From owner-freebsd-pf@FreeBSD.ORG Sun Oct 17 23:02:25 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Mon, 18 Oct 2004 01:01:42 +0200
Message-Id: <200410180101.48611.max@love2party.net>
Subject: Plans for 6-CURRENT and 5-STABLE

All,

[Attention: Long mail - lot of babbling]

now that RELENG_5_3 has been cut and FreeBSD 5.3 - the first release to ship with PF - is about to leave the door, it's time to talk about the future direction of PF development within FreeBSD. I'd like to share some of the plans I have in mind and the anticipated schedule for them.

One of the more serious problems we have to address is how (and if) we stay in sync with OpenBSD. As far as I understand it is suggested not to change any kernel <-> userland API/ABI during a -STABLE cycle. This effectively means that we can *not* track OpenBSD releases in -STABLE since they tend to change API/ABI a lot. I think, however, that PF as of OpenBSD 3.5 (the one we have now as part of 5-STABLE) is already very mature and will serve well for the coming <2 years until we move on to 6-STABLE.

There are some FreeBSD specific things that need improvement and clean up. This is the first task that I will work on in 6-CURRENT starting from now. Most prominently this includes the interface handling. There are some open problems to be addressed, such as the inability to recognize renamed interfaces as well as problems around 6to4. The hotfix for the interface renaming that I posted here a while ago (and was not tested :-( ) causes some problems with unloading the module and hence has not been committed. There is some more fundamental cleaning to be done in that part of the code.

Together with the cleaning I will address the way we handle the PF modules at the moment. It should be possible to load pflog/pfsync as individual modules. It is yet unclear if that is possible without impacts on the performance so we will consider this very carefully.

Another big thing on the plate now is a shared/exclusive lock semantic for the ruleset evaluation. This will not only speed things up by quite a bit, but will also resolve the requirement to run with mpsafenet=0 if one wants to use user/group based filter rules. Preliminary patches have been on the list some time ago, but there are serious shortcomings and we will have to take this back to the blueprint planning to make it as good as we want it to be.

All these projects will be merged into 5-STABLE once they have proven in HEAD.

Other than that, we will resume tracking OpenBSD releases once (some of) the above tasks have been completed. If we catch up on OpenBSD 3.6 in HEAD it will only complicate the testing of these changes. At the same time we will start to work on some FreeBSD specific features, but this has a low(er) priority for the moment. It seems that pf development has reached a point of maturity and will not gain too many new features in the next releases of OpenBSD. There are some interesting cleanups and improvements of existing infrastructure, but the main capabilities seem to have settled.

Thanks for reading so far, please let me know your thoughts, concerns and questions.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 04:31:07 2004
Message-Id: <20041018043106.57778.qmail@web53907.mail.yahoo.com>
Date: Sun, 17 Oct 2004 21:31:06 -0700 (PDT)
From: stheg olloydson
To: freebsd-pf@freebsd.org
Subject: Re: Plans for 6-CURRENT and 5-STABLE

it was said by Max Laier on 17.10.04:

>There are some FreeBSD specific things that need improvement and clean
>up. This is the first task that I will work on in 6-CURRENT starting
>from now.
>
>Most prominently this includes the interface handling. There are some
>open problems to be addressed, such as the inability to recognize
>renamed interfaces as well as problems around 6to4.

Does this include improvements in bridging? I saw your comments in a reply to this list 15.10.04. on this issue that vast improvements to FBSD's bridging support are needed to enable use of all of pf's features. While I am not using bridging now, I will need to set it up in six months or so.

>Another big thing on the plate now, is a shared/exclusive lock semantic
>for the ruleset evaluation. This will not only speed things up by quite
>a bit, but will also resolve the requirement to run with mpsafenet=0 if
>one wants to use user/group based filter rules.

How badly does this impact now? This is a feature I have been looking forward to using.

>All these projects will be merged into 5-STABLE once they have proven in HEAD.

Will they be merged to 5-RELEASE, as well? I prefer not to track STABLE.

>Thanks for reading so far, please let me know your thoughts, concerns and questions.

You're welcome. And thank you for your efforts in bringing pf over from OpenBSD! One final question: Considering the inevitable loss of sync with the OBSD version, is separate FreeBSD-centric documentation planned? I ask because currently all docs are done by OBSD people, as far as I can tell. (I'd be willing to try my hand at this if someone doesn't mind my asking a lot of questions.)

Thanks again,
Stheg

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 11:03:41 2004
Date: Mon, 18 Oct 2004 11:03:40 GMT
Message-Id: <200410181103.i9IB3eew049725@freefall.freebsd.org>
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2004/10/08] kern/72444   pf    PF can't properly detect interface after

1 problem total.

Non-critical problems

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 11:53:51 2004
From: Max Laier
To: stheg olloydson
Cc: freebsd-pf@freebsd.org
Date: Mon, 18 Oct 2004 13:53:16 +0200
In-Reply-To: <20041018043106.57778.qmail@web53907.mail.yahoo.com>
Message-Id: <200410181353.24464.max@love2party.net>
Subject: Re: Plans for 6-CURRENT and 5-STABLE
On Monday 18 October 2004 06:31, stheg olloydson wrote:
> it was said by Max Laier on 17.10.04:
> >There are some FreeBSD specific things that need improvement and clean
> >up. This is the first task that I will work on in 6-CURRENT starting
> >from now.
> >
> >Most prominently this includes the interface handling. There are some
> >open problems to be addressed, such as the inability to recognize
> >renamed interfaces as well as problems around 6to4.
>
> Does this include improvements in bridging? I saw your comments in a
> reply to this list 15.10.04. on this issue that vast improvements to
> FBSD's bridging support are needed to enable use of all of pf's
> features. While I am not using bridging now, I will need to set it up
> in six months or so.

No. Bridging is a completely different story. I'd welcome an import of if_bridge from Net/OpenBSD, but I will not have time to pursue this. There was an effort to do so, but - unfortunately - I lost track of it. People interested should find it in the -current or -net archives.

> >Another big thing on the plate now, is a shared/exclusive lock semantic for
> >the ruleset evaluation. This will not only speed things up by quite a bit,
> >but will also resolve the requirement to run with mpsafenet=0 if one wants
> >to use user/group based filter rules.
>
> How badly does this impact now? This is a feature I have been looking
> forward to using.

Largely depends on your workload, hardware and so forth. If you have - for example - a fairly heavily loaded MySQL on a 4way Xeon box, you'd want to run with mpsafenet=1 (and hence avoid using user/group rules). On a UP box it should not matter.

> >All these projects will be merged into 5-STABLE once they have proven in
> >HEAD.
>
> Will they be merged to 5-RELEASE, as well? I prefer not to track
> STABLE.

There is no such thing as 5-RELEASE. RELENG_5_3 (which you might be confusing here) is solely for merging security fixes. All other changes go to RELENG_5 (aka 5-STABLE) and become part of the *next* release.

> > Thanks for reading so far, please let me know your thoughts, concerns and
> > questions.
>
> You're welcome. And thank you for your efforts in bringing pf over from
> OpenBSD! One final question: Considering the inevitable loss of sync
> with the OBSD version, is separate FreeBSD-centric documentation
> planned? I ask because currently all docs are done by OBSD people, as
> far as I can tell. (I'd be willing to try my hand at this if someone
> doesn't mind my asking a lot of questions.)

The firewall chapter of the Handbook is being revised to give some information about PF as well. This will link to the OpenBSD PF-FAQ - an extraordinary piece of documentation - for now. Depending on "how bad" we diverge from OpenBSD we will either maintain our own version of the FAQ or (more likely) describe the "delta" between Open- and FreeBSD's PF in the handbook's firewall chapter and continue to reference the FAQ. At the moment the difference between OpenBSD 3.5 PF and FreeBSD 5.3 PF is negligible.

But of course, you are more than welcome to read the existing documentation, to identify problems and differences and eventually provide solutions. Asking questions is not a problem either.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 18 17:07:12 2004
Message-Id: <20041018170711.51626.qmail@web53910.mail.yahoo.com>
Date: Mon, 18 Oct 2004 10:07:10 -0700 (PDT)
From: stheg olloydson
To: freebsd-pf@freebsd.org
In-Reply-To: <200410181353.24464.max@love2party.net>
Subject: Re: Plans for 6-CURRENT and 5-STABLE

--- Max Laier wrote:
>No. Bridging is a completely different story. I'd welcome an import
>of if_bridge from Net/OpenBSD, but I will not have time to pursue this.
>There was an effort to do so, but - unfortunately - I lost track of it.
>People interested should find it in the -current or -net archives.

This is what I thought.
Unfortunately, doing anything about this is beyond my skill level by a goodly margin.

>Largely depends on your workload, hardware and so forth. If you have
>- for example - a fairly heavily loaded MySQL on a 4way Xeon box, you'd
>want to run with mpsafenet=1 (and hence avoid using user/group rules).
>On a UP box it should not matter.

I have some of each, so we will see :).

>There is no such thing as 5-RELEASE. RELENG_5_3 (which you might be
>confusing here) is solely for merging security fixes. All other
>changes go to RELENG_5 (aka 5-STABLE) and become part of the *next*
>release.

I should have said RELENG_5_>3. I know some things, in general, not specifically pf-related, are being held back until 6.0. I just wanted to be sure these weren't included with those.

>The firewall chapter of the Handbook is being revised to give some
>information about PF as well. This will link to the OpenBSD PF-FAQ - an
>extraordinary piece of documentation - for now. Depending on "how bad"
>we diverge from OpenBSD we will either maintain our own version of the
>FAQ or (more likely) describe the "delta" between Open- and FreeBSD's
>PF in the handbook's firewall chapter and continue to reference the
>FAQ.

Exactly my thoughts and opinions!

Thanks for your quick response. Too bad about bridging. I know that's outside your realm. In the worst case, though, I would run OpenBSD on those machines and even that may not be necessary, so really the problem is minimal.

Best Regards,
Stheg

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 19 15:57:04 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 19 Oct 2004 17:56:44 +0200
References: <200410180101.48611.max@love2party.net> <41752EAC.5060401@fid4.com>
In-Reply-To: <41752EAC.5060401@fid4.com>
Message-Id: <200410191756.45707.max@love2party.net>
Subject: Re: Plans for 6-CURRENT and 5-STABLE

On Tuesday 19 October 2004 17:11, Michael C. Cambria wrote:
> Max Laier wrote:
> > [deleted]
> >
> > One of the more serious problems we have to address is how (and if) we
> > stay in sync with OpenBSD. As far as I understand it is suggested not to
> > change any kernel <-> userland API/ABI during a -STABLE cycle. This
> > effectively means that we can *not* track OpenBSD releases in -STABLE
> > since they tend to change API/ABI a lot. I think, however, that PF as of
> > OpenBSD 3.5 (the one we have now as part of 5-STABLE) is already very
> > mature and will serve well for the coming <2 years until we will move on
> > to 6-STABLE.
>
> Can there be a port that does track OpenBSD? Those who want to stay
> close to OpenBSD on 5-Stable can then use the port.

I will try to make it possible to do a

  cvs co -rRELENG_5 src
  cvs up -dA src/contrib/pf src/sys/contrib/pf

and rebuild to obtain the latest version in a RELENG_5 tree. Building from a port and thus having to use pf as a module is nothing I'd consider a good solution.

On a sidenote: I am going to remove security/pf and security/authpf in a couple of weeks. I still see ~100 downloads per day of the *outdated* sources and want to make it a bit harder for people to use this.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 20 07:14:07 2004
Date: Wed, 20 Oct 2004 09:14:06 +0200
From: Claudiu Dragalina-Paraipan
To: freebsd-pf@freebsd.org
Subject: FTP Server behind NAT
Hello,

I am using a FTP Server behind NAT. I have problems connecting to it from a computer which is itself behind NAT.
I do know how to fix this problem at client side, by using ftp-proxy, but this is not a possible scenario.
I am looking for a way to solve this at FTP Server side (the NATing machine).
The OpenBSD PF FAQ doesn't help too much in this direction.

I encounter this situation:
- when I use active mode it tells me that it won't connect to 192.168.99.201, which is my ftp client machine, behind NAT.
- when I use passive mode, the ftp client tells me it cannot connect to 192.168.20.1, which is the internal network IP address of the FTP server.

Of course, this happens after I successfully log into the FTP server.

Hopefully someone has solved this situation.
Thank you in advance.

Best regards,
-- 
Claudiu Dragalina-Paraipan
e-mail: dr.clau@gmail.com

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 20 16:27:54 2004
Message-Id: <787dcac204102009271a97f003@mail.gmail.com>
Date: Wed, 20 Oct 2004 11:27:52 -0500
From: BB
To: freebsd-pf@freebsd.org
In-Reply-To: <200410152325.06151.max@love2party.net>
References: <20041015132212.0ED0660C3@asgard.cryptotech.net> <200410152325.06151.max@love2party.net>
Subject: Re: Installing on FreeBSD 5.2.1

cvsup stable-supfile

*default release=cvs tag=RELENG_5_3

Do we still need to put these into the kernel config and compile?

options ALTQ
options ALTQ_CBQ        # Class Based Queueing
options ALTQ_RED        # Random Early Drop
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler
options ALTQ_CDNR       # Traffic conditioner
options ALTQ_PRIQ       # Priority Queueing

Thanks
btb

On Fri, 15 Oct 2004 23:24:57 +0200, Max Laier wrote:
> On Friday 15 October 2004 15:19, Sean Preston wrote:
> > Hi
> >
> > Sorry to have to ask this. I have done a number of searches and tried to
> > figure this out but having some problems. I am running FreeBSD 5.2.1 and
> > would like to use pf with the traffic shaping stuff (altq I think) and
> > everything I read says it is a part of the base from 5.2 upwards.
>
> Where do you get that information from? ALTQ was imported June 12th 2004 into
> FreeBSD. This is quite some time after the 5.2(.1) release was cut.
>
> > What do I need to do to install it on my system because I don't seem to have
> > it as part of my base system.
>
> You need patches from rofug.ro which are outdated and you have to compile the
> pf port with special options etc. etc. ... All in all nothing you want to be
> near. I urge - once again - that everybody who is considering pf in
> productive use should move to RELENG_5 and get everything out of the box and
> in way better shape than possible in 5.2.1 + port (+ altq patches ...)
>
> > Currently my supfile uses RELENG_5_2 as the tag is this the problem? IF so
> > what should I be using. The other thing is how stable is it as I want to
> > use the system in a production environment.
>
> Don't go near it. Though it will work and is in productive use on quite a few
> big sites, I suggest everybody who wants to build a productive pf(+altq)
> system today to check out 5.3R ... the BETA releases are already much higher
> quality than the 5.2.1 (technology demo) release. There are some pending
> issues, but chances are that you will never hit them - while the chance for
> hitting something bad in 5.2.1 + pf-port + altq-patches is *way* bigger!
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 18:05:30 2004
b=UHHn45Vm/6x64aAa1DF8Fh7KQ8yhCIa6IfsbSacK0KzF9vE0ye7kUX8aFNWQ2jGvhXZCR3KoEyre5SWNr3N2gHu4+AVYFQdtVU1h3BgPaJ1/bJv8UjOuaY0XT/SM9Oa3f50zMjT7Yk7/wP/gUjINbwEISyHYvWXgJz6Rw4JThsA= Received: by 10.38.78.34 with SMTP id a34mr3727761rnb; Thu, 21 Oct 2004 11:05:29 -0700 (PDT) Received: by 10.38.14.53 with HTTP; Thu, 21 Oct 2004 11:05:29 -0700 (PDT) Message-ID: Date: Thu, 21 Oct 2004 21:05:29 +0300 From: Claudiu Dragalina-Paraipan To: freebsd-pf@freebsd.org In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: Subject: Re: FTP Server behind NAT X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Claudiu Dragalina-Paraipan List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Oct 2004 18:05:31 -0000 Hello again, in the meanwhile I found a solution: ftp can be aware of the fact that it must use another IP for passive mode connections. vsftpd option that does this is "pasv_address" and pureftpd is "ForcePassiveIP". Probably most decent ftp servers have such an option. The firewall still has the redirect the same ports to the internal ftp server for this to work. Best regards, On Wed, 20 Oct 2004 09:14:06 +0200, Claudiu Dragalina-Paraipan wrote: > Hello, > > I am using a FTP Server behind NAT. I have problems connecting to it > from a computer which is itself behind NAT. > I do know how to fix this problem at client side, by using ftp-proxy, > but this is not a possible scenario. > I am looking for a way to solve this at FTP Server side (the NATing machine). > The OpenBSD PF FAQ doesn't help too much in this direction. > > I encounter this situation: > - when I use active mode it tells me that it won't connect to > 192.168.99.201, which is my ftp client machine, behind NAT. 
> - when I use passive move, the ftp client tells me it cannot connect > to 192.168.20.1, which is the internal network IP address of the FTP > server. > > Of course, this happens after I succesfully log into the FTP server. > > Hopefully someone has solved this situation. > Thank you in advance. > > Best regards, > > -- > Claudiu Dragalina-Paraipan > e-mail: dr.clau@gmail.com > -- Claudiu Dragalina-Paraipan e-mail: dr.clau@gmail.com From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 18:29:51 2004 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A11916A4CE for ; Thu, 21 Oct 2004 18:29:51 +0000 (GMT) Received: from vsmtp2.tin.it (vsmtp2alice.tin.it [212.216.176.142]) by mx1.FreeBSD.org (Postfix) with ESMTP id A368443D2D for ; Thu, 21 Oct 2004 18:29:50 +0000 (GMT) (envelope-from rionda@gufi.org) Received: from kaiser.sig11.org (82.52.115.76) by vsmtp2.tin.it (7.0.027) id 4175094F0013764B for freebsd-pf@freebsd.org; Thu, 21 Oct 2004 20:29:50 +0200 Received: from [127.0.0.1] (localhost [127.0.0.1]) by kaiser.sig11.org (Postfix) with ESMTP id AC6EF71 for ; Thu, 21 Oct 2004 20:29:48 +0200 (CEST) From: Matteo Riondato To: freebsd-pf@freebsd.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-HMZ6/NkVh7GkzMzTphyQ" Message-Id: <1098383388.909.3.camel@kaiser.sig11.org> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Thu, 21 Oct 2004 20:29:48 +0200 Subject: Another problem with pf.. 
Sorry to bother you again, but I'm having trouble with pf:
just rebooted my machine with these lines in /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"

But if I do a

kaiser# pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
kaiser# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
kaiser#

But..my rules _are_ in /etc/pf.conf ....
but the ruleset does not get loaded.
I will give you more information on request.

Best Regards
--
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 18:46:34 2004
From: Aaron Nichols
To: rionda@gufi.org
Cc: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 11:46:30 -0700
In-Reply-To: <1098383388.909.3.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..

You may want to verify that those are the correct options in rc.conf.
At least in the 4.10 release the commands to enable the firewall are:

firewall_enable="YES"
firewall_script="/etc/pf.conf" (or whatever your firewall script is)

Aaron

> pf_enable="YES"
> pf_rules="/etc/pf.conf"
>
> But if I do a
> kaiser# pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> kaiser# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> kaiser#
>

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 19:14:47 2004
From: Dimitry Andric
To: Matteo Riondato
Cc: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 21:13:40 +0200
Message-ID: <643946323.20041021211340@andric.com>
In-Reply-To: <1098383388.909.3.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..
On 2004-10-21 at 20:29:48 Matteo Riondato wrote:

> pf_enable="YES"
> pf_rules="/etc/pf.conf"

The last line is not really needed, as it is the default anyway (see
/etc/defaults/rc.conf).

> but the ruleset does not get loaded.

A likely cause is an invalid syntax in your pf.conf file. Please show us
the output of:

pfctl -n -v -f /etc/pf.conf

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 19:14:47 2004
Date: Thu, 21 Oct 2004 21:14:45 +0200
From: Dimitry Andric
To: Aaron Nichols
Cc: freebsd-pf@freebsd.org
Message-ID: <1811124671.20041021211445@andric.com>
References: <1098383388.909.3.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..

On 2004-10-21 at 20:46:30 Aaron Nichols wrote:

> You may want to verify that those are the correct options in rc.conf.
> At least in the 4.10 release the commands to enable the firewall are:
> firewall_enable="YES"
> firewall_script="/etc/pf.conf" (or whatever your firewall script is)

Ehm, this is about FreeBSD 5.3-ish at least, with pf, not ipfw. :)
His options were correct.
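Dimitry's point in the two replies above is that pf_enable and pf_rules are the pf knobs, that pf_rules already defaults to /etc/pf.conf through /etc/defaults/rc.conf, and that firewall_enable/firewall_script belong to ipfw. The script below is an added example, not code from this thread and not FreeBSD's rc.subr: it resolves an rc.conf the way rc.subr's load_rc_config does (defaults first, /etc/rc.conf overriding) and reports whether the host would come up with pf, with ipfw, or with no packet filter at all, which is the fail-open case worth catching before a reboot. The sample files are constructed from the lines quoted in the thread, and the path_exists hook is an assumption of the example so it can audit a config that is not the local machine's.

```python
"""Resolve the firewall settings a FreeBSD host boots with from its rc.conf.

Added example, not code from the thread or from FreeBSD's rc.subr.  It
applies the precedence rc.subr's load_rc_config uses (/etc/defaults/rc.conf
first, /etc/rc.conf overriding it) and reports whether pf, ipfw or nothing
would be started, and whether the ruleset pf_rules points at exists.
The defaults and the rc.conf variants below are constructed from the
lines the thread quotes.
"""
import re
import shlex

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc(text):
    """{name: value} for the plain name="value" assignments in an rc file.

    rc.conf is a shell script; only simple assignments are handled here,
    which is all a sane rc.conf contains.
    """
    values = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:          # unbalanced quote: sh would fail here too
            continue
        values[name] = words[0] if words else ''
    return values


def checkyesno(value):
    """rc.subr(8) checkyesno: yes/true/on/1 are true, anything else is false."""
    return value.lower() in ('yes', 'true', 'on', '1')


def effective_rc(*texts):
    """Overlay rc files in the order given; a later file overrides an earlier one."""
    merged = {}
    for text in texts:
        merged.update(parse_rc(text))
    return merged


def audit_firewall(rc, path_exists):
    """('ok'|'fail', [problems]) for the packet filter this rc would start at boot.

    path_exists is injected (assumption of the example) so the audit can run
    against a config describing another host, or the constructed one below.
    """
    problems = []
    pf_on = checkyesno(rc.get('pf_enable', 'NO'))
    ipfw_on = checkyesno(rc.get('firewall_enable', 'NO'))
    if pf_on:
        rules = rc.get('pf_rules', '/etc/pf.conf')
        if not path_exists(rules):
            problems.append('pf_enable=YES but pf_rules file %s does not exist' % rules)
    if ipfw_on and rc.get('firewall_script', '').endswith('pf.conf'):
        # rc.d/ipfw runs firewall_script as a shell script; a pf.conf there
        # is the ipfw knob being used for pf, and loads no pf rules at all.
        problems.append('firewall_script=%s is a pf ruleset, not an ipfw script'
                        % rc['firewall_script'])
    if not (pf_on or ipfw_on):
        problems.append('no packet filter enabled: host boots wide open')
    return ('fail' if problems else 'ok'), problems


# Constructed samples: the relevant /etc/defaults/rc.conf lines, Matteo's
# rc.conf (pf_rules left at its default, as Dimitry notes it can be) and
# the ipfw knobs Aaron suggested.
DEFAULTS = '''
pf_enable="NO"                  # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
firewall_enable="NO"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"   # Which script to run to set up the firewall
'''
RC_PF = 'pf_enable="YES"\n'
RC_IPFW_MIXUP = 'firewall_enable="YES"\nfirewall_script="/etc/pf.conf"\n'

if __name__ == '__main__':
    def exists(path):               # pretend only /etc/pf.conf is present
        return path == '/etc/pf.conf'
    for label, rc in (('pf', RC_PF), ('ipfw mix-up', RC_IPFW_MIXUP), ('empty', '')):
        print(label, audit_firewall(effective_rc(DEFAULTS, rc), exists))
```

On a real host, feed it the contents of /etc/defaults/rc.conf and /etc/rc.conf in that order and pass os.path.exists as the hook; the rc.conf from the thread resolves to pf enabled with /etc/pf.conf, while Aaron's suggestion resolves to ipfw enabled with a pf ruleset as its script.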
From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 19:41:06 2004
From: Aaron Nichols
To: Dimitry Andric
Cc: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 12:41:05 -0700
In-Reply-To: <1811124671.20041021211445@andric.com>
Subject: Re: Another problem with pf..
On Thu, 21 Oct 2004 21:14:45 +0200, Dimitry Andric wrote:
> Ehm, this is about FreeBSD 5.3-ish at least, with pf, not ipfw. :)
> His options were correct.

Yep - that makes sense. I didn't see any obvious indication (to me) of
the version involved so I figured I'd give it a shot. Sorry for any
confusion that resulted.

Aaron

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 20:49:17 2004
From: Matteo Riondato
To: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 22:49:14 +0200
Message-Id: <1098391754.909.16.camel@kaiser.sig11.org>
In-Reply-To: <643946323.20041021211340@andric.com>
Subject: Re: Another problem with pf..
On Thu, 2004-10-21 at 21:13, Dimitry Andric wrote:
> On 2004-10-21 at 20:29:48 Matteo Riondato wrote:
>
> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
>
> The last line is not really needed, as it is the default anyway (see
> /etc/defaults/rc.conf).

With or without that line, the situation does not change.

> pfctl -n -v -f /etc/pf.conf

kaiser# pfctl -n -v -f /etc/pf.conf
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"
tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
icmp_types = "{ 0, 3, 8, 11 }"
scrub in all fragment reassemble
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
pass inet proto icmp all icmp-type echorep
pass inet proto icmp all icmp-type unreach
pass inet proto icmp all icmp-type echoreq
pass inet proto icmp all icmp-type timex
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass out on rl0 inet from any to 192.168.1.0/27 keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
pass out on fxp1 inet from any to 192.168.0.0/29 keep state
pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
pass out on tun0 proto tcp all flags S/SA modulate state
pass out on tun0 proto udp all keep state
pass out on tun0 proto icmp all keep state
kaiser#

--
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 20:53:41 2004
From: Matteo Riondato
To: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 22:53:39 +0200
Message-Id: <1098392019.909.22.camel@kaiser.sig11.org>
Subject: Re: Is PF nat broken?

Thu, 2004-10-21 18:38 CEST, Max Laier wrote:
> Matteo Riondato wrote:
> > Please note that I'm using pf.ko, not in-kernel support.
> > There isn't a "nat enable yes" line in /etc/ppp/ppp.conf
> > Any help will be appreciated.
>
> Well, could you try to tell us what exactly the problem is? I don't see any
> mentioning of the actual problem.

Ouch, sorry, I forgot to mention it.. :)
Well, the fact is that nat does not work.
I mean: packets arrive from the lan to the internal interface (wifi_if =
"rl0") and it seems that they are forwarded to remote hosts, but when
they come back, they are not forwarded back to lan hosts.

Here you can find the output of "pfctl -vrs":
http://www.riondabsd.net/pfctl-vsr.output

The output of "tcpdump -i rl0 port 110"
http://www.riondabsd.net/tcpdump.rl0

The output of "tcpdump -i tun0 port 110"
http://www.riondabsd.net/tcpdump.tun0

(the two tcpdumps were taken at the same time)

Here is my /etc/pf.conf
http://www.riondabsd.net/pf.conf

Hope this helps.
Thank you in advance for any hint.

Best Regards
--
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 20:57:18 2004
Date: Thu, 21 Oct 2004 22:56:52 +0200
From: Dimitry Andric
To: Matteo Riondato
Cc: freebsd-pf@freebsd.org
Message-ID: <1415983562.20041021225652@andric.com>
In-Reply-To: <1098391754.909.16.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..

On 2004-10-21 at 22:49:14 Matteo Riondato wrote:

> ext_if = "tun0"
> wifi_if = "rl0"
> eth_if = "fxp1"
> wifi_net = "192.168.1.0/27"
> eth_net = "192.168.0.0/29"
> tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
> icmp_types = "{ 0, 3, 8, 11 }"
> scrub in all fragment reassemble
> block drop all
> pass quick on lo0 all
> block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
> block drop in log quick inet from 192.168.1.1 to any
> block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
> block drop in quick inet from 192.168.0.1 to any
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
> pass inet proto icmp all icmp-type echorep
> pass inet proto icmp all icmp-type unreach
> pass inet proto icmp all icmp-type echoreq
> pass inet proto icmp all icmp-type timex
> pass in on rl0 inet from 192.168.1.0/27 to any keep state
> pass out on rl0 inet from any to 192.168.1.0/27 keep state
> pass in on fxp1 inet from 192.168.0.0/29 to any keep state
> pass out on fxp1 inet from any to 192.168.0.0/29 keep state
> pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
> pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
> pass out on tun0 proto tcp all flags S/SA modulate state
> pass out on tun0 proto udp all keep state
> pass out on tun0 proto icmp all keep state

Hm, so your rules seem to be okay. Do I miss something, or don't I
see any NAT rule in there?

Next question is: what happens if you manually run /etc/rc.d/pf start
or reload?
From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 21:07:26 2004
From: Matteo Riondato
To: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 23:07:24 +0200
Message-Id: <1098392844.909.34.camel@kaiser.sig11.org>
In-Reply-To: <1415983562.20041021225652@andric.com>
Subject: Re: Another problem with pf..
Thu, 2004-10-21 at 22:56, Dimitry Andric wrote:
> On 2004-10-21 at 22:49:14 Matteo Riondato wrote:
> Hm, so your rules seem to be okay. Do I miss something, or don't I
> see any NAT rule in there?

Uh, well, I commented them out because I had to keep my lan hosts
browsing (and my family happy...)

The complete output is this:

kaiser# pfctl -n -v -f /etc/pf.conf
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"
tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
icmp_types = "{ 0, 3, 8, 11 }"
scrub in all fragment reassemble
nat on tun0 inet from 192.168.1.0/27 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.0/29 to any -> (tun0) round-robin
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
pass inet proto icmp all icmp-type echorep
pass inet proto icmp all icmp-type unreach
pass inet proto icmp all icmp-type echoreq
pass inet proto icmp all icmp-type timex
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass out on rl0 inet from any to 192.168.1.0/27 keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
pass out on fxp1 inet from any to 192.168.0.0/29 keep state
pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
pass out on tun0 proto tcp all flags S/SA modulate state
pass out on tun0 proto udp all keep state
pass out on tun0 proto icmp all keep state

> Next question is: what happens if you manually run /etc/rc.d/pf start
> or reload?

Rules get loaded. Can this be related to the fact that I use the module
and not the in-kernel support?
Best Regards
--
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 22 05:36:42 2004
Date: Fri, 22 Oct 2004 14:36:03 +0900
From: Pyun YongHyeon
To: Matteo Riondato
Message-ID: <20041022053603.GA30294@kt-is.co.kr>
Cc: freebsd-pf@freebsd.org
In-Reply-To: <1098383388.909.3.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..

On Thu, Oct 21, 2004 at 08:29:48PM +0200, Matteo Riondato wrote:
> Sorry to bother you again, but I'm having trouble with pf:
> just rebooted my machine with these lines in /etc/rc.conf:
>
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
>
> But if I do a
> kaiser# pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> kaiser# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> kaiser#
>

Maybe you don't have ALTQ compiled in kernel.

> But..my rules _are_ in /etc/pf.conf ....
> but the ruleset does not get loaded.

Are you sure pf didn't load your rule? The ALTQ message you saw is
just an informational one, not a fatal error.
With "pfctl -sr" you can't see NAT rules. You need something like
"pfctl -vvsn" to check NAT state.

> I will give you more information on request.
> Best Regards
> --
> Rionda aka Matteo Riondato
> GUFI Staff Member (http://www.gufi.org)
> FreeSBIE Developer (http://www.freesbie.org)
> BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
> Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 22 05:59:09 2004
From: Pyun YongHyeon
To: Matteo Riondato
Cc: freebsd-pf@freebsd.org
Date: Fri, 22 Oct 2004 14:58:28 +0900
Message-ID: <20041022055828.GB30294@kt-is.co.kr>
In-Reply-To: <1098392019.909.22.camel@kaiser.sig11.org>
Subject: Re: Is PF nat broken?
On Thu, Oct 21, 2004 at 10:53:39PM +0200, Matteo Riondato wrote:
> Thu, 2004-10-21 18:38 CEST, Max Laier wrote:
> > Matteo Riondato wrote:
> > > Please note that I'm using pf.ko, not in-kernel support.
> > > There isn't a "nat enable yes" line in /etc/ppp/ppp.conf
> > > Any help will be appreciated.
> >
> > Well, could you try to tell us what exactly the problem is? I don't see any
> > mentioning of the actual problem.
>
> Ouch, sorry, I forgot to mention it.. :)
> Well, the fact is that nat does not work. I mean: packets arrive from
> the lan to the internal interface (wifi_if = "rl0") and it seems that
> they are forwarded to remote hosts, but when they come back, they are not
> forwarded back to lan hosts.
>
> Here you can find the output of "pfctl -vrs":
> http://www.riondabsd.net/pfctl-vsr.output
>

You may need "pfctl -vvsn" to check NAT and "pfctl -vss" to check
created states.

> The output of "tcpdump -i rl0 port 110"
> http://www.riondabsd.net/tcpdump.rl0
>
> The output of "tcpdump -i tun0 port 110"
> http://www.riondabsd.net/tcpdump.tun0
>
> (the two tcpdumps were taken at the same time)
>

I guess the additional "-nvvv" options are preferable since they convey
more information than the plain tcpdump command.

> Here is my /etc/pf.conf
> http://www.riondabsd.net/pf.conf
>

Remove the block rule or add the log keyword and check whether your NAT
rule really works.

> Hope this helps.
> Thank you in advance for any hint.

PS: Your mail server rejects my mail.
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 22 06:12:30 2004
From: Pyun YongHyeon
To: Claudiu Dragalina-Paraipan
cc: freebsd-pf@freebsd.org
Date: Fri, 22 Oct 2004 15:11:52 +0900
Subject: Re: FTP Server behind NAT
Message-ID: <20041022061152.GA30651@kt-is.co.kr>
User-Agent: Mutt/1.4.1i

On Thu, Oct 21, 2004 at 09:05:29PM +0300, Claudiu Dragalina-Paraipan wrote:
> Hello again,
>
> in the meanwhile I found a solution:
> ftp can be aware of the fact that it must use another IP for passive
> mode connections.
> vsftpd option that does this is "pasv_address" and pureftpd is
> "ForcePassiveIP". Probably most decent ftp servers have such an
> option.
> The firewall still has to redirect the same ports to the internal ftp
> server for this to work.
>

I guess you need the "-a" option of ftp-proxy(8).

> Best regards,
>

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 22 06:29:24 2004
From: Pyun YongHyeon
To: Claudiu Dragalina-Paraipan
cc: freebsd-pf@freebsd.org
Date: Fri, 22 Oct 2004 15:28:46 +0900
Subject: Re: FTP Server behind NAT
Message-ID: <20041022062846.GB30651@kt-is.co.kr>
In-Reply-To: <20041022061152.GA30651@kt-is.co.kr>
User-Agent: Mutt/1.4.1i

On Fri, Oct 22, 2004 at 03:11:52PM +0900, To Claudiu Dragalina-Paraipan wrote:
> On Thu, Oct 21, 2004 at 09:05:29PM +0300, Claudiu Dragalina-Paraipan wrote:
> > Hello again,
> >
> > in the meanwhile I found a solution:
> > ftp can be aware of the fact that it must use another IP for passive
> > mode connections.
> > vsftpd option that does this is "pasv_address" and pureftpd is
> > "ForcePassiveIP". Probably most decent ftp servers have such an
> > option.
> > The firewall still has to redirect the same ports to the internal ftp
> > server for this to work.
> >
>
> I guess you need the "-a" option of ftp-proxy(8).
>

Ooops. Please ignore this. Need more coffee.
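Claudiu's solution from the "FTP Server behind NAT" thread above, written out as an added pf.conf fragment. It is not from any message in the thread: the internal server address 192.168.1.20, the interface name tun0 and the passive port range 50000:50100 are made up for illustration, and the vsftpd option names besides pasv_address (pasv_min_port, pasv_max_port) are the standard vsftpd settings for pinning the passive range.

```pf
# Added example, not from the thread: publishing an FTP server that sits
# behind the NAT box. The server itself announces the public address in
# its PASV replies (pasv_address); pf only has to redirect the control
# port and the passive range to the internal host.
# Addresses and the passive port range are constructed for this example.
ext_if     = "tun0"
ftp_srv    = "192.168.1.20"
pasv_ports = "50000:50100"

# Control channel: redirect public port 21 to the internal server.
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_srv

# Passive data channels: redirect exactly the range the server hands out.
# With no port after "->" pf keeps the original destination port, so a
# PASV reply naming port 50042 lands on port 50042 of the server.
rdr on $ext_if proto tcp from any to ($ext_if) port $pasv_ports -> $ftp_srv

# Filter rules are evaluated after translation, so they must pass traffic
# to the *internal* address, not to the public one.
pass in on $ext_if proto tcp from any to $ftp_srv port 21 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_srv port $pasv_ports \
    flags S/SA keep state

# Matching server side (vsftpd.conf on 192.168.1.20, not part of pf):
#   pasv_enable=YES
#   pasv_address=<public address on tun0>
#   pasv_min_port=50000
#   pasv_max_port=50100
# The PASV reply then advertises an address and port that the second rdr
# rule above actually forwards; a range the server uses but pf does not
# redirect shows up as data connections that time out after "227 Entering
# Passive Mode".
```

Keeping the passive range narrow matters twice over: it bounds the ports exposed on the public address, and it keeps the rdr rule and the server configuration verifiably in step.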
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 23 11:16:13 2004
From: "Aled Treharne"
Date: Sat, 23 Oct 2004 12:15:21 +0100
Subject: NAT with IP != primary external IP

Hi guys.

I'm trying to set up a firewall on a box for a friend. The arrangement is fairly simple: a bunch of machines behind the FBSD box, FBSD box connected to ADSL. What I'd like to do (because I wanted to in the first place, and now it's annoying me) is to have 2 IPs on the external i/f on the FBSD box, and have one as the machine's primary IP and t'other solely as the NAT IP. I've tried putting various IPs in the places that make sense to me, but I just couldn't get it to work[1].

Is this possible, and if so, would someone be so kind as to tell me how? I'm trying to move over to pf from ipfw, and if I can get it working, I've got a strong case for using it at work as well.

Thanks in advance for your sage advice. :)

Cheers,
Aled.

[1] This is just one place where I prefer linux's eth0:alias1 type labelling of sub-interfaces over FreeBSD's just-put-multiple-ips-on-one-interface way.

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 23 17:43:06 2004
From: Daniel Graupner
To: freebsd-pf@freebsd.org
Date: Sat, 23 Oct 2004 19:44:44 +0200
Subject: pf and multicast
Message-ID: <417A988C.6030607@danielgraupner.de>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)

Hello,

I'm currently using fbsd 5.2.1 and the security/pf port. With this port I sadly can not match multicast traffic. My pf is running on a multicast source and I want to create a rule that allows udp packets to a specific multicast-address and port. Is it possible?

Regards,
Daniel.
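Aled's earlier question in this batch ("NAT with IP != primary external IP": two addresses on the external interface, one reserved for NAT) as an added pf.conf fragment. It is not from any message on the list; the interface names xl0 and fxp0, the 203.0.113.0/29 block and the 255.255.255.248 netmask are assumed for illustration.

```pf
# Added example, not from the thread: NAT to an alias address instead of
# the interface's primary address. Interface names and addresses are
# assumed for illustration.
#
# FreeBSD has no eth0:1-style sub-interfaces; the second address is an
# alias on the same interface. In /etc/rc.conf:
#   ifconfig_xl0="inet 203.0.113.2 netmask 255.255.255.248"
#   ifconfig_xl0_alias0="inet 203.0.113.3 netmask 255.255.255.255"
# The host answers ARP for the alias, so replies to translated
# connections reach the box although no daemon binds to 203.0.113.3.
ext_if = "xl0"
int_if = "fxp0"
nat_ip = "203.0.113.3"

# A fixed address on the right-hand side. "($ext_if)" here would select
# the interface's primary address, which is the behaviour being avoided.
nat on $ext_if from $int_if:network to any -> $nat_ip

block log all

# LAN traffic is translated before filtering, so on the way out it has
# the alias as source; pass exactly that and nothing wider.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from $nat_ip to any keep state

# Traffic the firewall originates itself still leaves from the primary
# address; allow it explicitly rather than loosening the rule above to
# "from any", which would also let untranslated LAN addresses leak out.
pass out on $ext_if from ($ext_if) to any keep state
```

Splitting the two addresses this way also gives a clean audit trail: anything seen on the uplink with source 203.0.113.3 came through the NAT rule, and anything from 203.0.113.2 was generated by the firewall host itself.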