From owner-freebsd-pf@FreeBSD.ORG Sun Sep 19 02:40:08 2004
Message-ID: <414CF186.5030006@dequim.ist.utl.pt>
Date: Sun, 19 Sep 2004 03:40:06 +0100
From: Bruno Afonso
To: Hugo Silva
cc: freebsd-pf@freebsd.org
In-Reply-To: <62540.81.84.174.8.1095536731.squirrel@81.84.174.8>
Subject: Re: pf not logging on 5.3-BETA3 ? [more info]
List-Id: Technical discussion and general questions about packet filter (pf)

Hugo Silva wrote:
> I didn't have the _pflogd user!
> Shouldn't this user be automagically created when I added pf to the kernel?

I was expecting that (see previous msg from me). "mergemaster -p" should let you know about the new user, but it doesn't, and I fail to understand why. See /usr/src/etc/master.passwd.

BA
-- 
Bruno Afonso
http://dequim.ist.utl.pt/~bruno/sciTocs/ - Bruno's SciTocs!
http://freebsd-pt.org/forum/ - Portuguese FreeBSD forum

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 19 10:03:26 2004
Message-ID: <414D5858.2030709@authtec.net>
Date: Sun, 19 Sep 2004 17:58:48 +0800
From: sam
To: freebsd-pf@freebsd.org
Subject: Latest PF patch failed with Beta 4 Current

Hi,

The PF patch failed with the following rej file:

*************** *** 544,557 **** #else #define BRIDGE_TEST (0) /* cc will optimise the test away */ #endif /* * For a bridge, we want to check the address irrespective * of the receive interface. (This will change slightly * when we have clusters of interfaces).
*/ LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) - if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && - itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) goto match; LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && --- 550,572 ---- #else #define BRIDGE_TEST (0) /* cc will optimise the test away */ #endif + /* * For a bridge, we want to check the address irrespective * of the receive interface. (This will change slightly * when we have clusters of interfaces). + * If the interface does not match, but the recieving interface + * is part of carp, we call carp_iamatch to see if this is a + * request for the virtual host ip. + * XXX: This is really ugly! */ LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) + if ((BRIDGE_TEST || (ia->ia_ifp == ifp) + #ifdef DEV_CARP + || (ifp->if_carp + && carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr)) + #endif + ) && itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) goto match; LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && *************** *** 566,579 **** ia = ifatoia(ifa); goto match; } /* * If bridging, fall back to using any inet address. */ if (!BRIDGE_TEST || (ia = TAILQ_FIRST(&in_ifaddrhead)) == NULL) goto drop; match: myaddr = ia->ia_addr.sin_addr; - if (!bcmp(ar_sha(ah), IF_LLADDR(ifp), ifp->if_addrlen)) goto drop; /* it's from me, ignore it. */ if (!bcmp(ar_sha(ah), ifp->if_broadcastaddr, ifp->if_addrlen)) { log(LOG_ERR, --- 581,597 ---- ia = ifatoia(ifa); goto match; } + /* * If bridging, fall back to using any inet address. */ if (!BRIDGE_TEST || (ia = TAILQ_FIRST(&in_ifaddrhead)) == NULL) goto drop; match: + if (!enaddr) + enaddr = (u_int8_t *)IF_LLADDR(ifp); myaddr = ia->ia_addr.sin_addr; + if (!bcmp(ar_sha(ah), enaddr, ifp->if_addrlen)) goto drop; /* it's from me, ignore it. */ if (!bcmp(ar_sha(ah), ifp->if_broadcastaddr, ifp->if_addrlen)) { log(LOG_ERR, sam. 
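Review bot: In the first hunk (544,557), `&isaddr` and `&enaddr` are passed to carp_iamatch() inside the LIST_FOREACH condition, but no declaration of `enaddr` appears in the hunk, so confirm that the rest of the patch adds it to the function's locals and initialises it to NULL; the second hunk's `if (!enaddr)` otherwise tests an indeterminate pointer whenever DEV_CARP is undefined or carp_iamatch() never ran. The `#ifdef DEV_CARP` lines spliced into the middle of the `if` condition are what the added `XXX: This is really ugly!` comment refers to; a small static helper that returns the match result (with the `#ifdef` around its body) would keep the condition readable. Typo in the added comment: "recieving" should be "receiving". Since this is a .rej file, the context lines 544-557 (the BRIDGE_TEST #else/#endif block and the two LIST_FOREACH loops) did not match the BETA4 tree; check whether that tree already carries the CARP change before applying the hunk by hand.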
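Review bot: In the second hunk (566,579), `if (!enaddr) enaddr = (u_int8_t *)IF_LLADDR(ifp);` at the `match:` label makes the following `bcmp(ar_sha(ah), enaddr, ifp->if_addrlen)` compare the ARP sender hardware address against either the interface's own link-layer address or whatever carp_iamatch() stored through `&enaddr` in the first hunk, so the "it's from me, ignore it" drop now also covers a CARP virtual host's address; that relies on the store happening only on a match, which the visible lines imply but do not show, so a one-line comment at the assignment stating that contract would help the next reader. The removed `-` line and the added `+` line differ only in the second bcmp() argument, so when applying this rejected hunk manually only that argument and the two `if (!enaddr)` lines need to go in, provided the local file still has the `match:` label and the `goto drop;` that follow it.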
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 20 21:06:25 2004
Message-ID: <3115A3AD0B2015CD92858115@[172.30.11.6]>
Date: Mon, 20 Sep 2004 14:06:22 -0700
From: OpenMacNews
To: freebsd-pf
Subject: does (can?) freebsd-pf 'support' OSX?

hi all,

i've a couple of old macs i'd like to turn into useful gateway/firewall boxes. they're running MacOSX 10.3.5 just fine. but, with OSX, i'm stuck with ipfw -- v1, no less!

if my goal is a decent firewall, i understand my options to be pf & iptables. to get to either, i can, of course, fight to get the openbsd, netbsd, freebsd, YelloDogLinux and/or Debian ports running on the box ... but given the h/w upgrades i have (ATA card, CPU upgrade) it doesn't look good.
soooooo, my QUESTION to y'all:

as OSX "shares" underpinnings with FreeBSD -- some go so far as to say "built on", but i get lost in the Mach vs FreeBSD core discussions -- I'm wondering if it's (a) currently possible, or (b) what would it take to get the freebsd-pf port up/running on OSX?

is it a foregone conclusion that pf is/must be built in to the kernel? or can it be built as an extension to OSX?

i simply am too green to know/understand the answer at this point, and would appreciate any/all pointers/comments/etc. =)

fwiw, i've raised this issue on the Darwin kernel & developer lists a number of times over the past months-n-years to no avail ... the best i ever got was a "we're looking at firewalls" from someone, and the leaning, at that time, was towards ipfw2.

bottom line? how can i get pf running on OSX?

cheers,
richard

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 22 08:35:48 2004
Message-ID: <17ADEEA751BECDA6D731D3DB@[172.30.11.6]>
Date: Wed, 22 Sep 2004 01:35:44 -0700
From: OpenMacNews
To: freebsd-pf
cc: "Christopher D. Lewis"
References: <3115A3AD0B2015CD92858115@[172.30.11.6]>
Subject: Re: does (can?) freebsd-pf 'support' OSX?

Chris,

> And the last time I broached firewalls with an Apple employee he scoffed at the idea that BSD needed more than the ipfw in old FreeBSD, seeing no point to ipf, pf, etc. and deeming the projects wastes of time.

my experience(s) with them on darwin-kernel, and elsewhere -- oh heck, everywhere! -- has been ... er ... less than rewarding ... as well.

i'd point you to the old, relevant threads, but they've changed the lists so that they're no longer searchable -- at least until the new-format lists are crawled. cref:

>> if my goal is a decent firewall, i understand my options to be pf &
>> iptables.
>
> If you want stateful packet filtering,

i do

> and you actually intend to make sure the sequence numbers are examined rather than just pass packets from hosts which you've previously sent an ack,

my recent experience with iptables has exposed me to all sorts of attacks from my many apparent 'fiends' in China trying to punch holes in this issue ...

> I gather you really have only pf and ipf to think on, and with pf apparently blowing past ipf, pf is apparently your man. And there are questions lingering perhaps over the license in ipf, so ... pf.

clear. it's what i thought. thx!

> OpenBSD offers pf native, and when you say "old macs" you need to make sure you're discussing macs with open firmware to get OpenBSD installed.

there are, apparently, some stories of success on OldWorld macs that have been CPU upgraded -- as mine has. but, sketchy at best.

> I've not attempted a PowerPC FreeBSD install and I'm not sure if it's even possible. When I last looked, I found no evidence of PowerPC installers for the OS. It appeared x86-only.

well, there *is* here ...
but a little "dusty" it seems

>> soooooo, my QUESTION to y'all:
>
> There's not a binary you can drop in now to make pf run in Darwin. You would need to port it, as the FreeBSD folk are doing here to get pf running on their OS of choice.

understood.

>> is it a foregone conclusion that pf is/must be built in to the kernel?
>> or can it be built as an extension to OSX?
>
> If you look, you'll see ipfw is actually implemented in Darwin as a .kext (Kernel Extension). Thus, it's loadable and in theory replaceable.

yup. got to this as well ...

>> fwiw, i've raised this issue on the Darwin kernel & developer lists a
>> number of times over the past months-n-years to no avail ...
>
> I'll see if I can find my exchange with Apple's current open source guru, it was depressing both from the standpoint of (lack of likelihood of) progress, and from the standpoint that the guy, whatever his good points, didn't seem to perceive that there was actually a difference between the firewall solutions. New solutions aren't dreamed up because people like work, they're dreamed up because there's a need. He thought all subsequent firewall projects were a waste of good coding time, I say this not to make a mockery of his position, but because he said as much.

their attitudes are "challenging" at best ... and i'm one of their biggest FANS! which is why i've given up on them. i do not believe that Apple can, or for that matter, should be depended on to move their box to the "cutting edge" of functionality, which is where i perceive pf to be, but rather to develop good mass-market boxes, and a good opensource core that we can build on if/when/how we need to.

>> bottom line? how can i get pf running on OSX?
>
> porting pf, authpf, carp, etc. to Darwin would be well-received,

that's the feeling i've gotten ...

> but not trivial.

that too. :-S

> Also, the MacOS X GUI would have no idea how to handle it.

doesn't need to, IMHO.
fwbuilder2 (http://www.fwbuilder.com) meets all my GUI & back-end firewall needs for Win, Mac or *NIX on iptables, pf & ipfw.

> The best way to get it into a real distribution may be to work to mainstream pf in FreeBSD so it's picked up in the next code synch.

i'm honestly not certain what that entails, or how to go about it ... (yet)

> Authpf offers security you simply can't get from other solutions, opening ports only to your authenticated users' IP addresses. If you want a dedicated firewall, then the failover solutions are looking interesting. Frankly, my frustration with Darwin is leading me to a Soekris box . . . the question is merely when I'll throw up my hands with my current solution and do it.

thanks for your input!

> Take care,

Likewise,
Richard

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 23 09:50:29 2004
Message-Id: <20040923095026.F3DD167EF1@gunfright.epcdirect.co.uk>
Date: Thu, 23 Sep 2004 10:50:27 +0100
From: "Lawrence Farr"
Subject: Bridging

I'm trying to get bridging with filtering to work on 5.3B5, and can't seem to get pf to filter anything on the bridged interface. Should there be a net.link.ether.bridge.pf sysctl? I have the following two rules as a test:

block drop log on fxp3 all
block return quick on fxp3 proto tcp from any to any port = http

fxp3 being the bridge interface. The traffic gets through unfiltered. Am I just missing something obvious?

Regards,

Lawrence Farr

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 23 10:20:18 2004
Message-ID: <20040923101936.GA13003@kt-is.co.kr>
Date: Thu, 23 Sep 2004 19:19:36 +0900
From: Pyun YongHyeon
To: Lawrence Farr
References: <20040923095026.F3DD167EF1@gunfright.epcdirect.co.uk>
cc: freebsd-pf@freebsd.org
Subject: Re: Bridging

On Thu, Sep 23, 2004 at 10:50:27AM +0100, Lawrence Farr wrote:
> I'm trying to get bridging with filtering to work on 5.3B5,
> and can't seem to get pf to filter anything on the bridged
> interface. Should there be a net.link.ether.bridge.pf
> sysctl? I have the following two rules as a test:
>

Last time I saw the bridge code, pf's filtering function was only called on inbound packets. I guess this was for ipfw's optimization, since ipfw can create a state with inbound traffic. However both pf and ipf should see inbound/outbound packets in order to create a *real* state. At present, if you want to filter in bridge environments you can do filtering without creating states for inbound traffic.

Patching the bridge code to make pf/ipf see inbound/outbound is trivial. But it is not sufficient for pf to function correctly. (bridge(4) should be taught to handle fragmentation since pf can reassemble fragmented IP datagrams with scrub rules.)

Personally I think an OID like net.link.ether.bridge.pf is not needed since pf can enable/disable its running state with pfctl(8). (ipfw had no such capability) There are plans to improve the current situation in bridge environments, but it's not for 5.3R.

> block drop log on fxp3 all
> block return quick on fxp3 proto tcp from any to any port = http
>
> fxp3 being the bridge interface. The traffic gets through
> unfiltered. Am I just missing something obvious?
>
> Regards,
>
> Lawrence Farr
>

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 24 04:44:50 2004
Message-Id: <200409240643.53160.max@love2party.net>
Date: Fri, 24 Sep 2004 06:43:46 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
cc: csjp@freebsd.org
Subject: Looking for brave testers ...

Hi all,

I am looking for brave women and men to test the unexplored depth of a shared lock for pf. This will allow for "even more parallelism" in the network code.
As a small benefit you also get rid of a LOR that is suspected to cause deadlocks.

So what must be tested?
http://people.freebsd.org/~mlaier/MEGA_DIFF_WITH_IPFW_AND_PF_SHARED_LOCK.diff

That monster of a patch is a joint work of Christian S.J. Peron (csjp@) and myself. It modifies pfil_hooks to pass a struct inpcb. This is used to forward the *inp - that is handed to ip_output() for local sends - to the pfil consumers. This avoids a lookup and a LOR (caused by the lookup). It also changes IPFW and PF to use a shared/exclusive lock for the "rules". This allows more than one packet in the ruleset evaluation at a time ...

How to test:
1) Get the patch, apply and install a kernel with it. Note that this breaks the ABI for pfctl and friends. So make sure you rebuild and -install pfctl(8) at least.
2) Run the patched kernel on:
 - SMP hardware (p4 HT is fine)
 - with debug.mpsafenet=1
 - with MPSAFE NICs
 - with a bunch of user/group rules.

This is very, very ... very raw yet! IPFW is not ready in this version. Christian will post a version on freebsd-ipfw@, I guess.

Nonetheless, please test the pf part and give me feedback. I have it running fine on my router/gateway with ftp-proxy etc. ... so it can't be too bad. If you crash please try to get as much information as possible. Make sure you have WITNESS in the kernel.

THANKS IN ADVANCE!
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 24 05:09:32 2004
Message-ID: <4153ABDA.4020007@authtec.net>
Date: Fri, 24 Sep 2004 13:08:42 +0800
From: sam
To: Max Laier
cc: csjp@freebsd.org
cc: freebsd-pf@freebsd.org
In-Reply-To: <200409240643.53160.max@love2party.net>
Subject: Re: Looking for brave testers ...

Max Laier wrote:

> Hi all,
>
> I am looking for brave women and men to test the unexplored depth of a shared
> lock for pf. This will allow for "even more parallelism" in the network
> code. As a small benefit you also get rid of a LOR that is suspected to cause
> deadlocks.
>
> So what must be tested?
> http://people.freebsd.org/~mlaier/MEGA_DIFF_WITH_IPFW_AND_PF_SHARED_LOCK.diff
>
> That monster of a patch is a joint work of Christian S.J. Peron (csjp@) and
> myself. It modifies pfil_hooks to pass a struct inpcb. This is used to
> forward the *inp - that is handed to ip_output() for local sends - to the
> pfil consumers. This avoids a lookup and a LOR (caused by the lookup). It
> also changes IPFW and PF to use a shared/exclusive lock for the "rules". This
> allows more than one packet in the ruleset evaluation at a time ...
>
> How to test:
> 1) Get the patch, apply and install a kernel with it. Note that this breaks
> the ABI for pfctl and friends. So make sure you rebuild and -install pfctl(8) at
> least.
> 2) Run the patched kernel on:
>  - SMP hardware (p4 HT is fine)
>  - with debug.mpsafenet=1
>  - with MPSAFE NICs
>  - with a bunch of user/group rules.
>
> This is very, very ... very raw yet! IPFW is not ready in this version.
> Christian will post a version on freebsd-ipfw@, I guess.
>
> Nonetheless, please test the pf part and give me feedback. I have it running
> fine on my router/gateway with ftp-proxy etc. ... so it can't be too bad. If
> you crash please try to get as much information as possible. Make sure you
> have WITNESS in the kernel.
>
> THANKS IN ADVANCE!

I assumed that executing "make release ...." in the /usr/src/release directory after installing this patch in my own source tree (e.g.
/bdata/ncvs/src) should make a new release containing this change. I need to test this in another machine or in a VMware machine to avoid disturbing my production work.

Thanks for your great work.

Sam

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 24 22:37:54 2004
Message-ID: <20040924223754.GA86799@freefall.freebsd.org>
Date: Fri, 24 Sep 2004 22:37:54 +0000
From: "Christian S.J. Peron"
To: hackers@freebsd.org
cc: ipfw@freebsd.org
cc: freebsd-pf@freebsd.org
Subject: fixes for ipfw and pf lock ordering issues

Good day folks, we need some beta testers

Currently, those who utilize ucred based firewalling, i.e. firewall rules which match based on UID, GID or JAIL ID, are subject to lock order problems which often result in the system hard locking. (when giant is not present ...
debug.mpsafenet=1).

This problem affects all FreeBSD firewalls which implement ucred based matching, namely ipfw and pf. The lock order problem exists due to a layering violation which occurs when the IP stack attempts to acquire locks within lower level stacks such as UDP and TCP.

Max Laier (mlaier@) and myself have been working together to solve this problem. Together we have generated a set of diffs which do the following:

o Add a pointer to a PCB to pfil_hooks
o Modify the existing pfil_hooks API to handle this extra argument
o Modify the pf and ipfw firewalls to utilize this extra argument so that lookups on local outbound TCP and UDP traffic can be deactivated (removing the requirement for holding INP locks, which was a primary suspect for these lock ordering issues).
o Implement a shared locking mechanism for firewall rule chain protection

The intended results of these changes are:

1) Remove the lock ordering issues which result in system hard locks
2) Avoid redundant PCB lookup overhead, improving the overall performance of ucred based rule sets
3) Improve network and firewall parallelism: shared locks give the OS the ability to run multiple evaluation or rule check activations concurrently, which should increase the overall network throughput on devices which have ipfw or pf firewalls enabled (regardless of whether or not these rules contain ucred based constraints).

If anyone could help us test these changes that would be great:

download: http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

cd /usr/src/sys
fetch http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff
patch < inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

Recompile your kernel and any related pf or ipfw modules
add some user/group/jail based firewall rules

Remember, these are pretty beta so ... be gentle :)

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

From owner-freebsd-pf@FreeBSD.ORG Fri Sep 24 22:57:06 2004
Message-Id: <200409250056.10275.max@love2party.net>
Date: Sat, 25 Sep 2004 00:55:55 +0200
From: Max Laier
To: "Christian S.J. Peron"
cc: bz@freebsd.org
cc: hackers@freebsd.org
cc: ipfw@freebsd.org
cc: freebsd-pf@freebsd.org
In-Reply-To: <20040924223754.GA86799@freefall.freebsd.org>
Subject: Re: fixes for ipfw and pf lock ordering issues

On Saturday 25 September 2004 00:37, Christian S.J. Peron wrote:
> Good day folks, we need some beta testers
>
> Currently, those who utilize ucred based firewalling, i.e. firewall
> rules which match based on UID, GID or JAIL ID are subject to lock order
> problems which often results in the system hard locking. (when giant
> is not present ... debug.mpsafenet=1).
>
> This problem affects all FreeBSD firewalls which implement ucred based
> matching, namely ipfw and pf. The lock order problem exists due to a
> layering violation which occurs when the IP stack attempts to acquire
> locks within lower level stacks such as UDP and TCP.

For the record [just realized that we forgot]: Talking about LOR id 14-17 ...

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From: AndygreenNet@netscape.net
To: freebsd-pf@freebsd.org
Date: Sat, 25 Sep 2004 00:08:31 -0400
Subject: Can't access rsh listen on lo0
Message-ID: <3DF5ED57.7064152C.0C457E44@netscape.net>

Hello freebsd-pf,

Help me please.

I have:
FreeBSD 5_2_1
pf-freebsd-2.03

I tried to access rsh listening on lo0.
The connection is interrupted with the messages:
rsh: Connection timeout;
or
rsh: Connection reset by peer.

My pf.conf:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="{ vlan1, fxp2 }"                 # replace with actual external interface name i.e., dc0
int_if="fxp0"                            # replace with actual internal interface name i.e., dc1
ext_bridge_if="{ vlan0, vlan2, vlan3 }"
int_bridge_if="{ xl0, vlan4, vlan5 }"
internal_net_TTK="62.33.196.128/25"
internal_net_RT_COMM="213.59.235.120/29"
external_addr_TTK="62.33.196.254"
external_addr_RT_COMM="213.59.128.130"
restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023 }"
allow_udp_ports="{ domain, > 1023 }"
ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/usr/local/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# spamd-setup puts addresses to be redirected into table .
table persist
no rdr on lo0 from any to any
rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

# Filtering: external interfaces
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports

# Filtering: external bridge interfaces
block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in quick on $ext_bridge_if $ARP_in
pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
pass out quick on $ext_bridge_if $ARP_out
pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any

# Filtering internal interfaces with keep state, logging blocked packets.
block in log on $int_if all
pass in quick on $int_if $ARP_out keep state
pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state

# Filtering internal bridge interfaces with keep state, logging blocked packets.
block in log on $int_bridge_if all
pass in quick on $int_bridge_if $ARP_out keep state
pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state

Where was I mistaken?

-- 
Best regards,
A. Kochetkoff                          mailto:andrews@mtelecom.chita.ru
From owner-freebsd-pf@FreeBSD.ORG Sat Sep 25 16:58:26 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Sat, 25 Sep 2004 18:57:18 +0200
cc: AndygreenNet@netscape.net
Subject: Re: Can't access rsh listen on lo0
Message-Id: <200409251857.29746.max@love2party.net>
In-Reply-To: <3DF5ED57.7064152C.0C457E44@netscape.net>

On Saturday 25 September 2004 06:08, AndygreenNet@netscape.net wrote:
> Hello freebsd-pf,
>
> Help me please.
>
> I have:
> FreeBSD 5_2_1
> pf-freebsd-2.03

First of all ... to *everybody*: If you want a production-use box with pf,
please move to a 5.3-BETA installation and get pf out of the box. If you are
worried about stability, set debug.mpsafenet=0 (PREEMPTION and ULE are off by
default). You won't regret it!

> I tried to access rsh listening on lo0.
> The connection is interrupted with the messages:
> rsh: Connection timeout;
> or
> rsh: Connection reset by peer.

That is a fairly complicated ruleset you have there; I have some trouble
reading it. But you might want to try the following:

> My pf.conf:
>
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="{ vlan1, fxp2 }"                 # replace with actual external interface name i.e., dc0
> int_if="fxp0"                            # replace with actual internal interface name i.e., dc1
> ext_bridge_if="{ vlan0, vlan2, vlan3 }"
unfiltered="{ lo0 }"
> int_bridge_if="{ xl0, vlan4, vlan5 }"
> internal_net_TTK="62.33.196.128/25"
> internal_net_RT_COMM="213.59.235.120/29"
> external_addr_TTK="62.33.196.254"
> external_addr_RT_COMM="213.59.128.130"
> restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
> allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023 }"
> allow_udp_ports="{ domain, > 1023 }"
> ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
> ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/usr/local/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # spamd-setup puts addresses to be redirected into table .
> table persist
> no rdr on lo0 from any to any
> rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

#Allow loopback and friends
pass quick on $unfiltered

> # Filtering: external interfaces
> block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
> pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
> pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>
> # Filtering: external bridge interfaces
> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in quick on $ext_bridge_if $ARP_in
> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
> pass out quick on $ext_bridge_if $ARP_out
> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>
> # Filtering internal interfaces with keep state, logging blocked packets.
> block in log on $int_if all
> pass in quick on $int_if $ARP_out keep state
> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
> pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state
>
> # Filtering internal bridge interfaces with keep state, logging blocked packets.
> block in log on $int_bridge_if all
> pass in quick on $int_bridge_if $ARP_out keep state
> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state
>
> Where was I mistaken?

Not sure ... $pfctl -vsr and pflog0 may tell you.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
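The suggestion above (an explicit "pass quick" for lo0 placed before everything else) rests on how pf picks a verdict: rules are walked top to bottom, the last matching rule wins, a matching rule marked "quick" ends the walk, and a packet that matches no rule at all gets pf's implicit default, which is pass. The following is an added example written for this thread, not code from pf or from either poster: a small Python model of that evaluation order with a parser for just the slice of pf.conf syntax the posted ruleset uses (macros, "{ a, b }" lists, service names, "> 1023" port entries, "keep state"). The ruleset it loads is a condensed copy of the one posted, the packets and the addresses 198.51.100.7 and 10.9.8.7 are constructed for the example, and the /etc/services subset is assumed. It models no state table, scrub or rdr, so it cannot reproduce the poster's actual rsh failure, which the thread leaves open; what it shows is that nothing in the posted rules ever matches lo0, and what the "pass quick on $unfiltered" line changes.

```python
"""Toy model of pf rule evaluation for the thread above (added example, not pf
code): the last matching rule wins, 'quick' ends the walk, no match means pass."""
import ipaddress
import re

SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443, "shell": 514}

def _split_list(tok):                 # '{ a, b }' -> ['a', 'b'],  'a' -> ['a']
    return [t.strip() for t in tok.strip("{} ").split(",")] if tok.startswith("{") else [tok]

def parse_rule(line):
    """Parse one macro-expanded block/pass rule into its match fields."""
    toks = iter(re.findall(r"\{[^}]*\}|\S+", line))     # '{ a, b }' stays one token
    r = {"action": next(toks), "dir": None, "quick": False, "ifaces": None,
         "proto": None, "src": (None, None), "dst": (None, None)}
    end = "src"
    for t in toks:
        if t in ("in", "out"):
            r["dir"] = t
        elif t == "quick":
            r["quick"] = True
        elif t in ("on", "proto"):
            r["ifaces" if t == "on" else "proto"] = _split_list(next(toks))
        elif t in ("from", "to"):
            end = "src" if t == "from" else "dst"
            r[end] = (_split_list(next(toks)), None)
        elif t == "port":                                 # belongs to the last from/to
            r[end] = (r[end][0], _split_list(next(toks)))
        elif t in ("icmp-type", "keep"):                  # skip the type list / 'state'
            next(toks)
        # 'log', 'inet' and 'all' add no match information in this model
    return r

def _addr_ok(spec, ip):
    return spec is None or "any" in spec or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False) for s in spec)

def _port_ok(spec, port):
    if spec is None:
        return True
    for s in spec:
        m = re.match(r"([<>]=?)\s*(\d+)$", s)              # '> 1023' style list entries
        if m and {"<": port < int(m[2]), ">": port > int(m[2]),
                  "<=": port <= int(m[2]), ">=": port >= int(m[2])}[m[1]]:
            return True
        if not m and port == SERVICES.get(s, int(s) if s.isdigit() else -1):
            return True
    return False

def load(conf):
    """Expand macros and return [(rule text, parsed rule)] in file order."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'(\w+)="([^"]*)"$', line)
        if m:
            macros[m[1]] = m[2]
        elif line.startswith(("block ", "pass ")):
            line = re.sub(r"\$(\w+)", lambda mm: macros[mm[1]], line)
            rules.append((line, parse_rule(line)))
    return rules

def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule, or None if nothing matched)."""
    verdict, decided_by = "pass", None                     # pf's implicit default
    for text, r in rules:
        if ((r["dir"] is None or r["dir"] == pkt["dir"])
                and (r["ifaces"] is None or pkt["iface"] in r["ifaces"])
                and (r["proto"] is None or pkt["proto"] in r["proto"])
                and _addr_ok(r["src"][0], pkt["src"]) and _port_ok(r["src"][1], pkt["sport"])
                and _addr_ok(r["dst"][0], pkt["dst"]) and _port_ok(r["dst"][1], pkt["dport"])):
            verdict, decided_by = r["action"], text        # last match wins ...
            if r["quick"]:                                 # ... unless it says quick
                break
    return verdict, decided_by

# Constructed for this example: a condensed copy of the ruleset posted above.
RULESET = """
ext_if="{ vlan1, fxp2 }"
int_if="fxp0"
internal_net_TTK="62.33.196.128/25"
restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
allow_tcp_ports="{ ssh, smtp, domain, http, https, > 1023 }"
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
block in log on $int_if all
pass in quick on $int_if inet proto tcp from $internal_net_TTK port $allow_tcp_ports to any keep state
"""
# The same ruleset with Max Laier's suggestion from the reply above placed first.
RULESET_LO0 = 'unfiltered="{ lo0 }"\npass quick on $unfiltered\n' + RULESET

# Constructed packets; 198.51.100.7 and 10.9.8.7 are made-up test addresses.
PACKETS = {
    "rsh_lo0":    dict(iface="lo0",   dir="in", proto="tcp", src="127.0.0.1",     sport=1023,  dst="127.0.0.1",     dport=514),
    "smb_ext":    dict(iface="vlan1", dir="in", proto="tcp", src="198.51.100.7",  sport=40000, dst="62.33.196.254", dport=445),
    "lan_http":   dict(iface="fxp0",  dir="in", proto="tcp", src="62.33.196.130", sport=40000, dst="198.51.100.7",  dport=80),
    "rogue_http": dict(iface="fxp0",  dir="in", proto="tcp", src="10.9.8.7",      sport=40000, dst="198.51.100.7",  dport=80),
}

def verdicts(conf=RULESET):
    rules = load(conf)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}
```

Calling verdicts() gives the rsh packet on lo0 a verdict of pass with no deciding rule, because no rule in the posted configuration names lo0; verdicts(RULESET_LO0) shows it decided by "pass quick on { lo0 }" before any other rule is consulted. The other three packets show the two ordering effects at work: the SMB probe on vlan1 is stopped by the first "block ... quick", and on fxp0 the leading "block in log" is overridden by the later "pass in quick" only for a source inside 62.33.196.128/25, so the 10.9.8.7 packet stays blocked. On a real box the same questions are answered by the commands named in the reply: "pfctl -vsr" prints the loaded rules with their evaluation and match counters, and "tcpdump -n -e -ttt -i pflog0" shows which logged rule dropped a packet.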