kb
queue ip6 bandwidth 90Kb
queue ip7 bandwidth 90Kb
anchor altqrules

here is my /etc/pf.conf file

<-------snip-------->

int_if = "fxp0"
ext_if = "rl0"
lan_net = "192.168.1.0/24"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }

set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Bandwidth Shaping
anchor altqrules
load anchor altqrules from "/home/anchor-altq"

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from { $lan_net } to any -> ($ext_if)

pass in quick on lo0 all
pass in quick on $int_if from $lan_net to any keep state
pass out on $int_if from any to any keep state
pass out on $ext_if from any to any keep state

# default deny
block in log on $ext_if

<-------snip-------->

but when I reload my pf I get the error

Reloading pf rules.
/etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering

Please help, what should I do?

Regards,

Umar Draz
-- 
View this message in context: http://www.nabble.com/altq-within-anchor-tf4570970.html#a13046989
Sent from the freebsd-pf mailing list archive at Nabble.com.

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 20:32:42 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C904816A46E for ; Thu, 4 Oct 2007 20:32:42 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from smtp802.mail.ird.yahoo.com (smtp802.mail.ird.yahoo.com [217.146.188.62]) by mx1.freebsd.org (Postfix) with SMTP id 5A15513C494 for ; Thu, 4 Oct 2007 20:32:41 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: (qmail 1954 invoked from network); 4 Oct 2007 19:35:17 -0000 Received: from unknown (HELO ?192.168.1.2?)
(thomasjudge@btinternet.com@217.44.142.35 with plain) by smtp802.mail.ird.yahoo.com with SMTP; 4 Oct 2007 19:35:17 -0000 X-YMail-OSG: zICG1rEVM1lSsPH7_iTlXi248.mOOQa6MdEro4EiXJHmyw6f7xjXVAz5mao4XHMAfy_F2ceUbLefx.eiloTxM1aFE4eDF1UCCm34qHJhuUFPFgCZ7vtvcGdA5PbbLFNrTXBw Message-ID: <47054F99.5090001@tomjudge.com> Date: Thu, 04 Oct 2007 21:39:53 +0100 From: Tom Judge User-Agent: Thunderbird 1.5.0.13 (X11/20070824) MIME-Version: 1.0 To: Umar References: <13046989.post@talk.nabble.com> In-Reply-To: <13046989.post@talk.nabble.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: altq within anchor X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 20:32:42 -0000

Umar wrote:
> Dear members!
>
> I want to include altq anchor within my pf.conf but I got an error.
>
> here is the altqrule file /home/anchor-altq
>
> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
> queue default bandwidth 90Mb cbq (default)
> queue ip bandwidth 90Kb
> queue ip5 bandwidth 90Kb
> queue ip6 bandwidth 90Kb
> queue ip7 bandwidth 90Kb
> anchor altqrules
>
> here is my /etc/pf.conf file
>
> <-------snip-------->
>
> int_if = "fxp0"
> ext_if = "rl0"
> lan_net = "192.168.1.0/24"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
>
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # Bandwidth Shaping
> anchor altqrules
> load anchor altqrules from "/home/anchor-altq"
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>
> pass in quick on lo0 all
> pass in quick on $int_if from $lan_net to any keep state
> pass out on $int_if from any to any keep state
> pass out on $ext_if from any to any keep state
>
> # default deny
> block in log on $ext_if
>
> <-------snip-------->
>
> but when I reload my pf I get the error
>
> Reloading pf rules.
> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>
> Please help, what should I do?
>
> Regards,
>
> Umar Draz

Hi,

As the above messages state, the rules must be present in the rules file in a fixed order:

1) Options
2) Normalization
3) Queueing (aka ALTQ)
4) Translation (aka NAT)
5) Filtering

Quote from pf.conf(5):

    With the exception of macros and tables, the types of statements should be grouped and appear in pf.conf in the order shown above, as this matches the operation of the underlying packet filtering engine. By default pfctl(8) enforces this order (see set require-order below).

And again from pf.conf(5):

    set require-order
        By default pfctl(8) enforces an ordering of the statement types in the ruleset to: options, normalization, queueing, translation, filtering. Setting this option to no disables this enforcement. There may be non-trivial and non-obvious implications to an out of order ruleset. Consider carefully before disabling the order enforcement.

Tom

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 21:32:29 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 33F9A16A417 for ; Thu, 4 Oct 2007 21:32:29 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from smtp802.mail.ird.yahoo.com (smtp802.mail.ird.yahoo.com [217.146.188.62]) by mx1.freebsd.org (Postfix) with SMTP id BC34F13C45A for ; Thu, 4 Oct 2007 21:32:28 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: (qmail 65542 invoked from network); 4 Oct 2007 21:32:27 -0000 Received: from unknown (HELO ?192.168.1.2?)
(thomasjudge@btinternet.com@217.44.142.35 with plain) by smtp802.mail.ird.yahoo.com with SMTP; 4 Oct 2007 21:32:27 -0000 X-YMail-OSG: SZt9efcVM1kneobVmVMFJf5CDBio66gUOV2ZVoWUKrHlBxsLFInRwi2AOlXgzCnyuO1kMRjmIaYKPVSeEGm06FNrA0o9ZjM8_Gv5PaNdsYj8D3dmuq1yXaudOAXcHbCgqQI6 Message-ID: <47056B10.5040700@tomjudge.com> Date: Thu, 04 Oct 2007 23:37:04 +0100 From: Tom Judge User-Agent: Thunderbird 1.5.0.13 (X11/20070824) MIME-Version: 1.0 To: Umar References: <13046989.post@talk.nabble.com> <47054F99.5090001@tomjudge.com> In-Reply-To: <47054F99.5090001@tomjudge.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: altq within anchor X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 21:32:29 -0000

Tom Judge wrote:
> Umar wrote:
>> Dear members!
>>
>> I want to include altq anchor within my pf.conf but I got an error.
>>
>> here is the altqrule file /home/anchor-altq
>>
>> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
>> queue default bandwidth 90Mb cbq (default)
>> queue ip bandwidth 90Kb
>> queue ip5 bandwidth 90Kb
>> queue ip6 bandwidth 90Kb
>> queue ip7 bandwidth 90Kb
>> anchor altqrules
>>
>> here is my /etc/pf.conf file
>> <-------snip-------->
>>
>> int_if = "fxp0"
>> ext_if = "rl0"
>> lan_net = "192.168.1.0/24"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>>
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # Bandwidth Shaping
>> anchor altqrules
>> load anchor altqrules from "/home/anchor-altq"
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>>
>> pass in quick on lo0 all
>> pass in quick on $int_if from $lan_net to any keep state
>> pass out on $int_if from any to any keep state
>> pass out on $ext_if from any to any keep state
>>
>> # default deny
>> block in log on $ext_if
>>
>> <-------snip-------->
>>
>> but when I reload my pf I get the error
>>
>> Reloading pf rules.
>> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>>
>> Please help, what should I do?
>>
>> Regards,
>>
>> Umar Draz
> Hi,
>
> As the above messages state, the rules must be present in the rules file
> in a fixed order:
>
> 1) Options
> 2) Normalization
> 3) Queueing (aka ALTQ)
> 4) Translation (aka NAT)
> 5) Filtering
>
> Quote from pf.conf(5):
>
> With the exception of macros and tables, the types of statements should
> be grouped and appear in pf.conf in the order shown above, as this
> matches the operation of the underlying packet filtering engine. By
> default pfctl(8) enforces this order (see set require-order below).
>
> And again from pf.conf(5):
>
> set require-order
> By default pfctl(8) enforces an ordering of the statement types in
> the ruleset to: options, normalization, queueing, translation,
> filtering. Setting this option to no disables this enforcement. There
> may be non-trivial and non-obvious implications to an out of order
> ruleset. Consider carefully before disabling the order enforcement.
>
> Tom

Further to my original reply, having realised I had not given a complete answer: there are four types of anchor available in PF.

nat-anchor   - holds nat rules
rdr-anchor   - holds rdr rules
binat-anchor - holds binat rules
anchor       - holds filter rules

Referring to my last post, it can be seen from this that by using a standard filter anchor you start the filter section of the configuration, which in turn violates the ordering rules.

Tom

PS: All of the above information was taken from the pf.conf man page.
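The two points Tom makes above, that pfctl enforces the section order options, normalization, queueing, translation, filtering, and that a plain anchor is a filter statement while nat-anchor, rdr-anchor and binat-anchor are translation statements, can be checked against a ruleset offline. What follows is an added example written for this page; it is not pfctl's code and not anything posted in the thread. It is a simplified model of pfctl's require-order check: each line is classified by its leading keyword and a statement whose class is earlier than the highest class already seen is reported, with the state left unchanged on error just as pfctl's check_rulestate() does. The two embedded rulesets are constructed, trimmed from the one Umar posted; the "fixed" variant shows a layout that passes, with the altq and queue definitions in the main file's queueing section and the anchor plus its load directive moved below the nat rule. The model's limitations are assumptions: it does not follow load anchor ... from into the anchor file, it does not handle backslash- or brace-continued multi-line statements, and its keyword table covers only the statement types named in pf.conf(5).

```python
"""Model of pfctl's `set require-order` statement-order check for pf.conf.
Simplified stand-alone code written for this page, not pfctl's own parser."""
import re

# Statement classes in the order pfctl(8) requires them (pf.conf(5)).
ORDER = ("options", "normalization", "queueing", "translation", "filtering")
RANK = {name: i for i, name in enumerate(ORDER)}

# Leading keyword of a statement -> its class.  Note the asymmetry behind the
# error in this thread: a plain `anchor` is a filter statement, while the
# nat-/rdr-/binat-anchor forms are translation statements.
KEYWORD_CLASS = {
    "set": "options", "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation",
    "binat-anchor": "translation",
    "pass": "filtering", "block": "filtering", "antispoof": "filtering",
    "anchor": "filtering",
}
# No ordering class: table definitions and the `load anchor` directive.
UNORDERED = {"table", "load"}
MACRO_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
REQUIRE_ORDER_OFF_RE = re.compile(r"^set\s+require-order\s+no\b")


def classify(raw):
    """Class of one pf.conf line, or None for blank lines, comments, macros,
    tables, `load anchor` and anything this model does not know."""
    line = raw.split("#", 1)[0].strip()
    if not line or MACRO_RE.match(line):
        return None
    words = line.split()
    # "no nat ..." / "no rdr ..." are still translation statements.
    keyword = words[1] if words[0] == "no" and len(words) > 1 else words[0]
    if keyword in UNORDERED:
        return None
    return KEYWORD_CLASS.get(keyword)


def check_order(text):
    """Return [(lineno, class_already_seen, class_of_line)] for each statement
    pfctl would reject with "Rules must be in order".  Like pfctl's
    check_rulestate(), the highest class seen so far is remembered, a lower
    class is an error, an erroring line does not advance the state, and
    `set require-order no` disables the check for the rest of the file."""
    state, require_order, errors = -1, True, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if REQUIRE_ORDER_OFF_RE.match(raw.split("#", 1)[0].strip()):
            require_order = False
        cls = classify(raw)
        if cls is None:
            continue
        if require_order and state > RANK[cls]:
            errors.append((lineno, ORDER[state], cls))
            continue
        state = RANK[cls]
    return errors


# Constructed sample rulesets, trimmed from the one posted in this thread.
# BROKEN puts the filter anchor where the queueing section should be, so the
# nat rule that follows it is out of order (the error Umar saw).
BROKEN_RULESET = """\
ext_if = "rl0"
lan_net = "192.168.1.0/24"
set require-order yes
scrub in all
# Bandwidth shaping
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
nat on $ext_if from { $lan_net } to any -> ($ext_if)
pass in quick on lo0 all
block in log on $ext_if
"""

# FIXED keeps the altq/queue definitions in the main file's queueing section
# and moves the anchor and its load directive down into the filtering section.
FIXED_RULESET = """\
ext_if = "rl0"
lan_net = "192.168.1.0/24"
set require-order yes
scrub in all
altq on fxp0 bandwidth 100Mb cbq queue { std, ip4, ip5 }
queue std bandwidth 90Mb cbq(default)
queue ip4 bandwidth 90Kb
queue ip5 bandwidth 90Kb
nat on $ext_if from { $lan_net } to any -> ($ext_if)
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
pass in quick on lo0 all
block in log on $ext_if
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        for lineno, seen, cls in check_order(text):
            print("%s:%d: Rules must be in order: %s (%s after %s)"
                  % (name, lineno, ", ".join(ORDER), cls, seen))
```

Run as a script it reports the nat rule of the broken ruleset and nothing for the fixed one. The real check is still `pfctl -nf /etc/pf.conf`; the model is useful for seeing why a given line trips the order check before touching the live ruleset, and for confirming that disabling `set require-order` only silences the message rather than making the anchor's placement meaningful.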