From owner-freebsd-pf@FreeBSD.ORG Sun Oct  8 23:30:25 2006
From: "Justin Franks" <jfranks@inetassociation.com>
To: freebsd-pf@freebsd.org
Date: Sun, 8 Oct 2006 16:30:23 -0700
Subject: Need a little PF help here, please...

Have been using PF for over two years and recently ran into "problem"
which I am sure is something I am overlooking. So I need some direction.
Here it is: I recently enabled BIND9 on FreeBSD 6.1. I have PF running
too (PF config below). If I ping yahoo.com nothing happens. However, if
I comment out the PF rule "block in all" then suddenly I can ping
yahoo.com. Why will my server not resolve names (like yahoo.com) if the
"block in all" statement exists? Why does that statement mess it up?
What am I missing? Please help because I am totally frustrated.

Here is my pf.conf file.

table persist file "/etc/pf-files/misc"
table persist file "/etc/pf-files/spam"
table persist file "/etc/pf-files/ssh"
table persist file "/etc/pf-files/gov"
table persist file "/etc/pf-files/dod"
table persist file "/etc/pf-files/fbi"
table persist file "/etc/pf-files/cia"
table persist file "/etc/pf-files/china"
table persist file "/etc/pf-files/hongkong"
table persist file "/etc/pf-files/taiwan"
table persist file "/etc/pf-files/vietnam"
table persist file "/etc/pf-files/argentina"

scrub in all

block in all
antispoof for rl0 inet

pass in quick on rl0 proto tcp from any to rl0 port www
pass in quick on rl0 proto udp from any to rl0 port www

block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25

pass in on rl0 proto tcp from any to rl0 port 25
pass in on rl0 proto tcp from any to rl0 port 110
pass in on rl0 proto tcp from to rl0 port 22
pass in on rl0 inet proto icmp all icmp-type echoreq

pass out keep state

-------------------
Justin
From owner-freebsd-pf@FreeBSD.ORG Sun Oct  8 23:37:14 2006
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Justin Franks"
Cc: freebsd-pf@freebsd.org
Date: Sun, 8 Oct 2006 16:37:10 -0700
Subject: Re: Need a little PF help here, please...

On 10/8/06, Justin Franks wrote:
>
> Have been using PF for over two years and recently ran into "problem"
> which I am sure is something I am overlooking. So I need some direction.
> Here it is: I recently enabled BIND9 on FreeBSD 6.1. I have PF running
> too (PF config below). If I ping yahoo.com nothing happens. However, if
> I comment out the PF rule "block in all" then suddenly I can ping
> yahoo.com. Why will my server not resolve names (like yahoo.com) if the
> "block in all" statement exists? Why does that statement mess it up?
> What am I missing? Please help because I am totally frustrated.
>

add 'set skip on lo' before scrub, so you can pass traffic on the
loopback interface (which many things use).

Also, might want to space out your pf.conf a little differently so it
has some distinct sections.
From owner-freebsd-pf@FreeBSD.ORG Mon Oct  9 06:47:09 2006
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: freebsd-pf@freebsd.org
Date: Mon, 9 Oct 2006 07:46:52 +0100
Subject: RE: Need a little PF help here, please...

> However, if
> I comment out the PF rule "block in all" then suddenly I can ping
> yahoo.com. Why will my server not resolve names (like
> yahoo.com) if the
> "block in all" statement exists? Why does that statement mess it up?
> What am I missing? Please help because I am totally frustrated.
>
>
> block in all

The default block rule should always have logging enabled, no exceptions.

It should be

block log all

The pf logs would have told you straight away what was being dropped and
why.

On a side note,

The default block rule should match both ingress and egress traffic.
A system cannot be deemed secure if it implicitly allows egress traffic
to flow.

Greg
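Putting the two replies together (Kian's "set skip on lo" and Greg's logged, bidirectional default block), here is an added example of how Justin's ruleset could be restructured. It is my own config, not anything posted to the list. Assumptions: the table names inside angle brackets, which the archive stripped, are taken to match their file names (only three are shown); the box resolves through its own BIND at 127.0.0.1 over lo0; and the outbound list covers DNS recursion, outgoing mail, NTP and ping, which is all this host appears to need.

```pf
# Added example ruleset for the host in this thread; not Justin's file and not
# anything posted to the list. Table names are assumed to match the file names
# (the archive stripped the <...> part); only three tables are shown.
ext_if = "rl0"

table <spam>  persist file "/etc/pf-files/spam"
table <ssh>   persist file "/etc/pf-files/ssh"
table <china> persist file "/etc/pf-files/china"

# Do not filter lo0 at all. With resolv.conf pointing at the local BIND
# (assumed here), every lookup is a packet to 127.0.0.1:53 that arrives
# "in" on lo0, which a bare "block in all" silently drops.
set skip on lo0

scrub in all

# Default deny in both directions, and log it: drops then show up with
#   tcpdump -n -e -ttt -i pflog0
block log all
antispoof log quick for $ext_if inet

# Reputation tables first, so they also cover the web server
block in log quick on $ext_if from <china> to any
block in log quick on $ext_if proto tcp from <spam> to $ext_if port 25

# Inbound services offered by this host (keep state is written out because
# pf on FreeBSD 6.x does not add it by default)
pass in quick on $ext_if proto tcp from any to $ext_if port 80 keep state
pass in quick on $ext_if proto tcp from any to $ext_if port { 25, 110 } keep state
pass in quick on $ext_if proto tcp from <ssh> to $ext_if port 22 keep state
pass in quick on $ext_if inet proto icmp all icmp-type echoreq keep state
# Only if BIND also answers outside clients (authoritative zones):
# pass in quick on $ext_if proto { tcp, udp } from any to $ext_if port 53 keep state

# Outbound: only what the box is known to need, instead of "pass out keep state"
pass out quick on $ext_if proto { tcp, udp } from $ext_if to any port 53 keep state   # BIND recursion
pass out quick on $ext_if proto tcp from $ext_if to any port 25 keep state             # outgoing mail
pass out quick on $ext_if proto udp from $ext_if to any port 123 keep state            # ntpd
pass out quick on $ext_if inet proto icmp all icmp-type echoreq keep state             # ping
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then watch pflog0 while running the failing `ping yahoo.com`: whatever Greg's logged block rule is dropping appears there immediately, which turns a guessing game into a one-line diagnosis. Anything the host legitimately needs to reach that is not in the outbound list shows up the same way and can be added deliberately.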
From owner-freebsd-pf@FreeBSD.ORG Mon Oct  9 11:09:53 2006
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Date: Mon, 9 Oct 2006 11:08:36 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
f kern/86072   pf         [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o sparc/93530  pf         Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/81042   pf         [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/94992   pf         [pf] [patch] pfctl complains about ALTQ missing
o kern/103304  pf         pf accepts nonexistent queue in rules

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Oct  9 14:36:41 2006
From: eculp@bafirst.com
To: freebsd-pf@freebsd.org
Date: Mon, 09 Oct 2006 09:36:15 -0500
Subject: Greg's side note

< snip >
>
> On a side note,
>
> The default block rule should match both ingress and egress traffic.
> A system cannot be deemed secure if it implicitly allows egress traffic to
> flow.

Makes sense but I haven't done it due to an ignorance of which
unprivileged ports need to be enabled for things like skype, IM etc.

Does anyone have any recommendations as to where a list of ports used by
programs like the above can be found or a restricted range of ports that
has worked for you?

Thanks,

ed

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 11 15:05:14 2006
From: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To: freebsd-pf@freebsd.org
Date: Wed, 11 Oct 2006 17:04:58 +0200
Subject: table persist file

Hi.

I have a table in my pf.conf:

table persist file "/etc/pf/commit"

When I add IPs to the table nothing gets into the file even though they
are listed in the table.

Any thoughts?

Info:

su-2.05b# uname -a
FreeBSD host.domain.se 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Fri Sep 15 13:26:01 CEST 2006     user@:/usr/obj/usr/src/sys/GENERIC  i386

su-2.05b# pfctl -t commit -T sh
No ALTQ support in kernel
ALTQ related functions disabled
   XXX.XXX.XX.228
   XXX.XXX.XX.229
   XXX.XXX.XX.232
   XXX.XXX.XX.233
   XXX.XXX.XX.234
   XXX.XXX.XX.236
   XXX.XXX.XX.237

su-2.05b# cat /etc/pf/commit

su-2.05b# ls -la /etc/pf/commit
-rwxrwxrwx  1 root  wheel  0 Sep 26 11:06 /etc/pf/commit

/Jon
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 11 15:10:01 2006
From: Gergely CZUCZY <gergely.czuczy@harmless.hu>
To: Jon Otterholm
Cc: freebsd-pf@freebsd.org
Date: Wed, 11 Oct 2006 17:09:36 +0200
Subject: Re: table persist file

On Wed, Oct 11, 2006 at 05:04:58PM +0200, Jon Otterholm wrote:
> Hi.
>
> I have a table in my pf.conf:
>
> table persist file "/etc/pf/commit"

let me quote the manual, pf.conf(5) for you:
--- chop with axe here ---
     A table can also be initialized with an address list specified in one or
     more external files, using the following syntax:
--- chop with axe here ---

And now, some terminology. the process named "initialization" means, to
set the initial values of some object. the initial value is the value
that the object has at startup-time.

> When I add IPs to the table nothing gets into the file even though they
> are listed in the table.

check the part of the manual, and reinterpret what i have read.

>
> Any thoughts?

Hint: it's nowhere said that the pf will synchronize the contents of the
file with the table. use a crontab script for this, like

05 * * * * root pfctl -t ftp-blacklist -Tshow > /etc/pf/ftp-blacklist

have fun,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

--
Weenies test. Geniuses solve problems that arise.
From owner-freebsd-pf@FreeBSD.ORG Thu Oct 12 12:47:06 2006
From: Volker <volker@vwsoft.com>
To: Jon Otterholm
Cc: freebsd-pf@freebsd.org
Date: Thu, 12 Oct 2006 14:46:38 +0200
Subject: Re: table persist file

On 12/23/-58 20:59, Jon Otterholm wrote:
> Hi.
>
> I have a table in my pf.conf:
>
> table persist file "/etc/pf/commit"
>
> When I add IPs to the table nothing gets into the file even though they
> are listed in the table.
>
> Any thoughts?
>
> Info:
>
> su-2.05b# uname -a
> FreeBSD host.domain.se 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Fri Sep
> 15 13:26:01 CEST 2006 user@:/usr/obj/usr/src/sys/GENERIC i386
>
> su-2.05b# pfctl -t commit -T sh
> No ALTQ support in kernel
> ALTQ related functions disabled
>    XXX.XXX.XX.228
>    XXX.XXX.XX.229
>    XXX.XXX.XX.232
>    XXX.XXX.XX.233
>    XXX.XXX.XX.234
>    XXX.XXX.XX.236
>    XXX.XXX.XX.237
>
> su-2.05b# cat /etc/pf/commit
>
> su-2.05b# ls -la /etc/pf/commit
> -rwxrwxrwx  1 root  wheel  0 Sep 26 11:06 /etc/pf/commit
>
> /Jon
>

Jon,

you may use a command like:

`pfctl -t commit -Ts > /path/to/tablefile'

to write the contents of the table out to disk.

HTH,
Volker
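Gergely's crontab one-liner and Volker's `pfctl -t commit -Ts > file` both work, but a plain redirect truncates the file before pfctl runs, so a failing pfctl (table renamed, pf not loaded) leaves an empty file that `table persist file` will happily load at the next reload. Jon's listing also shows the file as `-rwxrwxrwx`, which lets any local user edit what the firewall trusts. The script below is an added example, mine rather than either poster's, of the same cron job done safely: it writes to a temp file, replaces the persisted copy only on success, and tightens the mode. The `PFCTL` variable is an assumption for testing; on a real host it is just `pfctl`.

```shell
#!/bin/sh
# Atomic pf table dump for cron (added example, not from the thread).
# Assumptions: pfctl is on PATH (PFCTL lets a test substitute a stub) and
# the target directory exists. Table name and output path are arguments.

PFCTL="${PFCTL:-pfctl}"

# dump_pf_table NAME FILE
# Writes the live contents of table NAME to FILE, replacing FILE only when
# pfctl succeeded, so a failed run never truncates the persisted copy.
dump_pf_table() {
    name="$1"
    file="$2"
    dir=$(dirname "$file")
    tmp="$dir/.${name}.tmp.$$"

    # pf's "No ALTQ support in kernel" notice goes to stderr, so stdout
    # holds only the addresses; stderr is discarded to keep cron quiet.
    if ! "$PFCTL" -t "$name" -T show > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "dump_pf_table: pfctl failed for table $name, keeping $file" >&2
        return 1
    fi

    # "pfctl -T show" indents each address; strip that so the file reads
    # cleanly (it is still valid input for "table ... persist file").
    sed 's/^[[:space:]]*//' "$tmp" > "$tmp.clean" && mv "$tmp.clean" "$tmp"

    # The file feeds the firewall on the next reload, so nobody but root
    # should be able to write it (the original post's copy was mode 0777).
    chmod 0600 "$tmp"
    mv "$tmp" "$file"
}

# Command-line use; in /etc/crontab this would be something like
#   05 * * * * root /usr/local/sbin/pf-table-dump.sh commit /etc/pf/commit
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    dump_pf_table "$1" "$2"
fi
```

Because `mv` within one filesystem is atomic, a reload that happens to run while the cron job is writing sees either the old complete file or the new one, never a half-written list.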
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 13 09:13:56 2006
From: "Travis H." <solinym@gmail.com>
To: "B. Cook"
Cc: freebsd-pf@freebsd.org
Date: Fri, 13 Oct 2006 04:13:52 -0500
Subject: Re: Transparent proxy with ! and table issues..

I know this has been a while, but I didn't see a proper response in the
thread.

I suspect that the gateway is unset or improperly set on the routes
associated with the alias.

I'm not familiar with squidclient, but it looks like all requests are
going through the squid proxy. The common pattern seems to be that
all the queries to .53 fail, and the only one to .52 succeeded. I'm
not sure why you think any of these queries should _not_ go through
the rdr rules, since they are all in and none are in , so they all
match rdr rules.

--
"The obvious mathematical breakthrough would be the development of an
easy way to factor large prime numbers.'' [sic] -- Bill Gates -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 13 12:55:46 2006
From: "B. Cook" <bcook@poklib.org>
To: "Travis H."
Cc: freebsd-pf@freebsd.org
Date: Fri, 13 Oct 2006 08:55:43 -0400 (EDT)
Subject: Re: Transparent proxy with ! and table issues..

On Fri, October 13, 2006 5:13 am, Travis H. wrote:
> I know this has been a while, but I didn't see a proper response in the
> thread.
> I suspect that the gateway is unset or improperly set on the routes
> associated
> with the alias.
>
> I'm not familiar with squidclient, but It looks like all requests are
> going through the squid proxy. The common pattern seems to be that
> all the queries to .53 fail, and the only one to .52 succeeded. I'm
> not sure why you think any of these queries should _not_ go through
> the rdr rules, since they are all in and none are in
> , so they all match rdr rules.
> --
> "The obvious mathematical breakthrough would be the development of an
> easy way to factor large prime numbers.'' [sic] -- Bill Gates -><-
>
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
>

Thank you for looking at my post.

I did end up solving it with the following config:

staff_if="sis0"
public_if="xl0"
proxy_server="192.168.1.3"
allowed="{ 192.168.1.0/24, 172.16.10.0/24 }"

scrub on { $public_if, $staff_if } no-df min-ttl 32 max-mss 1460 random-id

no rdr on $public_if from $public_if:network to $allowed
no rdr on $staff_if from $staff_if:network to $allowed

rdr on $public_if inet proto tcp from $public_if:network to any port www -> $proxy_server port 8080
rdr on $staff_if inet proto tcp from $staff_if:network to any port www -> $proxy_server port 8080

pass in on $staff_if inet proto tcp from any to $proxy_server port 8080 keep state
pass in on $public_if inet proto tcp from any to $proxy_server port 8080 keep state

pass out on $staff_if inet proto tcp from any to any port www keep state
pass out on $public_if inet proto tcp from any to any port www keep state
pass out on lo0 inet proto tcp from any to any port www modulate state

# EOF

the "no rdr" needed to be before the rdr statements. It seems that having
the ! it would only take the first network and not the second.

I was trying to say "Not (this and that)" to negate them both, but it
would come out like this "Not this and that", so the 'that' was allowed;
the "not this" worked as intended.
From owner-freebsd-pf@FreeBSD.ORG Fri Oct 13 21:23:21 2006
From: "Travis H." <solinym@gmail.com>
To: "B. Cook"
Cc: freebsd-pf@freebsd.org
Date: Fri, 13 Oct 2006 16:23:19 -0500
Subject: Re: Transparent proxy with ! and table issues..

On 10/13/06, B. Cook wrote:
> the "no rdr" needed to be before the rdr statements. It seems that having
> the ! it would only take the first network and not the second.

Well, I don't think that's the way it was working. Negated lists don't
work as expected (see the FAQ), but your table "noproxy" had one entry
in it and you were negating it, and it appears to work the way I'd
expect. Perhaps you got confused, or what you posted was not what you
were talking about.

Note that you can put negated items in a table, but avoid negated items
in a list.

--
"The obvious mathematical breakthrough would be the development of an
easy way to factor large prime numbers.'' [sic] -- Bill Gates -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
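The list-expansion behaviour Travis points at in the FAQ, and the reason B. Cook's `no rdr` lines in the previous message fix it, shown as an added pf.conf fragment. This is my own example, not either poster's config. Assumptions: the interface and proxy macros are taken from B. Cook's config, and a table `<allowed>` holds the same two networks as his `$allowed` list.

```pf
# Added example, not from either poster. Macros follow B. Cook's config; the
# <allowed> table is my own equivalent of his $allowed list.
staff_if     = "sis0"
proxy_server = "192.168.1.3"
table <allowed> { 192.168.1.0/24, 172.16.10.0/24 }

# DOES NOT WORK: a { ... } list is expanded into one rule per element, so
#   rdr on $staff_if inet proto tcp from $staff_if:network \
#       to ! { 192.168.1.0/24, 172.16.10.0/24 } port www -> $proxy_server port 8080
# is loaded as two rules:
#   rdr ... to ! 192.168.1.0/24  port www -> $proxy_server port 8080
#   rdr ... to ! 172.16.10.0/24 port www -> $proxy_server port 8080
# A packet for 172.16.10.5 is "not 192.168.1.0/24", so the first rule
# redirects it; a packet for 192.168.1.5 is "not 172.16.10.0/24", so the
# second one does. Together they mean "not A or not B", which is every
# destination. "pfctl -nvf /etc/pf.conf" prints the expanded rules and is
# the quickest way to catch this before loading.

# WORKS: a table is a single lookup, so its negation really is "not (A or B)"
rdr on $staff_if inet proto tcp from $staff_if:network to ! <allowed> port www -> $proxy_server port 8080

# ALSO WORKS (use one form or the other): exempt the internal networks first,
# since translation rules are first-match, then redirect the rest, as in the
# config posted above
# no rdr on $staff_if from $staff_if:network to <allowed>
# rdr on $staff_if inet proto tcp from $staff_if:network to any port www -> $proxy_server port 8080
```

The same expansion applies to negated lists in filter rules, which is why the FAQ warns against `! { a, b }` generally; with a one-entry table such as B. Cook's `noproxy` there is nothing to expand, so it behaves as Travis describes.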