From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 11:03:46 2005
Date: Mon, 28 Feb 2005 11:03:45 GMT
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
p [2005/02/17]  kern/77645  pf    pfctl panices the system when interface r

1 problem total.
Non-critical problems

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 14:45:22 2005
Date: Mon, 28 Feb 2005 09:45:21 -0500
From: Edwin Brown
To: freebsd-pf@freebsd.org
Subject: Re: Please test: MPSAFE callouts

I ran some tests of these patches on a hyperthreaded box with SMP and PREEMPTION
enabled. The test setup looked like this:

 --------------                     -----------------                     -------------
 -   Server   - --bge0/100Mb-fdx-- -      pf       - --fxp0/100mb-fdx-- -  client1  -
 --------------                     -----------------          |          -------------
                                                               |          -------------
                                                               |--------- -  client2  -
                                                                          -------------

Server  (FreeBSD 5.4pre)
Client1 (FreeBSD 5.4pre)
Client2 (Windows XP, SP2)

I ran concurrent ftp (passive and active) and http tests. Also, a few tests
from netperf, both tcp and udp. I'm happy to report that nothing happened :).
Please take that for whatever it's worth.

Best regards,
Edwin

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 21:27:25 2005
Date: Mon, 28 Feb 2005 15:31:08 -0600
From: Matthew Grooms
Organization: Seton Healthcare Network
To: freebsd-pf@freebsd.org
Subject: pf + pfsync + carp testing ...

All,

I am trying to run some tests on CARP under 5.x and plan to use the patch
set recently announced by max to do so ...

http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

To test the patch I first set up two boxes, cvsup'd to the latest 5.x
sources, make build/install/world/kernel and configured a simple pf
environment. However, when I get to the point where I configure my pfsync
interfaces to sync state, I am getting ...

>ifconfig pfsync0 up syncif em5
syncif: bad value

Should this be the case or did I miss something? Thanks.
Matthew Grooms

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 21:32:21 2005
Date: Mon, 28 Feb 2005 22:32:08 +0100
From: Max Laier
To: Gleb Smirnoff
Cc: Matthew Grooms, freebsd-pf@freebsd.org
Subject: Fwd: pf + pfsync + carp testing ...

Matthew,

I am forwarding your mail to Glebius. The error message indicates that your
ifconfig is not up-to-date or that something went wrong with the patch in
sbin/ifconfig. Check for rejected hunks in there.

----------  Forwarded Message  ----------

Subject: pf + pfsync + carp testing ...
Date: Monday 28 February 2005 22:31
From: Matthew Grooms
To: freebsd-pf@freebsd.org
Cc: max@love2party.net

All,

I am trying to run some tests on CARP under 5.x and plan to use the patch
set recently announced by max to do so ...

http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

To test the patch I first set up two boxes, cvsup'd to the latest 5.x
sources, make build/install/world/kernel and configured a simple pf
environment. However, when I get to the point where I configure my pfsync
interfaces to sync state, I am getting ...

>ifconfig pfsync0 up syncif em5
syncif: bad value

Should this be the case or did I miss something? Thanks.

Matthew Grooms

-------------------------------------------------------

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 21:50:52 2005
Date: Mon, 28 Feb 2005 15:54:36 -0600
From: Matthew Grooms
Organization: Seton Healthcare Network
To: Max Laier
Cc: Gleb Smirnoff, freebsd-pf@freebsd.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

Max & Gleb,

The tag I used for cvsup is RELENG_5 in my cvsup file. I did not notice any
output that denoted a merge conflict at the time. When I view the
sbin/ifconfig directory the only files I see are ...

Makefile
ifconfig.8
ifconfig.c
ifconfig.h
ifieee80211.c
ifmac.c
ifmedia.c
ifvlan.c

If there was a 'hunk in there' from a merge conflict, would it be expressed
as one of these file names or would it be stored somewhere else? I apologize
for my unfamiliarity with cvs as I use subversion myself. Svn creates . file
names when it hits a conflict. I assume cvs does something similar.

Is the ifconfig change part of the patch located at ...

http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

... as I have not applied it yet. I assumed the pfsync ifconfig changes
were already in the RELENG_5 branch. Did I make a poor assumption?

Matthew Grooms
Network Engineer
Seton Healthcare Network
mgrooms@seton.org
(512) 324 9913

Max Laier wrote:
> Matthew,
>
> I am forwarding your mail to Glebius. The error message indicates that your
> ifconfig is not up-to-date or that something went wrong with the patch in
> sbin/ifconfig. Check for rejected hunks in there.
>
> ----------  Forwarded Message  ----------
>
> Subject: pf + pfsync + carp testing ...
> Date: Monday 28 February 2005 22:31
> From: Matthew Grooms
> To: freebsd-pf@freebsd.org
> Cc: max@love2party.net
>
> All,
>
> I am trying to run some tests on CARP under 5.x and plan to use
> the patch set recently announced by max to do so ...
>
> http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch
>
> To test the patch I first set up two boxes, cvsup'd to the latest 5.x
> sources, make build/install/world/kernel and configured a simple pf
> environment. However, when I get to the point where I configure my
> pfsync interfaces to sync state, I am getting ...
>
> >ifconfig pfsync0 up syncif em5
>
> syncif: bad value
>
> Should this be the case or did I miss something? Thanks.
>
> Matthew Grooms
>
> -------------------------------------------------------
>

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 28 22:26:44 2005
Date: Mon, 28 Feb 2005 23:26:30 +0100
From: Max Laier
To: Matthew Grooms
Cc: Gleb Smirnoff, freebsd-pf@freebsd.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

On Monday 28 February 2005 22:54, Matthew Grooms wrote:
<...>
> Is the ifconfig change part of the patch located at ...
>
> http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch
>
> ... as I have not applied it yet. I assumed the pfsync ifconfig changes
> were already in the RELENG_5 branch. Did I make a poor assumption?

Okay, looks like this is confusing. You are not to blame for this, Matthew!

Here is a walkthrough for testing this:
0) Patch is located in your home directory. You should know what to fill in
   for (anoncvs@... or /some/path).
1) Checkout a *clean* RELENG_5
   $ cd /usr && rm -rf src && cvs -d co -rRELENG_5 src
2) Apply the patch:
   $ cd /usr/src && patch -p0 < ~/carp-RELENG_5-patch
   Note the -p0 to get new files.
3) Look for rejects:
   $ find . -name \*.rej
4) Normal {build, install}{world, kernel} dance.

Hope this helps.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 08:07:27 2005
Date: Tue, 1 Mar 2005 11:07:21 +0300
From: Gleb Smirnoff
To: Matthew Grooms
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

On Mon, Feb 28, 2005 at 03:54:36PM -0600, Matthew Grooms wrote:
M> ... as I have not applied it yet. I assumed the pfsync ifconfig changes
M> were already in the RELENG_5 branch. Did I make a poor assumption?

No, they are not yet.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 18:08:24 2005
Date: Tue, 01 Mar 2005 12:12:08 -0600
From: Matthew Grooms
Organization: Seton Healthcare Network
To: Max Laier
Cc: Gleb Smirnoff, freebsd-pf@freebsd.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

Thanks Max and Gleb. You have been a great help. The patch applied cleanly
and compiled fine. After configuring a few carp interfaces, they seem to fail
over well. I am curious though, is CARP designed to have interfaces fail over
individually or as a group? For example ...

box1 & box2

em0 -> carp0 -> External
em1 -> carp1 -> Internal
em2 -> carp2 -> DMZ

If box1 is master for all interfaces and then its em2 goes down, only carp2
on box2 becomes master and assumes the service address? Box1 is still master
for carp0 and carp1. Doesn't this cause problems when traffic passes in
carp0 ( still master on box1 ) and needs to be forwarded out carp2?

Also, when I configure a carp interface on the command line I do something
like ...

ifconfig carp0 create 192.168.253.1 \
    netmask 255.255.255.0 vhid 1 advskew 1

but when I place the equivalent line in rc.conf as ...

ifconfig_carp0="create 192.168.253.1 \
    netmask 255.255.255.0 vhid 1 advskew 1"

and reboot the box, it does not seem to take. Any suggestions?

Matthew Grooms
Network Engineer
Seton Healthcare Network
mgrooms@seton.org
(512) 324 9913

Max Laier wrote:
> On Monday 28 February 2005 22:54, Matthew Grooms wrote:
> <...>
>
>>Is the ifconfig change part of the patch located at ...
>>
>>http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch
>>
>>... as I have not applied it yet. I assumed the pfsync ifconfig changes
>>were already in the RELENG_5 branch. Did I make a poor assumption?
>
>
> Okay, looks like this is confusing. You are not to blame for this, Matthew!
>
> Here is a walkthrough for testing this:
> 0) Patch is located in your home directory. You should know what to fill in
>    for (anoncvs@... or /some/path).
> 1) Checkout a *clean* RELENG_5
>    $ cd /usr && rm -rf src && cvs -d co -rRELENG_5 src
> 2) Apply the patch:
>    $ cd /usr/src && patch -p0 < ~/carp-RELENG_5-patch
>    Note the -p0 to get new files.
> 3) Look for rejects:
>    $ find . -name \*.rej
> 4) Normal {build, install}{world, kernel} dance.
>
> Hope this helps.
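The scenario in the message above (box1 master for carp0, carp1 and carp2 on em0, em1 and em2, then em2 going down), modelled as an added example that is not code from the thread: per carp(4) the lowest advskew wins each vhid, and with net.inet.carp.preempt set (the sysctl Gleb points to further down) a box that loses the link on one carp-enabled interface changes advskew to 240 on all its carp interfaces, so the group fails over together. Assumptions: box2 runs advskew 100 (the thread only shows box1's advskew 1) and advskews are distinct, so no tie-breaking is modelled.

```python
"""Per-vhid CARP master election on two boxes, with and without preempt.

Added example modelling the question above (box1/box2 with carp0..carp2 on
em0..em2); it is not code from the thread. Election per carp(4): for each
vhid the host advertising the lowest advskew is master. With
net.inet.carp.preempt set, carp(4) says a box whose carp-enabled physical
interface goes down changes advskew to 240 on all its carp interfaces, which
is what makes the vhids fail over as a group. Assumptions: box2 uses
advskew 100 (the thread only shows advskew 1 on box1) and advskews are
distinct, so ties never need breaking.
"""
from dataclasses import dataclass, field

DEMOTED_ADVSKEW = 240  # value carp(4) documents for preempt-triggered demotion


@dataclass
class CarpIf:
    vhid: int
    parent: str   # physical interface carrying the advertisements, e.g. "em2"
    advskew: int  # configured advskew; lower wins the election


@dataclass
class Box:
    name: str
    carps: list
    link_down: set = field(default_factory=set)  # parents whose link failed

    def advertised_skew(self, c, preempt):
        """advskew this box puts on the wire for c, or None if it cannot send."""
        if c.parent in self.link_down:
            return None  # no link, so no advertisements for this vhid at all
        if preempt and self.link_down:
            return DEMOTED_ADVSKEW  # preempt: any failed link demotes every vhid
        return c.advskew


def elect(boxes, preempt):
    """Return {vhid: name of the box that becomes master} for every vhid."""
    masters = {}
    for vhid in sorted({c.vhid for b in boxes for c in b.carps}):
        bids = []
        for box in boxes:
            for c in box.carps:
                if c.vhid != vhid:
                    continue
                skew = box.advertised_skew(c, preempt)
                if skew is not None:
                    bids.append((skew, box.name))
        masters[vhid] = min(bids)[1] if bids else None  # lowest advskew wins
    return masters


def build_scenario():
    """box1 and box2 as described in the thread: External, Internal, DMZ."""
    plan = [(1, "em0"), (2, "em1"), (3, "em2")]  # carp0, carp1, carp2
    box1 = Box("box1", [CarpIf(v, p, advskew=1) for v, p in plan])
    box2 = Box("box2", [CarpIf(v, p, advskew=100) for v, p in plan])  # assumed
    return box1, box2


def failover_after_link_down(preempt, failed_parent="em2"):
    """Masters after box1 loses the link on failed_parent (em2 = DMZ)."""
    box1, box2 = build_scenario()
    box1.link_down.add(failed_parent)
    return elect([box1, box2], preempt)


def is_split(masters):
    """True when more than one box holds a master role, i.e. traffic entering
    on one box's carp interface may have to leave via the other box."""
    return len(set(masters.values())) > 1


if __name__ == "__main__":
    for preempt in (False, True):
        print(f"preempt={int(preempt)}: {failover_after_link_down(preempt)}")
```

Without preempt only vhid 3 moves to box2 and the roles are split across the two boxes; with preempt all three vhids move together.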
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 18:24:32 2005
Date: Tue, 1 Mar 2005 10:24:29 -0800
From: Jon Simola
To: Matthew Grooms
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

On Tue, 01 Mar 2005 12:12:08 -0600, Matthew Grooms wrote:
> Thanks Max and Gleb. You have been a great help. The patch applied
> cleanly and compiled fine. After configuring a few carp interfaces, they
> seem to fail over well. I am curious though, is CARP designed to have
> interfaces fail over individually or as a group?

Just individually. There is a port for ifstated from OpenBSD that monitors
multiple interfaces and will fail a CARP group if one of them fails.

http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2004-November/045852.html

Although it may have made it into the ports tree by now.

> Also, when I configure a carp interface on the command line I do
> something like ...
>
> ifconfig carp0 create 192.168.253.1 \
>     netmask 255.255.255.0 vhid 1 advskew 1
>
> but when I place the equivalent line in rc.conf as ...
>
> ifconfig_carp0="create 192.168.253.1 \
>     netmask 255.255.255.0 vhid 1 advskew 1"
>
> and reboot the box, it does not seem to take. Any suggestions?

add to rc.conf:

cloned_interfaces="carp0,carp1"

That will create the interfaces, then you can use the normal

ifconfig_carp0="inet 192.168.1.4 ..."
--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 18:54:35 2005
Date: Tue, 1 Mar 2005 21:54:31 +0300
From: Gleb Smirnoff
To: Matthew Grooms
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Fwd: pf + pfsync + carp testing ...

On Tue, Mar 01, 2005 at 12:12:08PM -0600, Matthew Grooms wrote:
M> Thanks Max and Gleb. You have been a great help. The patch applied
M> cleanly and compiled fine. After configuring a few carp interfaces, they
M> seem to fail over well. I am curious though, is CARP designed to have
M> interfaces fail over individually or as a group?

To make the backup router preempt the master when at least one interface
fails, you need to set the sysctl net.inet.carp.preempt to one. This is also
described in carp(4).

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 23:14:19 2005
Date: Tue, 01 Mar 2005 18:14:19 -0500
From: Gerard Samuel
To: freebsd-pf@freebsd.org
Subject: What's wrong with this ruleset?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Mar 2005 23:14:19 -0000
For some reason, port 53 is blocked going out of the external interface ->
000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > xx.xx.xx.xxx.4973
I'm still new to pf, but shouldn't the last two lines allow anything going out to pass?? Any ideas on how to fix? Thanks for your time
----
# macros
int_if = "fxp0"
ext_if = "ed0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
hivemind = "192.168.0.2"
www = "10.0.0.1"
isp_dhcp = "xx.xx.xx.xx"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 22 -> $hivemind
rdr on $ext_if proto tcp from any to any port 25 -> $hivemind
rdr on $ext_if proto tcp from any to any port 80 -> $www
rdr on $ext_if proto tcp from any to any port 110 -> $hivemind

# filter rules
block log all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if proto {udp} from $isp_dhcp to any port 68
pass in on $ext_if proto {tcp} from any to any port 22
pass in on $ext_if proto {tcp, udp} from any to any port 53
pass in on $ext_if proto {tcp} from any to any port 25
pass in on $ext_if proto {tcp} from any to any port 110
pass in on $ext_if proto tcp from any to $www port 80 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 1 23:44:16 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C65216A4CE for ; Tue, 1 Mar 2005 23:44:16 +0000 (GMT) Received: from helium.webpack.hosteurope.de (helium.webpack.hosteurope.de [217.115.142.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD94B43D2D for ; Tue, 1 Mar 2005 23:44:15 +0000 (GMT) (envelope-from me@hexren.net) Received: by helium.webpack.hosteurope.de running Exim 4.34 using asmtp helo=hexren.steenbuck.net) id 1D6H2E-0005Ye-1W; Wed, 02 Mar 2005 00:44:14 +0100 Date: Wed, 2 Mar 2005 00:44:13 +0100 From: Hexren X-Mailer: The Bat! (v1.62i) Business X-Priority: 3 (Normal) Message-ID: <143533196.20050302004413@hexren.net> To: freebsd-pf@freebsd.org In-Reply-To: <4224F74B.1030502@trini0.org> References: <4224F74B.1030502@trini0.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: Whats wrong with this ruleset? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Mar 2005 23:44:16 -0000
GS> For some reason, port 53 is blocked going out of the external interface ->
GS> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
GS> xx.xx.xx.xxx.4973
GS> I'm still new to pf, but shouldn't the last two lines allow anything
GS> going out
GS> to pass??
GS> Any ideas on how to fix?
GS> Thanks for your time GS> ---- GS> # macros GS> int_if = "fxp0" GS> ext_if = "ed0" GS> tcp_services = "{ 22, 113 }" GS> icmp_types = "echoreq" GS> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" GS> hivemind = "192.168.0.2" GS> www = "10.0.0.1" GS> isp_dhcp = "xx.xx.xx.xx" GS> # options GS> set block-policy return GS> set loginterface $ext_if GS> # scrub GS> scrub in all GS> # nat/rdr GS> nat on $ext_if from $int_if:network to any -> ($ext_if) GS> rdr on $ext_if proto tcp from any to any port 22 -> $hivemind GS> rdr on $ext_if proto tcp from any to any port 25 -> $hivemind GS> rdr on $ext_if proto tcp from any to any port 80 -> $www GS> rdr on $ext_if proto tcp from any to any port 110 -> $hivemind GS> # filter rules GS> block log all GS> pass quick on lo0 all GS> block drop in quick on $ext_if from $priv_nets to any GS> block drop out quick on $ext_if from any to $priv_nets GS> pass in on $ext_if inet proto tcp from any to ($ext_if) port GS> $tcp_services flags S/SA keep state GS> pass in on $ext_if proto {udp} from $isp_dhcp to any port 68 GS> pass in on $ext_if proto {tcp} from any to any port 22 GS> pass in on $ext_if proto {tcp, udp} from any to any port 53 GS> pass in on $ext_if proto {tcp} from any to any port 25 GS> pass in on $ext_if proto {tcp} from any to any port 110 GS> pass in on $ext_if proto tcp from any to $www port 80 flags S/SA GS> synproxy state GS> pass in inet proto icmp all icmp-type $icmp_types keep state GS> pass in on $int_if from $int_if:network to any keep state GS> pass out on $int_if from any to $int_if:network keep state GS> pass out on $ext_if proto tcp all modulate state flags S/SA GS> pass out on $ext_if proto {udp, icmp} all keep state GS> _______________________________________________ GS> freebsd-pf@freebsd.org mailing list GS> http://lists.freebsd.org/mailman/listinfo/freebsd-pf GS> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" --------------------------------------------- I 
am not that genius in pf, but try if it helps if you comment these two rules out. block drop in quick on $ext_if from $priv_nets to any block drop out quick on $ext_if from any to $priv_nets Hexren From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 01:27:09 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F51616A4CE for ; Wed, 2 Mar 2005 01:27:09 +0000 (GMT) Received: from zixvpm01.seton.org (zixvpm01.seton.org [207.193.126.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78EC843D46 for ; Wed, 2 Mar 2005 01:27:08 +0000 (GMT) (envelope-from mgrooms@seton.org) Received: from zixvpm01.seton.org (ZixVPM [127.0.0.1]) by Outbound.seton.org (Proprietary) with ESMTP id AFD11360076 for ; Tue, 1 Mar 2005 19:27:07 -0600 (CST) Received: from smtp-out.seton.org (unknown [10.21.254.249]) by zixvpm01.seton.org (Proprietary) with ESMTP id 6480D330061; Tue, 1 Mar 2005 19:27:07 -0600 (CST) Received: from localhost (unknown [127.0.0.1]) by smtp-out.seton.org (Postfix) with ESMTP id 589728014E24; Tue, 1 Mar 2005 19:27:07 -0600 (CST) Received: from smtp-out.seton.org ([10.21.254.249]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 03233-45; Tue, 1 Mar 2005 19:27:07 -0600 (CST) Received: from ausexfe02.seton.org (ausexfe02.seton.org [10.20.10.185]) by smtp-out.seton.org (Postfix) with ESMTP id 3594D8014E23; Tue, 1 Mar 2005 19:27:07 -0600 (CST) Received: from [10.20.160.190] ([10.20.160.190]) by ausexfe02.seton.org with Microsoft SMTPSVC(6.0.3790.211); Tue, 1 Mar 2005 19:27:06 -0600 Message-ID: <4225174C.801@seton.org> Date: Tue, 01 Mar 2005 19:30:52 -0600 From: Matthew Grooms Organization: Seton Healthcare Network User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Gleb Smirnoff References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> 
<4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> In-Reply-To: <20050301185431.GA81982@cell.sick.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 02 Mar 2005 01:27:06.0984 (UTC) FILETIME=[F271F680:01C51EC6] X-Virus-Scanned: by amavisd-new at seton.org cc: freebsd-pf@FreeBSD.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 01:27:09 -0000
Gleb, Thanks for the response. I have net.inet.carp.preempt=1 set but only one carp interface changes state to master at a time. The second host always retains the master for the other two carp interfaces. I am able to manually fail over the remaining carp interfaces by changing either the carp or parent em[n] interface to down, which quickly brings the other host's corresponding interface from backup to master. After a firewall holds master status for all carp devices, I can start to talk again through the firewall out to the internet or into the DMZ from my test pc.

I have two Dell SMP boxes running dual amd64 compatible intel processors with two on board intel ports ( em0 & em1 ) and a quad port intel pro 1000 MT ( em2, em3, em4 & em5 ). I am using RELENG_5 amd64 SMP builds on both hosts. Here is my config info ...
--- both firewalls ---
em0 -> carp0 -> External
em1 -> carp1 -> Internal
em2 -> carp2 -> DMZ

--- fw1 sysctl.conf ---
net.inet.carp.preempt=1

--- fw1 rc.conf ---
hostname="fw1.seton.org"
cloned_interfaces="carp0 carp1 carp2"
ifconfig_em0="inet 192.168.253.2 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.254.2 netmask 255.255.255.0"
ifconfig_em2="inet 192.168.251.2 netmask 255.255.255.0"
ifconfig_em5="inet 192.168.252.2 netmask 255.255.255.0"
ifconfig_carp0="up vhid 1 advskew 0 pass blah 192.168.253.1 255.255.255.0"
ifconfig_carp1="up vhid 2 advskew 0 pass blah 192.168.254.1 255.255.255.0"
ifconfig_carp2="up vhid 3 advskew 0 pass blah 192.168.251.1 255.255.255.0"
ifconfig_pfsync0="up syncif em5"
defaultrouter="192.168.253.252"
pf_enable="YES"
gateway_enable="YES"
sshd_enable="YES"

--- fw1 pf.conf ---
nat on em0 from ! em0 to any -> carp0
pass from any to any keep state

--- fw2 sysctl.conf ---
net.inet.carp.preempt=1

--- fw2 rc.conf ---
hostname="fw2.seton.org"
cloned_interfaces="carp0 carp1 carp2"
ifconfig_em0="inet 192.168.253.3 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.254.3 netmask 255.255.255.0"
ifconfig_em2="inet 192.168.251.3 netmask 255.255.255.0"
ifconfig_em5="inet 192.168.252.3 netmask 255.255.255.0"
ifconfig_carp0="up vhid 1 advskew 100 pass blah 192.168.253.1 255.255.255.0"
ifconfig_carp1="up vhid 2 advskew 100 pass blah 192.168.254.1 255.255.255.0"
ifconfig_carp2="up vhid 3 advskew 100 pass blah 192.168.251.1 255.255.255.0"
ifconfig_pfsync0="up syncif em5"
defaultrouter="192.168.253.252"
pf_enable="YES"
gateway_enable="YES"
sshd_enable="YES"

--- fw2 pf.conf ---
nat on em0 from ! em0 to any -> carp0
pass from any to any keep state

The other thing I should mention is that I cannot get any of the carp interfaces to change to an up state using ifconfig_carp[n] entries in the rc.conf file no matter what I try. When the box comes up, they always have a flags value of zero and I have to manually set them to up after gaining remote console access.
Here is ifconfig output from both firewalls after a boot using the above configs ...

--- fw1 ifconfig ---
carp0: flags=0<> mtu 1500
        inet 192.168.253.1 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 0
carp1: flags=0<> mtu 1500
        inet 192.168.254.1 netmask 0xffffff00
        carp: INIT vhid 2 advbase 1 advskew 0
carp2: flags=0<> mtu 1500
        inet 192.168.251.1 netmask 0xffffff00
        carp: INIT vhid 3 advbase 1 advskew 0

--- fw2 ifconfig ---
carp0: flags=0<> mtu 1500
        inet 192.168.253.1 netmask 0xffffff00
        carp: INIT vhid 1 advbase 1 advskew 100
carp1: flags=0<> mtu 1500
        inet 192.168.254.1 netmask 0xffffff00
        carp: INIT vhid 2 advbase 1 advskew 100
carp2: flags=0<> mtu 1500
        inet 192.168.251.1 netmask 0xffffff00
        carp: INIT vhid 3 advbase 1 advskew 100

Please let me know what other information I can provide or what else I can do to help test this out.

P.S. - I have had the preempt flag set all along but I thought it did something else entirely due to the way it is described at ... http://www.countersiege.com/doc/pfsync-carp/ Sorry for not being able to read the carp man page earlier to get the updated definition. It actually didn't install for me when I applied the patch and did the buildinstall. Probably something I goofed. After manually copying it over from /usr/src/share/man/man4 to /usr/share/man/man4 I was able to read it.

Thanks again.

Matthew Grooms

Gleb Smirnoff wrote:
> On Tue, Mar 01, 2005 at 12:12:08PM -0600, Matthew Grooms wrote:
> M> Thanks Max and Gleb. You have been a great help. The patch applied
> M> cleanly and compiled fine. After configuring a few carp interfaces, they
> M> seem to fail over well. I am curious though, is CARP designed to have
> M> interfaces fail over individually or as a group?
>
> To make backup router preempt the master, when at least one
> interface fail you need to set sysctl net.inet.carp.preempt to one.
>
> This is also described in carp(4).
> From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 01:31:50 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3769616A4CF for ; Wed, 2 Mar 2005 01:31:50 +0000 (GMT) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB0AE43D3F for ; Wed, 2 Mar 2005 01:31:49 +0000 (GMT) (envelope-from fbsd-pf@trini0.org) Received: from hivemind.trini0.org ([65.34.205.195]) by comcast.net (rwcrmhc11) with ESMTP id <2005030201314701300qp1n6e>; Wed, 2 Mar 2005 01:31:47 +0000 Received: from [192.168.0.16] (gladiator.trini0.org [192.168.0.16]) by hivemind.trini0.org (Postfix) with ESMTP id 361886112; Tue, 1 Mar 2005 20:31:42 -0500 (EST) Message-ID: <4225177F.1060008@trini0.org> Date: Tue, 01 Mar 2005 20:31:43 -0500 From: Gerard Samuel User-Agent: Mozilla Thunderbird 1.0 (X11/20050122) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Hexren References: <4224F74B.1030502@trini0.org> <143533196.20050302004413@hexren.net> In-Reply-To: <143533196.20050302004413@hexren.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: Whats wrong with this ruleset? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 01:31:50 -0000 Hexren wrote: >GS> For some reason, port 53 is blocked going out of the external interface -> >GS> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > >GS> xx.xx.xx.xxx.4973 > >GS> Im still new to pf, but shouldn't the last two lines allow anything >GS> going out >GS> to pass?? >GS> Any ideas on how to fix? 
>GS> Thanks for your time > >GS> ---- >GS> # macros >GS> int_if = "fxp0" >GS> ext_if = "ed0" > >GS> tcp_services = "{ 22, 113 }" >GS> icmp_types = "echoreq" > >GS> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" > >GS> hivemind = "192.168.0.2" >GS> www = "10.0.0.1" > >GS> isp_dhcp = "xx.xx.xx.xx" > >GS> # options >GS> set block-policy return >GS> set loginterface $ext_if > >GS> # scrub >GS> scrub in all > >GS> # nat/rdr >GS> nat on $ext_if from $int_if:network to any -> ($ext_if) > >GS> rdr on $ext_if proto tcp from any to any port 22 -> $hivemind >GS> rdr on $ext_if proto tcp from any to any port 25 -> $hivemind >GS> rdr on $ext_if proto tcp from any to any port 80 -> $www >GS> rdr on $ext_if proto tcp from any to any port 110 -> $hivemind > > >GS> # filter rules >GS> block log all > >GS> pass quick on lo0 all > >GS> block drop in quick on $ext_if from $priv_nets to any >GS> block drop out quick on $ext_if from any to $priv_nets > >GS> pass in on $ext_if inet proto tcp from any to ($ext_if) port >GS> $tcp_services flags S/SA keep state > >GS> pass in on $ext_if proto {udp} from $isp_dhcp to any port 68 > >GS> pass in on $ext_if proto {tcp} from any to any port 22 > >GS> pass in on $ext_if proto {tcp, udp} from any to any port 53 > >GS> pass in on $ext_if proto {tcp} from any to any port 25 >GS> pass in on $ext_if proto {tcp} from any to any port 110 > >GS> pass in on $ext_if proto tcp from any to $www port 80 flags S/SA >GS> synproxy state > >GS> pass in inet proto icmp all icmp-type $icmp_types keep state > >GS> pass in on $int_if from $int_if:network to any keep state >GS> pass out on $int_if from any to $int_if:network keep state > >GS> pass out on $ext_if proto tcp all modulate state flags S/SA >GS> pass out on $ext_if proto {udp, icmp} all keep state >GS> _______________________________________________ >GS> freebsd-pf@freebsd.org mailing list >GS> http://lists.freebsd.org/mailman/listinfo/freebsd-pf >GS> To unsubscribe, send any mail 
to "freebsd-pf-unsubscribe@freebsd.org" > >--------------------------------------------- > >I am not that genius in pf, but try if it helps if you comment these >two rules out. > >block drop in quick on $ext_if from $priv_nets to any >block drop out quick on $ext_if from any to $priv_nets > >Hexren >
That didn't work. I didn't think it would have, as $priv_nets only refers to the internal network.

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 01:48:03 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49E3F16A4CE for ; Wed, 2 Mar 2005 01:48:03 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id C617D43D46 for ; Wed, 2 Mar 2005 01:48:02 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.208] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1D6Iy1-00040v-00; Wed, 02 Mar 2005 02:48:01 +0100 Received: from [217.83.10.140] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1D6Iy1-0005ep-00; Wed, 02 Mar 2005 02:48:02 +0100 From: Max Laier To: freebsd-pf@freebsd.org Date: Wed, 2 Mar 2005 02:47:53 +0100 User-Agent: KMail/1.7.2 References: <4224F74B.1030502@trini0.org> In-Reply-To: <4224F74B.1030502@trini0.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2193814.uip7lUt62x"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200503020248.01088.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 Subject: Re: Whats wrong with this ruleset?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 01:48:03 -0000
On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
> For some reason, port 53 is blocked going out of the external interface ->
> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
> xx.xx.xx.xxx.4973
>
> Im still new to pf, but shouldn't the last two lines allow anything
> going out
> to pass??
> Any ideas on how to fix?
Can you send the output of "$pfctl -vsr" after some packets have been blocked? The match counters are extremely helpful when debugging such problems.
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCJRtRXyyEoT62BG0RAkeOAJ0WM9JX2LVy+EHuQsoO+5GHljBsHACeIB/f m2hDRXFbDCSo8Bla13kL8Us= =Iqnr -----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 02:25:26 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BC6316A4CE for ; Wed, 2 Mar 2005 02:25:26 +0000 (GMT) Received: from sccrmhc11.comcast.net (sccrmhc14.comcast.net [204.127.202.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id E797D43D53 for ; Wed, 2 Mar 2005 02:25:25 +0000 (GMT) (envelope-from fbsd-pf@trini0.org) Received: from hivemind.trini0.org ([65.34.205.195]) by comcast.net (sccrmhc14) with ESMTP id
<2005030202252501400s9m4ke>; Wed, 2 Mar 2005 02:25:25 +0000 Received: from [192.168.0.16] (gladiator.trini0.org [192.168.0.16]) by hivemind.trini0.org (Postfix) with ESMTP id 784DE6112; Tue, 1 Mar 2005 21:25:24 -0500 (EST) Message-ID: <42252415.7030808@trini0.org> Date: Tue, 01 Mar 2005 21:25:25 -0500 From: Gerard Samuel User-Agent: Mozilla Thunderbird 1.0 (X11/20050122) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Max Laier References: <4224F74B.1030502@trini0.org> <200503020248.01088.max@love2party.net> In-Reply-To: <200503020248.01088.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: Whats wrong with this ruleset? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 02:25:26 -0000 Max Laier wrote: >On Wednesday 02 March 2005 00:14, Gerard Samuel wrote: > > >>For some reason, port 53 is blocked going out of the external interface -> >>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > >>xx.xx.xx.xxx.4973 >> >>Im still new to pf, but shouldn't the last two lines allow anything >>going out >>to pass?? >>Any ideas on how to fix? >> >> > >Can you send the output of "$pfctl -vsr" after some packets have been blocked? >The match counters are extremely helpful when debugging such problems. > Just before this email came in, I changed the last 2 rules to -> #pass out on $ext_if proto tcp all modulate state flags S/SA #pass out on $ext_if proto {udp, icmp} all keep state pass out on $ext_if proto {tcp, udp, icmp} all keep state And it started working. I've changed it back, and I'll try what you've suggested in a few hours, when the dns servers start looking for updates... 
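Added example (editor's, not code from the thread and not pf itself): a small Python model of the pf evaluation semantics that decide the outcome in this thread, run over the three rules that matter from the ruleset posted above. It reproduces what the pflog line shows: the inbound `pass in on $ext_if proto {tcp, udp} from any to any port 53` rule has no `keep state`, so the DNS server's TCP reply (source port 53) leaves ed0 as a SYN/ACK, fails the `flags S/SA` test on the `pass out ... modulate state` rule, and falls through to `block log all`. Dropping `flags S/SA` (the workaround in the message above) lets the reply create state mid-stream; adding `flags S/SA keep state` to the inbound rule is the actual fix. The addresses are constructed from RFC 5737 documentation space, the model covers only the pf features named in its docstring, and a plain block-all rule stands in for `block log all`.

```python
"""Toy model of pf's rule evaluation, added to show why the ruleset in this
thread blocks the DNS server's TCP replies. Not pf and not code from the thread.
Modelled semantics: rules are evaluated top to bottom and the LAST matching
rule wins unless it says 'quick'; a packet that matches an existing state
entry passes without consulting the ruleset; 'keep state' (or 'modulate
state') on a pass rule creates that entry; 'flags S/SA' restricts a TCP rule
to packets with SYN set and ACK clear."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str     # "in" or "out"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    syn_only: bool = False           # 'flags S/SA'
    keep_state: bool = False         # 'keep state' / 'modulate state'

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.syn_only and p.proto == "tcp":
            # flags S/SA: of the SYN and ACK bits, only SYN may be set
            if "S" not in p.flags or "A" in p.flags:
                return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.states = set()

    @staticmethod
    def _key(p: Packet):
        # A state entry matches both directions of a flow, so normalise the
        # (src, dst) ordering before looking it up.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return min(fwd, rev)

    def filter(self, p: Packet) -> str:
        """Return 'pass', 'pass:state' or 'block' for one packet."""
        if self._key(p) in self.states:
            return "pass:state"
        winner: Optional[Rule] = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"            # pf's default when no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._key(p))
        return winner.action


# The three rules from the posted ruleset that decide the fate of a DNS reply.
ORIGINAL = [
    Rule("block"),                                                     # block log all
    Rule("pass", "in", "ed0", "tcp", dport=53),                        # no state!
    Rule("pass", "out", "ed0", "tcp", syn_only=True, keep_state=True), # modulate state flags S/SA
]
# The workaround from the thread: 'flags S/SA' dropped from the out rule.
WORKAROUND = [
    Rule("block"),
    Rule("pass", "in", "ed0", "tcp", dport=53),
    Rule("pass", "out", "ed0", "tcp", keep_state=True),
]
# The fix: create state when the inbound SYN to port 53 is accepted.
FIXED = [
    Rule("block"),
    Rule("pass", "in", "ed0", "tcp", dport=53, syn_only=True, keep_state=True),
    Rule("pass", "out", "ed0", "tcp", syn_only=True, keep_state=True),
]


def dns_exchange(rules: List[Rule]) -> Tuple[str, str]:
    """Run a client SYN to port 53 and the server's SYN/ACK reply through the
    ruleset. Addresses are constructed (RFC 5737 documentation space)."""
    fw = Firewall(rules)
    syn = Packet("ed0", "in", "tcp", "198.51.100.7", 4973, "203.0.113.1", 53, "S")
    synack = Packet("ed0", "out", "tcp", "203.0.113.1", 53, "198.51.100.7", 4973, "SA")
    return fw.filter(syn), fw.filter(synack)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("workaround", WORKAROUND), ("fixed", FIXED)):
        syn_result, reply_result = dns_exchange(rules)
        print(f"{name:11s} SYN in: {syn_result:5s}  SYN/ACK out: {reply_result}")
```

The workaround is weaker than the fix: once `flags S/SA` is gone from the out rule, any outbound TCP segment, whatever its flags, can establish a state entry, and port 53 inbound is still accepted statelessly with no SYN check at all. In `pfctl -vsr` output the tell for this class of problem is a pass rule whose Packets counter climbs while States stays at 0. Later pf releases (from OpenBSD 4.1, which FreeBSD 7 imported) make `keep state` and `flags S/SA` the defaults for pass rules, which is why this mistake is harder to make on current systems.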
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 04:16:44 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EA4316A4CE for ; Wed, 2 Mar 2005 04:16:44 +0000 (GMT) Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DA3143D2F for ; Wed, 2 Mar 2005 04:16:43 +0000 (GMT) (envelope-from fbsd-pf@trini0.org) Received: from hivemind.trini0.org ([65.34.205.195]) by comcast.net (sccrmhc12) with ESMTP id <2005030204164001200rtrele>; Wed, 2 Mar 2005 04:16:40 +0000 Received: from [192.168.0.16] (gladiator.trini0.org [192.168.0.16]) by hivemind.trini0.org (Postfix) with ESMTP id 933EC6129; Tue, 1 Mar 2005 23:16:39 -0500 (EST) Message-ID: <42253E27.9080506@trini0.org> Date: Tue, 01 Mar 2005 23:16:39 -0500 From: Gerard Samuel User-Agent: Mozilla Thunderbird 1.0 (X11/20050122) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Max Laier References: <4224F74B.1030502@trini0.org> <200503020248.01088.max@love2party.net> In-Reply-To: <200503020248.01088.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: Whats wrong with this ruleset? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 04:16:44 -0000 Max Laier wrote: >On Wednesday 02 March 2005 00:14, Gerard Samuel wrote: > > >>For some reason, port 53 is blocked going out of the external interface -> >>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > >>xx.xx.xx.xxx.4973 >> >>Im still new to pf, but shouldn't the last two lines allow anything >>going out >>to pass?? >>Any ideas on how to fix? 
>> >> > >Can you send the output of "$pfctl -vsr" after some packets have been blocked? >The match counters are extremely helpful when debugging such problems. >
Ok, here is the output ->

gatekeeper# pfctl -vsr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
  [ Evaluations: 12507 Packets: 6644 Bytes: 0 States: 0 ]
block return log all
  [ Evaluations: 1503 Packets: 260 Bytes: 22541 States: 0 ]
pass quick on lo0 all
  [ Evaluations: 1503 Packets: 128 Bytes: 13700 States: 0 ]
block drop in quick on ed0 inet from 127.0.0.0/8 to any
  [ Evaluations: 1375 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 192.168.0.0/16 to any
  [ Evaluations: 628 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 172.16.0.0/12 to any
  [ Evaluations: 628 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 10.0.0.0/8 to any
  [ Evaluations: 628 Packets: 319 Bytes: 117104 States: 0 ]
block drop out quick on ed0 inet from any to 127.0.0.0/8
  [ Evaluations: 682 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 192.168.0.0/16
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 172.16.0.0/12
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 10.0.0.0/8
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to (ed0) port = ssh flags S/SA keep state
  [ Evaluations: 682 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to (ed0) port = auth flags S/SA keep state
  [ Evaluations: 243 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto udp from xx.xx.xx.xx to any port = bootpc
  [ Evaluations: 309 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 proto tcp from any to any port = ssh
  [ Evaluations: 309 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 proto tcp from any to any port = domain
  [ Evaluations: 259 Packets: 210 Bytes: 10392 States: 0 ]
pass in on ed0 proto udp from any to any port = domain
  [ Evaluations: 260 Packets: 35 Bytes: 2367 States: 0 ]
pass in on ed0 proto tcp from any to any port = smtp
  [ Evaluations: 309 Packets: 294 Bytes: 100871 States: 0 ]
pass in on ed0 proto tcp from any to any port = pop3
  [ Evaluations: 259 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to 10.0.0.1 port = http flags S/SA synproxy state
  [ Evaluations: 259 Packets: 54 Bytes: 25986 States: 0 ]
pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 683 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet from 192.168.0.0/16 to any keep state
  [ Evaluations: 664 Packets: 3099 Bytes: 1026733 States: 33 ]
pass in on fxp0 inet from 10.0.0.0/24 to any keep state
  [ Evaluations: 355 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 inet from any to 192.168.0.0/16 keep state
  [ Evaluations: 747 Packets: 296 Bytes: 100967 States: 0 ]
pass out on fxp0 inet from any to 10.0.0.0/24 keep state
  [ Evaluations: 19 Packets: 126 Bytes: 51074 States: 1 ]
pass out on ed0 proto tcp all flags S/SA modulate state
  [ Evaluations: 701 Packets: 1660 Bytes: 837928 States: 13 ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 373 Packets: 261 Bytes: 40969 States: 3 ]
pass out on ed0 proto icmp all keep state
  [ Evaluations: 373 Packets: 38 Bytes: 3192 States: 0 ]

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 05:31:18 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8873916A4CE for ; Wed, 2 Mar 2005 05:31:18 +0000 (GMT) Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 654F043D4C for ; Wed, 2 Mar 2005 05:31:18 +0000 (GMT) (envelope-from fbsd-pf@trini0.org) Received: from hivemind.trini0.org ([65.34.205.195]) by comcast.net (rwcrmhc12) with ESMTP id <2005030205311801400hl0qme>; Wed, 2 Mar 2005 05:31:18 +0000 Received: from
[192.168.0.16] (gladiator.trini0.org [192.168.0.16]) by hivemind.trini0.org (Postfix) with ESMTP id 908A56123; Wed, 2 Mar 2005 00:31:17 -0500 (EST) Message-ID: <42254FA5.1040508@trini0.org> Date: Wed, 02 Mar 2005 00:31:17 -0500 From: Gerard Samuel User-Agent: Mozilla Thunderbird 1.0 (X11/20050122) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Max Laier References: <4224F74B.1030502@trini0.org> <200503020248.01088.max@love2party.net> <42252415.7030808@trini0.org> In-Reply-To: <42252415.7030808@trini0.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-pf@freebsd.org Subject: Re: Whats wrong with this ruleset? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 05:31:18 -0000 Gerard Samuel wrote: > Max Laier wrote: > >> On Wednesday 02 March 2005 00:14, Gerard Samuel wrote: >> >> >>> For some reason, port 53 is blocked going out of the external >>> interface -> >>> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > >>> xx.xx.xx.xxx.4973 >>> >>> Im still new to pf, but shouldn't the last two lines allow anything >>> going out >>> to pass?? >>> Any ideas on how to fix? >>> >> >> >> Can you send the output of "$pfctl -vsr" after some packets have been >> blocked? The match counters are extremely helpful when debugging >> such problems. >> > > Just before this email came in, I changed the last 2 rules to -> > #pass out on $ext_if proto tcp all modulate state flags S/SA > #pass out on $ext_if proto {udp, icmp} all keep state > pass out on $ext_if proto {tcp, udp, icmp} all keep state I went back to my original ruleset, and started reviewing the real time blocks again. I noticed that blocked packets were tcp. 
I fiddled with the rule ->
pass out on $ext_if proto tcp all modulate state flags S/SA
till I came to ->
pass out on $ext_if proto tcp all modulate state
and it started working as it should be. Whether it's the correct way to write the rule, I'm not sure. I'll read up on flag options and see if I can come up with an answer for that...

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 08:10:57 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 159F516A4CE for ; Wed, 2 Mar 2005 08:10:57 +0000 (GMT) Received: from relay.bestcom.ru (relay.bestcom.ru [217.72.144.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 232B443D5A for ; Wed, 2 Mar 2005 08:10:56 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (root@cell.sick.ru [217.72.144.68]) by relay.bestcom.ru (8.13.1/8.12.9) with ESMTP id j228Aqp7095581 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 2 Mar 2005 11:10:53 +0300 (MSK) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.13.1/8.12.8) with ESMTP id j228AqWq087218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Mar 2005 11:10:52 +0300 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.sick.ru (8.13.1/8.13.1/Submit) id j228Ap6u087217; Wed, 2 Mar 2005 11:10:51 +0300 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Wed, 2 Mar 2005 11:10:51 +0300 From: Gleb Smirnoff To: Matthew Grooms Message-ID: <20050302081051.GB87159@cell.sick.ru> References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline In-Reply-To: <4225174C.801@seton.org> User-Agent: Mutt/1.5.6i X-Virus-Scanned: ClamAV version devel-20050125, clamav-milter version 0.80ff on relay.bestcom.ru X-Virus-Status: Clean cc: freebsd-pf@FreeBSD.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 08:10:57 -0000
On Tue, Mar 01, 2005 at 07:30:52PM -0600, Matthew Grooms wrote:
M> Thanks for the response. I have net.inet.carp.preempt=1 set but
M> only one carp interface changes state to master at a time. The second
M> host always retains the master for the other two carp interfaces. I am
M> able to manually fail over the remaining carp interfaces by changing
M> either the carp or parent em[n] interface to down which quickly brings
M> the other hosts corresponding interface from backup to master. After a
M> firewall holds a master status for all carp devices, I can start to talk
M> again through the firewall out to the internet or into the DMZ from my
M> test pc.
M>
M> I have two Dell SMP boxes running dual amd64 compatible intel processors
M> with two on board intel ports ( em0 & em1 ) and a quad port intel pro
M> 1000 MT ( em2, em3, em4 & em5 ). I am using RELENG_5 amd64 SMP builds on
M> both hosts. Here is my config info ...
You have those damn em interfaces, which are not miibus aware. In the patch there is also a small hack in if_em.c to work around this problem. Can you please check that this part of the patch has successfully applied to your tree and went into your if_em.ko (or kernel)? -- Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 18:12:17 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB09E16A4CE for ; Wed, 2 Mar 2005 18:12:17 +0000 (GMT) Received: from zixvpm01.seton.org (zixvpm01.seton.org [207.193.126.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3BD643D31 for ; Wed, 2 Mar 2005 18:12:15 +0000 (GMT) (envelope-from mgrooms@seton.org) Received: from zixvpm01.seton.org (ZixVPM [127.0.0.1]) by Outbound.seton.org (Proprietary) with ESMTP id 928453604BA for ; Wed, 2 Mar 2005 12:05:34 -0600 (CST) Received: from smtp-out.seton.org (unknown [10.21.254.249]) by zixvpm01.seton.org (Proprietary) with ESMTP id 0E96E330098; Wed, 2 Mar 2005 12:02:40 -0600 (CST) Received: from localhost (unknown [127.0.0.1]) by smtp-out.seton.org (Postfix) with ESMTP id 02B2C8014E24; Wed, 2 Mar 2005 12:02:40 -0600 (CST) Received: from smtp-out.seton.org ([10.21.254.249]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 10418-01; Wed, 2 Mar 2005 12:02:39 -0600 (CST) Received: from ausexfe02.seton.org (ausexfe02.seton.org [10.20.10.185]) by smtp-out.seton.org (Postfix) with ESMTP id DBC628014E23; Wed, 2 Mar 2005 12:02:39 -0600 (CST) Received: from [10.20.160.190] ([10.20.160.190]) by ausexfe02.seton.org with Microsoft SMTPSVC(6.0.3790.211); Wed, 2 Mar 2005 12:02:39 -0600 Message-ID: <422600A2.2080907@seton.org> Date: Wed, 02 Mar 2005 12:06:26 -0600 From: Matthew Grooms Organization: Seton Healthcare Network User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Gleb Smirnoff References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> <20050302081051.GB87159@cell.sick.ru> In-Reply-To: <20050302081051.GB87159@cell.sick.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 02 Mar 2005 18:02:39.0786 (UTC) FILETIME=[05F838A0:01C51F52] X-Virus-Scanned: by amavisd-new at seton.org cc: freebsd-pf@FreeBSD.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 18:12:18 -0000

Gleb,

Thanks again for looking at this. I see the #ifdef DEV_CARP section in the if_em.c file. I rebuilt the kernel after applying the patch and installed it, so I assumed it was in there. I apologize in advance for my complete lack of kernel hacking knowledge. I went ahead and added ...

    if (ifp->if_carp) {
        carp_carpdev_state(ifp->if_carp);
        printf( "carp interface notified\n" );
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    }

... for up/down to make sure the kernel was hitting that chunk of code. After a compile and reinstall, unfortunately I didn't see the output along with link state changes. I added a ...

    #define CARP_DEV 1

... to the beginning of both if_em.c and if_em.h to force it to include the em carp support but got this compile error during the kernel build ...

    In file included from ../../../dev/em/if_em.h:68,
                     from ../../../dev/em/if_em.c:38:
    ../../../netinet/ip_carp.h:158: warning: "struct in_ifaddr" declared inside parameter list
    ../../../netinet/ip_carp.h:158: warning: its scope is only this definition or declaration, which is probably not what you want
    *** Error code 1

    Stop in /usr/src/sys/amd64/compile/CUSTOM.

I wish I had more kernel-foo as this is probably me shooting myself in the foot somehow. Anyways, I'm not sure where to go from here.

Just on a side note, I seem to vaguely remember seeing something on the current mailing list about the em driver having problems reporting link states. When I did a search in the mailing list archives I found this commit message from you. Could this be applicable to the card I am using?

http://www.freebsd.org/cgi/getmsg.cgi?fetch=2244676+2246764+/usr/local/www/db/text/2005/cvs-all/20050206.cvs-all

Please let me know if there is anything else I can do to help test this.

-Matthew

Gleb Smirnoff wrote:
> On Tue, Mar 01, 2005 at 07:30:52PM -0600, Matthew Grooms wrote:
> M> Thanks for the response. I have net.inet.carp.preempt=1 set but
> M> only one carp interface changes state to master at a time. The second
> M> host always retains the master for the other two carp interfaces. I am
> M> able to manually fail over the remaining carp interfaces by changing
> M> either the carp or parent em[n] interface to down, which quickly brings
> M> the other host's corresponding interface from backup to master. After a
> M> firewall holds a master status for all carp devices, I can start to talk
> M> again through the firewall out to the internet or into the DMZ from my
> M> test pc.
> M>
> M> I have two Dell SMP boxes running dual amd64 compatible intel processors
> M> with two on board intel ports ( em0 & em1 ) and a quad port intel pro
> M> 1000 MT ( em2, em3, em4 & em5 ). I am using RELENG_5 amd64 SMP builds on
> M> both hosts. Here is my config info ...
>
> You have those damn em interfaces, which are not miibus aware. In the patch
> there is also a small hack in if_em.c to work around this problem. Can you
> please check that this part of the patch has successfully applied to your
> tree and went into your if_em.ko (or kernel)?
>

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 19:12:54 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB10216A4CE for ; Wed, 2 Mar 2005 19:12:54 +0000 (GMT) Received: from post2.wesleyan.edu (post2.wesleyan.edu [129.133.6.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id 287FA43D2D for ; Wed, 2 Mar 2005 19:12:54 +0000 (GMT) (envelope-from vsavichev@wesleyan.edu) Received: from localhost.localdomain (pony3.wesleyan.edu [129.133.6.194]) by post2.wesleyan.edu (8.12.11/8.12.11) with ESMTP id j22JCo3b007577 for ; Wed, 2 Mar 2005 14:12:50 -0500 Received: from localhost.localdomain (pony3 [127.0.0.1]) j22JCoeq018432 for ; Wed, 2 Mar 2005 14:12:50 -0500 Received: (from apache@localhost) by localhost.localdomain (8.12.11/8.12.11/Submit) id j22JCoGs018430; Wed, 2 Mar 2005 14:12:50 -0500 Received: from 81.30.200.207 (SquirrelMail authenticated user vsavichev); by webmail.wesleyan.edu with HTTP; Wed, 2 Mar 2005 14:12:50 -0500 (EST) Message-ID: <57056.81.30.200.207.1109790770.squirrel@81.30.200.207> Date: Wed, 2 Mar 2005 14:12:50 -0500 (EST) From: vsavichev@wesleyan.edu To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.3a-0.e3.1 X-Mailer: SquirrelMail/1.4.3a-0.e3.1 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Wesleyan-MailScanner-Information: Please contact the ISP for more information X-Wesleyan-MailScanner: Found to be clean X-MailScanner-From: vsavichev@wesleyan.edu Subject: pfsync + pfflowd + flow-tools (ifconfig maxupd)? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 19:12:55 -0000

hi all,

we're trying to build a pfsync-centric accounting system. Our plan is to use pfflowd to emit NetFlow datagrams and work them out within flow-tools. E.g., using flow-receive we get SOMEFILE, which can be further processed by flow-export or the like. We found that SOMEFILE gets occasionally updated. man pfsync says that state information refreshment is condensed, which is controlled by the maxupd parameter to ifconfig (equal by default to 128). For some reason the FreeBSD (5.3-stable) version of ifconfig has no maxupd option; OpenBSD's does. So we believe now that the pfsync iface in that incarnation of FreeBSD has no way to change this parameter and hence to fine-tune the state information update frequency. Is that so?

Vlad

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 19:17:00 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBBDD16A4CE for ; Wed, 2 Mar 2005 19:17:00 +0000 (GMT) Received: from relay.bestcom.ru (relay.bestcom.ru [217.72.144.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id B899243D54 for ; Wed, 2 Mar 2005 19:16:59 +0000 (GMT) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (root@cell.sick.ru [217.72.144.68]) by relay.bestcom.ru (8.13.1/8.12.9) with ESMTP id j22JGvt7008653 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 2 Mar 2005 22:16:57 +0300 (MSK) (envelope-from glebius@FreeBSD.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.13.1/8.12.8) with ESMTP id j22JGu3o093418 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Mar 2005 22:16:57 +0300 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.sick.ru (8.13.1/8.13.1/Submit) id j22JGuUH093417; Wed, 2 Mar 2005 22:16:56 +0300 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Wed, 2 Mar 2005 22:16:56 +0300 From: Gleb Smirnoff To: Matthew Grooms Message-ID:
<20050302191656.GA93112@cell.sick.ru> References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> <20050302081051.GB87159@cell.sick.ru> <422600A2.2080907@seton.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <422600A2.2080907@seton.org> User-Agent: Mutt/1.5.6i X-Virus-Scanned: ClamAV version devel-20050125, clamav-milter version 0.80ff on relay.bestcom.ru X-Virus-Status: Clean cc: freebsd-pf@FreeBSD.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 19:17:01 -0000

Matthew,

On Wed, Mar 02, 2005 at 12:06:26PM -0600, Matthew Grooms wrote:
M> Thanks again for looking at this. I see the #ifdef DEV_CARP
M> section in the if_em.c file. I rebuilt the kernel after applying the patch
M> and installed it, so I assumed it was in there. I apologize in advance
M> for my complete lack of kernel hacking knowledge. I went ahead and added ...
M>
M>     if (ifp->if_carp) {
M>         carp_carpdev_state(ifp->if_carp);
M>         printf( "carp interface notified\n" );
M>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
M>     }
M>
M> ... for up/down to make sure the kernel was hitting that chunk of code.
M> After a compile and reinstall, unfortunately I didn't see the output
M> along with link state changes. I added a ...
M>
M>     #define CARP_DEV 1
M>
M> ... to the beginning of both if_em.c and if_em.h to force it to include
M> the em carp support but got this compile error during the kernel build ...
M>
M>     In file included from ../../../dev/em/if_em.h:68,
M>                      from ../../../dev/em/if_em.c:38:
M>     ../../../netinet/ip_carp.h:158: warning: "struct in_ifaddr" declared
M>     inside parameter list
M>     ../../../netinet/ip_carp.h:158: warning: its scope is only this
M>     definition or declaration, which is probably not what you want
M>     *** Error code 1
M>
M>     Stop in /usr/src/sys/amd64/compile/CUSTOM.

Yes. There was an error in there. Frank Volf has already shown it to me in private
mail. Sorry for this. I'm working in HEAD now, where miibus and em do not need
these hacks.

Fixed patch available at the same place:

http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

M> I wish I had more kernel-foo as this is probably me shooting myself in
M> the foot somehow. Anyways, I'm not sure where to go from here.
M>
M> Just on a side note, I seem to vaguely remember seeing something on
M> the current mailing list about the em driver having problems reporting
M> link states. When I did a search in the mailing list archives I found
M> this commit message from you. Could this be applicable to the card I am
M> using?
M>
M> http://www.freebsd.org/cgi/getmsg.cgi?fetch=2244676+2246764+/usr/local/www/db/text/2005/cvs-all/20050206.cvs-all

Yes, but this change can't be MFCed due to the ABI freeze for RELENG_5. That's why
I'm doing these hacks for em in carp.RELENG_5-patch.

--
Totus tuus,
Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 19:31:10 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03C3C16A4CE for ; Wed, 2 Mar 2005 19:31:10 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9391E43D48 for ; Wed, 2 Mar 2005 19:31:09 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so273400wri for ; Wed, 02 Mar 2005 11:31:09 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=lOlCBy+V0gQKNydh93yq0LRPgtmHPBq1rO3x6UkhgZfN0pY1KA5VArngPpn/uGBgDwDDrqCtzBVv9hB6D9E2zxHIK/SJCsKMvaj+c4VsOYqb0yMrHaw41PV5QlXGggmlWZy/G9uQH6Ng38bgd+j9cawpCyFpBusuLH7pSArsejE= Received: by 10.54.63.14 with SMTP id l14mr116256wra; Wed, 02 Mar 2005 11:31:08 -0800 (PST) Received: by 10.54.39.34 with HTTP; Wed, 2 Mar 2005 11:31:08 -0800 (PST) Message-ID: <8eea0408050302113163b70535@mail.gmail.com> Date: Wed, 2 Mar 2005 11:31:08 -0800 From: Jon Simola To: "vsavichev@wesleyan.edu" In-Reply-To: <57056.81.30.200.207.1109790770.squirrel@81.30.200.207> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <57056.81.30.200.207.1109790770.squirrel@81.30.200.207> cc: freebsd-pf@freebsd.org Subject: Re: pfsync + pfflowd + flow-tools (ifconfig maxupd)? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 19:31:10 -0000

On Wed, 2 Mar 2005 14:12:50 -0500 (EST), vsavichev@wesleyan.edu wrote:
> that SOMEFILE gets occasionally updated. man pfsync says that
> state information refreshment is condensed which is controlled by
> maxupd parameter to ifconfig (equal by default to 128).
> For some reason FreeBSD (5.3-stable) version of ifconfig has
> no maxupd option, OpenBSD does. So we believe now, pfsync iface
> in that incarnation of FreeBSD has no way to change this parameter
> and hence to fine tune state information update frequency.

I see the appropriate code in src/sbin/ifconfig/ifpfsync.c

    if (preq.pfsyncr_syncif[0] != '\0') {
        printf("\tpfsync: syncif: %s maxupd: %d\n",
            preq.pfsyncr_syncif, preq.pfsyncr_maxupdates);
    }

and I can set the maxupd on a pfsync interface:

    bash-3.00# ifconfig pfsync0 syncif em0 maxupd 64
    bash-3.00# ifconfig pfsync0
    pfsync0: flags=0<> mtu 1348
            pfsync: syncif: em0 maxupd: 64

The only thing I can see is that it will not actually display or do
anything unless there is a syncif set.
--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 23:15:55 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 241A916A4CE for ; Wed, 2 Mar 2005 23:15:55 +0000 (GMT) Received: from zixvpm01.seton.org (zixvpm01.seton.org [207.193.126.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FA6843D46 for ; Wed, 2 Mar 2005 23:15:54 +0000 (GMT) (envelope-from mgrooms@seton.org) Received: from zixvpm01.seton.org (ZixVPM [127.0.0.1]) by Outbound.seton.org (Proprietary) with ESMTP id 80EDC3600AF for ; Wed, 2 Mar 2005 17:15:53 -0600 (CST) Received: from smtp-out.seton.org (unknown [10.21.254.249]) by zixvpm01.seton.org (Proprietary) with ESMTP id A6D38330059; Wed, 2 Mar 2005 17:15:52 -0600 (CST) Received: from localhost (unknown [127.0.0.1]) by smtp-out.seton.org (Postfix) with ESMTP id 9AE038014E24; Wed, 2 Mar 2005 17:15:52 -0600 (CST) Received: from smtp-out.seton.org ([10.21.254.249]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 13254-16; Wed, 2 Mar 2005 17:15:52 -0600 (CST) Received: from ausexfe01.seton.org (ausexfe01.seton.org [10.20.10.211]) by smtp-out.seton.org (Postfix) with ESMTP id 8C5F48014E23; Wed, 2 Mar 2005 17:15:52 -0600 (CST) Received: from [10.20.160.190] ([10.20.160.190]) by ausexfe01.seton.org with Microsoft SMTPSVC(6.0.3790.211); Wed, 2 Mar 2005 17:15:52 -0600 Message-ID: <42264A0A.1090301@seton.org> Date: Wed, 02 Mar 2005 17:19:38 -0600 From: Matthew Grooms Organization: Seton Healthcare Network User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Gleb Smirnoff References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> <20050302081051.GB87159@cell.sick.ru> <422600A2.2080907@seton.org> <20050302191656.GA93112@cell.sick.ru> In-Reply-To: <20050302191656.GA93112@cell.sick.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 02 Mar 2005 23:15:52.0453 (UTC) FILETIME=[C745A350:01C51F7D] X-Virus-Scanned: by amavisd-new at seton.org cc: freebsd-pf@FreeBSD.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2005 23:15:55 -0000

Gleb & Max,

Fantastic! The carp interfaces work like a champ now on RELENG_5. I have been testing the fail over for about half an hour and the MASTER / BACKUP state changes have worked 100% of the time. I really appreciate both of you taking the time to get this stuff into FreeBSD.

On a slightly more depressing note, I don't think that state via pfsync seems to be working right between the two firewalls. Sometimes ( maybe every 1 out of 4 tries ) when the interfaces fail over, the traffic flow stops. The reason why I believe it is a state sync issue is that new connections can always be opened even while the previously opened connections are stalled. This doesn't always happen when an interface is going down either. It happens just as often when an interface is coming back up and reclaims a MASTER state. Any ideas?

Matthew

Gleb Smirnoff wrote:
> Matthew,
>
> Yes. There was an error in there. Frank Volf has already shown it to me in private
> mail. Sorry for this. I'm working in HEAD now, where miibus and em do not need
> these hacks.
>
> Fixed patch available at the same place:
>
> http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch
>

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 3 01:38:12 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 032B916A4CE; Thu, 3 Mar 2005 01:38:12 +0000 (GMT) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11D9543D49; Thu, 3 Mar 2005 01:38:11 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) j231c7r7005105 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 3 Mar 2005 02:38:08 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.3/8.12.10/Submit) id j231c7di028981; Thu, 3 Mar 2005 02:38:07 +0100 (MET) Date: Thu, 3 Mar 2005 02:38:07 +0100 From: Daniel Hartmeier To: Matthew Grooms Message-ID: <20050303013807.GH25140@insomnia.benzedrine.cx> References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> <20050302081051.GB87159@cell.sick.ru> <422600A2.2080907@seton.org> <20050302191656.GA93112@cell.sick.ru> <42264A0A.1090301@seton.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <42264A0A.1090301@seton.org> User-Agent: Mutt/1.5.6i cc: Gleb Smirnoff cc: freebsd-pf@freebsd.org Subject: Re: Fwd: pf + pfsync + carp testing ...
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 01:38:12 -0000

On Wed, Mar 02, 2005 at 05:19:38PM -0600, Matthew Grooms wrote:
> On a slightly more depressing note, I don't think that state via
> pfsync seems to be working right between the two firewalls. Sometimes (
> maybe every 1 out of 4 tries ) when the interfaces fail over, the
> traffic flow stops. The reason why I believe it is a state sync issue is
> that new connections can always be opened even while the previously
> opened connections are stalled. This doesn't always happen when an
> interface is going down either. It happens just as often when an
> interface is coming back up and reclaims a MASTER state. Any ideas?

It would help isolate the problem if you can provide the output of pfctl
-vvss for one such stalling connection on both boxes, for comparison.

The obvious requirement is that the state is actually present on the
secondary box. If it is present, maybe we spot an inconsistency between
the two state entries. If they look the same, maybe you can get a
tcpdump -vvvS for the stalled connection (which matches the state
entry).

If the state is not present on the secondary, a tcpdump -nvvvei pfsync0
over the time between when the state was created on the primary and when
it should have arrived at the secondary would help.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 3 02:46:40 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1BA0C16A4CE for ; Thu, 3 Mar 2005 02:46:40 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D38943D1F for ; Thu, 3 Mar 2005 02:46:39 +0000 (GMT) (envelope-from max@love2party.net) Received: from p54808E84.dip.t-dialin.net[84.128.142.132] (helo=donor.laier.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML21M-1D6gME0rpX-0005gQ; Thu, 03 Mar 2005 03:46:34 +0100 From: Max Laier To: freebsd-pf@freebsd.org, jon@abccomm.com Date: Thu, 3 Mar 2005 03:46:24 +0100 User-Agent: KMail/1.7.2 References: <57056.81.30.200.207.1109790770.squirrel@81.30.200.207> <8eea0408050302113163b70535@mail.gmail.com> In-Reply-To: <8eea0408050302113163b70535@mail.gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart30828940.rLSDhifFQ3"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200503030346.31871.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 cc: "vsavichev@wesleyan.edu" Subject: Re: pfsync + pfflowd + flow-tools (ifconfig maxupd)? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 02:46:40 -0000

On Wednesday 02 March 2005 20:31, Jon Simola wrote:
> On Wed, 2 Mar 2005 14:12:50 -0500 (EST), vsavichev@wesleyan.edu wrote:
> > that SOMEFILE gets occasionally updated. man pfsync says that
> > state information refreshment is condensed which is controlled by
> > maxupd parameter to ifconfig (equal by default to 128).
> > For some reason FreeBSD (5.3-stable) version of ifconfig has
> > no maxupd option, OpenBSD does. So we believe now, pfsync iface
> > in that incarnation of FreeBSD has no way to change this parameter
> > and hence to fine tune state information update frequency.
>
> I see the appropriate code in src/sbin/ifconfig/ifpfsync.c

This file is not (yet) in RELENG_5. It is going to be MFCed together with
CARP in the coming days, I believe. Use Glebius' patch to get it straight
away: http://people.freebsd.org/~glebius/totest/carp-RELENG_5-patch

>     if (preq.pfsyncr_syncif[0] != '\0') {
>         printf("\tpfsync: syncif: %s maxupd: %d\n",
>             preq.pfsyncr_syncif, preq.pfsyncr_maxupdates);
>     }
>
> and I can set the maxupd on a pfsync interface:
>
>     bash-3.00# ifconfig pfsync0 syncif em0 maxupd 64
>     bash-3.00# ifconfig pfsync0
>     pfsync0: flags=0<> mtu 1348
>             pfsync: syncif: em0 maxupd: 64
>
> The only thing I can see is that it will not actually display or do
> anything unless there is a syncif set.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 3 17:45:13 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82A6816A4CE for ; Thu, 3 Mar 2005 17:45:13 +0000 (GMT) Received: from zixvpm01.seton.org (zixvpm01.seton.org [207.193.126.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id C03D543D5C for ; Thu, 3 Mar 2005 17:45:12 +0000 (GMT) (envelope-from mgrooms@seton.org) Received: from zixvpm01.seton.org (ZixVPM [127.0.0.1]) by Outbound.seton.org (Proprietary) with ESMTP id 56C9F360081 for ; Thu, 3 Mar 2005 11:45:12 -0600 (CST) Received: from smtp-out.seton.org (unknown [10.21.254.249]) by zixvpm01.seton.org (Proprietary) with ESMTP id 98A11330057; Thu, 3 Mar 2005 11:45:09 -0600 (CST) Received: from localhost (unknown [127.0.0.1]) by smtp-out.seton.org (Postfix) with ESMTP id 70CA18014E24; Thu, 3 Mar 2005 11:45:09 -0600 (CST) Received: from smtp-out.seton.org ([10.21.254.249]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 21381-16; Thu, 3 Mar 2005 11:45:09 -0600 (CST) Received: from ausexfe01.seton.org (ausexfe01.seton.org [10.20.10.211]) by smtp-out.seton.org (Postfix) with ESMTP id 579018014E23; Thu, 3 Mar 2005 11:45:09 -0600 (CST) Received: from [10.20.160.190] ([10.20.160.190]) by ausexfe01.seton.org with Microsoft SMTPSVC(6.0.3790.211); Thu, 3 Mar 2005 11:45:09 -0600 Message-ID: <42274E08.7050404@seton.org> Date: Thu, 03 Mar 2005 11:48:56 -0600 From: Matthew Grooms
Organization: Seton Healthcare Network User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Daniel Hartmeier References: <200502282232.17646.max@love2party.net> <4223931C.9000607@seton.org> <200502282326.41760.max@love2party.net> <4224B078.9020301@seton.org> <20050301185431.GA81982@cell.sick.ru> <4225174C.801@seton.org> <20050302081051.GB87159@cell.sick.ru> <422600A2.2080907@seton.org> <20050302191656.GA93112@cell.sick.ru> <42264A0A.1090301@seton.org> <20050303013807.GH25140@insomnia.benzedrine.cx> In-Reply-To: <20050303013807.GH25140@insomnia.benzedrine.cx> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 03 Mar 2005 17:45:09.0092 (UTC) FILETIME=[BE1ECA40:01C52018] X-Virus-Scanned: by amavisd-new at seton.org cc: Gleb Smirnoff cc: freebsd-pf@freebsd.org Subject: Re: Fwd: pf + pfsync + carp testing ... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2005 17:45:13 -0000

Daniel,

Please let me know if this is not what you want. I will try to do what it takes to get you any data that you may require. The stalled connection is coming from 192.168.254.51 to 192.168.251.100:80. Sorry for not paring it down but I did not want to cut out something you may want to see due to ignorance on my part. I will prepare the other output you requested unless I hear back from you first.

example 1 - fw1 - pfctl -vvss

self tcp 192.168.254.2:22 <- 192.168.254.51:4461       ESTABLISHED:ESTABLISHED
   [895578000 + 63960] [3194607704 + 65483]
   age 00:02:33, expires in 24:00:00, 511:579 pkts, 49580:61016 bytes, rule 4
   id: 4226ef910000001f creatorid: 5357f190
self tcp 192.168.254.3:22 -> 192.168.254.51:4462       ESTABLISHED:ESTABLISHED
   [1673568462 + 63104] [3196457500 + 65535]
   age 00:02:42, expires in 23:59:11, 0:0 pkts, 0:0 bytes
   id: 4226ef8800000018 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4469       TIME_WAIT:TIME_WAIT
   [32533272 + 272] [3248810405 + 65535]
   age 00:02:10, expires in 00:01:12, 85852:161987 pkts, 3434080:242936092 bytes
   id: 4226ef8800000019 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4470       ESTABLISHED:ESTABLISHED
   [2020265516 + 64512] [3277486902 + 65535]
   age 00:00:16, expires in 23:59:57, 22968:43193 pkts, 919669:64635019 bytes, rule 4
   id: 4226ef9100000022 creatorid: 5357f190
self tcp 192.168.254.51:4469 -> 192.168.251.100:80       TIME_WAIT:TIME_WAIT
   [3248810405 + 65535] [32533272 + 272]
   age 00:02:10, expires in 00:01:12, 85852:161987 pkts, 3434080:242936092 bytes
   id: 4226ef880000001a creatorid: 5357f190
self tcp 192.168.254.51:4470 -> 192.168.251.100:80       ESTABLISHED:ESTABLISHED
   [3277486902 + 65535] [2020265516 + 64512]
   age 00:00:16, expires in 23:59:57, 22968:43193 pkts, 919669:64635019 bytes, rule 4
   id: 4226ef9100000023 creatorid: 5357f190
self tcp 192.168.253.1:62481 <- 64.233.187.104:80       TIME_WAIT:TIME_WAIT
   [3223153423 + 8190] [2943726748 + 2]
   age 00:00:41, expires in 00:00:49, 1:1 pkts, 40:40 bytes, rule 4
   id: 4226ef9100000021 creatorid: 5357f190

example 1 - fw2 - pfctl -vvss

self tcp 192.168.254.2:22 <- 192.168.254.51:4461       ESTABLISHED:ESTABLISHED
   [895580236 + 63532] [3194608276 + 65535]
   age 00:02:35, expires in 23:59:58, 0:0 pkts, 0:0 bytes
   id: 4226ef910000001f creatorid: 5357f190
self tcp 192.168.254.3:22 -> 192.168.254.51:4462       ESTABLISHED:ESTABLISHED
   [1673568634 + 64408] [3196457656 + 65535]
   age 00:02:44, expires in 24:00:00, 227:206 pkts, 37788:12244 bytes, rule 4
   id: 4226ef8800000018 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4469       TIME_WAIT:TIME_WAIT
   [32533272 + 272] [3248810405 + 65535]
   age 00:02:13, expires in 00:01:11, 155592:293304 pkts, 6224629:439872827 bytes, rule 4
   id: 4226ef8800000019 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4470       ESTABLISHED:ESTABLISHED
   [2016193576 + 51372] [3277486902 + 65535]
   age 00:00:18, expires in 23:59:54, 1479:2789 pkts, 59160:4183500 bytes
   id: 4226ef9100000022 creatorid: 5357f190
self tcp 192.168.254.51:4469 -> 192.168.251.100:80       TIME_WAIT:TIME_WAIT
   [3248810405 + 65535] [32533272 + 272]
   age 00:02:13, expires in 00:01:11, 155592:293304 pkts, 6224629:439872827 bytes, rule 4
   id: 4226ef880000001a creatorid: 5357f190
self tcp 192.168.254.51:4470 -> 192.168.251.100:80       ESTABLISHED:ESTABLISHED
   [3277486902 + 65535] [2016193576 + 51372]
   age 00:00:18, expires in 23:59:54, 1479:2789 pkts, 59160:4183500 bytes
   id: 4226ef9100000023 creatorid: 5357f190
self tcp 192.168.253.1:62481 <- 64.233.187.104:80       TIME_WAIT:TIME_WAIT
   [3223153423 + 8190] [2943726748 + 2]
   age 00:00:43, expires in 00:00:47, 0:0 pkts, 0:0 bytes
   id: 4226ef9100000021 creatorid: 5357f190

example 2 - fw1 - pfctl -vvss

self tcp 192.168.254.2:22 <- 192.168.254.51:4461       ESTABLISHED:ESTABLISHED
   [895581492 + 63756] [3194610408 + 65483]
   age 00:05:55, expires in 24:00:00, 560:633 pkts, 54244:66668 bytes, rule 4
   id: 4226ef910000001f creatorid: 5357f190
self tcp 192.168.254.3:22 -> 192.168.254.51:4462       ESTABLISHED:ESTABLISHED
   [1673570802 + 63856] [3196458072 + 65535]
   age 00:06:04, expires in 23:56:41, 0:0 pkts, 0:0 bytes
   id: 4226ef8800000018 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4470       FIN_WAIT_2:FIN_WAIT_2
   [2629520121 + 64512] [3277486903 + 65535]
   age 00:03:38, expires in 00:01:04, 244235:460539 pkts, 9770349:690583463 bytes, rule 4
   id: 4226ef9100000022 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4472       ESTABLISHED:ESTABLISHED
   [679995100 + 272] [3327911464 + 65535]
   age 00:00:16, expires in 23:59:57, 25897:49715 pkts, 1036349:74514782 bytes, rule 4
   id: 4226ef9100000027 creatorid: 5357f190
self tcp 192.168.254.51:4470 -> 192.168.251.100:80       FIN_WAIT_2:FIN_WAIT_2
   [3277486903 + 65535] [2629520121 + 64512]
   age 00:03:38, expires in 00:01:04, 244235:460539 pkts, 9770349:690583463 bytes, rule 4
   id: 4226ef9100000023 creatorid: 5357f190
self tcp 192.168.254.51:4472 -> 192.168.251.100:80       ESTABLISHED:ESTABLISHED
   [3327911464 + 65535] [679995100 + 272]
   age 00:00:16, expires in 23:59:57, 25897:49715 pkts, 1036349:74514782 bytes, rule 4
   id: 4226ef9100000028 creatorid: 5357f190

example 2 - fw2 - pfctl -vvss

self tcp 192.168.254.2:22 <- 192.168.254.51:4461       ESTABLISHED:ESTABLISHED
   [895583468 + 63448] [3194610928 + 65535]
   age 00:05:57, expires in 23:59:59, 0:0 pkts, 0:0 bytes
   id: 4226ef910000001f creatorid: 5357f190
self tcp 192.168.254.3:22 -> 192.168.254.51:4462       ESTABLISHED:ESTABLISHED
   [1673570974 + 63684] [3196458384 + 65483]
   age 00:06:06, expires in 24:00:00, 244:219 pkts, 40808:13492 bytes, rule 4
   id: 4226ef8800000018 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4470       FIN_WAIT_2:FIN_WAIT_2
   [2629520121 + 64512] [3277486903 + 65535]
   age 00:03:40, expires in 00:01:03, 1479:2789 pkts, 59160:4183500 bytes
   id: 4226ef9100000022 creatorid: 5357f190
self tcp 192.168.251.100:80 <- 192.168.254.51:4472       ESTABLISHED:ESTABLISHED
   [673471820 + 35312] [3327911464 + 65535]
   age 00:00:18, expires in 23:59:54, 2370:4468 pkts, 94800:6702000 bytes
   id: 4226ef9100000027 creatorid: 5357f190
self tcp 192.168.254.51:4470 -> 192.168.251.100:80       FIN_WAIT_2:FIN_WAIT_2
   [3277486903 + 65535] [2629520121 + 64512]
   age 00:03:40, expires in 00:01:03, 1479:2789 pkts, 59160:4183500 bytes
   id: 4226ef9100000023 creatorid: 5357f190
self tcp 192.168.254.51:4472 -> 192.168.251.100:80       ESTABLISHED:ESTABLISHED
   [3327911464 + 65535] [673471820 + 35312]
   age 00:00:18, expires in 23:59:54, 2370:4468 pkts, 94800:6702000 bytes
   id: 4226ef9100000028 creatorid: 5357f190

Matthew Grooms
Network Engineer
Seton Healthcare Network
mgrooms@seton.org
(512) 324 9913

Daniel Hartmeier wrote:
> On Wed, Mar 02, 2005 at 05:19:38PM -0600, Matthew Grooms wrote:
>
>> On a slightly more depressing note, I don't think that state via
>> pfsync seems to be working right between the two firewalls. Sometimes (
>> maybe every 1 out of 4 tries ) when the interfaces fail over, the
>> traffic flow stops. The reason why I believe it is a state sync issue is
>> that new connections can always be opened even while the previously
>> opened connections are stalled. This doesn't always happen when an
>> interface is going down either. It happens just as often when an
>> interface is coming back up and reclaims a MASTER state. Any ideas?
>
> It would help isolate the problem if you can provide the output of pfctl
> -vvss for one such stalling connection on both boxes, for comparison.
>
> The obvious requirement is that the state is actually present on the
> secondary box. If it is present, maybe we spot an inconsistency between
> the two state entries. If they look the same, maybe you can get a
> tcpdump -vvvS for the stalled connection (which matches the state
> entry).
>
> If the state is not present on the secondary, a tcpdump -nvvvei pfsync0
> over the time between when the state was created on the primary and when
> it should have arrived at the secondary would help.
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 3 20:27:42 2005
From: Matthew Grooms
Organization: Seton Healthcare Network
Date: Thu, 03 Mar 2005 14:31:26 -0600
To: Daniel Hartmeier
cc: Gleb Smirnoff
cc: freebsd-pf@freebsd.org
Message-ID: <4227741E.5030805@seton.org>
In-Reply-To: <20050303013807.GH25140@insomnia.benzedrine.cx>
Subject: pf + pfsync + carp ... more fun

While running tests in my lab, there have been a few times where I could
no longer talk out my external interface. This usually happens after I
ifconfig em0 up / down a few times to force the carp0 failover.
Previously, I have just rebooted the box since I was concentrating on
testing the pf + pfsync stuff, but this time I stopped to take a look and
noticed that I am losing a route for the locally attached network. Is
this the intended behavior?
--- output from defunct fw1 ---

root@fw1# ping 192.168.253.252
PING 192.168.253.252 (192.168.253.252): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 192.168.253.252 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

root@fw1# route -n
usage: route [-dnqtv] command [[modifiers] args]

root@fw1# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.253.252    UGS         0       24    em0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.251        link#3             UC          0        0    em2
192.168.251.1      192.168.251.1      UH          0        0  carp2
192.168.252        link#6             UC          0        0    em5
192.168.252.3      00:04:23:08:17:6b  UHLW        0       17    em5    729
192.168.253        link#10            UC          0        0  carp0
192.168.253.1      192.168.253.1      UH          0        4  carp0
192.168.253.252    link#10            UHRLW       1        2  carp0
192.168.254        link#2             UC          0        0    em1
192.168.254.1      192.168.254.1      UH          0        0  carp1
192.168.254.51     00:0d:56:de:9e:3a  UHLW        0      253    em1   1162

--- output from working fw2 ---

default            192.168.253.252    UGS         0      572    em0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.251        link#3             UC          0        0    em2
192.168.252        link#6             UC          0        0    em5
192.168.252.2      00:04:23:08:17:37  UHLW        0       18    em5    585
192.168.253        link#1             UC          0        0    em0
192.168.253.252    link#1             UHLW        1        0    em0
192.168.254        link#2             UC          0        0    em1
192.168.254.51     00:0d:56:de:9e:3a  UHLW        0       64    em1   1192

If I need to repost this over to the net mailing list, please let me
know. Thanks in advance.
Matthew Grooms

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 3 23:43:16 2005
From: Daniel Hartmeier
Date: Fri, 4 Mar 2005 00:43:08 +0100
To: Matthew Grooms
cc: Gleb Smirnoff
cc: freebsd-pf@freebsd.org
Message-ID: <20050303234308.GJ25140@insomnia.benzedrine.cx>
In-Reply-To: <4227741E.5030805@seton.org>
Subject: Re: pf + pfsync + carp ... more fun

On Thu, Mar 03, 2005 at 02:31:26PM -0600, Matthew Grooms wrote:

> While running tests in my lab, there have been a few times where I
> could no longer talk out my external interface. This usually happens
> after I ifconfig em0 up / down a few times to force the carp0 failover.
> Previously, I have just rebooted the box since I was concentrating on
> testing the pf + pfsync stuff but this time I stopped to take a look
> and noticed that I am losing a route for the locally attached network.
> Is this the intended behavior?

It might explain the problem. On OpenBSD, you can ifconfig down an
interface without losing the route table entries through that interface.
I noticed that FreeBSD seems to automatically remove route entries in
this case.

AFAIK, carp itself does set and clear interfaces' IFF_RUNNING flag to
activate/deactivate them. I think the intention is not to lose any routes
doing that, but simply make the stack ignore frames on that interface (so
no ARP replies are sent on it).

When you manually ifconfig down to initiate the test, you also clear
IFF_UP, which might cause routes to get removed. Maybe try to initiate
the failover by removing the cable instead.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 17:42:14 2005
From: Ben Shelton
Date: Fri, 04 Mar 2005 09:42:02 -0800
To: freebsd-pf@freebsd.org
Message-ID: <42289DEA.5050205@shelton.ca>
Subject: pf routing issue?

Hi there,

I've been trying to convert a firewall for a site from ipfw to pf (under
FreeBSD). I had all the rules translated over to pf format and then went
ahead, took down ipfw, brought up pf and... nothing. Couldn't connect to
any services at all behind the firewall. After thinking I must have
screwed up some rule or something, I started cutting things down to
simple rules. I ended up with:

----
# begin rules
pass quick on lo0 all

# block by default
#block log
# commented out only for testing - should work instead of the
# following two lines
block in all
block out all

pass in quick proto icmp from any to any keep state
pass out quick proto icmp from any to any keep state

pass in quick inet proto tcp from any to x.x.x.x keep state
#pass in quick inet proto tcp from any to any keep state  # works
----

So the last 2 lines are completely odd. If I enable the first of them, I
cannot contact the x.x.x.x machine via tcp (http port, etc.) and a
tcpdump on the firewall's internal interface confirms that the packets
are not going through. ICMP works, however, according to the preceding 2
rules. If I enable the last rule, all tcp then works.

When I cannot connect, I get a "no route to host" error when attempting
to, for example, telnet to port 80.

The funny thing is that if I change the x.x.x.x rule to:

pass in quick inet proto tcp from any to any port 80 keep state

it ALSO doesn't work. It seems any specifier for destination address or
port screws everything up.

I am totally stumped. Can anyone offer any advice? I run a pf firewall at
home and don't have any issues at all. Then again, it's slightly
different at home with NAT and stuff. This one that's not working should
be even simpler - no NAT, routing from real internet addresses to real
internet addresses, etc.

As a note, this is a FreeBSD 5.3 on amd64 (Xeon EM64T) system. I don't
know if that might have something to do with it.

Any help is greatly appreciated.
Thanks,
Ben

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 17:49:30 2005
From: Daniel Hartmeier
Date: Fri, 4 Mar 2005 18:49:27 +0100
To: Ben Shelton
cc: freebsd-pf@freebsd.org
Message-ID: <20050304174927.GC6369@insomnia.benzedrine.cx>
In-Reply-To: <42289DEA.5050205@shelton.ca>
Subject: Re: pf routing issue?

On Fri, Mar 04, 2005 at 09:42:02AM -0800, Ben Shelton wrote:

> pass in quick inet proto tcp from any to x.x.x.x keep state

This allows only incoming packets (on any interface). It does not allow
packets to go out through any interface. Even if a packet first comes in
on one interface, and is then routed out through another interface, that
second step is blocked, because the rule does not allow packets to go
out through any interface. What else did you expect the 'in' option in
that rule to do?

If I understand you correctly, you've been trying to connect _from_ the
firewall to another host (getting the 'no route to host' error, which
has a new additional meaning, issued also when pf blocks an outgoing
packet from a local socket), so you should expect outgoing packets on
some interface...

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 17:56:29 2005
From: Ben Shelton
Date: Fri, 04 Mar 2005 09:56:06 -0800
To: Daniel Hartmeier
cc: freebsd-pf@freebsd.org
Message-ID: <4228A136.30707@shelton.ca>
In-Reply-To: <20050304174927.GC6369@insomnia.benzedrine.cx>
Subject: Re: pf routing issue?
I'm actually trying to connect from an outside host through the firewall
to a host behind the firewall. I understood that the keep state would
handle the return packet, am I wrong here?

Also, at various times during the testing I had included a second rule:

pass out quick inet proto tcp from x.x.x.x port 80 to any keep state

as well. I can't guarantee that I did this in a completely orderly
fashion (it was the middle of the night), but this didn't work then.

I *think* I have the basics down here, but there probably is something
completely braindead I've done.

Thanks for the response.
Ben

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 18:00:27 2005
From: Daniel Hartmeier
Date: Fri, 4 Mar 2005 19:00:24 +0100
To: Ben Shelton
cc: freebsd-pf@freebsd.org
Message-ID: <20050304180024.GD6369@insomnia.benzedrine.cx>
In-Reply-To: <4228A136.30707@shelton.ca>
Subject: Re: pf routing issue?

On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:

> I'm actually trying to connect from an outside host through the firewall
> to a host behind the firewall. I understood that the keep state would
> handle the return packet, am I wrong here?
> Also, at various times during the testing I had included a second rule:
> pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
> as well. I can't guarantee that I did this in a completely orderly
> fashion (it was the middle of the night), but this didn't work then.
> I *think* I have the basics down here, but there probably is something
> completely braindead I've done.

When filtering on both interfaces, you have to create two state entries
per forwarded connection.

pass in on $if_towards_browser from any to $web_server port 80 \
    keep state
pass out on $if_towards_server from any to $web_server port 80 \
    keep state

This is just for the initial SYN packet, the state will allow further
packets in the same direction (and replies in the reverse direction).

Your rule 'pass out from x.x.x.x port 80 to any' is wrong, it would be
addressing replies, which isn't necessary.

You need to allow the initial SYN in on the first interface, then out on
the second one. A state entry does not grant passage _through_ the
firewall, it only grants passage through one interface.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 21:30:44 2005
From: Ben Shelton
Date: Fri, 04 Mar 2005 13:30:24 -0800
To: Daniel Hartmeier
cc: freebsd-pf@freebsd.org
Message-ID: <4228D370.6020802@shelton.ca>
In-Reply-To: <20050304180024.GD6369@insomnia.benzedrine.cx>
Subject: Re: pf routing issue?

Daniel,

Thanks for the help. Pretty silly of me - I guess I assumed that it
allowed it right through the firewall, which would be pretty bad. Anyway
I've tested allowing through both sides at various times, just probably
not in the right combination.

I'll rewrite stuff and give it a shot tonight.

Thanks,
Ben

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 09:35:12 2005
From: Ben Shelton
Date: Sat, 05 Mar 2005 01:35:00 -0800
To: freebsd-pf@freebsd.org
Message-ID: <42297D44.2000008@shelton.ca>
In-Reply-To: <4228D370.6020802@shelton.ca>
Subject: Re: pf routing issue?
After rewriting the rules so each one included an in on the outside
interface and an out on the inside interface, everything worked great!

I noticed a couple things:

Apparently FreeBSD's altq doesn't support multi-level queues? I was a bit
surprised at that - I followed some examples out there but it kept giving
me an error until I just made each queue flat. Could be my mistake,
either way it's not critical for my purposes.

I'm observing the behavior of the state table counter and it's a bit
funny. There are a minimum of about 50k state table entries, it climbs up
to ~70k under current load then drops back down to 50-55k then climbs
back up then drops again. Any idea why it might do that back down to
nearly those exact numbers over and over in the last hour or two? It
just seems a bit suspicious that there would always be at least 50k
entries and never more than 70k (ceiling is 262k in my setup - yes, this
is high traffic).

Later,
Ben

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 13:59:27 2005
From: vsavichev@wesleyan.edu
Date: Sat, 5 Mar 2005 08:59:22 -0500 (EST)
To: freebsd-pf@freebsd.org
Message-ID: <62956.81.30.200.207.1110031162.squirrel@81.30.200.207>
Subject: Re: pfsync + pfflowd + flow-tools (ifconfig maxupd)?

Does it mean I have to set syncif iface on FreeBSD if I want to change
the maxupd parameter? After applying a patch, man ifconfig doesn't show
any trace of the maxupd parameter (apart from it being there ...). Does
syncif put any additional workload on the iface? Apart from changing
maxupd, I'm not really in need of syncif for the moment.

To the last, maybe pflog0 would be a better non-biased alternative for
the FreeBSD REL_5 incarnation, March 2005?

Thanks to all for your help,
vlad

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 19:00:01 2005
From: "Stephane Raimbault"
Date: Sat, 05 Mar 2005 11:59:59 -0700
To: freebsd-pf@freebsd.org
Subject: nat / rdr timeouts?

I have a box running FreeBSD 5.3-RELEASE-p5 and I'm running nat and
redirecting port 80 traffic to a couple of internal servers. I was
running some benchmarks with the apache ab tool and discovered a couple
of problems popping up.

I could run the ab benchmark with the following options no problem:

ab -c 5 -n 50 http:///host.html

however as soon as I put the concurrency to 1...

ab -c 1 -n 50 http:///host.html

it would inconsistently start blocking and timing out with this error:

apr_poll: The timeout specified has expired (70007)
Total of 46 requests completed

When I notice that ab gets hung up, running this on the nat box seems to
fix the problem and ab completes its test:

pfctl -F state

This leads me to guess that something in pf is causing this block to
occur based on the states? Possibly to prevent a DoS? Does anyone know
what is causing this and if it's a tunable value.

Here are the pf rules I have for this test.

------------------------
ext_if="em1"
int_net="10.0.11.0/27"
web_servers = "{ 10.0.11.16,10.0.11.17 }"

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin
------------------------

The problem is also there when I only have one web_servers set instead
of 2.

Any thoughts/ideas are welcome.

Thank you,
Stephane.
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 20:06:01 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5C8A16A4CE for ; Sat, 5 Mar 2005 20:06:01 +0000 (GMT)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id A70C043D3F for ; Sat, 5 Mar 2005 20:06:00 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) j25K60su006603 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Sat, 5 Mar 2005 21:06:00 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.3/8.12.10/Submit) id j25K5xWp004009; Sat, 5 Mar 2005 21:05:59 +0100 (MET)
Date: Sat, 5 Mar 2005 21:05:59 +0100
From: Daniel Hartmeier
To: Stephane Raimbault
Message-ID: <20050305200559.GA26999@insomnia.benzedrine.cx>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.6i
cc: freebsd-pf@freebsd.org
Subject: Re: nat / rdr timeouts?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 05 Mar 2005 20:06:01 -0000

On Sat, Mar 05, 2005 at 11:59:59AM -0700, Stephane Raimbault wrote:

> I have a box running FreeBSD 5.3-RELEASE-p5 and I'm running nat and
> redirecting port 80 traffic to a couple of internal servers.

The following bugfix was committed to RELENG_5 about two months ago, it's
likely that it fixes your problem. It's not part of 5.3-RELEASE-p5
(which is built from RELENG_5_3, afaik).

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.18.2.5&r2=1.18.2.6&f=h

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 21:57:57 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1486016A4CE for ; Sat, 5 Mar 2005 21:57:57 +0000 (GMT)
Received: from hotmail.com (bay24-f31.bay24.hotmail.com [64.4.18.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3B9143D2D for ; Sat, 5 Mar 2005 21:57:56 +0000 (GMT) (envelope-from segr@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 5 Mar 2005 13:57:56 -0800
Message-ID:
Received: from 204.9.110.182 by by24fd.bay24.hotmail.msn.com with HTTP; Sat, 05 Mar 2005 21:57:56 GMT
X-Originating-IP: [204.9.110.182]
X-Originating-Email: [segr@hotmail.com]
X-Sender: segr@hotmail.com
In-Reply-To: <20050305200559.GA26999@insomnia.benzedrine.cx>
From: "Stephane Raimbault"
To: daniel@benzedrine.cx
Date: Sat, 05 Mar 2005 14:57:56 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 05 Mar 2005 21:57:56.0781 (UTC) FILETIME=[6397F5D0:01C521CE]
cc: freebsd-pf@freebsd.org
Subject: Re: nat / rdr timeouts?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 05 Mar 2005 21:57:57 -0000

I cvsup'd RELENG_5 and recompiled the kernel and I'm seeing the same
results. Do I need to recompile any other parts of the system?

Do we believe I've stumbled onto a bug of pf... or is this some sort of
anti-DoS feature?

>From: Daniel Hartmeier
>To: Stephane Raimbault
>CC: freebsd-pf@freebsd.org
>Subject: Re: nat / rdr timeouts?
>Date: Sat, 5 Mar 2005 21:05:59 +0100
>
>On Sat, Mar 05, 2005 at 11:59:59AM -0700, Stephane Raimbault wrote:
>
> > I have a box running FreeBSD 5.3-RELEASE-p5 and I'm running nat and
> > redirecting port 80 traffic to a couple of internal servers.
>
>The following bugfix was committed to RELENG_5 about two months ago, it's
>likely that it fixes your problem. It's not part of 5.3-RELEASE-p5
>(which is built from RELENG_5_3, afaik).
>
>http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.18.2.5&r2=1.18.2.6&f=h
>
>Daniel

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 22:20:02 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F0A6516A4CE for ; Sat, 5 Mar 2005 22:20:02 +0000 (GMT)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8481143D3F for ; Sat, 5 Mar 2005 22:20:01 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) j25MK0Zr010951 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Sat, 5 Mar 2005 23:20:01 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.3/8.12.10/Submit) id j25MK0pt016776; Sat, 5 Mar 2005 23:20:00 +0100 (MET)
Date: Sat, 5 Mar 2005 23:20:00 +0100
From: Daniel Hartmeier
To: Stephane Raimbault
Message-ID: <20050305222000.GC26999@insomnia.benzedrine.cx>
References: <20050305200559.GA26999@insomnia.benzedrine.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.6i
cc: freebsd-pf@freebsd.org
Subject: Re: nat / rdr timeouts?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 05 Mar 2005 22:20:03 -0000

On Sat, Mar 05, 2005 at 02:57:56PM -0700, Stephane Raimbault wrote:

> I cvsup'd RELENG_5 and recompiled the kernel and I'm seeing the same
> results. Do I need to recompile any other parts of the system?

No, that's it.

> Do we believe I've stumbled onto a bug of pf... or is this some sort of
> anti-DoS feature?

The default limit on number of states is 10,000. If further packets try
to create state, they are dropped. But it doesn't look like you're
hitting that.

Enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for anything from pf. Also quote pfctl -vvss output
after the problem, as well as pfctl -si, please.

Daniel
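The diagnostic steps Daniel asks for above, as an added example that is not part of the thread and not code from the pf project: a POSIX shell script that collects the requested output on a live pf box and checks the state table against its hard limit (the 10,000-state default he cites), which is the one cause he names for packets silently failing to create state. The `pfctl -si` and `pfctl -sm` layouts the awk patterns expect, the sample output, and the `state-limit` counter name are assumptions made here from pfctl of that era; the sample is constructed, not captured from a real box. Verify the field positions against `pfctl(8)` on your version before relying on the numbers.

```shell
#!/bin/sh
# pf_state_check.sh: summarize pf state-table pressure from the output
# of "pfctl -si" (status/counters) and "pfctl -sm" (memory limits).
# Added example for the thread; the output layouts below are assumed.

# Default hard limit on states, as cited in the thread.
DEFAULT_STATE_LIMIT=10000

# current_entries: print the "current entries" value from pfctl -si on stdin.
current_entries() {
    awk '/current entries/ { print $3; exit }'
}

# state_limit_drops: print the "state-limit" counter from pfctl -si on stdin,
# i.e. packets that could not create state because the table was full
# (counter name assumed from pfctl of the time).
state_limit_drops() {
    awk '$1 == "state-limit" { print $2; exit }'
}

# hard_limit: print the "states hard limit" from pfctl -sm on stdin, or
# DEFAULT_STATE_LIMIT when the line is absent (e.g. no "set limit" in use).
hard_limit() {
    awk -v def="$DEFAULT_STATE_LIMIT" '
        $1 == "states" && $2 == "hard" { print $4; found = 1; exit }
        END { if (!found) print def }'
}

# assess: given current entries, the hard limit and the state-limit drop
# count, print one verdict line: FULL (drops seen), WARN (>= 80% full) or OK.
assess() {
    cur=$1; lim=$2; drops=$3
    pct=$((cur * 100 / lim))
    if [ "$drops" -gt 0 ]; then
        echo "FULL: $drops packets dropped by state-limit ($cur/$lim states, ${pct}%)"
    elif [ "$pct" -ge 80 ]; then
        echo "WARN: state table ${pct}% full ($cur/$lim)"
    else
        echo "OK: state table ${pct}% full ($cur/$lim), no state-limit drops"
    fi
}

# collect: the evidence requested in the thread, gathered on a live pf box
# (needs root). "pfctl -x m" raises the debug level to "misc", the level
# the thread's shorthand "pfctl -xm" sets; pf then logs via syslog.
collect() {
    dir=${1:-/tmp/pf-diag}
    mkdir -p "$dir"
    pfctl -x m
    pfctl -si   > "$dir/info.txt"
    pfctl -sm   > "$dir/limits.txt"
    pfctl -vvss > "$dir/states.txt"
    grep ' pf' /var/log/messages > "$dir/messages-pf.txt" 2>/dev/null
    assess "$(current_entries < "$dir/info.txt")" \
           "$(hard_limit < "$dir/limits.txt")" \
           "$(state_limit_drops < "$dir/info.txt")"
}

# Constructed sample output (not captured from any real box), so the
# parsing can be exercised on a workstation without pfctl.
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9850
  searches                          812345           41.2/s
  inserts                            24412            1.2/s
  removals                           14562            0.7/s
Counters
  match                              24890            1.3/s
  bad-offset                             0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s
  state-limit                          231            0.0/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# demo: run the assessment on the constructed sample and print the verdict.
demo() {
    assess "$(printf '%s\n' "$SAMPLE_SI" | current_entries)" \
           "$(printf '%s\n' "$SAMPLE_SM" | hard_limit)" \
           "$(printf '%s\n' "$SAMPLE_SI" | state_limit_drops)"
}

# "sh pf_state_check.sh demo" parses the sample; "sh pf_state_check.sh live"
# collects from the running pf instance.
case "${1:-}" in
    demo) demo ;;
    live) collect ;;
esac
```

A nonzero `state-limit` counter together with "current entries" at the hard limit is the signature of the state-exhaustion case Daniel describes; a low count with `pfctl -F state` still curing the hang points elsewhere, which is why he also asks for the full `pfctl -vvss` listing and the pf lines from /var/log/messages.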