From owner-freebsd-pf@FreeBSD.ORG Sun Mar 31 06:07:30 2013
From: s m <sam.gh1986@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 31 Mar 2013 10:37:29 +0430
Subject: how access inside from outside when nat is done from inside to outside

hello guys

I am a newbie in pf and nat and have some problems with it. I want to nat inside traffic to outside, and when I ping outside from inside, everything is ok and nat is done perfectly. But when I ping inside from outside, request packets are sent without any nat translation while reply packets are natted, and therefore the outside system can not recognize the reply packets and does not accept them. This is an example of the packets which are received on an outside system when it pings an inside system:

request packets: src: 192.168.2.1  ----> dst: 192.168.1.1
reply packets:   src: 192.168.2.50 ----> dst: 192.168.2.1

Is this correct behavior or not? And if it is correct, does it mean that when I configure nat for traffic from inside to outside, I can not access inside systems from outside? (In a cisco router we can do it.) Please let me know if I am misunderstanding.
thanks

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 1 11:06:48 2013
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 1 Apr 2013 11:06:48 GMT
Message-Id: <201304011106.r31B6mcf033749@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 2 08:41:35 2013
Message-ID: <515A99B6.10802@incore.de>
Date: Tue, 02 Apr 2013 10:41:26 +0200
From: Andreas Longwitz <longwitz@incore.de>
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de> <5149E3A8.3020608@incore.de> <51544DAF.7000203@incore.de>

Ermal Luçi wrote:
> Looks ok.
> Can you make the changes so i can push it?

Yes, now the patch looks like this:

--- pfctl.c.orig 2013-01-14 15:17:48.000000000 +0100 +++ pfctl.c 2013-04-02 10:24:21.000000000 +0200 @@ -67,6 +67,9 @@ int pfctl_enable(int, int); int pfctl_disable(int, int); int pfctl_clear_stats(int, int); +int pfctl_get_skip_ifaces(void); +int pfctl_check_skip_ifaces(char *); +int pfctl_clear_skip_ifaces(struct pfctl *); int pfctl_clear_interface_flags(int, int); int pfctl_clear_rules(int, int, char *); int pfctl_clear_nat(int, int, char *); @@ -105,6 +108,8 @@ struct pf_anchor_global pf_anchors; struct pf_anchor pf_main_anchor; +static struct pfr_buffer skip_b; + const char *clearopt; char *rulesopt; const char *showopt;
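Review bot: `static struct pfr_buffer skip_b;` in the `@@ -105,6 +108,8 @@` hunk is a file-scope buffer that `pfctl_get_skip_ifaces()` later fills with `pfr_buf_grow()` and that nothing releases; harmless in a short-lived pfctl run, but a comment on the declaration saying that it holds the interface flags snapshotted from the kernel before the new ruleset is parsed, and that `pfctl_check_skip_ifaces()` and `pfctl_clear_skip_ifaces()` consume it, would explain the three bare prototypes added in the `@@ -67,6 +67,9 @@` hunk, which otherwise read as unrelated helpers.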
@@ -297,6 +302,44 @@ } int +pfctl_get_skip_ifaces(void) +{ + bzero(&skip_b, sizeof(skip_b)); + skip_b.pfrb_type = PFRB_IFACES; + for (;;) { + pfr_buf_grow(&skip_b, skip_b.pfrb_size); + skip_b.pfrb_size = skip_b.pfrb_msize; + if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size)) + err(1, "pfi_get_ifaces"); + if (skip_b.pfrb_size <= skip_b.pfrb_msize) + break; + } + return (0); +} + +int +pfctl_check_skip_ifaces(char *ifname) +{ + struct pfi_kif *p; + + PFRB_FOREACH(p, &skip_b) + if ((p->pfik_flags & PFI_IFLAG_SKIP) && !strcmp(ifname, p->pfik_name)) + p->pfik_flags &= ~PFI_IFLAG_SKIP; + return (0); +} + +int +pfctl_clear_skip_ifaces(struct pfctl *pf) +{ + struct pfi_kif *p; + + PFRB_FOREACH(p, &skip_b) + if (p->pfik_flags & PFI_IFLAG_SKIP) + pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0); + return (0); +} + +int pfctl_clear_interface_flags(int dev, int opts) { struct pfioc_iface pi; @@ -1437,6 +1480,8 @@ else goto _error; } + if (loadopt & PFCTL_FLAG_OPTION) + pfctl_clear_skip_ifaces(&pf); if ((pf.loadopt & PFCTL_FLAG_FILTER && (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) || @@ -1861,6 +1906,7 @@ } else { if (ioctl(pf->dev, DIOCSETIFFLAG, &pi)) err(1, "DIOCSETIFFLAG"); + pfctl_check_skip_ifaces(ifname); } } return (0); 
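Review bot: the three functions added in the `@@ -297,6 +302,44 @@` hunk are declared `int` but can only ever `return (0)`, because the single failure path, `pfi_get_ifaces()` in `pfctl_get_skip_ifaces()`, calls `err(1, ...)`; the callers added in the `@@ -1437,6 +1480,8 @@` hunk (`pfctl_clear_skip_ifaces(&pf);`) and the `@@ -1861,6 +1906,7 @@` hunk (`pfctl_check_skip_ifaces(ifname);`) discard the value, so `void` would state the contract honestly. In the `-1437` hunk the new condition tests `loadopt & PFCTL_FLAG_OPTION` while the line right after it tests `pf.loadopt`; pick one. That same hunk also moves the clearing of stale skip flags from before the parse, where `pfctl_clear_interface_flags()` used to run from main(), to after the `goto _error` checks have passed, so a ruleset that fails to parse now leaves the old skip flags untouched; that is the right behaviour for the lo0 problem in the subject, but it is a semantic change that belongs in the commit message, and `pfctl_check_skip_ifaces()` deserves a one-line comment saying that dropping `PFI_IFLAG_SKIP` from the in-memory copy is what keeps an interface that stays skipped from being cleared and set again.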
@@ -2340,7 +2386,7 @@ } if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) && !anchorname[0]) - if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET)) + if (pfctl_get_skip_ifaces()) error = 1; if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&

-- 
Andreas Longwitz

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 14:40:22 2013
Message-ID: <515D8F9D.3080001@innolan.dk>
Date: Thu, 04 Apr 2013 16:35:09 +0200
From: Carsten Sonne Larsen <cs@innolan.dk>
To: freebsd-pf@freebsd.org
Subject: Filtering bridge with pf.

Hello guys,

I am using pf to implement a filtering bridge but I'm experiencing some strange behaviour from pf. While using tcpdump I get entries like this:

16:25:45.998253 rule 2..16777216/0(match): block in on rl0: 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339

I am using the keyword *quick* and would expect a certain rule match instead of rule 2..16777216.

Also, using pftop, for some reason states do not expire while looking in the rules view.

Could this be due to a miscompiled kernel or maybe simply a faulty configuration? I'm using 9.1 on an AMD Geode CPU.

Thanks in advance.

Carsten Sonne Larsen

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 18:07:25 2013
From: "wishmaster" <artemrts@ukr.net>
To: "Carsten Sonne Larsen"
Cc: freebsd-pf@freebsd.org
Date: Thu, 04 Apr 2013 20:48:17 +0300
Subject: Re: Filtering bridge with pf.
Message-Id: <89362.1365097697.16075958140210511872@ffe10.ukr.net>
In-Reply-To: <515D8F9D.3080001@innolan.dk>

--- Original message ---
From: "Carsten Sonne Larsen"
Date: 4 April 2013, 17:49:07
> Hello guys,
>
> I am using pf to implement a filtering bridge but I'm experiencing some
> strange behaviour from pf. While using tcpdump I get entries like this:
>
> 16:25:45.998253 rule 2..16777216/0(match): block in on rl0:
> 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
>
> I am using the keyword *quick* and would expect a certain rule match
> instead of rule 2..16777216
>

Hi.

What are your sysctls?

Below is from my production server with 3 NICs in a bridge. I use filtering only on the bridge0 interface.

net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

and set skip quick on [[members]] in pf.conf.

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 18:14:06 2013
In-Reply-To: <515D8F9D.3080001@innolan.dk>
References: <515D8F9D.3080001@innolan.dk>
From: Michael MacLeod <mikemacleod@gmail.com>
To: Carsten Sonne Larsen
Cc: freebsd-pf@freebsd.org
Date: Thu, 4 Apr 2013 14:13:46 -0400
Subject: Re: Filtering bridge with pf.

Without seeing the ruleset in question it's hard to say, but if rule 2 also uses the quick keyword, then it won't reach the certain expected rule you mention. Again, hard to say without seeing at least rule 2 and the expected rule, and better the whole ruleset.

On Thu, Apr 4, 2013 at 10:35 AM, Carsten Sonne Larsen wrote:
> Hello guys,
>
> I am using pf to implement a filtering bridge but I'm experiencing some
> strange behaviour from pf. While using tcpdump I get entries like this:
>
> 16:25:45.998253 rule 2..16777216/0(match): block in on rl0:
> 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
>
> I am using the keyword *quick* and would expect a certain rule match
> instead of rule 2..16777216
>
> Also, using pftop, for some reason states do not expire while looking in
> the rules view.
>
> Could this be due to a miscompiled kernel or maybe simply a faulty
> configuration? I'm using 9.1 on an AMD Geode CPU.
>
> Thanks in advance.
>
> Carsten Sonne Larsen

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 18:56:29 2013
Message-ID: <515DCCD2.3010102@gibfest.dk>
Date: Thu, 04 Apr 2013 20:56:18 +0200
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering bridge with pf.
In-Reply-To: <515D8F9D.3080001@innolan.dk>

On 04-04-2013 16:35, Carsten Sonne Larsen wrote:
>
> I am using the keyword *quick* and would expect a certain rule match
> instead of rule 2..16777216
>

It has been like this since FreeBSD 9 I believe, and the situation is the same in the new smp pf from head. I don't know what causes it, but just to let you know it is not related to your specific ruleset.

I also use the "quick" keyword on all my rules if that helps.

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 19:05:49 2013
In-Reply-To: <515DCCD2.3010102@gibfest.dk>
References: <515D8F9D.3080001@innolan.dk> <515DCCD2.3010102@gibfest.dk>
Date: Thu, 4 Apr 2013 22:05:47 +0300
Subject: Re: Filtering bridge with pf.
From: Kimmo Paasiala <kpaasial@gmail.com>
To: Thomas Steen Rasmussen
Cc: freebsd-pf@freebsd.org

On Thu, Apr 4, 2013 at 9:56 PM, Thomas Steen Rasmussen wrote:
> On 04-04-2013 16:35, Carsten Sonne Larsen wrote:
>>
>> I am using the keyword *quick* and would expect a certain rule match
>> instead of rule 2..16777216
>>
>
> It has been like this since FreeBSD 9 I believe, and the situation
> is the same in the new smp pf from head. I don't know what causes
> it, but just to let you know it is not related to your specific ruleset.
>
> I also use the "quick" keyword on all my rules if that helps.
>
> Best regards,
>
> Thomas Steen Rasmussen

I believe this is the same as what you see with the UDP broadcast traffic that SAMBA uses. Basically, the interface that is used to send the broadcast also receives the same broadcast because it's in the same broadcast domain. That's why the log entries say "block IN on..." with the source address in the packet matching the address bound to the same interface.

To OP: Are you using antispoof on the interface? That would explain the log entry I think.

-Kimmo

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 4 20:47:00 2013
Message-ID: <515DE6C0.2020701@innolan.dk>
Date: Thu, 04 Apr 2013 22:46:56 +0200
From: Carsten Sonne Larsen <cs@innolan.dk>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering bridge with pf.
In-Reply-To: <89362.1365097697.16075958140210511872@ffe10.ukr.net>

Thanks for the replies.

I also run a 3 NIC setup. I do the filtering on the interfaces to control directions, e.g. what goes in and what goes out. The sysctls are:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

I'm not sure why I didn't add the two other lines. I think I followed chapter 38 of the FreeBSD Handbook. I did omit ALTQ_NOPCC while compiling the kernel though.

Rules are maybe not so well formed. Examples are:

...
block log on $ext_if all
block log on $int_if all
block log on $mgt_if all
pass in quick on $int_if inet proto tcp from $ext_ip2 to any keep state
pass out quick on $ext_if inet proto tcp from $ext_ip2 to any keep state
pass in quick on $int_if inet proto udp from $ext_ip2 to any keep state
pass out quick on $ext_if inet proto udp from $ext_ip2 to any keep state
...

antispoof is only specified for the management interface.

I run some other instances of pf, but not in bridge mode. All are deployed with 8.3 and they work perfectly fine. tcpdump on those shows up like:

rule 25/0(match): block out on em1 ...

-cs

On 04/04/2013 19:48, wishmaster wrote:
>
> --- Original message ---
> From: "Carsten Sonne Larsen"
> Date: 4 April 2013, 17:49:07
>
>> Hello guys,
>>
>> I am using pf to implement a filtering bridge but I'm experiencing some
>> strange behaviour from pf. While using tcpdump I get entries like this:
>>
>> 16:25:45.998253 rule 2..16777216/0(match): block in on rl0:
>> 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
>>
>> I am using the keyword *quick* and would expect a certain rule match
>> instead of rule 2..16777216
>>
> Hi.
>
> What are your sysctls?
>
> Below is from my production server with 3 NICs in a bridge. I use filtering only on the bridge0 interface.
>
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 0
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> and set skip quick on [[members]] in pf.conf.
>

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 5 13:01:44 2013
Message-ID: <515ECB33.7030202@innolan.dk>
Date: Fri, 05 Apr 2013 15:01:39 +0200
From: Carsten Sonne Larsen <cs@innolan.dk>
To: wishmaster
Cc: freebsd-pf@freebsd.org
Subject: Solved: Filtering bridge with pf.
In-Reply-To: <515DE6C0.2020701@innolan.dk>

After reading carefully through the man pages of if_bridge, the sysctls are now:

net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=0

Statistics with pftop and "pfctl -vs rules" still show an accumulated number of states. Also, tcpdump still shows a rule range instead of a fixed rule number, while pftop shows * in the rule column. Nevertheless, the bridge seems to work as intended.

>
> On 04/04/2013 19:48, wishmaster wrote:
>>
>> What are your sysctls?
>>
>> Below is from my production server with 3 NICs in a bridge. I use
>> filtering only on the bridge0 interface.
>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 0
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
>>
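The two things this thread puzzles over both show up in pflog output: the `rule 2..16777216/0(match)` reference that does not name a single rule, and Kimmo's point that a host sees its own broadcast or multicast arrive back `in` on the interface that sent it, with its own address as the source. The script below is an added example, not code posted on the list or part of pf or tcpdump; it parses the prefix tcpdump prints for pflog records and tags those two patterns, so a blocked packet with a local source can be told apart from one that actually deserves an antispoof look. The interface addresses and every sample line except the first (which is Carsten's) are constructed.

```python
"""Triage pflog lines as printed by tcpdump on a pflog interface.

Added example for this thread, not code from the list or from pf itself.
It parses the prefix tcpdump prints for the pflog header,
    rule <nr>[.<anchor>.<subnr>]/<reason>(<name>): <action> <dir> on <if>: <packet>
and flags two situations the thread discusses:
  * a rule reference like "2..16777216" (sub-rule number set, anchor name
    empty), which does not point at a single rule in the main ruleset;
  * a blocked inbound packet whose source is the receiving interface's own
    address, which is what a host sees when its own broadcast or multicast
    comes back in on the sending interface.
Interface addresses and all sample lines except the first are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "rule 25/0(match): block out on em1: ..." or "rule 2..16777216/0(match): block in on rl0: ..."
_PREFIX = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"rule (?P<rulenr>\d+)(?:\.(?P<anchor>.*?)\.(?P<subrulenr>\d+))?"
    r"/(?P<reason_code>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>[^:]+): (?P<rest>.*)$"
)
# TCP/UDP packet part: "192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339"
_L4 = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length (?P<length>\d+)"
)


@dataclass
class PflogEntry:
    rulenr: int
    anchor: Optional[str]      # None when tcpdump printed the plain "rule N/" form
    subrulenr: Optional[int]
    reason: str
    action: str
    direction: str
    ifname: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    length: Optional[int] = None

    @property
    def rule_ref(self) -> str:
        """Rule reference exactly as tcpdump printed it ("25" or "2..16777216")."""
        if self.subrulenr is None:
            return str(self.rulenr)
        return f"{self.rulenr}.{self.anchor}.{self.subrulenr}"


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one tcpdump pflog line; return None for lines in another format."""
    m = _PREFIX.match(line.strip())
    if m is None:
        return None
    entry = PflogEntry(
        rulenr=int(m["rulenr"]),
        anchor=m["anchor"],
        subrulenr=int(m["subrulenr"]) if m["subrulenr"] is not None else None,
        reason=m["reason"], action=m["action"],
        direction=m["direction"], ifname=m["ifname"],
    )
    l4 = _L4.match(m["rest"])
    if l4 is not None:  # ICMP and friends have no ports; leave those fields None
        entry.src, entry.dst = l4["src"], l4["dst"]
        entry.sport, entry.dport = int(l4["sport"]), int(l4["dport"])
        entry.proto, entry.length = l4["proto"], int(l4["length"])
    return entry


def classify(entry: PflogEntry, ifaces: Dict[str, str]) -> List[str]:
    """Return finding tags; ifaces maps interface name to its own CIDR address."""
    findings: List[str] = []
    if entry.subrulenr is not None and entry.anchor == "":
        # Sub-rule number present but no anchor name: the "N..M" form from the thread.
        findings.append("rule-ref-subrule-without-anchor")
    if (entry.action == "block" and entry.direction == "in"
            and entry.src is not None and entry.ifname in ifaces):
        try:
            iface = ipaddress.ip_interface(ifaces[entry.ifname])
            src, dst = ipaddress.ip_address(entry.src), ipaddress.ip_address(entry.dst)
        except ValueError:  # tcpdump run without -n prints names, not addresses
            return findings
        if src == iface.ip:
            if (dst.is_multicast or dst == iface.network.broadcast_address
                    or dst == ipaddress.ip_address("255.255.255.255")):
                # Our own multicast/broadcast looped back on the sending interface:
                # expected inside one broadcast domain, not a spoofing attempt.
                findings.append("own-multicast-or-broadcast-reflected")
            else:
                # Unicast arriving from outside with our own address as source:
                # the case antispoof rules exist for, worth a closer look.
                findings.append("inbound-unicast-with-own-source-address")
    return findings


def triage(lines: List[str], ifaces: Dict[str, str]) -> List[dict]:
    """Parse and classify every pflog line, skipping lines in other formats."""
    report = []
    for line in lines:
        entry = parse_pflog_line(line)
        if entry is not None:
            report.append({"rule": entry.rule_ref, "action": entry.action,
                           "direction": entry.direction, "ifname": entry.ifname,
                           "findings": classify(entry, ifaces)})
    return report


# Constructed: interface addresses for the box in the thread (invented values).
IFACES = {"rl0": "192.168.0.1/24", "em1": "10.0.0.5/24"}

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LINES = [
    "16:25:45.998253 rule 2..16777216/0(match): block in on rl0: 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339",
    "16:25:46.104211 rule 25/0(match): block out on em1: 10.0.0.5.51234 > 203.0.113.10.443: TCP, length 60",
    "16:25:47.220047 rule 7/0(match): block in on rl0: 192.168.0.1.4444 > 192.168.0.20.22: TCP, length 40",
    "16:25:48.330112 rule 12/0(match): pass in on rl0: 192.168.0.20.50000 > 192.168.0.1.53: UDP, length 45",
    "16:25:49.000000 IP 192.168.0.20 > 192.168.0.1: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, IFACES):
        print(f"rule {row['rule']:<12} {row['action']} {row['direction']} on {row['ifname']}: "
              f"{', '.join(row['findings']) or 'no finding'}")
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (or `tcpdump -n -e -r /var/log/pflog`) and group on `rule_ref`: a run of `N..M` references says the rule column is not telling you which rule fired, so match on interface, direction and addresses instead, while the `own-multicast-or-broadcast-reflected` tag is exactly the SSDP/SAMBA noise Kimmo describes and can be silenced with a rule that does not log rather than treated as a spoof.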