From: vsavichev@wesleyan.edu
Date: Sun, 6 Feb 2005 10:25:11 -0500 (EST)
To: freebsd-pf@freebsd.org
Subject: block specific IP's: corporate network

We have a standard LAN-server-WAN network configuration in a cyber-cafe:

    --LAN---|-em0-server----dc0-|---WAN

We want to rule outbound client connections, so pf.conf has the following layout (only the filter rules part):

    .....
    pass quick on $int_if all
    pass quick on lo0 all

    # block specific client's IPs
    #
    block in quick on $ext_if from any to IP
    block out quick on $ext_if from IP to any
    .....
    # stateful pass out rules on the specific ports
    # e.g.
    # Allow out non-secure standard www function
    pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
    ....

So we assume the given IP should be blocked from the WAN. But to my amusement, the client's browser gets out, states are created, so nothing is being blocked. For now I have no clue how it is happening.

Vlad


From: Hexren <me@hexren.net>
Date: Sun, 6 Feb 2005 17:48:49 +0100
To: vsavichev@wesleyan.edu
cc: freebsd-pf@freebsd.org
Subject: Re: block specific IP's: corporate network

vwe> we have a standard LAN-server-WAN network configuration in
vwe> cyber-cafe
vwe> --LAN---|-em0-server----dc0-|---WAN
vwe> we want to rule outbound client connections, so pf.conf has the following
vwe> layout (only filter rules part)
vwe> .....
vwe> pass quick on $int_if all
vwe> pass quick on lo0 all
vwe> # block specific client's ip's
vwe> #
vwe> block in quick on $ext_if from any to IP
vwe> block out quick on $ext_if from IP to any
vwe> .....
vwe> # stateful pass out rules on the specific ports
vwe> #e.g.
vwe> # Allow out non-secure standard www function
vwe> pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA
vwe> keep state
vwe> ....
vwe> so we assume given IP should be blocked from the WAN. But to my amusement,
vwe> the client's browser gets out, states are created, so nothing is
vwe> being blocked. For now, I have no clue how it is happening
vwe> Vlad

---------------------------------------------

Shooting in the dark here: are you doing NAT on outbound connections? In that case the filtering part of the ruleset will see the NATed packet on $ext_if, and as that packet will have the IP of $ext_if as its source, the rule blocking IP (IP being internal) will not catch it. Maybe you should try to do the filtering on $int_if.

Regards
Hexren
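An added example of the layout Hexren suggests; it is not part of either mail in this thread. The block rules move to the internal interface, where pf evaluates them before nat has rewritten the client's source address. Interface names follow Vlad's diagram (em0 inside, dc0 outside); the client addresses in the table, the table name and the nat rule are assumptions. The block rules have to sit before the catch-all "pass quick on $int_if all", because "quick" stops evaluation at the first matching rule, so with Vlad's ordering a block on $int_if would never be reached either.

```pf
# Added example, not part of the original ruleset.
# Interface names follow the diagram in the thread; the addresses are assumed.
int_if = "em0"
ext_if = "dc0"

# Clients to cut off from the WAN (assumed addresses). The table can be
# changed at run time with: pfctl -t blocked_clients -T add|delete <addr>
table <blocked_clients> persist { 192.168.1.50, 192.168.1.51 }

# Outbound NAT. After this rewrite an outbound packet on $ext_if carries
# $ext_if's own address as its source, so a "from <client>" rule on
# $ext_if can never match it. This is why the original rules saw states
# being created for a client that was supposed to be blocked.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter on the inside interface instead: here the packet still has the
# client's real source address. These must precede the catch-all pass
# below, since "quick" stops at the first matching rule.
block in quick on $int_if from <blocked_clients> to any
block out quick on $int_if from any to <blocked_clients>

pass quick on $int_if all
pass quick on lo0 all

# Stateful pass-out rules on the external interface, as before.
pass out quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f. Afterwards pfctl -s state should show no new entries for a blocked client's address, and pfctl -vs rules shows the block rule's packet counters rising as the client tries. Note that "block in on $int_if from <blocked_clients>" also cuts the client off from services on the gateway itself (DNS, DHCP); if those are needed, put a pass rule for them ahead of the block.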
From: Matt MacDonald <macdonald.matthew@gmail.com>
Date: Mon, 7 Feb 2005 07:15:21 -0500
To: freebsd-pf@freebsd.org
Subject: Two interface route-to problem

I've been working on a problem for a while but it doesn't seem to be getting fixed. I've got two PPPoE interfaces to different ISPs. The default route is to ISP1 but my servers are on ISP2. Everything seems to be working fine except that traffic destined for ISP2 gets returned on the ISP1 interface. The docs seem to say that route-to will fix my problem but I can't seem to get it to work. Hopefully someone on this list will see what I'm doing wrong.

Here are the commands that I have tried to get this to work:

    pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
        to any flags S/SA
    pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from ($ISP2) \
        to any flags S/SA
    pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from $ISP2addr \
        to any flags S/SA
    pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from $ISP2addr \
        to any flags S/SA

but none of them seem to work. I do have a similar line that routes SMTP traffic inbound on the inside interface to ISP2 and that works fine.

Thanks,
Matt

Here is my entire config:

    ############### /etc/pf.conf ###########################
    ## Macros
    ISP1="tun0"
    ISP2="tun1"
    INSIDE="rl1"
    MYNET="192.168.1.0/24"
    ALLOWED="{ 20, 21, 22, 113 }"

    ## TABLES (the table names were lost in the archived copy; <...> marks them)
    table <...> const { 10/8, 172.16/12, 192.168/16, 224/8 }
    table <...> persist
    table <...> { 66.x.x.x }
    table <...> { 64.x.x.x }

    ## GLOBAL OPTIONS
    set loginterface $ISP2
    set block-policy return

    ## TRAFFIC NORMALIZATION
    scrub in on { $ISP2, $ISP1 } all fragment reassemble
    #scrub out on { $ISP2, $ISP1 } all fragment reassemble random-id no-df

    ## QUEUEING RULES

    ## TRANSLATION RULES (NAT)
    nat on $ISP1 from $INSIDE:network to any -> ($ISP1)
    nat on $ISP2 from $INSIDE:network to any -> ($ISP2)
    rdr on $INSIDE proto tcp from any to any port 21 -> 127.0.0.1 \
        port 8021

    ## FILTER RULES
    #
    # Defaults Block All
    #
    block log all
    block in log quick on { $ISP2, $ISP1 } from <...> to any
    block log quick on { $ISP2, $ISP1 } from <...> to any

    #
    # Tun 0 - ISP1
    # Out
    pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) to any flags S/SA
    pass out log on $ISP1 proto tcp all modulate state flags S/SA
    pass out log on $ISP1 proto { udp, icmp } all keep state
    # In
    pass in log on $ISP1 proto icmp from any to ($ISP1) keep state
    pass in log on $ISP1 inet proto tcp from any to ($ISP1) port $ALLOWED flags S/SA keep state
    pass in log on $ISP1 inet proto tcp from any to ($ISP1) \
        port > 49151 keep state

    #
    # Tun 1 - ISP2
    # Out
    pass out log quick on $ISP2 route-to ( $ISP1 $ISP1:peer ) from ($ISP1) to any flags S/SA
    pass out log on $ISP2 proto tcp all modulate state flags S/SA
    pass out log on $ISP2 proto { udp, icmp } all keep state
    # In
    pass in log on $ISP2 proto icmp from any to ($ISP2) keep state
    pass in log on $ISP2 inet proto tcp from any to ($ISP2) port $ALLOWED flags S/SA keep state

    #
    # rl1 - Inside
    # Out
    pass in quick on $INSIDE route-to ( $ISP2 ) inet proto tcp from any to any port 25 modulate state
    pass in on $INSIDE from $MYNET to any
    pass out on $INSIDE from any to $MYNET

    #
    # Loopback
    #
    pass in quick on lo0 all
    pass out quick on lo0 all
From: Jon Simola <jsimola@gmail.com>
Date: Mon, 7 Feb 2005 10:40:06 -0800
To: Matt MacDonald
cc: freebsd-pf@freebsd.org
Subject: Re: Two interface route-to problem

On Mon, 7 Feb 2005 07:15:21 -0500, Matt MacDonald wrote:
> I've got two PPPoE interfaces to different ISPs. The default route is
> to ISP1 but my servers are on ISP2. Everything seems to be
> working fine except that traffic destined for ISP2 gets
> returned on the ISP1 interface. The docs seem to say that route-to
> will fix my problem but I can't seem to get it to work. Hopefully
> someone on this list will see what I'm doing wrong.
>
> Here are the commands that I have tried to get this to work:
>
> pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
>     to any flags S/SA
> pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from ($ISP2) \
>     to any flags S/SA
> pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from $ISP2addr \
>     to any flags S/SA
> pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from $ISP2addr \
>     to any flags S/SA
>
> but none of them seem to work. I do have a similar line that routes
> SMTP traffic inbound on the inside interface to ISP2 and that works
> fine.

Yes, route-to should be used on the "pass in" side of the ruleset. You've got a working SMTP rule for it, and here's an example from one of my routers:

    pass in on vlan107 route-to (vlan700 172.16.0.129) from vlan107:network to x.x.0.0/16 keep state

The man page talks about route-to creating state, and I think it's much easier to do this on the incoming interface.
From: Matt MacDonald <macdonald.matthew@gmail.com>
Date: Mon, 7 Feb 2005 19:14:35 -0500
To: freebsd-pf@freebsd.org
cc: jon@abccomm.com
Subject: Re: Two interface route-to problem

Thank you for the help. I was sure that I read in the docs somewhere that you could use route-to on an outgoing packet as well. If not, is there any way that I can route a packet back out tun1 when my default route is tun0?

Thanks,
Matthew MacDonald

On Mon, 7 Feb 2005 10:40:06 -0800, Jon Simola wrote:
> On Mon, 7 Feb 2005 07:15:21 -0500, Matt MacDonald wrote:
>
> > I've got two PPPoE interfaces to different ISPs. The default route is
> > to ISP1 but my servers are on ISP2. Everything seems to be
> > working fine except that traffic destined for ISP2 gets
> > returned on the ISP1 interface. The docs seem to say that route-to
> > will fix my problem but I can't seem to get it to work. Hopefully
> > someone on this list will see what I'm doing wrong.
> >
> > Here are the commands that I have tried to get this to work:
> >
> > pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from ($ISP2) \
> >     to any flags S/SA
> > pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from ($ISP2) \
> >     to any flags S/SA
> > pass out log quick on $ISP1 route-to ( $ISP2 $ISP2:peer ) from $ISP2addr \
> >     to any flags S/SA
> > pass out log quick on $ISP1 route-to ( $ISP2 $ISP2gw ) from $ISP2addr \
> >     to any flags S/SA
> >
> > but none of them seem to work. I do have a similar line that routes
> > SMTP traffic inbound on the inside interface to ISP2 and that works
> > fine.
>
> Yes, route-to should be used on the "pass in" side of the ruleset.
> You've got a working SMTP rule for it, and here's an example from one
> of my routers:
>
> pass in on vlan107 route-to (vlan700 172.16.0.129) from
> vlan107:network to x.x.0.0/16 keep state
>
> The man page talks about route-to creating state, and I think
> it's much easier to do this on the incoming interface.
From: Jay <jay@meangrape.com>
Date: Mon, 7 Feb 2005 19:01:12 -0600
To: freebsd-pf@freebsd.org
Subject: rule ordering

I'm putting in a NAT rule for the first time. My pf.conf is just edited from the original.

When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the following error message:

    /etc/pf.conf:62: Rules must be in order: options, normalization, queueing, translation, filtering

A perfectly understandable error message -- queueing should be before translation. As in the following snippet from my pf.conf:

    # Queueing: rule-based bandwidth control.
    altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
    queue q_pri priority 7
    queue q_def priority 1 priq(default)

    pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
        keep state queue (q_def, q_pri)
    pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
        keep state queue (q_def, q_pri)

    # Translation: specify how addresses are to be mapped or redirected.
    nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161

Yup. Looks like queueing before translation. But that's the snippet that throws the error. If I comment out all of the ALTQ rules, pfctl -n -f /etc/pf.conf works fine. Also the same if I comment out the NAT rule.

My full pf.conf is available at http://www.meangrape.com/Members/jayed/configurations/pf.conf/

(Yeah, I know, I know -- things probably look ugly -- no, I don't know why that comment or rule is in there any more -- I'm constantly playing around with it -- I'm not obfuscating the IPs because that's a stupid idea...if my firewall works, it works; hiding the IPs isn't going to make a difference. However, if anyone feels the urge to provide constructive criticism, I'm all ears).

-- 
Jay.
From: Jon Simola <jsimola@gmail.com>
Date: Mon, 7 Feb 2005 17:13:53 -0800
To: Matt MacDonald
cc: freebsd-pf@freebsd.org
Subject: Re: Two interface route-to problem

On Mon, 7 Feb 2005 19:14:35 -0500, Matt MacDonald wrote:
> I was sure that I read in the docs somewhere that you could use
> route-to on an outgoing packet as well. If not, is there any way that
> I can route a packet back out tun1 when my default route is tun0?

I've only ever done it on inbound packets, a la:

    pass in on em1 reply-to (em1 x.x.252.1) proto tcp to em1 port smtp keep state

In that case, for an inbound SMTP I run from a secondary low-priority connection. (Read: cheap multihoming, we've got an OC3 and use a cheap business cable drop as a secondary network for DNS and SMTP.)

If you're running PF on a router, this should be easy because packets have to enter via some interface. I've never had to do this for connections originating on the PF machine. Perhaps tweaking the route table would help do what you're looking for:

    route add net 192.168 gateway 172.16.100.1
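An added example, not Matt's or Jon's ruleset, that applies Jon's two replies to Matt's layout: route-to and reply-to go on the "pass in" rule that first sees the packet and creates the state. For connections arriving on the ISP2 link, reply-to on the inbound rule records that the reply direction of that state must leave through $ISP2 to its peer, so the SYN/ACK no longer follows the default route out $ISP1. For LAN-originated traffic that should use ISP2, route-to sits on the inbound rule on the inside interface, as in Matt's working SMTP line. Macro names follow Matt's config; the inside mail server address and the rdr rule are assumptions. $ISP2:peer expands to the point-to-point peer of the PPPoE link; a literal gateway address works in the same place. Connections that originate on the firewall itself are left to the routing table, as Jon suggests.

```pf
# Added example, not Matt's or Jon's ruleset. Macro names follow Matt's
# config; SMTP_SERVER and the rdr rule are assumptions.
ISP1="tun0"                  # default route goes out here
ISP2="tun1"                  # servers are reachable via this link
INSIDE="rl1"
MYNET="192.168.1.0/24"
SMTP_SERVER="192.168.1.25"   # assumed inside mail server

nat on $ISP1 from $MYNET to any -> ($ISP1)
nat on $ISP2 from $MYNET to any -> ($ISP2)
# Assumed: inbound SMTP on the ISP2 address is redirected to the inside server.
# rdr happens before filtering, so the pass rule below matches the
# translated destination, not ($ISP2).
rdr on $ISP2 proto tcp from any to ($ISP2) port 25 -> $SMTP_SERVER port 25

block log all

# Inbound on ISP2: reply-to pins the reply direction of the state to $ISP2
# and its peer, even though the default route points at $ISP1.
pass in on $ISP2 reply-to ( $ISP2 $ISP2:peer ) proto tcp from any to ($ISP2) port 22 flags S/SA keep state
pass in on $ISP2 reply-to ( $ISP2 $ISP2:peer ) proto tcp from any to $SMTP_SERVER port 25 flags S/SA keep state

# LAN-originated SMTP must leave via ISP2 regardless of the default route:
# route-to on the inbound rule on the inside interface, where the packet
# first enters pf and the state is created.
pass in quick on $INSIDE route-to ( $ISP2 $ISP2:peer ) proto tcp from $MYNET to any port 25 flags S/SA keep state
pass in on $INSIDE from $MYNET to any keep state
pass out on $INSIDE from any to $MYNET keep state

# Everything else follows the kernel routing table, i.e. the default route.
pass out on $ISP1 proto tcp all flags S/SA modulate state
pass out on $ISP1 proto { udp, icmp } all keep state
pass out on $ISP2 proto tcp all flags S/SA modulate state
pass out on $ISP2 proto { udp, icmp } all keep state
```

To confirm it does what is intended, connect to port 25 on the ISP2 address from outside while running tcpdump -ni tun1 port 25 on the firewall: the SYN/ACK should appear on tun1, not on tun0. pfctl -s state then shows the state created by the reply-to rule; if the SYN/ACK still leaves on tun0, the packet matched a different pass rule and no reply-to state was created, which pfctl -vs rules (per-rule packet counters) makes visible.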
From: "solarflux.org/pf" <pf-r@solarflux.org>
Date: Mon, 07 Feb 2005 23:44:29 -0500
To: freebsd-pf@freebsd.org
Subject: Re: rule ordering

Jay wrote:
> I'm putting in a NAT rule for the first time. My pf.conf is just edited
> from the original.
>
> When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
> following error message:
>
> /etc/pf.conf:62: Rules must be in order: options, normalization,
> queueing, translation, filtering
>
> A perfectly understandable error message -- queueing should be before
> translation. As in the following snippet from my pf.conf:
>
> # Queueing: rule-based bandwidth control.
> altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
>
> pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
> keep state queue (q_def, q_pri)
> pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
> keep state queue (q_def, q_pri)
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
>
> Yup. Looks like queueing before translation. But that's the snippet
> that throws the error. If I comment out all of the ALTQ rules, pfctl -n
> -f /etc/pf.conf works fine. Also the same if I comment out the NAT
> rule.

You have pass rules (hence, filtering) in your queueing section; you must only set up queueing in that section. That's why commenting out the nat rule or everything in your queueing section allows the pf.conf to be parsed successfully.

-S
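An added example, not Jay's pf.conf, showing the snippet in the order pf's parser of that era requires. Only the altq and queue definitions are queueing rules; a pass rule with a queue keyword is a filter rule wherever it is written, so the parser reports the first rule it meets out of sequence, which is why the error pointed at the nat line (the first translation rule after a filter rule) rather than at the pass rules. The queue names, bandwidth, network and external address are the ones Jay posted; ext_1 is assumed to be rl1, since that is the interface his nat rule translates on.

```pf
# Added example, not Jay's pf.conf. ext_1 = rl1 is an assumption.
ext_1 = "rl1"

## Queueing: only altq and queue definitions belong in this section.
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

## Translation: nat/rdr/binat come after queueing and before any filter rule.
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161

## Filtering: the pass rules that assign traffic to the queues go here,
## after the translation section. "queue (q_def, q_pri)" sends the bulk
## of the connection to q_def and TOS lowdelay / pure ACK packets to q_pri.
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
    keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
    keep state queue (q_def, q_pri)
```

pfctl -nf /etc/pf.conf now parses cleanly; after pfctl -f, pfctl -vs queue shows per-queue packet and byte counters, which is the quickest way to see that the pass rules really are steering traffic into q_pri and q_def.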
In-Reply-To: <420843AD.7080201@solarflux.org>
cc: freebsd-pf@freebsd.org
Subject: Re: rule ordering

Thanks! Makes perfect sense.

On Mon, Feb 07, 2005 at 11:44:29PM -0500, solarflux.org/pf wrote:
> Jay wrote:
> >I'm putting in a NAT rule for the first time. My pf.conf is just edited
> >from the original.
> >
> >When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
> >following error message:
> >
> >  /etc/pf.conf:62: Rules must be in order: options, normalization,
> >queueing, translation, filtering
> >
> >A perfectly understandable error message -- queuing should be before
> >translation. As in the following snippet from my pf.conf:
> >
> >  # Queueing: rule-based bandwidth control.
> >  altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
> >  queue q_pri priority 7
> >  queue q_def priority 1 priq(default)
> >
> >  pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
> >    keep state queue (q_def, q_pri)
> >  pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
> >    keep state queue (q_def, q_pri)
> >
> >  # Translation: specify how addresses are to be mapped or redirected.
> >  nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
> >
> >Yup. Looks like queueing before translation. But that's the snippet
> >that throws the error. If I comment out all of the ALTQ rules, pfctl -n
> >-f /etc/pf.conf works fine. Also the same if I comment out the NAT
> >rule.
>
> You have pass rules (hence, filtering) in your queueing section; you
> must only set up queueing in that section. That's why commenting out
> the nat rule or everything in your queueing section allows the pf.conf to
> be parsed successfully.
>
> -S

-- 
Jay.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:34:48 2005
Message-ID: <2063a95c0502081634488797f6@mail.gmail.com>
Date: Tue, 8 Feb 2005 19:34:46 -0500
From: Doug Van Allen
To: freebsd-pf@freebsd.org
Reply-To: Doug Van Allen
Subject: Valid statement in pf.conf?

Is this valid:

  pass in on $ext_if proto tcp from 151.103.xxx.xxx-151.103.xxx.xxx to $ext_if port 22 keep state

I used x's only to hide the other part of the ip address. I need to
let in a range of ip's like, 192.168.0.1-192.168.32.254.

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 03:16:19 2005
Message-ID: <42098079.90104@solarflux.org>
Date: Tue, 08 Feb 2005 22:16:09 -0500
From: "solarflux.org/pf"
To: freebsd-pf@freebsd.org
In-Reply-To: <2063a95c0502081634488797f6@mail.gmail.com>
Subject: Re: Valid statement in pf.conf?
Doug Van Allen wrote:
> Is this valid:
>
> pass in on $ext_if proto tcp from 151.103.xxx.xxx-151.103.xxx.xxx
> to $ext_if port 22 keep state
>
> I used x's only to hide the other part of the ip address. I need to
> let in a range of ip's like, 192.168.0.1-192.168.32.254.

No. Are you trying to let in an entire subnet or a range of IPs that do
not consist of an entire subnet?

If you want to let an entire subnet in, you can use, for example:

  pass in on $ext_if proto tcp from 151.103.50.96/28 to $ext_if port 22 \
    keep state

This lets 151.103.50.96 - 151.103.50.111 pass (really .97-.110).

If you want to use a range that is not an entire subnet, you could use a
macro with each IP listed:

  $sshallowed = "{ 151.103.50.98, 151.103.50.99, 151.103.50.100 }"

The pass rule would then be:

  pass in on $ext_if proto tcp from $sshallowed to $ext_if port 22 \
    keep state

An alternative would be to use a table with each IP listed, either
inclusive or in a separate file.

Inclusive example:

  table persist { 151.103.50.98, 151.103.50.99, \
    151.103.50.100 }

Pass rule:

  pass in on $ext_if proto tcp from to $ext_if port 22 \
    keep state

Separate file example:

  table persist file "/etc/pf.sshallowed"

The file /etc/pf.sshallowed would consist of all the IP addresses, but
only one IP address per line:

  151.103.50.98
  151.103.50.99
  151.103.50.100

Same pass rule as the inclusive example.

HTH

-S

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 05:45:54 2005
Date: Wed, 9 Feb 2005 08:44:26 +0300
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Message-ID: <20050209054426.GE20131@ns2.wananchi.com>
Subject: IPFilter TO PF

Hello users,

I am a newbie to PF, but I have been using IPFilter for some
time. Please bear with my first silly question.

For reasons that I would like to enter the era of bandwidth control,
and this is not available in IPFilter.
I have a few boxes running
almost with similar rules and was wondering if there could be a tool
to convert ipf/ipnat rules into PF format/syntax or I just have to
sit down and start the conversion manually.

Thanks for any insights.

-Wash

http://www.netmeister.org/news/learn2quote.html
-- 
+======================================================================+
|\      _,,,---,,_           | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_  | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-' | Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)      | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Hark ye, Clinker, you are a most notorious offender. You stand convicted of
sickness, hunger, wretchedness, and want.
		-- Tobias Smollet

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 05:51:57 2005
Date: Wed, 9 Feb 2005 06:51:58 +0100
From: Hexren
Reply-To: Hexren
Message-ID: <5155910064.20050209065158@hexren.net>
To: Odhiambo Washington
In-Reply-To: <20050209054426.GE20131@ns2.wananchi.com>
cc: freebsd-pf@freebsd.org
Subject: Re: IPFilter TO PF

OW> Hello users,

OW> I am a newbie to PF, but I have been using IPFilter for some
OW> time. Please bear with my first silly question.

OW> For reasons that I would like to enter the era of bandwidth control,
OW> and this is not available in IPFilter. I have a few boxes running
OW> almost with similar rules and was wondering if there could be a tool
OW> to convert ipf/ipnat rules into PF format/syntax or I just have to
OW> sit down and start the conversion manually.

OW> Thanks for any insights.
OW> -Wash

---------------------------------------------

Dunno about the tool, but in my experience it was always worthwhile to
"sit down and start the conversion manually"; it's so much a learning
experience :)

Hexren

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 10:25:17 2005
Message-ID: <4209E50E.2010603@topocentras.lt>
Date: Wed, 09 Feb 2005 12:25:18 +0200
From: Albertas Guscius
To: freebsd-pf@freebsd.org
Subject: squid with pf problem

Hello,

I have a problem running squid and packet filter.
After a certain moment it hangs the machine. I tried three different types of
hardware, so I think it is a problem with software.
Squid is compiled with pf support.
Rule in pf:

  rdr on $int_if proto tcp from any to any port http -> 127.0.0.1 port 3128

I'm using xl() NIC's.

  FreeBSD xxx 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #3: Wed Feb 9 10:31:09 EET 2005 xxx@xxx:/usr/obj/usr/src/sys/GENERIC i386

It looks like I tried everything that I found on the internet.

  "options NET_WITH_GIANT"

  debug.mpsafenet=0
  net.inet.tcp.sack.enable=0

But still getting the same result:

  fault virtual address   = 0x18
  fault code              = supervisor read, page not present
  instruction pointer     = 0x8:0xffffffff803a14b3
  stack pointer           = 0x10:0xffffffffb1bd9800
  frame pointer           = 0x10:0x0
  code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, long 1, def32 0, gran 1
  processor eflags        = interrupt enabled, resume, IOPL = 0
  current process         = 44 (swi1: net)
  trap number             = 12

I think that the problem is with pf, because even when squid is not running,
the machine hangs once a day. With squid it hangs much faster (in a few minutes).
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 12:55:41 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2005 13:55:22 +0100
In-Reply-To: <4209E50E.2010603@topocentras.lt>
Message-Id: <200502091355.36805.max@love2party.net>
Subject: Re: squid with pf problem

On Wednesday 09 February 2005 11:25, Albertas Guscius wrote:
> Hello,
> I have problem running squid and packet filter.
> After certain moment it hangs machine. I tried three different types of
> hardware, so I think it is problem with software.
> Squid is compiled with pf support.
> Rule in pf: rdr on $int_if proto tcp from any to any port http ->
> 127.0.0.1 port 3128
> I'm using xl() NIC's.
> FreeBSD xxx 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #3: Wed Feb 9 10:
> 31:09 EET 2005 xxx@xxx:/usr/obj/usr/src/sys/GENERIC i386
>
> It looks that I tried everything, that I found on internet.
>
> "options NET_WITH_GIANT"
>
> debug.mpsafenet=0
> net.inet.tcp.sack.enable=0
>
> But still getting the same result:
>
> fault virtual address   = 0x18
> fault code              = supervisor read, page not present
> instruction pointer     = 0x8:0xffffffff803a14b3
> stack pointer           = 0x10:0xffffffffb1bd9800
> frame pointer           = 0x10:0x0
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 44 (swi1: net)
> trap number             = 12
>
>
> I think that problem is with pf, because even then squid is not running,
> machine hangs once a day. With squid it hangs much faster (in few minutes).

This report is not very helpful (not helpful at all). Please obtain at least
a backtrace:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/advanced.html#KERNEL-PANIC-TROUBLESHOOTING
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/kerneldebug.html
(build in KDB and DDB and issue a "trace" when the panic shows up)

With what you have posted so far it's impossible to find the culprit.
Nonetheless, you might want to try to update src/sys/contrib/pf to RELENG_5
(not RELENG_5_3 what you seem to have) to see if that improves the situation.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 13:10:58 2005
Date: Wed, 9 Feb 2005 14:10:55 +0100
From: Andy Hilker
To: freebsd-pf@freebsd.org
Message-ID: <20050209131055.GA94001@mail.crypta.net>
Organization: cryptobank - Andy Hilker
Subject: problems with synproxy on 5.3-stable

Hi,

i have migrated from ipfilter to pf and have problems with synproxy.
First: many thanks for importing pf to freebsd :)

pf protects only localhost with multiple IPs and jails. There is
only 1 outside interface.

When i use "keep state" everything works normally. If using synproxy
a few people having problems accessing pop3 and http on my server.
Requests are incomplete or corrupt (for example get requests in
httpd-access.log). But it seems that this problem occurs only for
a few people.

Is there any way to "count" or monitor the activity of synproxy to
see how much clients are blocked?
Any ideas why synproxy does not work at this "few peoples"?

Thanks in advance and best regards,
Andy

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 18:45:11 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2005 19:44:40 +0100
In-Reply-To: <20050209131055.GA94001@mail.crypta.net>
Message-Id: <200502091945.01577.max@love2party.net>
Subject: Re: problems with synproxy on 5.3-stable

On Wednesday 09 February 2005 14:10, Andy Hilker wrote:
> Hi,
>
> i have migrated from ipfilter to pf and have problems with synproxy.
> First: many thanks for importing pf to freebsd :)
>
> pf protects only localhost with multiple IPs and jails. There is
> only 1 outside interface.
>
> When i use "keep state" everything works normally. If using synproxy
> a few people having problems accessing pop3 and http on my server.
> Requests are incomplete or corrupt (for example get requests in
> httpd-access.log). But it seems that this problem occurs only for
> a few people.
>
> Is there any way to "count" or monitor the activity of synproxy to
> see how much clients are blocked?
> Any ideas why synproxy does not work at this "few peoples"?

Not really, but tcpdump can help. Add log-all to the synproxy and try to
watch the connection in tcpdump on pflog0 with something like:

  $tcpdump -n -e -ttt -i pflog0 rulenum and host "testip"

You might also want to raise the debugging level with "$pfctl -x misc" and
watch the console for BAD state messages.

Keep us posted, thanks.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 21:58:38 2005
Date: Wed, 9 Feb 2005 22:58:32 +0100
From: Andy Hilker
To: freebsd-pf@freebsd.org
Message-ID: <20050209215832.GA22874@mail.crypta.net>
In-Reply-To: <200502091945.01577.max@love2party.net>
Organization: cryptobank - Andy Hilker
Subject: Re: problems with synproxy on 5.3-stable

You (Max Laier) wrote:
> Not really, but tcpdump can help. Add log-all to the synproxy and try to
> watch the connection in tcpdump on pflog0 with something like:
> $tcpdump -n -e -ttt -i pflog0 rulenum and host "testip"
>
> You might also want to raise the debugging level with "$pfctl -x misc" and
> watch the console for BAD state messages.

Ok, i modified my ruleset like this:

  [...]
  set loginterface $if_ext
  [...]
  pass in log quick on $if_ext proto tcp from any to port = 80 flags S/SA synproxy state

Then typed "pfctl -x loud" and "tcpdump -n -e -ttt -i pflog0".
Output looks like without "pfctl -x loud". Where do i see debug output?

> Keep us posted, thanks.

Yes, sure.
But before I call the person who has problems and let him try again,
I have to be sure, to debug the right way.

bye,
Andy

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 22:11:24 2005
From: Max Laier
To: Andy Hilker
Date: Wed, 9 Feb 2005 23:11:41 +0100
In-Reply-To: <20050209215832.GA22874@mail.crypta.net>
Message-Id: <200502092311.47713.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: Re: problems with synproxy on 5.3-stable

On Wednesday 09 February 2005 22:58, Andy Hilker wrote:
> You (Max Laier) wrote:
> > Not really, but tcpdump can help. Add log-all to the synproxy and try to
> > watch the connection in tcpdump on pflog0 with something like:
> > $tcpdump -n -e -ttt -i pflog0 rulenum and host "testip"
> >
> > You might also want to raise the debugging level with "$pfctl -x misc"
> > and watch the console for BAD state messages.
>
> Ok, i modified my ruleset like this:
>
> [...]
> set loginterface $if_ext

That does not matter here. It only affects $pfctl -si

> [...]
> pass in log quick on $if_ext proto tcp from any to
          ^^^
Change this to "log-all" in order to get the full transaction log on pflog.
If you happen to know a "known bad"-peer you can also split the rule as:

  pass in log-all quick on $if_ext proto tcp from $bad_peer to \
      port = 80 flags S/SA synproxy state
  pass in quick on $if_ext proto tcp from any to \
      port = 80 flags S/SA synproxy state

> port = 80 flags S/SA synproxy state
>
> Then typed "pfctl -x loud" and "tcpdump -n -e -ttt -i pflog0".
> Output looks like without "pfctl -x loud". Where do i see debug output?

$dmesg -a should turn it up. It's written to the console.

> > Keep us posted, thanks.
>
> Yes, sure.
> But before I call the person who has problems and let him try again,
> I have to be sure, to debug the right way.

Be sure to have pflogd(8) or tcpdump logging the traffic on pflog0 while the
connection attempt.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 11 00:30:11 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Fri, 11 Feb 2005 01:30:00 +0100
In-Reply-To: <20050209054426.GE20131@ns2.wananchi.com>
Message-Id: <200502110130.07341.max@love2party.net>
Subject: Re: IPFilter TO PF

On Wednesday 09 February 2005 06:44, Odhiambo Washington wrote:
> Hello users,
>
> I am a newbie to PF, but I have been using IPFilter for some
> time. Please bear with my first silly question.
>
> For reasons that I would like to enter the era of bandwidth control,
> and this is not available in IPFilter. I have a few boxes running
> almost with similar rules and was wondering if there could be a tool
> to convert ipf/ipnat rules into PF format/syntax or I just have to
> sit down and start the conversion manually.
>
> Thanks for any insights.

I am not aware of a tool like this. I also encourage to do manual conversion
or (better even) start from scratch. The OpenBSD PF-FAQ is a good tutorial
to start from. It makes a better ruleset if you write it with the PF
"philosophy" in mind. I understand however, that it might be interesting to
take over long lists of individual block/pass rules. This type of rule,
however, is a prime example of how PF differs from the 3.x IPFilter since PF
comes with tables you might want to rewrite your rules there. It is hard to
do such things in an automated tool.

Please let us know if you find something helpful on the net - I didn't yet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Feb 11 09:16:48 2005
(213.197.161.67) by top.topocentras.lt with SMTP; 11 Feb 2005 08:51:58 -0000 Message-ID: <420C780D.2050007@topocentras.lt> Date: Fri, 11 Feb 2005 11:17:01 +0200 From: Albertas Guscius User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4209E50E.2010603@topocentras.lt> <200502091355.36805.max@love2party.net> In-Reply-To: <200502091355.36805.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: squid with pf problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Feb 2005 09:16:48 -0000 Thanks Max Laier for advice, it was enouth to update src/sys/contrib/pf to RELENG_5. Have a nice day, Albertas Max Laier wrote: >On Wednesday 09 February 2005 11:25, Albertas Guscius wrote: > > >>Hello, >>I have problem running squid and packet filter. >>After certain moment it hangs machine. I tried three different types of >>hardware, so I think it is problem with software. >>Squid is compiled with pf support. >>Rule in pf: rdr on $int_if proto tcp from any to any port http -> >>127.0.0.1 port 3128 >>I'm using xl() NIC's. >>FreeBSD xxx 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #3: Wed Feb 9 10: >>31:09 EET 2005 xxx@xxx:/usr/obj/usr/src/sys/GENERIC i386 >> >>It looks that I tried everything, that I found on internet. 
>> >>"options NET_WITH_GIANT" >> >>debug.mpsafenet=0 >>net.inet.tcp.sack.enable=0 >> >>But still getting the same result: >> >>fault virtual address = 0x18 >>fault code = supervisor read, page not present >>instruction pointer = 0x8:0xffffffff803a14b3 >>stack pointer = 0x10:0xffffffffb1bd9800 >>frame pointer = 0x10:0x0 >>code segment = base 0x0, limit 0xfffff, type 0x1b >> = DPL 0, pres 1, long 1, def32 0, gran 1 >>processor eflags = interrupt enabled, resume, IOPL = 0 >>current process = 44 (swi1: net) >>trap number = 12 >> >> >>I think that problem is with pf, because even then squid is not running, >>machine hangs once a day. With squid it hangs much faster (in few minutes). >> >> > >This report is not very helpful (not helpful at all). Please obtain at least >a backtrace: >http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/advanced.html#KERNEL-PANIC-TROUBLESHOOTING >http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/kerneldebug.html >(build in KDB and DDB and issue a "trace" when the panic shows up) > >With what you have posted so far it's impossible to find the culprit. >Nontheless, you might want to try to update src/sys/contrib/pf to RELENG_5 >(not RELENG_5_3 what you seem to have) to see if that improves the situation. > > > From owner-freebsd-pf@FreeBSD.ORG Fri Feb 11 15:28:22 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BD2116A4CE for ; Fri, 11 Feb 2005 15:28:22 +0000 (GMT) Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155]) by mx1.FreeBSD.org (Postfix) with SMTP id 97A4543D46 for ; Fri, 11 Feb 2005 15:28:21 +0000 (GMT) (envelope-from mdg@secureworks.net) Received: (qmail 60839 invoked from network); 11 Feb 2005 15:28:20 -0000 Received: from unknown (HELO ?192.168.8.243?) 
(209.101.212.253) by mail.secureworks.net with SMTP; 11 Feb 2005 15:28:20 -0000 Message-ID: <420CCF14.1040004@secureworks.net> Date: Fri, 11 Feb 2005 10:28:20 -0500 From: Matthew George User-Agent: Mozilla Thunderbird 0.9 (X11/20041117) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <200502110130.07341.max@love2party.net> In-Reply-To: <200502110130.07341.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: IPFilter TO PF X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Feb 2005 15:28:22 -0000 Max Laier wrote: > > Please let us know if you find something helpful on the net - I didn't > yet. > I manage a good number of firewalls, and although I appreciate the write it from scratch philosophy, other demands on my time don't always allow me to wrap my head around the big picture. I have found the fwbuilder port invaluable in managing my systems. You can't really import from an existing ruleset, but once you have all your objects and policies defined, doing just about anything is really easy. I recently migrated several systems from 4.10 w/ ipfilter to 5.3 w/ pf. In order to get the new rulesets, I selected the target firewall object in fwbuilder, clicked the ipfilter dropdown, changed it to pf, and hit compile. Worked like a charm ... All of the ruleset compilers are separated from the interface such that it makes it really easy to do what you want with them. 
-- Matthew George SecureWorks Technical Operations From owner-freebsd-pf@FreeBSD.ORG Sat Feb 12 04:29:49 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B9C516A4CE for ; Sat, 12 Feb 2005 04:29:49 +0000 (GMT) Received: from mgr2.xmission.com (mgr2.xmission.com [198.60.22.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10B0F43D1F for ; Sat, 12 Feb 2005 04:29:49 +0000 (GMT) (envelope-from acc@anthonychavez.org) Received: from [198.60.22.206] (helo=mgr6.xmission.com) by mgr2.xmission.com with esmtp (Exim 4.34) id 1Czoui-00051e-Si for freebsd-pf@freebsd.org; Fri, 11 Feb 2005 21:29:48 -0700 Received: from [166.70.126.66] (helo=mail.anthonychavez.org) by mgr6.xmission.com with esmtp (Exim 4.34) id 1Czoui-0005w4-JY for freebsd-pf@freebsd.org; Fri, 11 Feb 2005 21:29:48 -0700 Received: from localhost (localhost [127.0.0.1]) by mail.anthonychavez.org (Postfix) with ESMTP id B5EF4A6 for ; Fri, 11 Feb 2005 21:29:47 -0700 (MST) Received: from mail.anthonychavez.org ([127.0.0.1]) by localhost (mail.anthonychavez.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 83688-03 for ; Fri, 11 Feb 2005 21:29:38 -0700 (MST) Received: from pegasos.local (pegasos.anthonychavez.org [192.168.133.6]) by mail.anthonychavez.org (Postfix) with ESMTP id 6751D3E for ; Fri, 11 Feb 2005 21:29:38 -0700 (MST) To: freebsd-pf@freebsd.org X-PGP-Key: http://anthonychavez.org/pubkey.asc From: Anthony Chavez Date: Fri, 11 Feb 2005 21:29:32 -0700 Message-ID: User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3.50 (darwin) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Virus-Scanned: amavisd-new at anthonychavez.org Received-SPF: none (mgr6.xmission.com: 166.70.126.66 is neither permitted nor denied by domain of anthonychavez.org) client-ip=166.70.126.66; envelope-from=acc@anthonychavez.org; helo=mail.anthonychavez.org; X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) 
on mgr6.xmission.com X-Spam-Level: X-Spam-Status: No, score=-0.9 required=8.0 tests=BAYES_00,FVGT_m_MULTI_ODD, XMLngstWrd_00,XMLngstWrd_01 autolearn=disabled version=3.0.2 X-SA-Exim-Connect-IP: 166.70.126.66 X-SA-Exim-Mail-From: acc@anthonychavez.org X-SA-Exim-Version: 4.2 (built Tue, 25 Jan 2005 19:36:50 +0100) X-SA-Exim-Scanned: Yes (on mgr6.xmission.com) Subject: pf + kldload X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Feb 2005 04:29:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, all. When enabling pf on a 5.3-RELENG-p2 box, I simply attempted to load the kernel module using kldload and loaded a default-deny ruleset using pfctl. kldstat shows that the module has in fact loaded. However, pfctl shows that no packet evaulations are being performed and thus, no packets are being dropped. This particular machine has a significant amount of uptime, so I'd like to avoid rebooting it if possible, but is that the only course of action that I can take at this point? If not, what am I missing? Thanks! 
- -- Anthony Chavez http://anthonychavez.org/ mailto:acc@anthonychavez.org jabber:acc@jabber.anthonychavez.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iD8DBQFCDYYvbZTbIaRBRXERArpDAJ9vhClecI220UFzsF21qfk63aZcjwCfXKU3 6SQ/V6PRUpCahXNliMywkF0= =4BSk -----END PGP SIGNATURE----- From owner-freebsd-pf@FreeBSD.ORG Sat Feb 12 05:23:12 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CA4F16A4CE for ; Sat, 12 Feb 2005 05:23:12 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE6FD43D58 for ; Sat, 12 Feb 2005 05:23:11 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 58so1584502wri for ; Fri, 11 Feb 2005 21:23:11 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=mkvuNu7+SXTC+oSn+Zxb9PGlxM6epMaoYrQoSbsFuZM9862CLC4uNYEee+qNbdinAbbcF45UonP5o3ALNIz/e8Yi2pZHHHJVMu89pnMDxqkDP2x3g2KlqERFcZ1B8N0Xr55VmFUM4JLY83UvTdpG6B44htgcg9amGcXu2gxZkmE= Received: by 10.54.54.53 with SMTP id c53mr235787wra; Fri, 11 Feb 2005 21:23:11 -0800 (PST) Received: by 10.54.39.34 with HTTP; Fri, 11 Feb 2005 21:23:11 -0800 (PST) Message-ID: <8eea040805021121233c040991@mail.gmail.com> Date: Fri, 11 Feb 2005 21:23:11 -0800 From: Jon Simola To: Anthony Chavez In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: cc: freebsd-pf@freebsd.org Subject: Re: pf + kldload X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 
12 Feb 2005 05:23:12 -0000 On Fri, 11 Feb 2005 21:29:32 -0700, Anthony Chavez wrote: > However, pfctl shows that no packet evaulations are being performed and > thus, no packets are being dropped. On a wild guess (because I had two techs brain-o this one for 6 hours) have you done "pfctl -e" to turn on pf? ipfw twiddles the sysctls when it's loaded and starts filtering immediately, but pf requires manually turning it on. You can load rulesets and test them for valid syntax without running pf (part feature, part skill-testing question). -- Jon Simola
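An added example (not from this thread or from pf itself) of the check Jon describes: a POSIX sh helper that reads the output of "pfctl -s info" and "pfctl -vs rules" and distinguishes "module loaded but pf disabled" from "enabled but no rule evaluated yet". The function names and the sample pfctl outputs are mine and are constructed for this example.

```shell
#!/bin/sh
# Added example: decide whether pf is really filtering, not just loaded.
# Function names are hypothetical; sample outputs below are constructed.

# Print "enabled" or "disabled" from the "Status:" line of "pfctl -s info".
pf_status() {
    printf '%s\n' "$1" | awk '$1 == "Status:" { print tolower($2); exit }'
}

# Sum the per-rule "Evaluations:" counters printed by "pfctl -vs rules".
pf_rule_evaluations() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "Evaluations:") total += $(i + 1) }
        END { print total + 0 }'
}

# $1 = "pfctl -s info" text, $2 = "pfctl -vs rules" text.
# Returns 1 for the kldload symptom from the thread (loaded, rules parsed,
# but pf never enabled), 2 for enabled-but-idle, 0 for actively filtering.
pf_diagnose() {
    status=$(pf_status "$1")
    evals=$(pf_rule_evaluations "$2")
    if [ "$status" != enabled ]; then
        echo "pf is $status: the ruleset loaded, but nothing is filtered until 'pfctl -e'"
        return 1
    elif [ "$evals" -eq 0 ]; then
        echo "pf is enabled but no rule has been evaluated yet"
        return 2
    fi
    echo "pf is enabled and has evaluated rules $evals times"
    return 0
}

# Constructed samples in the layout pfctl prints (not real captures).
INFO_OFF='Status: Disabled for 0 days 00:10:00           Debug: Urgent

State Table                          Total             Rate
  current entries                        0'
INFO_ON='Status: Enabled for 0 days 00:10:00            Debug: Urgent'
RULES_IDLE='block drop all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'
RULES_BUSY='block drop all
  [ Evaluations: 1532      Packets: 1532      Bytes: 98048       States: 0     ]
pass out all flags S/SA keep state
  [ Evaluations: 1200      Packets: 1200      Bytes: 84000       States: 3     ]'

pf_diagnose "$INFO_OFF" "$RULES_IDLE" || echo "(exit status $?)"   # the thread's case
pf_diagnose "$INFO_ON"  "$RULES_BUSY" || echo "(exit status $?)"
```

On a live box, feed it "$(pfctl -s info)" and "$(pfctl -vs rules)"; a zero evaluation count with Status: Enabled usually means the rules apply to an interface that sees no traffic.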