From owner-freebsd-pf@FreeBSD.ORG Mon May 31 11:07:02 2010
Date: Mon, 31 May 2010 11:07:01 GMT
Message-Id: <201005311107.o4VB718Z046071@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 31 May 2010 11:07:02 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf         [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

44 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jun 2 20:25:16 2010
Message-ID: <4C06BE29.9000403@infosec.pl>
Date: Wed, 02 Jun 2010 21:25:13 +0100
From: Michal
To: freebsd-pf@freebsd.org
References: <86wruzlgk0.fsf@red.stonehenge.com>
Subject: Re: OpenBSD 4.7's pf is not backward compatible

On 20/05/2010 05:53, Chris Buechler wrote:
> On Wed, May 19, 2010 at 5:36 PM, Randal L. Schwartz
> wrote:
>>
>> Now that OpenBSD 4.7 is out, I see that the pf has undergone a flag day.
>>
>> Are there people here actively working on incorporating this new release
>> into FreeBSD?
>>
>
> 4.5, yes.
> http://svn.freebsd.org/viewvc/base/user/eri/pf45/head/
>
> 4.7, not at this moment (Ermal, Max, etc. can expand on that).
>

Is there any roadmap for this project or can someone give any estimations
about the progress? Is it fairly advanced and almost there or quite the
opposite? Anybody able to guess if we are talking about 8.2 or 9.0?

Michal

--
"UNIX is user-friendly, it just chooses its friends."
-Andreas Bogk

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 3 15:16:13 2010
From: Gianni
Date: Thu, 3 Jun 2010 16:49:30 +0200
To: freebsd-pf@freebsd.org
Subject: udp redirect problem

I'm redirecting incoming requests to tcp/udp port 5080 to an internal
host with the following rule:

rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

The problem is that the udp packets never seem to reach the destined
host, I've checked with tcpdump and incoming TCP packets are accepted by
the filter and passed out of the internal interface (vr0) to go to the
intended destination.

7.725492 rule 51/0(match): pass in on tun1: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]
000144 rule 19/0(match): pass out on vr0: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]

For UDP the packets seem to be accepted by the filter but not passed on
to the destination, there's no log entry to show them leaving the
internal interface or messages to say they are getting dropped.

000000 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
529850 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
2.028043 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
4.048524 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207

I'm a bit puzzled as I can't see any difference between the tcp and udp
rules (complete ruleset below). Any suggestions would be greatly appreciated.

# PF ruleset

loopback_if = "lo0"
int_if = "vr0"
localnet = "192.168.200.0/24"
pbx_host = "192.168.200.42"
mx_host = "192.168.200.41"
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_ifs = "{ tun0, tun1 }"
vpn_if = "tun2"
vpn_nets = "{ 192.168.0.0/24 }"
icmp_in_types = "{ unreach,echoreq }"

table persist
table persist { 127.0.0.0/8, 172.16.0.0/12 \
  10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
set skip on { $loopback_if, vr1, vr2 }

#scrub in all
scrub log all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

tcp_services = "{ 2525, ssh, smtp, smtps, domain, https, imaps, sip, 1194, 5080 }"
udp_services = "{ domain, sip, 4569, 1194, 5080 }"
tcp_client = "{ ssh, domain, pop3, pop3s, imap, imaps, smtp, smtps, auth, ntp,\
  http, https, 8080, sip, 5080, cvsup, postgresql, 3306, 8180, 1863, 444, 1194 }"
udp_client = "{ domain, sip, 5080, ntp, 4569, 1194, 5222 }"

# NAT
no nat on $ext_if1 from $localnet to $vpn_nets
nat on $ext_if1 from $localnet to any -> ($ext_if1)
no nat on $ext_if2 from $localnet to $vpn_nets
nat on $ext_if2 from $localnet to any -> ($ext_if2)

rdr on $ext_if1 proto tcp from any to $ext_if1 port 222 -> 192.168.200.40 port 22
rdr on $ext_if1 proto tcp from any to $ext_if1 port 25 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 2525 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 993 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 465 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 222 -> 192.168.200.40 port 22
rdr on $ext_if2 proto tcp from any to $ext_if2 port 25 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 2525 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 993 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 465 -> $mx_host

# SIP
#rdr pass log on $int_if proto udp from $localnet to any port 5060 -> 127.0.0.1 port 5060
rdr on $ext_if1 proto { tcp, udp } from any to $ext_if1 port 5080 -> $pbx_host
rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $localnet to any port 21 -> 127.0.0.1 port 8021

antispoof log for $ext_ifs
antispoof log for $int_if

block log all
block log quick from
block drop in log quick on $ext_ifs from to any
block drop out log quick on $ext_ifs from any to

pass log from { $loopback_if, $localnet } to any
pass in log on $int_if
pass out log on $int_if
pass out log on $ext_ifs
pass out log quick on $ext_ifs proto udp from any to $pbx_host port 5080

# Client
pass out log quick on $ext_if1 route-to ($ext_if2 ($ext_if2:peer)) from $ext_if2 to any
pass out log quick on $ext_if2 route-to ($ext_if1 ($ext_if1:peer)) from $ext_if1 to any

# ICMP
pass in log inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto icmp all icmp-type $icmp_in_types

# Public services
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
  from any to any port $tcp_services \
  #synproxy state \
  (max-src-conn 100, max-src-conn-rate 50/5, \
  overload flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
  from any to any port $tcp_services \
  #synproxy state \
  (max-src-conn 100, max-src-conn-rate 50/5, \
  overload flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
  from any to any port { ssh, 222 } \
  #synproxy state \
  (max-src-conn 10, max-src-conn-rate 5/3, \
  overload flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
  from any to any port { ssh, 222 } \
  #synproxy state \
  (max-src-conn 10, max-src-conn-rate 5/3, \
  overload flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto udp \
  from any to any port $udp_services
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto udp \
  from any to any port $udp_services

# VPN
pass in log on $ext_ifs inet proto icmp from $vpn_nets to $localnet
pass out log on $vpn_if from any to any keep state

# FTP-proxy
anchor "ftp-proxy/*"
pass out log proto tcp from ($ext_if1) to any port 21
pass out log proto tcp from ($ext_if2) to any port 21

-Gianni
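The symptom Gianni describes (packets logged as "pass in" on tun1 with the already-rewritten destination, but never logged as "pass out" on vr0) is easy to spot by hand on five lines and hard on a day of pflog. The script below is an added troubleshooting example, not part of the post or of pf; it correlates tcpdump-on-pflog records by 5-tuple and reports flows that entered on an external interface without a matching outbound record on the internal one. The log format is the one quoted in the post; the addresses are constructed (RFC 5737 documentation space) and the protocol heuristic for tcpdump's payload text is an assumption.

```python
"""Find flows that pf passed in on an external interface but never passed
out on the internal interface. Added example, not code from the post."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# One tcpdump line read from the pflog interface, e.g.
#   7.725492 rule 51/0(match): pass in on tun1: 203.0.113.10.58770 > 192.168.200.42.5080: tcp 32 ...
# The "pass in" line already shows the rdr-rewritten destination, so the same
# 5-tuple appears on the matching "pass out" line.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+(?:\.\d+)?)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"(?P<payload>.*)$"
)


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Record(NamedTuple):
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    flow: Flow


class Finding(NamedTuple):
    flow: Flow
    rule: int      # rule that passed the first inbound packet of the flow
    packets: int   # inbound packets seen for the flow


def guess_proto(payload: str) -> str:
    """Assumed heuristic: tcpdump prints 'tcp <len>' for TCP; for UDP it prints
    'UDP, length N' or the decoded application name ('SIP, length: 1207')."""
    words = payload.split()
    head = words[0].rstrip(",").lower() if words else ""
    if head == "tcp":
        return "tcp"
    if head in ("udp", "sip", "domain", "ntp"):
        return "udp"
    return "other"


def parse_line(line: str) -> Optional[Record]:
    """Parse one pflog tcpdump line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flow = Flow(guess_proto(m["payload"]), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))
    return Record(m["ts"], int(m["rule"]), m["action"], m["direction"],
                  m["ifname"], flow)


def unforwarded_flows(lines: Iterable[str], ext_ifs: Set[str], int_if: str) -> List[Finding]:
    """Flows passed in on one of ext_ifs with no 'pass out' record on int_if.
    A single outbound record for the 5-tuple clears the flow."""
    inbound: Dict[Flow, Finding] = {}
    outbound: Set[Flow] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.action != "pass":
            continue
        if rec.direction == "in" and rec.ifname in ext_ifs:
            prev = inbound.get(rec.flow)
            inbound[rec.flow] = Finding(rec.flow,
                                        prev.rule if prev else rec.rule,
                                        (prev.packets if prev else 0) + 1)
        elif rec.direction == "out" and rec.ifname == int_if:
            outbound.add(rec.flow)
    return [f for flow, f in inbound.items() if flow not in outbound]


# Constructed sample in the format of the post's tcpdump output; the external
# address is a documentation address, not the poster's.
SAMPLE_PFLOG = """\
7.725492 rule 51/0(match): pass in on tun1: 203.0.113.10.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]
0.000144 rule 19/0(match): pass out on vr0: 203.0.113.10.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]
0.000000 rule 65/0(match): pass in on tun1: 203.0.113.10.5060 > 192.168.200.42.5080: SIP, length: 1207
0.529850 rule 65/0(match): pass in on tun1: 203.0.113.10.5060 > 192.168.200.42.5080: SIP, length: 1207
2.028043 rule 65/0(match): pass in on tun1: 203.0.113.10.5060 > 192.168.200.42.5080: SIP, length: 1207
"""


def audit_sample() -> List[Finding]:
    return unforwarded_flows(SAMPLE_PFLOG.splitlines(), {"tun0", "tun1"}, "vr0")


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.flow.proto} {f.flow.src}:{f.flow.sport} -> {f.flow.dst}:{f.flow.dport}: "
              f"{f.packets} packet(s) passed in by rule {f.rule}, none passed out on vr0")
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (with the `-e` rule/interface prefix the post's lines carry) and the report gives, per unforwarded flow, the rule number that admitted the traffic, which is what to look up with `pfctl -vvsr` next.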