From owner-freebsd-pf@FreeBSD.ORG Mon Apr 15 11:06:48 2013
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 15 Apr 2013 11:06:48 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201304151106.r3FB6mIb015195@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/177810  pf    [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf    [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf    [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf    [pf] [patch] synproxy not working with route-to
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

52 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Apr 16 09:09:18 2013
Received: from ds02.justclick.ru (gora4o.ru [IPv6:2a01:4f8:191:1061::2]) by mx1.freebsd.org (Postfix)
X-Authentication-Warning: ds02.justclick.ru: coach773866 set sender to lenochek0183@yandex.ru using -f
From: NIEN-SHENG LIN (envelope-from lenochek0183@yandex.ru)
Reply-To: loveforall2013@yahoo.co.jp
To: freebsd-pf@freebsd.org
Date: Tue, 16 Apr 2013 13:09:05 +0400
Subject: Help the Syrian refugees in turkey.
X-Mailer: PHPMailer (phpmailer.sourceforge.net)

Good Day,

My name is Nien-sheng Lin, and I have been suffering from prostate cancer for many years now, but only recently my doctor told me that I have just some time/days left to live in this world before I die. I am a US citizen, dealing in the gold exportation business. I was born on 26th May 1939. Here is my international passport.

Now that I am about to die because of this prostate cancer disease, I want to hand over my millions of dollars to you. I want you to inherit my wealth. But you must assure me that you will use at least 50% of my wealth to help the Syrian refugees in Turkey. The Turkish Disaster Management Agency (AFAD) said that the number of Syrian refugees in southern Turkey has risen to 654,200. You must promise me that you will use 50% of my wealth to help the Syrian people that are suffering in Turkey and the Middle East. I want you to inherit my wealth. But you must also assure me that you will use at least 30% of my wealth to help the orphanage homes, widows and poor people in your country. Take the remaining 20% of my wealth for yourself. I dash you the remaining 20% of my wealth if you promise to follow all my instructions.

Here is my private email address: niensheng.lin@yahoo.co.uk
Write down your full names, telephone number and your address.

Regards,
Nien-sheng Lin

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 18 07:11:35 2013
From: Radek Krejča <radek.krejca@starnet.cz>
To: freebsd-pf@freebsd.org
Date: Thu, 18 Apr 2013 09:11:33 +0200
Subject: peer address over pf rdr

Hello,

In some cases I need to get the IP address of our customer over NAT to my www page (e.g. for stopping spam and giving our customer info). I wrote a daemon which listens on the port where the traffic of our customers is redirected (this is my testing rule):

    rdr proto tcp from 192.168.255.2 to any port 8009 -> 127.0.0.1 port 9000

On port 9000 my daemon listens and gets the IP address with this function:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    /* Store the peer's IPv4 address in *IP as a malloc'd string. */
    int Getpeerinfo(int sock, char **IP)
    {
        struct sockaddr_in peer;
        int porto;
        socklen_t peer_len = sizeof(peer);

        if (getpeername(sock, (struct sockaddr *)&peer, &peer_len) == -1) {
            perror("getpeername() failed");
            return -1;
        }
        /* inet_ntoa() returns a static buffer: copy it once, check the allocation */
        *IP = strdup(inet_ntoa(peer.sin_addr));
        if (*IP == NULL)
            return -1;
        porto = ntohs(peer.sin_port);   /* sin_port is in network byte order */
        (void)porto;
        return 0;
    }

If I connect to port 9000 directly, I get the right IP address, but over the redirect in pf the result is empty. It looks like pf destroys this information, or is my idea wrong?
Thank you
Radek

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 18 07:29:00 2013
From: Ermal Luçi <ermal.luci@gmail.com>
To: Radek Krejča
Cc: freebsd-pf@freebsd.org
Date: Thu, 18 Apr 2013 09:28:58 +0200
Subject: Re: peer address over pf rdr

On Thu, Apr 18, 2013 at 9:11 AM, Radek Krejča wrote:
> Hello,
>
> In some cases I need to get the IP address of our customer over NAT to my www
> page (e.g. for stopping spam and giving our customer info). I wrote a daemon
> which listens on the port where the traffic of our customers is redirected (this is
> my testing rule):
>
>     rdr proto tcp from 192.168.255.2 to any port 8009 -> 127.0.0.1 port 9000
>
> On port 9000 my daemon listens and gets the IP address with this function:
>
>     int Getpeerinfo (int sock,char **IP)
>     {
>         struct sockaddr_in peer;
>         int porto;
>         socklen_t peer_len;
>         peer_len = sizeof(peer);
>         if (getpeername(sock, (struct sockaddr*)&peer, &peer_len) == -1) {
>             error("getpeername() failed");
>             return -1;
>         }
>
>         *IP = (char *)malloc(strlen((char *)(inet_ntoa(peer.sin_addr))) + 1);
>         strcpy(*IP,(char *)(inet_ntoa(peer.sin_addr)));
>         porto = (int)(peer.sin_port);
>         return 0 ;
>     }
>
> If I connect to port 9000 directly, I get the right IP address, but over the
> redirect in pf the result is empty. It looks like pf destroys this information,
> or is my idea wrong?
>

Take a look at the squid daemon source code for how it does a lookup on the NAT translation table to extract the real customer IP.

> Thank you
>
> Radek
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
Ermal
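The exchange above, as an added example that is neither Radek's daemon nor squid's code. A pf rdr rule rewrites only the destination of the packet, so on the accepted socket getpeername() still reports the client's address while getsockname() reports the post-rdr destination (127.0.0.1:9000 for the rule in the thread); the pre-rdr destination is only in pf's state table, and the DIOCNATLOOK ioctl on /dev/pf, which is what Ermal refers to in squid, returns it. Assumptions: IPv4/TCP only, FreeBSD headers (the lookup is compiled only under __FreeBSD__ and is skipped elsewhere), and a daemon allowed to open /dev/pf read-only. The loopback self-test is constructed for this example; no pf rule is involved in it.

```c
/* Added example, not code from the thread or from squid.  What the socket API
 * tells a daemon behind a pf "rdr" rule, plus the DIOCNATLOOK query (the lookup
 * squid does) for the pre-rdr destination.  Assumed: IPv4/TCP, /dev/pf readable. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <net/if.h>
#include <net/pfvar.h>
#endif
struct conn_info {
    char client_ip[INET_ADDRSTRLEN]; /* getpeername(): rdr does not rewrite the source */
    unsigned client_port;
    char local_ip[INET_ADDRSTRLEN];  /* getsockname(): destination after rdr */
    unsigned local_port;
    char orig_ip[INET_ADDRSTRLEN];   /* DIOCNATLOOK: destination before rdr */
    unsigned orig_port;
    int nat_looked_up;               /* 1 when pf answered the lookup */
};

/* Describe an accepted TCP socket.  Returns 0 on success, -1 on error. */
int conn_info_get(int sock, struct conn_info *ci)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(peer);

    memset(ci, 0, sizeof(*ci));
    if (getpeername(sock, (struct sockaddr *)&peer, &len) == -1 || peer.sin_family != AF_INET)
        return -1;
    len = sizeof(local);
    if (getsockname(sock, (struct sockaddr *)&local, &len) == -1)
        return -1;
    inet_ntop(AF_INET, &peer.sin_addr, ci->client_ip, sizeof(ci->client_ip));
    ci->client_port = ntohs(peer.sin_port);           /* network -> host byte order */
    inet_ntop(AF_INET, &local.sin_addr, ci->local_ip, sizeof(ci->local_ip));
    ci->local_port = ntohs(local.sin_port);
    strcpy(ci->orig_ip, ci->local_ip);                /* fallback when pf cannot answer */
    ci->orig_port = ci->local_port;
#ifdef __FreeBSD__
    {
        struct pfioc_natlook nl;
        int pf = open("/dev/pf", O_RDONLY);           /* DIOCNATLOOK is allowed read-only */
        if (pf != -1) {
            memset(&nl, 0, sizeof(nl));
            nl.saddr.v4 = peer.sin_addr;  nl.sport = peer.sin_port;  /* ports stay in network order */
            nl.daddr.v4 = local.sin_addr; nl.dport = local.sin_port;
            nl.af = AF_INET; nl.proto = IPPROTO_TCP; nl.direction = PF_OUT;
            if (ioctl(pf, DIOCNATLOOK, &nl) == 0) {  /* ENOENT: no translation for this flow */
                inet_ntop(AF_INET, &nl.rdaddr.v4, ci->orig_ip, sizeof(ci->orig_ip));
                ci->orig_port = ntohs(nl.rdport);
                ci->nat_looked_up = 1;
            }
            close(pf);
        }
    }
#endif
    return 0;
}

/* Constructed self-test over loopback (no pf rule, so "original" == listener). Returns its port or -1. */
int loopback_demo(struct conn_info *ci)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int ls, cs = -1, as = -1, port = -1;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* sin_port 0: the kernel picks one */
    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(ls, (struct sockaddr *)&sa, sizeof(sa)) == 0 && listen(ls, 1) == 0 &&
        getsockname(ls, (struct sockaddr *)&sa, &len) == 0 &&
        (cs = socket(AF_INET, SOCK_STREAM, 0)) != -1 &&
        connect(cs, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        (as = accept(ls, NULL, NULL)) != -1 &&
        conn_info_get(as, ci) == 0)
        port = ntohs(sa.sin_port);
    if (as != -1) close(as);
    if (cs != -1) close(cs);
    close(ls);
    return port;
}

int main(void)
{
    struct conn_info ci;
    if (loopback_demo(&ci) < 0) { perror("loopback_demo"); return 1; }
    printf("client %s:%u  local %s:%u  original %s:%u (pf lookup: %s)\n", ci.client_ip,
           ci.client_port, ci.local_ip, ci.local_port, ci.orig_ip, ci.orig_port,
           ci.nat_looked_up ? "yes" : "no");
    return 0;
}
```

The daemon needs read access to /dev/pf (root, or a group that the device node allows); if the open fails the function keeps the post-rdr address and leaves nat_looked_up at 0 rather than failing the connection. Whatever pf reports is what the state entry recorded from the packets it saw: an address a client can spoof at the IP layer is just as spoofable here, so treat it as routing information, not as authentication.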
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 18 12:20:52 2013
From: s m <sam.gh1986@gmail.com>
To: freebsd-pf
Date: Thu, 18 Apr 2013 16:50:50 +0430
Subject: access inside systems from outside

hello everybody,

I am a newbie in pf and NAT and have a conceptual problem with it. I enabled inside NAT and it works properly (inside addresses are NATed to external ones). I can ping outside systems from inside but not in the reverse direction. My question is: is this the correct behavior? I mean, when we have inside NAT, should just inside systems access outside systems, and outside ones not access inside ones? In Cisco we can access inside systems from outside when inside NAT is configured. Please help me clear my mind and understand what the correct manner is.

thanks in advance
sam
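Sam's question in general terms, as an added example that is not his configuration (interface names, addresses and ports are assumptions). An outbound "nat" rule only translates connections that inside hosts open and the replies that belong to them; a packet arriving from outside matches neither a state nor a translation, so it reaches nothing. The pf counterpart of a Cisco static inside NAT entry is an inbound translation, rdr for a single port or binat for a whole host, together with a filter rule that passes the traffic. This is the pre-OpenBSD-4.7 syntax that FreeBSD 9 pf uses, in which translation rules must precede filter rules:

```pf
# Added example, not the poster's own pf.conf.  Interface names, addresses and
# ports are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
web    = "192.168.1.10"
ssh    = "192.168.1.20"

# What "inside NAT" gives you: LAN hosts leave through the external address.
# Nothing in this rule creates a path back in.
nat on $ext_if from $lan to any -> ($ext_if)

# Inbound translation for one service (static NAT for a single port) ...
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web port 80

# ... or a 1:1 bidirectional mapping for a whole host; 203.0.113.20 has to be
# routed to $ext_if for this to see any packets.
binat on $ext_if from $ssh to any -> 203.0.113.20

# Translation happens before filtering, so pass rules name the inside
# address, not the external one.  Nothing else from outside is passed.
block in on $ext_if
pass in on $ext_if proto tcp from any to $web port 80 keep state
pass in on $ext_if proto tcp from any to $ssh port 22 keep state
pass in on $ext_if inet proto icmp from any to $ssh icmp-type echoreq keep state
pass out on $ext_if keep state
pass on $int_if keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and after loading confirm the translation with "pfctl -sn" and watch the resulting states with "pfctl -ss": an outside connection to the web port should show up as a state whose destination is the inside address, which is what the inbound pass rule matched.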