From owner-freebsd-pf@FreeBSD.ORG Sun Jun 19 11:01:44 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4681B16A41C; Sun, 19 Jun 2005 11:01:44 +0000 (GMT) (envelope-from robertusn@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0951443D4C; Sun, 19 Jun 2005 11:01:43 +0000 (GMT) (envelope-from robertusn@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so285272wri; Sun, 19 Jun 2005 04:01:43 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=qzNxubjiOehXdYhbs7PBcwvqus6gftMEd5ZJyZu6B8TsJk+z1L2FJk40z208mjFHktaDIUADteB6iavD7rHVBYmelnQ+zsRTBf8tNoj4UZpvomuWdCWJ/3Wb9nixYyNxbJ8iPnOfIeTpsjjvCWkGLA+YAApTNhpvT96k5OfxBQc=
Received: by 10.54.51.26 with SMTP id y26mr2158498wry; Sun, 19 Jun 2005 04:01:43 -0700 (PDT)
Received: by 10.54.51.48 with HTTP; Sun, 19 Jun 2005 04:01:43 -0700 (PDT)
Message-ID: <3713853f05061904017a4a7e3f@mail.gmail.com>
Date: Sun, 19 Jun 2005 13:01:43 +0200
From: Robert Usle
Reply-To: Robert Usle
To: freebsd-pf@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Subject: ipfw -pf processing order
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 19 Jun 2005 11:01:44 -0000

Hi,

I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.

pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only for packet queueing.

ext_if = vr0
int_if = rl1

ipfw rules:
/sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
/sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
/sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
/sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any

sysctl: net.inet.ip.fw.one_pass: 1
(I've also tried with 'via', 'xmit', 'recv' tags)

I see packets coming to my dummynet pipes/rules, but then pf rdr rule:

rdr on $int_if proto tcp from $internal_net to any port 80 -> 127.0.0.1 port 3128

does not work.
When I disable ipfw firewall, it's just ok again.

pf options are as follows:
set optimization normal
set block-policy drop
set require-order yes
scrub in all

Is this related to firewall processing order?

Thanks,

--
Robert

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 19 11:18:55 2005
Date: Sun, 19 Jun 2005 14:18:54 +0300
From: Abu Khaled
Reply-To: Abu Khaled
To: Robert Usle
Cc: freebsd-pf@freebsd.org
In-Reply-To: <3713853f05061904017a4a7e3f@mail.gmail.com>
References: <3713853f05061904017a4a7e3f@mail.gmail.com>
Subject: Re: ipfw -pf processing order

On 6/19/05, Robert Usle wrote:
> Hi,
>
> I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
>
> pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> for packet queueing.
>
> ext_if = vr0
> int_if = rl1
>
> ipfw rules:
> /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
>
> sysctl: net.inet.ip.fw.one_pass: 1
> (I've also tried with 'via','xmit','recv' tags)
>
> I see packets coming to my dummynet pipes/rules, but then
> pf rdr rule:
>
> rdr on $int_if proto tcp from $internal_net to any port 80 ->
> 127.0.0.1 port 3128
>
> does not work.
> When I disable ipfw firewall, it's just ok again.
>
> pf options are as follows:
> set optimization normal
> set block-policy drop
> set require-order yes
> scrub in all
>
> Is this related to firewall processing order?
>
> Thanks,
>
> --
> Robert

My guess is that IPFW is blocking packets from your $internal_net to localhost port 3128.
Add this to your IPFW rules before any other rules that block traffic to 127.0.0.1

# ipfw 100 allow tcp from $internal_net to 127.0.0.1 3128
# ipfw 200 allow tcp from 127.0.0.1 3128 to $internal_net

for example:

ipfw add 100 pass all from any to any via lo0
ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
ipfw add 400 deny all from any to 127.0.0.0/8
ipfw add 500 deny ip from 127.0.0.0/8 to any

--
Kind regards
Abu Khaled

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 19 14:20:15 2005
Message-Id: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
Date: Sun, 19 Jun 2005 16:21:54 +0200
From: "Axel S. Gruner"
To: freebsd-pf@freebsd.org
Subject: PF and ftp-proxy

Hi,

I got some problems running PF and ftp-proxy.
Client -> GW -> NAT-Server -> FW -> Internet -> customer

So, the "Customer" is doing active FTP, so I add 2 rules on the "NAT-Server":

rdr on $int_if proto tcp from 10.4.1.26 to any port 21 -> 127.0.0.1 port 8021
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

"10.4.1.26" is our "Client" who needs to connect to the customer active ftp server (I also tried "any", no difference).

/etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

If I try to connect to the customer, nothing happens.
If I try to connect to another FTP-Server, nothing happens.
If I try to connect to our own FTP-Server (internal address), nothing happens...

tcpdump on pflog0 on the NAT-Server shows me:

000000 rule 20/0(match): pass in on xl1: IP 10.4.1.99.49295 > 127.0.0.1.8021: S 3578225143:3578225143(0) win 65535

normal tcpdump trying a normal ftp-server:

6:03:52.174714 IP 10.4.1.99.58587 > ftp.beastie.tdk.net.ftp: S 3471511073:3471511073(0) win 65535

I tried to activate debug mode on ftp-proxy (-D3), but I can not see any debug output in /var/log/debug.log. I restarted inetd and syslogd.

So, my whole /etc/pf.conf looks like:

# Variables
ext_if = "xl0"
int_if = "xl1"
clu_if = "xl2"
int_ip = "212.202.224.248/29"
blu_ip = "192.168.233.254"
ext_ip = "212.202.xxx.aae"
sfwd_ip = "{ 212.202.xxx.aaa, 212.202.xxx.aab, 212.202.xxx.aac, 212.202.xxx.aad, 212.202.xxx.aae }"
spar_server = "213.150.2.xxx"
spar_client = "{ 10.4.1.24, 10.4.1.26, 10.4.1.50, 10.4.1.235 }"
spar_port = "3048"
ausnahme = "{ 192.168.155.56, 192.168.233.4 }"

set loginterface $ext_if
set loginterface $int_if

# asg
# packet normalizer against attack attempts using oversized packets
scrub in all

# NAT
nat on $ext_if from $int_if:network to $ausnahme -> $blu_ip
nat on $ext_if from 10.3.1.0/24 to $ausnahme -> $blu_ip
nat on $ext_if from 10.2.1.0/24 to $ausnahme -> $blu_ip
nat on $ext_if from 10.1.1.0/24 to $ausnahme -> $blu_ip
nat on $ext_if from $int_if:network to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from $int_if:network to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.3.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.3.1.0/24 to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.2.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.2.1.0/24 to ! (192.168.233.4) -> $ext_ip
nat on $ext_if from 10.1.1.0/24 to ! (192.168.155.56) -> $ext_ip
nat on $ext_if from 10.1.1.0/24 to ! (192.168.233.4) -> $ext_ip

# Redirect Spar
rdr on $ext_if proto udp from $spar_server to any port $spar_port -> $spar_client port $spar_port
rdr on $int_if proto udp from $spar_client to any port $spar_port -> $spar_server port $spar_port

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block log all
pass out log from any to any keep state
pass in log from any to any keep state
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state

I did the stuff with the ftp-proxy and active ftp connection like described in: http://www.openbsd.org/faq/pf/ftp.html

So, where could be the problem?

Thanks in advance.

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 19 16:54:32 2005
Message-ID: <20050619165423.GC32104@mail.crypta.net>
Date: Sun, 19 Jun 2005 18:54:24 +0200
From: Andy Hilker
Organization: cryptobank - Andy Hilker
To: "Axel S. Gruner"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
References: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de>
Subject: Re: PF and ftp-proxy
X-PGP-Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xEC6E1071
X-PGP-Fingerprint: 9B2E 5892 AD93 D5C5 FB8E 3912 35D6 951B EC6E 1071

Hi,

You (Axel S. Gruner) wrote:
> Client -> GW -> NAT-Server -> FW -> Internet -> customer

FW = packet filter without NAT?
Does the NAT-Server do some magic to allow active ftp sessions?
Does active ftp work without pf on the fw box (fw box = router)?
If not, maybe here is your problem...

I'll give you my configuration, maybe it helps:

LAN (official ips) ---- pf GW without NAT --- Internet

/etc/inetd.conf
-----------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

/etc/rc.conf
--------------
inetd_enable="YES"

pf.conf, parts of ftp section
------------------------------
# default deny
block all

# local loopback traffic
pass quick on lo0 all

# redirect ftp to local proxy
rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021

# ftp for all
pass log quick proto tcp from to 127.0.0.1 port 8021 keep state
block in log quick proto tcp from ! to 127.0.0.1 port 8021
pass out log quick proto tcp from to port > 1023 keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active ftp
# to internet
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state

> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html

I assume you are German... see also http://www.warp9.de/downloads/pf-ftp.pdf

> So, where could be the problem?

Does telnet 127.0.0.1 8021 work?

bye,
Andy

From owner-freebsd-pf@FreeBSD.ORG Sun Jun 19 21:31:36 2005
Message-ID: <3713853f0506191431125da26d@mail.gmail.com>
Date: Sun, 19 Jun 2005 23:31:35 +0200
From: Robert Usle
Reply-To: Robert Usle
To: Abu Khaled
Cc: freebsd-pf@freebsd.org
References: <3713853f05061904017a4a7e3f@mail.gmail.com>
Subject: Re: ipfw -pf processing order

On 6/19/05, Abu Khaled wrote:
> On 6/19/05, Robert Usle wrote:
> > Hi,
> >
> > I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
> >
> > pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> > for packet queueing.
> >
> > ext_if = vr0
> > int_if = rl1
> >
> > ipfw rules:
> > /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> > /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> > /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> > /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
> >
> > sysctl: net.inet.ip.fw.one_pass: 1
> > (I've also tried with 'via','xmit','recv' tags)
> >
> > I see packets coming to my dummynet pipes/rules, but then
> > pf rdr rule:
> >
> > rdr on $int_if proto tcp from $internal_net to any port 80 ->
> > 127.0.0.1 port 3128
> >
> > does not work.
> > When I disable ipfw firewall, it's just ok again.
> >
> > pf options are as follows:
> > set optimization normal
> > set block-policy drop
> > set require-order yes
> > scrub in all
> >
> > Is this related to firewall processing order?
> >
> > Thanks,
> >
> > --
> > Robert
>
> My guess is that IPFW is blocking packets from your $internal_net to
> localhost port 3128. Add this to your IPFW rules before any other
> rules that block traffic to 127.0.0.1
>
> # ipfw 100 allow tcp from $internal_net to 127.0.0.1 3128
> # ipfw 200 allow tcp from 127.0.0.1 3128 to $internal_net
> for example:
>
> ipfw add 100 pass all from any to any via lo0
> ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
> ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
> ipfw add 400 deny all from any to 127.0.0.0/8
> ipfw add 500 deny ip from 127.0.0.0/8 to any

Thank you for your email Khaled.
I think that loading ipfw/dummynet modules is a problem itself. The same happens even if I set 'allow ip from any to any' as a first rule.

Regards,

--
Robert

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 09:00:09 2005
Message-Id: <200506200900.j5K9098Z095333@freefall.freebsd.org>
Date: Mon, 20 Jun 2005 09:00:09 GMT
From: Gleb Smirnoff
To: glebius@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/82271: cbq scheduler cause bad latency

Synopsis: cbq scheduler cause bad latency

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: glebius
Responsible-Changed-When: Mon Jun 20 08:59:48 GMT 2005
Responsible-Changed-Why:
For pf gurus review.

http://www.freebsd.org/cgi/query-pr.cgi?pr=82271

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 11:01:56 2005
Message-Id: <200506201101.j5KB1sfH011477@freefall.freebsd.org>
Date: Mon, 20 Jun 2005 11:01:54 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/19] ia64/81284  pf    Unaligned Reference with pf on 5.4/IA64
o [2005/06/15] kern/82271  pf    cbq scheduler cause bad latency

2 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf    /etc/pf.os doesn't match FreeBSD 5.3->5.4

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 11:03:56 2005
Message-Id: <200506201103.j5KB3tgg013076@freefall.freebsd.org>
Date: Mon, 20 Jun 2005 11:03:55 GMT
From: FreeBSD bugmaster
To: pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
f [2005/02/09] kern/77308  pf    ALTQ doesn't seem to be working on tun0

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 15:27:06 2005
Message-ID: <20050620152705.46972.qmail@web33114.mail.mud.yahoo.com>
Date: Mon, 20 Jun 2005 08:27:05 -0700 (PDT)
From: DH
To: freebsd-pf@freebsd.org
Subject: Vexing IPF problem

I posted this on freebsd-questions last week & unfortunately the folks who rsvp'd did not have a solution, so I've posted to this forum.

I'm having a problem with IPF blocking packets that it appears should be let through. I've spent quite a bit of time going through the Handbook, man pages, etc. & I must be missing something, so any help is greatly appreciated.

uname -a
freebsd 4.11-release #0 SMP kernel, dual PIII processor, 512 MB ECC RAM, SCSI HDs

excerpt from rule set:
Kernel compiled with "default allow" until I finish getting the rule set rewritten.

Rule #1 block in log from any to any
pass in quick on lo0
pass out quick on lo0
block in log quick on fxp0 from any to any with ipopts
block in log quick proto tcp from any to any with short
...
pass in log first proto tcp from any to any port = 80 flags S keep state
pass in log first proto tcp from any port = 80 to any flags S keep state
pass out log first proto tcp from any to any port = 80 flags S keep state

netstat -m = 129/576/16384 9% of mb_map in use

Proxy Server - Squid 2.5.stable10

The behavior I'm seeing is that outgoing connections to websites on port 80 are being passed but the inbound traffic is being blocked. The ipflog entries look like this:

my ip = s
theirs = d

@0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT
@0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN

Thanks in advance to those giving their time to lend a hand, I know your time is valuable. Please CC my address in your reply.
David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 16:38:58 2005
Message-Id: <42AC52F5-569E-47FD-8B2C-45FEF0B25C70@encephalon.de>
Date: Mon, 20 Jun 2005 18:40:43 +0200
From: "Axel S. Gruner"
To: Andy Hilker
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20050619165423.GC32104@mail.crypta.net>
References: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de> <20050619165423.GC32104@mail.crypta.net>
Subject: Re: PF and ftp-proxy

Hi,

On 19.06.2005 at 18:54, Andy Hilker wrote:
> /etc/inetd.conf
> -----------------
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> /etc/rc.conf
> --------------
> inetd_enable="YES"
>
> pf.conf, parts of ftp section
> ------------------------------
> # default deny
> block all
>
> # local loopback traffic
> pass quick on lo0 all
>
> # redirect ftp to local proxy
> rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021
>
> # ftp for all
> pass log quick proto tcp from to 127.0.0.1 port 8021 keep state
> block in log quick proto tcp from ! to 127.0.0.1 port 8021
> pass out log quick proto tcp from to port > 1023 keep state
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active ftp
> # to internet
> pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
> pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
> pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state

Thanks for your quick reply.
I tried your configuration, and, know what? It works perfectly for me.
Thanks a lot.
asg

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 19:56:08 2005
Message-Id: <200506201956.j5KJu8Oe087982@freefall.freebsd.org>
Date: Mon, 20 Jun 2005 19:56:08 GMT
From: Matteo Riondato
To: matteo@FreeBSD.org, pf@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/77308: ALTQ doesn't seem to be working on tun0

Synopsis: ALTQ doesn't seem to be working on tun0

Responsible-Changed-From-To: pf->freebsd-pf
Responsible-Changed-By: matteo
Responsible-Changed-When: Mon Jun 20 19:55:12 GMT 2005
Responsible-Changed-Why:
Change owner from "pf" to "freebsd-pf" so that the freebsd-pf@ mailing list will receive only one reminder

http://www.freebsd.org/cgi/query-pr.cgi?pr=77308

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 20 23:30:19 2005
Message-ID: <20050620233012.GA56044@mail.crypta.net>
Date: Tue, 21 Jun 2005 01:30:13 +0200
From: Andy Hilker
Organization: cryptobank - Andy Hilker
To: "Axel S. Gruner"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <42AC52F5-569E-47FD-8B2C-45FEF0B25C70@encephalon.de>
References: <9B7F1DC1-E8D1-4887-A0C9-A1F74269258B@encephalon.de> <20050619165423.GC32104@mail.crypta.net> <42AC52F5-569E-47FD-8B2C-45FEF0B25C70@encephalon.de>
Subject: Re: PF and ftp-proxy

Hi,

> On 19.06.2005 at 18:54, Andy Hilker wrote:
> Thanks for your quick reply.
> I tried your configuration, and, know what? It works perfectly for me.
> Thanks a lot.
No problem, I am glad to help someone like other people from the list helped me :) bye, Andy -- Andy Hilker -- mailto:ah@cryptobank.de http://www.cryptobank.de -- PGP Key: https://ca.crypta.net --T4sUOijqQbZv57TR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCt1GENdaVG+xuEHERAt/eAKCEHfRAaHxPzHuYY45J1qVOXrQHswCghmix 546P2d0nrtrFYAX4Ne0Hoi0= =Ls8d -----END PGP SIGNATURE----- --T4sUOijqQbZv57TR--
From owner-freebsd-pf@FreeBSD.ORG Wed Jun 22 15:52:20 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AAF6416A41F for ; Wed, 22 Jun 2005 15:52:20 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from fep16.inet.fi (fep16.inet.fi [194.251.242.241]) by mx1.FreeBSD.org (Postfix) with ESMTP id D440343D4C for ; Wed, 22 Jun 2005 15:52:19 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from mato.suutari.iki.fi ([80.222.160.17]) by fep16.inet.fi with ESMTP id <20050622155218.KQTS2488.fep16.inet.fi@mato.suutari.iki.fi> for ; Wed, 22 Jun 2005 18:52:18 +0300 Received: from [192.168.53.140] (orava.suutari.iki.fi [192.168.53.140]) by mato.suutari.iki.fi (8.13.3/8.13.3) with ESMTP id j5MFqHpj061178 for ; Wed, 22 Jun 2005 18:52:17 +0300 (EEST) (envelope-from ari@suutari.iki.fi) Received: from 127.0.0.1 (AVG SMTP 7.0.323 [267.7.10]); Wed, 22 Jun 2005 18:52:11 +0300 Message-ID: <42B9892B.7080608@suutari.iki.fi> Date: Wed, 22 Jun 2005 18:52:11 +0300 From: Ari Suutari User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en To: freebsd-pf@freebsd.org Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (mato.suutari.iki.fi [192.168.53.129]); Wed, 22 Jun 2005 18:52:17 +0300 (EEST)
Subject: pf initialization during boot X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Jun 2005 15:52:20 -0000 Hi, I'm considering switching from ipfw to pf. However, I noticed a discussion about pf starting a little bit late during boot (the thread was in March, called "pf seems to start late?"). As far as I understood, interfaces were brought up before pf rules were loaded, causing the firewall to be temporarily fully open during the boot process. Was this issue resolved later? Ari S. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.7.10/25 - Release Date: 21.6.2005
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 23 14:40:09 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3922E16A41C for ; Thu, 23 Jun 2005 14:40:09 +0000 (GMT) (envelope-from peceka@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05AD643D1D for ; Thu, 23 Jun 2005 14:40:08 +0000 (GMT) (envelope-from peceka@gmail.com) Received: by zproxy.gmail.com with SMTP id 12so719069nzp for ; Thu, 23 Jun 2005 07:40:08 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=p37FCDyZq+C37xirHXIoF8azgLD4NpnptGW2+ed4cUySHICQCn0KSCPHeanINxNhdwKc5Lw7w1aoeZqlGdURh960hFfDft/0sFZNyCbcAgEoMfn/SNVdw/8anBPwQ8kcc+bfUK79HT3tsV3QmO8ObJskYKib6Y70cT2OcI36dbY= Received: by 10.36.17.18 with SMTP id 18mr1528689nzq; Thu, 23 Jun 2005 07:40:08 -0700 (PDT) Received: by 10.36.4.10 with HTTP; Thu, 23
Jun 2005 07:40:08 -0700 (PDT) Message-ID: Date: Thu, 23 Jun 2005 16:40:08 +0200 From: peceka To: freebsd-pf@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: PF with SSP patch doesn't work X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: peceka List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jun 2005 14:40:09 -0000 Hi, is there any possibility to compile pf with http://www.trl.ibm.com/projects/security/ssp/ (http://www.paranoid.nl/~eilander/freebsd/propolice/) installed in the system? Ok, it compiles but it doesn't work:

# pfctl -f /etc/pf.conf
NO ALTQ support in kernel
ALTQ related functions disabled
panic: stack overflow in function (null).
cpuid=0
Uptime=6m50s

And after that the machine hangs. TIA, p.
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 25 16:45:54 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F19516A41C for ; Sat, 25 Jun 2005 16:45:54 +0000 (GMT) (envelope-from terry@twopeasinabucket.com) Received: from outbound1.mail.tds.net (outbound1.mail.tds.net [216.170.230.91]) by mx1.FreeBSD.org (Postfix) with ESMTP id 110C343D1F for ; Sat, 25 Jun 2005 16:45:53 +0000 (GMT) (envelope-from terry@twopeasinabucket.com) Received: from tj (vrnawibas01-pool4-a241.vrnawi.tds.net [69.128.144.241]) by outbound1.mail.tds.net (8.13.4/8.12.2) with ESMTP id j5PGjoRb028520 for ; Sat, 25 Jun 2005 11:45:50 -0500 (CDT) Message-Id: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net> From: "Ninneman, TJ" To: Date: Sat, 25 Jun 2005 11:45:50 -0500 MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 Thread-Index:
AcV5pVfsFg1cGEOxRlq19uQOeZwi8A== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Outbound SSH problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jun 2005 16:45:54 -0000 I'm having some trouble on both my 5.3 and 5.4 FreeBSD servers running PF. My ruleset explicitly blocks outbound ssh from my servers to prevent attacks on other servers in the event that one of my servers is compromised. The problem is that I have noticed (after a few days of the server being up) my daily run output showing both TCP and UDP packets being dropped outbound:

block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on em0 proto udp from any to any port = ssh
  [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]

My 5.3 server (the oldest I have at this location) used to show these blocked packets in the log but now doesn't and my 5.4 machines never have. I only see them on the daily security run. My question is, are my servers compromised or am I misreading the run output? I find it hard to believe that they are compromised simply because on the latest server I set up every file system is mounted read only, yet I still have this output. As you can imagine I'm pretty nervous about this and any help would be awesome!
Here is my pf.conf on an internal Samba server with external ssh access:

##### Initial Setup #####
#Setup Macros
ext_if = "em0"
ext_ip = "xxx.xxx.xxx.xxx"
int_if = "em1"
int_ip = "192.168.0.52"

#Set block policy to drop
set block-policy drop

#Let's first scrub all incoming packets
scrub in on $ext_if
scrub in on $int_if

#setup a default deny policy for everything
block log all

#pass traffic on the loopback interface in either direction
pass quick on lo0 all

#Set up tables for non-routable IPs, blacklisted IPs, and whitelisted IPs
table const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
table persist file "/etc/pf_blacklist"
table persist file "/etc/pf_ext_whitelist"
table persist file "/etc/pf_int_whitelist"
##### End Setup #####

##### Inbound - Internal Interface #####
#Allow pings from internal network non-routable IPs
pass in quick on $int_if inet proto icmp all icmp-type echoreq code 0 keep state
#Allow inbound ssh
pass in quick on $int_if proto tcp from to $int_ip port 22 flags S/SA synproxy state
#Samba ports
pass in quick on $int_if proto tcp from to $int_ip port {139, 445} keep state
pass in quick on $int_if proto udp from to $int_ip port {137, 138} keep state

##### Outbound - Internal Interface #####
#Allow out traffic to internal network non-routable IPs
pass out quick on $int_if proto {tcp, udp, icmp} from $int_ip to keep state

##### Inbound - External Interface #####
#Block bad IPs
block in quick on $ext_if from to any
block in quick on $ext_if from to any
#Allow inbound SSH traffic (from approved IPs)
pass in quick on $ext_if proto tcp from to $ext_ip port ssh flags S/SA synproxy state

##### Outbound - External Interface #####
#Let's block port 22 outbound in the event we're compromised
block out quick on $ext_if proto {tcp, udp} to any port 22
#Allow outbound tcp, udp, and icmp traffic
pass out quick on $ext_if proto {tcp, udp, icmp} all flags S/SA synproxy state

The whitelist files contain the approved internal and external IPs.
From owner-freebsd-pf@FreeBSD.ORG Sat Jun 25 17:13:00 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 639B916A41C for ; Sat, 25 Jun 2005 17:13:00 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CAB343D1F for ; Sat, 25 Jun 2005 17:13:00 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id A0749253696 for ; Sat, 25 Jun 2005 18:12:55 +0100 (BST) From: "Greg Hennessy" To: Date: Sat, 25 Jun 2005 18:12:56 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcV5pVfsFg1cGEOxRlq19uQOeZwi8AAAxRcQ X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 In-Reply-To: <200506251645.j5PGjoRb028520@outbound1.mail.tds.net> Message-Id: <20050625171256.F366A28@gw2.local.net> Subject: RE: Outbound SSH problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jun 2005 17:13:00 -0000

> block drop out quick on em0 proto tcp from any to any port = ssh [
> Evaluations: 437 Packets: 0 Bytes: 0 States: 0 ]
>
> block drop out quick on em0 proto udp from any to any port = ssh [
> Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
>
> My 5.3 server (the oldest I have at this location) used to
> show these blocked packets in the log but now doesn't and my
> 5.4 machines never have.
> I only see them on the daily security run.
>
> My question is, are my servers compromised or am I misreading
> the run output? I find it hard to believe that they are
> compromised simply because the latest server I setup, every
> file system is mounted read only yet I still have this
> output. As you can imagine I'm pretty nervous about this and
> any help would be awesome!

Yes, RTFMP, with a default policy of block, there is no need for specific rules to stop things like outbound ssh traffic. Logging will tell you the rest.

Greg
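The counter lines TJ quotes and Greg's pointer to logging turn on one distinction that the daily run output does not spell out: pf bumps a rule's Evaluations counter every time the filter reaches that rule while walking the ruleset for some packet, and bumps Packets and Bytes only when the rule actually matched. "Evaluations: 437 Packets: 0" therefore means the rule was consulted 437 times and blocked nothing. The script below is an added example, not code from either post or from the pf project: it parses "pfctl -vsr" style counter lines, reports which rules really matched, and flags block rules that matched but carry no "log" keyword, since those (like the posted "block out quick on $ext_if ... port 22" rule, which lacks "log") drop traffic without leaving a pflog record. The sample input is constructed here: the two em0 lines are the ones from the post, the "block drop log all" and em1 rules are invented for contrast.

```python
"""Read pf rule counters the way pf means them.

"pfctl -vsr" prints, under every rule, a line such as
    [ Evaluations: 437  Packets: 0  Bytes: 0  States: 0  ]
Evaluations counts how often pf reached the rule while walking the
ruleset; Packets and Bytes count only packets the rule matched.  A rule
with evaluations and zero packets has blocked (or passed) nothing.
Added example, not code from the mailing-list posts or from pf itself.
"""
import re
from dataclasses import dataclass
from typing import List

# Counter block as printed by "pfctl -vsr"; tolerant of the extra spaces
# pfctl uses and of the block following the rule on the same line.
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)"
    r"\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]"
)


@dataclass
class RuleStats:
    rule: str          # rule text as pfctl printed it
    evaluations: int   # times pf looked at the rule
    packets: int       # packets the rule actually matched
    bytes: int
    states: int

    @property
    def matched(self) -> bool:
        """True only if the rule applied to at least one packet."""
        return self.packets > 0

    @property
    def is_block(self) -> bool:
        return self.rule.startswith("block")

    @property
    def logs(self) -> bool:
        """pf writes a pflog record only for rules carrying "log"."""
        return re.search(r"\blog\b", self.rule) is not None


def parse_pfctl_rules(text: str) -> List[RuleStats]:
    """Parse "pfctl -vsr" output into RuleStats, in ruleset order.

    Accepts pfctl's native layout (rule on one line, counters on the next)
    and the flattened layout seen in mail archives (counters on the rule's
    own line).  Lines that are neither are ignored.
    """
    stats: List[RuleStats] = []
    pending = ""  # rule text still waiting for its counter line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.search(line)
        if m is None:
            if line.startswith(("block", "pass")):
                pending = line
            continue
        rule = line[: m.start()].strip() or pending
        if rule:
            stats.append(RuleStats(rule, int(m["evals"]), int(m["pkts"]),
                                   int(m["bytes"]), int(m["states"])))
        pending = ""
    return stats


def rules_with_matches(stats: List[RuleStats]) -> List[RuleStats]:
    """Rules that handled traffic (Packets > 0): the only ones that can
    back a claim that something was blocked or passed."""
    return [s for s in stats if s.matched]


def silent_blocks(stats: List[RuleStats]) -> List[RuleStats]:
    """Block rules that matched but carry no "log": the drop left no pflog
    record, so the daily counters are the only trace of it."""
    return [s for s in stats if s.is_block and s.matched and not s.logs]


# Constructed sample.  The two em0 rules are the counter lines quoted in the
# post; "block drop log all" and the em1 rule are invented so that matched
# and unmatched rules, and logged and unlogged drops, both appear.
SAMPLE = """\
block drop log all
  [ Evaluations: 1942  Packets: 37  Bytes: 2960  States: 0  ]
block drop out quick on em0 proto tcp from any to any port = ssh
  [ Evaluations: 437  Packets: 0  Bytes: 0  States: 0  ]
block drop out quick on em0 proto udp from any to any port = ssh [ Evaluations: 1505 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on em1 proto tcp from any to any port = ssh
  [ Evaluations: 12  Packets: 3  Bytes: 180  States: 0  ]
"""

if __name__ == "__main__":
    parsed = parse_pfctl_rules(SAMPLE)
    for s in parsed:
        verdict = "matched" if s.matched else "never matched"
        print(f"{verdict:13} evals={s.evaluations:5d} pkts={s.packets:4d}  {s.rule}")
    for s in silent_blocks(parsed):
        print("dropped traffic but has no 'log' option:", s.rule)
```

On a live box, feed it the real output with `pfctl -vsr | python3 pfstats.py` after replacing SAMPLE with `sys.stdin.read()`. For the two em0 rules from the post it reports "never matched", which is the answer to the question asked: nothing tried to leave on port 22. The second check is the caveat to Greg's advice: a specific block rule without "log" that one day does match will show up only as a counter, so if the rule is kept at all it is worth giving it "log" so pflog records the attempt.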