From: Amin Saba
Date: Sun, 05 Jun 2016 11:48:03 +0000
Subject: Dangling states problem
To: freebsd-pf@freebsd.org

*Dangling states problem*: pf consults its state table before the rule set (as it should). So even after adding a rule to block certain connections, the ones that have a corresponding entry in the state table will continue uninterrupted. AFAIK, pf does not have any built-in/native mechanism to *automatically* terminate states that go against the current rule set. Sifting through the states and manually "pfctl -k"ing unwanted states does not look like a sustainable solution to this problem.

I am writing a Python script to automate this process, as much as possible.

My questions are:

- Do you know any other projects aiming at this?
- Is there anything on the roadmap for the pf project to address this issue?
- Are there any major roadblocks to implementing this directly in pf?

Can someone shed more light on this, please?

Thanks.
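As an added illustration of the kind of script the post describes (example code written for this page, not the author's script and not part of pf): it parses `pfctl -s states` output, selects the states whose remote peer now falls inside a network that a new block rule covers, and prints the `pfctl -k` invocations for an operator to review. The state listing, the blocked networks and the addresses are constructed sample data; `BLOCKED_NETWORKS` stands in for whatever your block rules actually cover, since the script does not evaluate the rule set itself.

```python
"""Added example, not code from the post above or from any existing
project: find entries in pf's state table whose remote peer now falls
inside a network the rule set blocks, and emit the matching pfctl -k
commands for review.  The state listing below is a constructed sample in
the format of 'pfctl -s states' (with a few '-vv' continuation lines);
BLOCKED_NETWORKS stands in for the addresses your new block rules cover."""
import ipaddress
import subprocess
import sys

# Constructed sample listing, not captured from a real host.  The
# parenthesised address on the NAT line is the pre-translation address pf
# prints for translated states; the indented lines are -vv detail lines.
SAMPLE_STATES = """\
all tcp 10.0.0.5:22 <- 192.0.2.10:54321       ESTABLISHED:ESTABLISHED
   [1234567 + 65536] wscale 7  [7654321 + 65536] wscale 7
   age 00:10:02, expires in 23:59:59, 120:98 pkts, 14560:12001 bytes, rule 12
   id: 0100000000000001 creatorid: 0a0b0c0d
em0 tcp 10.0.0.5:443 <- 198.51.100.7:40112      ESTABLISHED:ESTABLISHED
em0 udp 10.0.0.5:53 <- 203.0.113.9:5353         MULTIPLE:SINGLE
em0 tcp 203.0.113.1:52000 (10.0.0.7:52000) -> 192.0.2.44:80   ESTABLISHED:ESTABLISHED
all icmp 10.0.0.5:1234 <- 192.0.2.11:1234       0:0
em0 tcp 2001:db8::5[22] <- 2001:db8:ffff::9[50000]   ESTABLISHED:ESTABLISHED
"""

BLOCKED_NETWORKS = ["192.0.2.0/24", "2001:db8:ffff::/48"]  # constructed example


def parse_endpoint(tok):
    """'10.0.0.5:22' (IPv4) or '2001:db8::5[22]' (IPv6) -> (address, port)."""
    if tok.endswith("]"):
        addr, port = tok[:-1].rsplit("[", 1)
    else:
        addr, port = tok.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def parse_state(line):
    """One top-level 'pfctl -s states' line -> dict, or None if it is not one.

    Layout: <if> <proto> <local>[ (<pre-nat>)] <- or -> <remote>[ (<pre-nat>)] <state>
    The unparenthesised addresses are kept; the parenthesised
    pre-translation address is skipped.
    """
    toks = line.split()
    try:
        ifname, proto = toks[0], toks[1]
        rest = toks[2:]
        local, lport = parse_endpoint(rest.pop(0))
        if rest[0].startswith("("):
            rest.pop(0)
        direction = rest.pop(0)
        if direction not in ("<-", "->"):
            return None
        remote, rport = parse_endpoint(rest.pop(0))
        if rest and rest[0].startswith("("):
            rest.pop(0)
    except (IndexError, ValueError):
        return None
    return {"ifname": ifname, "proto": proto, "local": local, "lport": lport,
            "dir": direction, "remote": remote, "rport": rport,
            "state": rest[0] if rest else ""}


def find_dangling(states_text, blocked_networks):
    """States whose remote peer lies in a blocked network: they were created
    before the block rule existed and pf will keep matching them."""
    nets = [ipaddress.ip_network(n) for n in blocked_networks]
    hits = []
    for line in states_text.splitlines():
        if not line or line[0].isspace():
            continue  # -vv continuation lines (sequence numbers, age, id)
        st = parse_state(line)
        if st and any(st["remote"] in n for n in nets):
            hits.append(st)
    return hits


def kill_commands(states):
    """pfctl argv per state: first -k is the originating host (the remote
    side of a '<-' state, the local side of a '->' state), second the peer."""
    cmds, seen = [], set()
    for st in states:
        origin, target = ((st["remote"], st["local"]) if st["dir"] == "<-"
                          else (st["local"], st["remote"]))
        argv = ["pfctl", "-k", str(origin), "-k", str(target)]
        if tuple(argv) not in seen:
            seen.add(tuple(argv))
            cmds.append(argv)
    return cmds


if __name__ == "__main__":
    # '--live' reads the real table (needs root); the default uses the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["pfctl", "-s", "states"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_STATES
    for argv in kill_commands(find_dangling(text, BLOCKED_NETWORKS)):
        print(" ".join(argv))
```

The script only prints the commands; `pfctl -k host1 -k host2` kills every state from the first host to the second, so one line may cover more than the single state that triggered it, which is why the output is meant to be reviewed rather than piped straight into a shell.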

From: Goran Tepšić
Date: Mon, 6 Jun 2016 22:18:47 +0200
Subject: Need someone to review my pf.conf
To: freebsd-pf@freebsd.org

Hi, I would like someone more skilled than me to glance over my pf.conf I compiled and possibly let me know if it can be secured/tightened further.

Here's the conf: http://sprunge.us/fCLH

Basically, it's a host with 10-ish jails with various services including SSH, nginx, php-fpm and postfix.

Thanks in advance!

From: Niklaas Baudet von Gersdorff
Date: Tue, 7 Jun 2016 08:28:57 +0200
Subject: Re: Need someone to review my pf.conf
To: freebsd-pf@freebsd.org
Message-ID: <20160607062857.GD37483@box-hlm-03.niklaas.eu>

Goran Tepšić [2016-06-06 22:18 +0200] :
> Hi, I would like someone more skilled than me to glance over my pf.conf I
> compiled and possibly let me know if it can be secured/tightened further.
> Here's the conf: http://sprunge.us/fCLH

I'm not a professional, so take the following comments with a grain of salt. Maybe they spur further discussions that will be helpful.

1. You can think about using security/sshguard-pf for further protection.

2. You can think about using anchors for rules related to your jails. This way you can add/remove rules when jails start/stop. See http://www.openbsd.org/faq/pf/anchors.html, especially "Manipulating Anchors".

3. It seems you have a mail server running. Take a look at mail/spamd. I had issues using the greylisting feature for senders that use multiple SMTP servers (Google, Amazon, etc.), so I decided to use spamd for blocking only. Although there is some documentation in the FreeBSD handbook, you should read the man pages because the former doc seems old.

4. In general, it's not a good idea to pass out everything. Restrict it to what you really need. In case one of your jails gets hijacked it will be more difficult to use it for, e.g., a botnet.

5. You disable IPv6, right?

6. It seems you rdr additional ports for SSH to your jails. I'm not sure whether that is really necessary (depends on you). You can simply administer the jails from your jail host with jexec(8).
Niklaas

From: Goran Tepšić
Date: Tue, 7 Jun 2016 22:42:32 +0200
Subject: Re: Need someone to review my pf.conf
To: freebsd-pf@freebsd.org
References: <20160607062857.GD37483@box-hlm-03.niklaas.eu>

Hey Niklaas, thanks for suggestions!

1. Do you think it works better than limiting malicious ssh attempts via PF? This way, everyone who does 5 bad logins during 60sec gets added to the table and blocked for 24hrs. How does sshguard work?

2. Will look into anchors but I'm not sure how this helps exactly. Care to elaborate please?

3. Currently postfix only does outgoing mail relaying to google, I think I'll remove port 25 from the rules.

4. I can't block 80 and 443 as it would break the app server hosts. These ports are likely to be used in that botnet scenario but I just can't block these. Any suggestion on this?

5. Yes, IPv6 is disabled. Should I remove those IPv6 block rules from the config?

6. ssh in jails is necessary for app developers to be able to manage apps occasionally.

Thanks for suggestions once again!

From: Niklaas Baudet von Gersdorff
Date: Wed, 8 Jun 2016 07:57:49 +0200
Subject: Re: Need someone to review my pf.conf
To: freebsd-pf@freebsd.org
Message-ID: <20160608055749.GA2050@box-hlm-03.niklaas.eu>

Goran Tepšić [2016-06-07 22:42 +0200] :
> 1. Do you think it works better than limiting malicious ssh attempts via
> PF? This way, everyone who do 5 bad logins during 60sec gets added to the
> table and blocked for 24hrs. How does sshguard work?

Well, actually your rules don't really check whether a connection was followed by a successful login or not. The rule simply limits connection *attempts*. Sshguard only bans those attempts *that failed* and it does so very cleverly. Have a look here http://www.sshguard.net/ at what sshguard can and cannot do:

* it supports log message authentication
* it features touchiness and automatic blacklisting
* it supports IPv6 addressing natively
* it supports slick multiple-source monitoring
* it supports sophisticated whitelisting
* it recognizes many logging formats transparently
* it handles host names or addresses in log files natively
* it supports per-service and per-address blocking actions

> 2. Will look into anchors but i'm not sure how this helps exactly. Care to
> elaborate please?

The way you do it now your ports will remain open, independently of whether your jails are running or not. With anchors you can add the required rules when a jail starts, and remove them when a jail stops.

In my /etc/pf.conf I have:

--------------------8<--------------------
table persist
[...]
rdr-anchor "jails/*" on $ext_if to $ext_if
[...]
pass in proto { udp tcp } to port domain
-------------------->8--------------------

In my /etc/jail.conf I have e.g.,

--------------------8<--------------------
[...]
exec.prestart = "pfctl -t $class -T add $private_ip4 $private_ip6";
exec.prestop = "pfctl -t $class -T delete $private_ip4 $private_ip6";
[...]

ns1 {
    $network = 1;
    $id = 1;
    $class = "ns";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
    exec.poststop += "pfctl -a jails/$name-ipv6 -F all";
    exec.poststop += "pfctl -a jails/$name-ipv4 -F all";
}
-------------------->8--------------------

So, each time jail ns1 starts its IP addresses are added to the relevant table and the required rdr rules are added to an anchor. If I stop it the firewall closes every connection that relates to that jail. Maybe this is a bit paranoid. But this way I can simply transfer jails between different hosts and the rules I need are added automagically.

> 3. Currently postfix only does outgoing mail mrelaying to google, i think
> I'll remove 25 port from rules.

If you only have outgoing connections (and since you have a `pass out all` rule) you can remove `pass in ... port 25`, yes.

> 4. I can't block 80 and 443 a it would break apps server hosts. These ports
> are likely to be used in that botnet scenario but i just can't block these.
> Any suggestion on this?

Remember that it's only about outgoing connections that are *established* by your app servers. Where do they need to establish connections to? For regular www servers that I had in use, they only needed to connect to pkg.freebsd.org for upgrading. So, what you can do is write a sh script that `drill`s pkg.freebsd.org occasionally and adds the addresses to e.g., ``. In your pf.conf you can add something like

pass out on $jail_if proto tcp to port 80

to limit connectivity of your jails. To further improve and get around them connecting to pkg.freebsd.org you can run your own poudriere instance on the host, mount_nullfs the package repository to another jail "pkg" and only allow your "www" jails to connect to "pkg".
This highly depends on your setup and what your app servers are doing. Just to give you some idea of what worked for me.

> 5. Yes, IPv6 is disabled. Should i remove those IPv6 block rules from
> config?

Depends on whether you need it or not. :-) I have

--------------------8<--------------------
pass on $ext_if inet6 proto ipv6-icmp all icmp6-type { 1 2 3 4 128 129 131 133 134 135 136 137 143 }
-------------------->8--------------------

which is necessary for IPv6 to work correctly. (Maybe one can limit the rule even more but I haven't investigated this further yet.)

Niklaas
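Taking the per-jail anchor setup from the reply above a step further, here is an added example (written for this page; not Niklaas's configuration and not part of pf or jail(8)) that derives all of the pieces from one jail description: the table add/delete for `exec.prestart`/`exec.prestop`, the rdr rules for the `jails/<name>-ipv4` and `jails/<name>-ipv6` anchors, the anchor flush for `exec.poststop`, and a jail.conf block in the shape of the `ns1` entry. It differs from the `echo ... | pfctl -a ... -f -` form in one point: each anchor's rules are written to one file per anchor, because a `pfctl -a <anchor> -f` load replaces that anchor's whole rule set, so a jail with several redirected services must load all of its rules in one go. `JailSpec`, the function names and the `/etc/pf.jails` directory are this example's own assumptions; the addresses and names in the test are constructed.

```python
"""Added example, not Niklaas's configuration or any project's code: build
the per-jail pieces described above from one jail description: the table
add/delete commands for exec.prestart/exec.prestop, the rdr rules for a
'jails/<name>-ipv4' and 'jails/<name>-ipv6' anchor, the anchor flush for
exec.poststop, and a jail.conf(5) block in the shape of the ns1 entry.
JailSpec, the function names and the rules directory are assumptions of
this example.  Every value is checked before it is placed into rule or
shell text, so a malformed name or address fails here instead of becoming
an unexpected pf rule."""
import ipaddress
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]*$")   # jail, table and interface names
SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]*$")           # services(5) names such as "domain"
DIR_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")             # rules directory, no quotes or spaces
PROTOS = {"tcp", "udp"}


@dataclass
class JailSpec:
    name: str              # jail name; also forms the anchor name
    cls: str               # pf table the jail's addresses are added to ("ns" above)
    private_ip4: str
    private_ip6: str = ""  # empty string: IPv4-only jail
    # service name or port -> protocols, e.g. {"domain": ["udp", "tcp"], 2222: ["tcp"]}
    services: dict = field(default_factory=dict)


def checked(spec, ext_if):
    """Validate everything that ends up in rule text; return (ip4, ip6 or None)."""
    for what, value in (("jail name", spec.name), ("table", spec.cls), ("interface", ext_if)):
        if not NAME_RE.match(value):
            raise ValueError(f"bad {what}: {value!r}")
    ip4 = ipaddress.IPv4Address(spec.private_ip4)
    ip6 = ipaddress.IPv6Address(spec.private_ip6) if spec.private_ip6 else None
    for svc, protos in spec.services.items():
        port_ok = isinstance(svc, int) and 0 < svc < 65536
        if not (port_ok or (isinstance(svc, str) and SERVICE_RE.match(svc))):
            raise ValueError(f"bad service/port: {svc!r}")
        if not protos or not set(protos) <= PROTOS:
            raise ValueError(f"bad protocol list for {svc!r}: {protos!r}")
    return ip4, ip6


def table_commands(spec, ext_if):
    """pfctl argv for exec.prestart (add) and exec.prestop (delete)."""
    ip4, ip6 = checked(spec, ext_if)
    addrs = [str(ip4)] + ([str(ip6)] if ip6 else [])
    return (["pfctl", "-t", spec.cls, "-T", "add", *addrs],
            ["pfctl", "-t", spec.cls, "-T", "delete", *addrs])


def anchor_rules(spec, ext_if):
    """anchor name -> rdr rule text (one rule per redirected service)."""
    ip4, ip6 = checked(spec, ext_if)
    targets = [("inet", ip4, "ipv4")] + ([("inet6", ip6, "ipv6")] if ip6 else [])
    rules = {}
    for af, addr, suffix in targets:
        lines = []
        for svc, protos in spec.services.items():
            proto = protos[0] if len(protos) == 1 else "{ " + " ".join(protos) + " }"
            lines.append(f"rdr pass on {ext_if} {af} proto {proto} "
                         f"to {ext_if} port {svc} -> {addr}")
        rules[f"jails/{spec.name}-{suffix}"] = "\n".join(lines) + "\n"
    return rules


def anchor_files(spec, ext_if, rules_dir="/etc/pf.jails"):
    """anchor name -> (file path, rule text).  One file per anchor, because
    'pfctl -a <anchor> -f <file>' replaces the anchor's whole rule set."""
    if not DIR_RE.match(rules_dir):
        raise ValueError(f"bad rules directory: {rules_dir!r}")
    return {anchor: (f"{rules_dir}/{anchor.split('/', 1)[1]}.conf", text)
            for anchor, text in anchor_rules(spec, ext_if).items()}


def flush_commands(spec, ext_if):
    """exec.poststop: empty the jail's anchors.  This removes rules only;
    states those rules already created stay until they expire or are killed
    (the point of the dangling-states post at the top of this page)."""
    return [["pfctl", "-a", anchor, "-F", "all"] for anchor in anchor_rules(spec, ext_if)]


def render_jail_conf(spec, ext_if, rules_dir="/etc/pf.jails"):
    """A jail.conf(5) block with the same hooks as the ns1 example above."""
    add, delete = table_commands(spec, ext_if)
    lines = [f"{spec.name} {{",
             f'    $class = "{spec.cls}";',
             f'    exec.prestart = "{" ".join(add)}";',
             f'    exec.prestop = "{" ".join(delete)}";']
    for anchor, (path, _text) in anchor_files(spec, ext_if, rules_dir).items():
        lines.append(f"    exec.poststart += \"pfctl -a '{anchor}' -f {path}\";")
    for argv in flush_commands(spec, ext_if):
        lines.append(f'    exec.poststop += "{" ".join(argv)}";')
    lines.append("}")
    return "\n".join(lines) + "\n"
```

Writing the rule files from `anchor_files()` and appending `render_jail_conf()` to jail.conf is the deployment step; it is left to the caller so the generator itself never needs root.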

From: "Eugene M. Zheganin"
Date: Wed, 8 Jun 2016 15:47:48 +0500
Subject: cannot delete state, when the state is obviously present
To: freebsd-pf@freebsd.org
Message-ID: <5757F7D4.2030405@norma.perm.ru>

Hi.

Why is it often impossible to delete a state from the state table?

Suppose I have a state:

all icmp 46.146.220.88:36386 <- 104.81.60.125:36386       0:0
   age 00:00:20, expires in 00:00:05, 2:2 pkts, 128:128 bytes, rule 43
   id: 0100000073bcdded creatorid: 1017b0dc

# pfctl -k id -k 0100000073bcdded
killed 0 states

And the state is still present after this.

Thanks.
Eugene.

From: Max
Date: Wed, 8 Jun 2016 15:46:32 +0300
Subject: Re: cannot delete state, when the state is obviously present
To: freebsd-pf@freebsd.org
Message-ID: <6906ba6c-832b-2e19-b970-4b19b8a45da1@als.nnov.ru>
In-Reply-To: <5757F7D4.2030405@norma.perm.ru>

Hello, Eugene.

Can you show the output of "pfctl -vvss" before and after "pfctl -k id -k ..."?

> age 00:00:20, expires in *00:00:05*

From: bugzilla-noreply@freebsd.org
Date: Fri, 10 Jun 2016 14:35:24 +0000
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
To: freebsd-pf@FreeBSD.org
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Who: kp@freebsd.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

Kristof Provost changed:

           What    |Removed |Added
----------------------------------------------------------------------------
Attachment #170747|0       |1
is obsolete|        |

--- Comment #29 from Kristof Provost ---
Created attachment 171268
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=171268&action=edit
pf error returns

Hmm. I might be making this harder than it needs to be.
If the netpfil hook returns EACCESS ip_forward() won't actually generate an ICMP error message.
The problem is that PF returns PF_PASS, PF_DROP, ... instead of the error codes the stack expects.

Can you test this patch?

It's interesting that this doesn't seem to be as big a problem on CURRENT, because the fast forwarding code (ip_tryforward()) doesn't generate ICMP errors for netpfil() errors.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Fri Jun 10 16:51:30 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 16:51:28 +0000
X-Bugzilla-Who: maximos@als.nnov.ru

--- Comment #30 from Max ---
(In reply to Kristof Provost from comment #29)
It seems the patch works, except one thing: "block return ..." does not generate an ICMP message.

From owner-freebsd-pf@freebsd.org Fri Jun 10 17:42:04 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 17:42:04 +0000
X-Bugzilla-Who: maximos@als.nnov.ru

--- Comment #31 from Max ---
(In reply to Max from comment #30)
But it looks like this is not a patch problem.

From owner-freebsd-pf@freebsd.org Fri Jun 10 17:49:51 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 17:49:51 +0000
X-Bugzilla-Who: kp@freebsd.org

--- Comment #32 from Kristof Provost ---
(In reply to Max from comment #31)
Okay, let's track that in a new bug. Can you create one?

From owner-freebsd-pf@freebsd.org Fri Jun 10 18:15:14 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 18:15:14 +0000
X-Bugzilla-Who: kp@freebsd.org

--- Comment #33 from Kristof Provost ---
(In reply to Max from comment #30)
Was this with TCP/UDP or ICMP?

Note that pf doesn't generate ICMP error messages for anything other than UDP (and TCP RST for TCP):

     return      A TCP RST is returned for blocked TCP packets, an ICMP
                 UNREACHABLE is returned for blocked UDP packets, and all
                 other packets are silently dropped.

From owner-freebsd-pf@freebsd.org Fri Jun 10 18:57:06 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 18:57:06 +0000
X-Bugzilla-Who: maximos@als.nnov.ru

--- Comment #34 from Max ---
(In reply to Kristof Provost from comment #33)
Yeah, that's my fault... It is ICMP.

But man pf.conf says:

     return      This causes a TCP RST to be returned for tcp(4) packets and
                 an ICMP UNREACHABLE for UDP and other packets.

(In reply to Kristof Provost from comment #32)
I'm trying to understand what's happening...

Without the patch:

ruleset 1:
    scrub on gre1
    pass log (all) all
    block return out log (all) on gre1 proto icmp
ICMP-unreach exists.

ruleset 2:
    scrub on gre1
    pass log (all) all
    block return in log (all) on gre0 proto icmp
ICMP-unreach doesn't exist. Should it?

ruleset 3:
    scrub on gre0
    scrub on gre1
    pass log (all) all
    block return in log (all) on gre0 proto icmp
ICMP-unreach doesn't exist.

I've rebuilt the kernel... again... the patched version. There is no ICMP-unreach at all.
So, the first case is relevant to the patch, I think...

From owner-freebsd-pf@freebsd.org Fri Jun 10 19:26:41 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 19:26:40 +0000
X-Bugzilla-Who: maximos@als.nnov.ru

--- Comment #35 from Max ---
(In reply to Kristof Provost from comment #33)
Now I see that...

        } else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
            r->return_icmp)
                pf_send_icmp(m, r->return_icmp >> 8,
                    r->return_icmp & 255, af, r);
        else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
            r->return_icmp6)
                pf_send_icmp(m, r->return_icmp6 >> 8,
                    r->return_icmp6 & 255, af, r);

"block return ... proto tcp" works as expected.

From owner-freebsd-pf@freebsd.org Fri Jun 10 19:54:43 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Fri, 10 Jun 2016 19:54:43 +0000
X-Bugzilla-Who: kp@freebsd.org

--- Comment #36 from Kristof Provost ---
(In reply to Max from comment #35)
Yeah, we may want to clarify the man page somewhat, and explicitly state that there are no ICMP error messages for ICMP packets.
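What comments #33 and #35 settle is the actual behaviour of pf's "return" for IPv4: a TCP RST for blocked TCP, an ICMP unreachable for every other protocol (UDP, GRE, ...), and nothing at all for blocked ICMP, which is the case the man page wording left ambiguous. The following is an added example, not code from the bug report, from pf or from its man pages. It is a small Python checker that takes one raw IPv4 response packet (assumed to be pulled from a tcpdump capture on the interface where the block rule fires) and compares what came back against what the quoted pf_test_rule() logic predicts. The packet builders at the bottom construct the sample responses so the module runs offline; they are not captures from the reporter's gre/ipsec setup.

```python
"""Classify what a pf "block return" rule sent back for a blocked IPv4 packet.

Added example, not code from the bug report or from pf. Assumes the response
is one raw IPv4 packet (e.g. pulled from a tcpdump capture on the gre
interface) and reproduces the decision from the pf_test_rule() snippet quoted
in comment #35: TCP RST for TCP, ICMP unreachable for anything except ICMP,
silence for ICMP. The sample packets at the bottom are constructed here so
the module runs offline.
"""
import struct
from typing import Optional, Tuple

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 1, 6, 17, 47
TCP_FLAG_RST, TCP_FLAG_ACK = 0x04, 0x10
ICMP_DEST_UNREACH = 3


def expected_return(proto: int) -> Optional[str]:
    """What 'block return' emits for a blocked IPv4 packet of `proto`,
    following the quoted pf_test_rule() logic (not the pf.conf(5) text)."""
    if proto == IPPROTO_TCP:
        return "tcp-rst"
    if proto == IPPROTO_ICMP:
        return None                     # pd->proto == IPPROTO_ICMP: dropped silently
    return "icmp-unreach"               # UDP, GRE, ESP, ... all get an unreachable


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed data)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def classify_response(pkt: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Return (kind, original_proto) for a raw IPv4 response packet.

    kind is 'tcp-rst', 'icmp-unreach' or None. For an unreachable, the
    original protocol is read from the quoted IP header so the caller can
    check the error really refers to the datagram that was blocked.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        if l4[13] & TCP_FLAG_RST:       # flags byte of the TCP header
            return "tcp-rst", IPPROTO_TCP
        return None, None
    if proto == IPPROTO_ICMP and len(l4) >= 8 + 20 and l4[0] == ICMP_DEST_UNREACH:
        quoted = l4[8:]                 # original IP header follows the 8-byte ICMP header
        return "icmp-unreach", quoted[9]
    return None, None


def verify_block_return(blocked_proto: int, response: Optional[bytes]) -> bool:
    """True if the observed response (None = nothing came back) matches what
    the quoted pf code predicts for a blocked packet of `blocked_proto`."""
    kind, orig = classify_response(response) if response else (None, None)
    if kind != expected_return(blocked_proto):
        return False
    return kind is None or orig == blocked_proto


# --- constructed sample responses (not captures) ------------------------------
def sample_tcp_rst(src: str, dst: str) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4,
                      TCP_FLAG_RST | TCP_FLAG_ACK, 0, 0, 0)
    return ipv4_header(IPPROTO_TCP, src, dst, len(tcp)) + tcp


def sample_icmp_unreach(src: str, dst: str, orig_proto: int,
                        orig_src: str, orig_dst: str) -> bytes:
    quoted = ipv4_header(orig_proto, orig_src, orig_dst, 8) + b"\x00" * 8
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(IPPROTO_ICMP, src, dst, len(icmp)) + icmp


if __name__ == "__main__":
    rst = sample_tcp_rst("10.0.0.1", "10.0.0.2")
    unreach = sample_icmp_unreach("10.0.0.1", "10.0.0.2", IPPROTO_UDP,
                                  "10.0.0.2", "10.0.0.1")
    print("tcp  ->", classify_response(rst), verify_block_return(IPPROTO_TCP, rst))
    print("udp  ->", classify_response(unreach), verify_block_return(IPPROTO_UDP, unreach))
    print("icmp -> silence expected:", verify_block_return(IPPROTO_ICMP, None))
```

The checker follows the code path, not the pf.conf(5) sentence Max quoted: for a blocked ICMP packet the correct observation is silence, and an unreachable showing up for it (ruleset 1 above) is what a reporter should flag. Only the AF_INET branch is modelled; the IPPROTO_ICMPV6 / return_icmp6 branch from the same snippet would need an IPv6 parser.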